ftp – Security List Network™ http://seclist.us Wed, 25 Apr 2018 22:10:46 +0000 en-US hourly 1

Access Brute Force – Android v7+ application to perform a dictionary bruteforce attack. http://seclist.us/access-brute-force-android-v7-application-to-perform-a-dictionary-bruteforce-attack.html Sat, 24 Mar 2018 22:50:43 +0000 http://seclist.us/?p=16954
Access Brute Force: Android v7+ application to perform a dictionary brute force attack against a host exposing:
+ SMB Windows shares.
+ FTP server.
+ SSH access.
The application is developed using Android Studio, so you can import the project into it to compile an APK bundle.

Motivation
This tool was developed in order to provide help in this case:

During the reconnaissance phase of an authorized network-level penetration test, when an open WIFI network is identified in which the connected hosts expose SMB Windows shares (see port 445 open), an FTP server or SSH access, the goal is to perform a quick evaluation, from a smartphone (easier to launch and hide than a laptop), of the attack surface represented by these points.

The application allows downloading and keeping password dictionaries from a predefined list of dictionaries or from the device itself (for tailored password dictionaries).

access_brute_force

Follow these steps:
1. Create a JKS keystore with an RSA keypair.
2. Create a file named keystore.properties at the root folder level (same location as the gradlew file) with the following content:

storePassword=[StorePassword]
keyPassword=[KeyPassword]
keyAlias=[KeyAlias]
storeFile=[Store file full location or relative location from app sub folder]

Example:

# Configuration of the keystore used to sign the released APK
storePassword=fB5YDpcvTvQH7Sg399xG49YFK
keyPassword=gHTaEq93Xe93c3rWJu8v33WVB
keyAlias=keys
storeFile=../release-keystore.jks

3. Run the following command line: gradlew clean cleanBuildCache assembleRelease
4. The APK is available in the folder [ROOT_FOLDER]/app/build/outputs/apk

The application should be combined with the following applications to enhance efficiency:
– FING: for WIFI network discovery and target identification.
– FILE MANAGER: to access Windows SMB shares, FTP and SSH (via SFTP) content once the credentials have been identified.
– JUICE SSH: to access an SSH shell if SFTP is not enabled.

Use and Download:

git clone https://github.com/righettod/access-brute-forcer && cd access-brute-forcer
gradlew clean cleanBuildCache assembleDebug

Or download the APK binary here:
https://rink.hockeyapp.net/apps/64dd8a3981644cfd9923617dc0d05989

Source: https://github.com/righettod

net-creds : Sniffs sensitive data from interface or pcap. http://seclist.us/net-creds-sniffs-sensitive-data-from-interface-or-pcap.html Sat, 23 Dec 2017 12:30:39 +0000 http://seclist.us/?p=16128
net-creds: Thoroughly sniff passwords and hashes from an interface or pcap file. It concatenates fragmented packets and does not rely on ports for service identification.

net-creds

Can Sniff:
+ URLs visited
+ POST loads sent
+ HTTP form logins/passwords
+ HTTP basic auth logins/passwords
+ HTTP searches
+ FTP logins/passwords
+ IRC logins/passwords
+ POP logins/passwords
+ IMAP logins/passwords
+ Telnet logins/passwords
+ SMTP logins/passwords
+ SNMP community string
+ NTLMv1/v2 all supported protocols: HTTP, SMB, LDAP, etc.
+ Kerberos

Usage:

git clone https://github.com/DanMcInerney/net-creds && cd net-creds
pip install -r requirements.txt
sudo python net-creds.py -i eth0
sudo python net-creds.py -f 192.168.1.1

Source: https://github.com/DanMcInerney

Shodanwave – Netwave IP Camera. http://seclist.us/shodanwave-netwave-ip-camera.html Wed, 15 Nov 2017 19:35:19 +0000 http://seclist.us/?p=15951
Attention!
Use this tool wisely and not for evil. To get the best performance from this tool you need to pay for Shodan to get full API access. The options --limit and --offset may need a paid API key and consume query credits from your Shodan account.

