rePy2exe - A Reverse Engineering Tool for py2exe applications

January 15, 2017, 6:00 am

≫ Next: Invoke-TheHash - PowerShell Pass The Hash Utils

≪ Previous: Operative - The Fingerprint Framework

Reverse Engineering Tool for py2exe applications.

Prerequisites

cmake
git
python2.7

Cloning

git clone https://github.com/4w4k3/rePy2exe.git

Running

python rePy2exe.py

python2.7 rePy2exe.py

Authors

Alisson Moretto - Coder - 4w4k3

Reference
Thanks to:

zrax - pycdc
matiasb - unpy2exe

License
This project is licensed under the GPL 3.0 License - see the LICENSE file for details.

Download rePy2exe

↧

Invoke-TheHash - PowerShell Pass The Hash Utils

January 16, 2017, 6:19 am

≫ Next: Tinfoleak v2.0 - Get detailed information about a Twitter user activity

≪ Previous: rePy2exe - A Reverse Engineering Tool for py2exe applications

Invoke-TheHash contains PowerShell functions for performing NTLMv2 pass the hash WMI and SMB command execution. WMI and SMB services are accessed through .NET TCPClient connections. Local administrator privilege is not required client-side.

Requirements
Minimum PowerShell 2.0

Import
Import-Module ./Invoke-TheHash.psd1
or
. ./Invoke-WMIExec.ps1
. ./Invoke-SMBExec.ps1
. ./Invoke-TheHash.ps1

Functions

Invoke-WMIExec
Invoke-SMBExec
Invoke-TheHash
ConvertTo-TargetList

Invoke-WMIExec

WMI command execution function.

Parameters:

Target - Hostname or IP address of target.
Username - Username to use for authentication.
Domain - Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username.
Hash - NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format.
Command - Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target.
Sleep - Default = 10 Milliseconds: Sets the function's Start-Sleep values in milliseconds.

Example:
Invoke-WMIExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose

Screenshot:

Invoke-SMBExec

SMB (PsExec) command execution function supporting SMB1, SMB2, and SMB signing.

Parameters:

Target - Hostname or IP address of target.
Username - Username to use for authentication.
Domain - Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username.
Hash - NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format.
Command - Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to SCM on the target.
CommandCOMSPEC - Default = Enabled: Prepend %COMSPEC% /C to Command.
Service - Default = 20 Character Random: Name of the service to create and delete on the target.
SMB1 - (Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target.
Sleep - Default = 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds.

Example:
Invoke-SMBExec -Target 192.168.100.20 -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose

Screenshot:

Invoke-TheHash

Function for running Invoke-WMIExec and Invoke-SMBExec against multiple targets.

Parameters:

Type - Sets the desired Invoke-TheHash function. Set to either WMIExec or SMBExec.
Targets - List of hostnames, IP addresses, or CIDR notation for targets.
TargetsExclude - List of hostnames and/or IP addresses to exclude form the list or targets.
PortCheckDisable - (Switch) Disable WMI or SMB port check. Since this function is not yet threaded, the port check serves to speed up he function by checking for an open WMI or SMB port before attempting a full synchronous TCPClient connection.
PortCheckTimeout - Default = 100: Set the no response timeout in milliseconds for the WMI or SMB port check.
Username - Username to use for authentication.
Domain - Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username.
Hash - NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format.
Command - Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI or SCM on the target.
CommandCOMSPEC - Default = Enabled: SMBExec type only. Prepend %COMSPEC% /C to Command.
Service - Default = 20 Character Random: SMBExec type only. Name of the service to create and delete on the target.
SMB1 - (Switch) Force SMB1. SMBExec type only. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target.
Sleep - Default = WMI 10 Milliseconds, SMB 150 Milliseconds: Sets the function's Start-Sleep values in milliseconds.

Example:
Invoke-TheHash -Type WMIExec -Targets 192.168.100.0/24 -TargetsExclude 192.168.100.50 -Username Administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0

Screenshot:

ConvertTo-TargetList

Converts Invoke-TheHash output to an array that contains only targets discovered to have Invoke-WMIExec or Invoke-SMBExec access. The output from this function can be fed back into the Targets parameter of Invoke-TheHash.

Download Invoke-TheHash

↧

Tinfoleak v2.0 - Get detailed information about a Twitter user activity

January 17, 2017, 5:42 am

≫ Next: JudasDNS - Nameserver DNS poisoning attacks made easy

≪ Previous: Invoke-TheHash - PowerShell Pass The Hash Utils

Are you interested in OSINT tools? Tinfoleak is the best OSINT tool for Twitter, and is open-source!
The new version includes a lot of new and improved features:

Search by coordinates
Geolocated users
Tagged users
User conversations
Identification in other social networks
More powerful and flexible search filter
More detailed information on existing features
… and many more information to generate intelligence!

Screenshots

Download Tinfoleak V2.0

↧

JudasDNS - Nameserver DNS poisoning attacks made easy

January 18, 2017, 6:30 am

≫ Next: Glue - Application Security Automation

≪ Previous: Tinfoleak v2.0 - Get detailed information about a Twitter user activity

A DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation. Judas works by proxying all DNS queries to the legitimate nameservers for a domain. The magic comes with Judas's rule configurations which allow you to change DNS responses depending on source IP or DNS query type. This allows an attacker to configure a malicious nameserver to do things like selectively re-route inbound email coming from specified source IP ranges (via modified MX records), set extremely long TTLs to keep poisoned records cached, and more.

Example Config

The following is an example configuration for Judas for an example scenario where an attacker has comprimised/taken over one of Apple's authoritative nameservers (for apple.com ):

{
    "version": "1.0.0",
    "port": 2248,
    "dns_query_timeout": 10000,
    "target_nameservers": [ "17.254.0.59", "17.254.0.50", "17.112.144.50", "17.112.144.59", "17.171.63.30", "17.171.63.40", "17.151.0.151", "17.151.0.152" ],
    "rules": [
        {
            "name": "Secretly redirect all emails coming from 127.0.0.1!",
            "query_type_matches": [ "MX" ],
            "ip_range_matches": [ "127.0.0.1/32" ],
            "modifications": [
                {
                    "answer": [
                        {
                            "name": "apple.com",
                            "type": 15,
                            "class": 1,
                            "ttl": 10,
                            "priority": 10,
                            "exchange": "hacktheplace.localhost"
                        }
                    ]
                }
            ]
        },
        {
            "name": "Make all responses NOERROR even if they've failed.",
            "query_type_matches": [ "*" ],
            "modifications": [
                {
                    "header": {
                        "rcode": 0
                    }
                }
            ]
        }
    ]
}

The above configuration value purposes are the following:

version : The configuration file format version (for now is always 1.0.0 ).
port : The port Judas should run on.
dns_query_timeout : How long to wait in milliseconds before giving up on a reply from the upstream target nameserver.
target_nameservers : The legit nameservers for your target domain, all DNS queries will be sent here from Judas on behalf of all requesting clients.
rules : A list of rules with modifications to the DNS response to apply if matched.
- name : Name of a given rule.
- query_type_matches : List of query types to match on such as CNAME , A , etc. A wildcard ( * ) can also be specified to match any query type.
- ip_range_matches : List of IP ranges to match on. For selectively spoofing responses to a specific range of IPs.
- modifications : See the "Modifications" section of this README.

