
Tuesday, July 19, 2016

A DNS Reconnaissance Tool for Locating Non-Contiguous IP Space - Fierce



First, credit where credit is due: fierce was originally written by RSnake along with others at http://ha.ckers.org/. This is simply a conversion to Python 3 to simplify and modernize the codebase.
The original description was very apt, so I'll include it here:
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.

Installing
$ pip3 install fierce
$ fierce -h
OR
$ git clone https://github.com/mschwager/fierce.git
$ cd fierce
$ pip3 install -r requirements.txt
$ python3 fierce.py -h

Using
Let's start with something basic:
$ fierce --domain google.com --subdomains accounts admin ads
Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:
$ fierce --domain facebook.com --subdomains admin --traverse 10
Limit nearby IP traversal to certain domains with the --search flag:
$ fierce --domain facebook.com --subdomains admin --search fb.com fb.net
Attempt an HTTP connection on domains discovered with the --connect flag:
$ fierce --domain stackoverflow.com --subdomains mail --connect
Exchange speed for breadth with the --wide flag, which looks for nearby domains on all IPs of the /24 of a discovered domain:
$ fierce --domain facebook.com --wide
Zone transfers are rare these days, but they give us the keys to the DNS castle. zonetransfer.me is a very useful service for testing for and learning about zone transfers:
$ fierce --domain zonetransfer.me
To save the results to a file for later use we can simply redirect output:
$ fierce --domain zonetransfer.me > output.txt
Internal networks will often have large blocks of contiguous IP space assigned. We can scan those as well:
$ fierce --dns-servers 10.0.0.1 --range 10.0.0.0/24
Check out --help for further information:
$ fierce --help
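As an added illustration (not fierce's own code), the following Python models how the --traverse, --wide and --search flags shape the candidate address space around one discovered IP, so a defender can see how much of a /24 a single leaked PTR record exposes. The PTR table is constructed so the example runs offline; clipping candidates to the /24, counting all 256 addresses for --wide, and suffix-matching for --search are my assumptions about the tool's behaviour.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional


def traverse_expander(ip: str, n: int = 5) -> List[ipaddress.IPv4Address]:
    """--traverse N: the N addresses on either side of a discovered IP.
    Assumption: candidates are clipped to the /24 the discovered IP sits in."""
    addr = ipaddress.IPv4Address(ip)
    block = ipaddress.IPv4Network(f"{addr}/24", strict=False)
    candidates = []
    for offset in range(-n, n + 1):
        value = int(addr) + offset
        if not 0 <= value <= 0xFFFFFFFF:        # fell off the IPv4 range entirely
            continue
        neighbour = ipaddress.IPv4Address(value)
        if neighbour in block:                   # stay inside the /24
            candidates.append(neighbour)
    return candidates


def wide_expander(ip: str) -> List[ipaddress.IPv4Address]:
    """--wide: every address of the discovered IP's /24 (assumed to include
    the network and broadcast addresses, 256 in total)."""
    return list(ipaddress.IPv4Network(f"{ip}/24", strict=False))


def search_filter(search_domains: Iterable[str], hostname: str) -> bool:
    """--search: keep a reverse-DNS name only if it is one of the listed
    domains or a subdomain of one (suffix match is an assumption)."""
    host = hostname.rstrip(".").lower()
    for domain in search_domains:
        d = domain.rstrip(".").lower()
        if host == d or host.endswith("." + d):
            return True
    return False


# Constructed reverse-DNS table standing in for live PTR lookups, so the
# example runs offline. 203.0.113.0/24 is documentation space (RFC 5737).
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "admin.example.com.",
    "203.0.113.11": "mail.example.net.",
    "203.0.113.12": "vpn.corp.example.com.",
    "203.0.113.14": "unrelated.other.org.",
}


def nearby_hosts(discovered_ip: str, traverse: int = 5, wide: bool = False,
                 search: Optional[List[str]] = None,
                 ptr: Dict[str, str] = FAKE_PTR) -> Dict[str, str]:
    """Expand the candidate space around one discovered IP, look each
    candidate up in the PTR table and apply the --search filter."""
    if wide:
        candidates = wide_expander(discovered_ip)
    else:
        candidates = traverse_expander(discovered_ip, traverse)
    hits: Dict[str, str] = {}
    for cand in candidates:
        name = ptr.get(str(cand))
        if name is None:
            continue
        if search and not search_filter(search, name):
            continue
        hits[str(cand)] = name.rstrip(".")
    return hits


if __name__ == "__main__":
    print(nearby_hosts("203.0.113.10", traverse=2))
    print(nearby_hosts("203.0.113.10", wide=True, search=["example.com"]))
```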



Sunday, July 17, 2016

Practice Penetration Testing - Labs



I found this page; it has a pretty good mind map listing all available labs to practice your skills in doing penetration testing.

The mind map covers the following categories:
  • Vulnerable Web Applications [36 unique web applications]
  • Vulnerable Operating System Installations [16+ unique OS setups]
  • Sites for Downloading Older Versions of Various Software [3 sources]
  • Sites by Vendors of Security Testing Software [8 unique sites]
  • Sites for Improving Your Hacking Skills [16 unique sites]

The link is http://www.amanhardikar.com/mindmaps/PracticewithURLs.html


Wednesday, July 13, 2016

Intrusion Detection/Prevention System (IDS/IPS) Testing Framework - pytbull



pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing Framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS, to compare configuration modifications and to check/validate configurations.

The framework ships with about 300 tests grouped in 11 testing modules:
  1. badTraffic: non-RFC-compliant packets are sent to the server to test how such packets are processed.
  2. bruteForce: tests the ability of the server to track brute-force attacks (e.g. against FTP). Makes use of custom rules on Snort and Suricata.
  3. clientSideAttacks: this module uses a reverse shell to instruct the server to download remote malicious files. It tests the ability of the IDS/IPS to protect against client-side attacks.
  4. denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts.
  5. evasionTechniques: various evasion techniques are used to check whether the IDS/IPS can still detect the attacks.
  6. fragmentedPackets: various fragmented payloads are sent to the server to test its ability to reassemble them and detect the attacks.
  7. ipReputation: tests the ability of the server to detect traffic from/to low-reputation hosts.
  8. normalUsage: payloads that correspond to normal usage, which should not raise alerts.
  9. pcapReplay: replays pcap files.
  10. shellCodes: sends various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject them.
  11. testRules: basic rule testing. These attacks are supposed to be detected by the rule sets shipped with the IDS/IPS.
It is easily configurable and can integrate new modules in the future.
There are basically 5 types of tests:
  1. socket: open a socket on a given port and send the payloads to the remote target on that port.
  2. command: send a command to the remote target with the subprocess.call() Python function.
  3. scapy: send specially crafted payloads written in Scapy syntax.
  4. client side attacks: use a reverse shell on the remote target and send it commands that the server then executes (typically wget commands).
  5. pcap replay: replay traffic from pcap files.

Architecture

Remote mode

In this mode, the IDS is plugged into the SPAN port (port mirroring) of the core switch and its interface is configured in promiscuous mode. The IDS analyzes all traffic that goes through the core switch. Malicious files can be downloaded either by pytbull or by the server. This mode is called "remote".



Local mode

In this mode, files are downloaded on the client machine that pytbull is started from.

IDS mode with attacked server in DMZ

In this configuration, a firewall splits the network into 3 parts (LAN, WAN, DMZ). The IDS is plugged into a SPAN port (port mirroring) of the switch with its interface configured in promiscuous mode. It analyzes all traffic sent to the LAN interface of the firewall.


IPS mode

In this configuration, a firewall splits the network into 3 parts (LAN, WAN, DMZ). The IDS is plugged in between pytbull and the firewall. To give the IDS a chance to detect the malicious files, pytbull has to download the infected files itself.


IPS mode with attacked server in DMZ

In this configuration, a firewall splits the network into 3 parts (LAN, WAN, DMZ). The IDS is plugged in between pytbull and the firewall. Malicious files have to be downloaded by pytbull directly to give the IDS a chance to detect them.


Usage

If you have selected the clientSideAttacks module (see the configuration file section for more information), you will need to start the reverse shell on the server. The following command uses port 34567/tcp:
$ ./pytbull-server.py -p 34567
Since the files are downloaded into the current directory, you can create a pdf/ directory and start the server from inside it:
$ mkdir pdf/
$ cd pdf/
$ ../pytbull-server.py -p 34567
Then start pytbull on the client side. For example, to run the pytbull tests against 192.168.100.48, which is running Snort:
$ sudo ./pytbull -t 192.168.100.48

Note that if you use the optional -p parameter on the remote side, you will need to change the port used by the reverse shell in config.cfg to match.



Sunday, July 10, 2016

Automatic SQL Database Injection - jSQL Injection



jSQL Injection is a lightweight application used to find database information from a remote server. The tool is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

jSQL Injection v0.72 Released





Injection and local test

Running an injection requires the URL of a local or remote server and the name of the parameter to inject.
For a local test, save the following PHP code into a file named 'simulate_get.php', move it to the root folder of your web server (e.g. /www), then enter the URL

http://127.0.0.1/simulate_get.php?lib=

and finally click Connect to read the local database. The script is deliberately injectable: the lib parameter is concatenated straight into the query, and each line is annotated with the injection technique it exposes.


<?php
    mysql_connect("localhost", "root", "");
    mysql_select_db("my_own_database");

    // Deliberately vulnerable: $_GET['lib'] goes into the SQL string unescaped
    $result = mysql_query("SELECT * FROM my_own_table WHERE my_own_field = " . $_GET['lib']) # time based
        or die(mysql_error());                                                                # error based

    if (mysql_num_rows($result) !== 0) echo " something ";                                  # blind

    while ($row = mysql_fetch_array($result, MYSQL_NUM))
        echo join(',', $row);                                                                 # normal
?>




Features:

  • GET, POST, header, cookie methods
  • Normal, error based, blind, time based algorithms
  • Automatic best algorithm selection
  • Multi-thread control (start/pause/resume/stop)
  • Progress bars
  • Shows URL calls
  • Simple evasion
  • Proxy setting
  • Remote file reading
  • Webshell deposit
  • Terminal for webshell commands
  • Configuration backup
  • Update checker
  • Admin page checker
  • Brute forcer (md5 mysql…)
  • Coder (encode decode base64 hex md5…)
  • Supports MySQL




OpenSource /Malware Analysis Pipeline System - Aleph





What?

Aleph is designed to pipeline the analysis of malware samples. It has a series of collectors that gather samples from many sources and push them into the pipeline. The sample manager has a series of plugins that are run against each sample and return the data they find as JSON.

This JSON data can then be processed and queried in a structured way instead of grepping and regexing.

How?

The main Aleph daemon is a loosely coupled Python application and library. It is composed of the Aleph Service, which spawns:

1. The Collectors. These are responsible for going to multiple sources (filesystem folder, IMAP folder, FTP directory, etc.), collecting all the files there, storing them locally and adding them to the processing queue. Each collector runs in its own process (fork).

2. Multiple (the quantity is configurable) parallel SampleManager services that pull samples from the work queue and process them by running the plugins, each of which receives the sample path and returns a JSON object of the artifacts it found.

3. The sample object is converted to JSON along with its data and stored in an Elasticsearch backend.

Installing Aleph

Requirements

In order to get a clean install, you should first install some requirements. On Ubuntu/Debian:


apt-get install python-pyrex libffi-dev libfuzzy-dev python-dateutil libsqlite3-dev


ElasticSearch

First, if you don't have an Elasticsearch instance ready, you must install one.
For Debian/Ubuntu/Redhat/Fedora/CentOS (yum + apt basically) users, follow this guide.
** Remember: Elasticsearch runs on the JVM, so you must also install Java =) **

Python modules

We strongly suggest that you use python's virtual environment so you don't pollute the rest of your OS installation with python modules. To make a contained virtual environment, install virtualenv with pip:


pip install virtualenv

Go to the desired Aleph installation folder and type the following to create and activate your virtual environment:


virtualenv venv # 'venv' can be any name

source venv/bin/activate

The environment name (venv) will be prepended to your prompt (PS1):


(venv)(2014-08-19 17:36:%)(~/opt/aleph/)

All python modules required are listed on the requirements.txt file on the root repository folder. You can install all of them at once using pip:


pip install -r requirements.txt

Then clone the repository and copy the settings file:


git clone https://github.com/merces/aleph.git --branch aleph-python --single-branch .

cp aleph/settings.py.orig aleph/settings.py

Edit settings.py and add a local source (a folder where Aleph will search for samples. WARNING: ALEPH WILL MOVE THE SAMPLE, THUS REMOVING IT FROM THE ORIGINAL FOLDER). The folder must exist, as Aleph won't try to create it:


SAMPLE_SOURCES = [

    ('local', {'path': '/opt/aleph/unprocessed_samples'}),

]

Set the URI of your Elasticsearch installation:


ELASTICSEARCH_URI = '127.0.0.1:9200'

** Workaround step ** As I am still finishing some of the code, there are some folders that are not in the repository and must be created manually and set accordingly in the settings.py file:


SAMPLE_TEMP_DIR = '/opt/aleph/temp'

SAMPLE_STORAGE_DIR = '/opt/aleph/samples'

Remember to verify the folder permissions. Then Aleph is ready to run!

Running

Go to the Aleph folder, activate the virtual environment and run bin/aleph-server.py as follows:


cd /opt/aleph/

source venv/bin/activate

./bin/aleph-server.py

And that's it. Check your logs under log/aleph.log for any troubleshooting.

Install the Web interface (Webui)

Edit the "SERVER_NAME" constant in your settings.py file, e.g. SERVER_NAME = 'mydomain.com:90',
then create the following entries:


SECRET_KEY = 'Pu7s0m3cryp7l337here' #do not use this ;)

SAMPLE_SUBMIT_FOLDER= '/some/path' #where samples will be submitted from webui

Setup your database:


python bin/db_create.py

Run the webui script:


bin/aleph-webui.sh

To access the web interface, open your favorite browser at http://SERVER_NAME (the value you set above).


Login: admin

Password: changeme12!

Note: For the sake of the Security Gods, CHANGE YOUR PASSWORD! ;)

If you do not like our web interface, you can still use other software to review and query the data in Elasticsearch. I strongly suggest this Chrome REST client plugin or the great Kibana.

Currently implemented

Collectors

  • FileCollector: grabs samples from a local directory
  • MailCollector: grabs samples from email attachments in an IMAP folder

Plugins

  • PEInfo: extracts info from PE files such as the entry point, number of sections and some PE characteristics (SEH/ASLR/DEP).
  • ZipArchivePlugin: extracts zip files and puts their contents back into the analysis queue.
  • StringsPlugin: extracts strings from the sample into three categories: All Strings, URI Strings and Filename Strings (not 100% accurate, but we do our best).
  • VirustotalPlugin: checks the sample's SHA256 hash against the VirusTotal database and fetches the report. If that hash doesn't exist, the file is submitted for analysis.
  • TrID: checks the file type of a sample.
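As an added example of the plugin contract described above (my own code, not Aleph's), here is a minimal StringsPlugin-style analyser: it pulls printable runs out of a sample, sorts them into the three categories the page names and returns them as JSON. The sample blob is constructed inline, and the extension list and the URI pattern are my assumptions, not Aleph's.

```python
import json
import re
from typing import Dict, List

# Printable ASCII runs of at least MIN_LEN bytes, like the classic `strings` tool.
MIN_LEN = 4
URI_RE = re.compile(r"^(?:https?|ftp)://[^\s\"'<>]+$", re.IGNORECASE)
# Names ending in an extension worth a second look; the list is an assumption.
FILENAME_RE = re.compile(
    r"[\w.-]+\.(?:exe|dll|sys|scr|bat|cmd|ps1|vbs|js|jar|pdf|docx?|xlsx?|zip|bin)$",
    re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """All printable-ASCII runs of at least min_len characters, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [run.decode("ascii") for run in pattern.findall(data)]


def classify_strings(data: bytes) -> Dict[str, List[str]]:
    """Bucket strings the way the page describes: all, URI-looking, filename-looking.
    A string already reported as a URI is not reported again as a filename."""
    strings = extract_strings(data)
    uris = [s for s in strings if URI_RE.match(s.strip())]
    filenames = [s for s in strings if s not in uris and FILENAME_RE.search(s.strip())]
    return {"all_strings": strings, "uri_strings": uris, "filename_strings": filenames}


def strings_plugin(sample_path: str, data: bytes) -> str:
    """Return the JSON document a pipeline plugin would hand back for one sample."""
    return json.dumps({"plugin": "StringsPlugin", "sample": sample_path,
                       "artifacts": classify_strings(data)}, indent=2)


# Constructed blob standing in for a sample file: a few printable runs separated
# by non-printable bytes. It is not a real binary and does nothing if executed.
CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode\x00\x01"
    + b"http://malware.example/stage2.bin\x00"
    + b"dropper.exe\x00ab\x00"
    + b"C:\\Windows\\Temp\\payload.dll\x00"
)


if __name__ == "__main__":
    print(strings_plugin("/opt/aleph/samples/constructed.bin", CONSTRUCTED_SAMPLE))
```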


Saturday, July 9, 2016

Snowden says It's a 'Dark Day for Russia' after Putin Signs Anti-Terror Law



Whistleblower and ex-NSA employee Edward Snowden has criticized a new anti-terror law signed on Thursday by Russian President Vladimir Putin, referring to it as "repressive" and calling it a "dark day for Russia."

The new legislation signed by Putin would compel the country's telephone carriers and Internet providers to record and store the private communications of each and every one of their customers for six months – and turn them over to the government if requested.

The data collected on customers would include phone calls, text messages, photographs and Internet activity, stored for six months, while "metadata" would be stored for up to 3 years.
Moreover, instant messaging services that use encryption, including WhatsApp, Telegram and Viber, could face fines of thousands of pounds if they continue to operate in Russia without handing over their encryption keys to the government.

"Putin has signed a repressive new law that violates not only human rights but common sense. A dark day for Russia," Snowden wrote on Twitter.

Snowden is responsible for revealing global mass surveillance programs by leaking NSA classified documents back in June 2013 before finding asylum in Russia.

The activist explained that the new Russian law, in addition to "political and constitutional consequences," would cost telecommunications providers over $30 Billion to implement the new law, which is more than they can afford.

The CEO of Russia’s second-largest telecom company Megafon told a local newspaper Thursday that he would rather pay the government higher taxes than spend over $3 Billion yearly on infrastructure upgrades.
"We'll be unable to fulfill the requirements of the law in the way that it exists at present," said Megafon CEO Sergey Soldatenkov, adding that his company only generates an annual profit of $780 Million.

"When we saw the provisions of the bill, we really hoped that it will not be accepted. I believe we have done everything possible to inform deputies, Federation Council [and] the government that the bill in this form is impossible," Soldatenkov added.

A spokesperson for Tele2, another Russian telecom company, said it might have to raise prices threefold or more in order to accommodate the new law, The WSJ reported.

The Russian government will establish the precise requirements of the new legislation, according to the Kremlin website.

This frightening new legislation comes into force on July 20th.

Source: The Hackers News


Friday, July 8, 2016

Anonymous Operating System - Whonix 13



Whonix is a desktop operating system designed for advanced security and privacy. It realistically addresses attacks while maintaining usability. It makes online anonymity possible via fail-safe, automatic, and desktop-wide use of the Tor network. A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP leaks. Pre-installed applications, pre-configured with safe defaults are ready for use. Additionally, installing custom applications or personalizing the desktop will in no way jeopardize the user. Whonix is the only actively developed OS designed to be run inside a VM and paired with Tor.

Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible. With Whonix, you can use applications and run servers anonymously over the internet. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.



Whonix benefits anyone who does sensitive work on their desktop or online. This includes:
  • Investigators and whistleblowers whose work threatens the powerful.
    • Within an isolated environment, research and evidence can be gathered without accidental exposure.
  • Researchers, government officials, or businesspeople who may be targets of espionage.
    • Anti-malware and anti-exploit modifications lower the threat of trojans and backdoors.
  • Journalists who endanger themselves and their families by reporting on organized crime.
    • Compartmentalized, anonymous internet use prevents identity correlation between social media (and other) logins.
  • Political activists under targeted surveillance and attack.
    • The usefulness of threatening the ISP in order to analyze a target's internet use will be severely limited. The cost of targeting a Whonix user is greatly increased.
  • Average computer users in a repressive or censored environment.
    • Easy Tor setup (and options for advanced setups) gives users in repressive countries full internet access desktop-wide, not just in their browser.
  • Average computer users who simply don’t want all or some aspect of their private lives uploaded, saved, and analyzed.
    • Whonix does not silently upload identifying information in the background.

Qubes-Whonix:
Either start with fresh templates, i.e. uninstall qubes-template-whonix-gw and qubes-template-whonix-ws, then install them by running in dom0:
sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-whonix-gw qubes-template-whonix-ws

Or you can also upgrade from Whonix’s repository. Please refer to the following instructions:
https://www.whonix.org/wiki/Upgrading_Whonix_12_to_Whonix_13


Non-Qubes-Whonix:

https://www.whonix.org/wiki/Download

Or you can also upgrade from Whonix’s repository. Please refer to the following instructions:
https://www.whonix.org/wiki/Upgrading_Whonix_12_to_Whonix_13

Changes from Whonix 12 to 13:
https://phabricator.whonix.org/maniphest/query/TfpGK0Sq8w1j/#R

A simple Python CLI to Spoof Emails - SimpleEmailSpoofer




A few Python programs designed to help penetration testers with email spoofing.


SimpleEmailSpoofer.py 

A program that spoofs emails. Currently in development 

spoofcheck.py 

A program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. 
Additionally it will alert if the domain has DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails. 

Usage: 


./spoofcheck.py [DOMAIN]

Dependencies 

  • dnspython
  • colorama
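As an added, offline example (my own code, not the SimpleEmailSpoofer project's), here are the checks spoofcheck.py is described as performing, applied to SPF and DMARC TXT record strings passed in directly rather than fetched with dnspython, so a domain owner can score their own records. The weakness wording and the "spoofable" rule are my reading of the page, not the tool's output.

```python
from typing import Dict, List, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(spf: Optional[str]) -> Optional[str]:
    """Qualifier of the SPF 'all' mechanism ('+', '-', '~' or '?'), or None when
    the record is missing, malformed or has no 'all' term at all."""
    if not spf:
        return None
    terms = spf.split()
    if terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"   # bare 'all' means pass
    return None


def assess_records(spf: Optional[str], dmarc: Optional[str]) -> Dict[str, object]:
    """Weak-configuration findings plus where DMARC failure reports would go."""
    weaknesses: List[str] = []
    reporting: List[str] = []
    qual = spf_all_qualifier(spf)
    if not spf:
        weaknesses.append("no SPF record")
    elif qual is None:
        weaknesses.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    elif qual == "+":
        weaknesses.append("SPF +all: every sender passes")
    elif qual == "?":
        weaknesses.append("SPF ?all: neutral result, no real policy")
    elif qual == "~":
        weaknesses.append("SPF ~all: softfail only")
    enforced = False
    if not dmarc:
        weaknesses.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "").lower()
        if policy in ("quarantine", "reject"):
            enforced = True
            pct = tags.get("pct", "100")
            if pct.isdigit() and int(pct) < 100:
                weaknesses.append(f"DMARC pct={pct}: policy applied to only part of failing mail")
        else:
            weaknesses.append(f"DMARC p={policy or 'missing'}: failures are not acted on")
        # rua/ruf are the mailto:/https: destinations that receive reports when
        # SPF/DKIM fail, which is what the page says the tool alerts on.
        for tag, kind in (("rua", "aggregate"), ("ruf", "forensic")):
            if tag in tags:
                reporting.append(f"{kind} reports go to {tags[tag]}")
    # Spoofing is viable when nobody enforces a verdict (no DMARC, or p=none), or when
    # SPF passes everyone: a +all MAIL FROM domain passes and aligns even under p=reject.
    spoofable = (not enforced) or qual == "+"
    return {"spoofable": spoofable, "weaknesses": weaknesses, "reporting": reporting}
```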




Monday, July 4, 2016

Tool for Injecting Malicious Payloads Into Barcodes - Scansploit



Tool for Injecting Malicious Payloads Into Barcodes. Supported formats:

  • Barcodes (code128)
  • QRCodes
  • DataMatrix
  • EAN13

Requirements

  • Python3
  • PyStrich: pip3 install pystrich
    In case of a jpeg error: sudo apt-get install libtiff5-dev zlib1g-dev libfreetype6-dev liblcms2-dev libwebp-dev tcl8.6-dev tk8.6-dev python-tk
  • Pillow: pip3 install pillow