Shodanwave is a tool for exploring and obtaining information from cameras, specifically Netwave IP Cameras. The tool uses the Shodan search engine, which makes it easy to search for cameras online.

What does the tool do? Look, a list!
+ Search
+ Brute force
+ SSID and WPAPSK Password Disclosure
+ E-mail, FTP, DNS, MSN Password Disclosure
+ Exploits

shodanwave

This is an example of Shodanwave running: the password was not found through brute force, so the tool tries to leak the camera's memory. If the tool finds the password, it does not try to leak the memory.

Dependencies:
+ python2.7
+ shodan apikey https://www.shodan.io/

Usage:

git clone https://github.com/fbctf/shodanwave && cd shodanwave
pip install -r requirements.txt
create user.txt (username dictionary)
create password.txt (password dictionary)
python shodanwave.py -u user.txt -w password.txt -k (your shodan api key)

Source: https://github.com/fbctf

v3n0M ~ a free and open source scanner. http://seclist.us/v3n0m-a-free-and-open-source-scanner.html Mon, 06 Nov 2017 05:44:08 +0000 http://seclist.us/?p=15868
Latest Version 421:
– Enhancements, Fixes and Updates.

V3n0M is a free and open source scanner. Evolved from baltazar's scanner, it has adopted several new features that improve functionality and usability. It is mostly experimental software.

This program is for finding and executing various vulnerabilities. It scavenges the web using dorks and organizes the URLs it finds. Use at your own risk.

V3n0M Scanner v421

Very useful for executing:
– Cloudflare Resolver[Cloudbuster]
– Metasploit Modules Scans[To be released]
– LFI->RCE and XSS Scanning[LFI->RCE & XSS]
– SQL Injection Vuln Scanner[SQLi]
– Extremely Large D0rk Target Lists
– AdminPage Finding
– Toxin Vulnerable FTPs Scanner
– DNS BruteForcer
– Python 3.6 Asyncio based scanning

Usage:

git clone https://github.com/v3n0m-Scanner/V3n0M-Scanner && cd V3n0M-Scanner
python3 setup.py install --user
cd src
python3 v3nom.py

Source: https://github.com/v3n0m-Scanner

penthefire – Security tool implementing attacks to test the resistance of a firewall. http://seclist.us/penthefire-security-tool-implementing-attacks-test-the-resistance-of-firewall.html Sun, 20 Aug 2017 00:15:08 +0000 http://seclist.us/?p=15225
LEGAL DISCLAIMER
The author does not hold any responsibility for misuse of this script. Remember that attacking targets without prior consent is illegal and punishable by law; this script was built to show how resource files can automate tasks.

penthefire – Security tool implementing attacks to test the resistance of a firewall.
TODO:
+ IRC
A data packet is received, and the attacker sends a forged DCC command.
+ FTP
A client connection is opened by the attacker. Connect to the FTP server behind a firewall and initiate a real connection. Once the session is set up, the attacker launches the attack by sending a forged 227 command (or a 229 command if using IPv6).

Open selected pin hole in firewall

Dependencies:
– libnetfilter-queue-dev
– python 2.7.x with NetfilterQueue module

How to use:

Install dependencies on a Debian/Ubuntu based system:
apt-get install build-essential python-dev libnetfilter-queue-dev
pip install NetfilterQueue

git clone https://github.com/BREAKTEAM/penthefire && cd penthefire
Example:
python wolffirewall.py --attacker -t 192.168.22.2 --helper ftp --port 29 -v -i eth0 192.168.22.2
python client.py -t 192.168.22.2 --port 29

