• Place a payload.bin raw shellcode file in the same directory. Default Architecture is x86
• run python obfuscate.py
• Default output is out.py

• Windows
• Python 2.7
• Pyinstaller
• PyCrypto (PyCryptodome didn't seem to work)

• Non-Root by default
• Kali single installer image
• Kali NetHunter Rootless
• Improvements to theme & kali-undercover
• New tools

• NetHunter– Needs rooted devices with custom recovery and patched kernel. Has no restrictions. Device specific images are available here.
• NetHunter Light– Needs rooted devices with custom recovery but no custom kernel. Has minor restrictions, i.e. no WiFi injection or HID support. Architecture specific images are available here.
• NetHunter Rootless– Installable on all stock standard, unmodified devices using Termux. Some limitations, like lack of db support in Metasploit and no root permissions. Installation instruction is available here.

kali@kali:~$ cat <<EOF | sudo tee /etc/apt/sources.list
deb http://http.kali.org/kali kali-rolling main non-free contrib
EOF
kali@kali:~$
kali@kali:~$ sudo apt update && sudo apt -y full-upgrade
kali@kali:~$
kali@kali:~$ [ -f /var/run/reboot-required ] && sudo reboot -f
kali@kali:~$

kali@kali:~$ grep VERSION /etc/os-release
VERSION="2020.1"
VERSION_ID="2020.1"
VERSION_CODENAME="kali-rolling"
kali@kali:~$
kali@kali:~$ uname -v
#1 SMP Debian 5.4.13-1kali1 (2020-01-20)
kali@kali:~$
kali@kali:~$ uname -r
5.4.0-kali3-amd64
kali@kali:~$

$ git clone https://github.com/ClaudiuGeorgiu/Obfuscapk.git

$ docker --version             
Docker version 19.03.0, build aeac949

$ # Download the Docker image.
$ docker pull claudiugeorgiu/obfuscapk
$ # Give it a shorter name.
$ docker tag claudiugeorgiu/obfuscapk obfuscapk

$ # Make sure to run the command in Obfuscapk/src/ directory.
$ # It will take some time to download and install all the dependencies.
$ docker build -t obfuscapk .

$ docker run --rm -it obfuscapk --help
usage: python3.7 -m obfuscapk.cli [-h] -o OBFUSCATOR [-w DIR] [-d OUT_APK]
...

$ apktool          
Apktool v2.4.0 - a tool for reengineering Android apk files
...

$ jarsigner
Usage: jarsigner [options] jar-file alias
       jarsigner -verify [options] jar-file [alias...]
...

$ zipalign
Zip alignment utility
Copyright (C) 2009 The Android Open Source Project
...

$ # Make sure to run the commands in Obfuscapk/ directory.

$ # The usage of a virtual environment is highly recommended, e.g., virtualenv.
$ # If not using virtualenv (https://virtualenv.pypa.io/), skip the next 2 lines.
$ virtualenv -p python3.7 venv
$ source venv/bin/activate

$ # Install Obfuscapk's requirements.
$ python3.7 -m pip install -r src/requirements.txt

$ cd src/
$ # The following command has to be executed always from Obfuscapk/src/ directory
$ # or by adding Obfuscapk/src/ directory to PYTHONPATH environment variable.
$ python3.7 -m obfuscapk.cli --help
usage: python3.7 -m obfuscapk.cli [-h] -o OBFUSCATOR [-w DIR] [-d OUT_APK]
...

• Docker image: a local directory containing the application to obfuscate has to be mounted to /workdir in the container (e.g., the current directory "${PWD}"), so the command:
  

  $ obfuscapk [params...]

  becomes:
  

  $ docker run --rm -it -u $(id -u):$(id -g) -v "${PWD}":"/workdir" obfuscapk [params...]

• From source: every instruction has to be executed from the Obfuscapk/src/ directory (or by adding Obfuscapk/src/ directory to PYTHONPATH environment variable) and the command:
  

  $ obfuscapk [params...]

  becomes:
  

  $ python3.7 -m obfuscapk.cli [params...]

$ obfuscapk --help
obfuscapk [-h] -o OBFUSCATOR [-w DIR] [-d OUT_APK] [-i] [-p] [-k VT_API_KEY] <APK_FILE>

• -w DIR is used to set the working directory where to save the intermediate files (generated by apktool). If not specified, a directory named obfuscation_working_dir is created in the same directory as the input application. This can be useful for debugging purposes, but if it's not needed it can be set to a temporary directory (e.g., -w /tmp/).
  
• -d OUT_APK is used to set the path of the destination file: the apk file generated by the obfuscation process (e.g., -d /home/user/Desktop/obfuscated.apk). If not specified, the final obfuscated file will be saved inside the working directory. Note: existing files will be overwritten without any warning.
  
• -i is a flag for ignoring known third party libraries during the obfuscation, in order to use less resources, to increase performances and to reduce the risk of errors. The list of libraries to ignore is adapted from LiteRadar project.
  
• -p is a flag for showing progress bars during the obfuscation operations. When using the tool in batch operations/automatic builds it's convenient to have progress bars disabled, otherwise this flag should be enabled to see the obfuscation progress.
  
• -k VT_API_KEY is needed only when using VirusTotal obfuscator, to set the API key(s) to be used when communicating with Virus Total. Can be set multiple times to cycle through the API keys during the requests (e.g., -k VALID_VT_KEY_1 -k VALID_VT_KEY_2).
  

