This bash script tests for sticky keys and utilman backdoors. The script will connect to an RDP server, send both the sticky keys and utilman triggers and screenshot the result. How does it work?
Connects to RDP using rdesktop
Sends shift 5 times using xdotool to trigger sethc.exe backdoors
Sends Windows+u using xdotool to trigger utilman.exe backdoors
Takes screenshot
Kills RDP connection
Prerequisites
Linux host running an X server
The following packages: xdotool imagemagick rdesktop bc
Debian/Ubuntu/Kali install: apt-get install xdotool imagemagick rdesktop bc
Screen cannot be locked during this process or all of the screenshots will turn out black
Usage Scan a single host: ./stickyKeysHunter.sh 192.168.1.10 Scan Multiple hosts: for i in $(cat list.txt); do ./stickyKeysHunter.sh "${i}"; done
TODO
Automatically analyze screenshots with OCR or image processing to identify backdoors.
The WarBerry was built with one goal in mind; to be used in red teaming engagement where we want to obtain as much information as possible in a short period of time with being as stealth as possible. Just find a network port and plug it in. The scripts have been designed in a way that the approach is targeted to avoid noise in the network that could lead to detection and to be as efficient as possible. The WarBerry script is a collection of scanning tools put together to provide that functionality.
Usage To get a list of all options and switches use:
sudo python warberry.py -h
Parameters: -h, --help [*] Print this help banner -m, --man [*] Prints WarBerry's Man Page -A, --attack [*] Run All Enumeration Scripts -S, --sniffer [*] Run Sniffing Modules Only -C, --clear [*] Clear Output Directories -F, --fulltcp [*] Full TCP Port Scan -T, --toptcp [*] Top Port Scan -U, --topudp [*] Top UDP Port Scan
example usage: sudo python warberry.py -A sudo python warberry.py --attack sudo python warberry.py -C
Installation Optional: Change the hostname of the RaspberryPi to WarBerry sudo nano /etc/hosts sudo nano /etc/hostname Reboot the WarBerry for the changes to take effect Create a directory under /home/pi sudo mkdir WarBerry Create the Results subdirectory in /WarBerry sudo mkdir Results Download WarBerry by cloning the Git repository: sudo git clone https://github.com/secgroundzero/warberry.git
Important The tool in case of MAC address filtering enumerates by default the subnets specified under /home/pi/WarBerry/warberry/discover . This is done for the tool to run quicker. If you want to enumerate more subnets either add the subnets in that file or change line 154 in rest_bypass.py so that it does not read from the file.
Faraday introduces a new concept - IPE (Integrated Penetration-Test Environment) a multiuser Penetration test IDE. Designed for distribution, indexation and analysis of the generated data during the process of a security audit.
A brand new Faraday version is ready! Faraday v1.0.20 (Community, Pro & Corp) is here, bringing more functionality to our GTK interface and other cool new features.
You will probably notice the most our new conflict resolution dialog, which improves on our design for QT and highlights the differences between the two conflicting objects, not to mention it requires one less click from you when fixing a conflict.
Conflict resolution dialog in Faraday's GTK interface
Also, you will notice the status bar now displays relevant information about your workspace, so you know exactly where you stand regarding the number of hosts, services and vulnerabilities. Your workflow will also be improved by the new exit command support, which now behaves as you'd expect - if you exit from a tab inside Faraday, the tab will close.
Big new features are exciting, but bug fixes and small add-ons are important too. The terminal now features infinite scrolling and scroll bars, there are more descriptive labels, the sidebar is resizable and you can search for specific workspaces by name.
However, our web UI wasn't left behind, including fixes and improvements in the hosts and services views. Also, in this version we added the report import event to the commands history, so it can be viewed in the dashboard. We believe this feature will enable you to keep track of all the movements in the workspace, so we hope you enjoy it!
Pro & Corp changes:
Fixed a bug in report creation - removed relative paths in the generation script so it can be run from another directory
bt2 is a Python-based backdoor in form of a IM bot that uses the infrastructure and the feature-rich bot API provided by Telegram, slightly repurposing its communication platform to act as a C&C. Dependencies
PS: Telepot requires minimum of requests 2.9.1 to work properly.
Limitations Currently the shellcode execution component is dependent on ctypes and works only on Windows platforms.
Usage Before using this code one has to register a bot with Telegram. This can be done by talking to Botfather - after setting up the name for the bot and username you will get a key that will be used to interact with the bot API. For more information see Telegram bots: an introduction for developers Also, it is highly advisable to replace 'botmaster ID' with the ID of the master, locking the communication between the bot to the specific ID of the botmaster to avoid abuse from unauthorized parties.
