Ashok - A OSINT Recon Tool, A.K.A Swiss Army Knife

Reconnaissance is the first phase of penetration testing which means gathering information before any real attacks are planned So Ashok is an Incredible fast recon tool for penetration tester which is specially designed for Reconnaissance" title="Reconnaissance">Reconnaissance phase. And in Ashok-v1.1 you can find the advanced google dorker and wayback crawling machine.

Main Features

- Wayback Crawler Machine
- Google Dorking without limits
- Github Information Grabbing
- Subdomain Identifier 
- Cms/Technology Detector With Custom Headers

Installation

~> git clone https://github.com/ankitdobhal/Ashok
~> cd Ashok
~> python3.7 -m pip3 install -r requirements.txt

How to use Ashok?

A detailed usage guide is available on Usage section of the Wiki.

But Some index of options is given below:

• Extract Http Headers from single url
• Dump internet-archive machine with json output for single url
• Google dorking using number of results as dorknumber
• Dns Lookup of single target domain
• Subdomain Lookup of single target domain
• Port Scan using nmap of single target domain
• Extract data using Github username of target
• Detect Cms of target url

Docker

Ashok can be launched using a lightweight Python3.8-Alpine Docker image.

$ docker pull powerexploit/ashok-v1.2
$ docker container run -it powerexploit/ashok-v1.2  --help

Credits

• hackertarget

HardeningMeter - Open-Source Python Tool Carefully Designed To Comprehensively Assess The Security Hardening Of Binaries And Systems

HardeningMeter is an open-source Python tool carefully designed to comprehensively assess the security hardening of binaries and systems. Its robust capabilities include thorough checks of various binary exploitation protection mechanisms, including Stack Canary, RELRO, randomizations (ASLR, PIC, PIE), None Exec Stack, Fortify, ASAN, NX bit. This tool is suitable for all types of binaries and provides accurate information about the hardening status of each binary, identifying those that deserve attention and those with robust security measures. Hardening Meter supports all Linux distributions and machine-readable output, the results can be printed to the screen a table format or be exported to a csv. (For more information see Documentation.md file)

Execute Scanning Example

Scan the '/usr/bin' directory, the '/usr/sbin/newusers' file, the system and export the results to a csv file.

python3 HardeningMeter.py -f /bin/cp -s

Installation Requirements

Before installing HardeningMeter, make sure your machine has the following: 1. readelf and file commands 2. python version 3 3. pip 4. tabulate

pip install tabulate

Install HardeningMeter

The very latest developments can be obtained via git.

Clone or download the project files (no compilation nor installation is required)

git clone https://github.com/OfriOuzan/HardeningMeter

Arguments

-f --file

Specify the files you want to scan, the argument can get more than one file seperated by spaces.

-d --directory

Specify the directory you want to scan, the argument retrieves one directory and scan all ELF files recursively.

-e --external

Specify whether you want to add external checks (False by default).

-m --show_missing

Prints according to the order, only those files that are missing security hardening mechanisms and need extra attention.

-s --system

Specify if you want to scan the system hardening methods.

-c --csv_format'

Specify if you want to save the results to csv file (results are printed as a table to stdout by default).

Results

HardeningMeter's results are printed as a table and consisted of 3 different states: - (X) - This state indicates that the binary hardening mechanism is disabled. - (V) - This state indicates that the binary hardening mechanism is enabled. - (-) - This state indicates that the binary hardening mechanism is not relevant in this particular case.

Notes

When the default language on Linux is not English make sure to add "LC_ALL=C" before calling the script.

Porch-Pirate - The Most Comprehensive Postman Recon / OSINT Client And Framework That Facilitates The Automated Discovery And Exploitation Of API Endpoints And Secrets Committed To Workspaces, Collections, Requests, Users And Teams

Porch Pirate started as a tool to quickly uncover Postman secrets, and has slowly begun to evolve into a multi-purpose reconaissance / OSINT framework for Postman. While existing tools are great proof of concepts, they only attempt to identify very specific keywords as "secrets", and in very limited locations, with no consideration to recon beyond secrets. We realized we required capabilities that were "secret-agnostic", and had enough flexibility to capture false-positives that still provided offensive value.

Porch Pirate enumerates and presents sensitive results (global secrets, unique headers, endpoints, query parameters, authorization, etc), from publicly accessible Postman entities, such as:

• Workspaces
• Collections
• Requests
• Users
• Teams

Installation

python3 -m pip install porch-pirate

Using the client

The Porch Pirate client can be used to nearly fully conduct reviews on public Postman entities in a quick and simple fashion. There are intended workflows and particular keywords to be used that can typically maximize results. These methodologies can be located on our blog: Plundering Postman with Porch Pirate.

Porch Pirate supports the following arguments to be performed on collections, workspaces, or users.

• --globals
• --collections
• --requests
• --urls
• --dump
• --raw
• --curl

Simple Search

porch-pirate -s "coca-cola.com"

Get Workspace Globals

By default, Porch Pirate will display globals from all active and inactive environments if they are defined in the workspace. Provide a -w argument with the workspace ID (found by performing a simple search, or automatic search dump) to extract the workspace's globals, along with other information.

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8

Dump Workspace

When an interesting result has been found with a simple search, we can provide the workspace ID to the -w argument with the --dump command to begin extracting information from the workspace and its collections.

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --dump

Automatic Search and Globals Extraction

Porch Pirate can be supplied a simple search term, following the --globals argument. Porch Pirate will dump all relevant workspaces tied to the results discovered in the simple search, but only if there are globals defined. This is particularly useful for quickly identifying potentially interesting workspaces to dig into further.

porch-pirate -s "shopify" --globals

Automatic Search Dump

Porch Pirate can be supplied a simple search term, following the --dump argument. Porch Pirate will dump all relevant workspaces and collections tied to the results discovered in the simple search. This is particularly useful for quickly sifting through potentially interesting results.

porch-pirate -s "coca-cola.com" --dump

Extract URLs from Workspace

A particularly useful way to use Porch Pirate is to extract all URLs from a workspace and export them to another tool for fuzzing.

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --urls

Automatic URL Extraction

Porch Pirate will recursively extract all URLs from workspaces and their collections related to a simple search term.

porch-pirate -s "coca-cola.com" --urls

Show Collections in a Workspace

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --collections

Show Workspace Requests

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --requests

Show raw JSON

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --raw

Show Entity Information

porch-pirate -w WORKSPACE_ID

porch-pirate -c COLLECTION_ID

porch-pirate -r REQUEST_ID

porch-pirate -u USERNAME/TEAMNAME

Convert Request to Curl

Porch Pirate can build curl requests when provided with a request ID for easier testing.

porch-pirate -r 11055256-b1529390-18d2-4dce-812f-ee4d33bffd38 --curl

Use a proxy

porch-pirate -s coca-cola.com --proxy 127.0.0.1:8080

Using as a library

Searching

p = porchpirate()
print(p.search('coca-cola.com'))

Get Workspace Collections

p = porchpirate()
print(p.collections('4127fdda-08be-4f34-af0e-a8bdc06efaba'))

Dumping a Workspace

p = porchpirate()
collections = json.loads(p.collections('4127fdda-08be-4f34-af0e-a8bdc06efaba'))
for collection in collections['data']: 
    requests = collection['requests']
    for r in requests:
        request_data = p.request(r['id'])
        print(request_data)

Grabbing a Workspace's Globals

p = porchpirate()
print(p.workspace_globals('4127fdda-08be-4f34-af0e-a8bdc06efaba'))

Other Examples

Other library usage examples can be located in the examples directory, which contains the following examples:

• dump_workspace.py
• format_search_results.py
• format_workspace_collections.py
• format_workspace_globals.py
• get_collection.py
• get_collections.py
• get_profile.py
• get_request.py
• get_statistics.py
• get_team.py
• get_user.py
• get_workspace.py
• recursive_globals_from_search.py
• request_to_curl.py
• search.py
• search_by_page.py
• workspace_collections.py

CloudGrappler - A purpose-built tool designed for effortless querying of high-fidelity and single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure

Permiso: https://permiso.io
Read our release blog: https://permiso.io/blog/cloudgrappler-a-powerful-open-source-threat-detection-tool-for-cloud-environments

CloudGrappler is a purpose-built tool designed for effortless querying of high-fidelity and single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure.

Notes

To optimize your utilization of CloudGrappler, we recommend using shorter time ranges when querying for results. This approach enhances efficiency and accelerates the retrieval of information, ensuring a more seamless experience with the tool.

Required Packages

bash pip3 install -r requirements.txt

Cloning cloudgrep locally

To clone the cloudgrep repository locally, run the clone.sh file. Alternatively, you can manually clone the repository into the same directory where CloudGrappler was cloned.

bash chmod +x clone.sh ./clone.sh

Input

This tool offers a CLI (Command Line Interface). As such, here we review its use:

Example 1 - Running the tool with default queries file

Define the scanning scope inside data_sources.json file based on your cloud infrastructure configuration. The following example showcases a structured data_sources.json file for both AWS and Azure environments:

Note

Modifying the source inside the queries.json file to a wildcard character (*) will scan the corresponding query across both AWS and Azure environments.

{
  "AWS": [
    {
      "bucket": "cloudtrail-logs-00000000-ffffff",
      "prefix": [
        "testTrails/AWSLogs/00000000/CloudTrail/eu-east-1/2024/03/03",
        "testTrails/AWSLogs/00000000/CloudTrail/us-west-1/2024/03/04"
      ]
    },
    {
      "bucket": "aws-kosova-us-east-1-00000000"
    }

  ],
  "AZURE": [
    {
      "accountname": "logs",
      "container": [
        "cloudgrappler"
      ]
    }
  ]
}

Run command

python3 main.py

Example 2 - Permiso Intel Use Case

python3 main.py -p

[+] Running GetFileDownloadUrls.*secrets_ for AWS 
[+] Threat Actor: LUCR3 
[+] Severity: MEDIUM 
[+] Description: Review use of CloudShell. Permiso seldom witnesses use of CloudShell outside of known attackers.This however may be a part of your normal business use case. 

Example 3 - Generate report

python3 main.py -p -jo

reports
└── json
    ├── AWS
    │   └── 2024-03-04 01:01 AM
    │       └── cloudtrail-logs-00000000-ffffff--
    │           └── testTrails/AWSLogs/00000000/CloudTrail/eu-east-1/2024/03/03
    │               └── GetFileDownloadUrls.*secrets_.json
    └── AZURE
        └── 2024-03-04 01:01 AM
            └── logs
                └── cloudgrappler
                    └── okta_key.json

Example 4 - Filtering logs based on date or time

python3 main.py -p -sd 2024-02-15 -ed 2024-02-16

Example 5 - Manually adding queries and data source types

python3 main.py -q "GetFileDownloadUrls.*secret", "UpdateAccessKey" -s '*'

Example 6 - Running the tool with your own queries file

python3 main.py -f new_file.json

Running in your Cloud and Authentication cloudgrep

AWS

Your system will need access to the S3 bucket. For example, if you are running on your laptop, you will need to configure the AWS CLI. If you are running on an EC2, an Instance Profile is likely the best choice.

If you run on an EC2 instance in the same region as the S3 bucket with a VPC endpoint for S3 you can avoid egress charges. You can authenticate in a number of ways.

Azure

The simplest way to authenticate with Azure is to first run:

az login

This will open a browser window and prompt you to login to Azure.

Attack Surface Management vs. Vulnerability Management

Sr2T - Converts Scanning Reports To A Tabular Format

Scanning reports to tabular (sr2t)

This tool takes a scanning tool's output file, and converts it to a tabular format (CSV, XLSX, or text table). This tool can process output from the following tools:

1. Nmap (XML);
2. Nessus (XML);
3. Nikto (XML);
4. Dirble (XML);
5. Testssl (JSON);
6. Fortify (FPR).

Rationale

This tool can offer a human-readable, tabular format which you can tie to any observations you have drafted in your report. Why? Because then your reviewers can tell that you, the pentester, investigated all found open ports, and looked at all scanning reports.

Dependencies

1. argparse (dev-python/argparse);
2. prettytable (dev-python/prettytable);
3. python (dev-lang/python);
4. xlsxwriter (dev-python/xlsxwriter).

Install

Using Pip:

pip install --user sr2t

Usage

You can use sr2t in two ways:

• When installed as package, call the installed script: sr2t --help.
• When Git cloned, call the package directly from the root of the Git repository: python -m src.sr2t --help

$ sr2t --help
usage: sr2t [-h] [--nessus NESSUS [NESSUS ...]] [--nmap NMAP [NMAP ...]]
            [--nikto NIKTO [NIKTO ...]] [--dirble DIRBLE [DIRBLE ...]]
            [--testssl TESTSSL [TESTSSL ...]]
            [--fortify FORTIFY [FORTIFY ...]] [--nmap-state NMAP_STATE]
            [--nmap-services] [--no-nessus-autoclassify]
            [--nessus-autoclassify-file NESSUS_AUTOCLASSIFY_FILE]
            [--nessus-tls-file NESSUS_TLS_FILE]
            [--nessus-x509-file NESSUS_X509_FILE]
            [--nessus-http-file NESSUS_HTTP_FILE]
            [--nessus-smb-file NESSUS_SMB_FILE]
            [--nessus-rdp-file NESSUS_RDP_FILE]
            [--nessus-ssh-file NESSUS_SSH_FILE]
            [--nessus-min-severity NESSUS_MIN_SEVERITY]
            [--nessus-plugin-name-width NESSUS_PLUGIN_NAME_WIDTH]
            [--nessus-sort-by NESSUS_SORT_BY]
            [--nikto-description-width NIKTO_DESCRIPTION_WIDTH]<   br/>            [--fortify-details] [--annotation-width ANNOTATION_WIDTH]
            [-oC OUTPUT_CSV] [-oT OUTPUT_TXT] [-oX OUTPUT_XLSX]
            [-oA OUTPUT_ALL]

Converting scanning reports to a tabular format

optional arguments:
  -h, --help            show this help message and exit
  --nmap-state NMAP_STATE
                        Specify the desired state to filter (e.g.
                        open|filtered).
  --nmap-services       Specify to ouput a supplemental list of detected
                        services.
  --no-nessus-autoclassify
                        Specify to not autoclassify Nessus results.
  --nessus-autoclassify-file NESSUS_AUTOCLASSIFY_FILE
                        Specify to override a custom Nessus autoclassify YAML
                        file.
  --nessus-tls-file NESSUS_TLS_FILE
                        Specify to override a custom Nessus TLS findings YAML
                           file.
  --nessus-x509-file NESSUS_X509_FILE
                        Specify to override a custom Nessus X.509 findings
                        YAML file.
  --nessus-http-file NESSUS_HTTP_FILE
                        Specify to override a custom Nessus HTTP findings YAML
                        file.
  --nessus-smb-file NESSUS_SMB_FILE
                        Specify to override a custom Nessus SMB findings YAML
                        file.
  --nessus-rdp-file NESSUS_RDP_FILE
                        Specify to override a custom Nessus RDP findings YAML
                        file.
  --nessus-ssh-file NESSUS_SSH_FILE
                        Specify to override a custom Nessus SSH findings YAML
                        file.
  --nessus-min-severity NESSUS_MIN_SEVERITY
                        Specify the minimum severity to output (e.g. 1).
  --nessus-plugin-name-width NESSUS_PLUGIN_NAME_WIDTH
                           Specify the width of the pluginid column (e.g. 30).
  --nessus-sort-by NESSUS_SORT_BY
                        Specify to sort output by ip-address, port, plugin-id,
                        plugin-name or severity.
  --nikto-description-width NIKTO_DESCRIPTION_WIDTH
                        Specify the width of the description column (e.g. 30).
  --fortify-details     Specify to include the Fortify abstracts, explanations
                        and recommendations for each vulnerability.
  --annotation-width ANNOTATION_WIDTH
                        Specify the width of the annotation column (e.g. 30).
  -oC OUTPUT_CSV, --output-csv OUTPUT_CSV
                        Specify the output CSV basename (e.g. output).
  -oT OUTPUT_TXT, --output-txt OUTPUT_TXT
                        Specify the output TXT file (e.g. output.txt).
  -oX OUTPUT_XLSX, --output-xlsx OUTPUT_XLSX
                        Specify the outpu   t XLSX file (e.g. output.xlsx). Only
                        for Nessus at the moment
  -oA OUTPUT_ALL, --output-all OUTPUT_ALL
                        Specify the output basename to output to all formats
                        (e.g. output).

specify at least one:
  --nessus NESSUS [NESSUS ...]
                        Specify (multiple) Nessus XML files.
  --nmap NMAP [NMAP ...]
                        Specify (multiple) Nmap XML files.
  --nikto NIKTO [NIKTO ...]
                        Specify (multiple) Nikto XML files.
  --dirble DIRBLE [DIRBLE ...]
                        Specify (multiple) Dirble XML files.
  --testssl TESTSSL [TESTSSL ...]
                        Specify (multiple) Testssl JSON files.
  --fortify FORTIFY [FORTIFY ...]
                        Specify (multiple) HP Fortify FPR files.

Example

A few examples

Nessus

To produce an XLSX format:

$ sr2t --nessus example/nessus.nessus --no-nessus-autoclassify -oX example.xlsx

To produce an text tabular format to stdout:

$ sr2t --nessus example/nessus.nessus
+---------------+-------+-----------+-----------------------------------------------------------------------------+----------+-------------+
|       host    |  port | plugin id |                                 plugin name                                 | severity | annotations |
+---------------+-------+-----------+-----------------------------------------------------------------------------+----------+-------------+
| 192.168.142.4 | 3389  |   42873   | SSL Medium Strength Cipher Suites Supported (SWEET32)                       |    2     |      X      |
| 192.168.142.4 | 443   |   42873   | SSL Medium Strength Cipher Suites Supported (SWEET32)                       |    2     |      X      |
| 192.168.142.4 | 3389  |   18405   | Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness |    2     |      X      |
| 192.168.142.4 | 3389  |   30218   | Terminal Services Encryption Level is    not FIPS-140 Compliant                |    1     |      X      |
| 192.168.142.4 | 3389  |   57690   | Terminal Services Encryption Level is Medium or Low                         |    2     |      X      |
| 192.168.142.4 | 3389  |   58453   | Terminal Services Doesn't Use Network Level Authentication (NLA) Only       |    2     |      X      |
| 192.168.142.4 | 3389  |   45411   | SSL Certificate with Wrong Hostname                                         |    2     |      X      |
| 192.168.142.4 | 443   |   45411   | SSL Certificate with Wrong Hostname                                         |    2     |      X      |
| 192.168.142.4 | 3389  |   35291   | SSL Certificate Signed Using Weak Hashing Algorithm                         |    2     |      X      |
| 192.168.142.4 | 3389  |   57582   | SSL Self-Signed Certificate                                                 |    2     |      X      |
| 192.168.142.4 | 3389  |   51192   | SSL Certificate Can   not Be Trusted                                           |    2     |      X      |
| 192.168.142.2 | 3389  |   42873   | SSL Medium Strength Cipher Suites Supported (SWEET32)                       |    2     |      X      |
| 192.168.142.2 | 443   |   42873   | SSL Medium Strength Cipher Suites Supported (SWEET32)                       |    2     |      X      |
| 192.168.142.2 | 3389  |   18405   | Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness |    2     |      X      |
| 192.168.142.2 | 3389  |   30218   | Terminal Services Encryption Level is not FIPS-140 Compliant                |    1     |      X      |
| 192.168.142.2 | 3389  |   57690   | Terminal Services Encryption Level is Medium or Low                         |    2     |      X      |
| 192.168.142.2 | 3389  |   58453   | Terminal Services Doesn't Use Network Level Authentication (NLA) Only       |    2     |      X      |
| 192.168.142.2 | 3389  |   45411   | S   SL Certificate with Wrong Hostname                                         |    2     |      X      |
| 192.168.142.2 | 443   |   45411   | SSL Certificate with Wrong Hostname                                         |    2     |      X      |
| 192.168.142.2 | 3389  |   35291   | SSL Certificate Signed Using Weak Hashing Algorithm                         |    2     |      X      |
| 192.168.142.2 | 3389  |   57582   | SSL Self-Signed Certificate                                                 |    2     |      X      |
| 192.168.142.2 | 3389  |   51192   | SSL Certificate Cannot Be Trusted                                           |    2     |      X      |
| 192.168.142.2 | 445   |   57608   | SMB Signing not required                                                    |    2     |      X      |
+---------------+-------+-----------+-----------------------------------------------------------------------------+----------+-------------+

Or to output a CSV file:

$ sr2t --nessus example/nessus.nessus -oC example
$ cat example_nessus.csv
host,port,plugin id,plugin name,severity,annotations
192.168.142.4,3389,42873,SSL Medium Strength Cipher Suites Supported (SWEET32),2,X
192.168.142.4,443,42873,SSL Medium Strength Cipher Suites Supported (SWEET32),2,X
192.168.142.4,3389,18405,Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness,2,X
192.168.142.4,3389,30218,Terminal Services Encryption Level is not FIPS-140 Compliant,1,X
192.168.142.4,3389,57690,Terminal Services Encryption Level is Medium or Low,2,X
192.168.142.4,3389,58453,Terminal Services Doesn't Use Network Level Authentication (NLA) Only,2,X
192.168.142.4,3389,45411,SSL Certificate with Wrong Hostname,2,X
192.168.142.4,443,45411,SSL Certificate with Wrong Hostname,2,X
192.168.142.4,3389,35291,SSL Certificate Signed Using Weak Hashing Algorithm,2,X
192.168.142.4,3389,57582,SSL Self-Signed Certificate,2,X
   192.168.142.4,3389,51192,SSL Certificate Cannot Be Trusted,2,X
192.168.142.2,3389,42873,SSL Medium Strength Cipher Suites Supported (SWEET32),2,X
192.168.142.2,443,42873,SSL Medium Strength Cipher Suites Supported (SWEET32),2,X
192.168.142.2,3389,18405,Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness,2,X
192.168.142.2,3389,30218,Terminal Services Encryption Level is not FIPS-140 Compliant,1,X
192.168.142.2,3389,57690,Terminal Services Encryption Level is Medium or Low,2,X
192.168.142.2,3389,58453,Terminal Services Doesn't Use Network Level Authentication (NLA) Only,2,X
192.168.142.2,3389,45411,SSL Certificate with Wrong Hostname,2,X
192.168.142.2,443,45411,SSL Certificate with Wrong Hostname,2,X
192.168.142.2,3389,35291,SSL Certificate Signed Using Weak Hashing Algorithm,2,X
192.168.142.2,3389,57582,SSL Self-Signed Certificate,2,X
192.168.142.2,3389,51192,SSL Certificate Cannot Be Trusted,2,X
192.168.142.2,44   5,57608,SMB Signing not required,2,X

Nmap

To produce an XLSX format:

$ sr2t --nmap example/nmap.xml -oX example.xlsx

To produce an text tabular format to stdout:

$ sr2t --nmap example/nmap.xml --nmap-services
Nmap TCP:
+-----------------+----+----+----+-----+-----+-----+-----+------+------+------+
|                 | 53 | 80 | 88 | 135 | 139 | 389 | 445 | 3389 | 5800 | 5900 |
+-----------------+----+----+----+-----+-----+-----+-----+------+------+------+
| 192.168.23.78   | X  |    | X  |  X  |  X  |  X  |  X  |  X   |      |      |
| 192.168.27.243  |    |    |    |  X  |  X  |     |  X  |  X   |  X   |  X   |
| 192.168.99.164  |    |    |    |  X  |  X  |     |  X  |  X   |  X   |  X   |
| 192.168.228.211 |    | X  |    |     |     |     |     |      |      |      |
| 192.168.171.74  |    |    |    |  X  |  X  |     |  X  |  X   |  X   |  X   |
+-----------------+----+----+----+-----+-----+-----+-----+------+------+------+

Nmap Services:
+-----------------+------+-------+---------------+-------+
| ip address      | port | proto | service       | state |
+---------------   --+------+-------+---------------+-------+
| 192.168.23.78   | 53   | tcp   | domain        | open  |
| 192.168.23.78   | 88   | tcp   | kerberos-sec  | open  |
| 192.168.23.78   | 135  | tcp   | msrpc         | open  |
| 192.168.23.78   | 139  | tcp   | netbios-ssn   | open  |
| 192.168.23.78   | 389  | tcp   | ldap          | open  |
| 192.168.23.78   | 445  | tcp   | microsoft-ds  | open  |
| 192.168.23.78   | 3389 | tcp   | ms-wbt-server | open  |
| 192.168.27.243  | 135  | tcp   | msrpc         | open  |
| 192.168.27.243  | 139  | tcp   | netbios-ssn   | open  |
| 192.168.27.243  | 445  | tcp   | microsoft-ds  | open  |
| 192.168.27.243  | 3389 | tcp   | ms-wbt-server | open  |
| 192.168.27.243  | 5800 | tcp   | vnc-http      | open  |
| 192.168.27.243  | 5900 | tcp   | vnc           | open  |
| 192.168.99.164  | 135  | tcp   | msrpc         | open  |
| 192.168.99.164  | 139  | tcp   | netbios-ssn   | open  |
| 192   .168.99.164  | 445  | tcp   | microsoft-ds  | open  |
| 192.168.99.164  | 3389 | tcp   | ms-wbt-server | open  |
| 192.168.99.164  | 5800 | tcp   | vnc-http      | open  |
| 192.168.99.164  | 5900 | tcp   | vnc           | open  |
| 192.168.228.211 | 80   | tcp   | http          | open  |
| 192.168.171.74  | 135  | tcp   | msrpc         | open  |
| 192.168.171.74  | 139  | tcp   | netbios-ssn   | open  |
| 192.168.171.74  | 445  | tcp   | microsoft-ds  | open  |
| 192.168.171.74  | 3389 | tcp   | ms-wbt-server | open  |
| 192.168.171.74  | 5800 | tcp   | vnc-http      | open  |
| 192.168.171.74  | 5900 | tcp   | vnc           | open  |
+-----------------+------+-------+---------------+-------+

Or to output a CSV file:

$ sr2t --nmap example/nmap.xml -oC example
$ cat example_nmap_tcp.csv
ip address,53,80,88,135,139,389,445,3389,5800,5900
192.168.23.78,X,,X,X,X,X,X,X,,
192.168.27.243,,,,X,X,,X,X,X,X
192.168.99.164,,,,X,X,,X,X,X,X
192.168.228.211,,X,,,,,,,,
192.168.171.74,,,,X,X,,X,X,X,X

Nikto

To produce an XLSX format:

$ sr2t --nikto example/nikto.xml -oX example/nikto.xlsx

To produce an text tabular format to stdout:

$ sr2t --nikto example/nikto.xml
+----------------+-----------------+-------------+----------------------------------------------------------------------------------+-------------+
| target ip      | target hostname | target port | description                                                                      | annotations |
+----------------+-----------------+-------------+----------------------------------------------------------------------------------+-------------+
| 192.168.178.10 | 192.168.178.10  | 80          | The anti-clickjacking X-Frame-Options header is not present.                     |      X      |
| 192.168.178.10 | 192.168.178.10  | 80          | The X-XSS-Protection header is not defined. This header can hint to the user     |      X      |
|                |                 |             | agent to protect against some forms of XSS                                       |             |
| 192.168.178.10 | 192.168.178.10  | 8   0          | The X-Content-Type-Options header is not set. This could allow the user agent to |      X      |
|                |                 |             | render the content of the site in a different fashion to the MIME type           |             |
+----------------+-----------------+-------------+----------------------------------------------------------------------------------+-------------+

Or to output a CSV file:

$ sr2t --nikto example/nikto.xml -oC example
$ cat example_nikto.csv
target ip,target hostname,target port,description,annotations
192.168.178.10,192.168.178.10,80,The anti-clickjacking X-Frame-Options header is not present.,X
192.168.178.10,192.168.178.10,80,"The X-XSS-Protection header is not defined. This header can hint to the user
agent to protect against some forms of XSS",X
192.168.178.10,192.168.178.10,80,"The X-Content-Type-Options header is not set. This could allow the user agent to
render the content of the site in a different fashion to the MIME type",X

