May 15, 2015

Tools: WS-Attacker - Web Services Pentest Tool

WS-Attacker is a modular framework for web services penetration testing. It is developed by the Chair of Network and Data Security, Ruhr University Bochum, and 3curity GmbH.


Tools: PACK - A collection of utilities for the analysis of password lists

PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in the analysis of password lists, in order to make password cracking more effective through detection of masks, rules, character sets and other password characteristics. The toolkit generates valid input files for the Hashcat family of password crackers.
NOTE: The toolkit itself does not crack passwords; it is designed to make the operation of password crackers more efficient.
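The mask analysis described above, as an added example written for this page rather than PACK's own statsgen code: every password is reduced to a hashcat mask (?l lower, ?u upper, ?d digit, ?s special), the masks are ranked by frequency, and the most frequent ones are selected until they cover a chosen share of the list, skipping masks whose keyspace is too large to be worth running. SAMPLE_PASSWORDS is a constructed list; the charset sizes are hashcat's built-in charsets.

```python
"""Mask statistics over a password list, the kind of analysis PACK's statsgen
performs so that productive hashcat masks can be derived from passwords that
were already cracked. Added example, not PACK's code; SAMPLE_PASSWORDS is
constructed and CHARSET_SIZE holds hashcat's built-in charset sizes."""
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed sample of "cracked" passwords; a real run reads a wordlist file.
SAMPLE_PASSWORDS = [
    "monkey12", "Welcome1", "password", "dragon12", "Summer2015",
    "Letmein1", "Passw0rd!", "tigers99", "iloveyou", "123456",
]

# Candidate count per hashcat charset token (?s is hashcat's 33 specials).
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}


def mask_char(c: str) -> str:
    """Map one character to a hashcat charset token."""
    if "a" <= c <= "z":
        return "?l"
    if "A" <= c <= "Z":
        return "?u"
    if "0" <= c <= "9":
        return "?d"
    return "?s"  # punctuation, space and non-ASCII are all lumped into ?s here


def password_mask(pw: str) -> str:
    return "".join(mask_char(c) for c in pw)


def mask_stats(passwords: Iterable[str]) -> List[Tuple[str, int]]:
    """(mask, count) pairs, most frequent first; empty lines are skipped."""
    return Counter(password_mask(p) for p in passwords if p).most_common()


def mask_keyspace(mask: str) -> int:
    """Number of candidates hashcat tries for this mask in attack mode 3."""
    keyspace = 1
    for i in range(0, len(mask), 2):
        keyspace *= CHARSET_SIZE[mask[i:i + 2]]
    return keyspace


def top_masks(passwords: Iterable[str], coverage: float = 0.5,
              max_keyspace: Optional[int] = None) -> List[str]:
    """Most frequent masks until `coverage` of the list is explained.
    Masks whose keyspace exceeds max_keyspace are skipped: a mask that
    matches many passwords is useless if it takes months to exhaust."""
    passwords = [p for p in passwords if p]
    total = len(passwords)
    chosen: List[str] = []
    seen = 0
    for mask, count in mask_stats(passwords):
        if max_keyspace is not None and mask_keyspace(mask) > max_keyspace:
            continue
        chosen.append(mask)
        seen += count
        if seen >= coverage * total:
            break
    return chosen


def hcmask_lines(masks: Iterable[str]) -> str:
    """Contents of a .hcmask file, one mask per line, for `hashcat -a 3 masks.hcmask`."""
    return "".join(f"{m}\n" for m in masks)


if __name__ == "__main__":
    for mask, count in mask_stats(SAMPLE_PASSWORDS):
        print(f"{count:3d}  {mask:<24} keyspace={mask_keyspace(mask):,}")
    print(hcmask_lines(top_masks(SAMPLE_PASSWORDS, coverage=0.5)), end="")
```

The keyspace filter is the part worth copying: on the sample list the most common mask (?l?l?l?l?l?l?d?d) has a keyspace of about 3.1e10, which is fine on a GPU rig but not on a laptop, and the only mask under 1e9 candidates is the all-digit one.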


Tools: Bacula - Open Source Network Backup Solution

Bacula is a set of Open Source computer programs that permit you (or the system administrator) to manage backup, recovery, and verification of computer data across a network of computers of different kinds. Bacula is relatively easy to use and very efficient, while offering many advanced storage management features that make it easy to find and recover lost or damaged files. In technical terms, it is an Open Source, network-based backup program.
According to SourceForge statistics (rank and downloads), Bacula is by far the most popular Open Source backup program.


May 14, 2015

Howto: Install Windows 10 or 8 without Product Key

  1. After downloading the Windows 10 or 8 ISO image, write it to a USB flash drive with the freeware ISO2Disc. USB installation media is easiest, because you can then edit the files directly on the drive; if you keep an ISO file, you have to modify the files inside the image before burning it to disc.
  2. Open the USB installation drive and go to the sources folder. Look for the file ei.cfg and open it in a text editor such as Notepad. If the file does not exist, create a new text document and rename it ei.cfg.
  3. Clear anything already in ei.cfg, paste the following into it and save:
[EditionID]

    Now boot from the USB drive and choose Skip when you are prompted to enter the product key.


May 13, 2015

Tools: commix - Automated All-in-One OS Command Injection and Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and can be used by web developers, penetration testers or security researchers to test web applications for bugs, errors or vulnerabilities related to command injection attacks. With this tool it is very easy to find and exploit a command injection vulnerability in a given parameter or string. Commix is written in Python.


Tools: race-condition-exploit

Tool to help with the exploitation of web application race conditions


Howto: Install OpenVPN Server on Ubuntu 14.04

#### Server Side
1. Install required application
# apt-get install openvpn easy-rsa

2. Extract sample file to /etc/openvpn/
# gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

3. Edit server.conf
# vim /etc/openvpn/server.conf

Change these settings in server.conf:
- Diffie-Hellman parameters: the sample points at a 1024-bit file; change it to the 2048-bit file generated in step 7
dh dh1024.pem
becomes
dh dh2048.pem
- The VPN network handed out to clients: the sample uses
server 10.8.0.0 255.255.255.0
change it to any private network you want (the server takes the first address of that range for itself, 10.8.0.1 with the default)
- If you want clients to route their default gateway through the VPN, so that all IP traffic such as web browsing and DNS lookups goes through the tunnel, uncomment this line
;push "redirect-gateway def1 bypass-dhcp"
so it reads
push "redirect-gateway def1 bypass-dhcp"
- If you want to push a specific DNS server to clients, uncomment this line and fill in the server's IP (clients that redirect all traffic through the VPN usually need it, otherwise name resolution may stop working)
push "dhcp-option DNS <your DNS server IP>"
- Uncomment these lines so the daemon drops root privileges after initialization

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
- Optional but worth doing: uncomment the tls-auth line (tls-auth ta.key 0 on the server) and generate the shared key with
# openvpn --genkey --secret /etc/openvpn/ta.key
Clients then need a copy of ta.key and the line tls-auth ta.key 1; with it, packets that do not carry a valid HMAC are dropped before the TLS handshake even starts.

4. Enable IP forwarding on the server
# echo 1 > /proc/sys/net/ipv4/ip_forward
To keep it across reboots, uncomment the line under this comment in /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
and apply it with
# sysctl -p

5. Copy the easy-rsa scripts into the OpenVPN directory and create a folder for the generated keys
# cp -r /usr/share/easy-rsa/ /etc/openvpn
# mkdir /etc/openvpn/easy-rsa/keys

6. Edit the certificate defaults in the vars file
# vim /etc/openvpn/easy-rsa/vars
Change these values to match your location and organization (they end up in the certificate subject):

export KEY_CITY="Samsennai"
export KEY_ORG="Tester"
export KEY_EMAIL=""
export KEY_OU="Tester"
export KEY_NAME="techsuii"

Also check KEY_SIZE in the same file and make sure it is at least 2048.

7. Generate the Diffie-Hellman parameters
# openssl dhparam -out /etc/openvpn/dh2048.pem 2048

8. Initialize the PKI (Public Key Infrastructure).
# cd /etc/openvpn/easy-rsa/
# . ./vars

9. We'll clear the working directory of any possible old or example keys to make way for our new ones.
# ./clean-all

10. Build CA(Certificate Authority)
# ./build-ca

11. Generate the server certificate and key
# ./build-key-server server
*** The argument is the name of the certificate: it becomes the Common Name and the file names (server.crt and server.key under keys/). If you pick another name, use it in step 13 as well and update the cert and key lines in server.conf to match, for example
# ./build-key-server Techsuii

12. Answer the prompts and confirm with y when asked to sign the certificate and again to commit it

13. Copy the certificate and keys from the easy-rsa folder to the openvpn folder
(example: if the name you used is server)
# cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn/

14. Start OpenVPN Server
# service openvpn restart

15. Generate key per client
# cd /etc/openvpn/easy-rsa/
# ./build-key client1

16. Copy the sample client configuration into the keys folder as client.ovpn, so it can be handed out together with the client certificates
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

#### Client side
17. Copy ca.crt, client1.crt, client1.key and client.ovpn to the client (for every new client repeat steps 15-17; ca.crt and client.ovpn are the same for all clients, only the certificate and key differ). client1.key is the client's private key, so transfer it over a secure channel and keep it readable only by the user running OpenVPN.

18. Edit client.ovpn and change
remote my-server-1 1194
to your server's address
remote <your server IP or hostname> 1194
If the client was generated under a name other than "client" (client1 in step 15), also change the cert and key lines to cert client1.crt and key client1.key.

19. Install openvpn client
# apt-get install openvpn

20. Now the client and server are ready to connect; on the client run
# openvpn --config client.ovpn

21. Done

*** If you want to merge ca.crt, client1.crt and client1.key into client.ovpn, comment out the ca, cert and key lines like this
#ca ca.crt
#cert client1.crt
#key client1.key

and paste the contents of the three files into client.ovpn as inline blocks, each wrapped in the matching tag:
<ca>
(insert ca.crt here)
</ca>
<cert>
(insert client1.crt here)
</cert>
<key>
(insert client1.key here)
</key>
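The merge from step 18 onward done in code, as an added example written for this page (it is not part of the howto and not OpenVPN's own tooling): the sample client.conf gets its remote line pointed at the real server, the three file directives are dropped and the PEM files are embedded inline, and the result is checked for the mistakes that usually break a hand-built profile. SAMPLE_CLIENT_CONF is an abridged copy of the sample client.conf, the PEM bodies in SAMPLE_PEM are constructed placeholders rather than real keys, and 203.0.113.10 is a documentation address.

```python
"""Assemble and sanity-check an inline OpenVPN client profile.
Added example, not part of the howto; sample config, PEM bodies and the
server address are constructed placeholders."""
import re
from typing import Dict, List

# Abridged copy of the sample client.conf shipped with OpenVPN.
SAMPLE_CLIENT_CONF = """\
client
dev tun
proto udp
remote my-server-1 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
verb 3
"""

# Constructed stand-ins for ca.crt, client1.crt and client1.key.
SAMPLE_PEM = {
    "ca": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0E=\n-----END CERTIFICATE-----\n",
    "cert": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0xJRU5U\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtS0VZ\n-----END PRIVATE KEY-----\n",
}

INLINE_TAGS = ("ca", "cert", "key")
PEM_RX = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)


def build_inline_profile(template: str, server: str, pem: Dict[str, str],
                         port: int = 1194) -> str:
    """Return the merged .ovpn text. Commented lines (';' or '#') are kept as they are."""
    out: List[str] = []
    for line in template.splitlines():
        parts = line.split()
        directive = parts[0] if parts else ""
        if directive == "remote":
            out.append(f"remote {server} {port}")
        elif directive in INLINE_TAGS:
            continue  # replaced by the inline block appended below
        else:
            out.append(line)
    for tag in INLINE_TAGS:
        out.append(f"<{tag}>")
        out.append(pem[tag].strip())
        out.append(f"</{tag}>")
    return "\n".join(out) + "\n"


def check_profile(profile: str) -> List[str]:
    """Problems a client would trip over; an empty list means the profile is consistent."""
    problems: List[str] = []
    for tag in INLINE_TAGS:
        block = re.search(rf"^<{tag}>\n(.*?)\n</{tag}>$", profile, re.S | re.M)
        if not block:
            problems.append(f"missing <{tag}> block")
            continue
        pem = PEM_RX.fullmatch(block.group(1).strip())
        if not pem:
            problems.append(f"<{tag}> block is not a single PEM object")
            continue
        wanted = "PRIVATE KEY" if tag == "key" else "CERTIFICATE"
        if wanted not in pem.group(1):
            problems.append(f"<{tag}> block holds a {pem.group(1)}, expected {wanted}")
    if re.search(r"^(ca|cert|key) ", profile, re.M):
        problems.append("file-based ca/cert/key directive still present")
    if re.search(r"^remote my-server-\d ", profile, re.M):
        problems.append("remote still points at the sample placeholder")
    return problems


if __name__ == "__main__":
    profile = build_inline_profile(SAMPLE_CLIENT_CONF, "203.0.113.10", SAMPLE_PEM)
    print(profile, end="")
    print("problems:", check_profile(profile) or "none")
```

Two checks the script cannot do on placeholder data but that are worth running on the real files before shipping the profile: `openssl verify -CAfile ca.crt client1.crt` confirms the client certificate chains to the CA the server trusts, and comparing `openssl x509 -noout -modulus -in client1.crt | openssl md5` with `openssl rsa -noout -modulus -in client1.key | openssl md5` confirms the certificate and key belong together. Since the merged file now contains the private key, restrict it with chmod 600 on the client.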


May 12, 2015

Tools: SMBMap is a handy SMB enumeration tool

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.
Some of the features have not been thoroughly tested, so changes will be forthcoming as bugs are found. I only really find and fix the bugs while I'm on engagements, so progress is a bit slow. Any feedback or bug reports would be appreciated. It's definitely rough around the edges, but I'm just trying to pack in features at the moment. Version 2.0 should clean up the code a lot... whenever that actually happens ;). Thanks for checking it out!! Planned features include a simple remote shell (instead of the god awful PowerShell script in the examples), actual logging, shadow-copying ntds.dit automation (Win7 and up only... for now), threading, other things...


May 11, 2015

Tools: Bowcaster Exploit Development Framework

This framework, implemented in Python, is intended to aid those developing exploits by providing a useful set of tools and modules, such as payloads, encoders, connect-back servers, etc. Currently the framework is focused on the MIPS CPU architecture, but the design is intended to be modular enough to support arbitrary architectures.


Tools: Graudit - Grep rough audit - source code auditing tool

Graudit is a simple script with signature sets that lets you find potential security flaws in source code using the GNU utility grep. It's comparable to other static analysis applications like RATS, SWAAT and flawfinder while keeping the technical requirements to a minimum and being very flexible.

Graudit supports several options and tries to follow good shell practices. For a list of the options you can run graudit -h. The simplest way to use graudit is:
graudit <options> /path/to/scan


Video: BSides Boston 2015 Videos

May 10, 2015

Tools: Dockerpot A Docker Based Honeypot

What is Docker: Docker is an open source project that automates the deployment of applications inside Linux Containers, and provides the capability to package an application with its runtime dependencies into a container.


Install the necessary software

$ sudo apt-get update
$ sudo apt-get install socat xinetd auditd
$ # for installing nsenter
$ docker run --rm -v /usr/local/bin:/target jpetazzo/nsenter
Install the honeypot scripts

Copy honeypot to /usr/bin/honeypot and honeypot.clean to /usr/bin/honeypot.clean and make them executable.


Video: OWASP AppSec California 2015

Tools: Relyze - Interactive Software Analysis

Relyze lets you analyse and understand native x86 and x64 Windows software.


Tools: Autorize - Automatic Authorization Enforcement Detection (Extension for Burp Suite)

Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert at AppSec Labs. Autorize was designed to help security testers by performing automatic authorization tests.

  1. Download Burp Suite (obviously):
  2. Download the Jython standalone JAR:
  3. Open Burp -> Extender -> Options -> Python Environment -> Select File -> choose the Jython standalone JAR
  4. Install Autorize from the BApp Store, or manually:
     - Download the file.
     - Open Burp -> Extender -> Extensions -> Add -> choose the file.
  5. See the Autorize tab and enjoy automatic authorization detection :)
User Guide - How to use?
  1. After installation, the Autorize tab will be added to Burp.
  2. Open the configuration tab (Autorize -> Configuration).
  3. Get your low-privileged user authorization token header (Cookie / Authorization) and copy it into the textbox containing the text "Insert injected header here".
  4. Click on "Intercept is off" to start intercepting the traffic in order to allow Autorize to check for authorization enforcement.
  5. Open a browser and configure the proxy settings so the traffic will be passed to Burp.
  6. Browse to the application you want to test with a high privileged user.
  7. The Autorize table will show you the request's URL and enforcement status.
  8. It is possible to click on a specific URL and see the original/modified request/response in order to investigate the differences.
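What the user guide above amounts to, as an added example written for this page and not Autorize's own source: every request captured from the high-privileged session is replayed with the low-privileged user's Cookie header swapped in (and once more with no session at all), and the replayed responses are compared with the original. The verdict labels and the comparison rule in classify() are a simplification chosen here, not Autorize's exact detector, and the application served by fake_app() is constructed so the example runs offline.

```python
"""Model of the authorization-enforcement check a Burp extension like
Autorize automates. Added example; verdict rule is a simplification and
the target application is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# Constructed session tokens for the two test users.
ADMIN_COOKIE = "session=admin-7f3a"
USER_COOKIE = "session=user-19c2"


def fake_app(req: Request) -> Response:
    """Constructed target: /admin/users checks the role, /api/export does not,
    which is the missing-authorization bug the tool is meant to surface."""
    is_admin = req.headers.get("Cookie") == ADMIN_COOKIE
    if req.path == "/login":
        return Response(200, "<form>login</form>")
    if req.path == "/admin/users":
        return Response(200, "alice,bob,carol") if is_admin else Response(403, "Forbidden")
    if req.path == "/api/export":
        return Response(200, "id,salary\n1,90000\n2,85000")  # no role check at all
    return Response(404, "Not found")


def with_header(req: Request, name: str, value: str) -> Request:
    """The 'injected header' from the configuration tab replaces the original one."""
    headers = dict(req.headers)
    headers[name] = value
    return Request(req.method, req.path, headers)


def without_header(req: Request, name: str) -> Request:
    headers = {k: v for k, v in req.headers.items() if k != name}
    return Request(req.method, req.path, headers)


def classify(original: Response, replayed: Response, marker: str = "Forbidden") -> str:
    """Verdict for one replay (assumed rule): same status and body length as the
    privileged response means the check was bypassed; a 401/403 or the
    enforcement marker means it held; anything else needs a human look."""
    if replayed.status == original.status and len(replayed.body) == len(original.body):
        return "Bypassed!"
    if replayed.status in (401, 403) or marker in replayed.body:
        return "Enforced!"
    return "Is enforced???"


def autorize(requests: List[Request], send: Callable[[Request], Response],
             injected: Tuple[str, str]) -> Dict[str, Tuple[str, str]]:
    """path -> (verdict with the low-privileged header, verdict with no session)."""
    name, value = injected
    results: Dict[str, Tuple[str, str]] = {}
    for req in requests:
        original = send(req)
        low_priv = send(with_header(req, name, value))
        unauth = send(without_header(req, name))
        results[req.path] = (classify(original, low_priv), classify(original, unauth))
    return results


# Constructed traffic, as if browsed through Burp with the admin session.
SAMPLE_REQUESTS = [
    Request("GET", path, {"Cookie": ADMIN_COOKIE, "Host": "app.example"})
    for path in ("/login", "/admin/users", "/api/export")
]


if __name__ == "__main__":
    for path, (low, anon) in autorize(SAMPLE_REQUESTS, fake_app, ("Cookie", USER_COOKIE)).items():
        print(f"{path:<14} low-priv: {low:<15} unauthenticated: {anon}")
```

The second column is why the unauthenticated replay is worth keeping: /login shows "Bypassed!" for both identities simply because it is public, whereas /api/export showing "Bypassed!" for a logged-in low-privileged user and for nobody at all is the finding. A length-based comparison also produces "Is enforced???" for redirects and custom error pages, which is exactly the case the original/modified request view in the tool is there to resolve.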

Tools: Loki - Simple IOC Scanner

Scanner for Simple Indicators of Compromise
Detection is based on four detection methods:
1. File Name IOC
   Regex match on full file path/name

2. Yara Rule Check
   Yara signature match on file data and process memory

3. Hash check
   Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
The Windows binary is compiled with PyInstaller 2.1 and should run as an x86 application on both x86 and x64 systems.
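Two of the detection methods listed above, the file name regex and the hash lookup, as an added example written for this page and not Loki's own code (the Yara check needs the yara-python module and is left out). FILENAME_IOCS and HASH_IOC_TEXT are constructed; the hashes are those of the harmless bytes b"abc", not of real malware, and make_sample_tree() creates the files that get scanned so the example runs offline.

```python
"""Small filesystem IOC scanner: file name regexes plus md5/sha1/sha256 lookup.
Added example, not Loki's code; IOC lists and sample files are constructed."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

# Regexes matched against the full path (forward slashes), as Loki's filename IOCs are.
FILENAME_IOCS = [
    (r"(?i)/Windows/Temp/[a-z0-9]{8}\.exe$", "Executable with random name in Windows\\Temp"),
    (r"(?i)mimikatz", "Mimikatz binary name"),
    (r"/tmp/\.[^/]+\.sh$", "Hidden shell script in /tmp"),
]

# hash;description lines, the layout of a Loki hash-iocs file; entries constructed.
HASH_IOC_TEXT = """\
# md5, sha1 or sha256 hex digest ; description
900150983cd24fb0d6963f7d28e17f72;Constructed dropper sample (md5 of b"abc")
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad;Constructed dropper sample (sha256 of b"abc")
"""

Alert = Tuple[str, str, str]  # (path, method, description)


def load_hash_iocs(text: str) -> Dict[str, str]:
    iocs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, desc = line.partition(";")
        iocs[digest.strip().lower()] = desc.strip()
    return iocs


def file_digests(path: str) -> Dict[str, str]:
    """md5, sha1 and sha256 in one pass, so a large file is read only once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root: str, hash_iocs: Dict[str, str],
              filename_iocs=FILENAME_IOCS) -> List[Alert]:
    alerts: List[Alert] = []
    compiled = [(re.compile(p), d) for p, d in filename_iocs]
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            norm = path.replace(os.sep, "/")
            for rx, desc in compiled:
                if rx.search(norm):
                    alerts.append((path, "filename", desc))
            try:
                digests = file_digests(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            for algo, hexdigest in digests.items():
                if hexdigest in hash_iocs:
                    alerts.append((path, f"hash-{algo}", hash_iocs[hexdigest]))
    return alerts


def make_sample_tree(root: str) -> None:
    """Constructed files: three that should alert, one that should not."""
    samples = {
        "Windows/Temp/a1b2c3d4.exe": b"not really a PE file",
        "tools/mimikatz.exe": b"abc",  # hits the name regex and both hash IOCs
        "tmp/.cache.sh": b"#!/bin/sh\n",
        "home/user/notes.txt": b"clean\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def relative_hits(root: str, alerts: List[Alert]) -> Set[Tuple[str, str]]:
    return {(os.path.relpath(p, root).replace(os.sep, "/"), m) for p, m, _ in alerts}


def demo_scan() -> Tuple[str, List[Alert]]:
    root = tempfile.mkdtemp(prefix="iocdemo-")
    make_sample_tree(root)
    return root, scan_tree(root, load_hash_iocs(HASH_IOC_TEXT))


if __name__ == "__main__":
    root, alerts = demo_scan()
    for path, method, desc in alerts:
        print(f"[{method:<11}] {os.path.relpath(path, root)}: {desc}")
```

One file can raise several alerts (the constructed mimikatz.exe trips the name regex and two hash entries), which is the behaviour you want from an IOC scanner: each method is independent evidence, and a renamed binary still falls to the hash check while a recompiled one still falls to the name check.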