โŒ
There are new articles available, click to refresh the page.
Yesterday โ€” 29 November 2022Tools

Pycrypt - Python Based Crypter That Can Bypass Any Kinds Of Antivirus Products

By: Zion3R
29 November 2022 at 11:30


Python Based Crypter That Can Bypass Any Kinds Of Antivirus Products


Important:

  1. Make Sure your payload file have all the libraries import and it will be a valid payload file

How To Use:

  1. Find Any Python Based Backdoor/RAT on github.
  2. Crypt its payload with pycrypt
  3. Now Convert crypted payload to exe using pyinstaller
  4. Enjoy

Note:

  1. Don't Upload Any Payloads To VirusTotal.com Bcz This tool will not work with Time.
  2. Virustotal Share Signatures With AV Comapnies.
  3. Again Don't be an Idiot!

KleenScan Scanner Result:-

  1. Generated stub.py Result:- https://kleenscan.com/scan_result/39e61c692ee91dd6cd48aca77a8bb220ef27fcc40df75807d4a1f96b4db8df69
  2. Crypter Code Result:- https://kleenscan.com/scan_result/24487da561419105e29cabd5fc66c503ee767719029fae2f9a041b04d6a75d4b

Download Python3:

*:- For Windows: https://www.python.org/ftp/python/3.10.7/python-3.10.7-amd64.exe

*:- For Linux:

  1. sudo apt-get install python3
  2. sudo apt-get install python3-pip

Requriements:-

  1. Make Sure Python3 And Pip Installed
  2. pip install termcolor
  3. pip install requests

How To Run:-

*:- For Windows:-

  1. Make Sure python3 and pip is installed and requriements also installed
  2. python pycrypt.py
  3. Then give the path of your payload file and enjoy

*:- For Linux:-

  1. Make Sure All Requriements is installed.
  2. python3 pycrypt.py
  3. Then enter the path of your payload file and enjoy

Platforms:

  1. Windows
  2. Linux Based Os

How To Install:

  1. git clone https://github.com/pycrypt
  2. cd pycrypt
  3. python3 pycrypt.py

Features:-

  1. FUD Ratio 0/40
  2. Bypass Any EDR's Solutions
  3. Lightweight Crypter
  4. Very Small And Simple Crypter

Warning:-

Use this tool Only for Educational Purpose And I will Not be Responsible For ur cruel act.



Before yesterdayTools

EvilTree - A Remake Of The Classic "Tree" Command With The Additional Feature Of Searching For User Provided Keywords/Regex In Files, Highlighting Those That Contain Matche

By: Zion3R
28 November 2022 at 13:30


A standalone python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches. Created for two main reasons:

  • While searching for secrets in files of nested directory structures, being able to visualize which files contain user provided keywords/regex patterns and where those files are located in the hierarchy of folders, provides a significant advantage.
  • "tree" is an amazing tool for analyzing directory structures. It's really handy to have a standalone alternative of the command for post-exploitation enumeration as it is not pre-installed on every linux distro and is kind of limited on Windows (compared to the UNIX version).

Usage Examples

Example #1: Running a regex that essentially matches strings similar to: password = something against /var/www

Example #2: Using comma separated keywords instead of regex:

Disclaimer: Only tested on Windows 10 Pro.

Further Options & Usage Tips

Notable features:

  • Regex -x search actually returns a unique list of all matched patterns in a file. Be careful when combining it with -v (--verbose), try to be specific and limit the length of chars to match.
  • You can search keywords/regex in binary files as well by providing option -b.
  • You can use this tool as the classic "tree" command if you do not provide keywords -k and regex -x values. This is useful in case you have gained a limited shell on a machine and want to have "tree" with colored output to look around.
  • There's a list variable filetype_blacklist in eviltree.py which can be used to exclude certain file extensions from content search. By default, it excludes the following: gz, zip, tar, rar, 7z, bz2, xz, deb, img, iso, vmdk, dll, ovf, ova.
  • A quite useful feature is the -i (--interesting-only) option. It instructs eviltree to list only files with matching keywords/regex content, significantly reducing the output length:

Useful keywords/regex patterns

  • Regex to look for passwords: -x ".{0,3}passw.{0,3}[=]{1}.{0,18}"
  • Keywords to look for sensitive info: -k passw,db_,admin,account,user,token


Kubeeye - Tool To Find Various Problems On Kubernetes, Such As Application Misconfiguration, Unhealthy Cluster Components And Node Problems

By: Zion3R
27 November 2022 at 11:30

ย 

KubeEye is an inspection tool for Kubernetes to discover Kubernetes resources (by OPA ), cluster components, cluster nodes (by Node-Problem-Detector) and other configurations are meeting with best practices, and giving suggestions for modification.

