SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Red Team. Show all posts
Showing posts with label Red Team. Show all posts

Sunday, February 18, 2024

BounceBack - Stealth Redirector For Your Red Team Operation Security


BounceBack is a powerful, highly customizable and configurable reverse proxy with WAF functionality for hiding your C2/phishing/etc infrastructure from blue teams, sandboxes, scanners, etc. It uses real-time traffic analysis through various filters and their combinations to hide your tools from illegitimate visitors.

The tool is distributed with preconfigured lists of blocked words, blocked and allowed IP addresses.

For more information on tool usage, you may visit project's wiki.

Features

  • Highly configurable and customizable filters pipeline with boolean-based concatenation of rules will be able to hide your infrastructure from the most keen blue eyes.
  • Easily extendable project structure, everyone can add rules for their own C2.
  • Integrated and curated massive blacklist of IPv4 pools and ranges known to be associated with IT Security vendors combined with IP filter to disallow them to use/attack your infrastructure.
  • Malleable C2 Profile parser is able to validate inbound HTTP(s) traffic against the Malleable's config and reject invalidated packets.
  • Out of the box domain fronting support allows you to hide your infrastructure a little bit more.
  • Ability to check the IPv4 address of request against IP Geolocation/reverse lookup data and compare it to specified regular expressions to exclude out peers connecting outside allowed companies, nations, cities, domains, etc.
  • All incoming requests may be allowed/disallowed for any time period, so you may configure work time filters.
  • Support for multiple proxies with different filter pipelines at one BounceBack instance.
  • Verbose logging mechanism allows you to keep track of all incoming requests and events for analyzing blue team behaviour and debug issues.

Rules

BounceBack currently supports the following filters:

  • Boolean-based (and, or, not) rules combinations
  • IP and subnet analysis
  • IP geolocation fields inspection
  • Reverse lookup domain probe
  • Raw packet regexp matching
  • Malleable C2 profiles traffic validation
  • Work (or not) hours rule

Custom rules may be easily added, just register your RuleBaseCreator or RuleWrapperCreator. See already created RuleBaseCreators and RuleWrapperCreators

Rules configuration page may be found here.

Proxies

At the moment, BounceBack supports the following protocols:

  • HTTP(s) for your web infrastructure
  • DNS for your DNS tunnels
  • Raw TCP (with or without tls) and UDP for custom protocols

Custom protocols may be easily added, just register your new type in manager. Example proxy realizations may be found here.

Proxies configuration page may be found here.

Installation

Just download latest release from release page, unzip it, edit config file and go on.

If you want to build it from source, install goreleaser and run:

goreleaser release --clean --snapshot

Share:

PurpleKeep - Providing Azure Pipelines To Create An Infrastructure And Run Atomic Tests


With the rapidly increasing variety of attack techniques and a simultaneous rise in the number of detection rules offered by EDRs (Endpoint Detection and Response) and custom-created ones, the need for constant functional testing of detection rules has become evident. However, manually re-running these attacks and cross-referencing them with detection rules is a labor-intensive task which is worth automating.

To address this challenge, I developed "PurpleKeep," an open-source initiative designed to facilitate the automated testing of detection rules. Leveraging the capabilities of the Atomic Red Team project which allows to simulate attacks following MITRE TTPs (Tactics, Techniques, and Procedures). PurpleKeep enhances the simulation of these TTPs to serve as a starting point for the evaluation of the effectiveness of detection rules.

Automating the process of simulating one or multiple TTPs in a test environment comes with certain challenges, one of which is the contamination of the platform after multiple simulations. However, PurpleKeep aims to overcome this hurdle by streamlining the simulation process and facilitating the creation and instrumentation of the targeted platform.

Primarily developed as a proof of concept, PurpleKeep serves as an End-to-End Detection Rule Validation platform tailored for an Azure-based environment. It has been tested in combination with the automatic deployment of Microsoft Defender for Endpoint as the preferred EDR solution. PurpleKeep also provides support for security and audit policy configurations, allowing users to mimic the desired endpoint environment.

