Affichage des articles dont le libellé est Monitor. Afficher tous les articles
Affichage des articles dont le libellé est Monitor. Afficher tous les articles

How To Detecting DDoS Attack?


How To Detecting DDoS Attack?

It's very important to have a single pane of glass where you can visualize all of the elements to help diagnose issues and detect DDoS attacks.

Bob Pierpoint, Director of Customer Experience at SevOne, shares how to effectively detect DDoS attacks. It's very important to have a single pane of glass where you can visualize all of the elements that make up your DMZ and your internet facing infrastructure to help diagnose issues and detect DDoS attacks


Offered Free by: SevOne

FREE Download
Read more

by Malik korrich ~ dimanche 8 novembre 2015 0 commentaires

GitHub Announces To Support Universal 2nd Factor Authentication



GitHub Announces To Support Universal 2nd Factor Authentication (U2F) 
A rapidly growing open authentication standard!

When you insert them, these physical USB keys automatically generates a second-factor code. And you don't even enter a Six-digit code from Google Authentication and similar Apps. GitHub announced that its partnership with Yubico.

Two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a security code.

The FIDO U2F Security Key by Yubico is a specially designed YubiKey, relying on high-security, public-key cryptography. U2F is built to protect against phishing and man-in-the-middle attacks, allowing one U2F authenticator to access any number of services without any shared secrets.

What is U2F — FIDO UNIVERSAL 2ND FACTOR

U2F is an open authentication standard that enables internet users  to securely access any number of online services, with one single device, instantly and with no drivers or client software needed.

U2F was created by Google and Yubico, with contribution from NXP, and is today hosted by the open-authentication industry consortium FIDO Alliance.



U2F is used with USB devices, including YubiKeys, as one of many authentication methods

In order to take advantage of the security improvements provided by U2F, you'll need to purchase a hardware key. You can purchase the U2F key of your choice from a range of vendors. GitHub are partnering with Yubico, inventor of the YubiKey, co-creator of the U2F protocol, and a leading provider of U2F authenticators.

Together with Yubico we are offering discounts to GitHub users for a limited time through a special offer page where you will verify your GitHub account and place your order:

  • While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available).
  • After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.
  • In addition, all students who are eligible for the Student Developer Pack will receive a 20% discount on any U2F-certified YubiKey.
Read more

by Malik korrich ~ vendredi 2 octobre 2015 0 commentaires

How To Test Security in IPv4 and IPv6 Data Networks?


How To Test Security in IPv4 and IPv6 Data Networks ?

Evil Foca is a tool for security pentesters and auditors whose purpose it is to test security in IPv4 and IPv6 data networks. 

Compared to IPv4 address space is 32 bits which resulting 4 billion addresses.IPv6 offers larger address space. Its addresses are 128 bits long, resulting in an address space of 340 undecillion addresses.


In addition, IPv6 provides other technical benefits, particularly, it permits hierarchical address allocation methods that facilitate route aggregation across the Internet, and thus limit the expansion of routing tables. The use of multicast addressing is expanded and simplified, and provides additional optimization for the delivery of services. Device mobility, security, and configuration aspects have been considered in the design of the protocol.

The tool is capable of carrying out various attacks such as:


  • MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
  • MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
  • DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
  • DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
  • DNS Hijacking.


The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

Man In The Middle (MITM) attack

The well-known “Man In The Middle” is an attack in which the wrongdoer creates the possibility of reading, adding, or modifying information that is located in a channel between two terminals with neither of these noticing. Within the MITM attacks in IPv4 and IPv6 Evil Foca considers the following techniques:

ARP Spoofing: Consists in sending ARP messages to the Ethernet network. Normally the objective is to associate the MAC address of the attacker with the IP of another device. Any traffic directed to the IP address of the predetermined link gate will be erroneously sent to the attacker instead of its real destination.

DHCP ACK Injection: Consists in an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify its behavior. Evil Foca converts the machine in a fake DHCP server on the network.

Neighbor Advertisement Spoofing: The principle of this attack is identical to that of ARP Spoofing, with the difference being in that IPv6 doesn’t work with the ARP protocol, but that all information is sent through ICMPv6 packets. There are five types of ICMPv6 packets used in the discovery protocol and Evil Foca generates this type of packets, placing itself between the gateway and victim.

SLAAC attack: The objective of this type of attack is to be able to execute an MITM when a user connects to Internet and to a server that does not include support for IPv6 and to which it is therefore necessary to connect using IPv4. This attack is possible due to the fact that Evil Foca undertakes domain name resolution once it is in the communication media, and is capable of transforming IPv4 addresses in IPv6.

