DVR-Exploiter : DVR-Exploiter a Bash Script Program Exploit The DVR’s

DVR-Exploiter a Bash Script Program Exploit The DVR’s Based on CVE-2018-999. 

[*] Exploit Title:       DVR Credentials Exposed 
[*] Date:                09/04/2018
[*] Exploit Author:      Fernandez Ezequiel
[*] DVR-Exploiter By:    Belahsan Ouerghi  
[*] Contact:             www.facebook.com/ouerghi.belahsan
[*] Youtube Tutorial:	 https://www.youtube.com/watch?v=vdnATjE_4II
[*] Dorks:               		       intitle:"DVR Login"
	                                       html:"/login.rsp"
	                                      "Server: GNU rsp/1.1"

Tested In DVR

Novo
CeNova
QSee
Pulnix
XVR 5 in 1 (title: "XVR Login")
Securus,  - Security. Never Compromise !! - 
Night OWL
DVR Login
HVR Login
MDVR Login

DVR-Exploiter Installation

$ git clone https://github.com/TunisianEagles/DVR-Exploiter.git
$ cd DVR-Exploiter
$ ./DVR-Exploiter.s

Also ReadNmap-Bootstrap-XSL : A Nmap XSL implementation with Bootstrap

Details

[ After Running Choose The Host Example : 1 = 127.0.0.1 {IP } , / 2 = www.xxxxxxxx.com ]

  • Don’t Forget To Install The Plugin Of The DVR

Screenshot

How Safe is to Use the Internet From Public WiFi?

The Internet has taken over our lives in such a powerful way that sometimes, we can’t seem to thrive if we don’t have access to the web. The human being is a routine animal, and by now, we have grown accustomed to doing specific things online that can affect our daily schedule, mood, performance, and overall productivity if we don’t have access to them.

That is precisely why we tend to take advantage of any opportunity available to connect to the Internet. However, we don’t always prioritize online security, connecting to any Wi-Fi hotspot we encounter on the street instead, be it at a library, coffee shop, airport, etc.

How safe is to use the Internet from public WiFi? Well, to sum up, it isn’t. At all. These networks are more vulnerable to hacking attacks as they can be easily intercepted by these cybercriminals, which have the software and the skills to position themselves between the public network and the user’s device.

That is why there is an increase in the percentage of hacking attacks, identity thefts, lost files, and credit card frauds, among other inconveniences, when the person is using a public Wi-Fi network instead of a private, secure connection.

To the contrary of what some people may believe, private connections and networks aren’t 100% risk-free, either: they are just much less vulnerable than public Wi-Fi hotspots that you may encounter on your average mall or restaurant.

In several cases, the business managers and local administrators think they are doing people a favor by installing a setting up a free, public Wi-Fi for their customers. And they are, provided that they take the correct online and data security practices, establish robust passwords and implement other measures and firewalls.

Dangerous Activities and Consequences of the use of Public Wi-Fi Networks

  • Snooping: it consists of strangers having access to the data you share online in these networks. Third parties can get their hands on your digital assets and traffic if your communication is not encrypted.
  • Compromised devices: Unfortunately, public Wi-Fi is so insecure that you can get in touch with compromised devices from a security standpoint. Your device can get infected with a virus or other malware forms, including Ransomware.
  • Malicious hotspots: Sometimes, the devices connected to the Wi-Fi are not the ones that are compromised. Instead, the hotspot itself may be the one spreading infection around the network.
  • Man-in-the-Middle attacks: they happen when a device positions itself between the person using the Wi-Fi network and the hotspot itself, intercepting the shared data and traffic with no one noticing.
  • Sidejacking: When the attacker “injects” a packet sniffer or software in a device or network, we talk about sidejacking. It spies traffic and hijacks cookies used to enter online banking or social media accounts, among others.

How to be Safer at a Public Wi-Fi

There are scenarios and situation in which you need to connect to a public Wi-Fi. For example, you have just landed in a foreign country, and you want to let your family and friends know you are OK. Your data plan won’t work and, if you can’t find a phone to make a call, you can connect to the airport’s free hotspot to send a series of messages or use a VoIP service.

However, the practice isn’t recommended, security-wise. If you require to join a public network, take these tips into account:

Be responsible online

It doesn’t take a whole lot of common sense to know that hackers are more dangerous with each passing day. That’s why the less you can share and leave behind when you go to the World Wide Web in a public Wi-Fi, the better.

When you go to a coffee shop or a library, use these networks to catch up with that e-book you want to read, go through the daily news pages, or even check the latest sports-related scores and developments. Try to stay away from online banks and social media accounts.

