Packet Fence 12.2.0

MacOSThreatTrack - Bash Tool Used For Proactive Detection Of Malicious Activity On macOS Systems

The tool is being tested in the beta phase, and it only gathers MacOS system information at this time.

The code is poorly organized and requires significant improvements.

Description

Bash tool used for proactive detection of malicious activity on macOS systems.

I was inspired by Venator-Swift and decided to create a bash version of the tool.

OneLiner command

curl https://raw.githubusercontent.com/ab2pentest/MacOSThreatTrack/main/MacOSThreatTrack.sh | bash

Gathered information

[+] System info
[+] Users list
[+] Environment variables
[+] Process list
[+] Active network connections
[+] SIP status
[+] GateKeeper status
[+] Zsh history
[+] Bash history
[+] Shell startup scripts
[+] PF rules
[+] Periodic scripts
[+] CronJobs list
[+] LaunchDaemons data
[+] Kernel extensions
[+] Installed applications
[+] Installation history
[+] Chrome extensions

Todo

1. Saving output as JSON instead of printing out the result.

DataSurgeon - Quickly Extracts IP's, Email Addresses, Hashes, Files, Credit Cards, Social Secuirty Numbers And More From Text

 DataSurgeon (ds) is a versatile tool designed for incident response, penetration testing, and CTF challenges. It allows for the extraction of various types of sensitive information including emails, phone numbers, hashes, credit cards, URLs, IP addresses, MAC addresses, SRV DNS records and a lot more!

• Supports Windows, Linux and MacOS

Extraction Features

• Emails
• Files
• Phone numbers
• Credit Cards
• Google API Private Key ID's
• Social Security Numbers
• AWS Keys
• Bitcoin wallets
• URL's
• IPv4 Addresses and IPv6 addresses
• MAC Addresses
• SRV DNS Records
• Extract Hashes
  • MD4 & MD5
  • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
  • SHA-3 224, SHA-3 256, SHA-3 384, SHA-3 512
  • MySQL 323, MySQL 41
  • NTLM
  • bcrypt

Want more?

Please read the contributing guidelines here

Quick Install

Install Rust and Github

Linux

wget -O - https://raw.githubusercontent.com/Drew-Alleman/DataSurgeon/main/install/install.sh | bash

Windows

Enter the line below in an elevated powershell window.

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Drew-Alleman/DataSurgeon/main/install/install.ps1")

Relaunch your terminal and you will be able to use ds from the command line.

Mac

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/Drew-Alleman/DataSurgeon/main/install/install.sh | sh

Command Line Arguments

Video Guide

Examples

Extracting Files From a Remote Webiste

Here I use wget to make a request to stackoverflow then I forward the body text to ds . The -F option will list all files found. --clean is used to remove any extra text that might have been returned (such as extra html). Then the result of is sent to uniq which removes any non unique files found.

 wget -qO - https://www.stackoverflow.com | ds -F --clean | uniq

Extracting Mac Addresses From an Output File

Here I am pulling all mac addresses found in autodeauth's log file using the -m query. The --hide option will hide the identifer string infront of the results. In this case 'mac_address: ' is hidden from the output. The -T option is used to check the same line multiple times for matches. Normallly when a match is found the tool moves on to the next line rather then checking again.

$ ./ds -m -T --hide -f /var/log/autodeauth/log     
2023-02-26 00:28:19 - Sending 500 deauth frames to network: BC:2E:48:E5:DE:FF -- PrivateNetwork
2023-02-26 00:35:22 - Sending 500 deauth frames to network: 90:58:51:1C:C9:E1 -- TestNet

Reading all files in a directory

The line below will will read all files in the current directory recursively. The -D option is used to display the filename (-f is required for the filename to display) and -e used to search for emails.

$ find . -type f -exec ds -f {} -CDe \;

Speed Tests

When no specific query is provided, ds will search through all possible types of data, which is SIGNIFICANTLY slower than using individual queries. The slowest query is --files. Its also slightly faster to use cat to pipe the data to ds.

Below is the elapsed time when processing a 5GB test file generated by ds-test. Each test was ran 3 times and the average time was recorded.

Computer Specs

Processor	Intel(R) Core(TM) i5-10400F CPU @ 2.90GHz, 2904 Mhz, 6 Core(s), 12 Logical Processor(s)
Ram         12.0 GB (11.9 GB usable)

Searching all data types

Using specific queries

Project Goals

• JSON and CSV output
• Untar/unzip and a directorty searching mode
• Base64 Detection and decoding

AIDE 0.18.1

Thunderstorm - Modular Framework To Exploit UPS Devices

Thunderstorm is a modular framework to exploit UPS devices.

For now, only the CS-141 and NetMan 204 exploits will be available. The beta version of the framework will be released on the future.

CVE

Thunderstorm is currently capable of exploiting the following CVE:

• CVE-2022-47186 – Unrestricted file Upload # [CS-141]
• CVE-2022-47187 – Cross-Site Scripting via File upload # [CS-141]
• CVE-2022-47188 – Arbitrary local file read via file upload # [CS-141]
• CVE-2022-47189 – Denial of Service via file upload # [CS-141]
• CVE-2022-47190 – Remote Code Execution via file upload # [CS-141]
• CVE-2022-47191 – Privilege Escalation via file upload # [CS-141]
• CVE-2022-47192 – Admin password reset via file upload # [CS-141]
• CVE-2022-47891 – Admin password reset # [NetMan 204]
• CVE-2022-47892 – Sensitive Information Disclosure # [NetMan 204]
• CVE-2022-47893 – Remote Code Execution via file upload # [NetMan 204]

Requirements

• Python 3
• Install requirements.txt

Download

It is recommended to clone the complete repository or download the zip file. You can do this by running the following command:

git clone https://github.com/JoelGMSec/Thunderstorm

Also, you probably need to download the original and the custom firmware. You can download all requirements from here: https://darkbyte.net/links/thunderstorm.php

Usage

- To be disclosed

The detailed guide of use can be found at the following link:

• To be disclosed

License

This project is licensed under the GNU 3.0 license - see the LICENSE file for more details.

Credits and Acknowledgments

This tool has been created and designed from scratch by Joel Gámez Molina // @JoelGMSec

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can find me on Twitter as @JoelGMSec and on my blog darkbyte.net.

RedTeam-Physical-Tools - Red Team Toolkit - A Curated List Of Tools That Are Commonly Used In The Field For Physical Security, Red Teaming, And Tactical Covert Entry

***The links of the products may change with time, if so, just ping me on twitter so I can update them. None of the links are affiliated or sponsored. Also, I have personally purchased almost every single item from this list out of my own pocket based on needs for engagements. If there are any other items that are not on this list and you believe they should be, feel free to DM or ping me on twitter (@DavidProbinsky) and I can add them.***

Commonly used tools for Red Teaming Engagements, Physical Security Assessments, and Tactical Covert Entry.

In this list I decided to share most of the tools I utilize in authorized engagements, including where to find some of them, and in some cases I will also include some other alternative tools. I am not providing information on how to use these tools, since this information can be found online with some research. My goal with this list is to help fellow Red Teamers with a 'checklist', for whenever they might be missing a tool, and use this list as a reference for any engagement. Stay safe and legal!!

X-force - IBM Security Utilitary Library In Python. Search And Query All Sources: Threat_Activities And Groups, Malware_Analysis, Industries

IBM Security X-FORCE Exchange library in Python 3. Search: threat_activities, threat_groups, malware_analysis, collector and industries.

Install

pip3 install XForce

Use

Using you API_KEY make a basic authentication. After make a base64 code → Key + : + Password:

printf "d2f5f0f9-2995-42c6-b1dd-4c92252da129:06c41d5e-0604-4c7c-a599-300c367d2090" | base64
# ZDJmNWYwZjktMjk5NS00MmM2LWIxZGQtNGM5MjI1MmRhMTI5OjA2YzQxZDVlLTA2MDQtNGM3Yy1hNTk5LTMwMGMzNjdkMjA5MAo=

Using API_KEY, call functions.

Call functions

import XForce

# Args: 1 - Term of search, 2 - API KEY

# Threat activity search return in string
XForce.threat_activities(Term, API_KEY)

# Malware analysis search return in string
XForce.malware_analysis(Term, API_KEY)

# Threat groups search return in string
XForce.threat_groups(Term, API_KEY)

# Industries search return in string
XForce.industries(Term, API_KEY)

# All categories search return in list with dict
XForce.industries(Term, API_KEY)

For see more details of consult, run:

from XForce import details

# Args: 1 - GUID, 2 - API KEY 
# IMPORTANT: all GUID are correspondent to category
# All function of details have:
# url → with x-force exchange panel
details.activity(Id, API_KEY)
details.group(Id, API_KEY)
details.malware(Id, API_KEY)
details.industry(Id, API_KEY)

Wireshark Analyzer 4.0.4

Cortex-XDR-Config-Extractor - Cortex XDR Config Extractor

This tool is meant to be used during Red Team Assessments and to audit the XDR Settings.

With this tool its possible to parse the Database Lock Files of the Cortex XDR Agent by Palo Alto Networks and extract Agent Settings, the Hash and Salt of the Uninstall Password, as well as possible Exclusions.

Supported Extractions

• Uninstall Password Hash & Salt
• Excluded Signer Names
• DLL Security Exclusions & Settings
• PE Security Exclusions & Settings
• Office Files Security Exclusions & Settings
• Credential Gathering Module Exclusions
• Webshell Protection Module Exclusions
• Childprocess Executionchain Exclusions
• Behavorial Threat Module Exclusions
• Local Malware Scan Module Exclusions
• Memory Protection Module Status
• Global Hash Exclusions
• Ransomware Protection Module Modus & Settings

Usage

Usage = ./XDRConfExtractor.py [Filename].ldb
Help  = ./XDRConfExtractor.py -h

Getting Hold of Database Lock Files

Agent Version <7.8

With Agent Versions prior to 7.8 any authenticated user can generate a Support File on Windows via Cortex XDR Console in the System Tray. The databse lock files can be found within the zip:

logs_[ID].zip\Persistence\agent_settings.db\

Agent Version ≥7.8

Support files from Agents running Version 7.8 or higher are encrypted, but if you have elevated privileges on the Windows Maschine the files can be directly copied from the following directory, without encryption.

Method I

C:\ProgramData\Cyvera\LocalSystem\Persistence\agent_settings.db\

Method II

Generated Support Files are not deleted regulary, so it might be possible to find old, unencrypted Support Files in the following folder:

C:\Users\[Username]\AppData\Roaming\PaloAltoNetworks\Traps\support\

Agent Version >8.1

Supposedly, since Agent version 8.1, it should no longer be possible to pull the data from the lock files. This has not been tested yet.

Credits

This tool relies on a technique originally released by mr.d0x in April 2022 https://mrd0x.com/cortex-xdr-analysis-and-bypass/

Legal disclaimer

Usage of Cortex-XDR-Config-Extractor for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

APKHunt - Comprehensive Static Code Analysis Tool For Android Apps That Is Based On The OWASP MASVS Framework

APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers, it can be used by anyone to identify and address potential security vulnerabilities in their code.

With APKHunt, mobile software architects or developers can conduct thorough code reviews to ensure the security and integrity of their mobile applications, while security testers can use the tool to confirm the completeness and consistency of their test results. Whether you're a developer looking to build secure apps or an infosec tester charged with ensuring their security, APKHunt can be an invaluable resource for your work.

Features

• Scan coverage: Covers most of the SAST (Static Application Security Testing) related test cases of the OWASP MASVS framework.
• Multiple APK scanning: Supports scanning multiple APK files in a perticular path or folder.
• Optimised scanning: Specific rules are designed to check for particular security sinks, resulting in an almost accurate scanning process.
• Low false-positive rate: Designed to pinpoint and highlight the exact location of potential vulnerabilities in the source code.
• Output format: Results are provided in a TXT file format for easy readability for end-users.

Installation

1. git clone https://github.com/Cyber-Buddy/APKHunt.git
2. cd apkhunt
3. go run apkhunt.go

Requirements:

• Install Git: sudo apt-get install git
• Install Golang: sudo apt install golang-go
• Install JADX: sudo apt-get install jadx
• Install Dex2jar: sudo apt-get install dex2jar

Limitation:

• Only supported on Linux environments

Usage

      _ _   __ __  _   __  _   _                _   
     / _ \ | _ _ \| | / / | | | |              | |  
    / /_\ \| |_/ /| |/ /  | |_| | _   _   _ _  | |_ 
    |  _  ||  __/ |    \  |  _  || | | |/  _  \|  _|                                                                                     
    | | | || |    | |\  \ | | | || |_| || | | || |_                                                                                      
    \_| |_/\_|    \_| \_/ \_| |_/\ _ _ /|_| |_|\_ _|                                                                                     
    ------------------------------------------------                                                                                     
    OWASP MASVS Static Analyzer  

    APKHunt Usage:                                                                                                                          
          go run APKHunt.go [options] {.apk file}                                                                                        

    Options:                                                                                                                             
         -h     For help                                                                                                                 
         -p     Provide the apk file-path
         -m     Provide the folder-path for multiple apk scanning
         -l     For logging (.txt file)

    Examples:                                                                                                                            
         APKHunt.go -p /Downloads/android_app.apk                                                                                        
         APKHunt.go -p /Downloads/android_app.apk -l
            APKHunt.go -m /Downloads/android_apps/
         APKHunt.go -m /Downloads/android_apps/ -l

Security test-case coverage

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.

Upcoming Features

• Scanning of multiple APK files - DONE
• More output format such as HTML - In the outer orbit!
• Integration with third-party tools - Cannot commit!

Contribution

We would love to receive any sort of contribution from the community. Please provide your valuable suggestions or feedback to make this tool even more awesome.

Disclaimer

This project is created to help the infosec community. It is important to respect its core philosophy, values, and intentions. Please refrain from using it for any harmful, malicious, or evil purposes.

License

This project is licensed under the GNU General Public License v3.0

Project Developer

• Sumit Kalaria | Twitter | Linkedin
• Mrunal Chawda | Twitter | Linkedin

Credits

• RedHunt Labs

IpGeo - Tool To Extract IP Addresses From Captured Network Traffic File

IpGeo is a python tool to extract IP addresses from captured network traffic file (pcap/pcapng) and generate csv report containing details about the geolocation of each ip in the packets.

