What is DarkSpiritz?

Created by the SecTel Team it was a project of one of the owners to update and clean-up an older pentesting framework he had created to something updated and modern. DarkSpiritz is a re-vamp of the very popular framework known as “Roxysploit”. You may be familiar with this framework and if you are then it will help you with DarkSpiritz. DarkSpiritz also works like another pentesting framework known as Metasploit. If you know how to use metasploit setting up and working with DarkSpiritz will be a breeze. Inside the program itself you will find a lot of help and documentation on plugins or you can head to our wiki here. If you need any help feel free to contact us at sectel.team@protonmail.com.


Getting Started
Clone the repository with git:

git clone https://github.com/DarkSpiritz/DarkSpiritz.git

DarkSpiritz wiki available here
To install DarkSpiritz clone the github repo and run:

sudo python installer.py

This will download all necessary modules for DarkSpiritz. Once you run this you will be able to run:

python main.py

from within the same directory as DarkSpiritz.
You will see a start-up screen. This screen will display things like commands and configuration settings. You can set configuration settings inside the config.xml file itself or through commands in the DarkSpiritz shell.

Features:
These are features that DarkSpiritz Team prides themself on based on this program:

  • Real Time Updating of Configuration
  • Never a need to restart the program even when adding plugins or editing them.
  • Easy to use UX
  • Multi-functionality

Screenshots:

XenoScan is a memory scanner which can be used to scan the memory of processes to locate the specific locations of important values. These types of tools are typically used when hacking video games, as they allow one to locate the values representing the game's state in memory.
XenoScan is written in C++ with a Lua frontend, and I've been working on advanced functionality that goes beyond anything that has been in any other memory scanners I've seen. Notably, it has a way to enumerate and return all complex data structures (such as std::list and std::map) in the target's memory space, and it can even scan for any class instances and group the discovered instances by their underlying types.


Communication
If you need to get in touch with me, want a place to chat, or have a question, my Discord is the best place.

Sub-projects

XenoLua
XenoLua is a wrapper around Lua that provides a ton of functionality. Most notably, it provides a LuaVariant class which wraps the functionality of converting between C/C++ and Lua types. Additionally, it has helper functions for working with Lua in the LuaPrimitive class.

XenoScanEngine
XenoScanEngine is the meat of the project. It contains the code for the scanning, data structure detection, and everything else.

XenoScanLua
XenoScanLua ties XenoScanEngine to XenoLua to provide a Lua-scriptable frontend for the scanner. Currently, this is the only entry-point to the scanner.
Additionally, this project contains some test code that ensures everything is working properly. A test is a combination of a .cpp, a .h, and a .lua file. For examples on how to use the scanner, you can check out the .lua test files.

Compiling
XenoScan uses CMake, and has been tested with Visual Studio 2017. In theory, you should be able to build the code with any modernish compiler, as long as you use CMake to generate the project files. Before you can compile, you will need to make sure you've checked out the submodules. Once that's done, you'll also have to build the luajit submodule so XenoScan can link against the libraries.
If you're using Visual Studio, this should be easy. Simply run buildmsvc2017.bat from a Developer Command Prompt for VS. As an example, to build a project for Visual Studio 2017, I run

cd C:pathtoXenoScan
buildmsvc2017.bat

Which would make a file named XenoScan.sln appear in my build directory (e.g. C:pathtoXenoScanbuild).
The main development of XenoScan is done on this version of Visual Studio.
If you're on another system or using another compiler or IDE, you'll have to build luajit on your own and run CMake manually.

