JoomScan 0.0.6 – OWASP Joomla Vulnerability Scanner Project

OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments. Implemented in Perl, this tool enables seamless and effortless scanning of Joomla installations, while leaving a minimal footprint with its lightweight and modular architecture. It not only detects known offensive vulnerabilities, but also is able to detect many misconfigurations and admin-level shortcomings that can be exploited by adversaries to compromise the system. Furthermore, OWASP JoomScan provides a user-friendly interface and compiles the final reports in both text and HTML formats for ease of use and minimization of reporting overheads.OWASP JoomScan is included in Kali Linux distributions.WHY OWASP JOOMSCAN ?Automated …Version enumeratorVulnerability enumerator (based on version)Components enumerator (1209 most popular by default)Components vulnerability enumerator (based on version)(+1030 exploit)Firewall detectorReporting to Text & HTML outputFinding common log filesFinding common backup filesINSTALLgit clone https://github.com/rezasp/joomscan.gitcd joomscanperl joomscan.plJOOMSCAN ARGUMENTSUsage: joomscan.pl [options]–url | -u | The Joomla URL/domain to scan.–enumerate-components | -ec | Try to enumerate components.–cookie <String> | Set cookie.–user-agent | -a <user-agent> | Use the specified User-Agent.–random-agent | -r | Use a random User-Agent.–timeout <time-out> | set timeout.–about | About Author–update | Update to the latest version.–help | -h | This help screen.–version | Output the current version and exit.OWASP JOOMSCAN USAGE EXAMPLESDo default checks…perl joomscan.pl –url www.example.comorperl joomscan.pl -u www.example.com Enumerate installed components…perl joomscan.pl –url www.example.com –enumerate-componentsorperl joomscan.pl -u www.example.com –ecSet cookieperl joomscan.pl –url www.example.com –cookie “test=demo;" Set user-agentperl joomscan.pl –url www.example.com –user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"orperl joomscan.pl -u www.example.com -a "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"Set random user-agentperl joomscan.pl -u www.example.com –random-agentorperl joomscan.pl –url www.example.com -rUpdate Joomscan…perl joomscan.pl –updatePROJECT LEADERSMohammad Reza Espargham [ reza[dot]espargham[at]owasp[dot]org ]Ali Razmjoo [ ali[dot]razmjoo[at]owasp[dot]org ]OWASP JoomScan introduction (Youtube)OWASP JoomScan 0.0.6 [#BHUSA]Updated vulnerability databasesAdded new module: Firewall Detector (supports detection of [CloudFlare, Incapsula, Shieldfy, Mod_Security])Added exploit for com_joomanagerUpdated list of common log pathsA few enhancementsDownload Joomscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/LkQh4-Er0AQ/joomscan-006-owasp-joomla-vulnerability.html

Firebase Exploiting Tool – Exploiting Misconfigured Firebase Databases

Exploiting vulnerable/misconfigured Firebase databasesPrerequisitesNon-standard python modules:dnsdumpsterbs4requestsInstallationIf the following commands run successfully, you are ready to use the script:git clone https://github.com/Turr0n/firebase.gitcd firebasepip install -r requirements.txtUsagepython3 firebase.py [-h] [–dnsdumpster] [-d /path/to/file.htm] [-o results.json] [-l /path/to/file] [-c 100] [-p 4]Arguments: -h Show the help message -d Absolute path to the downloaded HTML file. -o Output file name. Default: results.json -c Crawl for domains in the top-1m by Alexa. Set how many domains to crawl, for example: 100. Up to 1000000 -p How many processes to execute. Default: 1 -l Path to a file containing the DBs to crawl. One DB name per line. This option can’t be used with -d or -c –dnsdumpster Use the DNSDumpster API to gather DBs –just-v Ignore “non-vulnerable" DBs –amass Path of the output file of an amass scan ([-o] argument)Example: python3 firebase.py -p 4 -f results_1.json -c 150 –dnsdumpster This will lookup the first 150 domains in the Alexa file aswell as the DBs provided by DNSDumpster. The results will be saved to results_1.json and the whole script will execute using 4 parallel processesThe script will create a json file containing the gathered vulnerable databases and their dumped contents. Each database has a status:-2: DB doesn’t exists-1: means it’s not vulnerable0: further explotation may be possible1: vulnerableFor a better results head to pentest-tools.com and in its subdomain scanner introduce the following domain: firebaseio.com. Once the scan has finished, save the page HTML(CRL+S) and use the -d [path] argument, this will allow the script to analyze the subdomains discovered by that service. Further subdomain crawlers might get supported.Now we support the amass scanner by @caffix! By running any desired scann with that tool against firebaseio.com using the -o argument, the script will be able to digest the output file and crawl for the discovered DBs.Firebase DBs work using this structure: https://[DB name].firebaseio.com/. If you are using the -l [path] argument, the supplied file needs to contain a [DB name] per line, for example:airbnbtwittermicrosoftUsing that file will check for these DBs: https://airbnb.firebaseio.com/.json, https://twitter.firebaseio.com/.json, https://microsoft.firebaseio.com/.jsonDownload Firebase