KubeEye supports custom inspection rules and plugins installation. Through KubeEye Operator, you can view the inspection results and modification suggestions by the graphical display on the web page.


Architecture

KubeEye get cluster resource details by the Kubernetes API, inspect the resource configurations by inspection rules and plugins, and generate inspection results. See Architecture for details.


How to use

  • Install KubeEye on your machine

    • Download pre built executables from Releases.

    • Or you can build from source code

    Note: make install will create kubeeye in /usr/local/bin/ on your machine.

    git clone https://github.com/kubesphere/kubeeye.git
    cd kubeeye
    make installke
  • [Optional] Install Node-problem-Detector

Note: This will install npd on your cluster, only required if you want detailed report.

kubeeye install npd
  • Run KubeEye

Note: The results of kubeeye sort by resource kind.

kubeeye audit
KIND NAMESPACE NAME REASON LEVEL MESSAGE
Node docker-desktop kubelet has no sufficient memory available warning KubeletHasNoSufficientMemory
Node docker-desktop kubelet has no sufficient PID available warning KubeletHasNoSufficientPID
Node docker-desktop kubelet has disk pressure warning KubeletHasDiskPressure
Deployment default testkubeeye NoCPULimits
Deployment default testkubeeye NoReadinessProbe
Deployment default testkubeeye NotRunAsNonRoot
Deployment kube-system coredns NoCPULimits
Deployment kube-system coredns ImagePullPolicyNotAlways
Deployment kube-system coredns NotRunAsNonRoot
Deployment kubeeye-system kubeeye-controller-manager ImagePullPolicyNotAlways
Deployment kubeeye-system kubeeye-controller-manager NotRunAsNonRoot
DaemonSet kube-system kube-proxy NoCPULimits
DaemonSet k ube-system kube-proxy NotRunAsNonRoot
Event kube-system coredns-558bd4d5db-c26j8.16d5fa3ddf56675f Unhealthy warning Readiness probe failed: Get "http://10.1.0.87:8181/ready": dial tcp 10.1.0.87:8181: connect: connection refused
Event kube-system coredns-558bd4d5db-c26j8.16d5fa3fbdc834c9 Unhealthy warning Readiness probe failed: HTTP probe failed with statuscode: 503
Event kube-system vpnkit-controller.16d5ac2b2b4fa1eb BackOff warning Back-off restarting failed container
Event kube-system vpnkit-controller.16d5fa44d0502641 BackOff warning Back-off restarting failed container
Event kubeeye-system kubeeye-controller-manager-7f79c4ccc8-f2njw.16d5fa3f5fc3229c Failed warning Failed to pull image "controller:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for controller, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Event kubeeye-system kubeeye-controller-manager-7f79c4ccc8-f2njw.16d5fa3f61b28527 Failed warning Error: ImagePullBackOff
Role kubeeye-system kubeeye-leader-election-role CanDeleteResources
ClusterRole kubeeye-manager-role CanDeleteResources
ClusterRole kubeeye-manager-role CanModifyWorkloads
ClusterRole vpnkit-controller CanImpersonateUser
ClusterRole vpnkit-controller CanDeleteResources

What KubeEye can do

  • KubeEye inspects cluster resources according with Kubernetes best practices, to make cluster stable.
  • KubeEye can find problems of your cluster control plane, including kube-apiserver/kube-controller-manager/etcd, etc.
  • KubeEye helps you detect all kinds of cluster nodes problems, including memory/cpu/disk pressure, unexpected kernel error logs, etc.

