Nov 7, 2015

Tools: SpiderFoot – Open Source Intelligence Automation Tool (OSINT)


There are three main areas where SpiderFoot can be useful:
  • If you are a pen-tester, SpiderFoot will automate the reconnaissance stage of the test, giving you a rich set of data to help you pinpoint areas of focus for the test.
  • Understand what your network/organisation is openly exposing to the outside world. Such information in the wrong hands could be a significant risk.
  • SpiderFoot can also be used to gather threat intelligence about suspected malicious IPs you might be seeing in your logs or have obtained via threat intelligence data feeds.


SpiderFoot has plenty of features, including the following:
  • Utilises a lot of different data sources; over 40 so far and counting, including SHODAN, RIPE, Whois, PasteBin, Google, SANS and more.
  • Designed for maximum data extraction; every piece of data is passed on to modules that may be interested, so that they can extract valuable information. No piece of discovered data is spared from analysis.
  • Runs on Linux and Windows. And fully open-source so you can fork it on GitHub and do whatever you want with it.
  • Visualisations. Built-in JavaScript-based visualisations or export to GEXF/CSV for use in other tools, like Gephi for instance.
  • Web-based UI. No cumbersome CLI or Java to mess with. Easy to use, easy to navigate. Take a look through the gallery for screenshots.
  • Highly configurable. Almost every module is configurable so you can define the level of intrusiveness and functionality.
  • Modular. Each major piece of functionality is a module, written in Python. Feel free to write your own and submit them to be incorporated!
  • SQLite back-end. All scan results are stored in a local SQLite database, so you can play with your data to your heart’s content.
  • Simultaneous scans. Each footprint scan runs as its own thread, so you can perform footprinting of many different targets simultaneously.
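The feature list above describes an architecture (modules written in Python, every discovered item routed to every interested module, results kept in SQLite) rather than an API. The following is an added example, not SpiderFoot's own code: a minimal event-driven pipeline in that style, where modules declare the event types they watch, each new event is dispatched to every module that watches it, and results are persisted in SQLite with deduplication. The module names, event types and lookup tables are constructed for illustration and stand in for the external data sources a real module would query.

```python
# Added example (not SpiderFoot's own code): an event-driven OSINT pipeline in the
# style the feature list describes. Modules watch event types, emit new events,
# and everything lands in a SQLite table with a UNIQUE constraint for dedup.
import sqlite3
from collections import deque

# Constructed stand-ins for passive data sources (no network access needed).
PASSIVE_SUBDOMAINS = {
    # the duplicate entry shows that the store deduplicates repeated facts
    "example.test": ["www.example.test", "mail.example.test", "www.example.test"],
}
FORWARD_DNS = {"www.example.test": "192.0.2.10", "mail.example.test": "192.0.2.20"}
BLOCKLIST = {"192.0.2.20"}  # constructed: pretend this IP is on a threat feed


class Module:
    """Base class: subclasses list the event types they want and yield new events."""
    watched = ()

    def handle(self, event):
        raise NotImplementedError


class SubdomainModule(Module):
    watched = ("DOMAIN_NAME",)

    def handle(self, event):
        for sub in PASSIVE_SUBDOMAINS.get(event["data"], []):
            yield ("SUBDOMAIN", sub)


class ResolveModule(Module):
    watched = ("DOMAIN_NAME", "SUBDOMAIN")

    def handle(self, event):
        ip = FORWARD_DNS.get(event["data"])
        if ip:
            yield ("IP_ADDRESS", ip)


class ThreatFeedModule(Module):
    watched = ("IP_ADDRESS",)

    def handle(self, event):
        if event["data"] in BLOCKLIST:
            yield ("MALICIOUS_IP", event["data"])


DEFAULT_MODULES = [SubdomainModule(), ResolveModule(), ThreatFeedModule()]


def run_scan(target, modules, db_path=":memory:"):
    """Seed the scan with a domain, drain the event queue, return stored rows."""
    db = sqlite3.connect(db_path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS events ("
        "id INTEGER PRIMARY KEY, type TEXT, data TEXT, module TEXT, parent INTEGER,"
        " UNIQUE(type, data))"
    )
    queue = deque()

    def store(etype, data, module, parent):
        cur = db.execute(
            "INSERT OR IGNORE INTO events(type, data, module, parent) VALUES (?, ?, ?, ?)",
            (etype, data, module, parent),
        )
        if cur.rowcount == 1:  # genuinely new fact: dispatch it to the modules
            queue.append({"id": cur.lastrowid, "type": etype, "data": data})

    store("DOMAIN_NAME", target, "seed", None)
    while queue:
        ev = queue.popleft()
        for mod in modules:
            if ev["type"] in mod.watched:
                for etype, data in mod.handle(ev):
                    store(etype, data, type(mod).__name__, ev["id"])

    rows = db.execute("SELECT type, data, module FROM events ORDER BY id").fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    for row in run_scan("example.test", DEFAULT_MODULES):
        print(row)
```

The `parent` column records which event produced each finding, which is what a graph export (GEXF) or the built-in visualisation would draw edges from; the `UNIQUE(type, data)` constraint is what keeps two modules discovering the same host from triggering the downstream work twice.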

Tools: Bluto - Recon, Subdomain Bruting, Zone Transfers

DNS recon | Brute forcer | DNS Zone Transfer | Email Enumeration
Author: Darryl Lane | Twitter: @darryllane101
The target domain is queried for MX and NS records. Sub-domains are passively gathered via NetCraft. The target domain NS records are each queried for potential Zone Transfers. If none of them gives up their spinach, Bluto will brute force subdomains using parallel sub processing on the top 20000 of the 'Alexa Top 1 Million' subdomain list. NetCraft results are presented individually and are then compared to the brute force results; any duplicates are removed and particularly interesting results are highlighted.
Bluto now does email address enumeration based on the target domain, currently using the Bing and Google search engines. It is configured to use a random User Agent on each request and does a country lookup to select the fastest Google server in relation to your egress address. Each request closes the connection in an attempt to further avoid captchas; however, excessive lookups will result in captchas (Bluto will warn you if any are identified).
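The zone transfer step above is also the check you should run against your own authoritative nameservers, since a server that answers AXFR for arbitrary clients hands out the complete zone. The following is an added example, not Bluto's own code: it builds the AXFR query with the standard library only, sends it over TCP, and classifies the first reply. The sample reply messages are constructed for offline testing, and `ns1.example.test` / `example.test` are placeholders for your own nameserver and domain.

```python
# Added example (not Bluto's own code): self-audit a nameserver for open AXFR.
# A correctly configured authoritative server answers REFUSED (or just closes the
# connection) to clients that are not its configured secondaries.
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
TXID = 0x2A2A  # fixed transaction id so replies can be matched offline


def encode_name(domain):
    """Encode a dotted name in DNS wire (label) format."""
    labels = domain.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(domain, txid=TXID):
    """DNS header with no flags set, QDCOUNT=1, then one question of type AXFR."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def classify_axfr_response(msg, txid=TXID):
    """Interpret the first reply message of an AXFR attempt."""
    if len(msg) < 12:
        return "malformed"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        return "malformed"  # reply does not belong to our query
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"  # REFUSED: the server is doing its job
    if rcode == 9:
        return "not-authoritative"  # NOTAUTH: this server does not serve the zone
    if rcode != 0:
        return "error rcode %d" % rcode
    if an > 0:
        return "transfer-allowed"  # records came back: the whole zone is exposed
    return "empty"


def check_zone_transfer(ns_host, domain, timeout=5.0):
    """Send the AXFR over TCP (2-byte length prefix) and classify the first reply."""
    query = build_axfr_query(domain)
    with socket.create_connection((ns_host, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        hdr = s.recv(2)
        if len(hdr) < 2:
            return "connection-closed"  # common: server drops AXFR from strangers
        (length,) = struct.unpack("!H", hdr)
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return classify_axfr_response(data)


# Constructed replies for offline testing (not captured from a real server).
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8185, 1, 0, 0, 0) + encode_name("example.test")
SAMPLE_ALLOWED = struct.pack("!HHHHHH", TXID, 0x8400, 1, 3, 0, 0)  # answer RRs would follow

if __name__ == "__main__":
    # Placeholders: use your own domain and one of its authoritative nameservers.
    print(check_zone_transfer("ns1.example.test", "example.test"))
```

Run it once per NS record of the domain; a result other than `refused`, `connection-closed` or `not-authoritative` from a server you do not operate as a secondary means the zone's access-control list needs fixing.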


Nov 2, 2015

Tools: ARDT - Akamai Reflective DDoS Tool

Attack the origin host behind the Akamai Edge hosts and bypass the DDoS protection offered by Akamai services.


Tools: windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems

Windows-privesc-check is a standalone executable that runs on Windows systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
It is written in Python and converted to an executable using PyInstaller so it can be easily uploaded and run (as opposed to unzipping Python + other dependencies). It can run either as a normal user or as Administrator (obviously it does a better job when running as Administrator because it can read more files).
The latest version of the code is in the master branch.

Use Cases

Below is a high level description of common use cases. See also the Quick Start & Usage page.

Find Privesc Vectors (as Administrator)

When run with admin rights, windows-privesc-check has full read access to all secureable objects. This allows it to perform audits for escalation vectors such as:
  • Reconfiguring Windows Services
  • Replacing Service executables if they have weak file permissions
  • Replacing poorly protected .exe or .dll files in %ProgramFiles%
  • Trojaning the %PATH%
  • Maliciously modifying the registry (e.g. RunOnce)
  • Modifying programs on FAT file systems
  • Tampering with running processes
A great many of the privilege escalation vectors checked are simply checks for weak security descriptors on Windows securable objects.
A report is generated in HTML, TXT and XML format.
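Most of the vectors listed above reduce to one question: does a low-privileged principal hold a write-class right on an object that a privileged process will later execute or load? The following is an added example, not windows-privesc-check's own code: it evaluates ACL entries in the `principal:(flags)(rights)` notation that `icacls` prints and flags service executables, program files and %PATH% directories that Everyone, Users, Authenticated Users or INTERACTIVE can modify. The ACLs in `SAMPLE_ACLS` are constructed, not captured from a real host, and the helper names are my own.

```python
# Added example (not windows-privesc-check's own code): flag securable objects
# whose ACL grants write-class rights to low-privileged principals.
import re

# Principals any local user effectively belongs to (compared case-insensitively).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}
# Rights that let the holder replace or alter the object (icacls abbreviations):
# F full, M modify, W write, WD write data, AD append data, WA write attributes,
# WEA write extended attributes, DC delete child, WDAC write DAC, WO write owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# Inheritance flags carry no rights of their own.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<rights>(?:\([A-Za-z,]*\))+)$")


def parse_ace(ace):
    """'BUILTIN\\Users:(I)(RX)' -> ('builtin\\users', {'RX'})."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError("unrecognised ACE: %r" % ace)
    principal = m.group("principal").strip().lower()
    rights = set()
    for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
        for tok in group.split(","):
            tok = tok.strip()
            if tok and tok not in INHERIT_FLAGS:
                rights.add(tok)
    return principal, rights


def weak_aces(acl):
    """Return [(principal, [write rights])] for grants that let low-priv users modify."""
    findings = []
    for ace in acl:
        principal, rights = parse_ace(ace)
        if "DENY" in rights:  # a deny ACE grants nothing
            continue
        granted = rights & WRITE_RIGHTS
        if principal in LOW_PRIV_PRINCIPALS and granted:
            findings.append((principal, sorted(granted)))
    return findings


def audit_acls(objects):
    """objects: {path: [ace, ...]} -> {path: findings} for paths with weak ACEs."""
    report = {}
    for path, acl in objects.items():
        findings = weak_aces(acl)
        if findings:
            report[path] = findings
    return report


# Constructed sample (not captured from a real host): a service binary, a legacy
# tool, a %PATH% directory and a file protected by an explicit deny.
SAMPLE_ACLS = {
    r"C:\Program Files\ExampleSvc\svc.exe": [
        r"NT AUTHORITY\SYSTEM:(I)(F)",
        r"BUILTIN\Administrators:(I)(F)",
        r"BUILTIN\Users:(I)(RX)",
    ],
    r"C:\Tools\legacy\agent.exe": [
        r"NT AUTHORITY\SYSTEM:(F)",
        r"Everyone:(M)",  # weak: any user can replace the binary
    ],
    r"C:\Tools\legacy": [  # assume this directory is on the system %PATH%
        r"BUILTIN\Administrators:(OI)(CI)(F)",
        r"NT AUTHORITY\Authenticated Users:(OI)(CI)(WD,AD)",  # weak: can drop a DLL here
    ],
    r"C:\Tools\denied\x.exe": [
        r"BUILTIN\Users:(DENY)(W)",
        r"BUILTIN\Users:(RX)",
    ],
}

if __name__ == "__main__":
    for path, findings in audit_acls(SAMPLE_ACLS).items():
        print(path, findings)
```

On a real host the ACE lines come from `icacls <path>` (or from the tool's own raw dump); feeding them through `audit_acls` reproduces the core of the "weak security descriptor" checks, and the explicit-deny case shows why an ACL must be read as a whole rather than grant by grant.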

Find Privesc Vectors (as a Low-Privileged User)

An important design goal is that windows-privesc-check can perform as many checks as possible (above) without admin rights. This will make the tool useful to pentesters as well as auditors.
Clearly, low-privileged users are unable to see certain parts of the registry and file system. The tool is therefore inherently less able to identify security weaknesses when run as a low-privileged user.
As above, a report is generated in HTML, TXT and XML format.

Dump Raw Auditing Data

Windows-privesc-check can simply dump the raw data that it would normally use to identify security weaknesses. This data can then be analysed some other way, or simply stored as a snapshot of system security at the time of the audit.
Both human-readable (text) and machine readable (tab delimited) formats are supported.
Examples of data users are able to dump: