Tinfoleak v2.0 – Get detailed information about a Twitter user activity

Are you interested in OSINT tools? Tinfoleak is the best OSINT tool for Twitter, and is open-source!The new version includes a lot of new and improved features:Search by coordinatesGeolocated usersTagged usersUser conversationsIdentification in other social networksMore powerful and flexible search filterMore detailed information on existing features… and many more information to generate intelligence!ScreenshotsDownload Tinfoleak V2.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/dCb9yxoUPpY/tinfoleak-v20-get-detailed-information.html

Invoke-TheHash – PowerShell Pass The Hash Utils

Invoke-TheHash contains PowerShell functions for performing NTLMv2 pass the hash WMI and SMB command execution. WMI and SMB services are accessed through .NET TCPClient connections. Local administrator privilege is not required client-side. Requirements Minimum PowerShell 2.0 Import Import-Module ./Invoke-TheHash.psd1 or . ./Invoke-WMIExec.ps1 . ./Invoke-SMBExec.ps1 . ./Invoke-TheHash.ps1 Functions Invoke-WMIExec Invoke-SMBExec Invoke-TheHash ConvertTo-TargetList Invoke-WMIExec WMI command execution function. Parameters: Target – Hostname or IP address of target. Username – Username to use for authentication. Domain – Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. Hash – NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. Command – Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI on the target. Sleep – Default = 10 Milliseconds: Sets the function’s Start-Sleep values in milliseconds. Example: Invoke-WMIExec -Target -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command “command or launcher to execute" -verbose Screenshot: Invoke-SMBExec SMB (PsExec) command execution function supporting SMB1, SMB2, and SMB signing. Parameters: Target – Hostname or IP address of target. Username – Username to use for authentication. Domain – Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. Hash – NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. Command – Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to SCM on the target. CommandCOMSPEC – Default = Enabled: Prepend %COMSPEC% /C to Command. Service – Default = 20 Character Random: Name of the service to create and delete on the target. SMB1 – (Switch) Force SMB1. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target. Sleep – Default = 150 Milliseconds: Sets the function’s Start-Sleep values in milliseconds. Example: Invoke-SMBExec -Target -Domain TESTDOMAIN -Username TEST -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 -Command "command or launcher to execute" -verbose Screenshot: Invoke-TheHash Function for running Invoke-WMIExec and Invoke-SMBExec against multiple targets. Parameters: Type – Sets the desired Invoke-TheHash function. Set to either WMIExec or SMBExec. Targets – List of hostnames, IP addresses, or CIDR notation for targets. TargetsExclude – List of hostnames and/or IP addresses to exclude form the list or targets. PortCheckDisable – (Switch) Disable WMI or SMB port check. Since this function is not yet threaded, the port check serves to speed up he function by checking for an open WMI or SMB port before attempting a full synchronous TCPClient connection. PortCheckTimeout – Default = 100: Set the no response timeout in milliseconds for the WMI or SMB port check. Username – Username to use for authentication. Domain – Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username. Hash – NTLM password hash for authentication. This module will accept either LM:NTLM or NTLM format. Command – Command to execute on the target. If a command is not specified, the function will just check to see if the username and hash has access to WMI or SCM on the target. CommandCOMSPEC – Default = Enabled: SMBExec type only. Prepend %COMSPEC% /C to Command. Service – Default = 20 Character Random: SMBExec type only. Name of the service to create and delete on the target. SMB1 – (Switch) Force SMB1. SMBExec type only. The default behavior is to perform SMB version negotiation and use SMB2 if supported by the target. Sleep – Default = WMI 10 Milliseconds, SMB 150 Milliseconds: Sets the function’s Start-Sleep values in milliseconds. Example: Invoke-TheHash -Type WMIExec -Targets -TargetsExclude -Username Administrator -Hash F6F38B793DB6A94BA04A52F1D3EE92F0 Screenshot: ConvertTo-TargetList Converts Invoke-TheHash output to an array that contains only targets discovered to have Invoke-WMIExec or Invoke-SMBExec access. The output from this function can be fed back into the Targets parameter of Invoke-TheHash. Download Invoke-TheHash

Link: http://feedproxy.google.com/~r/PentestTools/~3/egsf10eEzi0/invoke-thehash-powershell-pass-hash.html

rePy2exe – A Reverse Engineering Tool for py2exe applications

Reverse Engineering Tool for py2exe applications. Prerequisites cmake git python2.7 Cloning git clone https://github.com/4w4k3/rePy2exe.git Running python rePy2exe.pyor python2.7 rePy2exe.py Authors Alisson Moretto – Coder – 4w4k3 Reference Thanks to: zrax – pycdc matiasb – unpy2exe License This project is licensed under the GPL 3.0 License – see the LICENSE file for details. Download rePy2exe

