Tunna – Set Of Tools Which Will Wrap And Tunnel Any TCP Communication Over HTTP

Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.

SUMMARY

TLDR: Tunnels TCP connections over HTTP

In a fully firewalled environment (inbound and outbound connections restricted, except the webserver port):
* The webshell can be used to connect to any service on the remote host. This would be a local connection on a local port at the remote host and should be allowed by the firewall.
* The webshell will read data from the service port, wrap them over HTTP and send them as an HTTP response to the local proxy.
* The local proxy will unwrap and write the data to its local port, where the client program would be connected.
* When the local proxy receives data on the local port, it will send them over to the webshell as an HTTP POST.
* The webshell will read the data from the HTTP POST and put them on the service port, and repeat.

Only the webserver port needs to be open (typically 80/443). The whole communication (externally) is done over the HTTP protocol.

USAGE

    python proxy.py -u <url> -l <localport> [options]

Options
    --help, -h                                 show this help message and exit
    --url=URL, -u URL                          url of the remote webshell
    --lport=LOCAL_PORT, -l LOCAL_PORT          local listening port
    --verbose, -v                              Verbose (outputs packet size)
    --buffer=BUFFERSIZE, -b BUFFERSIZE         * HTTP request size (some webshells have limitations on the size)

No SOCKS Options (options are ignored if SOCKS proxy is used)
    --no-socks, -n                             Do not use Socks Proxy
    --rport=REMOTE_PORT, -r REMOTE_PORT        remote port of service for the webshell to connect to
    --addr=REMOTE_IP, -a REMOTE_IP             address for remote webshell to connect to (default = 127.0.0.1)

Upstream Proxy Options (tunnel connection through a local Proxy)
    --up-proxy=UPPROXY, -x UPPROXY             Upstream proxy (http://proxyserver.com:3128)
    --auth, -A                                 Upstream proxy requires authentication

Advanced Options
    --ping-interval=PING_DELAY, -q PING_DELAY  webshprx pinging thread interval (default = 0.5)
    --start-ping, -s                           Start the pinging thread first; some services send data first (eg. SSH)
    --cookie, -C                               Request cookies
    --authentication, -t                       Basic authentication

See limitations.

example usage:

    python proxy.py -u http://10.3.3.1/conn.aspx -l 8000 -v
    # This will start a Local SOCKS Proxy Server at port 8000
    # This connection will be wrapped over HTTP and unwrapped at the remote server

    python proxy.py -u http://10.3.3.1/conn.aspx -l 8000 -x https://192.168.1.100:3128 -A -v
    # This will start a Local SOCKS Proxy Server at port 8000
    # It will connect through a Local Proxy (https://192.168.1.100:3128) that requires authentication
    # to the remote Tunna webshell

    python proxy.py -u http://10.3.3.1/conn.aspx -l 4444 -r 3389 -b 8192 -v --no-socks
    # This will initiate a connection between the webshell and Remote host RDP (3389) service
    # The RDP client can connect on localhost port 4444
    # This connection will be wrapped over HTTP

Prerequisites
The ability to upload a webshell on the remote server.

LIMITATIONS / KNOWN BUGS / HACKS

This is POC code and might cause DoS of the server. All efforts to clean up after execution or on error have been made (no promises).

Based on local tests:
* JSP buffer needs to be limited (buffer option): 4096 worked in Linux Apache Tomcat, 1024 worked in XAMPP Apache Tomcat (slow)
* More than that created problems with bytes missing at the remote socket, eg:
    ruby proxy.rb -u http://10.3.3.1/conn.jsp -l 4444 -r 3389 -b 1024 -v
* Sockets not enabled by default in PHP on Windows (IIS + PHP)
* Carriage returns on webshells (outside the code) get sent in responses / get written on the local socket -> corrupt the packets
* PHP webshell for Windows: the loop function DoS'es the remote socket; a sleep function was added -> works but a bit slow
* PHP webshell needs the new line characters at the end of the file (after "?>") removed, as these will get sent in every response and confuse Tunna

FILES

Webshells:
    conn.jsp      Tested on Apache Tomcat (windows + linux)
    conn.aspx     Tested on IIS 6+8 (windows server 2003/2012)
    conn.php      Tested on LAMP + XAMPP + IIS (windows + linux)
WebServer:
    webserver.py  Tested with Python 2.6.5
Proxies:
    proxy.py      Tested with Python 2.6.5

Technical Details

Architecture decisions
* Data is sent raw in the HTTP POST body (no POST variable)
* Instructions / configuration are sent to the webshell as URL parameters (HTTP GET)
* Data is sent in the HTTP body (HTTP POST)
* Websockets not used: not supported by default by most webservers
* Asynchronous HTTP responses are not really possible: the proxy queries the server constantly (default 0.5 seconds)

INITIATION PHASE
1st packet initiates a session with the webshell and gets a cookie back, eg:
    http://webserver/conn.ext?proxy
2nd packet sends the connection configuration options (IP and port for the webshell to connect to) to the webshell, eg:
    http://webserver/conn.ext?proxy&port=4444&ip=127.0.0.1
This is a threaded request: in PHP this request will go into an infinite loop to keep the webshell socket connection alive; in other webshells [OK] is received back.

TUNNA CLIENT
A local socket is created where the client program is going to connect to. Once the client is connected, the pinging thread is initiated and execution starts. Any data on the socket (from the client) gets read and sent as an HTTP POST request. Any data on the webshell socket gets sent as a response to the POST request.

PINGING THREAD
Because HTTP responses cannot be asynchronous, this thread does HTTP GET requests on the webshell based on an interval (default 0.5 sec). If the webshell has data to send, it will (also) send it as a reply to this request; otherwise it sends an empty response.
In general:
* Data from the local proxy gets sent with HTTP POST
* There are GET requests every 0.5 sec to query the webshell for data
* If there is data on the webshell side, it gets sent over as a response to one of these requests

WEBSHELL
The webshell connects to a socket on the local or a remote host. Any data written on the socket gets sent back to the proxy as a reply to a request (POST/GET). Any data received with a POST gets written to the socket.

NOTES
All requests need to have the URL parameter "proxy" set to be handled by the webshell (http://webserver/conn.ext?proxy).

AT EXIT / AT ERROR
Kills all threads and closes the local socket. Sends proxy&close to the webshell, which kills the remote threads and closes the socket.

SOCKS
The SOCKS support is an addon module for Tunna. Locally, a separate thread handles the connection requests and traffic: it adds a header that specifies the port and the size of the packet and forwards it to Tunna. Tunna sends it over to the remote webserver, removes the HTTP headers and forwards the packet to the remote SOCKS proxy. The remote SOCKS proxy initiates the connection and maps the received port to the local port. If the remote SOCKS proxy receives data from the service, it looks at the mapping table, finds the port it needs to respond to, and adds that port as a header so the local SOCKS proxy knows where to forward the data. Any traffic from the received port is forwarded to the local port and vice versa.

Download Tunna
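The request pattern described above is also what a defender sees in the web server's access log: every request carries a bare `proxy` URL parameter, a `proxy&port=..&ip=..` connect instruction appears once, the pinging thread issues GETs about twice a second, client data travels in POST bodies, and `proxy&close` ends the session. The following detector, an added example that is not part of Tunna or of the original post, scans access log lines for clients showing that pattern. The log lines, client addresses, webshell path and the polling thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log (Apache combined format). Client addresses,
# the webshell path and timestamps are made up; the request shapes follow the
# Tunna protocol described above (session request, connect instruction, raw
# POSTs, rapid polling GETs, close). The last two lines are benign look-alikes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2018:14:02:11 +0000] "GET /uploads/conn.aspx?proxy HTTP/1.1" 200 12 "-" "python-urllib/2.7"
203.0.113.7 - - [10/Mar/2018:14:02:11 +0000] "GET /uploads/conn.aspx?proxy&port=3389&ip=127.0.0.1 HTTP/1.1" 200 4 "-" "python-urllib/2.7"
203.0.113.7 - - [10/Mar/2018:14:02:12 +0000] "POST /uploads/conn.aspx?proxy HTTP/1.1" 200 0 "-" "python-urllib/2.7"
203.0.113.7 - - [10/Mar/2018:14:02:12 +0000] "GET /uploads/conn.aspx?proxy HTTP/1.1" 200 0 "-" "python-urllib/2.7"
203.0.113.7 - - [10/Mar/2018:14:02:13 +0000] "GET /uploads/conn.aspx?proxy HTTP/1.1" 200 1460 "-" "python-urllib/2.7"
203.0.113.7 - - [10/Mar/2018:14:02:13 +0000] "GET /uploads/conn.aspx?proxy HTTP/1.1" 200 0 "-" "python-urllib/2.7"
203.0.113.7 - - [10/Mar/2018:14:02:14 +0000] "GET /uploads/conn.aspx?proxy&close HTTP/1.1" 200 0 "-" "python-urllib/2.7"
198.51.100.9 - - [10/Mar/2018:14:02:15 +0000] "GET /index.php?page=proxy HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2018:14:02:40 +0000] "GET /index.php?proxy HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def tunna_params(target):
    """Return the query parameters of a request target if it carries the
    'proxy' parameter the webshell keys on, else None. A value such as
    'page=proxy' does not count: 'proxy' must be a parameter name."""
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    return params if "proxy" in params else None


def analyze(log_text, min_polls=4, min_rate=1.0):
    """Group 'proxy' requests per (client, path) and report sessions that show
    a connect instruction, high-rate polling GETs, or POSTs mixed with polling.
    The thresholds are assumptions for this example, not tuned values."""
    sessions = defaultdict(lambda: {"polls": [], "posts": 0, "config": None,
                                    "closed": False, "bytes_back": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = tunna_params(m.group("target"))
        if params is None:
            continue
        s = sessions[(m.group("ip"), urlsplit(m.group("target")).path)]
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if "port" in params and "ip" in params:
            s["config"] = (params["ip"], params["port"])   # webshell told where to connect
        elif "close" in params:
            s["closed"] = True                             # proxy&close at exit
        elif m.group("method") == "POST":
            s["posts"] += 1                                # raw client data in the body
        elif m.group("method") == "GET":
            s["polls"].append(ts)                          # pinging-thread request
            if m.group("size").isdigit():
                s["bytes_back"] += int(m.group("size"))    # service data riding on replies
    findings = []
    for (ip, path), s in sessions.items():
        reasons = []
        if s["config"]:
            reasons.append("connect instruction for %s:%s" % s["config"])
        if len(s["polls"]) >= min_polls:
            span = (max(s["polls"]) - min(s["polls"])).total_seconds()
            rate = len(s["polls"]) / (span + 1.0)          # +1: the log has 1 s resolution
            if rate >= min_rate:
                reasons.append("%d polling GETs over %.0f s (%.1f/s)"
                               % (len(s["polls"]), span, rate))
        if s["posts"] and s["polls"]:
            reasons.append("%d data POSTs interleaved with polling" % s["posts"])
        if reasons:
            findings.append({"client": ip, "path": path, "reasons": reasons,
                             "closed": s["closed"], "bytes_back": s["bytes_back"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("%s -> %s (%d bytes returned, closed=%s)"
              % (f["client"], f["path"], f["bytes_back"], f["closed"]))
        for r in f["reasons"]:
            print("   -", r)
```

The access log only has one-second resolution, so a 0.5 s ping interval shows up as two GETs per second on the same script path from one client; the `bytes_back` figure is the sum of response sizes on those polling replies, which is where service data leaves the host. Only the session on `/uploads/conn.aspx` is reported; the `page=proxy` and single `?proxy` hits from the second client are not.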

Link: http://feedproxy.google.com/~r/PentestTools/~3/p4t5NT8McxM/tunna-set-of-tools-which-will-wrap-and.html

Parat – Python Based Remote Administration Tool (RAT)

Parat is a simple remote administration tool (RAT) written in Python. You can also read the wiki!

Change log:
* Compatible with both Python 2 and 3 versions (don't forget that this may cause some errors, so please share any error(s) with us)

Do you want to try? Copy and paste on your terminal:
    git clone https://github.com/micle-fm/Parat && cd Parat && python main.py
Note: it may be necessary to install python -m easy_install pypiwin32 on some targets.

Features
* Fully UnDetectable (FUD)
* Compatible with Telegram messenger
* Bypass Windows User Account Control (UAC)
* Memory execution
* No requirements to set up

Telegram
You can communicate with Parat using Telegram messenger. For this, do the following steps:
* Open the telegram.service file in an editor
* Insert your bot token on line 15, replacing YOUR_BOT_TOKEN
* Run telegram.service by typing: python telegram.service
Now you can use your bot to control Parat 🙂

Download Parat

Link: http://feedproxy.google.com/~r/PentestTools/~3/JA8tIb4xMW4/parat-python-based-remote.html

Whapa – WhatsApp DataBase Parser Tool

Whapa is a WhatsApp database parser that automates the process. The main purpose of whapa is to present the data handled by the SQLite database in a way that is comprehensible to the analyst. The script is written in Python 2.x.

The software is divided into three modes:
* Message Mode: analyzes all messages in the database, applying different filters. It extracts thumbnails when they are available.
* Decryption Mode: decrypts crypt12 databases as long as we have the key.
* Info Mode: displays different information about statuses, broadcast lists and groups.

Please note that this project is at an early stage. As such, you could find errors. Use it at your own risk!

Bonus: it also comes with a tool to download the backup copies of Google Drive associated with a smartphone.
"whapas.py" is the Spanish version of "whapa.py".

Installation

whapa.py (WhatsApp parser)
You can download the latest version of whapa by cloning the GitHub repository:
    git clone https://github.com/B16f00t/whapa.git
then:
    pip install -r requirements.txt

whagdext.py (extracts data from a Google Drive account)
    sudo apt-get update
    sudo apt-get install -y python3-pip
    sudo pip3 install pyportify
To use it, configure settings.cfg:
    [auth]
    gmail = alias@gmail.com
    passw = yourpassword
then run:
    python3 whagdext.py "arguments"

Usage

(ASCII-art banner: Whatsapp Parser v0.2)

    usage: whapa.py [-h] [-k KEY | -i | -m] [-t TEXT] [-u USER] [-g GROUP] [-w] [-s] [-b]
                    [-tS TIME_START] [-tE TIME_END]
                    [-tT | -tI | -tA | -tV | -tC | -tL | -tX | -tP | -tG | -tD | -tR]
                    [DATABASE]

To start, choose a database and a mode with options.

positional arguments:
    DATABASE                                 database file path, './msgstore.db' by default

optional arguments:
    -h, --help                               show this help message and exit
    -k KEY, --key KEY                        *** Decrypt Mode *** key file path
    -i, --info                               *** Info Mode ***
    -m, --messages                           *** Message Mode ***
    -t TEXT, --text TEXT                     filter messages by text match
    -u USER, --user USER                     filter messages made by a phone number
    -g GROUP, --group GROUP                  filter messages made in a group number
    -w, --web                                filter messages made by WhatsApp Web
    -s, --starred                            filter messages starred by user
    -b, --broadcast                          filter messages sent by broadcast
    -tS TIME_START, --time_start TIME_START  filter messages by start time (dd-mm-yyyy HH:MM)
    -tE TIME_END, --time_end TIME_END        filter messages by end time (dd-mm-yyyy HH:MM)
    -tT, --type_text                         filter text messages
    -tI, --type_image                        filter image messages
    -tA, --type_audio                        filter audio messages
    -tV, --type_video                        filter video messages
    -tC, --type_contact                      filter contact messages
    -tL, --type_location                     filter location messages
    -tX, --type_call                         filter audio/video call messages
    -tP, --type_application                  filter application messages
    -tG, --type_gif                          filter GIF messages
    -tD, --type_deleted                      filter deleted object messages
    -tR, --type_share                        filter real time location messages

Examples ("./Media" is the directory where thumbnails are written)

Message mode:
    python whapa.py -m
    Show all messages from the database.
    python whapa.py -m -tS "12-12-2017 12:00" -tE "13-12-2017 12:00"
    Show all messages from 12-12-2017 12:00 to 13-12-2017 12:00.
    python whapa.py -m -w -tI
    Show all images sent by WhatsApp Web.
Decrypt mode:
    python whapa.py msgstore.db.crypt12 -k key
    Decrypt msgstore.db.crypt12, creating msgstore.db.
Info mode:
    python whapa.py -i
    Show a stage with options about groups, broadcast lists and statuses.

Download Whapa

Link: http://feedproxy.google.com/~r/PentestTools/~3/hv8mEoafXVc/whapa-whatsapp-database-parser-tool.html

DNSspider – Very Fast, Async Mulithreaded Subdomain Scanner

A very fast multithreaded bruteforcer of subdomains that leverages a wordlist and/or character permutation.

CHANGELOG:

v0.9
* use async multithreading via concurrent.futures module
* attack while mutating -> don't generate whole list when using -t 1
* log only the subdomains to logfile when '-r' was chosen
* minor code clean-ups / refactoring
* switch to tabstop=2 / shiftwidth=2

v0.8
* upgraded to python3

v0.7
* upgraded built-in wordlist (more than 2k)
* remove annoying timeout warnings
* remove color output when logging to file

v0.6
* upgraded default wordlist
* replaced optionparser with argparse
* add version output option
* fixed typo

v0.5
* fixed extracted ip addresses from rrset answers
* renamed file (removed version string)
* removed trailing whitespaces
* removed color output
* changed banner

v0.4
* fixed a bug for returned list
* added postfix option
* upgraded wordlist[]
* colorised output
* changed error messages

v0.3
* added verbose/quiet mode, default is quiet now
* fixed try/catch for domainnames
* fixed some tab width (i normally use <= 80 chars per line)

v0.2
* append DNS and IP output to found list
* added diffound list for subdomains resolved to different addresses
* get right ip address from current used iface to avoid socket problems
* fixed socket exception syntax and output
* added usage note for fixed port and multithreaded socket exception

v0.1
* initial release

Download DNSspider

Link: http://feedproxy.google.com/~r/PentestTools/~3/LtSqRCzJviE/dnsspider-very-fast-async-mulithreaded.html

Hate_Crack – Automated Hash Cracking Techniques with HashCat

A tool for automating cracking methodologies through Hashcat from the TrustedSec team.

Installation

Get the latest hashcat binaries (https://hashcat.net/hashcat/)

OSX Install (https://www.phillips321.co.uk/2016/07/09/hashcat-on-os-x-getting-it-going/)
    mkdir -p hashcat/deps
    git clone https://github.com/KhronosGroup/OpenCL-Headers.git hashcat/deps/OpenCL
    cd hashcat/
    make
    make install

Download hate_crack
    git clone https://github.com/trustedsec/hate_crack.git

Customize binary and wordlist paths in "config.json".
Make sure that at least "rockyou.txt" is within your "wordlists" path.

Create Optimized Wordlists
wordlist_optimizer.py parses all wordlists from <input file list>, sorts them by length and de-duplicates into <output directory>
    usage: python wordlist_optimizer.py <input file list> <output directory>
    $ python wordlist_optimizer.py wordlists.txt ../optimized_wordlists

Usage
    $ ./hate_crack.py
    usage: python hate_crack.py <hash_file> <hash_type>

The <hash_type> is attained by running hashcat --help
Example Hashes: http://hashcat.net/wiki/doku.php?id=example_hashes
    $ hashcat --help | grep -i ntlm
      5500 | NetNTLMv1          | Network protocols
      5500 | NetNTLMv1 + ESS    | Network protocols
      5600 | NetNTLMv2          | Network protocols
      1000 | NTLM               | Operating-Systems
    $ ./hate_crack.py

Quick Crack
Runs a dictionary attack using all wordlists configured in your "hcatOptimizedWordlists" path and applies the "best64.rule", with the option of chaining the "best64.rule".

Extensive Pure_Hate Methodology Crack
Runs several attack methods provided by Martin Bos (formerly known as pure_hate):
* Brute Force Attack (7 characters)
* Dictionary Attack
    All wordlists in "hcatOptimizedWordlists" with "best64.rule"
    wordlists/rockyou.txt with "d3ad0ne.rule"
    wordlists/rockyou.txt with "T0XlC.rule"
* Top Mask Attack (Target Time = 4 Hours)
* Fingerprint Attack
* Combinator Attack
* Hybrid Attack
* Extra - Just For Good Measure: runs a dictionary attack using wordlists/rockyou.txt with chained "combinator.rule" and "InsidePro-PasswordsPro.rule" rules

Brute Force Attack
Brute forces all characters with the choice of a minimum and maximum password length.

Top Mask Attack
Uses StatsGen and MaskGen from PACK (https://thesprawl.org/projects/pack/) to perform a top mask attack using passwords already cracked for the current session. Presents the user a choice of target cracking time to spend (default 4 hours).

Fingerprint Attack
https://hashcat.net/wiki/doku.php?id=fingerprint_attack
Runs a fingerprint attack using passwords already cracked for the current session.

Combinator Attack
https://hashcat.net/wiki/doku.php?id=combinator_attack
Runs a combinator attack using the "rockyou.txt" wordlist.

Hybrid Attack
https://hashcat.net/wiki/doku.php?id=hybrid_attack
Runs several hybrid attacks using the "rockyou.txt" wordlist:
* Hybrid Wordlist + Mask - ?s?d wordlists/rockyou.txt ?1?1
* Hybrid Wordlist + Mask - ?s?d wordlists/rockyou.txt ?1?1?1
* Hybrid Wordlist + Mask - ?s?d wordlists/rockyou.txt ?1?1?1?1
* Hybrid Mask + Wordlist - ?s?d ?1?1 wordlists/rockyou.txt
* Hybrid Mask + Wordlist - ?s?d ?1?1?1 wordlists/rockyou.txt
* Hybrid Mask + Wordlist - ?s?d ?1?1?1?1 wordlists/rockyou.txt

Pathwell Top 100 Mask Brute Force Crack
Runs a brute force attack using the top 100 masks from KoreLogic: https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies

PRINCE Attack
https://hashcat.net/events/p14-trondheim/prince-attack.pdf
Runs a PRINCE attack using wordlists/rockyou.txt

YOLO Combinator Attack
Runs a continuous combinator attack using random wordlists from the optimized wordlists for the left and right sides.

Download Hate_Crack
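The mask and hybrid modes above (a custom charset ?1 = ?s?d appended or prepended to every wordlist entry in two to four positions) have a keyspace that is easy to reason about, and working it out is how a defender judges what a password policy buys against this methodology. The calculator below is an added example, not hate_crack's or hashcat's own code: it expands hashcat charset specs such as `?s?d` into distinct characters, multiplies the per-position sizes for a mask, and scales by the wordlist size for the hybrid runs listed on the page. The charset contents are assumed to match hashcat's built-in definitions (?s is the 33 printable specials including space, ?a is 95 characters, ?b is all 256 byte values); the wordlist size and hash rate in the usage at the bottom are assumed inputs, not measured figures.

```python
import string

# hashcat built-in charsets (assumed to match hashcat's own definitions):
# ?l lowercase, ?u uppercase, ?d digits, ?s 33 printable specials incl. space,
# ?h / ?H hex digits, ?a = ?l?u?d?s (95 chars), ?b all 256 byte values.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?s?d', 'abc?d' or '?1' into the set of
    byte values it covers. Overlapping sources are de-duplicated, which is why
    '?l?l' still covers 26 characters, not 52."""
    custom = custom or {}
    out = set()
    i = 0
    while i < len(spec):
        if spec[i] != "?":
            out.add(ord(spec[i]))               # literal character
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError("dangling '?' in charset %r" % spec)
        key = spec[i + 1]
        if key == "?":                          # '??' is a literal question mark
            out.add(ord("?"))
        elif key == "b":
            out.update(range(256))
        elif key in BUILTIN:
            out.update(ord(c) for c in BUILTIN[key])
        elif key in custom:                     # -1 .. -4 user charsets, may use built-ins
            out.update(expand_charset(custom[key]))
        else:
            raise ValueError("unknown charset ?%s" % key)
        i += 2
    return out


def mask_keyspace(mask, custom=None):
    """Candidates generated by a mask: the product of each position's charset
    size. A literal character in the mask contributes exactly one choice."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            total *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1
    return total


def hybrid_keyspace(wordlist_size, mask, custom=None):
    """Hybrid wordlist+mask or mask+wordlist: every word is paired with every
    mask candidate, so the keyspace is the product of the two counts."""
    return wordlist_size * mask_keyspace(mask, custom)


def hybrid_plan(wordlist_size, hashes_per_second):
    """The six hybrid runs listed on the page (?1 = ?s?d, 2 to 4 mask
    positions, both orders), each with its keyspace and the hours a full pass
    takes at the given rate."""
    custom = {"1": "?s?d"}
    plan = []
    for n in (2, 3, 4):
        mask = "?1" * n
        ks = hybrid_keyspace(wordlist_size, mask, custom)
        hours = ks / hashes_per_second / 3600.0
        plan.append(("wordlist + " + mask, ks, hours))
        plan.append((mask + " + wordlist", ks, hours))
    return plan


if __name__ == "__main__":
    # Assumed inputs: a wordlist of about 14.3 million lines (roughly rockyou's
    # size) and a rate of 10 GH/s, a made-up round number for one fast hash.
    for name, ks, hours in hybrid_plan(14300000, 10000000000):
        print("%-22s keyspace=%-20d ~%.2f h" % (name, ks, hours))
```

The point the numbers make: with ?1 = ?s?d each appended position multiplies the wordlist by 43, so four positions turn a 14-million-line list into a keyspace in the 10^13 range, which a fast unsalted hash still exhausts in hours; a password policy that only requires "a digit or a symbol at the end" is therefore within reach of exactly these hybrid runs, and slow, salted hashing does more for the defender than the extra characters do.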

Link: http://feedproxy.google.com/~r/PentestTools/~3/syi8OgD0MZ0/hatecrack-automated-hash-cracking.html

VENOM 1.0.15 – Metasploit Shellcode Generator/Compiler/Listener

The script will use msfvenom (Metasploit) to generate shellcode in different formats (c | python | ruby | dll | msi | hta-psh), inject the generated shellcode into one template (example: python; "the python function will execute the shellcode in RAM") and use compilers like gcc (GNU cross compiler), mingw32 or pyinstaller to build the executable file. It also starts a multi-handler to receive the remote connection (shell or meterpreter session).

The 'venom generator' tool reproduces some of the techniques used by Veil-Evasion.py, unicorn.py, powersploit.py, etc.

"P.S. some payloads are undetectable by AV solutions... yes!!!" One of the reasons for that is the use of a function to execute the 2nd stage of shell/meterpreter directly in the target's RAM; the other reason is the use of external obfuscators/crypters.

HOW DO I DELIVER MY PAYLOADS TO THE TARGET HOST?
venom (malicious_server) was built to take advantage of the apache2 webserver to deliver payloads (LAN) using a fake webpage written in HTML that takes advantage of