CT-Exposer – An OSINT Tool That Discovers Sub-Domains By Searching Certificate Transparency Logs

Discover sub-domains by searching through Certificate Transparency logs.What is CT?Certificate Transparency (CT) is an experimental IETF standard. The goal of it was to allow the public to audit which certificates were created by Certificate Authorities (CA). TLS has a weakness that comes from the large list of CAs that your browser implicitly trusts. If any of those CAs were to maliciously create a new certificate for a domain, your browser would trust it. CT adds benefits to TLS certificate trust: Companies can monitor who is creating certificates for the domains they own. It also allows browsers to verify that the certificate for a given domain is in the public log record.These logs end up being a gold mine of information for penetration testers and red teams.What can you find with ct-exposer?ct-exposer will query the CT logs for a given domain, and then try to do DNS lookups for the domains to see which ones exist in DNS. In my experience, so far, I’ve found numerous sub-domains that were not located with ‘site:domain.com’ google searches. Keep in mind that the domains that do not resolve, they can either be old domains, or internal only domains (Ex: you need access to the internal DNS server to resolve them).RequirementsPython3, gevent, requests, and urllib3. pip3 install -r requirements.txtUsageusage: ct-exposer.py [-h] -d DOMAIN [-u] [-m]optional arguments: -h, –help show this help message and exit -d DOMAIN, –domain DOMAIN domain to query for CT logs, ex: domain.com -u, –urls ouput results with https:// urls for domains that resolve, one per line. -m, –masscan output resolved IP address, one per line. Useful for masscan IP list import “-iL" format.Example outputpython3 ct-exposer.py -d teslamotors.com[+]: Downloading domain list…[+]: Download of domain list complete.[+]: Parsed 76 domain(s) from list.[+]: Domains found:205.234.27.243 adfs.teslamotors.com104.92.115.166 akamaisecure.qualtrics.com211.147.80.202 cn.auth.teslamotors.com211.147.88.104 cnvpn.teslamotors.com209.10.208.24 energystorage.teslamotors.com209.11.133.110 epc.teslamotors.com149.14.82.93 euvpn.teslamotors.com209.11.133.50 extconfl.teslamotors.com209.11.133.35 extissues.teslamotors.com209.10.208.31 fleetview.teslamotors.com64.125.183.134 leaseapp.teslamotors.com64.125.183.134 leaseappde.teslamotors.com209.11.133.11 lync.teslamotors.com211.147.80.201 mycn-origin.teslamotors.com205.234.27.211 origin-www45.teslamotors.com205.234.31.120 owner-api.teslamotors.com12.201.132.70 plcvpn.teslamotors.com205.234.27.246 quickbase.teslamotors.com104.86.205.249 resources.teslamotors.com209.10.208.55 sdlcvpn.teslamotors.com209.11.133.37 service.teslamotors.com205.234.27.226 sftp.teslamotors.com23.227.38.64 shop.eu.teslamotors.com209.133.79.61 shop.teslamotors.com23.227.38.64 shop.uk.teslamotors.com205.234.27.197 smswsproxy.teslamotors.com209.11.133.36 supercharger.teslamotors.com209.133.79.59 suppliers.teslamotors.com209.133.79.61 tesla.com209.11.133.106 teslamotors.com205.234.27.200 teslaplm-external.teslamotors.com209.11.133.107 toolbox.teslamotors.com209.10.208.20 trt.teslamotors.com205.234.27.250 upload.teslamotors.com209.10.208.27 us.auth.teslamotors.com205.234.27.218 vpn.teslamotors.com211.147.80.205 wechat.teslamotors.com205.234.27.212 wsproxy.teslamotors.com209.133.79.54 www-origin.teslamotors.com104.86.216.34 www.teslamotors.com209.11.133.61 xmail.teslamotors.com211.147.80.203 xmailcn.teslamotors.com[+]: Domains with no DNS record:none cdn02.c3edge.netnone creditauction.teslamotors.comnone evprd.teslamotors.comnone imail.teslamotors.comnone jupytersvn.teslamotors.comnone leadgen.teslamotors.comnone lockit.teslamotors.comnone lockpay.teslamotors.comnone neovi-vpn.teslamotors.comnone origin-wte.teslamotors.comnone referral.teslamotors.comnone resources.tesla.comnone securemail.teslamotors.comnone shop.ca.teslamotors.comnone shop.no.teslamotors.comnone sip.teslamotors.comnone sjc04p2staap04.teslamotors.comnone sling.teslamotors.comnone tesla3dx.teslamotors.comnone testimail.teslamotors.comnone toolbox-energy.teslamotors.comnone vpn-node0.teslamotors.comnone wd.s3.teslamotors.comnone www-uat2.teslamotors.comnone www45.teslamotors.comDownload Ct-Exposer

