Metaspolit-like framework taps into 29M hacked passwords

Powered by SC Magazine
 

Open source Python pen test tool released.

A Python framework has been released that taps into more than 29 million hacked accounts for use in penetration tests.

The fully-fledged Recon-ng framework was released by pen tester Tim Tomes and could access the millions of stolen and hacked credentials held by PwnedList.

Credit: Katsrcool

Tomes said the framework, built over several months, did not overlap with the established Metasploit framework because it was built for web-based open-source reconnaissance.

"We've been using it at Black Hills Information Security over the past several months and it has drastically increased our efficiency and effectiveness during the penetration testing process, Tomes said.

"At times, we've had valid authentication credentials for a target without ever sending a packet to the network.

"I encourage any and all input, as I am not a programmer, just someone who likes to code."

Recon-ng contains "independent modules, database interaction, convenience functions, interactive help, and command completion" with the look and feel of Metasploit, which it is hoped will reduce the learning curve of the framework.

"It is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the module class. The module class is a customised cmd interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardising output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. "

PwnList's Steve Thomas told SC it is the first open source framework of its kind.

"It is the first open source framework that we know of that makes it easy for penetration testers to get access to hacker-stolen credentials for their clients in just a matter of seconds," he said.

Copyright © SC Magazine, Australia


Metaspolit-like framework taps into 29M hacked passwords
 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 333

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  57%
 
No
  43%
TOTAL VOTES: 138

Vote