threat_note is a web application built by Defense Point Security to allow security researchers to add and retrieve indicators related to their research. As of right now this includes the ability to add IP Addresses, Domains and Threat Actors, with more types being added in the future. This app fills the gap between various solutions currently available by being lightweight, easy to install, and by minimizing fluff and extraneous information that sometimes gets in the way of adding information. To create a new indicator, you only really need to supply the object itself (whether it be a Domain, IP or Threat Actor) and change the type accordingly, and boom! That's it! Of course, supplying more information is definitely helpful, but it's not required.

Other applications built for storing indicators and research have some shortcomings that threat_note hopes to fix. Some common complaints with other apps are:
- Hard to install/configure/maintain
- Need to pay for added features (enterprise licenses)
- Too much information

This boils down to there being so much stuff to do to create new indicators, or to apps trying to cram a ton of functions inside.

Installation
Now that we are using SQLite, there's no need for a pesky Vagrant machine. All we need to do is install some requirements via pip and fire up the server:
    cd threat_note
    pip install -r requirements.txt
    honcho start
Once the server is running, you can browse to http://localhost:5000 and…

PowerShell script to perform a quick AD audit, by phillips321.

If you have any decent PowerShell one-liners that could be used in the script please let me know. I'm trying to keep this script as a single file with no requirements on external tools (other than ntdsutil and cmd.exe).

Run directly on a DC using a DA. If you don't trust the code I suggest reading it first and you'll see it's all harmless! (But shouldn't you be doing that anyway with code you download off the net and then run as DA??)

What this does
- Device Information: Get-HostDetails
- Domain Audit: Get-MachineAccountQuota, Get-SMB1Support, Get-FunctionalLevel, Get-DCsNotOwnedByDA
- Domain Trust Audit: Get-DomainTrusts
- User Accounts Audit: Get-InactiveAccounts, Get-DisabledAccounts, Get-AdminAccountChecks, Get-NULLSessions, Get-AdminSDHolders, Get-ProtectedUsers
- Password Information Audit: Get-AccountPassDontExpire, Get-UserPasswordNotChangedRecently, Get-PasswordPolicy
- Dumps NTDS.dit: Get-NTDSdit
- Computer Objects Audit: Get-OldBoxes
- GPO audit (and checking SYSVOL for passwords): Get-GPOtoFile, Get-GPOsPerOU, Get-SYSVOLXMLS
- Check Generic Group AD Permissions: Get-OUPerms
- Check For Existence of LAPS in domain: Get-LAPSStatus
- Check For Existence of Authentication Policies and Silos …

SGX-Step is an open-source framework to facilitate side-channel attack research on Intel SGX platforms. SGX-Step consists of an adversarial Linux kernel driver and a user space library that allow untrusted page table entries and/or x86 APIC timer interrupts to be configured completely from user space. Our research results have demonstrated several new and improved enclaved execution attacks that gather side-channel observations at a maximal temporal resolution (i.e., by interrupting the victim enclave after every single instruction).

Abstract
Trusted execution environments such as Intel SGX hold the promise of protecting sensitive computations from a potentially compromised operating system. Recent research convincingly demonstrated, however, that SGX's strengthened adversary model also gives rise to a new class of powerful, low-noise side-channel attacks leveraging first-rate control over hardware. These attacks commonly rely on frequent enclave preemptions to obtain fine-grained side-channel observations. A maximal temporal resolution is achieved when the victim state is measured after every instruction. Current state-of-the-art enclave execution control schemes, however, do not generally achieve such instruction-level granularity. This paper presents SGX-Step, an open-source Linux kernel framework that allows an untrusted host process to configure APIC timer interrupts and track page table entries directly from user space. We contribute and evaluate an improved…

DFIRtriage is a tool intended to provide Incident Responders with rapid host data. Written in Python, the code has been compiled to eliminate the dependency on Python on the target host. The tool will run a variety of commands automatically upon execution. The acquired data will reside in the root of the execution directory. DFIRtriage may be run from a USB drive or executed in a remote shell on the target. Windows-only support.