Checklist

YES/NO CHECK ITEM Description Level
โœ…
PrivilegeEscalationAllowed Privilege escalation is allowed danger
โœ…
CanImpersonateUser The role/clusterrole can impersonate other user warning
โœ…
CanModifyResources The role/clusterrole can delete kubernetes resources warning
โœ…
CanModifyWorkloads The role/clusterrole can modify kubernetes workloads warning
โœ…
NoCPULimits The resource does not set limits of CPU in containers.resources danger
โœ…
NoCPURequests The resource does not set requests of CPU in containers.resources danger
โœ…
HighRiskCapabilities Have high-Risk options in capabilities such as ALL/SYS_ADMIN/NET_ADMIN danger
โœ…
HostIPCAllowed HostIPC Set to true danger
โœ…
HostNetworkAllowed HostNetwork Set to true danger
โœ…
HostPIDAllowed HostPID Set to true danger
โœ…
HostPortAllowed HostPort Set to true danger
โœ…
ImagePullPolicyNotAlways Image pull policy not always warning
โœ…
ImageTagIsLatest The image tag is latest warning
โœ…
ImageTagMiss The image tag do not declare danger
โœ…
InsecureCapabilities Have insecure options in capabilities such as KILL/SYS_CHROOT/CHOWN danger
โœ…
NoLivenessProbe The resource does not set livenessProbe warning
โœ…
NoMemoryLimits The resource does not set limits of memory in containers.resources danger
โœ…
NoMemoryRequests The resource does not set requests of memory in containers.resources danger
โœ…
NoPriorityClassName The resource does not set priorityClassName ignore
โœ…
PrivilegedAllowed Running a pod in a privileged mode means that the pod can access the hostโ€™s resources and kernel capabilities danger
โœ…
NoReadinessProbe The resource does not set readinessProbe warning
โœ…
NotReadOnlyRootFilesystem The resource does not set readOnlyRootFilesystem to true warning
โœ…
NotRunAsNonRoot The resource does not set runAsNonRoot to true, maybe executed run as a root account warning
โœ…
CertificateExpiredPeriod Certificate expiration date less than 30 days danger
โœ…
EventAudit Event audit warning
โœ…
NodeStatus node status audit warning
โœ…
DockerStatus docker status audit warning
โœ…
KubeletStatus kubelet status audit warning

Add your own inspection rules

Add custom OPA rules

mkdir opa
  • Add custom OPA rules files

Note: the OPA rule for workloads, package name must be kubeeye_workloads_regofor RBAC, package name must be kubeeye_RBAC_regofor nodes, package name must be kubeeye_nodes_rego

  • Save the following rules to rule file such as imageRegistryRule.rego to check the image registry address complies with rules.
package kubeeye_workloads_rego

deny[msg] {
resource := input
type := resource.Object.kind
resourcename := resource.Object.metadata.name
resourcenamespace := resource.Object.metadata.namespace
workloadsType := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
workloadsType[type]

not workloadsImageRegistryRule(resource)

msg := {
"Name": sprintf("%v", [resourcename]),
"Namespace": sprintf("%v", [resourcenamespace]),
"Type": sprintf("%v", [type]),
"Message": "ImageRegistryNotmyregistry"
}
}

workloadsImageRegistryRule(resource) {
regex.match("^myregistry.public.kubesphere/basic/.+", resource.Object.spec.template.spec.containers[_].image)
}
  • Run KubeEye with custom rules

Note: Specify the path then Kubeeye will read all files in the directory that end with .rego.

root:# kubeeye audit -p ./opa
NAMESPACE NAME KIND MESSAGE
default nginx1 Deployment [ImageRegistryNotmyregistry NotReadOnlyRootFilesystem NotRunAsNonRoot]
default nginx11 Deployment [ImageRegistryNotmyregistry PrivilegeEscalationAllowed HighRiskCapabilities HostIPCAllowed HostPortAllowed ImagePullPolicyNotAlways ImageTagIsLatest InsecureCapabilities NoPriorityClassName PrivilegedAllowed NotReadOnlyRootFilesystem NotRunAsNonRoot]
default nginx111 Deployment [ImageRegistryNotmyregistry NoCPULimits NoCPURequests ImageTagMiss NoLivenessProbe NoMemoryLimits NoMemoryRequests NoPriorityClassName NotReadOnlyRootFilesystem NoReadinessProbe NotRunAsNonRoot]

Add custom NPD rules

  • edit configmap
kubectl edit ConfigMap node-problem-detector-config -n kube-system 
  • restart NPD deployment
kubectl rollout restart DaemonSet node-problem-detector -n kube-system

KubeEye Operator

What is KubeEye Operator

KubeEye Operator is an inspection platform for Kubernetes, manage KubeEye by operator and generate inspection result.

What KubeEye Operator can do

  • KubeEye Operator provides management functions through web page.
  • KubeEye Operator recode inspection results by CR, can view and compare cluster inspection results by web page.
  • KubeEye Operator provides more plugins.
  • KubeEye Operator provides more detailed modification suggestions.

