Recon-ng v5.0.0 – Open Source Intelligence Gathering Tool Aimed At Reducing The Time Spent Harvesting Information From Open Sources

Recon-ng is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open-source web-based reconnaissance quickly and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Wiki to get started.

Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. See the Development Guide for more information on building and maintaining modules.

Download Recon-ng

Link: http://feedproxy.google.com/~r/PentestTools/~3/aJ03REwtdTs/recon-ng-v500-open-source-intelligence.html

UACME – Defeating Windows User Account Control

Defeating Windows User Account Control by abusing the built-in Windows AutoElevate backdoor.

System Requirements

x86-32/x64 Windows 7/8/8.1/10 (client; some methods however work on server versions too).
Admin account with UAC set to default settings required.

Usage

Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info. The first param is the number of the method to use, the second is an optional command (executable file name including full path) to run. The second param can be empty; in this case the program will execute elevated cmd.exe from the system32 folder.

Keys (watch debug output with dbgview or similar for more info):

No. | Author | Type | Method | Target(s) | Component(s) | Implementation | Works from | Fixed in | How
----|--------|------|--------|-----------|--------------|----------------|------------|----------|----
1 | Leo Davidson | Dll Hijack | IFileOperation | \system32\sysprep\sysprep.exe | cryptbase.dll | ucmStandardAutoElevation | Windows 7 (7600) | Windows 8.1 (9600) | sysprep.exe hardened LoadFrom manifest elements
2 | Leo Davidson derivative | Dll Hijack | IFileOperation | \system32\sysprep\sysprep.exe | ShCore.dll | ucmStandardAutoElevation | Windows 8.1 (9600) | Windows 10 TP (> 9600) | Side effect of ShCore.dll moving to \KnownDlls
3 | Leo Davidson derivative by WinNT/Pitou | Dll Hijack | IFileOperation | \system32\oobe\setupsqm.exe | WdsCore.dll | ucmStandardAutoElevation | Windows 7 (7600) | Windows 10 TH2 (10558) | Side effect of OOBE redesign
4 | Jon Ericson, WinNT/Gootkit, mzH | AppCompat | RedirectEXE Shim | \system32\cliconfg.exe | - | ucmShimRedirectEXE | Windows 7 (7600) | Windows 10 TP (> 9600) | Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
5 | WinNT/Simda | Elevated COM interface | ISecurityEditor | HKLM registry keys | - | ucmSimdaTurnOffUac | Windows 7 (7600) | Windows 10 TH1 (10147) | ISecurityEditor interface method changed
6 | Win32/Carberp | Dll Hijack | WUSA | \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe | WdsCore.dll, CryptBase.dll, CryptSP.dll | ucmWusaMethod | Windows 7 (7600) | Windows 10 TH1 (10147) | WUSA /extract option removed
7 | Win32/Carberp derivative | Dll Hijack | WUSA | \system32\cliconfg.exe | ntwdblib.dll | ucmWusaMethod | Windows 7 (7600) | Windows 10 TH1 (10147) | WUSA /extract option removed
8 | Leo Davidson derivative by Win32/Tilon | Dll Hijack | IFileOperation | \system32\sysprep\sysprep.exe | Actionqueue.dll | ucmStandardAutoElevation | Windows 7 (7600) | Windows 8.1 (9600) | sysprep.exe hardened LoadFrom manifest
9 | Leo Davidson, WinNT/Simda, Win32/Carberp derivative | Dll Hijack | IFileOperation, ISecurityEditor, WUSA | IFEO registry keys, \system32\cliconfg.exe | Attacker defined Application Verifier Dll | ucmAvrfMethod | Windows 7 (7600) | Windows 10 TH1 (10147) | WUSA /extract option removed, ISecurityEditor interface method changed
10 | WinNT/Pitou, Win32/Carberp derivative | Dll Hijack | IFileOperation, WUSA | \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe | Attacker defined dll, e.g. PowProf.dll, DevObj.dll | ucmWinSATMethod | Windows 7 (7600) | Windows 10 TH2 (10548) | AppInfo elevated application path control hardening
11 | Jon Ericson, WinNT/Gootkit, mzH | AppCompat | Shim Memory Patch | \system32\iscsicli.exe | Attacker prepared shellcode | ucmShimPatch | Windows 7 (7600) | Windows 8.1 (9600) | Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions
12 | Leo Davidson derivative | Dll Hijack | IFileOperation | \system32\sysprep\sysprep.exe | dbgcore.dll | ucmStandardAutoElevation | Windows 10 TH1 (10240) | Windows 10 TH2 (10565) | sysprep.exe manifest updated
13 | Leo Davidson derivative | Dll Hijack | IFileOperation | \system32\mmc.exe EventVwr.msc | elsext.dll | ucmMMCMethod | Windows 7 (7600) | Windows 10 RS1 (14316) | Missing dependency removed
14 | Leo Davidson, WinNT/Sirefef derivative | Dll Hijack | IFileOperation | \system\credwiz.exe, \system32\wbem\oobe.exe | netutils.dll | ucmSirefefMethod | Windows 7 (7600) | Windows 10 TH2 (10548) | AppInfo elevated application path control hardening
15 | Leo Davidson, Win32/Addrop, Metasploit derivative | Dll Hijack | IFileOperation | \system32\cliconfg.exe | ntwdblib.dll | ucmGenericAutoelevation | Windows 7 (7600) | Windows 10 RS1 (14316) | Cliconfg.exe autoelevation removed
16 | Leo Davidson derivative | Dll Hijack | IFileOperation | \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe | SLC.dll | ucmGWX | Windows 7 (7600) | Windows 10 RS1 (14316) | AppInfo elevated application path control and inetmgr executable hardening
17 | Leo Davidson derivative | Dll Hijack (Import forwarding) | IFileOperation | \system32\sysprep\sysprep.exe | unbcl.dll | ucmStandardAutoElevation2 | Windows 8.1 (9600) | Windows 10 RS1 (14371) | sysprep.exe manifest updated
18 | Leo Davidson derivative | Dll Hijack (Manifest) | IFileOperation | \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest) | Attacker defined | ucmAutoElevateManifest | Windows 7 (7600) | Windows 10 RS1 (14371) | Manifest parsing logic reviewed
19 | Leo Davidson derivative | Dll Hijack | IFileOperation | \system32\inetsrv\inetmgr.exe | MsCoree.dll | ucmInetMgrMethod | Windows 7 (7600) | Windows 10 RS1 (14376) | inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
20 | Leo Davidson derivative | Dll Hijack | IFileOperation | \system32\mmc.exe, Rsop.msc | WbemComn.dll | ucmMMCMethod | Windows 7 (7600) | Windows 10 RS3 (16232) | Target requires wbemcomn.dll to be signed by MS
21 | Leo Davidson derivative | Dll Hijack | IFileOperation, SxS DotLocal | \system32\sysprep\sysprep.exe | comctl32.dll | ucmSXSMethod | Windows 7 (7600) | Windows 10 RS3 (16232) | MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images
22 | Leo Davidson derivative | Dll Hijack | IFileOperation, SxS DotLocal | \system32\consent.exe | comctl32.dll | ucmSXSMethod | Windows 7 (7600) | unfixed | -
23 | Leo Davidson derivative | Dll Hijack | IFileOperation | \system32\pkgmgr.exe | DismCore.dll | ucmDismMethod | Windows 7 (7600) | unfixed | -
24 | BreakingMalware | Shell API | Environment variables expansion | \system32\CompMgmtLauncher.exe | Attacker defined | ucmCometMethod | Windows 7 (7600) | Windows 10 RS2 (15031) | CompMgmtLauncher.exe autoelevation removed
25 | Enigma0x3 | Shell API | Registry key manipulation | \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe | Attacker defined | ucmHijackShellCommandMethod | Windows 7 (7600) | Windows 10 RS2 (15031) | EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed
26 | Enigma0x3 | Race Condition | File overwrite | %temp%\GUID\dismhost.exe | LogProvider.dll | ucmDiskCleanupRaceCondition | Windows 10 TH1 (10240), AlwaysNotify compatible | Windows 10 RS2 (15031) | File security permissions altered
27 | ExpLife | Elevated COM interface | IARPUninstallStringLauncher | Attacker defined | Attacker defined | ucmUninstallLauncherMethod | Windows 7 (7600) | Windows 10 RS3 (16199) | UninstallStringLauncher interface removed from COMAutoApprovalList
28 | Exploit/Sandworm | Whitelisted component | InfDefaultInstall | Attacker defined | Attacker defined | ucmSandwormMethod | Windows 7 (7600) | Windows 8.1 (9600) | InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)
29 | Enigma0x3 | Shell API | Registry key manipulation | \system32\sdclt.exe | Attacker defined | ucmAppPathMethod | Windows 10 TH1 (10240) | Windows 10 RS3 (16215) | Shell API update
30 | Leo Davidson derivative, lhc645 | Dll Hijack | WOW64 logger | \syswow64\{any elevated exe, e.g wusa.exe} | wow64log.dll | ucmWow64LoggerMethod | Windows 7 (7600) | unfixed | -
31 | Enigma0x3 | Shell API | Registry key manipulation | \system32\sdclt.exe | Attacker defined | ucmSdcltIsolatedCommandMethod | Windows 10 TH1 (10240) | Windows 10 RS4 (17025) | Shell API / Windows components update
32 | xi-tauw | Dll Hijack | UIPI bypass with uiAccess application | \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe | duser.dll, osksupport.dll | ucmUiAccessMethod | Windows 7 (7600) | unfixed | -
33 | winscripting.blog | Shell API | Registry key manipulation | \system32\fodhelper.exe, \system32\computerdefaults.exe | Attacker defined | ucmMsSettingsDelegateExecuteMethod | Windows 10 TH1 (10240) | unfixed | -
34 | James Forshaw | Shell API | Environment variables expansion | \system32\svchost.exe via \system32\schtasks.exe | Attacker defined | ucmDiskCleanupEnvironmentVariable | Windows 8.1 (9600), AlwaysNotify compatible | unfixed | -
35 | CIA & James Forshaw | Impersonation | Token Manipulations | Autoelevated applications | Attacker defined | ucmTokenModification | Windows 7 (7600), AlwaysNotify compatible, see note | Windows 10 RS5 (17686) | ntoskrnl.exe->SeTokenCanImpersonate additional access token check added
36 | Thomas Vanhoutte aka SandboxEscaper | Race condition | NTFS reparse point & Dll Hijack | wusa.exe | dcomcnfg.exe, mmc.exe, ole32.dll, MsCoree.dll | ucmJunctionMethod | Windows 7 (7600) | unfixed | -
37 | Ernesto Fernandez, Thomas Vanhoutte | Dll Hijack | SxS DotLocal, NTFS reparse point | \system32\dccw.exe | GdiPlus.dll | ucmSXSDccwMethod | Windows 7 (7600) | unfixed | -
38 | Clement Rouault | Whitelisted component | APPINFO command line spoofing | \system32\mmc.exe | Attacker defined | ucmHakrilMethod | Windows 7 (7600) | unfixed | -
39 | Stefan Kanthak | Dll Hijack | .NET Code Profiler | \system32\mmc.exe | Attacker defined | ucmCorProfilerMethod | Windows 7 (7600) | unfixed | -
40 | Ruben Boonen | COM Handler Hijack | Registry key manipulation | \system32\mmc.exe, \System32\recdisc.exe | Attacker defined | ucmCOMHandlersMethod | Windows 7 (7600) | Windows 10 19H1 (18362) | Side effect of Windows changes
41 | Oddvar Moe | Elevated COM interface | ICMLuaUtil | Attacker defined | Attacker defined | ucmCMLuaUtilShellExecMethod | Windows 7 (7600) | unfixed | -
42 | BreakingMalware and Enigma0x3 | Elevated COM interface | IFwCplLua | Attacker defined | Attacker defined | ucmFwCplLuaMethod | Windows 7 (7600) | Windows 10 RS4 (17134) | Shell API update
43 | Oddvar Moe derivative | Elevated COM interface | IColorDataProxy, ICMLuaUtil | Attacker defined | Attacker defined | ucmDccwCOMMethod | Windows 7 (7600) | unfixed | -
44 | bytecode77 | Shell API | Environment variables expansion | Multiple auto-elevated processes | Various per target | ucmVolatileEnvMethod | Windows 7 (7600) | Windows 10 RS3 (16299) | Current user system directory variables ignored during process creation
45 | bytecode77 | Shell API | Registry key manipulation | \system32\slui.exe | Attacker defined | ucmSluiHijackMethod | Windows 8.1 (9600) | unfixed | -
46 | Anonymous | Race Condition | Registry key manipulation | \system32\BitlockerWizardElev.exe | Attacker defined | ucmBitlockerRCMethod | Windows 7 (7600) | Windows 10 RS4 (>16299) | Shell API update
47 | clavoillotte & 3gstudent | COM Handler Hijack | Registry key manipulation | \system32\mmc.exe | Attacker defined | ucmCOMHandlersMethod2 | Windows 7 (7600) | Windows 10 19H1 (18362) | Side effect of Windows changes
48 | deroko | Elevated COM interface | ISPPLUAObject | Attacker defined | Attacker defined | ucmSPPLUAObjectMethod | Windows 7 (7600) | Windows 10 RS5 (17763) | ISPPLUAObject interface method changed
49 | RinN | Elevated COM interface | ICreateNewLink | \system32\TpmInit.exe | WbemComn.dll | ucmCreateNewLinkMethod | Windows 7 (7600) | Windows 10 RS1 (14393) | Side effect of consent.exe COMAutoApprovalList introduction
50 | Anonymous | Elevated COM interface | IDateTimeStateWrite, ISPPLUAObject | w32time service | w32time.dll | ucmDateTimeStateWriterMethod | Windows 7 (7600) | Windows 10 RS5 (17763) | Side effect of ISPPLUAObject interface change
51 | bytecode77 derivative | Elevated COM interface | IAccessibilityCplAdmin | \system32\rstrui.exe | Attacker defined | ucmAcCplAdminMethod | Windows 7 (7600) | Windows 10 RS4 (17134) | Shell API update
52 | David Wells | Whitelisted component | AipNormalizePath parsing abuse | Attacker defined | Attacker defined | ucmDirectoryMockMethod | Windows 7 (7600) | unfixed | -
53 | Emeric Nasi | Shell API | Registry key manipulation | \system32\sdclt.exe | Attacker defined | ucmShellDelegateExecuteCommandMethod | Windows 10 (14393) | unfixed | -
54 | egre55 | Dll Hijack | Dll path search abuse | \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe | \AppData\Local\Microsoft\WindowsApps\srrstr.dll | ucmEgre55Method | Windows 10 (14393) | unfixed | -
55 | James Forshaw | GUI Hack | UIPI bypass with token modification | \system32\osk.exe, \system32\msconfig.exe | Attacker defined | ucmTokenModUIAccessMethod | Windows 7 (7600) | unfixed | -
56 | Hashim Jawad | Shell API | Registry key manipulation | \system32\WSReset.exe | Attacker defined | ucmShellDelegateExecuteCommandMethod | Windows 10 (17134) | unfixed | -
57 | Leo Davidson derivative by Win32/Gapz | Dll Hijack | IFileOperation | \system32\sysprep\sysprep.exe | unattend.dll | ucmStandardAutoElevation | Windows 7 (7600) | Windows 8.1 (9600) | sysprep.exe hardened LoadFrom manifest elements

Note:

Method (6) is unavailable in the wow64 environment starting from Windows 8;
Methods (11) and (54) are implemented only in the x86-32 version;
Methods (13), (19), (30), (38) and (50) are implemented only in the x64 version;
Method (14) requires process injection; wow64 is unsupported, use the x64 version of this tool;
Method (26) is still working, however its main advantage was UAC bypass on the AlwaysNotify level. Since 15031 it is gone;
Method (30) requires x64 because it abuses a WOW64 subsystem feature;
Method (35) is AlwaysNotify compatible, as there will always be running autoelevated apps or the user will have to launch them anyway;
Method (38) requires an internet connection as it executes a remote script located at github.com/hfiref0x/Beacon/blob/master/uac/exec.html;
Method (55) is not really reliable (as any GUI hack) and is included just for fun.

Run examples:

    akagi32.exe 1
    akagi64.exe 3
    akagi32 1 c:\windows\system32\calc.exe
    akagi64 3 c:\windows\system32\charmap.exe

Warning

This tool shows ONLY popular UAC bypass methods used by malware, and reimplements some of them in a different way, improving the original concepts. Different methods not yet known to the general public exist; be aware of this;
Using method (5) will permanently turn off UAC (after reboot); make sure to do this in a test environment or don't forget to re-enable UAC after tool usage;
Using methods (5) and (9) will permanently compromise the security of the target keys (UAC Settings key for (5) and IFEO for (9)); if you do tests on your real machine, restore the keys' security manually after you complete this tool usage;
This tool is not intended for AV tests and is not tested to work in an aggressive AV environment; if you still plan to use it with installed bloatware AV soft, you use it at your own risk;
Some AV may flag this tool as HackTool; MSE/WinDefender constantly marks it as malware, nope;
If you run this program on a real computer remember to remove all program leftovers after usage; for more info about the files it drops to system folders see the source code;
Most of the methods were created for x64, with no x86-32 support in mind. I don't see any sense in supporting 32 bit versions of Windows or wow64, however with small tweaks most of them will run under wow64 as well.

If you are wondering why this still exists and works, here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as a bonus): https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105

Windows 10 support and testing policy

EOL'ed versions of Windows 10 are not supported and therefore not tested (at the moment of writing, EOL'ed Windows 10 versions are: TH1 (10240), TH2 (10586));
Insider builds are not supported as methods may be fixed there.

Protection

Account without administrative privileges.

Malware usage

It is currently known that UACMe is used by Adware/Multiplug (9), by Win32/Dyre (3), by Win32/Empercrypt (10 & 13), by IcedID downloader (35 & 41). We do not take any responsibility for this tool's usage for malicious purposes. It is free, open-source and provided AS-IS for everyone.

Other usage

Currently used as a "signature" by the "THOR APT" scanner (handmade pattern matching fraudware from Germany). We do not take any responsibility for this tool's usage in the fraudware;
The scamware project called "uacguard" has references to UACMe from their platform. We do not take any responsibility for this tool's usage in the scamware. The repository https://github.com/hfiref0x/UACME and its contents are the only genuine source for UACMe code. We have nothing to do with external links to this project, mentions anywhere, as well as modifications (forks);
In July 2016 the so-called "security company" Cymmetria released a report about a script-kiddie malware bundle called "Patchwork" and false-flagged it as APT. They stated it was using the "UACME method", which in fact is just a slightly and unprofessionally modified injector dll from UACMe v1.9 and was using the Carberp/Pitou hybrid method in a malware self-implemented way. We do not take any responsibility for UACMe usage in the dubious advertising campaigns of third party "security companies".

Build

UACMe comes with full source code, written in C with some parts written in C#;
In order to build from source you need Microsoft Visual Studio 2013/2015 U2 and later versions.

Instructions

1. Select Platform ToolSet first for the project in the solution you want to build (Project->Properties->General):
   v120 for Visual Studio 2013;
   v140 for Visual Studio 2015;
   v141 for Visual Studio 2017.
2. For v140 and above set Target Platform Version (Project->Properties->General):
   If v140 then select 8.1 (note that the Windows 8.1 SDK must be installed);
   If v141 then select 10.0.17134.0 (note that the Windows 10.0.17134 SDK must be installed).

Note that the Fujinami module is built with .NET Framework 3.0 (this is a requirement for it to work), so .NET Framework 3.0 must be installed if you want to build this module. Can be built with SDK 8.1/10.17134/10.17763.

References

Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
Junfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/
Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
Command Injection/Elevation – Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
"Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
Using IARPUninstallStringLauncher COM interface to bypass UAC, http://www.freebuf.com/articles/system/116611.html
Bypassing UAC using App Paths, https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
"Fileless" UAC Bypass using sdclt.exe, https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/
Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
First entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
Reading Your Way Around UAC in 3 parts:
https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html
https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html
https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
Research on CMSTP.exe, https://msitpros.com/?p=3960
UAC bypass via elevated .NET applications, https://offsec.provadys.com/UAC-bypass-dotnet.html
UAC Bypass by Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
Yet another sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
UAC Bypass via SystemPropertiesAdvanced.exe and DLL Hijacking, https://egre55.github.io/system-properties-uac-bypass/
Accessing Access Tokens for UIAccess, https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html
Fileless UAC Bypass in Windows Store Binary, https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html

Authors

(c) 2014 – 2019 UACMe Project

Download UACME

Link: http://feedproxy.google.com/~r/PentestTools/~3/SVc2u0HEg4k/uacme-defeating-windows-user-account.html

PTF v2.3 – The Penetration Testers Framework Is A Way For Modular Support For Up-To-Date Tools

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.

The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minutes.

Instructions:

First check out the config/ptf.config file, which contains the base location of where to install everything. By default this will install in the /pentest directory. Once you have that configured, move to running PTF by typing ./ptf (or python ptf).

This will put you in a Metasploit-esque type shell which has a similar look and feel for consistency. show modules, use, etc. are all accepted commands. First things first, always type help or ? to see a full list of commands.

For a video tutorial on how to use PTF, check out our Vimeo page here: https://vimeo.com/137133837

Update EVERYTHING!

If you want to install and/or update everything, simply do the following:

    ./ptf
    use modules/install_update_all
    yes

This will install all of the tools inside of PTF. If they are already installed, this will iterate through and update everything for you automatically.

You can also individually install each module, then use modules/update_installed, which will only update what you've previously installed. For example:

    ./ptf
    use modules/update_installed

This will only update the ones you've previously installed. You can also show options to change information about the modules.

If you only want to install, for example, exploitation tools, you can run:

    ./ptf
    use modules/exploitation/install_update_all

This will only install the exploitation modules. You can do this for any module category.

Customize your own installed tools

You can install only the tools you want by going to the modules/custom_list/list.py section. Modify the list.py file and add only the tools you want to install or update. Then when in PTF:

    ./ptf
    use modules/custom_list/list
    yes

This allows you to carry your module configuration over and only install the tools that you want and keep them updated.

Modules:

First, head over to the modules/ directory; inside there are sub directories based on the Penetration Testing Execution Standard (PTES) phases. Go into those phases and look at the different modules. As soon as you add a new one, for example testing.py, it will automatically be imported the next time you launch PTF.
There are a few key components that must be completed when looking at a module. Below is a sample module:

AUTHOR="David Kennedy (ReL1K)"
DESCRIPTION="This module will install/update the Browser Exploitation Framework (BeEF)"
INSTALL_TYPE="GIT"
REPOSITORY_LOCATION="https://github.com/beefproject/beef"
X64_LOCATION="https://github.com/something_thats_x64_instead_of_x86"
INSTALL_LOCATION="beef"
DEBIAN="ruby1.9.3,sqlite3,ruby-sqlite3"
ARCHLINUX="arch-module,etc"
BYPASS_UPDATE="NO"
AFTER_COMMANDS="cd {INSTALL_LOCATION},ruby install-beef"
LAUNCHER="beef"
TOOL_DEPEND="modules/exploitation/metasploit"

Module Development:
All of the fields are pretty easy. For the repository location you can use GIT, SVN or FILE. Fill in the dependencies and the install location you want. PTF will take the category in which the Python file is located (for example exploitation) and place the tool under the base path you specify in the PTF config (located under config). By default it installs all your tools to /pentest/PTES_PHASE/TOOL_FOLDER.
Note that in modules you can use {INSTALL_LOCATION} in after commands. It expands to the tool's install location when the after commands run. You can also use {PTF_LOCATION}, which expands to the base path of your PTF installation.
You also have the ability to specify both a 32-bit and a 64-bit repository location. REPOSITORY_LOCATION should always be the x86 download path. To add a 64-bit path for a tool, specify X64_LOCATION and give it a URL. When PTF launches it will automatically detect the architecture and attempt to use the x64 link instead of the x86 one.
Note that ArchLinux packages are also supported; a module needs both DEBIAN and ARCHLINUX specified in order to install properly on either platform.

GITLAB Support:
You can create your own modules, and PTF also supports GitLab access. Instead of specifying git, wget, etc., simply specify gitlab and point to your own internal GitLab tools for modules.

BYPASS UPDATES:
When using traditional git or svn as the main method, updating an installed module will just grab the latest version of the tool. With after commands, you may need to re-run the after commands each time you update. If you set bypass updates to YES (BYPASS_UPDATE="YES"), each time the tool is run it will check out the latest version and still run the after commands. If this is set to NO, it will only git pull the latest version. For FILE options, it is recommended to always use BYPASS_UPDATE="YES" so that the files are overwritten each time.

After Commands:
After commands are commands that you can insert after an installation. This could be switching to a directory and kicking off additional commands to finish the installation. For example, in the BeEF scenario you need to run ruby install-beef afterwards. Below is an example of after commands using the {INSTALL_LOCATION} flag, for AFTER_COMMANDS that self-install (don't need user interaction):

AFTER_COMMANDS="cp config/dict/rockyou.txt {INSTALL_LOCATION}"

Automatic Launchers:
The LAUNCHER= flag in modules is optional. If you add LAUNCHER="setoolkit" for example, PTF will automatically create a launcher for the tool under /usr/local/bin/. In the setoolkit example, when run, PTF will automatically create a file under /usr/local/bin/setoolkit so you can launch SET from anywhere by simply typing setoolkit. All files will still be installed under the appropriate categories, for example /pentest/exploitation/setoolkit; however, an automatic launcher will be created.
You can have multiple launchers for an application. For example, for Metasploit you may want msfconsole, msfvenom, etc. In order to add multiple launchers, simply put a comma between them. For example, LAUNCHER="msfconsole,msfvenom" would create launchers for both.

Automatic Command Line:
You can also just run ./ptf --update-all and it will automatically update everything for you without having to go into the framework.

Running Unattended:
If you're running ptf in an automatic build, you can use a heredoc so you don't have to interactively type the modules you wish to install. Example:

./ptf <<EOF
use modules/exploitation/metasploit
run
use modules/password-recovery/johntheripper
run
EOF

TOOL DEPENDS:
Some tools such as Veil, SET, etc. require tools such as the Metasploit Framework. If a tool must be installed prior to installing the module's tool, you can add TOOL_DEPEND="modules/exploitation/metasploit,modules/exploitation/set" (with as many other tools as needed) to the module. This will force PTF to install the required tool first, then install the module that requires it. Example:

TOOL_DEPEND="modules/exploitation/metasploit"

This will install Metasploit first, or ensure it is already installed, prior to installing the application.

IGNORE Modules or Categories:
The IGNORE_THESE_MODULES= config option can be found under config/ptf.config in the PTF root directory. This will ignore modules and not install them. Everything is comma separated and based on name, for example modules/exploitation/metasploit,modules/exploitation/set, or entire module categories, like /modules/code-audit/*,/modules/reporting/*

IGNORE Modules from Update/Install All:
The IGNORE_UPDATE_ALL_MODULES= config option can be found under config/ptf.config in the PTF root directory. This will ignore modules only when doing install_update_all, which is used when you want to install all tools. This could be for large applications that take substantial time, ones that require user interaction, or ones that open up a number of ports and protocols on the system. This works very similar to IGNORE_THESE_MODULES, except that the modules can still be manually installed and updated through modules/update_installed. These are comma delimited, so for example modules/exploitation/tool1,modules/exploitation/tool2; when running install_update_all, this would not install the tools unless you went to use modules/exploitation/tool1 and installed via that method.

INCLUDE_ONLY_THESE_MODULES:
The INCLUDE_ONLY_THESE_MODULES config option under config/ptf.config will only install and include the specific modules that are specified here. This is good for baselining the tools that you want and only installing them.

Written by: David Kennedy (@HackingDave)
https://www.trustedsec.com
Download PTF
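The module rules above (x86 vs x64 repository selection, {INSTALL_LOCATION}/{PTF_LOCATION} expansion, comma-separated LAUNCHER and TOOL_DEPEND lists, and the BYPASS_UPDATE recommendation for FILE installs) can be checked against a module file before it is committed. This is an added example, not PTF's own code: the sample module text, the X64 URL and the /pentest base path are constructed for illustration.

```python
"""Added example (not PTF code): parse a PTF-style module definition and resolve
its fields the way the README describes. Sample module, X64 URL and base path
are constructed for illustration."""
import re

# Constructed sample module, modelled on the BeEF module shown in the README.
SAMPLE_MODULE = '''\
AUTHOR="David Kennedy (ReL1K)"
DESCRIPTION="This module will install/update the Browser Exploitation Framework (BeEF)"
INSTALL_TYPE="GIT"
REPOSITORY_LOCATION="https://github.com/beefproject/beef"
X64_LOCATION="https://example.invalid/beef-x64"
INSTALL_LOCATION="beef"
DEBIAN="ruby1.9.3,sqlite3,ruby-sqlite3"
ARCHLINUX = "arch-module,etc"
BYPASS_UPDATE="NO"
AFTER_COMMANDS="cd {INSTALL_LOCATION},ruby install-beef"
LAUNCHER="beef"
TOOL_DEPEND="modules/exploitation/metasploit"
'''

# KEY="value", with optional whitespace around '=' (the README's ARCHLINUX line has it).
LINE_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')
INSTALL_TYPES = {"GIT", "SVN", "FILE", "GITLAB"}  # GITLAB per the README's GitLab support note
LAUNCHER_DIR = "/usr/local/bin"                    # where the README says launchers are created


def parse_module(text):
    """Turn KEY="value" lines into a dict; blank lines and '#' comments are skipped."""
    fields = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f'line {lineno}: not a KEY="value" assignment: {line!r}')
        fields[match.group(1)] = match.group(2)
    for required in ("INSTALL_TYPE", "REPOSITORY_LOCATION", "INSTALL_LOCATION"):
        if required not in fields:
            raise ValueError(f"missing required field {required}")
    if fields["INSTALL_TYPE"].upper() not in INSTALL_TYPES:
        raise ValueError("INSTALL_TYPE must be one of " + ", ".join(sorted(INSTALL_TYPES)))
    return fields


def split_list(value):
    """PTF list fields (LAUNCHER, TOOL_DEPEND, AFTER_COMMANDS, DEBIAN...) are comma separated."""
    return [item.strip() for item in value.split(",") if item.strip()]


def resolve(fields, category, ptf_base="/pentest", arch="x86_64"):
    """Apply the README's rules: the tool lands under <ptf_base>/<category>/<INSTALL_LOCATION>;
    X64_LOCATION is used on 64-bit hosts while REPOSITORY_LOCATION is the x86 path;
    {INSTALL_LOCATION}/{PTF_LOCATION} are expanded inside AFTER_COMMANDS; each LAUNCHER
    entry becomes a wrapper under /usr/local/bin; TOOL_DEPEND modules install first."""
    install_dir = f"{ptf_base}/{category}/{fields['INSTALL_LOCATION']}"
    is_x64 = arch.lower() in ("x86_64", "amd64")
    url = fields["REPOSITORY_LOCATION"]
    if is_x64 and fields.get("X64_LOCATION"):
        url = fields["X64_LOCATION"]
    after_commands = [
        cmd.replace("{INSTALL_LOCATION}", install_dir).replace("{PTF_LOCATION}", ptf_base)
        for cmd in split_list(fields.get("AFTER_COMMANDS", ""))
    ]
    bypass_update = fields.get("BYPASS_UPDATE", "NO").upper() == "YES"
    warnings = []
    if fields["INSTALL_TYPE"].upper() == "FILE" and not bypass_update:
        warnings.append('FILE install without BYPASS_UPDATE="YES": files are not overwritten on update')
    return {
        "install_dir": install_dir,
        "url": url,
        "after_commands": after_commands,
        # with BYPASS_UPDATE=YES the after commands run on every update, not only on install
        "rerun_after_commands_on_update": bypass_update,
        "launchers": [f"{LAUNCHER_DIR}/{name}" for name in split_list(fields.get("LAUNCHER", ""))],
        "depends": split_list(fields.get("TOOL_DEPEND", "")),
        "warnings": warnings,
    }
```

Calling resolve(parse_module(SAMPLE_MODULE), "exploitation") shows the expanded after commands and launcher path for the BeEF example; pass arch="i686" to see the x86 URL selected instead.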

Link: http://www.kitploit.com/2019/06/ptf-v23-penetration-testers-framework.html

One-Lin3r v2.0 – Gives You One-Liners That Aids In Penetration Testing Operations, Privilege Escalation And More

One-Lin3r is a simple, modular and lightweight framework that gives you all the one-liners you will need while penetration testing (Windows, Linux, macOS or even BSD systems) or hacking generally, with a lot of new features to make all of this fully automated (e.g. you won't even need to copy the one-liners).

Screenshots

It consists of various one-liner types with various functions; some of them are:

One-liner function | What this function refers to
Reverse Shell | Various methods and commands to give you a reverse shell.
PrivEsc | Many commands to help in enumeration and privilege escalation.
Bind Shell | Various methods and commands to give you a bind shell.
Dropper | Many ways to download and execute various payload types with various methods.

Features
- A lot of liners for different purposes; currently there are more than 155 liners.
- The auto-complete feature implemented in this framework is not the usual one you always see. Here are some highlights:
  - It's designed to fix typos in typed commands to the most similar command with just one tab click, so seach becomes search and so on, even if you typed any random word similar to a command in this framework.
  - For the lazy ones out there like me, it can predict what liner you are trying to use by typing any part of it. For example, if you typed use capabilities and pressed tab, it would be replaced with use linux/bash/list_all_capabilities, and so on. I can see your smile, you are welcome!
  - If you typed any wrong command then pressed enter, the framework will tell you the nearest command to what you have typed, which could be the one you really wanted.
  - Some less impressive things like auto-complete for variables after the set command, auto-complete for liners after the use and info commands, and finally it converts all uppercase to lowercase automatically, just in case you switched cases by mistake while typing.
  - Finally, you'll find the normal auto-completion things you were using before, like command auto-completion, persistent history, etc.
- Automation
  - You can automatically copy the liner you want to the clipboard with the copy command instead of using use <liner> and then copying it, which saves a lot of time, of course, if you combine it with the following features.
  - As you may have noticed, you can use a resource file from command-line arguments before starting the framework itself, or send commands directly.
  - Inside the framework you can use the makerc command like in Metasploit, but this time it only saves the correct important commands.
  - There are history and resource commands so you don't need to exit the framework.
  - You can execute as many commands as you want at the same time by splitting them with a semicolon.
- Searching for any liner here is easy: you can search for a liner by its name, function or even the liner author name.
- You can add your own liners by following these steps to create a liner as a Python file. After that you can make a pull request with it; it will then be added to the framework and credited with your name, of course.
- The ability to reload the database if you added any liner, without restarting the framework.
- You can add any platform to the liners database just by making a folder in the liners folder and creating a ".liner" file there.
- More...

Note: The liners database is not too big but it will get bigger with updates and contributions.

Usage

Command-line arguments

usage: one-lin3r [-h] [-r R] [-x X] [-q]

optional arguments:
  -h, --help  show this help message and exit
  -r          Execute a resource file (history file).
  -x          Execute a specific command (use ; for multiples).
  -q          Quiet mode (no banner).

Framework commands

Command                   Description
--------                  -------------
help/?                    Show this help menu.
list/show                 List all one-liners in the database.
search [Keywords..]       Search database for a specific liner by its name, author name or description.
use <liner>               Use an available one-liner.
copy <liner>              Use an available one-liner and copy it to clipboard automatically.
info <liner>              Get information about an available liner.
set <variable> <value>    Sets a context-specific variable to a value to use while using one-liners.
variables                 Prints all previously specified variables.
banner                    Display banner.
reload/refresh            Reload the liners database.
check                     Prints the core version and checks if you are up-to-date.
history                   Display command-line most important history from the beginning.
makerc                    Save command-line history to a file.
resource <file>           Run the commands stored in a file.
os <command>              Execute a system command without closing the framework.
exit/quit                 Exit the framework.

Prerequisites before installing
- Python 3.x.
- Any OS; it should work on all, but it's tested on Kali 2018+, Ubuntu 18+, Windows 10, Android with Termux and macOS 10.11.

Installing and running

Using pip (the best way to install on any OS):

pip install one-lin3r
one-lin3r -h

Installing it from GitHub:

For Windows (after downloading the ZIP and unzipping it):

python -m pip install ./One-Lin3r-master
one-lin3r -h

For Linux:

git clone https://github.com/D4Vinci/One-Lin3r.git
apt install libncurses5-dev
pip3 install ./One-Lin3r
one-lin3r -h

Updating the framework or the database

If you installed it from pip, do:

pip install one-lin3r --upgrade

If you installed it from GitHub, do (on Linux, while outside the directory):

cd One-Lin3r && git pull && cd ..
pip3 install ./One-Lin3r --upgrade

On Windows, if you don't have git installed, redownload the framework zipped!

Note: As the liners are written as Python modules, they are considered part of the framework. So every time a new liner is added to the framework, its version will get updated.

Contact
Twitter
Telegram

Credits and references
- PayloadsAllTheThings
- PowerSploit repo
- arno0x0x – Windows oneliners to download remote payload and execute arbitrary code

Download One-Lin3r

Link: http://feedproxy.google.com/~r/PentestTools/~3/tpDLaHMBIEQ/one-lin3r-v20-gives-you-one-liners-that.html

UPDATE: Kali Linux 2019.2 Release

PenTestIT RSS Feed
Kali Linux 2019.2, the latest and the greatest Kali Linux release, is now officially available! This is the second 2019 release, which comes after Kali Linux 2019.1, that was made available in the month of February. This new release majorly focuses on Kali Linux NetHunter updates including 13 new images and added device support along with... Read more about UPDATE: Kali Linux 2019.2 Release
The post UPDATE: Kali Linux 2019.2 Release appeared first on PenTestIT.

Link: http://pentestit.com/update-kali-linux-2019-2-release/

Book Review – Linux Basics for Hackers

With countless job openings and growth with no end in sight, InfoSec is the place to be. Many pose the question, “Where do I start?” Over his years of training hackers and eventual security experts across a wide array of industries and occupations, the author ascertains that one of the biggest hurdles that many up-and-coming professional hackers face is the lack of a foundational knowledge or experience with Linux. In an effort to help new practitioners grow, he made the decision to pen a basic ‘How To’ manual, of sorts, to introduce foundational concepts, commands and tricks in order to provide instruction to ease their transition into the world of Linux. Out of this effort, “Linux Basics for Hackers" was born.
The post Book Review – Linux Basics for Hackers appeared first on The Ethical Hacker Network.

Link: https://www.ethicalhacker.net/features/book-reviews/book-review-linux-basics-for-hackers/

Sn1per v7.0 – Automated Pentest Framework For Offensive Security Experts

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for professional penetration testers, bug bounty researchers and corporate security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to https://xerosecurity.com.

SN1PER PROFESSIONAL FEATURES:
- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Detailed host reports
- NMap HTML host reports
- Quick links to online recon tools and Google hacking queries
- Takeovers and Email Security
- HTML5 Notepad

ORDER SN1PER PROFESSIONAL:
To obtain a Sn1per Professional license, go to https://xerosecurity.com.

DEMO VIDEO:

SN1PER COMMUNITY FEATURES:
- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

EXPLOITS:
- Drupal RESTful Web Services unserialize() SA-CORE-2019-003
- Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts
- Drupal: CVE-2018-7600: Remote Code Execution – SA-CORE-2018-002
- GPON Routers – Authentication Bypass / Command Injection CVE-2018-10561
- MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
- Apache Tomcat: Remote Code Execution (CVE-2017-12617)
- Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271
- Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
- Apache Struts 2 Framework Checks – REST plugin with XStream handler (CVE-2017-9805)
- Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249
- Shellshock Bash Shell remote code execution CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
- Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843
- MS08-067 Microsoft Server Service Relative Path Stack Corruption
- Webmin File Disclosure CVE-2006-3392
- VsFTPd 2.3.4 Backdoor
- ProFTPd 1.3.3C Backdoor
- MS03-026 Microsoft RPC DCOM Interface Overflow
- DistCC Daemon Command Execution
- JBoss Java De-Serialization
- HTTP Writable Path PUT/DELETE File Access
- Apache Tomcat User Enumeration
- Tomcat Application Manager Login Bruteforce
- Jenkins-CI Enumeration
- HTTP WebDAV Scanner
- Android Insecure ADB
- Anonymous FTP Access
- PHPMyAdmin Backdoor
- PHPMyAdmin Auth Bypass
- OpenSSH User Enumeration
- LibSSH Auth Bypass
- SMTP User Enumeration
- Public NFS Mounts

KALI LINUX INSTALL:
bash install.sh

UBUNTU/DEBIAN/PARROT INSTALL:
bash install_debian_ubuntu.sh

DOCKER INSTALL:
docker build Dockerfile

USAGE:
[*] NORMAL MODE
sniper -t|--target <TARGET>
[*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE
sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce
[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon
[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>
[*] FLYOVER MODE
sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>
[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike
[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>
[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>
[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly
[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>
[*] WEB MODE – PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web
[*] HTTP WEB PORT HTTP MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>
[*] HTTPS WEB PORT HTTPS MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>
[*] WEBSCAN MODE
sniper -t|--target <TARGET> -m|--mode webscan
[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce
[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>
[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport
[*] LOOT REIMPORTALL FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimportall
[*] DELETE WORKSPACE
sniper -w <WORKSPACE_ALIAS> -d
[*] DELETE HOST FROM WORKSPACE
sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh
[*] SCHEDULED SCANS
sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly
[*] SCAN STATUS
sniper --status
[*] UPDATE SNIPER
sniper -u|--update

MODES:
- NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
- STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- FLYOVER: Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).
- AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
- WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
- WEBSCAN: Launches a full HTTP & HTTPS web application scan via Burpsuite and Arachni.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc

Download Sn1per

Link: http://feedproxy.google.com/~r/PentestTools/~3/IoUOymJezTw/sn1per-v70-automated-pentest-framework.html

EasySploit – Metasploit Automation (EASIER And FASTER Than EVER)

EasySploit v3.1 (Linux) – Metasploit automation (EASIER and FASTER than EVER)

Options:
(1) Windows --> test.exe (payload and listener)
(2) Android --> test.apk (payload and listener)
(3) Linux --> test.py (payload and listener)
(4) MacOS --> test.jar (payload and listener)
(5) Web --> test.php (payload and listener)
(6) Scan if a target is vulnerable to ms17_010
(7) Exploit Windows 7/2008 x64 ONLY by IP (ms17_010_eternalblue)
(8) Exploit Windows Vista/XP/2000/2003 ONLY by IP (ms17_010_psexec)
(9) Exploit Windows with a link (HTA Server)
(10) Contact with me – My accounts

How to install:
git clone https://github.com/KALILINUXTRICKSYT/easysploit.git
cd easysploit
bash installer.sh

How to run (after installation):
Type anywhere in your terminal "easysploit".

Video tutorials:

Download Easysploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/fAldiqcnlVY/easysploit-metasploit-automation-easier.html

ISF – Industrial Control System Exploitation Framework

ISF (Industrial Exploitation Framework) is an exploitation framework based on Python; it's similar to the Metasploit Framework. ISF is based on the open source project routersploit.

Read this in other languages: English, 简体中文

ICS Protocol Clients
Name | Path | Description
modbus_tcp_client | icssploit/clients/modbus_tcp_client.py | Modbus-TCP Client
wdb2_client | icssploit/clients/wdb2_client.py | WdbRPC Version 2 Client (Vxworks 6.x)
s7_client | icssploit/clients/s7_client.py | s7comm Client (S7 300/400 PLC)

Exploit Modules
Name | Path | Description
s7_300_400_plc_control | exploits/plcs/siemens/s7_300_400_plc_control.py | S7-300/400 PLC start/stop
s7_1200_plc_control | exploits/plcs/siemens/s7_1200_plc_control.py | S7-1200 PLC start/stop/reset
vxworks_rpc_dos | exploits/plcs/vxworks/vxworks_rpc_dos.py | Vxworks RPC remote dos (CVE-2015-7599)
quantum_140_plc_control | exploits/plcs/schneider/quantum_140_plc_control.py | Schneider Quantum 140 series PLC start/stop
crash_qnx_inetd_tcp_service | exploits/plcs/qnx/crash_qnx_inetd_tcp_service.py | QNX Inetd TCP service dos
qconn_remote_exec | exploits/plcs/qnx/qconn_remote_exec.py | QNX qconn remote code execution
profinet_set_ip | exploits/plcs/siemens/profinet_set_ip.py | Profinet DCP device IP config

Scanner Modules
Name | Path | Description
profinet_dcp_scan | scanners/profinet_dcp_scan.py | Profinet DCP scanner
vxworks_6_scan | scanners/vxworks_6_scan.py | Vxworks 6.x scanner
s7comm_scan | scanners/s7comm_scan.py | S7comm scanner
enip_scan | scanners/enip_scan.py | EthernetIP scanner

ICS Protocol Modules (Scapy modules)
These protocols can be used in other fuzzing frameworks like Kitty, or to create your own client.
Name | Path | Description
pn_dcp | icssploit/protocols/pn_dcp | Profinet DCP Protocol
modbus_tcp | icssploit/protocols/modbus_tcp | Modbus TCP Protocol
wdbrpc2 | icssploit/protocols/wdbrpc2 | WDB RPC Version 2 Protocol
s7comm | icssploit/protocols/s7comm.py | S7comm Protocol

Install

Python requirements:
- gnureadline (OSX only)
- requests
- paramiko
- beautifulsoup4
- pysnmp
- python-nmap
- scapy (we suggest installing scapy manually following the official document)

Install on Kali:
git clone https://github.com/dark-lbp/isf/
cd isf
python isf.py

Usage

root@kali:~/Desktop/temp/isf# python isf.py
[ISF ASCII art banner]
ICS Exploitation Framework
Note : ICSSPOLIT is fork from routersploit at https://github.com/reverse-shell/routersploit
Dev Team : wenzhe zhu(dark-lbp)
Version : 0.1.0
Exploits: 2 Scanners: 0 Creds: 13
ICS Exploits:
PLC: 2 ICS Switch: 0 Software: 0
isf >

Exploits

isf > use exploits/plcs/
exploits/plcs/siemens/ exploits/plcs/vxworks/
isf > use exploits/plcs/siemens/s7_300_400_plc_control
exploits/plcs/siemens/s7_300_400_plc_control
isf > use exploits/plcs/siemens/s7_300_400_plc_control
isf (S7-300/400 PLC Control) >

You can use the tab key for completion.

Options

Display module options:

isf (S7-300/400 PLC Control) > show options
Target options:
Name      Current settings     Description
----      ----------------     -----------
target                         Target address e.g. 192.168.1.1
port      102                  Target Port
Module options:
Name      Current settings     Description
----      ----------------     -----------
slot      2                    CPU slot number.
command   1                    Command 0:start plc, 1:stop plc.
isf (S7-300/400 PLC Control) >

Set options:

isf (S7-300/400 PLC Control) > set target 192.168.70.210
[+] {'target': '192.168.70.210'}

Run module:

isf (S7-300/400 PLC Control) > run
[*] Running module...
[+] Target is alive
[*] Sending packet to target
[*] Stop plc
isf (S7-300/400 PLC Control) >

Display information about exploit:

isf (S7-300/400 PLC Control) > show info
Name:
S7-300/400 PLC Control
Description:
Use S7comm command to start/stop plc.
Devices:
- Siemens S7-300 and S7-400 programmable logic controllers (PLCs)
Authors:
- wenzhe zhu
References:
isf (S7-300/400 PLC Control) >

Documents
- Modbus-TCP Client usage
- WDBRPCV2 Client usage
- S7comm Client usage
- SNMP_bruteforce usage
- S7 300/400 PLC password bruteforce usage
- Vxworks 6.x Scanner usage
- Profinet DCP Scanner usage
- S7comm PLC Scanner usage
- Profinet DCP Set ip module usage
- Load modules from extra folder
- How to write your own module

Download ISF

Link: http://feedproxy.google.com/~r/PentestTools/~3/oT_vl-DqvbE/isf-industrial-control-system.html

UPDATE: AutoSploit 3.0 – The New Year’s edition

PenTestIT RSS Feed
I wrote about AutoSploit in a post titled AutoSploit = Shodan/Censys/Zoomeye + Metasploit and its subsequent update to AutoSploit 2.2. Recently, AutoSploit 3.0 was released. This post tries to describe the changes between the last release and the newest version, as this release adds a number of features and bug fixes. This release is code... Read more about UPDATE: AutoSploit 3.0 – The New Year's edition
The post UPDATE: AutoSploit 3.0 – The New Year’s edition appeared first on PenTestIT.

Link: http://pentestit.com/update-autosploit-3-0-the-new-years-edition/