Normal view

There are new articles available, click to refresh the page.
Today β€” 25 September 2023Tools

EDRaser - Tool For Remotely Deleting Access Logs, Windows Event Logs, Databases, And Other Files

By: Zion3R
24 September 2023 at 11:30

EDRaser is a powerful tool for remotely deleting access logs, Windows event logs, databases, and other files on remote machines. It offers two modes of operation: automated and manual.

Automated Mode

In automated mode, EDRaser scans the C class of a given address space of IPs for vulnerable systems and attacks them automatically. The attacks in auto mode are:

  • Remote deletion of webserver logs.
  • SysLog deletion (on Linux).
  • Local deletion of Windows Application event logs.
  • Remote deletion of Windows event logs.
  • VMX + VMDK deletion

To use EDRaser in automated mode, follow these steps:

python edraser.py --auto

Manual Mode

In manual mode, you can select specific attacks to launch against a targeted system, giving you greater control. Note that some attacks, such as VMX deletion, are for local machine only.

To use EDRaser in manual mode, you can use the following syntax:

python edraser.py --ip <ip_addr> --attack <attack_name> [--sigfile <signature file>]


  • --ip: scan IP addresses in the specified range and attack vulnerable systems (default: localhost).
  • --sigfile: use the specified encrypted signature DB (default: signatures.db).
  • --attack: attack to be executed. The following attacks are available: ['vmx', 'vmdk', 'windows_security_event_log_remote', 'windows_application_event_log_local', 'syslog', 'access_logs', 'remote_db', 'local_db', 'remote_db_webserver']

Optional arguments:

  • port : port of remote machine
  • ``
  • db_username: the username of the remote DB.
  • db_password: the password of the remote DB.
  • db_type: type of the DB, EDRaser supports mysql, sqlite. (# Note that for sqlite, no username\password is needed)
  • db_name: the name of remote DB to be connected to
  • table_name: the name of remote table to be connected to
  • rpc_tools: path to the VMware rpc_tools


python edraser.py --attack windows_event_log --ip 

python EDRaser.py -attack remote_db -db_type mysql -db_username test_user -db_password test_password -ip

DB web server

You can bring up a web interface for inserting and viewing a remote DB. it can be done by the following command: EDRaser.py -attack remote_db_webserver -db_type mysql -db_username test_user -db_password test_password -ip

This will bring up a web server on the localhost:8080 address, it will allow you to view & insert data to a remote given DB. This feature is designed to give an example of a "Real world" scenario where you have a website that you enter data into it and it keeps in inside a remote DB, You can use this feature to manually insert data into a remote DB.

Available Attacks

In manual mode, EDRaser displays a list of available attacks. Here's a brief description of each attack:

  1. Windows Event Logs: Deletes Windows event logs from the remote targeted system.
  2. VMware Exploit: Deletes the VMX and VMDK files on the host machine. This attack works only on the localhost machine in a VMware environment by modifying the VMX file or directly writing to the VMDK files.
  3. Web Server Logs: Deletes access logs from web servers running on the targeted system by sending a malicious string user-agent that is written to the access-log files.
  4. SysLogs: Deletes syslog from Linux machines running Kaspersky EDR without being .
  5. Database: Deletes all data from the remotely targeted database.

HTMLSmuggler - HTML Smuggling Generator And Obfuscator For Your Red Team Operations

By: Zion3R
23 September 2023 at 11:30

The full explanation what is HTML Smuggling may be found here.

The primary objective of HTML smuggling is to bypass network security controls, such as firewalls and intrusion detection systems, by disguising malicious payloads within seemingly harmless HTML and JavaScript code. By exploiting the dynamic nature of web applications, attackers can deliver malicious content to a user's browser without triggering security alerts or being detected by traditional security mechanisms. Thanks to this technique, the download of a malicious file is not displayed in any way in modern IDS solutions.

The main goal of HTMLSmuggler tool is creating an independent javascript library with embedded malicious user-defined payload. This library may be integrated into your phishing sites/email html attachments/etc. to bypass IDS and IPS system and deliver embedded payload to the target user system. An example of created javascript library may be found here.


  • Built-in highly configurable JavaScript obfuscator that fully hides your payload.
  • May be used both as an independent JS library or embedded in JS frameworks such as React, Vue.js, etc.
  • The simplicity of the template allows you to add extra data handlers/compressions/obfuscations.


  1. Install yarn package manager.

  2. Install dependencies:

  3. Read help message.

    yarn build -h

    Preparation steps

    1. Modify (or use my) javascript-obfuscator options in obfuscator.js, my preset is nice, but very slow.

    2. Compile your javascript payload:

      yarn build -p /path/to/payload -n file.exe -t "application/octet-stream" -c
    3. Get your payload from dist/payload.esm.js or dist/payload.umd.js. After that, it may be inserted into your page and called with download() function.

    payload.esm.js is used in import { download } from 'payload.esm'; imports (ECMAScript standart).

    payload.umd.js is used in html script SRC and require('payload.umd'); imports (CommonJS, AMD and pure html).

    Pure HTML example

    A full example may be found here.

    1. Do preparation steps.

    2. Import created script to html file (or insert it inline):

      <script src="payload.umd.js"></script>
    3. Call download() function from body:

      <button onclick="download()">Some phishy button</button>
    4. Happy phishing :)

    VueJS example

    A full example may be found here.

    1. Do preparation steps.

    2. Import created script to vue file:

      import { download } from './payload.esm';
    3. Call download() function:

      <button @click="download()">Some phishy button</button>
    4. Happy phishing :)


    Q: I have an error RangeError: Maximum call stack size exceeded, how to solve it?

    A: This issue described here. To fix it, try to disable splitStrings in obfuscator.js or make smaller payload (it's recommended to use up to 2Β MB payloads because of this issue).

    Q: Why does my payload build so long?

    A: The bigger payload you use, the longer it takes to create a JS file. To decrease time of build, try to disable splitStrings in obfuscator.js. Below is a table with estimated build times using default obfuscator.js.

    Payload size Build time
    525 KB 53 s
    1.25 MB 8Β m
    3.59 MB 25Β m