$ # original.apk is a valid Android apk file.
$ obfuscapk -o RandomManifest -o Rebuild -o NewSignature -o NewAlignment original.apk

• since no working directory was specified, a new working directory (obfuscation_working_dir) is created in the same location as original.apk (this can be useful to inspect the smali files/manifest/resources in case of errors)
  
• some checks are performed in order to make sure that all the needed files/executables are available
  
• the actual obfuscation process begins: the specified obfuscators are executed (in order) one by one until there's no obfuscator left or until an error is encountered
  
  • when running the first obfuscator, original.apk is decompiled with apktool and the results are stored into the working directory
    
  • since the first obfuscator is RandomManifest, the entries in the decompiled Android manifest are reordered randomly (without breaking the xml structures)
    
  • Rebuild obfuscator simply rebuilds the application (now with the modified manifest) using apktool, and since no output file was specified, the resulting apk file is saved in the working directory created before
    
  • NewSignature obfuscator signs the newly created apk file with a custom certificate contained in this keystore
    
  • NewAlignment obfuscator uses zipalign tool to align the resulting apk file
    
• when all the obfuscators have been executed without errors, the resulting obfuscated apk file can be found in obfuscation_working_dir/original_obfuscated.apk, signed, aligned and ready to be installed into a device/emulator
  

• Trivial: as the name suggests, this category includes simple operations (that do not modify much the original application), like signing the apk file with a new signature.
  
• Rename: operations that change the names of the used identifiers (classes, fields, methods).
  
• Encryption: packaging encrypted code/resources and decrypting them during the app execution. When Obfuscapk starts, it automatically generates a random secret key (32 characters long, using ASCII letters and digits) that will be used for encryption.
  
• Code: all the operations that involve the modification of the decompiled source code.
  
• Resources: operations on the resource files (like modifying the manifest).
  
• Other
  

Uses reflection to invoke dangerous APIs of the Android Framework. In order to find out if a method belongs to the Android Framework, Obfuscapk refers to the mapping discovered by Backes et al.

Insert junk code. In this case, the junk code is composed by arithmetic computations and a branch instruction depending on the result of these computations, crafted in such a way that the branch is never taken.

Encrypt asset files.

This technique modifies the control-flow graph without impacting the code semantics: it adds new methods that invoke the original ones. For example, an invocation to the method m1 will be substituted by a new wrapper method m2, that, when invoked, it calls the original method m1.

Change the package name and rename classes (even in the manifest file).

Encrypt constant strings in code.

Remove debug information.

Rename fields.

Given a method, it inserts a goto instruction pointing to the end of the method and another goto pointing to the instruction after the first goto; it modifies the control-flow graph by adding two new nodes.

Encrypt native libs.

It exploits the overloading feature of the Java programming language to assign the same name to different methods but using different arguments. Given an already existing method, this technique creates a new void method with the same name and arguments, but it also adds new random arguments. Then, the body of the new method is filled with random arithmetic instructions.

Rename methods.

Realign the application.

Re-sign the application with a new custom signature.

Insert junk code. Nop, short for no-operation, is a dedicated instruction that does nothing. This technique just inserts random nop instructions within every method implementation.

Randomly reorder entries in the manifest file.

Rebuild the application.

This technique analyzes the existing code looking for method invocations of the app, ignoring the calls to the Android framework (see AdvancedReflection). If it finds an instruction with a suitable method invocation (i.e., no constructor methods, public visibility, enough free registers, etc.) such invocation is redirected to a custom method that will invoke the original method using the Reflection APIs.

This technique consists of changing the order of basic blocks in the code. When a branch instruction is found, the condition is inverted (e.g., branch if lower than, becomes branch if greater or equal than) and the target basic blocks are reordered accordingly. Furthermore, it also randomly re-arranges the code abusing goto instructions.

Encrypt strings in resources (only those called inside code).

Send the original and the obfuscated application to Virus Total. You must provide the VT API key (see -k option).

• Simone Aonzo - Research Assistant
• Gabriel Claudiu Georgiu - Core Developer
• Luca Verderame - Postdoctoral Researcher
• Alessio Merlo - Faculty Member

• Check for time based injection.
• Get database name.
• Get tables names.

#!/usr/bin/python

import Blinder

blind = Blinder.blinder(
    "http://sqli-lab/sql_injection/index.php?search=3",
    sleep=1
 )

print blind.check_injection()

root@kali:~/Desktop# python check.py
True
root@kali:~/Desktop#

#!/usr/bin/python

import Blinder

blind = Blinder.blinder(
    "http://sqli-lab/sql_injection/index.php?search=3",
    sleep=1
 )

print "Database name is : %s " % blind.get_database()

root@kali:~/Desktop# python get-database.py
Database name is : db1
root@kali:~/Desktop#

#!/usr/bin/python

import Blinder

blind = Blinder.blinder(
    "http://sqli-lab/sql_injection/index.php?search=3",
    sleep=1
 )

tables = blind.get_tables()

for table in tables:
    print table

root@kali:~/Desktop# python get-tables.py
blogs
notes
root@kali:~/Desktop#

• the ability of adding customized query
• test injection points based on burp request
• extract tables/columns data

SSRF being one of the critical vulnerabilities out there in web, I see there was no tool which would automate finding potential vulnerable parameters. See-SURF can be added to your arsenal for recon while doing bug hunting/web security testing.

• Python3

1. Takes burp's sitemap as input and parses and parses the file with a strong regex matches any GET/POST URL parameters containing potentially vulnerable SSRF keywords like URL/website etc. Also, checks the parameter values for any URL or IP address passed. Examples GET request -
   google.com/url=https://yahoo.com
   google.com/q=https://yahoo.com
   FORMS -
   <input type="text" name="url" value="https://google.com" placeholder="https://msn.com">
2. Multi-threaded In-built crawler to run and gather as much data as possible to parse and identify potentially vulnerable SSRF parameters.
3. Supply cookies for an authenticated scanning.
4. By default, normal mode is On, with a verbose switch you would see the same vulnerable param in different endpoints. The same parameter may not be sanitized at all places. But verbose mode generates a lot of noise. Example:
   https://google.com/path/1/urlToConnect=https://yahoo.com
   https://google.com/differentpath/urlToConnect=https://yahoo.com
5. Exploitation - Makes an external request to burp collaborator or any other http server with the vulnerable parameter to confirm the possibility of SSRF.

