Reaper is a proof-of-concept designed to exploit BYOVD (Bring Your Own VulnerableDriver) driver vulnerability. This malicious technique involves inserting a legitimate, vulnerable driver into a target system, which allows attackers to exploit the driver to perform malicious actions.
Reaper was specifically designed to exploit the vulnerability present in the kprocesshacker.sys driver in version 2.8.0.0, taking advantage of its weaknesses to gain privileged access and control over the target system.
Note: Reaper does not kill the Windows Defender process, as it has a protection, Reaper is a simple proof of concept.
A Slack Attack Framework for conducting Red Team and phishing exercises within Slack workspaces.
Disclaimer
This tool is intended for Security Professionals only. Do not use this tool against any Slack workspace without explicit permission to test. Use at your own risk.
Background
Thousands of organizations utilize Slack to help their employees communicate, collaborate, and interact. Many of these Slack workspaces install apps or bots that can be used to automate different tasks within Slack. These bots are individually provided permissions that dictate what tasks the bot is permitted to request via the Slack API. To authenticate to the Slack API, each bot is assigned an api token that begins with xoxb or xoxp. More often than not, these tokens are leaked somewhere. When these tokens are exfiltrated during a Red Team exercise, it can be a pain to properly utilize them. Now EvilSlackbot is here to automate and streamline that process. You can use EvilSlackbot to send spoofed Slack messages, phishing links, files, and search for secrets leaked in slack.
Phishing Simulations
In addition to red teaming, EvilSlackbot has also been developed with Slack phishing simulations in mind. To use EvilSlackbot to conduct a Slack phishing exercise, simply create a bot within Slack, give your bot the permissions required for your intended test, and provide EvilSlackbot with a list of emails of employees you would like to test with simulated phishes (Links, files, spoofed messages)
Attacks: -sP, --spoof Spoof a Slack message, customizing your name, icon, etc (Requires -e,-eL, or -cH) -m, --message Send a message as the bot associated with your token (Requires -e,-eL, or -cH) -s, --search Search slack for secrets with a keyword -a, --attach Send a message containing a malicious attachment (Requires -f and -e,-eL, or -cH)
Arguments: -f FILE, --file FILE Path to file attachment -e EMAIL, --email EMAIL Email of target -cH CHANNEL, --channel CHANNEL Target Slack Channel (Do not include #) -eL EMAIL_LIST, --email_list EMAIL_LIST Path to list of emails separated by newline -c, --check Lookup and display the permissions and available attacks associated with your provided token. -o OUTFILE, --outfile OUTFILE Outfile to store search results -cL, --channel_list List all public Slack channels
Token
To use this tool, you must provide a xoxb or xoxp token.
Depending on the permissions associated with your token, there are several attacks that EvilSlackbot can conduct. EvilSlackbot will automatically check what permissions your token has and will display them and any attack that you are able to perform with your given token.
Attacks: -sP, --spoof Spoof a Slack message, customizing your name, icon, etc (Requires -e,-eL, or -cH)
-m, --message Send a message as the bot associated with your token (Requires -e,-eL, or -cH)
-s, --search Search slack for secrets with a keyword
-a, --attach Send a message containing a malicious attachment (Requires -f and -e,-eL, or -cH)
Spoofed messages (-sP)
With the correct token permissions, EvilSlackbot allows you to send phishing messages while impersonating the botname and bot photo. This attack also requires either the email address (-e) of the target, a list of target emails (-eL), or the name of a Slack channel (-cH). EvilSlackbot will use these arguments to lookup the SlackID of the user associated with the provided emails or channel name. To automate your attack, use a list of emails.
With the correct token permissions, EvilSlackbot allows you to send phishing messages containing phishing links. What makes this attack different from the Spoofed attack is that this method will send the message as the bot associated with your provided token. You will not be able to choose the name or image of the bot sending your phish. This attack also requires either the email address (-e) of the target, a list of target emails (-eL), or the name of a Slack channel (-cH). EvilSlackbot will use these arguments to lookup the SlackID of the user associated with the provided emails or channel name. To automate your attack, use a list of emails.
With the correct token permissions, EvilSlackbot allows you to search Slack for secrets via a keyword search. Right now, this attack requires a xoxp token, as xoxb tokens can not be given the proper permissions to keyword search within Slack. Use the -o argument to write the search results to an outfile.
