Mimicry - Security Tool For Active Deception In Exploitation And Post-Exploitation

Mimicry is a security tool developed by Chaitin Technology for active deception in exploitation and post-exploitation.

Active deception can live migrate the attacker to the honeypot without awareness. We can achieve a higher security level at a lower cost with Active deception.

English | 中文文档

Demo

️

Quick Start

1. Make sure docker, docker-compose is installed correctly on the machine

docker info
docker-compose version

2. Install honeypot service

docker-compose build
docker-compose up -d

3. Deploy deception tool on other machines

update config.yaml,replace ${honeypot_public_ip} to the public IP of honeypot service

4. Perform Webshell deceiving

./mimicry-tools webshell -c config.yaml -t php -p webshell_path



Advance Usage

️

Contact Us

1. You can make bug feedback and feature suggestions directly through GitHub Issues.
2. You can join the discussion group on Discord .

Thunderstorm - Modular Framework To Exploit UPS Devices

Thunderstorm is a modular framework to exploit UPS devices.

For now, only the CS-141 and NetMan 204 exploits will be available. The beta version of the framework will be released on the future.

CVE

Thunderstorm is currently capable of exploiting the following CVE:

• CVE-2022-47186 – Unrestricted file Upload # [CS-141]
• CVE-2022-47187 – Cross-Site Scripting via File upload # [CS-141]
• CVE-2022-47188 – Arbitrary local file read via file upload # [CS-141]
• CVE-2022-47189 – Denial of Service via file upload # [CS-141]
• CVE-2022-47190 – Remote Code Execution via file upload # [CS-141]
• CVE-2022-47191 – Privilege Escalation via file upload # [CS-141]
• CVE-2022-47192 – Admin password reset via file upload # [CS-141]
• CVE-2022-47891 – Admin password reset # [NetMan 204]
• CVE-2022-47892 – Sensitive Information Disclosure # [NetMan 204]
• CVE-2022-47893 – Remote Code Execution via file upload # [NetMan 204]

Requirements

• Python 3
• Install requirements.txt

Download

It is recommended to clone the complete repository or download the zip file. You can do this by running the following command:

git clone https://github.com/JoelGMSec/Thunderstorm

Also, you probably need to download the original and the custom firmware. You can download all requirements from here: https://darkbyte.net/links/thunderstorm.php

Usage

- To be disclosed

The detailed guide of use can be found at the following link:

• To be disclosed

License

This project is licensed under the GNU 3.0 license - see the LICENSE file for more details.

Credits and Acknowledgments

This tool has been created and designed from scratch by Joel Gámez Molina // @JoelGMSec

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can find me on Twitter as @JoelGMSec and on my blog darkbyte.net.

X-force - IBM Security Utilitary Library In Python. Search And Query All Sources: Threat_Activities And Groups, Malware_Analysis, Industries

IBM Security X-FORCE Exchange library in Python 3. Search: threat_activities, threat_groups, malware_analysis, collector and industries.

Install

pip3 install XForce

Use

Using you API_KEY make a basic authentication. After make a base64 code → Key + : + Password:

printf "d2f5f0f9-2995-42c6-b1dd-4c92252da129:06c41d5e-0604-4c7c-a599-300c367d2090" | base64
# ZDJmNWYwZjktMjk5NS00MmM2LWIxZGQtNGM5MjI1MmRhMTI5OjA2YzQxZDVlLTA2MDQtNGM3Yy1hNTk5LTMwMGMzNjdkMjA5MAo=

Using API_KEY, call functions.

Call functions

import XForce

# Args: 1 - Term of search, 2 - API KEY

# Threat activity search return in string
XForce.threat_activities(Term, API_KEY)

# Malware analysis search return in string
XForce.malware_analysis(Term, API_KEY)

# Threat groups search return in string
XForce.threat_groups(Term, API_KEY)

# Industries search return in string
XForce.industries(Term, API_KEY)

# All categories search return in list with dict
XForce.industries(Term, API_KEY)

For see more details of consult, run:

from XForce import details

# Args: 1 - GUID, 2 - API KEY 
# IMPORTANT: all GUID are correspondent to category
# All function of details have:
# url → with x-force exchange panel
details.activity(Id, API_KEY)
details.group(Id, API_KEY)
details.malware(Id, API_KEY)
details.industry(Id, API_KEY)

Popeye - A Kubernetes Cluster Resource Sanitizer

Popeye - A Kubernetes Cluster Sanitizer

Popeye is a utility that scans live Kubernetes cluster and reports potential issues with deployed resources and configurations. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive overload one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.