• Include more places to look for potential params like Javascript files
• Finding potential params during redirection.
• More conditions to avoid false positives.
• Exploitation.

go get github.com/koenrh/s3enum

$ s3enum --wordlist examples/wordlist.txt --suffixlist examples/suffixlist.txt --threads 10 hackerone

hackerone
hackerone-attachment
hackerone-attachments
hackerone-static
hackerone-upload

s3enum \
  --wordlist examples/wordlist.txt \
  --suffixlist examples/suffixlist.txt \
  --nameserver 1.1.1.1 \
  hackerone h1 roflcopter

• Quirin Scheitle, Technical University of Munich

Usage: ./bin/massdns [options] [domainlist]
  -b  --bindto           Bind to IP address and port. (Default: 0.0.0.0:0)
      --busy-poll        Use busy-wait polling instead of epoll.
  -c  --resolve-count    Number of resolves for a name before giving up. (Default: 50)
      --drop-group       Group to drop privileges to when running as root. (Default: nogroup)
      --drop-user        User to drop privileges to when running as root. (Default: nobody)
      --flush            Flush the output file whenever a response was received.
  -h  --help             Show this help.
  -i  --interval         Interval in milliseconds to wait between multiple resolves of the same
                         domain. (Default: 500)
  -l  --error-log        Error log file path. (Default: /dev/stderr)
      --norecurse        Use non-recursive queries. Useful for DNS cache snooping.
  -o  --output           Flags for output formatting.
         --predictable      Use resolvers incrementally. Useful for resolver tests.
      --processes        Number of processes to be used for resolving. (Default: 1)
  -q  --quiet            Quiet mode.
      --rcvbuf           Size of the receive buffer in bytes.
      --retry            Unacceptable DNS response codes. (Default: REFUSED)
  -r  --resolvers        Text file containing DNS resolvers.
      --root             Do not drop privileges when running as root. Not recommended.
  -s  --hashmap-size     Number of concurrent lookups. (Default: 10000)
      --sndbuf           Size of the send buffer in bytes.
      --sticky           Do not switch the resolver when retrying.
      --socket-count     Socket count per process. (Default: 1)
  -t  --type             Record type to be resolved. (Default: A)
      --verify-ip        Verify IP addresses of incoming replies.
  -w  --outfile          Write to the specified output file instead    of standard output.

Output flags:
  S - simple text output
  F - full text output
  B - binary output
  J - ndjson output

$ ./bin/massdns -r lists/resolvers.txt -t AAAA domains.txt > results.txt

$ ./bin/massdns -r lists/resolvers.txt -t AAAA -w results.txt domains.txt

;; Server: 77.41.229.2:53
;; Size: 93
;; Unix time: 1513458347
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51298
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
example.com. IN A

;; ANSWER SECTION:
example.com. 45929 IN A 93.184.216.34

;; AUTHORITY SECTION:
example.com. 24852 IN NS b.iana-servers.net.
example.com. 24852 IN NS a.iana-servers.net.

$ ./scripts/ptr.py | ./bin/massdns -r lists/resolvers.txt -t PTR -w ptr.txt

$ ./scripts/subbrute.py lists/names.txt example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w results.txt

$ ./scripts/ct.py example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w results.txt

• Prevent flooding resolvers which are employing rate limits or refusing resolves after some time
• Implement bandwidth limits
• Employ cross-resolver checks to detect DNS poisoning and DNS spam (e.g. Level 3 DNS hijacking)
• Add wildcard detection for reconnaissance
• Improve reconnaissance reliability by adding a mode which re-resolves found domains through a list of trusted (local) resolvers in order to eliminate false positives
• Detect optimal concurrency automatically
• Parse the command line properly and allow the usage/combination of short options without spaces

• Remote Web Deface Detection (Optional)
• Static Application security Testing

• cd web_deface/
• pip install -r requirements.txt
• python web_deface.py <notif arguments>
• For more detailed information, refer to the user guide
  we have update related web deface detection please see video Youtube

• For more detailed information, refer to the user guide

• Ade Yoseman Putra (@adeyosemanputra)
• AZZEDDINE Ramrami (@aramrami)
• Rejah Rehim (@RejahRehim)

• masscan
• nmap
• dirsearch
• amass
• patator

• find me all hosts, which have open ports, but not 80
• find me all hosts, whose ips start with 82.
• find me hosts where dirsearch has found at least 1 file with 200 status code

sudo apt install docker.io

sudo curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
git clone https://github.com/c0rvax/project-black
cd project-black
sudo docker-compose up

• IPs/Hosts list
• IP/Host details
• Dirsearch list

1. Filter the hosts
2. Launch the task

Interactive operation:
    1.cross-references for strings, classes, methods and fields;
    2.searching for strings, classes methods and fields;
    3.comments for java code;
    4.rename for methods,fields and classes;
    5.save the analysis results in gda db file.
    ...

Utilities for Assisted Analysis:
    1.extracting DEX from ODEX;
    2.extracting DEX from OAT;
    3.XML Decoder;
    4.algorithm tool;
    5.device memory dump;
    ...

New features:
    1.Brand new dalvik decompiler in c++ with friendly GUI;
    2.Support python script
    3.packers Recognition;
    4.Multi-DEX supporting;
    5.making and loading signature of the method 
    6.Malicious Behavior Scanning by API chai   ns;
    7.taint analysis to preview the behavior of variables;
    8.taint analysis to trace the path of variables;
    9.de-obfuscate;
    10.API view with x-ref;
    11.Association of permissions with modules;
    ...