To facilitate analysis and monitoring, PurpleKeep integrates with Azure Monitor and Log Analytics services to store the simulation logs and allow further correlation with any events and/or alerts stored in the same platform.

TLDR: PurpleKeep provides an Attack Simulation platform to serve as a starting point for your End-to-End Detection Rule Validation in an Azure-based environment.

Requirements

The project is based on Azure Pipelines and requires the following to be able to run:

  • Azure Service Connection to a resource group as described in the Microsoft Docs
  • Assignment of the "Key Vault Administrator" Role for the previously created Enterprise Application
  • MDE onboarding script, placed as a Secure File in the Library of Azure DevOps and make it accessible to the pipelines

Optional

You can provide a security and/or audit policy file that will be loaded to mimic your Group Policy configurations. Use the Secure File option of the Library in Azure DevOps to make it accessible to your pipelines.

Refer to the variables file for your configurable items.

Design

Infrastructure

Deploying the infrastructure uses the Azure Pipeline to perform the following steps:

  • Deploy Azure services:
    • Key Vault
    • Log Analytics Workspace
    • Data Connection Endpoint
    • Data Connection Rule
  • Generate SSH keypair and password for the Windows account and store in the Key Vault
  • Create a Windows 11 VM
  • Install OpenSSH
  • Configure and deploy the SSH public key
  • Install Invoke-AtomicRedTeam
  • Install Microsoft Defender for Endpoint and configure exceptions
  • (Optional) Apply security and/or audit policy files
  • Reboot

Simulation

Currently only the Atomics from the public repository are supported. The pipelines takes a Technique ID as input or a comma seperate list of techniques, for example:

  • T1059.003
  • T1027,T1049,T1003

The logs of the simulation are ingested into the AtomicLogs_CL table of the Log Analytics Workspace.

There are currently two ways to run the simulation:

Rotating simulation

This pipeline will deploy a fresh platform after the simulation of each TTP. The Log Analytic workspace will maintain the logs of each run.

Warning: this will onboard a large number of hosts into your EDR

Single deploy simulation

A fresh infrastructure will be deployed only at the beginning of the pipeline. All TTP's will be simulated on this instance. This is the fastests way to simulate and prevents onboarding a large number of devices, however running a lot of simulations in a same environment has the risk of contaminating the environment and making the simulations less stable and predictable.

TODO

Must have

  • Check if pre-reqs have been fullfilled before executing the atomic
  • Provide the ability to import own group policy
  • Cleanup biceps and pipelines by using a master template (Complete build)
  • Build pipeline that runs technique sequently with reboots in between
  • Add Azure ServiceConnection to variables instead of parameters

Nice to have

  • MDE Off-boarding (?)
  • Automatically join and leave AD domain
  • Make Atomics repository configureable
  • Deploy VECTR as part of the infrastructure and ingest results during simulation. Also see the VECTR API issue
  • Tune alert API call to Microsoft Defender for Endpoint (Microsoft.Security alertsSuppressionRules)
  • Add C2 infrastructure for manual or C2 based simulations

Issues

  • Atomics do not return if a simulation succeeded or not
  • Unreliable OpenSSH extension installer failing infrastructure deployment
  • Spamming onboarded devices in the EDR

References


Share:

BestEdrOfTheMarket - Little AV/EDR Bypassing Lab For Training And Learning Purposes


Little AV/EDR Evasion Lab for training & learning purposes. (️ under construction..)​

 ____            _     _____ ____  ____     ___   __   _____ _
| __ ) ___ ___| |_ | ____| _ \| _ \ / _ \ / _| |_ _| |__ ___
| _ \ / _ \/ __| __| | _| | | | | |_) | | | | | |_ | | | '_ \ / _ \
| |_) | __/\__ \ |_ | |___| |_| | _ < | |_| | _| | | | | | | __/
|____/_\___||___/\__| |_____|____/|_| \_\ \___/|_| |_| |_| |_|\___|
| \/ | __ _ _ __| | _____| |_
| |\/| |/ _` | '__| |/ / _ \ __|
| | | | (_| | | | < __/ |_ Yazidou - github.com/Xacone
|_| |_|\__,_|_| |_|\_\___|\__|


BestEDROfTheMarket is a naive user-mode EDR (Endpoint Detection and Response) project, designed to serve as a testing ground for understanding and bypassing EDR's user-mode detection methods that are frequently used by these security solutions.
These techniques are mainly based on a dynamic analysis of the target process state (memory, API calls, etc.),

Feel free to check this short article I wrote that describe the interception and analysis methods implemented by the EDR.