Link: http://feedproxy.google.com/~r/PentestTools/~3/i5hgSAIPl6I/firebase-exploiting-tool-exploiting.html

Intrigue-Core – Discover Your Attack Surface

Intrigue-core is a framework for automated attack surface discovery. There are a number of use cases:Application and Infrastructure (Asset) DiscoverySecurity Research and Vulnerability DiscoveryMalware Campaign Research & Indicator EnrichmentExploratory OSINT ResearchIf you’d like assistance getting started or have development-related questions, feel free to join to the chat.UsersIf you just want to get started and play around with an instance, have a look at the Getting Started GuideDevelopersTo get started setting up a development environment, follow the instructions below!Setting up a development environmentFollow the appropriate setup guide:Vagrant (preferred) – http://intrigue.io/getting-started-with-intrigue-core-on-vagrant-virtualbox/Docker – https://intrigue.io/2017/03/07/using-intrigue-core-with-docker/Manual setup guides (may be out of date!)Ubuntu Linux – https://github.com/intrigueio/intrigue-core/wiki/Setting-up-a-Test-Environment-on-Ubuntu-LinuxKali Linux – https://github.com/intrigueio/intrigue-core/wiki/Setting-up-a-Test-Environment-on-Kali-LinuxOS X – https://github.com/intrigueio/intrigue-core/wiki/Setting-up-a-Test-Environment-on-OSX-10.10Now that you have a working environment, browse to the web interface.Using the web interfaceTo use the web interface, browse to http://127.0.0.1:7777. Once you’re able to connect, you can follow the instructions here: http://intrigue.io/up-and-running/Configuring the systemMany tasks work via external APIs and thus require configuration of keys. To set them up, browse to the “Configure" tab and click on the name of the module. You will be taken to the relevant signup page where you can provision an API key. These keys are ultimately stored in the file: config/config.json.The APIIntrigue-core is built API-first, allowing all functions in the UI to be easily automated. The following methods for automation are provided.API usage via core-cliA command line utility has been added for convenience, core-cli.List all available tasks:$ bundle exec ./core-cli.rb listStart a task:## core-cli.rb start [Project Name] [Task] [Type#Entity] [Depth] [Option1=Value1#…#…] [Handlers] [Strategy Name] [Auto Enrich]$ bundle exec ./core-cli.rb start new_project create_entity DnsRecord#intrigue.io 3Got entity: {"type"=>"DnsRecord", "name"=>"intrigue.io", "details"=>{"name"=>"intrigue.io"}}Task Result: {"result_id":66103}API usage via curlYou can use curl to drive the framework. See the example below:$ curl -s -X POST -H "Content-Type: application/json" -d ‘{ "task": "create_entity", "entity": { "type": "DnsRecord", "attributes": { "name": "intrigue.io" } }, "options": {} }’ http://127.0.0.1:7777/resultsDownload Intrigue-Core

Link: http://feedproxy.google.com/~r/PentestTools/~3/iG4boXqkAq8/intrigue-core-discover-your-attack.html

Dependency-Track – An Intelligent Software Composition Analysis (SCA) Platform That Allows Organizations To Identify And Reduce Risk From The Use Of Third-Party And Open Source Components

