Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners. Below is an example gif of Armor being used with a simple Netcat payload.

A Netcat listener is started on port 4444. The “payload.txt” file is read and shown to contain a simple Bash one-liner that, when executed, will create a TCP connection between the target MacBook at the attacker's Netcat listener. Armor is used to encrypt the bash one-liner. Ncat is used to host the decryption key on the attacker's server. When the stager is executed in the target MacBook (not shown in the gif), the bash one-liner is decrypted and executed without writing any data to the harddrive. Ncat immediately terminates the listener after the key has been used. When the Netcat connection is established, the attacker has remote access to the target MacBook.
Admittedly, encrypting most macOS-specific payloads is overkill. This specific bash one-liner is capable of bypassing antivirus without the help of Armor. But this is just an exmaple. The same degree of obfuscation can be applied to sophisticated Python, Ruby, and Shell scripts designed to execute a variety of advanced attacks.

Installation
Armor relies on LibreSSL to encrypt the input file and create the SSL certificate. If LibreSSL isn't found in your system, Armor will attempt to install it. The function for this can be found in the armor.sh file. Ncat is also a dependency and can be installed in Kali using $ apt-get update && apt-get install nmap.
Armor can be cloned and executed using the below commands.

git clone https://github.com/tokyoneon/Armor
cd Armor/
chmod +x armor.sh
./armor.sh /path/to/payload.txt 1.2.3.4 443

The 1.2.3.4 address is the attacker's IP address where the decryption key will be hosted. This can be a local IP address or VPS. The port number (443), is arbitrary and can be changed as needed.
Questions and concerns:

Scannerl is a modular distributed fingerprinting engine implemented by Kudelski Security. Scannerl can fingerprint thousands of targets on a single host, but can just as easily be distributed across multiple hosts. Scannerl is to fingerprinting what zmap is to port scanning.
Scannerl works on Debian/Ubuntu/Arch (but will probably work on other distributions as well). It uses a master/slave architecture where the master node will distribute the work (host(s) to fingerprint) to its slaves (local or remote). The entire deployment is transparent to the user.


Why use Scannerl
When using conventional fingerprinting tools for large-scale analysis, security researchers will often hit two limitations: first, these tools are typically built for scanning comparatively few hosts at a time and are inappropriate for large ranges of IP addresses. Second, if large range of IP addresses protected by IPS devices are being fingerprinted, the probability of being blacklisted is higher what could lead to an incomplete set of information. Scannerl is designed to circumvent these limitations, not only by providing the ability to fingerprint multiple hosts simultaneously, but also by distributing the load across an arbitrary number of hosts. Scannerl also makes the distribution of these tasks completely transparent, which makes setup and maintenance of large-scale fingerprinting projects trivial; this allows to focus on the analyses rather than the herculean task of managing and distributing fingerprinting processes by hand. In addition to the speed factor, scannerl has been designed to allow to easily set up specific fingerprinting analyses in a few lines of code. Not only is the creation of a fingerprinting cluster easy to set up, but it can be tweaked by adding fine-tuned scans to your fingerprinting campaigns.
It is the fastest tool to perform large scale fingerprinting campaigns.
For more:

Installation
See the different installation options under wiki installation page
To install from source, first install Erlang (at least v.18) by choosing the right packaging for your platform: Erlang downloads
Install the required packages:

# on debian
$ sudo apt install erlang erlang-src rebar

# on arch
$ sudo pacman -S erlang-nox rebar

Then build scannerl:

$ git clone https://github.com/kudelskisecurity/scannerl.git
$ cd scannerl
$ ./build.sh

Get the usage by running

$ ./scannerl -h

Scannerl is available on aur for arch linux users

DEBs (Ubuntu, Debian) are available in the releases.
RPMs (Opensuse, Centos, Redhat) are available under https://build.opensuse.org/package/show/home:chapeaurouge/scannerl.

