Login
Mobile Helper Framework is a tool that automates the process of identifying the framework/technology used to create a mobile application. Additionally, it assists in finding sensitive information or provides suggestions for working with the identified platform.
The tool searches for files associated with the technologies used in mobile application development, such as configuration files, resource files, and source code files.
Search files:
FreshRSS index.html
cordova.js
cordova_plugins.js
Search file
Andorid files:
libreactnativejni.so
index.android.bundle
iOS files:
main.jsbundle
❗A minimum of Java 8 is required to run Apktool.
pip install -r requirements.txt
python3 mhf.py app.apk|ipa|aab
python3 mobile_helper_framework.py file.apk
[+] App was written in React Native
Do you want analizy the application (y/n) y
Output directory already exists. Skipping decompilation.
Beauty the react code? (y/n) n
Search any info? (y/n) y
==>>Searching possible internal IPs in the file
results.........
==>>Searching possible emails in the file
results.........
==>>Searching possible interesting words in the file
results.........
==>>Searching Private Keys in the file
results.........
==>>Searching high confidential secrets
results.........
==>>Searching possible sensitive URLs in js files
results.........
==>>Searching possible endpoints in js files results.........
This tool uses Apktool for decompilation of Android applications.
This tool renames the .ipa file of iOS applications to .zip and extracts the contents.
| Feature | Note | Cordova | React Native | Native JavaScript | Flutter | Xamarin |
|---|---|---|---|---|---|---|
| JavaScript beautifier | Use this for the first few occasions to see better results. | ✅ | ✅ | ✅ | ||
| Identifying multiple sensitive information | IPs, Private Keys, API Keys, Emails, URLs | ✅ | ✅ | ✅ | ❌ | |
| Cryptographic Functions | ✅ | ✅ | ✅ | ❌ | ❌ | |
| Endpoint extractor | ✅ | ✅ | ✅ | ❌ | ❌ | |
| Automatically detects if the code has been beautified. | ❌ | ❌ | ❌ | |||
| Extracts automatically apk of devices/emulator | ❌ | ❌ | ❌ | ❌ | ❌ | |
| Patching apk | ✅ | |||||
| Extract an APK from a bundle file. | ✅ | ✅ | ✅ | ✅ | ✅ | |
| Detect if JS files are encrypted | ❌ | ❌ | ||||
| Detect if the resources are compressed. | ❌ | Hermes✅ | ❌ | ❌ | XALZ✅ | |
| Detect if the app is split | ❌ | ❌ | ❌ | ❌ | ❌ |
What is patching apk: This tool uses Reflutter, a framework that assists with reverse engineering of Flutter apps using a patched version of the Flutter library.
More information: https://github.com/Impact-I/reFlutter
Split APKs is a technique used by Android to reduce the size of an application and allow users to download and use only the necessary parts of the application.
Instead of downloading a complete application in a single APK file, Split APKs divide the application into several smaller APK files, each of which contains only a part of the application such as resources, code libraries, assets, and configuration files.
adb shell pm path com.package
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/base.apk
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.arm64_v8a.apk
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.en.apk
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.xxhdpi.apk
For example, in Flutter if the application is a Split it's necessary patch split_config.arm64_v8a.apk, this file contains libflutter.so
SwaggerSpy is a tool designed for automated Open Source Intelligence (OSINT) on SwaggerHub. This project aims to streamline the process of gathering intelligence from APIs documented on SwaggerHub, providing valuable insights for security researchers, developers, and IT professionals.
Swagger is an open-source framework that allows developers to design, build, document, and consume RESTful web services. It simplifies API development by providing a standard way to describe REST APIs using a JSON or YAML format. Swagger enables developers to create interactive documentation for their APIs, making it easier for both developers and non-developers to understand and use the API.
SwaggerHub is a collaborative platform for designing, building, and managing APIs using the Swagger framework. It offers a centralized repository for API documentation, version control, and collaboration among team members. SwaggerHub simplifies the API development lifecycle by providing a unified platform for API design and testing.
Performing OSINT on SwaggerHub is crucial because developers, in their pursuit of efficient API documentation and sharing, may inadvertently expose sensitive information. Here are key reasons why OSINT on SwaggerHub is valuable:
Developer Oversights: Developers might unintentionally include secrets, credentials, or sensitive information in API documentation on SwaggerHub. These oversights can lead to security vulnerabilities and unauthorized access if not identified and addressed promptly.
Security Best Practices: OSINT on SwaggerHub helps enforce security best practices. Identifying and rectifying potential security issues early in the development lifecycle is essential to ensure the confidentiality and integrity of APIs.
Preventing Data Leaks: By systematically scanning SwaggerHub for sensitive information, organizations can proactively prevent data leaks. This is especially crucial in today's interconnected digital landscape where APIs play a vital role in data exchange between services.
Risk Mitigation: Understanding that developers might forget to remove or obfuscate sensitive details in API documentation underscores the importance of continuous OSINT on SwaggerHub. This proactive approach mitigates the risk of unintentional exposure of critical information.
