
Showing posts with label Analysis. Show all posts

Viproy - VoIP Penetration Testing and Exploitation Kit


Viproy VoIP Pen-Test Kit provides penetration testing modules for VoIP networks. It supports signalling analysis for the SIP and Skinny protocols, IP phone services and network infrastructure. Viproy 2.0 was released at Black Hat Arsenal USA 2014 with TCP/TLS support for SIP, vendor extensions support, a Cisco CDP spoofer/sniffer, Cisco Skinny protocol analysers, VOSS exploits and network analysis modules. Furthermore, Viproy provides SIP and Skinny development libraries for custom fuzzing and analysis modules.

Current Version and Updates
Current version: 4.1 (Requires ruby 2.1.X and Metasploit Framework Github Repo)
Pre-installed repo: https://github.com/fozavci/metasploit-framework-with-viproy

Homepage of Project
http://viproy.com

Talks

Black Hat USA 2016 - VoIP Wars: The Phreakers Awaken
https://www.slideshare.net/fozavci/voip-wars-the-phreakers-awaken
https://www.youtube.com/watch?v=rl_kp5UZKlw

DEF CON 24 - VoIP Wars: The Live Workshop
To be added later

Black Hat Europe 2015 - VoIP Wars: Destroying Jar Jar Lync
http://www.slideshare.net/fozavci/voip-wars-destroying-jar-jar-lync-unfiltered-version
https://youtu.be/TMdiXYzY8qY

DEF CON 23 - The Art of VoIP Hacking Workshop Slide Deck
http://www.slideshare.net/fozavci/the-art-of-voip-hacking-defcon-23-workshop
https://youtu.be/hwDD7K9oXeI

Black Hat USA 2014 / DEF CON 22 - VoIP Wars: Attack of the Cisco Phones
https://www.youtube.com/watch?v=hqL25srtoEY

DEF CON 21 - VoIP Wars: Return of the SIP
https://www.youtube.com/watch?v=d6cGlTB6qKw

Attacking SIP/VoIP Servers Using Viproy
https://www.youtube.com/watch?v=AbXh_L0-Y5A

Current Testing Modules
  • SIP Register
  • SIP Invite
  • SIP Message
  • SIP Negotiate
  • SIP Options
  • SIP Subscribe
  • SIP Enumerate
  • SIP Brute Force
  • SIP Trust Hacking
  • SIP UDP Amplification DoS
  • SIP Proxy Bounce
  • Skinny Register
  • Skinny Call
  • Skinny Call Forward
  • CUCDM Call Forwarder
  • CUCDM Speed Dial Manipulator
  • MITM Proxy TCP
  • MITM Proxy UDP
  • Cisco CDP Spoofer
  • Boghe VoIP Client INVITE PoC Exploit (New)
  • Boghe VoIP Client MSRP PoC Exploit (New)
  • SIP Message with INVITE Support (New)
  • Sample SIP SDP Fuzzer (New)
  • MSRP Message Tester with SIP INVITE Support (New)
  • Sample MSRP Message Fuzzer with SIP INVITE Support (New)
  • Sample MSRP Message Header Fuzzer with SIP INVITE Support (New)

Documentation

Installation
Copy "lib" and "modules" folders' content to Metasploit root directory.
The Mixins.rb file (lib/msf/core/auxiliary/mixins.rb) should contain the following lines:
require 'msf/core/auxiliary/sip'
require 'msf/core/auxiliary/skinny'
require 'msf/core/auxiliary/msrp'

Usage of SIP Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SIPUSAGE.md

Usage of Skinny Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SKINNYUSAGE.md

Usage of Auxiliary Viproy Modules
https://github.com/fozavci/viproy-voipkit/blob/master/OTHERSUSAGE.md


DATA - Credential Phish Analysis and Automation


Credential Phish Analysis and Automation

BUCKLEGRIPPER (py)
  • Given a suspected phishing url or file of line separated urls, visit, screenshot, and scrape for interesting files.
  • Requirements can be installed by running or reviewing install_bucklegripper_deps.sh
usage: bucklegripper.py [-h] [-u URL] [-s SOURCE] [-r READFILE] [-a USERAGENT]

Visit a suspected phishing page, screenshot it and pillage it for phishing
archives

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Url to visit
-s SOURCE, --source SOURCE
Apply a source to where this url came from
-r READFILE, --readfile READFILE
Read in a file of URLs one per line
-a USERAGENT, --useragent USERAGENT
Custom User-Agent
Example of reading in a single url
$ python bucklegripper.py -s openphish -u http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/Login.html 

.: BUCKLEGRIPPER v0.1 https://github.com/hadojae/DATA/ :.

[+] Processing http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/Login.html
[+] Screencapped http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/Login.html as 20170503-032950-openphish-www.govwebsearch.com.png
[+] Found Zip file at http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au.zip
[+] Saved http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au.zip as 20170503-032950-openphish-www.govwebsearch.com-optusnet.com.au.zip
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/
[+] Found php file: http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au/post.php
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/pdp/safe/
[+] Saved http://www.govwebsearch.com/apc/opc/pdp/safe/optusnet.com.au.zip as 20170503-032951-openphish-www.govwebsearch.com-optusnet.com.au.zip
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/pdp/
[+] Found Opendir at http://www.govwebsearch.com/apc/opc/
[+] Found Opendir at http://www.govwebsearch.com/apc/
Example of reading in a file of line separated urls
$ python bucklegripper.py -s openphish -r ../../test_urls.txt

.: BUCKLEGRIPPER v0.1 https://github.com/hadojae/DATA/ :.

[+] Beginning processing of ../../test_urls.txt

[+] Processing http://onjasela.net/DB/fr/
[+] Screencapped http://onjasela.net/DB/fr/ as 20170503-010034-openphish-onjasela.net.png

[+] Processing http://suesschool.com/yahoologin/yahoologin/clients/login.php
[+] Screencapped http://suesschool.com/yahoologin/yahoologin/clients/login.php as 20170503-010053-openphish-suesschool.com.png
[+] Found Opendir at http://suesschool.com/yahoologin/yahoologin/clients/
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/clients/login.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/clients/data.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/clients/block.php
[+] Found Opendir at http://suesschool.com/yahoologin/yahoologin/
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/login.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/data.php
[+] Found php file: http://suesschool.com/yahoologin/yahoologin/block.php
[+] Found Zip file at http://suesschool.com/yahoologin.zip
[+] Saved http://suesschool.com/yahoologin.zip as 20170503-010125-openphish-suesschool.com-yahoologin.zip
[+] Found Opendir at http://suesschool.com/yahoologin/

[+] Processing http://communitypartnersjc.org/wp-admin/js/index
[+] Screencapped http://communitypartnersjc.org/wp-admin/js/index as 20170503-010138-openphish-communitypartnersjc.org.png

[+] Processing http://ytrdesh.com/info/
[+] Screencapped http://ytrdesh.com/info/ as 20170503-010148-openphish-ytrdesh.com.png

...continues...

BULLYBLINDER (py)
  • While capturing a pcap visit a suspected phishing page. Handle redirectors and obfuscation to find a web form. Scrape the form and make educated guesses at what should be entered into the fields. Submit the form and repeat.
  • Requirements can be installed by running or reviewing install_bullyblinder_deps.sh
usage: bullyblinder.py [-h] -u URL [-a USERAGENT] -i INTERFACE

Visit a suspected phishing page and attempt form filling while getting a pcap

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL Url to visit
-a USERAGENT, --useragent USERAGENT
Custom User-Agent to use
-i INTERFACE, --interface INTERFACE
Interface to tell tshark to listen on
Example Usage
$ python bullyblinder.py -i eth0 -u http://www.justpropertydevelopers.com/scanned

.: BULLYBLINDER v0.1 https://github.com/hadojae/DATA/ :.

[+] Preparing pcap: 20170503-033243-www.justpropertydevelopers.com.pcap

[+] Processing http://www.justpropertydevelopers.com/scanned

[+] Submitting POST
[+] Control: <HiddenControl(hidCflag=1)>, Control.Type: hidden, Control.Name: hidCflag, Control.ID: hidCflag
[+] Control: <SelectControl(<None>=[])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*0])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*1])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*2])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*3])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <SelectControl(<None>=[*4])>, Control.Type: select, Control.Name: None, Control.ID: None
[+] Control: <TextControl(Email=shannonjudith@gmail.com)>, Control.Type: email, Control.Name: Email, Control.ID: Email
[+] Control: <PasswordControl(Passwd=696969)>, Control.Type: password, Control.Name: Passwd, Control.ID: Passwd
[+] Control: <SubmitControl(signIn=Sign in to view attachment) (readonly)>, Control.Type: submit, Control.Name: signIn, Control.ID: signIn
[+] Control: <CheckboxControl(PersistentCookie=[yes])>, Control.Type: checkbox, Control.Name: PersistentCookie, Control.ID: PersistentCookie
[+] Control: <HiddenControl(rmShown=1) (readonly)>, Control.Type: hidden, Control.Name: rmShown, Control.ID: None

[-] No form found, checking for redirectors and obfuscation.

[+] Found js window.location or document.location, processing the redir

[+] https://drive.google.com/#my-drive appears to be a legitimate website.

[+] Complete! Submitted 1 form(s)

[+] Url Request Chain:
http://justpropertydevelopers.com/scan/docg/doc/filewords/index.php
--http://justpropertydevelopers.com/scan/docg/doc/filewords/index.php

SLICKSHOES (sh)
  • A basic bash script that pulls urls out of pdfs in streams or in clear view.
  • The only argument to the script is the path to a folder containing the pdfs you want to process.
  • Requires pdf-parser.py from https://blog.didierstevens.com/programs/pdf-tools/; its location must be set in the first line of the script.
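The two places slickshoes looks for URLs (in clear view and inside compressed streams) are easy to see in a small parser. The following is an added example written for this page, not part of the DATA project and not a replacement for pdf-parser.py: it uses only the Python standard library, handles only the FlateDecode filter, and runs against a constructed minimal PDF that carries one link in a clear-view annotation and one inside a compressed stream. The `.invalid` domains are placeholders.

```python
"""Pull URLs out of a PDF, both in clear view and inside FlateDecode streams.

Added example (not the DATA project's code); stdlib only. Only the FlateDecode
filter is handled; other filters, object streams and encrypted PDFs need a
fuller parser such as pdf-parser.py.
"""
import re
import zlib

# http(s) URL up to whitespace or a PDF/HTML delimiter such as ')' or '>'
URL_RE = re.compile(rb'https?://[^\s<>()"\'\[\]]+')
# Body of a stream object; the lookbehind stops 'endstream' matching as 'stream'
STREAM_RE = re.compile(rb'(?<!end)stream\r?\n(.*?)\r?\nendstream', re.DOTALL)


def _dedupe(urls):
    """Keep first occurrence of each URL, preserving order."""
    seen = set()
    out = []
    for u in urls:
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def extract_pdf_urls(pdf_bytes):
    """Return the unique URLs found in the PDF, clear-view ones first."""
    found = [m.group(0).decode("latin-1") for m in URL_RE.finditer(pdf_bytes)]

    for m in STREAM_RE.finditer(pdf_bytes):
        # The stream dictionary sits between the object's 'obj' keyword and 'stream'
        window = pdf_bytes[max(0, m.start() - 512):m.start()]
        stream_dict = window[window.rfind(b"obj"):]
        body = m.group(1)
        if b"/FlateDecode" in stream_dict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or multiply-filtered stream: skip it
        found.extend(u.group(0).decode("latin-1") for u in URL_RE.finditer(body))

    return _dedupe(found)


def build_sample_pdf():
    """Constructed minimal PDF: one clear-view link, one link hidden in a compressed stream."""
    hidden = zlib.compress(b"/S /URI /URI (http://hidden.example.invalid/GD/index.php)")
    head = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link "
        b"/A << /S /URI /URI (http://clear.example.invalid/invoice/index.php) >> >> endobj\n"
        b"5 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n"
    )
    tail = b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    return head + b"stream\n" + hidden + tail


if __name__ == "__main__":
    for url in extract_pdf_urls(build_sample_pdf()):
        print(url)
```

Running the block prints the clear-view URL first and the one recovered from the inflated stream second; a plain `grep` over the same file would only ever see the first.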
Example Usage
$ ./slickshoes.sh ~/PDFs/
http://4cgemstones.com/polaiowpwwww/GD/index.php
http://80bpm.net/invoice-17524-Apr-26-2017-US-048591/
http://acheirapido.com.br/arquivos/pdf/
http://adams-kuwait.com/REview/office
http://rfaprojects.co.uk/invoice-80633-Apr-24-2017-US-665952/
http://sacm.net/SCANNED/ZN3747CGMSCWC/
https://geloscubinho.com.br/cgi/pdf/index.php
http://afriquecalabashsafaris.com/layouts/GD/index.php
http://akukoomole.com/AdobeLogin/index.php
...continues...
*PINCHERSOFPERIL and BULLYBUSTER are WIP
DATA scripts are a constant work in progress. Feedback, issues, and additions are welcomed.
Proper python packages will be created once sufficient testing and features have been added and more bugs have been squashed.

Troubleshooting
If you have pcap writing issues (observed on some VPS hosts), use the following to fix up dumpcap permissions:
sudo chgrp YOUR_USER /usr/bin/dumpcap
sudo chmod 750 /usr/bin/dumpcap
sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
Be sure to disable NIC features when capturing traffic; run this as root. Checksum errors will cause all sorts of nightmares.
# for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done


PhishingKitHunter - Find Phishing Kits Which Use Your Brand/Organization's Files And Image


Find phishing kits which use your brand/organization's files and image.
PhishingKitHunter (or PKHunter) is a tool for identifying the URLs of phishing kits used in phishing campaigns that target your customers and reuse some of your own website's files (CSS, JS, ...). The tool, written in Python 3, is based on analysing the Referer URL of requests that GET particular files from the legitimate website (such as style content) or that arrive when the user is redirected after the phishing session. Log files should contain the Referer URL, which tells you where the user came from and therefore where the phishing kit is deployed. PhishingKitHunter parses your log file to identify such non-legitimate referers requesting legitimate pages, based on regular expressions you put into PhishingKitHunter's config file.
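The referer trick described above, as an added example written for this page rather than PhishingKitHunter's own code. It assumes Apache/nginx "combined" log format; the asset path patterns and the list of legitimate referer hosts stand in for what the real tool reads from its config file, and the sample log lines (with `.invalid` placeholder domains) are constructed. No network access is made, so the report's status field is left as "not checked" rather than probing whether the kit is still up.

```python
"""Hunt phishing-kit URLs in web server logs by way of the Referer header.

Added example in the spirit of PhishingKitHunter, not the tool's own code.
Assumed: Apache/nginx "combined" log format; ASSET_PATTERNS and LEGIT_HOSTS
play the role of PhishingKitHunter's config file. Offline: no liveness probe.
"""
import json
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths a cloned kit tends to keep loading from the real site (assumed config values)
ASSET_PATTERNS = [re.compile(p) for p in (
    r"^/css/brand\.css",
    r"^/img/logo\.png",
    r"^/login/success",   # landing page the kit redirects victims to afterwards
)]
# Hosts whose referers are expected and must not be reported (constructed)
LEGIT_HOSTS = ("brand.example",)


def is_watched_path(path):
    return any(p.search(path) for p in ASSET_PATTERNS)


def referer_is_suspicious(referer):
    """True when the referer is an external site, i.e. a candidate kit location."""
    if referer in ("", "-"):
        return False  # no referer: direct hit, nothing to learn
    host = urlsplit(referer).hostname
    if host is None:
        return False
    return not any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def hunt(log_lines):
    """Return one report entry per distinct suspicious referer, in first-seen order."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_watched_path(m["path"]):
            continue
        ref = m["referer"]
        if not referer_is_suspicious(ref) or ref in hits:
            continue
        hits[ref] = {
            "PK_URL": ref,
            "PK_info": {
                "Domain": urlsplit(ref).hostname,
                "HTTP_sha256": "",              # would hold a hash of the live kit page
                "HTTP_status": "not checked",   # offline example: no liveness probe
                "date": m["date"],
            },
        }
    return list(hits.values())


def to_json(report):
    return json.dumps(report, indent=2)


# Constructed sample log (combined format); .invalid domains are placeholders
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2017:13:00:03 +0000] "GET /css/brand.css HTTP/1.1" 200 512 "http://badscam.invalid/includes/ap/?a=2" "Mozilla/5.0"
203.0.113.5 - - [01/May/2017:13:00:04 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "http://badscam.invalid/includes/ap/?a=2" "Mozilla/5.0"
198.51.100.7 - - [01/May/2017:13:00:49 +0000] "GET /css/brand.css HTTP/1.1" 200 512 "https://www.brand.example/login" "Mozilla/5.0"
198.51.100.9 - - [01/May/2017:13:01:14 +0000] "GET /login/success HTTP/1.1" 302 0 "http://assur.cam.invalid/scam/brand/new/2bd5a55b/" "Mozilla/5.0"
192.0.2.3 - - [01/May/2017:13:02:00 +0000] "GET /index.html HTTP/1.1" 200 100 "http://search.example/?q=brand" "Mozilla/5.0"
192.0.2.4 - - [01/May/2017:13:02:10 +0000] "GET /css/brand.css HTTP/1.1" 200 512 "-" "curl/7.0"
"""

if __name__ == "__main__":
    print(to_json(hunt(SAMPLE_LOG.splitlines())))
```

The two hits the sample produces are the external sites that loaded the brand's stylesheet and the one that sent a visitor to the post-login landing page; requests with the brand's own host as referer, with no referer, or for unwatched paths are ignored. Tuning the patterns too broadly (for instance matching `/` or every image) floods the report with search engines and legitimate embeds, which is why the tool keeps them in a config file.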

Features
  • find URL where a phishing kit is deployed
  • find if the phishing kit is still up and running
  • generate a JSON report useful for external usage
  • use a hash of the phishing kit's page to identify the kit
  • use a timestamp for history
  • can use HTTP or SOCKS5 proxy

Usage
$ ./PhishingKitHunter-0.6.py -i LogFile2017.log -o PKHunter-report-20170502-013307.json -c conf/test.conf

_ \ | / | | |
| | ' / | | | | __ \ __| _ \ __|
___/ . \ ___ | | | | | | __/ |
_| _|\_\_| _|\__,_|_| _|\__|\___|_|

-= Phishing Kit Hunter - v0.6b =-

[+] http://badscam.org/includes/ap/?a=2
| Timestamp: 01/May/2017:13:00:03
| HTTP status: can't connect (HTTP Error 404: Not Found)
[+] http://scamme.com/aple/985884e5b60732b1245fdfaf2a49cdfe/
| Timestamp: 01/May/2017:13:00:49
| HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
[+] http://badscam-er.com/eb/?e=4
| Timestamp: 01/May/2017:13:01:06
| HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
[+] http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/
| Timestamp: 01/May/2017:13:01:14
| HTTP status: UP
| HTTP shash : 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
[+] http://phish-other.eu/assur/big/phish/2be1c6afdbfc065c410d36ba88e7e4c9/
| Timestamp: 01/May/2017:13:01:15
| HTTP status: UP
| HTTP shash : 2a545c4d321e3b3cbb34af62e6e6fbfbdbc00a400bf70280cb00f4f6bb0eac44
697475it [06:41, 1208.14it/s]

Help
$ ./PhishingKitHunter-0.6.py --help

_ \ | / | | |
| | ' / | | | | __ \ __| _ \ __|
___/ . \ ___ | | | | | | __/ |
_| _|\_\_| _|\__,_|_| _|\__|\___|_|

-= Phishing Kit Hunter - v0.6b =-

-h --help Prints this
-i --ifile Input logfile to analyse
-o --ofile Output JSON report file (default: ./PKHunter-report-'date'-'hour'.json)
-c --config Configuration file to use (default: ./conf/defaults.conf)

JSON report example
$ cat ./PKHunter-report-20170502-013307.json

{
"PK_URL": "http://badscam.org/includes/ap/?a=2",
"PK_info": {
"Domain": "badscam.org",
"HTTP_sha256": "",
"HTTP_status": "can't connect (HTTP Error 404: Not Found)",
"date": "01/May/2017:13:00:03"
}
}{
"PK_URL": "http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/",
"PK_info": {
"Domain": "assur.cam.tech",
"HTTP_sha256": "0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091",
"HTTP_status": "UP",
"date": "01/May/2017:13:01:14"
}
}
[...]

Requirements
  • Python 3
  • requests
  • tqdm
  • json
  • PySocks

Install
Install the requirements
pip install -r requirements.txt

Configure
Please read the conf/default.conf file to learn how to configure PhishingKitHunter.


Inspeckage - (Android Package Inspector) Dynamic Analysis With API Hooks, Start Unexported Activities And More


Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.

Features
With Inspeckage, we can get a good amount of information about the application's behavior:

Information gathering
  • Requested Permissions;
  • App Permissions;
  • Shared Libraries;
  • Exported and non-exported Activities, Content Providers, Broadcast Receivers and Services;
  • Check if the app is debuggable or not;
  • Version, UID and GIDs;
  • etc.

Hooks (so far)
With the hooks, we can see what the application is doing in real time:
  • Shared Preferences (log and file);
  • Serialization;
  • Crypto;
  • Hashes;
  • SQLite;
  • HTTP (an HTTP proxy tool is still the best alternative);
  • File System;
  • Miscellaneous (Clipboard, URL.Parse());
  • WebView;
  • IPC;
  • + Hooks (add new hooks dynamically)

Actions
With Xposed it's possible to perform actions such as starting an unexported activity and much else:
  • Start any activity (exported and unexported);
  • Call any provider (exported and unexported);
  • Disable FLAG_SECURE;
  • SSL uncheck (bypass certificate pinning - JSSE, Apache and okhttp3);
  • Start, stop and restart the application;
  • Replace params and return value (+Hooks tab).

Extras
  • APK Download;
  • View the app's directory tree;
  • Download the app's files;
  • Download the output generated by hooks in text file format;
  • Take a screen capture;
  • Send text to android clipboard.

Configuration
Even though our tool has some hooks to the HTTP libraries, using an external proxy tool is still the best option to analyze the app's traffic. With Inspeckage, you can:
  • Add a proxy to the target app;
  • Enable and disable proxy;
  • Add entries in the arp table.

Logcat
Logcat.html page: an experimental page that uses a websocket to show some information from the logcat.

Installation
Requirements: Xposed Framework

Xposed Installer
  1. Go to Xposed Installer, select "Download"
  2. Refresh and search for "Inspeckage"
  3. Download the latest version and install
  4. Enable it in Xposed
  5. Reboot and enjoy!

Xposed Repository
Get it from Xposed repo: http://repo.xposed.info/module/mobi.acpm.inspeckage
    adb install mobi.acpm.inspeckage.apk
  1. Enable it in Xposed
  2. Reboot and enjoy!

From Source
Feel free to download the source!

How to uninstall
    adb uninstall mobi.acpm.inspeckage
And reboot!

Genymotion

Screenshots (images not included in this extract)
MultiScanner - Modular File Scanning/Analysis Framework


MultiScanner is a file analysis framework that assists the user in evaluating a set of files by automatically running a suite of tools for the user and aggregating the output. Tools can be custom built python scripts, web APIs, software running on another machine, etc. Tools are incorporated by creating modules that run in the MultiScanner framework.
Modules are designed to be quickly written and easily incorporated into the framework. Currently written and maintained modules are related to malware analytics, but the framework is not limited to that scope. For a list of modules, look in the modules directory; descriptions and config options can be found in docs/modules.md.

Requirements
Python 2.7 is recommended. Compatibility with 2.7+ and 3.3+ is supported but not thoroughly maintained and tested. Please submit an issue or a pull request fixing any issues found with other versions of Python.
An installer script is included in the project install.sh, which installs the prerequisites on most systems.

Installation

MultiScanner
If you're running on a RedHat or Debian based linux distribution you should try and run install.sh. Otherwise the required python packages are defined in requirements.txt.
MultiScanner must have a configuration file to run. Generate the MultiScanner default configuration by running python multiscanner.py init after cloning the repository. This command can be used to rewrite the configuration file to its default state or, if new modules have been written, to add their configuration to the configuration file.

Analytic Machine
Default modules have the option to be run locally or via SSH. The development team runs MultiScanner on a Linux host and hosts the majority of analytical tools on a separate Windows machine. The SSH server used in this environment is freeSSHd from http://www.freesshd.com/.
A network share accessible to both the MultiScanner and the Analytic Machines is required for the multi-machine setup. Once configured, the network share path must be identified in the configuration file, config.ini. To do this, set the copyfilesto option under [main] to be the mount point on the system running MultiScanner. Modules can have a replacement path option, which is the network share mount point on the analytic machine.

Module Writing
Modules are intended to be quickly written and incorporated into the framework. A finished module must be placed in the modules folder before it can be used. The configuration file does not need to be manually updated. See docs/module_writing.md for more information.

Module Configuration
Modules are configured within the configuration file, config.ini. See docs/modules.md for more information.

Python API
MultiScanner can be incorporated as a module in other projects. Below is a simple example of how to import MultiScanner into a Python script.
import multiscanner
FileList = ["/path/to/sample1.bin", "/path/to/sample2.bin"]  # paths of the files to scan
output = multiscanner.multiscan(FileList)
Results = multiscanner.parse_reports(output, python=True)
Results is a dictionary object where each key is a filename of a scanned file.
multiscanner.config_init(filepath) will create a default configuration file at the location defined by filepath.

Other Reading
For more information on module configuration or writing modules check the docs folder.


crackle - Crack Bluetooth Smart (BLE) Encryption



crackle cracks BLE Encryption (AKA Bluetooth Smart).

crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected.

With the STK and LTK, all communications between the master and the slave can be decrypted.
Before attempting to use crackle, review the FAQ to determine whether it is the appropriate tool to use in your situation.

crackle was written by Mike Ryan (mikeryan@lacklustre.net). See the web site for more info: http://lacklustre.net/projects/crackle/

Modes of Operation
crackle has two major modes of operation: Crack TK and Decrypt with LTK.

Crack TK
This is the default mode used when providing crackle with an input file using -i .
In Crack TK mode, crackle brute forces the TK used during a BLE pairing event. crackle exploits the fact that the TK in Just Works(tm) and 6-digit PIN pairing is a value in the range [0,999999] padded to 128 bits.
crackle employs several methods to perform this brute force: a very fast method if all pairing packets are present in the input file, and a slow method if a minimum set of packets is present.
To use this mode, launch crackle with an input PCAP or PcapNG file containing one or more connections with a BLE pairing conversation. crackle will analyze all connections, determine whether it is possible to crack a given connection, and automatically choose the best strategy to crack each one.
If the TK successfully cracks, crackle will derive the remaining keys used to encrypt the rest of the connection and will decrypt any encrypted packets that follow. If the LTK is exchanged (typically the first thing done after encryption is established) crackle will output this value to stdout. The LTK can be used to decrypt any future communications between the two endpoints.
Provide crackle with an output file using -o to create a new PCAP file containing the decrypted data (in addition to the already unencrypted data).
Example usage:
$ crackle -i input.pcap -o decrypted.pcap

Decrypt with LTK
In Decrypt with LTK mode, crackle uses a user-supplied LTK to decrypt communications between a master and slave. This mode is identical to the decryption portion of Crack TK mode.
Example usage:
$ crackle -i encrypted.pcap -o decrypted.pcap -l 81b06facd90fe7a6e9bbd9cee59736a7

Running Crackle

Crack TK Mode
In Crack TK mode, crackle requires a PCAP file that contains a BLE pairing event. The best way to generate such a file is to use an Ubertooth to capture a pairing event between a master and a slave.
To check if your PCAP file contains all the necessary packets, run crackle with the -i option:
crackle -i <file.pcap>
crackle will analyze each connection in the input file and output the results of its analysis to stdout. If you have all the components of a pairing conversation, the output will look like this:
Analyzing connection 0:
xx:xx:xx:xx:xx:xx (public) -> yy:yy:yy:yy:yy:yy (public)
Found 13 encrypted packets

Cracking with strategy 0, 20 bits of entropy

!!!
TK found: 412741
!!!

Decrypted 12 packets
LTK found: 81b06facd90fe7a6e9bbd9cee59736a7

Specify an output file with -o to decrypt packets!
To decrypt all packets, add the -o option:
crackle -i <file.pcap> -o <output.pcap>
The output file will contain decrypted versions of all the encrypted packets from the original PCAP, as well as all the unencrypted packets. Note that CRCs are not recalculated, so the CRCs of decrypted packets will be incorrect.

Decrypt with LTK
In Decrypt with LTK mode, crackle requires a PCAP file that contains at a minimum LL_ENC_REQ and LL_ENC_RSP packets and the LTK used to encrypt the communications.
The format for LTK is a 128 bit hexadecimal number with no spaces or separators, most-significant octet to least-significant octet. Example:
-l 81b06facd90fe7a6e9bbd9cee59736a7
To check if your PCAP file contains all the necessary packets, run crackle with -i and -l:
crackle -i <file.pcap> -l <ltk>
If you have both of the required packets, the program should produce output similar to this:
Analyzing connection 0:
xx:xx:xx:xx:xx:xx (public) -> yy:yy:yy:yy:yy:yy (public)
Found 9 encrypted packets
Decrypted 6 packets

Specify an output file with -o to decrypt packets!
To decrypt all packets, add the -o option:
crackle -i <file.pcap> -o <out.pcap> -l <ltk>
The output file will be produced similarly to the output file described above.

Sample Files
The test files included in the tests directory serve as interesting input for playing with crackle. Review the README files included in each test's subdirectory.
Grab some sample files for cracking with crackle. Refer to the README inside the tarball for more information:
https://lacklustre.net/bluetooth/crackle-sample.tgz

Frequently Asked Questions
We have compiled a list of Frequently Asked Questions.

See Also


Network-Analysis-Tools - Pcap Capture File Analysis Tool

Pcap Capture File Analysis Tool

Features
  1. Top 10 Visited Sites
  2. Emails
  3. All Request URLs
  4. User-Agents List
  5. String Grep Mode
  6. Connection Details
  7. Ports Used
  8. All IP List
  9. Manual Packet Filter
  10. SMTP Analysis
  11. Web Attack Detect

Installation Modules
$ pip install pyshark
$ pip install dpkt

Requirements (third-party)
[+]Wireshark
[+]Tshark
[+]Mergecap
[+]Ngrep

Tested
[+]Debian
[+]Ubuntu

Screenshots (images not included in this extract): Import Pcap File; Manual Packet Filter; Web Application Attack Detect; Automatic Detect And Convert; All Conversation; All IP List; and more...


ScratchABit - Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API


ScratchABit is an interactive incremental disassembler with data/control flow analysis capabilities. ScratchABit is dedicated to the efforts of the OpenSource reverse engineering community (reverse engineering to produce OpenSource drivers/firmware for hardware not properly supported by vendors).
ScratchABit supports the IDAPython API, well known in the community, for writing disassembly/extension modules.
ScratchABit is a work in progress; features are added on an as-needed basis, and contributions are welcome.
ScratchABit is released under the terms of GNU General Public License v3 (GPLv3).

Requirements/manifesto
  1. Should not be written in an obfuscated language. These include languages which are too low-level, which allow access to non-initialized variables, which don't differentiate between variables and functions/procedures, which start array indexes from arbitrary numbers, etc., etc. ScratchABit is written in Python (modern version, Python3) for your pleasure and sanity.
  2. The user interface framework should allow user interaction of the needed level, not add dependencies, bloat, issues, and incompatibilities between the framework's versions. ScratchABit currently uses a simple (no color even) full-screen text user interface, using ANSI/VT100 terminal escape sequences (yes, even the curses library was deemed too bloated a dependency to force upon users).
  3. Should leverage easy to use text formats to store "database", to facilitate easy reuse and tool writing, and storage in version control systems.

Quick start
To use ScratchABit, you need Python3 installed and VT100 (minimum) or XTerm (recommended) terminal or terminal emulator (any Unix system should be compliant, like Linux/BSD/etc., see FAQ below for more).
Clone the code using:
git clone --recursive https://github.com/pfalcon/ScratchABit
If you cloned the code without --recursive, run git submodule update --init.
If you want to disassemble a file in self-describing executable format (like ELF), just pass it as an argument to ScratchABit.py . The repository includes example-elf (x86 32bit) for quick start:
python3 ScratchABit.py example-elf
Alternatively, if you want to disassemble a raw binary file, you need to create a .def (definition) file, to specify what memory areas are defined for the code, at which address to load binary file, etc. (Note: a .def file may be useful for .elf and similar files too.) The repository includes a simple x86_64 raw binary code, and the corresponding .def file:
python3 ScratchABit.py example.def
Press F1 if in doubt what to do next (ScratchABit works similarly to other interactive disassemblers; some previous experience or background reading may be helpful). Press F9 to access menus (mouse works too in XTerm-compatible terminals).

Using Plugins
IDAPython processor plugins can be loaded from anywhere on the Python module path. Alternatively, you can symlink the plugin .py file into the plugins/cpu/ subdirectory.
After the plugin is made available, create a new definition file based on example.def that sets the plugin module name in the cpu xxx line.
For a very simple example that uses an external plugin, see this esp8266.def file that works with the xtensa.py plugin from the ida-xtensa2 repository.

TODO/Things to decide
  • Currently uses multiple files for "database", each storing particular type of information. Switch to a single YAML file instead?
  • Add color (low priority, (unbloated!) patches welcome).
  • Few important UI commands to implement yet for comfortable work. ( All the most important commands should be there, other functionality is expected to be implemented using plugins).
  • Offer to save DB on quit if modified.
  • Git integration for DB saving.
  • Improve robustness (add exception handler at the main loop level, don't abort the application, show to user/log and continue).
  • Try to deal with code flow inconsistencies (e.g. within an instruction; low priority for intended usage) and data access inconsistencies (e.g. accessing individual bytes of a previously detected word; higher priority). (Improved in 1.4.)
  • See how to support other types of IDAPython plugins besides just processor modules.
  • Parse and use debugging information (e.g. DWARF) present in ELF (etc.) files.

FAQ
Q: What processors/architectures are supported?
A: ScratchABit doesn't support any processor architectures on its own; it is fully retargetable using IDAPython API plugins. Many plugins are available, and writing a new plugin is easy. To let users test-drive ScratchABit, a very simple (!) X86 processor plugin is included in the distribution, using the Pymsasid disassembler under the hood.
Q: I'm not on Linux, how can I run ScratchABit?
A: Install Linux in an emulator/VM on your system and rejoice.


SAMHAIN v3.1.2 - File Integrity Checker / Host-Based Intrusion Detection System

The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.

Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).


Features

» Centralized monitoring

The client/server architecture allows central logging, central storage of baseline databases and client configurations, and central updates of baseline databases.

» Web-based management console

The web-based Beltane console, available as a separate package, allows you to monitor server and client activity, view client reports, and update the baseline databases.

» Flexible logging

Samhain supports multiple logging facilities, each of which can be configured individually.

» Tamper resistance

Samhain offers PGP-signed database and configuration files, a stealth mode, and several more features to protect its integrity.

Hook Analyser 3.1 - Malware Analysis Tool

Hook Analyser is a freeware application which allows an investigator/analyst to perform "static & run-time / dynamic" analysis of suspicious applications, as well as gather (analyse and correlate) threat intelligence related information (or data) from various open sources on the Internet.

Essentially it’s a malware analysis tool that has evolved to add some cyber threat intelligence features & mapping.


Hook Analyser is perhaps the only "free" software in the market which combines malware analysis and cyber threat intelligence capabilities. The software has been used by major Fortune 500 organisations.

Features/Functionality
  • Spawn and Hook to Application – Enables you to spawn an application, and hook into it
  • Hook to a specific running process – Allows you to hook to a running (active) process
  • Static Malware Analysis – Scans PE/Windows executables to identify potential malware traces
  • Application crash analysis – Allows you to analyse memory content when an application crashes
  • Exe extractor – This module essentially extracts executables from running process/s

FS-NyarL - Network Takeover & Forensic Analysis Tool


NyarL is Nyarlathotep, a mythological chaotic deity from H.P. Lovecraft's cosmogony.
It represents the Crawling Chaos, and FS-NyarL is The Crawling Chaos of Cyber Security :-)
A network takeover & forensic analysis tool - useful for advanced PenTest tasks & for fun and profit - but use it at your own risk!
 
  • Interactive Console
  • Real Time Passwords Found
  • Real Time Hosts Enumeration
  • Tuned Injections & Client Side Attacks
  • ARP Poisoning & SSL Hijacking
  • Automated HTTP Report Generator

ATTACKS IMPLEMENTED:
  • MITM (Arp Poisoning)
  • Sniffing (With & Without Arp Poisoning)
  • SSL Hijacking (Full SSL/TLS Control)
  • HTTP Session Hijacking (Take & Use Session Cookies)
  • Client Browser Takeover (with Filter Injection in data stream)
  • Browser AutoPwn (with Filter Injection in data stream)
  • Evil Java Applet (with Filter Injection in data stream)
  • DNS Spoofing
  • Port Scanning


POST ATTACKS DATA OBTAINED:

  • Passwords extracted from data stream
  • Pcap file with whole data stream for deep analysis
  • Session flows extracted from data stream (Xplico & Chaosreader)
  • Files extracted from data stream
  • Hosts enumeration (IP, MAC, OS)
  • URLs extracted from data stream
  • Cookies extracted from data stream
  • Images extracted from data stream
  • List of HTTP files downloaded extracted from URLs


DEPENDENCIES (aka USED TOOLS):

  • Chaosreader (already in bin folder)
  • Xplico
  • Ettercap
  • Arpspoof
  • Arp-scan
  • Mitmproxy
  • Nmap
  • Tcpdump
  • Beef
  • SET
  • Metasploit
  • Dsniff
  • Macchanger
  • Hamster
  • Ferret
  • P0f
  • Foremost
  • SSLStrip
  • SSLSplit

Scout - Download and analyze webpage components to identify infected files


Uses the Pinpoint engine to download and analyze webpage components to identify infected files. Scout has a built-in HTTP Request Simulator that will render user-specified HTML files, catch the resulting HTTP requests, then drop the responses. Scout includes the ability to screenshot the webpage using PhantomJS (download PhantomJS and copy the .exe to the same folder as Scout). Use Scout in a VM since it could potentially cause your computer to become infected.

[CIAT] Crypto Implementations Analysis Toolkit

The Cryptographic Implementations Analysis Toolkit (CIAT) is a compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable).


[WebSploit Framework] Scan and Analyse Remote Systems for Vulnerabilities


WebSploit is an open source project for scanning and analysing remote systems for vulnerabilities.

WebSploit is an open source project for:
[>]Social engineering work
[>]Web scanning, crawling & analysis
[>]Automatic exploitation
[>]Network attack support

[+]Autopwn - uses Metasploit to scan and exploit target services
[+]wmap - scans and crawls the target using the Metasploit wmap plugin
[+]format infector - injects reverse & bind payloads into file formats
[+]phpmyadmin Scanner
[+]LFI Bypasser
[+]Apache Users Scanner
[+]Dir Bruter
[+]admin finder
[+]MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
[+]MITM - Man In The Middle Attack
[+]Java Applet Attack
[+]MFOD Attack Vector
[+]USB Infection Attack
[+]ARP Dos Attack
[+]Web Killer Attack
[+]Fake Update Attack
[+]Fake Access point Attack
[+]Wifi Honeypot
[+]Wifi Jammer
[+]Wifi Dos
[+]Bluetooth POD Attack

[Binwalk] Firmware Analysis Tool


Binwalk is a firmware analysis tool designed to assist in the analysis, extraction, and reverse engineering of firmware images and other binary blobs. It is simple to use, fully scriptable, and can be easily extended via custom signatures, extraction rules, and plugin modules.

Binwalk supports various types of analysis useful for inspecting and reverse engineering firmware, including:
  • Embedded file identification and extraction
  • Executable code identification
  • Type casting
  • Entropy analysis and graphing
  • Heuristic data analysis
  • "Smart" strings analysis
Binwalk's file signatures are (mostly) compatible with the magic signatures used by the Unix file utility, and include customized/improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, kernels, bootloaders, filesystems, etc.


Features

Binwalk is:
  • Fast
  • Flexible
  • Extendable
  • Easy to use
Binwalk can:
  • Find and extract interesting files / data from binary images
  • Find and extract raw compression streams
  • Identify opcodes for a variety of architectures
  • Perform data entropy analysis
  • Heuristically analyze unknown compression / encryption
  • Visualize binary data
  • Diff an arbitrary number of files

[Raft v3.0.1] Response Analysis and Further Testing Tool

Not an inspection proxy

RAFT is a testing tool for the identification of vulnerabilities in web applications. RAFT is a suite of tools that utilize common shared elements to make testing and analysis easier. The tool provides visibility into areas that other tools do not, such as various kinds of client-side storage.

RAFT uses markup to create templates for fuzz testing.

[Hook Analyser 2.5] Application (and Malware) Analysis tool


Application (and Malware) Analysis tool. Hook Analyser is a hooking tool which can be helpful in reversing applications and analysing malware.


Changelog v2.5

This now has five (5) key functionalities:
  1. Spawn and Hook to Application – This feature allows an analyst to spawn an application and hook into it. The module flow is as follows:
    1. PE validation (with XOR bruteforce)
    2. Static malware analysis.
    3. Other options (such as pattern search or dump all)
    4. Type of hooking (Automatic, Smart or manual)
    5. Spawn and hook

Currently, there are three types of hooking being supported –
  • Automatic – The tool will parse the application import tables, and based upon that will hook into specified APIs
  • Manual – On this, the tool will ask end-user for each API, if it needs to be hooked.
  • Smart – This is essentially a subset of automatic hooking however, excludes uninteresting APIs.

2. Hook to a specific running process – This option allows an analyst to hook to a running (active) process. The program flow is:
  1. List all running processes
  2. Identify the running process executable path.
  3. Perform static malware analysis on executable (fetched from process executable path)
  4. Other options (such as pattern search or dump all)
  5. Type of hooking (Automatic, Smart or manual)
  6. Hook to a specific running process
  7. Hook and continue the process

3. Static Malware Analysis – This module is one of the most interesting and useful modules of Hook Analyser; it scans PE or Windows executables to identify potential malware traces. The sub-components are listed below (and this is not the full list):
  1. PE file validation (with XOR bruteforce)
  2. CRC and timestamps validation
  3. PE properties such as Image Base, Entry point, sections, subsystem
  4. TLS entry detection.
  5. Entry point verification (if falls in suspicious section)
  6. Suspicious entry point detection
  7. Packer detection
  8. Signature trace (extended from the Malware Analyser project), such as anti-VM aware, debug aware, keyboard hook aware etc. This particular function searches for more than 20 unique malware behaviours (using hundreds of signatures).
  9. Import intel scanning.
  10. Deep search (module): online search of the executable's MD5 on Threat Expert.
  11. String dump (ASCII)
  12. Executable file information
  13. Hexdump
  14. PEfile info dumping
  15. …and more.

4. Application crash analysis – This module enables an exploit researcher and/or application developer to analyse memory content when an application crashes. This module essentially displays data in different memory registers (such as EIP).

5. Exe extractor – This module essentially extracts executables from running process(es), which could then be further analysed using Hook Analyser, Malware Analyser or other solutions. This module is potentially useful for incident responders.

[REMnux] A Linux Distribution for Malware Analysis

REMnux incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. This popular toolkit includes programs for analyzing malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics.

REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.

You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking the Reverse-Engineering Malware course that my colleagues and I teach at SANS Institute.

REMnux focuses on the most practical freely-available malware analysis tools that run on Linux. If you are looking for a more full-featured distribution that incorporates a broader range of digital forensic analysis utilities, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Originally released in 2010, REMnux has been updated to version 4 in April 2013.


What’s New in REMnux v4

REMnux is now available as an Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (Here's how to easily install the REMnux virtual appliance.) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.

Getting Started With REMnux

The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.

The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis.

If you find REMnux useful, take a look at the reverse-engineering malware course. It makes use of REMnux and various other tools.

[Binwalk v1.2] Firmware Analysis Tool

Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility.

Binwalk also includes a custom magic signature file which contains improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc.

Changelog v1.2

  • Recursive File Scanning and Extraction: Often files extracted by binwalk need to be further scanned / analyzed.
  • Entropy and Strings Analysis: Binwalk's signature analysis is great, but how do you know it didn't miss something? What do you do if binwalk doesn't find anything at all? Examining a file's entropy can reveal a lot about its contents.
  • Plugin Support: In addition to a scriptable API, binwalk now supports plugins that are afforded considerable control over binwalk’s scan process. Plugins are particularly useful for extending or modifying binwalk’s analysis where custom signatures fall short.
Plugins are easy to write; check out some of the examples on the wiki!

[360-FAAR v0.4.1] Firewall Analysis Audit And Repair


360-FAAR (Firewall Analysis Audit and Repair) is an offline, command line, Perl firewall policy manipulation tool to filter, compare to logs, merge, translate and output firewall commands for new policies, in Checkpoint dbedit, Cisco ASA or ScreenOS commands, and it's one file!

Changes: This release adds the 'mergelog' mode to merge binary log entries from one config with another and significantly updates the user interface. All configs can be loaded from the 'load' menu instead of specifying them on the command line. Added 'verbose' switches to 'print' and 'rr' modes so that screen output can be switched off, and all 'end.' key words have been changed to simply '.' to reduce the number of keystrokes needed. Entering '0' now adds all options and '.' chooses the default if available. The Netscreen output stage now uses a default zone if none are specified.
Reads policy and logs for:
  • Checkpoint FW1 (in odumper.csv / logexport format)
  • Netscreen ScreenOS (in get config / syslog format)
  • Cisco ASA (show run / syslog format)

360-FAAR uses both inclusive and exclusive CIDR and text filters, permitting you to split large policies into smaller ones for virtualisation at the same time as removing unused connectivity.

360-FAAR supports policy-to-log association, object translation, rulebase reordering and simplification, rule moves and duplicate matching automatically, allowing you to seamlessly move rules to where you need them.

Download 360-FAAR Firewall Analysis Audit And Repair 0.4.1