Crowbar - Brute Forcing Tool for Pentests

January 12, 2015, 3:43 pm

≫ Next: FirePassword - Firefox Username & Password Recovery Tool

≪ Previous: Instant PDF Password Protector - Password Protect PDF file

$

0

0

Crowbar (crowbar) is brute forcing tool that can be used during penetration tests. It is developed to brute force some protocols in a different manner according to other popular brute forcing tools. As an example, while most brute forcing tools use username and password for SSH brute force, Crowbar uses SSH key. So SSH keys, that are obtained during penetration tests, can be used to attack other SSH servers.

Currently Crowbar supports

• OpenVPN
• SSH private key authentication
• VNC key authentication
• Remote Desktop Protocol (RDP) with NLA support

Installation

First you shoud install dependencies

 # apt-get install openvpn freerdp-x11 vncviewer

Then get latest version from github

 # git clone https://github.com/galkan/crowbar 

Attention: Rdp depends on your Kali version. It may be xfreerdp for the latest version.

Usage

-h: Shows help menu.

-b: Target service. Crowbar now supports vnckey, openvpn, sshkey, rdp.

-s: Target ip address.

-S: File name which is stores target ip address.

-u: Username.

-U: File name which stores username list.

-n: Thread count.

-l: File name which stores log. Deafault file name is crwobar.log which is located in your current directory

-o: Output file name which stores the successfully attempt.

-c: Password.

-C: File name which stores passwords list.

-t: Timeout value.

-p: Port number

-k: Key file full path.

-m: Openvpn configuration file path

-d: Run nmap in order to discover whether the target port is open or not. So that you can easily brute to target using crowbar.

-v: Verbose mode which is shows all the attempts including fail.

If you want see all usage options, please use crowbar --help

Download Crowbar

---

FirePassword - Firefox Username & Password Recovery Tool

January 15, 2015, 5:31 pm

≫ Next: Tribler - Download Torrents using Tor-inspired onion routing

≪ Previous: Crowbar - Brute Forcing Tool for Pentests

$

0

0

FirePassword is first ever tool (back in early 2007) released to recover the stored website login passwords from Firefox Browser.

Like other browsers, Firefox also stores the login details such as username, password for every website visited by the user at the user consent. All these secret details are stored in Firefox sign-on database securely in an encrypted format. FirePassword can instantly decrypt and recover these secrets even if they are protected with Master Password.

Also FirePassword can be used to recover sign-on passwords from different profile (for other users on the same system) as well as from the different operating system (such as Linux, Mac etc). This greatly helps forensic investigators who can copy the Firefox profile data from the target system to different machine and recover the passwords offline without affecting the target environment.

This mega release supports password recovery from new password file 'logins.json' starting with Firefox version 32.x.

Note: FirePassword is not hacking or cracking tool as it can only help you to recover your own lost website passwords that are previously stored in Firefox browser.

It works on wider range of platforms starting from Windows XP to Windows 8.

Features

• Instantly decrypt and recover stored encrypted passwords from 'Firefox Sign-on Secret Store' for all versions of Firefox.
• Recover Passwords from Mozilla based SeaMonkey browser also.
• Supports recovery of passwords from local system as well as remote system. User can specify Firefox profile location from the remote system to recover the passwords.
• It can recover passwords from Firefox secret store even when it is protected with master password. In such case user have to enter the correct master password to successfully decrypt the sign-on passwords.
• Automatically discovers Firefox profile location based on installed version of Firefox.
• On successful recovery operation, username, password along with a corresponding login website is displayed
• Fully Portable version, can be run from anywhere.
• Integrated Installer for assisting you in local Installation & Uninstallation. 

Download FirePassword

Tribler - Download Torrents using Tor-inspired onion routing

January 15, 2015, 5:45 pm

≫ Next: PortExpert - Monitors all applications connected to the Internet

≪ Previous: FirePassword - Firefox Username & Password Recovery Tool

$

0

0

Tribler is a research project of Delft University of Technology. Tribler was created over nine years ago as a new open source Peer-to-Peer file sharing program. During this time over one million users have installed it successfully and three generations of Ph.D. students tested their algorithms in the real world.

Tribler is the first client which continuously improves upon the aging BitTorrent protocol from 2001 and addresses its flaws. We expanded it with, amongst others, streaming from magnet links, keyword search for content, channels and reputation-management. All these features are implemented in a completely distributed manner, not relying on any centralized component. Still, Tribler manages to remain fully backwards compatible with BitTorrent.

Work on Tribler has been supported by multiple Internet research European grants. In total we received 3,538,609 Euro in funding for our open source self-organising systems research.

Roughly 10 to 15 scientists and engineers work on it full-time. Our ambition is to make darknet technology, security and privacy the default for all Internet users. As of 2013 we have received code from 46 contributors and 143.705 lines of code.