Compliance and Privacy: Many industries have stringent compliance requirements regarding the protection of sensitive data. OSINT on SwaggerHub ensures that APIs adhere to these regulations, promoting a culture of compliance and safeguarding user privacy.
Educational Opportunities: Identifying oversights in SwaggerHub documentation provides educational opportunities for developers. It encourages a security-conscious mindset, fostering a culture of awareness and responsible information handling.
By recognizing that developers can inadvertently expose secrets, OSINT on SwaggerHub becomes an integral part of the overall security strategy, safeguarding against potential threats and promoting a secure API ecosystem.
SwaggerSpy obtains information from SwaggerHub and utilizes regular expressions to inspect API documentation for sensitive information, such as secrets and credentials.
To use SwaggerSpy, follow these steps:
git clone https://github.com/UndeadSec/SwaggerSpy.git
cd SwaggerSpy
pip install -r requirements.txt
python swaggerspy.py searchterm
SwaggerSpy is intended for educational and research purposes only. Users are responsible for ensuring that their use of this tool complies with applicable laws and regulations.
Contributions to SwaggerSpy are welcome! Feel free to submit issues, feature requests, or pull requests to help improve this tool.
SwaggerSpy is developed and maintained by Alisson Moretto (UndeadSec)
I'm a passionate cyber threat intelligence pro who loves sharing insights and crafting cybersecurity tools.
SwaggerSpy is licensed under the MIT License. See the LICENSE file for details.
Special thanks to @Liodeus for providing project inspiration through swaggerHole.
This repo contains the code for our USENIX Security '23 paper "ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions". Argus is a comprehensive security analysis tool specifically designed for GitHub Actions. Built with an aim to enhance the security of CI/CD workflows, Argus utilizes taint-tracking techniques and an impact classifier to detect potential vulnerabilities in GitHub Action workflows.
Visit our website - secureci.org for more information.
Taint-Tracking: Argus uses sophisticated algorithms to track the flow of potentially untrusted data from specific sources to security-critical sinks within GitHub Actions workflows. This enables the identification of vulnerabilities that could lead to code injection attacks.
Impact Classifier: Argus classifies identified vulnerabilities into High, Medium, and Low severity classes, providing a clearer understanding of the potential impact of each identified vulnerability. This is crucial in prioritizing mitigation efforts.
This Python script provides a command line interface for interacting with GitHub repositories and GitHub actions.
python argus.py --mode [mode] --url [url] [--output-folder path_to_output] [--config path_to_config] [--verbose] [--branch branch_name] [--commit commit_hash] [--tag tag_name] [--action-path path_to_action] [--workflow-path path_to_workflow]--mode: The mode of operation. Choose either 'repo' or 'action'. This parameter is required.--url: The GitHub URL. Use USERNAME:TOKEN@URL for private repos. This parameter is required.--output-folder: The output folder. The default value is '/tmp'. This parameter is optional.--config: The config file. This parameter is optional.--verbose: Verbose mode. If this option is provided, the logging level is set to DEBUG. Otherwise, it is set to INFO. This parameter is optional.--branch: The branch name. You must provide exactly one of: --branch, --commit, --tag. This parameter is optional.--commit: The commit hash. You must provide exactly one of: --branch, --commit, --tag. This parameter is optional.--tag: The tag. You must provide exactly one of: --branch, --commit, --tag. This parameter is optional.--action-path: The (relative) path to the action. You cannot provide --action-path in repo mode. This parameter is optional.--workflow-path: The (relative) path to the workflow. You cannot provide --workflow-path in action mode. This parameter is optional.To use this script to interact with a GitHub repo, you might run a command like the following:
python argus.py --mode repo --url https://github.com/username/repo.git --branch masterThis would run the script in repo mode on the master branch of the specified repository.
Argus can be run inside a docker container. To do so, follow the steps:
results folderYou can view SARIF results either through an online viewer or with a Visual Studio Code (VSCode) extension.
Online Viewer: The SARIF Web Viewer is an online tool that allows you to visualize SARIF files. You can upload your SARIF file (argus_report.sarif) directly to the website to view the results.
VSCode Extension: If you prefer to use VSCode, you can install the SARIF Viewer extension. After installing the extension, you can open your SARIF file (argus_report.sarif) in VSCode. The results will appear in the SARIF Explorer pane, which provides a detailed and navigable view of the results.
Remember to handle the SARIF file with care, especially if it contains sensitive information from your codebase.
If there is an issue with needing the Github authorization for running, you can provide username:TOKEN in the GITHUB_CREDS environment variable. This will be used for all the requests made to Github. Note, we do not store this information anywhere, neither create any thing in the Github account - we only use this for cloning the repositories.
Argus is an open-source project, and we welcome contributions from the community. Whether it's reporting a bug, suggesting a feature, or writing code, your contributions are always appreciated!