Link: http://feedproxy.google.com/~r/PentestTools/~3/2rWNTpCGHRY/ct-exposer-osint-tool-that-discovers.html

BetterCap v2.10 – The Swiss Army Knife For 802.11, BLE And Ethernet Networks Reconnaissance And MITM Attacks

bettercap is the Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and attacks.How to InstallA precompiled version is available for each release, alternatively you can use the latest version of the source code from this repository in order to build your own binary.Make sure you have a correctly configured Go >= 1.8 environment, that $GOPATH/bin is in $PATH, that the libpcap-dev and libnetfilter-queue-dev (this one is only required on Linux) package installed for your system and then:$ go get github.com/bettercap/bettercap$ cd $GOPATH/src/github.com/bettercap/bettercap$ make build && sudo make installThis command will download bettercap, install its dependencies, compile it and move the bettercap executable to /usr/local/bin.Now you can use sudo bettercap -h to show the basic command line options and just sudo bettercap to start an interactive session on your default network interface, otherwise you can load a caplet.Once bettercap is installed, you can download/update system caplet with the command:sudo bettercap -eval “caplets.update; q"UpdateIn order to update to an unstable but bleeding edge release from this repository, run the commands below:$ go get -u github.com/bettercap/bettercap$ cd $GOPATH/src/github.com/bettercap/bettercap$ make build && sudo make installDocumentation and ExamplesThe project is documented in this wiki.Download Bettercap

Link: http://www.kitploit.com/2018/10/bettercap-v210-swiss-army-knife-for.html

WPScan v3.3.1 – Black Box WordPress Vulnerability Scanner

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.INSTALLPrerequisites:Ruby >= 2.2.2 – Recommended: 2.3.3Curl >= 7.21 – Recommended: latest – FYI the 7.29 has a segfaultRubyGems – Recommended: latestFrom RubyGems:gem install wpscanFrom sources:Prerequisites: Gitgit clone https://github.com/wpscanteam/wpscancd wpscan/bundle install && rake installDockerPull the repo with docker pull wpscanteam/wpscanUsagewpscan –url blog.tld This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then wpscan –stealthy –url blog.tld can be used. As a result, when using the –enumerate option, don’t forget to set the –plugins-detection accordingly, as its default is ‘passive’.For more options, open a terminal and type wpscan –help (if you built wpscan from the source, you should type the command outside of the git repo)The DB is located at ~/.wpscan/dbWPScan can load all options (including the –url) from configuration files, the following locations are checked (order: first to last):~/.wpscan/cli_options.json~/.wpscan/cli_options.ymlpwd/.wpscan/cli_options.jsonpwd/.wpscan/cli_options.ymlIf those files exist, options from them will be loaded and overridden if found twice.e.g:~/.wpscan/cli_options.yml:proxy: ‘http://127.0.0.1:8080’verbose: truepwd/.wpscan/cli_options.yml:proxy: ‘socks5://127.0.0.1:9090’url: ‘http://target.tld’Running wpscan in the current directory (pwd), is the same as wpscan -v –proxy socks5://127.0.0.1:9090 –url http://target.tldPROJECT HOMEhttps://wpscan.orgVULNERABILITY DATABASEhttps://wpvulndb.comDownload Wpscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/TmfmR2gTAB0/wpscan-v331-black-box-wordpress.html