Defensive Techniques

In progress:


Usage

        Usage: BestEdrOfTheMarket.exe [args]

/help Shows this help message and quit
/v Verbosity
/iat IAT hooking
/stack Threads call stack monitoring
/nt Inline Nt-level hooking
/k32 Inline Kernel32/Kernelbase hooking
/ssn SSN crushing
BestEdrOfTheMarket.exe /stack /v /k32
BestEdrOfTheMarket.exe /stack /nt
BestEdrOfTheMarket.exe /iat


Share:

Sunday, January 28, 2018

Detect And Bypass Web Application Firewalls And Protection Systems - WhatWaf



Features
  • Ability to run on a single URL with the -u/--url flag
  • Ability to run through a list of URL's with the -l/--list flag
  • Ability to detect over 40 different firewalls
  • Ability to try over 20 different tampering techniques
  • Ability to pass your own payloads either from a file or from the terminal
  • Payloads that are guaranteed to produce at least one WAF triggering
  • Ability to bypass firewalls using both SQLi techniques and cross site scripting techniques
  • Ability to run behind Tor
  • Ability to run behind multiple proxy types (socks4, socks5, http, https)
  • Ability to use a random user agent, personal user agent, or custom default user agent
  • More to come...

Installation
Installing whatwaf is super easy, all you have to do is the following:
Have Python 2.7, Python 3.x compatibility is being implemented soon:
sudo -s << EOF
git clone https://github.com/ekultek/whatwaf.git
cd whatwaf
chmod +x whatwaf.py
pip2 install -r requirements.txt
./whatwaf.py --help

Proof of concept
First we'll run the website through WhatWaf and figure out which firewall protects it (if any):



Next we'll go to that website and see what the page looks like:



Hmm.. that doesn't really look like Cloudflare does it? Let's check what the HTTP headers server and cookies say:



And finally, lets try one of the bypasses that it tells us to try:



Demo vídeo






Share:

Thursday, September 21, 2017

Advanced Web Shell - DAws


There's multiple things that makes DAws better than every Web Shell out there:
  1. Bypasses Security Systems(IPS, WAFs,etc) like Suhosin(uses up to 20 php functions just to get a command executed).
  2. Drops CGI Shells and communicate with them to bypass Security Systems.
  3. Uses the SSH Authorized Keys method to bypass Security Systems.
  4. Uses Shellshock in 2 methods to bypass Security Systems.
  5. Is completely Post Based and uses a XOR Encryption based on a random key that gets generated with every new session + private base64 functions to bypass Security Systems.
  6. Supports Windows and Linux.
  7. Finds a writeable and readable directory and moves there if it's a web directory; DAws will output everything in that found directory.
  8. Drops a php.ini and a .htaccess file that clears all disablers incase "suphp" was installed.
  9. Has an advanced File Manager.
  10. Everything is done automatically so there's nothing for the user to worry about.
  11. Open Source.
  12. and much more (check the source for more information; everything is well commented)

Credits:


Share:

Monday, December 12, 2016

Trace URL's jumps across the rel links to obtain the last URL - Hoper



It shows all the hops that makes a url you specify to reach its endpoint. For example if you want to see the entire trip by email URL or like a URL shorten. Hoper returns you all URLs redirections.

Installation
$ gem install hoper

Usage
Type in your command line:
$ hoper [url]

Development
After checking out the repo, run bin/setup to install dependencies. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install . To release a new version, update the version number in version.rb , and then run bundle exec rake release , which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org .