With the correct token permissions, EvilSlackbot allows you to send file attachments. The attachment attack requires a path to the file (-f) you wish to send. This attack also requires either the email address (-e) of the target, a list of target emails (-eL), or the name of a Slack channel (-cH). EvilSlackbot will use these arguments to lookup the SlackID of the user associated with the provided emails or channel name. To automate your attack, use a list of emails.
python3 EvilSlackbot.py -t <xoxb token> -a -f <path to file> -e <email address>
python3 EvilSlackbot.py -t <xoxb token> -a -f <path to file> -eL <email list>
python3 EvilSlackbot.py -t <xoxb token> -a -f <path to file> -cH <Channel name>
Arguments
Arguments: -f FILE, --file FILE Path to file attachment -e EMAIL, --email EMAIL Email of target -cH CHANNEL, --channel CHANNEL Target Slack Channel (Do not include #) -eL EMAIL_LIST, --email_list EMAIL_LIST Path to list of emails separated by newline -c, --check Lookup and display the permissions and available attacks associated with your provided token. -o OUTFILE, --outfile OUTFILE Outfile to store search results -cL, --channel_list List all public Slack channels
Channel Search
With the correct permissions, EvilSlackbot can search for and list all of the public channels within the Slack workspace. This can help with planning where to send channel messages. Use -o to write the list to an outfile.
This is a simple SBOM utility which aims to provide an insider view on which packages are getting executed.
The process and objective is simple we can get a clear perspective view on the packages installed by APT (currently working on implementing this for RPM and other package managers). This is mainly needed to check which all packages are actually being executed.
Installation
The packages needed are mentioned in the requirements.txt file and can be installed using pip:
pip3 install -r requirements.txt
Usage
First of all install the packages.
Secondly , you need to set up environment variables such as:
Mount the image: Currently I am still working on a mechanism to automatically define a mount point and mount different types of images and volumes but its still quite a task for me.
Finally run the tool to list all the packages.
Argument
Description
--analysis-mode
Specifies the mode of operation. Default is static. Choices are static and chroot.
--static-type
Specifies the type of analysis for static mode. Required for static mode only. Choices are info and service.
--volume-path
Specifies the path to the mounted volume. Default is /mnt.
--save-file
Specifies the output file for JSON output.
--info-graphic
Specifies whether to generate visual plots for CHROOT analysis. Default is True.
--pkg-mgr
Manually specify the package manager or dont add this option for automatic check.
APT:
- Static Info Analysis:
- This command runs the program in static analysis mode, specifically using the Info Directory analysis method.
- It analyzes the packages installed on the mounted volume located at /mnt.
- It saves the output in a JSON file named output.json.
This command runs the program in static analysis mode, specifically using the Service file analysis method.
It analyzes the packages installed on the mounted volume located at /custom_mount.
It saves the output in a JSON file named output.json.
It does not generate visual plots for CHROOT analysis. bash python3 main.py --pkg-mgr apt --analysis-mode static --static-type service --volume-path /custom_mount --save-file output.json --info-graphic False
Chroot analysis with or without Graphic output:
This command runs the program in chroot analysis mode.
It analyzes the packages installed on the mounted volume located at /mnt.
It saves the output in a JSON file named output.json.
RPM - Static Analysis: - Similar to how its done on apt but there is only one type of static scan avaialable for now. bash python3 main.py --pkg-mgr rpm --analysis-mode static --volume-path /mnt --save-file output.json
Chroot analysis with or without Graphic output:
Exactly how its done on apt. bash python3 main.py --pkg-mgr rpm --analysis-mode chroot --volume-path /mnt --save-file output.json --info-graphic True/False
Supporting Images
Currently the tool works on Debian and Red Hat based images I can guarentee the debian outputs but the Red-Hat onces still needs work to be done its not perfect.
I am working on the pacman side of things I am trying to find a relaiable way of accessing the pacman db for static analysis.
Graphical Output Images (Chroot)
APT Chroot
RPM Chroot
Inner Workings
For the workings and process related documentation please read the wiki page: Link
TODO
[x] Support for RPM
[x] Support for APT
[x] Support for Chroot Analysis
[x] Support for Versions
[x] Support for Chroot Graphical output
[x] Support for organized graphical output
[ ] Support for Pacman
Ideas and Discussions
Ideas regarding this topic are welcome in the discussions page.
Login