1. Instructions for setting up DVNA
2. Instructions on exploiting the vulnerabilities
3. Vulnerable code snippets and instructions on fixing vulnerabilities
4. Recommendations for avoid such vulnerabilities
5. References for learning more

docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite

1. For Developers, using docker-compose with auto-reload on code updates
2. For Security Testers, using the Official image from Docker Hub
3. For Advanced Users, using a fully manual setup

git clone https://github.com/appsecco/dvna; cd dvna

MYSQL_USER=dvna
MYSQL_DATABASE=dvna
MYSQL_PASSWORD=passw0rd
MYSQL_RANDOM_ROOT_PASSWORD=yes

docker-compose up

MYSQL_USER=dvna
MYSQL_DATABASE=dvna
MYSQL_PASSWORD=passw0rd
MYSQL_RANDOM_ROOT_PASSWORD=yes
MYSQL_HOST=mysql-db
MYSQL_PORT=3306

docker run --name dvna-mysql --env-file vars.env -d mysql:5.7

docker run --name dvna-app --env-file vars.env --link dvna-mysql:mysql-db -p 9090:9090 appsecco/dvna

git clone https://github.com/appsecco/dvna; cd dvna

export MYSQL_USER=dvna
export MYSQL_DATABASE=dvna
export MYSQL_PASSWORD=passw0rd
export MYSQL_HOST=127.0.0.1
export MYSQL_PORT=3306

npm install

npm start

• Link commits to fixes in documentation
• Add new vulnerabilities from OWASP Top 10 2017
• Improve application features, documentation

• pcfg_next_function_overview.pptx: A slide deck talking about the PCFG next function. The intended audience for this is developers and academic researchers.

• Python3 is the only hard requirement for these tools
• It is highly recommended that you install the chardet python3 library for training. While not required, it performs character encoding autodetection of the training passwords. To install it:
• Download the source from https://pypi.python.org/pypi/chardet
• Or install it using pip3 install chardet

1. Identify a set of plaintext passwords to train on.

• This passwords set should include duplicate passwords. That way the trainer can identify common passwords like 123456 are common.
• The passwords should be in plaintext with hashes and associated info like usernames removed from them. Don't try to use raw .pot files as your training set as the hashes will be considered part of the password by the training program.
• The passwords should be encoded the same way you want to generate password guesses as. So, if you want to create UTF-8 password guesses, the training set should also be encoded as UTF-8. Long term, the ability to modify this when generating guesses is on the development plan, but that feature is currently not supported.
• The training password list should be between 100k and 50 million. Testing is still being done on how the size of the training password list affects guess generation, and there has been good success even with password lists as small as 10k, but an ideal size is likely around 1 million, with diminishing returns after that.
• For the purposes of this tutorial the input password list will be referred to as INPUT_PASSWORD_LIST

2. Choose a name for your generated ruleset. For the purposes of this tutorial it will be NEW_RULESET
3. Run the trainer on the input password list

• python3 trainer.py -t INPUT_PASSWORD_LIST -r NEW_RULESET
• Common optional flags: a. coverage: How much you trust the training set to match the target passwords. A higher coverage means to use less intelligent brute force generation using Markov modeling, (currently using the OMEN algorithm). If you set coverage to 1, no brute force will be performed. If you set coverage to 0, it will only generate guesses using Markov attacks. This value is a float, with the default being 0.6 which means it expects a 60% chance the target password's base words can be found in the training set. Example: python3 trainer.py -t INPUT_PASSWORD_LIST -r NEW_RULESET -c 0.6 b. --save_sensitive: If this is specified, sensitive data such as e-mail addresses and full websites which are discovered during training will be saved in the ruleset. While the PCFG guess generator does not currently make use of this data, it is very valuable during a real password cracking attack. This by default is off to make this tool easier to use in an academic setting. Note, even when this is off, there will almost certainly still be PII data saved inside a ruleset, so protect generated rulesets appropriately. Example: python3 trainer.py -t INPUT_PASSWORD_LIST -r NEW_RULESET --save_sensitive c. --comments: Adds a comment to your ruleset config file. This is useful so you know why and how you generated your ruleset when looking back at it later. Include the comment you want to add in quotes.

1. Note: the guess generation program is case sensitive when specifying the ruleset name.

• A session name is not required, (it will by default create a session called default_run), but it is helpful to make restarting a paused/stopped session easier. These examples will use the session name SESSION_NAME. Note, there is no built in sanity check if you run multiple sessions with the same name at the same time, but it is recommend to avoid that.

2. To start a new guessing session run:

• python3 pcfg_guesser.py -r NEW_RULESET -s SESSION_NAME

3. To restart a previous guessing session run:

• python3 pcfg_guesser.py -s SESSION_NAME --load

• INPUT_LIST represents the list of passwords to score. These passwords should be plaintext, and separated by newlines, with one password per line.

1. To run a scoring session: python3 password_scorer -r NEW_RULESET -i INPUT_LIST
2. By default. it will output the results to stdout, with each password scored per line

• The first value is the raw password
• The second value will represent if the input value was scored a 'password', 'website', 'e-mail address', or 'other'. This determination of password or other is dependent on the limits you set for both OMEN guess limit, as well as probability associated with the PCFG.
• The third value is the probability of the password according to the Ruleset. If it is assigned a value of 0.0, that means that the password will not be generated by the ruleset, though it may be generated by a Markov based attack
• The fourth value is the OMEN level that will generate the password. A value of -1 means the password will not be generated by OMEN.