Popeye is a readonly tool, it does not alter any of your Kubernetes resources in any way!

Installation

Popeye is available on Linux, OSX and Windows platforms.

• Binaries for Linux, Windows and Mac are available as tarballs in the release page.

• For OSX/Unit using Homebrew/LinuxBrew

  brew install derailed/popeye/popeye

• Building from source Popeye was built using go 1.12+. In order to build Popeye from source you must:

  1. Clone the repo

  2. Add the following command in your go.mod file

     replace (
       github.com/derailed/popeye => MY_POPEYE_CLONED_GIT_REPO
     )
     

  3. Build and run the executable

     go run main.go

  Quick recipe for the impatient:

  # Clone outside of GOPATH
  git clone https://github.com/derailed/popeye
  cd popeye
  # Build and install
  go install
  # Run
  popeye

PreFlight Checks

• Popeye uses 256 colors terminal mode. On `Nix system make sure TERM is set accordingly.

  export TERM=xterm-256color

Sanitizers

Popeye scans your cluster for best practices and potential issues. Currently, Popeye only looks at nodes, namespaces, pods and services. More will come soon! We are hoping Kubernetes friends will pitch'in to make Popeye even better.

The aim of the sanitizers is to pick up on misconfigurations, i.e. things like port mismatches, dead or unused resources, metrics utilization, probes, container images, RBAC rules, naked resources, etc...

Popeye is not another static analysis tool. It runs and inspect Kubernetes resources on live clusters and sanitize resources as they are in the wild!

Here is a list of some of the available sanitizers:

You can also see the full list of codes

Save the report

To save the Popeye report to a file pass the --save flag to the command. By default it will create a temp directory and will store the report there, the path of the temp directory will be printed out on STDOUT. If you have the need to specify the output directory for the report, you can use the environment variable POPEYE_REPORT_DIR. By default, the name of the output file follow the following format : sanitizer_<cluster-name>_<time-UnixNano>.<output-extension> (e.g. : "sanitizer-mycluster-1594019782530851873.html"). If you have the need to specify the output file name for the report, you can pass the --output-file flag with the filename you want as parameter.

Example to save report in working directory:

  $ POPEYE_REPORT_DIR=$(pwd) popeye --save

Example to save report in working directory in HTML format under the name "report.html" :

  $ POPEYE_REPORT_DIR=$(pwd) popeye --save --out html --output-file report.html

Save the report to S3

You can also save the generated report to an AWS S3 bucket (or another S3 compatible Object Storage) with providing the flag --s3-bucket. As parameter you need to provide the name of the S3 bucket where you want to store the report. To save the report in a bucket subdirectory provide the bucket parameter as bucket/path/to/report.

Underlying the AWS Go lib is used which is handling the credential loading. For more information check out the official documentation.

Example to save report to S3:

popeye --s3-bucket=NAME-OF-YOUR-S3-BUCKET/OPTIONAL/SUBDIRECTORY --out=json

If AWS sS3 is not your bag, you can further define an S3 compatible storage (OVHcloud Object Storage, Minio, Google cloud storage, etc...) using s3-endpoint and s3-region as so:

popeye --s3-bucket=NAME-OF-YOUR-S3-BUCKET/OPTIONAL/SUBDIRECTORY --s3-region YOUR-REGION --s3-endpoint URL-OF-THE-ENDPOINT

Run public Docker image locally

You don't have to build and/or install the binary to run popeye: you can just run it directly from the official docker repo on DockerHub. The default command when you run the docker container is popeye, so you just need to pass whatever cli args are normally passed to popeye. To access your clusters, map your local kube config directory into the container with -v :

  docker run --rm -it \
    -v $HOME/.kube:/root/.kube \
    derailed/popeye --context foo -n bar

Running the above docker command with --rm means that the container gets deleted when popeye exits. When you use --save, it will write it to /tmp in the container and then delete the container when popeye exits, which means you lose the output. To get around this, map /tmp to the container's /tmp. NOTE: You can override the default output directory location by setting POPEYE_REPORT_DIR env variable.

  docker run --rm -it \
    -v $HOME/.kube:/root/.kube \
    -e POPEYE_REPORT_DIR=/tmp/popeye \
    -v /tmp:/tmp \
    derailed/popeye --context foo -n bar --save --output-file my_report.txt

  # Docker has exited, and the container has been deleted, but the file
  # is in your /tmp directory because you mapped it into the container
  $ cat /tmp/popeye/my_report.txt
    <snip>

The Command Line

You can use Popeye standalone or using a spinach yaml config to tune the sanitizer. Details about the Popeye configuration file are below.

