Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5854 articles
Browse latest View live

DigiDuck Framework - Framework For Digiduck Development Boards Running ATTiny85 Processors And Micronucleus Bootloader

October 10, 2018, 2:12 pm
$
0
0

Framework for Digiduck Development Boards running ATTiny85 processors and micronucleus bootloader!

Roadmap:
  • Plan to implement a command for Duckyspark translation within the framework.

Requirements:
- ATTiny85 or other compatible "Digispark" Development Board(s)
- DigiSpark Drivers (If you can use it with arduino you should be fine.)
- OSX or MacOS
- ArduinoIDE with Digispark Library Installed

Getting Started:

Installation:
DigiDuck Framework (Referred to as DDF) is really simple to start and setup! There are no third party modules required for DDF! All you need to do is make sure you have Python 3.6+ (I used this to develop it but it should be backwards compatible *hopefully*). Clone this repository and enter the directory from the command line. Once inside the directory simply run:
python start.py
This will start the program and display the Welcome Screen shown above.

Help Menu::
There are three commands in this Framework! I wanted to make this as lightweight as possible so it only requires one command in order to get a payload onto your board.

Command: help
The help command displays this menu:


Command: show
The show command displays this menu:


All your available payloads will be shown here. However if you run the execute command they display again.

Execution:
The third and last command in DDF is execute. The execute command will display the same menu as the show command, however from this menu you will input the payload name. You have to include .hex at the end of it or it won't load correctly and ask you to enter it again.


execute command display.

Once you choose your payload you will be prompted to insert your desired board into the computer. From there it will install the desired payload and display this when completed:


Thats it! You can now go plug in your badUSB DigiSpark board into a computer and run the desired payload!

Payloads:
Payloads are DigiSpark .ino hex files that are installed using the micronucleus bootloader to your ATTiny85 or other boards.

Current Payloads:
All the current payloads are from Hak5's RubberDucky scripts available here. If you are unsure of what a payload may do this is the place to go read about it. I'll try to keep the payloads close to the same name but I don't want you on Windows to be typing out too much since rlcompleter doesn't work.

Creating a Payload:
Head to the (Duckyspark GitHub Page)[https://github.com/toxydose/Duckyspark] to see how to create your translated .ino file from a RubberDucky script. After that load your .ino file into Arduino IDE. Make sure Verbose is on inside Preferences and compile your code. Open the terminal output below and look for the .hex file location. It should be in a temp directory in your AppData or equivalent on MacOS. Here's and example:


This is right above where it tells you to plug in your board!
Pull the payloadname.cpp.hex file from that folder and drag it into payloads inside the DDF framework. Run the program and your payload will be loaded into Available Payloads!
Feel free to contribute by adding custom or more payloads from the Rubber Ducky scripts above! Make a PR with the new payloads.

Credits:
Duckyspark - https://github.com/toxydose/Duckyspark Micronucleus - https://github.com/micronucleus/micronucleus Hak5 RubberDucky Payloads - https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads


Search

XXRF Shots - Tool to Test SSRF Vulnerabilities

October 11, 2018, 5:12 am
$
0
0

What is SSRF vulnerability?
Server Side Request Forgery (SSRF) is a type of vulnerability class where attacker sends crafted request from a vulnerable web application, including the unauthorised access to the internal resources behind the firewall which are inaccessible directly from the external network.

Installation
git clone https://github.com/ariya/phantomjs.git
cd phantomjs
chmod +x build.py
./build.py

Usage
./xxrf.sh

Enter the url with vulnerable parameter and hit return key. The script is designed to perform two different tasks. At first it will inject the payload next to the vulnerable parameter and process the request to another python script written by @maaaaz. The python script requires phantomJS to perform screenshot function. It uses the list of injected payload and screenshots them and places them in a screenshot directory.

Example:
https://www.example.com/index.php?url=


Video



Pentest-Machine - Automates Some Pentest Jobs Via Nmap Xml File

October 11, 2018, 2:22 pm
$
0
0

Automates some pentesting work via an nmap XML file. As soon as each command finishes it writes its output to the terminal and the files in output-by-service/ and output-by-host/. Runs fast-returning commands first. Please send me protocols/commands/options that you would like to see included.
  • HTTP
    • whatweb
    • EyeWitness with active login attempts
    • light dirb directory bruteforce
  • DNS
    • nmap NSE dns-zone-transfer and dns-recursion
  • MySQL
  • PostgreSQL
    • light patator bruteforce
  • MSSQL
    • light patator bruteforce
  • SMTP
    • nmap NSE smtp-enum-users and smtp-open-relay
  • SNMP
    • light patador bruteforce
      • snmpcheck (if patador successfully finds a string)
  • SMB
    • enum4linux -a
    • nmap NSE smb-enum-shares, smb-vuln-ms08-067, smb-vuln-ms17-010
  • SIP
    • nmap NSE sip-enum-users and sip-methods
    • svmap
  • RPC
    • showmount -e
  • NTP
    • nmap NSE ntp-monlist
  • FTP
    • light patator bruteforce
  • Telnet
    • light patator bruteforce
  • SSH
    • light patator bruteforce
  • Wordpress 4.7
    • XSS content uploading
  • To add:
  • IPMI hash disclosure
  • ike-scan (can't run ike-scans in parallel)

