Category Archives: (D) Advanced Hacking

The Backdoor Factory (BDF) – Patch Binaries With Shellcode

The Backdoor Factory or BDF is a tool which enables you to patch binaries with shellcode and continue normal execution exactly as the executable binary would have in its’ pre-patched state.

The Backdoor Factory (BDF) - Patch Binaries With Shellcode

Some executables have built in protection, as such this tool will not work on all binaries. It is advisable that you test target binaries before deploying them to clients or using them in exercises.

There’s a couple of somewhat related tools you can also check out:

peinjector – MITM PE File Injector
PEiD – Detect PE Packers, Cryptors & Compilers

Features

Overall

The user can:

  • Provide custom shellcode.
  • Patch a directory of executables/dlls.
  • Select x32 or x64 binaries to patch only.
  • Include BDF is other python projects see pebin.py and elfbin.py

PE Files

  • Can find all codecaves in an EXE/DLL.
  • By default, clears the pointer to the PE certificate table, thereby unsigning a binary.
  • Can inject shellcode into code caves or into a new section.
  • Can find if a PE binary needs to run with elevated privileges.
  • When selecting code caves, you can use the following commands:
    • Jump (j), for code cave jumping
    • Single (s), for patching all your shellcode into one cave
    • Append (a), for creating a code cave
    • Ignore (i or q), nevermind, ignore this binary
  • Can ignore DLLs
  • Import Table Patching
  • AutoPatching (-m automtic)
  • Onionduke (-m onionduke)

ELF Files

Extends 1000 bytes (in bytes) to the TEXT SEGMENT and injects shellcode into that section of code.

Mach-O Files

Pre-Text Section patching and signature removal

Usage

You can download BDF here:

the-backdoor-factory-3.3.1.zip

Gdog – Python Windows Backdoor With Gmail Command & Control

Gdog is a stealthy Python Windows backdoor that uses Gmail as a command and control server, it’s inspired by Gcat and pushes a little beyond a proof of concept with way more features.

Gdog - Python Windows Backdoor With Gmail Command & Control

And don’t forget, Gcat also inspired Twittor – Backdoor Using Twitter For Command & Control.

Features

  • Encrypted transportation messages (AES) + SHA256 hashing
  • Generate computer unique id using system information/characteristics (SHA256 hash)
  • Job IDs are random SHA256 hashes
  • Retrieve system information
  • Retrieve Geolocation information (City, Country, lat, long, etc..)
  • Retrieve running processes/system services/system users/devices (hardware)
  • Retrieve list of clients
  • Execute system command
  • Download files from client
  • Upload files to client
  • Execute shellcode
  • Take screenshot
  • Lock client’s screen
  • Keylogger
  • Lock remote computer’s screen
  • Shutdown/Restart remote computer
  • Log off current user
  • Download file from the WEB
  • Visit website
  • Show message box to user

Usage

Requirements & Setup

For this to work you need:

  • Python 2.x
  • PyCrypto module
  • WMI module
  • Enum34 module
  • Netifaces module

And:

  • A Gmail account (Use a dedicated account! Do not use your personal one!)
  • Turn on “Allow less secure apps” under the security settings of the account.
  • You may also have to enable IMAP in the account settings.

Download/Install

You can download Gdog here:

gdog-v1.0.1.zip

INURLBR – Advanced Search Engine Tool

INURLBR is a PHP based advanced search engine tool for security professionals, it supports 24 search engines and 6 deep web or special options. Very useful for the information gathering phase of a penetration test or vulnerability assessment.

INURLBR - Advanced Search Engine Tool

This tool functions in many ways enabling you to harness the power of what’s already indexed by the search engines and analyse your target for potential exploits, capture E-mails and URLs with internal custom validation for each target/URL found.

Also supports external commands for exploitation, so if your scan/search finds a potential validated SQL Injection vulnerability, you could have INURLBR directly launch sqlmap or your tool of choice.

Features

  • Generate IP ranges or random_ip and analyse the targets.
  • Customization of HTTP-HEADER, USER-AGET, URL-REFERENCE.
  • Execute external commands to exploit certain targets.
  • Generate random dorks or set dorks file.
  • Option to set proxy manually or from a file list.
  • Supports both SOCKS and HTTP proxies
  • Set time for proxy change when using random.
  • Supports TOR to randomise IP.
  • Debug processed URLs & HTTP requests.
  • Can send vulnerable URLs to an IRC chat room.
  • Support for GET / POST => SQLI, LFI, LFD injection exploits.
  • Filter and validate based on regexp.
  • Extraction of e-mail addresses and URLs.
  • Validation using HTTP response codes.
  • Search pages based on strings file.
  • Exploits commands manager.
  • Paging limiter on search engines.
  • Beep sound when a vulnerability is found.
  • Use text file as a data source for URLs to test.
  • Find personalized strings in return values of the tests.
  • Checks and validates for Shellshock.
  • File validation for the WordPress config file – wp-config.php.
  • Can execute a sub-process for validation.
  • Validate syntax errors for databases and programming.
  • Data encryption as native parameter.
  • Random Google host.
  • Scan port.

