Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5816 articles
Browse latest View live

Volatility 2.6 - Advanced Memory Forensics Framework

July 17, 2017, 8:09 am
$
0
0

In 2007, the first version of The Volatility Framework was released publicly at Black Hat DC. The software was based on years of published academic research into advanced memory analysis and forensics. Up until that point, digital investigations had focused primarily on finding contraband within hard drive images. Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Another major goal of the project was to encourage the collaboration, innovation, and accessibility to the knowledge that had been common within the offensive software communities.

Since that time, memory analysis has become one of the most important topics to the future of digital investigations and Volatility has become the world’s most widely used memory forensics platform. The project is supported by one of the largest and most active communities in the forensics industry. Volatility also provides a unique platform that enables cutting-edge research to be immediately transitioned into the hands of digital investigators. As a result, research built on top of Volatility has appeared at the top academic conferences and Volatility has been used on some of the most critical investigations of the past decade. It has become an indispensable digital investigation tool relied upon by law enforcement, military, academia, and commercial investigators throughout the world.

Volatility development is now supported by The Volatility Foundation, an independent 501(c) (3) non-profit organization. The foundation was established to promote the use of Volatility and memory analysis within the forensics community, to defend the project's intellectual property (trademarks, licenses, etc.) and longevity, and, finally, to help advance innovative memory analysis research. Along these lines, the foundation was also formed to help protect the rights of the developers who sacrifice their time and resources to make the world’s most advanced memory forensics platform free and open source.


Quick Start
  • Choose a release - the most recent is [Volatility 2.6] (http://www.volatilityfoundation.org/26), released December 2016. Older versions are also available on the Releases page or respective release pages. If you want the cutting edge development build, use a git client and clone the master.
  • Install the code - Volatility is packaged in several formats, including source code in zip or tar archive (all platforms), a Pyinstaller executable (Windows only) and a standalone executable (Windows only). For help deciding which format is best for your needs, and for installation or upgrade instructions, see Installation.
  • Target OS specific setup - the Linux, Mac, and Android support may require accessing symbols and building your own profiles before using Volatility. If you plan to analyze these operating systems, please see Linux, Mac, or Android.
  • Read usage and plugins - command-line parameters, options, and plugins may differ between releases. For the most recent information, see Volatility Usage, Command Reference and our Volatility Cheat Sheet.

Why Volatility
  • A single, cohesive framework analyzes RAM dumps from 32- and 64-bit Windows, Linux, mac, and android systems. Volatility's modular design allows it to easily support new operating systems and architectures as they are released. All your devices are targets...so don't limit your forensic capabilities to just Windows computers.
  • It's Open Source GPLv2, which means you can read it, learn from it, and extend it. Why use a tool that outputs results without giving you any indication where the values came from or how they were interpreted? Learn how your tools work, understand why and how to tweak and enhance them - help yourself become a smarter analyst. You can also immediately fix any issues you discover, instead of having to wait weeks or months for vendors to communicate, reproduce, and publish patches.
  • It's written in Python, an established forensic and reverse engineering language with loads of libraries that can easily integrate into volatility. Most analysts are already familiar with Python and don't want to learn new languages. For example, windbg's scripting syntax which is often seen as cryptic and many times the capabilities just aren't there. Other memory analysis frameworks require you to use Visual Studio to compile C# DLLs and the rest don't expose a programming API at all.
  • Runs on Windows, Linux, or Mac analysis systems (anywhere Python runs) - a refreshing break from other memory analysis tools that only run on windows and require .NET installations and admin privileges just to open. If you're already accustomed to performing forensics on a particular host OS, by all means, keep using it - and take volatility with you.
  • Extensible and scriptable API gives you the power to go beyond and continue innovating. For example, you can use volatility to build a customized web interface or GUI, drive your malware sandbox, perform virtual machine introspection or just explore kernel memory in an automated fashion. Analysts can add new address spaces, plugins, data structures, and overlays to truly weld the framework to their needs. You can explore the Doxygen documentation for Volatility to get an idea of its internals.
  • Unparalleled feature sets based on reverse engineering and specialized research. Volatility provides capabilities that Microsoft's own kernel debugger doesn't allow, such as carving command histories, console input/output buffers, USER objects (GUI memory), and network-related data structures. Just because it's not documented doesn't mean you can't analyze it!
  • Comprehensive coverage of file formats - volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), expert witness (EWF), and direct physical memory over Firewire. You can even convert back and forth between these formats. In the heat of your incident response moment, don't get caught looking like a fool when someone hands you a format your other tools can't parse.
  • Fast and efficient algorithms let you analyze RAM dumps from large systems without unnecessary overhead or memory consumption. For example, volatility is able to list kernel modules from an 80 GB system in just a few seconds. There is always room for improvement, and timing differs per command, however other memory analysis frameworks can take several hours to do the same thing on much smaller memory dumps.
  • A serious and powerful community of practitioners and researchers who work in the forensics, IR, and malware analysis fields. It brings together contributors from commercial companies, law enforcement, and academic institutions around the world. Don't just take our word for it - check out the Volatility Documentation Project - a collection of over 200 docs from 60+ different authors. Volatility is also being built on by a number of large organizations such as Google, National DoD Laboratories, DC3, and many Antivirus and security shops.
  • Forensics/IR/malware focus - Volatility was designed by forensics, incident response, and malware experts to focus on the types of tasks these analysts typically form. As a result, there are things that are often very important to a forensics analysts that are not as important to a person debugging a kernel driver (unallocated storage, indirect artifacts, etc).

Search

nWatch - Tool for Host Discovery, PortScanning and Operating System Fingerprinting

July 17, 2017, 4:12 pm
$
0
0

nWatch is a handy tool for host discovery, portscanning and operating system fingerprinting.

Demo video



Requirements

Installation and execution
Install the requirements Then you can download nWatch by cloning the Git repository:
git clone https://github.com/suraj-root/nWatch.git
cd nWatch/
python nwatch.py
For educational purposes only.


SET v7.7 - The Social-Engineer Toolkit “Blackout”

July 18, 2017, 7:30 am
$
0
0


The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, “Metasploit: The Penetrations Tester’s Guide” written by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and Mati Aharoni.

The next major revision of The Social-Engineer Toolkit (SET) v7.7 codename “Blackout” has just been released. This version incorporates support for hostnames in the HTA attack vector, and a redesigned Java Applet attack vector. Java is still widely used in corporations and with a valid code signing certificate can be one of the easiest ways to get a shell in an organization. In this version, the Java Applet is substantially more improved on reliability, evasion, and code execution. In addition, it’s now possible to specify a text file that has multiple commands to execute which you can incorporate your own payloads. Before you could only use either your own EXE or the Meterpreter shells built into SET. If you are doing something like your own PowerShell payload or another framework, you can have multiple commands:

command1,command2,command3

This will execute each command in sequence and since through HTML parameters, can be as large as you want them to be.

