Policy as Code Bot (PacBot)

Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features, giving a simplified view of compliance and making it easy to analyze and remediate policy violations. PacBot is more than a tool to manage cloud misconfiguration; it is a generic platform that can be used for continuous compliance monitoring and reporting in any domain.

More Than Cloud Compliance Assessment

PacBot's plugin-based data ingestion architecture allows ingesting data from multiple sources. We have built plugins to pull data from Qualys Vulnerability Assessment Platform, Bitbucket, TrendMicro Deep Security, Tripwire, Venafi Certificate Management, Redhat Satellite, Spacewalk, Active Directory and several other custom-built internal solutions. We are working to open source these plugins and other tools as well. You could write rules based on data collected by these plugins to get a complete picture of your ecosystem and not just cloud misconfigurations. For example, within T-Mobile we have implemented a policy to mark all EC2 instances having one or more severity 5 (CVSS score > 7) vulnerabilities as non-compliant.

How Does It Work?

Assess -> Report -> Remediate -> Repeat is PacBot's philosophy. PacBot discovers resources and assesses them against the policies implemented as code. All policy violations are recorded as issues. Whenever an Auto-Fix hook is available for a policy, that auto-fix is executed when a resource fails the evaluation.

Policy violations cannot be closed manually; the issue has to be fixed at the source, and PacBot will mark it closed in the next scan. Exceptions can be added to policy violations. Sticky exceptions (exceptions based on resource attribute matching criteria) can be added to exempt similar resources that may be created in future.

PacBot's Asset Groups are a powerful way to visualize compliance. Asset Groups are created by defining one or more target resource attribute matching criteria. For example, you could create an Asset Group of all running assets by defining criteria to match all EC2 instances with the attribute instancestate.name=running. Any new EC2 instance launched after the creation of the Asset Group will be automatically included in the group. In the PacBot UI you can set the scope of the portal to a specific Asset Group; all the data points shown in the portal will then be confined to that Asset Group. Teams using the cloud can set the scope of the portal to their application or org and focus only on their own policy violations. This reduces noise and provides a clear picture to cloud users. At T-Mobile, we create Asset Groups per stakeholder, per application, per AWS account, per environment, etc.

Asset Groups can also be used to define the scope of rule executions. PacBot policies are implemented as one or more rules. These rules can be configured to run against all resources or against a specific Asset Group. A rule evaluates all resources in the Asset Group configured as its scope. This provides an opportunity to write policies which are very specific to an application or org. For example, some teams would like to enforce additional tagging standards beyond the global standards set for all of the cloud. They can implement such policies with custom rules and configure these rules to run only on their assets.

PacBot Key Capabilities

- Continuous compliance assessment.
- Detailed compliance reporting.
- Auto-Fix for policy violations.
- Omni Search: ability to search all discovered resources.
- Simplified policy violation tracking.
- Self-service portal.
- Custom policies and custom auto-fix actions.
- Dynamic asset grouping to view compliance.
- Ability to create multiple compliance domains.
- Exception management.
- Email digests.
- Supports multiple AWS accounts.
- Completely automated installer.
- Customizable dashboards.
- OAuth support.
- Azure AD integration for login.
- Role-based access control.
- Asset 360 degree view.

Technology Stack

- Front End: Angular
- Backend APIs, Jobs, Rules: Java
- Installer: Python and Terraform

Deployment Stack

- AWS ECS & ECR: for hosting the UI and APIs
- AWS Batch: for rules and resource collection jobs
- AWS CloudWatch Rules: for rule triggering and scheduling
- AWS Redshift: data warehouse for all the inventory collected from multiple sources
- AWS Elasticsearch: primary data store used by the web application
- AWS RDS: for admin CRUD functionality
- AWS S3: for storing inventory files and persistent storage of historical data
- AWS Lambda: for gluing a few components of PacBot together

The PacBot installer automatically launches all of these services and configures them. For detailed instructions on installation, look at the installation documentation.

PacBot UI Dashboards & Widgets (screenshots): Asset Group Selection Widget; Compliance Dashboard; Policy Compliance Page (S3 buckets public read access); Policy Compliance Trend Over Time; Asset Dashboard; Asset Dashboard with Recommendations; Asset 360 / Asset Details Page; Linux Server Quarterly Patch Compliance; Omni-Search Page; Search Results Page with results filtering; Tagging Compliance Summary Widget.

Installation

Detailed installation instructions are available in the project's installation documentation.

Usage

The installer will launch the required AWS services listed in the installation instructions. After successful installation, open the UI load balancer URL. Log into the application using the credentials supplied during the installation. The results from the policy evaluation will start getting populated within an hour. Trendline widgets will be populated when there are at least two data points.

When you install PacBot, the AWS account where you install it is the base account. PacBot installed on the base account can monitor other target AWS accounts; refer to the project's instructions for adding new accounts to PacBot. By default the base account will be monitored by PacBot.

Log in as the Admin user and go to the Admin page from the top menu. In the Admin section, you can:

- Create/Manage Policies
- Create/Manage Rules and associate Rules with Policies
- Create/Manage Asset Groups
- Create/Manage Sticky Exceptions
- Manage Jobs
- Create/Manage Access Roles
- Manage PacBot Configurations

Detailed instructions with screenshots on how to use the admin features are in the project's admin documentation.

User Guide / Wiki: see the project wiki. Announcement blog post: Introducing PacBot.

Download PacBot
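The asset-group, scoped-rule, sticky-exception and close-on-next-scan behaviour described above, carried through as an added Python illustration. This is not PacBot's own code (PacBot's rules are Java and its inventory lives in Elasticsearch/Redshift); resources are plain dicts, and every attribute name other than instancestate.name, as well as the sample inventory, is constructed for the example.

```python
"""Toy policy-as-code evaluator modelled on the PacBot concepts above.
Added example, not PacBot code. Attribute names tags.app and max_cvss and the
inventory records are constructed for the illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Resource = Dict[str, str]
IssueKey = Tuple[str, str]  # (rule name, resource id)

# Constructed sample inventory of EC2-like records.
INVENTORY: List[Resource] = [
    {"id": "i-0001", "type": "ec2", "instancestate.name": "running", "tags.app": "billing", "max_cvss": "9.8"},
    {"id": "i-0002", "type": "ec2", "instancestate.name": "running", "tags.app": "billing", "max_cvss": "4.3"},
    {"id": "i-0003", "type": "ec2", "instancestate.name": "stopped", "tags.app": "", "max_cvss": "7.5"},
    {"id": "i-0004", "type": "ec2", "instancestate.name": "running", "tags.app": "", "max_cvss": "0.0"},
]


def matches(resource: Resource, criteria: Dict[str, str]) -> bool:
    """Attribute-matching criteria: every key must be present with the given value."""
    return all(resource.get(k) == v for k, v in criteria.items())


@dataclass
class AssetGroup:
    name: str
    criteria: Dict[str, str]

    def members(self, inventory: List[Resource]) -> List[Resource]:
        # Membership is evaluated at scan time, so resources created after the
        # group was defined join it automatically when they match.
        return [r for r in inventory if matches(r, self.criteria)]


@dataclass
class Rule:
    name: str
    compliant: Callable[[Resource], bool]  # True when the resource passes
    scope: AssetGroup                      # only members of this group are evaluated


@dataclass
class StickyException:
    rule: str
    criteria: Dict[str, str]  # any resource matching these attributes is exempt from `rule`


def scan(inventory: List[Resource], rules: List[Rule], exceptions: List[StickyException],
         previous: Dict[IssueKey, str]):
    """One assessment pass. Returns (issues, closed): `issues` maps (rule, id) to
    'open' or 'exempted'; `closed` lists previously open issues whose resource now
    passes, i.e. violations fixed at the source rather than closed by hand."""
    issues: Dict[IssueKey, str] = {}
    for rule in rules:
        for r in rule.scope.members(inventory):
            if rule.compliant(r):
                continue
            key = (rule.name, r["id"])
            exempt = any(e.rule == rule.name and matches(r, e.criteria) for e in exceptions)
            issues[key] = "exempted" if exempt else "open"
    closed = [k for k, status in previous.items() if status == "open" and k not in issues]
    return issues, closed


def demo():
    running = AssetGroup("running-ec2", {"instancestate.name": "running"})
    all_ec2 = AssetGroup("all-ec2", {"type": "ec2"})
    rules = [
        # Global policy: a severity-5 finding (CVSS > 7) makes a running instance non-compliant.
        Rule("vuln-sev5", lambda r: float(r["max_cvss"]) <= 7.0, running),
        # Team-specific tagging standard, scoped to the all-ec2 group here.
        Rule("app-tag-required", lambda r: r["tags.app"] != "", all_ec2),
    ]
    # Sticky exception: stopped instances are exempt from the tagging rule, now and in future.
    exceptions = [StickyException("app-tag-required", {"instancestate.name": "stopped"})]

    first, _ = scan(INVENTORY, rules, exceptions, previous={})
    # Remediate at the source (patch i-0001) and rescan: the issue closes by itself.
    patched = [dict(r, max_cvss="5.0") if r["id"] == "i-0001" else r for r in INVENTORY]
    second, closed = scan(patched, rules, exceptions, previous=first)
    return first, second, closed


if __name__ == "__main__":
    first, second, closed = demo()
    for key, status in first.items():
        print("scan 1:", key, status)
    print("closed after fix at source:", closed)
```

The first scan opens two issues (the vulnerable running instance and the untagged running instance) and records the untagged stopped instance as exempted by the sticky exception; after the instance is patched, the second scan drops the vulnerability issue without anyone closing it by hand.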
Findomain

A cross-platform tool that uses Certificate Transparency logs to find subdomains. We currently support Linux, Windows and MacOS.

How it works?

The tool doesn't use the common methods for (sub)domain discovery; it uses Certificate Transparency logs to find subdomains, and this method makes the tool very fast and reliable. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/

Installation: Linux

If you want to install it, you can do that by manually compiling the source or by using the precompiled binary.

Manually (you need to have Rust installed on your computer first):

$ git clone https://github.com/Edu4rdSHL/findomain.git
$ cd findomain
$ cargo build --release
$ sudo cp target/release/findomain /usr/bin/
$ findomain

Using the binary:

$ git clone https://github.com/Edu4rdSHL/findomain.git
$ sudo cp findomain/bin/findomain /usr/bin
$ findomain

If you are using the BlackArch Linux distribution, you just need to use:

$ sudo pacman -S findomain

Installation: Windows

Download the binary from https://github.com/Edu4rdSHL/findomain/tree/master/bin/windows and use it.

Installation: MacOS

Download the binary from https://github.com/Edu4rdSHL/findomain/tree/master/bin/osx and use it.

Usage

You can use the tool in two ways: only discovering the domain names, or discovering the domains plus their IP addresses.

findomain 0.1.3
Eduard Tolosa
A tool that use Certificates Transparency logs to find subdomains.

USAGE:
    findomain [FLAGS] [OPTIONS]

FLAGS:
    -h, --help       Prints help information
    -i, --get-ip     Return the subdomain list with IP address if resolved.
    -V, --version    Prints version information

OPTIONS:
    -f, --file       Sets the input file to use.
    -o, --output     Write data to output file in the specified format. [possible values: txt, csv, json]
    -t, --target     Target host

Features

- Discover subdomains without brute-force; the tool uses Certificate Transparency logs.
- Discover subdomains with or without IP address according to user arguments.
- Read the target from a user argument (-t).
- Read a list of targets from a file and discover their subdomains with or without IP, and also write to output files per domain if specified by the user, recursively.
- Write output to a TXT file.
- Write output to a CSV file.
- Write output to a JSON file.
- Cross-platform support: Linux, Windows, MacOS.

Download Findomain
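The Certificate Transparency approach described above, shown as an added Python example rather than findomain's own code (findomain is written in Rust). It parses a crt.sh-style JSON list, where each record's name_value field carries one or more newline-separated certificate names, reduces wildcards to their base name, discards look-alike names that only contain the target as a prefix, and adds a defender's step the tool itself does not have: diffing the CT-derived names against your own asset inventory to surface hosts or certificates you did not know about. The sample records and the inventory list are constructed; the resolver is injectable so the -i/--get-ip equivalent can be exercised offline.

```python
"""Subdomain discovery from Certificate Transparency data, in the spirit of
findomain. Added example, not findomain's code; sample CT records constructed."""
import json
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample shaped like a crt.sh JSON response for the query %.example.com.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "API.Example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "dev.internal.example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "example.com.evil.test"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.staging.example.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "bad_host!.example.com"},
])

# DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")


def subdomains_from_ct(target: str, ct_json: str) -> List[str]:
    """Return the sorted, de-duplicated subdomains of `target` named in CT records.
    Wildcards become their base name, case is folded, malformed names and names
    that merely start with the target (example.com.evil.test) are dropped."""
    target = target.lower().strip(".")
    suffix = "." + target
    found = set()
    for record in json.loads(ct_json):
        for raw in record.get("name_value", "").splitlines():
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # *.staging.example.com -> staging.example.com
            if name.endswith(suffix) and _HOSTNAME.match(name):
                found.add(name)
    return sorted(found)


def unexpected_names(found: List[str], inventory: List[str]) -> List[str]:
    """Defender's view: names present in public CT logs but absent from the
    organisation's own inventory (forgotten hosts, shadow IT, or certificates
    issued without the team's knowledge) deserve a look."""
    known = {n.lower() for n in inventory}
    return [n for n in found if n not in known]


def with_addresses(names: List[str],
                   resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Equivalent of findomain's -i/--get-ip: resolve each name, None on failure."""
    out: Dict[str, Optional[str]] = {}
    for n in names:
        try:
            out[n] = resolver(n)
        except OSError:  # socket.gaierror is a subclass of OSError
            out[n] = None
    return out


if __name__ == "__main__":
    names = subdomains_from_ct("example.com", SAMPLE_CT_JSON)
    print("\n".join(names))
    known = ["www.example.com", "api.example.com", "mail.example.com"]
    print("not in inventory:", unexpected_names(names, known))
```

Against a live CT source you would replace SAMPLE_CT_JSON with the response body of a query for your own domain; running unexpected_names on a schedule turns the same technique into a monitor for certificates issued for names you do not operate.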
Sn1per

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to https://xerosecurity.com .

SN1PER PROFESSIONAL FEATURES:

- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Detailed host reports
- NMap HTML host reports
- Quick links to online recon tools and Google hacking queries
- Takeovers and Email Security
- HTML5 Notepad

ORDER SN1PER PROFESSIONAL: To obtain a Sn1per Professional license, go to https://xerosecurity.com .

SN1PER COMMUNITY FEATURES:

- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

EXPLOITS:

- Drupal RESTful Web Services unserialize() SA-CORE-2019-003
- Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts
- Drupal: CVE-2018-7600: Remote Code Execution - SA-CORE-2018-002
- GPON Routers - Authentication Bypass / Command Injection CVE-2018-10561
- MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
- Apache Tomcat: Remote Code Execution (CVE-2017-12617)
- Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271
- Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)
- Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)
- Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249
- Shellshock Bash Shell remote code execution CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
- Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843
- MS08-067 Microsoft Server Service Relative Path Stack Corruption
- Webmin File Disclosure CVE-2006-3392
- VsFTPd 2.3.4 Backdoor
- ProFTPd 1.3.3C Backdoor
- MS03-026 Microsoft RPC DCOM Interface Overflow
- DistCC Daemon Command Execution
- JBoss Java De-Serialization
- HTTP Writable Path PUT/DELETE File Access
- Apache Tomcat User Enumeration
- Tomcat Application Manager Login Bruteforce
- Jenkins-CI Enumeration
- HTTP WebDAV Scanner
- Android Insecure ADB
- Anonymous FTP Access
- PHPMyAdmin Backdoor
- PHPMyAdmin Auth Bypass
- OpenSSH User Enumeration
- LibSSH Auth Bypass
- SMTP User Enumeration
- Public NFS Mounts

KALI LINUX INSTALL:

bash install.sh

UBUNTU/DEBIAN/PARROT INSTALL:

bash install_debian_ubuntu.sh

DOCKER INSTALL:

docker build Dockerfile

USAGE:

[*] NORMAL MODE
sniper -t|--target

[*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE
sniper -t|--target -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce

[*] STEALTH MODE + OSINT + RECON
sniper -t|--target -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
sniper -t|--target -m|--mode discover -w|--workspace

[*] FLYOVER MODE
sniper -t|--target -m|--mode flyover -w|--workspace

[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace

[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target -m port -p|--port

[*] FULLPORTONLY SCAN MODE
sniper -t|--target -fp|--fullportonly

[*] PORT SCAN MODE
sniper -t|--target -m|--mode port -p|--port

[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target -m|--mode web

[*] HTTP WEB PORT HTTP MODE
sniper -t|--target -m|--mode webporthttp -p|--port

[*] HTTPS WEB PORT HTTPS MODE
sniper -t|--target -m|--mode webporthttps -p|--port

[*] WEBSCAN MODE
sniper -t|--target -m|--mode webscan

[*] ENABLE BRUTEFORCE
sniper -t|--target -b|--bruteforce

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target

[*] LOOT REIMPORT FUNCTION
sniper -w --reimport

[*] LOOT REIMPORTALL FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimportall

[*] DELETE WORKSPACE
sniper -w -d

[*] DELETE HOST FROM WORKSPACE
sniper -w -t -dh

[*] SCHEDULED SCANS
sniper -w -s daily|weekly|monthly

[*] SCAN STATUS
sniper --status

[*] UPDATE SNIPER
sniper -u|--update

MODES:

- NORMAL: Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.
- STEALTH: Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
- FLYOVER: Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).
- AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts/IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
- NUKE: Launches a full audit of multiple hosts specified in a text file of your choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
- DISCOVER: Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.
- PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
- FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
- WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
- WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
- WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
- WEBSCAN: Launches a full HTTP & HTTPS web application scan via Burpsuite and Arachni.

SAMPLE REPORT: https://gist.github.com/1N3/8214ec2da2c91691bcbc

Download Sn1per
PAnalizer

PAnalizer is a forensic tool: you can search for pornographic images in a specific directory, which is useful in pedestrian detection. You can also search for a specific person in the image set; for that, it is necessary to give the application a few pictures of the person of interest.

Download PAnalizer
FinalRecon

FinalRecon is a fast and simple Python script for web reconnaissance. It follows a modular structure, so in future new modules can be added with ease.

Features

FinalRecon provides detailed information such as:

- Header Information
- WHOIS
- SSL Certificate Details (found the flag in an SSL certificate in Securinets CTF Quals 2019 - Hidden (200 Points))
- Crawler

More modules will be added in future.

Tested on: Kali Linux 2019.1, BlackArch Linux

Installation

git clone https://github.com/thewhiteh4t/FinalRecon.git
cd FinalRecon
pip3 install -r requirements.txt

Usage

python3 finalrecon.py -h

usage: finalrecon.py [-h] [--headers] [--sslinfo] [--whois] [--crawl] [--full] url

FinalRecon - OSINT Tool for All-In-One Web Recon | v1.0.0

positional arguments:
  url         Target URL

optional arguments:
  -h, --help  show this help message and exit
  --headers   Get Header Information
  --sslinfo   Get SSL Certificate Information
  --whois     Get Whois Lookup
  --crawl     Crawl Target Website
  --full      Get Full Analysis, Test All Available Options

# Check headers
python3 finalrecon.py --headers

# Check SSL certificate
python3 finalrecon.py --sslinfo

# Check whois information
python3 finalrecon.py --whois

# Crawl target
python3 finalrecon.py --crawl

# Full scan
python3 finalrecon.py --full

Download FinalRecon
iCULeak.py

Tool to find and extract credentials from phone configuration files in environments managed by Cisco's CUCM (Call Manager).

When using Cisco's CUCM (Call Manager), phone configuration files are stored on a TFTP server. These phone configuration files quite frequently contain sensitive data, including phone SSH/admin credentials. There is also an issue with how some browsers autofill fields such as the SSH Username & Password fields with the administrator's CUCM credentials (commonly their AD credentials), if the administrator has saved the credentials in their browser. The same issue has been faced by administrators using password managers that automatically plug in credentials: they found that their credentials were being automatically entered into the SSH Username & Password fields and then saved (and stored in plaintext in the configuration files). While the issue was fixed in CUCM 12.0, credentials stored in the past may still be discoverable.

The issue can be somewhat mitigated by the following actions:

- Regularly purging leaked credentials from existing configuration files.
- Blocking autosave/autofill on CUCM.
- Enabling encryption of phone configuration files. Note that this doesn't completely mitigate the issue, as the encryption password could be obtained from the phones' memory or through administrative access to CUCM.

This tool utilises a lot of code from Dirk-jan's tool adidnsdump to extract a list of phone hostnames from ADIDNS over LDAP. To read more about the technique and tool, see the associated blog post. So credit goes to him for a lot of the code.

Installation

git clone https://github.com/llt4l/iCULeak.py
cd iCULeak.py
pip install -r requirements.txt

Usage

Run iCULeak.py against phones with hostnames found in the DNS zone:

python iCULeak.py -u domain\llt4l -c 10.100.1.29 10.100.1.1

Run iCULeak.py against a list of phones provided in a file:

python iCULeak.py -l phones_hostnames -c 10.100.1.29 10.100.1.1

Flags:

- View the help page with -h or --help.
- Pass the username of the user that will authenticate to ADIDNS with the -u or --user flag. The user should be preceded by the user's domain, so it should look something like domain\llt4l. This flag is optional if a list is passed instead.
- Pass the password to the program with the -p or --password flag. If you do not pass it as an argument but do pass a username, the program will prompt for a password when run.
- The IP address or hostname of the CUCM server should be passed to the program with either the -c or --cucm-server flag. If, for any reason, the TFTP server used by CUCM to store phone configuration files is on another host, provide that address instead.
- Provide a file that contains a list of phone hostnames with the -l or --list flag. The file should just be a list of phone hostnames, one per line, each looking something like SEP112233445566.
- If you'd like to save the results to a CSV file, pass the -s or --save flag along with the filename to save to.
- By default iCULeak.py checks the leaked credentials for validity in AD. To disable the authentication attempts made to verify the leaked credentials, pass the -nA or --no-authentication flag.
- To save all the dumped phone configuration files to a directory, pass the -O or --out-dir flag along with the name of the folder you want to save them to.
- For increased verbosity, pass the -v or --verbose flag.
- If the DNS entries for the phones are in a different DNS zone from the default zone of the domain you are authenticating against, pass the zone with the -z or --zone flag.

Download iCULeak.py
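A defender-side companion to the first mitigation above (purging leaked credentials from existing configuration files), as an added Python example that is not part of iCULeak.py: it audits phone configuration files you already hold, flags any with a populated SSH username or password field, and notes when the username looks like an autofilled domain account, without ever echoing the secret itself. The element names sshUserId and sshPassword and the three sample documents are assumed and constructed for the illustration; it does not contact TFTP or Active Directory.

```python
"""Local audit of CUCM phone configuration files for populated SSH credential
fields. Added example, not iCULeak.py code. Element names sshUserId/sshPassword
and the sample documents are assumed/constructed; findings never carry the
password value, only whether one is present."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample configs keyed by file name (SEP<MAC>.cnf.xml style).
SAMPLE_CONFIGS: Dict[str, str] = {
    "SEP001122334455.cnf.xml": """<device>
  <deviceProtocol>SIP</deviceProtocol>
  <sshUserId>CORP\\jdoe</sshUserId>
  <sshPassword>example-leaked-secret</sshPassword>
</device>""",
    "SEP00AABBCCDDEE.cnf.xml": """<device>
  <deviceProtocol>SIP</deviceProtocol>
  <sshUserId></sshUserId>
  <sshPassword></sshPassword>
</device>""",
    "SEP0011AABB2233.cnf.xml": """<device>
  <deviceProtocol>SCCP</deviceProtocol>
</device>""",
}


def _text(root: ET.Element, tag: str) -> str:
    """Trimmed text of the first element named `tag`, or '' when absent/empty."""
    node = root.find(f".//{tag}")
    return (node.text or "").strip() if node is not None else ""


def audit_config(filename: str, xml_text: str) -> dict:
    """Finding for one config file; reports presence of a password, never its value."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {"file": filename, "error": "unparseable"}
    user = _text(root, "sshUserId")
    password = _text(root, "sshPassword")
    return {
        "file": filename,
        "phone": filename.split(".")[0],
        "ssh_user": user,
        "password_present": bool(password),
        # Autofilled admin/AD credentials usually look like DOMAIN\user or user@domain.
        "domain_style": ("\\" in user) or ("@" in user),
    }


def audit_all(configs: Dict[str, str]) -> List[dict]:
    """Findings for every file with either credential field populated: the
    purge list for the mitigation described above."""
    findings = []
    for name, text in configs.items():
        finding = audit_config(name, text)
        if finding.get("ssh_user") or finding.get("password_present"):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_all(SAMPLE_CONFIGS):
        note = " (looks like a domain account)" if f["domain_style"] else ""
        print(f"{f['phone']}: sshUserId={f['ssh_user']!r}, password set={f['password_present']}{note}")
```

To use it on a real dump, read each SEP*.cnf.xml from the directory into the configs mapping; the output is a list of phones whose configuration should be cleaned and whose referenced accounts should have their passwords rotated.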
ReconT

Recon-Tool made for reconnaissance and information gathering with an emphasis on simplicity. It will do everything from.

Features

Information:
- Security Headers
- WAF Detector
- Banner Grabbing
- Phone Number
- Credit Card Number
- Email
- US Social Security Number

Url:
- Crawl
- Dom Parameter Url
- Internal Dynamic Parameter
- External Dynamic Parameter
- Internal Link
- External Link

Port Scanner

Subdomain Enumeration

Requirements

- click
- requests
- colorlog
- bs4
- tldextract

Usage & Installation

$ apt-get install python3 nmap
$ pip3 install -r requirements.txt
$ python3 reconT.py http://target.co.li
$ python reconT.py --help
Usage: reconT.py [OPTIONS] TARGET

Options:
  --timeout INTEGER  Seconds to wait before timeout connections
  --proxy TEXT       if Use a proxy ex: 0.0.0.0:8888if with auth 0.0.0.0:[email protected]:password
  --cookies TEXT     if use cookie comma separated cookies to add the requestex: PHPSESS:123,kontol=True
  --help             Show this message and exit.

Info

- Support For Python Version: 3.x
- ReconT Version: 0.1
- By: 407 Authentic Exploit
- Codename: JaxBCD

Download ReconT
QRGen

Simple script for generating malformed QR codes. These QR codes are useful if you want to test a QR code scanner's parser or how an application handles QR code data. Downside of this tool: you need to manually scan the codes with a camera.

Installation

What do you need:
- python3
- qrcode
- Pillow
- argparse

Steps

1. git clone https://github.com/h0nus/QRGen
2. cd QRGen
3. pip3 install -r requirements.txt OR python3 -m pip install -r requirements.txt
4. python3 qrcode.py
5. Enjoy attacking QRCodes 😛

Personalization

You can change the default wordlists to what you want by passing -w/--wordlist 🙂

Order of default wordlist groups:
- SQL Injection
- XSS
- Command Injection
- Format String
- XXE
- String Fuzzing
- SSI Injection
- LFI/Directory Traversal
- custom, passed with -w/--wordlist

Download QRGen
CQTools

CQURE Team has prepared tools used during penetration testing and packed them in a toolkit named CQTools. This toolkit allows you to deliver complete attacks within the infrastructure, starting with sniffing and spoofing activities, going through information extraction, password extraction, custom shell generation, custom payload generation, hiding code from antivirus solutions and various keyloggers, and leveraging this information to deliver attacks. Some of the tools are based on discoveries that were released to the world for the first time by CQURE Team; some of the tools took years to complete, and all of the tools work in a straightforward manner. CQURE was the first team that did full reverse engineering of DPAPI (Data Protection Application Programming Interface) and prepared the first public tool that allows monitoring the WSL (Windows Subsystem for Linux) feature.

CQTools is the ultimate toolkit to have when delivering a penetration test. The tools work simply, and we use them in practice during our cybersecurity assignments. Come and have a look at how our CQTools can boost your penetration testing experience!

- Download Presentation Slides
- Download White Paper

More info: https://cqureacademy.com/blog/no-category/black-hat-asia-2019-tools

Download CQTools (password: CQUREAcademy#123!)