KitPloit - PenTest & Hacking Tools: leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security (feed updated 2024-03-19)

2024-01-08: CATSploit - An Automated Penetration Testing Tool Using Cyber Attack Techniques Scoring<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha7n_zcxvkwsQOFSeFgxPq6D8SJ_lLK-CKCGBZsXuPOe6prZW-G_A1CP4T_UmPKy4vqisac21QZ3TgX70oT2YoA4vD-lWgwTir1n959dERH8742vEDYd5r4vBCJLMzRP2KMtbv0LdVO0dL4lEo1kCty086m9SLph3lSbTr3n4sGhyMjd2m6Hj2mvh8zerd/s1792/CATSploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1792" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha7n_zcxvkwsQOFSeFgxPq6D8SJ_lLK-CKCGBZsXuPOe6prZW-G_A1CP4T_UmPKy4vqisac21QZ3TgX70oT2YoA4vD-lWgwTir1n959dERH8742vEDYd5r4vBCJLMzRP2KMtbv0LdVO0dL4lEo1kCty086m9SLph3lSbTr3n4sGhyMjd2m6Hj2mvh8zerd/w640-h366/CATSploit.png" width="640" /></a></div><p><br /></p> <p dir="auto">CATSploit is an automated <a href="https://www.kitploit.com/search/label/Penetration%20Testing" target="_blank" title="penetration testing">penetration testing</a> tool that uses the Cyber Attack Techniques Scoring (CATS) method and can be used without a pentester. Currently, pentesters implicitly select the attack techniques suited to the target systems they attack. CATSploit uses system configuration information, such as the OS, open ports and software versions collected by a scanner, and calculates a capture score (eVc) and a detectability score (eVd) for each attack technique against the target system. 
By selecting the highest score values, the most appropriate attack technique for the target system can be chosen without the "hack knack" (a professional pentester's skill).</p> <p dir="auto">CATSploit automatically performs <a href="https://www.kitploit.com/search/label/Penetration%20Tests" target="_blank" title="penetration tests">penetration tests</a> in the following sequence:</p> <ol dir="auto"> <li> <p dir="auto"><strong>Information gathering and prior information input</strong> First, <a href="https://www.kitploit.com/search/label/Gathering%20Information" target="_blank" title="gathering information">gathering information</a> about the target systems. CATSploit supports nmap and OpenVAS for gathering information about target systems, and also accepts prior information about the target systems if you have it.</p> </li> <li> <p dir="auto"><strong>Calculating score values of attack techniques</strong> Using the information obtained in the previous phase and the attack techniques database, the evaluation values for capture (eVc) and detectability (eVd) of each attack technique are calculated. The values are calculated per target computer for every attack technique.</p> </li> <li> <p dir="auto"><strong>Selecting attack techniques by score and building the attack scenario</strong> Attack techniques are selected and attack scenarios created according to pre-defined policies. For example, under a policy that prioritizes being hard to detect, the attack techniques with the lowest eVd (detectability score) are selected.</p> </li> <li> <p dir="auto"><strong>Execution of the attack scenario</strong> CATSploit executes the attack techniques according to the attack scenario constructed in the previous phase. 
CATSploit uses Metasploit as its framework and the Metasploit API to execute the actual attacks.</p></li></ol><div><br /></div> <h2 dir="auto" tabindex="-1">Prerequisites</h2> <p dir="auto">CATSploit has the following prerequisites:</p> <ul dir="auto"> <li>Kali Linux 2023.2a</li> </ul> <h2 dir="auto" tabindex="-1">Installation</h2> <p dir="auto">Metasploit, Nmap and OpenVAS are assumed to be installed as part of the <a href="https://www.kali.org/" rel="nofollow" target="_blank" title="Kali Distribution">Kali Distribution</a>.</p> <h4 dir="auto" tabindex="-1">Installing CATSploit</h4> <p dir="auto">To install the latest version of CATSploit, please use the following commands:</p> <h5 dir="auto" tabindex="-1">Cloning and setup</h5> <div><pre><code>$ git clone https://github.com/catsploit/catsploit.git<br />$ cd catsploit<br />$ git clone https://github.com/catsploit/cats-helper.git<br />$ sudo ./setup.sh<br /></code></pre></div> <h4 dir="auto" tabindex="-1">Editing configuration file</h4> <p dir="auto">CATSploit has a client-server architecture; the server reads its JSON configuration file at startup. 
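An added example (not CATSploit's own code) of the score-driven selection that phases 2 and 3 above describe: every candidate scenario carries a capture score eVc and a detectability score eVd, and a pre-defined policy decides which one wins. The policy names, the tie-break order and the capture floor (min_evc) are assumptions made for this example; the sample rows are copied from the 'scenario list' output shown later in this post.

```python
# Added example, not CATSploit's own code: ranking the scenarios CATSploit
# reports (eVc = capture score, eVd = detectability score, number of steps)
# under a pre-defined policy, as phases 2 and 3 describe. The policy names,
# the tie-break order and the capture floor are assumptions made for this
# example; the sample rows are copied from the 'scenario list' output in
# this post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    scenario_id: str
    evc: float   # capture score: higher means the technique is more likely to succeed
    evd: float   # detectability score: lower means the technique is harder to detect
    steps: int   # number of attack steps in the scenario


# Each policy is a sort key; the first element is the primary criterion.
POLICIES = {
    # "hard to detect": lowest eVd, then highest eVc, then fewest steps
    "stealth": lambda s: (s.evd, -s.evc, s.steps),
    # "most likely to capture": highest eVc, then lowest eVd, then fewest steps
    "capture": lambda s: (-s.evc, s.evd, s.steps),
    # "shortest chain": fewest steps, then highest eVc, then lowest eVd
    "shortest": lambda s: (s.steps, -s.evc, s.evd),
}


def rank(scenarios, policy, min_evc=0.0):
    """Order scenarios by the policy after dropping those whose eVc is below min_evc.

    sorted() is stable, so scenarios that tie on every criterion keep their input order.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}; choose one of {sorted(POLICIES)}")
    candidates = [s for s in scenarios if s.evc >= min_evc]
    return sorted(candidates, key=POLICIES[policy])


def select(scenarios, policy, min_evc=0.0):
    """Return the id of the best scenario under the policy, or None if nothing qualifies."""
    ranked = rank(scenarios, policy, min_evc)
    return ranked[0].scenario_id if ranked else None


# Rows from the 'scenario list' table in this post (src 0.0.0.0, target 192.168.0.10).
SAMPLE_SCENARIOS = [
    Scenario("3d3ivc", 1.0, 32.0, 1),
    Scenario("5gnsvh", 1.0, 53.76, 2),
    Scenario("6nlxyc", 0.0, 48.32, 2),
    Scenario("8jos4z", 0.7, 72.8, 2),
    Scenario("8kmmts", 0.0, 32.0, 1),
    Scenario("agjmma", 0.0, 24.0, 1),
    Scenario("joglhf", 70.0, 60.0, 1),
    Scenario("rmgrof", 100.0, 32.0, 1),
    Scenario("xuowzk", 0.0, 24.0, 1),
    Scenario("yttv51", 0.01, 53.76, 2),
    Scenario("znv76x", 0.01, 53.76, 2),
]

if __name__ == "__main__":
    # A pure "hard to detect" policy picks a scenario with eVc 0.0, i.e. one that is
    # quiet but not expected to capture anything; a capture floor avoids that.
    for policy, floor in (("stealth", 0.0), ("stealth", 1.0), ("capture", 0.0), ("shortest", 0.0)):
        print(f"{policy:9s} min_evc={floor:<4} -> {select(SAMPLE_SCENARIOS, policy, floor)}")
```

Sorting on eVd alone selects a scenario with eVc 0.0, which is quiet precisely because it is not expected to capture anything; a floor on eVc, or a policy that weighs both scores, is what makes a "hard-to-detect" policy useful. The same ranking tells a defender which technique an automated tool of this kind will try first against a host with a given scan result.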
In <code>config.json</code>, the following fields should be modified for your environment.</p> <ul dir="auto"> <li>DBMS <ul dir="auto"> <li>dbname: database name created for CATSploit</li> <li>user: username of PostgreSQL</li> <li>password: password of PostgreSQL</li> <li>host: If you are using a database on a remote host, specify the IP address of the host</li> </ul> </li> <li>SCENARIO <ul dir="auto"> <li>generator.maxscenarios: Maximum number of scenarios to calculate (*)</li> </ul> </li> <li>ATTACKPF <ul dir="auto"> <li>msfpassword: password of MSFRPCD</li> <li>openvas.user: username of PostgreSQL</li> <li>openvas.password: password of PostgreSQL</li> <li>openvas.maxhosts: Maximum number of hosts to be tested at the same time (*)</li> <li>openvas.maxchecks: Maximum number of test items to be tested at the same time (*)</li> </ul> </li> <li>ATTACKDB <ul dir="auto"> <li>attack_db_dir: Path to the folder where AttackSteps are stored</li> </ul> </li> </ul> <p dir="auto">(*) Adjust the number according to the specs of your machine.</p> <h2 dir="auto" tabindex="-1">Usage</h2> <p dir="auto">To start the server, execute the following command:</p> <div><pre><code>$ python cats_server.py -c [CONFIG_FILE]<br /></code></pre></div> <p dir="auto">Next, prepare another console, start the client program, and initiate a connection to the server.</p> <div><pre><code>$ python catsploit.py -s [SOCKET_PATH]<br /></code></pre></div> <p dir="auto">After successfully connecting to the server and initializing it, the session will start.</p> <div><pre><code> _________ ___________ __ _ __<br /> / ____/ |/_ __/ ___/____ / /___ (_) /_<br /> / / / /| | / / \__ \/ __ \/ / __ \/ / __/<br />/ /___/ ___ |/ / ___/ / /_/ / / /_/ / / /_<br />\____/_/ |_/_/ /____/ .___/_/\____/_/\__/<br /> /_/<br /><br />[*] Connecting to cats-server<br />[*] Done.<br />[*] Initializing server<br />[*] Done.<br />catsploit><br /></code></pre></div> <p 
dir="auto">The client can execute a variety of commands. Each command can be executed with the <code>-h</code> option to display the format of its arguments.</p> <div><pre><code>usage: [-h] {host,scenario,scan,plan,attack,post,reset,help,exit} ...<br /><br />positional arguments:<br /> {host,scenario,scan,plan,attack,post,reset,help,exit}<br /><br />options:<br /> -h, --help show this help message and exit <br /></code></pre></div> <p dir="auto">I've posted the commands and options below as well for reference.</p> <div><pre><code>host list:<br /> show information about the hosts<br /> usage: host list [-h] <br /> options:<br /> -h, --help show this help message and exit<br /><br />host detail:<br /> show more information about one host<br /> usage: host detail [-h] host_id <br /> positional arguments:<br /> host_id ID of the host for which you want to show information<br /> options:<br /> -h, --help show this help message and exit<br /><br />scenario list:<br /> show information about the scenarios<br /> usage: scenario list [-h]<br /> options:<br /> -h, --help show this help message and exit<br /><br />scenario detail:<br /> show more information about one scenario<br /> usage: scenario detail [-h] scenario_id<br /> positional arguments:<br /> scenario_id ID of the scenario for which you want to show information<br /> options:<br /> -h, --help show this help message and exit<br /><br />scan:<br /> run network-scan and security-scan<br /> usage: scan [-h] [--port PORT] target_host [target_host ...]<br /> positional arguments:<br /> target_host IP address to be scanned<br /> options:<br /> -h, --help show this help message and exit<br /> --port PORT ports to be scanned<br /><br />plan:<br /> planning attack scenarios<br /> usage: plan [-h] src_host_id dst_host_id<br /> positional arguments:<br /> src_host_id originating host<br /> dst_host_id target host<br /> options:<br /> -h, --help show this help message and exit<br /><br />attack:<br /> execute attack scenario<br 
/> usage: attack [-h] scenario_id<br /> positional arguments:<br /> scenario_id ID of the scenario you want to execute<br /><br /> options:<br /> -h, --help show this help message and exit<br /><br />post find-secret:<br /> find confidential information files that can be performed on the pwned host<br /> usage: post find-secret [-h] host_id<br /> positional arguments:<br /> host_id ID of the host for which you want to find confidential information<br /> options:<br /> -h, --help show this help message and exit<br /><br />reset:<br /> reset data on the server<br /> usage: reset [-h] {system} ...<br /> positional arguments:<br /> {system} reset system<br />options:<br /> -h, --help show this help message and exit<br /><br />exit:<br /> exit CATSploit<br /> usage: exit [-h]<br /> options:<br /> -h, --help show this help message and exit<br /></code></pre></div> <h2 dir="auto" tabindex="-1">Examples</h2> <p dir="auto">In this example, we use CATSploit to scan the network, plan the attack scenario, and execute the attack.</p> <div><pre><code>catsploit> scan 192.168.0.0/24<br />Network Scanning ... 100%<br />[*] Total 2 hosts were discovered.<br />Vulnerability Scanning ... 
100%<br />[*] Total 14 vulnerabilities were discovered.<br />catsploit> host list<br />┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓<br />┃ hostID ┃ IP ┃ Hostname ┃ Platform ┃ Pwned ┃<br />┡━━━━━━ ━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩<br />│ attacker │ 0.0.0.0 │ kali │ kali 2022.4 │ True │<br />│ h_exbiy6 │ 192.168.0.10 │ │ Linux 3.10 - 4.11 │ False │<br />│ h_nhqyfq │ 192.168.0.20 │ │ Microsoft Windows 7 SP1 │ False │<br />└──────────┴ ───────────────┴──────────┴──────────────────────────────────┴───────┘<br /><br /><br />catsploit> host detail h_exbiy6<br />┏━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━┓<br />┃ hostID ┃ IP ┃ Hostname ┃ Platform ┃ Pwned ┃<br />┡━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━┩<br />│ h_exbiy6 │ 192.168.0.10 │ ubuntu │ ubuntu 14.04 │ False │<br />└──────────┴──────────────┴──────────┴──────────────┴─ ─────┘<br /><br />[IP address]<br />┏━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━┓<br />┃ ipv4 ┃ ipv4mask ┃ ipv6 ┃ ipv6prefix ┃<br />┡━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━┩<br />│ 192.168.0.10 │ │ │ │<br />└──────────── ─┴──────────┴──────┴────────────┘<br /><br />[Open ports]<br />┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓<br />┃ ip ┃ proto ┃ port ┃ service ┃ product ┃ version ┃<br />┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩<br />│ 192.168.0.10 │ tcp │ 21 │ ftp │ ProFTPD │ 1.3.5 │<br />│ 192.168.0.10 │ tcp │ 22 │ ssh │ OpenSSH │ 6.6.1p1 Ubuntu 2ubuntu2.10 │<br />│ 192.168.0.10 │ tcp │ 80 │ http │ Apache httpd │ 2.4.7 │<br />│ 192.168.0.10 │ tcp │ 445 │ netbios-ssn │ Samba smbd │ 3.X - 4.X │<br />│ 192.168.0.10 │ tcp │ 631 │ ipp │ CUPS │ 1.7 │<br />└──────────────┴───────┴──────┴─────────────┴──────────────┴────────────────────────────┘<br /><br />[Vulnerabilities]<br 
/>┏━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓<br />┃ ip ┃ proto ┃ port ┃ vuln_name ┃ cve ┃<br />┡━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩<br />│ 192.168.0.10 │ tcp │ 0 │ TCP Timestamps <a href="https://www.kitploit.com/search/label/Information%20Disclosure" target="_blank" title="Inform ation Disclosure">Information Disclosure</a> │ N/A │<br />│ 192.168.0.10 │ tcp │ 21 │ FTP Unencrypted Cleartext Login │ N/A │<br />│ 192.168.0.10 │ tcp │ 22 │ Weak MAC Algorithm(s) Supported (SSH) │ N/A │<br />│ 192.168.0.10 │ tcp │ 22 │ Weak Encryption Algorithm(s) Supported (SSH) │ N/A │<br />│ 192.168.0.10 │ tcp │ 22 │ Weak Host Key Algorithm(s) (SSH) │ N/A │<br />│ 192.168.0.10 │ tcp │ 22 │ Weak Key Exchange (KEX) Algorithm(s) Supported (SSH) │ N/A │<br />│ 192.168.0.10 │ tcp │ 80 │ Test HTTP dangerous methods │ N/A │<br />│ 192.168.0.10 │ tcp │ 80 │ Drupal Core SQLi Vulnerability (SA-CORE-2014-005) - Active Check │ CVE-2014-3704 │<br />│ 192.168.0.10 │ tcp │ 80 │ Drupal Coder RCE Vulnerability (SA-CONTRIB-2016-039) - Active Check │ N/A │<br />│ 192.168.0.10 │ tcp │ 80 │ Sensitive File Disclosure (HTTP) │ N/A │<br />│ 192.168.0.10 │ tcp │ 80 │ Unprotected Web App / Device Installers (HTTP) │ N/A │<br />│ 192.168.0.10 │ tcp │ 80 │ Cleartext Transmission of <a href="https://www.kitploit.com/search/label/Sensitive%20Information" target="_blank" title="Sensitive Information">Sensitive Information</a> via HTTP │ N/A │<br />│ 192.168.0.10 │ tcp │ 80 │ jQuery < 1.9.0 XSS Vulnerability │ CVE-2012-6708 │<br />│ 192.168.0.10 │ tcp │ 80 │ jQuery < 1.6.3 XSS Vulnerability │ CVE-2011-4969 │<br />│ 192.168.0.10 │ tcp │ 80 │ Drupal 7.0 Information Disclosure Vulnerability - Active Check │ CVE-2011-3730 │<br />│ 192.168.0.10 │ tcp │ 631 │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS │ CVE-2016-2183 │<br />│ 192.168.0.10 │ tcp │ 631 │ 
SSL/TLS: Report Vulnerable Cipher Suites for HTTPS │ CVE-2016-6329 │<br />│ 192.168.0.10 │ tcp │ 631 │ SSL/TLS: Report Vulnerable Cipher Suites for HTTPS │ CVE-2020-12872 │<br />│ 192.168.0.10 │ tcp │ 631 │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection │ CVE-2011-3389 │<br />│ 192.168.0.10 │ tcp │ 631 │ SSL/TLS: Deprecated TLSv1.0 and TLSv1.1 Protocol Detection │ CVE-2015-0204 │<br />└──────────────┴───────┴──────┴─────────────────────────────────────────────────────────────────────┴───& #9472;────────────┘<br /><br />[Users]<br />┏━━━━━━━━━━━┳━━━━━━━┓<br />┃ user name ┃ group ┃<br />┡━━━━━━━━━━━╇━━━━━━━┩<br />└───────────┴───────┘<br /><br /><br />catsploit> plan attacker h_exbiy6<br />Planning attack scenario...100%<br />[*] Done. 15 scenarios was planned.<br />[*] To check each scenario, try 'scenario list' and/or 'scenario detail'.<br />catsploit> scenario list<br />┏━━━━━━━━━━━━━┳━━━━━ ━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓<br />┃ scenario id ┃ src host ip ┃ target host ip ┃ eVc ┃ eVd ┃ steps ┃ first attack step ┃<br />┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━&#947 3;━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩<br />│ 3d3ivc │ 0.0.0.0 │ 192.168.0.10 │ 1.0 │ 32.0 │ 1 │ exploit/multi/http/jenkins_s… │<br />│ 5gnsvh │ 0.0.0.0 │ 192.168.0.10 │ 1.0 │ 53.76 │ 2 │ exploit/multi/http/jenkins_s… │<br />│ 6nlxyc │ 0.0.0.0 │ 192.168.0.10 │ 0.0 │ 48.32 │ 2 │ exploit/multi/http/jenkins_s… │<br />│ 8jos4z │ 0.0.0.0 │ 192.168.0.1 0 │ 0.7 │ 72.8 │ 2 │ exploit/multi/http/jenkins_s… │<br />│ 8kmmts │ 0.0.0.0 │ 192.168.0.10 │ 0.0 │ 32.0 │ 1 │ exploit/multi/elasticsearch/… │<br />│ agjmma │ 0.0.0.0 │ 192.168.0.10 │ 0.0 │ 24.0 │ 1 │ exploit/windows/http/managee… │<br />│ joglhf │ 0.0.0.0 │ 192.168.0.10 │ 70.0 │ 60.0 │ 1 │ auxiliary/scanner/ssh/ssh_lo… │<br />│ rmgrof │ 0.0.0.0 │ 192.168.0.10 │ 100.0 │ 32.0 │ 1 │ exploit/multi/http/drupal_dr… │<br />│ xuowzk │ 0.0.0.0 │ 192.168.0.10 │ 0.0 │ 24.0 │ 1 │ 
exploit/multi/http/struts_dm… │<br />│ yttv51 │ 0.0.0.0 │ 192.168.0.10 │ 0.01 │ 53.76 │ 2 │ exploit/multi/http/jenkins_s… │<br />│ znv76x │ 0.0.0.0 │ 192.168.0.10 │ 0.01 │ 53.76 │ 2 │ exploit/multi/http/jenkins_s… │<br />└─────────────┴─────────────┴────────────────┴───────┴───────┴───────┴───────────────────────────────┘<br /><br />catsploit> scenario detail rmgrof<br />┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━┳━━━━━━┓<br />┃ src host ip ┃ target host ip ┃ eVc ┃ eVd ┃<br />┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━╇━━━━━━┩<br />│ 0.0.0.0 │ 192.168.0.10 │ 100.0 │ 32.0 │<br />└─────────────┴────────────────┴───────┴──────┘<br /><br />[Steps]<br />┏━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┓<br />┃ # ┃ step ┃ params ┃<br />┡━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━┩<br />│ 1 │ exploit/multi/http/drupal_drupageddon │ RHOSTS: 192.168.0.10 │<br />│ │ │ LHOST: 192.168.10.100 │<br />└───┴───────────────────────────────────────┴───────────────────────┘<br /><br /><br />catsploit> attack rmgrof<br />> ~<br />> ~<br />> Metasploit Console Log<br />> ~<br />> ~<br />[+] Attack scenario succeeded!<br /><br /><br />catsploit> exit<br />Bye.<br /></code></pre></div> <h2 dir="auto" tabindex="-1">Disclaimer</h2> <p dir="auto">All information and code are provided solely for educational purposes and/or testing your own systems.</p> <h2 dir="auto" tabindex="-1">Contact</h2> <p dir="auto">For any inquiry, please contact the following email address:</p> <p dir="auto"><a href="mailto:catsploit@nk.MitsubishiElectric.co.jp" rel="nofollow" target="_blank" title="catsploit@nk.MitsubishiElectric.co.jp">catsploit@nk.MitsubishiElectric.co.jp</a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/catsploit/catsploit" rel="nofollow" target="_blank" title="Download Catsploit">Download 
Catsploit</a></span></b></div>

2023-11-22: Deepsecrets - Secrets Scanner That Understands Code<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI9QztaDW6WlpgEnZVsz-Ycq41M9hB0DZbe35aaFiMI5gV2oEK0ylcKa606EFGrRZYa28CyLwZ6nkQpK7hUwAGptJzIJjgylc2tZ_plkUzEKKI_B55deZblPvx6PVUSR6CZ4eZqzjYFlsUtPu_FHsJrxTTndXFOPt-bvEY6hAdyg7jWNgiV7SjGa7CRxjm/s1792/Deepsecrets.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1792" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI9QztaDW6WlpgEnZVsz-Ycq41M9hB0DZbe35aaFiMI5gV2oEK0ylcKa606EFGrRZYa28CyLwZ6nkQpK7hUwAGptJzIJjgylc2tZ_plkUzEKKI_B55deZblPvx6PVUSR6CZ4eZqzjYFlsUtPu_FHsJrxTTndXFOPt-bvEY6hAdyg7jWNgiV7SjGa7CRxjm/w640-h366/Deepsecrets.png" width="640" /></a></div><p><br /></p> <h2 dir="auto" tabindex="-1">Yet another tool - why?</h2> <p dir="auto">Existing tools don't really "understand" code. Instead, they mostly parse text.</p> <p dir="auto">DeepSecrets expands classic regex-search approaches with semantic analysis, dangerous variable detection, and more efficient usage of entropy analysis. 
Code understanding supports 500+ languages and formats and is achieved by lexing and parsing - <a href="https://www.kitploit.com/search/label/Techniques" target="_blank" title="techniques">techniques</a> commonly used in SAST tools.</p> <p dir="auto">DeepSecrets also introduces a new way to find secrets: just use hashed values of your known secrets and get them found in plain form in your code.</p> <p dir="auto">The under-the-hood story is told in the articles here: <a href="https://hackernoon.com/modernizing-secrets-scanning-part-1-the-problem" rel="nofollow" target="_blank" title="https://hackernoon.com/modernizing-secrets-scanning-part-1-the-problem">https://hackernoon.com/modernizing-secrets-scanning-part-1-the-problem</a></p><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Mini-FAQ after release :)</h2> <blockquote> <p dir="auto">Pff, is it still regex-based?</p> </blockquote> <p dir="auto">Yes and no. Of course, it uses regexes and finds typed secrets like any other tool. But language understanding (the lexing stage) and variable detection also use regexes under the hood. So regexes are an instrument, not a problem.</p> <blockquote> <p dir="auto">Why don't you build true abstract syntax trees? It's academically more correct!</p> </blockquote> <p dir="auto">DeepSecrets tries to keep a balance between complexity and effectiveness. Building a true AST is a pretty complex thing and simply overkill for our specific task. So the tool still follows the generic SAST way of <a href="https://www.kitploit.com/search/label/Code%20Analysis" target="_blank" title="code analysis">code analysis</a> but optimizes the AST part using a different approach.</p> <blockquote> <p dir="auto">I'd like to build my own semantic rules. How do I do that?</p> </blockquote> <p dir="auto">Only through the code at the moment. 
Formalizing the rules and moving them into a flexible, user-controlled ruleset is in the plans.</p> <blockquote> <p dir="auto">I still have a question</p> </blockquote> <p dir="auto">Feel free to communicate with the <a href="https://github.com/avito-tech/deepsecrets/blob/main/pyproject.toml#L6-L8" rel="nofollow" target="_blank" title="maintainer">maintainer</a>.</p> <h2 dir="auto" tabindex="-1">Installation</h2> <p dir="auto">From GitHub via pip:</p> <p dir="auto"><code>$ pip install git+https://github.com/avito-tech/deepsecrets.git</code></p> <p dir="auto">From PyPI:</p> <p dir="auto"><code>$ pip install deepsecrets</code></p> <h2 dir="auto" tabindex="-1">Scanning</h2> <p dir="auto">The easiest way:</p> <p dir="auto"><code>$ deepsecrets --target-dir /path/to/your/code --outfile report.json</code></p> <p dir="auto">This will run a scan against <code>/path/to/your/code</code> using the default configuration:</p> <ul dir="auto"> <li>Regex checks by the built-in ruleset</li> <li>Semantic checks (variable detection, entropy checks)</li> </ul> <p dir="auto">The report will be saved to <code>report.json</code>.</p> <h3 dir="auto" tabindex="-1">Fine-tuning</h3> <p dir="auto">Run <code>deepsecrets --help</code> for details.</p> <p dir="auto">Basically, you can use your own ruleset by specifying <code>--regex-rules</code>. Paths to be excluded from scanning can be set via <code>--excluded-paths</code>.</p> <h2 dir="auto" tabindex="-1">Building rulesets</h2> <h3 dir="auto" tabindex="-1">Regex</h3> <p dir="auto">The built-in ruleset for regex checks is located in <code>/deepsecrets/rules/regexes.json</code>. You're free to follow the format and create a custom ruleset.</p> <h3 dir="auto" tabindex="-1">HashedSecret</h3> <p dir="auto">An example ruleset for regex checks is located in <code>/deepsecrets/rules/regexes.json</code>. 
You're free to follow the format and create a custom ruleset.</p> <h2 dir="auto" tabindex="-1">Contributing</h2> <h3 dir="auto" tabindex="-1">Under the hood</h3> <p dir="auto">There are several core concepts:</p> <ul dir="auto"> <li><code>File</code></li> <li><code>Tokenizer</code></li> <li><code>Token</code></li> <li><code>Engine</code></li> <li><code>Finding</code></li> <li><code>ScanMode</code></li> </ul> <h3 dir="auto" tabindex="-1">File</h3> <p dir="auto">Just a pythonic representation of a file with all the methods needed to manage it.</p> <h3 dir="auto" tabindex="-1">Tokenizer</h3> <p dir="auto">A component able to break the content of a file into pieces - Tokens - by its own logic. There are four types of tokenizers available:</p> <ul dir="auto"> <li><code>FullContentTokenizer</code>: treats all content as a single token. Useful for regex-based search.</li> <li><code>PerWordTokenizer</code>: breaks the given content by words and line breaks.</li> <li><code>LexerTokenizer</code>: uses language-specific smarts to break code into semantically correct pieces with additional context for each token.</li> </ul> <h3 dir="auto" tabindex="-1">Token</h3> <p dir="auto">A string with additional information about its semantic role, the corresponding file, and its location inside it.</p> <h3 dir="auto" tabindex="-1">Engine</h3> <p dir="auto">A component that searches a single token for secrets by its own logic and returns a set of Findings. There are three engines available:</p> <ul dir="auto"> <li><code>RegexEngine</code>: checks tokens' values against a special ruleset</li> <li><code>SemanticEngine</code>: checks tokens produced by the LexerTokenizer using additional context - variable names and values</li> <li><code>HashedSecretEngine</code>: checks tokens' values by hashing them and looking for matching hashes in a special ruleset</li> </ul> <h3 dir="auto" tabindex="-1">Finding</h3> <p dir="auto">This is a data structure representing a problem detected inside code. 
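The Tokenizer, Engine and Finding pipeline described above, together with the hashed-secret idea from the introduction, as an added example that is not DeepSecrets' own code: a per-word tokenizer feeds every token to a regex engine, a variable-name (semantic) engine, a hashed-secret engine and an entropy check, and each engine returns Findings. The rule formats, the thresholds and the use of SHA-256 for the hashed-secret list are assumptions made for this example, and the sample file is constructed.

```python
# Added example, not DeepSecrets' own code: a miniature Tokenizer -> Engine ->
# Finding pipeline of the shape the README describes, with a per-word tokenizer,
# a regex engine, a variable-name (semantic) engine, a hashed-secret engine and an
# entropy check. Rule formats, thresholds and SHA-256 for hashed secrets are assumptions.
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    value: str   # raw text; string literals keep their quotes
    line: int    # 1-based line number
    column: int  # 1-based column of the first character

    @property
    def is_literal(self):
        return len(self.value) >= 2 and self.value[0] in "'\"" and self.value[-1] == self.value[0]

    @property
    def bare(self):  # the literal's contents for a quoted string, else the token itself
        return self.value[1:-1] if self.is_literal else self.value

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    column: int
    value: str

def per_word_tokenize(content):
    """PerWordTokenizer-style split on whitespace and common punctuation."""
    tokens = []
    for lineno, text in enumerate(content.splitlines(), start=1):
        for m in re.finditer(r"[^\s=,;(){}\[\]]+", text):
            tokens.append(Token(m.group(0), lineno, m.start() + 1))
    return tokens

# Constructed regex ruleset; DeepSecrets keeps its own format in rules/regexes.json.
REGEX_RULES = {"aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
SENSITIVE_NAME = re.compile(r"password|passwd|secret|token|key", re.IGNORECASE)

def shannon_entropy(s):
    """Shannon entropy in bits per character (0.0 for an empty or single-symbol string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def regex_engine(tok):
    return [Finding(name, tok.line, tok.column, tok.bare)
            for name, rx in REGEX_RULES.items() if rx.search(tok.bare)]

def semantic_engine(tokens, i):
    """Flag a string literal that follows a variable whose name looks sensitive."""
    name = tokens[i]
    if i + 1 >= len(tokens) or not SENSITIVE_NAME.search(name.value):
        return []
    val = tokens[i + 1]
    if val.line == name.line and val.is_literal and len(val.bare) >= 8:
        return [Finding("sensitive-variable", val.line, val.column, val.bare)]
    return []

def hashed_secret_engine(tok, known_hashes):
    """Match the token's hash against hashes of known secrets; the plain values stay out."""
    digest = hashlib.sha256(tok.bare.encode()).hexdigest()
    if digest in known_hashes:
        return [Finding("hashed-secret:" + known_hashes[digest], tok.line, tok.column, tok.bare)]
    return []

def entropy_engine(tok, min_len=24, threshold=4.0):
    # Long tokens with high entropy look like keys nobody has typed a rule for.
    if len(tok.bare) >= min_len and shannon_entropy(tok.bare) >= threshold:
        return [Finding("high-entropy", tok.line, tok.column, tok.bare)]
    return []

def scan(content, known_secrets):
    """Run every engine over every token; known_secrets maps a label to a plain secret."""
    known_hashes = {hashlib.sha256(s.encode()).hexdigest(): label
                    for label, s in known_secrets.items()}
    tokens = per_word_tokenize(content)
    findings = []
    for i, tok in enumerate(tokens):
        findings += regex_engine(tok)
        findings += semantic_engine(tokens, i)
        findings += hashed_secret_engine(tok, known_hashes)
        findings += entropy_engine(tok)
    return sorted(set(findings), key=lambda f: (f.line, f.column, f.rule))

# Constructed sample file: the AWS key is the documented placeholder value, the rest is made up.
SAMPLE_SOURCE = """\
import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = 'hunter2-prod-2023'
api_token = "x7Qm2Lp9Rz4Vk0Nt6Yb3Hs8Jw1Cd5Gf"
"""
KNOWN_SECRETS = {"prod-db-password": "hunter2-prod-2023"}

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE, KNOWN_SECRETS):
        print(f"{f.line}:{f.column} {f.rule} -> {f.value}")
```

Each engine contributes something different on the sample: the regex engine only recognises a typed secret (the AWS key), the hashed-secret engine finds the database password although the ruleset never stores the plain value, the variable-name engine reports all three assignments because of the names they are bound to, and the entropy check flags only the long random-looking token, so an opaque value nobody has written a rule for still surfaces.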
A Finding carries the precise location inside the file and the rule that found it.</p> <h3 dir="auto" tabindex="-1">ScanMode</h3> <p dir="auto">This component is responsible for the scan process.</p> <ul dir="auto"> <li>Defines the scope of <a href="https://www.kitploit.com/search/label/Analysis" target="_blank" title="analysis">analysis</a> for a given work <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="directory">directory</a>, respecting exceptions</li> <li>Allows declaring a <code>PerFileAnalyzer</code> - the method called against each file, returning a list of findings. Its primary use is to initialize the necessary engines, tokenizers, and rulesets.</li> <li>Runs the scan: a multiprocessing pool analyzes every file in parallel.</li> <li>Prepares results for output and outputs them.</li> </ul> <p dir="auto">The current implementation has a <code>CliScanMode</code> built from the user-provided config through the CLI args.</p> <h3 dir="auto" tabindex="-1">Local development</h3> <p dir="auto">The project is meant to be developed using VSCode and the 'Remote containers' feature.</p> <p dir="auto">Steps:</p> <ol dir="auto"> <li>Clone the repository</li> <li>Open the cloned folder with VSCode</li> <li>Agree to 'Reopen in container'</li> <li>Wait until the <a href="https://www.kitploit.com/search/label/Container" target="_blank" title="container">container</a> is built and the necessary extensions are installed</li> <li>You're ready</li> </ol> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/avito-tech/deepsecrets" rel="nofollow" target="_blank" title="Download Deepsecrets">Download Deepsecrets</a></span></b></div>

2023-04-26: PortEx - Java Library To Analyse Portable Executable Files With A Special Focus On 
Malware Analysis And PE Malformation Robustness<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiW8kr4EwzwG_DI9rmprK6xZA79d5msp4i8RdZYUUf-BRsJuX0_Bo_QqwiCymDoYCft0O41L8K0RxLco9CqvH0Eo9mUeBKybxJ4TUvkzYlIypgIZb-OTw2Zb3yAPi6bs0_edP2nhUO2Ta3XsINUh9XFTaFxeJ7AVsI5TiRdzM21A6thwO77knGB4xgv1Q"><img alt="" border="0" height="498" id="BLOGGER_PHOTO_ID_7209864659700324530" src="https://blogger.googleusercontent.com/img/a/AVvXsEiW8kr4EwzwG_DI9rmprK6xZA79d5msp4i8RdZYUUf-BRsJuX0_Bo_QqwiCymDoYCft0O41L8K0RxLco9CqvH0Eo9mUeBKybxJ4TUvkzYlIypgIZb-OTw2Zb3yAPi6bs0_edP2nhUO2Ta3XsINUh9XFTaFxeJ7AVsI5TiRdzM21A6thwO77knGB4xgv1Q=w640-h498" width="640" /></a></p> <p dir="auto"><br /></p><p dir="auto">PortEx is a Java library for static <a href="https://www.kitploit.com/search/label/Malware%20Analysis" target="_blank" title="malware analysis">malware analysis</a> of Portable Executable files. Its focus is on PE malformation robustness and anomaly detection. PortEx is written in Java and Scala, and targeted at Java applications.</p> <h2 dir="auto" tabindex="-1">Features</h2> <ul dir="auto"> <li>Reading header information from: MSDOS Header, COFF File Header, Optional Header, Section Table</li> <li>Reading PE structures: Imports, Resources, Exports, Debug Directory, Relocations, Delay Load Imports, Bound Imports</li> <li>Dumping of sections, resources, overlay, <a href="https://www.kitploit.com/search/label/Embedded" target="_blank" title="embedded">embedded</a> ZIP, JAR or .class files</li> <li>Scanning for file format anomalies, including structural anomalies and deprecated, reserved, wrong or non-default values</li> <li>Visualize PE file structure, local entropies and byteplot of the file with variable colors and sizes</li> <li>Calculate Shannon Entropy and Chi Squared for files and sections</li> <li>Calculate ImpHash, Rich and RichPV hash values for files and sections</li> <li>Parse RichHeader and verify 
checksum</li> <li>Calculate and verify Optional Header checksum</li> <li>Scan for PEiD signatures, internal file type signatures or your own signature database</li> <li>Scan for Jar to EXE wrapper (e.g. exe4j, jsmooth, jar2exe, launch4j)</li> <li>Extract Unicode and ASCII strings contained in the file</li> <li>Extraction and conversion of .ICO files from icons in the resource section</li> <li>Extraction of version information and manifest from the file</li> <li>Reading .NET <a href="https://www.kitploit.com/search/label/Metadata" target="_blank" title="metadata">metadata</a> and streams (Alpha)</li> </ul> <p dir="auto">For more information have a look at the <a href="https://github.com/struppigel/PortEx/wiki" rel="nofollow" target="_blank" title="PortEx Wiki">PortEx Wiki</a> and the <a href="http://struppigel.github.io/PortEx/javadocs/" rel="nofollow" target="_blank" title="Documentation">Documentation</a>.</p> <h2 dir="auto" tabindex="-1">PortexAnalyzer CLI and GUI</h2> <p dir="auto">PortexAnalyzer CLI is a <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command line">command line</a> tool that runs the PortEx library under the hood. 
If you are looking for a readily compiled command line PE scanner to analyse files with, download it from here: <a href="https://github.com/katjahahn/PortEx/raw/master/progs/PortexAnalyzer.jar" rel="nofollow" target="_blank" title="PortexAnalyzer.jar">PortexAnalyzer.jar</a></p> <p dir="auto">The GUI version is available here: <a href="https://github.com/struppigel/PortexAnalyzerGUI" rel="nofollow" target="_blank" title="PortexAnalyzerGUI">PortexAnalyzerGUI</a></p> <h2 dir="auto" tabindex="-1">Using PortEx</h2> <h3 dir="auto" tabindex="-1">Including PortEx in a Maven Project</h3> <p dir="auto">You can include PortEx in your project by adding the following Maven dependency:</p> <div><pre><code><dependency><br /> <groupId>com.github.katjahahn</groupId><br /> <artifactId>portex_2.12</artifactId><br /> <version>4.0.0</version><br /></dependency> <br /></code></pre></div> <p dir="auto">To use a local build, add the library as follows:</p> <div><pre><code><dependency><br /> <groupId>com.github.katjahahn</groupId><br /> <artifactId>portex_2.12</artifactId><br /> <version>4.0.0</version><br /> <scope>system</scope><br /> <systemPath>$PORTEXDIR/target/scala-2.12/portex_2.12-4.0.0.jar</systemPath><br /></dependency> <br /></code></pre></div> <h3 dir="auto" tabindex="-1">Including PortEx in an SBT project</h3> <p dir="auto">Add the dependency as follows in your build.sbt:</p> <div><pre><code>libraryDependencies += "com.github.katjahahn" % "portex_2.12" % "4.0.0"<br /></code></pre></div> <h2 dir="auto" tabindex="-1">Building PortEx</h2> <h3 dir="auto" tabindex="-1">Requirements</h3> <p dir="auto">PortEx is built with <a href="http://www.scala-sbt.org" rel="nofollow" target="_blank" title="sbt">sbt</a>.</p> <h3 dir="auto" tabindex="-1">Compile and Build With sbt</h3> <p dir="auto">To simply compile the project invoke:</p> <div><pre><code>$ sbt compile<br /></code></pre></div> <p dir="auto">To create a jar:</p> <div><pre><code>$ sbt package<br /></code></pre></div> 
dir="auto">To compile a fat jar that can be used as a command line tool, type:</p> <div><pre><code>$ sbt assembly<br /></code></pre></div> <h3 dir="auto" tabindex="-1">Create Eclipse Project</h3> <p dir="auto">You can create an Eclipse project by using the sbteclipse plugin. Add the following line to <em>project/plugins.sbt</em>:</p> <div><pre><code>addSbtPlugin("com.typesafe.sbteclipse" % "sbteclipse-plugin" % "2.4.0")<br /></code></pre></div> <p dir="auto">Generate the project files for Eclipse:</p> <div><pre><code>$ sbt eclipse<br /></code></pre></div> <p dir="auto">Import the project into Eclipse via the <em>Import Wizard</em>.</p> <h2 dir="auto" tabindex="-1">Donations</h2> <p dir="auto">I develop PortEx and PortexAnalyzer as a hobby in my free time. If you like it, please consider buying me a coffee: <a href="https://ko-fi.com/struppigel" rel="nofollow" target="_blank" title="https://ko-fi.com/struppigel">https://ko-fi.com/struppigel</a></p> <h2 dir="auto" tabindex="-1">Author</h2> <p dir="auto">Karsten Hahn</p> <p dir="auto">Twitter: <a href="https://twitter.com/struppigel" rel="nofollow" target="_blank" title="@Struppigel">@Struppigel</a></p> <p dir="auto">Mastodon: <a href="https://infosec.exchange/@struppigel" rel="nofollow" target="_blank" title="struppigel@infosec.exchange">struppigel@infosec.exchange</a></p> <p dir="auto">Youtube: <a href="https://www.youtube.com/c/MalwareAnalysisForHedgehogs" rel="nofollow" target="_blank" title="MalwareAnalysisForHedgehogs">MalwareAnalysisForHedgehogs</a></p><p dir="auto"><br /></p><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/struppigel/PortEx" rel="nofollow" target="_blank" title="Download PortEx">Download PortEx</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-53808202762365959732023-04-25T08:30:00.004-04:002023-05-03T00:40:09.706-04:00Kubei - A Flexible Kubernetes Runtime Scanner<div 
class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-JcmVx4GeAH4/XyDlwj85wWI/AAAAAAAATR8/3rhxZPRX9AUGFHiTeL8M_KqXXfpnQ3U3QCNcBGAsYHQ/s1600/kubei_1_Kubei-logo.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="125" data-original-width="412" src="https://1.bp.blogspot.com/-JcmVx4GeAH4/XyDlwj85wWI/AAAAAAAATR8/3rhxZPRX9AUGFHiTeL8M_KqXXfpnQ3U3QCNcBGAsYHQ/s1600/kubei_1_Kubei-logo.png" /></a></div>
<br />
Kubei is a <a href="https://www.kitploit.com/search/label/vulnerabilities" target="_blank" title="vulnerabilities">vulnerabilities</a> <a href="https://www.kitploit.com/search/label/Scanning" target="_blank" title="scanning">scanning</a> tool that gives users an accurate and immediate risk assessment of their Kubernetes clusters. Kubei scans all images that are in use in a <a href="https://www.kitploit.com/search/label/Kubernetes" target="_blank" title="Kubernetes">Kubernetes</a> cluster, including the images of application pods and system pods. It doesn't scan entire image registries and doesn't require prior integration with CI/CD pipelines.<br />
It is a configurable tool that lets users define the scope of the scan (target namespaces), the scan speed, and the vulnerability severity level of interest.<br />
It provides a graphical UI that lets the viewer identify where and what should be replaced in order to mitigate the discovered vulnerabilities.<br />
<a name='more'></a><br />
<span style="font-size: large;"><b>Prerequisites</b></span><br />
<ol>
<li>A Kubernetes cluster is ready, and kubeconfig ( <code>~/.kube/config</code>) is properly configured for the target cluster.</li>
</ol>
<br />
<span style="font-size: large;"><b>Required permissions</b></span><br />
<ol>
<li>Read secrets in cluster scope. This is required for getting image pull secrets for scanning private image repositories.</li>
<li>List pods in cluster scope. This is required for calculating the target pods that need to be scanned.</li>
<li>Create jobs in cluster scope. This is required for creating the jobs that will scan the target pods in their namespaces.</li>
</ol>
<br />
<span style="font-size: large;"><b>Configurations</b></span><br />
The file <code>deploy/kubei.yaml</code> is used to deploy and configure Kubei on your cluster.<br />
<ol>
<li> Set the scan scope. Set the <code>IGNORE_NAMESPACES</code> env variable to ignore specific namespaces. Set <code>TARGET_NAMESPACE</code> to scan a specific namespace, or leave empty to scan all namespaces.<br />
</li>
<li> Set the scan speed. Expedite scanning by running parallel scanners. Set the <code>MAX_PARALLELISM</code> env variable for the maximum number of simultaneous scanners.<br />
</li>
<li> Set the severity threshold. Vulnerabilities with a severity level higher than or equal to <code>SEVERITY_THRESHOLD</code> will be reported. Supported levels are <code>Unknown</code>, <code>Negligible</code>, <code>Low</code>, <code>Medium</code>, <code>High</code>, <code>Critical</code>, <code>Defcon1</code>. Default is <code>Medium</code>.<br />
</li>
<li> Set the delete job policy. Set the <code>DELETE_JOB_POLICY</code> env variable to define whether or not to delete completed <a href="https://www.kitploit.com/search/label/Scanner" target="_blank" title="scanner">scanner</a> jobs. Supported values are:<br />
<ul>
<li><code>All</code> - All jobs will be deleted.</li>
<li><code>Successful</code> - Only successful jobs will be deleted (default).</li>
<li><code>Never</code> - Jobs will never be deleted.</li>
</ul>
</li>
</ol>
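How the scope and threshold settings above interact, as an added Python example that is not Kubei's own code: it applies <code>TARGET_NAMESPACE</code> and <code>IGNORE_NAMESPACES</code> to a constructed pod list shaped like the output of <code>kubectl get pods -A -o json</code>, collects the distinct images (initContainers included) that would need scanning, and filters constructed findings by <code>SEVERITY_THRESHOLD</code>. It assumes <code>IGNORE_NAMESPACES</code> is comma-separated and that the severity ranking follows the order the list above gives; the pod names, images and finding ids are made-up sample data.<br />

```python
# Constructed pod list in the shape `kubectl get pods -A -o json` returns
# (only the fields used here). Image names are sample data, not scan results.
def _pod(namespace, name, images, init_images=()):
    return {
        "metadata": {"namespace": namespace, "name": name},
        "spec": {
            "containers": [{"name": f"c{i}", "image": img} for i, img in enumerate(images)],
            "initContainers": [{"name": f"init{i}", "image": img} for i, img in enumerate(init_images)],
        },
    }


PODS = [
    _pod("kube-system", "coredns-5d78c9869d-abcde", ["registry.k8s.io/coredns/coredns:v1.10.1"]),
    _pod("kube-system", "kube-proxy-x7k2p", ["registry.k8s.io/kube-proxy:v1.27.3"]),
    _pod("default", "web-1", ["nginx:1.25.2"], init_images=["busybox:1.36"]),
    _pod("default", "web-2", ["nginx:1.25.2"]),
    _pod("monitoring", "prometheus-0", ["quay.io/prometheus/prometheus:v2.45.0"]),
]

# Severity levels in the order the README lists them; the threshold is a lower bound.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]

# Constructed findings; the "id" values are placeholders, not real advisories.
FINDINGS = [
    {"id": "VULN-PLACEHOLDER-%d" % i, "package": pkg, "severity": sev}
    for i, (pkg, sev) in enumerate([("zlib", "Unknown"), ("bash", "Negligible"), ("curl", "Low"),
                                    ("openssl", "Medium"), ("glibc", "High"), ("libxml2", "Critical"),
                                    ("kernel", "Defcon1")])
]


def select_pods(pods, target_namespace="", ignore_namespaces=""):
    """Apply the scope settings: TARGET_NAMESPACE ("" means every namespace) and
    IGNORE_NAMESPACES, assumed here to be a comma-separated list."""
    ignored = {ns.strip() for ns in ignore_namespaces.split(",") if ns.strip()}
    chosen = []
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        if target_namespace and ns != target_namespace:
            continue
        if ns in ignored:
            continue
        chosen.append(pod)
    return chosen


def images_to_scan(pods):
    """Distinct image references, initContainers included, so a vulnerable
    init image is not missed and an image shared by many pods is scanned once."""
    images = set()
    for pod in pods:
        spec = pod["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            images.add(c["image"])
    return sorted(images)


def report_at_or_above(findings, threshold="Medium"):
    """Keep findings whose severity is at or above the threshold. 'Unknown' is
    the lowest level, so a threshold of Unknown reports everything, unrated
    findings included."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unsupported SEVERITY_THRESHOLD {threshold!r}")
    floor = SEVERITY_ORDER.index(threshold)
    return [f for f in findings if SEVERITY_ORDER.index(f["severity"]) >= floor]


if __name__ == "__main__":
    in_scope = select_pods(PODS, ignore_namespaces="kube-system")
    print(images_to_scan(in_scope))
    print([f["id"] for f in report_at_or_above(FINDINGS, "High")])
```

Note that a threshold filter drops unrated findings as soon as it is set above <code>Unknown</code>; if the images come from a registry whose packages the CVE database does not rate, lowering the threshold once is the way to see what is being hidden.<br />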
<br />
<span style="font-size: large;"><b>Usage</b></span><br />
<ol>
<li> Run the following command to deploy Kubei on the cluster:<br />
<code>kubectl apply -f https://raw.githubusercontent.com/Portshift/kubei/master/deploy/kubei.yaml</code><br />
</li>
<li> Run the following command to verify that Kubei is up and running:<br />
<code>kubectl -n kubei get pod -lapp=kubei</code><br /><a href="https://1.bp.blogspot.com/-iEhD58PFTLE/XyDl3KBxngI/AAAAAAAATSA/OzJ6izqbc00VFyHMuhZqVZYrFjCYQ5u7ACNcBGAsYHQ/s1600/kubei_2_kubei-running.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="38" data-original-width="567" height="26" src="https://1.bp.blogspot.com/-iEhD58PFTLE/XyDl3KBxngI/AAAAAAAATSA/OzJ6izqbc00VFyHMuhZqVZYrFjCYQ5u7ACNcBGAsYHQ/s400/kubei_2_kubei-running.png" width="400" /></a>
</li>
<li> Then, <a href="https://www.kitploit.com/search/label/Port%20Forwarding" target="_blank" title="port forwarding">port forwarding</a> into the Kubei webapp via the following command:<br />
<code>kubectl -n kubei port-forward $(kubectl -n kubei get pods -lapp=kubei -o jsonpath='{.items[0].metadata.name}') 8080 </code><br />
</li>
<li> In your browser, navigate to <a href="http://localhost:8080/view/" rel="nofollow" target="_blank" title="http://localhost:8080/view/">http://localhost:8080/view/</a> , and then click 'GO' to run a scan.<br />
</li>
<li> To check the state of Kubei, and the progress of ongoing scans, run the following command:<br />
<code>kubectl -n kubei logs $(kubectl -n kubei get pods -lapp=kubei -o jsonpath='{.items[0].metadata.name}') </code><br />
</li>
<li> Refresh the page (<a href="http://localhost:8080/view/" rel="nofollow" target="_blank" title="http://localhost:8080/view/">http://localhost:8080/view/</a>) to update the results.<br />
</li>
</ol>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-4Gf5glIOHgY/XyDl-hJEe-I/AAAAAAAATSE/t8v1zYjamIcudJ_eQVt0mJkALI1SIC1IQCNcBGAsYHQ/s1600/kubei_3_kubei-results.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="795" data-original-width="1600" height="316" src="https://1.bp.blogspot.com/-4Gf5glIOHgY/XyDl-hJEe-I/AAAAAAAATSE/t8v1zYjamIcudJ_eQVt0mJkALI1SIC1IQCNcBGAsYHQ/s640/kubei_3_kubei-results.png" width="640" /></a></div>
<br />
<span style="font-size: large;"><b>Running Kubei with an external HTTP/HTTPS proxy</b></span><br />
Uncomment and configure the proxy env variables for the Clair and Kubei deployments in <code>deploy/kubei.yaml</code>.<br />
<br />
<span style="font-size: large;"><b>Limitations</b></span><br />
<ol>
<li> Supports Kubernetes Image Manifest V 2, Schema 2 (<a href="https://docs.docker.com/registry/spec/manifest-v2-2/" rel="nofollow" target="_blank" title="https://docs.docker.com/registry/spec/manifest-v2-2/">https://docs.docker.com/registry/spec/manifest-v2-2/</a>). It will fail to scan on earlier versions.<br />
</li>
<li> The CVE database will update once a day.<br />
</li>
</ol>
<br />
<br />
<div style="text-align: center;">
<b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Portshift/Kubei" rel="nofollow" target="_blank" title="Download Kubei">Download Kubei</a></span></b></div>
Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-47822900387260975312023-04-01T08:30:00.006-03:002023-04-01T08:30:00.245-03:00Noseyparker - A Command-Line Program That Finds Secrets And Sensitive Information In Textual Data And Git History<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHDC0T3Fnjhu0KOrTA0mVA1qNC6NB_ur2X-N86LLDaYLjROQWSDhvHUfQEpyJAwK5OPX1SiTN-I7MiBJ_TGoCVndqhd-CmBfg1abEK4-aQcW-0A3qKiqhx01DzsjEu-lnbPEnxHZvBxx2fsKNvKfFVBgDSt6b3yPykgyi_yAFtECTvPzXQ2lCuNkZu2A/s585/hack_img.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="385" data-original-width="585" height="422" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHDC0T3Fnjhu0KOrTA0mVA1qNC6NB_ur2X-N86LLDaYLjROQWSDhvHUfQEpyJAwK5OPX1SiTN-I7MiBJ_TGoCVndqhd-CmBfg1abEK4-aQcW-0A3qKiqhx01DzsjEu-lnbPEnxHZvBxx2fsKNvKfFVBgDSt6b3yPykgyi_yAFtECTvPzXQ2lCuNkZu2A/w640-h422/hack_img.png" width="640" /></a></div><p><br /></p> <p dir="auto">Nosey Parker is a command-line tool that finds secrets and <a href="https://www.kitploit.com/search/label/Sensitive%20Information" target="_blank" title="sensitive information">sensitive information</a> in textual data. 
It is useful both for offensive and defensive security testing.</p> <p dir="auto"><strong>Key features:</strong></p> <ul dir="auto"> <li>It supports scanning files, directories, and the entire history of Git repositories</li> <li>It uses <a href="https://www.kitploit.com/search/label/Regular%20Expression" target="_blank" title="regular expression">regular expression</a> matching with a set of 95 patterns chosen for high signal-to-noise based on experience and feedback from offensive security engagements</li> <li>It groups matches together that share the same secret, further emphasizing signal over noise</li> <li>It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro</li> </ul> <p dir="auto">This open-source version of Nosey Parker is a reimplementation of the internal version that is regularly used in offensive security engagements at <a href="https://praetorian.com" rel="nofollow" target="_blank" title="Praetorian">Praetorian</a>. The internal version has additional capabilities for false positive suppression and an alternative machine learning-based detection engine. Read more in blog posts <a href="https://www.praetorian.com/blog/nosey-parker-ai-secrets-scanner-release/" rel="nofollow" target="_blank" title="here">here</a> and <a href="https://www.praetorian.com/blog/six-months-of-finding-secrets-with-nosey-parker/" rel="nofollow" target="_blank" title="here">here</a>.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto" tabindex="-1">Building from source</h2> <p dir="auto"><strong>1. 
(On x86_64) Install the <a href="https://github.com/intel/hyperscan" rel="nofollow" target="_blank" title="Hyperscan">Hyperscan</a> library and headers for your system</strong></p> <p dir="auto">On macOS using Homebrew:</p> <div><pre><code>brew install hyperscan pkg-config<br /></code></pre></div> <p dir="auto">On Ubuntu 22.04:</p> <div><pre><code>apt install libhyperscan-dev pkg-config<br /></code></pre></div> <p dir="auto"><strong>1. (On non-x86_64) Build <a href="https://github.com/Vectorcamp/vectorscan" rel="nofollow" target="_blank" title="Vectorscan">Vectorscan</a> from source</strong></p> <p dir="auto">You will need several dependencies, including <code>cmake</code>, <code>boost</code>, <code>ragel</code>, and <code>pkg-config</code>.</p> <p dir="auto">Download and extract the source for the <a href="https://github.com/VectorCamp/vectorscan/releases/tag/vectorscan%2F5.4.8" rel="nofollow" target="_blank" title="5.4.8 release">5.4.8 release</a> of Vectorscan:</p> <div><pre><code>wget https://github.com/VectorCamp/vectorscan/archive/refs/tags/vectorscan/5.4.8.tar.gz && tar xfz 5.4.8.tar.gz<br /></code></pre></div> <p dir="auto">Build with cmake:</p> <div><pre><code>cd vectorscan-vectorscan-5.4.8 && cmake -B build -DCMAKE_BUILD_TYPE=Release . && cmake --build build<br /></code></pre></div> <p dir="auto">Set the <code>HYPERSCAN_ROOT</code> environment variable so that Nosey Parker builds against your from-source build of Vectorscan:</p> <div><pre><code>export HYPERSCAN_ROOT="$PWD/build"<br /></code></pre></div> <p dir="auto"><strong>Note:</strong> The Nosey Parker <a href="https://github.com/praetorian-inc/noseyparker/blob/main/Dockerfile" rel="nofollow" target="_blank" title="Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history. (9)"><code>Dockerfile</code></a> builds Vectorscan from source and links against that.</p> <p dir="auto"><strong>2. 
Install the Rust toolchain</strong></p> <p dir="auto">Recommended approach: install from <a href="https://rustup.rs" rel="nofollow" target="_blank" title="https://rustup.rs">https://rustup.rs</a></p> <p dir="auto"><strong>3. Build using <a href="https://doc.rust-lang.org/cargo/" rel="nofollow" target="_blank" title="Cargo">Cargo</a></strong></p> <div><pre><code>cargo build --release<br /></code></pre></div> <p dir="auto">This will produce a binary at <code>target/release/noseyparker</code>.</p> <h2 dir="auto" tabindex="-1">Docker Usage</h2> <p dir="auto"><strong>A prebuilt Docker image is available for the latest release for x86_64:</strong></p> <div><pre><code>docker pull ghcr.io/praetorian-inc/noseyparker:latest<br /></code></pre></div> <p dir="auto"><strong>A prebuilt Docker image is available for the most recent commit for x86_64:</strong></p> <div><pre><code>docker pull ghcr.io/praetorian-inc/noseyparker:edge<br /></code></pre></div> <p dir="auto"><strong>For other architectures (e.g., ARM) you will need to build the Docker image yourself:</strong></p> <div><pre><code>docker build -t noseyparker .<br /></code></pre></div> <p dir="auto"><strong>Run the Docker image with a mounted volume:</strong></p> <div><pre><code>docker run -v "$PWD":/opt/ noseyparker<br /></code></pre></div> <p dir="auto"><strong>Note:</strong> The Docker image runs noticeably slower than a native binary, particularly on macOS.</p> <h2 dir="auto" tabindex="-1">Usage quick start</h2> <h3 dir="auto" tabindex="-1">The datastore</h3> <p dir="auto">Most Nosey Parker commands use a <em>datastore</em>. This is a special directory that Nosey Parker uses to record its findings and maintain its internal state. A datastore will be implicitly created by the <code>scan</code> command if needed. 
You can also create a datastore explicitly using the <code>datastore init -d PATH</code> command.</p> <h3 dir="auto" tabindex="-1">Scanning filesystem content for secrets</h3> <p dir="auto">Nosey Parker has built-in support for scanning files, recursively scanning directories, and scanning the entire history of Git repositories.</p> <p dir="auto">For example, if you have a Git clone of <a href="https://github.com/python/cpython" rel="nofollow" target="_blank" title="CPython">CPython</a> locally at <code>cpython.git</code>, you can scan its entire history with the <code>scan</code> command. Nosey Parker will create a new datastore at <code>np.cpython</code> and save its findings there.</p> <div><pre><code>$ noseyparker scan --datastore np.cpython cpython.git<br />Found 28.30 GiB from 18 plain files and 427,712 blobs from 1 Git repos [00:00:04]<br />Scanning content ████████████████████ 100% 28.30 GiB/28.30 GiB [00:00:53]<br />Scanned 28.30 GiB from 427,730 blobs in 54 seconds (538.46 MiB/s); 4,904/4,904 new matches<br /><br /> Rule Distinct Groups Total Matches<br />───────────────────────────────────────────────────────────<br /> PEM-Encoded Private Key 1,076 1,192<br /> Generic Secret 331 478<br /> netrc Credentials 42 3,201<br /> Generic API Key 2 31<br /> md5crypt Hash 1 2<br /><br />Run the `report` command next to show finding details.<br /></code></pre></div> <h3 dir="auto" tabindex="-1">Scanning Git repos by URL, GitHub username, or GitHub organization name</h3> <p dir="auto">Nosey Parker can also scan Git repos that have not already been cloned to the local filesystem. 
The <code>--git-url URL</code>, <code>--github-user NAME</code>, and <code>--github-org NAME</code> options to <code>scan</code> allow you to specify <a href="https://www.kitploit.com/search/label/Repositories" target="_blank" title="repositories">repositories</a> of interest.</p> <p dir="auto">For example, to scan the Nosey Parker repo itself:</p> <div><pre><code>$ noseyparker scan --datastore np.noseyparker --git-url https://github.com/praetorian-inc/noseyparker<br /></code></pre></div> <p dir="auto">For example, to scan accessible repositories belonging to <a href="https://github.com/octocat" rel="nofollow" target="_blank" title="Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history. (14)"><code>octocat</code></a>:</p> <div><pre><code>$ noseyparker scan --datastore np.noseyparker --github-user octocat<br /></code></pre></div> <p dir="auto">These input specifiers will use an optional GitHub token if available in the <code>NP_GITHUB_TOKEN</code> environment variable. Providing an access token gives a higher API rate limit and may make additional repositories accessible to you.</p> <p dir="auto">See <code>noseyparker help scan</code> for more details.</p> <h3 dir="auto" tabindex="-1">Summarizing findings</h3> <p dir="auto">Nosey Parker prints out a summary of its findings when it finishes scanning. 
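</p> <p dir="auto">The grouping that distinguishes "Distinct Groups" from "Total Matches" in that summary, as an added Python example that is not Nosey Parker's code and does not use its real rules: three illustrative regex rules run over a constructed set of blobs (including two revisions of the same file, as a Git history scan would see them), matches are grouped by the captured secret, and a summary table of the same shape is rendered. Every key, password and PEM body below is a fake, invalid value made up for the example.</p>

```python
import re
from collections import defaultdict

# Three illustrative rules in the spirit of a secret-scanner rule set (not
# Nosey Parker's actual rules). The capture groups are the secret itself,
# which is what matches are grouped by.
RULES = {
    "PEM-Encoded Private Key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END"),
    "Generic API Key": re.compile(
        r"(?i)\bapi[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    "netrc Credentials": re.compile(
        r"machine\s+(\S+)\s+login\s+(\S+)\s+password\s+(\S+)"),
}

# Constructed blobs standing in for files and Git history objects. The same
# API key appears in two revisions of config.py: two matches, one group.
BLOBS = {
    "config.py@rev1": 'API_KEY = "EXAMPLEKEY00000000000000AA"\n',
    "config.py@rev2": '# rotated later\nAPI_KEY = "EXAMPLEKEY00000000000000AA"\n',
    "deploy.sh": 'export api_key=EXAMPLEKEY00000000000000BB\n',
    ".netrc": 'machine git.example.invalid login deploy password not-a-real-password\n',
    "id_example": '-----BEGIN RSA PRIVATE KEY-----\nMIIEXAMPLEKEYBODYNOTREAL\n-----END RSA PRIVATE KEY-----\n',
}


def scan_blobs(blobs):
    """Run every rule over every blob; one finding per regex match."""
    findings = []
    for source, text in blobs.items():
        for rule, rx in RULES.items():
            for m in rx.finditer(text):
                findings.append({
                    "rule": rule,
                    "secret": m.groups(),                     # grouping key
                    "source": source,
                    "line": text.count("\n", 0, m.start()) + 1,
                })
    return findings


def summarize(findings):
    """Per rule: (distinct groups, total matches), as in the summary table."""
    groups, totals = defaultdict(set), defaultdict(int)
    for f in findings:
        groups[f["rule"]].add(f["secret"])
        totals[f["rule"]] += 1
    return {rule: (len(groups[rule]), totals[rule]) for rule in totals}


def render_summary(summary):
    """Text table in the same layout as the scan output, busiest rule first."""
    lines = [f"{'Rule':<28}{'Distinct Groups':>16}{'Total Matches':>15}"]
    for rule, (distinct, total) in sorted(summary.items(), key=lambda kv: -kv[1][1]):
        lines.append(f"{rule:<28}{distinct:>16,}{total:>15,}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(summarize(scan_blobs(BLOBS))))
```

<p dir="auto">Grouping is what makes history scans tractable: a secret committed once and carried through hundreds of revisions yields hundreds of matches but a single group, and it is groups, not matches, that need to be rotated and tracked.</p> <p dir="auto">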
You can also run this step separately:</p> <div><pre><code>$ noseyparker summarize --datastore np.cpython<br /><br /> Rule Distinct Groups Total Matches<br />───────────────────────────────────────────────────────────<br /> PEM-Encoded Private Key 1,076 1,192<br /> Generic Secret 331 478<br /> netrc Credentials 42 3,201<br /> Generic API Key 2 31<br /> md5crypt Hash 1 2<br /></code></pre></div> <p dir="auto">Additional output formats are supported, including JSON and JSON lines, via the <code>--format=FORMAT</code> option.</p> <h3 dir="auto" tabindex="-1">Reporting detailed findings</h3> <p dir="auto">To see details of Nosey Parker's findings, use the <code>report</code> command. This prints out a text-based report designed for human consumption:</p> <div>(Note: the findings above are synthetic, invalid secrets.) Additional output formats are supported, including JSON and JSON lines, via the <code>--format=FORMAT</code> option. <h3 dir="auto" tabindex="-1">Enumerating repositories from GitHub</h3> <p dir="auto">To list URLs for repositories belonging to GitHub users or organizations, use the <code>github repos list</code> command. This command uses the GitHub REST API to enumerate repositories belonging to one or more users or organizations. For example:</p> <div><pre><code>$ noseyparker github repos list --user octocat<br />https://github.com/octocat/Hello-World.git<br />https://github.com/octocat/Spoon-Knife.git<br />https://github.com/octocat/boysenberry-repo-1.git<br />https://github.com/octocat/git-consortium.git<br />https://github.com/octocat/hello-worId.git<br />https://github.com/octocat/linguist.git<br />https://github.com/octocat/octocat.github.io.git<br />https://github.com/octocat/test-repo1.git<br /></code></pre></div> <p dir="auto">An optional GitHub Personal <a href="https://www.kitploit.com/search/label/Access%20Token" target="_blank" title="Access Token">Access Token</a> can be provided via the <code>NP_GITHUB_TOKEN</code> environment variable. 
Providing an access token gives a higher API rate limit and may make additional repositories accessible to you.</p> <p dir="auto">Additional output formats are supported, including JSON and JSON lines, via the <code>--format=FORMAT</code> option.</p> <p dir="auto">See <code>noseyparker help github</code> for more details.</p> <h3 dir="auto" tabindex="-1">Getting help</h3> <p dir="auto">Running the <code>noseyparker</code> binary without arguments prints top-level help and exits. You can get abbreviated help for a particular command by running <code>noseyparker COMMAND -h</code>.</p> <p dir="auto"><strong>Tip: More detailed help is available with the <code>help</code> command or long-form <code>--help</code> option.</strong></p> <h2 dir="auto" tabindex="-1">Contributing</h2> <p dir="auto">Contributions are welcome, particularly new regex rules. Developing new regex rules is detailed in a <a href="https://github.com/praetorian-inc/noseyparker/blob/main/docs/RULES.md" rel="nofollow" target="_blank" title="separate document">separate document</a>.</p> <p dir="auto">If you are considering making significant code changes, please <a href="https://github.com/praetorian-inc/noseyparker/issues/new" rel="nofollow" target="_blank" title="open an issue">open an issue</a> first to start discussion.</p> <h2 dir="auto" tabindex="-1">License</h2> <p dir="auto">Nosey Parker is licensed under the <a href="https://github.com/praetorian-inc/noseyparker/blob/main/LICENSE-APACHE" rel="nofollow" target="_blank" title="Apache License, Version 2.0">Apache License, Version 2.0</a>.</p> <p dir="auto">Any contribution intentionally submitted for inclusion in Nosey Parker by you, as defined in the Apache 2.0 license, shall be licensed as above, without any additional terms or conditions.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/praetorian-inc/noseyparker" rel="nofollow" target="_blank" 
title="Download Noseyparker">Download Noseyparker</a></span></b></div></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-80785415246775389192023-01-18T08:30:00.001-03:002023-01-18T08:30:00.298-03:00Kscan - Simple Asset Mapping Tool<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi_YvR6obDf0VIKelUhdE6Av2sgfTm100L7F2qU-CnkbN5MOJVlNU6BF-OmLzNo_QpQmra52zsL-ObWeAP9OPDYKaG8lftTrV4gPmopQwNuokn8_poTn09QKGXC7Ghe2lS--YN70xdyZ6FhDBvNEOJZ-81w24xFH7yxeyLXggskYr-0fFZ2TkrzQq1shA"><img alt="" border="0" height="302" id="BLOGGER_PHOTO_ID_7173885060284416338" src="https://blogger.googleusercontent.com/img/a/AVvXsEi_YvR6obDf0VIKelUhdE6Av2sgfTm100L7F2qU-CnkbN5MOJVlNU6BF-OmLzNo_QpQmra52zsL-ObWeAP9OPDYKaG8lftTrV4gPmopQwNuokn8_poTn09QKGXC7Ghe2lS--YN70xdyZ6FhDBvNEOJZ-81w24xFH7yxeyLXggskYr-0fFZ2TkrzQq1shA=w640-h302" width="640" /></a></p><p><br /></p><h2 dir="auto">0 Disclaimer (<del>The author did not participate in the XX action, don't trace it</del>)</h2><ul dir="auto">
<li>
<p dir="auto">This tool is intended only for legally authorized enterprise
security work and personal learning. If you need to test this tool,
please build your own target environment.</p>
</li>
<li>
<p dir="auto">When using this tool for testing, you should ensure that
the behavior complies with local laws and regulations and has obtained
sufficient authorization. Do not scan unauthorized targets.</p>
</li>
</ul><p dir="auto">We reserve the right to pursue your legal responsibility if the above prohibited behavior is found.</p><p dir="auto">If you have any illegal behavior in the process of using
this tool, you shall bear the corresponding consequences by yourself,
and we will not bear any legal and joint responsibility.</p><p dir="auto">Before installing and using this tool, please be sure to carefully read and fully understand the terms and conditions.</p><p dir="auto">Unless you have fully read, fully understood and accepted
all the terms of this agreement, please do not install and use this
tool. Your use behavior or your acceptance of this Agreement in any
other express or implied manner shall be deemed that you have read and
agreed to be bound by this Agreement.<span></span></p><a name='more'></a><p></p><h2 dir="auto"><a aria-hidden="true" class="anchor" href="https://github.com/lcvvvv/kscan/blob/master/README_ENG.md#1-introduction" id="user-content-1-introduction"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"></svg></a></h2><h2 dir="auto">1 Introduction</h2><div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code> _ __
|#| /#/ Lightweight Asset Mapping Tool by: kv2
|#|/#/ _____ _____ * _ _
|#.#/ /Edge/ /Forum| /#\ |#\ |#|
|##| |#|___ |#| /###\ |##\|#|
|#.#\ \#####\|#| /#/_\#\ |#.#.#|
|#|\#\ /\___|#||#|____/#/###\#\|#|\##|
|#| \#\\#####/ \#####/#/ \#\#| \#|
</code></pre></div><p dir="auto">Kscan is an asset mapping tool that performs port
scanning, TCP fingerprinting and banner capture for specified assets,
obtaining as much port information as possible without sending extra
packets. It can perform automatic brute force cracking on scan results,
and is the first open source RDP brute force cracking tool on the Go
platform.</p><h2 dir="auto"><a aria-hidden="true" class="anchor" href="https://github.com/lcvvvv/kscan/blob/master/README_ENG.md#2-foreword" id="user-content-2-foreword"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"></svg></a></h2><h2 dir="auto">2 Foreword</h2><p dir="auto">There are already many tools for asset
scanning, fingerprint identification and vulnerability detection, and
many of them are excellent, but Kscan takes a number of different approaches.</p><p>
</p><ul dir="auto">
<li>
<p dir="auto">Kscan accepts a variety of input formats, so there is
no need to classify the scan targets (IP, URL, etc.) before use; that
would be unnecessary work for the user, and every entry can be fed in
directly and recognised. If the entry is a URL, its path is kept for
detection; if it is only IP:PORT, protocol identification on that port
is prioritised. Currently Kscan supports three input methods
(-t,--target|-f,--fofa|--spy).</p>
</li>
<li>
<p dir="auto">Kscan does not trade accuracy for speed by mapping port
numbers to common protocols to decide a port's protocol, nor does it
only detect web assets. Kscan instead favours accuracy and
comprehensiveness, accepting only high-confidence protocol
identification, in order to provide good conditions for the subsequent
application-layer identification.</p>
</li>
<li>
<p dir="auto">Kscan does not use a modular approach that merely stacks
functions (one module fetching the title, another fetching SMB
information, each running and reporting independently); instead it
reports asset information per port. For example, if a port's protocol
is HTTP, fingerprinting and title acquisition follow automatically; if the port protocol
is RPC, it will try to obtain the host name, etc.</p></li></ul> <p dir="auto" style="text-align: center;"><a href="https://github.com/lcvvvv/kscan/blob/master/assets/kscan%E9%80%BB%E8%BE%91%E5%9B%BE.drawio.png" rel="nofollow" target="_blank" title="Kscan&#26159;&#19968;&#27454;&#32431;go&#24320;&#21457;&#30340;&#20840;&#26041;&#20301;&#25195;&#25551;&#22120;&#65292;&#20855;&#22791;&#31471;&#21475;&#25195;&#25551;&#12289;&#21327;&#35758;&#26816;&#27979;&#12289;&#25351;&#32441;&#35782;&#21035;&#65292;&#26292;&#21147;&#30772;&#35299;&#31561;&#21151;&#33021;&#12290;&#25903;&#25345;&#21327;&#35758;1200+&#65292;&#21327;&#35758;&#25351;&#32441;10000+&#65292;&#24212;&#29992;&#25351;&#32441;20000+&#65292;&#26292;&#21147;&#30772;&#35299;&#21327;&#35758;10&#20313;&#31181;&#12290; (9)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgRhEEr3_8Oq-0A_Oii9IgoGjKJLh9ca74uRE__8XnZlp55fRfF7HZx7ua_KguaCAVkkphP7RmNHJxQZokqX1Ph1DXL-vEVW6JSmaHoMrCX3Ugyl9Ffg-y2LaUZNmVnEKoJ-bAIIDagiavv8Z96uvZ5WSpdQcLFp6z4mOsD4GLlbBICPorsGyeMZnq-Bg"><img alt="" border="0" height="566" id="BLOGGER_PHOTO_ID_7173885051073445474" src="https://blogger.googleusercontent.com/img/a/AVvXsEgRhEEr3_8Oq-0A_Oii9IgoGjKJLh9ca74uRE__8XnZlp55fRfF7HZx7ua_KguaCAVkkphP7RmNHJxQZokqX1Ph1DXL-vEVW6JSmaHoMrCX3Ugyl9Ffg-y2LaUZNmVnEKoJ-bAIIDagiavv8Z96uvZ5WSpdQcLFp6z4mOsD4GLlbBICPorsGyeMZnq-Bg=w640-h566" width="640" /></a></p> <div style="text-align: left;"><h2 dir="auto">3 Compilation Manual</h2>
<p dir="auto"><a href="https://github.com/lcvvvv/kscan/wiki/%E7%BC%96%E8%AF%91">Compiler Manual</a></p>
<h2 dir="auto"><a aria-hidden="true" class="anchor" href="https://github.com/lcvvvv/kscan/blob/master/README_ENG.md#4-get-started" id="user-content-4-get-started"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"></svg></a></h2><h2 dir="auto">4 Get started</h2>
<p dir="auto">Kscan currently has 3 ways to input targets</p>
<ul dir="auto">
<li>-t/--target: add the --check parameter to fingerprint only the
specified target port; otherwise the target is port scanned and then
fingerprinted</li>
</ul>
<div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>IP address: 114.114.114.114
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt
</code></pre></div>
<ul dir="auto">
<li>--spy: add the --scan parameter to port scan and fingerprint the
live C segment (/24); otherwise only the live network segments are
detected</li>
</ul>
<div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>[Empty]: will detect the IP address of the local machine and detect the B segment where the local IP is located
[all]: All private network addresses (192.168/172.32/10, etc.) will be probed
IP address: will detect the B segment where the specified IP address is located
</code></pre></div>
<ul dir="auto">
<li>-f/--fofa: add --check to verify that the retrieved hosts are live,
and add the --scan parameter to port scan and fingerprint the retrieved
results; otherwise only the fofa search results are returned</li>
</ul>
<div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>fofa search keywords: will directly return fofa search results
</code></pre></div>
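<p dir="auto">A parser for the target formats listed above (IP, IP range, CIDR, URL, file:, plus the IP:PORT form the Foreword mentions), as an added Python example that is not Kscan's code: it classifies one entry without the user stating its type, keeps a URL's path as the Foreword describes, and refuses to expand a CIDR shorter than /12, following the warning in the usage text of section 5. The function names, the /12 minimum and the address limit are this example's own choices; the sample hosts are documentation addresses.</p>

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical policy values for this example; the usage text only says a
# mask shorter than /12 is "not recommended", so expansion refuses those.
MIN_PREFIX = 12
MAX_ADDRESSES = 1 << 20   # a /12 is exactly this many addresses

HOSTPORT = re.compile(r"^([A-Za-z0-9.\-]+):(\d{1,5})$")
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def _ip(text):
    """IPv4/IPv6 address object, or None if the text is not an address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def classify_target(entry):
    """Return (kind, value) for one target entry without the user stating its
    type: file:, URL, CIDR, IP range, bare IP, IP:PORT, or hostname."""
    s = entry.strip()
    if s.startswith("file:"):
        return "file", s[len("file:"):]
    if "://" in s:
        u = urlparse(s)
        if u.scheme not in ("http", "https") or not u.hostname:
            raise ValueError(f"unsupported URL: {entry!r}")
        port = u.port or (443 if u.scheme == "https" else 80)
        # The path is kept: URL paths are reserved for detection.
        return "url", {"scheme": u.scheme, "host": u.hostname, "port": port, "path": u.path or "/"}
    if "/" in s:
        return "cidr", ipaddress.ip_network(s, strict=False)
    if s.count("-") == 1:
        lo, hi = (_ip(part) for part in s.split("-"))
        if lo is not None and hi is not None:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad address range: {entry!r}")
            return "range", (lo, hi)
    ip = _ip(s)
    if ip is not None:
        return "ip", ip
    m = HOSTPORT.match(s)
    if m and 1 <= int(m.group(2)) <= 65535:
        # IP:PORT entries get protocol identification on that one port first.
        return "hostport", (m.group(1), int(m.group(2)))
    if HOSTNAME.match(s):
        return "host", s
    raise ValueError(f"unrecognised target: {entry!r}")


def scope_problem(kind, value, limit=MAX_ADDRESSES):
    """Reason the target is too broad to expand, or None if it is acceptable."""
    if kind == "cidr":
        if value.prefixlen < MIN_PREFIX:
            return f"/{value.prefixlen} is shorter than the /{MIN_PREFIX} minimum"
        if value.num_addresses > limit:
            return f"{value.num_addresses} addresses exceeds the limit of {limit}"
    if kind == "range":
        lo, hi = value
        if int(hi) - int(lo) + 1 > limit:
            return f"range exceeds the limit of {limit} addresses"
    return None


def expand_hosts(kind, value, limit=MAX_ADDRESSES):
    """Concrete addresses to probe for ip, range and cidr targets, bounded so a
    typo does not turn into a scan of millions of hosts."""
    problem = scope_problem(kind, value, limit)
    if problem:
        raise ValueError(problem)
    if kind == "ip":
        return [str(value)]
    if kind == "range":
        lo, hi = value
        return [str(ipaddress.ip_address(int(lo) + i)) for i in range(int(hi) - int(lo) + 1)]
    if kind == "cidr":
        return [str(a) for a in value]
    raise ValueError(f"{kind} targets are not expanded to addresses")


if __name__ == "__main__":
    for entry in ["192.0.2.10", "192.0.2.1-192.0.2.4", "198.51.100.0/30",
                  "https://www.example.com/admin", "file:/tmp/target.txt", "192.0.2.10:8443"]:
        print(entry, "->", classify_target(entry))
```

<p dir="auto">The scope check is the part worth keeping even if the parser is swapped out: a target file is often assembled by several people, and one mistyped mask is the difference between an authorised /24 and a sweep of the whole private range.</p>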
<h2 dir="auto"><a aria-hidden="true" class="anchor" href="https://github.com/lcvvvv/kscan/blob/master/README_ENG.md#5-instructions" id="user-content-5-instructions"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"></svg></a></h2><h2 dir="auto">5 Instructions</h2>
<div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>usage: kscan [-h,--help,--fofa-syntax] (-t,--target,-f,--fofa,--spy) [-p,--port|--top] [-o,--output] [-oJ] [--proxy] [--threads] [--path] [--host] [--timeout] [-Pn] [-Cn] [-sV] [--check] [--encoding] [--hydra] [hydra options] [fofa options]
optional arguments:
-h , --help show this help message and exit
-f , --fofa Get the detection object from fofa, you need to configure the environment variables in advance: FOFA_EMAIL, FOFA_KEY
-t , --target Specify the detection target:
IP address: 114.114.114.114
IP address segment: 114.114.114.114/24, subnet mask less than 12 is not recommended
IP address range: 114.114.114.114-115.115.115.115
URL address: https://www.baidu.com
File address: file:/tmp/target.txt
--spy network segment detection mode, in this mode, the internal network segment reachable by the host will be automatically detected. The acceptable parameters are:
(empty), 192, 10, 172, all, specified IP address (the IP address B segment will be detected as the surviving gateway)
--check Fingerprinting the target address, only port detection will not be performed
--scan will perform port scanning and fingerprinting on the target objects provided by --fofa and --spy
-p , --port scan the specified port, TOP400 will be scanned by default, support: 80, 8080, 8088-8090
-eP, --excluded-port skip scanning specified ports,support:80,8080,8088-8090
-o , --output save scan results to file
-oJ save the scan results to a file in json format
-Pn After using this parameter, intelligent survivability detection will not be performed. Now intelligent survivability detection is enabled by default to improve efficiency.
-Cn With this parameter, the console output will not be colored.
-sV After using this parameter, all ports will be probed with full probes. This parameter greatly affects the efficiency, so use it with caution!
--top Scan the filtered common ports TopX, up to 1000, the default is TOP400
--proxy set proxy (socks5|socks4|https|http)://IP:Port
--threads thread parameter, the default thread is 100, the maximum value is 2048
--path specifies the directory to request access, only a single directory is supported
--host specifies the header Host value for all requests
--timeout set timeout
--encoding Set the terminal output encoding, which can be specified as: gb2312, utf-8
--match returns the banner to the asset for retrieval. If there is a keyword, it will be displayed, otherwise it will not be displayed
--hydra automatic blasting support protocol: ssh, rdp, ftp, smb, mysql, mssql, oracle, postgresql, mongodb, redis, all are enabled by default
hydra options:
--hydra-user custom hydra blasting username: username or user1,user2 or file:username.txt
--hydra-pass Custom hydra blasting password: password or pass1,pass2 or file:password.txt
If there is a comma in the password, use \, to escape, other symbols do not need to be escaped
--hydra-update Customize the user name and password mode. If this parameter is carried, it is a new mode, and the user name and password will be added to the default dictionary. Otherwise the default dictionary will be replaced.
--hydra-mod specifies the automatic brute force cracking module: rdp or rdp, ssh, smb
fofa options:
--fofa-syntax will get fofa search syntax description
--fofa-size will set the number of entries returned by fofa, the default is 100
--fofa-fix-keyword Modifies the keyword, and the {} in this parameter will eventually be replaced with the value of the -f parameter
</code></pre></div>
<p dir="auto">The functionality is not complicated; the remaining options can be explored on your own.</p>
<h2 dir="auto"><a aria-hidden="true" class="anchor" href="https://github.com/lcvvvv/kscan/blob/master/README_ENG.md#6-demo" id="user-content-6-demo"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"></svg></a>6 Demo</h2>
<h3 dir="auto"><a aria-hidden="true" class="anchor" href="https://github.com/lcvvvv/kscan/blob/master/README_ENG.md#61-port-scan-mode" id="user-content-61-port-scan-mode"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"></svg></a></h3><h3 dir="auto">6.1 Port Scan Mode</h3></div> <p dir="auto" style="text-align: center;"><a href="https://github.com/lcvvvv/kscan/blob/master/assets/%E7%AB%AF%E5%8F%A3%E6%89%AB%E6%8F%8F%E6%BC%94%E7%A4%BA.png" rel="nofollow" target="_blank" title="Kscan&#26159;&#19968;&#27454;&#32431;go&#24320;&#21457;&#30340;&#20840;&#26041;&#20301;&#25195;&#25551;&#22120;&#65292;&#20855;&#22791;&#31471;&#21475;&#25195;&#25551;&#12289;&#21327;&#35758;&#26816;&#27979;&#12289;&#25351;&#32441;&#35782;&#21035;&#65292;&#26292;&#21147;&#30772;&#35299;&#31561;&#21151;&#33021;&#12290;&#25903;&#25345;&#21327;&#35758;1200+&#65292;&#21327;&#35758;&#25351;&#32441;10000+&#65292;&#24212;&#29992;&#25351;&#32441;20000+&#65292;&#26292;&#21147;&#30772;&#35299;&#21327;&#35758;10&#20313;&#31181;&#12290; (11)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi_YvR6obDf0VIKelUhdE6Av2sgfTm100L7F2qU-CnkbN5MOJVlNU6BF-OmLzNo_QpQmra52zsL-ObWeAP9OPDYKaG8lftTrV4gPmopQwNuokn8_poTn09QKGXC7Ghe2lS--YN70xdyZ6FhDBvNEOJZ-81w24xFH7yxeyLXggskYr-0fFZ2TkrzQq1shA"><img alt="" border="0" height="302" id="BLOGGER_PHOTO_ID_7173885060284416338" src="https://blogger.googleusercontent.com/img/a/AVvXsEi_YvR6obDf0VIKelUhdE6Av2sgfTm100L7F2qU-CnkbN5MOJVlNU6BF-OmLzNo_QpQmra52zsL-ObWeAP9OPDYKaG8lftTrV4gPmopQwNuokn8_poTn09QKGXC7Ghe2lS--YN70xdyZ6FhDBvNEOJZ-81w24xFH7yxeyLXggskYr-0fFZ2TkrzQq1shA=w640-h302" width="640" /></a></p> <h3 dir="auto">6.2 Survival network segment detection</h3> <p dir="auto" style="text-align: center;"><a href="https://github.com/lcvvvv/kscan/blob/master/assets/%E5%AD%98%E6%B4%BB%E7%BD%91%E6%AE%B5%E6%A3%80%E6%B5%8B%E6%BC%94%E7%A4%BA.jpg" rel="nofollow" target="_blank" 
title="Kscan&#26159;&#19968;&#27454;&#32431;go&#24320;&#21457;&#30340;&#20840;&#26041;&#20301;&#25195;&#25551;&#22120;&#65292;&#20855;&#22791;&#31471;&#21475;&#25195;&#25551;&#12289;&#21327;&#35758;&#26816;&#27979;&#12289;&#25351;&#32441;&#35782;&#21035;&#65292;&#26292;&#21147;&#30772;&#35299;&#31561;&#21151;&#33021;&#12290;&#25903;&#25345;&#21327;&#35758;1200+&#65292;&#21327;&#35758;&#25351;&#32441;10000+&#65292;&#24212;&#29992;&#25351;&#32441;20000+&#65292;&#26292;&#21147;&#30772;&#35299;&#21327;&#35758;10&#20313;&#31181;&#12290; (12)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjkNTLq54QNfCOXoaaqAVMgklvMGDH-2SnPi9rc57zjmaqGczeeieBucMk_YbGI6XGABuX91CazXPqYh4Vr1GioqrnAayEzsrTR5JcD-BgMQ6IMmY4d4M1j2GX78yrSq4j8Sqq4pRcf9o_Pj1N41MBM6VOo2OQ1Y4cO7oWZWa2VjThsaQ3pl3QN_pz6Uw"><img alt="" border="0" height="332" id="BLOGGER_PHOTO_ID_7173885069788206946" src="https://blogger.googleusercontent.com/img/a/AVvXsEjkNTLq54QNfCOXoaaqAVMgklvMGDH-2SnPi9rc57zjmaqGczeeieBucMk_YbGI6XGABuX91CazXPqYh4Vr1GioqrnAayEzsrTR5JcD-BgMQ6IMmY4d4M1j2GX78yrSq4j8Sqq4pRcf9o_Pj1N41MBM6VOo2OQ1Y4cO7oWZWa2VjThsaQ3pl3QN_pz6Uw=w640-h332" width="640" /></a></p> <h3 dir="auto">6.3 Fofa result retrieval</h3> <p dir="auto" style="text-align: center;"><a href="https://github.com/lcvvvv/kscan/blob/master/assets/Fofa%E7%BB%93%E6%9E%9C%E6%A3%80%E7%B4%A2%E6%BC%94%E7%A4%BA.png" rel="nofollow" target="_blank" title="Kscan&#26159;&#19968;&#27454;&#32431;go&#24320;&#21457;&#30340;&#20840;&#26041;&#20301;&#25195;&#25551;&#22120;&#65292;&#20855;&#22791;&#31471;&#21475;&#25195;&#25551;&#12289;&#21327;&#35758;&#26816;&#27979;&#12289;&#25351;&#32441;&#35782;&#21035;&#65292;&#26292;&#21147;&#30772;&#35299;&#31561;&#21151;&#33021;&#12290;&#25903;&#25345;&#21327;&#35758;1200+&#65292;&#21327;&#35758;&#25351;&#32441;10000+&#65292;&#24212;&#29992;&#25351;&#32441;20000+&#65292;&#26292;&#21147;&#30772;&#35299;&#21327;&#35758;10&#20313;&#31181;&#12290; (13)"></a><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEgPxm8GwO__IeaqRYwlgNgjjKaz859kXcnoIFAOXzsuFiTq43JEeMBcw1tPWb2mB9GTYsDgJEiKZYgkZkI9Tjd06RARoRwjdQcoqwfFpXKRwdiKbQIEaPyjMzUsKKtLbEyzG0fTST58xrW4nj7kzr1_DJr80Bg4gCpTI5rhQQ172MKBgfI13nvj-BCGAQ"><img alt="" border="0" height="322" id="BLOGGER_PHOTO_ID_7173885072952435986" src="https://blogger.googleusercontent.com/img/a/AVvXsEgPxm8GwO__IeaqRYwlgNgjjKaz859kXcnoIFAOXzsuFiTq43JEeMBcw1tPWb2mB9GTYsDgJEiKZYgkZkI9Tjd06RARoRwjdQcoqwfFpXKRwdiKbQIEaPyjMzUsKKtLbEyzG0fTST58xrW4nj7kzr1_DJr80Bg4gCpTI5rhQQ172MKBgfI13nvj-BCGAQ=w640-h322" width="640" /></a></p> <h3 dir="auto">6.4 Brute-force cracking</h3> <p dir="auto" style="text-align: center;"><a href="https://github.com/lcvvvv/kscan/blob/master/assets/Hydra%E5%8A%9F%E8%83%BD%E6%BC%94%E7%A4%BA.png" rel="nofollow" target="_blank" title="Kscan&#26159;&#19968;&#27454;&#32431;go&#24320;&#21457;&#30340;&#20840;&#26041;&#20301;&#25195;&#25551;&#22120;&#65292;&#20855;&#22791;&#31471;&#21475;&#25195;&#25551;&#12289;&#21327;&#35758;&#26816;&#27979;&#12289;&#25351;&#32441;&#35782;&#21035;&#65292;&#26292;&#21147;&#30772;&#35299;&#31561;&#21151;&#33021;&#12290;&#25903;&#25345;&#21327;&#35758;1200+&#65292;&#21327;&#35758;&#25351;&#32441;10000+&#65292;&#24212;&#29992;&#25351;&#32441;20000+&#65292;&#26292;&#21147;&#30772;&#35299;&#21327;&#35758;10&#20313;&#31181;&#12290; (14)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhJZjTh9puP92ZB2xhLfjw572LW29Zwkglh3CTg0W2elklOFf5pPH0-NxM6PYvQ56qYFhpHFSwsH2x3DV33bGjsvUi_-_teBFo0SD3KT7e_YAL0dwlYMqeI0s3I0E9ubaQwtaP-mXkzcEjZOI7ggPVyn50GnPyWREiyifk3lKq9_5RBZti8N13OGaEoHQ"><img alt="" border="0" height="322" id="BLOGGER_PHOTO_ID_7173885082915901202" src="https://blogger.googleusercontent.com/img/a/AVvXsEhJZjTh9puP92ZB2xhLfjw572LW29Zwkglh3CTg0W2elklOFf5pPH0-NxM6PYvQ56qYFhpHFSwsH2x3DV33bGjsvUi_-_teBFo0SD3KT7e_YAL0dwlYMqeI0s3I0E9ubaQwtaP-mXkzcEjZOI7ggPVyn50GnPyWREiyifk3lKq9_5RBZti8N13OGaEoHQ=w640-h322" width="640" /></a></p> <h3 dir="auto">6.5 
CDN identification</h3> <p dir="auto" style="text-align: center;"><a href="https://github.com/lcvvvv/kscan/blob/master/assets/CDN%E8%AF%86%E5%88%AB%E6%BC%94%E7%A4%BA.jpg" rel="nofollow" target="_blank" title="Kscan&#26159;&#19968;&#27454;&#32431;go&#24320;&#21457;&#30340;&#20840;&#26041;&#20301;&#25195;&#25551;&#22120;&#65292;&#20855;&#22791;&#31471;&#21475;&#25195;&#25551;&#12289;&#21327;&#35758;&#26816;&#27979;&#12289;&#25351;&#32441;&#35782;&#21035;&#65292;&#26292;&#21147;&#30772;&#35299;&#31561;&#21151;&#33021;&#12290;&#25903;&#25345;&#21327;&#35758;1200+&#65292;&#21327;&#35758;&#25351;&#32441;10000+&#65292;&#24212;&#29992;&#25351;&#32441;20000+&#65292;&#26292;&#21147;&#30772;&#35299;&#21327;&#35758;10&#20313;&#31181;&#12290; (15)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg2ZQNKb7wpPslX8QL7wTuQo-blvYSWX9GLG89m6bUkyHTXCm7ACU11iPKqzGvS81EOv0SAkpZ9PCRtLgkPff6yolVbk7LdxzK3BD34EAfedgsg_5aT44iti_U0MPZ4H3tWT1MmJ3OMpbgfVAiLQDu61St33QOncxvAS4JWDbU1l0mU2YRVRu-sCYV5_g"><img alt="" border="0" height="332" id="BLOGGER_PHOTO_ID_7173885092223081138" src="https://blogger.googleusercontent.com/img/a/AVvXsEg2ZQNKb7wpPslX8QL7wTuQo-blvYSWX9GLG89m6bUkyHTXCm7ACU11iPKqzGvS81EOv0SAkpZ9PCRtLgkPff6yolVbk7LdxzK3BD34EAfedgsg_5aT44iti_U0MPZ4H3tWT1MmJ3OMpbgfVAiLQDu61St33QOncxvAS4JWDbU1l0mU2YRVRu-sCYV5_g=w640-h332" width="640" /></a></p> <div style="text-align: left;"><h2 dir="auto"><a aria-hidden="true" class="anchor" href="https://github.com/lcvvvv/kscan/blob/master/README_ENG.md#7-special-thanks" id="user-content-7-special-thanks"><svg aria-hidden="true" class="octicon octicon-link" height="16" version="1.1" viewbox="0 0 16 16" width="16"></svg></a>7 Special thanks</h2>
<ul dir="auto">
<li>
<p dir="auto"><a href="https://github.com/EdgeSecurityTeam">EdgeSecurityTeam</a></p>
</li>
<li>
<p dir="auto"><a href="https://github.com/dr0op/bufferfly">bufferfly</a></p>
</li>
<li>
<p dir="auto"><a href="https://github.com/EdgeSecurityTeam/EHole">EHole(Edge Hole)</a></p>
</li>
<li>
<p dir="auto"><a href="https://github.com/nmap/nmap/">NMAP</a></p>
</li>
<li>
<p dir="auto"><a href="https://github.com/tomatome/grdp/">grdp</a></p>
</li>
<li>
<p dir="auto"><a href="https://github.com/shadow1ng/fscan">fscan</a></p>
</li>
<li>
<p dir="auto"><a href="https://github.com/zhzyker/dismap">dismap</a></p>
</li></ul></div> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/lcvvvv/kscan" rel="nofollow" target="_blank" title="Download Kscan">Download Kscan</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-80985693540620735462023-01-08T08:30:00.006-03:002023-01-08T08:30:00.244-03:00AceLdr - Cobalt Strike UDRL For Memory Scanner Evasion<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhZeWXaM7lP8v3qst9OxNnwL3j8pK1LRyKzwJDsJuuyImNffH3_PQ3K9OEU4LIwv4ke_lsKP8MD1jigC9_EJJUQYJp1JfLaIb86fwgWN_c619d9458BcnRJPJnXrzpTst3nmmbGINlyvj2-1CDfiNW7C-6v4bwYOPM2HsLa-4QHGgVCp_k_QH-cmXW31A"><img alt="" border="0" height="360" id="BLOGGER_PHOTO_ID_7173884565671464482" src="https://blogger.googleusercontent.com/img/a/AVvXsEhZeWXaM7lP8v3qst9OxNnwL3j8pK1LRyKzwJDsJuuyImNffH3_PQ3K9OEU4LIwv4ke_lsKP8MD1jigC9_EJJUQYJp1JfLaIb86fwgWN_c619d9458BcnRJPJnXrzpTst3nmmbGINlyvj2-1CDfiNW7C-6v4bwYOPM2HsLa-4QHGgVCp_k_QH-cmXW31A=w640-h360" width="640" /></a></p><br /> <p dir="auto">A position-independent reflective loader for Cobalt Strike. 
Zero results from <a href="https://github.com/thefLink/Hunt-Sleeping-Beacons" rel="nofollow" target="_blank" title="Hunt-Sleeping-Beacons">Hunt-Sleeping-Beacons</a>, <a href="https://github.com/3lp4tr0n/BeaconHunter" rel="nofollow" target="_blank" title="BeaconHunter">BeaconHunter</a>, <a href="https://github.com/CCob/BeaconEye" rel="nofollow" target="_blank" title="BeaconEye">BeaconEye</a>, <a href="https://github.com/joe-desimone/patriot" rel="nofollow" target="_blank" title="Patriot">Patriot</a>, <a href="https://github.com/forrest-orr/moneta" rel="nofollow" target="_blank" title="Moneta">Moneta</a>, <a href="https://github.com/hasherezade/pe-sieve" rel="nofollow" target="_blank" title="PE-sieve">PE-sieve</a>, or <a href="https://github.com/waldo-irc/MalMemDetect" rel="nofollow" target="_blank" title="MalMemDetect">MalMemDetect</a>. </p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto">Features</h2> <h4 dir="auto">Easy to Use</h4> <p dir="auto">Import a single CNA script before generating shellcode.</p> <h4 dir="auto">Dynamic Memory Encryption</h4> <p dir="auto">Creates a new heap for any allocations from <a href="https://www.kitploit.com/search/label/Beacon" target="_blank" title="Beacon">Beacon</a> and encrypts entries before sleep.</p> <h4 dir="auto">Code <a href="https://www.kitploit.com/search/label/Obfuscation" target="_blank" title="Obfuscation">Obfuscation</a> and Encryption</h4> <p dir="auto">Changes the memory containing CS executable code to non-executable and encrypts it (FOLIAGE).</p> <h4 dir="auto">Return Address <a href="https://www.kitploit.com/search/label/Spoofing" target="_blank" title="Spoofing">Spoofing</a> at Execution</h4> <p dir="auto">Certain WinAPI calls are executed with a spoofed return address (InternetConnectA, NtWaitForSingleObject, RtlAllocateHeap).</p> <h4 dir="auto">Sleep Without Sleep</h4> <p dir="auto">Delayed execution using WaitForSingleObjectEx.</p> <h4 dir="auto">RC4 Encryption</h4> <p dir="auto">All 
<a href="https://www.kitploit.com/search/label/Encryption" target="_blank" title="encryption">encryption</a> performed with SystemFunction032.</p> <h2 dir="auto">Known Issues</h2> <ul dir="auto"> <li>Not compatible with loaders that rely on the shellcode thread staying alive.</li> </ul> <h2 dir="auto">References</h2> <p dir="auto">This project would not have been possible without the following:</p> <ul dir="auto"> <li><a href="https://github.com/secidiot/FOLIAGE" rel="nofollow" target="_blank" title="FOLIAGE">FOLIAGE</a></li> <li><a href="https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html" rel="nofollow" target="_blank" title="x64 return address spoofing (source + explanation)">x64 return address spoofing (source + explanation)</a></li> </ul> <p dir="auto">Other features and inspiration were taken from the following:</p> <ul dir="auto"> <li><a href="https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/" rel="nofollow" target="_blank" title="https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/">https://www.arashparsa.com/bypassing-pesieve-and-moneta-the-easiest-way-i-could-find/</a></li> <li><a href="https://github.com/secidiot/TitanLdr" rel="nofollow" target="_blank" title="https://github.com/secidiot/TitanLdr">https://github.com/secidiot/TitanLdr</a></li> <li><a href="https://github.com/JLospinoso/gargoyle" rel="nofollow" target="_blank" title="https://github.com/JLospinoso/gargoyle">https://github.com/JLospinoso/gargoyle</a></li> <li><a href="https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta" rel="nofollow" target="_blank" title="https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta">https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta</a></li> <li><a 
href="https://www.arashparsa.com/hook-heaps-and-live-free/" rel="nofollow" target="_blank" title="https://www.arashparsa.com/hook-heaps-and-live-free/">https://www.arashparsa.com/hook-heaps-and-live-free/</a></li> <li><a href="https://blog.f-secure.com/hunting-for-gargoyle-memory-scanning-evasion/" rel="nofollow" target="_blank" title="https://blog.f-secure.com/hunting-for-gargoyle-memory-scanning-evasion/">https://blog.f-secure.com/hunting-for-gargoyle-memory-scanning-evasion/</a></li> <li><a href="https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures" rel="nofollow" target="_blank" title="https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures">https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures</a></li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/kyleavery/AceLdr" rel="nofollow" target="_blank" title="Download AceLdr">Download AceLdr</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-12870405876283000802022-12-23T08:30:00.015-03:002022-12-23T08:30:00.265-03:00S3Crets_Scanner - Hunting For Secrets Uploaded To Public S3 Buckets<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj9Ahc2RsjM17KYp8WaTL_xp0roZiIbE5Xbu60gjF4E2beYJy47tn2Vv8-ZtfnvtIF7_4FQ7m5Kq40bUlY2tad0NYtdGCCvwNruBw9RuVYD73dZJt9CIn7O6bE2nrOlHZyERrgHBOrb4LceULA0-i-tDJZSFx6d68AGYrvjO4QBWUNCDZOXIM8QZJzVbg"><img alt="" border="0" id="BLOGGER_PHOTO_ID_7173881064504770658" src="https://blogger.googleusercontent.com/img/a/AVvXsEj9Ahc2RsjM17KYp8WaTL_xp0roZiIbE5Xbu60gjF4E2beYJy47tn2Vv8-ZtfnvtIF7_4FQ7m5Kq40bUlY2tad0NYtdGCCvwNruBw9RuVYD73dZJt9CIn7O6bE2nrOlHZyERrgHBOrb4LceULA0-i-tDJZSFx6d68AGYrvjO4QBWUNCDZOXIM8QZJzVbg=s16000" /></a></p><p><br /></p> <ul dir="auto"> <li><code>S3cret Scanner</code> tool designed to provide a complementary layer for the <a 
href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html" rel="nofollow" target="_blank" title="Amazon S3 Security Best Practices">Amazon S3 Security Best Practices</a> by proactively hunting secrets in public S3 buckets.</li> <li>Can be executed as <code>scheduled task</code> or <code>On-Demand</code></li> </ul><div><span><a name='more'></a></span><span style="font-family: monospace;"><br /></span></div> <h2 dir="auto">Automation workflow</h2> <p dir="auto">The <a href="https://www.kitploit.com/search/label/Automation" target="_blank" title="automation">automation</a> will perform the following actions:</p> <ol dir="auto"> <li>List the public buckets in the account (Set with ACL of <code>Public</code> or <code>objects can be public</code>)</li> <li>List the textual or sensitive files (i.e. <code>.p12</code>, <code>.pgp</code> and more)</li> <li>Download, scan (using truffleHog3) and delete the files from disk, once done evaluating, one by one.</li> <li>The <a href="https://www.kitploit.com/search/label/Logs" target="_blank" title="logs">logs</a> will be created in <code>logger.log</code> file.</li> </ol> <hr /> <h2 dir="auto">Prerequisites</h2> <ol dir="auto"> <li>Python 3.6 or above</li> <li>TruffleHog3 installed in $PATH</li> <li>An AWS role with the following permissions:</li> </ol> <div class="highlight highlight-source-json notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:GetLifecycleConfiguration", "s3:GetBucketTagging", "s3:ListBucket", "s3:GetAccelerateConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus", "s3:GetBucketAcl", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" } ] }" dir="auto"><pre><code>{<br /> "Version": "2012-10-17",<br /> 
"Statement": [<br /> {<br /> "Sid": "VisualEditor0",<br /> "Effect": "Allow",<br /> "Action": [<br /> "s3:GetLifecycleConfiguration",<br /> "s3:GetBucketTagging",<br /> "s3:ListBucket",<br /> "s3:GetAccelerateConfiguration",<br /> "s3:GetBucketPolicy",<br /> "s3:GetBucketPublicAccessBlock",<br /> "s3:GetBucketPolicyStatus",<br /> "s3:GetBucketAcl",<br /> "s3:GetBucketLocation"<br /> ],<br /> "Resource": "arn:aws:s3:::*"<br /> },<br /> {<br /> "Sid": "VisualEditor1",<br /> "Effect": "Allow",<br /> "Action": "s3:ListAllMyBuckets",<br /> "Resource": "*"<br /> }<br /> ]<br />}</code></pre></div> <ol dir="auto" start="4"> <li>If you're using a CSV file - make sure to place the file <code>accounts.csv</code> in the <code>csv</code> directory, in the following format:</li> </ol> <div><pre><code>Account name,Account id<br />prod,123456789<br />ci,321654987<br />dev,148739578<br /></code></pre></div> <hr /> <h2 dir="auto">Getting started</h2> <p dir="auto">Use <a href="https://pip.pypa.io/en/stable/" rel="nofollow" target="_blank" title="pip">pip</a> to install the needed requirements.</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="# Clone the repo git clone <repo> # Install requirements pip3 install -r requirements.txt # Install trufflehog3 pip3 install trufflehog3" dir="auto"><pre><code># Clone the repo<br />git clone <repo><br /><br /># Install requirements<br />pip3 install -r requirements.txt<br /><br /># Install trufflehog3<br />pip3 install trufflehog3</code></pre></div> <hr /> <h2 dir="auto">Usage</h2> <table> <tbody><tr> <th align="center">Argument</th> <th align="center">Values</th> <th align="center">Description</th> <th align="center">Required</th> </tr> <tr> <td align="center">-p, --aws_profile</td> <td align="center"></td> <td align="center">The aws profile name for the <a href="https://www.kitploit.com/search/label/Access" target="_blank" title="access">access</a> keys</td> 
<td align="center">✓</td> </tr> <tr> <td align="center">-r, --scanner_role</td> <td align="center"></td> <td align="center">The aws scanner's role name</td> <td align="center">✓</td> </tr> <tr> <td align="center">-m, --method</td> <td align="center">internal</td> <td align="center">the scan type</td> <td align="center">✓</td> </tr> <tr> <td align="center">-l, --last_modified</td> <td align="center">1-365</td> <td align="center">Number of days to scan since the file was last modified; <em>Default - 1</em></td> <td align="center">✗</td> </tr> </tbody></table> <h3 dir="auto">Usage Examples</h3> <h2 dir="auto"><code>python3 main.py -p secTeam -r secteam-inspect-s3-buckets -l 1</code></h2> <h2 dir="auto">Demo</h2> <p dir="auto" style="text-align: center;"><a href="https://github.com/Eilonh/s3crets_scanner/blob/main/DOCS/scanner_gif.gif" rel="nofollow" target="_blank" title="$ (8)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhDIFxgqRKTgBeHaUas40X6UFAX8cQtxAN_2-70ey9BInFW4J_kYMbcjjDJkyylOEHXUXcBsKfOP_duCQEJImFJ1OpWqvbVLHSo13_Fu6G2CyYusTM20JLxIOHf9U838kJBhm4yQh0iocIp_P3f6AA15PCksrWpevHciu-4A9YyQCW9n0xgY-DE6Y-mPw"><img alt="" border="0" height="236" id="BLOGGER_PHOTO_ID_7173881071595945890" src="https://blogger.googleusercontent.com/img/a/AVvXsEhDIFxgqRKTgBeHaUas40X6UFAX8cQtxAN_2-70ey9BInFW4J_kYMbcjjDJkyylOEHXUXcBsKfOP_duCQEJImFJ1OpWqvbVLHSo13_Fu6G2CyYusTM20JLxIOHf9U838kJBhm4yQh0iocIp_P3f6AA15PCksrWpevHciu-4A9YyQCW9n0xgY-DE6Y-mPw=w640-h236" width="640" /></a></p><p dir="auto" style="text-align: center;"><br /></p> <h2 dir="auto">Contributing</h2> <p dir="auto">Pull requests and forks are welcome. 
For major changes, please open an issue first to discuss what you would like to change.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Eilonh/s3crets_scanner" rel="nofollow" target="_blank" title="Download S3Crets_Scanner">Download S3Crets_Scanner</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-73172537105953924652022-12-05T08:30:00.006-03:002022-12-05T08:30:00.270-03:00Scscanner - Tool To Read Website Status Code Response From The Lists<p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjB2azR3JMgJj8csRxnasfv3hpIGKtEs7KsxD9Gr7I9YCZEgqJQxJ1NW8ysp_j8a9JuyuaAj1OGW_jo72-kFiBngNk29ZJgOPayjos6v615yBq4-onZ0Wfmr6Tbj8YTBG_YXHZelr0-iwVexoa-kvcBzZbZge4WpG4SEueMv022mzqRhKDy-EIrivpc3g"><img alt="" border="0" height="392" id="BLOGGER_PHOTO_ID_7171059756431224210" src="https://blogger.googleusercontent.com/img/a/AVvXsEjB2azR3JMgJj8csRxnasfv3hpIGKtEs7KsxD9Gr7I9YCZEgqJQxJ1NW8ysp_j8a9JuyuaAj1OGW_jo72-kFiBngNk29ZJgOPayjos6v615yBq4-onZ0Wfmr6Tbj8YTBG_YXHZelr0-iwVexoa-kvcBzZbZge4WpG4SEueMv022mzqRhKDy-EIrivpc3g=w640-h392" width="640" /></a></p><br /> <p dir="auto">scscanner is tool to read <a href="https://www.kitploit.com/search/label/Website" target="_blank" title="website">website</a> status code response from the lists. This tool have ability to filter only spesific status code, and save the result to a file.</p> <h2 dir="auto">Feature</h2> <ul dir="auto"> <li>Slight dependency. This tool only need <strong>curl</strong> to be installed</li> <li>Multi-processing. <a href="https://www.kitploit.com/search/label/Scanning" target="_blank" title="Scanning">Scanning</a> will be more faster with multi-processing</li> <li>Filter status code. 
If you want only spesific status code (ex: 200) from the list, this tool will help you</li> </ul><span><a name='more'></a></span><div><br /></div> <h2 dir="auto">Usage</h2> <div><pre><code>┌──(miku㉿nakano)-[~/scscanner]<br />└─$ bash scscanner.sh<br /><br />scscanner - Massive Status Code Scanner<br />Codename : EVA02<br /><br />Example: bash scscanner.sh -l domain.txt -t 30<br />options:<br />-l Files contain lists of domain.<br />-t Adjust multi process. Default is 15<br />-f Filter status code.<br />-o Save to file.<br />-h Print this Help.<br /></code></pre></div> <p dir="auto">Adjust multi-process</p> <div><pre><code>bash scscanner.sh -l domain.txt -t 30<br /></code></pre></div> <p dir="auto">Using status code filter</p> <div><pre><code>bash scscanner.sh -l domain.txt -f 200<br /></code></pre></div> <p dir="auto">Using status code filter and save to file.</p> <div><pre><code>bash scscanner.sh -l domain.txt -f 200 -o result.txt<br /></code></pre></div> <h2 dir="auto">Screenshot</h2> <p dir="auto" style="text-align: center;"><a href="https://camo.githubusercontent.com/434504e2e2dc3214d0c271c6efcf3ed0c5cf27d8a60d89cb10e17538a089e412/68747470733a2f2f626c6f676765722e676f6f676c6575736572636f6e74656e742e636f6d2f696d672f622f523239765a32786c2f4156765873456a6d356f59714e766745377670556732564e6b6c4d744c4649687a55304b463963336864417656584e4534444f6e6b776b4764535a526c35675f59736a79654f656e5a7675795f46417737475763423233736b314d4f54652d707a55677373375a5a677571594f70552d30655146486754736d6474374c4d79355341795f35423941626c764a764365634b5866735053567a62364c387342597a555570464a466e65747438434d6a4e39686b6b7275377475526f5f414a785f4a68512f733730382f73637363616e6e65722e706e67" rel="nofollow" target="_blank" title="scscanner is tool to read website status code response from the lists. 
(3)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjB2azR3JMgJj8csRxnasfv3hpIGKtEs7KsxD9Gr7I9YCZEgqJQxJ1NW8ysp_j8a9JuyuaAj1OGW_jo72-kFiBngNk29ZJgOPayjos6v615yBq4-onZ0Wfmr6Tbj8YTBG_YXHZelr0-iwVexoa-kvcBzZbZge4WpG4SEueMv022mzqRhKDy-EIrivpc3g"><img alt="" border="0" height="392" id="BLOGGER_PHOTO_ID_7171059756431224210" src="https://blogger.googleusercontent.com/img/a/AVvXsEjB2azR3JMgJj8csRxnasfv3hpIGKtEs7KsxD9Gr7I9YCZEgqJQxJ1NW8ysp_j8a9JuyuaAj1OGW_jo72-kFiBngNk29ZJgOPayjos6v615yBq4-onZ0Wfmr6Tbj8YTBG_YXHZelr0-iwVexoa-kvcBzZbZge4WpG4SEueMv022mzqRhKDy-EIrivpc3g=w640-h392" width="640" /></a></p> <p dir="auto" style="text-align: center;"><a href="https://camo.githubusercontent.com/a151d195b672d00b859a50d2137f600269d73691c248ba9ec44a629f2075d74e/68747470733a2f2f626c6f676765722e676f6f676c6575736572636f6e74656e742e636f6d2f696d672f622f523239765a32786c2f4156765873456a6241685962514b35356634474d54415074504e7332716d696e4c3559457a6a33366b393864326e4c7a325957327a6474615471476f7674444c4374706a384a4e5379614d63444b71514f616b7843346f336d5655566968617565385137653868466b726b4275746f6732657139566e6a50664d5a69356e7a742d6a676c567a5a66733677646558315a484b336f5a6d4d6c6b416833634247514b2d4667504649575938437847396c3656316e43505f3063506a41796d73544748672f733730382f73637363616e6e65722532307361766564253230726573756c742e706e67" rel="nofollow" target="_blank" title="scscanner is tool to read website status code response from the lists. 
(4)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhf7t16w6RgsGW0CjHTDOxcoK31IguDin5hzqGJj1UMl2yP77Ch5vBBy-zk_WKPSHFumRh6Rn0mscz9qgopS2yY5M11vdgR9RJkhCodjbF-TcyNROhYJ3GEHxbmOdu0fHpNQUBj8gg5dvabKhvTFsmey-2rqiRENWOebamPiiU7nXsK-HeK2Reula2P6g"><img alt="" border="0" height="336" id="BLOGGER_PHOTO_ID_7171059760473852402" src="https://blogger.googleusercontent.com/img/a/AVvXsEhf7t16w6RgsGW0CjHTDOxcoK31IguDin5hzqGJj1UMl2yP77Ch5vBBy-zk_WKPSHFumRh6Rn0mscz9qgopS2yY5M11vdgR9RJkhCodjbF-TcyNROhYJ3GEHxbmOdu0fHpNQUBj8gg5dvabKhvTFsmey-2rqiRENWOebamPiiU7nXsK-HeK2Reula2P6g=w640-h336" width="640" /></a></p> <h1 dir="auto">To do List</h1> <ul class="contains-task-list"> <li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Add multi-processing</li> <li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Add filter status code options</li> <li class="task-list-item"><input checked="" class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Add save to file options</li> <li class="task-list-item"><input class="task-list-item-checkbox" disabled="" id="" type="checkbox" /> Get title from page</li> </ul> <p dir="auto">Feel free to contribute if you want to improve this tools.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/yuyudhn/scscanner" rel="nofollow" target="_blank" title="Download Scscanner">Download Scscanner</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-42441636518193725232022-11-24T08:30:00.001-03:002022-11-24T08:30:00.276-03:00Octopii - An AI-powered Personal Identifiable Information (PII) Scanner<div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl7y0H8E0c68PUx70aQgM0Qko_TTERb2eKshlTC38Wzh4Y-x5Tce2Y5_cxwE8ZTRIEPvyaJ9nD-5cMNNfA8VyxTKa4ut7KudsSGrg99qvQOcIrtlcBWbA47slLlx1RH4sjQ2U7M0brNhqKgPvMik_WSJ0R0wKFKIaeFJoodAPf2BxGl9s6WmpEpYtuuA/s715/Octopii.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="496" data-original-width="715" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl7y0H8E0c68PUx70aQgM0Qko_TTERb2eKshlTC38Wzh4Y-x5Tce2Y5_cxwE8ZTRIEPvyaJ9nD-5cMNNfA8VyxTKa4ut7KudsSGrg99qvQOcIrtlcBWbA47slLlx1RH4sjQ2U7M0brNhqKgPvMik_WSJ0R0wKFKIaeFJoodAPf2BxGl9s6WmpEpYtuuA/s16000/Octopii.png" /></a></div><p><br /></p>
<p dir="auto">Octopii is an open-source AI-powered Personal Identifiable Information (PII) scanner that can look for image assets such as Government IDs, passports, photos and signatures in a directory.</p><span><a name='more'></a></span><p dir="auto"><br /></p>
<h2 dir="auto">Working</h2>
<p dir="auto">Octopii uses Tesseract's Optical Character <a href="https://www.kitploit.com/search/label/Recognition" target="_blank" title="Recognition">Recognition</a> (OCR) and Keras' Convolutional Neural Networks (CNN) models to detect various forms of personal identifiable information that may be leaked on a publicly facing location. This is done in the following steps:</p>
<h3 dir="auto">1. Importing and cleaning image(s)</h3>
<p dir="auto">The image is imported via OpenCV and Python Imaging Library (PIL) and is cleaned, deskewed and rotated for scanning.</p>
<h3 dir="auto">2. Performing image classification and Optical Character Recognition (OCR)</h3>
<p dir="auto">A <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="directory">directory</a> is looped over and searched for images. These images are scanned for unique features via the image classifier (done by comparing them to a trained model), along with OCR for finding substrings within the image. This may have one of the following outcomes:</p>
<ul dir="auto">
<li>
<p dir="auto"><strong>Best case</strong> (score >=90): The image is sent into the image classifier algorithm to be scanned for features such as an ISO/IEC 7810 card specification, colors, location of text, photos, holograms etc. If it is successfully classified as a type of PII, OCR is performed on it looking for particular words and strings as a final check. When both of these are confirmed, the result from Octopii is extremely reliable.</p>
</li>
<li>
<p dir="auto"><strong>Average case</strong> (score >=50): The image is partially/incorrectly identified by the image classifier algorithm, but an OCR check finds contradicting substrings and reclassifies it.</p>
</li>
<li>
<p dir="auto"><strong>Worst case</strong> (score >=0): The image is only identified by the image classifier algorithm but an OCR scan returns no results.</p>
</li>
<li>
<p dir="auto"><strong>Incorrect classification</strong>: False positives due to a very small model or OCR list may incorrectly classify PIIs, giving inaccurate results.</p>
</li>
</ul>
<p dir="auto">As a final verification method, images are scanned for certain strings to verify the accuracy of the model.</p>
<p dir="auto">The accuracy of the scan can be determined from the confidence scores in the output. If all the mentioned conditions are met, a score of 100.0 is returned.</p>
<p dir="auto">To train the model, data can also be fed into the <code>model_generator.py</code> script, and the newly improved h5 file can be used.</p>
<h2 dir="auto">Usage</h2>
<ol dir="auto">
<li>Install all dependencies via <code>pip install -r requirements.txt</code>.</li>
<li>Install the Tesseract helper locally via <code>sudo apt install tesseract-ocr -y</code> (for Ubuntu/Debian).</li>
<li>To run Octopii, type <code>python3 octopii.py &lt;location name&gt;</code>, for example <code>python3 octopii.py pii_list/</code></li>
</ol>
<div><pre><code>python3 octopii.py &lt;location to scan&gt; &lt;additional flags&gt;<br /></code></pre></div>
<p dir="auto">Octopii currently supports local scanning and scanning S3 directories and open directory listings via their URLs.</p>
<h3 dir="auto">Example</h3>
<div><h2 dir="auto">Contributing</h2>
<p dir="auto">Open-source projects like these thrive on community support. Since Octopii relies heavily on <a href="https://www.kitploit.com/search/label/Machine%20Learning" target="_blank" title="machine learning">machine learning</a> and optical character recognition, contributions are much appreciated. Here's how to contribute:</p>
<h3 dir="auto">1. Fork</h3>
<p dir="auto">Fork the official repository at <a href="https://github.com/redhuntlabs/octopii" rel="nofollow" target="_blank" title="https://github.com/redhuntlabs/octopii">https://github.com/redhuntlabs/octopii</a></p>
<h3 dir="auto">2. Understand</h3>
<p dir="auto">There are 3 files in the <code>models/</code> directory.</p>
<ul dir="auto">
<li>The <code>keras_models.h5</code> file is the Keras h5 model that can be obtained from Google's Teachable Machine or via Keras in Python.</li>
<li>The <code>labels.txt</code> file contains the list of labels corresponding to the index that the model returns.</li>
<li>The <code>ocr_list.json</code> file consists of keywords to search for during an OCR scan, as well as other miscellaneous information such as country of origin, <a href="https://www.kitploit.com/search/label/Regular%20Expressions" target="_blank" title="regular expressions">regular expressions</a> etc.</li>
</ul>
<h4 dir="auto">Generating models via Teachable Machine</h4>
<p dir="auto">Since our current dataset is quite small, we could benefit from a large Keras model of international PII for this project. If you do not have expertise in Keras, Google provides an extremely <a href="https://www.kitploit.com/search/label/Easy%20To%20Use" target="_blank" title="easy to use">easy to use</a> model generator called the Teachable Machine. To use it:</p>
<ul dir="auto">
<li>Visit <a href="https://teachablemachine.withgoogle.com/train" rel="nofollow" target="_blank" title="https://teachablemachine.withgoogle.com/train">https://teachablemachine.withgoogle.com/train</a> and select 'Image Project' → 'Standard Image Model'.</li>
<li>A few classes are visible. Rename the class to an asset type you'd like to upload, such as "German Passport" or "California Driver License".</li>
<li>Add images by clicking the 'Upload' button and upload some image assets. <strong>Note: images have to be square</strong></li>
</ul>
<p dir="auto"><em>Tip: segregate your image assets into folders with the folder name being the same as the class name. You can then drag and drop a folder into the upload dialog.</em></p>
<ul dir="auto">
<li>Click '+ Add a class' at the bottom of the page to add more classes with data and repeat. You can make the classes more specific, such as "Goa Driver License Old Format".</li>
</ul>
<p dir="auto"><strong>Note: Only upload images that match the class name; for example, the German Passport class must contain only German Passport pictures. Uploading the wrong data to the wrong class will confuse the machine learning algorithms.</strong></p>
<ul dir="auto">
<li>Verify the classes and images one last time. Once you're ready, click on the 'Train Model' button. You can increase the epoch size (such as 5000) to improve model accuracy.</li>
<li>To test the model, click the Input dropdown, select 'File', then upload a sample image.</li>
<li>Once you're ready, click the 'Export Model' button. In the dialog that pops up, select the 'Tensorflow' tab (not Tensorflow.js) and select the 'Keras' radio button, then click 'Download my model' to export the newly generated model. Extract the downloaded zip file and paste the <code>keras_model.h5</code> file and <code>labels.txt</code> file into the <code>models/</code> directory in Octopii.</li>
</ul>
<p dir="auto">The images used for the model above are not visible to us since they're in a proprietary format. You can use both dummy and actual PII. Make sure they are square-ish in image size.</p>
<h4 dir="auto">Updating OCR list</h4>
<p dir="auto">Once you generate models using Teachable Machine, you can improve Octopii's accuracy via OCR. To do this:</p>
<ul dir="auto">
<li>Open the existing <code>ocr_list.json</code> file. Create a JSONObject with the key having the same name as the asset class. <strong>NOTE: The key name must be exactly the same as the asset class name from Teachable Machine.</strong></li>
<li>For the <code>keywords</code>, use as many unique terms from your asset as possible, such as "Income Tax Department". Store them in a JSONArray.</li>
<li><em>(Advanced)</em> You can also add regexes for things like ID numbers and MRZ on passports if they are unique enough. Use <a href="https://regex101.com" rel="nofollow" target="_blank" title="https://regex101.com">https://regex101.com</a> to test your regexes before adding them.</li>
<li>Save/overwrite the existing <code>ocr_list.json</code> file.</li>
</ul>
<h3 dir="auto">3. Edit</h3>
<p dir="auto">You can replace each file you modify in the <code>models/</code> directory after you create or edit them via the above methods.</p>
<h3 dir="auto">4. Pull request</h3>
<p dir="auto">Submit a pull request from your forked repo and we'll pick it up and replace our current model with it if the changes are large enough.</p>
<p dir="auto"><strong>Note:</strong> Please take the following steps to ensure quality</p>
<ul dir="auto">
<li>Make sure the model returns extremely accurate results by testing it locally first.</li>
<li>Use proper text casing for label names in both the Keras model and <code>ocr_list.json</code>.</li>
<li>Make sure all JSON is valid with appropriate character escapes with no duplicate keys, regexes or keywords.</li>
<li>For country names, please use the ISO 3166-1 alpha-2 code of the country.</li>
</ul>
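<p dir="auto">As an added example (not part of Octopii or its repository), the following Python script checks a contributed <code>ocr_list.json</code> against the checklist above and the OCR list steps before it: every key matches a class in <code>labels.txt</code> exactly, no duplicate keys, keywords or regexes, every regex compiles, and country values are ISO 3166-1 alpha-2 codes. The <code>regexes</code> and <code>country</code> key names, the <code>labels.txt</code> line format and the sample data are assumptions; the README names only <code>keywords</code>.</p>

```python
"""Validate an Octopii-style ocr_list.json against a labels.txt before a PR.

Added example, not part of Octopii. Assumed layout (the README names only
"keywords"): each top-level key is an asset-class name mapping to an object
with "keywords" (list of strings), optional "regexes" (list of regex strings)
and optional "country" (ISO 3166-1 alpha-2 code). labels.txt is assumed to be
the Teachable Machine export, one "<index> <class name>" per line.
"""
import json
import re

# Constructed sample with deliberate mistakes: a duplicate keyword, a regex
# that does not compile, a full country name, and a class absent from labels.txt.
SAMPLE_OCR_LIST = r"""
{
  "German Passport": {
    "keywords": ["REISEPASS", "PASSPORT", "REISEPASS"],
    "regexes": ["^P<D<<"],
    "country": "DE"
  },
  "California Driver License": {
    "keywords": ["DRIVER LICENSE", "CALIFORNIA"],
    "regexes": ["[A-Z][0-9]{7}", "(unclosed"],
    "country": "United States"
  }
}
"""

# Constructed labels.txt content (hypothetical classes).
SAMPLE_LABELS = "0 German Passport\n1 Indian PAN Card\n"

ALPHA2 = re.compile(r"^[A-Z]{2}$")


def _reject_duplicate_keys(pairs):
    """object_pairs_hook for json.loads: the default decoder silently keeps
    the last value of a duplicated key, so make duplicates a hard error."""
    result = {}
    for key, value in pairs:
        if key in result:
            raise ValueError(f"duplicate JSON key: {key!r}")
        result[key] = value
    return result


def parse_labels(text):
    """Return the set of class names from a '<index> <class name>' labels file."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            parts = line.split(" ", 1)  # the class name itself may contain spaces
            names.add(parts[1] if len(parts) == 2 else parts[0])
    return names


def _duplicates(items):
    """Values that appear more than once, in first-seen order."""
    seen, dups = set(), []
    for item in items:
        if item in seen and item not in dups:
            dups.append(item)
        seen.add(item)
    return dups


def validate_ocr_list(ocr_json, labels_text):
    """Return a list of problems; an empty list means the file passes the checklist."""
    try:
        data = json.loads(ocr_json, object_pairs_hook=_reject_duplicate_keys)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return [f"invalid JSON: {exc}"]
    labels = parse_labels(labels_text)
    problems = []
    for cls, entry in data.items():
        if not isinstance(entry, dict):
            problems.append(f"{cls}: entry must be a JSON object")
            continue
        if cls not in labels:
            problems.append(f"{cls}: not present in labels.txt (names must match exactly)")
        if cls != cls.strip() or cls == cls.lower():
            problems.append(f"{cls}: use proper text casing for label names")
        keywords = entry.get("keywords", [])
        if not keywords:
            problems.append(f"{cls}: no keywords")
        for kw in _duplicates(keywords):
            problems.append(f"{cls}: duplicate keyword {kw!r}")
        regexes = entry.get("regexes", [])
        for rx in _duplicates(regexes):
            problems.append(f"{cls}: duplicate regex {rx!r}")
        for rx in regexes:
            try:
                re.compile(rx)
            except re.error as exc:
                problems.append(f"{cls}: regex {rx!r} does not compile ({exc})")
        country = entry.get("country")
        if country is not None and not ALPHA2.match(country):
            problems.append(f"{cls}: country {country!r} is not an ISO 3166-1 alpha-2 code")
    return problems


if __name__ == "__main__":
    for problem in validate_ocr_list(SAMPLE_OCR_LIST, SAMPLE_LABELS):
        print("-", problem)
```

Run it against your own <code>models/ocr_list.json</code> and <code>models/labels.txt</code> by reading both files into the two arguments; the sample above reports four problems.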
<hr />
<h2 dir="auto">Credits</h2>
<ul dir="auto">
<li><a href="https://beautiful-soup-4.readthedocs.io/en/latest/" rel="nofollow" target="_blank" title="BeautifulSoup">BeautifulSoup</a></li>
<li><a href="https://github.com/madmaze/pytesseract" rel="nofollow" target="_blank" title="Tesseract">Tesseract</a></li>
<li><a href="https://keras.io/" rel="nofollow" target="_blank" title="Keras">Keras</a></li>
<li><a href="https://scikit-learn.org/" rel="nofollow" target="_blank" title="SciKit">SciKit</a></li>
<li>Python Image Library</li>
<li><a href="https://www.digitalocean.com/products/spaces" rel="nofollow" target="_blank" title="Spaces - DigitalOcean">Spaces - DigitalOcean</a></li>
<li><a href="https://teachablemachine.withgoogle.com/" rel="nofollow" target="_blank" title="Teachable Machine - Google">Teachable Machine - Google</a></li>
</ul>
<h2 dir="auto">License</h2>
<p dir="auto"><a href="https://github.com/redhuntlabs/Octopii/blob/master/LICENSE" rel="nofollow" target="_blank" title="MIT License">MIT License</a></p>
<p dir="auto">(c) Copyright 2022 RedHunt Labs Private Limited</p>
<p dir="auto">Author: Owais Shaikh</p>
<br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/redhuntlabs/Octopii" rel="nofollow" target="_blank" title="Download Octopii">Download Octopii</a></span></b></div></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-46158728922728243162022-05-28T17:30:00.003-04:002022-05-28T17:30:00.382-04:00BinAbsInspector - Vulnerability Scanner For Binaries<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Vf77SEegN9hd3L-1LH__qKHmso-Umr6OXBz1Nb9B5MkgKlSLbxOrUGBdoSyZ0DxJnhNC0ObMqASuMmr2Lb0qxzOLfgOyvcwU5YxB7r1VQ5DEYyU6vDgxZbP2o-15P5cWcD5wsKYWn997GoL9V9xfeFp8Bku8UVgxlk7Z9YryxtLu66XQKeCDV-S0/s806/binary.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="450" data-original-width="806" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Vf77SEegN9hd3L-1LH__qKHmso-Umr6OXBz1Nb9B5MkgKlSLbxOrUGBdoSyZ0DxJnhNC0ObMqASuMmr2Lb0qxzOLfgOyvcwU5YxB7r1VQ5DEYyU6vDgxZbP2o-15P5cWcD5wsKYWn997GoL9V9xfeFp8Bku8UVgxlk7Z9YryxtLu66XQKeCDV-S0/w640-h358/binary.png" width="640" /></a></div><p><br /></p> <p dir="auto">BinAbsInspector (Binary Abstract Inspector) is a <a href="https://www.kitploit.com/search/label/Static%20Analyzer" target="_blank" title="static analyzer">static analyzer</a> for automated <a href="https://www.kitploit.com/search/label/Reverse%20Engineering" target="_blank" title="reverse engineering">reverse engineering</a> and scanning vulnerabilities in binaries, which is a long-term <a href="https://www.kitploit.com/search/label/Research%20Project" target="_blank" title="research project">research project</a> incubated at <a href="https://keenlab.tencent.com/" rel="nofollow" target="_blank" title="Keenlab">Keenlab</a>. 
It is based on <a href="https://www.kitploit.com/search/label/Abstract%20Interpretation" target="_blank" title="abstract interpretation">abstract interpretation</a> with support from Ghidra. It works on Ghidra's Pcode instead of assembly. Currently it supports binaries on x86, x64, armv7 and aarch64.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h1 dir="auto">Installation</h1> <ul dir="auto"> <li>Install Ghidra according to <a href="https://github.com/NationalSecurityAgency/ghidra#install" rel="nofollow" target="_blank" title="Ghidra's documentation">Ghidra's documentation</a></li> <li>Install <a href="https://github.com/Z3Prover/z3" rel="nofollow" target="_blank" title="Z3">Z3</a> (tested version: 4.8.15)</li> <li>Note that generally there are two parts to the Z3 library: one is the Java package, the other is the native library. The Java package is already included in the "/lib" directory, but we suggest that you replace it with your own Java package for version compatibility. <ul dir="auto"> <li>For Windows, download a pre-built package from <a href="https://github.com/Z3Prover/z3/releases" rel="nofollow" target="_blank" title="here">here</a>, extract the zip file and add a PATH environment variable pointing to <code>z3-${version}-win/bin</code></li> <li>For Linux, installing with a package manager is NOT recommended; there are two options: <ol dir="auto"> <li>You can download a suitable pre-built package from <a href="https://github.com/Z3Prover/z3/releases" rel="nofollow" target="_blank" title="here">here</a>, extract the zip file and copy <code>z3-${version}-win/bin/*.so</code> to <code>/usr/local/lib/</code></li> <li>or you can build and install z3 according to <a href="https://github.com/Z3Prover/z3#building-z3-using-make-and-gccclang" rel="nofollow" target="_blank" title="Building Z3 using make and GCC/Clang">Building Z3 using make and GCC/Clang</a></li> </ol> </li> <li>For MacOS, it is similar to Linux.</li> </ul> </li> <li>Download the extension zip file 
from <a href="https://github.com/KeenSecurityLab/BinAbsInspector/releases" rel="nofollow" target="_blank" title="release page">release page</a></li> <li>Install the extension according to <a href="https://ghidra-sre.org/InstallationGuide.html#GhidraExtensionNotes" rel="nofollow" target="_blank" title="Ghidra Extension Notes">Ghidra Extension Notes</a></li> </ul> <h1 dir="auto">Building</h1> <p dir="auto">If you want to develop a new feature, build the extension yourself; please refer to the <a href="https://github.com/KeenSecurityLab/BinAbsInspector/wiki/Developer-Guide" rel="nofollow" target="_blank" title="development guide">development guide</a>.</p> <ul dir="auto"> <li>Install Ghidra and Z3</li> <li>Install <a href="https://gradle.org/releases/" rel="nofollow" target="_blank" title="Gradle 7.x">Gradle 7.x</a> (tested version: 7.4)</li> <li>Pull the repository</li> <li>Run <code>gradle buildExtension</code> under the repository root</li> <li>The extension will be generated at <code>dist/${GhidraVersion}_${date}_BinAbsInspector.zip</code></li> </ul> <h1 dir="auto">Usage</h1> <p dir="auto">You can run BinAbsInspector in headless mode, GUI mode, or with docker.</p> <ul dir="auto"> <li>With Ghidra headless mode.</li> </ul> <div><pre><code>$GHIDRA_INSTALL_DIR/support/analyzeHeadless &lt;projectPath&gt; &lt;projectName&gt; -import &lt;file&gt; -postScript BinAbsInspector "@@&lt;scriptParams&gt;"<br /></code></pre></div> <p dir="auto"><code>&lt;projectPath&gt;</code> -- Ghidra project path.<br /> <code>&lt;projectName&gt;</code> -- Ghidra project name.<br /> <code>&lt;scriptParams&gt;</code> -- The argument for our analyzer, which provides the following options:</p> <table> <tbody><tr> <th>Parameter</th> <th>Description</th> </tr> <tr> <td><code>[-K &lt;kElement&gt;]</code></td> <td>KSet size limit <a href="https://github.com/KeenSecurityLab/BinAbsInspector/wiki/Technical-Details#kset" rel="nofollow" target="_blank" title="K">K</a></td> </tr> <tr> <td><code>[-callStringK &lt;callStringMaxLen&gt;]</code></td> <td>Call string maximum 
length <a href="https://github.com/KeenSecurityLab/BinAbsInspector/wiki/Technical-Details#context" rel="nofollow" target="_blank" title="K">K</a></td> </tr> <tr> <td><code>[-Z3Timeout &lt;timeout&gt;]</code></td> <td>Z3 timeout</td> </tr> <tr> <td><code>[-timeout &lt;timeout&gt;]</code></td> <td>Analysis timeout</td> </tr> <tr> <td><code>[-entry &lt;address&gt;]</code></td> <td>Entry address</td> </tr> <tr> <td><code>[-externalMap &lt;file&gt;]</code></td> <td>External function model config</td> </tr> <tr> <td><code>[-json]</code></td> <td>Output in json format</td> </tr> <tr> <td><code>[-disableZ3]</code></td> <td>Disable Z3</td> </tr> <tr> <td><code>[-all]</code></td> <td>Enable all checkers</td> </tr> <tr> <td><code>[-debug]</code></td> <td>Enable debugging log output</td> </tr> <tr> <td><code>[-check "&lt;cweNo1&gt;[;&lt;cweNo2&gt;...]"]</code></td> <td>Enable specific checkers</td> </tr> </tbody></table> <ul dir="auto"> <li> <p dir="auto">With Ghidra GUI</p> <ol dir="auto"> <li>Run Ghidra and import the target binary into a project</li> <li>Analyze the binary with default settings</li> <li>When the analysis is done, open <code>Window -&gt; Script Manager</code> and find <code>BinAbsInspector.java</code></li> <li>Double-click on the <code>BinAbsInspector.java</code> entry, set the parameters in the configuration window and click OK</li> <li>When the analysis is done, the CWE reports appear in the console window; double-clicking an address in a report jumps to the corresponding address</li> </ol> </li> <li> <p dir="auto">With Docker</p> </li> </ul> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto"><pre><code>git clone git@github.com:KeenSecurityLab/BinAbsInspector.git<br />cd BinAbsInspector<br />docker build . 
-t bai<br />docker run -v $(pwd):/data/workspace bai "@@&lt;script parameters&gt;" -import &lt;file&gt;</code></pre></div> <h1 dir="auto">Implemented Checkers</h1> <p dir="auto">So far BinAbsInspector supports the following checkers:</p> <ul dir="auto"> <li><a href="https://cwe.mitre.org/data/definitions/78.html" rel="nofollow" target="_blank" title="CWE78">CWE78</a> (OS Command Injection)</li> <li><a href="https://cwe.mitre.org/data/definitions/119.html" rel="nofollow" target="_blank" title="CWE119">CWE119</a> (Buffer Overflow (generic case))</li> <li><a href="https://cwe.mitre.org/data/definitions/125.html" rel="nofollow" target="_blank" title="CWE125">CWE125</a> (Buffer Overflow (Out-of-bounds Read))</li> <li><a href="https://cwe.mitre.org/data/definitions/134.html" rel="nofollow" target="_blank" title="CWE134">CWE134</a> (Use of Externally-Controlled Format string)</li> <li><a href="https://cwe.mitre.org/data/definitions/190.html" rel="nofollow" target="_blank" title="CWE190">CWE190</a> (Integer overflow or wraparound)</li> <li><a href="https://cwe.mitre.org/data/definitions/367.html" rel="nofollow" target="_blank" title="CWE367">CWE367</a> (Time-of-check Time-of-use (TOCTOU))</li> <li><a href="https://cwe.mitre.org/data/definitions/415.html" rel="nofollow" target="_blank" title="CWE415">CWE415</a> (Double free)</li> <li><a href="https://cwe.mitre.org/data/definitions/416.html" rel="nofollow" target="_blank" title="CWE416">CWE416</a> (Use After Free)</li> <li><a href="https://cwe.mitre.org/data/definitions/426.html" rel="nofollow" target="_blank" title="CWE426">CWE426</a> (Untrusted Search Path)</li> <li><a href="https://cwe.mitre.org/data/definitions/467.html" rel="nofollow" target="_blank" title="CWE467">CWE467</a> (Use of sizeof() on a pointer type)</li> <li><a href="https://cwe.mitre.org/data/definitions/476.html" rel="nofollow" target="_blank" title="CWE476">CWE476</a> (NULL Pointer Dereference)</li> <li><a href="https://cwe.mitre.org/data/definitions/676.html" 
rel="nofollow" target="_blank" title="CWE676">CWE676</a> (Use of Potentially Dangerous Function)</li> <li><a href="https://cwe.mitre.org/data/definitions/787.html" rel="nofollow" target="_blank" title="CWE787">CWE787</a> (Buffer Overflow (Out-of-bounds Write))</li> </ul> <h1 dir="auto">Project Structure</h1> <p dir="auto">The structure of this project is as follows; please refer to <a href="https://github.com/KeenSecurityLab/BinAbsInspector/wiki/Technical-Details" rel="nofollow" target="_blank" title="technical details">technical details</a> for more details.</p> <div><pre><code>├── main<br />│   ├── java<br />│   │   └── com<br />│   │       └── bai<br />│   │           ├── checkers        checker implementation<br />│   │           ├── env<br />│   │           │   ├── funcs       function modeling<br />│   │           │   │   ├── externalfuncs   external function modeling<br />│   │           │   │   └── stdfuncs        cpp std modeling<br />│   │           │   └── region      memory modeling<br />│   │           ├── solver          analysis core and graph module<br />│   │           └── util            utilities<br />│   └── resources<br />└── test<br /></code></pre></div> <p dir="auto">You can also build the javadoc with <code>gradle javadoc</code>; the API documentation will be generated in <code>./build/docs/javadoc</code>.</p> <h1 dir="auto">Acknowledgement</h1> <p dir="auto">We employ <a href="https://ghidra-sre.org/" rel="nofollow" target="_blank" title="Ghidra">Ghidra</a> as our foundation and frequently leverage <a href="http://brianburton.github.io/java-immutable-collections/" rel="nofollow" target="_blank" title="JImmutable Collections">JImmutable Collections</a> for better performance.<br /> Here we would like to thank them for their great help!</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/KeenSecurityLab/BinAbsInspector" rel="nofollow" target="_blank" title="Download BinAbsInspector">Download 
BinAbsInspector</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-62783649965482853062022-04-24T17:30:00.012-04:002022-04-24T17:30:00.270-04:00Spring4Shell-Scan - A Fully Automated, Reliable, And Accurate Scanner For Finding Spring4Shell And Spring Cloud RCE Vulnerabilities<h1 align="center" dir="auto"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiq83rixQ33OKbmoWJi89WYHdc4DrLKjaF4Fb_oNC9eI-0dinGfghgU-ON86t-dvUArvvR4Uytjd8t4wjK3r0hSR6SojDsdxtk5oTYh9zXEVVj_Vwr5Jv4R77tpdZamnECE8jW0wK86UlAO3xZNSDsr5XlvkezzB-JxjKcV1r204vACkoGhTZ5kDzKX"><img alt="" border="0" height="192" id="BLOGGER_PHOTO_ID_7089309044306887202" src="https://blogger.googleusercontent.com/img/a/AVvXsEiq83rixQ33OKbmoWJi89WYHdc4DrLKjaF4Fb_oNC9eI-0dinGfghgU-ON86t-dvUArvvR4Uytjd8t4wjK3r0hSR6SojDsdxtk5oTYh9zXEVVj_Vwr5Jv4R77tpdZamnECE8jW0wK86UlAO3xZNSDsr5XlvkezzB-JxjKcV1r204vACkoGhTZ5kDzKX=w640-h192" width="640" /></a></h1> <h4 align="center" dir="auto"><br /></h4><h4 align="center" dir="auto">A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities</h4> <p dir="auto" style="text-align: center;"><a href="https://camo.githubusercontent.com/50b8ab2234bbab2c18588a670936521d1ff5e59d5ca623a9a462da51a3ceafab/68747470733a2f2f646b68396568776b697363342e636c6f756466726f6e742e6e65742f7374617469632f66696c65732f38623637376131622d376335332d343062312d393333652d6531306635373163386262382d737072696e67347368656c6c2d44656d6f2e706e67" rel="nofollow" target="_blank" title="A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities (2)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhwUOGEkZWllztaONh15l-vccNxhEwBTiFlTp4EjnrWMxaQLx2Jazoo4d04LSQWwsomwL48sBTjfRoxCS0VtEC6FgI6jUjnQBbh_-dcDCKxovaU-2Su5R2LIHzccE1YG7A-NPawwE7dEld8q-n6CbDiSLi9-bW_6pwV8bvM5HRiVN9UHYqE9Y71sv4c"><img alt="" border="0" height="262" id="BLOGGER_PHOTO_ID_7089309062859969506" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEhwUOGEkZWllztaONh15l-vccNxhEwBTiFlTp4EjnrWMxaQLx2Jazoo4d04LSQWwsomwL48sBTjfRoxCS0VtEC6FgI6jUjnQBbh_-dcDCKxovaU-2Su5R2LIHzccE1YG7A-NPawwE7dEld8q-n6CbDiSLi9-bW_6pwV8bvM5HRiVN9UHYqE9Y71sv4c=w640-h262" width="640" /></a></p> <h1 dir="auto">Features</h1> <ul dir="auto"> <li>Support for lists of URLs.</li> <li>Fuzzing for more than 10 new Spring4Shell payloads (previously seen tools use only 1-2 variants).</li> <li>Fuzzing for HTTP GET and POST methods.</li> <li>Automatic validation of the <a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="vulnerability">vulnerability</a> upon discovery.</li> <li>Randomized and non-intrusive payloads.</li> <li>WAF Bypass payloads.</li></ul><span><a name='more'></a></span><div><br /></div> <h1 dir="auto">Description</h1> <p dir="auto">The Spring4Shell RCE is a critical vulnerability that FullHunt has been researching since it was released. We worked with our customers in scanning their environments for Spring4Shell and Spring Cloud RCE vulnerabilities.</p> <p dir="auto">We're open-sourcing an open detection scanning tool for discovering Spring4Shell (CVE-2022-22965) and Spring Cloud RCE (CVE-2022-22963) vulnerabilities. 
This shall be used by security teams to scan their infrastructure, as well as test for WAF bypasses that can result in achieving successful <a href="https://www.kitploit.com/search/label/Exploitation" target="_blank" title="exploitation">exploitation</a> of the organization's environment.</p> <p dir="auto">If your organization requires help, please contact (team at fullhunt.io) directly for a full attack surface <a href="https://www.kitploit.com/search/label/Discovery" target="_blank" title="discovery">discovery</a> and scanning for the Spring4Shell vulnerabilities.</p> <h1 dir="auto">Usage</h1> <div class="highlight highlight-source-python position-relative overflow-auto"><pre><code>$ ./spring4shell-scan.py -h<br />[•] CVE-2022-22965 - Spring4Shell RCE Scanner<br />[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.<br />[•] Secure your External Attack Surface with FullHunt.io.<br />usage: spring4shell-scan.py [-h] [-u URL] [-p PROXY] [-l USEDLIST] [--payloads-file PAYLOADS_FILE] [--waf-bypass] [--request-type REQUEST_TYPE] [--test-CVE-2022-22963]<br /><br />optional arguments:<br />  -h, --help            show this help message and exit<br />  -u URL, --url URL     Check a single URL.<br />  -p PROXY, --proxy PROXY<br />                        Send requests through proxy<br />  -l USEDLIST, --list USEDLIST<br />                        Check a list of URLs.<br />  --payloads-file PAYLOADS_FILE<br />                        Payloads file - [default: payloads.txt].<br />  --waf-bypass          Extend scans with WAF bypass payloads.<br />  --request-type REQUEST_TYPE<br />                        Request Type: (get, post, all) - [Default: all].<br />  --test-CVE-2022-22963<br />                        Test for CVE-2022-22963 (Spring Cloud RCE).</code></pre></div> <h2 dir="auto">Scan a Single URL</h2> <div><pre><code>$ python3 spring4shell-scan.py -u https://spring4shell.lab.secbot.local</code></pre></div> <h2 dir="auto">Discover WAF bypasses against the environment</h2> <div><pre><code>$ python3 spring4shell-scan.py -u https://spring4shell.lab.secbot.local --waf-bypass</code></pre></div> <h2 dir="auto">Scan a list of URLs</h2> <div><pre><code>$ python3 spring4shell-scan.py -l urls.txt</code></pre></div> <h2 dir="auto">Include checks for Spring Cloud RCE (CVE-2022-22963)</h2> <div class="highlight highlight-source-shell position-relative overflow-auto"><pre><code>$ python3 spring4shell-scan.py -l urls.txt --test-CVE-2022-22963<br /></code></pre></div> <h1 dir="auto">Installation</h1> <div><pre><code>$ pip3 install -r requirements.txt<br /></code></pre></div> <h1 dir="auto">Docker Support</h1> <div class="highlight highlight-source-shell 
position-relative overflow-auto"><pre><code>git clone https://github.com/fullhunt/spring4shell-scan.git<br />cd spring4shell-scan<br />sudo docker build -t spring4shell-scan .<br />sudo docker run -it --rm spring4shell-scan<br /><br /># With URL list "urls.txt" in current directory<br />docker run -it --rm -v $PWD:/data spring4shell-scan -l /data/urls.txt</code></pre></div> <h1 dir="auto">About FullHunt</h1> <p dir="auto">FullHunt is the next-generation attack surface management (ASM) platform. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities. All, in a single platform, and more.</p> <p dir="auto">FullHunt provides an enterprise platform for organizations. The FullHunt Enterprise Platform provides extended scanning and capabilities for customers. FullHunt Enterprise platform allows organizations to closely monitor their external attack surface, and get detailed alerts about every single change that happens. Organizations around the world use the FullHunt Enterprise Platform to solve their continuous security and external attack surface security challenges.</p> <h1 dir="auto">Legal Disclaimer</h1> <p dir="auto">This project is made for educational and ethical testing purposes only. Usage of spring4shell-scan for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program.</p> <h1 dir="auto">License</h1> <p dir="auto">The project is licensed under MIT License.</p> <h1 dir="auto">Author</h1> <p dir="auto"><em>Mazin Ahmed</em></p> <ul dir="auto"> <li>Email: <em>mazin at FullHunt.io</em></li> <li>FullHunt: <a href="https://fullhunt.io" rel="nofollow" target="_blank" title="https://fullhunt.io">https://fullhunt.io</a></li> <li>Website: <a href="https://mazinahmed.net" rel="nofollow" target="_blank" title="https://mazinahmed.net">https://mazinahmed.net</a></li> <li>Twitter: <a href="https://twitter.com/mazen160" rel="nofollow" target="_blank" title="https://twitter.com/mazen160">https://twitter.com/mazen160</a></li> <li>Linkedin: <a href="http://linkedin.com/in/infosecmazinahmed" rel="nofollow" target="_blank" title="http://linkedin.com/in/infosecmazinahmed">http://linkedin.com/in/infosecmazinahmed</a></li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/fullhunt/spring4shell-scan" rel="nofollow" target="_blank" title="Download Spring4Shell-Scan">Download Spring4Shell-Scan</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-78821210867208238342022-04-02T17:30:00.020-03:002022-04-02T17:30:00.267-03:00Odin - Central IoC Scanner Based On Loki<div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg8JMDBcn7KFgdJrJyEpbJYLlyw_W9iLuhVqoPGWjW2-g0KmiKGC_LSMjQje6ugtXeHbIltssuAKGWi4Syytvg7VtEkAWYBydltHb318vjJrLbOhlXpbe3U7CsVTbouUCfl-tuWqER9EtojRsmZcLgFjHYpp8yVx2I4GObBLplI4-hkbbAAkLdD0Vwk" style="font-family: monospace; text-align: center;"><img alt="" border="0" height="464" id="BLOGGER_PHOTO_ID_7080585606902543586" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEg8JMDBcn7KFgdJrJyEpbJYLlyw_W9iLuhVqoPGWjW2-g0KmiKGC_LSMjQje6ugtXeHbIltssuAKGWi4Syytvg7VtEkAWYBydltHb318vjJrLbOhlXpbe3U7CsVTbouUCfl-tuWqER9EtojRsmZcLgFjHYpp8yVx2I4GObBLplI4-hkbbAAkLdD0Vwk=w640-h464" width="640" /></a></div><br /><br /> <p dir="auto">Odin is a central IoC <a href="https://www.kitploit.com/search/label/Scanner" target="_blank" title="scanner">scanner</a> based on <a href="https://github.com/Neo23x0/Loki" rel="nofollow" target="_blank" title="Loki">Loki</a>.</p> <h2 dir="auto">General Info <a name="user-content-general_info" target="_blank" title="Central IoC scanner based on Loki (9)"></a></h2> <p dir="auto">This application fetches the latest version of Loki, delivers it to all machines using a <a href="https://www.kitploit.com/search/label/PowerShell" target="_blank" title="powershell">powershell</a> script and runs it; it then receives the responses from all machines and parses the results into CSV form.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto">Requirements <a name="user-content-requirements" target="_blank" title="Central IoC scanner based on Loki (11)"></a></h2> <ol dir="auto"> <li>Python 3.5+</li> <li>PyQT5</li> <li>psutil</li> <li>pyparsing</li> <li>zipfile</li> </ol> <h2 dir="auto">Fetch <a name="user-content-fetch" target="_blank" title="Central IoC scanner based on Loki (12)"></a></h2> <p dir="auto">Odin downloads and extracts the latest version of Loki and starts an HTTP server to deliver the executable (Loki) to all machines. Verify the downloaded release (hash or signature) before deploying it domain-wide, since the scanner will run with high privileges on every host.</p> <p dir="auto" style="text-align: center;"><kbd><a href="https://github.com/Hamza-Megahed/odin/blob/master/img/fetch.png" rel="nofollow" target="_blank" title="Central IoC scanner based on Loki (13)"></a><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEhxQuhakwkg2auRE3ZQTiBWsXcfMcfGo-DIcAII50dUrjD_akuqeMEWnWK78Nw7bfL7Y-3LmVHc9JN8xWCuSwFk068sb_DdK-RAsJd5zXHmh87TxzozBL-A3QDfFd66NmgBy1WgLnqEyezSnuEmp7zeZQMdI6KKFIA6trRUtdZxNltmSGIZk-3Tbue-"><img alt="" border="0" height="462" id="BLOGGER_PHOTO_ID_7080585594201643090" src="https://blogger.googleusercontent.com/img/a/AVvXsEhxQuhakwkg2auRE3ZQTiBWsXcfMcfGo-DIcAII50dUrjD_akuqeMEWnWK78Nw7bfL7Y-3LmVHc9JN8xWCuSwFk068sb_DdK-RAsJd5zXHmh87TxzozBL-A3QDfFd66NmgBy1WgLnqEyezSnuEmp7zeZQMdI6KKFIA6trRUtdZxNltmSGIZk-3Tbue-=w640-h462" width="640" /></a></kbd></p> <h2 dir="auto">Deploy Loki <a name="user-content-deploy_loki" target="_blank" title="Central IoC scanner based on Loki (14)"></a></h2> <p dir="auto">This step has to be done manually, using the PowerShell script on a DC machine or with a domain admin account; the script delivers Loki to all machines and starts updating it. The script is in the Configurations tab and you can modify it as needed.</p> <p dir="auto" style="text-align: center;"><kbd><a href="https://github.com/Hamza-Megahed/odin/blob/master/img/deploy-loki.png" rel="nofollow" target="_blank" title="Central IoC scanner based on Loki (15)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEg8JMDBcn7KFgdJrJyEpbJYLlyw_W9iLuhVqoPGWjW2-g0KmiKGC_LSMjQje6ugtXeHbIltssuAKGWi4Syytvg7VtEkAWYBydltHb318vjJrLbOhlXpbe3U7CsVTbouUCfl-tuWqER9EtojRsmZcLgFjHYpp8yVx2I4GObBLplI4-hkbbAAkLdD0Vwk"><img alt="" border="0" height="464" id="BLOGGER_PHOTO_ID_7080585606902543586" src="https://blogger.googleusercontent.com/img/a/AVvXsEg8JMDBcn7KFgdJrJyEpbJYLlyw_W9iLuhVqoPGWjW2-g0KmiKGC_LSMjQje6ugtXeHbIltssuAKGWi4Syytvg7VtEkAWYBydltHb318vjJrLbOhlXpbe3U7CsVTbouUCfl-tuWqER9EtojRsmZcLgFjHYpp8yVx2I4GObBLplI4-hkbbAAkLdD0Vwk=w640-h464" width="640" /></a></kbd></p> <h2 dir="auto">Collecting <a name="user-content-collecting" target="_blank" title="Central IoC scanner based on Loki (16)"></a></h2> <p dir="auto">Start the <a 
href="https://www.kitploit.com/search/label/Listener" target="_blank" title="listener">listener</a> then from the powershell script start Loki to search for IoCs and results will be sent from Loki to Odin</p> <p dir="auto" style="text-align: center;"><kbd><a href="https://github.com/Hamza-Megahed/odin/blob/master/img/collect.png" rel="nofollow" target="_blank" title="Central IoC scanner based on Loki (18)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi5l3REo3lWxLf_PDrYXGWmZdjcSFo818XyF6ZBOzaGujzgflkPcM3qv_-q1bdGlQqKPJrp0i2ep9X3Xpfe5BVnje01N4aytsKK-Dj19NUZdVK2J0enruRiCeuxyLRxg4c8Ryvc8IJrpSeqhb9UM96FrZN_kVd9yO8UiaOZ8s65X1hmu1jhu_cELLmc"><img alt="" border="0" height="460" id="BLOGGER_PHOTO_ID_7080585621237985218" src="https://blogger.googleusercontent.com/img/a/AVvXsEi5l3REo3lWxLf_PDrYXGWmZdjcSFo818XyF6ZBOzaGujzgflkPcM3qv_-q1bdGlQqKPJrp0i2ep9X3Xpfe5BVnje01N4aytsKK-Dj19NUZdVK2J0enruRiCeuxyLRxg4c8Ryvc8IJrpSeqhb9UM96FrZN_kVd9yO8UiaOZ8s65X1hmu1jhu_cELLmc=w640-h460" width="640" /></a></kbd></p> <h2 dir="auto">Parsing <a name="user-content-parsing" target="_blank" title="Central IoC scanner based on Loki (19)"></a></h2> <p dir="auto">Collected logs will be parsed and can be exported as CSV file to be handled with something else like ELK.</p> <p dir="auto" style="text-align: center;"><kbd><a href="https://github.com/Hamza-Megahed/odin/blob/master/img/parse.png" rel="nofollow" target="_blank" title="Central IoC scanner based on Loki (20)"></a><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgkKYecL7FVOCir51nbuAH8FRRq4rvYgLNiH2VWvzCu12Vvs45kdhG0ljjqglfQFNqLr_8pUniKlc6bw3f3AG0B-QHpOrFCLbdhGKxtXTSX3q2_9992qRaxKYbzXb3Y3pWAVo5wFfItVy1LQhpPVHEkcMOBFfT_fR8nja2iMyZghxKjMA0osrdYnArN"><img alt="" border="0" height="462" id="BLOGGER_PHOTO_ID_7080585637221796674" 
src="https://blogger.googleusercontent.com/img/a/AVvXsEgkKYecL7FVOCir51nbuAH8FRRq4rvYgLNiH2VWvzCu12Vvs45kdhG0ljjqglfQFNqLr_8pUniKlc6bw3f3AG0B-QHpOrFCLbdhGKxtXTSX3q2_9992qRaxKYbzXb3Y3pWAVo5wFfItVy1LQhpPVHEkcMOBFfT_fR8nja2iMyZghxKjMA0osrdYnArN=w640-h462" width="640" /></a></kbd></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Hamza-Megahed/odin" rel="nofollow" target="_blank" title="Download Odin">Download Odin</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-37007336668774457512022-03-27T17:30:00.000-03:002022-03-27T17:30:00.278-03:00Ostorlab - A Security Scanning Platform That Enables Running Complex Security Scanning Tasks Involving Multiple Tools In An Easy, Scalable And Distributed Way<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZlatHQU1laDv407hhX_-D_1aGtFqTaDrwLd4sXeAYf45BYEkEQEHJd9UvZP3F1JoWEPS3BWIrXEpxpTFW2bN_L9cHhKh6843G3nJKEHteWqFoMW1gwty4Kvw2Crm23aUgfF_v7CIWSv13WiiyWFey3N6wWVy_bg1KUbeuBwjNn4mwMRGnp6lvQc2c/s999/ostorlab_5_scan_run.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="999" data-original-width="925" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZlatHQU1laDv407hhX_-D_1aGtFqTaDrwLd4sXeAYf45BYEkEQEHJd9UvZP3F1JoWEPS3BWIrXEpxpTFW2bN_L9cHhKh6843G3nJKEHteWqFoMW1gwty4Kvw2Crm23aUgfF_v7CIWSv13WiiyWFey3N6wWVy_bg1KUbeuBwjNn4mwMRGnp6lvQc2c/w592-h640/ostorlab_5_scan_run.gif" width="592" /></a></div><p><br /></p> <h2 dir="auto">The Sales Pitch</h2> <p dir="auto">If this is the first time you are visiting the Ostorlab Github page, here is the sales pitch.</p> <p dir="auto">Security testing requires often chaining tools together, taking the output from one, mangling it, filtering it and then pushing it to another tool. 
Several tools have tried to make the process less painful with limited success. Ostorlab addresses the same challenge by simplifying the hardest part and automating the boring and tedious part.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <p dir="auto">To do that, Ostorlab focuses on the following:</p> <ul dir="auto"> <li><strong>Ease of use</strong> with a single command line to perform all tasks</li> <li><strong>Developer Experience</strong> through project documentation, tutorials, SDK and templates</li> <li><strong>Scalability and Performance</strong> by using an efficient serialisation format and proven industry standards for all of its components</li> </ul> <p dir="auto">To do that, Ostorlab ships with:</p> <ul dir="auto"> <li>A simple, yet powerful SDK to make simple cases effortless while supporting the complex ones, like <a href="https://www.kitploit.com/search/label/Distributed" target="_blank" title="distributed">distributed</a> locking, QPS limiting, multiple instance parallelization ...</li> <li>A battle-tested framework that has been powering the Ostorlab Platform for years and is used to perform complex dynamic analysis setups and demanding <a href="https://www.kitploit.com/search/label/Static%20Analysis" target="_blank" title="static analysis">static analysis</a> workloads running on multiple machines.</li> <li>A performant and scalable design, thanks to a message queue with dynamic routing, compact binary message serialisation with protobuf, a universal file format using docker images, and resilience thanks to docker swarm mode, to cite a few</li> <li>A store of agents that makes it easy to discover tools and add them to your toolset</li> <li>An <a href="https://www.kitploit.com/search/label/Automated" target="_blank" title="automated">automated</a> builder that takes the hassle out of building and publishing.</li> <li>A GUI to prepare and write down your tool collection setup</li> <li>Focus on documentation, multiple tutorials and upcoming videos and 
conference presentations</li> <li>A ready to use one-click template repo to get started.</li> </ul> <h1 dir="auto">Requirements</h1> <p dir="auto">For some tasks, like running scans locally, Docker is required. To install docker, please see the following <a href="https://docs.docker.com/get-docker/" rel="nofollow" target="_blank" title="instructions">instructions</a>.</p> <h1 dir="auto">Installing</h1> <p dir="auto">Ostorlab is shipped as a Python package on Pypi. To install, simply run the following command if you have <code>pip</code> already installed.</p> <div><pre><code>pip install -U ostorlab</code></pre></div> <h1 dir="auto">Getting Started</h1> <p dir="auto">To perform your first scan, simply run the following command:</p> <div><pre><code>ostorlab scan run --install --agent agent/ostorlab/nmap --agent agent/ostorlab/openvas --agent agent/ostorlab/tsunami --agent agent/ostorlab/nuclei ip 8.8.8.8</code></pre></div> <p dir="auto">This command will download and install the following scanning agents:</p> <ul dir="auto"> <li><code>agent/ostorlab/nmap</code></li> <li><code>agent/ostorlab/tsunami</code></li> <li><code>agent/ostorlab/nuclei</code></li> <li><code>agent/ostorlab/openvas</code></li> </ul> <p dir="auto">And will scan the target IP address <code>8.8.8.8</code> (substitute a host you are authorised to scan).</p> <p dir="auto">To check the scan status:</p> <div><pre><code>ostorlab scan list</code></pre></div> <p dir="auto">Once the scan has completed, to access the scan results:</p> <div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="ostorlab vulnz list --scan-id <scan-id> ostorlab vulnz describe --vuln-id <vuln-id>"><pre><code>ostorlab vulnz list --scan-id <scan-id><br />ostorlab vulnz describe --vuln-id <vuln-id></code></pre></div> <h1 dir="auto">The Store</h1> <p dir="auto">Ostorlab lists all agents on a public store where you can search and also publish your own agents.</p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE3JhiBz4jaqf2n-E_GvCakDDIAos0rFWVpwSHSG7fuZEg2LTcFwJALhSDZDdevF2V1S7ImCmr1teSlfUCME74rYuX2A8q-8rW5M2w-hGFCshugvSL9ttsa8nubZKVksrG3XchuJsXYc8v1iw0dAYYCvIOgj4u6dpMokPyRlO6N74J2FCLk5JUxlmR/s1719/ostorlab_6_store2.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1321" data-original-width="1719" height="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE3JhiBz4jaqf2n-E_GvCakDDIAos0rFWVpwSHSG7fuZEg2LTcFwJALhSDZDdevF2V1S7ImCmr1teSlfUCME74rYuX2A8q-8rW5M2w-hGFCshugvSL9ttsa8nubZKVksrG3XchuJsXYc8v1iw0dAYYCvIOgj4u6dpMokPyRlO6N74J2FCLk5JUxlmR/w640-h492/ostorlab_6_store2.gif" width="640" /></a></div><p dir="auto"><br /></p> <p dir="auto">In addition, the store, a graphical agent group builder is also available to compose multiple agents and see how they would interact with each other.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1c3j9rrC0qnOkqlRVjaHUniqAJRD_4FFeGkTfHQlYOLridGaWtmQBQxZGuQEqUQyXD0s9zUYr7LsQPk8zG0pEqmKYB50Qh9A_Oeg1FV-KI_MSGa_K-fm0qVYK6NpETdw0sDKbebs53P0e2p3msIJOQEr6LOD1J7Sfs_H9bUaAH4-7e_4uAY9RsbLF/s1719/ostorlab_7_store.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1321" data-original-width="1719" height="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1c3j9rrC0qnOkqlRVjaHUniqAJRD_4FFeGkTfHQlYOLridGaWtmQBQxZGuQEqUQyXD0s9zUYr7LsQPk8zG0pEqmKYB50Qh9A_Oeg1FV-KI_MSGa_K-fm0qVYK6NpETdw0sDKbebs53P0e2p3msIJOQEr6LOD1J7Sfs_H9bUaAH4-7e_4uAY9RsbLF/w640-h492/ostorlab_7_store.gif" width="640" /></a></div><p dir="auto"> </p> <p dir="auto">The builder also helps with generating the agent group YAML file to set special arguments that can be passed to agents to control their behavior.</p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiupNGLaocCV-rP77-pP1f9CVl1cdam4s5P38h9DjuhiOfy1ZGdGHfE24HCvMYrMCKE3dck2xVEvqaNoLm-q0joYISPcL5tLp5UoHhko3-Fjm1fXTP7mrGCenFiKU2-03vFQBaHK4C3NTaDucVd0rg1rCH-fDd3PS5SlrMc8KIAXZzsM6FDP93lgHd0/s1719/ostorlab_8_agent_group.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1321" data-original-width="1719" height="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiupNGLaocCV-rP77-pP1f9CVl1cdam4s5P38h9DjuhiOfy1ZGdGHfE24HCvMYrMCKE3dck2xVEvqaNoLm-q0joYISPcL5tLp5UoHhko3-Fjm1fXTP7mrGCenFiKU2-03vFQBaHK4C3NTaDucVd0rg1rCH-fDd3PS5SlrMc8KIAXZzsM6FDP93lgHd0/w640-h492/ostorlab_8_agent_group.gif" width="640" /></a></div><p dir="auto"><br /></p> <h1 dir="auto">Publish your first Agent</h1> <p dir="auto">To write your first agent, check out the full tutorial <a href="https://docs.ostorlab.co/tutorials/write-an-ostorlab-agent/" rel="nofollow" target="_blank" title="here">here</a>.</p> <p dir="auto">Once you have written your agent, you can publish it on the store for others to use and discover it. 
The store even handles agent building and will automatically pick up new releases from the git repo.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjERNIfS-pRBzr0FmXDUdf6sfD0RisBfggpTokX7-0aJxc-mFiNrp-oUAYJ-neDq1VUJXz0JXyHxPKEjTjF5dxNgt1PmyKP99LUa-V75DDYdQhMCeDnE54608YvDfE9Fsk2w9f77SrJy4sSp2KVij_FPIebfLKe7kl4zeQagYHdXiGqs4YPT8bO6BMA/s1719/ostorlab_9_build.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1321" data-original-width="1719" height="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjERNIfS-pRBzr0FmXDUdf6sfD0RisBfggpTokX7-0aJxc-mFiNrp-oUAYJ-neDq1VUJXz0JXyHxPKEjTjF5dxNgt1PmyKP99LUa-V75DDYdQhMCeDnE54608YvDfE9Fsk2w9f77SrJy4sSp2KVij_FPIebfLKe7kl4zeQagYHdXiGqs4YPT8bO6BMA/w640-h492/ostorlab_9_build.gif" width="640" /></a></div><p dir="auto"> </p> <br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Ostorlab/ostorlab" rel="nofollow" target="_blank" title="Download Ostorlab">Download Ostorlab</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-25512588919817694702022-03-26T17:30:00.005-03:002022-03-26T17:30:00.264-03:00Request_Smuggler - Http Request Smuggling Vulnerability Scanner<p align="center" dir="auto"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEheUSDI43TNxb3qC5NB8ewRdQsERbmznb7XDpFE9eCVlcxg8YyiF6ULPkT7dDiMGYVJ4ZTJrhqJQe4sRrse5otBsjpC7H5-LRUHoKvT4q-OCzxEw7UGIsqzdQvj_9wciq7ueWr9xDJnfZZg0laSG7b9SQAIv0JQzpoey5x2PDxUa7_tcN0-kADwD-yH"><img alt="" border="0" height="350" id="BLOGGER_PHOTO_ID_7074807393516764706" src="https://blogger.googleusercontent.com/img/a/AVvXsEheUSDI43TNxb3qC5NB8ewRdQsERbmznb7XDpFE9eCVlcxg8YyiF6ULPkT7dDiMGYVJ4ZTJrhqJQe4sRrse5otBsjpC7H5-LRUHoKvT4q-OCzxEw7UGIsqzdQvj_9wciq7ueWr9xDJnfZZg0laSG7b9SQAIv0JQzpoey5x2PDxUa7_tcN0-kADwD-yH=w640-h350" 
width="640" /></a> </p> <p dir="auto"><br /></p><p dir="auto">Based on the amazing <a href="https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn" rel="nofollow" target="_blank" title="research">research</a> by <a href="https://twitter.com/albinowax" rel="nofollow" target="_blank" title="James Kettle">James Kettle</a>. The tool can help find servers that may be <a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="vulnerable">vulnerable</a> to HTTP request smuggling.</p><span><a name='more'></a></span><p dir="auto"><br /></p> <h2 dir="auto">Usage</h2> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="USAGE: request_smuggler [OPTIONS] --url <url> FLAGS: -h, --help Prints help information -V, --version Prints version information OPTIONS: --amount-of-payloads <amount-of-payloads> low/medium/all [default: low] -t, --attack-types <attack-types> [ClTeMethod, ClTePath, ClTeTime, TeClMethod, TeClPath, TeClTime] [default: "ClTeTime" "TeClTime"] --file <file> send request from a file you need to explicitly pass \r\n at the end of the lines -H, --header <headers> Example: -H 'one:one' 'two:two' -X, --method <method> [default: POST] -u, --url <url> -v, --verbose <verbose> 0 - print detected cases and errors only, 1 - print first line of server responses 2 - print requests [default: 0] --verify <verify> how many times verify the vulnerability [default: 2]"><pre><code>USAGE:<br /> request_smuggler [OPTIONS] --url <url><br /><br />FLAGS:<br /> -h, --help Prints help information<br /> -V, --version Prints version information<br /><br />OPTIONS:<br /> --amount-of-payloads <amount-of-payloads> low/medium/all [default: low]<br /> -t, --attack-types <attack-types><br /> [ClTeMethod, ClTePath, ClTeTime, TeClMethod, TeClPath, TeClTime] [default: "ClTeTime" "TeClTime"]<br /><br /> --file <file><br /> send request from a file<br /> you need to explicitly pass \r\n at the end of the lines<br /> -H, --header <headers> Example: -H 'one:one' 'two:two'<br /> -X, --method <method> [default: POST]<br /> -u, --url <url><br /> -v, --verbose <verbose><br /> 0 - print detected cases and errors only,<br /> 1 - print first line of server responses<br /> 2 - print requests [default: 0]<br /> --verify <verify> how many times to verify the vulnerability [default: 2]<br /></code></pre></div> <h2 dir="auto">Installation</h2> <ul dir="auto"> <li> <p dir="auto">Linux</p> <ul dir="auto"> <li>from releases</li> <li>from source code (rust should be installed) <div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/Sh1Yo/request_smuggler cd request_smuggler cargo build --release"><pre><code>git clone https://github.com/Sh1Yo/request_smuggler<br />cd request_smuggler<br />cargo build --release</code></pre></div> </li> <li>using cargo install <div><pre><code>cargo install request_smuggler --version 0.1.0-alpha.2</code></pre></div> </li> </ul> </li> <li> <p dir="auto">Mac</p> <ul dir="auto"> <li>from source code (rust should be installed) <div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/Sh1Yo/request_smuggler cd request_smuggler cargo build --release"><pre><code>git clone https://github.com/Sh1Yo/request_smuggler<br />cd request_smuggler<br />cargo build --release</code></pre></div> </li> <li>using cargo install <div><pre><code>cargo install request_smuggler --version 0.1.0-alpha.2</code></pre></div> </li> </ul> </li> <li> <p dir="auto">Windows</p> <ul dir="auto"> <li>from releases</li> </ul> </li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/Sh1Yo/request_smuggler" rel="nofollow" target="_blank" title="Download Request_Smuggler">Download 
Request_Smuggler</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-70300334557069267662021-12-23T08:30:00.023-03:002021-12-23T08:30:00.269-03:00TrojanSourceFinder - Help Find Trojan Source Vulnerability In Code<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjLZ35ugOD0piJWR7qSn2RWkedUR85lL1SrkcGHENzzhubwIYmBRw4VbzkxFCZtkz5qatM7ddXdK9QHUO_z_X0SpQ8o0s-8LFbAd08MrmpOlNMGeODHaFKce3MOkCDQbekIrDaJLA3UKwoSBT2dDWKns0xvxnhsLJ_pqzs_TzAZ1eXmpwodQV8bb7VHPw=s1333" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="1333" height="274" src="https://blogger.googleusercontent.com/img/a/AVvXsEjLZ35ugOD0piJWR7qSn2RWkedUR85lL1SrkcGHENzzhubwIYmBRw4VbzkxFCZtkz5qatM7ddXdK9QHUO_z_X0SpQ8o0s-8LFbAd08MrmpOlNMGeODHaFKce3MOkCDQbekIrDaJLA3UKwoSBT2dDWKns0xvxnhsLJ_pqzs_TzAZ1eXmpwodQV8bb7VHPw=w640-h274" width="640" /></a></div><p><br /></p>
<h4 align="center" dir="auto">TrojanSourceFinder helps developers detect "Trojan Source" <a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="vulnerability">vulnerability</a> in source code.</h4>
<p align="center" dir="auto">
The Trojan Source vulnerability allows an attacker to make malicious code appear innocent.
In general, the attacker hides Unicode bidirectional control characters in the source so that the code he injects is displayed as if it were part of a comment or string literal, while the compiler still executes it. It is a serious threat because it affects most programming languages and editors, and projects that accept contributions from many "untrusted" sources are particularly exposed.
<br /></p><div><br /></div><span><a name='more'></a></span><div><br /></div>
<p></p>
<h2 dir="auto">Install</h2>
<h3 dir="auto">With <code>go</code></h3>
<p dir="auto"><em>> Via <code>go install</code></em></p>
<div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="go install github.com/ariary/TrojanSourceFinder/cmd/tsfinder@latest
"><pre><code>go install github.com/ariary/TrojanSourceFinder/cmd/tsfinder@latest</code></pre></div>
<p dir="auto">Make sure <code>$GOPATH/bin</code> (or <code>$GOBIN</code>, if set) is in your <code>$PATH</code>, since that is where <code>go install</code> places the binary.</p>
<p dir="auto"><em>> From source</em></p>
<div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/ariary/TrojanSourceFinder
cd TrojanSourceFinder
make before.build
make build.tsfinder
"><pre><code>git clone https://github.com/ariary/TrojanSourceFinder<br />cd TrojanSourceFinder<br />make before.build<br />make build.tsfinder</code></pre></div>
<p dir="auto">If the command <code>make build.tsfinder</code> failed, try:</p>
<div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="env GOOS=target-OS GOARCH=target-architecture go build -o tsfinder cmd/main.go
"><pre><code>env GOOS=target-OS GOARCH=target-architecture go build -o tsfinder cmd/main.go</code></pre></div>
<p dir="auto">The environment assignments and the <code>go build</code> must be on the same line (for example <code>GOOS=linux GOARCH=amd64</code>); split across two lines, <code>env</code> just prints the environment and the build runs without the variables.</p>
<h3 dir="auto">With <code>curl</code></h3>
<p dir="auto"><em>> From release</em></p>
<div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="curl -LO https://github.com/ariary/TrojanSourceFinder/releases/latest/download/tsfinder && chmod +x tsfinder
"><pre><code>curl -LO https://github.com/ariary/TrojanSourceFinder/releases/latest/download/tsfinder && chmod +x tsfinder</code></pre></div>
<p dir="auto">(<code>-L</code> follows the GitHub release redirect and <code>-O</code> keeps the remote file name; the lowercase <code>-l</code> flag is an FTP option and does not do that.)</p>
<h2 dir="auto">Detect Trojan Source</h2>
<p dir="auto"><em>> Help the detection of Trojan Source for manual <a href="https://www.kitploit.com/search/label/Code%20Review" target="_blank" title="code review">code review</a> or in CI/CD pipelines (Unicode bidirectional characters)</em></p>
<p dir="auto">To detect Trojan Source in a file or <a href="https://www.kitploit.com/search/label/Directory" target="_blank" title="directory">directory</a> <em>path</em>:</p>
<div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="tsfinder [path]
"><pre><code>tsfinder [path]</code></pre></div>
<h3 dir="auto">Detect only in text file</h3>
<p dir="auto"><em>> Source code files are text files. Restricting the scan to them (skipping binaries) helps rule out false positives</em></p>
<div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="tsfinder -t [path]
"><pre><code>tsfinder -t [path]</code></pre></div>
<p dir="auto">Add <code>-v</code> to see which files the scan skipped.</p>
<h3 dir="auto">Go further <em>(Homoglyph)</em></h3>
<p dir="auto">Trojan Source is not new, and it isn't the only hazard: another is the <em>"homoglyph"</em>, a character that looks like a different one (<em><a href="https://github.com/ariary/TrojanSourceFinder/blob/main/TrojanSource.md#homoglyph" rel="nofollow" target="_blank" title="What is it?">what is it?</a></em>).</p>
<p dir="auto">tsfinder helps detect them with the <code>homoglyph</code> command:</p>
<div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="tsfinder homoglyph [filename] [flags]
"><pre><code>tsfinder homoglyph [filename] [flags]</code></pre></div>
<p dir="auto">To check whether a sibling (i.e. a word with the same "skeleton") exists for the homoglyphs found in <code>filename</code>, point the <code>--sibling</code> flag at the directory <code>path</code> to search:</p>
<div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="tsfinder homoglyph [filename] --sibling [path]
"><pre><code>tsfinder homoglyph [filename] --sibling [path] </code></pre></div>
<p dir="auto"><em>This functionality is under development and depends mainly on another project.</em></p>
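<p dir="auto">As an added example (not the project's own code, and not necessarily the approach tsfinder takes), the following Python sketch shows what a homoglyph check and the "sibling" lookup described above amount to: it flags words that mix scripts or contain look-alike characters, reduces each to a "skeleton" using a small hand-picked subset of the Unicode confusables table (an assumption; the real table is far larger), and reports any pure-ASCII identifier in the same file with an identical skeleton. The sample source is constructed.</p>

```python
import re
import unicodedata

# Constructed sample (not from the project): an attacker defines a second is_admin
# whose 'a' is CYRILLIC SMALL LETTER A (U+0430); both names render identically.
SAMPLE_SOURCE = (
    "def is_admin(user):\n"
    "    return user.role == 'admin'\n"
    "\n"
    "def is_\u0430dmin(user):\n"
    "    return True\n"
    "\n"
    "if is_\u0430dmin(current_user):\n"
    "    grant_access()\n"
)

# Hand-picked subset of Unicode TR39 confusables mapped to their ASCII look-alikes
# (assumption for this example; extend it from the official confusables.txt).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u03bf": "o", "\u039f": "O", "\u0391": "A", "\u0392": "B",
}

WORD_RE = re.compile(r"\w+")


def script_of(ch):
    """Coarse script of a letter from its Unicode name prefix (LATIN, CYRILLIC, GREEK...)."""
    if not ch.isalpha():
        return None
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def skeleton(word):
    """Fold look-alikes to ASCII: NFKC first (fullwidth forms, ligatures), then the table."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", word))


def find_homoglyphs(text):
    """Return (line_no, word, skeleton, scripts) for suspicious words: those mixing
    scripts, or whose characters all fold to a different pure-ASCII word. A word
    written entirely in one non-Latin script (e.g. a Cyrillic comment) is not flagged."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for word in WORD_RE.findall(line):
            scripts = sorted({s for s in map(script_of, word) if s})
            skel = skeleton(word)
            if len(scripts) > 1 or (skel != word and skel.isascii()):
                findings.append((n, word, skel, scripts))
    return findings


def find_siblings(text):
    """For each flagged word, find the pure-ASCII word in the same text that it
    impersonates, i.e. the one with an identical skeleton (the --sibling idea)."""
    ascii_words = {w for w in WORD_RE.findall(text) if w.isascii()}
    return {word: skel for _, word, skel, _ in find_homoglyphs(text)
            if skel in ascii_words and skel != word}


if __name__ == "__main__":
    for n, word, skel, scripts in find_homoglyphs(SAMPLE_SOURCE):
        print(f"line {n}: {word!r} looks like {skel!r} (scripts: {', '.join(scripts)})")
    for word, sibling in find_siblings(SAMPLE_SOURCE).items():
        print(f"{word!r} has an ASCII sibling: {sibling!r}")
```

<p dir="auto">The skeleton comparison is what makes the sibling check useful: a lone mixed-script identifier may be a typo, but one whose skeleton is an existing identifier in the same codebase is almost certainly an impersonation.</p>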
<h2 dir="auto">Visualize Trojan Source</h2>
<p dir="auto"><em>> Visualize how the code is really interpreted by machines/compiler</em></p>
<p dir="auto"><em>tsfinder</em> is deliberately not very verbose. By default, it only reports whether Trojan Source code has been detected. For more verbosity, and to <strong>visualize the dangerous line, add the flag <code>-v</code></strong>.</p>
<p dir="auto">To see more easily where the Trojan Source characters are, enable colored output with the <code>-c</code> flag (also useful with directory scans):</p>
<div class="highlight highlight-source-shell position-relative overflow-auto" data-snippet-clipboard-copy-content="tsfinder -c -v <directory>
"><pre><code>tsfinder -c -v <directory></code></pre></div>
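<p dir="auto">As an added example (not TrojanSourceFinder's code), here is a small Python scanner that does what the <code>tsfinder</code>, <code>tsfinder -t</code> and <code>-v</code> invocations above describe: it flags the Unicode bidirectional control characters (the same set the grep one-liner at the end of this post matches), skips binary files the way <code>grep -I</code> does, renders the hidden characters visibly so a reviewer sees the order the compiler reads, and exits with status 1 when anything is found. The sample source is constructed; the flag names mimic tsfinder's and are an assumption.</p>

```python
import os
import sys

# Unicode bidirectional control characters used by Trojan Source attacks; the set
# matches the grep one-liner in the Alternative section of this post.
BIDI_CHARS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}

# Constructed sample (not from the project): the "commenting-out" trick. In an editor
# the bracketed text reads as a harmless comment; the compiler sees "} if (isAdmin) {".
SAMPLE_SOURCE = (
    "#include <stdio.h>\n"
    "int main() {\n"
    "    int isAdmin = 0;\n"
    "    /*\u202e } \u2066if (isAdmin)\u2069 \u2066 begin admins only */\n"
    "        printf(\"You are an admin.\\n\");\n"
    "    /* end admins only \u202e { \u2066*/\n"
    "    return 0;\n"
    "}\n"
)


def is_text(data):
    """grep -I / tsfinder -t style heuristic: a NUL byte in the first 8 KiB means binary."""
    return b"\x00" not in data[:8192]


def find_bidi(text):
    """Return (line_no, column, char, line) for every bidi control character in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CHARS:
                hits.append((n, col, ch, line))
    return hits


def render(line):
    """Make the invisible characters visible, e.g. '<RLO>' in place of U+202E, so the
    reviewer sees the order in which the compiler reads the line."""
    return "".join(f"<{BIDI_CHARS[c]}>" if c in BIDI_CHARS else c for c in line)


def scan_file(path, text_only=False):
    """Scan one file; return its hits, or None if it was skipped as binary."""
    with open(path, "rb") as f:
        data = f.read()
    if text_only and not is_text(data):
        return None
    return find_bidi(data.decode("utf-8", errors="replace"))


def scan_tree(root, text_only=False):
    """Scan a file or directory tree; return {path: hits} for files with findings."""
    if os.path.isfile(root):
        paths = [root]
    else:
        paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    findings = {}
    for path in paths:
        hits = scan_file(path, text_only)
        if hits:
            findings[path] = hits
    return findings


def main(argv):
    """Usage: scanner.py [-t] [-v] [path...]; exit status 1 if anything was found."""
    flags = {a for a in argv if a.startswith("-")}
    roots = [a for a in argv if not a.startswith("-")] or ["."]
    found = False
    for root in roots:
        for path, hits in scan_tree(root, text_only="-t" in flags).items():
            found = True
            print(f"{path}: {len(hits)} bidi control character(s)")
            if "-v" in flags:
                for n, col, ch, line in hits:
                    print(f"  line {n} col {col} U+{ord(ch):04X} ({BIDI_CHARS[ch]}): {render(line)}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

<p dir="auto">Run it as <code>python3 scanner.py -t -v .</code> in a CI job and the non-zero exit status fails the build, the same contract tsfinder offers. Rendering the line with <code>&lt;RLO&gt;</code>-style markers is the important part for a reviewer: the raw line looks identical to the innocent version in most editors and diff viewers.</p>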
<h2 dir="auto">Demo</h2>
<p dir="auto"><br /></p><p dir="auto"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjLZ35ugOD0piJWR7qSn2RWkedUR85lL1SrkcGHENzzhubwIYmBRw4VbzkxFCZtkz5qatM7ddXdK9QHUO_z_X0SpQ8o0s-8LFbAd08MrmpOlNMGeODHaFKce3MOkCDQbekIrDaJLA3UKwoSBT2dDWKns0xvxnhsLJ_pqzs_TzAZ1eXmpwodQV8bb7VHPw=s1333" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="571" data-original-width="1333" height="274" src="https://blogger.googleusercontent.com/img/a/AVvXsEjLZ35ugOD0piJWR7qSn2RWkedUR85lL1SrkcGHENzzhubwIYmBRw4VbzkxFCZtkz5qatM7ddXdK9QHUO_z_X0SpQ8o0s-8LFbAd08MrmpOlNMGeODHaFKce3MOkCDQbekIrDaJLA3UKwoSBT2dDWKns0xvxnhsLJ_pqzs_TzAZ1eXmpwodQV8bb7VHPw=w640-h274" width="640" /></a></p><p dir="auto"> </p>
<h3 dir="auto">Homoglyph</h3>
<p dir="auto"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiwWwHM_j9yuziZG9qH1HMZW9dm9Rj_c-RroYsHm3TsEQkTQFlZUHtc7Hw2yc3xL3CCJwD8tdHc9giTvV6FgX3h75qzfnOXtKqDXnPC3WE4Rx7Kt9rHkgjthRuLI39QebIZ4VWGPc_0SLDTpEBr9atuu-E09OzPflHkdEDhNCsVAoNBQu7wICV18OcxFw=s1333" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="1333" height="274" src="https://blogger.googleusercontent.com/img/a/AVvXsEiwWwHM_j9yuziZG9qH1HMZW9dm9Rj_c-RroYsHm3TsEQkTQFlZUHtc7Hw2yc3xL3CCJwD8tdHc9giTvV6FgX3h75qzfnOXtKqDXnPC3WE4Rx7Kt9rHkgjthRuLI39QebIZ4VWGPc_0SLDTpEBr9atuu-E09OzPflHkdEDhNCsVAoNBQu7wICV18OcxFw=w640-h274" width="640" /></a></div><p dir="auto"> </p>
<h2 dir="auto">Alternative</h2>
<p dir="auto">As mentioned by <code>@ioah86</code> <a href="https://www.reddit.com/r/cybersecurity/comments/qlh5j9/my_take_on_trojan_source/" rel="nofollow" target="_blank" title="here">here</a>, Trojan Source can also be detected with a grep <a href="https://www.kitploit.com/search/label/One%20Liner" target="_blank" title="one liner">one-liner</a>.</p>
<p dir="auto">The big differences are the output format and the exit status code (<code>tsfinder</code> exits with status <code>0</code> if no Trojan Source has been found and <code>1</code> otherwise; <code>grep</code> does the opposite, exiting <code>0</code> on a match).</p>
<p dir="auto">Also, this one-liner does not address the homoglyph issue.</p>
<table>
<tbody><tr>
<th align="center">Goal</th>
<th align="left"><code>tsfinder</code></th>
<th align="left"><code>grep</code> one-liner</th>
</tr>
<tr>
<td align="center">Scan all files + show lines</td>
<td align="left"><code>tsfinder -v .</code></td>
<td align="left"><code>grep -arE $'(\u2066|\u2067|\u2068|\u202A|\u202B|\u202D|\u202E|\u202C|\u2069|\u200E|\u200F|\u061C|\u2066|\u2067|\u2068)'</code></td>
</tr>
<tr>
<td align="center">Scan only on human-readable files</td>
<td align="left"><code>tsfinder -t .</code></td>
<td align="left"><code>grep -IrE $'(\u2066|\u2067|\u2068|\u202A|\u202B|\u202D|\u202E|\u202C|\u2069|\u200E|\u200F|\u061C|\u2066|\u2067|\u2068)'</code></td>
</tr>
<tr>
<td align="center">Exit with status code 1 if found</td>
<td align="left">default</td>
<td align="left"><code>[one-liner] && exit 1 || exit 0</code></td>
</tr>
</tbody></table>
<br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/ariary/TrojanSourceFinder" rel="nofollow" target="_blank" title="Download TrojanSourceFinder">Download TrojanSourceFinder</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-65568337820161984882021-11-25T17:30:00.001-03:002021-11-25T17:30:00.242-03:00Nanobrok - Web Service For Control And Protect Your Android Device Remotely<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjXIZADjbhfltYttsXXmGsVXCr3YMifaIFHpURG0iosb0a-MgGTb4a2ljb9FF7TEvdh9Xj0cWGu4w3KAP1NdNFOu9bv2TJEqwUB4r_9hf_vrO06E2EWs-6n2K-n1aZgcsBPbXtsfXsGeTihL3ij39Cs-urGhd1pJE_MbSbPGKa13M1c4szPV81CAGZYaw=s2048" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1674" height="640" src="https://blogger.googleusercontent.com/img/a/AVvXsEjXIZADjbhfltYttsXXmGsVXCr3YMifaIFHpURG0iosb0a-MgGTb4a2ljb9FF7TEvdh9Xj0cWGu4w3KAP1NdNFOu9bv2TJEqwUB4r_9hf_vrO06E2EWs-6n2K-n1aZgcsBPbXtsfXsGeTihL3ij39Cs-urGhd1pJE_MbSbPGKa13M1c4szPV81CAGZYaw=w524-h640" width="524" /></a></div><p><br /></p>
<p dir="auto"><strong>Web service written in Python to control and protect your <a href="https://www.kitploit.com/search/label/Android%20Device" target="_blank" title="android device">android device</a> remotely.</strong> </p>
<p dir="auto">The official app can be found on the PlayStore:</p>
<ul dir="auto">
<li><a href="https://play.google.com/store/apps/details?id=com.mh4x0f.nanobrok" rel="nofollow" target="_blank" title="NanobrokPro">NanobrokPro</a></li>
<li><a href="https://play.google.com/store/apps/details?id=com.mh4x0f.community.nanobrok" rel="nofollow" target="_blank" title="Nanobrok Community">Nanobrok Community</a></li></ul><span><a name='more'></a></span><div><br /></div>
<h2 dir="auto">Overview</h2>
<p dir="auto"><strong>Nanobrok-Server</strong> is a powerful <a href="https://www.kitploit.com/search/label/Opensource" target="_blank" title="opensource">open-source</a> web service, written in Python, for controlling and protecting your <a href="https://www.kitploit.com/search/label/Android" target="_blank" title="android">Android</a> device. It offers a stable and secure connection to the device so that you can protect and control it remotely.</p>
<h2 dir="auto">Main Features</h2>
<ul dir="auto">
<li>Maps the location of your device</li>
<li>Alert flag (in the event the device is lost or stolen)</li>
<li>Microphone audio recorder</li>
<li>Remote <a href="https://www.kitploit.com/search/label/File%20Transfer" target="_blank" title="File Transfer">File Transfer</a> [PRO]</li>
<li>Network <a href="https://www.kitploit.com/search/label/Scanner" target="_blank" title="scanner">scanner</a> [PRO]</li>
<li>and <strong>more</strong>!</li>
</ul>
<h2 dir="auto">Security features</h2>
<p dir="auto">We implemented some security features to try to protect your remote server. But remember that no method of transmission over the internet, or method of electronic storage, is 100% secure and reliable, and I cannot guarantee its absolute security.</p>
<ul dir="auto">
<li>CSRF token</li>
<li>Sign-in attempt block limit</li>
<li>X-Frame-Options</li>
<li>Same origin policy (SOP)</li>
<li>CORS (Flask implementation)</li>
<li>HTTPS force redirect</li>
<li>API Header X-CSRFToken</li>
<li>Self-signed certificate (CA)</li>
</ul>
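<p dir="auto">The list names the checks but not what each one has to do. The following is an added example, not Nanobrok's own code: a plain-Python model of the same checks, deliberately Flask-free so it runs anywhere (in a Flask application the equivalents would be a <code>before_request</code> redirect, a CSRF extension and the CORS extension the list refers to). The route names, the five-attempt limit, the 15-minute lockout, the allowed origin and the demo credential are assumptions chosen for illustration.</p>

```python
"""Added example, not Nanobrok's code: the checks listed above (HTTPS redirect,
sign-in attempt limit, CSRF token and X-CSRFToken header, X-Frame-Options,
same-origin/CORS) modelled in plain Python. Names and limits are assumptions."""
import hmac
import secrets
import time

MAX_SIGNIN_ATTEMPTS = 5                             # assumption: lock after 5 failures
LOCKOUT_SECONDS = 15 * 60                           # assumption: 15-minute lockout
ALLOWED_ORIGIN = "https://nanobrok.example"         # assumption: the panel's own origin
USERS = {"admin": "correct horse battery staple"}   # constructed demo credential


def _eq(a, b):  # constant-time compare; encode so non-ASCII input cannot raise
    return hmac.compare_digest(a.encode(), b.encode())


class ControlServer:
    """Checks in order: HTTPS redirect, sign-in limit, CSRF/session, origin.
    A request is a dict (scheme, host, ip, method, path, cookies, headers, form)."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so lockout expiry is testable
        self.sessions = {}      # session id -> {"user": ..., "csrf": ...}
        self.failures = {}      # client ip -> (failure count, first failure time)

    def handle(self, req):
        status, headers, body = self._route(req)
        headers.append(("X-Frame-Options", "DENY"))   # never allow framing the panel
        return status, headers, body

    def _route(self, req):
        if req.get("scheme") != "https":               # HTTPS force redirect
            return 301, [("Location", "https://%s%s" % (req["host"], req["path"]))], {}
        if req["path"] == "/login":
            return self._login_form() if req["method"] == "GET" else self._login(req)
        if req["path"].startswith("/api/"):
            return self._api(req)
        return 404, [], {"error": "not found"}

    def _login_form(self):
        # A pre-login session carries the CSRF token the login form must echo back.
        sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "csrf": csrf}
        cookie = "session=%s; Secure; HttpOnly; SameSite=Strict" % sid
        return 200, [("Set-Cookie", cookie)], {"csrf": csrf}

    def _login(self, req):
        ip, now = req["ip"], self.clock()
        count, first = self.failures.get(ip, (0, now))
        if now - first >= LOCKOUT_SECONDS:             # lockout window expired
            count, first = 0, now
        if count >= MAX_SIGNIN_ATTEMPTS:               # sign-in attempt block limit
            return 429, [], {"error": "too many sign-in attempts"}
        sess = self.sessions.get(req.get("cookies", {}).get("session"))
        form = req.get("form", {})
        if sess is None or not _eq(sess["csrf"], form.get("csrf", "")):
            return 403, [], {"error": "bad CSRF token"}
        user = form.get("username", "")
        if not _eq(USERS.get(user, ""), form.get("password", "")):  # demo: plaintext
            self.failures[ip] = (count + 1, first)
            return 401, [], {"error": "invalid credentials"}
        self.failures.pop(ip, None)
        sess["user"], sess["csrf"] = user, secrets.token_urlsafe(32)  # rotate token
        return 200, [], {"user": user, "csrf": sess["csrf"]}

    def _api(self, req):
        sess = self.sessions.get(req.get("cookies", {}).get("session"))
        if sess is None or sess["user"] is None:
            return 401, [], {"error": "not signed in"}
        origin = req.get("headers", {}).get("Origin")   # same-origin policy / CORS
        if origin is not None and origin != ALLOWED_ORIGIN:
            return 403, [], {"error": "cross-origin request refused"}
        cors = [("Access-Control-Allow-Origin", ALLOWED_ORIGIN), ("Vary", "Origin")]
        token = req.get("headers", {}).get("X-CSRFToken", "")
        if req["method"] != "GET" and not _eq(sess["csrf"], token):
            return 403, cors, {"error": "missing or wrong X-CSRFToken"}
        return 200, cors, {"user": sess["user"], "action": req["path"]}


def demo():
    """Drive every check with constructed requests; returns the status codes."""
    now = [1_700_000_000.0]
    srv = ControlServer(clock=lambda: now[0])
    base = {"host": "nanobrok.example", "ip": "203.0.113.7", "scheme": "https"}
    codes = [srv.handle(dict(base, scheme="http", method="GET", path="/login"))[0]]
    status, headers, body = srv.handle(dict(base, method="GET", path="/login"))
    codes.append(status)
    cookies = {"session": dict(headers)["Set-Cookie"].split(";")[0].split("=", 1)[1]}
    bad = dict(base, method="POST", path="/login", cookies=cookies,
               form={"username": "admin", "password": "wrong"})
    codes.append(srv.handle(bad)[0])                    # no CSRF token -> 403
    bad["form"]["csrf"] = body["csrf"]
    for _ in range(MAX_SIGNIN_ATTEMPTS + 1):            # 5 x 401, then 429
        codes.append(srv.handle(bad)[0])
    now[0] += LOCKOUT_SECONDS                           # lockout window expires
    status, _, body = srv.handle(dict(bad, form=dict(bad["form"], password=USERS["admin"])))
    codes.append(status)
    api = dict(base, method="POST", path="/api/locate", cookies=cookies, headers={})
    codes.append(srv.handle(dict(api, headers={"Origin": "https://evil.example"}))[0])
    codes.append(srv.handle(api)[0])                    # no X-CSRFToken -> 403
    codes.append(srv.handle(dict(api, headers={"X-CSRFToken": body["csrf"]}))[0])
    return codes
```

<p dir="auto">Calling <code>demo()</code> walks through every check in turn: plain HTTP is redirected, a login without the form token is refused, five wrong passwords lock the address out until the window expires, and the API refuses both a foreign origin and a request without <code>X-CSRFToken</code>. Two details the feature list does not spell out: the CSRF token is rotated after a successful sign-in, and the attempt limit is keyed on the client address, so a production deployment should also count failures per account, otherwise an attacker behind the same NAT as the legitimate user can lock that user out. The self-signed certificate in the list only protects the connection if the Android client pins or explicitly trusts it.</p>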
<p dir="auto">We are always looking to add more security features.</p>
<h2 dir="auto">Supported platforms</h2>
<ul dir="auto">
<li>
<p dir="auto"><strong>Python</strong>: you need <strong>Python 3.7 or later</strong> to run Nanobrok-Server.</p>
</li>
<li>
<p dir="auto">You can run it on <a href="https://github.com/P0cL4bs/Nanobrok/wiki/Installation#virtualenv" rel="nofollow" target="_blank" title="localhost">localhost</a>, on a <a href="https://github.com/P0cL4bs/Nanobrok/wiki/Installation#install-on-vps" rel="nofollow" target="_blank" title="VPS">VPS</a> or as a <a href="https://github.com/P0cL4bs/Nanobrok/wiki/Installation#heroku" rel="nofollow" target="_blank" title="heroku app">Heroku app</a>.</p>
</li>
<li>
<p dir="auto"><strong>Operating System</strong>:</p>
<ul dir="auto">
<li>a recent version of Linux (we tested on <strong>Ubuntu 18.04 LTS</strong>);</li>
<li>please note: <strong>Windows</strong> is <strong>supported</strong> in principle but has not been tested yet.</li>
</ul>
</li>
</ul>
<h2 dir="auto">Installation & Documentation</h2>
<p dir="auto">Learn more in the <a href="https://github.com/P0cL4bs/Nanobrok/wiki" rel="nofollow" target="_blank" title="wiki">wiki</a>:</p>
<ul dir="auto">
<li><a href="https://github.com/P0cL4bs/Nanobrok/wiki/Installation" rel="nofollow" target="_blank" title="Installation">Installation</a></li>
</ul>
<h2 dir="auto">Contributing</h2>
<p dir="auto">See <a href="https://github.com/P0cL4bs/Nanobrok/blob/master/CONTRIBUTING.md" rel="nofollow" target="_blank" title="CONTRIBUTING.md">CONTRIBUTING.md</a> for how to help out.</p>
<h2 dir="auto">Community</h2>
<p dir="auto">On Discord: <a href="https://discord.gg/gYjBryBu" rel="nofollow" target="_blank" title="https://discord.gg/gYjBryBu">https://discord.gg/gYjBryBu</a></p>
<h2 dir="auto">License</h2>
<p dir="auto"><strong>Nanobrok</strong> is licensed under the <a href="https://github.com/P0cL4bs/Nanobrok/blob/master/LICENSE.md" rel="nofollow" target="_blank" title="Apache 2.0">Apache 2.0</a> license.</p>
<p dir="auto">Made with by P0cL4bs Team</p><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/P0cL4bs/Nanobrok" rel="nofollow" target="_blank" title="Download Nanobrok">Download Nanobrok</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-89724482407678341402021-11-05T08:30:00.002-03:002021-11-05T08:30:00.275-03:00PyRDP - RDP Monster-In-The-Middle (Mitm) And Library For Python With The Ability To Watch Connections Live Or After The Fact<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh8og_R2OruoSFk_SgX2hNiEaD7UXpfovqfLDPa0ksj_exD01CJqd5Jubqj-mwxWA2oxWley8NvC25qt6lsUuoT_ScvomKDeV4kUB51d2nWh5pQADmEa6hpOfjU5vQ-WVBXJhgt-OLWFfn4mtWjcPGpkufijVIVL5F_6LV7_mIE9yexcd0idjiQ4SbtiA=s603" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="603" height="303" src="https://blogger.googleusercontent.com/img/a/AVvXsEh8og_R2OruoSFk_SgX2hNiEaD7UXpfovqfLDPa0ksj_exD01CJqd5Jubqj-mwxWA2oxWley8NvC25qt6lsUuoT_ScvomKDeV4kUB51d2nWh5pQADmEa6hpOfjU5vQ-WVBXJhgt-OLWFfn4mtWjcPGpkufijVIVL5F_6LV7_mIE9yexcd0idjiQ4SbtiA=s320" width="320" /></a></div><p><br /></p> <p>PyRDP is a Python <a href="https://www.kitploit.com/search/label/Remote%20Desktop%20Protocol" target="_blank" title="Remote Desktop Protocol">Remote Desktop Protocol</a> (RDP) Monster-in-the-Middle (MITM) tool and library.</p><span><a name='more'></a></span><p><br /></p> <p>It features a few tools:</p> <ul> <li>RDP Monster-in-the-Middle <ul> <li>Logs credentials used when connecting</li> <li>Steals data copied to the clipboard</li> <li>Saves a copy of the files transferred over the network</li> <li>Crawls shared drives in the background and saves them locally</li> <li>Saves replays of connections so you can look at them later</li> <li>Runs console commands or PowerShell 
payloads automatically on new connections</li> </ul> </li> <li>RDP Player: <ul> <li>See live RDP connections coming from the MITM</li> <li>View replays of RDP connections</li> <li>Take control of active RDP sessions while hiding your actions</li> <li>List the client's mapped drives and download files from them during active sessions</li> </ul> </li> <li>RDP Certificate Cloner: <ul> <li>Create a self-signed X509 certificate with the same fields as an RDP server's certificate</li> </ul> </li> </ul> <p>PyRDP was <a href="https://www.gosecure.net/blog/2018/12/19/rdp-man-in-the-middle-smile-youre-on-camera" rel="nofollow" target="_blank" title="introduced in 2018">introduced in 2018</a> in which we <a href="https://www.youtube.com/watch?v=eB7RC9FmL6Q" rel="nofollow" target="_blank" title="demonstrated that we can catch a real threat actor in action">demonstrated that we can catch a real threat actor in action</a>. This tool is being developed with both pentest and malware research use cases in mind.</p> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgYY-TN43yLP64gW2EXVWPCMYMnzyC9LPYpb93ijTWK7Bce2ERqvFgy9OAHxerRd03FX9jqCwIG4RaNd8AqxF-mLfSE8782XYwU2Cwmt4nTxhPQ8ZwhmMxcHIQdiYyxwIjDx86RIKH5TJd5GJ4b-VfM_Gg74N1HgPYxSM9ExSb7UoZ_QOuAquLpQBu-4A=s1156" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="871" data-original-width="1156" height="482" src="https://blogger.googleusercontent.com/img/a/AVvXsEgYY-TN43yLP64gW2EXVWPCMYMnzyC9LPYpb93ijTWK7Bce2ERqvFgy9OAHxerRd03FX9jqCwIG4RaNd8AqxF-mLfSE8782XYwU2Cwmt4nTxhPQ8ZwhmMxcHIQdiYyxwIjDx86RIKH5TJd5GJ4b-VfM_Gg74N1HgPYxSM9ExSb7UoZ_QOuAquLpQBu-4A=w640-h482" width="640" /></a></div><p><br /></p><span style="font-size: large;"><b>Supported Systems</b></span><br /> <p>PyRDP should work on Python 3.6 and up on the x86-64, ARM and ARM64 platforms.</p> <p>This tool has been tested to work on Python 3.6 on Linux 
(Ubuntu 18.04), <a href="https://www.kitploit.com/search/label/Raspberry%20Pi" target="_blank" title="Raspberry Pi">Raspberry Pi</a> and Windows (see section <a href="https://github.com/GoSecure/pyrdp#installing-on-windows" rel="nofollow" target="_blank" title="Installing on Windows">Installing on Windows</a>). It has not been tested on macOS.</p> <br /><span style="font-size: large;"><b>Installing</b></span><br /> <br /><b>Using the Docker Image</b><br /> <p>This is the easiest installation method if you have Docker installed and working.</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker pull gosecure/pyrdp:latest "><pre><code>docker pull gosecure/pyrdp:latest<br /></code></pre></div> <p>As an alternative, we have a slimmer image without the GUI and ffmpeg dependencies. This is the only provided image on ARM platforms.</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker pull gosecure/pyrdp:latest-slim "><pre><code>docker pull gosecure/pyrdp:latest-slim<br /></code></pre></div> <p>You can find the list of all our Docker images <a href="https://hub.docker.com/r/gosecure/pyrdp/tags" rel="nofollow" target="_blank" title="on the gosecure/pyrdp DockerHub page">on the gosecure/pyrdp DockerHub page</a>.</p> <br /><b>From Git Source</b><br /> <p>We recommend installing PyRDP in a <a href="https://packaging.python.org/guides/installing-using-pip-and-virtual-environments/" rel="nofollow" target="_blank" title="virtual environment">virtual environment</a> to avoid dependency issues.</p> <p>First, make sure to install the prerequisite packages (on Ubuntu). We provide two types of installs: a full one and a slim one. 
Install the dependencies according to your use case.</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="# Full install (GUI, transcoding to MP4) sudo apt install python3 python3-pip python3-dev python3-setuptools python3-venv \ build-essential python3-dev git openssl \ libdbus-1-dev libdbus-glib-1-dev libgl1-mesa-glx \ notify-osd dbus-x11 libxkbcommon-x11-0 libxcb-xinerama0 \ libavformat-dev libavcodec-dev libavdevice-dev \ libavutil-dev libswscale-dev libswresample-dev libavfilter-dev # Slim install (no GUI, no transcoding) sudo apt install python3 python3-pip python3-setuptools python3-venv \ build-essential python3-dev git openssl "><pre><code># Full install (GUI, transcoding to MP4)<br />sudo apt install python3 python3-pip python3-dev python3-setuptools python3-venv \<br /> build-essential python3-dev git openssl \<br /> libdbus-1-dev libdbus-glib-1-dev libgl1-mesa-glx \<br /> notify-osd dbus-x11 libxkbcommon-x11-0 libxcb-xinerama0 \<br /> libavformat-dev libavcodec-dev libavdevice-dev \<br /> libavutil-dev libswscale-dev libswresample-dev libavfilter-dev<br /><br /># Slim install (no GUI, no transcoding)<br />sudo apt install python3 python3-pip python3-setuptools python3-venv \<br /> build-essential python3-dev git openssl<br /></code></pre></div> <p>Grab PyRDP's source code:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/gosecure/pyrdp.git "><pre><code>git clone https://github.com/gosecure/pyrdp.git<br /></code></pre></div> <p>Then, create your virtual environment in the <code>venv</code> directory inside PyRDP's directory:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="cd pyrdp python3 -m venv venv "><pre><code>cd pyrdp<br />python3 -m venv venv<br /></code></pre></div> <p><em>DO NOT</em> use the root PyRDP directory for the virtual 
environment folder (<code>python3 -m venv .</code>). You will make a mess, and using a directory name like <code>venv</code> is more standard anyway.</p> <p>Before installing the dependencies, you need to activate your virtual environment:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="source venv/bin/activate "><pre><code>source venv/bin/activate<br /></code></pre></div> <p>Finally, you can install the project with Pip:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pip3 install -U pip setuptools wheel # Without GUI and ffmpeg dependencies pip3 install -U -e . # With GUI and ffmpeg dependencies pip3 install -U -e '.[full]' "><pre><code>pip3 install -U pip setuptools wheel<br /><br /># Without GUI and ffmpeg dependencies<br />pip3 install -U -e .<br /><br /># With GUI and ffmpeg dependencies<br />pip3 install -U -e '.[full]'<br /></code></pre></div> <p>This should install the dependencies required to run PyRDP. If you choose to install without GUI or ffmpeg dependencies, it will not be possible to use <code>pyrdp-player</code> without headless mode (<code>--headless</code>) or <code>pyrdp-convert</code>.</p> <p>If you ever want to leave your virtual environment, you can simply deactivate it:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="deactivate "><pre><code>deactivate<br /></code></pre></div> <p>Note that you will have to activate your environment every time you want to have the PyRDP scripts available as shell commands.</p> <br /><b>Installing on Windows</b><br /> <p>The steps are almost the same. There are two additional prerequisites.</p> <ol> <li>Any C compiler</li> <li><a href="https://wiki.openssl.org/index.php/Binaries" rel="nofollow" target="_blank" title="OpenSSL">OpenSSL</a>. 
Make sure it is reachable from your <code>$PATH</code>.</li> </ol> <p>Then, create your virtual environment in PyRDP's directory:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="cd pyrdp python3 -m venv venv "><pre><code>cd pyrdp<br />python3 -m venv venv<br /></code></pre></div> <p><em>DO NOT</em> use the root PyRDP directory for the virtual environment folder (<code>python3 -m venv .</code>). You will make a mess, and using a directory name like <code>venv</code> is more standard anyway.</p> <p>Before installing the dependencies, you need to activate your virtual environment:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="venv\Scripts\activate "><pre><code>venv\Scripts\activate<br /></code></pre></div> <p>Finally, you can install the project with Pip:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pip3 install -U pip setuptools wheel pip3 install -U -e ".[full]" "><pre><code>pip3 install -U pip setuptools wheel<br />pip3 install -U -e ".[full]"<br /></code></pre></div> <p>This should install all the dependencies required to run PyRDP.</p> <p>If you ever want to leave your virtual environment, you can simply deactivate it:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="deactivate "><pre><code>deactivate<br /></code></pre></div> <p>Note that you will have to activate your environment every time you want to have the PyRDP scripts available as shell commands.</p> <br /><b>Building the Docker Image</b><br /> <p>First of all, build the image by executing this command at the root of PyRDP (where Dockerfile is located):</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker build -t pyrdp . 
"><pre><code>docker build -t pyrdp .<br /></code></pre></div> <p>As an alternative we have a slimmer image without the GUI and ffmpeg dependencies:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker build -f Dockerfile.slim -t pyrdp . "><pre><code>docker build -f Dockerfile.slim -t pyrdp .<br /></code></pre></div> <p>Afterwards, you can execute PyRDP by invoking the <code>pyrdp</code> docker container. See <a href="https://github.com/GoSecure/pyrdp#using-pyrdp" rel="nofollow" target="_blank" title="Usage instructions">Usage instructions</a> and the <a href="https://github.com/GoSecure/pyrdp#docker-specific-usage-instructions" rel="nofollow" target="_blank" title="Docker specific instructions">Docker specific instructions</a> for details.</p> <p>Cross-platform builds can be achieved using <code>buildx</code>:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker buildx build --platform linux/arm,linux/amd64 -t pyrdp -f Dockerfile.slim . "><pre><code>docker buildx build --platform linux/arm,linux/amd64 -t pyrdp -f Dockerfile.slim .<br /></code></pre></div> <br /><b>Migrating away from pycrypto</b><br /> <p>Since pycrypto isn't maintained anymore, we chose to migrate to pycryptodome. If you get this error, it means that you are using the module pycrypto instead of pycryptodome.</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="[...] 
File "[...]/pyrdp/pyrdp/pdu/rdp/connection.py", line 10, in <module> from Crypto.PublicKey.RSA import RsaKey ImportError: cannot import name 'RsaKey' "><pre><code>[...]<br /> File "[...]/pyrdp/pyrdp/pdu/rdp/connection.py", line 10, in <module><br /> from Crypto.PublicKey.RSA import RsaKey<br />ImportError: cannot import name 'RsaKey'<br /></code></pre></div> <p>You will need to remove the module pycrypto and reinstall PyRDP.</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pip3 uninstall pycrypto pip3 install -U -e . "><pre><code>pip3 uninstall pycrypto<br />pip3 install -U -e .<br /></code></pre></div> <br /><span style="font-size: large;"><b>Using PyRDP</b></span><br /> <br /><b>Using the PyRDP Monster-in-the-Middle</b><br /> <p>Use <code>pyrdp-mitm.py <ServerIP></code> or <code>pyrdp-mitm.py <ServerIP>:<ServerPort></code> to run the MITM.</p> <p>Assuming you have an RDP server running on <code>192.168.1.10</code> and listening on port 3389, you would run:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pyrdp-mitm.py 192.168.1.10 "><pre><code>pyrdp-mitm.py 192.168.1.10<br /></code></pre></div> <p>When running the MITM for the first time on Linux, a private key and certificate should be generated for you in <code>~/.config/pyrdp</code>. These are used when TLS security is used on a connection. 
You can use them to decrypt PyRDP traffic in Wireshark, for example.</p> <br /><b>Specifying the private key and certificate</b><br /> <p>If key generation didn't work or you want to use a custom key and certificate, you can specify them using the <code>-c</code> and <code>-k</code> arguments:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pyrdp-mitm.py 192.168.1.10 -k private_key.pem -c certificate.pem "><pre><code>pyrdp-mitm.py 192.168.1.10 -k private_key.pem -c certificate.pem<br /></code></pre></div> <br /><b>Connecting to the PyRDP player</b><br /> <p>If you want to see live RDP connections through the PyRDP player, you will need to specify the ip and port on which the player is listening using the <code>-i</code> and <code>-d</code> arguments. Note: the port argument is optional, the default port is 3000.</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pyrdp-mitm.py 192.168.1.10 -i 127.0.0.1 -d 3000 "><pre><code>pyrdp-mitm.py 192.168.1.10 -i 127.0.0.1 -d 3000<br /></code></pre></div> <br /><b>Connecting to a PyRDP player when the MITM is running on a server</b><br /> <p>If you are running the MITM on a server and still want to see live RDP connections, you should use <a href="https://www.booleanworld.com/guide-ssh-port-forwarding-tunnelling/" rel="nofollow" target="_blank" title="SSH remote port forwarding">SSH remote port forwarding</a> to forward a port on your server to the player's port on your machine. Once this is done, you pass <code>127.0.0.1</code> and the forwarded port as arguments to the MITM. 
For example, if port 4000 on the server is forwarded to the player's port on your machine, this would be the command to use:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pyrdp-mitm.py 192.168.1.10 -i 127.0.0.1 -d 4000 "><pre><code>pyrdp-mitm.py 192.168.1.10 -i 127.0.0.1 -d 4000<br /></code></pre></div> <br /><b>Running payloads on new connections</b><br /> <p>PyRDP has support for running console commands or PowerShell payloads automatically when new connections are made. Due to the nature of RDP, the process is a bit hackish and is not always 100% reliable. Here is how it works:</p> <ol> <li>Wait for the user to be authenticated.</li> <li>Block the client's input / output to hide the payload and prevent interference.</li> <li>Send a fake Windows+R sequence and run <code>cmd.exe</code>.</li> <li>Run the payload as a console command and exit the console. If a PowerShell payload is configured, it is run with <code>powershell -enc <PAYLOAD></code>.</li> <li>Wait a bit to allow the payload to complete.</li> <li>Restore the client's input / output.</li> </ol> <p>For this to work, you need to set 3 arguments:</p> <ul> <li>the payload</li> <li>the delay before the payload starts</li> <li>the payload's duration</li> </ul> <br /><b>Setting the payload</b><br /> <p>You can use one of the following arguments to set the payload to run:</p> <ul> <li><code>--payload</code>, a string containing console commands</li> <li><code>--payload-powershell</code>, a string containing PowerShell commands</li> <li><code>--payload-powershell-file</code>, a path to a PowerShell script</li> </ul> <br /><b>Choosing when to start the payload</b><br /> <p>For the moment, PyRDP does not detect when the user is logged on. You must give it an amount of time to wait for before running the payload. After this amount of time has passed, it will send the fake key sequences and expect the payload to run properly. 
To do this, you use the <code>--payload-delay</code> argument. The delay is in milliseconds. For example, if you expect the user to be logged in within the first 5 seconds, you would use the following arguments:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="--payload-delay 5000 "><pre><code>--payload-delay 5000<br /></code></pre></div> <p>This could be made more accurate by leveraging some messages exchanged during RDPDR initialization. See <a href="https://github.com/GoSecure/pyrdp/issues/98" rel="nofollow" target="_blank" title="this issue">this issue</a> if you're interested in making this work better.</p> <br /><b>Choosing when to resume normal activity</b><br /> <p>Because there is no direct way to know when the console has stopped running, you must tell PyRDP how long you want the client's input / output to be blocked. We recommend you set this to the maximum amount of time you would expect the console that is running your payload to be visible. In other words, the amount of time you would expect your payload to complete. To set the payload duration, you use the <code>--payload-duration</code> argument with an amount of time in milliseconds. For example, if you expect your payload to take up to 5 seconds to complete, you would use the following argument:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="--payload-duration 5000 "><pre><code>--payload-duration 5000<br /></code></pre></div> <p>This will block the client's input / output for 5 seconds to hide the console and prevent interference. After 5 seconds, input / output is restored back to normal.</p> <br /><b>Other MITM arguments</b><br /> <p>Run <code>pyrdp-mitm.py --help</code> for a full list of arguments.</p> <br /><b><code>--no-downgrade</code></b><br /> <p>This argument is useful when running PyRDP in Honeypot scenarios to avoid scanner fingerprinting. 
When the switch is enabled, PyRDP will not downgrade unsupported extensions and let the traffic through transparently. The player will likely not be able to successfully replay video traffic, but the following supported channels should still be accessible:</p> <ul> <li>Keystroke recording</li> <li>Mouse position updates</li> <li>Clipboard access (passively)</li> <li>Drive access (passively)</li> </ul> <p>This feature is still a work in progress and some downgrading is currently unavoidable to allow the connection to be established. The following are currently not affected by this switch and will still be disabled:</p> <ul> <li>FIPS Encryption</li> <li>Non-TLS encryption protocols</li> <li>ClientInfo compression</li> <li>Virtual Channel compression</li> </ul> <p><strong>NOTE</strong>: If being able to eventually replay the full session is important, a good solution is to record the raw RDP traffic using Wireshark and keep the TLS master secrets. Whenever PyRDP adds support for additional extensions, it would then become possible to extract a valid RDP replay file from the raw network capture.</p> <br /><b><code>--transparent</code></b><br /> <p>Tells PyRDP to attempt to spoof the source IP address of the client so that the server sees the real IP address instead of the MITM one. This option is only useful in certain scenarios where the MITM is physically a gateway between clients and the server and sees all traffic. 
<a href="https://github.com/GoSecure/pyrdp/blob/master/docs/transparent-proxy.md" rel="nofollow" target="_blank" title="Specific examples can be found here.">Specific examples can be found here.</a></p> <p><strong>NOTE</strong>: This requires root privileges, only works on Linux and requires manual <a href="https://www.kitploit.com/search/label/Firewall%20Configuration" target="_blank" title="firewall configuration">firewall configuration</a> to ensure that traffic is routed properly.</p> <br /><b><code>--no-gdi</code>: Disable Accelerated Graphics Pipeline</b><br /> <p>PyRDP downgrades video to the most recent graphics pipeline that it supports. This switch explicitly tells the MITM not to use the <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpegdi/745f2eee-d110-464c-8aca-06fc1814f6ad" rel="nofollow" target="_blank" title="Graphics Device Interface Acceleration">Graphics Device Interface Acceleration</a> extensions to stream video. The advantage of this mode is a significant reduction in required bandwidth for high-resolution connections.</p> <p>Note that some GDI drawing orders are currently unimplemented because they appear to be unused. If you have a replay that contains any unsupported or untested order, do not hesitate to share it with the project maintainers so that support can be added as required. (Make sure that the trace does not contain sensitive information.)</p> <br /><b>Using the PyRDP Player</b><br /> <p>Use <code>pyrdp-player.py</code> to run the player.</p> <br /><b>Playing a replay file</b><br /> <p>You can use the menu to open a new replay file: File > Open.</p> <p>You can also open replay files when launching the player:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pyrdp-player.py <FILE1> <FILE2> ... 
"><pre><code>pyrdp-player.py <FILE1> <FILE2> ...<br /></code></pre></div> <br /><b>Listening for live connections</b><br /> <p>The player always listens for live connections. By default, the listening port is 3000, but it can be changed:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pyrdp-player.py -p <PORT> "><pre><code>pyrdp-player.py -p <PORT><br /></code></pre></div> <br /><b>Changing the listening address</b><br /> <p>By default, the player only listens to connections coming from the local machine. We do not recommend opening up the player to other machines. If you still want to change the listening address, you can do it with <code>-b</code>:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pyrdp-player.py -b <ADDRESS> "><pre><code>pyrdp-player.py -b <ADDRESS><br /></code></pre></div> <br /><b>Other player arguments</b><br /> <p>Run <code>pyrdp-player.py --help</code> for a full list of arguments.</p> <br /><b>Using the PyRDP Certificate Cloner</b><br /> <p>The PyRDP certificate cloner creates a brand new X509 certificate by using the values from an existing RDP server's certificate. It connects to an RDP server, downloads its certificate, generates a new private key and replaces the public key and signature of the certificate using the new private key. This can be used in a pentest if, for example, you're trying to trick a legitimate user into going through your MITM. 
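</p>
<p>Before it can copy anything, the cloner has to obtain the server's certificate, and an RDP server only starts TLS once the X.224 connection request has negotiated a security protocol. The example below is added here and is not PyRDP's code: using only the Python standard library, it builds the RDP Negotiation Request, parses the server's Negotiation Response or Negotiation Failure (the general case, not just the success path the cloner needs), and, when the server selected TLS or one of the CredSSP variants on top of it, completes the TLS handshake and returns the DER certificate a cloner would take its fields from. The helper names, the default port 3389 and the three sample confirm PDUs are assumptions constructed for illustration, not captures from a real server. The <code>requestedProtocols</code> field it sends is also where a MITM's protocol downgrade takes effect.</p>

```python
"""Added example, not PyRDP's code: negotiate TLS with an RDP server and fetch
its certificate using only the Python standard library. Helper names, the
default port 3389 and the sample PDUs below are assumptions for illustration;
PDU layouts follow MS-RDPBCGR 2.2.1.1 (request) and 2.2.1.2 (confirm)."""
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000        # Standard RDP Security only: no TLS at all
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP (NLA) over TLS
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization result
TLS_PROTOCOLS = PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request + RDP Negotiation Request.
    A MITM that wants plain TLS instead of NLA rewrites `requested` here."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # X.224 CR TPDU: length indicator, code 0xE0, DST-REF, SRC-REF, class 0
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Parse the server's X.224 Connection Confirm into
    (selected_protocol, failure_name); exactly one of the two is None.
    A confirm without a negotiation structure is a legacy server that only
    speaks Standard RDP Security (PROTOCOL_RDP)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match the payload")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm: code 0x%02x" % code)
    var_part = data[11:5 + li]       # bytes after the fixed 6-byte CC header
    if len(var_part) < 8:
        return PROTOCOL_RDP, None
    ptype, _flags, length, value = struct.unpack("<BBHI", var_part[:8])
    if length != 8:
        raise ValueError("negotiation structure has unexpected length %d" % length)
    if ptype == TYPE_RDP_NEG_RSP:
        return value, None
    if ptype == TYPE_RDP_NEG_FAILURE:
        return None, FAILURE_CODES.get(value, "UNKNOWN_FAILURE_%d" % value)
    raise ValueError("unexpected negotiation structure type 0x%02x" % ptype)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-PDU")
        buf += chunk
    return buf


def fetch_rdp_certificate(host, port=3389, timeout=5.0):
    """Negotiate with an RDP server and return its DER-encoded certificate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        header = _recv_exact(sock, 4)            # TPKT header carries the size
        body = _recv_exact(sock, struct.unpack("!H", header[2:4])[0] - 4)
        selected, failure = parse_connection_confirm(header + body)
        if failure is not None:
            raise RuntimeError("negotiation refused: " + failure)
        if not (selected & TLS_PROTOCOLS):
            raise RuntimeError("server chose Standard RDP Security: no certificate")
        # RDP hosts almost always present self-signed certificates, so
        # verification is switched off on purpose: we only want the bytes.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample confirms (not captured from a real server) for offline use.
SAMPLE_CC_TLS = bytes.fromhex("03000013" "0ed000001234" "00" "021f0800" "01000000")
SAMPLE_CC_FAILURE = bytes.fromhex("03000013" "0ed000001234" "00" "03000800" "05000000")
SAMPLE_CC_LEGACY = bytes.fromhex("0300000b" "06d000001234" "00")

if __name__ == "__main__":
    import sys
    der = fetch_rdp_certificate(sys.argv[1])
    print("fetched %d-byte DER certificate from %s" % (len(der), sys.argv[1]))
```

<p>Against a lab host, <code>python3 rdp_cert.py 192.168.1.10</code> prints the size of the fetched certificate; the sample PDUs exercise the parser offline, including the failure and legacy cases. Verification is disabled on purpose because RDP hosts almost always present self-signed certificates, which is exactly why a cloned certificate works against users who are used to clicking through the warning.</p>
<p>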
Using a certificate that looks like a legitimate certificate could increase your success rate.</p> <br /><b>Cloning a certificate</b><br /> <p>You can clone a certificate by using <code>pyrdp-clonecert.py</code>:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pyrdp-clonecert.py 192.168.1.10 cert.pem -o key.pem "><pre><code>pyrdp-clonecert.py 192.168.1.10 cert.pem -o key.pem<br /></code></pre></div> <p>The <code>-o</code> parameter defines the path name to use for the generated private key.</p> <br /><b>Using a custom private key</b><br /> <p>If you want to use your own private key instead of generating a new one:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="pyrdp-clonecert.py 192.168.1.10 cert.pem -i input_key.pem "><pre><code>pyrdp-clonecert.py 192.168.1.10 cert.pem -i input_key.pem<br /></code></pre></div> <br /><b>Other cloner arguments</b><br /> <p>Run <code>pyrdp-clonecert.py --help</code> for a full list of arguments.</p> <br /><b>Using PyRDP Convert</b><br /> <p><code>pyrdp-convert</code> is a helper script that performs several useful conversions. The script has the best chance of working on traffic captured by PyRDP due to unsupported RDP protocol features that might be used in a non-intercepted connection.</p> <p>The following conversions are supported:</p> <ul> <li>Network Capture (PCAP) to PyRDP replay file</li> <li>Network Capture to MP4 video file</li> <li>Replay file to MP4 video file</li> </ul> <p>The script supports both encrypted (TLS) network captures (by providing <code>--secrets ssl.log</code>) and decrypted PDU exports.</p> <blockquote> <p><strong>WARNING</strong>: pcapng and pcap with nanosecond timestamps are not compatible with <code>pyrdp-convert</code> and will create replay files that fail to playback or export to MP4. 
This is due to incompatible timestamp formats.</p> </blockquote> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="# Export the session coming from client 10.2.0.198 to a .pyrdp file. pyrdp-convert.py --src 10.2.0.198 --secrets ssl.log -o path/to/output capture.pcap # Or as an MP4 video pyrdp-convert.py --src 10.2.0.198 --secrets ssl.log -o path/to/output -f mp4 capture.pcap # List the sessions in a network trace, along with the decryptable ones. pyrdp-convert.py --list capture.pcap "><pre><code># Export the session coming from client 10.2.0.198 to a .pyrdp file.<br />pyrdp-convert.py --src 10.2.0.198 --secrets ssl.log -o path/to/output capture.pcap<br /><br /># Or as an MP4 video<br />pyrdp-convert.py --src 10.2.0.198 --secrets ssl.log -o path/to/output -f mp4 capture.pcap<br /><br /># List the sessions in a network trace, along with the decryptable ones.<br />pyrdp-convert.py --list capture.pcap<br /></code></pre></div> <p>Note that MP4 conversion requires libavcodec and ffmpeg, so this may require extra steps on Windows.</p> <p>Manually decrypted network traces can be exported from Wireshark by selecting <code>File > Export PDUs</code> and selecting <code>OSI Layer 7</code>. 
When using this method, it is also recommended to filter the exported stream to only contain the TCP stream of the RDP session which must be converted.</p> <p>First, make sure you configured wireshark to load TLS secrets:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiixzX3IFM_nC0nckGB2BePKnBjsaHGLEQ3gelMuzG7-eSJsB5Rt47W4ECvL9njRVeyKRL4YcUvsqQsTytiZGvGRWoUmKQk3a-w-4tAOSJRH-YyGnNKewwR1iSyt_9WR2YY6DwI1Os9ACSzpGht8aEDBxArqFnlnsvE8YYywCnxYErnjO3Q87bIQD-qKw=s910" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="510" data-original-width="910" height="358" src="https://blogger.googleusercontent.com/img/a/AVvXsEiixzX3IFM_nC0nckGB2BePKnBjsaHGLEQ3gelMuzG7-eSJsB5Rt47W4ECvL9njRVeyKRL4YcUvsqQsTytiZGvGRWoUmKQk3a-w-4tAOSJRH-YyGnNKewwR1iSyt_9WR2YY6DwI1Os9ACSzpGht8aEDBxArqFnlnsvE8YYywCnxYErnjO3Q87bIQD-qKw=w640-h358" width="640" /></a></div><p><br /></p> <p>Next, export OSI Layer 7 PDUs:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgpT372cN7oWGK3woO3uDI8-Kw88SEo44hqB8EX7_k_CUuGVxuexHWXvjPxT9VMFhHp9bpEW-z7FJFJBRmT_W7nNdFNq2jvF3mumJzT5YhMrTPh5TpmgF2HighXyp_HI606_SFG9gogQkY7EQJd1qX3_kBNiLB3AAAGdpv9QXKXWEmm3t-S20uGlYC7Gg=s773" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="427" data-original-width="773" height="354" src="https://blogger.googleusercontent.com/img/a/AVvXsEgpT372cN7oWGK3woO3uDI8-Kw88SEo44hqB8EX7_k_CUuGVxuexHWXvjPxT9VMFhHp9bpEW-z7FJFJBRmT_W7nNdFNq2jvF3mumJzT5YhMrTPh5TpmgF2HighXyp_HI606_SFG9gogQkY7EQJd1qX3_kBNiLB3AAAGdpv9QXKXWEmm3t-S20uGlYC7Gg=w640-h354" width="640" /></a></div><p><br /></p> <p>And lastly, filter down the trace to contain only the conversation of interest (Optional but recommended) by applying a display filter and clicking <code>File > Export Specified Packets...</code></p><div class="separator" 
style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgm2Udbxw5dF1NwK3Rtty12aCHUwwnKO1zV4Dqvb5PJC3jVHXFX4Q_rXDIOtFLzQaj9kjzf5gMKrlY74CYasiglsLKMb-IVfk-xrU_RjpUBUPGiIITLpyyHj7EW-cIz9MsEjtEwxpCRulECPoxEQXBrBHFuNKmwhbSIlcWfKl7ljvTIu56384TR2oxG9g=s1269" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="624" data-original-width="1269" height="314" src="https://blogger.googleusercontent.com/img/a/AVvXsEgm2Udbxw5dF1NwK3Rtty12aCHUwwnKO1zV4Dqvb5PJC3jVHXFX4Q_rXDIOtFLzQaj9kjzf5gMKrlY74CYasiglsLKMb-IVfk-xrU_RjpUBUPGiIITLpyyHj7EW-cIz9MsEjtEwxpCRulECPoxEQXBrBHFuNKmwhbSIlcWfKl7ljvTIu56384TR2oxG9g=w640-h314" width="640" /></a></div><p><br /></p> <p>Now this trace can be used directly in <code>pyrdp-convert</code>.</p> <br /><b>Configuring PyRDP</b><br /> <p>Most of the PyRDP configurations are done through <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command line">command line</a> switches, but it is also possible to use a configuration file for certain settings such as log configuration.</p> <p>The default configuration files used by PyRDP are located in <a href="https://github.com/GoSecure/pyrdp/blob/master/pyrdp/mitm/mitm.default.ini" rel="nofollow" target="_blank" title="mitm.default.ini">mitm.default.ini</a> and <a href="https://github.com/GoSecure/pyrdp/blob/master/pyrdp/player/player.default.ini" rel="nofollow" target="_blank" title="player.default.ini">player.default.ini</a>. 
Both files are thoroughly documented and can serve as a basis for further configuration.</p> <p>In the future there are plans to support other aspects of PyRDP configuration through those configuration files.</p> <br /><b>Using PyRDP as a Library</b><br /> <p>If you're interested in experimenting with RDP and making your own tools, head over to our <a href="https://github.com/GoSecure/pyrdp/blob/master/docs/README.md" rel="nofollow" target="_blank" title="documentation section">documentation section</a> for more information.</p> <br /><b>Using PyRDP with twistd</b><br /> <p>The PyRDP MITM component was also implemented as a twistd plugin. This enables you to run it in debug mode and allows you to get an interactive debugging repl (pdb) if you send a <code>SIGUSR2</code> to the twistd process.</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="twistd --debug pyrdp -t <target> "><pre><code>twistd --debug pyrdp -t <target><br /></code></pre></div> <p>Then to get the repl:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="killall -SIGUSR2 twistd "><pre><code>killall -SIGUSR2 twistd<br /></code></pre></div> <br /><b>Using PyRDP with twistd in Docker</b><br /> <p>In a directory with our <code>docker-compose.yml</code> you can run something like this:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker-compose run -p 3389:3389 pyrdp twistd --debug pyrdp --target 192.168.1.10:3389 "><pre><code>docker-compose run -p 3389:3389 pyrdp twistd --debug pyrdp --target 192.168.1.10:3389<br /></code></pre></div> <p>This will allocate a TTY and you will have access to <code>Pdb</code>'s REPL. 
Trying to add <code>--debug</code> to the <code>docker-compose.yml</code> command will fail because there is no TTY allocated.</p> <br /><b>Using PyRDP with Bettercap</b><br /> <p>We developed our own Bettercap module, <code>rdp.proxy</code>, to monster-in-the-middle all RDP connections on a given LAN. Check out <a href="https://github.com/GoSecure/pyrdp/blob/master/docs/bettercap-rdp-mitm.md" rel="nofollow" target="_blank" title="this document">this document</a> for more information.</p> <br /><b>Docker Specific Usage Instructions</b><br /> <p>Since docker restricts the interactions with the host system (filesystem and network), the PyRDP docker image must be run with some parameters depending on your use case. This section documents those parameters.</p> <p>We refer to the publicly provided docker image, but if you <a href="https://github.com/GoSecure/pyrdp#building-the-docker-image" rel="nofollow" target="_blank" title="built your own">built your own</a>, replace <code>gosecure/pyrdp</code> with the name of your locally built image.</p> <br /><b>Mapping a Listening Port</b><br /> <p>In most of the monster-in-the-middle cases you will need to map a port of your host into the docker container. This is achieved with the <code>--publish</code> (<code>-p</code>) parameter of <code>docker run</code>.</p> <p>For example, to listen on 3389 (RDP's default port) on all interfaces, use:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker run -p 3389:3389 gosecure/pyrdp pyrdp-mitm.py 192.168.1.10 "><pre><code>docker run -p 3389:3389 gosecure/pyrdp pyrdp-mitm.py 192.168.1.10<br /></code></pre></div> <br /><b>Logs and Artifacts Storage</b><br /> <p>To store the PyRDP output permanently (logs, files, etc.), add the <code>--volume</code> (<code>-v</code>) option to the previous command. 
In this example we store the files relative to the current directory in <code>pyrdp_output</code>:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker run -v $PWD/pyrdp_output:/home/pyrdp/pyrdp_output -p 3389:3389 gosecure/pyrdp pyrdp-mitm.py 192.168.1.10 "><pre><code>docker run -v $PWD/pyrdp_output:/home/pyrdp/pyrdp_output -p 3389:3389 gosecure/pyrdp pyrdp-mitm.py 192.168.1.10<br /></code></pre></div> <p>Make sure that your destination directory is owned by a user with a UID of 1000, otherwise you will get permission denied errors. If you are the only non-root user on the system, your user will usually have been assigned UID 1000.</p> <br /><b>Logging the host IP address</b><br /> <p>If you want PyRDP to log the host IP address in its logs, you can set the <code>HOST_IP</code> environment variable when using <code>docker run</code>:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker run -p 3389:3389 -e HOST_IP=192.168.1.9 gosecure/pyrdp pyrdp-mitm.py 192.168.1.10 "><pre><code>docker run -p 3389:3389 -e HOST_IP=192.168.1.9 gosecure/pyrdp pyrdp-mitm.py 192.168.1.10<br /></code></pre></div> <br /><b>Using the GUI Player in Docker</b><br /> <p>Using the player will require you to export the <code>DISPLAY</code> environment variable from the host to the container. This redirects the GUI of the player to the host screen. You also need to expose the host's network and prevent Qt from using the MIT-SHM X11 Shared Memory Extension. 
To do so, add the <code>-e</code> and <code>--net</code> options to the run command:</p> <div class="snippet-clipboard-content position-relative overflow-auto" data-snippet-clipboard-copy-content="docker run -e DISPLAY=$DISPLAY -e QT_X11_NO_MITSHM=1 --net=host gosecure/pyrdp pyrdp-player.py "><pre><code>docker run -e DISPLAY=$DISPLAY -e QT_X11_NO_MITSHM=1 --net=host gosecure/pyrdp pyrdp-player.py<br /></code></pre></div> <p>Keep in mind that exposing the host's network to docker can compromise the isolation between your container and the host. If you plan on using the player, X11 forwarding using an SSH connection would be a more secure way.</p> <br /><span style="font-size: large;"><b>PyRDP Lore</b></span><br /> <ul> <li><a href="https://www.gosecure.net/blog/2018/12/19/rdp-man-in-the-middle-smile-youre-on-camera" rel="nofollow" target="_blank" title="Introduction blog post">Introduction blog post</a> in which we <a href="https://www.youtube.com/watch?v=eB7RC9FmL6Q" rel="nofollow" target="_blank" title="demonstrated that we can catch a real threat actor in action">demonstrated that we can catch a real threat actor in action</a></li> <li><a href="https://docs.google.com/presentation/d/1avcn8Sh2b3IE7AA0G9l7Cj5F1pxqizUm98IbXUo2cvY/edit#slide=id.g404b70030f_0_581" rel="nofollow" target="_blank" title="Talk at NorthSec 2019">Talk at NorthSec 2019</a> where two demos were performed: <ul> <li><a href="https://youtu.be/5JztJzi-m48" rel="nofollow" target="_blank" title="First demo">First demo</a>: credential logging, clipboard stealing, client-side file browsing and a session take-over</li> <li><a href="https://youtu.be/bU67tj1RkMA" rel="nofollow" target="_blank" title="Second demo">Second demo</a>: the execution of cmd or powershell payloads when a client successfully authenticates</li> </ul> </li> <li><a href="https://github.com/GoSecure/pyrdp/blob/master/docs/pyrdp-logo.png" rel="nofollow" target="_blank" title="PyRDP Logo">PyRDP Logo</a> licensed under CC-BY-SA 
4.0.</li> <li><a href="https://docs.google.com/presentation/d/17P_l2n-hgCehQ5eTWilru4IXXHnGIRTj4ftoW4BiX5A/edit?usp=sharing" rel="nofollow" target="_blank" title="BlackHat USA Arsenal 2019 Slides">BlackHat USA Arsenal 2019 Slides</a></li> <li><a href="https://docs.google.com/presentation/d/1UAiN2EZwDcmBjLe_t5HXB0LzbNclU3nnigC-XM4neIU/edit?usp=sharing" rel="nofollow" target="_blank" title="DerbyCon 2019 Slides">DerbyCon 2019 Slides</a> (<a href="https://www.youtube.com/watch?v=zgt3N6Nrnss" rel="nofollow" target="_blank" title="Video">Video</a>)</li> <li><a href="https://www.gosecure.net/blog/2020/02/26/pyrdp-on-autopilot-unattended-credential-harvesting-and-client-side-file-stealing/" rel="nofollow" target="_blank" title="Blog: PyRDP on Autopilot">Blog: PyRDP on Autopilot</a></li> </ul> <br /><span style="font-size: large;"><b>Contributing to PyRDP</b></span><br /> <p>See our <a href="https://github.com/GoSecure/pyrdp/blob/master/CONTRIBUTING.md" rel="nofollow" target="_blank" title="contribution guidelines">contribution guidelines</a>.</p> <br /><span style="font-size: large;"><b>Acknowledgements</b></span><br /> <p>PyRDP uses code from the following open-source software:</p> <ul> <li><a href="https://github.com/bozhu/RC4-Python" rel="nofollow" target="_blank" title="RC4-Python">RC4-Python</a> for the RC4 implementation.</li> <li><a href="https://github.com/rdesktop/rdesktop" rel="nofollow" target="_blank" title="rdesktop">rdesktop</a> for bitmap decompression.</li> <li><a href="https://github.com/citronneur/rdpy" rel="nofollow" target="_blank" title="rdpy">rdpy</a> for RC4 keys, the bitmap decompression bindings and the base GUI code for the PyRDP player.</li> <li><a href="https://github.com/FreeRDP/FreeRDP" rel="nofollow" target="_blank" title="FreeRDP">FreeRDP</a> for the scan code enumeration.</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/GoSecure/pyrdp" 
rel="nofollow" target="_blank" title="Download Pyrdp">Download Pyrdp</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-42472219492119899052021-09-23T17:30:00.013-03:002021-09-23T17:30:00.361-03:00JSPanda - Client-Side Prototype Pollution Vulnerability Scanner<p style="text-align: center;"><a href="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/s1099/jspanda_3_pollute.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="844" data-original-width="1099" height="492" src="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/w640-h492/jspanda_3_pollute.png" width="640" /></a></p><p style="text-align: center;"><br /></p> <p>JSpanda is a client-side prototype pollution <a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="vulnerability">vulnerability</a> scanner. 
It has two key features: scanning the supplied URLs for the vulnerability and analyzing the JavaScript libraries' source code.</p> <p>However, JSpanda cannot detect advanced prototype pollution vulnerabilities.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b><strong>How does JSPanda work?</strong></b></span><br /> <ul> <li>Uses multiple payloads for the prototype pollution vulnerability.</li> <li>Gathers all the links in the targets for scanning, adds payloads to the JSpanda-obtained URLs, and navigates to each URL with headless Chromedriver.</li> <li>Scans all words in the source code of a potentially vulnerable JavaScript library and creates a simple JS PoC by finding the script gadget, helping you analyze the code manually.</li> </ul> <br /><span style="font-size: large;"><b><strong>Requirements</strong></b></span><br /> <ul> <li>Download the latest version of Google Chrome and Chromedriver</li> <li>Selenium</li> </ul> <br /><span style="font-size: large;"><b><strong>Usage</strong></b></span><br /> <p>Scan: python3.7 jspanda.py</p> <ul> <li>Add URLs to the url.txt file, <em>for instance: example.com</em></li> </ul> <p>Basic <a href="https://www.kitploit.com/search/label/Source%20Code%20Analysis" target="_blank" title="Source Code Analysis">Source Code Analysis</a>: python3.7 analyze.py</p> <ul> <li>Add a JavaScript library's source code to analyze.js</li> <li>Generate PoC code using analyze.py</li> <li>Execute the PoC code in Chrome's console. It pollutes all the words collected from the source code and shows them on the screen, so it may generate false positive results. 
These outputs provide additional information to researchers; they do not automate everything.</li> </ul> <br /><b>Demonstration</b><br /> <p><a href="https://asciinema.org/a/BOazgAVyW6yHqhUE3fEYcCiML" rel="nofollow" target="_blank" title="client-side prototype pollution vulnerability scanner (4)"><img alt="client-side prototype pollution vulnerability scanner (2)" data-canonical-src="https://asciinema.org/a/BOazgAVyW6yHqhUE3fEYcCiML.svg" src="https://camo.githubusercontent.com/b6c5d8b24c254dcdea70d25100ce01491c28c93b9d373a2a270606ed3b38da67/68747470733a2f2f61736369696e656d612e6f72672f612f424f617a674156795736794871685545336645596343694d4c2e737667" style="max-width: 100%;" /></a></p> <br /><b>Source <a href="https://www.kitploit.com/search/label/Code%20Analysis" target="_blank" title="code analysis">code analysis</a> - Screenshot</b><br /> <p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/s1099/jspanda_3_pollute.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="844" data-original-width="1099" height="492" src="https://1.bp.blogspot.com/-uBauZSD-Bhk/YUseN81_vXI/AAAAAAAAvSM/EC84hZKBoEwOsqwKqEIWBK4gLBDaa3zKgCNcBGAsYHQ/w640-h492/jspanda_3_pollute.png" width="640" /></a></div><p><br /></p> <p><strong>Supporting Materials:</strong></p> <p><a href="https://twitter.com/har1sec/status/1314469278322655233" rel="nofollow" target="_blank" title="https://twitter.com/har1sec/status/1314469278322655233">https://twitter.com/har1sec/status/1314469278322655233</a></p> <p><a href="https://github.com/BlackFan/client-side-prototype-pollution" rel="nofollow" target="_blank" title="https://github.com/BlackFan/client-side-prototype-pollution">https://github.com/BlackFan/client-side-prototype-pollution</a></p> <p><a 
href="https://github.com/ThePacketBender/notes/blob/01c0b834f6e3ee4d934b087b2d92c9e484dc2a50/web/prototype_pollution.txt" rel="nofollow" target="_blank" title="https://github.com/ThePacketBender/notes/blob/01c0b834f6e3ee4d934b087b2d92c9e484dc2a50/web/prototype_pollution.txt">https://github.com/ThePacketBender/notes/blob/01c0b834f6e3ee4d934b087b2d92c9e484dc2a50/web/prototype_pollution.txt</a></p> <p><a href="https://habr.com/ru/company/huawei/blog/547178/" rel="nofollow" target="_blank" title="https://habr.com/ru/company/huawei/blog/547178/">https://habr.com/ru/company/huawei/blog/547178/</a></p> <p><a href="https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2" rel="nofollow" target="_blank" title="https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2">https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2</a></p> <p><a href="https://github.com/securitum/research/tree/master/r2020_prototype-pollution" rel="nofollow" target="_blank" title="https://github.com/securitum/research/tree/master/r2020_prototype-pollution">https://github.com/securitum/research/tree/master/r2020_prototype-pollution</a></p> <p><a href="https://attacker-codeninja.github.io/2021-07-05-Learn-Prototype-Pollution-Part-2/" rel="nofollow" target="_blank" title="Learn">Learn </a><a href="https://www.kitploit.com/search/label/Prototype%20Pollution" target="_blank" title="Prototype Pollution">Prototype Pollution</a> in Series - Part 2</p> <p><a href="https://github.com/dwisiswant0/ppfuzz" rel="nofollow" target="_blank" title="dwisiswant0/ppfuzz">dwisiswant0/ppfuzz</a></p> <p><a href="https://github.com/raverrr/plution" rel="nofollow" target="_blank" title="GitHub - raverrr/plution: Prototype pollution scanner using headless chrome">GitHub - raverrr/plution: Prototype pollution scanner using headless chrome</a></p> <p><a 
href="https://medium.com/intrinsic-blog/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96" rel="nofollow" target="_blank" title="JavaScript Prototype Poisoning Vulnerabilities in the Wild">JavaScript Prototype Poisoning Vulnerabilities in the Wild</a></p> <p><a href="https://www.whitesourcesoftware.com/resources/blog/prototype-pollution-vulnerabilities/" rel="nofollow" target="_blank" title="The Complete Guide to Prototype Pollution Vulnerabilities">The Complete Guide to Prototype Pollution Vulnerabilities</a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/RedSection/jspanda" rel="nofollow" target="_blank" title="Download Jspanda">Download Jspanda</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-51842848789030425402021-09-16T08:30:00.009-03:002021-09-16T08:30:00.295-03:00Plution - Prototype Pollution Scanner Using Headless Chrome<p style="text-align: center;"><a href="http://1.bp.blogspot.com/-Eph2jPyIEs4/YTVMaWNoJNI/AAAAAAAAt7w/2fS0PnouBd0kTzMlCj8esDtcSXJolnV1wCK4BGAYYCw/s1600/plution_1-714956.png"><img alt="" border="0" height="556" id="BLOGGER_PHOTO_ID_7004588810967721170" src="http://1.bp.blogspot.com/-Eph2jPyIEs4/YTVMaWNoJNI/AAAAAAAAt7w/2fS0PnouBd0kTzMlCj8esDtcSXJolnV1wCK4BGAYYCw/w640-h556/plution_1-714956.png" width="640" /></a></p> <br /> <p>Plution is a convenient way to scan at scale for pages that are <a href="https://www.kitploit.com/search/label/Vulnerable" target="_blank" title="vulnerable">vulnerable</a> to <a href="https://www.kitploit.com/search/label/Client%20Side" target="_blank" title="client side">client side</a> <a href="https://www.kitploit.com/search/label/Prototype%20Pollution" target="_blank" title="prototype pollution">prototype pollution</a> via a URL payload. 
In the default configuration, it will use a hardcoded payload that can detect 11 of the cases documented here: <a href="https://github.com/BlackFan/client-side-prototype-pollution/tree/master/pp" rel="nofollow" target="_blank" title="https://github.com/BlackFan/client-side-prototype-pollution/tree/master/pp">https://github.com/BlackFan/client-side-prototype-pollution/tree/master/pp</a></p><span><a name='more'></a></span><div><br /></div><span style="font-size: x-large;"><b>What this is not</b></span><br /> <p>This is not a one-stop shop. Prototype pollution is a complicated beast. This tool does nothing you couldn't do manually. This is not a polished, bug-free super tool. It is functional but poorly coded and to be considered alpha at best.</p> <br /><span style="font-size: x-large;"><b>How it works</b></span><br /> <p>Plution appends a payload to the supplied URLs, navigates to each URL with <a href="https://www.kitploit.com/search/label/Headless%20Chrome" target="_blank" title="headless chrome">headless chrome</a> and runs JavaScript on the page to verify whether a prototype was successfully polluted.</p> <br /><span style="font-size: x-large;"><b>How it is used</b></span><br /> <ul> <li> <p>Basic scan, output only to screen:<br /> <code>cat URLs.txt | plution</code></p> </li> <li> <p>Scan with a supplied payload rather than the hardcoded one:<br /> <code>cat URLs.txt|plution -p '__proto__.zzzc=example'</code><br /> <strong>Note on custom payloads: The variable you are hoping to inject must be called or render to "zzzc". 
This is because 'window.zzzc' will be run on each page to verify pollution.</strong></p> </li> <li> <p>Output:<br /> <code>Passing '-o' followed by a location will output only URLs of pages that were successfully polluted.</code></p> </li> <li> <p>Concurrency:<br /></p> </li> <li> <p><code>Pass the '-c' option to specify how many concurrent jobs are run (default is 5)</code></p> </li> </ul> <br /><span style="font-size: x-large;"><b>questions and answers</b></span><br /> <ul> <li> <p>How do I install it?<br /> <code>go get -u github.com/raverrr/plution</code></p> </li> <li> <p>why specifically limit it to checking if window.zzzc is defined?<br /> <code>zzzc is a short pattern that is unlikely to already be in a prototype. If you want more freedom in regards to the javascript use https://github.com/detectify/page-fetch instead</code></p> </li> <li> <p>Got a more specific question?<br /> <code>Ask me on twitter @divadbate.</code></p> </li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/raverrr/plution" rel="nofollow" target="_blank" title="Download Plution">Download Plution</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-13704447725452472642021-08-30T17:30:00.008-04:002021-08-30T17:30:00.293-04:00Reg1c1de - Registry Permission Scanner For Finding Potential Privesc Avenues Within Registry<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-tWKNROEOyGE/YSMfiMzMuUI/AAAAAAAAtVE/4QtVQdLlSVsyYh9rZNAFIcfOlNcT4gfHACNcBGAsYHQ/s1124/regicide_help.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="285" data-original-width="1124" height="162" src="https://1.bp.blogspot.com/-tWKNROEOyGE/YSMfiMzMuUI/AAAAAAAAtVE/4QtVQdLlSVsyYh9rZNAFIcfOlNcT4gfHACNcBGAsYHQ/w640-h162/regicide_help.png" width="640" /></a></div><p><br /></p> <p>Reg1c1de is a tool 
that scans specified registry hives and reports on any keys where the user has write permissions. In addition, if any registry values are found that contain file paths with certain file extensions and they are writeable, these will be reported as well.</p> <p>More information on this tool and its use can be found in the related github.io article: <a href="https://deadjakk.github.io/registry_privesc.html" rel="nofollow" target="_blank" title="here">here</a></p><span><a name='more'></a></span><p><br /></p> <p>Help output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="++++++++++++++Reg1c1de++++++++++++++++ +author: @deadjakk | http://shell.rip+ ++++++++++++++++++++++++++++++++++++++ Description: Reg1c1de is a tool that scans specified registry hives and reports on any keys where the user has write permissions In addition, if any registry values are found that contain file paths with certain file extensions and they are writeable, these will be reported as well. These keys should be investigated further as they could potentially lead to a path to privilege escalation or other evil Arguments: (THESE ARE ALL OPTIONAL!) -h show this help message -vv enable debug output (more verbose) -e scan the entire specified hive, this is disabled by default -o filename to write the vulnerable keys to csv, example -o=filename -k base key to enumerate from under the hive, default=Software, example -k=Software -df disables writeable file checking, in case you don't want to make thousands of access denied file open attempts -r four letter shorthand of the root hive to enumerate from, default=HKLM, example -r=HKLM Acceptable values are: HKCU, HKLM, HKCR, HKCC, HKU -writetests enabling this flag will enable write tests, which will write a dummy registry key and value to every discovered instance of write access to a key. I DO NOT recommend using this, especially if you cannot make a registry backup, nevertheless it is here. Example Usage: Reg1c1de.exe -v -o=outputfile -r=HKLM -e "><pre><code>++++++++++++++Reg1c1de++++++++++++++++<br />+author: @deadjakk | http://shell.rip+<br />++++++++++++++++++++++++++++++++++++++<br /><br /><br />Description:<br />Reg1c1de is a tool that scans specified registry hives and reports on any keys where the user has write permissions<br />In addition, if any registry values are found that contain file paths with certain file extensions and they are writeable, these will be reported as well.<br />These keys should be investigated further as they could potentially lead to a path to privilege escalation or other evil<br /><br />Arguments: (THESE ARE ALL OPTIONAL!)<br />-h show this help message<br />-vv enable debug output (more verbose)<br />-e scan the entire specified hive, this is disabled by default<br />-o filename to write the vulnerable keys to csv, example -o=filename<br />-k base key to enumerate from under the hive, default=Software, example -k=Software<br />-df disables writeable file checking, in case you don't want to make thousands of access denied file open attempts<br />-r four letter shorthand of the root hive to enumerate from, default=HKLM, example -r=HKLM<br /> Acceptable values are: HKCU, HKLM, HKCR, HKCC, HKU<br /><br />-writetests enabling this flag will enable write tests, which will write a dummy registry key and value to every discovered instance of write access to a key.<br />I DO NOT recommend using this, especially if you cannot make a registry backup, nevertheless it is here.<br /><br />Example Usage:<br />Reg1c1de.exe -v -o=outputfile -r=HKLM -e<br /></code></pre></div> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/deadjakk/Reg1c1de" rel="nofollow" target="_blank" title="Download Reg1c1de">Download 
Reg1c1de</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-60615530990167299662021-08-18T17:30:00.006-04:002021-08-18T17:30:00.281-04:00Jsleak - A Go Code To Detect Leaks In JS Files Via Regex Patterns<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-fMvlStr5Pkk/YRvgsg3WiFI/AAAAAAAAqtM/aROefZ6A8ycBvdLqdeAd6IoAhWV8bOHNACNcBGAsYHQ/s583/jsleak.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="280" data-original-width="583" src="https://1.bp.blogspot.com/-fMvlStr5Pkk/YRvgsg3WiFI/AAAAAAAAqtM/aROefZ6A8ycBvdLqdeAd6IoAhWV8bOHNACNcBGAsYHQ/s16000/jsleak.png" /></a></div><p><br /></p> <p>jsleak is a tool to identify sensitive data in JS files through regex patterns. Although it's built for this, you can use it to identify anything as long as you have a regex pattern for it.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>How to install</b></span><br /> <p>Directly:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="{your package manager} install pkg-config libpcre++-dev go get github.com/0xTeles/jsleak/v2/jsleak "><pre><code>{your package manager} install pkg-config libpcre++-dev<br />go get github.com/0xTeles/jsleak/v2/jsleak<br /></code></pre></div> <p>Compiled: <a href="https://github.com/0xTeles/jsleak/releases/tag/jsleak_v2.1" rel="nofollow" target="_blank" title="release page">release page</a></p> <br /><span style="font-size: large;"><b>How to use</b></span><br /> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="Usage of jsleak: -json string [+] Json output file -pattern string [+] File contains patterns to test -verbose [+] Verbose Mode "><pre><code>Usage of jsleak:<br /> -json string<br /> [+] Json output file<br /> -pattern string<br /> [+] File contains patterns to test<br /> -verbose<br 
/> [+] Verbose Mode<br /></code></pre></div> <br /><span style="font-size: large;"><b>Demo</b></span><br /> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat urls.txt | jsleak -pattern regex.txt [+] Url: http://localhost/index.js [+] Pattern: p([a-z]+)ch [+] Match: peach "><pre><code>cat urls.txt | jsleak -pattern regex.txt<br />[+] Url: http://localhost/index.js<br />[+] Pattern: p([a-z]+)ch<br />[+] Match: peach<br /></code></pre></div> <br /><span style="font-size: large;"><b>To Do</b></span><br /> <ul class="contains-task-list"> <li class="task-list-item">Fix output</li> <li class="task-list-item">Add more patterns</li> <li class="task-list-item">Add stdin</li> <li class="task-list-item">Implement <a href="https://www.kitploit.com/search/label/JSON" target="_blank" title="JSON">JSON</a> input</li> <li class="task-list-item">Fix patterns</li> <li class="task-list-item">Implement PCRE</li> </ul> <br /><span style="font-size: large;"><b>Regex list</b></span><br /> <ul> <li><a href="https://github.com/odomojuli/RegExAPI" rel="nofollow" target="_blank" title="https://github.com/odomojuli/RegExAPI">https://github.com/odomojuli/RegExAPI</a></li> <li><a href="https://github.com/KaioGomesx/JSScanner/blob/main/regex.txt" rel="nofollow" target="_blank" title="https://github.com/KaioGomesx/JSScanner/blob/main/regex.txt">https://github.com/KaioGomesx/JSScanner/blob/main/regex.txt</a></li> </ul> <br /><span style="font-size: large;"><b>Inspired by</b></span><br /> <ul> <li>Necessity</li> <li><a href="https://github.com/0x240x23elu/JSScanner" rel="nofollow" target="_blank" title="https://github.com/0x240x23elu/JSScanner">https://github.com/0x240x23elu/JSScanner</a></li> <li><a href="https://github.com/KaioGomesx/JSScanner" rel="nofollow" target="_blank" title="https://github.com/KaioGomesx/JSScanner">https://github.com/KaioGomesx/JSScanner</a></li> </ul> <br /><span style="font-size: large;"><b>Thanks</b></span><br /> <p><a 
href="https://twitter.com/Highustavo" rel="nofollow" target="_blank" title="@fepame">@fepame</a>, <a href="https://twitter.com/gustavorobertux" rel="nofollow" target="_blank" title="@gustavorobertux">@gustavorobertux</a>, <a href="https://github.com/Jhounx" rel="nofollow" target="_blank" title="@Jhounx">@Jhounx</a>, <a href="https://twitter.com/arthurair_es" rel="nofollow" target="_blank" title="@arthurair_es">@arthurair_es</a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/0xTeles/jsleak" rel="nofollow" target="_blank" title="Download Jsleak">Download Jsleak</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-44540918330672470952021-07-29T17:30:00.001-04:002021-07-29T17:30:00.314-04:00Sniffle - A Sniffer For Bluetooth 5 And 4.X LE<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-mHA4cdhEfIA/YP8tV-PsksI/AAAAAAAAoyY/5bzZxEQAGP8ZGHSWdEpcy8vfiFrL6cOjACNcBGAsYHQ/s308/Bluetooth.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="163" data-original-width="308" src="https://1.bp.blogspot.com/-mHA4cdhEfIA/YP8tV-PsksI/AAAAAAAAoyY/5bzZxEQAGP8ZGHSWdEpcy8vfiFrL6cOjACNcBGAsYHQ/s16000/Bluetooth.jpeg" /></a></div><p><br /></p> <p><strong>Sniffle is a sniffer for Bluetooth 5 and 4.x (LE) using TI CC1352/CC26x2 hardware.</strong></p> <p>Sniffle has a number of useful features, including:</p> <ul> <li>Support for BT5/4.2 extended length advertisement and data packets</li> <li>Support for BT5 Channel Selection Algorithms #1 and #2</li> <li>Support for all BT5 PHY modes (regular 1M, 2M, and coded modes)</li> <li>Support for sniffing only <a href="https://www.kitploit.com/search/label/Advertisements" target="_blank" title="advertisements">advertisements</a> and ignoring connections</li> <li>Support for channel map, connection parameter, and PHY 
change operations</li> <li>Support for advertisement filtering by MAC address and RSSI</li> <li>Support for BT5 extended advertising (non-periodic)</li> <li>Support for capturing advertisements from a target MAC on all three primary advertising channels using a single sniffer. <strong>This makes connection detection nearly 3x more reliable than most other sniffers that only sniff one advertising channel.</strong></li> <li>Easy to extend host-side software written in Python</li> <li>PCAP export compatible with the Ubertooth</li></ul><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b>Prerequisites</b></span><br /> <ul> <li>TI CC26x2R Launchpad Board: <a href="https://www.ti.com/tool/LAUNCHXL-CC26X2R1" rel="nofollow" target="_blank" title="https://www.ti.com/tool/LAUNCHXL-CC26X2R1">https://www.ti.com/tool/LAUNCHXL-CC26X2R1</a></li> <li>or TI CC2652RB Launchpad Board: <a href="https://www.ti.com/tool/LP-CC2652RB" rel="nofollow" target="_blank" title="https://www.ti.com/tool/LP-CC2652RB">https://www.ti.com/tool/LP-CC2652RB</a></li> <li>or TI CC1352R Launchpad Board: <a href="https://www.ti.com/tool/LAUNCHXL-CC1352R1" rel="nofollow" target="_blank" title="https://www.ti.com/tool/LAUNCHXL-CC1352R1">https://www.ti.com/tool/LAUNCHXL-CC1352R1</a></li> <li>or TI CC1352P1 Launchpad Board: <a href="https://www.ti.com/tool/LAUNCHXL-CC1352P" rel="nofollow" target="_blank" title="https://www.ti.com/tool/LAUNCHXL-CC1352P">https://www.ti.com/tool/LAUNCHXL-CC1352P</a></li> <li>GNU ARM Embedded Toolchain: <a href="https://developer.arm.com/open-source/gnu-toolchain/gnu-rm/downloads" rel="nofollow" target="_blank" title="https://developer.arm.com/open-source/gnu-toolchain/gnu-rm/downloads">https://developer.arm.com/open-source/gnu-toolchain/gnu-rm/downloads</a></li> <li>TI CC26x2 SDK 5.10.00.48: <a href="https://www.ti.com/tool/download/SIMPLELINK-CC13X2-26X2-SDK" rel="nofollow" target="_blank" 
title="https://www.ti.com/tool/download/SIMPLELINK-CC13X2-26X2-SDK">https://www.ti.com/tool/download/SIMPLELINK-CC13X2-26X2-SDK</a></li> <li>TI DSLite Programmer Software: see below</li> <li>Python 3.5+ with PySerial installed</li> </ul> <p><strong>If you don't want to go through the effort of setting up a build environment for the firmware, you can just flash prebuilt firmware binaries using UniFlash/DSLite.</strong> Prebuilt firmware binaries are attached to releases on the GitHub releases tab of this project. When using prebuilt firmware, be sure to use the Python code corresponding to the release tag rather than master to avoid compatibility issues with firmware that is behind the master branch.</p> <p>Note: it should be possible to compile Sniffle to run on CC1352P Launchpad boards with minimal modifications, but I have not yet tried this.</p> <br /><b>Installing GCC</b><br /> <p>The <code>arm-none-eabi-gcc</code> provided through various Linux distributions' package managers often lacks some header files or requires some changes to linker configuration. For minimal hassle, I suggest using the ARM GCC linked above. You can just download and extract the prebuilt executables.</p> <br /><b>Installing the TI SDK</b><br /> <p>The TI SDK is provided as an executable binary that extracts a bunch of source code once you accept the license agreement. On Linux and Mac, the default installation directory is inside <code>~/ti/</code>. This works fine and my makefiles expect this path, so I suggest just going with the default here. The same applies for the TI SysConfig tool.</p> <p>Once the SDK has been extracted, you will need to edit one makefile to match your build environment. Within <code>~/ti/simplelink_cc13x2_26x2_sdk_5_10_00_48</code> (or wherever the SDK was installed) there is a makefile named <code>imports.mak</code>. The only paths that need to be set here to build Sniffle are for GCC, XDC, and SysConfig. We don't need the CCS compiler. 
See the diff below as an example, and adapt for wherever you installed things.</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="diff --git a/imports.mak b/imports.mak index d815a4e94..731d49419 100644 --- a/imports.mak +++ b/imports.mak 
@@ -18,14 +18,14 @@ # will build using each non-empty *_ARMCOMPILER cgtool. # -XDC_INSTALL_DIR ?= /home/username/ti/xdctools_3_62_00_08_core -SYSCONFIG_TOOL ?= /home/username/ti/ccs1030/ccs/utils/sysconfig_1.8.0/sysconfig_cli.sh +XDC_INSTALL_DIR ?= $(HOME)/ti/xdctools_3_62_00_08_core +SYSCONFIG_TOOL ?= $(HOME)/ti/sysconfig_1.8.0/sysconfig_cli.sh FREERTOS_INSTALL_DIR ?= /home/username/FreeRTOSv10.2.1 CCS_ARMCOMPILER ?= /home/username/ti/ccs1030/ccs/tools/compiler/ti-cgt-arm_20.2.4.LTS TICLANG_ARMCOMPILER ?= /home/username/ti/ccs1030/ccs/tools/compiler/1.2.1.STS -GCC_ARMCOMPILER ?= /home/username/ti/ccs1030/ccs/tools/compiler/9.2019.q4.major +GCC_ARMCOMPILER ?= $(HOME)/arm_tools/gcc-arm-none-eabi-9-2019-q4-major # The IAR compiler is not supported on Linux # IAR_ARMCOMPILER ?= "><pre><code>diff --git a/imports.mak b/imports.mak<br />index d815a4e94..731d49419 100644<br />--- a/imports.mak<br />+++ b/imports.mak<br />@@ -18,14 +18,14 @@<br /> # will build using each non-empty *_ARMCOMPILER cgtool.<br /> #<br /> <br />-XDC_INSTALL_DIR ?= /home/username/ti/xdctools_3_62_00_08_core<br />-SYSCONFIG_TOOL ?= /home/username/ti/ccs1030/ccs/utils/sysconfig_1.8.0/sysconfig_cli.sh<br />+XDC_INSTALL_DIR ?= $(HOME)/ti/xdctools_3_62_00_08_core<br />+SYSCONFIG_TOOL ?= $(HOME)/ti/sysconfig_1.8.0/sysconfig_cli.sh<br /> <br /> FREERTOS_INSTALL_DIR ?= /home/username/FreeRTOSv10.2.1<br /> <br /> CCS_ARMCOMPILER ?= /home/username/ti/ccs1030/ccs/tools/compiler/ti-cgt-arm_20.2.4.LTS<br /> TICLANG_ARMCOMPILER ?= /home/username/ti/ccs1030/ccs/tools/compiler/1.2.1.STS<br />-GCC_ARMCOMPILER ?= /home/username/ti/ccs1030/ccs/tools/compiler/9.2019.q4.major<br />+GCC_ARMCOMPILER ?= $(HOME)/arm_tools/gcc-arm-none-eabi-9-2019-q4-major<br /> <br /> # The IAR compiler is not supported on Linux<br /> # IAR_ARMCOMPILER ?=<br /></code></pre></div> <br /><b>Obtaining DSLite</b><br /> <p>DSLite is TI's <a href="https://www.kitploit.com/search/label/Command%20Line" target="_blank" title="command 
line">command line</a> programming and debug server tool for XDS110 debuggers. The CC26xx and CC13xx Launchpad boards both include XDS110 debuggers. Unfortunately, TI does not provide a standalone command line DSLite download. The easiest way to obtain DSLite is to install <a href="http://www.ti.com/tool/download/UNIFLASH" rel="nofollow" target="_blank" title="UniFlash">UniFlash</a> from TI. It's available for Linux, Mac, and Windows. The DSLite executable will be located at <code>deskdb/content/TICloudAgent/linux/ccs_base/DebugServer/bin/DSLite</code> relative to the UniFlash installation directory. On Linux, the default UniFlash installation directory is inside <code>~/ti/</code>.</p> <p>You should place the DSLite executable directory within your <code>$PATH</code>.</p> <br /><span style="font-size: large;"><b>Building and Installation</b></span><br /> <p>Once GCC, DSLite, and the SDK are installed and operational, building Sniffle should be straightforward. Just navigate to the <code>fw</code> directory and run <code>make</code>. If you didn't install the SDK to the default directory, you may need to edit <code>SIMPLELINK_SDK_INSTALL_DIR</code> in the makefile.</p> <p>To install Sniffle on a (plugged in) CC26x2 Launchpad using DSLite, run <code>make load</code> within the <code>fw</code> directory. You can also flash the compiled <code>sniffle.out</code> binary using the UniFlash GUI.</p> <p>If building for or installing on a Launchpad variant other than CC26x2R, you must specify <code>PLATFORM=xxx</code>, either as an argument to make, or by defining it as an environment variable prior to invoking make. Supported values for <code>PLATFORM</code> are <code>CC2642R1F</code>, <code>CC2652R1F</code>, <code>CC1352R1F3</code>, <code>CC2652RB1F</code>, and <code>CC1352P1F3</code>. 
Be sure to perform a <code>make clean</code> before building for a different platform.</p> <br /><span style="font-size: large;"><b>Sniffer Usage</b></span><br /> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="[skhan@serpent python_cli]$ ./sniff_receiver.py --help usage: sniff_receiver.py [-h] [-s SERPORT] [-c {37,38,39}] [-p] [-r RSSI] [-m MAC] [-i IRK] [-a] [-e] [-H] [-l] [-q] [-Q PRELOAD] [-o OUTPUT] Host-side receiver for Sniffle BLE5 sniffer optional arguments: -h, --help show this help message and exit -s SERPORT, --serport SERPORT Sniffer serial port name -c {37,38,39}, --advchan {37,38,39} Advertising channel to listen on -p, --pause Pause sniffer after disconnect -r RSSI, --rssi RSSI Filter packets by minimum RSSI -m MAC, --mac MAC Filter packets by advertiser MAC -i IRK, --irk IRK Filter packets by advertiser IRK -a, --advonly Sniff only advertisements, don't follow connections -e, --extadv Capture BT5 extended (auxiliary) advertising -H, --hop Hop primary advertising channels in extended mode -l, --longrange Use long range (coded) PHY for primary advertising -q, --quiet Don't display empty packets -Q PRELOAD, --preload PRELOAD Preload expected encrypted connection parameter changes -o OUTPUT, --output OUTPUT PCAP output file name "><pre><code>[skhan@serpent python_cli]$ ./sniff_receiver.py --help<br />usage: sniff_receiver.py [-h] [-s SERPORT] [-c {37,38,39}] [-p] [-r RSSI] [-m MAC]<br /> [-i IRK] [-a] [-e] [-H] [-l] [-q] [-Q PRELOAD] [-o OUTPUT]<br /><br />Host-side receiver for Sniffle BLE5 sniffer<br /><br />optional arguments:<br /> -h, --help show this help message and exit<br /> -s SERPORT, --serport SERPORT<br /> Sniffer serial port name<br /> -c {37,38,39}, --advchan {37,38,39}<br /> Advertising channel to listen on<br /> -p, --pause Pause sniffer after disconnect<br /> -r RSSI, --rssi RSSI Filter packets by minimum RSSI<br /> -m MAC, --mac MAC Filter packets by advertiser MAC<br /> -i IRK, --irk IRK 
Filter packets by advertiser IRK<br /> -a, --advonly Sniff only advertisements, don't follow connections<br /> -e, --extadv Capture BT5 extended (auxiliary) advertising<br /> -H, --hop Hop primary advertising channels in extended mode<br /> -l, --longrange Use long range (coded) PHY for primary advertising<br /> -q, --quiet Don't display empty packets<br /> -Q PRELOAD, --preload PRELOAD<br /> Preload expected encrypted connection parameter changes<br /> -o OUTPUT, --output OUTPUT<br /> PCAP output file name<br /></code></pre></div> <p>The XDS110 debugger on the Launchpad boards creates two serial ports. On Linux, they are typically named <code>ttyACM0</code> and <code>ttyACM1</code>. The first of the two created serial ports is used to communicate with Sniffle. By default, the Python CLI communicates using <code>/dev/ttyACM0</code>, but you may need to override this with the <code>-s</code> command line option if you are not running on Linux or have additional USB CDC-ACM devices connected.</p> <p>For the <code>-r</code> (RSSI filter) option, a value of -40 tends to work well if the sniffer is very close to or nearly touching the transmitting device. The RSSI filter is very useful for ignoring irrelevant advertisements in a busy RF environment. The RSSI filter is only active when capturing advertisements, as you always want to capture data channel traffic for a connection being followed. You probably don't want to use an RSSI filter when MAC filtering is active, as you may lose advertisements from the MAC address of interest when the RSSI is too low.</p> <p>To hop along with advertisements and have reliable connection sniffing, you need to set up a MAC filter with the <code>-m</code> option. You should specify the MAC address of the peripheral device, not the central device. To figure out which MAC address to sniff, you can run the sniffer with RSSI filtering while placing the sniffer near the target. 
This will show you advertisements from the target device including its MAC address. It should be noted that many BLE devices advertise with a randomized MAC address rather than their "real" fixed MAC written on a label.</p> <p>For convenience, the MAC filter has a special mode, selected by invoking the script with <code>-m top</code> instead of <code>-m</code> with a MAC address. In this mode, the sniffer will lock onto the first advertiser MAC address it sees that passes the RSSI filter. The <code>-m top</code> mode should thus always be used with an RSSI filter to avoid locking onto a spurious MAC address. Once the sniffer locks onto a MAC address, the RSSI filter will be disabled automatically by the sniff receiver script (except when the <code>-e</code> option is used).</p> <p>Most new BLE devices use Resolvable Private Addresses (RPAs) rather than fixed static or public addresses. While you can set up a MAC filter to a particular RPA, devices periodically change their RPA. RPAs can be resolved (associated with a particular device) if the Identity Resolving Key (IRK) is known. Sniffle supports automated RPA resolution when the IRK is provided. This avoids the need to keep updating the MAC filter whenever the RPA changes. You can specify an IRK for Sniffle with the <code>-i</code> option; the IRK should be provided in hexadecimal format, with the most significant byte (MSB) first. Specifying an IRK allows Sniffle to channel hop with an advertiser the same way it does with a MAC filter. The IRK-based MAC filtering feature (<code>-i</code>) is mutually exclusive with the static MAC filtering feature (<code>-m</code>).</p> <p>To enable following auxiliary pointers in Bluetooth 5 extended advertising, enable the <code>-e</code> option. 
To improve <a href="https://www.kitploit.com/search/label/Performance" target="_blank" title="performance">performance</a> and reliability in extended advertising capture, this option disables hopping on the primary advertising channels, even when a MAC filter is set up. If you are unsure whether a connection will be established via legacy or extended advertising, you can enable the <code>-H</code> flag in conjunction with <code>-e</code> to perform primary channel hopping with legacy advertisements, and scheduled listening to extended advertisement auxiliary packets. When combining <code>-e</code> and <code>-H</code>, the reliability of connection detection may be reduced compared to hopping on primary (legacy) or secondary (extended) advertising channels alone.</p> <p>To sniff the long range PHY on primary advertising channels, specify the <code>-l</code> option. Note that no hopping between primary advertising channels is supported in long range mode, since all long range advertising uses the BT5 extended mechanism. Under the extended mechanism, auxiliary pointers on all three primary channels point to the same auxiliary packet, so hopping between primary channels is unnecessary.</p> <p>To not print empty data packets on screen while following a connection, use the <code>-q</code> flag. This makes it easier to observe meaningful communications in real time, but may obscure when connection following is flaky or lost.</p> <p>For encrypted connections, Sniffle supports detecting connection parameter updates even when the <a href="https://www.kitploit.com/search/label/Encryption" target="_blank" title="encryption">encryption</a> key is unknown, and it attempts to measure the new parameters. However, if you know the new connection interval and Instant delta to expect in encrypted connection parameter updates, you can specify them with the <code>--preload</code>/<code>-Q</code> option to improve performance/reliability. 
The expected Interval:DeltaInstant pair should be provided as colon separated integers. Interval is an integer representing multiples of 1.25 ms (as defined in LL_CONNECTION_UPDATE_IND). DeltaInstant is the number of connection events between when the connection update packet is transmitted and when the new parameters are applied. DeltaInstant must be greater than or equal to 6, as per the Bluetooth specification's <a href="https://www.kitploit.com/search/label/Requirements" target="_blank" title="requirements">requirements</a> for master devices. If multiple encrypted parameter updates are expected, you can provide multiple parameter pairs, separated by commas (eg. <code>6:7,39:8</code>).</p> <p>If for some reason the sniffer firmware locks up and refuses to capture any traffic even with filters disabled, you should reset the sniffer MCU. On Launchpad boards, the reset button is located beside the micro USB port.</p> <br /><span style="font-size: large;"><b>Scanner Usage</b></span><br /> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="usage: scanner.py [-h] [-s SERPORT] [-c {37,38,39}] [-r RSSI] [-l] Scanner utility for Sniffle BLE5 sniffer optional arguments: -h, --help show this help message and exit -s SERPORT, --serport SERPORT Sniffer serial port name -c {37,38,39}, --advchan {37,38,39} Advertising channel to listen on -r RSSI, --rssi RSSI Filter packets by minimum RSSI -l, --longrange Use long range (coded) PHY for primary advertising "><pre><code>usage: scanner.py [-h] [-s SERPORT] [-c {37,38,39}] [-r RSSI] [-l]<br /><br />Scanner utility for Sniffle BLE5 sniffer<br /><br />optional arguments:<br /> -h, --help show this help message and exit<br /> -s SERPORT, --serport SERPORT<br /> Sniffer serial port name<br /> -c {37,38,39}, --advchan {37,38,39}<br /> Advertising channel to listen on<br /> -r RSSI, --rssi RSSI Filter packets by minimum RSSI<br /> -l, --longrange Use long range (coded) PHY for primary 
advertising<br /></code></pre></div> <p>The scanner command line arguments work the same as the sniffer. The purpose of the scanner utility is to gather a list of nearby devices advertising, and actively issue scan requests for observed devices, without having the deluge of fast scrolling data you get with the sniffer utility. The hardware/firmware will enter an active scanning mode where it will report received advertisements, issue scan requests for scannable ones, and report received scan responses. The scanner utility will record and report observed MAC addresses only once without spamming the display. Once you're done capturing advertisements, press Ctrl-C to stop scanning and report the results. The scanner will show the last advertisement and scan response from each target. Scan results will be sorted by RSSI in descending order.</p> <br /><span style="font-size: large;"><b>Usage Examples</b></span><br /> <p>Sniff all advertisements on channel 38, ignore RSSI < -50, stay on advertising channel even when CONNECT_REQs are seen.</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="./sniff_receiver.py -c 38 -r -50 -a "><pre><code>./sniff_receiver.py -c 38 -r -50 -a<br /></code></pre></div> <p>Sniff advertisements from MAC 12:34:56:78:9A:BC, stay on advertising channel even when CONNECT_REQs are seen, save advertisements to <code>data1.pcap</code>.</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="./sniff_receiver.py -m 12:34:56:78:9A:BC -a -o data1.pcap "><pre><code>./sniff_receiver.py -m 12:34:56:78:9A:BC -a -o data1.pcap<br /></code></pre></div> <p>Sniff advertisements and connections for the first MAC address seen with RSSI >= -40. The RSSI filter will be disabled automatically once a MAC address has been locked onto. 
Save captured data to <code>data2.pcap</code>.</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="./sniff_receiver.py -m top -r -40 -o data2.pcap "><pre><code>./sniff_receiver.py -m top -r -40 -o data2.pcap<br /></code></pre></div> <p>Sniff advertisements and connections from the peripheral with big-endian IRK 4E0BEA5355866BE38EF0AC2E3F0EBC22. Preload two expected encrypted connection parameter updates; the first with an Interval of 6, occurring at an instant 6 connection events after an encrypted LL_CONNECTION_UPDATE_IND is observed by the sniffer. The second expected encrypted connection update has an Interval of 39 and a DeltaInstant of 6 as well.</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="./sniff_receiver.py -i 4E0BEA5355866BE38EF0AC2E3F0EBC22 -Q 6:6,39:6 "><pre><code>./sniff_receiver.py -i 4E0BEA5355866BE38EF0AC2E3F0EBC22 -Q 6:6,39:6<br /></code></pre></div> <p>Sniff BT5 extended advertisements and connections from nearby (RSSI >= -55) devices.</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="./sniff_receiver.py -r -55 -e "><pre><code>./sniff_receiver.py -r -55 -e<br /></code></pre></div> <p>Sniff legacy and extended advertisements and connections from the device with the specified MAC address. 
Save captured data to <code>data3.pcap</code>.</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="./sniff_receiver.py -eH -m 12:34:56:78:9A:BC -o data3.pcap "><pre><code>./sniff_receiver.py -eH -m 12:34:56:78:9A:BC -o data3.pcap<br /></code></pre></div> <p>Sniff extended advertisements and connections using the long range primary PHY on channel 38.</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="./sniff_receiver.py -le -c 38 "><pre><code>./sniff_receiver.py -le -c 38<br /></code></pre></div> <p>Actively scan on channel 39 for advertisements with RSSI greater than -50.</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="./scanner.py -c 39 -r -50 "><pre><code>./scanner.py -c 39 -r -50<br /></code></pre></div> <br /><span style="font-size: large;"><b>Obtaining the IRK</b></span><br /> <p>If you have a rooted Android phone, you can find IRKs (and LTKs) in the Bluedroid configuration file. On Android 8.1, this is located at <code>/data/misc/bluedroid/bt_config.conf</code>. The <code>LE_LOCAL_KEY_IRK</code> specifies the Android device's own IRK, and the first 16 bytes of <code>LE_KEY_PID</code> for every bonded device in the file indicate the bonded device's IRK. 
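An added Go example, not Sniffle's own code (Sniffle's host tools are Python): <code>ReverseIRK</code> converts a key copied from this file into the big-endian form Sniffle's <code>-i</code> option takes, and <code>ResolveRPA</code> shows what the IRK is for, checking whether a given address is an RPA derived from it with the Core Specification's ah() function (AES-128 over the zero-padded 24-bit prand, keeping the low 24 bits). The function names are assumptions; the resolution check is exercised with the Core Specification's published ah() sample data rather than a real device.

```go
// Added example (not Sniffle's own code): IRK byte-order conversion and
// RPA resolution with the Bluetooth Core Specification's ah() function.
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ReverseIRK turns the 16-byte little-endian key as stored in bt_config.conf
// into the big-endian (MSB-first) hex string Sniffle's -i option expects.
func ReverseIRK(littleEndianHex string) (string, error) {
	b, err := hex.DecodeString(littleEndianHex)
	if err != nil || len(b) != 16 {
		return "", errors.New("IRK must be exactly 16 bytes of hex")
	}
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return strings.ToUpper(hex.EncodeToString(b)), nil
}

// ah is the random address hash function (Core Spec Vol 3, Part H, 2.2.2):
// ah(k, r) = AES-128_k(0^104 || r) mod 2^24, where r is the 24-bit prand.
func ah(irk [16]byte, prand [3]byte) ([3]byte, error) {
	var hash [3]byte
	block, err := aes.NewCipher(irk[:])
	if err != nil {
		return hash, err
	}
	var plain, out [16]byte
	copy(plain[13:], prand[:]) // 13 zero bytes of padding, prand in the low 24 bits
	block.Encrypt(out[:], plain[:])
	copy(hash[:], out[13:]) // keep only the least significant 24 bits
	return hash, nil
}

// ParseAddr parses "AA:BB:CC:DD:EE:FF", most significant byte first, which is
// how Sniffle prints addresses.
func ParseAddr(s string) ([6]byte, error) {
	var addr [6]byte
	b, err := hex.DecodeString(strings.ReplaceAll(s, ":", ""))
	if err != nil || len(b) != 6 {
		return addr, errors.New("address must be 6 colon-separated hex bytes")
	}
	copy(addr[:], b)
	return addr, nil
}

// ResolveRPA reports whether addr is a Resolvable Private Address generated
// from the given big-endian IRK: the upper 24 bits are prand (whose top two
// bits must be 01), and the lower 24 bits must equal ah(IRK, prand).
func ResolveRPA(irkHex, addr string) (bool, error) {
	k, err := hex.DecodeString(irkHex)
	if err != nil || len(k) != 16 {
		return false, errors.New("IRK must be exactly 16 bytes of hex")
	}
	a, err := ParseAddr(addr)
	if err != nil {
		return false, err
	}
	if a[0]&0xC0 != 0x40 {
		return false, nil // not an RPA (static random is 11, non-resolvable is 00)
	}
	var irk [16]byte
	copy(irk[:], k)
	h, err := ah(irk, [3]byte{a[0], a[1], a[2]})
	if err != nil {
		return false, err
	}
	return h == [3]byte{a[3], a[4], a[5]}, nil
}

func main() {
	// The little-endian IRK quoted in the README, as it would appear in bt_config.conf.
	be, _ := ReverseIRK("22BC0E3F2EACF08EE36B865553EA0B4E")
	fmt.Println("pass to sniff_receiver.py -i:", be)
	// Core Specification sample data for ah(): IRK ec02...9b, prand 708194, hash 0dfbaa,
	// assembled here into the RPA 70:81:94:0D:FB:AA.
	ok, _ := ResolveRPA("ec0234a357c8ad05341010a60a397d9b", "70:81:94:0D:FB:AA")
	fmt.Println("RPA resolves with this IRK:", ok)
}
```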
Be aware that keys stored in this file are little endian, so <strong>the byte order of keys in this file will need to be reversed.</strong> For example, the little endian IRK 22BC0E3F2EACF08EE36B865553EA0B4E needs to be changed to 4E0BEA5355866BE38EF0AC2E3F0EBC22 (big endian) when being passed to Sniffle with the <code>-i</code> option.</p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/nccgroup/Sniffle" rel="nofollow" target="_blank" title="Download Sniffle">Download Sniffle</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-45286855571631991492021-07-26T08:30:00.006-04:002021-07-26T08:30:00.280-04:00Juumla - Tool Designed To Identify And Scan For Version, Config Files In The CMS Joomla!<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-bbraG4TyDzU/YPn-wgjFLFI/AAAAAAAAk5k/DXwPnKiyZrAqUCOLnguHltVAj9qbkZkMwCNcBGAsYHQ/s2048/juumla_1_banner.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1785" data-original-width="2048" height="558" src="https://1.bp.blogspot.com/-bbraG4TyDzU/YPn-wgjFLFI/AAAAAAAAk5k/DXwPnKiyZrAqUCOLnguHltVAj9qbkZkMwCNcBGAsYHQ/w640-h558/juumla_1_banner.png" width="640" /></a></div><p><br /></p> <p> <b>Juumla</b> is a python tool developed to identify the current Joomla version and <a href="https://www.kitploit.com/search/label/Scan" target="_blank" title="scan">scan</a> for readable Joomla config files.</p><span><a name='more'></a></span><div><br /></div><span style="font-size: large;"><b><div><b>Installing / Getting started</b></div></b></span> <p> A quick guide of how to install and use Juumla. </p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="1. Clone the repository - git clone https://github.com/oppsec/juumla.git 2. 
Install the libraries - pip3 install -r requirements.txt 3. Run Juumla - python3 main.py -u https://example.com "><pre><code>1. Clone the repository - git clone https://github.com/oppsec/juumla.git<br />2. Install the libraries - pip3 install -r requirements.txt<br />3. Run Juumla - python3 main.py -u https://example.com<br /></code></pre></div> <br /><b><div><b>Docker</b></div></b> <p>If you want to run Juumla in a Docker container, follow these commands:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="1. Clone the repository - git clone https://github.com/oppsec/juumla.git 2. Build the image - sudo docker build -t juumla:latest . 3. Run container - sudo docker run juumla:latest "><pre><code>1. Clone the repository - git clone https://github.com/oppsec/juumla.git<br />2. Build the image - sudo docker build -t juumla:latest .<br />3. Run container - sudo docker run juumla:latest<br /></code></pre></div> <p><br /><b>Pre-requisites</b></p> <ul> <li><a href="https://www.python.org/downloads/" rel="nofollow" target="_blank" title="Python 3">Python 3</a> installed on your machine.</li> <li>Install the libraries with <code>pip3 install -r requirements.txt</code></li> </ul> <p><br /><b>Features</b></p> <ul> <li>Fast scan</li> <li>Low RAM and CPU usage</li> <li>Identify Joomla version</li> <li>Config files detection</li> <li>Open-Source</li> </ul> <p><br /><b>To-Do</b></p> <ul class="contains-task-list"> <li class="task-list-item"><a href="https://www.kitploit.com/search/label/Vulnerability" target="_blank" title="Vulnerability">Vulnerability</a> Scanner</li> <li class="task-list-item">Improve Joomla detection</li> <li class="task-list-item">Config files detection</li> <li class="task-list-item">Improve code</li> </ul> <p><br /><b>Contributing</b></p> <p>A quick guide to contributing to the project.</p> <div class="snippet-clipboard-content 
position-relative" data-snippet-clipboard-copy-content="1. Create a fork from Juumla repository 2. Download the project with git clone https://github.com/your/juumla.git 3. Type cd juumla/ 4. Make your changes 5. Commit and make a git push 6. Open a pull request "><pre><code>1. Create a fork from Juumla repository<br />2. Download the project with git clone https://github.com/your/juumla.git<br />3. Type cd juumla/<br />4. Make your changes<br />5. Commit and make a git push<br />6. Open a pull request<br /></code></pre></div> <p><br /><b>Resources</b></p> <p><a href="https://skynettools.com/juumla-python-cli-tool-for-joomla-information-hathering/" rel="nofollow" target="_blank" title="https://skynettools.com/juumla-python-cli-tool-for-joomla-information-hathering/">https://skynettools.com/juumla-python-cli-tool-for-joomla-information-hathering/</a></p> <p><br /><b>Warning</b></p> <ul> <li>The developer is not responsible for any malicious use of this tool.</li> </ul> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/oppsec/juumla" rel="nofollow" target="_blank" title="Download Juumla">Download Juumla</a></span></b></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-8317222231133660547.post-58287198192725299332021-07-12T08:30:00.009-04:002021-07-12T08:30:00.313-04:00Sx - Fast, Modern, Easy-To-Use Network Scanner<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-3bIbThI06jM/YOTsuhFhx8I/AAAAAAAAhmE/oRCAJBgCew0Ois6uzE9_MYFK27K6XJ9mgCNcBGAsYHQ/s207/sx.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="80" data-original-width="207" src="https://1.bp.blogspot.com/-3bIbThI06jM/YOTsuhFhx8I/AAAAAAAAhmE/oRCAJBgCew0Ois6uzE9_MYFK27K6XJ9mgCNcBGAsYHQ/s16000/sx.png" /></a></div> <p><strong><br /></strong></p><p><strong>sx</strong> is the command-line network scanner designed to follow the 
UNIX philosophy.</p> <p>The goal of this project is to create the fastest network scanner with clean and simple code.</p><span><a name='more'></a></span><p><br /></p><span style="font-size: x-large;"><b><div><b>Features</b></div></b></span> <ul> <li><strong><div><strong>30x times faster</strong> than nmap</div></strong></li> <li><strong>ARP scan</strong>: Scan your local networks to detect live devices</li> <li><strong>ICMP scan</strong>: Use advanced ICMP scanning techniques to detect live hosts and firewall rules</li> <li><strong>TCP SYN scan</strong>: Traditional half-open scan to find open TCP ports</li> <li><strong>TCP FIN / NULL / Xmas scans</strong>: Scan techniques to bypass some firewall rules</li> <li><strong>Custom TCP scans with any TCP flags</strong>: Send whatever exotic packets you want and get a result with all the TCP flags set in the reply packet</li> <li><strong>UDP scan</strong>: Scan UDP ports and get full ICMP replies to detect <a href="https://www.kitploit.com/search/label/Open%20Ports" target="_blank" title="open ports">open ports</a> or firewall rules</li> <li><strong>Application scans</strong>: <ul> <li><strong>SOCKS5 scan</strong>: Detect live SOCKS5 proxies by scanning ip range or list of ip/port pairs from a file</li> <li><strong>Docker scan</strong>: Detect open Docker daemons listening on TCP ports and get information about the docker node</li> <li><strong>Elasticsearch scan</strong>: Detect open <a href="https://www.kitploit.com/search/label/Elasticsearch" target="_blank" title="Elasticsearch">Elasticsearch</a> nodes and pull out cluster information with all index names</li> </ul> </li> <li><strong>Randomized iteration</strong> over IP addresses using finite cyclic multiplicative groups</li> <li><strong>JSON output support</strong>: sx is designed specifically for convenient automatic processing of results</li> </ul> <br /><span style="font-size: x-large;"><b><div><b>Install</b></div></b></span> <p>The simplest way is to download 
from <a href="https://github.com/v-byte-cpu/sx/releases" rel="nofollow" target="_blank" title="GitHub Releases">GitHub Releases</a> and place the executable file in your PATH.</p> <br /><span style="font-size: x-large;"><b><div><b>Build from source</b></div></b></span> <p>Requirements:</p> <ul> <li><a href="https://golang.org/dl/" rel="nofollow" target="_blank" title="Go 1.15 or newer">Go 1.15 or newer</a></li> <li><a href="https://www.tcpdump.org/" rel="nofollow" target="_blank" title="libpcap">libpcap</a> (already installed if you use <strong>wireshark</strong>)</li> </ul> <p>From the root of the source tree, run:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="go build "><pre><code>go build<br /></code></pre></div> <br /><span style="font-size: x-large;"><b><div><b>Quick Start</b></div></b></span> <p>Here are some quick examples showing how you can scan networks with <code>sx</code>.</p> <br /><span style="font-size: large;"><b>ARP scan</b></span><br /> <p>Scan your local network and display the IP address, MAC address and associated hardware vendor of connected devices:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx arp 192.168.0.1/24 "><pre><code>sx arp 192.168.0.1/24<br /></code></pre></div> <p>sample output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="192.168.0.1 b0:be:76:40:05:8d TP-LINK TECHNOLOGIES CO.,LTD. 192.168.0.111 80:c5:f2:0b:02:e3 AzureWave Technology Inc. 192.168.0.171 88:53:95:2d:3c:af Apple, Inc. 
"><pre><code>192.168.0.1 b0:be:76:40:05:8d TP-LINK TECHNOLOGIES CO.,LTD.<br />192.168.0.111 80:c5:f2:0b:02:e3 AzureWave Technology Inc.<br />192.168.0.171 88:53:95:2d:3c:af Apple, Inc.<br /></code></pre></div> <p>with JSON output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx arp --json 192.168.0.1/24 "><pre><code>sx arp --json 192.168.0.1/24<br /></code></pre></div> <p>sample output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="{"ip":"192.168.0.1","mac":"b0:be:76:40:05:8d","vendor":"TP-LINK TECHNOLOGIES CO.,LTD."} {"ip":"192.168.0.111","mac":"80:c5:f2:0b:02:e3","vendor":"AzureWave Technology Inc."} {"ip":"192.168.0.171","mac":"88:53:95:2d:3c:af","vendor":"Apple, Inc."} "><pre><code>{"ip":"192.168.0.1","mac":"b0:be:76:40:05:8d","vendor":"TP-LINK TECHNOLOGIES CO.,LTD."}<br />{"ip":"192.168.0.111","mac":"80:c5:f2:0b:02:e3","vendor":"AzureWave Technology Inc."}<br />{"ip":"192.168.0.171","mac":"88:53:95:2d:3c:af","vendor":"Apple, Inc."}<br /></code></pre></div> <p>wait 5 seconds before exiting to receive delayed reply packets, by default <code>sx</code> waits 300 milliseconds:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx arp --exit-delay 5s 192.168.0.1/24 "><pre><code>sx arp --exit-delay 5s 192.168.0.1/24<br /></code></pre></div> <p>Live scan mode that rescans network every 10 seconds:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx arp 192.168.0.1/24 --live 10s "><pre><code>sx arp 192.168.0.1/24 --live 10s<br /></code></pre></div> <br /><span style="font-size: large;"><b>TCP scan</b></span><br /> <p>Unlike nmap and other scanners that implicitly perform ARP requests to resolve IP addresses to MAC addresses before the actual scan, <code>sx</code> explicitly uses the <strong>ARP cache</strong> concept. 
The ARP cache file is a simple text file containing a JSON string on each line (a <a href="https://jsonlines.org/" rel="nofollow" target="_blank" title="JSONL">JSONL</a> file), which has the same JSON fields as the ARP scan JSON output described above. Scans of higher-level protocols like TCP and UDP read the ARP cache file from stdin and then start the actual scan.</p> <p>This not only simplifies the design of the program, but also speeds up the scanning process, since it is not necessary to perform an ARP scan every time.</p> <p>Let's assume that the actual ARP cache is in the <code>arp.cache</code> file. We can create it manually or use the ARP scan as shown below:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx arp 192.168.0.1/24 --json | tee arp.cache "><pre><code>sx arp 192.168.0.1/24 --json | tee arp.cache<br /></code></pre></div> <p>Once we have the ARP cache file, we can run scans of higher-level protocols, such as a TCP SYN scan:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp -p 1-65535 192.168.0.171 "><pre><code>cat arp.cache | sx tcp -p 1-65535 192.168.0.171<br /></code></pre></div> <p>sample output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="192.168.0.171 22 192.168.0.171 443 "><pre><code>192.168.0.171 22<br />192.168.0.171 443<br /></code></pre></div> <p>In this case we find out that ports 22 and 443 are open.</p> <p>scan with JSON output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp --json -p 1-65535 192.168.0.171 "><pre><code>cat arp.cache | sx tcp --json -p 1-65535 192.168.0.171<br /></code></pre></div> <p>sample output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="{"scan":"tcpsyn","ip":"192.168.0.171","port":22} 
{"scan":"tcpsyn","ip":"192.168.0.171","port":443} "><pre><code>{"scan":"tcpsyn","ip":"192.168.0.171","port":22}<br />{"scan":"tcpsyn","ip":"192.168.0.171","port":443}<br /></code></pre></div> <p>scan multiple port ranges:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp -p 1-23,25-443 192.168.0.171 "><pre><code>cat arp.cache | sx tcp -p 1-23,25-443 192.168.0.171<br /></code></pre></div> <p>or individual ports:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp -p 22,443 192.168.0.171 "><pre><code>cat arp.cache | sx tcp -p 22,443 192.168.0.171<br /></code></pre></div> <p>scan ip/port pairs from a file with JSON output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp --json -f ip_ports_file.jsonl "><pre><code>cat arp.cache | sx tcp --json -f ip_ports_file.jsonl<br /></code></pre></div> <p>Each line of the input file is a JSON string, which must contain the <strong>ip</strong> and <strong>port</strong> fields.</p> <p>sample input file:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="{"ip":"10.0.1.1","port":1080} {"ip":"10.0.2.2","port":1081} "><pre><code>{"ip":"10.0.1.1","port":1080}<br />{"ip":"10.0.2.2","port":1081}<br /></code></pre></div> <p>It is possible to specify the ARP cache file using the <code>-a</code> or <code>--arp-cache</code> option:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx tcp -a arp.cache -p 22,443 192.168.0.171 "><pre><code>sx tcp -a arp.cache -p 22,443 192.168.0.171<br /></code></pre></div> <p>or stdin redirect:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx tcp -p 22,443 192.168.0.171 < arp.cache "><pre><code>sx tcp -p 22,443 192.168.0.171 &lt; arp.cache<br 
/></code></pre></div> <p>You can also use the <code>tcp syn</code> subcommand instead of <code>tcp</code>:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp syn -p 22 192.168.0.171 "><pre><code>cat arp.cache | sx tcp syn -p 22 192.168.0.171<br /></code></pre></div> <p>The <code>tcp</code> subcommand is just a shorthand for the <code>tcp syn</code> subcommand unless the <code>--flags</code> option is passed (see below).</p> <br /><span style="font-size: large;"><b>TCP FIN scan</b></span><br /> <p>Most network scanners try to interpret the results of a scan. For instance they say "this port is closed" instead of "I received a RST". Sometimes they are right. Sometimes not. It's easier for beginners, but when you know what you're doing, you keep on trying to deduce what really happened from the program's interpretation, especially for more advanced scan techniques.</p> <p><code>sx</code> tries to overcome those problems. It returns information about all reply packets for TCP FIN, NULL, Xmas and custom TCP scans. The information contains the IP address, TCP port and all TCP flags set in the reply packet.</p> <p>The TCP FIN scan and its other variations (NULL and Xmas) exploit RFC 793 Section 3.9:</p> <blockquote> <p>SEGMENT ARRIVES</p> <p>If the state is CLOSED (i.e., TCB does not exist) then</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content=" all data in the incoming segment is discarded. An incoming segment containing a RST is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment. "><pre><code> all data in the incoming segment is discarded. An incoming<br /> segment containing a RST is discarded. An incoming segment not<br /> containing a RST causes a RST to be sent in response. 
The<br /> acknowledgment and sequence field values are selected to make the<br /> reset sequence acceptable to the TCP that sent the offending<br /> segment.<br /></code></pre></div> </blockquote> <p>so a closed port should return a packet with the RST flag set.</p> <p>This section also states that:</p> <blockquote> <p>If the state is LISTEN then</p> <p>...</p> <p>Any other control or text-bearing segment (not containing SYN) must have an ACK and thus would be discarded by the ACK processing. An incoming RST segment could not be valid, since it could not have been sent in response to anything sent by this incarnation of the connection. So you are unlikely to get here, but if you do, drop the segment, and return.</p> </blockquote> <p>The key phrase here is <strong>drop the segment</strong>, and return. So an open port on most operating systems will drop a TCP packet containing any flags except SYN, ACK and RST.</p> <p>Let's scan a closed port with a TCP FIN scan:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp fin --json -p 23 192.168.0.171 "><pre><code>cat arp.cache | sx tcp fin --json -p 23 192.168.0.171<br /></code></pre></div> <p>sample output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="{"scan":"tcpfin","ip":"192.168.0.171","port":23,"flags":"ar"} "><pre><code>{"scan":"tcpfin","ip":"192.168.0.171","port":23,"flags":"ar"}<br /></code></pre></div> <p>The <code>flags</code> field contains all TCP flags set in the reply packet, where each letter represents one of the TCP flags:</p> <ul> <li><code>s</code> - SYN flag</li> <li><code>a</code> - ACK flag</li> <li><code>f</code> - FIN flag</li> <li><code>r</code> - RST flag</li> <li><code>p</code> - PSH flag</li> <li><code>u</code> - URG flag</li> <li><code>e</code> - ECE flag</li> <li><code>c</code> - CWR flag</li> <li><code>n</code> - NS flag</li> </ul> <p>In this case we find out that port 23 sent a reply packet 
with the ACK and RST flags set (the typical response for a closed port according to RFC 793).</p> <p>If we scan an open port, we get no response (unless a firewall is spoofing the responses).</p> <p>Other types of TCP scans can be conducted by analogy.</p> <p>TCP NULL scan:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp null --json -p 23 192.168.0.171 "><pre><code>cat arp.cache | sx tcp null --json -p 23 192.168.0.171<br /></code></pre></div> <p>TCP Xmas scan:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp xmas --json -p 23 192.168.0.171 "><pre><code>cat arp.cache | sx tcp xmas --json -p 23 192.168.0.171<br /></code></pre></div> <br /><span style="font-size: large;"><b>Custom TCP scans</b></span><br /> <p>It is possible to send TCP packets with custom TCP flags using the <code>--flags</code> option.</p> <p>Let's send a TCP packet with the SYN, FIN and ACK flags set to <a href="https://www.kitploit.com/search/label/Fingerprint" target="_blank" title="fingerprint">fingerprint</a> the remote OS:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp --flags syn,fin,ack --json -p 23 192.168.0.171 "><pre><code>cat arp.cache | sx tcp --flags syn,fin,ack --json -p 23 192.168.0.171<br /></code></pre></div> <p>Windows and macOS will not respond to this packet, but Linux will send a reply packet with the RST flag set.</p> <p>Possible arguments to the <code>--flags</code> option:</p> <ul> <li><code>syn</code> - SYN flag</li> <li><code>ack</code> - ACK flag</li> <li><code>fin</code> - FIN flag</li> <li><code>rst</code> - RST flag</li> <li><code>psh</code> - PSH flag</li> <li><code>urg</code> - URG flag</li> <li><code>ece</code> - ECE flag</li> <li><code>cwr</code> - CWR flag</li> <li><code>ns</code> - NS flag</li> </ul> <br /><span style="font-size: large;"><b>UDP scan</b></span><br /> 
<p><code>sx</code> can help investigate open UDP ports. The UDP scan exploits RFC 1122 Section 4.1.3.1:</p> <blockquote> <p>If a datagram arrives addressed to a UDP port for which there is no pending LISTEN call, UDP SHOULD send an ICMP Port Unreachable message.</p> </blockquote> <p>Similar to the TCP scans, <code>sx</code> returns information about all reply ICMP packets for the UDP scan. The information contains the IP address and the ICMP type and code set in the reply packet.</p> <p>For instance, to detect a DNS server on a host, run:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx udp --json -p 53 192.168.0.171 "><pre><code>cat arp.cache | sx udp --json -p 53 192.168.0.171<br /></code></pre></div> <p>sample output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="{"scan":"udp","ip":"192.168.0.171","icmp":{"type":3,"code":3}} "><pre><code>{"scan":"udp","ip":"192.168.0.171","icmp":{"type":3,"code":3}}<br /></code></pre></div> <p>In this case we find out that the host sent an ICMP reply packet with the <strong>Destination Unreachable</strong> type and <strong>Port Unreachable</strong> code (the typical response for a closed port according to RFC 1122).</p> <p>Firewalls typically set an ICMP code distinct from <strong>Port Unreachable</strong>, so they can be easily detected.</p> <br /><span style="font-size: large;"><b>Rate limiting</b></span><br /> <p>Sometimes you need to limit the speed at which generated packets are sent. 
This can be done with the <code>--rate</code> option.</p> <p>For example, to limit the speed to 1 packet per 5 seconds:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="cat arp.cache | sx tcp --rate 1/5s --json -p 22,80,443 192.168.0.171 "><pre><code>cat arp.cache | sx tcp --rate 1/5s --json -p 22,80,443 192.168.0.171<br /></code></pre></div> <br /><span style="font-size: large;"><b>Exclude subnets</b></span><br /> <p>Sometimes you need to exclude some IP addresses and subnets from scanning. This can be done with the <code>--exclude</code> option. It specifies a file with IPs or subnets in CIDR notation to exclude, one per line.</p> <p>For instance, to exclude RFC 1918 addresses, create a file <code>ips.txt</code> with the following contents (note that the 172.16.0.0 block is a /12, not a /16):</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 "><pre><code>10.0.0.0/8<br />172.16.0.0/12<br />192.168.0.0/16<br /></code></pre></div> <p>You can also insert comments and blank lines:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="# exclude RFC 1918 addresses 10.0.0.0/8 # comment 1 172.16.0.0/12 # comment 2 192.168.0.0/16 # comment 3 0.0.0.0/8 # used in initialization procedures (RFC 6890) # exclude RFC 5735 addresses 127.0.0.0/8 # loopback address 192.0.0.0/24 # reserved block for IETF protocol assignments 224.0.0.0/4 # allocated for use in IPv4 multicast address assignments 240.0.0.0/4 # reserved for future use # exclude Amazon network 3.0.0.0/8 # ip addresses are valid as well 1.1.1.1 "><pre><code># exclude RFC 1918 addresses<br />10.0.0.0/8 # comment 1<br />172.16.0.0/12 # comment 2<br />192.168.0.0/16 # comment 3<br /><br />0.0.0.0/8 # used in initialization procedures (RFC 6890)<br /><br /># exclude RFC 5735 addresses<br />127.0.0.0/8 # loopback address<br />192.0.0.0/24 # reserved block for IETF protocol assignments<br />224.0.0.0/4 
# allocated for use in IPv4 multicast address assignments<br />240.0.0.0/4 # reserved for future use<br /><br /># exclude Amazon network<br />3.0.0.0/8<br /><br /># ip addresses are valid as well<br />1.1.1.1<br /></code></pre></div> <p>and run a scan with the <code>--exclude ips.txt</code> option.</p> <br /><span style="font-size: large;"><b>Live LAN TCP SYN scanner</b></span><br /> <p>As an example of scan composition, you can combine the ARP and TCP SYN scans to create a live TCP <a href="https://www.kitploit.com/search/label/Port%20Scanner" target="_blank" title="port scanner">port scanner</a> that periodically scans the whole LAN.</p> <p>Start a live ARP scan and save the results to the <code>arp.cache</code> file:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx arp 192.168.0.1/24 --live 10s --json | tee arp.cache "><pre><code>sx arp 192.168.0.1/24 --live 10s --json | tee arp.cache<br /></code></pre></div> <p>In another terminal start the TCP SYN scan (the ARP cache doubles as the target list, since its lines carry the <strong>ip</strong> field):</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="while true; do sx tcp -p 1-65535 -a arp.cache -f arp.cache; sleep 30; done "><pre><code>while true; do sx tcp -p 1-65535 -a arp.cache -f arp.cache; sleep 30; done<br /></code></pre></div> <br /><span style="font-size: large;"><b>SOCKS5 scan</b></span><br /> <p><code>sx</code> can detect live SOCKS5 proxies. 
To scan, you must specify an IP range or a JSONL file with ip/port pairs.</p> <p>For example, an IP range scan:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx socks -p 1080 10.0.0.1/16 "><pre><code>sx socks -p 1080 10.0.0.1/16<br /></code></pre></div> <p>scan ip/port pairs from a file with JSON output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx socks --json -f ip_ports_file.jsonl "><pre><code>sx socks --json -f ip_ports_file.jsonl<br /></code></pre></div> <p>Each line of the input file is a JSON string, which must contain the <strong>ip</strong> and <strong>port</strong> fields.</p> <p>sample input file:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="{"ip":"10.0.1.1","port":1080} {"ip":"10.0.2.2","port":1081} "><pre><code>{"ip":"10.0.1.1","port":1080}<br />{"ip":"10.0.2.2","port":1081}<br /></code></pre></div> <p>You can also specify a range of ports to scan:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx socks -p 1080-4567 -f ips_file.jsonl "><pre><code>sx socks -p 1080-4567 -f ips_file.jsonl<br /></code></pre></div> <p>In this case only the IP addresses will be taken from the file and the <strong>port</strong> field is no longer necessary.</p> <br /><span style="font-size: large;"><b>Elasticsearch scan</b></span><br /> <p>The Elasticsearch scan retrieves the cluster information and a list of all indexes along with their aliases.</p> <p>For example, an IP range scan:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx elastic -p 9200 10.0.0.1/16 "><pre><code>sx elastic -p 9200 10.0.0.1/16<br /></code></pre></div> <p>By default the scan uses the http protocol; to use the https protocol, specify the <code>--proto</code> option:</p> <div class="snippet-clipboard-content position-relative" 
data-snippet-clipboard-copy-content="sx elastic --proto https -p 9200 10.0.0.1/16 "><pre><code>sx elastic --proto https -p 9200 10.0.0.1/16<br /></code></pre></div> <p>scan ip/port pairs from a file with JSON output:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx elastic --json -f ip_ports_file.jsonl "><pre><code>sx elastic --json -f ip_ports_file.jsonl<br /></code></pre></div> <p>Each line of the input file is a JSON string, which must contain the <strong>ip</strong> and <strong>port</strong> fields.</p> <p>sample input file:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="{"ip":"10.0.1.1","port":9200} {"ip":"10.0.2.2","port":9201} "><pre><code>{"ip":"10.0.1.1","port":9200}<br />{"ip":"10.0.2.2","port":9201}<br /></code></pre></div> <p>You can also specify a range of ports to scan:</p> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx elastic -p 9200-9267 -f ips_file.jsonl "><pre><code>sx elastic -p 9200-9267 -f ips_file.jsonl<br /></code></pre></div> <p>In this case only the IP addresses will be taken from the file and the <strong>port</strong> field is no longer necessary.</p> <br /><span style="font-size: x-large;"><b>Usage help</b></span><br /> <div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="sx help "><pre><code>sx help<br /></code></pre></div> <br /><span style="font-size: x-large;"><b><div><b>References</b></div></b></span> <ul> <li><strong>Network Security Assessment: Know Your Network, 1st Edition</strong> by Chris McNab</li> <li><strong>ICMP Usage in Scanning - The Complete Know-How</strong> by Ofir Arkin</li> <li><a href="https://tools.ietf.org/rfc/rfc793.txt" rel="nofollow" target="_blank" title="Transmission Control Protocol ( rfc793 )">Transmission Control Protocol ( rfc793 )</a></li> <li><a href="https://tools.ietf.org/rfc/rfc768.txt" rel="nofollow" 
target="_blank" title="User Datagram Protocol ( rfc768 )">User Datagram Protocol ( rfc768 )</a></li> <li><a href="https://tools.ietf.org/rfc/rfc1122.txt" rel="nofollow" target="_blank" title="Requirements for Internet Hosts -- Communication Layers ( rfc1122 )">Requirements for Internet Hosts -- Communication Layers ( rfc1122 )</a></li> <li><a href="https://tools.ietf.org/rfc/rfc1928.txt" rel="nofollow" target="_blank" title="SOCKS Protocol Version 5 ( rfc1928 )">SOCKS Protocol Version 5 ( rfc1928 )</a></li> <li><a href="https://tools.ietf.org/rfc/rfc792.txt" rel="nofollow" target="_blank" title="Internet Control Message Protocol ( rfc792 )">Internet Control Message Protocol ( rfc792 )</a></li> </ul> <br /><span style="font-size: x-large;"><b><div><b>Contributing</b></div></b></span> <p>Contributions, issues and feature requests are welcome.</p> <br /><span style="font-size: x-large;"><b><div><b>Credits</b></div></b></span> <p>Logo is designed by <a href="https://mikhailtsoy.com/" rel="nofollow" target="_blank" title="mikhailtsoy.com">mikhailtsoy.com</a></p> <br /><br /><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/v-byte-cpu/sx" rel="nofollow" target="_blank" title="Download Sx">Download Sx</a></span></b></div>
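<p>The TCP FIN and UDP scan sections above deliberately leave the interpretation of each reply to the operator. As an added example that is not part of sx, the following Go program applies that RFC 793 / RFC 1122 reasoning to sx's JSONL output; the scan names <code>tcpsyn</code>, <code>tcpfin</code> and <code>udp</code> are taken from the sample output above, and treating any other <code>tcp*</code> scan name as a member of the FIN/NULL/Xmas family is an assumption.</p>

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Reply is one line of sx --json output; fields absent for a scan type stay zero.
type Reply struct {
	Scan  string `json:"scan"`
	IP    string `json:"ip"`
	Port  int    `json:"port"`
	Flags string `json:"flags"` // letters s,a,f,r,p,u,e,c,n as listed in the README
	ICMP  *struct{ Type, Code int } `json:"icmp"` // encoding/json matches type/code case-insensitively
}

type Verdict string // the interpretation that sx deliberately leaves to the operator

const (
	Open       Verdict = "open"
	Closed     Verdict = "closed"
	Filtered   Verdict = "filtered"   // answered by a firewall, not the host's stack
	Unexpected Verdict = "unexpected" // not predicted by the RFC text quoted above
)

// Interpret applies the RFC 793 / RFC 1122 reasoning from the README to one reply.
func Interpret(r Reply) Verdict {
	switch {
	case r.Scan == "tcpsyn":
		return Open // a SYN scan line is only printed for ports that answered SYN/ACK
	case strings.HasPrefix(r.Scan, "tcp"): // assumed: FIN/NULL/Xmas family
		// RFC 793 3.9 makes a CLOSED port answer with RST ("ar"); an open port
		// silently drops the segment, so it never produces a line at all.
		if strings.Contains(r.Flags, "r") {
			return Closed
		}
	case r.Scan == "udp" && r.ICMP != nil && r.ICMP.Type == 3:
		if r.ICMP.Code == 3 {
			return Closed // RFC 1122 4.1.3.1: ICMP port unreachable from the host itself
		}
		return Filtered // other destination-unreachable codes are typical of firewalls
	}
	return Unexpected
}

// InterpretJSONL takes sx --json output (one JSON object per line) and returns
// one verdict per line, in input order; a malformed line aborts with an error.
func InterpretJSONL(text string) ([]Verdict, error) {
	var out []Verdict
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var r Reply
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("bad sx line %q: %w", line, err)
		}
		out = append(out, Interpret(r))
	}
	return out, nil
}

// sample: the README's example output lines plus one constructed ICMP code 13 reply.
const sample = `{"scan":"tcpsyn","ip":"192.168.0.171","port":22}
{"scan":"tcpfin","ip":"192.168.0.171","port":23,"flags":"ar"}
{"scan":"udp","ip":"192.168.0.171","icmp":{"type":3,"code":3}}
{"scan":"udp","ip":"192.168.0.172","icmp":{"type":3,"code":13}}`

func main() {
	v, err := InterpretJSONL(sample)
	fmt.Println(v, err) // [open closed closed filtered] <nil>
}
```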
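<p>As an added example that is not part of sx, the following Go code parses an exclude file in the format described in the Exclude subnets section above (one IP or CIDR subnet per line, <code>#</code> comments, blank lines) and checks candidate addresses against it; the sample file is built from the README's commented example, and the exact parsing rules are an assumption based only on that description.</p>

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ParseExcludes parses an sx-style --exclude file: one IP or CIDR subnet per line,
// blank lines skipped, and '#' starting a comment (whole line or trailing).
// Bare IPs become /32 (or /128) networks so every entry is a *net.IPNet.
func ParseExcludes(text string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for n, raw := range strings.Split(text, "\n") {
		line := raw
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // drop the comment
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if _, ipnet, err := net.ParseCIDR(line); err == nil {
			nets = append(nets, ipnet)
			continue
		}
		ip := net.ParseIP(line)
		if ip == nil {
			return nil, fmt.Errorf("line %d: %q is neither an IP nor a CIDR", n+1, line)
		}
		bits := 128
		if v4 := ip.To4(); v4 != nil {
			ip, bits = v4, 32
		}
		nets = append(nets, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
	}
	return nets, nil
}

// Excluded reports whether ip falls inside any parsed exclude network.
func Excluded(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// excludeFile is constructed from the README's commented example; not a real file.
const excludeFile = `# exclude RFC 1918 addresses
10.0.0.0/8 # comment 1
172.16.0.0/12 # comment 2
192.168.0.0/16 # comment 3

# ip addresses are valid as well
1.1.1.1
`

func main() {
	nets, err := ParseExcludes(excludeFile)
	if err != nil {
		panic(err)
	}
	// 172.31.0.9 is inside 172.16.0.0/12 (the RFC 1918 block); 172.32.0.1 is not.
	for _, t := range []string{"10.1.2.3", "172.31.0.9", "172.32.0.1", "1.1.1.1", "8.8.8.8"} {
		fmt.Printf("%-11s excluded=%v\n", t, Excluded(nets, net.ParseIP(t)))
	}
}
```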