 For a video on the new text feature within the Applet, visit below.


Changelog: 
~~~~~~~~~~~~~~~~
version 7.7
~~~~~~~~~~~~~~~~

* rewrote grab_ipaddress() function to be a centralized routine that incorporates hostnames or IP addresses.
* rewrote grab_ipaddress() to include automatic detection of ipaddress or failover to manual entry. This will allow easier selection fo IP addresses without having to drop into a different window
* add hostname support for hta attack vector
* removed deploy binaries as a default option in the set.config file
* added ability for new menu for java applet that now allows you to specify multiple commands – useful if you want to insert things like empire payloads, etc.
* rewrote java applet to have additional functionality for multiple command menu
* better handling on command output
* fixed custom applet from not working properly
* fixed custom executable from not working properly
* added new unsigned obfuscated jar file
* added Java.java source files for customization
* added new Java Applet self-signed with new expirations


GPS-SDR-SIM - Software-Defined GPS Signal Simulator

July 19, 2017, 7:30 am
$
0
0

GPS-SDR-SIM generates GPS baseband signal data streams, which can be converted to RF using software-defined radio (SDR) platforms, such as bladeRF, HackRF, and USRP.

Windows build instructions
  1. Start Visual Studio.
  2. Create an empty project for a console application.
  3. On the Solution Explorer at right, add "gpssim.c" and "getopt.c" to the Souce Files folder.
  4. Select "Release" in Solution Configurations drop-down list.
  5. Build the solution.

Building with GCC
$ gcc gpssim.c -lm -O3 -o gps-sdr-sim

Generating the GPS signal file
A user-defined trajectory can be specified in either a CSV file, which contains the Earth-centered Earth-fixed (ECEF) user positions, or an NMEA GGA stream. The sampling rate of the user motion has to be 10Hz. The user is also able to assign a static location directly through the command line.
The user specifies the GPS satellite constellation through a GPS broadcast ephemeris file. The daily GPS broadcast ephemers file (brdc) is a merge of the individual site navigation files into one. The archive for the daily file is:
ftp://cddis.gsfc.nasa.gov/gnss/data/daily/
These files are then used to generate the simulated pseudorange and Doppler for the GPS satellites in view. This simulated range data is then used to generate the digitized I/Q samples for the GPS signal.
The bladeRF command line interface requires I/Q pairs stored as signed 16-bit integers, while the hackrf_transfer and gps-sdr-sim-uhd.py support signed bytes.
HackRF and bladeRF require 2.6 MHz sample rate, while the USRP2 requires 2.5 MHz (an even integral decimator of 100 MHz).
The simulation start time can be specified if the corresponding set of ephemerides is available. Otherwise the first time of ephemeris in the RINEX navigation file is selected.
The maximum simulation duration time is defined by USER_MOTION_SIZE to prevent the output file from getting too large.
The output file size can be reduced by using "-b 1" option to store four 1-bit I/Q samples into a single byte. You can use bladeplayer for bladeRF to playback the compressed file.
Usage: gps-sdr-sim [options]
Options:
  -e <gps_nav>     RINEX navigation file for GPS ephemerides (required)
  -u <user_motion> User motion file (dynamic mode)
  -g <nmea_gga>    NMEA GGA stream (dynamic mode)
  -l <location>    Lat,Lon,Hgt (static mode) e.g. 30.286502,120.032669,100
  -t <date,time>   Scenario start time YYYY/MM/DD,hh:mm:ss
  -T <date,time>   Overwrite TOC and TOE to scenario start time
  -d <duration>    Duration [sec] (dynamic mode max: 300 static mode max: 86400)
  -o <output>      I/Q sampling data file (default: gpssim.bin)
  -s <frequency>   Sampling frequency [Hz] (default: 2600000)
  -b <iq_bits>     I/Q data format [1/8/16] (default: 16)
  -i               Disable ionospheric delay for spacecraft scenario
  -v               Show details about simulated channels
The user motion can be specified in either dynamic or static mode:
> gps-sdr-sim -e brdc3540.14n -u circle.csv
> gps-sdr-sim -e brdc3540.14n -g triumphv3.txt
> gps-sdr-sim -e brdc3540.14n -l 30.286502,120.032669,100

Transmitting the samples
The TX port of a particular SDR platform is connected to the GPS receiver under test through a DC block and a fixed 50-60dB attenuator.
The simulated GPS signal file, named "gpssim.bin", can be loaded into the bladeRF for playback as shown below:
set frequency 1575.42M
set samplerate 2.6M
set bandwidth 2.5M
set txvga1 -25
cal lms
cal dc tx
tx config file=gpssim.bin format=bin
tx start
You can also execute these commands via the bladeRF-cli script option as below:
> bladeRF-cli -s bladerf.script
For the HackRF:
> hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
For UHD supported devices (tested with USRP2 only):
> gps-sdr-sim-uhd.py -t gpssim.bin -s 2500000 -x 0


DropboxC2C - A Post-Exploitation Agent Which Uses Dropbox Infrastructure For Command And Control Operations

July 19, 2017, 3:35 pm
$
0
0
DropboxC2C is a post-exploitation agent which uses Dropbox Infrastructure for command and control operations.

DO NOT USE THIS FOR MALICIOUS PURPOSES. THE AUTHOR IS NOT RESPONSIBLE FOR ANY MISUSE OF THIS PROGRAM.

Structure
main.py - The "server" part which manages all the agents.
agent.py - The "client" part which does what the server tells.
I have removed the keylogging functions so this doesn't get missused.

Requirements
Python 2.7
Libraries dropbox psutil pyinstaller

Installation
1-) Clone the repository.
2-) Modify the API Key on agent.py and main.py # The api key must be created from the dropbox web interface.
3-) Run setup.bat on a Windows Machine. You will get agent.exe which is the "compiled" agent.
4-) Run main.py and run the agent on the compromised server.
Video Coming Soon

Screenshots
Screenshot - 1


Screenshot - 2


Screenshot - 3


Screenshot - 4


NagaScan - NagaScan is a distributed passive scanner for Web application.

July 20, 2017, 7:49 am
$
0
0
What is NagaScan
NagaScan is a distributed passive vulnerability scanner for Web application.

What NagaScan do
NagaScan currently support some common Web application vulnerabilities, e.g. XSS, SQL Injection, File Inclusion etc

How NagaScan work
Config a proxy, e.g. Web Browser proxy or mobile Wi-Fi proxy, the traffic (including requests headers, cookies, post data, URLs, etc) will be mirrored and parsed into our central database, then NagaScan will be automatically assigned to distributed scanners to scan the common web application vulnerabilities.

