Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5854 articles
Browse latest View live

Mitm6 - Pwning IPv4 Via IPv6

February 22, 2018, 12:04 pm
$
0
0

Mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attackers host as default DNS server. As DNS server, mitm6 will selectively reply to DNS queries of the attackers choosing and redirect the victims traffic to the attacker machine instead of the legitimate server. For a full explanation of the attack, see this blog about mitm6. Mitm6 is designed to work together with ntlmrelayx from impacket for WPAD spoofing and credential relaying.

Dependencies and installation
mitm6 is compatible with both Python 2.7 and 3.x. You can install the requirements for your version with pip install -r requirements.txt. In both cases, mitm6 uses the following packages:
  • Scapy
  • Twisted
  • netifaces
For python 2.7, it uses the ipaddress backport module. You can install the latest release from PyPI with pip install mitm6, or the latest version from source with python setup.py install after cloning this git repository.

Usage
After installation, mitm6 will be available as a command line program called mitm6. Since it uses raw packet capture with Scapy, it should be run as root. mitm6 should detect your network settings by default and use your primary interface for its spoofing. The only option you will probably need to specify is the AD domain that you are spoofing. For advanced tuning, the following options are available:
usage: mitm6.py [-h] [-i INTERFACE] [-l LOCALDOMAIN] [-4 ADDRESS] [-6 ADDRESS]
                [-m ADDRESS] [-a] [-v] [--debug] [-d DOMAIN] [-b DOMAIN]
                [-hw DOMAIN] [-hb DOMAIN] [--ignore-nofqnd]

mitm6 - pwning IPv4 via IPv6
For help or reporting issues, visit https://github.com/fox-it/mitm6

optional arguments:
  -h, --help            show this help message and exit
  -i INTERFACE, --interface INTERFACE
                        Interface to use (default: autodetect)
  -l LOCALDOMAIN, --localdomain LOCALDOMAIN
                        Domain name to use as DNS search domain (default: use
                        first DNS domain)
  -4 ADDRESS, --ipv4 ADDRESS
                        IPv4 address to send packets from (default:
                        autodetect)
  -6 ADDRESS, --ipv6 ADDRESS
                        IPv6 link-local address to send packets from (default:
                        autodetect)
  -m ADDRESS, --mac ADDRESS
                        Custom mac address - probably breaks stuff (default:
                        mac of selected interface)
  -a, --no-ra           Do not advertise ourselves (useful for networks which
                        detect rogue Router Advertisements)
  -v, --verbose         Show verbose information
  --debug               Show debug information

Filtering options:
  -d DOMAIN, --domain DOMAIN
                        Domain name to filter DNS queries on (Whitelist
                        principle, multiple can be specified.)
  -b DOMAIN, --blacklist DOMAIN
                        Domain name to filter DNS queries on (Blacklist
                        principle, multiple can be specified.)
  -hw DOMAIN, --host-whitelist DOMAIN
                        Hostname (FQDN) to filter DHCPv6 queries on (Whitelist
                        principle, multiple can be specified.)
  -hb DOMAIN, --host-blacklist DOMAIN
                        Hostname (FQDN) to filter DHCPv6 queries on (Blacklist
                        principle, multiple can be specified.)
  --ignore-nofqnd       Ignore DHCPv6 queries that do not contain the Fully
                        Qualified Domain Name (FQDN) option.
You can manually override most of the autodetect options (though overriding the MAC address will break things). If the network has some hardware which blocks or detects rogue Router Advertisement messages, you can add the --no-ra flag to not broadcast those. Router Advertisements are not needed for mitm6 to work since it relies mainly on DHCPv6 messages.

Filtering options
Several filtering options are available to select which hosts you want to attack and spoof. First there are the --host-whitelist and --host-blacklist options (or -hw and -hb for short), which take a (partial) domain as argument. Incoming DHCPv6 requests will be filtered against this list. The property checked is the DHCPv6 FQND option, in which the client provides its hostname. The same applies for DNS requests, for this the --domain option (or -d) is available, where you can supply which domain(s) you want to spoof. Blacklisting is also possible with --blacklist/-b.
For both the host and DNS filtering, simple string matching is performed. So if you choose to reply to wpad, it will also reply to queries for wpad.corpdomain.com. If you want more specific filtering, use both the whitelist and blacklist options, since the blacklist takes precedence over the whitelist. By default the first domain specified will be used as the DNS search domain, if you explicitliy want to specify this domain yourself use the --localdomain option.

About network impact and restoring the network
mitm6 is designed as a penetration testing tool and should thus impact the network as little as possible. This is the main reason mitm6 doesn't implement a full man-in-the-middle attack currently, like we see in for example the SLAAC attack. To further minimize the impact, the IP addresses assigned have low time-to-live (TTL) values. The lease will expire within 5 minutes when mitm6 is stopped, which will remove the DNS server from the victims configuration. To prevent DNS replies getting cached, all replies are sent with a TTL of 100 seconds, which makes sure the cache is cleared within minutes after the tool exits.

Usage with ntlmrelayx
mitm6 is designed to be used with ntlmrelayx. You should run the tools next to each other, in this scenario mitm6 will spoof the DNS, causing victims to connect to ntlmrelayx for HTTP and SMB connections. For this you have to make sure to run ntlmrelayx with the -6 option, which will make it listen on both IPv4 and IPv6. To obtain credentials for WPAD, specify the WPAD hostname to spoof with -wh HOSTNAME (any non-existing hostname in the local domain will work since mitm6 is the DNS server). Optionally you can also use the -wa N parameter with a number of attempts to prompt for authentication for the WPAD file itself in case you suspect victims do not have the MS16-077 patch applied.

Detection
The Fox-IT Security Research Team team has released Snort and Suricata signatures to detect rogue DHCPv6 traffic and WPAD replies over IPv6. The signatures are available here: https://gist.github.com/fox-srt/98f29051fe56a1695de8e914c4a2373f


Search

Invoke-Obfuscation - PowerShell Obfuscator

February 23, 2018, 5:00 am
$
0
0

Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.

Purpose
Attackers and commodity malware have started using extremely basic obfuscation techniques to hide the majority of the command from the command line arguments of powershell.exe. I developed this tool to aid the Blue Team in simulating obfuscated commands based on what I currently know to be syntactically possible in PowerShell 2.0-5.0 so that they can test their detection capabilities of these techniques.
The tool's sole purpose is to break any assumptions that we as defenders may have concerning how PowerShell commands can appear on the command line. My hope is that it will encourage the Blue Team to shift to looking for Indicators of Obfuscation on the command line in addition to updating PowerShell logging to include Module, ScriptBlock and Transcription logging as these sources simplify most aspects of the obfuscation techniques generated by this tool.

Usage
While all of the layers of obfuscation have been built out into separate scripts, most users will find the Invoke-Obfuscation function to be the easiest way to explorer and visualize the obfuscation techniques that this framework currently supports.

Installation
The source code for Invoke-Obfuscation is hosted at Github, and you may download, fork and review it from this repository (https://github.com/danielbohannon/Invoke-Obfuscation). Please report issues or feature requests through Github's bug tracker associated with this project.
To install:
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation

License
Invoke-Obfuscation is released under the Apache 2.0 license.

