MITRE ATT&CK TTPs - SIMULATION

ATOMIC RED TREAM >> AUTOMATE SIMULATION Simulate mimicking MITRE ATT&CKS using ART and Custom developed scripts This will reveal the maturity of SOC/SIEM detection capability when its come to a real adversarial attacks. Here we are ging to add 400+ test cases -One by One Work in progress ! Post soon !!!!!

V3n0M - Web Vulnerability Scan Tool

Vulnerability Scanner for SQLi/XSS/LFI/RFI  

V3n0M is a free and open source scanner. Evolved from baltazar's scanner, it has adapted several new features that improve fuctionality and usability. It is mostly experimental software.

This program is for finding and executing various vulnerabilities. 

https://github.com/v3n0m-Scanner/V3n0M-Scanner

Install note

Clone the repository:

$ git clone https://github.com/v3n0m-Scanner/V3n0M-Scanner.git

Then go inside:

$ cd V3n0M-Scanner/

Then install it:

$ python3 setup.py install --user

Note for Ubuntu : Please make sure you have installed --> 

sudo apt-get install python3-bs4 and apt-get install python3-setuptools
                   


For Kali : Please make sure  installed --> 

apt-get install python3-dev apt-get install python-dev

Memory Forensics - Lime | Volatility

LiME  is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices,  allows full memory captures .

Download from Github : https://github.com/504ensicsLabs/LiME

 #  git clone https://github.com/504ensicsLabs/LiME.git

Looks like below :-

Go to the directory Src / then type the command   Make

Once the donce the make command kernel object file will create with the extension.ko

  

:::  lime-4.11.0-kali-amd64.ko

Use below command to extract the memory dump file.

#    Sudo insmod ./keranlobjectname.ko ‘’path = /root/Desktop/dump_filename.mem format=raw”

Open another terminal and check the size –     ls –lha   

Use Volatility to do the analysis .

Volatility Framework - Volatile memory extraction utility framework
============================================================================

The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples.

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Concepts | Encryption Methods | Digital Certificates

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) concepts

The SSL and TLS protocols enable two parties to identify and authenticate each other and communicate with confidentiality and data integrity. 

The SSL and TLS protocols provide communications security over the internet, and allow client/server applications to communicate in a way that is confidential and reliable. The protocols have two layers: a Record Protocol and a Handshake Protocol, and these are layered above a transport protocol such as TCP/IP. They both use asymmetric and symmetric cryptography techniques.

An SSL or TLS connection is initiated by an application, which becomes the SSL or TLS client. The application which receives the connection becomes the SSL or TLS server. Every new session begins with a handshake, as defined by the SSL or TLS protocols.

overview of the SSL or TLS handshake

Symmetric vs. Asymmetric Encryption

The simplest kind of encryption that involves only one secret key to cipher and decipher information. Symmetrical encryption is an old and best-known technique. It uses a secret key that can either be a number, a word or a string of random letters. It is a blended with the plain text of a message to change the content in a particular way. The sender and the recipient should know the secret key that is used to encrypt and decrypt all the messages. Blowfish, AES, RC4, DES, RC5, and RC6 are examples of symmetric encryption. The most widely used symmetric algorithm is AES-128, AES-192, and AES-256.

The main disadvantage of the symmetric key encryption is that all parties involved have to exchange the key used to encrypt the data before they can decrypt it.

Asymmetrical Encryption

Asymmetrical encryption is also known as public key cryptography, which is a relatively new method, compared to symmetric encryption. Asymmetric encryption uses two keys to encrypt a plain text. Secret keys are exchanged over the Internet or a large network. It ensures that malicious persons do not misuse the keys. It is important to note that anyone with a secret key can decrypt the message and this is why asymmetrical encryption uses two related keys to boosting security. A public key is made freely available to anyone who might want to send you a message. The second private key is kept a secret so that you can only know.

A message that is encrypted using a public key can only be decrypted using a private key, while also, a message encrypted using a private key can be decrypted using a public key. Security of the public key is not required because it is publicly available and can be passed over the internet. Asymmetric key has a far better power in ensuring the security of information transmitted during communication.