Fake DHCPv6 server: This attack involves the attacker posing as the DCHPv6 server, responding to all network requests, distributing IPv6 addresses and a false DNS to manipulate the user destination or deny the service.

Denial of Service (DoS) attack: The DoS attack is an attack to a system of machines or network that results in a service or resource being inaccessible for its users. Normally it provokes the loss of network connectivity due to consumption of the bandwidth of the victim’s network, or overloads the computing resources of the victim’s system.

DoS attack in IPv4 with ARP Spoofing: This type of DoS attack consists in associating a nonexistent MAC address in a victim’s ARP table. This results in rendering the machine whose ARP table has been modified incapable of connecting to the IP address associated to the nonexistent MAC.
DoS attack in IPv6 with SLAAC attack: In this type of attack a large quantity of “router advertisement” packets are generated, destined to one or several machines, announcing false routers and assigning a different IPv6 address and link gate for each router, collapsing the system and making machines unresponsive.

DNS Hijacking: The DNS Hijacking attack or DNS kidnapping consists in altering the resolution of the domain names system (DNS). This can be achieved using malware that invalidates the configuration of a TCP/IP machine so that it points to a pirate DNS server under the attacker’s control, or by way of an MITM attack, with the attacker being the party who receives the DNS requests, and responding himself or herself to a specific DNS request to direct the victim toward a specific destination selected by the attacker.

Download
Read more

by Malik korrich ~ mardi 29 septembre 2015 0 commentaires

How To Detect Potentially Malicious PHP Files


How To Detect Potentially Malicious PHP Files ?

Here is the tool called PHP-malware-finder by nbs-system


What does it detect?

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.

The following list of encoders/obfuscators/webshells are also detected:

  • Best PHP Obfuscator
  • Carbylamine
  • Cipher Design
  • Cyklodev
  • Joes Web Tools Obfuscator
  • Php Obfuscator Encode
  • SpinObf
  • Weevely3
  • atomiku
  • cobra obfuscator
  • phpencode
  • webtoolsvn

How does it work?

Detection is performed by crawling the filesystem and testing files against a set of YARA rules. Yes, it's that simple!

How to use it?

$ ./phpmalwarefinder -h
Usage phpmalwarefinder [-cfhw] ...
    -c  Optional path to a configuration file
    -f  Fast mode
    -h  Show this help message
    -v  Verbose mode

Or if you prefer to use yara:

$ yara -r ./malwares.yara /var/www

Download
Read more

by Malik korrich ~ jeudi 24 septembre 2015 0 commentaires

Toxy: Hackable HTTP Proxy To Simulate Server Failure Scenarios And Unexpected Network Conditions


Toxy: Hackable HTTP Proxy To Simulate Server Failure Scenarios And Unexpected Network Conditions

toxy is a fully programmatic and hackable HTTP proxy to simulate server failure scenarios and unexpected network conditions, built for node.js/io.js.

It was mainly designed for fuzzing/evil testing purposes, when toxy becomes particularly useful to cover fault tolerance and resiliency capabilities of a system, especially in service-oriented architectures, where toxy may act as intermediate proxy among services.

toxy allows you to plug in poisons, optionally filtered by rules, which essentially can intercept and alter the HTTP flow as you need, performing multiple evil actions in the middle of that process, such as limiting the bandwidth, delaying TCP packets, injecting network jitter latency or replying with a custom error or status code.

toxy can be fluently used programmatically or via HTTP API. It's compatible with connect/express, and it was built on top of rocky, a full-featured middleware-oriented HTTP proxy.

Requires node.js +0.12 or io.js +1.6


Why toxy?

There're some other similar solutions like toxy in the market, but most of them do not provide a proper programmatic control and usually are not easy to hack, configure and/or extend. Additionally, most of the those solutions only operate at TCP level stack instead of providing high-level abstraction to cover common requirements of the specific domain and nature of the HTTP protocol, like toxy does.

toxy provides a powerful hackable and extensible solution with a convenient abstraction, but also a low-level interface and programmatic capabilities exposed as a simple, concise and fluent API, with the implicit power, simplicity and fun of node.js.

Concepts

toxy introduces two core directives that you can plug in the proxy and should knowing before using: poisons and rules.

Poisons are the specific logic to infect an incoming or outgoing HTTP flow (e.g: injecting a latency, replying with an error). HTTP flow can be poisoned by one or multiple poisons, and poisons can be plugged to infect both global or route level incoming traffic.

