Backtrack Team: Intrusion Detection System

Affichage des articles dont le libellé est Intrusion Detection System. Afficher tous les articles

MEMSCAN A Memory Scanning Tool For A Specific Sequence of Bytes

MEMSCAN A Memory Scanning Tool..
For A Specific Sequence of Bytes!

A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes.
To build MEMSCAN, you will need to have the OS installed. Well, you don't really need it but it makes life easier.

Once Theos is installed, simply navigate to the MEMSCAN folder in terminal and run:

make package install

Usage

Dumping the memory of a process

Obtain the target process PID, using ps.
Provide the PID to memscan:

./memscan -p -d

Finding objects in memory

Open your target app or process in a disassembler, grab first ~16 bytes (customise this number as you will) of the method you want to hook and these bytes will be your "signature".

Write the signature to a file, make sure to encode the bytes like so:

echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > needle

Run the scanner against the target process. It will locate the signature in memory and print it's address. The signature has to be passed in as bytes, not a literal string so use the scanner as shown:

./memscan -p -s

e.g:

./memscan -p 1234 -s ./needle

MEMSCAN should then print the address where the needle is located in memory.

Download

by Malik korrich ~ lundi 5 octobre 2015 0 commentaires

GitHub Announces To Support Universal 2nd Factor Authentication

GitHub Announces To Support Universal 2nd Factor Authentication (U2F)
A rapidly growing open authentication standard!

When you insert them, these physical USB keys automatically generates a second-factor code. And you don't even enter a Six-digit code from Google Authentication and similar Apps. GitHub announced that its partnership with Yubico.

Two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

The FIDO U2F Security Key by Yubico is a specially designed YubiKey, relying on high-security, public-key cryptography. U2F is built to protect against phishing and man-in-the-middle attacks, allowing one U2F authenticator to access any number of services without any shared secrets.

What is U2F — FIDO UNIVERSAL 2ND FACTOR

U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed.

U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium FIDO Alliance.

U2F is used with USB devices, including YubiKeys, as one of many authentication methods

In order to take advantage of the security improvements provided by U2F, you'll need to purchase a hardware key. You can purchase the U2F key of your choice from a range of vendors. GitHub are partnering with Yubico, inventor of the YubiKey, co-creator of the U2F protocol, and a leading provider of U2F authenticators.

Together with Yubico we are offering discounts to GitHub users for a limited time through a special offer page where you will verify your GitHub account and place your order:

While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available).
After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.
In addition, all students who are eligible for the Student Developer Pack will receive a 20% discount on any U2F-certified YubiKey.

by Malik korrich ~ vendredi 2 octobre 2015 0 commentaires

Thug: A Tool For Python Low-Interaction Honeyclient

Thug: A Tool For Python Low-Interaction Honeyclient

Thug is a Python low-interaction honeyclient aimed at mimicing the behavior of a web browser in order to detect and emulate malicious contents.

The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as the most known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks.

A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker's content.

Download

by Malik korrich ~ mercredi 30 septembre 2015 0 commentaires

How To Test Security in IPv4 and IPv6 Data Networks?

How To Test Security in IPv4 and IPv6 Data Networks ?

Evil Foca is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks.

Compared to IPv4 address space is 32 bits which resulting 4 billion addresses.IPv6 offers larger address space. Its addresses are 128 bits long, resulting in an address space of 340 undecillion addresses.

In addition, IPv6 provides other technical benefits, particularly, it permits hierarchical address allocation methods that facilitate route aggregation across the Internet, and thus limit the expansion of routing tables. The use of multicast addressing is expanded and simplified, and provides additional optimization for the delivery of services. Device mobility, security, and configuration aspects have been considered in the design of the protocol.

The tool is capable of carrying out various attacks such as:

MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
DNS Hijacking.

The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

Man In The Middle (MITM) attack

The well-known “Man In The Middle” is an attack in which the wrongdoer creates the possibility of reading, adding, or modifying information that is located in a channel between two terminals with neither of these noticing. Within the MITM attacks in IPv4 and IPv6 Evil Foca considers the following techniques:

ARP Spoofing: Consists in sending ARP messages to the Ethernet network. Normally the objective is to associate the MAC address of the attacker with the IP of another device. Any traffic directed to the IP address of the predetermined link gate will be erroneously sent to the attacker instead of its real destination.

DHCP ACK Injection: Consists in an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify its behavior. Evil Foca converts the machine in a fake DHCP server on the network.

Neighbor Advertisement Spoofing: The principle of this attack is identical to that of ARP Spoofing, with the difference being in that IPv6 doesn’t work with the ARP protocol, but that all information is sent through ICMPv6 packets. There are five types of ICMPv6 packets used in the discovery protocol and Evil Foca generates this type of packets, placing itself between the gateway and victim.