Installation
./setup.sh
source pm/bin/activate

Usage
Read from Nmap XML file
sudo ./pentest-machine -x nmapfile.xml
Perform an Nmap scan with a hostlist then use those results The Nmap scan will do the top 1000 TCP ports and the top 100 UDP ports along with service enumeration It will save as pm-nmap.[xml/nmap/gnmap] in the current working directory
sudo ./pentest-machine -l hostlist.txt
Skip the patator bruteforcing and all SIP and HTTP commands -s parameter can skip both command names as well as protocol names
sudo ./pentest-machine -s patator,sip,http -x nmapfile.xml


Swap Digger - Tool That Automates Swap Extraction And Searches For Linux User Credentials, Web Forms Credentials, Web Forms Emails, Http Basic Authentication, Wifi SSID And Keys, Etc

October 12, 2018, 5:32 am
$
0
0

swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purpose. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.

Download and run the tool

On your machine
Use the following commands to download and run the script on your machine:
alice@1nvuln3r4bl3:~$ git clone https://github.com/sevagas/swap_digger.git
alice@1nvuln3r4bl3:~$ cd swap_digger
alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx



On a mounted hard drive
To use swap_digger on a mounted hard drive, do the following:
First, download the script using the following commands:
alice@1nvuln3r4bl3:~$ git clone https://github.com/sevagas/swap_digger.git
alice@1nvuln3r4bl3:~$ cd swap_digger
alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
Then, find the target swap file/partition with:
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -S
Finally, analyze the target by running:
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx -r path/to/mounted/target/root/fs -s path/to/target/swap/device

On a third party machine
Use the following commands to download and run the script on a third party machine (useful for pentests and CTFs):
alice@1nvuln3r4bl3:~$ wget https://raw.githubusercontent.com/sevagas/swap_digger/master/swap_digger.sh
alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx
Note: Use the -c option to automatically remove the directory created by swap_digger (/tmp/swap_dig).

Simple run
If you only need to recover clear text Linux user passwords, simply run:
alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh

Available options
All options:
 ./swap_digger.sh [ OPTIONS ]
 Options : 
  -x, --extended    Run Extended tests on the target swap to retrieve other interesting data
        (web passwords, emails, wifi creds, most accessed urls, etc)
  -g, --guessing  Try to guess potential passwords based on observations and stats
        Warning: This option is not reliable, it may dig more passwords as well as hundreds false positives.
  -h, --help    Display this help.
  -v, --verbose Verbose mode.
  -l, --log Log all outputs in a log file (protected inside the generated working directory).
  -c, --clean Automatically erase the generated working directory at end of script (will also remove log file)
  -r PATH, --root-path=PATH   Location of the target file-system root (default value is /)
        Change this value for forensic analysis when target is a mounted file system.
        This option has to  be used along the -s option to indicate path to swap device.
  -s PATH, --swap-path=PATH   Location of swap device or swap dump to analyse
        Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition.
        This option should be used with the -r option where at least /<root-path>/etc/shadow exists.
  -S, --swap-search   Search for all available swap devices (use for forensics).

Relevant resources
Blog posts about swap digging:

Contact
Feel free to message on my Twitter account @EmericNasi


AutoRDPwn - The Shadow Attack Framework

October 12, 2018, 1:46 pm
$
0
0

AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements
Powershell 5.0 or higher

Changes

Version 4.0
• Fixed a bug in the scheduled task to remove the user AutoRDPwn
• The Scheluded Task attack has been replaced by Invoke-Command
• It is now possible to choose the language of the application and launch the attack on English versions of Windows
*The rest of the changes can be consulted in the CHANGELOG file

Use
Execution in a line:
powershell -ExecutionPolicy Bypass "cd $ env: TEMP; iwr https://goo.gl/HSkAXP -Outfile AutoRDPwn.ps1;. \ AutoRDPwn.ps1"
The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments
Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Stas'M Corp. for its RDP tool Wrapper -> https://github.com/stascorp/rdpwrap
Kevin Robertson for his tool Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz

Contact
This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net


Metadata-Attacker - A Tool To Generate Media Files With Malicious Metadata

October 13, 2018, 6:12 am
$
0
0

With this small suite of open source pentesting tools you're able to create an image (.jpg), audio (.mp3) or video (.mp4) file containing your custom metadata or a set of cross-site scripting vectors to test any webservice against possible XSSvulnerabilities when displaying unfiltered meta data.

Installation / Usage
First install docker on your host system.
Now you can simply run the following command:
sudo docker run -p 80:80 --rm lednerb/metadata-attacker
When finished open your favorite browser and switch to the docker ip or http://localhost

Credits


Censys Subdomain Finder - Perform Subdomain Enumeration Using The Certificate Transparency Logs From Censys

October 13, 2018, 2:58 pm
$
0
0

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain who has ever been issued a SSL certificate by a public CA.

See it in action:
$ python censys_subdomain_finder.py github.com

[*] Searching Censys for subdomains of github.com
[*] Found 42 unique subdomains of github.com in ~1.7 seconds

  - hq.github.com
  - talks.github.com
  - cla.github.com
  - github.com
  - cloud.github.com
  - enterprise.github.com
  - help.github.com
  - collector-cdn.github.com
  - central.github.com
  - smtp.github.com
  - cas.octodemo.github.com
  - schrauger.github.com
  - jobs.github.com
  - classroom.github.com
  - dodgeball.github.com
  - visualstudio.github.com
  - branch.github.com
  - www.github.com
  - edu.github.com
  - education.github.com
  - import.github.com
  - styleguide.github.com
  - community.github.com
  - server.github.com
  - mac-installer.github.com
  - registry.github.com
  - f.cloud.github.com
  - offer.github.com
  - helpnext.github.com
  - foo.github.com
  - porter.github.com
  - id.github.com
  - atom-installer.github.com
  - review-lab.github.com
  - vpn-ca.iad.github.com
  - maintainers.github.com
  - raw.github.com
  - status.github.com
  - camo.github.com
  - support.enterprise.github.com
  - stg.github.com
  - rs.github.com

Setup
  1. Register an account (free) on https://censys.io/register
  2. Browse to https://censys.io/account, and set two environment variables with your API ID and API secret
$ export CENSYS_API_ID=...
$ export CENSYS_API_SECRET=...
  1. Clone the repository
$ git clone https://github.com/christophetd/censys-subdomain-finder.git
  1. Install the dependencies
$ cd censys-subdomain-finder
$ pip install -r requirements.txt
  1. Run the script on example.com to make sure everything works as expected.
$ python censys_subdomain_finder.py example.com

[*] Searching Censys for subdomains of example.com
[*] Found 5 unique subdomains of example.com

  - products.example.com
  - www.example.com
  - dev.example.com
  - example.com
  - support.example.com

Usage
usage: censys_subdomain_finder.py [-h] [-o OUTPUT_FILE]
                                  [--censys-api-id CENSYS_API_ID]
                                  [--censys-api-secret CENSYS_API_SECRET]
                                  domain

positional arguments:
  domain                The domain to scan

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        A file to output the list of subdomains to (default:
                        None)
  --censys-api-id CENSYS_API_ID
                        Censys API ID. Can also be defined using the
                        CENSYS_API_ID environment variable (default: None)
  --censys-api-secret CENSYS_API_SECRET
                        Censys API secret. Can also be defined using the
                        CENSYS_API_SECRET environment variable (default: None)

Compatibility
Should run on Python 2.7 and 3.5.

Notes
The Censys API has a limit rate of 120 queries per 5 minutes window. Each invocation of this tool makes exactly one API call to Censys.
Feel free to open an issue or to tweet @christophetd for suggestions or remarks.


Quasar - An Information Gathering Framework For Lazy Penetration Testers

October 14, 2018, 5:33 am
$
0
0

Quasar Is An Information Gathering Framework For Penetration Testers Coded By Belahsan Ouerghi:
  • Website Informations
  • E-mail Address Checker
  • Phone Number Information
  • Credit Card Bin Checker
  • Ip Locator
  • Port Scanner

Installation
sudo apt-get install git
git clone https://github.com/TunisianEagles/quasar.git
cd quasar
chmod +x install.sh
chmod +x quasar.sh
sudo ./install.sh
sudo ./quasar.sh

Screenshots



Tested On :
  • Backbox linux
  • Ubuntu

Tutorial


Contact


Search

Auto-Root-Exploit - Auto Root Exploit Tool

October 14, 2018, 2:56 pm
$
0
0
Auto Root Exploit Tool
Author : Nilotpal Biswas
Facebook : https://www.facebook.com/nilotpal.biswas.73
Twitter : https://twitter.com/nilotpalhacker

USAGE :
       for kernel version 2.6 all
       bash autoroot.sh 2

       for kernel version 3 all
       bash autoroot.sh 3

       for kernel version 4 all
       bash autoroot.sh 4

       for freebsd & openbsd all
       bash autoroot.sh bsd

       for apple macos all
       bash autoroot.sh app

       for kernel 2.6,3,4 bsd & app all
       bash autoroot.sh all

Screenshot 1


Screenshot 2


All exploits are suggested by "exploit-db.com" and will update according to it.


ReconDog v2.0 - Reconnaissance Swiss Army Knife

October 15, 2018, 5:02 am
$
0
0

Reconnaissance Swiss Army Knife


Main Features
  • Wizard + CLA interface
  • Can extracts targets from STDIN (piped input) and act upon them
  • All the information is extracted with APIs, no direct contact is made to the target

Utilities

Demo


Compatibility
Recon Dog will run on anything that has a python interpreter installed. However, it has been tested on the following configurations:
Operating Systems: Windows, Linux, Mac
Python Versions: Python2.7, Python 3.6

Installation
Recon Dog requires no manual configuration and can be simply run as a normal python script.
However, a debian package can be downloaded from here if you want to install it.