Rules are a kind of validation filters that can be reused and applied to global incoming HTTP traffic, route level traffic or into a specific poison. Their responsability is to determine, via inspecting each incoming HTTP request, if the registered poisons should be enabled or not, and therefore infecting or not the HTTP traffic (e.g: match headers, query params, method, body...).

How it works

↓   ( Incoming request )  ↓
↓           |||           ↓
↓     ----------------    ↓
↓     |  Toxy Router |    ↓ --> Match the incoming request
↓     ----------------    ↓
↓           |||           ↓
↓     ----------------    ↓
↓     |  Exec Rules  |    ↓ --> Apply configured rules for the request
↓     ----------------    ↓
↓           |||           ↓
↓     ----------------    ↓
↓     | Exec Poisons |    ↓ --> If all rules passed, then poison the HTTP flow
↓     ----------------    ↓
↓        /       \        ↓
↓        \       /        ↓
↓   -------------------   ↓
↓   | HTTP dispatcher |   ↓ --> Proxy the HTTP traffic, either poisoned or not
↓   -------------------   ↓


Installation

npm install toxy


Download
Read more

by Malik korrich ~ vendredi 28 août 2015 0 commentaires

SONAR: A Framework For Identifying And Launching Exploits Against Internal Network Hosts


SONAR: A Framework For Identifying And Launching Exploits Against Internal Network Hosts

Works via WebRTC IP scanning combined with external resource fingerprinting.

How does it work?

Upon loading the sonar payload in a modern web browser the following will happen:
  • sonar will use WebRTC to scan the internal network for live hosts.
  • If a live host is found, sonar begins to attempt to fingerprint the host by linking to it via and and hooking the onload event. If the expected resources load successfully it will trigger the pre-set JavaScript callback to start the user-supplied exploit.
  • If the user changes networks, sonar starts the process all over again on the newly joined network.

Fingerprints

Sonar works off of a database of fingerprints. A fingerprint is simply a list of known resources on a device that can be linked to and detected via onload. Examples of this include images, CSS stylesheets, and even external JavaScript.

An example fingerprint database can be seen below:

var fingerprints = [
    {
        'name': "ASUS RT-N66U",
        'fingerprints': ["/images/New_ui/asustitle.png","/images/loading.gif","/images/alertImg.png","/images/New_ui/networkmap/line_one.png","/images/New_ui/networkmap/lock.png","/images/New_ui/networkmap/line_two.png","/index_style.css","/form_style.css","/NM_style.css","/other.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
    {
        'name': "Linksys WRT54G",
        'fingerprints': ["/UILinksys.gif","/UI_10.gif","/UI_07.gif","/UI_06.gif","/UI_03.gif","/UI_02.gif","/UI_Cisco.gif","/style.css"],
        'callback': function( ip ) {
            // Insert exploit here
        },
    },
]

The above database contains fingerprints for two devices, the ASUS RT-N66U WiFi router and the Linksys WRT54G WiFi router.

Each database entry has the following:

  • name: A field to identify what device the fingerprint is for. This could be something like HP Officejet 4500 printer or Linksys WRT54G Router.
  • fingerprints: This is an array of relative links to resources such as CSS stylesheets, images, or even JavaScript files. If you expect these resources to be on a non-standard port such as 8080, set the resource with the port included: :8080/unique.css. Keep in mind using external resources with active content such as JavaScript is dangerous as it can interrupt the regular flow of execution.
  • callback: If all of these resources are found to exist on the enumerated host then the callback function is called with a single argument of the device's IP address.
  • By creating your own fingerprints you can build custom exploits that will be launched against internal devices once they are detected by sonar. Common exploits include things such as Cross-site Request Forgery (CSRF), Cross-site Scripting (XSS), etc. The idea being that you can use these vulnerabilities to do things such as modifying router DNS configurations, dumping files from an internal fileserver, and more.

For an easier way to create fingerprints, see the following Chrome extension which generates fingerprint template code automatically for the page you're on:

Click Here to Install Chrome Extension



What can be done using sonar?

By using sonar a pentesting team can build web exploits against things such as internal logging servers, routers, printers, VOIP phones, and more. Due to internal networks often being less guarded, attacks such as CSRF and XSS can be powerful to take over the configurations of devices on a hosts internal network.

Download
Read more

by Malik korrich ~ lundi 24 août 2015 0 commentaires

BinNavi A Binary Analysis IDE To Control Disassembled Code


BinNavi: A Binary Analysis IDE To Control Disassembled Code

BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.

BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.

