SharpWeb – .NET 2.0 CLR Project To Retrieve Saved Browser Credentials From Google Chrome, Mozilla Firefox And Microsoft Internet Explorer/Edge

SharpWeb is a .NET 2.0 CLR compliant project that can retrieve saved logins from Google Chrome, Firefox, Internet Explorer and Microsoft Edge. In the future, this project will be expanded upon to retrieve Cookies and History items from these browsers.

Usage

Usage: .\SharpWeb.exe arg0 [arg1 arg2 ...]

Arguments:
  all – Retrieve all Chrome, FireFox and IE/Edge credentials.
  full – The same as 'all'.
  chrome – Fetch saved Chrome logins.
  firefox – Fetch saved FireFox logins.
  edge – Fetch saved Internet Explorer/Microsoft Edge logins.

Example: Retrieve Edge and Firefox credentials
.\SharpWeb.exe edge firefox

Example: Retrieve all saved browser credentials
.\SharpWeb.exe all

Standing on the Shoulders of Giants

This project uses the work of @plainprogrammer on a .NET 2.0 CLR compliant SQLite parser, which can be found here. In addition, @gourk created a wonderful ASN parser and cryptography helpers for decrypting and parsing the FireFox login files. SharpWeb uses a revised version of his work (found here) to parse these logins out. Without their work this project would not have come together nearly as quickly as it did.

Download SharpWeb

Link: http://feedproxy.google.com/~r/PentestTools/~3/rfzjbjrQBAI/sharpweb-net-20-clr-project-to-retrieve.html

BurpBounty – An Extension Of Burp Suite That Improves The Active And Passive Scanner

This extension allows you, in a quick and simple way, to improve the active and passive Burp Suite scanner by means of personalized rules through a very intuitive graphical interface. Through an advanced search of patterns and an improvement of the payload to send, we can create our own issue profiles both in the active scanner and in the passive one. This extension requires Burp Suite Pro.

- Usage:

1. Config section
Profile Manager: you can manage the profiles: enable, disable or remove any of them.
Select Profile: you can choose any profile to modify it and save it.
Profiles reload: you can reload the profiles directory, for example, when you add a new external profile to the directory.
Profile Directory: you choose the profiles directory path.

2. Payloads
You can add as many payloads as you want. Each payload of this section will be sent at each entry point (insertion points provided by the Burp API). You can choose multiple encoders. For example, if you want to encode the string alert(1) several times (the encoders are applied in the order shown, each one to the output of the previous one):
Plain text: alert(1)
HTML-encode all characters: &#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;
URL-encode all characters: %26%23%78%36%31%3b%26%23%78%36%63%3b%26%23%78%36%35%3b%26%23%78%37%32%3b%26%23%78%37%34%3b%26%23%78%32%38%3b%26%23%78%33%31%3b%26%23%78%32%39%3b
Base64-encode: JTI2JTIzJTc4JTM2JTMxJTNiJTI2JTIzJTc4JTM2JTYzJTNiJTI2JTIzJTc4JTM2JTM1JTNiJTI2JTIzJTc4JTM3JTMyJTNiJTI2JTIzJTc4JTM3JTM0JTNiJTI2JTIzJTc4JTMyJTM4JTNiJTI2JTIzJTc4JTMzJTMxJTNiJTI2JTIzJTc4JTMyJTM5JTNi
If you choose the "URL-Encode these characters" option, you can put all the characters that you want to URL-encode.

3. Grep – Match
For each payload response, each string, regex or payload (depending on what you choose) will be searched for with the specific Grep Options.
Grep Type:
- Simple String: search for a simple string or strings
- Regex: search for a regular expression
- Payload: search for the payloads sent
- Payload without encode: if you encode the payload and you want to search for the original (unencoded) payload, you should choose this
Grep Options:
- Negative match: if you want to check that the string, regex or payload is not present in the response
- Case sensitive: only match if the case matches
- Not in cookie: if you want to check that a cookie attribute is not present
- Content type: you can specify one or multiple (separated by comma) content types in which to search for the string, regex or payload. For example: text/plain, text/html, ...
- Response Code: you can specify one or multiple (separated by comma) HTTP response codes in which to search for the string, regex or payload. For example: 300, 302, 400, ...

4. Write an Issue
In this section you can specify the issue that will be shown if the condition matches with the options specified:
- Issue Name
- Severity
- Confidence
- And other details like description, background, etc.

- Examples

So, the vulnerabilities identified so far, from which you can make personalized improvements, are:

1- Active Scan
- XSS reflected and stored
- SQL Injection error based
- XXE
- Command injection
- Open Redirect
- Local File Inclusion
- Remote File Inclusion
- Path Traversal
- LDAP Injection
- ORM Injection
- XML Injection
- SSI Injection
- XPath Injection
- etc.

2- Passive Scan
- Security Headers
- Cookies attributes
- Software versions
- Error strings
- In general any string or regular expression.

For example videos please visit our YouTube channel: YouTube

Download BurpBounty
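The encoder chain from the Payloads section and the Grep – Match options, as an added Python example (not BurpBounty's own code; the function names, the response dict layout and the option names are assumptions made for this illustration):

```python
import base64
import re

# Added example, not BurpBounty's own code: the README's encoder chain for
# alert(1) and a matcher for the Grep - Match options it lists. Function and
# option names here are assumptions, not the extension's API.


def html_encode_all(text):
    """HTML-encode all characters as hexadecimal entities, e.g. 'a' -> '&#x61;'."""
    return "".join("&#x%x;" % ord(c) for c in text)


def url_encode_all(text):
    """URL-encode all characters (every byte of the UTF-8 form, lowercase hex)."""
    return "".join("%%%02x" % b for b in text.encode("utf-8"))


def base64_encode(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


ENCODERS = {"html-all": html_encode_all, "url-all": url_encode_all, "base64": base64_encode}


def encode_chain(payload, chain):
    """Apply the encoders in order, returning every intermediate value
    (index 0 is the plain text, the last entry is what would be sent)."""
    steps = [payload]
    for name in chain:
        steps.append(ENCODERS[name](steps[-1]))
    return steps


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def grep_match(response, needle, grep_type="string", negative=False,
               case_sensitive=False, content_types=None, status_codes=None):
    """Evaluate one Grep - Match rule against a response.

    response     : {"status": int, "content_type": str, "body": str}
    grep_type    : "string" (literal), "regex", or "payload" (the sent payload,
                   searched literally; pass the unencoded form to get the
                   "payload without encode" behaviour)
    content_types/status_codes: comma-separated lists; when set, the rule only
                   applies to responses that match them
    negative     : report a match when the needle is absent
    """
    if status_codes and str(response["status"]) not in _csv(status_codes):
        return False
    if content_types and not any(ct in response["content_type"] for ct in _csv(content_types)):
        return False
    flags = 0 if case_sensitive else re.IGNORECASE
    pattern = needle if grep_type == "regex" else re.escape(needle)
    found = re.search(pattern, response["body"], flags) is not None
    return (not found) if negative else found


if __name__ == "__main__":
    for step in encode_chain("alert(1)", ["html-all", "url-all", "base64"]):
        print(step)
    # constructed response: the payload came back reflected unencoded
    reflected = {"status": 200, "content_type": "text/html; charset=utf-8",
                 "body": "<div>alert(1)</div>"}
    print(grep_match(reflected, "alert(1)", grep_type="payload", content_types="text/html"))
```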

Link: http://feedproxy.google.com/~r/PentestTools/~3/xh6yhoQKxTg/burpbounty-extension-of-burp-suite-that.html

LinkFinder – A Python Script That Finds Endpoints In JavaScript Files

LinkFinder is a Python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing, resulting in new testing ground, possibly containing new vulnerabilities. It does so by using jsbeautifier for Python in combination with a fairly large regular expression. The regular expression consists of four small regular expressions. These are responsible for finding:
- Full URLs (https://example.com/*)
- Absolute URLs or dotted URLs (/* or ../*)
- Relative URLs with at least one slash (text/test.php)
- Relative URLs without a slash (test.php)
The output is given in HTML. Karel_origin has written a Chrome extension for LinkFinder which can be found here.

Installation
LinkFinder supports Python 2 & 3.
$ git clone https://github.com/GerbenJavado/LinkFinder.git
$ cd LinkFinder
$ python setup.py install

Dependencies
LinkFinder depends on the requests, argparse, jsbeautifier and requests-file Python modules. These dependencies can all be installed using pip.

Usage
Short Form  Long Form  Description
-i          --input    Input a: URL, file or folder. For folders a wildcard can be used (e.g. '/*.js').
-o          --output   Where to save the file, including file name, or output to CLI. Default: output.html
-r          --regex    RegEx for filtering purposes against found endpoints (e.g. ^/api/)
-b          --burp     Toggle to use when inputting a Burp 'Save selected' file containing multiple JS files
-c          --cookies  Add cookies to the request
-h          --help     Show the help message and exit

Examples
Most basic usage to find endpoints in an online JavaScript file and output the results to results.html:
python linkfinder.py -i https://example.com/1.js -o results.html

CLI output (doesn't use jsbeautifier, which makes it very fast):
python linkfinder.py -i https://example.com/1.js -o cli

Burp input (select in Target the files you want to save, right click, Save selected items, feed that file as input):
python linkfinder.py -i burpfile -b

Enumerating an entire folder for JavaScript files, while looking for endpoints starting with /api/ and finally saving the results to results.html:
python linkfinder.py -i 'Desktop/*.js' -r ^/api/ -o results.html

Download LinkFinder
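The four URL classes above and the -r filter, as an added Python example (not LinkFinder's own regular expression; the patterns, the extension list for the no-slash class and the sample JavaScript are constructed for this illustration):

```python
import re

# Added example, not LinkFinder's own regular expression: one pattern per URL
# class the README lists, applied to every quoted string literal in a
# constructed JavaScript snippet. The extension list for the no-slash class is
# an assumption (LinkFinder's real pattern is larger).

SAMPLE_JS = """
var api = "https://example.com/api/v1/users";
fetch('/api/v1/login', {method: 'POST'});
$.get("../static/config.json");
img.src = "assets/logo.png";
include("text/test.php");
load("test.php");
"""

# Order matters: a literal is assigned to the first class it fully matches.
CLASSES = [
    ("full", r"https?://[^\s]+"),                                   # https://example.com/*
    ("absolute", r"(?:\.\./|/)[^\s]*"),                              # /* or ../*
    ("relative_slash", r"[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)+"),    # text/test.php
    ("relative_noslash", r"[A-Za-z0-9_-]+\.(?:php|asp|aspx|jsp|js|json|html|txt|xml)"),  # test.php
]

# String literals in single, double or back quotes (no whitespace inside).
_LITERAL = re.compile(r"""["'`]([^"'`\s]+)["'`]""")


def extract_endpoints(js, filter_regex=None):
    """Return {class_name: sorted endpoints} found in the JavaScript source.

    filter_regex plays the role of LinkFinder's -r option: only endpoints that
    match it (re.search) are kept.
    """
    found = {name: set() for name, _ in CLASSES}
    for literal in _LITERAL.findall(js):
        if filter_regex and not re.search(filter_regex, literal):
            continue
        for name, pattern in CLASSES:
            if re.fullmatch(pattern, literal):
                found[name].add(literal)
                break
    return {name: sorted(values) for name, values in found.items()}


if __name__ == "__main__":
    for name, endpoints in extract_endpoints(SAMPLE_JS).items():
        print(name, endpoints)
    print("api only:", extract_endpoints(SAMPLE_JS, r"^/api/"))
```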

Link: http://feedproxy.google.com/~r/PentestTools/~3/nJLysXS52nI/linkfinder-python-script-that-finds.html

Gobuster – Directory/File & DNS Busting Tool Written In Go

Gobuster is a tool used to brute-force:
- URIs (directories and files) in web sites.
- DNS subdomains (with wildcard support).

Oh dear God.. WHY!?
Because I wanted:
- ... something that didn't have a fat Java GUI (console FTW).
- ... to build something that just worked on the command line.
- ... something that did not do recursive brute force.
- ... something that allowed me to brute force folders and multiple extensions at once.
- ... something that compiled to native on multiple platforms.
- ... something that was faster than an interpreted script (such as Python).
- ... something that didn't require a runtime.
- ... to use something that was good with concurrency (hence Go).
- ... to build something in Go that wasn't totally useless.

Common command line options
-fw – Force processing of a domain with wildcard results.
-m – which mode to use, either dir or dns (default: dir).
-q – disables banner/underline output.
-t <threads> – number of threads to run (default: 10).
-u <url/domain> – full URL (including scheme), or base domain name.
-v – verbose output (show all results).
-w <wordlist> – path to the wordlist used for brute forcing.

Command line options for dns mode
-cn – show CNAME records (cannot be used with the '-i' option).
-i – show all IP addresses for the result.

Command line options for dir mode
-a <user agent string> – specify a user agent string to send in the request header.
-c <http cookies> – use this to specify any cookies that you might need (simulating auth).
-e – specify extended mode that renders the full URL.
-f – append / for directory brute forces.
-k – skip verification of SSL certificates.
-l – show the length of the response.
-n – "no status" mode, disables the output of the result's status code.
-o <file> – specify a file name to write the output to.
-p <proxy url> – specify a proxy to use for all requests (scheme must match the URL scheme).
-r – follow redirects.
-s <status codes> – comma-separated set of the list of status codes to be deemed a "positive" (default: 200,204,301,302,307).
-x <extensions> – list of extensions to check for, if any.
-P <password> – HTTP Authorization password (Basic Auth only, prompted if missing).
-U <username> – HTTP Authorization username (Basic Auth only).

Building
Since this tool is written in Go you need to install the Go language/compiler/etc. Full details of installation and set up can be found on the Go language website. Once installed you have two options.

Compiling
gobuster now has external dependencies, and so they need to be pulled in first:
gobuster $ go get && go build
This will create a gobuster binary for you. If you want to install it in the $GOPATH/bin folder you can run:
gobuster $ go install

Running as a script
gobuster $ go run main.go <parameters>

Wordlists via STDIN
Wordlists can be piped into gobuster via stdin:
hashcat -a 3 --stdout ?l | gobuster -u https://mysite.com
Note: If the -w option is specified at the same time as piping from STDIN, an error will be shown and the program will terminate.

Examples

dir mode
Command line might look like this:
$ gobuster -u https://mysite.com/path/to/folder -c 'session=123456' -t 50 -w common-files.txt -x .php,.html

Default options look like this:
$ gobuster -u http://buffered.io/ -w words.txt

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://buffered.io/
[+] Threads      : 10
[+] Wordlist     : words.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/index (Status: 200)
/posts (Status: 301)
/contact (Status: 301)
=====================================================

Default options with status codes disabled look like this:
$ gobuster -u http://buffered.io/ -w words.txt -n

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://buffered.io/
[+] Threads      : 10
[+] Wordlist     : words.txt
[+] Status codes : 200,204,301,302,307
[+] No status    : true
=====================================================
/index
/posts
/contact
=====================================================

Verbose output looks like this:
$ gobuster -u http://buffered.io/ -w words.txt -v

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://buffered.io/
[+] Threads      : 10
[+] Wordlist     : words.txt
[+] Status codes : 200,204,301,302,307
[+] Verbose      : true
=====================================================
Found : /index (Status: 200)
Missed: /derp (Status: 404)
Found : /posts (Status: 301)
Found : /contact (Status: 301)
=====================================================

Example showing content length:
$ gobuster -u http://buffered.io/ -w words.txt -l

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://buffered.io/
[+] Threads      : 10
[+] Wordlist     : /tmp/words
[+] Status codes : 301,302,307,200,204
[+] Show length  : true
=====================================================
/contact (Status: 301)
/posts (Status: 301)
/index (Status: 200) [Size: 61481]
=====================================================

Quiet output, with status disabled and expanded mode, looks like this ("grep mode"):
$ gobuster -u http://buffered.io/ -w words.txt -q -n -e
http://buffered.io/posts
http://buffered.io/contact
http://buffered.io/index

dns mode
Command line might look like this:
$ gobuster -m dns -u mysite.com -t 50 -w common-names.txt

Normal sample run goes like this:
$ gobuster -m dns -w subdomains.txt -u google.com

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : google.com
[+] Threads      : 10
[+] Wordlist     : subdomains.txt
=====================================================
Found: m.google.com
Found: admin.google.com
Found: mobile.google.com
Found: www.google.com
Found: search.google.com
Found: chrome.google.com
Found: ns1.google.com
Found: store.google.com
Found: wap.google.com
Found: support.google.com
Found: directory.google.com
Found: translate.google.com
Found: news.google.com
Found: music.google.com
Found: mail.google.com
Found: blog.google.com
Found: cse.google.com
Found: local.google.com
=====================================================

Show IP sample run goes like this:
$ gobuster -m dns -w subdomains.txt -u google.com -i

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : google.com
[+] Threads      : 10
[+] Wordlist     : subdomains.txt
[+] Verbose      : true
=====================================================
Found: chrome.google.com [2404:6800:4006:801::200e, 216.58.220.110]
Found: m.google.com [216.58.220.107, 2404:6800:4006:801::200b]
Found: www.google.com [74.125.237.179, 74.125.237.177, 74.125.237.178, 74.125.237.180, 74.125.237.176, 2404:6800:4006:801::2004]
Found: search.google.com [2404:6800:4006:801::200e, 216.58.220.110]
Found: admin.google.com [216.58.220.110, 2404:6800:4006:801::200e]
Found: store.google.com [216.58.220.110, 2404:6800:4006:801::200e]
Found: mobile.google.com [216.58.220.107, 2404:6800:4006:801::200b]
Found: ns1.google.com [216.239.32.10]
Found: directory.google.com [216.58.220.110, 2404:6800:4006:801::200e]
Found: translate.google.com [216.58.220.110, 2404:6800:4006:801::200e]
Found: cse.google.com [216.58.220.110, 2404:6800:4006:801::200e]
Found: local.google.com [2404:6800:4006:801::200e, 216.58.220.110]
Found: music.google.com [2404:6800:4006:801::200e, 216.58.220.110]
Found: wap.google.com [216.58.220.110, 2404:6800:4006:801::200e]
Found: blog.google.com [216.58.220.105, 2404:6800:4006:801::2009]
Found: support.google.com [216.58.220.110, 2404:6800:4006:801::200e]
Found: news.google.com [216.58.220.110, 2404:6800:4006:801::200e]
Found: mail.google.com [216.58.220.101, 2404:6800:4006:801::2005]
=====================================================

Base domain validation warning when the base domain fails to resolve. This is a warning rather than a failure in case the user fat-fingers while typing the domain.
$ gobuster -m dns -w subdomains.txt -u yp.to -i

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : yp.to
[+] Threads      : 10
[+] Wordlist     : /tmp/test.txt
=====================================================
[-] Unable to validate base domain: yp.to
Found: cr.yp.to [131.155.70.11, 131.155.70.13]
=====================================================

Wildcard DNS is also detected properly:
$ gobuster -w subdomainsbig.txt -u doesntexist.com -m dns

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : doesntexist.com
[+] Threads      : 10
[+] Wordlist     : subdomainsbig.txt
=====================================================
[-] Wildcard DNS found. IP address(es): 123.123.123.123
[-] To force processing of Wildcard DNS, specify the '-fw' switch.
=====================================================

If the user wants to force processing of a domain that has wildcard entries, use -fw:
$ gobuster -w subdomainsbig.txt -u doesntexist.com -m dns -fw

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : doesntexist.com
[+] Threads      : 10
[+] Wordlist     : subdomainsbig.txt
=====================================================
[-] Wildcard DNS found. IP address(es): 123.123.123.123
Found: email.doesntexist.com
^C
[!] Keyboard interrupt detected, terminating.
=====================================================

Download Gobuster
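The dns-mode checks shown in the runs above (base domain validation, wildcard detection and the -fw override), as an added Python example that is not gobuster's code. It uses a pluggable resolver over constructed records so it runs offline; flagging hits whose answer equals the wildcard answer is a step beyond gobuster, which only warns.

```python
import random
import string

# Added example, not gobuster's code: the dns-mode checks the README shows
# (base domain validation, wildcard detection, the -fw override), with a
# pluggable resolver so it runs offline on constructed records. Flagging
# results whose IPs equal the wildcard answer goes a step beyond gobuster,
# which only warns.


def make_resolver(records, wildcard_domain=None, wildcard_ips=()):
    """Constructed stand-in for DNS: explicit records first, then an optional
    wildcard answer for any other name under wildcard_domain, else NXDOMAIN."""
    def resolve(name):
        if name in records:
            return list(records[name])
        if wildcard_domain and name.endswith("." + wildcard_domain):
            return list(wildcard_ips)
        return []
    return resolve


def detect_wildcard(domain, resolve, label_len=12):
    """Resolve a random label that should not exist; any answer means the
    zone has a wildcard record. Returns the IPs it resolved to."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(label_len))
    return resolve("%s.%s" % (label, domain))


def dns_mode(domain, words, resolve, force_wildcard=False):
    """Mirror gobuster's dns-mode flow. Returns (warnings, found), where each
    found entry is (host, ips, looks_like_wildcard_answer)."""
    warnings = []
    if not resolve(domain):
        # gobuster treats this as a warning, not a failure
        warnings.append("Unable to validate base domain: %s" % domain)
    wildcard_ips = detect_wildcard(domain, resolve)
    if wildcard_ips:
        warnings.append("Wildcard DNS found. IP address(es): %s" % ", ".join(wildcard_ips))
        if not force_wildcard:
            warnings.append("To force processing of Wildcard DNS, specify the '-fw' switch.")
            return warnings, []
    found = []
    for word in words:
        host = "%s.%s" % (word, domain)
        ips = resolve(host)
        if ips:
            found.append((host, ips, bool(wildcard_ips) and set(ips) == set(wildcard_ips)))
    return warnings, found


if __name__ == "__main__":
    # constructed zone: doesntexist.com answers every name with 123.123.123.123,
    # except email.doesntexist.com, which has a real record
    resolve = make_resolver(
        {"doesntexist.com": ["203.0.113.1"], "email.doesntexist.com": ["203.0.113.25"]},
        wildcard_domain="doesntexist.com", wildcard_ips=["123.123.123.123"])
    for force in (False, True):
        warnings, found = dns_mode("doesntexist.com", ["email", "www"], resolve, force)
        print("-fw" if force else "default", warnings, found)
```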

Link: http://feedproxy.google.com/~r/PentestTools/~3/buQ2qHF-Row/gobuster-directoryfile-dns-busting-tool.html

Autorize – Automatic Authorization Enforcement Detection Extension For Burp Suite

Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert, and Federico Dotta, a security expert at Mediaservice.net. Autorize was designed to help security testers by performing automatic authorization tests. With the last release, Autorize now also performs automatic authentication tests.

Installation
1. Download Burp Suite (obviously): http://portswigger.net/burp/download.html
2. Download the Jython standalone JAR: http://www.jython.org/downloads.html
3. Open Burp -> Extender -> Options -> Python Environment -> Select File -> Choose the Jython standalone JAR
4. Install Autorize from the BApp Store or follow these steps:
   - Download the Autorize.py file.
   - Open Burp -> Extender -> Extensions -> Add -> Choose the Autorize.py file.
5. See the Autorize tab and enjoy automatic authorization detection :)

User Guide – How to use?
1. After installation, the Autorize tab will be added to Burp.
2. Open the configuration tab (Autorize -> Configuration).
3. Get your low-privileged user's authorization token header (Cookie / Authorization) and copy it into the textbox containing the text "Insert injected header here". Note: Headers inserted here will be replaced if present or added if not.
4. Uncheck "Check unauthenticated" if the authentication test is not required (a request without any cookies, to check for authentication enforcement in addition to authorization enforcement with the cookies of the low-privileged user).
5. Click on "Intercept is off" to start intercepting the traffic in order to allow Autorize to check for authorization enforcement.
6. Open a browser and configure the proxy settings so the traffic will be passed to Burp.
7. Browse to the application you want to test with a high-privileged user.
8. The Autorize table will show you the request's URL and enforcement status.
9. It is possible to click on a specific URL and see the original/modified/unauthenticated request/response in order to investigate the differences.

Authorization Enforcement Status
There are 3 enforcement statuses:
- Bypassed! – Red color
- Enforced! – Green color
- Is enforced??? (please configure enforcement detector) – Yellow color

The first 2 statuses are clear, so I won't elaborate on them.

The 3rd status means that Autorize cannot determine if authorization is enforced or not, and so Autorize will ask you to configure a filter in the enforcement detector tabs. There are two different enforcement detector tabs, one for the detection of the enforcement of low-privileged requests and one for the detection of the enforcement of unauthenticated requests.

The enforcement detector filters will allow Autorize to detect authentication and authorization enforcement in the response of the server by content length or by string (literal string or regex) in the message body, the headers or the full request.

For example, if a request's enforcement status is detected as "Authorization enforced??? (please configure enforcement detector)", it is possible to investigate the modified/original/unauthenticated response and see that the modified response body includes the string "You are not authorized to perform action". You can then add a filter with the fingerprint value "You are not authorized to perform action", so Autorize will look for this fingerprint and will automatically detect that authorization is enforced. It is possible to do the same by defining a content-length filter or a fingerprint in the headers.

Interception Filters
The interception filter allows you to configure which domains you want to be intercepted by the Autorize plugin. You can determine them by blacklist/whitelist/regex or by the items in Burp's scope, in order to avoid unnecessary domains being intercepted by Autorize and to work in a more organized way.

Example of interception filters (note that there is a default filter to avoid scripts and images):

Authors
Barak Tawily, Application Security Expert
Federico Dotta, Security Expert at Mediaservice.net

Download Autorize
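The replay-and-compare flow and the three statuses described above, as an added Python example that is not Autorize's own code. The decision rule (same status and body length as the original means Bypassed; otherwise a matching enforcement detector filter means Enforced; otherwise undetermined) and the fake target application are assumptions made for this illustration.

```python
import re

# Added example, not Autorize's own code: a reconstruction of the replay-and-
# compare flow the user guide describes. The decision rule and the fake target
# application (fake_app) are assumptions made for this illustration.

BYPASSED = "Bypassed!"
ENFORCED = "Enforced!"
UNKNOWN = "Is enforced??? (please configure enforcement detector)"


def _header_name(header):
    return header.split(":", 1)[0].strip().lower()


def inject_header(headers, injected):
    """Replace the injected header if present, add it if not (as the guide notes)."""
    kept = [h for h in headers if _header_name(h) != _header_name(injected)]
    return kept + [injected]


def strip_auth(headers):
    """Unauthenticated variant: the request without Cookie/Authorization."""
    return [h for h in headers if _header_name(h) not in ("cookie", "authorization")]


def detector_matches(response, filters):
    """filters: (where, value) pairs; where is "body", "headers", "full"
    (regex value) or "length" (value is the expected body length as a string)."""
    headers = "\n".join(response["headers"])
    haystacks = {"body": response["body"], "headers": headers,
                 "full": headers + "\n\n" + response["body"]}
    for where, value in filters:
        if where == "length":
            if len(response["body"]) == int(value):
                return True
        elif re.search(value, haystacks[where]):
            return True
    return False


def classify(original, modified, filters):
    if (original["status"] == modified["status"]
            and len(original["body"]) == len(modified["body"])):
        return BYPASSED
    return ENFORCED if detector_matches(modified, filters) else UNKNOWN


def check_request(headers, send, injected_header, filters, check_unauthenticated=True):
    """Replay the high-privileged request as the low-privileged user and,
    optionally, with no credentials; send(headers) returns a response dict."""
    original = send(headers)
    result = {"authorization": classify(original, send(inject_header(headers, injected_header)), filters)}
    if check_unauthenticated:
        result["authentication"] = classify(original, send(strip_auth(headers)), filters)
    return result


def fake_app(path):
    """Constructed target: /admin/users checks the role, /profile does not."""
    def send(headers):
        cookie = next((h.split(":", 1)[1].strip() for h in headers if _header_name(h) == "cookie"), "")
        if not cookie:
            return {"status": 302, "headers": ["Location: /login"], "body": "Redirecting to /login"}
        if path == "/admin/users" and cookie != "session=admin-token-constructed":
            return {"status": 403, "headers": ["Content-Type: text/html"],
                    "body": "You are not authorized to perform action"}
        return {"status": 200, "headers": ["Content-Type: text/html"], "body": "contents of " + path}
    return send


if __name__ == "__main__":
    admin = ["Cookie: session=admin-token-constructed", "Accept: */*"]
    low = "Cookie: session=user-token-constructed"
    filters = [("body", "You are not authorized to perform action")]
    print(check_request(admin, fake_app("/admin/users"), low, filters))
    # the 302 to /login matches no filter yet, so the authentication test stays
    # undetermined until a second filter is configured for it
    filters.append(("headers", "Location: /login"))
    print(check_request(admin, fake_app("/admin/users"), low, filters))
    print(check_request(admin, fake_app("/profile"), low, filters))
```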

Link: http://feedproxy.google.com/~r/PentestTools/~3/MnFG2_D8vOM/autorize-automatic-authorization.html

uncaptcha – Defeating Google’s audio reCaptcha with 85% accuracy

Defeating Google’s audio reCaptcha system with 85% accuracy.

Inspiration
Across the Internet, hundreds of thousands of sites rely on Google’s reCaptcha system for defense against bots (in fact, Devpost uses reCaptcha when creating a new account). After a Google research team demonstrated a near complete defeat of the text reCaptcha in 2012, the reCaptcha system evolved to rely on audio and image challenges, historically more difficult challenges for automated systems to solve. Google has continually iterated on its design, releasing a newer and more powerful version as recently as just this year. Successfully demonstrating a defeat of this captcha system spells significant vulnerability for hundreds of thousands of popular sites.

What it does
Our unCaptcha system has attack capabilities written for the audio captcha. Using browser automation software, we can interact with the target website and engage with the captcha, parsing out the necessary elements to begin the attack. We rely primarily on the audio captcha attack – by properly identifying spoken numbers, we can pass the reCaptcha programmatically and fool the site into thinking our bot is a human. Specifically, unCaptcha targets the popular site Reddit by going through the motions of creating a new user, although unCaptcha stops before creating the user to mitigate the impact on Reddit.

Background
Google’s reCaptcha system uses an advanced risk analysis system to determine programmatically how likely a given user is to be a human or a bot. It takes into account your cookies (and by extension, your interaction with other Google services), the speed at which challenges are solved, mouse movements, and (obviously) how successfully you solve the given task. As the system gets increasingly suspicious, it delivers increasingly difficult challenges, and requires the user to solve more of them. Researchers have already identified minor weaknesses with the reCaptcha system – 9 days of legitimate(ish) interaction with Google’s services is usually enough to lower the system’s suspicion level significantly.

How it works
The format of the audio captcha is a varied-length series of spaced-out numbers read aloud at varied speeds, pitches, and accents over background noise. To attack this captcha, the audio payload is identified on the page, downloaded, and automatically split by locations of speech. From there, each number audio bit is uploaded to 6 different free, online audio transcription services (IBM, Google Cloud, Google Speech Recognition, Sphinx, Wit-AI, Bing Speech Recognition), and the results are collected. We ensemble the results from each of these to probabilistically enumerate the most likely string of numbers with a predetermined heuristic. These numbers are then organically typed into the captcha, and the captcha is completed. From testing, we have seen 92%+ accuracy in individual number identification, and 85%+ accuracy in defeating the audio captcha in its entirety.

Installation
First, install the Python dependencies:
$ pip install -r requirements.txt
Make sure you also have sox, ffmpeg, and selenium installed!
$ apt-get install sox ffmpeg selenium
Then, to kick off the PoC:
$ python main.py --audio --reddit
This opens reddit.com, interacts with the page to go to account signup, generates a fake username, email and password, and then attacks the audio captcha. Once the captcha is completed (whether it passed or not), the browser exits.

To learn more
Please read our paper, located here, for more information. Additionally, you can visit our website here, or check out the original slides for USENIX WOOT ’17.

Disclaimer
unCaptcha is intended to be a proof of concept. As of the time of our paper, we found it to successfully solve reCaptcha’s audio challenges with 85% success. Since that time, reCaptcha appears to include some additional protections that limit unCaptcha’s success. For instance, Google has also improved their browser automation detection. This means that Selenium cannot be used in its current state to get captchas from Google. This may lead to Google sending odd audio segments back to the end user. Additionally, we have observed that some audio challenges include not only digits, but small snippets of spoken text.

We encourage you to be careful when doing research in this field, to be mindful of local, state, and federal law, and to responsibly disclose any potential vulnerabilities to Google immediately.

Additionally, we have removed our API keys from all the necessary queries. If you are looking to recreate some of the work or are doing your own research in this area, you will need to acquire API keys from each of the six services used. These keys are delineated in our files by a long string of the character ‘X’.

Example

Download uncaptcha

Link: http://feedproxy.google.com/~r/PentestTools/~3/QbPwj8cqZeI/uncaptcha-defeating-googles-audio.html