Dirble

To produce an XLSX format:

$ sr2t --dirble example/dirble.xml -oX example.xlsx

To produce an text tabular format to stdout:

$ sr2t --dirble example/dirble.xml
+-----------------------------------+------+-------------+--------------+-------------+---------------------+--------------+-------------+
| url                               | code | content len | is directory | is listable | found from listable | redirect url | annotations |
+-----------------------------------+------+-------------+--------------+-------------+---------------------+--------------+-------------+
| http://example.org/flv            | 0    | 0           | false        | false       | false               |              |      X      |
| http://example.org/hire           | 0    | 0           | false        | false       | false               |              |      X      |
| http://example.org/phpSQLiteAdmin | 0    | 0           | false        | false       | false               |              |      X      |
| http://example.org/print_order    | 0    | 0           | false        | false       | fa   lse               |              |      X      |
| http://example.org/putty          | 0    | 0           | false        | false       | false               |              |      X      |
| http://example.org/receipts       | 0    | 0           | false        | false       | false               |              |      X      |
+-----------------------------------+------+-------------+--------------+-------------+---------------------+--------------+-------------+

Or to output a CSV file:

$ sr2t --dirble example/dirble.xml -oC example
$ cat example_dirble.csv
url,code,content len,is directory,is listable,found from listable,redirect url,annotations
http://example.org/flv,0,0,false,false,false,,X
http://example.org/hire,0,0,false,false,false,,X
http://example.org/phpSQLiteAdmin,0,0,false,false,false,,X
http://example.org/print_order,0,0,false,false,false,,X
http://example.org/putty,0,0,false,false,false,,X
http://example.org/receipts,0,0,false,false,false,,X

Testssl

To produce an XLSX format:

$ sr2t --testssl example/testssl.json -oX example.xlsx

To produce an text tabular format to stdout:

$ sr2t --testssl example/testssl.json
+-----------------------------------+------+--------+---------+--------+------------+-----+---------+---------+----------+
| ip address                        | port | BREACH | No HSTS | No PFS | No TLSv1.3 | RC4 | TLSv1.0 | TLSv1.1 | Wildcard |
+-----------------------------------+------+--------+---------+--------+------------+-----+---------+---------+----------+
| rc4-md5.badssl.com/104.154.89.105 | 443  |   X    |    X    |   X    |     X      |  X  |    X    |    X    |    X     |
+-----------------------------------+------+--------+---------+--------+------------+-----+---------+---------+----------+

Or to output a CSV file:

$ sr2t --testssl example/testssl.json -oC example
$ cat example_testssl.csv
ip address,port,BREACH,No HSTS,No PFS,No TLSv1.3,RC4,TLSv1.0,TLSv1.1,Wildcard
rc4-md5.badssl.com/104.154.89.105,443,X,X,X,X,X,X,X,X

Fortify

To produce an XLSX format:

$ sr2t --fortify example/fortify.fpr -oX example.xlsx

To produce an text tabular format to stdout:

$ sr2t --fortify example/fortify.fpr
+--------------------------+-----------------------+-------------------------------+----------+------------+-------------+
|                          |          type         |            subtype            | severity | confidence | annotations |
+--------------------------+-----------------------+-------------------------------+----------+------------+-------------+
| example1/web.xml:135:135 | J2EE Misconfiguration | Insecure Transport            |   3.0    |    5.0     |      X      |
| example2/web.xml:150:150 | J2EE Misconfiguration | Insecure Transport            |   3.0    |    5.0     |      X      |
| example3/web.xml:109:109 | J2EE Misconfiguration | Incomplete Error Handling     |   3.0    |    5.0     |      X      |
| example4/web.xml:108:108 | J2EE Misconfiguration | Incomplete Error Handling     |   3.0    |    5.0     |      X      |
| example5/web.xml:166:166 | J2EE Misconfiguration | Inse   cure Transport            |   3.0    |    5.0     |      X      |
| example6/web.xml:2:2     | J2EE Misconfiguration | Excessive Session Timeout     |   3.0    |    5.0     |      X      |
| example7/web.xml:162:162 | J2EE Misconfiguration | Missing Authentication Method |   3.0    |    5.0     |      X      |
+--------------------------+-----------------------+-------------------------------+----------+------------+-------------+

Or to output a CSV file:

$ sr2t --fortify example/fortify.fpr -oC example
$ cat example_fortify.csv
,type,subtype,severity,confidence,annotations
example1/web.xml:135:135,J2EE Misconfiguration,Insecure Transport,3.0,5.0,X
example2/web.xml:150:150,J2EE Misconfiguration,Insecure Transport,3.0,5.0,X
example3/web.xml:109:109,J2EE Misconfiguration,Incomplete Error Handling,3.0,5.0,X
example4/web.xml:108:108,J2EE Misconfiguration,Incomplete Error Handling,3.0,5.0,X
example5/web.xml:166:166,J2EE Misconfiguration,Insecure Transport,3.0,5.0,X
example6/web.xml:2:2,J2EE Misconfiguration,Excessive Session Timeout,3.0,5.0,X
example7/web.xml:162:162,J2EE Misconfiguration,Missing Authentication Method,3.0,5.0,X

Donate

• WOW: WW4L3VCX11zWgKPX51TRw2RENe8STkbCkh5wTV4GuQnbZ1fKYmPFobZhEfS1G9G3vwjBhzioi3vx8JgBx2xLxe4N1gtJee8Mp

GitHub Launches AI-Powered Autofix Tool to Assist Devs in Patching Security Flaws

CVE-2024-23897 - Jenkins <= 2.441 & <= LTS 2.426.2 PoC And Scanner

Exploitation and scanning tool specifically designed for Jenkins versions <= 2.441 & <= LTS 2.426.2. It leverages CVE-2024-23897 to assess and exploit vulnerabilities in Jenkins instances.

Ensure you have the necessary permissions to scan and exploit the target systems. Use this tool responsibly and ethically.

python CVE-2024-23897.py -t <target> -p <port> -f <file>

or

python CVE-2024-23897.py -i <input_file> -f <file>

Parameters: - -t or --target: Specify the target IP(s). Supports single IP, IP range, comma-separated list, or CIDR block. - -i or --input-file: Path to input file containing hosts in the format of http://1.2.3.4:8080/ (one per line). - -o or --output-file: Export results to file (optional). - -p or --port: Specify the port number. Default is 8080 (optional). - -f or --file: Specify the file to read on the target system.

• Added scanning/exploiting via input file with hosts (-i INPUT_FILE).
• Added export to file (-o OUTPUT_FILE).

• Initial release.

Contributions are welcome. Please feel free to fork, modify, and make pull requests or report issues.

Alexander Hagenah - URL - Twitter

This tool is meant for educational and professional purposes only. Unauthorized scanning and exploiting of systems is illegal and unethical. Always ensure you have explicit permission to test and exploit any systems you target.

RepoReaper - An Automated Tool Crafted To Meticulously Scan And Identify Exposed .Git Repositories Within Specified Domains And Their Subdomains

RepoReaper is a precision tool designed to automate the identification of exposed .git repositories across a list of domains and subdomains. By processing a user-provided text file with domain names, RepoReaper systematically checks each for publicly accessible .git files. This enables rapid assessment and protection against information leaks, making RepoReaper an essential resource for security teams and web developers.

• Automated scanning of domains and subdomains for exposed .git repositories.
• Streamlines the detection of sensitive data exposures.
• User-friendly command-line interface.
• Ideal for security audits and Bug Bounty.

Clone the repository and install the required dependencies:

git clone https://github.com/YourUsername/RepoReaper.git
cd RepoReaper
pip install -r requirements.txt
chmod +x RepoReaper.py

RepoReaper is executed from the command line and will prompt for the path to a file containing a list of domains or subdomains to be scanned.

To start RepoReaper, simply run:

./RepoReaper.py
  or
python3 RepoReaper.py

Upon execution, RepoReaper will ask for the path to the file containing the domains or subdomains: Enter the path of the file containing domains

Provide the path to your text file when prompted. The file should contain one domain or subdomain per line, like so:

example.com
subdomain.example.com
anotherdomain.com

RepoReaper will then proceed to scan the provided domains or subdomains for exposed .git repositories and report its findings. 

This tool is intended for educational purposes and security research only. The user assumes all responsibility for any damages or misuse resulting from its use.

SwaggerSpy - Automated OSINT On SwaggerHub

SwaggerSpy is a tool designed for automated Open Source Intelligence (OSINT) on SwaggerHub. This project aims to streamline the process of gathering intelligence from APIs documented on SwaggerHub, providing valuable insights for security researchers, developers, and IT professionals.

Swagger is an open-source framework that allows developers to design, build, document, and consume RESTful web services. It simplifies API development by providing a standard way to describe REST APIs using a JSON or YAML format. Swagger enables developers to create interactive documentation for their APIs, making it easier for both developers and non-developers to understand and use the API.

SwaggerHub is a collaborative platform for designing, building, and managing APIs using the Swagger framework. It offers a centralized repository for API documentation, version control, and collaboration among team members. SwaggerHub simplifies the API development lifecycle by providing a unified platform for API design and testing.

Performing OSINT on SwaggerHub is crucial because developers, in their pursuit of efficient API documentation and sharing, may inadvertently expose sensitive information. Here are key reasons why OSINT on SwaggerHub is valuable:

1. Developer Oversights: Developers might unintentionally include secrets, credentials, or sensitive information in API documentation on SwaggerHub. These oversights can lead to security vulnerabilities and unauthorized access if not identified and addressed promptly.

2. Security Best Practices: OSINT on SwaggerHub helps enforce security best practices. Identifying and rectifying potential security issues early in the development lifecycle is essential to ensure the confidentiality and integrity of APIs.

3. Preventing Data Leaks: By systematically scanning SwaggerHub for sensitive information, organizations can proactively prevent data leaks. This is especially crucial in today's interconnected digital landscape where APIs play a vital role in data exchange between services.

4. Risk Mitigation: Understanding that developers might forget to remove or obfuscate sensitive details in API documentation underscores the importance of continuous OSINT on SwaggerHub. This proactive approach mitigates the risk of unintentional exposure of critical information.

5. Compliance and Privacy: Many industries have stringent compliance requirements regarding the protection of sensitive data. OSINT on SwaggerHub ensures that APIs adhere to these regulations, promoting a culture of compliance and safeguarding user privacy.

6. Educational Opportunities: Identifying oversights in SwaggerHub documentation provides educational opportunities for developers. It encourages a security-conscious mindset, fostering a culture of awareness and responsible information handling.

By recognizing that developers can inadvertently expose secrets, OSINT on SwaggerHub becomes an integral part of the overall security strategy, safeguarding against potential threats and promoting a secure API ecosystem.

SwaggerSpy obtains information from SwaggerHub and utilizes regular expressions to inspect API documentation for sensitive information, such as secrets and credentials.

To use SwaggerSpy, follow these steps:

1. Installation: Clone the SwaggerSpy repository and install the required dependencies.

git clone https://github.com/UndeadSec/SwaggerSpy.git
cd SwaggerSpy
pip install -r requirements.txt

1. Usage: Run SwaggerSpy with the target search terms (more accurate with domains).

python swaggerspy.py searchterm

1. Results: SwaggerSpy will generate a report containing OSINT findings, including information about the API, endpoints, and secrets.

SwaggerSpy is intended for educational and research purposes only. Users are responsible for ensuring that their use of this tool complies with applicable laws and regulations.

Contributions to SwaggerSpy are welcome! Feel free to submit issues, feature requests, or pull requests to help improve this tool.

SwaggerSpy is developed and maintained by Alisson Moretto (UndeadSec)

I'm a passionate cyber threat intelligence pro who loves sharing insights and crafting cybersecurity tools.

• [ ] Review and improve existing regular expressions.
• [ ] Ensure that regular expressions adhere to best practices.
• [ ] Check for any potential optimizations in the regex patterns.
• [ ] Test regular expressions with various input scenarios for accuracy.
• [ ] Document any complex or non-trivial regex patterns for better understanding.
• [ ] Explore opportunities to modularize or break down complex patterns.
• [ ] Verify the regular expressions against the latest specifications or requirements.
• [ ] Update documentation to reflect any changes made to the regular expressions.

SwaggerSpy is licensed under the MIT License. See the LICENSE file for details.

Special thanks to @Liodeus for providing project inspiration through swaggerHole.

AzSubEnum - Azure Service Subdomain Enumeration

AzSubEnum is a specialized subdomain enumeration tool tailored for Azure services. This tool is designed to meticulously search and identify subdomains associated with various Azure services. Through a combination of techniques and queries, AzSubEnum delves into the Azure domain structure, systematically probing and collecting subdomains related to a diverse range of Azure services.

AzSubEnum operates by leveraging DNS resolution techniques and systematic permutation methods to unveil subdomains associated with Azure services such as Azure App Services, Storage Accounts, Azure Databases (including MSSQL, Cosmos DB, and Redis), Key Vaults, CDN, Email, SharePoint, Azure Container Registry, and more. Its functionality extends to comprehensively scanning different Azure service domains to identify associated subdomains.

With this tool, users can conduct thorough subdomain enumeration within Azure environments, aiding security professionals, researchers, and administrators in gaining insights into the expansive landscape of Azure services and their corresponding subdomains.

During my learning journey on Azure AD exploitation, I discovered that the Azure subdomain tool, Invoke-EnumerateAzureSubDomains from NetSPI, was unable to run on my Debian PowerShell. Consequently, I created a crude implementation of that tool in Python.