Modifications
Judas's rules come with a modifications specification which is set to a list of varying modifications to make to the DNS response before it is sent back to the client. It is important that you read the node-dns documentation to understand the DNS response structure so you can modify it.
An example DNS response format is the following:

{ header: 
   { id: 25373,
     qr: 1,
     opcode: 0,
     aa: 1,
     tc: 0,
     rd: 1,
     ra: 0,
     res1: 0,
     res2: 0,
     res3: 0,
     rcode: 5 },
  question: [ { name: 'apple.com', type: 2, class: 1 } ],
  answer: 
   [ { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver2.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver4.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver3.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver5.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'nserver6.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'adns2.apple.com' },
     { name: 'apple.com',
       type: 2,
       class: 1,
       ttl: 86400,
       data: 'adns1.apple.com' } ],
  authority: [],
  additional: [],
  edns_options: [],
  payload: undefined,
  address: undefined,
...trimmed for brevity...

(For more information on the DNS response data structure see this documentation .)
Writing a modification is very simple, an example rule with modification can be seen below:

{
  "name": "Make all responses NOERROR even if they've failed.",
  "query_type_matches": [ "*" ],
  "modifications": [
    {
      "header": {
        "rcode": 0
      }
    }
  ]
}

The above rule matches any query type (due to the wildcard ( * )) and sets the header.rcode value of the DNS response to 0 . Whatever object is set as a modification element is merged into the DNS response - replacing whatever value was originally set.
Another example is the following:

{
  "name": "Secretly redirect all emails coming from 127.0.0.1!",
  "query_type_matches": [ "MX" ],
  "ip_range_matches": [ "127.0.0.1/32" ],
  "modifications": [
    {
      "answer": [
        {
          "name": "apple.com",
          "type": 15,
          "class": 1,
          "ttl": 10,
          "priority": 10,
          "exchange": "hacktheplace.localhost"
        }
      ]
    }
  ]
}

The above rule matches any MX query from 127.0.0.1 . The DNS response's answer is overwritten with a single MX record for hacktheplace.localhost . A real world implementation of this would be to redirect inbound emails from a specific IP in order to read private emails of your target. Additionally an attacker in a real world scenario may also choose to modify the response TTL to be a very high value in order to persist their malicious records in client DNS caches as long as possible.

Download JudasDNS

↧

Glue - Application Security Automation

January 19, 2017, 6:30 am

≫ Next: LUNAR - Lockdown UNix Auditing and Reporting

≪ Previous: JudasDNS - Nameserver DNS poisoning attacks made easy

Glue is a framework for running a series of tools. Generally, it is intended as a backbone for automating a security analysis pipeline of tools.

Recommended Usage
For those wishing to run Glue, we recommend using the docker image because it should have the other tools it uses available already and configured. See the documentation for more info. Glue Docker Documentation
For those interested in how to use Glue in a DevOps context, see Glue DevOps Integration Options

Installation
gem install owasp-glue
or
docker run owasp/glue

Installation for Development

git clone https://github.com/owasp/glue
cd glue                     -- RVM will set to 2.3.1 with Gemset Glue
gem install bundler
bundle install

Running in Development

cd lib
../bin/glue -h

Extending Glue
Glue is intended to be extended through added "tasks". To add a new tool, copy an existing task and tweak to make it work for the tool in question.

Usage
Glue <options> <target>

Options
Common options include:

-d for debug
-f for format (takes "json", "csv", "jira")

For a full list of options, use Glue --help or see the OPTIONS.md file.

Target
The target can be:

Filesystem (which is analyzed in place)
Git repo (which is cloned for analysis)
Other types of images (.iso, docker, etc. are experimental)

Dependencies

clamav
hashdeep
rm (*nix)
git
mount (*nix)
docker

Development
To run the code, run the following from the root directory:
>ruby bin/Glue <options> target
To build a gem, just run:
gem build Glue.gemspec

Integration

Git Hooks
First, grab the hook from the code.

meditation:hooks mk$ cp /area53/owasp/Glue/hooks/pre-commit .

Then make it executable.

meditation:hooks mk$ chmod +x pre-commit

Make sure the shell you are committing in can see docker.

meditation:hooks mk$ eval "$(docker-machine env default)"

Now go test and make a change and commit a file. The result should be that Glue runs against your code and will not allow commits unless the results are clean. (Which is not necessarily a reasonable expectation)

Configuration files
For advanced usage scenarios, you can save your configuration and use it at runtime.

Authors
Matt Konda Alex Lock Rafa Perez

Download Glue

↧

LUNAR - Lockdown UNix Auditing and Reporting

January 20, 2017, 6:30 am

≫ Next: chisel - A fast TCP tunnel over HTTP

≪ Previous: Glue - Application Security Automation

A UNIX security auditing tool based on several security frameworks

Introduction

This scripts generates a scored audit report of a Unix host's security. It is based on the CIS and other frameworks. Where possible there are references to the CIS and other benchmarks in the code documentation.

Why a shell script? I wanted a tool that was able to run on locked down systems where other tools may not be available. I also wanted a tool that ran on all versions of UNIX. Having said that there are some differences between sh and bash, so I've used functions only from sh.

There is no warranty implied or given with this script. My recommendation is to use this script in audit mode only, and address each warning individually via policy, documentation and configuration management.

It can also can perform a lockdown. Unlike some other scripts I have added capability to backout changes. Files are backed up using cpio to a directory based on the date.

Although it can perform a lockdown, as previously stated, I'd recommend you address the warnings via policy, documentation and configuration management. This is how I use the tool.

Supported Operating Systems:

Linux
- RHEL 5,6,7
- Centos 5,6,7
- Scientific Linux
- SLES 10,11,12
- Debian
- Ubuntu
- Amazon Linux
Solaris (6,7,8,9,10 and 11)
Mac OS X
FreeBSD (needs more testing)
AIX (needs more testing)
ESXi (initial support - some tests)

More Information

For more information refer to wiki:

Usage

Usage: ./lunar.sh -[a|A|s|S|d|p|c|l|h|c|V] -[u]

-a: Run in audit mode (no changes made to system)
-A: Run in audit mode (no changes made to system)
    [includes filesystem checks which take some time]
-s: Run in selective mode (only run tests you want to)
-d: Print information for a specific test
-S: List functions available to selective mode
-l: Run in lockdown mode (changes made to system)
-L: Run in lockdown mode (changes made to system)
    [includes filesystem checks which take some time]
-c: Show changes previously made to system
-p: Show previously versions of file
-u: Undo lockdown (changes made to system)
-h: Display usage
-V: Display version
-v: Verbose mode [used with -a and -A]
    [Provides more information about the audit taking place]

Examples

Run in Audit Mode:

./lunar.sh -a

Run in Audit Mode and provide more information:

./lunar.sh -a -v

Display previous backups:

./lunar.sh -b
Previous backups:
21_12_2012_19_45_05  21_12_2012_20_35_54  21_12_2012_21_57_25

Restore from previous backup:

./lunar.sh -u 21_12_2012_19_45_05

List tests:

./lunar.sh -S

Only run apache based tests:

./lunar.sh -s audit_apache

Print documentation regarding apache based tests:

./lunar.sh -d audit_apache

# SYSTEM INFORMATION:

Platform: i386
Vendor:   Apple
Name:     Darwin
Version:  10.12
Update:   3

Checking:  If node is managed
Notice:    Node is not managed

# Module: audit_apache

# Solaris:

# The action in this section describes disabling the Apache 1.x and 2.x web
# servers provided with Solaris 10. Both services are disabled by default.
# Run control scripts for Apache 1 and the NCA web servers still exist,
# but the services will only be started if the respective configuration
# files have been set up appropriately, and these configuration files do not
# exist by default.
# Even if the system is a Web server, the local site may choose not to use
# the Web server provided with Solaris in favor of a locally developed and
# supported Web environment. If the machine is a Web server, the administrator
# is encouraged to search the Web for additional documentation on Web server
# security.

# Linux:

# HTTP or web servers provide the ability to host web site content.
# The default HTTP server shipped with CentOS Linux is Apache.
# The default HTTP proxy package shipped with CentOS Linux is squid.
# Unless there is a need to run the system as a web server, or a proxy it is
# recommended that the package(s) be deleted.

# Refer to Section(s) 3.11,14   Page(s) 66-9    CIS CentOS Linux 6 Benchmark v1.0.0
# Refer to Section(s) 2.2.10    Page(s) 110     CIS Ubuntu Linux 16.04 Benchmark v1.0.0
# Refer to Section(s) 3.11,14   Page(s) 79-81   CIS RHEL 5 Benchmark v2.1.0
# Refer to Section(s) 3.11,14   Page(s) 69-71   CIS RHEL 6 Benchmark v1.2.0
# Refer to Section(s) 2.2.10,13 Page(s) 110,113 CIS RHEL 7 Benchmark v2.1.0
# Refer to Section(s) 6.10,13   Page(s) 59,61   CIS SLES 11 Benchmark v1.0.0
# Refer to Section(s) 2.4.14.7  Page(s) 56-7    CIS OS X 10.5 Benchmark v1.1.0
# Refer to Section(s) 2.10      Page(s) 21-2    CIS Solaris 11.1 v1.0.0
# Refer to Section(s) 2.2.11    Page(s) 30-2    CIS Solaris 10 v5.1.0
# Refer to Section(s) 2.2.10,13 Page(s) 102,105 CIS Amazon Linux Benchmark v2.0.0

Download LUNAR

↧

chisel - A fast TCP tunnel over HTTP

January 21, 2017, 6:07 am

≫ Next: Automato - Automating the user-focused enumeration tasks during an internal penetration test

≪ Previous: LUNAR - Lockdown UNix Auditing and Reporting

Chisel is a fast TCP tunnel, transported over HTTP. Single executable including both client and server. Written in Go (Golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Chisel is very similar to crowbar though achieves much higher performance .

Install
Binaries
See the latest release or download and install it now with curl https://i.jpillora.com/chisel! | bash
Docker

docker run --rm -it jpillora/chisel --help

Source

$ go get -v github.com/jpillora/chisel

Features

Easy to use
Performant *
Encrypted connections using crypto/ssh
Authenticated connections ; authenticated client connections with a users config file, authenticated server connections with fingerprint matching.
Client auto-reconnects with exponential backoff
Client can create multiple tunnel endpoints over one TCP connection
Server optionally doubles as a reverse proxy

Demo
A demo app on Heroku is running this chisel server :

$ chisel server --port $PORT --proxy http://example.com
# listens on $PORT, proxy web requests to 'http://example.com'

This demo app is also running a simple file server on :3000 , which is normally inaccessible due to Heroku's firewall. However, if we tunnel in with:

$ chisel client https://chisel-demo.herokuapp.com 3000
# connects to 'https://chisel-demo.herokuapp.com',
# tunnels your localhost:3000 to the server's localhost:3000

and then visit localhost:3000 , we should see a directory listing of the demo app's root. Also, if we visit the demo app in the browser we should hit the server's default proxy and see a copy of example.com .

Usage


    Usage: chisel [command] [--help]

    Version: 0.0.0-src

    Commands:
      server - runs chisel in server mode
      client - runs chisel in client mode

    Read more:
      https://github.com/jpillora/chisel

chisel server --help


    Usage: chisel server [options]

    Options:

      --host, Defines the HTTP listening host – the network interface
      (defaults to 0.0.0.0).

      --port, Defines the HTTP listening port (defaults to 8080).

      --key, An optional string to seed the generation of a ECDSA public
      and private key pair. All communications will be secured using this
      key pair. Share this fingerprint with clients to enable detection
      of man-in-the-middle attacks.

      --authfile, An optional path to a users.json file. This file should
      be an object with users defined like:
        "<user:pass>": ["<addr-regex>","<addr-regex>"]
        when <user> connects, their <pass> will be verified and then
        each of the remote addresses will be compared against the list
        of address regular expressions for a match. Addresses will
        always come in the form "<host/ip>:<port>".

      --proxy, Specifies the default proxy target to use when chisel
      receives a normal HTTP request.

      -v, Enable verbose logging

      --help, This help text

    Read more:
      https://github.com/jpillora/chisel

chisel client --help


    Usage: chisel client [options] <server> <remote> [remote] [remote] ...

    server is the URL to the chisel server.

    remotes are remote connections tunnelled through the server, each of
    which come in the form:

<local-host>:<local-port>:<remote-host>:<remote-port>

        * remote-port is required.
        * local-port defaults to remote-port.
        * local-host defaults to 0.0.0.0 (all interfaces).
        * remote-host defaults to 0.0.0.0 (server localhost).

        example remotes

            3000
            example.com:3000
            3000:google.com:80
            192.168.0.5:3000:google.com:80

    Options:

      --fingerprint, An optional fingerprint (server authentication)
      string to compare against the server's public key. You may provide
      just a prefix of the key or the entire string. Fingerprint 
      mismatches will close the connection.

      --auth, An optional username and password (client authentication)
      in the form: "<user>:<pass>". These credentials are compared to
      the credentials inside the server's --authfile.

      --keepalive, An optional keepalive interval. Since the underlying
      transport is HTTP, in many instances we'll be traversing through
      proxies, often these proxies will close idle connections. You must
      specify a time with a unit, for example '30s' or '2m'. Defaults
      to '0s' (disabled).

      -v, Enable verbose logging

      --help, This help text

    Read more:
      https://github.com/jpillora/chisel

See also programmatic usage .