Platform
The code is designed to be platform-agnostic. Theoretically, to compile on any other platform, you would need to

  1. Create project/make files for your target IDE/compiler.
  2. Remove the ScannerTargetWindows.cpp and ScannerTargetWindows.h files from the project.
  3. Implement the ScannerTarget interface for your platform.
  4. Add your implementation to the project.
  5. ???? profit

Features
Basic scanning functionality supports the following types:

  • Integral types*:
    • int8_t
    • uint8_t
    • int16_t
    • uint16_t
    • int32_t
    • uint32_t
    • int64_t
    • uint64_t
  • float
  • double
  • ascii strings
  • wide strings
  • Custom data structures (think C++ struct)
    • Can consist of any combination integral and decimal types

* Lua frontend may choke on 64-bit integers, but the scanner library supports them.
Scanning supports the following types of matching:

  • Equal to
  • Greater than
  • Greater than or equal to
  • Less than
  • Less than or equal to
  • Ranges (min <= check <= max)

Additionally, there is functionality to detect all instances of the following types:

  • std::map
  • std::list
  • Any class with a virtual-function table

Burpsuite Plugin to decrypt AES Encrypted mobile app traffic.

Requirements

  • Burpsuite
  • Java


Tested on

  • Burpsuite 1.7.36
  • Windows 10
  • xubuntu 18.04
  • Kali Linux 2018

What it does

  • Decrypt AES Encrypted traffic on proxy tab
  • Decrypt AES Encrypted traffic on proxy, scanner, repeater and intruder

How it works

  • Require AES Encryption Key (Can be obtained by reversing mobile app)
  • Require AES Encryption Initialize Vector (Can be obtained by reversing mobile app)
  • Request Parameter (Leave blank in case of whole request body)
  • Response Parameter (Leave blank in case of whole response body)
  • Character Separated with space for obfuscation on request/response
  • URL/Host of target to filter request and response

How to Install

Download jar file from Release and add in burpsuite

Original Request/Response

Decrypted Request/Response

pwnedOrNot uses haveibeenpwned v2 api to test email accounts and tries to find the password in Pastebin Dumps.

Features
haveibeenpwned offers a lot of information about the compromised email, some useful information is displayed by this script:

  • Name of Breach
  • Domain Name
  • Date of Breach
  • Fabrication status
  • Verification Status
  • Retirement status
  • Spam Status

And with all this information pwnedOrNot can easily find passwords for compromised emails if the dump is accessible and it contains the password.

Tested on

  • Kali Linux 18.2
  • Ubuntu 18.04
  • Kali Nethunter
  • Termux

Installation
Ubuntu / Kali Linux / Nethunter / Termux

chmod 777 install.sh
./install.sh

Usage

python pwnedornot.py -h
usage: pwnedornot.py [-h] [-e EMAIL] [-f FILE]

optional arguments:
-h, --help show this help message and exit
-e EMAIL, --email EMAIL Email account you want to test
-f FILE, --file FILE Load a file with multiple email accounts

Demo

[youtube https://www.youtube.com/watch?v=R_Y_QzVmERA]

Requirements

  • BurpSuite Professional v2.0.0beta or greater from PortSwigger

Dependencies

go get -u -v github.com/fatih/color
go get -u -v github.com/integrii/flaggy
go get -u -v github.com/tidwall/gjson
go get -u -v github.com/grokify/html-strip-tags-go


Binaries
Latest version available here.