Release Notes
v1.0 - 2016-09-25 DerbyCon 6.0 (Louisville, Kentucky USA): PUBLIC Release of Invoke-Obfuscation.
v1.1 - 2016-10-09 SANS DFIR Summit (Prague, Czech Republic): Added -f format operator re-ordering functionality to all applicable TOKEN obfuscation functions. Also added additional syntax options for setting variable values.
v1.2 - 2016-10-20 CODE BLUE (Tokyo, Japan): Added Type TOKEN obfuscation (direct type casting with string obfuscation options for type name).
v1.3 - 2016-10-22 Hacktivity (Budapest, Hungary): Added two new LAUNCHERs: CLIP+ and CLIP++. Also added additional (and simpler) array char conversion syntax for all ENCODING functions that does not require For-EachObject/%.
v1.4 - 2016-10-28 BruCON (Ghent, Belgium): Added new BXOR ENCODING function. Also enhanced randomized case for all components of all ENCODING functions as well as for PowerShell execution flags for all LAUNCHERs. Finally, added -EP shorthand option for -ExecutionPolicy to all LAUNCHERs as well as the optional integer representation of the -WindowStyle PowerShell execution flag: Normal (0), Hidden (1), Minimized (2), Maximized (3).
v1.5 - 2016-11-04 Blue Hat (Redmond, Washington USA): Added WMIC LAUNCHER with some randomization of WMIC command line arguments.
v1.6 - 2017-01-24 Blue Hat IL (Tel Aviv, Israel):
  • Added CLI functionality: E.g., Invoke-Obfuscation -ScriptBlock {Write-Host 'CLI FTW!'} -Command 'Token\All\1, Encoding\1,Launcher\Stdin++\234,Clip' -Quiet -NoExit
  • Added UNDO functionality to remove one layer of obfuscation at a time.
  • Removed Whitespace obfuscation from Token\All\1 to speed up large script obfuscation.
  • Added Process Argument Tree output for all launchers to aid defenders.
  • Added base menu auto-detect functionality to avoid needing to use BACK or HOME: E.g., if you ran TOKEN then ALL then 1, then just type LAUNCHER and you will get to the LAUNCHER menu without needing to type HOME or BACK to get back to the home menu.
  • Added multi-command syntax utilized by CLI and interactive mode: E.g., Token\All\1,String\3,Encoding\5,Launcher\Ps\234,Clip
  • Added regex capability to all menu and obfuscation commands: E.g., Token**,String[13],Encoding(1|6),Launcher.*[+]{2}\234,Clip
  • Added OUT FILEPATH single command functionality.
  • Added decoding if powershell -enc syntax is entered as a SCRIPTBLOCK value.
  • Added alias ForEach to ForEach-Object/% randomized syntax options in all ENCODING functions.
  • Added -Key -Ke -K KEY substring syntax options to Out-SecureStringCommand.ps1.
  • Added more thorough case randomization to all \Home\String obfuscation functions.
  • Added -ST/-STA (Single-Threaded Apartment) flags to CLIP+ and CLIP++ launcher functions since they are required if running on PowerShell 2.0.
  • Added Get-Item/GI/Item syntax everywhere where Get-ChildItem is used to get variable values.
  • Added Set-Item variable instantiation syntax to TYPE obfuscation function.
  • Added additional Invoke-Expression/IEX syntax using PowerShell automatic variables and environment variable value concatenations in Out-ObfuscatedStringCommand.ps1's Out-EncapsulatedInvokeExpression function and copied to all launchers, STRING and ENCODING functions to add numerous command-line syntaxes for IEX.
  • Added two new JOIN syntaxes for String\Reverse and all ENCODING obfuscation options:
  1. Added [String]::Join('',$string) JOIN syntax
  2. Added OFS-variable JOIN syntax (Output Field Separator automatic variable)
  • Added two more SecureString syntaxes to Encoding\5:
  1. PtrToStringAnsi / SecureStringToGlobalAllocAnsi
  2. PtrToStringBSTR / SecureStringToBSTR
  • Added six GetMember alternate syntaxes for several SecureString members:
  1. PtrToStringAuto, ([Runtime.InteropServices.Marshal].GetMembers()[3].Name).Invoke
  2. PtrToStringAuto, ([Runtime.InteropServices.Marshal].GetMembers()[5].Name).Invoke
  3. PtrToStringUni , ([Runtime.InteropServices.Marshal].GetMembers()[2].Name).Invoke
  4. PtrToStringUni , ([Runtime.InteropServices.Marshal].GetMembers()[4].Name).Invoke
  5. PtrToStringAnsi, ([Runtime.InteropServices.Marshal].GetMembers()[0].Name).Invoke
  6. PtrToStringAnsi, ([Runtime.InteropServices.Marshal].GetMembers()[1].Name).Invoke
  • Updated Out-ObfuscatedTokenCommand.ps1 so that VARIABLE obfuscation won't encapsulate variables in ${} if they are already encapsulated (so ${${var}} won't happen as this causes errors).
  • Replaced Invoke-Obfuscation.psm1 with Invoke-Obfuscation.psd1 (thanks @Carlos_Perez).
  • Fixed several TOKEN-level obfuscation bugs reported by @cobbr_io and @IISResetMe.
v1.7 - 2017-03-03 nullcon (Goa, India):
  • Added 3 new LAUNCHERs: RUNDLL, RUNDLL++ and MSHTA++
  • Added additional ExecutionContext wildcard variable strings
v1.8 - 2017-07-27 Black Hat (Las Vegas, Nevada USA):
  • Added 2 new ENCODING options: Special Characters and Whitespace
v1.8.1 - 2017-12-19:
  • Added COMPRESS function for easier conversion of multi-line scripts to a one-liner command while drastically reducing the command length for cmd.exe command line length limitation purposes.
v1.8.2 - 2018-01-04:
  • Added AST obfuscation functions, which obfuscates by manipulating the structure of the AbstractSyntaxTree without using many special characters.


Revoke-Obfuscation - PowerShell Obfuscation Detection Framework

February 23, 2018, 12:29 pm
$
0
0


Revoke-Obfuscation is a PowerShell v3.0+ compatible PowerShell obfuscation detection framework.

Authors
Daniel Bohannon (@danielhbohannon) Lee Holmes (@Lee_Homes)

Research

Background
In the Fall of 2016 and Spring of 2017, Daniel Bohannon (@danielhbohannon) released Invoke-Obfuscation and Invoke-CradleCrafter, two open-source PowerShell obfuscation frameworks. The goal of this research and these frameworks was to highlight the limitations of a purely signature-based approach to detecting attackers' usage of PowerShell. The core message to defenders has been to focus on detecting Indicators of Obfuscation in addition to known suspicious syntax.
However, the extreme levels of randomization in Invoke-Obfuscation and Invoke-CradleCrafter paired with the token-layer obfuscation options that are not deobfuscated in PowerShell's script block logging have led defenders to look for a new, scalable means of generically detecting both known and unknown obfuscation techniques.
A few weeks after the release of Invoke-Obfuscation, Lee Holmes (@Lee_Homes) authored a blog posted entitled More Detecting Obfuscated PowerShell in which he highlighted statistical analysis techniques to detect anomalous features found in heavily obfuscated scripts, specifically those produced by Invoke-Obfuscation.
Since this exchange, Daniel and Lee became good friends and shared many common interests/obsessions -- namely, a love of fine coffee and the pursuit of creating new ways to thoroughly detect obfuscated PowerShell.
The amount of time both Blue Teamers spent pouring over research and POC code would equate to several thousand cups of Chemex-brewed coffee assuming the proper 4-minute target brew time (assuming at least one other coffee enthusiast picked up on this "pour over" pun).
Revoke-Obfuscation is the final hand-crafted product of these efforts.