Search Engines/Methods Supported

  • Google / (CSE) generic random / API
  • Bing
  • Yahoo! BR
  • Ask
  • HAO123 Br
  • Google (API)
  • Lycos
  • UOL Br
  • Yahoo! US
  • Sapo
  • Dmoz
  • Gigablast
  • Never
  • Baidu BR
  • Andex
  • Zoo
  • Hotbot
  • Zhongsou
  • Hksearch
  • Ezilion
  • Sogou
  • DuckDuckGo
  • Boorow
  • Google (CSE) generic random

Special

  • Tor Find
  • Elephant
  • Torsearch
  • Wikileaks
  • OTN
  • Shodan

Errors Checked For

  • Java Infinitydb
  • LFI
  • Zimbra mail
  • Zend framework
  • MariaDB
  • MySQL
  • Jbossweb
  • Microsoft
  • ODBC
  • PostgreSQL
  • PHP
  • WordPress
  • Web Shell
  • JDBC
  • ASP
  • Oracle
  • DB2
  • CFM
  • LUA

You can download INURLBR by cloning the Github repo:

SPF (SpeedPhish Framework) – E-mail Phishing Toolkit

SPF (SpeedPhish Framework) is a an e-mail phishing toolkit written in Python designed to allow for quick recon and deployment of simple social engineering phishing exercises.

SPF (SpeedPhish Framework) - E-mail Phishing Toolkit

Requirements

  • dnspython
  • twisted
  • PhantomJS

You can download SPF here:

SPF-master.zip

THC-Hydra – The Fast and Flexible Network Login Hacking Tool

THC-Hydra rocks, it’s pretty much the most up to date and currently developed password brute forcing tool around at the moment.

It supports a LOT of services and protocols too.

Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fast.

THC-Hydra

There are already several login hacker tools available, however none does either support more than one protocol to attack or support parallelized connects.

Currently this tool supports:

TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTP-HEAD, HTTP-PROXY, LDAP2,
LADP3, SMB, SMBNT, MS-SQL, MYSQL, POSTGRES, REXEC, SOCKS5, VNC, POP3, IMAP,
NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP,
CVS, Cisco AAA.

 

However the module engine for new services is very easy so it won’t take a long time until even more services are supported. Planned are: SSH v1, Oracle and more…

This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.

 

You can download Hydra here:

hydra-5.4-src.tar.gz

Compile and install (./configure; make; make install)

IF you want the windows version you can grab this Cygwin version:

hydra-5.4-win.zip

Rekall – Memory Forensic Framework

Rekall is a memory forensic framework that provides an end-to-end solution to incident responders and forensic analysts. From state of the art acquisition tools, to the most advanced open source memory analysis framework.

Rekall - Memory Forensic Framework

It strives to be a complete end-to-end memory forensic framework, encapsulating acquisition, analysis, and reporting. In particular Rekall is the only memory analysis platform specifically designed to run on the same platform it is analyzing: Live analysis allows us to corroborate memory artifacts with results obtained through system APIs, as well as quickly triage a system without having to write out and manage large memory images (This becomes very important for large servers where the time of acquisition leads to too much smear).

The team also ensures the memory analysis tools are stable and work on all supported platforms (For example Rekall features the only memory imaging tool available for recent versions of OSX, that we know of – and it is open source and free as well!).

Rekall is the only open source memory analysis tool that can work with the windows page file and mapped files. Rekall also includes a full acquisition solution (in the aff4acquire plugin) which allows the acquisition of the pagefile and all relevant mapped files (Rekall does this by executing a triaging routine during acquisition).

Support

Rekall should run on any platform that supports Python.

Rekall supports investigations of the following 32bit and 64bit memory images:

  • Microsoft Windows XP Service Pack 2 and 3
  • Microsoft Windows 7 Service Pack 0 and 1
  • Microsoft Windows 8 and 8.1
  • Linux Kernels 2.6.24 to 3.10.
  • OSX 10.7-10.10.x.

Rekall also provides a complete memory sample acquisition capability for all major operating systems (see the tools directory).

