XSS Fuzzer : Tool Which Generates XSS Payloads Based On User-Defined Vectors & Fuzzing Lists

XSS Fuzzer is a simple application written in plain HTML/JavaScript/CSS which generates XSS payloads based on user-defined vectors using multiple placeholders which are replaced with fuzzing lists.

It offers the possibility to just generate the payloads as plain-text or to execute them inside an iframe. Inside iframes, it is possible to send GET or POST requests from the browser to arbitrary URLs using generated payloads.

Also ReadMCExtractor – Intel, AMD, VIA & Freescale Microcode Extraction Tool

XSS Fuzzer Why?

XSS Fuzzer is a generic tool that can be useful for multiple purposes, including:

  • Finding new XSS vectors, for any browser
  • Testing XSS payloads on GET and POST parameters
  • Bypassing XSS Auditors in the browser
  • Bypassing web application firewalls
  • Exploiting HTML whitelist features

Example

In order to fuzz, it is required to create placeholders, for example:

  • The [TAG] placeholder with fuzzing list: img svg.
  • The [EVENT] placeholder with fuzzing list: onerror onload.
  • The [ATTR] placeholder with fuzzing list: src value.
  • The payloads will use the mentioned placeholders, such as:
<[TAG] [ATTR]=Something [EVENT]=[SAVE_PAYLOAD] />

The [SAVE_PAYLOAD] placeholder will be replaced with JavaScript code such as alert(unescape(‘[PAYLOAD]’));.

This code is triggered when an XSS payload is successfully executed.

The result for the mentioned fuzzing lists and payload will be the following:

<img src=Something onerror=alert(unescape('%3Cimg%20src%3DSomething%20onerror%3D%5BSAVE_PAYLOAD%5D%20/%3E')); />
<img value=Something onerror=alert(unescape('%3Cimg%20value%3DSomething%20onerror%3D%5BSAVE_PAYLOAD%5D%20/%3E')); />
<img src=Something onload=alert(unescape('%3Cimg%20src%3DSomething%20onload%3D%5BSAVE_PAYLOAD%5D%20/%3E')); />
<img value=Something onload=alert(unescape('%3Cimg%20value%3DSomething%20onload%3D%5BSAVE_PAYLOAD%5D%20/%3E')); />
<svg src=Something onerror=alert(unescape('%3Csvg%20src%3DSomething%20onerror%3D%5BSAVE_PAYLOAD%5D%20/%3E')); />
<svg value=Something onerror=alert(unescape('%3Csvg%20value%3DSomething%20onerror%3D%5BSAVE_PAYLOAD%5D%20/%3E')); />
<svg src=Something onload=alert(unescape('%3Csvg%20src%3DSomething%20onload%3D%5BSAVE_PAYLOAD%5D%20/%3E')); />
<svg value=Something onload=alert(unescape('%3Csvg%20value%3DSomething%20onload%3D%5BSAVE_PAYLOAD%5D%20/%3E')); />

When it is executed in a browser such as Mozilla Firefox, it will alert the executed payloads:

<svg src=Something onload=[SAVE_PAYLOAD] />
<svg value=Something onload=[SAVE_PAYLOAD] />
<img src=Something onerror=[SAVE_PAYLOAD] />

Sending requests

It is possible to use a page vulnerable to XSS for different tests, such as bypasses for the browser XSS Auditor. The page can receive a GET or POST parameter called payload and will just display its unescaped value.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

KBD-Audio : Tools For Capturing & Analysing Keyboard Input Paired With Microphone Capture

KBD-Audio is a collection of command-line and GUI tools for capturing and analyzing audio data. The most interesting tool is called keytap – it can guess pressed keyboard keys only by analyzing the audio captured from the computer’s microphone.

KBD-Audio Installation

git clone https://github.com/ggerganov/kbd-audio
cd kbd-audio
git submodule update --init
mkdir build && cd build
cmake ..
make

Also ReadNodeJsScan – Static Security Code Scanner For Node.js Applications

Tools

record-full

Record audio to a raw binary file on disk

Usage: ./record-full output.kbd

play-full

Playback a recording captured via the record-full tool

Usage: ./play-full input.kbd

record

Record audio only while typing. Useful for collecting training data for keytap

Usage: ./record output.kbd

play

Playback a recording created via the record tool

Usage: ./play input.kbd

keytap

Detect pressed keys via microphone audio capture in real-time. Uses training data captured via the record tool.

Usage: ./keytap-gui input0.kbd [input1.kbd] [input2.kbd] ...

