LDAP_Search – Tool To Perform LDAP Queries And Enumerate Users, Groups, And Computers From Windows Domains

LDAP_Search can be used to enumerate Users, Groups, and Computers on a Windows Domain. Authentication can be performed using traditional username and password, or NTLM hash. In addition, this tool has been modified to allow brute force/password-spraying via LDAP. Ldap_Search makes use of Impackets python36 branch to perform the main operations. (These are the guys that did the real heavy lifting and deserve the credit!)Installationgit clone –recursive https://github.com/m8r0wn/ldap_searchcd ldap_searchsudo chmod +x setup.shsudo ./setup.shUsageEnumerate all active users on a domain:python3 ldap_search.py users -u user1 -p Password1 -d demo.localLookup a single user and display field headings:python3 ldap_search.py users -q AdminUser -u user1 -p Password1 -d demo.localEnumerate all computers on a domain:python3 ldap_search.py computers -u user1 -p Password1 -d demo.localSearch for end of life systems on the domain:python3 ldap_search.py computers -q eol -u user1 -p Password1 -d demo.local -s DC01.demo.localEnumerate all groups on the domain:python3 ldap_search.py groups -u user1 -p Password1 -d demo.local -s 192.168.1.1Query group members:python3 ldap_search.py groups -q “Domain Admins" -u user1 -p Password1 -d demo.localQueriesBelow are the query options that can be specified using the "-q" argument:User active / [None] – All active users (Default) all – All users, even disabled [specific account or email] – lookup user, ex. "m8r0wn" group [None] – All domain groups [Specific group name] – lookup group members, ex. "Domain Admins" computer [None] – All Domain Computers eol – look for all end of life systems on domainOptionspositional arguments: lookup_type Lookup Types: user, group, computeroptional arguments: -q QUERY Specify user or group to query or use eol. -u USER Single username -U USER Users.txt file -p PASSWD Single password -P PASSWD Password.txt file -H HASH Use Hash for Authentication -d DOMAIN Domain (Ex. demo.local) -s SRV, -srv SRV LDAP Server (optional) -t TIMEOUT Connection Timeout (Default: 4) -v Show Search Result Attribute Names -vv Show Failed Logins & ErrorsDownload Ldap_Search

Link: http://www.kitploit.com/2018/12/ldapsearch-tool-to-perform-ldap-queries.html

ZIP Shotgun – Utility Script To Test Zip File Upload Functionality (And Possible Extraction Of Zip Files) For Vulnerabilities