Usage

Wizard Interface
Wizard interface is the most straightforward way you can use Recon Dog in. Just run the program, select what you want to do and enter the target, it's that simple.

CLA Interface
Recon Dog also has a Command Line Argument inteface. Here's how you can find subdomains:
python dog -t marvel.com -c 7
There's more to it! Do you have a program that can enumerate subdomains and you want to scan ports of all the subdomains it finds? Don't worry, Recon Dog is designed for handling with such cases. You can simply do this:
subdomainfinder -t example.com | python dog --domains -c 3
Also, it doesn't matter what kind of output the other program generates, Recon Dog uses regular expressions to find targets which makes it easy to integrate will literally every tool. There are two switchs available:
--domains    extract domains from STDIN
--ips        extract ip addresses from STDIN


Nameles - Open Source Entropy Based Invalid Traffic Detection And Pre-Bid Filtering

October 15, 2018, 2:07 pm
$
0
0

Nameles provides an easy to deploy, scalable IVT detection and filtering solution that is proven to detect at a high level of accuracy ad fraud and other types of invalid traffic such as web scraping.
For a high level overview you might want to check out the website
If you have any questions or need support, try the gitter channel

Getting Started
wget https://raw.githubusercontent.com/Nameles-Org/Nameles/master/setup
chmod +x setup && ./setup
More detailed information related with setup options is provided below.

Detection Capability
While absolute measurement of detection capability is impossible, Nameles is the only detection solution that can be audited by indepedent parties and that is backed by several scientfic papers.
Nameles can detect invalid traffic on:
  • mobile and desktop
  • display, video, and in-app

Detection Method
Nameles implements a highly scalable entropy measurement using Shannon entropy of the IP addresses a given site is receiving traffic from, and then assigns a normalized score to the site based on its traffic pattern.

Entropy have been used widely in finance, intelligence, and other fields where dealing with vast amounts of data and many unknowns characterize the problem. The use of Shannon entropy has been covered in hundreds of scientific papers. Some argue that Shannon received it from Alan Turing himself, and that it was the method Turing used for cracking the Nazi code.

System Overview
Nameles consist of two separate modules
The scoring-module replies to the query messages sent by DSP with the confidence score of the domain and the category in which the domain falls, based on the statistical thresholds of outlierness. In addition, the scoring-module forwards the messages to the data-processing-module for updating the scores at the end of the day. Modules communicate using zeromq.
Figure 1: An example deployment with a DSP


Figure 1 presents a high level representation of Nameles functional blocks. Moreover, the figure shows how Nameles could be integrated in the programmatic ad delivery chain as an auxiliary service for the DSPs. The only difference with respect to the current operation of a DSP would be that, as part of the pre-bid phase, the DSP makes a request to Nameles to provide a Confidence Score per bid request. To this end, the DSP sends a scoring request to Nameles (step 2 in Figure 3). The scoring request includes the following fields: bid request id (mapping Nameles result to the corresponding bid request), IP address of the device associated with the bid event and the domain offering the ad space. This information is included in the bid requests as defined in the openRTB protocol standard. The scoring request is delivered to two independent modules of Nameles: the Scoring module and the Filtering module.

Scoring Module
The scoring-module runs several worker threads that pull the queries from the DSP end and push the reply messages. The workers perform a single lookup in a shared hash table for each message. Therefore, the host running the scoring-module module requires minimal memory and drive. We recommend setting a worker per CPU and running latency tests with your expected throughtput load in order to dimensionate an appropriate number of processors for the host. Note that you can run several scoring modules in your system communicating with the same data processing module.

Data Processing Module
The data-processing-module performs precomputations with the stream of data received from the scoring module. The data is periodically serialized to a PostgreSQL database. The scores are computed at the end of each day. The host of this module would benefit from having a high amount of RAM and a certain number of processors in order to reduce the score computation times. We recommend at least 64GB of RAM and 4 cores.

Scalability
In the case of a DSP a response to a given bid request has to be received by the Ad Exchange within 100 ms. Hence, the delay introduced by Nameles is limited to few ms in order to minimize the impact in the overall bidding process delay. This ensures that also in Exchange use, the strict requirements for avoiding delays on publisher websites are avoided.
Figure 2: Stress-testing results with Nameles using real data


Figure 2 the performance of Nameles once deployed. The x-axis shows the different tested scoring request rates. The left y-axis and right y-axis show the 95-percentile filtering delay and 95-percentile memory consumption for the different scoring request rates (QPS). The line in the figure represents the average of 95-percentile values across the 5 experiments whereas the lighter color area shows the max and min 95-percentile values.

