Channel: KitPloit - PenTest Tools!

DrSemu - Malware Detection And Classification Tool Based On Dynamic Behavior


Dr.Semu runs executables in an isolated environment, monitors the behavior of a process, and based on Dr.Semu rules created by you or the community, detects if the process is malicious or not.

whoami: @_qaz_qaz
With Dr.Semu you can create rules to detect malware based on dynamic behavior of a process.

Isolation through redirection
Everything happens in user mode. Windows Projected File System (ProjFS) provides the virtual file system. For Registry redirection, Dr.Semu clones all Registry hives to a new location and redirects every Registry access there.
See the source code for more about other redirections (process/objects isolation, etc).

Monitoring
Dr.Semu uses DynamoRIO (Dynamic Instrumentation Tool Platform) to intercept a thread when it is about to cross the user-kernel boundary. This has the same effect as hooking the SSDT, but from user mode and without hooking anything.
At this phase, Dr.Semu produces a JSON file, which contains information from the interception.

Detection
After the process terminates, Dr.Semu evaluates its rules against the collected information and reports whether the executable is detected as malware.
Dr.Semu Rules/Detections

Dr.Semu rules
They are written in Python or Lua (located under dr_rules) and use dynamic information from the interception as well as static information about the sample. Adding support for other languages is trivial.


Example (Python): https://gist.github.com/secrary/ac89321b8a7bde998a6e3139be49eb72
Example (Lua): https://gist.github.com/secrary/e16daf698d466136229dc417d7dbcfa3
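To show what a behaviour rule over the interception output looks like, here is an added Python example; it is not code from the Dr.Semu repository and does not use Dr.Semu's rule API. It assumes a JSON trace shaped as a list of intercepted calls (an "api" name plus an "args" object), which is a constructed layout, not Dr.Semu's real schema. Two rules walk the trace: one matches the ordered open-process / allocate-executable / write / create-thread sequence against a foreign process, the other flags a Run-key write.

```python
import json
from typing import Callable, Dict, List, Optional

# Constructed trace in an ASSUMED layout (one object per intercepted call,
# oldest first); Dr.Semu's real JSON schema is not reproduced here.
SAMPLE_TRACE = json.dumps([
    {"api": "NtCreateFile", "args": {"path": "\\??\\C:\\Users\\bob\\a.tmp"}},
    {"api": "NtOpenProcess", "args": {"pid": 4242, "access": "PROCESS_ALL_ACCESS"}},
    {"api": "NtAllocateVirtualMemory", "args": {"pid": 4242, "protect": "PAGE_EXECUTE_READWRITE"}},
    {"api": "NtWriteVirtualMemory", "args": {"pid": 4242, "size": 512}},
    {"api": "NtCreateThreadEx", "args": {"pid": 4242}},
    {"api": "NtSetValueKey", "args": {
        "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        "name": "updater", "data": "C:\\Users\\bob\\a.tmp"}},
])
BENIGN_TRACE = json.dumps([
    {"api": "NtCreateFile", "args": {"path": "\\??\\C:\\Users\\bob\\notes.txt"}},
    {"api": "NtAllocateVirtualMemory", "args": {"pid": 1000, "protect": "PAGE_READWRITE"}},
])
SELF_PID = 1000  # constructed pid of the monitored process

INJECTION_STEPS = ["NtOpenProcess", "NtAllocateVirtualMemory",
                   "NtWriteVirtualMemory", "NtCreateThreadEx"]


def rule_remote_injection(events: List[dict], self_pid: int) -> Optional[str]:
    """Open a foreign process -> allocate executable memory in it -> write ->
    start a thread. Order matters, so track the stage reached per target pid."""
    stage: Dict[int, int] = {}
    for ev in events:
        pid = ev["args"].get("pid")
        if pid is None or pid == self_pid or ev["api"] not in INJECTION_STEPS:
            continue
        if ev["api"] != INJECTION_STEPS[stage.get(pid, 0)]:
            continue  # out of sequence; stay at the current stage
        if ev["api"] == "NtAllocateVirtualMemory" and "EXECUTE" not in ev["args"].get("protect", ""):
            continue  # a non-executable allocation is not what we are after
        stage[pid] = stage.get(pid, 0) + 1
        if stage[pid] == len(INJECTION_STEPS):
            return f"remote code injection into pid {pid}"
    return None


def rule_run_key_persistence(events: List[dict], self_pid: int) -> Optional[str]:
    """Any value written under ...\\CurrentVersion\\Run or \\RunOnce."""
    for ev in events:
        if ev["api"] != "NtSetValueKey":
            continue
        key = ev["args"].get("key", "").lower()
        if key.endswith("\\currentversion\\run") or key.endswith("\\currentversion\\runonce"):
            return f"Run-key persistence: {ev['args'].get('name')} -> {ev['args'].get('data')}"
    return None


RULES: List[Callable[[List[dict], int], Optional[str]]] = [
    rule_remote_injection, rule_run_key_persistence]


def evaluate(trace_json: str, self_pid: int) -> List[str]:
    """Run every rule over the trace; the list of hits is the detection report."""
    events = json.loads(trace_json)
    return [hit for rule in RULES if (hit := rule(events, self_pid))]


def is_malicious(trace_json: str, self_pid: int) -> bool:
    return bool(evaluate(trace_json, self_pid))
```

The injection rule is stateful on purpose: each call on its own (opening a process, allocating RWX memory) is common in benign software, and only the ordered sequence against another pid is worth a verdict. Rules that key on a single call tend to be the noisy ones.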

Usage
  • Use PowerShell to enable ProjFS in an elevated PowerShell window:
Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart
DrSemu.exe --target file_path
DrSemu.exe --target files_directory

DEMO


BUILD
  • Use PowerShell to enable ProjFS in an elevated PowerShell window:
Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart


  • Install Python 3 x64
  • Download DynamoRIO, extract it into the bin folder and rename the extracted directory to dynamorio
  • Build pe-parser-library.lib library:
    • Generate VS project from DrSemu\shared_libs\pe_parse using cmake-gui
    • Build 32-bit library under build (\shared_libs\pe_parse\build\pe-parser-library\Release\) and 64-bit one under build64
    • Change run-time library option to Multi-threaded (/MT)
  • Set LauncherCLI As StartUp Project

TODO
  • Solve isolation related issues
  • Improve synchronization
  • Update the description, add more details
  • Create a GUI for the tool

Limitations
  • Minimum supported Windows version: Windows 10, version 1809 (due to Windows Projected File System)
  • Maximum supported Windows version: Windows 10, version 1809 (DynamoRIO supports Windows 10 versions until 1809)




Gospider - Fast Web Spider Written In Go

GoSpider - Fast web spider written in Go

Installation
go get -u github.com/jaeles-project/gospider

Features
  • Fast web crawling
  • Brute force and parse sitemap.xml
  • Parse robots.txt
  • Generate and verify links from JavaScript files
  • Link Finder
  • Find AWS S3 buckets in response source
  • Find subdomains in response source
  • Get URLs from Wayback Machine, Common Crawl, VirusTotal, AlienVault
  • Grep-friendly output format
  • Support Burp input
  • Crawl multiple sites in parallel
  • Random mobile/web User-Agent

Showcases


Usage
Fast web spider written in Go - v1.1.0 by @theblackturtle

Usage:
gospider [flags]

Flags:
-s, --site string Site to crawl
-S, --sites string Site list to crawl
-p, --proxy string Proxy (Ex: http://127.0.0.1:8080)
-o, --output string Output folder
-u, --user-agent string User Agent to use
web: random web user-agent
mobi: random mobile user-agent
or you can set your special user-agent (default "web")
--cookie string Cookie to use (testA=a; testB=b)
-H, --header stringArray Header to use (Use multiple flag to set multiple header)
--burp string Load headers and cookie from burp raw http request
--blacklist string Blacklist URL Regex
-t, --threads int Number of threads (Run sites in parallel) (default 1)
-c, --concurrent int The number of the maximum allowed concurrent requests of the matching domains (default 5)
-d, --depth int MaxDepth limits the recursion depth of visited URLs. (Set it to 0 for infinite recursion) (default 1)
-k, --delay int Delay is the duration to wait before creating a new request to the matching domains (second)
-K, --random-delay int RandomDelay is the extra randomized duration to wait added to Delay before creating a new request (second)
-m, --timeout int Request timeout (second) (default 10)
--sitemap Try to crawl sitemap.xml
--robots Try to crawl robots.txt (default true)
-a, --other-source Find URLs from 3rd party (Archive.org, CommonCrawl.org, VirusTotal.com)
-w, --include-subs Include subdomains crawled from 3rd party. Default is main domain
-r, --include-other-source Also include other-source's urls (still crawl and request)
--debug Turn on debug mode
-v, --verbose Turn on verbose
--no-redirect Disable redirect
--version Check version
-h, --help help for gospider

Example commands

Run with single site
gospider -s "https://google.com/" -o output -c 10 -d 1

Run with site list
gospider -S sites.txt -o output -c 10 -d 1

Run 20 sites at the same time with 10 concurrent requests per site
gospider -S sites.txt -o output -c 10 -d 1 -t 20

Also get URLs from 3rd party (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com)
gospider -s "https://google.com/" -o output -c 10 -d 1 --other-source

Also get URLs from 3rd party (Archive.org, CommonCrawl.org, VirusTotal.com, AlienVault.com) and include subdomains
gospider -s "https://google.com/" -o output -c 10 -d 1 --other-source --include-subs

Use custom header/cookies
gospider -s "https://google.com/" -o output -c 10 -d 1 --other-source -H "Accept: */*" -H "Test: test" --cookie "testA=a; testB=b"

gospider -s "https://google.com/" -o output -c 10 -d 1 --other-source --burp burp_req.txt

Blacklist URLs / file extensions.
Note: gospider blacklists .(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico) by default
gospider -s "https://google.com/" -o output -c 10 -d 1 --blacklist ".(woff|pdf)"
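Two of the flags above, --burp and --blacklist, are worth seeing in code. The following is an added Python example, not code from the gospider repository: it parses a constructed raw request of the kind Burp saves into the headers and cookie a crawler would replay, and applies the default blacklist plus a user regex to a constructed URL list. The URL list and request are made up for the example; the blacklist pattern is the one quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed raw request, the kind saved from Burp's Repeater/Proxy tab
# (not taken from the gospider repository).
BURP_REQUEST = (
    "GET /app/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "X-Api-Key: k-0001\r\n"
    "\r\n"
)

# The default blacklist quoted on the page.
DEFAULT_BLACKLIST = r"\.(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico)"

# Constructed crawl results.
SAMPLE_URLS = [
    "https://example.com/app/main.js",
    "https://example.com/static/logo.png",
    "https://example.com/fonts/a.woff2",
    "https://example.com/docs/manual.pdf",
    "https://example.com/api/xpdf/render",
]


def parse_burp_request(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw request into (headers, cookie). The request line and Host
    are dropped: the crawler supplies those per target."""
    headers: Dict[str, str] = {}
    cookie = ""
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # end of the header block; any body follows
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "cookie":
            cookie = value
        elif name.lower() != "host":
            headers[name] = value
    return headers, cookie


def filter_urls(urls: List[str], extra_blacklist: Optional[str] = None) -> List[str]:
    """Drop URLs matching the default blacklist or the user-supplied regex.
    Matching is an unanchored search, as Go's regexp.MatchString would do."""
    patterns = [re.compile(DEFAULT_BLACKLIST, re.I)]
    if extra_blacklist:
        patterns.append(re.compile(extra_blacklist, re.I))
    return [u for u in urls if not any(p.search(u) for p in patterns)]
```

Note the difference between the two user patterns exercised in the test: the unescaped dot in ".(woff|pdf)" (the form used in the example command above) matches any character, so it also drops /api/xpdf/render; "\.(woff|pdf)(\?|$)" only drops real .pdf and .woff resources.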


NekoBot - Auto Exploiter With 500+ Exploit 2000+ Shell


NekoBotV1 | Auto Exploiter With 500+ Exploit 2000+ Shell

Features :
[+] Wordpress :
1- Cherry-Plugin
2- download-manager Plugin
3- wysija-newsletters
4- Slider Revolution [Revslider]
5- gravity-forms
6- userpro
7- wp-gdpr-compliance
8- wp-graphql
9- formcraft
10- Headway
11- Pagelines Plugin
12- WooCommerce-ProductAddons
13- CateGory-page-icons
14- addblockblocker
15- barclaycart
16- Wp 4.7 Core Exploit
17- eshop-magic
18- HD-WebPlayer
19- WP Job Manager
20- wp-miniaudioplayer
21- wp-support-plus
22- ungallery Plugin
23- WP User Frontend
24- Viral-options
25- Social Warfare
26- jekyll-exporter
27- cloudflare plugin
28- realia plugin
29- woocommerce-software
30- enfold-child Theme
31- contabileads plugin
32- prh-api plugin
33- dzs-videogallery plugin
34- mm-plugin
35- Wp-Install
36- Auto BruteForce
[+] Joomla
1- Com_adsmanager
2- Com_alberghi
3- Com_CCkJseblod
4- Com_extplorer
5- Com_Fabric
6- Com_facileforms
7- Com_Hdflvplayer
8- Com_Jbcatalog
9- Com_JCE
10- Com_jdownloads
11- Com_Joomanager
12- Com_Macgallery
13- Com_media
14- Com_Myblog
15- Com_rokdownloads
16- Com_s5_media_player
17- Com_SexyContactform
18- Joomla core 3.x RCE
19- Joomla core 3.x RCE [2019]
20 - Joomla Core 3.x Admin Takeover
21 - Auto BruteForce
22 - Com_b2jcontact
23 - Com_bt_portfolio
24 - Com_civicrm
25 - Com_extplorer
26 - Com_facileforms
27 - Com_FoxContent
28 - Com_jwallpapers
29 - Com_oziogallery
30 - Com_redmystic
31 - Com_simplephotogallery
32 - megamenu module
33 - mod_simplefileuploadv1
[+] Drupal :
1- Drupal Add admin geddon1
2- Drupal RCE geddon2
3- Drupal 8 RCE RESTful
4- Drupal mailchimp
5- Drupal php-curl-class
6- BruteForce
7- Drupal SQL Add Admin
8- Drupal 7 RCE
9- bartik
10- Avatarafd Config
11- Drupal 8
12- Drupal Default UserPass
[+] Magento :
1- Shoplift
2- Magento Default user pass
[+] Oscommerce
1- OsCommerce Core 2.3 RCE Exploit
opencart
[+] OTHER :
1- Env Exploit
2- SMTP CRACKER
3- CV


CVE Api - Parse & filter the latest CVEs from cve.mitre.org



Parse & filter the latest CVEs from https://cve.mitre.org.


Docs

Usage
http://localhost:4000/cve?target=KEYWORD
The year parameter is optional.
http://localhost:4000/cve?target=KEYWORD&year=YEAR

Examples
http://localhost:4000/cve?target=ruby%20on%20rails



http://localhost:4000/cve?target=ruby%20on%20rails&year=2020
If you want to parse the latest year, use the "latest" keyword.
http://localhost:4000/cve?target=ruby%20on%20rails&year=latest

Getting started
  • Download the project
  • bundle install
  • ruby rest.rb

Requirements
  • Ruby
  • Docker (Optional, only required if you want to run through a container.)

Environment
You can switch between prod & dev in config/environment.rb.
You need to create that file yourself; an example can be found here.

Healthcheck
The URL returns status code 200 when the API is healthy.
If you do not get a 200, assume something is wrong.
http://localhost:4000/status

Manage image

Access
You can access the api via http://localhost:4000/
You should be able to view the index page from the url.


Build image
docker build . -t cve-api

Run image
docker run -p 4000:4000 -d cve-api

Get container ID
docker ps

Stop container
docker stop ID

Remove image
docker rmi cve-api


0L4Bs - Cross-site Scripting Labs For Web Application Security Enthusiasts


Cross-site scripting labs for web application security enthusiasts

List of Chall :
~ Chall 1 | URL
~ Chall 2 | Form
~ Chall 3 | User-Agent
~ Chall 4 | Referrer
~ Chall 5 | Cookie
~ Chall 6 | LocalStorage
~ Chall 7 | Login Page
~ Chall 8 | File Upload
~ Chall 9 | Base64 Encoding
~ Chall 10 | Removes Alert
~ Chall 11 | Removes Script
~ Chall 12 | Preg_replace
~ Chall 13 | HTML Entities
~ Chall 14 | Regex Filter #1
~ Chall 15 | Regex Filter #2
~ Chall 16 | Regex Filter #3
~ Chall 17 | HTML Entities + URL Encode
~ Chall 18 | HTML Entities #2 (Special Character)
~ Chall 19 | HTML Entities #3 (Input Value)
~ Chall 20 | HTML Entities #4 (Input Value + Capitalizes)
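The challenge names above ("Removes Alert", "Removes Script", "HTML Entities") describe filter families rather than the lab's code, so here is an added Python example, not the lab's PHP, that models each family as a toy filter and probes it with a few constructed payloads. It shows why a single-pass token removal is bypassed by nesting and case changes, why a recursive removal still lets an event-handler payload through, and why entity encoding holds for all four; the "still executes" check is a deliberately rough regex heuristic, not a browser.

```python
import html
import re
from typing import Callable, Dict

# Toy server-side filters standing in for the kinds named in the challenge
# list (not the lab's actual PHP).
def remove_script_once(s: str) -> str:
    return s.replace("script", "")


def remove_alert_once(s: str) -> str:
    return s.replace("alert", "")


def remove_script_recursive(s: str) -> str:
    # Repeat until nothing changes, so nested tokens cannot reassemble.
    while True:
        new = re.sub("script", "", s, flags=re.I)
        if new == s:
            return s
        s = new


def encode_entities(s: str) -> str:
    # Correct only when the output lands in a text node or a *quoted* attribute.
    return html.escape(s, quote=True)


# Constructed probes, one per bypass idea.
PAYLOADS = {
    "plain":   "<script>alert(1)</script>",
    "nested":  "<scrscriptipt>alert(1)</scrscriptipt>",
    "case":    "<ScRiPt>alert(1)</ScRiPt>",
    "handler": "<img src=x onerror=prompt(1)>",
}
SCRIPT_TAG = re.compile(r"<script\b", re.I)
EVENT_HANDLER = re.compile(r"<\w+[^>]*\bon\w+\s*=", re.I)  # handler inside an unencoded tag


def still_executes(out: str) -> bool:
    """Rough check: does the filtered output still carry an unencoded script
    tag or an inline event handler inside a tag?"""
    return bool(SCRIPT_TAG.search(out) or EVENT_HANDLER.search(out))


def evaluate(filter_fn: Callable[[str], str]) -> Dict[str, bool]:
    """True per payload means the payload survived the filter."""
    return {name: still_executes(filter_fn(p)) for name, p in PAYLOADS.items()}
```

Entity encoding wins here because it changes the context rather than hunting for bad tokens, but it is only a complete answer for text nodes and quoted attributes; the later challenges (input value, capitalised input) are precisely the cases where output lands somewhere else and encoding alone is not enough.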

Screenshot :



Installation :
  • Run your web server (XAMPP / LAMPP)
  • Clone the repository and put the files in /htdocs/xss-labs
  • You can then access http://localhost:8080/xss-labs
  • Happy Hacking ^_^
Visit the website: https://www.tegal-1337.com/

Thanks to Abhi-M and Codepen for references



Metabigor - Intelligence Tool But Without API Key


Intelligence Tool but without API key

What is Metabigor?
Metabigor is an intelligence tool; its goal is to perform OSINT tasks and more without needing any API key.

Installation
go get -u github.com/j3ssie/metabigor

Main features
  • Discover the IP addresses of a target.
  • Wrapper for running masscan and nmap on IP targets.
  • Search some search engines from the command line.

Demo


Example Commands
# discover the IP ranges of a company/organization
echo "company" | metabigor net --org -o /tmp/result.txt

# discover the IP ranges of an ASN
echo "ASN1111" | metabigor net --asn -o /tmp/result.txt
cat list_of_ASNs | metabigor net --asn -o /tmp/result.txt

# run masscan on port 443 for a subnet
echo "1.2.3.4/24" | metabigor scan -p 443 -o /tmp/result.txt

# run masscan on all ports and nmap on the open ones
cat list_of_IPs | metabigor scan --detail -o /tmp/result.txt

# search on fofa
echo 'title="RabbitMQ Management"' | metabigor search -x -v -o /tmp/result.txt

Credits
Logo from flaticon by freepik

Disclaimer
This tool is for educational purposes only. You are responsible for your own actions. If you mess something up or break any laws while using this software, it's your fault, and your fault only.



Adama - Searches For Threat Hunting And Security Analytics


Adama

Searches For Threat Hunting and Security Analytics

A collection of known log and/or event data searches for threat hunting and detection. They enumerate sets of searches used across many different data pipelines; implementation details are for ELK. Adama is part of the SpaceCake project, a set of hunts, searches, alerts, visualizations and data pipelines for intrusion detection, security analytics and threat hunting using F/OSS (free and open source) tools.


SUDO_KILLER - A Tool To Identify And Exploit Sudo Rules' Misconfigurations And Vulnerabilities Within Sudo


Linux Privilege Escalation through SUDO abuse.
If you like the tool, please give it a star; it motivates me to develop other tools.
The tool can be used by pentesters, system admins, CTF players, students, system auditors and trolls :).


INTRO
**WARNING: SUDO_KILLER is part of the KILLER project. SUDO_KILLER is still under development and there might be some issues; please create an issue if you find any.**
Other tools will be added to the KILLER project in the coming months, so stay tuned. Ideas, bug reports and contributions are more than welcome!
** Stay tuned: follow me on Twitter @ https://twitter.com/TH3xACE **


Overview
SUDO_KILLER is a tool for privilege escalation on Linux by abusing sudo in several ways. It identifies misconfigurations in sudo rules, vulnerabilities in the installed version of sudo (CVEs) and the use of dangerous binaries, all of which can be abused to elevate privileges to root.
SUDO_KILLER then provides a list of commands or local exploits that could be used to elevate privileges. Note that the tool does not perform any exploitation on your behalf; exploitation must be done manually, and this is intended.


Features

Some of the checks/functionalities that are performed by the tool.
  • Misconfigurations
  • Dangerous Binaries
  • Vulnerable versions of sudo - CVEs
  • Dangerous Environment Variables
  • Credential Harvesting
  • Writable directories where scripts reside
  • Binaries that might be replaced
  • Identify missing scripts

What version 2 of SK includes:
  • New checks and/or scenarios
    1. CVE-2019-14287 - runas
    2. No CVE yet - sudoedit - absolute path
    3. CVE-2019-18634 - pwfeedback
    4. User Impersonation
    5. list of users in sudo group
  • Performance improved
  • Bugs corrected (checks, export, report,...)
  • Continuous improvement of the output presentation
  • New videos will be added soon
  • Annoying repeated password prompts removed
  • New functionality: offline mode, the ability to extract the required info from the audited system and run SK on your host.
  • Testing environment: a Docker image to play with the tool and different scenarios; you can also train on privilege escalation with it.


Usage

Example Online mode
./sudo_killer.sh -c -e -r report.txt -p /tmp

Example Offline mode
Run extract.sh on the system to be audited (the victim machine), then copy its output, /tmp/sk_offline.txt, from that system to your host.
  • Note: Three checks are missing in the offline mode, still in dev... coming soon...
Run SK with the below parameter:
./sudo_killer.sh -c -i /path/sk_offline.txt

Optional arguments
  • -c : include CVE checks with respect to sudo version
  • -i : import (offline mode) from extract.sh
  • -e : include export of sudo rules / sudoers file
  • -r : report name (save the output)
  • -p : path where to save export and report
  • -s : supply user password for sudo checks (not recommended ++except for CTF)
  • -h : help

CVEs check
To update the CVE database : run the following script ./cve_update.sh


Providing password (Important)
If running sudo -l requires a password, the script will not work unless you supply that password with the -s argument.


How to run SK on the targetted/audited machine
If the machine has an internet connection, just git clone the tool and run it. If it does not, git clone on your host, compress the tool (tar), transfer the archive via HTTP/SMB (Apache web server / Python SimpleHTTPServer / SMB server / nc), uncompress it on the target system and enjoy!


Notes
**NOTE: sudo_killer does not exploit anything by itself; this is by design. It checks for misconfigurations and vulnerabilities and then proposes the following (if you are lucky, the route to root is near!):
  • a list of commands to exploit
  • a list of exploits
  • some description on how and why the attack could be performed


Why is it possible to run "sudo -l" without a password?
By default, if the NOPASSWD tag is applied to any of the entries for a user on a host, he or she will be able to run "sudo -l" without a password. This behavior may be overridden via the verifypw and listpw options.
However, these rules only apply to the current user, so if user impersonation is possible (using su), sudo -l should be run as that user as well.
Sometimes the file /etc/sudoers can be read even if sudo -l is not accessible without password.


Docker - Vulnerable testing environment
**IMPORTANT: The recommended way to test the tool is to use the Docker image created for that purpose. The image contains several vulnerabilities and misconfigurations related to the usage of sudo.
Everything is tested from the Docker container available on Docker Hub!**

A Docker image is available on Docker Hub and automatically rebuilt at each update: https://hub.docker.com/r/th3xace/sudo_killer_demo . It is based on the official debian:jessie Docker image.
  1. Pull SUDO_KILLER_DEMO Docker Image from the docker hub (This version maybe a bit more up-to-date):
    service docker start
    docker pull th3xace/sudo_killer_demo
    docker run --rm -it th3xace/sudo_killer_demo
  2. Build locally from Dockerfile :
    service docker start
    git clone https://github.com/TH3xACE/SUDO_KILLER.git
    cd SUDO_KILLER
    docker build -t th3xace/sudo_killer_demo .
    docker run --rm -it th3xace/sudo_killer_demo
Note: the Docker image is only an environment for playing with the tool, since it contains several vulnerabilities to exploit. The tool itself is meant to be used on its own.


Demos
Several videos are provided below with different scenarios of exploitation.


Credits
The script was developed by myself with the help of online resources found on GitHub and in the wild. Credits also to the authors of the exploits related to the CVEs; the author information and links can be found in the exploits and in the notes shown when running the tool. Special kudos to Vincent Puydoyeux, who gave me the idea to develop this tool, and to Koutto, for helping me with the Docker side and for improving the tool.


Disclaimer
This script is for educational purposes ONLY. Do not use it without permission. The usual disclaimer applies, in particular that I (TH3xACE) am not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author and any Internet provider bear NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept that any damage (data loss, system crash, system compromise, etc.) caused by their use is not my responsibility.


TaskManager-Button-Disabler - Simple Way To Disable/Rename Buttons From A Task Manager


Simple way to disable/rename buttons from a task manager.

Installation
git clone https://github.com/Mrakovic-ORG/TaskManager-Button-Disabler
cd TaskManager-Button-Disabler\TaskManager Button Disabler
dotnet build

Features
  • Rename kill process button
  • Disable kill process button
  • Works in TaskMgr, ProcessHacker etc...

OWASP D4N155 - Intelligent And Dynamic Wordlist Using OSINT


It's an information security audit tool that creates intelligent wordlists based on the content of the target page.
Help us
See some calculations used

Install
Needs: Python 3.6, Bash (GNU Bourne-Again SHell)
Optional: Git, Groff
git clone https://github.com/owasp/D4N155.git
cd D4N155
pip3 install -r requirements.txt
bash main
Or without git
wget -qO- https://github.com/owasp/D4N155/archive/master.zip | bsdtar -xf-
cd D4N155-master
pip3 install -r requirements.txt
bash main


Manual
    D4N155: Tool for smart security audit

Usage: bash main <option> <value>
All options are optional

Options:
-w, --wordlist <url|ip> Make the smart wordlist based on the information
on the website.
-t, --targets <file> Make the smart wordlist based on the sources
(URLs) you pass in a file.
-b, --based <file> Analyze texts to generate the
custom wordlist
-r, --rate <time> Defines the time interval between requests
-o, --output <file> File in which to store the whole wordlist.
-?a, --aggressive Aggressive reading with a headless browser
-h, --help Show this message.

Value: <url | ip | source | file | time>
URL URL target, example: scanme.nmap.org
IP IP address
TIME Time, example: 2.5, i.e. 00:00:02:30. Default is 0
FILE File, for saving the result, getting URLs, or using in the
wordlist
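The page says the wordlist is "intelligent" because it is built from the target's own content; the added Python example below shows one way to do that and is not D4N155's code or its scoring. It takes a constructed page text, ranks candidate words by how often they appear, pulls out years, and expands each base word with case, leetspeak and suffix mutations. The stopword list, suffixes and leet table are assumptions for the example.

```python
import re
from collections import Counter
from typing import List

# Constructed page text standing in for a crawled target site.
SAMPLE_PAGE_TEXT = """Acme Robotics - Welcome to Acme Robotics. Founded in 1998 in Springfield,
Acme builds the RoboArm and the RoboArm Pro. Contact support@acme-robotics.example
or visit our Springfield showroom. Copyright 2020 Acme Robotics."""

STOPWORDS = {"the", "and", "our", "in", "to", "or", "of", "a", "is", "with",
             "welcome", "contact", "visit"}
WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]+")
YEAR_RE = re.compile(r"\b(?:19|20)\d{2}\b")
LEET = str.maketrans("aeios", "43105")
SUFFIXES = ["1", "123", "!", "@"]


def extract_terms(text: str, min_len: int = 4) -> List[str]:
    """Candidate base words, most frequent first: frequency on the target's
    own page is what makes the list target-specific."""
    counts = Counter(w.lower() for w in WORD_RE.findall(text)
                     if len(w) >= min_len and w.lower() not in STOPWORDS)
    return [w for w, _ in counts.most_common()]


def extract_years(text: str) -> List[str]:
    """Founding and copyright years are common password suffixes."""
    return sorted(set(YEAR_RE.findall(text)))


def mutate(word: str, years: List[str]) -> List[str]:
    forms = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    out = list(forms)
    for base in forms[:2]:           # plain and Capitalised get the suffixes
        for suffix in SUFFIXES + years:
            out.append(base + suffix)
    return out


def build_wordlist(text: str, max_terms: int = 50) -> List[str]:
    """Ordered, de-duplicated candidates: best base words first."""
    years = extract_years(text)
    seen, out = set(), []
    for word in extract_terms(text)[:max_terms]:
        for cand in mutate(word, years):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    for year in years:
        if year not in seen:
            seen.add(year)
            out.append(year)
    return out
```

Keeping the list ordered by term frequency matters when the wordlist is fed to a rate-limited login form: the guesses most likely to hit are tried before the lockout threshold is reached.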


Gadgetinspector - A Byte Code Analyzer For Finding Deserialization Gadget Chains In Java Applications


This project inspects Java libraries and classpaths for gadget chains. Gadget chains are used to construct exploits for deserialization vulnerabilities. By automatically discovering possible gadget chains in an application's classpath, penetration testers can quickly construct exploits and application security engineers can assess the impact of a deserialization vulnerability and prioritize its remediation.
This project was presented at Black Hat USA 2018. Learn more about it there! (Links pending)
DISCLAIMER: This project is alpha at best. It needs tests and documentation added. Feel free to help by adding either!

Building
Assuming you have a JDK installed on your system, you should be able to just run ./gradlew shadowJar. You can then run the application with java -jar build/libs/gadget-inspector-all.jar <args>.

How to Use
This application expects as argument(s) either a path to a war file (in which case the war will be exploded and all of its classes and libraries used as a classpath) or else any number of jars.
Note that the analysis can be memory intensive (and so far gadget inspector has not been optimized at all to be less memory greedy). For small libraries you probably want to allocate at least 2GB of heap size (i.e. with the -Xmx2G flag). For larger applications you will want to use as much memory as you can spare.
The toolkit will go through several stages of classpath inspection to build up datasets for use in later stages. These datasets are written to files with a .dat extension and can be discarded after your run (they are written mostly so that earlier stages can be skipped during development).
After the analysis has run the file gadget-chains.txt will be written.

Example
The following is an example from running against commons-collections-3.2.1.jar, e.g. with
wget http://central.maven.org/maven2/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
java -Xmx2G -jar build/libs/gadget-inspector-all.jar commons-collections-3.2.1.jar
In gadget-chains.txt there is the following chain:
com/sun/corba/se/spi/orbutil/proxy/CompositeInvocationHandlerImpl.invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object; (-1)
com/sun/corba/se/spi/orbutil/proxy/CompositeInvocationHandlerImpl.invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object; (0)
org/apache/commons/collections/map/DefaultedMap.get(Ljava/lang/Object;)Ljava/lang/Object; (0)
org/apache/commons/collections/functors/InvokerTransformer.transform(Ljava/lang/Object;)Ljava/lang/Object; (0)
java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)
The entry point of this chain is an implementation of the JDK InvocationHandler interface. Using the same trick as in the original commons-collections gadget chain, any serializable implementation of this interface is reachable in a gadget chain, so the discovered chain starts here. This method invokes classToInvocationHandler.get(). The discovered gadget chain indicates that classToInvocationHandler can be serialized as a DefaultedMap so that this invocation jumps to DefaultedMap.get(). The next step in the chain invokes value.transform() from this method. The value field in this class can be serialized as an InvokerTransformer. Inside this class's transform method we see the call cls.getMethod(iMethodName, ...).invoke(...). Gadget inspector determined that iMethodName is attacker-controllable as a serialized member, and thus an attacker can execute an arbitrary method on the class.
This gadget chain is the building block of the full commons-collections gadget chain discovered by Frohoff. In the above case, gadget inspector happened to discover the entry through CompositeInvocationHandlerImpl and DefaultedMap instead of AnnotationInvocationHandler and LazyMap, but the chain is largely the same.

Other Examples
If you're looking for more examples of what kind of chains this tool can find, the following libraries also have some interesting results:
Don't forget that you can also point gadget inspector at a complete application (packaged as a JAR or WAR). For example, when analyzing the war for the Zksample2 application we get the following gadget chain:
net/sf/jasperreports/charts/design/JRDesignPieDataset.readObject(Ljava/io/ObjectInputStream;)V (1)
org/apache/commons/collections/FastArrayList.add(Ljava/lang/Object;)Z (0)
java/util/ArrayList.clone()Ljava/lang/Object; (0)
org/jfree/data/KeyToGroupMap.clone()Ljava/lang/Object; (0)
org/jfree/data/KeyToGroupMap.clone(Ljava/lang/Object;)Ljava/lang/Object; (0)
java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)
As you can see, this utilizes several different libraries contained in the application in order to build up the chain.
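The chains above are the output of a reachability search from serialization entry points to reflective sinks. The following is an added Python example, not gadget inspector's code and not a bytecode analysis: it runs a breadth-first search over a small hand-built call graph modelled on the commons-collections chain quoted earlier, resolving interface calls (Map.get, Transformer.transform) only to serializable implementations, and returns the shortest chain per entry point. The graph, class set and method names are constructed for the illustration.

```python
from collections import deque
from typing import Dict, List, Set

# Constructed call-graph fragment modelled on the commons-collections chain
# quoted above; "Iface.method" callees are interface calls resolved below.
CALL_GRAPH: Dict[str, List[str]] = {
    "CompositeInvocationHandlerImpl.invoke": ["Map.get"],
    "AnnotationInvocationHandler.invoke": ["Map.get"],
    "DefaultedMap.get": ["Transformer.transform"],
    "LazyMap.get": ["Transformer.transform"],
    "HashMap.get": [],
    "InvokerTransformer.transform": ["Method.invoke"],
    "ConstantTransformer.transform": [],
}
IMPLEMENTATIONS: Dict[str, List[str]] = {
    "Map.get": ["HashMap.get", "DefaultedMap.get", "LazyMap.get"],
    "Transformer.transform": ["InvokerTransformer.transform", "ConstantTransformer.transform"],
}
# Only implementations an attacker can put on the wire matter.
SERIALIZABLE: Set[str] = {"CompositeInvocationHandlerImpl", "AnnotationInvocationHandler",
                          "DefaultedMap", "LazyMap", "HashMap",
                          "InvokerTransformer", "ConstantTransformer"}
SOURCES = ["CompositeInvocationHandlerImpl.invoke", "AnnotationInvocationHandler.invoke"]
SINKS = {"Method.invoke"}


def callees(method: str) -> List[str]:
    """Direct callees, with interface calls expanded to serializable implementations."""
    out: List[str] = []
    for target in CALL_GRAPH.get(method, []):
        if target in IMPLEMENTATIONS:
            out.extend(impl for impl in IMPLEMENTATIONS[target]
                       if impl.split(".")[0] in SERIALIZABLE)
        else:
            out.append(target)
    return out


def find_chains(sources: List[str], sinks: Set[str], max_depth: int = 8) -> List[List[str]]:
    """Shortest source->sink path per source (BFS); each node is visited once per source."""
    chains: List[List[str]] = []
    for src in sources:
        queue, seen = deque([[src]]), {src}
        while queue:
            path = queue.popleft()
            if path[-1] in sinks:
                chains.append(path)
                break
            if len(path) >= max_depth:
                continue
            for nxt in callees(path[-1]):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return chains
```

This toy only answers "is the sink reachable"; the real tool also tracks whether the arguments reaching the sink flow from serialized fields (the iMethodName point made above). Without that dataflow step every reachable Method.invoke would be reported, which is the false-positive direction the FAQ below warns about.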

FAQ
Q: If gadget inspector finds a gadget chain, can an exploit be built from it?
A: Not always. The analysis uses some simplifying assumptions and can report false positives (gadget chains that don't actually exist). As a simple example, it doesn't try to solve for the satisfiability of branch conditions. Thus it will report the following as a gadget chain:
import java.io.*;

public class MySerializableClass implements Serializable {
    // Serialization calls only a private readObject with exactly this signature.
    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        if (false) System.exit(0); // dead branch, yet reported: branch conditions are not solved
        ois.defaultReadObject();
    }
}
Furthermore, gadget inspector has pretty broad conditions on which functions it considers interesting. For example, it treats reflection as interesting (i.e. calls to Method.invoke() where an attacker can control the method), but often overlooked assertions mean that an attacker can influence the method invoked without having complete control. For example, an attacker may be able to invoke the "getError()" method in any class, but not any other method name.
Q: If no gadget chains were found, does that mean my application is safe from exploitation?
A: No! For one, the gadget inspector has a very narrow set of "sink" functions which it considers to have "interesting" side effects. This certainly doesn't mean there aren't other interesting or dangerous behaviors not in the list.
Furthermore, there are a number of limitations to static analysis that mean the gadget inspector will always have blindspots. As an example, gadget inspector would presently miss this because it doesn't follow reflection calls.
import java.io.*;

public class MySerializableClass implements Serializable {
    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        try {
            System.class.getMethod("exit", int.class).invoke(null, 0); // target hidden behind reflection
        } catch (ReflectiveOperationException e) {
            throw new IOException(e);
        }
    }
}


Ohmybackup - Scan Victim Backup Directories & Backup Files


ohmybackup - Scan Victim's Backup Directories & Backup Files

ohmybackup
Scans backup folders on target sites and searches for archived files in the folders it finds. With its list-based scanning system it combines extensions and file names in different ways, which makes a backup more likely to be found.
1 - files/extensions.txt - Extensions to try. Adding an entry such as .example makes every file name candidate also be retried with that extension.
2 - files/files.txt - File names to try in each folder, combined with every extension above.
3 - files/folders.txt - Folders that are scanned recursively. You can add to this list yourself.

Installation
go run ohmybackup.go --hostname victim.host
or
go build ohmybackup.go

Run
./ohmybackup --hostname victim.host
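The three lists described above are combined into candidate URLs; the added Python example below shows that combination and the check a scanner needs on the response side. It is not ohmybackup's code: the folder, file and extension lists are short constructed stand-ins for the real files/*.txt, and the archive check is an illustration of why a 200 status alone should not count as a hit (soft-404 pages answer 200 for everything).

```python
from itertools import product
from typing import List

# Constructed stand-ins for files/folders.txt, files/files.txt and
# files/extensions.txt; the real lists ship with the tool.
FOLDERS = ["/", "/backup/", "/backups/", "/old/", "/bak/"]
FILES = ["backup", "db", "site", "www", "{host}", "{label}"]
EXTENSIONS = [".zip", ".tar.gz", ".sql", ".bak", ".sql.gz"]

ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"Rar!": "rar", b"7z\xbc\xaf": "7z"}


def candidates(hostname: str, folders=FOLDERS, files=FILES, exts=EXTENSIONS,
               scheme: str = "https") -> List[str]:
    """Every folder x filename x extension combination, with the hostname and
    its first label substituted as file names, de-duplicated in order."""
    label = hostname.split(".")[0]
    names = list(dict.fromkeys(f.format(host=hostname, label=label) for f in files))
    seen, out = set(), []
    for folder, name, ext in product(folders, names, exts):
        url = f"{scheme}://{hostname}{folder}{name}{ext}"
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def looks_like_archive(content_type: str, head: bytes) -> bool:
    """A 200 alone proves nothing (soft 404s): require a non-HTML type and a
    known archive signature, or the leading comment/statement of a SQL dump."""
    if content_type.split(";")[0].strip().lower() in ("text/html", "application/xhtml+xml"):
        return False
    if any(head.startswith(magic) for magic in ARCHIVE_MAGIC):
        return True
    body = head.lstrip()
    return body.startswith(b"--") or body.startswith(b"CREATE") or body.startswith(b"INSERT")
```

Because the candidate list grows as folders x names x extensions, a few extra entries in each file multiply the request count quickly; check a single known-missing URL first to learn how the target answers for nothing, then apply looks_like_archive to every 200.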


DLLPasswordFilterImplant - DLL Password Filter Implant With Exfiltration Capabilities


DLLPasswordFilterImplant is a custom password filter DLL that captures users' credentials. Each password change event on a domain triggers the registered DLL, which exfiltrates the username and the new password value before the change is committed to Active Directory (AD).
For more information about password filters consult Microsoft's documentation.

Installing
  1. To install the password filter on a system:
  • Create the DLL for the targeted architecture. Compile in 32-bit for a 32-bit system and in 64-bit for a 64-bit system.
  • Copy the DLL to the Windows installation directory. (Default folder: \Windows\System32)
  • Register the password filter by updating the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    If the Notification Packages subkey exists, add the name of the DLL ("DLLPasswordFilterImplant" if you didn't rename it) to the existing value data. Do not overwrite the existing values. If the subkey does not exist, create it and add the name of the DLL ("DLLPasswordFilterImplant" if you didn't rename it) to the value data. NOTE: Do not include the .dll extension when adding the name of the DLL in the Notification Packages subkey.
  • Configure the public key to use for encrypting credentials.
    KEY=key.pem
    # Generate an RSA key and dump its public key. Keep the private key around for decryption
    openssl genrsa -out $KEY 2048

    # Prepare the Windows registry key entry.
    echo 'Windows Registry Editor Version 5.00' > addKey.reg
    echo >> addKey.reg
    echo '[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]' >> addKey.reg
    # If python2 does not exist, use `python` instead. Value names in a .reg file are quoted.
    echo "\"Key\"=hex:$(openssl rsa -in $KEY -pubout | sed -E '/^\-/d' | base64 -d | python2 -c 'import sys; print(",".join(["{:02x}".format(ord(b)) for b in sys.stdin.read()]))')" >> addKey.reg
    You can then run the addKey.reg file to append the raw public key to the registry. Note that using asymmetric encryption significantly increases the size of the data to exfiltrate because of message padding; there is room to reduce that overhead.
  • Restart the system
  2. To register the key and the domain for DNS exfiltration:
  • Go to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Create a string type subkey named "Domain". Specify your domain in the value of that subkey. Your domain must start with a "." . (Example value: ".yourdomain.com")
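The shell pipeline in step 1 depends on python2 and on OpenSSL being present; the following added Python 3 example reproduces the same conversions stand-alone and is not part of the DLLPasswordFilterImplant project. It strips the PEM armour, emits the .reg fragment for the Lsa key, reverses the `xxd -r -p` step used below for the exfiltrated hex, and computes how much plaintext one RSA-OAEP block can carry (the padding overhead the note above mentions). The PEM input is a constructed wrapper around known bytes rather than a real key so the example runs offline.

```python
import base64

# Constructed stand-in for `openssl rsa -pubout` output: a PEM wrapper around
# 70 known bytes, not a real key, so the example runs without OpenSSL.
SAMPLE_PUBKEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                     + base64.encodebytes(bytes(range(70))).decode()
                     + "-----END PUBLIC KEY-----\n")

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END lines and base64-decode the body (the sed and
    base64 -d steps of the page's pipeline)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def reg_hex(data: bytes, width: int = 25) -> str:
    """REG_BINARY literal in .reg syntax: hex:aa,bb,... wrapped with a
    trailing backslash every `width` bytes, as regedit itself exports it."""
    parts = [f"{b:02x}" for b in data]
    lines = [",".join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return "hex:" + ",\\\r\n  ".join(lines)


def build_reg(der: bytes, value_name: str = "Key") -> str:
    """Complete addKey.reg contents (CRLF line endings, quoted value name)."""
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{LSA_KEY}]",
        f'"{value_name}"={reg_hex(der)}',
        "",
    ])


def exfil_hex_to_bytes(hex_text: str) -> bytes:
    """Equivalent of `xxd -r -p`: ignore whitespace, parse hex digit pairs."""
    return bytes.fromhex("".join(hex_text.split()))


def max_oaep_payload(modulus_bits: int, hash_len: int = 20) -> int:
    """Largest plaintext one RSA-OAEP block can carry: k - 2*hLen - 2, with
    hLen = 20 for the SHA-1 default of `openssl rsautl -oaep`."""
    return modulus_bits // 8 - 2 * hash_len - 2
```

For the 2048-bit key generated in step 1 that limit is 214 bytes of username plus password per 256-byte ciphertext, which is the size relation behind the "significantly increases the size" remark.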

Decrypting
The encrypted data is padded using OAEP and can be decrypted as follows:
# Convert the stitched hex string to raw bytes.
xxd -r -p exfiltrated.hex > raw.bin

# Decrypt using the private key.
openssl rsautl -decrypt -oaep -inkey $KEY -in raw.bin -out decrypted.txt

Uninstalling
To completely remove the password filter of a system:
  • Unregister the password filter by updating the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    In the Notification Packages subkey, remove the name of the DLL from the existing value data. Do not remove other existing values.
  • Restart the system
  • In the Windows installation directory (Default folder: \Windows\System32), find the password filter DLL ("DLLPasswordFilterImplant.DLL" if you didn't rename it) and delete the file.

Compatibility
Works on:
  • Windows 7 Hosts (x64)
  • Windows 10 Hosts (x64)
  • Windows Server 2008 DCs (x64)
  • Windows Server 2012 DCs (x64)
  • Windows Server 2016 DCs (x64)
The password filter was tested exclusively on the systems listed above.

Debug
Here are some tools that may help you debug the DLL (if necessary):



Liffy - Local File Inclusion Exploitation Tool


LFI Exploitation tool


A little Python tool to perform Local File Inclusion.
Liffy v2.0 is the improved version of liffy, which was originally created by rotlogix/liffy. The latter is no longer available and the former hasn't seen any development for a long time.

Main features
  • data:// for code execution
  • expect:// for code execution
  • input:// for code execution
  • filter:// for arbitrary file reads
  • /proc/self/environ for code execution in CGI mode
  • Apache access.log poisoning
  • Linux auth.log SSH poisoning
  • Direct payload delivery with no stager
  • Support for absolute and relative path traversal
  • Support for cookies for authentication
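The feature list above doubles as a detection checklist: every technique leaves a distinctive marker in the web server's access log. As an added example that is not part of Liffy, the following scans constructed Apache combined-format log lines for the PHP stream wrappers (`php://filter`, `php://input`, `data://`, `expect://`), for `/proc/self/environ` and other files an inclusion is typically pointed at, for path traversal, and for PHP tags planted in the User-Agent or Referer header ahead of log poisoning. The log lines, tag names and path list are this example's own constructions.

```python
"""Flag LFI-style requests in Apache access logs.

Added example for this section; it is not part of Liffy. It scans combined-format
log lines for the techniques listed in the README (stream wrappers,
/proc/self/environ, path traversal, PHP tags in client headers) and returns the
suspicious requests. Field names and indicator lists are this example's own.
"""
import re
from urllib.parse import unquote

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Stream wrappers and files an LFI is typically pointed at. The log file paths
# are the usual Debian locations; adjust for your distribution.
WRAPPERS = ("php://filter", "php://input", "data://", "expect://")
SENSITIVE_PATHS = (
    "/proc/self/environ", "/etc/passwd",
    "/var/log/auth.log", "/var/log/apache2/access.log",
)

# Constructed sample log (not a real capture): one benign request and four
# requests that exercise the techniques listed for Liffy.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Feb/2020:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2020:10:00:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 4096 "-" "curl/7.64.0"
203.0.113.7 - - [19/Feb/2020:10:00:03 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2048 "-" "curl/7.64.0"
203.0.113.7 - - [19/Feb/2020:10:00:04 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 1800 "-" "<?php echo 'poisoned'; ?>"
203.0.113.7 - - [19/Feb/2020:10:00:05 +0000] "GET /index.php?page=data://text/plain;base64,SGVsbG8= HTTP/1.1" 200 64 "-" "curl/7.64.0"
"""


def classify_request(target: str, referer: str, user_agent: str) -> list:
    """Return the indicator tags that apply to one request (empty if none)."""
    # Decode twice so %252e%252e%252f style double encoding is also caught.
    decoded = unquote(unquote(target)).lower()
    tags = []
    tags += ["wrapper:" + w for w in WRAPPERS if w in decoded]
    if "../" in decoded or "..\\" in decoded:
        tags.append("traversal")
    tags += ["path:" + p for p in SENSITIVE_PATHS if p in decoded]
    # PHP tags in client-controlled headers are the log poisoning precursor:
    # they only become dangerous once the log file itself is included.
    if "<?php" in (referer + user_agent).lower():
        tags.append("php-tag-in-header")
    return tags


def scan_log(text: str) -> list:
    """Parse each line and return (ip, target, tags) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparsable line; a production scanner would count these
        tags = classify_request(match["target"], match["referer"], match["ua"])
        if tags:
            findings.append((match["ip"], match["target"], tags))
    return findings


if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, target, ",".join(tags))
```

On the constructed sample the benign request produces no tags and the other four are each flagged by the technique they use; note that a 200 status on an `/etc/passwd` or `/proc/self/environ` request is the signal that the inclusion actually worked, so the status field is worth keeping in any alert.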

Documentation

Contribution
  • Suggest a feature
    • Like any other technique to exploit LFI
  • Report a bug
  • Fix something and open a pull request
In any case feel free to open an issue

Credits
All the exploitation techniques are taken from liffy
Logo for this project is taken from renderforest

Support
If you'd like you can buy me some coffee:


Dnssearch - A Subdomain Enumeration Tool


This software is a subdomain enumeration tool.

Purpose
dnssearch takes an input domain (-domain parameter) and a wordlist (-wordlist parameter), then performs concurrent DNS requests using the lines of the wordlist as subdomains, eventually brute-forcing every subdomain available on the top-level domain.
It supports a custom file extension (-ext, default to php) and other optional arguments:
Usage of ./dnssearch:
  -consumers int
        Number of concurrent consumers. (default 8)
  -domain string
        Base domain to start enumeration from.
  -wordlist string
        Wordlist file to use for enumeration. (default "names.txt")
  -a bool
        Lookup A records ( default true )
  -txt bool
        Lookup TXT records ( default false )
  -cname bool
        Show CNAME results ( default false )

Compilation
go get github.com/evilsocket/dnssearch
cd dnssearch
go build -o dnssearch main.go

Compilation and use with Docker
docker build -t dnssearch .
docker run -it --rm dnssearch

License
This project is copyleft of Simone Margaritelli and released under the GPL 3 license.


Faraday presents the latest version of their Security Platform for Vulnerability Management Automation



Miami, February 19, 2020 - Faraday is opening 2020 by strengthening their releases using the featured cybersecurity worldwide events calendar, starting next week with BSides and RSAC in San Francisco. As a Blackhat Global Partner, the company will also participate as a sponsor in all BH’s global events.

By means of automation technology and workflow intelligence, Faraday Platform helps teams reduce their vulnerability findings’ life cycle by prioritizing actions and decreasing the exposure time of their assets while managing their own Security Ecosystem.

Duplicate Vulnerability Detection, Agents with Process Scheduler and the new Cloud implementation are some of the latest enhancements focused on automating every phase of the Vulnerability Management process, thus increasing team’s maturity and risk mitigation.

“We believe that understanding your security posture is the main key to making smarter security investments”

From February 24 to 28, Faraday team will be available to schedule executive meetings around BSides and/or RSA conferences in San Francisco, talk about Vulnerability Management Automation and how their technology can help you. For all those interested in growing their business by including Faraday into their portfolio, this will also be a possibility to approach their new Partner Program designed to adapt to different strategies and business levels.

About Faraday

Faraday's mission is to help companies perform Vulnerability Management by maximizing their teams’ resources. They focus on helping you centralize all your security efforts, guiding you towards adapting and customizing strategies, prioritizing actions and reducing the time of exposure to risk.

Click next to schedule a meeting or if you'd like to learn more about Faraday Platform:


get_Team_Pass - Get Teamviewer's ID And Password From A Remote Computer In The LAN


Get teamviewer's ID and password from a remote computer in the LAN
This program gets TeamViewer's ID and password from a remote computer on the LAN.
Most useful for post-exploitation or for sysadmins.
Tested on Windows 7 and Windows 10, x86 and x64.

Prerequisites
  • You must have valid credentials on the remote computer
  • Port 445 must be accessible on the target machine

Execution examples:
hook.exe must be in the same folder as get_Team_Pass.exe
get_Team_Pass.exe -h for printing the help
get_Team_Pass.exe -t [targetIp] -u [Username] -p [UsernamePassword] -d [usernameDomain] # -d parameter is optional
get_Team_Pass.exe -t 192.168.175.136 -u administrator -p Password2018
get_Team_Pass.exe -t 192.168.175.136 -u administrator -p Password2018 -d domain

Execution video
https://goo.gl/VhWF4g

Blog
https://kr1shn4murt1.blogspot.com/2018/12/obtener-el-id-y-password-de-teamviewer.html

Sha-256 checksums of files
Algorithm  Hash                                                              File
SHA256     28F71132305CFA45F4335FA8F9E3ADE52CC9E3339AECDCA795FBD5EA51894351  get_Team_Pass.exe
SHA256     57F62D0CB5656ED2D79DC16C25A9B0D3AACC307D945CED5B0F1CAA1F563735C1  hook.exe

Authors
@kr1shn4murt1 @t1gr385 kronux.com.co

TODO
  • Reduce the final size of the compiled files
  • Add more exception handling
  • Add network range capabilities to check all computers in a LAN
  • In the future, if TeamViewer is not found on the remote machine, inject it
  • Add Linux support


Wifi-Hacker - Shell Script For Attacking Wireless Connections Using Built-In Kali Tools


