Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5839 articles
Browse latest View live

Vulmap - Online Local Vulnerability Scanners Project

May 3, 2019, 5:54 am
$
0
0
Vulmap is an open source online local vulnerability scanner project. It consists of online local vulnerability scanning programs for Windows and Linux operating systems. These scripts can be used for defensive and offensive purposes. It is possible to make vulnerability assessments using these scripts. Also they can be used for privilege escalation by pentesters/red teamers.
Vulmap can be used to, scan vulnerabilities on localhost, see related exploits and download them. Scripts basically, scan localhost to gather installed software information and ask vulmon.com api if there are any vulnerabilies and exploits related with installed software. If vulnerabilities exist, vulmap give CVE ID, risk score, vulnerability's detail link, exploit id and exploit title. Exploits can be downloaded with vulmap also.

Use below links to get detailed information about vulmap:



Search

AutoSource - Automated Source Code Review Framework Integrated With SonarQube

May 3, 2019, 2:47 pm
$
0
0

AutoSource is an automated source code review framework integrated with SonarQube which is capable of performing static code analysis/reviews. It can be used for effectively finding the vulnerabilities at very early stage of the SDLC(Software Development Life Cycle). The user can scan the code by just giving GIT repository link into the framework.
AutoSource framework is capable of performing a source code review on all platforms(MAC, Linux, and Windows).

INSTALL
  1. Download the AutoSource repository into your system.
  2. Read the prerequisites.txt file and install the dependencies (mentioned for each platform)
  3. Execute downloadSonar.py (python3 downloadSonar.py), this will download and setup the SonarQube framework which can be access from 'http://127.0.0.1:9000'
  4. After that run executeScanner.py (python3 executeScanner.py), this will ask for your GIT repository that you want to scan.
  5. Access the results on SonarQube Portal('http://127.0.0.1:9000')

Screenshots

Downloading SonarQube and SonarScanner



SonarQube is up and running


Executing Scanner


Scanning Started


Scanner Execution Successful


Results showing in SonarQube Dashboard


Collaborators
  • Malkit Singh
  • Shubham Shubhankar Sharma


Kerbrute - A Tool To Perform Kerberos Pre-Auth Bruteforcing

May 4, 2019, 5:53 am
$
0
0

A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication
Grab the latest binaries from the releases page to get started.

Background
This tool grew out of some bash scripts I wrote a few years ago to perform bruteforcing using the Heimdal Kerberos client from Linux. I wanted something that didn't require privileges to install a Kerberos client, and when I found the amazing pure Go implementation of Kerberos gokrb5, I decided to finally learn Go and write this.
Bruteforcing Windows passwords with Kerberos is much faster than any other approach I know of, and potentially stealthier since pre-authentication failures do not trigger that "traditional" An account failed to log on event 4625. With Kerberos, you can validate a username or test a login by only sending one UDP frame to the KDC (Domain Controller)
For more background and information, check out my Troopers 2019 talk, Fun with LDAP and Kerberos (link TBD).

Usage
Kerbrute has three main commands:
  • bruteuser - Bruteforce a single user's password from a wordlist
  • passwordspray - Test a single password against a list of users
  • usernenum - Enumerate valid domain usernames via Kerberos
A domain (-d) or a domain controller (--dc) must be specified. If a Domain Controller is not given the KDC will be looked up via DNS.
By default, Kerbrute is multithreaded and uses 10 threads. This can be changed with the -t option.
Output is logged to stdout, but a log file can be specified with -o.
By default, failures are not logged, but that can be changed with -v.
Lastly, Kerbrute has a --safe option. When this option is enabled, if an account comes back as locked out, it will abort all threads to stop locking out any other accounts.
The help command can be used for more information
$ ./kerbrute

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.0 (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts

Usage:
  kerbrute [command]

Available Commands:
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version          Display version info and quit

Flags:
      --dc string       The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
  -d, --domain string   The full domain to use (e.g. contoso.com)
  -h, --help            help for kerbrute
  -o, --output string   File to write logs to. Optional.
      --safe            Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int     Threads to use (default 10)
  -v, --verbose         Log failures and errors

Use "kerbrute [command] --help" for more information about a command.

User Enumeration
To enumerate usernames, Kerbrute sends TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. However, if the KDC prompts for pre-authentication, we know the username exists and we move on. This does not cause any login failures so it will not lock out any accounts. This generates a Windows event ID 4768 if Kerberos logging is enabled.
root@kali:~# ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

2019/03/06 21:28:04 >  Using KDC(s):
2019/03/06 21:28:04 >   pdc01.lab.ropnop.com:88

2019/03/06 21:28:04 >  [+] VALID USERNAME:       amata@lab.ropnop.com
2019/03/06 21:28:04 >  [+] VALID USERNAME:       thoffman@lab.ropnop.com
2019/03/06 21:28:04 >  Done! Tested 1001 usernames (2 valid) in 0.425 seconds

Password Spray
With passwordwpray, Kerbrute will perform a horizontal brute force attack against a list of domain users. This is useful for testing one or two common passwords when you have a large list of users. WARNING: this does will increment the failed login count and lock out accounts. This will generate both event IDs 4768 - A Kerberos authentication ticket (TGT) was requested and 4771 - Kerberos pre-authentication failed
root@kali:~# ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