Link: http://feedproxy.google.com/~r/PentestTools/~3/Hwq_A3gl0-s/repy2exe-reverse-engineering-tool-for.html

custom-bytecode-analyzer – Java bytecode analyzer customizable via JSON rules

Java bytecode analyzer customizable via JSON rules. It is a command-line tool that receives a path containing one or more Jar files, analyzes them using the provided rules and generates HTML reports with the results. Usage usage: java -jar cba-cli.jar [OPTIONS] -a DIRECTORY_TO_ANALYZE -a,–analyze Path of the directory to run the analysis.-c,–checks <checks…> Space separated list of custom checks that are going to be run in the analysis. -f,–custom-file <customFile> Specify a file in JSON format to run custom rules. Read more in GitHub. -h,–help Print this message. -i,–items-report <maxItems> Max number of items per report. If the number of issues found exceeds this value, the report will be split into different files. Useful if expecting too many issues in the report. Default: 500. -o,–output <outputDir> Directory to save the report. Warning – if there are already saved reports in this directory they will be overwritten. Default is “report". -v,–verbose-debug Increase verbosity to debug mode. -vv,–verbose-trace Increase verbosity to trace mode. Custom JSON rules Rules file can be specified using -f,–custom-file argument . The file is in JSON format and has the following structure: rules : array(rule) name : string interfaces : array(string) superClass : string methods : array(method) name : string visibility : [public|protected|private] parameter : string (only one parameter is supported at the moment) report : boolean (default: true) invocations : array(invocation) owner : string method : method name : string visibility : [public|protected|private] parameter : string (only one parameter is supported at the moment) notFrom : method name : string visibility : [public|protected|private] parameter : string (only one parameter is supported at the moment) from : method name : string visibility : [public|protected|private] parameter : string (only one parameter is supported at the moment) report : boolean (default:true) You can also check net.nandgr.cba.custom.model.Rules.java to see the structure in Java code. Examples Find custom deserialization If we need to find classes with custom deserialization, we can do it quite easily. A class defines custom deserialization by implementing private void readObject(ObjectInputStream in) . So we only need to find all classes where that method is defined. It would be enough just to define a rule as: { "rules": [{ "name": "Custom deserialization", "methods": [{ "name": "readObject", "visibility": "private", "parameter": "java.io.ObjectOutputStream" }] }]}It will report methods with private visibility, readObject as name and a parameter of type java.io.ObjectOutputStream . Since we only have one rule, a report named: custom-deserialization-0.html will be created. Find custom serialization and deserialization In this case, one rule with two methods have to be defined. The same one than in the previous example for deserialization, and a new one to match private void writeObject(ObjectOutputStream out) . As shown in the JSON structure above, the property rules.rule.methods is an array of methods, so a rule like this can be written: { "rules": [{ "name": "Custom serialization and deserialization", "methods": [{ "name": "readObject", "visibility": "private", "parameter": "java.io.ObjectOutputStream" },{ "name": "writeObject", "report": "false", "visibility": "private", "parameter": "java.io.ObjectOutputStream" }] }]}The property report was set to false to avoid reporting twice for the same rule. We are using the second method just as a condition, but reporting only readObject methods should be enough for the example purpose. Find all method definitions If a property is not defined, it will always match as true. For example, this rule would return all methods definitions: { "rules": [{ "name": "Method definitions", "methods": [{ }] }]} Find String.equals method invocations Method invocations can also be found. The JSON in this case would be: { "rules": [{ "name": "String equals", "invocations": [{ "owner": "java.lang.String", "method": { "name": "equals" } }] }]}The property owner specifies the class containing the method. Reflection method invoke Another method invocation example a bit more useful than the previous one: { "rules": [{ "name": "Method invocation by reflection", "invocations": [{ "owner": "java.lang.reflect.Method", "method": { "name": "invoke" } }] }]} Deserialization usage In this example, we want to find deserialization usages (not classes defining serialization behaviors like in the previous examples). Deserialization happens when ObjectInputStream.readObject() is invoked. for example in this code snippet: ObjectInputStream in = new ObjectInputStream(fileInputStream);Object o = in.readObject();So we need to find method invocations