Sep 9, 2015

Howto: Extract sensitive plaintext data from Android memory

1. Upload the file
$ adb push gdbserver /sdcard

2. Enter a shell and become root
$ adb shell
$ su

3. Remount /system as read/write
$ mount -o rw,remount /system

4. Copy file to /system/xbin (or /system/bin)
$ cp /sdcard/gdbserver /system/xbin

5. Change permissions to ensure that it is executable
$ chmod 555 /system/xbin/gdbserver

6. Clean up
$ mount -o ro,remount /system
$ rm /sdcard/gdbserver

7. Download and compile gdb
$ wget
$ bunzip2 gdb-7.7.tar.bz2
$ tar xf gdb-7.7.tar
$ cd gdb-7.7/
$ ./configure --target=arm-linux-gnueabi
$ make

8. Find the keystore pid
$ ps | grep key
$ cd /proc/228

9. Find the heap
In the process's memory map (/proc/228/maps) we will normally find the code that makes up the process and its libraries, and then the regions holding the important data of the process:
- heap   - memory assigned by the VM or by the kernel for data storage
- stack  - memory used during function calls etc.
In this example the heap runs from 0xb7712000 (start of heap) to 0xb771f000 (end of heap).

10. Start gdbserver on the process listening on a port on the device
$ gdbserver --attach :1234 228
1234 => any free port
228 => the PID found in step 8

11. Use adb to forward the port on the device to a local port
$ adb forward tcp:1234 tcp:1234

This will now allow us to talk to port 1234/tcp on the device by connecting to 1234/tcp on the host.

12. Use a third party program to forward the local port to the device where you will be running gdb
> Use the program "Port Forwarding for Windows" to forward from my native OS to the virtual machine I run gdb on

13. Connect via gdb
$ ./gdb
(gdb) target remote <forwarding-host>:1234

14. Dump the memory
(gdb) dump memory /tmp/heapout 0xb7712000 0xb771f000

15. Look for strings that may be a username or password
$ strings /tmp/heapout | more
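As an added example (not part of the original post), the following Python script performs steps 9, 14 and 15 offline on constructed input: it parses /proc/<pid>/maps text to locate the [heap] mapping, builds the matching gdb dump command, and scans a heap dump for printable strings that look like credential fields. SAMPLE_MAPS, SAMPLE_HEAP and the CREDENTIAL_HINT pattern are constructed assumptions rather than output from a real device; on a real target you would feed it the maps file and /tmp/heapout. This is the check a developer runs to verify whether their own app keeps secrets in plaintext on the heap.

```python
import re

# Constructed sample of /proc/<pid>/maps output (not captured from a real device);
# the heap range matches the one used in the walkthrough above.
SAMPLE_MAPS = """\
b6f00000-b6f20000 r-xp 00000000 b3:19 1234       /system/lib/libc.so
b6f20000-b6f24000 rw-p 00020000 b3:19 1234       /system/lib/libc.so
b7712000-b771f000 rw-p 00000000 00:00 0          [heap]
be8c3000-be8e4000 rw-p 00000000 00:00 0          [stack]
"""

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def parse_maps(text):
    """Return a list of {start, end, perms, path} dicts, one per mapping."""
    regions = []
    for line in text.splitlines():
        match = MAPS_LINE.match(line.strip())
        if not match:
            continue
        start, end, perms, path = match.groups()
        regions.append(
            {"start": int(start, 16), "end": int(end, 16), "perms": perms, "path": path}
        )
    return regions


def find_heap(regions):
    """Return (start, end) of the [heap] mapping, or None if the process has none."""
    for region in regions:
        if region["path"] == "[heap]":
            return region["start"], region["end"]
    return None


def gdb_dump_command(start, end, out_path="/tmp/heapout"):
    """Build the gdb 'dump memory' command for a region (same form as step 14)."""
    return "dump memory %s 0x%x 0x%x" % (out_path, start, end)


def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, as strings(1) reports them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


# Hypothetical key=value hints; real apps use their own field names.
CREDENTIAL_HINT = re.compile(r"(user(name)?|pass(word|wd)?|token|secret)\s*[=:]", re.I)


def find_credential_like(strings):
    """Keep only strings that look like a credential field."""
    return [s for s in strings if CREDENTIAL_HINT.search(s)]


# Constructed stand-in for the bytes gdb would write to /tmp/heapout.
SAMPLE_HEAP = (
    b"\x00\x01garbage\xff"
    b"username=alice\x00"
    b"\x02\x03password=hunter2\x00"
    b"\x7f\x80ok\x00"
    b"SomeClass$1\x00"
)


def audit_heap_dump(maps_text, heap_bytes):
    """Tie the steps together: locate the heap, then scan the dump for leaks."""
    heap = find_heap(parse_maps(maps_text))
    if heap is None:
        return None
    return {
        "gdb": gdb_dump_command(*heap),
        "leaks": find_credential_like(extract_strings(heap_bytes)),
    }


if __name__ == "__main__":
    print(audit_heap_dump(SAMPLE_MAPS, SAMPLE_HEAP))
```

Running it prints the gdb command for the heap range above and the two credential-looking strings; a process without a [heap] mapping yields None, which is the case to handle before blindly dumping a range.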

Tools: USBDeview v2.45 - View all installed/connected USB devices on your system

USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, extended information is displayed: device name/description, device type, serial number (for mass storage devices), the date/time that the device was added, VendorID, ProductID, and more.
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, and disable and enable USB devices.
You can also use USBDeview on a remote computer, as long as you log in to that computer as an admin user.

Using USBDeview

USBDeview doesn't require any installation process or additional DLL files. Just copy the executable file (USBDeview.exe) to any folder you like, and run it.
The main window of USBDeview displays all USB devices installed on your system. You can select one or more items, and then disconnect (unplug) them, uninstall them, or just save the information into a text/xml/html file.
USBDeview Columns Description
  • Device Name: Specifies the device name. For some devices, this column may display a meaningless name, like "USB Device". If the device name is meaningless, look at the Description column instead.
  • Device Description: The description of the device.
  • Device Type: The device type, according to USB class code. For more information about USB classes: USB Class Codes.
  • Connected: Specifies whether the device is currently connected to your computer. If the device is connected, you can use the 'Disconnect Selected Devices' option (F9) to disconnect the device.
  • Safe To Unplug: Specifies whether it's safe to unplug the device from the USB port without disconnecting it first. If the value of this column is false, and you want to unplug this device, you must first disconnect it by using the 'Disconnect Selected Devices' option (F9) of the USBDeview utility, or by using the 'Unplug or Eject Hardware' utility of the Windows operating system.
  • Drive Letter: Specifies the drive letter of the USB device. This column is only relevant to USB flash memory devices and to USB CD/DVD drives. Be aware that USBDeview cannot detect drive letters of USB hard-disks.
  • Serial Number: Specifies the serial number of the device. This column is only relevant to mass storage devices (flash memory devices, CD/DVD drives, and USB hard-disks).
  • Created Date: Specifies the date/time that the device was installed. In most cases, this date/time value represents the time that you first plugged the device into the USB port. However, be aware that in some circumstances this value may be wrong. Also, on Windows 7, this value is initialized with the current date/time on every reboot.
  • Last Plug/Unplug Date: Specifies the last time that you plugged/unplugged the device. This date value is lost when you restart the computer.
  • VendorID/ProductID: Specifies the VendorID and ProductID of the device. An unofficial list of VendorID/ProductID values is available online.
  • USB Class/Subclass/Protocol: Specifies the Class/Subclass/Protocol of the device according to USB specifications. For more information about USB classes: USB Class Codes.
  • Hub/Port: Specifies the hub number and port number that the device was plugged into. This value is empty for mass storage devices.
Notice: According to user reports, on some systems the 'Last Plug/Unplug Date' and the 'Created Date' values are initialized after reboot. This means that these columns may display the reboot time instead of the correct date/time.


Howto: use Metasploit in Kali2

1. Initialize the Metasploit database (first time only)
# systemctl start postgresql
# msfdb init
# msfconsole

2. Start msfdb + postgresql
# systemctl start postgresql
# msfdb start
# msfconsole

Tools: OWASP ZeroDay Cyber Research Shellcoder

OWASP ZeroDay Cyber Research Shellcoder [Generator] is open source software written in Python which lets you generate customized shellcodes for the listed operating systems. This software runs on Linux under Python 2.7.x.


Usage of shellcodes

Shellcodes are small pieces of assembly code which can be used as the payload when exploiting software. Other uses are in malware, bypassing antiviruses, obfuscated code, etc.

Why use OWASP ZSC?

Compared with other shellcode generators such as the Metasploit tools, OWASP ZSC uses new encodings and methods which antiviruses won't detect. The OWASP ZSC encoders are able to generate shellcodes with random encodings, which lets you get thousands of new dynamic shellcodes doing the same job in just a second; that means you will not get the same code if you use random encodes with the same commands, and that makes OWASP ZSC one of the best! It is also going to generate shellcodes for many more operating systems in future versions.

Tools: Btproxy - Man in the Middle analysis tool for Bluetooth.


  • Need at least 1 Bluetooth card (either USB or internal).
  • Need to be running Linux, another *nix, or OS X.
  • BlueZ
For a debian system, run

sudo apt-get install bluez bluez-utils bluez-tools libbluetooth-dev python-dev


sudo python setup.py install


To run a simple MiTM or proxy on two devices, run

btproxy <master-bt-mac-address> <slave-bt-mac-address>
Run btproxy to get a list of command arguments.


# This will connect to the slave 40:14:33:66:CC:FF device and 
# wait for a connection from the master F1:64:F3:31:67:88 device
btproxy F1:64:F3:31:67:88 40:14:33:66:CC:FF
The master is typically the phone and the slave MAC address is typically the other peripheral device (smart watch, headphones, keyboard, OBD2 dongle, etc.).
The master is the device that sends the connection request and the slave is the device listening for something to connect to it.
After the proxy connects to the slave device and the master connects to the proxy device, you will be able to see the traffic and modify it.

How to find the BT MAC Address?

For a phone you can usually look it up in the settings. The most robust way is to put the device in advertising mode and scan for it.
There are two ways to scan for devices: scanning and inquiring. hcitool can be used to do either:

hcitool scan
hcitool inq
To get a list of services on a device:

sdptool records <bt-address>


Some devices may restrict connecting based on the name, class, or address of another Bluetooth device.
So the program will look up those three properties of the target devices to be proxied, and then clone them onto the proxying adapter(s).

It will first try connecting to the slave device from the cloned master adapter. It makes a socket for each service hosted by the slave and relays traffic for each one independently.
After the slave is connected, the cloned slave adapter is set to listen for a connection from the master. At this point, the real master device should connect to the adapter. After the master connects, the proxied connection is complete.
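The connection order described above (connect to the slave first, then listen for the master, then relay each direction on its own) is shown below as an added example that is not btproxy's own code. It uses plain TCP sockets on loopback instead of Bluetooth sockets so it runs without an adapter; fake_peripheral is a constructed stand-in for the slave device, and the request/response bytes are made up. The traffic log is the analysis output a proxy like this exists to produce.

```python
import socket
import threading


def relay(src, dst, direction, log):
    """Copy bytes from src to dst until src closes, recording every chunk."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        log.append((direction, data))
        dst.sendall(data)
    # Propagate the half-close so the relay thread for the other direction ends too.
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def start_proxy(slave_addr):
    """Connect to the slave first, then listen for the master, as btproxy does.

    Returns (port the master should connect to, traffic log, proxy thread).
    One relay thread per direction, so each side is forwarded independently.
    """
    slave = socket.create_connection(slave_addr)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    log = []

    def run():
        master, _ = listener.accept()
        listener.close()
        threads = [
            threading.Thread(target=relay, args=(master, slave, "master->slave", log)),
            threading.Thread(target=relay, args=(slave, master, "slave->master", log)),
        ]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        master.close()
        slave.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, log, thread


def fake_peripheral(listener):
    """Constructed stand-in for the slave device: answers one request per message."""
    conn, _ = listener.accept()
    listener.close()
    while True:
        data = conn.recv(4096)
        if not data:
            break
        conn.sendall(b"BATTERY=87\n" if data.strip() == b"GET BATTERY" else b"ERR\n")
    conn.close()


def run_demo():
    """Stand up slave, proxy and master on loopback; return the master's reply and the log."""
    slave_listener = socket.socket()
    slave_listener.bind(("127.0.0.1", 0))
    slave_listener.listen(1)
    slave_addr = slave_listener.getsockname()
    threading.Thread(target=fake_peripheral, args=(slave_listener,), daemon=True).start()

    port, log, proxy_thread = start_proxy(slave_addr)
    master = socket.create_connection(("127.0.0.1", port))
    master.sendall(b"GET BATTERY\n")
    reply = master.recv(4096)
    master.close()
    proxy_thread.join(timeout=5)
    return reply, log


if __name__ == "__main__":
    for direction, chunk in run_demo()[1]:
        print(direction, chunk)
```

Modifying traffic is a matter of transforming `data` inside relay before the sendall; a real Bluetooth build would open one such relay pair per service found with sdptool and use AF_BLUETOOTH sockets instead of TCP.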

Using only one adapter

This program uses either 1 or 2 Bluetooth adapters. If you use one adapter, then only the slave device will be cloned. Both devices will be cloned if 2 adapters are used; this might be necessary for more restrictive Bluetooth devices.


Sep 8, 2015

Tools: b374k - PHP Webshell with handy features

This PHP shell is a useful tool for a system or web administrator to do remote management without using cPanel, SSH, FTP etc. All actions take place within a web browser.
Features :
  • File manager (view, edit, rename, delete, upload, download, archiver, etc)
  • Search file, file content, folder (also using regex)
  • Command execution
  • Script execution (php, perl, python, ruby, java, node.js, c)
  • Gives you a shell via bind/reverse shell connection
  • Simple packet crafter
  • Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
  • SQL Explorer
  • Process list/Task manager
  • Send mail with attachment (you can attach local file on server)
  • String conversion
  • All of that only in 1 file, no installation needed
  • Support PHP > 4.3.3 and PHP 5


Tools: Gcat – Python Backdoor Using Gmail For Command & Control


A stealthy Python based backdoor that uses Gmail as a command and control server


For this to work you need:
  • A Gmail account (Use a dedicated account! Do not use your personal one!)
  • Turn on "Allow less secure apps" under the security settings of the account
This repo contains two files:
  • a script that's used to enumerate and issue commands to available clients
  • the actual backdoor to deploy
In both files, edit the gmail_user and gmail_pwd variables with the username and password of the account you previously set up.
You're probably going to want to compile it into an executable using PyInstaller.


Sep 7, 2015

Tools: Next-gen BurpSuite penetration testing tool: BurpKit

BurpKit is a BurpSuite plugin which helps in assessing complex web apps that render the contents of their pages dynamically. As part of its rich feature set, BurpKit provides a bi-directional JavaScript bridge API which allows users to quickly create BurpSuite plugins which can interact directly with the DOM and Burp’s extender API at the same time. This permits BurpSuite plugin developers to run their web application testing logic directly within the DOM itself whilst taking advantage of BurpSuite’s other features as well!