Use your data plan and avoid Wi-Fi altogether

Hackers, cybercriminals, and even crypto miners trying to use your device to produce cryptocurrency money that you will never see tend to position themselves in public Wi-Fi networks. However, if you use the data plan for your phone, then they will have no access to what you do or share within the mentioned hotspot.

Your phone’s data plan won’t protect you from the things you do or share on the Internet, though. As long as you have that in mind, you won’t necessarily have to add another risk to your online security by connecting to a public hotspot.

Connect to the Internet through an Ethernet cable

Hackers like to hide in public Wi-Fi networks by taking advantage of vulnerabilities in the signal. From that position, they can inflict irreparable damage on naïve people that connect on these hotspots without a clue of what can happen if they are unprotected.

However, if you connect directly to the router, you would be bypassing most of the dangers of the wireless signal and the possible hackers lurking on it. The only way to directly connect your device to the router is with an Ethernet cable. You will sacrifice some comfort and portability, but the things you will gain are much more prominent.

Also Read Aircrack-NG: Complete Suite Tools To Assess WiFi Network Security

Use the HTTPS protocol whenever possible

The HyperText Transfer Protocol (HTTP) is the key that lets us open and enjoys websites on the Internet. However, it is highly insecure and unreliable, as the things you do or share within the page will not be encrypted and can be visible to external threats and hazardous agents.

The Hyper Text Transfer Protocol Secure (HTTPS,) in turn, will encrypt the communications and requests you send to that particular page. It is far safer than the HTTPS, and more useful for those users than prioritize online and data privacy.

A reliable VPN provider

If you want to feel free and safe while using a public Wi-Fi network, the best thing you can do is hire the services of a VPN provider. Virtual Private Networks (VPN) are online tools for encryption and safe sharing of data through the web.

The VPN technology comes in the form of apps or clients provided by online security companies, in most cases. By using protocols such as OpenVPN, L2TP/IPSec, SSTP, IKEv2, or PPTP, a VPN company will hide your IP address (which is the main element that hackers can use to track you online) and shared content thanks to its ability to build a virtual tunnel to protect that information.

You will effectively avoid hackers, cybercriminals, crypto miners, governmental surveillance agencies, spies and snoopers, online advertising companies, and even your Internet Service Provider (ISP) from collecting and using logs of your activity.

Since the VPN app will mask your IP and lend you a new, temporary one from the location you choose, you will be able to browse the web anonymously and privately, providing a safer experience while using a public Wi-Fi.

You can get secure encryption, fast browsing and streaming speeds by performing the Wifi Speed Test as well as a broad server network provided you select a reliable, trustworthy VPN provider. SurfShark fulfills all the required criteria.

In conclusion, public Wi-Fi networks may be convenient from several angles. However, they are highly insecure, and they host a myriad of hackers, malware, and other threats that can harm your online safety.

Vboxdie Cracker – Virtual Box Disk Image Encryption Password Cracker

Vboxdie Cracker is a virtual box disk image encryption password cracker. User password is stored using a combination of PBKDF2 and AES-XTS, but they can be controlled inside the file format.

Vboxdie Cracker Requirements

  1. PHP >= 5.5.0
  2. OpenSSL >= 1.0.1 (XTS support)

Also ReadCyberChef – A web App For Encryption, Encoding, Compression & Data Analysis

Algorithm Description

User password is stored using a combination of PBKDF2 and AES-XTS as following (shown values are fixed at the moment, but they can be controlled inside the file format):

# 32 for AES-XTS128-PLAIN64
# 64 for AES-XTS256-PLAIN64
AES_key_length = 32 | 64

AES-password = PBKDF2(algorithm: SHA256,
                      password: user_password,
                      salt: random_salt_1,
                      iterations: 2000,
                      output_length: AES_key_length)

PBKDF2-decrypted-password = AES_decrypt(key_size: AES_key_length,
                                        mode: XTS,
                                        data: random_data
                                        password: AES-password,
                                        type: raw,
                                        iv: NULL)

Stored_hash = PBKDF2(algorithm: SHA256,
                     password: PBKDF2-decrypted-password,
                     salt: random_salt_2,
                     iterations: 2000,
                     output_length: 32)

The same process is performed each time the user wants to decrypt the machine disk.

