Leaderboard

Popular Content

Showing content with the highest reputation on 04/11/18 in all areas

  1. I'm releasing the whole package of the license + jrat 5.5.1 + plugins as a whole. If you don't trust me or the files, download jRat from the official website https://jrat.io/ and just take the license file from my folder to your fresh download.
     Mega Download
    1 point
  2. Video Download. Test it in a VM!!!
    1 point
  3. Hooking Chrome's SSL functions
     On 26 February 2018 by NytroSecurity

     The purpose of NetRipper is to capture the functions that encrypt or decrypt data and send it through the network. This is easily achieved for applications such as Firefox, where it is enough to find two exported DLL functions, PR_Read and PR_Write, but it is much more difficult for Google Chrome, where the SSL_Read and SSL_Write functions are not exported. The main problem for someone who wants to intercept such calls is that the functions cannot easily be found inside the huge chrome.dll file, so they have to be located manually in the binary. But how can we do it?

     Chrome's source code

     To achieve this goal, the best starting point might be Chrome's source code, available at https://cs.chromium.org/ , which makes it easy to search and navigate through the code.

     Full article: https://nytrosecurity.com/2018/02/26/hooking-chromes-ssl-functions/
    1 point
  4. Use a Fake image.jpg (hide known file extensions) to exploit targets

     CodeName: Metamorphosis
     Version release: v1.3 (Stable)
     Author: pedro ubuntu [ r00t-3xp10it ]
     Distros Supported: Linux Ubuntu, Kali, Mint, Parrot OS
     Suspicious-Shell-Activity (SSA) RedTeam develop @2017

     Legal Disclaimer: The author does not hold any responsibility for the bad use of this tool; remember that attacking targets without prior consent is illegal and punished by law.

     Description:
     This module takes one existing image.jpg and one payload.ps1 (input by user) and builds a new payload (agent.jpg.exe) that, if executed, triggers the download of the two previous files stored in apache2 (image.jpg + payload.ps1) and executes them. This module also changes the agent.exe icon to match a .jpg file, then uses the 'Hide extensions for known file types' spoofing method to hide the agent.exe extension. All payloads (user input) are downloaded from our apache2 webserver and executed in target RAM. The only payload extension (user input) that requires writing the payload to disk is .exe binaries.

     Exploitation:
     FakeImageExploiter stores all files in the apache2 webroot, zips (.zip) the agent, starts the apache2 and metasploit services (handler), and provides a URL to send to the target (triggers the agent.zip download). As soon as the victim runs our executable, our picture is downloaded and opened in the default picture viewer, our malicious payload is executed, and we get a meterpreter session. It also stores the agent (not zipped) in the FakeImageExploiter/output folder in case we wish to deliver agent.jpg.exe using a different attack vector.
     'This tool also builds a cleaner.rc file to delete payloads left in target'

     Payloads accepted (user input): payload.ps1 (default) | payload.bat | payload.txt | payload.exe [Metasploit]
     "Edit 'settings' file before running tool to use other extensions"
     Pictures accepted (user input): All pictures with .jpg (default) | .jpeg | .png extensions (all sizes)
     "Edit 'settings' file before running tool to use other extensions"

     Dependencies/Limitations: xterm, zenity, apache2, mingw32[64], ResourceHacker(wine)
     'Auto-installs ResourceHacker.exe under ../.wine/Program Files/.. directories'
     WARNING: To change the icon manually (resource hacker bypass) edit the 'settings' file.
     WARNING: Only under Windows systems is the 2nd extension hidden (so zip it).
     WARNING: The agent.jpg.exe requires the input files to be in apache2 (local LAN hack).
     WARNING: The agent.jpg.exe uses the PowerShell interpreter (does not work against wine).
     WARNING: This tool will not accept payload (user input) arguments (e.g. nc.exe -lvp 127.0.0.1 555).
     WARNING: The ResourceHacker provided by this tool requires WINE to be set to Windows 7.