Source: https://github.com/BREAKTEAM

Egression – tools for testing the data loss prevention controls on a corporate network. http://seclist.us/egression-tools-for-testing-the-data-loss-prevention-controls-on-a-corporate-network.html Sat, 12 Aug 2017 01:53:40 +0000 http://seclist.us/?p=15156
EGRESSION is a tool that provides an instant view of how easy it is to upload sensitive data from any given network. It starts with a sensitive file with these contents, stored locally in plaintext. This file is used to test the egress/DLP controls on the network by attempting to connect outbound and upload it using various techniques.
Many tools of this type work by testing outbound port connections alone, but Egression works by actually uploading a sensitive file to the internet in a number of ways.

egression

It has four (4) levels of testing.
– INFORMATIONAL: Tells you if it can connect to ports on the internet.
– LEVEL 0: Tells you if it can FTP a file to the internet in cleartext.
– LEVEL 1: Tells you if it can SCP files to the internet over various ports.
– LEVEL 2: Tells you if it can send the same sensitive file to the internet via DNS queries.
It does each of these in succession and then reports on which levels it failed to block.

Dependencies:
+ Python 2.7.x
+ nc, curl and git

Usage:

git clone https://github.com/danielmiessler/egression && cd egression
cd dnsfilexfer
sudo pip install -r requirements.txt
cd ..
./egression.sh

Source: https://github.com/danielmiessler

Vanquish – Multithreaded scanning and enumeration automation platform. http://seclist.us/vanquish-multithreaded-scanning-and-enumeration-automation-platform.html Wed, 21 Jun 2017 09:50:32 +0000 http://seclist.us/?p=14517
Vanquish is a multithreaded Kali Linux scanning and enumeration automation platform, designed to systematically enumerate and exploit using the law of diminishing returns. It includes:
– Nmap Scanning
– GoBuster
– Nikto
– SSH
– mySQL
– MSSql
– RDP
– SMB
– SMTP
– SNMP
– SSH
– FTP
– DNS
– Web

Vanquish

Usage:

git clone https://github.com/frizb/Vanquish && cd Vanquish
python Vanquish2.py

Source: https://github.com/frizb

apt2 v1.0.1 – An Automated Penetration Testing Toolkit. http://seclist.us/apt2-v1-0-1-an-automated-penetration-testing-toolkit.html Wed, 14 Jun 2017 18:12:02 +0000 http://seclist.us/?p=14472
Changelog apt2 v1.0.1:
+ Added packaging and fix apt2_whois
+ fixed issues with misc data files and installing packages.
+ module: temp fix till I get time to do a better one.

apt2 v1.0

modules lists

This tool will perform an NMap scan, or import the results of a scan from Nexpose, Nessus, or NMap. The processed results will be used to launch exploit and enumeration modules according to the configurable Safe Level and the enumerated service information.
All module results are stored on localhost and are part of APT2's Knowledge Base (KB). The KB is accessible from within the application and allows the user to view the harvested results of an exploit module.

APT2 - An Automated Penetration Testing Toolkit

APT2 uses the default.cfg file in the root directory. Edit this file to configure APT2 to run as you desire. Current options include:
+ metasploit
+ nmap
+ threading

CURRENT MODULES:
anonftp Test for Anonymous FTP
anonldap Test for Anonymous LDAP Searches
crackPasswordHashJohnTR Attempt to crack any password hashes
gethostname Determine the hostname for each IP
httpoptions Get HTTP Options
httpscreenshot Get Screen Shot of Web Pages
httpserverversion Get HTTP Server Version
hydrasmbpassword Attempt to bruteforce SMB passwords
impacketsecretsdump Test for NULL Session
msf_dumphashes Gather hashes from MSF Sessions
msf_gathersessioninfo Get Info about any new sessions
msf_javarmi Attempt to Exploit A Java RMI Service
msf_ms08_067 Attempt to exploit MS08-067
msf_openx11 Attempt Login To Open X11 Service
msf_smbuserenum Get List of Users From SMB
msf_snmpenumshares Enumerate SMB Shares via LanManager OID Values
msf_snmpenumusers Enumerate Local User Accounts Using LanManager/psProcessUsername OID Values
msf_snmplogin Attempt Login Using Common Community Strings
msf_vncnoneauth Detect VNC Services with the None authentication type
nmapbasescan Standard NMap Scan
nmaploadxml Load NMap XML File
nmapms08067scan NMap MS08-067 Scan
nmapnfsshares NMap NFS Share Scan
nmapsmbshares NMap SMB Share Scan
nmapsmbsigning NMap SMB-Signing Scan
nmapsslscan NMap SSL Scan
nmapvncbrute NMap VNC Brute Scan
nullsessionrpcclient Test for NULL Session
nullsessionsmbclient Test for NULL Session
openx11 Attempt Login To Open X11 Service and Get Screenshot
reportgen Generate Report
responder Run Responder and watch for hashes
searchftp Search files on FTP
searchnfsshare Search files on NFS Shares
searchsmbshare Search files on SMB Shares
sslsslscan Determine SSL protocols and ciphers
ssltestsslserver Determine SSL protocols and ciphers
userenumrpcclient Get List of Users From SMB