If you use Argus in your research, please cite our paper:
@inproceedings{muralee2023Argus,
title={ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions},
author={S. Muralee, I. Koishybayev, A. Nahapetyan, G. Tystahl, B. Reaves, A. Bianchi, W. Enck,
A. Kapravelos, A. Machiry},
booktitle={32st USENIX Security Symposium (USENIX Security 23)},
year={2023},
}
CATSploit is an automated penetration testing tool using Cyber Attack Techniques Scoring (CATS) method that can be used without pentester. Currently, pentesters implicitly made the selection of suitable attack techniques for target systems to be attacked. CATSploit uses system configuration information such as OS, open ports, software version collected by scanner and calculates a score value for capture eVc and detectability eVd of each attack techniques for target system. By selecting the highest score values, it is possible to select the most appropriate attack technique for the target system without hack knack(professional pentester’s skill) .
CATSploit automatically performs penetration tests in the following sequence:
Information gathering and prior information input First, gathering information of target systems. CATSploit supports nmap and OpenVAS to gather information of target systems. CATSploit also supports prior information of target systems if you have.
Calculating score value of attack techniques Using information obtained in the previous phase and attack techniques database, evaluation values of capture (eVc) and detectability (eVd) of each attack techniques are calculated. For each target computer, the values of each attack technique are calculated.
Selection of attack techniques by using scores and make attack scenario Select attack techniques and create attack scenarios according to pre-defined policies. For example, for a policy that prioritized hard-to-detect, the attack techniques with the lowest eVd(Detectable Score) will be selected.
Execution of attack scenario CATSploit executes the attack techniques according to attack scenario constructed in the previous phase. CATSploit uses Metasploit as a framework and Metasploit API to execute actual attacks.
CATSploit has the following prerequisites:
For Metasploit, Nmap and OpenVAS, it is assumed to be installed with the Kali Distribution.
To install the latest version of CATSploit, please use the following commands:
$ git clone https://github.com/catsploit/catsploit.git
$ cd catsploit
$ git clone https://github.com/catsploit/cats-helper.git
$ sudo ./setup.sh
CATSploit is a server-client configuration, and the server reads the configuration JSON file at startup. In config.json, the following fields should be modified for your environment.
(*) Adjust the number according to the specs of your machine.
To start the server, execute the following command:
$ python cats_server.py -c [CONFIG_FILE]
Next, prepare another console, start the client program, and initiate a connection to the server.
$ python catsploit.py -s [SOCKET_PATH]
After successfully connecting to the server and initializing it, the session will start.
_________ ___________ __ _ __
/ ____/ |/_ __/ ___/____ / /___ (_) /_
/ / / /| | / / \__ \/ __ \/ / __ \/ / __/
/ /___/ ___ |/ / ___/ / /_/ / / /_/ / / /_
\____/_/ |_/_/ /____/ .___/_/\____/_/\__/
/_/
[*] Connecting to cats-server
[*] Done.
[*] Initializing server
[*] Done.
catsploit>
The client can execute a variety of commands. Each command can be executed with -h option to display the format of its arguments.
usage: [-h] {host,scenario,scan,plan,attack,post,reset,help,exit} ...
positional arguments:
{host,scenario,scan,plan,attack,post,reset,help,exit}
options:
-h, --help show this help message and exit
I've posted the commands and options below as well for reference.
host list:
show information about the hosts
usage: host list [-h]
options:
-h, --help show this help message and exit
host detail:
show more information about one host
usage: host detail [-h] host_id
positional arguments:
host_id ID of the host for which you want to show information
options:
-h, --help show this help message and exit
scenario list:
show information about the scenarios
usage: scenario list [-h]
options:
-h, --help show this help message and exit
scenario detail:
show more information about one scenario
usage: scenario detail [-h] scenario_id
positional arguments:
scenario_id ID of the scenario for which you want to show information
options:
-h, --help show this help message and exit
scan:
run network-scan and security-scan
usage: scan [-h] [--port PORT] targe t_host [target_host ...]
positional arguments:
target_host IP address to be scanned
options:
-h, --help show this help message and exit
--port PORT ports to be scanned
plan:
planning attack scenarios
usage: plan [-h] src_host_id dst_host_id
positional arguments:
src_host_id originating host
dst_host_id target host
options:
-h, --help show this help message and exit
attack:
execute attack scenario
usage: attack [-h] scenario_id
positional arguments:
scenario_id ID of the scenario you want to execute
options:
-h, --help show this help message and exit
post find-secret:
find confidential information files that can be performed on the pwned host
usage: post find-secret [-h] host_id
positional arguments:
host_id ID of the host for which you want to find confidential information
op tions:
-h, --help show this help message and exit
reset:
reset data on the server
usage: reset [-h] {system} ...
positional arguments:
{system} reset system
options:
-h, --help show this help message and exit
exit:
exit CATSploit
usage: exit [-h]
options:
-h, --help show this help message and exit
In this example, we use CATSploit to scan network, plan the attack scenario, and execute the attack.
catsploit> scan 192.168.0.0/24
Network Scanning ... 100%
[*] Total 2 hosts were discovered.
