snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn’t be public and can pose a security risk.
Typical examples include publicly accessible git repositories, backup files potentially containing passwords or database dumps. In addition it contains a few checks for other security vulnerabilities.
snallygaster HTTP Secret File Scanner Features
This is an overview of the tests provided by snallygaster.
- lfm_php – Checks for Lazy File Manager
- idea – Config file for JetBrains
- symphony_databases_yml – Symphony database config file
- rails_database_yml – Ruby on Rails default config file
- git_dir – Download the full Git repo
- svn_dir – Download the full SVN repo
- cvs_dir – Download the full CVS repo
- apache_server_status – Apache server-status page
- coredump – Memory dump file on Linux
- sftp_config – Configuration file from sublime FTP client
- wsftp_ini – Configuration file for WS_FTP
- filezilla_xml – Configuration file for FileZilla
- winscp_ini – Configuration file for WinSCP
- ds_store – Apple OS X File Manager
- backupfiles – Backup files and other leftovers from editors
- deadjoe – JOE editor dump file
- sql_dump – Checks for common names of SQL database dumps
- bitcoin_wallet – Scans for Bitcoin wallet files
- drupal_backup_migrate – Drupal migration backup
- magento_config – Magento XML based config file
- xaa – Output of the Linux split command
- optionsbleed – Checks for Optionsbleed vuln
- privatekey – Checks for private keys
- sshkey – Looks for SSH private keys
- dotenv – Looks for Laravel .env files
- invalidsrc – Checks webpage source for all inaccessible references
- ilias_defaultpw – Checks for the Ilias e-learning software default creds
- cgiecho – Leaks files from cgiemail
- phpunit_eval – Test for remote code execution
- axfr – Checks for DNS AXFR zone transfer requests
You could probably achieve something similar with Burp Intruder or Patator and something like the quickhits list from SecLists.
You can download snallygaster here:
Or read more here.
Topic: Hacking Tools
Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port. As a result, any attackers port scan results will become fairly meaningless and will require hours of effort to accurately identify which ports have real services on and which do not.
The tool is meant to be a lightweight, fast, portable and secure addition to any firewall system or security system. The general goal of the program is to make the reconnaissance phase as slow and bothersome for your attackers as possible. This is quite a change to the standard 5s Nmap scan, that will give a full view of your systems running services.
Techniques Used by Portspoof
All configured TCP ports are always open
Instead of informing an attacker that a particular port is in a CLOSED or FILTERED state a system running Portspoof will return SYN+ACK for every connection attempt, spoof all ports open.
Result: As a result it is impractical to use stealth (SYN, ACK, etc.) port scanning against your system, since all ports are always reported as OPEN. With this approach it is really difficult to determine if a valid software is listening on a particular port.
Every open TCP port emulates a valid services
Portspoof has a huge dynamic service signature database, that will be used to generate responses to your offenders scanning software service probes.
Scanning software usually tries to determine a service that is running on an open port. This step is mandatory if one would want to identify port numbers on which you are running your services on a system behind the spoofed ports. For this reason, Portspoof will respond to every service probe with a valid service signature, that is dynamically generated based on a service signature regular expression database.
Result: As a result an attacker will not be able to determine which port numbers your system is truly using.
Portspoof Port Spoofing Tool Features
The most important features that Portspoof has:
- Portspoof is a userland software and does not require root privilege
- Binds to just one TCP port per a running instance
- Easily customizable through your iptables rules
- Marginal CPU/memory usage (multithreaded)
- More than 9000 dynamic service signatures are supported
If you choose to, Portspoof can be used as an ‘Exploitation Framework Frontend’, that turns your system into a responsive and aggressive machine. This means exploiting your attackers’ tools and exploits in response to a port scan.
You can download Portspoof here:
Or read more here.
Topic: Countermeasures
Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
It’s kicking off in the UK and the US and Mark Zuckerberg has had to come out publically and apologise about the involvement of Facebook.
This goes deep with ties to elections and political activities in Malaysia, Mexico, Brazil, Australia and Kenya.
Controversial data analytics firm Cambridge Analytica has been hit with an emergency data seizure order in England following an extraordinary series of events Monday night that revolved around a TV undercover expose.
Following a day in which the company became the focus of attention online, in print, and in the UK Parliament and US Congress for its unethical use of user data, senior executives from the firm were then shown on camera boasting about the use of dark methods, including honey traps, fake news and sub-contracting with ex-spies to entrap individuals.