1. Train a PCFG ruleset using trainer.py. Note you need to create the ruleset using version 4.1 or later of the PCFG toolset, as earlier versions did not learn all the datastructures that Prince-Ling utilizes.
2. Run Prince-Ling python3 prince-ling.py -r RULESET_NAME -s SIZE_OF_WORDLIST_TO_CREATE -o OUTPUT_FILENAME

• --rule: Name of the PCFG ruleset to create the PRINCE wordlist from
• --size: Number of words to create for the PRINCE wordlist. Note, if not specified, Prince-Ling will generate all possible words which can be quite large depending on if case_mangling is enabled. (Case mangling increases the keyspace enourmously)
• --output: Output filename to write entrees to. Note, if not specified, Prince-Ling will output words to stdout, which may cause problems depending on what shell you are using when printing non-ASCII characters.
• --all_lower: Only generate lowercase words for the PRINCE dictionary. This is useful when attacking case-insensitive hashes, or if you plan on applying targeted case mangling a different way.

▪   ▐ ▄  ▐▄▄▄▄▄▄ . ▄▄· ▄▄▄▄▄▄• ▄▌.▄▄ ·
██ •█▌▐█  ·██▀▄.▀·▐█ ▌▪•██  █▪██▌▐█ ▀.
▐█·▐█▐▐▌▪▄ ██▐▀▀▪▄██ ▄▄ ▐█.▪█▌▐█▌▄▀▀▀█▄
▐█▌██▐█▌▐▌▐█▌▐█▄▄▌▐███▌ ▐█▌·▐█▄█▌▐█▄▪▐█
▀▀▀▀  ██▪ ▀▀▀• ▀▀▀ ·▀▀▀  ▀▀▀  ▀▀▀  ▀▀▀▀
               ~ BOUNTYSTRIKE ~

usage: Injectus [-h] [-f FILE] [-u URL] [-r] [-w WORKERS] [-t TIMEOUT]
                [-d DELAY] [-c] [-op]

CRLF and open redirect fuzzer. Crafted by @dubs3c.

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File containing URLs
  -u URL, --url URL     Single URL to test
  -r, --no-request      Only build attack list, do not perform any requests
  -w WORKERS, --workers WORKERS
                        Amount of asyncio workers, default is 10
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP request timeout, default is 6 seconds
  -d DELAY, --delay DELAY
                        The delay between requests, default is 1 second
  -c, --crlf               Only perform crlf attacks
  -op, --openredirect   Only perform open redirect attacks

Needed a simple CRLF/open redirect scanner that I could include into my bug bounty pipeline at https://github.com/BountyStrike/Bountystrike-sh. Didn't find any tools that satisfied my need, so I created Injectus. It's a little bit of an experiment, to see if it works better than other tools.

https://dubell.io/?param1=value1&url=value2&param3=value3

https://dubell.io/?param1=%%0a0abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%0abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%0d%0abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%0dbounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%23%0dbounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%25%30%61bounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%25%30abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%250abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%25250abounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%3f%0dbounty:strike&url=value2&param3=value3
https://dubell.io/?param1=%u000abounty:strike&url=value2&param3=value3

https://dubell.io/?param1=value1&url=%%0a0abounty:strike&param3   =value3
https://dubell.io/?param1=value1&url=%0abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%0d%0abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%0dbounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%23%0dbounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%25%30%61bounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%25%30abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%250abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%25250abounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%3f%0dbounty:strike&param3=value3
https://dubell.io/?param1=value1&url=%u000abounty:strike&param3=value3

https://dubell.io/?param1=value1&url=value2&param3=%%0a0abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%0abounty:   strike
https://dubell.io/?param1=value1&url=value2&param3=%0d%0abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%0dbounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%23%0dbounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%25%30%61bounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%25%30abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%250abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%25250abounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%3f%0dbounty:strike
https://dubell.io/?param1=value1&url=value2&param3=%u000abounty:strike

https://dubell.io/some/path/%%0a0abounty:strike
https://dubell.io/some/path/%0abounty:strike
https://dubell.io/some/path/%0d%0abounty:strike
https://dubell.io/some/path/%0dbounty:strike
https://dubell.io/some/path/%23%0dbounty:strike
https://dubell.io/some/path/%23%0dbounty:strike
https://dubell.io/some/path/%25%30%61bounty:strike
https://dubell.io/some/path/%25%30abounty:strike
https://dubell.io/some/path/%250abounty:strike
https://dubell.io/some/path/%25250abounty:strike
https://dubell.io/some/path/%3f%0dbounty:strike
https://dubell.io/some/path/%3f%0dbounty:strike
https://dubell.io/some/path/%u000abounty:strike

https://dubell.io/?param1=value1&url=$2f%2fbountystrike.io%2f%2fparam3=value3
https://dubell.io/?param1=value1&url=%2f$2fbountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=%2fbountystrike.io%2f%2fparam3=value3
https://dubell.io/?param1=value1&url=%2fbountystrike.io//param3=value3
https://dubell.io/?param1=value1&url=%2fbountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=////bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=///bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=//bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=/\x08ountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=/bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=/http://bountystrike.ioparam3=value3
https://dubell.io/?param1=value1&url=bountystrike.ioparam3=value3

https://dubell.io/some/path/that/redirect/$2f%2fbountystrike.io%2f%2f
https://dubell.io/some/path/that/redirect/%2f$2fbountystrike.io
https://dubell.io/some/path/that/redirect/%2fbountystrike.io%2f%2f
https://dubell.io/some/path/that/redirect/%2fbountystrike.io
https://dubell.io/some/path/that/redirect/%2fbountystrike.io//
https://dubell.io/some/path/that/redirect/////bountystrike.io
https://dubell.io/some/path/that/redirect////bountystrike.io
https://dubell.io/some/path/that/redirect///bountystrike.io
https://dubell.io/some/path/that/redirect//\x08ountystrike.io
https://dubell.io/some/path/that/redirect//bountystrike.io
https://dubell.io/some/path/that/redirect//http://bountystrike.io
https://dubell.io/some/path/that/redirect/bountystrike.io