The report contains:

1. Country:
2. Country Code.
3. Region
4. Region Name
5. City
6. Zip
7. Latitude
8. Longitude
9. Timezone
10. Isp
11. Org
12. Ip

Installation

Use the package manager pip3 to install required modules.

pip3 install colorama
pip3 install requests
pip3 install pyshark

If you are not using Kali or ParrotOs or any other penetration distribution you need to install Tshark.

sudo apt install tshark

Usage

python3 ipGeo.py
# then you will enter captured traffic file path

SXDork - A Powerful Tool That Utilizes The Technique Of Google Dorking To Search For Specific Information On The Internet

SXDork is a powerful tool that utilizes the technique of google dorking to search for specific information on the internet. Google dorking is a method of using advanced search operators and keywords to uncover sensitive information that is publicly available on the internet. SXDork offers a wide range of options to search for different types of dorks, such as domain login dork, wpadmin dork, SQL dork, configuration file dorks, logfile dorks, dashboard dork, id_rsa dorks, ftp dorks, backup file dorks, mail archive dorks, password dorks, DCIM photos dork, and CCTV dorks.

One of the key features of SXDork is its ability to search dorks using the -s flag. This function allows users to retrieve a significant amount of information related to search keywords. Users can specify specific keywords and the tool will search for all the related information available on the internet. Additionally, users can use the -r flag to set the number of results that will be displayed. The default setting is 10 results, however, users can increase or decrease the number of results as per their requirement. This feature is useful for users who are looking for specific information and want to filter through the results quickly.

SXDork also allows users to search wildcard domains and find a wide range of information. This feature is particularly useful for security researchers, penetration testers and other professionals who need to find sensitive information on the internet. With the ability to search for different types of dorks, wildcard domains and filter through results, SXDork is a powerful tool that can help users find information that is publicly available on the internet.

SXDork has the ability to search for information on multiple domains. By default, the tool searches for information on pastebin.com and controlc.com, but you can easily add more domains to search against. To do this, you can navigate to the src directory and edit the dorks.py file, where you will see an array called src that contains the default domains. Simply add more domains to this array, and the next time you run a search query, SXDork will check all the domains in the array for the keyword you are searching for. This allows you to easily find information across multiple domains.

Installation

git clone https://github.com/samhaxr/SXDork.git
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python SXDork.py

Usage

usage: SXDork.py [-h] [-s SEARCH] [-r RESULT] [-dl DOMLOGIN] [-da DOMADMIN]
                 [-wp WPADMIN] [-lp LPANEL] [-sql SQLFILE] [-cnf CONFILE]
                 [-log LOGFILE] [-dash DASHBOARD] [-rsa IDRSA] [-ftp FTPFILE]
                 [-bck BACKUPFILE] [-ma MAILARCHIVE] [-pw PASSWORD]
                 [-pic PHOTOS] [-cam CCTVCAM]

Search keywords using google dork

optional arguments:
  -h, --help            show this help message and exit
  -s SEARCH, --search SEARCH
                        Search keyword with dork
  -r RESULT, --result RESULT
                        Number of output result
  -dl DOMLOGIN, --domlogin DOMLOGIN
                        Search domain(s) for login pages
  -da DOMADMIN, --domadmin DOMADMIN
                        Search domain(s) for admin panels
  -wp WPADMIN, --wpadmin WPADMIN
                        Search domain(s) for wordpress admin
  -lp LPANEL, --lpanel LPANEL
                        Search domain(s) for login panels
  -sql SQLFILE, --sqlfile SQLFILE
                        Search domain(s) for sql database files
  -cnf CONFILE, --confile CONFILE
                        Search domain(s) for configuration files
  -log LOGFILE, --logfile LOGFILE
                        Search domain(s) for log files
  -dash DASHBOARD, --dashboard DASHBOARD
                        Search domain(s) for the dashboard
  -rsa IDRSA, --idrsa IDRSA
                        Search domain(s) for id_rsa pub keys
  -ftp FTPFILE, --ftpfile FTPFILE
                        Search domain(s) for FTP files
  -bck BACKUPFILE, --backupfile BACKUPFILE
                        Search domain(s) for backup files
  -ma MAILARCHIVE, --mailarchive MAILARCHIVE
                        Search domain(s) for ma   il archives
  -pw PASSWORD, --password PASSWORD
                        Search domain(s) for passwords
  -pic PHOTOS, --photos PHOTOS
                        Search domain(s) for DCIM/Photos
  -cam CCTVCAM, --cctvcam CCTVCAM
                        Search domain(s) for CCTV/CAMs

CVE-Vulnerability-Information-Downloader - Downloads Information From NIST (CVSS), First.Org (EPSS), And CISA (Exploited Vulnerabilities) And Combines Them Into One List

Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
Exploit Prediction Scoring System (EPSS) estimates the likelihood that a software vulnerability will be exploited in the wild.
CISA publishes a list of known exploited vulnerabilities.

This projects downloads the information from the three sources and combines them into one list.
Scanners show you the CVE number and the CVSS score, but do often not export the full details like "exploitabilityScore" or "userInteractionRequired". By adding the EPSS score you get more options to select what to do first and filter on the thresholds which makes sense for your environment.
You can use the information to enrich the information provided from your vulnerability scanner like OpenVAS to prioritize remediation.
You can use tools like PowerBI to combine the results from the vulnerability scanner with the information downloaded by the script in the repository.

After the download the required information will be extracted, formatted, and output files will be generated.
CVSS, EPSS and a combined file of all CVE information will be available. Outputs are available in json and csv formats.
Additionally the information is imported into a sqlite database.

The goal was not performance or efficiency.
Instead the script is written in a simple way. Multiple steps are made to make easier to understand and traceable. Files from intermediate steps are written to disk to allow you make it easier for you to adjust the commands to your needs.
It is only using bash, jq, and sqlite3 to be very beginner friendly and demonstrate the usage of jq.

PowerBI Example Dashboard

This repository contains a demo folder with a PowerBI template file. It generate a dashboard which you can adjust to your needs.

The OpenVAS report must be in the csv format for the import to work.

PowerBI will use the created CVE.json file and create a relationship:

You can download PowerBI for free from https://aka.ms/pbiSingleInstaller and you don't need an Microsoft account to use it.

Configuration

1. Get an NIST API key: https://nvd.nist.gov/developers/request-an-api-key
2. cp env_example .env
3. edit the .env file and add your API key
4. optional: edit docker-compose file and adjust the cron schedule
5. optional: edit data/vulnerability-tables-logstash/config/logstash.conf
6. docker-compose up -d
7. you will find the files in data/vulnerability-tables-cron/output/ after the script completed. It needs several minutes.

Run

You can either wait for cron to execute the download script on a schedule.
Alternatively you can execute the download script manually by running:

docker exec -it vulnerability-tables-cron bash /opt/scripts/download.sh

Container Description

There are three docker containers.
The cron container downloads the information once a week (Monday 06:00) and stores the files in the output directory.
It uses curl and wget to download files. jq is used work with json.

The filebeat container reads the json files and forwards it to the logstash container.
The logstash container can be used to send to a OpenSearch instance, upload it to Azure Log Analytics, or other supported outputs.
Filebeat and logstash are optional and are only included for continence.

Example output files

Several output files will be generated. Here is an estimate:

316K   CISA_known_exploited.csv
452K   CISA_known_exploited.json
50M    CVSS.csv
179M   CVSS.json
206M   CVE.json
56M    CVE.csv
6.7M   EPSS.csv
12M    EPSS.json
49M    database.sqlite

You can expect this information for every CVE:

grep -i 'CVE-2021-44228' CVE.json | jq
{
  "CVE": "CVE-2021-44228",
  "CVSS2_accessComplexity": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
  "CVSS2_accessVector": "NETWORK",
  "CVSS2_authentication": "MEDIUM",
  "CVSS2_availabilityImpact": "NONE",
  "CVSS2_baseScore": "COMPLETE",
  "CVSS2_baseSeverity": "COMPLETE",
  "CVSS2_confidentialityImpact": "COMPLETE",
  "CVSS2_exploitabilityScore": "9.3",
  "CVSS2_impactScore": "null",
  "CVSS2_integrityImpact": "8.6",
  "CVSS2_vectorString": "10",
  "CVSS3_attackComplexity": "null",
  "CVSS3_attackVector": "null",
  "CVSS3_availabilityImpact": "null",
  "CVSS3_baseScore": "null",
  "CVSS3_baseSeverity": "null",
  "CVSS3_confidentialityImpact": "null",
  "CVSS3_exploitabilityScore": "null",
  "CVSS3_impactScore": "null",
  "CVSS3_integrityImpact": "null",
  "CVSS3_privilegesRequired": "null",
  "CVSS3_scope": "null",
  "CVSS3_userInteraction   ": "null",
  "CVSS3_vectorString": "null",
  "CVSS3_acInsufInfo": "null",
  "CVSS3_obtainAllPrivilege": "null",
  "CVSS3_obtainUserPrivilege": "null",
  "CVSS3_obtainOtherPrivilege": "null",
  "CVSS3_userInteractionRequired": "null",
  "EPSS": "0.97095",
  "EPSS_Percentile": "0.99998",
  "CISA_dateAdded": "2021-12-10",
  "CISA_RequiredAction": "For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available."
}

Links

• https://www.first.org/epss/user-guide
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://nvd.nist.gov/developers/vulnerabilities

Tracgram - Use Instagram Location Features To Track An Account

Trackgram Use Instagram location features to track an account

Usage

At this moment the usage of Trackgram is extremly simple:

1. Download this repository

2. Go through the instalation steps

3. Change the parameters in the tracgram main method directly:
    + Mandatory:
        - NICKNAME: your username on Instagram
        - PASSWORD: your instagram password
        - OBJECTIVE: your objective username

    + Optional:
        - path_to_csv: the path were the csv file will be stored, including the name


4. Execute it with python3 tracgram.py

Installation steps

1. Download with $ git clone https://github.com/initzerCreations/Tracgram

2. Install dependencies using pip install -r requirements.txt

3. Congrats! by now you should be able to run it: python3 tracgram.py

Screenshots

Features

1. Provides a heatmap based on the location frequency

2. Markers displayed on the heatmap indicating:

   • Exact location name
   • Time when relate post was made
   • Link to Google Maps address

3. Graph relating the posts count for an specific location

4. Generate a easy to process .CSV file

Gmailc2 - A Fully Undetectable C2 Server That Communicates Via Google SMTP To Evade Antivirus Protections And Network Traffic Restrictions

 A Fully Undetectable C2 Server That Communicates Via Google SMTP to evade Antivirus Protections 
 and Network Traffic Restrictions

Note:

 This RAT communicates Via Gmail SMTP (or u can use any other smtps as well) but Gmail SMTP is valid
 because most of the companies block unknown traffic so gmail traffic is valid and allowed everywhere.

Warning:

 1. Don't Upload Any Payloads To VirusTotal.com Bcz This tool will not work
    with Time.
 2. Virustotal Share Signatures With AV Comapnies.
 3. Again Don't be an Idiot!

How To Setup

 1. Create Two seperate Gmail Accounts.
 2. Now enable SMTP On Both Accounts (check youtube if u don't know)
 3. Suppose you have already created Two Seperate Gmail Accounts With SMTP enabled
    A -> first account represents  Your_1st_gmail@gmail.com
    B -> 2nd account   represents  your_2nd_gmail@gmail.com
 4. Now Go To server.py file and fill the following at line 67:
    smtpserver="smtp.gmail.com"          (don't change this)
    smtpuser="Your_1st_gmail@gmail.com"  
    smtpkey="your_1st_gmail_app_password"
    imapserver="imap.gmail.com"    (don't change this)
    imapboy="your_2nd_gmail@gmail.com"
5. Now Go To client.py file and fill the following at line 16:
    imapserver = "imap.gmail.com"          (dont change this)
    username = "your_2nd_gmail@gmail.com"
    password = "your2ndgmailapp password"
    getting = "Your_1st_gmail@gmail.com"
    smtpserver = "smtp.gmail.com"          (don   't change this)
6. Enjoy

How To Run:-

 *:- For Windows:-
 1. Make Sure python3 and pip is installed and requriements also installed
 2. python server.py  (on server side)


 *:- For Linux:-
 1. Make Sure All Requriements is installed.
 2. python3 server.py  (on server side)

C2 Feature:-

 1) Persistence (type persist)
 2) Shell Access 
 3) System Info (type info)
 4) More Features Will Be Added 

Features:-

1) FUD Ratio 0/40
2) Bypass Any EDR's Solutions
3) Bypass Any Network Restrictions
4) Commands Are Being Sent in Base64 And Decoded on server side
5) No More Tcp Shits

Warning:-

Use this tool Only for Educational Purpose And I will Not be Responsible For ur cruel act.

Zeek 5.0.7

Probable_Subdomains - Subdomains Analysis And Generation Tool. Reveal The Hidden!

Online tool: https://weakpass.com/generate/domains

TL;DR

During bug bounties, penetrations tests, red teams exercises, and other great activities, there is always a room when you need to launch amass, subfinder, sublister, or any other tool to find subdomains you can use to break through - like test.google.com, dev.admin.paypal.com or staging.ceo.twitter.com. Within this repository, you will be able to find out the answers to the following questions:

1. What are the most popular subdomains?
2. What are the most common words in multilevel subdomains on different levels?
3. What are the most used words in subdomains?

And, of course, wordlists for all of the questions above!

Methodology

As sources, I used lists of subdomains from public bugbounty programs, that were collected by chaos.projectdiscovery.io, bounty-targets-data or that just had responsible disclosure programs with a total number of 4095 domains! If subdomains appear more than in 5-10 different scopes, they will be put in a certain list. For example, if dev.stg appears both in *.google.com and *.twitter.com, it will have a frequency of 2. It does not matter how often dev.stg appears in *.google.com. That's all - nothing more, nothing less< /strong>.

You can find complete list of sources here

Lists

Subdomains

In these lists you will find most popular subdomains as is.

Subdomain levels

In these lists, you will find the most popular words from subdomains split by levels. F.E - dev.stg subdomain will be split into two words dev and stg. dev will have level = 2, stg - level = 1. You can use these wordlists for combinatory attacks for subdomain searches. There are several types of level.txt wordlists that follow the idea of subdomains.

Popular splitted subdomains

In these lists, you will find the most popular splitted words from subdomains on all levels. For example - dev.stg subdomain will be splitted in two words dev and stg.

Google Drive

You can download all the files from Google Drive

Attributions

• berzerk0 for the inspiration with the great work Probable-Wordlists
• chaos.projectdiscovery.io
• bounty-targets-data/
• Based on some previous iteration of the same idea - https://github.com/zzzteph/substats

Thanks!

Reverseip_Py - Domain Parser For IPAddress.com Reverse IP Lookup

Domain parser for IPAddress.com Reverse IP Lookup. Writen in Python 3.

What is Reverse IP?

Reverse IP refers to the process of looking up all the domain names that are hosted on a particular IP address. This can be useful for a variety of reasons, such as identifying all the websites that are hosted on a shared hosting server or finding out which websites are hosted on the same IP address as a particular website.

