OpenSnitch - GNU/Linux port of the Little Snitch application firewall

OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.

Requirements
You'll need a GNU/Linux distribution with iptables, NFQUEUE and ftrace kernel support.

Install

sudo apt-get install build-essential python3-dev python3-setuptools libnetfilter-queue-dev python3-pyqt5 python3-gi python3-dbus python3-pyinotify
cd opensnitch
sudo python3 setup.py install

Run

sudo -HE opensnitchd
opensnitch-qt

Known Issues / Future Improvements
Before opening an issue, keep in mind that the current implementation is just an experiment to see the doability of the project, future improvements of OpenSnitch will include:
Split the project into opensnitchd, opensnitch-ui and opensnitch-ruleman:

• opensnitchd will be a (C++ ? TBD) daemon, running as root with the main logic. It'll fix this.
• opensnitch-ui python (?) UI running as normal user, getting the daemon messages. Will fix this.
• opensnitch-ruleman python (?) UI for rule editing.

How Does It Work
OpenSnitch is an application level firewall, meaning then while running, it will detect and alert the user for every outgoing connection applications he's running are creating. This can be extremely effective to detect and block unwanted connections on your system that might be caused by a security breach, causing data exfiltration to be much harder for an attacker. In order to do that, OpenSnitch relies on NFQUEUE, an iptables target/extension which allows an userland software to intercept IP packets and either ALLOW or DROP them, once started it'll install the following iptables rules:

OUTPUT -t mangle -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0 --queue-bypass

This will use conntrack iptables extension to pass all newly created connection packets to NFQUEUE number 0 (the one OpenSnitch is listening on), and then:

INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

This will also redirect DNS queries to OpenSnitch, allowing the software to perform and IP -> hostname resolution without performing active DNS queries itself.
Once a new connection is detected, the software relies on the ftrace kernel extension in order to track which PID (therefore which process) is creating the connection.
If ftrace is not available for your kernel, OpenSnitch will fallback using the /proc filesystem, even if this method will also work, it's vulnerable to application path manipulation as described in this issue, therefore it's highly suggested to run OpenSnitch on a ftrace enabled kernel.

Download OpenSnitch

Read More

Cowrie - SSH/Telnet Honeypot

Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

Cowrie is developed by Michel Oosterhof.

Features
Some interesting features:

• Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
• Possibility of adding fake file contents so the attacker can cat files such as /etc/passwd. Only minimal file contents are included
• Session logs stored in an UML Compatible format for easy replay with original timings
• Cowrie saves files downloaded with wget/curl or uploaded with SFTP and scp for later inspection

Additional functionality over standard kippo:

• SFTP and SCP support for file upload
• Support for SSH exec commands
• Logging of direct-tcp connection attempts (ssh proxying)
• Forward SMTP connections to SMTP Honeypot (e.g. mailoney)
• Logging in JSON format for easy processing in log management solutions
• Many, many additional commands

Requirements
Software required:

• Python 2.7+, (Python 3 not yet supported due to Twisted dependencies)
• python-virtualenv

For Python dependencies, see requirements.txt

Files of interest:

• cowrie.cfg - Cowrie's configuration file. Default values can be found in cowrie.cfg.dist
• data/fs.pickle - fake filesystem
• data/userdb.txt - credentials allowed or disallowed to access the honeypot
• dl/ - files transferred from the attacker to the honeypot are stored here
• honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here or use bin/fsctl
• log/cowrie.json - transaction output in JSON format
• log/cowrie.log - log/debug output
• log/tty/*.log - session logs
• txtcmds/ - file contents for the fake commands
• bin/createfs - used to create the fake filesystem
• bin/playlog - utility to replay session logs

Read more.

Download Cowrie

Read More

mimipenguin - A Tool To Dump The Login Password From The Current Linux User

A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.

Details

Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word's probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.

Requires

• root permissions

Supported/Tested Systems

• Kali 4.3.0 (rolling) x64 (gdm3)
• Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
• Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
• XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3-0ubuntu2)
• Archlinux x64 Gnome 3 (Gnome Keyring 3.20)
• VSFTPd 3.0.3-8+b1 (Active FTP client connections)
• Apache2 2.4.25-3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
• openssh-server 1:7.3p1-1 (Active SSH connections - sudo usage)

Notes

• Password moves in memory - still honing in on 100% effectiveness
• Plan on expanding support and other credential locations
• Working on expanding to non-desktop environments
• Known bug - sometimes gcore hangs the script, this is a problem with gcore
• Open to pull requests and community research
• LDAP research (nscld winbind etc) planned for future

Development Roadmap

MimiPenguin is slowly being ported to multiple languages to support all possible post-exploit scenarios. The roadmap below was suggested by KINGSABRI to track the various versions and features. An "X" denotes full support while a "~" denotes a feature with known bugs.