from ObjectInputStream named readObject . But it will find a lot of false positives in a researching context, because when a class defines custom deserialization, they make an invocation to this method inside a private void readObject(ObjectInputStream in) method, and that would pollute the report too much. If we want to exclude those cases and keep only genuine deserialization, notFrom property can be used: { "rules": [{ "name": "Deserialization usage", "invocations": [{ "owner": "java.io.ObjectInputStream", "method": { "name": "readObject" }, "notFrom": { "name": "readObject", "visibility": "private", "parameter": "java.io.ObjectInputStream" }, "report": true }] }]}This file will find java.io.ObjectInputStream.readObject() invocations if the invocation is not done inside private void readObject(ObjectInputStream in) method. A class compiled with this code will not be reported: private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { Object o = in.readObject();}But this one will be reported: public Object deserializeObject(ObjectInputStream in) throws IOException, ClassNotFoundException { Object o = in.readObject(); return o;}The property from can be set in invocations in exactly the same way than notFrom , but the result will be the opposite: it will only match if the invocation is made from the defined method. Java servlets The property superClass can be used in this case. If we want to find all classes extending javax.servlet.http.HttpServlet , a rule can be: { "rules": [{ "name": "Java servlets", "superClass" : "javax.servlet.http.HttpServlet" }]} X509TrustManager implementations A rule can be written to find classes implementing an array of interfaces. if more than one interface is defined in the rule, the class has to implement all of them to be reported. If we want to find classes implementing javax.net.ssl.X509TrustManager , the rule would be: { "rules": [{ "name": "X509TrustManager implementations", "interfaces" : ["javax.net.ssl.X509TrustManager"] }]}Please note that interfaces is an array , so make sure you add the strings between square brackets, e.g: ["interface1", "interface2", …] . Define multiple rules Multiple rules can be defined in the same JSON file. They will be processed and reported separately and they will not affect each other. We can combine some of the previous examples rules: { "rules": [{ "name": "Custom deserialization", "methods": [{ "name": "readObject", "visibility": "private", "parameter": "java.io.ObjectOutputStream" }] },{ "name": "Method invocation by reflection", "invocations": [{ "owner": "java.lang.reflect.Method", "method": { "name": "invoke" } }] }]}Here, we have two rules ("Custom deserialization" and "Method invocation by reflection"). They will be processed as if you do it in two separated executions. And a report per rule will be generated. Custom Java rules The project can be downloaded and built to add more complex custom rules in Java code that are not covered by the JSON format. There are already three examples under the package net.nandgr.cba.visitor.checks . Those are CustomDeserializationCheck, DeserializationCheck and InvokeMethodCheck . You can create your own rules by extending net.nandgr.cba.custom.visitor.CustomAbstractVisitor . CustomAbstractVisitor is extending ASM org.objectweb.asm.ClassVisitor , so plenty of documentation can be found in the internet about it. Command line examples Run an analysis using a JSON file java -jar cba-cli-<version>.jar -a /path/with/jars -f /path/with/json/file/rules.json Run an analysis using a Java custom rule To use custom java rules, class names have to be specified as arguments of -c . java -jar cba-cli-<version>.jar -a /path/with/jars -c DeserializationCheckAccepts a space separated list, so multiple custom rules can be defined (each of the rules will create a separate report): java -jar cba-cli-<version>.jar -a /path/with/jars -c DeserializationCheck InvokeMethodCheck CustomDeserializationCheck YourCustomRule Combine JSON and custom Java rules java -jar cba-cli-<version>.jar -a /path/with/jars -f /path/with/json/file/rules.json -c YourCustomRule1 YourCustomRule2 Increase verbosity To find errors, verbosity can be increased. Debug level: java -jar cba-cli-<version>.jar -a /path/with/jars -c YourCustomRule1 -vTrace level: java -jar cba-cli-<version>.jar -a /path/with/jars -c YourCustomRule1 -vv Build and run the project There is already an executable jar file under bin directory at: https://github.com/fergarrui/custom-bytecode-analyzer/blob/master/bin/cba-cli-0.1-SNAPSHOT.jar . If you want to do modifications or add custom rules, the project can be built doing: git clone https://github.com/fergarrui/custom-bytecode-analyzer.gitcd custom-bytecode-analyzermvn clean packageTwo jars will be generated under target folder. cba-cli-<version>.jar contains all dependencies and is executable. Can be run using java -jar cba-cli-<version>.jar Download custom-bytecode-analyzer

