SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

Weakerth4n is a penetration testing distribution which is built from Debian Squeeze. For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...

Monday, January 4, 2016

REMnux v6 - A Linux Toolkit for Reverse-Engineering and Analyzing Malware


REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.

The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

Malware Analysis Tools Installed on REMnux

The REMnux distribution includes many free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The majority of these tools are listed below.

  • Examine Browser Malware
  • Examine Document Files
  • Extract and Decode Artifacts
  • Handle Network Interactions
  • Process Multiple Samples
  • Examine File Properties and Contents
  • Investigate Linux Malware
  • Edit and View Files
  • Examine Memory Snapshots
  • Statically Examine PE Files
  • Investigate Mobile Malware
  • Perform Other Tasks

REMnux Documentation 

REMnux documentation is a relatively recent effort that provides additional details about the toolkit. The document set is still in need of improvement and expansion.

The one-page REMnux cheat sheet highlights some of the most useful tools and commands available as part of the REMnux distro. It’s an especially nice starting point for people who are new to the distribution. 



Medusa - Speedy, Parallel and Modular Login Brute-Forcer


Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers the following items to be some of the key features of this application:
  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.


Why?

Why create Medusa? Isn't this the same thing as THC-Hydra? Here are some of the reasons for this application:
  • Application stability. Maybe I'm just lame, but Hydra frequently crashed on me. I was no longer confident that Hydra was actually doing what it claimed to be. Rather than fix Hydra, I decided to create my own buggy application which could crash in new and exciting ways.
  • Code organization. A while back I added several features to Hydra (parallel host scanning, SMBNT module). Retro-fitting the parallel host code to Hydra was a serious pain. This was mainly due to my coding ignorance, but was probably also due to Hydra not being designed from the ground-up to support this. Medusa was designed from the start to support parallel testing of hosts, users and passwords.
  • Speed. Hydra accomplishes its parallel testing by forking off a new process for each host and instance of the service being tested. When testing many hosts/users at once this creates a large amount of overhead as user/password lists must be duplicated for each forked process. Medusa is pthread-based and does not unnecessarily duplicate information.
  • Education. I am not an experienced C programmer, nor do I consider myself an expert in multi-threaded programming. Writing this application was a training exercise for me. Hopefully, the results of it will be useful for others. 

Module specific details:
  • AFP
  • CVS
  • FTP
  • HTTP
  • IMAP
  • MS-SQL
  • MySQL
  • NetWare NCP
  • NNTP
  • PcAnywhere
  • POP3
  • PostgreSQL
  • REXEC
  • RDP
  • RLOGIN
  • RSH
  • SMBNT
  • SMTP-AUTH
  • SMTP-VRFY
  • SNMP
  • SSHv2
  • Subversion (SVN)
  • Telnet
  • VMware Authentication Daemon (vmauthd)
  • VNC
  • Generic Wrapper
  • Web Form

News
2015-06-07: Released Medusa v2.2_rc2
2015-05-28: Released Medusa v2.2_rc1
2012-05-25: Released Medusa v2.1.1
2012-04-02: Released Medusa v2.1
2011-03-04: tak and bigmoneyhat have released a Java-based GUI for Medusa (Medusa-gui)
2010-02-09: Released Medusa v2.0



BruteX - Automatically Brute Force all Services Running on a Target


Automatically brute force all services running on a target including:
  • Open ports
  • DNS domains
  • Web files
  • Web directories
  • Usernames
  • Passwords

USAGE
./brutex target

DEPENDENCIES
  • NMap
  • Hydra
  • Wfuzz
  • SNMPWalk
  • DNSDict

To brute force multiple hosts, use brutex-massscan and include the IPs/hostnames to scan in the targets.txt file.
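Both Medusa and BruteX work by iterating over hosts, users and passwords in parallel, which is also what makes them visible on the target: a burst of failed logins from one source, spread across many usernames, often followed by one success. The following detector is an added example written for this page (it is not part of Medusa, BruteX or any other project here); it parses sshd lines in auth.log style, which are constructed for the example, and applies a sliding-window threshold per source. The window size, failure count and distinct-user count are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in auth.log syslog style; not taken from any real host.
SAMPLE_AUTH_LOG = """\
Jan  4 10:00:01 lab sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan  4 10:00:01 lab sshd[2002]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Jan  4 10:00:02 lab sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jan  4 10:00:02 lab sshd[2004]: Failed password for invalid user test from 198.51.100.7 port 40004 ssh2
Jan  4 10:00:03 lab sshd[2005]: Failed password for invalid user guest from 198.51.100.7 port 40005 ssh2
Jan  4 10:00:03 lab sshd[2006]: Failed password for root from 198.51.100.7 port 40006 ssh2
Jan  4 10:00:04 lab sshd[2007]: Accepted password for root from 198.51.100.7 port 40007 ssh2
Jan  4 10:05:00 lab sshd[2008]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jan  4 10:05:30 lab sshd[2009]: Accepted password for alice from 192.0.2.10 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2016):
    """Turn auth.log lines into (timestamp, result, user, source) tuples.
    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, window_s=60, min_failures=5, min_users=3):
    """One alert per source whose densest window_s-second window holds at least
    min_failures failed logins (thresholds are assumed tuning values).
    'spraying' marks many distinct usernames in that window, the pattern of a
    tool that iterates users as well as passwords; 'success_after' marks an
    accepted login from the same source at or after the burst, which is the
    case that needs immediate response."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in sorted(events):
        (failures if result == "Failed" else successes)[src].append((ts, user))

    alerts = []
    for src, fails in failures.items():
        lo, best = 0, (0, 0, None)            # (count, distinct users, window end)
        for hi in range(len(fails)):          # sliding window over sorted failures
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_s:
                lo += 1
            count = hi - lo + 1
            if count > best[0]:
                users = {u for _, u in fails[lo:hi + 1]}
                best = (count, len(users), fails[hi][0])
        count, nusers, end = best
        if count < min_failures:
            continue
        alerts.append({
            "src": src,
            "failures": count,
            "distinct_users": nusers,
            "spraying": nusers >= min_users,
            "success_after": any(ts >= end for ts, _ in successes.get(src, [])),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the constructed log the single alert names 198.51.100.7 with six failures across five usernames and a success afterwards, while the lone failed attempt from 192.0.2.10 stays below the threshold. In production the same per-source window logic is what fail2ban-style tooling or a SIEM rule implements; the distinct-user count is the part that separates a forgotten password from a user/password list being walked in parallel.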



MITMf - Framework for Man-In-The-Middle attacks


Framework for Man-In-The-Middle attacks

Available plugins
  • SMBtrap - Exploits the 'SMB Trap' vulnerability on connected clients
  • Screenshotter - Uses HTML5 Canvas to render an accurate screenshot of a client's browser
  • Responder - LLMNR, NBT-NS, WPAD and MDNS poisoner
  • SSLstrip+ - Partially bypass HSTS
  • Spoof - Redirect traffic using ARP spoofing, ICMP redirects or DHCP spoofing
  • BeEFAutorun - Autoruns BeEF modules based on a client's OS or browser type
  • AppCachePoison - Perform app cache poisoning attacks
  • Ferret-NG - Transparently hijacks sessions
  • BrowserProfiler - Attempts to enumerate all browser plugins of connected clients
  • CacheKill - Kills page caching by modifying headers
  • FilePwn - Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
  • Inject - Inject arbitrary content into HTML content
  • BrowserSniper - Performs drive-by attacks on clients with out-of-date browser plugins
  • jskeylogger - Injects a JavaScript keylogger into a client's webpages
  • Replace - Replace arbitrary content in HTML content
  • SMBAuth - Evoke SMB challenge-response authentication attempts
  • Upsidedownternet - Flips images 180 degrees

How to install on Kali
apt-get install mitmf


Installation
If MITMf is not in your distro's repo or you just want the latest version:
  • Run the command git clone https://github.com/byt3bl33d3r/MITMf.git to clone this directory
  • Run the setup.sh script
  • Run the command pip install --upgrade -r requirements.txt to install all Python dependencies

On Kali Linux, if you get an error while installing the pypcap package, or if you see ImportError: no module named pcap when starting MITMf, run apt-get install python-pypcap to fix it.



Proxenet - Hacker Friendly Proxy for Web Application Penetration Tests


Proxenet is a hacker friendly proxy for web application penetration tests.

proxenet is a multi-threaded proxy which allows you to manipulate your HTTP requests and responses using your favorite scripting language. No need to learn Java (like for Burp) or Python (like for mitmproxy). proxenet supports heaps of languages (see the section "Language Versions") and more can be easily added.

proxenet is not script kiddie friendly, nor GUI friendly. If that is what you are looking for, here are a few links for you:
Or the best way, write your own GUI as a proxenet plugin!

Why ?

The idea behind proxenet came after a lot of frustration from attempting to write extensions for Burp. Moreover, only a few existing proxies support adding new extensions at all, and when they do, they are tied to one language, despite Burp's persistent attempts to make unnatural bindings (Python over Java or, worse, Ruby over Java).

Being written in pure C, it is fast, efficient and easily pluggable to anything else. It is the ultimate real DIY web proxy for pentest(ers).

Features

Here is a sample of the features already supported by proxenet:
  • Written in C
    • Fast (heavy thread use)
    • Efficient (POSIX compatible)
    • Low memory footprint (for the core)
  • Can interact with any language
  • Provides plugins support for the following languages:
    • C
    • Python
    • Lua
    • Ruby
    • Perl
    • Tcl
    • Java
  • SSL
    • Full SSL interception (internal CA)
    • SSL client certificate authentication
  • IPv4/IPv6
  • HTTP Proxy forwarding
  • White-list/Black-list hosts filtering
  • Command interface out-of-band
  • Nice TTY colors :D
  • 100% Open-Source
... and more !

The best of both worlds?

Some people might miss the beautiful interface some other GUI-friendly proxies provide. So be it! Plug proxenet as a relay behind your favorite Burp, Zap, Proxystrike, burst, etc. and enjoy the show!

How to start
$ git clone https://github.com/hugsy/proxenet.git
$ cd proxenet && cmake . && make



The Exploit-Database Git Repository



This is the official repository of The Exploit Database, a project sponsored by Offensive Security.

The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

This repository is updated daily with the most recently added submissions.

Included with this repository is the searchsploit utility, which will allow you to search through the exploits using one or more terms.

root@kali:~# searchsploit -h
Usage : searchsploit [OPTIONS] term1 [term2] ... [termN]
Example: searchsploit oracle windows local

=========
OPTIONS
=========
-c - Perform case-sensitive searches; by default,
searches will try to be greedy
-v - By setting verbose output, description lines
are allowed to overflow their columns
-h, --help - Show help screen

NOTES:
- Use any number of search terms you would like (minimum: 1)
- Search terms are not case sensitive, and order is irrelevant

root@kali:~# searchsploit afd windows local
----------------------------------------------------------------|----------------------------------
Description | Path
----------------------------------------------------------------|----------------------------------
MS Windows XP/2003 AFD.sys Privilege Escalation Exploit (K-plug | /windows/local/6757.txt
Microsoft Windows xp AFD.sys Local Kernel DoS Exploit | /windows/dos/17133.c
Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (M | /windows/local/18176.py
Windows - AfdJoinLeaf Privilege Escalation (MS11-080) | /windows/local/21844.rb
----------------------------------------------------------------|----------------------------------
root@kali:~#
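The help text and the sample run above define searchsploit's matching rules: every term must match, terms match against both the description and the path, order does not matter, and matching is case-insensitive unless -c is given. The following is an added example that re-implements those rules over a small CSV index; it is not searchsploit's own code, and the index rows are constructed here (the four Windows rows reuse the descriptions and paths shown in the output above, with the truncated parentheticals dropped, and the two X-prefixed rows are decoys that should not match).

```python
import csv
import io

# Constructed index in an id,file,description column layout (an assumption for
# this example). Rows X1 and X2 are decoys that must not match an "afd" search.
INDEX_CSV = """\
id,file,description
6757,/windows/local/6757.txt,MS Windows XP/2003 AFD.sys Privilege Escalation Exploit
17133,/windows/dos/17133.c,Microsoft Windows xp AFD.sys Local Kernel DoS Exploit
18176,/windows/local/18176.py,Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit
21844,/windows/local/21844.rb,Windows - AfdJoinLeaf Privilege Escalation (MS11-080)
X1,/linux/local/X1.c,Constructed decoy - Linux local entry without the driver name
X2,/windows/remote/X2.py,Constructed decoy - Windows remote entry
"""


def load_index(text):
    """Parse the CSV index into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def search(index, terms, case_sensitive=False):
    """Return rows in which every term occurs in the description or the path.
    Term order is irrelevant; matching is case-insensitive unless
    case_sensitive is set (the equivalent of searchsploit's -c flag)."""
    if not terms:
        raise ValueError("at least one search term is required")
    norm = (lambda s: s) if case_sensitive else str.lower
    wanted = [norm(t) for t in terms]
    hits = []
    for row in index:
        haystack = norm(row["description"] + " " + row["file"])
        if all(t in haystack for t in wanted):
            hits.append(row)
    return hits


def format_table(rows, width=64):
    """Render hits in the two-column layout of the sample output, truncating
    long descriptions the way the tool does without -v."""
    rule = "-" * width + "|" + "-" * 34
    lines = [rule, f"{'Description':<{width}}| Path", rule]
    for r in rows:
        lines.append(f"{r['description'][:width]:<{width}}| {r['file']}")
    lines.append(rule)
    return "\n".join(lines)


if __name__ == "__main__":
    index = load_index(INDEX_CSV)
    print(format_table(search(index, ["afd", "windows", "local"])))
    print(format_table(search(index, ["AFD"], case_sensitive=True)))
```

Note why the dos/17133.c entry appears for "afd windows local": "local" is matched in its description ("Local Kernel DoS"), not in its path, which is exactly the greedy behaviour the help text describes. The case-sensitive search for "AFD" drops the rows that spell the driver "Afd", so -c narrows results rather than simply filtering by path.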



BypassWAF - Burp Plugin to Bypass Some WAF Devices



Add headers to all Burp requests to bypass some WAF products. This extension will automatically add the following headers to all requests.
  X-Originating-IP: 127.0.0.1
  X-Forwarded-For: 127.0.0.1
  X-Remote-IP: 127.0.0.1
  X-Remote-Addr: 127.0.0.1

Usage

Steps include:
  1. Add extension to burp
  2. Create a session handling rule in Burp that invokes this extension
  3. Modify the scope to include applicable tools and URLs
  4. Configure the bypass options on the "Bypass WAF" tab
  5. Test away
Read more here.

Features

All of the features are based on Jason Haddix's work found here, and Ivan Ristic's WAF bypass work found here and here.

Bypass WAF contains the following features:

A description of each feature follows:
  1. Users can modify the X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr headers sent in each request. This is probably the top bypass technique in the tool. It isn't unusual for a WAF to be configured to trust itself (127.0.0.1) or an upstream proxy device, which is what this bypass targets.
  2. The "Content-Type" header can remain unchanged in each request, removed from all requests, or modified to one of the many other options for each request. Some WAFs will only decode/evaluate requests based on known content types; this feature targets that weakness.
  3. The "Host" header can also be modified. Poorly configured WAFs might be configured to only evaluate requests based on the correct FQDN of the host found in this header, which is what this bypass targets.
  4. The request type option allows the Burp user to only use the remaining bypass techniques on the given request method of "GET" or "POST", or to apply them on all requests.
  5. The path injection feature can leave a request unmodified, inject random path info (/path/to/example.php/randomvalue?restofquery), or inject a random path parameter (/path/to/example.php;randomparam=randomvalue?restofquery). This can be used to bypass poorly written rules that rely on path information.
  6. The path obfuscation feature modifies the last forward slash in the path to a random value, or by default does nothing. The last slash can be modified to one of many values that in many cases results in a still valid request but can bypass poorly written WAF rules that rely on path information.
  7. The parameter obfuscation feature is language specific. PHP will discard a + at the beginning of each parameter, but a poorly written WAF rule might be written for specific parameter names, thus ignoring parameters with a + at the beginning. Similarly, ASP discards a % at the beginning of each parameter.
  8. The "Set Configuration" button activates all the settings that you have chosen.
All of these features can be combined to provide multiple bypass options.
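Feature 1 above works only because the WAF derives the client address from a header the client controls. The following is an added example written for this page (not code from the Bypass WAF extension or from any WAF product) that contrasts that weak lookup with a hardened one, and adds the detection a defender would want: proxy-style IP headers arriving directly from an untrusted TCP peer. The trusted-proxy address 10.0.0.2 and the peer/client addresses are constructed for the example.

```python
import ipaddress

# The headers the extension injects. Any client can send them, so a WAF must never
# treat them as evidence of where a request came from.
SPOOFABLE_IP_HEADERS = ("x-originating-ip", "x-forwarded-for", "x-remote-ip", "x-remote-addr")

# Constructed deployment: the only hosts allowed to prepend proxy headers.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def _norm(headers):
    """Header names are case-insensitive; compare on lower-case keys."""
    return {k.lower(): v for k, v in headers.items()}


def client_ip_weak(headers, peer_ip):
    """The misconfiguration the plugin targets: believe the first IP header present."""
    h = _norm(headers)
    for name in SPOOFABLE_IP_HEADERS:
        if name in h:
            return h[name].split(",")[0].strip()
    return peer_ip


def client_ip_hardened(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Use the TCP peer address unless the peer is a trusted proxy. In that case
    walk X-Forwarded-For from the right (proxies append, clients can only prepend)
    and stop at the first address that is not one of our proxies. Anything the
    client placed on the left, such as a fake 127.0.0.1, is never reached."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return str(peer)
    xff = _norm(headers).get("x-forwarded-for", "")
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)          # malformed chain: fall back to the socket
        if ip not in trusted:
            return str(ip)
    return str(peer)                  # every hop was one of ours


def inspection_skipped(client_ip, trusted=TRUSTED_PROXIES):
    """The allow rule that makes the bypass pay off: loopback and the WAF's own
    proxies are exempt from inspection. Safe only with a hardened client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return ip.is_loopback or ip in trusted


def spoofed_header_names(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Detection: proxy-style IP headers sent straight from an untrusted peer can
    only have been written by the client, which is the signature of this bypass."""
    if ipaddress.ip_address(peer_ip) in trusted:
        return []
    h = _norm(headers)
    return [name for name in SPOOFABLE_IP_HEADERS if name in h]


if __name__ == "__main__":
    # Constructed request: an internet client sends the plugin's headers directly.
    req = {"X-Originating-IP": "127.0.0.1", "X-Forwarded-For": "127.0.0.1"}
    print("weak:", client_ip_weak(req, "203.0.113.5"), "->", inspection_skipped(client_ip_weak(req, "203.0.113.5")))
    print("hardened:", client_ip_hardened(req, "203.0.113.5"), "->", inspection_skipped(client_ip_hardened(req, "203.0.113.5")))
    print("flagged headers:", spoofed_header_names(req, "203.0.113.5"))
```

With the weak lookup the constructed request is attributed to 127.0.0.1 and skips inspection; with the hardened lookup the socket peer 203.0.113.5 wins and the request is inspected, while the detection function flags both injected headers. When a trusted proxy really is in front of the WAF, the right-to-left walk still returns the real client even if that client prepended a bogus 127.0.0.1 to X-Forwarded-For.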



SQLiPy - Plugin for Burp Suite that integrates SQLMap using the SQLMap API


SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API.

SQLMap comes with a RESTful based server that will execute SQLMap scans. This plugin can start the API for you or connect to an already running API to perform a scan.

Requirements

Jython 2.7 beta, due to the use of json
Java 1.7 or 1.8 (the beta version of Jython 2.7 requires this)

Usage

SQLiPy relies on a running instance of the SQLMap API server. You can manually start the server with:
  python sqlmapapi.py -s -H <ip> -p <port>
Or, you can use the SQLMap API tab to select the IP/Port on which to run, as well as the path to python and sqlmapapi.py on your system.

Once the SQLMap API is running, it is just a matter of right-clicking in the 'Request' sub tab of either the Target or Proxy main tabs and choosing 'SQLiPy Scan'.

This will populate the SQLMap Scanner tab of the plugin with information about that request. Clicking the 'Start Scan' button will execute a scan.

If the page is vulnerable to SQL injection, then a thread from the plugin will poll the results and add them to the Scanner Results tab.

Read more here.



I2P - The Invisible Internet Project



I2P is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other. The network itself is strictly message based (a la IP), but there is a library available to allow reliable streaming communication on top of it (a la TCP). All communication is end to end encrypted (in total there are four layers of encryption used when sending a message), and even the end points ("destinations") are cryptographic identifiers (essentially a pair of public keys).

How does it work?

To anonymize the messages sent, each client application has its I2P "router" build a few inbound and outbound "tunnels" - a sequence of peers that pass messages in one direction (to and from the client, respectively). In turn, when a client wants to send a message to another client, the client passes that message out one of its outbound tunnels targeting one of the other client's inbound tunnels, eventually reaching the destination. Every participant in the network chooses the length of these tunnels, and in doing so makes a tradeoff between anonymity, latency, and throughput according to their own needs. The result is that the number of peers relaying each end to end message is the absolute minimum necessary to meet both the sender's and the receiver's threat model.

The first time a client wants to contact another client, it makes a query against the fully distributed "network database" - a custom structured distributed hash table (DHT) based on the Kademlia algorithm. This is done to find the other client's inbound tunnels efficiently, but subsequent messages between them usually include that data so no further network database lookups are required.

What can you do with it?

Within the I2P network, applications are not restricted in how they can communicate - those that typically use UDP can make use of the base I2P functionality, and those that typically use TCP can use the TCP-like streaming library. We have a generic TCP/I2P bridge application ("I2PTunnel") that enables people to forward TCP streams into the I2P network as well as to receive streams out of the network and forward them towards a specific TCP/IP address.

I2PTunnel is currently used to let people run their own anonymous website ("eepsite") by running a normal webserver and pointing an I2PTunnel 'server' at it, which people can access anonymously over I2P with a normal web browser by running an I2PTunnel HTTP proxy ("eepproxy"). In addition, we use the same technique to run an anonymous IRC network (where the IRC server is hosted anonymously, and standard IRC clients use an I2PTunnel to contact it). There are other application development efforts going on as well, such as one to build an optimized swarming file transfer application (a la BitTorrent), a distributed data store (a la Freenet / MNet), and a blogging system (a fully distributed LiveJournal), but those are not ready for use yet.

I2P is not inherently an "outproxy" network - the client you send a message to is the cryptographic identifier, not some IP address, so the message must be addressed to someone running I2P. However, it is possible for that client to be an outproxy, allowing you to anonymously make use of their Internet connection. To demonstrate this, the "eepproxy" will accept normal non-I2P URLs (e.g. "http://www.i2p.net") and forward them to a specific destination that runs a squid HTTP proxy, allowing simple anonymous browsing of the normal web. Simple outproxies like that are not viable in the long run for several reasons (including the cost of running one as well as the anonymity and security issues they introduce), but in certain circumstances the technique could be appropriate.

The I2P development team is an open group, welcome to all who are interested in getting involved, and all of the code is open source. The core I2P SDK and the current router implementation are written in Java (currently working with both sun and kaffe, gcj support planned for later), and there is a simple socket based API for accessing the network from other languages (with a C library available, and both Python and Perl in development). The network is actively being developed and has not yet reached the 1.0 release, but the current roadmap describes our schedule.


Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community