It’s finally out there: the OWASP Mth3l3m3nt Framework. It’s a small tool to aid you in carrying out your pentest tasks with as few resources as possible. Most of us can afford simple shared hosting services but not a VPS powerful enough to run pentest distros, mainly because of cost constraints. This one, however, just needs a web server and, optionally, a database server. If you don’t have a database server, no worries: it has you covered with its own database based on JIG.
A run through the modules currently available in version one:
Storage
Information in the Mth3l3m3nt Framework can be stored in any of the following databases, with a smooth changeover between them.
- JIG
- SQLite
- PostgreSQL
- MySQL
- MSSQL
- MongoDB
The changeover is smooth; note, however, that the current version doesn’t migrate the data to the new database. It just builds the schema and adds a default user so you can start working with the new database.
Payload Module
I’m sure we are all familiar with those payloads we love to use but never seem to find when we need them. This module aims to keep them for you in one place. Best part: you can share them with the public on a read-only frontend, while the backend has edit capability. No more losing those key payloads.
Generic Request Module
We all love services like hurl.it; however, when we are on a penetration test where an application or web service is only accessible from the internal network, we don’t have the luxury of using such a service. This module brings that service to you: on your local install you can perform requests as you would in hurl.it, but from a self-managed application that gives you that flexibility. It’s open source, with no limitations. Currently it supports GET and POST requests.
Shell Generator Module
Well, this module is self-explanatory: you need that minimal shell in a pentest ASAP so that you can open up the gateway to heaven. Not a coder? Not a problem: “Let me generate that shell for you” 😉. Currently we are doing shells in:
- PHP
- JSP
- JSPX
- ASP
Web Herd Module
So your shell is safely uploaded, along with a few million other shells in your very large-scale pentest. Keeping track becomes easy when you can trace and control all of them from a central point. Enter “Web Herd”... “Oh yee great shepherd, may the force of the HTTP Bot be with you”. With this you can command all your minimal shells. When you are done, you need to clean up before deleting them from the list, and this is easy: in the command view, just run the relevant delete command on the webshell file depending on the OS, e.g. rm -f myShell.php for Linux. Then delete the shell from the list. No more leaving unattended shells on client machines after a pentest; effective backdoor management is provided.
LFI Exploits Module
Well, LFI is easy, fun and lovable, especially when extracting files. This module comes with inbuilt LFI exploits, and you can also build custom ones in as little as 6 lines of code. It doesn’t get easier than this.
Payload Encoder/Decoder Module
This does what it says it does. For instance, say you are doing an SQL injection: you’ve written your upload script and need to push it via the INTO OUTFILE function. Running the script as a string breaks the query, so why not speak to the database in a language it understands, e.g. hex with a 0x prefix? This module will encode it for you, and decode it if you use the decoder.
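The same 0x convention is what to look for when reviewing database query logs after an engagement or an incident. The following is an added example, not part of the framework or the original post: it flags logged statements that pair a long hex literal with INTO OUTFILE/DUMPFILE and decodes the literal for review. The function names, the 16-digit threshold and the sample log lines are assumptions constructed for illustration.

```python
import re

# 0x literal with at least 16 hex digits (8 bytes); the threshold is an assumption
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{16,})\b")
FILE_WRITE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.IGNORECASE)


def decode_hex_literals(statement):
    """Return the decoded text of every long 0x literal in one SQL statement."""
    decoded = []
    for match in HEX_LITERAL.finditer(statement):
        digits = match.group(1)
        if len(digits) % 2:
            # MySQL treats an odd-length 0x value as having an extra leading 0
            digits = "0" + digits
        raw = bytes.fromhex(digits)
        # Content is not always valid UTF-8; keep undecodable bytes visible
        decoded.append(raw.decode("utf-8", errors="backslashreplace"))
    return decoded


def flag_file_writes(log_lines):
    """Return (line_number, decoded_literals) for each statement that combines
    a long hex literal with INTO OUTFILE or INTO DUMPFILE."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        if not FILE_WRITE.search(line):
            continue
        literals = decode_hex_literals(line)
        if literals:
            findings.append((number, literals))
    return findings


# Constructed sample data: harmless text, hex-encoded the way the post describes
SAMPLE_TEXT = "<?php /* constructed sample */ ?>"
SAMPLE_LOG = [
    "42 Query SELECT name FROM users WHERE id = 7",
    "42 Query SELECT 0x" + SAMPLE_TEXT.encode().hex()
    + " INTO OUTFILE '/tmp/constructed.out'",
    "43 Query SELECT * FROM items WHERE flags = 0x0F",
]

if __name__ == "__main__":
    for number, literals in flag_file_writes(SAMPLE_LOG):
        for text in literals:
            print(f"line {number}: hex literal written to file decodes to {text!r}")
```
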