Example Of Usage

$ php VBOXDIECracker.php
VirtualBox Disk Image Encryption cracker

Usage: VBOXDIECracker.php disk_image.vbox [wordlist]

$ php VBOXDIECracker.php Encrypted.vbox wordlist.txt
VirtualBox Disk Image Encryption cracker

[+] Reading data from: Encrypted.vbox
----------------------------------------------------------------
[+] Checking hard disk encryption for: Encrypted.vdi
[+] Hard disk is encrypted
[+] KeyStore encoded string:
        U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB
        MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAAASAniX2ss6TE/u9IdinWigcwAg2bXe
        dJRAjHr5mvCCiSAAAAAntQHDFvSfwpay/jKFVzUWc4GsIJ/RwMg+XkG2b/PDWtAH
        AACKj0qUg37sG7TWmi58n/rcXmWVNt9FqBxGZiz2a+leWNAHAABAAAAA6qVV8nOu
        r58RVxKP0cNRfXyu9D7JqqVAaRfNE3LFdoz4hXxWWWcxjOGBJA/BQ5VuwvrDxO8O
        YpwYgl3yKOcewg==
[+] KeyStore contents:
        Header                        454e4353 (SCNE)
        Version                       1
        Algorithm                     AES-XTS256-PLAIN64
        KDF                           PBKDF2-SHA256
        Key length                    64
        Final hash                    12027897dacb3a4c4feef487629d68a0730020d9b5de7494408c7af99af08289
        PBKDF2 2 Key length           32
        PBKDF2 2 Salt                 27b501c316f49fc296b2fe32855735167381ac209fd1c0c83e5e41b66ff3c35a
        PBKDF2 2 Iterations           2000
        PBKDF2 1 Salt                 8a8f4a94837eec1bb4d69a2e7c9ffadc5e659536df45a81c46662cf66be95e58
        PBKDF2 1 Iterations           2000
        EVP buffer length             64
        PBKDF2 2 encrypted password   eaa555f273aeaf9f1157128fd1c3517d7caef43ec9aaa5406917cd1372c5768c
                                      f8857c565967318ce181240fc143956ec2fac3c4ef0e629c18825df228e71ec2
[+] Cracking finished, measured time: 6.13035 seconds
[!] KeyStore password found: 123
----------------------------------------------------------------
[+] Checking hard disk encryption for: New_Disk.vdi
[-] Hard disk is not encrypted

Singularity – A DNS Rebinding Attack Framework

Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine’s IP address and to serve attack payloads to exploit vulnerable software on the target machine.

It also ships with sample payloads to exploit several vulnerable software versions, from the simple capture of a home page to performing remote code execution. It aims at providing a framework to facilitate the exploitation of software vulnerable to DNS rebinding attacks and to raise awareness on how they work and how to protect from them.

How Do DNS Rebinding Attacks Work?

DNS rebinding changes the IP address of an attacker controlled machine name to the IP address of a target application, bypassing the same-origin policy and thus allowing the browser to make arbitrary requests to the target application and read their responses. The Singularity DNS server is responding with short time to live (TTL) records, minimizing the time the response is cached. When the victim browses to the Singularity manager interface, the Singularity’s DNS server first responds with the IP address of Singularity itself where the client-side code (payload) is hosted. When the DNS record times out, the Singularity DNS server responds with the IP address of the target host (e.g. 127.0.0.1) and the victim’s browser can access the target application, circumventing the browser’s same-origin policy.

It is also possible to trigger DNS rebinding before a cached DNS record expires, depending of the target platform and using a combination of techniques that are described in later sections.

Also ReadhideNsneak – A CLI For Ephemeral Penetration Testing

Singularity Features

  • Singularity provides a complete DNS rebinding attack delivery stack:
    • Custom DNS server to rebind DNS name and IP address mapping from the attacker web server address to the target machine address
    • HTTP server to serve HTML pages and JavaScript code to targets and to manage the attacks
    • Several sample attack payloads, ranging from grabbing the home page of a target application to performing remote code execution. These payloads can be easily adapted to perform new and custom attacks.
  • Supports concurrent users
  • Provides several DNS rebinding strategies, including sequential mapping from the attacker to the target IP address and random mapping, to minimize the impact of IDS/IPS interfering with the attack
  • A number of technical controls to maximize the reliability and speed of attacks:
    • Disabling HTTP keep alive, caching, DNS prefetching
    • Aggressive DNS response TTLs
    • Option to use DNS CNAME instead of A records to evade several DNS filtering solutions
    • Near instant rebinding for several browser and OS combinations, using multiple DNS answers and dynamic HTTP port blocking.
  • Ability to allocate HTTP servers at startup or dynamically thereafter
    • A convenience feature to avoid restarting Singularity to listen on a different HTTP port.
    • To lay the ground work to attack vulnerable ports discovered after a scan.

Requirements

  • A DNS domain name from a domain registrar such as gandi or namecheap. You need be able to add and edit your own DNS records for your domain.
  • A Linux server instance from a hosting provider such as Linode, Amazon AWS, Google Cloud, Microsoft Azure etc.

Setup

Let’s say that we want to retrieve the homepage of a tool listening on localhost, port 8080, of a victim desktop machine from domain “dynamic.your.domain.” You personally own/manage domain “your.domain.” You will mount attacks from a server with IP address “ip.ad.dr.ss“. This server will run the Singularity DNS and HTTP servers.