Additionally Rekall now features a complete GUI for writing reports, and driving analysis, try it out with:

 

Rekall GUI

History

In December 2011, a new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. The modularity allowed Volatility to be used in GRR, making memory analysis a core part of a strategy to enable remote live forensics. As a result, both GRR and Volatility would be able to use each others’ strengths.

Over time this branch has become known as the “scudette” branch or the “Technology Preview” branch. It was always a goal to try to get these changes into the main Volatility code base. But, after two years of ongoing development, the “Technology Preview” was never accepted into the Volatility trunk version.

Since it seemed unlikely these changes would be incorporated in the future, it made sense to develop the Technology Preview branch as a separate project. On December 13, 2013, the former branch was forked to create a new stand-alone project named “Rekall.” This new project incorporates changes made to streamline the codebase so that Rekall can be used as a library. Methods for memory acquisition and other outside contributions have also been included that were not in the Volatility codebase.

Rekall strives to advance the state of the art in memory analysis, implementing the best algorithms currently available and a complete memory acquisition and analysis solution for at least Windows, OSX and Linux.

You can download Rekall here:

– Apple OS X – Rekall_1.4.1_Etzel_OSX.zip
– Windows 64-bit – Rekall_1.4.1_Etzel_x64.exe
– Windows 32-bit – Rekall_1.4.1_Etzel_x86.exe

Empire – PowerShell Post-Exploitation Agent

Empire is a pure PowerShell post-exploitation agent built on cryptographically secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Empire - PowerShell Post-Exploitation Agent

It has a LOT of modules (90+) and is currently in the midst of implementing a RESTful API which will be great.

Module Categories

Currently Empire has the following categories for modules:

  • Code Execution – Ways to run more code
  • Collection – Post exploitation data collection
  • Credentials – Collect and use creds
  • Exfiltration – Identify egress channels
  • Lateral Movement – Move around the network
  • Management – Host management and auxilary
  • Persistence – Survive reboots
  • Privesc – Privilege escalation capabilities
  • Recon – Test further entry points (HTTP Basic Auth etc)
  • Situational Awareness – Network awareness
  • Trollsploit – For the lulz

Why PowerShell?

PowerShell offers a multitude of offensive advantages, including:

  • Full .NET access
  • Application whitelisting
  • Direct access to the Win32 API
  • Ability to assemble malicious binaries in memor
  • Default installation on Windows 7+.

Offensive PowerShell had a watershed year in 2014, but despite the multitude of useful projects, many pen-testers still struggle to integrate PowerShell into their engagements in a secure manner.

How it works

Empire has a few components which you can chain together, similar to something like Metasploits.

It has:

Listeners – Think of this like a metasploit handler, this will catch your session.
Stagers – This is your payload, this is what you will execute on your target system.
Agents – This is how you interact with the target system, you can gather stats & info or run shell commands.

It also had fairly robust logging built in.

You can download Empire here:

Empire-1.5.zip

MISP – Malware Information Sharing Platform

 

MISP, Malware Information Sharing Platform and Threat Sharing, is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reverser to support their day-to-day operations to share structured informations efficiently.

MISP - Malware Information Sharing Platform

The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionalities to support the exchange of information but also the consumption of the information by Network Detection Intrusion System (NIDS), LIDS but also log analysis tools, SIEMs.

Core Functionalities

  • An efficient IOC and indicators database allowing to store technical and non-technical information about malware samples, incidents, attackers and intelligence.
  • Automatic correlation finding relationships between attributes and indicators from malware, attacks campaigns or analysis.
  • Built-in sharing functionality to ease data sharing using different model of distributions. MISP can synchronize automatically events and attributes among different MISP. Advanced filtering functionalities can be used to meet each organization sharing policy including a flexible sharing group capacity and an attribute level distribution mechanisms.
  • An intuitive user-interface for end-users to create, update and collaborate on events and attributes/indicators. A graphical interface to navigate seamlessly between events and their correlations. Advanced filtering functionalities and warning list to help the analysts to contribute events and attributes.
  • storing data in a structured format (allowing automated use of the database for various purposes) with an extensive support of cyber security indicators along fraud indicators as in the financial sector.
  • export: generating IDS, OpenIOC, plain text, CSV, MISP XML or JSON output to integrate with other systems (network IDS, host IDS, custom tools)
  • import: bulk-import, batch-import, import from OpenIOC, GFI sandbox, ThreatConnect CSV.
  • Flexible free text import tool to ease the integration of unstructured reports into MISP.
  • A gentle system to collaborate on events and attributes allowing MISP users to propose changes or updates to attributes/indicators.
  • data-sharing: automatically exchange and synchronization with other parties and trust-groups using MISP.
  • delegating of sharing: allows a simple pseudo-anonymous mechanism to delegate publication of event/indicators to another organization.
  • Flexible API to integrate MISP with your own solutions. MISP is bundled with PyMISP which is a flexible Python Library to fetch, add or update events attributes, handle malware samples or search for attributes.
  • Adjustable taxonomy to classify and tag events following your own classification schemes or existing classification. The taxonomy can be local to your MISP but also shareable among MISP instances.
  • Expansion modules in Python to expand MISP with your own services or activate already available misp-modules.
  • Sighting support to get observations from organizations concerning shared indicators and attributes. Sighting can be contributed via MISP user-interface, API as MISP document or STIX sighting documents.
  • STIX support: export data in the STIX format (XML and JSON).
  • Integrated encryption and signing of the notifications via PGP and/or S/MIME depending of the user preferences.