Demo

View post on imgur.com

keytap2

Detect pressed keys via microphone audio capture. Uses statistical information (n-gram frequencies) about the language. No training data is required. The ‘recording.kbd’ input file has to be generated via the record-full tool and contains the audio data that will be analyzed. The ‘n-gram.txt’ file has to contain n-gram probabilities for the corresponding language.

Usage: ./keytap2-gui recording.kbd n-gram.txt

view-full

Visualize waveforms recorded with the record-full tool. Can also playback the audio data.

Usage: ./view-full-gui input.kbd

view

Visualize training data recorded with the record tool. Can also playback the audio data.

Usage: ./view-gui input.kbd

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Kamerka – Build Interactive Map Of Cameras From Shodan

Kamerka is a tool to build interactive map of cameras from Shodan. The script creates a map of cameras, printers, tweets and photos based on your coordinates. Everything is clearly presented in form of interactive map with icons and popups.

Kamerka Requirements

  • Written with in Python 2
  • Shodan + paid subscription
  • Geopy
  • Foilum
  • Colorama
  • InstagramAPI – Credentials instead of api keys
  • Twitter
  • flickrapi
  • Branca

pip install -r requirements.txt

Put your API keys in lines 85-99

To use Instagram module, you have to add additional method to InstagramAPI.py file.

def geosearchLocation(self, lat, lon):
        return self.SendRequest('location_search/?latitude=' + str(lat)+'&longitude='+str(lon)+'&rank_token=' + self.rank_token)

Also ReadNodeJsScan – Static Security Code Scanner For Node.js Applications

Usage

root@kali:~/# python kamerka.py -h
Fail to import moviepy. Need only for Video upload.
usage: kamerka.py [-h] [--lat LAT] [--lon LON] [--radius RADIUS] [--dark]
             [--twitter] [--camera] [--flickr] [--instagram] [--printer]

              o#######o
            o###########o
            o#############o
            #################
            ######  \########o
           #;^ _^,/---\#####!
           ,` /^_ .-~^~-.__\#
          /    ^\/,,@@@,, ;|
         |      \!!@@@@@!! ^,
        #.    .\; '9@@@P'   ^,
        ###./^ ----,_^^      /@-._
                      ^--._,o@@@@@@
                         ^;@@@@@@@@@
                           ^-;@@@@
ꓘamerka 2.0 (FIST) - Build interactive map of cameras, tweets and photos
medium.com/@woj_ciech github.com/woj-ciech

python kamerka.py -h
Example: python kamerka.py --lat 37.235 --lon 115.811111 --dark --twitter --camera --printer

optional arguments:
  -h, --help       show this help message and exit
  --radius RADIUS  Radius in km (Default 3)
  --dark           Dark Theme
  --twitter        Twitter module
  --camera         Camera module
  --flickr         Flickr module
  --instagram      Instagram module
  --printer        Printer module

Required arguments:
  --lat LAT        Latitude
  --lon LON        Longitude


root@kali:~/#python kamerka.py --lat 37.8368723 --lon -122.2645793 --camera --flickr --instagram --twitter --printer

kamerka

Credit: @xrxz, @42B and @paoloo

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Mcreator – Encoded Reverse Shell Generator With Techniques To Bypass AV’s

Mcreator is an Encoded Reverse Shell Generator With Techniques To Bypass AV’s.

Mcreator Installation

git clone https://github.com/blacknbunny/mcreator.git && cd mcreator/ && python mcreator.py

Also ReadVba2Graph – Generate Call Graphs From VBA Code For Easier Analysis Of Malicious Documents

Runnig Mcreator console

python mcreator.py -rsg console

Help

usage: mcreator.py [-h] [-rsg RSGENERATOR]

Reverse Shell generator with techniques to bypass all the AV's

optional arguments:
  -h, --help            show this help message and exit
  -rsg RSGENERATOR, --rsgenerator RSGENERATOR
                        Reverse Shell Generator With Encryptions & Techniques

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Miasm – Reverse Engineering Framework In Python

Miasm is a free and open source (GPLv2) reverse engineering framework. Miasm aims to analyze / modify / generate binary programs. Here is a non exhaustive list of features:

  • Opening / modifying / generating PE / ELF 32 / 64 LE / BE using Elfesteem
  • Assembling / Disassembling X86 / ARM / MIPS / SH4 / MSP430
  • Representing assembly semantic using intermediate language
  • Emulating using JIT (dynamic code analysis, unpacking, …)
  • Expression simplification for automatic de-obfuscation

Also ReadAche – Web Crawler For Domain-Specific Search

How does Miasm work?

Miasm embeds its own disassembler, intermediate language and instruction semantic. It is written in Python.

To emulate code, it uses LLVM, GCC, Clang or Python to JIT the intermediate representation. It can emulate shellcodes and all or parts of binaries. Python callbacks can be executed to interact with the execution, for instance to emulate library functions effects.

Software requirements

Miasm uses:

  • python-pyparsing
  • python-dev
  • elfesteem from Elfesteem
  • optionally python-pycparser (version >= 2.17)

To enable code JIT, one of the following module is mandatory:

  • GCC
  • Clang
  • LLVM with Numba llvmlite, see below

‘optional’ Miasm can also use:

Configuration

  • Install elfesteem
git clone https://github.com/serpilliere/elfesteem.git elfesteem
cd elfesteem
python setup.py build
sudo python setup.py install

To use the jitter, GCC or LLVM is recommended

  • GCC (any version)
  • Clang (any version)
  • LLVM
    • Debian (testing/unstable): Not tested
    • Debian stable/Ubuntu/Kali/whatever: pip install llvmlite or install from llvmlite
    • Windows: Not tested
  • Build and install Miasm:
$ cd miasm_directory
$ python setup.py build
$ sudo python setup.py install

If something goes wrong during one of the jitter modules compilation, Miasm will skip the error and disable the corresponding module (see the compilation output).

Windows & IDA

Most of Miasm’s IDA plugins use a subset of Miasm functionnality. A quick way to have them working is to add:

  • elfesteem directory and pyparsing.py to C:\...\IDA\python\ or pip install pyparsing elfesteem
  • miasm2/miasm2 directory to C:\...\IDA\python\

All features excepting JITter related ones will be available. For a more complete installation, please refer to above paragraphs.

Testing

Miasm comes with a set of regression tests. To run all of them:

cd miasm_directory/test
python test_all.py

Some options can be specified:

  • Mono threading: -m
  • Code coverage instrumentation: -c
  • Only fast tests: -t long (excludes the long tests)

Basic examples

Assembling / Disassembling

Import Miasm x86 architecture:

>>> from miasm2.arch.x86.arch import mn_x86
>>> from miasm2.core.locationdb import LocationDB

Get a location db:

>>> loc_db = LocationDB()

Assemble a line:

>>> l = mn_x86.fromstring('XOR ECX, ECX', loc_db, 32)
>>> print l
XOR        ECX, ECX
>>> mn_x86.asm(l)
['1\xc9', '3\xc9', 'g1\xc9', 'g3\xc9']

Modify an operand:

>>> l.args[0] = mn_x86.regs.EAX
>>> print l
XOR        EAX, ECX
>>> a = mn_x86.asm(l)
>>> print a
['1\xc8', '3\xc1', 'g1\xc8', 'g3\xc1']

Disassemble the result:

>>> print mn_x86.dis(a[0], 32)
XOR        EAX, ECX

Using Machine abstraction:

>>> from miasm2.analysis.machine import Machine
>>> mn = Machine('x86_32').mn
>>> print mn.dis('\x33\x30', 32)
XOR        ESI, DWORD PTR [EAX]

For Mips:

>>> mn = Machine('mips32b').mn
>>> print  mn.dis('97A30020'.decode('hex'), "b")
LHU        V1, 0x20(SP)

Intermediate Representation

Create an instruction:

>>> machine = Machine('arml')
>>> instr = machine.mn.dis('002088e0'.decode('hex'), 'l')
>>> print instr
ADD        R2, R8, R0

Create an intermediate representation object:

>>> ira = machine.ira(loc_db)

Create an empty ircfg

>>> ircfg = ira.new_ircfg()

Add instruction to the pool:

>>> ira.add_instr_to_ircfg(instr, ircfg)

Print current pool:

>>> for lbl, irblock in ircfg.blocks.items():
...     print irblock.to_string(loc_db)
loc_0:
R2 = R8 + R0

IRDst = loc_4

Working with IR, for instance by getting side effects:

>>> for lbl, irblock in ircfg.blocks.iteritems():
...     for assignblk in irblock:
...         rw = assignblk.get_rw()
...         for dst, reads in rw.iteritems():
...             print 'read:   ', [str(x) for x in reads]
...             print 'written:', dst
...             print
...
read:    ['R8', 'R0']
written: R2

read:    []
written: IRDst

Emulation

Giving a shellcode:

00000000 8d4904      lea    ecx, [ecx+0x4]
00000003 8d5b01      lea    ebx, [ebx+0x1]
00000006 80f901      cmp    cl, 0x1
00000009 7405        jz     0x10
0000000b 8d5bff      lea    ebx, [ebx-1]
0000000e eb03        jmp    0x13
00000010 8d5b01      lea    ebx, [ebx+0x1]
00000013 89d8        mov    eax, ebx
00000015 c3          ret
>>> s = '\x8dI\x04\x8d[\x01\x80\xf9\x01t\x05\x8d[\xff\xeb\x03\x8d[\x01\x89\xd8\xc3'

Import the shellcode thanks to the Container abstraction:

>>> from miasm2.analysis.binary import Container
>>> c = Container.from_string(s)
>>> c
<miasm2.analysis.binary.ContainerUnknown object at 0x7f34cefe6090>

Disassembling the shellcode at address 0:

>>> from miasm2.analysis.machine import Machine
>>> machine = Machine('x86_32')
>>> mdis = machine.dis_engine(c.bin_stream)
>>> asmcfg = mdis.dis_multiblock(0)
>>> for block in asmcfg.blocks:
...  print block.to_string(asmcfg.loc_db)
...
loc_0
LEA        ECX, DWORD PTR [ECX + 0x4]
LEA        EBX, DWORD PTR [EBX + 0x1]
CMP        CL, 0x1
JZ         loc_10
->      c_next:loc_b    c_to:loc_10
loc_10
LEA        EBX, DWORD PTR [EBX + 0x1]
->      c_next:loc_13
loc_b
LEA        EBX, DWORD PTR [EBX + 0xFFFFFFFF]
JMP        loc_13
->      c_to:loc_13
loc_13
MOV        EAX, EBX
RET

Initializing the Jit engine with a stack:

>>> jitter = machine.jitter(jit_type='python')
>>> jitter.init_stack()

Add the shellcode in an arbitrary memory location:

>>> run_addr = 0x40000000
>>> from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE
>>> jitter.vm.add_memory_page(run_addr, PAGE_READ | PAGE_WRITE, s)

Create a sentinelle to catch the return of the shellcode:

def code_sentinelle(jitter):
    jitter.run = False
    jitter.pc = 0
    return True

>>> jitter.add_breakpoint(0x1337beef, code_sentinelle)
>>> jitter.push_uint32_t(0x1337beef)

Active logs:

>>> jitter.set_trace_log()

Run at arbitrary address:

>>> jitter.init_run(run_addr)
>>> jitter.continue_run()
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 LEA        ECX, DWORD PTR [ECX+0x4]
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
....
4000000e JMP        loc_0000000040000013:0x40000013
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000013
40000013 MOV        EAX, EBX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000004 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFF8 RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000013
40000015 RET
>>>

Interacting with the jitter:

>>> jitter.vm
ad 1230000 size 10000 RW_ hpad 0x2854b40
ad 40000000 size 16 RW_ hpad 0x25e0ed0

>>> hex(jitter.cpu.EAX)
'0x0L'
>>> jitter.cpu.ESI = 12

Symbolic Execution

Initializing the IR pool:

>>> ira = machine.ira(loc_db)
>>> ircfg = ira.new_ircfg_from_asmcfg(asmcfg)

Initializing the engine with default symbolic values:

>>> from miasm2.ir.symbexec import SymbolicExecutionEngine
>>> sb = SymbolicExecutionEngine(ira)

Launching the execution:

>>> symbolic_pc = sb.run_at(ircfg, 0)
>>> print symbolic_pc
((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)

Same, with step logs (only changes are displayed):

>>> sb = SymbolicExecutionEngine(ira, machine.mn.regs.regs_init)
>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)
Instr LEA        ECX, DWORD PTR [ECX + 0x4]
Assignblk:
ECX = ECX + 0x4
________________________________________________________________________________
ECX                = ECX + 0x4
________________________________________________________________________________
Instr LEA        EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
EBX                = EBX + 0x1
ECX                = ECX + 0x4
________________________________________________________________________________
Instr CMP        CL, 0x1
Assignblk:
zf = (ECX[0:8] + -0x1)?(0x0,0x1)
nf = (ECX[0:8] + -0x1)[7:8]
pf = parity((ECX[0:8] + -0x1) & 0xFF)
of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]
cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]
af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]
________________________________________________________________________________
af                 = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
pf                 = parity((ECX + 0x4)[0:8] + 0xFF)
zf                 = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX                = ECX + 0x4
of                 = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf                 = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf                 = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX                = EBX + 0x1
________________________________________________________________________________
Instr JZ         loc_key_1
Assignblk:
IRDst = zf?(loc_key_1,loc_key_2)
EIP = zf?(loc_key_1,loc_key_2)
________________________________________________________________________________
af                 = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP                = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf                 = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst              = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf                 = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX                = ECX + 0x4
of                 = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf                 = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf                 = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX                = EBX + 0x1
________________________________________________________________________________
>>>

