OSINT-SPY – Search using OSINT (Open Source Intelligence)

Performs an OSINT scan on an email address, domain, IP address or organization using OSINT-SPY. It can be used by data miners, infosec researchers, penetration testers and cyber crime investigators in order to find deep information about their target.

OSINT-SPY Documentation (beta)
File Name: README
Author: @sk_security
Version: 0.0.1
Website: osint-spy.com

Overview of this tool:
- Perform a scan on an IP address / domain / email address / BTC (bitcoin) address / device
- Find out the latest bitcoin block information
- List all the ciphers supported by a particular website and server
- Check whether a particular website is vulnerable to Heartbleed or not
- Dump all the contacts and messages from a Skype database
- Analyze malware or a malicious file remotely

Licenses information
OSINT-SPY and its documents are covered by the GPL-3.0 (General Public License v3.0).

Using OSINT-SPY

Search using OSINT
Website: www.osint-spy.com

Usage: osint-spy.py [options]

Options:
  -h, --help      show this help message and exit.
  --btc_block     Find latest Bitcoin blockchain info.
  --btc_date      Find Bitcoin blockchain information from a given date.
  --btc_address   Find out balance and transaction information of a given bitcoin address.
  --ssl_cipher    List all the ciphers used by a given server.
  --ssl_bleed     Check whether a server is vulnerable to the Heartbleed flaw or not.
  --domain        Get a bunch of details about a given website or organization.
  --email         Gather information about a given email address.
  --device        Find out devices which are connected to the internet.
  --ip            Enumerate information from a given IP address.
  --skype_db      Give the location of a Skype database in order to fetch all the information from it, including chats and contacts.
  --malware       Find out whether a given file is infected by malware or not.
  --carrier       Give the path of the carrier file behind which you want to hide text.
  --stego_text    Enter the text to hide behind the carrier file.
  --stego_find    Give a stego file and it will try to find the hidden text.

Required setup
- Python 2.7
- Use install_linux.py (for installing all dependencies and libraries on Linux)
- Use install_windows.py (for installing all dependencies and libraries on Windows)

Contributors
1. Sharad Kumar – @sk_security

Documentation

Setting up the environment
Installing and using OSINT-SPY is very easy. The installation process is simple and consists of 4 steps:
1. Downloading or cloning the OSINT-SPY GitHub repository.
2. Downloading and installing all dependencies.
3. Generating API keys.
4. Adding the API keys to the config file.

Let's begin!

Step 1 – Download OSINT-SPY on your system.
In order to install OSINT-SPY, simply clone the GitHub repository. Below is the command you can use to clone the OSINT-SPY repository:
git clone https://github.com/SharadKumar97/OSINT-SPY.git

Step 2 – Downloading and installing dependencies.
Once you clone OSINT-SPY, you will find a directory named OSINT-SPY. Go to that directory and install the dependencies. If you are using OSINT-SPY on Windows, run install_windows.py; if you are using Linux, run install_linux.py:
python install_linux.py
OR
python install_windows.py

Generating API Keys
We need some API keys before using this tool. The following APIs are used by this tool for the time being:
1. Clearbit API
2. Shodan API
3. Fullcontact API
4. Virus_Total API
5. EmailHunter API

Clearbit API: Register yourself at Clearbit and activate your account. Once you log in, you will find an API section. Go there, copy your secret API key and paste it inside the config.py file. The config.py file can be found in the modules directory of OSINT-SPY.

Shodan API: Register yourself at Shodan and activate your account. Once you have activated your account, log in to Shodan. Once you log in, you will find an API key in the overview tab. Copy that key and paste it inside the config.py file.

FullContact API: Register yourself at Full Contact. You can sign up using your email or sign up with Google. Once you log in, you will find your API key on the front of your dashboard. Just copy that key and paste it inside the config.py file.

VirusTotal API: Register yourself at VirusTotal. Once you log in, you will find a My Api Key section in your profile menu. Just go there, copy your public API key and paste it in the config.py file.

EmailHunter API: Register yourself at Email Hunter. Once you log in, go to the API tab and click on the EYE icon to view your API key. Copy your API key into the config.py file.

Usage
OSINT-SPY is a very handy tool and easy to use. All you have to do is pass values to the parameters. To start OSINT-SPY just run:
python osint-spy.py

--btc_block
The --btc_block parameter gives you information about the latest bitcoin block.
Usage:
python osint-spy.py --btc_block

--btc_date
The --btc_date parameter gives you bitcoin blockchain information from a given date.
Usage:
python osint-spy.py --btc_date 20170620

--btc_address
--btc_address gives you information about a particular bitcoin address owner.
python osint-spy.py --btc_address 1DST3gm6JthxhuoNKFqXrdpzPFfz1WgHpW

--ssl_cipher
--ssl_cipher shows you all the ciphers supported by a given website.
python osint-spy.py --ssl_cipher google.com

--ssl_bleed
--ssl_bleed finds out whether a given website is vulnerable to Heartbleed or not.
python osint-spy.py --ssl_bleed google.com

--domain
--domain gives you in-depth information about a particular domain, including whois, DNS, ciphers, location and more.
python osint-spy.py --domain google.com

--email
--email gathers information about a given email address from various public sources.
python osint-spy.py --email david@toorcon.org

--device
--device searches for a given device type on Shodan and lists all the matching devices on public IPs.
python osint-spy.py --device webcam

--ip
--ip gathers all the information about a given IP address from public sources.
python osint-spy.py --ip 127.0.0.1

--skype_db
--skype_db finds all the contacts and the message history from a given Skype database. This can be useful for forensic investigators. On Windows, the Skype database can be found in AppData\Roaming\Skype\(Your username)\main.db and on Mac OS X the database can be found in /Users/(Your mac user name)/Library/Support/Skype/(your skype username)/main.db.
python osint-spy.py --skype_db main.db

--malware
--malware sends a given file to VirusTotal and gives you a result on whether the given file is malware or not.
python osint-spy.py --malware abc.exe

--carrier and --stego_text
--carrier and --stego_text are used to hide text behind any image. --carrier specifies the image behind which you want to hide the text. --stego_text specifies the text you want to add.
python osint-spy.py --carrier image.jpg --stego_text This_is_secre_text

--stego_find
--stego_find finds hidden text behind any image.
python osint-spy.py --stego_find hidden.jpg

Download OSINT-SPY

Link: http://feedproxy.google.com/~r/PentestTools/~3/-x63Tn8Ij2w/osint-spy-search-using-osint-open.html

Maltego CE – An Interactive Data Mining Tool That Renders Directed Graphs For Link Analysis

Maltego CE is the community version of Maltego that is available for free after a quick online registration. Maltego CE includes most of the same functionality as the commercial version, however it has some limitations. The main limitation with the community version is that the application cannot be used for commercial purposes, and there is also a limitation on the maximum number of entities that can be returned from a single transform. The community version of Maltego also lacks the graph export functionality that is available in the commercial versions.

What does Maltego do?
The focus of Maltego is analyzing real-world relationships between information that is publicly accessible on the Internet. This includes footprinting Internet infrastructure as well as gathering information about the people and organisations who own it. Maltego can be used to determine the relationships between the following entities:
- People.
- Names.
- Email addresses.
- Aliases.
- Groups of people (social networks).
- Companies.
- Organizations.
- Web sites.
- Internet infrastructure such as:
  - Domains.
  - DNS names.
  - Netblocks.
  - IP addresses.
- Affiliations.
- Documents and files.

Connections between these pieces of information are found using open source intelligence (OSINT) techniques by querying sources such as DNS records, whois records, search engines, social networks and various online APIs, and by extracting metadata. Maltego provides results in a wide range of graphical layouts that allow for clustering of information, which makes seeing relationships instant and accurate – this makes it possible to see hidden connections even if they are three or four degrees of separation apart.

Maltego CE Features:
- The ability to perform link analysis on up to 10 000 entities on a single graph.
- The capability to return up to 12 entities per transform that is run.
- Includes collection nodes which automatically group entities together with common features, allowing you to see past the noise and find the key relationships you are looking for.
- Includes the ability to share graphs in real-time with multiple analysts in a single session.
- Graph export options include: GraphML, entity lists.
- Graph import options include: tabular formats (csv, xls and xlsx), copy and paste.

Technical Details:
Maltego CE is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.

Hardware Requirements:
- A Maltego CE client requires at least 2GB of RAM, but the more the merrier as Maltego loves memory.
- Any modern multi-core processor will have more than enough processing power.
- 4GB of disk space should be more than enough.
- Using a mouse makes navigating Maltego graphs much easier and is definitely recommended.

Network Requirements:
A Maltego CE client requires Internet access to operate fully. The client will need to make outgoing connections on the following ports: 80, 443, 8081. Additionally, port 5222 is needed to join shared graphs on Paterva's public Comms server. Please note that a Maltego client may need to make connections on additional ports if the client is using transforms from 3rd-party transform vendors from the Transform Hub.

Download Maltego CE

Link: http://www.kitploit.com/2019/02/maltego-ce-interactive-data-mining-tool.html

TROMMEL – Sift Through Embedded Device Files To Identify Potential Vulnerable Indicators

TROMMEL sifts through embedded device files to identify potential vulnerable indicators. TROMMEL identifies the following indicators:
- Secure Shell (SSH) key files
- Secure Socket Layer (SSL) key files
- Internet Protocol (IP) addresses
- Uniform Resource Locators (URLs)
- email addresses
- shell scripts
- web server binaries
- configuration files
- database files
- specific binary files (i.e. Dropbear, BusyBox, etc.)
- shared object library files
- web application scripting variables, and
- Android application package (APK) file permissions.

TROMMEL has also integrated vFeed, which allows for further in-depth vulnerability analysis of identified indicators.

Dependencies
- Python-Magic – see the documentation for Python3-magic installation instructions
- vFeed Database – for non-commercial use, register and download the Community Edition database

Usage
$ trommel.py --help

Output TROMMEL results to a file based on a given directory. By default, only plain text files are searched.
$ trommel.py -p /directory -o output_file

Output TROMMEL results to a file based on a given directory. Search both binary and plain text files.
$ trommel.py -p /directory -o output_file -b

Notes
- The intended use of TROMMEL is to assist researchers during firmware analysis.
- TROMMEL has been tested using Python3 on Kali Linux x86_64.
- TROMMEL was written with the intent of helping identify indicators that may point to vulnerabilities in the firmware of embedded devices.

References
- vFeed
- Firmwalker
- Lua Code: Security Overview and Practical Approaches to Static Analysis by Andrei Costin

Author
Kyle O'Meara – komeara AT cert DOT org

Download Trommel
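To make the indicator categories above concrete, here is an added example (not TROMMEL's own code) of a minimal sifter that walks an extracted firmware tree, flags files by name and scans plain-text files for keys, addresses, URLs and scripts; the demo tree, file names and contents are constructed for the demonstration.

```python
"""
Added example, not TROMMEL's own code: a minimal indicator sifter in the
spirit of the tool.  It walks an extracted firmware root, flags files by
name (configs, databases, well-known binaries, shared objects) and scans
plain-text files for private keys, IPv4 addresses, URLs, e-mail addresses
and shell scripts.  build_demo_root() writes constructed sample data only.
"""
import os
import re
import tempfile
from collections import defaultdict

# Content indicators, named after the categories TROMMEL reports.
PATTERNS = {
    "ssh_or_ssl_private_key": re.compile(
        rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "ipv4_address": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(rb"https?://[\w.\-/:%?=&]+"),
    "email_address": re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "shell_script": re.compile(rb"\A#!\s*/(?:usr/)?bin/(?:ba|a|da)?sh\b"),
}

# File-name indicators, matched against the path relative to the root.
NAME_HINTS = {
    "configuration_file": re.compile(r"\.(conf|cfg|ini|xml)$", re.I),
    "database_file": re.compile(r"\.(db|sqlite|sqlite3)$", re.I),
    "known_binary": re.compile(r"(^|/)(busybox|dropbear|dropbearmulti|lighttpd|httpd|boa)$", re.I),
    "shared_object": re.compile(r"\.so(\.\d+)*$"),
}


def is_binary(data: bytes) -> bool:
    """Plain-text heuristic: a NUL byte or more than 10% non-printable bytes."""
    if not data:
        return False
    if b"\x00" in data:
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable < 0.9 * len(data)


def sift(root: str, include_binary: bool = False, max_bytes: int = 4 * 1024 * 1024) -> dict:
    """Return {relative_path: [indicator, ...]} for every file with at least one hit."""
    hits = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for label, rx in NAME_HINTS.items():
                if rx.search(rel):
                    hits[rel].append(label)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            # Like TROMMEL's default, only plain-text files are content-scanned
            # unless the caller asks for binaries too (its -b switch).
            if is_binary(data) and not include_binary:
                continue
            for label, rx in PATTERNS.items():
                if rx.search(data):
                    hits[rel].append(label)
    return dict(hits)


def build_demo_root() -> str:
    """Create a tiny constructed firmware tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="fw_demo_")
    files = {
        "etc/dropbear/dropbear_rsa_host_key":
            b"-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructedNotARealKey\n-----END RSA PRIVATE KEY-----\n",
        "etc/init.d/rcS": b"#!/bin/sh\nwget http://firmware-updates.example/latest.bin\n",
        "etc/config.ini": b"[cloud]\nserver=192.0.2.10\nsupport=admin@example.com\n",
        "bin/busybox": b"\x7fELF\x01\x01\x01" + b"\x00" * 64,
        "www/index.html": b"<html><body>Hello</body></html>\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, labels in sorted(sift(build_demo_root()).items()):
        print(f"{path}: {', '.join(sorted(set(labels)))}")
```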

Link: http://feedproxy.google.com/~r/PentestTools/~3/UW_LBgpwYX4/trommel-sift-through-embedded-device.html

Security News – Paul’s Security Weekly #594

Why it's way too easy to sell counterfeit goods on Amazon, how to defend against the runC container vulnerability, creating a dream team for the new age of cyber security, how you can get a Windows 95 emulator for Windows 10, Linux, or Mac, DEF CON goes to Washington, and InfoSec Institute's top […]
The post Security News – Paul's Security Weekly #594 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/M4glO-Wepms/

Pompem – Exploit and Vulnerability Finder

Pompem is an open source tool designed to automate the search for exploits and vulnerabilities in the most important databases. Developed in Python, it has an advanced search system that helps the work of pentesters and ethical hackers. In the current version, it performs searches in PacketStorm Security, CXSecurity, ZeroDay, Vulners, the National Vulnerability Database, the WPScan Vulnerability Database …

Screenshots

Source code
You can download the latest tarball by clicking here or the latest zipball by clicking here. You can also download Pompem directly from its Git repository:
$ git clone https://github.com/rfunix/Pompem.git

Dependencies
Pompem works out of the box with Python 3.5 on any platform and requires the following packages:
- Requests 2.9.1+

Installation
Get Pompem up and running in a single command:
$ pip3.5 install -r requirements.txt

You may greatly benefit from using virtualenv, which isolates packages installed for every project. If you have never used it, simply check this tutorial (http://docs.python-guide.org/en/latest/dev/virtualenvs).

Usage
To get the list of basic options and information about the project:
$ python3.5 pompem.py -h

Options:
  -h, --help      show this help message and exit
  -s, --search    text for search
  --txt           Write txt File
  --html          Write html File

Examples of use:
$ python3.5 pompem.py -s WordPress
$ python3.5 pompem.py -s Joomla --html
$ python3.5 pompem.py -s "Internet Explorer,joomla,wordpress" --html
$ python3.5 pompem.py -s FortiGate --txt
$ python3.5 pompem.py -s ssh,ftp,mysql

Download Pompem

Link: http://www.kitploit.com/2019/02/pompem-exploit-and-vulnerability-finder.html

Pftriage – Python Tool And Library To Help Analyze Files During Malware Triage And Analysis

pftriage is a tool to help analyze files during malware triage. It allows an analyst to quickly view and extract properties of a file to help during the triage process. The tool also has an analyze function which can detect common malicious indicators used by malware.

Dependencies
- pefile
- filemagic

Note: On Mac, Apple has implemented their own version of the file command. However, libmagic can be installed using Homebrew:
$ brew install libmagic

Usage
usage: pftriage [options]

Show information about a file for triage.

positional arguments:
  file                  The file to triage.

optional arguments:
  -h, --help            show this help message and exit
  -i, --imports         Display import tree
  -s, --sections        Display overview of sections. For more detailed info pass the -v switch
  --removeoverlay       Remove overlay data.
  --extractoverlay      Extract overlay data.
  -r, --resources       Display resource information
  -D DUMP_OFFSET, --dump DUMP_OFFSET
                        Dump data using the passed offset or 'ALL'. Currently only works with resources.
  -a, --analyze         Analyze the file.
  -v, --verbose         Display version.
  -V, --version         Print version and exit.

Sections
Display section information by using the -s or --sections switch. Additionally you can pass -v for a more verbose view of section details. To export a section pass --dump and the desired section Virtual Address (ex: --dump 0x00001000).

---- Section Overview (use -v for detailed section info) ----
Name      Raw Size    Raw Data Pointer  Virtual Address  Virtual Size  Entropy        Hash
.text     0x00012200  0x00000400        0x00001000       0x000121d8    6.71168555177  ff38fce4f48772f82fc77b4ef223fd74
.rdata    0x00005a00  0x00012600        0x00014000       0x0000591a    4.81719489022  b0c15ee9bf8480a07012c2cf277c3083
.data     0x00001a00  0x00018000        0x0001a000       0x0000ab80    5.28838495072  5d969a878a5106ba526aa29967ef877f
.rsrc     0x00002200  0x00019a00        0x00025000       0x00002144    7.91994689603  d361caffeadb934c9f6b13b2474c6f0f
.overlay  0x00009b30  0x0001bc00        0x00000000       0x00000000    0              N/A

Resources
Display resource data by using -r or --resources.

---- Resource Overview ----
Type: CODATA
  Name  Language      SubLang     Offset      Size        Code Page   Type
  0x68  LANG_RUSSIAN  RUSSIAN     0x000250e0  0x00000cee  0x000004e4
  0x69  LANG_RUSSIAN  RUSSIAN     0x00025dd0  0x000011e6  0x000004e4
Type: RT_MANIFEST
  Name  Language      SubLang     Offset      Size        Code Page   Type
  0x1   LANG_ENGLISH  ENGLISH_US  0x00026fb8  0x0000018b  0x000004e4

To extract a specific resource use -D with the desired offset. If you want to extract all resources pass ALL instead of a specific offset.

Imports
Display import data and modules using -i or --imports. Imports which are identified as ordinals will be flagged and include the ordinal used.

[*] Loading File...
---- Imports ----
Number of imported modules: 4
KERNEL32.dll
 |-- GetProcessHeap
 |-- HeapFree
 |-- HeapAlloc
 |-- SetLastError
 |-- GetLastError
WS2_32.dll
 |-- getaddrinfo
 |-- freeaddrinfo
 |-- closesocket Ordinal[3] (Imported by Ordinal)
 |-- WSAStartup Ordinal[115] (Imported by Ordinal)
 |-- socket Ordinal[23] (Imported by Ordinal)
 |-- send Ordinal[19] (Imported by Ordinal)
 |-- recv Ordinal[16] (Imported by Ordinal)
 |-- connect Ordinal[4] (Imported by Ordinal)
ole32.dll
 |-- CoCreateInstance
 |-- ...

Exports
Display exports using -e or --exports.

[*] Loading File...
---- Exports ----
Total Exports: 5
Address     Ordinal  Name
0x00001151  1        FindResources
0x00001103  2        LoadBITMAP
0x00001137  3        LoadICON
0x000010e9  4        LoadIMAGE
0x0000111d  5        LoadSTRINGW

Metadata
File and version metadata is displayed if no options are passed on the command line.

[*] Loading File...
[*] Processing File details...
---- File Summary ----
General
  Filename         samaple.exe
  Magic Type       PE32 executable (GUI) Intel 80386, for MS Windows
  Size             135168
  First Bytes      4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
Hashes
  MD5              8e8a8fe8361c7238f60d6bbfdbd304a8
  SHA1             557832efe10daff3f528a3c3589eb5a6dfd12447
  SHA256           118983ba4e1c12a366d7d6e9461c68bf222e2b03f3c1296091dee92ac0cc9dd8
  Import Hash      0239fd611af3d0e9b0c46c5837c80e09
  ssdeep
Headers
  Subsystem        IMAGE_SUBSYSTEM_WINDOWS_GUI
  Linker Version   12.0 - (Visual Studio 2013)
  Image Base       0x400000
  Compile Time     Thu Jun 23 16:04:21 2016 UTC
  Checksum         0
  Filename         sample.exe
  EP Bytes         55 8b ec 51 83 65 fc 00 8d 45 fc 56 57 50 e8 64
  Signature        0x4550
  First Bytes      4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
  Sections         4
  Entry Point      0x139de
  Packed           False
  Size             135168
  Characteristics  IMAGE_FILE_32BIT_MACHINE
                   IMAGE_FILE_EXECUTABLE_IMAGE
                   IMAGE_FILE_RELOCS_STRIPPED

Analyze
pftriage can perform a simple analysis of a file to identify malicious characteristics.

[*] Loading File...
[*] Analyzing File...
[*] Analysis Complete...
 [!] Checksum   Invalid CheckSum
 [!] AntiDebug  AntiDebug Function import [GetTickCount]
 [!] AntiDebug  AntiDebug Function import [QueryPerformanceCounter]
 [!] Imports    Suspicious API Call [TerminateProcess]
 [!] AntiDebug  AntiDebug Function import [SetUnhandledExceptionFilter]
 [!] AntiDebug  AntiDebug Function import [IsDebuggerPresent]

Overlay Data
Overlay data is identified by analyzing the file or displaying its section information. If overlay data exists, pftriage can either remove the data by using the --removeoverlay switch or export the overlay data by using the --extractoverlay switch.

Download Pftriage
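The section overview, overlay detection and "Invalid CheckSum" finding above all come from reading the PE section table and optional header; the following added example (not pftriage's own code) does that with the standard library only, over a constructed header-only PE32 stub rather than a real sample.

```python
"""
Added example, not pftriage's own code: a dependency-free PE section walker
that reproduces the triage view shown above (per-section raw size, raw pointer,
virtual address, virtual size, entropy and MD5), detects overlay data after the
last section and verifies the header CheckSum that pftriage's analyzer flags.
build_sample_pe() returns a constructed, header-only PE32 stub, not a real binary.
"""
import hashlib
import math
import struct


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE checksum as the loader computes it: ones'-complement style sum of all
    16-bit words except the CheckSum field itself, plus the file length."""
    total = 0
    for i in range(0, len(data) - 1, 2):
        if i in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", data, i)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) & 1:
        total += data[-1]
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)


def triage(data: bytes) -> dict:
    """Parse DOS/COFF headers and the section table; report overlay and checksum state."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    _machine, n_sections, _ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                       # optional header follows the 20-byte COFF header
    sections, end_of_image = [], 0
    for i in range(n_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": rsize, "raw_ptr": rptr, "va": va, "vsize": vsize,
                         "entropy": round(entropy(raw), 4),
                         "md5": hashlib.md5(raw).hexdigest() if raw else "N/A"})
        end_of_image = max(end_of_image, rptr + rsize)
    overlay = data[end_of_image:]         # anything past the last section's raw data
    cs_off = opt + 64                     # CheckSum lives at offset 64 of the optional header
    stored = struct.unpack_from("<I", data, cs_off)[0] if opt_size >= 68 else None
    return {"sections": sections,
            "overlay_offset": end_of_image if overlay else None,
            "overlay_size": len(overlay),
            "checksum_stored": stored,
            # 0 means "no checksum"; reported as invalid, matching pftriage's analyzer.
            "checksum_valid": bool(stored) and stored == pe_checksum(data, cs_off)}


def with_valid_checksum(data: bytes) -> bytes:
    cs_off = struct.unpack_from("<I", data, 0x3C)[0] + 4 + 20 + 64
    buf = bytearray(data)
    struct.pack_into("<I", buf, cs_off, pe_checksum(data, cs_off))
    return bytes(buf)


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed PE32 stub: 0x200 bytes of headers, a high-entropy .text, a
    low-entropy .rdata, then the optional overlay.  CheckSum is left at 0."""
    opt_size, n_sections = 96, 2
    text = bytes(range(256)) * 2                      # every byte value twice: entropy 8.0
    rdata = (b"pftriage demo string\0" * 24).ljust(512, b"\0")
    header = bytearray(0x200)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)        # e_lfanew -> PE signature at 0x40
    header[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", header, 0x44, 0x14C, n_sections, 0, 0, 0, opt_size, 0x102)
    opt = 0x44 + 20
    struct.pack_into("<H", header, opt, 0x10B)        # PE32 magic
    sec = opt + opt_size
    struct.pack_into("<8sIIII", header, sec, b".text", 0x1F0, 0x1000, len(text), 0x200)
    struct.pack_into("<8sIIII", header, sec + 40, b".rdata", 0x200, 0x2000, len(rdata), 0x400)
    return bytes(header) + text + rdata + overlay


if __name__ == "__main__":
    report = triage(build_sample_pe(overlay=b"trailing data"))
    for s in report["sections"]:
        print(s)
    print("overlay:", report["overlay_offset"], report["overlay_size"], "checksum valid:", report["checksum_valid"])
```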

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZjjYohz9GbE/pftriage-python-tool-and-library-to.html

DFIRTrack – The Incident Response Tracking Application

DFIRTrack (Digital Forensics and Incident Response Tracking application) is an open source web application mainly based on Django using a PostgreSQL database backend.

In contrast to other great incident response tools, which are mainly case-based and support the work of CERTs, SOCs etc. in their daily business, DFIRTrack is focused on handling one major incident with a lot of affected systems, as is often observed in APT cases. It is meant to be used as a tool for dedicated incident response teams in large cases. So, of course, CERTs and SOCs may use DFIRTrack as well, but they may find it more appropriate for special cases than for everyday work.

In contrast to case-based applications, DFIRTrack works in a system-based fashion. It keeps track of the status of various systems and the tasks associated with them, keeping the analyst well-informed about the status and number of affected systems at any time, from the investigation phase up to the remediation phase of the incident response process.

Features
One focus is the fast and reliable import and export of systems and associated information. The goal for importing systems is to provide a fast and error-free procedure. Moreover, the goal for exporting systems and their status is to have multiple instances of documentation (for instance, detailed Markdown reports for technical staff vs. spreadsheets for non-technical audiences) without redundancies and deviations in the data sets. A manager whose numbers match is a happy manager! ;-)

The following functions are implemented for now:

Importer
- Creator (fast creation of multiple related instances via web interface) for systems and tasks,
- CSV (simple and generic CSV based import (either hostname and IP or hostname and tags combined with a web form), should fit the export capabilities of many tools),
- Markdown for entries (one entry per system (report)).

Exporter
- Markdown for so-called system reports (for use in a MkDocs structure),
- Spreadsheet (CSV and XLS),
- LaTeX (planned).

Installation and dependencies
DFIRTrack is developed for deployment on Debian Stretch or Ubuntu 16.04. Other Debian based distributions or versions may work but were not tested yet. At the moment the project is focused on Ubuntu LTS and Debian releases.

For fast and uncomplicated installation on a dedicated server including all dependencies, an Ansible playbook and role was written (available here). For testing, a Docker environment was prepared (see below).

For a minimal setup the following dependencies are needed:
- django (2.0),
- django_q,
- djangorestframework,
- gunicorn,
- postgresql,
- psycopg2-binary,
- python3-pip,
- PyYAML,
- requests,
- virtualenv,
- xlwt.

Note that there is no settings.py in this repository. This file is submitted via Ansible or has to be copied and configured by hand. That will be changed in the future (see issues for more information).

Docker Environment
An experimental Docker Compose environment for local-only usage is provided in this project. Run the following command in the project root directory to start the environment:
docker-compose up

A user admin is already created. A password can be set with:
docker/setup_admin.sh

The application is located at localhost:8000.

Built-in software
The application was created by implementing the following libraries and code:
- Bootstrap
- clipboard.js
- DataTables
- jQuery
- Open Iconic
- Popper.js

Development
There are two main branches:
- master
- development

The master branch should be stable (as you can expect from an alpha version). New features and changes are added to the development branch and merged into master from time to time. Everything merged into development should run too but might need manual changes (e.g. config). The development branch of DFIRTrack Ansible should follow these changes. So if you want to see the latest features and progress: "check out" development.

Disclaimer
This software is in an early alpha phase, so a lot of work has to be done. Even if some basic error checking is implemented, as of now the usage of DFIRTrack mainly depends on proper handling.

DFIRTrack was not and most likely will never be intended for usage on publicly available servers. Nevertheless, some basic security features were implemented (in particular in connection with the corresponding Ansible role). Always install DFIRTrack in a secured environment (e.g. a dedicated virtual machine or a separated network)!

Download Dfirtrack

Link: http://feedproxy.google.com/~r/PentestTools/~3/vHFBZOQWsMA/dfirtrack-incident-response-tracking.html

Fnord – Pattern Extractor For Obfuscated Code

Fnord is a pattern extractor for obfuscated code.

Description
Fnord has two main functions:
1. Extract byte sequences and create some statistics
2. Use these statistics, combining length, number of occurrences, similarity and keywords, to create a YARA rule

1. Statistics
Fnord processes the file with a sliding window of varying size to extract all sequences with a minimum length -m X (default: 4) up to a maximum length -x X (default: 40). For each length, Fnord will present the most frequently occurring sequences -t X (default: 3) in a table.

Each line in the table contains:
- Length
- Number of occurrences
- Sequence (string)
- Formatted (ascii/wide/hex)
- Hex encoded form
- Entropy

2. YARA Rule Creation
Fnord also generates an experimental YARA rule. During YARA rule creation it will calculate a score based on the length of the sequence and the number of occurrences (length * occurrences). It will then process each sequence by removing all non-letter characters and comparing them with a list of keywords (case-insensitive) to detect sequences that are more interesting than others. Before writing each string to the rule, Fnord calculates a Levenshtein distance and skips sequences that are too similar to sequences that have already been integrated in the rule.

Status
[Experimental] Fnord was created a few days ago and I have tested it with a handful of samples. My guess is that I'll adjust the defaults in the coming weeks and add some more keywords, filters and scoring options.

Improve the Results
- If you've found obfuscated code in a sample, use a hex editor to extract the obfuscated section of the sample and save it to a new file. Use that new file for the analysis.
- Play with the flags -s, -k, -r, --yara-strings, -m and -e.
- Please send me samples that produce weak YARA rules that could be better.

Usage
Pattern Extractor for Obfuscated Code v0.6, Florian Roth

usage: fnord.py [-h] [-f file] [-m min] [-x max] [-t top] [-n min-occ]
                [-e min-entropy] [--strings] [--include-padding] [--debug]
                [--noyara] [-s similarity] [-k keywords-multiplier]
                [-r structure-multiplier] [-c count-limiter] [--yara-exact]
                [--yara-strings max] [--show-score] [--show-count]
                [--author author]

Fnord - Pattern Extractor for Obfuscated Code

optional arguments:
  -h, --help            show this help message and exit
  -f file               File to process
  -m min                Minimum sequence length
  -x max                Maximum sequence length
  -t top                Number of items in the Top x list
  -n min-occ            Minimum number of occurrences to show
  -e min-entropy        Minimum entropy
  --strings             Show strings only
  --include-padding     Include 0x00 and 0x20 in the extracted strings
  --debug               Debug output

YARA Rule Creation:
  --noyara              Do not generate an experimental YARA rule
  -s similarity         Allowed similarity (use values between 0.1=low and 10=high, default=1.5)
  -k keywords-multiplier
                        Keywords multiplier (multiplies score of sequences if keyword is found) (best use values between 1 and 5, default=2.0)
  -r structure-multiplier
                        Structure multiplier (multiplies score of sequences if it is identified as code structure and not payload) (best use values between 1 and 5, default=2.0)
  -c count-limiter      Count limiter (limts the impact of the count by capping it at a certain amount) (best use values between 5 and 100, default=20)
  --yara-exact          Add magic header and magic footer limitations to the rule
  --yara-strings max    Maximum sequence length
  --show-score          Show score in comments of YARA rules
  --show-count          Show count in sample in comments of YARA rules
  --author author       YARA rule author

Getting Started
git clone https://github.com/Neo23x0/Fnord.git and cd Fnord
pip3 install -r ./requirements.txt
python3 ./fnord.py --help

Examples
python3 fnord.py -f ./test/wraeop.sct --yara-strings 10
python3 fnord.py -f ./test/vbs.txt --show-score --show-count -t 1 -x 20
python3 fnord.py -f ./test/inv-obf.txt --show-score --show-count -t 1 --yara-strings 4 --yara-exact

Screenshots

FAQs
Why didn't you integrate Fnord in yarGen?
yarGen uses a white-listing approach to filter the strings that are best for the creation of a YARA rule. yarGen applies some regular expressions to adjust scores of strings before creating the YARA rules. But its approach is very different from the method used by Fnord, which calculates the score of the byte sequences based on statistics. While yarGen is best used for un-obfuscated code, Fnord is for obfuscated code only and should produce much better results than yarGen.

Contact
Follow on Twitter for updates @cyb3rops

Download Fnord
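The statistics and rule-creation steps described above (sliding window, length * occurrences score, keyword boost, Levenshtein de-duplication) are small enough to show end to end; the following is an added example written for this page, not Fnord's own code. The sample text is a constructed obfuscated-script fragment, the KEYWORDS list is illustrative, and the cut-off length / similarity is this example's own reading of the -s flag.

```python
"""
Added example, not Fnord's own code: a compact re-implementation of the method
described above.  It slides windows of every length between min and max over a
byte blob, keeps the most frequent sequences per length, scores each as
length * occurrences (count capped like -c, multiplied like -k when a keyword
appears among its letters), drops candidates whose Levenshtein distance to an
already chosen string is too small, and prints a YARA rule.  SAMPLE is a
constructed obfuscated-script fragment; the similarity cut-off
(length / similarity) is this example's own interpretation of Fnord's -s.
"""
from collections import Counter

KEYWORDS = ("eval", "execute", "wscript", "shell", "createobject", "chr", "replace", "unescape")


def extract(data: bytes, min_len: int = 4, max_len: int = 40, top: int = 3, min_occ: int = 2):
    """Sliding-window statistics: [(length, occurrences, sequence), ...], top N per length."""
    results = []
    for length in range(min_len, max_len + 1):
        counts = Counter(data[i:i + length] for i in range(len(data) - length + 1))
        results.extend((length, n, seq) for seq, n in counts.most_common(top) if n >= min_occ)
    return results


def levenshtein(a: bytes, b: bytes) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score(length: int, count: int, seq: bytes, keyword_multiplier: float = 2.0, count_limit: int = 20) -> float:
    """length * occurrences, count capped like -c, boosted like -k when a keyword appears."""
    s = float(length * min(count, count_limit))
    letters = bytes(c for c in seq if chr(c).isalpha()).lower()   # strip non-letters first
    if any(k.encode() in letters for k in KEYWORDS):
        s *= keyword_multiplier
    return s


def select(candidates, max_strings: int = 10, similarity: float = 1.5):
    """Rank by score and skip sequences too close to one already chosen."""
    chosen = []
    for length, count, seq in sorted(candidates, key=lambda c: -score(*c)):
        if any(levenshtein(seq, s) < length / similarity for _, _, s in chosen):
            continue
        chosen.append((length, count, seq))
        if len(chosen) >= max_strings:
            break
    return chosen


def yara_rule(chosen, name: str = "obfuscated_sample", author: str = "fnord-style example") -> str:
    """Emit printable sequences as text strings and everything else as hex strings."""
    lines = [f"rule {name} {{", "    meta:", f'        author = "{author}"', "    strings:"]
    for i, (length, count, seq) in enumerate(chosen):
        if all(32 <= b < 127 for b in seq) and b'"' not in seq and b"\\" not in seq:
            body = f'"{seq.decode("ascii")}" ascii'
        else:
            body = "{ " + " ".join(f"{b:02x}" for b in seq) + " }"
        lines.append(f"        $s{i} = {body}   // len={length} count={count} score={score(length, count, seq):.0f}")
    lines += ["    condition:", f"        {min(3, len(chosen))} of them", "}"]
    return "\n".join(lines)


# Constructed sample: a few lines of Chr()-encoded VBScript-style obfuscation.
SAMPLE = (b'Set o = CreateObject("WScript.Shell"):'
          b'x = Chr(104)&Chr(116)&Chr(116)&Chr(112):'
          b'y = Chr(58)&Chr(47)&Chr(47)&Chr(101):'
          b'Execute(Replace("zzz", "z", "")):'
          b'o.Run x&y, 0, False')

if __name__ == "__main__":
    stats = extract(SAMPLE, min_len=4, max_len=12, top=3)
    for length, count, seq in stats[:6]:
        print(f"{length:>3} {count:>3} {seq!r}")
    print(yara_rule(select(stats, max_strings=5)))
```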

Link: http://feedproxy.google.com/~r/PentestTools/~3/kM2-_TEV7fY/fnord-pattern-extractor-for-obfuscated.html

Fwknop – Single Packet Authorization & Port Knocking

fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment. SPA requires only a single packet which is encrypted, non-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. Because there are no open ports, any service that is concealed by SPA naturally cannot be scanned for with Nmap. The fwknop project supports four different firewalls: iptables, firewalld, PF, and ipfw across Linux, OpenBSD, FreeBSD, and Mac OS X. There is also support for custom scripts so that fwknop can be made to support other infrastructure such as ipset or nftables.SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits. PK limitations include a general difficulty in protecting against replay attacks, asymmetric ciphers and HMAC schemes are not usually possible to reliably support, and it is trivially easy to mount a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn’t know the proper sequence). All of these shortcomings are solved by SPA. At the same time, SPA hides services behind a default-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption.SPA packets generated by fwknop leverage HMAC for authenticated encryption in the encrypt-then-authenticate model. 
Although the usage of an HMAC is currently optional (enabled via the –use-hmac command line switch), it is highly recommended for three reasons:Without an HMAC, cryptographically strong authentication is not possible with fwknop unless GnuPG is used, but even then an HMAC should still be applied.An HMAC applied after encryption protects against cryptanalytic CBC-mode padding oracle attacks such as the Vaudenay attack and related trickery (like the more recent “Lucky 13" attack against SSL).The code required by the fwknopd daemon to verify an HMAC is much more simplistic than the code required to decrypt an SPA packet, so an SPA packet without a proper HMAC isn’t even sent through the decryption routines.The final reason above is why an HMAC should still be used even when SPA packets are encrypted with GnuPG due to the fact that SPA data is not sent through libgpgme functions unless the HMAC checks out first. GnuPG and libgpgme are relatively complex bodies of code, and therefore limiting the ability of a potential attacker to interact with this code through an HMAC operation helps to maintain a stronger security stance. Generating an HMAC for SPA communications requires a dedicated key in addition to the normal encryption key, and both can be generated with the –key-gen option.fwknop encrypts SPA packets either with the Rijndael block cipher or via GnuPG and associated asymmetric cipher. If the symmetric encryption method is chosen, then as usual the encryption key is shared between the client and server (see the /etc/fwknop/access.conf file for details). The actual encryption key used for Rijndael encryption is generated via the standard PBKDF1 key derivation algorithm, and CBC mode is set. 
If the GnuPG method is chosen, then the encryption keys are derived from GnuPG key rings.

Use Cases

People who use Single Packet Authorization (SPA) or its security-challenged cousin Port Knocking (PK) usually access SSHD running on the same system where the SPA/PK software is deployed. That is, a firewall running on a host has a default-drop policy against all incoming SSH connections so that SSHD cannot be scanned, but a SPA daemon reconfigures the firewall to temporarily grant access to a passively authenticated SPA client:

[Image: Basic SPA usage to access SSHD]

fwknop supports the above, but also goes much further and makes robust usage of NAT (for iptables/firewalld firewalls). After all, important firewalls are usually gateways between networks as opposed to just being deployed on standalone hosts. NAT is commonly used on such firewalls (at least for IPv4 communications) to provide Internet access to internal networks that are on RFC 1918 address space, and also to allow external hosts access to services hosted on internal systems.

Because fwknop integrates with NAT, SPA can be leveraged to access internal services through the firewall by users on the external Internet. Although this has plenty of applications on modern traditional networks, it also allows fwknop to support cloud computing environments such as Amazon's AWS:

[Image: SPA usage on Amazon AWS cloud environments]

User Interface

The official cross-platform fwknop client user interface fwknop-gui (download, github) is developed by Jonathan Bennett. Most major client-side SPA modes are supported including NAT requests, HMAC and Rijndael keys (GnuPG is not yet supported), fwknoprc stanza saving, and more. Currently fwknop-gui runs on Linux, Mac OS X, and Windows; here is a screenshot from OS X:

[Image: fwknop-gui on Mac OS X]

Similarly, an updated Android client is available as well.

Tutorial

A comprehensive tutorial on fwknop can be found here: http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html

Features

The following is a complete list of features supported by the fwknop project:

- Implements Single Packet Authorization around iptables and firewalld firewalls on Linux, ipfw firewalls on *BSD and Mac OS X, and PF on OpenBSD.
- The fwknop client runs on Linux, Mac OS X, *BSD, and Windows under Cygwin. In addition, there is an Android app to generate SPA packets.
- Supports both Rijndael and GnuPG methods for the encryption/decryption of SPA packets.
- Supports HMAC authenticated encryption for both Rijndael and GnuPG. The order of operation is encrypt-then-authenticate to avoid various cryptanalytic problems.
- Replay attacks are detected and thwarted by SHA-256 digest comparison of valid incoming SPA packets. Other digest algorithms are also supported, but SHA-256 is the default.
- SPA packets are passively sniffed from the wire via libpcap. The fwknopd server can also acquire packet data from a file that is written to by a separate Ethernet sniffer (such as with tcpdump -w), from the iptables ULOG pcap writer, or directly via a UDP socket in --udp-server mode.
- For iptables firewalls, ACCEPT rules added by fwknop are added and deleted (after a configurable timeout) from custom iptables chains so that fwknop does not interfere with any existing iptables policy that may already be loaded on the system.
- Supports inbound NAT connections for authenticated SPA communications (iptables firewalls only for now). This means fwknop can be configured to create DNAT rules so that you can reach a service (such as SSH) running on an internal system on an RFC 1918 IP address from the open Internet. SNAT rules are also supported, which essentially turns fwknopd into a SPA-authenticating gateway to access the Internet from an internal network.
- Multiple users are supported by the fwknop server, and each user can be assigned their own symmetric or asymmetric encryption key via the /etc/fwknop/access.conf file.
- Automatic resolution of external IP address via https://www.cipherdyne.org/cgi-bin/myip (this is useful when the fwknop client is run from behind a NAT device). Because the external IP address is encrypted within each SPA packet in this mode, Man-in-the-Middle (MITM) attacks where an inline device intercepts an SPA packet and only forwards it from a different IP in an effort to gain access are thwarted.
- Port randomization is supported for the destination port of SPA packets as well as the port over which the follow-on connection is made via the iptables NAT capabilities. The latter applies to forwarded connections to internal services and to access granted to local sockets on the system running fwknopd.
- Integration with Tor (as described in this DefCon 14 presentation). Note that because Tor uses TCP for transport, sending SPA packets through the Tor network requires that each SPA packet is sent over an established TCP connection, so technically this breaks the "single" aspect of "Single Packet Authorization". However, Tor provides anonymity benefits that can outweigh this consideration in some deployments.
- Implements a versioned protocol for SPA communications, so it is easy to extend the protocol to offer new SPA message types and maintain backwards compatibility with older fwknop clients at the same time.
- Supports the execution of shell commands on behalf of valid SPA packets.
- The fwknop server can be configured to place multiple restrictions on inbound SPA packets beyond those enforced by encryption keys and replay attack detection. Namely, packet age, source IP address, remote user, access to requested ports, and more.
- Bundled with fwknop is a comprehensive test suite that issues a series of tests designed to verify that both the client and server pieces of fwknop work properly. These tests involve sniffing SPA packets over the local loopback interface, building temporary firewall rules that are checked for the appropriate access based on the testing config, and parsing output from both the fwknop client and fwknopd server for expected markers for each test. Test suite output can easily be anonymized for communication to third parties for analysis.
- fwknop was the first program to integrate port knocking with passive OS fingerprinting. However, Single Packet Authorization offers many security benefits beyond port knocking, so the port knocking mode of operation is generally deprecated.

Building fwknop

This distribution uses GNU autoconf for setting up the build. Please see the INSTALL file for the general basics on using autoconf.

There are some "configure" options that are specific to fwknop. They are (extracted from ./configure --help):

  --disable-client                     Do not build the fwknop client component. The default is to build the client.
  --disable-server                     Do not build the fwknop server component. The default is to build the server.
  --with-gpgme                         support for gpg encryption using libgpgme [default=check]
  --with-gpgme-prefix=PFX              prefix where GPGME is installed (optional)
  --with-gpg=/path/to/gpg              Specify path to the gpg executable that gpgme will use [default=check path]
  --with-firewalld=/path/to/firewalld  Specify path to the firewalld executable [default=check path]
  --with-iptables=/path/to/iptables    Specify path to the iptables executable [default=check path]
  --with-ipfw=/path/to/ipfw            Specify path to the ipfw executable [default=check path]
  --with-pf=/path/to/pfctl             Specify path to the pf executable [default=check path]
  --with-ipf=/path/to/ipf              Specify path to the ipf executable [default=check path]

Examples:

./configure --disable-client --with-firewalld=/bin/firewall-cmd
./configure --disable-client --with-iptables=/sbin/iptables --with-firewalld=no

Download Fwknop

Link: http://www.kitploit.com/2019/02/fwknop-single-packet-authorization-port.html

Electronegativity – Tool To Identify Misconfigurations And Security Anti-Patterns In Electron Applications

Electronegativity is a tool to identify misconfigurations and security anti-patterns in Electron-based applications. It leverages AST and DOM parsing to look for security-relevant configurations, as described in the "Electron Security Checklist – A Guide for Developers and Auditors" whitepaper.

Software developers and security auditors can use this tool to detect and mitigate potential weaknesses and implementation bugs when developing applications using Electron. A good understanding of Electron (in)security is still required when using Electronegativity, as some of the potential issues detected by the tool require manual investigation.

If you're interested in Electron Security, have a look at our BlackHat 2017 research "Electronegativity – A Study of Electron Security" and keep an eye on Doyensec's blog.

Installation

Major releases are pushed to NPM and can be simply installed using:

$ npm install @doyensec/electronegativity -g

Usage

$ electronegativity -h

  Option          Description
  -V              output the version number
  -i, --input     input (directory, .js, .htm, .asar)
  -o, --output    save the results to a file in csv or sarif format
  -h, --help      output usage information

Using electronegativity to look for issues in a directory containing an Electron app:

$ electronegativity -i /path/to/electron/app

Using electronegativity to look for issues in an asar archive and saving the results in a csv file:

$ electronegativity -i /path/to/asar/archive -o result.csv

Note: if you're running into the Fatal Error "JavaScript heap out of memory", you can run node with a larger heap: node --max-old-space-size=4096 electronegativity -i /path/to/asar/archive -o result.csv

Credits

Electronegativity was made possible thanks to the work of Claudio Merloni, Ibram Marzouk, Jaroslav Lobačevski and many other contributors. This work has been sponsored by Doyensec LLC.

Download Electronegativity

Link: http://feedproxy.google.com/~r/PentestTools/~3/zp7KJ0Mg0-A/electronegativity-tool-to-identify.html