Requirements

Web Console
  • sudo pip install mysql-connector
  • sudo pip install jinja2
  • sudo pip install bleach

Scanner
  • sudo apt-get install python-pip python-dev libmysqlclient-dev
  • sudo pip install requests
  • sudo pip install MySQL-python
  • sudo pip install -U selenium
  • sudo apt-get install libfontconfig

Proxy
  • sudo apt-get install python-pip python-dev libmysqlclient-dev
  • sudo pip install MySQL-python

Installation & Configuration

Database
  • Install MySQL and create a db user and password, e.g. root/toor
  • Create database for NagaScan by using command source schema.sql

Web Console
  • Modify www/config_override.py with your own DB configuration for Web console
configs = {
    'db': {
        'host': '127.0.0.1',
        'user': 'root',
        'password': 'toor'
    }
}
  • Run sudo python www/wsgiapp.py to start Web console

Scanner
  • Modify scanner/lib/db_operation.py with your own DB configuration for Scanner
def db_conn():
    try:
        user = "root"
        pwd = "toor"
        hostname = "127.0.0.1"
self.executable_path='[Your Own Phantomjs Binary Path]' # e.g. /home/ubuntu/phantomjs-2.1.1-linux-x86_64/bin/phantomjs
  • Run below commands to start Scanner
    • python scanner/scan_fi.py to scan File Inclusion
    • python scanner/scan_xss.py to scan XSS
    • python scanner/scan_sqli.py to scan SQL injection

Proxy & Parser
  • Install MitmProxy
    • Ubuntu 16.04 (Preferred):
      • sudo apt-get install python3-dev python3-pip libffi-dev libssl-dev
      • sudo pip3 install mitmproxy
    • Ubuntu 14.04:
      • sudo apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
      • sudo pip install "mitmproxy==0.18.2"
    • MacOS:
      • brew install python3
      • brew install mitmproxy
  • Run mitmdump -p 443 -s "proxy/proxy_mitmproxy.py /tmp/logs.txt" to start Proxy
  • Modify parser/lib/db_operation.py with your own DB configuration for Parser
def db_conn():
    try:
        user = "root"
        pwd = "toor"
        hostname = "127.0.0.1"
  • Run python parser/parser_mitmproxy.py /tmp/logs.txt to start Parser

Usage
  • Access to Web Console with the default username and password (nagascan@example.com/Naga5c@n) to config exclusions and add SQLMAP server



  • Install MitmProxy certificates for Browser or Mobile per Instruction
  • Add a proxy you created in your Web Browser or Mobile Wi-Fi
  • Just browse websites from Browser or use APPs from Mobile whatever you like
  • Have fun!


Hardentools - Utility that disables a number of risky Windows features

July 20, 2017, 4:46 pm
$
0
0
Hardentools is a collection of simple utilities designed to disable a number of "features" exposed by operating systems (Microsoft Windows, for now), and primary consumer applications. These features, commonly thought for Enterprise customers, are generally useless to regular users and rather pose as dangers as they are very commonly abused by attackers to execute malicious code on a victim's computer. The intent of this tool is to simply reduce the attack surface by disabling the low-hanging fruit. Hardentools is intended for individuals at risk, who might want an extra level of security at the price of some usability. It is not intended for corporate environments.
WARNING: This is just an experiment, it is not meant for public distribution yet. Also, this tool disables a number of features, including of Microsoft Office, Adobe Reader, and Windows, that might cause malfunctions to certain applications. Use this at your own risk.
Bear in mind, after running Hardentools you won't be able, for example, to do complex calculations with Microsoft Office Excel or use the Command-line terminal, but those are pretty much the only considerable "downsides" of having a slightly safer Windows environment. Before deciding to use it, make sure you read this document thoroughly and understand that yes, something might break. In case you experience malfunctions as a result of the modifications implemented by this tool, please do let us know.

How to use it
Once you double-click on the icon, depending on your Windows security settings, you should be prompted with an User Access Control dialog asking you confirmation to allow Hardentools to run. Click "Yes".



Then, you will see the main Hardentools window. It's very simple, you just click on the "Harden" button, and the tool will make the changes to your Windows configuration to disable a set of features that are risky. Once completed, you will be asked to restart your computer for all the changes to have full effect.



In case you wish to restore the default settings and revert the changes Hardentools made (for example, if you need to use cmd.exe), you can simply re-run the tool and instead of an "Harden" button you will be prompted with a "Restore" button. Similarly, click it and wait for the modifications to be reverted.
In the future, we will create the ability to select or deselect certain modifications Hardentools is configured to make.
Please note: the modifications made by Hardentools are exclusively contextual to the Windows user account used to run the tool from. In case you want Hardentools to change settings for other Windows users as well, you will have to run it from each one of them logged in.

What this tool does NOT
  • It does NOT prevent software from being exploited.
  • It does NOT prevent the abuse of every available risky feature.
  • It is NOT an Antivirus. It does not protect your computer. It doesn't identify, block, or remove any malware.
  • It does NOT prevent the changes it implements from being reverted. If malicious code runs on the system and it is able to restore them, the premise of the tool is defeated, isn't it?

Disabled Features

Generic Windows Features
  • Disable Windows Script Host. Windows Script Host allows the execution of VBScript and Javascript files on Windows operating systems. This is very commonly used by regular malware (such as ransomware) as well as targeted malware.
  • Disabling AutoRun and AutoPlay. Disables AutoRun / AutoPlay for all devices. For example, this should prevent applicatons from automatically executing when you plug a USB stick into your computer.
  • Disables powershell.exe, powershell_ise.exe and cmd.exe execution via Windows Explorer. You will not be able to use the terminal and it should prevent the use of PowerShell by malicious code trying to infect the system.
  • Sets User Account Control (UAC) to always ask for permission (even on configuration changes only) and to use "secure desktop".
  • Disable file extensions mainly used for malicious purposes. Disables the ".hta", ".js", ".JSE", ".WSH", ".WSF", ".scr", ".vbs" and ".pif" file extensions for the current user (and for system wide defaults, which is only relevant for newly created users).

Microsoft Office
  • Disable Macros. Macros are at times used by Microsoft Office users to script and automate certain activities, especially calculations with Microsoft Excel. However, macros are currently a security plague, and they are widely used as a vehicle for compromise. With Hardentools, macros are disabled and the "Enable this Content" notification is disabled too, to prevent users from being tricked.
  • Disable OLE object execution. Microsoft Office applications are able to embed so called "OLE objects" and execute them, at times also automatically (for example through PowerPoint animations). Windows executables, such as spyware, can also be embedded and executed as an object. This is also a security disaster which we observed used time and time again, particularly in attacks against activists in repressed regions. Hardentools entirely disables this functionality.
  • Disabling ActiveX. Disables ActiveX Controls for all Office applications.