Feature	.sh	.py
GDM password (Kali Desktop, Debian Desktop)	~	X
Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop)	X	X
VSFTPd (Active FTP Connections)	X	X
Apache2 (Active HTTP Basic Auth Sessions)	~	~
OpenSSH (Active SSH Sessions - Sudo Usage)	~	~

Download mimipenguin

Read More

SSLsplit - transparent SSL/TLS interception

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. It is intended to be useful for network forensics, application security analysis and penetration testing.

SSLsplit is designed to transparently terminate connections that are redirected to it using a network address translation engine. SSLsplit then terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. Besides NAT based operation, SSLsplit also supports static destinations and using the server name indicated by SNI as upstream destination. SSLsplit is purely a transparent proxy and cannot act as a HTTP or SOCKS proxy configured in a browser.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. Depending on the version of OpenSSL built against, SSLsplit supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL 2.0 as well.

For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, mimicking the original server certificate's subject DN, subjectAltName extension and other characteristics. SSLsplit has the ability to use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates but otherwise does not implement exploits against specific certificate verification vulnerabilities in SSL/TLS stacks.

SSLsplit implements a number of defences against mechanisms which would normally prevent MitM attacks or make them more difficult. SSLsplit can deny OCSP requests in a generic way. For HTTP and HTTPS connections, SSLsplit removes response headers for HPKP in order to prevent public key pinning, for HSTS to allow the user to accept untrusted certificates, and Alternate Protocols to prevent switching to QUIC/SPDY. HTTP compression, encodings and keep-alive are disabled to make the logs more readable.

As an experimental feature, SSLsplit supports STARTTLS and similar mechanisms, where a protocol starts on a plain text TCP connection and is later upgraded to SSL/TLS through protocol-specific means, such as the STARTTLS command in SMTP. SSLsplit supports generic upgrading of TCP connections to SSL.

See the manual page sslsplit(1) for details on using SSLsplit and setting up the various NAT engines.

Requirements

SSLsplit depends on the OpenSSL and libevent 2.x libraries. The build depends on GNU make and a POSIX.2 environment in PATH . If available, pkg-config is used to locate and configure the dependencies. The optional unit tests depend on the check library.

SSLsplit currently supports the following operating systems and NAT mechanisms:

• FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr
• OpenBSD: pf rdr-to and divert-to
• Linux: netfilter REDIRECT and TPROXY
• Mac OS X: pf rdr and ipfw fwd

Support for local process information ( -i ) is currently available on Mac OS X and FreeBSD.

SSL/TLS features and compatibility greatly depend on the version of OpenSSL linked against; for optimal results, use a recent release of OpenSSL proper. OpenSSL forks like LibreSSL and BoringSSL may or may not work.

Installation
With OpenSSL, libevent 2.x, pkg-config and check available, run:

make
make test       # optional unit tests
make install    # optional install

Dependencies are autoconfigured using pkg-config. If dependencies are not picked up and fixing PKG_CONFIG_PATH does not help, you can specify their respective locations manually by setting OPENSSL_BASE , LIBEVENT_BASE and/or CHECK_BASE to the respective prefixes.
You can override the default install prefix ( /usr/local ) by setting PREFIX . For more build options see GNUmakefile .

Download SSLsplit

Read More

Stitch - Python Remote Administration Tool (RAT)

This is a cross platform python framework which allows you to build custom payloads for Windows, Mac OSX and Linux as well. You are able to select whether the payload binds to a specific IP and port, listens for a connection on a port, option to send an email of system info when the system boots, and option to start keylogger on boot. Payloads created can only run on the OS that they were created on.

Features

Cross Platform Support

• Command and file auto-completion
• Antivirus detection
• Able to turn off/on display monitors
• Hide/unhide files and directories
• View/edit the hosts file
• View all the systems environment variables
• Keylogger with options to view status, start, stop and dump the logs onto your host system
• View the location and other information of the target machine
• Execute custom python scripts which return whatever you print to screen
• Screenshots
• Virtual machine detection
• Download/Upload files to and from the target system
• Attempt to dump the systems password hashes
• Payloads' properties are "disguised" as other known programs

Windows Specific

• Display a user/password dialog box to obtain user password
• Dump passwords saved via Chrome
• Clear the System, Security, and Application logs
• Enable/Disable services such as RDP,UAC, and Windows Defender
• Edit the accessed, created, and modified properties of files
• Create a custom popup box
• View connected webcam and take snapshots
• View past connected wifi connections along with their passwords
• View information about drives connected
• View summary of registry values such as DEP