1. Before Deployment

1.1. System Requirements
You have the option of setting up Nameles on a single machine, or 3 separate machines. For a production system, we recommend:

1.1.1. Operating System
Nameles have been built and tested on Ubuntu / Debian systems.

1.1.2. Single Machine
  • 4 cpu cores
  • 64GB of RAM

1.1.3. Multi Machine
scoring module
  • 2 cpu cores
  • 4GB of RAM
data processing module
  • 4 cpu cores
  • 64GB of RAM
dsp emulator module
  • 4 cpu cores
  • 8GB of RAM

1.2. Depedencies
Depencies will be taken care by the setup script, so you should not have to worry about anything more than running ./setup as shown in the section 2.1. and 2.2. depending on your system configuration. The main depencies are:
  • docker-ce
  • psql

2. Install Nameles
You can install Nameless on a single machine or a cluster of multiple machines following the instructions on section 2.1 below. There are two options:
  • single configuration deployment
  • multiple configuration deployment
If you install Nameles on a multiple machine docker cluster/swarm, then you have two options: a) where you let docker allocate resources per service b) where you allocate reseources yourself.

2.1 Installation with Setup Script
For running Nameles on a single server on an Ubuntu or Debian system:
# download the setup script
wget https://raw.githubusercontent.com/Nameles-Org/Nameles/master/setup

# change the permissions
chmod +x setup

# run the setup script
./setup

2.3. Test Installation
You will have to create another shell, as in the shell where you run the setup now you will have a running docker instance.
psql -h 127.0.0.1 -p 5430 -U nameles
NOTE: you need to have installed the postgreSQL client as detailed in section 1.2

3. Using Nameles
The dsp-emulator module can be used as an example for interfacing Nameles from your infrastructure, i.e. message formatting and zeromq port bindings. The latency test source code is implemented in C++ but a different language for which zeromq is available could be used.

3.1. Restarting

3.1.1. Single Configuration Install
If the machine where Nameles is running reboots or is interrupted for another reason, you can restart with:
sudo docker-compose -f ~/Nameles/nameles-docker-compose.yml up

3.1.2. Multiple Configuration Install
Note that after each command you have to start a new shell, as the current shell has a container running in it.
  sudo docker-compose -f ~/Nameles/data-docker-compose.yml up
  sudo docker-compose -f ~/Nameles/scoring-docker-compose.yml up
  sudo docker-compose -f ~/Nameles/emulator-docker-compose.yml up


SQLMap v1.2.10 - Automatic SQL Injection And Database Takeover Tool

October 16, 2018, 5:43 am
$
0
0

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
  • Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

Installation
You can download the latest tarball by clicking here or latest zipball by clicking here.
Preferably, you can download sqlmap by cloning the Git repository:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage
To get a list of basic options and switches use:
python sqlmap.py -h
To get a list of all options and switches use:
python sqlmap.py -hh
You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.

Demo

Links

Translations


RemoteRecon - Remote Recon And Collection

October 16, 2018, 2:04 pm
$
0
0
RemoteRecon provides the ability to execute post-exploitation capabilities against a remote host, without having to expose your complete toolkit/agent. Often times as operator's we need to compromise a host, just so we can keylog or screenshot (or some other miniscule task) against a person/host of interest. Why should you have to push over beacon, empire, innuendo, meterpreter, or a custom RAT to the target? This increases the footprint that you have in the target environment, exposes functionality in your agent, and most likely your C2 infrastructure. An alternative would be to deploy a secondary agent to targets of interest and collect intelligence. Then store this data for retrieval at your discretion. If these compromised endpoints are discovered by IR teams, you lose those endpoints and the information you've collected, but nothing more. Below is a visual representation of how an adversary would utilize this.


RemoteRecon utilizes the registry for data storage, with WMI as an internal C2 channel. All commands are executed in a asynchronous, push and pull manner. Meaning that you will send commands via the powershell controller and then retrieve the results of that command via the registry. All results will be displayed in the local console.

Current Capabilities
PowerShell
Screenshot
Token Impersonation
Inject ReflectiveDll (Must Export the ReflectiveLoader function from Stephen Fewer)
Inject Shellcode
Keylog

Improvements, Additions, ToDo's:
Dynamically Load and execute .NET assemblies
Support non reflective dll's for injection

Build Dependecies
The RemoteRecon.ps1 script already contains a fully weaponized JS payload for the Agent. The payload will only be updated as the code base changes.
If you wish to make changes to the codebase on your own, there are a few depencies required.
  1. Visual Studio 2015+
  2. Windows 7 and .NET SDK
  3. Windows 8.1 SDK
  4. mscorlib.tlh (This is included in the project but there are instances where intellisense can't seem to find it [shrug])
  5. .NET 3.5 & 4
  6. James Forshaw's DotNetToJScript project
  7. Fody/Costura Nuget package. Package and embed any extra dependencies in .NET.