Security
Encryption is always enabled. When you start up a chisel server, it will generate an in-memory ECDSA public/private key pair. The public key fingerprint will be displayed as the server starts. Instead of generating a random key, the server may optionally specify a key seed, using the --key option, which will be used to seed the key generation. When clients connect, they will also display the server's public key fingerprint. The client can force a particular fingerprint using the --fingerprint option. See the --help above for more information.

Authentication
Using the --authfile option, the server may optionally provide a user.json configuration file to create a list of accepted users. The client then authenticates using the --auth option. See users.json for an example authentication configuration file. See the --help above for more information.
Internally, this is done using the Password authentication method provided by SSH. Learn more about crypto/ssh here http://blog.gopheracademy.com/go-and-ssh/ .

Performance
With crowbar , a connection is tunnelled by repeatedly querying the server with updates. This results in a large amount of HTTP and TCP connection overhead. Chisel overcomes this using WebSockets combined with crypto/ssh to create hundreds of logical connections, resulting in one TCP connection per client.
In this simple benchmark, we have:

                    (direct)
        .--------------->----------------.
       /    chisel         chisel         \
request--->client:2001--->server:2002---->fileserver:3000
       \                                  /
        '--> crowbar:4001--->crowbar:4002'
             client           server

Note, we're using an in-memory "file" server on localhost for these tests
direct

:3000 => 1 bytes in 1.440608ms
:3000 => 10 bytes in 658.833µs
:3000 => 100 bytes in 669.6µs
:3000 => 1000 bytes in 570.242µs
:3000 => 10000 bytes in 655.795µs
:3000 => 100000 bytes in 693.761µs
:3000 => 1000000 bytes in 2.156777ms
:3000 => 10000000 bytes in 18.562896ms
:3000 => 100000000 bytes in 146.355886ms

chisel

:2001 => 1 bytes in 1.393731ms
:2001 => 10 bytes in 1.002992ms
:2001 => 100 bytes in 1.082757ms
:2001 => 1000 bytes in 1.096081ms
:2001 => 10000 bytes in 1.215036ms
:2001 => 100000 bytes in 2.09334ms
:2001 => 1000000 bytes in 9.136138ms
:2001 => 10000000 bytes in 84.170904ms
:2001 => 100000000 bytes in 796.713039ms

~100MB in 0.8 seconds
crowbar

:4001 => 1 bytes in 3.335797ms
:4001 => 10 bytes in 1.453007ms
:4001 => 100 bytes in 1.811727ms
:4001 => 1000 bytes in 1.621525ms
:4001 => 10000 bytes in 5.20729ms
:4001 => 100000 bytes in 38.461926ms
:4001 => 1000000 bytes in 358.784864ms
:4001 => 10000000 bytes in 3.603206487s
:4001 => 100000000 bytes in 36.332395213s

~100MB in 36 seconds
See more test/

Known Issues

WebSockets support is required
- IaaS providers all will support WebSockets
  - Unless an unsupporting HTTP proxy has been forced in front of you, in which case I'd argue that you've been downgraded to PaaS.
- PaaS providers vary in their support for WebSockets
  - Heroku has full support
  - Openshift has full support though connections are only accepted on ports 8443 and 8080
  - Google App Engine has no support

Contributing

http://golang.org/doc/code.html
http://golang.org/doc/effective_go.html
github.com/jpillora/chisel/share contains the shared package
github.com/jpillora/chisel/server contains the server package
github.com/jpillora/chisel/client contains the client package

Changelog

1.0.0 - Init
1.1.0 - Swapped out simple symmetric encryption for ECDSA SSH

Todo

Better, faster tests
Expose a stats page for proxy throughput
Treat client stdin/stdout as a socket
Allow clients to act as an indirect tunnel endpoint for other clients
Keep local connections open and buffer between remote retries

Download chisel

↧

Automato - Automating the user-focused enumeration tasks during an internal penetration test

January 22, 2017, 6:11 am

≫ Next: iptodomain - This tool extract domains from IP address based in the information saved in virustotal

≪ Previous: chisel - A fast TCP tunnel over HTTP

automato should help with automating some of the user-focused enumeration tasks during an internal penetration test.
automato is also capable of conducting limited brute force attacks such as:

Testing to see if a list of users with a common password exists in the target domain
Identifying if a domain user is a local administrator against machines in the target domain

automato will create outfiles automatically for evidence preservation.

Usage

skawa-mbp:automato $ ruby automato.rb 
Written by: Sanjiv Kawa
Twitter: @skawasec

Usage: ruby automato.rb [options]
Main Arguments:
    -d, --domain DOMAIN              The target domain.
    -u, --username USERNAME          A domain user account name.
    -p, --password PASSWORD          The password for the corresponding domain user account.
    -i, --ip DC_IP                   The IP address of a domain controller with RPC and LDAP listening.
Options:
    -a, --all                        Run a bulk of automato's features. Enumerate all domain groups, administrators, computers and user account attributes.
    -c, --domain-users               Get all domain users in the domain.
    -g, --groups                     Get all domain groups for the domain.
    -m, --member GROUP               List all users in a specified domain group. Make sure you escape spaces with a backslash!
    -t, --attributes                 Get the domain account attributes for all domain users.
    -b, --bad                        Get the bad password count for all domain users.
    -z, --du-hunter USER_FILE        Brute force a list of common usernames with a common password against the target domain.
    -l, --la-hunter IP_FILE          Test if a domain user is a local admin against a list of IP addresses with SMB listening in the target domain.

Download Automato

↧

iptodomain - This tool extract domains from IP address based in the information saved in virustotal

January 23, 2017, 6:18 am

≫ Next: backdoorppt - transform your payload.exe into one fake word doc (.ppt)

≪ Previous: Automato - Automating the user-focused enumeration tasks during an internal penetration test

This tool allows you to extract domains from a IP range, using the historic information archived in Virustotal(using API key). It is usefull if you want to know what domains are behind of this IP address, for example in bug bounty programs one of the first steps is to extract subdomains, this tool can help with this task... first you have to find out the IP range that uses a company. Many times a good start point is to know the AS (Autonomus system) number, then you can find the IP range.

To use this tool you have to set up your Virustotal API key in the code, please sign up on Virustotal then they provide you the API key.

Example:

python iptodomain.py -i 103.22.201.25  -f 103.22.201.255  -o 103.22.200.255.txt -v -r IPsCF.txt

Usage:

iptodomain.py [-h] [-i FIRST_IP] [-f LAST_IP] [-w FILE2] [-o FILE1] [-v] [-r FILE3]

This tool allow to extract domains from IP information on Virustotal and save the output in a file. You have to set up the IP range where you like to extract domain or subdomain. Additionally it is neccesary set up your VirusTotal API key in the code.

Optional arguments:
-h --help show this help message and exit.
-i FIRST_IP The First IP of the range that you want to scan.
-f LAST_IP The Last IP of the range that you want to scan.
-w FILE2 Please enter the file name where report with all domains and are going to save.
-o FILE1 Please enter the file name where the all domains found are going to save.
-v It shows more information while you are scanning.
-r FILE3 Please enter the name of the final report without duplicate domains results.