     Other scenarios:
     If you wish to use your own binary (user input, not metasploit payloads) then:
       1. Edit the 'settings' file before running the tool and select 'NON_MSF_PAYLOADS=YES'
       2. Select the binary extension to use ('Remember to save the settings file before continuing')
       3. Run FakeImageExploiter to metamorphose your binary (auto-stores all files in apache)
       4. Open a new terminal and execute your binary handler to receive the connection.
     HINT: This function will NOT build a cleaner.rc

     The noob friendly function:
     Bypass the need to input your payload.ps1, and let FakeImageExploiter take care of building the required payload.ps1 + agent.jpg.exe and configuring the handler.
     "With this function active, you only need to input your picture.jpg :D"
     Select the binary extension to use
     HINT: This function allows users to build (ps1|bat|txt) payloads
     HINT: This function will NOT build .exe binaries

     "WINE is not owned by you":
     If you get this message it means that you are executing FakeImageExploiter as sudo and your wine installation belongs to a user (is not owned by you). To bypass this issue, just execute FakeImageExploiter as the wine owner.
     EXAMPLE: If wine is owned by spirited_wolf, execute the tool without sudo
     EXAMPLE: If wine is owned by root, execute the tool as sudo

     Download/Install/Config:
       1. Download the framework from github
          git clone https://github.com/r00t-3xp10it/FakeImageExploiter.git
       2. Set file execution permissions
          cd FakeImageExploiter
          sudo chmod +x *.sh
       3. Config FakeImageExploiter settings
          nano settings
       4. Run the main tool
          sudo ./FakeImageExploiter.sh

     Screenshots: Framework Banner; settings file; Agent(s) in Windows systems

     Video tutorials:
     FakeImageExploiter [ Official release - Main functions ]
     FakeImageExploiter [ the noob friendly function ]
     FakeImageExploiter [ bat payload - worddoc.docx agent ]
     FakeImageExploiter [ txt payload - msfdb rebuild ]

     Special thanks: @nullbyte | @Yoel_Macualo | @0xyg3n (SSA team member)
     Credits: https://null-byte.wonderhowto.com/how-to/hide-virus-inside-fake-picture-0168183
     Suspicious-Shell-Activity (SSA) RedTeam develop @2017
     Source: https://github.com/r00t-3xp10it/FakeImageExploiter
    1 point
  5. Flash Dumping - Part I
     Date: Tue 05 September 2017. By Emma Benoit, Guillaume Heilles, Philippe Teuwen. Category: Hardware. Tags: PCB, flash, KiCAD

     First part of a blog post series about our approach to dumping a flash chip. In this article we describe how to desolder the flash and how to design and build the corresponding breakout board.

     This blog post series will detail simple yet effective attacks against the non-volatile memories of embedded devices. This type of attack enables you to do the following:
       - read the content of a memory chip;
       - modify the content of a memory chip;
       - monitor the accesses from/to a memory chip and modify them on the fly (Man-In-The-Middle attack).

     In particular, the following topics will be discussed:
       - Desoldering of a flash chip;
       - Conception of a breakout board with KiCAD;
       - PCB fabrication and microsoldering;
       - Addition of a breakout board on an IoT device;
       - Dump of a SPI flash;
       - Dump of a parallel flash;
       - Man-in-the-Middle attacks.

     Let's say you opened up yet-another-IoT-device and stumbled on a flash chip inside. Curious as you are, you obviously want to know what's going on inside.

     Desoldering the flash chip

     To read the content of the flash chip, there are basically two options:
       - connecting wires directly on the pins of the chip;
       - desoldering the flash and plugging it on another board.

     One of the things to consider when choosing a method to read the chip is the packaging of the integrated circuit (IC). For example, connecting wires directly on the pins of the chip works well with chips using a quad flat pack (QFP) package, but it is less suited if there are no visible pins. In the following case, the flash chip uses a ball grid array (BGA) package, which means no visible pin to fiddle with, so we chose to desolder the IC.

