PE Linux – Linux Privilege Escalation Tool

New Linux privilege escalation tool.

Getting Started

Checks performed by the script:
- System information gatherer
- Kernel information gatherer
- Checking development environments on the system (escaping restricted shells)
- Extract PATH and environment information
- Check whether the kernel is vulnerable to the Dirty COW exploit
- Password collector
- Log analyzer for interesting information
- Check password policy
- Database password collector
- Check if SSH login as root is allowed
- Checking for interesting files in the root, home and var directories
- RSA key collector
- Command history analyzer
- Users enumeration (root, sudo, UID list, GID list)
- Cron jobs enumeration (permissions, own cron, cron content, writable cron)
- Network information lookup (TCP connections, ARP, services)

The list is open for updates :)

Download PE-Linux
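
Two of the checks listed above, writable cron jobs and root SSH login, as an added example in plain Python. This is not PE-Linux's own code; it runs against a constructed sample tree (a fake cron.d and sshd_config created in a temporary directory) so it can be tried without touching the live system. The function and file names are this example's own.

```python
"""Added example (not PE-Linux's own code): world-writable cron files and the
effective PermitRootLogin value, checked against constructed sample files."""
import os
import re
import stat
import tempfile


def world_writable_files(directory):
    """Return regular files under `directory` whose mode has the other-write bit.

    Cron directories are the classic target: a world-writable file in /etc/cron.d
    lets any local user schedule commands as root. The mode bit is checked rather
    than os.access() so the result does not change when the check runs as root.
    """
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def sshd_permit_root_login(config_path):
    """Effective PermitRootLogin value from an sshd_config file.

    sshd keeps the FIRST occurrence of a keyword; commented lines do not count.
    Without the directive, OpenSSH 7.0 and later default to 'prohibit-password'
    (key-only root login); older releases defaulted to 'yes'. Match blocks are
    ignored here, so review them by hand on a real host.
    """
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = re.match(r"\s*PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
            if m:
                return m.group(1).lower()
    return "prohibit-password"


def make_sample_tree():
    """Constructed sample data: a fake /etc with one bad cron file and an
    sshd_config whose commented default is overridden further down."""
    base = tempfile.mkdtemp(prefix="pe_demo_")
    cron_d = os.path.join(base, "cron.d")
    os.mkdir(cron_d)
    with open(os.path.join(cron_d, "backup"), "w") as fh:
        fh.write("0 3 * * * root /usr/local/bin/backup.sh\n")
    os.chmod(os.path.join(cron_d, "backup"), 0o666)      # the mistake we hunt for
    with open(os.path.join(cron_d, "logrotate"), "w") as fh:
        fh.write("15 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    os.chmod(os.path.join(cron_d, "logrotate"), 0o644)
    with open(os.path.join(base, "sshd_config"), "w") as fh:
        fh.write("#PermitRootLogin prohibit-password\n"   # comment: ignored
                 "PermitRootLogin yes\n"                  # first value wins
                 "PermitRootLogin no\n")                  # ignored by sshd
    return base


if __name__ == "__main__":
    base = make_sample_tree()
    print("writable cron:", world_writable_files(os.path.join(base, "cron.d")))
    print("PermitRootLogin:", sshd_permit_root_login(os.path.join(base, "sshd_config")))
```

On a real host, point world_writable_files at /etc/cron.d, /etc/cron.daily and friends, and sshd_permit_root_login at /etc/ssh/sshd_config; the sample tree exists only so the expected answers are known in advance.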

Link: http://feedproxy.google.com/~r/PentestTools/~3/Dp53wu5dov8/pe-linux-linux-privilege-escalation-tool.html

Probequest – Toolkit For Playing With Wi-Fi Probe Requests

Toolkit allowing to sniff and display the Wi-Fi probe requests passing near your wireless interface.

Probe requests are sent by a station to elicit information about access points, in particular to determine if an access point is present or not in the nearby environment. Some devices (mostly smartphones and tablets) use these requests to determine if one of the networks they have previously been connected to is in range, leaking personal information (the names of those networks, tied to the station's MAC address). Further details are discussed in this paper.

Installation

  pip3 install --upgrade probequest

Documentation

The project is documented here.

Usage

Enabling the monitor mode

To be able to sniff the probe requests, your Wi-Fi network interface must be set to monitor mode.

With ifconfig and iwconfig:

  sudo ifconfig <wireless interface> down
  sudo iwconfig <wireless interface> mode monitor
  sudo ifconfig <wireless interface> up

For example:

  sudo ifconfig wlan0 down
  sudo iwconfig wlan0 mode monitor
  sudo ifconfig wlan0 up

With airmon-ng from aircrack-ng:

To kill all the interfering processes:

  sudo airmon-ng check kill

To enable the monitor mode:

  sudo airmon-ng start <wireless interface>

For example:

  sudo airmon-ng start wlan0

Note that recent airmon-ng versions create a renamed monitor interface (typically wlan0mon); pass that name, not wlan0, to probequest.

Command line arguments

Toolkit for Playing with Wi-Fi Probe Requests

  usage: probequest [-h] [--debug] -i INTERFACE [--ignore-case] [--mode {RAW,TUI}] [-o OUTPUT] [--version]
                    [-e ESSID [ESSID ...] | -r REGEX] [--exclude EXCLUDE [EXCLUDE ...] | -s STATION [STATION ...]]

Named arguments:
  --debug           debug mode (default: False)
  -i, --interface   wireless interface to use (must be in monitor mode)
  --ignore-case     ignore case distinctions in the regex pattern (default: False)
  --mode            possible choices: RAW, TUI; set the mode to use (default: RAW)
  -o, --output      output file to save the captured data (CSV format)
  --version         show program's version number and exit
  -e, --essid       ESSID of the APs to filter (space-separated list)
  -r, --regex       regex to filter the ESSIDs
  --exclude         MAC addresses of the stations to exclude (space-separated list)
  -s, --station     MAC addresses of the stations to filter (space-separated list)

Example of use:

  sudo probequest -i wlan0

Download Probequest
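
What probequest actually extracts from the air, as an added example that is not part of the project: a parser for 802.11 probe request frames plus the ESSID/station filtering that the --regex, --ignore-case and --exclude options describe. The frames in the demo are constructed in the block (no radiotap header, no FCS), so it runs without a wireless interface; on a real capture the radiotap header has to be stripped first. Function names are this example's own.

```python
"""Added example, not probequest's own code: parse 802.11 probe requests and
filter them by ESSID regex / excluded station MACs."""
import re
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame):
    """Return station MAC, probed ESSID and sequence number of a probe request,
    or None when the frame is not a probe request or is truncated."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype != 4:          # management frame, subtype 4 = probe request
        return None
    station = _mac(frame[10:16])            # addr2 = transmitter = the station
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    # The body is a list of information elements: id(1) len(1) value(len).
    ies, body, i = {}, frame[24:], 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + elen]
        if len(value) < elen:               # truncated element: stop parsing
            break
        ies.setdefault(eid, value)
        i += 2 + elen
    essid = ies.get(0, b"").decode("utf-8", "replace")
    # An empty SSID element is a wildcard (broadcast) probe: it reveals the
    # station's presence but not which networks it knows.
    return {"station": station, "essid": essid, "seq": seq, "wildcard": essid == ""}


def filter_probes(frames, regex=None, ignore_case=False, exclude=()):
    """Apply probequest-style filters and return matching parsed probes in order."""
    pattern = re.compile(regex, re.IGNORECASE if ignore_case else 0) if regex else None
    excluded = {m.lower() for m in exclude}
    out = []
    for frame in frames:
        probe = parse_probe_request(frame)
        if probe is None or probe["station"] in excluded:
            continue
        if pattern and not pattern.search(probe["essid"]):
            continue
        out.append(probe)
    return out


def build_probe_request(station, essid, seq=0):
    """Construct a minimal probe request (sample data for the demo)."""
    header = bytes([0x40, 0x00])                          # FC: mgmt, subtype 4
    header += struct.pack("<H", 0)                        # duration
    header += bytes.fromhex(BROADCAST.replace(":", ""))   # addr1: destination
    header += bytes.fromhex(station.replace(":", ""))     # addr2: source
    header += bytes.fromhex(BROADCAST.replace(":", ""))   # addr3: BSSID
    header += struct.pack("<H", seq << 4)                 # fragment 0, sequence
    ssid = essid.encode()
    body = bytes([0, len(ssid)]) + ssid                   # SSID element
    body += bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])         # supported rates 1/2/5.5/11
    return header + body


SAMPLE_FRAMES = [  # constructed, not captured
    build_probe_request("aa:bb:cc:dd:ee:01", "HomeWifi", seq=7),
    build_probe_request("aa:bb:cc:dd:ee:02", "", seq=1),
    build_probe_request("aa:bb:cc:dd:ee:03", "Office-Guest", seq=2),
]

if __name__ == "__main__":
    for p in filter_probes(SAMPLE_FRAMES):
        print(p["station"], repr(p["essid"]), "(wildcard)" if p["wildcard"] else "")
```

The wildcard case is the one worth keeping in mind when reading the tool's output: a device that only sends broadcast probes shows up, but leaks no network names.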

Link: http://feedproxy.google.com/~r/PentestTools/~3/fpE9V2W2e84/probequest-toolkit-for-playing-with-wi.html

Sslmerge – Tool To Help You Build A Valid SSL Certificate Chain From The Root Certificate To The End-User Certificate

Sslmerge is an open source tool to help you build a valid SSL certificate chain from the root certificate to the end-user certificate. It can also help you fix an incomplete certificate chain and download all missing CA certificates.

How To Use

It's simple:

  # Clone this repository
  git clone https://github.com/trimstray/sslmerge
  # Go into the repository
  cd sslmerge
  # Install
  ./setup.sh install
  # Run the app
  sslmerge -i /data/certs -o /data/certs/chain.crt

The installer places a symlink to bin/sslmerge in /usr/local/bin and the man page in /usr/local/man/man8.

Parameters

Provides the following options:

  Usage: sslmerge

  Examples:
    sslmerge --in Root.crt --in Intermediate1.crt --in Server.crt --out bundle_chain_certs.crt
    sslmerge --in /tmp/certs --out bundle_chain_certs.crt --with-root
    sslmerge -i Server.crt -o bundle_chain_certs.crt

  Options:
        --help          show this message
        --debug         displays information on the screen (debug mode)
    -i, --in            add certificates to merge (certificate file, multiple files or directory with ssl certificates)
    -o, --out           saves the result (chain) to file
        --with-root     add root certificate to the certificate chain

How it works

Let's start with the ssllabs certificate chain. The certificates are delivered together with sslmerge and can be found in the example/ssllabs.com directory, which additionally contains the all directory (containing all the certificates needed to assemble the chain) and the server_certificate directory (containing only the server certificate).

The correct chain for the ssllabs.com domain (the result of the openssl command):

  Certificate chain
   0 s:/C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
     i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
   1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
     i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
   2 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
     i:/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority

The above output presents a full chain consisting of:
- Identity certificate (server certificate): issued for ssllabs.com by Entrust Certification Authority - L1K
- Intermediate certificate: issued for Entrust Certification Authority - L1K by Entrust Root Certification Authority - G2
- Intermediate certificate: issued for Entrust Root Certification Authority - G2 by Entrust Root Certification Authority
- Root certificate (self-signed certificate): issued for Entrust Root Certification Authority by Entrust Root Certification Authority

Scenario 1

In this scenario, we chain all delivered certificates. (The example run is a screenshot in the original post.)

Scenario 2

In this scenario, we only use the server certificate and use it to retrieve the remaining required certificates. Then, as above, we combine all the obtained certificates. (The example run is a screenshot in the original post.)

Certificate chain

In order to create a valid chain, you must provide the tool with all the necessary certificates: the server certificate, the intermediate CAs and the root CA. This is important because without them it is not possible to determine the beginning and the end of the chain.

However, if you look inside the chain generated by sslmerge, you will not find the root certificate there. Why? Because self-signed root certificates need not (and should not) be included in the web server configuration. They serve no purpose, since clients ignore a root sent by the server and use the copy in their own trust store, and they incur a slight performance (latency) penalty because they increase the size of the TLS handshake. If you want to add the root certificate to the chain anyway, call the utility with the --with-root parameter.

Certification Paths

Sslmerge allows use of two certification paths (shown as a diagram in the original post).

Output comments

When generating the chain of certificates, sslmerge displays comments with information about the certificates, including any errors. Here is a list of all possibilities:

not found identity (end-user, server) certificate
  Displayed in the absence of a server certificate, which is the beginning of the chain. This is a unique case: sslmerge ends its operation displaying only this information. The server certificate is the only certificate that must be supplied as input (the others can be fetched); without it the chain cannot be created.

found correct identity (end-user, server) certificate
  The reverse situation: displayed when a valid server certificate is found.

not found first intermediate certificate
  Appears when the first of the two intermediate certificates is not found. It says nothing about the second intermediate certificate; it only tells you whether the intermediate that signed the server certificate exists. It can also be displayed when only the second intermediate certificate has been delivered.

not found second intermediate certificate
  Similar to the above, but for the second intermediate certificate. It is still possible to create a correct chain using the second certification path, e.g. using the first intermediate certificate and replacing the second with the root certificate.

one or more intermediate certificate not found
  One or all of the required intermediate certificates are missing; displayed in the absence of the root certificate.

found 'n' correct intermediate certificate(s)
  The number of valid intermediate certificates.

not found correct root certificate
  The lack of the root certificate is treated as a warning. When configuring certificates on the server side it is not recommended to attach the root certificate, but sslmerge still needs it to confirm that the chain is complete, so without it the chain is reported as incomplete.

an empty CN field was found in one of the certificates
  This is informational, not an error: some certificates have no CN field (look at example/google.com). The Common Name field identifies the host name associated with the certificate, but there is no requirement in RFC 3280 for an Issuer DN to have a CN. Most CAs do include a CN in the Issuer DN, but some don't, such as this Equifax CA.

Requirements

Sslmerge uses an external utility that must be installed before running: openssl.

Other

Contributing: see this.
Project architecture: see this.

Download Sslmerge
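
The chain-ordering step behind the output comments above, as an added example that is not sslmerge's own code. Certificates are represented as (subject, issuer, is_ca) records; extracting those fields from real PEM files is left to a library such as cryptography (x509.load_pem_x509_certificate(...).subject, .issuer and the BasicConstraints extension). The records in the block are typed in from the ssllabs.com chain printed above with DNs shortened to their CN, and the messages only approximate sslmerge's wording.

```python
"""Added example (not sslmerge's own code): order a bag of certificates from
the identity certificate up to the root and report what is missing."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # subject DN (shortened to the CN here)
    issuer: str    # issuer DN
    is_ca: bool    # BasicConstraints cA flag

    @property
    def self_signed(self):
        return self.subject == self.issuer


def build_chain(certs, with_root=False):
    """Return {"chain": [...], "complete": bool, "messages": [...]}.

    The root is listed only when with_root is set, mirroring --with-root.
    Subjects are assumed unique: a CA present both self-signed and cross-signed
    would need disambiguation by key identifier, which is not done here.
    """
    messages = []
    identity = [c for c in certs if not c.is_ca]
    if len(identity) != 1:
        messages.append("not found identity (end-user, server) certificate")
        return {"chain": [], "complete": False, "messages": messages}
    leaf = identity[0]
    messages.append("found correct identity (end-user, server) certificate")

    by_subject = {c.subject: c for c in certs}
    intermediates, root, current = [], None, leaf
    while root is None:
        parent = by_subject.get(current.issuer)
        if parent is None:
            if len(intermediates) == 0:
                messages.append("not found first intermediate certificate")
            elif len(intermediates) == 1:
                messages.append("not found second intermediate certificate")
            break
        if parent.self_signed and parent is not leaf:
            root = parent
        elif parent is leaf or parent in intermediates:
            messages.append("issuer loop detected, chain cannot be built")
            break
        else:
            intermediates.append(parent)
            current = parent

    messages.append(f"found {len(intermediates)} correct intermediate certificate(s)")
    if root is None:
        messages.append("not found correct root certificate")   # a warning in sslmerge

    chain = [leaf] + intermediates
    if with_root and root is not None:
        chain.append(root)
    return {"chain": chain, "complete": root is not None, "messages": messages}


# Records constructed from the ssllabs.com chain shown above.
SSLLABS = Cert("ssllabs.com", "Entrust Certification Authority - L1K", False)
L1K = Cert("Entrust Certification Authority - L1K",
           "Entrust Root Certification Authority - G2", True)
G2 = Cert("Entrust Root Certification Authority - G2",
          "Entrust Root Certification Authority", True)
ENTRUST_ROOT = Cert("Entrust Root Certification Authority",
                    "Entrust Root Certification Authority", True)
ALL_CERTS = [ENTRUST_ROOT, G2, SSLLABS, L1K]   # unordered on purpose, like a directory listing

if __name__ == "__main__":
    result = build_chain(ALL_CERTS)
    for c in result["chain"]:
        print("chain:", c.subject)
    for m in result["messages"]:
        print("msg:  ", m)
```

Feeding it ALL_CERTS minus L1K reproduces the "not found first intermediate certificate" case; minus the root it reproduces the warning, which is exactly the situation a web server bundle is expected to be in.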

Link: http://feedproxy.google.com/~r/PentestTools/~3/G7_uBQCMSxY/sslmerge-tool-to-help-you-build-valid.html

PwnAdventure3 – Game Open-World MMORPG Intentionally Vulnerable To Hacks

Pwnie Island is a limited-release, first-person, true open-world MMORPG set on a beautiful island where anything could happen. That's because this game is intentionally vulnerable to all kinds of silly hacks! Flying, endless cash, and more are all one client change or network proxy away. Are you ready for the mayhem?

Official Site: http://www.pwnadventure.com/

YouTube Series

This setup is part of a video series covering the different hacks and challenges in this game:
- Let's Play/Hack - Pwn Adventure 3: Pwnie Island - part 1
- Setup Private Server with Docker - Pwn Adventure 3: part 2
- Information Gathering / Recon - Pwn Adventure 3: part 3
- Recover Game Classes with gdb - Pwn Adventure 3: part 4
- Hooking on Linux with LD_PRELOAD - Pwn Adventure 3: part 5
- Flying and our first Flag! (Cow King) - Pwn Adventure 3: part 6
- Teleporting and Hovering (Unbearable Revenge) - Pwn Adventure 3: part 7

Install Server

Requirements

From the official README:

  At least 2GB of RAM; more RAM will allow more instances to be run on a single machine. The Game Server does not need any graphics hardware and runs purely on console. It is known to run well on Amazon AWS and Digital Ocean VPS instances. The Game Server requires a lot of RAM to run, but uses fork and copy-on-write memory to allow many instances to run on a single host. For a server with 2GB of RAM, it is not recommended to run more than 5 instances, but a server with 8GB of RAM can typically run as many as the CPU can handle. It is recommended to use 2-3 instances per CPU core if you have sufficient RAM. You may be able to run 4-5 instances per core, but doing so may introduce slight lag. The files for the client and server are over 2GB as well, so several GB of free disk space are required.

There are several ways to build and deploy your own server.

Option 1 - Original

One option is to download and follow the instructions included in the README of the official files. The download can be found on the official website here: http://www.pwnadventure.com/#server.

Option 2 - Guide

@Beaujeant created an excellent, easy to follow step-by-step guide. It was also the basis for building the docker image from Option 3. The guide can be found here: https://github.com/beaujeant/PwnAdventure3/blob/master/INSTALL-server.md.

Option 3 - Docker

This option is super easy, as long as docker and docker-compose are installed on a host. It makes it easy to run and tear down a server without making changes to the actual host system.

First, gather all necessary files:

  git clone https://github.com/LiveOverflow/PwnAdventure3.git
  cd PwnAdventure3
  wget http://pwnadventure.com/pwn3.tar.gz
  tar -xvf pwn3.tar.gz

In order to run the server, docker and docker-compose have to be installed. Docker is moving fast, so it's a good idea to follow the current official steps for installation (which could also include removing an older system version of docker):
- Docker CE Ubuntu: https://docs.docker.com/install/linux/docker-ce/ubuntu/
- docker-compose: https://docs.docker.com/compose/install/
- Make sure the current user is part of the docker group with: sudo usermod -a -G docker $USER. Restart or re-login and verify with id that the user is part of the docker group. (Membership of the docker group is equivalent to root on the host, so only grant it to users you would trust with root.)

Then simply build the image and launch the master and game server:

  docker-compose build
  docker-compose up

docker-compose up can also run in detached/background mode with -d.

Install Client

First download the client from the official website here: http://www.pwnadventure.com/#downloads

To get a client connected to the new server, the server.ini for the client has to be modified. The server launched with docker expects that the hostnames master.pwn3 and game.pwn3 are being used (these could theoretically be changed in the docker/setup files). The server.ini for the client has to look something like this:

  [MasterServer]
  Hostname=master.pwn3
  Port=3333

  [GameServer]
  Hostname=game.pwn3
  Port=3000
  Username=
  Password=
  Instances=

Make sure that the client can reach these hosts, for example by adding them to the /etc/hosts file. In this example the server is running on 192.168.178.57 and the entries would be:

  192.168.178.57 master.pwn3
  192.168.178.57 game.pwn3

Warning: Using an IP as Hostname in the server.ini does not work! I spent 2 hours trying to figure out what was wrong.

To stop the server, simply type docker-compose down.

Warning: The database file is not persistent: taking down the container resets everything. So backup first.

Troubleshooting

Error: docker-compose build

  $ docker-compose build
  Building init
  ERROR: Error processing tar file(exit status 1): write /client/PwnAdventure3_Data/PwnAdventure3/PwnAdventure3/Content/Paks/Characters.pak: no space left on device

A: Get more disk space.

  $ docker-compose build
  Building init
  ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?

A: Your user is probably not part of the docker group, or the docker service is not running. sudo usermod -a -G docker pwn3, verify with id. Or service docker restart.

File Integrity

Check if the archive is corrupted:

  $ md5sum pwn3.tar.gz
  d3f296461fa57996018ce0e4e5a653ee  pwn3.tar.gz
  $ sha1sum pwn3.tar.gz
  022bd5174286fd78cd113bc6da6d37ae9af1ae8e  pwn3.tar.gz

PwnAdventure3 Client Errors

Connection Error: Unable to connect to master server

This probably means that the MasterServer is not reachable.

Client issues:
- Check the [MasterServer] entry in the client's server.ini.
- Can you ping master.pwn3 from your system?
- Is the IP correct in the /etc/hosts file?

Server issues:
- Is the server running and listening on port 3333? Check with sudo netstat -tulpn. Is the master server listening:
    tcp6       0      0 :::3333      :::*      LISTEN      31913/docker-proxy
- Check with docker ps if the two containers are up. Master server running?
    880f93374070   pwn3server   "/opt/pwn3/setup/mas…"   0.0.0.0:3333->3333/tcp, 5432/tcp   pwnadventure3_master_1

Waiting in connection queue...

This means the MasterServer is reachable and is now waiting for a free GameServer that can be given to the client. This probably means that no GameServer is running, or that it was not able to connect to the MasterServer.

Server issues:
- Is a game server running and listening on ports 3000-3005? Check listening processes with sudo netstat -tulpn:
    tcp6       0      0 :::3000      :::*      LISTEN      32160/docker-proxy
- Is the pwnadventure3_game_1 container running? Check with docker ps -a:
    84343f81034f   pwn3server   "/opt/pwn3/setup/gam…"   0.0.0.0:3000-3010->3000-3010/tcp, 5432/tcp   pwnadventure3_game_1
- Do you see the following line in the log from docker-compose up?
    line 1:     7 Killed                  ./PwnAdventure3Server
    pwnadventure3_game_1 exited with code 137
  GET MORE RAM! (Exit code 137 means the process was killed by SIGKILL, typically by the kernel's OOM killer.)

Docker versions

These versions were used during testing as a host:

  $ uname -a
  Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  $ docker-compose version
  docker-compose version 1.19.0, build 9e633ef
  docker-py version: 2.7.0
  CPython version: 2.7.13
  OpenSSL version: OpenSSL 1.0.1t  3 May 2016
  $ docker --version
  Docker version 17.12.1-ce, build 7390fc6

Screenshots (not reproduced here)

Download PwnAdventure3

Link: http://feedproxy.google.com/~r/PentestTools/~3/1enkfDCYNho/pwnadventure3-game-open-world-mmorpg.html

One-Lin3r v1.1 – Gives You One-Liners That Aids In Penetration Testing Operations

One-Lin3r is a simple and light-weight framework inspired by the web-delivery module in Metasploit. It consists of various one-liners that aid in penetration testing operations:
- Reverser: give it an IP and port and it returns a reverse shell one-liner ready for copy and paste.
- Dropper: give it the URL of an uploaded backdoor and it returns a download-and-execute one-liner ready for copy and paste.
- Other: holds general-purpose one-liners that help in penetration testing (e.g. Mimikatz, PowerUp, etc.) on the trending OSes (Windows, Linux, and macOS). "More OSes can be added too."

Features
- Search for any one-liner in the database by its full name or partially.
- You can add your own liners by following these steps to create a ".liner" file. Also, you can send it to me directly and it will be added to the framework and credited with your name.
- Autocomplete any framework command, with recommendations in case of typos (in case you love hacking like in the movies).
- Command line arguments can be used to give the framework a resource file to load and execute for automation.
- The ability to reload the database if you added any liner, without restarting the framework.
- You can add any platform to the payloads database just by making a folder in the payloads folder and creating a ".liner" file there.
- More...

The payloads database is not big now because this is the first edition, but it will get bigger with updates and contributions.

Screenshots (not reproduced here)

Usage

Command line arguments

  usage: one-lin3r [-h] [-r R] [-x X] [-q]

  optional arguments:
    -h, --help  show this help message and exit
    -r          Execute a resource file (history file).
    -x          Execute a specific command (use ; for multiples).
    -q          Quiet mode (no banner).

Framework commands

  Command          Description
  --------         -----------
  help/?           Show this help menu
  list/show        List payloads you can use in the attack.
  search           Search payloads for a specific one
  use <payload>    Use an available payload
  info <payload>   Get information about an available payload
  banner           Display banner
  reload/refresh   Reload the payloads database
  check            Prints the core version and database version, then checks for them online.
  history          Display the most important command line history from the beginning
  save_history     Save command line history to a file
  exit/quit        Exit the framework

Installing and requirements

To make the tool work at its best you must have:
- Python 3.x or 2.x (preferred 3).
- Linux (tested on Kali rolling), Windows, or macOS (tested on 10.11).
- The requirements mentioned in the next few lines.

Installing

For Windows (after downloading the ZIP and unzipping it):

  python -m pip install ./One-Lin3r-master
  one-lin3r -h

For Linux:

  git clone https://github.com/D4Vinci/One-Lin3r.git
  apt-get install libncurses5-dev
  pip install ./One-Lin3r
  one-lin3r -h

Updating the framework or the database

On Linux, while outside the directory:

  cd One-Lin3r && git pull && cd ..
  pip install ./One-Lin3r --upgrade

On Windows, if you don't have git installed, re-download the framework zipped!

Download One-Lin3r

Link: http://feedproxy.google.com/~r/PentestTools/~3/elxDfxPSrg8/one-lin3r-v11-gives-you-one-liners-that.html

M4Ngl3M3 – Common Password Pattern Generator Using Strings List

Common password pattern generator using a strings list.

Quick Installation:

  $ git clone https://github.com/localh0t/m4ngl3m3
  $ cd m4ngl3m3
  $ ./main.py

Basic Help:

  usage: main.py [-h] [-fy FROM_YEAR] [-ty TO_YEAR] [-sy] [-nf NUMBERS_FILE]
                 [-sf SYMBOLS_FILE] [-cf CUSTOM_FILE] [-sbs] [-sap]
                 [-mm MUTATION_METHODS]
                 MUTATION_MODE STRINGS_FILE OUTPUT_FILE

  Common password pattern generator using strings list

  positional arguments:
    MUTATION_MODE         Mutation mode to perform: (prefix-mode | suffix-mode | dual-mode)
    STRINGS_FILE          File with strings to mutate
    OUTPUT_FILE           Where to write the mutated strings

  optional arguments:
    -h, --help            show this help message and exit
    -fy FROM_YEAR, --from-year FROM_YEAR
                          Year where our iteration starts (default: 2015)
    -ty TO_YEAR, --to-year TO_YEAR
                          Year where our iteration ends (default: 2020)
    -sy, --short-year     Also add shorter year form when iterating (default: False)
    -nf NUMBERS_FILE, --numbers-file NUMBERS_FILE
                          Numbers prefix/suffix file (default: ./files/numbers/numbers_set2.txt)
    -sf SYMBOLS_FILE, --symbols-file SYMBOLS_FILE
                          Symbols prefix/suffix file (default: ./files/symbols/symbols_set2.txt)
    -cf CUSTOM_FILE, --custom-file CUSTOM_FILE
                          Custom words/dates/initials/etc file (default: None)
    -sbs, --symbols-before-suffix
                          Insert symbols also before years/numbers/custom (when in suffix-mode or dual-mode) (default: False)
    -sap, --symbols-after-prefix
                          Insert symbols also after years/numbers/custom (when in prefix-mode or dual-mode) (default: False)
    -mm MUTATION_METHODS, --mutation-methods MUTATION_METHODS
                          Mutation methods to perform (comma separated, no spaces) (valid: see MUTATION_METHODS.md) (default: normal,uppercase,firstup,replacevowels)

--from-year (-fy), --to-year (-ty):

Here we set where we want our script to start and end iterating over years. Many times people include the current year in an effort to add some entropy. Because passwords could be outdated, or the years included could be in the (near) future, we add them as a range. For online environments (where every guess costs a request and can trigger lockouts), take a conservative approach and only include ranges in the order of (-1, +1) or (-2, +2). For offline environments, the range can be wider: (-20, +5) or even (-50, +10).

Output example:
  password2017
  [...]
  password2018
  [...]
  password2019

--short-year (-sy):

When iterating years, also add the shorter two-digit form.

Output example:
  password17
  [...]
  password18
  [...]
  password19

--numbers-file (-nf):

With this argument we select a file containing numbers that people frequently add to their passwords. By default 6 sets are included, the largest being set 6, each set being a superset of the previous one. The numbers included in the first sets (1, 2, ...) are more likely to be present than the ones only included in the later sets (..., 5, 6). Again, for online environments use the first three sets; for offline environments, the later ones. By default, the script uses set number 2.

Output example:
  password1
  [...]
  password123
  [...]
  password1234

--symbols-file (-sf):

With this argument we select a file containing symbols that people frequently add to their passwords. Again, set number 1 is the smallest and set number 6 the largest. The symbols included in the first sets (1, 2, ...) are more likely to be present than the ones only included in the later sets (..., 5, 6). By default, the script uses set number 2.

Output example:
  password123!
  [...]
  password2018?
  [...]
  password1234.

--custom-file (-cf):

Here we add anything else we know about our targets (that is not considered the "base" of the password itself). Let the creativity roll in! It could be company initials, birth dates, special dates, specific years, short keywords, etc. These custom strings are treated in the same way as the years/numbers.

Output example:
  passwordABC
  [...]
  password01011980!
  [...]
  password.admin

MUTATION_MODE (positional argument):

With this parameter we select how the tool combines the strings. You can choose one of three:
- suffix-mode: adds years, numbers, symbols and custom strings after the main string. Example: password2018!
- prefix-mode: adds years, numbers, symbols and custom strings before the main string. Example: !2018password
- dual-mode: as the name suggests, it uses both modes (generates both outputs).

STRINGS_FILE (positional argument):

File containing the strings to mutate. If, for example, you're doing a pentest and don't know where to start, I would suggest using a tool like CeWL to spider the company website and keep the most recurring words (including the company name, of course).

OUTPUT_FILE (positional argument):

Simply, the file where we want to write the mutated strings.

--symbols-before-suffix (-sbs):

When this flag is enabled and the tool runs in suffix-mode or dual-mode, the script will also add the symbols before years/numbers/custom.

Output example:
  password2018!
  [...]
  password!2018
  [...]

--symbols-after-prefix (-sap):

When this flag is enabled and the tool runs in prefix-mode or dual-mode, the script will also add the symbols after years/numbers/custom.

Output example:
  !2018password
  [...]
  2018!password
  [...]

--mutation-methods (-mm):

With this parameter we define which mutation methods are performed. Mutation methods are base transformations applied before iterating over years/numbers/symbols/custom. You can select as many mutation methods as you want. For a list of all valid mutation methods, check MUTATION_METHODS.md. By default, m4ngl3m3! runs with the following: Normal, UpperCase, FirstUp and ReplaceVowels.

Usage examples:

Usage example (1):

  $ ./main.py --from-year 2017 --to-year 2018 --symbols-before-suffix suffix-mode strings.txt output.txt

(or, shorter version)

  $ ./main.py -fy 2017 -ty 2018 -sbs suffix-mode strings.txt output.txt
  [!] Starting...
  [+] Normal-Mangling mutation method done on string: admin
  [+] UpperCase-Mangling mutation method done on string: admin
  [+] FirstUp-Mangling mutation method done on string: admin
  [+] ReplaceVowels-Mangling mutation method done on string: admin
  ---
  [+] Normal-Mangling mutation method done on string: companyname
  [+] UpperCase-Mangling mutation method done on string: companyname
  [+] FirstUp-Mangling mutation method done on string: companyname
  [+] ReplaceVowels-Mangling mutation method done on string: companyname
  ---
  [!] All done!
  [!] Strings read: 2
  [!] Strings written: 888
  [!] Exiting ...

"Iterate from year 2017 to 2018, default numbers and symbols file, suffix mode only, insert symbols also before suffix, default mutation methods."

Input file:
  admin
  companyname

Output file:
  admin
  admin!
  [...]
  Admin2017!
  Admin!2017
  [...]
  COMPANYNAME1234!
  COMPANYNAME!1234
  [...]
  c0mp4nyn4m32018@
  c0mp4nyn4m3@2018
  [...]

Usage example (2):

  $ ./main.py -fy 2016 -ty 2019 -sy -nf ./files/numbers/numbers_set1.txt -sf ./files/symbols/symbols_set1.txt -sbs -sap -mm normal,firstup,doubleandfirstup,basicleet dual-mode strings.txt output.txt
  [!] Starting...
  [+] Normal-Mangling mutation method done on string: password
  [+] FirstUp-Mangling mutation method done on string: password
  [+] DoubleAndFirstUp-Mangling mutation method done on string: password
  [+] BasicLeet-Mangling mutation method done on string: password
  ---
  [+] Normal-Mangling mutation method done on string: example
  [+] FirstUp-Mangling mutation method done on string: example
  [+] DoubleAndFirstUp-Mangling mutation method done on string: example
  [+] BasicLeet-Mangling mutation method done on string: example
  ---
  [!] All done!
  [!] Strings read: 2
  [!] Strings written: 1288
  [!] Exiting ...

"Iterate from year 2016 to 2019, with short year form also, use set 1 for numbers and symbols, dual-mode (prefix and suffix), insert symbols also before suffix, insert symbols also after prefix, mutation methods: Normal, FirstUp, DoubleAndFirstUp, BasicLeet."

Input file:
  password
  example

Output file:
  password
  password!
  password@
  [...]
  !2018PasswordPassword
  !18PasswordPassword
  2018!PasswordPassword
  18!PasswordPassword
  [...]
  p455w0rd$1
  p455w0rd123
  p455w0rd123!
  p455w0rd!123
  [...]
  Example!2019
  Example!19
  [...]

Download M4Ngl3M3
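
The combination rules that the modes and flags above describe, as an added example in Python that is not m4ngl3m3's own code. It makes the effect of each flag on the candidate count visible offline. The character maps for replacevowels and basicleet are assumptions read off the sample output above (a->4, e->3, i->1, o->0, s->5); the authoritative tables are in the project's MUTATION_METHODS.md. Number and symbol sets are passed in directly instead of being read from the files/ directory.

```python
"""Added example (not m4ngl3m3's own code): a compact reimplementation of the
mangling scheme to reason about wordlist size and contents."""

MUTATIONS = {
    "normal": lambda s: s,
    "uppercase": str.upper,
    "firstup": lambda s: s[:1].upper() + s[1:],
    "doubleandfirstup": lambda s: (s[:1].upper() + s[1:]) * 2,   # "PasswordPassword"
    "replacevowels": lambda s: s.translate(str.maketrans("aeio", "4310")),  # assumed map
    "basicleet": lambda s: s.translate(str.maketrans("aeios", "43105")),     # assumed map
}
DEFAULT_METHODS = ("normal", "uppercase", "firstup", "replacevowels")


def year_tokens(from_year, to_year, short_year=False):
    """Years in [from_year, to_year]; with short_year also the two-digit form (-sy)."""
    tokens = []
    for year in range(from_year, to_year + 1):
        tokens.append(str(year))
        if short_year:
            tokens.append(f"{year % 100:02d}")
    return tokens


def mangle(strings, mode, from_year=2015, to_year=2020, short_year=False,
           numbers=(), symbols=(), custom=(), sbs=False, sap=False,
           methods=DEFAULT_METHODS):
    """Generate candidates the way the tool's modes and flags combine them.

    suffix-mode: base, base+sym, base+tok, base+tok+sym, plus base+sym+tok if sbs
    prefix-mode: base, sym+base, tok+base, sym+tok+base, plus tok+sym+base if sap
    dual-mode:   both. tok ranges over years, numbers and custom strings.
    Output is de-duplicated in first-seen order, as a wordlist should be.
    """
    if mode not in ("suffix-mode", "prefix-mode", "dual-mode"):
        raise ValueError(f"unknown MUTATION_MODE {mode!r}")
    tokens = year_tokens(from_year, to_year, short_year) + list(numbers) + list(custom)
    bases = []
    for s in strings:
        for m in methods:
            b = MUTATIONS[m](s)
            if b not in bases:          # e.g. firstup("Admin") == normal("Admin")
                bases.append(b)
    seen, out = set(), []

    def emit(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for b in bases:
        emit(b)
        if mode in ("suffix-mode", "dual-mode"):
            for s in symbols:
                emit(b + s)
            for t in tokens:
                emit(b + t)
                for s in symbols:
                    emit(b + t + s)
                    if sbs:
                        emit(b + s + t)
        if mode in ("prefix-mode", "dual-mode"):
            for s in symbols:
                emit(s + b)
            for t in tokens:
                emit(t + b)
                for s in symbols:
                    emit(s + t + b)
                    if sap:
                        emit(t + s + b)
    return out


if __name__ == "__main__":
    # Mirrors usage example (1) above with small, constructed number/symbol sets.
    words = mangle(["admin", "companyname"], "suffix-mode", from_year=2017, to_year=2018,
                   numbers=["1", "123", "1234"], symbols=["!", "@"], sbs=True)
    print(len(words), "candidates; first few:", words[:6])
```

The arithmetic is what matters for the online/offline advice above: with one base word, four mutation methods, two years, two numbers and two symbols, suffix-mode with -sbs already yields 92 candidates; dual-mode with -sbs and -sap doubles that to 180, before any short years or custom strings are added.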

Link: http://feedproxy.google.com/~r/PentestTools/~3/DLmcogzhpGU/m4ngl3m3-common-password-pattern.html

Takeover – SubDomain TakeOver Vulnerability Scanner

A sub-domain takeover vulnerability occurs when a sub-domain (subdomain.example.com) is pointing to a service (e.g. GitHub Pages, AWS S3, ...) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that sub-domain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com. The defect is the dangling DNS record (typically a CNAME) that keeps pointing at the service after the resource behind it is gone. For more information: here

Installation:

  # git clone https://github.com/m4ll0k/takeover.git
  # cd takeover
  # python takeover.py

or:

  wget -q https://raw.githubusercontent.com/m4ll0k/takeover/master/takeover.py && python takeover.py

As with any script fetched straight from a raw URL and executed, read it before running it.

Download Takeover
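
The detection logic behind a check like this one, as an added example that is not the takeover tool's own code. DNS lookups and HTTP fetches are injected as callables, so the demo runs offline against a constructed zone and constructed HTTP bodies; in a real scan you would plug in a resolver and an HTTP client. The fingerprint table is an illustrative assumption covering three services; for real work keep a maintained list (the "can-i-take-over-xyz" project is the usual source), since fingerprints change.

```python
"""Added example, not the takeover tool's own code: classify subdomains by
following their CNAME chain and matching the target service's "unclaimed" page."""

# service -> (CNAME suffixes owned by that service, text of its unclaimed-resource page)
FINGERPRINTS = {   # illustrative assumption, not a maintained list
    "github-pages": ((".github.io",), "There isn't a GitHub Pages site here"),
    "aws-s3": ((".amazonaws.com",), "NoSuchBucket"),
    "heroku": ((".herokuapp.com",), "No such app"),
}
MAX_CNAME_HOPS = 10


def follow_cnames(name, resolver):
    """Return the CNAME chain for `name` (excluding `name` itself), or the
    string "loop" when the chain cycles. resolver(name) -> target or None."""
    chain, seen = [], {name.lower()}
    while len(chain) < MAX_CNAME_HOPS:
        target = resolver(name)
        if target is None:
            return chain
        target = target.rstrip(".").lower()
        if target in seen:
            return "loop"
        chain.append(target)
        seen.add(target)
        name = target
    return chain


def check_subdomain(subdomain, resolver, fetcher):
    """Classify one subdomain. fetcher(host) -> HTTP body, or None if unreachable."""
    chain = follow_cnames(subdomain, resolver)
    if chain == "loop":
        return {"subdomain": subdomain, "status": "cname-loop"}
    if not chain:
        return {"subdomain": subdomain, "status": "no-cname"}
    target = chain[-1]
    for service, (suffixes, marker) in FINGERPRINTS.items():
        if not target.endswith(suffixes):
            continue
        body = fetcher(subdomain)
        if body is None:
            # The target no longer answers at all: the record is dangling and
            # claimable if the service lets anyone register that name.
            status = "dangling"
        elif marker in body:
            status = "vulnerable"      # the service serves its unclaimed page
        else:
            status = "in-use"
        return {"subdomain": subdomain, "status": status, "service": service, "cname": target}
    return {"subdomain": subdomain, "status": "unknown-service", "cname": target}


# Constructed sample zone and HTTP responses (not real hosts).
SAMPLE_DNS = {
    "blog.example.com": "example-old.github.io",
    "www.example.com": "cdn.example.com",
    "cdn.example.com": "example-old.github.io",
    "assets.example.com": "assets-bucket.s3.amazonaws.com",
    "app.example.com": "legit.herokuapp.com",
    "old.example.com": "gone.herokuapp.com",
    "loop1.example.com": "loop2.example.com",
    "loop2.example.com": "loop1.example.com",
}
SAMPLE_HTTP = {
    "blog.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "www.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "app.example.com": "<html>Welcome to our app</html>",
}


def scan(subdomains, resolver=SAMPLE_DNS.get, fetcher=SAMPLE_HTTP.get):
    return [check_subdomain(s, resolver, fetcher) for s in subdomains]


if __name__ == "__main__":
    for r in scan(sorted(SAMPLE_DNS) + ["mail.example.com"]):
        print(r)
```

Two details are easy to get wrong in a quick scanner and are handled here: the CNAME may point at another CNAME (www -> cdn -> github.io), so the service is decided by the end of the chain, and a chain that cycles must terminate rather than hang.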

Link: http://feedproxy.google.com/~r/PentestTools/~3/bCpPqZo0iAg/takeover-subdomain-takeover.html

Airba.sh – A POSIX-compliant, Fully Automated WPA PSK Handshake Capture Script Aimed At Penetration Testing

Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing. It is compatible with Bash and the Android shell (tested on Kali Linux and CyanogenMod 10.2) and uses aircrack-ng to scan for clients that are currently connected to access points (APs). Those clients are then deauthenticated in order to capture the handshake when they attempt to reconnect to the AP. Verification of a captured handshake is done using aircrack-ng. If one or more handshakes are captured, they are entered into an SQLite3 database, along with the time of capture and the current GPS data (if properly configured).

After capture, the database can be tested for vulnerable router models using crackdefault.sh. It searches for entries that match the implemented modules, which currently include algorithms to compute default keys for Speedport 500-700 series, Thomson/SpeedTouch and UPC 7-digit (UPC1234567) routers.

Requirements
WiFi interface in monitor mode
aircrack-ng
SQLite3
openssl for compilation of modules (optional)
wlanhc2hcx from hcxtools

In order to log GPS coordinates of handshakes, configure your coordinate logging software to log to .loc/*.txt (the filename can be chosen as desired). Airbash will always use the output of
cat "$path$loc"*.txt 2>/dev/null | awk 'NR==0; END{print}'
which reads all .txt files in .loc/ (concatenated in glob order) and prints the last line: NR==0 never matches, so only the END block fires, and it prints the last record read. The implementation follows the output format of GPSLogger, which was used on the development device.

Calculating default keys
After capturing a new handshake, the database can be queried for vulnerable router models. If a module applies, the default keys for this router series are calculated and used as input for aircrack-ng to try and recover the passphrase.

Compiling modules
The modules for calculating Thomson/SpeedTouch and UPC1234567 (7 random digits) default keys are included in src/. Credits for the code go to the authors Kevin Devine and peter@haxx.in.

On Linux:
gcc -fomit-frame-pointer -O3 -funroll-all-loops -o modules/st modules/stkeys.c -lcrypto
gcc -O2 -o modules/upckeys modules/upc_keys.c -lcrypto

On Android, you may need to copy the binaries to /system/xbin/ or to another directory where binary execution is allowed.

Usage
Running install.sh will create the database, prepare the folder structure and create shortlinks to both scripts, which can be moved to a directory that is on $PATH to allow execution from any location.

After installation, you may need to manually adjust INTERFACE on line 46 in airba.sh. This will later be determined automatically, but for now the default is set to wlan0, to allow out-of-the-box compatibility with bcmon on Android.

./airba.sh starts the script, automatically scanning and attacking targets that are not found in the database. ./crackdefault.sh attempts to break known default key algorithms.

To view the database contents, run sqlite3 .db.sqlite3 "SELECT * FROM hs" in the main directory.

Update (Linux only … for now)
Airbash can be updated by executing update.sh. This will clone the master branch into /tmp/ and overwrite the local files.

Output
_n: number of access points found
__c/m: client number and maximum number of clients found, respectively
-: access point is blacklisted
x: access point already in database
?: access point out of range (not visible to airodump anymore)

The database
The database contains a table called hs with seven columns.
id: incrementing counter of table entries
lat and lon: GPS coordinates of the handshake (if available)
bssid: MAC address of the access point
essid: network name
psk: WPA passphrase, if known
prcsd: flag set by crackdefault.sh to prevent duplicate calculation of default keys if a custom passphrase was used
Currently, the SQLite3 database is not password-protected.

Download Airbash
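As an added example (not Airbash's own code), the following Python models the bookkeeping the text describes around the hs table: reading the GPS fix the way the cat/awk pipeline does (last line of the concatenated .loc/*.txt files), the "already in database" check airba.sh makes before attacking a target, and the row selection plus prcsd flagging that crackdefault.sh performs before handing candidate keys to aircrack-ng. The column types, the "lat,lon" log line format and the ESSID patterns used to pick a module are assumptions (the page only documents that UPC targets are "UPC" followed by 7 digits); no default-key algorithm is implemented here.

```python
import glob
import os
import re
import sqlite3
import tempfile

# ESSID patterns that select a default-key module. The page only documents the UPC
# pattern (UPC followed by 7 digits); the SpeedTouch/Thomson pattern is an assumption.
MODULE_PATTERNS = {
    "upckeys": re.compile(r"^UPC\d{7}$"),
    "st": re.compile(r"^(SpeedTouch|Thomson)[0-9A-Fa-f]{6}$"),
}


def read_gps(loc_dir):
    """Mirror the cat .loc/*.txt | awk 'NR==0; END{print}' step: concatenate the logs in
    glob order and keep the last line. The 'lat,lon' line format is an assumption."""
    lines = []
    for path in sorted(glob.glob(os.path.join(loc_dir, "*.txt"))):
        with open(path) as fh:
            lines.extend(fh.read().splitlines())
    if not lines:
        return None, None
    lat, lon = lines[-1].split(",")[:2]
    return float(lat), float(lon)


def open_db(path=":memory:"):
    """Create the hs table with the seven columns the page lists (column types are assumptions)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS hs ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, lat REAL, lon REAL, "
        "bssid TEXT UNIQUE, essid TEXT, psk TEXT, prcsd INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def is_known(db, bssid):
    """airba.sh skips APs already in the database (the 'x' output marker)."""
    return db.execute("SELECT 1 FROM hs WHERE bssid = ?", (bssid.upper(),)).fetchone() is not None


def record_handshake(db, bssid, essid, loc_dir=None):
    """Store a verified handshake with the GPS fix current at capture time; returns True if new."""
    if is_known(db, bssid):
        return False
    lat, lon = read_gps(loc_dir) if loc_dir else (None, None)
    db.execute("INSERT INTO hs (lat, lon, bssid, essid) VALUES (?, ?, ?, ?)",
               (lat, lon, bssid.upper(), essid))
    db.commit()
    return True


def default_key_candidates(db):
    """The selection step of crackdefault.sh: unprocessed rows without a known PSK whose
    ESSID matches a module. Returns (id, bssid, essid, module) tuples."""
    out = []
    for row_id, bssid, essid in db.execute(
            "SELECT id, bssid, essid FROM hs WHERE prcsd = 0 AND psk IS NULL ORDER BY id"):
        for module, pattern in MODULE_PATTERNS.items():
            if pattern.match(essid):
                out.append((row_id, bssid, essid, module))
    return out


def mark_processed(db, row_id, psk=None):
    """Set prcsd so the keys are not recomputed; store the PSK if aircrack-ng recovered it."""
    db.execute("UPDATE hs SET prcsd = 1, psk = COALESCE(?, psk) WHERE id = ?", (psk, row_id))
    db.commit()


def demo():
    """Constructed run: two GPS log files, three captures (one duplicate), one crackdefault pass."""
    loc = tempfile.mkdtemp()
    with open(os.path.join(loc, "a.txt"), "w") as fh:
        fh.write("51.0000,7.0000\n51.0001,7.0001\n")
    with open(os.path.join(loc, "b.txt"), "w") as fh:
        fh.write("51.0002,7.0002\n")
    db = open_db()
    record_handshake(db, "00:11:22:33:44:55", "UPC1234567", loc)
    record_handshake(db, "66:77:88:99:aa:bb", "HomeNet", loc)
    duplicate = record_handshake(db, "00:11:22:33:44:55", "UPC1234567", loc)
    before = default_key_candidates(db)
    for row_id, _bssid, _essid, _module in before:
        mark_processed(db, row_id)  # the module ran; psk stays NULL when no default key matched
    after = default_key_candidates(db)
    gps = db.execute("SELECT lat, lon FROM hs WHERE bssid = ?", ("00:11:22:33:44:55",)).fetchone()
    count = db.execute("SELECT count(*) FROM hs").fetchone()[0]
    return {"gps": gps, "count": count, "duplicate": duplicate, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The prcsd flag is what keeps a second crackdefault.sh run from recomputing keys for the same row, so mark_processed is called whether or not the module recovered a passphrase; only rows with prcsd = 0 and no psk are ever handed to a module.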

Link: http://feedproxy.google.com/~r/PentestTools/~3/JyoSXbI3rdM/airbash-posix-compliant-fully-automated.html

Rastrea2R – Collecting & Hunting For IOCs With Gusto And Style

Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced "rastreador", hunter in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute Sysinternals tools, system commands and other 3rd party tools across multiple endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and in memory across multiple systems using YARA rules. As a command line tool, rastrea2r can be easily integrated with McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with 'gusto' and style!
Dependencies
Python 2.7.x
git
bottle
requests
yara-python

Quickstart
Clone the project to your local directory (or download the zip file of the project):
$ git clone https://github.com/rastrea2r/rastrea2r.git
$ cd rastrea2r

All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.
$ make help
help – display this makefile's help information
venv – create a virtual environment for development
clean – clean all files using .gitignore rules
scrub – clean all files, even untracked files
test – run tests
test-verbose – run tests [verbosely]
check-coverage – perform test coverage checks
check-style – perform pep8 check
fix-style – perform check with autopep8 fixes
docs – generate project documentation
check-docs – quick check docs consistency
serve-docs – serve project html documentation
dist – create a wheel distribution package
dist-test – test a wheel distribution package
dist-upload – upload a wheel distribution package

Create a virtual environment with all dependencies:
$ make venv
Upon successful creation of the virtual environment, enter it as instructed, for example:
$ source /Users/ssbhat/.venvs/rastrea2r/bin/activate

Start the rastrea2r server from the $PROJECT_HOME/src/rastrea2r/server folder:
$ cd src/rastrea2r/server/
$ python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/

Now execute the client program; depending on which platform you are trying to scan, choose the target python script appropriately. Currently Windows, Linux and Mac platforms are supported.
$ python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...

Rastrea2r RESTful remote Yara/Triage tool for Incident Responders

positional arguments:
  {yara-disk,yara-mem,triage}
                        modes of operation
    yara-disk           Yara scan for file/directory objects on disk
    yara-mem            Yara scan for running processes in memory
    triage              Collect triage information from endpoint

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit

Furthermore, the available options under each command can be viewed by executing the help option, i.e.:
$ python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule

positional arguments:
  path          File or directory path to scan
  server        rastrea2r REST server
  rule          Yara rule on REST server

optional arguments:
  -h, --help    show this help message and exit
  -s, --silent  Suppresses standard output

For example, on a Mac or Unix system you would do:
$ cd src/rastrea2r/osx/
$ python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar

Executing rastrea2r on Windows
Apart from the libraries specified in requirements.txt, we need to install the following libraries:
PSutil for win64: https://github.com/giampaolo/psutil
WMI for win32: https://pypi.python.org/pypi/WMI/
Requests: pip install requests

Compiling rastrea2r
Make sure you have all the dependencies installed for the binary you are going to build on your Windows box. Then install:
Pywin32: http://sourceforge.net/projects/pywin32/files/ (Windows only)
Pyinstaller: https://github.com/pyinstaller/pyinstaller/wiki

Currently supported functionality
yara-disk: Yara scan for file/directory objects on disk
yara-mem: Yara scan for running processes in memory
memdump: Acquires a memory dump from the endpoint (Windows only)
triage: Collects triage information from the endpoint (Windows only)

Notes
For the memdump and triage modules, SMB shares must be set up in this specific way:
Binaries (Sysinternals, batch files and others) must be located in a shared folder called TOOLS (read only): \\path-to-share-folder\tools
Output is sent to a shared folder called DATA (write only): \\path-to-share-folder\data
For yara-mem and yara-disk scans, the yara rules must be in the same directory where the server is executed from. The RESTful API server stores data received in a file called results.txt in the same directory.

Contributing to the rastrea2r project
The Developer Documentation provides complete information on how to contribute to the rastrea2r project.

Demo videos on YouTube
Video 1: Incident Response / Triage with rastrea2r on the command line – https://youtu.be/uFIZxqWeSyQ
Video 2: Remote Yara scans with rastrea2r on the command line – https://youtu.be/cnY1yEslirw
Video 3: Using rastrea2r with McAfee ePO – Client Tasks & Execution – https://youtu.be/jB17uLtu45Y

Presentations
rastrea2r at BlackHat Arsenal 2016 (check the PDF for documentation on usage and examples)
https://www.blackhat.com/us-16/arsenal.html#rastrea2r
https://github.com/aboutsecurity/Talks-and-Presentations/blob/master/Ismael_Valenzuela-Hunting_for_IOCs_rastrea2r-BH_Arsenal_2016.pdf
Recording of talk on rastrea2r at the SANS Threat Hunting Summit 2016
https://www.youtube.com/watch?v=0PvBsL6KKfA&feature=youtu.be&a

Credits & References
To Robert Gresham Jr. (@rwgresham) and Ryan O'Connor (@_remixed) for their contributions to the Triage module. Thanks folks!
To Ricardo Dias for the idea of using a REST server and his great paper on how to use Python and Yara with McAfee ePO: http://www.sans.org/reading-room/whitepapers/forensics/intelligence-driven-incident-response-yara-35542

Download Rastrea2R
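The client/server exchange behind the yara-disk mode, as an added example rather than rastrea2r's own code: a standard-library HTTP server that serves rule files from its own directory and appends whatever the client posts to results.txt (the two behaviours the Notes above describe), and a client that fetches a rule by name, scans a directory with it and reports the matches back. The route names (/rule/<name> and /results), the JSON result shape and the host label are assumptions; yara-python is used when it is installed and otherwise replaced by a substring matcher over the rule's quoted strings, which is a stand-in and not YARA semantics. The sample rule and files are constructed in a temporary directory so the whole thing runs offline.

```python
import json
import os
import re
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

try:
    import yara  # yara-python, the engine rastrea2r uses; optional for this demo
except ImportError:
    yara = None  # fallback below is a plain substring matcher, not full YARA semantics

_STRING_RE = re.compile(r'\$\w+\s*=\s*"([^"]+)"')


def rule_strings(rule_text):
    """Quoted text strings of a rule; used only by the fallback matcher."""
    return _STRING_RE.findall(rule_text)


def scan_path(path, rule_text):
    """Scan every regular file under path; return the sorted list of matching paths."""
    compiled = yara.compile(source=rule_text) if yara else None
    needles = [s.encode() for s in rule_strings(rule_text)]
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            matched = bool(compiled.match(data=data)) if compiled else any(n in data for n in needles)
            if matched:
                hits.append(full)
    return sorted(hits)


class HuntHandler(BaseHTTPRequestHandler):
    """GET /rule/<name> serves a rule from rules_dir; POST /results appends the JSON body to results.txt."""
    rules_dir = "."
    results_path = "results.txt"

    def do_GET(self):
        # basename() drops any "../" segments so a client cannot read files outside rules_dir
        name = os.path.basename(self.path[len("/rule/"):]) if self.path.startswith("/rule/") else ""
        rule_file = os.path.join(self.rules_dir, name)
        if not name or not os.path.isfile(rule_file):
            self.send_error(404)
            return
        with open(rule_file, "rb") as fh:
            body = fh.read()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path != "/results":
            self.send_error(404)
            return
        record = json.loads(self.rfile.read(int(self.headers.get("Content-Length", "0"))))
        with open(self.results_path, "a") as fh:  # one JSON line per report, like an append-only results.txt
            fh.write(json.dumps(record) + "\n")
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(rules_dir):
    """Run the collection server on an ephemeral loopback port; returns (server, base_url)."""
    HuntHandler.rules_dir = rules_dir
    HuntHandler.results_path = os.path.join(rules_dir, "results.txt")
    server = HTTPServer(("127.0.0.1", 0), HuntHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def run_hunt(base_url, rule_name, scan_dir, host="endpoint-01"):
    """Client side of the yara-disk mode: fetch the rule, scan locally, report back. Returns hits."""
    rule_text = urlopen(base_url + "/rule/" + rule_name).read().decode()
    hits = scan_path(scan_dir, rule_text)
    body = json.dumps({"host": host, "rule": rule_name, "matches": hits}).encode()
    urlopen(Request(base_url + "/results", data=body, headers={"Content-Type": "application/json"})).read()
    return hits


def demo():
    """Constructed end-to-end run: one rule, two sample files (one matching). Returns what was logged."""
    work = tempfile.mkdtemp()
    rules_dir, target = os.path.join(work, "server"), os.path.join(work, "endpoint")
    os.makedirs(rules_dir)
    os.makedirs(target)
    with open(os.path.join(rules_dir, "test.yar"), "w") as fh:
        fh.write('rule test_ioc {\n  strings:\n    $a = "evil-marker-1337"\n  condition:\n    $a\n}\n')
    with open(os.path.join(target, "dropper.bin"), "wb") as fh:
        fh.write(b"MZ\x90\x00 ... evil-marker-1337 ...")
    with open(os.path.join(target, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    server, url = start_server(rules_dir)
    try:
        hits = run_hunt(url, "test.yar", target)
    finally:
        server.shutdown()
    with open(HuntHandler.results_path) as fh:
        logged = [json.loads(line) for line in fh]
    return {"hits": [os.path.basename(h) for h in hits], "logged": logged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points worth carrying over to any real deployment of this pattern: the rule endpoint must not let a client name a path outside the rules directory (the basename() step here is that check), and the results file is append-only and unauthenticated in this demo, so anyone who can reach the port can inject "findings"; put the server behind the same access controls as the TOOLS and DATA shares.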

Link: http://feedproxy.google.com/~r/PentestTools/~3/dD0nCbbILCw/rastrea2r-collecting-hunting-for-iocs.html