Share:

Penetration testers favorite for WAF Bypassing - WAFNinja



WAFNinja is a CLI tool written in Python. It shall help penetration testers to bypass a WAF by automating steps necessary for bypassing input validation. The tool was created with the objective to be easily extendible, simple to use and usable in a team environment. Many payloads and fuzzing strings, which are stored in a local database file come shipped with the tool. WAFNinja supports HTTP connections, GET and POST requests and the use of Cookies in order to access pages restricted to authenticated users. Also, an intercepting proxy can be set up.

Usage:
wafninja.py [-h] [-v] {fuzz, bypass, insert-fuzz, insert-bypass, set-db} ...
EXAMPLE:
fuzz:
python wafninja.py fuzz -u "http://www.target.com/index.php?id=FUZZ" 
-c "phpsessid=value" -t xss -o output.html
bypass:
python wafninja.py bypass -u "http://www.target.com/index.php"  -p "Name=PAYLOAD&Submit=Submit"         
-c "phpsessid=value" -t xss -o output.html
insert-fuzz:
python wafninja.py insert-fuzz -i select -e select -t sql
positional arguments: {fuzz, bypass, insert-fuzz, insert-bypass, set-db}
Which function do you want to use?

fuzz check which symbols and keywords are allowed by the WAF.
bypass sends payloads from the database to the target.
insert-fuzz add a fuzzing string
insert-bypass add a payload to the bypass list
set-db use another database file. Useful to share the same database with others.

optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
Share:

Monday, October 3, 2016

IDPS & SandBox & AntiVirus STEALTH KILLER - MorphAES



MorphAES is the world's first polymorphic shellcode/malware engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it's cross-platform as well and library-independent.

Properties:

  • Polymorphism (AES encryption)
  • Metamorphism (logic and constants changing)
  • Platform independent (Linux/BSD/Windows)
  • IDPS stealthing (the total number of possible signatures is more the number of atoms in the universe for one given code)
  • Sandbox evasion (special assembly instructions)
  • Realism (no null bytes)
  • Can produce executables (malwares)
  • Input code can have arbitrary length
Dependencies for the morpher:
  • Python 2.7 - main engine
  • Python Crypto 2.6 - for encryption
Dependencies for the code execution:
  • 64-bit Intel AES-NI - for decryption
Nonetheless, there are some limitations (aka white-hat aspects):
  • Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily)
  • Unicode null bytes might still work (but who cares?)
  • It will only work on 64-bit Intel processors with AES-NI support, but since all the user's PCs (like Pentium, Celeron, i3, i5, i7) and the industry's servers (like Xeon) have it, it's more a specification, rather than a limitation, thus a 32-bit implementation is unpractical
  • Almost any shellcode is guarantee to work however, an arbitrary code (malware) doesn't
  • Windows/BSD PoC and executables are in progress...

How it works
  1. Shellcode padding with NOPs (since AES is a block cipher)
  2. Shellcode encryption with a random key using AES-128-ECB (not the best, but the simplest) - polymorphism
  3. Constants randomization, logic changes, instructions modification and rewriting - metamorphism

HowTo
For Linux:
sudo apt-get install python python-crypto
Execute the Pyhton script and enter your shellcode or nothing for a default Linux shell. You can specify your own execution address as well.
It is possible to build and execute on Windows/BSD/Mac as well, but I'm still testing it.
You can also use the Linux PoC in assembly:
as shellcode.s -o shellcode.o
ld shellcode.o -o shellcode
./shellcode
Every file is commented and explained

