mimipenguin - A Tool To Dump The Login Password From The Current Linux User

A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.

Details

Takes advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word's probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.

Requires

• root permissions

Supported/Tested Systems

• Kali 4.3.0 (rolling) x64 (gdm3)
• Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
• Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
• XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3-0ubuntu2)
• Archlinux x64 Gnome 3 (Gnome Keyring 3.20)
• VSFTPd 3.0.3-8+b1 (Active FTP client connections)
• Apache2 2.4.25-3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
• openssh-server 1:7.3p1-1 (Active SSH connections - sudo usage)

Notes

• Password moves in memory - still honing in on 100% effectiveness
• Plan on expanding support and other credential locations
• Working on expanding to non-desktop environments
• Known bug - sometimes gcore hangs the script, this is a problem with gcore
• Open to pull requests and community research
• LDAP research (nscld winbind etc) planned for future

Development Roadmap

MimiPenguin is slowly being ported to multiple languages to support all possible post-exploit scenarios. The roadmap below was suggested by KINGSABRI to track the various versions and features. An "X" denotes full support while a "~" denotes a feature with known bugs.

Feature	.sh	.py
GDM password (Kali Desktop, Debian Desktop)	~	X
Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop)	X	X
VSFTPd (Active FTP Connections)	X	X
Apache2 (Active HTTP Basic Auth Sessions)	~	~
OpenSSH (Active SSH Sessions - Sudo Usage)	~	~

Download mimipenguin

Read More

[Responder] a LLMNR and NBT-NS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server

Responder is a LLMNR and NBT-NS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

This tool is first an LLMNR and NBT-NS responder, it will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answers to File Server Service request, which is for SMB. The concept behind this, is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option to "On" via command line if you want this tool to answer to the Workstation Service request name suffix.

FEATURES

• Built-in SMB Auth server. Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set to On. This functionality is enabled by default when the tool is launched.
• Built-in MSSQL Auth server. In order to redirect SQL Authentication to this tool, you will need to set the option -r to On(NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.
• Built-in HTTP Auth server. In order to redirect HTTP Authentication to this tool, you will need to set the option -r to On for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can now send your custom files to a victim.
• Built-in HTTPS Auth server. In order to redirect HTTPS Authentication to this tool, you will need  to set the -r option to On for Windows versions older than Vista (NBT-NS  queries for HTTP server lookups are sent using the Workstation Service  name suffix). For Vista and higher, LLMNR will be used. This server  supports NTLMv1, NTLMv2, and Basic Authentication. This server  was successfully tested on IE 6 to IE 10, Firefox, Chrome, and Safari.  The folder Cert/ was added and contain 2 default keys, including a dummy  private key. This is intentional, the purpose is to have Responder  working out of the box. A script was added in case you need to generate  your own self signed key pair.
• Built-in LDAP Auth server. In order to redirect LDAP Authentication to this tool, you will need to set the option -r to On for Windows version older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.
• Built-in FTP Auth server. This module will collect FTP clear text credentials.
• Built-in small DNS server. This server will answer type A queries. This is really handy when it's combined with ARP spoofing.
• All hashes are printed to stdout and dumped in an unique file John Jumbo compliant, using this format: (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt The file will be located in the current folder.
• Responder will logs all its activity to a file Responder-Session.log.
• When the option -f is set to "On", Responder will fingerprint every host who issued an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode.
• Browser Listener finds the PDC in stealth mode.
• Icmp Redirect for MITM on Windows XP/2003 and earlier Domain members. This attack combined with the DNS module is pretty effective.
• WPAD rogue transparent proxy server. This module will capture all HTTP requests from anyone launching Internet Explorer on the network. This module is higly effective. You can now send your custom Pac script to a victim and inject HTML into the server's responses. See Responder.conf. This module is now enabled by default.
• Analyze mode: This module allows you to see NBT-NS, BROWSER, LLMNR requests from which workstation to which workstation without poisoning any requests. Also, you can map domains, MSSQL servers, workstations passively, see if ICMP Redirects attacks are plausible on your subnet.
• Responder is now using a configuration file. See Responder.conf.
• Built-in POP3 auth server. This module will collect POP3 plaintext credentials
• Built-in SMTP auth server. This module will collect PLAIN/LOGIN clear text credentials.
  
  

CONSIDERATIONS

• This tool listen on several port: UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, TCP 80, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587 and Multicast UDP 5553. If you run Samba on your system, stop smbd and nmbd and all other services listening on these ports. For Ubuntu users: Edit this file /etc/NetworkManager/NetworkManager.conf and comment the line : "dns=dnsmasq". Then kill dnsmasq with this command (as root): killall dnsmasq -9
• Any rogue server can be turn off in Responder.conf.
• You can set a network interface via command line switch -I. Default is all.
• This tool is not meant to work on Windows.

Download Responder

Read More

[Ncrack] High-Speed Network Authentication Cracker

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack's features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap's and many more. Protocols supported include RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet.

Ncrack was started as a "Google Summer of Code" Project in 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. It is released as a standalone tool and can be downloaded from the section below. Be sure to read the Ncrack man page to fully understand Ncrack usage. If you are a developer and want to write your own Ncrack modules, studying the Ncrack Developer's Guide would be the first step.

Download Ncrack

Read More

[AFF v0.1] Anonymous FTP Finder

Anonymous FTP Scanner (AFF) is a Security tool for penetration testers, network admins etc.

The tool is written in Python with wxPython as GUI and compiled with Py2exe.