# Dump version info
popeye version
# Popeye a cluster using your current kubeconfig environment.
popeye
# Popeye uses a spinach config file of course! aka spinachyaml!
popeye -f spinach.yml
# Popeye a cluster using a kubeconfig context.
popeye --context olive
# Stuck?
popeye help

Output Formats

Popeye can generate sanitizer reports in a variety of formats. You can use the -o cli option and pick your poison from there.

The SpinachYAML Configuration

A spinach.yml configuration file can be specified via the -f option to further configure the sanitizers. This file may specify the container utilization threshold and specific sanitizer configurations as well as resources that will be excluded from the sanitization.

NOTE: This file will change as Popeye matures!

Under the excludes key you can configure to skip certain resources, or certain checks by code. Here, resource types are indicated in a group/version/resource notation. Example: to exclude PodDisruptionBugdets, use the notation policy/v1/poddisruptionbudgets. Note that the resource name is written in the plural form and everything is spelled in lowercase. For resources without an API group, the group part is omitted (Examples: v1/pods, v1/services, v1/configmaps).

A resource is identified by a resource kind and a fully qualified resource name, i.e. namespace/resource_name.

For example, the FQN of a pod named fred-1234 in the namespace blee will be blee/fred-1234. This provides for differentiating fred/p1 and blee/p1. For cluster wide resources, the FQN is equivalent to the name. Exclude rules can have either a straight string match or a regular expression. In the latter case the regular expression must be indicated using the rx: prefix.

NOTE! Please be careful with your regex as more resources than expected may get excluded from the report with a loose regex rule. When your cluster resources change, this could lead to a sub-optimal sanitization. Once in a while it might be a good idea to run Popeye „configless“ to make sure you will recognize any new issues that may have arisen in your clusters…

Here is an example spinach file as it stands in this release. There is a fuller eks and aks based spinach file in this repo under spinach. (BTW: for new comers into the project, might be a great way to contribute by adding cluster specific spinach file PRs...)

# A Popeye sample configuration file
popeye:
  # Checks resources against reported metrics usage.
  # If over/under these thresholds a sanitization warning will be issued.
  # Your cluster must run a metrics-server for these to take place!
  allocations:
    cpu:
      underPercUtilization: 200 # Checks if cpu is under allocated by more than 200% at current load.
      overPercUtilization: 50   # Checks if cpu is over allocated by more than 50% at current load.
    memory:
      underPercUtilization: 200 # Checks if mem is under allocated by more than 200% at current load.
      overPercUtilization: 50   # Checks if mem is over allocated by more than 50% usage at current load.

  # Excludes excludes certain resources from Popeye scans
  excludes:
    v1/pods:
    # In the monitoring namespace excludes all probes check on pod's containers.
    - name: rx:monitoring
      code   s:
      - 102
    # Excludes all istio-proxy container scans for pods in the icx namespace.
    - name: rx:icx/.*
      containers:
        # Excludes istio init/sidecar container from scan!
        - istio-proxy
        - istio-init
    # ConfigMap sanitizer exclusions...
    v1/configmaps:
      # Excludes key must match the singular form of the resource.
      # For instance this rule will exclude all configmaps named fred.v2.3 and fred.v2.4
      - name: rx:fred.+\.v\d+
    # Namespace sanitizer exclusions...
    v1/namespaces:
      # Exclude all fred* namespaces if the namespaces are not found (404), other error codes will be reported!
      - name: rx:kube
        codes:
          - 404
      # Exclude all istio* namespaces from being scanned.
      - name: rx:istio
    # Completely exclude horizontal pod autoscalers.
    autoscaling/v1/horizontalpodautoscalers:
      - name: rx:.*

  # Configure node resources.
  node:
    # Limits set a cpu/mem threshold in % ie if cpu|mem > limit a lint warning is triggered.
    limits:
      # CPU checks if current CPU utilization on a node is greater than 90%.
      cpu:    90
      # Memory checks if current Memory utilization on a node is greater than 80%.
      memory: 80

  # Configure pod resources
  pod:
    # Restarts check the restarts count and triggers a lint warning if above threshold.
    restarts:
      3
    # Check container resource utilization in percent.
    # Issues a lint warning if about these threshold.
    limits:
      cpu:    80
      memory: 75

  # Configure a list of allowed registries to pull images from
  registries:
    - quay.io
    - docker.io

Popeye In Your Clusters!

