Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.

Included In

At its core, Inveigh is a .NET packet sniffer that listens for and responds to LLMNR/mDNS/NBNS requests while also capturing incoming NTLMv1/NTLMv2 authentication attempts over the Windows SMB service. The primary advantage of this packet sniffing method on Windows is that port conflicts with default running services are avoided. Inveigh also contains HTTP/HTTPS/Proxy listeners for capturing incoming authentication requests and performing attacks. Inveigh relies on creating multiple runspaces to load the sniffer, listeners, and control functions within a single shell and PowerShell process.

Inveigh running with elevated privilege

Inveigh

Since the .NET packet sniffer requires elevated privilege, Inveigh also contains UDP listener based LLMNR/mDNS/NBNS functions. These listeners can provide the ability to perform spoofing with only unprivileged access. Port conflicts can still be an issue with any running Windows listeners bound to 0.0.0.0. This generally impacts LLMNR. On a system with the Windows LLMNR service running, Inveigh’s unprivileged LLMNR spoofer will not be able to start. Inveigh can usually perform unprivileged NBNS spoofing on systems with the NBNS service already running since it’s often not bound to 0.0.0.0. Most of Inveigh’s other features, with the primary exceptions of the packet sniffer’s SMB capture and HTTPS (due to certificate install privilege requirements), do not require elevated privilege. Note that an enabled local firewall blocking all relevant ports, and without a listed service with open firewall access suitable for migration, can still prevent Inveigh from working with just unprivileged access since privileged access will likely be needed to modify the firewall settings.

By default, Inveigh will attempt to detect the privilege level and load the corresponding functions.

Inveigh running without elevated privilege

Unprivileged

Inveigh provides NTLMv1/NTLMv2 HTTP/HTTPS/Proxy to SMB1/SMB2 relay through the Inveigh-Relay module. This module does not require elevated privilege, again with the exception of HTTPS, on the Inveigh host. However, since the module currently only has a PSExec type command execution attack, the relayed challenge/response will need to be from an account that has remote command execution privilege on the target. The Inveigh host itself can be targeted for relay if the goal is local privilege escalation.

Inveigh and Inveigh-Relay running together to execute an Empire 2.0 launcher

Relay

Tutorials & Download

Advertisements

Johnny is the cross-platform Open Source GUI frontend for the popular password cracker John the Ripper. It was originally proposed and designed by Shinnok in draft, version 1.0 implementation was achieved by Aleksey Cherepanov as part of GSoC 2012 and Mathieu Laprise took Johnny further towards 2.0 and beyond as part of GSoC 2015.

Johnny’s aim is to automate and simplify the password cracking routine with the help of the tremendously versatile and robust John the Ripper, as well as add extra functionality on top of it, specific to Desktop and GUI paradigms, like improved hash and password workflow, multiple attacks and session management, easily define complex attack rules, visual feedback and statistics, all of it on top of the immense capabilities and features offered by both JtR core/proper as well as jumbo.

Features

  • Cross platform, builds and runs on all major desktop platforms
  • Based on the most powerful and robust password cracking software, supports both John core/proper and jumbo flavors
  • Exposes most useful JtR attack modes and options in a usable, yet powerful interface
  • Simplifies password/hash management and attack results via complex filtering and selection
  • Easily define new attacks and practical multiple attack session management
  • Manually guess passwords via the Guess function
  • Export Passwords table to CSV and colon password file format
  • Import many types of encrypted or password protected files via the 2john functionality
  • Fully translatable (English and French language for now)

Download

At the end of last year, Mozilla launched a privacy browser called Firefox Focus for the iOS platform, providing more comprehensive and professional protection for your Internet privacy, by default, including tracking, social and advertising tracking. And now, this privacy-oriented browser officially landed Android platform.

Download: Google Play and App Store

Compared to the regular mobile browser Firefox Focus in the function is a bit a single, only a search and URL bar, but also in the settings panel is also relatively “simple”, you can turn on/off different tracking type. This browser does not support tabs or other menus, and there is an erase button at the top of the app to clean up your online traces manually, and the app is automatically cleaned up after the application is closed.

Compared to the iOS version, Android version Firefox Focus added some additional features. Including an ad tracking count that allows the user to know how many sites each site has blocked, and to allow the user to manually turn off tracking blocking when the page is not loaded correctly, and when you run Firefox Focus in the background, Clean up the Internet history.

Image result for robots.txt

What is a robots.txt file?

Search engine through a program robot (also known as spider), automatically access the Internet page and access to web information.
You can create a plain text file, robots.txt, in your website that declares that the site does not want to be accessed by the robot so that part or all of the site’s content can not be included in the search engine, or Specifies that the search engine only includes the specified content.

Where is the robots.txt file?

The robots.txt file should be placed in the root directory of the site. For example, when a robots visit a website (such as https://www.linkedin.com ), it will first check whether the site exists https://www.linkedin.com/robots.txt this file, if the robot to find this file, it will be based on the contents of this file to determine the scope of its access.