After launching a reverse shell and exiting from it, all commands sent to the bot have duplicate responses.
The 'kill' functionality is not working as it should.
After successful execution of shellcode, the bot dies. Upon return it fetches the previous messages from the server and executes the shellcode again. Need to find a way to avoid fetching of previous messages.
Most of the websites compress their resources such as JS files in order to increase the loading speed. However, security testing and debugging a compressed resource is not an easy task. This is a Burp Suite open source extension which makes it possible to beautify most of the resources properly. Therefore, it will help the web application security researchers to view the compressed resources easier. It also helps them to have the decompressed versions of the resources (such as JS, CSS, HTML, XML, and so on) inside the browsers to debug them without any problem.
Step 1- (Adding Libraries) Now under "Extender" tab, click on the "Options" tab; in "Java Environment" section, click on "Select folder ..." button and select the "libs" folder that contains "js.jar" and "rsyntaxtextarea.jar".
Step 2- (Adding Extension) In Burp Suite, click on the "Extender" tab, then click on "Add" button and select "jsbeautifier.jar" file.
Step 3- (Testing Extension) Now you should be able to see "JSBeautifier Settings" tab in burp suite. You can also manually beautify requests/responses by using right click and selecting the "Beautify This!" option. If it cannot beautify anything, check your Burp Suite extension settings and make sure that you have added the requested libraries; Unload/Load the extension and try again.
Features:
Works with the latest version of Burp Suite (tested on 1.5.21)
Manual beautifying the requests/responses
Automatic beautifying the responses in proxy
Automatic beautifying the responses in all tabs
Can support Burp suite scope
Mimicking exact behaviour of JSBeautifier.org website by using Rhino library
Supporting multiple file types (JS, CSS, HTML, and so on)
Detecting packers and obfuscators (based on JSBeautifier.org)
Syntax highlighter in the read-only editor by using Fifesoft RSyntaxTextArea library
Open Source
This extension is based on the following modules/libraries (included in repository):
If you have found an issue, please use “Debug Mode” option and attach the extension's Output and Error files to your report. I may not be able to replicate the issue without having this information.
Tested on:
This extension has been tested on Burp Suite Pro v1.5.21 with Java v7ux. If you are using an older version of Burp Suite, you may be able to use version 0.1a of this extension which is located at https://code.google.com/p/burp-suite-beautifier-extension/
Intercepter-NG is a multifunctional network toolkit for various types of IT specialists. It has functionality of several famous separate tools and more over offers a good and unique alternative of Wireshark for android.
The main features are:
Network discovery with OS detection
Network traffic analysis
Passwords recovery
Files recovery
WARNING! You need ROOT access (SUPERSU ONLY) and BUSYBOX to use this application. Please you Google to learn how to get it on your device! Also, if you face any problems reinstall busybox and supersu!
WifiChannelMonitor is a utility for Windows that captures wifi traffic on the channel you choose, using Microsoft Network Monitor capture driver in monitor mode, and displays extensive information about access points and the wifi clients connected to them. WifiChannelMonitor also allows you to view the information about wifi clients that are not connected to any access points, including the list of SSIDs (network names) that they are trying to connect.
For every access point, the following information is displayed: SSID, MAC Address, Device Manufacturer , PHY Type, Channel, RSSI, Security, Beacons Count, Probe Responses Count, Data Bytes, Retransmitted Data Bytes, and more...
For every client, the following information is displayed: MAC Address, Device Manufacturer, SSID list that the client tries to connect, Sent Data Bytes, Received Data Bytes, Probe Requests Count, and more...
System Requirements
Windows 10/Vista/7/8/2012 - 32-bit or 64-bit. (In previous version of Windows , there is no support for wifi monitor mode)
Wireless network adapter and a driver that works properly in 'monitor mode' under Windows. See the remarks about that in the 'Known Problems' section below, it's very important !!
You can also use WifiChannelMonitor to watch wifi information offline by importing a capture pcap file created under Linux with airodump-ng or wireshark. In this case, there is no need for capture driver and you can also use it under Windows XP.
WifiChannelMonitor vs Other Tools
Capturing data using monitor mode allows WifiChannelMonitor to show information that other wifi tools cannot get:
Detect and show all wifi clients (Tablets, Smartphones, computers with wifi adapter, and so on... ), Including wifi clients that are not connected to any access point, but only tries to connect...
For wifi clients that try to connect to one or more APs - WifiChannelMonitor displays the list of network names (SSIDs) that the wifi client tries to connect.
WifiChannelMonitor can also detect clients with a wired connection to the router.
WifiChannelMonitor shows the number of sent/received data bytes for every access point and for every wifi client connected to the access point.