Building

# macOS binary
make darwin

# Linux binary
make linux

# Windows binary
make windows

# Build releases
make all

Usage

$ go run Gurp.go -h
Gurp - Interact with Burp API Flags:
-h --help Displays help with available flag, subcommand, and positional value parameters.
-t --target Burp Address. Default 127.0.0.1
-p --port Burp API Port. Default 1337
-U --username Username for an authenticated scan
-P --password Password for an authenticated scan
-s --scan URLs to scan
-S --scan-id Scanned URL identifier
-M --metrics Provides metrics for a given task
-D --description Provides description for a given issue
-d --description-names Returns vulnerability names from PortSwigger
-I --issues Provides issues for a given task
-e --export Export issues json.
-k --key Api Key
-v --version Gurp version
  • Create a scan
go run Gurp.go -s "localhost.com/WebGoat/attack"
[+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
[i] INFO Setting up scanner...
[+] SUCCESS: Scanning localhost.com/WebGoat/attack over 8.
  • Get Scan Metrics
go run Gurp.go -S 8 -M
[+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
[!] ALERT Retrieving Metrics from task 8
[i] INFO: Scan status succeeded
[i] INFO: 181 Requests made
[i] INFO: 0 Requests queued
[i] INFO: 6 Audit items completed
[i] INFO: 0 Audit items waiting
[i] INFO: 20058 Audit requests made
[i] INFO: 2 Audit network errors
[i] INFO: 5 Issue events
  • Get Issues from scan
go run Gurp.go -S 8 -I
[+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
[!] ALERT: Retrieving Issues from task 8
[i] INFO: Frameable response (potential Clickjacking)
[*] HIGH: Cleartext submission of password
[*] LOW: Password field with autocomplete enabled
[*] MEDIUM: Host header poisoning
[i] INFO: Path-relative style sheet import
  • Export Issues' json
go run Gurp.go -S 8 -e /tmp
[+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
[!] ALERT: Retrieving Issues from task 8
[i] INFO: Frameable response (potential Clickjacking)
[*] HIGH: Cleartext submission of password
[*] LOW: Password field with autocomplete enabled
[*] MEDIUM: Host header poisoning
[i] INFO: Path-relative style sheet import
[!] ALERT: Exporting raw json to /tmp
  • Launch an authenticated scan with user/password
go run Gurp.go -s test.com -U admin -P 1234
[+] SUCCESS: Found Burp API endpoint on 127.0.0.1:1337.
[i] INFO Setting up scanner using credentials admin:1234
[+] SUCCESS: Scanning test.com over 13.
  • Connect to Burp using API Key
go run Gurp.go -k "APIKEY" -d | grep -i SQL
[2] SQL injection
[3] SQL injection (second order)
[35] Client-side SQL injection (DOM-based)
[36] Client-side SQL injection (reflected DOM-based)
[37] Client-side SQL injection (stored DOM-based)
[68] SQL statement in request parameter

SubScraper uses DNS brute force, Google & Bing scraping, and Virus Total to enumerate subdomains without an API. Written in Python3, SubScraper performs HTTP(S) requests and DNS “A” record lookups during the enumeration process to validate discovered subdomains. This provides further information to help prioritize targets and aid in potential next steps. Post-Enumeration, “CNAME” lookups are displayed to identify subdomain takeover opportunities. 


Usage

python3 subscraper.py example.com
python3 subscraper.py -t 5 -o csv example.com

Options

  -s              Only use internet to find subdomains
-b Only use DNS brute forcing to find subdomains
-o OUTFILE Define output file type: csv/txt (Default: None)
-t MAX_THREADS Max threads (Default: 10)
-w SUBLIST Custom subdomain wordlist

NodeXP is an intergrated tool, written in Python 2.7, capable of detecting possible vulnerabilities on Node.js services as well as exploiting them in an automated way, based on S(erver)S(ide)J(avascript)I(njection) attack!


Getting Started – Installation & Usage
Download NodeXP by cloning the Git repository:

git clone https://github.com/esmog/nodexp

To get a list of all options run:

python2.7 nodexp -h

Examples for POST and GET cases accordingly:

python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
python2.7 nodexp.py --url="http://nodegoat.herokuapp.com/contributions" --pdata="preTax=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind

python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA"
python2.7 nodexp.py --url="http://192.168.64.30/?name=[INJECT_HERE]" -c="connect.sid=s:i6fKU7kSLPX1l00WkOxDmEfncptcZP1v.fy9whjYW0fGAvbavzYSBz1C2ZhheDuQ1SU5qpgVzbTA" --tech=blind

Disclaimer
The tool’s purpose is strictly academic and was developed in order to conduct my master's thesis. It could also be helpful during the process of a penetration test on Node.js services. Any other malicious or illegal usage of the tool is strongly not recommended and is clearly not a part of the purpose of this research.

Prerequisites

  • Python 2.7
  • Metasploit Framework
  • msfvenom
  • Kali Linux (or any other Linux distro with Metasploit Framework installed)

NodeXP Testbeds

  • Download and run the Node.js files for both GET and POST cases from here
  • Visit Nodegoat or install Nodegoat to your local machine!