➜  AzSubEnum git:(main) ✗ python3 azsubenum.py --help
usage: azsubenum.py [-h] -b BASE [-v] [-t THREADS] [-p PERMUTATIONS]

Azure Subdomain Enumeration

options:
  -h, --help            show this help message and exit
  -b BASE, --base BASE  Base name to use
  -v, --verbose         Show verbose output
  -t THREADS, --threads THREADS
                        Number of threads for concurrent execution
  -p PERMUTATIONS, --permutations PERMUTATIONS
                        File containing permutations

Basic enumeration:

python3 azsubenum.py -b retailcorp --thread 10

Using permutation wordlists:

python3 azsubenum.py -b retailcorp --thread 10 --permutation permutations.txt

With verbose output:

python3 azsubenum.py -b retailcorp --thread 10 --permutation permutations.txt --verbose

SqliSniper - Advanced Time-based Blind SQL Injection Fuzzer For HTTP Headers

SqliSniper is a robust Python tool designed to detect time-based blind SQL injections in HTTP request headers. It enhances the security assessment process by rapidly scanning and identifying potential vulnerabilities using multi-threaded, ensuring speed and efficiency. Unlike other scanners, SqliSniper is designed to eliminates false positives through and send alerts upon detection, with the built-in Discord notification functionality.

Key Features

• Time-Based Blind SQL Injection Detection: Pinpoints potential SQL injection vulnerabilities in HTTP headers.
• Multi-Threaded Scanning: Offers faster scanning capabilities through concurrent processing.
• Discord Notifications: Sends alerts via Discord webhook for detected vulnerabilities.
• False Positive Checks: Implements response time analysis to differentiate between true positives and false alarms.
• Custom Payload and Headers Support: Allows users to define custom payloads and headers for targeted scanning.

Installation

git clone https://github.com/danialhalo/SqliSniper.git
cd SqliSniper
chmod +x sqlisniper.py
pip3 install -r requirements.txt

Usage

This will display help for the tool. Here are all the options it supports.

ubuntu:~/sqlisniper$ ./sqlisniper.py -h


███████╗ ██████╗ ██╗     ██╗    ███████╗███╗   ██╗██╗██████╗ ███████╗██████╗
██╔════╝██╔═══██╗██║     ██║    ██╔════╝████╗  ██║██║██╔══██╗██╔════╝██╔══██╗
 ██████╗██║   ██║██║     ██║    ███████╗██╔██╗ ██║██║██████╔╝█████╗  ██████╔╝
╚════██║██║▄▄ ██║██║     ██║    ╚════██║██║╚██╗██║██║██╔═══╝ ██╔══╝  ██╔══██╗
███████║╚██ ███╔╝███████╗██║    ███████║██║ ╚████║██║██║     ███████╗██║  ██║
╚══════╝ ╚══▀▀═╝ ╚══════╝╚═╝    ╚══════╝╚═╝  ╚═══╝╚═╝╚═╝     ╚══════╝╚═╝  ╚═╝

                            -: By Muhammad Danial :-

usage: sqlisniper.py [-h] [-u URL] [-r URLS_FILE] [-p] [--proxy PROXY] [--payload PA   YLOAD] [--single-payload SINGLE_PAYLOAD] [--discord DISCORD] [--headers HEADERS]
                     [--threads THREADS]

Detect SQL injection by sending malicious queries

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Single URL for the target
  -r URLS_FILE, --urls_file URLS_FILE
                        File containing a list of URLs
  -p, --pipeline        Read from pipeline
  --proxy PROXY         Proxy for intercepting requests (e.g., http://127.0.0.1:8080)
  --payload PAYLOAD     File containing malicious payloads (default is payloads.txt)
  --single-payload SINGLE_PAYLOAD
                        Single payload for testing
  --discord DISCORD     Discord Webhook URL
  --headers HEADERS     File containing headers (default is headers.txt)
  --threads THREADS     Number of threads

Running SqliSniper

Single Url Scan

The url can be provided with -u flag for single site scan

./sqlisniper.py -u http://example.com

File Input

The -r flag allows SqliSniper to read a file containing multiple URLs for simultaneous scanning.

./sqlisniper.py -r url.txt

piping URLs

The SqliSniper can also worked with the pipeline input with -p flag

cat url.txt | ./sqlisniper.py -p

The pipeline feature facilitates seamless integration with other tools. For instance, you can utilize tools like subfinder and httpx, and then pipe their output to SqliSniper for mass scanning.

subfinder -silent -d google.com | sort -u | httpx -silent | ./sqlisniper.py -p

Scanning with custom payloads

By default the SqliSniper use the payloads.txt file. However --payload flag can be used for providing custom payloads file.

./sqlisniper.py -u http://example.com --payload mssql_payloads.txt

While using the custom payloads file, ensure that you substitute the sleep time with %__TIME_OUT__%. SqliSniper dynamically adjusts the sleep time iteratively to mitigate potential false positives. The payloads file should look like this.

ubuntu:~/sqlisniper$ cat payloads.txt 
0\"XOR(if(now()=sysdate(),sleep(%__TIME_OUT__%),0))XOR\"Z
"0"XOR(if(now()=sysdate()%2Csleep(%__TIME_OUT__%)%2C0))XOR"Z"
0'XOR(if(now()=sysdate(),sleep(%__TIME_OUT__%),0))XOR'Z

Scanning with Single Payloads

If you want to only test with the single payload --single-payload flag can be used. Make sure to replace the sleep time with %__TIME_OUT__%

./sqlisniper.py -r url.txt --single-payload "0'XOR(if(now()=sysdate(),sleep(%__TIME_OUT__%),0))XOR'Z"

Scanning Custom Header

Headers are saved in the file headers.txt for scanning custom header save the custom HTTP Request Header in headers.txt file.

ubuntu:~/sqlisniper$ cat headers.txt 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
X-Forwarded-For: 127.0.0.1

Sending Discord Alert Notifications

SqliSniper also offers Discord alert notifications, enhancing its functionality by providing real-time alerts through Discord webhooks. This feature proves invaluable during large-scale scans, allowing prompt notifications upon detection.

./sqlisniper.py -r url.txt --discord <web_hookurl>

Multi-Threading

Threads can be defined with --threads flag

 ./sqlisniper.py -r url.txt --threads 10

Note: It is crucial to consider that employing a higher number of threads might lead to potential false positives or overlooking valid issues. Due to the nature of time-based SQL injection it is recommended to use lower thread for more accurate detection.

BucketLoot - An Automated S3-compatible Bucket Inspector

To know more about our Attack Surface Management platform, check out NVADR.

CATSploit - An Automated Penetration Testing Tool Using Cyber Attack Techniques Scoring

CATSploit is an automated penetration testing tool using Cyber Attack Techniques Scoring (CATS) method that can be used without pentester. Currently, pentesters implicitly made the selection of suitable attack techniques for target systems to be attacked. CATSploit uses system configuration information such as OS, open ports, software version collected by scanner and calculates a score value for capture eVc and detectability eVd of each attack techniques for target system. By selecting the highest score values, it is possible to select the most appropriate attack technique for the target system without hack knack(professional pentester’s skill) .

CATSploit automatically performs penetration tests in the following sequence:

1. Information gathering and prior information input First, gathering information of target systems. CATSploit supports nmap and OpenVAS to gather information of target systems. CATSploit also supports prior information of target systems if you have.

2. Calculating score value of attack techniques Using information obtained in the previous phase and attack techniques database, evaluation values of capture (eVc) and detectability (eVd) of each attack techniques are calculated. For each target computer, the values of each attack technique are calculated.

3. Selection of attack techniques by using scores and make attack scenario Select attack techniques and create attack scenarios according to pre-defined policies. For example, for a policy that prioritized hard-to-detect, the attack techniques with the lowest eVd(Detectable Score) will be selected.

4. Execution of attack scenario CATSploit executes the attack techniques according to attack scenario constructed in the previous phase. CATSploit uses Metasploit as a framework and Metasploit API to execute actual attacks.

Prerequisities

CATSploit has the following prerequisites:

• Kali Linux 2023.2a

Installation

For Metasploit, Nmap and OpenVAS, it is assumed to be installed with the Kali Distribution.

Installing CATSploit

To install the latest version of CATSploit, please use the following commands:

Cloneing and setup

$ git clone https://github.com/catsploit/catsploit.git
$ cd catsploit
$ git clone https://github.com/catsploit/cats-helper.git
$ sudo ./setup.sh

Editing configuration file

CATSploit is a server-client configuration, and the server reads the configuration JSON file at startup. In config.json, the following fields should be modified for your environment.

• DBMS
  • dbname: database name created for CATSploit
  • user: username of PostgreSQL
  • password: password of PostgrSQL
  • host: If you are using a database on a remote host, specify the IP address of the host
• SCENARIO
  • generator.maxscenarios: Maximum number of scenarios to calculate (*)
• ATTACKPF
  • msfpassword: password of MSFRPCD
  • openvas.user: username of PostgreSQL
  • openvas.password: password of PostgreSQL
  • openvas.maxhosts: Maximum number of hosts to be test at the same time (*)
  • openvas.maxchecks: Maximum number of test items to be test at the same time (*)
• ATTACKDB
  • attack_db_dir: Path to the folder where AtackSteps are stored

(*) Adjust the number according to the specs of your machine.

Usage

To start the server, execute the following command:

$ python cats_server.py -c [CONFIG_FILE]

Next, prepare another console, start the client program, and initiate a connection to the server.

$ python catsploit.py -s [SOCKET_PATH]

After successfully connecting to the server and initializing it, the session will start.

   _________  ___________       __      _ __
  / ____/   |/_  __/ ___/____  / /___  (_) /_
 / /   / /| | / /  \__ \/ __ \/ / __ \/ / __/
/ /___/ ___ |/ /  ___/ / /_/ / / /_/ / / /_
\____/_/  |_/_/  /____/ .___/_/\____/_/\__/
                     /_/

[*] Connecting to cats-server
[*] Done.
[*] Initializing server
[*] Done.
catsploit>

The client can execute a variety of commands. Each command can be executed with -h option to display the format of its arguments.

usage: [-h] {host,scenario,scan,plan,attack,post,reset,help,exit} ...

positional arguments:
  {host,scenario,scan,plan,attack,post,reset,help,exit}

options:
  -h, --help       show this help message and exit 

I've posted the commands and options below as well for reference.

host list:
 show information about the hosts
 usage:  host list [-h] 
 options:
  -h, --help       show this help message and exit

host detail:
 show more information about one host
 usage:  host detail [-h] host_id 
 positional arguments:
  host_id          ID of the host for which you want to show information
 options:
  -h, --help       show this help message and exit

scenario list:
 show information about the scenarios
 usage:  scenario list [-h]
 options:
  -h, --help       show this help message and exit

scenario detail:
 show more information about one scenario
 usage:  scenario detail [-h] scenario_id
 positional arguments:
  scenario_id      ID of the scenario for which you want to show information
 options:
  -h, --help       show this help message and exit

scan:
 run network-scan and security-scan
 usage:  scan [-h] [--port PORT] targe   t_host [target_host ...]
 positional arguments:
  target_host      IP address to be scanned
 options:
  -h, --help       show this help message and exit
  --port PORT      ports to be scanned

plan:
 planning attack scenarios
 usage:  plan [-h] src_host_id dst_host_id
 positional arguments:
  src_host_id      originating host
  dst_host_id      target host
 options:
  -h, --help       show this help message and exit

attack:
 execute attack scenario
 usage:  attack [-h] scenario_id
 positional arguments:
  scenario_id      ID of the scenario you want to execute

 options:
  -h, --help       show this help message and exit

post find-secret:
 find confidential information files that can be performed on the pwned host
 usage:  post find-secret [-h] host_id
 positional arguments:
  host_id          ID of the host for which you want to find confidential information
 op   tions:
  -h, --help       show this help message and exit

reset:
 reset data on the server
 usage:  reset [-h] {system} ...
 positional arguments:
  {system}         reset system
options:
  -h, --help  show this help message and exit

exit:
  exit CATSploit
  usage:  exit [-h]
  options:
   -h, --help  show this help message and exit

Examples

In this example, we use CATSploit to scan network, plan the attack scenario, and execute the attack.

catsploit> scan 192.168.0.0/24
Network Scanning ... 100%
[*] Total 2 hosts were discovered.
Vulnerability Scanning ... 100%
[*] Total 14 vulnerabilities were discovered.
catsploit> host list
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓
┃ hostID   ┃ IP             ┃ Hostname ┃ Platform                         ┃ Pwned ┃
┡━━━━━━ ━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩
│ attacker │ 0.0.0.0        │ kali     │ kali 2022.4                      │ True  │
│ h_exbiy6 │ 192.168.0.10   │          │ Linux 3.10 - 4.11                │ False │
│ h_nhqyfq │ 192.168.0.20   │          │ Microsoft Windows 7 SP1          │ False │
└──────────┴ ───────────────┴──────────┴──────────────────────────────────┴───────┘


catsploit> host detail h_exbiy6
┏━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━┓
┃ hostID   ┃ IP           ┃ Hostname ┃ Platform     ┃ Pwned ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━┩
│ h_exbiy6 │ 192.168.0.10 │ ubuntu   │ ubuntu 14.04 │ False │
└──────────┴──────────────┴──────────┴──────────────┴─ ─────┘

[IP address]
┏━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━┓
┃ ipv4         ┃ ipv4mask ┃ ipv6 ┃ ipv6prefix ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━┩
│ 192.168.0.10 │          │      │            │
└──────────── ─┴──────────┴──────┴────────────┘

[Open ports]
┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ ip           ┃ proto ┃ port ┃ service     ┃ product      ┃ version                       ┃
┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 192.168.0.10 │ tcp   │ 21   │ ftp         │ ProFTPD      │ 1.3.5                      │
│ 192.168.0.10 │ tcp   │ 22   │ ssh         │ OpenSSH      │ 6.6.1p1 Ubuntu 2ubuntu2.10 │
│ 192.168.0.10 │ tcp   │ 80   │ http        │ Apache httpd │ 2.4.7                      │
│ 192.168.0.10 │ tcp   │ 445  │ netbios-ssn │ Samba smbd   │ 3.X - 4.X                  │
│ 192.168.0.10 │ tcp   │ 631  │ ipp         │ CUPS         │ 1.7                        │
└──────────────┴───────┴──────┴─────────────┴──────────────┴────────────────────────────┘