Requirements

• beautifulsoup4
• requests
• urllib3

Tested on Debian with Python 3.10.8

Install Requirements

pip3 install -r requirements.txt

How to Use

Help Menu

python3 reverseip.py -h
usage: reverseip.py [-h] [-t target.com]

options:
  -h, --help            show this help message and exit
  -t target.com, --target target.com
                        Target domain or IP

Reverse IP

python3 reverseip.py -t google.com

Disclaimer

Any actions and or activities related to the material contained within this tool is solely your responsibility.The misuse of the information in this tool can result in criminal charges brought against the persons in question.

Note: modifications, changes, or changes to this code can be accepted, however, every public release that uses this code must be approved by author of this tool (yuyudhn).

AIEngine 2.3.0

Falco 0.34.1

Faraday - Open Source Vulnerability Management Platform

Security has two difficult tasks: designing smart ways of getting new information, and keeping track of findings to improve remediation efforts. With Faraday, you may focus on discovering vulnerabilities while we help you with the rest. Just use it in your terminal and get your work organized on the run. Faraday was made to let you take advantage of the available tools in the community in a truly multiuser way.

Faraday aggregates and normalizes the data you load, allowing exploring it into different visualizations that are useful to managers and analysts alike.

To read about the latest features check out the release notes!

Install

Docker-compose

The easiest way to get faraday up and running is using our docker-compose

$ wget https://raw.githubusercontent.com/infobyte/faraday/master/docker-compose.yaml
$ docker-compose up

If you want to customize, you can find an example config over here Link

Docker

You need to have a Postgres running first.

 $ docker run \
     -v $HOME/.faraday:/home/faraday/.faraday \
     -p 5985:5985 \
     -e PGSQL_USER='postgres_user' \
     -e PGSQL_HOST='postgres_ip' \
     -e PGSQL_PASSWD='postgres_password' \
     -e PGSQL_DBNAME='postgres_db_name' \
     faradaysec/faraday:latest

PyPi

$ pip3 install faradaysec
$ faraday-manage initdb
$ faraday-server

Binary Packages (Debian/RPM)

You can find the installers on our releases page

$ sudo apt install faraday-server_amd64.deb
# Add your user to the faraday group
$ faraday-manage initdb
$ sudo systemctl start faraday-server

Add your user to the faraday group and then run

Source

If you want to run directly from this repo, this is the recommended way:

$ pip3 install virtualenv
$ virtualenv faraday_venv
$ source faraday_venv/bin/activate
$ git clone git@github.com:infobyte/faraday.git
$ pip3 install .
$ faraday-manage initdb
$ faraday-server

Check out our documentation for detailed information on how to install Faraday in all of our supported platforms

For more information about the installation, check out our Installation Wiki.

In your browser now you can go to http://localhost:5985 and login with "faraday" as username, and the password given by the installation process

Getting Started

Learn about Faraday holistic approach and rethink vulnerability management.

• Centralize your vulnerability data
• Automate the scanners you need

Integrating faraday in your CI/CD

Setup Bandit and OWASP ZAP in your pipeline

• GitHub [PDF]
• Jenkins [PDF]
• TravisCI [PDF]

Setup Bandit, OWASP ZAP and SonarQube in your pipeline

• Gitlab [PDF]

Faraday Cli

Faraday-cli is our command line client, providing easy access to the console tools, work in faraday directly from the terminal!

This is a great way to automate scans, integrate it to CI/CD pipeline or just get metrics from a workspace

$ pip3 install faraday-cli

Check our faraday-cli repo

Check out the documentation here.

Faraday Agents

Faraday Agents Dispatcher is a tool that gives Faraday the ability to run scanners or tools remotely from the platform and get the results.

Plugins

Connect you favorite tools through our plugins. Right now there are more than 80+ supported tools, among which you will find:

Missing your favorite one? Create a Pull Request!

There are two Plugin types:

Console plugins which interpret the output of the tools you execute.

$ faraday-cli tool run \"nmap www.exampledomain.com\"
💻 Processing Nmap command
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-22 14:13 -03
Nmap scan report for www.exampledomain.com (10.196.205.130)
Host is up (0.17s latency).
rDNS record for 10.196.205.130: 10.196.205.130.bc.example.com
Not shown: 996 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
2222/tcp open   EtherNetIP-1
3306/tcp closed mysql
Nmap done: 1 IP address (1 host up) scanned in 11.12 seconds
⬆ Sending data to workspace: test
✔ Done

Report plugins which allows you to import previously generated artifacts like XMLs, JSONs.

faraday-cli tool report burp.xml

Creating custom plugins is super easy, Read more about Plugins.

API

You can access directly to our API, check out the documentation here.

Links

• Homepage: faradaysec.com
• Documentation: Faraday Docs
• Download: Download .deb/.rpm from releases page
• Issue tracker and feedback: Github issue tracker
• Frequently Asked Questions: FaradaySEC FAQ
• Twitter: @faradaysec
• Try one of our Demos

ThreatHound - Tool That Help You On Your IR & Threat Hunting And CA

This tool will help you on your IR & Threat Hunting & CA. just drop your event log file and anlayze the results.

New Release Features:

• support windows (ThreatHound.exe)
• C for Linux based
• new vesion available in C also
• now you can save results in json file or print on screen it as you want by arg 'print' "'yes' to print the results on screen and 'no' to save the results on json file"
• you can give windows event logs folder or single evtx file or multiple evtx separated by comma by arg -p
• you can now give sigam ruels path by arg -s
• add multithreading to improve runing speed
• ThreatHound.exe is agent based you can push it and run it on multiple servers

• Example:

$ ThreatHound.exe -s ..\sigma_rules\ -p C:\Windows\System32\winevt\Logs\ -print no

• NOTE: give cmd full promission to read from "C:\Windows\System32\winevt\Logs"

• Linux Based:

• Windows Based

I’ve built the following:

• A dedicated backend to support Sigma rules for python
• A dedicated backend for parsing evtx for python
• A dedicated backend to match between evtx and the Sigma rules

Features of the tool:

• Automation for Threat hunting, Compromise Assessment, and Incident Response for the Windows Event Logs
• Downloading and updating the Sigma rules daily from the source
• More then 50 detection rules included
• support for more then 1500 detection rules for Sigma
• Support for new sigma rules dynamically and adding it to the detection rules
• Saving of all the outputs in JSON format
• Easily add any detection rules you prefer
• you can add new event log source type in mapping.py easily

To-do:

• Support for Sigma rules dedicated for DNS query
• Modifying the speed of algorithm dedicated for the detection and making it faster
• Adding JSON output that supports Splunk
• More features

installiton:

$ git clone https://github.com/MazX0p/ThreatHound.git
$ cd ThreatHound
$ pip install - r requirements.txt
$ pyhton3 ThreatHound.py

• Note: glob doesn't support get path of the directory if it has spaces on folder names, please ensure the path of the tool is without spaces (folders names)

Demo:

https://player.vimeo.com/video/784137549?h=6a0e7ea68a&amp;badge=0&amp;autopause=0&amp;player_id=0&amp;app_id=58479

Screenshots:

Upload_Bypass_Carnage - File Upload Restrictions Bypass, By Using Different Bug Bounty Techniques!

POC video:

File upload restrictions bypass by using different bug bounty techniques! Tool must be running with all its assets!

Installation:

pip3 install -r requirements.txt

Usage: upload_bypass.py [options]

Options: -h, --help

  show this help message and exit

-u URL, --url=URL

  Supply the login page, for example: -u http://192.168.98.200/login.php'

-s , --success

 Success message when upload an image, example: -s 'Image uploaded successfully.'

-e , --extension

 Provide server backend extension, for example: --extension php (Supported extensions: php,asp,jsp,perl,coldfusion)

-a , --allowed

 Provide allowed extensions to be uploaded, for example: php,asp,jsp,perl

-H , --header

 (Optional) - for example: '"X-Forwarded-For":"10.10.10.10"' - Use double quotes around the data and wrapp it all with single quotes. Use comma to separate multi headers.

-l , --location

 (Optional) - Supply a remote path where the webshell suppose to be. For exmaple: /uploads/

-S, --ssl

 (Optional) - No checks for TLS or SSL

-p, --proxy

 (Optional) - Channel the requests through proxy

-c, --continue

 (Optional) - If set, the brute force will continue even if one or more methods found!

-v, --verbose

 (Optional) - Printing the http response in terminal

-U , --username

 (Optional) - Username for authentication. For exmaple: --username admin

-P , --password

 (Optional) - - Password for authentication. For exmaple: --password 12345

Faraday 4.3.3

OffensivePipeline - Allows You To Download And Build C# Tools, Applying Certain Modifications In Order To Improve Their Evasion For Red Team Exercises

OfensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises.
A common use of OffensivePipeline is to download a tool from a Git repository, randomise certain values in the project, build it, obfuscate the resulting binary and generate a shellcode.

Features

• Currently only supports C# (.Net Framework) projects
• Allows to clone public and private (you will need credentials :D) git repositories
• Allows to work with local folders
• Randomizes project GUIDs
• Randomizes application information contained in AssemblyInfo
• Builds C# projects
• Obfuscates generated binaries
• Generates shellcodes from binaries
• There are 79 tools parameterised in YML templates (not all of them may work :D)
• New tools can be added using YML templates
• It should be easy to add new plugins...

What's new in version 2.0

• Almost complete code rewrite (new bugs?)
• Cloning from private repositories possible (authentication via GitHub authToken)
• Possibility to copy a local folder instead of cloning from a remote repository
• New module to generate shellcodes with Donut
• New module to randomize GUIDs of applications
• New module to randomize the AssemblyInfo of each application
• 60 new tools added

Examples

• List all tools:

OffensivePipeline.exe list

• Build all tools:

OffensivePipeline.exe all

• Build a tool

OffensivePipeline.exe t toolName

• Clean cloned and build tools

OffensivePipeline.exe 

Output example

PS C:\OffensivePipeline> .\OffensivePipeline.exe t rubeus

                                                                                                   ooo
                                                                                           .osooooM M
      ___   __  __                _           ____  _            _ _                      +y.     M M
     / _ \ / _|/ _| ___ _ __  ___(_)_   _____|  _ \(_)_ __   ___| (_)_ __   ___           :h  .yoooMoM
    | | | | |_| |_ / _ \ '_ \/ __| \ \ / / _ \ |_) | | '_ \ / _ \ | | '_ \ / _ \          oo  oo
    | |_| |  _|  _|  __/ | | \__ \ |\ V /  __/  __/| | |_) |  __/ | | | | |  __/          oo  oo
     \___/|_| |_|  \___|_| |_|___/_| \_/ \___|_|   |_| .__/ \___|_|_|_| |_|\___|          oo  oo
                                                     |_|                            MoMoooy.  h:
                                                                                       M M     .y+
                                                                                    M Mooooso.
                                                                                    ooo

                                                                    @aetsu
                                                                                v2.0.0


[+] Loading tool: Rubeus
    Clonnig repository: Rubeus into C:\OffensivePipeline\Git\Rubeus
                 Repository Rubeus cloned into C:\OffensivePipeline\Git\Rubeus

    [+] Load RandomGuid module
        Searching GUIDs...
                > C:\OffensivePipeline\Git\Rubeus\Rubeus.sln
                > C:\OffensivePipeline\Git\Rubeus\Rubeus\Rubeus.csproj
                > C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs
        Replacing GUIDs...
                File C:\OffensivePipeline\Git\Rubeus\Rubeus.sln:
                           > Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
                        > Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
                        > Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
                [+] No errors!
                File C:\OffensivePipeline\Git\Rubeus\Rubeus\Rubeus.csproj:
                        > Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
                        > Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
                        > Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
                [+] No errors!
                File C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs:
                           > Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
                        > Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
                        > Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
                [+] No errors!


    [+] Load RandomAssemblyInfo module
        Replacing strings in C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs
                [assembly: AssemblyTitle("Rubeus")] -> [assembly: AssemblyTitle("g4ef3fvphre")]
                [assembly: AssemblyDescription("")] -> [assembly: AssemblyDescription("")]
                [assembly: AssemblyConfiguration("")] -> [assembly: AssemblyConfiguration("")]
                [assembly: AssemblyCompany("")] -> [assembly: AssemblyCompany("")]
                [assembly: AssemblyProduc   t("Rubeus")] -> [assembly: AssemblyProduct("g4ef3fvphre")]
                [assembly: AssemblyCopyright("Copyright ©  2018")] -> [assembly: AssemblyCopyright("Copyright ©  2018")]
                [assembly: AssemblyTrademark("")] -> [assembly: AssemblyTrademark("")]
                [assembly: AssemblyCulture("")] -> [assembly: AssemblyCulture("")]


    [+] Load BuildCsharp module
        [+] Checking requirements...
        [*] Downloading nuget.exe from https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
                [+] Download OK - nuget.exe
                [+] Path found - C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\Tools\VsDevCmd.bat
        Solving dependences with nuget...
        Building solution...
                [+] No errors!
                [+] Output folder: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud


    [+] Load ConfuserEx module
        [+] Checking requirements...
        [+] Downloading ConfuserEx from https://github.com/mkaring/ConfuserEx/releases/download/v1.6.0/ConfuserEx-CLI.zip
                [+] Download OK - ConfuserEx
        Confusing...
                [+] No errors!


    [+] Load Donut module
        Generating shellcode...

Payload options:
        Domain: RMM6XFC3
        Runtime:v4.0.30319

Raw Payload: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud\ConfuserEx\Donut\Rubeus.bin
B64 Payload: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud\ConfuserEx\Donut\Rubeus.bin.b64

                [+] No errors!


    [+] Generating Sha256 hashes
                Output file: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud


-----------------------------------------------------------------
                SUMMARY

 - Rubeus
         - RandomGuid: OK
         - RandomAssemblyInfo: OK
            - BuildCsharp: OK
         - ConfuserEx: OK
         - Donut: OK

-----------------------------------------------------------------

Plugins

• RandomGuid: randomise the GUID in .sln, .csproj and AssemblyInfo.cs files
• RandomAssemblyInfo: randomise the values defined in AssemblyInfo.cs
• BuildCsharp: build c# project
• ConfuserEx: obfuscate c# tools
• Donut: use Donut to generate shellcodes. The shellcode generated is without parameters, in future releases this may be changed.

Add a tool from a remote git

The scripts for downloading the tools are in the Tools folder in yml format. New tools can be added by creating new yml files with the following format:

• Rubeus.yml file:

tool:
  - name: Rubeus
    description: Rubeus is a C# toolset for raw Kerberos interaction and abuses
    gitLink: https://github.com/GhostPack/Rubeus
    solutionPath: Rubeus\Rubeus.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser:
    authToken: 

Where:

• Name: name of the tool
• Description: tool description
• GitLink: link from git to clone
• SolutionPath: solution (sln file) path
• Language: language used (currently only c# is supported)
• Plugins: plugins to use on this tool build process
• AuthUser: user name from github (not used for public repositories)
• AuthToken: auth token from github (not used for public repositories)

Add a tool from a private git

tool:
  - name: SharpHound3-Custom
    description: C# Rewrite of the BloodHound Ingestor
    gitLink: https://github.com/aaaaaaa/SharpHound3-Custom
    solutionPath: SharpHound3-Custom\SharpHound3.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser: aaaaaaa
    authToken: abcdefghijklmnopqrsthtnf

Where:

• Name: name of the tool
• Description: tool description
• GitLink: link from git to clone
• SolutionPath: solution (sln file) path
• Language: language used (currently only c# is supported)
• Plugins: plugins to user on this tool build process
• AuthUser: user name from GitHub
• AuthToken: auth token from GitHub (documented at GitHub: creating a personal access token)

Add a tool from local git folder

tool:
  - name: SeatbeltLocal
    description: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
    gitLink: C:\Users\alpha\Desktop\SeatbeltLocal
    solutionPath: SeatbeltLocal\Seatbelt.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser:
    authToken: 

Where:

• Name: name of the tool
• Description: tool description
• GitLink: path where the tool is located
• SolutionPath: solution (sln file) path
• Language: language used (currently only c# is supported)
• Plugins: plugins to user on this tool build process
• AuthUser: user name from github (not used for local repositories)
• AuthToken: auth token from github (not used for local repositories)

Requirements for the release version (Visual Studio 2019/2022 is not required)

• Microsoft .NET Framework 3.5 Service Pack 1 (for some tools): https://www.microsoft.com/en-us/download/details.aspx?id=22
• Build Tools for Visual Studio 2022: https://aka.ms/vs/17/release/vs_BuildTools.exe
  • Install .NET desktop build tools
• (Alternative) Build Tools for Visual Studio 2019: https://aka.ms/vs/16/release/vs_BuildTools.exe
• Disable the antivirus :D
• Tested on Windows 10 Pro - Version 20H2 - Build 19045.2486

In the OffensivePipeline.dll.config file it's possible to change the version of the build tools used.

• Build Tools 2019:

<add key="BuildCSharpTools" value="C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\Common7\Tools\VsDevCmd.bat"/>

• Build Tools 2022:

<add key="BuildCSharpTools" value="C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\Tools\VsDevCmd.bat"/>

Requirements for build

• Net framework 3.5.1 (for some tools): https://www.microsoft.com/en-us/download/details.aspx?id=22
• Visual Studio 2022 -> https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community&rel=17
  • Install .NET desktop build tools
• Add the Donut nugget manually. (Thanks to @n1xbyte for the nugget (DonutCore.1.0.1.nupkg))

Credits

• ConfuserEx project: https://github.com/mkaring/ConfuserEx
• Donut project: https://github.com/TheWover/donut
• Donut C# generator: https://github.com/n1xbyte/donutCS
• SharpCollection: https://github.com/Flangvik/SharpCollection

Supported tools

• ADCollector:
  • Description: ADCollector is a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors.
  • Link: https://github.com/dev-2null/ADCollector
• ADCSPwn:
  • Description: A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts (Petitpotam) and relaying to the certificate service.
  • Link: https://github.com/bats3c/ADCSPwn
• ADFSDump:
  • Description: A C# tool to dump all sorts of goodies from AD FS
  • Link: https://github.com/mandiant/ADFSDump
• ADSearch:
  • Description: A tool written for cobalt-strike's execute-assembly command that allows for more efficent querying of AD.
  • Link: https://github.com/tomcarver16/ADSearch
• BetterSafetyKatz:
  • Description: This modified fork of SafetyKatz dynamically fetches the latest pre-compiled release of Mimikatz directly from the gentilkiwi GitHub repo, runtime patching on detected signatures and uses SharpSploit DInvoke to get it into memory.
  • Link: https://github.com/Flangvik/BetterSafetyKatz
• Certify:
  • Description: Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
  • Link: https://github.com/GhostPack/Certify
• DeployPrinterNightmare:
  • Description: C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
  • Link: https://github.com/Flangvik/DeployPrinterNightmare
• EDD:
  • Description: Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
  • Link: https://github.com/FortyNorthSecurity/EDD
• ForgeCert:
  • Description: C# tool to find vulnerabilities in AD Group Policy, but do it better than Grouper2 did.
  • Link: https://github.com/GhostPack/ForgeCert
• Group3r:
  • Description: Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • Link: https://github.com/Group3r/Group3r
• KrbRelay:
  • Description: C# Framework for Kerberos relaying
  • Link: https://github.com/cube0x0/KrbRelay
• KrbRelayUp:
  • Description: Simple wrapper around some of the features of Rubeus and KrbRelay
  • Link: https://github.com/Dec0ne/KrbRelayUp
• LockLess:
  • Description: LockLess is a C# tool that allows for the enumeration of open file handles and the copying of locked files.
  • Link: https://github.com/GhostPack/LockLess
• PassTheCert:
  • Description: A small Proof-of-Concept tool that allows authenticating against an LDAP/S server with a certificate to perform different attack actions
  • Link: https://github.com/AlmondOffSec/PassTheCert
• PurpleSharp:
  • Description: PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments
  • Link: https://github.com/mvelazc0/PurpleSharp
• Rubeus:
  • Description: Rubeus is a C# toolset for raw Kerberos interaction and abuses
  • Link: https://github.com/GhostPack/Rubeus
• SafetyKatz:
  • Description: SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
  • Link: https://github.com/GhostPack/SafetyKatz
• SauronEye:
  • Description: SauronEye is a search tool built to aid red teams in finding files containing specific keywords.
  • Link: https://github.com/vivami/SauronEye
• SearchOutlook:
  • Description: A C# tool to search through a running instance of Outlook for keywords
  • Link: https://github.com/RedLectroid/SearchOutlook
• Seatbelt:
  • Description: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
  • Link: https://github.com/GhostPack/Seatbelt
• Sharp-SMBExec:
  • Description: A native C# conversion of Kevin Robertsons Invoke-SMBExec powershell script
  • Link: https://github.com/checkymander/Sharp-SMBExec
• SharpAppLocker:
  • Description: C# port of the Get-AppLockerPolicy PowerShell cmdlet with extended features.
  • Link: https://github.com/Flangvik/SharpAppLocker
• SharpBypassUAC:
  • Description: C# tool for UAC bypasses
  • Link: https://github.com/FatRodzianko/SharpBypassUAC
• SharpChisel:
  • Description: C# Wrapper of Chisel from https://github.com/jpillora/chisel
  • Link: https://github.com/shantanu561993/SharpChisel
• SharpChromium:
  • Description: SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. Currently, it can extract
  • Link: https://github.com/djhohnstein/SharpChromium
• SharpCloud:
  • Description: SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
  • Link: https://github.com/chrismaddalena/SharpCloud
• SharpCOM:
  • Description: SharpCOM is a c# port of Invoke-DCOM
  • Link: https://github.com/rvrsh3ll/SharpCOM
• SharpCookieMonster:
  • Description: This is a Sharp port of @defaultnamehere's cookie-crimes module - full credit for their awesome work!
  • Link: https://github.com/m0rv4i/SharpCookieMonster
• SharpCrashEventLog:
  • Description: Crashes the Windows eventlog service locally or remotely using OpenEventLogA/ElfClearEventLogFileW.
  • Link: https://github.com/slyd0g/SharpCrashEventLog
• SharpDir:
  • Description: SharpDir is a simple code set to search both local and remote file systems for files using the same SMB process as dir.exe, which uses TCP port 445
  • Link: https://github.com/jnqpblc/SharpDir
• SharpDPAPI:
  • Description: SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project.
  • Link: https://github.com/GhostPack/SharpDPAPI
• SharpDump:
  • Description: SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality
  • Link: https://github.com/GhostPack/SharpDump
• SharpEDRChecker:
  • Description: Checks running processes, process metadata, Dlls loaded into your current process and each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
  • Link: https://github.com/PwnDexter/SharpEDRChecker
• SharPersist:
  • Description: Windows persistence toolkit written in C#
  • Link: https://github.com/mandiant/SharPersist
• SharpExec:
  • Description: SharpExec is an offensive security C# tool designed to aid with lateral movement.
  • Link: https://github.com/anthemtotheego/SharpExec
• SharpGPOAbuse:
  • Description: SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
  • Link: https://github.com/FSecureLABS/SharpGPOAbuse
• SharpHandler:
  • Description: This project reuses open handles to lsass to parse or minidump lsass, therefore you don't need to use your own lsass handle to interact with it. (Dinvoke-version)
  • Link: https://github.com/jfmaes/SharpHandler
• SharpHose:
  • Description: SharpHose is a C# password spraying tool designed to be fast, safe, and usable over Cobalt Strike's execute-assembly.
  • Link: https://github.com/ustayready/SharpHose
• SharpHound3:
  • Description: C# Rewrite of the BloodHound Ingestor
  • Link: https://github.com/BloodHoundAD/SharpHound3
• SharpKatz:
  • Description: Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
  • Link: https://github.com/b4rtik/SharpKatz
• SharpLAPS:
  • Description: This executable is made to be executed within Cobalt Strike session using execute-assembly. It will retrieve the LAPS password from the Active Directory.
  • Link: https://github.com/swisskyrepo/SharpLAPS
• SharpMapExec:
  • Description: Sharpen version of CrackMapExec
  • Link: https://github.com/cube0x0/SharpMapExec
• SharpMiniDump:
  • Description: Create a minidump of the LSASS process from memory (Windows 10 - Windows Server 2016). The entire process uses dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection.
  • Link: https://github.com/b4rtik/SharpMiniDump
• SharpMove:
  • Description: .NET authenticated execution for remote hosts
  • Link: https://github.com/0xthirteen/SharpMove
• SharpNamedPipePTH:
  • Description: This project is a C# tool to use Pass-the-Hash for authentication on a local Named Pipe for user Impersonation. You need a local administrator or SEImpersonate rights to use this.
  • Link: https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH
• SharpNoPSExec:
  • Description: File less command execution for lateral movement.
  • Link: https://github.com/juliourena/SharpNoPSExec
• SharpPrinter:
  • Description: Printer is a modified and console version of ListNetworks
  • Link: https://github.com/rvrsh3ll/SharpPrinter
• SharpRDP:
  • Description: Remote Desktop Protocol Console Application for Authenticated Command Execution
  • Link: https://github.com/0xthirteen/SharpRDP
• SharpReg:
  • Description: SharpReg is a simple code set to interact with the Remote Registry service API using the same SMB process as reg.exe, which uses TCP port 445
  • Link: https://github.com/jnqpblc/SharpReg
• SharpSCCM:
  • Description: SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement and credential gathering without requiring access to the SCCM administration console GUI.
  • Link: https://github.com/Mayyhem/SharpSCCM
• SharpScribbles:
  • Description: Extracts data from the Windows Sticky Notes database. Works on Windows 10 Build 1607 and higher. This
  • Link: https://github.com/V1V1/SharpScribbles
• SharpSearch:
  • Description: Project to quickly filter through a file share for targeted files for desired information.
  • Link: https://github.com/djhohnstein/SharpSearch
• SharpSecDump:
  • Description: .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py
  • Link: https://github.com/G0ldenGunSec/SharpSecDump
• SharpShares:
  • Description: Quick and dirty binary to list network share information from all machines in the current domain and if they're readable.
  • Link: https://github.com/djhohnstein/SharpShares
• SharpSniper:
  • Description: SharpSniper is a simple tool to find the IP address of these users so that you can target their box.
  • Link: https://github.com/HunnicCyber/SharpSniper
• SharpSphere:
  • Description: SharpSphere gives red teamers the ability to easily interact with the guest operating systems of virtual machines managed by vCenter
  • Link: https://github.com/JamesCooteUK/SharpSphere
• SharpSpray:
  • Description: SharpSpray a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
  • Link: https://github.com/jnqpblc/SharpSpray
• SharpSQLPwn:
  • Description: C# tool to identify and exploit weaknesses with MSSQL instances in Active Directory environments
  • Link: https://github.com/lefayjey/SharpSQLPwn
• SharpStay:
  • Description: .NET Persistence
  • Link: https://github.com/0xthirteen/SharpStay
• SharpSvc:
  • Description: SharpSvc is a simple code set to interact with the SC Manager API using the same DCERPC process as sc.exe, which open with TCP port 135 and is followed by the use of an ephemeral TCP port
  • Link: https://github.com/jnqpblc/SharpSvc
• SharpTask:
  • Description: SharpTask is a simple code set to interact with the Task Scheduler service API using the same DCERPC process as schtasks.exe, which open with TCP port 135 and is followed by the use of an ephemeral TCP port.
  • Link: https://github.com/jnqpblc/SharpTask
• SharpUp:
  • Description: SharpUp is a C# port of various PowerUp functionality
  • Link: https://github.com/GhostPack/SharpUp
• SharpView:
  • Description: .NET port of PowerView
  • Link: https://github.com/tevora-threat/SharpView
• SharpWebServer:
  • Description: Red Team oriented simple HTTP & WebDAV server written in C# with functionality to capture Net-NTLM hashes
  • Link: https://github.com/mgeeky/SharpWebServer
• SharpWifiGrabber:
  • Description: Retrieves in clear-text the Wi-Fi Passwords from all WLAN Profiles saved on a workstation
  • Link: https://github.com/r3nhat/SharpWifiGrabber
• SharpWMI:
  • Description: SharpWMI is a C# implementation of various WMI functionality.
  • Link: https://github.com/GhostPack/SharpWMI
• SharpZeroLogon:
  • Description: An exploit for CVE-2020-1472, a.k.a. Zerologon. This tool exploits a cryptographic vulnerability in Netlogon to achieve authentication bypass.
  • Link: https://github.com/nccgroup/nccfsas
• Shhmon:
  • Description: While Sysmon's driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events.
  • Link: https://github.com/matterpreter/Shhmon
• Snaffler:
  • Description: Snaffler is a tool for pentesters and red teamers to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
  • Link: https://github.com/SnaffCon/Snaffler
• SqlClient:
  • Description: C# .NET mssql client for accessing database data through beacon.
  • Link: https://github.com/FortyNorthSecurity/SqlClient
• StandIn:
  • Description: StandIn is a small AD post-compromise toolkit
  • Link: https://github.com/FuzzySecurity/StandIn
• SweetPotato:
  • Description: A collection of various native Windows privilege escalation techniques from service accounts to SYSTEM
  • Link: https://github.com/CCob/SweetPotato
• ThreatCheck:
  • Description: Modified version of Matterpreter's DefenderCheck
  • Link: https://github.com/rasta-mouse/ThreatCheck
• TokenStomp:
  • Description: C# POC for the token privilege removal flaw reported
  • Link: https://github.com/MartinIngesen/TokenStomp
• TruffleSnout:
  • Description: Iterative AD discovery toolkit for offensive operators
  • Link: https://github.com/dsnezhkov/TruffleSnout
• Watson:
  • Description: Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
  • Link: https://github.com/rasta-mouse/Watson
• Whisker:
  • Description: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.
  • Link: https://github.com/eladshamir/Whisker
• winPEAS:
  • Description: Privilege Escalation Awesome Scripts SUITE
  • Link: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
• WMIReg:
  • Description: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute.
  • Link: https://github.com/airzero24/WMIReg

Misp-Extractor - Tool That Connects To A MISP Instance And Retrieves Attributes Of Specific Types (Such As IP Addresses, URLs, And Hashes)

This code connects to a given MISP (Malware Information Sharing Platform) server and parses a given number of events, writing the IP addresses, URLs, and MD5 hashes found in the events to three separate files.