WifiChannelMonitor can show the name of hidden network. (The name is detected only when somebody connects this wireless network)
Start Using WifiChannelMonitor
Before you start capturing wifi data with WifiChannelMonitor, you have to install the Microsoft Network Monitor 3.x from this Web page or from this Web page. Except of the Microsoft Network Monitor driver, there is no need for any installation process or additional dll files.
In order to start using WifiChannelMonitor, simply run the executable file - WifiChannelMonitor.exe
After running WifiChannelMonitor, press F6 to start capturing in wifi monitor mode. On the 'Capture Options' window, you have to choose the correct wireless network adapter and the channel number you want to monitor. It's recommended to start monitoring with one of the 3 major wifi channels - 1, 6, or 11.
After choosing the channel and adapter, click the Ok button to start monitoring. After a few seconds, you should see the access points information in the upper pane. If you don't see any information , stop the capture (F7) , go to the 'Capture Options' window (F9) and try to change from 802.11n to 802.11g. After that press F6 to start the capture again.
Wifi Clients Modes (Lower Pane)
There are 3 different modes that you can view the wifi clients in the lower pane:
Show Clients Of Selected AP:In this mode, WifiChannelMonitor only displays the wifi clients that are connected to the access point you select in the upper pane.
Show All Clients:In this mode, WifiChannelMonitor displays all detected clients.
Show All Clients Without AP:In this mode, WifiChannelMonitor displays all clients that are not connected to any access point.
Show All Clients With AP:In this mode, WifiChannelMonitor displays all clients that are connected to access point.
Show Only Clients+APs In My List:In this mode, WifiChannelMonitor displays only the clients and APs that appear in the MAC Addresses List (Ctrl+F8)
AP Columns Description
SSID:The name of the wireless network
MAC Address:MAC address of the access point.
Company:Company that manufactured this access point, determined according to the MAC address.
PHY Type:802.11g, 802.11n, and so on...
Frequency:Channel frequency in MHz.
Channel:Channel number.
RSSI:Specifies the signal strength, in dBm. Some drivers don't provide the correct RSSI values in monitor mode.
Beacons:The total number of beacons sent by the access point. Beacon is a packet sent frequently by the access point and contains essential information that the wifi client need to identify and connect it.
Probe Responses:The total number of times that the access point responded to a probe request sent by a wifi client.
Data Bytes:Total number of data bytes sent and received by this access point.
Retransmitted Data:Total number of retransmitted data bytes sent and received by this access point.
Device Name:The name of the device. This value is displayed only for devices that support WPS.
Device Model:The device model. This value is displayed only for devices that support WPS.
WPS:Specifies the WPS status: No (No WPS Support), Configured, Not Configured, or Locked.
Start Time:Displays the last time that access point was possibly started/restarted/rebooted. Be aware that some access points reset their timestamp periodically without restart/reboot action, and thus for these APs, the time value displayed on this column doesn't represent the correct start time.
First Data Detected On:The first time that sent/received data was detected for this AP.
Last Data Detected On:The last time that sent/received data was detected for this AP.
Wifi Client Columns Description
MAC Address:MAC address of the wifi client.
Company:Company that manufactured this wifi client, determined according to the MAC address. For example, if the wifi client is iPhone or iPad, you'll see 'Apple' in this column.
RSSI:Specifies the signal strength, in dBm. Some drivers don't provide the correct RSSI values in monitor mode.
SSID List:When wifi client tries to connect one or more access points, this field will display the list of network names (SSIDs) that this client tries to connect.
Sent Data Bytes:Total number of data bytes sent by the client.
Received Data Bytes:Total number of data bytes received by the client.
Retransmitted Sent:Total number of retransmitted data bytes sent by the client.
Retransmitted Received:Total number of retransmitted data bytes received by the client.
Client Type:Wifi Client, Router, or Unknown.
Wifi Client means that this client uses wireless connection.
Router means that this client is the router (Yes... the router is also displayed as a client in the network).
Unknown means that this client uses wired connection or wireless connection.
Device Name:The name of the device. This value is displayed only for devices that support WPS.
Device Model:The device model. This value is displayed only for devices that support WPS.
WPS:Specifies the WPS status: No (No WPS Support), Configured, Not Configured, or Locked.
PHY Type:802.11g, 802.11n, and so on...
Security:None, WPA-PSK, WPA2-PSK, WPA-EAP, WPA2-EAP, or WEP. This field is filled only when the client tries to connect the access point.
Cipher:None, WEP, TKIP, CCMP, TKIP+CCMP. This field is filled only when the client tries to connect the access point.
Probe Requests:Total number of probe requests sent by this client.
First Detected On:The first date/time that this client was detected.