[Vulnerabilities]
┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ ip           ┃ proto ┃ port ┃ vuln_name                                                           ┃ cve            ┃
┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ 192.168.0.10 │ tcp   │ 0    │ TCP Timestamps Information Disclosure                               │ N/A            │
│ 192.168.0.10 │ tcp   │ 21   │ FTP Unencrypted Cleartext Login                                     │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak MAC Algorithm(s) Supported (SSH)                               │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak Encryption Algorithm(s) Supported (SSH)                        │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak Host Key Algorithm(s) (SSH)                                    │ N/A            │
│ 192.168.0.10 │ tcp   │ 22   │ Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)                │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Test HTTP dangerous methods                                            │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Drupal Core SQLi Vulnerability (SA-CORE-2014-005) - Active Check    │ CVE-2014-3704  │
│ 192.168.0.10 │ tcp   │ 80   │ Drupal Coder RCE Vulnerability (SA-CONTRIB-2016-039) - Active Check │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Sensitive File Disclosure (HTTP)                                    │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Unprotected Web App / Device Installers (HTTP)                      │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ Cleartext Transmission of Sensitive Information via HTTP            │ N/A            │
│ 192.168.0.10 │ tcp   │ 80   │ jQuery < 1.9.0 XSS Vulnerability                                    │ CVE-2012-6708  │
│ 192.168.0.10 │ tcp   │ 80   │ jQuery < 1.6.3 XSS Vulnerability                                    │ CVE-2011-4969  │
│ 192.168.0.10 │ tcp   │ 80   │ Drupal 7.0 Information Disclosure Vulnerability - Active Check      │ CVE-2011-3730  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS                  │ CVE-2016-2183  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS                  │ CVE-2016-6329  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS                  │ CVE-2020-12872 │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection          │ CVE-2011-3389  │
│ 192.168.0.10 │ tcp   │ 631  │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection          │ CVE-2015-0204  │
└──────────────┴───────┴──────┴─────────────────────────────────────────────────────────────────────┴───&   #9472;────────────┘

[Users]
┏━━━━━━━━━━━┳━━━━━━━┓
┃ user name ┃ group ┃
┡━━━━━━━━━━━╇━━━━━━━┩
└───────────┴───────┘


catsploit> plan attacker h_exbiy6
Planning attack scenario...100%
[*] Done. 15 scenarios was planned.
[*] To check each scenario, try 'scenario list' and/or 'scenario detail'.
catsploit> scenario list
┏━━━━━━━━━━━━━┳━━━━━ ━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ scenario id ┃ src host ip ┃ target host ip ┃ eVc   ┃ eVd   ┃ steps ┃ first attack step             ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━&#947   3;━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 3d3ivc      │ 0.0.0.0     │ 192.168.0.10   │ 1.0   │ 32.0  │ 1     │ exploit/multi/http/jenkins_s… │
│ 5gnsvh      │ 0.0.0.0     │ 192.168.0.10   │ 1.0   │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
│ 6nlxyc      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 48.32 │ 2     │ exploit/multi/http/jenkins_s… │
│ 8jos4z      │ 0.0.0.0     │ 192.168.0.1   0   │ 0.7   │ 72.8  │ 2     │ exploit/multi/http/jenkins_s… │
│ 8kmmts      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 32.0  │ 1     │ exploit/multi/elasticsearch/… │
│ agjmma      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 24.0  │ 1     │ exploit/windows/http/managee… │
│ joglhf      │ 0.0.0.0     │ 192.168.0.10   │ 70.0  │ 60.0  │ 1     │ auxiliary/scanner/ssh/ssh_lo… │
│ rmgrof      │ 0.0.0.0     │ 192.168.0.10   │ 100.0 │ 32.0  │ 1     │ exploit/multi/http/drupal_dr… │
│ xuowzk      │ 0.0.0.0     │ 192.168.0.10   │ 0.0   │ 24.0  │ 1     │ exploit/multi/http/struts_dm… │
│ yttv51      │ 0.0.0.0     │ 192.168.0.10   │ 0.01  │ 53.76    │ 2     │ exploit/multi/http/jenkins_s… │
│ znv76x      │ 0.0.0.0     │ 192.168.0.10   │ 0.01  │ 53.76 │ 2     │ exploit/multi/http/jenkins_s… │
└─────────────┴─────────────┴────────────────┴───────┴───────┴───────┴───────────────────────────────┘

catsploit> scenario detail rmgrof
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┓
┃ src host ip ┃ target host ip ┃ eVc   ┃ eVd  ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━┩
│ 0.0.0.0     │ 192.168.0.10   │ 100.0 │ 32.0 │
└─────────────┴──────── ───────┴───────┴──────┘

[Steps]
┏━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ # ┃ step                                  ┃ params                ┃
┡━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ 1 │ exploit/multi/http/drupal_drupageddon │ RHOSTS: 192.168.0.10  │
│   │                                       │ LHOST: 192.168.10.100 │
└───┴───────────────────────────────────────┴───────────────────────┘


catsploit> attack rmgrof
> ~> ~
> Metasploit Console Log
> ~
> ~
[+] Attack scenario succeeded!


catsploit> exit
Bye.

Disclaimer

All informations and codes are provided solely for educational purposes and/or testing your own systems.

Contact

For any inquiry, please contact the email address as follows:

catsploit@nk.MitsubishiElectric.co.jp

BlueBunny - BLE Based C2 For Hak5's Bash Bunny

C2 solution that communicates directly over Bluetooth-Low-Energy with your Bash Bunny Mark II.
Send your Bash Bunny all the instructions it needs just over the air.

Overview

Structure

Installation & Start

1. Install required dependencies

pip install pygatt "pygatt[GATTTOOL]"

Make sure BlueZ is installed and gatttool is usable

sudo apt install bluez

2. Download BlueBunny's repository (and switch into the correct folder)

git clone https://github.com/90N45-d3v/BlueBunny
cd BlueBunny/C2

3. Start the C2 server

sudo python c2-server.py

4. Plug your Bash Bunny with the BlueBunny payload into the target machine (payload at: BlueBunny/payload.txt).
5. Visit your C2 server from your browser on localhost:1472 and connect your Bash Bunny (Your Bash Bunny will light up green when it's ready to pair).

Manual communication with the Bash Bunny through Python

You can use BlueBunny's BLE backend and communicate with your Bash Bunny manually.

Example Code

# Import the backend (BlueBunny/C2/BunnyLE.py)
import BunnyLE

# Define the data to send
data = "QUACK STRING I love my Bash Bunny"
# Define the type of the data to send ("cmd" or "payload") (payload data will be temporary written to a file, to execute multiple commands like in a payload script file)
d_type = "cmd"

# Initialize BunnyLE
BunnyLE.init()

# Connect to your Bash Bunny
bb = BunnyLE.connect()

# Send the data and let it execute
BunnyLE.send(bb, data, d_type)

Troubleshooting

Connecting your Bash Bunny doesn't work? Try the following instructions:

• Try connecting a few more times
• Check if your bluetooth adapter is available
• Restart the system your C2 server is running on
• Check if your Bash Bunny is running the BlueBunny payload properly
• How far away from your Bash Bunny are you? Is the environment (distance, interferences etc.) still sustainable for typical BLE connections?

Bugs within BlueZ

The Bluetooth stack used is well known, but also very buggy. If starting the connection with your Bash Bunny does not work, it is probably a temporary problem due to BlueZ. Here are some kind of errors that can be caused by temporary bugs. These usually disappear at the latest after rebooting the C2's operating system, so don't be surprised and calm down if they show up.

• Timeout after 5.0 seconds
• Unknown error while scanning for BLE devices

Working on...

• Remote shell access
• BLE exfiltration channel
• Improved connecting process

Additional information

As I said, BlueZ, the base for the bluetooth part used in BlueBunny, is somewhat bug prone. If you encounter any non-temporary bugs when connecting to Bash Bunny as well as any other bugs/difficulties in the whole BlueBunny project, you are always welcome to contact me. Be it a problem, an idea/solution or just a nice feedback.

Scaling Security Operations with Automation

Porch-Pirate - The Most Comprehensive Postman Recon / OSINT Client And Framework That Facilitates The Automated Discovery And Exploitation Of API Endpoints And Secrets Committed To Workspaces, Collections, Requests, Users And Teams

Porch Pirate started as a tool to quickly uncover Postman secrets, and has slowly begun to evolve into a multi-purpose reconaissance / OSINT framework for Postman. While existing tools are great proof of concepts, they only attempt to identify very specific keywords as "secrets", and in very limited locations, with no consideration to recon beyond secrets. We realized we required capabilities that were "secret-agnostic", and had enough flexibility to capture false-positives that still provided offensive value.

Porch Pirate enumerates and presents sensitive results (global secrets, unique headers, endpoints, query parameters, authorization, etc), from publicly accessible Postman entities, such as:

• Workspaces
• Collections
• Requests
• Users
• Teams

Installation

python3 -m pip install porch-pirate

Using the client

The Porch Pirate client can be used to nearly fully conduct reviews on public Postman entities in a quick and simple fashion. There are intended workflows and particular keywords to be used that can typically maximize results. These methodologies can be located on our blog: Plundering Postman with Porch Pirate.

Porch Pirate supports the following arguments to be performed on collections, workspaces, or users.

• --globals
• --collections
• --requests
• --urls
• --dump
• --raw
• --curl

Simple Search

porch-pirate -s "coca-cola.com"

Get Workspace Globals

By default, Porch Pirate will display globals from all active and inactive environments if they are defined in the workspace. Provide a -w argument with the workspace ID (found by performing a simple search, or automatic search dump) to extract the workspace's globals, along with other information.

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8

Dump Workspace

When an interesting result has been found with a simple search, we can provide the workspace ID to the -w argument with the --dump command to begin extracting information from the workspace and its collections.

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --dump

Automatic Search and Globals Extraction

Porch Pirate can be supplied a simple search term, following the --globals argument. Porch Pirate will dump all relevant workspaces tied to the results discovered in the simple search, but only if there are globals defined. This is particularly useful for quickly identifying potentially interesting workspaces to dig into further.

porch-pirate -s "shopify" --globals

Automatic Search Dump

Porch Pirate can be supplied a simple search term, following the --dump argument. Porch Pirate will dump all relevant workspaces and collections tied to the results discovered in the simple search. This is particularly useful for quickly sifting through potentially interesting results.

porch-pirate -s "coca-cola.com" --dump

Extract URLs from Workspace

A particularly useful way to use Porch Pirate is to extract all URLs from a workspace and export them to another tool for fuzzing.

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --urls

Automatic URL Extraction

Porch Pirate will recursively extract all URLs from workspaces and their collections related to a simple search term.

porch-pirate -s "coca-cola.com" --urls

Show Collections in a Workspace

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --collections

Show Workspace Requests

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --requests

Show raw JSON

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --raw

Show Entity Information

porch-pirate -w WORKSPACE_ID

porch-pirate -c COLLECTION_ID

porch-pirate -r REQUEST_ID

porch-pirate -u USERNAME/TEAMNAME

Convert Request to Curl

Porch Pirate can build curl requests when provided with a request ID for easier testing.

porch-pirate -r 11055256-b1529390-18d2-4dce-812f-ee4d33bffd38 --curl

Use a proxy

porch-pirate -s coca-cola.com --proxy 127.0.0.1:8080

Using as a library

Searching

p = porchpirate()
print(p.search('coca-cola.com'))

Get Workspace Collections

p = porchpirate()
print(p.collections('4127fdda-08be-4f34-af0e-a8bdc06efaba'))

Dumping a Workspace

p = porchpirate()
collections = json.loads(p.collections('4127fdda-08be-4f34-af0e-a8bdc06efaba'))
for collection in collections['data']: 
    requests = collection['requests']
    for r in requests:
        request_data = p.request(r['id'])
        print(request_data)

Grabbing a Workspace's Globals

p = porchpirate()
print(p.workspace_globals('4127fdda-08be-4f34-af0e-a8bdc06efaba'))

Other Examples

Other library usage examples can be located in the examples directory, which contains the following examples:

• dump_workspace.py
• format_search_results.py
• format_workspace_collections.py
• format_workspace_globals.py
• get_collection.py
• get_collections.py
• get_profile.py
• get_request.py
• get_statistics.py
• get_team.py
• get_user.py
• get_workspace.py
• recursive_globals_from_search.py
• request_to_curl.py
• search.py
• search_by_page.py
• workspace_collections.py

Iac-Scan-Runner - Service That Scans Your Infrastructure As Code For Common Vulnerabilities

Service that scans your Infrastructure as Code for common vulnerabilities.

Purpose and description

The IaC Scan Runner is a REST API service used to scan IaC (Infrastructure as Code) package and perform various code checks in order to find possible vulnerabilities and improvements. Explore the docs for more info.

Running

This section explains how to run the REST API.

Run with Docker

You can run the REST API using a public xscanner/runner Docker image as follows:

# run IaC Scan Runner REST API in a Docker container and 
# navigate to localhost:8080/swagger or localhost:8080/redoc
$ docker run --name iac-scan-runner -p 8080:80 xscanner/runner

Or you can build the image locally and run it as follows:

# build Docker container (it will take some time) 
$ docker build -t iac-scan-runner .
# run IaC Scan Runner REST API in a Docker container and 
# navigate to localhost:8080/swagger or localhost:8080/redoc
$ docker run --name iac-scan-runner -p 8080:80 iac-scan-runner

Run from CLI

To run using the IaC Scan Runner CLI:

# install the CLI
$ python3 -m venv .venv && . .venv/bin/activate
(.venv) $ pip install iac-scan-runner
# print OpenAPI specification
(.venv) $ iac-scan-runner openapi
# install prerequisites
(.venv) $ iac-scan-runner install
# run IaC Scan Runner REST API
(.venv) $ iac-scan-runner run

Run from source

To run locally from source:

# Export env variables 
export MONGODB_CONNECTION_STRING=mongodb://localhost:27017
export SCAN_PERSISTENCE=enabled
export USER_MANAGEMENT=enabled

# Setup MongoDB
$ docker run --name mongodb -p 27017:27017 mongo

# install prerequisites
$ python3 -m venv .venv && . .venv/bin/activate
(.venv) $ pip install -r requirements.txt
(.venv) $ ./install-checks.sh
# run IaC Scan Runner REST API (add --reload flag to apply code changes on the way)
(.venv) $ uvicorn src.iac_scan_runner.api:app

Usage and examples

This part will show one of the possible deployments and short examples on how to use API calls.