Usage

To use this script, you will need to provide the URL of your MISP instance and a valid API key. You can then call the MISPConnector.run() method to retrieve the attributes and save them to files.

To use the code, run the following command:

python3 misp_connector.py --misp-url <MISP_URL> --misp-key <MISP_API_KEY> --limit <EVENT_LIMIT>

Supported attribute types

The MISPConnector class currently supports the following attribute types:

• ip-src
• ip-dst
• md5
• url
• domain

If an attribute of one of these types is found in an event, it will be added to the appropriate set (for example, IP addresses will be added to the network_set) and written to the corresponding file (network.txt, hash.txt, or url.txt).

Configuration

The code can be configured by passing arguments to the command-line script. The available arguments are:

• misp-url: The URL of the MISP server. This argument is required.
• misp-key: The API key for the MISP server. This argument is required.
• limit: The maximum number of events to parse. The default is 2000.

Limitations

This script has the following limitations:

• It only retrieves attributes of specific types (as listed above).
• It only writes the retrieved attributes to files, without any further processing or analysis.
• It only retrieves a maximum of 2000 events, as specified by the limit parameter in the misp.search() method.

License

This code is provided under the MIT License. See the LICENSE file for more details.

Clam AntiVirus Toolkit 1.0.1

Web-Hacking-Playground - Web Application With Vulnerabilities Found In Real Cases, Both In Pentests And In Bug Bounty Programs

Web Hacking Playground is a controlled web hacking environment. It consists of vulnerabilities found in real cases, both in pentests and in Bug Bounty programs. The objective is that users can practice with them, and learn to detect and exploit them.

Other topics of interest will also be addressed, such as: bypassing filters by creating custom payloads, executing chained attacks exploiting various vulnerabilities, developing proof-of-concept scripts, among others.

Important

The application source code is visible. However, the lab's approach is a black box one. Therefore, the code should not be reviewed to resolve the challenges.

Additionally, it should be noted that fuzzing (both parameters and directories) and brute force attacks do not provide any advantage in this lab.

Setup

It is recommended to use Kali Linux to perform this lab. In case of using a virtual machine, it is advisable to use the VMware Workstation Player hypervisor.

The environment is based on Docker and Docker Compose, so it is necessary to have both installed.

To install Docker on Kali Linux, run the following commands:

sudo apt update -y
sudo apt install -y docker.io
sudo systemctl enable docker --now
sudo usermod -aG docker $USER

To install Docker on other Debian-based distributions, run the following commands:

curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo systemctl enable docker --now
sudo usermod -aG docker $USER

It is recommended to log out and log in again so that the user is recognized as belonging to the docker group.

To install Docker Compose, run the following command:

sudo apt install -y docker-compose

Note: In case of using M1 it is recommended to execute the following command before building the images:

export DOCKER_DEFAULT_PLATFORM=linux/amd64

The next step is to clone the repository and build the Docker images:

git clone https://github.com/takito1812/web-hacking-playground.git
cd web-hacking-playground
docker-compose build

Also, it is recommended to install the Foxy Proxy browser extension, which allows you to easily change proxy settings, and Burp Suite, which we will use to intercept HTTP requests.

We will create a new profile in Foxy Proxy to use Burp Suite as a proxy. To do this, we go to the Foxy Proxy options, and add a proxy with the following configuration:

• Proxy Type: HTTP
• Proxy IP address: 127.0.0.1
• Port: 8080

Deployment

Once everything you need is installed, you can deploy the environment with the following command:

git clone https://github.com/takito1812/web-hacking-playground.git
cd web-hacking-playground
docker-compose up -d

This will create two containers of applications developed in Flask on port 80:

• The vulnerable web application (Socially): Simulates a social network.
• The exploit server: You should not try to hack it, since it does not have any vulnerabilities. Its objective is to simulate a victim's access to a malicious link.

Important

It is necessary to add the IP of the containers to the /etc/hosts file, so that they can be accessed by name and that the exploit server can communicate with the vulnerable web application. To do this, run the following commands:

sudo sed -i '/whp-/d' /etc/hosts
echo "$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' whp-socially) whp-socially" | sudo tee -a /etc/hosts
echo "$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' whp-exploitserver) whp-exploitserver" | sudo tee -a /etc/hosts

Once this is done, the vulnerable application can be accessed from http://whp-socially and the exploit server from http://whp-exploitserver.

When using the exploit server, the above URLs must be used, using the domain name and not the IPs. This ensures correct communication between containers.

When it comes to hacking, to represent the attacker's server, the local Docker IP must be used, since the lab is not intended to make requests to external servers such as Burp Collaborator, Interactsh, etc. A Python http.server can be used to simulate a web server and receive HTTP interactions. To do this, run the following command:

sudo python3 -m http.server 80

Stages

The environment is divided into three stages, each with different vulnerabilities. It is important that they are done in order, as the vulnerabilities in the following stages build on those in the previous stages. The stages are:

• Stage 1: Access with any user
• Stage 2: Access as admin
• Stage 3: Read the /flag file

Important

Below are spoilers for each stage's vulnerabilities. If you don't need help, you can skip this section. On the other hand, if you don't know where to start, or want to check if you're on the right track, you can extend the section that interests you.

Stage 1: Access with any user

Stage 2: Access as admin

Stage 3: Read the /flag file

Solutions

Detailed solutions for each stage can be found in the Solutions folder.

Resources

The following resources may be helpful in resolving the stages:

• Google
• Twitter Advanced Search
• HackTricks
• PortSwigger Learning Materials
• Payloads All The Things
• Payload Box

Collaboration

Pull requests are welcome. If you find any bugs, please open an issue.

Invoke-Transfer - PowerShell Clipboard Data Transfer

Invoke-Transfer

Invoke-Transfer is a PowerShell Clipboard Data Transfer.

This tool helps you to send files in highly restricted environments such as Citrix, RDP, VNC, Guacamole.. using the clipboard function.

As long as you can send text through the clipboard, you can send files in text format, in small Base64 encoded chunks. Additionally, you can transfer files from a screenshot, using the native OCR function of Microsoft Windows.

Requirements

• Powershell 5.1
• Windows 10 or greater

Download

It is recommended to clone the complete repository or download the zip file. You can do this by running the following command:

git clone https://github.com/JoelGMSec/Invoke-Transfer

Usage

.\Invoke-Transfer.ps1 -h

  ___                 _           _____                     __
 |_ _|_ __ _   __ __ | | __ __   |_   _| __ __ _ _ __  ___ / _| ___ _ __
  | || '_ \ \ / / _ \| |/ / _ \____| || '__/ _' | '_ \/ __| |_ / _ \ '__|
  | || | | \ V / (_) |   <  __/____| || | | (_| | | | \__ \  _|  __/ |
 |___|_| |_|\_/ \___/|_|\_\___|    |_||_|  \__,_|_| |_|___/_|  \___|_|

  ----------------------- by @JoelGMSec & @3v4Si0N ---------------------


 Info:  This tool helps you to send files in highly restricted environments
        such as Citrix, RDP, VNC, Guacamole... using the clipboard function

 Usage: .\Invoke-Transfer.ps1 -split {FILE} -sec {SECONDS}
          Send 120KB chunks with a set time delay of seconds
          Add -guaca to send files through Apache Guacamole

        .\Invoke-Transfer.ps1 -merge {B64FILE} -out {FILE}
          Merge Base64 file into original file in de   sired path

        .\Invoke-Transfer.ps1 -read {IMGFILE} -out {FILE}
          Read screenshot with Windows OCR and save output to file

 Warning: This tool only works on Windows 10 or greater
          OCR reading may not be entirely accurate

The detailed guide of use can be found at the following link:

https://darkbyte.net/transfiriendo-ficheros-en-entornos-restringidos-con-invoke-transfer

License

This project is licensed under the GNU 3.0 license - see the LICENSE file for more details.

Credits and Acknowledgments

This tool has been created and designed from scratch by Joel Gámez Molina (@JoelGMSec) and Héctor de Armas Padrón (@3v4si0n).

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can find us on Twitter as @JoelGMSec, @3v4si0n and on my blog darkbyte.net.

Email-Vulnerablity-Checker - Find Email Spoofing Vulnerablity Of Domains

Verify whether the domain is vulnerable to spoofing by Email-vulnerablity-checker

Features

• This tool will automatically tells you if the domain is email spoofable or not
• you can do single and multiple domain input as well (for multiple domain checker you need to have text file with domains in it)

Usage:

Clone the package by running:

git clone  https://github.com/BLACK-SCORP10/Email-Vulnerablity-Checker.git

Step 1. Install Requirements

# Update the package list and install dig for Debian-based Linux distribution 
sudo apt update
sudo apt install dnsutils

# Install dig for CentOS
sudo yum install bind-utils

# Install dig for macOS
brew install dig

Step 2. Finish The Instalation

To use the Email-Vulnerablity-Checker type the following commands in Terminal:

apt install git -y 
apt install dig -y 
git clone  https://github.com/BLACK-SCORP10/Email-Vulnerablity-Checker.git
cd Email-Vulnerablity-Checker
chmod 777 spfvuln.sh

Run email vulnerablity checker by just typing:

./spfvuln.sh -h

Support

For Queries: Telegram
Contributions, issues, and feature requests are welcome!
Give a ★ if you like this project!

DNSrecon-gui - DNSrecon Tool With GUI For Kali Linux

DNSRecon is a DNS scanning and enumeration tool written in Python, which allows you to perform different tasks, such as enumeration of standard records for a defined domain (A, NS, SOA, and MX). Top-level domain expansion for a defined domain.

With this graph-oriented user interface, the different records of a specific domain can be observed, classified and ordered in a simple way.

Install

git clone https://github.com/micro-joan/dnsrecon-gui
cd dnsrecon-gui/
chmod +x run.sh
./run.sh

After executing the application launcher you need to have all the components installed, the launcher will check one by one, and in the case of not having any component installed it will show you the statement that you must enter to install it:

Use

When the tool is ready to use the same installer will give you a URL that you must put in the browser in a private window so every time you do a search you will have to open a new window in private or clear your browser cache to refresh the graphics.

Tools

My website: https://microjoan.com
My blog: https://darkhacking.es/
Buy me a coffee: https://www.buymeacoffee.com/microjoan

DISCLAIMER

This toolkit contains materials that can be potentially damaging or dangerous for social media. Refer to the laws in your province/country before accessing, using,or in any other way utilizing this in a wrong way.

This Tool is made for educational purposes only. Do not attempt to violate the law with anything contained here. If this is your intention, then Get the hell out of here!

Powershell-Backdoor-Generator - Obfuscated Powershell Reverse Backdoor With Flipper Zero And USB Rubber Ducky Payloads

Reverse backdoor written in Powershell and obfuscated with Python. Allowing the backdoor to have a new signature after every run. Also can generate auto run scripts for Flipper Zero and USB Rubber Ducky.

usage: listen.py [-h] [--ip-address IP_ADDRESS] [--port PORT] [--random] [--out OUT] [--verbose] [--delay DELAY] [--flipper FLIPPER] [--ducky]
                 [--server-port SERVER_PORT] [--payload PAYLOAD] [--list--payloads] [-k KEYBOARD] [-L] [-H]

Powershell Backdoor Generator

options:
  -h, --help            show this help message and exit
  --ip-address IP_ADDRESS, -i IP_ADDRESS
                        IP Address to bind the backdoor too (default: 192.168.X.XX)
  --port PORT, -p PORT  Port for the backdoor to connect over (default: 4444)
  --random, -r          Randomizes the outputed backdoor's file name
  --out OUT, -o OUT     Specify the backdoor filename (relative file names)
  --verbose, -v         Show verbose output
  --delay DELAY         Delay in milliseconds before Flipper Zero/Ducky-Script payload execution (default:100)
  --flipper FLIPPER     Payload file for flipper zero (includes EOL convers   ion) (relative file name)
  --ducky               Creates an inject.bin for the http server
  --server-port SERVER_PORT
                        Port to run the HTTP server on (--server) (default: 8080)
  --payload PAYLOAD     USB Rubber Ducky/Flipper Zero backdoor payload to execute
  --list--payloads      List all available payloads
  -k KEYBOARD, --keyboard KEYBOARD
                        Keyboard layout for Bad Usb/Flipper Zero (default: us)
  -A, --actually-listen
                        Just listen for any backdoor connections
  -H, --listen-and-host
                        Just listen for any backdoor connections and host the backdoor directory

Features

• Hak5 Rubber Ducky payload
• Flipper Zero payload
• Download Files from remote system
• Fetch target computers public IP address
• List local users
• Find Intresting Files
• Get OS Information
• Get BIOS Information
• Get Anti-Virus Status
• Get Active TCP Clients
• Checks for common pentesting software installed

Standard backdoor

C:\Users\DrewQ\Desktop\powershell-backdoor-main> python .\listen.py --verbose
[*] Encoding backdoor script
[*] Saved backdoor backdoor.ps1 sha1:32b9ca5c3cd088323da7aed161a788709d171b71
[*] Starting Backdoor Listener 192.168.0.223:4444 use CTRL+BREAK to stop

A file in the current working directory will be created called backdoor.ps1

Bad USB/ USB Rubber Ducky attacks

When using any of these attacks you will be opening up a HTTP server hosting the backdoor. Once the backdoor is retrieved the HTTP server will be shutdown.

Payloads

• Execute -- Execute the backdoor
• BindAndExecute -- Place the backdoor in temp, bind the backdoor to startup and then execute it.