Alternatively, Popeye is containerized and can be run directly in your Kubernetes clusters as a one-off or CronJob.

Here is a sample setup, please modify per your needs/wants. The manifests for this are in the k8s directory in this repo.

kubectl apply -f k8s/popeye/ns.yml && kubectl apply -f k8s/popeye

---
apiVersion: batch/v1
kind: CronJob
metadata:
  name:      popeye
  namespace: popeye
spec:
  schedule: "* */1 * * *" # Fire off Popeye once an hour
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: popeye
          restartPolicy: Never
          containers:
            - name: popeye
              image: derailed/popeye
              imagePullPolicy: IfNotPresent
              args:
                - -o
                - yaml
                - --force-exit-zero
                - true
              resources:
                limits:
                  cpu:    500m
                  memory: 100Mi

The --force-exit-zero should be set to true. Otherwise, the pods will end up in an error state. Note that popeye exits with a non-zero error code if the report has any errors.

Popeye got your RBAC!

In order for Popeye to do his work, the signed-in user must have enough RBAC oomph to get/list the resources mentioned above.

Sample Popeye RBAC Rules (please note that those are subject to change.)

---
# Popeye ServiceAccount.
apiVersion: v1
kind:       ServiceAccount
metadata:
  name:      popeye
  namespace: popeye

---
# Popeye needs get/list access on the following Kubernetes resources.
apiVersion: rbac.authorization.k8s.io/v1
kind:       ClusterRole
metadata:
  name: popeye
rules:
- apiGroups: [""]
  resources:
   - configmaps
   - deployments
   - endpoints
   - horizontalpodautoscalers
   - namespaces
   - nodes
   - persistentvolumes
   - persistentvolumeclaims
   - pods
   - secrets
   - serviceaccounts
   - services
   - statefulsets
  verbs:     ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources:
  - clusterroles
  - clusterrolebindings
  - roles
  - rolebindings
  verbs:     ["get", "list"]
- apiGroups: ["metrics.k8s.io"]
  resources   :
  - pods
  - nodes
  verbs:     ["get", "list"]

---
# Binds Popeye to this ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind:       ClusterRoleBinding
metadata:
  name: popeye
subjects:
- kind:     ServiceAccount
  name:     popeye
  namespace: popeye
roleRef:
  kind:     ClusterRole
  name:     popeye
  apiGroup: rbac.authorization.k8s.io

Screenshots

Cluster D Score

Cluster A Score

Report Morphology

The sanitizer report outputs each resource group scanned and their potential issues. The report is color/emoji coded in term of Sanitizer severity levels:

The heading section for each scanned Kubernetes resource provides a summary count for each of the categories above.

The Summary section provides a Popeye Score based on the sanitization pass on the given cluster.

Known Issues

This initial drop is brittle. Popeye will most likely blow up when…

• You're running older versions of Kubernetes. Popeye works best with Kubernetes 1.13+.
• You don't have enough RBAC oomph to manage your cluster (see RBAC section)

Disclaimer

This is work in progress! If there is enough interest in the Kubernetes community, we will enhance per your recommendations/contributions. Also if you dig this effort, please let us know that too!

ATTA Girls/Boys!

Popeye sits on top of many of open source projects and libraries. Our sincere appreciations to all the OSS contributors that work nights and weekends to make this project a reality!

Contact Info

1. Email: fernand@imhotep.io
2. Twitter: @kitesurfer

Kscan - Simple Asset Mapping Tool

0 Disclaimer (The author did not participate in the XX action, don't trace it)

• This tool is only for legally authorized enterprise security construction behaviors and personal learning behaviors. If you need to test the usability of this tool, please build a target drone environment by yourself.

• When using this tool for testing, you should ensure that the behavior complies with local laws and regulations and has obtained sufficient authorization. Do not scan unauthorized targets.

We reserve the right to pursue your legal responsibility if the above prohibited behavior is found.

If you have any illegal behavior in the process of using this tool, you shall bear the corresponding consequences by yourself, and we will not bear any legal and joint responsibility.

Before installing and using this tool, please be sure to carefully read and fully understand the terms and conditions.