For a short setup guide, please visit the wiki


imR0T - Send A Message To Your Whatsapp Contact And Protect Your Text By Encrypting And Decrypting (ROT13)

October 17, 2018, 5:46 am
$
0
0

imR0T: Send a quick message with simple text encryption to your whatsapp contact and protect your text by encrypting and decrypting, basically in ROT13 with new multi encryption based algorithm on ASCII and Symbols Substitution.

How To Use
It's simple:
# Clone this repository
git clone https://github.com/Screetsec/imR0T.git

# Go into the repository
cd imR0T

# Permission Acces
chmod +x imR0T

# Run the app
./imR0T

Command Line
help: A standard command displaying help.
imR0T╺─╸[ cli ] > help
 | 
 |_ 
    Options:[arguments] 

      help       |:| show this message
      show       |:| show all modules from this tools
      list style |:| show list style  
      use        |:| use a module, ex : use [ID] 
      options    |:| show module options 
      run        |:| Execute the module 
      set        |:| Set a value
      back       |:| Back to main
      clear      |:| Clear window
      ls         |:| list directory content
      cat        |:| read file/standard input
      pwd        |:| print name of current/working director
      exit       |:| Exit program

Configuration
Before using feature send message to your whatsapp contact with text encryption. you must config file inconf/whatsapp.confand add your api key
# Getting API :
# Register in here https://www.apiwha.com/
# Use your mail or temp mail :P                     

# Setup API KEY
# Example : 
#     - api="CA6DSQ3CLPC6FCQ3CLPC6F"

api=""

Demo Video



Infog - Information Gathering Tool

October 17, 2018, 2:46 pm
$
0
0

InfoG is a Shellscript to perform Information Gathering.


Features
  • Check Website info
  • Check Phone info
  • IP Tracker
  • Check Valid E-mail
  • Check if site is Up/Down
  • Check internet speed
  • Check Personal info
  • Find IP behind Cloudflare
  • Find Subdomains
  • Port Scan (Multi-threaded)
  • Check CMS
  • Check DNS leaking

Usage:
git clone https://github.com/thelinuxchoice/infog
cd infog
bash infog.sh

Install requirements (Curl, Netcat):
apt-get install -y curl nc


Search

Evilginx v2.0 - Standalone Man-In-The-Middle Attack Framework Used For Phishing Login Credentials Along With Session Cookies, Allowing For The Bypass Of 2-Factor Authentication

October 18, 2018, 5:42 am
$
0
0

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.
This tool is a successor to Evilginx, released in 2017, which used a custom version of nginx HTTP server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website. Present version is fully written in GO as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.

Disclaimer
This work is merely a demonstration of what adept attackers can do. It is the defender's responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.

Video
See evilginx2 in action here:


Write-up
If you want to learn more about this phishing technique, I've published an extensive blog post about evilginx2 here:
https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens

Installation
You can either use a precompiled binary package for your architecture or you can compile evilginx2 from source.
You will need an external server where you'll host your evilginx2 installation. I personally recommend Digital Ocean and if you follow my referral link, you will get an extra $10 to spend on servers for free.
Evilginx runs very well on the most basic Debian 8 VPS.

Installing from source
In order to compile from source, make sure you have installed GO of version at least 1.10.0 (get it from here) and that $GOPATH environment variable is set up properly (def. $HOME/go).
After installation, add this to your ~/.profile, assuming that you installed GO in /usr/local/go:
export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
Then load it with source ~/.profiles.
Now you should be ready to install evilginx2. Follow these instructions:
sudo apt-get install git make
go get -u github.com/kgretzky/evilginx2
cd $GOPATH/src/github.com/kgretzky/evilginx2
make
You can now either run evilginx2 from local directory like:
sudo ./bin/evilginx -p ./phishlets/
or install it globally:
sudo make install
sudo evilginx
Instructions above can also be used to update evilginx2 to the latest version.

Installing with Docker
You can launch evilginx2 from within Docker. First build the container:
docker build . -t evilginx2
Then you can run the container:
docker run -it -p 53:53/udp -p 80:80 -p 443:443 evilginx2
Phishlets are loaded within the container at /app/phishlets, which can be mounted as a volume for configuration.

Installing from precompiled binary packages
Grab the package you want from here and drop it on your box. Then do:
unzip <package_name>.zip -d <package_name>
cd <package_name>
If you want to do a system-wide install, use the install script with root privileges:
chmod 700 ./install.sh
sudo ./install.sh
sudo evilginx
or just launch evilginx2 from the current directory (you will also need root privileges):
chmod 700 ./evilginx
sudo ./evilginx

Usage
IMPORTANT! Make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shutdown apache or nginx and any service used for resolving DNS that may be running. evilginx2 will tell you on launch if it fails to open a listening socket on any of these ports.
By default, evilginx2 will look for phishlets in ./phishlets/ directory and later in /usr/share/evilginx/phishlets/. If you want to specify a custom path to load phishlets from, use the -p <phishlets_dir_path> parameter when launching the tool.
Usage of ./evilginx:
  -debug
        Enable debug output
  -developer
        Enable developer mode (generates self-signed certificates for all hostnames)
  -p string
        Phishlets directory path
You should see evilginx2 logo with a prompt to enter commands. Type help or help <command> if you want to see available commands or more detailed information on them.