Utility script to test zip file upload functionality (and possible extraction of zip files) for vulnerabilities. Idea for this script comes from this post on Silent Signal Techblog – Compressed File Upload And Command Execution and from OWASP – Test Upload of Malicious FilesThis script will create archive which contains files with “../" in filename. When extracting this could cause files to be extracted to preceding directories. It can allow attacker to extract shells to directories which can be accessed from web browser.Default webshell is wwwolf’s PHP web shell and all the credit for it goes to WhiteWinterWolf. Source is available HEREInstallationInstall using Python pip pip install zip-shotgun –upgrade Clone git repository and install git clone https://github.com/jpiechowka/zip-shotgun.gitExecute from root directory of the cloned repository (where setup.py file is located) pip install . –upgrade Usage and optionsUsage: zip-shotgun [OPTIONS] OUTPUT_ZIP_FILEOptions: –version Show the version and exit. -c, –directories-count INTEGER Count of how many directories to go back inside the zip file (e.g 3 means that 3 files will be added to the zip: shell.php, ../shell.php and ../../shell.php where shell.php is the name of the shell you provided or randomly generated value [default: 16] -n, –shell-name TEXT Name of the shell inside the generated zip file (e.g shell). If not provided it will be randomly generated. Cannot have whitespaces -f, –shell-file-path PATH A file that contains code for the shell. If this option is not provided wwwolf (https://github.com/WhiteWinterWolf/wwwolf- php-webshell) php shell will be added instead. If name is provided it will be added to the zip with the provided name or if not provided the name will be randomly generated. –compress Enable compression. If this flag is set archive will be compressed using DEFALTE algorithm with compression level of 9. By default there is no compression applied. -h, –help Show this message and exit.ExamplesUsing all default options zip-shotgun archive.zipPart of the script output 12/Dec/2018 Wed 23:13:13 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip12/Dec/2018 Wed 23:13:13 +0100 | WARNING | Shell name was not provided. Generated random shell name: BCsQOkiN23ur7OUj12/Dec/2018 Wed 23:13:13 +0100 | WARNING | Shell file was not provided. Using default wwwolf’s webshell code12/Dec/2018 Wed 23:13:13 +0100 | INFO | Using default file extension for wwwolf’s webshell: php12/Dec/2018 Wed 23:13:13 +0100 | INFO | –compress flag was NOT set. Archive will be uncompressed. Files will be only stored.12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: BCsQOkiN23ur7OUj.php12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: BCsQOkiN23ur7OUj.php12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: ../BCsQOkiN23ur7OUj.php12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../BCsQOkiN23ur7OUj.php12/Dec/2018 Wed 23:13:13 +0100 | INFO | Writing file to the archive: ../../BCsQOkiN23ur7OUj.php12/Dec/2018 Wed 23:13:13 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../BCsQOkiN23ur7OUj.php…12/Dec/2018 Wed 23:13:13 +0100 | INFO | Finished. Try to access shell using BCsQOkiN23ur7OUj.php in the URLUsing default options and enabling compression for archive file zip-shotgun –compress archive.zipPart of the script output 12/Dec/2018 Wed 23:16:13 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip12/Dec/2018 Wed 23:16:13 +0100 | WARNING | Shell name was not provided. Generated random shell name: 6B6NtnZXbXSubDCh12/Dec/2018 Wed 23:16:13 +0100 | WARNING | Shell file was not provided. Using default wwwolf’s webshell code12/Dec/2018 Wed 23:16:13 +0100 | INFO | Using default file extension for wwwolf’s webshell: php12/Dec/2018 Wed 23:16:13 +0100 | INFO | –compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 9…12/Dec/2018 Wed 23:16:13 +0100 | INFO | Finished. Try to access shell using 6B6NtnZXbXSubDCh.php in the URLUsing default options but changing the number of directories to go back in the archive to 3 zip-shotgun –directories-count 3 archive.zip zip-shotgun -c 3 archive.zipThe script will write 3 files in total to the archivePart of the script output 12/Dec/2018 Wed 23:17:43 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip12/Dec/2018 Wed 23:17:43 +0100 | WARNING | Shell name was not provided. Generated random shell name: 34Bv9YoignMHgk2F12/Dec/2018 Wed 23:17:43 +0100 | WARNING | Shell file was not provided. Using default wwwolf’s webshell code12/Dec/2018 Wed 23:17:43 +0100 | INFO | Using default file extension for wwwolf’s webshell: php12/Dec/2018 Wed 23:17:43 +0100 | INFO | –compress flag was NOT set. Archive will be uncompressed. Files will be only stored.12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: 34Bv9YoignMHgk2F.php12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: 34Bv9YoignMHgk2F.php12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: ../34Bv9YoignMHgk2F.php12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../34Bv9YoignMHgk2F.php12/Dec/2018 Wed 23:17:43 +0100 | INFO | Writing file to the archive: ../../34Bv9YoignMHgk2F.php12/Dec/2018 Wed 23:17:43 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../34Bv9YoignMHgk2F.php12/Dec/2018 Wed 23:17:43 +0100 | INFO | Finished. Try to access shell using 34Bv9YoignMHgk2F.php in the URLUsing default options but providing shell name inside archive and enabling compressionShell name cannot have whitespaces zip-shotgun –shell-name custom-name –compress archive.zip zip-shotgun -n custom-name –compress archive.zipName for shell files inside the archive will be set to the one provided by the user.Part of the script output 12/Dec/2018 Wed 23:19:12 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip12/Dec/2018 Wed 23:19:12 +0100 | WARNING | Shell file was not provided. Using default wwwolf’s webshell code12/Dec/2018 Wed 23:19:12 +0100 | INFO | Using default file extension for wwwolf’s webshell: php12/Dec/2018 Wed 23:19:12 +0100 | INFO | –compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 912/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: custom-name.php12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../custom-name.php12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../../custom-name.php12/Dec/2018 Wed 23:19:12 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php12/Dec/2018 Wed 23:19:12 +0100 | INFO | Writing file to the archive: ../../../custom-name.php…12/Dec/2018 Wed 23:19:12 +0100 | INFO | Finished. Try to access shell using custom-name.php in the URLProvide custom shell file but use random name inside archive. Set directories count to 3 zip-shotgun –directories-count 3 –shell-file-path ./custom-shell.php archive.zip zip-shotgun -c 3 -f ./custom-shell.php archive.zipShell code will be extracted from user provided file. Names inside the archive will be randomly generated.Part of the script output 12/Dec/2018 Wed 23:21:37 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip12/Dec/2018 Wed 23:21:37 +0100 | WARNING | Shell name was not provided. Generated random shell name: gqXRAJu1LD8d8VKf12/Dec/2018 Wed 23:21:37 +0100 | INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive12/Dec/2018 Wed 23:21:37 +0100 | INFO | Getting file extension from provided shell file for reuse: php12/Dec/2018 Wed 23:21:37 +0100 | INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php12/Dec/2018 Wed 23:21:37 +0100 | INFO | –compress flag was NOT set. Archive will be uncompressed. Files will be only stored.12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: gqXRAJu1LD8d8VKf.php12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: gqXRAJu1LD8d8VKf.php12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: ../gqXRAJu1LD8d8VKf.php12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../gqXRAJu1LD8d8VKf.php12/Dec/2018 Wed 23:21:37 +0100 | INFO | Writing file to the archive: ../../gqXRAJu1LD8d8VKf.php12/Dec/2018 Wed 23:21:37 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../gqXRAJu1LD8d8VKf.php12/Dec/2018 Wed 23:21:37 +0100 | INFO | Finished. Try to access shell using gqXRAJu1LD8d8VKf.php in the URLProvide custom shell file and set shell name to save inside archive. Set directories count to 3 and use compression zip-shotgun –directories-count 3 –shell-name custom-name –shell-file-path ./custom-shell.php –compress archive.zip zip-shotgun -c 3 -n custom-name -f ./custom-shell.php –compress archive.zipShell code will be extracted from user provided file. Names inside the archive will be set to user provided name.Part of the script output 12/Dec/2018 Wed 23:25:19 +0100 | INFO | Opening output zip file: REDACTED\zip-shotgun\archive.zip12/Dec/2018 Wed 23:25:19 +0100 | INFO | File containing shell code was provided: REDACTED\zip-shotgun\custom-shell.php. Content will be added to archive12/Dec/2018 Wed 23:25:19 +0100 | INFO | Getting file extension from provided shell file for reuse: php12/Dec/2018 Wed 23:25:19 +0100 | INFO | Opening provided file with shell code: REDACTED\zip-shotgun\custom-shell.php12/Dec/2018 Wed 23:25:19 +0100 | INFO | –compress flag was set. Archive will be compressed using DEFLATE algorithm with a level of 912/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: custom-name.php12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: custom-name.php12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: ../custom-name.php12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../custom-name.php12/Dec/2018 Wed 23:25:19 +0100 | INFO | Writing file to the archive: ../../custom-name.php12/Dec/2018 Wed 23:25:19 +0100 | INFO | Setting full read/write/execute permissions (chmod 777) for file: ../../custom-name.php12/Dec/2018 Wed 23:25:19 +0100 | INFO | Finished. Try to access shell using custom-name.php in the URLDownload Zip-Shotgun