Retry execution with a concrete ECX. Here, the symbolic / concolic execution reach the shellcode’s end:

>>> from miasm2.expression.expression import ExprInt
>>> sb.symbols[machine.mn.regs.ECX] = ExprInt(-3, 32)
>>> symbolic_pc = sb.run_at(ircfg, 0, step=True)
Instr LEA        ECX, DWORD PTR [ECX + 0x4]
Assignblk:
ECX = ECX + 0x4
________________________________________________________________________________
af                 = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP                = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf                 = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst              = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf                 = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX                = 0x1
of                 = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf                 = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf                 = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX                = EBX + 0x1
________________________________________________________________________________
Instr LEA        EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
af                 = (((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[4:5]
EIP                = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf                 = parity((ECX + 0x4)[0:8] + 0xFF)
IRDst              = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf                 = ((ECX + 0x4)[0:8] + 0xFF)?(0x0,0x1)
ECX                = 0x1
of                 = ((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1))[7:8]
nf                 = ((ECX + 0x4)[0:8] + 0xFF)[7:8]
cf                 = (((((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8]) & ((ECX + 0x4)[0:8] ^ 0x1)) ^ ((ECX + 0x4)[0:8] + 0xFF) ^ (ECX + 0x4)[0:8] ^ 0x1)[7:8]
EBX                = EBX + 0x2
________________________________________________________________________________
Instr CMP        CL, 0x1
Assignblk:
zf = (ECX[0:8] + -0x1)?(0x0,0x1)
nf = (ECX[0:8] + -0x1)[7:8]
pf = parity((ECX[0:8] + -0x1) & 0xFF)
of = ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1))[7:8]
cf = (((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1)) ^ ((ECX[0:8] ^ (ECX[0:8] + -0x1)) & (ECX[0:8] ^ 0x1)))[7:8]
af = ((ECX[0:8] ^ 0x1) ^ (ECX[0:8] + -0x1))[4:5]
________________________________________________________________________________
af                 = 0x0
EIP                = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
pf                 = 0x1
IRDst              = ((ECX + 0x4)[0:8] + 0xFF)?(0xB,0x10)
zf                 = 0x1
ECX                = 0x1
of                 = 0x0
nf                 = 0x0
cf                 = 0x0
EBX                = EBX + 0x2
________________________________________________________________________________
Instr JZ         loc_key_1
Assignblk:
IRDst = zf?(loc_key_1,loc_key_2)
EIP = zf?(loc_key_1,loc_key_2)
________________________________________________________________________________
af                 = 0x0
EIP                = 0x10
pf                 = 0x1
IRDst              = 0x10
zf                 = 0x1
ECX                = 0x1
of                 = 0x0
nf                 = 0x0
cf                 = 0x0
EBX                = EBX + 0x2
________________________________________________________________________________
Instr LEA        EBX, DWORD PTR [EBX + 0x1]
Assignblk:
EBX = EBX + 0x1
________________________________________________________________________________
af                 = 0x0
EIP                = 0x10
pf                 = 0x1
IRDst              = 0x10
zf                 = 0x1
ECX                = 0x1
of                 = 0x0
nf                 = 0x0
cf                 = 0x0
EBX                = EBX + 0x3
________________________________________________________________________________
Instr LEA        EBX, DWORD PTR [EBX + 0x1]
Assignblk:
IRDst = loc_key_3
________________________________________________________________________________
af                 = 0x0
EIP                = 0x10
pf                 = 0x1
IRDst              = 0x13
zf                 = 0x1
ECX                = 0x1
of                 = 0x0
nf                 = 0x0
cf                 = 0x0
EBX                = EBX + 0x3
________________________________________________________________________________
Instr MOV        EAX, EBX
Assignblk:
EAX = EBX
________________________________________________________________________________
af                 = 0x0
EIP                = 0x10
pf                 = 0x1
IRDst              = 0x13
zf                 = 0x1
ECX                = 0x1
of                 = 0x0
nf                 = 0x0
cf                 = 0x0
EBX                = EBX + 0x3
EAX                = EBX + 0x3
________________________________________________________________________________
Instr RET
Assignblk:
IRDst = @32[ESP[0:32]]
ESP = {ESP[0:32] + 0x4 0 32}
EIP = @32[ESP[0:32]]
________________________________________________________________________________
af                 = 0x0
EIP                = @32[ESP]
pf                 = 0x1
IRDst              = @32[ESP]
zf                 = 0x1
ECX                = 0x1
of                 = 0x0
nf                 = 0x0
cf                 = 0x0
EBX                = EBX + 0x3
ESP                = ESP + 0x4
EAX                = EBX + 0x3
________________________________________________________________________________
>>>

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

 

MCExtractor – Intel, AMD, VIA & Freescale Microcode Extraction Tool

MCExtractor is a tool which parses Intel, AMD, VIA and Freescale processor microcode binaries. It can be used by end-users who are looking for all relevant microcode information such as CPUID, Platform, Version, Date, Release, Size, Checksum etc.