Distributed setup
Two types of nodes are needed to perform a distributed scan:

  • Master node: this is where scannerl's binary is run
  • Slave node(s): this is where scannerl will connect to distribute all its work

The master node needs to have scannerl installed and compiled while the slave node(s) only needs Erlang to be installed. The entire setup is transparent and done automatically by the master node.
Requirements for a distributed scan:

  • All hosts have the same version of Erlang installed
  • All hosts are able to connect to each other using SSH public key
  • All hosts' names resolve (use /etc/hosts if no proper DNS is setup)
  • All hosts have the same Erlang security cookie
  • All hosts must allow connection to Erlang EPMD port (TCP/4369)
  • All hosts have the following range of ports opened: TCP/11100 to TCP/11100 + number-of-slaves

Usage

$ ./scannerl -h
____ ____ _ _ _ _ _ _____ ____ _
/ ___| / ___| / | | | | | ____| _ | |
___ | | / _ | | | | | _| | |_) | |
___) | |___ / ___ | | | | | |___| _ <| |___
|____/ ____/_/ __| _|_| _|_____|_| ______|

USAGE
scannerl MODULE TARGETS [NODES] [OPTIONS]

MODULE:
-m --module
mod: the fingerprinting module to use.
arguments are separated with a colon.

TARGETS:
-f --target
target: a list of target separated by a comma.
-F --target-file
path: the path of the file containing one target per line.
-d --domain
domain: a list of domains separated by a comma.
-D --domain-file
path: the path of the file containing one domain per line.

NODES:
-s --slave
node: a list of node (hostnames not IPs) separated by a comma.
-S --slave-file
path: the path of the file containing one node per line.
a node can also be supplied with a multiplier (*).

OPTIONS:
-o --output comma separated list of output module(s) to use.
-p --port the port to fingerprint.
-t --timeout the fingerprinting process timeout.
-T --stimeout slave connection timeout (default: 10).
-j --max-pkt max pkt to receive (int or "infinity").
-r --retry retry counter (default: 0).
-c --prefix sub-divide range with prefix > cidr (default: 24).
-M --message port to listen for message (default: 57005).
-P --process max simultaneous process per node (default: 28232).
-Q --queue max nb unprocessed results in queue (default: infinity).
-C --config read arguments from file, one per line.
-O --outmode 0: on Master, 1: on slave, >1: on broker (default: 0).
-v --verbose be verbose (0 <= int <= 255).
-K --socket comma separated socket option (key[:value]).
-l --list-modules list available fp/out modules.
-V --list-debug list available debug options.
-A --print-args Output the args record.
-X --priv-ports use only source port between 1 and 1024.
-N --nosafe keep going even if some slaves fail to start.
-w --www DNS will try for www..
-b --progress show progress.
-x --dryrun dry run.

See the wiki for more.

Standalone usage
Scannerl can be used on the local host without any other host. However, it will still create a slave node on the same host it is run from. Therefore, the requirements described in Distributed setup must also be met.
A quick way to do this is to make sure your host is able to resolve itself with

grep -q "127.0.1.1s*`hostname`" /etc/hosts || echo "127.0.1.1 `hostname`" | sudo tee -a /etc/hosts

and create an SSH key (if not yet present) and add it to the authorized_keys (you need an SSH server running):

cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

The following example runs an HTTP banner grabing on google.com from localhost

./scannerl -m httpbg -d google.com

Distributed usage
In order to perform a distributed scan, one need to pre-setup the hosts that will be used by scannerl to distribute the work. See Distributed setup for more information.
Scannerl expects a list of slaves to use (provided by the -s or -S switches).

./scannerl -m httpbg -d google.com -s host1,host2,host3

List available modules
Scannerl will list the available modules (output modules as well as fingerprinting modules) with the -l switch:

$ ./scannerl -l

Fingerprinting modules available
================================

bacnet UDP/47808: Bacnet identification
chargen UDP/19: Chargen amplification factor identification
fox TCP/1911: FOX identification
httpbg TCP/80: HTTP Server header identification
- Arg1: [true|false] follow redirection [Default:false]
httpsbg SSL/443: HTTPS Server header identification
https_certif SSL/443: HTTPS certificate graber
imap_certif TCP/143: IMAP STARTTLS certificate graber
modbus TCP/502: Modbus identification
mqtt TCP/1883: MQTT identification
mqtts TCP/8883: MQTT over SSL identification
mysql_greeting TCP/3306: Mysql version identification
pop3_certif TCP/110: POP3 STARTTLS certificate graber
smtp_certif TCP/25: SMTP STARTTLS certificate graber
ssh_host_key TCP/22: SSH host key graber