Vulnerability Scanning ... 100%
[*] Total 14 vulnerabilities were discovered.
catsploit> host list
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓
┃ hostID ┃ IP ┃ Hostname ┃ Platform ┃ Pwned ┃
┡━━━━━━ ━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩
│ attacker │ 0.0.0.0 │ kali │ kali 2022.4 │ True │
│ h_exbiy6 │ 192.168.0.10 │ │ Linux 3.10 - 4.11 │ False │
│ h_nhqyfq │ 192.168.0.20 │ │ Microsoft Windows 7 SP1 │ False │
└──────────┴ ───────────────┴──────────┴──────────────────────────────────┴───────┘
catsploit> host detail h_exbiy6
┏━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━┓
┃ hostID ┃ IP ┃ Hostname ┃ Platform ┃ Pwned ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━┩
│ h_exbiy6 │ 192.168.0.10 │ ubuntu │ ubuntu 14.04 │ False │
└──────────┴──────────────┴──────────┴──────────────┴─ ─────┘
[IP address]
┏━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━┓
┃ ipv4 ┃ ipv4mask ┃ ipv6 ┃ ipv6prefix ┃
┡━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━┩
│ 192.168.0.10 │ │ │ │
└──────────── ─┴──────────┴──────┴────────────┘
[Open ports]
┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ ip ┃ proto ┃ port ┃ service ┃ product ┃ version ┃
┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 192.168.0.10 │ tcp │ 21 │ ftp │ ProFTPD │ 1.3.5 │
│ 192.168.0.10 │ tcp │ 22 │ ssh │ OpenSSH │ 6.6.1p1 Ubuntu 2ubuntu2.10 │
│ 192.168.0.10 │ tcp │ 80 │ http │ Apache httpd │ 2.4.7 │
│ 192.168.0.10 │ tcp │ 445 │ netbios-ssn │ Samba smbd │ 3.X - 4.X │
│ 192.168.0.10 │ tcp │ 631 │ ipp │ CUPS │ 1.7 │
└──────────────┴───────┴──────┴─────────────┴──────────────┴────────────────────────────┘
[Vulnerabilities]
┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
┃ ip ┃ proto ┃ port ┃ vuln_name ┃ cve ┃
┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
│ 192.168.0.10 │ tcp │ 0 │ TCP Timestamps Information Disclosure │ N/A │
│ 192.168.0.10 │ tcp │ 21 │ FTP Unencrypted Cleartext Login │ N/A │
│ 192.168.0.10 │ tcp │ 22 │ Weak MAC Algorithm(s) Supported (SSH) │ N/A │
│ 192.168.0.10 │ tcp │ 22 │ Weak Encryption Algorithm(s) Supported (SSH) │ N/A │
│ 192.168.0.10 │ tcp │ 22 │ Weak Host Key Algorithm(s) (SSH) │ N/A │
│ 192.168.0.10 │ tcp │ 22 │ Weak Key Exchange (KEX) Algorithm(s) Supported (SSH) │ N/A │
│ 192.168.0.10 │ tcp │ 80 │ Test HTTP dangerous methods │ N/A │
│ 192.168.0.10 │ tcp │ 80 │ Drupal Core SQLi Vulnerability (SA-CORE-2014-005) - Active Check │ CVE-2014-3704 │
│ 192.168.0.10 │ tcp │ 80 │ Drupal Coder RCE Vulnerability (SA-CONTRIB-2016-039) - Active Check │ N/A │
│ 192.168.0.10 │ tcp │ 80 │ Sensitive File Disclosure (HTTP) │ N/A │
│ 192.168.0.10 │ tcp │ 80 │ Unprotected Web App / Device Installers (HTTP) │ N/A │
│ 192.168.0.10 │ tcp │ 80 │ Cleartext Transmission of Sensitive Information via HTTP │ N/A │
│ 192.168.0.10 │ tcp │ 80 │ jQuery < 1.9.0 XSS Vulnerability │ CVE-2012-6708 │
│ 192.168.0.10 │ tcp │ 80 │ jQuery < 1.6.3 XSS Vulnerability │ CVE-2011-4969 │
│ 192.168.0.10 │ tcp │ 80 │ Drupal 7.0 Information Disclosure Vulnerability - Active Check │ CVE-2011-3730 │
│ 192.168.0.10 │ tcp │ 631 │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS │ CVE-2016-2183 │
│ 192.168.0.10 │ tcp │ 631 │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS │ CVE-2016-6329 │
│ 192.168.0.10 │ tcp │ 631 │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS │ CVE-2020-12872 │
│ 192.168.0.10 │ tcp │ 631 │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection │ CVE-2011-3389 │
│ 192.168.0.10 │ tcp │ 631 │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection │ CVE-2015-0204 │
└──────────────┴───────┴──────┴─────────────────────────────────────────────────────────────────────┴───& #9472;────────────┘
[Users]
┏━━━━━━━━━━━┳━━━━━━━┓
┃ user name ┃ group ┃
┡━━━━━━━━━━━╇━━━━━━━┩
└───────────┴───────┘
catsploit> plan attacker h_exbiy6
Planning attack scenario...100%
[*] Done. 15 scenarios was planned.
