Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and can be used by web developers, penetration testers and security researchers to test web applications for bugs, errors or vulnerabilities related to command injection attacks. With this tool it is very easy to find and exploit a command injection vulnerability in a vulnerable parameter or string. Commix is written in the Python programming language.
Install
sudo apt-get install git
cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/stasinopoulos/commix.git
cd commix
python commix.py -h
Most of HconSTF is semi-automated, but you still need your brain to work it out. It can be used in all kinds of security testing stages, and it has tools for conducting tasks such as:
- Web Penetration Testing
- Web Exploits Development
- Web Malware Analysis
- Open Source Intelligence ( Cyber Spying & Doxing )
Install
cd ~
mkdir arsenal
cd arsenal
For x86_64 system :
wget http://sourceforge.net/projects/hconframework/files/HconFramework-Fire/HconSTF_0.5_Prime/HconSTF_v0.5_Prime_Linux_x64.tar.bz2
tar -jxvf HconSTF_v0.5_Prime_Linux_x64.tar.bz2
cd HconSTF
sudo ./HconSTF
For x86 system :
wget http://sourceforge.net/projects/hconframework/files/HconFramework-Fire/HconSTF_0.5_Prime/HconSTF_v0.5_Linux_x86.tar.bz2
tar -jxvf HconSTF_v0.5_Linux_x86.tar.bz2
cd HconSTF
sudo ./HconSTF
Update/Upgrade
rm -R ~/arsenal/HconSTF
Go to the official site to download the latest version and repeat the Install procedure.
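The install steps above fetch an archive over plain HTTP and run its contents with sudo. As an added example (not part of the original post), the shell function below refuses to extract an archive unless its SHA-256 matches a digest obtained from the publisher through a separate trusted channel and every member path stays inside the target directory. The function names and the demo archive are constructed for illustration; the page gives no digest for any of its downloads.

```shell
#!/bin/sh
# Added example (not from the original post): pin a SHA-256 digest for a
# downloaded archive and inspect its member paths before extracting it.

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Read member names on stdin; succeed if any is absolute or contains "..".
has_unsafe_member() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# Returns 0 only if the digest matches and every member stays inside DESTDIR.
verify_and_extract() {
    archive=$1 expected=$2 dest=$3
    actual=$(sha256_of "$archive")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "REFUSED $archive: digest mismatch (got ${actual:-none})" >&2
        return 1
    fi
    if tar -tf "$archive" | has_unsafe_member; then
        echo "REFUSED $archive: member path escapes the target directory" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest"
}

# Constructed demo: build a small archive, then try a correct and a wrong digest.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/tool" && echo 'echo hello' > "$work/src/tool/run.sh"
    tar -cf "$work/tool.tar" -C "$work/src" tool
    good=$(sha256_of "$work/tool.tar")
    bad=$(printf '%064d' 0)   # placeholder digest that cannot match
    verify_and_extract "$work/tool.tar" "$good" "$work/out" \
        && echo "pinned digest: extracted"
    verify_and_extract "$work/tool.tar" "$bad" "$work/out2" 2>/dev/null \
        || echo "wrong digest: refused"
    rm -rf "$work"
}
demo
```

Only after verify_and_extract succeeds should anything from the extracted directory be started, with or without sudo.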
The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.
PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.
The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minutes.
Install
sudo apt-get install git
cd ~
git clone https://github.com/trustedsec/ptf.git
cd ptf
sudo ./ptf
If you want to install and/or update everything :
use modules/install_update_all
run
All the modules (pentesting tools) are installed at /pentest directory. Please note that WINE and i386 dependencies will be installed accordingly.
Update/Upgrade
sudo apt-get update
sudo apt-get dist-upgrade
PTF will try to update itself on every start up. Meanwhile, you can run PTF at any directory after the first run.
Last year, I was talking about how to use NightHawk to do malicious things. The full article is here. Two years ago, I also talked about using pre-paid SIM card to do malicious things and the full article is here. However, you think that it would be a chance to be caught as TOR network exit nodes may be monitoring by law enforcements. Meanwhile, identity registration may be needed to purchase SIM card in your country. Okay, today I will introduce another method that you can use wired network to do malicious things untraceable.
In my country, there are many "Internet Cafe" which have a pool of computer systems that running Windows system to provide network gaming or internet services to their customers with a cheap price per hour. Those computer systems will be equipped "Reborn Card" which can reset to its default setting on every reboot. Normally, the "Internet Cafe" will reboot their computer systems every day.
You can hire a computer system in the "Internet Cafe", reboot it. Plug in your Kali Linux or BackBox Linux Live USB (or your custom made pentesting Linux Live USB). Personally, I will recommend BackBox as it will have some outstanding features, such as memory wiper.
After your malicious tasks, you can reboot your computer system and it will reset to its default setting. Normally, no data or activities will be logged in the computer system.
When law enforcements trace your IP address which will direct them to the "Internet Cafe", they cannot obtain any evidence from the computer pool as those systems are reborned!
Finally, beware that CCTV will be installed in the "Internet Cafe" or nearby shops which will capture your presence. You may need to do some "make up" when necessary.
OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/secretsquirrel/the-backdoor-factory.git
cd the-backdoor-factory
sudo pip install capstone
sudo ./install.sh
edb is a cross platform x86/x86-64 debugger. It was inspired by Ollydbg, but aims to function on x86 and x86-64 as well as multiple OS's. Linux is the only officially supported platform at the moment, but FreeBSD, OpenBSD, OSX and Windows ports are underway with varying degrees of functionality.
cd ~
mkdir arsenal
cd arsenal
git clone --recursive https://github.com/eteran/edb-debugger.git
cd edb-debugger
./travis_install_capstone.sh
qmake
make
sudo make install
cd ~
mkdir .edb
# Double quotes let the shell expand $USER before sed runs
sed -i -e "s|directory.session.path=|directory.session.path=/home/$USER/.edb|g" ~/.config/codef00.com/edb.conf
sed -i -e "s|directory.symbol.path=|directory.symbol.path=/home/$USER/.edb|g" ~/.config/codef00.com/edb.conf
edb
*** Thanks to Vladimir Stupnikov for pointing out the installation error. ***
Update/Upgrade
cd ~/arsenal
rm -R edb-debugger
Repeat the Install procedure as previously mentioned.
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly.
Moreover, due to its integrated browser environment, it can also audit and inspect client-side code, as well as support highly complicated web applications which make heavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX.
Finally, it is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.
Install
cd ~
cd arsenal
wget https://github.com/Arachni/arachni/releases/download/v1.2.1/arachni-1.2.1-0.5.7.1-linux-x86_64.tar.gz
tar -xvzf arachni-1.2.1-0.5.7.1-linux-x86_64.tar.gz
cd arachni-1.2.1-0.5.7.1/bin
./arachni_web
Start Firefox and point to http://127.0.0.1:9292
* Default credentials are as the following :
Administrator account
E-mail: admin@admin.admin
Password: administrator
Regular user account
E-mail: user@user.user
Password: regular_user
Update/Upgrade
rm -R ~/arsenal/arachni-1.2.1-0.5.7.1
Then repeat the Install procedure, downloading the latest version.
NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases as well as web applications using NoSQL in order to disclose data from the database.
It is named as a tribute to Bernardo Damele and Miroslav Stampar's popular SQL injection tool sqlmap, and its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases". Presently the tool's exploits are focused around MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra is planned in future releases.
Install
sudo apt-get install git python-setuptools
cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/tcstool/nosqlmap.git
cd nosqlmap
sudo python setup.py install
python nosqlmap.py
Update/Upgrade
sudo apt-get update
sudo apt-get dist-upgrade
cd ~/arsenal/nosqlmap
git pull origin master
sudo python setup.py install --force
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.
Install
sudo apt-get install git python-impacket
cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.
Install
sudo apt-get install build-essential libssl-dev
cd ~
mkdir arsenal
cd arsenal
wget http://www.openwall.com/john/j/john-1.8.0-jumbo-1.tar.gz
tar -xvzf john-1.8.0-jumbo-1.tar.gz
cd john-1.8.0-jumbo-1/src
./configure
make clean
make
cd ../run
./john --help
* you can also install by sudo apt-get install john john-data
Update/Upgrade
sudo apt-get update
sudo apt-get dist-upgrade
Go to Official site to download the source and compile it as mentioned above.
Reference
Please install Nvidia or AMD Graphic related drivers before installing John when necessary.
Netcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol.
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Netcat, or "nc" as the actual program is named, should have been supplied long ago as another one of those cryptic but standard Unix tools.
CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.
At the moment, CMSs supported by CMSmap are WordPress, Joomla and Drupal.
Install
sudo apt-get install git
cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/Dionach/CMSmap.git
cd CMSmap
python cmsmap.py -t http://www.google.com
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Install
sudo apt-get install default-jre unzip
cd ~
mkdir arsenal
cd arsenal
wget https://github.com/zaproxy/zaproxy/releases/download/w2015-08-12/ZAP_WEEKLY_D-2015-08-12.zip
unzip ZAP_WEEKLY_D-2015-08-12.zip
rm ZAP_WEEKLY_D-2015-08-12.zip
cd ZAP_D-2015-08-12
./zap.sh
* ZAP_WEEKLY_D-2015-08-12.zip as example.
* ZAP Team generate weekly releases of ZAP from the trunk, typically every Monday.
These are just intended for people who want to use all of the features we've added since the last 'full' release but don't want the hassle of building ZAP from the source code.
While we endeavor to ensure that weekly releases are robust, things may be broken or only partially implemented.
Update/Upgrade
sudo apt-get update
sudo apt-get dist-upgrade
cd ~/arsenal/
Go to Download to download ZAP Weekly and repeat the procedure of "Install" previously mentioned.
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.
Install
sudo apt-get install curl default-jre
cd ~
mkdir arsenal
cd arsenal
mkdir burpsuite
cd burpsuite
curl "https://portswigger.net/DownloadUpdate.ashx?Product=Free" -o burpsuite_free.jar
java -jar -Xmx1024m burpsuite_free.jar
Update/Upgrade
sudo apt-get update
sudo apt-get dist-upgrade
cd ~/arsenal/burpsuite
rm burpsuite_free.jar
curl "https://portswigger.net/DownloadUpdate.ashx?Product=Free" -o burpsuite_free.jar
Weevely is a command line web shell dynamically extended over the network at runtime designed for remote administration and pen testing. It provides a weaponized telnet-like console through a PHP script running on the target, even in restricted environments.
The low footprint agent and over 30 modules shape an extensible framework to administrate, conduct a pen-test, post-exploit, and audit remote web accesses in order to escalate privileges and pivot deeper in the internal networks.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Install
sudo apt-get install git
cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
python sqlmap.py -hh
Number one of the biggest security holes are passwords, as every password security study shows.
THC-Hydra is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.
cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
./hydra -h
./xhydra
* Oracle, NCP and SAP/R3 are not supported in this build as there are no libraries available from the repos
* you can install by sudo apt-get install hydra hydra-gtk
Update/Upgrade
sudo apt-get update
sudo apt-get dist-upgrade
cd ~/arsenal/thc-hydra
git pull origin master
make clean
./configure
make
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Install
sudo apt-get install git build-essential
cd ~
mkdir arsenal
cd arsenal
git clone https://github.com/nmap/nmap.git
cd nmap
./configure
make
sudo make install
sudo nmap -sS -sV 192.168.0.100
* or you can install by sudo apt-get install nmap
Update/Upgrade
sudo apt-get update
sudo apt-get dist-upgrade
cd ~/arsenal/nmap
git pull origin master
make clean
make
sudo make install
Masscan is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.
It produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.
NOTE: masscan uses a custom TCP/IP stack. Anything other than simple port scans will cause conflict with the local TCP/IP stack. This means you need to either use the -S option to use a separate IP address, or configure your operating system to firewall the ports that masscan uses.
Install
To install Masscan on Ubuntu 14.04.03 LTS Desktop :
SpiderFoot is an open source intelligence automation tool. Its goal is to automate the process of gathering intelligence about a given target, which may be an IP address, domain name, hostname or network subnet.
SpiderFoot can be used offensively, i.e. as part of a black-box penetration test to gather information about the target or defensively to identify what information your organisation is freely providing for attackers to use against you.
Install
To install Spiderfoot on Ubuntu 14.04.3 LTS Desktop :
Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng!
Install
To install Recon-ng on Ubuntu 14.04.3 LTS Desktop :
*** Please note that all the tests were run on a Linux host (Ubuntu 14.04.3); a Windows host may give different results. ***
*** Updated on August 14, 2015 : VirtualBox 5.0.2 for Linux fixed the slow speed (VMM: fixed an issue causing artificially high load averages on Linux hosts). ***
Kali Linux 2.0 was released today (August 11, 2014 EST). I downloaded the 64-bit full version and installed it on VirtualBox 5.0. The host computer has an Intel Celeron(R) CPU N2930 @ 1.83GHz × 4 and 8 GB RAM. I assigned 5 GB RAM to Kali Linux 2.0. It runs quite slowly with 5 GB RAM on my VirtualBox 5.0. Meanwhile, the sound is always muted on every start up even if you have set it before.
(A) Installation
When installing via the non-graphical interface, you may find that no network mirror repos are available; bypass this by selecting "Continue without a network mirror? Yes" and we will edit /etc/apt/sources.list later. The graphical interface may have the same problem.
After the installation is completed, edit /etc/apt/sources.list if you encountered the missing mirror repos during installation.
nano /etc/apt/sources.list
The content of the file should look like this :
deb http://http.kali.org/kali sana main non-free contrib
deb-src http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
deb-src http://security.kali.org/kali-security/ sana/updates main contrib non-free
(B) Install VirtualBox 5.0 Guest Additions CD
When you are going to install VirtualBox 5.0 Guest Additions CD, you need to install dkms first :
apt-get install dkms
* It will also install the related header files. If not, you need to install the header files yourself.
When installing the VirtualBox Guest Additions CD, you may encounter the following error :
*** Error in `systemctl': double free or corruption (fasttop): 0x00007fc0cb648ae0 ***
It should be a systemctl error. I do not know what it affects so far. After checking the dmesg messages, the error is due to :
systemd[1]: Cannot add dependency job for unit vboxadd-service.service, ignoring: Unit vboxadd-service.service failed to load: No such file or directory.
It is recommended to uninstall the Guest Additions CD at the moment; some features will not be available on the guest virtual machine.
(C) Uninstall VirtualBox 5.0 Guest Additions CD
To uninstall VirtualBox Guest Additions, run :
/opt/VBoxGuestAdditions-5.0.0/uninstall.sh
This error will show again :
*** Error in `systemctl': double free or corruption (fasttop): 0x00007f124e3f2ae0 ***
(D) Applications not working properly
The following applications are launched from the Quick Menu on the left hand side of the screen.
armitage - it cannot be launched
Maltego - it launches but it cannot be operated and it cannot be quit too
BeEF - it shows an error and no login screen is displayed UNLESS you start the "beef start" at "System Services" under "Applications" menu
There may be other applications that do not work, such as "system log", "VLC media player", "ImageMagick", etc. I cannot test them all one by one as there are too many.
* Even if the VirtualBox Guest Additions are uninstalled or Kali 2.0 is reinstalled, the applications above still do not work properly
** Other applications on the Applications menu were not tested, nor were those not in the Applications menu
*** Running BeEF, it produces the following error : (process:1371): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size = 0' failed
(E) Conclusion
Kali Linux 2.0 was not well tested before it was released. It is very disappointing. Kali 2.0 is slower than 1.1.0a on the same testing machine. Or you may need a more powerful computer or laptop to run it. Some applications on the Quick Menu cannot run properly in this release. DISAPPOINTED!
That's all! See you.
Update on August 12, 2015
I conducted a random test on Kali Linux 2.0, I found the following :
redis-server is running in the background.
Apache2 is listening on TCP6 only instead of TCP4 and TCP6 at the same time.
OpenVAS cannot be started properly via "Applications", "System services", "openvas start". Systemd error produced.
It seems that systemd is buggy.
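The two listener observations above (redis-server running in the background, Apache2 shown under tcp6 only) can be checked from netstat -tlnp output. This added example, not part of the original post, classifies each listening socket by scope and address family; on Linux a wildcard tcp6 listener also accepts IPv4 connections when net.ipv6.bindv6only is 0, unless the program sets IPV6_V6ONLY on the socket itself, which netstat output does not show. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets from `netstat -tlnp` output.
# Live use (assumes Linux with IPv6 enabled):
#   sudo netstat -tlnp | classify_listeners "$(cat /proc/sys/net/ipv6/bindv6only)"

# classify_listeners BINDV6ONLY   (reads netstat output on stdin)
# Prints one line per listener: PORT PROGRAM SCOPE FAMILIES
classify_listeners() {
    awk -v v6only="${1:-0}" '
        $6 == "LISTEN" && ($1 == "tcp" || $1 == "tcp6") {
            addr = $4
            port = addr; sub(/^.*:/, "", port)       # text after the last colon
            sub(/:[0-9]+$/, "", addr)                 # address without the port
            prog = $7; sub(/^[0-9]+\//, "", prog)     # drop the "PID/" prefix
            if (prog == "" || prog == "-") prog = "unknown"

            if (addr ~ /^127\./ || addr == "::1")
                scope = "loopback"
            else if (addr == "0.0.0.0" || addr == "::")
                scope = "all-interfaces"
            else
                scope = "one-address"

            # Assumption: the socket keeps the system default for IPV6_V6ONLY,
            # so a wildcard tcp6 listener is dual-stack when bindv6only is 0.
            if ($1 == "tcp")
                fam = "ipv4"
            else if (addr == "::" && v6only == 0)
                fam = "ipv4+ipv6"
            else
                fam = "ipv6"

            print port, prog, scope, fam
        }'
}

# exposed_listeners BINDV6ONLY: keep only sockets reachable from other hosts.
exposed_listeners() {
    classify_listeners "$1" | awk '$3 != "loopback"'
}

# Constructed sample in the layout of `netstat -tlnp` (not captured from a host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      612/redis-server
tcp6       0      0 :::80                   :::*                    LISTEN      845/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      530/sshd
EOF
}

sample_netstat | classify_listeners 0
```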
Update on August 13, 2015
After talking with the founder of Offensive Security (muts), I am going to install Kali Linux 2.0 on other virtual machine software to see the result.
I tried to install Kali Linux 2.0 on VMWare Workstation 11 for Linux on a laptop (Lenovo Thinkpad X200 with 4GB RAM) but it failed in the middle and the installation never completed. I do not have Workstation 12, so I cannot test it.
Then, I picked up another laptop (Lenovo Thinkpad X201s with 8GB RAM) which is running VirtualBox 4.3.30 on Ubuntu 14.04. I assigned 4GB RAM to Kali. The installation was smooth. Maybe the Kali Linux repos server is out of the DDoS. (The Kali Linux repos server has been under DDoS for hours since the release, according to the founder of Offensive Security).
The VirtualBox Guest Additions CD is installed without problem. However, "armitage", "system log", "VLC media player" and "ImageMagick" do not launch. Meanwhile, "redis-server" is running in the background; "Apache2" is listening on TCP6 only. "systemd" errors will be produced on selecting "openvas start".
On the other hand, "Maltego" and "BeEF" are working properly with only one click.
Kali Linux 2.0 is running fast and responsive on VirtualBox 4.3.30.
Some users at #kali-linux (IRC channel) found some weird problems, such as "thin.services" is running and making the system very slow.
Ubuntu 14.04.4 desktop is running smoothly on VirtualBox 5.0. It is suspected that Kali Linux 2.0 selects hardware and virtual machine software.
The conclusion is changed to ACCEPTABLE! Kali Linux Team should be doing better.
Update on August 13, 2015 (Part 2)
This time, I want to test Kali Linux 2.0 VirtualBox 64-bit image and it is running 2GB RAM and 30GB hard drive.
There is a "kali-proposed-updates.list" at /etc/apt/sources.list.d/ and the content is :
deb http://http.kali.org/kali sana-proposed-updates main contrib non-free
Running on VirtualBox 5.0 on Ubuntu 14.04.3 host :
"armitage" cannot be launched.
"maltego" cannot run properly and it cannot be quit.
"BeEF" launched but no login screen UNLESS run "beef start" at "System services" under "Applications".
"VLC media player" and "ImageMagick" do not work.
"system log" works.
"Apache2" is listening on TCP6 only.
"redis-server" is running in the background.
"dkms" accompanied with only one headers file.
Guest Additions CD install with the same "systemctl" error message.
"systemd" errors will be produced on selecting "openvas start".
Running on VirtualBox 4.3.30 on Ubuntu 14.04.3 host :
"armitage" cannot be launched.
"maltego" and "BeEF" can be launched with one click.
"VLC media player" and "ImageMagick" do not work.
"system log" works.
"Apache2" is listening on TCP6 only.
"redis-server" is running in the background.
"dkms" accompanied with only one headers file.
Guest Additions CD install with the same "systemctl" error message.
* Not kidding, it has error message.
"systemd" errors will be produced on selecting "openvas start".
Obviously, the Kali Linux Team did not test their work well before it was released. The content of the VirtualBox image is different from the ISO. The rating still remains ACCEPTABLE!
I will not test any ISO or image files for this release any more. Maybe I will wait for the next release.
* It seems that this VirtualBox image has the VirtualBox 5.0 Guest Additions CD installed
Update on August 14, 2015
muts stated that I am misinformed. Therefore, I made a very boring video (about 26 minutes long) as proof, which is posted at the beginning of this article today.
Armitage was updated yesterday by the Kali Linux Team. Therefore, it is working fine now. Meanwhile, VirtualBox was updated from 5.0.0 to 5.0.2 and the high CPU loading on Linux hosts is fixed.
I also tested Debian 8.1 (latest update) in the same environment and installed the Guest Additions CD. I also encountered the "systemctl double free or corruption (fasttop)" error. This error may be from VirtualBox 5.0.x or from Debian.
However, the Kali Linux Team forgot to test their amazing Kali Linux 2.0 with VirtualBox 5.0.x on a Linux host. Therefore, the rating is still ACCEPTABLE.
Update on August 17, 2015
Fedora 22 uses systemd by default. I installed Fedora 22 (64-bit) on VirtualBox 5.0.2 with an Ubuntu 14.04 host without any problem or error, including the Guest Additions CD install.
I also tested Kali Linux 2.0 (64-bit) on VirtualBox 5.0.2 with Mac OSX 10.10.5 and it has similar errors.
Update on August 25, 2015
Since I do not like Kali Linux 2.0, I installed my favourite tools on Ubuntu 14.04 LTS recently (please refer to here). I found out that at least BeEF runs very differently between Kali Linux 2.0 and Ubuntu 14.04 on VirtualBox 5.0.2. Kali Linux 2.0 produces error messages while Ubuntu does not. Both versions of BeEF are 0.4.6.1-alpha. I made a video on that, here you are :
Android devices running Android versions 2.2 through 5.1.1_r5 contain vulnerabilities in the Stagefright media playback engine. Exploitation of these vulnerabilities may allow an attacker to access multimedia files or potentially take control of a vulnerable device.
Detection
To test whether your Android device is vulnerable to the Stagefright vulnerabilities, you can use the following Apps by Zimperium INC.
It is recommended to update/upgrade your Android ROM to non-vulnerable version. If your vendors do not release any update/upgrade, you can perform the following steps for a workaround.
I confirmed that CyanogenMod 12.1 Nightly for OnePlus One has fixed the Stagefright vulnerabilities by using Google Play - Stagefright Detector by Zimperium INC, while OnePlus One v5.0.2 (Cyanogen OS version 12.0-YNG1TAS2I3) and Google Nexus 5 v5.1.1 (Build number LMY48B) are still vulnerable to the Stagefright vulnerabilities at the time of this writing.
It is also confirmed that CyanogenMod 12.0 and 12.1 have fixed the vulnerabilities. Or, you may consider flashing a CyanogenMod ROM if your devices are supported.
If you have OnePlus One, you can follow this guide to update/upgrade your OnePlus One.
The Node Chat Room (NodeChat) is developed with Node.js and it is forked from "Smashing Node.js: JavaScript Everywhere" Chapter 6. It is modified by Samiux and is released under GPLv3 License.
It provides basic chat room features, including private message. It will not save anything in the server.