Acrobat Reader
  • Disable JavaScript in PDF documents. Acrobat Reader allows to execute JavaScript code from within PDF documents. This is widely abused for exploitation and malicious activity.
  • Disable execution of objects embedded in PDF documents. Acrobat Reader also allows to execute embedded objects by opening them. This would normally raise a security alert, but given that legitimate uses of this are rare and limited, Hardentools disables this.

Authors
This tools is developed by Claudio Guarnieri, Mariano Graziano and Florian Probst.


Prowler - Tool for AWS Security Assessment, Auditing And Hardening

July 21, 2017, 7:30 am
$
0
0
Tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark 1.1

Features
It covers hardening and security best practices for all AWS regions related to:
  • Identity and Access Management (24 checks)
  • Logging (8 checks)
  • Monitoring (15 checks)
  • Networking (5 checks)
For a comprehesive list and resolution look at the guide on the link above.
With Prowler you can:
  • get a colourish or monochrome report
  • a CSV format report for diff
  • run specific checks without having to run the entire report
  • check multiple AWS accounts in parallel

Requirements
This script has been written in bash using AWS-CLI and it works in Linux and OSX.
  • Make sure your AWS-CLI is installed on your workstation, with Python pip already installed:
pip install awscli
Or install it using "brew", "apt", "yum" or manually from https://aws.amazon.com/cli/
  • Previous steps, from your workstation:
git clone https://github.com/Alfresco/prowler
cd prowler
  • Make sure you have properly configured your AWS-CLI with a valid Access Key and Region:
aws configure
  • Make sure your Secret and Access Keys are associated to a user with proper permissions to do all checks. To make sure add SecurityAuditor default policy to your user. Policy ARN is
arn:aws:iam::aws:policy/SecurityAudit
In some cases you may need more list or get permissions in some services, look at the Troubleshooting section for a more comprehensive policy if you find issues with the default SecurityAudit policy.

How to create a report
1 - Run the prowler.sh command without options (it will use your default credentials and run checks over all regions when needed, default region is us-east-1):
./prowler
2 - For custom AWS-CLI profile and region, use the following: (it will use your custom profile and run checks over all regions when needed):
./prowler -p custom-profile -r us-east-1
3 - For a single check use option -c:
./prowler -c check310
or for custom profile and region
./prowler -p custom-profile -r us-east-1 -c check11
or for a group of checks use group name:
./prowler -c check3
Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310
4 - If you want to save your report for later analysis:
./prowler > prowler-report.txt
or if you want a colored HTML report do:
pip install ansi2html
./prowler | ansi2html -la > report.html
or if you want a pipe-delimited report file, do:
./prowler -M csv > output.psv
5 - If you want to run Prowler to check multiple AWS accounts in parallel (runs up to 4 simultaneously -P 4):
grep -E '^\[([0-9A-Aa-z_-]+)\]'  ~/.aws/credentials | tr -d '][' | shuf |  \
xargs -n 1 -L 1 -I @ -r -P 4 ./prowler -p @ -M csv  2> /dev/null  >> all-accounts.csv
6 - For help use:
./prowler -h

USAGE:
      prowler -p <profile> -r <region> [ -h ]
  Options:
      -p <profile>        specify your AWS profile to use (i.e.: default)
      -r <region>         specify an AWS region to direct API requests to (i.e.: us-east-1)
      -c <checknum>       specify a check number or group from the AWS CIS benchmark (i.e.: check11 for check 1.1 or check3 for entire section 3)
      -f <filterregion>   specify an AWS region to run checks against (i.e.: us-west-1)
      -m <maxitems>       specify the maximum number of items to return for long-running requests (default: 100)
      -M <mode>           output mode: text (defalut), mono, csv (separator is "|"; data is on stdout; progress on stderr)
      -k                  keep the credential report
      -h                  this help

How to fix all WARNINGS:
Check your report and fix the issues following all specific guidelines per check in https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf

Screenshots
  • Sample screenshot of report first lines:

  • Sample screnshot of single check for check 3.3:

  • Sample of a full report:
$ ./prowler
                          _
  _ __  _ __ _____      _| | ___ _ __
 | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
 | |_) | | | (_) \ V  V /| |  __/ |
 | .__/|_|  \___/ \_/\_/ |_|\___|_|
 |_| CIS based AWS Account Hardening Tool


Date: Wed Sep 14 13:30:13 EDT 2016

This report is being generated using credentials below:

AWS-CLI Profile: [default] AWS Region: [us-east-1]

--------------------------------------------------------------------------------------
|                                  GetCallerIdentity                                 |
+--------------+-------------------------------------------+-------------------------+
|    Account   |                    Arn                    |         UserId          |
+--------------+-------------------------------------------+-------------------------+
|  XXXXXXXXXXXX|  arn:aws:iam::XXXXXXXXXXXX:user/toni      |  XXXXXXXXXXXXXXXXXXXXX  |
+--------------+-------------------------------------------+-------------------------+

Colors Code for results:  INFORMATIVE, OK (RECOMMENDED VALUE),  CRITICAL (FIX REQUIRED)


Generating AWS IAM Credential Report....COMPLETE


 1 Identity and Access Management *********************************

 1.1 Avoid the use of the root account (Scored). Last time root account was used
     (password last used, access_key_1_last_used, access_key_2_last_used):
      2016-08-11T20:59:27+00:00, N/A, N/A

 1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password (Scored)
     List of users with Password enabled but MFA disabled:
      toni

 1.3 Ensure credentials unused for 90 days or greater are disabled (Scored)
     User list:
      toni

 1.4 Ensure access keys are rotated every 90 days or less (Scored)
     Users with access key 1 older than 90 days:
<root_account>
     Users with access key 2 older than 90 days:

 1.5 Ensure IAM password policy requires at least one uppercase letter (Scored)
      FALSE

 1.6 Ensure IAM password policy require at least one lowercase letter (Scored)
      FALSE

 1.7 Ensure IAM password policy require at least one symbol (Scored)
      FALSE

 1.8 Ensure IAM password policy require at least one number (Scored)
      FALSE

 1.9 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
      FALSE

 1.10 Ensure IAM password policy prevents password reuse (Scored)
      FALSE

 1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
      FALSE

 1.12 Ensure no root account access key exists (Scored)
      Found access key 1
      OK  No access key 2 found

 1.13 Ensure hardware MFA is enabled for the root account (Scored)
      OK

 1.14 Ensure security questions are registered in the AWS account (Not Scored)
      No command available for check 1.14
      Login to the AWS Console as root, click on the Account
      Name -> My Account -> Configure Security Challenge Questions

 1.15 Ensure IAM policies are attached only to groups or roles (Scored)
      Users with policy attached to them instead to groups: (it may take few seconds...)
      toni


 2 Logging ********************************************************

 2.1 Ensure CloudTrail is enabled in all regions (Scored)
      FALSE

 2.2 Ensure CloudTrail log file validation is enabled (Scored)
      FALSE

 2.3 Ensure the S3 bucket CloudTrail logs to is not publicly accessible (Scored)
      WARNING! CloudTrail bucket doesn't exist!