[*] To check each scenario, try 'scenario list' and/or 'scenario detail'.
catsploit> scenario list
┏━━━━━━━━━━━━━┳━━━━━ ━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ scenario id ┃ src host ip ┃ target host ip ┃ eVc ┃ eVd ┃ steps ┃ first attack step ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━γ 3;━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 3d3ivc │ 0.0.0.0 │ 192.168.0.10 │ 1.0 │ 32.0 │ 1 │ exploit/multi/http/jenkins_s… │
│ 5gnsvh │ 0.0.0.0 │ 192.168.0.10 │ 1.0 │ 53.76 │ 2 │ exploit/multi/http/jenkins_s… │
│ 6nlxyc │ 0.0.0.0 │ 192.168.0.10 │ 0.0 │ 48.32 │ 2 │ exploit/multi/http/jenkins_s… │
│ 8jos4z │ 0.0.0.0 │ 192.168.0.1 0 │ 0.7 │ 72.8 │ 2 │ exploit/multi/http/jenkins_s… │
│ 8kmmts │ 0.0.0.0 │ 192.168.0.10 │ 0.0 │ 32.0 │ 1 │ exploit/multi/elasticsearch/… │
│ agjmma │ 0.0.0.0 │ 192.168.0.10 │ 0.0 │ 24.0 │ 1 │ exploit/windows/http/managee… │
│ joglhf │ 0.0.0.0 │ 192.168.0.10 │ 70.0 │ 60.0 │ 1 │ auxiliary/scanner/ssh/ssh_lo… │
│ rmgrof │ 0.0.0.0 │ 192.168.0.10 │ 100.0 │ 32.0 │ 1 │ exploit/multi/http/drupal_dr… │
│ xuowzk │ 0.0.0.0 │ 192.168.0.10 │ 0.0 │ 24.0 │ 1 │ exploit/multi/http/struts_dm… │
│ yttv51 │ 0.0.0.0 │ 192.168.0.10 │ 0.01 │ 53.76 │ 2 │ exploit/multi/http/jenkins_s… │
│ znv76x │ 0.0.0.0 │ 192.168.0.10 │ 0.01 │ 53.76 │ 2 │ exploit/multi/http/jenkins_s… │
└─────────────┴─────────────┴────────────────┴───────┴───────┴───────┴───────────────────────────────┘
catsploit> scenario detail rmgrof
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┓
┃ src host ip ┃ target host ip ┃ eVc ┃ eVd ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━┩
│ 0.0.0.0 │ 192.168.0.10 │ 100.0 │ 32.0 │
└─────────────┴──────── ───────┴───────┴──────┘
[Steps]
┏━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓
┃ # ┃ step ┃ params ┃
┡━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩
│ 1 │ exploit/multi/http/drupal_drupageddon │ RHOSTS: 192.168.0.10 │
│ │ │ LHOST: 192.168.10.100 │
└───┴───────────────────────────────────────┴───────────────────────┘
catsploit> attack rmgrof
> ~> ~
> Metasploit Console Log
> ~
> ~
[+] Attack scenario succeeded!
catsploit> exit
Bye.
All informations and codes are provided solely for educational purposes and/or testing your own systems.
For any inquiry, please contact the email address as follows:
catsploit@nk.MitsubishiElectric.co.jp
Gold Digger is a simple tool used to help quickly discover sensitive information in files recursively. Originally written to assist in rapidly searching files obtained during a penetration test.
Gold Digger requires Python3.
virtualenv -p python3 .
source bin/activate
python dig.py --helpusage: dig.py [-h] [-e EXCLUDE] [-g GOLD] -d DIRECTORY [-r RECURSIVE] [-l LOG]
optional arguments:
-h, --help show this help message and exit
-e EXCLUDE, --exclude EXCLUDE
JSON file containing extension exclusions
-g GOLD, --gold GOLD JSON file containing the gold to search for
-d DIRECTORY, --directory DIRECTORY
Directory to search for gold
-r RECURSIVE, --recursive RECURSIVE
Search directory recursively?
-l LOG, --log LOG Log file to save outputGold Digger will recursively go through all folders and files in search of content matching items listed in the gold.json file. Additionally, you can leverage an exclusion file called exclusions.json for skipping files matching specific extensions. Provide the root folder as the --directory flag.
An example structure could be:
~/Engagements/CustomerName/data/randomfiles/
~/Engagements/CustomerName/data/randomfiles2/
~/Engagements/CustomerName/data/code/You would provide the following command to parse all 3 account reports:
python dig.py --gold gold.json --exclude exclusions.json --directory ~/Engagements/CustomerName/data/ --log Customer_2022-123_gold.logThe tool will create a log file containg the scanning results. Due to the nature of using regular expressions, there may be numerous false positives. Despite this, the tool has been proven to increase productivity when processing thousands of files.