Modern applications leverage the availability of existing components for use as building blocks in application development. By using existing components, organizations can dramatically decrease time-to-market. Reusing existing components however, comes at a cost. Organizations that build on top of existing components assume risk for software they did not create. Vulnerabilities in third-party components are inherited by all applications that use those components. The OWASP Top Ten (2013 and 2017) both recognize the risk of using components with known vulnerabilities.Dependency-Track is a Software Composition Analysis (SCA) platform that keeps track of all third-party components used in all the applications an organization creates or consumes. It integrates with multiple vulnerability databases including the National Vulnerability Database (NVD), Node Security Platform (NSP), and VulnDB from Risk Based Security. Dependency-Track monitors all applications in its portfolio in order to proactively identify vulnerabilities in components that are placing your applications at risk. Use of Dependency-Track can play a vital role in an overall Cyber Supply Chain Risk Management (C-SCRM) program by fulfilling many of the recommendations laid out by SAFECode.Dependency-Track is designed to be used in an automated DevOps environment where Dependency-Check results or BoM (Bill of Material) formats are automatically ingested during CI/CD. Use of the Dependency-Check Jenkins Plugin is highly recommended for this purpose and is well suited for use in Jenkins Pipeline. In such an environment, Dependency-Track enables your DevOps teams to accelerate while still keeping tabs on component usage and any inherited risk.Dependency-Track can also be used to monitor vulnerabilities in COTS (commercial off-the-shelf) software.NOTICE: Always use official binary releases in production.FeaturesIncreases visibility into the use of vulnerable and outdated componentsFlexible data model supporting an unlimited number of projects and componentsTracks vulnerabilities and inherited riskby componentby projectacross entire portfolioTracks usage of out-of-date componentsIncludes a comprehensive auditing workflow for triaging resultsSupports standardized SPDX license ID’s and tracks license use by componentSupports CycloneDX and SPDX bill-of-material formatsEasy to read metrics for components, projects, and portfolioProvides a reliable mirror of the NVD data feedAPI-first design facilitates easy integration with other systemsAPI documentation available in Swagger 2.0 (OpenAPI 3 support coming soon)Supports internally managed users, Active Directory/LDAP, and API KeysSimple to install and configure. Get up and running in just a few minutesDistributionsDependency-Track supports the following three deployment options:Docker containerExecutable WARConventional WARDeploying Docker ContainerDeploying with Docker is the easiest and fastest method of getting started. No prerequisites are required other than an modern version of Docker. Dependency-Track uses the following conventions:The ‘latest’ tag, which is pulled by default if no tag is specified, will always refer to the latest stable release (3.0.0, 3.0.1, 3.1.0, etc)The ‘snapshot’ tag will be built and pushed on all CI changes to the master. Use this if you want a “moving target" with all the latest changes.Version tags (3.0.0, 3.0.1, etc) are used to indicate each releasedocker pull owasp/dependency-trackdocker volume create –name dependency-trackdocker run -d -p 8080:8080 –name dependency-track -v dependency-track:/data owasp/dependency-trackTo run snapshot releases (not recommended for production):docker pull owasp/dependency-track:snapshotdocker volume create –name dependency-trackdocker run -d -p 8080:8080 –name dependency-track -v dependency-track:/data owasp/dependency-track:snapshotDeploying the Executable WARAnother simple way to get Dependency-Track running quickly is to automatically deploy the executable WAR. This method requires Java 8u101 or higher. Simply download dependency-track-embedded.war and execute:java -Xmx4G -jar dependency-track-embedded.warDeploying the Conventional WARThis is the most difficult to deploy option as it requires an already installed and configured Servlet container such as Apache Tomcat 8.5 and higher, however, it offers the most flexible deployment options. Follow the Servlet containers instructions for deploying dependency-track.war.Compiling From Sources (optional)To create an executable WAR that is ready to launch (recommended for most users):mvn clean package -P embedded-jettyTo create a WAR that must be manually deployed to a modern Servlet container (i.e. Tomcat 8.5+):mvn clean packageTo create an executable WAR that is ready to be deployed in a Docker container:mvn clean package -P embedded-jetty -Dlogback.configuration.file=src/main/docker/logback.xmlWebsiteThe official Dependency-Track website is accessible at: https://dependencytrack.org/DocumentationOnline documentation is accessible at: https://docs.dependencytrack.org/Download Dependency-Track

Link: http://feedproxy.google.com/~r/PentestTools/~3/g_FRu0LoMJ8/dependency-track-intelligent-software.html