SLAAC attack: The objective of this type of attack is to be able to execute an MITM when a user connects to Internet and to a server that does not include support for IPv6 and to which it is therefore necessary to connect using IPv4. This attack is possible due to the fact that Evil Foca undertakes domain name resolution once it is in the communication media, and is capable of transforming IPv4 addresses in IPv6.

Fake DHCPv6 server: This attack involves the attacker posing as the DCHPv6 server, responding to all network requests, distributing IPv6 addresses and a false DNS to manipulate the user destination or deny the service.

Denial of Service (DoS) attack: The DoS attack is an attack to a system of machines or network that results in a service or resource being inaccessible for its users. Normally it provokes the loss of network connectivity due to consumption of the bandwidth of the victim’s network, or overloads the computing resources of the victim’s system.

DoS attack in IPv4 with ARP Spoofing: This type of DoS attack consists in associating a nonexistent MAC address in a victim’s ARP table. This results in rendering the machine whose ARP table has been modified incapable of connecting to the IP address associated to the nonexistent MAC.
DoS attack in IPv6 with SLAAC attack: In this type of attack a large quantity of “router advertisement” packets are generated, destined to one or several machines, announcing false routers and assigning a different IPv6 address and link gate for each router, collapsing the system and making machines unresponsive.

DNS Hijacking: The DNS Hijacking attack or DNS kidnapping consists in altering the resolution of the domain names system (DNS). This can be achieved using malware that invalidates the configuration of a TCP/IP machine so that it points to a pirate DNS server under the attacker’s control, or by way of an MITM attack, with the attacker being the party who receives the DNS requests, and responding himself or herself to a specific DNS request to direct the victim toward a specific destination selected by the attacker.

Download

by Malik korrich ~ mardi 29 septembre 2015 0 commentaires

AIDE (Advanced Intrusion Detection Environment) To Verify The Integrity Of Files

AIDE (Advanced Intrusion Detection Environment) To Verify The Integrity Of Files

AIDE is a file and directory integrity checker.

What does it do?

It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further info.

Features

supported message digest algorithms: md5, sha1, rmd160, tiger, crc32, sha256, sha512, whirlpool (additionally with libmhash: gost, haval, crc32b)
supported file attributes: File type, Permissions, Inode, Uid, Gid, Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
support for Posix ACL, SELinux, XAttrs and Extended file system attributes if support is compiled in
plain text configuration files and database for simplicity
powerful regular expression support to selectively include or exclude files and directories to be monitored
gzip database compression if zlib support is compiled in
stand alone static binary for easy client/server monitoring configurations

AIDE is included in the following distributions. Please use the corresponding command to install AIDE.

Debian GNU/Linux | Ubuntu: apt-get install aide or aptitude install aide
Gentoo: emerge aide
MacPorts: port install aide
FreeBSD: pkg_add -r aide
Red Hat | CentOS | Fedora: yum install aide
openSUSE: zypper install aide
IPCop: see here for installation guidelines

Download

by Malik korrich ~ lundi 14 septembre 2015 0 commentaires

MALHEUR - Automatic Analysis of Malware Behavior

MALHEUR - Automatic Analysis of Malware Behavior

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures.

Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It supports four basic actions for analysis which can be applied to reports of recorded behavior:

1. Extraction of prototypes: From a given set of reports, malheur identifies a subset of prototypes representative for the full data set. The prototypes provide a quick overview of recorded behavior and can be used to guide manual inspection.

2. Clustering of behavior: Malheur automatically identifies groups (clusters) of reports containing similar behavior. Clustering allows for discovering novel classes of malware and provides the basis for crafting specific detection and defense mechanisms, such as anti-virus signatures.

3. Classification of behavior: Based on a set of previously clustered reports, malheur is able to assign unknown behavior to known groups of malware. Classification enables identifying novel and unknown variants of malware and can be used to filter program behavior prior to manual inspection.

4. Incremental analysis: Malheur can be applied incrementally for analysis of large data sets. By processing reports in chunks, the run-time as well as memory requirements can be significantly reduced. This renders long-term application of malheur feasible, for example for daily analysis of incoming malware programs.

A detailed description of these techniques as well as technical background on analysis of malicious software is provided in the following articles:

"Automatic Analysis of Malware Behavior using Machine Learning." Konrad Rieck, Philipp Trinius, Carsten Willems, and Thorsten Holz Journal of Computer Security (JCS), 19 (4) 639-668, 2011.
"A Malware Instruction Set for Behavior-Based Analysis." Philipp Trinius, Carsten Willems, Thorsten Holz, and Konrad Rieck Technical report TR-2009-07, University of Mannheim, 2009

Dependencies

libconfig >= 1.4, http://www.hyperrealm.com/libconfig/
libarchive >= 2.70, http://libarchive.github.com/

Debian & Ubuntu Linux

The following packages need to be installed for compiling Malheur on Debian and Ubuntu Linux

gcc
libconfig9-dev
libarchive-dev

For bootstrapping Malheur from the GIT repository or manipulating the automake/autoconf configuration, the following additional packages are necessary.

