ASUS, Microsoft, & Tesla – Hack Naked News #212

Zero-Days in Counter Strike client could be used to build a major botnet, huge aluminum plants hit by 'severe' ransomware attack, Myspace loses 50 million songs in server migration, wifi signals can reveal your password, and PuTTY in your hands: an SSH client gets patched after RSA key exchange memory vulnerability was spotted! […]
The post ASUS, Microsoft, & Tesla – Hack Naked News #212 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/VrsX9vpaVWg/

WPScan v3.4.5 – Black Box WordPress Vulnerability Scanner

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.

INSTALL

Prerequisites (optional but highly recommended: RVM)
- Ruby >= 2.3 - Recommended: latest. Ruby 2.5.0 to 2.5.3 can cause an 'undefined symbol: rmpd_util_str_to_d' error on some systems, see #1283.
- Curl >= 7.21 - Recommended: latest. Curl 7.29 has a segfault.
- RubyGems - Recommended: latest.

From RubyGems (Recommended)
    gem install wpscan
On macOS, if a Gem::FilePermissionError is raised due to Apple's System Integrity Protection (SIP), either install RVM and install wpscan again, or run:
    sudo gem install -n /usr/local/bin wpscan
(see #1286)

From sources (NOT Recommended)
Prerequisites: Git
    git clone https://github.com/wpscanteam/wpscan
    cd wpscan/
    bundle install && rake install

Updating
You can update the local database with:
    wpscan --update
Updating WPScan itself is done either via gem update wpscan or via the package manager (this is quite important for distributions such as Kali Linux: apt-get update && apt-get upgrade), depending on how WPScan was (pre)installed.

Docker
Pull the image with:
    docker pull wpscanteam/wpscan
Enumerating usernames:
    docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u
Enumerating a range of usernames:
    docker run -it --rm wpscanteam/wpscan --url https://target.tld/ --enumerate u1-100
(replace u1-100 with a range of your choice)

Usage
    wpscan --url blog.tld
This will scan the blog using default options with a good compromise between speed and accuracy. For example, the plugins will be checked passively but their version with a mixed detection mode (passively + aggressively). Potential config backup files will also be checked, along with other interesting findings. If a more stealthy approach is required, then
    wpscan --stealthy --url blog.tld
can be used. Note that when using the --enumerate option, don't forget to set --plugins-detection accordingly, as its default is 'passive'.

For more options, open a terminal and type wpscan --help (if you built wpscan from source, type the command outside of the git repo).

The DB is located at ~/.wpscan/db

WPScan can load all options (including the --url) from configuration files; the following locations are checked (order: first to last):
    ~/.wpscan/cli_options.json
    ~/.wpscan/cli_options.yml
    pwd/.wpscan/cli_options.json
    pwd/.wpscan/cli_options.yml
If those files exist, options from them are loaded, and an option found in more than one file is overridden by the later one.

e.g.
~/.wpscan/cli_options.yml:
    proxy: 'http://127.0.0.1:8080'
    verbose: true
pwd/.wpscan/cli_options.yml:
    proxy: 'socks5://127.0.0.1:9090'
    url: 'http://target.tld'
Running wpscan in the current directory (pwd) is then the same as:
    wpscan -v --proxy socks5://127.0.0.1:9090 --url http://target.tld

Enumerating usernames
    wpscan --url https://target.tld/ --enumerate u
Enumerating a range of usernames
    wpscan --url https://target.tld/ --enumerate u1-100
(replace u1-100 with a range of your choice)

LICENSE

WPScan Public Source License

The WPScan software (henceforth referred to simply as "WPScan") is dual-licensed - Copyright 2011-2019 WPScan Team.

Cases that include commercialization of WPScan require a commercial, non-free license. Otherwise, WPScan can be used without charge under the terms set out below.

1. Definitions
1.1 "License" means this document.
1.2 "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns WPScan.
1.3 "WPScan Team" means WPScan's core developers.

2. Commercialization
A commercial use is one intended for commercial advantage or monetary compensation.
Example cases of commercialization are:
- Using WPScan to provide commercial managed/Software-as-a-Service services.
- Distributing WPScan as a commercial product or as part of one.
- Using WPScan as a value added service/product.
Example cases which do not require a commercial license, and thus fall under the terms set out below, include (but are not limited to):
- Penetration testers (or penetration testing organizations) using WPScan as part of their assessment toolkit.
- Penetration Testing Linux Distributions including but not limited to Kali Linux, SamuraiWTF, BackBox Linux.
- Using WPScan to test your own systems.
- Any non-commercial use of WPScan.
If you need to purchase a commercial license or are unsure whether you need to purchase a commercial license, contact us: team@wpscan.org.

Free-use Terms and Conditions

3. Redistribution
Redistribution is permitted under the following conditions:
- Unmodified License is provided with WPScan.
- Unmodified Copyright notices are provided with WPScan.
- Does not conflict with the commercialization clause.

4. Copying
Copying is permitted so long as it does not conflict with the Redistribution clause.

5. Modification
Modification is permitted so long as it does not conflict with the Redistribution clause.

6. Contributions
Any Contributions assume the Contributor grants the WPScan Team the unlimited, non-exclusive right to reuse, modify and relicense the Contributor's content.

7. Support
WPScan is provided on an AS-IS basis and without any support, updates or maintenance. Support, updates and maintenance may be given according to the sole discretion of the WPScan Team.

8. Disclaimer of Warranty
WPScan is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that WPScan is free of defects, merchantable, fit for a particular purpose or non-infringing.

9. Limitation of Liability
To the extent permitted under Law, WPScan is provided on an AS-IS basis. The WPScan Team shall never, and without any limit, be liable for any damage, cost, expense or any other payment incurred as a result of WPScan's actions, failure, bugs and/or any other interaction between WPScan and end-equipment, computers, other software or any 3rd party, end-equipment, computer or services.

10. Disclaimer
Running WPScan against websites without prior mutual consent may be illegal in your country. The WPScan Team accept no liability and are not responsible for any misuse or damage caused by WPScan.

11. Trademark
The "wpscan" term is a registered trademark. This License does not grant the use of the "wpscan" trademark or the use of the WPScan logo.

Download Wpscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/36ioKYj1ExE/wpscan-v345-black-box-wordpress.html

Androwarn – Yet Another Static Code Analyzer For Malicious Android Applications

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application.

The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali, with the androguard library.

This analysis leads to the generation of a report, according to a technical detail level chosen by the user.

Features
Structural and data flow analysis of the bytecode targeting different malicious behaviours categories:
- Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator's name...
- Device settings exfiltration: software version, usage statistics, system settings, logs...
- Geolocation information leakage: GPS/WiFi geolocation...
- Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC address...
- Telephony services abuse: premium SMS sending, phone call composition...
- Audio/video flow interception: call recording, video capture...
- Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit...
- PIM data leakage: contacts, calendar, SMS, mails, clipboard...
- External memory operations: file access on SD card...
- PIM data modification: add/delete contacts, calendar events...
- Arbitrary code execution: native code using JNI, UNIX command, privilege escalation...
- Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot...
Report generation according to several detail levels:
- Essential (-v 1) for newbies
- Advanced (-v 2)
- Expert (-v 3)
Report generation according to several formats:
- Plaintext txt
- Formatted html from a Bootstrap template
- JSON

Usage
Options
    usage: androwarn [-h] -i INPUT [-o OUTPUT] [-v {1,2,3}] [-r {txt,html,json}] [-d]
                     [-L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}] [-w]

    version: 1.4

    optional arguments:
      -h, --help            show this help message and exit
      -i INPUT, --input INPUT
                            APK file to analyze
      -o OUTPUT, --output OUTPUT
                            Output report file (default "./_<timestamp>.<report_type>")
      -v {1,2,3}, --verbose {1,2,3}
                            Verbosity level (ESSENTIAL 1, ADVANCED 2, EXPERT 3) (default 1)
      -r {txt,html,json}, --report {txt,html,json}
                            Report type (default "html")
      -d, --display-report  Display analysis results to stdout
      -L {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}, --log-level {debug,info,warn,error,critical,DEBUG,INFO,WARN,ERROR,CRITICAL}
                            Log level (default "ERROR")
      -w, --with-playstore-lookup
                            Enable online lookups on Google Play

Common usage
    $ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
By default, the report is generated in the current folder.
An HTML report is now contained in a standalone file; CSS/JS resources are inlined.

Sample application
A sample application has been built, concentrating several malicious behaviours. The APK is available in the _SampleApplication/bin/ folder and the HTML report is available in the _SampleReports folder.

Dependencies and installation
Python 2.7 + androguard + jinja2 + play_scraper + argparse
The easiest way to set everything up: pip install androwarn and then directly use $ androwarn
Or git clone that repository and pip install -r requirements.txt

Changelog
- version 1.5 - 2019/01/05: few fixes
- version 1.4 - 2019/01/04: code cleanup and use of the latest androguard version
- version 1.3 - 2018/12/30: few fixes
- version 1.2 - 2018/12/30: few fixes
- version 1.1 - 2018/12/29: fixing a few bugs, removing Chilkat dependencies and pip packaging
- version 1.0 - from 2012 to 2013

Contributing
You're welcome, any help is appreciated :)

Contact
Thomas Debize < tdebize at mail d0t com >
Join #androwarn on Freenode

Greetings
- Stéphane Coulondre, for supervising my Final Year project
- Anthony Desnos, for his amazing Androguard project and his help through my Final Year project

Download Androwarn
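To make the "structural analysis of Smali targeting behaviour categories" concrete, here is a toy classifier that walks Smali disassembly, picks out invoke-* instructions and maps the callee to one of the behaviour categories listed above, then emits a JSON report at the three detail levels. This is an added Python 3 example, not Androwarn's code: the Android framework method signatures in RULES are real, but the category mapping is an illustrative subset of my own, and SAMPLE_SMALI is a constructed disassembly written for this example.

```python
"""Toy Smali behaviour classifier in the spirit of Androwarn (added example,
not Androwarn's code). The API signatures below are real Android framework
methods; the category mapping and the sample Smali are my own construction."""
import json
import re
from collections import defaultdict

# Behaviour categories keyed by the callee as it appears in Smali invoke-*
# instructions. Illustrative subset, not Androwarn's rule set.
RULES = {
    "Landroid/telephony/TelephonyManager;->getDeviceId": "Telephony identifiers exfiltration (IMEI)",
    "Landroid/telephony/TelephonyManager;->getSubscriberId": "Telephony identifiers exfiltration (IMSI)",
    "Landroid/telephony/SmsManager;->sendTextMessage": "Telephony services abuse (SMS sending)",
    "Landroid/location/LocationManager;->getLastKnownLocation": "Geolocation information leakage",
    "Landroid/media/MediaRecorder;->start": "Audio/video flow interception",
    "Ljava/net/Socket;-><init>": "Remote connection establishment (socket open)",
    "Ljava/lang/Runtime;->exec": "Arbitrary code execution (UNIX command)",
}

# Smali invoke line: invoke-virtual {v0}, Lcom/x/Y;->method(Args)Ret
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[\w/$]+;->[\w<>$]+)\(")
METHOD_RE = re.compile(r"^\.method\s+.*?(\S+)\(")

# Constructed Smali disassembly of one class, made up for this example.
SAMPLE_SMALI = """\
.class public Lcom/example/app/Collector;
.super Ljava/lang/Object;

.method public leak()V
    .locals 2
    invoke-virtual {p0}, Lcom/example/app/Collector;->tm()Landroid/telephony/TelephonyManager;
    move-result-object v0
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v1
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    move-result-object v1
    return-void
.end method

.method public beacon(Ljava/lang/String;I)V
    .locals 1
    new-instance v0, Ljava/net/Socket;
    invoke-direct {v0, p1, p2}, Ljava/net/Socket;-><init>(Ljava/lang/String;I)V
    return-void
.end method

.method public shell(Ljava/lang/String;)V
    .locals 1
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v0
    invoke-virtual {v0, p1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    return-void
.end method
"""


def analyze(smali):
    """Return {category: ["caller -> callee", ...]} for every flagged invoke,
    keeping track of the enclosing .method so findings point at a call site."""
    findings = defaultdict(list)
    current = "<unknown>"
    for line in smali.splitlines():
        m = METHOD_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INVOKE_RE.match(line)
        if not m:
            continue
        callee = m.group(1)
        category = RULES.get(callee)
        if category:
            findings[category].append(f"{current} -> {callee}")
    return dict(findings)


def report(findings, verbosity=1):
    """Androwarn-style detail levels: 1 lists categories, 2 adds hit counts,
    3 adds every call site. Returns the report as a JSON string."""
    if verbosity == 1:
        body = sorted(findings)
    elif verbosity == 2:
        body = {c: len(v) for c, v in sorted(findings.items())}
    else:
        body = {c: v for c, v in sorted(findings.items())}
    return json.dumps({"verbosity": verbosity, "findings": body}, indent=1)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_SMALI), verbosity=3))
```

Note that the harmless helper call (Collector;->tm) and Runtime;->getRuntime are not flagged on their own; only the sink that actually exfiltrates or executes is. A real analyzer also follows data flow from the source (getDeviceId) to a network sink before calling it exfiltration, which is what the "data flow analysis" in the feature list refers to.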

Link: http://feedproxy.google.com/~r/PentestTools/~3/CXJc4Zacvso/androwarn-yet-another-static-code.html

Lynis 2.7.3 – Security Auditing Tool for Unix/Linux Systems

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next in a series of simplification improvements we made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. It is used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems
The tool has almost no dependencies, therefore it runs on almost all Unix-based systems and versions, including:
- AIX
- FreeBSD
- HP-UX
- Linux
- Mac OS
- NetBSD
- OpenBSD
- Solaris
- and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional
Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL).

How it works
Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization of the program up to the report.

Steps
1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan
Besides the data displayed on the screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic Scanning
Lynis scanning is opportunistic: it uses what it can find. For example, if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will collect the discovered certificates so they can be scanned later as well.

In-depth security scans
By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases
Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
- Security auditing
- Compliance testing (e.g. PCI, HIPAA, SOx)
- Vulnerability detection and scanning
- System hardening

Resources used for testing
Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
- Best practices
- CIS
- NIST
- NSA
- OpenSCAP data
- Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins
Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.

Changelog
Upgrade note
Lynis 2.7.3 (2019-03-21)
Added
- Detection for Lynis being scheduled (e.g. cronjob)
Changed
- HTTP-6624 - Improved logging for test
- KRNL-5820 - Changed color for default fs.suid_dumpable value
- LOGG-2154 - Adjusted test to search in configuration file correctly
- NETW-3015 - Added support for ip binary
- SQD-3610 - Description of test changed
- SQD-3613 - Corrected description in code
- SSH-7408 - Increased values for MaxAuthRetries
- Improvements to allow tailored tool tips in future
- Corrected detection of blkid binary
- Minor textual changes and cleanups

Download Lynis 2.7.3
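The opportunistic model described above (detect what is installed, run the tests that apply, let one test's discoveries unlock the next) is easy to misread as "run everything and ignore failures". The following added Python example shows the actual control flow on a constructed host: service detection gates an sshd_config check, and an Apache check follows Include directives to an SSL/TLS config, audits it, and hands the certificate paths it finds to a later test. This is illustration code, not Lynis (which is a shell script); the SYSTEM snapshot, file contents and test IDs are all made up for the example.

```python
"""Opportunistic audit runner of the kind described above (added example, not
Lynis code). Each test declares what it requires; it runs only when an earlier
step discovered that, and what it discovers (here an SSL/TLS config and the
certificates it references) feeds later tests. SYSTEM is a constructed
in-memory host view so the example runs offline; test IDs are made up."""

SYSTEM = {  # constructed snapshot of one host
    "binaries": {"sshd", "httpd"},
    "files": {
        "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\nMaxAuthTries 6\n",
        "/etc/httpd/conf/httpd.conf": "Include /etc/httpd/conf.d/ssl.conf\n",
        "/etc/httpd/conf.d/ssl.conf": (
            "SSLEngine on\n"
            "SSLCertificateFile /etc/pki/tls/certs/www.example.test.crt\n"
            "SSLProtocol all -SSLv3\n"
        ),
    },
}


def parse_kv(text):
    """Keyword/value config (sshd_config, httpd.conf): comments stripped,
    keywords lowercased, first occurrence wins as in sshd. One Include per
    file is enough for this example."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            out.setdefault(key.lower(), value.strip())
    return out


def t_detect_services(system, facts):
    """Step 2 of the scan: what is installed decides which tests run later."""
    return {"sshd": "sshd" in system["binaries"],
            "httpd": "httpd" in system["binaries"]}, []


def t_ssh_config(system, facts):
    cfg = parse_kv(system["files"].get("/etc/ssh/sshd_config", ""))
    lines = []
    if cfg.get("permitrootlogin", "yes") not in ("no", "prohibit-password"):
        lines.append("WARNING    SSH-0002 PermitRootLogin permits root; set it to no")
    tries = cfg.get("maxauthtries", "6")          # sshd's own default is 6
    if int(tries) > 3:
        lines.append("SUGGESTION SSH-0003 MaxAuthTries %s; lower it to 3" % tries)
    return {"sshd_config": cfg}, lines


def t_apache_tls(system, facts):
    """Follow Include directives from the main config; when an SSL/TLS config
    turns up, audit it and record the certificate files for a later test."""
    files, certs, lines = system["files"], [], []
    queue, seen = ["/etc/httpd/conf/httpd.conf"], set()
    while queue:
        path = queue.pop()
        if path in seen or path not in files:
            continue
        seen.add(path)
        cfg = parse_kv(files[path])
        if "include" in cfg:
            queue.append(cfg["include"])
        if cfg.get("sslengine", "off").lower() != "on":
            continue
        if "sslcertificatefile" in cfg:
            certs.append(cfg["sslcertificatefile"])
        protos = cfg.get("sslprotocol", "all").split()   # e.g. ['all', '-SSLv3']
        if "-SSLv3" not in protos:
            lines.append("WARNING    HTTP-0002 %s: SSLProtocol allows SSLv3" % path)
        if "-TLSv1" not in protos:
            lines.append("SUGGESTION HTTP-0003 %s: TLSv1 still allowed; add -TLSv1 -TLSv1.1" % path)
    return {"certificates": certs}, lines


def t_cert_inventory(system, facts):
    return {}, ["INFO       CRYP-0001 certificate queued for scan: %s" % c
                for c in facts["certificates"]]


# (id, prerequisite on the facts collected so far, test function), in scan order
TESTS = [
    ("SRV-0001", lambda f: True, t_detect_services),
    ("SSH-0001", lambda f: f.get("sshd", False), t_ssh_config),
    ("HTTP-0001", lambda f: f.get("httpd", False), t_apache_tls),
    ("CRYP-0001", lambda f: bool(f.get("certificates")), t_cert_inventory),
]


def audit(system):
    """Run the tests in order; skip any whose prerequisite was not discovered.
    Returns (facts, report lines, skipped test IDs)."""
    facts, report, skipped = {}, [], []
    for test_id, requires, run in TESTS:
        if not requires(facts):
            skipped.append(test_id)
            continue
        new_facts, lines = run(system, facts)
        facts.update(new_facts)
        report.extend(lines)
    return facts, report, skipped


if __name__ == "__main__":
    _, report, skipped = audit(SYSTEM)
    print("\n".join(report), "\nskipped:", skipped)
    # Without httpd the whole Apache -> TLS -> certificate chain is never attempted:
    print("skipped:", audit({"binaries": {"sshd"}, "files": SYSTEM["files"]})[2])
```

The second call at the bottom is the point of the design: remove httpd from the host and the Apache test, and with it the certificate inventory that depended on its output, are skipped rather than reported as failures, which is why two hosts never produce the same audit.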

Link: http://feedproxy.google.com/~r/PentestTools/~3/SfDf5sliFYA/lynis-273-security-auditing-tool-for.html

Dnsdmpstr – Unofficial API & Client For Dnsdumpster.Com And Hackertarget.Com

Unofficial API & Client for DNS Dumpster and HackerTarget.com IP tools.
https://dnsdumpster.com/
https://hackertarget.com/ip-tools/

Installation
    git clone https://github.com/zeropwn/dnsdmpstr
    cd dnsdmpstr
    pip3 install -r requirements.txt
    chmod +x ddump.py

Usage
As a command-line utility
    target="hackerone.com"
    python3 ddump.py -u $target --all

Extended usage
    usage: ddump.py [-h] [-u U] [-a] [-r] [-d] [-dd] [--links] [--headers] [--all]

    optional arguments:
      -h, --help  show this help message and exit
      -u U        target domain
      -a          host search (DNS A Record lookup)
      -r          reverse dns lookup (accepts IP, IP range or domain name)
      -d          dns lookup
      -dd         classical dns dump format
      --links     grab page links from url
      --headers   grab http headers from url
      --all       grab all information available

As a library
    import json
    from dnsdmpstr import dnsdmpstr  # the module and its class share the name

    target = "hackerone.com"
    dnsdump = dnsdmpstr()
    print(json.dumps(dnsdump.dump(target), indent=1))
    print(dnsdump.hostsearch(target))
    print(dnsdump.reversedns(target))
    print(dnsdump.dnslookup(target))
    print(dnsdump.pagelinks(target))
    print(dnsdump.httpheaders(target))

Download Dnsdmpstr

Link: http://feedproxy.google.com/~r/PentestTools/~3/cJrHa_dhIkQ/dnsdmpstr-unofficial-api-client-for.html

Armory – A Tool Meant To Take In A Lot Of External And Discovery Data From A Lot Of Tools, Add It To A Database And Correlate All Of Related Information

Armory is a tool meant to take in a lot of external and discovery data from a lot of tools, add it to a database and correlate all of the related information. It isn't meant to replace any specific tool. It is meant to take the output from various tools, and use it to feed other tools.

Additionally, it is meant to be easily extendable. Don't see a module for your favorite tool? Write one up! Want to export data in just the right format for your reporting? Create a new report!

Installation
Prerequisites
First, set up some kind of virtual environment. I like virtualenvwrapper:
http://virtualenvwrapper.readthedocs.io/en/latest/install.html

Actually installing
Clone the repo:
    git clone https://github.com/depthsecurity/armory
Install the module:
    python setup.py install
You will want to run armory at least once in order to create the default config directory: ~/.armory with the default settings.ini and settings for each of the modules.

Next edit settings.ini and modify the base_path option. This should point to the root path you are using for your current project. You should change this with every project, so you will always be using a clean database. All files generated by modules will be created in here, as well as the sqlite3 database. By default it will be within the current directory.

Usage
Usage is split into modules and reports.

Modules
Modules run tools, ingest output, and write it to the database. To see a list of available modules, type:
    armory -lm
To see a list of module options, type:
    armory -m <module> -M

Reports
Reports are similar to modules, except they are meant to pull data from the database, and display it in a usable format. To view all of the available reports:
    armory -lr
To view available report options:
    armory -r <report> -R

Interactive Shell
There is also an interactive shell which uses IPython as the base and will allow you to run commands or change database values. It can be launched with: armory-shell.
By default, the following will be available: Domain, BaseDomains, IPAddresses, CIDRs, Users, Creds, Vulns, Ports, Urls, ScopeCIDRs.

Download Armory
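The module/report split described above is the whole idea: modules only parse and insert, reports only query. The following added Python example shows that split in miniature, ingesting two constructed tool outputs (a subdomain list and nmap-style grepable lines) into an in-memory SQLite database and then running one correlation report that ties every open port back to the base domain it belongs to. This is my own illustration, not Armory's code or schema; the table names, base-domain heuristic and sample data are all assumptions made for the example.

```python
"""Minimal ingest-and-correlate pipeline of the kind Armory describes (added
example, not Armory's code or schema). Two constructed tool outputs are parsed
by small 'modules' into SQLite; a 'report' then joins them so every open port
is tied back to the base domain it belongs to."""
import sqlite3

# Constructed subdomain-enumeration output, made up for this example.
SUBDOMAIN_OUTPUT = """\
www.example.test
mail.example.test
dev.example.test
"""
# Constructed nmap -oG style lines (hostname in parentheses, empty if none).
NMAP_GREPABLE = """\
Host: 192.0.2.10 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.25 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///
Host: 192.0.2.30 ()\tPorts: 22/open/tcp//ssh///
"""

SCHEMA = """
CREATE TABLE domain (name TEXT PRIMARY KEY, base_domain TEXT);
CREATE TABLE ip (addr TEXT PRIMARY KEY);
CREATE TABLE domain_ip (name TEXT, addr TEXT, UNIQUE(name, addr));
CREATE TABLE port (addr TEXT, port INTEGER, proto TEXT, service TEXT,
                   UNIQUE(addr, port, proto));
"""


def base_domain(name):
    """Naive registrable-domain guess: last two labels (no public-suffix list)."""
    return ".".join(name.split(".")[-2:])


def ingest_subdomains(db, text):
    """Module 1: subdomain enumeration output, one hostname per line."""
    for name in filter(None, (l.strip() for l in text.splitlines())):
        db.execute("INSERT OR IGNORE INTO domain VALUES (?, ?)", (name, base_domain(name)))


def ingest_nmap_grepable(db, text):
    """Module 2: nmap grepable output; ties IPs to hostnames and records open ports."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        head, _, ports = line.partition("\tPorts: ")
        addr, _, host = head[len("Host: "):].partition(" ")
        host = host.strip("()")
        db.execute("INSERT OR IGNORE INTO ip VALUES (?)", (addr,))
        if host:
            db.execute("INSERT OR IGNORE INTO domain VALUES (?, ?)", (host, base_domain(host)))
            db.execute("INSERT OR IGNORE INTO domain_ip VALUES (?, ?)", (host, addr))
        for entry in ports.split(", "):
            fields = entry.split("/")          # port/state/proto/owner/service/...
            if fields[1] == "open":
                db.execute("INSERT OR IGNORE INTO port VALUES (?, ?, ?, ?)",
                           (addr, int(fields[0]), fields[2], fields[4]))


def report_ports_by_base_domain(db):
    """Report: open ports per hostname grouped under its base domain, plus IPs
    that no discovered hostname points at (candidates for a reverse lookup)."""
    rows = db.execute("""
        SELECT d.base_domain, d.name, p.addr, p.port, p.service
        FROM port p JOIN domain_ip di ON di.addr = p.addr
                    JOIN domain d ON d.name = di.name
        ORDER BY 1, 2, 4""").fetchall()
    orphans = [r[0] for r in db.execute(
        "SELECT addr FROM ip WHERE addr NOT IN (SELECT addr FROM domain_ip)")]
    return rows, orphans


def build(subdomains=SUBDOMAIN_OUTPUT, nmap=NMAP_GREPABLE):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    ingest_subdomains(db, subdomains)
    ingest_nmap_grepable(db, nmap)
    return db


if __name__ == "__main__":
    rows, orphans = report_ports_by_base_domain(build())
    for row in rows:
        print(row)
    print("IPs with no hostname (worth a reverse lookup):", orphans)
```

Two things the report surfaces that neither tool output shows on its own: dev.example.test was enumerated but never scanned (it has no row in domain_ip), and 192.0.2.30 has an open port but no name, which is exactly the gap a reverse-DNS module would be fed next.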

Link: http://www.kitploit.com/2019/03/armory-tool-meant-to-take-in-lot-of.html

Hashboy-Tool – A Hash Query Tool

Hashboy was redeveloped from hash-buster.
Author: Leiothrix

How to install
    $ git clone https://github.com/sf197/hashboy-tool
    $ cd hashboy-tool
    $ python3 hashboy.py

How to use
    $ python3 hashboy.py
    (ASCII art banner)
    Author:Leiothrix Github:https://github.com/sf197
    usage: hashboy.py [-h] [-s HASH] [-f FILE] [-t THREADS]

    optional arguments:
      -h, --help            show this help message and exit
      -s HASH, --hash HASH  hash
      -f FILE, --file FILE  file containing hashes
      -t THREADS, --threads THREADS
                            number of threads

Download Hashboy-Tool

Link: http://feedproxy.google.com/~r/PentestTools/~3/WF_Ut4LqVas/hashboy-tool-hash-query-tool.html

Karma – Search of Emails and Passwords on Pwndb

Karma is a tool written in python3 for the search of emails and passwords on the site: pwndb2am4tzkvold (dot) onion

Install
    sudo apt install tor python3 python3-pip
    git clone https://github.com/decoxviii/karma.git ; cd karma
    sudo -H pip3 install -r requirements.txt
    python3 bin/karma.py --help

Tests
All the tests were done in Debian/Ubuntu.
Search emails with the password 123456789:
    python3 bin/karma.py search '123456789' --password -o test1
Search emails with the local-part johndoe:
    python3 bin/karma.py search 'johndoe' --local-part -o test2
Search emails with the domain hotmail.com:
    python3 bin/karma.py search 'hotmail.com' --domain -o test3
Search the password of the email johndoe@unknown.com:
    python3 bin/karma.py target 'johndoe@unknown.com' -o test4

Thanks
This program is inspired by the projects:
- M3l0nPan - pwndb-api
- davidtavarez - pwndb

Download Karma

Link: http://www.kitploit.com/2019/03/karma-search-of-emails-and-passwords-on.html

Arjun v1.3 – HTTP Parameter Discovery Suite

Features
- Multi-threading
- 4 modes of detection
- A typical scan takes 30 seconds
- Regex powered heuristic scanning
- Huge list of 25,980 parameter names
- Makes just 30-35 requests to the target

Usage
Note: Arjun doesn't work with python < 3.4

Discover parameters
To find GET parameters, you can simply do:
    python3 arjun.py -u https://api.example.com/endpoint --get
Similarly, use --post to find POST parameters.

Multi-threading
Arjun uses 2 threads by default but you can tune its performance according to your network connection.
    python3 arjun.py -u https://api.example.com/endpoint --get -t 22

Delay between requests
You can delay the requests by using the -d option as follows:
    python3 arjun.py -u https://api.example.com/endpoint --get -d 2

Including persistent data
Let's say you have an API key that you need to send with every request; to tell Arjun to do that you can use the --include option as follows:
    python3 arjun.py -u https://api.example.com/endpoint --get --include 'api_key=xxxxx'
OR
    python3 arjun.py -u https://api.example.com/endpoint --get --include '{"api_key":"xxxxx"}'
To include multiple parameters, use & to separate them or pass them as a valid JSON object.

JSON Output
You can save the result in JSON format by using -o as follows:
    python3 arjun.py -u https://api.example.com/endpoint --get -o result.json

Adding HTTP Headers
Using the --headers switch will open an interactive prompt where you can paste your headers. Press Ctrl + S to save and Ctrl + X to proceed.
Note: Arjun uses nano as the default editor for the prompt but you can change it by tweaking /core/prompt.py.

Credits
The parameter names are taken from @SecLists.

Download Arjun
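A 25,980-name wordlist tested in 30-35 requests only works if many candidate names are sent per request and the response is compared against a baseline, with the set bisected whenever something changes. The following added Python example implements that bulk-and-bisect approach against a local stand-in for an HTTP endpoint, and also shows why --include matters: without the required api_key every response is the same 401 and nothing is discoverable. This is my own illustration of the technique, not Arjun's code (Arjun's detection modes and heuristics differ); fake_endpoint, the two hidden parameter names and WORDLIST are constructed for the example.

```python
"""Parameter discovery by bulk injection and bisection (added example, not
Arjun's code). The 'endpoint' is a local function standing in for an HTTP
server, so this runs offline; hidden parameters and wordlist are constructed."""
import hashlib


def fake_endpoint(params):
    """Constructed target: needs api_key, reflects two hidden parameters
    (debug, user_id) in its body and ignores every other name."""
    if params.get("api_key") != "secret":
        return 401, "unauthorized"
    body = {"status": "ok"}
    if "debug" in params:
        body["debug"] = "verbose logging enabled"
    if "user_id" in params:
        body["user"] = "lookup for %s" % params["user_id"]
    return 200, repr(sorted(body.items()))


def fingerprint(response):
    """Collapse a response to something comparable. A real scanner would first
    normalise timestamps, CSRF tokens and reflected values (Arjun's 'regex
    powered heuristics' do this) or every probe would look different."""
    status, body = response
    return status, hashlib.sha256(body.encode()).hexdigest()


class Discoverer:
    def __init__(self, endpoint, include=None):
        self.endpoint = endpoint
        self.include = dict(include or {})   # persistent data, like --include
        self.requests = 0

    def probe(self, names):
        """One request carrying every candidate name with a dummy value."""
        self.requests += 1
        params = dict(self.include)
        params.update({n: "d3e2" for n in names})
        return fingerprint(self.endpoint(params))

    def discover(self, wordlist):
        """Send the whole list at once; whenever a chunk changes the response,
        split it and recurse, pruning chunks that behave like the baseline."""
        baseline = self.probe([])
        found, stack = [], [list(wordlist)]
        while stack:
            chunk = stack.pop()
            if self.probe(chunk) == baseline:
                continue                     # no name in this chunk matters
            if len(chunk) == 1:
                found.append(chunk[0])
                continue
            mid = len(chunk) // 2
            stack.extend([chunk[:mid], chunk[mid:]])
        return sorted(found)


WORDLIST = [  # constructed, SecLists-style names; 32 of them
    "id", "page", "q", "search", "lang", "debug", "token", "user_id",
    "callback", "format", "limit", "offset", "sort", "order", "filter", "redirect",
    "next", "ref", "utm_source", "view", "mode", "type", "key", "action",
    "file", "path", "name", "email", "password", "admin", "role", "test",
]

if __name__ == "__main__":
    d = Discoverer(fake_endpoint, include={"api_key": "secret"})
    print("found:", d.discover(WORDLIST), "in", d.requests,
          "requests for", len(WORDLIST), "names")
    bare = Discoverer(fake_endpoint)         # forgot --include: nothing found
    print("without api_key:", bare.discover(WORDLIST), "in", bare.requests, "requests")
```

With two live names among 32 candidates the search costs 14 requests (1 baseline + 13 probes) instead of 32; the count grows with the number of hits and the logarithm of the list size, which is what keeps a 25,980-entry list in the tens of requests. The bisection assumes a server accepts arbitrarily many query parameters in one request; against a WAF or a strict URL-length limit the first chunk has to be capped, costing a few more requests.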

Link: http://www.kitploit.com/2019/03/arjun-v13-http-parameter-discovery-suite.html