 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs (Scored)
      WARNING! No CloudTrail trails found!

 2.5 Ensure AWS Config is enabled in all regions (Scored)
      WARNING! Region ap-south-1 has AWS Config disabled or not configured
      WARNING! Region eu-west-1 has AWS Config disabled or not configured
      WARNING! Region ap-southeast-1 has AWS Config disabled or not configured
      WARNING! Region ap-southeast-2 has AWS Config disabled or not configured
      WARNING! Region eu-central-1 has AWS Config disabled or not configured
      WARNING! Region ap-northeast-2 has AWS Config disabled or not configured
      WARNING! Region ap-northeast-1 has AWS Config disabled or not configured
      WARNING! Region us-east-1 has AWS Config disabled or not configured
      WARNING! Region sa-east-1 has AWS Config disabled or not configured
      WARNING! Region us-west-1 has AWS Config disabled or not configured
      WARNING! Region us-west-2 has AWS Config disabled or not configured

 2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket (Scored)
      WARNING! CloudTrail bucket doesn't exist!

 2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs (Scored)
      WARNING! CloudTrail bucket doesn't exist!

 2.8 Ensure rotation for customer created CMKs is enabled (Scored)
      Region ap-south-1 doesn't have encryption keys
      Region eu-west-1 doesn't have encryption keys
      Region ap-southeast-1 doesn't have encryption keys
      Region ap-southeast-2 doesn't have encryption keys
      Region eu-central-1 doesn't have encryption keys
      Region ap-northeast-2 doesn't have encryption keys
      Region ap-northeast-1 doesn't have encryption keys
      WARNING! Key a0e988df-bc84-423f-996c-XXXX in Region us-east-1 is not set to rotate!
      Region sa-east-1 doesn't have encryption keys
      Region us-west-1 doesn't have encryption keys
      Region us-west-2 doesn't have encryption keys


 3 Monitoring *****************************************************

 3.1 Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.3 Ensure a log metric filter and alarm exist for usage of root account (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.4 Ensure a log metric filter and alarm exist for IAM policy changes (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)
      WARNING! No CloudWatch group found, no metric filters or alarms associated

 3.15 Ensure security contact information is registered (Scored)
      No command available for check 3.15
      Login to the AWS Console, click on My Account
      Go to Alternate Contacts -> make sure Security section is filled

 3.16 Ensure appropriate subscribers to each SNS topic (Not Scored)
      Region ap-south-1 doesn't have topics
      Region eu-west-1 doesn't have topics
      Region ap-southeast-1 doesn't have topics
      Region ap-southeast-2 doesn't have topics
      Region eu-central-1 doesn't have topics
      Region ap-northeast-2 doesn't have topics
      Region ap-northeast-1 doesn't have topics
      Region us-east-1 doesn't have topics
      Region sa-east-1 doesn't have topics
      Region us-west-1 doesn't have topics
      Region us-west-2 doesn't have topics


 4 Networking **************************************************

 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
      OK, No Security Groups found in ap-south-1 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in eu-west-1 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in ap-southeast-1 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in ap-southeast-2 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in eu-central-1 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in ap-northeast-2 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in ap-northeast-1 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in us-east-1 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in sa-east-1 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in us-west-1 with port 22 TCP open to 0.0.0.0/0
      OK, No Security Groups found in us-west-2 with port 22 TCP open to 0.0.0.0/0

 4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
      OK, No Security Groups found in ap-south-1 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in eu-west-1 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in ap-southeast-1 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in ap-southeast-2 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in eu-central-1 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in ap-northeast-2 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in ap-northeast-1 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in us-east-1 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in sa-east-1 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in us-west-1 with port 3389 TCP open to 0.0.0.0/0
      OK, No Security Groups found in us-west-2 with port 3389 TCP open to 0.0.0.0/0

 4.3 Ensure VPC Flow Logging is Enabled in all Applicable Regions (Scored)
      WARNING! no VPCFlowLog has been found in Region ap-south-1
      WARNING! no VPCFlowLog has been found in Region eu-west-1
      WARNING! no VPCFlowLog has been found in Region ap-southeast-1
      WARNING! no VPCFlowLog has been found in Region ap-southeast-2
      WARNING! no VPCFlowLog has been found in Region eu-central-1
      WARNING! no VPCFlowLog has been found in Region ap-northeast-2
      WARNING! no VPCFlowLog has been found in Region ap-northeast-1
      WARNING! no VPCFlowLog has been found in Region us-east-1
      WARNING! no VPCFlowLog has been found in Region sa-east-1
      WARNING! no VPCFlowLog has been found in Region us-west-1
      WARNING! no VPCFlowLog has been found in Region us-west-2

 4.4 Ensure the default security group restricts all traffic (Scored)
      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-south-1
      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-west-1
      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-1
      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-southeast-2
      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region eu-central-1
      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-2
      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region ap-northeast-1
      OK, no Default Security Groups open to 0.0.0.0 found in Region us-east-1
      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region sa-east-1
      WARNING! Default Security Groups found that allow 0.0.0.0 IN or OUT traffic in Region us-west-1
      OK, no Default Security Groups open to 0.0.0.0 found in Region us-west-2

 - For more information and reference:
   https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf

Troubleshooting

STS expired token
If you are using an STS token for AWS-CLI and your session is expired you probably get this error:
A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired
To fix it, please renew your token by authenticating again to the AWS API.

