[Owasp-alabama] lunker

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Fri Aug 28 20:13:01 EDT 2009


A few items I wanted to address relating to the setup of the tool, and
distribution.

 

#1 If the tool is downloaded in a source code type format, the user will be
responsible for creating the MySQL database tables, permissions, etc. At one
point, I believe Brad wrote a script for this.

#2 No matter the install method, the htemail.py (sp) script has a setting at
the bottom to configure your SMTP mail server. For most scenarios, it
requires authentication to be supplied.

#3 To add and modify the phishing emails, they are in the Linker database.
The field accepts HTML code so you can do a simple save-as and paste the
code into a new field.

#4 The last time I checked, the Ajax monitor page wasn't working correctly
yet. So you can simply tail the Apache log file, or write a monitor script.
However, I'm sure that we will get the AJAX working with a few changes.

 

TODO:

We need to add the following:

A: Interface to easily add and modify the spoofed email templates

B: A better monitoring interface

C: TimeStamps in the DB when each email is sent to be used as a metric in
the reporting

D: Cleanup of the root folder (I'm working on this)

E: Cleanup of the info gathering page. (There actually is CURL code to crawl
search engines but we run into search result limit issues. This could be
corrected with an API, I suppose, like MSN Pawn does)

F: We need to come up with a SAFE payload page much like the anti phishing
work group has.

G: Security audit of the code before we release to Beta status

 

We are looking for contributors to help, so reply to the items above if
you're interested.

 

JP

 

From: owasp-alabama-bounces at lists.owasp.org
[mailto:owasp-alabama-bounces at lists.owasp.org] On Behalf Of
owasp-alabama at lists.owasp.org
Sent: Friday, August 28, 2009 1:11 PM
To: owasp-alabama at lists.owasp.org
Subject: [Owasp-alabama] lunker

 

A few things going on with Lunker:

- It has not been officially released yet, and we are in a sort of "alpha
internal testing state". This will allow our local Alabama chapter to
download, play with, and test it before we present it officially to OWASP as
a project (tool).

- It is currently hosted in read-only SVN status here:
https://attackvectors.com/svn/lunker
As recommended during our first chapter meeting, I've only pushed up the
/htdocs directory and it's up to you to have apache, mysql, php, etc.

- The next release of the OWASP live CD will have a working copy of lunker
on it.

- Directly after that release there will be a Forum set up for user support
on http://www.appseclive.org

- What am I missing? Anyone had a chance to look at it? I know the thing HAS
to be full of bugs, given that Josh and I haven't had much free time to really
hammer on it lately. Are there any list members willing to contribute some
time or effort?

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
Never underestimate the time, expense, and effort an opponent will expend to
break a code. (Robert Morris)
--