2019/03/06 21:37:29 >  Using KDC(s):
2019/03/06 21:37:29 >   pdc01.lab.ropnop.com:88

2019/03/06 21:37:35 >  [+] VALID LOGIN:  callen@lab.ropnop.com:Password123
2019/03/06 21:37:37 >  [+] VALID LOGIN:  eshort@lab.ropnop.com:Password123
2019/03/06 21:37:37 >  Done! Tested 2755 logins (2 successes) in 7.674 seconds

Brute User
This is a traditional bruteforce account against a username. Only run this if you are sure there is no lockout policy! This will generate both event IDs 4768 - A Kerberos authentication ticket (TGT) was requested and 4771 - Kerberos pre-authentication failed
root@kali:~# ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

2019/03/06 21:38:24 >  Using KDC(s):
2019/03/06 21:38:24 >   pdc01.lab.ropnop.com:88

2019/03/06 21:38:27 >  [+] VALID LOGIN:  thoffman@lab.ropnop.com:Summer2017
2019/03/06 21:38:27 >  Done! Tested 1001 logins (1 successes) in 2.711 seconds

Installing
You can download pre-compiled binaries for Linux, Windows and Mac from the releases page. If you want to live on the edge, you can also install with Go:
$ go get github.com/ropnop/kerbrute
With the repository cloned, you can also use the Make file to compile for common architectures:
$ make help
help:            Show this help.
windows:  Make Windows x86 and x64 Binaries
linux:  Make Linux x86 and x64 Binaries
mac:  Make Darwin (Mac) x86 and x64 Binaries
clean:  Delete any binaries
all:  Make Windows, Linux and Mac x86/x64 Binaries

$ make all
Done.
Building for windows amd64..
Building for windows 386..
Done.
Building for linux amd64...
Building for linux 386...
Done.
Building for mac amd64...
Building for mac 386...
Done.

$ ls dist/
kerbrute_darwin_386        kerbrute_linux_386         kerbrute_windows_386.exe
kerbrute_darwin_amd64      kerbrute_linux_amd64       kerbrute_windows_amd64.exe

Credits
Huge shoutout to jcmturner for his pure Go implemntation of KRB5: https://github.com/jcmturner/gokrb5 . An amazing project and very well documented. Couldn't have done any of this without that project.


Hackuna - The First Mobile App to Track Hackers

May 4, 2019, 3:12 pm
$
0
0


Cryptors, a cyber security company, invented a mobile app called HACKUNA (Anti-Hack) that can block and detect these WiFi hackers. The exciting part here is, you can also track the hackers within the area. It will give you all the details you need to find the hacker within the area or to report it to the authority. We are now given the power to fight back against the WiFi hackers. 

Do you often connect to Public Free WiFi? 
Study says that a hacker can hack your online accounts within at least 60 seconds, just because you connect to Public Free WiFi... 
Experts says that the best thing to do to secure yourself from this,  is to ditch the use of public Free WiFi. How annoying right? But not anymore! 

Proof that this works

Hackuna vs The common WiFi Hacking Tools


Hackuna vs WiFi Kill Pro



Joy - A Package For Capturing And Analyzing Network Flow Data And Intraflow Data, For Network Research, Forensics, And Security Monitoring

May 5, 2019, 5:58 am
$
0
0

Joy is a BSD-licensed libpcap-based software package for extracting data features from live network traffic or packet capture (pcap) files, using a flow-oriented model similar to that of IPFIX or Netflow, and then representing these data features in JSON. It also contains analysis tools that can be applied to these data files. Joy can be used to explore data at scale, especially security and threat-relevant data.

JSON is used in order to make the output easily consumable by data analysis tools. While the JSON output files are somewhat verbose, they are reasonably small, and they respond well to compression.
Joy can be configured to obtain intraflow data, that is, data and information about events that occur within a network flow, including:

  • the sequence of lengths and arrival times of IP packets, up to some configurable number of packets.
  • the empirical probability distribution of the bytes within the data portion of a flow, and the entropy derived from that value,
  • the sequence of lengths and arrival times of TLS records,
  • other non-encrypted TLS data, such as the list of offered ciphersuites, the selected ciphersuite, the length of the clientKeyExchange field, and the server certificate strings,
  • DNS names, addresses, and TTLs,
  • HTTP header elements and the first eight bytes of the HTTP body, and
  • the name of the process associated with the flow, for flows originate or terminate on the host on which pcap is running.


Joy is intended for use in security research, forensics, and for the monitoring of (small scale) networks to detect vulnerabilities, threats and other unauthorized or unwanted behavior. Researchers, administrators, penetration testers, and security operations teams can put this information to good use, for the protection of the networks being monitored, and in the case of vulnerabilities, for the benefit of the broader community through improved defensive posture. As with any network monitoring tool, Joy could potentially be misused; do not use it on any network of which you are not the owner or the administrator.
Flow, in positive psychology, is a state in which a person performing an activity is fully immersed in a feeling of energized focus, deep involvement, and joy. This second meaning inspired the choice of name for this software package.
Joy is alpha/beta software; we hope that you use it and benefit from it, but do understand that it is not suitable for production use.