Firstly we will clone the iac scan runner repository and run the API.

$ git clone https://github.com/xlab-si/iac-scan-runner.git
$ docker compose up

After this is done you can use different API endpoints by calling localhost:8000. You can also navigate to localhost:8000/swagger or localhost:8000/redoc and test all the API endpoints there. In this example, we will use curl for calling API endpoints.

1. Lets create a project named test.

curl -X 'POST' \
  'http://0.0.0.0/project?creator_id=test' \
  -H 'accept: application/json' \
  -d ''

project id will be returned to us. For this example project id is 1e7b2a91-2896-40fd-8d53-83db56088026.

2. For example, let say we want to initiate all check expect ansible-lint. Let's disable it.

curl -X 'PUT' \
  'http://0.0.0.0:8000/projects/1e7b2a91-2896-40fd-8d53-83db56088026/checks/ansible-lint/disable' \
  -H 'accept: application/json'

3. Now when project is configured, we can simply choose files that we want to scan and zip them. For IaC-Scan-Runner to work files are expected to be a compressed archives (usually zip files). In this case response type will be json , but it is possible to change it to html.Please change YOUR.zip to path of your file.

curl -X 'POST' \
  'http://0.0.0.0:8000/projects/1e7b2a91-2896-40fd-8d53-83db56088026/scan?scan_response_type=json' \
  -H 'accept: application/json' \
  -H 'Content-Type: multipart/form-data' \
  -F 'iac=@YOUR.zip;type=application/zip'

That is it.

Extending the scan workflow with new check tools

At certain point, it might be required to include new check tools within the scan workflow, with aim to provide wider coverage of IaC standards and project types. Therefore, in this subsection, a sequence of required steps for that purpose is identified and described. However, the steps have to be performed manually as it will be described, but it is planned to automatize this procedure in future via API and provide user-friendly interface that will aid the user while importing new tools that will become part of the available catalogue that makes the scan workflow. Figure 16 depicts the required steps which have to be taken in order to extend the scan workflow with a new tool.

Step 1 – Adding tool-specific class to checks directory First, it is required to add a new tool-specific Python class to the checks directory inside IaC Scan Runner’s source code: iac-scan-runner/src/iac_scan_runner/checks/new_tool.py
The class of a new tool inherits the existing Check class, which provides generalization of scan workflow tools. Moreover, it is necessary to provide implementation of the following methods:

1. def configure(self, config_filename: Optional[str], secret: Optional[SecretStr])
2. def run(self, directory: str) While the first one aims to provide the necessary tool-specific parameters in order to set it up (such as passwords, client ids and tokens), another one specifies how the tool itself is invoked via API or CLI and its raw output returned.

Step 2 – Adding the check tool class instance within ScanRunner constructor Once the new class derived from Check is added to the IaC Scan Runner’s source code, it is also required to modify the source code of its main class, called ScanRunner. When it comes to modifications of this class, it is required first to import the tool-specific class, create a new check tool-specific class instance and adding it to the dictionary of IaC checks inside def init_checks(self). A. Importing the check tool class from iac_scan_runner.checks.tfsec import TfsecCheck B. Creating new instance of check tool object inside init_checks """Initiate predefined check objects""" new_tool = NewToolCheck() C. Adding it to self.iac_checks dictionary inside init_checks

    self.iac_checks = {
        new_tool.name: new_tool,
        …
    }

Step 3 – Adding the check tool to the compatibility matrix inside Compatibility class On the other side, inside file src/iac_scan_runner/compatibility.py, the dictionary which represents compatibility matrix should be extended as well. There are two possible cases: a) new file type should be added as a key, together with list of relevant tools as value b) new tool should be added to the compatibility list for the existing file type.

    compatibility_matrix = {
        "new_type": ["new_tool_1", "new_tool_2"],
        …
        "old_typeK": ["tool_1", …  "tool_N", "new_tool_3"]
    }

Step 4 – Providing the support for result summarization Finally, the last step in sequence of required modifications for scan workflow extension is to modify class ResultsSummary (src/iac_scan_runner/results_summary.py). Precisely, it is required to append a part of the code to its method summarize_outcome that will look for specific strings which are tool-specific and can be used to identify whether the check passed or failed. Inside the loop that traverses the compatible checks, for each new tool the following structure of if-else should be included:

        if check == "new_tool":
            if outcome.find("Check pass string") > -1:
                self.outcomes[check]["status"] = "Passed"
                return "Passed"
            else:
                self.outcomes[check]["status"] = "Problems"
                return "Problems"

Contact

You can contact the xOpera team by sending an email to xopera@xlab.si.

Acknowledgement

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 101000162 (PIACERE).

Deepsecrets - Secrets Scanner That Understands Code

Yet another tool - why?

Existing tools don't really "understand" code. Instead, they mostly parse texts.

DeepSecrets expands classic regex-search approaches with semantic analysis, dangerous variable detection, and more efficient usage of entropy analysis. Code understanding supports 500+ languages and formats and is achieved by lexing and parsing - techniques commonly used in SAST tools.

DeepSecrets also introduces a new way to find secrets: just use hashed values of your known secrets and get them found plain in your code.

Under the hood story is in articles here: https://hackernoon.com/modernizing-secrets-scanning-part-1-the-problem

Mini-FAQ after release :)

Pff, is it still regex-based?

Yes and no. Of course, it uses regexes and finds typed secrets like any other tool. But language understanding (the lexing stage) and variable detection also use regexes under the hood. So regexes is an instrument, not a problem.

Why don't you build true abstract syntax trees? It's academically more correct!

DeepSecrets tries to keep a balance between complexity and effectiveness. Building a true AST is a pretty complex thing and simply an overkill for our specific task. So the tool still follows the generic SAST-way of code analysis but optimizes the AST part using a different approach.

I'd like to build my own semantic rules. How do I do that?

Only through the code by the moment. Formalizing the rules and moving them into a flexible and user-controlled ruleset is in the plans.

I still have a question

Feel free to communicate with the maintainer

Installation

From Github via pip

$ pip install git+https://github.com/avito-tech/deepsecrets.git

From PyPi

$ pip install deepsecrets

Scanning

The easiest way:

$ deepsecrets --target-dir /path/to/your/code --outfile report.json

This will run a scan against /path/to/your/code using the default configuration:

• Regex checks by the built-in ruleset
• Semantic checks (variable detection, entropy checks)

Report will be saved to report.json

Fine-tuning

Run deepsecrets --help for details.

Basically, you can use your own ruleset by specifying --regex-rules. Paths to be excluded from scanning can be set via --excluded-paths.

Building rulesets

Regex

The built-in ruleset for regex checks is located in /deepsecrets/rules/regexes.json. You're free to follow the format and create a custom ruleset.

HashedSecret

Example ruleset for regex checks is located in /deepsecrets/rules/regexes.json. You're free to follow the format and create a custom ruleset.

Contributing

Under the hood

There are several core concepts:

• File
• Tokenizer
• Token
• Engine
• Finding
• ScanMode

File

Just a pythonic representation of a file with all needed methods for management.

Tokenizer

A component able to break the content of a file into pieces - Tokens - by its logic. There are four types of tokenizers available:

• FullContentTokenizer: treats all content as a single token. Useful for regex-based search.
• PerWordTokenizer: breaks given content by words and line breaks.
• LexerTokenizer: uses language-specific smarts to break code into semantically correct pieces with additional context for each token.

Token

A string with additional information about its semantic role, corresponding file, and location inside it.

Engine

A component performing secrets search for a single token by its own logic. Returns a set of Findings. There are three engines available:

• RegexEngine: checks tokens' values through a special ruleset
• SemanticEngine: checks tokens produced by the LexerTokenizer using additional context - variable names and values
• HashedSecretEngine: checks tokens' values by hashing them and trying to find coinciding hashes inside a special ruleset

Finding

This is a data structure representing a problem detected inside code. Features information about the precise location inside a file and a rule that found it.

ScanMode

This component is responsible for the scan process.

• Defines the scope of analysis for a given work directory respecting exceptions
• Allows declaring a PerFileAnalyzer - the method called against each file, returning a list of findings. The primary usage is to initialize necessary engines, tokenizers, and rulesets.
• Runs the scan: a multiprocessing pool analyzes every file in parallel.
• Prepares results for output and outputs them.

The current implementation has a CliScanMode built by the user-provided config through the cli args.

Local development

The project is supposed to be developed using VSCode and 'Remote containers' feature.

Steps:

1. Clone the repository
2. Open the cloned folder with VSCode
3. Agree with 'Reopen in container'
4. Wait until the container is built and necessary extensions are installed
5. You're ready

MemTracer - Memory Scaner

MemTracer is a tool that offers live memory analysis capabilities, allowing digital forensic practitioners to discover and investigate stealthy attack traces hidden in memory. The MemTracer is implemented in Python language, aiming to detect reflectively loaded native .NET framework Dynamic-Link Library (DLL). This is achieved by looking for the following abnormal memory region’s characteristics:

• The state of memory pages flags in each memory region. Specifically, the MEM_COMMIT flag which is used to reserve memory pages for virtual memory use.
• The type of pages in the region. The MEM_MAPPED page type indicates that the memory pages within the region are mapped into the view of a section.
• The memory protection for the region. The PAGE_READWRITE protection to indicate that the memory region is readable and writable, which happens if Assembly.Load(byte[]) method is used to load a module into memory.
• The memory region contains a PE header.

The tool starts by scanning the running processes, and by analyzing the allocated memory regions characteristics to detect reflective DLL loading symptoms. Suspicious memory regions which are identified as DLL modules are dumped for further analysis and investigation.
Furthermore, the tool features the following options:

• Dump the compromised process.
• Export a JSON file that provides information about the compromised process, such as the process name, ID, path, size, and base address.
• Search for specific loaded module by name.

Example

python.exe memScanner.py [-h] [-r] [-m MODULE]
-h, --help show this help message and exit
-r, --reflectiveScan Looking for reflective DLL loading
-m MODULE, --module MODULE Looking for spcefic loaded DLL

The script needs administrator privileges in order incepect all processes.

YoroTrooper: Researchers Warn of Kazakhstan's Stealthy Cyber Espionage Group

DakshSCRA - Source Code Review Assist

Daksh SCRA (Source Code Review Assist) tool is built to enhance the efficiency of the source code review process, providing a well-structured and organized approach for code reviewers.

Rather than indiscriminately flagging everything as a potential issue, Daksh SCRA promotes thoughtful analysis, urging the investigation and confirmation of potential problems. This approach mitigates the scramble to tag every potential concern as a bug, cutting back on the confusion and wasted time spent on false positives.

What sets Daksh SCRA apart is its emphasis on avoiding unnecessary bug tagging. Unlike conventional methods, it advocates for thorough investigation and confirmation of potential issues before tagging them as bugs. This approach helps mitigate the issue of false positives, which often consume valuable time and resources, thereby fostering a more productive and efficient code review process.

Debut

Daksh SCRA was initially introduced during a source code review training session I conducted at Black Hat USA 2022 (August 6 - 9), where it was subtly presented to a specific audience. However, this introduction was carried out with a low-profile approach, avoiding any major announcements.

While this tool was quietly published on GitHub after the 2022 training, its official public debut took place at Black Hat USA 2023 in Las Vegas.

Features and Functionalities

Distinctive Features (Multiple World’s First)

• Identifies Areas of Interest in Source Code: Encourage focused investigation and confirmation rather than indiscriminately labeling everything as a bug.

• Identifies Areas of Interest in File Paths (World’s First): Recognises patterns in file paths to pinpoint relevant sections for review.

• Software-Level Reconnaissance to Identify Technologies Utilised: Identifies project technologies, enabling code reviewers to conduct precise scans with appropriate rules.

• Automated Scientific Effort Estimation for Code Review (World’s First): Providing a measurable approach for estimating efforts required for a code review process.

Although this tool has progressed beyond its early stages, it has reached a functional state that is quite usable and delivers on its promised capabilities. Nevertheless, active enhancements are currently underway, and there are multiple new features and improvements expected to be added in the upcoming months.

Additionally, the tool offers the following functionalities:

• Options to use platform-specific rules specific for finding areas of interests
• Options to extend or add new rules for any new or existing languages
• Generates report in text, HTML and PDF format for inspection

Refer to the wiki for the tool setup and usage details - https://github.com/coffeeandsecurity/DakshSCRA/wiki

Feel free to contribute towards updating or adding new rules and future development.

If you find any bugs, report them to d3basis.m0hanty@gmail.com.

Tool Setup

Pre-requisites

Python3 and all the libraries listed in requirements.txt

Setting up environment to run this tool

1. Setup a virtual environment

$ pip install virtualenv

$ virtualenv -p python3 {name-of-virtual-env}  		// Create a virtualenv
Example: virtualenv -p python3 venv

$ source {name-of-virtual-env}/bin/activate 		// To activate virtual environment you just created
Example: source venv/bin/activate

After running the activate command you should see the name of your virtual env at the beginning of your terminal like this: (venv) $

2. Ensure all required libraries are installed within the virtual environment

You must run the below command after activating the virtual environment as mentioned in the previous steps.

pip install -r requirements.txt

Once the above step successfully installs all the required libraries, refer to the following tool usage commands to run the tool.