Shout out to @d1vious for releasing git-wild-hunt https://github.com/d1vious/git-wild-hunt! Most of the regex in GoldDigger was used from this amazing project.
jsFinder is a command-line tool written in Go that scans web pages to find JavaScript files linked in the HTML source code. It searches for any attribute that can contain a JavaScript file (e.g., src, href, data-main, etc.) and extracts the URLs of the files to a text file. The tool is designed to be simple to use, and it supports reading URLs from a file or from standard input.
jsFinder is useful for web developers and security professionals who want to find and analyze the JavaScript files used by a web application. By analyzing the JavaScript files, it's possible to understand the functionality of the application and detect any security vulnerabilities or sensitive information leakage.
jsfinder requires Go 1.20 to install successfully.Run the following command to get the repo :
go install -v github.com/kacakb/jsfinder@latestTo see which flags you can use with the tool, use the -h flag.
jsfinder -h | Flag | Description |
|---|---|
| -l | Specifies the filename to read URLs from. |
| -c | Specifies the maximum number of concurrent requests to be made. The default value is 20. |
| -s | Runs the program in silent mode. If this flag is not set, the program runs in verbose mode. |
| -o | Specifies the filename to write found URLs to. The default filename is output.txt. |
| -read | Reads URLs from stdin instead of a file specified by the -l flag. |
If you want to read from stdin and run the program in silent mode, use this command:
cat list.txt| jsfinder -read -s -o js.txt
If you want to read from a file, you should specify it with the -l flag and use this command:
jsfinder -l list.txt -s -o js.txtYou can also specify the concurrency with the -c flag.The default value is 20. If you want to read from a file, you should specify it with the -l flag and use this command:
jsfinder -l list.txt -c 50 -s -o js.txtIf you have any questions, feedback or collaboration suggestions related to this project, please feel free to contact me via:
e-mail
SXDork is a powerful tool that utilizes the technique of google dorking to search for specific information on the internet. Google dorking is a method of using advanced search operators and keywords to uncover sensitive information that is publicly available on the internet. SXDork offers a wide range of options to search for different types of dorks, such as domain login dork, wpadmin dork, SQL dork, configuration file dorks, logfile dorks, dashboard dork, id_rsa dorks, ftp dorks, backup file dorks, mail archive dorks, password dorks, DCIM photos dork, and CCTV dorks.
One of the key features of SXDork is its ability to search dorks using the -s flag. This function allows users to retrieve a significant amount of information related to search keywords. Users can specify specific keywords and the tool will search for all the related information available on the internet. Additionally, users can use the -r flag to set the number of results that will be displayed. The default setting is 10 results, however, users can increase or decrease the number of results as per their requirement. This feature is useful for users who are looking for specific information and want to filter through the results quickly.
SXDork also allows users to search wildcard domains and find a wide range of information. This feature is particularly useful for security researchers, penetration testers and other professionals who need to find sensitive information on the internet. With the ability to search for different types of dorks, wildcard domains and filter through results, SXDork is a powerful tool that can help users find information that is publicly available on the internet.
SXDork has the ability to search for information on multiple domains. By default, the tool searches for information on pastebin.com and controlc.com, but you can easily add more domains to search against. To do this, you can navigate to the src directory and edit the dorks.py file, where you will see an array called src that contains the default domains. Simply add more domains to this array, and the next time you run a search query, SXDork will check all the domains in the array for the keyword you are searching for. This allows you to easily find information across multiple domains.
git clone https://github.com/samhaxr/SXDork.git
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python SXDork.py
usage: SXDork.py [-h] [-s SEARCH] [-r RESULT] [-dl DOMLOGIN] [-da DOMADMIN]
[-wp WPADMIN] [-lp LPANEL] [-sql SQLFILE] [-cnf CONFILE]
[-log LOGFILE] [-dash DASHBOARD] [-rsa IDRSA] [-ftp FTPFILE]
[-bck BACKUPFILE] [-ma MAILARCHIVE] [-pw PASSWORD]
[-pic PHOTOS] [-cam CCTVCAM]
Search keywords using google dork
optional arguments:
-h, --help show this help message and exit
-s SEARCH, --search SEARCH
Search keyword with dork
-r RESULT, --result RESULT
Number of output result
-dl DOMLOGIN, --domlogin DOMLOGIN
Search domain(s) for login pages
-da DOMADMIN, --domadmin DOMADMIN
Search domain(s) for admin panels
-wp WPADMIN, --wpadmin WPADMIN
Search domain(s) for wordpress admin
-lp LPANEL, --lpanel LPANEL
Search domain(s) for login panels
-sql SQLFILE, --sqlfile SQLFILE
Search domain(s) for sql database files
-cnf CONFILE, --confile CONFILE
Search domain(s) for configuration files
-log LOGFILE, --logfile LOGFILE
Search domain(s) for log files
-dash DASHBOARD, --dashboard DASHBOARD
Search domain(s) for the dashboard
-rsa IDRSA, --idrsa IDRSA
Search domain(s) for id_rsa pub keys
-ftp FTPFILE, --ftpfile FTPFILE
Search domain(s) for FTP files
-bck BACKUPFILE, --backupfile BACKUPFILE
Search domain(s) for backup files
-ma MAILARCHIVE, --mailarchive MAILARCHIVE
Search domain(s) for ma il archives
-pw PASSWORD, --password PASSWORD
Search domain(s) for passwords
-pic PHOTOS, --photos PHOTOS
Search domain(s) for DCIM/Photos
-cam CCTVCAM, --cctvcam CCTVCAM
Search domain(s) for CCTV/CAMs
Something looks a little … sketchy. Is that website safe or unsafe?