Last Detected On:The last date/time that this client was detected.
Association Status Code:Specifies the last Association Status Code that might be useful to disgnose wifi connection problems. You can find the meaning of these codes in this Web page.
Deauthentication Code:Specifies the last Deauthentication Code that might be useful to disgnose wifi connection problems. You can find the meaning of these codes in this Web page.
Association Requests:Specifies the number of association requests sent by the client.
Device DescriptionIf the MAC address of the device is identical a MAC address in your MAC Addresses List (Ctrl+F8), then the description of the device in this list is displayed in this column.
Meaning of Icons
Green Icon - The AP or wifi client sent or received data in the last 10 seconds. (You can change the number of seconds in the 'Advanced Options' window)
Orange Icon - The AP or wifi client sent or received data in the last 60 seconds. (You can change the number of seconds in the 'Advanced Options' window)
Red Icon - No sent/received data in the last 60 seconds.
Command-Line Options
/cfg <Filename>
Start WifiChannelMonitor with the specified configuration file. For example: WifiChannelMonitor.exe /cfg "c:\config\wf.cfg" WifiChannelMonitor.exe /cfg "%AppData%\WifiChannelMonitor.cfg"
NDIS 6 Support : Npcap makes use of new NDIS 6 Light-Weight Filter (LWF) API in Windows Vista and later (the legacy driver is used on XP). It's faster than the deprecated NDIS 5 API, which Microsoft could remove at any time.
Extra Security : Npcap can be restricted so that only Administrators can sniff packets. If a non-Admin user tries to utilize Npcap through software such as Nmap or Wireshark, the user will have to pass a User Account Control (UAC) dialog to utilize the driver. This is conceptually similar to UNIX, where root access is generally required to capture packets.
WinPcap Compatibility : If you choose WinPcap Compatible Mode at install-time, Npcap will use the WinPcap-style DLL directories c:\Windows\System32 and servcie name npf , allowing software built with WinPcap in mind to transparently use Npcap instead. If compatability mode is not selected, Npcap is installed in a different location C:\Windows\System32\Npcap with a different service name npcap so that both drivers can coexist on the same system. In this case, applications which only know about WinPcap will continue using that, while other applications can choose to use the newer and faster Npcap driver instead.
Loopback Packet Capture : Npcap is able to sniff loopback packets (transmissions between services on the same machine) by using the Windows Filtering Platform (WFP) . After installation, Npcap will create an adapter named Npcap Loopback Adapter for you. If you are a Wireshark user, choose this adapter to capture, you will see all loopback traffic the same way as other non-loopback adapters. Try it by typing in commands like ping 127.0.0.1 (IPv4) or ping ::1 (IPv6).
Loopback Packet Injection : Npcap is also able to send loopback packets using the Winsock Kernel (WSK) technique. User-level software such as Nping can just send the packets out using Npcap Loopback Adapter just like any other adapter. Npcap then does the magic of removing the packet's Ethernet header and injecting the payload into the Windows TCP/IP stack.
Raw 802.11 Packet Capture : Npcap is able to see 802.11 packets instead of fake Ethernet packets on ordinary wireless adapters. You need to select the Support raw 802.11 traffic (and monitor mode) for wireless adapters option in the installation wizard to enable this feature. When your adapter is in Monitor Mode , Npcap will supply all 802.11 data + control + management packets with radiotap headers. When your adapter is in Managed Mode , Npcap will only supply 802.11 data packets with radiotap headers. Moreover, Npcap provides the WlanHelper.exe tool to help you switch to Monitor Mode on Windows. See more details about this feature in section For softwares that use Npcap raw 802.11 feature . See more details about radiotap here: http://www.radiotap.org/
Run installer\Build.bat : build all DLLs and the driver. The DLLs need to be built using Visual Studio 2013 . And the driver needs to be built using Visual Studio 2015 with Windows SDK 10 10586 & Windows Driver Kit 10 10586 .
Run installer\Deploy_Symbols.bat : copy the debug symbol files (.PDB) from build directories to deployment directories and package them into a zip file named npcap-nmap-<VERSION>-DebugSymbols.zip using 7-Zip .
WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.
How does it work?
To do its magic, WAFW00F does the following:
Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions
If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is
If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess if a WAF or security solution is actively responding to our attacks
What does it detect? It detects a number of WAFs. To view which WAFs it is able to detect run WAFW00F with the -l option. At the time of writing the output is as follows:
$ ./wafw00f -l
^ ^ _ __ _ ____ _ __ _ _ ____ ///7/ /.' \ / __////7/ /,' \ ,' \ / __/ | V V // o // _/ | V V // 0 // 0 // _/ |_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/ < ...'