Output modules available
========================

csv output to csv
- Arg1: [true|false] save everything [Default:true]
csvfile output to csv file
- Arg1: [true|false] save everything [Default:false]
- Arg2: File path
file output to file
- Arg1: File path
file_ip output to stdout (only ip)
- Arg1: File path
file_mini output to file (only ip and result)
- Arg1: File path
file_resultonly output to file (only result)
- Arg1: File path
stdout output to stdout
stdout_ip output to stdout (only IP)
stdout_mini output to stdout (only ip and result)

Modules arguments
Arguments can be provided to modules with a colon. For example for the file output module:

./scannerl -m httpbg -d google.com -o file:/tmp/result

Result format
The result returned by scannerl to the output modules has the following form:

{module, target, port, result}

Where

  • module: the module used (Erlang atom)
  • target: IP or hostname (string or IPv4 address)
  • port: the port (integer)
  • result: see below

The result part is of the form:

{{status, type},Value}

Where {status, type} is one of the following tuples:

  • {ok, result}: fingerprinting the target succeeded
  • {error, up}: fingerprinting didn't succeed but the target responded
  • {error, unknown}: fingerprinting failed

Value is the returned value – it is either an atom or a list of element

Extending Scannerl
Scannerl has been designed and implemented with modularity in mind. It is easy to add new modules to it:

  • Fingerprinting module: to query a specific protocol or service. As an example, the fp_httpbg.erl module allows to retrieve the server entry in the HTTP response.
  • Output module: to output to a specific database/filesystem or output the result in a specific format. For example, the out_file.erl and out_stdout.erl modules allow respectively to output to a file or to stdout (default behavior if not specified).

To create new modules, simply follow the behavior (fp_module.erl for fingerprinting modules and out_behavior.erl for output module) and implement your modules.
New modules can either be added at compile time or dynamically as an external file.
See the wiki page for more.

Robber is a free open source tool developed using Delphi XE2 without any 3rd party dependencies.
What is DLL hijacking ?!
Windows has a search path for DLLs in its underlying architecture. If you can figure out what DLLs an executable requests without an absolute path (triggering this search process), you can then place your hostile DLL somewhere higher up the search path so it'll be found before the real version is, and Windows will happilly feed your attack code to the application.

So, let's pretend Windows's DLL search path looks something like this:

A) . <– current working directory of the executable, highest priority, first check

B) Windows

C) Windowssystem32

D) Windowssyswow64 <– lowest priority, last check

and some executable “Foo.exe” requests “bar.dll”, which happens to live in the syswow64 (D) subdir. This gives you the opportunity to place your malicious version in A), B) or C) and it will be loaded into executable.
As stated before, even an absolute full path can't protect against this, if you can replace the DLL with your own version.
Microsoft Windows protect system pathes like System32 using Windows File Protection mechanism but the best way to protect executable from DLL hijacking in entrprise solutions is :

  • Use absolute path instead of relative path
  • If you have personal sign, sign your DLL files and check the sign in your application before load DLL into memory. otherwise check the hash of DLL file with original DLL hash)

And of course, this isn't really limited to Windows either. Any OS which allows for dynamic linking of external libraries is theoretically vulnerable to this.
Robber use simple mechanism to figure out DLLs that prone to hijacking :

  1. Scan import table of executable and find out DLLs that linked to executable
  2. Search for DLL files placed inside executable that match with linked DLL (as i said before current working directory of the executable has highest priority)
  3. If any DLL found, scan the export table of theme
  4. Compare import table of executable with export table of DLL and if any matching was found, the executable and matched common functions flag as DLL hijack candidate.

