Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
WMAT - Web Mail Auth Tool
Posted by: Ivan
Date: February 17, 2009 09:13AM

Hello everyone,

After the successful DFF Scanner project (http://www.owasp.org/index.php/Phoenix/Tools, http://sla.ckers.org/forum/read.php?12,11148,11489, http://security-net.biz/wsw/index.php?p=242&n=195), I'm happy to introduce a new tool from NSS (http://netsec.rs): WMAT.

WMAT is a Web Mail Auth Tool that provides some essential functions for testing web mail logins.

How does it work? It is very simple: you give WMAT a file with usernames, a file with passwords, the URL of the web mail app, and choose a pattern for the attack.

Patterns are XML files that define POST/GET fields, HTTP method, referer, success tag, etc. for each web mail application.

For now I have patterns for Horde, SquirrelMail, Kerio and MDaemon web mail.
You can see an example of this XML file here: http://security-net.biz/wmat/patterns/horde.wmat.xml.

--- horde.wmat.xml ---
<?xml version='1.0' encoding='UTF-8'?>
<data>
<username>horde_user</username>
<password>horde_pass</password>
<action_url>login.php</action_url>
<success>sidebar.php</success>
<method>post</method>
<useragent></useragent>
<referer></referer>
<additional_fields></additional_fields>
<author>ivan.markovic@netsec.rs</author>
</data>
-----------------------

I need some help from the community with these patterns. In each pattern I expect an author field as a sign of gratitude. :)

There are some more options, like setting a timeout (time between each request), a bell on success, and an option for writing output to a file.

The readme file is here: http://security-net.biz/wmat/readme.txt.

This is the first version and I plan to implement more options, like:
- using a proxy
- special addon for generation of usernames/passwords
- automatic recognizer of web app
- ...

You can download WMAT from this URL: http://security-net.biz/wmat/wmat.zip, or
see wmat.py here: http://security-net.biz/wmat/wmat.py.txt


Please give some comments, ideas/requests, bug reports, ...


Thanks,
Ivan Markovic
Network Security Solutions

http://www.security-net.biz/

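Seen from the defender's side, the fields of the Horde pattern posted above (action_url, method, success) also describe what this kind of login testing looks like in a web server access log. The sketch below is an added example, not part of the original post and not WMAT code: it flags clients that submit the login form repeatedly in a short window and notes whether they then reached the success page. It assumes combined-format access logs and that the success marker appears as a later request path; the function name, thresholds and log lines are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the horde.wmat.xml fields shown in the post above.
PATTERN = ET.fromstring(
    "<data><action_url>login.php</action_url>"
    "<success>sidebar.php</success><method>post</method></data>")

# client IP, timestamp, HTTP verb, request path (combined log format assumed)
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" ')

def find_guessing(lines, pattern=PATTERN, threshold=5,
                  window=timedelta(seconds=60)):
    """Return {ip: {"succeeded": bool, "attempts": n}} for clients with at
    least `threshold` login submissions inside a sliding `window`."""
    action = pattern.findtext("action_url")
    success = pattern.findtext("success")
    method = pattern.findtext("method").upper()
    recent = defaultdict(list)   # ip -> submission times still inside window
    total = defaultdict(int)     # ip -> all submissions seen
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue             # ignore lines in another format
        ip, ts, verb, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        page = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if verb == method and page == action:
            total[ip] += 1
            recent[ip] = [t for t in recent[ip] if when - t <= window] + [when]
            if len(recent[ip]) >= threshold:
                flagged.setdefault(ip, {"succeeded": False})
            if ip in flagged:
                flagged[ip]["attempts"] = total[ip]
        elif page == success and ip in flagged:
            flagged[ip]["succeeded"] = True   # a guess may have worked
    return flagged

# Constructed sample log: one noisy client, one ordinary user.
SAMPLE = [f'203.0.113.7 - - [17/Feb/2009:09:13:{s:02d} +0000] '
          '"POST /horde/login.php HTTP/1.1" 302 0' for s in range(0, 12, 2)]
SAMPLE += [
    '203.0.113.7 - - [17/Feb/2009:09:13:13 +0000] "GET /horde/sidebar.php HTTP/1.1" 200 512',
    '198.51.100.20 - - [17/Feb/2009:09:14:00 +0000] "POST /horde/login.php HTTP/1.1" 302 0',
    '198.51.100.20 - - [17/Feb/2009:09:14:01 +0000] "GET /horde/sidebar.php HTTP/1.1" 200 512']

if __name__ == "__main__":
    print(find_guessing(SAMPLE))
```

Because the post mentions a timeout option that spaces out requests, a short window alone will miss slow runs; widen `window` or add a per-account failure count on the server side.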
Re: WMAT - Web Mail Auth Tool
Posted by: Ivan
Date: March 09, 2009 05:40PM

Hello everyone,

Just to say that we released a new version of WMAT, the download link is the same: http://security-net.biz/wmat/wmat.zip.

In the new version we have support for SSL, proxy, and an automatic password generator.
The updated readme can be found here: http://security-net.biz/wmat/readme.txt.


Please feel free to give any comment ... Thanks!

http://www.security-net.biz/