WAFW00F - Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique
Can test for these WAFs:
Anquanbao Juniper WebApp Secure IBM Web Application Security Cisco ACE XML Gateway F5 BIG-IP APM 360WangZhanBao ModSecurity (OWASP CRS) PowerCDN Safedog F5 FirePass DenyALL WAF Trustwave ModSecurity CloudFlare Imperva SecureSphere Incapsula WAF Citrix NetScaler F5 BIG-IP LTM Art of Defence HyperGuard Aqtronix WebKnight Teros WAF eEye Digital Security SecureIIS BinarySec IBM DataPower Microsoft ISA Server NetContinuum NSFocus ChinaCache-CDN West263CDN InfoGuard Airlock Barracuda Application Firewall F5 BIG-IP ASM Profense Mission Control Application Shield Microsoft URLScan Applicure dotDefender USP Secure Entry Server F5 Trafficshield
How do I use it? For help please make use of the --help option. The basic usage is to pass it a URL as an argument. Example:
$./wafw00f https://www.ibm.com/
^ ^ _ __ _ ____ _ __ _ _ ____ ///7/ /.' \ / __////7/ /,' \ ,' \ / __/ | V V // o // _/ | V V // 0 // 0 // _/ |_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/ < ...'
WAFW00F - Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique
Checking https://www.ibm.com/ The site https://www.ibm.com/ is behind a Citrix NetScaler Number of requests: 6
How do I install it? The following should do the trick:
Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting, privacy/anonimity and cryptography. Based on Debian and developed by Frozenbox network.
Who can use it
Parrot is designed for everyone, from the Pro pentester to the newbie, because it provides the most professional tools combined in a easy to use, fast and lightweight pentesting environment, and it can be used also for an everyday use.
Features:
System Specs
Debian jessie core
Custom hardened linux 4.5 kernel
Rolling release upgrade line
MATE desktop environment
Lightdm Dislpay Manager
Custom themes, icons and wallpapers
System Requirements
CPU: at least 1Ghz dual core cpu
ARCH: 32bit, 64bit and ARMhf
RAM: 256Mb - 512Mb suggested
GPU: No graphic acceleration required
HDD Standard: 6Gb used - 8Gb suggested
HDD Full: 8Gb used - 16Gb suggested
BOOT: Legacy bios or UEFI (testing)
Cloud
Parrot Server Edition
Parrot Cloud Controller
Parrot VPS Service
Custom installation script for Debian VPS
Digital Forensic
"Forensic" boot option to avoid boot automounts
Most famous Digital Forensic tools and frameworks out of the box
The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.
The Tor Browser lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained.
The Tor Browser Team is proud to announce the first stable release in the 6.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.
This release brings us up to date with Firefox 45-ESR, which should mean a better support for HTML5 video on Youtube, as well as a host of other improvements.
Beginning with the 6.0 series code-signing for OS X systems is introduced. This should help our users who had trouble with getting Tor Browser to work on their Mac due to Gatekeeper interference. There were bundle layout changes necessary to adhere to code signing requirements but the transition to the new Tor Browser layout on disk should go smoothly.
The release also features new privacy enhancements and disables features where we either did not have the time to write a proper fix or where we decided they are rather potentially harmful in a Tor Browser context.
On the security side this release makes sure that SHA1 certificate support is disabled and our updater is not only relying on the signature alone but is checking the hash of the downloaded update file as well before applying it. Moreover, we provide a fix for a Windows installer related DLL hijacking vulnerability.
The full changelog since Tor Browser 5.5.5 is
Tor Browser 6.0
All Platforms
Update Firefox to 45.1.1esr
Update OpenSSL to 1.0.1t
Update Torbutton to 1.9.5.4
Bug 18466: Make Torbutton compatible with Firefox ESR 45
Bug 18743: Pref to hide 'Sign in to Sync' button in hamburger menu
Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.
It is a complete operating system designed to be used from a DVD, USB stick, or SD card independently of the computer's original operating system. It is Free Software and based on Debian GNU/Linux.
Tails comes with several built-in applications pre-configured with security in mind: web browser, instant messaging client, email client, office suite, image and sound editor, etc.
New features
We enabled the automatic account configuration of Icedove which discovers the correct parameters to connect to your email provider based on your email address. We improved it to rely only on secure protocol and we are working on sharing these improvements with Mozilla so that users of Thunderbird outside Tails can benefit from them as well.
The automatic account configuration of Icedove freezes when connecting to some email providers. (#11486)
In some cases sending an email with Icedove results in the error: "The message could not be sent using Outgoing server (SMTP) mail.riseup.net for an unknown reason." When this happens, simply click "Ok" and try again and it should work. (#10933)
The update of the Mesa graphical library introduce new problems at least on AMD HD 7770 and nVidia GT 930M.
