Showing posts with the label Honeypot. Show all posts

MEMSCAN A Memory Scanning Tool For A Specific Sequence of Bytes



MEMSCAN: A Memory Scanning Tool For A Specific Sequence of Bytes!

A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes.
To build MEMSCAN, you will need to have Theos installed. Well, you don't really need it, but it makes life easier.

Once Theos is installed, simply navigate to the MEMSCAN folder in terminal and run:

make package install

Usage

Dumping the memory of a process


  1. Obtain the target process PID, using ps.
  2. Provide the PID to memscan:

./memscan -p <pid> -d

Finding objects in memory

Open your target app or process in a disassembler, grab first ~16 bytes (customise this number as you will) of the method you want to hook and these bytes will be your "signature".

Write the signature to a file, make sure to encode the bytes like so:

echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > needle

Run the scanner against the target process. It will locate the signature in memory and print its address. The signature has to be passed in as bytes, not as a literal string, so use the scanner as shown:

./memscan -p <pid> -s <signature-file>

e.g:

./memscan -p 1234 -s ./needle

MEMSCAN should then print the address where the needle is located in memory.
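Reads of a process's memory come back region by region (and, for large regions, in chunks), so a signature can straddle two reads and be missed unless the scanner carries the tail of one read into the next. The following Python is an added illustration of that search step; it is not MEMSCAN's own code. SAMPLE_REGIONS is a constructed stand-in for the readable regions a scanner would obtain from mach_vm_region/mach_vm_read, and the needle is the one from the post.

```python
import re


def needle_from_escaped(text):
    """Turn the '\\x55\\x48...' notation used with echo -n -e into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", text))


# Signature from the post: push rbp; mov rbp, rsp; mov eax, 0x15; pop rbp
NEEDLE = needle_from_escaped(r"\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D")

# Constructed stand-in for readable regions as (base address, contents); a real
# scanner would get these from mach_vm_region / mach_vm_read (assumption).
SAMPLE_REGIONS = [
    (0x100000000, b"\x00" * 4000 + NEEDLE + b"\xCC" * 100),
    (0x7FFF00000000, b"\x90" * 50 + NEEDLE),
]


def scan_region(base, size, read, needle, chunk_size=4096):
    """Scan one region in chunks, carrying len(needle)-1 bytes between reads so a
    signature that straddles a chunk boundary is still found exactly once."""
    if not needle:
        raise ValueError("empty signature")
    hits, carry, carry_addr, offset = [], b"", base, 0
    while offset < size:
        chunk = read(offset, min(chunk_size, size - offset))
        window, window_addr = carry + chunk, carry_addr
        i = window.find(needle)
        while i >= 0:
            hits.append(window_addr + i)
            i = window.find(needle, i + 1)
        keep = len(needle) - 1
        carry = window[len(window) - keep:] if keep else b""
        carry_addr = window_addr + len(window) - len(carry)
        offset += len(chunk)
    return hits


def find_signature(regions, needle, chunk_size=4096):
    """Scan every region; returns the absolute addresses at which needle occurs."""
    found = []
    for base, data in regions:
        found += scan_region(base, len(data), lambda off, n, d=data: d[off:off + n],
                             needle, chunk_size)
    return found


if __name__ == "__main__":
    for addr in find_signature(SAMPLE_REGIONS, NEEDLE):
        print(f"needle found at 0x{addr:x}")
```

The chunk size is deliberately small in the boundary test so that the carry logic is exercised; on a real target the same logic applies when a region is larger than one read.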


Download

~ Monday 5 October 2015 0 comments

GitHub Announces To Support Universal 2nd Factor Authentication



GitHub Announces To Support Universal 2nd Factor Authentication (U2F) 
A rapidly growing open authentication standard!

When inserted, these physical USB keys automatically generate the second factor, so you no longer have to type a six-digit code from Google Authenticator or similar apps. GitHub announced the support as part of its partnership with Yubico.

Two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

The FIDO U2F Security Key by Yubico is a specially designed YubiKey, relying on high-security, public-key cryptography. U2F is built to protect against phishing and man-in-the-middle attacks, allowing one U2F authenticator to access any number of services without any shared secrets.

What is U2F — FIDO UNIVERSAL 2ND FACTOR

U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed.

U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium FIDO Alliance.
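The phishing resistance comes from what the authenticator signs: the browser, not the web page, places the real origin into the client data, and the signed payload binds the application ID, a signature counter and that client data together, so an assertion obtained on one origin is useless on another and cannot be replayed. The Python below is an added illustration of that protocol logic, not code from GitHub, Yubico or the FIDO specification. It carries its own minimal ECDSA over P-256 so it runs with the standard library only, and it simplifies key handles to the application ID itself; the origins, user names, and class names are made up.

```python
import hashlib, hmac, json, secrets

# NIST P-256, the curve U2F authenticators use for ECDSA.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A, B = P - 3, 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):
    """Double-and-add scalar multiplication (illustrative, not side-channel hardened)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def _h(data): return hashlib.sha256(data).digest()

def ecdsa_sign(priv, msg):
    z = int.from_bytes(_h(msg), "big")
    # Nonce derived from key and message so it is never reused across messages.
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), msg, "sha256").digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * priv) % N

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(_h(msg), "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def _signed_data(app_id, counter, client_data):
    # What the authenticator signs: H(appId) || user-presence byte || counter || H(clientData)
    return _h(app_id.encode()) + b"\x01" + counter.to_bytes(4, "big") + _h(client_data)

class Token:
    """Stand-in for a U2F authenticator: one key pair per application ID plus a
    signature counter (key handles are simplified to the app ID itself)."""
    def __init__(self): self.keys, self.counter = {}, 0
    def register(self, app_id):
        priv = self.keys[app_id] = secrets.randbelow(N - 1) + 1
        return _mul(priv, G)  # public key handed to the relying party
    def authenticate(self, app_id, client_data):
        if app_id not in self.keys:  # the key handle does not belong to this app
            return None
        self.counter += 1
        return self.counter, ecdsa_sign(self.keys[app_id], _signed_data(app_id, self.counter, client_data))

def browser_get_assertion(token, origin, challenge):
    """The browser, not the web page, writes the real origin into clientData and
    asks the token to sign for that origin's app ID."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge, "origin": origin}).encode()
    result = token.authenticate(origin, client_data)
    return None if result is None else (client_data, result[0], result[1])

class RelyingParty:
    def __init__(self, origin): self.origin, self.users = origin, {}
    def register(self, user, pub): self.users[user] = (pub, 0)
    def new_challenge(self): return secrets.token_urlsafe(32)
    def verify(self, user, challenge, client_data, counter, sig):
        pub, last = self.users[user]
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin or cd.get("challenge") != challenge:
            return False  # signed for another site, or a stale challenge
        if counter <= last:
            return False  # replay, or a cloned authenticator
        if not ecdsa_verify(pub, _signed_data(self.origin, counter, client_data), sig):
            return False  # tampered clientData or wrong key
        self.users[user] = (pub, counter)
        return True

def demo():
    """A legitimate login, a replay of the same assertion, and a page at another origin."""
    rp, token = RelyingParty("https://github.example"), Token()
    rp.register("alice", token.register(rp.origin))
    ch = rp.new_challenge()
    assertion = browser_get_assertion(token, rp.origin, ch)
    return {"login": rp.verify("alice", ch, *assertion),
            "replay": rp.verify("alice", ch, *assertion),
            "phished": browser_get_assertion(token, "https://evil.example", ch)}
```

The three checks in `RelyingParty.verify` are the ones that matter in deployment: origin and challenge come from the browser-controlled client data, the counter must strictly increase, and the signature is verified over the server's own idea of the application ID rather than anything the client sent.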



U2F is used with USB devices, including YubiKeys, as one of many authentication methods

In order to take advantage of the security improvements provided by U2F, you'll need to purchase a hardware key. You can purchase the U2F key of your choice from a range of vendors. GitHub are partnering with Yubico, inventor of the YubiKey, co-creator of the U2F protocol, and a leading provider of U2F authenticators.

Together with Yubico we are offering discounts to GitHub users for a limited time through a special offer page where you will verify your GitHub account and place your order:

  • While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available).
  • After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.
  • In addition, all students who are eligible for the Student Developer Pack will receive a 20% discount on any U2F-certified YubiKey.

~ Friday 2 October 2015 0 comments

Thug: A Tool For Python Low-Interaction Honeyclient



Thug is a Python low-interaction honeyclient aimed at mimicking the behavior of a web browser in order to detect and emulate malicious contents.

The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as the most known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks.

A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker's content.


Download

~ Wednesday 30 September 2015 0 comments

How To Test Security in IPv4 and IPv6 Data Networks?



Evil Foca is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks. 

The IPv4 address space is 32 bits wide, giving roughly 4 billion addresses. IPv6 offers a far larger address space: its addresses are 128 bits long, resulting in an address space of 340 undecillion addresses.


In addition, IPv6 provides other technical benefits, particularly, it permits hierarchical address allocation methods that facilitate route aggregation across the Internet, and thus limit the expansion of routing tables. The use of multicast addressing is expanded and simplified, and provides additional optimization for the delivery of services. Device mobility, security, and configuration aspects have been considered in the design of the protocol.

The tool is capable of carrying out various attacks such as:


  • MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
  • MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
  • DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
  • DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
  • DNS Hijacking.


The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

Man In The Middle (MITM) attack

The well-known “Man In The Middle” is an attack in which the wrongdoer creates the possibility of reading, adding, or modifying information that is located in a channel between two terminals with neither of these noticing. Within the MITM attacks in IPv4 and IPv6 Evil Foca considers the following techniques:

ARP Spoofing: Consists in sending ARP messages to the Ethernet network. Normally the objective is to associate the MAC address of the attacker with the IP of another device. Any traffic directed to the IP address of the default gateway will be erroneously sent to the attacker instead of its real destination.

DHCP ACK Injection: Consists in an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify its behavior. Evil Foca turns the machine into a fake DHCP server on the network.

Neighbor Advertisement Spoofing: The principle of this attack is identical to that of ARP Spoofing, with the difference being in that IPv6 doesn’t work with the ARP protocol, but that all information is sent through ICMPv6 packets. There are five types of ICMPv6 packets used in the discovery protocol and Evil Foca generates this type of packets, placing itself between the gateway and victim.

SLAAC attack: The objective of this type of attack is to be able to execute an MITM when a user connects to the Internet and to a server that does not include support for IPv6, to which it is therefore necessary to connect using IPv4. This attack is possible because Evil Foca undertakes domain name resolution once it is in the communication path, and is capable of transforming IPv4 addresses into IPv6 ones.

Fake DHCPv6 server: This attack involves the attacker posing as the DHCPv6 server, responding to all network requests, distributing IPv6 addresses and a false DNS to manipulate the user destination or deny the service.

Denial of Service (DoS) attack: The DoS attack is an attack to a system of machines or network that results in a service or resource being inaccessible for its users. Normally it provokes the loss of network connectivity due to consumption of the bandwidth of the victim’s network, or overloads the computing resources of the victim’s system.

DoS attack in IPv4 with ARP Spoofing: This type of DoS attack consists in associating a nonexistent MAC address in a victim's ARP table. This results in rendering the machine whose ARP table has been modified incapable of connecting to the IP address associated to the nonexistent MAC.

DoS attack in IPv6 with SLAAC attack: In this type of attack a large quantity of "router advertisement" packets are generated, destined to one or several machines, announcing false routers and assigning a different IPv6 address and gateway for each router, collapsing the system and making machines unresponsive.

DNS Hijacking: The DNS Hijacking attack or DNS kidnapping consists in altering the resolution of the domain names system (DNS). This can be achieved using malware that invalidates the configuration of a TCP/IP machine so that it points to a pirate DNS server under the attacker’s control, or by way of an MITM attack, with the attacker being the party who receives the DNS requests, and responding himself or herself to a specific DNS request to direct the victim toward a specific destination selected by the attacker.
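Each of the techniques above leaves a characteristic trace on the segment: an IP whose ARP mapping suddenly changes, Router Advertisements or DHCPv6 Advertise messages from a MAC that is not one of your routers, and a burst of RAs in a short window. The Python below is an added example of detecting those traces; it is not part of Evil Foca and is written from the monitoring side. The event format ("timestamp kind address mac", one record per line) and the SAMPLE_EVENTS stream are constructed for the example, standing in for what a capture tool on the segment would emit.

```python
from collections import defaultdict, deque

# Constructed event stream: ARP replies, ICMPv6 Router Advertisements (RA) and
# DHCPv6 Advertise messages seen on one segment.
SAMPLE_EVENTS = [
    "1443500000.000 ARP 192.168.1.1 aa:bb:cc:dd:ee:01",
    "1443500001.000 ARP 192.168.1.1 aa:bb:cc:dd:ee:01",
    "1443500002.000 ARP 192.168.1.1 de:ad:be:ef:00:01",       # gateway IP now claimed by another MAC
    "1443500003.000 RA fe80::1 aa:bb:cc:dd:ee:01",            # the real router
    "1443500004.000 DHCPV6-ADV fe80::bad de:ad:be:ef:00:01",  # a DHCPv6 server nobody deployed
] + [f"{1443500005 + i * 0.01:.3f} RA fe80::{i + 2:x} de:ad:be:ef:00:01" for i in range(30)]


def analyze(events, trusted_macs, ra_threshold=20, window=5.0):
    """Return alerts for: an IP whose ARP mapping changes, RAs or DHCPv6 offers from
    untrusted MACs (reported once per MAC), and more than ra_threshold RAs from one
    MAC inside `window` seconds (the SLAAC DoS pattern)."""
    alerts, arp_table, reported = [], {}, set()
    ra_times = defaultdict(deque)
    for line in events:
        ts, kind, addr, mac = line.split()
        ts = float(ts)
        if kind == "ARP":
            old = arp_table.setdefault(addr, mac)
            if old != mac:
                alerts.append(("arp_change", addr, old, mac))
                arp_table[addr] = mac
        elif kind in ("RA", "DHCPV6-ADV"):
            tag = "rogue_ra" if kind == "RA" else "rogue_dhcpv6"
            if mac not in trusted_macs and (tag, mac) not in reported:
                reported.add((tag, mac))
                alerts.append((tag, addr, mac))
            if kind == "RA":
                q = ra_times[mac]
                q.append(ts)
                while q and ts - q[0] > window:
                    q.popleft()
                if len(q) > ra_threshold and ("ra_flood", mac) not in reported:
                    reported.add(("ra_flood", mac))
                    alerts.append(("ra_flood", mac, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, trusted_macs={"aa:bb:cc:dd:ee:01"}):
        print(alert)
```

On a real network the trusted MAC set comes from the router inventory, and the RA threshold should sit well above the rate your routers actually advertise at; the ARP check is the same observation that tools such as arpwatch make.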

Download

~ Tuesday 29 September 2015 0 comments

AIDE (Advanced Intrusion Detection Environment) To Verify The Integrity Of Files



AIDE is a file and directory integrity checker.

What does it do?

It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further info.

Features

  • supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
  • supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
  • support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
  • plain text configuration files and database for simplicity
  • powerful regular expression support to selectively include or exclude files and directories to be monitored
  • gzip database compression if zlib support is compiled in
  • stand alone static binary for easy client/server monitoring configurations
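The baseline-then-compare cycle described above, reduced to a few dozen lines of Python as an added illustration (this is not AIDE's code or database format). It records a SHA-256 digest and the usual attributes for every regular file, stores the result as plain-text JSON, and reports added, removed and changed files with the attributes that differ. The `demo()` scenario builds a small tree in a temporary directory, tampers with it, and re-checks; the file names and contents are constructed.

```python
import hashlib, json, os, stat, tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record a digest plus the attributes an integrity checker cares about for
    every regular file under root (symlinks and special files are skipped)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            db[os.path.relpath(path, root)] = {
                "sha256": _digest(path), "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size, "uid": st.st_uid, "gid": st.st_gid,
                "inode": st.st_ino, "nlink": st.st_nlink, "mtime": int(st.st_mtime),
            }
    return db


def save_baseline(db, path):
    """Plain-text database, in the spirit of AIDE's own plain-text files."""
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report files added, removed and changed (with the attributes that differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "cron.hourly"))
        passwd, shadow = os.path.join(etc, "passwd"), os.path.join(etc, "shadow")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(shadow, "w") as f:
            f.write("root:!:16000:0:99999:7:::\n")
        os.chmod(shadow, 0o600)
        # The database lives outside the monitored tree, as it should in practice.
        db_path = os.path.join(dbdir, "baseline.json")
        save_baseline(build_baseline(root), db_path)
        baseline = load_baseline(db_path)
        # Tampering: an extra UID-0 account, loosened permissions, a new cron job.
        with open(passwd, "a") as f:
            f.write("eve:x:0:0::/:/bin/sh\n")
        os.chmod(shadow, 0o644)
        with open(os.path.join(etc, "cron.hourly", "new-job"), "w") as f:
            f.write("#!/bin/sh\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keeping the database off the monitored host (or at least read-only to it) is what makes the comparison meaningful: an attacker who can rewrite the baseline can hide any change.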


AIDE is included in the following distributions. Please use the corresponding command to install AIDE.

  • Debian GNU/Linux | Ubuntu: apt-get install aide or aptitude install aide
  • Gentoo: emerge aide
  • MacPorts: port install aide
  • FreeBSD: pkg_add -r aide
  • Red Hat | CentOS | Fedora: yum install aide
  • openSUSE: zypper install aide
  • IPCop: see here for installation guidelines


~ Monday 14 September 2015 0 comments

Toxy: Hackable HTTP Proxy To Simulate Server Failure Scenarios And Unexpected Network Conditions



toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions, built for node.js/io.js.

It was mainly designed for fuzzing/evil testing purposes, when toxy becomes particularly useful to cover fault tolerance and resiliency capabilities of a system, especially in service-oriented architectures, where toxy may act as intermediate proxy among services.

toxy allows you to plug in poisons, optionally filtered by rules, which essentially can intercept and alter the HTTP flow as you need, performing multiple evil actions in the middle of that process, such as limiting the bandwidth, delaying TCP packets, injecting network jitter latency or replying with a custom error or status code.

toxy can be fluently used programmatically or via HTTP API. It's compatible with connect/express, and it was built on top of rocky, a full-featured middleware-oriented HTTP proxy.

Requires node.js +0.12 or io.js +1.6


Why toxy?

There are some other solutions similar to toxy on the market, but most of them do not provide proper programmatic control and are usually not easy to hack, configure and/or extend. Additionally, most of those solutions only operate at the TCP level instead of providing a high-level abstraction that covers the common requirements of the specific domain and nature of the HTTP protocol, as toxy does.

toxy provides a powerful hackable and extensible solution with a convenient abstraction, but also a low-level interface and programmatic capabilities exposed as a simple, concise and fluent API, with the implicit power, simplicity and fun of node.js.

Concepts

toxy introduces two core directives that you can plug into the proxy and should know before using it: poisons and rules.

Poisons are the specific logic to infect an incoming or outgoing HTTP flow (e.g: injecting a latency, replying with an error). HTTP flow can be poisoned by one or multiple poisons, and poisons can be plugged to infect both global or route level incoming traffic.

Rules are a kind of validation filter that can be reused and applied to global incoming HTTP traffic, route-level traffic or to a specific poison. Their responsibility is to determine, by inspecting each incoming HTTP request, whether the registered poisons should be enabled or not, and therefore whether the HTTP traffic is infected (e.g. match headers, query params, method, body...).

How it works

↓   ( Incoming request )  ↓
↓           |||           ↓
↓     ----------------    ↓
↓     |  Toxy Router |    ↓ --> Match the incoming request
↓     ----------------    ↓
↓           |||           ↓
↓     ----------------    ↓
↓     |  Exec Rules  |    ↓ --> Apply configured rules for the request
↓     ----------------    ↓
↓           |||           ↓
↓     ----------------    ↓
↓     | Exec Poisons |    ↓ --> If all rules passed, then poison the HTTP flow
↓     ----------------    ↓
↓        /       \        ↓
↓        \       /        ↓
↓   -------------------   ↓
↓   | HTTP dispatcher |   ↓ --> Proxy the HTTP traffic, either poisoned or not
↓   -------------------   ↓
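The router, rules, poisons and dispatcher stages above, reduced to a small Python model as an added illustration: this is not toxy's API (toxy is a node.js library), and the names FaultProxy, header_rule, latency_poison, bandwidth_poison and abort_poison are invented here. Rules are predicates over the request; poisons mutate the planned response; a stage's poisons run only when all of its rules pass, and the upstream is a constructed callable standing in for the real backend.

```python
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    def __init__(self, method, path, headers=None, body=b""):
        self.method, self.path, self.body = method, path, body
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}


# --- Rules: predicates deciding whether a stage's poisons apply to a request ---
def header_rule(name, value):
    return lambda req: req.headers.get(name.lower()) == value


def method_rule(*methods):
    return lambda req: req.method in methods


# --- Poisons: transformations of the planned response ---
def latency_poison(ms):
    def poison(req, resp):
        resp["delay_ms"] += ms
    return poison


def bandwidth_poison(bytes_per_sec):
    """Model a bandwidth cap as the time the body would take to transfer."""
    def poison(req, resp):
        resp["delay_ms"] += int(len(resp["body"]) / bytes_per_sec * 1000)
    return poison


def abort_poison(status):
    def poison(req, resp):
        resp["status"], resp["body"] = status, b""
    return poison


class FaultProxy:
    def __init__(self, upstream):
        self.upstream = upstream            # callable: Request -> (status, body)
        self.routes = []                    # (method or "*", path prefix, rules, poisons)
        self.global_rules, self.global_poisons = [], []

    def route(self, method, prefix, rules=(), poisons=()):
        self.routes.append((method, prefix, list(rules), list(poisons)))

    def handle(self, req):
        status, body = self.upstream(req)
        resp = {"status": status, "body": body, "delay_ms": 0, "poisoned_by": []}
        # Router: the global stage plus every route whose method and prefix match.
        stages = [("global", self.global_rules, self.global_poisons)]
        stages += [(f"{m} {p}", rules, poisons) for m, p, rules, poisons in self.routes
                   if m in ("*", req.method) and req.path.startswith(p)]
        for name, rules, poisons in stages:
            if all(rule(req) for rule in rules):   # rules gate the poisons
                for poison in poisons:
                    poison(req, resp)
                    resp["poisoned_by"].append(name)
        return resp                                # dispatcher would now send it


def demo():
    def upstream(req):                             # constructed backend: 600-byte JSON body
        return 200, b'{"ok":true}\n' * 50
    proxy = FaultProxy(upstream)
    proxy.global_poisons.append(latency_poison(100))         # every response: +100 ms
    proxy.route("GET", "/api/", rules=[header_rule("X-Chaos", "slow")],
                poisons=[bandwidth_poison(1024)])            # only when the test header asks
    proxy.route("*", "/api/orders", rules=[method_rule("POST")],
                poisons=[abort_poison(503)])                 # writes to orders fail
    return [proxy.handle(Request("GET", "/api/users", {"X-Chaos": "slow"})),
            proxy.handle(Request("GET", "/api/users")),
            proxy.handle(Request("POST", "/api/orders"))]


if __name__ == "__main__":
    for r in demo():
        print(r["status"], r["delay_ms"], r["poisoned_by"])
```

Gating poisons on a header, as the first route does, is the usual way to run fault injection against a shared environment without degrading traffic that did not opt in.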


Installation

npm install toxy


Download

~ Friday 28 August 2015 0 comments

SONAR: A Framework For Identifying And Launching Exploits Against Internal Network Hosts



Works via WebRTC IP scanning combined with external resource fingerprinting.

How does it work?

Upon loading the sonar payload in a modern web browser the following will happen:
  • sonar will use WebRTC to scan the internal network for live hosts.
  • If a live host is found, sonar attempts to fingerprint it by referencing its resources from the page (image and stylesheet links) and hooking the onload event. If the expected resources load successfully, it triggers the pre-set JavaScript callback to start the user-supplied exploit.
  • If the user changes networks, sonar starts the process all over again on the newly joined network.

Fingerprints

Sonar works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.

An example fingerprint database can be seen below:

var fingerprints = [
    {
        'name': "ASUS RT-N66U",
        'fingerprints': ["/images/New_ui/asustitle.png","/images/loading.gif","/images/alertImg.png","/images/New_ui/networkmap/line_one.png","/images/New_ui/networkmap/lock.png","/images/New_ui/networkmap/line_two.png","/index_style.css","/form_style.css","/NM_style.css","/other.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
    {
        'name': "Linksys WRT54G",
        'fingerprints': ["/UILinksys.gif","/UI_10.gif","/UI_07.gif","/UI_06.gif","/UI_03.gif","/UI_02.gif","/UI_Cisco.gif","/style.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
]

The above database contains fingerprints for two devices, the ASUS RT-N66U WiFi router and the Linksys WRT54G WiFi router.

Each database entry has the following:

  • name: A field to identify what device the fingerprint is for. This could be something like HP Officejet 4500 printer or Linksys WRT54G Router.
  • fingerprints: This is an array of relative links to resources such as CSS stylesheets, images, or even JavaScript files. If you expect these resources to be on a non-standard port such as 8080, set the resource with the port included: :8080/unique.css. Keep in mind using external resources with active content such as JavaScript is dangerous as it can interrupt the regular flow of execution.
  • callback: If all of these resources are found to exist on the enumerated host then the callback function is called with a single argument of the device's IP address.
  • By creating your own fingerprints you can build custom exploits that will be launched against internal devices once they are detected by sonar. Common exploits include things such as Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc. The idea being that you can use these vulnerabilities to do things such as modifying router DNS configurations, dumping files from an internal fileserver, and more.

For an easier way to create fingerprints, see the following Chrome extension which generates fingerprint template code automatically for the page you're on:

Click Here to Install Chrome Extension



What can be done using sonar?

By using sonar a pentesting team can build web exploits against things such as internal logging servers, routers, printers, VOIP phones, and more. Because internal networks are often less guarded, attacks such as CSRF and XSS can be powerful for taking over the configurations of devices on a host's internal network.
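Seen from the device being fingerprinted, the technique has a recognisable footprint: within a second or two, one client fetches many of the device's static resources while the Referer points at an outside site rather than the device itself. The Python below is an added detection example, not part of sonar. It parses combined-format access-log lines (the log format, thresholds and the SAMPLE_LOG traffic are constructed for the example; the resource paths are the ASUS ones from the fingerprint database above) and flags clients showing that pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format with Referer and User-Agent, as many embedded web servers write it.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
STATIC_SUFFIXES = (".png", ".gif", ".jpg", ".css", ".js")


def _line(ip, second, path, referer):
    """Build one constructed access-log line (all sample traffic below is made up)."""
    return (f'{ip} - - [24/Aug/2015:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512 '
            f'"{referer}" "Mozilla/5.0"')


ASUS_RESOURCES = ["/images/New_ui/asustitle.png", "/images/loading.gif", "/images/alertImg.png",
                  "/images/New_ui/networkmap/line_one.png", "/index_style.css", "/form_style.css"]
SAMPLE_LOG = (
    # probe: six resources in two seconds, Referer on an outside site
    [_line("192.168.1.50", 1 + i // 3, p, "http://attacker.example/lure.html")
     for i, p in enumerate(ASUS_RESOURCES)]
    + [_line("192.168.1.50", 3, "/index.asp", "http://attacker.example/lure.html")]
    # an administrator browsing the device's own UI
    + [_line("192.168.1.60", 5 + i, p, "http://192.168.1.1/index.asp") for i, p in enumerate(ASUS_RESOURCES)]
    # too few resources to count as a fingerprint attempt
    + [_line("192.168.1.70", 20, p, "http://attacker.example/lure.html") for p in ASUS_RESOURCES[:2]]
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def referer_host(referer):
    m = re.match(r"https?://([^/:]+)", referer)
    return m.group(1) if m else None


def detect_fingerprint_probes(lines, own_hosts, window_s=5, min_resources=5):
    """Flag clients that fetch at least min_resources distinct static resources within
    window_s seconds while the Referer names a host that is not this device."""
    by_client = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if not e or not e["path"].lower().endswith(STATIC_SUFFIXES):
            continue
        host = referer_host(e["referer"])
        if host is None or host in own_hosts:
            continue
        by_client[(e["ip"], host)].append((e["ts"], e["path"]))
    alerts = []
    for (ip, host), events in by_client.items():
        events.sort()
        for i in range(len(events)):
            burst = {p for t, p in events[i:] if (t - events[i][0]).total_seconds() <= window_s}
            if len(burst) >= min_resources:
                alerts.append({"client": ip, "referer_host": host, "distinct_resources": len(burst)})
                break
    return alerts


if __name__ == "__main__":
    print(detect_fingerprint_probes(SAMPLE_LOG, own_hosts={"192.168.1.1", "router.local"}))
```

A Referer can be suppressed by the probing page, so an absent Referer on a burst of static fetches is worth the same scrutiny; the durable mitigation is on the device side (authentication on every state-changing request, CSRF tokens, and no reliance on the internal network being trusted).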

Download

~ Monday 24 August 2015 0 comments

BinNavi A Binary Analysis IDE To Control Disassembled Code



BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.

BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.

Complications from a third-party dependency
BinNavi uses a commercial third-party graph visualisation library (yFiles) for displaying and laying out graphs. This library is immensely powerful, and not easily replaceable.

In order to perform direct development using yFiles, you need a developer license for it. At the same time, we want the community to be able to contribute to BinNavi without needing a commercial yFiles license. In order to do this and conform to the yFiles license, all interfaces to yFiles need to be properly obfuscated.

In order to achieve this, we did the following:

1) BinNavi and all the libraries have been split into two: The parts of the project that directly depend on yFiles were split into subpackages called "yfileswrap":

com.google.security.zynamics.binnavi
com.google.security.zynamics.binnavi.yfileswrap
com.google.security.zynamics.zylib
com.google.security.zynamics.zylib.yfileswrap
com.google.security.zynamics.reil
com.google.security.zynamics.reil.yfileswrap

We are distributing a pre-built JAR file with all the code in the "yfileswrap" subpackages - pre-linked and obfuscated against yFiles. If you wish to change or add code in BinNavi and do not have a yFiles license, you can freely do pretty much whatever you want in the non-yfileswrap packages - you can simply put the lib/yfileswrap-obfuscated.jar into your classpath to test and see the results.

If you wish to make changes to the "yfileswrap" subdirectories, please be aware that you will need a valid yFiles license - and any contribution that you make to the BinNavi project has to honor their license agreement. This means that you can't simply expose their inner APIs under different names etc.

We will enforce this - we're very happy to have found a way to open-source BinNavi with the yFiles dependency, and we will make sure that any code we pull in respects the yFiles license.

Building BinNavi from scratch
BinNavi uses Maven for its dependency management, but not for the actual build yet. To build from scratch use these commands:

mvn dependency:copy-dependencies
ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar

Running BinNavi for the first time
Please be aware that BinNavi makes use of a central PostgreSQL database for storing disassemblies/comments/traces - so you need to have such an instance running somewhere accessible to you. You can build/launch BinNavi as follows:

ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar
java -jar target/binnavi-all.jar


Loading the project into Eclipse

Loading the code into Eclipse for further development requires a little bit of configuration.

  1. Download the dependencies (as described above) and make sure you have a Java SDK with 1.8 language compliance installed.
  2. Create a new "Java Project From Existing Ant Buildfile" and use the file src/main/java/com/google/security/zynamics/build.xml
  3. Select the "javac" task found in target "build-binnavi-jar".
  4. Open the "Project Properties" dialog.
  5. Edit the source folders to have the following properties:
     • Linked Folder Location: $SRCDIR/src/main/java
     • Folder Name: java
  6. Click on "Next".
  7. Add binnavi/yfileswrap, zylib/yfileswrap, and reil/yfileswrap to the list of directories to exclude.
  8. Go to Run->Debug Configurations, select "Java Application" and then search for "CMain".
  9. You should be ready to go from here.

Exporting disassemblies from IDA
As part of this project, we are distributing a binary-only (sorry!) IDA pro plugin that exports disassemblies from IDA into the Postgresql database format that BinNavi requires. When running BinNavi, simply configure the right path for IDA, click on the "install plugin" button if necessary -- you should now be able to import disassemblies.

Using other disassemblers than IDA
Right now, we only have the IDA export plugin - but we are hoping very much that someone will help us build export functionality for other disassemblers in the near future.

website: http://www.zynamics.com/binnavi.html

Download

~ Thursday 20 August 2015 0 comments

NetRipper - Smart Traffic Sniffing For Penetration Testers



Description
NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.

NetRipper was released at Defcon 23, Las Vegas, Nevada.

Abstract
The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

Tested applications
NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support.

Components
NetRipper.exe - Configures and injects the DLL
DLL.dll       - Injected DLL, hooks APIs and saves data to files
netripper.rb  - Metasploit post-exploitation module

Command line
Injection: NetRipper.exe DLLpath.dll processname.exe  
Example:   NetRipper.exe DLL.dll firefox.exe

Generate DLL:

  -h,  --help          Print this help message
  -w,  --write         Full path for the DLL to write the configuration data
  -l,  --location      Full path where to save data files (default TEMP)

Plugins:

  -p,  --plaintext     Capture only plain-text data. E.g. true
  -d,  --datalimit     Limit capture size per request. E.g. 4096
  -s,  --stringfinder  Find specific strings. E.g. user,pass,config

Example:
NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass  

Metasploit module

msf > use post/windows/gather/netripper 
msf post(netripper) > show options

Module options (post/windows/gather/netripper):

Name          Current Setting                   Required  Description
----          ---------------                   --------  -----------
DATALIMIT     4096                              no        The number of bytes to save from requests/responses
DATAPATH      TEMP                              no        Where to save files. E.g. C:\Windows\Temp or TEMP
PLAINTEXT     true                              no        True to save only plain-text data
PROCESSIDS                                      no        Process IDs. E.g. 1244,1256
PROCESSNAMES                                    no        Process names. E.g. firefox.exe,chrome.exe
SESSION                                         yes       The session to run this module on.
STRINGFINDER  user,login,pass,database,config   no        Search for specific strings in captured data

Set PROCESSNAMES and run.

Metasploit installation (Kali)
  • cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
  • mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
  • g++ -Wall netripper.cpp -o netripper
  • cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
  • cd ../Release
  • cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll

Plugins
  • PlainText - Allows capturing only plain-text data
  • DataLimit - Save only the first bytes of requests and responses
  • StringFinder - Find specific strings in network traffic

To do
  • Support multiple applications
  • Support for x64 processes
  • Thread-safe API hooking
  • Monitor loading of DLLs and new processes

Author
Ionut Popescu, Senior Security Consultant at KPMG Romania


~ Friday 14 August 2015 0 comments

ezbash: A Tool That Teaches How To Use The Terminal



ezbash (yes, it's uncapitalized on purpose) is a tool created to help people ease their way into using the MacOS or Linux terminal, that most powerful of applications.

Installation

As your first step into learning bash, enter this into your terminal:

gem install ezbash

Note: You may have to tack "sudo" onto the beginning of the above command to get the program to install. If you get an error like "Permission denied", you will need to do this.

Usage

To run the application, enter this into the terminal:

ezbash

Then, list possible commands by entering "help" and get started! Have fun!

Uninstallation

To uninstall the program, enter this into your terminal:

gem uninstall ezbash


Download

~ Friday 7 August 2015 0 comments

Inveigh: A Windows PowerShell LLMNR/NBNS Spoofer With Challenge/Response Capture Over HTTP/SMB





Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system.

This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.

Notes

  1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
  2. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
  3. SMB challenge/response captures are performed by sniffing over the host system's SMB service.
  4. HTTP challenge/response captures are performed with a dedicated listener.
  5. The local LLMNR/NBNS services do not need to be disabled on the host system.
  6. The LLMNR/NBNS spoofer points victims to the host system's SMB service; keep account lockout scenarios in mind.
  7. Kerberos should downgrade for SMB authentication because spoofed hostnames are not valid in DNS.
  8. Ensure that the LLMNR, NBNS, SMB and HTTP ports are open in any local firewall on the host system.
  9. Output files will be created in the current working directory.
  10. If you copy/paste challenge/response captures from the output window for password cracking, remove carriage returns.


Usage
Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass script execution policy.

To execute with default settings:
Inveigh.ps1 -i localip

To execute with features enabled/disabled:
Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N
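Because an LLMNR spoofer answers queries for names it does not own, the defensive counterpart is a probe: query the LLMNR multicast group for a name that does not exist anywhere on the network and treat any answer as evidence of a responder. The Python below is an added example of that check, unrelated to Inveigh's own code. It builds the query (LLMNR reuses the DNS wire format on UDP 5355 to 224.0.0.252) and parses responses; `probe()` needs a live network and is not exercised offline, while `constructed_response()` is a made-up reply used only to exercise the parser. The honeytoken name in the test is constructed.

```python
import socket, struct, secrets

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_llmnr_query(name, txid):
    """12-byte DNS-style header (flags 0, one question), then the question: type A, class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)


def _read_name(data, off):
    """Decode a DNS-style name, following compression pointers; returns (name, next offset)."""
    labels = []
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, ptr)
            if tail:
                labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def parse_llmnr_response(data, expected_txid):
    """Return (name, ipv4) pairs from the answer section of a response to our query."""
    if len(data) < 12:
        return []
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:   # not ours, or not a response
        return []
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(data, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def is_spoof_indicator(answers):
    """The probed name is a honeytoken no real host has, so any answer means something
    on the segment is responding to names it does not own."""
    return len(answers) > 0


def probe(honey_name, timeout=2.0):
    """Send one query to the LLMNR group and collect (source, name, ip) answers.
    Needs a live network; not exercised offline."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(honey_name, txid), (LLMNR_GROUP, LLMNR_PORT))
        answers = []
        try:
            while True:
                data, src = s.recvfrom(2048)
                answers += [(src[0], name, ip) for name, ip in parse_llmnr_response(data, txid)]
        except socket.timeout:
            pass
    return answers


def constructed_response(txid, name, ip):
    """Constructed positive reply (one A record, name given as a pointer to the question)
    so the parser can be exercised offline."""
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0) + question + answer
```

Run periodically from a monitoring host, a positive probe gives the responder's source address for follow-up; the structural fix remains disabling LLMNR and NetBIOS name resolution on clients where they are not needed, which also removes the "Kerberos downgrades to NTLM" path noted above.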


Download



~ Thursday 30 July 2015 0 comments

Fuddly: Fuzzing And Data Manipulation Framework



List of features

Graph-based data model that enables:

  • representing complex data formats and also mixing them
  • complex data manipulations
  • dissecting/absorbing existing data
  • generation & mutation fuzzing strategies

Fuzzing automation framework:

  • Target abstraction
  • Monitoring means based on independent probes
  • Replay & logging
  • Data manipulation based on disruptors (objects that implement specific data transformation)
  • Virtual operator abstraction

What's still missing
  • Documentation
  • refer to TODO file

Miscellaneous

Don't forget to populate ./imported_data/ with sample files for data models that need it.

Dependencies
  • Compatible with Python2 and Python3
  • Mandatory: six (Python 2/3 compatibility)
  • Optional: xtermcolor (terminal color support), cups (Python bindings for libcups), rpyc (Remote Python Call (RPyC), a transparent and symmetric RPC library)

Download

Suggestion: Read more about FUZZING

~ Saturday 20 June 2015 0 comments

TurboBytes Pulse Tool To Run Network Diagnostics In Distributed Manner



It is made up of 2 components!

CNC : This is the Command & Control server. Users make http requests to it describing the test they want to run. CNC then runs it across all minions, gathers the response and then returns them to the user. Dependencies : mongodb (I might replace it with something lighter, or make it optional)

minion - This is the agent that runs at places where you want to debug from. It makes a TLS connection to CNC and waits for incoming test requests to be executed. Dependencies: mtr command (ubuntu: apt-get install mtr-tiny)

Build instructions

go get github.com/turbobytes/pulse
cd $GOPATH/src/github.com/turbobytes/pulse
go build cnc.go
go build minion.go

You can build these for any target supported by Go by manipulating GOOS and GOARCH. gccgo is not supported currently because it uses older Go versions. You might need to adapt the code for gccgo. We had success in running it on MIPS as proof of concept.

It is important that the CNC and minion are from the same release. If you update one of them, it's crucial to update the other to avoid unexpected behaviour, since they share data structures.

TLS PKI

CNC and minion use TLS to communicate with each other. Use your own CA to sign the certificates; both the minion and the CNC trust only this CA. The TLS setup was inspired by this blogpost.

Install EasyRSA

git clone https://github.com/OpenVPN/easy-rsa.git example-ca
chmod 700 example-ca
cd example-ca
rm -rf .git

Create CA

./easyrsa init-pki
It's important that you set a passphrase for your CA's private key.

Create server cert

./easyrsa build-server-full localhost nopass
Replace localhost with the hostname of the server that runs the CNC.

Create minion certificate

./easyrsa build-client-full 'client0' nopass
Create one certificate for each minion instance. Replace 'client0' with a descriptive name; this is what's shown in the UI/API to indicate which agent ran the test.

Running Pulse

It's important that system clocks are correct; otherwise TLS may not work correctly.

CNC

The CNC needs mongodb running on localhost. This requirement will be removed in future releases. Mongo is only used for storing metadata about minions.

usage : ./cnc -ca="/path/to/ca.crt" -crt="/path/to/server.crt" -key="/path/to/server.key"

Note: server.crt and server.key are the certificate/key generated by the build-server-full command.

It's important that all minions can reach port 7777 on the server, and that all users can reach port 7778.

minion

usage : ./minion -ca="/path/to/ca.crt" -crt="/path/to/minion.crt" -key="/path/to/minion.key" -cnc="cnc.host.name:7777"

Note: minion.crt and minion.key are the certificate/key generated by the build-client-full command. cnc.host.name is the hostname of the CNC.

Use each client certificate for exactly one minion.
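The trust model the TLS PKI section and the two usage lines above describe is simple to state and easy to get wrong: a private CA, one server certificate for the CNC host, one client certificate per minion, and nothing else trusted on either side. The following added example, written for this page and not code from the Pulse project, reproduces that model in Go with in-memory certificates standing in for the EasyRSA files. The CNC side requires a minion certificate chained to the private CA, the minion side trusts only that CA when checking the CNC's name, and a certificate from any other CA fails the handshake. The names pulse-example-ca, cnc.example and client0 and the helper functions mkCert and handshake are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mkCert makes a key pair and certificate: a self-signed CA when parent is nil (the EasyRSA CA),
// otherwise a leaf signed by parent (ServerAuth for the CNC host, ClientAuth for one minion).
func mkCert(parent *tls.Certificate, cn string, usage x509.ExtKeyUsage) (tls.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	signer, signKey := tmpl, interface{}(priv) // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	} else { // a CA may sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, err
}

// handshake runs one mutual-TLS handshake over loopback TCP (CNC = server, minion = client) and
// returns the CN the CNC saw in the minion's certificate, or an error if either side refused its peer.
func handshake(ca, server, client tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate from this CA, no connection
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	cliCfg := &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      pool,          // the minion trusts only the private CA, not the system store
		ServerName:   "cnc.example", // the name given to build-server-full
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var cn string
	errc := make(chan error, 1)
	go func() { // CNC side
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second))
			srv := tls.Server(raw, srvCfg)
			if err = srv.Handshake(); err == nil {
				cn = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		errc <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer raw.Close()
	cliErr := tls.Client(raw, cliCfg).Handshake()
	if err := <-errc; err != nil {
		return "", err
	}
	return cn, cliErr
}

func main() {
	ca, _ := mkCert(nil, "pulse-example-ca", x509.ExtKeyUsageAny)
	cnc, _ := mkCert(&ca, "cnc.example", x509.ExtKeyUsageServerAuth)
	minion, _ := mkCert(&ca, "client0", x509.ExtKeyUsageClientAuth)
	fmt.Println(handshake(ca, cnc, minion)) // client0 <nil>
}
```

With the real EasyRSA output you would load the PEM files instead of generating them, using tls.LoadX509KeyPair for the certificate/key pairs and x509.CertPool.AppendCertsFromPEM for ca.crt; the two tls.Config values stay the same. The CN the CNC reads from the verified client certificate is what identifies the agent, which is why the page insists on one certificate per minion: a leaked key then compromises exactly one agent identity and only that certificate needs to be reissued.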

Using Pulse

Visit http://cnc.host.name:7778/agents/ for a listing of currently online agents.

http://cnc.host.name:7778/ contains a rough demo UI to run tests.

DNS test

API endpoint: /dns/. Method: POST. Payload: JSON object.

Example :-

{
    "Host": "example.com",
    "QType": 1,
    "Targets": ["8.8.8.8", "8.8.4.4"]
}

  • Host: the hostname we want to resolve
  • QType: DNS query type
  • Targets: the nameservers we want to query

HTTP test

API endpoint: /curl/. Method: POST. Payload: JSON object.

Example :-

{
    "Path": "/foo/bar.jpg",
    "Endpoint": "example.com",
    "Host": "foobar.com",
    "Ssl": false
}

  • Path: the URI to test
  • Endpoint: the server to connect to
  • Host: the contents of the Host header; if blank, the Endpoint value is used
  • Ssl: whether to talk SSL/TLS or plaintext

The HTTP test makes a GET request to the target and once the headers come in, it terminates the connection without consuming the full body. This is by design so as to not consume too much bandwidth.

mtr/traceroute

mtr test is a wrapper around the mtr command.

API endpoint: /mtr/. Method: POST. Payload: JSON object.

example :-

{
    "Target": "example.com"
}

Target: the hostname/IP we want to trace to.

Download

More info: 
TurboBytes pulse https://pulse.turbobytes.com/


~ Monday 8 June 2015 0 comments

YASUO: A Ruby Script That Scans Vulnerable 3rd-Party Web Applications



YASUO: A Ruby script that scans for vulnerable and exploitable 3rd-party web applications on a network.

While working on a network security assessment (internal, external, red team gigs, etc.), we often come across vulnerable 3rd-party web applications or web front-ends that allow us to compromise the remote server by exploiting publicly known vulnerabilities.

Some of the common & favorite applications are Apache Tomcat administrative interface, JBoss jmx-console, Hudson Jenkins and so on.

If you search through Exploit-db, there are over 10,000 remotely exploitable vulnerabilities that exist in tons of web applications/front-ends and could allow an attacker to completely compromise the back-end server. These vulnerabilities range from RCE to malicious file uploads to SQL injection to RFI/LFI etc.

Yasuo is built to quickly scan the network for such vulnerable applications thus serving pwnable targets on a silver platter.

Setup / Install

You would need to install the following gems:

  • gem install ruby-nmap net-http-persistent mechanize colorize text-table


Details

Yasuo provides the following command-line options:

-r :: If you want Yasuo to perform a port scan, use this switch to provide an IP address, an IP range, or an input file with newline-separated IP addresses

-s :: Provide custom signature file. [./yasuo.rb -s mysignatures.yaml -f nmap.xml] [Default - signatures.yaml]

-f :: If you do not want Yasuo to perform a port scan and already have nmap output in XML format, use this switch to feed it the nmap output

-n :: Tells Yasuo to not ping the host while performing the port scan. Standard nmap option.

-p :: Use this switch to provide port number(s)/range

-A :: Use this switch to scan all 65535 ports. Standard nmap option.

-b [all/form/basic] :: If the discovered application implements authentication, use this switch to brute-force the auth. "all" will brute-force both form & http basic auth. "form" will only brute-force form-based auth. "basic" will only brute-force http basic auth.

-t :: Specify maximum number of threads

-h :: Well, take a guess

Examples

./yasuo -r 127.0.0.1 -p 80,8080,443,8443 -b form

The above command will perform port scan against 127.0.0.1 on ports 80, 8080, 443 and 8443 and will brute-force login for all the applications that implement form-based authentication.

./yasuo -f my_nmap_output.xml -b all

The above command will parse the nmap output file "my_nmap_output.xml" and will brute-force login for all the applications that implement form-based and HTTP basic authentication.

Download



~ Friday 5 June 2015 0 comments

NoSQL Honeypot Framework (NoPo) Python Tool


NoSQL Honeypot Framework (NoPo) Python Tool

NoSQL-Honeypot-Framework (NoPo) is an open source honeypot for NoSQL databases that automates the process of detecting attackers and logging attack incidents. The simulation engines are deployed using the Twisted framework. Currently the framework supports Redis.

N.B.: The framework is under development and is prone to bugs.

Screenshots

Server Deployed Screenshot


Installation

You can download NoPo by cloning the Git repository:

git clone https://github.com/torque59/nosqlpot.git

pip install -r requirements.txt

NoPo works out of the box with Python version 2.6.x and 2.7.x on any platform.

Added Features:


  • First Ever Honeypot for NoSQL Databases
  • Support For Config Files
  • Simulates Protocol Specification as of Servers
  • Support for Redis


Usage

Get a list of basic options :
python nopo.py -h

Deploy a NoSQL engine:
python nopo.py -deploy redis

Deploy a NoSQL engine with a configuration file:
python nopo.py -deploy redis -config filename

Log commands and sessions to a file:
python nopo.py -deploy redis -out log.out
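What a NoSQL honeypot like NoPo has to do for Redis is speak enough of the wire protocol (RESP) to keep a client talking while recording every command it sends, which is what the "-deploy redis" and "-out log.out" options above set up. The following added example, not code from NoPo (which is built on Python/Twisted), shows that core in Go: a bounded RESP decoder, canned replies so the client continues, and a per-session log in which state-changing commands are flagged. The watch list, the sample session and the function names readCommand and handleSession are constructed for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Event is one client command as the honeypot records it.
type Event struct {
	Cmd   string   // command name, upper-cased
	Args  []string // arguments exactly as sent (credentials tried, keys touched, ...)
	Alert bool     // set for commands on the watch list below
}

// watched is a constructed list of state-changing commands that deserve an alert, not just a log line.
var watched = map[string]bool{"CONFIG": true, "SLAVEOF": true, "FLUSHALL": true, "DEBUG": true}

// readCommand decodes one request in RESP framing, an array ("*N") of bulk strings ("$len"), which is
// what redis-cli and client libraries send; a bare line such as "PING" is accepted as an inline command.
// Counts and lengths are capped so a hostile client cannot make the honeypot allocate arbitrary memory.
func readCommand(r *bufio.Reader) ([]string, error) {
	line, err := r.ReadString('\n')
	if err != nil {
		return nil, err
	}
	line = strings.TrimRight(line, "\r\n")
	if line == "" || line[0] != '*' {
		return strings.Fields(line), nil
	}
	n, err := strconv.Atoi(line[1:])
	if err != nil || n < 0 || n > 1024 {
		return nil, fmt.Errorf("bad array header %q", line)
	}
	args := make([]string, 0, n)
	for i := 0; i < n; i++ {
		hdr, err := r.ReadString('\n')
		if err != nil {
			return nil, err
		}
		hdr = strings.TrimRight(hdr, "\r\n")
		if hdr == "" || hdr[0] != '$' {
			return nil, fmt.Errorf("expected bulk string, got %q", hdr)
		}
		size, err := strconv.Atoi(hdr[1:])
		if err != nil || size < 0 || size > 1<<20 {
			return nil, fmt.Errorf("bad bulk length %q", hdr)
		}
		buf := make([]byte, size+2) // payload plus its trailing CRLF
		if _, err := io.ReadFull(r, buf); err != nil {
			return nil, err
		}
		if !bytes.HasSuffix(buf, []byte("\r\n")) {
			return nil, fmt.Errorf("bulk string of length %d not CRLF terminated", size)
		}
		args = append(args, string(buf[:size]))
	}
	return args, nil
}

// handleSession serves one connection until EOF, QUIT or a framing error, answering with canned
// Redis replies so the client keeps talking, and returns everything the client sent.
func handleSession(in io.Reader, out io.Writer) []Event {
	r := bufio.NewReader(in)
	var events []Event
	for {
		args, err := readCommand(r)
		if err != nil {
			return events
		}
		if len(args) == 0 {
			continue
		}
		cmd := strings.ToUpper(args[0])
		events = append(events, Event{Cmd: cmd, Args: args[1:], Alert: watched[cmd]})
		switch cmd {
		case "PING":
			io.WriteString(out, "+PONG\r\n")
		case "QUIT":
			io.WriteString(out, "+OK\r\n")
			return events
		default: // accept anything else so the whole session is captured
			io.WriteString(out, "+OK\r\n")
		}
	}
}

func main() {
	// Constructed wire capture: PING, an AUTH attempt, a CONFIG read, then QUIT.
	wire := "*1\r\n$4\r\nPING\r\n*2\r\n$4\r\nAUTH\r\n$8\r\nhunter22\r\n" +
		"*3\r\n$6\r\nCONFIG\r\n$3\r\nGET\r\n$3\r\ndir\r\nQUIT\r\n"
	for _, ev := range handleSession(strings.NewReader(wire), io.Discard) {
		fmt.Printf("alert=%-5v %s %v\n", ev.Alert, ev.Cmd, ev.Args)
	}
}
```

A real listener would wrap each accepted net.Conn in handleSession and write the returned events, with the peer address and timestamps, to the log file; the value of the honeypot is in that log, so the decoder deliberately tolerates inline commands and stops quietly on malformed input rather than crashing the service on the first bad client.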

Download

~ Monday 18 May 2015 0 comments