Complications from a third-party dependency
BinNavi uses a commercial third-party graph visualisation library (yFiles) for displaying and laying out graphs. This library is immensely powerful, and not easily replaceable.

In order to perform direct development using yFiles, you need a developer license for it. At the same time, we want the community to be able to contribute to BinNavi without needing a commercial yFiles license. In order to do this and conform to the yFiles license, all interfaces to yFiles need to be properly obfuscated.

In order to achieve this, we did the following:

1) BinNavi and all the libraries have been split into two: The parts of the project that directly depend on yFiles were split into subpackages called "yfileswrap":

com.google.security.zynamics.binnavi
com.google.security.zynamics.binnavi.yfileswrap
com.google.security.zynamics.zylib
com.google.security.zynamics.zylib.yfileswrap
com.google.security.zynamics.reil
com.google.security.zynamics.reil.yfileswrap

We are distributing a pre-built JAR file with all the code in the "yfileswrap" subpackages - pre-linked and obfuscated against yFiles. If you wish to change or add code in BinNavi and do not have a yFiles license, you can freely do pretty much whatever you want in the non-yfileswrap packages - you can simply put the lib/yfileswrap-obfuscated.jar into your classpath to test and see the results.

If you wish to make changes to the "yfileswrap" subdirectories, please be aware that you will need a valid yFiles license - and any contribution that you make to the BinNavi project has to honor their license agreement. This means that you can't simply expose their inner APIs under different names etc.

We will enforce this - we're very happy to have found a way to open-source BinNavi with the yFiles dependency, and we will make sure that any code we pull in respects the yFiles license.

Building BinNavi from scratch
BinNavi uses Maven for its dependency management, but not for the actual build yet. To build from scratch use these commands:

mvn dependency:copy-dependencies
ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar

Running BinNavi for the first time
Please be aware that BinNavi makes use of a central PostgreSQL database for storing disassemblies/comments/traces - so you need to have such an instance running somewhere accessible to you. You can build/launch BinNavi as follows:

ant -f src/main/java/com/google/security/zynamics/build.xml \
  build-binnavi-fat-jar
java -jar target/binnavi-all.jar


Loading the project into Eclipse

Loading the code into Eclipse for further development requires a little bit of configuration.

  1. Download the dependencies (as described above) and make sure you have a Java SDK with 1.8 language compliance installed.
  2. Create a new "Java Project From Existing Ant Buildfile" and use the file src/main/java/com/google/security/zynamics/build.xml
  3. Select '"javac" task found in target "build-binnavi-jar"
  4. Open the "Project Properties" dialog.
  5. Edit the source folders to have the following properties:
  6. Linked Folder Location: $SRCDIR/src/main/java
  7. Folder Name: java
  8. Click on "Next"
  9. Add binnavi/yfileswrap, zylib/yfileswrap, and reil/yfileswrap to the list of directories to exclude.
  10. Go to Run->Debug Configurations, select "Java Application" and then search for "CMain".
  11. You should be ready to go from here.

Exporting disassemblies from IDA
As part of this project, we are distributing a binary-only (sorry!) IDA pro plugin that exports disassemblies from IDA into the Postgresql database format that BinNavi requires. When running BinNavi, simply configure the right path for IDA, click on the "install plugin" button if necessary -- you should now be able to import disassemblies.

Using other disassemblers than IDA
Right now, we only have the IDA export plugin - but we are hoping very much that someone will help us build export functionality for other disassemblers in the near future.

website: http://www.zynamics.com/binnavi.html

Download
Read more

by Malik korrich ~ jeudi 20 août 2015 0 commentaires

SniffLab: Setup Your Own MITM, Packet Sniffing WiFi Access Point


Setting up a SNIFFLAB
Scripts to create your own MITM'ing, packet sniffing WiFi access point.

Firewall rules on DD-WRT router to send traffic to MITM proxy box

Make sure the network interface (vlan1 here) is correct.

PROXYIP=your.proxy.ip
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s $PROXYIP
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443
ip rule add fwmark 3 table 2
ip route add default via $PROXYIP dev vlan1 table 2

PCAP machine scripts

/etc/network/interfaces

auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

auto bond0
iface bond0 inet dhcp
bond-mode 3
bond-miimon 100
slaves eth0 eth1
/etc/wpa_supplicant/wpa_supplicant.conf

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
        ssid=""
        psk=hashofyourpassword
        proto=RSN
        key_mgmt=WPA-PSK
        pairwise=TKIP
        auth_alg=OPEN
}