Getting started
To get up and running, you need to first do some setting up.
At this point I assume, you've already registered a domain (let's call it yourdomain.com) and you set up the nameservers (both ns1 and ns2) in your domain provider's admin panel to point to your server's IP (e.g. 10.0.0.1):
ns1.yourdomain.com = 10.0.0.1
ns2.yourdomain.com = 10.0.0.1
Set up your server's domain and IP using following commands:
config domain yourdomain.com
config ip 10.0.0.1
Now you can set up the phishlet you want to use. For the sake of this short guide, we will use a LinkedIn phishlet. Set up the hostname for the phishlet (it must contain your domain obviously):
phishlets hostname linkedin my.phishing.hostname.yourdomain.com
And now you can enable the phishlet, which will initiate automatic retrieval of LetsEncrypt SSL/TLS certificates if none are locally found for the hostname you picked:
phishlets enable linkedin
Your phishing site is now live. Think of the URL, you want the victim to be redirected to on successful login and get the phishing URL like this (victim will be redirected to https://www.google.com):
phishlets get-url linkedin https://www.google.com
Running phishlets will only respond to tokenized links, so any scanners who scan your main domain will be redirected to URL specified as redirect_url under config. If you want to hide your phishlet and make it not respond even to valid tokenized phishing URLs, use phishlet hide/unhide <phishlet> command.
You can monitor captured credentials and session cookies with:
sessions
To get detailed information about the captured session, with the session cookie itself (it will be printed in JSON format at the bottom), select its session ID:
sessions <id>
The captured session cookie can be copied and imported into Chrome browser, using EditThisCookie extension.
Important! If you want evilginx2 to continue running after you log out from your server, you should run it inside a screen session.


SILENTTRINITY - A Post-Exploitation Agent Powered By Python, IronPython, C#/.NET

October 18, 2018, 2:29 pm
$
0
0

A post-exploitation agent powered by Python, IronPython, C#/.NET.

Requirements
  • Server requires Python >= 3.7
  • SILENTTRINITY C# implant requires .NET >= 4.5

How it works

Notes

.NET runtime support
The implant needs .NET 4.5 or greater due to the IronPython DLLs being compiled against .NET 4.0, also there is no ZipArchive .NET library prior to 4.5 which the implant relies upon to download the initial stage containing the IronPython DLLs and the main Python code.
Reading the source for the IronPython Compiler it seems like we can get around the first issue by directly generating IL code through IKVM (I still don't understand why this works). However this would require modifying the compiler to generate a completely new EXE stub (definitely feasible, just time consuming to find the proper IKVM API calls).

C2 Comms
Currently the implant only supports C2 over HTTP 1.1, .NET 4.5 seems to have a native WebSocket library which makes implementing a WS C2 channel more than possible.
HTTP/2 client support for .NET's HttpClient API is in the works, just not yet released.
The implant and server design are very much "future proof" which should make implementing these C2 Channels pretty trivial when the time comes.

COM Interop
http://ironpython.net/documentation/dotnet/dotnet.html#oleautomation-and-com-interop
We could possibly leaverage this to use IE's COM object to do C2 ala WSC2.

Python Standard Library
We technically could load/use IronPython's stdlib instead of calling .NET APIs but this would require writing some "magic" dependency resolving code.
Possibly could modify httpimports to do this automagically.

Inject into unmanaged process
https://www.codeproject.com/Articles/607352/Injecting-Net-Assemblies-Into-Unmanaged-Processes

RPC
We might want to implement a fully fledged RPC that proxies objects between C# and Python. This could be interesting...


LibSSH Scanner - Script To Identify Hosts Vulnerable To CVE-2018-10933

October 19, 2018, 5:51 am
$
0
0

This is a python based script to identify hosts vulnerable to CVE-2018-10933.
The vulnerability is present on versions of libssh 0.6+ and was remediated by a patch present in libssh 0.7.6 and 0.8.4. For more details: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/

Help
CVE-2018-10933 Scanner - Find vulnerable libssh services by Leap Security (@LeapSecurity)

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -t TARGET, --target TARGET
                        An ip address or new line delimited file containing
                        IPs to banner grab for the vulnerability.
  -p PORT, --port PORT  Set port of SSH service


RouterSploit v3.4.0 - Exploitation Framework For Embedded Devices

October 19, 2018, 1:39 pm
$
0
0

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.