Flipper Zero Backdoor

C:\Users\DrewQ\Desktop\powershell-backdoor-main> python .\listen.py --flipper powershell_backdoor.txt --payload execute
[*] Started HTTP server hosting file: http://192.168.0.223:8989/backdoor.ps1
[*] Starting Backdoor Listener 192.168.0.223:4444 use CTRL+BREAK to stop

Place the text file you specified (e.g: powershell_backdoor.txt) into your flipper zero. When the payload is executed it will download and execute backdoor.ps1

Usb Rubber Ducky Backdoor

 C:\Users\DrewQ\Desktop\powershell-backdoor-main> python .\listen.py --ducky --payload BindAndExecute
[*] Started HTTP server hosting file: http://192.168.0.223:8989/backdoor.ps1
[*] Starting Backdoor Listener 192.168.0.223:4444 use CTRL+BREAK to stop

A file named inject.bin will be placed in your current working directory. Java is required for this feature. When the payload is executed it will download and execute backdoor.ps1

Backdoor Execution

Tested on Windows 11, Windows 10 and Kali Linux

powershell.exe -File backdoor.ps1 -ExecutionPolicy Unrestricted

┌──(drew㉿kali)-[/home/drew/Documents]
└─PS> ./backdoor.ps1

To Do

• Add Standard Backdoor
• Find Writeable Directories
• Get Windows Update Status

Output of 5 obfuscations/Runs

sha1:c7a5fa3e56640ce48dcc3e8d972e444d9cdd2306
sha1:b32dab7b26cdf6b9548baea6f3cfe5b8f326ceda
sha1:e49ab36a7ad6b9fc195b4130164a508432f347db
sha1:ba40fa061a93cf2ac5b6f2480f6aab4979bd211b
sha1:f2e43320403fb11573178915b7e1f258e7c1b3f0

Leaktopus - Keep Your Source Code Under Control

• Plug&Play - one line installation with Docker.

• Scan various sources containing a set of keywords, e.g. ORGANIZATION-NAME.com.

  Currently supports:

  • GitHub
    • Repositories
    • Gists (coming soon)
  • Paste sites (e.g., PasteBin) (coming soon)

• Filter results with a built-in heuristic engine.

• Enhance results with IOLs (Indicators Of Leak):

  • Secrets in the found sources (including Git repos commits history):
    • With Shhgit (using a customized rules list).
    • With TruffleHog.
  • URIs (Including indication of your organization's domains)
  • Emails (Including indication of your organization's email addresses)
  • Contributors
  • Sensitive keywords (e.g., canary token, internal domains)

• Allows to ignore public sources, (e.g., "junk" repositories by web crawlers).

• OOTB ignore list of common "junk" sources.

• Acknowledge a leak, and only get notified if the source has been modified since the previous scan.

• Built-in ELK to search for data in leaks (including full index of Git repositories with IOLs).

• Notify on new leaks

• MS Teams Webhook.
• Slack Bot.
• Cortex XSOAR® (by Palo Alto Networks) Integration (WIP).

Technology Stack

• Fully Dockerized.
• API-first Python Flask backend.
• Decoupled Vue.js (3.x) frontend.
• SQLite DB.
• Async tasks with Celery + Redis queues.

Prerequisites

• Docker-Compose

Installation

• Clone the repository
• Create a local .env file

  cd Leaktopus
  cp .env.example .env

• Edit .env according to your local setup (see the internal comments).
• Run Leaktopus

  docker-compose up -d

• Initiate the installation sequence by accessing the installation API. Just open http://{LEAKTOPUS_HOST}:8000/api/install in your browser.
• Check that the API is up and running at http://{LEAKTOPUS_HOST}:8000/up
• The UI should be available at http://{LEAKTOPUS_HOST}:8080

Using Github App

In addition to the basic personal access token option, Leaktopus supports Github App authentication. Using Github App is recommended due to the increased rate limits.

1. To use Github App authentication, you need to create a Github App and install it on your organization/account. See Github's documentation for more details.

2. After creating the app, you need to set the following environment variables:

   • GITHUB_USE_APP=True
   • GITHUB_APP_ID
   • GITHUB_INSTALLATION_ID - The installation id can be found in your app installation.
   • GITHUB_APP_PRIVATE_KEY_PATH (defaults to /app/private-key.pem)

3. Mount the private key file to the container (see docker-compose.yml for an example). ./leaktopus_backend/private-key.pem:/app/private-key.pem

* Note that GITHUB_ACCESS_TOKEN will be ignored if GITHUB_USE_APP is set to True.

Updating Leaktopus

If you wish to update your Leaktopus version (pulling a newer version), just follow the next steps.

• Pull the latest version.

  git pull

• Rebuild Docker images (data won't be deleted).

  # Force image recreation
  docker-compose up --force-recreate --build

• Run the DB update by calling its API (should be required after some updates). http://{LEAKTOPUS_HOST}/api/updatedb

Results Filtering Heuristic Engine

The built-in heuristic engine is filtering the search results to reduce false positives by:

• Content:
  • More than X emails containing non-organizational domains.
  • More than X URIs containing non-organizational domains.
• Metadata:
  • More than X stars.
  • More than X forks.
• Sources ignore list.

API Documentation

OpenAPI documentation is available in http://{LEAKTOPUS_HOST}:8000/apidocs.

Leaktopus Services

The above can be customized by using a custom docker-compose.yml file.

Security Notes

As for now, Leaktopus does not provide any authentication mechanism. Make sure that you are not exposing it to the world, and doing your best to restrict access to your Leaktopus instance(s).

Contributing

Contributions are very welcomed.

Please follow our contribution guidelines and documentation.

C99Shell-PHP7 - PHP 7 And Safe-Build Update Of The Popular C99 Variant Of PHP Shell

C99Shell-PHP7

PHP 7 and safe-build Update of the popular C99 variant of PHP Shell.

c99shell.php v.2.0 (PHP 7) (25.02.2019) Updated by: PinoyWH1Z for PHP 7

About C99Shell

An excellent example of a web shell is the c99 variant, which is a PHP shell (most of them calls it malware) often uploaded to a vulnerable web application to give hackers an interface. The c99 shell lets the attacker take control of the processes of the Internet server, allowing him or her give commands on the server as the account under which the threat is operating. It lets the hacker upload, browse the file system, edit and view files, in addition, to deleting, moving them and changing permissions. Finding a c99 shell is an excellent way to identify a compromise on a system. The c99 shell is about 1500 lines long if packed and 4900+ if properly displayed, and some of its traits include showing security measures the web server may use, a file viewer that has permissions, a place w here the attacker can operate custom PHP code (PHP malware c99 shell).

There are different variants of the c99 shell that are being used today. This github release is an example of a relatively recent one. It has many signatures that can be utilized to write protective countermeasures.

About this release:

I've been using php shells as part of my Ethical Hacking activities. And I have noticed that most of the php shells that are downloadable online are encrypted with malicious codes and without you knowing, others also insert trackers so they can see where you placed your php shell at.

I've came up with an idea such as "what if I get the stable version of c99shell and reverse the encrypted codes, remove the malicious codes and release it to public for good." And yeah, I decided to do it, but I noticed that most of the servers now have upgraded their apache service to PHP 7, sadly, the codes that I have is for PHP 5.3 and below.

The good thing is.. only few lines of syntax are needed to be altered, so I did it.

Here you go mates, a clean and safe-build version of the most stable c99shell that I can see.

If ever you see more bugs, please create an issue or just fork it, update it and do a pull request so I can check it and update the codes for stabilization.

PS:

This is a widely used php shell by hackers, so don't freak out if your anti-virus/anti-malware detects this php file as malicious or treated as backdoor. Since you can see the codes in my re-released project, you can read all throughout the codes and inspect or even debug as much as you like.

Disclaimer:

I will NOT be held responsible for any unethical use of this hacking tool.

Official Release:

c99shell_v2.0.zip (Zip Password: PinoyWH1Z)

Mandos Encrypted File System Unattended Reboot Utility 1.8.16

OpenSSL Toolkit 3.0.8

OpenSSL Toolkit 1.1.1t

Darkdump2 - Search The Deep Web Straight From Your Terminal

About Darkdump (Recent Notice - 12/27/22)

Darkdump is a simple script written in Python3.11 in which it allows users to enter a search term (query) in the command line and darkdump will pull all the deep web sites relating to that query. Darkdump2.0 is here, enjoy!

Installation

1. git clone https://github.com/josh0xA/darkdump
   
2. cd darkdump
   
3. python3 -m pip install -r requirements.txt
   
4. python3 darkdump.py --help
   

Usage

Example 1: python3 darkdump.py --query programming
Example 2: python3 darkdump.py --query="chat rooms"
Example 3: python3 darkdump.py --query hackers --amount 12

• Note: The 'amount' argument filters the number of results outputted
  

Usage With Increased Anonymity

Darkdump Proxy: python3 darkdump.py --query bitcoin -p

Menu

     ____          _     _
    |    \ ___ ___| |_ _| |_ _ _____ ___
    |  |  | .'|  _| '_| . | | |     | . |
    |____/|__,|_| |_,_|___|___|_|_|_|  _|
                                    |_|

        Developed By: Josh Schiavone
        https://github.com/josh0xA
            joshschiavone.com
              Version 2.0

usage: darkdump.py [-h] [-v] [-q QUERY] [-a AMOUNT] [-p]

options:
  -h, --help            show this help message and exit
  -v, --version         returns darkdump's version
  -q QUERY, --query QUERY
                        the keyword or string you want to search on the deepweb
  -a AMOUNT, --amount AMOUNT
                        the amount of results you want to retrieve (default: 10)
  -p, --proxy           use darkdump proxy to increase anonymity

Visual

Ethical Notice

The developer of this program, Josh Schiavone, is not resposible for misuse of this data gathering tool. Do not use darkdump to navigate websites that take part in any activity that is identified as illegal under the laws and regulations of your government. May God bless you all.

License

MIT License
Copyright (c) Josh Schiavone

Unhacked! Armory Edition 1 London 2023 – Call For Tools is Open

AIDE 0.18

Falco 0.34.0

NDC Protocol Fuzzer

Unhacked! Conference Partners with ToolsWatch to Launch Dedicated Security Tools Demo Area

GNUnet P2P Framework 0.19.3

Heap_Detective - The Simple Way To Detect Heap Memory Pitfalls In C++ And C

This tool uses the taint analysis technique for static analysis and aims to identify points of heap memory usage vulnerabilities in C and C++ languages. The tool uses a common approach in the first phase of static analysis, using tokenization to collect information.

The second phase has a different approach to common lessons of the legendary dragon book, yes the tool doesn't use AST or resources like LLVM following parsers' and standard tips. The approach present aims to study other ways to detect vulnerabilities, using custom vector structures and typical recursive traversal with ranking following taint point. So the result of the sum of these techniques is the Heap_detective.

The tool follows the KISS principle "Keep it simple, stupid!". There's more than one way to do a SAST tool, I know that. Yes, I thought to use graph database or AST, but this action cracked the KISS principle in the context of this project.

https://antonio-cooler.gitbook.io/coolervoid-tavern/detecting-heap-memory-pitfalls

Features

• C and C++ tokenizer
• List of heap static routes for each source with taint points for analysis
• Analyser to detect double free vulnerability
• Analyser to detect use after free vulnerability
• Analyser to detect memory leak

To test, read the directory samplers to understand the context, so to run look that following:

$ git clone https://github.com/CoolerVoid/heap_detective

$ cd heap_detective

$ make
// to run
$ bin/heap_detective samplers/   
note:
So don't try "$ cd bin; ./heap_detective"
first argv is a directory for recursive analysis

Note: tested in GCC 9 and 11

The first argument by command is a directory for recursive analysis. You can study bad practices in directory "samplers".

Future features

• Analyser to detect off-by-one vulnerability
• Analyser to detect wild pointer
• Analyser to detect heap overflow vulnerability

Overview

Collect action done

  ...::: Heap static route :::...  
File path: samplers/example3.c
Func name: main
Var name: new
line: 10:	array = new obj[100];
Sinks: 
	 line: 10:	array = new obj[100];
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example3.c
Func name: 	while
Var name: array
line: 27:	array = malloc(1);
Sinks: 
	 line: 27:	array = malloc(1);
	 Taint:  True 
	 In Loop: false
	 line: 28:	array=2;
	 Taint: false
	 In Loop: false
	 line: 30:	array = malloc(3);
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example5.c
Func name: main
Var name: ch_ptr
line: 8:	ch_ptr = malloc(100);
Sinks: 
	 line: 8:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 11:	free(ch_ptr);	
	 Taint:  True 
	 In Loop: false<   br/>	 line: 12:	free(ch_ptr);
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example1.c
Func name: main
Var name: buf1R1
line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
Sinks: 
	 line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
	 Taint:  True 
	 In Loop: false
	 line: 26:    free(buf1R1);
	 Taint:  True 
	 In Loop: false
	 line: 30:    if (buf1R1) {
	 Taint: false
	 In Loop: false
	 line: 31:	free(buf1R1);
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example2.c
Func name: main
Var name: ch_ptr
line: 7:	ch_ptr=malloc(100);
Sinks: 
	 line: 7:	ch_ptr=malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 11:		ch_ptr = 'A';
	 Taint: false
	 In Loop:  True 
	 line: 12:		free(ch_ptr);
	 Taint:  True 
	 In Loop:  True 
	 line: 13:		printf("%s\n", ch_pt   r);
	 Taint: false
	 In Loop:  True 

  ...::: Heap static route :::...  
File path: samplers/example4.c
Func name: main
Var name: ch_ptr
line: 8:	ch_ptr = malloc(100);
Sinks: 
	 line: 8:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 13:		ch_ptr = 'A';
	 Taint: false
	 In Loop: false
	 line: 14:		free(ch_ptr);
	 Taint:  True 
	 In Loop: false
	 line: 15:		printf("%s\n", ch_ptr);
	 Taint: false
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example6.c
Func name: main
Var name: ch_ptr
line: 8:	ch_ptr = malloc(100);
Sinks: 
	 line: 8:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 11:	free(ch_ptr);
	 Taint:  True 
	 In Loop: false
	 line: 13:	ch_ptr = malloc(500);
	 Taint:  True 
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example7.c
Fu   nc name: special
Var name: ch_ptr
line: 8:	ch_ptr = malloc(100);
Sinks: 
	 line: 8:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 15:		free(ch_ptr);	
	 Taint:  True 
	 In Loop: false
	 line: 16:		ch_ptr = malloc(500);
	 Taint:  True 
	 In Loop: false
	 line: 17:		ch_ptr=NULL;
	 Taint: false
	 In Loop: false
	 line: 25:	char *ch_ptr = NULL;
	 Taint: false
	 In Loop: false

  ...::: Heap static route :::...  
File path: samplers/example7.c
Func name: main
Var name: ch_ptr
line: 27:	ch_ptr = malloc(100);
Sinks: 
	 line: 27:	ch_ptr = malloc(100);
	 Taint:  True 
	 In Loop: false
	 line: 30:	free(ch_ptr);
	 Taint:  True 
	 In Loop: false
	 line: 32:	ch_ptr = malloc(500);
	 Taint:  True 
	 In Loop: false

