Framework for Digiduck Development Boards running ATTiny85 processors and micronucleus bootloader!

Roadmap:

  • Plan to implement a command for Duckyspark translation within the framework.


Requirements:
– ATTiny85 or other compatible “Digispark” Development Board(s)
– DigiSpark Drivers (If you can use it with arduino you should be fine.)
– OSX or MacOS
– ArduinoIDE with Digispark Library Installed

Getting Started:

Installation:
DigiDuck Framework (Referred to as DDF) is really simple to start and setup! There are no third party modules required for DDF! All you need to do is make sure you have Python 3.6+ (I used this to develop it but it should be backwards compatible *hopefully*). Clone this repository and enter the directory from the command line. Once inside the directory simply run:

python start.py

This will start the program and display the Welcome Screen shown above.

Help Menu::
There are three commands in this Framework! I wanted to make this as lightweight as possible so it only requires one command in order to get a payload onto your board.

Command: help
The help command displays this menu:

Command: show
The show command displays this menu:

All your available payloads will be shown here. However if you run the execute command they display again.

Execution:
The third and last command in DDF is execute. The execute command will display the same menu as the show command, however from this menu you will input the payload name. You have to include .hex at the end of it or it won't load correctly and ask you to enter it again.

execute command display.

Once you choose your payload you will be prompted to insert your desired board into the computer. From there it will install the desired payload and display this when completed:

Thats it! You can now go plug in your badUSB DigiSpark board into a computer and run the desired payload!

Payloads:
Payloads are DigiSpark .ino hex files that are installed using the micronucleus bootloader to your ATTiny85 or other boards.

Current Payloads:
All the current payloads are from Hak5's RubberDucky scripts available here. If you are unsure of what a payload may do this is the place to go read about it. I'll try to keep the payloads close to the same name but I don't want you on Windows to be typing out too much since rlcompleter doesn't work.

Creating a Payload:
Head to the (Duckyspark GitHub Page)[https://github.com/toxydose/Duckyspark] to see how to create your translated .ino file from a RubberDucky script. After that load your .ino file into Arduino IDE. Make sure Verbose is on inside Preferences and compile your code. Open the terminal output below and look for the .hex file location. It should be in a temp directory in your AppData or equivalent on MacOS. Here's and example:

This is right above where it tells you to plug in your board!
Pull the payloadname.cpp.hex file from that folder and drag it into payloads inside the DDF framework. Run the program and your payload will be loaded into Available Payloads!
Feel free to contribute by adding custom or more payloads from the Rubber Ducky scripts above! Make a PR with the new payloads.

Credits:
Duckyspark – https://github.com/toxydose/Duckyspark Micronucleus – https://github.com/micronucleus/micronucleus Hak5 RubberDucky Payloads – https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

A framework based on the Fiddler web debugger to study Exploit Kits, malvertising and malicious traffic in general.

Installation

Download and install the latest version of Fiddler
https://www.telerik.com/fiddler
Special instructions for Linux and Mac here:
https://www.telerik.com/blogs/fiddler-for-linux-beta-is-here
https://www.telerik.com/blogs/introducing-fiddler-for-os-x-beta-1

Enable C# scripting (Windows only)
Launch Fiddler, and go to Tools -> Options
In the Scripting tab, change the default (JScript.NET) to C#.

Change default text editor (optional)
In the same Tools -> Options menu, click on the Tools tab.

  • Windows: notepad.exe or notepad++.exe
  • Linux: gedit
  • Mac: /Applications/TextEdit.app or /Applications/TextWrangler.app

Close Fiddler

Download or clone CustomRules.cs into the appropriate folder based on your operating system:

  • Windows (7/10) C:Users[username]DocumentsFiddler2Scripts
  • Ubuntu /home/[username]/Fiddler2/Scripts/
  • Mac /Users/[username]/Fiddler2/Scripts/

Finish up the installation
Start Fiddler to complete the installation of EKFiddle. That's it, you're all set!

Features

Toolbar buttons
The added toolbar buttons give you quick shortcuts to some of the main features:

QuickSave
Dumps current web sessions into a SAZ named (QuickSave-“MM-dd-yyyy-HH-mm-ss”.saz) to EKFiddleCaptures.

UI mode
Toggle between the default column view or extra columns with additional information (includes time stamp, server IP and type, method, etc.).