Built With

  • Python 2.7

Versioning
NodeXP – Version 1.0.0

Authors

  • Dimitris Antonaropoulosesmog

An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring.
What is Kemon?
An open-source Pre and Post callback-based framework for macOS kernel monitoring. With the power of Kemon, we can easily implement LPC communication monitoring, MAC policy filtering, kernel driver firewall, etc. In general, from an attacker's perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, Kemon can help construct more granular monitoring capabilities. I also implemented a kernel fuzzer through this framework, which helped me find many vulnerabilities, such as: CVE-2017-7155, CVE-2017-7163, CVE-2017-13883, etc.


Supported Features
Kemon's features include:

  • file operation monitoring
  • process creation monitoring
  • dynamic library and kernel extension monitoring
  • network traffic monitoring
  • Mandatory Access Control (MAC) policy monitoring, etc.

In addition, Kemon project can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.

Getting Started

How to build the Kemon driver
Please use Xcode project or makefile to build the Kemon kext driver

How to use the Kemon driver

  • Please turn off macOS System Integrity Protection (SIP) check if you don't have a valid kernel certificate
  • Use the command “sudo chown -R root:wheel kemon.kext” to change the owner of the Kemon driver
  • Use the command “sudo kextload kemon.kext” to install the Kemon driver
  • Use the command “sudo kextunload kemon.kext” to uninstall the Kemon driver

BYOB (Build Your Own Botnet)

Disclaimer: This project should be used for authorized testing or educational purposes only.
BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.
It is designed to allow developers to easily implement their own code and add cool new features without having to write a RAT (Remote Administration Tool) or a C2 (Command & Control server) from scratch.
The RAT's key feature is that arbitrary code/files can be remotely loaded into memory from the C2 and executed on the target machine without writing anything to the disk.


Server
usage: server.py [-h] [-v] [--host HOST] [--port PORT] [--database DATABASE]
Command & control server with persistent database and console

  • Console-Based User-Interface: streamlined console interface for controlling client host machines remotely via reverse TCP shells which provide direct terminal access to the client host machines
  • Persistent SQLite Database: lightweight database that stores identifying information about client host machines, allowing reverse TCP shell sessions to persist through disconnections of arbitrary duration and enabling long-term reconnaissance
  • Client-Server Architecture: all python packages/modules installed locally are automatically made available for clients to remotely import without writing them to the disk of the target machines, allowing clients to use modules which require packages not installed on the target machines

Client
usage: client.py [-h] [-v] [--name NAME] [--icon ICON] [--pastebin API] [--encrypt] [--obfuscate] [--compress] [--compile] host port [module [module ...]]
Generate fully-undetectable clients with staged payloads, remote imports, and unlimited modules

  • Remote Imports: remotely import third-party packages from the server without writing them to the disk or downloading/installing them
  • Nothing Written To The Disk: clients never write anything to the disk – not even temporary files (zero IO system calls are made) because remote imports allow arbitrary code to be dynamically loaded into memory and directly imported into the currently running process
  • Zero Dependencies (Not Even Python Itself): client runs with just the python standard library, remotely imports any non-standard packages/modules from the server, and can be compiled with a standalone python interpreter into a portable binary executable formatted for any platform/architecture, allowing it to run on anything, even when Python itself is missing on the target host
  • Add New Features With Just 1 Click: any python script, module, or package you to copy to the ./byob/modules/ directory automatically becomes remotely importable & directly usable by every client while your command & control server is running
  • Write Your Own Modules: a basic module template is provided in ./byob/modules/ directory to make writing your own modules a straight-forward, hassle-free process
  • Run Unlimited Modules Without Bloating File Size: use remote imports to add unlimited features without adding a single byte to the client's file size
  • Fully Updatable: each client will periodically check the server for new content available for remote import, and will dynamically update its in-memory resources if anything has been added/removed
  • Platform Independent: everything is written in Python (a platform-agnostic language) and the clients generated can optionally be compiled into portable executable (Windows) or bundled into an standalone application (macOS)
  • Bypass Firewalls: clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections
  • Counter-Measure Against Antivirus: avoids being analyzed by antivirus by blocking processes with names of known antivirus products from spawning
  • Encrypt Payloads To Prevent Analysis: the main client payload is encrypted with a random 256-bit key which exists solely in the payload stager which is generated along with it
  • Prevent Reverse-Engineering: by default, clients will abort execution if a virtual machine or sandbox is detected

