Channel: KitPloit - PenTest Tools!

Invoker - Penetration Testing Utility


Penetration testing utility.
The goal is to use this tool when access to some Windows OS features through GUI is restricted.
Some features require administrative privileges.
Capabilities:
  • invoke the Command Prompt and PowerShell,
  • download a file,
  • schedule a task,
  • add a registry key,
  • connect to a remote host,
  • list unquoted service paths and restart a running service,
  • terminate a running process,
  • run a new process,
  • inject bytecode into a running process,
  • inject DLL into a running process,
  • enable access token privileges,
  • duplicate access token of a running process,
  • replace Sticky Keys.
Built with Dev-C++ IDE v5.11 (64 bit), compiled with TDM-GCC v4.9.2 (64 bit) and tested on Windows 10 Enterprise OS (64 bit). Download Dev-C++ from here.
Made for educational purposes. I hope it will help!
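Invoker lists "list unquoted service paths" among its capabilities. The following added example (not Invoker's code) shows the defender's side of that check: it takes service name to ImagePath pairs, flags the ones whose unquoted executable path contains spaces, and produces the quoted value an administrator would set to close the weakness. The SERVICES dictionary is constructed sample data standing in for the ImagePath values read from HKLM\SYSTEM\CurrentControlSet\Services.

```python
"""Audit service ImagePath values for the unquoted-path weakness.

Added example, not part of Invoker: find services whose binary path contains
spaces but is not quoted, and compute the remediated (quoted) ImagePath.
SERVICES is constructed sample data standing in for the values found under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath.
"""
import re
from typing import Dict, Tuple

# Constructed sample ImagePath values (service name -> ImagePath).
SERVICES: Dict[str, str] = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
    "BadSvc": r"C:\Program Files\Bad Vendor\Tools\agent.exe -k",
    "SystemSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "DriverSvc": r"\SystemRoot\System32\drivers\foo.sys",
}

_EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def split_executable(image_path: str) -> Tuple[str, str]:
    """Return (executable part, remaining arguments) of an unquoted ImagePath.

    The executable part ends at the first '.exe'; if there is none, the whole
    string is treated as the executable and the argument part is empty.
    """
    path = image_path.strip()
    m = _EXE_RE.search(path)
    if m is None:
        return path, ""
    return path[: m.end()], path[m.end():]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the executable part is unquoted and contains a space.

    The service control manager then tries each space-delimited prefix as a
    program before the intended binary, so the directories along that prefix
    must not be writable by unprivileged users; quoting removes the ambiguity.
    """
    path = image_path.strip()
    if not path or path.startswith('"'):
        return False
    exe_part, _ = split_executable(path)
    return " " in exe_part


def quote_image_path(image_path: str) -> str:
    """Remediation: return the ImagePath with the executable part quoted."""
    if not is_unquoted_with_spaces(image_path):
        return image_path.strip()
    exe_part, rest = split_executable(image_path)
    return f'"{exe_part}"{rest}'


def audit(services: Dict[str, str]) -> Dict[str, str]:
    """Map each affected service name to its remediated ImagePath."""
    return {
        name: quote_image_path(path)
        for name, path in services.items()
        if is_unquoted_with_spaces(path)
    }


if __name__ == "__main__":
    for name, fixed in audit(SERVICES).items():
        print(f"{name}: unquoted path with spaces -> set ImagePath to {fixed}")
```

On a real host the dictionary would be filled from the registry (for instance with `winreg` or `Get-ItemProperty`); the logic above is the same regardless of how the values are collected.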

Invoker Library
Check all the capabilities here. Feel free to use the library.

PowerShell Scripts
Check all the PowerShell scripts used in the main C++ program here.

How to Run
Run '\exec\Invoker.exe'.

Bytecode Injection
Elevate privileges by injecting bytecode into a higher-privileged process.
This tool can parse an HTTP response and extract the payload from a custom element, e.g. from <img class="bc" src="" alt="bc" hidden="hidden">, where the payload is binary code or a file encoded in Base64.
This might be useful if antivirus is constantly deleting your local payloads.
You can also specify your own custom element, but you will have to modify the program source code and recompile it.
Check an example at pastebin.com/raw/Nd1tCBv6.
Bytecode provided will most certainly not work for you.
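The staging technique described above (a Base64-encoded payload hidden inside an HTML element so that nothing lands on disk until it is injected) is something a proxy or web-content inspector can look for. The following added example is not Invoker's code: it is a defender-side parser that walks an HTTP response body, decodes any Base64 text or attribute values attached to elements carrying the `hidden` attribute, and classifies what they decode to. The class name `bc` comes from the description above; SAMPLE_RESPONSE and the MZ-prefixed dummy blob are constructed.

```python
"""Detect hidden HTML elements that carry a Base64 blob instead of content.

Added example, not Invoker's code: a defender-side check for the staging
technique described above, where a payload is smuggled in an element such as
<img class="bc" src="" alt="bc" hidden="hidden">. SAMPLE_RESPONSE and FAKE_PE
are constructed sample data.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# A Base64 run of at least 16 characters with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_b64(value: str) -> Optional[bytes]:
    """Return the decoded bytes if value is well-formed Base64, else None."""
    value = value.strip()
    if not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(blob: bytes) -> str:
    """Rough triage of a decoded blob by its leading bytes."""
    if blob[:2] == b"MZ":
        return "pe-executable"
    if blob[:4] == b"\x7fELF":
        return "elf-executable"
    if any(b < 9 or 13 < b < 32 for b in blob[:64]):
        return "opaque-binary"
    return "text"


class HiddenBlobFinder(HTMLParser):
    """Collects Base64 blobs found in or on elements carrying the hidden attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, object]] = []
        self._hidden_tag: Optional[str] = None  # hidden element just opened

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "") for name, value in attrs}
        if "hidden" not in attr_map:
            self._hidden_tag = None
            return
        self._hidden_tag = tag
        for name, value in attr_map.items():
            self._record(tag, f"attr:{name}", value)

    def handle_data(self, data):
        # Text directly following a hidden start tag (<img> is a void element,
        # so a payload placed "inside" it sits right after it in the stream).
        if self._hidden_tag is not None:
            self._record(self._hidden_tag, "text", data)
            self._hidden_tag = None

    def handle_endtag(self, tag):
        self._hidden_tag = None

    def _record(self, tag: str, where: str, value: str) -> None:
        blob = decode_b64(value)
        if blob is not None:
            self.findings.append(
                {"tag": tag, "where": where, "size": len(blob), "kind": classify(blob)}
            )


def find_hidden_blobs(body: str) -> List[Dict[str, object]]:
    """Scan an HTML response body and return the hidden Base64 blobs found."""
    finder = HiddenBlobFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


# Constructed sample: an MZ-prefixed dummy (not a real executable) placed the
# way the description above says Invoker expects it, next to benign content.
FAKE_PE = b"MZ" + b"\x90\x00" * 40
PAYLOAD_B64 = base64.b64encode(FAKE_PE).decode()
SAMPLE_RESPONSE = (
    "<html><body><p>Welcome</p>"
    "<span hidden>draft</span>"
    f'<img class="bc" src="" alt="bc" hidden="hidden">{PAYLOAD_B64}'
    '<img src="/logo.png" alt="logo"></body></html>'
)

if __name__ == "__main__":
    for finding in find_hidden_blobs(SAMPLE_RESPONSE):
        print(finding)
```

Short hidden text such as the `draft` span above is ignored by the length requirement in B64_RE; real deployments would tune that threshold and add the site's known data-URI images to an allow list.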

Generate a Reverse Shell Payload
Find out how to generate a reverse shell payload from my other project.

Get the LocalSystem Account (NT AUTHORITY\SYSTEM)
Run the Invoker.exe as administrator.
Enable all access token privileges.
Duplicate the access token from e.g. Windows Logon Application (winlogon.exe) and run a new instance of Invoker.exe.
Within the new Invoker.exe instance, open the Command Prompt and run whoami; you should now see nt authority\system.
Enable all access token privileges once again.
Close the old instance of Invoker.exe.
P.S. You get more access token privileges from Local Security Authority Subsystem Service (lsass.exe).


Parsec - Secure Cloud Framework


Homepage: https://parsec.cloud
Documentation: https://parsec-cloud.readthedocs.org.
Parsec is free software (AGPL v3) that aims to let you share your work and data in the cloud in total privacy, thanks to cryptographic security.


Key features:
  • Works as a virtual drive on your computer. You can access and modify all the data stored in Parsec with your regular software, just as you would on your local hard drive.
  • Never lose any data. Synchronization with the remote server never destroys any data, so you can browse the data history and recover from any point in time.
  • Client-side cryptographic security. Data and metadata are only visible to you and the people you choose to share them with.
  • Cryptographic signature. Each modification is signed by its author, making it trivial to identify who made which change.
  • Cloud provider agnostic. The server provides connectors for S3 and Swift object storage.
  • Simplified enrollment. Enrolling a new user is as simple as sharing a link and a token code.

Installation methods

Windows installer
Windows installers are available at https://github.com/Scille/parsec-cloud/releases/latest

Linux Snap
Available for Linux through Snapcraft at https://snapcraft.io/parsec

Python PIP
Parsec is also available directly through PIP for both Linux and Windows with Python > 3.6, with the command pip install parsec-cloud (or, if you need to specify the Python 3 pip version, pip3 install parsec-cloud).


Generator-Burp-Extension - Everything You Need About Burp Extension Generation




Installation
First, install Yeoman and generator-burp-extension using npm (we assume you have pre-installed node.js).
npm install -g yo
npm install -g generator-burp-extension
Then generate your new project:
yo burp-extension

Burp Extension features
When you generate your plugin project, the generator will ask you which features should be included in your plugin. If you are familiar with Burp extension development, the feature names will be descriptive enough; if you are new to Burp extensions, here is a short description of what can be done with each feature.

Extension Tab GUI
A custom tab that will be added to Burp's UI. It is normally used to add some functionality (like the Logger++ extension) or just to let the user configure the extension.


Message Editor Tab GUI
A custom message editor tab that will be added to Burp's message editor UI (Repeater, Intruder, ...). It is normally used to provide some kind of custom editor/view functionality for request/response payloads. One example is the JSON Beautifier extension.


Context menu GUI
A custom context menu that will be added to Burp's UI nearly anywhere, shown on right click. Burp allows context menus in any of these situations:
  • Intruder attack results.
  • Intruder payload positions editor.
  • Request editor.
  • Response editor.
  • Non-editable request viewer.
  • Non-editable response viewer.
  • Proxy history.
  • Scanner results.
  • Search results window.
  • Target site map table.
  • Target site map tree.
A simple example of this functionality is the copy-as-python-requests extension, which copies a request as Python code (just an example).


HTTP Listener / Proxy Listener
The listener will be notified of requests and responses being processed by the Proxy tool (Proxy Listener) or made by any Burp tool (HTTP Listener). Extensions can perform custom analysis or modification of these messages.
In other words, a Proxy Listener intercepts the request coming from the browser to Burp and the response going from Burp back to the browser. An HTTP Listener intercepts outgoing requests from Burp to the web server and incoming responses coming from the web server.


A real-life example plugin using this feature is AutoRepeater.

Intruder payload generator
Extend Intruder payloads by adding custom generator capabilities. One possible use of this functionality would be generating random valid IBAN numbers. One real-life example is the Intruder file payload generator extension (I don't use it, it's just an example).


Intruder payload processor
Extend Intruder payloads by adding custom processor capabilities; one possible example would be performing AES encryption with a static key.


Scanner check
When performing scanning, Burp will ask the check to perform active or passive scanning on the base request, and report any Scanner issues that are identified.

Scanner insert point provider
When a request is actively scanned, the Scanner will invoke this, and the provider should provide a list of custom insertion points that will be used in the scan.

Session Handling action
Each registered action will be available within the session handling rule UI for the user to select as a rule action. Users can choose to invoke an action directly in its own right, or following execution of a macro.


Extension state listener
The listener will be notified when extension is unloaded from Burp. Note: Any extensions that start background threads or open system resources (such as files or database connections) should register a listener and terminate threads / close resources when the extension is unloaded.

Scanner Listener
The listener will be notified of new issues that are reported by the Scanner tool. Extensions can perform custom analysis or logging of Scanner issues by registering a Scanner listener.

Scope Change listener
The listener will be notified whenever a change occurs to Burp's suite-wide target scope.
Probably of little use, because Burp doesn't let you access the global scope definition.

Trade-offs
This section explains some decisions made in the development of the template.

Why Java and not Python/Ruby
First of all, I'm not a Java fan.
As you might know, Burp Suite allows you to develop extensions in three main languages: Java, Python and Ruby. Actually this is not entirely true: Burp allows you to develop in Jython and JRuby. The real problem is that when you use Jython or JRuby in a Burp extension you still need to think in Java (because it is Burp's main language), so in the end you will be developing in Python and Java, but with a lot of problems integrating your project with a real IDE, with autocompletion and that kind of modern thing.
Another good reason to use Java instead of Jython is that Jython is based on Python 2.7, and I'm not using JRuby because I don't like Ruby, that's all.

Everything is a Singleton
As you might notice, all implementations of a Burp interface follow a Singleton pattern; the main reason for this is completely subjective.
The thing is that Burp is a great tool, but it is a little obscure about its internals and probably a little messy. For example, Burp allows you to register multiple IHttpListeners, but you lose important decisions such as the order in which those listeners are called. This kind of situation, in my humble opinion, might obscure and complicate the understanding of a Burp extension and its code maintainability.
You can see each singleton class as a necessary connection point with Burp, which must be unique. From that point of connection you can control your code, applying any kind of object-oriented design.


Sshprank - A Fast SSH Mass-Scanner, Login Cracker And Banner Grabber Tool Using The Python-Masscan Module


A fast SSH mass-scanner, login cracker and banner grabber tool using the python-masscan module.

Usage
[ hacker@blackarch ~ ]$ sshprank -H
--==[ sshprank by nullsecurity.net ]==--

usage

sshprank <mode> [opts] | <misc>

modes

-h <host:[ports]> - single host to crack. multiple ports can be seperated
by comma, e.g.: 22,2022,22222 (default port: 22)

-l <file> - list of hosts to crack. format: <host>[:ports]. multiple
ports can be seperated by comma (default port: 22)

-m <opts> [-r <num>] - pass arbitrary masscan opts, portscan given hosts and
crack for logins. found sshd services will be saved to
'sshds.txt' in supported format for '-l' option and
even for '-b'. use '-r' for generating random ipv4
addresses rather than scanning given hosts. these
options are always on: '-sS -oX - --open'.
NOTE: if you intent to use the '--banner' option then
you need to specify '--source-ip <some_ipaddr>' which
is needed by masscan.

-b <file> - list of hosts to grab sshd banner from
format: <host>[:ports]. multiple ports can be
seperated by comma (default port: 22)

options

-r <num> - generate <num> random ipv4 addresses, check for open
sshd port and crack for login (only with -m option!)
-c <cmd> - execute this <cmd> on host if login was cracked
-u <user> - single username (default: root)
-U <file> - list of usernames
-p - single password (default: root)
-P <file> - list of passwords
-C <file> - list of user:pass combination
-x <num> - num threads for parallel host crack (default: 20)
-s <num> - num threads for parallel service crack (default: 10)
-X <num> - num threads for parallel login crack (default: 20)
-B <num> - num threads for parallel banner grabbing (default: 50)
-T <sec> - num sec for connect timeout (default: 2s)
-R <sec> - num sec for (banner) read timeout (default: 2s)
-o <file> - write found logins to file. format:
<host>:<port>:<user>:<pass> (default: owned.txt)
-e - exit after first login was found. continue with other
hosts instead (default: off)
-v - verbose mode. show found logins, sshds, etc.
(default: off)

misc

-H - print help
-V - print version information

examples

# crack targets from a given list with user admin, pw-list and 20 host-threads
$ ./sshprank -l sshds.txt -u admin -P /tmp/passlist.txt -x 20

# first scan then crack from founds ssh services
$ sudo ./sshprank -m '-p22,2022 --rate=5000 --source-ip 192.168.13.37 \
--range 192.168.13.1/24'

# generate 1k random ipv4 addresses, then port-scan (tcp/22 here) with 1k p/s
# and crack login 'root:root' on found sshds
$ sudo ./sshprank -m '-p22 --rate=1000' - r 1000 -v

# grab banners and output to file with format supported for '-l' option
$ ./sshprank -b hosts.txt > sshds2.txt
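The login cracking shown in the usage above leaves a characteristic trail on the target: a burst of "Failed password" lines from one source address, sometimes followed by an "Accepted password" line from the same address. The following added example is not part of sshprank; it is the defender's counterpart, a small detector that parses syslog-style sshd lines, counts failures per source inside a sliding time window, and reports sources that exceed a threshold together with any later successful login from the same source. SAMPLE_LOG is constructed and the threshold and window values are assumptions to tune per environment.

```python
"""Spot SSH password-guessing bursts in sshd auth log lines.

Added example, not part of sshprank: parses syslog-style sshd lines, counts
"Failed password" events per source address inside a sliding window, and
reports sources exceeding a threshold plus any later "Accepted password"
from the same source. SAMPLE_LOG is constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Any, Dict, Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<verdict>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: five guesses in eleven seconds followed by a successful
# root login from 192.0.2.10, and one mistyped-then-correct login by a user.
SAMPLE_LOG = """\
Mar  3 12:00:01 bastion sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Mar  3 12:00:04 bastion sshd[2203]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Mar  3 12:00:07 bastion sshd[2205]: Failed password for root from 192.0.2.10 port 40003 ssh2
Mar  3 12:00:09 bastion sshd[2207]: Failed password for root from 192.0.2.10 port 40004 ssh2
Mar  3 12:00:12 bastion sshd[2209]: Failed password for root from 192.0.2.10 port 40005 ssh2
Mar  3 12:00:15 bastion sshd[2211]: Connection closed by 192.0.2.10 port 40005 [preauth]
Mar  3 12:00:18 bastion sshd[2213]: Accepted password for root from 192.0.2.10 port 40006 ssh2
Mar  3 12:05:00 bastion sshd[2300]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 12:05:30 bastion sshd[2302]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Return the fields of a password-auth line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        # Syslog timestamps carry no year; ordering within one log is enough here.
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "verdict": m.group("verdict"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, Dict[str, Any]]:
    """Per source address: total failures, whether a burst was seen, accepted users."""
    recent: Dict[str, deque] = defaultdict(deque)   # failure timestamps in window
    report: Dict[str, Dict[str, Any]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        entry = report.setdefault(ev["ip"], {"failures": 0, "burst": False, "accepted": []})
        if ev["verdict"] == "Failed":
            entry["failures"] += 1
            window = recent[ev["ip"]]
            window.append(ev["ts"])
            # Drop failures older than the window, then test the threshold.
            while (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                entry["burst"] = True
        else:
            entry["accepted"].append(ev["user"])
    return report


def guessed_logins(report: Dict[str, Dict[str, Any]]) -> List[str]:
    """Sources that produced a burst and then logged in successfully."""
    return sorted(ip for ip, e in report.items() if e["burst"] and e["accepted"])


if __name__ == "__main__":
    result = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, entry in result.items():
        print(ip, entry)
    print("guessed logins from:", guessed_logins(result))
```

A successful login right after a burst is the event worth paging on; a burst alone is background noise on any internet-facing sshd, and the usual mitigations (key-only authentication, rate limiting with fail2ban or equivalent, restricting root login) remove the signal at its source.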

Author
noptrix

Notes
  • quick'n'dirty code
  • sshprank is already packaged and available for BlackArch Linux
  • My master-branches are always stable; dev-branches are created for current work.
  • All of my public stuff you find are officially announced and published via nullsecurity.net.

Disclaimer
We hereby emphasize, that the hacking related stuff found on nullsecurity.net are only for education purposes. We are not responsible for any damages. You are responsible for your own actions.


TorghostNG - Make All Your Internet Traffic Anonymized Through Tor Network


TorghostNG is a tool that makes all your internet traffic anonymized through the Tor network.
Rewritten from TorGhost with Python 3.
TorghostNG was tested on:
  • Kali Linux
  • Manjaro
  • ...

Before you use TorghostNG
  • For the good of the Tor network, BitTorrent traffic will be blocked by iptables. You can bypass this with some tweaks to your torrent client; it's difficult to completely block all torrent traffic.
  • For security reasons, TorghostNG is going to disable IPv6 to prevent IPv6 leaks (it happened to me lmao).

Installing TorghostNG
TorghostNG currently supports:
  • GNU/Linux distros based on Arch Linux
  • GNU/Linux distros based on Debian/Ubuntu
  • GNU/Linux distros based on Fedora, CentOS, RHEL, openSUSE
  • Solus OS
  • Alpine Linux
  • OpenWrt Linux
  • Void Linux
  • And the elder guy: Slackware
  • (Too much package managers for one day :v)
To install TorghostNG, open your terminal and enter these commands:
git clone https://github.com/githacktools/TorghostNG
cd TorghostNG
sudo python3 install.py
sudo torghostng
But on Slackware, you use sudo python3 torghostng.py to run TorghostNG :v

Help
TorghostNG 1.0 - Make all your internet traffic anonymized through TOR proxy
Rewritten from TorGhost with Python 3
usage: torghostng [-h] -s|-x|-id|-m|-c|-l|--list

OPTIONS:
-h, --help Show this help message and exit
-s, --start Start connecting to TOR
-x, --stop Stop connecting to TOR
-id COUNTRY ID Connect to TOR exit node of a specific country. Go to CountryCode.org to search country ID
-mac INTERFACE Randomly change MAC address. Use 'ifconfig' to show interface devices
-c, --checkip Check your current IP address
--nodelay Disable delay time
-l, --language Change the display language. English is the default
--list Show the available languages list
-u, --update Check for update
--dns Use this to fix DNS when website address can't be resolved
You can combine multiple choices at the same time, such as:
  • torghostng -s -m INTERFACE: Changing MAC address before connecting
  • torghostng -c -m INTERFACE: Checking IP address and changing MAC address
  • torghostng -s -x: Connecting to Tor and then stopping :v
  • ...

How to update TorghostNG
Open a terminal and type torghostng -u with sudo to update TorghostNG, but it will download the new TorghostNG to /root because you run it as root. If you don't like that, you can type git pull -f and sudo python3 install.py.

Notes before you use Tor
Tor can't make you completely anonymous, just almost:
It's recommended that you use NoScript before surfing the web with Tor. NoScript blocks JavaScript/Java/Flash scripts on websites to make sure they don't reveal your real identity.

And please
  • Don't spam or perform DoS attacks with Tor. It's not effective, you will only make Tor get hated and waste Tor's money.
  • Don't torrent over Tor. If you want to stay anonymous while torrenting, use a no-logs VPN please.
Bittorrent over Tor isn't a good idea
Not anonymous: attack reveals BitTorrent users on Tor network


Changes log
Version 1.1
  • Check your IPv6
  • Change all "TOR" to "Tor"
  • Block BitTorrent traffic
  • Auto disable IPv6 before connecting to Tor

Screenshots of Torghost (Version 1.0)
  • Changing MAC address: torghostng -m INTERFACE

  • Checking IP address: torghostng -c

  • Disconnecting from Tor: torghostng -x

  • Connecting to Tor exitnode in a specific country: torghostng -id COUNTRY ID

  • Uninstalling TorghostNG: python3 install.py


Contact to the coder

To-do lists
  • Block torrent, for you - Tor network
  • IPv6 (maybe?)
  • GUI version
  • Fix bug, improve TorghostNG (always)

And finally
You can help me by telling me if you find any bugs or issues. Thank you for using my tool


Nexphisher - Advanced Phishing Tool For Linux & Termux


NexPhisher is an automated phishing tool made for Termux & Linux. The phishing pages are taken from Zphisher under the GNU General Public License v3.0. This tool has 37 phishing page templates for 30 websites. There are 5 port forwarding options, including localhost! If you copy, then give me the credits!
[!] I am not responsible for any misuse of this tool. Use at your own risk [!]




[+] Installation :
  • apt update
  • apt install git -y
  • git clone https://github.com/htr-tech/nexphisher
  • cd nexphisher
  • bash setup

Run : bash nexphisher

Or use a single command:
apt update && apt install git -y && git clone https://github.com/htr-tech/nexphisher && cd nexphisher && bash setup && bash nexphisher

[+] Features :

[+] Latest Login Pages !
[+] New Instagram Auto Follower Page !
[+] New Port Forwarding Options !
[+] Perfect for All Devices !

[+] Credits :

[~] Some phishing pages are generated by DarksecDevelopers, UndeadSec, thelinuxchoice & suljot_gjoka

[+] Find Me on :

[~] Facebook
[~] Instagram
[~] Github


HiveJack - This Tool Can Be Used During Internal Penetration Testing To Dump Windows Credentials From An Already-Compromised Host


This tool can be used during internal penetration testing to dump Windows credentials from an already-compromised host. It allows one to dump the SYSTEM, SECURITY and SAM registry hives and, once they have been copied to the attacker's machine, provides an option to delete these files to clear the trace.
Often this is a repetitive process: once an attacker gets system-level access on the compromised host, dumping the hives is the next step. Time is very valuable when it comes to internal penetration testing. HiveJack will save you plenty of time when it comes to dumping and deleting the files.

You'll never have to remember the command to perform the actions. ;)


Files dumped in the c:\temp\ folder of the compromised host:


Files are successfully deleted from the compromised host upon clicking on the Delete Hives button:


Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral
A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.
Registry files have the following two formats:
  • Standard format: supported since Windows 2000 and also supported in later versions of Windows for backward compatibility
  • Latest format: supported starting with Windows XP
The standard format is used by HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE\SAM, HKEY_LOCAL_MACHINE\Security, and HKEY_USERS\.DEFAULT; all other hives use the latest format.
During an internal penetration test, the attacker often wants to move laterally from one host to another, which usually requires account credentials. Using HiveJack, the attacker can gather credentials from the system hives.
HiveJack is useful once the attacker has gained local admin or SYSTEM privileges on one of the compromised hosts. Dumping the registry hives allows the attacker to capture the password hashes of the system's users, which can then be used to gain further access within the network.
Once the registry hives have been dumped and pulled onto the attacking box, one can use a tool such as secretsdump, available here: https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py


Once the password hashes are obtained, this opens the door to a variety of attacks such as pass-the-hash, password spraying or password cracking to move laterally within the network.
When the hive files have been copied to the attacking machine, it is good practice to delete them from the temp folder to avoid leaking sensitive files and to clean up traces.

Quick Tip
It is good practice to check the C:\Windows\repair\ location to obtain the SAM and SYSTEM files, to avoid detection by EDR solutions. However, this directory contains outdated copies of the original C:\Windows\System32\config\ files, so it might not reflect the current users' credentials. Still, if the passwords are cracked it may be useful for learning password patterns such as Winter2020 or Summer2020.
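Whether a hive file is current, as the Quick Tip above discusses for the copies under C:\Windows\repair, is something the file itself records: every hive starts with a 512-byte base block that carries a "regf" signature, two sequence numbers (unequal when the hive was not cleanly flushed), a last-written FILETIME, the hive's file name and a checksum. The following added example is not HiveJack's code; it is a small forensic triage parser for that base block, following the public regf layout, and the sample hives it checks are constructed in build_base_block(). An incident responder can run the same parser over hives recovered during an investigation to confirm they are intact and to see how stale each one is.

```python
"""Triage a registry hive file by parsing its base block (first 512 bytes).

Added example, not HiveJack's code. The field layout follows the public regf
base block format; SAMPLE_CLEAN and SAMPLE_DIRTY are constructed sample hives
(header only, no hive bins follow), and REFERENCE_DATE is an assumed "now".
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
REFERENCE_DATE = datetime(2020, 7, 15, tzinfo=timezone.utc)  # assumed analysis date


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum field, with regf's two special cases."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if acc == 0:
        return 1
    return acc


def parse_base_block(data: bytes) -> Dict[str, Any]:
    """Decode the fields an analyst needs; raises ValueError if this is not a hive."""
    if len(data) < 0x200:
        raise ValueError("file too short to hold a base block")
    block = data[:0x200]
    if block[:4] != b"regf":
        raise ValueError("missing regf signature")
    # Offsets 0x04..0x30: sequence numbers, last-written FILETIME, version,
    # file type (0 = primary), format, root cell offset, bins size, cluster.
    (primary, secondary, last_written, major, minor, file_type,
     _file_format, root_offset, bins_size, _cluster) = struct.unpack_from("<IIQIIIIIII", block, 4)
    stored_checksum = struct.unpack_from("<I", block, 0x1FC)[0]
    raw_name = block[0x30:0x70].decode("utf-16-le", errors="replace")
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "dirty": primary != secondary,          # unflushed transaction log pending
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "primary_file": file_type == 0,
        "root_cell_offset": root_offset,
        "hive_bins_size": bins_size,
        "file_name": raw_name.split("\x00", 1)[0],
        "checksum_ok": stored_checksum == base_block_checksum(block),
    }


def is_valid_hive(data: bytes) -> bool:
    """True when the file carries a regf signature and an intact base block checksum."""
    try:
        return bool(parse_base_block(data)["checksum_ok"])
    except ValueError:
        return False


def age_days(info: Dict[str, Any], reference: datetime = REFERENCE_DATE) -> int:
    """How stale the hive is relative to the analysis date (see the repair-folder tip)."""
    return (reference - info["last_written"]).days


def build_base_block(primary: int, secondary: int, last_written: datetime, name: str) -> bytes:
    """Construct a synthetic base block for testing (sample data only)."""
    block = bytearray(0x200)
    block[0:4] = b"regf"
    struct.pack_into("<IIQIIIIIII", block, 4, primary, secondary,
                     datetime_to_filetime(last_written), 1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]
    block[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", block, 0x1FC, base_block_checksum(bytes(block)))
    return bytes(block)


SAMPLE_CLEAN = build_base_block(7, 7, datetime(2020, 6, 15, tzinfo=timezone.utc), "SYSTEM")
SAMPLE_DIRTY = build_base_block(9, 8, datetime(2020, 6, 15, tzinfo=timezone.utc), "SAM")

if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_DIRTY):
        info = parse_base_block(sample)
        print(info["file_name"], "dirty" if info["dirty"] else "clean",
              f"last written {info['last_written']:%Y-%m-%d}, {age_days(info)} days old")
```

A dirty hive is not necessarily corrupt: the pending changes live in the .LOG1/.LOG2 transaction files next to it, which is why a triage copy should include those files rather than the primary alone.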

How do I use this?
Method 1:
Use a HiveJack.exe file from the release section (https://github.com/Viralmaniar/HiveJack/releases/download/v1.0/HiveJack.exe) and run it on the compromised host. The hives will get stored at the c:\temp\ folder.
Method 2:
Open the solution using Visual Studio and look at the code to build the solution.
Note: Please make sure you have a temp folder in the 'C:' Drive of the compromised host before dumping the registry hives.

Questions?
Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Contribution & License
MIT License
Copyright (c) 2020 Viral Maniar
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral@PreemptiveCyber


PowerSploit - A PowerShell Post-Exploitation Framework


PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:

CodeExecution
Execute code on a target machine.

Invoke-DllInjection
Injects a Dll into the process ID of your choosing.

Invoke-ReflectivePEInjection
Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.

Invoke-Shellcode
Injects shellcode into the process ID of your choosing or within PowerShell locally.

Invoke-WmiCommand
Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.

ScriptModification
Modify and/or prepare scripts for execution on a compromised machine.

Out-EncodedCommand
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

Out-CompressedDll
Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

Out-EncryptedScript
Encrypts text files/scripts.

Remove-Comments
Strips comments and extra whitespace from a script.

Persistence
Add persistence capabilities to a PowerShell script

New-UserPersistenceOption
Configure user-level persistence options for the Add-Persistence function.

New-ElevatedPersistenceOption
Configure elevated persistence options for the Add-Persistence function.

Add-Persistence
Add persistence capabilities to a script.

Install-SSP
Installs a security support provider (SSP) dll.

Get-SecurityPackages
Enumerates all loaded security packages (SSPs).

AntivirusBypass
AV doesn't stand a chance against PowerShell!

Find-AVSignature
Locates single Byte AV signatures utilizing the same method as DSplit from "class101".

Exfiltration
All your data belong to me!

Invoke-TokenManipulation
Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread.

Invoke-CredentialInjection
Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).

Invoke-NinjaCopy
Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.

Invoke-Mimikatz
Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.

Get-Keystrokes
Logs keys pressed, time and the active window.

Get-GPPPassword
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

Get-GPPAutologon
Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.

Get-TimedScreenshot
A function that takes screenshots at a regular interval and saves them to a folder.

New-VolumeShadowCopy
Creates a new volume shadow copy.

Get-VolumeShadowCopy
Lists the device paths of all local volume shadow copies.

Mount-VolumeShadowCopy
Mounts a volume shadow copy.

Remove-VolumeShadowCopy
Deletes a volume shadow copy.

Get-VaultCredential
Displays Windows vault credential objects including cleartext web credentials.

Out-Minidump
Generates a full-memory minidump of a process.

Get-MicrophoneAudio
Records audio from the system microphone and saves it to disk.

Mayhem
Cause general mayhem with PowerShell.

Set-MasterBootRecord
Proof of concept code that overwrites the master boot record with the message of your choice.

Set-CriticalProcess
Causes your machine to blue screen upon exiting PowerShell.

Privesc
Tools to help with escalating privileges on a target.

PowerUp
Clearing house of common privilege escalation checks, along with some weaponization vectors.

Recon
Tools to aid in the reconnaissance phase of a penetration test.

Invoke-Portscan
Does a simple port scan using regular sockets, based (pretty) loosely on nmap.

Get-HttpStatus
Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.

Invoke-ReverseDnsLookup
Scans an IP address range for DNS PTR records.

PowerView
PowerView is a series of functions that perform network and Windows domain enumeration and exploitation.

Recon\Dictionaries
A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.

Usage
Refer to the comment-based help in each individual script for detailed usage information.
To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
To use the module, type Import-Module PowerSploit
To see the commands imported, type Get-Command -Module PowerSploit
If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner: $Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} }
For help on each individual command, Get-Help is your friend.
Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.

Contribution Rules
We need contributions! If you have a great idea for PowerSploit, we'd love to add it. New additions will require the following:
  • The script must adhere to the style guide. Any exceptions to the guide line would need an explicit, valid reason.
  • The module manifest needs to be updated to reflect the new function being added.
  • A brief description of the function should be added to this README.md
  • Pester tests must accompany all new functions. See the Tests folder for examples, but we are looking for tests that at least cover the basics by testing for expected/unexpected input/output and that the function exhibits the desired functionality. Make sure the function is passing all tests (preferably on multiple OSes) prior to submitting a pull request. Thanks!

Script Style Guide
For all contributors and future contributors to PowerSploit, I ask that you follow this style guide when writing your scripts/modules.
  • Avoid Write-Host at all costs. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles:
  • If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'.
  • Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license).
  • Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis.
  • I prefer that variable names be capitalized and be as descriptive as possible.
  • Provide logical spacing in between your code. Indent your code to make it more readable.
  • If you find yourself repeating code, write a function.
  • Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error.
  • If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible.
  • Do not use hardcoded paths. A script should be useable right out of the box. No one should have to modify the code unless they want to.
  • PowerShell v2 compatibility is highly desired.
  • Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following:
    • [Parameter(Position = 0, Mandatory = $True)]
  • Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias.
  • Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break.
  • Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader.
  • Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement.
  • Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters.
  • If a script creates complex custom objects, include a ps1xml file that will properly format the object's output.



How to Set Up a VPN on Kodi in 2 Minutes or Less


VPNs are useful for masking your identity when online. Without a VPN, you run the risk of having your data exposed to your Internet Service Provider (ISP). This is something that you should think about since your ISP has access to all of your data, including the streaming data from your streaming activities. In addition, depending on where you live, your ISP may even be able to sell your data to third parties for a profit. This is certainly the case in the US. In addition, VPNs can prevent hackers from hijacking your internet connection. 

VPNs can also give you access to geographically restricted content. Using a VPN with streaming services is wise since some ISPs are known to throttle streaming activities. By using a VPN, you can enjoy streaming content without intervention by your ISP. One such streaming service is Kodi which we will explore further below.

What is Kodi?

Kodi is an open-source media player which has lots of features. It lets users play audio and video from local and online sources. It can also be installed on a variety of different devices. It can be installed on Android devices, iOS devices, Mac computers, Windows computers, and even Linux computers. You can see a more complete list of devices that the software is compatible with on the official Kodi website.

If you are streaming content from Kodi, you should install a VPN. It will protect you while you stream. Luckily, setting up a VPN isn’t difficult and we’ll show you how to set up a VPN quickly for your Kodi usage. 

Installing a VPN on Kodi in 2 Minutes or Less

There are a few ways to install a VPN on Kodi but we’ll cover 2 of the simpler options. You have the choice of running your VPN from directly within Kodi, or you can install it directly on the machine you are running Kodi on. We will cover both methods.

Installing a VPN Directly On Kodi 

To install a VPN directly on Kodi, you will need to install the Zomboided VPN Manager plugin. For this addon to work, you will need to be subscribed to a VPN service. There are several VPN services out there so find the best one for you and subscribe based on your preferences if you haven’t already.

To get set up with the VPN Manager, you will first need to head to the Zomboided Repo page and download the latest version of the Zomboided repository. It will be named repository.zomboided.plugins-X.X.X.zip.

You can then install this zip file in Kodi. Open Kodi, head to the Add-ons menu, and click on the icon that looks like an open box. Then select Install from zip file. From there, you can navigate to the zip file you downloaded. Select it and install it. Now, head back to the main menu that you are directed to after clicking on the open box icon. 

From there, choose Install from the repository. Select Zomboided Add-on Repository. Select Services and then you will see VPN Manager for Open VPN at the top of the list. Select it and install it. After installation, open the addon. You can then enter the relevant details for your VPN provider. Make sure you run through all of the configuration options in the addon. This will vary depending on your VPN provider. After configuring the plugin, you will be protected by your VPN while using Kodi.

Installing Kodi Using a VPN App

VPN providers usually provide apps for a wide range of platforms. You can also protect yourself with a VPN while using Kodi by using the app that corresponds to the operating system of the machine you’re running Kodi on. 

Final Thoughts

You need to protect yourself while streaming online with Kodi. You can do this by either using a plugin from directly within Kodi, or you can use an app that runs on the machine you have Kodi installed on. Pick the option that suits you best and stream safely with Kodi. 


Powerob - An On-The-Fly Powershell Script Obfuscator Meant For Red Team Engagements


An on-the-fly Powershell script obfuscator meant for red team engagements. Built out of necessity.

Installation
git clone https://github.com/cwolff411/powerob

Usage
python3 powerob.py obfuscate originalfile.ps1 obfuscatedfile.ps1
Takes INPUTFILE, obfuscates it and dumps the obfuscated version into OUTPUTFILE.
python3 powerob.py list
Lists all of the currently obfuscated files along with their commands and associated obfuscated commands.
python3 powerob.py getcommand Invoke-AllChecks
On-the-fly reference for when you forget: takes the original command name and displays the obfuscated command name to be used in PowerShell.
python3 powerob.py cleardb
Maintenance function to clear the db of past obfuscated files and functions.

About
This was built out of the need to bypass endpoint security on a recent engagement. During priv esc attempts I could not download PowerUp.ps1 until it was obfuscated.
This is v1. It obfuscates the functions only and I will enhance the functionality as time allows. Pull requests and collaboration welcomed.
I work at Layer 8 Security. Come say hi.

License
MIT License


Shellerator - Simple CLI Tool For The Generation Of Bind And Reverse Shells In Multiple Languages


Shellerator is a simple command-line tool aimed at helping pentesters quickly generate one-liner reverse/bind shells in multiple languages (Bash, Powershell, Java, Python...). This project is inspired by Print-My-Shell. I just rewrote it and added some options and glitter to it. The lists of reverse and bind shells are not perfect yet. I'll work on this when I have the time to. I'll be happy to review pull requests too :)

Install
The install is pretty simple, just clone this git and install the requirements.
git clone https://github.com/ShutdownRepo/shellerator
pip3 install --user -r requirements.txt

Usage
Usage is dead simple too.
usage: shellerator.py [-h] [-b | -r] [-t TYPE] [-p LPORT] [-i LHOST]

Generate a bind/reverse shell

optional arguments:
-h, --help show this help message and exit
-l, --list Print all the types of shells shellerator can generate
-b, --bind-shell Generate a bind shell (you connect to the target)
-r, --reverse-shell Generate a reverse shell (the target connects to you)(Default)

Bind shell options:
-t TYPE, --type TYPE Type of the shell to generate (Bash, Powershell, Java...)
-p LPORT, --port LPORT Listener Port

Reverse shell options:
-t TYPE, --type TYPE Type of the shell to generate (Bash, Powershell, Java...)
-i LHOST, --ip LHOST Listener IP address
-p LPORT, --port LPORT Listener Port

Without CLI menus
If you already know what type of shell you want to generate and don't have time to select the language in the beautiful CLI menu, you can set it with the appropriate -t (or --type) option.
python3 shellerator.py [-r | -b] -t/--type bash -i/--ip 192.168.56.1 -p/--port 1337


To-Do List

Things to add
Here are some things to add that I have in mind, I'll work on that asap
  • Add bindshells
  • Add encrypted shells and separate them from bind/rev ?
  • Add some kind of option to help user get info on how to improve shell/tty (rlwrap, stty, ConPty (cf. PayloadsAllTheThings))

Sources
Shells mostly come from the following links


GDBFrontend - An Easy, Flexible And Extensionable GUI Debugger


GDBFrontend is an easy, flexible and extensible GUI debugger.

Installing

Deb Package (Debian / Ubuntu / KDE Neon)
You can install GDBFrontend via a deb package on Debian-based distributions.
You can install it with the following commands:
echo "deb [trusted=yes] https://oguzhaneroglu.com/deb/ ./" | sudo tee -a /etc/apt/sources.list > /dev/null
sudo apt update
sudo apt install gdbfrontend
After installing with APT, you will get new releases as part of the regular APT upgrade.
You can upgrade with the following commands:
sudo apt update
sudo apt upgrade gdbfrontend
and you can run it:
gdbfrontend

Running From GIT
You can download the latest source and run it directly.

Requirements
  • GDB >= 8.2 (with Python 3 support)
  • python3
  • tmux
You can run gdb-frontend with the following commands:
git clone https://github.com/rohanrhu/gdb-frontend.git gdb-frontend
cd gdb-frontend
./gdbfrontend
and you can open it with:
http://127.0.0.1:5551/terminal/
or without terminal:
http://127.0.0.1:5551/
You can open GDB shell with the command:
tmux a -t gdb-frontend

Flatpak
Flatpak package is a TODO.

./gdbfrontend
$ gdbfrontend --help
GDBFrontend is a easy, flexible and extensionable gui debugger.

Options:
--help, -h: Shows this help message.
--version, -v: Shows version.
--gdb-executable=PATH, -g PATH: Specifies GDB executable path (Default is "gdb" command on PATH environment variable.)
--tmux-executable=PATH, -tmux PATH: Specifies Tmux executable path (Default is "tmux" command on PATH environment variable.)
--terminal-id=NAME, -t NAME: Specifies tmux terminal identifier name (Default is "gdb-frontend".)
--listen=IP, -l IP: Specifies listen address for HTTP and WS servers.
--port=PORT, -p PORT: Specifies port range for three ports to (Gotty: PORT, HTTP: PORT+1, WS: PORT+2).
--http-port=PORT: Specifies HTTP server port.
--server-port=PORT: Specifies WS server port.
--gotty-port=PORT: Specifies Gotty server port.
--readonly, -r: Makes code editor readonly. (Notice: This option is not related to security.)
--verbose, -V: Enables verbose output.

Options

--help, -h
Shows help text.

--version, -v
Shows version.

--gdb-executable=PATH, -g PATH
You can specify GDB executable path like gdbfrontend --gdb-executable=/path/to/gdb. (Optional)

--tmux-executable=PATH, -tmux PATH
You can specify Tmux executable path like gdbfrontend --tmux-executable=/path/to/tmux. (Optional)

--terminal-id=NAME, -t NAME
You can specify Tmux terminal id like gdbfrontend --terminal-id=terminal-name. (Default: gdb-frontend)

--listen=IP, -l IP
Specifies listen address for HTTP and WS servers.

--port=PORT, -p PORT
Specifies port range for three ports to (Gotty: PORT, HTTP: PORT+1, WS: PORT+2).

--http-port=PORT
Specifies HTTP server port.

--server-port=PORT
Specifies WS server port.

--gotty-port=PORT
Specifies Gotty server port.

--readonly, -r
Makes code editor readonly. (Notice: This option is not related to security.)

--verbose, -V
Enables verbose output.

Troubleshooting

Zombie Processes
Sometimes GDB and gdb-frontend may not be closed correctly. In this case, you can terminate the gdb-frontend tmux session:
tmux kill-session -t gdb-frontend

GDB-Related Issues and Tips
  • GDB does not provide the sources of a linked object until a line that calls a function from that object has been stepped once. Set a breakpoint on such a line and step it once; from then on you will see the linked object's sources for the rest of the session.

Windows
In fact, gdb-frontend is able to run on Windows, but there are some serious issues in the Windows build of GDB that prevent using gdb-frontend there. You can, of course, use gdb-frontend on WSL if you are using Windows 10.

Issues about Windows-GDB
  • GDB's main thread is blocked while the debuggee is running. (gdb-frontend has an interrupting mechanism to work around this, but it is not enough yet.)
  • The Windows-GDB prompt is blocked while the debuggee is running, and there are some issues with interrupting the application.
  • The current release of Windows-GDB ships with Python 2. The new GDB 9 has Python 3, but it is not released yet.

WSL
You can use gdb-frontend on WSL (Windows Subsystem for Linux).

Documentation
Documentation is still a TODO.

API Documentation
API documentation is still a TODO.

Plugin Development
You can read the Plugin Development Tutorial.

Contributing
You can contribute by committing to the project or by developing a plugin. All commits are welcome.


Exegol - Exegol Is A Kali Light Base With A Few Useful Additional Tools And Some Basic Configuration


Exegol is a fully configured kali light base with a few useful additional tools (~50), a few useful resources (scripts and binaries for privesc, credential theft etc.) and some configuration (oh-my-zsh, history, aliases, colourized output for some tools). It can be used in pentest engagements and BugBounty. Exegol's original fate was to be a ready-to-hack docker in case of emergencies during engagements. It is now an environment my team and I use in day to day engagements.

Quick start
The project is on Docker Hub, you don't need to clone this git.
  1. First set the following aliases in your bashrc/zshrc/whateverrc.
alias exegol-update='docker pull nwodtuhs/exegol'
alias exegol-build='docker build --tag nwodtuhs/exegol /PATH/TO/Exegol/'
alias exegol-run='docker run --interactive --tty --detach --network host --volume /PATH/TO/Exegol/shared-volume:/share --name exegol nwodtuhs/exegol'
alias exegol-shell='docker exec -it exegol zsh'
alias exegol-stop='docker stop exegol && docker rm exegol'
  2. Then pull: docker pull nwodtuhs/exegol
  3. Then run the docker and get a shell: exegol-run && exegol-shell
  4. Stop it when you're done: exegol-stop

Pre-requisites
Docker is needed here if you want to run Exegol in a docker (intended). You can also use the install.sh in order to deploy Exegol elsewhere but I don't guarantee it'll work. (That being said I don't guarantee anything bro)
Need a quick install of docker & docker-compose? Check this out (intended for kali users but I guess it could work on any other Debian based system)
sudo apt-get install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io
sudo curl -L "https://github.com/docker/compose/releases/download/1.25.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
sudo curl -L https://raw.githubusercontent.com/docker/compose/1.25.3/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
sudo groupadd docker
sudo usermod -aG docker $USER

Install (from Docker Hub)
The pull can take a while; pull Exegol before you need it.
docker pull nwodtuhs/exegol

Install (from GitHub)
The build can take a while; build Exegol before you need it.
git clone https://github.com/ShutdownRepo/Exegol
cd Exegol
docker build --tag exegol .

Usage
I personally use these aliases to go fast (very fast)
alias exegol-update='docker pull nwodtuhs/exegol'
alias exegol-build='docker build --tag nwodtuhs/exegol /PATH/TO/Exegol/'
alias exegol-run='docker run --interactive --tty --detach --network host --volume /PATH/TO/Exegol/shared-volume:/share --name exegol nwodtuhs/exegol'
alias exegol-shell='docker exec -it exegol zsh'
alias exegol-stop='docker stop exegol && docker rm exegol'
  • Update the docker : exegol-update
  • Run the docker : exegol-run
  • Get a shell when exegol is up and running (it is possible to pop multiple shells) : exegol-shell
  • Stop exegol : exegol-stop

Tools
The tools installed in Exegol are mostly installed from sources in order to have the latest version when deploying Exegol. Some of the tools can be found in a complete kali install though. Some installs are made with go, pip, apt, gem etc. The installs are not perfect but hey, it works! You will find most of the tools in /opt/tools. Some of the tools:

Useful resources
In addition to the many tools pre-installed (and configured, for some of them), you will find many useful pre-fetched resources like scripts and binaries in /opt/resources. There are some pre-EoP enumeration scripts (EoP: Escalation of Privileges) and other useful binaries like Rubeus or mimikatz.

To-Do List

Things to add
Here are some things to add that I have in mind, I'll work on that asap
  • is it possible to use Wifi and Bluetooth??
  • add pre-compiled (obfuscated too?) binaries for x64/x86 Windows (Rubeus, JuicyPotato...)

Small issues to correct
  • Check that lsassy and shellerator no longer have requirement issues
  • Issue with dementor and grc, output is not printed unless the process has ended...
  • Check that darkarmour works flawlessly
  • SSRFMap includes resources with relative path

Credits & thanks
Credits and thanks go to every infosec addict who contributes and shares, but most specifically to @th1b4ud for the base "Kali Linux in 3 seconds with Docker".


PayloadsAllTheThings - A List Of Useful Payloads And Bypass For Web Application Security And Pentest/CTF


A list of useful payloads and bypasses for Web Application Security. Feel free to improve it with your payloads and techniques!

Every section contains the following files; you can use the _template_vuln folder to create a new chapter:
  • README.md - vulnerability description and how to exploit it
  • Intruder - a set of files to give to Burp Intruder
  • Images - pictures for the README.md
  • Files - some files referenced in the README.md

You might also like the Methodology and Resources folder.
Want more? Check the Books and Youtube videos selections.


Catchyou - FUD Win32 Msfvenom Payload Generator


Fully Undetectable Win32 MSFVenom Payload Generator (meterpreter/shell reverse tcp)


Author: github.com/thelinuxchoice/catchyou
Twitter: twitter.com/linux_choice

Please, don't upload to VirusTotal! Use https://antiscan.me

Features:
  • Fully Undetectable Win32 MSFVenom Payload (meterpreter/shell reverse tcp)
  • Port Forwarding using ngrok
  • Tested: Win7/Win10

Requirements:
  • Metasploit/MSFVenom
  • mingw-w64: apt-get install mingw-w64

Forwarding requirements:

Legal disclaimer:
Usage of CatchYou for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Usage:
git clone https://github.com/thelinuxchoice/catchyou
cd catchyou
bash catchyou.sh



Wifipumpkin3 - Powerful Framework For Rogue Access Point Attack


wifipumpkin3 is a powerful framework for rogue access point attacks, written in Python, that allows security researchers, red teamers and reverse engineers to mount a wireless network in order to conduct a man-in-the-middle attack.

Main Features
  • Rogue access point attack
  • Man-in-the-middle attack
  • Rogue Dns Server
  • Captive portal attack (captiveflask)
  • Intercept, inspect, modify and replay web traffic
  • WiFi networks scanning
  • DNS monitoring service
  • Credentials harvesting
  • Transparent Proxies
  • LLMNR, NBT-NS and MDNS poisoner (Responder3)
  • and more!

Supported platforms
  • Python: you need Python 3.7 or later to run Wp3.
    • NOTE: Wp3 requires hostapd to be installed.
  • Operating System:
    • a recent version of Linux (we tested on Ubuntu 18.04 LTS);
    • please note: Windows is not supported.

Installation & Documentation
Learn more about using wp3 on the official site!

Community
On Discord: https://discord.gg/jywYskR


Threadtear - Multifunctional Java Deobfuscation Tool Suite

Threadtear is a multifunctional deobfuscation tool for Java, suited to code analysis without worrying too much about obfuscation. Even the most expensive obfuscators, such as ZKM and Stringer, are covered. It also contains older deobfuscation tools from my github account, and it can be useful for other things too: insert debug line numbers to better understand where exceptions originate, or add .printStackTrace() to try/catch blocks without re-compiling your code. Reverse compatibility is also not a problem anymore (of course only when no version-specific methods are used).

Executions
An "execution" is a task that is executed and modifies all loaded class files. There are multiple types of executions, varying from bytecode cleanup to string deobfuscation. Make sure to run them in the right order. Cleanup executions, for example, should usually run last, but they can also help other executions if run first.

Warning
Use this tool at your own risk. Some executions use custom ClassLoaders to run code from the jar file, so an attacker could tweak the file so that malicious code is executed on your machine. Affected executions use the class me.nov.threadtear.asm.vm.VM. These are mostly used for decrypting strings or for resource / access obfuscation.

How to compile
First, run gradle build, then gradle fatJar. In builds/libs a runnable jar file should then have been created.

Make your own execution
You can easily create your own execution task. Just extend me.nov.threadtear.execution.Execution:
public class MyExecution extends Execution {
    public MyExecution() {
        super(ExecutionCategory.CLEANING /* category */, "My execution" /* name */,
              "Executes something" /* description, can use html */);
    }

    /**
     * This method is invoked when the user clicks on the Run button
     * @return true if success, false if failure
     */
    @Override
    public boolean execute(Map<String, Clazz> classes, boolean verbose) {
        classes.values().stream().map(c -> c.node).forEach(c -> {
            //transform the classes here using the tree-API of ASM
        });
        return false;
    }
}
To load ClassNodes at runtime, use the me.nov.threadtear.asm.vm.VM class and implement me.nov.threadtear.asm.vm.IVMReferenceHandler:
public class MyExecution extends Execution implements IVMReferenceHandler {
    // keep the loaded classes so that tryClassLoad() can resolve references for the VM
    private Map<String, Clazz> classes;

    public MyExecution() {
        super(ExecutionCategory.GENERIC, "My execution", "Loads ClassNodes at runtime");
    }

    @Override
    public boolean execute(Map<String, Clazz> classes, boolean verbose) {
        this.classes = classes;
        classes.values().stream().map(c -> c.node).forEach(c -> {
            VM vm = VM.constructVM(this);
            //transform bytecode to java.lang.Class
            Class<?> loadedClass = vm.loadClass(c.name.replace('/', '.'), true);
            //do stuff with your class here (remember: this runs code from the jar, see Warning)
            loadedClass.getMethods()[0].invoke(...);
        });
        return true;
    }

    /**
     * Will get invoked by VM, when VM.loadClass is called
     */
    @Override
    public ClassNode tryClassLoad(String name) {
        //try to find the class to be loaded in the open jar archive
        return classes.containsKey(name) ? classes.get(name).node : null;
    }
}
Using the ConstantTracker (me.nov.threadtear.analysis.stack.ConstantTracker) you can analyze methods and keep track of non-variable stack values. If for example iconst_0 is pushed to the stack, the value itself isn't lost like in the basic ASM analyzer, and you can use it to predict things later on in the code.
import java.util.List;
import java.util.Map;

import org.objectweb.asm.tree.AbstractInsnNode;
import org.objectweb.asm.tree.ClassNode;
import org.objectweb.asm.tree.InsnList;
import org.objectweb.asm.tree.LabelNode;
import org.objectweb.asm.tree.analysis.Analyzer;
import org.objectweb.asm.tree.analysis.AnalyzerException;
import org.objectweb.asm.tree.analysis.BasicValue;
import org.objectweb.asm.tree.analysis.Frame;

import me.nov.threadtear.analysis.stack.ConstantTracker;
// ConstantValue, IConstantReferenceHandler, Instructions, Access, Clazz, Execution and
// ExecutionCategory are Threadtear's own types; import them from the project's packages.

public class MyExecution extends Execution implements IConstantReferenceHandler {
    public MyExecution() {
        super(ExecutionCategory.GENERIC, "My execution", "Performs stack analysis and replaces code.");
    }

    @Override
    public boolean execute(Map<String, Clazz> classes, boolean verbose) {
        classes.values().stream().map(c -> c.node).forEach(this::analyzeAndRewrite);
        return true;
    }

    public void analyzeAndRewrite(ClassNode cn) {
        cn.methods.forEach(m -> {
            // this analyzer keeps known stack values, e.g. can be useful for jump prediction
            Analyzer<ConstantValue> a = new Analyzer<ConstantValue>(
                    new ConstantTracker(this, Access.isStatic(m.access), m.maxLocals, m.desc, new Object[0]));
            try {
                a.analyze(cn.name, m);
            } catch (AnalyzerException e) {
                logger.severe("Failed stack analysis in " + cn.name + "." + m.name + ":" + e.getMessage());
                return;
            }
            Frame<ConstantValue>[] frames = a.getFrames();
            InsnList rewrittenCode = new InsnList();
            Map<LabelNode, LabelNode> labels = Instructions.cloneLabels(m.instructions);

            // rewrite method instructions
            for (int i = 0; i < m.instructions.size(); i++) {
                AbstractInsnNode ain = m.instructions.get(i);
                Frame<ConstantValue> frame = frames[i];
                // replace / modify instructions, etc...
                // frames[i] is null for unreachable instructions (common in obfuscated code), so check it
                if (frame != null && frame.getStackSize() > 0) {
                    ConstantValue top = frame.getStack(frame.getStackSize() - 1);
                    if (top.isKnown() && top.isInteger()) {
                        int knownTopStackValue = top.getInteger();
                        // use the known stack to remove jumps, simplify code, etc...
                        // if(...) { rewrittenCode.add(...); }
                        continue;
                    }
                }
                rewrittenCode.add(ain.clone(labels));
            }
            // update instructions and fix try catch blocks, local variables, etc...
            Instructions.updateInstructions(m, labels, rewrittenCode);
        });
    }

    /**
     * Use this method to predict stack values if fields are loaded
     */
    @Override
    public Object getFieldValueOrNull(BasicValue v, String owner, String name, String desc) {
        return null;
    }

    /**
     * Use this method to predict stack values if methods are invoked on known objects
     */
    @Override
    public Object getMethodReturnOrNull(BasicValue v, String owner, String name, String desc, List<? extends ConstantValue> values) {
        if (name.equals("toCharArray") && owner.equals("java/lang/String")) {
            if (!values.get(0).isKnown()) {
                // invocation target is not known, we can't compute the return
                return null;
            }
            return ((String) values.get(0).getValue()).toCharArray();
        }
        return null;
    }
}
Don't forget to add your execution to the tree in me.nov.threadtear.swing.component.dialog.ExecutionSelection!

Tips & Tricks
There are some tricks that can help you identify and deobfuscate jar files successfully. Before running executions, decompile the code to find out what needs to be used. You can use the implemented decompiler for that.

Deobfuscation order
The best order for deobfuscation is generic executions > access deobfuscation > string deobfuscation > cleaning executions.

Identification
Obfuscators exhibit patterns that you can use to identify them. The easiest way to identify an obfuscator is to skim the META-INF/MANIFEST.MF file. It may contain an Obfuscated-By: XXX or Protected-By: XXX attribute.

ZKM
Extremely (flow-) obfuscated code, often recognizable by a string decryption method in the static initializer containing switches, or by string decryption methods with a very long switch block (about 250 cases). ZKM is one of the best obfuscators for Java, and also very expensive.


Stringer
If your jar file contains some special classes with huge decryption algorithms that are used by string obfuscation and access obfuscation, it's probably Stringer. If your file was obfuscated with multiple obfuscators, and Stringer is one of them, you should begin your deobfuscation with Stringer, as Stringer obfuscation cannot be overwritten. Stringer is also very protective and one of the most expensive obfuscators. Unlike normal obfuscators it does not come with name obfuscation; it is rather used as a "second layer". Probably 90% of people that use this obfuscator are using a crack.

Allatori
Class names like IiIlIlIiIl or aUx, cOn, PrX indicate Allatori obfuscation. Allatori is very common, because it offers a free demo that is accessible within a few clicks. The obfuscation is not that hard to reverse.
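A small analyst-side triage helper for the identification tips above, written for this page as an added example (it is not Threadtear code): it reads META-INF/MANIFEST.MF from a jar for the Obfuscated-By / Protected-By attributes named above, then falls back to the Allatori-style class-name patterns (IiIlIlIiIl, aUx, cOn, PrX). The jars it inspects are constructed in memory; the regexes and the three-hit threshold are my own heuristics, not Threadtear's logic.

```python
import io
import re
import zipfile

# Manifest attributes some obfuscators leave behind (the two named in the text).
MANIFEST_MARKERS = ("Obfuscated-By", "Protected-By")

# Allatori-style names (constructed heuristics, not Threadtear's own detection):
# long runs built only from I / i / l, or three-letter names such as aUx, cOn, PrX.
ALLATORI_IL_RE = re.compile(r"^[Iil]{4,}$")
ALLATORI_SHORT_RE = re.compile(r"^(?:[a-z][A-Z][a-z]|[A-Z][a-z][A-Z])$")
# Minimum number of matching class names before the jar is flagged (assumption).
ALLATORI_MIN_HITS = 3


def parse_manifest(text):
    """Parse the main section of a MANIFEST.MF into a dict.

    Values longer than 72 bytes are wrapped onto continuation lines that start
    with a single space; those are re-joined here. Per-entry sections after the
    first blank line are ignored, since the markers live in the main section.
    """
    attrs = {}
    key = None
    for raw in text.splitlines():
        if raw.strip() == "":
            break
        if raw.startswith(" ") and key is not None:
            attrs[key] += raw[1:]
            continue
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        attrs[key] = value.strip()
    return attrs


def class_simple_names(zf):
    """Return the simple (package-less, outer-class-less) names of all .class entries."""
    names = []
    for info in zf.infolist():
        if not info.filename.endswith(".class"):
            continue
        simple = info.filename.rsplit("/", 1)[-1][: -len(".class")]
        names.append(simple.rsplit("$", 1)[-1])  # inner classes: keep the part after '$'
    return names


def identify_obfuscator(jar_bytes):
    """Inspect a jar (given as bytes) and return the evidence found plus a guess."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""  # no manifest at all: rely on class names only
        names = class_simple_names(zf)
    attrs = parse_manifest(manifest)
    markers = {k: v for k, v in attrs.items() if k in MANIFEST_MARKERS}
    suspicious = [n for n in names
                  if ALLATORI_IL_RE.match(n) or ALLATORI_SHORT_RE.match(n)]
    if markers:
        guess = "; ".join(f"{k}: {v}" for k, v in markers.items())
    elif len(suspicious) >= ALLATORI_MIN_HITS:
        guess = "Allatori (class-name pattern)"
    else:
        guess = "unknown"
    return {"manifest_markers": markers,
            "allatori_like_classes": suspicious,
            "guess": guess}


def build_sample_jar(manifest_text, class_paths):
    """Build a constructed in-memory jar; class entries hold only the 0xCAFEBABE magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        for path in class_paths:
            zf.writestr(path + ".class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: manifest marker wrapped onto a continuation line.
    tagged = build_sample_jar(
        "Manifest-Version: 1.0\r\nObfuscated-By: Example\r\n  Obfuscator 1.0\r\n\r\n",
        ["com/example/Main"])
    print(identify_obfuscator(tagged)["guess"])
    # Constructed sample: no marker, but Allatori-looking class names.
    renamed = build_sample_jar(
        "Manifest-Version: 1.0\r\n",
        ["com/example/IiIlIlIiIl", "com/example/aUx", "com/example/Main$cOn",
         "com/example/PrX", "com/example/Main"])
    print(identify_obfuscator(renamed)["guess"])
```

Treat the guess as a starting point only: a manifest attribute can be edited or stripped, and name patterns alone say nothing about a second obfuscation layer such as Stringer.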


Other obfuscators
For other obfuscators you can try the generic executions, or open an issue and I'll see what I can do.

Libraries needed
commons-io 2.6, darklaf-1.3.3.4, asm-all 8+

Notice
Do not deobfuscate any file that doesn't belong to you.
Please open an issue or send me an email if a transformer doesn't work properly and attach the log.
Note that output files are most likely not runnable. If you still want to try to run them use -noverify as JVM argument!
This tool is intended for Java 8 but it will probably run on higher versions too. Note that not everything written in this README is implemented yet.


Clipboardme - Grab And Inject Clipboard Content By Link


Grab/Inject Clipboard Content

Browsers are implementing a new JavaScript API for asynchronous clipboard access to integrate copy and paste into web applications. It is a replacement for the synchronous execCommand-based copy & paste. Async Clipboard requests don't block the page while the operation is pending, which is an improvement over synchronous requests, and the API also simplifies events and aligns them with the Drag & Drop API.
Clipboardme is a pentester tool that can read and write content to the clipboard by just opening a link, using async clipboard API.

How does Async Clipboard API work?

Copy: Writing Text to the Clipboard
Text can be silently and automatically copied to the clipboard by calling writeText(), without requesting permission. Example:
<script>
navigator.clipboard.writeText('Malicious command to be copied');
</script>
Simple, huh? How dangerous can it be if the user is convinced to run the clipboard content? A Windows reverse shell can be obtained if a user types the following shortcut sequence after visiting the malicious website generated by clipboardme: windows+x, p, ctrl + v. No need to hit enter; the attacker only has to persuade the target to run that "shortcut" to take control of a Windows system. This scenario can occur whenever the target is expected to execute clipboard contents.

Paste: Reading Text from the Clipboard
Text can be read (requires permission) from the clipboard by calling readText(). Example:
<script>
navigator.clipboard.readText().then(clipText => document.write(clipText));
</script>
Users routinely copy sensitive information like passwords and personal details to the clipboard, which could then be read by any page. The Clipboardme tool can create a malicious HTTPS page to grab that content.
To help prevent abuse, clipboard access is only allowed when a page is the active tab and over secured domains (https). Pages in active tabs can write to the clipboard without requesting permission, but reading from the clipboard always requires permission.

Browser compatibility:
Chrome 66, Opera 53, Chrome for Android, Opera for Android

Requirements:

Ngrok Authtoken (for TCP Tunneling): Sign up at: https://ngrok.com/signup

Your authtoken is available on your dashboard: https://dashboard.ngrok.com

Install your authtoken: ./ngrok authtoken <YOUR_AUTHTOKEN>

Legal disclaimer:
Usage of Clipboardme for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Usage:
git clone https://github.com/thelinuxchoice/clipboardme
cd clipboardme
bash clipboardme.sh

Author: https://github.com/thelinuxchoice/clipboardme
Twitter: https://twitter.com/linux_choice
Read the license before using any part from this code :)


Kali Linux 2020.2 Release - Penetration Testing and Ethical Hacking Linux Distribution


We are incredibly excited to announce the second release of 2020, Kali Linux 2020.2.
A quick overview of what’s new since January:
  • KDE Plasma Makeover & Login
  • PowerShell by Default. Kind of.
  • Kali on ARM Improvements
  • Lessons From The Installer Changes
  • New Key Packages & Icons
  • Behind the Scenes, Infrastructure Improvements

KDE Plasma Makeover & Login

With XFCE and GNOME having had a Kali Linux look and feel update, it’s time to go back to our roots (days of backtrack-linux) and give some love and attention to KDE Plasma. Introducing our dark and light themes for KDE Plasma:



On the subject of theming, we have also tweaked the login screen (lightdm). It looks different, both graphically and the layout (the login boxes are aligned now)!



PowerShell by Default. Kind of.

If you wanted powershell, you had to install the package as a one off by doing:
kali@kali:~$ sudo apt install -y powershell

PowerShell is now in one of our primary metapackages, kali-linux-large. This means that if you choose to install this metapackage during system setup, or once Kali is up and running (sudo apt install -y kali-linux-large), and PowerShell is compatible with your architecture, you can jump straight into it (pwsh)!
PowerShell isn’t in the default metapackage (that’s kali-linux-default), but it is in the one that includes the default and many extras, and can be included during system setup.

Lessons From Installer Changes

Issue: It was intended that both the “installer” and “live” images could be customized during setup, to select which metapackage and desktop environment to use. When we did that, we couldn’t include metapackages beyond default in those images, as it would create too large an ISO. As the packages were not in the image, selecting anything other than the default options required network access to obtain the missing packages. After release, we noticed some users selecting “everything” and then waiting hours for installs to happen. They couldn’t understand why the installs were taking so long.


New Key Packages & Icons

The Kali Linux team has refreshed the package logos for each tool.


Kali Linux NetHunter

  • Nexmon support has been revived, bringing WiFi monitor support and frame injection to wlan0 on the Nexus 6P, Nexus 5, Sony Xperia Z5 Compact, and more!
  • OnePlus 3T images have been added to the download page.
  • We have crossed 160 different kernels in our repository, allowing NetHunter to support over 64 devices! Yes, over 160 kernels and over 64 devices supported. Amazing.
  • Our documentation page has received a well deserved refresh, especially the kernel development section.

Download Kali Linux 2020.2

Fresh images

So what are you waiting for? Start downloading already!
Seasoned Kali users are already aware of this, but for the ones who are not, we do also produce weekly builds that you can use as well. If you can’t wait for our next release and you want the latest packages when you download the image, you can just use the weekly image instead. This way you’ll have fewer updates to do. Just know these are automated builds that we don’t QA like we do our standard release images.

Existing Upgrades

If you already have an existing Kali installation, remember you can always do a quick update:
kali@kali:~$ echo "deb http://http.kali.org/kali kali-rolling main non-free contrib" | sudo tee /etc/apt/sources.list
kali@kali:~$
kali@kali:~$ sudo apt update && sudo apt -y full-upgrade
kali@kali:~$
kali@kali:~$ [ -f /var/run/reboot-required ] && sudo reboot -f
kali@kali:~$

You should now be on Kali Linux 2020.2. We can do a quick check by doing:
kali@kali:~$ grep VERSION /etc/os-release
VERSION="2020.2"
VERSION_ID="2020.2"
VERSION_CODENAME="kali-rolling"
kali@kali:~$
kali@kali:~$ uname -v
#1 SMP Debian 5.5.17-1kali1 (2020-04-21)
kali@kali:~$
kali@kali:~$ uname -r
5.5.0-kali2-amd64
kali@kali:~$

NOTE: The output of uname -r may be different depending on the system architecture.
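The post checks the result of the upgrade by grepping /etc/os-release by hand. As an added example (not code from the Kali team or the post), the script below wraps that check and the /var/run/reboot-required test into small reusable functions, comparing the dotted version numerically rather than as a string, and feeds them a constructed os-release sample so it runs offline. The function names and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Kali post: a post-upgrade check that reads
# VERSION_ID from an os-release file and tests the reboot marker the post
# mentions. Function names and the sample file contents are constructed.

# kali_version FILE
#   Print the VERSION_ID value from an os-release style file (KEY="value" lines).
kali_version() {
    grep '^VERSION_ID=' "$1" | cut -d= -f2- | tr -d '"'
}

# is_at_least FILE WANTED
#   Succeed when VERSION_ID in FILE is >= WANTED, comparing the dotted
#   MAJOR.MINOR parts as numbers so that 2020.10 sorts after 2020.2.
is_at_least() {
    have=$(kali_version "$1")
    [ -n "$have" ] || return 2          # no VERSION_ID line: cannot decide
    have_major=${have%%.*}; have_minor=${have#*.}
    want_major=${2%%.*};    want_minor=${2#*.}
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# needs_reboot MARKER
#   Succeed when the reboot marker file exists (the post checks
#   /var/run/reboot-required after a full-upgrade).
needs_reboot() {
    [ -f "$1" ]
}

# Constructed sample os-release mirroring the post's output, so this runs offline.
sample=$(mktemp)
printf '%s\n' 'PRETTY_NAME="Kali GNU/Linux Rolling"' \
              'VERSION="2020.2"' \
              'VERSION_ID="2020.2"' \
              'VERSION_CODENAME="kali-rolling"' > "$sample"

if is_at_least "$sample" 2020.2; then
    echo "os-release reports $(kali_version "$sample"): at or past 2020.2"
else
    echo "os-release reports $(kali_version "$sample"): still behind 2020.2"
fi

if needs_reboot /var/run/reboot-required; then
    echo "reboot required to finish the upgrade"
else
    echo "no reboot pending"
fi
rm -f "$sample"
```

On a real system, point kali_version and is_at_least at /etc/os-release instead of the sample; the numeric comparison matters once the minor number passes 9, where a plain string comparison would rank 2020.10 below 2020.2.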
As always, should you come across any bugs in Kali, please submit a report on our bug tracker. We’ll never be able to fix what we don’t know is broken! And Twitter is not a Bug Tracker!

More info here.


Kaiten - An Undetectable Payload Generation


An undetectable payload generator. This tool is for educational purposes only; using Kaiten to attack targets without prior mutual consent is illegal. The developers assume no liability and are not responsible for any misuse or damage caused by this program.
Official Kaiten Repository.

What is it and why was it made?
We intentionally made it for our penetration testing jobs and for learning purposes. Our Kaiten C2 has now moved on to a better source. And antivirus is dumb. Source: https://www.shadowlabs.cc/kaiten

Requirements
  • MingW
  • GCC
  • OSSLSIGNCODE

Features
  • Undetectable Payload Generation
  • Stealth FUD Payload
  • Self Signing Certificate
  • Random Junk code

Affected Devices and Operating Systems
  • Windows
  • Android (soon)
  • Mac/Linux

Diagrams (also it's cool hehe)