Link: http://feedproxy.google.com/~r/PentestTools/~3/zgU6TcdSSH8/zip-shotgun-utility-script-to-test-zip.html

Cameradar v2.1.0 – Hacks Its Way Into RTSP Videosurveillance Cameras

  An RTSP stream access tool that comes with its libraryCameradar allows you toDetect open RTSP hosts on any accessible target hostDetect which device model is streamingLaunch automated dictionary attacks to get their stream route (e.g.: /live.sdp)Launch automated dictionary attacks to get the username and password of the camerasRetrieve a complete and user-friendly report of the resultsDocker Image for CameradarInstall docker on your machine, and run the following command:docker run -t ullaakut/cameradar -t <other command-line options>See command-line options.e.g.: docker run -t ullaakut/cameradar -t 192.168.100.0/24 -l will scan the ports 554 and 8554 of hosts on the 192.168.100.0/24 subnetwork and attack the discovered RTSP streams and will output debug logs.YOUR_TARGET can be a subnet (e.g.: 172.16.100.0/24), an IP (e.g.: 172.16.100.10), or a range of IPs (e.g.: 172.16.100.10-20).If you want to get the precise results of the nmap scan in the form of an XML file, you can add -v /your/path:/tmp/cameradar_scan.xml to the docker run command, before ullaakut/cameradar.If you use the -r and -c options to specify your custom dictionaries, make sure to also use a volume to add them to the docker container. Example: docker run -t -v /path/to/dictionaries/:/tmp/ ullaakut/cameradar -r /tmp/myroutes -c /tmp/mycredentials.json -t mytargetInstalling the binary on your machineOnly use this solution if for some reason using docker is not an option for you or if you want to locally build Cameradar on your machine.DependenciesgodepInstalling depOSX: brew install dep and brew upgrade depOthers: Download the release package for your OS hereSteps to installMake sure you installed the dependencies mentionned above.go get github.com/Ullaakut/cameradarcd $GOPATH/src/github.com/Ullaakut/cameradardep ensurecd cameradargo installThe cameradar binary is now in your $GOPATH/bin ready to be used. See command line options here.LibraryDependencies of the librarycurl-dev / libcurl (depending on your OS)nmapgithub.com/pkg/errorsgopkg.in/go-playground/validator.v9github.com/andelf/go-curlInstalling the librarygo get github.com/Ullaakut/cameradarAfter this command, the cameradar library is ready to use. Its source will be in:$GOPATH/src/pkg/github.com/Ullaakut/cameradarYou can use go get -u to update the package.Here is an overview of the exposed functions of this library:DiscoveryYou can use the cameradar library for simple discovery purposes if you don’t need to access the cameras but just to be aware of their existence.This describes the nmap time presets. You can pass a value between 1 and 5 as described in this table, to the NmapRun function.AttackIf you already know which hosts and ports you want to attack, you can also skip the discovery part and use directly the attack functions. The attack functions also take a timeout value as a parameter.Data modelsHere are the different data models useful to use the exposed functions of the cameradar library.Dictionary loadersThe cameradar library also provides two functions that take file paths as inputs and return the appropriate data models filled.ConfigurationThe RTSP port used for most cameras is 554, so you should probably specify 554 as one of the ports you scan. Not specifying any ports to the cameradar application will scan the 554 and 8554 ports.docker run -t –net=host ullaakut/cameradar -p “18554,19000-19010" -t localhost will scan the ports 18554, and the range of ports between 19000 and 19010 on localhost.You can use your own files for the ids and routes dictionaries used to attack the cameras, but the Cameradar repository already gives you a good base that works with most cameras, in the /dictionaries folder.docker run -t -v /my/folder/with/dictionaries:/tmp/dictionaries \ ullaakut/cameradar \ -r "/tmp/dictionaries/my_routes" \ -c "/tmp/dictionaries/my_credentials.json" \ -t 172.19.124.0/24This will put the contents of your folder containing dictionaries in the docker image and will use it for the dictionary attack instead of the default dictionaries provided in the cameradar repo.Check camera accessIf you have VLC Media Player, you should be able to use the GUI or the command-line to connect to the RTSP stream using this format : rtsp://username:password@address:port/routeWith the above result, the RTSP URL would be rtsp://admin:12345@173.16.100.45:554/live.sdpCommand line options"-t, –target": Set target. Required. Target can be a file (see instructions on how to format the file), an IP, an IP range, a subnetwork, or a combination of those."-p, –ports": (Default: 554,8554) Set custom ports."-s, –speed": (Default: 4) Set custom nmap discovery presets to improve speed or accuracy. It’s recommended to lower it if you are attempting to scan an unstable and slow network, or to increase it if on a very performant and reliable network. See this for more info on the nmap timing templates."-T, –timeout": (Default: 2000) Set custom timeout value in miliseconds after which an attack attempt without an answer should give up. It’s recommended to increase it when attempting to scan unstable and slow networks or to decrease it on very performant and reliable networks."