KRACK attack scripts released

KRACK is an acronym for Key Reinstallation Attacks. KRACK exploits a weakness in the WPA2 (Wi-Fi Protected Access II) handshake process. WPA2 is used to protect the communication of wireless devices; it has a mechanism that lets devices join the network with a pre-shared password and a four-way handshake. The attack works against all modern protected Wi-Fi networks. The weaknesses are in the Wi-Fi standard itself, not in individual products or implementations, so any correct implementation of WPA2 is likely affected.

According to Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device.
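To make the defensive point concrete, here is an added toy model (not code from the researchers, from the Wi-Fi standard, or from the released scripts) of the supplicant-side behaviour that a key reinstallation abuses. It reduces the four-way handshake to one event, receipt of message 3, and models the vulnerable behaviour as: installing the pairwise key resets the per-frame nonce to zero, so a replayed message 3 makes the station reuse nonces under the same key. The `patched` flag models the fix, which is to ignore a message 3 that would reinstall a key that is already in use. The class and function names and the session-key value are constructed for the example.

```python
"""Toy model of key installation on a Wi-Fi supplicant (added example).

Nothing here speaks a real protocol; it only shows why reinstalling an
already-installed key must not reset the nonce."""


class Supplicant:
    """Minimal model of a station's key-installation state (constructed)."""

    def __init__(self, patched):
        self.patched = patched
        self.installed_ptk = None   # pairwise transient key currently in use
        self.nonce = None           # per-frame packet number used with that key

    def on_message3(self, ptk):
        """Handle message 3 of the four-way handshake, which may be a retransmission."""
        if self.patched and self.installed_ptk == ptk:
            # Fixed behaviour: the key is already installed, so a retransmitted
            # message 3 must not reset the nonce or the replay counter.
            return "retransmission ignored"
        # Vulnerable behaviour (and also the normal first-time installation):
        # install the key and start the packet number from zero.
        self.installed_ptk = ptk
        self.nonce = 0
        return "key installed"

    def send_frame(self, payload):
        """Return the (nonce, payload) pair the station would protect next."""
        if self.installed_ptk is None:
            raise RuntimeError("no key installed yet")
        self.nonce += 1
        return self.nonce, payload


def nonces_after_retransmit(patched):
    """Drive one supplicant through: message 3, two data frames, a replayed
    message 3, one more data frame. Returns the nonces used for the three
    frames; a repeated value means the same keystream was reused."""
    station = Supplicant(patched=patched)
    ptk = b"constructed-session-key"          # constructed stand-in for a PTK
    station.on_message3(ptk)
    used = [station.send_frame(b"frame A")[0], station.send_frame(b"frame B")[0]]
    station.on_message3(ptk)                  # the same message 3 arrives again
    used.append(station.send_frame(b"frame C")[0])
    return used


def has_nonce_reuse(nonces):
    """True when any nonce was used more than once under the same key."""
    return len(nonces) != len(set(nonces))


if __name__ == "__main__":
    for patched in (False, True):
        used = nonces_after_retransmit(patched)
        print(f"patched={patched}: nonces={used} reuse={has_nonce_reuse(used)}")
```

Running the block prints the nonce sequence for both variants; the unpatched station returns to nonce 1 after the replayed message, the patched one continues counting.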

Scripts to perform the KRACK attack have been released on GitHub.

You can find scripts here.

ThreatPinchLookup, threat intelligence extension for Chrome


ThreatPinchLookup supplies threat intelligence information in on-hover tooltips.

It creates on-hover tooltips on every website for IPv4 addresses, MD5 and SHA2 hashes, CVEs, or any custom IOC you define. It is designed to work with any API, and customization is encouraged. It's the infosec threat and OSINT Swiss Army knife for your browser. Investigate less by taking your context with you.

Documentation here: https://github.com/cloudtracer/ThreatPinchLookup/wiki

Features:
– Add your own IOCs by defining your own lookup type via regex
– Create your own data connections, for example a data connection for your asset portal
– Sync your data requests with a CouchDB
– Filter look up requests so that you aren’t looking up your own assets in online tools.
– Supports defanged IOCs

Out of the box integrations with:
– ThreatMiner for IPv4, FQDN, MD5 and SHA2 lookups.
– Alienvault OTX for IPv4, MD5 and SHA2 lookups.
– IBM X-Force Exchange for IPv4, FQDN lookups.
– VirusTotal for MD5, SHA2, FQDN lookups.
– Cymon.io for IPv4 lookups.
– Computer Incident Response Center Luxembourg (CIRCL) for CVE Lookups.
– PassiveTotal for FQDN whois Lookups
– MISP for MD5 and SHA2

Chrome Web Store Link

Inspector.py privilege escalation utility

The Inspector is a handy privilege escalation utility.

Features:
– can find processes running with root privileges
– find exploits for your kernel version with the built-in exploit database
– The Inspector also analyses history files to find login information.

Download:
wget https://raw.githubusercontent.com/graniet/Inspector/master/inspector.py

Usage:
python inspector.py

I think Inspector is a handy utility which all pentesters like to store in their vault.

torcrack: SSH brute force over Tor

torcrack is a penetration testing utility that tries to crack SSH passwords, multi-threaded and over the Tor network.

Requirements: argparse, PyFiglet, PySocks, Paramiko and a Tor installation.

git clone https://github.com/norksec/torcrack.git

pip3 install pyfiglet pysocks paramiko argparse

apt-get install -y tor

Usage:

Make sure the Tor service is running:

service tor restart

Run python3 torcrack.py -h for the list of commands.

LINK

rapid7/metasploitable3 – a VM for Metasploit

metasploitable3

Metasploitable3 is a VM that is built from the ground up with a large number of security vulnerabilities. It is intended to be used as a target for testing exploits with Metasploit.

Metasploitable3 is released under a BSD-style license. See COPYING for more details.

Building Metasploitable 3

System Requirements:

OS capable of running all of the required applications listed below
VT-x/AMD-V Supported Processor recommended
65 GB Available space on drive
4.5 GB RAM

Requirements:

Packer
Vagrant
Vagrant Reload Plugin
VirtualBox
Internet connection

NOTE: A bug was recently discovered in VirtualBox 5.1.8 that is breaking provisioning. More information here.

NOTE: A bug was recently discovered in Vagrant 1.8.7 on OSX that is breaking provisioning. More information here.

To build automatically:

Run the build_win2008.sh script if using bash, or build_win2008.ps1 if using Windows.
If the command completes successfully, run ‘vagrant up’.
When this process completes, you should be able to open the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.

To build manually:

Clone this repo and navigate to the main directory.
Build the base VM image by running packer build windows_2008_r2.json. This will take a while the first time you run it since it has to download the OS installation ISO.
After the base Vagrant box is created you need to add it to your Vagrant environment. This can be done with the command vagrant box add windows_2008_r2_virtualbox.box --name=metasploitable3.
Use vagrant plugin install vagrant-reload to install the reload vagrant provisioner if you haven’t already.
To start the VM, run the command vagrant up. This will start up the VM and run all of the installation and configuration scripts necessary to set everything up. This takes about 10 minutes.
Once this process completes, you can open up the VM within VirtualBox and login. The default credentials are U: vagrant and P: vagrant.

LINK

PenQ Pentesting Browser Bundle

penq

PenQ is an open source, Linux-based penetration testing browser bundle we built over Mozilla Firefox. It comes pre-configured with security tools for spidering, advanced web searching, fingerprinting, anonymous browsing, web server scanning, fuzzing, report generating and more.

PenQ is configured to run on Debian based distributions including Ubuntu and its derivative distros, and penetration testing operating systems such as BackTrack and Kali.

Steps to install and run PenQ

Download the PenQ package.
Open the command-line interface (CLI) and navigate to the location of the downloaded file.
cd [path to PenQ file]
Assign executable permission to this file.
chmod +x PenQ-installer-1.0
Run PenQ installer file from CLI.
./PenQ-installer-1.0
Provide sudo password and wait for installation to complete.
Once installed, double-click the PenQ icon on desktop or run ‘penq’ from CLI to open and use the tool.

To uninstall PenQ, navigate to the PenQ folder at ‘/usr/share/PenQ’ and run the uninstaller.

Features

– OWASP ZAP
– Wfuzz Web Application Fuzzer
– PenTesting Report Generator
– OWASP WebScarab
– Mozilla Add-ons Collection
– Vulnerability Databases Search
– OWASP WebSlayer
– Integrated Tor
– Access to Shell and System Utilities
– Nikto Web Server Scanner
– OWASP Penetration Testing Checklist
– Collection of Useful Links

PenQ Website

Using Vuls Vulnerability Scanner For Linux

Vuls is an agentless vulnerability scanner for Linux, written in Go.

Vuls downloads the NVD (National Vulnerability Database) and inserts it into a SQLite database; Vuls has a built-in CVE dictionary for this SQLite file.

As a second step you should prepare SSH key-based authorization between the server and the scan target, because Vuls is an insider scanner. The logic behind Vuls is to search for unattended upgrades and thereby find insecure packages.

Imho this could be problematic on some distros. Likewise, the Debian team likes to patch some vulnerabilities in prior versions of packages. I think there could be many false positives.
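The backport problem described above can be shown with a small added example (this is not Vuls code; the package name, versions, CVE id and advisory below are constructed sample data). It implements dpkg's version ordering and then runs two checks over one installed package: a naive upstream-only comparison against the release in which upstream fixed a bug, which is where the false positive comes from, and a distribution-aware comparison against the version named in the distro's own security advisory.

```python
"""Why upstream-version matching produces false positives on distributions
that backport security fixes (added example, not part of Vuls)."""
import itertools
import re

# Constructed sample data: one installed Debian package and two sources of
# "fixed in" information for a hypothetical CVE (CVE-YYYY-NNNN is a placeholder).
INSTALLED = {"package": "examplepkg", "version": "1:2.0.1-3+deb8u2"}
NVD_UPSTREAM_FIXED_IN = "2.0.2"                 # upstream release that fixed the bug
DISTRO_ADVISORY_FIXED_IN = "1:2.0.1-3+deb8u2"   # version the (constructed) advisory names


def parse_debian_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_text, version = version.split(":", 1)
        epoch = int(epoch_text)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(char):
    """dpkg's weight for one non-digit character: '~' sorts before everything,
    including end of string; letters sort before other punctuation."""
    if char == "~":
        return -1
    if char == "":
        return 0
    if char.isalpha():
        return ord(char)
    return ord(char) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments the dpkg way: alternate non-digit runs
    (character by character) and digit runs (numerically). Returns -1, 0 or 1."""
    while a or b:
        run_a = re.match(r"[^0-9]*", a).group()
        run_b = re.match(r"[^0-9]*", b).group()
        a, b = a[len(run_a):], b[len(run_b):]
        for x, y in itertools.zip_longest(run_a, run_b, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        digits_a = re.match(r"[0-9]*", a).group()
        digits_b = re.match(r"[0-9]*", b).group()
        a, b = a[len(digits_a):], b[len(digits_b):]
        num_a, num_b = int(digits_a or 0), int(digits_b or 0)
        if num_a != num_b:
            return -1 if num_a < num_b else 1
    return 0


def dpkg_compare(v1, v2):
    """Full Debian version comparison: epoch, then upstream, then revision."""
    e1, u1, r1 = parse_debian_version(v1)
    e2, u2, r2 = parse_debian_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    upstream_result = _cmp_fragment(u1, u2)
    if upstream_result:
        return upstream_result
    return _cmp_fragment(r1, r2)


def naive_is_vulnerable(installed_version, upstream_fixed_in):
    """Upstream-only check: compares just the upstream part against the release
    that fixed the bug upstream, ignoring the distro revision that may carry
    the backported fix. This is the false-positive pattern."""
    _, upstream, _ = parse_debian_version(installed_version)
    return _cmp_fragment(upstream, upstream_fixed_in) < 0


def advisory_is_vulnerable(installed_version, advisory_fixed_in):
    """Distro-aware check: compares the full package version against the version
    named in the distribution's own security advisory."""
    return dpkg_compare(installed_version, advisory_fixed_in) < 0


def scan(installed_version, upstream_fixed_in, advisory_fixed_in):
    """Run both checks; returns (naive_verdict, advisory_verdict)."""
    return (naive_is_vulnerable(installed_version, upstream_fixed_in),
            advisory_is_vulnerable(installed_version, advisory_fixed_in))


if __name__ == "__main__":
    naive, advisory = scan(INSTALLED["version"], NVD_UPSTREAM_FIXED_IN, DISTRO_ADVISORY_FIXED_IN)
    print(f"{INSTALLED['package']} {INSTALLED['version']}: "
          f"naive check vulnerable={naive}, advisory check vulnerable={advisory}")
```

For the constructed package the naive check reports it vulnerable (upstream 2.0.1 is older than 2.0.2) while the advisory check reports it fixed, because the distro revision +deb8u2 is exactly the one the advisory names. A scanner that only knows upstream version numbers cannot tell these cases apart, which is the source of the false positives mentioned above.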

Download

DROWN or not to DROWN

DROWN logo
DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. DROWN is another downgrade attack on SSL, this time targeting SSLv2.
SSL has a long history of downgrade attacks such as Lucky13, CRIME, BEAST and POODLE. Currently 33% of internet servers use SSLv2. With DROWN an attacker can decrypt connections to a server that has SSLv2 enabled.

Papers and Vulnerability Testing Here

Install OpenVAS 8 on Debian 8 Jessie

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

You can find all source packages for OpenVAS here.

First, prepare the system for OpenVAS:

sudo apt-get update
sudo apt-get install build-essential cmake bison flex libpcap-dev pkg-config libglib2.0-dev libgpgme11-dev uuid-dev \
sqlfairy xmltoman doxygen libssh-dev libksba-dev libldap2-dev \
libsqlite3-dev libmicrohttpd-dev libxml2-dev libxslt1-dev \
xsltproc clang rsync rpm nsis alien sqlite3 libhiredis-dev libgcrypt11-dev libgnutls28-dev redis-server texlive-latex-base

Edited upon Thomas Frederiksen's suggestion.

Download the sources:

wget http://wald.intevation.org/frs/download.php/2067/openvas-libraries-8.0.3.tar.gz
wget http://wald.intevation.org/frs/download.php/2071/openvas-scanner-5.0.3.tar.gz
wget http://wald.intevation.org/frs/download.php/2075/openvas-manager-6.0.3.tar.gz
wget http://wald.intevation.org/frs/download.php/2079/greenbone-security-assistant-6.0.3.tar.gz
wget http://wald.intevation.org/frs/download.php/1987/openvas-cli-1.4.0.tar.gz

Unpack the packages:

tar xvf greenbone-security-assistant-6.0.3.tar.gz
tar xvf openvas-libraries-8.0.3.tar.gz
tar xvf openvas-scanner-5.0.3.tar.gz
tar xvf openvas-manager-6.0.3.tar.gz
tar xvf openvas-cli-1.4.0.tar.gz

Compile the sources:

cd openvas-libraries-8.0.3
cmake .
make
make doc
sudo make install
cd ..

cd openvas-manager-6.0.3/
cmake .
make
make doc
sudo make install
cd ..

cd openvas-scanner-5.0.3/
cmake .
make
make doc
sudo make install
cd ..

cd openvas-cli-1.4.0/
cmake .
make
make doc
sudo make install

cd greenbone-security-assistant-6.0.3/
cmake .
make
make doc
sudo make install

Configuration step:

sudo ldconfig

cd ~ && wget --no-check-certificate https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup &&
chmod +x openvas-check-setup && sudo ./openvas-check-setup --v8

# Create openvas certificates:
sudo openvas-mkcert

# NVT feed:
sudo openvas-nvt-sync

# SCAP feed:
sudo openvas-scapdata-sync

# CERT feed:
sudo openvas-certdata-sync

# Generate client certificates:
sudo openvas-mkcert-client -n -i

# Signature checking of NVTs:

sudo apt-get install gnupg
wget http://www.openvas.org/OpenVAS_TI.asc
sudo gpg --homedir=/usr/local/etc/openvas/gnupg --gen-key
sudo gpg --homedir=/usr/local/etc/openvas/gnupg --import OpenVAS_TI.asc
sudo gpg --homedir=/usr/local/etc/openvas/gnupg --lsign-key 48DB4530

To help generate enough random bytes for key generation, run this in another shell:

sudo dd if=/dev/zero of=/tmp/500m.tmp bs=500M count=5

or install the haveged daemon:

sudo apt-get install haveged

# Enable signature checking (the config file is root-owned after make install, so append via sudo tee):

echo "nasl_no_signature_check = no" | sudo tee -a /usr/local/etc/openvas/openvassd.conf

# Update portnames:

wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
sudo openvas-portnames-update service-names-port-numbers.xml
rm service-names-port-numbers.xml

# Create admin password:

sudo openvasmd --create-user=adminuser --role=Admin

Write down the generated password.

# Set password policy:
sudo vim /usr/local/etc/openvas/pwpolicy.conf

# Install nmap 5.51:

wget http://nmap.org/dist/nmap-5.51.6.tgz &&
tar xvf nmap-5.51.6.tgz &&
cd nmap-5.51.6 &&
./configure &&
make &&
sudo make install

# Start OpenVAS Scanner
sudo openvassd

# Initialize the Database
sudo openvasmd --rebuild --progress

# Launch OpenVAS Scanner as root
openvassd

# Launch OpenVAS Manager daemon
openvasmd

# Launch OpenVAS Greenbone Security Assistant

gsad

Configure redis-server, starting from the sample configuration at:

http://download.redis.io/redis-stable/redis.conf

Changes in redis.conf:

unixsocket /tmp/redis.sock
unixsocketperm 777
dir /var/dump # create the directory and chmod it as root

Comment out the lines below:

#repl-diskless-sync no
#repl-diskless-sync-delay 5
# repl-ping-slave-period 10

Connect to the web interface as "adminuser" with the password you wrote down:

https://localhost

GHOST: glibc-based vulnerability in Linux systems

Researchers at Redwood City, Calif.-based security vendor Qualys Inc. discovered the vulnerability, which is officially labeled CVE-2015-0235 but has been nicknamed GHOST because it can be triggered by the DNS resolver's gethostbyname function, which translates a hostname to an IP address. The flaw, first reported by Threatpost, has been confirmed in Linux systems using GNU C Library (glibc) versions 2.2 and newer, which includes all glibc versions released since Nov. 10, 2000.

Qualys has categorized this as a critical vulnerability due to the vast number of affected systems, and because attackers can exploit the flaw remotely to gain control of a system without having any prior knowledge of system credentials.

“GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine,” said Wolfgang Kandek, chief technical officer for Qualys. “For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine.”


How to test for the GHOST vulnerability?

$ wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
$ gcc GHOST.c -o GHOST
$ ./GHOST
[prints "vulnerable" or "not vulnerable"]

Note: Reboot your system after applying patches for this vulnerability.

How to patch?

On Debian and Ubuntu systems:

$ sudo apt-get upgrade

On CentOS, Red Hat and Oracle Unbreakable Linux systems:

$ yum update