ROPgadget – This Tool Lets You Search Your Gadgets On Your Binaries To Facilitate Your ROP Exploitation

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports the ELF/PE/Mach-O formats on the x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. Since version 5, ROPgadget has a new core written in Python that uses the Capstone disassembly framework for its gadget search engine. The older version can be found in the Archives directory, but it is no longer maintained.

Install

If you want to use ROPgadget, you have to install Capstone first. To install Capstone on a *nix machine:

    $ sudo pip install capstone

Capstone supports multiple platforms (Windows, iOS, Android, Cygwin, ...). For cross-compilation, please refer to https://github.com/aquynh/capstone/blob/master/COMPILE.TXT.

After Capstone is installed, ROPgadget can be used as a standalone tool:

    $ ROPgadget.py

or installed into the Python site-packages library and executed from $PATH:

    $ python setup.py install
    $ ROPgadget

or installed from PyPI:

    $ pip install ropgadget
    $ ROPgadget

Usage

    usage: ROPgadget.py [-h] [-v] [-c] [--binary <binary>] [--opcode <opcodes>]
                        [--string <string>] [--memstr <string>] [--depth <nbyte>]
                        [--only <key>] [--filter <key>] [--range <start-end>]
                        [--badbytes <byte>] [--rawArch <arch>] [--rawMode <mode>]
                        [--re <re>] [--offset <hexaddr>] [--ropchain] [--thumb]
                        [--console] [--norop] [--nojop] [--nosys] [--multibr]
                        [--all] [--dump]

    optional arguments:
      -h, --help            show this help message and exit
      -v, --version         Display the ROPgadget's version
      -c, --checkUpdate     Checks if a new version is available
      --binary <binary>     Specify a binary filename to analyze
      --opcode <opcodes>    Search opcode in executable segment
      --string <string>     Search string in readable segment
      --memstr <string>     Search each byte in all readable segment
      --depth <nbyte>       Depth for search engine (default 10)
      --only <key>          Only show specific instructions
      --filter <key>        Suppress specific instructions
      --range <start-end>   Search between two addresses (0x...-0x...)
      --badbytes <byte>     Rejects specific bytes in the gadget's address
      --rawArch <arch>      Specify an arch for a raw file
      --rawMode <mode>      Specify a mode for a raw file
      --re <re>             Regular expression
      --offset <hexaddr>    Specify an offset for gadget addresses
      --ropchain            Enable the ROP chain generation
      --thumb               Use the thumb mode for the search engine (ARM only)
      --console             Use an interactive console for search engine
      --norop               Disable ROP search engine
      --nojop               Disable JOP search engine
      --callPreceded        Only show gadgets which are call-preceded (x86 only)
      --nosys               Disable SYS search engine
      --multibr             Enable multiple branch gadgets
      --all                 Disables the removal of duplicate gadgets
      --dump                Outputs the gadget bytes

Download ROPgadget

Link: http://feedproxy.google.com/~r/PentestTools/~3/GLrMnvW88oo/ropgadget-this-tool-lets-you-search.html

GRR Rapid Response – Remote Live Forensics For Incident Response

GRR Rapid Response is an incident response framework focused on remote live forensics.

The goal of GRR is to support forensics and investigations in a fast, scalable manner, allowing analysts to quickly triage attacks and perform analysis remotely.

GRR consists of two parts: a client and a server.

The GRR client is deployed on systems that one might want to investigate. On every such system, once deployed, the GRR client periodically polls the GRR frontend servers for work. "Work" means running a specific action: downloading a file, listing a directory, etc.

The GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides a web-based graphical user interface and an API endpoint that allow analysts to schedule actions on clients and to view and process collected data.

Remote forensics at scale

GRR was built to run at scale so that analysts can effectively collect and process data from large numbers of machines. GRR was built with the following scenarios in mind:

- Joe saw something weird, check his machine (p.s. Joe is on holiday in Cambodia and on 3G)
- Forensically acquire 25 machines for analysis (p.s. they're in 5 continents and none are Windows)
- Tell me if this machine is compromised (while you're at it, check 100,000 of them – i.e. "hunt" across the fleet)

GRR client features

- Cross-platform support for Linux, OS X and Windows clients.
- Live remote memory analysis using the YARA library.
- Powerful search and download capabilities for files and the Windows registry.
- OS-level and raw file system access, using the SleuthKit (TSK).
- Secure communication infrastructure designed for Internet deployment.
- Detailed monitoring of client CPU, memory and IO usage, with self-imposed limits.

GRR server features

- Fully fledged response capabilities handling most incident response and forensics tasks.
- Enterprise hunting (searching across a fleet of machines) support.
- Fast and simple collection of hundreds of digital forensic artifacts.
- AngularJS Web UI and RESTful JSON API with client libraries in Python, PowerShell and Go.
- Powerful data export features supporting a variety of formats and output plugins.
- Fully scalable back-end capable of handling large deployments.
- Automated scheduling for recurring tasks.
- Asynchronous design allowing future task scheduling for clients, designed to work with a large fleet of laptops.

Documentation

Please visit our documentation website if you want to know more about GRR.

Download GRR Rapid Response

Link: http://feedproxy.google.com/~r/PentestTools/~3/veLRI3wsHIs/grr-rapid-response-remote-live.html

CHAOS Framework v2.0 – Generate Payloads And Control Remote Windows Systems

CHAOS allows you to generate payloads and control remote Windows systems.

Disclaimer

This project was created only for learning purposes. THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS THE COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM.

Features

- Reverse Shell
- Download File
- Upload File
- Screenshot
- Keylogger
- Persistence
- Open URL Remotely
- Get Operating System Name
- Run Fork Bomb

Tested On

Kali Linux – ROLLING EDITION

How To Use

    # Install dependencies (you need the Golang and UPX packages installed)
    $ apt install golang xterm git upx-ucl -y

    # Clone this repository
    $ git clone https://github.com/tiagorlampert/CHAOS.git

    # Get and install external imports (required for the screenshot feature)
    $ go get github.com/kbinani/screenshot && go get github.com/lxn/win
    $ go install github.com/kbinani/screenshot && go install github.com/lxn/win
    # You may see the message "package github.com/lxn/win: build constraints exclude all Go files".
    # This occurs because these libraries target Windows systems, but they are necessary to build the payload.

    # Go into the repository
    $ cd CHAOS

    # Run
    $ go run CHAOS.go

Download CHAOS

Link: http://feedproxy.google.com/~r/PentestTools/~3/4yPrMOaG3KY/chaos-framework-v20-generate-payloads.html

LeakVM – Research & Pentesting Framework For Android, Run Security Tests Instantly

LeakVM: Run security tests instantly.

Why LeakVM:

LeakVM runs fast security tests on Android. By skipping the time-consuming build of pen-testing laboratories, you can test on real devices or virtual devices. LeakVM makes researchers and pen-testers more productive, since they can run tests in real time and with zero knowledge of malware development or attacks. Our technology uses the same techniques used in criminal software, but in a controlled environment; you always have control over the SDK. Our product gives you a real approach against real malware and real attacks.

Why Pentesting:

With 2000 million active devices, 90% of mobile users are vulnerable to exploit kits (software vulnerabilities). Cyber crime damage costs will hit $6 trillion annually by 2021. Mobile malware shows rapid growth in volume and sophistication; mobile security is a big data problem. Unsecured devices and apps are the norm: in 2017 a new malware specimen emerged every 4.2 seconds. You need to reduce the threat surface.

Rewards:

Our platform is designed so that anyone can make money with us, without any type of investment, by sharing your reseller link; each customer obtained that way brings you rewards. We now have 3 methods of payment: Western Union, wire transfer and PayPal. These rewards are received for life; you just share a link.

- For the first 100 customers: new client 20%, renewal 10%.
- For the next 900 clients: new client 15%, renewal 10%.
- After reaching 1000 clients: new client 10%, renewal 5%.

Questions:

- Can I inject ELF/APK code inside the sandbox of any package? Yes, you can.
- Can I load external libraries? Yes, from Git, Mediafire and other sources.
- Can I start an HTTP service? Yes, in both synchronous and asynchronous modes.
- Can I start an HTTP client? Yes, we have one, very configurable.
- Can I analyze security on ELF as V.A.S? Yes, you can.
- Can I bypass OOP protections? Yes, there are no 'package', 'private', 'protected' or 'final' restrictions.
- Can I extract private files from external packages? Yes, you can see and get any file.
- Can I hack the Keystore? Yes, you can.
- Can I trick the Context? Yes, you can.
- Can I hack the SmartLock? Yes, you can.
- Can I use reflection in a simple way? Yes, you can.
- Can I see the Linux system in a simple way? Yes, you can.
- Can I install it in a simple way? Yes, with just 2 lines in the gradle file.
- Can I develop plugins with it? Yes, in the same way as an AAR library.
- Can anyone use it in a simple way? Yes, we developed it for dummies.

Features:

- Ptrace/ASLR/Yama Bypass
- API for 3rd party projects
- Linux common features
- Dynamic library loading
- SmartLock extraction
- Private file extractor
- KeyStore extraction
- Advanced reflection
- WebServices Engine
- Privilege escalation
- Context Spoofers
- Core Observers
- Library injection
- OOP Bypass
- Extensible

Support:

- Android 4.4 to 6.0
- Architectures: Arm (32/64 bits), x86 (32/64 bits), MIPS (32/64 bits)

Samples:

- Where is the JavaDoc
- How to configure a Virtual Device
- How to install the LeakVM SDK
- How to connect to the API
- How to test exploits
- How to use common IO methods
- How to load libraries
- How to Sudo & Runas
- How to compile a native binary (ELF)
- How to run loaded code
- How to hack OOP
- How to inject code (Native/VM)
- How to build VM code to inject

Downloads:

- LeakVM APP
- LeakVM SDK 1.0.0

Web Interface: LeakVM Console

Social Media: Twitter, LinkedIn, Facebook, Instagram, LeakVM Developers Group

Download LeakVM

Link: http://feedproxy.google.com/~r/PentestTools/~3/c6RDVe3FcAU/leakvm-research-pentesting-framework.html

StaCoAn – Crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications*.

This tool will look for interesting lines in the code which can contain:

- Hardcoded credentials
- API keys
- URLs of APIs
- Decryption keys
- Major coding mistakes

This tool was created with a big focus on usability and graphical guidance in the user interface. For the impatient ones, grab the download on the releases page.

*: note that currently only apk files are supported, but ipa files will follow very shortly.

An example report can be found here: example report

Features

The concept is that you drag and drop your mobile application file (an .apk or .ipa file) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience. The reports contain a handy tree viewer so you can easily browse through your decompiled application.

Looting concept

The Loot function lets you 'loot' (~bookmark) the findings which are of value to you, and on the loot page you get an overview of your 'loot' raid. The final report can be exported to a zip file and shared with other people.

Wordlists

The application uses wordlists for finding interesting lines in the code. Wordlists are in the following format:

    API_KEY|||80||| This contains an API key reference
    (https|http):\/\/.*api.*|||60||| This regex matches any URL containing 'api'

Note that these wordlists also support regex entries.

Filetypes

Any source file will be processed. This includes '.java', '.js', '.html', '.xml', ... files. Database files are also searched for keywords. The database also has a table viewer.

Responsive Design

The reports are made to fit on all screens.

Limitations

This tool will have trouble with obfuscated code. If you are a developer, try to compile without obfuscation turned on before running this tool. If you are on the offensive side, good luck bro.

Getting Started

If you want to get started as soon as possible, head over to the releases page and download the executable or archive which corresponds to your operating system. If you have downloaded the release zip file, extract it. Copy the .apk or .ipa file to the extracted folder. Drag and drop this file onto the executable. The report will now be generated in the report folder.

From source

    git clone https://github.com/vincentcox/StaCoAn/
    cd StaCoAn/src

Make sure that you have pip3 installed:

    sudo apt-get install python3-pip

Install the required python packages:

    pip3 install -r requirements.txt

Run StaCoAn:

    python3 stacoan.py yourApp.apk

Building the executable

    pip3 install pyinstaller

Windows:

    pyinstaller main.py --onefile --icon icon.ico --name stacoan --clean

mac:

    pyinstaller main.py --onefile --icon icon.ico --name stacoan --clean

Linux:

    python3 -m PyInstaller main.py --onefile --icon icon.ico --name stacoan --clean

Running the Docker container

    cd docker
    docker build . -t stacoan
    docker run -e JAVA_OPTS="-Xms2048m -Xmx2048m" -p 8000:8000 -v /yourappsfolder:/tmp -i -t stacoan /tmp/com.myapk.apk

Wait for the app to be analysed, then open your browser at http://localhost:8000

Download StaCoAn
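As an added illustration of the wordlist format described above (this is not StaCoAn's own code), the following parser reads "pattern|||score|||description" entries, applies each one as a case-insensitive regex to a constructed decompiled-source snippet, and ranks the hits by score. The third wordlist entry and the sample Java class are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed wordlist in StaCoAn's "pattern|||score|||description" format.
# The first two entries are the ones shown on the page; the third is assumed.
WORDLIST = r"""
API_KEY|||80||| This contains an API key reference
(https|http):\/\/.*api.*|||60||| This regex matches any URL containing 'api'
password|||70||| Possible hardcoded credential
"""

@dataclass
class Rule:
    pattern: re.Pattern
    score: int
    description: str

def parse_wordlist(text: str) -> list[Rule]:
    """Parse wordlist lines; a plain word such as API_KEY is itself a valid regex."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|||")
        if len(parts) != 3:
            raise ValueError(f"wordlist line {lineno}: expected 3 '|||'-separated fields")
        pattern, score, desc = parts
        try:
            compiled = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            raise ValueError(f"wordlist line {lineno}: bad regex {pattern!r}: {exc}") from exc
        rules.append(Rule(compiled, int(score), desc.strip()))
    return rules

def scan_source(source: str, rules: list[Rule], filename: str = "<input>") -> list[dict]:
    """Return every (line, rule) hit, highest score first, so the riskiest lines lead."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule in rules:
            if rule.pattern.search(line):
                findings.append({"file": filename, "line": lineno, "score": rule.score,
                                 "description": rule.description, "text": line.strip()})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings

# Constructed decompiled-Java snippet (assumed sample input, not from the page).
SAMPLE_JAVA = """\
public class Config {
    static final String API_KEY = "PLACEHOLDER_KEY";
    static final String ENDPOINT = "https://api.example.com/v1/";
    static final int RETRIES = 3;
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA, parse_wordlist(WORDLIST), "Config.java"):
        print(f"[{f['score']}] {f['file']}:{f['line']} {f['description']}: {f['text']}")
```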

Link: http://feedproxy.google.com/~r/PentestTools/~3/oK-u7OHfu70/stacoan-crossplatform-tool-which-aids.html

AutoSploit v2.0 – Automated Mass Exploiter

As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye, but options to add your custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF-facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started.

Operational Security Consideration

Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead, consider running this tool from a VPS that has all the required dependencies available. The new version of AutoSploit has a feature that allows you to set a proxy before you connect, and a custom user-agent.

Usage

Clone the repo, or deploy via Docker (details for which can be found here):

    git clone https://github.com/NullArray/AutoSploit.git

Starting the program with python autosploit.py will open an AutoSploit terminal session. The options for which are as follows.

    1. Usage And Legal
    2. Gather Hosts
    3. Custom Hosts
    4. Add Single Host
    5. View Gathered Hosts
    6. Exploit Gathered Hosts
    99. Quit

Choosing option 2 will prompt you for a platform-specific search query. Enter IIS or Apache, for example, and choose a search engine. After doing so the collected hosts will be saved to be used in the Exploit component.

As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you. I've posted the options below as well for reference.

    usage: python autosploit.py -[c|z|s|a] -[q] QUERY
                                [-C] WORKSPACE LHOST LPORT [-e]
                                [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
                                [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

    optional arguments:
      -h, --help            show this help message and exit

    search engines:
      possible search engines to use

      -c, --censys          use censys.io as the search engine to gather hosts
      -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
      -s, --shodan          use shodan.io as the search engine to gather hosts
      -a, --all             search all available search engines to gather hosts

    requests:
      arguments to edit your requests

      --proxy PROTO://IP:PORT
                            run behind a proxy while performing the searches
      --random-agent        use a random HTTP User-Agent header
      -P USER-AGENT, --personal-agent USER-AGENT
                            pass a personal User-Agent to use for HTTP requests
      -q QUERY, --query QUERY
                            pass your search query

    exploits:
      arguments to edit your exploits

      -E PATH, --exploit-file PATH
                            provide a text file to convert into JSON and save for later use
      -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
                            set the configuration for MSF (IE -C default 127.0.0.1 8080)
      -e, --exploit         start exploiting the already gathered hosts

    misc arguments:
      arguments that don't fit anywhere else

      --ruby-exec           if you need to run the Ruby executable with MSF use this
      --msf-path MSF-PATH   pass the path to your framework if it is not in your ENV PATH

Dependencies

AutoSploit depends on the following Python 2.7 modules:

- requests
- psutil

Should you find you do not have these installed, get them with pip like so:

    pip install requests psutil

or

    pip install -r requirements.txt

Since the program invokes functionality from the Metasploit Framework, you need to have this installed also. Get it from Rapid7 by clicking here.

Download AutoSploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/m7gHz-7epUc/autosploit-v20-automated-mass-exploiter.html