This tool was created by:
Juan Esteban Valencia Pantoja

Download iptodomain

↧

backdoorppt - transform your payload.exe into one fake word doc (.ppt)

January 24, 2017, 6:23 am

≫ Next: passfault - OWASP Passfault evaluates passwords and enforces password policy in a completely different way

≪ Previous: iptodomain - This tool extract domains from IP address based in the information saved in virustotal

backdoorppt - 'Office spoof extensions tool'

Version release: v1.5-Stable
Distros Supported: Linux Kali, Ubuntu, Mint
Author: pedro ubuntu  [ r00t-3xp10it ]
Suspicious-Shell-Activity© (SSA) RedTeam develop @2017

Transform your payload.exe into one fake word doc (.ppt)

Simple script that allow users to add a ms-word icon to one
existing executable.exe (using resource-hacker as backend appl)
and a ruby one-liner command that will hidde the .exe extension
and add the word doc .ppt extension to the end of the file name.

Spoof extension methods

backdoorppt tool uses 2 diferent extension spoof methods:
'Right to Left Override' & 'Hide Extensions for Known File Types'
Edit the 'settings' file to chose what method should be used..

cd backdoorppt && nano settings

Dependencies (backend applications required)

xterm, wine, ruby, ResourceHacker(wine)

'backdoorppt script will work on wine 32 or 64 bits'
'it also installs ResourceHacker under .../.wine/Program Files/.. directorys'

Tool Limitations

1º - backdoorppt only supports windows binarys to be transformed (.exe -> .ppt)
2º - backdoorppt requires ResourceHacker installed (wine) to change the icons
3º - backdoorppt present you 6 available diferent icons (.ico) to chose from
4º - backdoorppt does not build real ms-word doc files, but it will transform
     your payload.exe to look like one word doc file (social engineering).

Backdoorppt 1º run (Kali distros)

Backdoorppt working (Kali distros)

transformed files on-target system (windows)

Final notes

Target user thinks they are opening a word document file,
but in fact they are executing one binary payload insted.

Credits: Damon Mohammadbagher
Article: goo.gl/hKHesk

Download backdoorppt

↧

passfault - OWASP Passfault evaluates passwords and enforces password policy in a completely different way

January 25, 2017, 6:30 am

≫ Next: reversemap - Analyse SQL injection attempts in web server logs

≪ Previous: backdoorppt - transform your payload.exe into one fake word doc (.ppt)

Objective: Do Passwords Better!

Running the Command-line Interface:

install java
cd core
gradlew installDist
run build/install/core/bin/core

Running the jsonWebService:

cd jsonService
gradlew build jettyRunWar
browse to localhost:8080/jsonService Note the war will be located in jsonService/build/lib/passfault-jsonService-[version].war

Running in Docker:

Pull the Passfault image: docker pull ccaamm/passfault
Create and run a passfault instance: docker run -p 8080:8080 --name myPassfault ccaamm/passfault
Browse to localhost:8080

License: Passfault is licensed under Apache 2.0 license, and is a project at OWASP, the Open Web Application Security Project, a non-profit organization dedicated to building security tools and learning resources.

Download passfault

↧

reversemap - Analyse SQL injection attempts in web server logs

January 26, 2017, 5:24 am

≫ Next: FiercePhish - A Full-Fledged Phishing Framework To Manage All Phishing Engagements

≪ Previous: passfault - OWASP Passfault evaluates passwords and enforces password policy in a completely different way

Analyse SQL injection attempts in web server logs
The program can either be run in batch mode or interactive mode. In batch mode the program will accept Apache web server logs and will deobfuscate requested URLs from the logs. In interactive mode the program will prompt for user input and will print the deobfuscated results.

The program can deobfuscate the following obfuscation techniques:

SQL CHAR encoding
SQL CAST encoding
Case encoding of SQL keywords
Substring(Experimental - Disabled by default as it will fail with nested queries)

Pull requests, patches and feedback is welcome.

Download reversemap

↧

FiercePhish - A Full-Fledged Phishing Framework To Manage All Phishing Engagements

January 26, 2017, 7:28 am

≫ Next: OWASP Security Shepherd - Web And Mobile Application Security Training Platform

≪ Previous: reversemap - Analyse SQL injection attempts in web server logs

FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more. The features will continue to be expanded and will include website spoofing, click tracking, and extensive notification options.

All Information is on the Wiki Pages
Click here to go to the Wiki Pages

Disclaimer
This project is my own and is not a representation of my employer's views. It is my own side project and released by me alone.

Screenshot

More screenshots are available in the "Features" wiki pages

Quick Automated Install
For more information (like a manual installation method), see the wiki pages
This is the preferred method of installing FiercePhish + SMTP + IMAP services.

Supported Operating Systems

Ubuntu 14.04
Ubuntu 16.04
Ubuntu 16.10

(Fresh installs are expected, but the installer should work on a used OS with no problems)
If you would like a different OS distribution supported, create a Github issue

Recommended Prerequisites

Purchase a domain name to send emails from

This isn't required, but it is heavily suggested. Phishing campaigns where you spoof an active domain you don't own are extremely susceptible to being spam filtered (unless the domain's SPF record is improperly configured). The best way to perform a phishing campaign is by buying a generic domain that can fool someone ("yourfilehost.com") or a domain that is very similar to a real domain ("microsoft-secure.com").

Installation Method #1 (remote curl download)
This method is probably the easiest way to install/configure everything. It is a fully unattended installation (aside from the beginning).

You must run the installer as root:
sudo su
Generate the configuration file:
curl https://raw.githubusercontent.com/Raikia/FiercePhish/master/installer.sh | bash
This will create a configuration file located at "~/fiercephish.config". You must edit this file before moving on!
Click here for a detailed description of the configuration variables
Once "CONFIGURED=true" is set in the configuration file, re-run the install script:
curl https://raw.githubusercontent.com/Raikia/FiercePhish/master/installer.sh | bash
Sit and wait. The installation could take anywhere from 5-15 minutes depending on your server's download speed.
Once the installation completes, follow the instructions it prints out. It will tell you what DNS entries to set.

Installation Method #2 (local installation run)
This method is just as easy as method #1, but the install will prompt you as it runs for the information it requires (as opposed to using a configuration file like method #1).

You must run the installer as root:
sudo su
Download the configuration file:
wget https://raw.githubusercontent.com/Raikia/FiercePhish/master/installer.sh
Set the installer as executable:
chmod +x installer.sh
Run the installer:
./installer.sh
The installer will prompt you for the same information as is described in the configuration file for method #1 . See that wiki page for information on what to provide.
Sit and wait. The installation could take anywhere from 5-15 minutes depending on your server's download speed. It will prompt you periodically, so make sure you pay attention. If you want to hit install and go afk, use method #1
Once the installation completes, follow the instructions it prints out. It will tell you what DNS entries to set.

Troubleshooting
If you have errors with the installation script, you can safely rerun the script without messing anything up (even if you provide it different information). If you continue to have problems, set "VERBOSE=true" (for method #1) or run ./installer.sh -v (for method #2) to see the full log of everything running. If you still have problems, submit a bug report .