It is capable of converting Intel microcode containers (dat, inc, h, txt) to binary images for BIOS integration, detecting new/unknown microcodes, checking microcode health, Updated/Outdated status and more.

MCExtractor can be also used as a research analysis tool with multiple structures which allow, among others, full parsing & information display of all documented or not microcode Headers.

Moreover, with the help of its extensive database, MCExtractor is capable of uniquely categorizing all supported microcodes as well as check for any microcodes which have not been stored at the Microcode Repositories yet.

Also ReadAche – Web Crawler For Domain-Specific Search

MCExtractor Features

  • Supports all current & legacy Microcodes from 1995 and onward
  • Scans for all Intel, AMD, VIA & Freescale microcodes in one run
  • Verifies all extracted microcode integrity via Checksums
  • Checks if all Intel, AMD & VIA microcodes are Latest or Outdated
  • Converts Intel containers (dat,inc,txt,h) to binary images
  • Searches on demand for all microcodes based on CPUID
  • Shows microcode Header structures and details on demand
  • Ignores most false positives based on sanity checks
  • Supports known special, fixed or modded microcodes
  • Ability to quickly add new microcode entries to the database
  • Ability to detect Intel Production/Pre-Production Release tag
  • Ability to analyze multiple files by drag & drop or by input path
  • Ability to ignore extracted duplicates based on name and contents
  • Reports all microcodes which are not found at the Microcode Repositories
  • Features command line parameters to enhance functionality & assist research
  • Features user friendly messages & proper handling of unexpected code errors
  • Shows results in nice tables with colored text to signify emphasis
  • Open Source project licensed under GNU GPL v3, comment assisted code

How to use MCExtractor

There are two ways to use MCExtractor, MCE executable & Command Prompt. The MCE executable allows you to drag & drop one or more firmware and view them one by one or recursively scan entire directories. To manually call MCExtractor, a Command Prompt can be used with -skip as parameter.

MC Extractor Executable

To use MC Extractor, select one or multiple files and Drag & Drop them to its executable. You can also input certain optional parameters either by running MCE directly or by first dropping one or more files to it. Keep in mind that, due to operating system limitations, there is a limit on how many files can be dropped at once. If the latter is a problem, you can always use the -mass parameter to recursively scan entire directories as explained below.

MC Extractor Parameters

There are various parameters which enhance or modify the default behavior of MC Extractor:

  • -? : Displays help & usage screen
  • -skip : Skips welcome & options screen
  • -exit : Skips Press enter to exit prompt
  • -redir : Enables console redirection support
  • -mass : Scans all files of a given directory
  • -info : Displays microcode header(s)
  • -add : Adds new input microcode to DB
  • -dbname : Renames input file based on DB name
  • -cont : Extracts Intel containers (dat,inc,h,txt)
  • -search : Searches for microcodes based on CPUID
  • -last : Shows Latest status based on user input
  • -repo : Builds microcode repositories from input

MC Extractor Error Control

During operation, MC Extractor may encounter issues that can trigger Notes, Warnings and/or Errors. Notes (yellow/green color) provide useful information about a characteristic of this particular firmware. Warnings (purple color) notify the user of possible problems that can cause system instability. Errors (red color) are shown when something unexpected or problematic is encountered.

Download MC Extractor

MC Extractor consists of two files, the executable (MCE.exe or MCE) and the database (MCE.db). An already built/frozen/compiled binary is provided by me for Windows only (icon designed by Alfredo Hernandez).

Thus, you don’t need to manually build/freeze/compile MC Extractor under Windows. Instead, download the latest version from the Releases tab, title should be “MC Extractor v1.X.X”. You may need to scroll down a bit if there are DB releases at the top.

The latter can be used to update the outdated DB which was bundled with the latest executable release, title should be “DB rXX”. To extract the already built/frozen/compiled archive, you need to use programs which support RAR5 compression.

Compatibility

MC Extractor should work at all Windows, Linux or macOS operating systems which have Python 3.6 support. Windows users who plan to use the already built/frozen/compiled binaries must make sure that they have the latest Windows Updates installed which include all required “Universal C Runtime (CRT)” libraries.

