My Python Framework v1.0

Python-Framework-v1.0

This framework is simply a Python GUI-based tool for 1. port scanning and 2. banner grabbing.

A simple Python script can also change the scenario of your assignment. This tool also does banner grabbing with the help of Python's sock.recv(), the low-level network interface; the output may take time to appear on screen because of the addition of that interface in the script. This is a GUI-based Python platform. Please contact me with your questions, comments and feedback at “niraj007m[at]gmail[dot]com”.
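The mechanics the framework relies on, shown as an added Python 3 example that is not code from the Python-Framework-v1.0 repository: connect, read whatever the service volunteers with sock.recv(), and always give the socket a timeout, because a service that waits for the client to speak first (HTTP, for example) otherwise blocks the grab indefinitely, which is the "takes time to load" effect described above. The example spins up its own loopback server with a constructed banner so it runs offline and only ever probes 127.0.0.1; use it to inventory your own hosts' listening services.

```python
import socket
import socketserver
import threading

# Constructed banner for the loopback test server (not a real service).
TEST_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"


class _BannerHandler(socketserver.BaseRequestHandler):
    """Sends a banner and closes, the way sshd or an SMTP server greets a client."""

    def handle(self):
        self.request.sendall(TEST_BANNER)


def start_test_server():
    """Start a throwaway loopback server on an ephemeral port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _BannerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_loopback_port():
    """Bind to port 0, read the kernel's choice, release it: a port nothing listens on."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Connect and read the service's greeting; returns a dict describing the result.

    sock.recv() blocks until data arrives, so the timeout decides whether a silent
    but open port is reported in a bounded time or hangs the scanner.
    """
    result = {"host": host, "port": port, "open": False, "banner": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["open"] = True
            sock.settimeout(timeout)
            try:
                data = sock.recv(max_bytes)
            except socket.timeout:
                data = b""  # open port, silent service: still useful inventory data
            result["banner"] = data.decode("ascii", "replace").strip() or None
    except OSError as exc:  # refused, timed out, unreachable ...
        result["error"] = type(exc).__name__
    return result


def scan_ports(host, ports, timeout=0.5):
    """Banner-grab each port in turn; returns only the ones that accepted a connection."""
    return [r for r in (grab_banner(host, p, timeout) for p in ports) if r["open"]]


if __name__ == "__main__":
    server, port = start_test_server()
    try:
        for r in scan_ports("127.0.0.1", [port, free_loopback_port()]):
            print(r)
    finally:
        server.shutdown()
        server.server_close()
```

A GUI wrapper would call scan_ports() from a worker thread and post the dicts back to the Tkinter main loop, so the window stays responsive while recv() waits.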

Required packages:

  1. Python 2.7.11+
  2. Tkinter – (pip install Tkinter)

Very soon we will add more and more scripts to this framework, so that we can do complete security testing.
Github Repo: https://github.com/niraj007m/Python-Framework-v1.0



DNS Zone Transfer – Network Enumeration

Hi Testers,

Adding some information about DNS zone transfer.
We are all working on gathering DNS information; it may give us confidential information, isn't it?

Here is one small command-line tool that everyone has an idea about, named dig (source link: http://en.wikipedia.org/wiki/Dig_%28command%29).

With a proper understanding of any tool and proper timing of its use, you can save a lot of time and apply it to various VAPT tasks.
(The dig commands may be known to experts, but this information is for beginners only.)

Command 1: dig www.target.com (hopefully shows you the target's real IP address)

Command 2: dig www.target.com MX
(Can you find the real IP range of your target network? Can you even conclude something about the web server's own mail functionality?)

Command 3: dig www.target.com MX +noall +answer
Command 4: dig www.target.com MX +short
(dig expects a bare hostname such as www.target.com, not a URL with an http:// prefix.)

Through dig you can get mail exchange records (MX), nameservers (NS), address records (A), PTR records, the SOA serial number used for an IXFR zone transfer, etc.

I hope you will try various dig commands and understand this initial step of testing.

(Maybe you are thinking that various automated tools provide an automatic report about DNS, so why use the dig command or manual testing?)

That may be the right question in your mind, but have you worked on manual testing before, and how accurate was the information you got? We can use automated tools to perform the respective action, but remember that tools work on a defined task/procedure; you have to configure them manually according to your requirements.

AXFR and IXFR:

Command x: dig @<nameserver> target.com AXFR
Command y: dig @<nameserver> target.com IXFR=<serial> (IXFR is an incremental zone transfer: the server sends only the changes made since the SOA serial you supply)
A zone transfer is requested for the zone (target.com, not the www host) directly from one of its authoritative nameservers; take <nameserver> from the NS records (dig target.com NS) and <serial> from the SOA record. A recursive resolver will not serve AXFR, and a correctly configured authoritative server restricts it to its secondaries and dig then reports “; Transfer failed.”
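An added Python example, not part of this post, for the dig output discussed above: it parses `+noall +answer`-style lines into records, pulls the MX hosts and the SOA serial (the value IXFR needs), and classifies an AXFR attempt as open or refused. All sample output is constructed here (the target.com names, the 192.0.2.x documentation addresses and the serial are made up); the intended use is checking that your own authoritative nameservers refuse transfers to arbitrary clients.

```python
import re

# Constructed sample output in the shape of `dig ... +noall +answer`
# (tab-separated: name, TTL, class, type, rdata). Not captured from a real host.
MX_ANSWER = (
    "target.com.\t3600\tIN\tMX\t10 mail1.target.com.\n"
    "target.com.\t3600\tIN\tMX\t20 mail2.target.com.\n"
)

# What an unrestricted zone transfer looks like: the whole zone bracketed by its SOA.
AXFR_OPEN = (
    "target.com.\t86400\tIN\tSOA\tns1.target.com. hostmaster.target.com. 2013011401 7200 900 1209600 86400\n"
    "target.com.\t86400\tIN\tNS\tns1.target.com.\n"
    "www.target.com.\t3600\tIN\tA\t192.0.2.10\n"
    "mail1.target.com.\t3600\tIN\tA\t192.0.2.25\n"
    "target.com.\t86400\tIN\tSOA\tns1.target.com. hostmaster.target.com. 2013011401 7200 900 1209600 86400\n"
)
# What a properly restricted server produces instead.
AXFR_REFUSED = "; Transfer failed.\n"

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+([A-Z0-9]+)\s+(.*)$")


def parse_answer(text):
    """Turn dig answer lines into dicts; comment lines starting with ';' are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, ttl, klass, rtype, rdata = m.groups()
            records.append({"name": name, "ttl": int(ttl), "class": klass,
                            "type": rtype, "rdata": rdata})
    return records


def mail_exchangers(text):
    """MX rdata is '<priority> <host>'; return the hosts ordered by priority, lowest first."""
    mx = [r["rdata"].split() for r in parse_answer(text) if r["type"] == "MX"]
    return [host for _, host in sorted((int(prio), host) for prio, host in mx)]


def soa_serial(text):
    """The zone serial is the third rdata field of the SOA record (what IXFR=<serial> wants)."""
    for r in parse_answer(text):
        if r["type"] == "SOA":
            return int(r["rdata"].split()[2])
    return None


def axfr_status(text):
    """Classify an AXFR attempt from dig's output.

    A complete transfer starts and ends with the zone's SOA record; a server that
    restricts transfers (the expected, secure configuration) prints
    '; Transfer failed.' and no records at all.
    """
    records = parse_answer(text)
    if len(records) >= 2 and records[0]["type"] == "SOA" and records[-1]["type"] == "SOA":
        return "open"
    if "Transfer failed" in text or not records:
        return "refused"
    return "partial"


if __name__ == "__main__":
    print("MX hosts:", mail_exchangers(MX_ANSWER))
    print("zone serial:", soa_serial(AXFR_OPEN))
    print("open server:", axfr_status(AXFR_OPEN), "| hardened server:", axfr_status(AXFR_REFUSED))
```

In practice you would feed it the stdout of `dig @<nameserver> target.com AXFR` run against each of your own NS hosts; any "open" result from a host that is not a configured secondary is a misconfiguration to fix (allow-transfer or its equivalent).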

DNS Brute Force:
Here is a Perl script that helps with DNS brute-forcing:

Source Link: http://packetstormsecurity.com/files/24865/blindcrawl.pl.html

Command z: perl blindcrawl.pl -d www.target.com

gxfr.py, which mines Google search results for hostnames, also helps you a lot to learn about the target's DNS.

Fierce is a tool that helps you with DNS zone transfers; follow the links below:

http://securitytube-tools.net/index.php?title=Fierce
http://ha.ckers.org/fierce/
http://vimeo.com/6807644

Feel free to reply back.

NETZOB: A Protocol Reverse Engineering Tool

Netzob is an open source tool that supports the expert in reverse engineering, evaluating and simulating communication protocols. Its main goals are to help security evaluators to:

  • Assess the robustness of implementations of proprietary or unknown protocols.
  • Simulate realistic communications to test third-party products (IDS, firewalls, etc.).
  • Create an open source implementation of a proprietary or unknown protocol.

Netzob supports the expert in a semi-automatic inference process for any communication protocol. Hence it includes what is needed to passively learn the vocabulary of a protocol and to actively infer its grammar. The learnt protocol can afterwards be simulated.

Netzob handles different types of protocols: text protocols (like HTTP and IRC), fixed-field protocols (like IP and TCP) and variable-field protocols (like ASN.1-based formats).

Netzob provides modules dedicated to capturing data in multiple contexts: network, structured file, process and kernel data acquisition.

In addition, it integrates a stochastic and stateful model to represent any stateful communication protocol. The model definition can be shared and loaded into a dedicated Netzob component, its simulator. It therefore becomes easy to simulate multiple actors (servers and clients) that communicate according to the inferred protocol, for advanced fuzzing or active inference.

How to find potential security flaws in source code?

GRAUDIT
Graudit is a simple script plus signature sets that lets you find potential security flaws in source code using the GNU utility grep. It is comparable to other static analysis applications like RATS, SWAAT and flawfinder, while keeping the technical requirements to a minimum and being very flexible.

Graudit supports scanning code written in several languages: ASP, JSP, Perl, PHP and Python.

USAGE
Graudit supports several options and tries to follow good shell practices. For a list of the options, run graudit -h. The simplest way to use graudit is:
graudit /path/to/scan
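To make the grep-based approach concrete, here is an added Python example (this editor's code, not graudit's; graudit's real signatures live in its own per-language database files) that does the same job: a per-extension set of regular-expression signatures is matched line by line, and each hit is reported with file, line number and rule. The two sample sources are constructed. The last finding is deliberately a comment line, which shows the caveat of this technique: matching is lexical, so every hit still needs a human look.

```python
import re
from pathlib import Path

# Constructed signature set in the spirit of graudit's per-language databases.
SIGNATURES = {
    ".php": [
        ("dangerous-eval", re.compile(r"\b(eval|assert)\s*\(")),
        ("command-exec",   re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(")),
        ("tainted-input",  re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")),
    ],
    ".py": [
        ("dangerous-eval",  re.compile(r"\b(eval|exec)\s*\(")),
        ("shell-true",      re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
        ("unsafe-deserial", re.compile(r"\b(pickle\.loads?|yaml\.load)\s*\(")),
    ],
}


def scan_text(text, suffix, path="<memory>"):
    """grep-style scan: every line is tested against each signature for its language."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SIGNATURES.get(suffix, []):
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "rule": rule, "code": line.strip()})
    return findings


def scan_path(root):
    """Walk a file or directory tree, scanning files whose extension has a signature set."""
    root = Path(root)
    files = [root] if root.is_file() else sorted(p for p in root.rglob("*") if p.is_file())
    findings = []
    for path in files:
        if path.suffix in SIGNATURES:
            findings.extend(scan_text(path.read_text(errors="replace"), path.suffix, str(path)))
    return findings


# Constructed sample sources (not real project code).
SAMPLE_PHP = """<?php
$cmd = $_GET['cmd'];
echo "running";
system($cmd);
"""

SAMPLE_PY = """import subprocess
user = input()
subprocess.run(user, shell=True)
# eval() is deliberately never used in this file
"""


if __name__ == "__main__":
    hits = scan_text(SAMPLE_PHP, ".php", "sample.php") + scan_text(SAMPLE_PY, ".py", "sample.py")
    for f in hits:
        print("%s:%d [%s] %s" % (f["file"], f["line"], f["rule"], f["code"]))
```

scan_path("/path/to/scan") is the equivalent of the graudit invocation above; the findings for the PHP sample (untrusted $_GET flowing into system()) are exactly the pattern a source-to-sink review then confirms or dismisses.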

DEPENDENCIES
Required: bash, grep, sed

DOCUMENTATION
See the readme file and frequently asked questions.

DOWNLOAD
You can download the latest version from the graudit download page.

SOURCE
http://www.justanotherhacker.com/projects/graudit.html

How to do reverse engineering on an AutoIt-scripted keylogger?

Question:
How to do the analysis of a keylogger installed on our system so as to get the user id and password binding with the keylogger? The id is of Gmail and hence Wireshark is not showing anything due to an SSL connection. Also, due to the use of an L3 switch, MITM from BT is not working.
Is there any other way or tool that can help me to get these things?
The keylogger is scripted in AUTOIT.
infosecplatform: Before going to reverse engineering, let others understand: what is AutoIt, and what is an AutoIt keylogger?

AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on all versions of Windows out-of-the-box with no annoying “runtimes” required!

AutoIt was initially designed for PC “roll out” situations to reliably automate and configure thousands of PCs. Over time it has become a powerful language that supports complex expressions, user functions, loops and everything else that veteran scripters would expect.

Features:

— Easy to learn BASIC-like syntax
— Simulate keystrokes and mouse movements
— Manipulate windows and processes
— Interact with all standard windows controls
— Scripts can be compiled into standalone executables
— Create Graphical User Interfaces (GUIs)
— COM support
— Regular expressions
— Directly call external DLL and Windows API functions
— Scriptable RunAs functions
— Detailed helpfile and large community-based support forums
— Compatible with Windows 2000/XP/2003/Vista/2008/Windows 7/2008 R2
— Unicode and x64 support
— Digitally signed for peace of mind
— Works with Windows Vista’s User Account Control (UAC)

AutoIt has been designed to be as small as possible and stand-alone with no external .dll files or registry entries required making it safe to use on Servers. Scripts can be compiled into stand-alone executables with Aut2Exe.

Also supplied is a combined COM and DLL version of AutoIt called AutoItX that allows you to add the unique features of AutoIt to your own favourite scripting or programming languages! AutoIt continues to be FREE

Source URL: http://www.autoitscript.com/site/autoit/
(Book) AutoIt v3: Your Quick Guide: http://shop.oreilly.com/product/9780596515126.do
(Book) Windows Admin Scripting Little Black Book, 2nd Edition: http://shop.oreilly.com/product/9781932111873.do


Let's now understand some malware/worm examples that have already been analysed by the Microsoft Malware Protection Center.
Encyclopedia entry: Worm:Win32/Autorun.AGU
Encyclopedia entry updated: Jan 14, 2013 | Published: Dec 25, 2012
Aliases:
Trojan.MSIL.Agent.akng (Kaspersky)
Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.141.2186.0
Released: Dec 19, 2012

System changes
The following system changes may indicate the presence of this malware:

The presence of the following files:

c:\documents and settings\administrator\local settings\temp\windows.exe
c:\documents and settings\administrator\start menu\programs\startup\55b3825ee39ada2fcddf7c7accbde69e.exe

— The presence of the following registry modifications:
Adds value: “55b3825ee39ada2fcddf7c7accbde69e”
With data: “”c:\documents and settings\administrator\local settings\temp\windows.exe” ..”
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

— Adds value: “C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe”
With data: “c:\documents and settings\administrator\local settings\temp\windows.exe:*:enabled:windows.exe”
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

— Removable drives
Worm:Win32/Autorun.AGU may create the following files on targeted drives when spreading:
<targeted drive>:\55b3825ee39ada2fcddf7c7accbde69e.exe

Source URL: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fAutorun.AGU
Quick overview of Worm:Win32/Autorun.AGU

Here is the naming standard for malware/worms:
Worm:Win32/Autorun.AGU — Type:Platform/FamilyName.Variant!Additional_information

Now we understand two things from this post, and these are:
1) Scripting language: AutoIt and AutoIt keylogger
2) Example of an AutoIt worm (Worm:Win32/Autorun.AGU)
— System changes – Presence of files on Windows platform
— Installation location
— Spreading location/Information
— Payloads and Contact Remote Host


Now we come to your question; let's divide it (due to insufficient input to us):

1) How to analyse the keylogger installed on your system (Wireshark with SSL connections, or any other tool)
2) Can we analyse those packets with Wireshark over SSL connections?
3) L3 switch MITM (man in the middle) in BT is not working

The 1st question is about analysing the keylogger.
From my previous example of the AutoIt malware Worm:Win32/Autorun.AAO (it's different now) we understand system changes, location, presence, spread and payloads, etc.

Now we can focus on packet analysis. Either your worm/keylogger contacts a remote host, so we have to analyse/understand the packets travelling through your machine, or the packets you are installing.. hahahaa…

Let's analyse the installed packet/worm/keylogger. AutoIt keyloggers/malware have their own custom packers; initially we cannot examine them, so we have to try out various unpackers.

Well, there are lots more things on Google to study, so I am not explaining much about the various packers, etc. We move directly to the unpacker known as PEiD.
PEiD: http://www.aldeid.com/wiki/PEiD
Description
PEiD detects most common packers, cryptors and compilers for PE files.
It can currently detect more than 470 different signatures in PE files.
With the help of PEiD we get (suppose) the packer named UPX.
UPX URL: http://upx.sourceforge.net/
Decompress that packer with UPX.
Find the AutoIt script strings within your keylogger's scripting.
Many reverse engineers use an AutoIt decompiler, so grab and drag your AutoIt script into one, for example myAut2Exe, the best-known decompiler.

Hopefully you will get many things after following these steps.

The 2nd question is about Wireshark. With SSL traffic, you wouldn't be able to read any of the data contained in the packets, and you certainly wouldn't see all usernames and passwords transmitted in the clear… Source: Practical Packet Analysis, 2nd Edition, topic: Protocol Dissection, page 74.
Basic username & password capture image example by SANS:

The 3rd question is about MITM configuration; mostly the BT forum can help you a lot more than me.
Thread Name: Sniffing SSL traffic using MITM attack / ettercap, fragrouter, webmitm and dnsspoof.
Thread URL: http://www.backtrack-linux.org/forums/showthread.php?t=6021
Source URL: http://www.backtrack-linux.org/forums/forum.php, or you can paste your actual configuration/steps so that we can help you.

Some different packer reverse engineering URL: http://blogs.technet.com/b/mmpc/archive/2011/06/27/malware-packer-integrates-with-upx.aspx

Hopefully we study/understand a lot with such reverse engineering topics. Keep posting a lot.
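Two pieces of the answer above lend themselves to code: the Type:Platform/FamilyName.Variant!Additional_information naming standard, and the "System changes" that the encyclopedia entry lists (a Run-key value named with 32 hex digits, launching an executable from the user's temp directory). The following is an added Python example written for this page, not Microsoft's or any vendor's code: a parser for the naming format plus a small autorun check using those two traits. The Run-key sample is constructed; its first entry mirrors the post's listing and the second is a made-up benign vendor entry.

```python
import re

# Microsoft detection names follow Type:Platform/Family.Variant!Suffix; the variant
# and the "!suffix" are optional. The regex is this example's own.
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9_]+)/(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9_]+))?(?:!(?P<extra>\S+))?$"
)


def parse_detection_name(name):
    """Split a name like Worm:Win32/Autorun.AGU into type, platform, family, variant, extra."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError("not a Type:Platform/Family[.Variant][!info] name: %r" % name)
    return m.groupdict()


def same_family(name_a, name_b):
    """Variants (AGU, AAO, ...) of one family share platform and family name."""
    a, b = parse_detection_name(name_a), parse_detection_name(name_b)
    return (a["platform"].lower(), a["family"].lower()) == (b["platform"].lower(), b["family"].lower())


# Two traits taken from the encyclopedia entry's "System changes" section.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\")


def suspicious_run_values(values):
    """Flag Run-key (name, data) pairs showing either trait; each hit carries its reasons."""
    hits = []
    for name, data in values:
        reasons = []
        if HEX32.match(name):
            reasons.append("hash-like value name")
        if any(marker in data.lower() for marker in TEMP_MARKERS):
            reasons.append("launches from a temp directory")
        if reasons:
            hits.append({"name": name, "data": data, "reasons": reasons})
    return hits


# Constructed Run-key contents (the first mirrors the post; the second is made up).
SAMPLE_RUN_VALUES = [
    ("55b3825ee39ada2fcddf7c7accbde69e",
     r'"c:\documents and settings\administrator\local settings\temp\windows.exe" ..'),
    ("ExampleUpdater", r'"C:\Program Files\Example Corp\updater.exe" /quiet'),
]


if __name__ == "__main__":
    print(parse_detection_name("Worm:Win32/Autorun.AGU"))
    for hit in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(hit["name"], "->", ", ".join(hit["reasons"]))
```

Note that the Kaspersky alias in the entry (Trojan.MSIL.Agent.akng) uses a different scheme and is rejected by the parser; vendor names are not interchangeable, which is why cross-referencing an entry's aliases matters. The autorun check is a triage heuristic, not a verdict: legitimate installers occasionally stage from temp, so confirm a hit against the file itself.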

How to fit tools into a Vulnerability Assessment & Penetration Test?

When we attend conferences on IT security, we usually ask and learn many things.
Here is one of my questions regarding VA/PT to an expert in IT security; I hope you like it and learn from it too, because sharing is caring (it's time to share now).

Student:

How to fit tools in a VA/PT?

On behalf of learners, I would like to ask one question, so that beginners also can understand the first basics of penetration testing.
In most cases students attending hacking workshops or classes have a basic understanding of a few security tools. Typically students have used a port scanner, Wireshark, Metasploit, etc. Unfortunately most beginners do not understand how these tools fit into the PT, which may be caused by the beginners' incomplete knowledge or lack of knowledge.

So, according to an expert in penetration testing, what is the best way to fit such kinds of tools together, so that it defines a kind of official penetration testing framework?
(Just like the PT cycle I read about: (A) Recon -> Scanning -> Exploitation -> Maintaining Access -> (A))
IT Security Expert:
Not an expert, but from my viewpoint VA/PT is not just about tools. A training should include the following:

  • Why we do VA/PT?
  • VA/PT Process and Framework (Which is not just about tools)

The main problem is that generally these are the theoretical part of the trainings, and most of the students are not interested in the theory. Most of the beginners are interested in the “exploit” or “shell” part of it.

As part of the trainings, the tools should be covered in such a way that the students should know:

  • Why do we need to use a tool?
  • Which tool to use?
  • When to use a particular tool?
  • What information should be gathered or collected?
  • How to use the tool? (Various options and parameters)
  • Advantages and Disadvantages of using tools
  • How to create your own custom tools, etc.

To summarize, a good VA/PT training should balance both the theory and practical hands-on equally, and at the same time give importance to the technical and management sides of VA/PT.

(Thanks Manu Zacharia for such beautiful guidance on IT Security )