Purpose
Revoke-Obfuscation is an open-source PowerShell v3.0+ framework for detecting obfuscated PowerShell commands and scripts at scale. It relies on PowerShell's AST (Abstract Syntax Tree) to rapidly extract thousands of features from any input PowerShell script and compare this feature vector against one of several pre-defined weighted feature vectors computed through an automated learning process conducted against a corpus of 408K+ PowerShell scripts. This full corpus can be downloaded from (https://aka.ms/PowerShellCorpus). Stay tuned for the publishing of the labeled data and the tooling used for training.
Since Revoke-Obfuscation relies on feature extraction and comparison instead of pure IOCs or RegEx matching, it is more robust in its ability to identify unknown obfuscation techniques even when attackers attempt to subdue their obfuscation by padding it with unobfuscated script contents to overthrow basic checks like character frequency analysis.
Revoke-Obfuscation can easily measure most input PowerShell scripts within 100-300 milliseconds. This level of performance allows an organization to measure the obfuscation of (at worst) 12K+ PowerShell scripts per hour without the need to index verbose PowerShell script block logs in a SIEM.
Lastly, Revoke-Obfuscation supports easy whitelisting functionality along with the ability to ingest PowerShell Operational event log records and reassemble script blocks that are recorded across numerous script block EID 4104 records. It can easily become a one-stop shop for ingesting an environment's PowerShell Operational event logs, reassembling and unique'ing all scripts within those logs, and then identifying obfuscated PowerShell scripts that deserve manual inspection.

Installation
The source code for Revoke-Obfuscation is hosted at Github, and you may download, fork and review it from this repository (https://github.com/danielbohannon/Revoke-Obfuscation). Please report issues or feature requests through Github's bug tracker associated with this project.
To install (from Github):
Import-Module .\Revoke-Obfuscation.psd1
The source code can also be installed directly from the PowerShell Gallery via the following commands:
To install (from PowerShell Gallery):
Install-Module Revoke-Obfuscation
Import-Module Revoke-Obfuscation

Usage
Revoke-Obfuscation will provide a detailed tutorial as well as a few other fun surprises. But if you are not into the lulz then you can simply run Get-Help Measure-RvoObfuscation to see usage syntax or just continue reading.
There are two primary functions used in this framework:
  • Get-RvoScriptBlock -- reassembles scripts from EID 4104 script block logs
  • Measure-RvoObfuscation -- measures input script(s) and returns obfuscation score
If you need to reassemble and extract script block logs from PowerShell Operational logs then Get-RvoScriptBlock is your function of choice. It automatically returns only unique script blocks and excludes certain default script block values deemed not malicious. This can be overridden with the -Deep switch.
  • Get-RvoScriptBlock -Path 'C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx' -Verbose
  • Get-ChildItem .\Demo\demo.evtx | Get-RvoScriptBlock -Verbose
  • Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Get-RvoScriptBlock -Verbose
Get-RvoScriptBlock also supports MIR/HX audit results as well as PowerShell Operational logs retrieved via Matt Graeber's (@mattifestation) CimSweep project (https://github.com/PowerShellMafia/CimSweep). For CimSweep there is a minor registry tweak required to trick WMI into querying a non-classic event log. Details can be found in the NOTES section of Get-RvoScriptBlock.
  • Get-ChildItem C:\MirOrHxAuditFiles\*_w32eventlogs.xml | Get-RvoScriptBlock -Verbose
  • Get-CSEventLogEntry -LogName Microsoft-Windows-PowerShell/Operational | Get-RvoScriptBlock
A full example against test data recorded in demo.evtx can be found below:
$obfResults = Get-WinEvent -Path .\Demo\demo.evtx | Get-RvoScriptBlock | Measure-RvoObfuscation -OutputToDisk -Verbose
A full example against local and remotely hosted test scripts can be found below:
  • Measure-RvoObfuscation -Url 'http://bit.ly/DBOdemo1' -Verbose -OutputToDisk
  • Get-Content .\Demo\DBOdemo*.ps1 | Measure-RvoObfuscation -Verbose -OutputToDisk
  • Get-ChildItem .\Demo\DBOdemo*.ps1 | Measure-RvoObfuscation -Verbose -OutputToDisk
The -OutputToDisk switch will automatically output all obfuscated scripts to .\Results\Obfuscated. Regardless, all results will be returned as PSCustomObjects containing the script content along with metadata like an obfuscation score, measurement time, whitelisting result, all extracted script features, etc.
Three whitelisting options exist in two locations in Revoke-Obfuscation:
  1. On Disk (automatically applied if present):
    1. .\Whitelist\Scripts_To_Whitelist\ -- All scripts placed in this directory will be hashed and any identical scripts will be whitelisted. This whitelisting method is preferred above the next two options.
    2. .\Whitelist\Strings_To_Whitelist.txt -- A script containing ANY of the strings in this file will be whitelisted. Syntax: Rule_Name,string_to_whitelist
    3. .\Whitelist\Regex_To_Whitelist.txt -- A script containing ANY of the regular expressions in this file will be whitelisted. Syntax: Rule_Name,regex_to_whitelist
  2. Arguments for Measure-RvoObfuscation (applied in addition to above whitelisting options):
    1. -WhitelistFile -- -WhitelistFile .\files\*.ps1,.\more_files\*.ps1,.\one_more_file.ps1
    2. -WhitelistContent -- -WhitelistContent 'string 1 to whitelist','string 2 to whitelist'
    3. -WhitelistRegex -- -WhitelistRegex 'regex 1 to whitelist','regex 2 to whitelist'
If interested in creating your own set of training data and generating a weighted vector for the Measure-Vector function, then ModelTrainer.cs/ModelTrainer.exe can be executed against a labeled data set. The following command will extract feature vectors from all input scripts and aggregate them into a single CSV used in this training phase:
Get-ChildItem .\*.ps1 | ForEach-Object { [PSCustomObject](Get-RvoFeatureVector -Path $_.FullName) | Export-Csv .\all_features.csv -Append }
Lastly, if looking for a platform for creating indicators (IOCs) that harness the power of PowerShell's AST (Abstract Syntax Tree) -- which we would highly recommend for identifying malicious PowerShell activity that is NOT obfuscated -- then PS Script Analyzer is an excellent framework designed to handle such tasks.

Release Notes
v1.0 - 2017-07-27 Black Hat USA & 2017-07-30 DEF CON: PUBLIC Release of Revoke-Obfuscation.


meg - Fetch Many Paths For Many Hosts (Without Killing The Hosts)

February 24, 2018, 5:06 am
$
0
0

meg is a tool for fetching lots of URLs but still being 'nice' to servers.
It can be used to fetch many paths for many hosts; fetching one path for all hosts before moving on to the next path and repeating.
You get lots of results quickly, but non of the individual hosts get flooded with traffic.

Install
meg is written in Go and has no run-time dependencies. You can install it with go get:
▶ go get -u github.com/tomnomnom/meg
Or download a binary and put it somewhere in your $PATH.

