Munin – Online Hash Checker For Virustotal And Other Services

Munin is an online hash checker utility that retrieves valuable information from various online sources.

The current version of Munin queries the following services:
- Virustotal
- Malshare
- HybridAnalysis

Note: Munin is based on the script "VT-Checker", which has been maintained in the LOKI repository.

Usage

    usage: munin.py [-h] [-f path] [-c cache-db] [-i ini-file] [-s sample-folder]
                    [--comment] [-p vt-comment-prefix] [--download] [-d download_path]
                    [--nocache] [--intense] [--retroverify] [-r num-results] [--nocsv]
                    [--verifycert] [--sort] [--debug]

    Online Hash Checker

    optional arguments:
      -h, --help            show this help message and exit
      -f path               File to process (hash line by line OR csv with hash in
                            each line - auto-detects position and comment)
      -c cache-db           Name of the cache database file (default: vt-hash-db.pkl)
      -i ini-file           Name of the ini file that holds the API keys
      -s sample-folder      Folder with samples to process
      --comment             Posts a comment for the analysed hash which contains the
                            comment from the log line
      -p vt-comment-prefix  Virustotal comment prefix
      --download            Enables Sample Download from Hybrid Analysis. SHA256 of
                            sample needed.
      -d download_path      Output Path for Sample Download from Hybrid Analysis.
                            Folder must exist
      --nocache             Do not use cache database file
      --intense             Do use PhantomJS to parse the permalink (used to extract
                            user comments on samples)
      --retroverify         Check only 40 entries with the same comment and the
                            rest at the end of the run (retrohunt verification)
      -r num-results        Number of results to take as verification
      --nocsv               Do not write a CSV with the results
      --verifycert          Verify SSL/TLS certificates
      --sort                Sort the input lines (useful for VT retrohunt results)
      --debug               Debug output

Features
- MODE A: Extracts hashes from any text file based on regular expressions
- MODE B: Walks sample directory and checks hashes online
- Retrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)
- Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text file
- Cached objects are stored in JSON
- Creates CSV file with the findings for easy post-processing and reporting
- Appends results to a previous CSV if available

Displays
- Hash and comment (comment is the rest of the line from which the hash has been extracted)
- AV vendor matches based on a user defined list
- Filenames used in the wild
- PE information like the description, the original file name and the copyright statement
- Signer of a signed portable executable
- Result based on Virustotal ratio
- First and last submission
- Tags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftware

Extra Checks
- Queries Malshare.com for sample uploads
- Queries Hybrid-Analysis.com for present analysis
- Imphash duplicates in current batch > allows you to spot overlaps in import table hashes

Getting started
- Download / clone the repo
- Install required packages: pip3 install -r requirements.txt (on macOS add --user)
- (optional: required for --intense mode) Download PhantomJS and place it in your $PATH, e.g. /usr/local/bin (http://phantomjs.org/download.html)
- Set the API key for the different services in the munin.ini file
- Use the demo file for a first run: python munin.py -f munin-demo.txt --nocache

Typical Command Lines

Process a Virustotal Retrohunt result and sort the lines before checking so that matched signatures are checked in blocks:

    python munin.py -i my.ini -f ~/Downloads/retro_hunt --sort

Process an IOC file and show who commented on these samples on Virustotal (uses PhantomJS, higher CPU usage):

    python munin.py -i my.ini -f ~/Downloads/misp-event-1234.csv --sort --intense

Process a directory with samples and check their hashes online:

    python munin.py -i my.ini -s ~/malware/case34

Get the API Keys used by Munin

Virustotal
- Create an account here https://www.virustotal.com/#/join-us
- Check Profile > My API key for your public API key

Malshare
- Register here https://malshare.com/register.php

Hybrid Analysis
- Create an account here https://www.hybrid-analysis.com/signup
- After login, check Profile > API key

Download Munin
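The MODE A workflow described above (regex hash extraction with the rest of the line as comment, a cache so a repeated hash costs one query, and the imphash overlap check) as an added example; this is not Munin's own code, and the lookup function, its data and the input lines are constructed stand-ins for the Virustotal API and the demo file:

```python
import re

# Added example, not Munin's own code: hashes are pulled out of free-form text by
# regular expression, the rest of the line is kept as the comment, a cache makes
# each hash cost one online query even when it appears on several lines, and
# imphash overlaps are reported across the batch. The lookup function and its
# data are constructed stand-ins for the Virustotal API.
HASH_RE = re.compile(r"\b([a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b")

SAMPLE_LINES = """\
# constructed input, not the munin-demo.txt that ships with the tool
d41d8cd98f00b204e9800998ecf8427e  dropper seen in case34
da39a3ee5e6b4b0d3255bfef95601890afd80709, loader, case34
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 second stage
d41d8cd98f00b204e9800998ecf8427e  same dropper, later log line
"""

def extract_hashes(text):
    """Return (hash, comment) pairs; the comment is the line minus the hash."""
    pairs = []
    for line in text.splitlines():
        m = HASH_RE.search(line)
        if m:
            comment = (line[:m.start()] + line[m.end():]).strip(" ,;\t")
            pairs.append((m.group(1).lower(), comment))
    return pairs

def fake_lookup(h):
    """Constructed stand-in for the online query; returns what the cache stores."""
    table = {
        "d41d8cd98f00b204e9800998ecf8427e":
            {"positives": 40, "imphash": "constructed-imphash-A"},
        "da39a3ee5e6b4b0d3255bfef95601890afd80709":
            {"positives": 3, "imphash": "constructed-imphash-B"},
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
            {"positives": 37, "imphash": "constructed-imphash-A"},
    }
    return table.get(h, {})

def check_batch(pairs, lookup, cache=None):
    """Resolve every hash through `lookup`, serving repeats from the cache.
    Returns (results, number_of_live_queries)."""
    cache = {} if cache is None else cache
    queries, results = 0, []
    for h, comment in pairs:
        if h not in cache:
            cache[h] = lookup(h)
            queries += 1
        results.append((h, comment, cache[h]))
    return results, queries

def imphash_duplicates(results):
    """Imphashes shared by more than one distinct hash in this batch."""
    groups = {}
    for h, _comment, info in results:
        imp = info.get("imphash")
        if imp and h not in groups.setdefault(imp, []):
            groups[imp].append(h)
    return {imp: hs for imp, hs in groups.items() if len(hs) > 1}
```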

Link: http://feedproxy.google.com/~r/PentestTools/~3/0Cc8y6zLvSQ/munin-online-hash-checker-for.html

RouterSploit v3.4.0 – Exploitation Framework For Embedded Devices

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.

It consists of various modules that aid penetration testing operations:
- exploits - modules that take advantage of identified vulnerabilities
- creds - modules designed to test credentials against network services
- scanners - modules that check if a target is vulnerable to any exploit
- payloads - modules that are responsible for generating payloads for various architectures and injection points
- generic - modules that perform generic attacks

Installation

Requirements

Required:
- future
- requests
- paramiko
- pysnmp
- pycrypto

Optional:
- bluepy - bluetooth low energy

Installation on Kali Linux

    apt-get install python3-pip
    git clone https://www.github.com/threat9/routersploit
    cd routersploit
    python3 -m pip install -r requirements.txt
    python3 rsf.py

Bluetooth Low Energy support:

    apt-get install libglib2.0-dev
    python3 -m pip install bluepy
    python3 rsf.py

Installation on Ubuntu 18.04 & 17.10

    sudo add-apt-repository universe
    sudo apt-get install git python3-pip
    git clone https://www.github.com/threat9/routersploit
    cd routersploit
    python3 -m pip install -r requirements.txt
    python3 rsf.py

Bluetooth Low Energy support:

    apt-get install libglib2.0-dev
    python3 -m pip install bluepy
    python3 rsf.py

Installation on OSX

    git clone https://www.github.com/threat9/routersploit
    cd routersploit
    sudo python3 -m pip install -r requirements.txt
    python3 rsf.py

Running on Docker

    git clone https://www.github.com/threat9/routersploit
    cd routersploit
    docker build -t routersploit .
    docker run -it --rm routersploit

Update

Update RouterSploit Framework often. The project is under heavy development and new modules are shipped almost every day.

    cd routersploit
    git pull

Download Routersploit

Link: http://www.kitploit.com/2018/10/routersploit-v340-exploitation.html

LibSSH Scanner – Script To Identify Hosts Vulnerable To CVE-2018-10933

This is a python based script to identify hosts vulnerable to CVE-2018-10933.

The vulnerability is present on versions of libssh 0.6+ and was remediated by a patch present in libssh 0.7.6 and 0.8.4. For more details: https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/

Help

    CVE-2018-10933 Scanner - Find vulnerable libssh services by Leap Security (@LeapSecurity)

    optional arguments:
      -h, --help            show this help message and exit
      -v, --version         show program's version number and exit
      -t TARGET, --target TARGET
                            An ip address or new line delimited file containing IPs
                            to banner grab for the vulnerability.
      -p PORT, --port PORT  Set port of SSH service

Download Libssh-Scanner
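The version logic behind such a banner grab, as an added example for inventorying your own hosts; this is not the Libssh-Scanner code, and the banners and host names are constructed:

```python
import re

# Added example, not the Libssh-Scanner code: classify an SSH identification
# string by the libssh ranges the post gives (affected from 0.6, fixed in
# 0.7.6 and 0.8.4). The banners below are constructed; in practice the string
# is the first line a server sends after the TCP connect to the SSH port.
BANNER_RE = re.compile(r"libssh[_-](\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

def parse_libssh_version(banner):
    """Return (major, minor, patch) when the banner names libssh, else None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_affected(version):
    """Apply the affected/fixed ranges from the advisory summary on this page."""
    major, minor, patch = version
    if major != 0 or minor < 6:
        return False        # releases before 0.6 are not affected
    if minor == 6:
        return True         # every 0.6.x release is affected
    if minor == 7:
        return patch < 6    # remediated in 0.7.6
    if minor == 8:
        return patch < 4    # remediated in 0.8.4
    return False            # later branches were cut after the fix

def classify(banner):
    """Map a banner to 'affected', 'not-affected' or 'not-libssh'."""
    version = parse_libssh_version(banner)
    if version is None:
        return "not-libssh"
    return "affected" if is_affected(version) else "not-affected"

SAMPLE_INVENTORY = [          # constructed (host, banner) pairs
    ("host-a", "SSH-2.0-libssh_0.8.3"),
    ("host-b", "SSH-2.0-libssh_0.8.4"),
    ("host-c", "SSH-2.0-libssh-0.7.5"),
    ("host-d", "SSH-2.0-libssh_0.6.4"),
    ("host-e", "SSH-2.0-OpenSSH_7.4"),
]

def triage(inventory):
    """Hosts whose banner falls in an affected range, for patch follow-up."""
    return [host for host, banner in inventory if classify(banner) == "affected"]
```

A banner match is a version check only: it tells you the library version is in the affected range, not that the host exposes libssh's server side where the flaw sits.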

Link: http://feedproxy.google.com/~r/PentestTools/~3/QmL8AcFG_pI/libssh-scanner-script-to-identify-hosts.html

SILENTTRINITY – A Post-Exploitation Agent Powered By Python, IronPython, C#/.NET

A post-exploitation agent powered by Python, IronPython, C#/.NET.

Requirements
- Server requires Python >= 3.7
- SILENTTRINITY C# implant requires .NET >= 4.5

Notes

.NET runtime support

The implant needs .NET 4.5 or greater due to the IronPython DLLs being compiled against .NET 4.0; also there is no ZipArchive .NET library prior to 4.5, which the implant relies upon to download the initial stage containing the IronPython DLLs and the main Python code.

Reading the source for the IronPython Compiler it seems like we can get around the first issue by directly generating IL code through IKVM (I still don't understand why this works). However this would require modifying the compiler to generate a completely new EXE stub (definitely feasible, just time consuming to find the proper IKVM API calls).

C2 Comms

Currently the implant only supports C2 over HTTP 1.1; .NET 4.5 seems to have a native WebSocket library which makes implementing a WS C2 channel more than possible.

HTTP/2 client support for .NET's HttpClient API is in the works, just not yet released.

The implant and server design are very much "future proof" which should make implementing these C2 Channels pretty trivial when the time comes.

COM Interop

http://ironpython.net/documentation/dotnet/dotnet.html#oleautomation-and-com-interop

We could possibly leverage this to use IE's COM object to do C2 ala WSC2.

Python Standard Library

We technically could load/use IronPython's stdlib instead of calling .NET APIs but this would require writing some "magic" dependency resolving code.

Possibly could modify httpimports to do this automagically.

Inject into unmanaged process

https://www.codeproject.com/Articles/607352/Injecting-Net-Assemblies-Into-Unmanaged-Processes

RPC

We might want to implement a fully fledged RPC that proxies objects between C# and Python. This could be interesting...
https://pythonhosted.org/Pyro4/pyrolite.html
https://thrift.apache.org/

Download SILENTTRINITY

Link: http://www.kitploit.com/2018/10/silenttrinity-post-exploitation-agent.html

UPDATED VERSION: RouterSploit 3.4.0

PenTestIT RSS Feed
RouterSploit 3.4.0, the long awaited router exploitation framework update is out guys! This release includes some really cool features and updates such as moving from pycrypto to pycryptodome and newer exploitation modules! Read on for the improvements.

What is RouterSploit? The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. It consists of the following
The post UPDATED VERSION: RouterSploit 3.4.0 appeared first on PenTestIT.

Link: http://pentestit.com/updated-version-routersploit-3-4-0/

SQLMap v1.2.10 – Automatic SQL Injection And Database Takeover Tool

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
- Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here. Preferably, you can download sqlmap by cloning the Git repository:

    git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage

To get a list of basic options and switches use:

    python sqlmap.py -h

To get a list of all options and switches use:

    python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.

Links
- Homepage: http://sqlmap.org
- Download: .tar.gz or .zip
- Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
- Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
- User's manual: https://github.com/sqlmapproject/sqlmap/wiki
- Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
- Twitter: @sqlmap
- Demos: http://www.youtube.com/user/inquisb/videos
- Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

Translations: Bulgarian, Chinese, Croatian, French, Greek, Indonesian, Italian, Japanese, Portuguese, Spanish, Turkish

Download SQLMap v1.2.10

Link: http://www.kitploit.com/2018/10/sqlmap-v1210-automatic-sql-injection.html

ReconDog v2.0 – Reconnaissance Swiss Army Knife

Reconnaissance Swiss Army Knife

Main Features
- Wizard + CLA interface
- Can extract targets from STDIN (piped input) and act upon them
- All the information is extracted with APIs, no direct contact is made to the target

Utilities
- Censys: Uses censys.io to gather a massive amount of information about an IP address.
- NS Lookup: Does name server lookup
- Port Scan: Scans most common TCP ports
- Detect CMS: Can detect 400+ content management systems
- Whois lookup: Performs a whois lookup
- Detect honeypot: Uses shodan.io to check if target is a honeypot
- Find subdomains: Uses findsubdomains.com to find subdomains
- Reverse IP lookup: Does a reverse IP lookup to find domains associated with an IP address
- Detect technologies: Uses wappalyzer.com to detect 1000+ technologies
- All: Runs all utilities against the target

Compatibility

Recon Dog will run on anything that has a python interpreter installed. However, it has been tested on the following configurations:
- Operating Systems: Windows, Linux, Mac
- Python Versions: Python 2.7, Python 3.6

Installation

Recon Dog requires no manual configuration and can simply be run as a normal python script. However, a debian package can be downloaded from here if you want to install it.

Usage

Wizard Interface

The wizard interface is the most straightforward way to use Recon Dog. Just run the program, select what you want to do and enter the target, it's that simple.

CLA Interface

Recon Dog also has a Command Line Argument interface. Here's how you can find subdomains:

    python dog -t marvel.com -c 7

There's more to it! Do you have a program that can enumerate subdomains and you want to scan ports of all the subdomains it finds? Don't worry, Recon Dog is designed to handle such cases. You can simply do this:

    subdomainfinder -t example.com | python dog --domains -c 3

Also, it doesn't matter what kind of output the other program generates: Recon Dog uses regular expressions to find targets, which makes it easy to integrate with literally every tool. There are two switches available:
- --domains: extract domains from STDIN
- --ips: extract ip addresses from STDIN

Download ReconDog

Link: http://feedproxy.google.com/~r/PentestTools/~3/n4hrJaCBqDo/recondog-v20-reconnaissance-swiss-army.html

Censys Subdomain Finder – Perform Subdomain Enumeration Using The Certificate Transparency Logs From Censys

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain that has ever been issued an SSL certificate by a public CA.

See it in action:

    $ python censys_subdomain_finder.py github.com
    [*] Searching Censys for subdomains of github.com
    [*] Found 42 unique subdomains of github.com in ~1.7 seconds
      - hq.github.com
      - talks.github.com
      - cla.github.com
      - github.com
      - cloud.github.com
      - enterprise.github.com
      - help.github.com
      - collector-cdn.github.com
      - central.github.com
      - smtp.github.com
      - cas.octodemo.github.com
      - schrauger.github.com
      - jobs.github.com
      - classroom.github.com
      - dodgeball.github.com
      - visualstudio.github.com
      - branch.github.com
      - www.github.com
      - edu.github.com
      - education.github.com
      - import.github.com
      - styleguide.github.com
      - community.github.com
      - server.github.com
      - mac-installer.github.com
      - registry.github.com
      - f.cloud.github.com
      - offer.github.com
      - helpnext.github.com
      - foo.github.com
      - porter.github.com
      - id.github.com
      - atom-installer.github.com
      - review-lab.github.com
      - vpn-ca.iad.github.com
      - maintainers.github.com
      - raw.github.com
      - status.github.com
      - camo.github.com
      - support.enterprise.github.com
      - stg.github.com
      - rs.github.com

Setup

1. Register an account (free) on https://censys.io/register
2. Browse to https://censys.io/account, and set two environment variables with your API ID and API secret:

       $ export CENSYS_API_ID=…
       $ export CENSYS_API_SECRET=…

3. Clone the repository:

       $ git clone https://github.com/christophetd/censys-subdomain-finder.git

4. Install the dependencies:

       $ cd censys-subdomain-finder
       $ pip install -r requirements.txt

5. Run the script on example.com to make sure everything works as expected:

       $ python censys_subdomain_finder.py example.com
       [*] Searching Censys for subdomains of example.com
       [*] Found 5 unique subdomains of example.com
         - products.example.com
         - www.example.com
         - dev.example.com
         - example.com
         - support.example.com

Usage

    usage: censys_subdomain_finder.py [-h] [-o OUTPUT_FILE]
                                      [--censys-api-id CENSYS_API_ID]
                                      [--censys-api-secret CENSYS_API_SECRET]
                                      domain

    positional arguments:
      domain                The domain to scan

    optional arguments:
      -h, --help            show this help message and exit
      -o OUTPUT_FILE, --output OUTPUT_FILE
                            A file to output the list of subdomains to (default: None)
      --censys-api-id CENSYS_API_ID
                            Censys API ID. Can also be defined using the
                            CENSYS_API_ID environment variable (default: None)
      --censys-api-secret CENSYS_API_SECRET
                            Censys API secret. Can also be defined using the
                            CENSYS_API_SECRET environment variable (default: None)

Compatibility

Should run on Python 2.7 and 3.5.

Notes

The Censys API has a rate limit of 120 queries per 5 minute window. Each invocation of this tool makes exactly one API call to Censys.

Feel free to open an issue or to tweet @christophetd for suggestions or remarks.

Download Censys-Subdomain-Finder
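The post-processing step implied by the output above, collapsing the names found on certificates into the unique subdomains of one target, as an added example; this is not the tool's own code, the certificate records are constructed, and the "names" key standing for a certificate's subject/SAN list is an assumption:

```python
# Added example, not censys_subdomain_finder's own code. Certificate records are
# constructed; the "names" list stands in for the subject and SAN names a
# Certificate Transparency search returns (assumption). The point is the
# normalisation a defender needs before trusting the list: case, trailing dots,
# wildcard labels, and suffix matches that only look like the target domain.
SAMPLE_CERTS = [
    {"fingerprint": "constructed-1", "names": ["github.com", "www.github.com"]},
    {"fingerprint": "constructed-2", "names": ["*.cloud.github.com", "cloud.github.com"]},
    {"fingerprint": "constructed-3", "names": ["Help.GitHub.com.", "help.github.com"]},
    {"fingerprint": "constructed-4", "names": ["notgithub.com", "github.com.evil.example"]},
]

def normalize(name):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def belongs_to(name, domain):
    """True only for the domain itself or a subdomain on a label boundary."""
    return name == domain or name.endswith("." + domain)

def unique_subdomains(certs, domain):
    """Sorted unique names under `domain` across every certificate record."""
    domain = normalize(domain)
    found = set()
    for cert in certs:
        for raw in cert.get("names", []):
            name = normalize(raw)
            if belongs_to(name, domain):
                found.add(name)
    return sorted(found)
```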

Link: http://feedproxy.google.com/~r/PentestTools/~3/bPFQtNdU4Fw/censys-subdomain-finder-perform.html

XXRF Shots – Tool to Test SSRF Vulnerabilities

What is SSRF vulnerability?

Server Side Request Forgery (SSRF) is a vulnerability class where an attacker sends a crafted request from a vulnerable web application, including unauthorised access to internal resources behind the firewall which are not directly reachable from the external network.

Installation

    git clone https://github.com/ariya/phantomjs.git
    cd phantomjs
    chmod +x build.py
    ./build.py

Usage

    ./xxrf.sh

Enter the url with the vulnerable parameter and hit the return key. The script is designed to perform two different tasks. First it injects the payload next to the vulnerable parameter and passes the request to another python script written by @maaaaz. The python script requires phantomJS to perform the screenshot function. It takes the list of injected payloads, screenshots them and places the screenshots in a screenshot directory.

Example:

    https://www.example.com/index.php?url=

Download XXRF-Shots
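The vulnerability class described above, seen from the application side: a fetch parameter like the "index.php?url=" one in the example, in its SSRF-prone form beside a hardened form. This is an added example, not part of XXRF Shots; the DNS records are a constructed stub so the code runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Added example, not part of XXRF Shots. A URL-fetch parameter in its SSRF-prone
# form and in a hardened form that limits the scheme, optionally allowlists the
# host and refuses hosts that resolve into internal address space. The resolver
# is a constructed stub (no real DNS) so the example runs offline.
FAKE_DNS = {
    "www.example.com": "93.184.216.34",     # constructed record
    "intranet.corp.example": "10.0.0.5",    # constructed record
    "localhost": "127.0.0.1",
}

def resolve(host):
    return FAKE_DNS.get(host)

def vulnerable_fetch_target(url):
    """Before: the application requests whatever the client supplied."""
    return url

def is_internal(ip):
    """Loopback, RFC 1918, link-local, multicast and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved)

def validate_fetch_target(url, allowed_hosts=None):
    """After: return (accepted, reason) for the URL the server would request."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not in allowlist"
    ip = resolve(host)
    if ip is None:
        return False, "host does not resolve"
    if is_internal(ip):
        return False, "resolves to internal address"
    return True, "ok"
```

Connect to the address that was checked rather than re-resolving the name at fetch time; otherwise a name whose answer changes between check and fetch defeats the test.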

Link: http://feedproxy.google.com/~r/PentestTools/~3/lmopLFQ_91o/xxrf-shots-tool-to-test-ssrf.html