LiMEaide: remotely dump RAM of a Linux client

Simplify Linux digital forensics!

LiMEaide is a Python application developed by Daryl Bennett that can remotely dump the RAM of a Linux client.
It can also create a Volatility profile for later analysis.

In order to use LiMEaide all you need to do is feed a remote Linux client IP address, sit back, and consume your favorite caffeinated beverage.


How does it work?

  1. Make a remote connection with the specified client over SSH
  2. Transfer the necessary build files to the remote machine
  3. Build the memory-scraping Loadable Kernel Module (LKM), LiME
  4. The LKM dumps RAM
  5. Transfer the RAM dump and RAM maps back to the host
  6. Build a Volatility profile
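Steps 5 and 6 are where a forensic workflow most often goes wrong silently: a dump that was altered or truncated in transit still analyses, just incorrectly. The example below is added here and is not LiMEaide's own code; it records SHA-256 hashes of the transferred artifacts in a manifest, re-verifies them (detecting a single flipped byte), and packs the dwarf output and System.map into the zip layout Volatility 2 uses for Linux profiles. The file names, the kernel version in the System.map name and the file contents are constructed stand-ins, not a real LiME dump.

```python
import hashlib
import os
import tempfile
import zipfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB dump never sits in memory at once


def sha256_file(path):
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(paths, manifest_path):
    """Record '<sha256>  <basename>' per artifact, in sha256sum's format."""
    with open(manifest_path, "w") as m:
        for p in paths:
            m.write("%s  %s\n" % (sha256_file(p), os.path.basename(p)))


def verify_manifest(manifest_path, directory):
    """Recompute each hash and return {basename: matches_recorded_hash}."""
    results = {}
    with open(manifest_path) as m:
        for line in m:
            digest, name = line.rstrip("\n").split("  ", 1)
            results[name] = sha256_file(os.path.join(directory, name)) == digest
    return results


def profile_members_ok(zip_path):
    """Assumption: a Volatility 2 Linux profile zip carries a .dwarf member and a System.map member."""
    with zipfile.ZipFile(zip_path) as z:
        names = z.namelist()
    return any(n.endswith(".dwarf") for n in names) and any(n.startswith("System.map") for n in names)


def build_volatility_profile(dwarf_path, system_map_path, out_zip):
    """Pack the dwarf output and System.map into a profile zip and sanity-check it."""
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        z.write(dwarf_path, "module.dwarf")
        z.write(system_map_path, os.path.basename(system_map_path))
    return profile_members_ok(out_zip)


def demo():
    """Constructed stand-ins for the transferred artifacts (not a real LiME dump).
    Returns (verification before tampering, after tampering, profile zip ok)."""
    d = tempfile.mkdtemp()
    dump = os.path.join(d, "client.lime")
    smap = os.path.join(d, "System.map-4.4.0-generic")  # constructed kernel version
    dwarf = os.path.join(d, "module.dwarf")
    for path, payload in ((dump, b"\x00" * 4096),
                          (smap, b"ffffffff81000000 T _text\n"),
                          (dwarf, b"constructed dwarf placeholder\n")):
        with open(path, "wb") as f:
            f.write(payload)
    manifest = os.path.join(d, "manifest.sha256")
    write_manifest([dump, smap, dwarf], manifest)
    before = verify_manifest(manifest, d)
    with open(dump, "r+b") as f:  # flip one byte: models a corrupted or altered transfer
        f.seek(100)
        f.write(b"\xff")
    after = verify_manifest(manifest, d)
    ok = build_volatility_profile(dwarf, smap, os.path.join(d, "profile.zip"))
    return before, after, ok


if __name__ == "__main__":
    print(demo())
```

The manifest uses the two-space `sha256sum` layout so the same file can be checked on the acquisition host with `sha256sum -c manifest.sha256` before the dump leaves it, and again on the analysis host after transfer.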

Installation

In order to use LiMEaide you need to resolve some dependencies.

paramiko and termcolor

sudo apt-get install python3-paramiko python3-termcolor

dwarfdump

sudo apt-get install dwarfdump

LiME

  1. Download LiME v1.7.8
  2. Extract into LiMEaide/tools/
  3. Rename folder to LiME

More information and downloads

https://github.com/kd8bny/LiMEaide

UniByAv: shellcode obfuscation using Python

Applying XOR on a raw shellcode


UniByAv is a simple obfuscator that takes a raw shellcode and generates an executable that is anti-virus friendly; really useful to check antivirus solutions.

The obfuscation routine is written purely in assembly to remain short and efficient. In a nutshell, the application generates a 32-bit XOR key and brute-forces the key at run time, then decrypts the actual shellcode.

I'm going to update the code over time to also support some of the evasion techniques that I was using.

Evasion techniques

  • process
    Checks whether a specific process is running. If it is not running, the binary exits without running the payload.
  • time
    Checks whether SleepEx was hooked. If it returns bogus information, the binary exits without running the payload.
  • domain
    Checks whether the current user is part of the defined domain. If not, the binary exits without running the payload.

Installation

Simply clone the github repository and resolve some dependencies:

git clone https://github.com/Mr-Un1k0d3r/UniByAv.git
# apt install mingw-w64
# apt install wine

More information and downloads

https://github.com/Mr-Un1k0d3r/UniByAv

Raven: a tool for gathering information about company employees using google and Linkedin

Useful during a pentest


Raven is a tool developed by 0x09AL to gather information about an organization's employees using LinkedIn.

It's developed using Python, Selenium and geckodriver.

Features

  • Automatically check found emails in haveibeenpwned.com
  • Output in CSV format

Installation

Simply run setup.sh as root. 
The script resolves some python dependencies and installs geckodriver and xvfb:

pip install beautifulsoup4
pip install requests
pip install selenium
pip install tabulate
pip install pyvirtualdisplay


apt-get install xvfb
tar xvf bin/geckodriver-v0.18.0-linux64.tar.gz
mv geckodriver /usr/bin/geckodriver

Usage

The tool requires at least three parameters: company name, country initials and domain name.

raven.py [-h] -c COMPANY -s STATE -d DOMAIN [-p PAGES] [-lu LUSERNAME] [-lp LPASSWORD]

For example, if the company that you want to search is Evil Corp and the state is Albania, the parameters would be:

python raven.py -c 'Evil Corp' -s al -d evilcorp.al

More information and downloads

https://github.com/0x09AL/raven

“Spaghetti”, a Python Web Application security scanner

Designed to find various default and insecure files, configurations and misconfigurations.


Spaghetti is a web application security scanner built on Python 2.7, designed to find various default and insecure files, configurations and misconfigurations.

It's developed and maintained by Momo Outaadi (m4ll0k), who also developed Infoga, an information gathering tool.


Features

Fingerprints

  • Server
  • Frameworks (CakePHP, CherryPy, Django, …)
  • Firewall (Cloudflare, AWS, Barracuda, …)
  • CMS (Drupal, Joomla, WordPress)
  • OS (Linux, Unix, Windows, …)
  • Language (PHP, Ruby, Python, ASP, …)

Discovery

  • Admin Panel
  • Apache Enumeration Users
  • Apache XSS
  • Apache ModStatus
  • Backdoors
  • Backup
  • Captcha
  • Common Directories
  • Common Files
  • Cookie Security
  • Multiple Index
  • Information Disclosure (Emails and Private IP)
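Two of the Discovery checks above, "Cookie Security" and "Information Disclosure (Emails and Private IP)", are easy to reproduce against your own application's responses before a scanner does. The block below is an added example, not Spaghetti's code: it audits `Set-Cookie` headers for the HttpOnly, Secure and SameSite attributes and the `__Host-` prefix rules, and looks for e-mail addresses and RFC 1918 addresses in a response body. The headers and body are constructed samples; the function names are mine.

```python
import ipaddress
import re

# RFC 1918 ranges: the "private IP" the Discovery check is looking for in page content
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def check_set_cookie(header_value, over_https=True):
    """Return (cookie name, list of findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if over_https and "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    elif samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")
    # __Host- cookies must be Secure, have Path=/ and carry no Domain attribute
    if name.startswith("__Host-") and (attrs.get("path") != "/" or "domain" in attrs or "secure" not in attrs):
        findings.append("__Host- prefix requirements violated")
    return name, findings


def find_disclosures(body):
    """E-mail addresses and RFC 1918 addresses leaked in an HTTP response body."""
    emails = sorted(set(EMAIL_RE.findall(body)))
    private_ips = set()
    for candidate in IPV4_RE.findall(body):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in RFC1918):
            private_ips.add(candidate)
    return {"emails": emails, "private_ips": sorted(private_ips)}


def audit_response(set_cookie_headers, body, over_https=True):
    """Combine both checks for one response; keys: cookies (name -> findings), disclosures."""
    cookies = dict(check_set_cookie(h, over_https) for h in set_cookie_headers)
    return {"cookies": cookies, "disclosures": find_disclosures(body)}


# Constructed sample response, not captured from any real site
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "tracking=xyz; Path=/",
    "__Host-csrf=tok; Path=/; Secure; Domain=example.com",
]
SAMPLE_BODY = "<!-- contact admin@example.com; app server 10.0.4.17, cdn 203.0.113.9, typo 999.1.1.1 -->"

if __name__ == "__main__":
    report = audit_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for name, issues in report["cookies"].items():
        print(name, issues or "ok")
    print(report["disclosures"])
```

Note that `203.0.113.9` is deliberately not reported: it is a documentation-range address, and Python's `ip_address(...).is_private` would have flagged it, which is why the block checks the three RFC 1918 networks explicitly rather than relying on that property.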

Installation

Really fast: simply clone the git repository and install the dependencies:

$ git clone https://github.com/m4ll0k/Spaghetti.git
$ cd Spaghetti
$ pip install -r doc/requirements.txt
$ python spaghetti.py -h

More information and downloads

https://github.com/m4ll0k/Spaghetti

Python for malware analysis

Six Python tools useful for identifying and analysing malware

Python is a widely used scripting language in the field of computer forensics and malware analysis.

Today, we look at some of the tools developed in this scripting language that are useful in the analysis of malicious programs.


pyew

A command line tool to analyse malware, developed by Joxean Koret.
It supports hexadecimal viewing and disassembly of PE and ELF file formats, follows direct call/jmp instructions in the interactive command line, and displays function names and string data references.
It also supports plugins to add more features.


Exefilter

An open-source tool and Python framework to filter file formats in e-mails, web pages or files.
It detects many common file formats and can remove active content.


jsunpack-n

A generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities.


yara-python

A library that allows using YARA in Python programs.
It covers all YARA’s features, from compiling, saving and loading rules to scanning files, strings and processes.


phoneyc

A 'pure Python' honeyclient implementation that gives insight into malicious web sites, including the exploits on the page and their consequences.


pyClamd

A Python interface to Clamd (the ClamAV antivirus daemon), useful for adding virus detection capabilities to Python software.

The software is currently developed and maintained by Alexandre Norman.


Search and download exploits from the command line, with getsploit

A Python script that searches and downloads exploits from the Vulners database


getsploit is a command line search and download tool for Vulners Database.

It was inspired by searchsploit, the tool used to search and download from https://www.exploit-db.com.

It allows you to search online for exploits across all the most popular collections: Exploit-DB, Metasploit, Packetstorm and others. The most powerful feature is immediate download of the exploit source right into your working path.


Installation

Just a single command, no dependencies:

git clone https://github.com/vulnersCom/getsploit

How to use

Search

E.g., search all exploits for WordPress 4.7.0 and display them in a table:

./getsploit.py wordpress 4.7.0

Download

Downloads all exploits found with the previous search:

./getsploit.py -m wordpress 4.7.0

More information and downloads

https://github.com/vulnersCom/getsploit

Five online services to perform a port scan

…and a python script to rule them all!

In the early stages of a penetration test you may want to run a port scan on a host without having it originate from your IP address.

You can use some online services that allow this kind of scan.

YouGetSignal

Allows scanning a single port

http://www.yougetsignal.com/tools/open-ports/


Ping.eu

Like YouGetSignal, just one port at a time

http://ping.eu/port-chk/


ViewDNS

The scanned ports are: 21, 22, 23, 25, 80, 110, 139, 143, 445, 1433, 1521, 3306 and 3389

http://viewdns.info/portscan/


HackerTarget

Will test for common services only (21) FTP, (22) SSH, (25) SMTP, (80) HTTP, (443) HTTPS and (3389) RDP.
Nmap version detection ( -sV ) is enabled.

https://hackertarget.com/tcp-port-scan/


IPFingerprints

This service allows scanning a port range, with a lot of options

http://www.ipfingerprints.com/portscan.php


Rule them all with a python script!

Furthermore, Austin Jackson has developed a Python script, scanless, that performs scans from the console using these online services:

Usage

Requires the requests and bs4 libraries to run; install them with pip.

$ python scanless.py --help
usage: scanless.py [-h] [-t TARGET] [-s SCANNER] [-l] [-a]
scanless, public port scan scrapper
optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        ip or domain to scan
  -s SCANNER, --scanner SCANNER
                        scanner to use (default: yougetsignal)
  -l, --list            list scanners
  -a, --all             use all the scanners
$ python scanless.py --list
Scanner Name   | Website
---------------|------------------------------
yougetsignal   | http://www.yougetsignal.com
viewdns        | http://viewdns.info
hackertarget   | https://hackertarget.com
ipfingerprints | http://www.ipfingerprints.com
pingeu         | http://ping.eu
$ python scanless.py -s viewdns -t scanme.nmap.org
Running scanless...
------- viewdns -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed dns
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed smb
1433/tcp closed mssql
1521/tcp closed oracle
3306/tcp closed mysql
3389/tcp closed rdp
-----------------------
$ python scanless.py -a -t scanme.nmap.org
Running scanless...
------- yougetsignal -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed dns
80/tcp   open   http
110/tcp  closed pop3
115/tcp  closed sftp
135/tcp  closed msrpc
139/tcp  closed netbios
143/tcp  closed imap
194/tcp  closed irc
443/tcp  closed https
445/tcp  closed smb
1433/tcp closed mssql
3306/tcp closed mysql
3389/tcp closed rdp
5632/tcp closed pcanywhere
5900/tcp closed vnc
6112/tcp closed wc3
----------------------------
------- viewdns -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed dns
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed smb
1433/tcp closed mssql
1521/tcp closed oracle
3306/tcp closed mysql
3389/tcp closed rdp
-----------------------
------- hackertarget -------
tarting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.065s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
PORT     STATE  SERVICE       VERSION
21/tcp   closed ftp
22/tcp   open   ssh           OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http          Apache httpd 2.4.7 ((Ubuntu))
110/tcp  closed pop3
143/tcp  closed imap
443/tcp  closed https
445/tcp  closed microsoft-ds
3389/tcp closed ms-wbt-server
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.05 second
----------------------------
------- ipfingerprints -------
Host is up (0.16s latency).
Not shown: 484 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
111/tcp filtered rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 10 hops
------------------------------
------- pingeu -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
53/tcp   closed dns
80/tcp   open   http
139/tcp  closed netbios
443/tcp  closed https
445/tcp  closed smb
3389/tcp closed rdp
----------------------

https://github.com/vesche/scanless
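The `-a` run above shows why aggregating several scanners is worth doing: they probe different port lists, and for port 445 ipfingerprints reports `filtered` where the others report `closed`, which usually says more about the path between that scanner and the host than about the host. The example below is added here and is not part of scanless: it parses scanless' combined output (both its plain tables and the nmap-style rows from hackertarget), merges the per-scanner results, marks ports where scanners disagree, and lists the ports every scanner that probed them reported open. The input is a constructed, abridged sample in the same format as the output shown above.

```python
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^-+ (\S+) -+$")  # section headers such as "------- viewdns -------"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\b")  # table rows and nmap rows alike


def parse_scanless(text):
    """Return {scanner: {port: state}} from scanless' combined (-a) output."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {}
            continue
        if current is None:  # text before the first scanner header ("Running scanless...")
            continue
        m = PORT_RE.match(line)
        if m:
            results[current][int(m.group(1))] = m.group(3)
    return results


def consolidate(results):
    """Per port: which scanners saw it open and whether the scanners disagree on its state."""
    per_port = defaultdict(dict)
    for scanner, ports in results.items():
        for port, state in ports.items():
            per_port[port][scanner] = state
    summary = {}
    for port, votes in sorted(per_port.items()):
        summary[port] = {
            "states": votes,
            "open_by": sorted(s for s, st in votes.items() if st == "open"),
            "disagree": len(set(votes.values())) > 1,
        }
    return summary


def exposed_ports(summary):
    """Ports every scanner that probed them reported open: the externally confirmed exposure."""
    return [p for p, v in summary.items() if v["open_by"] and len(v["open_by"]) == len(v["states"])]


# Constructed sample in the format scanless prints (abridged; not a real scan result)
SAMPLE_OUTPUT = """Running scanless...
------- viewdns -------
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   open   http
445/tcp  closed smb
-----------------------
------- hackertarget -------
Starting Nmap 7.01 ( https://nmap.org ) at 2017-05-06 02:31 UTC
PORT     STATE  SERVICE       VERSION
22/tcp   open   ssh           OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http          Apache httpd 2.4.7 ((Ubuntu))
445/tcp  closed microsoft-ds
----------------------------
------- ipfingerprints -------
Not shown: 484 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
445/tcp filtered microsoft-ds
------------------------------
"""

if __name__ == "__main__":
    summary = consolidate(parse_scanless(SAMPLE_OUTPUT))
    for port, v in summary.items():
        print(port, v["states"], "DISAGREE" if v["disagree"] else "")
    print("confirmed open:", exposed_ports(summary))
```

When checking your own perimeter, treat a `filtered`/`closed` split as a prompt to look at the firewall or upstream filtering rather than as noise, and treat only ports in the "confirmed open" list as verified exposure.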

Seriously? A backdoor that uses Telegram as C&C server?

Yep, it’s called BrainDamage


BrainDamage is a fully featured Python-based backdoor that uses Telegram as its C&C server.

It is a hypothetical evolution of backdoors (very unlikely, from my point of view), so it's a good idea to analyze its source code and its behavior.


Features


  • #whoisonline - list active slaves
    This command lists all the active slaves.
  • #destroy - delete & clean up
    This command removes the stub from the host and removes its registry entries.
  • #cmd - execute command on CMD
    Runs shell commands on the host.
  • #download - url (startup, desktop, default)
    Downloads files to the host computer.
  • #execute - shutdown, restart, logoff, lock
    Executes the listed commands.
  • #screenshot - take screenshot
    Takes a screenshot of the host computer.
  • #send - passwords, drivetree, driveslist, keystrokes, openwindows
    This command sends passwords (saved browser passwords, FTP, PuTTY...), the directory tree of the host (up to level 2), logged keystrokes and the windows that are currently open.
  • #set - email (0: Default, 1: URL, 2: Update), filename (0: Itself, 1: Others), keystrokes (text)
    This command can set the email template (default, download from URL, update the current template with text you send), rename files or inject keystrokes on the host.
  • #start - website (URL), keylogger, recaudio (time), webserver (Port), spread
    This command can open a website, start the keylogger, record audio, start the web server or start USB spreading.
  • #stop - keylogger, webserver
    This command stops the keylogger or the web server.
  • #wallpaper - change wallpaper (URL)
    Changes the wallpaper of the host computer.
  • #find - openports (host, threads, ports), router
    This command finds open ports and the router the host is using.
  • #help -
    Prints this usage.
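From the defender's side, the interesting property of this design is that both channels are ordinary HTTPS and SMTP to well-known providers, so the signal is not the destination itself but the shape of the traffic: a workstation calling the Telegram Bot API (paths of the form `/bot<id>:<token>/<method>`, which end-user Telegram clients do not use) at regular intervals, plus direct SMTP submission to Gmail from the same host. The block below is an added detection example, not BrainDamage's code or any vendor's rule: it runs over constructed proxy-log lines in a made-up `epoch src_ip dst_host dst_port path` format, scores Bot API call regularity, and correlates it with Gmail submission. The token in the sample paths is a placeholder.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy-log format: "<epoch> <src_ip> <dst_host> <dst_port> <path>" (not a real log format)
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (\S+)$")
# Telegram Bot API paths look like /bot<numeric id>:<token>/<method>
BOT_PATH_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(\w+)")

# Constructed sample log; the token is a placeholder, the hosts are private-range stand-ins
SAMPLE_LOG = """\
1000 10.0.0.5 api.telegram.org 443 /bot123456789:PLACEHOLDER_TOKEN/getUpdates
1010 10.0.0.5 api.telegram.org 443 /bot123456789:PLACEHOLDER_TOKEN/getUpdates
1020 10.0.0.5 api.telegram.org 443 /bot123456789:PLACEHOLDER_TOKEN/getUpdates
1030 10.0.0.5 api.telegram.org 443 /bot123456789:PLACEHOLDER_TOKEN/sendDocument
1031 10.0.0.5 smtp.gmail.com 587 /
1005 10.0.0.7 web.telegram.org 443 /
1100 10.0.0.9 api.telegram.org 443 /bot987654321:PLACEHOLDER_TOKEN/getMe
"""


def parse_log(text):
    """Parse the constructed log format into (epoch, src, host, port, path) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, host, port, path = m.groups()
            events.append((int(ts), src, host, int(port), path))
    return events


def bot_api_polling(events, min_requests=4, max_jitter=0.25):
    """Per source host: Bot API call count, methods used, and whether the call spacing is
    regular enough to look like a polling loop (coefficient of variation <= max_jitter)."""
    per_src = defaultdict(list)
    for ts, src, host, _port, path in events:
        if host == "api.telegram.org":
            m = BOT_PATH_RE.match(path)
            if m:
                per_src[src].append((ts, m.group(1)))
    findings = {}
    for src, calls in per_src.items():
        if len(calls) < min_requests:  # too few samples to judge regularity
            continue
        calls.sort()
        gaps = [b[0] - a[0] for a, b in zip(calls, calls[1:])]
        avg = mean(gaps)
        regular = avg > 0 and pstdev(gaps) / avg <= max_jitter
        findings[src] = {
            "requests": len(calls),
            "methods": sorted({method for _, method in calls}),
            "regular": regular,
        }
    return findings


def gmail_submission_sources(events):
    """Hosts talking SMTP submission directly to Gmail: the second channel the post describes."""
    return sorted({src for _, src, host, port, _ in events
                   if host == "smtp.gmail.com" and port in (465, 587)})


def suspects(events):
    """Sources showing both regular Bot API polling and direct Gmail submission."""
    polling = bot_api_polling(events)
    mail = set(gmail_submission_sources(events))
    return sorted(src for src, f in polling.items() if f["regular"] and src in mail)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(bot_api_polling(ev))
    print("suspects:", suspects(ev))
```

In the sample, 10.0.0.7 (a browser session on web.telegram.org) and 10.0.0.9 (a single `getMe` call) are left alone; only the host polling `getUpdates` every ten seconds and then submitting mail to Gmail is reported. In a real deployment the thresholds would be tuned per environment, and hosts that legitimately run Telegram bots would be allow-listed.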

Installation

The setup is pretty simple:

First, install some requirements:

Then, start the installation:

  • Telegram setup:
    – Install Telegram app and search for “BOTFATHER”.
    – Type /help to see all possible commands.
    – Click on or type /newbot to create a new bot.
    – Name your bot.
    – You should see a new API token generated for it.
  • Dedicated Gmail account. Remember to check "allow connection from less secure apps" in the Gmail settings.
  • Set access_token in eclipse.py to the token given by the BotFather.
  • Set CHAT_ID in eclipse.py. Send a message from the app and use the Telegram API to get this chat id.

bot.getMe() will give output {'first_name': 'Your Bot', 'username': 'YourBot', 'id': 123456789}

  • Set copied_startup_filename in Eclipse.py.
  • Set Gmail password and Username in /Breathe/SendData.py

More information and downloads

https://github.com/mehulj94/BrainDamage

Gathering e-mail accounts information with Infoga

Really simple tool, but very effective!


Infoga is a Python script that gathers e-mail information with Google, Bing, and Shodan:

Infoga is a tool for gathering e-mail accounts information from different public sources (search engines, PGP key servers). It is a really simple tool, but very effective for the early stages of a penetration test or just to know the visibility of your company on the Internet.

The installation is really simple: just install some requirements (requests, urllib3, urlparse) with pip and start the infoga.py script.


Downloads

https://github.com/m4ll0k/infoga