Basic Usage
Given a file full of paths:
/robots.txt
/.well-known/security.txt
/package.json
And a file full of hosts (with a protocol):
http://example.com
https://example.com
http://example.net
meg will request each path for every host:
▶ meg --verbose paths hosts
out/example.com/45ed6f717d44385c5e9c539b0ad8dc71771780e0 http://example.com/robots.txt (404 Not Found)
out/example.com/61ac5fbb9d3dd054006ae82630b045ba730d8618 https://example.com/robots.txt (404 Not Found)
out/example.net/1432c16b671043271eab84111242b1fe2a28eb98 http://example.net/robots.txt (404 Not Found)
out/example.net/61deaa4fa10a6f601adb74519a900f1f0eca38b7 http://example.net/.well-known/security.txt (404 Not Found)
out/example.com/20bc94a296f17ce7a4e2daa2946d0dc12128b3f1 http://example.com/.well-known/security.txt (404 Not Found)
...
And save the output in a directory called ./out:
▶ head -n 20 ./out/example.com/45ed6f717d44385c5e9c539b0ad8dc71771780e0
http://example.com/robots.txt

> GET /robots.txt HTTP/1.1
> Host: example.com

< HTTP/1.1 404 Not Found
< Expires: Sat, 06 Jan 2018 01:05:38 GMT
< Server: ECS (lga/13A2)
< Accept-Ranges: bytes
< Cache-Control: max-age=604800
< Content-Type: text/*
< Content-Length: 1270
< Date: Sat, 30 Dec 2017 01:05:38 GMT
< Last-Modified: Sun, 24 Dec 2017 06:53:36 GMT
< X-Cache: 404-HIT

<!doctype html>
<html>
<head>
Without any arguments, meg will read paths from a file called ./paths, and hosts from a file called ./hosts. There will also be no output:
▶ meg
But it will save an index file to ./out/index:
▶ head -n 2 ./out/index
out/example.com/538565d7ab544bc3bec5b2f0296783aaec25e756 http://example.com/package.json (404 Not Found)
out/example.com/20bc94a296f17ce7a4e2daa2946d0dc12128b3f1 http://example.com/.well-known/security.txt (404 Not Found)
You can use the index file to find where the response is stored, but it's often easier to find what you're looking for with grep:
▶ grep -Hnri '< Server:' out/
out/example.com/61ac5fbb9d3dd054006ae82630b045ba730d8618:14:< Server: ECS (lga/13A2)
out/example.com/bd8d9f4c470ffa0e6ec8cfa8ba1c51d62289b6dd:16:< Server: ECS (lga/13A3)
If you want to request just one path, you can specify it directly as an argument:
▶ meg /admin.php

Detailed Usage
meg's help output tries to actually be helpful:
▶ meg --help
Request many paths for many hosts

Usage:
  meg [path|pathsFile] [hostsFile] [outputDir]

Options:
  -c, --concurrency <val>    Set the concurrency level (defaut: 20)
  -d, --delay <val>          Milliseconds between requests to the same host (defaut: 5000)
  -H, --header <header>      Send a custom HTTP header
  -r, --rawhttp              Use the rawhttp library for requests (experimental)
  -s, --savestatus <status>  Save only responses with specific status code
  -v, --verbose              Verbose mode
  -X, --method <method>      HTTP method (default: GET)

Defaults:
  pathsFile: ./paths
  hostsFile: ./hosts
  outputDir:  ./out

Paths file format:
  /robots.txt
  /package.json
  /security.txt

Hosts file format:
  http://example.com
  https://example.edu
  https://example.net

Examples:
  meg /robots.txt
  meg hosts.txt paths.txt output

Concurrency
By default meg will attempt to make 20 concurrent requests. You can change that with the -c or --concurrency option:
▶ meg --concurrency 5
It's not very friendly to keep the concurrency level higher than the number of hosts - you may end up sending lots of requests to one host at once.

Delay
By default meg will wait 5000 milliseconds between requests to the same host. You can override that with the -d or --delay option:
▶ meg --delay 10000
Warning: before reducing the delay, ensure that you have permission to make large volumes of requests to the hosts you're targeting.

Adding Headers
You can set additional headers on the requests with the -H or --header option:
▶ meg --header "Origin: https://evil.com"
▶ grep -h '^>' out/example.com/*
> GET /.well-known/security.txt HTTP/1.1
> Origin: https://evil.com
> Host: example.com
...

Raw HTTP (Experimental)
If you want to send requests that aren't valid - for example with invalid URL encoding - the Go HTTP client will fail:
▶ meg /%%0a0afoo:bar
request failed: parse https://example.org/%%0a0afoo:bar: invalid URL escape "%%0"
You can use the -r or --rawhttp flag to enable use of the rawhttp library, which does little to no validation on the request:
▶ meg --verbose --rawhttp /%%0a0afoo:bar
out/example.com/eac3a4978bfb95992e270c311582e6da4568d83d https://example.com/%%0a0afoo:bar (HTTP/1.1 404 Not Found)
The rawhttp library and its use is experimental. Amongst other things it doesn't yet support chunked transfer encoding, so you may notice chunk lengths interspersed with your output if you use it.

Saving Only Certain Status Codes
If you only want to save results that returned a certain status code, you can use the -s or --savestatus option:
▶ meg --savestatus 200 /robots.txt

Specifying The Method
You can specify which HTTP method to use with the -X or --method option:
▶ meg --method TRACE
▶ grep -nri 'TRACE' out/
out/example.com/61ac5fbb9d3dd054006ae82630b045ba730d8618:3:> TRACE /robots.txt HTTP/1.1
out/example.com/bd8d9f4c470ffa0e6ec8cfa8ba1c51d62289b6dd:3:> TRACE /.well-known/security.txt HTTP/1.1
...


meg+ - Automated Reconnaissance Wrapper

February 24, 2018, 1:12 pm
$
0
0

This wrapper will automate numerous tasks and help you during your reconnaissance process. The script finds common issues, low hanging fruit, and assists you when approaching a target. meg+ also allows you to scanall your in-scope targets on HackerOne in one go — it simply retrieves them using a GraphQL query.

Watch TomNomNom's talk to learn more about his reconnaissance methodology:


Installation
You will need Golang, Python 2 or 3, and PHP 7.0 to use all the features provided by this tool. On top of that, make sure to install meg, waybackurls, Sublist3r, and gio.
git clone https://github.com/EdOverflow/megplus.git
cd megplus
go get github.com/tomnomnom/meg
go get github.com/tomnomnom/waybackurls
git clone https://github.com/aboul3la/Sublist3r.git
# See https://github.com/aboul3la/Sublist3r#dependencies

Usage
You can either scan a list of hosts or use your HackerOne X-Auth-Token token to scan all the bug bounty programs that you participate in.
$ ./megplus.sh
1) Usage - target list of domains:        ./megplus.sh <list of domains>
2) Usage - target all HackerOne programs: ./megplus.sh -x <H1 X-Auth-Token>
3) Usage - run sublist3r first:           ./megplus.sh -s <single host>

1) Example: ./megplus.sh domains
2) Example: ./megplus.sh -x XXXXXXXXXXXXXXXX
3) Example: ./megplus.sh -s example.com

Usage - Docker
If you don't feel like installing all the dependencies mentioned above, you can simply run the abhartiya/tools_megplus Docker container, where test.txt is a sample file containing the URLs to test against. In your case, this will be the file containing the URLs you want to test:
docker run -v $(pwd):/megplus abhartiya/tools_megplus test.txt
The command will run the abhartiya/tools_megplus Docker image as a container and mount the pwd onto the container as a volume (at /megplus), which makes the test.txt file available to the container. Once megplus finishes running, the out directory will be created in pwd with all the results.

Scanner
meg+ will scan for the following things:
  • Sudomains using Sublist3r;
  • Configuration files;
  • Interesting strings;
  • Open redirects;
  • CRLF injection;
  • CORS misconfigurations;
  • Path-based XSS;
  • (Sub)domain takeovers.

contact.sh - An OSINT tool to find contacts in order to report security vulnerabilities

February 25, 2018, 5:12 am
$
0
0

An OSINT tool to find contacts in order to report security vulnerabilities.

