Processor Vulnerability – Spectre

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

Microsoft has issued a patch for Windows 10, while other versions of Windows are expected to be patched on the traditional Patch Tuesday on January 9, 2018. Microsoft has also issued a guidance document for mitigations on client devices. Please note that the patches released by Microsoft may be incompatible with certain antivirus software.

macOS 10.13.2 mitigates some of the disclosed vulnerabilities, and macOS 10.13.3 will enhance or complete these mitigations.

Processor Vulnerability – Meltdown

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information, because that information may leak. This applies to personal computers as well as to cloud infrastructure.

Processors give the illusion of a sequence of instructions executed one by one. However, in order to use CPU resources most efficiently, modern superscalar processors actually begin executing many instructions in parallel. In cases where instructions depend on the result of previous instructions or checks which have not yet completed, execution proceeds based on guesses about what the outcome will be. If the guess is correct, execution has been sped up. If the guess is incorrect, partially executed instructions are cancelled and architectural state changes (to registers, memory, and so on) are reverted; the whole process is no slower than if no guess had been made at all. This is called “speculative execution”.

Unfortunately, although architectural state is rolled back, there are other side effects, such as changes to TLB or cache state, which are not rolled back. These side effects can subsequently be detected by an attacker to determine information about what happened during the speculative execution phase. If an attacker can cause speculative execution to access sensitive memory areas, they may be able to infer what that sensitive memory contained.

There are three primary variants of the issue, which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instructions that would raise permission faults, the exception triggered by the faulting access is suppressed until the whole instruction block retires. In combination with the fact that memory accesses may populate the cache even when the block is dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel-space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.
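As an added example (not part of the original post), a Linux check of whether the running kernel reports these issues as mitigated: kernels carrying the mitigation patches expose one file per issue under /sys/devices/system/cpu/vulnerabilities. The SAMPLE contents are constructed; the real directory is read when it exists.

```python
"""Report speculative-execution mitigation status from Linux sysfs.

Added example: patched kernels expose one file per issue under
/sys/devices/system/cpu/vulnerabilities whose text reads "Not affected",
"Vulnerable[: detail]" or "Mitigation: <detail>".
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample standing in for a real sysfs directory.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


def classify(text: str) -> str:
    """Map one entry to 'not_affected', 'mitigated' or 'vulnerable'."""
    text = text.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable..." and any unrecognised wording both fail safe here.
    return "vulnerable"


def read_sysfs(directory=SYSFS_DIR) -> dict:
    """Read every entry from a sysfs-style directory; {} if it is absent."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


def summarize(entries: dict) -> dict:
    """Return per-issue status plus the issues that still need patching."""
    status = {name: classify(text) for name, text in entries.items()}
    vulnerable = sorted(n for n, s in status.items() if s == "vulnerable")
    return {"status": status, "needs_action": vulnerable}


if __name__ == "__main__":
    report = summarize(read_sysfs() or SAMPLE)  # sample if not on Linux
    for issue, state in sorted(report["status"].items()):
        print(f"{issue:14} {state}")
    print("needs action:", ", ".join(report["needs_action"]) or "none")
```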

KRACK attack scripts released

KRACK is a name for key reinstallation attacks. KRACK exploits a vulnerability in the WPA2 (Wi-Fi Protected Access II) handshake process. WPA2 is used to protect the communication of wireless devices; it has a mechanism that permits devices to join the network with a pre-shared password and a four-way handshake. The attack works against all modern protected Wi-Fi networks. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.

According to Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device.

Scripts to perform the KRACK attack have been released on GitHub.

You can find scripts here.

Cyberprobe: open-source real-time monitoring SIEM

The Cyberprobe project is an open-source distributed architecture for real-time monitoring of networks against attack. The software consists of two components:

a probe, which collects data packets and forwards them over a network in standard streaming protocols.
a monitor, which receives the streamed packets, decodes the protocols, and interprets the information.

These components can be used together or separately. For a simple configuration, they can be run on the same host; for more complex environments, a number of probes can feed a single monitor.

The probe, cyberprobe, has the following features:

The probe can be tasked to collect packets from an interface and forward any which match a configurable address list.
The probe can be configured to receive Snort alerts. In this configuration, when an alert is received from Snort, the IP source address associated with the alert is dynamically targeted for a period of time. In such a configuration, the system will collect data from any network actor who triggers a Snort rule and is thus identified as a potential attacker.
The probe can optionally run a management interface which allows remote interrogation of the state, and alteration of the configuration. This allows dynamic alteration of the targeting map, and integration with other systems.
The probe can be configured to deliver on one of two standard stream protocols.
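The Snort-driven targeting described above, as an added example that is not Cyberprobe's own code: a small targeting map that parses Snort fast-alert lines, targets each alert's source address for a fixed window, and decides whether a packet should be forwarded. The alert lines and addresses are constructed.

```python
"""Dynamic targeting from Snort alerts, as the Cyberprobe probe is described.
Added example, not Cyberprobe's code: each alert's source address is targeted
for a fixed window, then drops off the address list packets are matched against."""
from __future__ import annotations
import re
from datetime import datetime, timedelta

# Snort "fast" alert lines end in "{PROTO} src[:port] -> dst[:port]".
ALERT_RE = re.compile(r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)")

class TargetMap:
    """Address list with per-entry expiry."""
    def __init__(self, window: timedelta = timedelta(minutes=10)):
        self.window = window
        self._expiry: dict[str, datetime] = {}

    def on_alert(self, line: str, now: datetime) -> str | None:
        """Target the alert's source; None if the line does not parse."""
        m = ALERT_RE.search(line)
        if not m:
            return None
        self._expiry[m["src"]] = now + self.window  # repeat alert restarts the window
        return m["src"]

    def active(self, now: datetime) -> set[str]:
        """Expire stale entries, return the addresses still targeted."""
        self._expiry = {ip: t for ip, t in self._expiry.items() if t > now}
        return set(self._expiry)

    def should_collect(self, src: str, dst: str, now: datetime) -> bool:
        """Forward a packet when either endpoint is a current target."""
        return bool({src, dst} & self.active(now))

# Constructed alert lines (TEST-NET addresses), not real Snort output.
SAMPLE_ALERTS = [
    "01/04-12:00:01.000000  [**] [1:1000001:1] Constructed probe rule [**] "
    "[Priority: 2] {TCP} 203.0.113.5:44321 -> 198.51.100.10:22",
    "01/04-12:00:09.000000  [**] [1:1000002:1] Constructed scan rule [**] "
    "[Priority: 3] {UDP} 203.0.113.77:5353 -> 198.51.100.10:53",
]

def demo(alerts=SAMPLE_ALERTS) -> dict:
    """Feed the sample alerts at t0, then inspect the map as time passes."""
    t0 = datetime(2018, 1, 4, 12, 0, 0)
    tm = TargetMap(timedelta(minutes=10))
    for line in alerts:
        tm.on_alert(line, t0)
    return {"at_start": sorted(tm.active(t0)),
            "reply_collected": tm.should_collect("198.51.100.10", "203.0.113.5", t0 + timedelta(minutes=5)),
            "after_window": sorted(tm.active(t0 + timedelta(minutes=11)))}
```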

The monitor tool, cybermon, has the following features:

Collects packets delivered in stream protocols.
Decodes packet protocols and raises events in near real time.
Decoded information is made available to user-configurable logic that defines how the decoded data is handled. A simple configuration language (Lua) is used, and example configurations are provided to monitor data volumes, display data hexdumps, or stash the data in files.
Packet forgery techniques are included, which allow resetting TCP connections and forging DNS responses. These can be invoked from your Lua configuration in order to fight back against attacks on your network.
Has a pub/sub delivery mechanism with subscribers for ElasticSearch, Google BigQuery and the Gaffer graph store.
Currently supports the IP, TCP, UDP, ICMP, HTTP and DNS protocols.

The cybermon software includes some support for STIX as a threat indicator specification, and can create alerts on the presence of threats on the network.

The code is targeted at the Linux platform, although it is generic enough to be applicable to other UN*X-like platforms.

Project Homepage

ThreatPinchLookup, threat intelligence extension for Chrome

ThreatPinchLookup supplies threat intelligence information in on-hover tooltips.

It creates on-hover tooltips on every website for IPv4 addresses, MD5 and SHA2 hashes, CVE identifiers or any custom IOC you define. It is designed to work with any API, and customization is encouraged. It's the infosec threat and OSINT Swiss army knife for your browser: investigate less by taking your context with you.

Documentation here:

– Add your own IOCs by defining your own lookup type via regex
– Create your own data connections, for example a data connection for your asset portal
– Sync your data requests with a CouchDB
– Filter lookup requests so that you aren't looking up your own assets in online tools
– Supports defanged IOCs

Out of the box integrations with:
– ThreatMiner for IPv4, FQDN, MD5 and SHA2 lookups.
– Alienvault OTX for IPv4, MD5 and SHA2 lookups.
– IBM X-Force Exchange for IPv4, FQDN lookups.
– VirusTotal for MD5, SHA2, FQDN lookups.
– for IPv4 lookups.
– Computer Incident Response Center Luxembourg (CIRCL) for CVE Lookups.
– PassiveTotal for FQDN whois lookups.
– MISP for MD5 and SHA2 lookups.
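The three mechanics listed above (regex-defined lookup types, defanged IOC handling and an own-asset filter), as an added example that is not the extension's code: a small Python version that types tokens from page text, refangs them and drops your own assets before anything would be sent to an external service. The asset ranges, domains and sample text are constructed.

```python
"""IOC typing, refanging and own-asset filtering, as ThreatPinchLookup does in the
browser. Added example (not the extension's code): lookup types are plain regexes."""
import ipaddress
import re

# Defanging conventions from threat reports, undone before any lookup.
DEFANG_RULES = [(re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),   # 203.0.113[.]9
                (re.compile(r"\[:\]"), ":"),                  # hxxp[:]//
                (re.compile(r"hxxp", re.I), "http")]          # hxxp://, hxxps://

# Anchored regexes; order matters (IPv4 before FQDN). Custom type = one more entry.
LOOKUP_TYPES = {
    "IPv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "MD5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "SHA2": re.compile(r"^[0-9a-f]{64}$", re.I),
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$", re.I),
    "FQDN": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
}

OWN_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")]
OWN_DOMAINS = ["corp.example"]  # constructed own assets: never sent to an online tool

def refang(token: str) -> str:
    for pattern, repl in DEFANG_RULES:
        token = pattern.sub(repl, token)
    return token

def classify(token: str):
    """Return (lookup type, refanged value), or None when no type matches."""
    value = refang(token).strip(".,;:()<>\"'")
    for kind, pattern in LOOKUP_TYPES.items():
        if pattern.match(value):
            return kind, value
    return None

def is_own_asset(kind: str, value: str) -> bool:
    if kind == "IPv4":
        return any(ipaddress.IPv4Address(value) in net for net in OWN_NETS)
    v = value.lower()
    return kind == "FQDN" and any(v == d or v.endswith("." + d) for d in OWN_DOMAINS)

def lookups_for(text: str) -> list:
    """Distinct IOCs in a page's text that are worth an external lookup."""
    found = []
    for token in text.split():
        hit = classify(token)
        if hit and not is_own_asset(*hit) and hit not in found:
            found.append(hit)
    return found

# Constructed page text mixing defanged IOCs with one of our own addresses.
SAMPLE_TEXT = ("Beacon to 203.0.113[.]9 and evil[.]example seen from 198.51.100.23; "
               "dropper md5 d41d8cd98f00b204e9800998ecf8427e, ref CVE-2017-5754.")
```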

Chrome Web Store Link

Privilege escalation utility

The Inspector is a handy privilege escalation utility.

- Can find processes with root privilege.
- Finds exploits for your kernel version with a built-in exploit database.
- The Inspector also analyses history files to find login information.

I think Inspector is a handy utility which all pentesters like to store in their vault.

torcrack: SSH brute force over Tor

torcrack is a multi-threaded penetration testing utility which tries to crack SSH passwords over the Tor network.

Requirements: argparse, PyFiglet, PySocks, Paramiko, Tor installation

git clone

pip3 install pyfiglet pysocks paramiko argparse

apt-get install -y tor


Make sure the tor service is running:

service tor restart

python3 -h for commands


rapid7/metasploitable3 – a VM for Metasploit

Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit.

Metasploitable3 is released under a BSD-style license. See COPYING for more details.

Building Metasploitable 3

System Requirements:

OS capable of running all of the required applications listed below
VT-x/AMD-V Supported Processor recommended
65 GB Available space on drive
4.5 GB RAM


Vagrant Reload Plugin
Internet connection

NOTE: A bug was recently discovered in VirtualBox 5.1.8 that is breaking provisioning. More information here.

NOTE: A bug was recently discovered in Vagrant 1.8.7 on OSX that is breaking provisioning. More information here.

To build automatically:

Run the script if using bash, or build_win2008.ps1 if using Windows.
If the command completes successfully, run ‘vagrant up’.
When this process completes, you should be able to open the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.

To build manually:

Clone this repo and navigate to the main directory.
Build the base VM image by running packer build windows_2008_r2.json. This will take a while the first time you run it since it has to download the OS installation ISO.
After the base Vagrant box is created you need to add it to your Vagrant environment. This can be done with the command vagrant box add --name=metasploitable3.
Use vagrant plugin install vagrant-reload to install the reload vagrant provisioner if you haven’t already.
To start the VM, run the command vagrant up. This will start up the VM and run all of the installation and configuration scripts necessary to set everything up. This takes about 10 minutes.
Once this process completes, you can open up the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.


MitmAP: a Python program which creates a fake access point (Rogue AP) and sniffs data

MitmAP is a Python program which creates a fake access point (Rogue AP) and sniffs data. Features:


SSLstrip2 for HSTS bypass
Image capture with Driftnet
TShark for command line .pcap capture
Full featured access point, with configurable speed limit
DNS Spoofing
Saving results to file


Kali Linux / Raspbian with root privileges
A wireless card and an ethernet adapter / 2 wireless card
Python3 (mitmAP will install the dependencies, you don’t have to do it)

“git clone”


Kali Linux -> "sudo python3"
Raspberry PI -> "sudo python3"

Important: At the first run, choose ‘y’ on installing dependencies and on creating the config files!

PenQ Pentesting Browser Bundle


PenQ is an open source, Linux-based penetration testing browser bundle we built over Mozilla Firefox. It comes pre-configured with security tools for spidering, advanced web searching, fingerprinting, anonymous browsing, web server scanning, fuzzing, report generating and more.

PenQ is configured to run on Debian based distributions including Ubuntu and its derivative distros, and penetration testing operating systems such as BackTrack and Kali.

Steps to install and run PenQ

Download the PenQ package.
Open the command-line interface (CLI) and navigate to the location of the downloaded file.
cd [path to PenQ file]
Assign executable permission to this file.
chmod +x PenQ-installer-1.0
Run PenQ installer file from CLI.
Provide sudo password and wait for installation to complete.
Once installed, double-click the PenQ icon on desktop or run ‘penq’ from CLI to open and use the tool.

To uninstall PenQ, navigate to the PenQ folder at ‘/usr/share/PenQ’ and run the uninstaller.


OWASP ZAP
Wfuzz Web Application Fuzzer
PenTesting Report Generator
OWASP WebScarab
Mozilla Add-ons Collection
Vulnerability Databases Search
OWASP WebSlayer
Integrated Tor
Access to Shell and System Utilities
Nikto Web Server Scanner
OWASP Penetration Testing Checklist
Collection of Useful Links

PenQ Website