https://dubell.io/$2f%2fbountystrike.io%2f%2f
https://dubell.io/%2f$2fbountystrike.io
https://dubell.io/%2fbountystrike.io%2f%2f
https://dubell.io/%2fbountystrike.io
https://dubell.io/%2fbountystrike.io//
https://dubell.io/////bountystrike.io
https://dubell.io////bountystrike.io
https://dubell.io///bountystrike.io
https://dubell.io//\\bountystrike.io
https://dubell.io//bountystrike.io
https://dubell.io//http://bountystrike.io
https://dubell.io/bountystrike.io

pip3.7 install -r requirements.txt --user

• "What the Hack" is a challenge based hackathon format
• Challenges describe high-level tasks and goals to be accomplished
• Challenges are not step-by-step labs
• Attendees work in teams of 3 to 5 people to solve the challenges
• Attendees "learn from" and "share with" each other
• By having to "figure it out", attendee knowledge retention is greater
• Proctors provide guidance, but not answers to the teams
• Emcees provide lectures & demos to setup challenges & review solutions
• What the Hack can be hosted in-person or virtually via MS Teams

• Fork this repo into your own github account
• Create a new branch for your work
• Add a new top level folder using the next number in sequence, eg:
  • 011-BigNewHack
• Within this folder, create two folders, each with two folders with in that looks like this:
  • Host
    • Guides
    • Solutions
  • Student
    • Guides
    • Resources
• The content of each folder should be:
  • Student/Guides: The Student's Guide
  • Student/Resources: Any template or "starter" files that students may need in challenges
  • Host/Guides: The Proctor's Guide lives here as well as any Lecture slide decks
  • Host/Solutions: Specific files that the proctors might need that have solutions in them.
• Once your branch and repo have all your content and it formatted correctly, follow the instructions on this page to submit a pull request back to the main repository:
  • https://help.github.com/articles/creating-a-pull-request-from-a-fork/

• Performance:nfstream is designed to be fast (x10 faster with pypy3 support) with a small CPU and memory footprint.
• Layer-7 visibility:nfstreamdeep packet inspection engine is based on nDPI. It allows nfstream to perform reliable encrypted applications identification and metadata extraction (e.g. TLS, QUIC, TOR, HTTP, SSH, DNS).
• Flexibility: add a flow feature in 2 lines as an NFPlugin.
• Machine Learning oriented: add your trained model as an NFPlugin.

• Dealing with a big pcap file and just want to aggregate it as network flows? nfstream make this path easier in few lines:

   from nfstream import NFStreamer
   my_awesome_streamer = NFStreamer(source="facebook.pcap") # or network interface (source="eth0")
   for flow in my_awesome_streamer:
       print(flow)  # print it, append to pandas Dataframe or whatever you want :)!

    NFEntry(
        id=0,
        first_seen=1472393122365,
        last_seen=1472393123665,
        version=4,
        src_port=52066,
        dst_port=443,
        protocol=6,
        vlan_id=0,
        src_ip='192.168.43.18',
        dst_ip='66.220.156.68',
        total_packets=19,
        total_bytes=5745,
        duration=1300,
        src2dst_packets=9,
        src2dst_bytes=1345,
        dst2src_packets=10,
        dst2src_bytes=4400,
        expiration_id=0,
        master_protocol=91,
        app_protocol=119,
        application_name='TLS.Facebook',
        category_name='SocialNetwork',
        client_info='facebook.com',
        server_info='*.facebook.com',
        j3a_client='bfcc1a3891601edb4f137ab7ab25b840',
        j3a_server='2d1eb5817ece335c24904f516ad5da12'
    )

• From pcap to Pandas DataFrame?

    import pandas as pd 
    streamer_awesome = NFStreamer(source='devil.pcap')
    data = []
    for flow in streamer_awesome:
       data.append(flow.to_namedtuple())
    my_df = pd.DataFrame(data=data)
    my_df.head(5) # Enjoy!

• Didn't find a specific flow feature? add a plugin to nfstream in few lines:

    from nfstream import NFPlugin

    class my_awesome_plugin(NFPlugin):
        def on_update(self, obs, entry):
            if obs.length >= 666:
                entry.my_awesome_plugin += 1

   streamer_awesome = NFStreamer(source='devil.pcap', plugins=[my_awesome_plugin()])
   for flow in streamer_awesome:
      print(flow.my_awesome_plugin) # see your dynamically created metric in generated flows

• More example and details are provided on the official documentation.

    apt-get install libpcap-dev

    pip3 install nfstream

    git clone https://github.com/aouinizied/nfstream.git
    cd nfstream
    python3 setup.py install

• Cross platform: Windows, MacOS, Linux, BSD
• Cross architecture: X86, X86_64, Arm, Arm64, Mips
• Multiple file formats: PE, MachO, ELF
• Emulate & sandbox machine code in a isolated environment
• Provide high level API to setup & configure the sandbox
• Fine-grain instrumentation: allow hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)
• Allow dynamic hotpatch on-the-fly running code, including the loaded library
• True framework in Python, making it easy to build customized security analysis tools on top

• Unicorn is just a CPU emulator, so it focuses on emulating CPU instructions, that can understand emulator memory. Beyond that, Unicorn is not aware of higher level concepts, such as dynamic libraries, system calls, I/O handling or executable formats like PE, MachO or ELF. As a result, Unicorn can only emulate raw machine instructions, without Operating System (OS) context.
• Qiling is designed as a higher level framework, that leverages Unicorn to emulate CPU instructions, but can understand OS: it has executable format loaders (for PE, MachO & ELF at the moment), dynamic linkers (so we can load & relocate shared libraries), syscall & IO handlers. For this reason, Qiling can run executable binary without requiring its native OS.