Asymmetric encryption is mostly used in day-to-day communication channels, especially over the Internet. Popular asymmetric key encryption algorithm includes EIGamal, RSA, DSA, Elliptic curve techniques, PKCS.

Asymmetric Encryption in Digital Certificates

To use asymmetric encryption, there must be a way of discovering public keys. One typical technique is using digital certificates in a client-server model of communication. A certificate is a package of information that identifies a user and a server. It contains information such as an organization’s name, the organization that issued the certificate, the users’ email address and country, and users public key.

When a server and a client require a secure encrypted communication, they send a query over the network to the other party, which sends back a copy of the certificate. The other party’s public key can be extracted from the certificate. A certificate can also be used to uniquely identify the holder.

SSL/TLS uses both asymmetric and symmetric encryption, quickly look at digitally signed certificates issued by trusted certificate authorities (CAs).

Digital certificates

Digital certificates protect against impersonation, certifying that a public key belongs to a specified entity. They are issued by a Certificate Authority.

Digital certificates provide protection against impersonation, because a digital certificate binds a public key to its owner, whether that owner is an individual, a queue manager, or some other entity. Digital certificates are also known as public key certificates, because they give you assurances about the ownership of a public key when you use an asymmetric key scheme. A digital certificate contains the public key for an entity and is a statement that the public key belongs to that entity:

• When the certificate is for an individual entity, the certificate is called a personal certificate or user certificate.
• When the certificate is for a Certificate Authority, the certificate is called a CA certificate or signer certificate.

SOC Setup Free of Cost

• Analyze and Search

• Collect and Process

• Drill-Down and Visualize

• Alert and Trigger

  
  
  

   

   

   

  Detailed Documentation and Video will be Posted Soon

XssPy - Cross Site Scripting Scanner

XssPy - Web Application XSS Scanner

XssPy is a python tool for finding Cross Site Scripting vulnerabilities in websites. This tool is the first of its kind. Instead of just checking one page as most of the tools do, this tool traverses the website and find all the links and subdomains first. After that, it starts scanning each and every input on each and every page that it found while its traversal. It uses small yet effective payloads to search for XSS vulnerabilities.

The tool has been tested parallel with paid Vulnerability Scanners and most of the scanners failed to detect the vulnerabilities that the tool was able to find. Moreover, most paid tools scan only one site whereas XSSPY first finds a lot of subdomains and then scan all the links altogether. 

The tool comes with:

1. Short Scanning
2. Comprehensive Scanning
3. Finding subdomains
4. Checking every input on every page   

 ~ How to Use:           

Installation:

Type the following in the terminal.

git clone https://github.com/faizann24/XssPy/ /opt/xsspy

The tool works on Python 2.7 and you should have mechanize installed. If mechanize is not installed, type "pip install mechanize" in the terminal.

https://github.com/faizann24/XssPy

Arachni - Web Application Security Scanner Framework

Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.

Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly.

Moreover, due to its integrated browser environment, it can also audit and inspect client-side code, as well as support highly complicated web applications which make heavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX.

Finally, it is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

Note: Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc. with the addition of custom components.

A stable, efficient, high-performance framework

Check, report and plugin developers are allowed to easily and quickly create and deploy their components with the minimum amount of restrictions imposed upon them, while provided with the necessary infrastructure to accomplish their goals.

Furthermore, they are encouraged to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks.

Moreover, that same framework can be utilized as any other Ruby library and lead to the development of brand new scanners or help you create highly customized scan/audit scenarios and/or scripted scans.

Simplicity 

Although some parts of the Framework are fairly complex you will never have to deal them directly. From a user’s or a component developer’s point of view everything appears simple and straight-forward all the while providing power, performance and flexibility.

From the simple command-line utility scanner to the intuitive and user-friendly Web interface and collaboration platform, Arachni follows the principle of least surprise and provides you with plenty of feedback and guidance.

In simple terms

Arachni is designed to automatically detect security issues in web applications. All it expects is the URL of the target website and after a while it will present you with its findings.