automake
autoconf
libtool
Mac OS X

For compiling Malheur on Mac OS X a working installation of Xcode is required including gcc. Additionally, the following packages need to be installed via Homebrew

libconfig
libarchive (from homebrew-alt)

OpenBSD

For compiling Malheur on OpenBSD the following packages are required. Note that you need to use gmake instead of make for building Malheur.

gmake
libconfig
libarchive

For bootstrapping Malheur from the GIT repository, the following packages need be additionally installed

autoconf
automake
libtool

Compilation & Installation

From GIT repository first run

$ ./bootstrap

From tarball run

$ ./configure [options]
$ make
$ make check
$ make install

Options for configure

--prefix=PATH Set directory prefix for installation

By default Malheur is installed into /usr/local. If you prefer a different location, use this option to select an installation directory.

License
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed without any warranty. See the GNU General Public License for more details.

Copyright
Copyright (c) 2009-2015 Konrad Rieck (konrad@mlsec.org) University of Goettingen, Berlin Institute of Technology

Download

by Malik korrich ~ vendredi 4 septembre 2015 0 commentaires

Toxy: Hackable HTTP Proxy To Simulate Server Failure Scenarios And Unexpected Network Conditions

Toxy: Hackable HTTP Proxy To Simulate Server Failure Scenarios And Unexpected Network Conditions

toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions, built for node.js/io.js.

It was mainly designed for fuzzing/evil testing purposes, when toxy becomes particularly useful to cover fault tolerance and resiliency capabilities of a system, especially in service-oriented architectures, where toxy may act as intermediate proxy among services.

toxy allows you to plug in poisons, optionally filtered by rules, which essentially can intercept and alter the HTTP flow as you need, performing multiple evil actions in the middle of that process, such as limiting the bandwidth, delaying TCP packets, injecting network jitter latency or replying with a custom error or status code.

toxy can be fluently used programmatically or via HTTP API. It's compatible with connect/express, and it was built on top of rocky, a full-featured middleware-oriented HTTP proxy.

Requires node.js +0.12 or io.js +1.6

Why toxy?

There're some other similar solutions like toxy in the market, but most of them do not provide a proper programmatic control and usually are not easy to hack, configure and/or extend. Additionally, most of the those solutions only operate at TCP level stack instead of providing high-level abstraction to cover common requirements of the specific domain and nature of the HTTP protocol, like toxy does.

toxy provides a powerful hackable and extensible solution with a convenient abstraction, but also a low-level interface and programmatic capabilities exposed as a simple, concise and fluent API, with the implicit power, simplicity and fun of node.js.

Concepts

toxy introduces two core directives that you can plug in the proxy and should knowing before using: poisons and rules.

Poisons are the specific logic to infect an incoming or outgoing HTTP flow (e.g: injecting a latency, replying with an error). HTTP flow can be poisoned by one or multiple poisons, and poisons can be plugged to infect both global or route level incoming traffic.

Rules are a kind of validation filters that can be reused and applied to global incoming HTTP traffic, route level traffic or into a specific poison. Their responsability is to determine, via inspecting each incoming HTTP request, if the registered poisons should be enabled or not, and therefore infecting or not the HTTP traffic (e.g: match headers, query params, method, body...).

How it works

↓ ( Incoming request ) ↓
↓ ||| ↓
↓ ---------------- ↓
↓ | Toxy Router | ↓ --> Match the incoming request
↓ ---------------- ↓
↓ ||| ↓
↓ ---------------- ↓
↓ | Exec Rules | ↓ --> Apply configured rules for the request
↓ ---------------- ↓
↓ ||| ↓
↓ ---------------- ↓
↓ | Exec Poisons | ↓ --> If all rules passed, then poison the HTTP flow
↓ ---------------- ↓
↓ / \ ↓
↓ \ / ↓
↓ ------------------- ↓
↓ | HTTP dispatcher | ↓ --> Proxy the HTTP traffic, either poisoned or not
↓ ------------------- ↓

Installation

npm install toxy

Download

by Malik korrich ~ vendredi 28 août 2015 0 commentaires

SONAR: A Framework For Identifying And Launching Exploits Against Internal Network Hosts

SONAR: A Framework For Identifying And Launching Exploits Against Internal Network Hosts

Works via WebRTC IP scanning combined with external resource fingerprinting.

How does it work?

Upon loading the sonar payload in a modern web browser the following will happen:

sonar will use WebRTC to scan the internal network for live hosts.
If a live host is found, sonar begins to attempt to fingerprint the host by linking to it via and and hooking the onload event. If the expected resources load successfully it will trigger the pre-set JavaScript callback to start the user-supplied exploit.
If the user changes networks, sonar starts the process all over again on the newly joined network.

Fingerprints

Sonar works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.