Feauters :

  • Ability to select scan type (signed/unsigned applications)
  • Determine executable signer
  • Determine wich referenced DLLs candidate for hijacking
  • Determine exported method names of candidate DLLs
  • Configure rules to determine which hijacks is best or good choice for use and show theme in different colors

Find out latest Robber executable here


Parrot 4.3 is now available for download. This release provides security and stability updates and is the starting point for the plan to develop an LTS edition of Parrot.

Linux 4.18
Linux was updated to the 4.18.10 version, and linux 4.19 will be released soon.
Firefox 63
Firefox 63 provides noticeable security and privacy features, but it is no longer available to 32bit systems, so has been switched to firefox-esr on all the unsupported architectures.
Wine menu

Has been fixed a bug in the parrot menu configuration that prevented several menu categories to show up.
This fixed the missing wine menu bug, which is now back again.

Bashrc updates
The Parrot .bashrc file was updated, now it provides better snap support, the ll alias now shows the size in a human readable format and it does no longer overwrite some global settings as it used to do before.
Java 11
OpenJDK 11 is now the default java provider.
Anonsurf
Anonsurf received important stability upgrades and now it does not mess up the DNS configuration.
New Parrot icons

The Parrot edition of the MAIA icon theme was updated.
Has been dropped many old unused icons and replaced them with newer ones.

Core updates

Parrot 4.3 provides the latest updates of Debian Testing and many improvements to our sandbox system, in fact, both firejail and apparmor received significant updates, and now the whole system is smoother, more secure and more reliable.

SniffAir is an open-source wireless security framework which provides the ability to easily parse passively collected wireless data as well as launch sophisticated wireless attacks. SniffAir takes care of the hassle associated with managing large or multiple pcap files while thoroughly cross-examining and analyzing the traffic, looking for potential security flaws. Along with the prebuilt queries, SniffAir allows users to create custom queries for analyzing the wireless data stored in the backend SQL database. SniffAir is built on the concept of using these queries to extract data for wireless penetration test reports. The data can also be leveraged in setting up sophisticated wireless attacks included in SniffAir as modules.
SniffAir is developed by @Tyl0us and @theDarracott


Install
SniffAir was developed with Python version 2.7
Tested and supported on Kali Linux, Debian and Ubuntu.
To install run the setup.sh script

$./setup.sh

Usage

                                                                     % *        ., %                         
% ( ,# (..# %
/@@@@@&, *@@% &@, @@# /@@@@@@@@@ .@@@@@@@@@. ,/ # # (%%%* % (.(. .@@ &@@@@@@%.
.@@& *&@ %@@@@. &@, @@% %@@,,,,,,, ,@@,,,,,,, .( % % %%# # % # ,@@ @@(,,,#@@@.
%@% %@@(@@. &@, @@% %@@ ,@@ /* # /*, %.,, ,@@ @@* #@@
,@@& %@@ ,@@* &@, @@% %@@ ,@@ .# //#(, (, ,@@ @@* &@%
.@@@@@. %@@ .@@( &@, @@% %@@%%%%%%* ,@@%%%%%%# (# ##. ,@@ @@&%%%@@@%
*@@@@ %@@ .@@/ &@, @@% %@@,,,,,, ,@@,,,,,,. %#####% ,@@ @@(,,%@@%
@@% %@@ @@( &@, @@% %@@ ,@@ % (*/ # ,@@ @@* @@@
%@% %@@ @@&&@, @@% %@@ ,@@ % # .# .# ,@@ @@* @@%
.@@&/,,#@@@ %@@ &@@@, @@% %@@ ,@@ /(* /(# ,@@ @@* @@#
*%@@@&* *%# ,%# #%/ *%# %% #############. .%# #%. .%%
(@Tyl0us & @theDarracott)