Installation

Linux
Make sure you have installed the whois and jq packages.
$ git clone https://github.com/EdOverflow/contact.sh.git
$ cd contact.sh/
$ chmod u+x contact.sh
$ ./contact.sh -d google.com -c google

OSX
$ brew install gnu-sed --with-default-names
$ brew install jq
$ git clone https://github.com/EdOverflow/contact.sh.git
$ cd contact.sh/
$ chmod u+x contact.sh
$ ./contact.sh -d google.com -c google

Usage
$ ./contact.sh


 _  _ __ _|_ _  _ _|_    _ |_ 
(_ (_)| | |_(_|(_  |_ o _> | |
            ---
        by EdOverflow


[i] Description: An OSINT tool to find contacts in order to report security vulnerabilities.
[i] Usage: ./contact.sh [Options] use -d for hostnames (-d example.com), -c for vendor name (-c example), and -f for a list of hostnames in a file (-f domains.txt) 
[i] Example: ./contact.sh -d google.com -c google
Use the -d flag when trying to find addresses linked to a domain. contact.sh will return a "Confidence level" based on the source of the information retrieved. A security.txt file located on the domain will have a higher priority than a Twitter account on the company's website.
$ ./contact.sh -d google.com
The -c flag allows you to specify the company's name.
$ ./contact.sh -c google
If the company's name contains spaces, make sure to place the name inside quotes.
$ ./contact.sh -c "keeper security"
You can check a list of domains using the -f flag.
$ ./contact.sh -f domains.txt
For the best results, combine both flags as follows:
$ ./contact.sh -d google.com -c google
contact.sh abides by the target's robots.txt file.
$ ./contact.sh -d linkedin.com


 _  _ __ _|_ _  _ _|_    _ |_ 
(_ (_)| | |_(_|(_  |_ o _> | |
            ---
        by EdOverflow


[+] Finding security.txt files 
 | Confidence level: ★ ★ ★ 
[!] The robots.txt file does not permit crawling this hostname.

[+] Checking HackerOne's directory for hostname 
 | Confidence level: ★ ★ ★ 
https://hackerone.com/linkedin


icebreaker - Gets Plaintext Active Directory Credentials If You'Re On The Internal Network

February 25, 2018, 1:24 pm
$
0
0

Break the ice with that cute Active Directory environment over there. Automates network attacks against Active Directory to deliver you piping hot plaintext credentials when you're inside the network but outside of the Active Directory environment. Performs 5 different network attacks for plaintext credentials as well as hashes. Autocracks hashes found with JohnTheRipper and the top 10 million most common passwords.
  • RID cycling
    • Uses Nmap to find NULL SMB sessions
    • Performs asynchronous RID cycling to find valid usernames
    • Performs a 2 password reverse bruteforce of found usernames
    • Passwords tested: P@ssw0rd and <season><year>, e.g., Winter2018
  • SCF file upload
    • Uses Nmap to find anonymously writeable shares on the network
    • Writes an SCF file to the share with a file icon that points to your machine
    • When a user opens the share in Explorer their hash is sent to you
    • Autocracks the hash with john and top 10 million password list
  • LLMNR/NBTNS/mDNS poisoning
    • Uses Responder.py to poison the layer 2 network and capture user hashes
    • Autocracks the hash with john and top 10 million password list
  • SMB relay
    • Uses ntlmrelay.py and Responder.py to relay SMB hashes
    • After a successful relay it will do the following on the victim machine:
      • Add an administrative user - icebreaker:P@ssword123456
      • Run an obfuscated and AMSI bypassing version of Mimikatz and parse the output for hashes and passwords
  • IPv6 DNS poison
    • Uses mitm6 and ntlmrelayx.py to poison IPv6 DNS and capture user and machine hashes
    • Creates fake WPAD server with authentication
    • Note: this can easily cause network connectivity issues for users so use sparingly

How It Works
It will perform these 5 attacks in order. RID cycling and SCF file uploads usually go fast, then it lingers on attack 3, Repsonder.py, for 10 min by default. After that amount of time, or the user-specified amount of time has passed, it will move on to the final two attacks which are run in parallel. If an SCF file was successfully uploaded and a user visits that file share in Explorer, that hash will be caught by either Responder if the hash is sent while attack 3 is running or the hash will be caught by ntlmrelayx if attacks 4 and 5 are running.
Once ntlmrelayx relays a captured hash, it will run a base64-encoded powershell command that first adds an administrative user (icebreaker:P@ssword123456) then runs an obfuscated and AMSI-bypassing version of Mimikatz. This mimikatz output is parsed and delivered to the user in the standard output as well as in the found-passwords.txt document.
All that's left is pipe those credentials into DeathStar and BAM you went from being a lonely outsider leering at the party going on in that Active Directory domain to being tha goddamn domain admin.

Installation
Note to Kali users: you will need to run 'apt-get remove python-impacket' before running the setup script
sudo ./setup.sh
sudo pipenv shell

Usage
Read from a newline separated list of IP addresses and instead of having ntlmrelayx add a user and mimikatz the victim upon hash relay, have it execute a custom command on the victim machine.
sudo ./icebreaker -l targets.txt -c "net user /add User1 P@ssw0rd"

Read from Nmap XML file, tell Responder to use the eth0 interface rather than the default gateway interface
sudo ./icebreaker -x nmapscan.xml -i eth0

Skip all five attacks and don't autocrack hashes
sudo ./icebreaker.py -x nmapscan.xml -s rid,scf,llmnr,ntlmrelay,dns,crack

Run attack 3, LLMNR poisoning, for 30 minutes before moving on to attack 4, SMB relaying
sudo ./icebreaker.py -x nmapscan.xml -t 30

Run Empire and DeathStar to automatically get domain admin 
sudo ./icebreaker.py -x nmapscan.xml --auto



PoT - Phishing On Twitter

February 26, 2018, 5:16 am
$
0
0
Generate tweet automatically like him/her




How it works?
  • 1- Collect data from target's twitter account
  • 2- Find target's friend and copy her/him account
  • 3- Generate tweet automatically with markov chain algorithm and send it

Installation
git clone https://github.com/omergunal/PoT
cd PoT
pip3 install -r requirements.txt
Update your api keys in "PoT.py". Go to https://apps.twitter.com/ and get API keys

Usage
python3 PoT.py [target_account_name]

ScreenShots






Search

Shellen - Interactive Shellcoding Environment, In Which You Can Easily Craft Your Shellcodes

February 26, 2018, 1:02 pm
$
0
0

Shellen is an interactive shellcoding environment. If you want a handy tool to write shellcodes, then shellen may be your friend. Also, it can be used just as assembly/disassembly tool.
It uses keystone and capstone engines for all provided operations.
Shellen works only on python3. Maybe it will be changed in the future.

Installing
You can install the stable version of shellen using pip3:
$ sudo pip3 install shellen
Or if you already have all required packages (see Requirements):
$ python3 setup.py install
If you have any trouble with installing keystone-engine, then you should compile it by yourself (see the COMPILE.md file in the keystone repository)

How to run:
After installing shellen and all its required packages, you can run shellen just by typing the next in your terminal:
$ shellen
There is the help command inside the tool, that will explain almost everything.

Features
Shellen was created for assembling and disassembling instructions, so there are two modes of using the tool: asm and dsm respectively. Of course, there are some other possibilities like syscalls tables, common shellcodes and other.

Problems/New features
If you find a problem/bug or something, then just write an issue about this problem. Also, if you think, that some feature will be nice to use in shellen, then do the same -- write an issue and I will try to add this feature.