TLS Fingerprinting
We have recently released the largest and most informative open source TLS fingerprint database. Among other features, our approach builds on previous work by being fully automated and annotating TLS fingerprints with significantly more information. We have built a set of python tools to enable the application of this database, as well as the generation of new databases with the help of Joy. For more information, please see the TLS fingerprinting documentation.

Relation to Cisco ETA
Joy has helped support the research that paved the way for Cisco’s Encrypted Traffic Analytics (ETA), but it is not directly integrated into any of the Cisco products or services that implement ETA. The classifiers in Joy were trained on a small dataset several years ago, and do not represent the classification methods or performance of ETA. The intent of this feature is to allow network researchers to quickly train and deploy their own classifiers on a subset of the data features that Joy produces. For more information on training your own classifier, see saltUI/README or reach out to joy-users@cisco.com.

Credits
This package was written by David McGrew, Blake Anderson, Philip Perricone and Bill Hudson {mcgrew,blaander,phperric,bhudson}@cisco.com of Cisco Systems Advanced Security Research Group (ASRG) and Security and Trust Organization (STO).

Release 4.3.0
  • Add IPv6 support to Joy and libjoy
  • IPFix collection and export only support IPv4
  • NFv9 only supports IPv4
  • Anonymization only supports IPv4 addresses
  • Subnet labeling only supports IPv4 addresses

Release 4.2.0
  • Re-write joy.c to use libjoy library
  • Updated joy.c to utilize multi-threads for flow processing
  • Updated unit tests and python tests to reflect new code changes
  • Removed guts of the updater process to prepare for re-write
  • Fixed bug in processing multiple files on the command line
  • Other minor bug fixes

Release 4.0.3
  • Added support for make install for Centos

Release 4.0.2
  • Add support for fingerprinting

Release 4.0.1
We are pleased to announce the 4.0.1 release of the package, which has these features:
  • Add additional API's for parent application processing of Flow Records and data features
  • Fixed TCP retransmission and out of order detection
  • Better identification of IDP packet
  • Fixed some memory usage issues
  • Fixed minor bugs
  • Removed dead code

Release 4.0.0
We are pleased to announce the 4.0.0 release of the package, which has these features:
  • Add support for building with autotools. ./configure;make clean;make

Release 3.0.0
We are pleased to announce the 3.0.0 release of the package, which has these features:
  • Modified JOY infrastructure code to be thread safe.
    • Allowed support multiple work threads for packet processing.
    • Each worker thread uses own output file.
    • Removed global variables for Config.
    • Modified code infrastructure to use Config Structure.
  • Modified the Makefile system to build the JOY infrastructure as a static and shared library.
  • Implemented an API for utilizing the JOY Library (joy_api.[hc]).
  • Implemented a Vector Packet Processing integration scheme to utilize VPP native infrastructure when building that integration.
  • Created 2 API test programs, joy_api_test.c and joy_api_test2.c.
  • Modified existing test programs to link against static JOY library instead of re-compiling the infrastructure code.
  • Modified versioning to use Common Security Module (CSM) conventions.
  • Modified build_pkg to accept package version on the command line.
  • Cleaned up coverity errors and warnings.
  • Various bug fixes.

Release 2.0
We are pleased to announce the 2.0 release of the package, which has these features:
  • The JSON schema has been updated to be better organized, more readable, and more searchable (by putting searchable keywords as the JSON names),
  • The new sleuth tool replaces query/joyq, and brings new functionality such as —fingerprint,
  • Much improved documentation, which covers the joy and sleuth tools, examples, and the JSON schema (see using-joy)

Quick Start
Joy has been successfully run and tested on Linux (Debian, Ubuntu, CentOS, and Raspbian), Mac OS X and Windows. The system has been built with gcc and GNU make, but it should work with other development environments as well.
Go to the Wiki for a guide on building: Build Instructions


Kostebek - Reconnaissance Tool Which Uses Firms Trademark Information To Discover Their Domains

May 5, 2019, 2:43 pm
$
0
0

The Kostebek is a reconnaissance tool which uses firms' trademark information to discover their domains.

Installation
Tested on Kali Linux 2018.2, Ubuntu 16.04 
sudo apt-get -y install python3-pip
pip3 install -r requirements.txt  


download latest version of Chromedriver and configure your driver-path
#sudo apt-get install unzip
#sudo unzip /tmp/chromedriver.zip chromedriver -d /usr/local/bin/


download latest version of Chrome
https://www.google.com/chrome/browser/desktop/
#dpkg -i google-chrome-stable_current_amd64.deb
#apt-get install -f
#dpkg -i google-chrome-stable_current_amd64.deb

Example
Trademark Scan : python3 kostebek.py -u list.txt -n Organization Name
Get Google Domains : python3 kostebek.py -g Organization Name
Get Company Trademarks : python3 kostebek.py -t Organization Name

Demo



Termshark - A Terminal UI For Tshark, Inspired By Wireshark

May 6, 2019, 5:49 am
$
0
0

A terminal user-interface for tshark, inspired by Wireshark.

If you're debugging on a remote machine with a large pcap and no desire to scp it back to your desktop, termshark can help!