Tests
At this point, it should be pretty obvious that, the hashes would be different every time, but let's compare SSDEEPes of 2 Linux executables of the same shellcode:
  • 96:GztTHyKGQh3lo6Olv4W4zS/2WnDf74i4a4B7UEoB46keWJl09:Gzty6VOlvqSTDflmNroh,
  • 96:GQtT23yKmFUh3lo6OlOnIrFS4rkoPPf74i4a4B7UEoB46keWJ5:GQtCGWVOlOWFSsPflmNroh,
Well, there's something in common, but globally those are 2 different signatures, now what about the shellcode it-self:
  • 48:eip2bR2LRNtRPORDGRopRBXR3cRzER2vRU9BnH6ksr:Srn+,
  • 48:6RjNeR2IRN7RPWRDeRokRB5R3xRz3R28RUxFT2+75eFK9iKMAdXAJKo:O9Tdwoo,
Almost totally different signatures for the same morphed shellcode!
At the publication date, the executable was detected as a shellcode only by 2 out of 53 antiviruses (AVG and Ikarus) on virustotal , but now, it just fails to analyze.
malwr's with cuckoo2 doesn't see anything suspicious.
On the reverser's perspective, IDA won't see anything either.
Radare2 would show the real instructions only if assembled by the assembler it-self however, it doesn't detects any crypto or suspicious activity for the executable.
Althrough, I didn't test it personally, I think that FortiSandbox, Sophos Sandstorm, Blue Coat, GateWatcher and their derivatives might fail badly...

To put it in the nutshell
Basically, it can transform a script-kid's code (or a known-one ) into a zero-day.
IDPS will fail because, it's almost impossible to make a signature and difficult to make a regular expression or heuristic analysis.
Most of the sandboxes doesn't use Intel's AES-NI instructions directly, so they will not execute the code, so "everything is fine" for them, whereas it's not.
The only way to defeat this type of shellcode/malware is to use an appropriate sandboxing or/and an AI.
Notice that, the whole execution is done by a pure assembly, no Python (or shitty OpenSSL) is needed for the shellcode's/malware's execution since, I use built-in assembly instructions only, thus it's system-independent (surely, you will have to assemble it for each-one by adapting the instructions/opcodes, but they are still same).

Notes
This is still a work in progress, I will implement Windows and BSD/Mac engines and PoCs ASAP.
IDPSes and sanboxes suck.
"Tradition becomes our security, and when the mind is secure it is in decay."
Jiddu Krishnamurti


Share:

Sunday, August 28, 2016

Firewall and IDS Evasion / Bypassing the Firewalls and IDS/IPS - NMAP Scanning Tutorial





This post is for penetration testers that face issues with scanning the Corporate networks with firewalls deployed and are unable to bypass the Firewall or an IDS/IPS .
Firewall is generally a software or hardware to protect private network from public network.This is a trouble maker for the Penetration testers as they are not able to bypass this added layer of security .
Well the good news here is that we can use Nmap options to bypass the firewalls , IDS/IPS .
If a penetration tester can bypass firewall then half game is won for the penetration tester. In this tutorial you will learn how to bypass and test firewall using the NMAP options.


NMAP options to Bypass the Firewall :



-f (fragment packets):

This option is to make it harder to detect the packets. By specifying this option once, Nmap will split the packet into 8 bytes or less after the IP header. This makes the detection of Nmap sent packets difficult .

–mtu:

With this option, you can specify your own packet size fragmentation. The Maximum Transmission Unit (MTU) must be a multiple of eight or Nmap will give an error and exit. This helps in Firewall Evasion .

-D (decoy):

By using this option, Nmap will send some of the probes from the spoofed IP addresses specified by the user. The idea is to mask the true IP address of the user in the logfiles. The user IP address is still in the logs. You can use RND to generate a random IP address or RND:number to generate the <number> IP address. The hosts you use for decoys should be up, or you will flood the target. Also remember that by using many decoys you can cause network congestion, so you may want to avoid that especially if you are scanning your client network.

–source-port <portnumber> or –g (spoof source port):

This option will be useful if the firewall is set up to allow all incoming traffic that comes from a specific port.

–data-length:

This option is used to change the default data length sent by Nmap in order to avoid being detected as Nmap scans.

–max-parallelism:

This option is usually set to one in order to instruct Nmap to send no more than one probe at a time to the target host.

–scan-delay <time>:

This option can be used to evade IDS/IPS that uses a threshold to detect port scanning activity. Setting the Scan delay is always a good idea when you want to evade any security device .

Sources : Nmap.org

OffSec 

http://nmap.org/book/man-bypass-firewalls-ids.html
Share:
Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community