Prompt
It also has a usefull prompt, displaying current mode, OS (Operating System for syscalls) and chosen architecture exactly for this mode. It looks as follows:
L:asm:x86_32 >
You can edit your input like you're typing in a terminal. Also, it has a history of commands (just type up arrow to see them).
L is the shortened name of Linux in the prompt. Below listed all other OS names:
  • L is Linux
  • W is Windows
  • M is MacOS
If you want to change OS, then type setos [linux/windows/macos] as follows:
L:asm:x86_32 > setos windows

[+] OS changed to windows.
To change current mode, enter asm or dsm in the prompt.
L:dsm:arm32 > asm

[+] Changed to asm (assembly) mode

L:asm:x86_32 > dsm

[+] Changed to dsm (disassembly) mode

L:dsm:arm32 >

Assembling
To assembly instuctions, type them separated by colons as follows:
L:asm:x86_32 > mov edx, eax; xor eax, eax; inc edx; int 80;
   [+] Bytes count: 7
       Raw bytes:  "\x89\xc2\x31\xc0\x42\xcd\x50"
       Hex string: "89c231c042cd50"
If your assembled bytes contain a null byte, then shellen will tell you about this.

Disassembling
It works exactly as assembling. Type your bytes in the input prompt and see the result!
L:dsm:x86_32 > 89c231c042cd50
        0x00080000:     mov     edx, eax
        0x00080002:     xor     eax, eax
        0x00080004:     inc     edx
        0x00080005:     int     0x50

Architectures
asm and dsm modes work for different architectures. To see a list of available architectures for a current mode, type this:
L:dsm:x86_32 > archs
┌────────┬────────┬─────────┬─────────┬────────┐
│        │        │         │         │        │
│ arm32  │ mips32 │ sparc32 │ systemz │ x86_16 │
│ arm64  │ mips64 │ sparc64 │         │ x86_32 │
│ arm_tb │        │         │         │ x86_64 │
└────────┴────────┴─────────┴─────────┴────────┘
And if you want to change current architecture, enter follow:
L:dsm:x86_32 > setarch arm32

[+] Architecture of dsm changed to arm32

Syscalls
It's apparent that in process of crafting a shellcode you will be needed syscalls. So, shellen will help you with that. Just type sys with a name of desired syscall and shellen will show you a list of possible syscalls you were looking for.
L:asm:x86_32 > sys open

┌────────┬───────┬──────────────────────┬──────────────────────┬──────────────┬──────────────┐
│ name   │ eax   │ ebx                  │ ecx                  │ edx          │ esi          │
├────────┼───────┼──────────────────────┼──────────────────────┼──────────────┼──────────────┤
│ open   │ 0x05  │ const char *filename │ int flags            │ umode_t mode │ -            │
│ openat │ 0x127 │ int dfd              │ const char *filename │ int flags    │ umode_t mode │
└────────┴───────┴──────────────────────┴──────────────────────┴──────────────┴──────────────┘
This prints possible variants of syscall depending on entered pattern. Syscall table for searching depends on chosen architecture and OS (Operating System). In this case it's x86_32 and Linux.

Common shellcodes
Shellen can show you a list of common shellcodes depending on your keyword. The example of using placed in Pictures section. It uses API of shell-storm.org site (thanks to the author!). You can use it like this:
L:asm:x86_32 > shell <keyword> <count>
Actually, count parameter isn't required.

Operating Systems
It was assumed that there will be several OSs (Linux, Windows and MacOS), but right now supported only Linux. If you want to add functionality for Windows or MacOS, then write an issue and I will add it.

Base commands
CommandDescription
clearClear the terminal screen. As usual cls on Windows or clear on *nix systems.
helpShow the help message.
quit,q,exitFinish the current session and quit

Requirements

Pictures
Just a little bunch of pictures.






WAScan - Web Application Scanner

February 27, 2018, 5:12 am
$
0
0

WAScan ((W)eb (A)pplication (Scan)ner) is a Open Source web application security scanner. It is designed to find various vulnerabilities using "black-box" method, that means it won't study the source code of web applications but will work like a fuzzer, scanning the pages of the deployed web application, extracting links and forms and attacking the scripts, sending payloads and looking for error messages,..etc. WAScan is built on python2.7 and can run on any platform which has a Python environment.

Features
  • Fingerprint
    • Detect Server
    • Detect Web Frameworks (22)
    • Check Cookie Security
    • Check Headers Security
    • Detect Language (9)
    • Detect Operating System (OS - 8)
    • Detect Content Management System (CMS - 6)
    • Detect Web Application Firewall (WAF - 54)
  • Attacks
    • Bash Command Injection (ShellShock)
    • Blind SQL Injection
    • SQL Injection via Cookie,Referer and User-Agent Header Value
    • Cross-Site Scripting (XSS) via Cookie,Referer and User-Agent Header Value
    • Buffer Overflow
    • HTML Code Injection
    • PHP Code Injection
    • LDAP Injection
    • Local File Inclusion (lfi)
    • OS Commanding
    • SQL Injection
    • XPath Injection
    • Cross Site Scripting (XSS)
  • Audit
    • Apache Status
    • WebDav
    • PHPInfo
    • Robots Paths
    • Cross-Site Tracing (XST)
  • Bruteforce
    • Admin Panel
    • Backdoor (shell)
    • Backup Dirs
    • Backup Files
    • Common Dirs
    • Common Files
  • Disclosure
    • Credit Cards
    • Emails
    • Private IP
    • SSN
    • Detect Warnings,Fatal Error,...

Installation
$ git clone https://github.com/m4ll0k/WAScan.git wascan
$ cd wascan 
$ pip install -r requirements.txt
$ python wascan.py


Protobuf-Inspector - Tool To Reverse-Engineer Protocol Buffers With Unknown Definition

February 27, 2018, 1:04 pm
$
0
0
Simple program that can parse Google Protobuf encoded blobs (version 2 or 3) without knowing their accompanying definition. It will print a nice, colored representation of their contents. Example:


As you can see, the field names are obviously lost, together with some high-level details such as:
  • whether a varint uses zig-zag encoding or not (will assume no zig-zag by default)
  • whether a 32-bit/64-bit value is an integer or float (both shown by default)
  • signedness (auto-detect by default)
But protobuf-inspector is able to correctly guess the message structure most of the time. When it finds embedded binary data on a field, it'll first try to parse it as a message. If that fails, it'll display the data as a string or hexdump. It can make mistakes, especially with small chunks.
It shows the fields just in the order they are encoded in the wire, so it can be useful for those wanting to get familiar with the wire format or parser developers, in addition to reverse-engineering.

Usage
No dependencies required. Just run main.py and feed the protobuf blob on stdin:
./main.py < my-protobuf-blob
After reading the first (blind) analysis of the blob, you typically start defining some of the fields so protobuf-inspector can better parse your blobs, until you get to a point where you have a full protobuf definition and the parser no longer has to guess anything.
Read about defining fields here.

Parsing errors
If a parsing error is found, parsing will stop within that field, but will go on unaffected at the outside of the hierarchy. The stack trace will be printed where the field contents would go, along with a hexdump indicating where parsing was stopped in that chunk, if applicable.
So, if you specified a uint32 and a larger varint is found, you'd get something like:


If you specified that some field contained an embedded message, but invalid data was found there, you'd get:


Please note that main.py will exit with non-zero status if one or more parsing errors occurred.