What's New?

General
- Efficiency updates were made to the code improving flow, cleaning up bugs, and providing performance improvements.
- Cleaned up the output directory structure
- Removed TZworks tools from the toolset, avoiding licensing issues
- Added command-line arguments for new functionality (run "DFIRtriage --help" for details)

Memory acquisition
- Memory is now acquired by default; an argument is required to bypass memory acquisition
- Free space check conducted prior to acquiring memory
- Updated acquisition process to avoid Windows 10 crashes

New artifacts
- windowsupdate.log file
- Windows Defender scan logs
- PowerShell command history
- HOSTS files
- netstat output now includes the associated PID for all network connections
- Logging all users currently logged in to the target machine to the Triage_info.txt file
- Pulling dozens of new events from the Windows Event logs

New! DFIRtriage search tool
- Conducts keyword search across DFIRtriage output data and writes findings to a log file
- The search tool is a separate executable…

vscan is a vulnerability scanner tool that uses nmap and NSE scripts to find vulnerabilities. This tool adds value to vulnerability scanning with nmap by using NSE scripts, which add flexibility in terms of vulnerability detection and exploitation. Below are some of the features that NSE scripts provide:
- Network discovery
- More sophisticated version detection
- Vulnerability detection
- Backdoor detection
- Vulnerability exploitation

This tool uses the path /usr/share/nmap/scripts/, where the NSE scripts are located in Kali Linux.

The tool performs the following:
- checks the communication to the target hosts by checking ICMP requests
- takes as input a protocol name such as http and executes all NSE scripts related to that protocol
- if any vulnerability triggers, it saves the output into a log file
- it may perform all of the above actions for a range of IP addresses

If the tool finds a vulnerability in a certain protocol (e.g. http) it keeps the output in a log file which is created and saved in the following location: /home/vulnerabilities_enumeration/http_vulnerabilities/http_vulnerabilities/http_vulnerabilities.txt. In this example the folders have been created using the protocol prefix, which in this case is the http protocol.

Usage:
    ./vscan.sh <ip_range> <protocol> <port> <Pn (optional)>
    ./vscan.sh <ips_file> <protocol> <port> <Pn (optional)>
    ./vscan.sh <ip> <protocol> <port> <Pn (optional)>

How to…

Sojobo is an emulator for the B2R2 framework. It was created to ease the analysis of potentially malicious files. It is entirely developed in .NET, so you don't need to install or compile any other external libraries (the project is self-contained). With Sojobo you can:
- Emulate a (32 bit) PE binary
- Inspect the memory of the emulated process
- Read the process state
- Display a disassembly of the executed code
- Emulate functions in a managed language (C# || F#)

Using Sojobo
Sojobo is intended to be used as a framework to create program analysis utilities. However, various sample utilities were created in order to show how to use the framework in a profitable way.

Tengu
Tengu is a utility based on Sojobo. It allows you to emulate a given process and control the execution through a debugger-like UI (in particular it was inspired by the windbg debugger).

Documentation
The project is fully documented in F# (cit.) 🙂 Joking apart, I plan to write some blog posts related to how to use Sojobo. Below is a list of the current posts:
- Sojobo – Yet another binary analysis framework
You can also read the API documentation.

Compile
In order to compile Sojobo you need .NET Core and Visual Studio to be installed. To compile, just run build.bat.

Download…

Donut generates x86 or x64 shellcode from VBScript, JScript, EXE and DLL (including .NET Assembly) files. This shellcode can be injected into arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by Donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. .NET Assemblies are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains. It can be used in several ways.

As a Standalone Tool
Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for loader generation. The Python documentation can be found here. The command-line syntax is as described below.

    usage: donut [options] -f <EXE/DLL/VBS/JS>

    -MODULE OPTIONS-
    -f <path>  .NET assembly, EXE, DLL, VBS, JS file to execute in-memory.
    -n <name>  Module name. Randomly generated by default.
    -u <URL>   HTTP server that will host…

GitHub search is a quite powerful and useful feature and can be used to search for sensitive data in repositories. This is a collection of GitHub dorks that can reveal sensitive personal and/or organizational information such as private keys, credentials, authentication tokens, etc. This list is supposed to be useful for assessing security and performing pen-testing of systems.