     [Picture of our target chip]

     On the bright side:
       - Since we're extracting the flash, all possible interference with the onboard microcontroller is avoided.
       - The chip is removed completely from the board, which gives us the ability to study the PCB underneath and find out the routing to the flash chip.
       - The original chip can be replaced with something else (another chip, a microcontroller, ...).

     On the less bright side:
       - The board cannot run without all of its components; you'll have to solder it back if you want to use it in the future.
       - Some nearby components could be damaged during the extraction.
       - The flash chip itself could be damaged if it's done improperly.

     So... desoldering flash, right? If you have never tried desoldering electronic components before, the tricky part is to melt the solder on all pins at the same time. There are several techniques to do that. We chose to go with the heat gun. The goal is to heat the area where the chip is, wait for the solder to melt and remove the chip. This technique is simple and fast, but it tends to desolder adjacent components, so be careful not to move them (i.e. this is exactly the worst moment to sneeze).

     The picture below shows our chip out of its emplacement, and we can now have a look at the PCB routing. We can already make some hypotheses, for instance that the two bottom rows are likely unused since they are not routed.

     Conception of a breakout board with KiCAD

     What do we do now with that chip? BGA layouts are a mess: you can have a 5x5 grid or a 4x6 grid for the exact same chip. Pinouts are equally fun, and usually specific to the chip. Another thing you might be wondering is how to access a particular pin when they are all packed together in a grid like that. One solution is to make a breakout board! Basically, a breakout board mirrors all the pins of the chip but with more space between them, so you can access them easily.

     To realize this, we first need to gather some information about the chip itself. Most of the time, the brand and/or model are written on the chip and help identify it. With this information, one can look for the corresponding datasheets. If you can't identify the chip or if you can't find the datasheet, you will have to do some reverse engineering on the PCB to identify each signal.

     The brand is indicated on the first line of our chip: MXIC stands for Macronix International. The second line is the model of the chip, which leads us to the MX25L3255EXCI datasheet. The section that is of interest to us is the pin layout, page 7 of the datasheet. Both BGA configurations (4x6 and 5x5) are described, as well as a SOP8 package. We can see that only eight pins are useful; the other pins are tagged "NC", which means "no connection".

     To communicate with the flash chip, we need a PCB exporting all the required pins to some easy-to-access header. The design of the PCB can be realized using KiCAD, one of the most popular electronics design automation (EDA) programs. If you are not familiar with KiCAD, many great tutorials are available, like the KiCAD Quick-Start Tutorial. The design of a breakout board follows the same process as for any other board:
       - Create an electronic schematic for your board in eeschema, and define the components that are specific to your project, for example your flash chip.
       - Create the specific footprint for your flash chip in pcbnew. This is where the information from the datasheet that we looked at earlier is useful. We will add a 4x6 grid representing the BGA grid, and two 1x4 connectors linked to the 8 useful pins.
       - The final step is to add routes to connect our components.

     Our design is done; how do we transform a KiCAD project into a working PCB?

     PCB fabrication

     A PCB is basically a sandwich made of a layer of substrate between two layers of copper. The substrate is usually made of FR-4 (glass-reinforced epoxy laminate), but other cheaper materials can also be found. Routes are traced on the copper layer and the excess copper is then removed. Several techniques exist to remove the unwanted copper; we tried the following:
       - Etching;
       - CNC milling.

     Both techniques are detailed, as we used the etching technique to build the 4x6 BGA PCB and the milling technique to build the 5x5 BGA PCB.

     Etching

     Etching refers to the process of using a chemical compound to "bite" into the unprotected surface of a metal. We use ink as a way to delimit the traces and protect the bits of copper to keep. We use the toner transfer method to reproduce the design on copper. The design is printed on a glossy sheet of paper using a laser printer. The sheet of paper is then taped to the piece of copper/fiber glass substrate, and heat and pressure are applied to get the design out of the paper onto the copper board. Usually, this technique uses a regular clothes iron to apply heat and pressure. We found out that using a laminator is way more efficient, as the heat and the pressure applied are more uniform.

     The next step is the actual etching. The board is immersed in a chemical solution which removes the excess copper, except where the toner is.

     [Our breakout board after etching, still with the transferred toner attached]
     [And after removing the toner with acetone]

     The PCB board is now ready for microsoldering. Microsoldering is like soldering but with tiny components, hence it requires a microscope. Another difference with traditional soldering is the form of the solder: traditional soldering uses solder in the form of wire, while BGA microsoldering uses solder balls. Next, we can start reballing:
       - put a new solder ball in each slot and apply heat to melt the solder balls in place;
       - align the chip and the board;
       - reflow.

     [The board being reballed]
     [The final result with the chip and the board after microsoldering]

     CNC Milling

     Alternatively, a CNC milling machine can be used to carve out bits of unwanted copper. Actually, rather than removing all the unwanted copper, the CNC will simply isolate the required tracks and leave the excess copper in place.

       1. The 5x5 BGA format was used to build a PCB. While the 4x6 version was a breakout board, we designed the 5x5 version such that it can be directly plugged into a universal EEPROM programmer ZIF socket. As we've seen in the datasheet, this chip also exists in a SOP8 package, so we've chosen to mimic a DIP8 pin header reproducing the same pin layout as for the SOP8. So for the universal EEPROM programmer, this setup will be virtually the same as reading the SOP8 chip via a classic SOP8-DIP8 adapter.
       2. The footprint for the chip is somewhat similar to the one we designed for the 4x6, but with a 5x5 grid, the 1x4 connectors closer together, as for a DIP8, and a somewhat more tortuous routing to respect the SOP8 layout, which is unfortunately completely different from the BGA one.
       3. KiCAD is not able to directly produce a file compatible with a CNC, therefore we use Flatcam, which takes a Gerber file and allows us to define a path for the CNC to isolate the desired copper tracks. To avoid short-circuit issues, we also define an area under the BGA chip where the unwanted copper is removed entirely.
       4. And we pass the produced STL file to bCNC, in charge of controlling the CNC. It has some nice features such as auto-levelling, i.e. measuring the actual height of the board at several points (because nothing is perfectly flat), and producing the heat map you can see in the snapshot below.

     [Milling in action, corresponding to the tracks highlighted in green in bCNC]
     [Board fully milled]
     [Close up of the final result, where we can distinguish the pattern of the flatcam geometry path under the BGA]

       6. Next, we apply some solder mask, which is the characteristic green layer protecting the copper from oxidation, and cure it with UV light.
       7. The solder mask covered the pads of the BGA and of the 1x4 connectors; they are unusable like this. We manually scratch off the thin layer of paint to free the pads.

     [Tinning step, where we apply solder on all pads]
     [Back to the CNC to drill the holes and cut the edges of the board]
     [Final board with the BGA chip soldered and ready to be inserted in a universal EEPROM programmer]

     As we've chosen to mimic the SOP8 pinout, we simply have to tell the programmer that our chip is the SOP8 version!

     Bonus: the horror show

     Here is a compilation of our best failures, because things don't always go as planned, but we learned a lot through these experiments and we are now ready for the next IoT stuff.
       - Toner transfer is not always as easy as it sounds...
       - Milling on the CNC with the right depth neither...
       - Failing at finding a plastic that doesn't adhere to the green mask... (eventually IKEA freezer bags turned out to work very well)
       - Attempt to mill the green mask...
       - Second attempt with a tool mounted on a spring: looks almost good, but actually all tracks were cut from the pads...
       - Third attempt by first adding some solder in the hope of making them thicker...
       - Created a lake of green mask too thick to cure with UV light, and when the surface of the icy lake breaks...

     Conclusion

     That concludes our first article, where we saw how to desolder a flash and design a PCB, and detailed two techniques of PCB fabrication.

     Acknowledgements

     Thanks to all Quarkslab colleagues who proofread this article and provided valuable feedback.

     Source: https://blog.quarkslab.com/flash-dumping-part-i.html
    1 point