Tricks
There are some tricks you can use to save time when approaching a blob:
  1. If you are positive that a varint does not use zig-zag encoding, but are still not sure of the signedness, leave it as varint. If it does use zig-zag encoding, use sint64 unless you are sure it's 32-bit and not 64-bit.
  2. If a chunk is wrongly being recognized as a packed chunk or an embedded message, or if you see something weird with the parsed message and want to see the raw bytes, specify a type of bytes. Conversely, if for some reason it's not being detected as an embedded message and it should, force it to message to see the reason.
  3. If you want to extract a chunk's raw data to a file to analyze it better, specify a type of dump and protobuf-inspector will create dump.0, dump.1, etc. every time it finds a matching blob.
  4. protobuf-inspector parses the blob as a message of type root, but that's just a default. If you have lots of message types defined, you can pass a type name as optional argument, and protobuf-inspector will use that instead of root:
    ./main.py request < my-protobuf-blob


Ninja Shell - Port Knocking Technique With AES256-GCM

February 28, 2018, 5:17 am
$
0
0

Raw socket shell with AES256-GCM, using Port Knocking technique( https://en.wikipedia.org/wiki/Port_knocking ) using specific tcp flags ,FIN,URG and PSH.

Raw socket ?
Raw mode is basically there to allow you to bypass some of the way that your computer handles TCP/IP. Rather than going through the normal layers of encapsulation/decapsulation that the TCP/IP stack on the kernel does, you just pass the packet to the application that needs it. No TCP/IP processing -- so it's not a processed packet, it's a raw packet. The application that's using the packet is now responsible for stripping off the headers, analyzing the packet, all the stuff that the TCP/IP stack in the kernel normally does for you.
A raw socket is a socket that takes packets, bypasses the normal TCP/IP processing, and sends them to the application that wants them.
Unless you're a programmer, a kernel hacker, or really really into security, you will most likely not need to deal much with these. But it's good to know what they are, in case you find yourself in one of the above scenarios.

Install OpenSSL lib
Deb based linux follow:
# apt-get install openssl-dev
or
# apt-get install ssldev or ssl-dev
on rpm based linux follow:
# yum install openssl-devel

To run you need use root because raw socket need:
To compile
# make
on server machine:
# bin/server
on client machine:
# bin/client the_SERVER_IP_addr
To change keys edit /src/server.c and /src/cleint.c, and compile...


Prithvi - A Report Generation Tool For Security Assessment

February 28, 2018, 1:21 pm
$
0
0

A Report Generation Tool for Security Assessment

Usage
This project of ours could be used for report generation and its very easy to use.
It includes following features
  1. We can add Owasp Types and recommendation with details.
  2. We can add Multiple Projects and work on it separately.
  3. We can add multiple vulnerabilities on different projects with proof of concept.
  4. On generating report it provides document file (.docx).
  5. Currently we are trying to add more facilities like Chart and will be updated soon.

Setup
  1. Create Database `reporting` in server (We used XAMPP).
  2. Import reporting.sql in your local server.
  3. Download complete source and extract node_modules.
  4. Run index.js and enjoy.
  5. Follow our blog for details

Technology Used
  1. Angularjs for frontend
  2. MySQL as Database
  3. NodeJS (ExpressJS) as our back end

Video


More info at https://www.vegabird.com/prithvi.


Passhunt - Tool For Searching Of Default Credentials For Network Devices, Web Applications And More

March 1, 2018, 5:37 am
$
0
0

Passhunt is a simple tool for searching of default credentials for network devices, web applications and more. Search through 523 vendors and their 2084 default passwords.

How to install?
git clone https://github.com/Viralmaniar/Passhunt.git
cd Passhunt
pip3 install -r requirements.txt
python Passhunt.py

How do I use this?
  • Press 1: This will print the list of supported vendors.
  • Press 2: Enter the vendor name and search for deafult credentials.
  • Press 3: To exit from the program.

Bettercap v2.0 - The State Of The Art Network Attack And Monitoring Framework

March 1, 2018, 11:51 am
$
0
0

bettercap is the Swiss army knife for network attacks and monitoring.


How to Install
A precompiled version is available for each release, alternatively you can use the latest version of the source code from this repository in order to build your own binary.
Make sure you have a correctly configured Go >= 1.8 environment, that $GOPATH/bin is in $PATH and the libpcap-dev package installed for your system, then:
$ go get github.com/bettercap/bettercap
This command will download bettercap, install its dependencies, compile it and move the bettercap executable to $GOPATH/bin.
Now you can use sudo bettercap -h to show the basic command line options and just sudo bettercap to start an interactive session on your default network interface, otherwise you can load a caplet from the dedicated repository.

Update
In order to update to an unstable but bleeding edge release from this repository, run the command below:
$ go get -u github.com/bettercap/bettercap

Interactive Mode

The basic command line arguments ( bettercap -h ) are:
argumentdescription
-caplet FILENAMERead commands from this file and execute them in the interactive session.
-eval COMMANDSRun one or more commands separated by ; in the interactive session, used to set variables via command line.
-iface INTERFACENetwork interface to bind to, if empty the default interface will be auto selected (accepts interface name, ip or mac address).
-no-historyDisable the interactive session history file ~/.bettercap.history.
-env-file FILENAMELoad environment variables from this file if found, set to empty to disable environment persistance. (default ~/bettercap.env)
-cpu-profile FILENAMEWrite cpu profile file (used for debugging and benchmarking).
-mem-profile FILENAMEWrite memory profile to file (used for debugging and benchmarking).
-silentSuppress all logs which are not errors.
-debugEnable debug messages.
If no -caplet option is specified, bettercap will start in interactive mode, allowing you to start and stop modules manually, change options and apply new firewall rules on the fly.
To get a grasp of what you can do, type help and the general help menu will be shown, you can also have module specific help by using help module-name (for instance try with help net.recon), to see which modules are running and their configuration at any time, you can use the active command.
To print all variables and their values instead, you can use get * or get variable-name to get a single variable (try with get gateway.address), to set a new value you can simply set variable-name new-value (a value of "" will clear the variable contents), on a typical session variables look like this.
192.168.1.0/24 > 192.168.1.17  » get *


                        $: '{by}{fw}{cidr} {fb}> {env.iface.ipv4} {reset} {bold}» {reset}'

         api.rest.address: '<interface address>'
     api.rest.certificate: '~/.bcap-api.rest.certificate.pem'
             api.rest.key: '~/.bcap-api.rest.key.pem'
        api.rest.password: ''
            api.rest.port: '8083'
        api.rest.username: ''

        arp.spoof.targets: '<entire subnet>'

      dhcp6.spoof.address: '<interface address>'
      dhcp6.spoof.domains: 'microsoft.com, goole.com, facebook.com, apple.com, twitter.com'

        dns.spoof.address: '<interface address>'
            dns.spoof.all: 'false'
        dns.spoof.domains: '*'

     events.stream.filter: ''

          gateway.address: '192.168.1.1'
              gateway.mac: 'de:ad:be:ef:de:ad'

                http.port: '80'
       http.proxy.address: '<interface address>'
          http.proxy.port: '8080'
        http.proxy.script: ''
      http.server.address: '<interface address>'
         http.server.path: '.'
         http.server.port: '80'

               https.port: '443'
      https.proxy.address: '<interface address>'
  https.proxy.certificate: '~/.bettercap-ca.cert.pem'
          https.proxy.key: '~/.bettercap-ca.key.pem'
         https.proxy.port: '8083'
       https.proxy.script: ''

              iface.index: '6'
               iface.ipv4: '192.168.1.17'
               iface.ipv6: 'fe80::dddd:dddd:ffff:ffff'
                iface.mac: 'de:ad:be:ef:de:ad'
               iface.name: 'enx18ffffffff'

                log.debug: 'false'
               log.silent: 'false'

      mac.changer.address: '<random mac>'
        mac.changer.iface: '<interface name>'

       net.probe.throttle: '10'
         net.sniff.filter: 'not arp'
          net.sniff.local: 'false'
         net.sniff.output: ''
         net.sniff.regexp: ''
         net.sniff.source: ''
        net.sniff.verbose: 'true'

          ticker.commands: 'clear; net.show'
            ticker.period: '1'

       wifi.recon.channel: ''

Basic Commands

commanddescription
help / help MODULEList available commands or show module specific help if no module name is provided.
activeShow information about active modules.
quit / qClose the session and exit.
sleep SECONDSSleep for the given amount of seconds.
get VARIABLEGet the value of VARIABLE, use * for all.
set VARIABLE VALUESet the value of VARIABLE to VALUE.
clearClear the screen .
include CAPLETLoad and run this caplet in the current session.
!COMMANDExecute a shell command and print its output.
alias MAC NAMEAssign an alias to a given endpoint given its MAC address (will be persistent on file and used for the net.show command.