On the DNS Registrar Web Management Interface

Configure appropriate DNS records to delegate the management of a test subdomain (“dynamic.your.domain.“) of a domain you own (“your.domain.“) to the Singularity’s DNS server that we will deploy shortly:

  • A Name: “rebinder”, IPv4: “ip.ad.dr.ss
  • NS Name: “dynamic”, Hostname: “rebinder.your.domain.

This sample setup informs DNS clients, including browsers, that “ip.ad.dr.ss” answers queries for any subdomains under “.dynamic.your.domain.“, e.g. “foo.dynamic.your.domain.”. This also permits one to access the Singularity management console using the “rebinder.your.domain” DNS name with a web browser.

On the Attacker Host

Install Golang

Follow the instructions from the official Go Programming Language web site.

Obtain Singularity

Open a terminal and type the following command:

go get -v github.com/nccgroup/singularity/

Compile

$ cd ~/go/src/github.com/nccgroup/singularity/cmd/singularity-server
$ go build

Deploy

  • Deploy the “html” directory in let’s say “~/singularity“.
  • Deploy the singularity-server binary in “~/singularity“.
$ cd ~/
$ mkdir -p singularity/html
$ cp ~/go/src/github.com/nccgroup/singularity/cmd/singularity-server ~/singularity/
$ cp ~/go/src/github.com/nccgroup/singularity/html/* /singularity/html/*

Run

Start singularity-server with sudo ./singularity-server --HTTPServerPort 8080. This will use a DNS rebinding strategy based on the content of the DNS query by default e.g. s-ip.ad.dr.ss-127.0.0.1-<random_number>--e.dynamic.your.domain will return first “ip.ad.dr.ss“, the attacker host IP address, then “127.0.0.1” for subsequent queries for a limited period of time.

Note: You will need to verify that other services do not listen on ports required by Singularity.

Minimum required ports:
  • UDP 53 (DNS)
  • TCP 8080 (configurable default port for the manager web interface)
  • The port where the vulnerable application is running (e.g. port 3000 for the Ruby on Rails Web Console or port 9333 for VS Code Chrome DevTools)

On Ubuntu 18.04 LTS, by default, systemd-resolved is listening on the localhost UDP port 53. This will prevent Singularity from starting. Disable systemd-resolved with this command: sudo systemctl disable --now systemd-resolved.service. Next, update the file /etc/resolv.conf to make sure it does not contain nameserver 127.0.0.53 but something like nameserver 8.8.8.8. Replace 8.8.8.8 with the IP address of the DNS server of your choosing (e.g. nameserver 169.254.169.254 on GCP).

Firewalls

Singularity requires multiple ports exposed to the Internet (or at least to the network from which you access the tool via your browser). The minimum required ports are UDP 53 for DNS and the port where the Singularity manager web interface is running. The default port for the manager web interface is TCP port 8080. Additionally, Singularity requires that the payload is served from the same port where the vulnerable/exploited application is running on to not violate the same-origin policy.

Minimum required ports are listed above.

Please check with your hosting provider to configure allowed inbound ports:

Test

On the Victim Host

  • Deploy a local test service with python -c 'import
    BaseHTTPServer as bhs, SimpleHTTPServer as shs;
    bhs.HTTPServer(("127.0.0.1", 8080),
    shs.SimpleHTTPRequestHandler).serve_forever()'     from a directory containing some test data files, on your client machine.
  • Browse to “http://rebinder.your.domain:8080/manager.html“.
  • Ensure that the following fields contain the correct information:
    • “Attack Host Domain” e.g. “dynamic.your.domain
    • “Attack Host” e.g. “ip.ad.dr.ss
    • “Target Port” e.g. 8080
    • “Attack Payload”, “payload-simple-fetch-get.html”.
  • Click on “Start Attack”.
  • The content of your victim host directory should be displayed within a few seconds/minutes in an alert box.

Browser Support

Singularity has been tested to work in the following browsers:

Browser Operating System Time to Exploit
Firefox Windows 7 / 10 ~1 min
Chrome Windows 7 / 10 ~1 min
Firefox Ubuntu ~1 min
Chromium Ubuntu ~1 min
Edge Windows 10 ~21 to ~49 min
Firefox macOS ~1 min
Chrome macOS ~1 min
Safari macOS ~1 min
Chrome Android ~1 min
Firefox Android ~1 min
Safari iOS ~1 min
Firefox iOS ~1 min

The above was tested with Singularity’s default conservative settings:

  • DNS rebinding strategy: DNSRebindFromQueryFirstThenSecond
  • Fetch interval (Web interface): 20s
  • Target: 127.0.0.1.

Much faster attacks can be achieved in certain configurations, as detailed in the table below:

Browser Operating System Time to Exploit Rebinding Strategy Fetch Interval Target Specification
Chrome Windows 10 ~3s DNSRebindFromQueryMultiA 1s 127.0.0.1
Edge Windows 10 ~3s DNSRebindFromQueryMultiA 1s 127.0.0.1
Firefox Windows 10 ~3s DNSRebindFromQueryMultiA 1s 127.0.0.1
Chromium Ubuntu ~3s DNSRebindFromQueryMultiA 1s 0.0.0.0
Firefox Ubuntu ~3s DNSRebindFromQueryMultiA 1s 0.0.0.0
Chrome macOS ~3s DNSRebindFromQueryMultiA 1s 0.0.0.0
Firefox macOS ~3s DNSRebindFromQueryMultiA 1s 0.0.0.0
Safari macOS ~3s DNSRebindFromQueryMultiA 1s 0.0.0.0

We will add more platforms as we test them. We elected a delay of 3s to perform DNS rebinding to cater for targets with a poor connection to the internet/network.

Using Singularity

When Singularity is run without arguments, the manager web interface listens on TCP port 8080. Browse to that port to configure and launch the DNS rebinding attack.

Personalizing The Manager Configuration File

Singularity comes with a default configuration file in html/manager-config.json. You can modify this file to change the default parameters, such as the attackHostDomain, the attackHostIPAddress, and the attackPayloads. You need to edit this file if you add your own payloads. You do not need to edit the configuration file if you want to use existing payloads as you can change the parameters in the web interface.

Server Arguments

Launch the Singularity binary, (singularity-server), with the -h parameter to see its parameters.

  • -DNSRebindStrategy string : Specify how to respond to DNS queries from a victim client. The supported strategies are:
    • DNSRebindFromQueryRoundRobin
    • DNSRebindFromQueryFirstThenSecond (default)
    • DNSRebindFromQueryRandom
    • DNSRebindFromQueryMultiA (requires Linux iptables)
  • -HTTPServerPort value : Specify the attacker HTTP Server port that will serve HTML/JavaScript files. Repeat this flag to listen on more than one HTTP port.
  • -ResponseIPAddr string : Specify the attacker host IP address that will be rebound to the victim host address using strategy specified by flag -DNSRebingStrategy (default value is 192.168.0.1).
  • -ResponseReboundIPAddr string : Specify the victim host IP address that is rebound from the attacker host address (default value is 127.0.0.1).
  • -dangerousAllowDynamicHTTPServers Specify if any target can dynamically request Singularity to allocate an HTTP Server on a new port. This feature may be dangerous as it allows opening new ports via the unauthenticated web interface.
  • -responseReboundIPAddrtimeOut int : Specify a delay in seconds for which we will keep responding with Rebound IP Address after the last query. After the delay, we will respond with ResponseReboundIPAddr. The default is 300 seconds.

Manager UI

The manager web interface is where you configure and launch the DNS rebinding attack. It listens on port 8080 by default. The following table describes all form fields and buttons in the manager interface:

Field Name Description
Attack Host Domain This is the (sub-)domain where the Singularity web server is running. Default value: dynamic.rebind.it
Attack Host This is the IP address where the manager and the attack payloads are hosted. Default value: xxx.xxx.xxx.xxx
Target Host This is the IP address of the target system where the victim (target) application is running. Default value: 127.0.0.1
Target Port This is the port where the victim (target) application is listening on. Default value: 8080
Request New Port This will request Singularity to listen on a new port. This feature is only available when Singularity has been started with the -dangerouslyAllowDynamicHTTPServers command line option.
Attack Payload This is where you select the payload, i.e. which application you are trying to exploit.
Start Attack Start the DNS rebinding attack. Be patient and wait for at least one minute. Open the browser web console to see debugging logs.
Toggle Advanced Options This button will enable the advanced fields described below.
Interval How long to wait between connection attempts to the target application in seconds. Default value: 20
Index Token The index token is used by Singularity to detect if the rebinding has happened yet. Default value: thisismytesttoken

Payloads Description

Singularity supports the following attack payloads:

  • Basic fetch request (payload-simple-fetch-get.html): This sample payload makes a GET request to the root directory (‘/’) and shows the server response using the fetch API. The goal of this payload is to function as example request to make additional contributions as easy as possible.
  • Basic XHR request (payload-simple-xhr-get.html): Another sample payload to make a GET request to the root directory (‘/’) and showing the server response using XMLHttpRequest (XHR).
  • Chrome DevTools (payload-exposed-chrome-devtools.html): This payload demonstrates a remote code execution (RCE) vulnerability in Microsoft VS Code fixed in version 1.19.3. This payload can be adapted to exploit any software that exposes Chrome Dev Tools on localhost.
  • etcd (payload-etcd.html): This payload retrieves the keys and values from the etcd key-value store.
  • pyethapp (payload-pyethapp.html): Exploits the Python implementation of the Ethereum client Pyethapp to get the list of owned eth addresses and retrieve the balance of the first eth address.
  • Rails Web Console (payload-rails-webconsole.html): Performs a remote code execution (RCE) attack on the Rails Web Console.
  • AWS Metadata (payload-aws-metadata.html): Forces a headless browser to exfiltrate AWS metadata including private keys to a given host. Check the payload contents for additional details on how to setup the attack.