Download FiercePhish

↧

OWASP Security Shepherd - Web And Mobile Application Security Training Platform

January 28, 2017, 12:07 pm

≫ Next: Nozes - PeTest CMD Manager [Automate Your PenTest Attacks In One Click]

≪ Previous: FiercePhish - A Full-Fledged Phishing Framework To Manage All Phishing Engagements

The OWASP Security Shepherd Project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.

Where can I download Security Shepherd?

Virtual Machine or Manual Setup
You can download Security Shepherd VM's or Manual Installation Packs from GitHub

Docker
There is also a docker image available from Dockerhub you can pull it down with
docker pull ismisepaul/securityshepherd
Note: You'll need to get a shell on your docker container and run mysql and tomcat manually;

docker run -i -p 80:80 -p 443:443 -p 27017:27017 -t ismisepaul/securityshepherd /bin/bash

/usr/bin/mongod &
/usr/bin/mysqld_safe &
service tomcat7 start

If you don't have authbind installed and configured on your host machine e.g. on Ubuntu you'll need to do the following;

sudo apt-get install authbind   
touch /etc/authbind/byport/80  
touch /etc/authbind/byport/443  
chmod 550 /etc/authbind/byport/80  
chmod 550 /etc/authbind/byport/443  
chown tomcat7 /etc/authbind/byport/80  
chown tomcat7 /etc/authbind/byport/443

How do I setup Security Shepherd?
We've got fully automated and step by step walkthroughs on our wiki page to help you get Security Shepherd up and running.

What can Security Shepherd be used for?
Security Shepherd can be used as a;

Teaching Tool for All Application Security
Web Application Pen Testing Training Platform
Mobile Application Pen Testing Training
Safe Playground to Practise AppSec Techniques
Platform to demonstrate real Security Risk examples

Why choose Security Shepherd?
There are a lot of purposefully vulnerable applications available in the OWASP Project Inventory, and even more across the internet. Why should you use Security Shepherd? Here are a few reasons;

Wide Topic Coverage
Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.
Gentle Learning Curve
Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.
Layman Write Ups
Each security concept when first presented in Shepherd, is done so in layman terms so that anyone can beginner can absorb them.
Real World Examples
The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.
Scalability
Shepherd can be used locally by a single user or easily as a server for a high amount of users.
Highly Customisable
Shepherd enables admins to set what levels are available to their users and in what way they are presented (Open, CTF and Tournament Layouts)
Perfect for Classrooms
Shepherd gives its players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level.
Scoreboard
Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard.
User Management
Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points or take penalty points away user accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.
Robust Service
Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no down time, bar planned maintenance periods.
Configurable Feedback
An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.
Granular Logging
The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know.

Download SecurityShepherd

↧

Nozes - PeTest CMD Manager [Automate Your PenTest Attacks In One Click]

January 29, 2017, 6:30 am

≫ Next: Cyber Probe - Capturing, Analysing and Responding to Cyber Attacks

≪ Previous: OWASP Security Shepherd - Web And Mobile Application Security Training Platform

Nozes is a Pentest cmd manager. You can automate your pentest attacks in one click and get results...

Read the docs: https://github.com/CoolerVoid/nozes/blob/master/doc/nozes_apresentation1.pdf

Install

To install:
Need:
* httpd server with TLS/SSL
* SQLite3 
* php5 and php5-sqlite and PDO driver of sqlite
I test at nginx + php + fastcgi..


1-step
$ git clone https://github.com/CoolerVoid/nozes
$ cp -rf /nozes /var/www/html
$ chmod 755 -R /var/www/html/nozes
$ chmod o+w /var/www/html/nozes/db/ronin.db
$ setenforce 0   (at fedora) or chmod 755 at db/ronin.db

2-step
Go to:  
 http://localhost/nozes/view/login.php
Put it: 
 login: admin
 password: 1234
Change your password at user manager menu...

3-steps
Before start tasks, up the Executor.php in background
$ php scripts/Executor.php &

Video

Download Nozes

↧

Cyber Probe - Capturing, Analysing and Responding to Cyber Attacks

January 30, 2017, 6:30 am

≫ Next: OWASP Security Knowledge Framework - An expert system application that uses OWASP Application Security Verification Standard

≪ Previous: Nozes - PeTest CMD Manager [Automate Your PenTest Attacks In One Click]

Cyberprobe is a distributed software architecture for monitoring of networks against attack. It consists of two components: cyberprobe, which collects data packets and forwards them over a network in standard streaming protocols; and cybermon which decodes protocols, and invokes user-defined logic on the decoded data.

Cyberprobe can be integrated with snort so that the captured data corresponds with an attackers IP address as detected by snort.

Cybermon uses a LUA configuration file to describe what to do with the decoded information, providing great flexibility. Cybermon also supports a couple of packet injection techniques, allowing you to respond to attacks by resetting connections, or forging DNS responses.

The Cyberprobe project is an open-source distributed architecture for real-time monitoring of networks against attack. The software consists of two components:

a probe, which collects data packets and forwards it over a network in standard streaming protocols.
a monitor, which receives the streamed packets, decodes the protocols, and interprets the information.

These components can be used together or separately. For a simple configuration, they can be run on the same host, for more complex environments, a number of probes can feed a single monitor. For more detail, and to see where we are going, read the architecturepage.

The probe, cyberprobe has the following features:

The probe can be tasked to collect packets from an interface and forward any which match a configurable address list.
The probe can be configured to receive Snort alerts. In this configuration, when an alert is received from Snort, the IP source address associated with the alert is dynamically targeted for a period of time. In such a configuration, the system will collect data from any network actor who triggers a snort rule and is thus identified as a potential attacker.
The probe can optionally run a management interface which allows remote interrogation of the state, and alteration of the configuration. This allows dynamic alteration of the targeting map, and integration with other systems.
The probe can be configured to deliver on one of two standard stream protocols.

The monitor tool, cybermon has the following features:

Collects packets delivered in stream protocols.
Decodes packet protocols in and raises events in near-real-time.
Decoded information is made available to user-configurable logic to define how the decoded data is handled. A simple configuration language is used (LUA) and example configurations are provided to monitor data volumes, display data hexdumps, or stash the data in files.
Packet forgery techniques are included, which allow resetting TCP connections, and forging DNS responses. This can be invoked from your LUA in order to fight back against attacks on your network.
Has a pub/sub delivery mechanism with subscribers for ElasticSearch, Google BigQuery and Gaffer graph store.
Supports IP, TCP, UDP, ICMP, HTTP and DNS protocols, currently.

The cybermon software includes some support for STIX as a threat indicator specification, and can create alerts on the presence of threats on the network.
The code is targeted at the Linux platform, although it is generic enough to be applicable to other UN*X-like platforms.

The easiest way to learn about the software is to follow our Quick Start tutorial.

