Evil-Winrm – The Ultimate WinRM Shell For Hacking/Pentesting

The ultimate WinRM shell for hacking/pentesting.

By: CyberVaca@HackPlayers

Description & Purpose

This shell is the ultimate WinRM shell for hacking/pentesting.

WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol, a standard SOAP-based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their operating systems to make life easier for system administrators.

This program can be used on any Microsoft Windows server with this feature enabled (usually on port 5985), but only if you have credentials and permission to use it. So it can be said to belong to the post-exploitation phase of hacking/pentesting. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used for legitimate purposes by system administrators as well, but most of its features are focused on hacking/pentesting.

Features

- Command history
- WinRM command completion
- Local files completion
- Upload and download files
- List remote machine services
- FullLanguage PowerShell language mode
- Load PowerShell scripts
- Load in memory dll files bypassing some AVs
- Load in memory C# (C Sharp) compiled exe files bypassing some AVs
- Colorization on output messages (can be disabled optionally)

Help

Usage: evil-winrm -i IP -u USER -s SCRIPTS_PATH -e EXES_PATH [-P PORT] [-p PASS] [-U URL]
    -i, --ip IP                      Remote host IP or hostname (required)
    -P, --port PORT                  Remote host port (default 5985)
    -u, --user USER                  Username (required)
    -p, --password PASS              Password
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts path (required)
    -e, --executables EXES_PATH      C# executables path (required)
    -U, --url URL                    Remote url endpoint (default /wsman)
    -V, --version                    Show version
    -h, --help                       Display this help message

Requirements

Ruby 2.3 or higher is needed. Some ruby gems are needed as well: winrm >=2.3.2, winrm-fs >=1.3.2, stringio >=0.0.2 and colorize >=0.8.1.

~$ sudo gem install winrm winrm-fs colorize stringio

Installation & Quick Start

Step 1. Clone the repo: git clone https://github.com/Hackplayers/evil-winrm.git
Step 2. Ready. Just launch it!

~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

If you don't want to put the password in clear text, you can optionally omit the -p argument and the password will be prompted for without being shown.

To use IPv6, the address must be added to /etc/hosts.

Alternative installation method as ruby gem

Step 1. Install it: gem install evil-winrm
Step 2. Ready. Just launch it!

~$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

Documentation

Basic commands

- upload: local files can be auto-completed using the tab key. It is not needed to put a remote_path if the local file is in the same directory as the evil-winrm.rb file.
  usage: upload local_path remote_path
- download: it is not needed to set local_path if the remote file is in the current directory.
  usage: download remote_path local_path
- services: list all services. No administrator permissions needed.
- menu: load the Invoke-Binary and l04d3r-LoadDll functions that we will explain below. When a ps1 is loaded all its functions will be shown.

Load powershell scripts

To load a ps1 file you just have to type the name (auto-completion using tab allowed). The scripts must be in the path set with the -s argument. Type menu again to see the loaded functions.

Advanced commands

- Invoke-Binary: allows exes compiled from C# to be executed in memory. The name can be auto-completed using the tab key and allows up to 3 parameters. The executables must be in the path set with the -e argument.
- l04d3r-LoadDll: allows loading dll libraries in memory; it is equivalent to:
  [Reflection.Assembly]::Load([IO.File]::ReadAllBytes("pwn.dll"))
  The dll file can be hosted by smb, http or locally. Once it is loaded type menu, then it is possible to autocomplete all functions.

Extra features

To disable colors just modify this variable in the code: $colors_enabled. Set it to false: $colors_enabled = false

Credits:

Main author: cybervaca
Collaborators, developers, documenters, testers and supporters: OscarAkaElvis, jarilaos, vis0r
Hat tip to: Alamot for his original code. 3v4Si0N for his awesome dll loader.

Disclaimer & License

This script is licensed under LGPLv3+. Direct link to License.

Evil-WinRM should be used for authorized penetration testing and/or nonprofit educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own servers and/or with the server owner's permission.

Download Evil-Winrm

Link: http://www.kitploit.com/2019/07/evil-winrm-ultimate-winrm-shell-for.html

GitGot – Semi-automated, Feedback-Driven Tool To Rapidly Search Through Troves Of Public Data On GitHub For Sensitive Secrets

GitGot is a semi-automated, feedback-driven tool to empower users to rapidly search through troves of public data on GitHub for sensitive secrets.

How it Works

During search sessions, users provide feedback to GitGot about search results to ignore, and GitGot prunes the set of results. Users can blacklist files by filename, repository name, username, or a fuzzy match of the file contents.

Blacklists generated from previous sessions can be saved and reused against similar queries (e.g., example.com vs. subdomain.example.com vs. Example Org). Sessions can also be paused and resumed at any time.

Read more about the semi-automated, human-in-the-loop design here: https://know.bishopfox.com/blog/going-semi-automated-in-an-automated-world-using-human-in-the-loop-workflows-to-improve-our-security-tools

Install Instructions

[1] Install the ssdeep dependency for fuzzy hashing.

Ubuntu/Debian (or equivalent for your distro):

apt-get install libfuzzy-dev ssdeep

or, for Mac OSX:

brew install ssdeep

For Windows or *nix distributions without the ssdeep package, please see the ssdeep installation instructions.

[2] After installing ssdeep, install the Python dependencies using pip:

pip3 install -r requirements.txt

Usage

GitHub requires a token for rate-limiting purposes. Create a GitHub API token with no permissions/no scope. This will be equivalent to public GitHub access, but it will allow access to use the GitHub Search API. Set this token at the top of gitgot.py as shown below:

ACCESS_TOKEN = ""

After adding the token, you are ready to go:

# Query for the string "example.com" using the default RegEx list and logfile location (/logs/<query>.log)
./gitgot.py -q example.com

# Using GitHub advanced search syntax
./gitgot.py -q "org:github cats"

# Custom RegEx List and custom log files location
./gitgot.py -q example.com -f checks/default.list -o example1.log

# Recovery from existing session
./gitgot.py -q example.com -r example.com.state

# Using an existing session (w/blacklists) for a new query
./gitgot.py -q "Example Org" -r example.com.state

Query Syntax

GitGot queries are fed directly into the GitHub code search API, so check out GitHub's documentation for more advanced query syntax.

UI Commands

- Ignore similar [c]ontent: Blacklists a fuzzy hash of the file contents to ignore future results that are similar to the selected file
- Ignore [r]epo/[u]ser/[f]ilename: Ignores future results by blacklisting selected strings
- Search [/(mykeyword)]: Provides a custom regex expression with a capture group to search on-the-fly (e.g., /(secretToken))
- [a]dd to Log: Add RegEx matches to the log file, including all on-the-fly search results from the search command
- Next [<Enter>], [b]ack: Advances through search results, or returns to previous results
- [s]ave state: Saves the blacklists and progress in the search results from the session
- [q]uit: Quit

Download GitGot

Link: http://feedproxy.google.com/~r/PentestTools/~3/a-tFgzEyrNg/gitgot-semi-automated-feedback-driven.html

Userrecon v1.1.0 – Recognition Usernames In 187 Social Networks

Find usernames in 187 social networks.

Installation

Install dependencies (Debian/Ubuntu):

sudo apt install python3 python3-pip

Install with pip3:

sudo -H pip3 install git+https://github.com/decoxviii/userrecon-py.git
userrecon-py --help

Building from Source

Clone this repository, and:

git clone https://github.com/decoxviii/userrecon-py.git ; cd userrecon-py
sudo -H pip3 install -r requirements.txt
python3 setup.py build
sudo python3 setup.py install

Update

To update this tool to the latest version, run:

sudo -H pip3 install git+https://github.com/decoxviii/userrecon-py.git --upgrade
userrecon-py --version

Usage

Start by printing the available actions by running userrecon-py --help. Then you can perform the following tests:

userrecon-py --target decoxviii -o test_one

Watch this demo video

Thanks

This program is possible thanks to: userrecon, WhatsMyName

decoxviii, MIT

Download Userrecon-Py

Link: http://www.kitploit.com/2019/07/userrecon-v110-recognition-usernames-in.html

Detect It Easy – Program For Determining Types Of Files For Windows, Linux And MacOS

Detect It Easy, or abbreviated "DIE", is a program for determining types of files.

"DIE" is a cross-platform application: apart from the Windows version there are also versions for Linux and Mac OS.

Many programs of the kind (PEID, PE tools) allow the use of third-party signatures. Unfortunately, those signatures scan only bytes by a pre-set mask, and it is not possible to specify additional parameters. As a result, false positives often occur. More complicated algorithms are usually hard-coded in the program itself, so to add a new complex detect one needs to recompile the entire project. No one except the authors themselves can change the algorithm of a detect. As time passes, such programs lose relevance without constant support.

Detect It Easy has a totally open architecture of signatures. You can easily add your own detection algorithms or modify those that already exist. This is achieved by using scripts. The script language is very similar to JavaScript, and anyone who understands the basics of programming will easily understand how it works. Some may decide that scripts run very slowly. Indeed, scripts run slower than compiled code, but thanks to the good optimization of the script engine this does not cause any special inconvenience. The possibilities of the open architecture compensate for these limitations.

DIE exists in three versions: the basic version ("DIE"), the Lite version ("DIEL") and the console version ("DIEC"). All three use the same signatures, which are located in the folder "db". If you open this folder, nested sub-folders will be found ("Binary", "PE" and others). The names of the sub-folders correspond to the types of files. First, DIE determines the type of file, and then sequentially loads all the signatures which lie in the corresponding folder.

Currently the program defines the following types:

- MSDOS: executable files MS-DOS
- PE: executable files Windows
- ELF: executable files Linux
- MACH: executable files Mac OS
- Text: text files
- Binary: all other files

You can download binaries for Windows, Linux and Mac here: http://ntinfo.biz/

Download Detect-It-Easy
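Added example (Python), not DIE's own code or its script language: a minimal classifier that sorts a file's bytes into one of the six top-level types listed above and names the db sub-folder whose signatures would be loaded next. The MZ/PE split via e_lfanew, the Mach-O versus Java class disambiguation and the text heuristic are assumptions of this example, not DIE's rules.

```python
import struct

# The six type names mirror the db sub-folders the DIE description lists;
# the detection logic here is an added illustration, not DIE's own code.
DB_FOLDERS = ("MSDOS", "PE", "ELF", "MACH", "Text", "Binary")

MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, big / little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit, big / little endian
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"                  # universal (fat) binary


def is_pe(data: bytes) -> bool:
    """MZ stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_macho(data: bytes) -> bool:
    if data[:4] in MACHO_MAGICS:
        return True
    # Java class files share the CAFEBABE magic. A fat Mach-O stores the
    # architecture count next, and that count is tiny, whereas a class file
    # stores its version (major >= 45) there. Heuristic, not authoritative.
    if data[:4] == FAT_MAGIC and len(data) >= 8:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        return 0 < nfat_arch < 0x20
    return False


def looks_like_text(data: bytes) -> bool:
    """No NUL bytes and almost everything printable ASCII or whitespace."""
    if not data or b"\x00" in data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= 0.95


def detect_type(data: bytes) -> str:
    """Return the DIE-style top-level type for a file's bytes."""
    if data[:2] == b"MZ":
        # Both MS-DOS and PE files start with an MZ stub; only PE has the
        # NT header behind e_lfanew.
        return "PE" if is_pe(data) else "MSDOS"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if is_macho(data):
        return "MACH"
    if looks_like_text(data):
        return "Text"
    return "Binary"


def signature_folder(data: bytes, db_root: str = "db") -> str:
    """Sub-folder of the signature database that would be loaded for this file."""
    kind = detect_type(data)
    assert kind in DB_FOLDERS
    return f"{db_root}/{kind}"


def build_samples() -> dict:
    """Constructed minimal headers for the demo, not real binaries."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)          # e_lfanew -> right after the stub
    return {
        "pe":    bytes(mz) + b"PE\x00\x00" + bytes(20),
        "dos":   b"MZ" + bytes(0x3E),                 # e_lfanew == 0, no PE header
        "elf":   b"\x7fELF" + bytes(60),
        "macho": b"\xcf\xfa\xed\xfe" + bytes(28),
        "fat":   FAT_MAGIC + struct.pack(">I", 2) + bytes(8),
        "java":  FAT_MAGIC + struct.pack(">HH", 0, 52) + bytes(8),  # class file, major 52
        "text":  b"#!/bin/sh\necho hello\n",
        "blob":  bytes(range(256)),
    }


def classify_samples() -> dict:
    return {name: detect_type(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    samples = build_samples()
    for name, kind in classify_samples().items():
        print(f"{name:6s} -> {kind:6s} (signatures from {signature_folder(samples[name])})")
```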

Link: http://feedproxy.google.com/~r/PentestTools/~3/DTt4xwte7KE/detect-it-easy-program-for-determining.html

UACME – Defeating Windows User Account Control

Defeating Windows User Account Control by abusing the built-in Windows AutoElevate backdoor.

System Requirements

- x86-32/x64 Windows 7/8/8.1/10 (client; some methods however work on server versions too).
- Admin account with UAC set to default settings required.

Usage

Run the executable from the command line: akagi32 [Key] [Param] or akagi64 [Key] [Param]. See "Run examples" below for more info.

The first param is the number of the method to use, the second is an optional command (executable file name including full path) to run. The second param can be empty; in this case the program will execute an elevated cmd.exe from the system32 folder.

Keys (watch debug output with dbgview or similar for more info):

1.
   Author: Leo Davidson
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): cryptbase.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600)
   Fixed in: Windows 8.1 (9600)
   How: sysprep.exe hardened LoadFrom manifest elements

2.
   Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): ShCore.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 8.1 (9600)
   Fixed in: Windows 10 TP (> 9600)
   How: Side effect of ShCore.dll moving to \KnownDlls

3.
   Author: Leo Davidson derivative by WinNT/Pitou
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\oobe\setupsqm.exe
   Component(s): WdsCore.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH2 (10558)
   How: Side effect of OOBE redesign

4.
   Author: Jon Ericson, WinNT/Gootkit, mzH
   Type: AppCompat
   Method: RedirectEXE Shim
   Target(s): \system32\cliconfg.exe
   Component(s): -
   Implementation: ucmShimRedirectEXE
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TP (> 9600)
   How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions

5.
   Author: WinNT/Simda
   Type: Elevated COM interface
   Method: ISecurityEditor
   Target(s): HKLM registry keys
   Component(s): -
   Implementation: ucmSimdaTurnOffUac
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH1 (10147)
   How: ISecurityEditor interface method changed

6.
   Author: Win32/Carberp
   Type: Dll Hijack
   Method: WUSA
   Target(s): \ehome\mcx2prov.exe, \system32\migwiz\migwiz.exe
   Component(s): WdsCore.dll, CryptBase.dll, CryptSP.dll
   Implementation: ucmWusaMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH1 (10147)
   How: WUSA /extract option removed

7.
   Author: Win32/Carberp derivative
   Type: Dll Hijack
   Method: WUSA
   Target(s): \system32\cliconfg.exe
   Component(s): ntwdblib.dll
   Implementation: ucmWusaMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH1 (10147)
   How: WUSA /extract option removed

8.
   Author: Leo Davidson derivative by Win32/Tilon
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): Actionqueue.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600)
   Fixed in: Windows 8.1 (9600)
   How: sysprep.exe hardened LoadFrom manifest

9.
   Author: Leo Davidson, WinNT/Simda, Win32/Carberp derivative
   Type: Dll Hijack
   Method: IFileOperation, ISecurityEditor, WUSA
   Target(s): IFEO registry keys, \system32\cliconfg.exe
   Component(s): Attacker defined Application Verifier Dll
   Implementation: ucmAvrfMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH1 (10147)
   How: WUSA /extract option removed, ISecurityEditor interface method changed

10.
   Author: WinNT/Pitou, Win32/Carberp derivative
   Type: Dll Hijack
   Method: IFileOperation, WUSA
   Target(s): \system32\{New}or{Existing}\{autoelevated}.exe, e.g. winsat.exe
   Component(s): Attacker defined dll, e.g. PowProf.dll, DevObj.dll
   Implementation: ucmWinSATMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH2 (10548)
   How: AppInfo elevated application path control hardening

11.
   Author: Jon Ericson, WinNT/Gootkit, mzH
   Type: AppCompat
   Method: Shim Memory Patch
   Target(s): \system32\iscsicli.exe
   Component(s): Attacker prepared shellcode
   Implementation: ucmShimPatch
   Works from: Windows 7 (7600)
   Fixed in: Windows 8.1 (9600)
   How: Sdbinst.exe autoelevation removed, KB3045645/KB3048097 for rest Windows versions

12.
   Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): dbgcore.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 10 TH1 (10240)
   Fixed in: Windows 10 TH2 (10565)
   How: sysprep.exe manifest updated

13.
   Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\mmc.exe EventVwr.msc
   Component(s): elsext.dll
   Implementation: ucmMMCMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS1 (14316)
   How: Missing dependency removed

14.
   Author: Leo Davidson, WinNT/Sirefef derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system\credwiz.exe, \system32\wbem\oobe.exe
   Component(s): netutils.dll
   Implementation: ucmSirefefMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 TH2 (10548)
   How: AppInfo elevated application path control hardening

15.
   Author: Leo Davidson, Win32/Addrop, Metasploit derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\cliconfg.exe
   Component(s): ntwdblib.dll
   Implementation: ucmGenericAutoelevation
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS1 (14316)
   How: Cliconfg.exe autoelevation removed

16.
   Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\GWX\GWXUXWorker.exe, \system32\inetsrv\inetmgr.exe
   Component(s): SLC.dll
   Implementation: ucmGWX
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS1 (14316)
   How: AppInfo elevated application path control and inetmgr executable hardening

17.
   Author: Leo Davidson derivative
   Type: Dll Hijack (Import forwarding)
   Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): unbcl.dll
   Implementation: ucmStandardAutoElevation2
   Works from: Windows 8.1 (9600)
   Fixed in: Windows 10 RS1 (14371)
   How: sysprep.exe manifest updated

18.
   Author: Leo Davidson derivative
   Type: Dll Hijack (Manifest)
   Method: IFileOperation
   Target(s): \system32\taskhost.exe, \system32\tzsync.exe (any ms exe without manifest)
   Component(s): Attacker defined
   Implementation: ucmAutoElevateManifest
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS1 (14371)
   How: Manifest parsing logic reviewed

19.
   Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\inetsrv\inetmgr.exe
   Component(s): MsCoree.dll
   Implementation: ucmInetMgrMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS1 (14376)
   How: inetmgr.exe executable manifest hardening, MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

20.
   Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\mmc.exe, Rsop.msc
   Component(s): WbemComn.dll
   Implementation: ucmMMCMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS3 (16232)
   How: Target requires wbemcomn.dll to be signed by MS

21.
   Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation, SxS DotLocal
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): comctl32.dll
   Implementation: ucmSXSMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS3 (16232)
   How: MitigationPolicy->ProcessImageLoadPolicy->PreferSystem32Images

22.
   Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation, SxS DotLocal
   Target(s): \system32\consent.exe
   Component(s): comctl32.dll
   Implementation: ucmSXSMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

23.
   Author: Leo Davidson derivative
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\pkgmgr.exe
   Component(s): DismCore.dll
   Implementation: ucmDismMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

24.
   Author: BreakingMalware
   Type: Shell API
   Method: Environment variables expansion
   Target(s): \system32\CompMgmtLauncher.exe
   Component(s): Attacker defined
   Implementation: ucmCometMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS2 (15031)
   How: CompMgmtLauncher.exe autoelevation removed

25.
   Author: Enigma0x3
   Type: Shell API
   Method: Registry key manipulation
   Target(s): \system32\EventVwr.exe, \system32\CompMgmtLauncher.exe
   Component(s): Attacker defined
   Implementation: ucmHijackShellCommandMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS2 (15031)
   How: EventVwr.exe redesigned, CompMgmtLauncher.exe autoelevation removed

26.
   Author: Enigma0x3
   Type: Race Condition
   Method: File overwrite
   Target(s): %temp%\GUID\dismhost.exe
   Component(s): LogProvider.dll
   Implementation: ucmDiskCleanupRaceCondition
   Works from: Windows 10 TH1 (10240), AlwaysNotify compatible
   Fixed in: Windows 10 RS2 (15031)
   How: File security permissions altered

27.
   Author: ExpLife
   Type: Elevated COM interface
   Method: IARPUninstallStringLauncher
   Target(s): Attacker defined
   Component(s): Attacker defined
   Implementation: ucmUninstallLauncherMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS3 (16199)
   How: UninstallStringLauncher interface removed from COMAutoApprovalList

28.
   Author: Exploit/Sandworm
   Type: Whitelisted component
   Method: InfDefaultInstall
   Target(s): Attacker defined
   Component(s): Attacker defined
   Implementation: ucmSandwormMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 8.1 (9600)
   How: InfDefaultInstall.exe removed from g_lpAutoApproveEXEList (MS14-060)

29.
   Author: Enigma0x3
   Type: Shell API
   Method: Registry key manipulation
   Target(s): \system32\sdclt.exe
   Component(s): Attacker defined
   Implementation: ucmAppPathMethod
   Works from: Windows 10 TH1 (10240)
   Fixed in: Windows 10 RS3 (16215)
   How: Shell API update

30.
   Author: Leo Davidson derivative, lhc645
   Type: Dll Hijack
   Method: WOW64 logger
   Target(s): \syswow64\{any elevated exe, e.g wusa.exe}
   Component(s): wow64log.dll
   Implementation: ucmWow64LoggerMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

31.
   Author: Enigma0x3
   Type: Shell API
   Method: Registry key manipulation
   Target(s): \system32\sdclt.exe
   Component(s): Attacker defined
   Implementation: ucmSdcltIsolatedCommandMethod
   Works from: Windows 10 TH1 (10240)
   Fixed in: Windows 10 RS4 (17025)
   How: Shell API / Windows components update

32.
   Author: xi-tauw
   Type: Dll Hijack
   Method: UIPI bypass with uiAccess application
   Target(s): \Program Files\Windows Media Player\osk.exe, \system32\EventVwr.exe, \system32\mmc.exe
   Component(s): duser.dll, osksupport.dll
   Implementation: ucmUiAccessMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

33.
   Author: winscripting.blog
   Type: Shell API
   Method: Registry key manipulation
   Target(s): \system32\fodhelper.exe, \system32\computerdefaults.exe
   Component(s): Attacker defined
   Implementation: ucmMsSettingsDelegateExecuteMethod
   Works from: Windows 10 TH1 (10240)
   Fixed in: unfixed
   How: -

34.
   Author: James Forshaw
   Type: Shell API
   Method: Environment variables expansion
   Target(s): \system32\svchost.exe via \system32\schtasks.exe
   Component(s): Attacker defined
   Implementation: ucmDiskCleanupEnvironmentVariable
   Works from: Windows 8.1 (9600), AlwaysNotify compatible
   Fixed in: unfixed
   How: -

35.
   Author: CIA & James Forshaw
   Type: Impersonation
   Method: Token Manipulations
   Target(s): Autoelevated applications
   Component(s): Attacker defined
   Implementation: ucmTokenModification
   Works from: Windows 7 (7600), AlwaysNotify compatible, see note
   Fixed in: Windows 10 RS5 (17686)
   How: ntoskrnl.exe->SeTokenCanImpersonate additional access token check added

36.
   Author: Thomas Vanhoutte aka SandboxEscaper
   Type: Race condition
   Method: NTFS reparse point & Dll Hijack
   Target(s): wusa.exe
   Component(s): dcomcnfg.exe, mmc.exe, ole32.dll, MsCoree.dll
   Implementation: ucmJunctionMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

37.
   Author: Ernesto Fernandez, Thomas Vanhoutte
   Type: Dll Hijack
   Method: SxS DotLocal, NTFS reparse point
   Target(s): \system32\dccw.exe
   Component(s): GdiPlus.dll
   Implementation: ucmSXSDccwMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

38.
   Author: Clement Rouault
   Type: Whitelisted component
   Method: APPINFO command line spoofing
   Target(s): \system32\mmc.exe
   Component(s): Attacker defined
   Implementation: ucmHakrilMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

39.
   Author: Stefan Kanthak
   Type: Dll Hijack
   Method: .NET Code Profiler
   Target(s): \system32\mmc.exe
   Component(s): Attacker defined
   Implementation: ucmCorProfilerMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

40.
   Author: Ruben Boonen
   Type: COM Handler Hijack
   Method: Registry key manipulation
   Target(s): \system32\mmc.exe, \System32\recdisc.exe
   Component(s): Attacker defined
   Implementation: ucmCOMHandlersMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 19H1 (18362)
   How: Side effect of Windows changes

41.
   Author: Oddvar Moe
   Type: Elevated COM interface
   Method: ICMLuaUtil
   Target(s): Attacker defined
   Component(s): Attacker defined
   Implementation: ucmCMLuaUtilShellExecMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

42.
   Author: BreakingMalware and Enigma0x3
   Type: Elevated COM interface
   Method: IFwCplLua
   Target(s): Attacker defined
   Component(s): Attacker defined
   Implementation: ucmFwCplLuaMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS4 (17134)
   How: Shell API update

43.
   Author: Oddvar Moe derivative
   Type: Elevated COM interface
   Method: IColorDataProxy, ICMLuaUtil
   Target(s): Attacker defined
   Component(s): Attacker defined
   Implementation: ucmDccwCOMMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

44.
   Author: bytecode77
   Type: Shell API
   Method: Environment variables expansion
   Target(s): Multiple auto-elevated processes
   Component(s): Various per target
   Implementation: ucmVolatileEnvMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS3 (16299)
   How: Current user system directory variables ignored during process creation

45.
   Author: bytecode77
   Type: Shell API
   Method: Registry key manipulation
   Target(s): \system32\slui.exe
   Component(s): Attacker defined
   Implementation: ucmSluiHijackMethod
   Works from: Windows 8.1 (9600)
   Fixed in: unfixed
   How: -

46.
   Author: Anonymous
   Type: Race Condition
   Method: Registry key manipulation
   Target(s): \system32\BitlockerWizardElev.exe
   Component(s): Attacker defined
   Implementation: ucmBitlockerRCMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS4 (>16299)
   How: Shell API update

47.
   Author: clavoillotte & 3gstudent
   Type: COM Handler Hijack
   Method: Registry key manipulation
   Target(s): \system32\mmc.exe
   Component(s): Attacker defined
   Implementation: ucmCOMHandlersMethod2
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 19H1 (18362)
   How: Side effect of Windows changes

48.
   Author: deroko
   Type: Elevated COM interface
   Method: ISPPLUAObject
   Target(s): Attacker defined
   Component(s): Attacker defined
   Implementation: ucmSPPLUAObjectMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS5 (17763)
   How: ISPPLUAObject interface method changed

49.
   Author: RinN
   Type: Elevated COM interface
   Method: ICreateNewLink
   Target(s): \system32\TpmInit.exe
   Component(s): WbemComn.dll
   Implementation: ucmCreateNewLinkMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS1 (14393)
   How: Side effect of consent.exe COMAutoApprovalList introduction

50.
   Author: Anonymous
   Type: Elevated COM interface
   Method: IDateTimeStateWrite, ISPPLUAObject
   Target(s): w32time service
   Component(s): w32time.dll
   Implementation: ucmDateTimeStateWriterMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS5 (17763)
   How: Side effect of ISPPLUAObject interface change

51.
   Author: bytecode77 derivative
   Type: Elevated COM interface
   Method: IAccessibilityCplAdmin
   Target(s): \system32\rstrui.exe
   Component(s): Attacker defined
   Implementation: ucmAcCplAdminMethod
   Works from: Windows 7 (7600)
   Fixed in: Windows 10 RS4 (17134)
   How: Shell API update

52.
   Author: David Wells
   Type: Whitelisted component
   Method: AipNormalizePath parsing abuse
   Target(s): Attacker defined
   Component(s): Attacker defined
   Implementation: ucmDirectoryMockMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

53.
   Author: Emeric Nasi
   Type: Shell API
   Method: Registry key manipulation
   Target(s): \system32\sdclt.exe
   Component(s): Attacker defined
   Implementation: ucmShellDelegateExecuteCommandMethod
   Works from: Windows 10 (14393)
   Fixed in: unfixed
   How: -

54.
   Author: egre55
   Type: Dll Hijack
   Method: Dll path search abuse
   Target(s): \syswow64\SystemPropertiesAdvanced.exe and other SystemProperties*.exe
   Component(s): \AppData\Local\Microsoft\WindowsApps\srrstr.dll
   Implementation: ucmEgre55Method
   Works from: Windows 10 (14393)
   Fixed in: unfixed
   How: -

55.
   Author: James Forshaw
   Type: GUI Hack
   Method: UIPI bypass with token modification
   Target(s): \system32\osk.exe, \system32\msconfig.exe
   Component(s): Attacker defined
   Implementation: ucmTokenModUIAccessMethod
   Works from: Windows 7 (7600)
   Fixed in: unfixed
   How: -

56.
   Author: Hashim Jawad
   Type: Shell API
   Method: Registry key manipulation
   Target(s): \system32\WSReset.exe
   Component(s): Attacker defined
   Implementation: ucmShellDelegateExecuteCommandMethod
   Works from: Windows 10 (17134)
   Fixed in: unfixed
   How: -

57.
   Author: Leo Davidson derivative by Win32/Gapz
   Type: Dll Hijack
   Method: IFileOperation
   Target(s): \system32\sysprep\sysprep.exe
   Component(s): unattend.dll
   Implementation: ucmStandardAutoElevation
   Works from: Windows 7 (7600)
   Fixed in: Windows 8.1 (9600)
   How: sysprep.exe hardened LoadFrom manifest elements

Note:

- Method (6) unavailable in wow64 environment starting from Windows 8;
- Method (11) (54) implemented only in x86-32 version;
- Method (13) (19) (30) (38) (50) implemented only in x64 version;
- Method (14) requires process injection, wow64 unsupported, use x64 version of this tool;
- Method (26) is still working, however its main advantage was UAC bypass on AlwaysNotify level. Since 15031 it is gone;
- Method (30) requires x64 because it abuses a WOW64 subsystem feature;
- Method (35) AlwaysNotify compatible as there will always be running autoelevated apps or the user will have to launch them anyway;
- Method (38) requires an internet connection as it executes a remote script located at github.com/hfiref0x/Beacon/blob/master/uac/exec.html;
- Method (55) is not really reliable (as any GUI hack) and included just for fun.

Run examples:

akagi32.exe 1
akagi64.exe 3
akagi32 1 c:\windows\system32\calc.exe
akagi64 3 c:\windows\system32\charmap.exe

Warning

- This tool shows ONLY popular UAC bypass methods used by malware, and reimplements some of them in a different way improving the original concepts. Different methods not yet known to the general public exist, be aware of this;
- Using method (5) will permanently turn off UAC (after reboot), make sure to do this in a test environment or don't forget to re-enable UAC after tool usage;
- Using methods (5), (9) will permanently compromise the security of target keys (UAC Settings key for (5) and IFEO for (9)); if you do tests on your real machine, restore key security manually after you complete this tool usage;
- This tool is not intended for AV tests and not tested to work in an aggressive AV environment; if you still plan to use it with installed bloatware AV soft, you use it at your own risk;
- Some AV may flag this tool as HackTool, MSE/WinDefender constantly marks it as malware, nope;
- If you run this program on a real computer remember to remove all program leftovers after usage; for more info about files it drops to system folders see the source code;
- Most of the methods were created for x64, with no x86-32 support in mind. I don't see any sense in supporting 32 bit versions of Windows or wow64, however with small tweaks most of them will run under wow64 as well.

If you are wondering why this still exists and works, here is the explanation, an official Microsoft WHITEFLAG (including totally incompetent statements as bonus): https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105

Windows 10 support and testing policy

- EOL'ed versions of Windows 10 are not supported and therefore not tested (at the moment of writing EOL'ed Windows 10 versions are: TH1 (10240), TH2 (10586));
- Insider builds are not supported as methods may be fixed there.

Protection

Account without administrative privileges.

Malware usage

It is currently known that UACMe is used by Adware/Multiplug (9), by Win32/Dyre (3), by Win32/Empercrypt (10 & 13), by IcedID downloader (35 & 41). We do not take any responsibility for this tool's usage for malicious purposes. It is free, open-source and provided AS-IS for everyone.

Other usage

- Currently used as "signature" by "THOR APT" scanner (handmade pattern matching fraudware from Germany). We do not take any responsibility for this tool's usage in the fraudware;
- The scamware project called "uacguard" has references to UACMe from their platform. We do not take any responsibility for this tool's usage in the scamware. The repository https://github.com/hfiref0x/UACME and its contents are the only genuine source for UACMe code. We have nothing to do with external links to this project, mentions anywhere, as well as modifications (forks);
- In July 2016 the so-called "security company" Cymmetria released a report about a script-kiddie malware bundle called "Patchwork" and false flagged it as APT. They stated it was using the "UACME method", which in fact is just a slightly and unprofessionally modified injector dll from UACMe v1.9 and was using the Carberp/Pitou hybrid method in a malware self-implemented way. We do not take any responsibility for UACMe usage in the dubious advertising campaigns of third party "security companies".

Build

UACMe comes with full source code, written in C with some parts written in C#. In order to build from source you need Microsoft Visual Studio 2013/2015 U2 and later versions.

Instructions

- Select Platform ToolSet first for the project in the solution you want to build (Project->Properties->General): v120 for Visual Studio 2013; v140 for Visual Studio 2015; v141 for Visual Studio 2017.
- For v140 and above set Target Platform Version (Project->Properties->General): if v140 then select 8.1 (note that the Windows 8.1 SDK must be installed); if v141 then select 10.0.17134.0 (note that the Windows 10.0.17134 SDK must be installed).
- Note that the Fujinami module is built with .NET Framework 3.0 (this is a requirement for it to work), so .NET Framework 3.0 must be installed if you want to build this module.
- Can be built with SDK 8.1/10.17134/10.17763.

References

- Windows 7 UAC whitelist, http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
- Malicious Application Compatibility Shims, https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf
- Junfeng Zhang from WinSxS dev team blog, https://blogs.msdn.microsoft.com/junfeng/
- Beyond good ol' Run key, series of articles, http://www.hexacorn.com/blog
- KernelMode.Info UACMe thread, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=3643
- Command Injection/Elevation – Environment Variables Revisited, https://breakingmalware.com/vulnerabilities/command-injection-and-elevation-environment-variables-revisited
- "Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking, https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- Bypassing UAC on Windows 10 using Disk Cleanup, https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
- Using IARPUninstallStringLauncher COM interface to bypass UAC, http://www.freebuf.com/articles/system/116611.html
- Bypassing UAC using App Paths, https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
- "Fileless" UAC Bypass using sdclt.exe, https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- UAC Bypass or story about three escalations, https://habrahabr.ru/company/pm/blog/328008/
- Exploiting Environment Variables in Scheduled Tasks for UAC Bypass, https://tyranidslair.blogspot.ru/2017/05/exploiting-environment-variables-in.html
- First entry: Welcome and fileless UAC bypass, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- Reading Your Way Around UAC in 3 parts: https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-1.html, https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-2.html, https://tyranidslair.blogspot.ru/2017/05/reading-your-way-around-uac-part-3.html
- Research on CMSTP.exe, https://msitpros.com/?p=3960
- UAC bypass via elevated .NET applications, https://offsec.provadys.com/UAC-bypass-dotnet.html
- UAC Bypass by Mocking Trusted Directories, https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
- Yet another sdclt UAC bypass, http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- UAC Bypass via SystemPropertiesAdvanced.exe and DLL Hijacking, https://egre55.github.io/system-properties-uac-bypass/
- Accessing Access Tokens for UIAccess, https://tyranidslair.blogspot.com/2019/02/accessing-access-tokens-for-uiaccess.html
- Fileless UAC Bypass in Windows Store Binary, https://www.activecyber.us/1/post/2019/03/windows-uac-bypass.html

Authors

(c) 2014 – 2019 UACMe Project

Download UACME

Link: http://feedproxy.google.com/~r/PentestTools/~3/SVc2u0HEg4k/uacme-defeating-windows-user-account.html

Project iKy v2.0.0 – Tool That Collects Information From An Email And Shows Results In A Nice Visual Interface

Project iKy is a tool that collects information from an email and shows results in a nice visual interface.

Visit the Gitlab Page of the Project

Project
First of all we want to advise you that we have changed the Frontend from AngularJS to Angular 7. For this reason we left the project with AngularJS as Frontend in the iKy-v1 branch and the documentation for its installation here. The reason for changing the Frontend was to update the technology and get an easier way of installation.

Installation

Clone repository
git clone https://gitlab.com/kennbroorg/iKy.git

Install Backend

Redis
You must install Redis:
wget http://download.redis.io/redis-stable.tar.gz
tar xvzf redis-stable.tar.gz
cd redis-stable
make
sudo make install
And turn on the server in a terminal:
redis-server

Python stuff and Celery
You must install the libraries inside requirements.txt:
pip install -r requirements.txt
And turn on Celery in another terminal, within the backend directory:
./celery.sh
Finally, again in another terminal, turn on the backend app from the backend directory:
python app.py

Install Frontend

Node
First of all, install nodejs.

Dependencies
Inside the frontend directory install the dependencies:
npm install

Turn on Frontend Server
Finally, to run the frontend server, execute:
npm start

Browser
Open the browser in this url

Config API Keys
Once the application is loaded in the browser, you should go to the Api Keys option and load the values of the APIs that are needed.
- Fullcontact: Generate the APIs from here
- Twitter: Generate the APIs from here
- Linkedin: Only the user and password of your account must be loaded

Changes from latest version
- Add more analysis on twitter
- Reactive Have I Been Pwned (BLOCK, NOLEAK, LEAK)
- Change the main cover
- Change the secondary cover
- Add Modules Implemented to main cover
- Add Contributors to main cover
- Add Projects to main cover
- Add People to main cover
- Add Friends to main cover
- Change visual windows, sidepanel, footer and shadows
- Change validation indicators
- Change validation filters

Download Project iKy v2.0.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/1W_lCE0_ys4/project-iky-v200-tool-that-collects.html

Passpie – Multiplatform Command-Line Password Manager

Passpie is a command line tool to manage passwords from the terminal with a colorful and configurable interface. Use a master passphrase to decrypt login credentials, copy passwords to the clipboard, synchronize with a git repository, check the state of your passwords, and more. Password files are encrypted using GnuPG and saved into yaml text files. Passpie supports Linux, OSX and Windows.

What does it look like? Here is an example of simple Passpie usage:

passpie init
passpie add foo@example.com --random
passpie add bar@example.com --pattern "[0-9]{5}[a-z]{5}"
passpie update foo@example --comment "Hello"
passpie
passpie copy foo@example.com

Outputs:

=========== ======= ========== =========
Name        Login   Password   Comment
=========== ======= ========== =========
example.com bar     ********
example.com foo     ********   Hello
=========== ======= ========== =========
Password copied to clipboard

Check the example remote passpie database: https://github.com/marcwebbie/passpiedb.

Install
pip install passpie
Or if you are on a mac, install via Homebrew:
brew install passpie

Dependencies
Passpie depends on GnuPG for encryption.

Commands
Usage: passpie [OPTIONS] COMMAND [ARGS]...

Options:
  -D, --database TEXT  Database path or url to remote repository
  --autopull TEXT      Autopull changes from remote pository
  --autopush TEXT      Autopush changes to remote pository
  --config PATH        Path to configuration file
  -v, --verbose        Activate verbose output
  --version            Show the version and exit.
  --help               Show this message and exit.

Commands:
  add       Add new credential to database
  complete  Generate completion scripts for shells
  config    Show current configuration for shell
  copy      Copy credential password to clipboard/stdout
  export    Export credentials in plain text
  import    Import credentials from path
  init      Initialize new passpie database
  list      Print credential as a table
  log       Shows passpie database changes history
  purge     Remove all credentials from database
  remove    Remove credential
  reset     Renew passpie database and re-encrypt...
  search    Search credentials by regular expressions
  status    Diagnose database for improvements
  update    Update credential

Learn more
Gitter: https://gitter.im/marcwebbie/passpie
Documentation: http://passpie.readthedocs.org
FAQ: http://passpie.readthedocs.org/en/latest/faq.html

Download Passpie
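The --pattern option above trades guessability for a fixed shape, and it helps to see that trade-off in numbers. The following is an added Python illustration, not passpie's own code: it generates a password from the same kind of character-class pattern using the CSPRNG-backed secrets module and computes the entropy the pattern allows; the accepted grammar (bracket classes with an optional {n} quantifier) is an assumed subset chosen for this example.

```python
import math
import re
import secrets

# Assumed pattern grammar for this example: a bracket class such as [0-9] or
# [a-z], optionally followed by a {n} repeat count. Anything else is rejected.
_TOKEN = re.compile(r"\[([^\]]+)\](?:\{(\d+)\})?")


def expand_class(body):
    """Expand a class body such as '0-9a-f' into its sorted alphabet string."""
    chars = set()
    i = 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":   # a range like a-z
            lo, hi = body[i], body[i + 2]
            chars.update(chr(c) for c in range(ord(lo), ord(hi) + 1))
            i += 3
        else:                                         # a literal character
            chars.add(body[i])
            i += 1
    return "".join(sorted(chars))


def parse_pattern(pattern):
    """Turn '[0-9]{5}[a-z]{5}' into a list of (alphabet, count) groups."""
    groups, pos = [], 0
    for m in _TOKEN.finditer(pattern):
        if m.start() != pos:
            raise ValueError("unsupported syntax at offset %d" % pos)
        groups.append((expand_class(m.group(1)), int(m.group(2) or 1)))
        pos = m.end()
    if pos != len(pattern):
        raise ValueError("unsupported syntax at offset %d" % pos)
    return groups


def generate(pattern):
    """Draw every position with secrets.choice, never with the random module."""
    return "".join(secrets.choice(alphabet)
                   for alphabet, n in parse_pattern(pattern) for _ in range(n))


def entropy_bits(pattern):
    """log2 of the number of distinct strings the pattern can produce."""
    return sum(n * math.log2(len(alphabet)) for alphabet, n in parse_pattern(pattern))


def matches(pattern, candidate):
    """True if candidate has the shape the pattern describes (the subset is valid regex)."""
    return re.fullmatch(pattern, candidate) is not None
```

Comparing entropy_bits("[0-9]{5}[a-z]{5}") (about 40 bits) with a ten-character draw from the full printable ASCII range, "[!-~]{10}" (about 65 bits), shows what a site-imposed pattern costs; the --random option is the better default when the site accepts it.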

Link: http://feedproxy.google.com/~r/PentestTools/~3/2SEdl8ow5w8/passpie-multiplatform-command-line.html

Dwarf – Full Featured Multi Arch/Os Debugger Built On Top Of PyQt5 And Frida

A debugger for reverse engineers, crackers and security analysts. Or you can call it "damn, why are raspberries so fluffy" or yet, "duck warriors are rich as fuck". Whatever you like! Built on top of pyqt5, frida and some terrible code.

Check out the website for features, api and examples

CHANGELOG

Something you can do with Dwarf
- breakpoints
- watchpoints without hardware support
- visual emulation with auto map from target, reporting memory accesses
- breaks module loading cycle, java classes
- set break conditions and custom logic
- inject code on each breakpointed thread
- exchange data with your target and display it in UI
- digging through memory, disassembly and jvm fields/functions
- backtrace both native and java
- takes your whole frida agent in script editor, convert hooks to breakpoints etc
- more...
- all of this can be done through scripting to build custom debugging logic

Pre requisites
A frida server running anywhere.
Android Session:
- make sure you can use the 'adb' command in console or Read here
- root on the device/emulator is required!
- make sure frida is in /system/bin|xbin with a+x permissions or eventually use Dwarf to automatically install the latest frida server

Setup and run
git clone https://github.com/iGio90/Dwarf
cd Dwarf
pip3 install -r requirements.txt
python3 dwarf.py

Optionally
You can install keystone-engine to enable the assembler:
Windows
x86: https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win32.msi
x64: https://github.com/keystone-engine/keystone/releases/download/0.9.1/keystone-0.9.1-python-win64.msi
OSX / Unix
pip3 install keystone-engine

dex2jar tools (required for baksmali/decompiling)
Guide: https://sourceforge.net/p/dex2jar/wiki/UserGuide/
Files: https://github.com/pxb1988/dex2jar/releases
On Windows add the d2j folder to %PATH% and change:
'java -Xms512m -Xmx1024m -cp "%CP%" %*'
in d2j_invoke.bat to
'java -Xms512m -Xmx4096m -cp "%CP%" %*'

Settings
You can change in .dwarf:
- "dwarf_ui_hexedit_bpl": 32 (default: 16) - Bytes per line in hexview
- "dwarf_ui_hexstyle": "upper", "lower" (default: "upper") - overall hexstyle 0xabcdef or 0xABCDEF (note: click on the "Offset (X)" in hexview to change)
- "dwarf_ui_font_size": 12 (default: 12) - (note: hexview/disasm use another font; wait for the settings dialog or change lib/utils.py get_os_monospace_font())

Download Dwarf

Link: http://www.kitploit.com/2019/07/dwarf-full-featured-multi-archos.html