An example fingerprint database can be seen below:

var fingerprints = [
{
'name': "ASUS RT-N66U",
'fingerprints': ["/images/New_ui/asustitle.png","/images/loading.gif","/images/alertImg.png","/images/New_ui/networkmap/line_one.png","/images/New_ui/networkmap/lock.png","/images/New_ui/networkmap/line_two.png","/index_style.css","/form_style.css","/NM_style.css","/other.css"],
'callback': function( ip ) {
// Insert exploit here
},
},
{
'name': "Linksys WRT54G",
'fingerprints': ["/UILinksys.gif","/UI_10.gif","/UI_07.gif","/UI_06.gif","/UI_03.gif","/UI_02.gif","/UI_Cisco.gif","/style.css"],
'callback': function( ip ) {
// Insert exploit here
},
},
]

The above database contains fingerprints for two devices, the ASUS RT-N66U WiFi router and the Linksys WRT54G WiFi router.

Each database entry has the following:

name: A field to identify what device the fingerprint is for. This could be something like HP Officejet 4500 printer or Linksys WRT54G Router.
fingerprints: This is an array of relative links to resources such as CSS stylesheets, images, or even JavaScript files. If you expect these resources to be on a non-standard port such as 8080, set the resource with the port included: :8080/unique.css. Keep in mind using external resources with active content such as JavaScript is dangerous as it can interrupt the regular flow of execution.
callback: If all of these resources are found to exist on the enumerated host then the callback function is called with a single argument of the device's IP address.
By creating your own fingerprints you can build custom exploits that will be launched against internal devices once they are detected by sonar. Common exploits include things such as Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc. The idea being that you can use these vulnerabilities to do things such as modifying router DNS configurations, dumping files from an internal fileserver, and more.

For an easier way to create fingerprints, see the following Chrome extension which generates fingerprint template code automatically for the page you're on:

Click Here to Install Chrome Extension

What can be done using sonar?

By using sonar a pentesting team can build web exploits against things such as internal logging servers, routers, printers, VOIP phones, and more. Due to internal networks often being less guarded, attacks such as CSRF and XSS can be powerful to take over the configurations of devices on a hosts internal network.

Download

by Malik korrich ~ lundi 24 août 2015 0 commentaires

BinNavi A Binary Analysis IDE To Control Disassembled Code

BinNavi: A Binary Analysis IDE To Control Disassembled Code

BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.

BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.

Complications from a third-party dependency
BinNavi uses a commercial third-party graph visualisation library (yFiles) for displaying and laying out graphs. This library is immensely powerful, and not easily replaceable.

In order to perform direct development using yFiles, you need a developer license for it. At the same time, we want the community to be able to contribute to BinNavi without needing a commercial yFiles license. In order to do this and conform to the yFiles license, all interfaces to yFiles need to be properly obfuscated.

In order to achieve this, we did the following:

1) BinNavi and all the libraries have been split into two: The parts of the project that directly depend on yFiles were split into subpackages called "yfileswrap":

com.google.security.zynamics.binnavi
com.google.security.zynamics.binnavi.yfileswrap
com.google.security.zynamics.zylib
com.google.security.zynamics.zylib.yfileswrap
com.google.security.zynamics.reil
com.google.security.zynamics.reil.yfileswrap

We are distributing a pre-built JAR file with all the code in the "yfileswrap" subpackages - pre-linked and obfuscated against yFiles. If you wish to change or add code in BinNavi and do not have a yFiles license, you can freely do pretty much whatever you want in the non-yfileswrap packages - you can simply put the lib/yfileswrap-obfuscated.jar into your classpath to test and see the results.

If you wish to make changes to the "yfileswrap" subdirectories, please be aware that you will need a valid yFiles license - and any contribution that you make to the BinNavi project has to honor their license agreement. This means that you can't simply expose their inner APIs under different names etc.

We will enforce this - we're very happy to have found a way to open-source BinNavi with the yFiles dependency, and we will make sure that any code we pull in respects the yFiles license.

Building BinNavi from scratch
BinNavi uses Maven for its dependency management, but not for the actual build yet. To build from scratch use these commands:

mvn dependency:copy-dependencies
ant -f src/main/java/com/google/security/zynamics/build.xml \
build-binnavi-fat-jar

Running BinNavi for the first time
Please be aware that BinNavi makes use of a central PostgreSQL database for storing disassemblies/comments/traces - so you need to have such an instance running somewhere accessible to you. You can build/launch BinNavi as follows:

ant -f src/main/java/com/google/security/zynamics/build.xml \
build-binnavi-fat-jar
java -jar target/binnavi-all.jar

Loading the project into Eclipse

Loading the code into Eclipse for further development requires a little bit of configuration.

Download the dependencies (as described above) and make sure you have a Java SDK with 1.8 language compliance installed.
Create a new "Java Project From Existing Ant Buildfile" and use the file src/main/java/com/google/security/zynamics/build.xml
Select '"javac" task found in target "build-binnavi-jar"
Open the "Project Properties" dialog.
Edit the source folders to have the following properties:
Linked Folder Location: $SRCDIR/src/main/java
Folder Name: java
Click on "Next"
Add binnavi/yfileswrap, zylib/yfileswrap, and reil/yfileswrap to the list of directories to exclude.
Go to Run->Debug Configurations, select "Java Application" and then search for "CMain".
You should be ready to go from here.

