SECURITY EDUCATION, PRIVACY GUIDANCE, THREAT AWARENESS, OPEN SOURCE TOOLS, RESEARCH NOTES, AND RESPONSIBLE TECHNOLOGY CONTENT

  • Penetration Testing Distribution - BackBox

    BackBox is an Ubuntu-based Linux distribution oriented toward penetration testing and security assessment, providing a network and information systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution built from Debian Squeeze. For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large number of cyber security tools. It is an open-source distro created specifically for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud-friendly operating system designed for pentesting, computer forensics, reverse engineering, hacking, cloud pentesting...

Saturday, July 30, 2016

Penetration Testing Operating system based on Ubuntu - LionSec Linux 5.0



LionSec Linux 5.0 is an Ubuntu-based penetration testing distribution. It was built to perform computer forensics, penetration tests and wireless analysis. With the "Anonymous Mode", you can browse the internet or send packets anonymously. There are lots of built-in tools such as netool, websploit, burpsuite, web analysis tools, social engineering tools and other pentesting tools.

Minimum System Requirements

  • 1.7 GHz processor (for example Intel Celeron) or better.
  • 2.0 GB RAM (system memory).
  • 8 GB of free hard drive space for installation.
  • Either a CD/DVD drive or a USB port for the installer media.
  • Internet access is helpful (for installing updates during the installation process).
If you have an old machine, you may consider other alternatives such as LionSec Linux 3.1.

LionSec Linux 5.0 Teaser

Screenshots







Thursday, July 28, 2016

Pentest Security OS - ParrotOS 3.7



Parrot Security OS is a cloud-friendly operating system designed for pentesting, computer forensics, reverse engineering, hacking, cloud pentesting, privacy/anonymity and cryptography. It is based on Debian and developed by the Frozenbox network.

Who can use it

Parrot is designed for everyone, from the pro pentester to the newbie, because it provides the most professional tools combined in an easy-to-use, fast and lightweight pentesting environment, and it can also be used as an everyday system.

Features:

System Specs

  • Debian jessie core
  • Custom hardened Linux 4.5 kernel
  • Rolling release upgrade line
  • MATE desktop environment
  • LightDM display manager
  • Custom themes, icons and wallpapers

Cloud

  • Parrot Server Edition
  • Parrot Cloud Controller
  • Parrot VPS Service
  • Custom installation script for Debian VPS

Digital Forensics

  • "Forensic" boot option to avoid automounts at boot
  • The best-known digital forensic tools and frameworks out of the box
  • Reliable acquisition and imaging tools
  • Top class analysis software
  • Evidence management and reporting tools
  • Disabled automount
  • Software block-device write protection system

Cryptography

  • Custom anti-forensic tools
  • Custom interfaces for GPG
  • Custom interfaces for cryptsetup
  • Support for LUKS, TrueCrypt and VeraCrypt
  • NUKE patch for cryptsetup LUKS disks
  • Encrypted system installation

Anonymity

  • AnonSurf
  • Entire system anonymization
  • TOR and I2P out of the box
  • DNS request anonymization
  • "Change Identity" function for AnonSurf
  • BleachBit system cleaner
  • NoScript plugin
  • UserAgentOverrider plugin
  • Browser profile manager
  • RAM-only browser profile
  • Pandora's Box - RAM cleaner
  • Hardened system behaviour

Programming

  • FALCON Programming Language (1.0)
  • System editor tuned for programming
  • Many compilers and debuggers available
  • Reverse engineering tools
  • Programming template files
  • Most-used libraries pre-installed
  • Full Qt5 development framework
  • Full .net/mono development framework
  • Development frameworks for embedded devices



      Tuesday, July 26, 2016

      Post-Exploitation Powershell Tool for Extracting Juicy info from Memory - Mimikittenz



      mimikittenz is a post-exploitation PowerShell tool that uses the Windows function ReadProcessMemory() to extract plain-text passwords from various target processes.

      mimikittenz can also easily extract other kinds of juicy info from target processes using regex patterns, including but not limited to:
      • TRACK2 (credit card) data from merchant/POS processes
      • PII data
      • Encryption keys and all the other good stuff
      Note: this tool targets the memory address space of running processes. Once a process is killed, its memory 'should' be cleaned up and inaccessible; however, there are some edge cases in which this does not happen.

      Description
      The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.
      Currently mimikittenz is able to extract the following credentials from memory:

      Webmail
      • Gmail
      • Office365
      • Outlook Web

      Accounting
      • Xero
      • MYOB

      Remote Access
      • Juniper SSL-VPN
      • Citrix NetScaler
      • Remote Desktop Web Access 2012

      Development
      • Jira
      • Github
      • Bugzilla
      • Zendesk
      • Cpanel

      IHateReverseEngineers
      • Malwr
      • VirusTotal
      • AnubisLabs

      Misc
      • Dropbox
      • Microsoft OneDrive
      • AWS Web Services
      • Slack
      • Twitter
      • Facebook

      Customization
      • Custom regex - the syntax for adding a custom regex is as follows:
          [mimikittenz.MemProcInspector]::AddRegex("<NameOfTarget>","<regex_here>")


      • Custom target process - just append your target process name to the array:
          $matches=[mimikittenz.MemProcInspector]::InspectManyProcs("iexplore","chrome","firefox")
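      As an added, defender-side example (not part of the original post or of mimikittenz): ReadProcessMemory() needs PROCESS_VM_READ access to its target, so a Sysmon ProcessAccess record (Event ID 10) showing a PowerShell host opening one of the browser processes named above with that right is a practical detection point. The log lines below are constructed, written in a simplified key=value form rather than Sysmon's real XML; the field names follow Sysmon's, the paths and access masks are made up.

```python
import re

# PROCESS_VM_READ (0x0010) is the access right ReadProcessMemory() requires.
PROCESS_VM_READ = 0x0010

# Processes mimikittenz inspects in the post's InspectManyProcs() example.
WATCHED_TARGETS = {"iexplore.exe", "chrome.exe", "firefox.exe"}

# Scripting hosts that normally have no reason to read browser memory.
SUSPECT_SOURCES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Constructed sample: simplified key=value rendering of Sysmon Event ID 10
# (ProcessAccess) records. Real events are EVTX/XML; this is illustrative.
SAMPLE_EVENTS = """\
EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe GrantedAccess=0x1fffff
EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami
"""

# key=value pairs; values may contain spaces, so stop only before the next key.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(_FIELD.findall(line.strip()))

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def is_suspicious_access(event):
    """True when a scripting host opens a watched process with VM_READ."""
    if event.get("EventID") != "10":
        return False
    access = int(event.get("GrantedAccess", "0"), 16)
    return (basename(event.get("SourceImage", "")) in SUSPECT_SOURCES
            and basename(event.get("TargetImage", "")) in WATCHED_TARGETS
            and access & PROCESS_VM_READ != 0)

def find_memory_scraping(log_text):
    """(source, target, GrantedAccess) for every suspicious event, in order."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_suspicious_access(ev):
            hits.append((basename(ev["SourceImage"]),
                         basename(ev["TargetImage"]),
                         ev["GrantedAccess"]))
    return hits

if __name__ == "__main__":
    for hit in find_memory_scraping(SAMPLE_EVENTS):
        print("ALERT: %s opened %s with GrantedAccess=%s" % hit)
```

      An svchost.exe or a non-browser target does not fire, and neither does a mask without the VM_READ bit; the two PowerShell-to-browser opens do.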





      Sunday, July 24, 2016

      Deepmagic Information Gathering Tool - DMitry




      DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU) Linux command line application written in C.

      DMitry can gather as much information as possible about a host. Its base functionality gathers possible subdomains, email addresses, uptime information, TCP port scan results, whois lookups, and more. The information is gathered with the following methods:


      • Perform an Internet Number whois lookup.
      • Retrieve possible uptime data, system and server data.
      • Perform a subdomain search on a target host.
      • Perform an e-mail address search on a target host.
      • Perform a TCP port scan on the target host.
      • A modular program allowing user-specified modules.


      Download and installation

      DMitry can be downloaded by issuing the following commands:


      $ cd /data/src/
      $ wget http://mor-pah.net/code/DMitry-1.3a.tar.gz

      For installation, issue the following commands:

      $ tar xzvf DMitry-1.3a.tar.gz
      $ cd DMitry-1.3a/
      $ ./configure
      $ make
      $ sudo make install

      Then optionally create a symbolic link to your /pentest/ directory:


      $ mkdir -p /pentest/enumeration/dmitry/
      $ ln -s /usr/local/bin/dmitry /pentest/enumeration/dmitry/dmitry

      Usage

      Help

      DMitry's help can be displayed by issuing:

      $ dmitry --help




      Reverse engineering, Malware analysis of Android applications - Androguard



      Reverse engineering, Malware and goodware analysis of Android applications ... and more (ninja !)

      Features
      Androguard is a full Python tool to play with Android files.
      • Map and manipulate DEX/ODEX/APK/AXML/ARSC formats into full Python objects
      • Disassembly/decompilation/modification of DEX/ODEX/APK formats
      • Decompilation with the first native dalvik decompiler (DAD), going directly from dalvik bytecode to Java source code
      • Access to the static analysis of the code (basic blocks, instructions, permissions (with the database from http://www.android-permissions.org/) ...) and create your own static analysis tool
      • Analysis of a bunch of Android apps
      • Analysis with ipython/Sublime Text Editor
      • Diffing of Android applications
      • Measure the efficiency of obfuscators (proguard, ...)
      • Determine if your application has been pirated (plagiarism/similarities/rip-off indicator)
      • Check if an Android application is present in a database (malware, goodware?)
      • Open source database of Android malware (this open-source database is built in my free time, which is of course limited, so if you want to help, you are welcome!)
      • Detection of ad/open source libraries (WIP)
      • Risk indicator of malicious applications
      • Reverse engineering of applications (goodware, malware)
      • Transform Android's binary XML (like AndroidManifest.xml) into classic XML
      • Visualize your application with gephi (gexf format), with cytoscape (xgmml format), or as PNG/DOT output
      • Integration with external decompilers (JAD+dex2jar/DED/fernflower/jd-gui...)

      Screenshots

      Tuesday, July 19, 2016

      A DNS Reconnaissance Tool for Locating Non-Contiguous IP Space - Fierce



      First, credit where credit is due: fierce was originally written by RSnake along with others at http://ha.ckers.org/ . This is simply a conversion to Python 3 to simplify and modernize the codebase.
      The original description was very apt, so I'll include it here:
      Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find misconfigured networks that leak internal address space. That's especially useful in targeted malware.

      Installing
      $ pip3 install fierce
      $ fierce -h
      OR
      $ git clone https://github.com/mschwager/fierce.git
      $ cd fierce
      $ pip3 install -r requirements.txt
      $ python3 fierce.py -h

      Using
      Let's start with something basic:
      $ fierce --domain google.com --subdomains accounts admin ads
      Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:
      $ fierce --domain facebook.com --subdomains admin --traverse 10
      Limit nearby IP traversal to certain domains with the --search flag:
      $ fierce --domain facebook.com --subdomains admin --search fb.com fb.net
      Attempt an HTTP connection on domains discovered with the --connect flag:
      $ fierce --domain stackoverflow.com --subdomains mail --connect
      Exchange speed for breadth with the --wide flag, which looks for nearby domains on all IPs of the /24 of a discovered domain:
      $ fierce --domain facebook.com --wide
      Zone transfers are rare these days, but they give us the keys to the DNS castle. zonetransfer.me is a very useful service for testing for and learning about zone transfers:
      $ fierce --domain zonetransfer.me
      To save the results to a file for later use we can simply redirect output:
      $ fierce --domain zonetransfer.me > output.txt
      Internal networks will often have large blocks of contiguous IP space assigned. We can scan those as well:
      $ fierce --dns-servers 10.0.0.1 --range 10.0.0.0/24
      Check out --help for further information:
      $ fierce --help
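      An added example (not part of fierce or of the original post) of the nearby-IP logic that --traverse, --wide and --search describe above: candidate addresses are generated around a discovered host, reverse-resolved, filtered to the domains in scope, and grouped into contiguous blocks, which is how the leaked address space fierce reports shows up. PTR_TABLE is a constructed stand-in for DNS using the documentation range 192.0.2.0/24 and example.com/example.net names.

```python
import ipaddress

# Constructed stand-in for DNS: reverse (PTR) records keyed by address.
# fierce resolves these live; the table keeps the example offline.
PTR_TABLE = {
    "192.0.2.10": "www.example.com",
    "192.0.2.11": "mail.example.com",
    "192.0.2.12": "vpn.example.net",      # sister domain, in scope only via --search
    "192.0.2.13": "cdn.other-host.test",  # unrelated tenant in the same /24
    "192.0.2.20": "dev.example.com",      # not contiguous with .10-.12
    "192.0.2.250": "admin.example.com",   # only reached by --wide
}

def _num(ip):
    return int(ipaddress.IPv4Address(ip))

def _str(num):
    return str(ipaddress.IPv4Address(num))

def traverse_candidates(ip, n):
    """Addresses within n of ip on either side (what --traverse N walks)."""
    base = _num(ip)
    return [_str(a) for a in range(max(base - n, 0), min(base + n, 2**32 - 1) + 1)]

def wide_candidates(ip):
    """Every host address of the /24 containing ip (what --wide walks)."""
    return [str(a) for a in ipaddress.IPv4Network(ip + "/24", strict=False).hosts()]

def in_scope(hostname, domains):
    """Keep names equal to, or under, the target domain or a --search domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def find_nearby(candidates, domains, ptr_table=PTR_TABLE):
    """Reverse-resolve each candidate; keep in-scope hits ordered by address."""
    hits = {ip: ptr_table[ip] for ip in candidates
            if ip in ptr_table and in_scope(ptr_table[ip], domains)}
    return dict(sorted(hits.items(), key=lambda kv: _num(kv[0])))

def contiguous_blocks(ips):
    """Group addresses into runs of consecutive IPs, as (first, last) pairs."""
    blocks = []
    for n in sorted(_num(ip) for ip in ips):
        if blocks and n == blocks[-1][1] + 1:
            blocks[-1][1] = n          # extend the current run
        else:
            blocks.append([n, n])      # start a new run
    return [(_str(a), _str(b)) for a, b in blocks]

if __name__ == "__main__":
    # www.example.com resolved to 192.0.2.10; walk 10 addresses either way,
    # accepting example.com plus the --search domain example.net.
    near = find_nearby(traverse_candidates("192.0.2.10", 10),
                       ["example.com", "example.net"])
    for ip, name in near.items():
        print(ip, name)
    print("contiguous blocks:", contiguous_blocks(near))
```

      Dropping example.net from the domain list removes .12 and splits the first block, and switching to wide_candidates() picks up .250, which the 10-address traversal never reaches.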



      Sunday, July 17, 2016

      Practice Penetration Testing - Labs



      I found this page; it has a pretty good mind map listing all available labs to practice your skills in penetration testing.

      • Vulnerable Web Applications [36 unique web applications]
      • Vulnerable Operating System Installations [16+ unique OS setups]
      • Sites for Downloading Older Versions of Various Software [3 sources]
      • Sites by Vendors of Security Testing Software [8 unique sites]
      • Sites for Improving Your Hacking Skills [16 unique sites]

      The link is http://www.amanhardikar.com/mindmaps/PracticewithURLs.html


      Wednesday, July 13, 2016

      Intrusion Detection/Prevention System (IDS/IPS) Testing Framework - pytbull



      pytbull is an Intrusion Detection/Prevention System (IDS/IPS) testing framework for Snort, Suricata and any IDS/IPS that generates an alert file. It can be used to test the detection and blocking capabilities of an IDS/IPS, to compare IDS/IPS products, to compare configuration modifications and to check/validate configurations.

      The framework ships with about 300 tests grouped in 11 testing modules:
      1. badTraffic: non-RFC-compliant packets are sent to the server to test how they are processed.
      2. bruteForce: tests the ability of the server to track brute force attacks (e.g. FTP). Makes use of custom rules on Snort and Suricata.
      3. clientSideAttacks: this module uses a reverse shell to provide the server with instructions to download remote malicious files. It tests the ability of the IDS/IPS to protect against client-side attacks.
      4. denialOfService: tests the ability of the IDS/IPS to protect against DoS attempts.
      5. evasionTechniques: various evasion techniques are used to check whether the IDS/IPS can detect them.
      6. fragmentedPackets: various fragmented payloads are sent to the server to test its ability to reassemble them and detect the attacks.
      7. ipReputation: tests the ability of the server to detect traffic from/to low-reputation servers.
      8. normalUsage: payloads that correspond to normal usage.
      9. pcapReplay: replays pcap files.
      10. shellCodes: sends various shellcodes to the server on port 21/tcp to test the ability of the server to detect/reject them.
      11. testRules: basic rule testing. These attacks are supposed to be detected by the rule sets shipped with the IDS/IPS.
      It is easily configurable and could integrate new modules in the future.
      There are basically 5 types of tests:
      1. socket: open a socket on a given port and send the payloads to the remote target on that port.
      2. command: send a command to the remote target with the subprocess.call() Python function.
      3. scapy: send specially crafted payloads based on the Scapy syntax.
      4. client side attacks: use a reverse shell on the remote target and send commands to it so that they are processed by the server (typically wget commands).
      5. pcap replay: replays traffic from pcap files.
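      Added example, not pytbull's own code: whatever the test type, pytbull decides whether a test was detected by looking for the expected signature in the IDS alert file after the payload has been sent. The functions below do that check offline over constructed alert lines in the Snort/Suricata "fast" format; the sids (local-rule range), messages, ports and test definitions are made up, and the target address is the 192.168.100.48 used in this post's usage example.

```python
import re

# Constructed sample alert file (Snort/Suricata "fast" format). The sids and
# messages are invented; one line is deliberately not an alert.
SAMPLE_ALERT_FILE = """\
07/13-10:22:31.123456  [**] [1:1000001:1] PYTBULL shellcode NOOP sled [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.168.100.48:21
07/13-10:22:40.000001  [**] [1:1000002:1] PYTBULL FTP brute force login attempts [**] [Priority: 3] {TCP} 10.0.0.5:51240 -> 192.168.100.48:21
07/13-10:22:45.777777  [**] [1:1000003:2] PYTBULL FTP brute force login attempts [**] [Priority: 3] {TCP} 10.0.0.5:51241 -> 192.168.100.48:21
not an alert line at all
"""
# Constructed test definitions: module, name, destination port the payload went
# to, and the alert-message pattern a pytbull config entry would look for.
TESTS = [
    {"module": "shellCodes", "name": "x86 NOOP sled", "port": 21, "pattern": r"NOOP|shellcode"},
    {"module": "bruteForce", "name": "FTP brute force", "port": 21, "pattern": r"brute\s*force"},
    {"module": "evasionTechniques", "name": "URL hex encoding", "port": 80, "pattern": r"evasion|hex"},
]
_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def parse_alert(line):
    """Parse one fast-format alert line; return None for anything else."""
    m = _ALERT.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["dst_ip"], _, port = alert["dst"].rpartition(":")
    alert["dst_port"] = int(port)
    return alert

def load_alerts(text):
    return [a for a in map(parse_alert, text.splitlines()) if a]

def evaluate(tests, alerts, target_ip):
    """Per test: sorted sids that fired against target_ip on the test's port
    with a matching message. An empty list means the IDS missed the test."""
    results = {}
    for t in tests:
        sids = {a["sid"] for a in alerts
                if a["dst_ip"] == target_ip and a["dst_port"] == t["port"]
                and re.search(t["pattern"], a["msg"], re.IGNORECASE)}
        results[t["name"]] = sorted(sids)
    return results

def detection_rate(results):
    """(detected, total) over the evaluated tests."""
    return sum(1 for s in results.values() if s), len(results)

if __name__ == "__main__":
    res = evaluate(TESTS, load_alerts(SAMPLE_ALERT_FILE), "192.168.100.48")
    for name, sids in res.items():
        print("%-20s %s" % (name, "DETECTED sids=%s" % sids if sids else "MISSED"))
    print("detection rate: %d/%d" % detection_rate(res))
```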

      Architecture

      Remote mode

      In this mode, the IDS is plugged into the SPAN port (port mirroring) of the core switch and its interface is configured in promiscuous mode. The IDS analyzes all traffic that goes through the core switch. Malicious files can be downloaded either by pytbull or by the server. This mode is called "remote".



      Local mode

      In this mode, files are downloaded on the client that pytbull is started from.

      IDS mode with attacked server in DMZ

      In this configuration, a firewall splits the network into 3 parts (LAN, WAN, DMZ). The IDS is plugged into a SPAN port (port mirroring) of the switch with its interface configured in promiscuous mode. It analyzes all traffic sent to the LAN interface of the firewall.


      IPS mode

      In this configuration, a firewall splits the network into 3 parts (LAN, WAN, DMZ). The IPS is plugged in between pytbull and the firewall. To give the IPS a chance to detect the malicious files, pytbull has to download the infected files itself.


      IPS mode with attacked server in DMZ

      In this configuration, a firewall splits the network into 3 parts (LAN, WAN, DMZ). The IPS is plugged in between pytbull and the firewall. Malicious files have to be downloaded by pytbull directly to give the IPS a chance to detect them.


      Usage

      If you have selected the clientSideAttacks module (see the configuration file section for more information), you will need to start the reverse shell on the server. The following command uses port 34567/tcp:
      $ ./pytbull-server.py -p 34567
      Since the files are downloaded into the current directory, you can create a pdf/ directory and start the server from inside it, pointing at the script in the parent directory:
      $ mkdir pdf/
      $ cd pdf/
      $ ../pytbull-server.py -p 34567
      Then start pytbull (on the client side). An example that starts the pytbull tests against 192.168.100.48, running Snort:
      $ sudo ./pytbull -t 192.168.100.48

      Note that you will need to adapt the port used by the reverse shell in config.cfg if you use the optional parameter -p on the remote side.



      Sunday, July 10, 2016

      Automatic SQL Database Injection - jSQL Injection



      jSQL Injection is a lightweight application used to find database information from a remote server. The tool is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

      jSQL Injection v0.72 Released





      Injection and local test

      Running an injection requires the URL of a local or remote server and the name of the parameter to inject.
      For a local test, save the following PHP code into the file 'simulate_get.php', move it to the root folder of your web server (e.g. /www), then use

      http://127.0.0.1/simulate_get.php?lib=


      and finally click Connect to read the local database:


      <?php
          // Deliberately injectable test page: the lib parameter is concatenated
          // straight into the query so each of jSQL's algorithms can be exercised.
          mysql_connect("localhost", "root", "");
          mysql_select_db("my_own_database");
          $result = mysql_query("SELECT * FROM my_own_table where my_own_field = " . $_GET['lib'])   # time based
              or die(mysql_error());                                                                 # error based
          if (mysql_num_rows($result) !== 0) echo " something ";                                     # blind
          while ($row = mysql_fetch_array($result, MYSQL_NUM))
              echo join(',', $row);                                                                  # normal
      ?>




      Features:

      • GET, POST, header, cookie methods
      • Normal, error based, blind, time based algorithms
      • Automatic best algorithm selection
      • Multi-thread control (start/pause/resume/stop)
      • Progress bars
      • Shows URL calls
      • Simple evasion
      • Proxy setting
      • Remote file reading
      • Webshell deposit
      • Terminal for webshell commands
      • Configuration backup
      • Update checker
      • Admin page checker
      • Brute forcer (md5 mysql…)
      • Coder (encode decode base64 hex md5…)
      • Supports MySQL
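      Added example, not jSQL's code: the same query as the PHP test page above, written once the vulnerable way (string concatenation, as in the sample) and once with a bound parameter, run against an in-memory SQLite table standing in for my_own_database with constructed rows. The render() helper mimics what the PHP page echoes, so the normal, blind and error-based responses that jSQL's algorithms observe are visible side by side with the hardened page; the time-based case is left out because SQLite has no SLEEP().

```python
import sqlite3

def make_db():
    """In-memory stand-in for my_own_database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_own_table (my_own_field INTEGER, secret TEXT)")
    conn.executemany("INSERT INTO my_own_table VALUES (?, ?)",
                     [(1, "alpha"), (2, "bravo"), (3, "charlie")])
    return conn

def lookup_vulnerable(conn, lib):
    """Same construction as the PHP sample: the request value is concatenated
    into the SQL text, so the database parses it as SQL rather than as data."""
    return conn.execute(
        "SELECT * FROM my_own_table WHERE my_own_field = " + lib).fetchall()

def lookup_hardened(conn, lib):
    """Bound parameter plus type validation: the value can only ever be data."""
    value = int(lib)   # ValueError for anything that is not a plain integer
    return conn.execute(
        "SELECT * FROM my_own_table WHERE my_own_field = ?", (value,)).fetchall()

def render(conn, lib, lookup, leak_errors):
    """Mimic the PHP page's output: the database error on failure (what
    'or die(mysql_error())' prints), ' something ' when rows exist, then the
    rows joined with commas. The hardened page reports a generic error."""
    try:
        rows = lookup(conn, lib)
    except (sqlite3.Error, ValueError) as exc:
        return "ERROR: " + (str(exc) if leak_errors else "bad request")
    marker = " something " if rows else ""
    return marker + ";".join(",".join(str(col) for col in row) for row in rows)

if __name__ == "__main__":
    db = make_db()
    # "2" is a legitimate value; the other three are the tautology, the
    # always-false condition (blind) and the syntax error (error based).
    for lib in ("2", "2 OR 1=1", "2 AND 1=2", "2'"):
        print("%-10r vulnerable=%-42r hardened=%r" % (
            lib, render(db, lib, lookup_vulnerable, True),
            render(db, lib, lookup_hardened, False)))
```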



      Established in 2015. Offensive Sec Blog has been sharing security research, hacking tools, threat intelligence, and offensive security content since 2015.
      Copyright © OffSec Blog | Powered by OffensiveSec
      Design by OffSec | Built for the security community