Tuesday, January 22, 2019

Open-Sourced Remote Vulnerability Testing Framework - Pocsuite

Pocsuite is an open-source remote vulnerability testing and proof-of-concept development framework developed by the Knownsec 404 Team.

It comes with a powerful proof-of-concept engine and many niche features for penetration testers and security researchers.

Features

  • PoC scripts can run in `attack`, `verify` or `shell` mode, each behaving differently
  • Plugin ecosystem
  • Dynamic loading of PoC scripts from anywhere (local file, Redis, database, Seebug ...)
  • Loading of multiple targets from anywhere (CIDR, local file, Redis, database, ZoomEye ...)
  • Results can be easily exported
  • Dynamic patching and hooking of requests
  • Usable both as a command-line tool and as an importable Python package
  • IPv6 support
  • Global HTTP/HTTPS/SOCKS proxy support
  • Simple spider API for PoC scripts to use
  • Integration with [Seebug](https://www.seebug.org) (to load PoCs from the Seebug website)
  • Integration with [ZoomEye](https://www.zoomeye.org) (to load targets from a ZoomEye `Dork`)
  • Integration with [Ceye](http://ceye.io/) (to verify blind DNS and HTTP requests)
  • More ...

Functions

Vulnerability Testing Framework

Written in Python and supporting two plugin-invoked modes, validation and exploitation, Pocsuite can import batches of targets from files and test them against multiple exploit plugins. (See "Pocsuite usage".)

PoC/Exp Development Kit

Like Metasploit, it is a development kit for pentesters to develop their own exploits. With Pocsuite, you write only the core PoC/Exp logic without worrying about output handling and similar details. To date, at least several hundred people have written PoCs/Exps based on Pocsuite.

Integratable Module

Users can utilize the auxiliary modules packaged in Pocsuite to extend their exploit functions, or integrate Pocsuite to develop other vulnerability assessment tools.

Integrated ZoomEye And Seebug APIs

Pocsuite is also an extremely useful tool for integrating the Seebug and ZoomEye APIs in a collaborative way. Vulnerability assessment can be done automatically and effectively by searching for targets through ZoomEye and acquiring PoC scripts from Seebug or locally.

Installation

pocsuite3 works out of the box with Python 3.x on any platform.
You can use Git to clone the latest source code repository:

    $ git clone git@github.com:knownsec/pocsuite3.git
 
Or click here to download the latest source zip package and extract it:

    $ wget https://github.com/knownsec/pocsuite3/archive/master.zip
    $ unzip master.zip
    $ cd Pocsuite
    $ python cli.py --version

Or use pip:

    $ pip install pocsuite
    $ pocsuite --version

More Videos : https://asciinema.org/a/133345

Download / Ref Link :

https://github.com/knownsec/Pocsuite
https://pocsuite.org/index-en.html

Sunday, January 13, 2019

GUI Based Snort Rule Creator / Maker - SNORPY

SNORPY is a simple GUI / web-based Snort rule creator / maker for building simple Snort rules.

Snorpy is a simple Snort rule creator / builder / maker made originally with Python, but I made the most recent version with Node and jQuery.

Install
  1. Install nodejs
  2. Download repo
  3. Unzip the file name node_modules.zip
  4. cd /to/the/path/of/app.js
  5. run the following command: "node app.js"
Should be that easy.

Video Ref : https://vimeo.com/182794567

Download Link : https://github.com/chrisjd20/Snorpy

Online Play : http://snorpy.com/

Tuesday, January 1, 2019

Bulk_Extractor - Best Forensics tool to Extracts Sensitive Information

The purpose of Bulk Extractor is to locate potentially sensitive information such as email addresses and credit card numbers, as well as other types of information such as GPS coordinates and image file types.

Bulk Extractor ignores the file system and scans the media linearly. This, in combination with parallel processing, makes the tool very fast. It will have an issue with fragmented files, but typically, files aren't fragmented.

bulk_extractor can be used on Windows, Linux, and Macintosh OS X platforms.
This page contains instructions for downloading, building and installing bulk_extractor on Linux and OS X, and for downloading and installing the bulk_extractor binary on Windows. If you would like to build your own Windows binary

bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
We have made the following tools available for processing feature files generated by bulk_extractor:
  • A small number of Python programs that perform automated processing on feature files.
  • A Bulk Extractor Viewer User Interface (BEViewer) for browsing features stored in feature files and for launching bulk_extractor scans. Please see page BEViewer.

Installation Steps for Windows / Linux :




Output Feature Files

bulk_extractor now creates an output directory that has the following layout:
  • alerts.txt: Processing errors.
  • ccn.txt: Credit card numbers.
  • ccn_track2.txt: Credit card "track 2" information, which has previously been found in some bank card fraud cases.
  • domain.txt: Internet domains found on the drive, including dotted-quad addresses found in text.
  • email.txt: Email addresses.
  • ether.txt: Ethernet MAC addresses found through IP packet carving of swap files and compressed system hibernation files and file fragments.
  • exif.txt: EXIFs from JPEGs and video segments. This feature file contains all of the EXIF fields, expanded as XML records.
  • find.txt: The results of specific regular expression search requests.
  • identified_blocks.txt: Block hash values that match hash values in a hash database that the scan was run against.
  • ip.txt: IP addresses found through IP packet carving.
  • rfc822.txt: Email message headers including Date:, Subject: and Message-ID: fields.
  • tcp.txt: TCP flow information found through IP packet carving.
  • telephone.txt: US and international telephone numbers.
  • url.txt: URLs, typically found in browser caches, email messages, and pre-compiled into executables.
  • url_searches.txt: A histogram of terms used in Internet searches from services such as Google, Bing, Yahoo, and others.
  • url_services.txt: A histogram of the domain name portion of all the URLs found on the media.
  • wordlist.txt: A list of all "words" extracted from the disk, useful for password cracking.
  • wordlist_*.txt: The wordlist with duplicates removed, formatted in a form that can be easily imported into a popular password-cracking program.
  • zip.txt: A file containing information regarding every ZIP file component found on the media. This is exceptionally useful, as ZIP files contain internal structure and ZIP is increasingly the compound file format of choice for a variety of products such as Microsoft Office.
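As an added example (not code from bulk_extractor or from this post), the following Python reads the tab-separated layout these feature files share (offset, feature, context, after `#` header lines), keeps the base byte offset out of forensic-path offsets such as `2097152-GZIP-512`, builds a per-feature histogram like the `*_histogram.txt` files, and applies a Luhn mod-10 check to weed out digit runs that only look like card numbers in ccn.txt. The sample file contents are constructed, not real case data.

```python
from collections import Counter

# Constructed sample of a bulk_extractor ccn.txt feature file (not real case data):
# '#' header lines, then offset <TAB> feature <TAB> context per line. Offsets may
# carry a forensic path (e.g. 2097152-GZIP-512) for features in decompressed data.
SAMPLE_CCN_TXT = """\
# BULK_EXTRACTOR-Version: 1.5.5
# Feature-Recorder: ccn
# Feature-File-Version: 1.1
1048576\t4111111111111111\tcard=4111111111111111&exp=
2097152-GZIP-512\t4111111111111111\t"number": "4111111111111111"
3145728\t1234567812345678\tserial 1234567812345678 ok
"""

def parse_feature_file(text):
    """Yield (offset, feature, context) per data line, skipping '#' headers."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t", 2)
        if len(parts) < 2:
            continue  # malformed line: skip it rather than abort the whole run
        offset, feature = parts[0], parts[1]
        context = parts[2] if len(parts) == 3 else ""
        yield offset, feature, context

def base_offset(offset):
    """Byte offset within the image: the first element of a forensic path."""
    return int(offset.split("-", 1)[0])

def luhn_ok(digits):
    """Luhn mod-10 check, used to filter random digit runs out of ccn.txt hits."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def histogram(text, validate=None):
    """Count each feature (as *_histogram.txt does); optionally drop invalid ones."""
    counts = Counter()
    for _, feature, _ in parse_feature_file(text):
        if validate is None or validate(feature):
            counts[feature] += 1
    return counts
```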

Download Link :

http://downloads.digitalcorpora.org/downloads/bulk_extractor/ 

https://www.kazamiya.net/en/bulk_extractor-rec

https://github.com/simsong/bulk_extractor

Monday, December 31, 2018

Local Administrator Password Solution (LAPS) - Microsoft Free Password Management Tool

Local Administrator Password Solution (LAPS) is a Microsoft product that manages the local administrator password and stores it in Active Directory (AD). This solution automatically updates the password on a routine basis. The Microsoft Infrastructure (MI) team has implemented the LAPS schema extensions and created a default set of permissions to retrieve a password stored in AD.

Passwords are stored in AD and protected by an ACL, so only eligible users can read them or request a reset.

LAPS Architectural Diagram (image not reproduced; Img Source: Microsoft)


Deployment Steps :




Security

  • Random password that is changed automatically and regularly on managed machines
  • Effective mitigation of pass-the-hash attacks
  • Password is protected in transit by Kerberos encryption
  • Password is protected in AD by an AD ACL, so a granular security model can be easily implemented

Manageability

  • Configurable password parameters: age, complexity and length
  • Ability to force a password reset on a per-machine basis
  • Security model integrated with AD ACLs
  • End-user UI can be any AD management tool of choice; custom tools (PowerShell and a fat client) are also provided
  • Protection against computer account deletion
  • Easy implementation and minimal footprint

Requirements

  • Active Directory:
    • Windows 2003 SP1 and above
  • Managed/Client machines:
    • Windows Server 2016
    • x86 or x64
    • Windows Server 2012 R2 Datacenter
    • Windows Server 2012 R2 Standard
    • Windows Server 2012 R2 Essentials
    • Windows Server 2012 R2 Foundation
    • Windows 8.1 Enterprise
    • Windows 8.1 Pro
    • Windows Server 2012 Datacenter
    • Windows Server 2012 Standard
    • Windows Server 2012 Essentials
    • Windows Server 2012 Foundation
    • Windows 8 Enterprise
    • Windows 8 Pro
    • Windows Server 2008 R2 Service Pack 1
    • Windows 7 Service Pack 1
    • Windows Server 2008 Service Pack 2
    • Windows Vista Service Pack 2
    • Microsoft Windows Server 2003 Service Pack 2
    • Itanium NOT supported
  • Management tools:
    • .NET Framework 4.0
    • PowerShell 2.0 or above

Download Link :

https://www.microsoft.com/en-us/download/details.aspx?id=46899

Wednesday, November 14, 2018

Free Risk Assessment Tool - Titania

The Risk Assessment Tool is a quick-to-implement, easy-to-use tool that helps you lock down your workstations and servers against attack. Discover new vulnerabilities (that others might find) and harden your network today.

Cyber Essentials, the inspiration for our Risk Assessment Tool, is a Government-backed and industry-supported scheme to guide businesses in protecting themselves from cyber threats. It is derived from years of research on business breaches, which resulted in practical, easy-to-implement actions removing up to 80% of your cyber risk.

The five controls, designed to maximise protection of your business, are:
  • Boundary Firewalls and Internet Gateways
  • Secure Configuration
  • Access Control
  • Malware Protection
  • Patch Management

Despite its relative simplicity, basic knowledge of information security is required to understand and complete the Cyber Essentials self-assessment questionnaire (both in language and in practice). This knowledge is something many businesses either don't have or find costly to hire (IT experts are often busy, costly or both!).

Titania's automated audits help at every step: our free Risk Assessment Tool is simple enough for SMEs, and our enterprise tools (Paws and Nipper Studio) will accelerate compliance, cut costs and free up your experts for the many projects on their "to do" list...

A Lancaster University study of Cyber Essentials found:

“This, more than anything else should be understood by SMEs, taking no action to combat cyber threats simply isn’t an option. With Cyber Essentials tools, more than 99% of the vulnerabilities in SMEs interviewed were mitigated.”

Download Link : https://www.titania.com/downloads/riskassessmenttool-1.3.291-win64.exe

Ref / Key Link : https://www.titania.com/customers/bonus-tools/risk-assessment-tool

Tuesday, October 30, 2018

YARA - Rule Management

YaraGuardian

A Django web interface for managing Yara rules. The manager enables users to:

* Search for specific rules based on rule characteristics
* Categorize and organize rules easily and in bulk
* Make bulk edits on desired/filtered rules
* Track characteristics of the entire rule repository
* Automatically prevent and detect duplicate entries

Ref / Download Link : https://github.com/PUNCH-Cyber/YaraGuardian

YaraManager

Web-based manager for Yara rules.

Ref / Download Link : https://github.com/kevthehermit/YaraManager

YaraEditor

YaraEditor Web is a powerful web framework to write, test and organize your Yara rules. It features syntax highlighting, team collaboration features and a publishing workflow.

FEATURES
  • Self-hosted solution (PHP/MySQL server needed)
  • Can run on a Synology NAS (with Web Station)
  • REST API (submit, delete, update, get), with API key
  • Authentication with a modified UserCake library
  • User rights management
  • Easy to customize, with only one config file to change
  • File management (creation/editing/removal)
  • File export
  • Rule management (creation/editing/removal)
  • Rule viewer
  • Rule export
  • Rule import
  • Name rules/files when copying them
  • Stats page
  • Search page (with magic field)
  • Permissions (contributor, publisher, ...)
  • History page
  • Recycle bin
  • Syntax check (with yara-python)
  • Rule test (with yara-python)
  • Tests page (strings -ANSI/UNICODE-, hex strings, files -local storage-)
  • User comments (with conversations)

Ref / Download Link : https://github.com/Tigzy/yaraeditor

Plyara

Plyara is a script and library that lexes and parses a file consisting of one or more YARA rules into a Python dictionary representation. The goal of this tool is to make it easier to perform bulk operations or transformations on large sets of YARA rules, such as extracting indicators, updating attributes, and analyzing a corpus. Other applications include linters and dependency checkers.

Ref / Download Link : https://plyara.readthedocs.io/en/latest/
Monday, September 17, 2018

Free / Open Source Compromise Assessment Tools

OTX (Open Threat Exchange)

AlienVault provides OTX Endpoint Threat Hunter, which is free, fast, and simple.

AlienVault's threat hunting service, OTX Endpoint Threat Hunter, is an open and free service that natively uses the community-powered threat intelligence of OTX to scan your endpoints for known indicators of compromise (IOCs).

OTX Endpoint Threat Hunter uses the same agent-based approach as expensive endpoint security tools and DIY open source agents, without the expense, complexity, or guesswork.


How It Works
  • OTX Endpoint Threat Hunter is available to any registered Open Threat Exchange (OTX) user. It’s free to join OTX.
  • To get started, download and install the AlienVault® Agent on the Windows or Linux devices you want to monitor. The AlienVault Agent is immediately ready to find threats.
  • You can launch a query on any endpoint from OTX by selecting a pre-defined query that looks for IOCs in one or more OTX pulses.
  • Once launched, the AlienVault Agent executes the query, and the results of the query display on a summary page within OTX.


CERTitude is a Python-based tool which aims at assessing the compromised perimeter during incident response assignments. It allows analysts to perform large-scale scans of Windows-based information systems by searching for behavioral patterns described in IOC (Indicator of Compromise) files. The tool is currently composed of two main components:
  • The Python Flask-based web interface, used to configure the scans and visualize their results;
  • The scanner, which connects to remote targets and runs the search for IOCs.

CERTitude is an open-source tool developed by CERT-Wavestone. It is brought to you freely, but user support is only provided on a best-effort basis.

Compatibility

CERTitude is compatible with a wide range of target Windows operating systems, from XP / 2003 to Windows 10 / Server 2016. Though CERTitude can be run from a Linux host, it is only fully supported on Windows as some features may not be implemented on Linux.

Features:

  • Ability to scan hosts in a way that prevents the target workstation from knowing what the investigator is searching for
  • Ability to retrieve some pieces of data from the hosts
  • Multiple scanner instances (for IOCs and/or hash scans) can be run at the same time for parallel scanning
  • Built with security considerations in mind (protected database, secure communications with hosts using IPSec)