>> [default]# help
Commands
========
workspace Manages workspaces (create, list, load, delete)
live_capture Initiates a valid wireless interface to collect wireless pakcets to be parsed (requires the interface name)
offline_capture Begins parsing wireless packets using a pcap file-kismet .pcapdump work best (requires the full path)
offline_capture_list Begins parsing wireless packets using a list of pcap file-kismet .pcapdump work best (requires the full path)
query Executes a query on the contents of the acitve workspace
help Displays this help menu
clear Clears the screen
show Shows the contents of a table, specific information across all tables or the available modules
inscope Add ESSID to scope. inscope [ESSID]
SSID_Info Displays all information (i.e all BSSID, Channels and Encrpytion) related to the inscope SSIDS
use Use a SniffAir module
info Displays all variable information regarding the selected module
set Sets a variable in module
exploit Runs the loaded module
run Runs the loaded module
exit Exit SniffAir
>> [default]#

Begin
First create or load a new or existing workspace using the command workspace create or workspace load command. To view all existing workspaces use the workspace list command and workspace delete command to delete the desired workspace:

 >>  [default]# workspace
Manages workspaces
Command Option: workspaces [create|list|load|delete]
>> [default]# workspace create demo
[+] Workspace demo created

Load data into a desired workplace from a pcap file using the command offline_capture . To load a series of pcap files use the command offline_capture_list (this file should contain the full patches to each pcap file). Use the live_capture command to capture live wireless traffic using a wireless interface.

>>  [demo]# offline_capture /root/sniffair/demo.pcapdump
[+] Importing /root/sniffair/demo.pcapdump

[+] Completed
[+] Cleaning Up Duplicates
[+] ESSIDs Observed

Show Command
The show command displays the contents of a table, specific information across all tables or the available modules, using the following syntax:

 >>  [demo]# show table AP
+------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+
| ID | ESSID | BSSID | VENDOR | CHAN | PWR | ENC | CIPHER | AUTH |
|------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------|
| 1 | HoneyPot | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. | 4 | -17 | WPA2 | TKIP | MGT |
| 2 | Demo | 80:2a:a8:##:##:## | Ubiquiti Networks Inc. | 11 | -19 | WPA2 | CCMP | PSK |
| 3 | Demo5ghz | 82:2a:a8:##:##:## | Unknown | 36 | -27 | WPA2 | CCMP | PSK |
| 4 | HoneyPot1 | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. | 36 | -29 | WPA2 | TKIP | PSK |
| 5 | BELL456 | 44:e9:dd:##:##:## | Sagemcom Broadband SAS | 6 | -73 | WPA2 | CCMP | PSK |
+------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+
>> [demo]# show SSIDS
---------
HoneyPot
Demo
HoneyPot1
BELL456
Hidden
Demo5ghz
---------

The query command can be used to display a unique set of data based on the parememters specificed. The query command uses sql syntax.

Inscope
the inscope command can be used to add a SSID to the inscope tables, loading all related data to the inscope_AP, inscope_proberequests and inscope_proberesponses tables. To view a summary of all inscope SSIDS run the SSID_Info command.

Modules
Modules can be used to analyze the data contained in the workspaces or perform offensive wireless attacks using the use command. For some modules additional variables may need to be set. They can be set using the set command set :