Unless you have fully read, fully understood and accepted all the terms of this agreement, please do not install and use this tool. Your use behavior or your acceptance of this Agreement in any other express or implied manner shall be deemed that you have read and agreed to be bound by this Agreement.

1 Introduction

 _   __
|#| /#/ Lightweight Asset Mapping Tool by: kv2	
|#|/#/   _____  _____     *     _   _
|#.#/   /Edge/ /Forum|   /#\   |#\ |#|
|##|   |#|___  |#|      /###\  |##\|#|
|#.#\   \#####\|#|     /#/_\#\ |#.#.#|
|#|\#\ /\___|#||#|____/#/###\#\|#|\##|
|#| \#\\#####/ \#####/#/     \#\#| \#|

Kscan is an asset mapping tool that can perform port scanning, TCP fingerprinting and banner capture for specified assets, and obtain as much port information as possible without sending more packets. It can perform automatic brute force cracking on scan results, and is the first open source RDP brute force cracking tool on the go platform.

2 Foreword

At present, there are actually many tools for asset scanning, fingerprint identification, and vulnerability detection, and there are many great tools, but Kscan actually has many different ideas.

• Kscan hopes to accept a variety of input formats, and there is no need to classify the scanned objects before use, such as IP, or URL address, etc. This is undoubtedly an unnecessary workload for users, and all entries can be normal Input and identification. If it is a URL address, the path will be reserved for detection. If it is only IP:PORT, the port will be prioritized for protocol identification. Currently Kscan supports three input methods (-t,--target|-f,--fofa|--spy).

• Kscan does not seek efficiency by comparing port numbers with common protocols to confirm port protocols, nor does it only detect WEB assets. In this regard, Kscan pays more attention to accuracy and comprehensiveness, and only high-accuracy protocol identification , in order to provide good detection conditions for subsequent application layer identification.

• Kscan does not use a modular approach to do pure function stacking, such as a module obtains the title separately, a module obtains SMB information separately, etc., runs independently, and outputs independently, but outputs asset information in units of ports, such as ports If the protocol is HTTP, subsequent fingerprinting and title acquisition will be performed automatically. If the port protocol is RPC, it will try to obtain the host name, etc.

IP address: 114.114.114.114
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt

[Empty]: will detect the IP address of the local machine and detect the B segment where the local IP is located
[all]: All private network addresses (192.168/172.32/10, etc.) will be probed
IP address: will detect the B segment where the specified IP address is located

fofa search keywords: will directly return fofa search results

usage: kscan [-h,--help,--fofa-syntax] (-t,--target,-f,--fofa,--spy) [-p,--port|--top] [-o,--output] [-oJ] [--proxy] [--threads] [--path] [--host] [--timeout] [-Pn] [-Cn] [-sV] [--check] [--encoding] [--hydra] [hydra options] [fofa options]


optional arguments:
  -h , --help     show this help message and exit
  -f , --fofa Get the detection object from fofa, you need to configure the environment variables in advance: FOFA_EMAIL, FOFA_KEY
  -t , --target Specify the detection target:
                  IP address: 114.114.114.114
                  IP address segment: 114.114.114.114/24, subnet mask less than 12 is not recommended
                  IP address range: 114.114.114.114-115.115.115.115
                  URL address: https://www.baidu.com
                  File address: file:/tmp/target.txt
  --spy network segment detection mode, in this mode, the internal network segment reachable by the host will be automatically detected. The acceptable parameters are:
                  (empty), 192, 10, 172, all, specified IP address (the IP address B segment will be detected as the surviving gateway)
  --check Fingerprinting the target address, only port detection will not be performed
  --scan will perform port scanning and fingerprinting on the target objects provided by --fofa and --spy
  -p , --port scan the specified port, TOP400 will be scanned by default, support: 80, 8080, 8088-8090
  -eP, --excluded-port skip scanning specified ports，support：80,8080,8088-8090
  -o , --output save scan results to file
  -oJ save the scan results to a file in json format
  -Pn After using this parameter, intelligent survivability detection will not be performed. Now intelligent survivability detection is enabled by default to improve efficiency.
  -Cn With this parameter, the console output will not be colored.
  -sV After using this parameter, all ports will be probed with full probes. This parameter greatly affects the efficiency, so use it with caution!
  --top Scan the filtered common ports TopX, up to 1000, the default is TOP400
  --proxy set proxy (socks5|socks4|https|http)://IP:Port
  --threads thread parameter, the default thread is 100, the maximum value is 2048
  --path specifies the directory to request access, only a single directory is supported
  --host specifies the header Host value for all requests
  --timeout set timeout
  --encoding Set the terminal output encoding, which can be specified as: gb2312, utf-8
  --match returns the banner to the asset for retrieval. If there is a keyword, it will be displayed, otherwise it will not be displayed
  --hydra automatic blasting support protocol: ssh, rdp, ftp, smb, mysql, mssql, oracle, postgresql, mongodb, redis, all are enabled by default
hydra options:
   --hydra-user custom hydra blasting username: username or user1,user2 or file:username.txt
   --hydra-pass Custom hydra blasting password: password or pass1,pass2 or file:password.txt
                  If there is a comma in the password, use \, to escape, other symbols do not need to be escaped
   --hydra-update Customize the user name and password mode. If this parameter is carried, it is a new mode, and the user name and password will be added to the default dictionary. Otherwise the default dictionary will be replaced.
   --hydra-mod specifies the automatic brute force cracking module: rdp or rdp, ssh, smb
fofa options:
   --fofa-syntax will get fofa search syntax description
   --fofa-size will set the number of entries returned by fofa, the default is 100
   --fofa-fix-keyword Modifies the keyword, and the {} in this parameter will eventually be replaced with the value of the -f parameter