Custom IAM Policy
Instead of using default policy SecurityAudit for the account you use for checks you may need to create a custom policy with a few more permissions (get and list, not change!) here you go a good example for a "ProwlerPolicyReadOnly":
{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "acm:describecertificate",
            "acm:listcertificates",
            "autoscaling:describe*",
            "cloudformation:describestack*",
            "cloudformation:getstackpolicy",
            "cloudformation:gettemplate",
            "cloudformation:liststack*",
            "cloudfront:get*",
            "cloudfront:list*",
            "cloudtrail:describetrails",
            "cloudtrail:gettrailstatus",
            "cloudtrail:listtags",
            "cloudwatch:describe*",
            "cloudwatchlogs:describeloggroups",
            "cloudwatchlogs:describemetricfilters",
            "codecommit:batchgetrepositories",
            "codecommit:getbranch",
            "codecommit:getobjectidentifier",
            "codecommit:getrepository",
            "codecommit:list*",
            "codedeploy:batch*",
            "codedeploy:get*",
            "codedeploy:list*",
            "config:deliver*",
            "config:describe*",
            "config:get*",
            "datapipeline:describeobjects",
            "datapipeline:describepipelines",
            "datapipeline:evaluateexpression",
            "datapipeline:getpipelinedefinition",
            "datapipeline:listpipelines",
            "datapipeline:queryobjects",
            "datapipeline:validatepipelinedefinition",
            "directconnect:describe*",
            "dynamodb:listtables",
            "ec2:describe*",
            "ecs:describe*",
            "ecs:list*",
            "elasticache:describe*",
            "elasticbeanstalk:describe*",
            "elasticloadbalancing:describe*",
            "elasticmapreduce:describejobflows",
            "elasticmapreduce:listclusters",
            "es:describeelasticsearchdomainconfig",
            "es:listdomainnames",
            "firehose:describe*",
            "firehose:list*",
            "glacier:listvaults",
            "iam:generatecredentialreport",
            "iam:get*",
            "iam:list*",
            "kms:describe*",
            "kms:get*",
            "kms:list*",
            "lambda:getpolicy",
            "lambda:listfunctions",
            "logs:DescribeMetricFilters",
            "rds:describe*",
            "rds:downloaddblogfileportion",
            "rds:listtagsforresource",
            "redshift:describe*",
            "route53:getchange",
            "route53:getcheckeripranges",
            "route53:getgeolocation",
            "route53:gethealthcheck",
            "route53:gethealthcheckcount",
            "route53:gethealthchecklastfailurereason",
            "route53:gethostedzone",
            "route53:gethostedzonecount",
            "route53:getreusabledelegationset",
            "route53:listgeolocations",
            "route53:listhealthchecks",
            "route53:listhostedzones",
            "route53:listhostedzonesbyname",
            "route53:listresourcerecordsets",
            "route53:listreusabledelegationsets",
            "route53:listtagsforresource",
            "route53:listtagsforresources",
            "route53domains:getdomaindetail",
            "route53domains:getoperationdetail",
            "route53domains:listdomains",
            "route53domains:listoperations",
            "route53domains:listtagsfordomain",
            "s3:getbucket*",
            "s3:getlifecycleconfiguration",
            "s3:getobjectacl",
            "s3:getobjectversionacl",
            "s3:listallmybuckets",
            "sdb:domainmetadata",
            "sdb:listdomains",
            "ses:getidentitydkimattributes",
            "ses:getidentityverificationattributes",
            "ses:listidentities",
            "ses:listverifiedemailaddresses",
            "ses:sendemail",
            "sns:gettopicattributes",
            "sns:listsubscriptionsbytopic",
            "sns:listtopics",
            "sqs:getqueueattributes",
            "sqs:listqueues",
            "tag:getresources",
            "tag:gettagkeys"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }]
}

Incremental IAM Policy
Alternatively, here is a policy which defines the permissions which are NOT present in the AWS Managed SecurityAudit policy. Attach both this policy and the AWS Managed SecurityAudit policy to the group and you're good to go.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "acm:DescribeCertificate",
        "acm:ListCertificates",
        "cloudwatchlogs:describeLogGroups",
        "cloudwatchlogs:DescribeMetricFilters",
        "es:DescribeElasticsearchDomainConfig",
        "ses:GetIdentityVerificationAttributes",
        "sns:ListSubscriptionsByTopic"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Bootstrap Script
Quick bash script to set up a "prowler" IAM user and "SecurityAudit" group with the required permissions. To run the script below, you need user with administrative permissions; set the AWS_DEFAULT_PROFILE to use that account.
export AWS_DEFAULT_PROFILE=default
export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
aws iam create-group --group-name SecurityAudit
aws iam create-policy --policy-name ProwlerAuditAdditions --policy-document file://$(pwd)/prowler-policy-additions.json
aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit
aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerAuditAdditions
aws iam create-user --user-name prowler
aws iam add-user-to-group --user-name prowler --group-name SecurityAudit
aws iam create-access-key --user-name prowler
unset ACCOUNT_ID AWS_DEFAULT_PROFILE
The aws iam create-access-key command will output the secret access key and the key id; keep these somewhere safe, and add them to ~/.aws/credentials with an appropriate profile name to use them with prowler. This is the only time they secret key will be shown. If you loose it, you will need to generate a replacement.


Search

Samplicator - Send copies of (UDP) datagrams to multiple receivers, with optional sampling and spoofing

July 21, 2017, 2:30 pm
$
0
0

This small program receives UDP datagrams on a given port, and resends those datagrams to a specified set of receivers. In addition, a sampling divisor N may be specified individually for each receiver, which will then only receive one in N of the received packets.

INSTALLATION
This distribution uses GNU configure for portability and flexibility of installation. You must configure the program for your system before you can compile it using make:
$ ./configure
$ make
The program can then be installed (under /usr/local/bin by default) using "make install":
$ make install

The configure script accepts many arguments, some of which may even be useful. Using "./configure --prefix ..." you can specify a directory other than /usr/local to be used as an installation destination. Call "./configure --help" to get a list of arguments accepted by configure.

USAGE
The usage convention for the program is
$ samplicate [<option>...] [<destination>...]
Where each <option> can be one of
-d <level> to set the debugging level
-s <address> to set interface address on which to listen
  for incoming packets (default any)
-p <port> to set the UDP port on which to listen for
  incoming packets (default 2000)
-b <buflen> size of receive buffer (default 65536)
-c <configfile> specify a config file to read
-x <delay> to specify a transmission delay after each packet,
     in units of microseconds
-S  maintain (spoof) source addresses
-n  don't compute UDP checksum (only relevant with -S)
-f  fork program into background
-m <pidfile> write the process ID to a file
-4  IPv4 only
-6  IPv6 only
-h  to print a usage message and exit
-u <pdulen> size of max pdu on listened socket (default 65536)
and each <destination> should be specified as <addr>[/<port>[/<interval>[,ttl]]], where
<addr>  IP address of the receiver
<port>  port UDP number of the receiver (default 2000)
<freq>  number of received datagrams between successive
  copied datagrams for this receiver.
<ttl>  The TTL (IPv4) or hop-limit (IPv6) for
  outgoing datagrams.
Config file format:
a.b.c.d[/e.f.g.h]: receiver ...
where:
a.b.c.d     is the sender's IP address
e.f.g.h     is a mask to apply to the sender (default 255.255.255.255)
receiver    see above.
Receivers specified on the command line will get all packets, those specified in the config-file will get only packets with a matching source.