Vision & Mission

"Push the boundaries of self-organising systems, robust reputation systems and craft collaborative systems with millions of active participants under continuous attack from spammers and other adversarial entities."

Download Tribler

PortExpert - Monitors all applications connected to the Internet

January 19, 2015, 2:15 pm

≫ Next: Password Sniffer Console - Command-line Tool to Sniff and Capture HTTP/FTP/POP3/SMTP/IMAP Passwords

≪ Previous: Tribler - Download Torrents using Tor-inspired onion routing

$

0

0

PortExpert gives you a detailed vision of your personnal computer cybersecurity. It automatically monitors all applications connected to the Internet and give you all the information you might need to identify potential threats to your system.

Features

• Monitor of application using TCP/UDP communications
• User-friendly interface
• Identifies remote servers (WhoIs service)
• Allows to open containing folder of any applications
• Allow to easily search for more info online
• Automatic identification of related service : FTP, HTTP, HTTPS,...
• Capability to show/hide system level processes
• Capability to show/hide loopbacks
• Time freeze function

Download PortExpert

Password Sniffer Console - Command-line Tool to Sniff and Capture HTTP/FTP/POP3/SMTP/IMAP Passwords

January 19, 2015, 2:26 pm

≫ Next: ProGuard - Java class file Shrinker, Optimizer, Obfuscator and Preverifier

≪ Previous: PortExpert - Monitors all applications connected to the Internet

$

0

0

Password Sniffer Console is the all-in-one command-line based Password Sniffing Tool to capture Email, Web and FTP login passwords passing through the network.

It automatically detects the login packets on network for various protocols and instantly decodes the passwords.

Here is the list of supported protocols,

• HTTP (BASIC authentication)
• FTP
• POP3
• IMAP
• SMTP
  

In addition to recovering your own lost passwords, you can use this tool in following scenarios,

• Run it on Gateway System where all of your network's traffic pass through.
• In MITM Attack, run it on middle system to capture the Passwords from target system.
• On Multi-user System, run it under Administrator account to silently capture passwords for all the users.
  

It includes Installer which installs the Winpcap, network capture driver required for sniffing. For Windows 8, first you have to manually install Winpcap driver (in Windows 7 Compatibility mode) and then run our installer to install only Password Sniffer Console.

It is a very useful tool for penetration testers and being a command-line tool makes it suitable for automation.

It works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 8.

Requirements

PasswordSnifferConsole requires Winpcap (http://www.winpcap.org) - industry standard packet capture library for Windows. By default latest version of Winpcap (as of this writing v4.1.2) is installed automatically during the installation of Password Sniffer Console.

However if you don't want it, you can uncheck it during installation and later install the latest version manually.

Download Password Sniffer Console

ProGuard - Java class file Shrinker, Optimizer, Obfuscator and Preverifier

January 20, 2015, 6:01 am

≫ Next: Exploit Pack - Open Source Security Project for Penetration Testing and Exploit Development

≪ Previous: Password Sniffer Console - Command-line Tool to Sniff and Capture HTTP/FTP/POP3/SMTP/IMAP Passwords

$

0

0

ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names. Finally, it preverifies the processed code for Java 6 or higher, or for Java Micro Edition. 

Some uses of ProGuard are:

• Creating more compact code, for smaller code archives, faster transfer across networks, faster loading, and smaller memory footprints.
• Making programs and libraries harder to reverse-engineer.
• Listing dead code, so it can be removed from the source code.
• Retargeting and preverifying existing class files for Java 6 or higher, to take full advantage of their faster class loading.

ProGuard's main advantage compared to other Java obfuscators is probably its compact template-based configuration. A few intuitive command line options or a simple configuration file are usually sufficient. The user manual explains all available options and shows examples of this powerful configuration style.

ProGuard is fast. It only takes seconds to process programs and libraries of several megabytes. The results section presents actual figures for a number of applications.

ProGuard is a command-line tool with an optional graphical user interface. It also comes with plugins for Ant, for Gradle, and for the JME Wireless Toolkit.

What is shrinking?

Java source code (.java files) is typically compiled to bytecode (.class files). Bytecode is more compact than Java source code, but it may still contain a lot of unused code, especially if it includes program libraries. Shrinking programs such as ProGuard can analyze bytecode and remove unused classes, fields, and methods. The program remains functionally equivalent, including the information given in exception stack traces.

What is obfuscation?

By default, compiled bytecode still contains a lot of debugging information: source file names, line numbers, field names, method names, argument names, variable names, etc. This information makes it straightforward to decompile the bytecode and reverse-engineer entire programs. Sometimes, this is not desirable. Obfuscators such as ProGuard can remove the debugging information and replace all names by meaningless character sequences, making it much harder to reverse-engineer the code. It further compacts the code as a bonus. The program remains functionally equivalent, except for the class names, method names, and line numbers given in exception stack traces.