6.2 Survival network segment detection

6.3 Fofa result retrieval

6.4 Brute-force cracking

6.5 CDN identification

Prefetch-Hash-Cracker - A Small Util To Brute-Force Prefetch Hashes

Motivation

During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.

Using the tool

The following fields must be provided:

• Executable name
  Including the extension. It will be embedded in the prefetch filename, unless this happens.

• Prefetch hash
  8 hexadecimal digits at the end of the prefetch filename, right before the .pf extension.

• Hash function

• Bodyfile

• Mount point

Hash function

There are 3 known prefetch hash functions:

• SCCA XP
  Used in Windows XP

• SCCA Vista
  Used in Windows Vista and Windows 10

• SCCA 2008
  Used in Windows 7, Windows 8 and Windows 8.1

Bodyfile

A bodyfile of the volume the executable was executed from.

The bodyfile format is not very restrictive, so there are a lot of variations of it - some of which are not supported. Body files created with fls and MFTECmd should work fine.

Mount point

The mount point of the bodyfile, as underlined below:

0|C:/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|...

How does it work?

The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there's a possible full path for which the result matches the provided hash, that path is outputted.

Limitations

The following cases are not supported:

• Hosting applications, such as svchost.exe and mmc.exe
• Applications executed with the /prefetch:# flag
• Applications executed from a UNC (network) path

The 29-character limit

If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:

This is a very long file nameSo this part will be truncated.exe

From the C:\Temp directory on a Windows 10 machine, will result in the creation of this prefetch file:

THIS IS A VERY LONG FILE NAME-D0B882CC.pf

In this case, the executable name cannot be derived from the prefetch filename, so you will not be able to provide it to the tool.

License

MIT

Psudohash - Password List Generator That Focuses On Keywords Mutated By Commonly Used Password Creation Patterns

psudohash is a password list generator for orchestrating brute force attacks. It imitates certain password creation patterns commonly used by humans, like substituting a word's letters with symbols or numbers, using char-case variations, adding a common padding before or after the word and more. It is keyword-based and highly customizable.

Pentesting Corporate Environments

System administrators and other employees often use a mutated version of the Company's name to set passwords (e.g. Am@z0n_2022). This is commonly the case for network devices (Wi-Fi access points, switches, routers, etc), application or even domain accounts. With the most basic options, psudohash can generate a wordlist with all possible mutations of one or multiple keywords, based on common character substitution patterns (customizable), case variations, strings commonly used as padding and more. Take a look at the following example:

The script includes a basic character substitution schema. You can add/modify character substitution patterns by editing the source and following the data structure logic presented below (default):

transformations = [
	{'a' : '@'},
	{'b' : '8'},
	{'e' : '3'},
	{'g' : ['9', '6']},
	{'i' : ['1', '!']},
	{'o' : '0'},
	{'s' : ['$', '5']},
	{'t' : '7'}
]

Individuals

When it comes to people, i think we all have (more or less) set passwords using a mutation of one or more words that mean something to us e.g., our name or wife/kid/pet/band names, sticking the year we were born at the end or maybe a super secure padding like "!@#". Well, guess what?