Features

General

• Cookie-jar/cookie-string support.
• Custom header support.
• SSL support with fine-grained options.
• User Agent spoofing.
• Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
• Proxy authentication.
• Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
• Automatic log-out detection and re-login during the scan (when the initial login was performed via the autologin, login_script or proxy plugins).
• Custom 404 page detection.
• UI abstraction:
  • Command-line Interface.
  • Web User Interface.
• Pause/resume functionality.
• Hibernation support -- Suspend to and restore from disk.
• High performance asynchronous HTTP requests.
  • With adjustable concurrency.
  • With the ability to auto-detect server health and adjust its concurrency automatically.
• Support for custom default input values, using pairs of patterns (to be matched against input names) and values to be used to fill in matching inputs.

Integrated browser environment

Arachni includes an integrated, real browser environment in order to provide sufficient coverage to modern web applications which make use of technologies such as HTML5, JavaScript, DOM manipulation, AJAX, etc.

In addition to the monitoring of the vanilla DOM and JavaScript environments, Arachni's browsers also hook into popular frameworks to make the logged data easier to digest:

• JQuery
• AngularJS

In essence, this turns Arachni into a DOM and JavaScript debugger, allowing it to monitor DOM events and JavaScript data and execution flows. As a result, not only can the system trigger and identify DOM-based issues, but it will accompany them with a great deal of information regarding the state of the page at the time.

Full Detail 

||||||https://github.com/Arachni/arachni

KALI LINUX: Download and Extract Arachni

extract :-----      tar -xvzf arachni-1.5.1-0.5.12-linux-x86_64.tar.gz

:~terminal :   ./arachni_web

:~terminal :  ./arachni_rpcd

This start's arachni web scanner & can access at: localhost:9292

User Name: admin@admin.admin
Password: administrator

ZAP (OWASP : ZAP)

OWASP : ZAP

 Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools . It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.

These are the key functionalities of ZAP:

• Intercepting Proxy

• Automatic Scanner

• Traditional but powerful spiders

• Fuzzer

• Web Socket Support

• Plug-n-hack support

• Authentication support

• REST based API

• Dynamic SSL certificates

• Smartcard and Client Digital Certificates support

You can either use this tool as a scanner by inputting the URL to perform scanning, or you can use this tool as an intercepting proxy to manually perform tests on specific pages.

|||||Download ZAP :  https://github.com/zaproxy/zaproxy

WAPITI - Web Application Security Auditor

WAPITI - VERSION 2.3.0 Wapiti is a web application security auditor.
           


Requirements
============
In order to work correctly, Wapiti needs :
+ Python 2.x where x is >= 6 (2.6, 2.7...)
+ python-requests v1.2.3 or more ( http://docs.python-requests.org/en/latest/ )
+ BeautifulSoup ( http://www.crummy.com/software/BeautifulSoup/ )
+ python-xml


How it works
============

Wapiti works as a "black-box" vulnerability scanner,  that means it won't
study the source code of web applications but will work like a  fuzzer,
scanning the pages of the deployed web application, extracting links and
forms  and attacking  the scripts, sending payloads and looking for error
messages, special strings or abnormal behaviors.


General features
================

+ Generates vulnerability reports in various formats (HTML, XML, JSON, TXT...)
+ Can suspend and resume a scan or an attack
+ Can give you colors in the terminal to highlight vulnerabilities
+ Different levels of verbosity
+ Fast and easy way to activate/deactivate attack modules
+ Adding a payload can be as easy as adding a line to a text file


Browsing features
=================

+ Support HTTP and HTTPS proxies
+ Authentication via several methods : Basic, Digest, Kerberos or NTLM
+ Ability to restrain the scope of the scan (domain, folder, webpage)
+ Automatic removal of a parameter in URLs
+ Safeguards against scan endless-loops (max number of values for a parameter)
+ Possibility to set the first URLs to explore (even if not in scope)
+ Can exclude some URLs of the scan and attacks (eg: logout URL)
+ Import of cookies (get them with the wapiti-cookie and wapiti-getcookie tools)
+ Can activate / deactivate SSL certificates verification
+ Extract URLs from Flash SWF files
+ Try to extract URLs from javascript (very basic JS interpreter)
+ HTML5 aware (understand recent HTML tags)