>>-----> Memory leak analyser

  ...::: Memory leak analyser :::...  
File path: samplers/example3.c
F   unction name: main
 memory leak found!  
line: 10:	array = new obj[100];

  ...::: Memory leak analyser :::...  
File path: samplers/example3.c
Function name: 	while
 memory leak found!  
line: 27:	array = malloc(1);
line: 28:	array=2;
line: 30:	array = malloc(3);

  ...::: Memory leak analyser :::...  
File path: samplers/example5.c
Function name: main
 memory leak found!  
line: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);	
line: 12:	free(ch_ptr);

  ...::: Memory leak analyser :::...  
File path: samplers/example1.c
Function name: main
 memory leak found!  
line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
line: 26:    free(buf1R1);
line: 30:    if (buf1R1) {
line: 31:	free(buf1R1);

  ...::: Memory leak analyser :::...  
File path: samplers/example2.c
Function name: main
 memory leak found!  
Maybe the function to liberate memory can be in a loo   p context!
line: 7:	ch_ptr=malloc(100);
line: 11:		ch_ptr = 'A';
line: 12:		free(ch_ptr);
line: 13:		printf("%s\n", ch_ptr);

  ...::: Memory leak analyser :::...  
File path: samplers/example6.c
Function name: main
 memory leak found!  
line: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);
line: 13:	ch_ptr = malloc(500);

  ...::: Memory leak analyser :::...  
File path: samplers/example7.c
Function name: special
 memory leak found!  
line: 8:	ch_ptr = malloc(100);
line: 15:		free(ch_ptr);	
line: 16:		ch_ptr = malloc(500);
line: 17:		ch_ptr=NULL;
line: 25:	char *ch_ptr = NULL;

  ...::: Memory leak analyser :::...  
File path: samplers/example7.c
Function name: main
 memory leak found!  
line: 27:	ch_ptr = malloc(100);
line: 30:	free(ch_ptr);
line: 32:	ch_ptr = malloc(500);

>>-----> Start double free analyser

  ...::: Double free analys   er :::...  
File path: samplers/example5.c
Function name: main
 Double free found!  
line: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);	
line: 12:	free(ch_ptr);

  ...::: Double free analyser :::...  
File path: samplers/example1.c
Function name: main
 Double free found!  
line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
line: 26:    free(buf1R1);
line: 30:    if (buf1R1) {
line: 31:	free(buf1R1);

  ...::: Double free analyser :::...  
File path: samplers/example2.c
Function name: main
 Double free found!  
Maybe the function to liberate memory can be in a loop context!
line: 7:	ch_ptr=malloc(100);
line: 11:		ch_ptr = 'A';
line: 12:		free(ch_ptr);
line: 13:		printf("%s\n", ch_ptr);

>>-----> Start use after free analyser

  ...::: Use after free analyser :::...  
File path: samplers/example5.c
Function name: main
 Use after free found  
l   ine: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);	
line: 12:	free(ch_ptr);

  ...::: Use after free analyser :::...  
File path: samplers/example1.c
Function name: main
 Use after free found  
line: 13:    buf1R1 = (char *) malloc(BUFSIZER1);
line: 26:    free(buf1R1);
line: 30:    if (buf1R1) {
line: 31:	free(buf1R1);

  ...::: Use after free analyser :::...  
File path: samplers/example2.c
Function name: main
 Use after free found  
line: 7:	ch_ptr=malloc(100);
line: 11:		ch_ptr = 'A';
line: 12:		free(ch_ptr);
line: 13:		printf("%s\n", ch_ptr);

  ...::: Use after free analyser :::...  
File path: samplers/example4.c
Function name: main
 Use after free found  
line: 8:	ch_ptr = malloc(100);
line: 13:		ch_ptr = 'A';
line: 14:		free(ch_ptr);
line: 15:		printf("%s\n", ch_ptr);

  ...::: Use after free analyser :::...  
File path: samplers/example6.c
   Function name: main
 Use after free found  
line: 8:	ch_ptr = malloc(100);
line: 11:	free(ch_ptr);
line: 13:	ch_ptr = malloc(500);

  ...::: Use after free analyser :::...  
File path: samplers/example7.c
Function name: special
 Use after free found  
line: 8:	ch_ptr = malloc(100);
line: 15:		free(ch_ptr);	
line: 16:		ch_ptr = malloc(500);
line: 17:		ch_ptr=NULL;
line: 25:	char *ch_ptr = NULL;

  ...::: Use after free analyser :::...  
File path: samplers/example7.c
Function name: main
 Use after free found  
line: 27:	ch_ptr = malloc(100);
line: 30:	free(ch_ptr);
line: 32:	ch_ptr = malloc(500);

Winevt_Logs_Analysis - Searching .Evtx Logs For Remote Connections

Simple script for the purpose of finding remote connections to Windows machine and ideally some public IPs. It checks for some EventIDs regarding remote logins and sessions.

You should pip install -r requirements.txt so the script can work and parse some of the .evtx files inside winevt folder.

The winevt/Logs folders and the script must have identical file path.

Execution Example

Result Example

EAST - Extensible Azure Security Tool - Documentation

Extensible Azure Security Tool (Later referred as E.A.S.T) is tool for assessing Azure and to some extent Azure AD security controls. Primary use case of EAST is Security data collection for evaluation in Azure Assessments. This information (JSON content) can then be used in various reporting tools, which we use to further correlate and investigate the data.

This tool is licensed under MIT license.

Collaborators

• Yours truly
• Nixu Cloud Security Team

Release notes

• Preview branch introduced

  Changes:

  • Installation now accounts for use of Azure Cloud Shell's updated version in regards to depedencies (Cloud Shell has now Node.JS v 16 version installed)

  • Checking of Databricks cluster types as per advisory
    

    • Audits Databricks clusters for potential privilege elevation - This control requires typically permissions on the databricks cluster"

  • Content.json is has now key and content based sorting. This enables doing delta checks with git diff HEAD^1 ¹ as content.json has predetermined order of results

    

  ¹Word of caution, if want to check deltas of content.json, then content.json will need to be "unignored" from .gitignore exposing results to any upstream you might have configured.

  Use this feature with caution, and ensure you don't have public upstream set for the branch you are using this feature for

• Change of programming patterns to avoid possible race conditions with larger datasets. This is mostly changes of using var to let in for await -style loops

Important

• Fixes, updates etc. are done on "Best effort" basis, with no guarantee of time, or quality of the possible fix applied
• We do some additional tuning before using EAST in our daily work, such as apply various run and environment restrictions, besides formalizing ourselves with the environment in question. Thus we currently recommend, that EAST is run in only in test environments, and with read-only permissions.
  • All the calls in the service are largely to Azure Cloud IP's, so it should work well in hardened environments where outbound IP restrictions are applied. This reduces the risk of this tool containing malicious packages which could "phone home" without also having C2 in Azure.
    • Essentially running it in read-only mode, reduces a lot of the risk associated with possibly compromised NPM packages (Google compromised NPM)
    • Bugs etc: You can protect your environment against certain mistakes in this code by running the tool with reader-only permissions
• Lot of the code is "AS IS": Meaning, it's been serving only the purpose of creating certain result; Lot of cleaning up and modularizing remains to be finished
• There are no tests at the moment, apart from certain manual checks, that are run after changes to main.js and various more advanced controls.
• The control descriptions at this stage are not the final product, so giving feedback on them, while appreciated, is not the focus of the tooling at this stage
• As the name implies, we use it as tool to evaluate environments. It is not meant to be run as unmonitored for the time being, and should not be run in any internet exposed service that accepts incoming connections.
• Documentation could be described as incomplete for the time being
• EAST is mostly focused on PaaS resource, as most of our Azure assessments focus on this resource type
• No Input sanitization is performed on launch params, as it is always assumed, that the input of these parameters are controlled. That being said, the tool uses extensively exec() - While I have not reviewed all paths, I believe that achieving shellcode execution is trivial. This tool does not assume hostile input, thus the recommendation is that you don't paste launch arguments into command line without reviewing them first.

Tool operation

Depedencies

To reduce amount of code we use the following depedencies for operation and aesthetics are used (Kudos to the maintainers of these fantastic packages)

Other depedencies for running the tool: If you are planning to run this in Azure Cloud Shell you don't need to install Azure CLI:

• This tool does not include or distribute Microsoft Azure CLI, but rather uses it when it has been installed on the source system (Such as Azure Cloud Shell, which is primary platform for running EAST)

Azure Cloud Shell (BASH) or applicable Linux Distro / WSL

Controls

EAST provides three categories of controls: Basic, Advanced, and Composite

The machine readable control looks like this, regardless of the type (Basic/advanced/composite):

{
  "name": "fn-sql-2079",
  "resource": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
  "controlId": "managedIdentity",
  "isHealthy": true,
  "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourcegroups/rg-fn-2079/providers/microsoft.web/sites/fn-sql-2079",
  "Description": "\r\n Ensure The Service calls downstream resources with managed identity",
  "metadata": {
    "principalId": {
      "type": "SystemAssigned",
      "tenantId": "033794f5-7c9d-4e98-923d-7b49114b7ac3",
      "principalId": "cb073f1e-03bc-440e-874d-5ed3ce6df7f8"
    },
    "roles": [{
      "role": [{
        "properties": {
          "roleDefinitionId": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
          "principalId": "cb073f1e-03b   c-440e-874d-5ed3ce6df7f8",
          "scope": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079",
          "createdOn": "2021-12-27T06:03:09.7052113Z",
          "updatedOn": "2021-12-27T06:03:09.7052113Z",
          "createdBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851",
          "updatedBy": "4257db31-3f22-4c0f-bd57-26cbbd4f5851"
        },
        "id": "/subscriptions/6193053b-408b-44d0-b20f-4e29b9b67394/resourceGroups/RG-FN-2079/providers/Microsoft.Authorization/roleAssignments/ada69f21-790e-4386-9f47-c9b8a8c15674",
        "type": "Microsoft.Authorization/roleAssignments",
        "name": "ada69f21-790e-4386-9f47-c9b8a8c15674",
        "RoleName": "Contributor"
      }]
    }]
  },
  "category": "Access"
},

Basic

Basic controls include checks on the initial ARM object for simple "toggle on/off"- boolean settings of said service.

Example: Azure Container Registry adminUser

acr_adminUser

Advanced

Advanced controls include checks beyond the initial ARM object. Often invoking new requests to get further information about the resource in scope and it's relation to other services.

Example: Role Assignments

Besides checking the role assignments of subscription, additional check is performed via Azure AD Conditional Access Reporting for MFA, and that privileged accounts are not only protected by passwords (SPN's with client secrets)

Example: Azure Data Factory

ADF_pipeLineRuns

Azure Data Factory pipeline mapping combines pipelines -> activities -> and data targets together and then checks for secrets leaked on the logs via run history of the said activities.

Composite

Composite controls combines two or more control results from pipeline, in order to form one, or more new controls. Using composites solves two use cases for EAST

1. You cant guarantee an order of control results being returned in the pipeline
2. You need to return more than one control result from single check

Example: composite_resolve_alerts

1. Get alerts from Microsoft Cloud Defender on subscription check
2. Form new controls per resourceProvider for alerts

Reporting

EAST is not focused to provide automated report generation, as it provides mostly JSON files with control and evaluation status. The idea is to use separate tooling to create reports, which are fairly trivial to automate via markdown creation scripts and tools such as Pandoc

• While focus is not on the reporting, this repo includes example automation for report creation with pandoc to ease reading of the results in single document format.

While this tool does not distribute pandoc, it can be used when creation of the reports, thus the following citation is added: https://github.com/jgm/pandoc/blob/master/CITATION.cff

cff-version: 1.2.0
title: Pandoc
message: "If you use this software, please cite it as below."
type: software
url: "https://github.com/jgm/pandoc"
authors:
  - given-names: John
    family-names: MacFarlane
    email: jgm@berkeley.edu
    orcid: 'https://orcid.org/0000-0003-2557-9090'
  - given-names: Albert
    family-names: Krewinkel
    email: tarleb+github@moltkeplatz.de
    orcid: '0000-0002-9455-0796'
  - given-names: Jesse
    family-names: Rosenthal
    email: jrosenthal@jhu.edu

Running EAST scan

This part has guide how to run this either on BASH@linux, or BASH on Azure Cloud Shell (obviously Cloud Shell is Linux too, but does not require that you have your own linux box to use this)

Fire and forget prerequisites on cloud shell

curl -o- https://raw.githubusercontent.com/jsa2/EAST/preview/sh/initForuse.sh | bash;

jump to next step

Detailed Prerequisites (This is if you opted no to do the "fire and forget version")

Prerequisites

git clone https://github.com/jsa2/EAST --branch preview
cd EAST;
npm install

Pandoc installation on cloud shell

# Get pandoc for reporting (first time only)
wget  "https://github.com/jgm/pandoc/releases/download/2.17.1.1/pandoc-2.17.1.1-linux-amd64.tar.gz"; 
tar xvzf "pandoc-2.17.1.1-linux-amd64.tar.gz" --strip-components 1 -C ~

Installing pandoc on distros that support APT

# Get pandoc for reporting (first time only)
sudo apt install pandoc

Login Az CLI and run the scan

# Relogin is required to ensure token cache is placed on session on cloud shell

az account clear
az login

#
cd EAST
# replace the subid below with your subscription ID!
subId=6193053b-408b-44d0-b20f-4e29b9b67394
# 
node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId

Generate report

cd EAST; node templatehelpers/eastReports.js --doc

• If you want to include all Azure Security Benchmark results in the report

cd EAST; node templatehelpers/eastReports.js --doc --asb

Export report from cloud shell

pandoc -s fullReport2.md -f markdown -t docx --reference-doc=pandoc-template.docx -o fullReport2.docx

Azure Devops (Experimental) There is Azure Devops control for dumping pipeline logs. You can specify the control run by following example:

node ./plugins/main.js --batch=10 --nativescope=true --roleAssignments=true --helperTexts=true --checkAad=true --scanAuditLogs --composites --subInclude=$subId --azdevops "organizationName"

Licensing

Community use

• Share relevant controls across multiple environments as community effort

Company use

• Companies have possibility to develop company specific controls which apply to company specific work. Companies can then control these implementations by decision to share, or not share them based on the operating principle of that company.

Non IPR components

• Code logic and functions are under MIT license. since code logic and functions are alredy based on open-source components & vendor API's, it does not make sense to restrict something that is already based on open source

If you use this tool as part of your commercial effort we only require, that you follow the very relaxed terms of MIT license

Read license

Tool operation documentation

Principles

AZCLI USE

Existing tooling enhanced with Node.js runtime

Use rich and maintained context of Microsoft Azure CLI login & commands with Node.js control flow which supplies enhanced rest-requests and maps results to schema.