-r, –custom-routes": (Default: <CAMERADAR_GOPATH>/dictionaries/routes) Set custom dictionary path for routes"-c, –custom-credentials": (Default: <CAMERADAR_GOPATH>/dictionaries/credentials.json) Set custom dictionary path for credentials"-o, –nmap-output": (Default: /tmp/cameradar_scan.xml) Set custom nmap output path"-l, –log": Enable debug logs (nmap requests, curl describe requests, etc.)"-h" : Display the usage informationFormat input fileThe file can contain IPs, hostnames, IP ranges and subnetwork, separated by newlines. Example:0.0.0.0localhost192.17.0.0/16192.168.1.140-255192.168.2-3.0-255Environment VariablesCAMERADAR_TARGETThis variable is mandatory and specifies the target that cameradar should scan and attempt to access RTSP streams on.Examples:172.16.100.0/24192.168.1.1localhost192.168.1.140-255192.168.2-3.0-255CAMERADAR_PORTSThis variable is optional and allows you to specify the ports on which to run the scans.Default value: 554,8554It is recommended not to change these except if you are certain that cameras have been configured to stream RTSP over a different port. 99.9% of cameras are streaming on these ports.CAMERADAR_NMAP_OUTPUT_FILEThis variable is optional and allows you to specify on which file nmap will write its output.Default value: /tmp/cameradar_scan.xmlThis can be useful only if you want to read the files yourself, if you don’t want it to write in your /tmp folder, or if you want to use only the RunNmap function in cameradar, and do its parsing manually.CAMERADAR_CUSTOM_ROUTES, CAMERADAR_CUSTOM_CREDENTIALSThese variables are optional, allowing to replace the default dictionaries with custom ones, for the dictionary attack.Default values: <CAMERADAR_GOPATH>/dictionaries/routes and <CAMERADAR_GOPATH>/dictionaries/credentials.jsonCAMERADAR_SPEEDThis optional variable allows you to set custom nmap discovery presets to improve speed or accuracy. It’s recommended to lower it if you are attempting to scan an unstable and slow network, or to increase it if on a very performant and reliable network. See this for more info on the nmap timing templates.Default value: 4CAMERADAR_TIMEOUTThis optional variable allows you to set custom timeout value in miliseconds after which an attack attempt without an answer should give up. It’s recommended to increase it when attempting to scan unstable and slow networks or to decrease it on very performant and reliable networks.Default value: 2000CAMERADAR_LOGSThis optional variable allows you to enable a more verbose output to have more information about what is going on.It will output nmap results, cURL requests, etc.Default: falseContributionBuildDocker buildTo build the docker image, simply run docker build -t . cameradar in the root of the project.Your image will be called cameradar and NOT ullaakut/cameradar.Go buildTo build the project without docker:Install depOSX: brew install dep and brew upgrade depOthers: Download the release package for your OS heredep ensurego build to build the librarycd cameradar && go build to build the binaryThe cameradar binary is now in the root of the directory.See the contribution document to get started.Frequently Asked QuestionsCameradar does not detect any camera!That means that either your cameras are not streaming in RTSP or that they are not on the target you are scanning. In most cases, CCTV cameras will be on a private subnetwork, isolated from the internet. Use the -t option to specify your target.Cameradar detects my cameras, but does not manage to access them at all!Maybe your cameras have been configured and the credentials / URL have been changed. Cameradar only guesses using default constructor values if a custom dictionary is not provided. You can use your own dictionaries in which you just have to add your credentials and RTSP routes. To do that, see how the configuration works. Also, maybe your camera’s credentials are not yet known, in which case if you find them it would be very nice to add them to the Cameradar dictionaries to help other people in the future.What happened to the C++ version?You can still find it under the 1.1.4 tag on this repo, however it was less performant and stable than the current version written in Golang.How to use the Cameradar library for my own project?See the example in /cameradar. You just need to run go get github.com/Ullaakut/cameradar and to use the cmrdr package in your code. You can find the documentation on godoc.I want to scan my own localhost for some reason and it does not work! What’s going on?Use the –net=host flag when launching the cameradar image, or use the binary by running go run cameradar/cameradar.go or installing itI don’t see a colored output :(You forgot the -t flag before ullaakut/cameradar in your command-line. This tells docker to allocate a pseudo-tty for cameradar, which makes it able to use colors.I don’t have a camera but I’d like to try Cameradar!Simply run docker run -p 8554:8554 -e RTSP_USERNAME=admin -e RTSP_PASSWORD=12345 -e RTSP_PORT=8554 ullaakut/rtspatt and then run cameradar and it should guess that the username is admin and the password is 12345. You can try this with any default constructor credentials (they can be found here)ExamplesRunning cameradar on your own machine to scan for default portsdocker run –net=host -t ullaakut/cameradar -t localhostRunning cameradar with an input file, logs enabled on port 8554docker run -v /tmp:/tmp –net=host -t ullaakut/cameradar -t /tmp/test.txt -p 8554 -lDownload Cameradar

