This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Showing posts with label cURL. Show all posts
Showing posts with label cURL. Show all posts

Reconnoitre - A Security Tool For Multithreaded Information Gathering And Service Enumeration

May 20, 2017  , , , , , , , , , , , , , , , , , , ,  


A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst also creating a directory structure of results for each host, recommended commands to execute and directory structures for storing loot and flags.

Usage
This tool can be used and copied for personal use freely however attribution and credit should be offered to Mike Czumak who originally started the process of automating this work.
Argument Description
-h, --help Display help message and exit
-t TARGET_HOSTS Set either a target range of addresses or a single host to target. May also be a file containing hosts.
-o OUTPUT_DIRECTORY Set the target directory where results should be written.
-w WORDLIST Optionally specify your own wordlist to use for pre-compiled commands, or executed attacks.
--dns DNS_SERVER Optionally specify a DNS server to use with a service scan.
--pingsweep Write a new target.txt file in the OUTPUT_DIRECTORY by performing a ping sweep and discovering live hosts.
--dnssweep Find DNS servers from the list of target(s).
--snmpsweep Find hosts responding to SNMP requests from the list of target(s).
--services Perform a service scan over the target(s) and write recommendations for further commands to execute.
--snmpwalk SNMP walk target hosts and save results.
--hostnames Attempt to discover target hostnames and write to hostnames.txt.
--quiet Supress banner and headers and limit feedback to grepable results.
--execute Execute shell commands from recommendations as they are discovered. Likely to lead to very long execution times depending on the wordlist being used and discovered vectors.
--simple_exec Execute non-brute forcing shell comamnds only commands as they are discovered. Likely to lead to very long execution times depending on the wordlist being used and discovered vectors.
--quick Move to the next target after performing a quick scan and writing first-round recommendations.

Usage Examples
Note that these are some examples to give you insight into potential use cases for this tool. Command lines can be added or removed based on what you wish to acomplish with your scan.

Scan a single host, create a file structure and discover services
python ./reconnoitre.py -t 192.168.1.5 -o /root/Documents/labs/ --services
An example output would look like:
root@kali:~/Documents/tools/reconnoitre/reconnoitre# python ./reconnoitre.py -t 192.168.1.5 --services -o /root/Documents/labs/
  __
|"""\-=  RECONNOITRE
(____)      An OSCP scanner

[#] Performing service scans
[*] Loaded single target: 192.168.1.5
[+] Creating directory structure for 192.168.1.5
   [>] Creating scans directory at: /root/Documents/labs/192.168.1.5/scans
   [>] Creating exploit directory at: /root/Documents/labs/192.168.1.5/exploit
   [>] Creating loot directory at: /root/Documents/labs/192.168.1.5/loot
   [>] Creating proof file at: /root/Documents/labs/192.168.1.5/proof.txt
[+] Starting quick nmap scan for 192.168.1.5
[+] Writing findings for 192.168.1.5
   [>] Found HTTP service on 192.168.1.5:80
   [>] Found MS SMB service on 192.168.1.5:445
   [>] Found RDP service on 192.168.1.5:3389
[*] TCP quick scan completed for 192.168.1.5
[+] Starting detailed TCP/UDP nmap scans for 192.168.1.5
[+] Writing findings for 192.168.1.5
   [>] Found MS SMB service on 192.168.1.5:445
   [>] Found RDP service on 192.168.1.5:3389
   [>] Found HTTP service on 192.168.1.5:80
[*] TCP/UDP Nmap scans completed for 192.168.1.5
Which would also write the following recommendations file in the scans folder for each target:
[*] Found HTTP service on 192.168.1.50:80
   [>] Use nikto & dirb / dirbuster for service enumeration, e.g
      [=] nikto -h 192.168.1.50 -p 80 > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_nikto.txt
      [=] dirb http://192.168.1.50:80/ -o /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirb.txt -r -S -x ./dirb-extensions/php.ext
      [=] java -jar /usr/share/dirbuster/DirBuster-1.0-RC1.jar -H -l /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -r /root/Documents/labs/192.168.1.50/scans/192.168.1.50_dirbuster.txt -u http://192.168.1.50:80/
      [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -u http://192.168.1.50:80/ -s '200,204,301,302,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_common.txt -t 50 
      [=] gobuster -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -u http://192.168.1.50:80/ -s '200,204,301,307,403,500' -e > /root/Documents/labs/192.168.1.50/scans/192.168.1.50_gobuster_cgis.txt -t 50 
   [>] Use curl to retreive web headers and find host information, e.g
      [=] curl -i 192.168.1.50
      [=] curl -i 192.168.1.50/robots.txt -s | html2text
[*] Found MS SMB service on 192.168.1.5:445
   [>] Use nmap scripts or enum4linux for further enumeration, e.g
      [=] nmap -sV -Pn -vv -p445 --script="smb-* -oN '/root/Documents/labs/192.168.1.5/nmap/192.168.1.5_smb.nmap' -oX '/root/Documents/labs/192.168.1.5/scans/192.168.1.5_smb_nmap_scan_import.xml' 192.168.1.5
      [=] enum4linux 192.168.1.5
[*] Found RDP service on 192.168.1.5:3389
   [>] Use ncrackpassword cracking, e.g
      [=] ncrack -vv --user administrator -P /root/rockyou.txt rdp://192.168.1.5