Download Cyber Probe

↧

OWASP Security Knowledge Framework - An expert system application that uses OWASP Application Security Verification Standard

January 31, 2017, 5:30 am

≫ Next: Faraday v2.3 - Collaborative Penetration Test and Vulnerability Management Platform

≪ Previous: Cyber Probe - Capturing, Analysing and Responding to Cyber Attacks

Security Knowledge Framework is an expert system application that uses OWASP Application Security Verification Standard, code examples, helps developers in pre-development and post-development.

Introduction
Our experience taught us that the current level of security the current web-applications contain is not sufficient enough to ensure security. This is mainly because web-developers simply aren't aware of the risks and dangers which are lurking, waiting to be exploited by hackers.
Because of this we decided to develop a proof of concept framework in order to create a guide system available for all developers so they can develop applications secure by design.
The security knowledge framework is here to support developers create secure applications. By analysing processing techniques in which the developers use to edit their data the application can link these techniques to different known vulnerabilities and give the developer feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.
The second stage of the application is validating if the developer properly implemented different types of defence mechanisms by means of checklists with among others the OWASP Application security verification standards.
By means of the answers supplied by the developer the application again generates documentation in which it gives feedback on what defence mechanisms the developer forgot to implement and give him feedback regarding descriptions and solutions on how to properly implement these techniques in a safe manner.

Installing

Docker

When Docker is available, the fastest way to start using the SKF project is using the pre-built container hosted at Docker hub.

docker run -ti -p 127.0.0.1:443:5443 blabla1337/skf-flask

The application will greet you on: https://127.0.0.1
This container always has the very latest version from the repository.

Automated installation with Chef

The easiest way to use the SKF project is using the Chef cookbook that we created.
What is Chef?
Chef is a configuration management and automation platform from Opscode. Chef helps you describe your infrastructure with code. Because your infrastructure is managed with code, it can be automated, tested and reproduced with ease. Check out https://www.chef.io for more information about Chef
For using the SKF chef cookbook you will need to install the 3 software products on your machine/laptop. Those are all free to use.
VirtualBox

VirtualBox is a free to use Virtual Machine that can load images.
https://www.virtualbox.org/wiki/Downloads

Chef Development Kit

Chef Development Kit is a free to use tooling for testing and running cookbooks created with chef.
https://downloads.chef.io/chef-dk/

Vagrant

Vagrant is has pre-build images ready to use for stable and fast development
https://www.vagrantup.com/downloads.html

When you have installed the above software you are now able to create a VirtualBox image with Vagrant configuration and using Chef to configure the SKF application. The SKF chef cookbook will do this all for you and you only need to follow the steps below on your machine/laptop.

cd ~/
wget https://github.com/blabla1337/owasp-skf-chef/archive/master.zip
unzip master.zip
cd owasp-skf-chef-master
kitchen converge default

Now you have to wait a few minutes and watch the magic happen! ^^ When the Chef run has completed (-----> Kitchen is finished!) the application is ready to use. When you will start the VirtualBox GUI you can see the cookbook created a new VB image that is running and holding the SKF application.
The application will greet you on: https://192.168.33.118
Below are some useful Kitchen 101 commands.

# All the below commands should be run in the SKF chef directory

# Command for creating the VM with the SKF project
kitchen converge default

# Command for login to the VM with the SKF project
kitchen login default

# Command for detroying the VM with the SKF project
kitchen destroy

AWS installation
A CloudFormation template is provided to make it easy to set up the Security Knowledge Framework in AWS. For more information consult the README in the cloudformation directory .

Ubuntu manual installation

To run SKF you need Python pip and sqlite3 database support.

  On 64-bit platform:
  sudo apt-get install python-pip sqlite3 lib32z1-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev

  On 32-bit platform:
  sudo apt-get install python-pip sqlite3 zlib1g-dev python-dev libxml2-dev libxslt-dev libffi-dev libssl-dev

After the prerequisites you can install the Python packages.

  sudo pip install https://github.com/mitsuhiko/flask/tarball/master
  sudo pip install owasp-skf

Now you can start the program by opening the folder (e.g. /opt/owasp-skf/) and run:

  python skf.py

Windows manual installation

Download and install Python 2.7.9
Run below commands in cmd (As Administrator):

  C:\Python27\Scripts\pip.exe install https://github.com/mitsuhiko/flask/tarball/master
  C:\Python27\Scripts\pip.exe install owasp-skf

Now you can start the program by opening the folder and run the skf.py file:

  cd C:\Python27\Lib\site-packages\skf
  C:\Python27\python.exe skf.py

Mac OSX manual installation

The first step is to install brew

  ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

After installing brew you can now install sqllite3

  brew install python-pip sqlite3

Now we install python pip

  sudo easy_install pip

After the prerequisites you can install the Python packages.

  sudo pip install https://github.com/mitsuhiko/flask/tarball/master
  sudo pip install owasp-skf

Now you can start the program by opening the folder (e.g. /opt/owasp-skf/) and run:

  sudo python skf.py

Ubuntu Apache WSGI Setup (manual installation)

To run the OWASP-SKF as a service (SaaS) you can hook it up to your existing webservers using the WSGI module.
First do the normal owasp-skf installation. User that is installing this software is foobar, change foobar for your own user

  apt-get install git apache2 libapache2-mod-wsgi
  sudo a2enmod wsgi
  cd /home/foobar
  git clone https://github.com/blabla1337/skf-flask.git

Now disable SSL settings, we want Apache to do this
Edit the file file: /home/foobar/skf-flask/skf/skf.py

  Change line:
       app.run(host=bindaddr, port=5443, ssl_context='adhoc')
  to:
       app.run(host=bindaddr, port=5443)

Now we can edit the configuration file of Apache
Edit the following file and add this below the virtualHost config for port 80 /etc/apache2/sites-enabled/000-default.conf

  WSGIRestrictStdout Off
  Listen 5443
<VirtualHost *:5443>

    WSGIDaemonProcess skf user=www-data group=www-data threads=5
    WSGIScriptAlias / /home/foobar/skf-flask/skf/skf.wsgi

<Directory /home/foobar/skf-flask/skf>
        WSGIProcessGroup skf
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
        Require all granted
</Directory>

</VirtualHost>

Now edit the configuration file of WSGI
Edit the following file: /etc/apache2/mods-enabled/wsgi.conf Add below inside the if_module of mod_wsgi:

<FilesMatch ".+\.py$">
    SetHandler wsgi-script
</FilesMatch>

  # Deny access to compiled binaries
  # You should not serve these to anyone
<FilesMatch ".+\.py(c|o)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

Create the WSGI file so it can be loaded by Apache
Create new skf.py file: /home/foobar/skf-flask/skf/skf.wsgi

  import sys, os
  sys.path.insert (0,'/home/foobar/skf-flask/skf')
  os.chdir("/home/foobar/skf-flask/skf")
  from skf import app as application

The final step:

  chmod +x /home/foobar/skf-flask/skf/skf.py
  chown -R www-data:www-data /home/foobar/skf-flask
  sudo service apache2 restart

The application can be visited at port http://the_ip_/:5443 Also now you can apply your favourite Apache SSL/TLS settings.

