Inguma - A Free Penetration Testing and Vulnerability Research Toolkit

Inguma 0.0.7: Bug fixes, stability and new modules [2008-03-12 18:08]

Inguma version 0.0.7.2 has been released. In this version I have added new modules and exploits, fixed many, many, many bugs and enhanced existing modules, such as the Oracle related stuff.

PyShellcodelib has been enhanced as well and now supports Mac OS X. For the moment, though, it supports only BSD syscalls; the Mach syscall implementation is on the way. You will also notice that it is now object oriented, as opposed to the previous versions.

Along with the aforementioned changes, I'm releasing 5 new Oracle modules: 4 modules for bugs fixed in the Critical Patch Update of January 2008 and one skr1pT k1|>i3-like module for the Oracle PL/SQL gateway flaw. Give the module the target's address and port and run "oragateway". The module will automagically guess the correct DAD and bypass technique. After that, an SQL terminal will be opened.

The new modules added to the framework are the following:

nikto: A plugin that uses Nikto based databases (Thank you, Sullo!).
archanix: As you may imagine, it gathers information from archaic Unix services.
brutesmtp: A brute forcer for SMTP servers.
anticrypt: A tool to guess the algorithm used to produce a password hash. It saves a lot of time when auditing passwords.
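The kind of check anticrypt performs can be done from the shape of the hash string alone: a crypt-style prefix names the scheme outright, while a bare hex digest only narrows it to a few candidates of that length. The following is an added illustration written for this page, not Inguma's anticrypt code; the prefix and length tables are my own and cover only the common formats named in them.

```python
import re
from typing import List

# Constructed lookup tables (added example, not Inguma's anticrypt): a
# crypt-style prefix identifies the scheme unambiguously.
_CRYPT_PREFIXES = {
    "$1$": "MD5-crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "SHA256-crypt",
    "$6$": "SHA512-crypt",
    "$apr1$": "Apache APR1 MD5",
    "{SHA}": "LDAP SHA-1 (base64)",
    "{SSHA}": "LDAP salted SHA-1 (base64)",
}

# A bare hex digest is ambiguous: several algorithms share each length,
# so every plausible candidate is reported rather than guessing one.
_HEX_LENGTHS = {
    32: ["MD5", "NTLM", "LM"],
    40: ["SHA-1"],
    64: ["SHA-256"],
    96: ["SHA-384"],
    128: ["SHA-512"],
}


def guess_hash_algorithm(h: str) -> List[str]:
    """Return the candidate algorithms for hash string h, most specific first."""
    h = h.strip()
    for prefix, name in _CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [name]
    # MySQL 4.1+ PASSWORD(): '*' followed by 40 upper-case hex characters
    if re.fullmatch(r"\*[0-9A-F]{40}", h):
        return ["MySQL 4.1+ PASSWORD()"]
    # Oracle pre-11g: 16 upper-case hex chars; 11g: 'S:' plus 60 hex chars
    if re.fullmatch(r"[0-9A-F]{16}", h):
        return ["Oracle (pre-11g DES-based)"]
    if re.fullmatch(r"S:[0-9A-F]{60}", h):
        return ["Oracle 11g (SHA-1 based)"]
    # Traditional DES crypt: 13 chars from the crypt alphabet, no '$' prefix
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return ["Traditional DES crypt"]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return _HEX_LENGTHS.get(len(h), ["unknown hex digest"])
    return ["unknown"]
```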

Inguma 0.0.6: Free Shellcode Library [2007-11-26 10:03]

Inguma version 0.0.6 has been released. In this new version I added many modules and enhanced existing ones, for example the Oracle modules. The Oracle payloads now use the Cursor Injection method when possible, so the CREATE PROCEDURE system privilege is not needed to become DBA.

The support for InlineEgg, added in version 0.0.5.1, has been removed and a new, completely free library has been added: PyShellCodeLib. Currently, the library supports Linux and OpenBSD x86 based shellcodes.

The static analysis framework OpenDis has been enhanced and now you can use the API exposed by OpenDis to write your own binary static analysis tools. As an example of the API, a tool to make binary diffs has been added. Take a look at the file $INGUMA_DIR/dis/asmdiff.py and at the README stored in the same directory.

Five new exploits for Oracle Databases have been added and the module "sidguess" has been enhanced to retrieve the SID of the database instance from the Enterprise Manager/Database Control banner when possible.

The new modules added to the discover, gather and brute sections are the following:

  1. brutehttp: A brute forcer for HTTP servers.
  2. extip: A tool to know your external IP address. Very useful for checking anonymous proxies, for example.
  3. nmbstat: A tool to gather NetBIOS information.
  4. ipscan: A tool to make IP protocol scans. The tool checks which IP protocols are enabled in the target.
  5. arppoison: A tool to poison a target's ARP cache.

The following is the complete ChangeLog:

  1. Enhanced the module "sidguess". It now extracts the SID from Enterprise Manager banner. Thanks to Alexander Kornbrust!
  2. Added more services to the identify module.
  3. Added a brute force module for HTTP servers.
  4. Renamed the directory "aux" to "auxi" to avoid problems in Win32.
  5. Added a tool to know your external IP address. Useful for checking how anonymous an anonymous proxy server is ;) For more information navigate to the wiki.
  6. Added various Oracle 8i, 9i and 10g SQL injection modules. A total of 5 new modules.
  7. Oracle payloads changed to use, when possible, the cursor injection technique.
  8. Fixed bugs in whois module.
  9. Added module nmbstat to gather NetBIOS information.
  10. Enhanced the module firetest to make ICMP probes as well as TCP/IP probes. The probes are executed with a small MTU and with a common MTU (by default 16000).
  11. Initial version of the Website (You are looking at it!).
  12. Initial version of the Wiki.
  13. Added a protocol scanner. Check which IP protocols a target has enabled. Take a look at the module "protoscan".
  14. Initial version of PyShellCodeLib. A GPL'ed library similar to the well-known InlineEgg.
  15. Module SIDVault now uses PyShellCodeLib instead of InlineEgg.
  16. Added module getmac to get the MAC address and the vendor name from a given IP address.
  17. Added a module to poison a target's ARP cache.
  18. Fixed security paranoia bugs.
  19. Added examples of the OpenDis framework. A tool called asmdiff.py has been added to do binary diffs, as well as another example that prints an OpenDis format database. See $INGUMA_DIR/dis/README for details.

Inguma 0.0.5: Brute forcing and password cracking [2007-10-20 09:08]

The latest version of Inguma (0.0.5) has been released with many fixes and new modules. The following are the most important changes and updates:
  1. Added the module "firetest" to test firewall configurations.
  2. Added module "brutessh" to brute force SSH servers.
  3. Added module "bruteora" to brute force Oracle servers. It will check for every (commonly) possible user or for a specified user.
  4. Added a tool to crack MD5 hashes using freely available rainbow tables.
  5. Added module "sidguess" to guess the SID of an Oracle Database instance.
  6. _*Initial*_ shellcode support. See the SIDVault remote root exploit and $INGUMA_DIR/lib/libexploit.py for details. x86 support with InlineEgg. Thank you, Gera!
  7. Added one exploit for the vulnerability in SYS.LT.FINDRICSET (Oracle CPU Oct. 2007).
  8. Added a password cracker for Oracle11g.
  9. Added a password cracker for MS SQL Server 7 and 2000.
  10. Enhanced the Oracle PL/SQL Fuzzer. Now, if you redirect the output only the vulnerabilities found are logged, all the rest of the output is written to stderr.

Inguma 0.0.4: New modules and many bug fixes [2007-10-03 13:28]

The latest version of Inguma is 0.0.4 and, along with many fixes, the following new features have been added:
  1. Added one module to check for the most common Oracle Applications Server vulnerable URLs.
  2. Added "smbgold" module, to search in SMB/CIFS shares for interesting files (*.mdb, passwords.txt, ...).
  3. Added "scapereal" to the distribution. Run "sniffer", sniff a packet list and type "ethereal". You will see an Ethereal-like GTK window showing all the sniffed packets in a graphical fashion.
  4. First version of the GUI using PyQt.
  5. Added a module to gather information from an Oracle TimesTen server.

Inguma 0.0.3: Enhancing vulnerability research [2007-09-06 09:21]

Inguma 0.0.3 has been released and a lot of work has been done. In this version you will find a disassembler (with special support for x86 and AVR) that makes the life of a security researcher easier when doing static analysis of a commercial closed source product.

Also, in the krash directory, you will notice that a general purpose automatic "token based" fuzzer has been added with various sample packets.

New in the toolkit are many new simple libraries that will make the task of writing new exploits and fuzzers for various protocols easier.

Needless to say (Hi guy!), the Oracle PL/SQL fuzzer has been updated and, of course, it continues finding "problems" in the "Fortune 500" favourite database.

A bunch of brute forcers, such as one for SMB/CIFS-compatible servers (such as Samba), have been added to the toolkit.

Read the README, ./dis/README and ./krash/README files for more information.

The following is the detailed ChangeLog:

  1. Added a, non integrated, disassembler (you will need objdump). See dis/README for details.
  2. Added a, non integrated, general purpose token based fuzzer. See krash/README for details.
  3. Enhanced the Oracle PL/SQL fuzzer.
  4. Added a TNS fuzzer. Use the tnscmd's option "fuzz".
  5. Minor changes to the TNS Listener tool "tnscmd".
  6. Support to "autoscan" a complete network (i.e., 192.168.1.0/24).
  7. Now, it can "automagically" brute force username and passwords.
  8. Added "libfuzz", a library to make easier the task of writing new fuzzers.
  9. The module "identify" now can identify rmi, ocfs2, web servers, ftp servers, ssh servers, TNS listeners, CIFS/SMB compatible servers, LPD servers, Jet Direct printers, SMTP servers and MySQL servers. Sufficient for now (at least for me ;]).
  10. Better support for Win32.
  11. Basic plain text report support.
  12. Better support for kb (knowledge base) files.
  13. Better support for brute force modules.
  14. Added the "interactive" option to launch in interactive or batch mode.
  15. Autoscan can ignore specified hosts.
  16. Autoscan is "SMB/CIFS" aware and can automagically brute force username and passwords.
  17. Module "portscan" has been enhanced.
  18. Rpcdump and samrdump can use username and passwords (brute forced or guessed).
  19. Module "tcpscan" has been enhanced.
  20. Minor fixes for various discover modules.
  21. Added "libslp", a library (dissector?) for the Service Location Protocol.
  22. The FTP fuzzer has been integrated.

Inguma, an Open Source pen-testing framework [2007-02-16 08:03]

I'm pleased to announce the first public version of Inguma, an open source penetration testing framework which is written completely in Python.
 
Currently there is not much work done yet (remember that this is only a pre-alpha version), but you have modules to perform the following actions:
  1. Communicate with a TNS Listener
  2. Exploits for Oracle Database (prior to CPU Oct 2006)
  3. Gather information from an Oracle E-Business Suite 11i instance
  4. A module to test NIDS rules (with a Snort plugin)
  5. 2 Portscanners: a simple TCP scan and a SYN, ACK, FIN, XMAS port scanner.
  6. A module to dump the SAM database
  7. A module to dump the RPC endpoints
  8. A samba client
  9. A sniffer
  10. A fuzzer for OSI layers 2,3 and 4 (ARP, TCP and IP, at the moment)
  11. Fuzzers for Oracle, SQL Server/Sybase, Informix and PostgreSQL
  12. A brute forcer for Sybase
  13. Python native libraries to communicate with a TNS Listener or a Sybase/SQL Server server.

There are many dependencies you need to meet in order to fully test the project:
 
  1. Impacket libraries
  2. pysnmp (if you will use SNMP)
  3. Scapy

In future releases you can expect more Oracle exploits and many other kinds of modules but, at the moment, that's what is implemented.

Copyright (c) 2007 Joxean Koret