Features
  • Read pcap files or sniff live interfaces (where tshark is permitted).
  • Inspect each packet using familiar Wireshark-inspired views
  • Filter pcaps or live captures using Wireshark's display filters
  • Copy ranges of packets to the clipboard from the terminal
  • Written in Golang, compiles to a single executable on each platform - downloads available for Linux (+termux), macOS, FreeBSD, and Windows
tshark has many more features that termshark doesn't expose yet! See What's Next.

Installation (FreeBSD)
Termshark is in the FreeBSD ports tree! To install the package, run:
pkg install termshark
To build/install the port, run:
cd /usr/ports/net/termshark/ && make install clean

Building
Termshark uses Go modules, so it's best to compile with Go 1.11 or higher. Set GO111MODULE=on then run:
go get github.com/gcla/termshark/cmd/termshark
Then add ~/go/bin/ to your PATH.
For all packet analysis, termshark depends on tshark from the Wireshark project. Make sure tshark is in your PATH.

Quick Start
Inspect a local pcap:
termshark -r test.pcap
Capture ping packets on interface eth0:
termshark -i eth0 icmp
Run termshark -h for options.

User Guide
See the termshark user guide (and my best guess at some FAQs)

Dependencies
Termshark depends on these open-source packages:
  • tshark - command-line network protocol analyzer, part of Wireshark
  • tcell - a cell based terminal handling package, inspired by termbox
  • gowid - compositional terminal UI widgets, inspired by urwid, built on tcell
Note that tshark is a run-time dependency, and must be in your PATH for termshark to function. Version 1.10.2 or higher is required (approx 2013).

Contact


PeekABoo - Tool To Enable Remote Desktop On The Targeted Machine

May 6, 2019, 2:49 pm
$
0
0
PeekABoo tool can be used during internal penetration testing when a user needs to enable Remote Desktop on the targeted machine. It uses PowerShell remoting to perform this task.
The tool only works if WinRM is enabled. Since Windows Server 2012 WinRM is enabled by default on all Windows server operating systems, but not on client operating systems.
Note: Remote desktop is disabled by default on all Windows operating systems. User would require local administrator password or administrator privileges on the server to enable RDP on a targeted machine.

Screenshots
Targeted machine on an internal network has RDP disabled:


Enabling remote desktop service on a targeted machine by pressing option 2:


Successfully enabled remote desktop service on a targeted machine:


How to install?
- git clone https://github.com/Viralmaniar/PeekABoo.git
- cd PeekABoo
- python peekaboo.py

How do I use this?
  • Press 1: This will set the PowerShell to unrestricted mode.
  • Press 2: It enables the Remote Desktop on the targeted machine and shows the RDP port (3389) status.
  • Press 3: It disables the Remote Desktop on the targeted machine.
  • Press 4: To exit from the program.

My Windows machine does not have Python installed, what should I do?
  • Download an exe from the release section of the Github along with PowerShell files available here or do it on your own using PyInstaller after reviewing the source code.
  • Compile peekaboo.py into an executable using Pyinstaller
  • PyInstaller is available on PyPI. You can install it through pip:
pip install pyinstaller

Questions?
Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar


Search

10Minutemail - Python Temporary Email

May 7, 2019, 5:39 am
$
0
0

10minutemail.net is a free, disposable e-mail service. Your temporary e-mail address will expire after 10 minutes, after which you cannot access it. You can extend the time by 10 minutes. The website you are registering with could be selling your personal information; you never know where your e-mail will be published. An email address with a 10-minute lifespan is the best solution to prevent this.

Installation
wget https://raw.githubusercontent.com/m4ll0k/10minutemail/master/10minutemail.py && python 10minutemail.py

Usage
python 10minutemail.py
python 10minutemail.py --save emails.txt




BruteDum - Brute Force Attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC With Hydra, Medusa And Ncrack

May 7, 2019, 2:26 pm
$
0
0

BruteDum is a SSH, FTP, Telnet, PostgreSQL, RDP, VNC brute forcing tool with Hydra, Medusa and Ncrack. BruteDum can work with aany Linux distros if they have Python 3.

Features of BruteDum
  • SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra (recommended)
  • SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Medusa
  • SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Ncrack
  • Scan victim's ports with Nmap

Install and run on Linux
You have to install Python 3 first:
  • Install Python 3 on Arch Linux and its distros: sudo pacman -S python3
  • Install Python 3 on Debian and its distros: sudo apt install python3
You have to install Hydra, Medusa, Nmap and Ncrack too:
  • On Arch Linux and its distros: sudo pacman -S nmap hydra medusa ncrack
  • On Debian and its distros: sudo apt install nmap hydra medusa ncrack
    git clone https://github.com/GitHackTools/BruteDum
    cd BruteDum
    python3 brutedum.py

Screenshots
  • Scanning victim's ports with Nmap

  • Ready to brute force

  • Brute force has done



Contact


Cynet Free IR Tool Offering Empowers Responders to Know and Act Against Active Attacks

May 8, 2019, 5:56 am
$
0
0

The saying that there are two types of organizations, those that have gotten breached and those who have but just don’t know it yet, has never been more relevant, making sound incident response a required capability in any organization’s security stack.