deploy Kubeeye

kubectl apply -f https://raw.githubusercontent.com/kubesphere/kubeeye/main/deploy/kubeeye.yaml
kubectl apply -f https://raw.githubusercontent.com/kubesphere/kubeeye/main/deploy/kubeeye_insights.yaml

get the inspection results

kubectl get clusterinsight -o yaml
apiVersion: v1
items:
- apiVersion: kubeeye.kubesphere.io/v1alpha1
kind: ClusterInsight
metadata:
name: clusterinsight-sample
namespace: default
spec:
auditPeriod: 24h
status:
auditResults:
auditResults:
- resourcesType: Node
resultInfos:
- namespace: ""
resourceInfos:
- items:
- level: warning
message: KubeletHasNoSufficientMemory
reason: kubelet has no sufficient memory available
- level: warning
message: KubeletHasNoSufficientPID
reason: kubelet has no sufficient PID available
- level: warning
message: KubeletHasDiskPressure
reason: kubelet has disk pressure
name: kubeeyeNode

Documents



MSMAP - Memory WebShell Generator

By: Zion3R
26 November 2022 at 11:30


Msmap is a Memory WebShell Generator. Compatible with various Containers, Components, Encoder, WebShell / Proxy / Killer and Management Clients. ็ฎ€ไฝ“ไธญๆ–‡

The idea behind I, The idea behind II





Function

  • Dynamic Menu
  • Automatic Compilation
  • Generate Script
  • Lite Mode
  • Graphical Interface

Container

  • Java
    • Tomcat7
    • Tomcat8
    • Tomcat9
    • Tomcat10
    • Resin3
    • Resin4
    • WebSphere
    • GlassFish
    • WebLogic
    • JBoss
    • Spring
    • Netty
    • JVM*
  • .NET
    • IIS
  • PHP
  • Python

*: Default support for Linux Tomcat 8/9, more versions can be adapted according to the advanced guide.

WebShell / Proxy / Killer

  • WebShell

    • CMD / SH
    • AntSword
    • JSPJS
    • Behinder
    • Godzilla
  • No need for modularity

Proxy: Neo-reGeorg, wsproxy

Killer: java-memshell-scanner, ASP.NET-Memshell-Scanner

Decoder / Decryptor / Hasher

  • Decoder
    • Base64
    • Hex
  • Decryptor
    • XOR
    • RC4
    • AES128
    • AES256
    • RSA
  • Hasher
    • MD5
    • SHA128
    • SHA256

Usage

git clone [email protected]:hosch3n/msmap.git
cd msmap
python generator.py

[Warning] MUST set a unique password, Options are case sensitive.

Advanced

Edit config/environment.py

# Auto Compile
auto_build = True

# Base64 Encode Class File
b64_class = True

# Generate Script File
generate_script = True

# Compiler Absolute Path
java_compiler_path = r"~/jdk1.6.0_04/bin/javac"
dotnet_compiler_path = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"

Edit gist/java/container/tomcat/servlet.py

// Servlet Path Pattern
private static String pattern = "*.xml";

If an encryption encoder is used in WsFilter, the password needs to be the same as the path (eg /passwd)

gist/java/container/jdk/javax.py with lib/servlet-api.jar can be replaced depending on the target container.

pip3 install pyperclip to support automatic copying to clipboard.

Example

CMD / SH

Command with Base64 Encoder | Inject Tomcat Valve

python generator.py Java Tomcat Valve Base64 CMD passwd


AntSword

Type JSP with default Encoder | Inject Tomcat Valve

python generator.py Java Tomcat Valve RAW AntSword passwd

Type JSP with aes_128_ecb_pkcs7_padding_md5 Encoder | Inject Tomcat Listener

python generator.py Java Tomcat Listener AES128 AntSword passwd

Type JSP with rc_4_sha256 Encoder | Inject Tomcat Servlet

python generator.py Java Tomcat Servlet RC4 AntSword passwd

Type JSP with xor_md5 Encoder | AgentFiless Inject HttpServlet

python generator.py Java JDK JavaX XOR AntSword passwd

Type JSPJS with aes_128_ecb_pkcs7_padding_md5 Encoder | Inject Tomcat WsFilter

python generator.py Java Tomcat WsFilter AES128 JSPJS passwd

Behinder

Type default_aes | Inject Tomcat Valve

python generator.py Java Tomcat Valve AES128 Behinder rebeyond

Type default_xor_base64 | Inject Spring Interceptor

python generator.py Java Spring Interceptor XOR Behinder rebeyond


Godzilla

Type JAVA_AES_BASE64 | Inject Tomcat Valve

python generator.py Java Tomcat Valve AES128 Godzilla superidol

Type JAVA_AES_BASE64 | AgentFiless Inject HttpServlet

python generator.py Java JDK JavaX AES128 Godzilla superidol

Known issue

Reference

GodzillaMemoryShellProject

AntSword-JSP-Template

As-Exploits memshell_manage

Behinder | wsMemShell | ysomap



โŒ
โŒ