BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
Bruter is a parallel network login brute-forcer on Win32. This tool is intended to demonstrate the importance of choosing strong passwords. The goal is to support a variety of services that allow remote authentication. It currently supports following services: º FTP º HTTP (Basic) º HTTP (Form) º IMAP º MSSQL º MySQL º POP3 º SMB-NT º SMTP º SNMP º SSH2 º Telnet º VNC
Bruter Recent Changes º Re-licensed to new-BSD license º Added proxy support (CONNECT, SOCKS4, SOCKS5) º Allowed more delimiter in combo file º Added password length filtered in combo and dictionary mode º Fixed miscellaneous bugs º Updated openssl library to 0.9.8n
The story begins after the end of political conflict with the disabled concentration camps and compliant population with the situation until it comes "V" - an Anarchist wearing a stylized Guy Fawkes mask and is possessed of a wide range of skills and resources. He then begins an elaborate and theatrical campaign to overthrow the state . In the process, you know Evey , girl who lost her parents during the war. Evey is handled by V as an apprentice , always being presented to the remnants of a culture lost because of the war and degradation of society.
AfterGlow is a collection of scripts which facilitate the process of generating link graphs. The tool is written in Perl and needs to be invoked via the command line. Sorry, there is no graphical interface, however using the tool is quite simple. As input, AfterGlow expects a CSV file. The file can either contain two or three columns of data. A common way of generating the CSV files are parsers which take a raw input file, analyze it and output a comma separated list of records based on the data they found. The output of AfterGlow is one of two formats. Either it generates a dot attributed graph language file – the input required by the graphviz library – or it can generate GDF files that can, for example, be visualized with Gephi.
AfterGlow Parsers AfterGlow provides a couple of example parsers to generate CSV input files. The first one to parse tcpdump output and the second one to parse sendmail log files. Here is an example of how to run the tcpdump parser file: tcpdump -vttttnneli eth0 | parsers/tcpdump2csv.pl "sip dip dport" This command will invoke tcpdump on interface eth0 and pipe the input through the parser. We tell the parser that we are interested in the source IP (sip), the destination IP (dip) and the destination port (dport). To see what other fields are available, have a look at the parser. The output of this command is a comma separate list of sip, dip, dport pairs for each of the lines tcpdump outputs. For example, if the tcpdump output is the following: 18:46:27.849292 IP 192.168.0.1.39559 > 127.0.0.1.80: S 1440554803:1440554803(0) win 32767 18:46:27.849389 IP 192.168.0.1.80 > 127.0.0.1.39559: S 1448343500:1448343500(0) ack 1440554804 win 32767 the output would simply be: 192.168.0.1,127.0.0.1,80 192.168.0.1,127.0.0.1,80 You might wonder why the second entry shows the source and destination inverted, not following the exact output of tcpdump. Well, that’s because the parser remembers the source of a communication and automatically inverts the responses to reflect that behavior. It outputs the direction of the communication (client to server) and not the direction of the packets. This is very useful when visualizing network traffic. Think about it! Another possible way to generate input for AfterGlow is to use Microsoft Excel, manually enter the data and save the output as a CSV file. Invocation To generate a dot graph file for graphviz, run the following command: cat file.csv | perl afterglow.pl -c color.properties > file.dot This file can then be used with dot or neato to render a graph. Putting this all together, here is an example on how to generate a graph (gif file) from a saved pcap file: tcpdump -vttttnnelr /home/ram/defcon.tcpdump | ./tcpdump2csv.pl "sip dip dport" | \ perl afterglow.pl -c color.properties | neato -Tgif -o test.gif Invoking afterglow.pl, we specified a color property file. This file is used by AfterGlow to determine the colors of the edges and nodes in the graph. Read the section further down to find out more about that file.