Usage & download:

git clone https://github.com/MooseDojo/apt2 && cd apt2
pip install python-nmap

vi default.cfg (then edit it with your MSGRPC config)
see https://help.rapid7.com/metasploit/Content/api-rpc/getting-started-api.html
./apt2.py

Upgrade:
git pull origin master

Source: https://github.com/MooseDojo | Our Post Before

Notice:
Usage of apt2 for attacking infrastructures without prior mutual consent can be considered an illegal activity. It is the final user's responsibility to obey all applicable local, state and federal laws. The authors assume no liability and are not responsible for any misuse or damage caused by this program.

brutespray : Brute-Forcing from Nmap output – Automatically attempts default creds on found services. http://seclist.us/brutespray-brute-forcing-from-nmap-output-automatically-attempts-default-creds-on-found-services.html Fri, 12 May 2017 03:45:34 +0000 http://seclist.us/?p=14261
BruteSpray takes nmap GNMAP output and automatically brute-forces services with default credentials using Medusa. BruteSpray can even find non-standard ports by using the -sV option inside Nmap.

Dependencies:
+ Nmap
+ Python 2.7.x

brutespray.py v1.0

Usage:

git clone https://github.com/x90skysn3k/brutespray && cd brutespray
First do an nmap scan with '-oA nmap.gnmap'.
Command: python brutespray.py -h
Example: python brutespray.py --file nmap.gnmap --services all --threads 3 --hosts 5

Source: https://github.com/x90skysn3k

Leviathan – wide range mass audit toolkit. http://seclist.us/leviathan-wide-range-mass-audit-toolkit.html Tue, 02 May 2017 19:42:38 +0000 http://seclist.us/?p=14164
Leviathan is a mass audit toolkit with wide-range service discovery, brute force, SQL injection detection and custom exploit execution capabilities. It consists of open source tools such as masscan, ncrack and dsss, and gives you the flexibility of using them in combination.

The main goal of this project is auditing as many systems as possible, country-wide or in a wide IP range.

Leviathan v0.1.2

Main Features:
+ Discovery: Discover FTP, SSH, Telnet, RDP and MYSQL services running inside a specific country or in an IP range via Shodan or Censys. It is also possible to manually discover running services on an IP range via the integrated "masscan" tool.
+ Brute Force: You can brute force the discovered services with the integrated "ncrack" tool. It has wordlists which include the most popular combinations and default passwords for specific services.
+ Remote Command Execution: You can run system commands remotely on compromised devices.
+ SQL Injection Scanner: Discover SQL injection vulnerabilities on websites with specific country extension or with your custom Google Dork.
+ Exploit Specific Vulnerabilities: Discover vulnerable targets with Shodan, Censys or masscan and mass exploit them by providing your own exploit or using preincluded exploits.