• Qiling is a true analysis framework, that allows you to build your own dynamic analysis tools on top (in friendly Python language). Meanwhile, Qemu is just a tool, not a framework.
• Qiling can perform dynamic instrumentation, and can even hotpatch code at runtime. Qemu does not do either.
• Not only working cross-architecture, Qiling is also cross-platform, so for example you can run Linux ELF file on top of Windows. In contrast, Qemu usermode only run binary of the same OS, such as Linux ELF on Linux, due to the way it forwards syscall from emulated code to native OS.
• Qiling supports more platforms, including Windows, MacOS, Linux & BSD. Qemu usermode can only handles Linux & BSD.

python3 setup.py install

• Below example shows how to use Qiling framework to emulate a Windows EXE on a Linux machine.

from qiling import *

# sandbox to emulate the EXE
def my_sandbox(path, rootfs):
    # setup Qiling engine
    ql = Qiling(path, rootfs)
    # now emulate the EXE
    ql.run()

if __name__ == "__main__":
    # execute Windows EXE under our rootfs
    my_sandbox(["examples/rootfs/x86_windows/bin/x86-windows-hello.exe"], "examples/rootfs/x86_windows")

• Below example shows how to use Qiling framework to dynamically patch a Windows crackme, make it always display "Congratulation" dialog.

from qiling import *

def force_call_dialog_func(ql):
    # get DialogFunc address
    lpDialogFunc = ql.unpack32(ql.mem_read(ql.sp - 0x8, 4))
    # setup stack memory for DialogFunc
    ql.stack_push(0)
    ql.stack_push(1001)
    ql.stack_push(273)
    ql.stack_push(0)
    ql.stack_push(0x0401018)
    # force EIP to DialogFunc
    ql.pc = lpDialogFunc


def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs)
    # NOP out some code
    ql.patch(0x004010B5, b'\x90\x90')
    ql.patch(0x004010CD, b'\x90\x90')
    ql.patch(0x0040110B, b'\x90\x90')
    ql.patch(0x00401112, b'\x90\x90')
    # hook at an address with a callback
    ql.hook_address(0x00401016, force_call_dialog_func)
    ql.run()


if __name__ == "__main__":
    my_sandbox(["rootfs/x86_windows/bin/Easy_CrackMe.exe"], "rootfs/x86_windows")

• The below Youtube video shows how Qiling analyzes Wannacry malware.

$ ./qltool run -f examples/rootfs/arm_linux/bin/arm32-hello --rootfs examples/rootfs/arm_linux/

$ ./qltool shellcode --os linux --arch x86 --asm -f examples/shellcodes/lin32_execve.asm

• LAU kaijern (xwings) kj@qiling.io
• NGUYEN Anh Quynh aquynh@gmail.com
• DING tianZe (D1iv3) dddliv3@gmail.com
• SUN bowen (w1tcher) w1tcher.bupt@gmail.com
• CHEN huitao (null) null@qiling.io
• YU tong (sp1ke) spikeinhouse@gmail.com

• AttachVolume (ec2)
• CopySnapshot (ec2)
• CreateVolume (ec2)
• DeleteSnapshot (ec2)
• DeleteVolume (ec2)
• DescribeSnapshots (ec2)
• DescribeVolumes (ec2)
• DetachVolume (ec2)
• PurgeQueue (sqs)
• ListQueues (sqs)
• ListAllMyBuckets (s3)
• PutObject (s3)

1. Check your region. Dufflebag can only operate in one AWS region at a time. If you want to search every region, you'll have to deploy that many instances. To change the region, change the contents of the source code file region.go.
   
2. Install dependencies: Ubuntu 18.04 x64:
   

sudo apt install make golang-go git
go get -u github.com/aws/aws-sdk-go
go get -u github.com/deckarep/golang-set
go get -u github.com/lib/pq

3. Then build the EB app into a zip file with:

make

4. Lastly, you'll need to make an S3 bucket. Setting this up automatically within Dufflebag might be possible, but it'd actually be pretty hard. So just do it yourself. You just need to make an S3 bucket with default permissions, and have the name start with dufflebag. S3 bucket names have to be globally unique, so you'll probably need to have some suffix that is a bunch of gibberish or something.

//#####################################################################
//####                    Safety Valve                             ####
//#### Remove this line of code below to search all of your region ####
//#####################################################################
snapshots = snapshots_result.Snapshots[0:20]

1. Check the file name against a blacklist. (blacklist_exact)
2. Check the file name against a "contains" blacklist. (Reject the file if it contains a given string) (blacklist_contains)
3. Check the file name against a prefix blacklist. (Reject the file if it starts with a given string) (blacklist_prefix)

1. The IsSensitiveFileName() function checks the file name against a regular expression that finds sensitive file names. (Such as /etc/shadow, bash_history, etc...)

1. Check the file contents against a set of regular expressions.

GO111MODULE=on go get -u github.com/jaeles-project/jaeles

jaeles scan -u http://example.com

jaeles scan -s signatures/common/phpdebug.yaml -U /tmp/list_of_urls.txt

jaeles scan -v --passive --verbose -s "signatures/cves/jira-*" -U /tmp/list_of_urls.txt -o /tmp/vuls

jaeles server --verbose -s sqli

• Adding more signatures.
• Adding more input sources.
• Adding more APIs to get access to more properties of the request.
• Adding proxy plugins to directly receive input from browser of http client.
• Adding passive signature for passive checking each request.
• Adding more action on Web UI.
• Integrate with many other tools.

• Special thanks to chaitin team for sharing ideas to me for build the architecture.
  
• React components is powered by Carbon and carbon-tutorial.
  
• Awesomes artworks are powered by Freepik at flaticon.com.
  