 >>  [demo]# show modules
Available Modules
=================
[+] Auto EAP - Automated Brute-Force Login Attack Against EAP Networks
[+] Auto PSK - Automated Brute-Force Passphrase Attack Against PSK Networks
[+] AP Hunter - Discover Access Point Within a Certain Range Using a Specific Type of Encrpytion
[+] Captive Portal - Web Based Login Portal to Capture User Entered Credentials (Runs as an OPEN Network)
[+] Certificate Generator - Generates a Certificate Used by Evil Twin Attacks
[+] Exporter - Exports Data Stored in a Workspace to a CSV File
[+] Evil Twin - Creates a Fake Access Point, Clients Connect to Divulging MSCHAP Hashes or Cleartext Passwords
[+] Handshaker - Parses Database or .pcapdump Files Extracting the Pre-Shared Handshake for Password Guessing (Hashcat or JTR Format)
[+] Mac Changer - Changes The Mac Address of an Interface
[+] Probe Packet - Sends Out Deauth Packets Targeting SSID(s)
[+] Proof Packet - Parses Database or .pcapdump Files Extracting all Packets Related to the Inscope SSDIS
[+] Hidden SSID - Discovers the Names of HIDDEN SSIDS
[+] Suspicious AP - Looks for Access Points that: Is On Different Channel, use a Different Vendor or Encrpytion Type Then the Rest of The Network
[+] Wigle Search SSID - Queries wigle for SSID (i.e. Bob's wifi)
[+] Wigle Search MAC - Queries wigle for all observations of a single mac address
>> [demo]#
>> [demo]# use Captive Portal
>> [demo][Captive Portal]# info
Globally Set Varibles
=====================
Module: Captive Portal
Interface:
SSID:
Channel:
Template: Cisco (More to be added soon)
>> [demo][Captive Portal]# set Interface wlan0
>> [demo][Captive Portal]# set SSID demo
>> [demo][Captive Portal]# set Channel 1
>> [demo][Captive Portal]# info
Globally Set Varibles
=====================
Module: Captive Portal
Interface: wlan0
SSID: demo
Channel: 1
Template: Cisco (More to be added soon)
>> [demo][Captive Portal]#

Once all varibles are set, then execute the exploit or run command to run the desired attack.

Export
To export all information stored in a workspace’s tables using the Exporter module and setting the desired path.

Acknowledgments
Sniffiar contains work from the following repoisoties:

Interactive sip toolkit for packet manipulations, sniffing, man in the middle attacks, fuzzing, simulating of dos attacks.

Video

Setup

git clone https://github.com/halitalptekin/isip.git
cd isip
pip install -r requirements.txt

Usage

  • Packet manipulation tools are in packet cmd loop. First start, you are in the main cmd loop.
isip:main> packet
isip:packet>
  • Create a new sip packet with new command. If you don't write name, isip create the packet named by message-{id}.
isip:packet> new
isip:packet> new r1
  • List the all created sip packets with list command.
isip:packet> list
  • Show properties of packets with show command. You can type ip, udp or sip with show command.
isip:packet> show message-1
isip:packet> show message-1 ip
isip:packet> show message-1 udp
isip:packet> show message-1 sip
isip:packet> show message-1 ip src
isip:packet> show message-1 udp sport
isip:packet> show message-1 sip uri
isip:packet> show message-1 sip headers.to
  • Set the properties of packets with set command. You can type ip, udp or sip and properties label with show command.
isip> set message-1 ip src 12.12.12.12
isip> set message-1 udp sport 4545
isip> set message-1 sip method OPTIONS
isip> set message-1 sip headers.from "blabla"
  • Set the random properties of packets with set command. You can use with random-headers-from, random-headers-to, random-headers-call-id, random-headers-max-forwards, random-headers-user-agent, random-headers-contact, random-headers-invite-cseq, random-headers-register-cseq commands.
isip:packet> set message-1 ip src random-ip
isip:packet> set message-1 udp sport random-port
isip:packet> set message-1 sip headers.from random-headers-from
isip:packet> set message-1 sip headers.to random-headers-to
isip:packet> set message-1 sip headers.contact random-headers-contact
isip:packet> set message-1 sip body random-data 50
  • Send the packet with send command.
isip:packet> send message-1 1
isip:packet> send message-1 150
  • Parse the text file to packet with parse command.
isip:packet> parse test/test1.txt r1
  • Load the packets from pcap file with load command. If you don't write name, isip create the packet named by message-{id}.
isip:packet> load test.pcap r1
isip:packet> load test.pcap
  • Save the packets tp pcap file with save command. You can save the packet list just single command.
isip:packet> save r1 test.pcap
isip:packet> save r2 test.pcap # assume you have r2.0, r2.1, r2.2, r2.3 ...
  • Open the wireshark for packets with wireshark command.
isip:packet> wireshark r1
isip:packet> wireshark r2 # assume you have r2.0, r2.1, r2.2, r2.3 ...
  • List the history with hist command.
isip:packet> hist
  • Execute the shell command with shell or !.
isip:packet> shell ls -la
isip:packet> ! cat /etc/passwd
  • Show the help page with ? or help command.
isip> ?
isip> help
isip:packet> ?
isip:packet> help
isip:packet> help new
isip:packet> help send
isip:packet> help set
isip:packet> help show

BlobRunner is a simple tool to quickly debug shellcode extracted during malware analysis.
BlobRunner allocates memory for the target file and jumps to the base (or offset) of the allocated memory. This allows an analyst to quickly debug into extracted artifacts with minimal overhead and effort.