Nowadays, it can take a bit work to tell.
And that’s by design. Increasingly, hackers and scammers go to great pains when they create their malicious websites. They take extra steps to make their sites look legit, when in fact they’re anything but. Certainly, plenty of other hackers and scammers slap together malicious sites that still look a bit roughshod, which makes them easier to spot.
So whether it’s a clever knockoff or a slapdash effort, unsafe websites of all kinds have several telltale signs you can spot. We’ll show you, and let’s start things off with what makes an unsafe website unsafe in the first place.
Unsafe websites typically harbor one of two primary forms of attack—yet sometimes both:
Malware: Hackers will use their sites to install malware on your device, often by tricking you into clicking or tapping on a download. They might tempt you with an offer, a prize, a show to stream—just about anything you might want to otherwise download. (Recently, we saw hackers installing malware on sites that offered to stream dubbed versions of the “Barbie” movie.)
Phishing: Another classic attack. Phishing involves scammers who try to hoodwink you into providing account or financial information. Common ruses include links in emails, texts, and DMs that appear to be urgent messages from streaming services, banks, social media, and other accounts. Of course, those messages are phony.
As a result, unsafe websites can lead to some not-so-good things.
On the malware side, attackers can install spyware and similar apps that siphon financial and personal information from your device while you’re using it. Other malware might steal files outright or maliciously delete them altogether. Ransomware remains a major concern today as well, where attackers hold devices and data hostage. And even if victims end up paying the ransom, they have no guarantee that the attacker will free their device or data.
Phishing attacks often lead to financial headaches, sometimes large ones at that. It depends on the information scammers get their hands on. In some cases, the damage might lead to identity fraud and a few illicit charges on a debit or credit card. If scammers gather enough information, they can take that a step further and commit identity theft. That can include opening new credit or loans in your name. It could also give a scammer the info they need to get driver’s licenses or employment in your name.
Above and beyond committing fraud or theft on their own, scammers might also sell stolen information to others on the dark web.
Again, all not-so-good. Yet quite preventable.
For some sites, it only takes one sign. For other sites, it takes a few signs—a series of red flags that warn you a site is unsafe. When you’re online, keep a sharp eye out for the following:
The “s” stands for “secure.” Specifically, it means that the website uses SSL (Secure Sockets Layer) that creates an encrypted link between a web server and a web browser. SSL helps prevent others from intercepting and reading your sensitive information as it’s transmitted, which is particularly important when you shop or bank online. Likewise, you can also look for a little lock symbol in the address bar of your web browser. That’s one more way you can spot a site that uses SSL.
From spelling errors and grammatical mistakes, to stretched out logos and cheap photography, some unsafe websites are designed poorly. Legitimate businesses pride themselves on error-free and professional-looking sites. If a website looks like it got cobbled together in a hurry or doesn’t seem to be well-designed, that’s usually a red flag. The site might be unsafe, created by attackers who don’t have a strong attention to detail—or the creative capabilities to create a good-looking website in the first place.
Plenty of unsafe sites are imposter sites. They’ll try to pass themselves off as a legitimate company, like the streaming services, banks, and so forth that we mentioned earlier—all to get a hold of your account information. With all these imposter sites in play, look at the site’s address. Scammers will gin up web addresses that are close to but different from legitimate sites, so close that you might miss it. If you’re uncertain about the address, leave the page. Also note that many companies have web pages that provide lists of the official addresses that they use. Amazon provides on example, and we do the same here at McAfee. Reviewing these lists can help you spot an imposter site.
A window or graphic pops up on your screen. The site you’re on says that it’s identified a security issue with your device. Or maybe it says that your system isn’t current. Either way, there’s a file the site wants you to download. “You can correct the issue with a click!” Don’t. It’s a classic trick. Instead of fixing your non-existent problem, the download will create one. Scammers use the security alert trick to install malware on the devices of unsuspecting victims.
A screen full of links insisting you to click ranks among the top signs of an unsafe site. So much so, it’s often the subject of sitcom bits. Needless to say, the attackers behind these sites want you to click for one of several reasons. It might be to get you to download malware. It might be to generate ad revenue with clicks. Or it might be to get you to click a link that redirects you to another malicious site. In all, if you encounter a site like this, close your browser. And then run a system scan with your online protection software.
These unsafe sites sprout up around the holidays and gift-giving seasons. When stores run low on particularly popular or hot items, scammers will quickly launch sites that claim these items are in stock and ready to ship. Similarly, they might promote popular items at a deep discount. Of course, shopping at these sites will likely lead to one thing—a credit card charge and no item on your doorstep. Be wary when you see ads for stores in your social media feed, in search, and elsewhere. Stick with known, trusted retailers. (And for more on shopping safely online, give this article a quick read.)