What is preverification?

When loading class files, the class loader performs some sophisticated verification of the byte code. This analysis makes sure the code can't accidentally or intentionally break out of the sandbox of the virtual machine. Java Micro Edition and Java 6 introduced split verification. This means that the JME preverifier and the Java 6 compiler add preverification information to the class files (StackMap and StackMapTable attributes, respectively), in order to simplify the actual verification step for the class loader. Class files can then be loaded faster and in a more memory-efficient way. ProGuard can perform the preverification step too, for instance allowing to retarget older class files at Java 6.

What kind of optimizations does ProGuard support?

Apart from removing unused classes, fields, and methods in the shrinking step, ProGuard can also perform optimizations at the bytecode level, inside and across methods. Thanks to techniques like control flow analysis, data flow analysis, partial evaluation, static single assignment, global value numbering, and liveness analysis, ProGuard can:

• Evaluate constant expressions.
• Remove unnecessary field accesses and method calls.
• Remove unnecessary branches.
• Remove unnecessary comparisons and instanceof tests.
• Remove unused code blocks.
• Merge identical code blocks.
• Reduce variable allocation.
• Remove write-only fields and unused method parameters.
• Inline constant fields, method parameters, and return values.
• Inline methods that are short or only called once.
• Simplify tail recursion calls.
• Merge classes and interfaces.
• Make methods private, static, and final when possible.
• Make classes static and final when possible.
• Replace interfaces that have single implementations.
• Perform over 200 peephole optimizations, like replacing ...*2 by ...<<1.
• Optionally remove logging code.

The positive effects of these optimizations will depend on your code and on the virtual machine on which the code is executed. Simple virtual machines may benefit more than advanced virtual machines with sophisticated JIT compilers. At the very least, your bytecode may become a bit smaller.

Some notable optimizations that aren't supported yet:

• Moving constant expressions out of loops.
• Optimizations that require escape analysis (DexGuard does).

Download ProGuard

Exploit Pack - Open Source Security Project for Penetration Testing and Exploit Development

January 20, 2015, 2:03 pm

≫ Next: Gitrob - Reconnaissance tool for GitHub organizations

≪ Previous: ProGuard - Java class file Shrinker, Optimizer, Obfuscator and Preverifier

$

0

0

Exploit Pack, is an open source GPLv3 security tool, this means it is fully free and you can use it without any kind of restriction. Other security tools like Metasploit, Immunity Canvas, or Core Iimpact are ready to use as well but you will require an expensive license to get access to all the features, for example: automatic exploit launching, full report capabilities, reverse shell agent customization, etc. Exploit Pack is fully free, open source and GPLv3. Because this is an open source project you can always modify it, add or replace features and get involved into the next project decisions, everyone is more than welcome to participate. We developed this tool thinking for and as pentesters. As security professionals we use Exploit Pack on a daily basis to deploy real environment attacks into real corporate clients.

Video demonstration of the latest Exploit Pack release:

More than 300+ exploits

Military grade professional security tool

Exploit Pack comes into the scene when you need to execute a pentest in a real environment, it will provide you with all the tools needed to gain access and persist by the use of remote reverse agents.

Remote Persistent Agents

Reverse a shell and escalate privileges

Exploit Pack will provide you with a complete set of features to create your own custom agents, you can include exploits or deploy your own personalized shellcodes directly into the agent.

Write your own Exploits

Use Exploit Pack as a learning platform

Quick exploit development, extend your capabilities and code your own custom exploits using the Exploit Wizard and the built-in Python Editor moded to fullfill the needs of an Exploit Writer.

Download Exploit Pack

Gitrob - Reconnaissance tool for GitHub organizations

January 21, 2015, 8:34 am

≫ Next: Grinder - System to Automate the Fuzzing of Web Browsers

≪ Previous: Exploit Pack - Open Source Security Project for Penetration Testing and Exploit Development

$

0

0

Gitrob is a command line tool that can help organizations and security professionals find such sensitive information. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files, that typically contain sensitive or dangerous information.

How it works

Looking for sensitive information in GitHub repositories is not a new thing, it has been known for a while that things such as private keys and credentials can be found with GitHub's search functionality, however Gitrob makes it easier to focus the effort on a specific organization.

The first thing the tool does is to collect all public repositories of the organization itself. It then goes on to collect all the organization members and their public repositories, in order to compile a list of repositories that might be related or have relevance to the organization.

When the list of repositories has been compiled, it proceeds to gather all the filenames in each repository and runs them through a series of observers that will flag the files, if they match any patterns of known sensitive files. This step might take a while if the organization is big or if the members have a lot of public repositories.

All of the members, repositories and files will be saved to a PostgreSQL database. When everything has been sifted through, it will start a Sinatra web server locally on the machine, which will serve a simple web application to present the collected data for analysis.

