Featured

Official Blog of Centuria CyberLabs & Researchers

My personal blog has become, to all intents and purposes, the official blog of my research center (the first independent one in Italy). Centuria is not a company but a passion for cybersecurity, and entirely non-profit. How do we make a living? Each of us has our own job, and as laboratories we offer our services in exchange for a donation. This allows us to maintain our systems, which continuously explore the network, and not only honeypots.


Intesa San Paolo e Covid a bad credential harvesting phishing attempt

While researching COVID pandemic scams and phishing, we noticed that some websites turn into other types of scams.

The website:

hxxp://covid19-gruppisp.000webhostapp[.]com/

is a perfect example of a phishing page that changed its purpose to credential harvesting.

The website is already known as malicious, but no action has been taken to take the page down.

IoTGoat – IoT vulnerable firmware for testing

IoTGoat

Description

The IoTGoat Project is a deliberately insecure firmware based on OpenWrt and maintained by OWASP as a platform to educate software developers and security professionals with testing commonly found vulnerabilities in IoT devices. The vulnerability challenges are based on the OWASP IoT Top 10 noted below, as well as “easter eggs” from project contributors. For a list of vulnerability challenges, see the IoTGoat challenges wiki page.

OWASP IoT Top 10 2018 | Description
I1 Weak, Guessable, or Hardcoded Passwords | Use of easily bruteforced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.
I2 Insecure Network Services | Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.
I3 Insecure Ecosystem Interfaces | Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.
I4 Lack of Secure Update Mechanism | Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.
I5 Use of Insecure or Outdated Components | Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.
I6 Insufficient Privacy Protection | User's personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.
I7 Insecure Data Transfer and Storage | Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.
I8 Lack of Device Management | Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
I9 Insecure Default Settings | Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.
I10 Lack of Physical Hardening | Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.

Getting started

Several methods exist to get started with hacking IoTGoat.

  1. For those looking to extract the filesystem and analyze configurations and binaries statically, download the latest precompiled firmware release from https://github.com/OWASP/IoTGoat/releases. Refer to OWASP's Firmware Security Testing Methodology to help with identifying vulnerabilities.
  2. For dynamic web testing and binary runtime analysis, the quickest way to get started is downloading the latest "IoTGoat-x86.vmdk" (VMware) and creating a custom virtual machine using the IoTGoat disk image. Select the following operating system details: Type: Linux, Version: Linux 2.6 / 3.x / 4.x (32-bit), and enable PAE/NX in the virtual machine settings. Both the .vmdk and .vdi have been tested in the latest VirtualBox release (April 2020) for Windows 10, Ubuntu 18.04 LTS, and MacOS Mojave. Refer to OWASP's Web Security Testing Guide and ASVS projects for additional guidance on identifying web application vulnerabilities.
  3. Emulate firmware with opensource tools (e.g. Firmadyne, ARM-X Framework, and FAT) that leverage QEMU to virtualize IoTGoat locally.
  4. Use the IoTGoat-raspberry-pi2-sysupgrade.img firmware to flash on a Raspberry Pi 2 (BRCM2708 & BRCM2709).

Refer to the Getting started page for additional details and screencaptures.
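The static-analysis route in step 1 comes down to reading the account files of the unpacked rootfs and looking for the I1 weaknesses in the table above. The Go program below is an added example (not part of IoTGoat or its methodology) that audits constructed /etc/shadow and /etc/passwd samples with fake hashes: it flags empty password fields, legacy DES and MD5-crypt hashes, one password hash shared by several accounts, extra UID-0 accounts, and hashes left in the world-readable passwd file. Point it at the real files extracted from a firmware image to get the same report.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one account-level weakness found in an extracted rootfs.
type Finding struct {
	User   string
	Reason string
}

// SampleShadow and SamplePasswd are constructed examples of the files an
// auditor reads from an unpacked firmware image; the hashes are fake.
const SampleShadow = `root:$1$abcdefgh$QWERTYUIOPasdfghjklzx:18000:0:99999:7:::
admin:$1$abcdefgh$QWERTYUIOPasdfghjklzx:18000:0:99999:7:::
daemon:*:0:0:99999:7:::
guest::0:0:99999:7:::
support:ab3dEfGhIjKlM:18000:0:99999:7:::`

const SamplePasswd = `root:x:0:0:root:/root:/bin/ash
backdoor:x:0:0::/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
svc:$1$xyzxyzxy$abcdefabcdefabcdefabcd:1000:1000::/tmp:/bin/ash`

// AuditShadow flags I1-style weaknesses in /etc/shadow: empty password
// fields, legacy DES or MD5-crypt hashes, and hashes shared between accounts
// (the same hardcoded password handed to several users).
func AuditShadow(shadow string) []Finding {
	var findings []Finding
	seen := map[string]string{} // hash -> first account using it
	for _, line := range strings.Split(shadow, "\n") {
		fields := strings.Split(strings.TrimSpace(line), ":")
		if len(fields) < 2 || fields[0] == "" {
			continue
		}
		user, hash := fields[0], fields[1]
		if hash == "" {
			findings = append(findings, Finding{user, "empty password field: login needs no password"})
			continue
		}
		if strings.HasPrefix(hash, "*") || strings.HasPrefix(hash, "!") {
			continue // locked or disabled account, not a password weakness
		}
		switch {
		case !strings.HasPrefix(hash, "$"):
			findings = append(findings, Finding{user, "traditional DES crypt hash: trivially brute-forced"})
		case strings.HasPrefix(hash, "$1$"):
			findings = append(findings, Finding{user, "MD5-crypt hash ($1$): fast to brute-force"})
		}
		if first, ok := seen[hash]; ok {
			findings = append(findings, Finding{user, "password hash identical to account " + first})
		} else {
			seen[hash] = user
		}
	}
	return findings
}

// AuditPasswd flags extra UID-0 accounts (a classic firmware backdoor) and
// accounts whose hash sits directly in /etc/passwd, which is world-readable.
func AuditPasswd(passwd string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(passwd, "\n") {
		fields := strings.Split(strings.TrimSpace(line), ":")
		if len(fields) < 7 {
			continue
		}
		user, pw, uid := fields[0], fields[1], fields[2]
		if uid == "0" && user != "root" {
			findings = append(findings, Finding{user, "UID 0 account other than root"})
		}
		if pw != "x" && pw != "" && !strings.HasPrefix(pw, "*") && !strings.HasPrefix(pw, "!") {
			findings = append(findings, Finding{user, "password hash stored in world-readable /etc/passwd"})
		}
	}
	return findings
}

func main() {
	for _, f := range append(AuditShadow(SampleShadow), AuditPasswd(SamplePasswd)...) {
		fmt.Printf("%-10s %s\n", f.User, f.Reason)
	}
}
```

The shared-hash check is the one that catches "admin" and "root" being given the same factory password in two accounts, which a per-line regex for weak hash prefixes would miss.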

Building from source

OpenWrt can build many different CPU platforms and boards. Building from source gives users the flexibility to flash IoTGoat on supported OpenWrt hardware. Ensure 10-15GB disk space is available with at least 4GB of RAM and a supported Linux distribution such as Ubuntu 18.04. Use the following steps to get started with building custom firmware.

Do everything as a normal user, don’t use root user or sudo when building!

$ git clone https://github.com/OWASP/IoTGoat.git
$ cd IoTGoat/OpenWrt/openwrt-18.06.2/
$ ./scripts/feeds update -a
$ ./scripts/feeds install -a
$ make menuconfig # select your preferred configuration for the toolchain, target system & firmware packages.
$ make # Build your firmware with make. This will download all sources, build the cross-compile toolchain and then cross-compile the Linux kernel & all chosen applications for your target system.

The first build will take some time to complete and will vary based on the provided internet connection for downloading the toolchain. Once a successful build is complete, the compiled firmware will be placed in the following directory, IoTGoat/OpenWrt/openwrt-18.06.2/bin/targets/, depending on the target selected in menuconfig. For example, IoTGoat Raspberry Pi 2 firmware will be located in the following directory: IoTGoat/OpenWrt/openwrt-18.06.2/bin/targets/brcm2708/bcm2709. IoTGoat build configuration files are made available for x86 (.config-x86) and Raspberry Pi 2 (.config-rpi) platforms.

Project leaders

  • Aaron Guzman (@scriptingxss)
  • Fotios Chantzis
  • Paulino Calderon

Contributors

  • Parag Mhatre (@paraaagggg)
  • Abhinav Mohanty (cyanide284)
  • Jason Andress (@jandress)
  • @0x48piraj

Screenshots




License

The MIT License (MIT)

KITT-Lite, a useful pocket for testing

Security Testing Framework

KITT Penetration Testing Framework – Lite Version (Regular Updates)

The KITT Penetration Testing Framework was developed as an open source solution for pentesters and programmers alike to compile the tools they use with what they know into an open source project. With KITT, users are able to easily access a list of commonly used tools to their profession which are all open to configuration in the source code.

UPDATE: Now Supporting Kali 2020.2!

If you want to check out the full GUI version of KITT its repo can be found here

Features

OSINT

Cracking

Phishing

  • Blackeye – Webpage Phishing Tool
  • SET – Social Engineers Toolkit
  • SocialBox – Social Media Password Bruteforcer
  • Seeker – Social Engineering IP GeoLocator (Give/Take 30m)
  • BruteDum – Common Protocol Bruteforcer
  • SayCheese – Takes Webcam pic on site visit
  • SayHello – Takes audio clip on site visit
  • Shellphish – Blackeye w/ Automated Ngrok
  • Nexphisher – Webpage Phishing Tool
  • Lockphish – Lock Screen Phishing Tool
  • SocialFish – Common Phishing Tool
  • Locator – Geolocator and IP Tracker
  • EvilApp – MiTM Phishing Attack Using APK
  • Droidfiles – Downloads Files from Android Dirs from .apk payload
  • Cuteit – IP Obfuscator
  • TrevorC2 – Cmd Injection Masked Phishing Site

Payloads

  • Evil-Droid – Android APK Payloading & Embedding Framework
  • Catchyou – Undetectable Win32 Payload Generator
  • Winspy – Windows Reverse Shell Generator w/ IP Poisoning
  • Evilreg – Windows .reg Reverse Shell Generator
  • Badlnk – Shortcut (.lnk) Reverse Shell Generator
  • Enigma – Multiplatform Payload Dropper
  • Avet_Fabric – Windows AV Evasive Payloads
  • Eviloffice – Injects Macro & DDE Code into Excel & Word Documents
  • Evilpdf – Embeds .exe Files into PDF Files
  • EvilDLL – DLL Reverse Shell Generator
  • DroidTracker – Android .APK Location Tracker
  • hmmcookies – Grabs Firefox, Chrome, and Opera Cookies

Keyloggers

Privilege Escalation/Exploitation

  • BIOS_UBTU_Rooter.sh – Custom Ubuntu usb boot exploit
  • LinEnum – Linux shell enumeration tool
  • Linux – Linux Exploits and Enumeration Scripts
  • Mimikatz_trunk – Windows post exploitation tool
  • mysql – MySQL exploits and enumeration scripts
  • passwd_backdoor.sh – Custom passwd/ backdoor exploit for post-exploitation
  • pspy – Process scanner for linux
  • windows-privesc-check – Windows PrivEsc Scripts
  • Windows-Privlege-Escalation – Windows PrivEsc Scripts
  • Chromepass – AV-Undetectable Chrome Login Extraction Tool (Local exec)
  • htbenum – Offline Local Enum Server (Mainly for HTB)
  • PeekABoo – Enables RDP Service (Only on WinRM Machines – Enabled by default on WinServer machines but not client machines)
  • firefox_decrypt – Mozilla Browser Saved Login Extractor
  • Powershell-reverse-tcp – Reverse TCP Powershell Payload w/ Obfuscation
  • Invoker – Post Windows Non-GUI Shell Utility
  • HiveJack – Windows SAM Dump Tool
  • Impacket – Python Network Protocol Tools
  • Win-Brute-Logon – Post Tool For Cracking User Passwords (XP -> 10)
  • Covermyass – Covers Your Tracks on UNIX Systems
  • Leviathan – System Audit Toolkit
  • ispy – EternalBlue/Bluekeep Scanner/Exploiter
  • NekoBotV1 – Auto Exploiter Tool
  • Gtfo – Unix Binary Search Tool
  • Grok-backdoor – Python-Based Backdoor with Ngrok Tunneling
  • Mimikatz – Windows password, hash, PIN, and kerberos ticket extraction tool

Ransomware

  • Hidden-cry – Windows AES 256 Bit Encrypter/Decrypter
  • CryDroid – Android Encrypter/Decrypter

Bots

Network Cracking

  • Airsuite-ng – Software suite w/ detector, packet sniffer, WEP and WPA/WPA2-PSK Cracker and analysis tool
  • Wash & Reaver – WPS Cracking tools
  • Wifite2 – Network Auditing Tool
  • Ettercap – MiTM Attack Suite
  • Airgeddon – Network Auditing Tool
  • WiFipumpkin3 – Network Cracking Framework
  • Wifijammer – Stationary or Mobile WiFi Jammer
  • PwnSTAR – Fake AP Tool Framework
  • HT-WPS – WPS Pin Extractor
  • Linset – WPA/WPA2 MiTM Attack Tool
  • PentBox – HoneyPot Setup Tool
  • Espionage – Packet Sniffer/ARP Spoofer
  • EvilNet – ARP Attacks, VLAN Attacks, MAC Flooding, etc.

IoT Exploitation

  • HomePwn – IoT Exploitation Framework
  • Spooftooph – BT Spoofing
  • BtVerifier – Rfcomm Channel Verifier
  • BlueScan – BT Port/MAC Scanner
  • Dronesploit – Drone Exploitation Framework

Hardware Hacking

  • MouseJack – BT Keyboard and Mouse Hijacker
  • GPIO_CTL – Custom GPIO Controller for RPi
  • Brutal – RubberDucky Payload Generator

System Security

  • SysIntegrity – File Integrity and Logging System Check
  • snort – Network Intrusion Detection System
  • ssh_port_randomizer – SSHD Port Randomizer
  • ssh rsa_key generator – RSA Key generator
  • proxy router – Traffic Proxy Router
  • ssh_encryption – Buffing SSHD Security Protocols
  • Fail2ban Configurations – Fail2ban Protocol Auditer
  • PTF – PenTesting Tool Installation Framework
  • ClamAV – CLI Virus/Malware Scanner
  • Wotop – Tunnels Internet Traffic Over HTTP
  • TorghostNG – Directs All Internet Traffic Through Tor Proxy

Getting Started

WARNING: Installation Takes About 20 Minutes To Finish!

To begin, run sudo ./setup.sh to install all necessary libraries and configure PATH usage. Simply follow all instructions in the installer.

If you want to only install the tools, run sudo ./catchup.sh

Usage

To begin the framework, type kittlite and execute in terminal.

Legal Disclaimer

Usage of KITT-Lite and/or the tools installed with KITT-Lite for attacking targets without prior mutual consent is illegal. It’s the end user’s responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Built With

  • RPi 3B+ – Micro-Computer Developed by the Raspberry Pi Foundation
  • Kali Linux – Pentesting OS Developed by Offensive Security
  • GitHub – This Website!

Authors

License

This project is licensed under the GNU General Public License v3 – see the LICENSE file for details

Acknowledgments

All credits are given to the authors and contributors to tools used in this software

CapsuleCorp Pentest Environment – Improve your skills

1. Capsulecorp Pentest

The Capsulecorp Pentest is a small virtual network managed by vagrant and ansible. It contains five virtual machines, including one Linux attacking system running xubuntu and 4 Windows 2019 servers configured with various vulnerable services. This project can be used to learn network penetration testing as a stand-alone environment but is ultimately designed to complement my book The Art of Network Penetration Testing.

Why is this cool?

Setting up a virtual network to learn penetration testing can be tedious as well as time/resource consuming. Everything in the capsulecorp environment is pretty much done for you already. Once you get Vagrant, Ansible and VirtualBox installed on your machine you only need to run a couple of vagrant commands to have a fully functioning Active Directory domain that you can use for hacking/learning/pentesting etc.

1.1. Current Functionality

  • Active directory domain with one DC and 3 server members
    • Domain Controller: goku.capsulecorp.local
    • Server 01: vegeta.capsulecorp.local
    • Server 02: gohan.capsulecorp.local
    • Server 03: trunks.capsulecorp.local
    • Wrkstn 01: tien.capsulecorp.local
  • Vulnerable Jenkins server on vegeta
  • Vulnerable Apache Tomcat server on trunks
  • Vulnerable MSSQL server on gohan
  • Vulnerable MS17-010 on tien
  • Xubuntu pentest system running XRDP.
    • Metasploit
    • CrackMapExec
    • Nmap
    • Remmina RDP client
    • RVM
    • Python/Pip/Pipenv
    • Impacket

1.2. Requirements

In order to use the Capsulecorp Pentest network you must have the following:

1.3. OSX Configuration

In order to manage Windows hosts you’ll have to install pywinrm with pip inside the ansible virtual environment

source ~/ansible/bin/activate
pip install pywinrm
deactivate

2. Installation

For a detailed installation walkthrough check out the MacOS Setup Guide

2.1. Configure the windows hosts

The first thing you should do is bring up and provision Goku the domain controller. This system will likely take the longest to bring up because the dcpromo stuff just takes a while.

Bring up the VM

vagrant up goku

Provision the VM

vagrant provision goku

Repeat the above two commands for gohan, vegeta and trunks.

…WARNING…

This section of the provision is expected to take a while because after a dcpromo it takes a long time for the system to reboot.

TASK [promotedc : Set a static address to 172.28.128.100] **********************
changed: [goku]

TASK [promotedc : Change hostname to goku] *************************************
ok: [goku]

TASK [promotedc : Install Active Directory Services] ***************************
ok: [goku]

TASK [promotedc : Promote goku to domain controller] ***************************
changed: [goku]

TASK [promotedc : Reboot after promotion] **************************************

2.2. Configure your pentest platform

Bring up the virtual machines using vagrant. First cd into the project directory, for example: cd ~/capsulecorp-pentes. Take note of the RDP port that gets forwarded to your localhost.

vagrant up pentest

Provision the pentest machine.

vagrant provision pentest

You can access your pentest machine either using your preferred RDP client to connect to the xrdp listener or via SSH with:

vagrant ssh pentest

SNEA INDIA (BSNL Executive Association) Hacked and Breached

Found a recent pastebin-like document posted on a dark web forum with the whole DB of

http://sneaindia.com

The hack and breach have not been claimed by any well-known hacker group.

From the document it seems they used a couple of different SQL injections. The breach isn't large but shows poor security.

Some of the DB users:

Padmanabha Rao
Sebastin K
Rajan
Umapathi Anand
Digamber

Stem-Immune DataBreach

The Stem-Immune website admin and customer db was breached and exposed.

From company Website:”StemImmune LLC is a biotechnology company that specializes in the development and manufacturing of the high quality cytokines, recombinant proteins, mediums and other kits for the lab and preclinical research. StemImmune LLC products are widely applied in stem cell and immune cell culture. Currently, StemImmune LLC is working to translate our products into human disease treatment, especially in the field of tumor immunotherapy. StemImmune LLC continues to create new and unique products to meet the demands of the life-science and cell therapy markets.

In addition, StemImmune LLC also provides many custom services to meet specific demand of your research. These services include: recombinant protein production based on E.coli/mammalian 293 cell, immune cell and stem cell culture, etc.

StemImmune LLC mission is to offer you the best products and solutions. StemImmune LLC vision is to be your trusted supplier for cytokines, proteins, mediums and other reagents.”

Data breached include:

Admin password and details
Orders
usernames and passwords
user addresses
user email

https://www.stem-immune.com/

Centuria Covid Research – 500 K IoC

Covid malicious indicators version 1.0

Centuria Laboratories collects different intelligence sources (including Centuria research) and merges them into a single IoC file.

The Covid pandemic brought a lot of attacks and frauds; this file will help prevent phishing and malware.

The research is not yet complete and is growing through different levels of intelligence; version 1.0 is now available.

IoX – Tool for port forward & intranet proxy, just like lcx/ew, but better

DOWNLOAD

 

Why write?

lcx and ew are awesome, but can be improved.

When I first used them I couldn't remember their complicated parameters for a long time, such as tran, slave, rcsocks, sssocks.... The work mode is clear, so why do they design parameters like this (especially ew's -l -d -e -f -g -h)?

Besides, I think the net programming logic could be optimized.

For example, while running lcx -listen 8888 9999 command, client must connect to :8888 first, then :9999, in iox, there’s no limit to the order in two ports. And while running lcx -slave 1.1.1.1 8888 1.1.1.1 9999 command, lcx will connect two hosts serially, but it’s more efficient to connect in concurrent, as iox does.

And what’s more, iox provides traffic encryption feature. Actually, you can use iox as a simple ShadowSocks.

Of course, because iox is written in Go, the static-link-program is a little large, raw program is 2.2MB (800KB for UPX compression)

Feature

  • traffic encryption (optional)
  • humanized CLI option
  • logic optimization
  • UDP traffic forward

Usage

As you can see, all params are uniform: -l/--local means listen on a local port; -r/--remote means connect to a remote host.

Two mode

fwd

Listen on 0.0.0.0:8888 and 0.0.0.0:9999, forward traffic between 2 connections

./iox fwd -l 8888 -l 9999


for lcx:
./lcx -listen 8888 9999

Listen on 0.0.0.0:8888, forward traffic to 1.1.1.1:9999

./iox fwd -l 8888 -r 1.1.1.1:9999


for lcx:
./lcx -tran 8888 1.1.1.1 9999

Connect to 1.1.1.1:8888 and 1.1.1.1:9999, forward traffic between the 2 connections

./iox fwd -r 1.1.1.1:8888 -r 1.1.1.1:9999


for lcx:
./lcx -slave 1.1.1.1 8888 1.1.1.1 9999

proxy

Start Socks5 server on 0.0.0.0:1080

./iox proxy -l 1080


for ew:
./ew -s ssocksd -l 1080

Start a Socks5 server on the be-controlled host, then forward it to an internet VPS.

The VPS forwards 0.0.0.0:9999 to 0.0.0.0:1080.

You must use these two commands as a pair, because they contain a simple protocol to control connecting back.

./iox proxy -r 1.1.1.1:9999
./iox proxy -l 9999 -l 1080       // notice, the two ports are in order


for ew:
./ew -s rcsocks -l 1080 -e 9999
./ew -s rssocks -d 1.1.1.1 -e 9999

Then connect intranet host

# proxychains.conf
# socks5://1.1.1.1:1080

$ proxychains rdesktop 192.168.0.100:3389

enable encryption

For example, we forward 3389 port in intranet to our VPS

// be-controller host
./iox fwd -r 192.168.0.100:3389 -r *1.1.1.1:8888 -k 656565


// our VPS
./iox fwd -l *8888 -l 33890 -k 656565

It's easy to understand: traffic between the be-controlled host and our VPS:8888 will be encrypted. The pre-shared secret key is 'AAA' (656565 in hex); iox uses it to generate the seed key and IV, then encrypts with AES-CTR.

So, the * should be used in pairs

./iox fwd -l 1000 -r *127.0.0.1:1001 -k 000102
./iox fwd -l *1001 -r *127.0.0.1:1002 -k 000102
./iox fwd -l *1002 -r *127.0.0.1:1003 -k 000102
./iox proxy -l *1003


$ curl google.com -x socks5://127.0.0.1:1000
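To make clear what the -k option buys and what it does not, here is an added Go example (not iox's own code): it decodes the hex pre-shared secret, derives an AES-256 key and a CTR IV, and wraps a byte stream the way a forwarder wraps a connection. The derivation (SHA-256 over labelled copies of the secret) is an assumption for this example, not iox's scheme. The program also shows the two properties of CTR a defender should keep in mind when reviewing such tunnels: a flipped ciphertext bit flips exactly one plaintext bit with no error on the receiving side (no integrity), and two streams encrypted under the same key and the same IV leak the XOR of their plaintexts, so a per-connection random IV is required.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// DeriveKeyIV turns the hex pre-shared secret given to -k ("656565" is the
// bytes 'AAA') into an AES-256 key and a 16-byte CTR IV. The derivation
// (SHA-256 over a labelled copy of the secret) is an assumption made for
// this example; it is not a description of iox's own scheme.
func DeriveKeyIV(hexSecret string) (key, iv []byte, err error) {
	secret, err := hex.DecodeString(hexSecret)
	if err != nil {
		return nil, nil, fmt.Errorf("-k must be hex: %w", err)
	}
	k := sha256.Sum256(append([]byte("key:"), secret...))
	v := sha256.Sum256(append([]byte("iv:"), secret...))
	return k[:], v[:aes.BlockSize], nil
}

func newCTR(key, iv []byte) (cipher.Stream, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewCTR(block, iv), nil
}

// EncryptStream is the sending side of a forwarded connection: the
// keystream is XORed into every write, so ciphertext length equals
// plaintext length and no framing is needed.
func EncryptStream(key, iv, plaintext []byte) ([]byte, error) {
	s, err := newCTR(key, iv)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	w := &cipher.StreamWriter{S: s, W: &out}
	if _, err := w.Write(plaintext); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// DecryptStream is the receiving side; CTR is symmetric, so the peer
// regenerates the same keystream and XORs it back out as it reads.
func DecryptStream(key, iv, ciphertext []byte) ([]byte, error) {
	s, err := newCTR(key, iv)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(&cipher.StreamReader{S: s, R: bytes.NewReader(ciphertext)})
}

// XorBytes returns c1 XOR c2 over their common length. Applied to two
// ciphertexts produced under the same key and IV it yields the XOR of the
// plaintexts without any key: a CTR keystream must never be reused.
func XorBytes(c1, c2 []byte) []byte {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

func main() {
	key, iv, err := DeriveKeyIV("656565")
	if err != nil {
		panic(err)
	}
	ct, _ := EncryptStream(key, iv, []byte("hello intranet"))
	pt, _ := DecryptStream(key, iv, ct)
	fmt.Printf("round trip: %q\n", pt)

	// CTR gives confidentiality only: flipping a ciphertext bit flips the
	// same plaintext bit, and the receiver cannot tell.
	ct[0] ^= 0x01
	tampered, _ := DecryptStream(key, iv, ct)
	fmt.Printf("after one flipped bit: %q\n", tampered)

	// Same key and same IV on two connections: the XOR of the ciphertexts
	// equals the XOR of the plaintexts, constructed sample messages here.
	c1, _ := EncryptStream(key, iv, []byte("first connection"))
	c2, _ := EncryptStream(key, iv, []byte("other connection"))
	fmt.Printf("keystream reuse leak: %x\n", XorBytes(c1, c2))
}
```

When reviewing a tunnel like this for use on a real network, check how the IV is chosen per connection and whether any authentication tag (an HMAC or an AEAD mode such as AES-GCM) covers the stream; plain CTR provides neither.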

Using iox as a simple ShadowSocks

// ssserver
./iox proxy -l *9999 -k 000102


// sslocal
./iox fwd -l 1080 -r *VPS:9999 -k 000102

UDP forward

Only need to add CLI option -u

./iox fwd -l 53 -r *127.0.0.1:8888 -k 000102 -u
./iox fwd -l *8888 -l *9999 -k 000102 -u
./iox fwd -r *127.0.0.1:9999 -r 8.8.8.8:53 -k 000102 -u

NOTICE: When you make a multistage connection, the Remote2Remote-UDP-mode must be started last, which is the No.3 command in above example

UDP forwarding may have behavior that is not as you expected, because there are many differences between stream & packet.

You can find why in the source code, if you have any ideas, PR / issue are welcomed

License

The MIT license

Mouse Framework is an iOS and macOS post-exploitation framework

DOWNLOAD

Mouse Framework


About Mouse Framework

Mouse Framework is an iOS and macOS post-exploitation framework that gives you 
a command line session with extra functionality between you and a target machine 
using only a simple Mouse Payload. Mouse gives you the power and convenience of 
uploading and downloading files, tab completion, taking pictures, location tracking, 
shell command execution, escalating privileges, password retrieval, and much more.

Getting started

Mouse installation

cd mouse

chmod +x install.sh

./install.sh

Mouse uninstallation

cd mouse

chmod +x uninstall.sh

./uninstall.sh


Mouse Framework execution

To execute Mouse Framework you 
should execute the following command.

mouse


Why Mouse Framework

  • A lot of different payloads.
There are a lot of different payloads in Mouse Framework 
such as Bourne-Again Shell and Rubber Duck payloads.
  • Accessing device shell.
Mouse Framework can be used to remotely 
access iOS/macOS device shell.
  • A lot of different functions.
There are a lot of different functions in Mouse 
CLI such as displaying alerts, recording mic sound 
and taking pictures on remote iOS/macOS device.

Mouse Payloads (macOS/iOS)


Mouse Payloads are intended to 
get remote target machine session.

Bourne-Again Shell payload

Selecting Bourne-Again Shell payload from the payload 
menu will give us a 1 liner that establishes a remote 
Mouse session upon execution on the target machine.

Platform: iOS/macOS

Teensy macOS payload (USB injection)

Teensy is a development USB board that can be programmed 
with the Arduino IDE. It emulates usb keyboard strokes extremely 
fast and can inject the Mouse payload just in a few seconds!

Platform: macOS

Rubber Duck payload (USB injection)

USB Rubber Duck is a development USB board that can inject the inject.bin 
payload uploaded to the duck's SD card in a few seconds!

Platform: macOS

Application macOS payload

Selecting Application macOS from the payload menu will give you the
standard Mouse payload converted into a macOS application.

Platform: macOS

MultiHandler CLI


The MultiHandler option lets us handle multiple sessions. 
You can choose to interact with different devices while 
listening for new connections in the background.

MultiHandler commands

close          : Close active session.
exit           : Close all sessions and exit.
help           : Show all available commands.
interact       : Interact with a session. 
sessions       : List active sessions.

Mouse Substrate

Mouse Substrate is a package that can be installed 
on the target iOS device after receiving remote control 
to run substrate commands and services.

Substrate commands

dhome          : Simulate a double home button press.
home           : Simulate a home button press.
locat          : Toggle location services.
mute           : Update and view mute status.

Mouse CLI


After a session is established, we can execute commands on that device through 
the Mouse CLI. We can show all available commands by typing "help". Mouse CLI 
allows you to control a remote device through Mouse CLI commands. You can 
explore the list of available Mouse CLI commands below.

Local commands


clear          : Clear terminal window.
help           : Show all available commands.
exec           : Execute local shell commands.
exit           : Close current session and exit.

Settings commands


macOS

getpaste       : Get pasteboard contents.
getvol         : Get speaker output volume.
idletime       : Get the amount of user activity time.
setbright      : Set screen brightness.
setvol         : Set output volume.

iOS

battery        : Get battery level.
getvol         : Get volume level.
msub           : Mouse Substrate.
setvol         : Set output volume.
sysinfo        : Show system information.

Trolling commands


macOS

alert          : Make alert show up on device.
chwall         : Change desktop wallpaper.
close          : Close application.
imessage       : Send message through the messages app.
itunes         : Control iTunes player.
keyboard       : Control keyboard.
open           : Open application.
say            : Convert text to speech.

iOS

alert          : Make alert show up on device.
dial           : Dial a phone number.
ipod           : Control music player.
kill           : Terminate or signal a process.
killall        : Kill process by name.
lastapp        : Open last opened application.
open           : Open application.
openurl        : Open URL on device.
say            : Convert text to speech.
vibrate        : Vibrate device.

Stealing commands


macOS

download       : Download remote file.
getfacebook    : Retrieve facebook session cookies.
mic            : Record mic sound.
picture        : Take picture through iSight.
prompt         : Prompt user to type password.
screenshot     : Take screenshot.

iOS

download       : Download remote file.
getcontacts    : Download addressbook.
getnotes       : Download notes.
getpasscode    : Retrieve the device passcode.
getsms         : Download SMS data.
locate         : Get device location coordinates.
mic            : Record mic sound.
picture        : Take picture through the camera.

Boot commands

macOS

reboot         : Reboot device.
sleep          : Put device into sleep mode.
suspend        : Suspend current session.

iOS

reboot         : Reboot device.
respring       : Restart SpringBoard.
safemode       : Put device into SafeMode.

Other commands


macOS

icons          : List system alert icons.
pid            : Get Mouse process ID.
shell          : Open target device shell.
su             : Login as root.
upload         : Upload local file.

iOS

bundleids      : List bundle identifiers.
islocked       : Check if the device is locked.
pid            : Get Mouse process ID.
shell          : Open target device shell.
upload         : Upload local file.

Mouse Framework disclaimer

Usage of the Mouse Framework for attacking targets without prior mutual consent is illegal. 
It is the end user's responsibility to obey all applicable local, state, federal, and international laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this program.

Mouse Framework license

    ---------------------------------------------------
                      Mouse Framework                            
    ---------------------------------------------------
        Copyright (C) <2019-2020>  <Entynetproject>      

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.                

 

New Protonmail phishing for credential stealing

Another attempt for phishing and credentials stealing for protonmail users.

Not well forged, because it is clearly a fake email:

customerservice@matteformen

Probably a hacked SMTP/web server.


The attachment is clear on a first analysis, and the link to revalidate the credentials points to

http://wordspirits.com/onegod/proton

 

Kamerka-GUI – Ultimate Internet of Things/Industrial Control Systems reconnaissance tool.

DOWNLOAD HERE

Powered by Shodan – Supported by Binary Edge & WhoisXMLAPI

writeup – https://medium.com/@woj_ciech/hack-the-planet-with-%EA%93%98amerka-gui-ultimate-internet-of-things-industrial-control-systems-5ff7d9686b29
Demo – https://woj-ciech.github.io/kamerka-demo/kamerka.html

Update 15-11.2019 – Maritime support

https://twitter.com/the_wojciech/status/1195381924098904065

Update 24-11.2019 – NMEA support

https://twitter.com/the_wojciech/status/1198598585182494720

Update 01-12-2019 – Axis, RDP, VNC, Screenshot support

https://twitter.com/the_wojciech/status/1201159932499963905

Update 11-12-2019 – Lots of new devices

https://twitter.com/the_wojciech/status/1204774550241722368

Requirements

  • beautiful soup
  • python3
  • django
  • pynmea2
  • celery
  • redis
  • Shodan
  • BinaryEdge
  • WHOISXMLAPI
  • Flickr
  • Google Maps API

pip3 install -r requirements.txt

Make sure your API keys are correct and put them in keys.json in main directory.

Run

python3 manage.py makemigrations
python3 manage.py migrate
python3 manage.py runserver

In a new window (in the main directory) run the celery worker: celery worker -A kamerka --loglevel=info

In a new window fire up redis: redis-server

And the server should be available on https://localhost:8000/

Search

Search for Industrial Control Devices in specific country

  • “All results” checkbox means get all results from Shodan, if it’s turned off – only first page (100) results will be downloaded.
  • “Own database” checkbox does not work but shows that is possible to integrate your own geolocation database. Let me know if you have access to better than Shodan’s default one.

Search for Internet of things in specific coordinates

Type your coordinates in format “lat,lon”, hardcoded radius is 20km. 

Dashboard

Maps

Los Angeles map

Industrial Control Systems in Canada

Device map & details

Full list of supported devices with corresponding queries

"webcam": "device:webcam",
"webcamxp":"webcamxp",
"vivotek":"vivotek",
"techwin":"techwin",
"mobotix":"mobotix",
"iqinvision":"iqinvision",
"grandstream":"Grandstream",
'printer': "device:printer",
'mqtt': 'product:mqtt',
'rtsp': "port:'554'",
'dicom': "dicom",
"ipcamera": "IPCamera_Logo",
"yawcam": "yawcam",
"blueiris": "http.favicon.hash:-520888198",
'ubnt': "UBNT Streaming Server",
"go1984": "go1984",
"dlink": "Server: Camera Web Server",
"avtech": "linux upnp avtech",
"adh": "ADH-web",
"axis":'http.title:"axis" http.html:live',
"rdp":"has_screenshot:true port:3389",
"vnc":"has_screenshot:true port:5901",
"screenshot":"has_screenshot:true !port:3389 !port:3388 !port:5900",

"niagara": "port:1911,4911 product:Niagara",
'bacnet': "port:47808",
'modbus': "port:502",
'siemens': 'Original Siemens Equipment Basic Firmware:',
'dnp3': "port:20000 source address",
"ethernetip": "port:44818",
"gestrip": 'port:18245,18246 product:"general electric"',
'hart': "port:5094 hart-ip",
'pcworx': "port:1962 PLC",
"mitsubishi": "port:5006,5007 product:mitsubishi",
"omron": "port:9600 response code",
"redlion": 'port:789 product:"Red Lion Controls"',
'codesys': "port:2455 operating system",
"iec": "port:2404 asdu address",
'proconos': "port:20547 PLC",

"plantvisor": "Server: CarelDataServer",
"iologik": "iologik",
"moxa": "Moxa",
"akcp": "Server: AKCP Embedded Web Server",
"spidercontrol": "powered by SpiderControl TM",
"tank": "port:10001 tank",
"iq3": "Server: IQ3",
"is2": "IS2 Web Server",
"vtscada": "Server: VTScada",
'zworld': "Z-World Rabbit",
"nordex": "Jetty 3.1.8 (Windows 2000 5.0 x86)",

"axc":"PLC Type: AXC",
"modicon":"modicon",
"xp277":"HMI, XP277",
"vxworks":"vxworks",
"eig":"EIG Embedded Web Server",
"digi":"TransPort WR21",
"windweb":"server: WindWeb",
"moxahttp":"MoxaHttp",
"lantronix":"lantronix",
"entelitouch":"Server: DELTA enteliTOUCH",
"energyict_rtu":"EnergyICT RTU",
"crestron":"crestron",
"wince":'Server: "Microsoft-WinCE"',
"ipc@chip":"IPC@CHIP",
"addup":"addUPI",
"anybus":'"anybus-s"',
"windriver":"WindRiver-WebServer",
"wago":"wago",
"niagara_audit":"niagara_audit",
"niagara_web_server":"Niagara Web Server",
"trendnet":"trendnet",
"stulz_klimatechnik":"Stulz GmbH Klimatechnik",
"somfy":"title:Somfy",
"scalance":"scalance",
"simatic":"simatic",
"simatic_s7":"Portal0000",
"schneider_electric":"Schneider Electric",
"power_measurement":"Power Measurement Ltd",
"power_logic":"title:PowerLogic",
"telemecanique_bxm":"TELEMECANIQUE BMX",
"schneider_web":"Schneider-WEB",
"fujitsu_serverview":"serverview",
"eiportal":"eiPortal",
"ilon":"i.LON",
"Webvisu":"Webvisu",
"total_access": 'ta gen3 port:2000'

Medical
"zoll":"http.favicon.hash:-236942626",
"perioperative":"HoF Perioperative",
"wall_of_analytics":"title:'Wall of Analytics'",
"viztek_exa":"X-Super-Powered-By: VIZTEK EXA",
"desert_view_bkup":"title:'DESERT VIEW BKUP'",
"intuitim":"http.favicon.hash:159662640",
"Medcon Archiving System":"http.favicon.hash:-897903496",
"orthanc_explorer":"title:'Orthanc Explorer'",
"Marco Pacs":"title:'Marco pacs'",
"osirix":"title:OsiriX",
"clari_pacs":"title:ClariPACS",
"siste_lab":"http.html:SisteLAB",
"opalweb":"html:opalweb",
"neuropro":"title:'EEG Laboratory'",
"tmw_document_imaging":"title:'TMW Document Imaging'",
"erez":"title:'eRez Imaging'",
"gluco_care":"html:'GlucoCare igc'",
"glucose_guide":"title:'glucose guide'",
"grandmed_glucose":"title:'Grandmed Glucose'",
"philips_digital_pathology":"title:'Philips Digital Pathology'",
"tricore_pathology":"title:'TriCore Pathology'",
"appsmart_ophthalmology":"title:'Appsmart Ophthalmology'",
"chs_ophthalmology":"title:'CHS Ophthalmology'",
"ram_soft":"html:powerreader",
"xnat":"http.favicon.hash:-230640598",
"iris_emr":"title:'Iris EMR'",
"eclinicalworks_emr":"title:'Web EMR Login Page'",
"open_emr":"http.favicon.hash:1971268439",
"oscar_emr":"title:'OSCAR EMR'",
"wm_emr":"http.favicon.hash:1617804812",
"doctors_partner_emr":"title:'DoctorsPartner'",
"mckesson_radiology":"title:'McKesson Radiology'",
"kodak_carestream":"title:'Carestream PACS'",
"meded":"title:meded",
"centricity_radiology":"http.favicon.hash:-458315012",
"openeyes":"http.favicon.hash:-885931907",
"orthanc":"orthanc",
"horos":"http.favicon.hash:398467600",
"open_mrs":"title:openmrs",
"mirth_connect":"http.favicon.hash:1502215759",
"acuity_logic":"title:AcuityLogic",
"optical_coherence_tomography":"title:'OCT Webview'",
"philips_intellispace":"title:INTELLISPACE",
"vitrea_intelligence":"title:'Vitrea intelligence'",
"phenom_electron_microscope":"title:'Phenom-World'",
"meddream_dicom_viewer":"html:Softneta",
"merge_pacs":"http.favicon.hash:-74870968",
"synapse_3d":"http.favicon.hash:394706326",
"navify":"title:navify",
"telemis_tmp":"http.favicon.hash:220883165",
"brainlab":"title:'Brainlab Origin Server'",
"nexus360":"http.favicon.hash:125825464",
"brain_scope":"title:BrainScope",
"omero_microscopy":"http.favicon.hash:2140687598",
"meditech":"Meditech",
"cynetics":"cynetics",
"promed":"Promed",
"carestream":"Carestream",
"carestream_web":"title:Carestream",
"vet_rocket":"http.html:'Vet Rocket'",
"planmeca":"Planmeca",
"vet_view":"http.favicon.hash:1758472204",
"lumed":"http.html:'LUMED'",
"infinitt":"http.favicon.hash:-255936262",
"labtech":"labtech",
"progetti":"http.html:'Progetti S.r.l.'",
"qt_medical":"http.html:'QT Medical'",
"aspel":"ASPEL",
"huvitz_optometric":"http.html:'Huvitz'",
"optovue":"Optovue",
"optos_advance":"http.title:'OptosAdvance'",
"asthma_monitoring_adamm":"http.title:'HCO Telemedicine'",
"pregnabit":"http.html:'Pregnabit'",
"prime_clinical_systems":"http.html:'Prime Clinical Systems'",
"omni_explorer":"http.title:OmniExplorer",
"avizia":"http.html:'Avizia'",
"operamed":"Operamed",
"early_sense":"http.favicon.hash:-639764351",
"tunstall":"http.html:'Tunstall'",
"clini_net":"http.html:'CliniNet®'",
"intelesens":"title:'zensoronline)) - online monitoring'",
"kb_port":"http.html:'KbPort'",
"nursecall_message_service":"http.title:'N.M.S. - Nursecall Message Service'",
"image_information_systems":"http.html:'IMAGE Information Systems'",
"agilent_technologies":"Agilent Technologies port:5025",
"praxis_portal2":"http.html:'Medigration'",
"xero_viewer":"http.title:'XERO Viewer'"

Excluded:
title:"pacemaker-id"
html:klinikinew
title:"EEG Viewer"
http.favicon.hash:-1989988507
plexus platenet
http.favicon.hash:-189701579
title:"Insulin Dosage"
pathology image seve
http.favicon.hash:538032019
title:"MsFLASH"
title:"THIP EMR"
title:"CARDIOHF"
title:"CN EMR Office"
Power2Practice
http.favicon.hash:-1982401487
Cosmed EMR
http.favicon.hash:-1747178511
title:" Premier Radiology synapse"
title:"PRIME - Electrical Resistivity Tomography"
title:"OCT II System"
http.favicon.hash:-582594220
title:"Atomic Force Microscope"
title:axeda
http.favicon.hash:-1351683412
title:"InTouch Health Log Manager"
title:"Pharma Vtiger"
title:sema4
NAVIFY
Nextech
http.html:'Radiometer Medical '
HeartStart
http.favicon.hash:-893361748

Used components

Known bugs:

  • It’s version 1.0, so please raise an issue if you think you found a bug or have an idea to make it better.
  • Sometimes the search page keeps the last values, so please use Ctrl+Shift+R to refresh the main search page.
  • Debug info is left on purpose to help when raising issues.
  • There are still some problems with getting CVEs from Shodan search results.
  • Flickr infowindow size

Contribution

I really care about your feedback. If you have any idea how to make the tool better, I’m more than happy to hear it. It’s also possible to upload and host the tool online; if you want to help, DM me.

TODO

  • Live monitoring
  • Offensive capabilities
  • More devices
  • More sources (Instagram?, Youtube?)
  • Integration with Nmap and plcscan
  • Extensive error checking/debugging
  • Cleanup code, delete legacy/unused dependencies js, css files
  • Keeping keys in db
  • Your ideas

Remarks

  • Tested only on Kali Linux 2019.3
  • It uses the default SQLite Django database
  • Buttons in the Intel tab for a device do not show progress bars; you will have results within a couple of seconds at most.
  • The “Own database” button does not work; it shows that it’s possible to load your own geolocation database. I haven’t found a better one than Shodan’s, but let me know if you have access to one.
  • Looking for nearby Tweets works, but I wasn’t able to find any tweets. It may be a problem with the Twitter API. Let me know if you can find anything.
  • Don’t blame me for an unintentional bug that might exhaust your Shodan/BinaryEdge/WHOISXMLAPI credits.
  • I’m not responsible for any damage caused by using this tool.

Misconfigured Horus Medical web portal exposes more than 10.000 shared medical records

When you work with healthcare records, security must be the first consideration in everything you do.

In this case, security and even minimal good practice were missing. The result is a shame:

Around 45 hospitals/clinics expose patient records online!

This incident came to light during our research on healthcare security levels worldwide.

We found no contact information identifying who hosts the server, so we contacted all the hospitals/clinics and alerted them. We hope it will be fixed soon.


Misconfigured Laravel framework exposes more than 200.000 logs with sensitive information, credentials included

The open source PHP framework Laravel is not bad and is often the best solution for developing web apps.

Many teams use it to develop their software; the real problem is those who don’t have a clue about security and minimal preventive measures.

Our recent research reveals that more than 200.000 web apps that use the Laravel framework are misconfigured and expose LOGS!

Logs are always sensitive, especially those that reveal critical information, connection details and PASSWORDS!

In our research many corporate companies are involved, and all their PRODUCTION information is well recorded and exposed where anyone can easily access it…

The problem is not only related to the default configuration but also to web server misconfiguration.
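The two settings behind this class of exposure are the application’s own debug flag and the web server’s document root: Laravel keeps its log at storage/logs/laravel.log under the project root, and only the public/ subdirectory is meant to be served, so a server whose root points at the project root hands the log file to anyone who asks for that path. The check below is an added example for auditing your own deployment; it is not the blog’s or Laravel’s code. It assumes a single nginx-style `root` directive and the default Laravel directory layout, and it builds a constructed project tree in a temporary directory (with a fake .env and log line) so it runs offline.

```python
"""Audit a Laravel deployment for the misconfigurations that expose logs
(added example: APP_DEBUG left on, document root not set to public/)."""
import re
import tempfile
from pathlib import Path
from typing import List

LOG_REL = "storage/logs/laravel.log"   # default Laravel log location


def parse_env(text: str) -> dict:
    """Minimal .env parser: KEY=VALUE lines; comments and quotes handled."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def document_root(nginx_conf: str) -> str:
    """Pull the `root` directive out of an nginx server block (assumption:
    one directive, no variables)."""
    m = re.search(r"^\s*root\s+([^;]+);", nginx_conf, re.MULTILINE)
    if not m:
        raise ValueError("no root directive found")
    return m.group(1).strip()


def resolve(docroot: str, url_path: str) -> Path:
    """Map a request path onto the filesystem the way a static-file
    handler does; '..' components are rejected outright."""
    parts = [p for p in url_path.split("/") if p]
    if ".." in parts:
        raise ValueError("path traversal attempt")
    return Path(docroot).joinpath(*parts)


def audit(env_text: str, nginx_conf: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    env = parse_env(env_text)
    if env.get("APP_DEBUG", "false").lower() == "true":
        findings.append("APP_DEBUG=true: error pages leak config values to clients")
    root = document_root(nginx_conf)
    if Path(root).name != "public":
        findings.append(f"document root {root} is not the public/ directory")
    target = resolve(root, "/" + LOG_REL)
    if target.is_file():
        findings.append(f"{LOG_REL} is reachable over HTTP ({target})")
    return findings


def make_laravel_skeleton() -> Path:
    """Constructed minimal Laravel tree in a temp dir (not a real app)."""
    base = Path(tempfile.mkdtemp())
    (base / "public").mkdir()
    (base / "public" / "index.php").write_text("<?php // front controller\n")
    (base / "storage" / "logs").mkdir(parents=True)
    (base / "storage" / "logs" / "laravel.log").write_text(
        "[constructed] production.ERROR: PDOException SQLSTATE[HY000] ...\n")
    (base / ".env").write_text(
        "APP_ENV=production\nAPP_DEBUG=true\nDB_PASSWORD=constructed-secret\n")
    return base


def demo():
    """Run the audit against a weak and a corrected configuration."""
    base = make_laravel_skeleton()
    env_text = (base / ".env").read_text()
    weak_conf = f"server {{\n    root {base};\n    index index.php;\n}}\n"
    good_conf = f"server {{\n    root {base / 'public'};\n    index index.php;\n}}\n"
    good_env = env_text.replace("APP_DEBUG=true", "APP_DEBUG=false")
    return audit(env_text, weak_conf), audit(good_env, good_conf)


if __name__ == "__main__":
    weak, good = demo()
    print("weak config:", *weak, sep="\n  ")
    print("corrected config findings:", good)
```

With the document root on the project directory the audit reports all three findings; moving the root to public/ and turning APP_DEBUG off clears them, which is the configuration the rest of this post is asking deployers to verify.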


Research reveals that the most affected countries are:

  • Italy
  • Turkey
  • Brazil

In many cases server errors and other exploitable conditions are available to compromise more corporate companies.

This article doesn’t want to throw dirt on the framework; I just want to warn those who use a framework thinking it fixes everything and no further security is needed.

A suggestion for Laravel: you know that many people out there are not very security smart… so protect them and provide some sort of step-by-step guide to hide such areas, to avoid security teams trying to fix things when it is too late.