Thursday, October 6, 2016

PenTest Oriented Web Browser - Sandcat Browser 5.3

Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command-line console, a resource viewer, and many other features that are useful for web developers and pen-testers, and whenever you need to examine live web applications. For more details, visit http://www.syhunt.com/sandcat/. See also the docs directory and the credits section below for a few more details about the Sandcat architecture.

Directories
  • /docs - Lua API documentation
  • /packs - contents of uncompressed pack files
    • /Common - common CSS, widgets and scripts package (Common.pak)
    • /Resources - resources package (Resources.pak)
  • /src - the main executable source and built-in resource files
    • /core - user interface source
    • /html - user interface resources (HTML)
    • /lua - Lua API source

Download
Compiled binaries for Windows can be downloaded from the links below.

Compiling
To compile Sandcat, you will just need Catarinka and pLua.
The entire Sandcat user interface is created during runtime, so there is no need to install third-party components in the IDE - you can just add the dependencies listed above to the library path and hit compile. It compiles under Delphi 10 Seattle down to XE2. If you are trying to compile it with Lazarus, let me know which errors you get - I will try to do the same soon.
Some work is still needed before a Mac or Linux version materializes.

ChangeLog

5.3

This upgrade brings more stability on newer OSes.
  • Fixed: constant freeze during navigation under some Windows installations (IPC related).
  • Fixed: AV when restoring minimized Sciter dialog.
  • Replaced the Selenite library with Catarinka.

5.2

  • Added the ability to create offscreen Chromium renderers using the Lua API.
  • Improved tab status bar text handling.
  • Improved task script error handling.
  • Improved live headers.
  • Improved startup for Windows 10 compatibility.
  • Make window close work as cancel in Preferences dialog.
  • The Chromium library was upgraded to the latest release.
  • Some extensive code cleanup.
  • Minor user experience improvements.
  • 64-bit version now available separately (special thanks to @RJ35 for fixing a Chromium-related crash under Win64 environments, making this release possible).
  • Fixed: a rare crash when switching tabs.

5.1

This release addresses minor issues such as a crash when loading a homepage during startup or when calling the context menu from a loaded web page.

5.1 Beta 3

This release uses the latest Chromium binaries. This fixes some instability issues when browsing with the live headers enabled.

5.1 Beta 2

This release is focused on stability and performance, along with some other improvements such as being able to ignore certificate errors while navigating and to open PDF files.
Here is what changed in version 5.1:
  • Switched to the WACEF Chromium framework and the latest Chromium binaries. This significantly improves speed and stability, and fixes some issues during shutdown.
  • Most preferences now get applied instantly (just need to open a new tab instead of restarting).
  • Added a certificate error dialog.
  • Added a PDF viewer plugin.
  • Added proxy support.
  • Improved Lua integration.
  • Minor compiler optimizations.
  • The OpenSSL library was upgraded to the latest release.
  • The Selenite library was upgraded to the latest release.

5.0

We're excited to announce a brand new version of our Sandcat Browser (codenamed Catarinka browser), now available as a free, open source project - because many people asked for it, the entire source for Sandcat is now available on GitHub. Feel free to fork it, examine it, contribute code, send suggestions, report or fix issues.
Here is what changed in version 5.0 beta 1:

  • Faster startup and responsiveness.
  • Huge refactoring and cleanup of the current code.
  • The Chromium library was upgraded to the latest release (incredibly fast!).
  • Improved compatibility with 64-bit Windows editions.
  • Improved source code editor.
  • Available as free, open source/community edition (under a BSD-3-Clause license).
  • Built using components and libraries from the Catarinka toolkit (also made open source at the same time with this release and under the same license).
  • Includes the Selenite Lua library - a multi-purpose set of Lua extensions developed to make the development of Lua extensions easier in Sandcat. The code for Selenite is now open source, under the MIT license. The library documentation is available here.
  • Fixed: output of the SHA1 and the full URL encoders that come with the pen-tester pack. 


Monday, October 3, 2016

IDPS & SandBox & AntiVirus STEALTH KILLER - MorphAES

MorphAES is the world's first polymorphic shellcode/malware engine, with metamorphic properties and the capability to bypass sandboxes, which makes it undetectable for an IDPS; it is cross-platform as well and library-independent.

Properties:

  • Polymorphism (AES encryption)
  • Metamorphism (logic and constants changing)
  • Platform independent (Linux/BSD/Windows)
  • IDPS stealthing (the total number of possible signatures for one given code is greater than the number of atoms in the universe)
  • Sandbox evasion (special assembly instructions)
  • Realism (no null bytes)
  • Can produce executables (malware)
  • Input code can have arbitrary length
Dependencies for the morpher:
  • Python 2.7 - main engine
  • Python Crypto 2.6 - for encryption
Dependencies for the code execution:
  • 64-bit Intel AES-NI - for decryption
Nonetheless, there are some limitations (aka white-hat aspects):
  • Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily)
  • Unicode null bytes might still work (but who cares?)
  • It will only work on 64-bit Intel processors with AES-NI support, but since all users' PCs (Pentium, Celeron, i3, i5, i7) and the industry's servers (Xeon) have it, this is more a specification than a limitation; a 32-bit implementation is therefore impractical
  • Almost any shellcode is guaranteed to work; arbitrary code (malware), however, is not
  • Windows/BSD PoC and executables are in progress...

How it works
  1. Shellcode padding with NOPs (since AES is a block cipher)
  2. Shellcode encryption with a random key using AES-128-ECB (not the best, but the simplest) - polymorphism
  3. Constants randomization, logic changes, instructions modification and rewriting - metamorphism

HowTo
For Linux:
sudo apt-get install python python-crypto
Execute the Python script and enter your shellcode, or nothing for a default Linux shell. You can specify your own execution address as well.
It is possible to build and execute on Windows/BSD/Mac as well, but I'm still testing it.
You can also use the Linux PoC in assembly:
as shellcode.s -o shellcode.o
ld shellcode.o -o shellcode
./shellcode
Every file is commented and explained.

Tests
At this point it should be pretty obvious that the hashes will be different every time, but let's compare the ssdeep hashes of 2 Linux executables of the same shellcode:
  • 96:GztTHyKGQh3lo6Olv4W4zS/2WnDf74i4a4B7UEoB46keWJl09:Gzty6VOlvqSTDflmNroh,
  • 96:GQtT23yKmFUh3lo6OlOnIrFS4rkoPPf74i4a4B7UEoB46keWJ5:GQtCGWVOlOWFSsPflmNroh,
Well, there's something in common, but globally those are 2 different signatures. Now what about the shellcode itself:
  • 48:eip2bR2LRNtRPORDGRopRBXR3cRzER2vRU9BnH6ksr:Srn+,
  • 48:6RjNeR2IRN7RPWRDeRokRB5R3xRz3R28RUxFT2+75eFK9iKMAdXAJKo:O9Tdwoo,
Almost totally different signatures for the same morphed shellcode!
At the publication date, the executable was detected as shellcode by only 2 out of 53 antiviruses (AVG and Ikarus) on VirusTotal, but now it just fails to analyze.
malwr with cuckoo2 doesn't see anything suspicious.
From the reverser's perspective, IDA won't see anything either.
Radare2 would show the real instructions only if assembled by the assembler itself; however, it doesn't detect any crypto or suspicious activity in the executable.
Although I didn't test it personally, I think that FortiSandbox, Sophos Sandstorm, Blue Coat, GateWatcher and their derivatives might fail badly...

To put it in a nutshell
Basically, it can transform a script-kid's code (or a known one) into a zero-day.
IDPS will fail because it's almost impossible to make a signature and difficult to make a regular expression or heuristic analysis.
Most sandboxes don't use Intel's AES-NI instructions directly, so they will not execute the code, so "everything is fine" for them, whereas it's not.
The only way to defeat this type of shellcode/malware is to use appropriate sandboxing and/or an AI.
Notice that the whole execution is done in pure assembly; no Python (or shitty OpenSSL) is needed for the shellcode's/malware's execution since I use built-in assembly instructions only, thus it's system-independent (surely you will have to assemble it for each one by adapting the instructions/opcodes, but they are still the same).
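As an added defender-side example (not part of MorphAES or this post), a Python 3 triage check for the shape described in "How it works" and above: AES-NI decrypt opcodes sitting next to a high-entropy blob. The opcode encodings come from the Intel SDM; the window size, entropy threshold and sample bytes are my own assumptions, and since legitimate crypto code also uses AES-NI, a hit is a lead to be confirmed in a sandbox that supports AES-NI, not a verdict.

```python
import math
import random
import re

# Encodings from the Intel SDM: 66 prefix, optional REX (40-4F), then 0F 38 and
# DB..DF for aesimc/aesenc/aesenclast/aesdec/aesdeclast. ModRM is not checked,
# so this is a triage pattern, not a disassembler.
AESNI_RE = re.compile(rb"\x66[\x40-\x4f]?\x0f\x38[\xdb-\xdf]")
MNEMONIC = {0xdb: "aesimc", 0xdc: "aesenc", 0xdd: "aesenclast",
            0xde: "aesdec", 0xdf: "aesdeclast"}

def find_aesni(buf):
    """Return [(offset, mnemonic)] for every AES-NI opcode pattern in buf."""
    return [(m.start(), MNEMONIC[m.group(0)[-1]]) for m in AESNI_RE.finditer(buf)]

def shannon_entropy(data):
    """Bits per byte: 8.0 is uniform (encrypted/compressed); code is far lower."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def max_window_entropy(buf, window=256, step=32):
    """Highest entropy over sliding windows (tail window included), so a small
    encrypted blob is not diluted by the rest of the file."""
    starts = set(range(0, max(1, len(buf) - window + 1), step))
    starts.add(max(0, len(buf) - window))
    return max(shannon_entropy(buf[i:i + window]) for i in starts)

def triage(buf, threshold=6.5):
    """A decrypt instruction next to a high-entropy region is the shape of a
    self-decrypting payload; either one alone is common in benign binaries."""
    hits = find_aesni(buf)
    has_decrypt = any(name.startswith("aesdec") for _, name in hits)
    ent = max_window_entropy(buf)
    return {"aesni": hits, "max_entropy": round(ent, 2),
            "suspicious": has_decrypt and ent >= threshold}

# Constructed samples, not real payloads: a decrypt fragment followed by a seeded
# permutation of all 256 byte values (entropy exactly 8.0), versus plain
# code-like bytes with no AES-NI at all.
_blob = list(range(256))
random.Random(1).shuffle(_blob)
SAMPLE_PAYLOAD = (b"\x48\x31\xc0"              # xor rax, rax
                  b"\x66\x0f\x38\xde\xc1"      # aesdec xmm0, xmm1
                  b"\x66\x0f\x38\xdf\xc1"      # aesdeclast xmm0, xmm1
                  + bytes(_blob))
SAMPLE_BENIGN = b"\x90" * 64 + b"\x48\x89\xe5\x5d\xc3" * 20  # nop sled; mov rbp,rsp; pop rbp; ret
```

Run it over a file with `triage(open(path, "rb").read())`; a plain NOP-padded encryption routine (aesenc only) or a low-entropy file is reported as not suspicious.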

Notes
This is still a work in progress, I will implement Windows and BSD/Mac engines and PoCs ASAP.
IDPSes and sandboxes suck.
"Tradition becomes our security, and when the mind is secure it is in decay."
Jiddu Krishnamurti


Onion URL Inspector - ONIOFF

A simple tool, written in pure Python, for inspecting Deep Web URLs (or onions).
Compatible with Python 2.6 & 2.7.
Author: Nikolaos Kamarinakis (nikolaskama.me)

Installation
You can download ONIOFF by cloning the Git Repo and simply installing its requirements:
$ git clone https://github.com/k4m4/onioff.git
$ cd onioff
$ pip install -r requirements.txt

Usage
Usage: python onioff.py {onion} [options]
To view all available options run:
$ python onioff.py -h
NOTE: In order for ONIOFF to work, Tor must be correctly configured and running.

Demo
Here's a short demo:
https://nikolaskama.me/content/images/2016/09/onioff_demo.png
(For more demos click here.)

Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.