Download Gitrob

---

Grinder - System to Automate the Fuzzing of Web Browsers

January 21, 2015, 12:00 pm

≫ Next: Sysmon v2.0 - System Activity Monitor for Windows

≪ Previous: Gitrob - Reconnaissance tool for GitHub organizations

$

0

0

Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.

System Requirements

A Grinder Node requires a 32/64 bit Windows system and Ruby 2.0 (Ruby 1.9 is also supported but you wont be able to fuzz 64bit targets).

A Grinder Server requires a web server with MySQL and PHP.

Features

Grinder Server features:

• Multi user web application. User can login and manage all crashes reported by the Grinder Nodes. Administrators can create more users and view the login history.
• Users can view the status of the Grinder system. The activity of all nodes in the system is shown including status information such as average testcases being run per minute, the total crashes a node has generated and the last time a node generated a crash.
• Users can view all of the crashes in the system and sort them by node, target, fuzzer, type, hash, time or count.
• Users can view crash statistics for the fuzzers, including total and unique crashes per fuzzer and the targets each fuzzer is generating crashes on.
• Users can hide all duplicate crashes so as to only show unique crashes in the system in order to easily manage new crashes as they occur.
• Users can assign crashes to one another as well as mark a particular crash as interesting, exploitable, uninteresting or unknown.
• Users can store written notes for a particular crash (viewable to all other users) to help manage them.
• Users can download individual crash log files to help debug and recreate testcases.
• Users can create custom filters to exclude uninteresting crashes from the list of crashes.
• Users can create custom e-mail alerts to alert them when a new crash comes into the system that matches a specific criteria.
• Users can change their password and e-mail address on the system as well as view their own login history.

Grinder Node features:

• A node can be brought up and begin fuzzing any supported browser via a single command.
• A node injects a logging DLL into the target browser process to help the fuzzers perform logging in order to recreate testcases at a later stage.
• A node records useful crash information such as call stack, stack dump, code dump and register info and also includes any available symbol information.
• A node can automatically encrypt all crash information with an RSA public key.
• A node can automatically report new crashes to a remote Grinder Server.
• A node can run largely unattended for a long period of time.

Grinder Screenshots

Download Grinder

Sysmon v2.0 - System Activity Monitor for Windows

January 21, 2015, 4:47 pm

≫ Next: Ghiro 0.2 - Automated Digital Image Forensics Tool

≪ Previous: Grinder - System to Automate the Fuzzing of Web Browsers

$

0

0

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.

Overview of Sysmon Capabilities

Sysmon includes the following capabilities:

• Logs process creation with full command line for both current and parent processes.
• Records the hash of process image files using SHA1 (the default), MD5, SHA256 or IMPHASH.
• Multiple hashes can be used at the same time.
• Includes a process GUID in process create events to allow for correlation of events even when Windows reuses process IDs.
• Include a session GUID in each events to allow correlation of events on same logon session.
• Logs loading of drivers or DLLs with their signatures and hashes.
• Optionally logs network connections, including each connection’s source process, IP addresses, port numbers, hostnames and port names.
• Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
• Automatically reload configuration if changed in the registry.
• Rule filtering to include or exclude certain events dynamically.
• Generates events from early in the boot process to capture activity made by even sophisticated kernel-mode malware.

Usage

Uses Sysmon simple command-line options to install and uninstall it, as well as to check and modify Sysmon’s configuration:

Sysinternals Sysmon v2.00 - System activity monitor

Copyright (C) 2014-2015 Mark Russinovich and Thomas Garnier

Sysinternals - www.sysinternals.com

Usage:

Install:    Sysmon.exe -i <configfile>

[-h <[sha1|md5|sha256|imphash|*],...>] [-n (<process,...>)]

[-l (<process,...>)]

Configure:  Sysmon.exe -c <configfile>

              [--|[-h <[sha1|md5|sha256|imphash|*],...>] [-n (<process,...>)]

                   [-l (<process,...>)]]

Uninstall:  Sysmon.exe -u

-c	Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided. Optionally take a configuration file.
-h	Specify the hash algorithms used for image identification (default is SHA1). It supports multiple algorithms at the same time. Configuration entry: Hashing.
-i	Install service and driver. Optionally take a configuration file.
-l	Log loading of modules. Optionally take a list of processes to track. Configuration entry: ImageLoading.
-m	Install the event manifest (done on service install as well).
-n	Log network connections. Optionally take a list of processes to track. Configuration entry: Network.
-u	Uninstall service and driver.

The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events written to the System event log.

If you need more information on configuration files, use the '-? config' command. More examples are available on the Sysinternals website.

Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.

Neither install nor uninstall requires a reboot.

Examples

Install with default settings (process images hashed with sha1 and no network monitoring)

sysmon -accepteula  –i

Install with md5 and sha256 hashing of process created and monitoring network connections

sysmon -accepteula –i –h md5,sha256 –n

Install Sysmon with a configuration file (as described below)

sysmon –accepteula –i c:\windows\config.xml

Uninstall

sysmon –u

Dump the current configuration

sysmon –c

Change the configuration to use all hashes, no network monitoring and monitoring of DLLs in Lsass

sysmon –c –h * –l lsass.exe

Change the configuration of sysmon with a configuration file (as described below)

sysmon –c c:\windows\config.xml

Change the configuration to default settings

sysmon –c --

Download Sysmon v2.0

Ghiro 0.2 - Automated Digital Image Forensics Tool

January 26, 2015, 6:25 am

≫ Next: CapTipper - Malicious HTTP traffic explorer tool

≪ Previous: Sysmon v2.0 - System Activity Monitor for Windows

$

0

0

Sometime forensic investigators need to process digital images as evidence. There are some tools around, otherwise it is difficult to deal with forensic analysis with lot of images involved.

Images contain tons of information, Ghiro extracts these information from provided images and display them in a nicely formatted report.

Dealing with tons of images is pretty easy, Ghiro is designed to scale to support gigs of images.

All tasks are totally automated, you have just to upload you images and let Ghiro does the work.

Understandable reports, and great search capabilities allows you to find a needle in a haystack.

Ghiro is a multi user environment, different permissions can be assigned to each user. Cases allow you to group image analysis by topic, you can choose which user allow to see your case with a permission schema.

Use Cases

Ghiro can be used in many scenarios, forensic investigators could use it on daily basis in their analysis lab but also people interested to undercover secrets hidden in images could benefit. Some use case examples are the following:

• If you need to extract all data and metadata hidden in an image in a fully automated way
• If you need to analyze a lot of images and you have not much time to read the report for all them
• If you need to search a bunch of images for some metadata
• If you need to geolocate a bunch of images and see them in a map
• If you have an hash list of "special" images and you want to search for them

Anyway Ghiro is designed to be used in many other scenarios, the imagination is the only limit.

Video

MAIN FEATURES

Metadata extraction

Metadata are divided in several categories depending on the standard they come from. Image metadata are extracted and categorized. For example: EXIF, IPTC, XMP.

GPS Localization

Embedded in the image metadata sometimes there is a geotag, a bit of GPS data providing the longitude and latitude of where the photo was taken, it is read and the position is displayed on a map.

MIME information

The image MIME type is detected to know the image type your are dealing with, in both contacted (example: image/jpeg) and extended form.

Error Level Analysis

Error Level Analysis (ELA) identifies areas within an image that are at different compression levels. The entire picture should be at roughly the same level, if a difference is detected, then it likely indicates a digital modification.

Thumbnail extraction

The thumbnails and data related to them are extracted from image metadata and stored for review.

Thumbnail consistency

Sometimes when a photo is edited, the original image is edited but the thumbnail not. Difference between the thumbnails and the images are detected. 

Signature engine 

Over 120 signatures provide evidence about most critical data to highlight focal points and common exposures.

Hash matching

Suppose you are searching for an image and you have only the hash. You can provide a list of hashes and all images matching are reported.

Download Ghiro

CapTipper - Malicious HTTP traffic explorer tool

January 26, 2015, 10:59 am

≫ Next: Beeswarm - Active IDS made easy

≪ Previous: Ghiro 0.2 - Automated Digital Image Forensics Tool

$

0

0

CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.

CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.

The tool provides the security researcher with easy access to the files and the understanding of the network flow,and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.

Feeding CapTipper with a drive-by traffic capture (e.g of an exploit kit) displays the user with the requests URI's that were sent and responses meta-data.

The user can at this point browse to http://127.0.0.1/[URI] and receive the response back to the browser.

In addition, an interactive shell is launched for deeper investigation using various commands such as: hosts, hexdump, info, ungzip, body, client, dump and more...

Download CapTipper

Beeswarm - Active IDS made easy

January 27, 2015, 12:42 pm

≫ Next: SmartSniff v2.16 - Capture TCP/IP packets on your network adapter

≪ Previous: CapTipper - Malicious HTTP traffic explorer tool

$

0

0

Beeswarm is an active IDS project that provides easy configuration, deployment and management of honeypots and clients. The system operates by luring the hacker into the honeypots by setting up a deception infrastructure where deployed drones communicate with honeypots and intentionally leak credentials while doing so. The project has been release in a beta version, a stable version is expected within three months.

Installing and starting the server

On the VM to be set up as the server, perform the following steps. Make sure to write down the administrative password.