Code Prerequisites

To run MC Extractor’s python script, you need to have the following 3rd party Python modules installed:

  • Colorama 
    pip3 install colorama

Build/Freeze/Compile with PyInstaller

PyInstaller can build/freeze/compile MC Extractor at all three supported platforms, it is simple to run and gets updated often.

  1. Make sure Python 3.6.0 or newer is installed: 
    python --version
  1. Use pip to install PyInstaller: 
    pip3 install pyinstaller
  1. Use pip to install colorama: 
    pip3 install colorama
  1. Use pip to install PTable: 
    pip3 install https://github.com/platomav/PTable/archive/boxchar.zip
  1. Build/Freeze/Compile MC Extractor: 
    pyinstaller --noupx --onefile MCE.py

At dist folder you should find the final MCE executable.

Pictures

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Trape – People Tracker On The Internet

Trape is a OSINT analysis and research tool, which allows people to track and execute intelligent social engineering attacks in real time.

It was created with the aim of teaching the world how large Internet companies could obtain confidential information such as the status of sessions of their websites or services and control over their users through the browser, without them knowing, but It evolves with the aim of helping government organizations, companies and researchers to track the cybercriminals.

Also ReadSSH Auditor – Scan For Weak SSH Passwords On Your Network

Trape Benefits

  • LOCATOR OPTIMIZATION: Trace the path between you and the target you’re tracking. Each time you make a move, the path will be updated, by means of this the location of the target is obtained silently through a bypass made in the browsers, allowing you not to skip the location request permit on the victim’s side , objective or person and at the same time maintain a precision of 99% in the locator.

  • APPROACH: When you’re close to the target, Trape will tell you.

  • REST API: Generates an API (random or custom), and through this you can control and monitor other Web sites on the Internet remotely, getting the traffic of all visitors.

  • PROCESS HOOKS: Manages social engineering attacks or processes in the target’s browser.
    • SEVERAL: You can issue a phishing attack of any domain or service in real time as well as send malicious files to compromise the device of a target.
    • INJECT JS: You keep the JavaScript code running free in real time, so you can manage the execution of a keylogger or your own custom functions in JS which will be reflected in the target’s browser.
    • SPEECH: A process of audio creation is maintained which is played in the browser of the objective, by means of this you can execute personalized messages in different voices with languages in Spanish and English.
  • PUBLIC NETWORK TUNNEL: Trape has its own API that is linked to ngrok.com to allow the automatic management of public network tunnels; By this you can publish your content of trape server executed locally to the Internet, to manage hooks or public attacks.

  • CLICK ATTACK TO GET CREDENTIALS: Automatically obtains the target credentials, recognizing your connection availability on a social network or Internet service.

  • NETWORK: You can get information about the user’s network.
    • SPEED: Viewing the target’s network speed. (Ping, download, upload, type connection)
    • HOSTS OR DEVICES: Here you can get a scan of all the devices that are connected in the target network automatically.

  • PROFILE: Brief summary of the target’s behavior and important additional information about your device.

GPUENERGY

30-Session Recognition

Session recognition is one of trape most interesting attractions, since you as a researcher can know remotely what service the target is connected to.

  • USABILITY: You can delete logs and view alerts for each process or action you run against each target.

How to use it

First unload the tool.

git clone https://github.com/jofpin/trape.git
cd trape
python trape.py -h

If it does not work, try to install all the libraries that are located in the file requirements.txt

pip install -r requirements.txt

Example of execution

Example: python trape.py --url http://example.com --port 8080

HELP AND OPTIONS

user:~$ python trape.py --help
usage: python trape.py -u <> -p <> [-h] [-v] [-u URL] [-p PORT]
                                              [-ak ACCESSKEY] [-l LOCAL]
                                              [--update] [-n] [-ic INJC]

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -u URL, --url URL     Put the web page url to clone
  -p PORT, --port PORT  Insert your port
  -ak ACCESSKEY, --accesskey ACCESSKEY
                        Insert your custom key access
  -l LOCAL, --local LOCAL
                        Insert your home file
  -n, --ngrok           Insert your ngrok Authtoken
  -ic INJC, --injectcode INJC
                        Insert your custom REST API path
  -ud UPDATE, --update UPDATE
                        Update trape to the latest version
  • url In this option you add the URL you use to clone Live, which works as a decoy.
  • port Here you insert the port, where you are going to run the trape server.
  • accesskey You enter a custom key for the trape panel, if you do not insert it will generate an automatic key.
  • injectcode trape contains a REST API to play anywhere, using this option you can customize the name of the file to include, if it does not, generates a random name allusive to a token.
  • local Using this option you can call a local HTML file, this is the replacement of the
  • url option made to run a local lure in trape.
  • ngrok In this option you can enter a token, to run at the time of a process. This would replace the token saved in configurations.
  • version You can see the version number of trape.
  • update Option especially to upgrade to the latest version of trape.
  • help It is used to see all the above options, from the executable.