VPN
VPN GUI directly built into Fiddler. It uses the OpenVPN client on Windows and Linux with ovpn files (sigining up with commercial VPN provider may be required). It will open up a new terminal/xterm whenever it connects to a new server via the selected .ovpn config file, killing the previous to ensure only one TAP adapter is used at any given time.

  • Windows

Download and install OpenVPN in default directory
Place your .ovpn files inside OpenVPN's config folder.

  • Linux (tested on Ubuntu 16.04)

sudo apt-get install openvpn
Place your .ovpn files in /etc/openvpn.

Proxy
Allows you to connect to an upstream proxy (HTTP/s or SOCKS).

Import SAZ/PCAP
A shortcut to load SAZ (Fiddler's native format) or PCAP (i.e. from Wireshark) captures.

View/Edit Regexes
View and create your custom regular expressions. Note: a master list is provided with auto-updates via GitHub. Additionally the custom list lets you create your own rules.
There are 4 types of indicators to match on:

  • URI (full or partial URI match)
  • IP (Single IP address or IP range)
  • SourceCode (Response Body)
  • Headers (any value within a Response's Headers)

Syntax:
Important! Fields are TAB delimited
URI My_URI_rule [a-z0-9]{2} Match URI
IP My_IP_address_rule 5.154.191.67 Match static IP address
IP My_IP_address_rule 5.154.191.(6[0-9]|70) Match an IP range
SourceCode My_sourcecode_rule vml=1 Look for specific string
Headers My_headers_rule nginx Look for specific string

Run Regexes
Run the master and custom regular expressions against current web sessions.

Clear Markings
Clear any comment and colour highlighting in the currently loaded sessions.

ContextAction menu
The ContextAction menu (accessed by right-clicking on any session(s) allows you to perform additional commands on selected sections. This can be very helpful to do quick lookups, compute hashes or extract IOCs.

Hostname or IP address (Google Search, RiskIQ, URLQuery, RiskIQ)
Query the hostname for the currently selected session.

URI

Build Regex
Create a regular expression from the currently selected URI. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.

Open in… Internet Explorer, Chrome, Firefox, Edge
This opens up the URI with the browser you selected.

Response Body

Remove encoding
Decodes the currently selected sessions (from their basic encoding).

Build Regex
Create a regular expression from the currently selected session's source code. This action opens up a regex website and the URI is already in the clipboard, ready to be pasted into the query field.

Calculate MD5/SHA256 hash
Get the current session's body and computes its hash.

Hybrid Analysis / VirusTotal lookup
Checks the current session's body for hash, then look up that hash.

Extract to Disk
Downloads the currently selection session(s)'s body to disk, into the ‘Artifacts' folder.

Extract IOCs
Copies into memory basic information from selected sessions so that they can be shared as IOCs. Extract Coinhive site keys

Connect-the-dots
Allows you to identify the sequence of events between sessions. Right-clik on the session you are interested in retracing your steps to and simply ‘connect the dots'. It will label the sequence of events from 01, to n within the comments column. You can reorder that column to have a condensed view of the sequence.

Crawler (experimental)
Load a list of URLs from a text file and let the browser automically visit them. Tools -> Crawler (experimental) -> Start crawler May require some tweaks in your browser's settings, in particular with regards to crash recovery.

Uninstalling EKFiddle
Delete CustomRules.cs

Injects C# EXE or DLL Assembly into any CLR runtime and AppDomain of another process. The injected assembly can then access static instances of the injectee process's classes and therefore affect it's internal state.


Usage
clrinject-cli.exe -p -a
Opens process with id or name , inject EXE and execute Main method.

Additional options

  • -e Enumerates all loaded CLR Runtimes and created AppDomains.
  • -d Inject only into -th AppDomain. If no number or zero is specified, assembly is injected into every AppDomain.
  • -i . Create an instance of class from namespace .