Modules
Post-exploitation modules that are remotely importable by clients

  1. Keylogger (byob.modules.keylogger): logs the user’s keystrokes & the window name entered
  2. Screenshot (byob.modules.screenshot): take a screenshot of current user’s desktop
  3. Webcam (byob.modules.webcam): view a live stream or capture image/video from the webcam
  4. Ransom (byob.modules.ransom): encrypt files & generate random BTC wallet for ransom payment
  5. Outlook (byob.modules.outlook): read/search/upload emails from the local Outlook client
  6. Packet Sniffer (byob.modules.packetsniffer): run a packet sniffer on the host network & upload .pcap file
  7. Persistence (byob.modules.persistence): establish persistence on the host machine using 5 different methods
  8. Phone (byob.modules.phone): read/search/upload text messages from the client smartphone
  9. Escalate Privileges (byob.modules.escalate): attempt UAC bypass to gain unauthorized administrator privileges
  10. Port Scanner (byob.modules.portscanner): scan the local network for other online devices & open ports
  11. Process Control (byob.modules.process): list/search/kill/monitor currently running processes on the host

Core
Core framework modules used by the generator and the server

  1. Utilities (byob.core.util): miscellaneous utility functions that are used by many modules
  2. Security (byob.core.security): Diffie-Hellman IKE & 3 encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)
  3. Loaders (byob.core.loaders): remotely import any package/module/scripts from the server
  4. Payloads (byob.core.payloads): reverse TCP shell designed to remotely import dependencies, packages & modules
  5. Stagers (byob.core.stagers): generate unique payload stagers to prevent analysis & detection
  6. Generators (byob.core.generators): functions which all dynamically generate code for the client generator
  7. Database (byob.core.database): handles interaction between command & control server and the SQLite database

Contact
Website: https://malwared.com
Email: security@malwared.com
Twitterhttps://twitter.com/malwaredllc

Aircrack-ng is a complete suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security:
  • Monitoring: Packet capture and export of data to text files for further processing by third party tools.
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
  • Testing: Checking WiFi cards and driver capabilities (capture and injection).
  • Cracking: WEP and WPA PSK (WPA 1 and 2).
All tools are command line which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily Linux but also Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

Aircrack-ng 1.4

It focuses a lot on code quality and adds a few visible features:

  • PMKID cracking
  • Crack 802.11w capture files
  • Speed and memory usage improvement when loading (large) files with Aircrack-ng and Airdecap-ng
  • Packages for Linux distributions and Windows
  • Fix building on various platforms
  • Improved and tweaked our CI/CD processes
  • Using new CI/CD tools for our buildbots and packaging, PyDeployer
  • Almost doubled the amount of tests

PMKID

On routers with 802.11i/p/r, the AP can cache an “ID” for the connection so roaming clients don't have to waste frames reauthenticating and just use the PMKID, which helps decrease a bit the latency (from 6 frames to only 2).

Calculation is of the PMKID is done this way:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" | BSSID | STA MAC)

A big advantage here is that this PMKID is present in the first EAPoL frame of the 4-way handshake.

A few caveats about this attack:

  • Sometimes APs send empty PMKID
  • It doesn't work on WPA/WPA2 Enterprise networks

When loading a PCAP, Aircrack-ng will detect if it contains a PMKID. In the following screenshot, it is present for the network ogogo, notice the “with PMKID” on the same line:

When selecting the network, it will use it as if it were a regular PCAP with a handshake (and thus the wordlist requirement applies).

If you'd like to test, two capture files with PMKID are available this test files:

More details about the attack itself can be found in this post.

More info: https://aircrack-ng.blogspot.com/2018/09/aircrack-ng-14.html

Install

git clone https://github.com/aircrack-ng/aircrack-ng
cd aircrack-ng
./autogen.sh
make
make install
cd src/
aircrack-ng