Ikeext-Privesc – Windows IKEEXT DLL Hijacking Exploit Tool

This tool is intended for automatically detecting and exploiting the IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL vulnerability.  DescriptionA major weakness is present in Windows Vista, 7, 8, Server 2008, Server 2008 R2 and Server 2012, which allows any authenticated user to gain system privileges under certain circumstances.In Windows there is a service called IKEEXT (IKE and AuthIP IPsec Keyring Modules), which runs as SYSTEM and tries to load a DLL that doesn’t exist. The default DLL search order of Windows includes several system directories and ends with PATH folders. To put it simple, if one of these folders is configured with weak permissions, any authenticated user can plant a malicious DLL to execute code as SYSTEM and thus elevate his/her privileges.IKEEXT trying to load ‘wlbsctrl.dll’:UsageThis PowerShell script consists of 2 Cmdlets:Invoke-IkeextCheck – Only checks whether the machine is vulnerable.Invoke-IkeextExploit – If the machine is vulnerable, exploit it by dropping a specifically crafted DLL to the first weak folder.DetectionThe Invoke-IkeextCheck Cmdlet performs the following checks:OS version – If the OS is Windows Vista/7/8 then the machine is potentially vulnerable.IKEEXT status and start type – If the service is enabled, the machine is potentially vulnerable (default).PATH folders with weak permissions – If at least one folder is found, the machine is potentially vulnerable.Is wlbsctrl.dll already present in some system folder (i.e. a folder where DLLs can be loaded from)? – If wlbsctrl.dll doesn’t exist, the machine is potentially vulnerable (default).Syntax:Invoke-IkeextCheck [-Verbose] Example:PS C:\temp> . .\Ikeext-Privesc.ps1PS C:\temp> Invoke-IkeextCheck -VerboseExploitIf the machine is vulnerable, the Invoke-IkeextExploit Cmdlet will perform the following: Depending on the IKEEXT start type:AUTO – The exploit files will be dropped to the first weak PATH folder, provided that the switch ‘-Force’ was set in the command line (safety override).MANUAL – The exploit files will be dropped to the first weak PATH folder. Then, the service start will be triggered by trying to open a dummy VPN connection (using rasdial). The following exploit files will be dropped to the first vulnerable folder:wlbsctrl.dll – A specifically crafted DLL (32 & 64 bits), that starts a new CMD process and execute a BATCH file.wlbsctrl_payload.bat – The BATCH file that will be executed. BATCH payload:Default – A default BATCH payload is included in this script. It will use net user and net localgroup to create a new user (hacker with password SuperP@ss123) and add it to the local administrators group (the name of the group is automatically retrieved by the script).Custom – A custom set of commands can be specified using the parameter -Payload .\Path\To\File.txt and a file containing one command per line. Log file – Each payload command’s ouput is redirected to a log file located in the same folder as the DLL’s. Its name will be something like wlbsctrl_xxxxxxxx.txt. So if this file is not created, it means that the payload was not executed.Syntax:Invoke-IkeextExploit [-Verbose] [-Force] [[-Payload] ]Example:PS C:\temp> . .\Ikeext-Privesc.ps1PS C:\temp> Invoke-IkeextExploitCreditsHigh-Tech Bridge – Frédéric Bourla, who initially disovered the vulnerability and disclosed it on October 9, 2012. – https://www.htbridge.com/advisory/HTB23108RemediationFirst of all, it’s important to note that this vulnerability was patched in Windows 8.1 and above. In these versions of Windows, wlbsctrl.dll search is limited to C:\Windows\System32\.If you’re stuck with Windows 7 / Server 2008R2 because of compatibility issues for example, several counter measures can be applied:PATH folders with weak permissions – Some applications are installed directly in C:\ and add themselves to the PATH environment variable. By default, folders created in C:\ are writable by any authenticated user so make sure to drop these privileges.Disable IKEEXT – In most cases, IKEEXT could simply be disabled by applying a GPO. This can be a good solution for servers but it is not advised for workstations.Deploy you own DLL – Deploying a dummy wlbsctrl.dll in C:\Windows\System32\ for example is an efficient solution since this directory has a higher priority than PATH folders.Download Ikeext-Privesc

Link: http://feedproxy.google.com/~r/PentestTools/~3/RauB3rWqdtA/ikeext-privesc-windows-ikeext-dll.html

