Channel: Hakin9 – IT Security Magazine

GoGhost - a High Performance, lightweight, portable Open Source tool for mass SMBGhost Scan.


GoGhost is a High Performance, lightweight, portable Open Source tool for mass SMBGhost Scan.

Installation

You can download the Windows binary or the Linux binary. Alternatively, since GoGhost uses only native Go libraries, the line below is enough to compile it:

go build GoGhost.go

Usage Options

GoGhost scanned 25,000 IP addresses in less than 3 seconds; Nmap took more than 600.

-iL [FILE]

By using the -iL option you're able to specify a list file with CIDRs in the file.

-iR [CIDR]

By using the -iR option you're able to specify an IP Range.

False Positive & False Negative

If Windows has been patched with KB4551762, GoGhost will still flag it as vulnerable. If the list of CIDRs in the file covers more than 500k IP addresses, it may flag some vulnerable hosts as Timeout.

The Results

Timeout => Closed port

Not Vulnerable => Does not have compression

Vulnerable => LZNT1 compression on SMB

Disclaimer

This tool was coded to measure the impact of SMBGhost in Latin America and Deepsecurity is not responsible for the use of this tool.

More: https://github.com/deepsecurity-pe/GoGhost

The post GoGhost - a High Performance, lightweight, portable Open Source tool for mass SMBGhost Scan. appeared first on Hakin9 - IT Security Magazine.


faxhell - A Bind Shell Using the Fax Service and a DLL Hijack


A Proof-of-Concept bind shell using the Fax service and a DLL hijack based on Ualapi.dll.

See our writeup at: https://windows-internals.com/faxing-your-way-to-system/

Obligatory Demo

How to use

  • Build Ualapi.dll and place in c:\windows\system32
  • Start the Fax service, which will load the DLL and call the export UalStart. UalStart will queue a thread pool work item that will open a handle to RpcSs, find a SYSTEM token, and then impersonate it. Afterward, it will create a socket on the local endpoint address, bind it to port 9299, and then asynchronously wait for a connection using a thread pool I/O completion port.
  • Connect to the socket on port 9299 using your favorite client (such as nc.exe <ip> 9299) and then type let me in and press ENTER. If you're writing custom code, make sure to send the string let me in\n.
  • The I/O completion packet will then wake up the thread pool callback, which will start a Cmd.exe process under the DcomLaunch service with SYSTEM privileges, binding its input and output handles to the newly created socket.
  • Win!

EDR / AV evasion

  • Uses a service that is not commonly known and not monitored or flagged as suspicious by EDR vendors.
  • Uses the Windows thread pool API to do the setup, making stacks harder to read, offloading work through multiple threads, and avoiding easy "hints" that something suspicious is happening.
  • The lifetime of the impersonated tokens is very small, and only the worker thread ever runs as SYSTEM, reverting back to NETWORK SERVICE very quickly and after only doing one API call. This helps reduce the chance of getting caught by various scanners.
  • Uses uncommon socket APIs that make the import table less suspicious and avoids EDR detections, IOCTL hooks, and LSPs.
  • Creates the bind shell under the DcomLaunch service (which is already a SYSTEM service) and not under the Fax service, making it look a lot more natural, and avoiding a very suspicious-looking process tree.
  • Leverages a Windows bug that makes it look as if our socket belongs to the Fax service, and not to DcomLaunch or Cmd.exe. If we kill the Fax service, it looks as if the socket belongs to System.

Caveats

This isn't meant to be a drop-in, undetectable, malicious, weaponized shell:

  • It is only a bind shell, which most firewalls will prevent. Opening firewall rules, or using a reverse bind shell, or doing communications over a common port such as 80 or 443 would work better.
  • Other services, notably the Spooler, also load Ualapi.dll. While the system behaves fine if the Fax service is "stuck" in the SERVICE_START_PENDING state, this will cause issues in Spoolsv.exe.
  • There are probably bugs and memory leaks in the PoC; we tried our best to make things production quality, but we did not run things through Application Verifier or ASan.

More: https://github.com/ionescu007/faxhell



pythem - Penetration Testing Framework


pythem is a multi-purpose pentest framework written in Python. It has been developed to be used by security researchers and security professionals. The tool is intended to be used only for acts within the law. I am not liable for any undue or unlawful act practised with this tool; for more information, read the license.

Installation

Links:

Linux Installation

Dependencies Installation

NOTE: Tested only with Debian-based distros; feel free to try the dependencies installation with yum or zypper if you use a Red Hat-like or SUSE-like distro.

sudo apt-get update
sudo apt-get install -y build-essential python-dev python-pip tcpdump python-capstone \
libnetfilter-queue-dev libffi-dev libssl-dev

Installation

  • With pip:
sudo pip install pythem
  • With source:
git clone https://github.com/m4n3dw0lf/pythem
cd pythem
sudo python setup.py install
  • With source and pip:
git clone https://github.com/m4n3dw0lf/pythem
cd pythem
sudo python setup.py sdist
sudo pip install dist/*

Running

  • Call on a terminal (requires root privileges):
$ sudo pythem

Running as a Docker container

  • Requires Docker
docker run -it --net=host --rm --name pythem m4n3dw0lf/pythem

Usage

Examples

Developing

Commands Reference

Index

Core

Network, Man-in-the-middle and Denial of service (DOS)

Exploit Development and Reverse Engineering

Brute Force

Utils


Wiki: https://github.com/m4n3dw0lf/pythem/wiki

Main page: https://github.com/m4n3dw0lf/pythem



Brutemap - Let's find someone's account...


Brutemap is an open source penetration testing tool that automates testing accounts against a site's login page using a dictionary attack. With it, you no longer need to search for other brute-force tools, and you no longer need to work out which CMS the site runs (just to find the form parameters), because Brutemap does that automatically. Brutemap also ships with attack methods that make it easy to check accounts or test forms with the SQL injection authentication bypass technique.

Installation

Brutemap uses Selenium to interact with the website, so you need to install a Selenium web driver first. See here. If you have git installed, you only need to clone the repository, like this:

$ git clone https://github.com/brutemap-dev/brutemap.git

And, install the required modules:

$ pip install -r requirements.txt

Usage

For basic use:

$ python brutemap.py -t http://www.example.com/admin/login.php -u admin -p abc, root, default

To display a list of available options:

$ python brutemap.py -h

For more information about available options, you can visit the User's manual.

Attack method

On the brutemap tool, there are several attack methods that make it easy for you to check accounts or test forms.

Twin

The Twin method tests each password against the username at the same index; its purpose is to make checking lists of known account pairs simpler.

For example, I have 2 usernames:

Usernames
admin
root

And, 1 password:

Passwords
default

And it will come out, like this:

=> admin : default

The root username will not be tested, because it has no partner password.

Use the option --twin to activate this method.

SQL Injection Bypass Authentication

This method will test the page form with SQL injection payloads, for more information see here

Use the option (-sB or --sqli-bypass) to activate this method.

SQL Injection Payloads

This method is the same as the SQL Injection Bypass Authentication method, but it will insert SQL injection payloads into the username.

For example, I have 2 usernames:

Usernames
admin
root

And, 2 payloads:

Payloads
') or true--
')) or 1--

And it will come out, like this:

=> admin') or true-- : ...
=> admin')) or 1--   : ...

Use the option (-sP or --sqli-payloads) to activate this method.
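To show why the payloads listed above can log a tester in, and what stops them, here is an added example (it is not Brutemap's code) with a login check built by string formatting next to the parameterised form. The schema, the in-memory SQLite database and the stored credentials are constructed for this demonstration; a real application would store password hashes, but the injection point is the same either way.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample user table (in memory, so the example runs offline)
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'c0rrect-h0rse')"
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Form values are pasted into the SQL text, so quotes in them become syntax."""
    query = (
        "SELECT id FROM users WHERE ((username = '%s') AND (password = '%s'))"
        % (username, password)
    )
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        # A payload shaped for a different query structure just breaks the SQL
        # (unbalanced parentheses); the login fails, which is why brutemap
        # tries several payload shapes rather than one
        return False


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the payload is compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE ((username = ?) AND (password = ?))",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for user in ("admin", "admin')) or 1--", "admin') or true--"):
        print(f"{user!r:26} vulnerable={login_vulnerable(db, user, 'wrong')} "
              f"safe={login_safe(db, user, 'wrong')}")
```

Against the double-parenthesised query only the `')) or 1--` shape comments out the password check; the `') or true--` shape leaves a parenthesis open and the statement fails to parse. The parameterised version rejects both, because the driver never lets the quote characters reach the SQL parser.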

Contributing

Before contributing to this project, please read the contributing guidelines.

Donate

We hope you are happy and we hope you donate! Please donate today to: https://paypal.me/aprilahijriyan (thanks!)

Links



Snowcrash - A polyglot payload generator


SNOWCRASH creates a script that can be launched on both Linux and Windows machines. Payload selected by the user (in this case combined Bash and Powershell code) is embedded into a single polyglot template, which is platform-agnostic.

There are a few payloads available, including command execution, reverse shell establishment, binary execution and some more :>

Basic usage

  1. Install dependencies: ./install.sh
  2. List available payloads: ./snowcrash --list
  3. Generate chosen payload: ./snowcrash --payload memexec --out polyglot_script
  4. Change extension of the polyglot script: mv polyglot_script polyglot_script.ps1
  5. Execute polyglot script on the target machine

Additional notes

Delay before script run and payload execution can be specified as an interval (using --sleep flag) in the form:

x[s|m|h]

where

x = amount of time to spend in the idle state
s = seconds
m = minutes
h = hours

After generation, the extension of a generated script containing the payload can be set either to .sh or .ps1 (depending on the platform we want to target).

The generated payload can be written directly to STDOUT (instead of writing to a file) using --stdout flag.

Screenshots

License

This software is under MIT License

More: https://github.com/wintrmvte/SNOWCRASH



StegCloak - Hide secrets with invisible characters in plain text securely using passwords


StegCloak is a pure JavaScript steganography module designed in functional programming style, to hide secrets inside the text by compressing and encrypting the secret before cloaking it with special unicode invisible characters. It can be used to safely watermark strings, invisible scripts on webpages, texts on social media, or for any other covert communication. Completely invisible! See how it works in-depth in this Medium article or watch our demo to know what it does.

Features

  • Protect your invisible secret using passwords and HMAC integrity
  • Cryptographically secure by encrypting the invisible secret using AES-256-CTR.
  • Uses 6 invisible Unicode characters that work everywhere on the web - Tweets, Gmail, WhatsApp, Telegram, Instagram, Facebook, and many more!
  • Maximum Compression to reduce the payload (LZ, Huffman).
  • Completely invisible, uses Zero Width Characters instead of white spaces or tabs.
  • Superfast! Hides the Wikipedia page-source for steganography (800 lines and 205362 characters) within a cover text of 3 words in under one second.
  • Hiding files in strings can be achieved by uploading the file to the cloud and stegcloaking the link in the string
  • Written in a pure functional style.
  • Usage - Available as an API module, a CLI, and also a Web Interface (optimized with web workers).

Installing

Using npm,

$ npm install -g stegcloak

Using npm (to use it locally in your program),

$ npm install stegcloak

How it works

CLI Usage

Hide

$ stegcloak hide

Options:

  hide [options] [secret] [cover]

  -fc, --fcover <file>      Extract cover text from file
  -fs, --fsecret <file>     Extract secret text from file
  -n, --nocrypt             If you don't need encryption (default: false)
  -i, --integrity           If additional security of preventing tampering is needed (default: false)
  -o, --output <output>     Stream the results to an output file
  -c, --config <file>       Config file
  -h, --help                display help for command

Reveal

$ stegcloak reveal       

Options:

  reveal [message]

  -f, --file <file>       Extract message from file
  -cp, --clip             Copy message directly from clipboard
  -o, --output <output>   Stream the secret to an output file
  -c, --config <file>     Config file
  -h, --help              display help for command

Additional support

  • STEGCLOAK_PASSWORD environment variable, if set, will be used by default as a password.
  • Configuration file support to configure StegCloak CLI and to avoid prompts. Read the config docs here.

API Usage

const StegCloak = require('stegcloak');

const stegcloak = new StegCloak(true, false);  // Initializes with encryption true and hmac false for hiding

// These arguments are used only during hide

// Can be changed later by switching boolean flags for stegcloak.encrypt and stegcloak.integrity

What's HMAC and do I need it?

HMAC is an additional fingerprint security step taken towards the tampering of texts and to verify if the message received was actually sent by the intended sender. If the data is sent through WhatsApp, Messenger, or any social media platform, this is already taken care of! However, if you are using StegCloak in your program to safely transmit and retrieve, this option can be enabled and StegCloak takes care of it.

Hide

stegcloak.hide(secret, password, cover) -> string
const magic = stegcloak.hide("Voldemort is back", "mischief managed", "The WiFi's not working here!");

// Uses stegcloak.encrypt and stegcloak.integrity booleans for obfuscation

console.log(magic);  // The WiFi's not working here!

Reveal

stegcloak.reveal(data, password) -> string
const secret = stegcloak.reveal(magic, "mischief managed");

// Automatically detects if encryption or integrity checks were done during hide and acts accordingly

console.log(secret); // Voldemort is back

This amazing blog by Francesco Soncina shows how you could use the StegCloak API to watermark any text on your website.

Important

StegCloak doesn't solve the Alice-Bob-Warden problem; it's powerful only when people are not looking for it, and it helps you achieve that really well, given its invisible properties around the web! It could be safely used for watermarking in forums, invisible tweets, social media, etc. Please don't use it when you know there's someone who is actively sniffing your data, looking at the Unicode characters through a data analysis tool. In that case, even though the encoded secret cannot be deciphered, the fact remains that the Warden (middle-man) knows some secret communication took place, because he would have noticed an unusual amount of special invisible characters.
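The mechanism behind the API calls above, and the Warden caveat, in one added example that is not StegCloak's code: a secret is turned into a run of zero-width code points, spliced in after the first word of the cover text, and recovered by stripping everything visible. Simplifications and assumptions: a binary alphabet of two invisible characters (the real module uses six), HMAC-SHA256 under a PBKDF2-derived key with a fixed salt standing in for the integrity option, and no AES-256-CTR layer (Python's standard library has no AES, and the encoding is the point here). The `invisible_ratio` function is the kind of check a Warden would run: the hidden text is invisible to a reader, but the share of zero-width characters gives it away.

```python
import hashlib
import hmac

ZERO = "\u200b"  # ZERO WIDTH SPACE carries a 0 bit
ONE = "\u200c"   # ZERO WIDTH NON-JOINER carries a 1 bit
# Code points a detector would count; the last three are not used by hide()
INVISIBLE = {ZERO, ONE, "\u200d", "\u2060", "\ufeff"}
TAG_LEN = 8  # bytes of truncated HMAC-SHA256 appended when integrity is on


def _key(password: str) -> bytes:
    # Demo key derivation (fixed salt); not StegCloak's KDF
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"stegdemo-salt", 10_000)


def _to_invisible(data: bytes) -> str:
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(ONE if bit == "1" else ZERO for bit in bits)


def _from_invisible(chars: str) -> bytes:
    bits = "".join("1" if c == ONE else "0" for c in chars)
    usable = len(bits) - len(bits) % 8  # drop a trailing partial byte, if any
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def hide(secret: str, password: str, cover: str, integrity: bool = True) -> str:
    payload = secret.encode("utf-8")
    if integrity:
        payload += hmac.new(_key(password), payload, "sha256").digest()[:TAG_LEN]
    words = cover.split(" ", 1)
    # The invisible run sits right after the first word, inside the text,
    # so trimming whitespace at either end of the message does not lose it
    tail = " " + words[1] if len(words) > 1 else ""
    return words[0] + _to_invisible(payload) + tail


def reveal(text: str, password: str, integrity: bool = True) -> str:
    payload = _from_invisible("".join(c for c in text if c in (ZERO, ONE)))
    if integrity:
        if len(payload) < TAG_LEN:
            raise ValueError("no integrity tag present")
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        expected = hmac.new(_key(password), body, "sha256").digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: wrong password or tampered text")
        payload = body
    return payload.decode("utf-8")


def invisible_ratio(text: str) -> float:
    """Warden-side check: share of characters that are zero-width code points."""
    if not text:
        return 0.0
    return sum(1 for c in text if c in INVISIBLE) / len(text)


if __name__ == "__main__":
    magic = hide("Voldemort is back", "mischief managed", "The WiFi's not working here!")
    print(magic)                      # reads exactly like the cover text
    print(reveal(magic, "mischief managed"))
    print(f"{invisible_ratio(magic):.2f} of the characters are invisible")
```

A 17-byte secret plus an 8-byte tag becomes 200 invisible characters inside a 28-character cover, so nearly nine in ten characters of the message are zero-width; a plain-text sample of the same cover scores zero. That contrast is what the "Important" note above is warning about.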

Resources

The following papers were referred to for insight and understanding of using Zero Width Characters in steganography.

  • Milad Taleby Ahvanooey, Qianmu Li, Jun Hou, Ahmed Raza Rajput and Chen Yini. Modern Text Hiding, Text Steganalysis, and Applications: A Comparative Analysis.
  • Milad Taleby Ahvanooey, Qianmu Li, Jun Hou, Hassan Dana Mazraeh and Jing Zhang. AITSteg: An Innovative Text Steganography Technique for Hidden Transmission of Text Message via Social Media. IEEE Access.

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Visit the website: https://github.com/kurolabs/stegcloak

License

MIT - Copyright (c) 2020 Jyothishmathi CV, Kandavel A, Mohanasundar M

Acknowledgments

The StegCloak logo was designed by Smashicons.



WiFi Passview - An open source batch script based WiFi Passview for Windows


WiFi Passview is an open-source batch script-based program that can recover your WiFi Password easily in seconds. This is for Windows OS only. Basically, this scripted program has the same function as other passview software such as webpassview and mailpassview. Visit Wiki

Disclaimer: WiFi Passview is NOT designed for malicious use! Please use this program responsibly!

Featured By

The project has been featured in some popular cybersecurity websites and Facebook pages such as KitPloit.com, Hakin9.org, Pentest Magazine, Hackers Guru, and National Cyber Security Services.

How it Works

Basically, this is a shortcut and batch-script version of the well-known method of viewing stored WiFi profiles from the command prompt. This is how it works...

netsh wlan show profiles

When you use this tool, you are able to extract the WiFi passwords stored on the target machine in just seconds.

To learn more visit Wiki page.

Features

This simple tool offers you the following features...

  • Extract all available WiFi passwords stored in the target machine and can be done in just seconds.
  • Extract password from specific target SSID.
  • Save extracted passwords.
  • Additional options.
  • No manual reading of Key Content, the tool will do that for you!
  • No need for admin rights to run the program.
  • Standalone batch program.
  • Supports all languages.
  • Generate WLAN report. (requires admin privileges)
  • Upload collected passwords to the cloud. (powered by file.io api)
  • Customizable builds.

Usage

Download the repository, look for the file "wifi-passview-vX.X.X.bat" and run it as an ordinary *.bat file (no need to run it as administrator). All you have to do is follow the on-screen instructions.

Read the official blog on How to Use WiFi Passview.

Wanna use for WiFi Hacking? Visit this exclusive post from the author.

Screenshots

Here's the screenshot of the program

In Action

Here's how this tool works:

Don't forget to like, share, and subscribe to my channel!

White Label / Personalize / Custom / Development

  • Download the repository
  • Do "npm install" and "npm install gulp-cli -g && npm install gulp -D"
  • After that, edit the "./src/config.json" file for your customization or personalization.
  • When you think you are satisfied, just do "gulp build" or "gulp" to initiate the building process.
  • If you want to reset the building process just do "gulp cleandev".
  • If you are editing the "./src/core.bat" you can use "gulp test" it is a combination of "gulp build" and "gulp cleandev" so you can quickly quality check the production build.
  • Do "gulp --tasks" to see all available "gulp" commands.

Premium Version

Looking for the official "wifi-passview-vX.X.X.exe"? Do you like this version and want to support the project?

Support

FAQs

Q: Why you don't use the built-in netsh wlan export command?

I'm aware of that command; the only reason I use findstr instead of that command is to keep the tool at user level so that it does not require any admin rights. For example, if you are about to use the tool on a machine that you don't own, then you're not able to use the tool. Got the idea? If the tool does not require admin rights, then we can avoid the UAC prompt and use the tool more efficiently; the command netsh wlan show profiles does not require admin rights, which is why we can still use it, capture the data, and save it to a file using the findstr command. Brilliant?

Visit FAQ section for more information.

Contributing

Contributions are welcome; create a pull request to the dev branch of this repo and I will review your code.

Issues

If you're facing a problem using WiFi Passview, please let me know by creating an issue in this GitHub repository. I'm happy to help you! Don't forget to provide some screenshots or error logs!

To Do

  • Extract WiFi Password Across Network (experimental)
  • More... (have suggestions? let me know!)

Community

Wanna see other projects I made? Join today!


Donate or Support

If you love this project please consider supporting the development by means of coffee. I spend my time just to save your time! Be a sponsor or backer of this project. Just a cup of coffee!


Supporters and Backers

  • ernest_bigelow, nanantakeshi, kerry_howell

Wanna see your name here? Just buy me a coffee!

License

WiFi Passview is licensed under GNU General Public License v3 - https://opensource.org/licenses/GPL-3.0

Author

This project is created by Waren Gonzaga for educational purposes.


</> with <3 by Waren Gonzaga



GIVINGSTORM - Infection vector that bypasses AV, IDS, and IPS. (For now...)


The beginnings of a C2 framework. Currently without all the C2 stuff so far. Generates a dual-stage VBS infection vector, and a dual-stage HTA infection vector. The variables take into account C2 addresses, Koadic/Empire payloads, and a few delivery mechanisms. The payload files are output to an aptly named directory "Payloads" that is created if not already present.

Installation & Usage

GIVINGSTORM is a breeze to use. Simply clone the repository and cd into it.

For the HTA payload: python3 GIVINGSTORM.py -n Windows-Upgrade -p b64encodedpayload -c amazon.com/c2/domain

HTA Example


For the Macro Subroutine: python3 GIVINGSTORM.py -n Windows-Upgrade -e amazon.com/final/payload.exe

Macro Example


More: https://github.com/nins3i/GIVINGSTORM



hackingtool - All in One Hacking tool For Hackers


All in One Hacking tool For Hackers

Is your favorite tool not in hackingtool, or do you have suggestions? Please CLICK HERE

Update Available 🚀

  • Added New Tools
  • Fix Errors
  • Uninstall hackingtool Script Available
  • Removed Unused Library

In Beta

This project is still in BETA, so you may face problems; please open an issue so I can fix them.

Hackingtool Menu

  • AnonSurf
  • Information Gathering
  • Password Attack
  • Wireless Attack
  • SQL Injection Tools
  • Phishing Attack
  • Web Attack Tool
  • Post exploitation
  • Forensic Tools
  • Payload Creator
  • Router Exploit
  • Wifi Jamming
  • XSS Attack Tool
  • SocialMedia Finder
  • DDos Attack Tools
  • Steganography Tools
  • IDN Homograph Attack
  • Hash Cracking Tools
  • SocialMedia Attack
  • Android Hack
  • Update System

AnonSurf

  • Anonymously Surf
  • Multirotor

Information Gathering

  • Nmap
  • Dracnmap
  • Port Scanning
  • Host To IP
  • Xerosploit
  • Infoga - Email OSINT
  • ReconSpider
  • RED HAWK (All In One Scanning)
  • ReconDog
  • Striker
  • SecretFinder
  • Port Scanner
  • Breacher

Password Attack

  • Cupp
  • WordlistCreator
  • Goblin WordGenerator
  • Credential reuse attacks
  • Wordlist (Contain 1.4 Billion Pass)

Wireless Attack

  • WiFi-Pumpkin
  • pixiewps
  • Bluetooth Honeypot GUI Framework
  • Fluxion
  • Wifiphisher
  • Wifite
  • EvilTwin

SQL Injection Tools

  • sqlmap tool
  • NoSqlMap
  • Damn Small SQLi Scanner
  • Explo
  • Blisqy - Exploit Time-based blind-SQL injection
  • Leviathan - Wide Range Mass Audit Toolkit
  • SQLScan

SocialMedia Attack

  • Instagram Attack
  • AllinOne SocialMedia Attack
  • Facebook Attack
  • Application Checker

Android Attack

  • Keydroid
  • MySMS
  • Lockphish (Grab target LOCK PIN)
  • DroidCam (Capture Image)
  • EvilApp (Hijack Session)

Phishing Attack

  • Setoolkit
  • SocialFish
  • HiddenEye
  • Evilginx2
  • Shellphish
  • BlackEye
  • I-See-You(Get Location using phishing attack)
  • SayCheese (Grab target's Webcam Shots)
  • QR Code Jacking

Web Attack

  • SlowLoris
  • Skipfish
  • SubDomain Finder
  • CheckURL
  • Blazy
  • Sub-Domain TakeOver

Post-Exploitation

  • Vegile - Ghost In The Shell
  • Chrome Keylogger

Forensic Tool

  • Bulk_extractor
  • Disk Clone and ISO Image Acquire
  • Autopsy
  • Toolsley
  • Wireshark

Payload Generator

  • The FatRat*
  • Brutal
  • Stitch
  • MSFvenom Payload Creator
  • Venom Shellcode Generator
  • Spycam
  • Mob-Droid

Exploit Framework

  • RouterSploit
  • WebSploit
  • Commix
  • Web2Attack
  • Fastssh

SocialMedia Finder

  • Find SocialMedia By Facial Recognition System
  • Find SocialMedia By UserName
  • Sherlock
  • SocialScan

Steganography

  • SteganoHide
  • StegnoCracker
  • Whitespace

DDoS Attack tool

  • SlowLoris
  • SYN Flood DDoS Weapon
  • UFOnet
  • GoldenEye

XSS Attack tool

  • DalFox(Finder of XSS)
  • XSS Payload Generator
  • Advanced XSS Detection Suite
  • Extended XSS Searcher and Finder
  • XSS-Freak
  • XSpear
  • XSSCon
  • XanXSS

IDN Homograph

  • EvilURL

Email Verifier

  • KnockMail

Hash Cracking Tool

  • Hash Buster

Installation in Linux:

This tool must run as ROOT

git clone https://github.com/Z4nzu/hackingtool.git

chmod -R 755 hackingtool  

cd hackingtool

sudo pip3 install -r requirement.txt

./install.sh

sudo hackingtool

After following all the steps, just type hackingtool in a terminal: root@kaliLinux:~ hackingtool

Thanks to the original authors of the tools used in hackingtool

MIT License

Please Don't Use for illegal Activity

Follow ➀ GitHub Twitter

Buy Me A Coffee

Contact Via Twitter or Email

Feel free to make a pull request if you feel that you have improved this tool

Don't forget to share with your friends

Thank you!!

Page: https://github.com/Z4nzu/hackingtool



ParamSpider - Mining parameters from dark corners of Web Archives


Key Features:

  • Finds parameters from web archives of the entered domain.
  • Finds parameters from subdomains as well.
  • Gives support to exclude URLs with specific extensions.
  • Saves the output result in a nice and clean manner.
  • It mines the parameters from web archives (without interacting with the target host)

Usage instructions:

Note : Use python 3.7+

$ git clone https://github.com/devanshbatham/ParamSpider
$ cd ParamSpider
$ pip3 install -r requirements.txt
$ python3 paramspider.py --domain hackerone.com

Usage options:

1 - For a simple scan [without the --exclude parameter]
$ python3 paramspider.py --domain hackerone.com
-> Output ex : https://hackerone.com/test.php?q=FUZZ

2 - For excluding urls with specific extensions
$ python3 paramspider.py --domain hackerone.com --exclude php,jpg,svg

3 - For finding nested parameters
$ python3 paramspider.py --domain hackerone.com --level high
-> Output ex : https://hackerone.com/test.php?p=test&q=FUZZ

4 - Saving the results
$ python3 paramspider.py --domain hackerone.com --exclude php,jpg --output hackerone.txt

5 - Using with a custom placeholder text (default is FUZZ), e.g. don't add a placeholder
$ python3 paramspider.py --domain hackerone.com --placeholder FUZZ2

6 - Using the quiet mode (without printing the URLs on screen)
$ python3 paramspider.py --domain hackerone.com --quiet

7 - Exclude subdomains [for parameters from domain+subdomains, do not specify this argument]
$ python3 paramspider.py --domain hackerone.com --subs False 
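To make the usage options above concrete, here is an added example (not ParamSpider's code) of the post-processing step those flags control: scope the archived URLs to the domain and optionally its subdomains, drop excluded extensions, swap every query value for the placeholder, and collapse URLs that differ only in their values. The URL list is constructed to stand in for what a web-archive index returns; replacing every parameter value (rather than only the last one, as the --level high output above shows) is an assumption of this version.

```python
import posixpath
from typing import Iterable, List
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed stand-in for archive index results; not real archive data
SAMPLE_ARCHIVE_URLS = [
    "https://example.com/test.php?q=hello",
    "https://example.com/test.php?q=world",
    "https://example.com/search?p=test&q=abc",
    "https://static.example.com/style.css?v=12",
    "https://example.com/img/logo.png?size=large",
    "https://blog.example.com/post?id=42",
    "https://example.com/about",
    "https://notexample.com/x?y=1",
]


def in_scope(url: str, domain: str, include_subs: bool) -> bool:
    """True for the domain itself, or any subdomain when include_subs is set."""
    host = urlsplit(url).hostname or ""
    return host == domain or (include_subs and host.endswith("." + domain))


def has_excluded_ext(url: str, exclude: set) -> bool:
    ext = posixpath.splitext(urlsplit(url).path)[1].lstrip(".").lower()
    return ext in exclude


def mine_parameters(
    urls: Iterable[str],
    domain: str,
    exclude: Iterable[str] = (),
    placeholder: str = "FUZZ",
    include_subs: bool = True,
) -> List[str]:
    """Return deduplicated URLs whose query values are replaced by the placeholder."""
    exclude_set = {e.lower().lstrip(".") for e in exclude}
    seen, results = set(), []
    for url in urls:
        if not in_scope(url, domain, include_subs) or has_excluded_ext(url, exclude_set):
            continue
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not params:
            continue  # nothing to fuzz without a query string
        # Every value becomes the placeholder, so entries that differ only in
        # their values collapse into one candidate URL
        query = "&".join(f"{key}={placeholder}" for key, _ in params)
        candidate = urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))
        if candidate not in seen:
            seen.add(candidate)
            results.append(candidate)
    return results


if __name__ == "__main__":
    for line in mine_parameters(SAMPLE_ARCHIVE_URLS, "example.com", exclude=("css", "png")):
        print(line)
```

The note further down about false positives applies here as well: an archived URL only proves that a parameter existed at some point, not that the current host still reads it.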

ParamSpider + GF (for massive pwnage)

Let's say you have already installed ParamSpider and now you want to filter out the juicy parameters from a plethora of parameters. No worries, you can easily do it using GF (by tomnomnom).

Note: Make sure you have Go properly installed on your machine.

Follow along with this:

$ go get -u github.com/tomnomnom/gf
$ cp -r $GOPATH/src/github.com/tomnomnom/gf/examples ~/.gf

Note : Replace '/User/levi/go/bin/gf' with the path where the gf binary is located on your system.

$ alias gf='/User/levi/go/bin/gf'
$ cd ~/.gf/

Note : Paste the JSON files (https://github.com/devanshbatham/ParamSpider/tree/master/gf_profiles) into the ~/.gf/ folder

Now run ParamSpider and navigate to the output directory

$ gf redirect domain.txt //for potential open redirect/SSRF parameters
$ gf xss domain.txt //for potential xss vulnerable parameters
$ gf potential domain.txt //for xss + ssrf + open redirect parameters
$ gf wordpress domain.txt //for wordpress urls

[More GF profiles to be added in future]

Example:

$ python3 paramspider.py --domain bugcrowd.com --exclude woff,css,js,png,svg,php,jpg --output bugcrowd.txt

Note:

As it fetches the parameters from web archive data, the chances of false positives are high.

Contributing to ParamSpider :

  • Report bugs, missing best practices
  • Shoot me a DM with new ideas
  • Make more GF profiles (.json files)
  • Help in Fixing bugs
  • Submit Pull requests

My Twitter:

Say hello: 0xAsm0d3us

Wanna show support for the tool?

I will be more than happy if you will show some love for Animals by donating to Animal Aid Unlimited. Animal Aid Unlimited saves animals through street animal rescue, spay/neuter, and education. Their mission is dedicated to the day when all living beings are treated with compassion and love. ✨


More: https://github.com/devanshbatham/ParamSpider



shhgit - find secrets and sensitive files across GitHub (including Gists), GitLab and BitBucket


Love shhgit? Help me reach my goal by sponsoring me via GitHub: https://github.com/sponsors/eth0izzle/

NEW: LIVE VERSION. Find secrets from your browser!

Finding secrets in GitHub is nothing new. There are many great tools available to help with this, depending on which side of the fence you sit. On the adversarial side, popular tools such as gitrob and truffleHog focus on digging into commit history to find secret tokens from specific repositories, users or organisations. On the defensive side, GitHub themselves are actively scanning for secrets through their token scanning project. Their objective is to identify secret tokens within committed code in real time and notify the service provider to take action. So in theory, if any AWS secret keys are committed to GitHub, Amazon will be notified and automatically revoke them.

I developed shhgit to raise awareness and bring to life the prevalence of this issue. I hope GitHub will do more to prevent bad actors using the treasure trove of information across the platform. I don't know the inner workings of their token scanning project, but delaying the real-time feed API until the pipeline has completed and imposing SLAs on the providers seems like a step in the right direction.

With some tweaking of the signatures, shhgit would make an awesome addition to your bug bounty toolkit.

Installation

You can use the precompiled binaries or allow Go to build from source:

  1. Install Go for your platform.
  2. go get github.com/eth0izzle/shhgit will download and build shhgit automatically. Optionally you can clone this repository manually and run GO111MODULE=on CGO_ENABLED=0 go build -v -i -o shhgit.
  3. See usage.

Or you can run from Docker:

  1. Grab a copy of the config.yaml and insert your GitHub credentials (see Usage).
  2. docker run -v $(pwd)/config.yaml:/config.yaml:ro eth0izzle/shhgit

Usage

shhgit can work in two ways: through the GitHub, GitLab, and BitBucket public repositories or by processing files in a local directory.

By default, shhgit will run in the former 'public mode' and needs to access the public GitHub API. You will need to obtain and provide an access token. The API has a hard rate limit of 5,000 requests per hour per account, regardless of what token is used. The more account-unique tokens you provide, the faster you can process the events. Follow this guide to generate a token; it doesn't require any scopes or permissions. And then place it under github_access_tokens in config.yaml. Note that it is against the GitHub terms to bypass their rate limits. Use multiple tokens at your own risk.

Unlike other tools, you don't need to pass any targets with shhgit. Simply run $ shhgit to start watching GitHub commits and find secrets or sensitive files matching the included 120 signatures. You can also forgo the signatures and use shhgit with a search query, e.g. to find all AWS keys you could use shhgit --search-query AWS_ACCESS_KEY_ID=AKIA.

To run in local mode (and perhaps integrate into your CI pipelines) you can pass the --local flag (see Options below).

Options

--clone-repository-timeout
        Maximum time it should take to clone a repository in seconds (default 10)
--config-path
        Searches for config.yaml from the given directory. If not set, tries to find it in the shhgit binary's directory and the current directory
--csv-path
        Specify a path if you want to write found secrets to a CSV. Leave blank to disable
--debug
        Print debugging information
--entropy-threshold
        Finds high entropy strings in files. Higher threshold = more secret secrets, lower threshold = more false positives. Set to 0 to disable entropy checks (default 5.0)
--local
        Specify local directory (absolute path) which to scan. Scans only given directory recursively. No need to have GitHub tokens with local run.
--maximum-file-size
        Maximum file size to process in KB (default 512)
--maximum-repository-size
        Maximum repository size to download and process in KB (default 5120)
--minimum-stars
        Only clone repositories with this many stars or higher. Set to 0 to ignore star count (default 0)
--path-checks
        Set to false to disable file name/path signature checking, i.e. just match regex patterns (default true)
--process-gists
        Watch and process Gists in real time. Set to false to disable (default true)
--search-query
        Specify a search string to ignore signatures and filter on files containing this string (regex compatible)
--silent
        Suppress all output except for errors
--temp-directory
        Directory to store repositories/matches (default "%temp%\shhgit")
--threads
        Number of concurrent threads to use (default number of logical CPUs)

Config

The config.yaml file has 7 elements. A default is provided.

github_access_tokens: # provide at least one token
  - 'token one'
  - 'token two'
webhook: '' # URL to a POST webhook.
webhook_payload: '' # Payload to POST to the webhook URL
blacklisted_extensions: [] # list of extensions to ignore
blacklisted_paths: [] # list of paths to ignore
blacklisted_entropy_extensions: [] # additional extensions to ignore for entropy checks
signatures: # list of signatures to check
  - part: '' # either filename, extension, path or contents
    match: '' # simple text comparison (if no regex element)
    regex: '' # regex pattern (if no match element)
    name: '' # name of the signature
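To make the signature format and the --entropy-threshold option concrete, here is an added example (not shhgit's own code, which is Go) that re-implements both checks in Python over constructed sample files; the signature patterns, the match semantics and the sample values are this example's own.

```python
"""Added example, not shhgit's own code: a small re-implementation of the two
checks shhgit's config.yaml and --entropy-threshold describe (signature
matching on filename/extension/path/contents, and high-entropy string
detection), run over constructed sample files as shhgit --local would."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_ENTROPY_THRESHOLD = 5.0   # shhgit's documented default
MAX_FILE_SIZE = 512 * 1024        # --maximum-file-size default, 512 KB


@dataclass
class Signature:
    """One entry of the `signatures:` list in config.yaml."""
    name: str
    part: str                     # filename, extension, path or contents
    match: Optional[str] = None   # simple text comparison
    regex: Optional[str] = None   # regex pattern, used when no match element


# Constructed signatures; the names mirror shhgit's default list but the
# patterns and match semantics below are this example's own.
SIGNATURES = [
    Signature("AWS Access Key ID Value", "contents", regex=r"AKIA[0-9A-Z]{16}"),
    Signature("AWS CLI credentials file", "path", match=".aws/credentials"),
    Signature("Environment configuration file", "filename", match=".env"),
    Signature("Private SSH key", "extension", match="pem"),
]


def shannon_entropy(data: str) -> float:
    """Shannon entropy in bits per character (at most log2(len(data)))."""
    if not data:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def signature_matches(sig: Signature, path: str, contents: str) -> bool:
    """Exact match for filename/extension, substring for path/contents, or regex."""
    filename = path.rsplit("/", 1)[-1]
    extension = filename.rsplit(".", 1)[-1] if "." in filename else ""
    subject = {"filename": filename, "extension": extension,
               "path": path, "contents": contents}[sig.part]
    if sig.match is not None:
        if sig.part in ("path", "contents"):
            return sig.match in subject
        return subject == sig.match
    return sig.regex is not None and re.search(sig.regex, subject) is not None


def scan_file(path: str, contents: str,
              threshold: float = DEFAULT_ENTROPY_THRESHOLD) -> List[Dict[str, str]]:
    """Apply every signature, then the entropy check (threshold 0 disables it)."""
    findings: List[Dict[str, str]] = []
    if len(contents.encode()) > MAX_FILE_SIZE:
        return findings                      # skipped, like shhgit's size cap
    for sig in SIGNATURES:
        if signature_matches(sig, path, contents):
            findings.append({"path": path, "signature": sig.name})
    if threshold > 0:
        # Candidate secrets: runs of 20+ base64-alphabet characters.
        for token in re.findall(r"[A-Za-z0-9+/]{20,}", contents):
            if shannon_entropy(token) > threshold:
                findings.append({"path": path, "signature": "High entropy string",
                                 "token": token})
    return findings


def scan_files(files: Dict[str, str],
               threshold: float = DEFAULT_ENTROPY_THRESHOLD) -> List[Dict[str, str]]:
    """Scan an in-memory tree {path: contents} in insertion order."""
    return [f for path, text in files.items() for f in scan_file(path, text, threshold)]


# Constructed sample tree. The 40-character token uses 40 distinct characters,
# so its entropy is exactly log2(40) ~= 5.32 and trips the 5.0 threshold; the
# AWS key ID is the public placeholder value used in AWS documentation.
SAMPLE_FILES = {
    "src/config/.env": ("DB_HOST=localhost\n"
                        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                        "SECRET_TOKEN=7f3KpQ9zXcV2nLmR8tYbW4sHgJ1dN6uE0aZ5iBoC\n"),
    "README.md": "Use passwordpasswordpasswordpassword only in tests\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Note that a real 40-character secret with repeated characters can sit below 5.0, which is why the regex signatures and the entropy check complement each other.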

Signatures

shhgit comes with 120 signatures. You can remove or add more by editing config.yaml.

Chef private key, Potential Linux shadow file, Potential Linux passwd file, Docker configuration file, NPM configuration file, Environment configuration file, Contains a private key, AWS Access Key ID Value, AWS Access Key ID, AWS Account ID, AWS Secret Access Key, AWS Session Token, Artifactory, CodeClimate, Facebook access token, Google (GCM) Service account, Stripe API key, Google OAuth Key, Google Cloud API Key
Google OAuth Access Token, Picatic API key, Square Access Token, Square OAuth Secret, PayPal/Braintree Access Token, Amazon MWS Auth Token, Twilo API Key, MailGun API Key, MailChimp API Key, SSH Password, Outlook team, Sauce Token, Slack Token, Slack Webhook, SonarQube Docs API Key, HockeyApp, Username and password in URI, NuGet API Key, Potential cryptographic private key, Log file, Potential cryptographic key bundle, Potential cryptographic key bundle
Potential cryptographic key bundle, Potential cryptographic key bundle, Pidgin OTR private key, OpenVPN client configuration file, Azure service configuration schema file, Remote Desktop connection file, Microsoft SQL database file, Microsoft SQL server compact database file, SQLite database file, SQLite3 database file, Microsoft BitLocker recovery key file
Microsoft BitLocker Trusted Platform Module password file, Windows BitLocker full volume encrypted data file, Java keystore file, Password Safe database file, Ruby On Rails secret token configuration file, Carrierwave configuration file, Potential Ruby On Rails database configuration file, OmniAuth configuration file, Django configuration file
1Password password manager database file, Apple Keychain database file, Network traffic capture file, GnuCash database file, Jenkins publish over SSH plugin file, Potential Jenkins credentials file, KDE Wallet Manager database file, Potential MediaWiki configuration file, Tunnelblick VPN configuration file, Sequel Pro MySQL database manager bookmark file, Little Snitch firewall configuration file, Day One journal file, Potential jrnl journal file, Chef Knife configuration file, cPanel backup ProFTPd credentials file
Robomongo MongoDB manager configuration file, FileZilla FTP configuration file, FileZilla FTP recent servers file, Ventrilo server configuration file, Terraform variable config file, Shell configuration file, Shell configuration file, Shell configuration file, Private SSH key, Private SSH key, Private SSH key, Private SSH key, SSH configuration file, Potential cryptographic private key, Shell command history file
MySQL client command history file, PostgreSQL client command history file, PostgreSQL password file, Ruby IRB console history file, Pidgin chat client account configuration file, Hexchat/XChat IRC client server list configuration file, Irssi IRC client configuration file, Recon-ng web reconnaissance framework API key database, DBeaver SQL database manager configuration file, Mutt e-mail client configuration file, S3cmd configuration file, AWS CLI credentials file, SFTP connection configuration file, T command-line Twitter client configuration file, Shell configuration file
Shell profile configuration file, Shell command alias configuration file, PHP configuration file, GNOME Keyring database file, KeePass password manager database file, SQL dump file, Apache htpasswd file, Configuration file for auto-login process, Rubygems credentials file, Tugboat DigitalOcean management tool configuration, DigitalOcean doctl command-line client configuration file, git-credential-store helper credentials file, GitHub Hub command-line client configuration file, Git configuration file

Contributing

  1. Fork it, baby!
  2. Create your feature branch: git checkout -b my-new-feature
  3. Commit your changes: git commit -am 'Add some feature'
  4. Push to the branch: git push origin my-new-feature
  5. Submit a pull request.

Disclaimer

I take no responsibility for how you use this tool. Don't be a dick.

License

MIT. See LICENSE

More: https://github.com/eth0izzle/shhgit

reNgine - An automated recon framework for web applications

reNgine is an automated reconnaissance framework meant for gathering information during penetration testing of web applications. reNgine has customizable scan engines, which can be used to scan the websites, endpoints, and gather information. The beauty of reNgine is that it gathers everything in one place. It has a pipeline of reconnaissance, which can be customized.

It is very useful when you have a domain and want to recon it: gather endpoints, run directory and file searches, perform visual reconnaissance, and collect the results in one place.

Suppose you have a domain such as hackerone.com. reNgine can scan it with your defined scan engine and gather all the results in one place. That makes use cases like "I want to find the subdomain whose page title is "Dashboard" and whose page status is 200, and quickly look at its screenshot" possible.

Another use-case could be, "I want to list all subdomains that use PHP and the HTTP status is 200!"

On the endpoints side, reNgine gathers URL endpoints using tools like gau, which collects URLs from many sources such as Common Crawl, the Wayback Machine, etc.

reNgine makes it possible for the use case like, "search the URLs that have extension .php and HTTP status is 200!"

Also, if you are looking for open redirection, you can quickly search for =http and look for HTTP status 30X; this gives high-accuracy candidates for open redirection with minimal effort.

What it is not

It is not a:

  • Vulnerability scanner!
  • Reconnaissance with high accuracy (No! reNgine uses other open-source tools to make this pipeline possible; its accuracy and capability depend on those tools)
  • Speed oriented recon framework with immediate results

Screenshots

Scan results

Gathered Endpoints

Of course, at this point reNgine does not give the best results compared to other tools, but it certainly requires minimal effort. Also, I am continuously adding new features. You may help me on this journey by creating a PR filled with new features and bug fixes. Please have a look at the Contributing section before doing so.

Flow

Getting Started

To get a local copy up and running follow these simple example steps.

git clone https://github.com/yogeshojha/rengine.git
cd rengine

Prerequisites

  • Docker
    • Install docker based on your OS from here
  • docker-compose
    • Installation instructions for docker-compose from here

Installation

Assuming that you have followed the above steps and are inside the cloned directory:

docker-compose up --build

The build process may take some time.

Usage

⚠ reNgine does fingerprinting, port scanning, and banner grabbing which might be illegal in some countries. Please make sure you are authorized to perform reconnaissance on the targeted domain before using this tool.

If the installation is successful, then you can simply run it by using the command

docker-compose up -d

The web application can then be accessed from http://localhost:8000

Contributing

Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. Your contributions could be as simple as fixing the indentations or fixing UI to as complex as bringing new modules and features.

See contributing guide to get started.

First-time Open Source contributors

Please note that reNgine is beginner-friendly. If you have never done any open-source yet, we encourage you to do so. We will be happy and proud of your first PR ever.

You can begin with resolving any open issues.

License

Distributed under the GNU GPL v3 license. See LICENSE for more information.

Acknowledgments and Credits

reNgine is just a pipeline of recon. reNgine would not have been possible without the following individuals/organizations.

Also, some of the icons and images used in reNgine are from Freepik and Flaticon.

More: https://github.com/yogeshojha/rengine

ICMP Analysis with Wireshark [FREE COURSE CONTENT]

In this video from our Packet Analysis with Wireshark course by Atul Tiwari we learn how to perform ICMP analysis in Wireshark. Eavesdropping on ICMP traffic can provide a lot of data to a savvy adversary - or pentester!



Wireshark is the world’s foremost and most widely-used network protocol analyzer. Analyzing network traffic and troubleshooting data packets is always a daunting task, but Wireshark always comes to the rescue in such situations. As Wireshark is used widely in commercial, non-profit, educational and other environments, it is crucial for IT people to have thorough knowledge of Wireshark’s capabilities, to get insights at a microscopic level into a network and know what’s happening in order to analyze, troubleshoot, monitor and sometimes capture sensitive credentials passing through the wires. Wireshark is useful even in session hijacking of authenticated users, and it is the industry-leading tool that every ethical hacker, network admin, system admin and even malicious or black hat hacker uses to perform advanced security analysis and attacks.

What skills do you gain in this course?

  • Know what’s happening inside the network traffic
  • Filter traffic based on your own rules that you created
  • How to capture the traffic in multiple datasets
  • How to split and merge large captured traces
  • Perform various attacks based on protocol issues
  • Find TCP and HTTP headers for further analysis
  • See only endpoints, target traffic for a single requirement
  • Filter for one protocol, one port or port range, one IP address or range of IP
  • Identify network intrusions using filters and colorizing rules
  • Identify port scanning and DoS attacks on your networks
  • Remotely capturing the traffic
  • IP and port filtering
  • Capture VoIP telephony and listen to the conversations
  • Baseline your network traffic for your organization
  • EMAIL, DNS, HTTP, TCP, ARP, IPv4, IPv6, etc., analysis
  • ICMP analysis
  • Make and apply display filters

This video is from module 4, where we analyze different protocols, listen to VoIP communications and play them back from the captured packets. As a network engineer, one can dive into Wireshark’s plugins, create rules for detecting unauthorized scanning, network flooding and intrusions, and fix issues as well. Make your own traffic baseline for your organization.


Scrummage - tool that centralises search functionality from powerful, yet simple OSINT sites.

Scrummage is the ultimate OSINT framework. It is an OSINT tool that centralises search functionality from powerful, yet simple OSINT sites. This project draws inspiration mainly from two other projects, including:

While at first glance the web application may not look that original when compared to Scumblr, the plugins this tool uses are mainly what makes this project unique; the provided Python/Flask web application is just a simple, lightweight, and scalable way of giving users the ability to manage large pools of results. The other main benefit this project offers is a simpler, up-to-date installation process.

Any feedback is welcome.

If you're enjoying this tool, feel free to buy me a cup of coffee :)
Donate

VERSION 2.4

  • UI Simplifications.
  • Simplified new code that retains the same look and feels as before with a few improvements.
  • Bug fixes for task management functions and plugins.
  • Phishtank plugin removed and replaced with Phishstats (See The Wiki Pages linked below)
  • Divided Punycode Fuzzer into comprehensive search and condensed search (See The Wiki Pages linked below)
  • Better, more accurate results. Results also allow users to access Main Files (Related to all results from the relevant query used to find the result), Individual Files (Related to result), CSV and DOCX Output files (If the functionality is switched on in the configuration file).
  • New API endpoints to manage tasks, results, accounts, etc. Refer to the Wiki Page

There is currently a known bug with the Google Play Store plugin.

FOR INSTRUCTIONS REFER TO THE WIKI

An Overview of the Web Application

Some of the Available Plugins

  • Blockchain Search
  • Domain Fuzzer
  • Twitter Scraper
  • Instagram Search
  • Have I Been Pwned Search
  • Ahmia Darkweb Search
  • Many more... Refer to the "Long List of Tasks" Wiki file for the full list.

Dashboard

The dashboard is the home screen the application directs a user to when they log in. It provides a high-level chart showing the number of results of each result type, for each kind of finding. If a graph doesn’t load, this is most likely because there are no results in that category, i.e. if there are no closed results, no graph will appear under “Overview of Closed Results”.

Events

The events page shows anything that changes within the web application, from logins to failed login attempts, to any actions performed against a task. This assists with understanding what has recently been happening in the web app, and can assist in matters such as detecting brute-force login attempts or tracking down who altered a task.

Note: This page only loads the latest 1000 events, for optimisation of the web application.

Results

The results page simply shows results that have been created by a task. The results table shows the basic metadata of each result and also provides a “Details” button which can be used to investigate the result further. As mentioned, all results have some kind of output file; if a result is a link, the file will be a copy of the page’s HTML. Furthermore, screenshot functionality is provided to keep a photographic record of a result. Both the output and screenshot files are deleted if the result is deleted.

Note: This page only loads the latest 1000 results, for optimisation of the web application.

For optimisation purposes, the results table only displays some of the general information regarding a result, to investigate a result further, the user should use the Details button. The details page allows the user to view the soft copy of the result's link and provides the ability for a user to generate a screenshot.

Furthermore, buttons for reviewing, inspecting, and closing a result are provided to show other users where a result is in terms of assessment. The buttons are colour-coded and are coloured as the result progresses through the assessment.

Results are categorised into the following:

  • Data Leakage
  • Domain Spoof
  • Phishing
  • Exploit
  • Blockchain Address
  • Blockchain Transaction

Tasks

The tasks page shows all created tasks and lets the user run each task. This page doesn’t have a limit on tasks; however, don’t go crazy creating tasks: you can always add a list to a task rather than creating the same task multiple times for one search, so you really shouldn’t need more than 50 tasks. Each task has a cache and a log, which can be found in the “protected/output” directory under the task’s name, e.g. Google Search is called “google”. If you need to clear the cache, you can edit/delete the appropriate cache file.

All the plugins are open-source and free to individuals, just like the rest of the code. Furthermore, feel free to reuse the libraries used in other plugins. If you are creating or editing a plugin, be aware that when you run it for the first time the web app may restart to refresh the Python cache. This is normal.

Account

This page changes according to the user's privileges. If a user is an admin, they can change their own password as well as other users' passwords, block/unblock users, and demote/promote users' privileges. They can also create new users and delete existing users. The account page looks as per below for administrative users:

The account page looks as per below for non-administrative users:

Developer Information

Contributions Welcome!!
Knock yourself out, create any plugins you like, and feel free to leverage existing libraries to help you. Refer to the plugin development guide here.

InjuredAndroid - A vulnerable Android application that shows simple examples of vulnerabilities in a CTF style

InjuredAndroid - A vulnerable Android application with CTF examples based on bug bounty findings, exploitation concepts, and pure creativity.

Setup for a physical device

  1. Download the latest debug or release injuredandroid.apk from the releases.
  2. Enable USB debugging on your Android test phone.
  3. Connect your phone to your PC with a USB cable.
  4. Install via adb: adb install InjuredAndroid.apk. Note: you need to use the absolute path to the .apk file or be in the same directory.

Setup for an Android Emulator using Android Studio

  1. Download the apk file.
  2. Start the emulator from Android Studio (I recommend downloading an emulator with Google APIs so root adb can be enabled).
  3. Drag and drop the .apk file on the emulator and InjuredAndroid.apk will install.

Build from source

Build steps in progress. The flutter module makes this slightly more complicated.

Tips and CTF Overview

Decompiling the Android app is highly recommended.

  • XSSTEST is just for fun and to raise awareness on how WebViews can be made vulnerable to XSS.
  • The login flags just need the flag submitted.
  • The flags without a submit that demonstrate concepts will automatically register in the "Flags Overview" Activity.
  • The exclamatory buttons on the bottom right will give users up to three tips for each flag.

Good luck and have fun! :D

Spoilers

Looking at the source code of the applications in the InjuredAndroid directory, the InjuredAndroid-FlagWalkthroughs.md file, or the binary source code in the Binaries directory will spoil some if not all of the CTF challenges.

Full guide: https://github.com/B3nac/InjuredAndroid

pbtk - A toolset for reverse engineering and fuzzing Protobuf-based apps

pbtk - Reverse engineering Protobuf apps. Protobuf is a serialization format developed by Google and used in an increasing number of Android, web, desktop, and more applications. It consists of a language for declaring data structures, which is then compiled to code or another kind of structure depending on the target implementation.

pbtk (Protobuf toolkit) is a full-fledged set of scripts, accessible through a unified GUI, that provides two main features:

  • Extracting Protobuf structures from programs, converting them back into readable .protos, supporting various implementations:
    • All the main Java runtimes (base, Lite, Nano, Micro, J2ME), with full Proguard support,
    • Binaries containing embedded reflection metadata (typically C++, sometimes Java and most other bindings),
    • Web applications using the JsProtoUrl runtime.
  • Editing, replaying and fuzzing data sent to Protobuf network endpoints, through a handy graphical interface that allows you to edit live the fields for a Protobuf message and view the result.

Installation

PBTK requires Python ≥ 3.5, PyQt 5, Python-Protobuf 3, and a handful of executable programs (chromium, jad, dex2jar...) for running extractor scripts.

Archlinux users can install directly through the package:

$ yaourt -S pbtk-git
$ pbtk

On most other distributions, you'll want to run it directly:

# For Ubuntu/Debian testing derivatives:
$ sudo apt install python3-pip git openjdk-9-jre libqt5x11extras5

$ sudo pip3 install protobuf pyqt5 pyqtwebengine requests websocket-client

$ git clone https://github.com/marin-m/pbtk
$ cd pbtk
$ ./gui.py

Windows is also supported (with the same modules required). Once you run the GUI, it should warn you on what you are missing depending on what you try to do.

Command line usage

The GUI can be launched through the main script:

./gui.py

The following scripts can also be used standalone, without a GUI:

./extractors/jar_extract.py [-h] input_file [output_dir]
./extractors/from_binary.py [-h] input_file [output_dir]
./extractors/web_extract.py [-h] input_url [output_dir]

Typical workflow

Let's say you're reverse engineering an Android application. You explored a bit the application with your favorite decompiler, and figured it transports Protobuf as POST data over HTTPS in a typical way.

You open PBTK and are greeted in a meaningful manner:

The first step is getting your .protos into text format. If you're targeting an Android app, dropping in an APK and waiting should do the magic work! (unless it's a really exotic implementation)

This being done, you jump to ~/.pbtk/protos/<your APK name> (either through the command line, or the button on the bottom of the welcome screen to open your file browser, the way you prefer). All the app's .protos are indeed here.

Back in your decompiler, you stumbled upon the class that constructs data sent to the HTTPS endpoint that interests you. It serializes the Protobuf message by calling a class made of generated code.

This latter class should have a perfect match inside your .protos directory (i.e. com.foo.bar.a.b will match com/foo/bar/a/b.proto). Either way, grepping its name should enable you to reference it.

That's great: the next thing is going to Step 2, selecting your desired input .proto, and filling some information about your endpoint.

You may also give some sample raw Protobuf data, that was sent to this endpoint, captured through mitmproxy or Wireshark, and that you'll paste in a hex-encoded form.

Step 3 is about the fun part of clicking buttons and seeing what happens! You have a tree view representing every field in the Protobuf structure (repeated fields are suffixed by "+", required fields don't have checkboxes).

Just hover a field to have focus. If the field is an integer type, use the mouse wheel to increment/decrement it. Enum information appears on hover too.

Here it is! You can determine the meaning of every field with that. If you extracted .protos out of minified code, you can rename fields according to what you notice they mean, by clicking their names.

Happy reversing! 👌 🎉
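As an added illustration (not pbtk's code), the decoder below parses the hex-encoded raw Protobuf data mentioned above without any .proto, recovering what the tree view shows before names are applied: field numbers, wire types and raw values. The sample bytes are constructed, and the nested-message guess is this example's own heuristic.

```python
"""Added example, not pbtk's own code: a dependency-free decoder for the raw
Protobuf wire format that pbtk's transports accept as hex strings. Without a
.proto it can only recover field numbers, wire types and raw values; the
extracted .protos are what add names and real types on top of that."""
from typing import Any, Dict, List, Optional

# Wire types defined by the Protobuf encoding; groups (3 and 4) are
# deprecated and rejected here.
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def read_varint(data: bytes, pos: int):
    """Decode a base-128 varint starting at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_message(data: bytes, nested: bool = True) -> List[Dict[str, Any]]:
    """Split a serialized message into its fields, in wire order."""
    fields: List[Dict[str, Any]] = []
    pos = 0
    while pos < len(data):
        tag, pos = read_varint(data, pos)
        field_number, wire_type = tag >> 3, tag & 0x7
        if field_number == 0:
            raise ValueError("field number 0 is reserved")
        entry: Dict[str, Any] = {"field": field_number, "wire_type": wire_type}
        if wire_type == VARINT:
            entry["value"], pos = read_varint(data, pos)
        elif wire_type in (FIXED64, FIXED32):
            size = 8 if wire_type == FIXED64 else 4
            if pos + size > len(data):
                raise ValueError("truncated fixed-width field")
            entry["value"] = int.from_bytes(data[pos:pos + size], "little")
            pos += size
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(data, pos)
            if pos + length > len(data):
                raise ValueError("truncated length-delimited field")
            chunk = bytes(data[pos:pos + length])
            pos += length
            entry["value"] = chunk
            if nested:
                # Heuristic: bytes that parse cleanly as a message are shown as
                # one; strings usually do not, but this guess can be wrong.
                entry["nested"] = try_nested(chunk)
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append(entry)
    return fields


def try_nested(chunk: bytes) -> Optional[List[Dict[str, Any]]]:
    """Return the fields of chunk if it decodes as a message, else None."""
    if not chunk:
        return None
    try:
        return decode_message(chunk, nested=False)
    except ValueError:
        return None


def decode_hex(sample: str) -> List[Dict[str, Any]]:
    """Entry point for the hex-encoded form captured via a proxy or Wireshark."""
    return decode_message(bytes.fromhex("".join(sample.split())))


def is_well_formed(sample: str) -> bool:
    """True when the whole hex sample decodes without truncation or bad tags."""
    try:
        decode_hex(sample)
        return True
    except ValueError:
        return False


# Constructed sample: field 1 = varint 150, field 2 = "testing",
# field 3 = embedded message { field 1 = varint 1 }.
SAMPLE_HEX = "08 96 01 12 07 74 65 73 74 69 6e 67 1a 02 08 01"

if __name__ == "__main__":
    for field in decode_hex(SAMPLE_HEX):
        print(field)
```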

Local data storage

PBTK stores extracted .proto information into ~/.pbtk/protos/ (or %APPDATA%\pbtk\protos on Windows).

You can move in, move out, rename, edit or erase data from this directory directly through your regular file browser and text editor, it's the expected way to do it and won't interfere with PBTK.

HTTP-based endpoints are stored into ~/.pbtk/endpoints/ as JSON objects. These objects are arrays of pairs of request/response information, which looks like this:

[{
    "request": {
        "transport": "pburl",
        "proto": "www.google.com/VectorTown.proto",
        "url": "https://www.google.com/VectorTown",
        "pb_param": "pb",
        "samples": [{
            "pb": "!....",
            "hl": "fr"
        }]
    },
    "response": {
        "format": "other"
    }
}]

Source code structure

PBTK uses two kinds of pluggable modules internally: extractors, and transports.

  • An extractor supports extracting .proto structures from a target Protobuf implementation or platform.

Extractors are defined in extractors/*.py. They are defined as a method preceded by a decorator, like this:

@register_extractor(name = 'my_extractor',
                    desc = 'Extract Protobuf structures from Foobar code (*.foo, *.bar)',
                    depends={'binaries': ['foobar-decompiler']})
def my_extractor(path):
    # Load contents of the `path` input file and do your stuff...
    
    # Then, yield extracted .protos using a generator:
    for i in do_your_extraction_work():
        yield proto_name + '.proto', proto_contents
    
    # Other kinds of information can be yielded, such as endpoint information or progress to display.

  • A transport supports a way of deserializing, reserializing and sending Protobuf data over the network. For example, the most commonly used transport is raw POST data over HTTP.

Transports are defined in utils/transports.py. They are defined as a class preceded by a decorator, like this:

# register_transport is pbtk's own decorator (see utils/transports.py);
# requests is one of the dependencies installed above.
from requests import post

# Example headers; adjust to whatever your endpoint expects.
USER_AGENT = {'User-Agent': 'pbtk'}

@register_transport(
    name = 'my_transport',
    desc = 'Protobuf as raw POST data',
    ui_data_form = 'hex strings'
)
class MyTransport():
    def __init__(self, pb_param, url):
        self.pb_param = pb_param
        self.url = url
    
    def serialize_sample(self, sample):
        # We got a sample of input data from the user.
        # Verify that it is valid in the form described through the "ui_data_form" parameter; fail with an exception or return False otherwise.
        # Optionally modify this data prior to returning it.
        bytes.fromhex(sample)  # raises ValueError on malformed hex
        return sample
    
    def load_sample(self, sample, pb_msg):
        # Parse input data into the provided Protobuf object.
        pb_msg.ParseFromString(bytes.fromhex(sample))
    
    def perform_request(self, pb_data, tab_data):
        # Perform a request using the stored URL and Protobuf object, and optionally other transport-specific side data.
        return post(self.url, pb_data.SerializeToString(), headers=USER_AGENT)

Forthcoming improvements

The following could be coming for further releases:

  • Finishing the automatic fuzzing part.
  • Support for extracting extensions out of Java code.
  • Support for the JSPB (main JavaScript) runtime.
  • If there's any other platform you wish to see supported, just drop an issue and I'll look at it.

I've tried to do my best to produce thoroughly readable and commented code (except for parts that are mostly self-describing, like connecting GUI signals) for most modules, so you can contribute.

Licensing

As pbtk uses PyQt, it is released under the GNU GPL license (I, hereby, etc.) I would likely have chosen something public domain-like otherwise.

There's no formalized rule for the letter case of the project name, the rule is just about following your heart ❤

More: https://github.com/marin-m/pbtk

Bramble - hacking Open source suite.

Bramble software has been designed for the bramble project. It incorporates many pentesting and IT security features. It's easy to use and completely editable. It lets beginners learn to hack and gives more experienced users customizable plug-and-play hacking tools, so they can add their own code quickly.

♣ Contribute

Bramble is an open-source project to which you can contribute! If you develop some features, don't be shy: share them with us. We will work together to implement them on the platform.

How it works

Bramble is based mainly on C++, but you can easily add code written in another language. If you don't like C++ (that would be a mistake ^^) it doesn't really matter, because I offer some templates to help you and save your time. I try to put lots of comments in my code and I add links to online classes/articles to give a better understanding of how the code works. Finally, for each feature, I wrote a help file with step-by-step information about how to use it.

📚 Menu

🎓 Current work:

     0. Cryptography
        -Encrypt file
        -Decrypt file
     1. Steganography
        -Hide a file in a file
        -Get a hidden file
     2. Forensic Tools
        -Restore all deleted files
        -Restore specific type of files
        -Erase permanently a file/folder
     3. Wifi jammer/deauther
        -Deauth user(s) from a network (connection not required, monitor mode required)
        -Deauth user(s) from your network (connection required, monitor mode not required)
     4. Evil twin
        -Fluxion custom version for bramble
     5. Key cloner
        -Copy a USB storage to another USB key
        -Copy a USB storage to internal storage
        -Copy only some types of files
     6. Gain access
        -Bruteforce ssh
        -Network backdoor
     7. Sniffer
        -Unencrypted passwords
        -Website's names
        -Detect sniffing attack (by arp poisoning)
        -Read a previous report (sniffing, scan, detection)
     8. Tools
        -Enable/Disable the web interface
        -Erase permanently a file/folder
        -Password generator from file
        -Scan a network
        -ARP scanner
        -Change mac address
     9. Settings
        -Unmount a USB device
        -Display ip address
        -Switch to light/classic menu

⏳ Coming soon:

     10. Wifi Attack
        -WPS attack
     11. Fake access point
        -Sniffing
        -Phishing?
     12. Sniffer
        -Password sniffer
        -Website sniffer
        -Custom sniffer

🌐 Requirements

As of today, this software works only in the Bramble environment. It may become compatible with other devices powered by Kali Linux.

👍 Credits

App

Fluxion

Pentest

Édouard Huon

🔳 Screenshots

Download: https://github.com/marcrowProject/Bramble/wiki


t14m4t - Automated brute-forcing attack tool.


t14m4t is an automated brute-forcing attack tool, a wrapper around THC-Hydra and Nmap Security Scanner.

t14m4t scans a user-defined target (or a file containing targets) for open ports of the services it supports, then starts a brute-forcing attack against the services running on the discovered ports, using lists of the most commonly used weak credentials.

Installation:

The installation consists of cloning the repo and making t14m4t executable. THC-Hydra and Nmap Security Scanner are required in order to run t14m4t.

# git clone https://github.com/MS-WEB-BN/t14m4t/
# cd t14m4t
# sudo chmod +x t14m4t

Usage:

The only parameter t14m4t requires is the target identification (obviously). The target parameter can also be a file, with one target per line. The number of threads is an optional parameter, ranging from 1 to 64. If it is not given, t14m4t runs the attack with 16 threads (the default).

# ./t14m4t <target> <number of threads>

Example:

# ./t14m4t 192.168.0.1 32
# ./t14m4t /targets/targetlist.txt 32

Supported services:

FTP | SSH | Telnet | SMTP | HTTP | POP3 | SMB | SNMP | LDAP | HTTPS | rexec | rlogin | rsh | IMAP | mssql | mysql | postgres | oracle | RDP | VNC | IRC

License:

The software is free to use, modify, and distribute, as long as the credit is given to the creator (n1x_ [MS-WEB]).

Disclaimer:

Any actions and/or activities performed using t14m4t are solely your responsibility. The misuse of t14m4t can result in criminal charges brought against the persons in question. The author will not be held responsible in the event that any criminal charges are brought against any individuals misusing t14m4t to break the law.


Download and support author: https://github.com/MS-WEB-BN/t14m4t



ADB-Toolkit - Tool for testing your android device and hack someone android phone


ADB-Toolkit is a Bash script with 28 options plus a Metasploit section with 6 more options, made to make penetration testing of Android devices easy. You can do pretty much anything with this script and test whether your Android device is safe or not. This script is built with the help of ADB (Android Debug Bridge), a tool developers use for debugging Android devices; but, as we know, everything has two sides, a good one and a bad one. I'm not telling you to do bad things: we don't do illegal things, or the FBI will find you 😂😂.

(Don't use with wrong intentions) 🤘🤘

Note: I'm not responsible for anything you do to anyone with this tool; it does not come under my responsibility.

METASPLOIT SECTION: 😎 This section consists of scripts related to Metasploit payloads: you can create a payload, install it and launch it without even touching the phone, and you know the power of Metasploit.

Changelogs

Changelog v2.32

Added version checking code
Really big bug fixes
Wiki in the making

Changelog V2.3

Added multi-device support (now 3 devices)
Added support for Arch, Fedora, CentOS
Added option to restart the ADB server or not at the beginning of the script
Added option to clear the screen when a specific option has finished executing
Fixed the Exit option (was not working)
Simplified the remote connection establishment
Fixed hundreds of bugs
Specified the directories for pulling the data
Made the script executable from anywhere in the shell (fixed)

Changelog V2.1

Added Metasploit Section

Added option to restart the ADB server or not at the beginning of the script

Added 7 more options :-
1. COPY ALL DEVICE STORAGE
2. COPY A SPECIFIED FILE OR FOLDER
3. PUT A FILE IN VICTIMS DEVICE 
4. LAUNCH AN APPLICATION
5. CHECK IS PHONE ROOTED OR NOT
6. HANG THE PHONE ( Rooted Phone )
7. SEND SMS FROM THE PHONE

Fixed the remote connection not establishing
Made the script executable from anywhere in the shell

Prerequisite

Before using this tool you must enable USB debugging in the developer settings of the Android settings; then you are good to go.

1. Go to Settings
2. Go to About device/tablet
3. Tap Build Number 7 times
4. Developer options will appear
5. Go to Developer options
6. Search for USB Debugging & Install via USB
7. Turn those settings on

Installation

I suggest reinstalling the toolkit, or running git pull, for every new release.

git clone https://github.com/ASHWIN990/ADB-Toolkit.git

cd ADB-Toolkit

sudo chmod +x install.sh

sudo ./install.sh -i

or

sudo bash install.sh -i

Usage

sudo ./ADB-Toolkit.sh 

or you can do

sudo bash ADB-Toolkit.sh

or, from anywhere in the shell, you can also do

sudo adb-toolkit

ADB-Toolkit Screenshot

Metasploit Section Screenshot

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

More: https://github.com/ASHWIN990/ADB-Toolkit



hackerEnv - automation tool that quickly and easily sweep IPs and scan ports, vulnerabilities and exploit them


hackerEnv is an automation tool that quickly and easily sweeps IPs, scans ports, finds vulnerabilities, and exploits them. Then it hands you an interactive shell for further testing. It also generates HTML and Docx reports. It uses other tools such as Nmap, Nikto, Metasploit and hydra. It works in Kali Linux and Parrot OS. Do not run it in Qterminal; it works in gnome-terminal, terminator, and tmux. I am adding features and vulnerability exploits consistently. Also, soon there will be a GUI version. This tool was NOT coded by a professional, "I do not know what I am doing". By running this program, you are agreeing NOT to run it against any public, corporate or unauthorized networks. Perform tests only when you have the authorization to do so. Greetz to @R2k4n

Update Kali/Parrot

apt update; apt upgrade -y

Download hackerEnv

cd /opt/
git clone https://github.com/abdulr7mann/hackerEnv.git
cd /opt/hackerEnv
chmod +x hackerEnv

If you want to use it anywhere on the system, create a shortcut using:

ln -s /opt/hackerEnv/hackerEnv /usr/local/bin/

Usage:

Usage:
    hackerEnv <flag> <argument>

Examples:
    hackerEnv -t 10.10.10.10
    hackerEnv -t "10.10.10.10\n20.20.20.20"
    hackerEnv -t 10.10.10.10 -i eth0
    hackerEnv -i eth0 -s 24
    hackerEnv -s 24
    
Flags:
    hackerEnv -h, --help          Display this help message.
    hackerEnv --update            Update tool.
    hackerEnv                     Scan the entire network.
    hackerEnv -t                  Pass a specific target's IP.
    hackerEnv -t                  Pass multiple targets' IPs, e.g. hackerEnv -t "10.10.10.10\n20.20.20.20"
    hackerEnv -i                  To specify an interface.
    hackerEnv -a                  Pass attacker's IP.
    hackerEnv -s                  To specify the subnet prefix length, 24 or 23 etc. (exclude the /)
    hackerEnv -e, --aggressive    Enable aggressive port scan
    hackerEnv -oA                 Generate report in HTML and DOCX format

Visit page: https://github.com/abdulr7mann/hackerEnv

In Gnome terminal

In tmux

Report