Mac OSX Specific

• Display a user/password dialog box to obtain user password
• Change the login text at the user's login screen
• Webcam snapshots

Mac OSX/Linux Specific

• SSH from the target machine into another host
• Run sudo commands
• Attempt to bruteforce the user's password using the passwords list found in Tools/
• Webcam snapshots? (untested on Linux)

Implemented Transports
All communication between the host and target is AES encrypted. Every Stitch program generates an AES key which is then put into all payloads. To access a payload the AES keys must match. To connect from a different system running Stitch you must add the key by using the showkey command from the original system and the addkey command on the new system.

Implemented Payload Installers
The "stitchgen" command gives the user the option to create NSIS installers on Windows and Makeself installers on posix machines. For Windows, the installer packages the payload and an elevation exe ,which prevents the firewall prompt and adds persistence, and places the payload on the system. For Mac OSX and Linux, the installer places the payload and attempts to add persistence. To create NSIS installers you must download and install NSIS.

Wiki

• Crash Course of Stitch

Requirements

• Python 2.7

For easy installation run the following command that corresponds to your OS:

# for Windows
pip install -r win_requirements.txt

# for Mac OSX
pip install -r osx_requirements.txt

# for Linux
pip install -r lnx_requirements.txt

• Pycrypto
• Requests
• Colorama
• PIL

Windows Specific

• Py2exe
• pywin32

Mac OSX Specific

• PyObjC

Mac OSX/Linux Specific

• PyInstaller
• pexpect

To Run

python main.py
or
./main.py

Motivation
My motivation behind this was to advance my knowledge of python, hacking, and just to see what I could accomplish. Was somewhat discouraged and almost abandoned this project when I found the amazing work done by n1nj4sec , but still decided to put this up since I had already come so far.

Other open-source Python RATs for Reference

• vesche/basicRAT
• n1nj4sec/pupy

Screenshots

Download Stitch

Read More

crackle - Crack Bluetooth Smart (BLE) Encryption

crackle cracks BLE Encryption (AKA Bluetooth Smart).

crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected.

With the STK and LTK, all communications between the master and the slave can be decrypted.

Before attempting to use crackle, review the FAQ to determine whether it is the appropriate tool to use in your situation.

crackle was written by Mike Ryan mikeryan@lacklustre.net See web site for more info: http://lacklustre.net/projects/crackle/

Modes of Operation

crackle has two major modes of operation: Crack TK and Decrypt with LTK.

Crack TK

This is the default mode used when providing crackle with an input file using -i .

In Crack TK mode, crackle brute forces the TK used during a BLE pairing event. crackle exploits the fact that the TK in Just Works(tm) and 6-digit PIN is a value in the range [0,999999] padded to 128 bits.

crackle employs several methods to perform this brute force: a very fast method if all pairing packets are present in the input file, and a slow method if a minimum set of packets is present.

To use this mode, launch crackle with an input PCAP or PcapNG file containing one or more connections with a BLE pairing conversation. crackle will analyze all connections, determine whether it is possible to crack a given connection, and automatically choose the best strategy to crack each one.

If the TK successfully cracks, crackle will derive the remaining keys used to encrypt the rest of the connection and will decrypt any encrypted packets that follow. If the LTK is exchanged (typically the first thing done after encryption is established) crackle will output this value to stdout. The LTK can be used to decrypt any future communications between the two endpoints.

Provide crackle with an output file using -o to create a new PCAP file containing the decrypted data (in addition to the already unencrypted data).

Example usage:

$ crackle -i input.pcap -o decrypted.pcap

Decrypt with LTK
In Decrypt with LTK mode, crackle uses a user-supplied LTK to decrypt communications between a master and slave. This mode is identical to the decryption portion of Crack TK mode.
Example usage:

$ crackle -i encrypted.pcap -o decrypted.pcap -l 81b06facd90fe7a6e9bbd9cee59736a7

Running Crackle

Crack TK Mode
In Crack TK mode, crackle requires a PCAP file that contains a BLE pairing event. The best way to generate such a file is to use an Ubertooth to capture a pairing event between a master and a slave.
To check if your PCAP file contains all the necessary packets, run crackle with the -i option:

crackle -i <file.pcap>

crackle will analyze each connection in the input file and output the results of its analysis to stdout. If you have all the components of a pairing conversation, the output will look like this:

Analyzing connection 0:
  xx:xx:xx:xx:xx:xx (public) -> yy:yy:yy:yy:yy:yy (public)
  Found 13 encrypted packets

  Cracking with strategy 0, 20 bits of entropy

  !!!
  TK found: 412741
  !!!