• Possibility to subscribe to multiple ZMQ feeds from different MISP instances
• Shows immediate contributions made by organisations
• Displays live resolvable posted geo-locations

• Provides historical geolocalised information to support security teams, CSIRTs or SOCs in finding threats within their constituency
• Possibility to get geospatial information from specific regions

• The monthly rank of all organisations
• The last organisation that contributed (dynamic updates)
• The contribution level of all organisations
• Each category of contributions per organisation
• The current ranking of the selected organisation (dynamic updates)

• Gamification of the platform:
  • Two different levels of ranking with unique icons
  • Exclusive obtainable badges for source code contributors and donator

• Shows when and how the platform is used:
  • Login punchcard and contributions over time
  • Contribution vs login

• Provides real time information to support security teams, CSIRTs or SOC showing current threats and activity
  • Shows most active events, categories and tags
  • Shows sightings and discussion overtime

• Launch ./install_dependencies.sh from the MISP-Dashboard directory (idempotent-ish)
• Update the configuration file config.cfg so that it matches your system
  • Fields that you may change:
    • RedisGlobal -> host
    • RedisGlobal -> port
    • RedisGlobal -> zmq_url
    • RedisGlobal -> misp_web_url
    • RedisMap -> pathMaxMindDB

• Re-launch ./install_dependencies.sh to fetch new required dependencies
• Re-update your configuration file config.cfg by comparing eventual changes in config.cfg.default

+ virtualenv -p python3 DASHENV
Already using interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /home/steve/code/misp-dashboard/DASHENV/bin/python3
Traceback (most recent call last):
  File "/usr/bin/virtualenv", line 9, in <module>
    load_entry_point('virtualenv==15.0.1', 'console_scripts', 'virtualenv')()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 942, in create_environment
    site_packages=site_packages, clear=clear, symlink=symlink))
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 1261, in install_python
    shutil.copyfile(executable, py_executable)
  File "/usr/lib/python3.5/shutil.py", line 115, in copyfile
    with open(dst, 'wb') as fdst:
OSError: [Errno 26] Text file busy: '/home/steve/code/misp-dashboard/DASHENV/bin/python3'<   /pre>

• Restart the System: ./start_all.shOR./start_zmq.sh and ./server.py &

• Be sure to have a running redis server
  • e.g. redis-server --port 6250
• Activate your virtualenv . ./DASHENV/bin/activate
• Listen to the MISP feed by starting the zmq_subscriber ./zmq_subscriber.py &
• Start the dispatcher to process received messages ./zmq_dispatcher.py &
• Start the Flask server ./server.py &
• Access the interface at http://localhost:8001/

export FLASK_DEBUG=1
export FLASK_APP=server.py
flask run --host=0.0.0.0 --port=8001 # <- Be careful here, this exposes it on ALL ip addresses. Ideally if run locally --host=127.0.0.1

  Clean data stored in the redis server specified in the configuration file    optional arguments:    -h, --help    show this help message and exit    -b, --brutal  Perfom a FLUSHALL on the redis database. If not set, will use                  a soft method to delete only keys used by MISP-Dashboard.  

Clean data stored in the redis server specified in the configuration file

optional arguments:
  -h, --help    show this help message and exit
  -b, --brutal  Perfom a FLUSHALL on the redis database. If not set, will use
                a soft method to delete only keys used by MISP-Dashboard.

${PATH_TO_MISP}/app/tmp/log/mispzmq.error.log
${PATH_TO_MISP}/app/tmp/log/mispzmq.log

  A zmq subscriber. It subscribe to a ZMQ then redispatch it to the MISP-dashboard    optional arguments:    -h, --help            show this help message and exit    -n ZMQNAME, --name ZMQNAME                          The ZMQ feed name    -u ZMQURL, --url ZMQURL                          The URL to connect to  

$SUDO_WWW ${PATH_TO_MISP}/venv/bin/pip install pyzmq

A zmq subscriber. It subscribe to a ZMQ then redispatch it to the MISP-dashboard

optional arguments:
  -h, --help            show this help message and exit
  -n ZMQNAME, --name ZMQNAME
                        The ZMQ feed name
  -u ZMQURL, --url ZMQURL
                        The URL to connect to

sudo apt-get install libapache2-mod-wsgi-py3

'AWS/S3'
'BitBucket'
'CloudFront'
'Github'
'Shopify'
'Desk'
'Fastly'
'FeedPress'
'Ghost'
'Heroku'
'Pantheon'
'Tumbler'
'Wordpress'
'Desk'
'ZenDesk'
'TeamWork'
'Helpjuice'
'Helpscout'
'S3Bucket'
'Cargo'
'StatuPage'
'Uservoice'
'Surge'
'Intercom'
'Webflow'
'Kajabi'
'Thinkific'
'Tave'
'Wishpond'
'Aftership'
'Aha'
'Tictail'
'Brightcove'
'Bigcartel'
'ActiveCampaign'
'Campaignmonitor'
'Acquia'
'Proposify'
'Simplebooklet'
'GetResponse'
'Vend'
'Jetbrains'
'Unbounce'
'Tictail'
'Smartling'
'Pingdom'
'Tilda'
'Surveygizmo'
'Mashery'

git clone https://github.com/m4ll0k/takeover.git
cd takeover
python3 takeover.py

wget -q https://raw.githubusercontent.com/m4ll0k/takeover/master/takeover.py && python3 takeover.py

pip3 install https://github.com/m4ll0k/takeover.git

$ python3 takeover.py -d www.domain.com -v 
$ python3 takeover.py -d www.domain.com -v -t 30
$ python3 takeover.py -d www.domain.com -p http://127.0.0.1:8080 -v 
$ python3 takeover.py -d www.domain.com -o <output.txt> or <output.json> -v 
$ python3 takeover.py -l uber-sub-domains.txt -o output.txt -p http://xxx.xxx.xxx.xxx:8080 -v 
$ python3 takeover.py -d uber-sub-domains.txt -o output.txt -T 3 -v