Discover live hosts and hostnames within a range
python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --hostnames

Discover live hosts within a range and then do a quick probe for services
python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --services --quick
This will scan all services within a target range to create a file structure of live hosts as well as write recommendations for other commands to be executed based on the services discovered on these machines. Removing --quick will do a further probe but will greatly lengthen execution times.

Discover live hosts within a range and then do probe all ports (UDP and TCP) for services
python ./reconnoitre.py -t 192.168.1.1-252 -o /root/Documents/testing/ --pingsweep --services


Read More

Freedom Fighting - A collection of scripts which may come in handy during your freedom fighting activities

May 09, 2017  , , , , , , , , , , , , ,  


Freedom Fighting scripts
This repository contains scripts which may come in handy during your freedom fighting activities. It will be updated occasionally, when I find myself in need of something I can't find online. Everything here is distributed under the terms of the GPL v3 License.

nojail.py
A log cleaner which removes incriminating entries in:
  • /var/run/utmp, /var/log/wtmp, /var/log/btmp (controls the output of the who, w and last commands)
  • /var/log/lastlog (controls the output of the lastlog command)
  • /var/**/*.log (.log.1, .log.2.gz, etc. included)
  • Any additional file or folder designated by the user
Entries are deleted based on an IP address and/or associated hostname.
Special care is taken to avoid breaking file descriptors while tampering with logs. This means logs continue to be written to after they've been tampered with, making the cleanup a lot less conspicuous. All the work takes place in a tmpfs drive and any files created are wiped securely.
Warning: The script has only been tested on Linux and will not be able to clean UTMP entries on other Unix flavors.

Usage:
usage: nojail.py [-h] [--user USER] [--ip IP] [--hostname HOSTNAME]
                    [--verbose] [--check]
                    [log_files [log_files ...]]

   Stealthy log file cleaner.

   positional arguments:
     log_files             Specify any log files to clean in addition to
                           /var/**/*.log.

   optional arguments:
     -h, --help            show this help message and exit
     --user USER, -u USER  The username to remove from the connexion logs.
     --ip IP, -i IP        The IP address to remove from the logs.
     --hostname HOSTNAME   The hostname of the user to wipe. Defaults to the rDNS
                           of the IP.
     --verbose, -v         Print debug messages.
     --check, -c           If present, the user will be asked to confirm each
                           deletion from the logs.
     --daemonize, -d       Start in the background and delete logs when the
                           current session terminates. Implies --self-delete.
     --self-delete, -s     Automatically delete the script after its execution.
By default, if no arguments are given, the script will try to determine the IP address to scrub based on the SSH_CONNECTION environment variable. Any entry matching the reverse DNS of that IP will be removed as well.