Command Line Parameters This is a list of all the command line parameters that afterglow.pl understands: perl afterglow.pl [-adhnstv] [-b lines] [-c conffile] [-e length] [-f threshold ] [-g threshold] [-l lines] [-o threshold] [-p mode] [-x color] [-m maxsize]
-a : turn off labelelling of the output graph with the configuration used -b lines : number of lines to skip (e.g., 1 for header line) -c conffile : color config file -d : print node count -e length : edge length -f threshold : source fan out threshold -g threshold : event fan out threshold (only in three node mode) -h : this (help) message -l lines : the maximum number of lines to read -m : the maximum size for a node -n : don't print node labels -o threshold : omit threshold (minimum count for nodes to be displayed) Non-connected nodes will be filtered too. -p mode : split mode for predicate nodes where mode is 0 = only one unique predicate node (default) 1 = one predicate node per unique subject node. 2 = one predicate node per unique target node. 3 = one predicate node per unique source/target node. -s : split subject and object nodes -t : two node mode (skip over objects) -u : export URL tags -v : verbose output -x : text label color
Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng). Unlike the protocol analyzer, whose main characteristic is not the reconstruction of the data carried by the protocols, Xplico was born expressly with the aim to reconstruct the protocols's application data and it is able to recognize the protocols with a technique named Port Independent Protocol Identification (PIPI). The name "xplico" refers to the latin verb explico and its significance. Xplico is free and open-source software, subject to the requirements of the GNU General Public License (GPL), version 2. Ubuntu 32/64bit from 11.04 to 15.10 sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list' sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE sudo apt-get update sudo apt-get install xplico VirtualBox Image: Download OVA here. Based on Free VirtualBox Image. user: ubuntu password: reverse
Source code: Download here. Installation instructions are in the INSTALL file and in the Wiki. Ubuntu 12.10 32bit: Download here. Ubuntu Server 12.10 64bit:
Download here Deafult Users user: admin, xplico password: xplico, xplico
Digital Forensics Framework offers a graphical user interface (GUI) developed in PyQt and a classical tree view. Features such as recursive view, tagging, live search and bookmarking are available. Its command line interface allows the user to remotely perform digital investigation. It comes with common shell functions such as completion, task management, globing and keyboard shortcuts. DFF can run batch scripts at startup to automate repetitive tasks. Advanced users and developers can use DFF directly from a Python interpreter to script their investigation.
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
This is the first release since the publication of The Art of Memory Forensics! It adds support for Windows 10 (initial), Linux kernels 4.2.3, and Mac OS X El Capitan. Additionally, the unified output rendering gives users the flexibility of asking for results in various formats (html, sqlite, json, xlsx, dot, text, etc.) while simplifying things for plugin developers. In short, less code leads to more functionality. This is especially useful for framework designers (GUIs, web interfaces, library APIs), because you can interface with a plugin directly and ask for json, which you then store, process, or modify however you want.
MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work “wirelessly”, even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card. MagSpoof does not enable you to use credit cards that you are not legally authorized to use. The Chip-and-PIN and Amex information is not implemented and using MagSpoof requires you to have/own the magstripes that you wish to emulate. Simply having a credit card number and expiration is not enough to perform transactions. MagSpoof does allow you to perform research in other areas of magstripes, microcontrollers, and electromagnetism, as well as learn about and create your own devices similar to other existing, commercial technologies such as Samsung MST and Coin.