Getting the network running correctly on boot

/etc/init.d/network.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides:     network.sh
# Short-Description:    Ensure WiFi as well as Ethernet interfaces are up
# Description:
# Default-Start:    2 3 4 5
# Default-Stop:     0 1 6
# Required-Start:   $remote_fs $syslog
# Required-Stop:    $remote_fs $syslog
### END INIT INFO
sudo ifplugd eth0 --kill
sudo ifup wlan0
sudo ifup eth0
sudo ifup eth1
sudo ifconfig eth1 promisc
sudo ifconfig eth0 promisc
exit 0

Start capturing packets on startup -- create a sniffer service

/etc/init/sniffer.conf

#sniffer.conf
start on runlevel [2345]
stop on runlevel [016]

script
    cd /home/pi/snifflab
    exec python sniffer.py -i bond0 -s 100 -t 1200
end script

MITM proxy service

mitm.conf

start on filesystem

script
    sudo iptables -A PREROUTING -t nat -i em1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 4567
    SSLKEYLOGFILE=/var/log/mitmkeys.log
    export SSLKEYLOGFILE
    echo "MITM Keys being logged here: $SSLKEYLOGFILE"
    exec mitmdump -T --host --conf=/etc/mitmproxy/common.conf
end script

Script to backup pcaps to local machine

#!/bin/bash
remote_server=yourservername
pcap_dir=/pcaps
keylogfile=/var/log/mitmkeys.log
local_dir=~/Documents/snifflab

rsync -a "$remote_server":$pcap_dir $local_dir
scp "$remote_server":$keylogfile $local_dir

Download
Read more

by Malik korrich ~ lundi 17 août 2015 0 commentaires

NetRipper - Smart Traffic Sniffing For Penetration Testers


NetRipper - Smart Traffic Sniffing For Penetration Testers

Description
NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.

NetRipper was released at Defcon 23, Las Vegas, Nevada.

Abstract
The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

Tested applications
NetRipper should be able to capture network traffic from: Putty, WinSCP, SQL Server Management Studio, Lync (Skype for Business), Microsoft Outlook, Google Chrome, Mozilla Firefox. The list is not limited to these applications but other tools may require special support.

Components
NetRipper.exe - Configures and inject the DLL
DLL.dll       - Injected DLL, hook APIs and save data to files
netripper.rb  - Metasploit post-exploitation module

Command line
Injection: NetRipper.exe DLLpath.dll processname.exe  
Example:   NetRipper.exe DLL.dll firefox.exe

Generate DLL:

  -h,  --help          Print this help message
  -w,  --write         Full path for the DLL to write the configuration data
  -l,  --location      Full path where to save data files (default TEMP)

Plugins:

   -p,  --plaintext     Capture only plain-text data. E.g. true  
 -d,  --datalimit     Limit capture size per request. E.g. 4096  
 -s,  --stringfinder  Find specific strings. E.g. user,pass,config  

Example:
NetRipper.exe -w DLL.dll -l TEMP -p true -d 4096 -s user,pass  

Metasploit module

msf > use post/windows/gather/netripper 
msf post(netripper) > show options

Module options (post/windows/gather/netripper):

   Name          Current Setting                  Required  Description
   ----          ---------------                  --------  -----------
   DATALIMIT     4096                             no        The number of bytes to save from requests/responses
   DATAPATH      TEMP                             no        Where to save files. E.g. C:\Windows\Temp or TEMP
   PLAINTEXT     true                             no        True to save only plain-text data
   PROCESSIDS                                     no        Process IDs. E.g. 1244,1256
   PROCESSNAMES                                   no        Process names. E.g. firefox.exe,chrome.exe
   SESSION                                        yes       The session to run this module on.
   STRINGFINDER  user,login,pass,database,config  no        Search for specific strings in captured data

Set PROCESSNAMES and run.

Metasploit installation (Kali)
  • cp netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper.rb
  • mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
  • g++ -Wall netripper.cpp -o netripper
  • cp netripper /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper
  • cd ../Release
  • cp DLL.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.dll
  • Plugins
  • PlainText - Allows to capture only plain-text data
  • DataLimit - Save only first bytes of requests and responses
  • Stringinder - Find specific string in network traffic

To do
  • Support multiple applications
  • Support for x64 processes
  • Thread-safe API hooking
  • Monitor loading of DLLs and new processes

Author
Ionut Popescu, Senior Security Consultant at KPMG Romania

Read more

by Malik korrich ~ vendredi 14 août 2015 0 commentaires

PortDog: Port Scanning Tool In Python


PortDog: Port Scanning Tool In Python

PortDog is a network anomaly detector aimed to detect port scanning techniques. It is entirely written in python and has easy-to-use interface. 