• This tool does not include or distribute Microsoft Azure CLI, but rather uses it when it has been installed on the source system (Such as Azure Cloud Shell, which is primary platform for running EAST)

Speedup

View more details

Parameters reference

Example:

node ./plugins/main.js --batch=10 --nativescope --roleAssignments --helperTexts=true --checkAad --scanAuditLogs --composites --shuffle --clearTokens

Parameters reference for example report:

node templatehelpers/eastReports.js --asb 

(Highly experimental) Running in restricted environments where only browser use is available

Read here Running in restricted environments

Developing controls

Developer guide including control flow description is here dev-guide.md

Updates and examples

Auditing Microsoft.Web provider (Functions and web apps)

• Function or Azure AD Authentication enabled
• Count and type of triggers

Azure RBAC baseline authorization

• Checks for users without MFA policies applied for set of conditions
• Checks for ServicePrincipals protected only by password (as opposed to using Certificate Credential, workload federation and or workload identity CA policy)

Maps to App Registration Best Practices

• An unused credential on an application can result in security breach. While it's convenient to use password. secrets as a credential, we strongly recommend that you use x509 certificates as the only credential type for getting tokens for your application

✅State healthy - User result example

{ 
  "subscriptionName": "EAST -msdn",
  "friendlyName": "joosua@thx138.onmicrosoft.com",
    "mfaResults": {
      "oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097",
      "appliedPol": [{
        "GrantConditions": "challengeWithMfa",
        "policy": "baseline",
        "oid": "138ac68f-d8a7-4000-8d41-c10ff26a9097"
      }],
      "checkType": "mfa"
    },
    "basicAuthResults": {
      "oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097",
      "appliedPol": [{
        "GrantConditions": "challengeWithMfa",
        "policy": "baseline",
        "oid": "138ac68f-d8a7-4000-8d41-c10aa26a9097"
      }],
      "checkType": "basicAuth"
      },
    }

⚠️State unHealthy - Application principal example

{ 
  "subscriptionName": "EAST - HoneyPot",
      "friendlyName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
      "creds": {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals(id,displayName,appId,keyCredentials,passwordCredentials,servicePrincipalType)/$entity",
        "id": "babec804-037d-4caf-946e-7a2b6de3a45f",
        "displayName": "thx138-kvref-6193053b-408b-44d0-b20f-4e29b9b67394",
        "appId": "5af1760e-89ff-46e4-a968-0ac36a7b7b69",
        "servicePrincipalType": "Application",
        "keyCredentials": [],
        "passwordCredentials": [],
        "OnlySingleFactor": [{
          "customKeyIdentifier": null,
          "endDateTime": "2023-10-20T06:54:59.2014093Z",
          "keyId": "7df44f81-a52c-4fd6-b704-4b046771f85a",
          "startDateTime": "2021-10-20T06:54:59.2014093Z",
          "secretText": null,
          "hint": nu   ll,
          "displayName": null
        }],
        "StrongSingleFactor": []
        }
}

Contributing

Following methods work for contributing for the time being:

1. Submit a pull request with code / documentation change
2. Submit a issue
   • issue can be a:
   • ⚠️Problem (issue)
   • Feature request
   • ❔Question

Other

1. By default EAST tries to work with the current depedencies - Introducing new (direct) depedencies is not directly encouraged with EAST. If such vital depedency is introduced, then review licensing of such depedency, and update readme.md - depedencies
   • There is nothing to prevent you from creating your own fork of EAST with your own depedencies

Aws-Security-Assessment-Solution - An AWS Tool To Help You Create A Point In Time Assessment Of Your AWS Account Using Prowler And Scout As Well As Optional AWS Developed Ransomware Checks

Self-Service Security Assessment too l

Cybersecurity remains a very important topic and point of concern for many CIOs, CISOs, and their customers. To meet these important concerns, AWS has developed a primary set of services customers should use to aid in protecting their accounts. Amazon GuardDuty, AWS Security Hub, AWS Config, and AWS Well-Architected reviews help customers maintain a strong security posture over their AWS accounts. As more organizations deploy to the cloud, especially if they are doing so quickly, and they have not yet implemented the recommended AWS Services, there may be a need to conduct a rapid security assessment of the cloud environment.

With that in mind, we have worked to develop an inexpensive, easy to deploy, secure, and fast solution to provide our customers two (2) security assessment reports. These security assessments are from the open source projects “Prowler” and “ScoutSuite.” Each of these projects conduct an assessment based on AWS best practices and can help quickly identify any potential risk areas in a customer’s deployed environment. If you are interested in conducting these assessments on a continuous basis, AWS recommends enabling Security Hub’s Foundational Security Best P ractices standard. If you are interested in integrating your Prowler assessment results with Security Hub, you can also do that from Prowler natively following instructions here.

In addition, we have developed custom modules that speak to customer concerns around threats and misconfigurations of those issues, currently this includes checks for ransomware specific findings.

ARCHITECTURE OVERVIEW

Overview - Open Source project checks

The architecture we deploy is a very simple VPC with two (2) subnets, one (1) NAT Gateway, one (1) EC2 instance, and one (1) S3 Bucket. The EC2 instance is using Amazon Linux 2 (the latest published AMI), that is patched on boot, pulls down the two projects (Prowler and ScoutSuite), runs the assessments and then delivers the reports to the S3 Bucket. The EC2 instances does not deploy with any EC2 Key Pair, does not have any open ingress rules on its Security Group, and is placed in the Private Subnet so it does not have direct internet access. After completion of the assessment and the delivery of the reports the system can be terminated.

The deployment is accomplished through the use of CloudFormation. A single CloudFormation template is used to launch a few other templates (in a modular approach). No parameters (user input) is required and the automated build out of the environment will take on average less than 10 minutes to complete. These templates are provided for review in this Github repository.

Once the EC2 Instance has been created and begins, the two assessments it will take somewhere around 40 minutes to complete. At the end of the assessments and after the two reports are delivered to the S3 Bucket the Instance will automatically shutdown, You may at this time safely terminate the Instance.

How to deploy this tool

• See the following guide on installation steps

How do I read the reports?

• See the following guide on accessing and reading the report outputs

Diagram

Here is a diagram of the architecture.

What will be created

• A VPC

  • This will be a /26 for the VPC
  • This will include 2 subnets both in the same Availability Zone, one Public and one Private
  • This will include the required Route Tables and ACLs

• An EIP

  • For use by the NAT Gateway

• A NAT Gateway

  • This is required for the instance to download both Prowler and ScoutSuite as well as to make the API Calls

• A Security Group

  • For the Instance

• A single m5a.large instance with a 10 GB gp2 EBS volume

  • This is the instance in which Prowler and ScoutSuite will run
  • It will be in a Private Subnet
  • It will not have an EC2 Key Pair
  • It will not allow ingress traffic on the Security Group

• An Instance Role

  • This Role is required so that Prowler and ScoutSuite can run the API calls from the EC2 Instance

• An IAM Policy

  • Some IAM permissions are required for Prowler and ScoutSuite
    • Prowler info here
    • ScoutSuite info here

• An S3 Bucket

  • This is the location where the reports will be delivered
  • It will take about 40 minutes for the reports to show up

Open source security Assessments

These security assessments are from the open source projects “Prowler” and “ScoutSuite.” Each of these projects conduct an assessment based on AWS best practices and can help quickly identify any potential risk areas in a customer’s deployed environment.

1. Prowler

The first assessment is from Prowler.

• Prowler follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has 40 additional checks including related to GDPR and HIPAA, in total Prowler offers over 160 checks.

2. ScoutSuite

The second assessment is from ScoutSuite

• ScoutSuite has been around since 2012, originally a Scout, then Scout2, and now ScoutSuite. This will provide a set of files that can be viewed in your browser and conducts a wide range of checks

Overiew of optional modules

► Check for Common Security Mistakes module

When enabled, this module will deploy a lambda function that checks for common security mistakes highlighted in https://www.youtube.com/watch?v=tmuClE3nWlk.

What will be created

A Lambda function that will perform the checks. Some of the checks include:

• GuardDuty set to alert on findings
• GuardDuty enabled across all regions
• Prevent accidental key deletion
• Existence of a Multi-region CloudTrail
• CloudTrail validation enabled
• No local IAM users
• Roles tuned for least privilege in last 90 days
• Alerting for root account use
• Alerting for local IAM user create/delete
• Use of Managed Prefix Lists in Security Groups
• Public S3 Buckets

► Ransomware modules

When enabled, this module will deploy separate functions that can help customers with evaluating their environment for ransomware infection and susceptibility to ransomware damage.

What will be created

• AWS Core security services enabled
  • Checks for AWS security service enablement in all regions where applicable (GuardDuty, SecurityHub)
• Data protection checks
  • Checks for EBS volumes with no snapshot
  • Checks for outdated OS running
  • Checks for S3 bucket replication JobStatus
  • Checks for EC2 instances that can not be managed with SSM
  • Checks for Stale IAM roles that have been granted S3 access but have not used them in the last 60 days
  • Checks for S3 deny public access enablement
  • Checks to see if DNSSEC is enabled for public hosted zones in Amazon Route 53
  • Checks to see if logging is enabled for services relevant to ransomware (i.e. CloudFront, Lambda, Route53 Query Logging, and Route 53 Resolver Logging).
  • Checks to see if Route 53 Resolver DNS Firewall is enabled across all relevant regions
  • Checks to see if there are any Access Keys that have not been used in last 90 days

► SolarWinds module

When enabled, this module will deploy separate functions that can help customers with evaluating their environment for SolarWinds vulnerability. The checks are based on CISA Alert AA20-352A from Appendix A & B.

Note: Prior to enablement of this module, please read the module documentation which reviews the steps that need to be completed prior to using this module.

Note: This module MUST be run separately as its own stack, select the S3 URL SelfServiceSecSolar.yml to deploy

What will be created

• Athena query - AA20352A IP IOC
  • This Athena query will scan your VPC flow logs for IP addresses from the CISA AA20-352A.
• SSM Automation document - SolorWindsAA20-352AAutomatedScanner
  • This is a systems manager automation document that will scan Windows EC2 instances for impacted .dll files from CISA AA20-352A.
• Route53 DNS resolver query - AA20352A DNS IOC
  • This Athena query will scan your DNS logs for customers that have enabled DNS query logging

Frequently Asked Questions (FAQ)

1. Is there a cost?
   • Yes. This should normally cost less than $1 for an hour of use.
2. Is this a continuous monitoring and reporting tool?
   • No. This is a one-time assessment, we urge customers to leverage tooling like AWS SecurityHub for Ongoing assessments.
3. Why does the CloudFormation service error when deleting the stack?
   • You must remove the objects (reports) out of the S3 bucket first
4. Does this integrate with GuardDuty, Security Hub, CloudWatch, etc.?
   • Not at this time. In a future sprint we plan to incorporate integration with AWS services like Security Hub and GuardDuty. However, you can follow the instructions in this blog to integrate Prowler and Security Hub.
5. How do I remediate the issues in the reports?
   • Generally, the issues should be described in the report with readily identifiable corrections. Please follow up with the public documentation for each tool (Prowler and ScoutSuite) as well. If this is insufficient, please reach out to your AWS Account team and we will be more than happy to help you understand the reports and work towards remediating issues.

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

Zeek 5.0.6

OpenSSH 9.2p1

Suborner - The Invisible Account Forger

What's this?

A simple program to create a Windows account you will only know about :)

• Create invisible local accounts without net user or Windows OS user management applications (e.g. netapi32::netuseradd)
• Works on all Windows NT Machines (Windows XP to 11, Windows Server 2003 to 2022)
• Impersonate through RID Hijacking any existing account (enabled or disabled) after a successful authentication

Create an invisible machine account with administrative privileges, and without invoking that annoying Windows Event Logger to report its creation!

Where can I see more?

Released at Black Hat USA 2022: Suborner: A Windows Bribery for Invisible Persistence

• Blogpost: R4WSEC - Suborner: A Windows Bribery for Invisible Persistence
• Demo: YouTube - Suborner: Creation of Invisible Account on Windows 11
• Slides - HITB Singapore Main Track - Suborner Slides

How can I use this?

Build

• Make sure you have .NET 4.0 and Visual Studio 2019
• Clone this repo: git clone https://github.com/r4wd3r/Suborner/
• Open the .sln with Visual Studio
• Build x86, x64 or both versions
• Bribe Windows!

Release

Download the latest release and pwn!

Usage

Monomorph - MD5-Monomorphic Shellcode Packer - All Payloads Have The Same MD5 Hash

                                                
    ════════════════════════════════════╦═══    
     ╔═╦═╗ ╔═╗ ╔═╗ ╔═╗ ╔═╦═╗ ╔═╗ ╔══╔═╗ ╠═╗     
    ═╩ ╩ ╩═╚═╝═╩ ╩═╚═╝═╩ ╩ ╩═╚═╝═╩  ╠═╝═╩ ╩═    
    ════════════════════════════════╩═══════    
                                  By Retr0id    

    ═══ MD5-Monomorphic Shellcode Packer ═   ══    


USAGE: python3 monomorph.py input_file output_file [payload_file]

What does it do?

It packs up to 4KB of compressed shellcode into an executable binary, near-instantly. The output file will always have the same MD5 hash: 3cebbe60d91ce760409bbe513593e401

Currently, only Linux x86-64 is supported. It would be trivial to port this technique to other platforms, although each version would end up with a different MD5. It would also be possible to use a multi-platform polyglot file like APE.

Example usage:

$ python3 monomorph.py bin/monomorph.linux.x86-64.benign bin/monomorph.linux.x86-64.meterpreter sample_payloads/bin/linux.x64.meterpreter.bind_tcp.bin

Why?

People have previously used single collisions to toggle a binary between "good" and "evil" modes. Monomorph takes this concept to the next level.

Some people still insist on using MD5 to reference file samples, for various reasons that don't make sense to me. If any of these people end up investigating code packed using Monomorph, they're going to get very confused.

How does it work?

For every bit we want to encode, a colliding MD5 block has been pre-calculated using FastColl. As summarised here, each collision gives us a pair of blocks that we can swap out without changing the overall MD5 hash. The loader checks which block was chosen at runtime, to decode the bit.

To encode 4KB of data, we need to generate 4*1024*8 collisions (which takes a few hours), taking up 4MB of space in the final file.

To speed this up, I made some small tweaks to FastColl to make it even faster in practice, enabling it to be run in parallel. I'm sure there are smarter ways to parallelise it, but my naive approach is to start N instances simultaneously and wait for the first one to complete, then kill all the others.

Since I've already done the pre-computation, reconfiguring the payload can be done near-instantly. Swapping the state of the pre-computed blocks is done using a technique implemented by Ange Albertini.

Is it detectable?

Yes. It's not very stealthy at all, nor does it try to be. You can detect the collision blocks using detectcoll.

Suricata IDPE 6.0.10