Examples

Usage examples

  • clrinject-cli.exe -p victim.exe -e

    (Enumerate Runtimes and AppDomains from victim.exe)

  • clrinject-cli.exe -p 1234 -a "C:PathToinvader.exe" -d 2

    (Inject invader.exe into second AppDomain from process with id 1234)

  • clrinject-cli.exe -p victim.exe -a "C:PathToinvader.dll" -i "Invader.Invader"

    (Create instance of Invader inside every AppDomain in victim.exe)

  • clrinject-cli64.exe -p victim64.exe -a "C:PathToinvader64.exe"

    (Inject x64 assembly into x64 process)

Injectable assembly example
Following code can be compiled as C# executable and then injected into a PowerShell process. This code accessees static instances of internal PowerShell classes to change console text color to green.

using System;
using System.Reflection;

using Microsoft.PowerShell;
using System.Management.Automation.Host;

namespace Invader
{
class Invader
{
static void Main(string[] args)
{
try
{
var powerShellAssembly = typeof(ConsoleShell).Assembly;
var consoleHostType = powerShellAssembly.GetType("Microsoft.PowerShell.ConsoleHost");
var consoleHost = consoleHostType.GetProperty("SingletonInstance", BindingFlags.Static | BindingFlags.NonPublic).GetValue(null);

var ui = (PSHostUserInterface)consoleHostType.GetProperty("UI").GetValue(consoleHost);
ui.RawUI.ForegroundColor = ConsoleColor.Green;
}
catch (Exception e)
{
Console.WriteLine(e.ToString());
}
}
}
}

Injection command:

clrinject-cli64.exe -p powershell.exe -a "C:PathToinvader64.exe"

Result:

The sandsifter audits x86 processors for hidden instructions and hardware bugs, by systematically generating machine code to search through a processor's instruction set, and monitoring execution for anomalies. Sandsifter has uncovered secret processor instructions from every major vendor; ubiquitous software bugs in disassemblers, assemblers, and emulators; flaws in enterprise hypervisors; and both benign and security-critical hardware bugs in x86 chips.
With the multitude of x86 processors in existence, the goal of the tool is to enable users to check their own systems for hidden instructions and bugs.


To run a basic audit against your processor:

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

The computer is systematically scanned for anomalous instructions. In the upper half, you can view the instructions that the sandsifter is currently testing on the processor. In the bottom half, the sandsifter reports anomalies it finds.
The search will take from a few hours to a few days, depending on the speed of and complexity of your processor. When it is complete, summarize the results:

./summarize.py data/log

Typically, several million undocumented instructions on your processor will be found, but these generally fall into a small number of different groups. After binning the anomalies, the summarize tool attempts to assign each instruction to an issue category:

  • Software bug (for example, a bug in your hypervisor or disassembler),
  • Hardware bug (a bug in your CPU), or
  • Undocumented instruction (an instruction that exists in the processor, but is not acknowledged by the manufacturer)

Press ‘Q' to quit and obtain a text based summary of the system scan:
The results of a scan can sometimes be difficult for the tools to automatically classify, and may require manual analysis. For help analyzing your results, feel free to send the ./data/log file to xoreaxeaxeax@gmail.com. No personal information, other than the processor make, model, and revision (from /proc/cpuinfo) are included in this log.

Results
Scanning with the sandsifter has uncovered undocumented processor features across dozens of opcode categories, flaws in enterprise hypervisors, bugs in nearly every major disassembly and emulation tool, and critical hardware bugs opening security vulnerabilities in the processor itself.
Details of the results can be found in the project whitepaper.
(TODO: detailed results enumeration here)

Building
Sandsifter requires first installing the Capstone disassembler: http://www.capstone-engine.org/. Capstone can typically be installed with:

sudo apt-get install libcapstone3 libcapstone-dev
sudo pip install capstone

Sandsifter can be built with:

make

and is then run with

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Flags
Flags are passed to the sifter with –flag, and to the injector with — -f.
Example:

sudo ./sifter.py --unk --dis --len --sync --tick -- -P1 -t

Sifter flags:

--len
search for length differences in all instructions (instructions that
executed differently than the disassembler expected, or did not
exist when the disassembler expected them to

--dis
search for length differences in valid instructions (instructions that
executed differently than the disassembler expected)

--unk
search for unknown instructions (instructions that the disassembler doesn't
know about but successfully execute)

--ill
the inverse of --unk, search for invalid disassemblies (instructions that do
not successfully execute but that the disassembler acknowledges)

--tick
periodically write the current instruction to disk

--save
save search progress on exit

--resume
resume search from last saved state

--sync
write search results to disk as they are found

--low-mem
do not store results in memory

Injector flags:

-b
mode: brute force

-r
mode: randomized fuzzing

-t
mode: tunneled fuzzing

-d
mode: externally directed fuzzing

-R
raw output mode

-T
text output mode

-x
write periodic progress to stderr

-0
allow null dereference (requires sudo)

-D
allow duplicate prefixes

-N
no nx bit support

-s seed
in random search, seed value

-B brute_depth
in brute search, maximum search depth

-P max_prefix
maximum number of prefixes to search

-i instruction
instruction at which to start search (inclusive)

-e instruction
instruction at which to end search (exclusive)

-c core
core on which to perform search

-X blacklist
blacklist the specified instruction

-j jobs
number of simultaneous jobs to run

-l range_bytes
number of base instruction bytes in each sub range

Keys
m: Mode – change the search mode (brute force, random, or tunnel) for the sifter
q: Quit – exit the sifter
p: Pause – pause or unpause the search

Algorithms
The scanning supports four different search algorithms, which can be set at the command line, or cycled via hotkeys.

  • Random searching generates random instructions to test; it generally produces results quickly, but is unable to find complex hidden instructions and bugs.
  • Brute force searching tries instructions incrementally, up to a user-specified length; in almost all situations, it performs worse than random searching.
  • Driven or mutation driven searching is designed to create new, increasingly complex instructions through genetic algorithms; while promising, this approach was never fully realized, and is left as a stub for future research.
  • Tunneling is the approach described in the presentation and white paper, and in almost all cases provides the best trade-off between thoroughness and speed.

Tips

  • sudo
    For best results, the tool should be run as the root user. This is necessary so that the process can map into memory a page at address 0, which requires root permissions. This page prevents many instructions from seg-faulting on memory accesses, which allows a more accurate fault analysis.
  • Prefixes
    The primary limitation for the depth of an instruction search is the number of prefix bytes to explore, with each additional prefix byte increasing the search space by around a factor of 10. Limit prefix bytes with the -P flag.
  • Colors
    The interface for the sifter is designed for a 256 color terminal. While the details vary greatly depending on your terminal, this can roughly be accomplished with:
     export TERM='xterm-256color'
  • GUI
    The interface assumes the terminal is of at least a certain size; if the interface is not rendering properly, try increasing the terminal size; this can often be accomplished by decreasing the terminal font size.
    In some cases, it may be desirable or necessary to run the tool without the graphical front end. This can be done by running the injector directly:
     sudo ./injector -P1 -t -0

    To filter the results of a direct injector invocation, grep can be used. For example,

     sudo ./injector -P1 -r -0 | grep '.r' | grep -v sigill

    searches for instructions for which the processor and disassembler disagreed on the instruction length (grep ‘.r'), but the instruction successfully executed (grep -v sigill).

  • Targeted fuzzing
    In many cases, it is valuable to direct the fuzzer to a specific target. For example, if you suspect that an emulator has flaws around repeated ‘lock' prefixes (0xf0), you could direct the fuzzer to search this region of the instruction space with the -i and -e flags:
     sudo ./sifter.py --unk --dis --len --sync --tick -- -t -i f0f0 -e f0f1 -D -P15
  • Legacy systems
    For scanning much older systems (i586 class processors, low memory systems), pass the –low-mem flag to the sifter and the -N flag to the injector:
     sudo ./sifter.py --unk --dis --len --sync --tick --low-mem -- -P1 -t -N

    If you observe your scans completing too quickly (for example, a scan completes in seconds), it is typically because these flags are required for the processor you are scanning.

  • 32 vs. 64 bit
    By default, sandsifter is built to target the bitness of the host operating system. However, some instructions have different behaviors when run in a 32 bit process compared to when run in a 64 bit process. To explore these scenarios, it is sometimes valuable to run a 32 bit sandsifter on a 64 bit system.
    To build a 32 bit sandsifter on a 64 bit system, Capstone must be installed as 32 bit; the instructions for this can be found at http://www.capstone-engine.org/.
    Then sandsifter must be built for a 32 bit architecture:
     make CFLAGS=-m32

    With this, the 32 bit instruction space can be explored on a 64 bit system.

References

  • A discussion of the techniques and results can be found in the Black Hat presentation.
  • Technical details are described in the whitepaper.
  • Slides from the Black Hat presentation are here.

Author
sandsifter is a research effort from Christopher Domas (@xoreaxeaxeax).