Usage
For more detailed information such as user guides and other documentation see:

Readme: extended documentation

Development

Fork and clone https://github.com/blabla1337/skf-flask
pip install -r requirements.txt
cd skf && python ./skf.py
Create your changes commit and open a PR from your fork to the master repo

Scrum Board

Waffle.io:
https://waffle.io/blabla1337/skf-flask

Testing

Travis-ci.org:

Test and Deploy with Confidence. Easily sync your GitHub projects with Travis CI and you'll be testing your code in minutes!
SKF Build details:

https://travis-ci.org/blabla1337/skf-flask

Coveralls.io:

DELIVER BETTER CODE. We help developers deliver code confidently by showing which parts of your code aren't covered by your test suite.
SKF Coveralls details:

https://coveralls.io/r/blabla1337/skf-flask

Scrutinizer-ci.com:

Why to use Scrutinizer. Improve code quality and find bugs before they hit production with our continuous inspection platform. Improve Code Quality.
SKF Scrutinizer details:

https://scrutinizer-ci.com/g/blabla1337/skf-flask/

uptimerobot.com:

Monitor HTTP(s), Ping, Port and check Keywords. Get alerted via e-mail, SMS, Twitter, web-hooks or push. View uptime, downtime and response times.

ssllabs.com & sslbadge.org:

ssllabs.org:
Bringing you the best SSL/TLS and PKI testing tools and documentation.

sslbadge.org:
Creates a nice badge for your website SSL/TLS security settings based on the Qualys SSL Labs testing.

Contributors

Glenn ten Cate
Riccardo ten Cate
Alexander Kaasjager
John Haley
Daniel Paulus
Erik de Kuijper
Roderick Schaefer
Jim Manico
Martijn Gijsberti Hodenpijl
Bithin Alangot
Martin Knobloch
Adam Fisher
Tom Wirschell
Joerg Stephan
Simon Brakhane
Gerco Grandia
Ross Nanopoulos
Bob van den Heuvel
Mariano

Download OWASP Security Knowledge Framework

↧

Faraday v2.3 - Collaborative Penetration Test and Vulnerability Management Platform

February 1, 2017, 6:21 am

≫ Next: Linux Kodachi3 - Secure Open Source Linux Distribution

≪ Previous: OWASP Security Knowledge Framework - An expert system application that uses OWASP Application Security Verification Standard

Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real-time without the need for a single email. Developed with a specialized set of functionalities that helps users improve their own work, the main purpose is to re-use the available tools in the community taking advantage of them in a collaborative way!

Some of the features added to this version require that the update parameter is present the first time the client runs after updating, like this:

python faraday.py --update

New workspace comparison graphics

New report templates

Enjoy our professional-looking Executive Report templates and modify them as you wish!

We added a findings index so you can get a quick view of what was found during the assessment before diving into the full report.

New API documentation

Our API to communicate with Faraday Server now has documentation. You can find it in/persistence/server/docs/_build/html/index.html.

Changes:

Improved the Workspace Comparison feature adding several graphics
Added a login dialog when GTK is run without login argument.
Added a template to create an Executive Report with grouped vulns.
Added the ability to edit and copy Executive Reports.
Added the ability to select a template for the Executive Report.
Fixed Executive Report delete button behaviour.
Fixed issues with new lines in MS Office.
Fixed bug that was overwriting vuln owner when editing.
Removed ‘unclassified’ conditionals from Executive templates.
Fixed update without credentials, added the ability to log in.

Added an activity feed panel in the Dashboard.
Added Hping plugin.
Enhancements to Wpscan plugin.
Added IBM AppScan plugin.
Improved Burp’s Online plugin. Added fields and removed HTML tags.
Refactor remaining modules to be compatible with JS Strict Mode.
Fixed bug that prevented GTK from closing when user clicked CANCEL on WS creation.
Fixed size of Workspace creation dialog.
New cwe databases: English and Spanish.

We hope you enjoy it, and let us know if you have any questions or comments.

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
https://forum.faradaysec.com/

Download Faraday v2.2

↧

Linux Kodachi3 - Secure Open Source Linux Distribution

February 2, 2017, 12:02 pm

≫ Next: Insanity-Framework - Generate Payloads and control Remote Machines

≪ Previous: Faraday v2.3 - Collaborative Penetration Test and Vulnerability Management Platform

Linux Kodachi operating system is based on Debian 8.6 it will provide you with a secure, anti forensic, and anonymous operating system considering all features that a person who is concerned about privacy would need to have in order to be secure.

Kodachi is very easy to use all you have to do is boot it up on your PC via USB drive then you should have a fully running operating system with established VPN connection + Tor Connection established + DNScrypt service running. No setup or Linux knowledge is required from your side we do it all for you. The entire OS is functional from your temporary memory RAM so once you shut it down no trace is left behind all your activities are wiped out.

Kodachi is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:

Use the Internet anonymously.
All connections to the Internet are forced to go through the VPN then Tor network with DNS encryption.
Leave no trace on the computer you are using unless you ask it explicitly.
Use state-of-the-art cryptographic and privacy tools to encrypt your files, emails and instant messaging.

Kodachi is based on the solid Linux Debian with customized XFCE this makes Kodachi stable, secure, and unique view screenshots:

How to use it:

First option (recommended): Download the ISO file and burn it on a USB flash memory using a free tool like Rufus or Linux Live then boot your PC from it. You will need to boot and press F12 key to get the boot menu and select your USB on old PCS you have to change your BIOS settings to allow the system to boot from USB as the first option.
Second option: Download the ISO file and burn it on a DVD using a free tool like DAEMON Tools then boot your PC from it.
Third option: Download the ISO file boot it up using Vmware player or Virtualbox.

Review by one of Kodachi users:

More Linux Kodachi videos on Youtube.

Download Linux Kodachi3

↧

Insanity-Framework - Generate Payloads and control Remote Machines

February 3, 2017, 6:30 am

≫ Next: Tater - A PowerShell implementation of the Hot Potato Windows Privilege Escalation Exploit

≪ Previous: Linux Kodachi3 - Secure Open Source Linux Distribution

With the dynamics of persuasion that prove effective in a pentest, several painstaking means of making a payload has emerged, Insanity Framework provides speed and effectiveness in a single tool to help you work.

Features

Bypass most AV and Sandboxes.
Remote Control.
Payload Generation.
Some Phishing methods are included on payloads generated.
Detect Virtual Machines
Persistence and others features can be enabled.

Prerequisites

apt
wine
python 2.7 in Wine Machine
pywin32 in Wine Machine
sudo
python2.7

Tested on:

Kali Linux

Cloning

git clone https://github.com/4w4k3/Insanity-Framework.git

Running

python insanity.py

python2.7 insanity.py

Screen

To increase:

File Transfer
Webcam Snaps and Streaming
Better compression of portables
Keylogging
Print Screens

Contact
4w4k3@protonmail.com
Telegram Group: https://t.me/joinchat/AAAAAAwbI7KU5sjsHNndEg

Download Insanity-Framework

↧