Exchanging info results in faster detection of targeted attacks and improves the detection ratio while reducing the false positives. We also avoid reversing similar malware as we know very fast that others team or organizations who already analyzed a specific malware.

You can download MISP here:

MISP-v2.4.41.zip

Help Us Grow More – Proffesional Hacker

How Can you rate us :

  1. Go To Playstore and Review US or
  2. While Exiting our Application there is button to rate us
  3. We Would Love To work on your suggestion

And we will love to know where we can improvise

Thanks for your love and remember your one review can help us grow

How you can help and motivate us to grow more

Its our passion to share knowledge about each and every hacking skills to people

1.you can contribute us by rating and reviewing us

2.Suggestions are always acceptable by us

3.We would like to know what more u wanna learn and what u like for us most

4. So Please if you want us to grow more and help you all to learn more about hacking review and rate us

 

 

 

HTTP Strict Transport Security

HTTP Strict Transport Security or HSTS is a web security policy mechanism that helps websites to prevent various attacks like Protocol Downgrade Attacks and Cookie Hijacking (To know more on Cookie Hijacking : Cookie Hijacking) Using this HSTS policy, webapplications declare to web browsers that only a secure HTTPS connection should be used to interact with the website and insecure HTTP protocol should never be used up to a certain specified time, for example one year.
Why HTTP Strict Transport Security
When a web browser connects with a website, normally there is no way for the browser to know whether the website uses secure HTTPS connection or an insecure HTTP connection. So, if the webserver establishes an insecure HTTP connection, there is no way for the web browser to know whether it was meant to be a HTTP connection or an insecure connection is established because of an attack.
For example, in a Protocol Downgrade Attack, the attacker intercepts the initial conversation between the web browser and the webserver and changes the actual conversation in such a way that both the webserver and the web browser are tricked to believe that the connection was meant to be an insecure unencrypted connection only. They will think SSL/TLS is not implemented. And then, the attacker is free to steal sensitive data transferred over the insecure connection. You would find details of such an attack here : TLS Downgrade Attack For Email Transport.
HTTP Strict Transport Policy or HSTS is a policy that can safeguard websites from these attacks. Using this policy, the webserver sends a header to the web browser and lets it know that all connections made to the website is means to be a secure HTTPS connections. So, if the web browser finds anything otherwise, an error message is displayed (e.g. The server’s TLS certificate is not trusted) and the user gets warned about a possible attack.
How is HTTP Strict Transport Security implemented
HTTP Strict Transport Security or HSTS is implemented in the following manner :
  • When a web browser connects with the webserver for the first time or first time after a certain interval, the webserver sends a header to the web browser , e.g. Strict-Transport-Security: max-age=31536000, to indicate that all connections made to the website for that interval max-age, one year in this example, should be a secure HTTPS connection.
  • The web browser turns any insecure http link referring to the website into a secure https link.
  • Now onward, up to the max-age time, if any connection to the website fails to be a secure connection, an error message (e.g. The server’s TLS certificate is not trusted) is displayed to the user, so that the user can be warned in advance about a possible attack.
Limitations of HTTP Strict Transport Security
When a web browser connects with the webserver for the first time or the first time after the certain interval max-age specified by HSTS policy of the website, the attacker can intercept and change the HSTS policy header of the website. And in that case, HSTS would fail to provide the intended security.
Countermeasures
Google Chrome, Mozilla Firefox and Internet Explorer/Microsoft Edge address this limitation by maintaining a list of websites knows to implement HSTS policy, so that the attacker cannot intercept and change the initial conversation to take advantage of that.
Another solution is to implement HSTS policy using DNS records and accessing them via secure DNSSEC, so that after typing the URL in the address bar of the web browser, when a domain name resolution is performed, the web browser gets informed that the website implements HSTS.