It was tested on Ubuntu 15. Please note that, it is not working on Windows OS due to suffering from capturing RAW packets.I am working on to write this script to work both platforms. In future , I'm thinking about adding firewall options that could block malicious attempts. It is using Raw packets for analysis. For this reason, please ensure that you have run this script from privileged session.


Usage:

sudo python portdog.py -t time_for_sniff_in_minutes

For example, if you want to detect for 5 minutes use:

sudo python portdog.py -t 5

For infinite detection use:

sudo python portdog.py -t 0

If you want to get list of scanned ports , press CTRL+C to get port list at runtime (If scan was happened).


Download
Read more

by Malik korrich ~ 0 commentaires

FruityWifi: The Open Source Tool To Audit Wireless Networks


FruityWifi: The Open Source Tool To Audit Wireless Networks

It allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it. 

Rhe application can be installed in any Debian based system adding the extra packages. Tested in Debian, Kali Linux, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi), Pwnpi (Raspberry Pi), Bugtraq.


What’s New

With the new version, it is possible to install external modules. This functionality gives the user more flexibility and the FruityWifi can be customized. The modules can be added or removed anytime using the on-line repository.

A more flexible control panel. Now it is possible to use FruityWifi combining multiple networks and setups:

Ethernet <--> Ethernet,
Ethernet <--> 3G/4G,
Ethernet <--> Wifi,
Wifi <--> Wifi,
Wifi <--> 3G/4G, etc.


Within the new options on the control panel we can change the AP mode between Hostapd or Airmon-ng allowing to use more chipsets like Realtek.

It is possible customize each one of the network interfaces which allows the user to keep the current setup or change it completely.


Features:

FruityWifi is based on modules making it more flexible. These modules can be installed from the control panel to provide FruityWifi with new functionalities.
  • Hostapd Karma
  • URLsnarf
  • DNSspoof
  • Kismet
  • Squid (code injection capabilities)
  • SSLstrip (code injection capabilities)
  • nmap
  • mdk3
  • ngrep
  • Captive Portal
  • Nessus
  • Ettercap
  • Tcpdump
  • AutoSSH
  • Supplicant
  • 3G/4G

Video:


Read more

by Malik korrich ~ mercredi 12 août 2015 0 commentaires

BetterCap: A New MITM Framework Tool


BetterCap A New MITM Tool And Framework Tool

Bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.

How to install ?

Stable Release ( GEM )

gem install bettercap

From Source

git clone https://github.com/evilsocket/bettercap
cd bettercap
gem build bettercap.gemspec
sudo gem install bettercap*.gem

DEPENDS
All dependencies will be automatically installed through the GEM system, in some case you might need to install some system dependency in order to make everything work:

sudo apt-get install ruby-dev libpcap-dev



Read more: Bettercap
Read more

by Malik korrich ~ mardi 4 août 2015 0 commentaires

Oops! New Microsoft Windows 10 Is Spying On You


Oops! New Microsoft Windows 10 Is Spying On You
Did You Know ? I think not .

You are happy to see that Windows 10 officially launched and you get a new Windows with attractive, stylish graphics. But wait..

By downloading and introducing Windows 10, you give Microsoft exceptionally to gather things you do, allow to access your data.

Microsoft will synchronize your settings by default with its servers. This would be included your program history, website surfing, hotspot and Wi-Fi network names passwords

Today i am telling you about its Privacy policy, where we easily tick this notification without read. I just pick some point out which is very necessary to know about it as below.


Microsoft can unveil your data:
This is the part you ought to be most worried about. Microsoft's new security approach allocates is free regarding the matter of when it will or won't get to and unveil your own information.


How Microsoft Windows 10 Is Spying On YOU?

We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to.

By Turning on Cortana:

To enable Cortana to provide personalized experiences and relevant suggestions, Microsoft collects and uses various types of data, such as your device location, data from your calendar, the apps you use, data from your emails and text messages, who you call, your contacts and how often you interact with them on your device.
Cortana also learns about you by collecting data about how you use your device and other Microsoft services, such as your music, alarm settings, whether the lock screen is on, what you view and purchase, your browse and Bing search history, and more.”


Advertisers knows Who you are:
Windows 10 creates an one of a kind promoting ID for every client on system. That can be utilized by developers and Ad networks. But you can turn it off this service, however you have to know where to look.

These new policies take impact on 1 August and there are a couple unsettling things to settling in there that you ought to be pondering in case you're in the Business organization's.

How can we Turn off these settings?