Tool Usage

$ python3 dakshscra.py -h // To view avaialble options and arguments

usage: dakshscra.py [-h] [-r RULE_FILE] [-f FILE_TYPES] [-v] [-t TARGET_DIR] [-l {R,RF}] [-recon] [-estimate]

options:
-h, --help            show this help message and exit
-r RULE_FILE          Specify platform specific rule name
-f FILE_TYPES         Specify file types to scan
-v                    Specify verbosity level {'-v', '-vv', '-vvv'}
-t TARGET_DIR         Specify target directory path
-l {R,RF}, --list {R,RF}
						List rules [R] OR rules and filetypes [RF]
-recon                Detects platform, framework and programming language used
-estimate             Estimate efforts required for code review

Example Usage

$ python3 dakshscra.py // To view tool usage along with examples

Examples:
# '-f' is optional. If not specified, it will default to the corresponding filetypes of the selected rule.
dakshsca.py -r php -t /source_dir_path

# To override default settings, other filetypes can be specified with '-f' option.
dakshsca.py -r php -f dotnet -t /path_to_source_dir
dakshsca.py -r php -f custom -t /path_to_source_dir

# Perform reconnaissance and rule based scanning if '-recon' used with '-r' option.
dakshsca.py  -recon -r php -t /path_to_source_dir

# Perform only reconnaissance if '-recon' used without the '-r' option.
dakshsca.py  -recon -t /path_to_source_dir

# Verbosity: '-v' is default, '-vvv' will display all rules check within each rule category.
dakshsca.py -r php -vv -t /path_to_source_dir


Supported RULE_FILE: 	dotnet, java, php, javascript
Supported FILE_TY   PES:	dotnet, php, java, custom, allfiles

Reports

The tool generates reports in three formats: HTML, PDF, and TEXT. Although the HTML and PDF reports are still being improved, they are currently in a reasonably good state. With each subsequent iteration, these reports will continue to be refined and improved even further.

Scanning (Areas of Security Concerns) Report

HTML Report:

• DakshSCRA/reports/html/report.html

PDF Report:

• DakshSCRA/reports/html/report.pdf

RAW TEXT Based Reports:

• Areas of Interest - Identified Patterns : DakshSCRA/reports/text/areas_of_interest.txt
• Areas of Interest - Project Files: DakshSCRA/reports/text/filepaths_aoi.txt
• Identified Project Files: DakshSCRA/runtime/filepaths.txt

Reconnaissance (Recon) Report

• Reconnaissance Summary: /reports/text/recon.txt

Note: Currently, the reconnaissance report is created in a text format. However, in upcoming releases, the plan is to incorporate it into the vulnerability scanning report, which will be available in both HTML and PDF formats.

Code Review Effort Estimation Report

• Effort estimation report: /reports/html/estimation.html

Note: At present, the effort estimation for the source code review is in its early stages. It is considered experimental and will be developed and refined through several iterations. Improvements will be made over multiple releases, as the formula and the concept are new and require time to be honed to achieve accuracy or reasonable estimation.

Currently, the report is generated in HTML format. However, in future releases, there are plans to also provide it in PDF format.

Golddigger - Search Files For Gold

Gold Digger is a simple tool used to help quickly discover sensitive information in files recursively. Originally written to assist in rapidly searching files obtained during a penetration test.

Installation

Gold Digger requires Python3.

virtualenv -p python3 .
source bin/activate
python dig.py --help

Usage

usage: dig.py [-h] [-e EXCLUDE] [-g GOLD] -d DIRECTORY [-r RECURSIVE] [-l LOG]

optional arguments:
  -h, --help            show this help message and exit
  -e EXCLUDE, --exclude EXCLUDE
                        JSON file containing extension exclusions
  -g GOLD, --gold GOLD  JSON file containing the gold to search for
  -d DIRECTORY, --directory DIRECTORY
                        Directory to search for gold
  -r RECURSIVE, --recursive RECURSIVE
                        Search directory recursively?
  -l LOG, --log LOG     Log file to save output

Example Usage

Gold Digger will recursively go through all folders and files in search of content matching items listed in the gold.json file. Additionally, you can leverage an exclusion file called exclusions.json for skipping files matching specific extensions. Provide the root folder as the --directory flag.

An example structure could be:

~/Engagements/CustomerName/data/randomfiles/
~/Engagements/CustomerName/data/randomfiles2/
~/Engagements/CustomerName/data/code/

You would provide the following command to parse all 3 account reports:

python dig.py --gold gold.json --exclude exclusions.json --directory ~/Engagements/CustomerName/data/ --log Customer_2022-123_gold.log

Results

The tool will create a log file containg the scanning results. Due to the nature of using regular expressions, there may be numerous false positives. Despite this, the tool has been proven to increase productivity when processing thousands of files.

Shout-outs

Shout out to @d1vious for releasing git-wild-hunt https://github.com/d1vious/git-wild-hunt! Most of the regex in GoldDigger was used from this amazing project.

Kubestroyer - Kubernetes Exploitation Tool

Kubestroyer

Kubestroyer aims to exploit Kubernetes clusters misconfigurations and be the swiss army knife of your Kubernetes pentests

About The Project

Kubestroyer is a Golang exploitation tool that aims to take advantage of Kubernetes clusters misconfigurations.

The tool is scanning known Kubernetes ports that can be exposed as well as exploiting them.

Getting Started

To get a local copy up and running, follow these simple example steps.

Prerequisites

• Go 1.19

  wget https://go.dev/dl/go1.19.4.linux-amd64.tar.gz
  tar -C /usr/local -xzf go1.19.4.linux-amd64.tar.gz

Installation

Use prebuilt binary

or

Using go install command :

$ go install github.com/Rolix44/Kubestroyer@latest

or

build from source:

1. Clone the repo

   $ git clone https://github.com/Rolix44/Kubestroyer.git

2. build the binary

   $ go build -o Kubestroyer cmd/kubestroyer/main.go 

Usage

Currently supported features

• Target

  • List of multiple targets
  • Input file as target

• Scanning

  • Known ports scan
  • Node port scan (30000 to 32767)
  • Port description

• Vulnerabilities

  • Annon RCE on Kubelet
    • Choose command to execute

Roadmap

• Choose the pod for anon RCE
• Etcd exploit
• Kubelet read-only API parsing for information disclosure

See the open issues for a full list of proposed features (and known issues).

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

1. Fork the Project
2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
3. Commit your Changes (git commit -m 'Add some AmazingFeature')
4. Push to the Branch (git push origin feature/AmazingFeature)
5. Open a Pull Request

License

Distributed under the MIT License. See LICENSE.txt for more information.

Contact

Rolix - @Rolix_cy - rolixcy@protonmail.com

Project Link: https://github.com/Rolix44/Kubestroyer

Kubei - A Flexible Kubernetes Runtime Scanner

1. A Kubernetes cluster is ready, and kubeconfig ( ~/.kube/config) is properly configured for the target cluster.

1. Read secrets in cluster scope. This is required for getting image pull secrets for scanning private image repositories.
2. List pods in cluster scope. This is required for calculating the target pods that need to be scanned.
3. Create jobs in cluster scope. This is required for creating the jobs that will scan the target pods in their namespaces.

1. Set the scan scope. Set the IGNORE_NAMESPACES env variable to ignore specific namespaces. Set TARGET_NAMESPACE to scan a specific namespace, or leave empty to scan all namespaces.
   
2. Set the scan speed. Expedite scanning by running parallel scanners. Set the MAX_PARALLELISM env variable for the maximum number of simultaneous scanners.
   
3. Set severity level threshold. Vulnerabilities with severity level higher than or equal to SEVERITY_THRESHOLD threshold will be reported. Supported levels are Unknown, Negligible, Low, Medium, High, Critical, Defcon1. Default is Medium.
   
4. Set the delete job policy. Set the DELETE_JOB_POLICY env variable to define whether or not to delete completed scanner jobs. Supported values are:
   
   • All - All jobs will be deleted.
   • Successful - Only successful jobs will be deleted (default).
   • Never - Jobs will never be deleted.

1. Run the following command to deploy Kubei on the cluster:
   kubectl apply -f https://raw.githubusercontent.com/Portshift/kubei/master/deploy/kubei.yaml
   
2. Run the following command to verify that Kubei is up and running:
   kubectl -n kubei get pod -lapp=kubei
   
3. Then, port forwarding into the Kubei webapp via the following command:
   kubectl -n kubei port-forward $(kubectl -n kubei get pods -lapp=kubei -o jsonpath='{.items[0].metadata.name}') 8080
   
4. In your browser, navigate to http://localhost:8080/view/ , and then click 'GO' to run a scan.
   
5. To check the state of Kubei, and the progress of ongoing scans, run the following command:
   kubectl -n kubei logs $(kubectl -n kubei get pods -lapp=kubei -o jsonpath='{.items[0].metadata.name}')
   
6. Refresh the page (http://localhost:8080/view/) to update the results.
   

1. Supports Kubernetes Image Manifest V 2, Schema 2 (https://docs.docker.com/registry/spec/manifest-v2-2/). It will fail to scan on earlier versions.
   
2. The CVE database will update once a day.
   

FirebaseExploiter - Vulnerability Discovery Tool That Discovers Firebase Database Which Are Open And Can Be Exploitable

Features

• Mass vulnerability scanning from list of hosts
• Custom JSON data in exploit.json to upload during exploit
• Custom URI path for exploit

Usage

This will display help for the CLI tool. Here are all the required arguments it supports.

Installation

FirebaseExploiter was built using go1.19. Make sure you use latest version of Go to install successfully. Run the following command to install the latest version:

go install -v github.com/securebinary/firebaseExploiter@latest

Running FirebaseExploiter

To scan a specific domain to check for Insecure Firebase DB.

To exploit a Firebase DB to write your own JSON document in it.

Create your own exploit.json file in proper JSON format to exploit vulnerable Firebase DBs.

Checking the exploited URL to verify the vulnerability.

Adding custom path for exploiting Firebase DBs.

Mass scanning for Insecure Firebase Databases from list of target hosts.

Exploiting vulnerable Firebase DBs from the list of target hosts.

License

FirebaseExploiter is made with love by the SecureBinary team. Any tweaks / community contribution are welcome.

UDPX - Fast A nd Lightweight, UDPX Is A Single-Packet UDP Scanner Written In Go That Supports The Discovery Of Over 45 Services With The Ability To Add Custom Ones

Fast and lightweight, UDPX is a single-packet UDP scanner written in Go that supports the discovery of over 45 services with the ability to add custom ones. It is easy to use and portable, and can be run on Linux, Mac OS, and Windows. Unlike internet-wide scanners like zgrab2 and zmap, UDPX is designed for portability and ease of use.

• It is fast. It can scan whole /16 network in ~20 seconds for a single service.
• You don't need to instal libpcap or any other dependencies.
• Can run on Linux, Mac Os, Windows. Or your Nethunter if you built it for Arm.
• Customizable. You can add your probes and test for even more protocols.
• Stores results in JSONL format.
• Scans also domain names.

How it works

Scanning UDP ports is very different than scanning TCP - you may, or may not get any result back from probing an UDP port as UDP is a connectionless protocol. UDPX implements a single-packet based approach. A protocol-specific packet is sent to the defined service (port) and waits for a response. The limit is set to 500 ms by default and can be changed by -w flag. If the service sends a packet back within this time, it is certain that it is indeed listening on that port and is reported as open.

A typical technique is to send 0 byte UDP packets to each port on the target machine. If we receive an "ICMP Port Unreachable" message, then the port is closed. If an UDP response is received to the probe (unusual), the port is open. If we get no response at all, the state is open or filtered, meaning that the port is either open or packet filters are blocking the communication. This method is not implemented as there is no added value (UDPX tests only for specific protocols).

Usage

Concurrency: By default, concurrency is set to 32 connections only (so you don't crash anything). If you have a lot of hosts to scan, you can set it to 128 or 256 connections. Based on your hardware, connection stability, and ulimit (on *nix), you can run 512 or more concurrent connections, but this is not recommended.

To scan a single IP:

udpx -t 1.1.1.1

To scan a CIDR with maximum of 128 connections and timeout of 1000 ms:

udpx -t 1.2.3.4/24 -c 128 -w 1000

To scan targets from file with maximum of 128 connections for only specific service:

udpx -tf targets.txt -c 128 -s ipmi

Target can be:

• IP address
• CIDR
• Domain

IPv6 is supported.

If you want to store the results, use flag -o [filename]. Output is in JSONL format, as can be seen bellow:

{"address":"45.33.32.156","hostname":"scanme.nmap.org","port":123,"service":"ntp","response_data":"JAME6QAAAEoAAA56LU9vp+d2ZPwOYIyDxU8jS3GxUvM="}

Options

        __  ______  ____ _  __
       / / / / __ \/ __ \ |/ /
      / / / / / / / /_/ /   /
     / /_/ / /_/ / ____/   |
     \____/_____/_/   /_/|_|
         v1.0.2-beta, by @nullt3r

Usage of ./udpx-linux-amd64:
  -c int
    	Maximum number of concurrent connections (default 32)
  -nr
    	Do not randomize addresses
  -o string
    	Output file to write results
  -s string
    	Scan only for a specific service, one of: ard, bacnet, bacnet_rpm, chargen, citrix, coap, db, db, digi1, digi2, digi3, dns, ipmi, ldap, mdns, memcache, mssql, nat_port_mapping, natpmp, netbios, netis, ntp, ntp_monlist, openvpn, pca_nq, pca_st, pcanywhere, portmap, qotd, rdp, ripv, sentinel, sip, snmp1, snmp2, snmp3, ssdp, tftp, ubiquiti, ubiquiti_discovery_v1, ubiquiti_discovery_v2, upnp, valve, wdbrpc, wsd, wsd_malformed, xdmcp, kerberos, ike
  -sp
    	Show received packets (only first 32 bytes)
  -t string
       	IP/CIDR to scan
  -tf string
    	File containing IPs/CIDRs to scan
  -w int
    	Maximum time to wait for a response (socket timeout) in ms (default 500)

Building

You can grab prebuilt binaries in the release section. If you want to build UDPX from source, follow these steps:

From git:

git clone https://github.com/nullt3r/udpx
cd udpx
go build ./cmd/udpx

You can find the binary in the current directory.

Or via go:

go install -v github.com/nullt3r/udpx/cmd/udpx@latest

After that, you can find the binary in $HOME/go/bin/udpx. If you want, move binary to /usr/local/bin/ so you can call it directly.