AFF can scan large networks for Anonymous FTP Servers and regular FTP:s. Example of Anonymous FTP Server is network equipment, Multi Function Printers (MFP:s) etc. AFF can test if Anonymous FTP access can be used to store data. For example, hackers store/hide Trojans and other hacking tools in Anonymous FTP access.

Download Anonymous FTP Finder

Read More

[Filezilla Password Decryptor] FileZilla Password Recovery Software

Filezilla Password Decryptor is the FREE software to instantly recover FTP login passwords stored by FileZilla - most popular FREE FTP client application.

FileZilla stores the password for all the past FTP sessions in user profile location so that user don't have to enter it every time. FilezillaPasswordDecryptor makes it easy to quickly scan & recover all these stored FTP login passwords.

It presents both GUI as well as command line interface which will be useful for penetration testers & Forensic investigators. 

You can either use it to automatically recover the stored passwords from local system or recover passwords from remote machine by manually feeding FileZilla profile file.  

Features

•  Instantly scan and recover all stored FTP login passwords from FileZilla.


•  Comes with both GUI interface & Command-line version.


•  Useful for Penetration testers as well as Forensic investigators.


•  Recover FileZilla passwords from local as well as remote system.


•  Back up the recovered Filezilla password list to HTML/XML/TEXT/CSV file


•  Easier and faster to use with its enhanced user friendly GUI interface.


•  Support for local Installation and uninstallation of the software.

Download Filezilla Password Decryptor

Read More

[WS_FTP Password Decryptor] Recover FTP login passwords stored by WS_FTP

WS_FTP Password Decryptor is the FREE software to instantly recover FTP login passwords stored by WS_FTP - one of the popular FTP client application.

WS_FTP stores the password for all the past FTP sessions in the "ws_ftp.ini" file so that user don't have to enter it every time. WS_FTP Password Decryptor makes it easy to quickly scan & decrypt all these encrypted FTP login passwords. 

It presents both GUI as well as command line interface which will be useful for Penetration Testers & Forensic investigators.  You can either use it to automatically recover the stored passwords from local system or recover passwords from remote machine by manually feeding WS_FTP "ws_ftp.ini" file.

It works on most of the Windows platforms starting from Windows XP to latest operating system, Windows 8.

Features

Here are main features of WS_FTP Password Decryptor

Instantly scan and recover all stored FTP login passwords from WS_FTP.  Comes with both GUI interface & Command-line version.  Useful for Penetration testers as well as Forensic investigators.  Recover WS_FTP passwords from local as well as remote system.  Save the recovered password list to HTML file for transferring to other system or for future use.  Easier and faster to use with its enhanced user friendly GUI interface.  Support for local Installation and uninstallation of the software.

Screenshots

Here are the screenshots of WS_FTPPasswordDecryptor

Screenshot 1:WS_FTP Password Decryptor is showing the recovered ftp login passwords. Passwords are not shown being sensitive data, you can turn on by clicking on 'Show Password' button below.

Screenshot 2:  Command line usage of WS_FTPPasswordDecryptor showing various examples.

Screenshot 3:  Exported list of of recovered ftp login passwords by WS_FTPPasswordDecryptor in HTML format.

FREE Download WS_FTP Password Decryptor v1.5   License  : Freeware Platform : Windows XP, 2003, Vista, Windows 7, Windows 8

Read More

[FTP Password Kracker] Crack FTP password

FTP Password Kracker is a free software to recover your lost FTP password directly from server. It uses brute-force password cracking method based on universal FTP protocol and can recover password from any FTP server.

It automatically detects and alerts you if the target FTP server allows any Anonymous (without password) connections. In case your FTP server is running on different port (other than port 21) then you can easily specify the same in the tool along with server IP address.

By default it includes sample dictionary (password list) file for password cracking. However you can find good collection of password dictionaries (also called wordlists) here & here.

If your password is complex then you can use tools like Crunch, Cupp to generate brute-force based or any custom password list file and then use it with 'FTP Password Kracker'.

For penetration testers and forensic investigators, it can be very handy tool in discovering poorly configured FTP accounts.

It works on both 32 bit & 64 bit windows systems starting from Windows XP to Windows 8.

Here are the main benefits of FTP Password Kracker:

• Free tool to recover the lost FTP password
• Works against any FTP server.
• Automatically remembers last used settings
• Option to specify non-standard FTP port.
• Uses siimple & quicker Dictionary Crack method
• Displays detailed statistics during Cracking operation
• Stop the password cracking operation any time.
• Generate Password Recovery report in HTML/XML/TEXT format.
• Includes Installer for local Installation & Uninstallation.

How to use? 

It is very easy to use tool for any generation of users.

Here are simple steps:

• Install 'FTP Password Kracker' on any system.
• Enter the IP Address & Port number (default 21) of the FTP Server.
• Then enter the username (Example: admin, anonymous etc)
• Next select the password dictionary file by clicking on Browse button or simply drag & drop it. You can find a sample dictionary file in the installed location.
• Finally click on 'Start Crack' to start the FTP Password recovery.
• During the operation, you will see all statistics being displayed on the screen. Message box will be displayed on success.
• At the end, you can generate detailed report in HTML/XML/Text format by clicking on 'Report' button and then select the type of file from the drop down box of 'Save File Dialog'.

Download FTP Password Kracker
License  : Freeware
Platform : Windows XP, 2003, Vista, Win7, Win8
More Info

Read More