SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT


Tuesday, April 5, 2016

Tool for easy use of Human Interface Devices for offensive security and penetration testing - Kautilya

Kautilya is a toolkit that provides various payloads for a Human Interface Device (HID), which may help in breaking into a computer during penetration tests.

List of Payloads

Windows

Gather
  • Gather Information
  • Hashdump and Exfiltrate
  • Keylog and Exfiltrate
  • Sniffer
  • WLAN keys dump
  • Get Target Credentials
  • Dump LSA Secrets
  • Dump passwords in plain
  • Copy SAM
  • Dump Process Memory
  • Dump Windows Vault Credentials

Execute
  • Download and Execute
  • Connect to Hotspot and Execute code
  • Code Execution using Powershell
  • Code Execution using DNS TXT queries
  • Download and Execute PowerShell Script
  • Execute ShellCode
  • Reverse TCP Shell

Backdoor
  • Sethc and Utilman backdoor
  • Time based payload execution
  • HTTP backdoor
  • DNS TXT Backdoor
  • Wireless Rogue AP
  • Tracking Target Connectivity
  • Gupt Backdoor

Escalate
  • Remove Update
  • Forceful Browsing

Manage
  • Add an admin user
  • Change the default DNS server
  • Edit the hosts file
  • Add a user and Enable RDP
  • Add a user and Enable Telnet
  • Add a user and Enable Powershell Remoting

Drop Files
  • Drop a MS Word File
  • Drop a MS Excel File
  • Drop a CHM (Compiled HTML Help) file
  • Drop a Shortcut (.LNK) file
  • Drop a JAR file

Misc
  • Browse and Accept Java Signed Applet
  • Speak on Target

Linux
  • Download and Execute
  • Reverse Shells using built in tools
  • Code Execution
  • DNS TXT Code Execution
  • Perl reverse shell (MSF)

OSX
  • Download and Execute
  • DNS TXT Code Execution
  • Perl Reverse Shell (MSF)
  • Ruby Reverse Shell (MSF)

Payloads Compatibility
  • The Windows payloads and modules are written mostly in PowerShell (in combination with native commands) and are tested on Windows 7 and Windows 8.
  • The Linux payloads are mostly shell scripts (those installed by default) in combination with commands. These are tested on Ubuntu 11.
  • The OS X payloads are shell scripts (those installed by default) with usage of native commands. Tested on OS X Lion running in VMware.

Usage

Run kautilya.rb and follow the menus. Kautilya asks for your input for the various options. The generated payload is copied to Kautilya's output directory.
The generated payload is an Arduino sketch, ready to be used with the Arduino IDE. Burn it to the Human Interface Device of your choice and have fun!

Supported Human Interface Devices

In principle, Kautilya should work with any HID capable of acting as a keyboard. Kautilya has been tested on Teensy++ 2.0 and Teensy 3.0 from pjrc.com. Updates about Kautilya can be found most of the time on my blog http://labofapenetrationtester.com/ and the Google group.

User Group

For any queries, discussions and feedback, post to the official Google group http://groups.google.com/group/kautilya-users or mail me at nikhil d0t uitrgpv at gmail.com

Bugs and Feature requests

Raise an issue or post to the google group.

Dependencies

Kautilya needs colored, highline and artii (and win32console on Windows) gems. Use
bundle install
to install all the required gems.


A JavaScript Static Security Analysis Tool - Jsprime


Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple: JavaScript is now accepted as a mainstream programming language for applications, whether on the web or on mobile, on the client side or on the server side. JavaScript's flexibility and loose typing let developers create rich applications at unbelievable speed. Major advances in the performance of JavaScript interpreters have almost eliminated the question of scalability and throughput for many organizations. So the point is that JavaScript is a really important and powerful language today, and its usage is growing every day. From client-side code in web applications it grew to the server side through Node.JS, and it is now supported as a proper language for writing applications on major mobile operating system platforms such as Windows 8 apps and the upcoming Firefox OS apps.

But the problem is that many developers practice insecure coding, which leads to many client-side attacks, of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and figured out that there are not enough practically usable tools that solve real-world problems. Hence, as our first attempt at solving this problem, we want to talk about JSPrime: a JavaScript static analysis tool for the rest of us. It's a very lightweight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Ariya Hidayat.

I would like to highlight some of the interesting features of the tool below:
  • JS Library Aware Source & Sinks
  • Most dynamic or static analyzers are developed to support native/pure JavaScript, which is actually a problem for most developers since the introduction and wide adoption of JavaScript frameworks/libraries like jQuery, YUI etc. Since these scanners are designed to support pure JavaScript, they fail to understand the context of the development due to the usage of libraries and produce many false positives and false negatives. To solve this, we have identified the dangerous user input sources and code execution sink functions for jQuery and YUI for the initial release, and we shall talk about how users can easily extend it for other frameworks.
  • Variable & Function Tracing (This feature is a part of our code flow analysis algorithm)
  • Variable & Function Scope Aware analysis (This feature is a part of our code flow analysis algorithm)
  • Known filter function aware
  • OOP & Prototype Compliant
  • Minimum False Positive alerts
  • Supports minified JavaScript
  • Blazing fast performance
  • Point and Click :-) (my personal favorite)
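To make the source/sink, variable-tracing and filter-awareness features above concrete, here is an added toy taint tracer (not JSPrime's code, and regex-based rather than built on an Esprima parse tree) that flags DOM XSS flows in one-statement-per-line JavaScript; the source and sink lists and the escapeHtml filter name are assumptions chosen for the example:

```python
import re

# Sources: where attacker-controlled data enters the page. The third entry is
# a jQuery-style wrapper, since the tool's point is library-aware sources/sinks.
SOURCES = [
    re.compile(r'\blocation\.(?:hash|search|href)\b'),
    re.compile(r'\bdocument\.(?:URL|referrer|cookie)\b'),
    re.compile(r'\$\(\s*location\s*\)\.attr\(\s*[\'"]href[\'"]\s*\)'),
]
# Known filter functions: an expression that is exactly one call to one of
# these is treated as sanitised. escapeHtml is a hypothetical app helper.
FILTERS = ('encodeURIComponent', 'encodeURI', 'escapeHtml')
# Sinks: the named group 'arg' is the expression whose taint is checked.
SINKS = [
    ('innerHTML',      re.compile(r'\.innerHTML\s*=\s*(?P<arg>.+)$')),
    ('document.write', re.compile(r'\bdocument\.write(?:ln)?\((?P<arg>.+)\)$')),
    ('eval',           re.compile(r'\beval\((?P<arg>.+)\)$')),
    ('jQuery html()',  re.compile(r'\$\(.*?\)\.(?:html|append|prepend)\((?P<arg>.+)\)$')),
]
IDENT = re.compile(r'[A-Za-z_$][\w$]*')
ASSIGN = re.compile(r'^(?:(?:var|let|const)\s+)?(?P<name>[A-Za-z_$][\w$]*)\s*=\s*(?P<expr>.+)$')


def is_filtered(expr):
    """True when the whole expression is a single call to a known filter."""
    e = expr.strip()
    return e.endswith(')') and any(e.startswith(f + '(') for f in FILTERS)


def is_tainted(expr, tainted):
    """An expression is tainted if it reads a source or mentions a tainted
    variable, unless it is wrapped as a whole in a known filter."""
    if is_filtered(expr):
        return False
    if any(src.search(expr) for src in SOURCES):
        return True
    # The identifier scan is deliberately naive: words inside string literals
    # are checked too, which only matters if they collide with a tainted name.
    return any(tok in tainted for tok in IDENT.findall(expr))


def analyze(js):
    """Return [(line, sink_name, expression)] for every tainted sink call."""
    tainted = set()
    findings = []
    for lineno, raw in enumerate(js.splitlines(), 1):
        line = raw.strip().rstrip(';').strip()
        if not line or line.startswith('//'):
            continue
        for sink_name, rx in SINKS:
            m = rx.search(line)
            if m:
                if is_tainted(m.group('arg'), tainted):
                    findings.append((lineno, sink_name, m.group('arg').strip()))
                break
        else:
            m = ASSIGN.match(line)  # variable tracing: record or clear taint
            if m:
                if is_tainted(m.group('expr'), tainted):
                    tainted.add(m.group('name'))
                else:
                    tainted.discard(m.group('name'))
    return findings


# Constructed sample: one statement per line, the only layout this toy handles.
SAMPLE_JS = "\n".join([
    "var q = location.hash.substring(1);",                 # 1: source
    "var name = decodeURIComponent(q);",                   # 2: decoding is not filtering
    "var safe = encodeURIComponent(q);",                   # 3: known filter
    "document.getElementById('out').innerHTML = name;",    # 4: finding
    "$('#greet').html('Hi ' + name);",                     # 5: finding (jQuery sink)
    "$('#greet').text(name);",                             # 6: text() is not a sink
    "document.write(safe);",                               # 7: clean
    "name = 'guest';",                                     # 8: reassignment clears taint
    "document.getElementById('out').innerHTML = name;",    # 9: clean now
])

if __name__ == '__main__':
    for lineno, sink, expr in analyze(SAMPLE_JS):
        print('line %d: tainted data reaches %s: %s' % (lineno, sink, expr))
```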
Usage

Web Client

Open "index.html" in your browser.

Server-Side (Node.JS)
  1. In the terminal type "node server.js"
  2. Go to 127.0.0.1:8888 in your browser.



A tool to find and exploit servers vulnerable to Shellshock - Shocker


Help Text

usage: shocker.py
-h, --help show this help message and exit
--Host HOST, -H HOST A target hostname or IP address
--file FILE, -f FILE File containing a list of targets
--port PORT, -p PORT The target port number (default=80)
--exploit EXPLOIT, -e EXPLOIT Command to execute (default=/bin/uname -a)
--cgi CGI, -c CGI Single CGI to check (e.g. /cgi-bin/test.cgi)
--proxy PROXY A BIT BROKEN RIGHT NOW Proxy to be used in the form 'ip:port'
--ssl, -s Use SSL (default=False)
--threads THREADS, -t THREADS Maximum number of threads (default=10, max=100)
--verbose, -v Be verbose in output

Usage Examples

./shocker.py -H 127.0.0.1 -e "/bin/cat /etc/passwd" -c /cgi-bin/test.cgi
Scans for http://127.0.0.1/cgi-bin/test.cgi and, if found, attempts to cat /etc/passwd
./shocker.py -H www.example.com -p 8001 -s
Scans www.example.com on port 8001 using SSL for all scripts in cgi_list and attempts the default exploit against any found
./shocker.py -f ./hostlist
Scans all hosts listed in the file ./hostlist with the default options
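As an added defender-side counterpart to the scanner (not part of Shocker), the following Python checks request headers and combined-format web server log lines for the bash function-definition prefix that Shellshock probes carry; the log lines are constructed samples:

```python
import re

# A Shellshock probe is a bash function definition placed in an HTTP header
# that a CGI server copies into the environment. The tell-tale is the "() {"
# function-definition prefix; the whitespace around it varies between tools.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Combined log format (constructed regex for the fields Apache/nginx write).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def check_headers(headers):
    """Return the names of request headers carrying the Shellshock pattern.
    `headers` maps header name -> value; any header counts, because a CGI
    server exports all of them (HTTP_USER_AGENT, HTTP_COOKIE, ...)."""
    return [name for name, value in headers.items() if SHELLSHOCK_RE.search(value)]


def scan_log(lines):
    """Return (ip, path, status, field) for each log line whose Referer or
    User-Agent field carries the pattern. Only those two headers are logged,
    so a clean log does not prove that no probe arrived via another header.
    Note that status is reported but not filtered on: the scanner only counts
    HTTP 200 as success, but a 404 still records an attempt worth knowing about."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ('referer', 'ua'):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group('ip'), m.group('path'), int(m.group('status')), field))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2014:12:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/uname -a"',
    '203.0.113.5 - - [10/Dec/2014:12:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 404 210 "() { :; }; echo probe" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2014:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print('Shellshock probe from %s against %s (HTTP %d, in %s)' % hit)
```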

Dependencies

Python 2.7+

Change Log

Changes in version 0.72 (December 2014)
  • Minor corrections to logic and typos
Changes in version 0.71 (December 2014)
  • Added timeout to urllib2.urlopen requests using a global 'TIMEOUT'
Changes in version 0.7 (November 2014)
  • Added an interactive 'pseudo console' for further exploitation of a chosen vulnerable server
  • Attempted to clean up output buffering issues by wrapping sys.stdout in a class which flushes on every call to write
  • Added a progress indicator for use in time-consuming tasks to reassure non-verbose users
Changes in version 0.6 (October 2014)
  • Preventing return codes other than 200 from being considered successes
  • Added ability to specify multiple targets in a file
  • Moved the 'cgi_list' list of scripts to attempt to exploit to a file
  • Fixed some output formatting issues
  • Fixed valid hostname/IP regex to allow single word hostnames
Changes in version 0.5 (October 2014)
  • Added ability to specify a single script to target rather than using cgi_list
  • Introduced a timeout on socket operations for host_check
  • Added some usage examples in the script header
  • Added an epilogue to the help text indicating presence of examples
Changes in version 0.4 (October 2014)
  • Introduced a thread count limit defaulting to 10
  • Removed colour support until I can figure out how to make it work in Windows and *nix equally well
  • Spelling corrections
  • More comprehensive cgi_list
  • Removes success_flag from output
Pre 0.4 (October 2014)
  • No idea

TODO
  • Identify and respond correctly to HTTP/200 response - false positives - Low priority/hassle
  • Implement curses for *nix systems - For the whole application or only the pseudo terminal? - Low priority/prettiness
  • Thread the initial host check now that multiple targets are supported (and could make this bit time consuming)
  • Change verbose to integer value - quiet, normal, verbose, debug?
  • Add option to skip initial host checks for the sake of speed?
  • Add a summary of results before exiting
  • Save results to a file? Format?
  • Eventually the idea is to include multiple possible vectors but currently only one is checked.
  • Add Windows and *nix colour support - Low priority/prettiness
  • Add a timeout in interactive mode for commands which don't return, e.g. /bin/cat /dev/zero
  • Prettify - Low priority/prettiness (obviously)
  • Add support for scanning and exploiting SSH and SMTP? https://isc.sans.edu/diary/Shellshock+via+SMTP/18879
  • Add SOCKS proxy support, potentially using https://github.com/rpicard/socksonsocks/ from Robert Picard
  • Other stuff. Probably.



Public Malware Techniques Used In The Wild - Al-Khaser

al-khaser is a PoC malware with good intentions that aims to stress your anti-malware system. It performs a bunch of the tricks used by today's malware, and the goal is to see if you catch them all.

Possible uses
  • You are making an anti-debug plugin and you want to check its effectiveness.
  • You want to ensure that your sandbox solution is hidden enough.
  • Or you want to ensure that your malware analysis environment is well hidden.
Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

Features

Anti-debugging attacks
  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environment Block (BeingDebugged)
  • Process Environment Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHandle (NtClose) Invalid Handle
  • UnhandledExceptionFilter
  • OutputDebugString (GetLastError())
  • Hardware Breakpoints (SEH / GetThreadContext)
  • Software Breakpoints (INT3 / 0xCC)
  • Memory Breakpoints (PAGE_GUARD)
  • Interrupt 0x2d
  • Interrupt 1
  • Parent Process (Explorer.exe)
  • SeDebugPrivilege (Csrss.exe)
  • NtYieldExecution / SwitchToThread

Anti-virtualization
  • Virtualbox registry key values artifacts:
    • HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier)
    • HARDWARE\Description\System (SystemBiosVersion)
    • HARDWARE\Description\System (VideoBiosVersion)
    • HARDWARE\Description\System (SystemBiosDate)
  • Virtualbox registry Keys artifacts
    • "HARDWARE\ACPI\RSDT\VBOX__"
    • "HARDWARE\ACPI\FADT\VBOX__"
    • "SOFTWARE\Oracle\VirtualBox Guest Additions"
    • "SYSTEM\ControlSet001\Services\VBoxGuest"
    • "SYSTEM\ControlSet001\Services\VBoxMouse"
    • "SYSTEM\ControlSet001\Services\VBoxService"
    • "SYSTEM\ControlSet001\Services\VBoxSF"
    • "SYSTEM\ControlSet001\Services\VBoxVideo"
  • Virtualbox file system artifacts:
    • "system32\drivers\VBoxMouse.sys"
    • "system32\drivers\VBoxGuest.sys"
    • "system32\drivers\VBoxSF.sys"
    • "system32\drivers\VBoxVideo.sys"
    • "system32\vboxdisp.dll"
    • "system32\vboxhook.dll"
    • "system32\vboxmrxnp.dll"
    • "system32\vboxogl.dll"
    • "system32\vboxoglarrayspu.dll"
    • "system32\vboxoglcrutil.dll"
    • "system32\vboxoglerrorspu.dll"
    • "system32\vboxoglfeedbackspu.dll"
    • "system32\vboxoglpackspu.dll"
    • "system32\vboxoglpassthroughspu.dll"
    • "system32\vboxservice.exe"
    • "system32\vboxtray.exe"
    • "system32\VBoxControl.exe"
  • Virtualbox directories artifacts:
    • "oracle\virtualbox guest additions\"
  • Virtualbox MAC Address:
    • "\x08\x00\x27"
  • Virtualbox virtual devices:
    • "\\.\VBoxMiniRdrDN"
    • "\\.\VBoxGuest"
    • "\\.\pipe\VBoxMiniRdDN"
    • "\\.\VBoxTrayIPC"
    • "\\.\pipe\VBoxTrayIPC"
  • Virtualbox Windows Class
    • VBoxTrayToolWndClass
    • VBoxTrayToolWnd
  • Virtualbox network share
    • VirtualBox Shared Folders
  • Virtualbox process list
    • vboxservice.exe
    • vboxtray.exe

Anti Dumping
  • Erase PE header from memory

Code/DLL injection techniques
  • CreateRemoteThread
  • SetWindowsHookEx
  • NtCreateThreadEx
  • RtlCreateUserThread
  • APC (QueueUserAPC / NtQueueApcThread)
  • RunPE (GetThreadContext / SetThreadContext)

Timing Attacks
  • Sleep -> SleepEx -> NtDelayExecution
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)



Tiny banker aka Tinba Source - Trojan Banker

Obs.: I am not responsible for your actions; test it in a virtual machine so you do not damage your real system.


Tinba got its name from its extraordinarily small size – its code is approximately 20 kilobytes in size, a remarkably small number for banking malware. Tinba is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy.

The program is encrypted with a passcode and a key file for security.

Pass: offensivesec


Wednesday, March 30, 2016

Security Intelligence Collector - Machinae



Machinae is a tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints. It was inspired by Automater, another excellent tool for collecting information. The Machinae project was born from wishing to improve Automater in 4 areas:
  1. Codebase - Bring Automater to python3 compatibility while making the code more pythonic
  2. Configuration - Use a more human readable configuration format (YAML)
  3. Inputs - Support JSON parsing out-of-the-box without the need to write regular expressions, but still support regex scraping when needed
  4. Outputs - Support additional output types, including JSON, while making extraneous output optional

Installation

Machinae can be installed using pip3:


pip3 install machinae

Or, if you're feeling adventurous, can be installed directly from github:


pip3 install git+https://github.com/HurricaneLabs/machinae.git

You will need to have whatever dependencies are required on your system for compiling Python modules (on Debian-based systems, python3-dev), as well as the libyaml development package (on Debian-based systems, libyaml-dev).
You'll also want to grab the latest configuration file and place it in /etc/machinae.yml.

Configuration File

Machinae supports a simple configuration merging system to allow you to make adjustments to the configuration without modifying the machinae.yml we provide you, making configuration updates a snap. This is done by finding a system-wide default configuration (default /etc/machinae.yml), merging into that a system-wide local configuration (/etc/machinae.local.yml) and finally a per-user local configuration (~/.machinae.yml). The system-wide configuration can also be located in the current working directory, can be set using the MACHINAE_CONFIG environment variable, or of course by using the -c or --config command line options. Configuration merging can be disabled by passing the --nomerge option, which will cause Machinae to only load the default system-wide configuration (or the one passed on the command line).
As an example of this, say you'd like to enable the Fortinet Category site, which is disabled by default. You could modify /etc/machinae.yml, but these changes would be overwritten by an update. Instead, you can put the following in either /etc/machinae.local.yml or ~/.machinae.yml:


fortinet_classify:
  default: true

Or, conversely, to disable a site, such as Virus Total pDNS:


vt_ip:
  default: false
vt_domain:
  default: false

Usage

Machinae usage is very similar to Automater:


usage: machinae [-h] [-c CONFIG] [-d DELAY] [-f FILE] [--nomerge] [-o {D,J,N}]
                [-O {ipv4,ipv6,fqdn,email,sslfp,hash,url}] [-q] [-s SITES]
                targets [targets ...]
  • See above for details on the -c / --config and --nomerge options.
  • Machinae supports a -d / --delay option, like Automater. However, Machinae uses 0 by default.
  • Machinae output is controlled by two arguments:
    • -o controls the output format, and can be followed by a single character to indicate the desired type of output:
      • N is the default output ("Normal")
      • D is the default output, but dot characters are replaced
      • J is JSON output
    • -f / --file specifies the file where output should be written. The default is "-" for stdout.
  • Machinae will attempt to auto-detect the type of target passed in (Machinae refers to targets as "observables" and the type as "otype"). This detection can be overridden with the -O / --otype option. The choices are listed in the usage.
  • By default, Machinae operates in verbose mode. In this mode, it will output status information about the services it is querying on the console as they are queried. This output will always be written to stdout, regardless of the output setting. To disable verbose mode, use -q.
  • By default, Machinae will run through all services in the configuration that apply to each target's otype and are not marked as "default: false". To modify this behavior, you can:
    • Pass a comma-separated list of sites to run with -s (use the top-level key from the configuration).
    • Pass the special keyword all to -s to run through all services, including those marked as "default: false".
    Note that in both cases, otype validation is still applied.
  • Lastly, a list of targets should be passed. All arguments other than the options listed above will be interpreted as targets.
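An added illustration (not Machinae's own code) of the three behaviours described above: the system/local/user configuration merge with the fortinet_classify and vt_* overrides, otype auto-detection for the types listed in the usage text, and site selection honouring default: false, -s lists and the all keyword. The config dict and its otypes key are constructed stand-ins for machinae.yml:

```python
import copy
import ipaddress
import re

# Constructed stand-in for /etc/machinae.yml: top-level site key, the
# 'default' flag the page shows, and an assumed 'otypes' list naming which
# observable types a site accepts (the key name is an assumption).
SYSTEM_CONFIG = {
    'ipvoid':            {'default': True,  'otypes': ['ipv4']},
    'urlvoid':           {'default': True,  'otypes': ['fqdn']},
    'fortinet_classify': {'default': False, 'otypes': ['fqdn', 'url']},
    'vt_ip':             {'default': True,  'otypes': ['ipv4']},
    'vt_domain':         {'default': True,  'otypes': ['fqdn']},
    'icsi_notary':       {'default': True,  'otypes': ['sslfp']},
}


def merge(base, overlay):
    """Deep-merge overlay into a copy of base: nested dicts are merged key by
    key, so a local file can flip 'default' without restating the whole site."""
    out = copy.deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def load_config(system, local=None, user=None, nomerge=False):
    """Merge order from the page: system-wide, then /etc/machinae.local.yml,
    then ~/.machinae.yml; --nomerge keeps only the system-wide file."""
    cfg = copy.deepcopy(system)
    if nomerge:
        return cfg
    for overlay in (local or {}, user or {}):
        cfg = merge(cfg, overlay)
    return cfg


HEX = r'[0-9a-fA-F]'


def detect_otype(target):
    """Auto-detect an observable's type; the -O / --otype option overrides this."""
    try:
        return 'ipv%d' % ipaddress.ip_address(target).version
    except ValueError:
        pass
    if re.fullmatch(r'(?:%s{2}:){19}%s{2}' % (HEX, HEX), target):
        return 'sslfp'                      # colon-separated SHA-1 fingerprint
    if re.fullmatch(r'%s{32}|%s{40}|%s{64}' % (HEX, HEX, HEX), target):
        return 'hash'                       # MD5 / SHA-1 / SHA-256
    if re.fullmatch(r'[^@\s]+@[^@\s]+\.[^@\s]+', target):
        return 'email'
    if re.match(r'https?://', target, re.IGNORECASE):
        return 'url'
    if re.fullmatch(r'(?:[a-z0-9-]+\.)+[a-z]{2,}', target, re.IGNORECASE):
        return 'fqdn'
    raise ValueError('cannot determine otype of %r' % target)


def select_sites(cfg, otype, sites=None):
    """Which sites run for one observable: by default those not marked
    default: false; 'all' runs every site; an explicit list runs just those.
    otype validation applies in every case, as the page notes."""
    if sites == 'all':
        chosen = list(cfg)
    elif sites:
        chosen = [s for s in sites if s in cfg]
    else:
        chosen = [s for s, c in cfg.items() if c.get('default', True)]
    return sorted(s for s in chosen if otype in cfg[s].get('otypes', []))


if __name__ == '__main__':
    cfg = load_config(SYSTEM_CONFIG, user={'fortinet_classify': {'default': True}})
    for target in ('8.8.8.8', 'example.com', 'user@example.com'):
        otype = detect_otype(target)
        print(target, otype, select_sites(cfg, otype))
```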

Out-of-the-Box Data Sources

Machinae comes with out-of-the-box support for the following data sources:
  • IPVoid
  • URLVoid
  • URL Unshortener ( http://www.toolsvoid.com/unshorten-url )
  • Malc0de
  • SANS
  • Telize GeoIP
  • Fortinet Category
  • VirusTotal pDNS (via web scrape - commented out)
  • VirusTotal pDNS (via JSON API)
  • VirusTotal URL Report (via JSON API)
  • VirusTotal File Report (via JSON API)
  • Reputation Authority
  • ThreatExpert
  • VxVault
  • ProjectHoneypot
  • McAfee Threat Intelligence
  • StopForumSpam
  • Cymru MHR
  • ICSI Certificate Notary
  • TotalHash (disabled by default)
  • DomainTools Parsed Whois (Requires API key)
  • DomainTools Reverse Whois (Requires API key)
  • DomainTools Reputation
  • IP WHOIS (Using RIR REST interfaces)
With additional data sources on the way.

Disabled by default

The following sites are disabled by default:
  • Fortinet Category (fortinet_classify)
  • TotalHash (totalhash_ip)
  • DomainTools Parsed Whois (domaintools_parsed_whois)
  • DomainTools Reverse Whois (domaintools_reverse_whois)
  • DomainTools Reputation (domaintools_reputation)

Output Formats

Machinae comes with a limited set of output formats: normal, normal with dot escaping, and JSON. We plan to add additional output formats in the future.

Adding additional sites

*** COMING SOON ***

Known Issues
  • Some ISP's on IPvoid contain double-encoded HTML entities, which are not double-decoded

Upcoming Features
  • Add IDS rule search functionality (VRT/ET)
  • Add "More info" link for sites
  • Add "dedup" option to parser settings
  • Add option for per-otype request settings
  • Add custom per-site output for error codes

Version History

Version 1.2.0 (2016-02-16)
  • New features
    • Support for sites returning multiple JSON documents
    • Ability to specify time format for relative time parameters
    • Ability to parse Unix timestamps in results and display in ISO-8601 format
    • Ability to specify status codes to ignore per-API
  • New sites
    • DNSDB - Farsight Security passive DNS database (premium)

Version 1.1.2 (2015-11-26)
  • New sites
    • Telize - GeoIP site (premium)
    • Freegeoip - GeoIP site (free)
    • CIF - CIFv2 API support, from csirtgadgets.org
  • New features
    • Ability to specify labels for single-line multimatch JSON outputs
    • Ability to specify relative time parameters using relatime library

Version 1.0.1 (2015-10-13)
  • Fixed a false-positive bug with Spamhaus (Github#10)

Version 1.0.0 (2015-07-02)
  • Initial release




Wednesday, March 23, 2016

Fast And Full-Featured SSL Scanner - SSLyze

SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers.
Key features include:
  • Multi-processed and multi-threaded scanning: it's very fast.
  • Support for all SSL protocols, from SSL 2.0 to TLS 1.2.
  • NEW: SSLyze can also be used as a library, in order to run scans and process the results directly from Python.
  • Performance testing: session resumption and TLS tickets support.
  • Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more.
  • Server certificate validation and revocation checking through OCSP stapling.
  • Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP.
  • Support for client certificates when scanning servers that perform mutual authentication.
  • Scan results can be written to an XML or JSON file for further processing.
  • And much more!

Getting Started

SSLyze can be installed directly via pip:


pip install sslyze

It is also easy to directly clone the repository and then fetch the requirements:


git clone https://github.com/nabla-c0d3/sslyze.git
cd sslyze
pip install -r requirements.txt --target ./lib

Then, the command line tool can be used to scan servers:


python sslyze_cli.py --regular www.yahoo.com:443 www.google.com

SSLyze has been tested on the following platforms: Windows 7 (32 and 64 bits), Debian 7 (32 and 64 bits), OS X El Capitan.


Usage as a library

Starting with version 0.13.0, SSLyze can be used as a Python module in order to run scans and process the results directly in Python:


# Script to get the list of SSLv3 cipher suites supported by smtp.gmail.com
# Imports needed by this snippet (SSLyze 0.13 module layout, as used by api_sample.py)
from sslyze.plugins_finder import PluginsFinder
from sslyze.plugins_process_pool import PluginsProcessPool
from sslyze.server_connectivity import ServerConnectivityInfo, ServerConnectivityError
from sslyze.ssl_settings import TlsWrappedProtocolEnum

hostname = 'smtp.gmail.com'
try:
    # First we must ensure that the server is reachable
    server_info = ServerConnectivityInfo(hostname=hostname, port=587,
                                         tls_wrapped_protocol=TlsWrappedProtocolEnum.STARTTLS_SMTP)
    server_info.test_connectivity_to_server()
except ServerConnectivityError as e:
    raise RuntimeError('Error when connecting to {}: {}'.format(hostname, e.error_msg))

# Get the list of available plugins
sslyze_plugins = PluginsFinder()

# Create a process pool to run scanning commands concurrently
plugins_process_pool = PluginsProcessPool(sslyze_plugins)

# Queue the 'sslv3' scan command, which lists the SSLv3 cipher suites the server accepts
plugins_process_pool.queue_plugin_task(server_info, 'sslv3')

# Process the result and print the accepted cipher suites
for plugin_result in plugins_process_pool.get_results():
    if plugin_result.plugin_command == 'sslv3':
        # Do something with the result
        print 'SSLV3 cipher suites'
        for cipher in plugin_result.accepted_cipher_list:
            print ' {}'.format(cipher.name)


The scan commands are the same as the ones described in the sslyze_cli.py --help text.
They will all be run concurrently using Python's multiprocessing module. Each command will return a PluginResult object with attributes that contain the result of the scan command run on the server (such as list of supported cipher suites for the --tlsv1 command). These attributes are specific to each plugin and command but are all documented (within each plugin's module).
See api_sample.py for more examples of SSLyze's Python API.


Windows executable

A pre-compiled Windows executable is available in the Releases tab. The package can also be generated by running the following command:


python.exe setup_py2exe.py py2exe




An Anonymous VPN-Adapter (P2P layer 3 VPN based on Tor or I2P) - OnionCat

OnionCat is a VPN adapter that allows connecting two or more computers or networks through VPN tunnels. It is designed to use the anonymization networks Tor or I2P as its transport; hence it provides location-based anonymity while still creating tunnel endpoints with private, unique IP addresses.

OnionCat uses IPv6 as its native layer 3 network protocol. The clients connected by it appear to be on a single logical IPv6 network, as if connected by a virtual switch. OnionCat automatically calculates and assigns unique IPv6 addresses to the tunnel endpoints, derived from the hidden service ID (onion ID) of the local Tor client's hidden service, or from the local I2P server destination, respectively. This technique provides authentication between the onion ID and the layer 3 address and hence defeats IP spoofing within the OnionCat VPN.

If necessary, OnionCat can of course transport IPv4 as well. Although it has native IP support, the suggested way to do this is to configure an IPv4-in-IPv6 tunnel.
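The address derivation for the Tor case, and the anti-spoofing property it gives, are shown in this added example (not OnionCat's code): the tunnel address is the fd87:d87e:eb43::/48 prefix followed by the 80 bits of the base32-decoded 16-character onion ID, so a packet's IPv6 source can be checked against the onion ID of the circuit it arrived on. The onion ID used as input is a constructed sample:

```python
import base64
import ipaddress

# OnionCat's unique local prefix. The low 80 bits of every tunnel address are
# the base32-decoded onion ID, which is what ties the layer 3 address to the
# hidden service that sends the packets.
ONIONCAT_PREFIX = ipaddress.IPv6Network('fd87:d87e:eb43::/48')


def onion_to_ipv6(onion):
    """Derive the OnionCat IPv6 address of a hidden service from its
    16-character onion ID (80 bits of base32), with or without '.onion'."""
    host = onion.strip().lower()
    if host.endswith('.onion'):
        host = host[:-len('.onion')]
    if len(host) != 16:
        raise ValueError('expected a 16-character onion ID, got %r' % host)
    onion_bits = base64.b32decode(host.upper())          # exactly 10 bytes
    prefix_bits = ONIONCAT_PREFIX.network_address.packed[:6]
    return ipaddress.IPv6Address(prefix_bits + onion_bits)


def ipv6_to_onion(addr):
    """Inverse mapping: recover the onion hostname from a tunnel address."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in ONIONCAT_PREFIX:
        raise ValueError('%s is not an OnionCat address' % addr)
    return base64.b32encode(addr.packed[6:]).decode('ascii').lower() + '.onion'


def source_is_authentic(src_addr, peer_onion_id):
    """The anti-spoofing check: a packet that arrived over the Tor connection
    of `peer_onion_id` is genuine only if its IPv6 source is the address
    derived from that same ID; anything else should be dropped."""
    return ipaddress.IPv6Address(src_addr) == onion_to_ipv6(peer_onion_id)


if __name__ == '__main__':
    # Constructed sample onion ID.
    print(onion_to_ipv6('a5ccbdkubbr2jlcp.onion'))
    print(ipv6_to_onion('fd87:d87e:eb43:744:208d:5408:63a4:ac4f'))
```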



Fuzzing Framework Written In Python - Kitty

Goal

When we started writing Kitty, our goal was to help us fuzz unusual targets --- meaning proprietary and esoteric protocols over non-TCP/IP communication channels --- without writing everything from scratch each time. We wanted a generic and abstract framework that would include the common functionality of every fuzzing process we could think of, and would allow the user to easily extend and use it to test their specific target.


Features


With this goal in mind, the following features were very important to us:

Modularity: Each part of the fuzzer stands on its own. This means that you can use the same monitoring code for different applications, or the same payload generator (aka Data Model) for testing parsing of the same data that is received over different channels.
Extensibility: If you need to test something "new", you will not need to change Kitty's core code. Most, if not all, features can be implemented in the user code. This includes monitoring, controlling and communicating with the fuzzed target.
Rich data modeling: The data model core is rich and allows describing advanced data structures, including strings, hashes, lengths, conditions and many more. And, like most of the framework, it is designed to be extended even further as necessary.
Stateful: Support for multi-stage fuzzing tests. Not only can you describe what the payload of an individual message will look like, you can also describe the order of messages, and even perform fuzzing on the sequence's order.
Client and Server fuzzing: You can fuzz both servers and clients, assuming you have a matching stack. Sounds like a big requirement, but it isn't: it just means that you should have the means to communicate with the target, which you should have in most cases anyway.
Cross platform: Runs on Linux, OS X and Windows. We don't judge ;-)



What it's not


Well, Kitty is not a fuzzer. It also contains no implementation of any specific protocol or communication channel. You can write your own fuzzer with it, and you can use Kitty-based code written by others, but it's not an out-of-the-box fuzzer.
A good place to get (and add) implementations of Kitty models is Katnip.


Katnip


Kitty, as a framework, implements the fuzzer main loop, and provides syntax for modeling data and base classes for each of the elements that are used to create a full fuzzing session. However, specific implementations of classes are not part of the Kitty framework. This means that Kitty defines the interface and base class to perform data transactions with a target, but it doesn't provide implementations for data transmission over HTTP, TCP or UART.
Implementations of all sorts of classes can be found in the complementary repository - Katnip.


Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community