$ sudo apt-get install libffi-dev build-essential python-dev python-pip libssl-dev libxml2-dev libxslt1-dev
$ pip install pydes --allow-external pydes --allow-unverified pydes
$ pip install beeswarm
Downloading/unpacking beeswarm
...
Successfully installed Beeswarm
Cleaning up...
$ mkdir server_workdir
$ cd server-workdir/
$ beeswarm --server
...
****************************************************************************
Default password for the admin account is: uqbrlsabeqpbwy
****************************************************************************
...

Download Beeswarm

SmartSniff v2.16 - Capture TCP/IP packets on your network adapter

January 27, 2015, 1:51 pm

≫ Next: Appie - Android Pentesting Portable Integrated Environment

≪ Previous: Beeswarm - Active IDS made easy

$

0

0

SmartSniff is a network monitoring utility that allows you to capture TCP/IP packets that pass through your network adapter, and view the captured data as sequence of conversations between clients and servers. You can view the TCP/IP conversations in Ascii mode (for text-based protocols, like HTTP, SMTP, POP3 and FTP.) or as hex dump. (for non-text base protocols, like DNS) 

SmartSniff provides 3 methods for capturing TCP/IP packets :

1. Raw Sockets (Only for Windows 2000/XP or greater): Allows you to capture TCP/IP packets on your network without installing a capture driver. This method has some limitations and problems.
2. WinPcap Capture Driver: Allows you to capture TCP/IP packets on all Windows operating systems. (Windows 98/ME/NT/2000/XP/2003/Vista) In order to use it, you have to download and install WinPcap Capture Driver from this Web site. (WinPcap is a free open-source capture driver.) 
   This method is generally the preferred way to capture TCP/IP packets with SmartSniff, and it works better than the Raw Sockets method.
3. Microsoft Network Monitor Driver (Only for Windows 2000/XP/2003): Microsoft provides a free capture driver under Windows 2000/XP/2003 that can be used by SmartSniff, but this driver is not installed by default, and you have to manually install it, by using one of the following options:
   • Option 1: Install it from the CD-ROM of Windows 2000/XP according to the instructions in Microsoft Web site
   • Option 2 (XP Only) : Download and install the Windows XP Service Pack 2 Support Tools. One of the tools in this package is netcap.exe. When you run this tool in the first time, the Network Monitor Driver will automatically be installed on your system.
4. Microsoft Network Monitor Driver 3: Microsoft provides a new version of Microsoft Network Monitor driver (3.x) that is also supported under Windows 7/Vista/2008. Starting from version 1.60, SmartSniff can use this driver to capture the network traffic. 
   The new version of Microsoft Network Monitor (3.x) is available to download from Microsoft Web site.    

System Requirements

SmartSniff can capture TCP/IP packets on any version of Windows operating system (Windows 98/ME/NT/2000/XP/2003/2008/Vista/7/8) as long as WinPcap capture driver is installed and works properly with your network adapter. 

You can also use SmartSniff with the capture driver of Microsoft Network Monitor, if it's installed on your system.

Under Windows 2000/XP (or greater), SmartSniff also allows you to capture TCP/IP packets without installing any capture driver, by using 'Raw Sockets' method. However, this capture method has some limitations and problems:

• Outgoing UDP and ICMP packets are not captured.
• On Windows XP SP1 outgoing packets are not captured at all - Thanks to Microsoft's bug that appeared in SP1 update... 
  This bug was fixed on SP2 update, but under Vista, Microsoft returned back the outgoing packets bug of XP/SP1.
• On Windows Vista/7/8: Be aware that Raw Sockets method doesn't work properly on all systems. It's not a bug in SmartSniff, but in the API of Windows operating system. If you only see the outgoing traffic, try to turn off Windows firewall, or add smsniff.exe to the allowed programs list of Windows firewall.   

Download SmartSniff v2.16

Appie - Android Pentesting Portable Integrated Environment

January 28, 2015, 8:59 am

≫ Next: DAws - Advanced Web Shell (Windows/Linux)

≪ Previous: SmartSniff v2.16 - Capture TCP/IP packets on your network adapter

$

0

0

Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick.This is a one stop answer for all the tools needed in Android Application Security Assessment.

Difference between Appie and existing environments ?

• Tools contained in Appie are running on host machine instead of running on virtual machine.
• Less Space Needed(Only 600MB compared to atleast 8GB of Virual Machine)
• As the name suggests it is completely Portable i.e it can be carried on USB Stick or on your own smartphone and your pentesting environment will go wherever you go without any differences.
• Awesome Interface

Which tools are included in Appie ?