To turn this off Go into the Setting menu > Privacy> general > Change privacy option.


Microsoft spokesperson talked with Business Insider and said,

"To effectively provide Windows as a service, Microsoft collects some performance, diagnostic and usage information that helps keep Windows and apps running properly," said the spokesperson.

"Microsoft does not sell this data or use it for advertising purposes. We give a select number of Microsoft employees and third party engineers access to select portions of the information to repair or improve Microsoft products and services."

Read all privacy statement of Windows 10

Also Watch >>  Microsoft Windows 10 Bugs Fixed After Official Released
Read more

by Malik korrich ~ samedi 1 août 2015 0 commentaires

Inveigh: A Windows PowerShell LLMNR/NBNS Spoofer With Challenge/Response Capture Over HTTP/SMB




Inveigh: A Windows PowerShell LLMNR/NBNS Spoofer With Challenge/Response Capture Over HTTP/SMB.

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system.

This can commonly occur while performing phishing attacks, USB drive attacks, VLAN pivoting, or simply being restricted to a Windows system as part of client imposed restrictions.

Notes

  1. Currently supports IPv4 LLMNR/NBNS spoofing and HTTP/SMB NTLMv1/NTLMv2 challenge/response capture.
  2. LLMNR/NBNS spoofing is performed through sniffing and sending with raw sockets.
  3. SMB challenge/response captures are performed by sniffing over the host system's SMB service.
  4. HTTP challenge/response captures are performed with a dedicated listener.
  5. The local LLMNR/NBNS services do not need to be disabled on the host system.
  6. LLMNR/NBNS spoofer will point victims to host system's SMB service, keep account lockout scenarios in mind.
  7. Kerberos should downgrade for SMB authentication due to spoofed hostnames not being valid in DNS.
  8. Ensure that the LMMNR,NBNS,SMB,HTTP ports are open within any local firewall on the host system.
  9. Output files will be created in current working directory.
  10. If you copy/paste challenge/response captures from output window for password cracking, remove carriage returns.


Usage
Obtain an elevated administrator or SYSTEM shell. If necessary, use a method to bypass script execution policy.

To execute with default settings:
Inveigh.ps1 -i localip

To execute with features enabled/disabled:
Inveigh.ps1 -i localip -LLMNR Y/N -NBNS Y/N -HTTP Y/N -HTTPS Y/N -SMB Y/N -Repeat Y/N -ForceWPADAuth Y/N


Download


Read more

by Malik korrich ~ jeudi 30 juillet 2015 0 commentaires

Smashing The Browser: From Vulnerability Discovery To Exploit Development



Smashing The Browser: From Vulnerability Discovery To Exploit Development.

Part 1: Browser Fuzzing Technology

This part will first introduce a fuzzer framework (StateFuzzer) developed by myself as well as the fuzzing strategies behind it. Then conclude some effective fuzzing ideas and related vulnerabilities based on results of the fuzzer.

Part 2: Advance Browser Exploitation Techniques

This part will first brief introduce the security model of modern browsers as well as the combat between exploit and mitigation. Then introduce all kinds of heap management mechanisms and their defects together with some exploit-friendly data structures of Google Chrome and IE 11. After that, analyze the advance exploit technologies of these two browsers, including two new exploitation techniques, one of which is not limited by sandbox (Demo). Finally conclude the dilemmas of Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and Sandbox.

Part 3: IE 11 0day Exploit Development

After taking one of my IE 11 UAF vulnerabilities from StateFuzzer, I will share the whole exploit developing experience from the vulnerability trigger to arbitrary code execution, together with all related technologies and skills (Demo).

At last, I will bring a special, interesting and undisclosed IE 11 0day (not affected by isolated heap and protected free).

Download

Read more

by Malik korrich ~ samedi 25 juillet 2015 0 commentaires

Snitch: A Tool For Information Gathering Via Dorks


Snitch: A Tool For Information Gathering Via Dorks.

