Jun 27, 2015

Tools: Cowrie - Cowrie SSH Honeypot (based on kippo)

1. Install python conch and web module
# apt-get install python-twisted-web python-twisted-conch

2. Download Source From https://github.com/micheloosterhof/cowrie

3. Copy cowrie.cfg.list to cowrie.cfg

4. Run cowrie with ./start.sh

5. IPtables to forward from 22 to 2222 (That cowrie was binding)
# sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

6. Try to connect port 22

7. Replay the attack with
# ./utils/playlog.py -f ../log/tty/20150626-135348-5c4ecc58.log

Source:: https://github.com/micheloosterhof/cowrie

Jun 24, 2015

Tools: iOS Penetration Testing Lab Environment

Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. This application covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try. This application also contains a section where a user can read various articles on iOS application security.
Source:: http://www.ehacking.net/2015/06/ios-penetration-testing-lab-environment.html

Tools: Evomalware - BASH script do detect malwares/virus/backdoor/... especially for PHP files.

Evomalware is a simple BASH script do detect malwares/virus/backdoor/... especially for PHP files.

Source:: https://github.com/evoforge/evomalware



Jun 23, 2015

Tools: The Backdoor Factory - Patch PE, ELF, Mach-O binaries with shellcode

The Backdoor Factory (BDF)


For security professionals and researchers only.
The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.
DerbyCon 2013:
Video: http://www.youtube.com/watch?v=jXLb2RNX5xs

Injection Module Demo: http://www.youtube.com/watch?v=04aJAex2o3U

Slides: http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory
DerbyCon 2014:
Video: http://www.youtube.com/watch?v=LjUN9MACaTs
Shmoocon 2015:
Video: https://archive.org/details/joshpitts_shmoocon2015

Paper: https://www.dropbox.com/s/te7e35c8xcnyfzb/JoshPitts-UserlandPersistenceOnMacOSX.pdf
Contact the developer on:
irc.freenode.net #BDFactory 

Source:: https://github.com/secretsquirrel/the-backdoor-factory 

Tools: Anticuckoo - A tool to detect and crash Cuckoo Sandbox


A tool to detect and crash Cuckoo Sandbox. Tested in Cuckoo Sandbox Official and Accuvant version.


  • Detection:
    • Cuckoo hooks detection (all kind of cuckoo hooks).
    • Suspicius data in own memory (without APIs, page per page scanning).
  • Crash (Execute with arguments) (out of a sandbox these args dont crash the program):
    • -c1: Modify the RET N instruction of a hooked API with a higher value. Next call to API pushing more args into stack. If the hooked API is called from the Cuckoo's HookHandler the program crash because it only pushes the real API args then the modified RET N instruction corrupt the HookHandler's stack.
TODO list

Cuckoo Detection

Submit Release/anticuckoo.exe to analysis in Cuckoo Sandbox. Check the screenshots (console output). Also you can check Accesed Files in Sumary:

Source::  https://github.com/David-Reguera-Garcia-Dreg/anticuckoo

Tools: unix-privesc-check - Unix/Linux User Privilege Escalation Scanner

It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).
unix-privesc-check is intended to be run by security auditors and penetration testers against systems they have been engaged to assess, and also by system administrators who want to check for “obvious” misconfiguration. It can even be run as a cron job so you can check regularly for misconfiguration that might be introduced.

The author wanted to write something that was at least partially useful to penetration testers when they gained access to a low-privilege account and wanted to escalate privileges. There are lots of things that pen-testers will check in this situation and one of the most tedious to check is weak file permissions – this of often one of the most fruitful, though, so there’s no avoiding it.

Checks Performed

  • Writable Home Directories
  • Readable /etc/shadow
  • Weak Permissions On Cron Jobs
  • Writable Configuration Files
  • Writable Device Files
  • Readable Files In Home Directories
  • Running Processes Correspond To Writable Programs
  • sudo Configuration
  • Accounts with no Password
Source:: http://pentestmonkey.net/tools/audit/unix-privesc-check

Jun 21, 2015

BSides Cleveland 2015 Videos