To assist in this critical mission, Cynet is launching a free IR tool offering, applicable to both IR service providers in need of a powerful, free incident response platform, and to organizations that either suspect security incidents and want to get immediate visibility into what happened, or that know they have a breach and need to respond immediately.

The Cynet Free IR tool offering for IR providers can be accessed here.
The Cynet Free IR tool offering for organizations can be accessed here

Incident response is about getting two things done as fast as possible: accurately knowing breach scope and impact; and ensuring that all malicious presence and activity are completely eliminated. Cynet introduces unmatched speed and efficiency into both aspects with its new free IR offering.



“We see that many organizations and service providers struggle to get the threat visibility they need,” said Eyal Gruner, co-founder of Cynet. “IR is an extremely time sensitive process and having the required threat visibility up and running in minutes is a must.”

The need to deploy an additional product is in many cases a hurdle – in an IR context, fast and seamless deployment is not a nice-to-have. It will often make the difference between successful containment and critical damage. Another delaying factor is the need to manually hunt and investigate for threats by correlating activities and configurations.

Cynet 360 is ideal for incident response purposes for several reasons. Its SaaS-based, lightspeed distribution enables coverage of thousands of endpoints in minutes. Its automated threat discovery radically reduces the manual investigation time, and its complete set of remediation actions enables responders to recover from any type of threat. With Cynet you can, among other things:

  • Get instant visibility to all entities in the internal environment: users, hosts, files, running processes and network traffic.
  • Easily locate live attacks and determine their scope and impact.
  • Remove malicious files, disable compromised users and block risky network connections with the click of a button.
  • Automate threat discovery and removal processes.
  • Leverage Cynet central management  to distribute other open source tools across the environment.
  • Hunt for threats in real-time using IOC feeds.

“It’s true that incident response is many times outsourced, but we’ve put a lot of thought into Cynet 360 so it can be used by an internal team as well,” said Gruner. “There’s a lot of gray area here. What if you only suspect a breach but are not sure? Cynet IR can easily tell you what’s going on. Once you know, you can decide if you handle it internally or not.”

Like it or not, breaches are part of our reality. To acknowledge that means to ensure that you have what it takes to confront them. Anyone that’s involved in incident response, whether as a service provider of end user, should seriously consider upgrading its current capabilities with Cynet free IR.

IR consultants and service providers can access Cynet’s free IR tool offering here.
Internal IT and security teams can access Cynet’s free IR tool offering here.





CQTools - The New Ultimate Windows Hacking Toolkit

May 8, 2019, 1:43 pm
$
0
0

CQURE Team has prepared tools used during penetration testing and packed those in a toolkit named CQTools. This toolkit allows to deliver complete attacks within the infrastructure, starting with sniffing and spoofing activities, going through information extraction, password extraction, custom shell generation, custom payload generation, hiding code from antivirus solutions, various keyloggers and leverage this information to deliver attacks. Some of the tools are based on discoveries that were released to the world for the first time by CQURE Team. CQURE was the first team that did full reverse engineering of DPAPI (Data Protection Application Programming Interface) and prepared the first public tool that allows monitoring WSL (Windows Subsystem for Linux) feature.

This toolkit allows you to deliver complete attacks within the infrastructure, starting with sniffing and spoofing activities, going through information extraction, password extraction, custom shell generation, custom payload generation, hiding code from antivirus solutions, various keyloggers and leverage this information to deliver attacks. Some of the tools are based on discoveries that were released to the world for the first time by CQURE Team; some of the tools took years to complete, and all of the tools work in a straightforward manner. CQTools is the ultimate toolkit to have when delivering a penetration test. The tools work simply, and we use them in practice during our cybersecurity assignments. Come and have a look at how our CQTools can boost your penetration testing experience!

• Download Presentation Slides
• Download White Paper

More info: https://cqureacademy.com/blog/no-category/black-hat-asia-2019-tools


Password: CQUREAcademy#123!

ExtAnalysis - Browser Extension Analysis Framework

May 9, 2019, 5:56 am
$
0
0

With ExtAnalysis you can :
  • Download & Analyze Extensions From:
  • Analyze Installed Extensions of:
    • Google Chrome
    • Mozilla Firefox
    • Opera Browser (Coming Soon)
  • Upload and Scan Extensions. Supported formats:
    • .crx
    • .xpi
    • .zip

Features of ExtAnalysis :
  • View Basic Informations:
    • Name, Author, Description and Version
  • Manifest Viewer
  • In depth permission information
  • Extract Intels from files which include:
    • URLs and domains
    • IPv6 and IPv4 addresses
    • Bitcoin addresses
    • Email addresses
    • File comments
    • Base64 encoded strings
  • View and Edit files. Supported file types:
    • html
    • json
    • JavaScript
    • css
  • VirusTotal Scans For:
    • URLs
    • Domains
    • Files
  • RetireJS Vulnerability scan for JavaScript files
  • Network graph of all files and URLs
  • Reconnaissance tools for extracted URLs:
    • Whois Scan
    • HTTP headers viewer
    • URL Source viewer
    • GEO-IP location
  • Some Fun Stuffs that include:
    • Dark Mode
    • Inbuilt chiptune player (Jam on to some classic chiptune while ExtAnalysis does the work)

How do I install it?
Installing ExtAnalysis is simple! It runs on python3, so make sure python3 and python3-pip are installed and follow these steps:
$ git clone https://github.com/Tuhinshubhra/ExtAnalysis
$ cd ExtAnalysis
$ pip3 install -r requirements.txt`
For proper analysis don't forget to add your virustotal api.