Link: http://feedproxy.google.com/~r/PentestTools/~3/IhS6iIbGYcE/custom-bytecode-analyzer-java-bytecode.html

Chromebackdoor – Backdoor C&C for Populars Browsers

Chromebackdoor is a pentest tool, this tool use a MITB technique for generate a windows executable “.exe" after launch run a malicious extension or script on most popular browsers, and send all DOM datas on command and control. VIDEO Install Text (V 3.0) Install Video (OLD) Binder guide Module guide Form grabber plugins Facebook MessengerSpy plugins Jabber Notifier/ Hide Panel Windows infection Rubber Ducky Payload Require: pip install crxmake wine32 Let’s go python chromebackdoor.py web browser infection pour rappel, infiltrer, surveiller, un système informatique sans autorisation est un délit reminder, infiltrate, monitor, computer system without authorization is a crime Download Chromebackdoor

Link: http://feedproxy.google.com/~r/PentestTools/~3/B9yfkY8zVLo/chromebackdoor-backdoor-c-for-populars.html

sslscan – tests SSL/TLS enabled services to discover supported cipher suites

This is a fork of ioerror’s version of sslscan (the original readme of which is included below). Changes are as follows: Highlight SSLv2 and SSLv3 ciphers in output. Highlight CBC ciphers on SSLv3 (POODLE). Highlight 3DES and RC4 ciphers in output. Highlight PFS+GCM ciphers as good in output. Highlight NULL (0 bit), weak (<40 bit) and medium (40 < n <= 56) ciphers in output. Highlight anonymous (ADH and AECDH) ciphers in output (purple). Hide certificate information by default (display with --get-certificate ). Hide rejected ciphers by default (display with --failed ). Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan). Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan). Supports IPv6 hostnames (can be forced with --ipv6 ). Check for TLS compression (CRIME, disable with --no-compression ). Disable cipher suite checking --no-ciphersuites . Disable coloured output --no-colour . Removed undocumented -p output option. Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with --no-heartbleed ). Flag certificates signed with MD5 or SHA-1, or with short (<2048 bit) RSA keys. Support scanning RDP servers with --rdp (credit skettler). Added option to specify socket timeout. Added option for static compilation (credit dmke). Added --sleep option to pause between requests. Disable output for anything than specified checks --no-preferred . Determine the list of CAs acceptable for client certificates --show-client-cas . Experimental build support on OSX (credit MikeSchroll). Flag some self-signed SSL certificates. Experimental Windows support (credit jtesta). Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 –no-cipher-details . Flag weak DHE keys with OpenSSL >= 1.0.2 –cipher-details . Flag expired certificates. Flag TLSv1.0 ciphers in output as weak. Experimental OSX support (static building only). Support for scanning PostgreSQL servers (credit nuxi). Check for TLS Fallback SCSV support. Added StartTLS support for LDAP –starttls-ldap . Added SNI support –sni-name (credit Ken). Building on Windows Thanks to a patch by jtesta, sslscan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions. Note that sslscan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental. Pre-build cross-compiled Windows binaries are available on the GitHub Releases Page . Building on OS X There is experimental support for statically building on OS X, however this should be considered unsupported. You may need to install any dependencies required to compile OpenSSL from source on OS X. Once you have, just run: make static OpenSSL issues Statically linking a custom OpenSSL build It is possible to ignore the OpenSSL system installation and ship your own version. Although this results in a more resource-heavy sslscan binary (file size, memory consumption, etc.), this allows to enable both SSLv2 and SSLv3 ciphers. In comparison to the method of repackaging the Debian build, this custom OpenSSL build won’t affect other tools on the same system, as they would use the version packaged by the distro’s maintainers. To compile your own OpenSSL version, you’ll probably need to install the OpenSSL build dependencies: apt-get install build-essential git zlib1g-devapt-get build-dep opensslthen run make staticwhich will clone the OpenSSL repository , and configure/compile/test OpenSSL prior to compiling sslscan . Please note: Out of the box, OpenSSL cannot compiled with clang without further customization (which is not done by the provided Makefile ). For more information on this, see Modifying Build Settings in the OpenSSL wiki. You can verify whether you have a statically linked OpenSSL version, if ./sslscan –versionlooks a bit like 1.x.y-…-static OpenSSL 1.1.0-dev xx XXX xxxx(pay attention to the -static suffix and the 1.1.0-dev OpenSSL version). Building on Kali Kali now ships with a statically built version of sslscan which supports SSLv2. The package can be found in the Kali Git Repository . If for whatever reason you can’t install this package, follow the instructions above for statically building against OpenSSL. Building on Debian It is recommended that you statically build sslscan using the instructions listed above. If this is not an option and you want to compile your system OpenSSL with support for legacy protocols such as SSLv2 and SSLv3 then follow the instructions below. Note that many modern distros (including Debian) ship with a version of OpenSSL that disables support for SSLv2 ciphers. If sslscan is compiled on one of these distros, it will not be able to detect SSLv2. This issue can be resolved by rebuilding OpenSSL from source after removing the patch that disables SSLv2 support. The build_openssl_debian.sh script automates this process for Debian systems. It has been tested on Debian Squeeze/Wheezy; it may work on other Debian based distros, but has not been tested. The built version of OpenSSL will be installed using dpkg . If it is not possible to rebuild OpenSSL, sslscan will still compile (thanks to a patch from digineo/sslscan , based on the debian patch). However, a warning will be displayed in the output to notify the user that SSLv2 ciphers will not be detected. Download sslscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/TeOV4BpEUF4/sslscan-tests-ssltls-enabled-services.html