Those revelations – filmed during an undercover investigation by Channel 4 in the UK – came as the controversial company was already in the news after it was revealed it had secretly grabbed the personal details of over 50 million Facebook users and used the data to sell voter targeting services.
Following the segment on those secret recordings, UK Information Commissioner Elizabeth Denham said she would seek a warrant on Tuesday forcing Cambridge Analytica to hand over relevant data, after she said the company had refused to respond sufficiently to earlier requests.
Adding to a sense of drama, as Denham was on television saying she would apply for the warrant, a Channel 4 reporter posted outside the company’s headquarters reported that a team from Facebook was inside the building ensuring that their purloined data had been deleted.
There’s a whole #DeleteFacebook movement spawning from this like it’s somehow new that we are actually the product on Social Media networks and we live in a post-privacy era.
It’s a pretty widespread story as it affects pretty much every continent and billions of individuals all around the World.
Less than an hour after the program aired, the authorities announced they had received a warrant to search Cambridge Analytica’s offices that very night.
As to the undercover investigation, Channel 4’s reporters posed as Sri Lankan clients interested in paying the company to help their candidates in upcoming elections. Over the course of a series of meetings in London a series of senior executives outlined an increasingly disturbing array of services they would be willing to provide.
At an initial meeting with its managing director Mark Turnbull and chief data officer Dr Alex Tayler the pair talked about their infamous data analytics and profiling services as a way to identify potential swing voters.
That ethical line appeared to disappear however when the undercover journalists met with Cambridge Analytica’s chief executive Alexander Nix.
Nix was caught on film outlining a series of extremely dubious and many cases illegal scenarios for dealing with political opponents. They included bribing officials and candidates – “we can have a wealthy developer come in and offer a large amount of money to a candidate – for land, for example” – and film the transaction in order to expose them as corrupt.
He also suggested that the company could arrange for a honey-trap – sending young women to operate a sex sting – while stressing that he was “just giving examples of what can be done, what has been done.”
He also appeared to embrace the idea of creating and promoting fake news – an extremely sensitive topic given the evidence that fake news was used extensively in the US presidential elections in 2016 – noting that “it doesn’t have to be true, it just has to be believed.”
The latest is that Alexander Nix has been suspended pending an investigation.
The whistleblower for the whole thing is a young researcher called Christopher Wylie from London.
It even manages to be much bigger than the Equifax leak and scandal.
Source: The Register
Topic: Hacking News
GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it’s a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
It’s useful in a discovery phase of a pen-testing assessment, this tool can provide you with more information about your target and scope.
Features of GetAltName to Discover Sub-Domains
- Strips wildcards and www’s
- Returns a unique list (no duplicates)
- Works on verified and self-signed certs
- Domain matching system
- Filtering for main domains and TLDs
- Gets additional sub-domains from crt.sh
- Outputs to clipboard
GetAltName Subdomain Exctraction Tool Usage
You can output to a text file and also copy the output to your clipboard as a List or a Single line string, which is useful if you’re trying to make a quick scan with Nmap or other tools.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
usage: getaltname.py [-h] [-p PORT] [-s [timeout]] [-m] [-o OUTPUT] [-c {l,s}] [-d] hostname positional arguments: hostname Host to analyze. optional arguments: -h, --help show this help message and exit -p PORT, --port PORT Destiny port (default 443) -s [timeout], --search-crt [timeout] Retrieve subdomains found in crt.sh -m, --matching-domain Show matching domain name only -o OUTPUT, --output OUTPUT Set output filename -c {l,s}, --clipboard {l,s} Copy the output to the clipboard as a List or a Single string -d, --debug Set debug enable |
GetAltName Required
- colorama
- ndg-httpsclient
- pyperclip
- requests
- tldextract
There are other DNS discovery and extraction tools using different methods, including brute-forcing such as:
– InstaRecon – Automated Subdomain Discovery Tool
– hostmap 0.2 – Automatic Hostname & Virtual Hosts Discovery Tool
– SubBrute – Subdomain Brute-forcing Tool
– altdns – Subdomain Recon Tool With Permutation Generation
You can download GetAltName here:
Or read more here.
Topic: Hacking Tools
Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan. This is related to the recent record-breaking Memcached DDoS attacks that are likely to plague 2018 with over 100,000 vulnerable Memcached servers showing up in Shodan. What is […]
Topic: Hacking Tools
QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service. From reviews, it seems like a competent tool with a low rate of false positives that is fairly easy to work with and keep the more ‘dangerous’ parts of vulnerability […]
Topic: Security Software