Disclaimer

This tool has been published educational purposes in order to teach people how bad guys could track them or monitor them or obtain information from their credentials, we are not responsible for the use or the scope that may have the People through this project.

We are totally convinced that if we teach how vulnerable things are, we can make the Internet a safer place.

Credit: Jose Pino

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Skiptracer – OSINT Python Webscaping Framework

Initial attack vectors for recon usually involve utilizing pay-for-data/API (Recon-NG), or paying to utilize transforms (Maltego) to get data mining results. Skiptracer utilizes some basic python webscraping (BeautifulSoup) of PII paywall sites to compile passive information on a target on a ramen noodle budget.

Also ReadHassh : Tool Used To Identify Specific Client & Server SSH Implementations

Skiptracer Installation

$ git clone https://github.com/xillwillx/skiptracer.git skiptracer
$ cd skiptracer

Install requirements

$ pip install -r requirements.txt

Run

$ python skiptracer.py -l (phone|email|sn|name|plate)

Sample

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Janusec – Golang Based Application Security Solution Which Provides WAF

Janusec Application Gateway, an application security solutions which provides WAF (Web Application Firewall), unified web administration portal, private key protection, web routing and scalable load balancing. With Janusec, you can build secure and scalable applications.

Also ReadPastego – Scrape/Parse Pastebin Using GO & Expression Grammar

Janusec Key Features

  • WAF (Web Application Firewall), block SQL Injection, Cross-site Scripting, Sensitive Data Leakage, CC Attacks etc.
  • Group Policy (Cooperation with Multiple Check Points)
  • CAPTCHA support
  • Unified Web Administration
  • HTTPS support, No Agent Required.
  • Certificate Protection with Private Key Encrypted Storage
  • Scalable Architecture, Load Balance and Multiple Nodes Support

Requirements

  • PostgreSQL 9.3~9.6 or 10 (Required by Development and Master Node of Deployment)
  • CentOS/RHEL 7, Debian 9
  • systemd
  • Golang 1.9+ (Required by Development Only)

Quick Start for Deployment

https://www.janusec.com/documentation/quick-start/

Quick Start for Developer

go get -u github.com/Janusec/janusec
cd $GOPATH/src/github.com/Janusec/janusec

Edit config.json with PostgreSQL

"host": "127.0.0.1",
"port": "5432",
"user": "janusec",
"password": "123456",
"dbname": "janusec"

Janusec will encrypt the password automatically.
Then:

go build
su (switch to root)
./janusec

Web Administration

http://127.0.0.1:9080/ (The first address)

Release

go build
./release.sh (Only support Linux Now)

The release package is under ./dist .

Screenshots

SQL Injection Screenshot

Sensitive Data Leakage Screenshot

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Sheepl – Creating Realistic User Behaviour For Supporting Tradecraft Development Within Lab Environments

Sheepl is a tool for creating realistic user behaviour for supporting tradecraft development within lab environments. There are lots of resources available online relating to how you can build AD network environments for the development of blue team and red team tradecraft.

However the current solutions tend to lack one important aspect in representing real world network configurations. A network is not just a collection of static endpoints, it is a platform for communication between people.

Sheepl is a tool that aims to bridge the gap by emulating the behaviour that people normally undertake within a network environment. Using Python3 and AutoIT3 the output can be compiled into a standalone executable without any other dependancies that when executed on an Windows endpoint, executes a set of tasks randomly over a chosen time frame.

For red teamers this can serve to present those moments of opportunity to practice tradecraft. For blue teamers this supports focusing on detection of malicious activity indicators inside a sequence of benign user tasks.

Also ReadCloudBunny – CloudBunny Is A Tool To Capture The Real IP Of The Server

Sheepl Tooling

Sheepl has two modes, commandline and interactive where commandline can be used as part of a wider scripting solution and interactive allows you to build tasks in a question/response approach.

Example

python3 sheepl.py --name TBone --total_time=2h --wordfile "c:\\users\\matt\\Desktop\\matt.doc" --inputtext "content/if.txt" --cmd --cc "ipconfig /all" --cc "whoami" --cc "netstat -anto -p tcp"')

python3 sheepl.py --interactive

AutoIT3

You can download the AutoIT3 runtime and the Aut2EXE compiler here: AutoIT3 Download

The following video is an overview of Sheepl 0.1 as the beta release.

Video Tutorial

Credit: Jonathan Bennett

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.