Noriben – Portable, Simple, Malware Analysis Sandbox

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample’s activities. Noriben allows you to not only run malware similar to a sandbox, but to also log system-wide events while you manually run malware in ways particular to making it run. For example, it can listen as you run malware that requires varying command line options. Or, watch the system as you step through malware in a debugger. Noriben only requires Sysinternals procmon.exe (or procmon64.exe) to operate. It requires no pre-filtering (though it would greatly help) as it contains numerous white list items to reduce unwanted noise from system activity. Cool Features If you have a folder of YARA signature files, you can specify it with the –yara option. Every new file create will be scanned against these signatures with the results displayed in the output results. If you have a VirusTotal API, place it into a file named “virustotal.api" (or embed directly in the script) to auto-submit MD5 file hashes to VT to get the number of viral results. You can add lists of MD5s to auto-ignore (such as all of your system files). Use md5deep and throw them into a text file, use –hash to read them. You can automate the script for sandbox-usage. Using -t to automate execution time, and –cmd "path\exe" to specify a malware file, you can automatically run malware, copy the results off, and then revert to run a new sample. The –generalize feature will automatically substitute absolute paths with Windows environment paths for better IOC development. For example, C:\Users\malware_user\AppData\Roaming\malware.exe will be automatically resolved to %AppData%\malware.exe. Usage: –===[ Noriben v1.6 ]===—-===[ @bbaskin ]===–usage: Noriben.py [-h] [-c CSV] [-p PML] [-f FILTER] [–hash HASH] [-t TIMEOUT] [–output OUTPUT] [–yara YARA] [–generalize] [–cmd CMD] [-d]optional arguments: -h, –help show this help message and exit -c CSV, –csv CSV Re-analyze an existing Noriben CSV file -p PML, –pml PML Re-analyze an existing Noriben PML file -f FILTER, –filter FILTER Specify alternate Procmon Filter PMC –hash HASH Specify MD5 file whitelist -t TIMEOUT, –timeout TIMEOUT Number of seconds to collect activity –output OUTPUT Folder to store output files –yara YARA Folder containing YARA rules –generalize Generalize file paths to their environment variables. Default: True –cmd CMD Command line to execute (in quotes) -d Enable debug tracebacks Download Noriben

Link: http://feedproxy.google.com/~r/PentestTools/~3/mrYkk21lOHk/noriben-portable-simple-malware.html

Wifi-Dumper – Tool To Dump The Wifi Profiles And Cleartext Passwords Of The Connected Access Points On The Windows Machine

This is an open source tool to dump the wifi profiles and cleartext passwords of the connected access points on the Windows machine. This tool will help you in a Wifi testing. Furthermore, it is useful while performing red team or an internal infrastructure engagements. FeaturesOption 1: Shows the wireless networks available to the system. If interface name is given, only the networks on the given interface will be listed. Otherwise, all networks visible to the system will be listed. Option 2: Shows a list of wireless profiles configured on the system. Option 3: Shows the allowed and blocked wireless network list. Option 4: Shows a list of all the wireless LAN interfaces on the system. Option 5: Generates a detailed report about each wireless access point profile on the system. Group Policy Profiles are read only. User Profiles are readable and writeable, and the preference order can be changed. Option 6: Dumps the cleartext passwords of every wireless profiles on the system. Make sure to generate the profile file (by selecting option 2) before running this option. Always run this as an administrator user to see the cleartext password. User needs to provide individual wireless name by reading the profile names(option 7). Option 7: It opens the list of wireless profiles on the system using notepad. Option 8: It saves WLAN profiles to XML files. Option 9: Exit gracefully. General Notes [+] Each option in the tool generates the “.txt" file as an output. [+] If you run the tool multiple times, the output gets appended to the previous results. How to run the application? [+] Run cmd.exe as an administrator. [+] Change Directory [+] Run the application as C:\>python wifi_dumper.py Questions? Twitter: https://twitter.com/maniarviral LinkedIn: https://au.linkedin.com/in/viralmaniar Download Wifi-Dumper

Link: http://feedproxy.google.com/~r/PentestTools/~3/PkqXc79xkk4/wifi-dumper-tool-to-dump-wifi-profiles.html