Link: http://feedproxy.google.com/~r/PentestTools/~3/1bUGqwOggUY/cameradar-v210-hacks-its-way-into-rtsp.html

PENTOL – Pentester Toolkit For Fiddler2

PENTOL – Pentester Toolkit is built as a plugin for the Fiddler HTTP debugging proxy.FeaturesCORS DETECTED Cross-Origin Resource SharingCRLF DETECTED HTTP response splittingHeaders DETECTED (X-Frame-Options)USAGEInstall Fiddler2Open Fiddler2Press Key CTRL + R or Rules > Customize Rules…Copy all script SampleRules.jsPress Key CTRL + S for SaveCheck tools in Rules TABCreditsThanks to allahEka Syahwan (Creator) bugrecon / H1 / bugcrowdEdo Maland (Powerstager) https://github.com/ScreetsecJack Wilder admin in http://www.linuxsec.orgDisclaimerNote: modifications, changes, or changes to this code can be accepted, however, every public release that uses this code must be approved by writing this tool (Eka S)Download PENTOL

Link: http://feedproxy.google.com/~r/PentestTools/~3/Gqg497egrBM/pentol-pentester-toolkit-for-fiddler2.html

AWS EC2 instance userData

In the effort to get me blogging again I’ll be doing a few short posts to get the juices flowing (hopefully).Today I learned about the userData instance attribute for AWS EC2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.htmlIn general I thought metadata was only things you can hit from WITHIN the instance via the metadata url: http://169.254.169.254/latest/meta-data/However, if you read the link above there is an option to add metadata at boot time. You can also use instance metadata to access user data that you specified when launching your instance. For example, you can specify parameters for configuring your instance, or attach a simple script. That’s interesting right?!?!  so if you have some AWS creds the easiest way to check for this (after you enumerate instance IDs) is with the aws cli.$ aws ec2 describe-instance-attribute –attribute userData –instance-id i-0XXXXXXXXAn error occurred (InvalidInstanceID.NotFound) when calling the DescribeInstanceAttribute operation: The instance ID ‘i-0XXXXXXXX’ does not existah crap, you need the region…$ aws ec2 describe-instance-attribute –attribute userData –instance-id i-0XXXXXXXX –region us-west-1{    “InstanceId": "i-0XXXXXXXX",    "UserData": {        "Value": "bm90IHRvZGF5IElTSVMgOi0p"}anyway that can get tedious especially if the org has a ton of things running.  This is precisely the reason @cktricky and I built weirdAAL.  Surely no one would be sticking creds into things at boot time via shell scripts :-)That module is in the current version of weirdAAL. Enjoy.-CG