Munin – Online Hash Checker For Virustotal And Other Services

Munin is a online hash checker utility that retrieves valuable information from various online sourcesThe current version of Munin queries the following services:VirustotalMalshareHybridAnalysisNote: Munin is based on the script “VT-Checker", which has been maintained in the LOKI repository.Usageusage: munin.py [-h] [-f path] [-c cache-db] [-i ini-file] [-s sample-folder] [–comment] [-p vt-comment-prefix] [–download] [-d download_path] [–nocache] [–intense] [–retroverify] [-r num-results] [–nocsv] [–verifycert] [–sort] [–debug]Online Hash Checkeroptional arguments: -h, –help show this help message and exit -f path File to process (hash line by line OR csv with hash in each line – auto-detects position and comment) -c cache-db Name of the cache database file (default: vt-hash- db.pkl) -i ini-file Name of the ini file that holds the API keys -s sample-folder Folder with samples to process –comment Posts a comment for the analysed hash which contains the comment from the log line -p vt-comment-prefix Virustotal comment prefix –download Enables Sample Download from Hybrid Analysis. SHA256 of sample needed. -d download_path Output Path for Sample Download from Hybrid Analysis. Folder must exist –nocache Do not use cache database file –intense Do use PhantomJS to parse the permalink (used to extract user comments on samples) –retroverify Check only 40 entries with the same comment and therest at the end of the run (retrohunt verification) -r num-results Number of results to take as verification –nocsv Do not write a CSV with the results –verifycert Verify SSL/TLS certificates –sort Sort the input lines (useful for VT retrohunt results) –debug Debug outputFeaturesMODE A: Extracts hashes from any text file based on regular expressionsMODE B: Walks sample directory and checks hashes onlineRetrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text fileCached objects are stored in JSONCreates CSV file with the findings for easy post-processing and reportingAppends results to a previous CSV if availableDisplaysHash and comment (comment is the rest of the line of which the hash has been extracted)AV vendor matches based on a user defined listFilenames used in the wildPE information like the description, the original file name and the copyright statementSigner of a signed portable executableResult based on Virustotal ratioFirst and last submissionTags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftwareExtra ChecksQueries Malshare.com for sample uploadsQueries Hybrid-Analysis.com for present analysisImphash duplicates in current batch > allows you to spot overlaps in import table hashesGetting startedDownload / clone the repoInstall required packages: pip3 install -r requirements.txt (on macOS add –user)(optional: required for –intense mode) Download PhantomJS and place it in your $PATH, e.g. /usr/local/bin http://phantomjs.org/download.htmlSet the API key for the different services in the munin.ini fileUse the demo file for a first run: python munin.py -f munin-demo.txt –nocacheTypical Command LinesProcess a Virustotal Retrohunt result and sort the lines before checking so that matched signatures are checked in blockspython munin.py -f my.ini -f ~/Downloads/retro_huntProcess an IOC file and show who commented on these samples on Virustotal (uses PhantomJS, higher CPU usage)python munin.py -f my.ini -f ~/Downloads/misp-event-1234.csv –sort –intenseProcess a directory with samples and check their hashes onlinepython munin.py -f my.ini -s ~/malware/case34Get the API Keys used by MuninVirustotalCreate an account here https://www.virustotal.com/#/join-usCheck Profile > My API key for your public API keyMalshareRegister here https://malshare.com/register.phpHybrid AnalysisCreate an account here https://www.hybrid-analysis.com/signupAfter login, check Profile > API keyDownload Munin

Link: http://feedproxy.google.com/~r/PentestTools/~3/0Cc8y6zLvSQ/munin-online-hash-checker-for.html

RouterSploit v3.4.0 – Exploitation Framework For Embedded Devices

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.It consists of various modules that aids penetration testing operations:exploits – modules that take advantage of identified vulnerabilitiescreds – modules designed to test credentials against network servicesscanners – modules that check if a target is vulnerable to any exploitpayloads – modules that are responsible for generating payloads for various architectures and injection pointsgeneric – modules that perform generic attacksInstallationRequirementsRequired:futurerequestsparamikopysnmppycryptoOptional:bluepy – bluetooth low energyInstallation on Kali Linuxapt-get install python3-pipgit clone https://www.github.com/threat9/routersploitcd routersploitpython3 -m pip install -r requirements.txtpython3 rsf.pyBluetooth Low Energy support:apt-get install libglib2.0-devpython3 -m pip install bluepypython3 rsf.pyInstallation on Ubuntu 18.04 & 17.10sudo add-apt-repository universesudo apt-get install git python3-pipgit clone https://www.github.com/threat9/routersploitcd routersploitpython3 -m pip install -r requirements.txtpython3 rsf.pyBluetooth Low Energy support:apt-get install libglib2.0-devpython3 -m pip install bluepypython3 rsf.pyInstallation on OSXgit clone https://www.github.com/threat9/routersploitcd routersploitsudo python3 -m pip install -r requirements.txtpython3 rsf.pyRunning on Dockergit clone https://www.github.com/threat9/routersploitcd routersploitdocker build -t routersploit .docker run -it –rm routersploitUpdateUpdate RouterSploit Framework often. The project is under heavy development and new modules are shipped almost every day.cd routersploitgit pullDownload Routersploit

Link: http://www.kitploit.com/2018/10/routersploit-v340-exploitation.html

LibSSH Scanner – Script To Identify Hosts Vulnerable To CVE-2018-10933

This is a python based script to identify hosts vulnerable to CVE-2018-10933.The vulnerability is present on versions of libssh 0.6+ and was remediated by a patch present in libssh 0.7.6 and 0.8.4. For more details: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/HelpCVE-2018-10933 Scanner – Find vulnerable libssh services by Leap Security (@LeapSecurity)optional arguments: -h, –help show this help message and exit -v, –version show program’s version number and exit -t TARGET, –target TARGET An ip address or new line delimited file containing IPs to banner grab for the vulnerability. -p PORT, –port PORT Set port of SSH serviceDownload Libssh-Scanner

Link: http://feedproxy.google.com/~r/PentestTools/~3/QmL8AcFG_pI/libssh-scanner-script-to-identify-hosts.html

Webroot WiFi Security: Expanding Our Commitment to Security & Privacy

Reading Time: ~3 min.For the past 20 years, Webroot’s technology has been driven by our dedication to protecting users from malware, viruses, and other online threats. The release of Webroot® WiFi Security—a new virtual private network (VPN) app for phones, computers, and tablets—is the next step in fulfilling our commitment to protect everyone’s right to be secure in […]
The post Webroot WiFi Security: Expanding Our Commitment to Security & Privacy appeared first on Webroot Blog.

