Showing posts with label Toolkit. Show all posts

PRET - Printer Exploitation Toolkit


PRET is a new tool for printer security testing developed in the scope of a Master's Thesis at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer's file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Installation
PRET only requires a Python2 interpreter. For colored output and SNMP support however, third party modules need to be installed:
# pip install colorama pysnmp
If running on a Windows console and Unicode characters are not displayed correctly, install the win_unicode_console module:
# pip install win_unicode_console
For experimental, ‘driverless’ printing (see print command), ImageMagick and GhostScript need to be installed:
# apt-get install imagemagick ghostscript

Usage
usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}

positional arguments:
target printer device or hostname
{ps,pjl,pcl} printing language to abuse

optional arguments:
-h, --help show this help message and exit
-s, --safe verify if language is supported
-q, --quiet suppress warnings and chit-chat
-d, --debug enter debug mode (show traffic)
-i file, --load file load and run commands from file
-o file, --log file log raw data sent to the target

Example usage:
$ ./pret.py laserjet.lan ps
$ ./pret.py /dev/usb/lp0 pjl

Positional Arguments:
PRET requires a valid target and a printer language as arguments. The target can either be the IP address/hostname of a network printer (with port 9100/tcp open) or a device like /dev/usb/lp0 for a local USB printer. To quickly discover all network printers in your subnet using SNMP broadcast, simply run PRET without arguments:
./pret.py
No target given, discovering local printers

address device uptime status
───────────────────────────────────────────────────────────────────────────────
192.168.1.5 hp LaserJet 4250 10:21:49 Ready
192.168.1.11 HP LaserJet M3027 MFP 13 days Paper jam
192.168.1.27 Lexmark X792 153 days Ready
192.168.1.28 Brother MFC-7860DW 16:31:17 Sleep mode
The printer language to be abused must be one of ps, pjl or pcl. Not all languages are supported by every printer, so you may want to switch languages if you don't receive any feedback. Each printer language is mapped to a different set of PRET commands and has different capabilities to exploit.

Optional Arguments:
--safe tries to check via IPP, HTTP and SNMP if the selected printing language (PS/PJL/PCL) is actually supported by the device before connecting. On non-networked printers (USB, parallel cable) this test will fail.
--quiet suppresses printer model determination, intro message and some other chit-chat.
--debug shows the datastream actually sent to the device and the feedback received. Note that header data and other overhead is filtered. To see the whole traffic, use wireshark. Debugging can also be switched on/off within a PRET session using the debug command.
--load filename reads and executes PRET commands from a text file. This is useful for automation. Command files can also be invoked later within a PRET session via the load command.
--log filename writes a copy of the raw datastream sent to the printer into a file. This can be useful to build a malicious print job file which can be deployed on another printer not directly reachable, for example by printing it from USB drive.

Generic Commands
After connecting to a printer device, you will see the PRET shell and can execute various commands:
$ ./pret.py laserjet.lan pjl
________________
_/_______________/|
/___________/___//|| PRET | Printer Exploitation Toolkit v0.25
|=== |----| || by Jens Mueller <jens.a.mueller@rub.de>
| | ô| ||
|___________| ô| ||
| ||/.´---.|| | || 「 cause your device can be
|-||/_____\||-. | |´ more fun than paper jams 」
|_||=L==H==||_|__|/

(ASCII art by
Jan Foerster)

Connection to laserjet.lan established
Device: hp LaserJet 4250

Welcome to the pret shell. Type help or ? to list commands.
laserjet.lan:/> help

Available commands (type help <topic>):
=======================================
append debug edit free id ls open restart timeout
cat delete env fuzz info mirror printenv selftest touch
cd df exit get load mkdir put set traversal
chvol disable find help lock nvram pwd site unlock
close display format hold loop offline reset status version

laserjet.lan:/> ls ../../
- 834 .profile
d - bin
d - dev
d - etc
d - hp
d - hpmnt
- 1276 init
d - lib
d - pipe
d - tmp
laserjet.lan:/> exit
A list of generic PRET commands is given below:
help      List available commands or get detailed help with 'help cmd'.
debug Enter debug mode. Use 'hex' for hexdump: debug [hex]
load Run commands from file: load cmd.txt
loop Run command for multiple arguments: loop <cmd> <arg1> <arg2> …
open Connect to remote device: open <target>
close Disconnect from device.
timeout Set connection timeout: timeout <seconds>
discover Discover local printer devices via SNMP.
print Print image file or raw text: print <file>|"text"
site Execute custom command on printer: site <command>
exit Exit the interpreter.
Generic file system operations with a PS/PJL/PCL specific implementation are:
┌───────────┬─────┬─────┬─────┬────────────────────────────────────────┐
│ Command │ PS │ PJL │ PCL │ Description │
├───────────┼─────┼─────┼─────┼────────────────────────────────────────┤
│ ls │ ✓ │ ✓ │ ✓ │ List contents of remote directory. │
│ get │ ✓ │ ✓ │ ✓ │ Receive file: get <file> │
│ put │ ✓ │ ✓ │ ✓ │ Send file: put <local file> │
│ append │ ✓ │ ✓ │ │ Append to file: append <file> <str> │
│ delete │ ✓ │ ✓ │ ✓ │ Delete remote file: delete <file> │
│ rename │ ✓ │ │ │ Rename remote file: rename <old> <new> │
│ find │ ✓ │ ✓ │ │ Recursively list directory contents. │
│ mirror │ ✓ │ ✓ │ │ Mirror remote filesystem to local dir. │
│ cat │ ✓ │ ✓ │ ✓ │ Output remote file to stdout. │
│ edit │ ✓ │ ✓ │ ✓ │ Edit remote files with vim. │
│ touch │ ✓ │ ✓ │ │ Update file timestamps: touch <file> │
│ mkdir │ ✓ │ ✓ │ │ Create remote directory: mkdir <path> │
├───────────┼─────┼─────┼─────┼────────────────────────────────────────┤
│ cd │ ✓ │ ✓ │ │ Change remote working directory. │
│ pwd │ ✓ │ ✓ │ │ Show working directory on device. │
│ chvol │ ✓ │ ✓ │ │ Change remote volume: chvol <volume> │
│ traversal │ ✓ │ ✓ │ │ Set path traversal: traversal <path> │
├───────────┼─────┼─────┼─────┼────────────────────────────────────────┤
│ format │ ✓ │ ✓ │ │ Initialize printer's file system. │
│ fuzz │ ✓ │ ✓ │ │ File system fuzzing: fuzz <category> │
├─ ─ ─ ─ ─ ─┴─ ─ ─┴─ ─ ─┴─ ─ ─┴─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤
│ path - Explore fs structure with path traversal strategies. │
│ write - First put/append file, then check for its existence. │
│ blind - Read-only tests for existing files like /etc/passwd. │
├───────────┬─────┬─────┬─────┬────────────────────────────────────────┤
│ df │ ✓ │ ✓ │ │ Show volume information. │
│ free │ ✓ │ ✓ │ ✓ │ Show available memory. │
└───────────┴─────┴─────┴─────┴────────────────────────────────────────┘

Commands in PS mode
id         Show device information.
version Show PostScript interpreter version.
devices Show available I/O devices.
uptime Show system uptime (might be random).
date Show printer's system date and time.
pagecount Show printer's page counter.

lock Set startjob and system parameters password.
unlock Unset startjob and system parameters password.
restart Restart PostScript interpreter.
reset Reset PostScript settings to factory defaults.
disable Disable printing functionality.
destroy Cause physical damage to printer's NVRAM.
hang Execute PostScript infinite loop.

overlay Put overlay eps file on all hardcopies: overlay <file.eps>
cross Put printer graffiti on all hardcopies: cross <font> <text>
replace Replace string in documents to be printed: replace <old> <new>
capture Capture further jobs to be printed on this device.
hold Enable job retention.

set Set key to value in topmost dictionary: set <key=value>
known List supported PostScript operators: known <operator>
search Search all dictionaries by key: search <key>
dicts Return a list of dictionaries and their permissions.
resource List or dump PostScript resource: resource <category> [dump]

dump Dump dictionary: dump <dict>
Dictionaries: - systemdict - statusdict - userdict
- globaldict - serverdict - errordict
- internaldict - currentsystemparams
- currentuserparams - currentpagedevice

config Change printer settings: config <setting>
duplex - Set duplex printing.
copies # - Set number of copies.
economode - Set economic mode.
negative - Set negative print.
mirror - Set mirror inversion.
Not all commands are supported by every printer. Especially Brother and Kyocera devices use their own PostScript clones – Br-Script and KPDL – instead of licensing original ‘Adobe PostScript’. Such flavours of the PostScript language may not be 100% compatible, especially concerning security sensitive features like capturing print jobs. Access to the file system is supported by most printers, however usually limited to a certain, sandboxed directory.

Commands in PJL mode
id         Show device information.
status Enable status messages.
version Show firmware version or serial number (from 'info config').
pagecount Manipulate printer's page counter: pagecount <number>
printenv Show printer environment variable: printenv <VAR>
env Show environment variables (alias for 'info variables').
set Set printer environment variable: set <VAR=VALUE>

display Set printer's display message: display <message>
offline Take printer offline and display message: offline <message>
restart Restart printer.
reset Reset to factory defaults.
selftest Perform various printer self-tests.
disable Disable printing functionality.
destroy Cause physical damage to printer's NVRAM.
flood Flood user input, may reveal buffer overflows.

lock Lock control panel settings and disk write access.
unlock Unlock control panel settings and disk write access.
hold Enable job retention.

nvram NVRAM operations: nvram <operation>
nvram dump [all] - Dump (all) NVRAM to local file.
nvram read addr - Read single byte from address.
nvram write addr value - Write single byte to address.

info Show information: info <category>
info config - Provides configuration information.
info filesys - Returns PJL file system information.
info id - Provides the printer model number.
info memory - Identifies amount of memory available.
info pagecount - Returns the number of pages printed.
info status - Provides the current printer status.
info ustatus - Lists the unsolicited status variables.
info variables - Lists printer's environment variables.
Some commands are supported exclusively by HP printers, because other vendors have only implemented a subset of the PJL standard. This is especially true for PML based commands like restart or reset. Enabling long-term job retention via the hold command seems to be possible for some Epson devices only. NVRAM access via the nvram command is a proprietary feature of Brother printers. Limited access to the file system is supported by various HP, OKI, Konica, Xerox, Epson and Ricoh devices.
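The --log option described above writes the raw datastream PRET sends to the printer. The following parser, an added example that is not part of PRET, walks such a stream (or a capture of port 9100 traffic) and reports which PJL command families it carries, so that file system, NVRAM-style or control-panel operations can be spotted in a job that should contain nothing but print data. The command names are standard PJL; the grouping into categories and the sample job are constructed for this example.

```python
"""Classify the PJL commands found in a raw port-9100 job stream."""
import re

UEL = b"\x1b%-12345X"  # Universal Exit Language sequence framing a PJL job

# Standard PJL command names; the grouping into risk categories is ours.
CATEGORIES = {
    "filesystem": {"FSQUERY", "FSDIRLIST", "FSUPLOAD", "FSDOWNLOAD",
                   "FSDELETE", "FSMKDIR", "FSAPPEND", "FSINIT"},
    "panel": {"RDYMSG", "OPMSG", "STMSG"},
    "config": {"DEFAULT", "SET", "INITIALIZE", "RESET"},
    "query": {"INFO", "INQUIRE", "DINQUIRE", "ECHO", "USTATUS", "USTATUSOFF"},
}

PJL_LINE = re.compile(rb"@PJL\s*(\w*)\s*(.*)")


def parse_pjl_stream(data: bytes):
    """Return a list of (command, arguments) tuples found in the stream.

    The binary payload announced by SIZE=n after FSDOWNLOAD/FSAPPEND is
    skipped, so bytes inside an uploaded file are never misread as commands.
    """
    commands = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\n", pos)
        if end == -1:
            end = len(data)
        line = data[pos:end].rstrip(b"\r").replace(UEL, b"")  # UEL may be glued to @PJL
        pos = end + 1
        m = PJL_LINE.match(line)
        if not m or not m.group(1):          # bare "@PJL" line or non-PJL data
            continue
        cmd = m.group(1).decode("ascii", "replace").upper()
        args = m.group(2).decode("latin-1").strip()
        commands.append((cmd, args))
        if cmd in ("FSDOWNLOAD", "FSAPPEND"):
            size = re.search(r"SIZE\s*=\s*(\d+)", args)
            if size:
                pos += int(size.group(1))    # jump over the raw file payload
    return commands


def classify(commands):
    """Bucket parsed commands by category; anything unknown lands in 'other'."""
    report = {name: [] for name in CATEGORIES}
    report["other"] = []
    for cmd, args in commands:
        for name, members in CATEGORIES.items():
            if cmd in members:
                report[name].append((cmd, args))
                break
        else:
            report["other"].append((cmd, args))
    return report


def suspicious(report):
    """A print job has no business touching files, the panel or settings."""
    return bool(report["filesystem"] or report["panel"] or report["config"])


# Constructed sample job: an info query, a file system probe, an upload whose
# 12-byte payload contains a fake "@PJL RESET" line, and a panel message.
SAMPLE_JOB = (
    UEL + b"@PJL\r\n"
    b"@PJL INFO ID\r\n"
    b'@PJL FSQUERY NAME="0:/etc/passwd"\r\n'
    b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=12 NAME="0:/tmp/x.txt"\r\n'
    b"@PJL RESET\r\n"                      # payload bytes, not a command
    b'@PJL RDYMSG DISPLAY="INSERT COIN"\r\n'
    + UEL
)

if __name__ == "__main__":
    rep = classify(parse_pjl_stream(SAMPLE_JOB))
    for name, items in rep.items():
        for cmd, args in items:
            print(f"{name:10s} {cmd} {args}")
    print("suspicious:", suspicious(rep))
```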

Commands in PCL mode
selftest   Perform printer self-test.
info Show information: info <category>
info fonts - Show installed fonts.
info macros - Show installed macros.
info patterns - Show user-defined patterns.
info symbols - Show symbol sets.
info extended - Show extended fonts.
PCL is a very limited page description language without access to the file system. The get/put/ls commands therefore use a virtual file system based on PCL macros, implemented mostly for the hack value. This proof-of-concept shows that even a device which supports only minimalist languages like PCL can be used to store arbitrary files like copyright infringing material. Although such a file sharing service is not a security vulnerability per se, it might apply as ‘misuse of service’ depending on the corporate policy.

File Listing
  • pret.py - Executable main program
  • capabilities.py - Routines to check for printer language support
  • discovery.py - Routines to list printers using SNMP broadcast
  • printer.py - Generic code to describe a printing device
  • postscript.py - PS specific code (inherits from class printer)
  • pjl.py - PJL specific code (inherits from class printer)
  • pcl.py - PCL specific code (inherits from class printer)
  • helper.py - Help functions for output, logging, sockets, etc.
  • codebook.py - Static table of PJL status/error codes
  • fuzzer.py - Constants for file system fuzzing
  • mibs/* - Printer specific SNMP MIBs
  • db/* - database of supported models
  • lpd/* - Scripts for LPD fuzzing

Getting Started
Given the features and various proprietary extensions in printing languages like PostScript and PJL, conducting a pentest on printers is not a trivial job. PRET can help to assist and verify known issues in the language. Once you have played around with the tool, you may want to perform a systematic printer security analysis. A good starting point is the Printer Security Testing Cheat Sheet.


EAPHammer - Targeted Evil Twin Attacks Against WPA2-Enterprise Networks [Indirect Wireless Pivots Using Hostile Portal Attacks]


EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. To illustrate how fast this tool is, here's an example of how to set up and execute a credential stealing evil twin attack against a WPA2-TTLS network in just two commands:
# generate certificates
./eaphammer --cert-wizard

# launch attack
./eaphammer -i wlan0 --channel 4 --auth ttls --wpa 2 --essid CorpWifi --creds
Leverages a lightly modified version of hostapd-wpe, dnsmasq, dsniff, Responder, and Python 2.7.

Features
  • Steal RADIUS credentials from WPA-EAP and WPA2-EAP networks.
  • Perform hostile portal attacks to steal AD creds and perform indirect wireless pivots
  • Perform captive portal attacks
  • Built-in Responder integration
  • Support for Open networks and WPA-EAP/WPA2-EAP
  • No manual configuration necessary for most attacks.
  • No manual configuration necessary for installation and setup process

Upcoming Features
  • Perform seamless MITM attacks with partial HSTS bypasses
  • Support attacks against WPA-PSK/WPA2-PSK
  • Support for SSID cloaking
  • Generate timed payloads for indirect wireless pivots
  • Integrated PowerShell payload generation
  • impacket integration for SMB relay attacks
  • directed rogue AP attacks (deauth then evil twin from PNL, deauth then karma + ACL)
  • Updated hostapd-wpe that works with the latest version of Hostapd
  • Integrated website cloner for cloning captive portal login pages
  • Integrated HTTP server
Will this tool ever support Karma attacks?
  • At some point yes, but for now the focus has been on directed evil twin attacks.
  • If Karma attacks are like a wireless grenade launcher, this tool is more like an easy-to-use wireless sniper rifle

Setup Guide

Kali Setup Instructions
Begin by cloning the eaphammer repo using the following command.
git clone https://github.com/s0lst1c3/eaphammer.git
Next run the kali-setup.py file as shown below to complete the eaphammer setup process. This will install dependencies and compile hostapd.
python setup.py

Other Distros
If you are not using Kali, you can still compile eaphammer. I just haven't written a setup script for your distro yet, which means you'll have to do it manually. Ask yourself whether you understand the following:
  • python-devel vs python-dev
  • service vs systemctl
  • network-manager vs NetworkManager
  • httpd vs apache2
If you looked at this list and immediately realized that each pair of items was to some extent equivalent (well, except for service vs systemctl, but you catch my drift), you'll probably have no problems getting this package to work on the distro of your choice. If not, please just stick with Kali until support is added for other distros.
With that out of the way, here are the generic setup instructions:
Use your package manager to install each of the dependencies listed in kali-dependencies.txt. Package names can vary slightly from distro to distro, so you may get a "package not found" error or similar. If this occurs, just use Google to find out what the equivalent package is for your distro and install that instead.
Once you have installed each of the dependencies listed in kali-dependencies.txt, you'll need to install some additional packages that ship with Kali by default. These packages are listed below. If you're on a distro that uses httpd instead of apache2, install that instead.
  • dsniff
  • apache2
Compile hostapd using the following commands:
cd hostapd-eaphammer
make
Open config.py in the text editor of your choice and edit the following lines to values that work for your distro:
# change this to False if you cannot/will not use systemd
use_systemd = True

# change this to 'NetworkManager' if necessary
network_manager = 'network-manager'

# change this to 'httpd' if necessary
httpd = 'apache2'

Usage Guide

x.509 Certificate Generation
Eaphammer provides an easy-to-use wizard for generating x.509 certificates. To launch eaphammer's certificate wizard, just use the command shown below.
./eaphammer --cert-wizard

Stealing RADIUS Credentials From EAP Networks
To steal RADIUS credentials by executing an evil twin attack against an EAP network, use the --creds flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth ttls --creds
The flags shown above are self explanatory. For more granular control over the attack, you can use the --wpa flag to specify WPA vs WPA2 and the --auth flag to specify the EAP type. Note that for cred reaping attacks, you should always specify an auth type manually since the --auth flag defaults to "open" when omitted.
./eaphammer --bssid 00:11:22:33:44:00 --essid h4x0r --channel 4 --wpa 2 --auth ttls --interface wlan0 --creds
Please refer to the options described in Additional Options section of this document for additional details about these flags.
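The credential theft described above only works because the client completes the PEAP/TTLS tunnel with whatever certificate the rogue AP presents. The following audit script is an added example, not part of EAPHammer: it parses wpa_supplicant network blocks and reports those WPA-EAP networks that neither pin a CA (ca_cert) nor check the RADIUS server's name (domain_suffix_match, domain_match, subject_match or altsubject_match). The configuration it runs over is constructed for the example.

```python
"""Audit wpa_supplicant.conf for EAP networks that would accept a rogue RADIUS server."""
import re

NETWORK_START = re.compile(r"^\s*network\s*=\s*\{")
KEY_VALUE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"]*)"?\s*$')
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(conf_text):
    """Return one dict per network={...} block, keyed by option name."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if current is None:
            if NETWORK_START.match(line):
                current = {}
            continue
        if line.strip() == "}":
            networks.append(current)
            current = None
            continue
        m = KEY_VALUE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return networks


def audit_network(net):
    """Return findings for one block; an empty list means the server is pinned."""
    findings = []
    key_mgmt = net.get("key_mgmt", "").split()
    if not any(k.startswith("WPA-EAP") or k == "IEEE8021X" for k in key_mgmt):
        return findings  # PSK and open networks are out of scope for this check
    if not net.get("ca_cert"):
        findings.append("no ca_cert: any certificate chain is accepted")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append("no server name check: any certificate from the pinned CA is accepted")
    return findings


def audit(conf_text):
    """Return [(ssid, findings), ...] for every network block in the file."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf_text)]


# Constructed sample: a weak EAP block, a hardened one, and an unrelated PSK network.
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant

# weak: no CA pin, no server name check
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# hardened: CA pinned and RADIUS server name checked
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF):
        print(ssid, "OK" if not findings else "; ".join(findings))
```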

Stealing AD Credentials Using Hostile Portal Attacks
Eaphammer can perform hostile portal attacks that can force LLMNR/NBT-NS enabled Windows clients into surrendering password hashes. The attack works by forcing associations using an evil twin attack, then forcing associated clients to attempt NetBIOS name resolution using a Redirect To SMB attack. While this occurs, eaphammer runs Responder in the background to perform a nearly instantaneous LLMNR/NBT-NS poisoning attack against the affected wireless clients. The result is an attack that causes affected devices to not only connect to the rogue access point, but send NTLM hashes to the rogue access point as well.
The --hostile-portal flag can be used to execute a hostile portal attack, as shown in the examples below.
./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth peap --wpa 2 --hostile-portal

./eaphammer --interface wlan0 --essid TotallyLegit --channel 1 --auth open --hostile-portal

Performing Indirect Wireless Pivots Using Hostile Portal Attacks
The hostile portal attack described in Stealing AD Credentials Using Hostile Portal Attacks can be used to perform an SMB relay attack against the affected devices. An attacker can use a hostile portal attack to perform an SMB relay attack that places a timed reverse shell on an authorized wireless device. The attacker can then disengage the attack to allow the authorized device to reconnect to the targeted network. When the attacker receives the reverse shell, he or she will have the same level of authorization as the authorized device.

Performing Captive Portal Attacks
To perform a captive portal attack using eaphammer, use the --captive-portal flag as shown below.
./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 6 --interface wlan0 --captive-portal
This will cause eaphammer to execute an evil twin attack in which the HTTP(S) traffic of all affected wireless clients are redirected to a website you control. Eaphammer will leverage Apache2 to serve web content out of /var/www/html if used with the default Apache2 configuration. Future iterations of eaphammer will provide an integrated HTTP server and website cloner for attacks against captive portal login pages.

Additional Options
  • --cert-wizard - Use this flag to create a new RADIUS cert for your AP.
  • -h, --help - Display detailed help message and exit.
  • -i, --interface - Specify the PHY interface on which to create your AP.
  • -e ESSID, --essid ESSID - Specify access point ESSID.
  • -b BSSID, --bssid BSSID - Specify access point BSSID.
  • --hw-mode HW-MODE - Specify access point hardware mode (default: g).
  • -c CHANNEL, --channel CHANNEL - Specify access point channel.
  • --wpa {1,2} - Specify WPA type (default: 2).
  • --auth {peap,ttls,open} - Specify auth type (default: open).
  • --creds - Harvest EAP creds using an evil twin attack.
  • --hostile-portal - Force clients to connect to hostile portal.
  • --captive-portal - Force clients to connect to a captive portal.


Leviathan - Wide Range Mass Audit Toolkit


Leviathan is a mass audit toolkit which has wide range service discovery, brute force, SQL injection detection and custom exploit running capabilities. It consists of open source tools such as masscan, ncrack and dsss and gives you the flexibility of using them in combination.
The main goal of this project is auditing as many systems as possible country-wide or in a wide IP range.

Main Features
Discovery: Discover FTP, SSH, Telnet, RDP, MYSQL services running inside a specific country or in an IP range via Shodan, Censys. It's also possible to manually discover running services on an IP range by the integrated “masscan” tool.
Brute Force: You can brute force the discovered services with the integrated “ncrack” tool. It has wordlists which include the most popular combinations and default passwords for specific services.
Remote Command Execution: You can run system commands remotely on compromised devices.
SQL Injection Scanner: Discover SQL injection vulnerabilities on websites with specific country extension or with your custom Google Dork.
Exploit Specific Vulnerabilities: Discover vulnerable targets with Shodan, Censys or masscan and mass exploit them by providing your own exploit or using preincluded exploits.

Integrated Tools
Masscan: It’s a very fast TCP port scanner by Robert David Graham. Leviathan uses masscan for detecting services on a huge IP range. https://github.com/robertdavidgraham/masscan
Ncrack: Ncrack is a high-speed network authentication cracking tool. Leviathan uses ncrack to brute force services such as FTP, SSH, RDP, Telnet, MYSQL etc. https://github.com/nmap/ncrack
DSSS (Damn Small SQLi Scanner): DSSS is a fully functional and minimal SQL injection vulnerability scanner by Miroslav Stampar. Leviathan uses DSSS to identify SQL Injection vulnerabilities on specific URLs. https://github.com/stamparm/DSSS

Installation
For detailed installation, please visit our wiki page.

Kali Linux:
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Install Python libraries:
pip install -r requirements.txt
It's done!

Debian/Ubuntu:
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Run the installation script. It will set up the required tools (ncrack, masscan) and python libraries.
bash scripts/debian_install.sh
It's done!

macOS:
If homebrew is not installed on your system, please install it first:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Download leviathan by cloning the Git repository:
git clone https://github.com/leviathan-framework/leviathan.git
Go inside the folder
cd leviathan
Run the installation script. It will set up the required tools (ncrack, masscan) and python libraries.
bash scripts/macos_install.sh
It's done!

Requirements
Python version 2.7.x is required for running this program.
Supported platforms: Linux (Kali Linux, Debian, Ubuntu), macOS

Usage
Run the program with following command:
python leviathan.py
You can get basic usage information inside the menus. For detailed usage manual, visit our wiki page.


RogueSploit - Powerful social engineering Wi-Fi trap!


RogueSploit is an open source automated script made to create a Fake Access Point, with dhcpd server, dns spoofing, host redirection, browser_autopwn1 or autopwn2 or beef+mitmf.

TO DO LIST:
  • Add BeEF;[DONE]
  • Add MITMF;[DONE]
  • Add BDFProxy;
  • Add SeToolkit;
  • Add Hostapd as fake ap;
  • Add some features;

What you need:

SPARTA - Network Infrastructure Penetration Testing Tool


SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results. Despite the automation capabilities, the commands and tools used are fully customisable as each tester has his own methods, habits and preferences.

Requirements
It is recommended that Kali Linux is used as it already has most tools installed, however SPARTA would most likely also work in Debian based systems.
Kali (preferred):
apt-get install python-elixir
Ubuntu 12.04+ (untested)
apt-get install python-elixir python-qt4 xsltproc
Other than these, the following tools are required for SPARTA to have its minimum functionality:
  • nmap (for adding hosts)
  • hydra (for the brute tab)
  • cutycapt (for screenshots)
In Kali Linux these can be installed with:
apt-get install nmap hydra cutycapt
In Kali, to ensure that you have all the tools used by SPARTA's default configuration use:
apt-get install ldap-utils rwho rsh-client x11-apps finger

Installation
cd /usr/share/
git clone https://github.com/secforce/sparta.git

Place the "sparta" file in /usr/bin/ and make it executable.
Type 'sparta' in any terminal to launch the application.

Source code
The source code is structured in folders as such:
  • [app] - Contains the functionality (logic) as well as the models used by both the logic and gui
  • [controller] - The controller interfaces between the gui and the logic (MVC design)
  • [db] - Contains everything related to database, database tables, etc
  • [doc] - Contains all SPARTA documentation
  • [images] - Icons and images
  • [parsers] - Contains nmap xml output parser files
  • [scripts] - Contains custom scripts used by SPARTA
  • [ui] - Contains the gui (.ui and .py generated by Qt Creator). Do not manually edit these.
  • [wordlists] - Contains wordlists used by SPARTA
  • README.txt - This file.
  • sparta.conf - SPARTA's configuration file. Edit it to add custom tools and commands. If deleted, SPARTA will regenerate a new one.
  • sparta.py - The main program. The one that needs to be executed by the user.


Known issues
SPARTA uses a third-party tool called Cutycapt to take screenshots. One of the problems with the version that is currently in Kali's repositories is that it fails to take screenshots of HTTPS pages when self-signed certificates are in use. A way around this is to compile the Cutycapt executable yourself and edit SPARTA's configuration file to specify the path to the compiled executable.
It can be compiled in Kali by following these instructions:
% sudo apt-get install subversion libqt4-webkit libqt4-dev g++
% svn co svn://svn.code.sf.net/p/cutycapt/code/ cutycapt
% cd cutycapt/CutyCapt
% qmake
% make
% ./CutyCapt --url=http://www.example.org --out=example.png


[IPv6 Toolkit v1.5.2] A security assessment and troubleshooting tool for the IPv6 protocols

A security assessment and troubleshooting tool for the IPv6 protocols.

Changelog v1.5.2

  • Add support for GNU Debian/kfreebsd. The toolkit would not build on GNU Debian/kfreebsd before this release.
  • Add support for TCP/IPv6 probes. tcp6 can now send TCP/IPv6 packets (“--probe-mode” option), and read the TCP response packets, if any. This can be leveraged for port scans, and miscellaneous measurements.
Supported platforms
  • The following platforms are supported: FreeBSD, NetBSD, OpenBSD, Linux, and Mac OS.

List of Tools and Manual Pages

  • flow6: A tool to perform a security assessment of the IPv6 Flow Label.
  • frag6: A tool to perform IPv6 fragmentation-based attacks and to perform a security assessment of a number of fragmentation-related aspects.
  • icmp6: A tool to perform attacks based on ICMPv6 error messages.
  • jumbo6: A tool to assess potential flaws in the handling of IPv6 Jumbograms.
  • na6: A tool to send arbitrary Neighbor Advertisement messages.
  • ni6: A tool to send arbitrary ICMPv6 Node Information messages, and assess possible flaws in the processing of such packets.
  • ns6: A tool to send arbitrary Neighbor Solicitation messages.
  • ra6: A tool to send arbitrary Router Advertisement messages.
  • rd6: A tool to send arbitrary ICMPv6 Redirect messages.
  • rs6: A tool to send arbitrary Router Solicitation messages.
  • scan6: An IPv6 address scanning tool.
  • tcp6: A tool to send arbitrary TCP segments and perform a variety of TCP-based attacks.

[SET v5.2] The Social-Engineer Toolkit "Urban Camping"



The Social-Engineer Toolkit (SET) version 5.2 codename “Urban Camping” has been released. This version adds a complete rewrite of the PowerShell injection techniques within SET and incorporates an automatic process downgrade attack detailed here: https://www.trustedsec.com/may-2013/native-powershell-x86-shellcode-injection-on-64-bit-platforms/. The attack will automatically detect if PowerShell is installed, then detect what platform it's running on. If 64 bit is detected, it will automatically downgrade the process to a 32 bit process for native shellcode injection.
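From the defender's side, the downgrade described above leaves a distinctive trace: the 64-bit powershell.exe under System32 spawning the 32-bit one under SysWOW64. The following detector is an added example, not part of SET; it walks constructed process-creation records (one per line, tab-separated as time, parent image, child image, child command line, a layout assumed for this example) and returns the parent/child pairs that match, noting whether the child was started with an encoded command.

```python
"""Flag 64-bit to 32-bit PowerShell process downgrades in process-creation logs."""

# Paths of the two PowerShell hosts on a 64-bit Windows install.
PS_X64 = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
PS_X86 = r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"


def parse_record(line):
    """Split one tab-separated record; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        return None
    time, parent, child, cmdline = fields
    return {"time": time, "parent": parent.lower(), "child": child.lower(), "cmdline": cmdline}


def is_downgrade(rec):
    """True when 64-bit PowerShell launched the 32-bit PowerShell host."""
    return rec["parent"] == PS_X64 and rec["child"] == PS_X86


def uses_encoded_command(cmdline):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...)."""
    return any(t.startswith("-e") and "-encodedcommand".startswith(t)
               for t in cmdline.lower().split())


def find_downgrades(log_text):
    """Return the records that match the downgrade pattern, annotated with 'encoded'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and is_downgrade(rec):
            rec["encoded"] = uses_encoded_command(rec["cmdline"])
            hits.append(rec)
    return hits


# Constructed sample log: a normal launch, the downgrade with an encoded
# command (payload replaced by a placeholder), and a benign 32-bit launch
# from svchost that must not be flagged.
SAMPLE_LOG = "\n".join([
    "2013-05-20T10:00:01\tC:\\Windows\\explorer.exe"
    "\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -NoProfile",
    "2013-05-20T10:00:02\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc BASE64_PLACEHOLDER",
    "2013-05-20T10:05:00\tC:\\Windows\\System32\\svchost.exe"
    "\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tpowershell.exe -File C:\\scripts\\inventory.ps1",
])

if __name__ == "__main__":
    for hit in find_downgrades(SAMPLE_LOG):
        print(hit["time"], "x64->x86 PowerShell downgrade", "(encoded command)" if hit["encoded"] else "")
```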

Changelog


* incorporated the new x86 PowerShell downgrade attack. This will automatically use x86 shellcode regardless of operating system. (https://www.trustedsec.com/may-2013/native-powershell-x86-shellcode-injection-on-64-bit-platforms/)
* changed platform detection from if($env:PROCESSOR_ARCHITECTURE -eq "AMD64") to [IntPtr]::Size -eq 8, which tests the bitness of the running process rather than of the operating system (thanks Matthew Graeber)
* rewrote payload generator in powershell menu to use new process downgrade attack
* rewrote java applet to use the new process downgrade attack
* rewrote powershell generation within setcore to use the powershell downgrade attack
* changed the default Java Applet wording to “Applet verified as safe (TRUSTED)”.
* fixed a bug that would cause SQL bruter to error out when specifying a single host and the host was not alive
* fixed a bug that would allow you to use web templates with webjacking and tabnabbing, which it should not have
* removed old encoding methods when using standard metasploit executables
* fixed an issue that would not allow SSL and the harvester to work correctly – this required manually patching socket.py and keeping a patched version in the root directory upon launch. This is due to a bug in pyopenssl and unhandled packets within socket.py
* added more stability to the SSL harvester when using pem certificate files
* added powershell downgrade attack to psexec powershell attack
* added ExitOnSession to false when using psexec command
* added set EnableStageEncoding true when using psexec command for stager encoding with shikata
* added better stability to the powershell injection attacks with multiple detection points
* fixed an issue that would cause an error message when reusing credential harvester
* added proper cleanup on new socket.py – has to be in SET root – weird issue when os.chdir or sys.path.append – doesn’t recognize
* removed man left in the middle from the web attacks menu
* stretched the text on the menu to be full line versus manual splitting
* added new code and binary for pyinjector to evade AV
* added new code and binary for multipyinjector to evade AV
* officially removed the “set” command and moved to se-toolkit, set was a linux command and conflicted – use se-toolkit from here on out
* simplified the replace code for the shellcode powershell injection technique in setcore
* improved string encryption on the java applet attack
* added -noprofile flag option to powershell injection for x86 downgrade attack
* slimmed down the code used for the powershell injection attacks, allows more space for shellcode
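The downgrade logic described above can be reproduced outside SET. The following is an added example, not SET's own code: it builds the PowerShell launcher that tests [IntPtr]::Size, re-launches the payload through the 32-bit host under SysWOW64 when the current process is 64-bit, and wraps each stage as UTF-16LE base64 for -EncodedCommand (the encoding SET uses for its PowerShell payloads). The SysWOW64 path, the flag set and the demo payload are assumptions for illustration; the real injection script is not reproduced here.

```python
import base64

# Assumed location of the 32-bit PowerShell host on a 64-bit Windows install.
# $env:windir is expanded by PowerShell at run time, not by Python.
X86_POWERSHELL = r"$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# cmd.exe refuses command lines longer than this; every byte of wrapper is a
# byte that is not available for shellcode, which is why the stub size matters.
MAX_CMD_LINE = 8191


def encode_command(script: str) -> str:
    """Encode a script for powershell.exe -EncodedCommand: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Inverse of encode_command; useful when triaging a launcher found in logs."""
    return base64.b64decode(encoded).decode("utf-16-le")


def build_downgrade_launcher(payload_script: str) -> str:
    """Return a PowerShell snippet that runs payload_script in a 32-bit process.

    [IntPtr]::Size is 8 inside a 64-bit process and 4 inside a 32-bit one.
    $env:PROCESSOR_ARCHITECTURE is a weaker test: it describes the operating
    system, not the bitness of the PowerShell process that is actually running.
    On a 64-bit host the payload is re-launched through the SysWOW64 host with
    -noprofile so that x86 shellcode can be injected natively; otherwise it
    runs in place.
    """
    encoded = encode_command(payload_script)
    return (
        "if ([IntPtr]::Size -eq 8) { "
        f'& "{X86_POWERSHELL}" -noprofile -NonInteractive -EncodedCommand {encoded} '
        "} else { "
        f"powershell -noprofile -NonInteractive -EncodedCommand {encoded} "
        "}"
    )


def build_command_line(payload_script: str) -> str:
    """Full one-liner as it would be handed to cmd.exe, xp_cmdshell or psexec."""
    launcher = build_downgrade_launcher(payload_script)
    return f"powershell -noprofile -NonInteractive -EncodedCommand {encode_command(launcher)}"


def fits_command_line(command_line: str, limit: int = MAX_CMD_LINE) -> bool:
    """Check the generated line against the cmd.exe limit before deploying it."""
    return len(command_line) <= limit


if __name__ == "__main__":
    # Constructed, harmless stand-in for the injection payload SET would generate.
    demo = "Write-Host ('pointer size: ' + [IntPtr]::Size)"
    line = build_command_line(demo)
    print(line)
    print("fits cmd.exe:", fits_command_line(line))
```

Because the payload is base64-encoded once for the inner call and again for the outer launcher, each level inflates the size by roughly a third before the UTF-16 doubling; that is the trade-off behind the "slimmed down" stub noted in the changelog.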

[EMET v4.0] Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system. Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.

Changelog v4.0

New features introduced in EMET 4: Certificate Trust, mitigations improvement hardening, and the Early Warning Program.


(Reposted from TechNet Blogs)
Redesigned User Interface: We realized that with the addition of the new features introduced in EMET 4.0 Beta, the old graphical user interface was not as effective and easy to use. For this reason, we decided to re-design EMET’s GUI to facilitate and streamline the configuration operations. We also added the possibility to select the look-and-feel of EMET from a set of skins that we included.

Configuration Wizard: We know that configuration can be challenging when installing EMET for the first time. In EMET 3.0 we added the Protection Profiles, which were used to facilitate the initial configuration for applications. With EMET 4.0 we are introducing a Configuration Wizard that will automatically configure EMET with a standard set of SSL certificate pinning rules as well as a list of applications to protect. It also can preserve existing EMET 3.0 settings, and gives the possibility to add standard configuration for the new features. The Configuration Wizard will start automatically during EMET’s installation and can also be accessed, at any time, from EMET GUI. Advanced users can choose to apply a standard configuration through the Configuration Wizard and then customize EMET’s configuration afterwards according to their needs.

Changes in Certificate Trust: We made a few changes to the Certificate Trust feature, based on users’ feedback, further internal investigation, and partnership with third party online services. We added a new exception to the SSL certificate pinning rules that if enabled will make EMET verify just the Public Key component of the Root CAs present in the rule without matching subject name and serial number. Additionally, we made the Certificate Trust feature available on 64-bit versions of Internet Explorer. Finally, we added to the previous default rules for Microsoft online services new rules also for Twitter, Facebook, and Yahoo!.

Updated Group Policy profiles: Enterprise customers will notice that we updated our Group Policy profiles to include not only the ability to configure system and application mitigations, but also the reporting mechanisms, the advanced mitigation configurations, and the exploit action.

Full Changelog: here

[SET v5.1] The Social-Engineer Toolkit codename “Name of the Doctor”

The Social-Engineer Toolkit (SET) version 5.1 codename “Name of the Doctor” has been released. This version adds a complete rewrite of the MSSQL Bruter as well as a new attack vector utilizing the PSExec functionality within Metasploit.


The MSSQL Bruter now incorporates UDP port 1434 quick discovery by sending a specially crafted packet to MSSQL servers and returning the port automatically. This technique eliminates the need to port scan and quickly identifies the SQL server as well as the port the SQL server is listening on. In addition, SET has moved away from the _mssql Python module and towards impacket from Core Security. The main reasons are instabilities in later versions of _mssql, with execute_query() being broken, and the fact that the functionality built into impacket makes it much easier to use.

In addition to utilizing impacket: originally in SET you had two options for payload delivery, the first being PowerShell and the second the binary-to-hex debug conversion attack vector. This has been changed to automatically detect if PowerShell is installed on the victim machine; if it is, SET will automatically deploy a PowerShell injection technique that has been completely rewritten in the MSSQL module. If it does not detect PowerShell, it will automatically fall back to the debug method. Lastly, on the MSSQL Bruter side, performance has been increased significantly for brute forcing, discovery, and deploying of payloads.

For a video of the features, check out below:
Vimeo: Video

A new attack vector built into SET is the psexec attack vector inside the Fast-Track menu. During a penetration test, you often have credentials to a server and want Meterpreter on a wide scale. The traditional psexec module gets picked up by anti-virus due to known signatures being used. You can use the EXE::Custom advanced feature, but it still doesn’t give you the ability to select RHOSTS (multiple IP addresses) unless you custom script it or go through something like railgun. The newer module “psexec_command” allows you to specify RHOSTS as well as execute a command on the operating system. Inside of SET, the psexec attack vector will automatically create a Meterpreter backdoor through PowerShell and deploy it to systems you have permission to test (RHOSTS). You can either use a username and password that you’ve recovered or the hash for the pass-the-hash attack vector.

In addition to the new attack vectors, a number of other improvements, bug fixes, and enhancements have been made in this release. For more on all of the changes, check out the changelog below:

Changelog v5.1

  • when specifying a custom wordlist in SET – added the ability for ports to be specified ipaddr:portnum for example 192.168.5.5:2052 just in case a SQL server is not listening on 1433
  • incorporated UDP port 1434 enumeration instead of portscanning – much faster and more efficient – also finds SQL servers that are not listening on port 1433 (thanks Larry Spohn)
  • removed the src/core/portscan.py it is no longer needed
  • added impacket as a dependency – will be used for psexec command execution and TDS connections via MSSQL
  • fixed an issue that would cause the import modules to not load properly when relaunching the MSSQL Brute attack
  • improved the speed of the MSSQL brute attack on initial brute force
  • completely rewrote MSSQL Brute to incorporate impacket – SET no longer uses the _mssql module – highly buggy in the latest versions
  • improved udp 1434 detection capability by piping through the printCIDR function which will utilize CIDR notations when scanning
  • incorporated new function called capture which will take stdout from function calls and present them as a string – important when doing regex in impacket
  • streamlined the MSSQL bruter to automatically profile the system to determine if Powershell is installed, if so it will automatically do powershell injection, if not it will fall back to the Windows debug method for payload delivery
  • rewrote the entire powershell deployment module – it now ties in to standard powershell shell payload delivery system
  • added dynamic shellcode patching to the MSSQL bruter – it now generates shellcode automatically, casts it to Unicode (UTF-16LE), then base64 encodes it for the EncodedCommand PowerShell bypass technique
  • rewrote the hex2binary deployment method to support the new impacket method – it will now automatically deliver a binary based on the attack vector that you want to use
  • shrunk the powershell injection code to fit properly within MSSQL xp_cmdshell one call
  • added one line for xp_cmdshell disable which works on later versions of Windows
  • removed the portscan functionality completely out of the MSSQL payload
  • rewrote all portions of the MSSQL bruter to be fully impacket based and removed the dependency on _mssql from fast-track
  • added new attack vector within the Fast-Track menu “PSEXEC Powershell Injection” which will allow you to specify psexec_command and compromise via direct memory injection
  • added ability to set threads within the new PSEXEC PowerShell Injection technique
  • added quick dynamic patching for the powershell injection technique for payloads
  • added a new trustedsec intro ascii art that has the TS logo on it
  • updated rid_enum to the latest github version inside SET
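The UDP 1434 discovery that replaced SET's port scanner is the SQL Server Resolution Protocol (SSRP): the client sends a single 0x02 byte to UDP 1434 and the server answers with a 0x05 byte, a two-byte little-endian length, and a semicolon-separated list of instances that includes each instance's TCP port. The following is an added example, not SET's own code, that builds the probe, parses such a response, and handles the ipaddr:portnum and CIDR target forms mentioned in the changelog. The sample response bytes are constructed; discover() needs network access and is not exercised by the sample.

```python
from __future__ import annotations

import ipaddress
import socket

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"   # "list every instance" request
SVR_RESP = 0x05           # first byte of a valid server response
DEFAULT_TCP_PORT = 1433


def parse_target(spec: str, default_port: int = DEFAULT_TCP_PORT) -> tuple[str, int]:
    """'192.168.5.5:2052' -> ('192.168.5.5', 2052); '192.168.5.5' -> ('192.168.5.5', 1433).
    IPv4 and hostnames only: a bare IPv6 literal would be split at the wrong colon."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, int(port)


def expand_targets(spec: str, default_port: int = DEFAULT_TCP_PORT) -> list[tuple[str, int]]:
    """Accept host, host:port, CIDR or CIDR:port and return (address, port) pairs."""
    host, port = parse_target(spec, default_port)
    try:
        network = ipaddress.ip_network(host, strict=False)
    except ValueError:           # a DNS name, not an address or prefix
        return [(host, port)]
    if network.num_addresses == 1:
        return [(str(network.network_address), port)]
    return [(str(ip), port) for ip in network.hosts()]


def parse_ssrp_response(data: bytes) -> list[dict[str, str]]:
    """Decode an SVR_RESP message into one dict per advertised instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    size = int.from_bytes(data[1:3], "little")
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):        # instances are terminated by ";;"
        if not chunk:
            continue
        tokens = chunk.split(";")         # key;value;key;value;...
        instances.append(dict(zip(tokens[0::2], tokens[1::2])))
    return instances


def tcp_ports(instances: list[dict[str, str]]) -> list[tuple[str, int]]:
    """(instance name, TCP port) for every instance that advertises TCP."""
    return [(i.get("InstanceName", "?"), int(i["tcp"])) for i in instances if "tcp" in i]


def discover(host: str, timeout: float = 2.0) -> list[tuple[str, int]]:
    """Send the probe to one host and parse whatever comes back (network access required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return tcp_ports(parse_ssrp_response(data))


# Constructed sample response: a default instance plus a named one on port 2052.
SAMPLE_BODY = (
    "ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;Version;10.50.1600.1;tcp;1433;;"
    "ServerName;SQL01;InstanceName;SQLEXPRESS;IsClustered;No;Version;10.50.1600.1;tcp;2052;"
    "np;\\\\SQL01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
).encode("ascii")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY

if __name__ == "__main__":
    for name, port in tcp_ports(parse_ssrp_response(SAMPLE_RESPONSE)):
        print(f"{name}: tcp/{port}")
```

The SQL Browser service only answers for instances it knows about, so a server with the Browser service disabled, or with UDP 1434 filtered, will not show up; the explicit ipaddr:portnum form is the fallback for those hosts.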

[ShellNoob v1.0] Shellcode Writing Toolkit

ShellNoob is a shellcode writing toolkit: it helps you write shellcode, convert it between formats, and automate the boring steps.

Features:
  • convert shellcode between different formats (currently supported: asm, bin, hex, obj, exe, C, python, ruby, pretty)
  • interactive opcode-to-binary conversion (and vice versa) mode. This is useful when you cannot use specific bytes in the shellcode.
  • resolve syscall numbers and constants (not exactly implemented yet)
  • portable and easily deployable (it only relies on gcc/as/objdump and Python). And it's just one Python file!
  • in-place development: you run ShellNoob directly on the target architecture!
  • other options: prepend breakpoint, 32bit/64bit switch.
  • read from stdin / write to stdout support (use “-” as filename)

Use Cases
$ ./shellnoob.py -h
./shellnoob.py [--from-INPUT] (input_file_path | - ) [--to-OUTPUT] [output_file_path | - ]
./shellnoob.py -i (for interactive mode)
./shellnoob.py -c (insert a breakpoint at the beginning of the shellcode)
./shellnoob.py --64 (64bits mode)
./shellnoob.py --get-const <const>
./shellnoob.py --get-sysnum <sysnum>

supported INPUT format: asm, obj, bin, hex
supported OUTPUT format: asm, obj, exe, bin, hex, C, python, bash, ruby, pretty
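The format conversions and the bad-byte check are the parts of ShellNoob that do not need an assembler, so they can be shown compactly. The following is an added example, not ShellNoob's own code: it converts raw shellcode between hex, C, Python, Ruby and an offset-annotated "pretty" dump, accepts the common hex spellings on input, and reports the offsets of any bytes you are not allowed to use (the case the interactive mode is meant for). The sample bytes are a constructed Linux/x86 execve("/bin//sh") stub used only as input data; output layouts are this example's own choices.

```python
from __future__ import annotations

import re

# Constructed sample input: 23-byte Linux/x86 execve("/bin//sh") shellcode.
SAMPLE_SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")


def hex_to_bin(text: str) -> bytes:
    """Accept '31c0', '31 c0', '\\x31\\xc0' or '0x31,0xc0' and return raw bytes."""
    digits = re.sub(r"(\\x|0x|[\s,\"'])", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(digits)


def bin_to_hex(data: bytes) -> str:
    return data.hex()


def escaped(data: bytes) -> str:
    """'\\x31\\xc0...' form shared by the C, Python and Ruby outputs."""
    return "".join(f"\\x{b:02x}" for b in data)


def to_c(data: bytes, width: int = 16) -> str:
    lines = [f'"{escaped(data[i:i + width])}"' for i in range(0, len(data), width)]
    body = "\n    ".join(lines)
    return f"unsigned char shellcode[] =\n    {body};\nunsigned int shellcode_len = {len(data)};\n"


def to_python(data: bytes) -> str:
    return f'shellcode = b"{escaped(data)}"\n'


def to_ruby(data: bytes) -> str:
    return f'shellcode = "{escaped(data)}"\n'


def to_pretty(data: bytes, width: int = 8) -> str:
    """Offset-annotated dump, handy when mapping bytes back to instructions."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        rows.append(f"{off:04x}: " + " ".join(f"{b:02x}" for b in chunk))
    return "\n".join(rows) + "\n"


def bad_chars(data: bytes, banned: bytes) -> list[tuple[int, int]]:
    """(offset, byte) for every banned byte present, e.g. NUL in a strcpy target."""
    return [(i, b) for i, b in enumerate(data) if b in banned]


FORMATS = {"hex": bin_to_hex, "c": to_c, "python": to_python, "ruby": to_ruby, "pretty": to_pretty}


def convert(data: bytes, fmt: str) -> str:
    try:
        return FORMATS[fmt](data)
    except KeyError:
        raise ValueError(f"unsupported output format: {fmt}") from None


if __name__ == "__main__":
    print(convert(SAMPLE_SHELLCODE, "c"))
    print(convert(SAMPLE_SHELLCODE, "pretty"))
    print("NUL bytes:", bad_chars(SAMPLE_SHELLCODE, b"\x00"))
    print("slashes:", bad_chars(SAMPLE_SHELLCODE, b"\x2f"))
```

Checking bad_chars() against the full banned set for the target (NUL for string copies, 0x0a and 0x0d for line-based parsers, and so on) before converting is cheaper than finding out from a crashed target; the execve stub above is NUL-free but carries three 0x2f bytes from the "/bin//sh" string.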


[IPv6 Toolkit v1.3.4] A security assessment and troubleshooting tool for the IPv6 protocols


A security assessment and troubleshooting tool for the IPv6 protocols.

The SI6 Networks’ IPv6 toolkit is a set of IPv6 security/trouble-shooting tools, that can send arbitrary IPv6-based packets.


Changelog v1.3.4

  • IPv6-host tracking support in the scan6 tool.
  • A new tool, address6, to analyze IPv6 addresses.
  • Minor bug fixes.
  • The toolkit runs on (at least) the latest versions of Linux, FreeBSD, NetBSD, OpenBSD, and MacOS.

Supported platforms
  • The following platforms are supported: FreeBSD, NetBSD, OpenBSD, Linux, and Mac OS.


List of Tools and Manual Pages

  • flow6: A tool to perform a security assessment of the IPv6 Flow Label.
  • frag6: A tool to perform IPv6 fragmentation-based attacks and to perform a security assessment of a number of fragmentation-related aspects.
  • icmp6: A tool to perform attacks based on ICMPv6 error messages.
  • jumbo6: A tool to assess potential flaws in the handling of IPv6 Jumbograms.
  • na6: A tool to send arbitrary Neighbor Advertisement messages.
  • ni6: A tool to send arbitrary ICMPv6 Node Information messages, and assess possible flaws in the processing of such packets.
  • ns6: A tool to send arbitrary Neighbor Solicitation messages.
  • ra6: A tool to send arbitrary Router Advertisement messages.
  • rd6: A tool to send arbitrary ICMPv6 Redirect messages.
  • rs6: A tool to send arbitrary Router Solicitation messages.
  • scan6: An IPv6 address scanning tool.
  • tcp6: A tool to send arbitrary TCP segments and perform a variety of TCP-based attacks.

More Information:
http://www.si6networks.com/tools/ipv6toolkit/

[EMET v4.0 Beta] Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) is designed to help prevent hackers from gaining access to your system.

Software vulnerabilities and exploits have become an everyday part of life. Virtually every product has to deal with them and consequently, users are faced with a stream of security updates. For users who get attacked before the latest updates have been applied or who get attacked before an update is even available, the results can be devastating: malware, loss of PII, etc.

Security mitigation technologies are designed to make it more difficult for an attacker to exploit vulnerabilities in a given piece of software. EMET allows users to manage these technologies on their system and provides several unique benefits:

1. No source code needed: Until now, several of the available mitigations (such as Data Execution Prevention) have required for an application to be manually opted in and recompiled. EMET changes this by allowing a user to opt in applications without recompilation. This is especially handy for deploying mitigations on software that was written before the mitigations were available and when source code is not available.

2. Highly configurable: EMET provides a higher degree of granularity by allowing mitigations to be individually applied on a per process basis. There is no need to enable an entire product or suite of applications. This is helpful in situations where a process is not compatible with a particular mitigation technology. When that happens, a user can simply turn that mitigation off for that process.

3. Helps harden legacy applications: It’s not uncommon to have a hard dependency on old legacy software that cannot easily be rewritten and needs to be phased out slowly. Unfortunately, this can easily pose a security risk as legacy software is notorious for having security vulnerabilities. While the real solution to this is migrating away from the legacy software, EMET can help manage the risk while this is occurring by making it harder for hackers to exploit vulnerabilities in the legacy software.

4. Ease of use: The policy for system wide mitigations can be seen and configured with EMET’s graphical user interface. There is no need to locate and decipher registry keys or run platform dependent utilities. With EMET you can adjust settings with a single consistent interface regardless of the underlying platform.

5. Ease of deployment: EMET comes with built-in support for enterprise deployment and configuration technologies. This enables administrators to use Group Policy or System Center Configuration Manager to deploy, configure and monitor EMET installations across the enterprise environment.

6. Ongoing improvement: EMET is a living tool designed to be updated as new mitigation technologies become available. This provides a chance for users to try out and benefit from cutting edge mitigations. The release cycle for EMET is also not tied to any product. EMET updates can be made dynamically as soon as new mitigations are ready.

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

New enhancements with v4 (from Microsoft Blog)


The feature set for this new version of the tool was inspired by our desire for EMET to be an effective mitigation layer for a wider variety of potential software exploit scenarios, to provide stronger protections against scenarios where EMET protection already exists, and to have a way to respond to 0day exploits as soon as possible. Here are the highlights of the EMET 4.0 feature set:

  • EMET 4.0 detects attacks leveraging suspicious SSL/TLS certificates
  • EMET 4.0 strengthens existing mitigations and blocks known bypasses
  • EMET 4.0 addresses known application compatibility issues with EMET 3.0
  • EMET 4.0 enables an Early Warning Program for enterprise customers and for Microsoft
  • EMET 4.0 allows customers to test mitigations with “Audit Mode”

SSL/TLS Certificate Trust features
EMET 4.0 allows users to configure a set of certificate pinning rules to validate digitally signed certificates (SSL/TLS certificates) while browsing with Internet Explorer. This option allows users to configure a set of rules able to match specific domains (through their SSL/TLS certificates) with the corresponding known Root Certificate Authority (RootCA) that issued the certificate. When EMET detects the variation of the issuing RootCA for a specific SSL certificate configured for a domain, it will report this anomaly as an indicator of a potential man-in-the-middle attack.

Advanced users can also add exceptions for each pinning rule. This will allow EMET to accept SSL/TLS certificates even if the pinning rule doesn’t match. Exceptions are related to some properties of the RootCA certificate, such as key size, hashing algorithm, and issuer country.
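The Certificate Trust decision described above (and extended in the 4.0 final release with a public-key-only match) reduces to a small rule evaluation once the browser has built the chain: does the root that issued the chain for a pinned domain match the pinned root, and if not, does a configured exception cover it? The following is an added example, not EMET's code, that models that decision over constructed certificate metadata. Field names, the "any exception that holds accepts the chain" semantics, and the sample roots are assumptions for illustration; the real rules operate on certificates from the Windows certificate store.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class RootCA:
    """The root-certificate attributes an EMET-style rule compares."""
    subject: str
    serial: str
    spki_sha256: str   # hash of the root's SubjectPublicKeyInfo
    key_bits: int
    sig_hash: str      # hash algorithm of the root's signature, e.g. "sha256"
    country: str       # issuer country attribute


@dataclass
class PinRule:
    domain: str
    roots: list[RootCA]                 # roots allowed to issue for this domain
    public_key_only: bool = False       # match on SPKI hash alone, ignore subject/serial
    min_key_bits: int | None = None     # exceptions: accept if any configured one holds
    allowed_hashes: set[str] = field(default_factory=set)
    allowed_countries: set[str] = field(default_factory=set)


def root_matches(rule: PinRule, observed: RootCA) -> bool:
    """Strict match needs key, subject and serial; key-only mode needs the key alone."""
    for pinned in rule.roots:
        if pinned.spki_sha256 != observed.spki_sha256:
            continue
        if rule.public_key_only:
            return True
        if pinned.subject == observed.subject and pinned.serial == observed.serial:
            return True
    return False


def exception_applies(rule: PinRule, observed: RootCA) -> bool:
    """Exceptions are properties of the unexpected root, not of the pinned one."""
    if rule.min_key_bits is not None and observed.key_bits >= rule.min_key_bits:
        return True
    if observed.sig_hash.lower() in rule.allowed_hashes:
        return True
    if observed.country.upper() in rule.allowed_countries:
        return True
    return False


def evaluate(rules: list[PinRule], host: str, observed_root: RootCA) -> str:
    """'unpinned' (no rule for host), 'match', 'exception', or 'anomaly' (possible MITM)."""
    rule = next((r for r in rules if r.domain.lower() == host.lower()), None)
    if rule is None:
        return "unpinned"
    if root_matches(rule, observed_root):
        return "match"
    if exception_applies(rule, observed_root):
        return "exception"
    return "anomaly"


# Constructed sample roots (the hashes are placeholders, not real values).
PINNED_ROOT = RootCA("CN=Example Root CA", "0a:1b:2c", "sha256:aaaa", 2048, "sha256", "US")
ROGUE_ROOT = RootCA("CN=Example Root CA", "ff:ff:ff", "sha256:bbbb", 2048, "sha1", "XX")
REISSUED_ROOT = RootCA("CN=Example Root CA G2", "0b:2c:3d", "sha256:aaaa", 2048, "sha256", "US")
RULES = [PinRule("login.example.com", [PINNED_ROOT])]

if __name__ == "__main__":
    for label, root in [("pinned", PINNED_ROOT), ("rogue", ROGUE_ROOT), ("reissued", REISSUED_ROOT)]:
        print(label, "->", evaluate(RULES, "login.example.com", root))
```

The reissued root (same key, new certificate and serial) is the case that motivated the public-key-only option: a strict rule flags it as an anomaly even though nothing hostile happened, which is the kind of false positive that makes users switch pinning off. The cost is that a root whose key is reused across certificates can no longer be distinguished by serial, so the trade-off is between fewer false alarms and a slightly coarser match.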

Strengthened mitigations, blocking bypasses
We learned a great deal during the “Technical Preview” phase of EMET 3.5. We saw researchers poking and presenting clever tricks to bypass EMET’s anti-ROP mitigations. EMET 4.0 blocks these bypasses. For example, instead of hooking and protecting only functions at the kernel32!VirtualAlloc layer of the call stack, EMET 4.0 will additionally hook lower level functions such as kernelbase!VirtualAlloc and ntdll!NtAllocateVirtualMemory. These “Deep Hooks” can be configured in EMET’s Advanced Configuration. We have seen exploits attempt to evade EMET hooks by executing a copy of the hooked function prologue and then jumping to the function past the prologue. With EMET 4.0’s “Anti detours” option enabled, common shellcode using this technique will be blocked. Finally, EMET 4.0 also includes a mechanism to block calls to banned APIs. For example, a recent presentation at CanSecWest 2013 presented a method of bypassing ASLR and DEP via ntdll!LdrHotPatchRoutine. EMET 4.0’s “Banned API” feature blocks this technique.

Application compatibility fixes
Users of previous versions of EMET had encountered isolated compatibility issues when enabling mitigations on both Microsoft and third party software. EMET 4.0 addresses all these known app-compat issues. That list includes issues in the following areas:
- Internet Explorer 9 and the Snipping Tool
- Internet Explorer 8’s Managed Add-ons dialog
- Office software through SharePoint
- Access 2010 with certain mitigations enabled
- Internet Explorer 10 on Windows 8
The EMET 4.0 installer also opts-in protection rules with certain mitigations disabled where we know a mitigation interacts poorly with certain software. Examples include Photoshop, Office 2013’s Lync, GTalk, wmplayer, and Chrome.

Early Warning Program for enterprise customers and for Microsoft
When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack is prepared with the Microsoft Error Reporting (MER) functionality. For enterprise customers collecting error reports via tools like Microsoft Desktop Optimization Package or the Client Monitoring feature of System Center Operations Manager, these error reports can be triaged locally and used as an early warning program indicating possible attacks against the corporate network. For organizations that typically send all error reports to Microsoft, this information will add to the set of indicators we use to hunt attacks in the wild, and will facilitate the remediation of issues with security updates before vulnerabilities become a large scale threat. The EMET Privacy Statement (available also via the main EMET window) includes more information about the type of data that will be sent in the error report via Microsoft Error Reporting. The Early Warning Program is enabled by default for the EMET 4.0 Beta and can be disabled in the EMET UI or via the EMET command line component. We are eager to hear customer feedback about this feature to help shape the Early Warning Program for the EMET 4.0 final release.

Audit Mode
When previous versions of EMET detected exploitation attempts, it would report the attack via the EMET agent and then terminate the program to block the attack. For EMET 4.0, in response to customer feedback, we provided an option to configure EMET’s behavior when it detects an exploitation attempt. The default option remains to terminate the application. However, customers wanting to test EMET in a production environment can instead switch to “Audit Mode” to report the exploitation attempt but not terminate the process. This setting is not applicable for all mitigations but we provide this option whenever possible.

Other Improvements
EMET 4.0 includes a bunch of other improvements. The quantity of new features and volume of work put into this release is the reason we skipped the EMET 3.5 full release and jumped straight to EMET 4.0. Please refer to the EMET 4.0 Beta Users Guide for the full set of features but here are several other highlights:

- EMET Notifier becomes EMET Agent, with new duties and functionalities
- More granular reporting options (tray icon, event log, both, or none)
- New default profiles for both mitigations and Certificate Trust
- Registry configuration to customize the EMET Agent’s messaging
- Optimized RopCheck for significantly better performance
- Numerous UI tweaks to make EMET easier to use
- Enable wildcard support when adding applications to be protected
- Allow processes to be protected even if they do not have .exe extension
- Switched to .NET Framework 4.0
- EMET is an officially supported Microsoft tool with support available for customers with Premier contract

[SET Version 5.0] The Social-Engineer Toolkit "The Wild West"


Social-Engineer Toolkit (SET) v5.0 codename: The Wild West is a culmination of six months of development, bug squashing, and user feedback. New with this version is a completely redesigned multiprocessing web server that handles non-RFC-compliant HTTP information. The built-in SET web server would on occasion crash when receiving unexpected characters. The new version of the web server is stable, and significantly faster. This version is Kali Linux compliant (FHS): all information has been moved out of src/program_junk and into your ~/.set home directory.

In addition to the FHS restructuring of SET, we have also added some significant performance and stability updates. For example, traditionally if you launched an attack, you would have to exit out of SET completely and then relaunch. The dynamic importing has now been changed to fix this and improve the ability to reuse modules.
For a full list of changes, the changelog can be found below:

~~~~~~~~~~~~~~~~
version 5.0
~~~~~~~~~~~~~~~~
* fixed a bug that would cause tabnabbing to throw an exception around check_options
* added setcore modules into tabnabbing to allow centralized routines
* fixed a bug that would cause webjacking to throw an exception around check_options
* added git clean -fd prior to set update, this will force a clean when pulling the latest files
* fixed a bug that would cause a system not setup properly when installing in setup.py
* fixed a bug on start_dns() upon launch will cause errors on certain systems
* added installation script for putting SET into /usr/bin and /usr/share for an FHS-compliant installer
* added set-update to the installation path, can type that anywhere now
* added set-automate to the list to be typed in anywhere
* fixed a bug that would cause the java applet method to not work a second time in use (reload)
* rewrote MASSIVE amounts of code to no longer use src/program_junk for storage of applications, its now all under ~/.set
* fixed an os.chdir issue when using it to spawn a web server during java applet, moved to multiprocessing instead of threading.Thread
* fixed a bug that caused credential harvester to throw an exception with the new ~/.set directory structure
* centralized setdir into the main repository to handle it through there and to call the ~/.set directory
* added additional passwords to wordlist.txt used for fast-track mssql brute forcing
* fixed a mssql access bug that would cause fast-track to error out if unspecified IP was added
* removed the pymssql check from the initial SET start and onto Fast-Track since it’s only used there
* turned java repeater to ON by default, much better success rate in SE pentesting
* rewrote large portions of payloadgen to incorporate the changes to the new ~/.set path variables
* added a new file structure to launch set called se-toolkit. The set executable is now deprecated and should no longer be used – to launch set just type ./se-toolkit
* updated the setup.py installation to be more robust when performing installations (windows, etc.)
* moved all of the reporting structures within SET to the new ~/.set directory
* added a checkup routine in set and se-toolkit to check for the reports directory
* fixed a bug that would cause multi powershell injection to trigger even when using the powershell menu, it will just generate one now
* fixed an issue that could cause powershell injection to not work properly using the fast patch method
* fixed an issue that would cause definepath to not be specified when using the SE Toolkit Interactive shell
* fixed relative path issues in sccm_main and powershell teensy vectors to point to new .set directory
* fixed an issue that would cause the SE toolkit to hang on a weird bug when importing binascii – moved binascii to main import above and no longer hung
* fixed a before assignment error when using the windows debug conversion in the fast-track mssql menu (meta_path reference)
* changed reports directory within the teensy side to move to ~/.set/reports
* moved the report_generator in harvester to pull and report on the new ~/.set reports structure
* fixed an issue where webjacking would not post properly on certain websites (index2.html conflict issue)
* added the Metasploit MS13-009 IE SLayoutRun Use After Free Exploit to the Metasploit Browser Exploit attacks
* fixed a parsing issue with the JMX bean exploit in the SET menu text from appearing to be on one line
* added a new description on setting up sendmail for Kali Linux
* added a check for multi powershell injection and check for solo instances through powershell teensy and not to generate a ton
* changed the email handler from control-c to END instead. Control-C will break multiprocessing within src.html.spawn and this is the proper way to do it
* cleaned up setcore with old code and optimized other areas of the code base
* reduced the description of the allports payload when selecting in web attack method
* added a completely new and redesigned multi threaded and multiprocessing web server – should be significantly faster with less bugs and crashing when handling non-rfc compliant HTTP requests
* optimized applet load time to be much more efficient when being loaded into the web attack vector (about 4 seconds improvement)
* rewrote exceptions handler for the new web server to check to see if anything is running on port 80 when starting
* turned java repeater to on by default – more stable and tested on multiple platforms
* fixed an issue that would cause the java applet web cloner to fail upon running it twice – added reload(module) option to fix the bug
* fixed an issue that caused powershell.prep to not load if used twice
* fixed an import error when using powershell injection through the main menu
* changed initial set menu in powershell to be the standard setprompt
* changed the default port to 443 on powershell delivery in the set option number 10
* fixed an issue that would cause the powershell injection to spawn on port 22 versus 443 as specified
* removed the man left in the middle attack – no longer in use, outdated and not maintained
* removed beautifulsoup as a dependency for SET due to the removal of man left in the middle
* added the ability to call the web server and stop it based on stop_server()