• Drozer
• dex2jar
• Androguard
• Introspy-Analyzer
• Jd-Gui
• Android Debug Bridge
• Apktool
• Sublime Text
• Androguard SublimeText Plugin
• Eclipse with Android Developer Tools
• Owasp GoatDroid Project Configured
• Fastboot and sqlite3
• Java Runtime Environment and Python Files.With these you don’t even need to have Python or Java Runtime Environment installed on the computer.
• Nearly all UNIX commands like ls, cat, chmod, cp, find, git, unzip, mkdir, ssh, openssl, keytool ,jarsigner and many others

Download Appie

---

DAws - Advanced Web Shell (Windows/Linux)

January 28, 2015, 1:25 pm

≫ Next: MalwaRE - Malware Repository Framework

≪ Previous: Appie - Android Pentesting Portable Integrated Environment

$

0

0

There's multiple things that makes DAws better than every Web Shell out there:

1. Bypasses Disablers; DAws isn't just about using a particular function to get the job done, it uses up to 6 functions if needed, for example, if shell_exec was disabled it would automatically use exec or passthru or system or popen or proc_open instead, same for Downloading a File from a Link, if Curl was disabled then file_get_content is used instead and this Feature is widely used in every section and fucntion of the shell.
2. Automatic Encoding; DAws randomly and automatically encodes most of your GET and POST data using XOR(Randomized key for every session) + Base64(We created our own Base64 encoding functions instead of using the PHP ones to bypass Disablers) which will allow your shell to Bypass pretty much every WAF out there.
3. Advanced File Manager; DAws's File Manager contains everything a File Manager needs and even more but the main Feature is that everything is dynamically printed; the permissions of every File and Folder are checked, now, the functions that can be used will be available based on these permissions, this will save time and make life much easier.
4. Tools: DAws holds bunch of useful tools such as "bpscan" which can identify useable and unblocked ports on the server within few minutes which can later on allow you to go for a bind shell for example.
5. Everything that can't be used at all will be simply removed so Users do not have to waste their time. We're for example mentioning the execution of c++ scripts when there's no c++ compilers on the server(DAws would have checked for multiple compilers in the first place) in this case, the function would be automatically removed and the User would know.
6. Supports Windows and Linux.
7. Openned Source.

Extra Info

• Eval Form:
• `include` is being used instead PHP `eval` to bypass Protection Systems.
• Download from Link - Methods:
• PHP Curl
• File_put_content
• Zip - Methods:
• Linux:
• Zip
• Windows:
• Vbs Script
• Shells and Tools:
• Extra:
• `nohup`, if installed, is automatically used for background processing.

Download DAws

MalwaRE - Malware Repository Framework

January 30, 2015, 10:59 am

≫ Next: JADX - Java source code from Android Dex and Apk files

≪ Previous: DAws - Advanced Web Shell (Windows/Linux)

$

0

0

malwaRE is a malware repository website created using PHP Laravel framework, used to manage your own malware zoo. malwaRE was based on the work of Adlice team with some extra features.

If you guys have any improvements, please let me know or send me a pull request.

Features

• Self-hosted solution (PHP/Mysql server needed)
• VirusTotal results (option for uploading unknown samples)
• Search filters available (vendor, filename, hash, tag)
• Vendor name is picked from VirusTotal results in that order: Microsoft, Kaspersky, Bitdefender
• Add writeup url(s) for each sample
• Manage samples by tag
• Tag autocomplete
• VirusTotal rescan button (VirusTotal's score column)
• Download samples from repository

Download MalwaRE

JADX - Java source code from Android Dex and Apk files

January 31, 2015, 7:31 am

≫ Next: PhEmail - Automate Sending Phishing Emails

≪ Previous: MalwaRE - Malware Repository Framework

$

0

0

Command line and GUI tools for produce Java source code from Android Dex and Apk files.

Usage

jadx[-gui] [options] <input file> (.dex, .apk, .jar or .class)
options:
 -d, --output-dir    - output directory
 -j, --threads-count - processing threads count
 -f, --fallback      - make simple dump (using goto instead of 'if', 'for', etc)
     --cfg           - save methods control flow graph to dot file
     --raw-cfg       - save methods control flow graph (use raw instructions)
 -v, --verbose       - verbose output
 -h, --help          - print this help
Example:
 jadx -d out classes.dex

Download JADX

PhEmail - Automate Sending Phishing Emails

February 2, 2015, 11:59 am

≫ Next: AppCrashView - View Application Crashes (.wer files)

≪ Previous: JADX - Java source code from Android Dex and Apk files

$

0

0

PhEmail is a python open source phishing email tool that automates the process of sending phishing emails as part of a social engineering test. The main purpose of PhEmail is to send a bunch of phishing emails and prove who clicked on them without attempting to exploit the web browser or email client but collecting as much information as possible. PhEmail comes with an engine to garther email addresses through LinkedIN, useful during the information gathering phase. Also, this tool supports Gmail authentication which is a valid option in case the target domain has blacklisted the source email or IP address. Finally, this tool can be used to clone corporate login portals in order to steal login credentials.