It consists of various modules that aids penetration testing operations:
  • exploits - modules that take advantage of identified vulnerabilities
  • creds - modules designed to test credentials against network services
  • scanners - modules that check if a target is vulnerable to any exploit
  • payloads - modules that are responsible for generating payloads for various architectures and injection points
  • generic - modules that perform generic attacks

Installation

Requirements
Required:
  • future
  • requests
  • paramiko
  • pysnmp
  • pycrypto
Optional:
  • bluepy - bluetooth low energy

Installation on Kali Linux
apt-get install python3-pip
git clone https://www.github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py
Bluetooth Low Energy support:
apt-get install libglib2.0-dev
python3 -m pip install bluepy
python3 rsf.py

Installation on Ubuntu 18.04 & 17.10
sudo add-apt-repository universe
sudo apt-get install git python3-pip
git clone https://www.github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py
Bluetooth Low Energy support:
apt-get install libglib2.0-dev
python3 -m pip install bluepy
python3 rsf.py

Installation on OSX
git clone https://www.github.com/threat9/routersploit
cd routersploit
sudo python3 -m pip install -r requirements.txt
python3 rsf.py

Running on Docker
git clone https://www.github.com/threat9/routersploit
cd routersploit
docker build -t routersploit .
docker run -it --rm routersploit

Update
Update RouterSploit Framework often. The project is under heavy development and new modules are shipped almost every day.
cd routersploit
git pull


Munin - Online Hash Checker For Virustotal And Other Services

October 20, 2018, 5:25 am
$
0
0

Munin is a online hash checker utility that retrieves valuable information from various online sources
The current version of Munin queries the following services:
  • Virustotal
  • Malshare
  • HybridAnalysis
Note: Munin is based on the script "VT-Checker", which has been maintained in the LOKI repository.

Usage
usage: munin.py [-h] [-f path] [-c cache-db] [-i ini-file] [-s sample-folder]
                [--comment] [-p vt-comment-prefix] [--download]
                [-d download_path] [--nocache] [--intense] [--retroverify]
                [-r num-results] [--nocsv] [--verifycert] [--sort] [--debug]

Online Hash Checker

optional arguments:
  -h, --help            show this help message and exit
  -f path               File to process (hash line by line OR csv with hash in
                        each line - auto-detects position and comment)
  -c cache-db           Name of the cache database file (default: vt-hash-
                        db.pkl)
  -i ini-file           Name of the ini file that holds the API keys
  -s sample-folder      Folder with samples to process
  --comment             Posts a comment for the analysed hash which contains
                        the comment from the log line
  -p vt-comment-prefix  Virustotal comment prefix
  --download            Enables Sample Download from Hybrid Analysis. SHA256
                        of sample needed.
  -d download_path      Output Path for Sample Download from Hybrid Analysis.
                        Folder must exist
  --nocache             Do not use cache database file
  --intense             Do use PhantomJS to parse the permalink (used to
                        extract user comments on samples)
  --retroverify         Check only 40 entries with the same comment and
                        therest at the end of the run (retrohunt verification)
  -r num-results        Number of results to take as verification
  --nocsv               Do not write a CSV with the results
  --verifycert          Verify SSL/TLS certificates
  --sort                Sort the input lines (useful for VT retrohunt results)
  --debug               Debug output

Features
  • MODE A: Extracts hashes from any text file based on regular expressions
  • MODE B: Walks sample directory and checks hashes online
  • Retrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)
  • Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text file
  • Cached objects are stored in JSON
  • Creates CSV file with the findings for easy post-processing and reporting
  • Appends results to a previous CSV if available

Displays
  • Hash and comment (comment is the rest of the line of which the hash has been extracted)
  • AV vendor matches based on a user defined list
  • Filenames used in the wild
  • PE information like the description, the original file name and the copyright statement
  • Signer of a signed portable executable
  • Result based on Virustotal ratio
  • First and last submission
  • Tags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftware

Extra Checks
  • Queries Malshare.com for sample uploads
  • Queries Hybrid-Analysis.com for present analysis
  • Imphash duplicates in current batch > allows you to spot overlaps in import table hashes

Getting started
  1. Download / clone the repo
  2. Install required packages: pip3 install -r requirements.txt (on macOS add --user)
  3. (optional: required for --intense mode) Download PhantomJS and place it in your $PATH, e.g. /usr/local/bin http://phantomjs.org/download.html
  4. Set the API key for the different services in the munin.ini file
  5. Use the demo file for a first run: python munin.py -f munin-demo.txt --nocache

Typical Command Lines
Process a Virustotal Retrohunt result and sort the lines before checking so that matched signatures are checked in blocks
python munin.py -f my.ini -f ~/Downloads/retro_hunt
Process an IOC file and show who commented on these samples on Virustotal (uses PhantomJS, higher CPU usage)
python munin.py -f my.ini -f ~/Downloads/misp-event-1234.csv --sort --intense
Process a directory with samples and check their hashes online
python munin.py -f my.ini -s ~/malware/case34

Get the API Keys used by Munin

Virustotal
  1. Create an account here https://www.virustotal.com/#/join-us
  2. Check Profile > My API key for your public API key

Malshare
Register here https://malshare.com/register.php

Hybrid Analysis
  1. Create an account here https://www.hybrid-analysis.com/signup
  2. After login, check Profile > API key


Viewing all 5854 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>