Snitch is a tool which automate information gathering process for specified domain. Using build-in dork categories, this tool helps gather specified information's domain which can be found using web search engines. It can be quite useful in early phases of pentest.


devil@hell:~/snitch$ python snitch.py
                       _ __       __  
           _________  (_) /______/ /_ 
          / ___/ __ \/ / __/ ___/ __ \ 
         (__  ) / / / / /_/ /__/ / / /
        /____/_/ /_/_/\__/\___/_/ /_/ ~0.3   

Usage: snitch.py [options]

Options:

  -h, --help            show this help message and exit
  -U [url], --url=[url]
                        domain(s) or domain extension(s) separated by comma*
  -D [type], --dork=[type]
                        dork type(s) separated by comma*
  -C [dork], --custom=[dork]
                        custom dork*
  -O [file], --output=[file]
                        output file
  -S [ip:port], --socks=[ip:port]
                        socks5 proxy
  -I [seconds], --interval=[seconds]
                        interval between requests, 2s by default
  -P [pages], --pages=[pages]
                        pages to retrieve, 10 by default
  -v                    turn on verbosity


 Dork types:

  •   info   Information leak & Potential web bugs
  •   ext    Sensitive extensions
  •   docs   Documents & Messages
  •   files  Files & Directories
  •   soft   Web software
  •   all    All


Download
Read more

by Malik korrich ~ vendredi 17 juillet 2015 0 commentaires

The Wind: Man In The Middle (MITM) Attack Tool




The Wind: Man In The Middle (MITM) Attack Tool.
To do man in the middle attacks on multiple application layer protocols. 

What is MITM Attack?
A man-in-the-middle (MITM) attack is a form of eavesdropping where communication between two users is monitored and modified by an unauthorized party. Its intercepts a communication between two systems.

For now, it only supports SSL protocol.



Feature

  • SSL Freak Attack


Installation

1) mv ssl_tls.py to ./scapy/layers

2) modify ./scapy/config.py to autoload ssl_tls layer

    config.py::Conf::load_layers 
    375,376c375
    <                    "sebek", "skinny", "smb", "snmp", "tftp", "x509", "bluetooth", "dhcp6", "llmnr", "sctp", "vrrp",
    <                    "ssl_tls", ]
    ---
    >                    "sebek", "skinny", "smb", "snmp", "tftp", "x509", "bluetooth", "dhcp6", "llmnr", "sctp", "vrrp"]

Usage


  • redirect traffic to port 8888: iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8888 Or rdr on xxiface inet proto tcp from xxx.xxx.xxx.xxx/xx to any port = 443 -> 127.0.0.1 port 8888
  • edit wind.py to import the right file, for example, add import freak to launch the SSL FREAK attack
  • you can write your own module to implement a specific ssl attack, the compulsory funtions you need to supply are those in forward.py
  • if man in the middle wants to connect to another server, set use OrinAddr = False, then set ip, port
  • set doProcess = True to make the process functions take effect.



Read more

by Malik korrich ~ samedi 11 juillet 2015 0 commentaires

q-shell - Unix Remote Login And Rootkit Shell Tool



q-shell - Unix Remote Login And Rootkit Shell Tool. 
Quick Shell for Unix administrator!

q-shell is quick shell for remote login into Unix system, it use blowfish crypt algorithm to protect transport data from client to server, you can get two program: 'qsh' for client, and 'qshd' for server, those program can rename by any name with you prefer.

Compile

Just enter 'make' and it will automation to compile, but, you must input the server key.

Usage

1. Server:

Just run qshd on server:

   $ ./qshd

But, you would like to run after change it to other name, such as:

   $ mv qshd smbd
   $ export PATH=.:$PATH
   $ smbd

2. Client:

Set some environment variable, then run qsh:

  $ export _IP=127.0.0.1
  $ export _PORT=2800
  $ unset _P
  $ ./qsh shell

Now you already login into server $_IP .

More function

1. q-shell include more function to manage system:

put/get files:

$ ./qsh get /path/to/server/file .
$ ./qsh put /path/to/local/file  /path/to/server/file

2. Run a command on server:

$ ./qsh exec 'ls -l /bin'

3. Update server program:

$ ./qsh update /path/to/local/qshd

This function will update remote qshd, and run again.

4. Automation to run command on many server:

$ for i in {10..20} ; do \
      export _IP=192.168.0.$i
      export _PORT=2800
      export _P=key   # set key
      ./qsh exec 'ls -l /bin'
  done

Note: qsh use $_P to fetch server key, so you should erase all history data after to use $_P.

5. Update password

start with version 3.2, you can update the password as below:

  $ ./qsh passwd

about VERSION file

Client and server must have the same main version serial, otherwise, the client cannot to connect the server. the main version serial like, both is 1.x, or 2.x, or 3.x, etc.

For example, if the client version is 1.1, and server is 1.5, so client can connect to the server, but if server version is 2.1, in that way the client cannot connect to server.

file config.h

You can configure the server port in config.h : #define _PORT 2800

And undef _HAVE_MORE_FUNCTION to disable some function.

Download


Read more

by Malik korrich ~ jeudi 2 juillet 2015 0 commentaires

« Articles plus anciens