Creating Your Own Payloads

Creating your own payloads is as simple as copying the sample payload HTML file (payload-simple-fetch-get.html) and modify it according to your needs. The sample payload makes a single GET request and displays the response. Start with copying the content of this file to a new .html file and add its name to the attackPayloads list in the manager-config.json file. Then modify the new HTML file to change the request URL for example.

Preventing DNS Rebinding Attacks

DNS rebinding attacks can be prevented by validating the “Host” HTTP header on the server-side to only allow a set of whitelisted values. For services listening on the loopback interface, this set of whitelisted host values should only contain localhost and all reserved numeric addresses for the loopback interface, including 127.0.0.1.

For instance, let’s say that a service is listening on address 127.0.0.1, TCP port 3000. Then, the service should check that all HTTP request “Host” header values strictly contain “127.0.0.1:3000” and/or “localhost:3000”. If the host header contains anything else, then the request should be denied.

Depending on the application deployment model, you may have to whitelist other or additional addresses such as 127.0.0.2, another reserved numeric address for the loopback interface.

For services exposed on the network (and for any services in general), authentication should be required to prevent unauthorized access.

Filtering DNS responses containing private, link-local or loopback addresses, both for IPv4 and IPv6, should not be relied upon as a primary defense mechanism against DNS rebinding attacks. Singularity can bypass some filters in certain conditions, such as responding with a localhost CNAME record when targeting an application via the Google Chrome browser for instance.

Advanced Techniques

  • Use the -DNSRebindStrategy DNSRebindFromQueryRandom DNS rebinding strategy instead of the default - DNSRebindStrategy DNSRebindFromQueryFirstThenSecond if you suspect the presence of an IDS in one or more environments that sends several DNS requests to the attack server in addition to the actual target. This will ensure that the target will eventually obtain the required IP address, albeit a bit more slowly.
  • Singularity responds with a DNS CNAME instead of an A record if one specifies “localhost” as the target instead of “127.0.0.1”. This works around DNS filtering of responses containing “127.0.0.1” in some configurations. Some browsers appear to perform their own lookup upon reception of a CNAME record containing “localhost”. Chrome populates its DNS cache with both “127.0.0.1” and “::1” in particular. Related: https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-06.
  • Similarly, specifying “0.0.0.0” on Mac and Linux, which corresponds to “this host, on any interface” on these platforms may work around some filters/controls.

Useful Notes and Other Loose Ends

  • Cross-platform compilation: go to “~/singularity/cmd/singularity-server/” and type env GOOS=linux GOARCH=amd64 go build for a Linux build or go build from a mac OS machine for a Mac build.
  • The fetch API based attack scripts in the “html” directories will stop after 5 attempts if there are network errors.
  • Going to chrome://net-internals/#dns in the Chrome browser is great for debugging.
  • Test dig query: dig "s-ip.ad.dr.ss-127.0.0.1-<random_number>--e.dynamic.your.domain" @ip.ad.dr.ss
  • sudo ./singularity-server -HTTPServerPort 8080 -HTTPServerPort 8081 -dangerouslyAllowDynamicHTTPServers starts a server on port 8080 and 8081 and enables requesting dynamically one additional HTTP port via the Manager interface.
  • Testing a service for a DNS rebinding vulnerability: In an HTTP intercepting proxy such as Portswigger’s Burp Suite, replay a request to localhost, replacing the host header value e.g. “localhost” with “attacker.com”. If the request is accepted, chances are that you have found a DNS rebinding vulnerability. What you can do after, the impact, depends on the vulnerable application.
  • Use the DNSRebindFromQueryMultiA strategy for instant rebinding when supported by the target browser/OS combination and with the tested settings, summarized in the table above.
  • The DNSRebindFromQueryMultiA rebinding strategy does not support the “localhost” target value if trying to evade IPS/IDS and DNS filters.

Screenshot

Singularity Manager Interface

Fetch a Vulnerable Application Home Page on Localhost

Disclaimer

This tool was built with the purpose of showing the concept of DNS rebinding. This software should not be used for illegal activity. The authors are not responsible for its use. Only use this tool to attack systems for which you have permission to.