Easily run a hidden service inside the Tor network with this container
Generate the skeleton configuration for you hidden service, replace for your hidden service pattern name. Example, if you want to your hidden service contain the word ‘boss', just use this word as argument. You can use regular expressions, like ^boss, will generate an address wich will start with ‘boss'. Be aware that bigger the pattern, more time it will take to generate it.

docker run -it --rm -v $(pwd)/web:/web 
strm/tor-hiddenservice-nginx generate

Create an container named ‘hiddensite' to serve your generated hidden service

docker run -d --restart=always --name hiddensite -v $(pwd)/web:/web 
strm/tor-hiddenservice-nginx


Example
Let's create a hidden service with the name beginning with strm.

docker pull strm/tor-hiddenservice-nginx

Wait to the container image be downloaded. And them we can generate our site skeleton:

$docker run -it --rm -v $(pwd)/web:/web strm/tor-hiddenservice-nginx generate ^strm
[+] Generating the address with mask: ^strm
[+] Found matching domain after 137072 tries: strmfyygjp5st54g.onion
[+] Generating nginx configuration for site strmfyygjp5st54g.onion
[+] Creating www folder
[+] Generating index.html template

Now we have our skeleton generated, we can run the container with:

docker run -d --restart=always --name hiddensite 
-v $(pwd)/web:/web strm/tor-hiddenservice-nginx

And you have the service running ! 🙂

Troubleshoot

  • 403 error on nginx, check your directory permissions and folder permissions. Nginx run as “hidden” user, his UID is 666, just check if you give this user access to the /web/www folder (in the case the folder mapped to it).

Build
docker build -t strm/tor-hiddenservice-nginx .

Run
docker run -d –restart=always –name hiddensite
-v $(pwd)/web:/web strm/tor-hiddenservice-nginx

Shell
docker run -it –rm -v $(pwd)/web:/web
–entrypoint /bin/bash strm/tor-hiddenservice-nginx

ANDRAX The first and unique Penetration Testing platform for Android smartphones
What is ANDRAX
ANDRAX is a penetration testing platform developed specifically for Android smartphones, ANDRAX has the ability to run natively on Android so it behaves like a common Linux distribution, But more powerful than a common distribution!

Why is Android so powerful?
Simple, everyone has a smartphone and spends all the time with it! We have the possibility to camouflage easily in the middle of everyone, the processor architecture of most Android smartphones is ARM a modern and robust architecture extremely superior to the rest, With touch screens we can run the tools with great agility and take advantage of the graphical interface of Android, we can get in almost anywhere with our smartphones…
In technical terms, ANDRAX and NetHunter should never be compared, ANDRAX is a penetration testing platform for Android smartphones and NetHunter is just a Debian emulator running with chroot.
Termux is not our enemy, Termux is an application that allows installation of many Linux packages using a Debian environment running natively on Android.
ANDRAX and Termux have a similar development, ANDRAX and Termux share many libs and GNU/Linux resources.
But Termux is not a penetration testing platform, it's software to bring basic tools found in a Debian environment. Penetration tests are not something basic! But advanced techniques that involve advanced tools and a advanced environment to conduct good tests!
So you can install many tools manually in Termux but it would be extremely difficult to optimize and configure them to take 100% of the required potential for penetration testing.
Termux runs without root privileges and this makes it very difficult to use advanced tools. 

Features and Tools

Tool list

Information Gathering

  • Whois
  • Bind DNS tools
  • Dnsrecon
  • Raccoon
  • DNS-Cracker
  • Firewalk

Scanning

  • Nmap – Network Mapper
  • Masscan
  • SSLScan
  • Amap

Packet Crafting

  • Hping3
  • Nping
  • Scapy
  • Hexinject
  • Ncat
  • Socat

Network Hacking

  • ARPSpoof
  • Bettercap
  • MITMProxy
  • EvilGINX2

WebSite Hacking

  • 0d1n
  • Wapiti3
  • Recon-NG
  • PHPSploit
  • Photon
  • XSSer
  • Commix
  • SQLMap
  • Payloadmask
  • AbernathY-XSS

Password Hacking

  • Hydra
  • Ncrack
  • John The Ripper
  • CRUNCH

Wireless Hacking

  • VMP Evil AP
  • Aircrack-NG Tools
  • Cowpatty
  • MDK3
  • Reaver

Exploitation

  • MetaSploit Framework
  • RouterSploit Framework
  • Getsploit
  • OWASP ZSC
  • Rop-TOOL

More…

Advanced Terminal

Advanced and Professional terminal emulator for Hacking!