Basic example:
./nojail.py --user root --ip 151.80.119.32 /etc/app/logs/access.log --check
...will remove all entries for the user root where the IP address is 151.80.119.32 or the hostame is manalyzer.org. The user will also be prompted before deleting each record because of the --check option. Finally, the file /etc/app/logs/access.log will be processed in addition to all the default ones.
If folders are given as positional arguments (/etc/app/logs/ for instance), the script will recursively crawl them and clean any file with the .log extension (*.log.1, *.log.2.gz, etc. included).

Daemonizing the script
./nojail.py --daemonize
Assuming this is run from an SSH connexion, this command will delete all logs pertaining to the current user's activity with the detected IP address and hostname right after the connexion is closed. This script will subsequently automatically delete itself. Please bear in mind that you won't have any opportunity to receive error messages from the application. You are encouraged to try deleting the logs once before spawning the demon to make sure that the arguments you specified are correct.

Sample output:
root@proxy:~# ./nojail.py
[ ] Cleaning logs for root (XXX.XXX.XXX.XXX - domain.com).
[*] 2 entries removed from /var/run/utmp!
[*] 4 entries removed from /var/log/wtmp!
[ ] No entries to remove from /var/log/btmp.
[*] Lastlog set to 2017-01-09 17:12:49 from pts/0 at lns-bzn-37-79-250-104-19.adsl.proxad.net
[*] 4 lines removed from /var/log/nginx/error.log!
[*] 11 lines removed from /var/log/nginx/access.log!
[*] 4 lines removed from /var/log/auth.log!

Disclaimer
This script is provided without any guarantees. Don't blame me it doesn't wipe all traces of something you shouldn't have done in the first place.

share.sh
A portable and secure file sharing script. While freedom fighting, it is generally not possible to scp files into compromised machines. Alternate ways to upload files are needed, but most sharing services are either too restrictive or do not provide a way to retrieve files easily from the command line. Security considerations may also prevent people from uploading sensitive files to cloud providers for fear that they will keep a copy of it forever.
This small and portable bash script relies on transfer.sh to solve that problem. It...
  • Encrypts files before uploading them (symmetric AES-256-CBC).
  • Automatically uses torify if it is present on the system for increased anonimity.
The only dependencies needed are openssl and either curl or wget.

Usage
root@proxy:~# ./share.sh ~/file_to_share "My_Secure_Encryption_Key!"
Success! Retrieval command: ./share.sh -r file_to_share "My_Secure_Encryption_Key!" https://transfer.sh/BQPFz/28239
root@proxy:~# ./share.sh -r file_to_share "My_Secure_Encryption_Key!" https://transfer.sh/BQPFz/28239
File retrieved successfully!
Additional arguments during the upload allow you to control the maximum number of downloads allowed for the file (-m) and how many days transfer.sh will keep it (-d). The default value for both these options is 1.
Warning: Do not use spaces in the encryption key, or only the first word of your passphrase will be taken into account. This is due to the way getopts handles arguments (I think). Pull requests are welcome if anyone is interested in fixing this.

autojack.py
AutoJack is a short script leveraging EmptyMonkey's shelljack to log the terminal of any user connecting through SSH. It watches auth.log for successful connections, figures out the PID of the user's bash process,and leaves the rest to shelljack.
Launch it in a screen, and wait until other users log-in. Their session will be logged to /root/.local/sj.log.[user].[timestamp].
The script is not particularly stealthy (no attempt is made to hide the shelljack process) but it will get the job done. Note that to avoid self-incrimination, the root user is not targeted (this can be trivially commented out in the code).


Read More
Subscribe to: Posts (Atom)