An Arch Linux repository for security professionals and enthusiasts.
Done the Arch Way and optimized for i686, x86_64, ARMv6, and ARMv7.
ArchStrike is a penetration testing and security layer on top of Arch Linux. We follow the Arch Linux standards very closely in order to keep our packages clean, proper and easy to maintain.
The team is working very hard to maintain the repository and give you the best ArchStrike experience.
Q: What difference does ArchStrike have from other penetration distributions?
A: We are a layer on top of ArchLinux that you can install and remove easily. We try and follow the Arch Linux standards when making our packages.
Q: Do you have an ISO?
A: As of yet, we do not have an ISO, although our team is working on an ISO to be released as you are reading this. Updates on the ISO will be made on twitter and our website.
A tool that transforms Firefox Browsers into a penetration testing suite
How?
It downloads the most important extensions, and install it on your browser. The used extensions has been chosen by a survey among the information security community. Based on it's results, Firefox Security Toolkit was made. Also, it allows you to download Burp Suite certificate and a large user-agent list for User-Agent Switcher. Making it one-click away to prepare your web-application testing browser.
How does it differs from well-known projects, such as OWASP Mantra and Hcon STF ?
OWASP Mantra and Hcon STF are not regularly updated, and needs a lot of work in order to develop and maintain. Meanwhile, Firefox Security Toolkit does not need a additional maintaining, although I would be maintaining it for any issues/bugs if needed. The used extensions are downloaded from Mozilla Addons Store with its latest version, to ensure the best testing experience for the penetration tester.
Who can use Firefox Security Toolkit ?
Web-Application Penetration Testers, Information Security Learners, and basically anyone interested in web-application security.
Compatibility:
The project currently supports Linux/Unix environments.
Usage:
bash ./firefox_security_toolkit.sh
Demo Video:
Available Addons:-
Cookie Export/Import
Cookie Manager
Copy as Plain Text
Crypto Fox
CSRF-Finder
Disable WebRTC
FireBug
Fireforce
FlagFox
Foxy Proxy
HackBar
Live HTTP Headers
Multi Fox
PassiveRecon
Right-Click XSS
Tamper Data
User Agent Switcher
Wappalyzer
Web Developer
Additional Features:-
Downloading Burp Suite Certificate
Downloading a large user-agent list for User-Agent Swithcer
Detux is a sandbox developed to do traffic analysis of the Linux malwares and capture the IOCs by doing so. QEMU hypervisor is used to emulate Linux (Debian) for various CPU architectures.
What's in this release? This release of Detux contains the script for executing a Linux binary/script in a specified CPU arch. Don't worry if you don't know what platform, it's in the script, the Magic package helps picking up the CPU arch in an automated way. x86 is the default CPU version, this can be tuned to a different one in the config file. This release gives the analysis report in a DICT format, which can be easily customized to be inserted in to NOSQL dbs. An example script has been provided which demonstrates the usage of the sandbox library.
What's in the report?
- Static Analysis -- Basic strings extracted from binary -- ELF information generated by readelf commands -- the report.py can be modified to add more 3rd party commands to analyse the binary and add the result to DICT.
- Dynamic Analysis -- The captured pcaps are parsed with DPKT to extract the IOC's and readable info from the packets.
Requirements
System packages
python 2.7
qemu
pcaputils
sudo
libcap2-bin
bridge-utils
Python libraries (Preferable to use virtual environment)
pexpect
paramiko
python-magic
Kindly make sure that the above requirements are met before using Detux. A few dependencies may vary from OS to OS.
Architecture
Host ( The host itself can be a VM or a baremetal machine)
QEMU
dumpcap
DETUX Scripts
Network Arch
- NIC1 : This interface is for accessing the Host - NIC2 : Interface bridged with the the QEMU Sandbox VMs. One can redirect the traffic from the interface to WHONIX or REMNUX or a custom Gateway to filter/allow internet access for the Sandboxed VMs.
VM Setup:
Downloading Linux VM Images Special thanks to aurel who has uploaded pre built QEMU Debian VM images for all possible CPU architectures. The VM images are located at : https://people.debian.org/~aurel32/qemu/ , the same link contains the command examples for invoking the vm images. You can use the following script to automatically download the VM images to the "qemu" folder of Detux.
Setting sudoers for qemu execution Detux uses SSH to communicate with the VMs and so, this is currently required for the VMs to have networking capability. Considering that the listed binaries are in the same path, you may add the following lines to to /etc/sudoers (only if you are a non-root user):
Change the paths to the binaries if they differ for you.
