Archive | December, 2015

Pupy Download – Open-Source Remote Administration Tool – RAT


Pupy is an open-source, cross-platform remote administration tool (RAT) with an embedded Python interpreter, allowing its modules to load Python packages from memory and transparently access remote Python objects. Pupy can communicate over different transports and has a bunch of cool features and modules. On Windows, Pupy uses reflective DLL injection and leaves no traces on disk.



This is absolutely killer for the Python crowd and opens the possibility of a pure Python worm, with in-memory-only execution of Python modules on the target. That means no detection by malware scanners, as it doesn’t touch the disk the way the meterpreter reverse_shell does.

Pupy RAT Features

Pupy has a fairly complete feature set and covers the following:

  • Multi-platform (tested on windows xp, 7, 8, 10, kali linux, ubuntu, osx, android)
  • On windows, the Pupy payload can be compiled as a reflective DLL and the whole python interpreter is loaded from memory. Pupy does not touch the disk :)
  • pupy can also be packed into a single .py file and run without any dependencies other than the python standard library on all OS
    • pycrypto gets replaced by pure python aes && rsa implementations when unavailable
  • Can reflectively migrate into other processes
  • Can remotely import, from memory, pure python packages (.py, .pyc) and compiled python C extensions (.pyd, .so). The imported python modules do not touch the disk.
  • Easily extensible, modules are quite simple to write, sorted by os and category.
  • A lot of awesome modules are already implemented!
  • Pupy uses rpyc and a module can directly access python objects on the remote client
    • We can also access remote objects interactively from the pupy shell and you even get auto-completion of remote attributes!
  • Communication transports are modular, stackable and awesome. You could exfiltrate data using HTTP over HTTP over AES over XOR. Or any combination of the available transports !
  • Can communicate using obfsproxy pluggable transports
  • All the non interactive modules can be dispatched to multiple hosts in one command
  • Commands and scripts running on remote hosts are interruptible
  • Auto-completion for commands and arguments
  • Custom config can be defined: command aliases, modules automatically run at connection, …
  • Interactive python shells with auto-completion can be opened on the all-in-memory remote python interpreter
  • Interactive shells (cmd.exe, /bin/bash, …) can be opened remotely. Remote shells on Unix & windows clients have a real tty with all keyboard signals working fine, just like an ssh shell
  • Execute PE exe remotely and from memory (cf. ex with mimikatz)
  • Generate payloads in various formats: apk, lin_x86, lin_x64, so_x86, so_x64, exe_x86, exe_x64, dll_x86, dll_x64, py, pyinst, py_oneliner, ps1, ps1_oneliner, rubber_ducky
  • Can be deployed in memory, from a single command line using pupygen.py’s python or powershell one-liners.
  • “scriptlets” can be embedded in generated payloads to perform some tasks “offline” without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm …)

The imported python modules do not touch the disk (.pyd memory import currently works on Windows only; .so memory import is not implemented). Via rpyc you can also access remote objects interactively from the pupy shell, and auto-completion of remote attributes works.


Pupy Open Source RAT Modules

  • All platforms:

    • command execution
    • download
    • upload
    • interactive python shell with auto-completion
    • interactive shell (cmd.exe, powershell.exe, /bin/sh, /bin/bash, …)
      • tty allocation is well supported on both windows and *nix. It just looks like an ssh shell
    • shellcode exec
    • persistence
    • socks5 proxy
    • local and remote port forwarding
    • screenshot
    • keylogger
    • run the awesome credential gathering tool LaZagne from memory !
    • sniff tools, netcreds
    • process migration (windows & linux, not osx yet)
    • a lot of other tools (upnp client, various recon/pivot tools using impacket remotely, …)

    Windows specific:

    • migrate
      • inter process architecture injection also works (x86->x64 and x64->x86)
    • in memory execution of PE exe both x86 and x64!
    • webcam snapshot
    • microphone recorder
    • mouselogger:
      • takes small screenshots around the mouse at each click and sends them back to the server
    • token manipulation
    • getsystem
    • creddump
    • tons of useful powershell scripts

    Android specific:

    • Text to speech for Android to say stuff out loud
    • webcam snapshots (front cam & back cam)
    • GPS tracker !

You can download Pupy here:

master.zip

Or read more here.

Posted in: Hacking Tools



Latest Posts:


Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation.
dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network
OWASP Amass – DNS Enumeration, Attack Surface Mapping & External Asset Discovery
The OWASP Amass Project is a DNS Enumeration, Attack Surface Mapping & External Asset Discovery tool to help information security professionals perform network mapping of attack surfaces.
Cameradar – Hack RTSP Video Surveillance CCTV Cameras
Cameradar is a Go-based tool to hack RTSP Video Surveillance CCTV Cameras, it can detect open RTSP hosts, detect device models and launch automated attacks.
dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).


Latest Update Patches 78 CVE-classified Flash Security Vulnerabilities


So as a rule, in 2015 running Adobe Flash is already pretty scary – but the latest patch release covers 78 CVE-classified Flash security vulnerabilities.

That’s not scary, that’s terrifying.


By now you kinda expect flaws in Flash, it’s just a given. But 78 CVE-classified vulnerabilities in one patch release? That’s just insane, that’s worse than the worst Windows release.

Adobe has released another update to address dozens of flaws in its Flash Player browser plug-in.

The December update fixes 78 CVE-classified security vulnerabilities in Flash Player for OS X, Windows, Linux, and Android. The patch includes 75 separate vulnerabilities that could be exploited by an attacker to remotely execute code on a vulnerable system.

In addition to the 75 remote code execution flaws, the update addresses three CVE-listed vulnerabilities that could allow for security bypasses. Adobe said it has not yet received any reports of the flaws being targeted in the wild.

Adobe is advising users running OS X and Windows to update their copy of Flash Player to version 20 or later, while Chrome, IE 11, and Microsoft Edge users will receive their updates through the browser. Adobe classifies the fix as a top priority for all Windows, OS X, and Linux browser versions.


So yah if you or your organisation is running Flash, don’t – just please stop. You don’t even have to visit dodgy sites any more, visit a legitimate site with a compromised ad banner and boom – you’re owned.

For example the Dailymotion malvertising attack that took place just a few days ago.

Users running Adobe AIR and AIR SDK for Windows, OS X, Android, or iOS are also advised to update their software to address the vulnerabilities.

Many will point to this latest update as yet another reason for developers, users, and site operators to minimize or outright eliminate the use of Flash. With more-secure platforms such as HTML5 gaining adoption, alternatives to the bug-riddled Flash are only growing more attractive.

Researchers have found that even when the browser-facing components of Flash are disabled, code can be injected into other documents that launches Flash and then exploits its vulnerabilities, leaving outright removal as the only option.

Even Adobe is nudging customers away from Flash, renaming its most-recent version of Flash Tools “Animator” and encouraging a move over to HTML5.

HTML5 can do everything that Flash was designed to do, I think people just want to commit the development time into replacing this obsolete technology. Adverts are still Flash, non-YouTube videos on the majority of the web are still Flash, interactive site elements are still Flash, some shitty websites are still entirely built in Flash.

I turned off Flash long ago, but it still saddens me that today, at the end of 2015, that still breaks parts of the Internet for me.

Please, give the World a great Xmas present and just KILL FLASH.

Source: The Register

Posted in: Exploits/Vulnerabilities





SprayWMI – PowerShell Injection Mass Spray Tool


SprayWMI is a method for mass spraying Unicorn PowerShell injection to CIDR notations. It’s an alternative to traditional, ‘noisy’ tools which leave something on the disk like PsExec, smbexec, winexe and so on.


These tools have worked really well; however, they are fairly noisy, creating a service and touching disk, which will trigger modern defense tools such as Bit9 and other tools that detect rogue binaries on systems. Even using something like the standard psexec module in Metasploit nowadays will cause Windows Security Essentials to flag the service exe that gets created.

Using WMI (Windows Management Instrumentation) gives another path to execute code and commands on remote systems without touching disk or creating a new service. It also works with either the actual password or the hash.

The initial WMI communications use TCP port 135 and afterwards a random port is negotiated. Since WMI and RPC services are often used for remote administration and administration tools, it is common to see these ports open and unfiltered on internal networks.


It’ll literally be raining shells after you fire this tool up.

Usage

Example

It’s really fast, finishing a class C in around 4 seconds.
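The traffic pattern described above (one source opening TCP/135 to a whole subnet within seconds, each hit followed by a connection to a negotiated high port) is something a defender can look for in flow logs. The detector below is an added example, not part of SprayWMI or the original post; the log format ("epoch src dst dport"), the sample flows, the dynamic-port floor and the thresholds are all constructed assumptions.

```python
"""Flag WMI/DCOM spraying in connection logs (added example, constructed data)."""
from collections import defaultdict

RPC_EPMAP_PORT = 135      # first hop of a WMI/DCOM session (RPC endpoint mapper)
HIGH_PORT_MIN = 49152     # assumed floor of the dynamic RPC port range
WINDOW_SECONDS = 10       # the post says a class C finishes in about 4 seconds
MIN_TARGETS = 8           # constructed threshold; tune to the environment

# Constructed sample: 10.0.0.5 sprays 10.0.0.20-29; 10.0.0.9 is ordinary admin use.
SAMPLE_FLOWS = "\n".join(
    [f"1449000000 10.0.0.5 10.0.0.{20 + i} 135" for i in range(10)]
    + [f"1449000001 10.0.0.5 10.0.0.{20 + i} {49152 + i}" for i in range(10)]
    + ["1449000050 10.0.0.9 10.0.0.30 135",
       "1449000051 10.0.0.9 10.0.0.30 49200",
       "1449000400 10.0.0.9 10.0.0.31 135"]
)

def parse_flows(text):
    """Parse 'epoch src dst dport' lines into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows

def find_wmi_sprays(flows, window=WINDOW_SECONDS, min_targets=MIN_TARGETS):
    """Return {src: sorted targets} for sources that hit TCP/135 on at least
    min_targets distinct hosts inside `window` seconds and also opened a high
    port to each of those hosts (the second, negotiated DCOM connection)."""
    epmap = defaultdict(list)   # src -> [(ts, dst)] for port-135 connections
    high = defaultdict(set)     # (src, dst) -> high ports seen
    for ts, src, dst, dport in flows:
        if dport == RPC_EPMAP_PORT:
            epmap[src].append((ts, dst))
        elif dport >= HIGH_PORT_MIN:
            high[(src, dst)].add(dport)
    findings = {}
    for src, hits in epmap.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):          # sliding time window over 135 hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1] if high.get((src, dst))}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            findings[src] = sorted(best)
    return findings

def detect(text=SAMPLE_FLOWS):
    """Run the detector over a log text (defaults to the constructed sample)."""
    return find_wmi_sprays(parse_flows(text))

if __name__ == "__main__":
    for src, targets in detect().items():
        print(f"possible WMI spray from {src}: {len(targets)} hosts, e.g. {targets[:3]}")
```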

You can download SprayWMI here:

spraywmi-master.zip

Or read more here.

Posted in: Exploits/Vulnerabilities, Hacking Tools, Windows Hacking





VTech Hack – Over 7 Million Records Leaked (Children & Parents)


And once again, the messy technical flaws of a company are being exposed with the recent VTech hack – it’s really not looking good for them, with account passwords ‘secured’ with unsalted MD5 hashes and all kinds of private information leaked, including parents’ addresses, kids’ birthdays, genders, secret answers and associated metadata (IP addresses, download histories and more).


The attack was originally reported to have leaked only around 220,000 records – but it turns out to be way worse than that: 4.8 million parents and 6.37 million children, including 1.2 million users of its KidConnect messaging service.

Names, home and email addresses, security questions and answers, and more information on millions of families worldwide have been swiped from a top toymaker’s database.

And the birthdays, names, and genders of nearly a quarter of a million kiddies have been accessed, too.

Chinese electronics giant VTech today admitted its systems were compromised on November 14. Miscreants were able to extract customer records from its Learning Lodge app store, which provides downloads of games, books, music and other stuff for VTech toys. The Hong Kong-based biz specializes in making computer-like gizmos for preschool kids to play with, settling them in for a lifetime of fondleslab smearing and internet addiction.

Computer security bloke Troy Hunt says he has seen a copy of the swiped information, and reckons he found “4.8 million unique customer email addresses,” suggesting that many accounts have been raided by hackers.

He also said people’s account passwords were one-way encrypted using MD5, a particularly weak hashing algorithm, meaning simple passwords can be easily cracked and revealed. No salting was used, so off-the-shelf rainbow tables can be used to divulge rudimentary passwords like “children15” or “welcome81”.


So yah, pretty serious stuff, with the compromised KidConnect and Learning Lodge holding some fairly sensitive information on both parents and children. Even though chats, images and audio are encrypted, it turns out they aren’t encrypted very well: a fairly weak algorithm AND weak keys. For example, the MD5 hash used for the filename is a hash of the KidConnect username, in uppercase, plus a constant value – ‘vtech’ or ‘vtechvtech’.

And the data itself is encrypted using the current time plus a PRNG, which does not make for a very securely encrypted file.
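To make the two weaknesses above concrete (unsalted MD5 password storage, and a filename "key" that is just md5(UPPERCASE_USERNAME + constant)), here is an added example that is not VTech’s code or the original post’s. All accounts, passwords and the tiny wordlist are constructed; the last part shows the hardened alternative, a per-user salt with a slow KDF (PBKDF2-HMAC-SHA256), which is the fix a practitioner would apply.

```python
"""Unsalted MD5 vs salted PBKDF2, on constructed data (added example)."""
import hashlib
import hmac
import os

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

# (1) The weak scheme: store md5(password) with no salt. Constructed accounts;
# note parent1 and parent3 chose the same password.
ACCOUNTS = {
    "parent1@example.test": md5_hex("children15"),
    "parent2@example.test": md5_hex("welcome81"),
    "parent3@example.test": md5_hex("children15"),
}
WORDLIST = ["password", "children15", "welcome81", "letmein"]   # constructed

def crack_unsalted(stored, wordlist):
    """Without a salt, one precomputed table of md5(word) answers every
    account at once, and equal hashes reveal equal passwords for free."""
    table = {md5_hex(w): w for w in wordlist}      # built once, reused forever
    return {user: table[h] for user, h in stored.items() if h in table}

# (2) The filename scheme described in the post: md5(USERNAME + constant).
# Anyone who knows a username and the constant can reproduce the name.
def kidconnect_filename(username, constant="vtech"):
    return md5_hex(username.upper() + constant)   # 'vtech' or 'vtechvtech' per the post

# (3) The hardened scheme: random per-user salt plus a deliberately slow KDF.
PBKDF2_ROUNDS = 200_000   # assumed work factor; raise as hardware allows

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

def salted_hashes_differ(password):
    """Same password, two users, two salts: stored values differ, so there is
    no shared lookup table and no 'these users share a password' leak."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2

if __name__ == "__main__":
    print("cracked from one table:", crack_unsalted(ACCOUNTS, WORDLIST))
    print("filename for 'alice':", kidconnect_filename("alice"))
    salt, digest = hash_password("children15")
    print("verify:", verify_password("children15", salt, digest),
          "salts differ:", salted_hashes_differ("children15"))
```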

Toymaker VTech has admitted that millions of kiddies’ online profiles were left exposed to hackers – much higher than the 220,000 first feared.

On Tuesday, the Hong Kong biz confessed in an updated FAQ page that it did not properly secure personal information on 4.8 million parents and 6.37 million children – including 1.2 million users of its KidConnect messaging service.

That admission comes four days after it emerged that a hacker had raided the entertainment company’s customer database.

After families buy VTech’s computer-like toys, which are aimed at preschool tykes, they are encouraged to sign up for online accounts to download apps, music, books and more to the gizmos.

That requires handing over sensitive information, such as parents’ names, email addresses and home addresses, and the birthdays, names, and genders of youngsters. All this data – plus MD5-hashed passwords, secret answers to personal questions for password resets, IP addresses, and download histories – was snatched by an intruder who bypassed VTech’s poor online security.

“Regretfully our database was not as secure as it should have been,” VTech’s FAQ admitted.

So yah, quite a mess for them. They are vehemently claiming no credit card details or social security numbers were leaked – because well that stuff makes you liable.

But everything else was leaked, and honestly – along with it one of the worst crypto implementations I’ve ever seen. If you really want to have a laugh, check it out here:

Seriously.

Source: The Register

Posted in: Database Hacking, Exploits/Vulnerabilities, Privacy





LSAT – Linux Security Auditing Tool


Linux Security Auditing Tool (LSAT) is a post install security auditing tool. It is modular in design, so new features can be added quickly. It checks inetd entries and scans for unneeded RPM packages. It is being expanded to work with Linux distributions other than Red Hat, and checks for kernel versions.

It (for now) works under Linux (x86: Gentoo, RedHat, Debian, Mandrake; Sparc: SunOS (2.x), Redhat sparc, Mandrake Sparc; Apple OS X).


You can also check out tools like:

Lynis v1.6.0 Released For Download – Linux Security Auditing Tool
Tiger – Unix Security Audit & Intrusion Detection Tool
unix-privesc-check – Unix/Linux User Privilege Escalation Scanner

Modules/Features

  • checkbp: Checks for boot loader password.
  • checkcfg: This module is performed last
  • checkdotfiles: Looks for .forward, .exrc, .rhosts and .netrc files on the system.
  • checkfiles: Checks that /tmp and /var/tmp have the sticky bit set, checks utmp, wtmp, motd, mtab for chmod 644.
  • checkftpusers: Checks that all accounts in /etc/passwd are in /etc/ftpusers.
  • checkhostsfiles: Reads /etc/hosts.allow and /etc/hosts.deny files
  • checkinetd: Checks either /etc/inetd.conf or /etc/xinetd.d/*
  • checkinittab: Checks to see if default runlevel is 5. If it is, give the user a warning.
  • checkipv4: Checks to see that common forwarding and ignoring are off/on in ipv4.
  • checklimits: Performs simple check of limits.conf file
  • checklogging: Performs a simple check to see if auth and authpriv logging facilities are on.
  • checkmd5: Performs md5sum on all regular files on the system and saves in lsatmd5.out
  • checknetforward: Checks that ipv4 forwarding is disabled under linux
  • checkopenfiles: Checks all open files on the system using lsof (if installed)
  • checkpasswd: Checks /etc/passwd for unneeded accounts.
  • checkpkgs: Checks list of packages (rpms, debs) installed on the system.
  • checksecuretty: Check to see if ttys other than tty[1-6] are in /etc/securetty
  • checkset: Checks system for all setuid/setgid files.
  • checkssh: Check some security features of ssh for instance: root logins, X11 forwarding and the like.
  • checkumask: Checks that the default umask on the system is sensible.
  • checkwrite: Checks system for world writable files.
  • checklistening: Checks for applications listening. This is an “extra” test
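To show what a few of the checks above actually test for, here is an added example that reimplements four of them in Python; it is not LSAT’s own code (LSAT is written in C). It covers checkfiles (sticky bit on shared temp dirs), checkwrite (world-writable files), checksecuretty (ttys beyond tty1-6) and checkumask, and builds a constructed fixture tree so it can be run offline; point the same functions at / and the real /etc/securetty on a live box.

```python
"""Four LSAT-style post-install checks (added example, not LSAT's code)."""
import os
import stat
import tempfile

def sticky_bit_missing(dirs):
    """checkfiles: shared temp dirs need the sticky bit so users cannot
    delete or rename each other's files. Returns the dirs lacking it."""
    return [d for d in dirs
            if os.path.isdir(d) and not os.stat(d).st_mode & stat.S_ISVTX]

def world_writable_files(root):
    """checkwrite: regular files any local user can modify."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)

def extra_securetty(text):
    """checksecuretty: entries other than tty1..tty6 allow root logins on
    extra terminals (serial lines, pseudo-terminals). Returns the extras."""
    allowed = {f"tty{i}" for i in range(1, 7)}
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#")
            and line.strip() not in allowed]

def umask_is_sensible(mask):
    """checkumask: a sensible umask clears at least group- and world-write."""
    return (mask & 0o022) == 0o022

def current_umask():
    """Read the process umask without changing it (os.umask sets and returns)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask

def audit_fixture():
    """Build a constructed tree with known problems and return the findings."""
    root = tempfile.mkdtemp()
    tmp_ok = os.path.join(root, "tmp")
    os.mkdir(tmp_ok)
    os.chmod(tmp_ok, 0o1777)                 # sticky bit set: passes
    tmp_bad = os.path.join(root, "var_tmp")
    os.mkdir(tmp_bad)
    os.chmod(tmp_bad, 0o777)                 # no sticky bit: flagged
    for name, mode in (("world.txt", 0o666), ("fine.txt", 0o644)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    securetty = "# constructed /etc/securetty\ntty1\ntty2\nttyS0\npts/0\n"
    return {
        "sticky_missing": [os.path.basename(d) for d in sticky_bit_missing([tmp_ok, tmp_bad])],
        "world_writable": [os.path.basename(p) for p in world_writable_files(root)],
        "extra_securetty": extra_securetty(securetty),
        "umask_ok": umask_is_sensible(current_umask()),
    }

if __name__ == "__main__":
    for check, result in audit_fixture().items():
        print(f"{check}: {result}")
```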

Usage

You can download LSAT here:

lsat-0.9.8.2.zip

Or read more here.

Posted in: Linux Hacking, Security Software


