
BtleJuice Framework - Bluetooth Smart (LE) Man-in-the-Middle Framework

BtleJuice is a complete framework to perform Man-in-the-Middle attacks on Bluetooth Smart devices (also known as Bluetooth Low Energy). It is composed of:
  • an interception core
  • an interception proxy
  • a dedicated web interface
  • Python and Node.js bindings

How to install BtleJuice?
Installing BtleJuice is child's play. First of all, make sure your system uses a recent version of Node.js (>=4.3.2) and npm. Then, make sure to install all the required dependencies:

Ubuntu/Debian/Raspbian
sudo apt-get install bluetooth bluez libbluetooth-dev libudev-dev
Fedora / other RPM-based
sudo yum install bluez bluez-libs bluez-libs-devel npm
Last, install BtleJuice using npm:
sudo npm install -g btlejuice
If everything went well, BtleJuice is ready to use!

How to use BtleJuice ?
BtleJuice is composed of two main components: an interception proxy and a core. These two components must run on independent machines in order to operate two Bluetooth 4.0+ adapters simultaneously. BtleJuice Proxy does not work in a Docker container.
Using a virtual machine may help to make this framework work on a single computer.
From your virtual machine, install btlejuice and make sure your USB BT4 adapter is available from the virtual machine:
$ sudo hciconfig
hci0: Type: BR/EDR Bus: USB
BD Address: 10:02:B5:18:07:AD ACL MTU: 1021:5 SCO MTU: 96:6
DOWN
RX bytes:1433 acl:0 sco:0 events:171 errors:0
TX bytes:30206 acl:0 sco:0 commands:170 errors:0
$ sudo hciconfig hci0 up
Then, make sure your virtual machine has an IP address reachable from the host.
Launch the proxy in your virtual machine:
$ sudo btlejuice-proxy
On your host machine, don't forget to stop the bluetooth service and ensure the HCI device remains opened/initialized:
$ sudo service bluetooth stop
$ sudo hciconfig hci0 up
Finally, run the following command on your host machine:
$ sudo btlejuice -u <Proxy IP address> -w
The -w flag tells BtleJuice to start the web interface, while the -u option specifies the proxy's IP address.
The web user interface is now available at http://localhost:8080. Note that the web server port may be changed through the command line.

Using the web interface
BtleJuice's web interface provides a set of links in the top-right corner to control the interception core, as shown below.


Target selection
First, click the Select target button and a dialog will show up displaying all the available Bluetooth Low Energy devices detected by the interception core:


Double-click on the desired target, and wait for the interface to be ready (the Bluetooth button's aspect will change). Once the dummy device is ready, use the associated mobile application or another device (depending on what is expected) to connect to the dummy device. If the connection succeeds, a Connected event will be shown on the main interface.


All the intercepted GATT operations are then displayed with the corresponding service and characteristic UUIDs, and of course the data associated with them. The data is shown by default in the HexII format (a variant of the format designed by Ange Albertini), but you may switch from HexII to Hex (and back) by clicking on the data itself. Both the Hex and HexII formats are supported by BtleJuice.

Replay GATT operations
It is possible to replay any GATT operation by right-clicking it and then selecting the Replay option, as shown below:



Click the Write (or Read) button to replay the corresponding GATT operation. This operation will be logged in the main interface.

On-the-fly data modification
Last but not least, the interface may intercept any GATT operation, locally or globally, and allow on-the-fly data modification. You may either use global interception by clicking the Intercept button in the top-right corner, or use the contextual menu to enable or disable a hook on a given service and characteristic. Any time a GATT operation is intercepted, the following dialog box will show up:


Export data to file
Since version 1.0.6, the interface provides a data export feature allowing readable and JSON exports. These exports are generated based on the intercepted GATT operations, but also include information about the target device. When the Export button is clicked, the following dialog will show up:


Click the Export button at the bottom of the dialog box to download a JSON (or text) version of the intercepted data.

Settings
The settings dialog provides a single option at the moment, which automatically reconnects the proxy when the target device disconnects. This may be useful when dealing with devices that are only active for a short amount of time.


Disconnection
Clicking the top-right Select Target button when the proxy is active will stop it and allow target selection again.

Installing the bindings
BtleJuice's Node.js bindings may be installed as well through npm:
$ sudo npm install -g btlejuice-bindings
More information about how to use the Node.js bindings can be found in the package documentation.



GOSINT - Open Source Threat Intelligence Gathering and Processing Framework


The GOSINT framework is a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs). GOSINT allows a security analyst to collect and standardize structured and unstructured threat intelligence. Applying threat intelligence to security operations enriches alert data with additional confidence, context, and co-occurrence. This means that you apply research from third parties to security event data to identify similar, or identical, indicators of malicious behavior. The framework is written in Go with a JavaScript frontend.

Installation
Please find the installation procedure at http://gosint.readthedocs.io/en/latest/installation.html
There are three ways to get up and running:
  1. Bash install script
  2. Docker
  3. Manual installation

Updates
Updating is simple and encouraged as bugs are reported and fixed or new features are added. To update your instance of GOSINT, pull the latest version of GOSINT from the repository and re-run the build command to compile the updated binary.
godep go build -o gosint

Configuration
GOSINT needs some quick initial configuration to start making use of the framework features. All the settings you will need to specify can be found under the "Settings" tab.
Please find the configuration procedure at http://gosint.readthedocs.io/en/latest/configuration.html

Use
Please find the instructions for use at http://gosint.readthedocs.io/en/latest/use.html



BruteSpray v1.6.0 - Brute-Forcing from Nmap output (Automatically attempts default creds on found services)


BruteSpray takes Nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find services on non-standard ports when the scan was run with Nmap's -sV option, because it keys on the detected service name rather than the port number.

Installation
pip install -r requirements.txt
On Kali:
apt-get install brutespray

Usage
First do an nmap scan with -oG nmap.gnmap or -oX nmap.xml.

Command:
python brutespray.py -h
Command:
python brutespray.py --file nmap.gnmap
Command:
python brutespray.py --file nmap.xml
Command:
python brutespray.py --file nmap.xml -i


Examples

Using Custom Wordlists:
python brutespray.py --file nmap.gnmap -U /usr/share/wordlist/user.txt -P /usr/share/wordlist/pass.txt --threads 5 --hosts 5

Brute-Forcing Specific Services:
python brutespray.py --file nmap.gnmap --service ftp,ssh,telnet --threads 5 --hosts 5

Specific Credentials:
python brutespray.py --file nmap.gnmap -u admin -p password --threads 5 --hosts 5

Continue After Success:
python brutespray.py --file nmap.gnmap --threads 5 --hosts 5 -c

Use Nmap XML Output
python brutespray.py --file nmap.xml --threads 5 --hosts 5

Interactive Mode
python brutespray.py --file nmap.xml -i
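The first thing BruteSpray does with the scan file is pick out the open services it knows how to test, by service name rather than port number. The following Python is an added example of that parsing step, not BruteSpray's own code; the Nmap XML it reads is constructed inline, and the Nmap-name-to-module table is an assumption kept deliberately small. From a defender's side the same parser is a quick inventory of which credential-guessable services a scan exposed.

```python
"""Parse Nmap -oX output and list open services by detected service name,
the way a BruteSpray-style tool selects its targets.
Added example with constructed input; not BruteSpray's own code."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Services listed as supported in the BruteSpray README (used as an allow-list).
SUPPORTED = {
    "ssh", "ftp", "telnet", "vnc", "mssql", "mysql", "postgresql", "rsh",
    "imap", "nntp", "pcanywhere", "pop3", "rexec", "rlogin", "smbnt",
    "smtp", "svn", "vmauthd", "snmp",
}

# Nmap reports some services under names that differ from the module names
# above; a small hand-written mapping (assumption) covers the common ones.
NMAP_TO_MODULE = {
    "ms-sql-s": "mssql",
    "microsoft-ds": "smbnt",
    "netbios-ssn": "smbnt",
}

# Constructed Nmap XML (not a real scan): SSH on a non-standard port,
# a filtered port that must be ignored, and an MSSQL instance.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="2222"><state state="open"/>
        <service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/>
        <service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433"><state state="open"/>
        <service name="ms-sql-s"/></port>
      <port protocol="udp" portid="161"><state state="open"/>
        <service name="snmp"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {module: [(ip, port), ...]} for every open port whose detected
    service is in SUPPORTED. Hosts that are not up, ports that are not open,
    and ports without a service element are skipped."""
    root = ET.fromstring(xml_text)
    found = defaultdict(list)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            if service is None or service.get("name") is None:
                continue
            name = NMAP_TO_MODULE.get(service.get("name"), service.get("name"))
            if name in SUPPORTED:
                found[name].append((ip, int(port.get("portid"))))
    return dict(found)


def select_services(found, wanted):
    """Mimic --service ftp,ssh,telnet: keep only the requested modules."""
    keep = {s.strip() for s in wanted.split(",")}
    return {k: v for k, v in found.items() if k in keep}


if __name__ == "__main__":
    for module, targets in sorted(parse_nmap_xml(SAMPLE_XML).items()):
        print(module, targets)
```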


Supported Services
  • ssh
  • ftp
  • telnet
  • vnc
  • mssql
  • mysql
  • postgresql
  • rsh
  • imap
  • nntp
  • pcanywhere
  • pop3
  • rexec
  • rlogin
  • smbnt
  • smtp
  • svn
  • vmauthd
  • snmp

Video

Changelog
  • v1.6.0
    • added support for SNMP
  • v1.5.3
    • adjustments to wordlists
  • v1.5.2
    • change tmp and output directory behavior
  • v1.5.1
    • added check for no services
  • v1.5
    • added interactive mode
  • v1.4
    • added ability to use nmap XML
  • v1.3
    • added the ability to stop on success
    • added the ability to reference custom userlists and passlists
    • added the ability to specify specific users & passwords



Username Anarchy - Username Tools For Penetration Testing


Tools for generating usernames when penetration testing. Usernames are half the password brute force problem.
This is useful for user account/password brute force guessing and username enumeration when usernames are based on the users' names. By attempting a few weak passwords across a large set of user accounts, user account lockout thresholds can be avoided.

Users' names can be identified through a variety of methods:
  • Web scraping employee names from LinkedIn, Facebook, and other social networks.
  • Extracting metadata from document types such as PDF, Word, Excel, etc. This can be performed with FOCA.
Common aliases, or self chosen usernames, from forums are also included.

Features
  • Plugin architecture for username formats
  • Format string style username format definitions
  • Substitutions, e.g. when only a first initial and last name are known (LinkedIn lists users like this), it will attempt all possible first names
  • Country databases of common first and last names from Familypedia and PublicProfiler
  • Includes the Facebook common first and last name lists

Extras
  • Common forum usernames, ordered by popularity

Usage
Username Anarchy is a command line tool.
Usage: ./username-anarchy [OPTIONS]... [firstname|first last|first middle last]
Author: Andrew Horton (urbanadventurer). Version: 0.5

Names:
-i, --input-file FILE Input list of names. Can be SPACE, CSV or TAB delimited.
Defaults to firstname, lastname. Valid column headings are:
firstinitial, firstname, lastinitial, lastname,
middleinitial, middlename.
-a, --auto Automatically generate names from a country/list
-c, --country COUNTRY COUNTRY can be one of the following datasets:
PublicProfiler:
argentina, austria, belgium, canada, china,
denmark, france, germany, hungary, india, ireland,
italy, luxembourg, netherlands, newzealand, norway,
poland, serbia, slovenia, spain, sweden,
switzerland, uk, us
Other:
Facebook - uses the Facebook top 10,000 names
--given-names FILE Dictionary of given names
--family-names FILE Dictionary of family names
-s, --substitute STATE Control name substitutions
Valid values are 'on' and 'off'. Default: off
Can substitute any part of a name not available
-m, --max-sub NUM Limit quantity of substitutions per plugin.
Default: -1 (Unlimited)

Username format:
-l, --list-formats List format plugins
-f, --select-format LIST Select format plugins by name. Comma delimited list
-r, --recognise USERNAME Recognise which format is in use for a username.
This uses the Facebook dataset. Use verbose mode to
show progress.
-F, --format FORMAT Define the user format using either format string or
ABK format. See README.md for format details.

Output:
-@, --suffix BOOL Suffix. e.g. @example.com
Default: None
-C BOOL, Case insensitive usernames.
--case-insensitive Default: True (All lower case)

Miscellaneous:
-v, --verbose Display plugin format comments in output and displays
last name searches in plugin format recogniser
-h, --help

Example Usage

You know the name of a user but not the username format
./username-anarchy anna key
anna
annakey
anna.key
annakey
annak
a.key
akey
kanna
k.anna
...

You know the username format and names of users
./username-anarchy --input-file ./test-names.txt  --select-format first.last
andrew.horton
jim.vongrippenvud
peter.otoole

You know the server is in France
Note that -a or --auto is required when you do not specify any input names.
./username-anarchy --country france --auto
martin
bernard
thomas
durand
richard
robert
petit
moreau
dubois
simon
martinsmith
martinjohnson
...

List username format plugins
./username-anarchy --list-formats
Plugin name Example
--------------------------------------------------------------------------------
first anna
firstlast annakey
first.last anna.key
firstlast[8] annakey
firstl annak
f.last a.key
flast akey
lfirst kanna
l.first k.anna
lastf keya
last key
last.f key.a
last.first key.anna
FLast AKey
first1 anna0,anna1,anna2
fl ak
fmlast abkey
firstmiddlelast annaboomkey
fml abk
FL AK
FirstLast AnnaKey
First.Last Anna.Key
Last Key
FML ABK

Automatically recognise the username format in use
./username-anarchy --recognise j.smith
Recognising j.smith. This can take a while.
Username format j.smith recognised. Plugin name: f.last

Input Files
To generate usernames for more than one user account you must provide the names in a text file. This can be either TAB or CSV delimited.

Example 1
Firstname,Lastname
Andrew,Horton
Jim, von Grippenvud
Peter,O'Toole

Example 2
LinkedIn often shows the firstname and last initial
firstname,lastinitial
andrew,h
foo,b

Example 3
Mixed set of names
firstname,firstinitial,middleinitial,lastname,lastinitial
andrew,,,horton,
jim,,,,v
,p,,o'toole,

Custom Plugins

Command line Plugins
Define a custom plugin format using either the ABK or format string format. Specify the username format with -F or --format

Example 1
./username-anarchy -F "v-annakey" andrew horton
v-andrewhorton

Example 2
./username-anarchy -F "v-%f%l" -a -C poland
v-nowaksmith
v-nowakjohnson
v-nowakjones
v-nowakwilliams
v-nowakbrown
v-nowaklee
v-nowakkhan
v-nowaksingh
v-nowakkumar
v-nowakmiller
...

Writing Plugins
You can add plugins to Username Anarchy by defining them in format-plugins.rb.
This example uses the ABK format:
Plugin.define "last.first" do
  def generate(n)
    n.format_anna("key.anna")
  end
end
This example uses the format string format:
Plugin.define "first" do
  def generate(n)
    n.format("%f")
  end
end

Format Strings
Username Anarchy provides a method of defining a username format with format strings.
  • %F - Firstname
  • %M - Middlename
  • %L - Lastname
  • %f - firstname
  • %m - middlename
  • %l - lastname
  • %i.f - first initial
  • %i.m - middle initial
  • %i.l - last initial
  • %i.F - First initial
  • %i.M - Middle initial
  • %i.L - Last initial
  • %D - Digit range 0..9
  • %DD - Digit range 00..99

ABK Format
Username Anarchy provides a method of defining a username format with ABK format which translates to format strings.
  • Anna - %F
  • Boom - %M
  • Key - %L
  • anna - %f
  • boom - %m
  • key - %l
  • A - %i.F
  • B - %i.M
  • K - %i.L
  • a - %i.f
  • b - %i.m
  • k - %i.l
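The two format definitions above (format strings and the ABK shorthand that translates to them) are small enough to implement in full. The following Python is an added example, not Username Anarchy's own code (the tool is written in Ruby): it translates an ABK pattern into a format string using the table above, then expands a format string for one first/middle/last name, producing one username per digit value for %D and %DD. The -F examples from this page are reproduced at the bottom.

```python
"""Username Anarchy's format mini-language, reimplemented as an added example.
abk_to_format() applies the ABK table; expand() applies the %-tokens."""
import re

# ABK tokens from the README table, longest first so 'anna' wins over 'a'
# and 'Key' wins over 'K'. Anything not in the table is a literal character.
ABK_TOKENS = [
    ("Anna", "%F"), ("Boom", "%M"), ("Key", "%L"),
    ("anna", "%f"), ("boom", "%m"), ("key", "%l"),
    ("A", "%i.F"), ("B", "%i.M"), ("K", "%i.L"),
    ("a", "%i.f"), ("b", "%i.m"), ("k", "%i.l"),
]

# Format-string tokens; %i.x and %DD are tried before %D and the plain letters.
FMT_TOKEN = re.compile(r"%(i\.[fmlFML]|DD|D|[fmlFML])")


def abk_to_format(abk):
    """Translate an ABK pattern such as 'key.anna' into '%l.%f'."""
    out, i = [], 0
    while i < len(abk):
        for tok, fmt in ABK_TOKENS:
            if abk.startswith(tok, i):
                out.append(fmt)
                i += len(tok)
                break
        else:                       # no token matched: keep the literal character
            out.append(abk[i])
            i += 1
    return "".join(out)


def _part(name, key):
    """Resolve one token key (f, F, i.l, ...) against a (first, middle, last) tuple."""
    first, middle, last = name
    table = {
        "f": first.lower(), "m": middle.lower(), "l": last.lower(),
        "F": first.capitalize(), "M": middle.capitalize(), "L": last.capitalize(),
    }
    if key.startswith("i."):        # initial: first character of the chosen part
        return table[key[2]][:1]
    return table[key]


def expand(fmt, name):
    """Expand a format string for one name. %D / %DD fan out into one
    username per digit value, so a list is always returned."""
    results = [""]
    pos = 0
    for m in FMT_TOKEN.finditer(fmt):
        literal = fmt[pos:m.start()]
        key = m.group(1)
        if key == "D":
            choices = [str(d) for d in range(10)]
        elif key == "DD":
            choices = ["%02d" % d for d in range(100)]
        else:
            choices = [_part(name, key)]
        results = [r + literal + c for r in results for c in choices]
        pos = m.end()
    tail = fmt[pos:]
    return [r + tail for r in results]


def generate(pattern, name, abk=False):
    """Mirror of -F/--format: pattern is ABK when abk=True, else a format string."""
    fmt = abk_to_format(pattern) if abk else pattern
    return expand(fmt, name)


if __name__ == "__main__":
    # The two -F examples from the README.
    print(generate("v-annakey", ("andrew", "", "horton"), abk=True))   # ['v-andrewhorton']
    print(generate("v-%f%l", ("nowak", "", "smith")))                  # ['v-nowaksmith']
    # The first1 plugin: %D fans out to anna0 .. anna9.
    print(generate("%f%D", ("anna", "", "key"))[:3])                   # ['anna0', 'anna1', 'anna2']
```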

Forum Usernames
The forum-names folder contains:
  • common-forum-names.csv - A CSV file with forum names and the frequency they appeared with
  • common-forum-names-top10k.txt - The top 10,000 forum names
  • common-forum-names.txt - 1,774,313 forum names
  • phpbb-scraper.rb - a web scraper for usernames on PHPbb forums

Name Resources

Names

Name Parsing:



Qubes OS - A Security-Oriented Operating System


Qubes OS is a security-oriented operating system (OS). The OS is the software that runs all the other programs on a computer. Some examples of popular OSes are Microsoft Windows, Mac OS X, Android, and iOS. Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it.

Why is OS security important?

Most people use an operating system like Windows or OS X on their desktop and laptop computers. These OSes are popular because they tend to be easy to use and usually come pre-installed on the computers people buy. However, they present problems when it comes to security. For example, you might open an innocent-looking email attachment or website, not realizing that you’re actually allowing malware (malicious software) to run on your computer. Depending on what kind of malware it is, it might do anything from showing you unwanted advertisements to logging your keystrokes to taking over your entire computer. This could jeopardize all the information stored on or accessed by this computer, such as health records, confidential communications, or thoughts written in a private journal. Malware can also interfere with the activities you perform with your computer. For example, if you use your computer to conduct financial transactions, the malware might allow its creator to make fraudulent transactions in your name.

Aren’t antivirus programs and firewalls enough?

Unfortunately, conventional security approaches like antivirus programs and (software and/or hardware) firewalls are no longer enough to keep out sophisticated attackers. For example, nowadays it’s common for malware creators to check to see if their malware is recognized by any signature-based antivirus programs. If it’s recognized, they scramble their code until it’s no longer recognizable by the antivirus programs, then send it out. The best of these programs will subsequently get updated once the antivirus programmers discover the new threat, but this usually occurs at least a few days after the new attacks start to appear in the wild. By then, it’s too late for those who have already been compromised. More advanced antivirus software may perform better in this regard, but it’s still limited to a detection-based approach. New zero-day vulnerabilities are constantly being discovered in the common software we all use, such as our web browsers, and no antivirus program or firewall can prevent all of these vulnerabilities from being exploited.

How does Qubes OS provide security?

Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.
This approach allows you to keep the different things you do on your computer securely separated from each other in isolated qubes so that one qube getting compromised won’t affect the others. For example, you might have one qube for visiting untrusted websites and a different qube for doing online banking. This way, if your untrusted browsing qube gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use disposable qube. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop.
Moreover, all of these isolated qubes are integrated into a single, usable system. Programs are isolated in their own separate qubes, but all windows are displayed in a single, unified desktop environment with unforgeable colored window borders so that you can easily identify windows from different security levels. Common attack vectors like network cards and USB controllers are isolated in their own hardware qubes while their functionality is preserved through secure networking, firewalls, and USB device management. Integrated file and clipboard copy and paste operations make it easy to work across various qubes without compromising security. The innovative Template system separates software installation from software use, allowing qubes to share a root filesystem without sacrificing security (and saving disk space, to boot). Qubes even allows you to sanitize PDFs and images in a few clicks. Users concerned about privacy will appreciate the integration of Whonix with Qubes, which makes it easy to use Tor securely, while those concerned about physical hardware attacks will benefit from Anti Evil Maid.

How does Qubes OS compare to using a “live CD” OS?

Booting your computer from a live CD (or DVD) when you need to perform sensitive activities can certainly be more secure than simply using your main OS, but this method still preserves many of the risks of conventional OSes. For example, popular live OSes (such as Tails and other Linux distributions) are still monolithic in the sense that all software is still running in the same OS. This means, once again, that if your session is compromised, then all the data and activities performed within that same session are also potentially compromised.

How does Qubes OS compare to running VMs in a conventional OS?

Not all virtual machine software is equal when it comes to security. You may have used or heard of VMs in relation to software like VirtualBox or VMware Workstation. These are known as “Type 2” or “hosted” hypervisors. (The hypervisor is the software, firmware, or hardware that creates and runs virtual machines.) These programs are popular because they’re designed primarily to be easy to use and run under popular OSes like Windows (which is called the host OS, since it “hosts” the VMs). However, the fact that Type 2 hypervisors run under the host OS means that they’re really only as secure as the host OS itself. If the host OS is ever compromised, then any VMs it hosts are also effectively compromised.
By contrast, Qubes uses a “Type 1” or “bare metal” hypervisor called Xen. Instead of running inside an OS, Type 1 hypervisors run directly on the “bare metal” of the hardware. This means that an attacker must be capable of subverting the hypervisor itself in order to compromise the entire system, which is vastly more difficult.
Qubes makes it so that multiple VMs running under a Type 1 hypervisor can be securely used as an integrated OS. For example, it puts all of your application windows on the same desktop with special colored borders indicating the trust levels of their respective VMs. It also allows for things like secure copy/paste operations between VMs, securely copying and transferring files between VMs, and secure networking between VMs and the Internet.

How does Qubes OS compare to using a separate physical machine?

Using a separate physical computer for sensitive activities can certainly be more secure than using one computer with a conventional OS for everything, but there are still risks to consider. Briefly, here are some of the main pros and cons of this approach relative to Qubes:

Pros
  • Physical separation doesn’t rely on a hypervisor. (It’s very unlikely that an attacker will break out of Qubes’ hypervisor, but if one were to manage to do so, one could potentially gain control over the entire system.)
  • Physical separation can be a natural complement to physical security. (For example, you might find it natural to lock your secure laptop in a safe when you take your unsecure laptop out with you.)

Cons
  • Physical separation can be cumbersome and expensive, since we may have to obtain and set up a separate physical machine for each security level we need.
  • There’s generally no secure way to transfer data between physically separate computers running conventional OSes. (Qubes has a secure inter-VM file transfer system to handle this.)
  • Physically separate computers running conventional OSes are still independently vulnerable to most conventional attacks due to their monolithic nature.
  • Malware which can bridge air gaps has existed for several years now and is becoming increasingly common.


Relayer - SMB Relay Attack Script


Relayer is an SMB relay attack script that automates all the steps needed to scan for systems with SMB signing disabled and relay authentication requests to those systems with the objective of gaining a shell. Useful when performing penetration testing.

Relayer uses Unicorn from TrustedSec to create the payload that is executed on the target system you select (see https://github.com/trustedsec/unicorn). You can run the listener on the system running Relayer or on an alternate system.
Other payload options will be added.

USE
Run install_req.sh to validate dependencies and install any that are missing.
Once everything is ready, usage is simple: run as root:
sudo ./relayer.sh

How does the script work?
The script runs the following steps:
  • Scans the target network for SMB systems and lists those with SMB signing disabled
  • The user selects the system to relay the authentication attempts to
  • The user selects where to set up the listener for incoming connections
  • Relayer creates the payload and sets up Responder and SMBRelayX
  • Wait for connection attempts to your attacking machine and check the listener


PiKarma - Detects Wireless Network Attacks


Detects wireless network attacks performed by the KARMA module (fake AP) and starts a deauthentication attack against the fake access points.

Working Principle for PiKarma
  • Collects all probe response packets from the wireless network.
  • Analyses all the packets in real time.
  • If PiKarma sees more than one SSID advertised by a single MAC address in probe responses,
  • it logs the activity with some extra information using the defined template and sends deauthentication packets.
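The detection rule above (one transmitter MAC answering probes with more than one SSID) is simple enough to show end to end. The following Python is an added example and not PiKarma's code: it feeds a constructed sequence of probe responses through a stateful detector that alerts once per offending MAC and renders a log line from a template; a real deployment would take (MAC, SSID) pairs from a live 802.11 capture instead, and this example stops at logging rather than sending deauthentication frames.

```python
"""KARMA-style fake AP detection over probe responses, as described in the
PiKarma README. Added example with constructed frames; not PiKarma's code."""
from collections import defaultdict

# Constructed probe responses as (transmitter MAC, SSID). The MAC ending in
# :ee behaves like a KARMA AP and answers for every network that is probed.
SAMPLE_FRAMES = [
    ("aa:bb:cc:00:00:01", "HomeNet"),
    ("aa:bb:cc:00:00:ee", "HomeNet"),
    ("aa:bb:cc:00:00:02", "CoffeeShop"),
    ("aa:bb:cc:00:00:ee", "CoffeeShop"),
    ("aa:bb:cc:00:00:01", "HomeNet"),      # repeat of a legitimate SSID: no alert
    ("aa:bb:cc:00:00:ee", "AirportFree"),  # third SSID from the same MAC
]

# Log template (an assumption; PiKarma's own template is not shown on the page).
LOG_TEMPLATE = "[KARMA?] {mac} answered probes for {count} SSIDs: {ssids}"


class KarmaDetector:
    """Tracks the set of SSIDs seen per transmitter MAC and alerts once per
    MAC when that set exceeds the threshold (the README's rule is 'more than
    one SSID', i.e. threshold=1)."""

    def __init__(self, threshold=1):
        self.threshold = threshold
        self.ssids_by_mac = defaultdict(set)
        self.alerted = set()

    def observe(self, mac, ssid):
        """Feed one probe response. Returns a log line the first time a MAC
        trips the rule, otherwise None."""
        mac = mac.lower()                      # normalise case before keying
        seen = self.ssids_by_mac[mac]
        seen.add(ssid)
        if len(seen) > self.threshold and mac not in self.alerted:
            self.alerted.add(mac)
            return LOG_TEMPLATE.format(
                mac=mac, count=len(seen), ssids=", ".join(sorted(seen)))
        return None

    def suspects(self):
        """MACs that have been flagged so far, in sorted order."""
        return sorted(self.alerted)


def scan(frames):
    """Run the detector over a list of frames; return the alerts in order."""
    det = KarmaDetector()
    alerts = []
    for mac, ssid in frames:
        line = det.observe(mac, ssid)
        if line:
            alerts.append(line)
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_FRAMES):
        print(line)
```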

How does a KARMA attack work?
  • The fake AP sends a probe response for every probe request it sees
Example:

Software and hardware that use the KARMA module
  • FruityWifi
  • WiFi Pineapple
  • Mana (improvements to KARMA attacks)
  • ..

Soon to be added features
  • New techniques for KARMA and MANA attacks

DEMO



WPHardening v1.6 - Fortify the security of any WordPress installation



Fortify the security of any WordPress installation.
This tool releases new versions on a regular basis. Make sure to update your dependencies frequently to get the latest version. Check out the changelog or CHANGELOG.md to learn about the new features.

Installation
Installing WPHardening requires you to execute one console command:
$ pip install -r requirements.txt

Usage
$ python wphardening.py -h 

Fortify the security of any WordPress installation.

Caceria de Spammers - http://www.caceriadespammers.com.ar

Usage: python wphardening.py [options]

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose Active verbose mode output results
--update Check for WPHardening latest stable version

Target:
This option must be specified to modify the package WordPress.

-d DIRECTORY, --dir=DIRECTORY
**REQUIRED** - Working Directory.
--load-conf=FILE Load file configuration.

Hardening:
Different tools to hardening WordPress.

-c, --chmod Chmod 755 in directory and 644 in files.
-r, --remove Remove files and directory.
-b, --robots Create file robots.txt
-f, --fingerprinting
Deleted fingerprinting WordPress.
-t, --timthumb Find the library TimThumb.
--chown=user:group Changing file and directory owner.
--wp-config Wizard generated wp-config.php
--plugins Download Plugins Security.
--proxy=PROXY Use a HTTP proxy to connect to the target url for
--plugins and --wp-config.
--indexes It deny you to display the contents of directories.
--minify Compressing static file .css and .js
--malware-scan Malware Scan in WordPress project.
--6g-firewall 6G Firewall.
--rest-api Disable REST API.

Miscellaneous:
-o FILE, --output=FILE
Write log report to FILE.log

Examples

Check a WordPress Project
Before using the tool, we must ensure that our working directory is a WordPress installation.
$ python wphardening.py -d /home/path/to/wordpress -v

Change permissions
This option applies the correct permissions to files and directories (755 on directories, 644 on files).
$ python wphardening.py -d /home/path/to/wordpress --chmod -v
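What --chmod enforces is a flat policy: 755 on every directory, 644 on every file. The following Python is an added example, not WPHardening's own code, that separates the check from the fix so the tree can be audited first; it builds a small constructed WordPress-like tree in a temporary directory to run against, skips symlinks (chmod would follow them out of the tree), and reports paths relative to the root.

```python
"""Audit and enforce the 755/644 permission policy WPHardening's --chmod
applies. Added example; make_sample_tree() builds a constructed fixture."""
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644


def audit(root):
    """Return a sorted list of (relative path, current mode, expected mode)
    for every directory or regular file whose permission bits differ from
    the policy. Symlinks are ignored rather than followed."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            if os.path.islink(path):
                continue
            current = stat.S_IMODE(os.lstat(path).st_mode)
            if current != expected:
                findings.append((os.path.relpath(path, root), current, expected))
    return sorted(findings)


def fix_permissions(root):
    """Chmod everything audit() flagged; return the number of entries changed."""
    changed = 0
    for rel, _current, expected in audit(root):
        os.chmod(os.path.join(root, rel), expected)
        changed += 1
    return changed


def make_sample_tree():
    """Constructed fixture: a tiny WordPress-like tree with two wrong modes
    (a world-writable directory and an over-restricted wp-config.php) and
    one file that is already correct. Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.chmod(root, DIR_MODE)
    content = os.path.join(root, "wp-content")
    os.mkdir(content)
    os.chmod(content, 0o777)                              # too permissive
    config = os.path.join(root, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("<?php // constructed sample\n")
    os.chmod(config, 0o600)                               # deviates from 644
    index = os.path.join(content, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php // Silence is golden.\n")
    os.chmod(index, FILE_MODE)                            # already correct
    return root


if __name__ == "__main__":
    demo = make_sample_tree()
    for rel, cur, exp in audit(demo):
        print("%-20s %04o -> %04o" % (rel, cur, exp))
    print("fixed:", fix_permissions(demo), "remaining:", len(audit(demo)))
```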

Remove files that are not used
Part of fortifying any system is removing the files, directories or components that are not required.
$ python wphardening.py -d /home/path/to/wordpress --remove -v

Create your robots.txt file
WordPress does not ship a robots.txt file by default; with this option we can customize our robots.txt.
$ python wphardening.py -d /home/path/to/wordpress --robots -v
For more information, see robots.txt.

Remove all fingerprinting and Version
$ python wphardening.py -d /home/path/to/wordpress --fingerprinting -v

Check a TimThumb library
$ python wphardening.py -d /home/path/to/wordpress --timthumb -v

Create Index file
This file is created to prevent browsing of a directory's contents.
$ python wphardening.py -d /home/path/to/wordpress --indexes -v

Download Plugins security
The following is a list of the most commonly used security plugins that you can download automatically:
$ python wphardening.py -d /home/path/to/wordpress --plugins

Wizard generated wp-config.php
This command automatically creates a file called wp-config-wphardening.php, which you can then rename.
$ python wphardening.py -d /home/path/to/wordpress --wp-config

6G Firewalls
$ python wphardening.py -d /home/path/to/wordpress --6g-firewall

Disable REST API
$ python wphardening.py -d /home/path/to/wordpress --rest-api

WPHardening update
With this option you can always have the latest version of WPHardening.
$ python wphardening.py --update

Use all options
$ python wphardening.py -d /home/path/to/wordpress -c -r -f -t --wp-config --indexes --plugins --6g-firewall --rest-api -o /home/user/wphardening.log

Project Home
www.caceriadespammers.com.ar



Merlin - A cross-platform post-exploitation HTTP/2 Command & Control server and agent


Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Go.
An introductory blog post can be found here: https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a

Getting Started
The quickest and easiest way to start using Merlin is to download the pre-compiled binary files found in the Releases section. The files are compressed into 7z archives and are password protected to prevent anti-virus inspection when downloading. The password is merlin.

Install GO
In order to run Merlin from source, or to compile Merlin yourself, the Go programming language must be installed on the system. However, if you just want to run a pre-compiled version, you do not need to install Go.
Download and install GO: https://golang.org/doc/install

Download Merlin Server
It is recommended to download the compiled binaries from the Releases section
Ensure your GOPATH environment variable is set
Download Merlin with Go
go get github.com/Ne0nd0g/merlin
If you want to use git instead of Go, Merlin must be in your GOPATH, i.e. $GOPATH/src/github.com/Ne0nd0g/merlin
cd $GOPATH/src/github.com/Ne0nd0g;git clone https://github.com/Ne0nd0g/merlin/

Run Merlin Server
Merlin Server can be run as a script or compiled and run as a standalone binary file.
go run cmd/merlinserver/main.go

Compile Merlin Server
Compile Merlin into an executable using Make: make server-windows, make server-linux or make server-darwin

Merlin Server Usage
  -debug
        Enable debug output
  -i string
        The IP address of the interface to bind to (default "0.0.0.0")
  -p int
        Merlin Server Port (default 443)
  -v    Enable verbose output
  -x509cert string
        The x509 certificate for the HTTPS listener (default "C:\\Merlin\\data\\x509\\server.crt")
  -x509key string
        The x509 certificate key for the HTTPS listener (default "C:\\Merlin\\data\\x509\\server.key")

Merlin Server Commands
Merlin is equipped with a tab completion system that can be used to see what commands are available at any given time. Hit double tab to get a list of all available commands.

exit Exit and close Merlin

help Show Merlin help menu

quit Exit and close Merlin

? Show Merlin help menu

Agent Commands
These are the commands to control an agent from the server. Tab completion can be used to select an Agent's identifier.
agent cmd <agent id> <command>        A command to run on a remote agent

agent control <agent id> <command>    Configure/Control a remote agent (not the host)
                                      [kill,sleep,padding,maxretry]

agent info <agent id>                 Display all information for an agent

agent list                            List agents

TLS Certificates
By default, Merlin will load server.crt and server.key from the data/x509/ directory. You must generate your own certificate pair and place them in this directory.

Third Party Libraries
The 3rd party libraries used with Merlin are kept in the vendor directory. This project will default to using the library files in that folder.

Running Merlin Agent
The agent portion of Merlin should be run as a compiled binary file on a target host.
It is recommended to download the compiled binaries from the Releases section
Ensure your GOPATH environment variable is set!
Compile Merlin Agent into an executable
make agent-windows or make agent-linux or make agent-darwin
Merlin Agent can also be compiled without Make, using just go. To compile Merlin Agent with your Merlin Server's address hard coded, so it doesn't have to be specified on the command line, include -ldflags -X main.url=https://acme.com:443/
Example: go build -o merlinagent.exe -ldflags "-X main.url=https://acme.com:443/" cmd/merlinagent/main.go
Run Merlin Agent as script: go run cmd/merlinagent/main.go

USAGE
  -debug
        Enable debug output
  -sleep duration
        Time for agent to sleep (default 10s)
  -url string
        Full URL for agent to connect to (default "https://127.0.0.1:443")
  -v    Enable verbose output



Fsociety Hacking Tools Pack - A Penetration Testing Framework


A penetration testing framework that bundles every script a hacker needs.

Menu
  • Information Gathering
  • Password Attacks
  • Wireless Testing
  • Exploitation Tools
  • Sniffing & Spoofing
  • Web Hacking
  • Private Web Hacking
  • Post Exploitation
  • INSTALL & UPDATE

Information Gathering :
  • Nmap
  • Setoolkit
  • Port Scanning
  • Host To IP
  • wordpress user
  • CMS scanner
  • XSStracer
  • Dork - Google Dorks Passive Vulnerability Auditor
  • Scan A server's Users

Password Attacks :
  • Cupp
  • Ncrack

Wireless Testing :
  • reaver
  • pixiewps

Exploitation Tools :
  • Venom
  • sqlmap
  • Shellnoob
  • commix
  • FTP Auto Bypass
  • jboss-autopwn

Sniffing & Spoofing :
  • Setoolkit
  • SSLtrip
  • pyPISHER
  • SMTP Mailer

Web Hacking :
  • Drupal Hacking
  • Inurlbr
  • Wordpress & Joomla Scanner
  • Gravity Form Scanner
  • File Upload Checker
  • Wordpress Exploit Scanner
  • Wordpress Plugins Scanner
  • Shell and Directory Finder
  • Joomla! 1.5 - 3.4.5 remote code execution
  • Vbulletin 5.X remote code execution
  • BruteX - Automatically brute force all services running on a target
  • Arachni - Web Application Security Scanner Framework

Private Web Hacking
  • Get all websites
  • Get joomla websites
  • Get wordpress websites
  • Control Panel Finder
  • Zip Files Finder
  • Upload File Finder
  • Get server users
  • SQli Scanner
  • Ports Scan (range of ports)
  • ports Scan (common ports)
  • Get server Info
  • Bypass Cloudflare

Post Exploitation
  • Shell Checker
  • POET
  • Phishing Framework

Install Me
  • Install directly on the system (Linux and Mac only)
  • Update instantly when there is a new update

Installation Linux

[✓] git clone https://github.com/Manisso/fsociety.git
[✓] cd fsociety && python fsociety.py
[◉] 0 : INSTALL & UPDATE
[◉] -> 0
[✓] press 0
[✓] Congratulation Fsociety is Installed !

Installation Windows

[✔] Download python 2.7
[✓] Download fsociety
[✓] Extract fsociety into Desktop
[◉] Open CMD and type the following commands:
[✓] $cd Desktop/fsociety-master/
[✓] $python fsociety.py


BlueMaho v090417 - Bluetooth Security Testing Suite


BlueMaho is a GUI shell (interface) for a suite of tools for testing the security of Bluetooth devices. It is freeware, open source, written in Python and uses wxPython. It can be used to test BT devices for known vulnerabilities and, more importantly, to find unknown vulnerabilities. It can also produce useful statistics.

1.2. What it can do? (features)

  • scan for devices, show advanced info, SDP records, vendor etc
  • track devices - show where and how many times a device was seen, and its name changes
  • loop scan - it can scan continuously, showing you online devices
  • alerts with sound if a new device is found
  • on_new_device - you can specify what command it should run when it finds a new device
  • it can use separate dongles - one for scanning (loop scan) and one for running tools or exploits
  • send files
  • change name, class, mode, BD_ADDR of local HCI devices
  • save results in database
  • form nice statistics (uniq devices by day/hour, vendors, services etc)
  • test remote device for known vulnerabilities (see exploits for more details)
  • test remote device for unknown vulnerabilities (see tools for more details)
  • themes! you can customize it

1.3. What tools and exploits does it consist of?

  Tools:
  • atshell.c by Bastian Ballmann (modified attest.c by Marcel Holtmann)
  • bccmd by Marcel Holtmann
  • bdaddr.c by Marcel Holtmann
  • bluetracker.py by smiley
  • carwhisperer v0.2 by Martin Herfurt
  • psm_scan and rfcomm_scan from bt_audit-0.1.1 by Collin R. Mulliner
  • BSS (Bluetooth Stack Smasher) v0.8 by Pierre Betouin
  • btftp v0.1 by Marcel Holtmann
  • btobex v0.1 by Marcel Holtmann
  • greenplaque v1.5 by digitalmunition.com
  • L2CAP packetgenerator by Bastian Ballmann
  • obex stress tests 0.1
  • redfang v2.50 by Ollie Whitehouse
  • ussp-push v0.10 by Davide Libenzi
  Exploits/attacks:
  • Bluebugger v0.1 by Martin J. Muench
  • bluePIMp by Kevin Finisterre
  • BlueZ hcidump v1.29 DoS PoC by Pierre Betouin
  • helomoto by Adam Laurie
  • hidattack v0.1 by Collin R. Mulliner
  • Mode 3 abuse attack
  • Nokia N70 l2cap packet DoS PoC Pierre Betouin
  • opush abuse (prompts flood) DoS attack
  • Sony-Ericsson reset display PoC by Pierre Betouin
  • you can add your own tools by editing 'exploits/exploits.lst' and 'tools/tools.lst'

1.4. Requirements

  • OS (tested with Debian 4.0 Etch / 2.6.18)
  • python (python 2.4 http://www.python.org)
  • wxPython (python-wxgtk2.6 http://www.wxpython.org)
  • BlueZ (3.9/3.24) http://www.bluez.org
  • Eterm to open tools in a terminal; you can set another terminal in 'config/default.conf' by changing the value of the 'cmd_term' variable (tested with version 1.1)
  • pkg-config(0.21), 'tee' used in tools/showmaxlocaldevinfo.sh, openobex, obexftp
  • libopenobex1 + libopenobex-dev (needed by ussp-push)
  • libxml2, libxml2-dev (needed by btftp)
  • libusb-dev (needed by bccmd)
  • libreadline5-dev (needed by atshell.c)
  • lightblue-0.3.3 (needed by obexstress.py)
  • hardware: any bluez compatible bluetooth-device

1.5. Configuration

  1. all configuration is in 'config' dir.
  2. To use BlueMaho properly you need to build the tools and exploits. Check that you satisfy the 'requirements' for BlueMaho, then run 'build.sh'. If you see the 'Building complete!' message, all went OK. If not, revisit the requirements.
  3. 'default.conf' is the default configuration file; you can edit it if you need to change options, paths to files and commands used by BlueMaho, the theme, etc. By default you don't need to change it if you did everything in the 'requirements' chapter, but please review it, for example to set the 'user_location' variable to your location, which is used by the tracking function.
  4. 'themes' - directory with themes for bluemaho GUI. You can set path to default theme with 'theme' variable in 'default.conf'

1.6. Run and use

You can run BlueMaho by typing 'bluemaho.py' in a console. For verbose output in the console (redirecting stderr and stdout) run 'bluemaho.py -v'. It saves discovered devices to 'bluemaho.log' by default; you can change this in 'config/default.conf'. Enjoy!

Crips - IP Tools To quickly get information about IP Address's, Web Pages and DNS records


Crips is a collection of online IP tools that can be used to quickly get information about IP addresses, web pages and DNS records.

Menu
  • Whois lookup
  • Traceroute
  • DNS Lookup
  • Reverse DNS Lookup
  • GeoIP Lookup
  • Port Scan
  • Reverse IP Lookup
  • INSTALL & UPDATE
  • Exit

Whois lookup
Determine the registered owner of a domain or IP address block with the whois tool.

Traceroute
Trace the path of an Internet connection using mtr, an advanced traceroute tool.

DNS Lookup
Find DNS records for a domain; results are determined using the dig DNS tool.

Reverse DNS Lookup
Find Reverse DNS records for an IP address or a range of IP addresses.

GeoIP Lookup
Find the location of an IP address using the GeoIP lookup location tool.

Port Scan
A simple TCP Port Scan to quickly determine the status of an Internet facing service or firewall.

Reverse IP Lookup
Discover web hosts sharing an IP address with a reverse IP lookup.

INSTALL & UPDATE
Install the tools directly on the system and get new updates directly from the terminal.

Installation Linux

[✓] git clone https://github.com/Manisso/Crips.git
[✓] cd Crips && python Crips.py
[◉] 0 : INSTALL & UPDATE
[◉] -> 0
[✓] press 0
[✓] Congratulation Crips is Installed !

Installation Windows

[✔] Download Python 2.7
[✓] Download Crips
[✓] Extract Crips into Desktop
[◉] Open CMD and type the following commands:
[✓] $cd Desktop/Crips-master/
[✓] $python crips.py



Lynis 2.5.8 - Security Auditing Tool for Unix/Linux Systems


We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in a series of simplification improvements. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool, used by system administrators, security professionals and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). 

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of a set of steps, from initializing the program up to the report.

Steps
  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan
Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning

Lynis scanning is opportunistic: it uses what it can find.
For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog
Upgrade note
Changes:
--------
* Check for empty files improved on several locations
* New allow-auto-purge setting in profile for short-lived systems
* Additional checks for log and report file
* Changes to support time synchronization in old and newer systemd releases
* Enhanced output for systems other than Linux

Plugins:
--------
* New class (hardware) added and enabled in default profile



RedLogin - SSH Brute-force Tools


Red Login: SSH brute-force tool.

Features:
  • High speed and precision
  • CLI ( Console based )
  • Run an arbitrary command after a successful login (default: uname -a)
  • Telegram messenger support for sending reports via the bot API

Usage:
Redlogin.exe (Optional) -telegram
  ==> List of target IPs
  ==> List of usernames to test
  ==> List of passwords to test
  ==> Telegram bot token (from @BotFather)
  ==> Telegram chat id (from @userinfobot)



Cloak - Backdoor In Any Python Script With Some Tricks


Cloak is an intelligent python backdoor framework.

What it exactly does?

Cloak generates a python payload via msfvenom and then intelligently injects it into the python script you specify.

To evade basic detection, Cloak breaks the payload into several parts and places it in different places in the code. If you want the victim to run your injected script as root, Cloak can handle that too. Cloak will be further upgraded in future to support a wide range of payloads, platforms and evasion techniques.


Requirements
  • msfvenom
  • python2



WordPress Exploit Framework v1.8 - A Ruby Framework For Developing And Using Modules Which Aid In The Penetration Testing Of WordPress


A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.

What do I need to run it?
Ensure that you have Ruby >= 2.4.2 installed on your system and then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running bundle install.
If bundler is not present on your system, you can install it by running gem install bundler.

Troubleshooting Installation

Debian Systems
If you have issues installing WPXF's dependencies (in particular, Nokogiri), first make sure you have all the tooling necessary to compile C extensions:
sudo apt-get install build-essential patch
It’s possible that you don’t have important development header files installed on your system. Here’s what you should do if you should find yourself in this situation:
sudo apt-get install ruby-dev zlib1g-dev liblzma-dev
Install requirements and run:
sudo gem install bundler
sudo bundle install
sudo ruby wpxf.rb

Windows Systems
If you are experiencing errors that indicate that libcurl.dll could not be loaded, you will need to ensure the latest libcurl binary is included in your Ruby bin folder, or any other folder that is in your environment's PATH variable.
The latest version can be downloaded from http://curl.haxx.se/download.html. As of 16/05/2016, the latest release is marked as Win32 2000/XP zip 7.40.0 libcurl SSL. After downloading the archive, extract the contents of the bin directory into your Ruby bin directory (if prompted, don't overwrite any existing DLLs).

How do I use it?
Open a command prompt / terminal in the directory that you have downloaded WordPress Exploit Framework to, and start it by running ruby wpxf.rb.
Once loaded, you'll be presented with the wpxf prompt, from here you can search for modules using the search command or load a module using the use command.
Loading a module into your environment will allow you to set options with the set command and view information about the module using info.
Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options and run the exploit against the target.
wpxf > use exploit/symposium_shell_upload

[+] Loaded module: #<Wpxf::Exploit::SymposiumShellUpload:0x3916f20>

wpxf [exploit/symposium_shell_upload] > set host wp-sandbox

[+] Set host => wp-sandbox

wpxf [exploit/symposium_shell_upload] > set target_uri /wordpress/

[+] Set target_uri => /wordpress/

wpxf [exploit/symposium_shell_upload] > set payload exec

[+] Loaded payload: #<Wpxf::Payloads::Exec:0x434d078>

wpxf [exploit/symposium_shell_upload] > set cmd echo "Hello, world!"

[+] Set cmd => echo "Hello, world!"

wpxf [exploit/symposium_shell_upload] > run

[-] Preparing payload...
[-] Uploading the payload...
[-] Executing the payload...
[+] Result: Hello, world!
[+] Execution finished successfully
For a full list of supported commands, take a look at the project wiki.

What is the difference between auxiliary and exploit modules?
Auxiliary modules do not allow you to run payloads on the target machine, but instead allow you to extract information from the target, escalate privileges or provide denial of service functionality.
Exploit modules require you to specify a payload which subsequently gets executed on the target machine, allowing you to run arbitrary code to extract information from the machine, establish a remote shell or anything else that you want to do within the context of the web server.

What payloads are available?
  • bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
  • custom: uploads and executes a custom PHP script.
  • download_exec: downloads and runs a remote executable file.
  • meterpreter_bind_tcp: a Meterpreter bind TCP payload generated using msfvenom.
  • meterpreter_reverse_tcp: a Meterpreter reverse TCP payload generated using msfvenom.
  • exec: runs a shell command on the remote server and returns the output to the WPXF session.
  • reverse_tcp: uploads a script that will establish a reverse TCP shell.
All these payloads, with the exception of custom and the Meterpreter payloads, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails.

How can I write my own modules and payloads?
Guides on writing modules and payloads can be found on The Wiki and full documentation of the API can be found at http://www.getwpxf.com/.

Changelog:
Bug Fixes:
  • Fix API compatibility in Estatik 2.2.5 shell upload
Dependencies:
  • Upgrade required Ruby version to 2.4.2
  • Upgrade Nokogiri to 1.8.1
  • Upgrade rubyzip to 1.2.1
  • Upgrade Slop to 4.5.0
  • Upgrade Typhoeus to 1.3.0
  • Upgrade RSpec to 3.7
API Changes:
  • Add new mixin to provide comment posting functionality
  • Add new mixin for creating hash dump auxiliary modules
  • Add support for multiple potential upload locations in the ShellUpload mixin
New Modules:
  • Add Responsive Image Gallery <= 1.2.0 hash dump
  • Add SQL Shortcode <= 1.1 hash dump
  • Add JTRT Responsive Tables <= 4.1 hash dump
  • Add Simple Events Calendar <= 1.3.5 hash dump
  • Add Pootle Button < 1.2 reflected XSS shell upload
  • Add Embed Images in Comments <= 0.5 stored XSS shell upload
  • Add Qards local port scan
  • Add WP Support Plus Responsive Ticket System < 8.0.8 shell upload
  • Add Events <= 2.3.4 hash dump



LaZagne v2.3 - Credentials Recovery Project


The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
This project has been added to pupy as a post-exploitation module. The Python code is interpreted in memory without touching the disk, and it works on Windows and Linux hosts. The last Linux release is not up to date, so I recommend using it through pupy.

Usage
  • Retrieve version
laZagne.exe --version
  • Launch all modules
laZagne.exe all
  • Launch only a specific module
laZagne.exe browsers
  • Launch only a specific software script
laZagne.exe browsers -f (for Firefox)
  • Write all passwords found into a file (-oN for Normal txt, -oJ for Json, -oA for All)
laZagne.exe all -oN
  • Get help
laZagne.exe -h
laZagne.exe browsers -h
  • Use a file for dictionary attacks (used only when it's necessary: Mozilla Master Password, system hashes, etc.). The file has to be a wordlist in cleartext (no rainbow), it has not been optimized to be fast but could be useful for basic passwords.
laZagne.exe all -path file.txt
  • Change verbosity mode (2 different levels)
laZagne.exe all -vv
  • Quiet mode (nothing will be printed on the standard output)
laZagne.exe all -quiet -oA
  • Retrieve passwords on another drive (default: C)
laZagne.exe all -drive D
Note: For Wi-Fi passwords and Windows secrets, launch it with administrator privileges (UAC elevation / sudo)

Mac Os
Note: On Mac OS, without the user password it is very difficult to retrieve passwords stored on the computer, so I recommend using one of these options
  • If you know the user password, add it in the command line
laZagne all --password SuperSecurePassword
  • You can use the interactive mode, which will prompt the user with a dialog box until the correct password is entered
laZagne all -i

Supported software

(*) used by many tools to store passwords: Chrome, Owncloud, Evolution, KMail, etc.

For developers
Please refer to the wiki before opening an issue to understand how to compile the project or to develop a new module. https://github.com/AlessandroZ/LaZagne/wiki



ADRecon - Tool Which Gathers Information About The Active Directory


ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment into a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD environment. The tool is useful to various classes of security professionals such as auditors, DFIR, students and administrators. It can also be an invaluable post-exploitation tool for a penetration tester. It can be run from any workstation that is connected to the environment, even hosts that are not domain members. Furthermore, the tool can be executed in the context of a non-privileged (i.e. standard domain user) account; Fine Grained Password Policy, LAPS and BitLocker may require a privileged account. The tool will use Microsoft Remote Server Administration Tools (RSAT) if available, otherwise it will communicate with the Domain Controller using LDAP. The following information is gathered by the tool:
  • Forest;
  • Domains in the Forest and other attributes such as Sites;
  • Domain Password Policy;
  • Domain Controllers and their roles;
  • Users and their attributes;
  • Service Principal Names;
  • Groups and their members;
  • Organizational Units and their ACLs;
  • Group Policy Object details;
  • DNS Zones;
  • Printers;
  • Computers and their attributes;
  • LAPS passwords (if implemented); and
  • BitLocker Recovery Keys (if implemented).

Getting Started
These instructions will get you a copy of the tool up and running on your local machine.

Prerequisites
  • .NET Framework 3.0 or later (Windows 7 includes 3.0)
  • PowerShell 2.0 or later (Windows 7 includes 2.0)

Installing
If you have git installed, you can start by cloning the repository:
git clone https://github.com/sense-of-security/ADRecon.git
Otherwise, you can download a zip archive of the latest release. The intent is to always keep the master branch in a working state.

Usage

Examples
To run ADRecon on a domain member host.
PS C:\> .\ADRecon.ps1
To run ADRecon on a domain member host as a different user.
PS C:\>.\ADRecon.ps1 -DomainController <IP or FQDN> -Credential <domain\username>
To run ADRecon on a non-member host using LDAP.
PS C:\>.\ADRecon.ps1 -Protocol LDAP -DomainController <IP or FQDN> -Credential <domain\username>
To run ADRecon with specific modules on a non-member host with RSAT.
PS C:\>.\ADRecon.ps1 -Protocol ADWS -DomainController <IP or FQDN> -Credential <domain\username> -Collect Domain, DCs
To generate the ADRecon-Report.xlsx based on ADRecon output.
PS C:\>.\ADRecon.ps1 -GenExcel C:\ADRecon-Report-<timestamp>
When you run ADRecon, an ADRecon-Report-<timestamp> folder will be created containing ADRecon-Report.xlsx and a CSV-Folder with the raw files.

Parameters
-Protocol <String>
Which protocol to use; ADWS (default) or LDAP

-DomainController <String>
Domain Controller IP Address or Domain FQDN.

-Credential <PSCredential>
Domain Credentials.

-GenExcel <String>
Path for ADRecon output folder containing the CSV files to generate the ADRecon-Report.xlsx. Use it to generate the ADRecon-Report.xlsx when Microsoft Excel is not installed on the host used to run ADRecon.

-Collect <String>
What attributes to collect (Comma separated; e.g Forest,Domain)
Valid values include: Forest, Domain, PasswordPolicy, DCs, Users, UserSPNs, Groups, GroupMembers, OUs, OUPermissions, GPOs, DNSZones, Printers, Computers, ComputerSPNs, LAPS, BitLocker.

-DormantTimeSpan <Int>
Timespan for Dormant accounts.

-PageSize <Int>
The PageSize to set for the LDAP searcher object. (Default 200)

-Threads <Int>
The number of threads to use during processing objects (Default 10)

-FlushCount <Int>
The number of processed objects which will be flushed to disk. (Default -1 - Flush after all objects are processed).

Future Plans
  • Replace System.DirectoryServices.DirectorySearch with System.DirectoryServices.Protocols and add support for LDAP STARTTLS and LDAPS (TCP port 636).
  • Add Domain Trust Enumeration.
  • Gather ACLs for the useraccountcontrol attribute and the ms-mcs-admpwd LAPS attribute to determine which users can read the values.
  • Gather DS_CONTROL_ACCESS and Extended Rights, such as User-Force-Change-Password, DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, etc. which can be used as alternative attack vectors.
  • Additional export and storage option: export to STDOUT, SQLite, xml, html.
  • List issues identified and provide recommended remediation advice based on analysis of the data.



uncaptcha - Defeating Google's audio reCaptcha with 85% accuracy


Defeating Google's audio reCaptcha system with 85% accuracy.

Inspiration
Across the Internet, hundreds of thousands of sites rely on Google's reCaptcha system for defense against bots (in fact, Devpost uses reCaptcha when creating a new account). After a Google research team demonstrated a near complete defeat of the text reCaptcha in 2012, the reCaptcha system evolved to rely on audio and image challenges, historically more difficult challenges for automated systems to solve. Google has continually iterated on its design, releasing a newer and more powerful version as recently as just this year. Successfully demonstrating a defeat of this captcha system spells significant vulnerability for hundreds of thousands of popular sites.

What it does
Our unCaptcha system has attack capabilities written for the audio captcha. Using browser automation software, we can interact with the target website and engage with the captcha, parsing out the necessary elements to begin the attack. We rely primarily on the audio captcha attack - by properly identifying spoken numbers, we can pass the reCaptcha programmatically and fool the site into thinking our bot is a human. Specifically, unCaptcha targets the popular site Reddit by going through the motions of creating a new user, although unCaptcha stops before creating the user to mitigate the impact on Reddit.

Background
Google's reCaptcha system uses an advanced risk analysis system to determine programmatically how likely a given user is to be a human or a bot. It takes into account your cookies (and by extension, your interaction with other Google services), the speed at which challenges are solved, mouse movements, and (obviously) how successfully you solve the given task. As the system gets increasingly suspicious, it delivers increasingly difficult challenges, and requires the user to solve more of them. Researchers have already identified minor weaknesses with the reCaptcha system - 9 days of legitimate (ish) interaction with Google's services is usually enough to lower the system's suspicion level significantly.

How it works
The audio captcha is a variable-length series of numbers, spaced out and read aloud at varied speeds, pitches and accents over background noise. To attack this captcha, the audio payload is identified on the page, downloaded, and automatically split at the locations of speech.
From there, each number audio bit is uploaded to 6 different free, online audio transcription services (IBM, Google Cloud, Google Speech Recognition, Sphinx, Wit-AI, Bing Speech Recognition), and these results are collected. We ensemble the results from each of these to probabilistically enumerate the most likely string of numbers with a predetermined heuristic. These numbers are then organically typed into the captcha, and the captcha is completed. From testing, we have seen 92%+ accuracy in individual number identification, and 85%+ accuracy in defeating the audio captcha in its entirety.
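The ensemble step described above, written out as an added example in Python; this is not the unCaptcha project's own code. Each audio segment yields one raw transcript per service; the transcripts are normalized to a digit through a homophone table ("for" and "fore" become 4, "to" and "too" become 2), then combined by weighted voting, and a segment that no service could read aborts the attempt rather than guessing, since a wrong digit fails the whole challenge anyway. The homophone table, the per-service weights and the sample transcripts are constructed assumptions, not values from the paper, and no transcription service is contacted.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Assumption: homophone table mapping common mis-transcriptions to digits.
# The project's real table is not on the page; these entries are illustrative.
WORD_TO_DIGIT = {
    "zero": "0", "oh": "0", "o": "0",
    "one": "1", "won": "1",
    "two": "2", "to": "2", "too": "2",
    "three": "3", "tree": "3", "free": "3",
    "four": "4", "for": "4", "fore": "4",
    "five": "5",
    "six": "6", "sex": "6",
    "seven": "7",
    "eight": "8", "ate": "8",
    "nine": "9",
}
for _digit in "0123456789":
    WORD_TO_DIGIT[_digit] = _digit

# Assumption: relative trust in each service, as a calibration run might yield.
# Unknown services fall back to weight 1.0.
SERVICE_WEIGHTS = {
    "ibm": 1.0, "google_cloud": 1.2, "google_sr": 1.0,
    "sphinx": 0.6, "wit": 0.8, "bing": 1.0,
}


def normalize(transcript: str) -> Optional[str]:
    """Map one segment's raw transcript to a single digit, or None if unusable."""
    tokens = transcript.lower().replace("-", " ").split()
    digits = [WORD_TO_DIGIT[t] for t in tokens if t in WORD_TO_DIGIT]
    # A segment holds exactly one spoken number; zero or several digits means
    # the service misheard the segment boundary and its vote is discarded.
    return digits[0] if len(digits) == 1 else None


def vote_segment(results: Dict[str, str]) -> Optional[str]:
    """Weighted vote over {service: raw transcript} for one audio segment."""
    scores = defaultdict(float)
    for service, raw in results.items():
        digit = normalize(raw)
        if digit is not None:
            scores[digit] += SERVICE_WEIGHTS.get(service, 1.0)
    if not scores:
        return None
    # Highest score wins; ties break on the digit so the result is deterministic.
    return max(scores.items(), key=lambda kv: (kv[1], kv[0]))[0]


def ensemble(segments: List[Dict[str, str]]) -> Optional[str]:
    """Combine per-segment votes into the string to type into the captcha."""
    digits = [vote_segment(seg) for seg in segments]
    if any(d is None for d in digits):
        return None  # an unreadable segment: better to request a new challenge
    return "".join(digits)


# Constructed sample responses standing in for the six services' output on a
# four-segment challenge; the expected answer is 4271.
SAMPLE_SEGMENTS = [
    {"ibm": "for", "google_cloud": "4", "google_sr": "four",
     "sphinx": "fore", "wit": "door", "bing": "4"},
    {"ibm": "to", "google_cloud": "2", "google_sr": "two",
     "sphinx": "", "wit": "two", "bing": "too"},
    {"ibm": "seven", "google_cloud": "7", "google_sr": "eleven",
     "sphinx": "heaven", "wit": "7", "bing": "seven"},
    {"ibm": "won", "google_cloud": "1", "google_sr": "one",
     "sphinx": "one", "wit": "1", "bing": "nine"},
]

if __name__ == "__main__":
    print(ensemble(SAMPLE_SEGMENTS))
```

The weights matter only when services disagree; in the last sample segment a single "nine" is outvoted by five readings of 1, and in the third the two services that produced no digit at all simply abstain.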

Installation
First, install python dependencies:
$ pip install -r requirements.txt
Make sure you also have sox, ffmpeg, and selenium installed!
$ apt-get install sox ffmpeg selenium
Then, to kick off the PoC:
$ python main.py --audio --reddit
This opens reddit.com, interacts with the page to go to account signup, generates a fake username, email, password, and then attacks the audio captcha. Once the captcha is completed (whether it passed or not), the browser exits.

To learn more
Please read our paper, located here, for more information. Additionally, you can visit our website here, or check out the original Slides for USENIX WOOT '17.

Disclaimer
unCaptcha is intended to be a proof of concept. As of the time of our paper, we found it to successfully solve reCaptcha's audio challenges with 85% success. Since that time, reCaptcha appears to include some additional protections that limit unCaptcha's success.
For instance, Google has also improved their browser automation detection. This means that Selenium cannot be used in its current state to get captchas from Google. This may lead to Google sending odd audio segments back to the end user. Additionally, we have observed that some audio challenges include not only digits, but small snippets of spoken text.
We encourage you to be careful when doing research in this field, to be mindful of local, state, and federal law, and to responsibly disclose any potential vulnerabilities to Google immediately.
Additionally, we have removed our API keys from all the necessary queries. If you are looking to recreate some of the work or are doing your own research in this area, you will need to acquire API keys from each of the six services used. These keys are delineated in our files by a long string of the character 'X'.


iOSRestrictionBruteForce - Crack iOS Restriction Passcodes with Python


This version of the application is written in Python and is used to crack the Restrictions passcode of an iPhone/iPad.

Brute Force
  1. Get the Base64 key and salt from the backup file on the computer.
  2. Decode the Base64 key and salt.
  3. Try passcodes from 1 to 9999 against the PBKDF2-HMAC-SHA1 hash with passlib (the passlib module needs to be installed first: easy_install passlib)
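The three steps above, carried out as an added Python example; this is not the project's ioscrack.py, and it uses the standard library's hashlib.pbkdf2_hmac instead of passlib. The key and salt are Base64-decoded and every four-digit candidate (0000 to 9999, one more than the page's 1 to 9999) is derived until one reproduces the stored key, with a constant-time comparison. The 1000-iteration count and 20-byte key length are assumptions not stated on the page; the sample salt and key are constructed here from a known passcode so the script runs offline without a real backup.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Assumption (not on the page): PBKDF2-HMAC-SHA1 with 1000 iterations and a
# 20-byte derived key. Adjust both if the values in your backup differ.
PBKDF2_ITERATIONS = 1000
KEY_LENGTH = 20


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Derive the restriction key from an ASCII passcode and the plist salt."""
    return hashlib.pbkdf2_hmac(
        "sha1", passcode.encode("ascii"), salt, PBKDF2_ITERATIONS, KEY_LENGTH
    )


def crack_restriction_passcode(key_b64: str, salt_b64: str) -> Optional[str]:
    """Step 2 and 3: decode key and salt, then try every four-digit passcode.

    Returns the matching passcode, or None if no four-digit code reproduces
    the stored key (wrong iteration count, wrong salt, or a longer passcode).
    """
    target = base64.b64decode(key_b64)
    salt = base64.b64decode(salt_b64)
    for candidate in range(10000):
        passcode = f"{candidate:04d}"
        if hmac.compare_digest(derive_key(passcode, salt), target):
            return passcode
    return None


# Constructed sample standing in for the two Base64 strings copied out of the
# backup: a made-up 4-byte salt and the key derived from a known passcode.
SAMPLE_SALT = b"\x01\x23\x45\x67"
SAMPLE_PASSCODE = "2580"
SAMPLE_SALT_B64 = base64.b64encode(SAMPLE_SALT).decode()
SAMPLE_KEY_B64 = base64.b64encode(derive_key(SAMPLE_PASSCODE, SAMPLE_SALT)).decode()

if __name__ == "__main__":
    print(crack_restriction_passcode(SAMPLE_KEY_B64, SAMPLE_SALT_B64))
```

At 1000 iterations the full keyspace takes a few seconds on a laptop, which is why a four-digit restriction passcode offers no real protection once the backup is in hand.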

How to Use
  1. Make sure to use iTunes to back up the iOS device to the computer
  2. Run ioscrack.py
python ioscrack.py

DEPENDENCIES
This has been tested with Python 2.6 and 2.7.