Requirements:
+ Python version 2.7.x is required for running this program.
+ Supported platforms: Linux (Kali Linux, Debian, Ubuntu), macOS

Usage:

Install on Kali Linux:
git clone https://github.com/leviathan-framework/leviathan.git && cd leviathan
pip install -r requirements.txt

Debian/Ubuntu:
git clone https://github.com/leviathan-framework/leviathan.git && cd leviathan
sudo bash scripts/debian_install.sh

Mac OS:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
git clone https://github.com/leviathan-framework/leviathan.git && cd leviathan
bash scripts/macos_install.sh

python leviathan.py

Source: https://github.com/leviathan-framework

T50 v5.6.8 – The fastest network Packet Injector. http://seclist.us/t50-v5-6-8-the-fatest-network-packet-injector.html Wed, 12 Apr 2017 01:38:36 +0000 http://seclist.us/?p=14012
Changelog T50 v5.6.8 – April 11th, 2017
* Total source code refactoring to better distribute the functions.
* Got rid of common.h header file.
* Added -fno-stack-protection option on compilation.

T50 v5.6.8 – April 11th, 2017

Changelog v5.6.7 fix1:
+ Fixes to the build system.
+ Remove specific build block
It seems that this new check makes it FTBFS (fail to build from source) on armhf, armel, mips64el, x32 (all on linux).

t50 v5.6.7-fix1

t50

t50 v5.6.6

T50 v5.6.3

T50 (f.k.a. F22 Raptor) is a tool designed to perform "Stress Testing". The concept started in 2001, right after the release of 'nb-isakmp.c', and the main goal was:
– Having a tool to perform TCP/IP protocol fuzzing, covering common regular protocols such as ICMP, TCP and UDP.

Things have changed, and T50 became a unique resource capable of performing "Stress Testing". And, after checking "/usr/include/linux", some protocols were chosen to be part of its coverage:
a) ICMP   – Internet Control Message Protocol
b) IGMP   – Internet Group Management Protocol
c) TCP    – Transmission Control Protocol
d) UDP    – User Datagram Protocol

Why "Stress Testing"? Well, because when people are designing a new network infrastructure (e.g. a datacenter serving cloud computing) they think about:
a) High-Availability
b) Load Balancing
c) Backup Sites (Cold Sites, Hot Sites, and Warm Sites)
d) Disaster Recovery
e) Data Redundancy
f) Service Level Agreements
g) Etc…

But almost nobody thinks about "Stress Testing", or even performs any test to check how the network infrastructure behaves under stress, under overload, and under attack. Even during a penetration test, people prefer not to run any kind of Denial-of-Service testing. Even worse, those people are missing one of the three key concepts of security that are common to risk management:
– Confidentiality
– Integrity
– AVAILABILITY

T50 was designed to perform "Stress Testing" on a variety of infrastructure network devices (Version 2.45), using widely implemented protocols, and after some requests it was re-designed to extend the tests (as of Version 5.3), covering some regular protocols (ICMP, TCP and UDP), some infrastructure-specific protocols (GRE, IPSec and RSVP), and some routing protocols (RIP, EIGRP and OSPF).

This new version (Version 5.3) is focused on internal infrastructure, which allows people to test the availability of its resources, covering:
a) Interior Gateway Protocols (Distance Vector Algorithm):
1. Routing Information Protocol (RIP)
2. Enhanced Interior Gateway Routing Protocol (EIGRP)

b) Interior Gateway Protocols (Link State Algorithm):
1. Open Shortest Path First (OSPF)
c) Quality-of-Service Protocols:
1. Resource ReSerVation Protocol (RSVP).
d) Tunneling/Encapsulation Protocols:
1. Generic Routing Encapsulation (GRE).