Exporting disassemblies from IDA
As part of this project, we are distributing a binary-only (sorry!) IDA pro plugin that exports disassemblies from IDA into the Postgresql database format that BinNavi requires. When running BinNavi, simply configure the right path for IDA, click on the "install plugin" button if necessary -- you should now be able to import disassemblies.

Using other disassemblers than IDA
Right now, we only have the IDA export plugin - but we are hoping very much that someone will help us build export functionality for other disassemblers in the near future.

website: http://www.zynamics.com/binnavi.html

Download

by Malik korrich ~ jeudi 20 août 2015 0 commentaires

PortDog: Port Scanning Tool In Python

PortDog: Port Scanning Tool In Python

PortDog is a network anomaly detector aimed to detect port scanning techniques. It is entirely written in python and has easy-to-use interface.

It was tested on Ubuntu 15. Please note that, it is not working on Windows OS due to suffering from capturing RAW packets.I am working on to write this script to work both platforms. In future , I'm thinking about adding firewall options that could block malicious attempts. It is using Raw packets for analysis. For this reason, please ensure that you have run this script from privileged session.

Usage:

sudo python portdog.py -t time_for_sniff_in_minutes

For example, if you want to detect for 5 minutes use:

sudo python portdog.py -t 5

For infinite detection use:

sudo python portdog.py -t 0

If you want to get list of scanned ports , press CTRL+C to get port list at runtime (If scan was happened).

Download

by Malik korrich ~ vendredi 14 août 2015 0 commentaires

Inveigh: A Windows PowerShell LLMNR/NBNS Spoofer With Challenge/Response Capture Over HTTP/SMB

Inveigh: A Windows PowerShell LLMNR/NBNS Spoofer With Challenge/Response Capture Over HTTP/SMB.

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system.

This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.

Notes

Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
SMB challenge/response captures are performed by sniffing over the host system's SMB service.
HTTP challenge/response captures are performed with a dedicated listener.
The local LLMNR/NBNS services do not need to be disabled on the host system.
LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
Ensure that the LMMNR,NBNS,SMB,HTTP ports are open within any local firewall on the host system.
Output files will be created in current working directory.
If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.

Usage
Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass script execution policy.

To execute with default settings:
Inveigh.ps1 -i localip

To execute with features enabled/disabled:
Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N

Download

by Malik korrich ~ jeudi 30 juillet 2015 0 commentaires

Nuclide: An Open IDE Experience for Hack development

Nuclide : An open IDE for web and native mobile development, built on top of Atom to Provide Hackability.

Nuclide is the first IDE with support for Hack, including autocomplete, jump-to-definition, inline errors, and an omni-search bar for your project. Nuclide has been built from the start to provide a great IDE experience for Hack development.

Project by Facebook!

A unified developer experience for web and mobile development, built as a suite of packages on top of Atom to provide hackability and the support of an active community.

Nuclide
Nuclide is a collection of packages for Atom to provide IDE-like functionality for a variety of programming languages and technologies.

Installation

To install a pre-built version of Nuclide, install the nuclide-installer package in Atom. This package will ensure that you have the full set of Nuclide packages.

If you have never installed an Atom package before, follow the package installation instructions from the Atom Flight Manual to do it through the Atom UI, or run the following from the command line:

apm install nuclide-installer

The first time you start Atom after installing the nuclide-installer package, you will have to wait a few seconds for the installer to determine which Nuclide packages it needs to install or update. To determine whether the installer worked, go to the Settings view in Atom and select the Packages tab. From there, filter your installed packages by nuclide- and verify you see the packages listed in the next section.

Features

Nuclide contains the following Atom packages:

nuclide-flow Adds support for Flow. If flow is on your $PATH, then opening .js files with the /* @flow */ pragma under a directory with a .flowconfig should expose information from Flow directly in Atom.
nuclide-hack Adds support for Hack by providing autocomplete and jump-to-definition functionality. Nuclide also includes a nuclide-language-hack package so that Hack files are syntax highlighted correctly.
nuclide-hg-repository Local changes to files in a Mercurial repository will be reflected in Atom's file tree and gutter UI as Atom does natively for Git repositories.
nuclide-remote-projects adds support for remote development. See the nuclide-server package for more information on setting up the server that nuclide-remote-projects will talk to so you can edit your foreign files in Nuclide. Note that this package is used in concert with nuclide-file-tree so that both local and remote files can be browsed from a familiar UI.
nuclide-quick-open provides an advanced file search UI with segmented search results.
Note that some Nuclide packages, such as nuclide-flow and nuclide-hack, work better when the linter package is installed. Note that linter is separate from Nuclide. (There is evidence that the linter package will eventually be bundled as part of Atom core.)