Inspired By: Taviso’s rbndr service & Blizzard DNS rebinding test case

Nmap-Bootstrap-XSL : A Nmap XSL implementation with Bootstrap

Nmap-Bootstrap-XSL is a  Nmap XSL implementation with Bootstrap.

Nmap-Bootstrap-XSL Usage

  • Add the nmap-bootstrap.xsl as stylesheet to your Nmap scan.
  • Example:
nmap -sS -T4 -A -sC -oA scanme --stylesheet https://raw.githubusercontent.com/honze-net/nmap-bootstrap-xsl/master/nmap-bootstrap.xsl scanme.nmap.org scanme2.nmap.org
  • Open the scanme.xml with your Web browser. It should look like the scanme.html sample report.
  • Alternatively you can transform the xml to html with
xsltproc -o scanme.html nmap-bootstrap.xsl scanme.xml
  • You will need to download the nmap-bootstrap.xsl beforehand.

Also Read4nonimizer – A Bash Script For Anonymizing The Public IP Used To Browsing Internet

Old scans

  • You can also format old scans with the xsl stylesheet.
  • Insert <?xml-stylesheet
    href="https://raw.githubusercontent.com/honze-net/nmap-bootstrap-xsl/master/nmap-bootstrap.xsl"
    type="text/xsl"?>     after <!DOCTYPE nmaprun>.

Screenshots

HackBar : HackBar plugin for Burpsuite v1.0

HackBar is a java based Burpsuite Plugin. It is tested and working perfectly on Burpsuite 1.7.36, Windows 10 and xubuntu 18.04. In order to use Hackar basic requirements is Burpsuite and Java.

How to Install HackBar

Download Jar 'https://github.com/d3vilbug/HackBar/releases/tag/1.0' and add in burpsuite

Upcoming Features/Modules

  • Ctrl + H (shortcut)
  • WAF bypass (SQLi)
  • Decoder/Encoder
  • Simulate Attack (Automatically test complete cheat sheet with one click)

Network Attacker : WiFi Stress Testing Beacon Flooding & De-authentication Attack

Network Attacker V0.1 is a Wifi Stress Testing Bash Script Program Based on Mdk3 Beacon Flooding & Deauthentication Attack.  This was created to help beginners and even professionals for a eacon flooding Or deauthentication attack on networks.

Also ReadLeaked 2.0 – A Checking tool for Hash codes, Passwords and Emails leaked

Network Attacker Installation

sudo apt-get install git
sudo git clone https://github.com/TunisianEagles/network-attacker.git
cd network-attacker
sudo chmod +x install.sh
sudo chmod +x network_attacker.sh
./install.sh
./network_attacker.sh

Tested On :

  • Backbox linux
  • Ubuntu
  • Debian
  • Kali linux
  • Parrot OS

Screenshot

Credit: Belahsan Ouerghi

 

hideNsneak – A CLI For Ephemeral Penetration Testing

hideNsneak application assists in managing attack infrastructure for penetration testers by providing an interface to rapidly deploy, manage, and take down various cloud services. These include VMs, domain fronting, Cobalt Strike servers, API gateways, and firewalls.

hideNsneak Overview

hideNsneak provides a simple interface that allows penetration testers to build ephemeral infrastructure — one that requires minimal overhead. hideNsneak can:

  • deploy, destroy, and list
  1. Cloud instances via EC2 and Digital Ocean (Google Cloud, Azure, and Alibaba Cloud coming soon)
  2. API Gateway (AWS)
  3. Domain fronts via AWS Cloudfront and Google Cloud Functions (Azure CDN coming soon)
  • Proxy through infrastructure
  • Deploy C2 redirectors
  • Send and receive files
  • Port scanning via NMAP
  • Remote installations of Burp Collab, Cobalt Strike, Socat, LetsEncrypt, GoPhish, and SQLMAP
  • work with teams teams

Running locally

A few disclosures for V 1.0:

  • At this time, all hosts are assumed Ubuntu 16.04 Linux.
  • Setup is done on your local system (Linux and Mac Only). In the future, we’re hoping to add on a docker container to decrease initial setup time
  • The only vps providers currently setup are AWS and Digital Ocean
  • You need to make sure that go is installed. Instructions can be found here
  • the GOPATH environment variable MUST be set
  1. Create a new AWS S3 bucket in us-east-1
    • Ensure this is not public as it will hold your terraform state
  2. go get github.com/rmikehodges/hideNsneak
  3. cd $GOPATH/src/github.com/rmikehodges/hideNsneak
  4. ./setup.sh
  5. cp config/example-config.json config/config.json
    • fill in the values
    • aws_access_id, aws_secret_key, aws_bucket_name, public_key, private_key, ec2_user, and do_user are required at minimum
    • all operators working on the same state must have config values filled in all the same fields
    • private and public keys must be the same for each operator
  6. now you can use the program by running ./hidensneak [command]

