MalConfScan is a Volatility plugin that extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps its configuration data. In addition, it can list the strings that the malicious code references.

Supported Malware Families
MalConfScan can dump the configuration data, decoded strings or DGA domains of the following malware families: Ursnif, Emotet, Smoke Loader, PoisonIvy, CobaltStrike, NetWire, PlugX, RedLeaves / Himawari / Lavender / Armadill / zark20rk, TSCookie, TSC_Loader, xxmm, Datper, Ramnit, HawkEye, Lokibot, Bebloh (Shiotob/URLZone), AZORult, NanoCore RAT, AgentTesla, FormBook, NodeRAT ( https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html ), njRAT, TrickBot, Remcos, QuasarRAT, Pony.

Additional Analysis
MalConfScan can list the strings that the malicious code references. Configuration data is usually stored in encoded form by the malware, but the malware writes the decoded configuration data to memory, where it may still be resident. This feature may therefore reveal decoded configuration data.

How to Install
If you want to know more details, please check the MalConfScan wiki.

How to Use
MalConfScan has two functions: malconfscan and malstrscan.

Export known malware configuration:
$ python vol.py malconfscan -f images.mem --profile=Win7SP1x64

List the referenced strings:
$ python vol.py malstrscan -f images.mem…

ispy: Eternalblue (ms17-010) / Bluekeep (CVE-2019-0708) scanner and exploiter (Metasploit automation).

How to install:
git clone https://github.com/Cyb0r9/ispy.git
cd ispy
chmod +x setup.sh
./setup.sh

Screenshots:

Tested On: Parrot OS, Kali Linux

Tutorial (How to use ispy)

info
GitHub profile: https://github.com/Cyb0r9
YouTube channel: https://youtube.com/c/Cyborg_TN
Ask Fm (ask me): https://ask.fm/Cyborg_TN
E-mail address: [email protected]

Disclaimer: usage of ispy for attacking targets without prior mutual consent is illegal. ispy is for security testing purposes only.

A powerful framework for network traffic analysis and security monitoring.

Key Features — Documentation — Getting Started — Development — License

Follow us on Twitter at @zeekurity.

Key Features
In-depth Analysis: Zeek ships with analyzers for many protocols, enabling high-level semantic analysis at the application layer.
Adaptable and Flexible: Zeek's domain-specific scripting language enables site-specific monitoring policies and means that it is not restricted to any particular detection approach.
Efficient: Zeek targets high-performance networks and is used operationally at a variety of large sites.
Highly Stateful: Zeek keeps extensive application-layer state about the network it monitors and provides a high-level archive of a network's activity.

Getting Started
The best place to find information about getting started with Zeek is our web site www.zeek.org, specifically the documentation section there. On the web site you can also find downloads for stable releases, tutorials on getting Zeek set up, and many other useful resources.

You can find release notes in NEWS, and a complete record of all changes in CHANGES.

To work with the most recent code from the development branch of Zeek, clone the master git repository:
git clone --recursive https://github.com/zeek/zeek

With all dependencies in place, build and install:
./configure && make && sudo make install

Write your first…

Maryam is a full-featured open-source intelligence (OSINT) framework written in Python. Complete with independent modules, built-in functions, interactive help, and command completion, it provides a command-line environment for forensic and open-source intelligence (OSINT) work.

Maryam is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output and making web requests. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.

What can be done
Can extract: Comments, Links, CDNs, CSS, JS files; Documentations (pdf, doc, ..); Keywords, errors, usernames, ..; DNS, TLD and bruteforce it; SiteMap.
Can identify: Interesting and important files; Emails from search engines; Onion related links; Subdomains from different sources; WebApps, WAF, ..; Social networks .. links.

OWASP Wiki Modules Guide

A utility to analyze malicious JavaScript.

Installation
Simply install box-js from npm:
npm install box-js --global

Usage
Looking to use box-js with Cuckoo? Use cuckoo-package.py as an analysis package.

Let's say you have a sample called sample.js: to analyze it, simply run
box-js sample.js

Chances are you will also want to download any payloads; use the flag --download to enable downloading. Otherwise, the engine will simulate a 404 error, so that the script will be tricked into thinking the distribution site is down and contacting any fallback sites.

Box.js will emulate a Windows JScript environment, print a summary of the emulation to the console, and create a folder called sample.js.results (if it already exists, it will create sample.js.1.results and so on). This folder will contain:
analysis.log, a log of the analysis as it was printed on screen;
a series of files identified by UUIDs;
snippets.json, a list of pieces of code executed by the sample (JavaScript, shell commands, etc.);
urls.json, a list of URLs contacted;
active_urls.json, a list of URLs that seem to drop active malware;
resources.json, the ADODB streams (i.e. the files that the script wrote to disk) with file types and hashes;
IOC.json, a list of behaviours identified as IOCs (Indicators of Compromise). These include registry accesses, written files, HTTP requests and so on.

You can analyze these by yourself, or you can automatically submit them to Malwr, …

FATT is a script for extracting network metadata and fingerprints such as JA3 and HASSH from packet capture files (pcap) or live network traffic. The main use-case is for monitoring honeypots, but you can also use it for other use cases such as network forensic analysis. fatt works on Linux, macOS and Windows.

