Swap Digger – Tool That Automates Swap Extraction And Searches For Linux User Credentials, Web Forms Credentials, Web Forms Emails, Http Basic Authentication, Wifi SSID And Keys, Etc

swap_digger is a bash script that automates Linux swap analysis for post-exploitation or forensic purposes. It automates swap extraction and searches for Linux user credentials, web form credentials, web form emails, HTTP basic authentication, WiFi SSIDs and keys, etc.

Download and run the tool

On your machine

Use the following commands to download and run the script on your machine:

    alice@1nvuln3r4bl3:~$ git clone https://github.com/sevagas/swap_digger.git
    alice@1nvuln3r4bl3:~$ cd swap_digger
    alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx

On a mounted hard drive

To use swap_digger on a mounted hard drive, do the following. First, download the script:

    alice@1nvuln3r4bl3:~$ git clone https://github.com/sevagas/swap_digger.git
    alice@1nvuln3r4bl3:~$ cd swap_digger
    alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh

Then, find the target swap file/partition with:

    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -S

Finally, analyze the target by running:

    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx -r path/to/mounted/target/root/fs -s path/to/target/swap/device

On a third party machine

Use the following commands to download and run the script on a third party machine (useful for pentests and CTFs):

    alice@1nvuln3r4bl3:~$ wget https://raw.githubusercontent.com/sevagas/swap_digger/master/swap_digger.sh
    alice@1nvuln3r4bl3:~$ chmod +x swap_digger.sh
    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh -vx

Note: Use the -c option to automatically remove the directory created by swap_digger (/tmp/swap_dig).

Simple run

If you only need to recover clear text Linux user passwords, simply run:

    alice@1nvuln3r4bl3:~$ sudo ./swap_digger.sh

Available options

    ./swap_digger.sh [ OPTIONS ]

    Options:
    -x, --extended              Run extended tests on the target swap to retrieve other interesting data (web passwords, emails, WiFi creds, most accessed URLs, etc.)
    -g, --guessing              Try to guess potential passwords based on observations and stats. Warning: this option is not reliable; it may dig up more passwords as well as hundreds of false positives.
    -h, --help                  Display this help.
    -v, --verbose               Verbose mode.
    -l, --log                   Log all output in a log file (protected inside the generated working directory).
    -c, --clean                 Automatically erase the generated working directory at the end of the script (will also remove the log file).
    -r PATH, --root-path=PATH   Location of the target file-system root (default value is /). Change this value for forensic analysis when the target is a mounted file system. This option has to be used along with the -s option to indicate the path to the swap device.
    -s PATH, --swap-path=PATH   Location of the swap device or swap dump to analyse. Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition. This option should be used with the -r option, where at least PATH/etc/shadow exists.
    -S, --swap-search           Search for all available swap devices (use for forensics).

Relevant resources

Blog posts about swap digging: http://blog.sevagas.com/?Digging-passwords-in-Linux-swap

Contact

Feel free to message me on my Twitter account @EmericNasi

Download Swap_Digger
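The procedure above drives the tool; to show what it is actually doing to the swap device, here is an added example (not swap_digger's own code) of the core technique in Python: pull printable strings out of a raw swap image and match them against patterns that commonly leak from swapped-out process memory. It covers three of the README's categories (HTTP Basic authentication, web form credentials, WiFi SSID/key pairs). SWAP_IMAGE is a constructed sample, not a real dump, and every function and pattern name is this example's own.

```python
"""Added illustration of swap digging: string extraction plus credential
pattern matching over a (constructed) swap image.  Not swap_digger's code."""
import base64
import mmap
import re
import sys
from urllib.parse import parse_qs

# Constructed stand-in for a few pages of swap: a swapped-out browser
# request, a login POST body and a wpa_supplicant.conf fragment, padded
# with zero bytes the way real swap pages are.
SWAP_IMAGE = (
    b"\x00" * 64
    + b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    + b"Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n"
    + b"\x00\xff" * 32
    + b"POST /login HTTP/1.1\r\n\r\nusername=bob&password=hunter2&submit=1\x00"
    + b"\x00" * 16
    + b'network={\n\tssid="CorpWiFi"\n\tpsk="wpa-passphrase-here"\n}\n'
    + b"\x00" * 64
)

MIN_LEN = 6
# "Authorization: Basic <base64 user:password>" as sent by browsers and curl.
BASIC_AUTH = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
# An application/x-www-form-urlencoded body: at least two key=value pairs joined by &.
FORM_BODY = re.compile(r"[\w%.+-]+=[^\s&]*(?:&[\w%.+-]+=[^\s&]*)+")
PASSWORD_KEY = re.compile(r"pass(word|wd|phrase)?|pwd|secret|token", re.I)
# wpa_supplicant.conf network block: ssid="..." followed by psk="...".
WIFI_BLOCK = re.compile(r'ssid="([^"]+)".*?psk="([^"]+)"', re.S)


def extract_strings(data, min_len=MIN_LEN):
    """Equivalent of `strings -n min_len`: yield runs of printable ASCII
    (tabs and line breaks allowed so multi-line config blocks stay intact)."""
    run = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % min_len)
    for match in run.finditer(data):
        yield match.group().decode("ascii")


def dig_swap(data):
    """Return credential residue found in a swap image, grouped by type."""
    found = {"http_basic": [], "web_forms": [], "wifi": []}
    for text in extract_strings(data):
        for token in BASIC_AUTH.findall(text):
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64 / not text: a false hit on the header
            user, sep, password = decoded.partition(":")
            if sep:
                found["http_basic"].append((user, password))
        for body in FORM_BODY.findall(text):
            fields = {k: v[0] for k, v in parse_qs(body).items()}
            # Only keep bodies that carry a password-like field.
            if any(PASSWORD_KEY.search(k) for k in fields):
                found["web_forms"].append(fields)
        for ssid, psk in WIFI_BLOCK.findall(text):
            found["wifi"].append((ssid, psk))
    return found


def dig_swap_path(path):
    """Scan a swap device or dump file via mmap instead of reading it into memory."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
        return dig_swap(mem)


if __name__ == "__main__":
    # Usage: python3 dig.py /dev/sda2   (as root)  or  python3 dig.py swap.dd
    results = dig_swap_path(sys.argv[1]) if len(sys.argv) > 1 else dig_swap(SWAP_IMAGE)
    for category, hits in results.items():
        for hit in hits:
            print(category, hit)
```

swap_digger's default mode additionally checks every extracted string against the hashes in /etc/shadow, which this example leaves out; the swap device must be read as root, and for forensics it should be the mounted image's swap (the -s/-r pair above), not the analysis host's own.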

Link: http://feedproxy.google.com/~r/PentestTools/~3/FdfKjJxumdE/swap-digger-tool-that-automates-swap.html

Docker TOR Hidden Service – Easily Setup A Hidden Service Inside The Tor Network

Easily run a hidden service inside the Tor network with this container.

Generate the skeleton configuration for your hidden service, replacing PATTERN with the pattern you want in the hidden service name. For example, if you want your hidden service address to contain the word 'boss', just use this word as the argument. You can use regular expressions: ^boss will generate an address which starts with 'boss'. Be aware that the bigger the pattern, the more time it will take to generate it.

    docker run -it --rm -v $(pwd)/web:/web \
        strm/tor-hiddenservice-nginx generate PATTERN

Create a container named 'hiddensite' to serve your generated hidden service:

    docker run -d --restart=always --name hiddensite -v $(pwd)/web:/web \
        strm/tor-hiddenservice-nginx

Example

Let's create a hidden service with a name beginning with strm.

    docker pull strm/tor-hiddenservice-nginx

Wait for the container image to download. Then we can generate our site skeleton:

    $ docker run -it --rm -v $(pwd)/web:/web strm/tor-hiddenservice-nginx generate ^strm
    [+] Generating the address with mask: ^strm
    [+] Found matching domain after 137072 tries: strmfyygjp5st54g.onion
    [+] Generating nginx configuration for site strmfyygjp5st54g.onion
    [+] Creating www folder
    [+] Generating index.html template

Now that we have our skeleton generated, we can run the container with:

    docker run -d --restart=always --name hiddensite \
        -v $(pwd)/web:/web strm/tor-hiddenservice-nginx

And you have the service running! :)

Troubleshooting

403 error on nginx: check your directory and file permissions. Nginx runs as the "hidden" user (UID 666); make sure this user has access to the /web/www folder (or whichever folder you mapped to it).

Build

    docker build -t strm/tor-hiddenservice-nginx .

Run

    docker run -d --restart=always --name hiddensite -v $(pwd)/web:/web strm/tor-hiddenservice-nginx

Shell

    docker run -it --rm -v $(pwd)/web:/web --entrypoint /bin/bash strm/tor-hiddenservice-nginx

Download Docker-Tor-Hiddenservice-Nginx
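The "generate" step above brute-forces keys until the derived address matches the regex. As an added example (not the container's code), here is that derivation and search loop in Python. A v2 address is the first 80 bits of SHA-1 over the DER-encoded RSA public key, base32-encoded and lowercased, which is why the address on this page is 16 characters. Caveat: Tor retired v2 onion services in 2021; current services use 56-character v3 addresses derived from an Ed25519 key, so this documents the format the container produced rather than something to deploy today. Generating real RSA keys needs the third-party cryptography package; when it is not installed, a seeded random blob stands in for the DER key so the loop still runs offline. All function names here are this example's own.

```python
"""Added illustration: v2 .onion derivation and a vanity-address search loop."""
import base64
import hashlib
import random
import re


def onion_v2_address(der_public_key: bytes) -> str:
    """16 base32 chars = SHA-1(DER RSA public key)[:10], plus the .onion suffix."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def matches(pattern: str, address: str) -> bool:
    """Apply the user's regex (e.g. ^strm) to the label in front of .onion."""
    label = address[: -len(".onion")] if address.endswith(".onion") else address
    return re.search(pattern, label) is not None


def find_vanity(pattern: str, keygen, max_tries: int):
    """Draw keys until the derived address matches the pattern.
    Returns (tries, address, key) or None if max_tries is exhausted.
    Expected work for a fixed n-character prefix is about 32**n tries
    (each base32 character carries 5 bits)."""
    for tries in range(1, max_tries + 1):
        key, der = keygen()
        address = onion_v2_address(der)
        if matches(pattern, address):
            return tries, address, key
    return None


def stand_in_keygen(seed=1):
    """Deterministic stand-in key source: 140 pseudo-random bytes per call, the
    size of a DER-encoded RSA-1024 public key.  Exercises the loop offline;
    the output is NOT a usable key."""
    rng = random.Random(seed)

    def keygen():
        der = bytes(rng.getrandbits(8) for _ in range(140))
        return None, der

    return keygen


def rsa_keygen():
    """Real RSA-1024 key via the `cryptography` package (the key type Tor
    used for v2 services); DER in PKCS#1 RSAPublicKey form is what gets hashed."""
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa

    key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
    der = key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.PKCS1)
    return key, der


if __name__ == "__main__":
    import sys

    pattern = sys.argv[1] if len(sys.argv) > 1 else "^a"
    try:
        import cryptography  # noqa: F401
        keygen = rsa_keygen
    except ImportError:
        keygen = stand_in_keygen()
    hit = find_vanity(pattern, keygen, max_tries=10_000_000)
    print("tries=%d address=%s" % hit[:2] if hit else "no match within budget")
```

The page's run found ^strm after 137072 tries against an expectation of roughly 32**4 (about a million), so that was a lucky draw; budget for the expected count when choosing a pattern.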

Link: http://feedproxy.google.com/~r/PentestTools/~3/O5qn-eFrwys/docker-tor-hidden-service-easily-setup.html

The Age of DevOps

The Most Valuable Resource of All: Time. This post was authored by Paul Asadoorian, CEO and founder of Security Weekly. Over the last twenty years we have witnessed dramatic changes in the way companies write and ship code. First there was Waterfall, followed by the Agile movement in the early 2000s, and now we find […]
The post The Age of DevOps appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/SOx2euM6uio/

Offensive Operating Against SysMon, Carlos Perez – Paul’s Security Weekly #577

Carlos Perez delivers the Technical Segment on how to operate offensively against Sysmon. He talks about how Sysmon allows him to create rules and track specific types of tradecraft around process creation and process termination. He dives into network connections, driver loading, image loading, creation of remote threads, and more! Full Show Notes. Visit our website: […]
The post Offensive Operating Against SysMon, Carlos Perez – Paul’s Security Weekly #577 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/ZcUh9FtxQUc/

Mail Security Tester – A Testing Framework For Mail Security And Filtering Solutions

A testing framework for mail security and filtering solutions.

IMPORTANT: Don't do anything evil with this! Tests of cloud or otherwise hosted solutions should always be approved by the tested provider. Only use your own test accounts and don't annoy anyone with a load of test mails.

Installation

The mail security testing framework works with Python >= 3.5. Just pull this repository and go ahead. No further dependencies are required.

Usage

The script mail-tester.py runs the tests. Read the help message with ./mail-tester.py --help and check the list of test and evasion modules with ./mail-tester.py -l to get an overview of the capabilities and usage of the script. Some hints:

- At least the parameters --smtp-server and --to should be given for a minimal test run.
- All parameters can also be stored in configuration files without the -- prefix. These configuration files are used by invoking ./mail-tester.py @tester.conf (configuration contained in tester.conf).
- Multiple recipients can be configured with --to for testing different filter configurations.
- Some mail filtering solutions may reject messages after a while. Use --auto-delay for automatic throttling of the mails. This can be fine-tuned with --delay-step, --delay-max and --delay.
- Some tests (Spam and Malware) require samples. Put these in directories and configure these directories with the --spam-folder and --malware-folder parameters. The samples are not included in this repository (and will not be). Good places to get malware are theZoo, Das Malwerk or other collections. Spam can be exported straight from your Spam folder, but must be in EML format.
- Blacklists can be supplied with the --blacklist parameter and are used as sender addresses.
- The Shellshock and subject XSS test cases should have a valid backconnect domain, where you are able to see any backconnects (especially DNS requests). The free Canary Tokens service can be used for this purpose. Thanks to Thinkst for providing this awesome service!
- Some neat attachment recognition evasion tricks can be enabled with --evasion content-disposition. These were used in the past to confuse AV/sandboxing solutions and let malicious mails pass.
- Don't forget to log the test results with --log. Mail filtering providers often reject mails in the SMTP dialog, which is reflected in the generated log.
- Test cases can be dumped with --output as plain files in a directory, or in MBox (--mbox) or MailDir (--maildir) format. This is useful to test mail user agents without sending any mails, or to document or review generated test cases.

Development and Extension

Tests

Your own tests can be implemented as a class in one of the existing or newly created Python files in the tests/ directory. The class must be a subclass of MailTestBase, located in the module tests.base of this project. Newly implemented tests are discovered automatically when the class variable active is set to True. Further (if you plan to contribute tests back to the main repository), the class variables identifier, name and description should be set appropriately.

The following base classes exist with methods or class variables intended for overriding:

MailTestBase: Test class for generic tests.
- generateTestCases(): Yields test messages. These should be generated with the MIME* classes from the Python email.mime.* packages or with the Message class from email.message to ensure valid mail messages.
- active: Boolean value indicating whether the test should be active.
- identifier: Short identifier of the test. This one is used to enable or disable tests in parameters.
- name: Short test title.
- description: Longer test description; should fit within approximately 100 characters.
- delivery_sender and delivery_recipient: Boolean values, False by default. Normally, the sender and recipients are set in the message and the Python SMTP module takes them over from there. Sometimes it is desirable to set them explicitly in the SMTP library, which can be configured by setting these values to True.
- finalizeMessage(msg): By default, the base test class sets the From and To headers accordingly. This behaviour can be overridden if required for the test case.

MailAttachmentTestBase: Test class for attachment test cases. This generates a complete valid mail with a Subject and a text part and attaches the test case to it. Derived from MailTestBase, therefore the methods/variables from it can be overridden here, too.
- generateAttachments(): Yields test cases as (description, attachment) tuples.
- subject: Sets the subject. The placeholder {} is replaced by the description yielded by generateAttachments().
- generateTestCases(): Already overridden with an implementation of the message generation described above, but may be further adapted if required.

Setting the subjects of generated messages is highly recommended to be able to recognize the tests in the receiving inbox.

Evasions

Evasion classes implement techniques for evading recognition of particular mail properties by mail security solutions. Currently, an evasion technique that tries to hide attachments from such solutions by intentionally broken Content-Disposition headers is implemented.

Implementing new Evasions

Evasions are implemented with a factory class pattern. The DeliveryBase class instantiates a factory class derived from the BaseEvasionFactory class. The factory constructor receives a flag that indicates if the evasion is activated. The evasion factory instance is then passed to the test class and stored in its evasions attribute, which contains a dict with the evasion identifiers as keys. Inside the test, an evasion class (based on EvasionBase) is instantiated with getEvasionGenerator(). The constructor parameters are defined individually per evasion technique.

The following base classes are used to implement evasions:

BaseEvasionFactory: Evasion factories must be based on this class. Usually, only the following class variables should be set:
- active: Set to True if the evasion should be active.
- identifier: Short identifier of the evasion module, used for enabling it in the test configuration.
- name: Short title of the evasion technique.
- description: Longer description of the evasion technique. Should fit in approximately 100 characters.
- generator_evasion: Evasion class that is instantiated if the evasion is enabled.
- generator_default: Evasion class that is instantiated if the evasion is disabled.

BaseEvasion: Implementations of evasions must be subclasses of this base class. The following methods must be overridden:
- __init__(): Should instantiate the class with the base message or attachment that should be manipulated with evasion techniques.
- generate(): Apply the evasion technique to the object passed to the constructor and yield it to the caller as a (description, object with evasion applied) tuple.

Generally, the evasion class should yield all evasion variants and pass the default as a dedicated test case, while the default evasion classes only pass the given object or create the required data structures, like headers.

Using Evasion Techniques in Test Cases

Evasion techniques are used in test cases where they are applicable. E.g. if an evasion technique manipulates the header of a mail or attachment, the following steps have to be implemented:

1. Generate the base object (mail or attachment) without consideration of the evasion.
2. Instantiate the appropriate evasion class via the evasion factory instance from self.evasions, e.g.:

       evasion_items = self.evasions["evasion_identifier"].getEvasionGenerator(message)

3. Iterate over the generator and yield the test cases:

       for evasion_item in evasion_items:
           yield evasion_item

Usage of the Content Disposition Evasion Technique

The content disposition evasion technique is already implemented in the framework and should be used for all test cases that target the recognition of malicious attachments. The constructor receives an attachment and the intended file name. The evasion class then yields (evasion name, attachment with applied evasion technique) tuples that can be yielded directly by the test's generateAttachments() method.

Download Mail-Security-Tester
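The Tests and Evasions sections above describe the shape of a test class and of an evasion generator without showing one end to end. The following is an added, self-contained example and not code from mail-security-tester: the project's own base classes (tests.base.MailTestBase, BaseEvasionFactory, the content-disposition evasion) are not importable here, so a minimal stand-in MailTestBase with the same method names is defined below, and the evasion generator is called directly rather than looked up through self.evasions. The five Content-Disposition variants and the class, function and address names are this example's own; the payload is a constructed, harmless byte string. The round-trip through an mbox file mirrors what --mbox produces and shows what Python's own parser makes of each mangled header, which is the kind of parser disagreement the evasion probes.

```python
"""Added illustration of the test/evasion pattern: an attachment test that
yields one message per Content-Disposition variant, dumped to an mbox."""
import copy
import mailbox
import os
import tempfile
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

PAYLOAD = b"constructed stand-in for an attachment sample\n"  # not malware


class ContentDispositionEvasion:
    """Yield (description, attachment) variants whose Content-Disposition header
    is mangled in ways a lenient MUA still treats as an attachment but a filter
    keyed on a well-formed filename= parameter may miss."""

    def __init__(self, attachment, filename):
        self.attachment = attachment
        self.filename = filename

    def variants(self):
        f = self.filename
        yield "default", 'attachment; filename="%s"' % f
        yield "unquoted-filename", "attachment; filename=%s" % f
        yield "rfc2231-filename", "attachment; filename*=UTF-8''%s" % f
        yield "duplicate-filename", 'attachment; filename="harmless.txt"; filename="%s"' % f
        yield "no-disposition-type", 'filename="%s"' % f

    def generate(self):
        for description, header in self.variants():
            part = copy.deepcopy(self.attachment)   # never mutate the base object
            del part["Content-Disposition"]          # no-op if absent
            part["Content-Disposition"] = header
            yield description, part


class MailTestBase:
    """Minimal stand-in for the README's tests.base.MailTestBase: same method
    names, not the project's implementation."""
    active = False
    identifier = "base"
    name = ""
    description = ""

    def __init__(self, sender, recipient):
        self.sender = sender
        self.recipient = recipient

    def finalizeMessage(self, msg):
        msg["From"] = self.sender
        msg["To"] = self.recipient
        return msg

    def generateTestCases(self):
        raise NotImplementedError


class MangledDispositionAttachmentTest(MailTestBase):
    """One message per evasion variant, subject tagged so it can be found in the inbox."""
    active = True
    identifier = "attach-cd-mangled"
    name = "Attachment with mangled Content-Disposition"
    description = "Attachment whose Content-Disposition header is malformed in several ways"
    subject = "MST attachment test: {}"

    def generateAttachments(self):
        attachment = MIMEApplication(PAYLOAD)
        yield from ContentDispositionEvasion(attachment, "invoice.exe").generate()

    def generateTestCases(self):
        for description, attachment in self.generateAttachments():
            msg = MIMEMultipart()
            msg["Subject"] = self.subject.format(description)
            msg.attach(MIMEText("Please see the attached file.\n"))
            msg.attach(attachment)
            yield self.finalizeMessage(msg)


def dump_to_mbox(test, path):
    """Write every generated test case to an mbox (what --mbox does); return the count."""
    box = mailbox.mbox(path)
    count = 0
    try:
        for msg in test.generateTestCases():
            box.add(msg)
            count += 1
        box.flush()
    finally:
        box.close()
    return count


def observed_filenames(path):
    """Re-read the mbox and record what Python's parser reports as the filename per variant."""
    seen = {}
    box = mailbox.mbox(path)
    try:
        for msg in box:
            variant = msg["Subject"].split(": ", 1)[1]
            seen[variant] = msg.get_payload()[1].get_filename()
    finally:
        box.close()
    return seen


def write_and_reload(test):
    """Round trip: dump to a temporary mbox and parse it back; returns (count, filenames)."""
    path = os.path.join(tempfile.mkdtemp(), "tests.mbox")
    return dump_to_mbox(test, path), observed_filenames(path)


if __name__ == "__main__":
    test = MangledDispositionAttachmentTest("sender@example.test", "filter-test@example.test")
    count, names = write_and_reload(test)
    print("%d test cases; filename as parsed by Python per variant:" % count)
    for variant, name in names.items():
        print("  %-22s %r" % (variant, name))
```

In the real framework the evasion instance would come from self.evasions["content-disposition"].getEvasionGenerator(...) and the default variant would be produced by the generator_default class when the evasion is disabled; the structure of the yielded tuples is the same.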

Link: http://feedproxy.google.com/~r/PentestTools/~3/HrZh9xBkVuo/mail-security-tester-testing-framework.html