Link: http://carnal0wnage.attackresearch.com/2018/11/aws-ec2-instance-userdata.html

Parrot Security 4.4 – Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind

Parrot 4.4 is now available for download. This release provides security and stability updates and is the starting point for the plan to develop an LTS edition of Parrot. Parrot 4.4 Development GoalsThe Parrot 4.4 development process involved the ideas of many people in the community, and the goal of this new update was mainly to target software developers and increase average system stability.Upgrade from a previous versionsudo parrot-upgradeorsudo apt updatesudo apt full-upgradeDebian Testing stability statusParrot is based on Debian Testing, which is now entering an important stabilization stage for new Debian 10 (buster) release, that should arrive around the second quarter of 2019. This means that Parrot is up to see a new golden age of stability and reliability, which this time is going to last very long since the team announced the Parrot Long Term Support project in the previous release note.New Golang, Rust, Vala and Mono support There is a big interest in the Parrot team to offer a comfortable environment for software developers and those pentesters who usually write or modify their tools, and even if we already support python, java, c/c++, ruby, perl, bash and php, there is a big interest in the community in other emerging programming languages like golang, rust or vala.Parrot 4.4 added for the first time full support for golang, rust, vala and mono (a FLOSS and independent .NET implementation). We believe software developers will benefit from this internal choice that required a lot of effort in order to keep the ISO files within their usual sizes.New Privacy Metapackageparrot-privacy now provides all the privacy-related applications as anonsurf, torbrowser, ricochet-im, onionshare and more.People who need stronger privacy have now a dedicated metapackage.KDE Plasma EditionThe development of the KDE Plasma edition gave very interesting results, and now Parrot 4.4 provides an awesome KDE flavor with our custom themes and settings for all our users that don’t like MATE and prefer a more advanced and feature-rich (but heavier) desktop environment.Parrot KDE includes the latest 5.13 Plasma desktop with custom configurations that proved to be very lightweight and fast with a small memory footprint, and we will continue to improve this flavor in the future.BTRFS and XFS are the new default filesystemThe new Debian-Installer was modified to use btrfs by default for root and xfs for the home filesystem. The installer does no longer create a swap partition when automatically partitioning uefi or encrypted systems, and the boot partition is large enough to host multiple kernel revisions without running out of space.Btrfs and xfs are very powerful advanced filesystems with CoW, subvolumes, snapshots and other features. While xfs is very fast on some specific workloads, btrfs has additional features like live compression and a very efficient checksuming system for file corruption detection.Btrfs was considered experimental for many years and it is still under heavy development, but its core features are now stable and production ready (but not ready for mission critical scenarios) and many companies already use it and contribute to its development, including facebook, suse, oracle and more.Download  Parrot Security 4.4

Link: http://feedproxy.google.com/~r/PentestTools/~3/oPebm90a_Eg/parrot-security-44-security-gnulinux.html

Brent Dukes – Application Security Weekly #41

Brent Dukes is a hacker, and Director of Information Security for an established manufacturing company. He joins Keith and Paul this week to talk about WAF’s, Pentesting, Burp Suite, and more! Full Show NotesFollow us on Twitter: https://www.twitter.com/securityweekly Hosts
The post Brent Dukes – Application Security Weekly #41 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/vj-NlVPrk50/