To use BlobRunner, you can download the compiled executable from the releases page or build your own using the steps below.


Building
Building the executable is straight forward and relatively painless.
Requirements

  • Download and install Microsoft Visual C++ Build Tools or Visual Studio

Build Steps

  • Open Visual Studio Command Prompt
  • Navigate to the directory where BlobRunner is checked out
  • Build the executable by running:
cl blobrunner.c

Building BlobRunner x64
Building the x64 version is virtually the same as above, but simply uses the x64 tooling.

  • Open x64 Visual Studio Command Prompt
  • Navigate to the directory where BlobRunner is checked out
  • Build the executable by running:
 cl /Feblobrunner64.exe /Foblobrunner64.out blobrunner.c

Usage
To debug:

  • Open BlobRunner in your favorite debugger.
  • Pass the shellcode file as the first parameter.
  • Add a breakpoint before the jump into the shellcode
  • Step into the shellcode
BlobRunner.exe shellcode.bin

Debug into file at a specific offset.

BlobRunner.exe shellcode.bin --offset 0x0100

Debug into file and don't pause before the jump. Warning: Ensure you have a breakpoint set before the jump.

BlobRunner.exe shellcode.bin --nopause

Debugging x64 Shellcode
Inline assembly isn't supported by the x64 compiler, so to support debugging into x64 shellcode the loader creates a suspended thread which allows you to place a breakpoint at the thread entry, before the thread is resumed.

Remote Debugging Shell Blobs (IDAPro)
The process is virtually identical to debugging shellcode locally – with the exception that the you need to copy the shellcode file to the remote system. If the file is copied to the same path you are running win32_remote.exe from, you just need to use the file name for the parameter. Otherwise, you will need to specify the path to the shellcode file on the remote system.

Shellcode Samples
You can quickly generate shellcode samples using the Metasploit tool msfvenom.
Generating a simple Windows exec payload.

msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -o test2.bin

Feedback / Help

  • Any questions, comments or requests you can find us on twitter: @seanmw or @herrcore
  • Pull requests welcome!

Use this IDA python plugin to scan your binary with yara rules. All the yara rule matches will be listed with their offset so you can quickly hop to them!
All credit for this plugin and the code goes to David Berard (@p0ly)
This plugin is copied from David's excellent findcrypt-yara plugin. This plugin just extends his to use any yara rule.

Installation

Watch the tutorial video!
<a href="http://www.youtube.com/watch?v=zAKi9KWYyfM" rel="nofollow" target="_blank" title="Using Yara Rules With IDA Pro”>

[youtube https://www.youtube.com/watch?v=zAKi9KWYyfM]

Usage

Launch the plugin
The plugin can be launched from the menu using Edit->Plugins->FindYara. Or the plugin can be quickly launched using the hot-key combination ctl-alt-y.

Select a Yara file to scan with
When the plugin launches it will open a file selection dialogue box. You will need to use this to choose the yara file that you want to scan with.

View matches
All of the strings from the yara rule that match the binary will be displayed along with the match locations.

Acknowledgments

  • A huge thank you to David Berard (@p0ly) – Follow him on GitHub here! This is mostly his code and he gets all the credit for the original plugin framework.
  • Also, hat tip to Alex Hanel @nullandnull – Follow him on GitHub here. Alex helped me sort through how the IDC methods are being used. His IDA Python book is a fantastic reference!!

Feedback / Help

  • Any questions, comments, requests hit me up on twitter: @herrcore
  • Pull requests welcome!