  Decrypted 12 packets
  LTK found: 81b06facd90fe7a6e9bbd9cee59736a7

Specify an output file with -o to decrypt packets!

To decrypt all packets, add the -o option:

crackle -i <file.pcap> -o <output.pcap>

The output file will contain decrypted versions of all the encrypted packets from the original PCAP, as well as all the unencrypted packets. Note that CRCs are not recalculated, so the CRCs of decrypted packets will be incorrect.

Decrypt with LTK
In Decrypt with LTK mode, crackle requires a PCAP file that contains at a minimum LL_ENC_REQ and LL_ENC_RSP packets and the LTK used to encrypt the communications.
The format for LTK is a 128 bit hexadecimal number with no spaces or separators, most-significant octet to least-significant octet. Example:

-l 81b06facd90fe7a6e9bbd9cee59736a7

To check if your PCAP file contains all the necessary packets, run crackle with -i and -l:

crackle -i <file.pcap> -l <ltk>

If you have both of the required packets, the program should produce output similar to this:

Analyzing connection 0:
  xx:xx:xx:xx:xx:xx (public) -> yy:yy:yy:yy:yy:yy (public)
  Found 9 encrypted packets
  Decrypted 6 packets

Specify an output file with -o to decrypt packets!

To decrypt all packets, add the -o option:

crackle -i <file.pcap> -o <out.pcap> -l <ltk>

The output file will be produced similarly to the output file described above.

Sample Files
The test files included in the tests directory serve as interesting input for playing with crackle. Review the README files included in each test's subdirectory.
Grab some sample files for cracking with crackle. Refer to the README inside the tarball for more information:
https://lacklustre.net/bluetooth/crackle-sample.tgz

Frequently Asked Questions
We have compiled a list of Frequently Asked Questions .

See Also

• Ubertooth: http://ubertooth.sourceforge.net/
• libbtbb: http://libbtbb.sourceforge.net/
• #ubertooth on irc.freenode.net

Download crackle

Read More

mongoaudit - A Powerful MongoDB Auditing and Pentesting Tool

mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing.

Installing with pip

This is the recommended installation method in case you have python and pip .

pip install mongoaudit

Alternative installer

Use this if and only if python and pip are not available on your platform.

curl -s https://mongoaud.it/install | bash

^{works on Mac OS X, GNU/Linux and Bash for Windows 10}
If you are serious about security you should always use the PIP installer or, better yet, follow best security practices: clone this repository, check the source code and only then run it with python mongoaudit .

Introduction

It is widely known that there are quite a few holes in MongoDB's default configuration settings. This fact, combined with abundant lazy system administrators and developers, has led to what the press has called the MongoDB apocalypse .
mongoaudit not only detects misconfigurations, known vulnerabilities and bugs but also gives you advice on how to fix them, recommends best practices and teaches you how to DevOp like a pro!
This is how the actual app looks like:

Yep, that's material design on a console line interface. (Powered by urwid )

Supported tests

• MongoDB listens on a port different to default one
• Server only accepts connections from whitelisted hosts / networks
• MongoDB HTTP status interface is not accessible on port 28017
• MongoDB is not exposing its version number
• MongoDB version is newer than 2.4
• TLS/SSL encryption is enabled
• Authentication is enabled
• SCRAM-SHA-1 authentication method is enabled
• Server-side Javascript is forbidden
• Roles granted to the user only permit CRUD operations *
• The user has permissions over a single database *
• Security bug CVE-2015-7882
• Security bug CVE-2015-2705
• Security bug CVE-2014-8964
• Security bug CVE-2015-1609
• Security bug CVE-2014-3971
• Security bug CVE-2014-2917
• Security bug CVE-2013-4650
• Security bug CVE-2013-3969
• Security bug CVE-2012-6619
• Security bug CVE-2013-1892
• Security bug CVE-2013-2132

Tests marked with an asterisk ( * ) require valid authentication credentials.

How can I best secure my MongoDB?

Once you run any of the test suites provided by mongoaudit , it will offer you to receive a fully detailed report via email. This personalized report links to a series of useful guides on how to fix every specific issue and how to harden your MongoDB deployments.
For your convenience, we have also published the mongoaudit guides in our Medium publication .

Disclaimer

"With great power comes great responsibility"

• Never use this tool on servers you don't own. Unauthorized access to strangers' computer systems is a crime in many countries.
• Please use this tool is at your own risk. We will accept no liability for any loss or damage which you may incur no matter how caused.
• Don't be evil!

Download mongoaudit

Read More