truffleHog is a Python-based tool that searches Git repositories for high-entropy strings, digging through the full commit history of every branch. This makes it effective at finding secrets that were committed by accident, including ones that were removed again in a later commit.
truffleHog originally worked by running entropy checks on git diffs. That functionality still exists, but high-signal regex checks have been added, and entropy checking can now be suppressed, for example to run only the regex rules:
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
truffleHog walks the entire commit history of each branch, takes the diff of every commit and checks each diff for secrets, both by regex and by entropy. For the entropy check it evaluates the Shannon entropy, over both the base64 character set and the hexadecimal character set, of every run of characters from that set longer than 20 characters in the diff. Whenever such a run scores above the threshold, it is printed to the screen.
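The two checks described above (charset entropy over runs longer than 20 characters, plus high-signal regexes), written out as an added example that runs over a constructed diff. This is not truffleHog's own code: only the two character sets and the thresholds (4.5 bits per character for base64, 3.0 for hex) are taken from the tool's defaults, and the two regex rules are this example's own rather than the tool's regexes.json. The sample diff and the values in it are constructed; the AWS key ID is the 20-character placeholder from AWS's documentation.

```python
"""Added example: the two checks the text describes (charset entropy and
high-signal regexes) run over a constructed unified diff.  This is not
truffleHog's own code; only the character sets and thresholds are taken
from the tool's defaults."""
import math
import re

# Character sets scored for entropy (base64 includes the '=' padding char).
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"
MIN_LEN = 20            # only runs longer than this are scored
B64_THRESHOLD = 4.5     # bits per character; truffleHog's defaults
HEX_THRESHOLD = 3.0

# A small rule set in the spirit of truffleHog's regexes.json.  These two
# patterns are this example's own, not the tool's file.
REGEX_RULES = {
    "AWS Access Key ID": re.compile(r"AKIA[0-9A-Z]{16}"),
    "RSA private key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}


def shannon_entropy(data, charset):
    """Shannon entropy of `data` in bits per character, counting only `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def strings_of_charset(word, charset):
    """Maximal runs of `charset` characters in `word` longer than MIN_LEN."""
    runs, current = [], ""
    for ch in word + "\0":           # sentinel flushes the final run
        if ch in charset:
            current += ch
            continue
        if len(current) > MIN_LEN:
            runs.append(current)
        current = ""
    return runs


def entropy_hits(line):
    """Score every long base64 and hex run in a line against its own threshold.
    A hex string is also a valid base64 string, which is why both charsets are
    tried: 32 hex digits score 4.0 bits, below the base64 bar but above the hex one."""
    hits = []
    for word in line.split():
        for run in strings_of_charset(word, BASE64_CHARS):
            e = shannon_entropy(run, BASE64_CHARS)
            if e > B64_THRESHOLD:
                hits.append((run, "base64", round(e, 2)))
        for run in strings_of_charset(word, HEX_CHARS):
            e = shannon_entropy(run, HEX_CHARS)
            if e > HEX_THRESHOLD:
                hits.append((run, "hex", round(e, 2)))
    return hits


def regex_hits(line):
    """Apply every regex rule to the line; returns (matched text, rule name)."""
    return [(m.group(0), name) for name, rx in REGEX_RULES.items()
            for m in rx.finditer(line)]


def scan_diff(diff_text, entropy=True, regex=True):
    """Mirror --entropy/--regex over one diff.  Removed ('-') lines are scanned
    as well as added ones: a secret deleted in a later commit is still in history."""
    found = {"entropy": [], "regex": []}
    for line in diff_text.splitlines():
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        body = line[1:]
        if entropy:
            found["entropy"].extend(entropy_hits(body))
        if regex:
            found["regex"].extend(regex_hits(body))
    return found


# Constructed diff for the demo (not from any real repository).  The AWS key ID
# is the 20-character placeholder from AWS's own documentation: too short for
# the entropy check, which is exactly the gap the regex rules close.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
-SESSION_SALT = "0123456789abcdef0123456789abcdef"
+SESSION_SALT = "deadbeefdeadbeefdeadbeef"
+API_TOKEN = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+LOG_PATH = "/var/log/example/application.log"
"""

if __name__ == "__main__":
    for kind, hits in scan_diff(SAMPLE_DIFF).items():
        for hit in hits:
            print(kind, hit)
```

Running it flags the removed 32-digit hex salt (hex entropy exactly 4.0 bits) and the added 64-character base64 token (6.0 bits), while the repeated `deadbeef` salt and the `/var/log/example/application` path fall under their thresholds and the 20-character AWS key ID is caught only by the regex rule.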
Using truffleHog to Search Git for High Entropy Strings
usage: trufflehog [-h] [--json] [--regex] [--rules RULES]
[--entropy DO_ENTROPY] [--since_commit SINCE_COMMIT]
Find secrets hidden in the depths of git.
git_url URL for secret searching
-h, --help show this help message and exit
--json Output in JSON
--regex Enable high signal regex checks
--rules RULES Ignore default regexes and source from json list file
--entropy DO_ENTROPY Enable entropy checks
--since_commit SINCE_COMMIT Only scan from a given commit hash
The max commit depth to go back when searching for
-i INCLUDE_PATHS_FILE, --include_paths INCLUDE_PATHS_FILE
File with regular expressions (one per line), at least
one of which must match a Git object path in order for
it to be scanned; lines starting with "#" are treated
as comments and are ignored. If empty or not provided
(default), all Git object paths are included unless
otherwise excluded via the --exclude_paths option.
-x EXCLUDE_PATHS_FILE, --exclude_paths EXCLUDE_PATHS_FILE
File with regular expressions (one per line), none of
which may match a Git object path in order for it to
be scanned; lines starting with "#" are treated as
comments and are ignored. If empty or not provided
(default), no Git object paths are excluded unless
effectively excluded via the --include_paths option.
You can download truffleHog here:
Or read more here.
AIEngine is a next-generation interactive/programmable network intrusion detection engine, scriptable from Python, Ruby, Java, Lua and Go, with capabilities such as learning without any human intervention, DNS domain classification, spam detection, network collection and network forensics, among others.
AIEngine also helps network and security professionals identify traffic and develop signatures for use in NIDS, firewalls, traffic classifiers and so on.
Functionality of AIEngine AI-driven Network Intrusion Detection System
The main functionalities of AIEngine are:
- Support for interacting with and programming the engine while it is running.
- Support for PCRE JIT for regex matching.
- Support for regex graphs (complex detection patterns).
- Support for six types of NetworkStacks (lan, mobile, lan6, virtual, oflow and mobile6).
- Support for Sets and Bloom filters for IP searches.
- Supports the x86_64, ARM and MIPS architectures on operating systems such as Linux, FreeBSD and macOS.
- Support for HTTP, DNS and SSL domain matching.
- Support for banned domains and hosts for HTTP, DNS, SMTP and SSL.
- Frequency analysis of unknown traffic and automatic regex generation.
- Generation of Yara signatures.
- Easy integration with databases (MySQL, Redis, Cassandra, Hadoop, etc.) for data correlation.
- Easy integration with other packet engines (Netfilter).
- Support for clearing memory caches to refresh the stored information.
- Support for detecting DDoS at the network and application layers.
- Support for rejecting TCP/UDP connections.
- Support for real-time network forensics.
- Support for JA3 TLS signatures on SSL.
- Supports protocols such as Bitcoin, CoAP, DHCPv4/DHCPv6, DNS, GPRS, GRE, HTTP, ICMPv4/ICMPv6, IMAP, IPv4/v6, Modbus, MPLS, MQTT, Netbios, NTP, OpenFlow, PPPoE, POP, Quic, RTP, SIP, SMB, SMTP, SSDP, SSH, SSL, TCP, UDP, VLAN, VXLAN.
- Integrated HTTP server for retrieving state from and configuring the system.
Using AIEngine AI-driven Network Intrusion Detection System
To use AIEngine (reduced version) just execute the aiengine binary, or use the Python, Ruby, Java or Lua bindings.
luis@luis-xps:~/c++/aiengine/src$ ./aiengine -h
-I [ --input ] arg Sets the network interface, pcap file or
directory with pcap files.
Link Layer optional arguments:
-q [ --tag ] arg Selects the tag type of the ethernet layer (vlan,mpls).
TCP optional arguments:
-t [ --tcp-flows ] arg (=32768) Sets the number of TCP flows on the pool.
UDP optional arguments:
-u [ --udp-flows ] arg (=16384) Sets the number of UDP flows on the pool.
Regex optional arguments:
-R [ --enable-signatures ] Enables the Signature engine.
-r [ --regex ] arg (=.*) Sets the regex to evaluate against the flows.
-c [ --flow-class ] arg (=all) Uses tcp, udp or all for matches the signature
on the flows.
-m [ --matched-flows ] Shows the flows that match the regex.
-M [ --matched-packet ] Shows the packet payload that matches with
-C [ --continue ] Continue evaluating the regex with the
next packets of the Flow.
-j [ --reject-flows ] Rejects the flows that match the
-w [ --evidence ] Generates a pcap file with the matching
regex for forensic analysis.
Frequencies optional arguments:
-F [ --enable-frequencies ] Enables the Frequency engine.
-g [ --group-by ] arg (=dst-port) Groups frequencies by src-ip, dst-ip, src-port and dst-port.
-f [ --flow-type ] arg (=tcp) Uses tcp or udp flows.
-L [ --enable-learner ] Enables the Learner engine.
-k [ --key-learner ] arg (=80) Sets the key for the Learner engine.
-b [ --buffer-size ] arg (=64) Sets the size of the internal buffer for
generate the regex.
-Q [ --byte-quality ] arg (=80) Sets the minimum quality for the bytes of
the generated regex.
-y [ --enable-yara ] Generates a yara signature.
-n [ --stack ] arg (=lan) Sets the network stack (lan,mobile,lan6,virtual,
-d [ --dumpflows ] Dump the flows to stdout.
-s [ --statistics ] arg (=0) Show statistics of the network stack (5 levels).
-T [ --timeout ] arg (=180) Sets the flows timeout.
-P [ --protocol ] arg Show statistics of a specific protocol of the
-a [ --port ] arg (=0) Sets the HTTP listening port.
-e [ --release ] Release the caches.
-l [ --release-cache ] arg Release a specific cache.
-p [ --pstatistics ] Show statistics of the process.
-o [ --summary ] Show protocol summary statistics
(bytes,packets,% bytes,cache miss,memory).
-h [ --help ] Show help.
-v [ --version ] Show version string.
You can download AIEngine here:
Or read more here.
Sooty is a tool developed to help SOC analysts automate parts of their workflow and speed up their process.
The main goal of Sooty is to perform as many of the routine checks as possible, leaving the analyst more time for deeper analysis.
Features of Sooty SOC Analyst CLI Tool
- Sanitise URLs so they are safe to send in emails
- Perform reverse DNS and DNS lookups
- Perform reputation checks from external services such as AbuseIPDB (see requirements)
- Check whether an IP address is a Tor exit node
- Decode Proofpoint URLs, UTF-8 encoded URLs, Office SafeLinks URLs and Base64 strings
- Get file hashes and compare them against VirusTotal (see requirements)
- Perform WHOIS lookups
- Check usernames and emails against HaveIBeenPwned to see whether they appear in a breach (see requirements)
- Simple analysis of emails to retrieve URLs, email addresses and header information
- Extract IP addresses from emails
- Unshorten URLs that have been shortened by external services (limited to 10 requests per hour)
- Query URLScan.io for reputation reports
- Analyse email addresses for known malicious activity and report on domain reputation using EmailRep.io
- Create dynamic email templates that can be used as a base for phishing triage responses (.msg only; .eml coming in a future update)
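The URL sanitising and decoding features listed above, as an added example in Python (Sooty's language). This is not Sooty's own code. It follows the publicly documented wrapper formats: Office 365 SafeLinks carry the real target percent-encoded in the url= query parameter of a *.safelinks.protection.outlook.com URL, and Proofpoint URL Defense v1 and v2 carry it in the u= parameter (v2 additionally swaps "/" for "_" and writes reserved bytes as -XX). Proofpoint v3 links use a different encoding and are deliberately not handled. The SAFELINK and PROOFPOINT_V2 sample inputs are constructed: the wrapper domains are real, the targets and tracking parameters are made up.

```python
"""Added example: URL defanging and decoding of the wrapped URL formats the
Sooty feature list names.  Not Sooty's code; see the lead-in for assumptions."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse


def defang(url):
    """Rewrite a URL so mail clients will not turn it into a clickable link:
    http(s) becomes hxxp(s) and every '.' becomes '[.]'."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace(".", "[.]")


def refang(text):
    """Undo defang() so a defanged indicator pasted from a ticket can be analysed."""
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE).replace("[.]", ".")


def decode_safelink(url):
    """Office 365 SafeLinks put the real target, percent-encoded, in the ?url=
    parameter of a *.safelinks.protection.outlook.com URL."""
    parsed = urlparse(url)
    if not parsed.netloc.endswith("safelinks.protection.outlook.com"):
        return None
    target = parse_qs(parsed.query).get("url")   # parse_qs percent-decodes
    return target[0] if target else None


def decode_proofpoint(url):
    """Proofpoint URL Defense v1 carries the target percent-encoded in ?u=.
    v2 also replaces '/' with '_' and writes each reserved byte as -XX, so a
    literal '-' in the original appears as -2D.  v3 uses a different scheme
    and is deliberately left unhandled here (returns None)."""
    parsed = urlparse(url)
    if parsed.netloc != "urldefense.proofpoint.com":
        return None
    u = parse_qs(parsed.query).get("u")
    if not u:
        return None
    if parsed.path.startswith("/v1/"):
        return u[0]
    if parsed.path.startswith("/v2/"):
        return unquote(u[0].replace("_", "/").replace("-", "%"))
    return None


def unwrap(url):
    """Peel SafeLinks / Proofpoint wrapping until a plain URL remains.
    The `seen` set stops a malformed link from looping forever."""
    seen = set()
    while url not in seen:
        seen.add(url)
        inner = decode_safelink(url) or decode_proofpoint(url)
        if inner is None:
            break
        url = inner
    return url


def decode_base64(s):
    """Decode Base64 copied out of a header or log, tolerating stripped padding."""
    s = s.strip()
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s).decode("utf-8", errors="replace")


# Constructed sample inputs for the demo; the wrapper domains are real, the
# targets and tracking parameters are made up.
SAFELINK = ("https://nam02.safelinks.protection.outlook.com/?url="
            "https%3A%2F%2Fwww.example.com%2Flogin%3Fid%3D1&data=02%7C01%7C&reserved=0")
PROOFPOINT_V2 = ("https://urldefense.proofpoint.com/v2/url?"
                 "u=https-3A__www.example.com_login-3Fid-3D1&d=DwMFaQ&e=")

if __name__ == "__main__":
    for wrapped in (SAFELINK, PROOFPOINT_V2):
        print(defang(unwrap(wrapped)))       # hxxps://www[.]example[.]com/login?id=1
    print(decode_base64("aGVsbG8gd29ybGQ"))  # hello world
```

Both sample wrappers unwrap to the same target, which is then defanged before it goes into an email or ticket; the unpadded Base64 case shows why the padding is recomputed rather than trusted.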
Installing Sooty SOC Analyst CLI Tool
- Python 3.x
- Install all dependencies from the requirements.txt file:
pip install -r requirements.txt
- Hash comparison with VirusTotal requires an API key: replace the placeholder VT_API_KEY in the code with your own key. The tool still functions without it, but this feature will not work.
- The reputation checker for AbuseIPDB requires an API key: replace the placeholder AB_API_KEY in the code with your own key. The tool still functions without it, but this feature will not work.
- The URLScan.io checker requires an API key: replace the placeholder URLSCAN_IO_KEY in the code with your own key. The tool still functions without it, but this feature will not work.
- The HaveIBeenPwned functionality requires an API key: replace the placeholder HIBP_API_KEY in the code with your own key. The tool still functions without it, but this feature will not work.
Note that each of these steps puts a live key into a source file. Keep the edited copy out of any shared repository: a key pasted into source is exactly the kind of string truffleHog, covered above, is built to flag.
You can download Sooty here:
Or read more here.
UBoat is a PoC HTTP botnet designed to replicate a fully weaponised commercial botnet, in the mould of well-known large-scale infectors such as Festi, Grum, Zeus and SpyEye.
Reviews of popular botnets have shown that HTTP-based botnets have a set of attributes that make them difficult to detect. At the same time, the number of studies focusing on the detection of HTTP-based botnets is relatively low (compared with those on IRC-based and P2P botnets), especially for HTTP-based mobile botnets, which operate on mobile devices and networks.
The main objective behind the creation of UBoat was to aid security researchers and to improve understanding of commercial HTTP loader-style botnets so that effective countermeasures can be developed.
Features of UBoat HTTP Botnet
- Coded in C++ with no dependencies
- Encrypted C&C communications
- Persistence, to prevent control being lost
- Connection redundancy (uses a fallback server address or domain)
- DDoS methods (TCP and UDP flood)
- Task creation system (altering system HWID, Country, IP, OS.System)
- Remote commands
- Update and uninstall other malware
- Download and execute other malware
- Active as well as passive keylogger
- Enable Windows RDP
- Plugin system for easy feature updates
Full panel setup instructions can be found on the UBoat GitHub wiki here.
You can download UBoat here:
Or you can read more here.
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner. AWS Lambda is an event-driven, serverless computing platform provided by Amazon Web Services. It is a computing service that runs code in response to events and automatically manages the computing resources […]
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows. This will convert any binary file (*.exe) to a BAT file, the resulting BAT file contains only echo commands followed by a PowerShell command to re-create the original binary file. […]