Usage

PHishing EMAIL tool v0.13
Usage: phemail.py [-e <emails>] [-m <mail_server>] [-f <from_address>] [-r <replay_address>] [-s <subject>] [-b <body>]
          -e    emails: File containing list of emails (Default: emails.txt)
          -f    from_address: Source email address displayed in FROM field of the email (Default: Name Surname <name_surname@example.com>)
          -r    reply_address: Actual email address used to send the emails in case that people reply to the email (Default: Name Surname <name_surname@example.com>)
          -s    subject: Subject of the email (Default: Newsletter)
          -b    body: Body of the email (Default: body.txt)
          -p    pages: Specifies number of results pages searched (Default: 10 pages)
          -v    verbose: Verbose Mode (Default: false)
          -l    layout: Send email with no embedded pictures 
          -B    BeEF: Add the hook for BeEF
          -m    mail_server: SMTP mail server to connect to
          -g    Google: Use a google account username:password
          -t    Time delay: Add deleay between each email (Default: 3 sec)
          -R    Bunch of emails per time (Default: 10 emails)
          -L    webserverLog: Customise the name of the webserver log file (Default: Date time in format "%d_%m_%Y_%H_%M")
          -S    Search: query on Google
          -d    domain: of email addresses
          -n    number: of emails per connection (Default: 10 emails)
          -c    clone: Clone a web page
          -w    website: where the phishing email link points to
          -o    save output in a file
          -F    Format (Default: 0): 
                0- firstname surname
                1- firstname.surname@example.com
                2- firstnamesurname@example.com
                3- f.surname@example.com
                4- firstname.s@example.com
                5- surname.firstname@example.com
                6- s.firstname@example.com
                7- surname.f@example.com
                8- surnamefirstname@example.com
                9- firstname_surname@example.com 

Examples: phemail.py -e emails.txt -f "Name Surname <name_surname@example.com>" -r "Name Surname <name_surname@example.com>" -s "Subject" -b body.txt
          phemail.py -S example -d example.com -F 1 -p 12
          phemail.py -c https://example.com

Disclaimer

Usage of PhEmail for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.

Download PhEmail

AppCrashView - View Application Crashes (.wer files)

February 3, 2015, 12:58 pm

≫ Next: Socat - Multipurpose relay (SOcket CAT)

≪ Previous: PhEmail - Automate Sending Phishing Emails

$

0

0

AppCrashView is a small utility for Windows Vista and Windows 7 that displays the details of all application crashes occurred in your system. The crashes information is extracted from the .wer files created by the Windows Error Reporting (WER) component of the operating system every time that a crash is occurred. AppCrashView also allows you to easily save the crashes list to text/csv/html/xml file.

System Requirements

For now, this utility only works on Windows Vista, Windows 7, and Windows Server 2008, simply because the earlier versions of Windows don't save the crash information into .wer files. It's possible that in future versions, I'll also add support for Windows XP/2000/2003 by using Dr. Watson (Drwtsn32.exe) or other debug component that capture the crash information.

Using AppCrashView

AppCrashView doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - AppCrashView.exe The main window of AppCrashView contains 2 pane. The upper pane displays the list of all crashes found in your system, while the lower pane displays the content of the crash file that you select in the upper pane.

You can select one or more crashes in the upper pane, and then save them (Ctrl+S) into text/html/xml/csv file or copy them to the clipboard ,and paste them into Excel or other spreadsheet application.

Command-Line Options

/ProfilesFolder <Folder>	Specifies the user profiles folder (e.g: c:\users) to load. If this parameter is not specified, the profiles folder of the current operating system is used.
/ReportsFolder <Folder>	Specifies the folder that contains the WER files you wish to load.
/ShowReportQueue <0 | 1>	Specifies whether to enable the 'Show ReportQueue Files' option. 1 = enable, 0 = disable
/ShowReportArchive <0 | 1>	Specifies whether to enable the 'Show ReportArchive Files' option. 1 = enable, 0 = disable
/stext <Filename>	Save the list of application crashes into a regular text file.
/stab <Filename>	Save the list of application crashes into a tab-delimited text file.
/scomma <Filename>	Save the list of application crashes into a comma-delimited text file (csv).
/stabular <Filename>	Save the list of application crashes into a tabular text file.
/shtml <Filename>	Save the list of application crashes into HTML file (Horizontal).
/sverhtml <Filename>	Save the list of application crashes into HTML file (Vertical).
/sxml <Filename>	Save the list of application crashes into XML file.
/sort <column>	This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Event Name" and "Process File". You can specify the '~' prefix character (e.g: "~Event Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. Examples: AppCrashView.exe /shtml "f:\temp\crashlist.html" /sort 2 /sort ~1 AppCrashView.exe /shtml "f:\temp\crashlist.html" /sort "Process File"
/nosort	When you specify this command-line option, the list will be saved without any sorting.

Download AppCrashView