How do I use it?
Once the installation is done you can jump straight ahead and run ExtAnalysis by running the command: $python3 extanalysis.py It should automatically launch ExtAnalysis in a new browser window.
For other options check out the help menu $python3 extanalysis.py --help
usage: extanalysis.py [-h HOST] [-p PORT] [-v] [-u] [-q] [--help]

optional arguments:
  -h HOST, --host HOST  Host to run ExtAnalysis on. Default host is 127.0.0.1
  -p PORT, --port PORT  Port to run ExtAnalysis on. Default port is 13337
  -v, --version         Shows version and quits
  -u, --update          Checks for update
  -q, --quiet           Quiet mode shows only errors on cli!
  --help                Shows this help menu and exits

Python Modules Used:
  • flask for the webserver
  • python-whois for Whois lookup
  • maxminddb for parsing the Geo-IP database
  • requests for http headers and source code viewer


Contribution
You can contribute to the development of ExtAnalysis by improving some code or even reporting by bugs.
For any other queries feel free to contact me via twitter: @r3dhax0r
Below is a list of people who contributed to the development of ExtAnalysis (only pull requests!)


QRGen - Simple Script For Generating Malformed QRCodes

May 9, 2019, 3:36 pm
$
0
0
Simple Script For Generating Malformed QRCodes. These qrcodes are useful if you want to test some QRCode scanner's parser or how the application handle QRCode data.
Down side of this tool: you need to manually scan codes with camera.

Proof


Installation
What do you need:
  • python3
  • qrcode
  • Pillow
  • argparse

Steps
1 git clone https://github.com/h0nus/QRGen
2 cd QRGen
3 pip3 install -r requirements.txt OR python3 -m pip install -r requirements.txt
4 python3 qrcode.py
5 Enjoy attacking QRCodes :P

Personalization
You can change the default wordlists to what you want by passing -w/--wordlist :) Order of default wordlists group:
  • SQL Injection
  • XSS
  • Command Injection
  • Format String
  • XXE
  • String Fuzzing
  • SSI Injection
  • LFI/Directory Traversal
  • custom passed with -w/--wordlist


ReconT - Reconnaisance / Footprinting / Information Disclosure

May 10, 2019, 5:42 am
$
0
0

Recon-Tool made for reconnaissance and information gathering with an emphasis on simplicity.
It will do everything from.

Features
  • Information Security Headers
  • WAF Detector
  • Banner Grabbing
    • Phone Number
    • Credit Card Number
    • Email
    • US Social Security Number
  • Url Crawl
    • Dom Paramter Url
    • Internal Dynamic Paramter
    • External Dynamic Paramter
    • Internal Link
    • External Link
  • Port Scanner
  • Subdomain Enumeration

Requirements
  • click
  • requests
  • colorlog
  • bs4
  • tldextract

Usage & Installation
$ apt-get install python3 nmap
$ pip3 install -r requirements.txt
$ python3 reconT.py http://target.co.li

$ python reconT.py --help
Usage: reconT.py [OPTIONS] TARGET

Options:
  --timeout INTEGER  Seconds to wait before timeout connections
  --proxy TEXT       if Use a proxy ex: 0.0.0.0:8888if with auth
                     0.0.0.0:8888@user:password
  --cookies TEXT     if use cookie comma separated cookies to add the
                     requestex: PHPSESS:123,kontol=True
  --help             Show this message and exit.

Info
Support For Python Version: 3.x
ReconT Version: 0.1
By: 407 Authentic Exploit
Codename: JaxBCD


Search

iCULeak - Tool To Find And Extract Credentials From Phone Configuration Files Hosted On Cisco CUCM

May 10, 2019, 2:30 pm
$
0
0

Tool to find and extract credentials from phone configuration files in environments managed by Cisco's CUCM (Call Manager).
When using Cisco's CUCM (Call Manager), phone configuration files are stored on a TFTP server. These phone configuration files quite frequently contain sensitive data, including phone SSH/admin credentials.
There is also an issue with how some browsersautofill fields such as the SSH Username & Password fields with their CUCM credentials (commonly their AD credentials), if the administrator has saved the credentials in their browser. This issue has also been faced by administrators using password managers that automatically plug in credentials, where they found that their credentials were being automatically inputted into the SSH Username & Password fields, and then being saved (and stored in plaintext in the configuration files).

While the issue was fixed in CUCM 12.0, credentials stored in the past may still be discoverable.
The issue can be somewhat mitigated by the following actions:
  1. Regularly purging existing configuration files from leaked credentials.
  2. Blocking autosave/autofill on CUCM.
  3. Enabling encryption of phone configuration files. Read more on that here. Note that this doesn't completely mitigate the issue, as the encryption password could be obtained from the phones' memory or through administrative access of CUCM.
This tool utilises a lot of code from Dirk-jan's tool adidnsdump to extract a list of phone hostnames from ADIDNS over LDAP. To read more aboout the technique and tool, you can read the associated blog post. So credit goes to him for a lot of the code.