GitHub Dork Search Tool
github-dork.py is a simple Python tool that can search through your repository or your organization/user repositories. It's not a perfect tool at the moment but provides basic functionality to automate the search of your repositories against the dorks specified in a text file.

Installation
This tool uses github3.py to talk to the GitHub Search API. Clone this repository and run:
    pip install -r requirements.txt

Usage
- GH_USER – Environment variable to specify GitHub user
- GH_PWD – Environment variable to specify password
- GH_TOKEN – Environment variable to specify GitHub token
- GH_URL – Environment variable to specify GitHub Enterprise base URL

Some example usages are listed below:
    python github-dork.py -r techgaun/github-dorks       # search single repo
    python github-dork.py -u techgaun                    # search all repos of user
    python github-dork.py -u dev-nepal                   # search all repos of an organization
    GH_USER=techgaun GH_PWD=<mypass> python github-dork.py -u dev-nepal   # search…

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if known. EyeWitness is designed to run on Kali Linux. It will auto-detect the file you give it with the -f flag as either a text file with a URL on each new line, nmap XML output, or Nessus XML output. The --timeout flag is completely optional and lets you provide the maximum time to wait when trying to render and screenshot a web page. A complete usage guide which documents EyeWitness features and its typical use cases is available here: https://www.christophertruncer.com/eyewitness-usage-guide/

Supported Linux Distros:
- Kali Linux
- Debian 7+ (at least stable, looking into testing) (Thanks to @themightyshiv)

E-Mail: EyeWitness [@] christophertruncer [dot] com

Setup:
- Navigate into the setup directory
- Run the setup.sh script

Usage:
    ./EyeWitness.py -f filename --timeout optionaltimeout --open (Optional)

Examples:
    ./EyeWitness -f urls.txt --web
    ./EyeWitness -x urls.xml --timeout 8 --headless

Docker
Now you can execute EyeWitness in a Docker container and avoid installing unnecessary dependencies on your host machine.
Note: execute docker run with the folder path on the host which will hold your results (/path/to/results).
Note2: in case you want to scan URLs from a file, make sure you put it in the volume folder (if you put urls.txt in /path/to/results, then the argument should…

Sparrow-wifi has been built from the ground up to be the next generation 2.4 GHz and 5 GHz WiFi spectral awareness tool. At its most basic it provides a more comprehensive GUI-based replacement for tools like inSSIDer and linssid that runs specifically on Linux. In its most comprehensive use cases, sparrow-wifi integrates WiFi, software-defined radio (HackRF), advanced Bluetooth tools (traditional and Ubertooth), traditional GPS (via gpsd), and drone/rover GPS via MAVLink in one solution.

[NOTE: Check the Raspberry Pi section for updates. A setup script is now included to get the project running on Raspbian Stretch.]

Written entirely in Python3, Sparrow-wifi has been designed for the following scenarios:
- Basic WiFi SSID identification
- WiFi source hunt – Switch from normal to hunt mode to get multiple samples per second and use the telemetry windows to track a WiFi source
- 2.4 GHz and 5 GHz spectrum view – Overlay spectrums from Ubertooth (2.4 GHz) or HackRF (2.4 GHz and 5 GHz) in real time on top of the WiFi spectrum (invaluable in poor connectivity troubleshooting when overlapping WiFi doesn't seem to be the cause)
- Bluetooth identification – LE advertisement listening with standard Bluetooth, full promiscuous mode in LE and classic Bluetooth with Ubertooth
- Bluetooth source hunt – Track LE advertisement sources or iBeacons with the telemetry window
- iBeacon advertisement – Advertise your own iBeacons
- Remote operations – An agent is included that provides all…