Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

Showing posts with label Anti-Forensic. Show all posts

Sunday, February 18, 2024

NullSection - An Anti-Reversing Tool That Applies A Technique That Overwrites The Section Header With Nullbytes


NullSection is an anti-reversing tool that overwrites an ELF binary's section header with null bytes.


Install
git clone https://github.com/MatheuZSecurity/NullSection
cd NullSection
gcc nullsection.c -o nullsection
./nullsection

Advantage

When you run nullsection on any ELF (it could be a .ko rootkit) and then open the result in Ghidra or IDA, no functions are found for the decompiler to parse; even readelf -S /path/to/elf reports "There are no sections in this file."
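A check an analyst can run on a sample before loading it in a disassembler, added here as an illustration and not part of the NullSection project: it parses the ELF64 header and reports whether the section header table fields are zeroed, the condition behind the readelf message above. The sample images are constructed inline, not real binaries.

```python
import struct

# Layout of the 64-byte ELF64 header (little-endian); field order follows elf.h.
ELF64_HDR = struct.Struct("<4sBBBBB7xHHIQQQIHHHHHH")

def _elf64_header(e_shoff, e_shnum, e_shstrndx):
    """Build a constructed ELF64 header (not a real binary) with the given section fields."""
    return ELF64_HDR.pack(
        b"\x7fELF", 2, 1, 1, 0, 0,   # magic, ELFCLASS64, little-endian, EV_CURRENT, SYSV ABI
        2, 0x3E, 1,                  # ET_EXEC, EM_X86_64, e_version
        0x401000, 64, e_shoff,       # e_entry, e_phoff, e_shoff
        0, 64, 56, 1,                # e_flags, e_ehsize, e_phentsize, e_phnum
        64, e_shnum, e_shstrndx)     # e_shentsize, e_shnum, e_shstrndx

# Constructed samples: a normal image with five sections, and the same image
# after the section header fields have been zeroed.
NORMAL_ELF = _elf64_header(0x1000, 5, 4) + b"\0" * 8192
NULLED_ELF = _elf64_header(0, 0, 0) + b"\0" * 8192

def section_header_status(data: bytes) -> str:
    """Classify an ELF64 image by the state of its section header table."""
    if len(data) < ELF64_HDR.size or data[:4] != b"\x7fELF":
        return "not-elf"
    if data[4] != 2:                      # e_ident[EI_CLASS]
        return "not-elf64"
    f = ELF64_HDR.unpack_from(data)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = f[11], f[16], f[17], f[18]
    if e_shoff == 0 and e_shnum == 0 and e_shstrndx == 0:
        # What readelf -S reports as "There are no sections in this file."
        # Legitimate strippers can produce this too, so treat it as a flag, not a verdict.
        return "no-section-table"
    if e_shoff == 0 or e_shnum == 0 or e_shentsize == 0:
        return "inconsistent-section-table"
    if e_shoff + e_shnum * e_shentsize > len(data):
        return "section-table-out-of-bounds"
    return "has-sections"

def scan(paths):
    """Map each file path to its status; a quick triage step for a dropped sample."""
    results = {}
    for p in paths:
        with open(p, "rb") as fh:
            results[p] = section_header_status(fh.read())
    return results
```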

Make good use of the tool!


Note
We are not responsible for any damage caused by this tool, use the tool intelligently and for educational purposes only.


Sunday, January 14, 2018

Linux Memory Cryptographic Keys Extractor - CryKeX





CryKeX - Linux Memory Cryptographic Keys Extractor

Properties:
  • Cross-platform
  • Minimalism
  • Simplicity
  • Interactivity
  • Compatibility/Portability
  • Application independent
  • Process Wrapping
  • Process Injection

Dependencies:
  • Unix - should work on any Unix-based OS
    • BASH - the whole script
    • root privileges (optional)
Limitations:
  • AES and RSA keys only
  • Fails most of the time for Firefox browser
  • Won't work for disk encryption (LUKS) and PGP/GPG
  • Needs proper user privileges and memory authorizations

How it works
Some work has already been published on the security of cryptographic keys within DRAM. Basically, we need to find something that looks like a key (entropic and of a specific length) and then confirm its nature by analyzing the memory structure around it (C data types).
The idea is to dump the live memory of a process and use those techniques to find probable keys, since the memory mapping doesn't change. Thankfully, tools exist for that purpose.
The script is not only capable of injecting into already running processes, but also of wrapping new ones, by launching them separately and injecting shortly afterwards. This makes it capable of dumping keys from almost any process/binary on the system.
Of course, memory access is restricted by the kernel, which means that you will still need privileges over the process.
Linux disk encryption (LUKS) uses an anti-forensic technique to mitigate this issue; however, extracting keys from a whole memory dump is still possible.
Firefox uses somewhat similar memory management and thus seems not to be affected.
The same goes for PGP/GPG.
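The entropy-and-length part of that search, as an added illustration that is not the CryKeX script: it slides a window over a constructed memory dump, keeps windows whose byte entropy is key-like, and reports the best offset per run of hits. The structural confirmation step (checking the surrounding C data, or an AES key schedule as aeskeyfind does) is left out. The same scan doubles as a check that a process has actually scrubbed its key material.

```python
import math

def shannon_entropy(window: bytes) -> float:
    """Bits per byte over the window: 0.0 for a constant run, up to 8.0."""
    if not window:
        return 0.0
    counts = [0] * 256
    for b in window:
        counts[b] += 1
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_key_candidates(dump, key_len=32, min_entropy=4.5, step=4):
    """Offsets of key_len-byte windows that look like key material.
    Windows are scored every `step` bytes; consecutive hits form one run and the
    best-scoring offset of each run is reported, which lands on the key itself
    rather than on a window that merely overlaps it."""
    candidates, run = [], []
    for off in range(0, len(dump) - key_len + 1, step):
        h = shannon_entropy(dump[off:off + key_len])
        if h >= min_entropy:
            run.append((h, off))
        elif run:
            candidates.append(max(run)[1])
            run = []
    if run:
        candidates.append(max(run)[1])
    return candidates

# Constructed dump (not a real process image): repeated protocol text, zeroed
# heap, a 32-byte key made of 32 distinct bytes (entropy exactly 5.0), more
# zeros, more text.
TEXT = b"GET / HTTP/1.1\r\n"
SAMPLE_KEY = bytes.fromhex(
    "5b1e9a47c3d802f67a3ce9b1640d8f25a7c0396ed214fb5883ce7d0ab6419fe3")
DUMP = TEXT * 8 + b"\0" * 64 + SAMPLE_KEY + b"\0" * 64 + TEXT * 8
KEY_OFFSET = len(TEXT) * 8 + 64   # 192

def scrubbed(dump: bytes, off: int, key_len: int = 32) -> bytes:
    """Copy of dump with the key zeroed, modelling a process that wiped its key after use."""
    return dump[:off] + b"\0" * key_len + dump[off + key_len:]
```

The threshold 4.5 is tuned to this constructed input; repeated text scores about 3.3 here, and real dumps need a structural check to separate keys from compressed or random data.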

HowTo
Installing dependencies:
sudo apt install gdb aeskeyfind rsakeyfind || echo 'have you heard about source compiling?'
An interactive example for OpenSSL AES keys:
openssl aes-128-ecb -nosalt -out testAES.enc
Enter a password twice, then some text and before terminating:
CryKeX.sh openssl
Finally, press Ctrl+D 3 times and check the result.
OpenSSL RSA keys:
openssl genrsa -des3 -out testRSA.pem 2048
When prompted for passphrase:
CryKeX.sh openssl
Verify:
openssl rsa -noout -text -in testRSA.pem
Let's extract keys from SSH:
echo 'Ciphers [email protected]' >> /etc/ssh/sshd_config
ssh [email protected]
CryKeX.sh ssh
From OpenVPN:
echo 'cipher AES-256-CBC' >> /etc/openvpn/server.conf
openvpn yourConf.ovpn
sudo CryKeX.sh openvpn
TrueCrypt/VeraCrypt is also affected: Select "veracrypt" file in VeraCrypt, mount with password "pass" and:
sudo CryKeX.sh veracrypt
Chromium-based browsers (thanks Google):
CryKeX.sh chromium
CryKeX.sh google-chrome
Despite Firefox not being explicitly affected, Tor Browser Bundle is still susceptible due to tunneling:
CryKeX.sh tor
As said, you can also wrap processes:
apt install libssl-dev
gcc cipher.c -o cipher -lcrypto
CryKeX.sh cipher
 wrap
 cipher





Sunday, January 24, 2016

Data Wiping Software - DBAN



DBAN is free erasure software designed for the home user. It automatically deletes the contents of any hard disk that it can detect. This method prevents identity theft before recycling a computer. DBAN is also a commonly used solution to remove viruses and spyware from Microsoft Windows installations.

DBAN users should be aware of some product limitations, including:

ºNo guarantee of data removal (e.g. DBAN does not detect or securely erase SSDs)
ºNo audit-ready reporting for regulatory compliance
ºLimited hardware support (e.g. no RAID dismantling)
ºNo customer support or regular software updates



ATTENTION-DEFICIT-DISORDER - ADD


ADD is a physical memory anti-analysis tool designed to pollute memory with fake artifacts. This tool was first presented at Shmoocon 2014. Please note that this is a proof of concept tool. It forges OS objects in memory (poorly). It would be easy (very easy) to beat with better tool development. The tools would only need to provide better sanity checks of objects discovered during scanning. In that case, further development on ADD would be needed to beat new versions of forensics tools.



OWASP - mantra



Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers, security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. Mantra is a security framework which can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted for web developers and code debuggers which makes it handy for both offensive security and defensive security related tasks.

Mantra is light, flexible, portable and user friendly, with a nice graphical user interface. You can carry it on memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms, and it can also be installed on your system within minutes. Mantra is absolutely free of cost and takes no time to set up.

Mantra is a powerful set of tools to make the attacker's task easier. The beta version of the Mantra Security Toolkit contains the following tools built into it. You can also always suggest any tools/scripts that you would like to see in the next release.


º Access Me
º Add N Edit Cookies+
º Chickenfoot
º CookieSwap
º DOM inspector
º Domain Details
º Firebug
º Firebug Autocompleter
º Firecookie
º FireFTP
º Firesheep
º FormBug
º FoxyProxy
º Google Site Indexer
º Greasemonkey
º Groundspeed
º HackBar
º Host Spy
º HttpFox
º iMacros
º JavaScript Deobfuscator
º JSview
º Key Manager
º Library Detector
º Live HTTP Headers
º PassiveRecon
º Poster
º RefControl
º Refspoof

º RESTClient
º RESTTest
º Resurrect Pages
º Selenium IDE
º SQL Inject ME
º Tamper Data
º URL Flipper
º User Agent Switcher
º Vitzo WHOIS
º Wappalyzer
º Web Developer
º XSS Me



Secure data destruction - wipe



Wipe is a secure file wiping utility. There are some low-level issues that must be taken into consideration. One of these is that there must be some sort of write barrier between passes. Wipe uses fdatasync(2) (or fsync(2)) as a write barrier, or if fsync(2) isn't available, the file is opened with the O_DSYNC or O_SYNC flag. For wipe to be effective, each pass must be completely written. To ensure this, the drive must support some form of write barrier, write cache flush, or write cache disabling. SCSI supports ordered command tags, has a force media access bit for commands, and write cache can be disabled on mode page 8. IDE/ATA drives support write cache flushes and write cache disabling. Unfortunately, not all drives actually disable write cache when asked to. Those drives are broken.
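The barrier-between-passes logic described above, as an added example that is not wipe's own code: it overwrites a file pass by pass, calling os.fdatasync (falling back to fsync, then to opening with O_DSYNC/O_SYNC) after each pass so that one pass is committed before the next can replace it in the page cache, then unlinks the file. The pass patterns and the sample file are constructed for the demo.

```python
import os
import tempfile

CHUNK = 64 * 1024

def wipe_file(path, passes=(b"\x00", b"\xff", None), unlink=True):
    """Overwrite every byte of path once per pattern (None = random data),
    with a write barrier after each pass, then optionally unlink it.
    Returns the number of passes completed."""
    barrier = getattr(os, "fdatasync", None) or getattr(os, "fsync", None)
    flags = os.O_WRONLY
    if barrier is None:  # no explicit barrier available: write synchronously instead
        flags |= getattr(os, "O_DSYNC", 0) or getattr(os, "O_SYNC", 0)
    fd = os.open(path, flags)
    done = 0
    try:
        size = os.fstat(fd).st_size
        for pattern in passes:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                buf = os.urandom(n) if pattern is None else pattern * n
                remaining -= os.write(fd, buf)  # write() may be partial; loop until done
            if barrier is not None:
                barrier(fd)  # this pass must reach the device before the next starts
            done += 1
    finally:
        os.close(fd)
    if unlink:
        os.unlink(path)
    return done

def demo():
    """Wipe a constructed sample file and report what happened (used by the test)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.txt")
        with open(path, "wb") as f:
            f.write(b"constructed sample secret\n" * 1000)
        size = os.path.getsize(path)
        first = wipe_file(path, passes=(b"\x00", b"\xff"), unlink=False)
        with open(path, "rb") as f:
            after = f.read()
        second = wipe_file(path)  # default three passes, then unlink
        return {"passes": first + second, "size_kept": len(after) == size,
                "last_pattern": after == b"\xff" * size,
                "removed": not os.path.exists(path)}
```

As the text says, the barrier only orders writes at the OS level; a drive that ignores cache flushes, or a filesystem that writes new blocks instead of overwriting in place, still defeats it.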



Secure file deletion - srm


srm is a secure replacement for rm(1). Unlike the standard rm, it overwrites the data in the target files before unlinking them. This prevents command-line recovery of the data by examining the raw block device. It may also help frustrate physical examination of the disk, although it's unlikely that it can completely prevent that type of recovery. It is, essentially, a paper shredder for sensitive files.

srm is ideal for personal computers or workstations with Internet connections. It can help prevent malicious users from breaking in and undeleting personal files, such as old emails. Because it uses the exact same options as rm(1), srm is simple to use. Just substitute it for rm whenever you want to destroy files, rather than just unlinking them. For more information on using srm, read the manual page srm(1).




Anti Forensic Practice - A study of its impact on computer forensics



Anti-forensic techniques attack the gathering of information that could be traced, whether by erasing, tampering with or hiding it. Anti-forensic techniques seek vulnerabilities in the procedures and methods used, as well as in forensic tools.

By exploiting these vulnerabilities, they seek to delay or even derail an investigation, examination or incident response. It is one of the most discussed subjects in computer forensics, treated often at international and national conferences (Black Hat, Defcon, H2HC, SegInfo).

Besides being an extensive research target, anti-forensic techniques are being detected with increasing frequency, from modern attacks with malicious code (Stuxnet, Duqu) to situations where the suspect himself may benefit by removing traces.






By Offensive Sec

TECHNICAL APPLICATION OF ANTI- FORENSIC IN COMPUTER FILES NTFS




Anti-forensic techniques attack the gathering of information that could be traced, whether by erasing, tampering with or hiding it. Anti-forensic techniques seek vulnerabilities in the procedures and methods used, as well as in forensic tools.

By exploiting these vulnerabilities, they seek to delay or even derail an investigation, examination or incident response. It is one of the most discussed subjects in computer forensics, treated often at international and national conferences (Black Hat, Defcon, H2HC, SegInfo).

Besides being an extensive research target, anti-forensic techniques are being detected with increasing frequency, from modern attacks with malicious code (Stuxnet, Duqu) to situations where the suspect himself may benefit by removing traces.





By Offensive Sec

Monday, January 4, 2016

USBkill - Anti-Forensic Kill-Switch that waits for a change on your USB ports


USBkill is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

To run:
sudo python usbkill.py

Why?

Some reasons to use this tool:
  • In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library, as happened to Ross). The police commonly use a "mouse jiggler" to keep the screensaver and sleep mode from activating.
  • You don’t want someone to retrieve documents (such as private keys) from your computer or install malware/backdoors via USB.
  • You want to improve the security of your (Full Disk Encrypted) home or corporate server (e.g. Your Raspberry).
[!] Important: Make sure to use (partial) disk encryption! Otherwise they will get in anyway.
Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill. If they steal your computer, the USB will be removed and the computer shuts down immediately.

Feature List

(version 1.0-rc.2)
  • Compatible with Linux, *BSD and OS X.
  • Shut down the computer when there is USB activity.
  • Customizable. Define which commands should be executed just before shut down.
  • Ability to whitelist a USB device.
  • Ability to change the check interval (default: 250ms).
  • Ability to melt the program on shut down.
  • Works with sleep mode (OS X).
  • No dependency except srm. sudo apt-get install secure-delete
  • Sensible defaults

Supported command line arguments (mainly for devs):
  • --no-shut-down: Execute all the (destructive) commands you defined in settings.ini, but don’t turn off the computer.
  • --cs: Copy program folder settings.ini to /etc/usbkill/settings.ini

Copyright © Offensive Sec Blog | Powered by OffensiveSec