Installation
To install the tool:
git clone https://github.com/llt4l/iCULeak.py
cd iCULeak.py
pip install -r requirements.txt

Usage:
Run iCULeak.py against phones with hostnames found in the DNS zone
python iCULeak.py -u domain\\llt4l -c 10.100.1.29 10.100.1.1
Run iCULeak.py against a list of phones provided in a file
python iCULeak.py -l phones_hostnames -c 10.100.1.29 10.100.1.1
Flags:
  • View the help page with -h or --help
  • Pass the username of the user that will authenticate to ADIDNS with the -u or --user flags. The user should be preceded by the user's domain, so it should look something like this: domain\\llt4l. This flag is optional if a list is passed instead.
  • Pass the password to the program with the -p or --password flag. If you do not pass it as an argument, but do pass a username, then the program will prompt for a password when run .
  • The IP address or hostname of the CUCM server should be passed to the program with either the -c or --cucm-server flag. If, for any reason, the TFTP server being used by CUCM to store phone configuration files is found on another host, please provide that address.
  • Provide a file that contains a list of phone hostnames with the -l or --list flag. The file should just be a list of phone hostnames, such that each line would look something like SEP112233445566.
  • If you'd like to save the results to a CSV file, pass the -s or --save flag along with the filename to be saved to.
  • By default iCULeak.py checks credentials leaked for validity in the AD. To disable authentication attempts being made to verify the leaked credentials, pass the -nA or --no-authentication flag.
  • To save all the phone configuration files dumped to a directory, pass the -O or --out-dir flag, along with the name of the folder you want to save it to.
  • For increased verbosity, you can pass the -v or --verbose flag.
  • If the DNS entries for the phones are in a different DNS zone to the default zone of the domain you are authenticating against, you can pass the zone along with the -z or --zone flag.


FinalRecon - OSINT Tool For All-In-One Web Reconnaissance

May 11, 2019, 6:12 am
$
0
0
FinalRecon is a fast and simple python script for web reconnaissance. It follows a modular structure so in future new modules can be added with ease.

Features
FinalRecon provides detailed information such as :

Header Information


WHOIS


SSL Certificate Details

 
Found Flag in SSL Certificate - Securinets CTF Quals 2019 - Hidden (200 Points)

Crawler


More modules will be added in future

Tested on
  • Kali Linux 2019.1
  • BlackArch Linux

Installation
git clone https://github.com/thewhiteh4t/FinalRecon.git
cd FinalRecon
pip3 install -r requirements.txt

Usage
python3 finalrecon.py -h
usage: finalrecon.py [-h] [--headers] [--sslinfo] [--whois] [--crawl] [--full]
                     url

FinalRecon - OSINT Tool for All-In-One Web Recon | v1.0.0

positional arguments:
  url         Target URL

optional arguments:
  -h, --help  show this help message and exit
  --headers   Get Header Information
  --sslinfo   Get SSL Certificate Information
  --whois     Get Whois Lookup
  --crawl     Crawl Target Website
  --full      Get Full Analysis, Test All Available Options

# Check headers

python3 finalrecon.py --headers <url>

# Check ssl Certificate

python3 finalrecon.py --sslinfo <url>

# Check whois Information

python3 finalrecon.py --whois <url>

# Crawl Target

python3 finalrecon.py --crawl <url>

# full scan

python3 finalrecon.py --full <url>

Demo



PAnalizer - Pornography Analizer And Face Searching

May 11, 2019, 3:03 pm
$
0
0

PAnalizer is a forensic tool, you can search pornographic images in a specific directory, this is util in Pedestrian Detection. Also, you can search a specific person in the image set, is necessary give to the application a few pictures of the person of interest.


Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts

May 12, 2019, 6:09 am
$
0
0

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to https://xerosecurity.com.

SN1PER PROFESSIONAL FEATURES:

Professional reporting interface


Slideshow for all gathered screenshots


Searchable and sortable DNS, IP and open port database


Detailed host reports


NMap HTML host reports


Quick links to online recon tools and Google hacking queries


Takeovers and Email Security


HTML5 Notepad


ORDER SN1PER PROFESSIONAL:
To obtain a Sn1per Professional license, go to https://xerosecurity.com.

DEMO VIDEO:




SN1PER COMMUNITY FEATURES:
  • Automatically collects basic recon (ie. whois, ping, DNS, etc.)
  • Automatically launches Google hacking queries against a target domain
  • Automatically enumerates open ports via NMap port scanning
  • Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
  • Automatically checks for sub-domain hijacking
  • Automatically runs targeted NMap scripts against open ports
  • Automatically runs targeted Metasploit scan and exploit modules
  • Automatically scans all web applications for common vulnerabilities
  • Automatically brute forces ALL open services
  • Automatically test for anonymous FTP access
  • Automatically runs WPScan, Arachni and Nikto for all web services
  • Automatically enumerates NFS shares
  • Automatically test for anonymous LDAP access
  • Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities
  • Automatically enumerate SNMP community strings, services and users
  • Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067
  • Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers
  • Automatically tests for open X11 servers
  • Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
  • Performs high level enumeration of multiple hosts and subnets
  • Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
  • Automatically gathers screenshots of all web sites
  • Create individual workspaces to store all scan output