Hash Buster - A Script Which Scraps Online Hash Crackers to Find Cleartext of a Hash (MD5, SHA1, SHA2)

July 22, 2017, 8:01 am
$
0
0

Hash Buster is a python script which uses several online hash crackers to find the clear text of a hash in less than 5 seconds.

Features of Hash Buster:
  • Detects hash
  • MD5 Support
  • SHA1 Support
  • SHA2 Support
  • Adding more APIs for SHA1 and SHA2
  • More hash types will be added on demand

Installing and Using Hash Buster

Open your terminal and enter
https://github.com/UltimateHackers/Hash-Buster

Now enter the following command
cd Hash-Buster

Now run Hash Buster by entering
python hash.py

Now you can enter any non-salter MD5/SHA1/SHA2 hash to crack it.


Eternal - An internet scanner for Eternal Blue [exploit CVE-2017-0144]

July 22, 2017, 1:30 pm
$
0
0

Eternal scanner is a network scanner for Eternal Blue exploit CVE-2017-0144.

Requirements
  • masscan
  • metasploit-framework

How to Install

Install Requirements
  • apt-get install masscan metasploit-framework

Screenshots




maltran - Tool To Download Malware Exercises From MALware-TRaffic-ANalysis.net

July 23, 2017, 8:00 am
$
0
0

This tool was developed with the purpose of furthering and organizing access to traffic analysis exercises and malware files captured and published almost daily. Maltran makes the views and downloads exercises and malspams easier in an extremely simple and organized way.

Visit website Malware-Traffic-Analysis - A source for pcap files and malware samples...

Install
$ git clone github.com/MalwareReverseBrasil/maltran.git
 $ cd maltran
  $ sudo apt install python3-pip
   $ pip3 install -r requirements.txt

Help
$ python3 maltran.py --help

Usage
$ python3 maltran.py

Error
$ python2 maltran.py

Screenshots




Developers:
  • Vandré Augusto, Electric Engineer & Malware Researcher - blog
  • Ialle Teixeira, Security/Malware Researcher - blog
Acknowledgments to
  • Thiago Peixoto (@thiagopeixoto)
  • Renato Pacheco (@shrimp)

ReconDog - An All In One Tool For All Your Basic Information Gathering Needs

July 23, 2017, 2:20 pm
$
0
0

Recon Dog is an all in one tool for all your basic information gathering needs. It uses APIs to gather all the information so your identity is not exposed.

Downloading and running Recon Dog

Enter the following command in the terminal to download it
git clone https://github.com/UltimateHackers/ReconDog

After downloading the program, enter the following command to navigate to the Recon Dog directory and listing the contents
cd ReconDog && ls

Now run the script with following command.
python dog.py


WebVulScan - Web Application Vulnerability Scanner

July 24, 2017, 7:22 am
$
0
0

WebVulScan is a web application vulnerability scanner. It is a web application itself written in PHP and can be used to test remote, or local, web applications for security vulnerabilities. As a scan is running, details of the scan are dynamically updated to the user. These details include the status of the scan, the number of URLs found on the web application, the number of vulnerabilities found and details of the vulnerabilities found.

After a scan is complete, a detailed PDF report is emailed to the user. The report includes descriptions of the vulnerabilities found, recommendations and details of where and how each vulnerability was exploited.

The vulnerabilities tested by WebVulScan are:
  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting
  • Standard SQL Injection
  • Broken Authentication using SQL Injection
  • Autocomplete Enabled on Password Fields
  • Potentially Insecure Direct Object References
  • Directory Listing Enabled
  • HTTP Banner Disclosure
  • SSL Certificate not Trusted
  • Unvalidated Redirects

Features:
  • Crawler: Crawls a website to identify and display all URLs belonging to the website.
  • Scanner: Crawls a website and scans all URLs found for vulnerabilities.
  • Scan History: Allows a user to view or download PDF reports of previous scans that they performed.
  • Register: Allows a user to register with the web application.
  • Login: Allows a user to login to the web application.
  • Options: Allows a user to select which vulnerabilities they wish to test for (all are enabled by default).
  • PDF Generation: Dynamically generates a detailed PDF report.
  • Report Delivery: The PDF report is emailed to the user as an attachment.

HoneypotBuster - Microsoft PowerShell Module to Find HoneyPots and HoneyTokens in the Network

July 24, 2017, 4:31 pm
$
0
0

Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host.

CodeExecution
Execute code on a target machine using Import-Module.

Invoke-HoneypotBuster
HoneypotBuster is a tool designed to spot Honey Tokens, Honey Bread Crumbs, and Honey Pots used by common Distributed Deception vendors. This tool will help spot the following deception techniques:

1. Kerberoasting Service Accounts Honey Tokens
Just like the one described in the ADSecurity article by Sean Metcalf, this tricks attackers to scan for Domain Users with assigned SPN (Service Principal Name) and {adminCount = 1} LDAP Attribute flag. So when you try to request TGS for that user, you’ll be exposed as Kerberoasting attempt. TGS definition: A ticket granting server (TGS) is a logical key distribution center (KDC) component that is used by the Kerberos protocol as a trusted third party.

2. Fake Computer Accounts Honey Pots
Creating many domain computer objects with no actual devices associated to them will result in confusion to any attacker trying to study the network. Any attempt to perform lateral movement into these fake objects will lead to exposure of the attacker.

3. Fake Credentials Manager Credentials Breadcrumbs
Many deception vendors are injecting fake credentials into the “Credentials Manager”. These credentials will also be revealed using tools such as Mimikatz. Although they aren’t real, attackers might confuse them as authentic credentials and use them.

4. Fake Domain Admins Accounts Honey Tokens
Creating several domain admins and their credentials who have never been active is bad policy. These Honey Tokens lure attackers to try brute-forcing domain admin credentials. Once someone tries to authenticate to this user, an alarm will be triggered, and the attacker will be revealed. Microsoft ATA uses this method.

5. Fake Mapped Drives Breadcrumbs
Many malicious automated scripts and worms are spreading via SMB Shares, especially if they’re mapped as Network Drive Share. This tool will try to correlate some of the data collected before to identify any mapped drive related to a specific Honey Pot server.

6. DNS Records Manipulation HoneyPots
One of the methods deception vendors use to detect fake endpoints is registering their DNS records towards the Honey Pot Server. They will then be able to point the attacker directly to their honey pot instead of actual endpoints.


Usage
To install any of these modules, drop the PowerShell scripts into a directory and type
Import-Module PathTo\scriptName.ps1

Then run the Module from the Powershell.
Refer to the comment-based help in each individual script for detailed usage information.


Search

Hydra 8.6 - Fast and Flexible Network Login Hacker

July 25, 2017, 7:29 am
$
0
0
 A very fast network logon cracker which supports many different services.