Network setup Add the following config to /etc/qemu-ifup, backup the original if you already have one:
#! /bin/sh # Script to bring a network (tap) device for qemu up. # The idea is to add the tap device to the same bridge # as we have default routing to.
# in order to be able to find brctl PATH=$PATH:/sbin:/usr/sbin ip=$(which ip) ifconfig=$(which ifconfig)
echo "Starting" $1 if [ -n "$ip" ]; then ip link set "$1" up else brctl=$(which brctl) if [ ! "$ip" -o ! "$brctl" ]; then echo "W: $0: not doing any bridge processing: neither ip nor brctl utility not found" >&2 exit 0 fi ifconfig "$1" 0.0.0.0 up fi
switch=$(ip route ls | \ awk '/^default / { for(i=0;i<NF;i++) { if ($i == "dev") { print $(i+1); next; } } }' ) if [ -d /sys/class/net/br0/bridge/. ]; then if [ -n "$ip" ]; then ip link set "$1" master br0 else brctl addif br0 "$1" fi exit # exit with status of the previous command fi
echo "W: $0: no bridge for guest interface found" >&2
Considering that eth0 is the interface you want your VMs to be bridged with, you may remove the configs for eth0 and use the following configs in /etc/network/interfaces:
auto br0 iface br0 inet dhcp bridge_ports eth0 bridge_maxwait 0
You can also specify a static address you used for eth0.
Setting up your VMs Traverse to the folder in which your VM images are located for each QEMU Images e.g. for ARM is :
<your detux folder>/qemu/arm/1/
For each image, follow the VM boot instructions given at " https://people.debian.org/~aurel32/ ", to start the VM. However, if you are a non-root user, you will have to use sudo. Comands for Booting the VMs (Replace with the MAC you desire):
sudo groupadd -g wireshark sudo usermod -a -G wireshark <your user name> sudo chmod 750 /usr/bin/dumpcap sudo etcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
If you are unable to capture packets, you need to check if permisions for your users are set correctly and the dumpcap path is right.
Detux Config The detux.cfg files in the main directory needs to be configured. Each VM section has to be configured with correct Network Params and SSH credentials. You can choose root/non-root user depending on your need.
Running Detux The Detux library located in "core" directory can be used to suit your need of analysis. The repo contains "detux.py" which analyses the given binary and saves pcap in pcap folder and writes JSON output to a specified filepath.
XssPy is a python tool for finding Cross Site Scripting vulnerabilities in websites. This tool is the first of its kind. Instead of just checking one page as most of the tools do, this tool traverses the website and find all the links and subdomains first. After that, it starts scanning each and every input on each and every page that it found while its traversal. It uses small yet effective payloads to search for XSS vulnerabilities.
The tool has been tested parallel with paid Vulnerability Scanners and most of the scanners failed to detect the vulnerabilities that the tool was able to find. Moreover, most paid tools scan only one site whereas XSSPY first finds a lot of subdomains and then scan all the links altogether. The tool comes with:
Short Scanning
Comprehensive Scanning
Finding subdomains
Checking every input on every page
With this tool, Cross Site Scripting vulnerabilities have been found in the websites of MIT, Stanford, Duke University, Informatica, Formassembly, ActiveCompaign, Volcanicpixels, Oxford, Motorola, Berkeley and many more.
Lalin is a remake of Lazykali by bradfreda with fixed bugs , added new features and uptodate tools . It's compatible with the latest release of Kali (Rolling)
Changelog
Lalin gets updated weekly with new features, improvements and bugfixes. Be sure to check out the [Changelog]
How it works
Extract The lalin-master to your home or another folder
Disclaimer Note: modifications, changes, or alterations to this sourcecode is acceptable, however,any public releases utilizing this code must be approved by writen this tool ( Edo -m- ).
Ruby in the middle (RITM) is an HTTP/HTTPS interception proxy with on-the-fly certificate generation and signing, which leaves the user with the full power of the Ruby language to intercept and even modify requests and responses as she pleases.
Installation
gem install ritm
Basic usage
Write your interception handlers
require 'ritm'
# A single answer for all your google searches Ritm.on_request do |req| if req.request_uri.host.start_with? 'www.google.' new_query_string = req.request_uri.query.gsub(/(?<=^q=|&q=)(((?!&|$).)*)(?=&|$)/, 'RubyInTheMiddle') req.request_uri.query = new_query_string end end
my_picture = File.read('i_am_famous.jpg')
# Replaces every picture on the web with my pretty face Ritm.on_response do |_req, res| if res.header['content-type'] && res.header['content-type'].start_with?('image/') res.header['content-type'] = 'image/jpeg' res.body = my_picture end end
Start the proxy server
proxy = Ritm::Proxy::Launcher.new proxy.start
puts 'Hit enter to finish' gets
proxy.shutdown
Configure your browser Or whatever HTTP client you want to intercept traffic from, to connect to the proxy in localhost:8080
Browse the web! For the examples above, search anything in google and also visit your favorite newspaper website.