These sites bear similarities to malicious online shopping sites. When popular movies hit the big screen or major sporting events come around, so do scam sites that promise to stream them for free or at a low cost. Avoid them. Trusted streamers will only carry shows and events that they have the rights to. If you find an offer to stream something that’s heavily discounted, free, or not available on known media outlets, it’s likely a scam. At the very least, it might serve up pirated content, which could carry malware threats along with it.
Not every site that promotes some kind of giveaway or deal is a scam. Yet the ones that ask for personal or financial information likely are. Scammers prey on people’s love for saving money or even winning a buck or two. Enter the prize, coupon, and quiz sites. Malicious prize and coupon sites will often ask for credit or debit card information, often under the guise of a payout or a discount. Malicious quiz sites will likewise ask for all kinds of personal information, typically questions about the name of your pet, the first car you owned, or where you went to school. The questions share much in common with the security questions used by banks and credit card companies. Handing this information over could lead to a breached account. Give these sites a pass.
Comprehensive online protection software like ours includes web protection that can spot malicious sites for you. It has further features that can prevent downloading malware by accident, not to mention strong antivirus protection if a hacker makes their way through to you. In all, it gives you extra confidence that wherever your travels take you online, you’re protected from sketchy and unsafe sites.
However, another part of your best defense against unsafe websites is you. Knowing what the red flags are and the kinds of information hackers want to steal can help you avoid their attacks from the start.
The post How to Tell Whether a Website Is Safe or Unsafe appeared first on McAfee Blog.
Smishing and vishing are scams where criminals attempt to get users to click a fraudulent link through a phone text message, email, or voicemail. These scams are becoming increasingly popular as cybercriminals try to take advantage of people who are more likely to fall for them, such as those who aren’t as familiar with technology or who may be experiencing a crisis.
Be aware that cybercrime and hacking can happen to anyone. Criminals are always looking for new ways to exploit people, and they know that others may not be cautious or recognize the warning signs of phishing scams when using the internet. That’s why it’s important to be aware of the different types of cybercrime and how to protect yourself.
This article discusses how to protect yourself from smishing attempts and scams where criminals try to get you to click on a fraudulent link or respond to their voicemail message to steal your personal data.
Most people are familiar with phishing scams, where scammers try to trick you into giving them your personal or financial information by pretending to be a legitimate company or organization. But have you ever heard of smishing or vishing?
Smishing is a type of phishing scam where attackers send SMS messages (or text messages) to trick victims into sharing personal information or installing malware on their devices. Vishing is almost identical to smishing, except cybercriminals use VoIP (Voice over IP) to place phone calls to trick victims instead of SMS (short message service) messages.
Smishing messages often appear to be from a legitimate source, such as a well-known company or government agency. It may even include urgent language or threats in an effort to get victims to act quickly. In some cases, the message may also include a link that directs victims to a fake website where they are prompted to enter personal information or download malware.
Here are some examples of smishing text messages hackers use to steal your personal details:
If you fall for a smishing scam, you could end up giving away your personal information or money. Cybercriminals use smishing messages to get personal and financial information, like your credit card number or access to your financial services.
For example, one type of smishing scam is when you get a text message that looks like it’s from your bank. The message might say there’s been suspicious activity on your account and that you need to click on a link to verify your identity. If you do click on the link, you’ll be taken to a fake website where you’ll be asked to enter your banking information. Once the scammers have your login information, they have access to clean out your account.
Smishing scams can be very difficult to spot, but there are some telltale signs to look for and steps to take to protect yourself.
One of the easiest ways to protect yourself from smishing scams is to be able to recognize the signs of a smishing text message. Here are some tips:
While you can’t avoid smishing attacks altogether, you can block spam text messages you receive on your mobile phone. iPhone and Android have cybersecurity tools like spam filters and phone number blocking to help protect you from phishing attacks and malicious links.
To set up spam filters on your iPhone:
To set up spam filters on your Android mobile device:
McAfee Mobile Security is a mobile security app that helps protect your phone from malware, phishing attacks, and other online threats. McAfee Mobile Security is available for Android and iOS cell phones.
One of the benefits of using McAfee Mobile Security is that it can help detect and block smishing attacks. With identity monitoring, McAfee Mobile Security monitors your sensitive information like email accounts, credit card numbers, phone numbers, Social Security numbers, and more to protect against identity theft. They notify you if they find any security breaches.
Other benefits include:
These days, our lives are more intertwined with our mobile devices than ever. We use them to stay connected with our loved ones on social media, conduct our business, and even access our most personal, sensitive data. It’s no surprise that mobile cybersecurity is becoming increasingly important.
McAfee Mobile Security is a comprehensive security solution that helps protect your device from viruses, malware, and other online threats. It also offers a variety of other features, like a secure VPN to protect your credit card numbers and other personal data.
Whether you’re browsing your favorite website, keeping up with friends on social media, or shopping online at Amazon, McAfee Mobile Security provides the peace of mind that comes from knowing your mobile device is safe and secure.
So why wait? Don‘t let the smishers win. Get started today with McAfee Mobile Security and rest easy knowing your mobile device and sensitive information are protected.
The post What Is Smishing and Vishing, and How Do You Protect Yourself? appeared first on McAfee Blog.