Also ReadDoor404 – Door404 is Open Source Project

Commands

  • hidensneak help –> run this anytime to get available commands
  • hidensneak instance deploy
  • hidensneak instance destroy
  • hidensneak instance list
  • hidensneak api deploy
  • hidensneak api destroy
  • hidensneak api list
  • hidensneak domainfront enable
  • hidensneak domainfront disable
  • hidensneak domainfront deploy
  • hidensneak domainfront destroy
  • hidensneak domainfront list
  • hidensneak firewall add
  • hidensneak firewall list
  • hidensneak firewall delete
  • hidensneak exec command -c
  • hidensneak exec nmap
  • hidensneak exec socat-redirect
  • hidensneak exec cobaltstrike-run
  • hidensneak exec collaborator-run
  • hidensneak socks deploy
  • hidensneak socks list
  • hidensneak socks destroy
  • hidensneak socks proxychains
  • hidensneak socks socksd
  • hidensneak install burp
  • hidensneak install cobaltstrike
  • hidensneak install socat
  • hidensneak install letsencrypt
  • hidensneak install gophish
  • hidensneak install nmap
  • hidensneak install sqlmap
  • hidensneak file push
  • hidensneak file pull

For all commands, you can run --help after any of them to get guidance on what flags to use.

Organization

  • _terraform –> terraform modules
  • _ansible –> ansible roles and playbooks
  • _assets –> random assets for the beauty of this project
  • _cmd –> frontend interface package
  • _deployer –> backend commands and structs
  • main.go –> where the magic happens

IAM Permissions

Google Domain Fronting

  • App Engine API Enabled
  • Cloud Functions API Enabled
  • Project editor or higher permissions

Miscellaneous

A default security group hideNsneak is made in all AWS regions that is full-open. All instances are configured with iptables to only allow port 22/tcp upon provisioning.

If your program starts throwing terraform errors indicating a resource is not found, then you may need to remove the problematic terraform resources. You can do this by running the following:

cd $GOPATH/src/github.com/rmikehodges/hideNsneak/terraform

terraform state rm <name of problem resource>

This resource will need to be cleaned up manually if it still exists.

Troubleshooting

Error: configuration for module name here is not present; a provider configuration block is required for all operations

This is usually due to artifacts being left in the state from old deployments. Below are instructions on how to remove those artifacts from your state. If they are live resources, they will need to be manually destroyed via the cloud provider’s administration panel.

  • cd $GOPATH/src/github.com/rmikehodges/hideNsneak/terraform
  • terraform state rm <module or resource name>

Error: Error locking state: Error acquiring the state lock: ConditionalCheckFailedException: The conditional request failed status code: 400, request id: P7BUM7NA56LQEJQC20A3SE2SOVVV4KQNSO5AEMVJF66Q9ASUAAJG Lock Info: ID: 4919d588-6b29-4aa7-d917-2bcb67c14ab4

If this does not go away after another user has finished deploying then it is usually due to to Terraform not automatically unlocking your state in the face of errors. This can be fixed by running the following:

  • terraform force-unlock <ID> $GOPATH/src/github.com/rmikehodges/hideNsneak/terraform

Note that this will unlock the state so it may have an adverse affect on any other writes happening in the state so make sure your other users are not actively deploying/destroying anything when you run this.

Leaked 2.0 – A Checking tool for Hash codes, Passwords and Emails leaked

Leaked 2.0 is A Checking tool for Hash codes and Passwords and Emails leaked, uses leakz module from Aidan Holland, and leakz module uses API from Aurelius Wendelken.

Leaked? can work in any OS if they have support Python 3 and 2.

What’s new In Leaked 2.0 ?

  • Check email leaked
  • Update
  • More friendly for users
  • Support Python 2 and 3

Also ReadDroidefense – Advance Android Malware Analysis Framework

Features

  • Passwords leaked
  • Hash code leaked
  • Email leaked NEW!
  • Update NEW!
  • Exit
  • About Author

Install and Run in Linux

sudo apt update && apt install python3 python3-pip
git clone https://github.com/GitHackTools/Leaked
cd Leaked
pip3 install -r requirements.txt
pip install -r requirements.txt
python3 leaked.py

or python leaked.py

Install and Run in Windows

Download and run Python 3 setup file from Python.org. In Install Python 3 , enable Add Python 3.7 to PATH and For all users

Download and run Git setup file from Git-scm.com, choose Use Git from Windows Command Propmt.

Once completed, please Run Command Propmt or PowerShell and enter below commands:

git clone https://github.com/GitHackTools/Leaked
cd Leaked
pip install -r requirements.txt
python leaked.py

Update Leaked?

git pull -f

Screenshots

Credit: GitHackTools