See feature sets and services coverage page - incl. a speed comparison against ncrack and Medusa. Number one of the biggest security holes are passwords, as every password security study shows.

This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.

There are already several login hacker tools available, however, none does either support more than one protocol to attack or support paralyzed connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.

Currently, this tool supports the following protocols:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

CHANGELOG for 8.6
CHANGELOG for 8.6
  ===================
  ! Development moved to a public github repository: https://github.com/vanhauser-thc/thc-hydra

  ! Reports came in that the rdp module is not working reliable sometimes, most likely against new Windows versions. please test, report and if possible send a fix
  * added radmin2 module by catatonic prime - great work!
  * smb module now checks if SMBv1 is supported by the server and if signing is required
  * http-form module now supports URLs up to 6000 bytes (thanks to petrock6@github for the patch)
  * Fix for SSL connections that failed with error:00000000:lib(0):func(0):reason(0) (thanks gaia@github for reporting)
  * Added new command line option:
    -c TIME: seconds between login attempts (over all threads, so -t 1 is recommended)
  * Options put after -R (for loading a restore file) are now honored (and were disallowed before)
  * merged several patches by Diadlo@github to make the code easier readable. thanks for that!
  * merged a patch by Diadlo@github that moves the help output to the invididual module


inforfinder - Tool To Collect Information Of Any Domains Pointing At Some Server (Ip, Domain, Range, File)

July 25, 2017, 12:30 pm
$
0
0

Inforfinder is a tool made to collect information of any domain pointing at a server (ip,domain,range,file).
Requires python libs: pyRequests and pyDNS
-First, you need to install complementary libraries:
user@machine$ sudo apt-get install python-dns python-dnspython python-requests python-lxml python

OR

pip install  pydns
pip install requests --upgrade
pip install  lxml
-Then Download "inforfinder"
-The next step is to run "inforfinder.py": python inforfinder.py --help

Find more information on how to use this app:
 InforFinder v1.0.9 Powered By GGUsoft 2017

 Powered By GGUsoft 2017

 Commands:

 -d <dominio>    Gets a domain for apply any optional commands

 -dD <dominio>    Gets a domain list hosted in IP of the specified domain

 -dI <IP>    Gets a domain list hosted in the specified IP 

 -dR <IP inicio> <IP fin>  Gets a domain list hosted in every IP of the specified range

 -dF <file>    Gets a list with all domains hosted at same IP from a file, the file contens a IP by line


 Optionals:

 inforfinder <command> -cms   Checks if every domain found has a cms website (wordpress, joomla ,etc) and show version

 inforfinder <command> -servinfo  Checks web server parameters

 inforfinder <command> --subdomain-enum          Lists subdomains of every domain found


WSSAT - Web Service Security Assessment Tool

July 25, 2017, 4:30 pm
$
0
0

WSSAT is an open source web service security scanning tool which provides a dynamic environment to add, update or delete vulnerabilities by just editing its configuration files. This tool accepts WSDL address list as input file and for each service, it performs both static and dynamic tests against the security vulnerabilities. It also makes information disclosure controls. With this tool, all web services could be analyzed at once and the overall security assessment could be seen by the organization.

Objectives of WSSAT are to allow organizations:
  • Perform their web services security analysis at once
  • See overall security assessment with reports
  • Harden their web services
WSSAT’s main capabilities include:

Dynamic Testing:
  • Insecure Communication - SSL Not Used
  • Unauthenticated Service Method
  • Error Based SQL Injection
  • Cross Site Scripting
  • XML Bomb
  • External Entity Attack - XXE
  • XPATH Injection
  • Verbose SOAP Fault Message
Static Analysis:
  • Weak XML Schema: Unbounded Occurrences
  • Weak XML Schema: Undefined Namespace
  • Weak WS-SecurityPolicy: Insecure Transport
  • Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
  • Weak WS-SecurityPolicy: Tokens Not Protected
Information Leakage:
  • Server or technology information disclosure
WSSAT’s main modules are:
  • Parser
  • Vulnerabilities Loader
  • Analyzer/Attacker
  • Logger
  • Report Generator
The main difference of WSSAT is to create a dynamic vulnerability management environment instead of embedding the vulnerabilities into the code.
This project has been developed as Term Project at Middle East Technical University (METU), Software Management master program.


DAws - Advanced Web Shell

July 26, 2017, 7:45 am
$
0
0

There's multiple things that makes DAws better than every Web Shell out there:
  1. Bypasses Security Systems(IPS, WAFs,etc) like Suhosin(uses up to 20 php functions just to get a command executed).
  2. Drops CGI Shells and communicate with them to bypass Security Systems.
  3. Uses the SSH Authorized Keys method to bypass Security Systems.
  4. Uses Shellshock in 2 methods to bypass Security Systems.
  5. Is completely Post Based and uses a XOR Encryption based on a random key that gets generated with every new session + private base64 functions to bypass Security Systems.
  6. Supports Windows and Linux.
  7. Finds a writeable and readable directory and moves there if it's a web directory; DAws will output everything in that found directory.
  8. Drops a php.ini and a .htaccess file that clears all disablers incase "suphp" was installed.
  9. Has an advanced File Manager.
  10. Everything is done automatically so there's nothing for the user to worry about.
  11. Open Source.
  12. and much more (check the source for more information; everything is well commented)

Credits:


ASTo - An IoT Network Security Analysis Tool and Visualizer

July 26, 2017, 2:37 pm
$
0
0

ASTo is security analysis tool for IoT networks. It is developed to support the Apparatus security framework. ASTo is based on electron and cytoscape.js. The icons are provided by Google's Material Design.

The application is still in prototyping stage, which means a lot of functionality is being added with each commit, along with massive changes in almost everything.

Screenshots



To Use
To clone and run this repository you'll need Git and Node.js installed on your computer. To download and install the app, type the following in your terminal:
# Clone this repository
git clone https://github.com/Or3stis/apparatus.git
# Go into the repository
cd apparatus
# Install dependencies
npm install
# to run the app
npm start
Because the app is still in prototype stage, it is best to keep up to date with the most recent commits. To do so, before starting the app, type:
# inside the apparatus directory

# update to latest
git pull
The first window (home screen) will ask you to choose which modeling phase would you like to perform analysis in. After you select a phase, a native dialog window will be displayed and ask you choose a file to load. By default, you can only choose .js or .json files.
You will find some example graphs in the graphs folder.

Instructions
If you want to contribute that's great news. Check the contributing guide. The application is being developed on Mac. That means that new commits might introduce breaking changes in other platforms. Especially commits that involve access to the file system. If something is not working, don't hesitate to create an issue.
If you want to find out how the app works check the wiki.
You can check the project's planned features in the roadmap.


Viewing all 5816 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>