Malwoverview – Tool To Perform An Initial & Quick Triage On A Directory Containing Malware Samples

Malwoverview is a first response tool to perform an initial and quick triage on either a directory containing malware samples or a specific malware sample.

This tool aims to:

  • Determine similar executable malware samples (PE/PE+) according to the import table (imphash) and group them by different colors (pay attention to the second column of the output). Thus, colors matter!
  • Determine whether executable malware samples are packed or not packed according to the following rules:
     2a. Two or more sections with Entropy > 7.0 or < 1.0 ==> Packed.
     2b. One section with Entropy > 7.0 or two sections with SizeOfRawData ==> Likely packed.
     2c. No section with Entropy > 7.0 or SizeOfRawData ==> Not packed.
  • Determine whether the malware samples contain an overlay.
  • Determine the .text section entropy.
  • Check each malware sample against Virus Total.

Malwoverview.py only examines PE/PE+ files, skipping everything else.
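As an added illustration (not code from the Malwoverview project), the following pure-Python snippet implements packing rules 2a-2c, the overlay check and a pefile-style imphash grouping over constructed section and import data. `Section`, `classify_packing`, `overlay_offset`, `imphash` and `group_by_imphash` are names chosen here, and reading "sections with SizeOfRawData" as SizeOfRawData == 0 is an assumption.

```python
import hashlib
import math
from collections import Counter, namedtuple

# Thresholds exactly as stated in rules 2a-2c above.
HIGH_ENTROPY = 7.0
LOW_ENTROPY = 1.0

# Minimal view of one PE section: header fields plus its raw bytes (constructed here,
# not parsed from a real file).
Section = namedtuple("Section", "name raw pointer_to_raw_data size_of_raw_data")


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_packing(sections):
    """Apply rules 2a-2c to a list of Section objects.
    Assumption: the page's 'sections with SizeOfRawData' is read as sections whose
    SizeOfRawData header field is 0."""
    entropies = [shannon_entropy(s.raw) for s in sections]
    extreme = sum(1 for e in entropies if e > HIGH_ENTROPY or e < LOW_ENTROPY)
    high = sum(1 for e in entropies if e > HIGH_ENTROPY)
    zero_raw = sum(1 for s in sections if s.size_of_raw_data == 0)
    if extreme >= 2:
        return "packed"            # 2a: two or more sections with entropy > 7.0 or < 1.0
    if high == 1 or zero_raw >= 2:
        return "likely packed"     # 2b: one high-entropy section, or two with SizeOfRawData == 0
    return "not packed"            # 2c (cases the three rules do not cover also land here)


def overlay_offset(file_size, sections):
    """Offset at which appended data (overlay) starts, or None if the file ends
    with its last section."""
    end = max((s.pointer_to_raw_data + s.size_of_raw_data for s in sections), default=0)
    return end if file_size > end else None


def imphash(imports):
    """pefile-style imphash over (dll, function) pairs: lower-case DLL name with a
    .dll/.ocx/.sys extension stripped, '.', lower-case function name (ordinals as
    'ordN'), comma-joined, MD5. pefile's ordinal-to-name table is omitted."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        name = func.lower() if isinstance(func, str) else "ord%d" % func
        parts.append("%s.%s" % (lib, name))
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def group_by_imphash(samples):
    """samples: {filename: [(dll, func), ...]} -> {imphash: [filenames]}, i.e. the
    groups Malwoverview colours alike."""
    groups = {}
    for filename, imports in samples.items():
        groups.setdefault(imphash(imports), []).append(filename)
    return groups


# ---- constructed sample data (no real malware involved) ----
TEXT = b"The quick brown fox jumps over the lazy dog. " * 20   # entropy roughly 4.4
NOISE = bytes(range(256)) * 4                                   # entropy exactly 8.0

PLAIN = [Section(".text", TEXT, 0x400, len(TEXT)),
         Section(".data", TEXT, 0x800, len(TEXT))]
LIKELY = [Section(".text", NOISE, 0x400, len(NOISE)),
          Section(".data", TEXT, 0x800, len(TEXT))]
PACKED = [Section("UPX0", b"", 0x400, 0),
          Section("UPX1", NOISE, 0x400, len(NOISE)),
          Section(".rsrc", NOISE, 0x800, len(NOISE))]

SAMPLES = {
    "a.exe": [("KERNEL32.dll", "CreateFileW"), ("kernel32.dll", "WriteFile")],
    "b.exe": [("kernel32.DLL", "CreateFileW"), ("KERNEL32.dll", "WriteFile")],
    "c.exe": [("user32.dll", "MessageBoxW"), ("ws2_32.dll", 23)],
}

if __name__ == "__main__":
    for label, secs in (("plain", PLAIN), ("likely", LIKELY), ("packed", PACKED)):
        print(label, classify_packing(secs), "overlay at", overlay_offset(4096, secs))
    for h, names in group_by_imphash(SAMPLES).items():
        print(h, names)
```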


Requirements

This tool was tested on a Kali Linux 2018 system and Windows 10. Therefore, it will be necessary to install:

Kali Linux

  • Python version 2.7.x.
$ apt-get install python
  • Python-magic.

To install the python-magic package you can execute the following command:

$ pip install python-magic

Or compile it from the GitHub repository:

$ git clone https://github.com/ahupp/python-magic
$ cd python-magic/
$ python setup.py build
$ python setup.py install

As there are serious problems with the two coexisting versions of the python-magic package, my recommendation is to install it from GitHub (second procedure above) and copy the magic.py file to the SAME directory as the malwoverview tool.

  • Pefile, colorama, simple-json and requests packages:
$ pip install pefile
$ pip install colorama
$ pip install simple-json
$ pip install requests

Windows

To install the python-magic package you can execute the following command:

C:\> pip install python-magic

Or compile it from the GitHub repository:

C:\> git clone https://github.com/ahupp/python-magic
C:\> cd python-magic/
C:\> python setup.py build
C:\> python setup.py install
  • Pefile, colorama, simple-json and requests packages:
C:\> pip install pefile
C:\> pip install colorama
C:\> pip install simple-json
C:\> pip install requests
  • (IMPORTANT) Remove the magic.py file from malwoverview directory.
  • Install the python-magic DLLs by executing the following command:
C:\> pip install python-magic-bin==0.4.14 

Virus Total and Hybrid-Analysis

You must edit malwoverview.py and insert your API keys and secret to enable Virus Total and Hybrid-Analysis checking:

VT:

  VTAPI = '<----ENTER YOUR API HERE and UNCOMMENT THE LINE---->'

Hybrid-Analysis:

  HAAPI = '<----ENTER YOUR API HERE and UNCOMMENT THE LINE---->'    
  HASECRET = '<----ENTER YOUR SECRET HERE and UNCOMMENT THE LINE---->'

Malwoverview Usage

To use the malwoverview, execute the command as shown below:

  $ python malwoverview -d <directory> -f <fullpath> -i <0|1> -b <0|1> -v <0|1> -a <0|1> -p <0|1> -s <0|1> -x <0|1>
                        -w <0|1>

where:

    <directory> -d is the folder containing malware samples.
    <fullpath>  -f specifies the full path to a file. Shows general information about the file (any filetype).
    (optional)  -b 1 adapts the output colors to a black window.
    (optional)  -i 1 shows imports and exports (used with the -f option).
    (optional)  -x 1 extracts the overlay (used with the -f option).
    (optional)  -v 1 queries the Virus Total database for positives and totals (any filetype).
    (optional)  -a 1 queries the Hybrid Analysis database for a general report. Thus, you need to edit
                     malwoverview.py and insert your HA API key and respective secret.
    (optional)  -s 1 shows antivirus reports from the main players. This option is used with the
                     -f option (any filetype).
    (optional)  -p 1 use this option if you have a public Virus Total API. It forces a one-minute wait
                     every 4 malware samples, but allows obtaining a complete evaluation of the malware repository.
    (optional)  -w 1 used when the OS is Microsoft Windows.

    If you use the Virus Total option, it is necessary to edit malwoverview.py and insert your VT API key.

    Remember that the public VT API only allows 4 searches per second (as shown in the image above). Therefore, if you
    are willing to wait some minutes, you can use the -p option, which forces a one-minute wait every 4 malware
    samples, but allows obtaining a complete evaluation of the repository.

    ATTENTION: if the directory contains many malware samples, malwoverview.py could take some time. :)

History

Version 1.4.5

  This version:
  
        * Adds the -w option to use malwoverview in Windows systems.
        * Improves and fixes colors when using -b option with black window.  

Version 1.4:

  This version:

        * Adds the -a option for getting the Hybrid Analysis summary report.
        * Adds the -i option for listing imported and exported functions. Therefore, the imported/exported function
          report was decoupled into a separate option.

Version 1.3:

  This version:

        * Adds the -p option for public Virus Total API.

Version 1.2:

  This version includes:

        * evaluates a single file (any filetype)
        * shows PE sections.
        * shows imported functions.
        * shows exported functions.
        * extracts overlay.
        * shows AV report from the main players. (any filetype)

Version 1.1:

  This version:

        * Adds the VT checking feature.

Version 1.0:

  Malwoverview is a tool to perform a first triage of malware samples in a directory and group them according 
  to their import functions (imphash) using colors. This version:

        * Shows the imphash information classified by color. 
        * Checks whether malware samples are packed.  
        * Checks whether malware samples have overlay. 
        * Shows the entropy of the malware samples. 


DbgShell – A PowerShell Front-End For The Windows Debugger Engine

DbgShell is a PowerShell front-end for the Windows debugger engine.

DbgShell Inducement

Have you ever tried automating anything in the debugger? (cdb/ntsd/kd/windbg) How did that go for you?

The main impetus for DbgShell is that it’s just waaaay too hard to automate anything in the debugger. There are facilities today to assist in automating the debugger, of course. But in my opinion they are not meeting people’s needs.

  • Using the built-in scripting language is arcane, limited, difficult to get right, and difficult to get help with.
  • DScript is kind of neat, but virtually unknown, and it lacks a REPL, and it’s too low-level.
  • Writing a full-blown debugger extension DLL is very powerful, but it’s a significant investment—way too expensive for solving quick, “one-off” problems as you debug random, real-world problems. Despite the cost, there are a large number of debugger extensions in existence. I think there should not be nearly so many; I think the only reason there are so many is because there aren’t viable alternatives.
  • Existing attempts at providing a better interface (such as PowerDbg) are based on “scraping” and text parsing, which is hugely limiting (not to mention ideologically annoying) and thus are not able to fulfill the promise of a truly better interface (they are only marginally better, at best).
  • Existing attempts to provide an easier way to write a debugger extension are merely a stop-gap addressing the pain of developing a debugger extension; they don’t really solve the larger problem. (for instance, two major shortcomings are: they are still too low-level (you have to deal with the dbgeng COM API), and there’s no REPL)
  • The debugger team has recently introduced Javascript scripting. Javascript is a much better (and more well-defined) language than the old windbg scripting language, but I think that PowerShell has some advantages, the largest of which is that nobody really uses a Javascript shell; PowerShell is much better as a combined shell and scripting language.


The goal of the DbgShell project is to bring the goodness of the object-based PowerShell world to the debugging world. When you do ‘dt’ to dump an ‘object’, you should get an actual object. Scripting should be as easy as writing a PowerShell script.

The DbgShell project provides a PowerShell front-end for dbgeng.dll, including:

  • a managed “object model” (usable from C# if you wished), which is higher-level than the dbgeng COM API,
  • a PowerShell “navigation provider”, which exposes aspects of a debugging target as a hierarchical namespace (so you can “cd” to a particular thread, type “dir” to see the stack, “cd” into a frame, do another “dir” to see locals/registers/etc.),
  • cmdlets for manipulating the target,
  • a custom PowerShell host which allows better control of the debugger CLI experience, as well as providing features not available in the standard powershell.exe host (namely, support for text colorization using ANSI escape codes (a la ISO/IEC 6429))

The custom host is still a command-line (conhost.exe-based) program (analogous to ntsd/cdb/kd), but it can be invoked from windbg (!DbgShell).

In addition to making automation much easier and more powerful, it will address other concerns as well, such as ease of use for people who don’t have to use the debuggers so often. (one complaint I’ve heard is that “when I end up needing to use windbg, I spend all my time in the .CHM”)

For seasoned windbg users, on the other hand, another goal is to make the transition as seamless as possible. So, for instance, the namespace provider is not the only way to access data; you can still use traditional commands like “~3 s”, “k”, etc.

What do you mean by “automation” and “scripting”?

I’m not only talking about the sort of thing where you open up a text editor and write some big script to do something complex—I’m also talking about being able to whip out relatively simple stuff directly on the command line. There are many situations where you would like to be able to use a little bit of logic, but nothing so big or re-usable that you would even want to save it. It should be easy to just whip off “one-liners” like “break on CreateFile if the file being opened is on the user’s desktop and function Blah is on the stack.”

Why PowerShell?

Let me be clear: it took me approximately 4 years to “warm up” to PowerShell. I feel it has sharp edges, aspects that are just plain difficult, and plenty of bugs, both in design and implementation. Sometimes it really irritates me. However, the benefits of PowerShell are compelling, and have convinced me that it’s the best thing to use for this project:

  • It is both a scripting environment and a CLI environment. The fact that it has to do both leads to some negative things like a steeper learning curve, but in the end it is extremely handy, because you want to be able to both do stuff quickly in a command-line REPL, as well as write full-featured, robust scripts.
  • It is very discoverable—things like Get-Command, tab completion, the ability to expose hierarchical data like a filesystem, the facilities for providing and synthesizing help, are very good.
  • Tab completion. I know I mentioned it in the previous bullet, but it’s awesome enough to get its very own bullet.
  • The object pipeline: the object-oriented nature of the PowerShell pipeline is so much more powerful and easy to use than the bad old days of string-parsing-based scripting that it’s not even funny. Imagine doing “dt” to “dump” an “object”, and actually getting an object. DbgShell does that.
  • People know it: I estimate that the number of people who know PowerShell and/or C# is at least a handful of orders of magnitude larger than the people who know windbg scripting techniques. That means more people will be able to easily “pick up” a PowerShell-based debugger; and it also means that when people need help, the pool of potential helpers is much larger (for scripting-related issues, anyway).
  • PowerShell is still a general-purpose shell: when using DbgShell, you have access to not just debugger commands, but you can “cd” over to the filesystem, registry, AD, etc.; you can execute Send-MailMessage, Get-WmiObject, Invoke-WebRequest, Invoke-RestMethod, run arbitrary programs, etc.

Current Status

DbgShell has been in “prototyping mode” for a long time. I have spent a lot of time figuring how something could or should be done, but not necessarily “finishing” everything. There are a huge number of TODOs in the current code. So although it has started to become actually useful, the project is still pretty green. However, it can definitely demonstrate enough to give you a good taste of what it should be like.

Below are some screenshots. It’s important to note that nothing you see is dbgeng text output. Although some stuff in the output will look familiar, that is only because I have used PowerShell’s formatting and output features to customize how certain objects are displayed—all the output you see actually corresponds to real, full .NET objects. For instance, those ModLoad messages each correspond to a MS.Dbg.ModuleLoadedEventArgs object, which has more properties than what get displayed when sent to Out-Default. There is no string parsing of anything from dbgeng whatsoever. (Well… almost. I’ve made a few compromises where there is no other way to get information. For instance, disassembly stuff, or parsing the symbolic name of an adjustor thunk function to find the offset.)

This is a sort of “hello world” scenario: attaching to an instance of cmd.exe. I first use the PowerShell built-in command Start-Process, then pipe the output to the DbgShell command Connect-Process, and then poke around the namespace:

Here I have attached to a test program, and looked at the stack, switched to a particular stack frame, dumped locals, inspected the value of a local std::map, and inspected some type information for a local enum value. Note the display of the enumeration value: not only does DbgShell handle looking up the symbolic name for single enumerands, but also when multiple enumerands are OR’ed together. You can’t tell this from the screenshot, but there is tab completion for all of this stuff.

Disclaimers

  • This project is not produced, endorsed, or monitored by the Windows debugger team. While the debugger team welcomes feedback about their API and front ends (windbg, kd, et al), they have no connection with this project. Do not file bugs or feedback to the debugger team concerning this project.
  • This is not a funded project: it has no official resources allocated to it, and is only worked on by volunteers. Do not take any production dependency on this project unless you are willing to support it completely yourself. Feel free to file Issues and submit Pull Requests, but understand that with the limited volunteer resources, it may be a while before your submissions are handled.
  • This is an experimental project: it is not fully baked, and you should expect breaking changes to be made often.

DarkSpiritz – A Penetration Testing Framework For UNIX Systems

DarkSpiritz is a penetration testing framework for UNIX systems. It is a re-vamp of the very popular framework known as “Roxysploit”. You may be familiar with this framework, and if you are, it will help you with DarkSpiritz. It also works like another pentesting framework known as Metasploit. If you know how to use Metasploit, setting up and working with it will be a breeze. Inside the program itself you will find a lot of help and documentation on plugins, or you can head to our wiki. If you need any help feel free to contact us at sectel.team@protonmail.com.


Getting Started With DarkSpiritz 

Clone the repository with git:

git clone https://github.com/DarkSpiritz/DarkSpiritz.git

To install it clone the github repo and run:

sudo python installer.py

This will download all necessary modules for it. Once you run this you will be able to run:

python main.py

from within the same directory as it.

You will see a start-up screen. This screen will display things like commands and configuration settings. You can set configuration settings inside the config.xml file itself or through commands in the DarkSpiritz shell.

Features:

These are the features that the DarkSpiritz Team prides itself on in this program:

  • Real Time Updating of Configuration
  • Never a need to restart the program even when adding plugins or editing them.
  • Easy to use UX
  • Multi-functionality

Credit: SecTel Team

Nodexp – A Server Side Javascript Injection Tool Capable Of Detecting & Exploiting Node.js Vulnerabilities

NodeXP is an integrated tool, written in Python 2.7, capable of detecting possible vulnerabilities on Node.js services as well as exploiting them in an automated way, based on the S(erver)S(ide)J(avascript)I(njection) attack!

Nodexp Getting Started – Installation & Usage

Download NodeXP by cloning the Git repository:

git clone https://github.com/esmog/nodexp

To get a list of all options run:

python2.7 nodexp -h

Examples for POST and GET cases accordingly:

python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind

python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind


Setting Up and Use Testbeds

In order to get familiar with NodeXP you might need to set up the Node.js testing services provided (/testbeds) and start using the tool. A local machine running a Node.js server will be necessary.

Firstly, you should install ‘body-parser’ and ‘express’ packages, in the GET and POST directories.

Go to ‘testbeds/GET’ directory on your local machine and paste the command below in terminal:

npm install express --save

Go to ‘testbeds/POST’ directory and paste the commands below in terminal:

npm install body-parser --save
npm install express --save

After the correct installation of the packages you can run each service with the command ‘node’ followed by the desired js file (e.g. node eval.js).

After your server is up and running, you are ready to run NodeXP and test it against those services!

Example for GET case shown below:

python2.7 nodexp.py --url=http://localiprunningnodejsserver:3001/?name=[INJECT_HERE]

Example for POST case shown below:

python2.7 nodexp.py --url=http://localiprunningnodejsserver:3001/post.js --pdata=username=[INJECT_HERE]

Maintain & Update Payload Files

Payloads used by both Blind and Results Based Injection technique are stored in “/files/blind_payloads.txt” and in “/files/payloads.txt”.

Payloads are written on every odd line of the text files and, in the case of Results Based Injection, their expected responses are written on every even line of the “payloads.txt” file as a comma-separated list. Even lines of the “blind_payloads.txt” file are empty.

In order to stop the injection process, “—end(nextline)—end” is used as a delimiter that stops the parsing and injecting of payloads, for both the Blind and the Results Based Injection cases.

Every user can maintain and update the payload txt files with their own payloads, as long as they follow the above instructions.
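As an added example (not NodeXP's own code), here is a Python 3 parser that reads a payload file in the layout just described and reports layout mistakes before the file is used. `parse_payload_file` and the inert placeholder lines are constructed here, and treating the page's “—end” marker as either “--end” or “—end” is an assumption.

```python
# Lines that terminate parsing; the page prints the marker as "—end" (em dash),
# so the ASCII "--end" spelling accepted here is an assumption.
END_MARKERS = {"--end", "\u2014end"}


def parse_payload_file(text, blind=False):
    """Parse the odd/even-line layout described above.

    Returns (entries, problems): entries is a list of (payload, [expected responses]),
    problems a list of human-readable layout errors (empty when the file is well formed).
    Parsing stops at the end marker, which must occupy two consecutive lines.
    """
    lines = text.splitlines()
    entries, problems = [], []
    for i in range(0, len(lines), 2):
        payload = lines[i]                                          # odd line (1-based)
        expected = lines[i + 1] if i + 1 < len(lines) else None     # even line
        if payload.strip() in END_MARKERS:
            if expected is None or expected.strip() not in END_MARKERS:
                problems.append("line %d: end marker must be repeated on the next line" % (i + 1))
            break
        if expected is None:
            problems.append("line %d: payload has no following response line" % (i + 1))
            break
        responses = [r.strip() for r in expected.split(",") if r.strip()]
        if blind and responses:
            problems.append("line %d: even lines of the blind payload file must be empty" % (i + 2))
        if not blind and not responses:
            problems.append("line %d: results-based payload needs at least one expected response" % (i + 2))
        entries.append((payload, responses))
    else:
        problems.append("no end marker found; parsing ran to end of file")
    return entries, problems


# Constructed sample files in the documented layout; the payload lines are inert placeholders.
SAMPLE_PAYLOADS = "\n".join([
    "PLACEHOLDER_PAYLOAD_1", "expected one, alt one",
    "PLACEHOLDER_PAYLOAD_2", "expected two",
    "--end", "--end",
    "PLACEHOLDER_NOT_PARSED", "ignored after the marker",
])
SAMPLE_BLIND = "\n".join(["BLIND_1", "", "BLIND_2", "", "--end", "--end"])

if __name__ == "__main__":
    for name, text, blind in (("payloads.txt", SAMPLE_PAYLOADS, False),
                              ("blind_payloads.txt", SAMPLE_BLIND, True)):
        entries, problems = parse_payload_file(text, blind=blind)
        print(name, len(entries), "payloads;", problems or "no layout problems")
```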

Disclaimer

The tool’s purpose is strictly academic and was developed in order to conduct my master’s thesis. It could also be helpful during the process of a penetration test on Node.js services. Any other malicious or illegal usage of the tool is strongly not recommended and is clearly not a part of the purpose of this research.

Credit: Dimitris Antonaropoulos

Subscraper – Tool That Performs Subdomain Enumeration Through Various Techniques

SubScraper uses DNS brute force, Google & Bing scraping, and Virus Total to enumerate subdomains without an API. Written in Python3, SubScraper performs HTTP(S) requests and DNS “A” record lookups during the enumeration process to validate discovered subdomains. This provides further information to help prioritize targets and aid in potential next steps. Post-Enumeration, “CNAME” lookups are displayed to identify subdomain takeover opportunities.


Subscraper Install

pip3 install -r requirements.txt

Usage

python3 subscraper.py example.com
python3 subscraper.py -t 5 -o csv example.com

Options

  -s              Only use internet to find subdomains
  -b              Only use DNS brute forcing to find subdomains
  -o OUTFILE      Define output file type: csv/txt (Default: None)
  -t MAX_THREADS  Max threads (Default: 10)
  -w SUBLIST      Custom subdomain wordlist

BYOB : Open-Source Project To Build Your Own Botnet

BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.

It is designed to allow developers to easily implement their own code and add cool new features without having to write a RAT (Remote Administration Tool) or a C2 (Command & Control server) from scratch.

The RAT’s key feature is that arbitrary code/files can be remotely loaded into memory from the C2 and executed on the target machine without writing anything to the disk.


BYOB Server

usage: server.py [-h] [-v] [--host HOST] [--port PORT] [--database DATABASE]

Command & control server with persistent database and console

  • Console-Based User-Interface: streamlined console interface for controlling client host machines remotely via reverse TCP shells which provide direct terminal access to the client host machines
  • Persistent SQLite Database: lightweight database that stores identifying information about client host machines, allowing reverse TCP shell sessions to persist through disconnections of arbitrary duration and enabling long-term reconnaissance
  • Client-Server Architecture: all python packages/modules installed locally are automatically made available for clients to remotely import without writing them to the disk of the target machines, allowing clients to use modules which require packages not installed on the target machines

BYOB Client

usage: client.py [-h] [-v] [--name NAME] [--icon ICON]
[--pastebin API] [--encrypt] [--obfuscate] [--compress] [--compile] host
port [module [module ...]]

Generate fully-undetectable clients with staged payloads, remote imports, and unlimited modules

  • Remote Imports: remotely import third-party packages from the server without writing them to the disk or downloading/installing them
  • Nothing Written To The Disk: clients never write anything to the disk – not even temporary files (zero IO system calls are made) because remote imports allow arbitrary code to be dynamically loaded into memory and directly imported into the currently running process
  • Zero Dependencies (Not Even Python Itself): client runs with just the python standard library, remotely imports any non-standard packages/modules from the server, and can be compiled with a standalone python interpreter into a portable binary executable formatted for any platform/architecture, allowing it to run on anything, even when Python itself is missing on the target host
  • Add New Features With Just 1 Click: any python script, module, or package you copy to the ./byob/modules/ directory automatically becomes remotely importable & directly usable by every client while your command & control server is running
  • Write Your Own Modules: a basic module template is provided in ./byob/modules/ directory to make writing your own modules a straight-forward, hassle-free process
  • Run Unlimited Modules Without Bloating File Size: use remote imports to add unlimited features without adding a single byte to the client’s file size
  • Fully Updatable: each client will periodically check the server for new content available for remote import, and will dynamically update its in-memory resources if anything has been added/removed
  • Platform Independent: everything is written in Python (a platform-agnostic language) and the clients generated can optionally be compiled into a portable executable (Windows) or bundled into a standalone application (macOS)
  • Bypass Firewalls: clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections
  • Counter-Measure Against Antivirus: avoids being analyzed by antivirus by blocking processes with names of known antivirus products from spawning
  • Encrypt Payloads To Prevent Analysis: the main client payload is encrypted with a random 256-bit key which exists solely in the payload stager which is generated along with it
  • Prevent Reverse-Engineering: by default, clients will abort execution if a virtual machine or sandbox is detected

BYOB Modules

Post-exploitation modules that are remotely importable by clients

  1. Keylogger (byob.modules.keylogger): logs the user’s keystrokes & the window name entered
  2. Screenshot (byob.modules.screenshot): take a screenshot of current user’s desktop
  3. Webcam (byob.modules.webcam): view a live stream or capture image/video from the webcam
  4. Ransom (byob.modules.ransom): encrypt files & generate random BTC wallet for ransom payment
  5. Outlook (byob.modules.outlook): read/search/upload emails from the local Outlook client
  6. Packet Sniffer (byob.modules.packetsniffer): run a packet sniffer on the host network & upload .pcap file
  7. Persistence (byob.modules.persistence): establish persistence on the host machine using 5 different methods
  8. Phone (byob.modules.phone): read/search/upload text messages from the client smartphone
  9. Escalate Privileges (byob.modules.escalate): attempt UAC bypass to gain unauthorized administrator privileges
  10. Port Scanner (byob.modules.portscanner): scan the local network for other online devices & open ports
  11. Process Control (byob.modules.process): list/search/kill/monitor currently running processes on the host

BYOB Core

Core framework modules used by the generator and the server

  1. Utilities (byob.core.util): miscellaneous utility functions that are used by many modules
  2. Security (byob.core.security): Diffie-Hellman IKE & 3 encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)
  3. Loaders (byob.core.loaders): remotely import any package/module/scripts from the server
  4. Payloads (byob.core.payloads): reverse TCP shell designed to remotely import dependencies, packages & modules
  5. Stagers (byob.core.stagers): generate unique payload stagers to prevent analysis & detection
  6. Generators (byob.core.generators): functions which all dynamically generate code for the client generator
  7. Database (byob.core.database): handles interaction between command & control server and the SQLite database

Kemon – An Open-Source Pre & Post Callback-Based Framework For macOS Kernel Monitoring

Kemon is an open-source Pre and Post callback-based framework for macOS kernel monitoring. With it, we can easily implement LPC communication monitoring, MAC policy filtering, a kernel driver firewall, etc. In general, from an attacker’s perspective, this framework can help achieve a more powerful Rootkit. From the perspective of defense, it can help construct more granular monitoring capabilities. I also implemented a kernel fuzzer through this framework, which helped me find many vulnerabilities, such as CVE-2017-7155, CVE-2017-7163, CVE-2017-13883, etc.


Supported Features

Features include:

  • file operation monitoring
  • process creation monitoring
  • dynamic library and kernel extension monitoring
  • network traffic monitoring
  • Mandatory Access Control (MAC) policy monitoring, etc.

In addition, this project can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.

Getting Started

How to use?

  • Please turn off macOS System Integrity Protection (SIP) check if you don’t have a valid kernel certificate
  • Use the command “sudo chown -R root:wheel kemon.kext” to change the owner of the driver
  • Use the command “sudo kextload kemon.kext” to install the driver
  • Use the command “sudo kextunload kemon.kext” to uninstall the driver

Aircrack-NG : WiFi Security Auditing Tools Suite

Aircrack-ng is a complete suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security:

  • Monitoring: Packet capture and export of data to text files for further processing by third party tools.
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
  • Testing: Checking WiFi cards and driver capabilities (capture and injection).
  • Cracking: WEP and WPA PSK (WPA 1 and 2).

All tools are command line, which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily on Linux but also on Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.


Aircrack-ng Installation and Optional Dependencies

Below are instructions for installing the basic requirements to build aircrack-ng for a number of operating systems.

Note: CMocka should not be a dependency when packaging Aircrack-ng.

Linux

Debian/Ubuntu

sudo apt-get install build-essential autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev

Fedora/CentOS/RHEL

sudo yum install libtool pkgconfig sqlite-devel autoconf automake openssl-devel libpcap-devel pcre-devel rfkill libnl3-devel gcc gcc-c++ ethtool hwloc-devel libcmocka-devel

FreeBSD

pkg install pkgconf shtool libtool gcc7 automake autoconf pcre sqlite3 openssl gmake hwloc cmocka

OSX

XCode, Xcode command line tools and HomeBrew are required.

brew install autoconf automake libtool openssl shtool pkg-config hwloc pcre sqlite3 libpcap cmocka

Windows

Cygwin

Cygwin requires the full path to the setup.exe utility, in order to automate the installation of the necessary packages. In addition, it requires the location of your installation, a path to the cached packages download location, and a mirror URL.

An example of automatically installing all the dependencies is as follows:

c:\cygwin\setup-x86.exe -qnNdO -R C:/cygwin -s http://cygwin.mirror.constant.com -l C:/cygwin/var/cache/setup -P autoconf -P automake -P bison -P gcc-core -P gcc-g++ -P mingw-runtime -P mingw-binutils -P mingw-gcc-core -P mingw-gcc-g++ -P mingw-pthreads -P mingw-w32api -P libtool -P make -P python -P gettext-devel -P gettext -P intltool -P libiconv -P pkg-config -P git -P wget -P curl -P libpcre-devel -P openssl-devel -P libsqlite3-devel

MSYS2

pacman -Sy autoconf automake-wrapper libtool msys2-w32api-headers msys2-w32api-runtime gcc pkg-config git python opens

Compiling

To build aircrack-ng, the Autotools build system is utilized. Autotools replaces the older method of compilation.

NOTE: If utilizing a developer version, e.g. one checked out from source control, you will need to run a pre-configure script first. The script to use is one of the following: autoreconf -i or env NOCONFIGURE=1 ./autogen.sh.

First, ./configure the project for building with the appropriate options specified for your environment:

./configure <options>

TIP: If the above fails, please see the note above about developer (source control) versions.

Next, compile the project (respecting if make or gmake is needed):

  • Compilation:

make

  • Compilation on *BSD or Solaris:

gmake

Finally, the additional targets listed below may be of use in your environment:

  • Execute all unit testing:

make check

  • Installing:

make install

  • Uninstall:

make uninstall

./configure flags

When configuring, the following flags can be used and combined to adjust the suite to your choosing:

  • --with-airpcap=DIR: needed for supporting AirPcap devices on Windows (Cygwin or MSYS2 only). Replace DIR above with the absolute path to the root of the extracted source code from the AirPcap CD or the SDK downloaded online. Required on Windows to build besside-ng, besside-ng-crawler, easside-ng, tkiptun-ng and wesside-ng when building experimental tools. The developer pack (compatible with versions 4.1.1 and 4.1.3) can be downloaded at https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html
  • --with-experimental: needed to compile tkiptun-ng, easside-ng, buddy-ng, buddy-ng-crawler, airventriloquist and wesside-ng. The libpcap development package is also required to compile most of the tools; if it is not present, not all experimental tools will be built. On Cygwin, libpcap is not available and the AirPcap SDK replaces it. See the --with-airpcap option above.
  • --with-ext-scripts: needed to build airoscript-ng, versuck-ng, airgraph-ng and airdrop-ng. Note: each script has its own dependencies.
  • --with-gcrypt: use the libgcrypt crypto library instead of the default OpenSSL, and also use the internal fast SHA-1 implementation (borrowed from Git). Dependency (Debian): libgcrypt20-dev
  • --with-duma: compile with DUMA support. DUMA is a library to detect buffer overruns and under-runs. Dependency (Debian): duma
  • --disable-libnl: set up the project to be compiled without libnl (1 or 3). Linux only.
  • --without-opt: do not enable the stack protector (on GCC 4.9 and above).
  • --enable-shared: make OSdep a shared library.
  • --disable-shared: when combined with --enable-static, it will statically compile Aircrack-ng.
  • --with-avx512: on x86, add support for AVX512 instructions in aircrack-ng. Only use it when the current CPU supports AVX512.
  • --with-static-simd=: compile a single optimization into the aircrack-ng binary. Useful when compiling statically and/or for space-constrained devices. Valid SIMD options: x86-sse2, x86-avx, x86-avx2, x86-avx512, ppc-altivec, ppc-power8, arm-neon, arm-asimd. Must be used with --enable-static --disable-shared. When using those two options, the default is to compile the generic optimization into the binary; --with-static-simd merely allows choosing another one.

Examples:

  • Configure and compiling:
./configure --with-experimental
make
  • Compiling with gcrypt:
./configure --with-gcrypt
make
  • Installing:

make install

  • Installing (strip binaries):

make install-strip

  • Installing, with external scripts:
./configure --with-experimental --with-ext-scripts
make
make install
  • Testing (with sqlite, experimental and pcre):
./configure --with-experimental
make
make check
  • Compiling on OS X with macports (and all options):
./configure --with-experimental
gmake
  • Compiling on OS X 10.10 with XCode 7.1 and Homebrew:
env CC=gcc-4.9 CXX=g++-4.9 ./configure
make
make check

NOTE: Older Xcode ships with a version of LLVM that does not support CPU feature detection, which causes ./configure to fail. To work around this older LLVM, a different compiler suite must be used, such as GCC or a newer LLVM from Homebrew.

If you wish to use OpenSSL from Homebrew, you may need to specify the location of its installation. To find out where OpenSSL lives, run:

brew --prefix openssl

Use the output above as the DIR for --with-openssl=DIR in the ./configure line:

env CC=gcc-4.9 CXX=g++-4.9 ./configure --with-openssl=DIR
make
make check
  • Compiling on FreeBSD with better performance:
env CC=gcc7 CXX=g++7 ./configure
gmake
  • Compiling on Cygwin with AirPcap (assuming the AirPcap devpack is unpacked in the Aircrack-ng directory):
cp -vfp Airpcap_Devpack/bin/x86/airpcap.dll src
cp -vfp Airpcap_Devpack/bin/x86/airpcap.dll src/aircrack-osdep
cp -vfp Airpcap_Devpack/bin/x86/airpcap.dll src/aircrack-crypto
cp -vfp Airpcap_Devpack/bin/x86/airpcap.dll src/aircrack-util
dlltool -D Airpcap_Devpack/bin/x86/airpcap.dll -d build/airpcap.dll.def -l Airpcap_Devpack/bin/x86/libairpcap.dll.a
autoreconf -i
./configure --with-experimental --with-airpcap=$(pwd)
make

JShell – Get a JavaScript shell with XSS

JShell gets a JavaScript shell with XSS. The Java Shell tool is an interactive tool for learning the Java programming language and prototyping Java code.

JShell Usages

Run shell.py and it will automatically try to detect your IP address; the default LPORT is 33.

As you can see, the payload has been generated and now all you have to do is deliver this payload to the victim.

As soon as you do that, you will get a JS shell over netcat where you can execute your JavaScript code in the victim's browser as soon as the injected page is opened.
Here’s a screenshot:

Credit: Rodolfo Assis

AWS Key Disabler – Lambda Script That Will Disable Access Keys Older Than A Given Amount Of Days

The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys.

AWS Lambda Architecture

SysOps Output for EndUser

Developer Toolchain

AWS Key Disabler Current Limitations

  • A report containing the JSON output of the scan will be sent to a single defined sysadmin account; refer to the report_to attribute in the /grunt/package.json build configuration file.
  • Keys are only disabled, not deleted nor replaced.

Prerequisites

This script requires the following components to run.

It also assumes that you have an AWS account with SES enabled, i.e. the domain is verified and sandbox mode has been removed.

Installation

These instructions are for OSX. Your mileage may vary on Windows and other *nix.

  1. Grab yourself a copy of this script
  2. Navigate into the /grunt folder
  3. Set up the Grunt task runner, i.e. install its dependencies: npm install
  4. Fill in the following information in /grunt/package.json
    1. Set the aws_account_number value to your AWS account id found on https://portal.aws.amazon.com/gp/aws/manageYourAccount
    2. Set first_warning and last_warning to the age (in days) the key has to reach to trigger a warning. These limits trigger an email sent to report_to
    3. Set expiry to the age in days at which the key expires. At this age the key is disabled and an email is sent to report_to notifying of this change
    4. Set serviceaccount to the account username you want the script to ignore
    5. Set exclusiongroup to the name of a group assigned to users you want the script to ignore
    6. Set the send_completion_report value to True to enable email delivery via SES
    7. Set the report_to value to the email address at which you'd like to receive deletion reports
    8. Set the report_from value to the email address you'd like to use as the sender address for deletion reports. Note that the domain for this needs to be verified in AWS SES
    9. Set deployment_region to a region that supports Lambda
    10. Set email_region to a region that supports SES. Also ensure that the region has SES sandbox mode disabled
  5. Ensure you can successfully connect to AWS from the CLI, e.g. run aws iam get-user to verify a successful connection
  6. From the /grunt directory run grunt bumpup && grunt deployLambda to bump your version number and perform a build/deploy of the Lambda function to the selected region

Invoke the Lambda Function manually from the commandline using the AWSCLI

Execute the Lambda function by name, AccessKeyRotation, logging the output of the scan to a file called scan.report.log:

aws lambda invoke --function-name AccessKeyRotation scan.report.log --region us-east-1

{
    "StatusCode": 200
}

Use jq to render the contents of the scan.report.log to the console:

jq '.' scan.report.log

{
  "reportdate": "2016-06-26 10:37:24.071091",
  "users": [
    {
      "username": "TestS3User",
      "userid": "1",
      "keys": [
        {
          "age": 72,
          "changed": false,
          "state": "key is already in an INACTIVE state",
          "accesskeyid": "**************Q3GA1"
        },
        {
          "age": 12,
          "changed": false,
          "state": "key is still young",
          "accesskeyid": "**************F3AA2"
        }
      ]
    },
    {
      "username": "BlahUser22",
      "userid": "2",
      "keys": []
    },
    {
      "username": "LambdaFake1",
      "userid": "3",
       "keys": [
        {
          "age": 23,
          "changed": false,
          "state": "key is due to expire in 1 week (7 days)",
          "accesskeyid": "**************DFG12"
        },
        {
          "age": 296,
          "changed": false,
          "state": "key is already in an INACTIVE state",
          "accesskeyid": "**************4ZASD"
        }
      ]
    },
    {
      "username": "apiuser49",
      "userid": "4",
       "keys": [
        {
          "age": 30,
          "changed": true,
          "state": "key is now EXPIRED! Changing key to INACTIVE state",
          "accesskeyid": "**************ER2E2"
        },
        {
          "age": 107,
          "changed": false,
          "state": "key is already in an INACTIVE state",
          "accesskeyid": "**************AWQ4K"
        }
      ]
    },
    {
      "username": "UserEMRKinesis",
      "userid": "5",
       "keys": [
        {
          "age": 30,
          "changed": false,
          "state": "key is now EXPIRED! Changing key to INACTIVE state",
          "accesskeyid": "**************MGB41A"
        }
      ]
    },
    {
      "username": "CDN-Drupal",
      "userid": "6",
       "keys": [
        {
          "age": 10,
          "changed": false,
          "state": "key is still young",
          "accesskeyid": "**************ZDSQ5A"
        },
        {
          "age": 5,
          "changed": false,
          "state": "key is still young",
          "accesskeyid": "**************E3ODA"
        }
      ]
    },
    {
      "username": "ChocDonutUser1",
      "userid": "7",
       "keys": [
        {
          "age": 59,
          "changed": false,
          "state": "key is already in an INACTIVE state",
          "accesskeyid": "**************CSA123"
        }
      ]
    },
    {
      "username": "ChocDonut2",
      "userid": "8",
       "keys": [
        {
          "age": 60,
          "changed": false,
          "state": "key is already in an INACTIVE state",
          "accesskeyid": "**************FDGD2"
        }
      ]
    },
    {
      "username": "admin.skynet@cyberdyne.systems.com",
      "userid": "9",
       "keys": [
        {
          "age": 45,
          "changed": false,
          "state": "key is already in an INACTIVE state",
          "accesskeyid": "**************BLQ5GJ"
        },
        {
          "age": 71,
          "changed": false,
          "state": "key is already in an INACTIVE state",
          "accesskeyid": "**************GJFF53"
        }
      ]
    }
  ]
}

Additional Configuration Option

  • You can choose to set the message used for each warning and for the final disabling by changing the values under key_disabler.keystates.<state>.message
  • You can change the length of masking under key_disabler.mask_accesskey_length. Access key ids are 20 characters in length.

Troubleshooting

This script is provided as is. We are happy to answer questions as time allows but can’t give any promises.

If things don’t work ensure that:

Bonus Points

Once the Lambda function has been successfully deployed, the following commands can be performed:

  1. aws lambda list-functions
  2. openssl dgst -binary -sha256 ..\Releases\AccessKeyRotationPackage.1.0.18.zip | openssl base64
  3. aws lambda invoke --function-name AccessKeyRotation report.log --region us-east-1
  4. jq '.' report.log
  5. jq '.users[] | select(.username=="johndoe")' report.log
  6. jq '.' report.log | grep age | cut -d':' -f2 | sort -n

Bonus Bonus Points

  1. jq 'def maximal_by(f): (map(f) | max) as $mx | .[] | select(f == $mx); .users | maximal_by(.keys[].age)' report.log
  2. jq 'def minimal_by(f): (map(f) | min) as $mn | .[] | select(f == $mn); .users | minimal_by(.keys[].age)' report.log
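The age-based decision the Lambda makes for each key (still young, approaching expiry, expired and set INACTIVE, or already INACTIVE), the key-id masking, the serviceaccount/exclusiongroup exemptions and the "oldest key" query from the jq one-liners above, worked through as an added example. This is not the AWS Key Disabler's own code: the thresholds, exemption names, user inventory and key ids below are constructed for the example, the warning messages only follow the shape of those in the report above, and the deactivation step is injected as a callable so the logic runs offline without touching IAM.

```python
"""Access-key age triage in the style of the AWS Key Disabler (added example)."""
from datetime import date, timedelta

# Constructed configuration reusing the package.json attribute names from the page.
# The numeric thresholds and the exemption names are assumptions for this example.
CONFIG = {
    "first_warning": 23,          # age in days at which the first warning fires
    "last_warning": 27,           # age in days at which the final warning fires
    "expiry": 30,                 # age in days at which the key is disabled
    "serviceaccount": "deploy-bot",
    "exclusiongroup": "KeyRotationExempt",
    "mask_accesskey_length": 15,  # access key ids are 20 characters long
}


def mask_access_key(access_key_id, mask_length):
    """Replace the first mask_length characters of the key id with '*'."""
    return "*" * mask_length + access_key_id[mask_length:]


def is_excluded(user, cfg):
    """The service account and members of the exclusion group are never touched."""
    return (user["username"] == cfg["serviceaccount"]
            or cfg["exclusiongroup"] in user.get("groups", []))


def classify_key(age, status, cfg):
    """Return (state message, action); action is 'Inactive' when the key must be disabled."""
    if status == "Inactive":
        return "key is already in an INACTIVE state", None
    if age >= cfg["expiry"]:
        return "key is now EXPIRED! Changing key to INACTIVE state", "Inactive"
    if age >= cfg["first_warning"]:
        days_left = cfg["expiry"] - age
        stage = "final warning" if age >= cfg["last_warning"] else "first warning"
        return f"key is due to expire in {days_left} day(s) ({stage})", None
    return "key is still young", None


def scan_users(users, today, cfg, deactivate):
    """Build the scan report; deactivate(username, key_id) is called for expired keys.

    In a real deployment the callable would wrap
    boto3.client("iam").update_access_key(UserName=..., AccessKeyId=..., Status="Inactive").
    """
    report = {"reportdate": str(today), "users": []}
    for user in users:
        if is_excluded(user, cfg):
            continue
        entry = {"username": user["username"], "userid": user["userid"], "keys": []}
        for key in user["keys"]:
            age = (today - key["created"]).days
            state, action = classify_key(age, key["status"], cfg)
            changed = action == "Inactive"
            if changed:
                deactivate(user["username"], key["id"])
            entry["keys"].append({
                "age": age,
                "changed": changed,
                "state": state,
                "accesskeyid": mask_access_key(key["id"], cfg["mask_accesskey_length"]),
            })
        report["users"].append(entry)
    return report


def users_with_oldest_key(report):
    """Same selection as the jq maximal_by query: users holding the globally oldest key."""
    per_user = {u["username"]: max(k["age"] for k in u["keys"])
                for u in report["users"] if u["keys"]}
    if not per_user:
        return []
    oldest = max(per_user.values())
    return sorted(name for name, age in per_user.items() if age == oldest)


# Constructed sample inventory; the key ids only imitate the 20-character AKIA... shape.
TODAY = date(2016, 6, 26)
SAMPLE_USERS = [
    {"username": "alice", "userid": "1", "keys": [
        {"id": "AKIAEXAMPLE000000001", "status": "Inactive", "created": TODAY - timedelta(days=72)},
        {"id": "AKIAEXAMPLE000000002", "status": "Active", "created": TODAY - timedelta(days=12)}]},
    {"username": "bob", "userid": "2", "keys": [
        {"id": "AKIAEXAMPLE000000003", "status": "Active", "created": TODAY - timedelta(days=30)}]},
    {"username": "deploy-bot", "userid": "3", "keys": [       # exempt: service account
        {"id": "AKIAEXAMPLE000000004", "status": "Active", "created": TODAY - timedelta(days=400)}]},
    {"username": "carol", "userid": "4", "groups": ["KeyRotationExempt"], "keys": [  # exempt: group
        {"id": "AKIAEXAMPLE000000005", "status": "Active", "created": TODAY - timedelta(days=50)}]},
    {"username": "dave", "userid": "5", "keys": [
        {"id": "AKIAEXAMPLE000000006", "status": "Active", "created": TODAY - timedelta(days=23)}]},
]


def run_sample():
    """Dry run over the sample; returns (report, list of (user, key_id) that were disabled)."""
    deactivated = []
    report = scan_users(SAMPLE_USERS, TODAY, CONFIG, lambda u, k: deactivated.append((u, k)))
    return report, deactivated


if __name__ == "__main__":
    import json
    rep, done = run_sample()
    print(json.dumps(rep, indent=2))
    print("deactivated:", done)
```

Because the expiry check is a plain age comparison and the IAM call is behind a callable, the same scan can be run as a dry run first (recording what would be disabled, as run_sample does) before wiring it to update_access_key; that is the check a practitioner wants before letting a scheduled Lambda disable credentials.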