Microsoft signed DLL for the ActiveDirectory PowerShell module
Just a backup for the Microsoft's ActiveDirectory PowerShell module from Server 2016 with RSAT and module installed. The DLL is usually found at this path: C:WindowsMicrosoft.NETassemblyGAC_64Microsoft.ActiveDirectory.Management
and the rest of the module files at this path: C:WindowsSystem32WindowsPowerShellv1.0ModulesActiveDirectory

Usage
You can copy this DLL to your machine and use it to enumerate Active Directory without installing RSAT and without having administrative privileges.
PS C:> Import-Module C:ADModuleMicrosoft.ActiveDirectory.Management.dll -Verbose

To be able to list all the cmdlets in the module, import the module as well. Remember to import the DLL first.
PS C:> Import-Module C:ADModuleMicrosoft.ActiveDirectory.Management.dll -Verbose
PS C:> Import-Module C:ADToolsADModuleActiveDirectoryActiveDirectory.psd1
PS C:> Get-Command -Module ActiveDirectory

Benefits
There are many benefits like very low chances of detection by AV, very wide coverage by cmdlets (I leave the usage of cmdlets for a later post :P), good filters for cmdlets, signed by Microsoft etc. The most useful one, however, is that this module works flawlessly from PowerShell's Constrained Language Mode

Blog
https://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html

frida-wshook is an analysis and instrumentation tool which uses frida.re to hook common functions often used by malicious script files which are run using WScript/CScript.
The tool intercepts Windows API functions and doesn't implement function stubs or proxies within the targeted scripting language. This allows it to support analyzing a few different script types such as:
  • .js (JScript)
  • .vbs (VBScript)
  • .wsf (WSFile) (Initial support/testing. – Does not support specific jobs)
By default script files are run using cscript.exe and will output:
  • COM ProjIds
  • DNS Requests
  • Shell Commands
  • Network Requests
Warning!!! Ensure that you run any malicious scripts on a dedicated analysis system. Ideally, a VM with snapshots so you can revert if a script gets away from you and you need to reset the system.
Although common methods have been hooked, Windows provides numerous APIs which allow developers to interact with a network, file system and execute commands. So it is entirely possible to encounter scripts leveraging uncommon APIs for these functions.

Install & Setup

pip install frida
  • Clone (or download) the frida-wshook repository.

Supported OS
frida-wshook has been tested on Windows 10 and Windows 7 and should work on any Windows 7 + environment. On x64 systems CScript is loaded from the C:WindowsSysWow64 directory.
It may work on WindowsXP, but I suspect that CScript may use the legacy API calls and would bypass the instrumentation.

Usage
The script supports a number of optional commandline arguments that allow you to control what APIs the scripting host can call.

usage: frida-wshook.py [-h] [--debug] [--disable_dns] [--disable_com_init]
[--enable_shell] [--disable_net]
script

frida-wshook.py your friendly WSH Hooker

positional arguments:
script Path to target .js/.vbs file

optional arguments:
-h, --help show this help message and exit
--debug Output debug info
--disable_dns Disable DNS Requests
--disable_com_init Disable COM Object Id Lookup
--enable_shell Enable Shell Commands
--disable_net Disable Network Requests

Analyze a script with the default parameters:

python wshook.py bad.js

Enable verbose debugging:

python wshook.py --debug bad.js

Enable shell (execute) commands:

python frida-wshook.py --enable_shell bad.vbs

Disable WSASend:

python frida-wshook.py --disable_net bad.vbs

Check what ProgIds the script uses:

python frida-wshook.py --disable_com_init bad.vbs

Hooked Functions

Known Issues

  • Network responses are not captured
  • Disabling Object Lookup can cause the script to only output the first ProgId…Malware QA can be lacking.
  • WSF files with a specific job to target currently isn't supported

TODO

  • Change GetAddrInfoExW to use .replace instead of .attach
  • Add additional tracing and hooks to cover more APIs
  • Look at bypassing common anti-analysis techniques found in scripts (sleeps etc)
  • Update and improve network request hooking (ie: currently it captures requests, but not responses)

Feedback / Help
Any questions, comments or requests you can find us on twitter: @seanmw or @herrcore