Supported attacks
=================

+ Database Injection (PHP/ASP/JSP SQL Injections and XPath Injections)
+ Cross Site Scripting (XSS) reflected and permanent
+ File disclosure detection (local and remote include, require, fopen,
  readfile...)
+ Command Execution detection (eval(), system(), passtru()...)
+ XXE (Xml eXternal Entity) injection
+ CRLF Injection
+ Search for potentially dangerous files on the server (thanks to the Nikto db)
+ Bypass of weak htaccess configurations
+ Search for copies (backup) of scripts on the server

Wapiti supports both GET and POST HTTP methods for attacks.
It also supports multipart and can inject payloads in filenames (upload).
Display a warning when an anomaly is found (for example 500 errors and timeouts)
Makes the difference  beetween permanent  and reflected  XSS vulnerabilities.


How to get the best results
===========================

To find more vulnerabilities (as some attacks are error-based), you can modify
your webserver configurations.

For example, you can set the following values in your PHP configuration :
safe_mode = Off
display_errors = On (recommended)
magic_quotes_gpc = Off
allow_url_fopen = On
mysql.trace_mode = On


Where to get help
=================

In the prompt, just type the following command to get the basic usage :
python wapiti.py -h
You can also take a look at the manpage.

If you find a bug, fill a ticket on the bugtracker :
https://sourceforge.net/p/wapiti/bugs/

What is included with Wapiti
============================

Wapiti comes with :
+ a modified version of PyNarcissus (MPL 1.1 License),
  see https://code.google.com/p/pynarcissus/
+ Kube CSS framework ( see http://imperavi.com/kube/ ) and jQuery
  for HTML report generation.


Source code structure (wapitiCore directory)
=====================================
.
|-- attack  # attack modules used for the vulnerabilities Wapiti can detect
|   |-- __init__.py
|   |-- attack.py        # Base for all attack modules
|   |-- mod_backup.py    # This module search backup of scripts on the server
|   |-- mod_blindsql.py  # Time-based blind sql scanner
|   |-- mod_crlf.py      # Search for CR/LF injection in HTTP headers
|   |-- mod_exec.py      # Module used to detect command execution vulnerabilities
|   |-- mod_file.py      # Search for include()/fread() and other file handling vulns
|   |-- mod_htaccess.py  # Try to bypass weak htaccess configurations
|   |-- mod_nikto.py     # Use a Nikto database to search for potentially dangerous files
|   |-- mod_permanentxss.py  # Look for permanent XSS
|   |-- mod_sql.py       # Standard error-based SQL injection scanner
|   `-- mod_xss.py       # Module for XSS detection
|
|-- config
|   |-- attacks   # Here are the text files where you can add payloads
|   |   |-- backupPayloads.txt
|   |   |-- blindSQLPayloads.txt
|   |   |-- execPayloads.txt
|   |   |-- fileHandlingPayloads.txt
|   |   `-- xssPayloads.txt
|   |
|   |-- language   # Compiled language files (.mo)
|   |   |-- en
|   |   |   `-- LC_MESSAGES
|   |   |       `-- wapiti.mo
|   |   |-- es
|   |   |   `-- LC_MESSAGES
|   |   |       `-- wapiti.mo
|   |   |-- de
|   |   |   `-- LC_MESSAGES
|   |   |       `-- wapiti.mo
|   |   |-- fr
|   |   |   `-- LC_MESSAGES
|   |   |       `-- wapiti.mo
|   |   `-- ms
|   |       `-- LC_MESSAGES
|   |           `-- wapiti.mo
|   |
|   |-- reports
|   |   `-- generators.xml  # Database of report engines
|   |
|   `-- vulnerabilities  # Info about vulnerability types (references etc)
|       |-- anomalies.xml
|       `-- vulnerabilities.xml
|
|-- file  # XML parsers used by Wapiti
|   |-- __init__.py
|   |-- anomalyxmlparser.py
|   |-- auxtext.py
|   |-- reportgeneratorsxmlparser.py
|   `-- vulnerabilityxmlparser.py
|
|-- language  # Manage internationalization
|   |-- __init__.py
|   |-- vulnerability.py  # Common strings used by Wapiti
|   `-- language.py
|
|-- language_sources
|   |-- de.po
|   |-- en.po
|   |-- es.po
|   |-- file_list.txt
|   |-- fr.po
|   |-- generateSources.sh  # Script to generate .po files from source code
|   |-- generateTranslations.sh  # Script to compile .po files to .mo files
|   `-- ms.po
|
|-- net
|   |-- HTTP.py    # Wrapper around python-requests, contains HTTP,
|   |              # HTTPResource and HTTPResponse classes.
|   |-- __init__.py
|   |-- crawlerpersister.py  # Class used to store and load scan status
|   |-- jsoncookie.py  # Library to load and save cookies to JSON files
|   |-- jsparser
|   |   |-- __init__.py
|   |   |-- jsparser.py  # Modified version of the PyNarcissus parser
|   |   |
|   |-- lamejs.py  # Home-made and lame JS interpreter using PyNarcissus
|   |-- lswww.py   # HTML parsing is made here
|   `-- swf_parser.py  # Home-made Flash SWF parser, not an ABC interpreter
|
|-- report   # Report generators
|   |-- __init__.py
|   |-- htmlreportgenerator.py  # The HTML generator is based on the JSON one
|   |-- jsonreportgenerator.py
|   |-- openvasreportgenerator.py  # Needs some more work
|   |-- reportgenerator.py   # Abstract class
|   |-- reportgeneratorinfo.py
|   |-- txtreportgenerator.py
|   |-- vulneranetxmlreportgenerator.py
|   `-- xmlreportgenerator.py
|
`-- report_template  # Template used for HTML reports
    |-- css
    |   |-- kube.css
    |   |-- kube.min.css
    |   `-- master.css
    |-- index.html
    |-- js
    |   |-- jquery-1.9.1.min.js
    |   |-- kube.buttons.js
    |    `-- kube.tabs.js
    `-- logo_clear.png