º Allows you to store all of your credit cards and magstripes in one device º Works on traditional magstripe readers wirelessly (no NFC/RFID required) º Can disable Chip-and-PIN (code not included) º Correctly predicts Amex credit card numbers + expirations from previous card number (code not included) º Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously º Easy to build using Arduino or other common parts
How MagSpoof Works MagSpoof emulates a magnetic stripe by quickly changing the polarization of an electromagnet, producing a magnetic field similar to that of a normal magnetic stripe as if it’s being swiped. What’s incredible is that the magstripe reader requires no form of wireless receiver, NFC, or RFID — MagSpoof works wirelessly, even with standard magstripe readers. The stronger the electromagnet, the further away you can use it (a few inches in its current iteration). MagSpoof also uses inexpensive, off the shelf parts, and can be built with almost nothing more than an Arduino, wire and a battery! I use a motor driver to provide a reasonable amount of power. Normally electromagnets have an iron core, however we lose the core for the sake of space and portability. Also, while the iron core does make the electromagnet more efficient, we still produce more than enough power to work. MagSpoof improves on new cards such as Coin. I’m a customer of Coin, and while I love their app and the card, the card actually works a very small percentage of the time. After looking over Coin’s FCC docs, I noticed they use two coils to produce a (very small) electromagnetic field, however it’s severely deficient and the card works less than 50% of the time for me, sadly. I found that by emulating a card with MagSpoof, if I send Track 1 one way, and then send Track 2 reversed, every card reader will assume I simply swiped a card back and forth, use the data from both tracks and my strong electromagnet, and properly read all of the data. This is extremely effective, uses only a single coil, and works for both tracks simultaneously. This also allows MagSpoof to work on Track 3. Additionally, if you’re using a Chip card with Coin, you still need to bring your actual credit card to dip, however because MagSpoof can disable Chip-and-PIN (see below), it does not require you to bring your card with you. Hardware
ºAtmel ATtiny85(microcontroller) An Atmel ATtiny85 is the microcontroller to drive the entire system. It stores all of the magnetic stripe / credit card data. In a thinner, credit-card sized (0.8mm thick!) version, I use an [ATtiny10]. ºL293D H-Bridge(motor driver)
I use an L293D H-bridge to drive the electromagnet. The L293D is a motor driver, but motors are actually driven by the electromagnet(s) and magnets inside of them. Any standard driver should work here. Technically the L293D doesn’t work down at 3.7V (voltage of the LiPo battery), but it works surprisingly well. In the credit-card size version, I suggest using a the TI DRV8835 or TI DRV8833. º24AWG Magnet Wire(coil) I use somewhere around ~24AWG magnet wire to act as the coil to produce the electromagnetic field. This piece of wire incredibly produces an electromagnetic field that makes the card reader believe a card is being swiped. Incredible. By rapidly controlling the polarization of this field, the magstripe reader believes the flipped bits of a real card are being swiped through the reader. º100mAh 3.7V LiPo battery(the powah)
A small 100mAh 3.7V lipo battery powers our contraption. For the credit card size version (not shown here), I use a battery from PowerStream.
º100µF Capacitor Keep enough energy in this capacitor to provide the electromagnet with power when we need it, otherwise it will pull too much current and reset the microcontroller. This is the capacitor kit I use as it has all the standard values I’d need.
Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing. Using this technique, we can elevate our privilege on a Windows workstation from the lowest levels to “NT AUTHORITY\SYSTEM” – the highest level of privilege available on a Windows machine. Windows 7
This is important because many organizations unfortunately rely on Windows account privileges to protect their corporate network. Often it is the case that once an attacker is able to gain high privileged access to ANY workstation or server on a Windows network, they can use this access to gain “lateral movement” and compromise other hosts on the same domain. As an attacker, we often gain access to a computer through a low privilege user or service account. Gaining high privilege access on a host is often a critical step in a penetration test, and is usually performed in an ad-hoc manner as there are no known public exploits or techniques to do so reliably. Windows Server 2008
The techniques that this exploit uses to gain privilege escalation aren’t new, but the way they are combined is. Microsoft is aware of all of these issues and has been for some time (circa 2000). These are unfortunately hard to fix without breaking backward compatibility and have been leveraged by attackers for over 15 years.
The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches. Each part corresponds to an already well known attack that has been in use for years: º Local NBNS Spoofer NBNS is a broadcast UDP protocol for name resolution commonly used in Windows environments. º Fake WPAD Proxy Server In Windows, Internet Explorer by default will automatically try to detect network proxy setting configuration by accessing the URL “http://wpad/wpad.dat” º HTTP -> SMB NTLM Relay Part of Windows Integrated Auth protocol suite. Essentially a challenge-response design
Home
Privacy Center
Data Protection
Community
Digital Policy
Security Tools
Online Utilities
Resources
Search Operators
Library