Note that fatt uses pyshark (a python wrapper for tshark) and therefore the performance is not great! But that's not a big issue as obviously this is not a tool you use in production. You can use other network analysis tools such as Bro/Zeek, Suricata or Netcap for more serious use cases. Joy is another great tool you can use for capturing and analyzing network flow data. Other than that, I'm working on a go based version of fatt which is faster, and you can use its libraries in your gopacket based tools such as packetbeat. I released the initial version of its gQUIC library (QUICk).

Features
Protocol support: SSL/TLS, SSH, RDP, HTTP, gQUIC. To be added soon: IETF QUIC, MySQL, MSSQL, etc.
Fingerprinting:
JA3: TLS client/server fingerprint
HASSH: SSH client/server fingerprint
RDFP: my experimental RDP fingerprint for standard RDP security protocol (note that other RDP security modes use TLS and can be fingerprinted with JA3)
HTTP header fingerprint
gQUIC/iQUIC fingerprint will be added soon
JSON output

Getting Started
Install tshark
You need to first install tshark. Make sure you have the version v2.9.0 or…

Penta is a pentest automation tool using Python3. (Future!) It provides advanced features such as metasploit and nexpose to extract vuln info found on specific servers.

Installation
Install requirements: penta requires the following packages.
Python3.7
pipenv

Resolve python package dependency.
$ pipenv install
If you dislike pipenv…
$ pip install -r requirements.txt

Usage
$ pipenv run start <options>
If you dislike pipenv…
$ python penta/penta.py

Usage: List options
$ pipenv run start -h
usage: penta.py [-h] [-target TARGET] [-ports PORTS] [-proxy PROXY]
Penta is Pentest automation tool
optional arguments:
-h, --help show this help message and exit
-target TARGET Specify target IP / domain
-ports PORTS Please, specify the target port(s) separated by comma. Default: 21,22,25,80,110,443,8080
-proxy PROXY Proxy[IP:PORT]

Usage: Main menu
=== MENU LIST ===========================================
[0] EXIT
[1] Port scanning Default: 21,22,25,80,110,443,8080
[2] Nmap & vuln scanning
[3] Check HTTP option methods
[4] Grab DNS server info
[5] Shodan host search
[6] FTP connect with anonymous
[7] SSH connect with Brute Force
[99] Change target host

Port scanning: To check ports for a target. Log output supported.
Nmap: To check ports by additional means using nmap.
Check HTTP option methods: To check the…

tarnish is a static-analysis tool to aid researchers in security reviews of Chrome extensions. It automates much of the regular grunt work and helps you quickly identify potential security vulnerabilities. This tool accompanies the research blog post which can be found here. If you don't want to go through the trouble of setting this up you can just use the tool at https://thehackerblog.com/tarnish/.

Unpolished Notice & Notes
It should be noted that this is an un-polished release. This is the same source as the deployment located at https://thehackerblog.com/tarnish/. In the future I may clean this up and make it much easier to run but I don't have time right now.

To set this up you'll need to understand how to:
Configure an S3 bucket (if using auto-scaling)
Set up ElasticBeanstalk
Use docker-compose
Set up redis

The setup is a little complex due to a few design goals:
Effectively perform static analysis against Chrome extensions
Automatically scale up to increased workload with more instances and scale down.
Work on a shoestring budget (thus the use of ElasticBeanstalk with Spot Instances).

Some quick notes to help someone attempting to set this up:
tarnish makes use of Python Celery for analysis of extensions.
The Python Celery config uses redis as a broker (this will have to be created).
The workers which process extension analysis jobs run on AWS ElasticBeanstalk spot instances. For those unfamiliar, spot instances are basically…

B2R2 is a collection of useful algorithms, functions, and tools for binary analysis, written purely in F# (in .NET lingo, it is purely managed code). B2R2 has been named after R2-D2, a famous fictional robot that appeared in Star Wars. In fact, B2R2's original name was B2-R2, but we decided to use the name B2R2 instead, because .NET does not allow dash (-) characters in identifiers (or namespaces). The name essentially represents "binary" or "two": "binary" itself means "two" states anyway. "B" and "2" mean "binary", and "R" indicates reversing.

B2R2?
B2R2 is analysis-friendly: it is written in F#, which provides all the syntactic goodies for writing program analyzers, such as pattern matching, algebraic data types, etc.
B2R2 is fast: it has a fast and efficient front-end engine for binary analysis, which is written purely in a functional way. Therefore, it naturally supports pure parallelism for binary disassembling, lifting and IR optimization.
B2R2 is easy to play with: there is absolutely no dependency hell for B2R2 because it is a fully-managed library. All you need to do is to install the .NET Core SDK, and you are ready to go! Native IntelliSense support is another plus!
B2R2 is OS-independent: it works on Linux, Mac, Windows, etc. as long as .NET Core supports it.
B2R2 is interoperable: it is not bound to a specific language. Theoretically, you can use B2R2 APIs with any CLI…

Username recognition on various websites.

Installation
With pip3
# Linux
sudo -H pip3 install git+https://github.com/decoxviii/userrecon-py.git --upgrade
userrecon-py --help

Build from source
# Linux
git clone https://github.com/decoxviii/userrecon-py.git ; cd userrecon-py
sudo -H pip3 install -r requirements.txt
python3 setup.py build
sudo python3 setup.py install

Usage
Start by printing the available actions by running userrecon-py --help. Then you can perform the following tests:
# print all results.
userrecon-py target decoxviii --all -o test
# print positive results.
userrecon-py target decoxviii --positive -o test
# print negative results.
userrecon-py target decoxviii --negative -o test

decoxviii
MIT