Supported services

The UDPX supports more then 45 services. The most interesting are:

• ipmi
• snmp
• ike
• tftp
• openvpn
• kerberos
• ldap

The complete list of supported services:

• ard
• bacnet
• bacnet_rpm
• chargen
• citrix
• coap
• db
• db
• digi1
• digi2
• digi3
• dns
• ipmi
• ldap
• mdns
• memcache
• mssql
• nat_port_mapping
• natpmp
• netbios
• netis
• ntp
• ntp_monlist
• openvpn
• pca_nq
• pca_st
• pcanywhere
• portmap
• qotd
• rdp
• ripv
• sentinel
• sip
• snmp1
• snmp2
• snmp3
• ssdp
• tftp
• ubiquiti
• ubiquiti_discovery_v1
• ubiquiti_discovery_v2
• upnp
• valve
• wdbrpc
• wsd
• wsd_malformed
• xdmcp
• kerberos
• ike

How to add your own probe?

Please send a feature request with protocol name and port and I will make it happen. Or add it on your own, the file pkg/probes/probes.go contains all available payloads. Specify the protocol name, port and packet data (hex-encoded).

{
        Name: "ike",
        Payloads: []string{"5b5e64c03e99b51100000000000000000110020000000000000001500000013400000001000000010000012801010008030000240101"},
        Port: []int{500, 4500},
},

Credits

• Nmap
• UDP Hunter
• ZGrab2
• ZMap

Disclaimer

I am not responsible for any damages. You are responsible for your own actions. Scanning or attacking targets without prior mutual consent can be illegal.

License

UDPX is distributed under MIT License.

CMLoot - Find Interesting Files Stored On (System Center) Configuration Manager (SCCM/CM) SMB Shares

CMLoot was created to easily find interesting files stored on System Center Configuration Manager (SCCM/CM) SMB shares. The shares are used for distributing software to Windows clients in Windows enterprise environments and can contains scripts/configuration files with passwords, certificates (pfx), etc. Most SCCM deployments are configured to allow all users to read the files on the shares, sometimes it is limited to computer accounts.

The Content Library of SCCM/CM have a "complex" (annoying) file structure which CMLoot will untangle for you: https://techcommunity.microsoft.com/t5/configuration-manager-archive/understanding-the-configuration-manager-content-library/ba-p/273349

Essentially the DataLib folder contains .INI files, the .INI file are named the original filename + .INI. The .INI file contains a hash of the file, and the file itself is stored in the FileLib in format of <folder name: 4 first chars of the hash>\fullhash.

CM Access Accounts

It is possible to apply Access control to packages in CM. This however only protects the folder for the file descriptor (DataLib), not the actual file itself. CMLoot will during inventory record any package that it can't access (Access denied) to the file _noaccess.txt. Invoke-CMLootHunt can then use this file to enumerate the actual files that the access control is trying to protect.

OPSEC

Windows Defender for Endpoint (EDR) or other security mechanisms might trigger because the script parses a lot of files over SMB.

HOWTO

Find CM servers by searching for them in Active Directory or by fetching this reqistry key on a workstation with System Center installed:

(Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\DP -Name ManagementPoints).ManagementPoints

There may be multiple CM servers deployed and they can contain different files so be sure to find all of them.

Then you need to create an inventory file which is just a text file containing references to file descriptors (.INI). The following command will parse all .INI files on the SCCM server to create a list of files available.

PS> Invoke-CMLootInventory -SCCMHost sccm01.domain.local -Outfile sccmfiles.txt

Then use the inventory file created above to download files of interest:

Select files using GridView (Milage may vary with large inventory files):

PS> Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -GridSelect

Download a single file, by coping a line in the inventory text:

PS> Invoke-CMLootDownload -SingleFile \\sccm\SCCMContentLib$\DataLib\SC100001.1\x86\MigApp.xml

Download all files with a certain file extension:

PS> Invoke-CMLootDownload -InventoryFile .\sccmfiles.txt -Extension ps1

Files will by default download to CMLootOut in the folder from which you execute the script, can be changed with -OutFolder parameter. Files are saved in the format of (folder: filext)\(first 4 chars of hash>_original filename).

Hunt for files that CMLootInventory found inaccessible:

Invoke-CMLootHunt -SCCMHost sccm -NoAccessFile sccmfiles_noaccess.txt

Bulk extract MSI files:

Invoke-CMLootExtract -Path .\CMLootOut\msi

DEMO

Run inventory, scanning available files:

Select files using GridSelect:

Download all extensions:

Hunt "inaccessible" files and MSI extract:

Author

Tomas Rzepka / WithSecure

Fingerprintx - Standalone Utility For Service Discovery On Open Ports!

fingerprintx is a utility similar to httpx that also supports fingerprinting services like as RDP, SSH, MySQL, PostgreSQL, Kafka, etc. fingerprintx can be used alongside port scanners like Naabu to fingerprint a set of ports identified during a port scan. For example, an engineer may wish to scan an IP range and then rapidly fingerprint the service running on all the discovered ports.

Features

• Fast fingerprinting of exposed services
• Application layer service discovery
• Plays nicely with other command line tools
• Automatic metadata collection from identified services

Supported Protocols:

Installation

From Github

go install github.com/praetorian-inc/fingerprintx/cmd/fingerprintx@latest

From source (go version > 1.18)

$ git clone git@github.com:praetorian-inc/fingerprintx.git
$ cd fingerprintx

# with go version > 1.18
$ go build ./cmd/fingerprintx
$ ./fingerprintx -h

Docker

$ git clone git@github.com:praetorian-inc/fingerprintx.git
$ cd fingerprintx

# build
docker build -t fingerprintx .

# and run it
docker run --rm fingerprintx -h
docker run --rm fingerprintx -t praetorian.com:80 --json

Usage

fingerprintx -h

The -h option will display all of the supported flags for fingerprintx.

Usage:
  fingerprintx [flags]
TARGET SPECIFICATION:
	Requires a host and port number or ip and port number. The port is assumed to be open.
	HOST:PORT or IP:PORT
EXAMPLES:
	fingerprintx -t praetorian.com:80
	fingerprintx -l input-file.txt
	fingerprintx --json -t praetorian.com:80,127.0.0.1:8000

Flags:
      --csv               output format in csv
  -f, --fast              fast mode
  -h, --help              help for fingerprintx
      --json              output format in json
  -l, --list string       input file containing targets
  -o, --output string     output file
  -t, --targets strings   target or comma separated target list
  -w, --timeout int       timeout (milliseconds) (default 500)
  -U, --udp               run UDP plugins
  -v, --verbose           verbose mode

The fast mode will only attempt to fingerprint the default service associated with that port for each target. For example, if praetorian.com:8443 is the input, only the https plugin would be run. If https is not running on praetorian.com:8443, there will be NO output. Why do this? It's a quick way to fingerprint most of the services in a large list of hosts (think the 80/20 rule).

Running Fingerprintx

With one target:

$ fingerprintx -t 127.0.0.1:8000
http://127.0.0.1:8000

By default, the output is in the form: SERVICE://HOST:PORT. To get more detailed service output specify JSON with the --json flag:

$ fingerprintx -t 127.0.0.1:8000 --json
{"ip":"127.0.0.1","port":8000,"service":"http","transport":"tcp","metadata":{"responseHeaders":{"Content-Length":["1154"],"Content-Type":["text/html; charset=utf-8"],"Date":["Mon, 19 Sep 2022 18:23:18 GMT"],"Server":["SimpleHTTP/0.6 Python/3.10.6"]},"status":"200 OK","statusCode":200,"version":"SimpleHTTP/0.6 Python/3.10.6"}}

Pipe in output from another program (like naabu):

$ naabu 127.0.0.1 -silent 2>/dev/null | fingerprintx
http://127.0.0.1:8000
ftp://127.0.0.1:21

Run with an input file:

$ cat input.txt | fingerprintx
http://praetorian.com:80
telnet://telehack.com:23

# or if you prefer
$ fingerprintx -l input.txt
http://praetorian.com:80
telnet://telehack.com:23

With more metadata output:

PortexAnalyzerGUI - Graphical Interface For PortEx, A Portable Executable And Malware Analysis Library

Ator - Authentication Token Obtain and Replace Extender

The plugin is created to help automated scanning using Burp in the following scenarios:

1. Access/Refresh token
2. Token replacement in XML,JSON body
3. Token replacement in cookies
   The above can be achieved using complex macro, session rules or Custom Extender in some scenarios. The rules become tricky and do not work in scenarios where the replacement text is either JSON, XML.

Key advantages:

1. We have also achieved in-memory token replacement to avoid duplicate login requests like in both custom extender, macros/session rules.
2. Easy UX to help obtain data (from response) and replace data (in requests) using regex. This helps achieve complex scenarios where response body is JSON, XML and the request text is also JSON, XML, form data etc.
3. Scan speed - the scan speed increases considerably because there are no extra login requests. There is something called the "Trigger Request" which is the error condition (also includes regex) when the login requests are triggered. The error condition can include (response code = 401 and body contains "Unauthorized request")

The inspiration for the plugin is from ExtendedMacro plugin: https://github.com/FrUh/ExtendedMacro

Blogs

1. Authentication Token Obtain and Replace (ATOR) Burp Plugin - Part1 - Single step login sequence and single token extraction
2. Authentication Token Obtain and Replace (ATOR) Burp Plugin - Part2 - Multi step login sequence and multiple extraction

Getting Started

1. Install Java and Maven
2. Clone the repository
3. Run the "mvn clean install" command in cloned repo of where pom.xml is present
4. Take the generated jar with dependencies from the target folder

Prerequisites

1. Make sure java environment is setup in your machine.
2. Confgure the Burp Suite to listen the Proxy traffic
3. Configure the java environment from extender tab of BURP

For usage with test application (Install this testing application (Tiredful application) from https://github.com/payatu/Tiredful-API)

Steps

1. Identify the request which provides the error
2. Identify the Error Pattern (details in section below)
3. Obtain the data from the response using regex (see sample regex values)
4. Replace this data on the request (use same regex as step 3 along with the variable name)

Error Pattern:

Totally there are 4 different ways you can specify the error condition.

1. Status Code: 401, 400
2. Error in Body: give any text from the body content (Example: Access token expired)
3. Error in Header: give any text from header(Example: Unauthorized)
4. Free Form: use this to give multiple condition (st=400 && bd=Access token expired || hd=Unauthorized)

Regex with samples

1. Use Authorization: Bearer \w* to match Authorization: Bearer AXXFFPPNSUSSUSSNSUSN
2. Use Authorization: Bearer ([\w+_-.]*) to match Authorization: Bearer AXX-F+FPPNS.USSUSSNSUSN

Break down into end to end tests

1. Finding the Invalid request:
   • http://HOST:PORT/api/v1/exams/MQ==/ with invalid Bearer token.
2. Identifying Error Pattern:
   • The above request will give you 401, here error condition is Status Code = 401
3. Match regex with request data
   • Authorization: Bearer \w* - this regex will match access token which is passed.
4. Replacement - How to replace
   • Replace the matched text(step 3 regex) with extracted value (Extraction configuration discussed in below, say varibale name is "token")
   • Authorization: Bearer token - extracted token will be replaced.

Usage with test application

Idea : Record the Tiredful application request in BURP, configure the ATOR extender, check whether token is replaced by ATOR.

1. Open the testing application in browser which you configured with BURP
   • Generate a token from http://HOST:PORT/handle-user-token/
   • Send the request http://HOST:PORT/api/v1/exams/MQ==/ by passing Authorization Beaer token(get it from above step)
2. Add the ATOR jar file as a extender in BURP
3. Right Click on the request(/handle-user-token) in Proxy history and send it to Authentication Token Optain and Replace Extender
4. Add the new entry in Extraction configuration by selecting the "access_token" value and give name as "token"(it may be any name) Note: For this application,one request is enough to generate a token.Token can also get generated after multiple requests
5. TRIGGER CONDITION:
   • Macro steps will get executed if the condition is matched.
   • After execution of steps, replace the incoming request by taking values from "Pattern" and "Replacement Area" if specified.
   • For our testing,
     • Error condition is 401(Status Code)
     • Pattern is "Authorization: Bearer \w*" (Specify the regex Pattern how you want to replace with extraction values)
     • Replacement Area is "Authentication: Bearer <NAME which you gave in STEP 4>"
   • Click on "Add" Button.
6. For this example, one replacement is enough to make the incoming request as valid but you can add mutiple replacement for a single condition.
7. Hit the invalid request from Repeater and check the req/res flows in either FLOW/Logger++
   • Invalid Bearer token(http://HOST:PORT/api/v1/exams/MQ==/) from Repeater makes the response as 401.
   • Extender will match this condition and start running the recorded steps, extract the "access_token"
   • Replace the access token(from step ii) in actual response(from Repeater) and makes this invalid request as valid.
   • In the repeater console, you see 200 OK response.
8. Do the Step7 again and check the flow
   • This time extender will not invoke the steps because existing token is valid and so it uses that.

Built With

• SWING - Used to add panel

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

Versioning

v1.0

Authors

• **https://github.com/FrUh/ExtendedMacro ** - Initial work

Authors from Synopsys - Ashwath Reddy (@ka3hk) and Manikandan Rajappan (@rmanikdn)

License

This software is released by Synopsys under the MIT license.

Acknowledgments

• https://github.com/FrUh/ExtendedMacro ExtendedMacro was a great start - we have modified the UI to handle more complex scenarios. We have also fixed bugs and improved speed by replacing tokens in memory.

Demo Video

ATOR v2.0.0:

UI Panel was splitted into 4 different configuration. Check out the code from v2 or use the executable from v2/bin.

1. Error Condition - Find the error condition req/res and add trigger condition [Can be statuscode/text in body content/text in header]. Multiple condition can also be added.
2. Obtain Token: Find all the req/res to get the token. It can be single or multiple request (do replacement accordingly)
3. Error Condition Replacement: Mark the trigger condition and also mark the place on request where replacement needs to taken (map the extraction)
4. Preview: Dry run it before configure for scan.