Dynamic Categories Overlay (DCO)

Beautiful tools category system 

Advanced IDE

Complete support for many programming languages

Information Gathering

Tools for initial informations about the target

Scanning

Tools for second stage: Scanning

Packet Crafting

Tools to craft network packets

Network Hacking

Tools for network hacking

WebSite Hacking

Tools for WebSite and WebApps Hacking

Password Hacking

Tools to break passwords

Wireless Hacking

Tools for Wireless Hacking

Exploitation

Tools for Dev and launch exploits

More info in official site.

Ever been wondering if your ISP is hijacking your DNS traffic? Ever observed any misbehavior with your DNS responses? Ever been redirected to wrong address and suspected something is wrong with your DNS? Here we have a set of tools to perform basic audits on your DNS requests and responses to make sure your DNS is working as you expect.
You can measure the response time of any given DNS server for arbitrary requests using dnsping. Just like traditional ping utility, it gives you similar functionality for DNS requests.
You can also trace the path your DNS request takes to destination to make sure it is not being redirected or hijacked. This can be done by comparing different DNS queries being sent to the same DNS server using dnstraceroute and observe if there is any difference between the path.
dnseval evaluates multiple DNS resolvers and helps you choose the best DNS server for your network. While it is highly recommended to use your own DNS resolver and never trust any third-party DNS server, but in case you need to choose the best DNS forwarder for your network, dnseval lets you compare different DNS servers from performance (latency) and reliability (loss) point of view.


Prerequisites
This script requires python3 as well as latest dnspython and cymruwhois.

Installation
There are several ways that you can use this toolset. However using the sourcecode is always recommended.

From Source Code

  1. You can checkout this git repo and its submodules
git clone https://github.com/farrokhi/dnsdiag.git
cd dnsdiag
pip3 install -r requirements.txt
  1. You can alternatively install the package using pip:
pip3 install dnsdiag

From Binary
From time to time, binary version will be released for Windows, Mac OS X and Linux platforms. You can grab the latest release from releases page.

dnsping
dnsping pings a DNS resolver by sending an arbitrary DNS query for given number of times:

% ./dnsping.py -c 3 -t AAAA -s 8.8.8.8 dnsdiag.org
dnsping.py DNS: 8.8.8.8:53, hostname: dnsdiag.org, rdatatype: AAAA
4 bytes from 8.8.8.8: seq=0 time=123.509 ms
4 bytes from 8.8.8.8: seq=1 time=115.726 ms
4 bytes from 8.8.8.8: seq=2 time=117.351 ms

--- 8.8.8.8 dnsping statistics ---
3 requests transmitted, 3 responses received, 0% lost
min=115.726 ms, avg=118.862 ms, max=123.509 ms, stddev=4.105 ms

This script calculates minimum, maximum and average response time as well as jitter (stddev)

dnstraceroute
dnstraceroute is a traceroute utility to figure out the path that your DNS request is passing through to get to its destination. You may want to compare it to your actual network traceroute and make sure your DNS traffic is not routed to any unwanted path.

% ./dnstraceroute.py --expert -C -t A -s 8.8.4.4 facebook.com
dnstraceroute.py DNS: 8.8.4.4:53, hostname: facebook.com, rdatatype: A
1 192.168.0.1 (192.168.0.1) 1 ms
2 192.168.28.177 (192.168.28.177) 4 ms
3 192.168.0.1 (192.168.0.1) 693 ms
4 172.19.4.17 (172.19.4.17) 3 ms
5 google-public-dns-b.google.com (8.8.4.4) 8 ms

=== Expert Hints ===
[*] public DNS server is next to a private IP address (possible hijacking)

Using --expert will instruct dnstraceroute to print expert hints (such as warnings of possible DNS traffic hijacking).

dnseval
dnseval is a bulk ping utility that sends an arbitrary DNS query to a give list of DNS servers. This script is meant for comparing response time of multiple DNS servers at once:

% ./dnseval.py -t AAAA -f public-servers.txt -c10 yahoo.com
server avg(ms) min(ms) max(ms) stddev(ms) lost(%) ttl flags
------------------------------------------------------------------------------------------------------
8.8.8.8 270.791 215.599 307.498 40.630 %0 298 QR -- -- RD RA -- --
8.8.4.4 222.955 171.753 307.251 60.481 %10 291 QR -- -- RD RA -- --
ns.ripe.net 174.855 160.949 187.458 10.099 %0 289 QR -- -- RD RA -- --
4.2.2.1 172.798 163.892 189.918 7.823 %0 287 QR -- -- RD RA -- --
4.2.2.2 178.594 169.158 184.696 5.067 %0 285 QR -- -- RD RA -- --
4.2.2.3 153.574 138.509 173.439 12.015 %0 284 QR -- -- RD RA -- --
4.2.2.4 153.182 141.023 162.323 6.700 %0 282 QR -- -- RD RA -- --
4.2.2.5 154.840 141.557 163.889 7.195 %0 281 QR -- -- RD RA -- --
209.244.0.3 156.270 147.320 161.365 3.958 %0 279 QR -- -- RD RA -- --
209.244.0.4 159.329 151.283 163.726 3.958 %0 278 QR -- -- RD RA -- --
195.46.39.39 171.098 163.612 181.147 5.067 %0 276 QR -- -- RD RA -- --
195.46.39.40 175.335 160.920 185.618 8.726 %0 274 QR -- -- RD RA -- --

Author
Babak Farrokhi

Atlas is an open source tool that can suggest sqlmap tampers to bypass WAF/IDS/IPS, the tool is based on returned status code.

Screen

Installation

$ git clone https://github.com/m4ll0k/Atlas.git atlas
$ cd atlas
$ python atlas.py

Usage

$ python atlas.py --url http://site.com/index.php?id=Price_ASC --payload="-1234 AND 4321=4321-- AAAA" --dbms=mysql --random-agent -v

Example

  1. Run SQLMap:
$ python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3

Price_ASC') AND 8716=4837 AND ('yajr'='yajr is blocked by WAF/IDS/IPS, now trying with Atlas:

$ python atlas.py --url 'http://site.com/index.php?id=Price_ASC' --payload="') AND 8716=4837 AND ('yajr'='yajr" --random-agent -v

At this point:

$ python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3 --tamper=versionedkeywords,...

What is Subdomain Takeover?
Subdomain takeover is a class of vulnerability where subdomain points to an external service that has been deleted. The external services are Github, Heroku, Gitlab, Tumblr and so on. Let’s assume we have a subdomain sub.example.com that points to an external service such as GitHub. If the Github page is removed by its owner and forgot to remove the DNS entry that points to GitHub service. An attacker can simply takeover subdomain by adding CNAME file containing the sub.example.com.
Here is the command that checks CNAME record of a subdomain.
$dig CNAME apt.shopify.com –> apt.shopify.com.s3-website-us-east-1.amazonaws.com.

How Can Takeover script help bug bounty hunters?
There are a lot of sites having thousands of subdomain and it’s really hard to check each subdomain. Here we got a script that shows CNAME record for each domain. It takes a file name as an input and perform some action and finally produce it output, which shows CNAME record for each domain. The input file should contain a list of subdomains.
How can I recognise if the subdomain is vulnerable to subdomain takeover?
There are some fingerprints should be analysed when service is deleted and DNS entry remains as it is. The attacker get this error when visiting vulnerable subdomain such as “There isn’t a Github Pages site here.” or view below image for more detail.

Security researcher @edoverflow has listed all services and their fingerprints. For more detail visit https://github.com/EdOverflow/can-i-take-over-xyz

Youtube

[youtube https://www.youtube.com/watch?v=vpCI8foxP00&w=560&h=315]

dex2jar Tools to work with android .dex and java .class files

  1. dex-reader/writer: Read/write the Dalvik Executable (.dex) file. It has a light weight API similar with ASM.
  2. d2j-dex2jar: Convert .dex file to .class files (zipped as jar)
  3. smali/baksmali: disassemble dex to smali files and assemble dex from smali files. different implementation to smali/baksmali, same syntax, but we support escape in type desc “Lcom/dex2jartu1234;”
  4. other tools: d2j-decrypt-string


Usage

sh d2j-dex2jar.sh -f ~/path/to/apk_to_decompile.apk

And the output file will be apk_to_decompile-dex2jar.jar.

Need help ?
send email to dex2jar@googlegroups.com
or post on issue trackers list above.