Documentation and Examples
The project is documented in this wiki.


Search

AutoSploit v2.0 - Automated Mass Exploiter

March 2, 2018, 4:38 am
$
0
0

As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye. But options to add your custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started

Operational Security Consideration
Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the dependencies required, available.
The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.

Usage
Clone the repo. Or deploy via Docker. Details for which can be found here
git clone https://github.com/NullArray/AutoSploit.git
Starting the program with python autosploit.py will open an AutoSploit terminal session. The options for which are as follows.
1. Usage And Legal
2. Gather Hosts
3. Custom Hosts
4. Add Single Host
5. View Gathered Hosts
6. Exploit Gathered Hosts
99. Quit
Choosing option 2 will prompt you for a platform specific search query. Enter IIS or Apache in example and choose a search engine. After doing so the collected hosts will be saved to be used in the Exploit component.
As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you. I've posted the options below as well for reference.
usage: python autosploit.py -[c|z|s|a] -[q] QUERY
                            [-C] WORKSPACE LHOST LPORT [-e]
                            [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
                            [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

optional arguments:
  -h, --help            show this help message and exit

search engines:
  possible search engines to use

  -c, --censys          use censys.io as the search engine to gather hosts
  -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
  -s, --shodan          use shodan.io as the search engine to gather hosts
  -a, --all             search all available search engines to gather hosts

requests:
  arguments to edit your requests

  --proxy PROTO://IP:PORT
                        run behind a proxy while performing the searches
  --random-agent        use a random HTTP User-Agent header
  -P USER-AGENT, --personal-agent USER-AGENT
                        pass a personal User-Agent to use for HTTP requests
  -q QUERY, --query QUERY
                        pass your search query

exploits:
  arguments to edit your exploits

  -E PATH, --exploit-file PATH
                        provide a text file to convert into JSON and save for
                        later use
  -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
                        set the configuration for MSF (IE -C default 127.0.0.1
                        8080)
  -e, --exploit         start exploiting the already gathered hosts

misc arguments:
  arguments that don't fit anywhere else

  --ruby-exec           if you need to run the Ruby executable with MSF use
                        this
  --msf-path MSF-PATH   pass the path to your framework if it is not in your
                        ENV PATH

Dependencies
AutoSploit depends on the following Python2.7 modules.
requests
psutil
Should you find you do not have these installed get them with pip like so.
pip install requests psutil
or
pip install -r requirements.txt
Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.


Peanalyzer - Advanced Portable Executable File Analyzer And Disassembler

March 2, 2018, 12:27 pm
$
0
0

Advanced Portable Executable File Analyzer
Python 3.6.4 Tested (Working)

Usage
python pyanalyzer.py --file file.exe --show all
python pyanalyzer.py --file file.exe --disassemble all

Video

Dos Header


File Header


Optional Header




Section Headers


Imports (Dll, Function Adress, Function)



CrawlBox - Easy Way To Brute-Force Web Directory.

March 3, 2018, 5:30 am
$
0
0

Easy way to brute-force web directory.

Operating Systems Tested
  • MacOSX
  • Ubuntu 16.04

Usage
python crawlbox.py [-h] [-v] [-w WORDLIST] url
positional arguments:
url            specific target url, like domain.com
optional arguments:
  -h, --help     show this help message and exit
  -v, --version  show program's version number and exit
  -w WORDLIST    specific path to wordlist file
  -d DELAY       add delay between requests

Example
web site scan with internal wordlist
python crawlbox.py www.domain.com
web site scan with external wordlist
python crawlbox.py www.domain.com -w wordlist.txt

Video

Install
(as root)
  git clone https://github.com/abaykan/crawlbox.git
  cd crawlbox/
  pip install -r requirements.txt
  python crawlbox.py -h
note: tested with python 2.7.6


ipChecker - Check If A IP Is From Tor Or Is A Malicious Proxy

March 3, 2018, 1:26 pm
$
0
0

Tool to check if a given IP is a node tor or an open proxy.

Why?
Sometimes all your throttles are not enough to stop brute force attacks or any kind of massive attacks, so it can help you to drop, some attackers who use tor or open proxies.

How it works
The ipChecker has some plugins which scrap proxies ips from public sites, all this ip's are stored in a database where you can make consults using the provided API.
Basically, when you run the command make run it will start docker swarm create one service for the API wich can be escaleted and starts with 4 containers, another service for the updater which is the script responsible to run all the plugins that grab all the proxies and tor nodes,this service starts with only one container, and at last one container for the mongodb where all data are stored.
The containers communicate through a docker network called ipchecker-network, and only the port 8080 is exposed where you consume the API.
To avoid a lot of false positive, the api only returns ip's from the curent day, because almost proxies servers and tor nodes, are dinamic ip's.

Plugins
Here is the list of working plugins on ipChecker
  • cloudproxies.com
  • gatherproxy.com
  • hidemy.name
  • httptunnel.ge
  • multiproxy.org
  • nordvpn.com
  • proxy-list.org
  • rebro.weebly.com
  • samair.ru
  • torstatus.blutmagie.de
  • xroxy.com

Install
git clone https://github.com/mthbernardes/ipChecker
cd ipchecker/
Option to execute the service:
CommandDescription
make buldBuild all images
make runBuild and run all images
make stopStop all services
make wipeStop all services and wipe all images and mongodb data
If you don't have docker, you'll need to install it. (Docker Install)

Basic Usage
Here is the basic usage of the API, for see all the endpoints and access the / endpoint.
EndpointmethodDescription
/GETDocument of all endpoints
/statisticsGETInformations about blocked requests, allowed requests, and number of all proxies on database(per day)
/ips?ip=127.0.0.1GETSearch for a single IP on database
/allGETreturn all ips on database


Cl0neMast3r - Git All Your Favorite Tools In One Click

March 4, 2018, 5:12 am
$
0
0

Cl0neMast3r is a Python script that was coded to make your life easier.
Now you can easily choose your favorite tools from GitHub and install them on your system with one click.
Even better you can ensure that you have latest version of your favorite tools.
All this and more you can do with Clone master.
Clone Master was mainly made for penetration testers and bug hunters

Screenshots:







Options:
Cl0neMast3r provides you with a lot of options:
OptionDescription
AAdd a tool from GitHub using URL
FFind a tool on GitHub
RReinstall your tools
UUpdate your tools
SDisplay information about your favorite tools
DDelete the list of tools
MImport your favorite tools
XExport your tools to HTML

Requirements:
  • Python 2.7.*
  • Requests You can find it Here
    How To Install: pip install requests
  • BeautifulSoup4 You can find it Here
    How To Install: pip install beautifulsoup4

Installation:
git clone https://github.com/Abdulraheem30042/Cl0neMast3r.git
cd Cl0neMast3r/
pip install -r requirements.txt

Environment:
Doesn't support Windows right now :(
Cl0neMast3r has been tested on:
  • macOS High Sierra
  • Kali Linux
  • Mint


Viewing all 5854 articles
Browse latest View live
Search