Repository Organization

Most developers choose to maintain individual Node and Atom packages in their own repositories. Because Nuclide is composed of so many packages, we chose to organize all of its code in a single repository rather than across a multitude of repositories. As such, this repository is organized as follows:

pkg/ Source code for Nuclide packages.
scripts/ Utilities for developing and deploying Nuclide packages.

Building from Source

If you want to experiment with modifications to Nuclide's code, we recommend that you build it from source. (Note that when you build from source, an inert instance of the nuclide-installer package will be installed, effectively disabling autoupdate for Nuclide packages. If you want to return to an ordinary installation of Nuclide, run apm install nuclide-installer and restart Atom to get it back.)

System Requirements

Python 2.6 or later.
Atom v0.209.0 or later.
node, npm, apm, and git must be on your $PATH. (Node must be v0.12.0 or later.)

Build and install Nuclide

Run the following command from the root of the repository:

./scripts/dev/setup

or if you are on Windows:

python scripts\dev\setup

If you see any errors, try running the setup script again with the --verbose flag to get more debugging information.

The setup script will fetch the appropriate dependencies from npm and perform any necessary build steps. When complete, you should see several nuclide- packages in your ~/.atom/packages directory. Starting Atom after running ./scripts/dev/setup for the first time may be a little slow because of the large number of Babel files that need to be transpiled. (The results of transpilation are cached for future use. You can see how many files were transpiled from Timecop.)

Some users have reported errors when re-running ./scripts/dev/setup. (You should run this script whenever you add or remove a package, or change the dependencies in a package.json file.) Although it should not be necessary, running git clean -xfd to clear out stale files has fixed the problem for a number of developers. (On Windows, sometimes git clean -xfd has to be run several times to successfully delete the junctions created by the setup script.) If all else fails, you may want to create a fresh clone of Nuclide and run the setup script again from there.

Download

read more: http://nuclide.io/

by Malik korrich ~ dimanche 28 juin 2015 0 commentaires

Fuddly: Fuzzing And Data Manipulation Framework

Fuddly: Fuzzing And Data Manipulation Framework

List of features

Graph-based data model that enables:

To represent complex data formats and also to mix them
complex data manipulations
to dissect/absorb existing data
generation & mutation fuzzing strategy

Fuzzing automation framework:

Target abstraction
Monitoring means based on independant probes
Replay & logging
Data manipulation based on disruptors (objects that implement specific data transformation)
Virtual operator abstraction

What's still missing

Documentation
refer to TODO file

Miscellaneous

Don't forget to populate ./imported_data/ with sample files for data models that need it.

Dependencies

Compatible with Python2 and Python3
Mandatory: six: Python 2/3 compatibility
Optional: xtermcolor: terminal color support
cups: Python bindings for libcups
rpyc: Remote Python Call (RPyC), a transparent and symmetric RPC library

Download

Suggestion: Read more about FUZZING

by Malik korrich ~ samedi 20 juin 2015 0 commentaires

TurboBytes Pulse Tool To Run Network Diagnostics In Distributed Manner

TurboBytes Pulse Tool To Run Network Diagnostics In Distributed Manner.

It is made up of 2 components!

CNC : This is the Command & Control server. Users make http requests to it describing the test they want to run. CNC then runs it across all minions, gathers the response and then returns them to the user. Dependencies : mongodb (I might replace it with something lighter, or make it optional)

minion - This is the agent that runs at places where you want to debug from. It makes a TLS connection to CNC and waits for incoming test requests to be executed. Dependencies: mtr command (ubuntu: apt-get install mtr-tiny)

Build instructions

go get github.com/turbobytes/pulse
cd $GOPATH/src/github.com/turbobytes/pulse
go build cnc.go
go build minion.go

You can build these for any target supported by Go by manipulating GOOS and GOARCH. gccgo is not supported currently because it uses older Go versions. You might need to adapt the code for gccgo. We had success in running it on MIPS as proof of concept.

It is important that the CNC and minion are from the same release. If you are updating one of them then its crucial to update the other to avoid unexpected behaviour. They share data structures.

TLS PKI

CNC and minion use TLS to communicate with each other. Use your own CA to sign the certificates and minion and CNC trusts only this CA. The TLS setup was inspired by this blogpost.

Install EasyRSA

git clone https://github.com/OpenVPN/easy-rsa.git example-ca
chmod 700 example-ca
cd example-ca
rm -rf .git

Create CA

./easyrsa init-pki
Its important that you set a passphrase for your CA's private key

Create server cert

./easyrsa build-server-full localhost nopass
Replace localhost with the hostname of the server that runs the CNC.

Create minion certificate

./easyrsa build-client-full 'client0' nopass
Create one certificate for each minion instance. Replace 'client0' with some descriptive name. This is whats shown in the ui/api to indicate which agent ran the test.

Running Pulse

Its important that system times are correct. If not then TLS might not work correctly.