The format of the robots.txt file

The “robots.txt” file contains one or more records, separated by blank lines (CR, CR / NL, or NL as the end), and the format of each record is as follows:

"<field>:<optionalspace><value><optionalspace>"

 

In the file can be used # for annotations, the specific use of the same practice and UNIX. The records in this file usually begin with one or more lines of User-agent, followed by a number of Disallow lines, as follows:

  • User-agent:
    The value of this item is used to describe the name of the search engine robot. In the “robots.txt” file, if there are multiple User-agent records that have multiple robots that are limited by the protocol, Say, at least one User-agent record. If the value is set to *, the protocol is valid for any robot. In the “robots.txt” file, there is only one record of “User-agent: *”.

 

  • Disallow:
    the value of the item used to describe the URL you do not want to visit, the URL can be a complete path, it can be part of any Disallow at the beginning of the URL will not be access to the robot. For example, “Disallow: /help” does not allow search engine access to /help.html and /help/index.html, and “Disallow: /help/” allows the robot to access /help.html without access to /help/index .html. Any Disallow record is empty, indicating that all parts of the site are allowed to be accessed, in the “/robots.txt” file, at least one Disallow record. If “/robots.txt” is an empty file, then for all the search engine robot, the site is open.

PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Installation

# pip install colorama pysnmp
# pip install win_unicode_console
# apt-get install imagemagick ghostscript
git clone https://github.com/RUB-NDS/PRET.git

Usage

usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}
positional arguments:
target                printer device or hostname
{ps,pjl,pcl}          printing language to abuse
optional arguments:
-h, --help            show this help message and exit
-s, --safe            verify if language is supported
-q, --quiet           suppress warnings and chit-chat
-d, --debug           enter debug mode (show traffic)
-i file, --load file  load and run commands from file
-o file, --log file   log raw data sent to the target
 
Source https://github.com/RUB-NDS/PRET

Some useful sqlmap command for testing SQL injection vulnerability.

1) — Analyzing the current user is dba
python sqlmap.py -u “url” –is-dba -v 1
2) — users: user list database management system
python sqlmap.py -u “url” –users -v 0
3) — passwords: Database user password (hash)
python sqlmap.py -u “url” –passwords -v 0
python sqlmap.py -u “url” –passwords -U sa -v 0
4) To view the user permissions
python sqlmap.py -u “url” –privileges -v 0
python sqlmap.py -u “url” –privileges -U postgres -v 0
5) — dbs can use the database
python sqlmap.py -u “url” –dbs -v 0
6) — tables column in a table
python sqlmap.py -u “url” –tables -D “information_scheam”
-D: Specifies the name of the data
7) — columns are listed in the table column names
python sqlmap.py -u “url” –columns -T “user” -D “mysql” -v 1
-T: Specify the table name, -D: Specifies the library name
8) — dump the contents of the column specified in the list
python sqlmap.py -u “url” –dump -T “users” -D “testdb”
-C: You can specify fields
The specified column in the range of 2-4
python sqlmap.py -u “url” –dump -T “users” -D “testdb” –start 2 –stop 4 -v 0
9) — dumap-all List all databases, all tables content
python sqlmap.py -u “url” –dump-all -v 0
Only lists the contents of the user’s own new database and tables
python sqlmap.py -u “url” –dump-all –exclude-sysdbs -v 0
10) — file to read the content of the document [load_file () function]
python sqlmap.py -u “url” –file / etc / password
11) execute SQL
python sqlmap.py -u “url” –sql-shell
12) -p parameter specified
python sqlmap.py -u “url” -v 1 -p “id”
You can specify multiple -p parameter -p “cat, id”
13) POST submission
python sqlmap.py -u “url” –method POST –data “id = 1”
14) COOKIE Submit
python sqlmap.py -u “url” –cookie “id = 1” -v 1
cookie value can be crawled by the TamperData
15) refer to deceive
python sqlmap.py -u “url” –refer “url” -v 3
16) using a custom user-agent or user-agents.txt
python sqlmap.py -u “url” –user-agent “Mozilla / 4.0 (compatible; MSIE 7.0; Windows NT 5.1)” -v 3
python sqlmap.py -u “url” -v 1 -a “./txt/user-agents.txt”
17) use of multithreading guess solution
python sqlmap.py -u “url” -v 1 –current-user –threads 3
18) specify the database, bypassing the automatic detection SQLMAP
python sqlmap.py -u “url” -v 2 –dbms “PostgreSQL”
19) Specifies the operating system automatically detects the bypass SQLMAP
python sqlmap.py -u “url” -v 2 –os “Windows”
20) — prefix and –postfix custom payload
python sqlmap.py -u “url” -v 3 -p “id” –prefix ” ‘” –postfix “and’ test ‘=’ test”
21) union injection test
python sqlmap.py -u “url” –union-test -v -1
22) with the order by
python sqlmap.py -u “url” –union-test –union-tech orderby -v 1
23) python sqlmap.py -u “url” -v 1 –union-use –banner
24) python sqlmap.py -u “url” -v 5 –union-use –current-user
25) python sqlmap.py -u “url” -v 1 –union-use –dbs

Many users use IPTables in Linux as a firewall, and from a strict point of view, IPTables (IPTables 101) is just a command-line tool that helps administrators define rules and communicate with Linux Kernel. It is only to help administrators configure the network traffic incoming, outgoing rules list, the specific implementation is actually in the Linux kernel.