Trusting self-signed certificates generated by RITM
With the previous example your client might have encountered issues when trying to access HTTPS resources. In some cases you can add an exception to your browser (or instruct your http client not to verify certificates) but in some other cases you won't be able to add exceptions. The reason for this is that in order to decrypt and to be able to modify SSL traffic, RITM will have to be the one doing the SSL negotiatiation with the client (using its own set of certificates) and then it will establish a separate SSL session towards the server. I.e.:
For every different server's hostname your client tries to communicate with, RITM will generate a certificate on the fly and sign it with a pre-configured Certificate Authority (CA). So, in order to be able to establish a secure connection you will need to configure your client (e.g. browser) to trust RITM's CA.
For security reasons, every time you start RITM's proxy with the default settings it will generate a new internal Certificate Authority. To use your own CA instead (so it can be loaded and trusted by your browser) perform the following steps:
Generate a Certificate Authority PEM and Private Key files You can use OpenSSL or RITM to generate these two files. With OpenSSL:
Trust the CA certificate into your browser or client I'll leave it to you to figure out how this is done in your browser or client.
Surf the web!
When you are done Remove the CA from your trusted authorities! Or take really good care of the CA private key since anyone in possession of that key will be capable of decrypting all your traffic! Also notice that when using the proxy every server will be automatically trusted even if the end server certificate is not valid.
BrowserBackdoor is an Electron application that uses a JavaScript WebSocket Backdoor to connect to the listener.
BrowserBackdoorServer is a WebSocket server that listens for incoming WebSocket connections and creates a command-line interface for sending commands to the remote system.
The JavaScript backdoor in BrowserBackdoor can be used on all browsers that support WebSockets. It will not have access to the Electron API of the host computer unless the BrowserBackdoor Client application is used.
Some things you can do if you have access to the Electron API:
The client application will run in the background and provide no user interface while running. To check that it's running, quit it, or enable/disable system startup press Command (OS X) OR Control (Windows/Linux) + Alt + \ or whatever you configured the shortcut as in client/main.js.
The server application's usage can be accessed by typing help in the command line.
Installing NodeJS and NPM are required for BrowserBackdoor. Ruby 2.1+ and the gems in the Gemfile are required for BrowserBackdoorServer. BrowserBackdoor is supported on all devices supported by Electron. Currently that is Windows 32/64, OS X 64, and Linux 32/64 . BrowserBackdoorServer has been tested on Ubuntu 14.04, Debian 8, and Kali Linux. It should work on any similar Linux operating system. To install anything, first, clone the repository. All the rest of the commands shown assume you are in the root of the repository.
git clone https://github.com/IMcPwn/browser-backdoor cd browser-backdoor
How to install and run the BrowserBackdoor Electron application.
cd client npm install # Configure index.html and main.js before the next command npm start
Building executables for all platforms. (see here for more information)
cd client npm install electron-packager -g electron-packager . --all
How to install and run BrowserBackdoorServer.
cd server gem install bundler bundle install # Configure config.yml before the next command ruby bbsconsole.rb
Screenshots of the console The blank space in the pictures where it looks like there is missing text are redacted unique identifiers for sessions.
The command line console with default configuration.
Targeting a specific session then taking a screenshot of the client.
The screenshot will be saved as a base64 encoded string in a .txt file as shown because it it so large (over 190,000 characters). To view the image you will need to delete everything in front of the one comma in the text file, then base64 decode the result. Save that as a .png file and you will have a screenshot at the maximum resolution of the client!
Shadow Daemon is a collection of tools to detect , record and prevent attacks on web application. Technically speaking, Shadow Daemon is a web application firewall that intercepts requests and filters out malicious parameters. It is a modular system that separates web application, analysis and interface to increase security, flexibility and expandability.
This is the main component that handles the analysis and storage of requests.
Preparation Use cmake to configure and prepare the project. It is a good idea to create a separate directory for this. A typical installation might look like this.
mkdir build cd build cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_BUILD_TYPE=Release ..
Compilation If cmake is successful it creates a makefile. Use it to compile and install the project.
make shadowd make install
Database Install and configure a database server. At the moment shadowd officially supports PostgreSQL and MySQL. Afterwards create a new user and database for shadowd and import the correct layout. If you are using PostgreSQL you can use psql to import the layout.