T50 is a powerful and unique packet injector tool, which is capable to:
a) Send sequentially the following fifteen (15) protocols:
1. ICMP   – Internet Control Message Protocol
2. IGMPv1 – Internet Group Management Protocol v1
3. IGMPv3 – Internet Group Management Protocol v3
4. TCP    – Transmission Control Protocol
5. EGP    – Exterior Gateway Protocol
6. UDP    – User Datagram Protocol
7. RIPv1  – Routing Information Protocol v1
8. RIPv2  – Routing Information Protocol v2
9. DCCP   – Datagram Congestion Control Protocol
10. RSVP   – Resource ReSerVation Protocol
11. GRE    – Generic Routing Encapsulation
12. IPSec  – Internet Protocol Security (AH/ESP)
13. EIGRP  – Enhanced Interior Gateway Routing Protocol
14. OSPF   – Open Shortest Path First

b) It is the only tool capable of encapsulating the protocols (listed above) within Generic Routing Encapsulation (GRE).
c) Send a (quite) incredible amount of packets per second, making it a "second to none" tool:
-> More than 1,000,000 pps of SYN Flood (+50% of the network uplink) in a 1000BASE-T Network (Gigabit Ethernet).
-> More than 120,000 pps of SYN Flood (+60% of the network uplink) in a 100BASE-TX Network (Fast Ethernet).
d) Perform "Stress Testing" on a variety of network infrastructure, network devices and security solutions in place.
e) Simulate "Distributed Denial-of-Service" & "Denial-of-Service" attacks, validating Firewall rules, Router ACLs, Intrusion Detection System and Intrusion Prevention System policies.

The main differentiator of T50 is that it is able to send all protocols, sequentially, using one single SOCKET; besides that, it can be used to modify network routes, letting IT security professionals perform advanced "Penetration Tests".

Installation:

git clone https://github.com/fredericopissarra/t50
cd t50
autoconf -f -i
./configure
make
cd release
./t50
Update:
cd <your Clone Folder>
git pull

Download :
v5.6.8.zip
v5.6.8.tar.gz
Master.zip  | Clone Url
Source : https://github.com/fredericopissarra | Our Post Before

opensvp v0.5 – Firewall and application layer gateway testing tool. http://seclist.us/opensvp-v0-5-firewall-and-application-layer-gateway-testing-tool.html Tue, 21 Feb 2017 00:49:24 +0000 http://seclist.us/?p=13527
Opensvp is a security tool implementing "attacks" to test the resistance of a firewall to protocol-level attacks. It implements classic attacks as well as some new kinds of attacks against application layer gateways (called helpers in the Netfilter world).
For example, opensvp is able under some conditions (see the explanation below for details) to open a pin hole in a firewall protecting an FTP server: even if the filtering policy guarantees that only port 21 is open to the server, you can open 'any' port on the server by using opensvp.

Implemented attacks:
+ Spoofed attack on helpers
+ Abusive usage of helpers
+ TTL attack on DPI solution

opensvp

Description of the attack against helpers
Principle
Some network protocols use multiple connections for the exchange between a client and a server. The best-known example is FTP, where commands go through a connection on port 21 and where data exchange is done in two different modes (a connection from port 20, or a dynamic connection). Some firewall implementations implement an application layer gateway (ALG) to detect these parallel connections and authorize them dynamically. Other solutions are to use an application relay (transparent proxy) or to open all the possible flows (read: almost everything).

The ALG analyses the traffic, and detects and parses the commands sent between the peers to declare the parameters of the parallel connections. Once done, it opens a temporary pin hole in the firewall to let the expected traffic through. The idea of this attack is to forge this type of message to open a pin hole in the firewall, but a pin hole that should not have been opened.
Conditions:
– The attacker's computer is on a network directly connected to the firewall.
– The firewall is susceptible to the attack (for example, Netfilter with rp_filter set to 0).
– The attacker is able to sniff a data packet (either by pcap sniffing or by running a data connection himself).
The sequence is the following:
1. A sniffer on the attacker's network captures one packet from the protocol flow:
+-+ it reverses the Ethernet dst and src
+-+ it increases the id in IP and the seq for TCP
+-+ it sets the payload to the wanted command (with the selected port)
2. The forged packet is sent on the interface connected to the firewall
3. The firewall transmits the packet back to the client and is now expecting a packet with characteristics based on the attacker's input

Usage:

git clone https://github.com/regit/opensvp && cd opensvp
python setup.py install

opensvp -h

Source: https://github.com/regit