CNC

The CNC needs mongodb running on localhost. This requirement will be removed in future releases. Mongo is only used for storing metadata about minions.

usage : ./cnc -ca="/path/to/ca.crt" -crt="/path/to/server.crt" -key="/path/to/server.key"

Note: server.crt and server.key is the certificate/key generated using the build-server-full command.

Its important that all minions can reach port 7777 on the server, and all users can reach port 7778.

minion

usage : ./minion -ca="/path/to/ca.crt" -crt="/path/to/minion.crt" -key="/path/to/minion.key" -cnc="cnc.host.name:7777"

Note: minion.crt and minion.key is the certificate/key generated using the build-client-full command. cnc.host.name is the hostname of the CNC

Use one client certificate exclusive to one minion.

Using Pulse

Visit http://cnc.host.name:7778/agents/ for a listing of currently online agents.

http://cnc.host.name:7778/ contains a rough demo UI to run tests.

DNS test

API endpoint: /dns/ Method: POST Payload: Json object

Example :-

{
"Host": "example.com",
"QType": 1,
"Targets": ["8.8.8.8", "8.8.4.4"]
}

Host : The hostname we want to resolve QType : Dns query type Targets : The nameservers we want to query.

HTTP test

API endpoint: /curl/ Method: POST Payload: Json object

Example :-

{
"Path": "/foo/bar.jpg",
"Endpoint": "example.com",
"Host": "foobar.com",
"Ssl": false
}

Path : The URI to test Endpoint : The server to connect to. Host : The contents of the Host header. If blank then endpoint's value is used here. Ssl : Weather to talk SSL/TLS or plaintext.

The HTTP test makes a GET request to the target and once the headers come in, it terminates the connection without consuming the full body. This is by design so as to not consume too much bandwidth.

mtr/traceroute

mtr test is a wrapper around the mtr command.

API endpoint: /mtr/ Method: POST Payload: Json object

example :-

{
"Target": "example.com"
}

Target : The hostname/ip we want to trace to.

Download

More info:
TurboBytes pulse https://pulse.turbobytes.com/

by Malik korrich ~ lundi 8 juin 2015 0 commentaires

YASUO: A Ruby Script That Scans Vulnerable 3rd-Party Web Applications

YASUO: A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network.

While working on a network security assessment (internal, external, redteam gigs etc.), we often come across vulnerable 3rd-party web applications or web front-ends that allow us to compromise the remote server by exploiting publicly known vulnerabilities.

Some of the common & favorite applications are Apache Tomcat administrative interface, JBoss jmx-console, Hudson Jenkins and so on.

If you search through Exploit-db, there are over 10,000 remotely exploitable vulnerabilities that exist in tons of web applications/front-ends and could allow an attacker to completely compromise the back-end server. These vulnerabilities range from RCE to malicious file uploads to SQL injection to RFI/LFI etc.

Yasuo is built to quickly scan the network for such vulnerable applications thus serving pwnable targets on a silver platter.

Setup / Install

You would need to install the following gems:

gem install ruby-nmap net-http-persistent mechanize colorize text-table

Details

Yasuo provides following command-line options:

-r :: If you want Yasuo to perform port scan, use this switch to provide an IP address or IP range or an input file with new-line separated IP addresses

-s :: Provide custom signature file. [./yasuo.rb -s mysignatures.yaml -f nmap.xml] [Default - signatures.yaml]

-f :: If you do not want Yasuo to perform port scan and already have an nmap output in xml format, use this switch to feed the nmap output

-n :: Tells Yasuo to not ping the host while performing the port scan. Standard nmap option.

-p :: Use this switch to provide port number(s)/range

-A :: Use this switch to scan all the 65535 ports. Standard nmap option.

-b [all/form/basic] :: If the discovered application implements authentication, use this switch to brute-force the auth. "all" will brute-force both form & http basic auth. "form" will only brute-force form-based auth. "basic" will only brute-force http basic auth.

-t :: Specify maximum number of threads

-h :: Well, take a guess

Examples

./yasuo -r 127.0.0.1 -p 80,8080,443,8443 -b form

The above command will perform port scan against 127.0.0.1 on ports 80, 8080, 443 and 8443 and will brute-force login for all the applications that implement form-based authentication.

./yasuo -f my_nmap_output.xml -b all

The above command will parse the nmap output file "my_nmap_output.xml" and will brute-force login for all the applications that implement form-based and http basic authentication

Download

by Malik korrich ~ vendredi 5 juin 2015 0 commentaires

PunkSPIDER A Global Web Application Vulnerability Search Engine

PunkSPIDER a global web application vulnerability search engine. Deeper, faster, harder scans!

Its scan BSQLI, SLI XSS, TRAV, MXI, OSCI, XPATHI OR, AND vulnerabilities sections step by step.