Installation

No special requirements. Just clone the repo and make the script executable:

git clone https://github.com/t3l3machus/psudohash
cd ./psudohash
chmod +x psudohash.py

Usage

./psudohash.py [-h] -w WORDS [-an LEVEL] [-nl LIMIT] [-y YEARS] [-ap VALUES] [-cpb] [-cpa] [-cpo] [-o FILENAME] [-q]

The help dialog [ -h, --help ] includes usage details and examples.

Usage Tips

1. Combining options --years and --append-numbering with a --numbering-limit ≥ last two digits of any year input, will most likely produce duplicate words because of the mutation patterns implemented by the tool.
2. If you add custom padding values and/or modify the predefined common padding values in the source code, in combination with multiple optional parameters, there is a small chance of duplicate words occurring. psudohash includes word filtering controls but for speed's sake, those are limited.

Future

I'm gathering information regarding commonly used password creation patterns to enhance the tool's capabilities.

ForceAdmin - Create Infinite UAC Prompts Forcing A User To Run As Admin

ForceAdmin is a c# payload builder, creating infinate UAC pop-ups until the user allows the program to be ran. The inputted commands are ran via powershell calling cmd.exe and should be using the batch syntax. Why use? Well some users have UAC set to always show, so UAC bypass techniques are not possible. However - this attack will force them to run as admin. Bypassing these settings.

Screenshots

Required

For building on your own, the following NuGet packages are needed

• Fody: "Extensible tool for weaving .net assemblies."
• Costura.Fody "Fody add-in for embedding references as resources."
• Microsoft.AspNet.WebApi.Client "This package adds support for formatting and content negotiation to System.Net.Http. It includes support for JSON, XML, and form URL encoded data."

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here.

Download the project:

$ git clone https://github.com/catzsec/ForceAdmin.git

Enter the project folder

$ cd ForceAdmin

Run ForceAdmin:

$ dotnet run

Compile ForceAdmin:

$ dotnet publish -r win-x64 -c Release -o ./publish/

Any questions, errors or solutions, create an Issue in the Issues tab.

Coercer - A Python Script To Automatically Coerce A Windows Server To Authenticate On An Arbitrary Machine Through 9 Methods

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.

Features

• Automatically detects open SMB pipes on the remote machine.
• Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
• Analyze mode with --analyze, which only lists the vulnerable protocols and functions listening, without performing a coerced authentication.
• Perform coerce attack on a list of targets from a file with --targets-file
• Coerce to a WebDAV target with --webdav-host and --webdav-port

Usage

$ ./Coercer.py -h                                                                                                  

       ______                              
      / ____/___  ___  _____________  _____
     / /   / __ \/ _ \/ ___/ ___/ _ \/ ___/
    / /___/ /_/ /  __/ /  / /__/  __/ /      v1.6
    \____/\____/\___/_/   \___/\___/_/       by @podalirius_

usage: Coercer.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [--hashes [LMHASH]:NTHASH] [--no-pass] [-v] [-a] [-k] [--dc-ip ip address] [-l LISTENER] [-wh WEBDAV_HOST] [-wp WEBDAV_PORT]
                  (-t TARGET | -f TARGETS_FILE) [--target-ip ip address]

Automatic windows authentication coercer over various RPC calls.

options:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        Username to authenticate to the endpoint.
  -p PASSWORD, --password PASSWORD
                        Password to authenticate to the endpoint. (if omitted, it will be asked unless -no-pass is specified)
  -d DOMAIN, --domain DOMAIN
                        Windows domain name to authenticate to the endpoint.
  --hashes [LMHASH]:NTHASH
                        NT/LM hashes (LM hash can be empty)
  --no-pass             Don't ask for password (useful for -k)
  -v, --verbose         Verbose mode (default: False)
  -a, --analyze         Analyze mode (default: Attack mode)
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the
                        command line
  --dc-ip ip address    IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -t TARGET, --target TARGET
                        IP address or hostname of the target machine
  -f TARGETS_FILE, --targets-file TARGETS_FILE
                        IP address or hostname of the target machine
  --target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it

  -l LISTENER, --listener LISTENER
                        IP address or hostname of the listener machine
  -wh WEBDAV_HOST, --webdav-host WEBDAV_HOST
                        WebDAV IP of the server to authenticate to.
  -wp WEBDAV_PORT, --webdav-port WEBDAV_PORT
                        WebDAV port of the server to authenticate to.