Link: https://www.webroot.com/blog/2018/10/17/webroot-wifi-security-expanding-our-commitment-to-security-privacy/

SQLMap v1.2.10 – Automatic SQL Injection And Database Takeover Tool

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.FeaturesFull support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.InstallationYou can download the latest tarball by clicking here or latest zipball by clicking here.Preferably, you can download sqlmap by cloning the Git repository:git clone –depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-devsqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.UsageTo get a list of basic options and switches use:python sqlmap.py -hTo get a list of all options and switches use:python sqlmap.py -hhYou can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user’s manual.DemoLinksHomepage: http://sqlmap.orgDownload: .tar.gz or .zipCommits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atomIssue tracker: https://github.com/sqlmapproject/sqlmap/issuesUser’s manual: https://github.com/sqlmapproject/sqlmap/wikiFrequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQTwitter: @sqlmapDemos: http://www.youtube.com/user/inquisb/videosScreenshots: https://github.com/sqlmapproject/sqlmap/wiki/ScreenshotsTranslationsBulgarianChineseCroatianFrenchGreekIndonesianItalianJapanesePortugueseSpanishTurkishDownload SQLMap v1.2.10

Link: http://www.kitploit.com/2018/10/sqlmap-v1210-automatic-sql-injection.html

Censys Subdomain Finder – Perform Subdomain Enumeration Using The Certificate Transparency Logs From Censys

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain who has ever been issued a SSL certificate by a public CA.See it in action:$ python censys_subdomain_finder.py github.com[*] Searching Censys for subdomains of github.com[*] Found 42 unique subdomains of github.com in ~1.7 seconds – hq.github.com – talks.github.com – cla.github.com – github.com – cloud.github.com – enterprise.github.com – help.github.com – collector-cdn.github.com – central.github.com – smtp.github.com – cas.octodemo.github.com – schrauger.github.com – jobs.github.com – classroom.github.com – dodgeball.github.com – visualstudio.github.com – branch.github.com – www.github.com – edu.github.com – education.github.com – import.github.com – styleguide.github.com – community.github.com – server.github.com – mac-installer.github.com – registry.github.com – f.cloud.github.com – offer.github.com – helpnext.github.com – foo.github.com – porter.github.com – id.github.com – atom-installer.github.com – review-lab.github.com – vpn-ca.iad.github.com – maintainers.github.com – raw.github.com – status.github.com – camo.github.com – support.enterprise.github.com – stg.github.com – rs.github.comSetupRegister an account (free) on https://censys.io/registerBrowse to https://censys.io/account, and set two environment variables with your API ID and API secret$ export CENSYS_API_ID=…$ export CENSYS_API_SECRET=…Clone the repository$ git clone https://github.com/christophetd/censys-subdomain-finder.gitInstall the dependencies$ cd censys-subdomain-finder$ pip install -r requirements.txtRun the script on example.com to make sure everything works as expected.$ python censys_subdomain_finder.py example.com[*] Searching Censys for subdomains of example.com[*] Found 5 unique subdomains of example.com – products.example.com – www.example.com – dev.example.com – example.com – support.example.comUsageusage: censys_subdomain_finder.py [-h] [-o OUTPUT_FILE] [–censys-api-id CENSYS_API_ID] [–censys-api-secret CENSYS_API_SECRET] domainpositional arguments: domain The domain to scanoptional arguments: -h, –help show this help message and exit -o OUTPUT_FILE, –output OUTPUT_FILE A file to output the list of subdomains to (default: None) –censys-api-id CENSYS_API_ID Censys API ID. Can also be defined using the CENSYS_API_ID environment variable (default: None) –censys-api-secret CENSYS_API_SECRET Censys API secret. Can also be defined using the CENSYS_API_SECRET environment variable (default: None)CompatibilityShould run on Python 2.7 and 3.5.NotesThe Censys API has a limit rate of 120 queries per 5 minutes window. Each invocation of this tool makes exactly one API call to Censys.Feel free to open an issue or to tweet @christophetd for suggestions or remarks.Download Censys-Subdomain-Finder

Link: http://feedproxy.google.com/~r/PentestTools/~3/bPFQtNdU4Fw/censys-subdomain-finder-perform.html