About the company:
Its an small software development company focused on innovative research in a variety of areas. Our backgrounds are as hackers, pen testers, developers, engineers, security researchers and intel analysts. We spent some time in the infosec services world but we just aren't cut out for business suits and trade shows.

We search our website and found no vulnerability results!

Company Still 89,999,252 Sites Scanned and 3,377,131 Vulnerabilities found.

Visit: https://www.punkspider.org/ to find the web application vulnerability online.

by Malik korrich ~ 0 commentaires

Nmap Unveiled New Version 6.49 BETA1 Download Now

Nmap Unveiled New Version 6.49 BETA1 Download Now

Nmap 6.49 BETA1. This version has hundreds of improvements, including:

* 25 new NSE scripts (total is now 494)

* Integrated all of your latest OS detection and version/service detection submissions (including IPv6). This allows Nmap to properly identify Linux 3.18, Windows 8.1, OS X 10.10, Android 5, etc. We now have more than 10,000 service detection signatures!

* Many bug fixes, some performance improvements, and new ASCII art for anyone tired of the compile-time dragon! The dragon is still there and comes out 1/3 of the time.

Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

Nmap 6.49 BETA1 source code and binary packages for Linux, Windows, and Mac are available for free download from:

https://nmap.org/download.html

by Malik korrich ~ jeudi 4 juin 2015 0 commentaires

Router Exploitation Toolkit - REXT

Router Exploitation Toolkit - REXT
Small toolkit for easy creation and usage of various python scripts that work with embedded devices.

core - contains most of toolkits basic functions
databases - contains databases, like default credentials etc.
interface - contains code that is being used for the creation and manipulation with interface
modules - contains structure of modules, that can be loaded, every module contains vendor specific sub-modules where scripts are stored.

decryptors
exploits
harvesters
misc
scanners

output - output goes here
This is still heavy work-in progress

Requirements
Trying to keep the requirements minimal:

httplib2

License
This software is licensed under GNU GPL v3.

Download

by Malik korrich ~ mercredi 3 juin 2015 0 commentaires

The PenTesters Framework (PTF) Written In Python by TrustedSec

The PenTesters Framework (PTF) Written In Python by TrustedSec.

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu based distributions to create a similar and familiar distribution for Penetration Testing.

As pentesters, we've been accustom to the /pentest/ directories or our own tool sets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used.

PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.

The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minute.

Instructions:
First check out the config/ptf.config file which contains the base location of where to install everything. By default this will install in the /pentest directory. Once you have that configured, move to running PTF by typing ./ptf (or python ptf).

This will put you in a Metasploitesk type shell which has a similar look and feel for consistency. Show modules, use , etc. are all accepted commands. First things first, always type help or ? to see a full list of commands.

Update EVERYTHING!

If you want to install and/or update everything, simply do the following:

./ptf

use modules/install_update_all

run

This will install all of the tools inside of PTF. If they are already installed, this will iterate through and update everything for you automatically.

You can also show options to change information about the modules.

Modules:
First, head over to the modules/ directory, inside of there are sub directories based on the Penetration Testing Execution Standard (PTES) phases. Go into those phases and look at the different modules. As soon as you add a new one, for example testing.py, it will automatically be imported next time you launch PTF. There are a few key components when looking at a module that must be completed.

Below is a sample module

AUTHOR="David Kennedy (ReL1K)"

DESCRIPTION="This module will install/update the Browser Exploitation Framework (BeEF)"

INSTALL_TYPE="GIT"

REPOSITORY_LOCATION="https://github.com/beefproject/beef"

INSTALL_LOCATION="beef"

DEBIAN="ruby1.9.3,sqlite3,ruby-sqlite3"

AFTER_COMMANDS="cd {INSTALL_LOCATION},ruby install-beef,exit"

Module Development:

All of the fields are pretty easy, on the repository locations, right now all thats supported is GIT. The plan in the next release is to expand to file downloader. This can still be accomplished through after commands (explained later). Fill in the depends, and where you want the install location to be. PTF will take where the python file is located (for example exploitation) and move it to what you specify in the PTF config (located under config). By default it installs all your tools to /pentest//

Note in modules, you can specify after commands {INSTALL_LOCATION}. This will append where you want the install location to go when using after commands.

After Commands:

After commands are commands that you can insert after an installation. This could be switching to a directory and kicking off additional commands to finish the installation. For example in the BEEF scenario, you need to run ruby install-beef afterwards. Below is an example of after commands using the {INSTALL_LOCATION} flag.

AFTER_COMMANDS="cp config/dict/rockyou.txt {INSTALL_LOCATION}"

For AFTER_COMMANDS that do self install (don't need user interaction) - place an exit after your commands so it exits the shell.

TODO:
Add ability to support SVN, and FILE download.
Support other operating systems aside from Kali, Ubuntu, Debian

A TrustedSec Project - Copyright 2015

Written by: David Kennedy (@HackingDave)

Website: https://www.trustedsec.com

Download

by Malik korrich ~ jeudi 28 mai 2015 0 commentaires