Example output

In attack mode (without --analyze option) you get the following output:

After all the RPC calls, you get plenty of authentications in Responder:

Contributing

Pull requests are welcome. Feel free to open an issue if you want to add other features.

Credits

• @tifkin_ and @elad_shamir for finding and implementing PrinterBug on MS-RPRN
• @topotam77 for finding and implementing PetitPotam on MS-EFSR
• @topotam77 for finding and @_nwodtuhs for implementing ShadowCoerce on MS-FSRVP
• @filip_dragovic for finding and implementing DFSCoerce on MS-DFSNM

Zenbuster - Multi-threaded URL Enumeration/Brute-Forcing Tool

ZenBuster is a multi-threaded, multi-platform URL enumeration tool written in Python by Zach Griffin (@0xTas).

I wrote this tool as a way to deepen my familiarity with Python, and to help increase my understanding of Cybersecurity tooling in general. ZenBuster may not be the fastest or most comprehensive tool of its kind. It is however, simple to use, decently flexible, and in practice only marginally slower than other "tried-and-true" tools like Gobuster. Personally, I have been using it to help me solve CTF challenges on platforms like TryHackMe, and have found my implementation to be satisfactorily reliable.

This software is intended for use in CTF challenges, or by security professionals to gather information on their targets:

• It is capable of brute-force enumerating subdomains and also URI resources (directories/files).
• Both methods of enumeration require use of an appropriate wordlist or dictionary file.
• Features Include:
  1. Hostname format supports standard, IPv4, and IPv6.
  2. Support for logging results to a file with -O [filename].
  3. Specifying custom ports for nonstandard webservers with -p .
  4. Optional file extensions in directory mode with -x .
  5. Quiet mode for less distracting output with -Q.
  6. Color can be disabled for less distracting output with -nc/-nl.
  7. Tested on Python versions 3.9 and 3.10, with theoretical support for versions >= 3.6

CAUTION/DISCLAIMER

ZenBuster is capable of producing a potentially unwelcome number of HTTP requests in a short amount of time.

The developers and contributors are not liable or responsible for any damage caused by misuse or abuse of this software.

Please Enumerate Responsibly!

License

ZenBuster is licensed under the GNU GPLv3 License, see here for more information.

Credits

Yin-Yang ASCII art in the banners were created by Joan G. Stark (jgs) and Hayley Jane Wakenshaw (hjw). Modifications were made by me, when specified with: 'zg'.

Installation

Firstly, ensure that Python version >= 3.6 is installed, then clone the repository with:

git clone https://github.com/0xTas/zenbuster.git

Next, cd zenbuster.

Dependencies

ZenBuster relies on 3 external libraries to function, and it is recommended to install these with:

pip install -r requirements.txt

The modules that will be installed and their purposes are as follows:

1. Python requests

   • The backbone of each enumeration request. Without this, the script will not function.

2. termcolor

   • Enables colored terminal output. Non-critical, the script can still run without color if this is not present.

3. colorama (Windows only)

   • Primes the Windows terminal to accept ANSI color codes (from Termcolor). Non-critical.

These dependencies may be installed manually, with pip using requirements.txt, or via interaction with the script upon first run.

Usage

Once dependencies have been installed, you can run the program in the following ways:

On Linux (+Mac?):

./zenbuster.py [options] or python3 zenbuster.py [options]

On Windows:

python zenbuster.py [options]

[Options]

Example Usage

./zenbuster.py -d -w /usr/share/wordlists/dirb/common.txt -u target.thm -v

python3 zenbuster.py -w ../subdomains.txt --host target.thm --ssl -O myResults.log

zenbuster -w subdomains.txt -u target.thm --quiet (With .bashrc alias)

Planned Features/Improvements

• Increased levels of optional verbosity.
• Allow optional throttling of task thread-count.
• Allow users to modify the list of ignored status codes.
• Allow greater user control over various request headers.
• Allow optional ignoring of responses based on content-length.
• Expand subdomain enumeration to include OSINT methods instead of just brute-forcing.
• Explore a more comprehensive and source-readable solution to fancy colored output (possibly using rich).

Known Issues/Limitations

• Enumerating long endpoints may result in ugly terminal output due to line-wraping on smaller console windows. Logging to a file is recommended, especially on Windows.
• If target host is a vHost on a shared webserver, enumeration via IP may not function as expected. Use domain/hostname instead.