Lynis 2.6.8 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in a series of simplification improvements we made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:

- AIX
- FreeBSD
- HP-UX
- Linux
- Mac OS
- NetBSD
- OpenBSD
- Solaris
- and others

It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization of the program up to the report.

Steps

1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning

Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will then collect discovered certificates so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:

- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.

- Best practices
- CIS
- NIST
- NSA
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog

Upgrade note

## Lynis 2.6.8 (2018-08-23)

### Changed

- BOOT-5104 – improved parsing of boot parameters to init process
- PHP-2372 – test all PHP files for expose_php and improved logging
- Alpine Linux detection for Docker audit
- Docker check now tests also for CMD, ENTRYPOINT, and USER configuration
- Improved display in Docker output for showing which keys are used for signing

Download Lynis 2.6.8

Link: http://feedproxy.google.com/~r/PentestTools/~3/crZYwFyGbEM/lynis-268-security-auditing-tool-for.html

ASWCrypter – A Bash & Python Script For Generating Payloads That Bypass All Antivirus

A Bash & Python script for generating payloads that bypass all antivirus so far [FUD].

PLEASE DON'T UPLOAD BACKDOOR TO WWW.VIRUSTOTAL.COM

Important

This version is just for testing. In future I will update ASWCrypter to generate payloads for Linux, Mac and Windows. ;)

Legal Disclaimer:

The author does not hold any responsibility for the bad use of this tool; remember this is only for educational purposes.

Requirements

1- Metasploit Framework
2- Python

Getting Started

git clone https://github.com/AbedAlqaderSwedan1/ASWCrypter.git
cd ASWCrypter
chmod +x setup.sh or chmod 777 setup.sh

Screenshot

Download ASWCrypter

Link: http://feedproxy.google.com/~r/PentestTools/~3/LBt2kOgRz1c/aswcrypter-bash-script-for-generating.html

Mallet – A Framework For Creating Proxies

Mallet is a tool for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic.

It is built upon the Netty framework, and relies heavily on the Netty pipeline concept, which allows the graphical assembly of graphs of handlers. In the Netty world, handler instances provide frame delimitation (i.e. where does a message start and end), protocol decoding and encoding (converting a stream of bytes into Java objects and back again, or converting a stream of bytes into a different stream of bytes – think compression and decompression), and higher level logic (actually doing something with those objects).

By following the careful separation of Codecs from Handlers that actually manipulate the messages, Mallet can benefit from the large library of existing Codecs, and avoid reimplementation of many protocols. The final piece of the puzzle is provided by a Handler that copies messages received on one pipeline to another pipeline, proxying those messages on to their final destination.

Of course, while the messages are within Mallet, they can easily be tampered with, either with custom Handlers written in Java or a JSR-223 compliant scripting language, or manually, using one of the provided editors.

You can get an idea of the available codecs by looking at the Netty source at GitHub, under the codec* directories.

Building Mallet

Mallet makes use of Maven, so compiling the code is a matter of

mvn package

To run it:

cd target/
java -jar mallet-1.0-SNAPSHOT-spring-boot.jar

There are a few sample graphs provided in the examples/ directory. The JSON graphs expect a JSON client to connect to Mallet on localhost:9998/tcp, with the real server at localhost:9999/tcp. Only the last JSON graph (json5.mxe) makes any assumptions about the structure of the JSON messages being passed, so the other graphs should be applicable to any app that sends JSON messages.

The demo.mxe shows a complex graph, with two pipelines, both TCP and UDP. The TCP pipeline is built to support HTTP and HTTPS on ports 80 and 443 respectively, as well as WebSockets, while relaying any other traffic directly to its destination. The UDP pipeline is built to process DNS requests on localhost:1053/udp, replace queries for google.com with queries for www.sensepost.com, and forward the requests on to Google DNS servers.

Download Mallet

Link: http://feedproxy.google.com/~r/PentestTools/~3/uEIqUbaTQy4/mallet-framework-for-creating-proxies.html

CMSeeK v1.0.9 – CMS Detection And Exploitation Suite (Scan WordPress, Joomla, Drupal And 100 Other CMSs)

What is a CMS?

A content management system (CMS) manages the creation and modification of digital content. It typically supports multiple users in a collaborative environment. Some notable examples are: WordPress, Joomla, Drupal etc.

Release History

- Version 1.0.9 [21-08-2018]
- Version 1.0.8 [14-08-2018]
- Version 1.0.7 [07-08-2018]
- Version 1.0.6 [23-07-2018]
- Version 1.0.5 [19-07-2018]
- Version 1.0.4 [17-07-2018]
- Version 1.0.3 [06-07-2018]
- Version 1.0.2 [06-07-2018]
- Version 1.0.1 [19-06-2018]
- Version 1.0.0 [15-06-2018]

Changelog File

Functions Of CMSeek:

- Basic CMS Detection of over 30 CMS
- Drupal version detection
- Advanced WordPress Scans
  - Detects Version
  - User Enumeration
  - Plugins Enumeration
  - Theme Enumeration
  - Detects Users (3 Detection Methods)
  - Looks for Version Vulnerabilities and much more!
- Advanced Joomla Scans
  - Version detection
  - Backup files finder
  - Admin page finder
  - Core vulnerability detection
  - Directory listing check
  - Config leak detection
  - Various other checks
- Modular bruteforce system
  - Use pre made bruteforce modules or create your own and integrate with it

Requirements and Compatibility:

CMSeeK is built using python3, so you will need python3 to run this tool, and it is compatible with unix based systems as of now. Windows support will be added later. CMSeeK relies on git for auto-update so make sure git is installed.

Installation and Usage:

It is fairly easy to use CMSeeK, just make sure you have python3 and git (just for cloning the repo) installed and use the following commands:

git clone https://github.com/Tuhinshubhra/CMSeeK
cd CMSeeK

For guided scanning:

python3 cmseek.py

Else:

python3 cmseek.py -u […]

Help menu from the program:

USAGE: python3 cmseek.py (for a guided scanning) OR python3 cmseek.py [OPTIONS] <Target Specification>

SPECIFING TARGET:
 -u URL, --url URL          Target Url
 -l LIST, -list LIST        path of the file containing list of sites for multi-site scan (comma separated)

USER AGENT:
 -r, --random-agent         Use a random user agent
 --user-agent USER_AGENT    Specify custom user agent

OUTPUT:
 -v, --verbose              Increase output verbosity

VERSION & UPDATING:
 --update                   Update CMSeeK (Requires git)
 --version                  Show CMSeeK version and exit

HELP & MISCELLANEOUS:
 -h, --help                 Show this help message and exit
 --clear-result             Delete all the scan result

EXAMPLE USAGE:
 python3 cmseek.py -u example.com                            # Scan example.com
 python3 cmseek.py -l /home/user/target.txt                  # Scan the sites specified in target.txt (comma separated)
 python3 cmseek.py -u example.com --user-agent Mozilla 5.0   # Scan example.com using custom user-Agent Mozilla is 5.0 used here
 python3 cmseek.py -u example.com --random-agent             # Scan example.com using a random user-Agent
 python3 cmseek.py -v -u example.com                         # enabling verbose output while scanning example.com

Checking For Update:

You can check for update either from the main menu or use python3 cmseek.py --update to check for update and apply auto update.
P.S: Please make sure you have git installed, CMSeeK uses git to apply auto update.

Detection Methods:

CMSeek detects CMS via the following:

- HTTP Headers
- Generator meta tag
- Page source code
- robots.txt

Supported CMSs:

CMSeeK currently can detect 40 CMSs, you can find the list in the cmss.py file which is present in the cmseekdb directory. All the cmss are stored in the following way:

cmsID = {
    'name':'Name Of CMS',
    'url':'Official URL of the CMS',
    'vd':'Version Detection (0 for no, 1 for yes)',
    'deeps':'Deep Scan (0 for no 1 for yes)'
}

Scan Result:

All of your scan results are stored in a json file named cms.json, you can find the logs inside the Result\<Target Site> directory, and as for the bruteforce results, they're stored in a txt file under the site's result directory as well.

Here is an example of the json report log:

Bruteforce Modules:

CMSeek has a modular bruteforce system, meaning you can add your custom made bruteforce modules to work with cmseek. A proper documentation for creating modules will be created shortly, but in case you already figured out how to (pretty easy once you analyze the pre-made modules) all you need to do is this:

1. Add a comment exactly like this: # <Name Of The CMS> Bruteforce module. This will help CMSeeK to know the name of the CMS using regex.
2. Add another comment: ### cmseekbruteforcemodule. This will help CMSeeK to know it is a module.
3. Copy and paste the module in the brutecms directory under CMSeeK's directory.
4. Open CMSeeK and Rebuild Cache using U as the input in the first menu.

If everything is done right you'll see something like this (refer to screenshot below) and your module will be listed in the bruteforce menu the next time you open CMSeeK.

Need More Reasons To Use CMSeeK?

If not anything, you can always enjoy exiting CMSeeK (please don't); it will bid you goodbye in a random goodbye message in various languages. Also you can try reading comments in the code, those are pretty random and weird!!!

Screenshots:

Download CMSeeK
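The four detection sources listed above (HTTP headers, generator meta tag, page source, robots.txt) can be combined into one fingerprinting pass. The following is an added example, not CMSeeK's own code: it keeps entries in the cmss.py layout (name/url/vd/deeps), adds a hypothetical 'signatures' key to drive matching, and runs on constructed sample responses rather than live sites.

```python
"""Added example (not CMSeeK's code): CMS fingerprinting from headers,
generator meta tag, page source and robots.txt, on constructed inputs."""
import re

# cmsID -> entry in the cmss.py layout. The 'signatures' key is an
# assumption added here for the example; CMSeeK keeps its checks in code.
CMS_DB = {
    "wp": {
        "name": "WordPress", "url": "https://wordpress.org", "vd": 1, "deeps": 1,
        "signatures": {
            "headers":   [r'rel="https://api\.w\.org/"'],   # REST API Link header
            "generator": [r"^WordPress\b"],
            "source":    [r"/wp-content/", r"/wp-includes/"],
            "robots":    [r"^Disallow:\s*/wp-admin/?$"],
        },
    },
    "joom": {
        "name": "Joomla", "url": "https://www.joomla.org", "vd": 1, "deeps": 1,
        "signatures": {
            "headers":   [],
            "generator": [r"^Joomla!"],
            "source":    [r"/media/jui/", r"/components/com_"],
            "robots":    [r"^Disallow:\s*/administrator/?$"],
        },
    },
}

GENERATOR_RE = re.compile(
    r'''<meta\s+[^>]*name=["']generator["'][^>]*content=["']([^"']*)["']''', re.I)


def generator_tag(html):
    """Return the content of <meta name="generator">, or '' if absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1).strip() if m else ""


def fingerprint(headers, html, robots):
    """Return (cmsID, evidence); evidence maps source -> matched patterns.
    The entry matched by the most sources wins; ties keep the first entry."""
    header_text = "\n".join(f"{k}: {v}" for k, v in headers.items())
    generator = generator_tag(html)
    best = (0, None, {})
    for cms_id, entry in CMS_DB.items():
        sig = entry["signatures"]
        evidence = {}
        for source, text, flags in (("headers", header_text, re.I | re.M),
                                    ("generator", generator, re.I),
                                    ("source", html, re.I),
                                    ("robots", robots, re.I | re.M)):
            hits = [p for p in sig[source] if re.search(p, text, flags)]
            if hits:
                evidence[source] = hits
        if len(evidence) > best[0]:
            best = (len(evidence), cms_id, evidence)
    return best[1], best[2]


# Constructed sample responses (not captured from any real site).
WP_HEADERS = {"Server": "nginx",
              "Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"'}
WP_HTML = ('<html><head><meta name="generator" content="WordPress 4.9.8">'
           '<link rel="stylesheet" href="/wp-content/themes/x/style.css">'
           '</head></html>')
WP_ROBOTS = "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n"
JOOM_HTML = ('<html><head><meta name="generator" '
             'content="Joomla! - Open Source Content Management">'
             '<script src="/media/jui/js/jquery.min.js"></script></head></html>')
JOOM_ROBOTS = "User-agent: *\nDisallow: /administrator/\n"
PLAIN_HTML = "<html><head><title>static</title></head><body>hello</body></html>"

if __name__ == "__main__":
    for label, args in (("wp-sample", (WP_HEADERS, WP_HTML, WP_ROBOTS)),
                        ("joomla-sample", ({}, JOOM_HTML, JOOM_ROBOTS)),
                        ("static-sample", ({}, PLAIN_HTML, ""))):
        cms_id, evidence = fingerprint(*args)
        name = CMS_DB[cms_id]["name"] if cms_id else "unknown"
        print(f"{label}: {name} (vd={CMS_DB[cms_id]['vd'] if cms_id else '-'}) {evidence}")
```

The same function run on your own sites' responses gives an inventory of which CMS is exposed where, which is the starting point for patch tracking.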

Link: http://feedproxy.google.com/~r/PentestTools/~3/NGGMG4yYz8A/cmseek-v109-cms-detection-and.html

Vim.Wasm – Vim Editor Ported To WebAssembly

This project is an experimental fork of the Vim editor by @rhysd to compile it into WebAssembly using emscripten and binaryen.

Try it with your browser

NOTICES

- Please access from a desktop browser (Chrome/Firefox/Safari/Edge). Safari seems the best on macOS.
- Please avoid slow networks. Your browser will fetch a total of around 1MB of files.
- vim.wasm takes key inputs from the DOM keydown event. Please disable your browser extensions which affect key inputs (incognito mode would be the best).
- This project is in a very early phase of experiment. Currently only tiny features are supported. More features will be implemented (please see the TODO section). And you may notice soon on trying it… it's buggy :)
- If inputting something does not change anything, please try to click somewhere in the page. Vim may have lost the focus.
- You can try vimtutor by :e tutor.

The goal of this project is running the Vim editor in a browser by compiling Vim C sources into WebAssembly.

How It Works

Build Process

The WebAssembly frontend for Vim is implemented as a new GUI frontend. C sources are compiled to individual LLVM bitcode files and then they are linked into one bitcode file vim.bc by emcc. emcc finally compiles the vim.bc into the vim.wasm binary using binaryen and generates the HTML/JavaScript runtime.

The difference I faced at first was the lack of a terminal library such as ncurses. I modified the configure script to ignore the terminal library check. It's OK since the GUI frontend for Wasm is always used instead of the CUI frontend. I needed many workarounds to pass configure checks.

emscripten provides a Unix-like environment, so os_unix.c can support Wasm. However, some features are not supported by emscripten. I added many #ifdef FEAT_GUI_WASM guards to disable features which cannot be supported by Wasm (i.e. fork(2) support, PTY support, signal handlers are stubbed, …etc).

I created gui_wasm.c heavily referencing gui_mac.c and gui_w32.c. The event loop (gui_mch_update() and gui_mch_wait_for_chars()) is simply implemented with sleep(). And almost all UI rendering events are passed to the JavaScript layer by calling JavaScript functions from C thanks to emscripten.

C sources are compiled (with many optimizations) into LLVM bitcode with Clang, which is integrated into emscripten. Then all bitcode files (.o) are linked into one bitcode file vim.bc with the llvm-link linker (also integrated into emscripten).

Finally I created a JavaScript runtime to draw the rendering events sent from C. It is created as wasm/runtime.ts using the emscripten API. It draws the Vim screen to a <canvas/> element with rendering events such as 'draw text', 'scroll screen', 'set foreground color', 'clear rect', …etc.

emcc (emscripten's C compiler) compiles the vim.bc into vim.wasm, vim.js and vim.html with preloaded Vim runtime files (i.e. colorscheme) using binaryen. Runtime files are put on a virtual file system provided by emscripten in the browser.

Now hosting vim.html with a web server and accessing it with a browser opens Vim. It works.

User Interaction

User interaction is very simple. You input something with the keyboard. The browser takes it as a KeyboardEvent on the keydown event and the JavaScript runtime sends the input to Wasm thanks to emscripten's JS to C API. The sent input is added to a buffer in the C layer. It affects the editor's state.

An editor core implemented in C calculates rendering events and sends them to the JavaScript layer thanks to emscripten's C to JS API. The JavaScript runtime receives rendering events and stores them in a queue. On animation frames, it draws them to the <canvas/> element in the web page. Finally you can see the rendered results in the page.

Download Vim.Wasm

Link: http://feedproxy.google.com/~r/PentestTools/~3/1vJYKge35tI/vimwasm-vim-editor-ported-to-webassembly.html

Kali Linux 2018.3 Release – Penetration Testing and Ethical Hacking Linux Distribution

Kali 2018.3 brings the kernel up to version 4.17.0 and while 4.17.0 did not introduce many changes, 4.16.0 had a huge number of additions and improvements including more Spectre and Meltdown fixes, improved power management, and better GPU support.

New Tools and Tool Upgrades

Since our last release, we have added a number of new tools to the repositories, including:

- idb – An iOS research / penetration testing tool
- gdb-peda – Python Exploit Development Assistance for GDB
- datasploit – OSINT Framework to perform various recon techniques
- kerberoast – Kerberos assessment tools

In addition to these new packages, we have also upgraded a number of tools in our repos including aircrack-ng, burpsuite, openvas, wifite, and wpscan.

For the complete list of updates, fixes, and additions, please refer to the Kali Bug Tracker Changelog.

Download Kali Linux 2018.3

If you would like to check out this latest and greatest Kali release, you can find download links for ISOs and Torrents on the Kali Downloads page along with links to the Offensive Security virtual machine and ARM images, which have also been updated to 2018.3. If you already have a Kali installation you're happy with, you can easily upgrade in place as follows:

apt update && apt -y full-upgrade

If you come across any bugs in Kali, please open a report on our bug tracker. It's more than a little challenging to fix what we don't know about.

Making sure you are up-to-date

To double check your version, first make sure your network repositories are enabled:

cat

Link: http://feedproxy.google.com/~r/PentestTools/~3/dF6YCwcpz4s/kali-linux-20183-release-penetration.html

EasySSH – The SSH Connection Manager To Make Your Life Easier

A complete, efficient and easy-to-use manager. Create and edit connections, groups, customize the terminal, with multiple instances of the same connection.

Developing and Building

If you want to hack on and build EasySSH yourself, you'll need the following dependencies:

- libgee-0.8-dev
- libgtk-3-dev
- libgranite-dev
- libvte-2.91-dev
- libjson-glib-dev
- libunity-dev
- meson
- valac

Run meson build to configure the build environment and run ninja test to build and run automated tests:

meson build --prefix=/usr
cd build
ninja test

To install, use ninja install, then execute with com.github.muriloventuroso.easyssh:

sudo ninja install
com.github.muriloventuroso.easyssh

Install with Flatpak

Install:

flatpak install flathub com.github.muriloventuroso.easyssh

Run:

flatpak run com.github.muriloventuroso.easyssh

Download EasySSH

Link: http://feedproxy.google.com/~r/PentestTools/~3/RzjbGzjnlqo/easyssh-ssh-connection-manager-to-make.html

PMapper – A Tool For Quickly Evaluating IAM Permissions In AWS

A project to speed up the process of reviewing an AWS account's IAM configuration.

Purpose

The goal of the AWS IAM auth system is to apply and enforce access controls on actions and resources in AWS. This tool helps identify if the policies in place will accomplish the intents of the account's owners.

AWS already has tooling in place to check if policies attached to a resource will permit an action. This tool builds on that functionality to identify other potential paths for a user to get access to a resource. This means checking for access to other users, roles, and services as ways to pivot.

How to Use

1. Download this repository and install its dependencies with pip install -r requirements.txt.
2. Ensure you have graphviz installed on your host.
3. Set up an IAM user in your AWS account with a policy that grants the necessary permission to run this tool (see the file mapper-policy.json for an example). The ReadOnlyAccess managed policy works for this purpose. Grab the access keys created for this user.
4. In the AWS CLI, set up a profile for that IAM user with the command: aws configure --profile <profile_name>, where <profile_name> is a unique name.
5. Run the command python pmapper.py --profile <profile_name> graph to begin pulling data about your account down to your computer.

Graphing

Principal Mapper has a graph subcommand, which does the heavy work of going through each principal in an account and finding any other principals it can access. The results are stored at ~/.principalmap and used by other subcommands.

Querying

Principal Mapper has a query subcommand that runs a user-defined query. The queries can check if one or more principals can do a given action with a given resource. The supported queries are:

- "can <Principal> do <Action> [with <Resource>]"
- "who can do <Action> [with <Resource>]"
- "preset <preset_query_name> <preset_query_args>"

The first form checks if a principal, or any other principal accessible to it, could perform an action with a resource (default wildcard). The second form enumerates all principals that are able to perform an action with a resource.

Note the quotes around the full query; that's so the argument parser knows to take the whole string.

Note that <Principal> can either be the full ARN of a principal or the last part of that ARN (user/… or role/…).

Presets

The existing preset is priv_esc or change_perms, which have the same function. They describe which principals have the ability to change their own permissions. If a principal is able to change their own perms, then it effectively has unlimited perms.

Visualizing

The visualize subcommand produces a DOT and SVG file that represent the nodes and edges that were graphed.

To create the DOT and SVG files, run the command: python pmapper.py visualize

Currently the output is a directed graph, which collates all the edges with the same source and destination nodes. It does not draw edges where the source is an admin. Nodes for admins are colored blue. Nodes for users with the ability to access admins are colored red (potential priv-esc risk).

Sample Output

Pulling a graph:

~/Documents/projects/Skywalker$ python pmapper.py graph
Using profile: skywalker
Pulling data for account [REDACTED]
Using principal with ARN arn:aws:iam::[REDACTED]:user/TestingSkywalker
[+] Starting EC2 checks.
[+] Starting IAM checks.
[+] Starting Lambda checks.
[+] Starting CloudFormation checks.
[+] Completed CloudFormation checks.
[+] Completed EC2 checks.
[+] Completed Lambda checks.
[+] Completed IAM checks.
Created an AWS Graph with 16 nodes and 53 edges
[NODES]
AWSNode("arn:aws:iam::[REDACTED]:user/AdminUser", properties={u'is_admin': True, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/EC2Manager", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaDeveloper", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaFullAccess", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/PowerUser", properties={u'is_admin': False, u'rootstr': u'arn:aws:iam::[REDACTED]:root', u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ManagementUser", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ReadOnly", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/TestingSkywalker", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:role/AssumableRole", properties={u'is_admin': False, u'type': u'role', u'name': u'AssumableRole'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2-Fleet-Manager", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2-Fleet-Manager'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2Role-Admin", properties={u'is_admin': True, u'type': u'role', u'name': u'EC2Role-Admin'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2WithS3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2WithS3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/EMR-Service-Role", properties={u'is_admin': False, u'type': u'role', u'name': u'EMR-Service-Role'})
AWSNode("arn:aws:iam::[REDACTED]:role/LambdaRole-S3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'LambdaRole-S3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/ReadOnlyWithLambda", properties={u'is_admin': False, u'type': u'role', u'name': u'ReadOnlyWithLambda'})
AWSNode("arn:aws:iam::[REDACTED]:role/UpdateCredentials", properties={u'is_admin': False, u'type': u'role', u'name': u'UpdateCredentials'})
[EDGES]
(0,1,'ADMIN','can use existing administrative privileges to access')
(0,2,'ADMIN','can use existing administrative privileges to access')
(0,3,'ADMIN','can use existing administrative privileges to access')
(0,4,'ADMIN','can use existing administrative privileges to access')
(0,5,'ADMIN','can use existing administrative privileges to access')
(0,6,'ADMIN','can use existing administrative privileges to access')
(0,7,'ADMIN','can use existing administrative privileges to access')
(0,8,'ADMIN','can use existing administrative privileges to access')
(0,9,'ADMIN','can use existing administrative privileges to access')
(0,10,'ADMIN','can use existing administrative privileges to access')
(0,11,'ADMIN','can use existing administrative privileges to access')
(0,12,'ADMIN','can use existing administrative privileges to access')
(0,13,'ADMIN','can use existing administrative privileges to access')
(0,14,'ADMIN','can use existing administrative privileges to access')
(0,15,'ADMIN','can use existing administrative privileges to access')
(10,0,'ADMIN','can use existing administrative privileges to access')
(10,1,'ADMIN','can use existing administrative privileges to access')
(10,2,'ADMIN','can use existing administrative privileges to access')
(10,3,'ADMIN','can use existing administrative privileges to access')
(10,4,'ADMIN','can use existing administrative privileges to access')
(10,5,'ADMIN','can use existing administrative privileges to access')
(10,6,'ADMIN','can use existing administrative privileges to access')
(10,7,'ADMIN','can use existing administrative privileges to access')
(10,8,'ADMIN','can use existing administrative privileges to access')
(10,9,'ADMIN','can use existing administrative privileges to access')
(10,11,'ADMIN','can use existing administrative privileges to access')
(10,12,'ADMIN','can use existing administrative privileges to access')
(10,13,'ADMIN','can use existing administrative privileges to access')
(10,14,'ADMIN','can use existing administrative privileges to access')
(10,15,'ADMIN','can use existing administrative privileges to access')
(1,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(3,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,8,'STS_ASSUMEROLE','can use STS to assume the role')
(4,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(4,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(15,0,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,1,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,2,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,3,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,4,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,5,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,6,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,7,'IAM_CREATEKEY','can create access keys with IAM to access')

Querying with the graph:

~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "who can do s3:GetObject with *"
user/AdminUser can do s3:GetObject with *
user/EC2Manager can do s3:GetObject with * through role/EC2Role-Admin
   user/EC2Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
   role/EC2Role-Admin can do s3:GetObject with *
user/LambdaFullAccess can do s3:GetObject with *
user/PowerUser can do s3:GetObject with *
user/S3ManagementUser can do s3:GetObject with *
user/S3ReadOnly can do s3:GetObject with *
user/TestingSkywalker can do s3:GetObject with *
role/EC2-Fleet-Manager can do s3:GetObject with * through role/EC2Role-Admin
   role/EC2-Fleet-Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
   role/EC2Role-Admin can do s3:GetObject with *
role/EC2Role-Admin can do s3:GetObject with *
role/EC2WithS3ReadOnly can do s3:GetObject with *
role/EMR-Service-Role can do s3:GetObject with *
role/LambdaRole-S3ReadOnly can do s3:GetObject with *
role/UpdateCredentials can do s3:GetObject with * through user/AdminUser
   role/UpdateCredentials can create access keys with IAM to access user/AdminUser
   user/AdminUser can do s3:GetObject with *

Identifying Potential Privilege Escalation:

~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "preset priv_esc user/PowerUser"
Discovered a potential path to change privileges:
user/PowerUser can change privileges because:
   user/PowerUser can access role/EC2Role-Admin because:
      user/PowerUser can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
   and role/EC2Role-Admin can change its own privileges.

Planned TODOs

- Complete and verify Python 3 support.
- Smarter control over rate of API requests (Queue, managing throttles).
- Better progress reporting.
- Validate and add more checks for obtaining credentials. Several services use service roles that grant the service permission to do an action within a user's account. This could potentially allow a user to obtain access to additional privileges.
- Improving simulate calls (global conditions).
- Completing priv esc checks (editing attached policies, attaching to a group).
- Adding options for visualization (output type, edge collation).
- Adding more caching.
- Local policy evaluation?
- Cross-account subcommand(s).
- A preset to check if one principal is connected to another.
- Handling policies for buckets or keys with services like S3 or KMS when querying.

Download PMapper
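Both the "who can do <Action>" query and the priv_esc preset are reachability searches over the principal graph: a principal can do an action if it holds the permission directly or can walk a chain of edges to a principal that does. The following is an added example, not PMapper's own code: it builds a constructed graph in the edge vocabulary of the sample output above and runs both searches; the DIRECT_ALLOW table is an assumption standing in for the policy simulation PMapper obtains from AWS.

```python
"""Added example (not PMapper's code): the graph search behind
"who can do <Action>" and the priv_esc preset, on a constructed graph."""
from collections import deque

# Edge reasons, in the wording PMapper prints.
ADMIN_REASON = "can use existing administrative privileges to access"
EC2_REASON = "can create an EC2 instance and use an existing instance profile to access"
IAM_REASON = "can create access keys with IAM to access"

# Constructed principals (a sample account, not real data).
NODES = ["user/AdminUser", "user/EC2Manager", "user/PowerUser", "user/S3ReadOnly",
         "role/EC2Role-Admin", "role/EC2WithS3ReadOnly", "role/UpdateCredentials"]
IS_ADMIN = {"user/AdminUser", "role/EC2Role-Admin"}

# Constructed edges (src, dst, reason) as the per-service checks would find them.
EDGES = [
    ("user/EC2Manager", "role/EC2Role-Admin", EC2_REASON),
    ("user/PowerUser", "role/EC2Role-Admin", EC2_REASON),
    ("user/PowerUser", "role/EC2WithS3ReadOnly", EC2_REASON),
    ("role/UpdateCredentials", "user/AdminUser", IAM_REASON),
]

# Assumption: PMapper asks AWS to simulate each principal's policies; this
# constructed allow-table stands in for that simulation.
DIRECT_ALLOW = {
    "user/S3ReadOnly": {"s3:GetObject"},
    "role/EC2WithS3ReadOnly": {"s3:GetObject"},
}


def can_directly(principal, action):
    """Direct permission: admins can do anything, others per DIRECT_ALLOW."""
    return principal in IS_ADMIN or action in DIRECT_ALLOW.get(principal, set())


def adjacency():
    """Adjacency list; every admin gets an implicit ADMIN edge to each node."""
    adj = {n: [] for n in NODES}
    for src, dst, reason in EDGES:
        adj[src].append((dst, reason))
    for admin in IS_ADMIN:
        adj[admin].extend((n, ADMIN_REASON) for n in NODES if n != admin)
    return adj


def find_path(start, goal, adj):
    """BFS from start to the first node satisfying goal(node).
    Returns [(src, reason, dst), ...] ([] if start itself qualifies), else None."""
    if goal(start):
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt, reason in adj[cur]:
            if nxt in parent:
                continue
            parent[nxt] = (cur, reason)
            if goal(nxt):
                path, node = [], nxt
                while parent[node] is not None:
                    prev, why = parent[node]
                    path.append((prev, why, node))
                    node = prev
                return path[::-1]
            queue.append(nxt)
    return None


def who_can_do(action):
    """'who can do <action> with *': every principal with a direct grant or
    a chain of edges to one. Maps principal -> path."""
    adj = adjacency()
    found = {}
    for principal in NODES:
        path = find_path(principal, lambda p: can_directly(p, action), adj)
        if path is not None:
            found[principal] = path
    return found


def priv_esc(principal):
    """'preset priv_esc <principal>': path from a non-admin to a principal
    that can change its own privileges (the admins here), or None."""
    if principal in IS_ADMIN:
        return None
    return find_path(principal, lambda p: p in IS_ADMIN, adjacency())


def explain(principal, action, path):
    """Render a who_can_do result in the layout of PMapper's query output."""
    if not path:
        return f"{principal} can do {action} with *"
    last = path[-1][2]
    lines = [f"{principal} can do {action} with * through {last}"]
    lines += [f"   {src} {why} {dst}" for src, why, dst in path]
    lines.append(f"   {last} can do {action} with *")
    return "\n".join(lines)


if __name__ == "__main__":
    for principal, path in who_can_do("s3:GetObject").items():
        print(explain(principal, "s3:GetObject", path))
    for principal in NODES:
        path = priv_esc(principal)
        if path:
            print(f"{principal} can change privileges via {path[-1][2]}")
```

Any non-admin for which priv_esc returns a path is the red node of the visualize output: the remediation is to remove the edge (here iam:PassRole into an admin instance profile, or CreateAccessKey on an admin user) rather than the principal's direct grants.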

Link: http://feedproxy.google.com/~r/PentestTools/~3/Ifx-LagyHdo/pmapper-tool-for-quickly-evaluating-iam.html

GitMiner v2.0 – Tool For Advanced Mining For Content On Github

Advanced search tool and automation in Github. This tool aims to facilitate research by code or code snippets on github through the site's search page.

MOTIVATION
Demonstrates the fragility of trust in public repositories to store code with sensitive information.

REQUIREMENTS
lxml
requests
argparse
json
re

INSTALL
git clone http://github.com/UnkL4b/GitMiner
sudo apt-get install python-requests python-lxml
OR
pip install -r requirements.txt

Docker
git clone http://github.com/UnkL4b/GitMiner
cd GitMiner
docker build -t gitminer .
docker run -it gitminer -h

HELP
(GitMiner v2.0 ASCII banner: "Automatic search for Github", github.com/UnkL4b, unkl4b.github.io)
[WARNING] DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM

[-h] [-q 'filename:shadow path:etc'] [-m wordpress] [-o result.txt] [-r '/^\s*.*?;?\s*$/gm'] [-c '<github session cookie>']

optional arguments:
  -h, --help            show this help message and exit
  -q 'filename:shadow path:etc', --query 'filename:shadow path:etc'
                        Specify search term
  -m wordpress, --module wordpress
                        Specify the search module
  -o result.txt, --output result.txt
                        Specify the output file where it will be saved
  -r '/^\s*(.*?);?\s*$/gm', --regex '/^\s*(.*?);?\s*$/gm'
                        Set regex to search in file
  -c '<github session cookie>', --cookie '<github session cookie>'
                        Specify the cookie for your github

EXAMPLE
Searching for wordpress configuration files with passwords:
$:> python gitminer-v2.0.py -q 'filename:wp-config extension:php FTP_HOST in:file ' -m wordpress -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4 -o result.txt

Looking for Brazilian government files containing passwords:
$:> python gitminer-v2.0.py --query 'extension:php "root" in:file AND "gov.br" in:file' -m senhas -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4

Looking for shadow files in the etc path:
$:> python gitminer-v2.0.py --query 'filename:shadow path:etc' -m root -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4

Searching for joomla configuration files with passwords:
$:> python gitminer-v2.0.py --query 'filename:configuration extension:php "public password" in:file' -m joomla -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4

Hacking SSH Servers

Dork to search
by @techgaun (https://github.com/techgaun/github-dorks)

Dork | Description
filename:.npmrc _auth | npm registry authentication data
filename:.dockercfg auth | docker registry authentication data
extension:pem private | private keys
extension:ppk private | puttygen private keys
filename:id_rsa or filename:id_dsa | private ssh keys
extension:sql mysql dump | mysql dump
extension:sql mysql dump password | mysql dump look for password; you can try varieties
filename:credentials aws_access_key_id | might return false negatives with dummy values
filename:.s3cfg | might return false negatives with dummy values
filename:wp-config.php | wordpress config files
filename:.htpasswd | htpasswd files
filename:.env DB_USERNAME NOT homestead | laravel .env (CI, various ruby based frameworks too)
filename:.env MAIL_HOST=smtp.gmail.com | gmail smtp configuration (try different smtp services too)
filename:.git-credentials | git credentials store, add NOT username for more valid results
PT_TOKEN language:bash | pivotaltracker tokens
filename:.bashrc password | search for passwords, etc. in .bashrc (try with .bash_profile too)
filename:.bashrc mailchimp | variation of above (try more variations)
filename:.bash_profile aws | aws access and secret keys
rds.amazonaws.com password | Amazon RDS possible credentials
extension:json api.forecast.io | try variations, find api keys/secrets
extension:json mongolab.com | mongolab credentials in json configs
extension:yaml mongolab.com | mongolab credentials in yaml configs (try with yml)
jsforce extension:js conn.login | possible salesforce credentials in nodejs projects
SF_USERNAME salesforce | possible salesforce credentials
filename:.tugboat NOT _tugboat | Digital Ocean tugboat config
HEROKU_API_KEY language:shell | Heroku api keys
HEROKU_API_KEY language:json | Heroku api keys in json files
filename:.netrc password | netrc that possibly holds sensitive credentials
filename:_netrc password | netrc that possibly holds sensitive credentials
filename:hub oauth_token | hub config that stores github tokens
filename:robomongo.json | mongodb credentials file used by robomongo
filename:filezilla.xml Pass | filezilla config file with possible user/pass to ftp
filename:recentservers.xml Pass | filezilla config file with possible user/pass to ftp
filename:config.json auths | docker registry authentication data
filename:idea14.key | IntelliJ Idea 14 key, try variations for other versions
filename:config irc_pass | possible IRC config
filename:connections.xml | possible db connections configuration, try variations to be specific
filename:express.conf path:.openshift | openshift config, only email and server though
filename:.pgpass | PostgreSQL file which can contain passwords
filename:proftpdpasswd | Usernames and passwords of proftpd created by cpanel
filename:ventrilo_srv.ini | Ventrilo configuration
[WFClient] Password= extension:ica | WinFrame-Client infos needed by users to connect to Citrix Application Servers
filename:server.cfg rcon password | Counter Strike RCON Passwords
JEKYLL_GITHUB_TOKEN | Github tokens used for jekyll
filename:.bash_history | Bash history file
filename:.cshrc | RC file for csh shell
filename:.history | history file (often used by many tools)
filename:.sh_history | korn shell history
filename:sshd_config | OpenSSH server config
filename:dhcpd.conf | DHCP service config
filename:prod.exs NOT prod.secret.exs | Phoenix prod configuration file
filename:prod.secret.exs | Phoenix prod secret
filename:configuration.php JConfig password | Joomla configuration file
filename:config.php dbpasswd | PHP application database password (e.g., phpBB forum software)
path:sites databases password | Drupal website database credentials
shodan_api_key language:python | Shodan API keys (try other languages too)
filename:shadow path:etc | Contains encrypted passwords and account information of new unix systems
filename:passwd path:etc | Contains user account information including encrypted passwords of traditional unix systems
extension:avastlic | Contains license keys for Avast! Antivirus
extension:dbeaver-data-sources.xml | DBeaver config containing MySQL Credentials
filename:.esmtprc password | esmtp configuration
extension:json googleusercontent client_secret | OAuth credentials for accessing Google APIs
HOMEBREW_GITHUB_API_TOKEN language:shell | Github token usually set by homebrew users
xoxp OR xoxb | Slack bot and private tokens
.mlab.com password | MLAB Hosted MongoDB Credentials
filename:logins.json | Firefox saved password collection (key3.db usually in same repo)
filename:CCCam.cfg | CCCam Server config file
msg nickserv identify filename:config | Possible IRC login passwords
filename:settings.py SECRET_KEY | Django secret keys (usually allows for session hijacking, RCE, etc)

Download GitMiner
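The dork table is just as useful turned inward: the same filename-plus-token patterns can be checked against a local checkout before it is pushed, so a repository is screened for these files before a search engine ever sees them. The following pre-push check is an added example, not GitMiner's own code; the rule names, the regexes and the constructed sample tree (dummy values only) are this example's assumptions.

```python
import re
import tempfile
from pathlib import Path

# (rule name, filename regex, content regex or None), derived from the dork table
# above; a content regex mirrors dorks like `filename:.npmrc _auth` that need a token in the body.
RULES = [
    ("npm registry auth", r"^\.npmrc$", r"_auth"),
    ("private key", r"^id_(rsa|dsa)$|\.(pem|ppk)$", r"PRIVATE KEY|PuTTY-User-Key"),
    ("aws credentials", r"^credentials$|^\.s3cfg$", r"aws_access_key_id|access_key"),
    ("wordpress config", r"^wp-config\.php$", r"DB_PASSWORD"),
    ("dotenv secrets", r"^\.env$", r"DB_USERNAME|MAIL_HOST"),
    ("git credential store", r"^\.git-credentials$", None),
    ("django secret key", r"^settings\.py$", r"SECRET_KEY"),
]

def scan_tree(root):
    """Sorted (relative path, rule name) pairs for matching files; .git/ is skipped."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        for name, fname_re, content_re in RULES:
            if not re.search(fname_re, path.name):
                continue
            if content_re and not re.search(content_re, path.read_text(errors="replace"), re.I):
                continue  # filename matched but the dork's token is absent
            findings.append((path.relative_to(root).as_posix(), name))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed checkout holding dummy values only (demo input)."""
    files = {
        ".npmrc": "registry=https://registry.example/\n_auth=ZHVtbXk6ZHVtbXk=\n",
        "wp-config.php": "<?php define('DB_PASSWORD', 'dummy-pass');\n",
        "app/settings.py": "SECRET_KEY = 'dummy-django-key'\n",
        ".env": "APP_NAME=demo\nAPP_ENV=local\n",  # no credential keys: not flagged
        ".git/config": "[core]\n",                  # repo metadata: skipped
        "README.md": "# demo\n",
    }
    for rel, body in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(body)

def demo():
    """Scan the constructed tree in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Calling demo() reports the .npmrc, wp-config.php and settings.py files while leaving the credential-free .env alone; point scan_tree() at a real checkout to use it as a pre-push hook.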

Link: http://feedproxy.google.com/~r/PentestTools/~3/VtATqnX-O4U/gitminer-v20-tool-for-advanced-mining.html