Link :https://github.com/IFGHou/wapiti

WebPwn3r - Web Applications Security Scanner.

webpwn3r :- WebPwn3r - Web Applications Security Scanner.

How to use:

1- python scan.py

2- The tool will ask you if you want to scan URL or List of urls?

1- Enter number 1 to scan a URL

2- Enter number 2 to scan list of URL's

3- URL should be a full link with a parameters

.e.g http://localhost/rand/news.php?com=val&id=11&page=24&text=zigoo

same thing with the list of links.

 WebPwn3r got below Features:

1- Scan a URL or List of URL’s

2- Detect and Exploit Remote Code Injection Vulnerabilities.

3- ~ ~ ~ Remote Command Execution Vulnerabilities.

4- ~ ~ ~ SQL Injection Vulnerabilities.

5- ~ ~ ~ Typical XSS Vulnerabilities.

6- Detect WebKnight WAF.

7- Improved Payloads to bypass Security Filters/WAF’s.

8- Finger-Print the backend Technologies.

|||

RED HAWK - All In One Tool For Information Gathering, SQL Vulnerability Scanning and Crawling

RED HAWK -  All In One Tool For Information Gathering, SQL Vulnerability Scanning and Crawling

https://github.com/Tuhinshubhra/RED_HAWK

Features Of The Tool:

• Server detection
• Cloudflare detector
• robots scanner
• CMS Detector
• WordPress
• Joomla
• Drupal
• Magento
• Whois
• GEO-IP Scan
• NMAP Port Scan
• DNS Lookup
• SubNet Calculator
• Subdomain Finder
• Reverse IP Scanner
• CMS detection For Sites On the same server.
• Parameter Finder
• Error based SQLi Detector
• Crawler
• Basic Crawler {69}
• [ - ] Admin scanner
• [ - ] Backups Finder
• [ - ] Misc. Crawler
• Advance Crawler{420}
• [ - ] Admin scanner
• [ - ] Backups Finder
• [ - ] Misc. Crawler

---

Released Versions:

- Version 1.0.0 [11-06-2017]

Changelog:

• Version 1.0.0
• Initial Launch

Installation:

Run The Tool and Type fix This will Install All Required Modules.

Usage:

• git clone https://github.com/Tuhinshubhra/RED_HAWK
• cd RED_HAWK
• php rhawk.php
• Use the "help" command to see the command list or type in the domain name you want to scan (without Http:// OR Https://).
• Select whether The Site Runs On HTTPS or not.
• Leave The Rest To The Scanner