EXPLOITS:
  • Drupal RESTful Web Services unserialize() SA-CORE-2019-003
  • Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts
  • Drupal: CVE-2018-7600: Remote Code Execution - SA-CORE-2018-002
  • GPON Routers - Authentication Bypass / Command Injection CVE-2018-10561
  • MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
  • Apache Tomcat: Remote Code Execution (CVE-2017-12617)
  • Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271
  • Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
  • Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)
  • Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
  • Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269
  • ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249
  • Shellshock Bash Shell remote code execution CVE-2014-6271
  • HeartBleed OpenSSL Detection CVE-2014-0160
  • MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
  • Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843
  • MS08-067 Microsoft Server Service Relative Path Stack Corruption
  • Webmin File Disclosure CVE-2006-3392
  • VsFTPd 2.3.4 Backdoor
  • ProFTPd 1.3.3C Backdoor
  • MS03-026 Microsoft RPC DCOM Interface Overflow
  • DistCC Daemon Command Execution
  • JBoss Java De-Serialization
  • HTTP Writable Path PUT/DELETE File Access
  • Apache Tomcat User Enumeration
  • Tomcat Application Manager Login Bruteforce
  • Jenkins-CI Enumeration
  • HTTP WebDAV Scanner
  • Android Insecure ADB
  • Anonymous FTP Access
  • PHPMyAdmin Backdoor
  • PHPMyAdmin Auth Bypass
  • OpenSSH User Enumeration
  • LibSSH Auth Bypass
  • SMTP User Enumeration
  • Public NFS Mounts

KALI LINUX INSTALL:
bash install.sh

UBUNTU/DEBIAN/PARROT INSTALL:
bash install_debian_ubuntu.sh

DOCKER INSTALL:
docker build Dockerfile

USAGE:
[*] NORMAL MODE
sniper -t|--target <TARGET>

[*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE
sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce

[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>

[*] FLYOVER MODE
sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>

[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TA   RGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT HTTP MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT HTTPS MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] WEBSCAN MODE
sniper -t|--target <TARGET> -m|--mode webscan

[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport

[*] LOOT REIMPORTALL FUNCTION
sniper -w <WORKSPACE_ALIAS&   gt; --reimportall

[*] DELETE WORKSPACE
sniper -w <WORKSPACE_ALIAS> -d

[*] DELETE HOST FROM WORKSPACE
sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh

[*] SCHEDULED SCANS'
sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'

[*] SCAN STATUS
sniper --status

[*] UPDATE SNIPER
sniper -u|--update

MODES:
  • NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
  • STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
  • FLYOVER: Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).
  • AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
  • NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
  • DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
  • PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
  • FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
  • WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
  • WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
  • WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
  • WEBSCAN: Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc


Findomain - A Cross-Platform Tool That Use Certificate Transparency Logs To Find Subdomains

May 12, 2019, 3:13 pm
$
0
0

A cross-platform tool that use CertificatesTransparency logs to find subdomains. We currently support Linux, Windows and MacOS.

How it works?
It tool doesn't use the common methods for sub(domains) discover, the tool uses Certificate Transparency logs to find subdomains and it method make it tool very faster and reliable. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/

Installation Linux
If you want to install it, you can do that manually compiling the source or using the precompiled binary.
Manually: You need to have Rust installed in your computer first.
$ git clone https://github.com/Edu4rdSHL/findomain.git
$ cd findomain
$ cargo build --release
$ sudo cp target/release/findomain /usr/bin/
$ findomain
Using the binary:
$ git clone https://github.com/Edu4rdSHL/findomain.git
$ sudo cp findomain/bin/findomain /usr/bin
$ findomain
If you are using the BlackArch Linux distribution, you just need to use:
$ sudo pacman -S findomain

Installation Windows
Download the binary from https://github.com/Edu4rdSHL/findomain/tree/master/bin/windows and use it.

Installation MacOS
Download the binary from https://github.com/Edu4rdSHL/findomain/tree/master/bin/osx and use it.

Usage
You can use the tool in two ways, only discovering the domain name or discovering the domain + the IP address.
findomain 0.1.3
Eduard Tolosa <tolosaeduard@gmail.com>
A tool that use Certificates Transparency logs to find subdomains.

USAGE:
    findomain [FLAGS] [OPTIONS]

FLAGS:
    -h, --help       Prints help information
    -i, --get-ip     Return the subdomain list with IP address if resolved.
    -V, --version    Prints version information

OPTIONS:
    -f, --file <file>        Sets the input file to use.
    -o, --output <output>    Write data to output file in the specified format. [possible values: txt, csv, json]
    -t, --target <target>    Target host

Features
  • Discover subdomains without brute-force, it tool uses Certificate Transparency Logs.
  • Discover subdomains with or without IP address according to user arguments.
  • Read target from user argument (-t).
  • Read a list of targets from file and discover their subdomains with or without IP and also write to output files per-domain if specified by the user, recursively.
  • Write output to TXT file.
  • Write output to CSV file.
  • Write output to JSON file.
  • Cross platform support: Linux, Windows, MacOS.


Viewing all 5839 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>