Aug 26, 2015

Tools: Static Code Analysis for Smali

Dynamic program analysis will give you a pretty good overview of your application's activities and general behaviour. However, sometimes you'll want to analyze your application without running it. You'll want to have a look at its components, analyze how they interact and how data is tainted from one point to another. This was the major factor driving the development of smalisca. There are indeed some good reasons for a static code analysis before the dynamic one. Before interacting with the application I like to know how the application has been built, whether there is any API, and to generate all sorts of call flow graphs. In fact, graphs have been very important to me since they visualize things. Instead of jumping from file to file, from class to class, I just look at the graphs.
While graph building has been an important reason for me to write such a tool, smalisca has some other neat features you should read about.

Source:: https://github.com/dorneanu/smalisca

Aug 25, 2015

Tools: dnSpy - .NET decompiler

dnSpy is a .NET assembly editor, decompiler, and debugger forked from ILSpy.

Source:: https://github.com/0xd4d/dnSpy

Aug 24, 2015

Howto: Install Metasploit 4.0.5 on Ubuntu 14.04

1. Install and update the required packages
$ apt-get update && apt-get upgrade -y
$ apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev ruby-dev

2. Get Metasploit
$ git clone https://github.com/rapid7/metasploit-framework

3. Install Ruby and the bundler gem
$ cd metasploit-framework/
$ apt-get install ruby ruby-dev
$ gem install bundler

4. Install RVM
$ gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
$ \curl -sSL https://get.rvm.io | bash -s stable --ruby

5. Use Ruby 2.2.3
$ source /usr/local/rvm/scripts/rvm
$ rvm install ruby-2.2.3
$ rvm use --default 2.2.3

6. Install the gems with Bundler
$ gem install bundle bundler
$ gem install ffi -v '1.9.8'
$ gem install nokogiri -v '1.6.6.2'
$ gem install metasploit-concern -v '1.0.0'
$ bundle install

7. Done.
$ ./msfconsole

Aug 23, 2015

Tools: Exe2Image

A simple utility to convert EXE files to JPEG images and vice versa.

Source:: https://github.com/OsandaMalith/Exe2Image

Howto: Install VMware Tools in Kali Linux 2

1. Update the package list and upgrade installed packages
$ apt-get update && apt-get upgrade -y

2. Install the Linux kernel headers
$ apt-get install -y linux-headers-$(uname -r)

3. Install VMware Tools
- mount the VMware Tools ISO by clicking "Install VMware Tools..." in the VM menu
- copy the file VMwareTools-9.9.3-2759765.tar.gz to your Kali VM
$ tar -xf VMwareTools-9.9.3-2759765.tar.gz
$ cd vmware-tools-distrib
$ perl vmware-install.pl -d

Aug 21, 2015

Tools: CrackMapExec - pentesting Windows/Active Directory tool

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments!
From enumerating logged on users and spidering SMB shares to executing psexec style attacks and auto-injecting Mimikatz into memory using PowerShell!
The biggest improvements over the above tools are:
  • Pure Python script, no external tools required
  • Fully concurrent threading
  • Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc...
  • Opsec safe (no binaries are uploaded to dump clear-text credentials)
Requires the impacket, gevent and netaddr Python libraries.

Source:: https://github.com/byt3bl33d3r/CrackMapExec

Tools: BinNavi - binary analysis IDE

BinNavi is a binary analysis IDE - an environment that allows users to inspect, navigate, edit, and annotate control-flow-graphs of disassembled code, do the same for the callgraph of the executable, collect and combine execution traces, and generally keep track of analysis results among a group of analysts.

Source:: https://github.com/google/binnavi

CheatSheet: LFCS (Linux Foundation Certified System Admin)

Domain                       Detail                                                  Command
---------------------------  ------------------------------------------------------  ------------------------------------------------------------------------------
Command-line                 Editing text files on the command line                  vim, nano
                             Editing text files on the command line                  cat, grep, tr, cut, awk, head, tail, echo
Filesystem & storage         Archiving and compressing files and directories         tar, gzip, xz, gunzip, bz2
                             Assembling partitions as LVM devices                    pvcreate, vgcreate, lvcreate, lvextend
                             Configuring swap partitions                             mkswap, swapon, swapoff
                             File attributes                                         chmod, chattr, chown
                             Finding files on the filesystem                         find, grep
                             Formatting filesystems                                  mkfs series
                             Mounting filesystems automatically at boot time         /etc/fstab
                             Mounting networked filesystems                          mount, /etc/fstab and the nfs-client package
                             Partitioning storage devices                            fdisk
                             Troubleshooting filesystem issues                       fsck
Local system administration  Creating backups                                        cp, rsync
                             Creating local user groups                              useradd, adduser, groupadd, addgroup
                             Managing file permissions                               chmod, chattr, chown
                             Managing fstab entries                                  /etc/fstab
                             Managing local user accounts                            usermod, passwd
                             Managing the startup process and related services       /etc/rc.local, /etc/rc*.d
                             Managing user accounts                                  usermod, passwd
                             Managing user account attributes                        usermod, passwd
                             Managing user processes                                 /etc/security/limits.conf, ulimit
                             Restoring backed up data                                tar, gzip, xz, gunzip, bz2
                             Setting file permissions and ownership                  chmod, chattr, chown
Local security               Accessing the root account                              su, sudo
                             Using sudo to manage access to the root account         sudo
Shell scripting              Basic bash shell scripting                              if, else, expr, while, for, ${#string}, ${name:0:n}, $0, $1, $2, $#, $*
Software management          Installing software packages                            apt-get, dpkg, rpm, yum

Tools: Whonix - Anonymous OS

Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.
Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.

Source:: https://www.whonix.org/wiki/Main_Page

Aug 18, 2015

Howto: Set up a MITM lab on a WiFi network (by Hackers Online Club)

Source:: http://blog.hackersonlineclub.com/2015/08/snifflab-setup-your-own-mitm-packet.html

Setting up a SNIFFLAB
Scripts to create your own MITM'ing, packet-sniffing WiFi access point.

Firewall rules on the DD-WRT router to send traffic to the MITM proxy box

Make sure the network interface (vlan1 here) is correct. The first rule accepts, and therefore leaves unmarked, port 80/443 traffic coming from the proxy itself, so the proxy's own outbound connections are not routed back to it in a loop; the second rule marks all other traffic to ports 80 and 443 with fwmark 3, and the ip rule/ip route pair sends marked packets to the proxy through routing table 2.

PROXYIP=your.proxy.ip
iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s $PROXYIP
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443
ip rule add fwmark 3 table 2
ip route add default via $PROXYIP dev vlan1 table 2

PCAP machine scripts

/etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual
iface eth1 inet manual

allow-hotplug wlan0
iface wlan0 inet dhcp
    wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

# bond-mode 3 = broadcast; the sniffer captures on bond0, which carries the traffic of both eth0 and eth1
auto bond0
iface bond0 inet dhcp
    bond-mode 3
    bond-miimon 100
    slaves eth0 eth1

/etc/wpa_supplicant/wpa_supplicant.conf

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    # SSID of the lab access point
    ssid=""
    # either the 64-hex PSK produced by wpa_passphrase (unquoted, as here) or the passphrase in double quotes
    psk=hashofyourpassword
    proto=RSN
    key_mgmt=WPA-PSK
    # TKIP is deprecated; CCMP is the usual pairwise cipher for WPA2 (RSN)
    pairwise=TKIP
    auth_alg=OPEN
}

Getting the network running correctly on boot

/etc/init.d/network.sh

#!/bin/sh
### BEGIN INIT INFO
# Provides: network.sh
# Short-Description: Ensure WiFi as well as Ethernet interfaces are up
# Description:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
### END INIT INFO
sudo ifplugd eth0 --kill
sudo ifup wlan0
sudo ifup eth0
sudo ifup eth1
sudo ifconfig eth1 promisc
sudo ifconfig eth0 promisc
exit 0

Start capturing packets on startup -- create a sniffer service

/etc/init/sniffer.conf

#sniffer.conf
start on runlevel [2345]
stop on runlevel [016]

script
cd /home/pi/snifflab
exec python sniffer.py -i bond0 -s 100 -t 1200
end script

MITM proxy service

mitm.conf

start on filesystem

script
sudo iptables -A PREROUTING -t nat -i em1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 4567
SSLKEYLOGFILE=/var/log/mitmkeys.log
export SSLKEYLOGFILE
echo "MITM Keys being logged here: $SSLKEYLOGFILE"
exec mitmdump -T --host --conf=/etc/mitmproxy/common.conf
end script
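Before feeding a capture and its key log to Wireshark it is worth checking that the file mitmdump wrote to $SSLKEYLOGFILE is usable. The following is an added example, not part of the snifflab scripts or of mitmproxy: a small Python checker for the NSS key log format (one hex-encoded "LABEL client_random secret" line per session), assuming mitmproxy writes that format when SSLKEYLOGFILE is set, which is also the format Wireshark's TLS dissector reads. The sample log, the script name keylog_check.py and the label set are constructed for this example.

```python
import re
import sys
from collections import Counter

# One NSS key log line: "<LABEL> <client_random: 32 bytes hex> <secret: hex>".
LINE_RE = re.compile(r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$")

# CLIENT_RANDOM carries the TLS 1.2 master secret (48 bytes); the TLS 1.3 labels carry
# a secret the size of the cipher suite's hash (32 bytes for SHA-256, 48 for SHA-384).
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}


def parse_keylog(text):
    """Parse key log text into (entries, problems).

    entries:  list of (label, client_random, secret), hex lower-cased
    problems: list of (line_number, reason) for lines Wireshark would not use
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, "malformed line"))
            continue
        label = m.group("label")
        secret = m.group("secret").lower()
        if label == TLS12_LABEL and len(secret) != 96:
            problems.append((lineno, "CLIENT_RANDOM secret is not 48 bytes"))
        elif label in TLS13_LABELS and len(secret) not in (64, 96):
            problems.append((lineno, f"{label} secret has unexpected length"))
        elif label != TLS12_LABEL and label not in TLS13_LABELS:
            problems.append((lineno, f"unknown label {label}"))
        else:
            entries.append((label, m.group("random").lower(), secret))
    return entries, problems


def summarize(entries):
    """Count distinct sessions and labels, and flag a client random logged with two
    different secrets under the same label (a corrupted or wrongly concatenated log)."""
    secrets_by_session = {}
    conflicts = []
    for label, rnd, secret in entries:
        seen = secrets_by_session.setdefault(rnd, {})
        if label in seen and seen[label] != secret:
            conflicts.append((rnd, label))
        seen.setdefault(label, secret)   # keep the first secret seen for this label
    return {
        "sessions": len(secrets_by_session),
        "labels": Counter(label for label, _, _ in entries),
        "conflicts": conflicts,
    }


# Constructed sample log (not a real capture): two sessions, one duplicated line,
# one conflicting master secret, one malformed line and one unknown label.
R1, R2 = "aa" * 32, "cc" * 32
SAMPLE_LOG = "\n".join([
    "# constructed sample, not a real capture",
    f"CLIENT_RANDOM {R1} {'bb' * 48}",
    f"CLIENT_RANDOM {R1} {'bb' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {R2} {'dd' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {R2} {'ee' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {R2} {'ff' * 32}",
    f"CLIENT_RANDOM {R2} {'11' * 48}",
    f"CLIENT_RANDOM {R2} {'22' * 48}",
    "CLIENT_RANDOM deadbeef short",
    f"SOMETHING_ELSE {R1} {'33' * 48}",
])


def main(argv):
    # Usage: python keylog_check.py [/var/log/mitmkeys.log]; without a path the sample is checked.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    entries, problems = parse_keylog(text)
    report = summarize(entries)
    print(f"{report['sessions']} sessions, labels: {dict(report['labels'])}")
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
    for rnd, label in report["conflicts"]:
        print(f"conflict: {label} logged with different secrets for client random {rnd[:16]}...")
    return 1 if problems or report["conflicts"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means the log has lines Wireshark will skip or a session whose secret was recorded twice with different values; in the latter case Wireshark decrypts with whichever entry it picks, so the capture for that session may stay opaque even though the log "has" a key for it.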

Script to back up pcaps to the local machine

#!/bin/bash
# Pull the captured pcaps and the TLS key log from the sniffer box to this machine.
remote_server=yourservername       # SSH host (or user@host) of the PCAP machine
pcap_dir=/pcaps
keylogfile=/var/log/mitmkeys.log
local_dir=~/Documents/snifflab

mkdir -p "$local_dir"
# copies the remote /pcaps directory into $local_dir/pcaps
rsync -a "$remote_server:$pcap_dir" "$local_dir"
scp "$remote_server:$keylogfile" "$local_dir/"