22/08/2012

The Teenage Mutant Ninja Turtles project....

Intro
 
Elusive Thoughts is proud to present the Teenage Mutant Ninja Turtles project....


What is Teenage Mutant Ninja Turtles?

The Teenage Mutant Ninja Turtles project is three things:
  1. A Web Application payload database (heavily based on fuzzdb project for now).
  2. A Web Application error database.
  3. A Web Application payload mutator.
Nowadays all high-profile sites in the financial and telecommunication sectors use filters to block all types of injection attacks, such as SQL, XSS, XXE, HTTP header injection etc. In this project I am going to provide you with a tool that generates obfuscated fuzzing injection attacks in order to bypass badly implemented Web Application injection filters (e.g. for SQL injections, XSS injections etc.).

When you test a Web Application all you need is a fuzzer and ammunition:

"I saw clearly that war was upon us when I learned that my young men had been secretly buying ammunition."

Chief Joseph

Ammunition is what you use for fuzzing and the weapon is the fuzzer itself. The project called teenage-mutant-ninja-turtles is an open source payload mutator, nothing more, nothing less. With teenage-mutant-ninja-turtles you will be able to generate obfuscated payloads for testing all sorts of attacks, such as XSS, SQL injections etc. The project is at version 1.1 and currently supports only SQL injection fuzzing. Later on I will add support for fuzzdb and all types of attacks. Maybe later it will become a complete Web Application scanner, who knows. If you are interested, please contact me to participate.

Download link: http://code.google.com/p/teenage-mutant-ninja-turtles/downloads/list

The Teenage Mutant Ninja Turtles in action

The following screenshot shows the tool banner (yes it has a banner!!):


The Teenage Mutant Turtle is a Web Application payload database for performing black box Web Application penetration tests (it also supports banner displaying!!!). More specifically, it is:
  1. A collection of known attack patterns focused on Web Application input validation attacks (e.g. SQL injections, XSS attacks etc.).
  2. A collection of error messages produced by malicious and malformed user inputs, which you can use with Burp Intruder or other grep-like utilities to identify and verify vulnerabilities when fuzzing.
  3. An easy-to-use Python script that helps you obfuscate payloads for bypassing custom Web Application filters.
It is designed to be used by people with a wide range of security experience, and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester's toolkit.

The Teenage Mutant Ninja Turtles features

Currently Teenage Mutant Ninja Turtles (tmnt) supports the following features:
  1. Generic payload URL encoding.
  2. Generic payload Base64 encoding.
  3. SQL keyword case variation (e.g. converts SELECT to SeLeCt etc.).
  4. Generic payload de-duplication (e.g. removing duplicate payload lines).
  5. SQL Injection suffix adder (e.g. adding EXEC to the beginning of the payload etc.).
  6. SQL Injection post-fix adder (e.g. adding ); -- to the end of the payload etc.).
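
Seen from the defender's side, the encodings in this feature list are exactly what an input filter has to undo before it matches anything. The following Python sketch is an added example, not code from the tmnt project: it compares an exact-case filter with one that peels URL and Base64 layers first. The keyword list, function names and sample strings are constructed for the demonstration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

KEYWORDS = ("SELECT", "UNION", "EXEC", "DROP")  # constructed demo list, not tmnt's
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)

def naive_filter(value):
    """Badly implemented filter: exact-case match on the raw input only."""
    return any(k in value for k in KEYWORDS)

def try_base64(value):
    """Return decoded text if value is strict Base64 of printable ASCII, else None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def canonical_forms(value, max_rounds=5):
    """Peel URL and Base64 layers, bounded by max_rounds; return every layer."""
    forms = [value]
    for _ in range(max_rounds):
        decoded = unquote(forms[-1])
        if decoded == forms[-1]:  # no percent-escapes left, so try Base64
            decoded = try_base64(decoded)
        if decoded is None:
            break
        forms.append(decoded)
    return forms

def normalizing_filter(value):
    """Case-insensitive keyword match against every decoded layer."""
    return any(KEYWORD_RE.search(form) for form in canonical_forms(value))

def pct(text):  # percent-encode every byte; used only to build the samples
    return "".join(f"%{b:02X}" for b in text.encode())

PLAIN = "SELECT name FROM users"  # constructed sample inputs follow
SAMPLES = {
    "plain": PLAIN, "case": "SeLeCt name FROM users",
    "url": pct(PLAIN), "double_url": pct(pct(PLAIN)),
    "base64": base64.b64encode(PLAIN.encode()).decode(),
    "benign": "blue running shoes size 42",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:<10} naive={naive_filter(value)} normalizing={normalizing_filter(value)}")
```

Only the unmodified sample trips the exact-case filter, while the normalizing filter flags all five mutated forms and leaves the benign string alone.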
The following screenshot shows the help message of the tool:


Epilogue 

There are more features to come...