Pspy – Monitor Linux Processes Without Root Permissions

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.The tool gathers it’s info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.Getting startedGet the tool onto the Linux machine you want to inspect. First get the binaries.You can build them yourself by running make build-build-image to build a docker image used in make build to build four binaries:32 bit big, static version: pspy3264 bit big, static version: pspy6432 bit small version: pspy32s64 bit small version: pspy64s The statically compiled files should work on any Linux system but are quite huge (~4MB). If size is an issue, try the smaller versions which depend on libc and are compressed with UPX (<1MB).You can run pspy --help to learn about the flags and their meaning. The summary is as follows:-p: enables printing commands to stdout (enabled by default)-f: enables printing file system events to stdout (disabled by default)-r: list of directories to watch with Inotify. pspy will watch all subdirectories recursively (by default, watches /usr, /tmp, /etc, /home, /var, and /opt).-d: list of directories to watch with Inotify. pspy will watch these directories only, not the subdirectories (empty by default).-i: interval in milliseconds between procfs scans. pspy scans regularly for new processes regardless of Inotify events, just in case some events are not received.-c: print events in different colors. Red for new processes, green for new Inotify events.The default settings should be fine for most applications. Watching files inside /usr is most important since many tools will access libraries inside it.Some more complex examples:# print both commands and file system events and scan procfs every 1000 ms (=1sec)./pspy64 -pf -i 1000 # place watchers recursively in two directories and non-recursively into a third./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir# disable printing discovered commands but enable file system events./pspy64 -p=false -fExamplesCron job watchingTo see the tool in action, just clone the repo and run make example (Docker needed). It is known passing passwords as command line arguments is not safe, and the example can be used to demonstrate it. The command starts a Debian container in which a secret cron job, run by root, changes a user password every minute. pspy run in foreground, as user myuser, and scans for processes. You should see output similar to this:~/pspy (master) $ make example[...]docker run -it --rm local/pspy-example:latest[+] cron started[+] Running as user uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),27(sudo)[+] Starting pspy now...Watching recursively : [/usr /tmp /etc /home /var /opt] (6)Watching non-recursively: [] (0)Printing: processes=true file-system events=false2018/02/18 21:00:03 Inotify watcher limit: 524288 (/proc/sys/fs/inotify/max_user_watches)2018/02/18 21:00:03 Inotify watchers set up: Watching 1030 directories - watching now2018/02/18 21:00:03 CMD: UID=0 PID=9 | cron -f2018/02/18 21:00:03 CMD: UID=0 PID=7 | sudo cron -f2018/02/18 21:00:03 CMD: UID=1000 PID=14 | pspy2018/02/18 21:00:03 CMD: UID=1000 PID=1 | /bin/bash /entrypoint.sh2018/02/18 21:01:01 CMD: UID=0 PID=20 | CRON -f2018/02/18 21:01:01 CMD: UID=0 PID=21 | CRON -f2018/02/18 21:01:01 CMD: UID=0 PID=22 | python3 /root/scripts/password_reset.py2018/02/18 21:01:01 CMD: UID=0 PID=25 |2018/02/18 21:01:01 CMD: UID=??? PID=24 | ???2018/02/18 21:01:01 CMD: UID=0 PID=23 | /bin/sh -c /bin/echo -e "KI5PZQ2ZPWQXJKEL\nKI5PZQ2ZPWQXJKEL" | passwd myuser2018/02/18 21:01:01 CMD: UID=0 PID=26 | /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root2018/02/18 21:01:01 CMD: UID=101 PID=27 |2018/02/18 21:01:01 CMD: UID=8 PID=28 | /usr/sbin/exim4 -Mc 1enW4z-00000Q-MkFirst, pspy prints all currently running processes, each with PID, UID and the command line. When pspy detects a new process, it adds a line to this log. In this example, you find a process with PID 23 which seems to change the password of myuser. This is the result of a Python script used in roots private crontab /var/spool/cron/crontabs/root, which executes this shell command (check crontab and script). Note that myuser can neither see the crontab nor the Python script. With pspy, it can see the commands nevertheless.CTF example from Hack The BoxBelow is an example from the machine Shrek from Hack The Box. In this CTF challenge, the task is to exploit a hidden cron job that's changing ownership of all files in a folder. The vulnerability is the insecure use of a wildcard together with chmod (details for the interested reader). It requires substantial guesswork to find and exploit it. With pspy though, the cron job is easy to find and analyse:How it worksTools exist to list all processes executed on Linux systems, including those that have finished. For instance there is forkstat. It receives notifications from the kernel on process-related events such as fork and exec.These tools require root privileges, but that should not give you a false sense of security. Nothing stops you from snooping on the processes running on a Linux system. A lot of information is visible in procfs as long as a process is running. The only problem is you have to catch short-lived processes in the very short time span in which they are alive. Scanning the /proc directory for new PIDs in an infinite loop does the trick but consumes a lot of CPU.A stealthier way is to use the following trick. Process tend to access files such as libraries in /usr, temporary files in /tmp, log files in /var, ... Using the inotify API, you can get notifications whenever these files are created, modified, deleted, accessed, etc. Linux does not require priviledged users for this API since it is needed for many innocent applications (such as text editors showing you an up-to-date file explorer). Thus, while non-root users cannot monitor processes directly, they can monitor the effects of processes on the file system.We can use the file system events as a trigger to scan /proc, hoping that we can do it fast enough to catch the processes. This is what pspy does. There is no guarantee you won't miss one, but chances seem to be good in my experiments. In general, the longer the processes run, the bigger the chance of catching them is.Download Pspy

Link: http://feedproxy.google.com/~r/PentestTools/~3/Fd8DQCF6QlM/pspy-monitor-linux-processes-without.html