Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily set up and execute phishing engagements and security awareness training.

Install: installation of Gophish is dead simple. Download and extract the zip containing the release for your system, and run the binary. Gophish has binary releases for Windows, Mac, and Linux platforms.

Building from source: Gophish requires Go v1.10 or above. To build Gophish from source, run go get github.com/gophish/gophish and cd into the project source directory. Then run go build. After this, you should have a binary called gophish in the current directory.

Docker: you can also use Gophish via an unofficial Docker container here.

Setup: after running the Gophish binary, open a browser to https://localhost:3333 and log in with the default username (admin) and password (gophish).

Documentation can be found on our site. Find something missing? Let us know by filing an issue! Download…


Aaia (pronounced as shown here) helps in visualizing AWS IAM and Organizations in a graph format with the help of Neo4j. This makes outliers easy to spot. Since it is based on Neo4j, one can query the graph using Cypher queries to find the anomalies. Aaia also supports modules to programmatically fetch data from the Neo4j database and process it in a custom fashion. This is mostly useful if any complex comparison or logic has to be applied which otherwise would not be easy through Cypher queries. Aaia was initially intended to be a tool to enumerate privilege escalation possibilities and find loopholes in AWS IAM. It was inspired by the quote by @JohnLaTwC: "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win."

Why the name "Aaia"? Aaia in Tamil means grandma. In general, Aaia knows everything about the family. She can easily connect who is related to whom, and how, and give you the connection within a split second. She is a living graph database. 😛 Since "Aaia" (this tool) also does more or less the same, hence the name.

Installation: install the Neo4j database (instructions here). Set up the username, password and bolt connection URI in the Aaia.conf file; an example format is given in Aaia.conf already. Install the OS dependencies. Debian: apt-get install awscli jq. Redhat / Fedora / CentOS / Amazon Linux: yum install awscli jq. Note: These packages are needed for…
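
The "lists versus graphs" point above is the whole reason for loading IAM into a graph database. The following is an added illustration, not Aaia's code, of the query Aaia exists to make easy: starting from a user, walk role-trust and policy-attachment edges and report every path that ends in a policy carrying an action that can be used to grant more privilege. A plain in-memory adjacency list stands in for Neo4j so it runs offline; the principals, policies and the HasPolicy/CanAssume relationship names are constructed for the example and are not Aaia's schema.

```python
"""Added illustration (not Aaia's own code): model IAM principals, policies and
role trust as a graph and search it for privilege-escalation paths. Aaia keeps
this in Neo4j and queries it with Cypher; a dict-based adjacency list stands in
for the database here. All names, policies and actions are constructed."""
from collections import deque

# Constructed sample edges. Relationship semantics assumed for this example:
#   (principal, "HasPolicy", policy)  the policy is attached to the principal
#   (principal, "CanAssume", role)    the role's trust policy allows the principal
SAMPLE_EDGES = [
    ("user:alice", "HasPolicy", "policy:ReadOnly"),
    ("user:bob", "HasPolicy", "policy:PassRoleToLambda"),
    ("user:bob", "CanAssume", "role:DeployRole"),
    ("role:DeployRole", "HasPolicy", "policy:IAMAdmin"),
    ("role:AuditRole", "HasPolicy", "policy:ReadOnly"),
    ("user:carol", "CanAssume", "role:AuditRole"),
]
# Allowed actions per constructed policy (simplified: no Deny, no conditions).
POLICY_ACTIONS = {
    "policy:ReadOnly": {"s3:GetObject", "iam:ListRoles"},
    "policy:PassRoleToLambda": {"iam:PassRole", "lambda:CreateFunction"},
    "policy:IAMAdmin": {"iam:*"},
}
# Actions that let a principal grant itself more rights (a short, illustrative list).
ESCALATION_ACTIONS = {"iam:*", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
                      "iam:PutUserPolicy", "iam:PassRole"}


def build_graph(edges):
    """Adjacency list: node -> list of (relation, neighbour)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def policy_is_escalating(policy):
    actions = POLICY_ACTIONS.get(policy, set())
    return any(a == "*" or a in ESCALATION_ACTIONS for a in actions)


def escalation_paths(graph, start):
    """Breadth-first walk from a principal over CanAssume edges; every HasPolicy
    edge reached on the way is checked, and the full path is recorded when the
    policy carries an escalation-capable action."""
    found = []
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for rel, nxt in graph.get(path[-1], []):
            if nxt in path:              # role A trusts role B trusts role A: stop
                continue
            new_path = path + [f"-[{rel}]->", nxt]
            if rel == "HasPolicy":
                if policy_is_escalating(nxt):
                    found.append(new_path)
            else:                        # CanAssume: keep walking from the role
                queue.append(new_path)
    return found


def report(edges=SAMPLE_EDGES):
    """Map every user node to the escalation paths reachable from it."""
    graph = build_graph(edges)
    users = sorted(n for n in graph if n.startswith("user:"))
    return {u: escalation_paths(graph, u) for u in users}


if __name__ == "__main__":
    for user, paths in report().items():
        print(user, "->", [" ".join(p) for p in paths] or "no escalation path")
```

On the constructed data, bob reaches an escalating policy twice (directly through iam:PassRole and via the DeployRole trust), while alice and carol, whose only reachable policy is read-only, reach none. Against a real Aaia import the same walk is a variable-length Cypher path query over the role-trust relationship; the relationship and label names would have to be taken from Aaia's own import, not from this example.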


Scallion lets you create vanity GPG keys and .onion addresses (for Tor's hidden services) using OpenCL. Scallion runs on Mono (tested in Arch Linux) and .NET 3.5+ (tested on Windows 7 and Server 2008). Scallion is currently in beta and under active development. Nevertheless, we feel that it is ready for use. Improvements are expected primarily in performance, user interface, and ease of installation, not in the overall algorithm used to generate keys.

FAQ: here are some frequently asked questions and their answers.

Why generate GPG keys? Scallion was used to find collisions for every 32-bit key ID in the Web of Trust's strong set, demonstrating how insecure 32-bit key IDs are. There was a talk at DEFCON (video) and additional info can be found at https://evil32.com/.

What are valid characters? Tor .onion addresses use Base32, consisting of all letters and the digits 2 through 7, inclusive. They are case-insensitive. GPG fingerprints use hexadecimal, consisting of the digits 0-9 and the letters A-F.

Can you use Bitcoin ASICs (e.g. Jalapeno, KnC) to accelerate this process? Sadly, no. While the process Scallion uses is conceptually similar (increment a nonce and check the hash), the details are different (SHA-1 vs double SHA-256 for Bitcoin). Furthermore, Bitcoin ASICs are as fast as they are because they are extremely tailored to Bitcoin mining applications. For example, here's the datasheet for the CoinCraft A-1, an…
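
The FAQ above says the search is "increment a nonce and check the hash". The following added example, not Scallion's code, shows what that hash is for the v2 .onion addresses Scallion targets and a CPU version of the search: the 16-character address is the base32 encoding of the first 80 bits of SHA-1 over the DER-encoded PKCS#1 RSAPublicKey, and the cheap nonce to vary is the public exponent, since changing it does not require generating a new modulus. The modulus below is a constructed odd integer with no cryptographic meaning, not a real key, and an exponent found this way still has to be coprime with φ(n) before the key is usable. Tor has since retired v2 addresses; v3 addresses are derived from ed25519 keys and are 56 characters long.

```python
"""Added example (not Scallion's code): derive a Tor v2 .onion address from an
RSA public key and search for a vanity prefix by walking the public exponent.
v2 address = base32(SHA-1(DER(RSAPublicKey{n, e}))[:10]), lower-cased.
SAMPLE_N is a constructed 1024-bit odd integer, not a real RSA modulus."""
import base64
import hashlib

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER (tag 0x02). Values are signed, so a positive value whose
    top bit is set gets a leading zero byte."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    inner = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(inner)) + inner


def onion_v2_address(n, e):
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode().lower()


def find_vanity_exponent(n, prefix, start=65537, max_tries=2_000_000):
    """Walk odd exponents upward until the address starts with `prefix`.
    Returns (e, address) or None. Expected work is about 32**len(prefix)
    hashes, which is why Scallion moves this loop onto the GPU."""
    e = start | 1
    for _ in range(max_tries):
        addr = onion_v2_address(n, e)
        if addr.startswith(prefix):
            return e, addr
        e += 2
    return None


# Constructed sample modulus: a 1024-bit odd number, not a real key.
SAMPLE_N = (1 << 1023) | 0x1234567890ABCDEF1234567890ABCDEF | 1

if __name__ == "__main__":
    print("base address:", onion_v2_address(SAMPLE_N, 65537) + ".onion")
    print("vanity search:", find_vanity_exponent(SAMPLE_N, "ab"))
```

Each additional prefix character multiplies the expected work by 32, which is the same scaling that makes a full 32-bit GPG key ID collision (16 hex characters of fingerprint are not needed, only the last 8) cheap enough to do for an entire keyring.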


Bluewall is a firewall framework designed for offensive and defensive cyber professionals. This framework allows cybersecurity professionals to quickly set up their environment while staying within their scope.

Credit: inspired by Andrew Benson's hostfw iptables generation script.

Features: Bluewall can configure the firewall, the hostname and the interface(s). Supported operating systems: Redhat/CentOS; a Windows configuration can be generated but not executed.

Commandline: bluewall -c config/example.ini (see the example configuration). Utils: Enumerate, to identify live hosts inside your network (coming soon).

Semantics:
* Target Host: outbound communication
* Trusted Host: bidirectional communication
* No Strike: devices your computer should not communicate with

Setup (built for Python 2.x): sudo python setup.py install, then sudo bluewall -h for help.

Getting started:
# Set up the initial environment using a configuration
sudo bluewall -c config/hostconfig.ini
# Export an optional Windows configuration
sudo bluewall -c config/hostconfig.ini -w autoconfig.ps1
# Add additional inbound hosts or ranges
sudo bluewall -ih 192.168.0.3,192.168.1.0/24
# Exclude a host from communication
sudo bluewall -eh 192.168.1.1
# Super easy wizard mode
sudo bluewall --wizard

Help: usage: bluewall [-h] [-V] [-v] [-r] [-p] [-i] [-d] [-w WINDOWS_CONFIG] [-ot TCP_PORTS_OUT]…
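
The three host classes above are the part of Bluewall worth understanding before running it, because the rule order decides whether "no strike" actually holds. The following is an added example, not Bluewall's code, that turns target, trusted and no-strike lists into iptables rule lines under the semantics the README gives (no-strike dropped both ways and placed first, trusted accepted both ways, target accepted outbound with established return traffic, default drop) and then simulates first-match evaluation of the generated OUTPUT chain so a ruleset can be checked against scope before it is loaded. The addresses and the optional outbound TCP port list are constructed sample values; the -ot flag in the help text is the only hint that Bluewall supports such a list, so treat that part as an assumption.

```python
"""Added example, not Bluewall's code: generate iptables rules from the
target / trusted / no-strike host classes and check them by simulating the
kernel's first-match evaluation. Sample addresses are constructed."""
import ipaddress


def _cidr(host):
    """'192.168.0.3' -> '192.168.0.3/32', '192.168.1.0/24' unchanged."""
    return str(ipaddress.ip_network(host, strict=False))


def generate_rules(targets=(), trusted=(), no_strike=(), tcp_ports_out=()):
    """Return iptables command lines in the order they must be applied."""
    rules = [
        "iptables -F INPUT", "iptables -F OUTPUT",
        "iptables -P INPUT DROP", "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
    ]
    # No-strike first: a later ACCEPT (even a trusted /24) can never reach them.
    for h in map(_cidr, no_strike):
        rules.append(f"iptables -A OUTPUT -d {h} -j DROP")
        rules.append(f"iptables -A INPUT -s {h} -j DROP")
    # Trusted: bidirectional.
    for h in map(_cidr, trusted):
        rules.append(f"iptables -A INPUT -s {h} -j ACCEPT")
        rules.append(f"iptables -A OUTPUT -d {h} -j ACCEPT")
    # Target: outbound only, optionally restricted to a TCP port list (assumed
    # to correspond to the -ot option); replies come back via conntrack.
    for h in map(_cidr, targets):
        if tcp_ports_out:
            ports = ",".join(str(p) for p in tcp_ports_out)
            rules.append(f"iptables -A OUTPUT -d {h} -p tcp -m multiport --dports {ports} -j ACCEPT")
        else:
            rules.append(f"iptables -A OUTPUT -d {h} -j ACCEPT")
    rules.append("iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    return rules


def outbound_verdict(rules, dst_ip, dport=None):
    """Walk the generated OUTPUT chain the way the kernel does: first matching
    -A rule wins, otherwise the chain policy applies. Only the rule shapes
    produced by generate_rules are understood."""
    ip = ipaddress.ip_address(dst_ip)
    policy = "DROP"
    for rule in rules:
        parts = rule.split()
        if "-P" in parts and parts[parts.index("-P") + 1] == "OUTPUT":
            policy = parts[-1]
        if "-A" not in parts or parts[parts.index("-A") + 1] != "OUTPUT" or "-d" not in parts:
            continue
        if ip not in ipaddress.ip_network(parts[parts.index("-d") + 1]):
            continue
        if "--dports" in parts:
            allowed = {int(p) for p in parts[parts.index("--dports") + 1].split(",")}
            if dport not in allowed:
                continue
        return parts[-1]
    return policy


if __name__ == "__main__":
    # Constructed scope: one target, one trusted range, one no-strike host inside it.
    ruleset = generate_rules(targets=["10.0.0.5"], trusted=["192.168.1.0/24"],
                             no_strike=["192.168.1.1"])
    print("\n".join(ruleset))
    for dst in ("192.168.1.1", "192.168.1.2", "10.0.0.5", "8.8.8.8"):
        print(dst, "->", outbound_verdict(ruleset, dst))
```

The interesting case is a no-strike host inside a trusted range: because the DROP lines are emitted before the trusted ACCEPT, 192.168.1.1 is dropped while 192.168.1.2 is accepted. Reversing those two loops would silently put the no-strike host back in scope, which is exactly what the simulation is there to catch.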


Framework to test any Anti-Cheat on the market. This can be used as a template or code base to test any anti-cheat and learn along the way. The entry level to reverse anti-cheats and cheats is quite high, therefore I'm releasing all the code I developed during my research. The main idea is to help people and motivate them to get into this topic, which is really interesting, and there is a lot to research about it. All this code is the result of research done for Recon2019 (Montreal) and BlackHat Europe 2019 (London). Twitter: @Niemand_sec. More info: Personal Blog.

A description of each module can be found in its folder. Modules can be used together or separately. Customization should be simple due to the modularity of the code.

Usage: most of the settings can be done using the config.ini file; however, some modules may require particular settings in the code, depending on your intentions. Remember to change the location of the config.ini file at CheatHelper/CheatHelper.cpp (variable configFile).

Modules (more coming in the future): CheatHelper, DriverDisabler, DriverHelper, DriverTester, HandleElevationDriver, HandleHijackingDLL, HandleHijackingMaster, LuaHook, StealthHijackingNormalDLL, StealthHijackingNormalMaster.

About this project: all this code is a result of the research presented at Recon 2019 and BlackHat Europe 2019: "Unveiling the underground world of Anti-Cheats". Links: First Release Info: https://recon.cx/2019/montreal/ …


gowitness is a website screenshot utility written in Golang that uses Chrome Headless to generate screenshots of web interfaces from the command line. Both Linux and macOS are supported, with Windows support 'partially working'. Inspiration for gowitness comes from Eyewitness. If you are looking for something with lots of extra features, be sure to check it out along with these other projects.

Installation: all you need is an installation of the latest Google Chrome or Chromium and gowitness itself. gowitness can be downloaded using go get -u github.com/sensepost/gowitness or using the binaries available for download from the releases page.

Running using Docker: to screenshot a page using Docker, run the following command, which also pulls the latest gowitness image:
docker run --rm -it -v $(pwd)/screenshots:/screenshots leonjza/gowitness:latest single --url=https://www.google.com
Keep in mind that a folder needs to be mounted into the container for gowitness to write your screenshots to, otherwise they will be lost when the container exits. The container is configured with the /screenshots/ directory as the working directory, so the above command mounts a local screenshots/ directory there. If you want to read an nmap file, save it locally into the screenshots directory and use it with:
docker run --rm -it -v $(pwd)/screenshots:/screenshots leonjza/gowitness:latest nmap -f /screenshots/nmap.xml
For any other commands, you…


Python library to remotely extract credentials. This blog post explains how it works. You can check the wiki. This library uses the impacket project to remotely read the necessary bytes of the lsass dump and pypykatz to extract credentials.

Requirements: Python >= 3.6, pypykatz >= 0.3.0, impacket.

Installation: from pip: python3.7 -m pip install lsassy. From sources: python3.7 setup.py install.

Basic usage: lsassy [--hashes [LM:]NT] [<domain>/]<user>[:<password>]@<target>

Advanced: this tool can dump lsass in different ways. Dumping methods (-m or --method):
0: try all methods (dll then procdump) to dump lsass, stop on success (requires -p if the dll method fails)
1: comsvcs.dll method, stop on success (default)
2: Procdump method, stop on success (requires -p)
3: comsvcs.dll + PowerShell method, stop on success
4: comsvcs.dll + cmd.exe method

comsvcs.dll method: this method only uses built-in Windows files to extract remote credentials. It uses the MiniDump function from comsvcs.dll to dump the lsass process. This method can only be used when the context has SeDebugPrivilege. This privilege is available either in a PowerShell local admin context or in a cmd.exe SYSTEM context. Two execution methods can be used: WMIExec with cmd.exe (no SeDebugPrivilege) or PowerShell (SeDebugPrivilege); ScheduledTasks with SYSTEM context (SeDebugPrivilege).

Procdump method: this method uploads procdump.exe from…
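
The comsvcs.dll method is attractive precisely because it uses only files already on the host, which also makes it a good detection target: the dump is triggered by loading comsvcs.dll and calling its MiniDump export (rundll32 directly, or wrapped in PowerShell or cmd.exe as in methods 3 and 4) with the lsass PID as the first argument. The following added example, not part of lsassy, runs that detection over constructed process-creation records whose fields mirror the shape of a Sysmon Event ID 1 or Windows 4688 event. Matches are graded by whether the PID argument resolves to lsass.exe, which separates a real dump from an unrelated command line that merely mentions comsvcs. The events, users and paths are made up; the ordinal form "comsvcs.dll, #24" is included because MiniDump can be called by ordinal as well as by name.

```python
"""Added example, not lsassy's code: detect the comsvcs.dll MiniDump technique
in process-creation telemetry. SAMPLE_EVENTS are constructed records whose
fields follow the shape of Sysmon Event ID 1 / Windows 4688 (not real logs)."""
import re

SAMPLE_EVENTS = [  # constructed
    {"pid": 412, "image": r"C:\Windows\System32\lsass.exe", "cmd": "lsass.exe", "user": "SYSTEM"},
    {"pid": 5120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 412 C:\Windows\Temp\x.dmp full",
     "user": "CORP\\svc-admin"},
    {"pid": 5300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -c "rundll32 C:\\windows\\system32\\comsvcs.dll, #24 412 C:\\temp\\l.bin full"',
     "user": "CORP\\svc-admin"},
    {"pid": 6000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL", "user": "CORP\\jdoe"},
    {"pid": 6100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c echo comsvcs.dll minidump is just a string here", "user": "CORP\\jdoe"},
]

# comsvcs[.dll] followed (optionally after a comma) by the MiniDump export,
# either by name or by its ordinal, #24.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(?:\.dll)?\s*,?\s*(?:minidump|#24)\b", re.I)
# First argument after the export name is the target PID.
PID_ARG = re.compile(r"(?:minidump|#24)\s+(\d+)", re.I)


def detect_lsass_dump(events):
    """Return one hit per command line that invokes comsvcs MiniDump, graded:
    high if the PID argument is lsass.exe in the same event set, medium if it
    names some other process, low if no PID argument is present."""
    lsass_pids = {e["pid"] for e in events if e["image"].lower().endswith("\\lsass.exe")}
    hits = []
    for e in events:
        if not COMSVCS_MINIDUMP.search(e["cmd"]):
            continue
        m = PID_ARG.search(e["cmd"])
        target = int(m.group(1)) if m else None
        if target in lsass_pids:
            severity = "high"
        elif target is not None:
            severity = "medium"   # MiniDump of another process: still worth a look
        else:
            severity = "low"      # string match only, no PID argument
        hits.append({"pid": e["pid"], "image": e["image"], "user": e["user"],
                     "target": target, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in detect_lsass_dump(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["user"], hit["image"], "->", hit["target"])
```

In real telemetry the PID lookup has to be scoped to the same host and boot session, since PIDs are reused; the sample keeps everything in one list to stay offline. The cmd.exe echo record is kept in deliberately: it matches the string pattern but carries no PID argument, so it is reported at low severity rather than dropped, which is the behaviour an analyst usually wants for a technique this cheap to run.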


LOLBITS is a C# reverse shell that uses Microsoft's Background Intelligent Transfer Service (BITS) to communicate with the Command and Control backend. The Command and Control backend is hidden behind an apparently harmless Flask web application and is only accessible when the HTTP requests received by the app contain a valid authentication header.

LOLBITS is composed of 3 main elements:
* The C# agent, which is in charge of executing the commands on the compromised host and sending the output back to the C&C server once the process is done.
* The Flask web application, which acts as a dispatcher. This element hides the C&C infrastructure behind a harmless website while supplying new commands to the agent when an authenticated request is received.
* The C&C console, used to control the agent.

To prevent proxies from inspecting the content, all the relevant content sent between the agent and the C&C server is encrypted using RC4 with a preshared secret key. A high-level diagram of the infrastructure behaviour is shown in the following diagram:

To stop the Blue Team from replaying old requests and discovering the C&C infrastructure, each authentication header is generated randomly and is valid for only one cycle (a cycle is a POST request followed by a GET request). Old authentication headers are ignored and the harmless website is displayed for those requests. …
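
The two mechanisms described above, RC4 under a preshared key and an authentication header that lives for exactly one POST-then-GET cycle, are small enough to show end to end. The following is an added example, not LOLBITS's code: a stand-in for the Flask dispatcher driven by plain function calls instead of HTTP, with an agent-side cycle function. How the agent learns the next header is not stated on the page, so this example assumes it is delivered inside the encrypted GET response together with the next task, and that the first token is shared out of band; the key, task and output strings are constructed. RC4 hides the payload from a casual proxy but is not a secure cipher, and the preshared key is the only thing protecting the channel.

```python
"""Added example, not LOLBITS's code: RC4 with a preshared key plus a
one-cycle authentication header, simulated without a network. The dispatcher
stands in for the Flask app; token delivery in the GET body is an assumption."""
import secrets


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


DECOY_PAGE = b"<html><body>Welcome to our company blog</body></html>"


class Dispatcher:
    """Serves the decoy page unless the Authorization header is the current
    one-time token and the request is the expected half of the cycle."""

    def __init__(self, psk: bytes):
        self.psk = psk
        self.pending_tasks = []                       # queued by the operator console
        self.results = []                             # decrypted agent output
        self.current_token = secrets.token_hex(16)    # first token shared out of band
        self.expected = "POST"                        # cycle = POST result, then GET task

    def queue_task(self, cmd: str):
        self.pending_tasks.append(cmd)

    def handle(self, method: str, headers: dict, body: bytes = b""):
        if headers.get("Authorization") != self.current_token or method != self.expected:
            return 200, DECOY_PAGE                    # replayed, stale or out-of-order: decoy
        if method == "POST":
            self.results.append(rc4(self.psk, body).decode())
            self.expected = "GET"
            return 200, b""
        task = self.pending_tasks.pop(0) if self.pending_tasks else "sleep"
        self.current_token = secrets.token_hex(16)    # rotate: the old header is now dead
        self.expected = "POST"
        return 200, rc4(self.psk, f"{self.current_token}|{task}".encode())


def run_cycle(dispatcher, psk: bytes, token: str, output: str):
    """Agent side: POST encrypted output, then GET the next task and token."""
    dispatcher.handle("POST", {"Authorization": token}, rc4(psk, output.encode()))
    _, body = dispatcher.handle("GET", {"Authorization": token})
    next_token, task = rc4(psk, body).decode().split("|", 1)
    return next_token, task


if __name__ == "__main__":
    psk = b"example-psk"                              # constructed
    d = Dispatcher(psk)
    d.queue_task("whoami")
    t1, task = run_cycle(d, psk, d.current_token, "beacon up")
    print("task:", task, "results:", d.results)
    print("replay gets decoy:", d.handle("GET", {"Authorization": t1}) == (200, DECOY_PAGE))
```

Two things the simulation makes concrete: an old header replayed after the cycle completes gets the decoy page, and so does the fresh header if the GET arrives before its POST, so a defender who captured one exchange cannot reuse either half of it. The RC4 known-answer pair in the test (key "Key", plaintext "Plaintext") is the standard vector and confirms the cipher is implemented correctly, which matters because a wrong RC4 would still "work" end to end here.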


What is a shell backdoor? A backdoor shell is a malicious piece of code (e.g. PHP, Python, Ruby) that can be uploaded to a site to gain access to files stored on that site. Once it is uploaded, the hacker can use it to edit, delete, or download any files on the site, or upload their own.

How to upload: hackers usually take advantage of an upload panel designed for uploading images onto sites. This is usually found once the hacker has logged in as the admin of the site. Shells can also be uploaded via exploits or remote file inclusion, or by a virus on the computer.

Uses: shells have many uses. They can be used to edit the webserver's directory index page, so that hackers can leave their mark or "deface" the site for visitors to see when they go to the homepage. Hackers may also use it to brute-force FTP or cPanel, allowing them more access to the website. Shells can also be used to gain root access on the server. Some hackers may choose to host malware or spyware on the sites they have uploaded their shell to, using various exploits. Please note that many shells contain malware themselves, and a 'Mark / deface page' might also contain malware to obtain visitors' passwords.

Prevention: to prevent a site from having a shell uploaded onto it, a webmaster must always keep up with the latest security updates and make sure to have a secure admin panel. They must also make sure that if they do have an admin panel, it only permits the user to…
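
The image upload panel mentioned above is the usual way in, so the check behind it is where prevention actually happens. The following added example, not from the page, puts a deliberately weak extension-only check next to a hardened one: the hardened version allow-lists the final extension, rejects a script extension anywhere in the name (shell.php.jpg), requires the file to begin with the signature of the declared image type, refuses image files with PHP or ASP tags embedded after a valid header, and returns a server-chosen random filename so the request never decides where or under what name the file lands. The sample uploads are constructed byte strings; the set of script extensions and markers is illustrative, not exhaustive.

```python
"""Added example, not the page's code: a weak image-upload check beside a
hardened one, run over constructed sample uploads."""
import os
import secrets

IMAGE_SIGNATURES = {            # leading bytes an upload of this type must start with
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTENSIONS = {"php", "php3", "php5", "php7", "phtml", "phar", "py", "rb",
                     "pl", "cgi", "asp", "aspx", "jsp", "htaccess"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def weak_upload_check(filename: str) -> bool:
    """Vulnerable version: trusts the last extension and (by implication) the
    client-supplied name. 'shell.php.jpg' passes; with Apache's mod_mime
    evaluating every extension of a multi-extension name under an
    AddHandler-based PHP setup it can still run as PHP, and a GIF header
    followed by PHP code passes any check that only looks at the name."""
    return filename.lower().rsplit(".", 1)[-1] in IMAGE_SIGNATURES


def hardened_upload_check(filename: str, data: bytes, max_size: int = 2_000_000):
    """Returns (accepted, reason) on rejection or (True, storage_name) on success."""
    name = os.path.basename(filename).lower()          # drop any path component
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:                 # no extension, or '.htaccess'
        return False, "no extension"
    ext = parts[-1]
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:-1]):
        return False, "double extension"
    if len(data) > max_size:
        return False, "too large"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script markers inside image data"
    # Server-chosen name with the validated extension. Store it outside the web
    # root or in a directory where script execution is disabled.
    return True, f"{secrets.token_hex(16)}.{ext}"


SAMPLES = {  # constructed uploads
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
    "image.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php.jpg": b"<?php system($_GET['c']); ?>",
    "poly.gif": b"GIF89a" + b"\x00" * 16 + b"<?php eval($_POST['x']); ?>",
    "../../.htaccess": b"AddType application/x-httpd-php .jpg\n",
}


def compare(samples=SAMPLES):
    """(weak verdict, hardened verdict) per constructed sample."""
    return {n: (weak_upload_check(n), hardened_upload_check(n, d)[0]) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name:18} weak={weak!s:5} hardened={hard}")
```

The signature and marker checks are heuristics: a real deployment should also re-encode the image with an image library so that anything not representable as pixels is discarded, and should never serve the upload directory with script execution enabled, which closes the gap even if a polyglot slips through.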


hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application. It can be used to discover forms, endpoints, subdomains, related domains and JavaScript files. The goal is to build the tool so that it can be easily chained with other tools such as subdomain enumeration tools and vulnerability scanners, for example: assetfinder target.com | hakrawler | some-xss-scanner

Features: unlimited, fast web crawling for endpoint discovery; fuzzy matching for domain discovery; robots.txt parsing; sitemap.xml parsing; plain output for easy parsing into other tools; accepts domains from stdin for easier tool chaining; SQLMap-friendly output format; link gathering from JavaScript files. Upcoming features: cleaner code. Want more? Submit a feature request!

Contributors: hakluke wrote the tool; cablej cleaned up the code; Corben Leo added functionality to pull links from JavaScript files. Thanks to codingo and prodigysml/sml555, my favourite people to hack with, a constant source of ideas and inspiration; they also provided beta testing and a sounding board for this tool in development. tomnomnom, who wrote waybackurls, which powers the wayback part of this tool. s0md3v, who wrote photon, which I took ideas from to create this tool. The folks from gocolly, the library which powers the crawler engine. oxffaa, who wrote a very efficient…
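
The feature list above is really a list of sources that endpoints leak from: anchors, form actions and script tags in HTML, Disallow lines in robots.txt, <loc> entries in sitemap.xml, and URL-like strings inside JavaScript. The following added example, not hakrawler's code, implements that extraction side with the standard library over constructed page content so it runs offline, resolves every finding against the base URL, and filters to the target host by default the way a scoped crawl would. The HTML, JavaScript, robots.txt and sitemap text are made up for the example, and the JavaScript regex is a simple heuristic for quoted absolute URLs and root-relative paths.

```python
"""Added example, not hakrawler's code: pull endpoints from the sources a
crawler like it uses (HTML, JS, robots.txt, sitemap.xml). Inputs are constructed."""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect hrefs, form actions and script sources from HTML."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self.scripts = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append(a.get("action") or "")   # '' means the page itself
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


# Quoted absolute URLs or root-relative paths inside JavaScript (heuristic).
JS_PATH_RE = re.compile(r"""["'](?:https?://[^"'\s]+|/[A-Za-z0-9_./?=&-]+)["']""")


def endpoints_from_js(js: str, base: str):
    return {urljoin(base, m.strip("\"'")) for m in JS_PATH_RE.findall(js)}


def endpoints_from_robots(text: str, base: str):
    """Allow/Disallow paths are endpoints the site owner considered worth naming."""
    paths = set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("allow", "disallow") and value.strip():
            paths.add(urljoin(base, value.strip()))
    return paths


def endpoints_from_sitemap(xml_text: str):
    root = ET.fromstring(xml_text)
    # Tag names carry the sitemap namespace, so match on the local name only.
    return {el.text.strip() for el in root.iter() if el.tag.endswith("loc") and el.text}


def crawl_findings(base, html, js, robots, sitemap, same_host_only=True):
    """Merge every source, resolve against base, optionally restrict to base's host."""
    parser = LinkExtractor()
    parser.feed(html)
    found = {urljoin(base, u) for u in parser.links + parser.forms + parser.scripts}
    found |= endpoints_from_js(js, base)
    found |= endpoints_from_robots(robots, base)
    found |= endpoints_from_sitemap(sitemap)
    if same_host_only:
        host = urlsplit(base).netloc
        found = {u for u in found if urlsplit(u).netloc == host}
    return sorted(found)


# Constructed sample content for a fictional target.
BASE = "https://target.example/"
SAMPLE_HTML = """<html><body>
<a href="/about">About</a><a href="https://cdn.example/lib.js">x</a>
<form action="/login" method="post"><input name="u"></form>
<script src="/static/app.js"></script></body></html>"""
SAMPLE_JS = 'fetch("/api/v1/users?id=1"); const u = "https://target.example/api/v1/admin";'
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup.zip\n"
SAMPLE_SITEMAP = ('<?xml version="1.0"?><urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
                  '<url><loc>https://target.example/blog/</loc></url></urlset>')

if __name__ == "__main__":
    for url in crawl_findings(BASE, SAMPLE_HTML, SAMPLE_JS, SAMPLE_ROBOTS, SAMPLE_SITEMAP):
        print(url)
```

Printing one URL per line is what makes output pipe-friendly in the way the README describes; the entries that carry a query string, such as the /api/v1/users?id=1 finding from the JavaScript, are the ones worth feeding to sqlmap, and the robots.txt entries (/admin/, /backup.zip) are the kind of thing a crawler that only follows links would never see.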
