My Python Framework v1.0

Python-Framework-v1.0

This framework is nothing but a Python GUI-based 1. Port Scanning and 2. Banner Grabbing tool.

A simple Python script can also change the scenario of your assignment. This tool also does banner grabbing with the help of Python's sock.recv(), the low-level network interface; it may take some time to load the output on-screen because of the addition of that interface in the script. Well, this is a GUI-based Python platform. Please contact me with your questions, comments and feedback at “niraj007m[at]gmail[dot]com”.
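As an added example (not code from the framework above), here is a minimal Python port check plus banner grab built on the same socket.recv() idea, written so it can be run offline: it starts a constructed fake service on a loopback port and reads its greeting. Service names, the banner text and the timeouts are made up for the demonstration; the point is the three outcomes a scanner has to distinguish (banner received, open but silent, connection failed) and the timeout that keeps a silent service from hanging the GUI.

```python
import socket
import threading


def grab_banner(host, port, timeout=2.0, max_bytes=1024):
    """Connect to host:port and return the service's greeting as text.

    Returns "" if the port is open but the service says nothing before the
    timeout (or closes silently), and None if the connection itself fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)  # bound the recv() too, not only the connect
            try:
                data = sock.recv(max_bytes)
            except socket.timeout:
                return ""
            return data.decode("utf-8", errors="replace").strip()
    except OSError:  # refused, unreachable, or the connect timed out
        return None


def scan_ports(host, ports, timeout=2.0):
    """Map each port to its banner ("" = open but silent, None = no connection)."""
    return {port: grab_banner(host, port, timeout) for port in ports}


# --- constructed fixtures so the script can be exercised without a network ---
def start_fake_service(banner, host="127.0.0.1"):
    """Listen on a random loopback port and greet every client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port(host="127.0.0.1"):
    """Pick a loopback port that is currently not listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_fake_service(b"SSH-2.0-ConstructedTestServer\r\n")
    for port, banner in scan_ports("127.0.0.1", [open_port, free_closed_port()]).items():
        state = "closed" if banner is None else "open"
        print(f"{port}/tcp {state} {banner or ''}")
    srv.close()
```

The per-socket timeout is what makes the difference for a GUI tool: without it, a service that accepts the connection but never writes (many do until the client speaks first) blocks recv() indefinitely and the window freezes.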

Required Packages details:

  1. Python 2.7.11+
  2. Tkinter – (pip install Tkinter)

Very soon we will add more and more scripts to this framework, so that we can do complete security testing.
Github Repo: https://github.com/niraj007m/Python-Framework-v1.0

[Screenshots: PFv1_screenshot_1, PFv1_screenshot_2, PFv1_screenshot_3]

How to do reverse engineering on an AutoIt-scripted keylogger?

Question:
How to do the analysis of a keylogger installed on our system so as to get the user id and password binding with the keylogger? The id is of Gmail and hence Wireshark is not showing anything due to an SSL connection. Also, due to the use of an L3 switch, MITM from BT is not working.
Is there any other way or tool that can help me to get these things?
The keylogger is scripted in AutoIt.
infosecplatform: Before going to reverse engineering, let others understand first –
What is AutoIt? And what is an AutoIt keylogger? AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on all versions of Windows out-of-the-box with no annoying “runtimes” required!

AutoIt was initially designed for PC “roll out” situations to reliably automate and configure thousands of PCs. Over time it has become a powerful language that supports complex expressions, user functions, loops and everything else that veteran scripters would expect.

Features:

— Easy to learn BASIC-like syntax
— Simulate keystrokes and mouse movements
— Manipulate windows and processes
— Interact with all standard windows controls
— Scripts can be compiled into standalone executables
— Create Graphical User Interfaces (GUIs)
— COM support
— Regular expressions
— Directly call external DLL and Windows API functions
— Scriptable RunAs functions
— Detailed helpfile and large community-based support forums
— Compatible with Windows 2000/XP/2003/Vista/2008/Windows 7/2008 R2
— Unicode and x64 support
— Digitally signed for peace of mind
— Works with Windows Vista’s User Account Control (UAC)

AutoIt has been designed to be as small as possible and stand-alone with no external .dll files or registry entries required making it safe to use on Servers. Scripts can be compiled into stand-alone executables with Aut2Exe.

Also supplied is a combined COM and DLL version of AutoIt called AutoItX that allows you to add the unique features of AutoIt to your own favourite scripting or programming languages! AutoIt continues to be FREE

Source URL: http://www.autoitscript.com/site/autoit/
(Book) AutoIt v3: Your Quick Guide: http://shop.oreilly.com/product/9780596515126.do
(Book) Windows Admin Scripting Little Black Book, 2nd Edition: http://shop.oreilly.com/product/9781932111873.do


Let's now look at some malware/worm examples that have already been analysed by the Microsoft Malware Protection Center.
Encyclopedia entry: Worm:Win32/Autorun.AGU
Encyclopedia entry Updated: Jan 14, 2013 | Published: Dec 25, 2012
Aliases
Trojan.MSIL.Agent.akng (Kaspersky)
Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.141.2186.0
Released: Dec 19, 2012

System changes
The following system changes may indicate the presence of this malware:

The presence of the following files:

c:\documents and settings\administrator\local settings\temp\windows.exe
c:\documents and settings\administrator\start menu\programs\startup\55b3825ee39ada2fcddf7c7accbde69e.exe

— The presence of the following registry modifications:
Adds value: “55b3825ee39ada2fcddf7c7accbde69e”
With data: “”c:\documents and settings\administrator\local settings\temp\windows.exe” ..”
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

— Adds value: “C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe”
With data: “c:\documents and settings\administrator\local settings\temp\windows.exe:*:enabled:windows.exe”
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

— Removable drives
Worm:Win32/Autorun.AGU may create the following files on targeted drives when spreading:
<targeted drive>:\55b3825ee39ada2fcddf7c7accbde69e.exe

Source URL: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fAutorun.AGU
Quick overview of Worm:Win32/Autorun.AGU

Here is the naming standard for malware/worms:
Worm:Win32/Autorun.AGU — Type:Platform/FamilyName.Variant!Additional_information

Now we understand two things from this post, and that is
1) Scripting language – AutoIt and AutoIt keylogger
2) Example of an AutoIt worm (Worm:Win32/Autorun.AGU)
— System changes – Presence of files on Windows platform
— Installation location
— Spreading location/Information
— Payloads and Contact Remote Host


Now we come to your question; let's divide it (due to insufficient input to us):

1) How to analyse the keylogger installed on your system (Wireshark – SSL connections, or any other tool)
2) Can we analyse those packets with Wireshark over SSL connections?
3) L3 switch MITM (man in the middle) in BT is not working

1st question is about analysing the keylogger –
From my previous example of the AutoIt malware Worm:Win32/Autorun.AAO (it's a different one now), we understand system changes, location, presence, spread and payloads etc. etc.

Now we can focus on packet analysis. Either your worm/keylogger contacts a remote host, so we have to analyse/understand the packets travelling through your machine, or those packets you are installing.. hahahaa…

Let's analyse the installed packet/worm/keylogger – AutoIt keyloggers/malware have their own custom packers. Initially we cannot examine the packed file, so we have to try out various unpackers.

Well, there are lots more things on Google to study, so I am not explaining much about the various packers etc. We move directly to the unpacker known as PEiD.
PEiD: http://www.aldeid.com/wiki/PEiD
Description
PEiD detects most common packers, cryptors and compilers for PE files.
It can currently detect more than 470 different signatures in PE files.
With the help of PEiD we got (suppose) the packer named UPX.
UPX URL: http://upx.sourceforge.net/
Decompress that packer with upx.
Find out the AutoIt script string within your keylogger scripting.
Many reverse engineers use an AutoIt decompiler, so grab and drag your AutoIt script into an AutoIt decompiler, for example myAut2Exe – the most known decompiler.

Hopefully you will get many things after following these steps.

2nd question is about Wireshark —
“SSL traffic, you wouldn't be able to read any of the data contained in the packets, and you certainly wouldn't see all usernames and passwords transmitted in the clear…”
Source contents from the book: Practical Packet Analysis, 2nd Edition
Topic: Protocol Dissection, Page: 74
Basic username & password captured image example URL by SANS:


3rd question is about MITM configuration — mostly the BT forum can help you a lot more than me.
Thread Name: Sniffing SSL traffic using MITM attack / ettercap, fragrouter, webmitm and dnsspoof.
Thread URL: http://www.backtrack-linux.org/forums/showthread.php?t=6021
Source URL: http://www.backtrack-linux.org/forums/forum.php, or you can paste your actual configurations/steps so that we can help you.

A different packer reverse engineering URL: http://blogs.technet.com/b/mmpc/archive/2011/06/27/malware-packer-integrates-with-upx.aspx

Hopefully we study/understand a lot with such reverse engineering topics – keep posting a lot..
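As an added defender-side example (not part of the forum answer above), here is a small Python script that reads a Windows Registry Editor export (.reg text) and flags the kind of autostart and firewall-exception entries listed in the Worm:Win32/Autorun.AGU encyclopedia entry: Run-key values launching an executable from a temp or startup folder, hash-like value names, and AuthorizedApplications exceptions for such executables. The export text is constructed for the example; its suspicious paths mirror the ones quoted above, while the other values are invented.

```python
import re

# Constructed sample of a Windows Registry Editor export (.reg format). The temp
# paths mirror the Worm:Win32/Autorun.AGU entry quoted above; the rest is made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"55b3825ee39ada2fcddf7c7accbde69e"="\"c:\\documents and settings\\administrator\\local settings\\temp\\windows.exe\" .."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\windows.exe"="c:\\documents and settings\\administrator\\local settings\\temp\\windows.exe:*:enabled:windows.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"LastExport"="c:\\temp\\export.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="data" lines; both sides may contain \" and \\ escapes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # .reg exports escape backslashes and double quotes with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return (key, value_name, data) triples for every string value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


SUSPICIOUS_DIRS = ("\\temp\\", "\\startup\\")   # locations named in the encyclopedia entry
HASHLIKE_NAME = re.compile(r'^[0-9a-f]{32}$')   # 32 hex chars, like the value name quoted above


def is_autostart_key(key):
    k = key.lower()
    return k.endswith("\\currentversion\\run") or k.endswith("\\authorizedapplications\\list")


def find_suspicious_autostarts(entries):
    """Flag Run-key and firewall-exception entries with the traits described above."""
    findings = []
    for key, name, data in entries:
        if not is_autostart_key(key):
            continue
        reasons = []
        if any(d in data.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("executable launched from a temp or startup folder")
        if HASHLIKE_NAME.match(name.lower()):
            reasons.append("hash-like value name")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autostarts(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f["key"], "|", f["name"], "|", "; ".join(f["reasons"]))
```

On a real machine the export would come from `reg export` of the two keys quoted in the entry; the script deliberately ignores values under keys that are not autostart locations, so a temp path elsewhere (the ExampleVendor line) is not reported.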

Introduction To Malware Analysis

In this session, Lenny Zeltser will introduce you to the process of reverse-engineering malicious software. He will outline behavioral and code analysis phases, to make this topic accessible even to individuals with a limited exposure to programming concepts. You’ll learn the fundamentals and associated tools to get started with malware analysis.

Keep updating the list, so that newbies can learn from it! Let me know of new URLs and we will update them here. Thank you guys.

Source link 1: http://www.securitytube.net/video/882
Source link 2: http://www.securitytube.net/video/5154

Dexter – Android apps analysis !!

“Dexter” reminds us a lot of the Cartoon Network channel in the 20th century. Now it is the Android phone's turn to bring back a lot of memories for the next generation.

Here is another Dexter, introduced by Bluebox. Let's share the knowledge and links about it.

Bluebox Labs is proud to present Dexter, a free Android application analysis framework with a rich web-based user interface. The tool extracts information from either legitimate or malicious Android application packages (APKs) and produces various views of the package & application contents.

Source URL:
http://bluebox.com/technical/blueboxs-dexter-free-android-analysis-tool/
Homepage URL:
https://dexter.bluebox.com/

Source link of a mobile threat report analysis:
http://www.juniper.net/us/en/local/pdf/additional-resources/jnpr-2011-mobile-threats-report.pdf

Happy Learning !!


Small but effective script on Domain Scanning by (Fierce)ha.ckers.org !

Hi Auditors,

After a long break with new people and new terms, here is my next share: a small but effective script known as Fierce Domain Scan.
Yes, it's Fierce Domain Scan!

Well, the whole story is written by the author on their website, so I am directly pasting some commands that help a web security auditor find out many things about the target.

  • perl fierce.pl -dns target-domain.com -search string1,string2
  • perl fierce.pl -range 10.10.10.0-255 -dnsserver ns1.example.com
  • perl fierce.pl -dns example.com -wide -file output.txt
  • perl fierce.pl -dns example.com -connect headers.txt -fulloutput -file output.txt
  • perl fierce.pl -dns example.com -wordlist dictionary.txt -file output.txt
  • perl fierce.pl -help

Thanks to RSnake and team for their wonderful efforts on such Perl scripts.
We can easily understand the script and read its functions; the Fierce script is written in Perl.

Here are the two files of Fierce Domain Scan: fierce.pl & hosts.txt

Do you want me to describe it? Naaa.. it's awesome while working on the script!

Happy Scripting !!

Short-basket note on Information Security !!

When I was reading the book on Linux Security (Craig Hunt Linux Library, by Ramón J. Hontañón), I came across a very beautiful description of information security:

“Security is not a product. It is not software, and it is also not simply an excuse for a consulting engagement. It is a discipline that needs to be taken into consideration in any decision that you make as a network and system administrator. Security does not start or stop. You cannot install security, and you can't even buy security. Security is training, documentation, design decisions, and appropriate implementations. And the most important aspect of security is monitoring and honing your security policies as needed.”

Well, many organizations follow the security auditing (VAPT) task, but they don't follow security policies. They even miss organizing security training for their employees. They create disgruntled employees, maybe due to senior authority ego, attitude etc., and that is the loophole through which that company's data leaks. (See my earlier article.)

WH-Type Questions on Vulnerability Assessment and Penetration Testing ! (0)

Many times we forget to take the output from automated tools or manual testing; we generally work on raw data, data which we have to arrange in a way that the client can understand the risk rating of the respective target. It is the tester's skill to present highly confidential data in front of the client.

Module 0: Wh-type questions on VAPT


Before going to VAPT, we must know some criteria behind information security. Everyone has a different point of view when exploring their knowledge on any information security topic. Here are some summary questions; by searching for the answers to these, you can surely create your own documentation!! wow..

General Questions on Information Security:-

What is information/data Security ?
What is Confidentiality ?
What is Integrity ?
What is Availability ?
What is Ethical Hacking ?
What are the classification of hackers ?

Future Questions:-

What is the history of hacking ?
Why do you want to know the history of hacking? Then go ahead and discover the future of hacking 😉

Motivation behind hacking:-

What is your purpose of hacking ? for money, profit, political view, competitive strategy, attitude,
personal grievance, curiosity, mischief, attract attention, credit ?

Optional Question on hacking:-

what is your point of view about hacking ?

A). Easy B). Hard C). neither easy nor hard D). Depends E). Not Applicable

Actual Terms in Ethical hacking:-

What is Vulnerability ?
What are Threats ?
What is Risk Management ?
What is IT Security Audit ?
What is LAW for ethical hacking in your country/state ?
What are the types of security test ?
What is Vulnerability Assessment ?
What is Penetration Testing ?
What is White Box and Black Box Testing ?
What is “Red Teams” ?

Actual Methodology of Testing:-

What is Testing Methodology ?

To be continued…

Is your browser teaching Ethical Hacking ?

You might be wondering about this topic. Many of us use various toolkits for various purposes in (un)professional ethical hacking. We use a (man-in-the-middle) proxy interceptor, scanner, intruder, decoder and many more things while performing web auditing.

The very first step of ethical hacking is reconnaissance. Sometimes we use third-party toolkits to do information gathering; the process of each professional security enthusiast is different, depending on their perspective. No one can judge their professional security method as right or wrong. This article introduces a browser that helps testers, developers, security professionals etc.

The OWASP Mantra Security Framework is the browser that I would like to introduce.

Here is the Source Information of OWASP Mantra Portal 1/2/3 :

OWASP Mantra is such an innovative product, a security framework built on top of a browser. It's cross-platform, portable and can run out of the box. You can take it with you wherever you go in absolutely any rewritable media including memory cards, flash drives and portable hard disks. Moreover, Mantra can be used for both offensive security and defensive security related tasks which makes it incredible.


Mantra is a free and open source security toolkit with a collection of hacking tools, add-ons and scripts based on Firefox and Chromium. It is intended for web application penetration testers, web application developers, security professionals, etc.

OWASP Mantra is a powerful set of tools to make the attacker’s task easier. The beta version of Mantra Security Toolkit has various tools built onto it. Moreover Mantra follows the guidelines and structure of FireCAT which makes it even more accessible. The OWASP Mantra Security Toolkit has tools under the following categories. The complete list of tools is available on the official website. (List of Tools)

  • Information gathering
  • Editors
  • Network utilities
  • Miscellaneous
  • Application auditing
  • Proxy

The Mantra browser teaches a lot with the help of its Gallery and Hackery collections 🙂

1. Gallery – Online Penetration Testing Tools Index

2. Hackery – Open Penetration Testing Bookmarks Collection

Mantra was officially integrated with BackTrack 5 Linux in May 2011, and with Matriux Krypton.

Here is the intro video of OWASP Mantra:

And Many More Videos

Well, this article is all about the Mantra browser only. All you have to do is experience it!!

I hope I introduced this browser well; it's really helpful for security professionals, which is why the title of the article is “Is your Browser Teaching Ethical Hacking?”

Happy Learning and Happy Hacking with Mantra ^_^

Can we use browser for Web Automation ? (Google is my Real-Best Friend !)

Hi Enthusiast-er,

(I am really sorry for long wait… 😦 )

Many times we search for so many things/information with the help of the Google search engine. Frankly speaking, I check my internet connection by typing google.com in the URL bar. But can you imagine how Google is helping us? Why do we mumble every time that “Google is my best friend”? Can you analyze how Google is talking with our machines with the help of Wireshark?

Here is some snapshot of my wireshark :-


Well, the Wireshark image above is all about my topic today: nothing but talking with Google without any browser. A great resource for Google hacking is Google Hacking for Penetration Testers, Volume 2.

Is there any relation between penetration testers and Google? Ohh.. simply YES!!

Google is just an awesome tool for penetration testers. You just need to understand it properly, and you are gathering lots of information for your respective project 😉! All you have to do every time is “just ask” Google. That's it!

Now there are two options about to ask question to Google and that is,

  • with browser and
  • without browser

We all know about the "with browser" option, so we move to the main point of the article: let's find interesting stuff without a browser.

Here we use a Perl script to get a listing of files from Google. In this article we will be using Perl with modules such as LWP::UserAgent or WWW::Mechanize.

Before going directly to the exact scripting, we can understand Perl and Perl script behaviour through the links below:
Perl Download link :- Click Here !
General Information :- Click Here !
Perl Module Information :- Click Here !
Best URL of all time :- http://www.google.com ! Google is our best friend now ! 😛

Below is the Perl script used to get a listing of files from Google with the help of the LWP::UserAgent module, which handles the web request.

—————Perl Script with LWP::UserAgent————-
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use HTML::Parse;    # old libwww module: parse_html() returns an HTML::Element tree

# Site to search and the file type to look for, taken from the command line
my $site     = $ARGV[0];
my $filetype = $ARGV[1];
my $searchurl = "http://www.google.com/search?hl=en&q=site%3A$site+filetype%3A$filetype";

# Create the user agent and give it a browser-like identifier
my $useragent = LWP::UserAgent->new;
$useragent->agent('Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)');

# Build and send the GET request, keep the response body
my $request = HTTP::Request->new('GET');
$request->url($searchurl);
my $response = $useragent->request($request);
my $body     = $response->content;

# Parse the HTML and print every <a href> link that looks like a result link (contains "url")
my $parsed = HTML::Parse::parse_html($body);
for (@{ $parsed->extract_links(qw(a)) }) {
    my ($link) = @$_;
    if ($link =~ m/url/) {
        print $link . "\n";
    }
}

Now let's understand the objects in the Perl script above.

For defining the interpreter we use a shebang every time, in any scripting language.

LWP (short for “Library for WWW in Perl”) is a popular group of Perl modules for accessing data on the Web.
LWP::UserAgent is a class implementing a web user agent. LWP::UserAgent objects can be used to dispatch web requests. Click Here for the full LWP::UserAgent description.

The name of the site goes into $site and the type of file goes into $filetype.

The string in $searchurl is a simple Google search, with the values in $site and $filetype plugged in at the appropriate places.

Then comes the user-agent part of the script, which tells Google the browser agent identifier.

HTTP::Request is a class encapsulating HTTP-style requests, consisting of a request line, some headers, and a content body. Understand the basic idea of how the request is handled with the $request and $response objects.

Next we use the HTML::Parse module to parse the content of $body out into something we

Then we put together a for loop to go through the parsed tree, looking only at the links and, of those links, only the links of the href variety, discarding images and other links in which we are not interested.

See below, my screenshot of command line Perl script output :-


( I hope you can understand the white patches on the images 😛 )

Save the above script as google.pl and run it as “./google.pl website(url) filetype”, for example “./google.pl wordpress.com pdf”, and you will get a result like the one in the image above.

Before going to the next Perl module, we can use a bit of the command-line module LWP::Simple. Here is a single command line: perl -MLWP::Simple -e "getprint 'http://www.website.com'"

Now there is another beauty in Perl known as the WWW::Mechanize module; we can do nearly anything from this module that we can do from a web browser with a person operating it.

WWW::Mechanize, or Mech for short, is a Perl module for stateful programmatic web browsing, used for automating interaction with websites.

Features include:

  • All HTTP methods
  • High-level hyperlink and HTML form support, without having to parse HTML yourself
  • SSL support
  • Automatic cookies
  • Custom HTTP headers
  • Automatic handling of redirection
  • Proxies
  • HTTP authentication

Mech supports performing a sequence of page fetches including following links and submitting forms. Each fetched page is parsed and its links and forms are extracted. A link or a form can be selected, form fields can be filled and the next page can be fetched. Mech also stores a history of the URLs you’ve visited, which can be queried and revisited.

—————Perl Script with WWW::Mechanize————-

#!/usr/bin/perl
use strict;
use warnings;

# Handy web browsing in a Perl object
use WWW::Mechanize;

# Name of the site, filetype, searchurl (from the command line)
my $site     = $ARGV[0];
my $filetype = $ARGV[1];
my $searchurl = "http://www.google.com/search?hl=en&q=site%3A$site+filetype%3A$filetype";

# create mech as Handler
my $mech = WWW::Mechanize->new();

# Sets user agent string to the expanded version from a table of actual user strings
$mech->agent_alias('Windows Mozilla');

# Page Fetching Method
$mech->get($searchurl);

# Keep only the links whose URL ends in the requested file type, then download each one
my @links = $mech->find_all_links(url_regex => qr/\d+.+\.$filetype$/);
for my $link (@links) {
    my $url      = $link->url_abs;
    my $filename = $url;
    $filename =~ s[.*/][];        # strip everything up to the last slash
    print "downloading $url\n";
    $mech->get($url, ':content_file' => $filename);
}

Well, we already put comments in the Perl script above. For more detail, those who want to learn can read Coding for Penetration Testers: Building Better Tools.
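To show what the two Perl scripts are actually doing with the result page, here is an added Python version (not from the article or from either Perl module) that runs offline: it parses a constructed search-results page, unwraps the `/url?q=` redirect form that the first script's `m/url/` filter is matching on, keeps only links ending in the requested file type (as the second script's `url_regex` does), de-duplicates them, and derives the local filename the way `s[.*/][]` does. The HTML, hostnames and file names are invented for the example; the downloads themselves are left out so nothing touches the network.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs

# Constructed stand-in for a search-engine results page (not real Google output).
SAMPLE_RESULTS_HTML = """
<html><body>
<a href="/url?q=https://files.example.com/reports/annual-2012.pdf&amp;sa=U">Annual report</a>
<a href="/url?q=https://files.example.com/docs/policy.PDF&amp;sa=U">Policy</a>
<a href="https://files.example.com/img/logo.png"><img src="/logo.png"></a>
<a href="/search?q=site:example.com+filetype:pdf&amp;start=10">Next</a>
<a href="https://files.example.com/reports/annual-2012.pdf">Duplicate direct link</a>
</body></html>
"""


class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(urljoin(self.base_url, value))


def unwrap_redirect(url):
    """Result pages often wrap targets as /url?q=<target>; return the target, else the url unchanged."""
    parsed = urlparse(url)
    if parsed.path == "/url":
        q = parse_qs(parsed.query).get("q")
        if q:
            return q[0]
    return url


def extract_file_links(html, base_url, filetype):
    """Unique result URLs whose path ends in .<filetype>, in page order."""
    collector = HrefCollector(base_url)
    collector.feed(html)
    wanted, seen = [], set()
    for href in collector.hrefs:
        target = unwrap_redirect(href)
        path = urlparse(target).path
        if path.lower().endswith("." + filetype.lower()) and target not in seen:
            seen.add(target)
            wanted.append(target)
    return wanted


def filename_from_url(url):
    # Same idea as the Perl s[.*/][]: keep only what follows the last slash
    return posixpath.basename(urlparse(url).path)


if __name__ == "__main__":
    for url in extract_file_links(SAMPLE_RESULTS_HTML, "https://www.google.com/search?q=x", "pdf"):
        print(f"{filename_from_url(url)}  <-  {url}")
```

Two details worth noticing: the file-type comparison is case-insensitive (a `.PDF` link would slip past the Perl `qr/\.$filetype$/`), and the "Next" pagination link is dropped because it is checked by path, not by whether the query string mentions the file type.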

Here is the video that will give you an idea about Wireshark with a browser query.

Note: the Google search used in the above script is not the approved way to talk to Google with automation. If you are not careful and abuse this type of connection, Google will get confused and ban your IP address. Google has helpfully documented the proper way for us, and we should really be using that. This is a bit out of scope for what we are doing here, but the documentation will get us there for constructing our queries in the approved manner.

Defensive Security – Vulnerable Web Apps Auditing

Hello Security Readers,

Find some videos about SQL injection attacks here:

1. Joe McCray – Advanced SQL Injection – LayerOne 2009

Joe McCray describes the advanced SQL injection method very nicely; those who want the ppt/pdf file, see the bottom of this post.

2. SQL Injection Imperva

3. Testing SQL injection with SQLmap

4. php Tutorial – Sql Injection

5. Sqlninja & Metasploit Demo

Some URL links for understanding SQL injection:

http://www.exploit-db.com/papers/13650
http://www.cgisecurity.com/lib/advanced_sql_injection.pdf
http://www.net-security.org/dl/articles/Blind_SQLInjection.pdf
http://www.insecure.in/papers/ErrSQL_Inj.pdf
http://www.exploit-db.com/papers/13045

Most beautiful PDF file on advanced SQL injection by Joe McCray:

defcon-17-joseph_mccray-adv_sql_injection