Osmedeus – Automatic Reconnaisance And Scanning In Penetration Testing

Automatic Reconnaisance and Scanning in Penetration TestingWhat is Osmedeus?Osmedeus allow you to doing boring stuff in Pentesting automatically like reconnaissance and scanning the target by run the collection of awesome tools.Installationgit clone https://github.com/j3ssie/Osmedeuscd Osmedeuschmod +x install.sh./install.shHow to useDoing normal routine include: Subdomain Scanning, Subdomain TakeOver Scanning, Port Scanning and ScreenShot the target../osmedeus.py -t example.comScanning subdomain and Subdomain TakeOver./osmedeus.py -m subdomain -t example.comGit repo scanning./osmedeus.py -m git –git https://github.com/whatever/repoDoing some stuff with Burp State file./osmedeus.py -m burp -t example.com –burp yourburpstate.xmlAvailable modules with list tool being usedSubdomain Scanning amasssubfindermassdnsSubdomain TakeOver Scanning subjackSubOverPort Scanning and ScreenShot the target aquatonEyeWitnessmasscanGit repo scanning truffleHoggitrobDoing some stuff with Burp State file sqlmapSleuthQLLinkFinderDemoContact@j3ssiejjjDownload Osmedeus

Link: http://feedproxy.google.com/~r/PentestTools/~3/WSk0NzgPyq8/osmedeus-automatic-reconnaisance-and.html

Dirhunt v0.6.0 – Find Web Directories Without Bruteforce

DEVELOPMENT BRANCH: The current branch is a development version. Go to the stable release by clicking on the master branch.Dirhunt is a web crawler optimize for search and analyze directories. This tool can find interesting things if the server has the “index of" mode enabled. Dirhunt is also useful if the directory listing is not enabled. It detects directories with false 404 errors, directories where an empty index file has been created to hide things and much more.$ dirhunt http://website.com/Dirhunt does not use brute force. But neither is it just a crawler. This tool is faster than others because it minimizes requests to the server. Generally, this tool takes between 5-30 seconds, depending on the website and the server.Read more about how to use Dirhunt in the documentation. FeaturesProcess one or multiple sites at a time.Process ‘Index Of’ pages and report interesting files.Detect redirectors.Detect blank index file created on directory to hide things.Process some html files in search of new directories.404 error pages and detect fake 404 errors.Filter results by flags.Analyze results at end. It also processes date & size of the Index Pages (NEW!)Get new directories using robots.txt, VirusTotal & Google (NEW!)Delay between requestsOne or multiple proxies option. It can also search for free proxies (NEW!) InstallIf you have Pip installed on your system, you can use it to install the latest Dirhunt stable version:$ sudo pip3 install dirhuntPython 2.7 & 3.4-3.7 are supported but Python 3.x is recommended. Use pip2 on install for Python2.There are other installation methods available.Download Dirhunt v0.6.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/4jFGrJ8Br3E/dirhunt-v060-find-web-directories.html

Parrot Security 4.3 – Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind

Parrot 4.3 is now available for download. This release provides security and stability updates and is the starting point for the plan to develop an LTS edition of Parrot.Linux 4.18Linux was updated to the 4.18.10 version, and linux 4.19 will be released soon.Firefox 63Firefox 63 provides noticeable security and privacy features, but it is no longer available to 32bit systems, so has been switched to firefox-esr on all the unsupported architectures.Wine menuHas been fixed a bug in the parrot menu configuration that prevented several menu categories to show up.This fixed the missing wine menu bug, which is now back again.Bashrc updatesThe Parrot .bashrc file was updated, now it provides better snap support, the ll alias now shows the size in a human readable format and it does no longer overwrite some global settings as it used to do before.Java 11OpenJDK 11 is now the default java provider.AnonsurfAnonsurf received important stability upgrades and now it does not mess up the DNS configuration.New Parrot iconsThe Parrot edition of the MAIA icon theme was updated.Has been dropped many old unused icons and replaced them with newer ones.Core updatesParrot 4.3 provides the latest updates of Debian Testing and many improvements to our sandbox system, in fact, both firejail and apparmor received significant updates, and now the whole system is smoother, more secure and more reliable.Download Parrot Security 4.3

Link: http://feedproxy.google.com/~r/PentestTools/~3/r9_XOjHON1g/parrot-security-43-security-gnulinux.html