0x1

Collaborator
  • Content Count: 766
  • Avg. Content Per Day: 0
  • Days Won: 6

0x1 last won the day on December 3 2015

0x1 had the most liked content!

Community Reputation: 5,275 Excellent

5 Followers

About 0x1
  • Rank: LeVeL23 HacKerS TeaM
  • Birthday: 03/03/1900


  1. 0x1

    FudgeC2

    FudgeC2 - A collaborative C2 framework for purple-teaming written in Python3, Powershell and .NET

    FudgeC2 is a campaign orientated Powershell C2 framework built on Python3/Flask - Designed for team collaboration, client interaction, campaign timelining, and usage visibility.

    Note: FudgeC2 is currently in alpha stage, and should be used with caution in non-test environments. Beta will be released later this year, at BlackHat Arsenal.

    Users
    Users within Fudge are divided into 2 groups, admins and standard users. Admins have all of the usual functionality, such as user and campaign creation, and are required to create new campaigns. Within a campaign a user's permissions can be configured to one of the following: None/Read/Read+Write.
    Without read permissions, a user will not be able to see the existence of a campaign, nor will they be able to read implant responses, or registered commands.
    Users with read permission will only be able to view the commands and their output, and the campaign's logging page. This role would typically be assigned to a junior tester, or an observer.
    Users with write permissions will be able to create implant templates, and execute commands on all active implants.
    Note: in further development this will become more granular, allowing write permissions on specific implants.

    User Creation
    An admin can create a new user from within the Global Settings options. They will also have the option to configure a user with admin privileges.

    Campaigns
    What is a campaign? A campaign is a method of organising an engagement against a client, which allows access control to be applied on a per user basis. Each campaign contains a unique name, implants, and logs, while a user can be a member of multiple campaigns.

    Implants
    Implants are broken down into 3 areas:
      • Implant Templates
      • Stagers
      • Active Implants

    Implant Templates
    An implant template is what we will create to generate our stagers. The implant template will contain the default configuration for an implant. Once the stager has been triggered and an active implant is running on the host this can be changed. The list of required configurations are:
      • URL
      • Initial callback delay
      • Port
      • Beacon delay
      • Protocol: HTTP (default), HTTPS, DNS, Binary
    Once a template has been created the stager options will be displayed in the Campaign Stagers page.

    Stagers
    The stagers are small scripts/macros etc. which are responsible for downloading and executing the full implant. Once an implant has been generated the stagers page will provide a number of basic techniques which can be used to compromise the target. The stagers which are currently available are:
      • IEX method
      • Windows Word macro

    Active Implants
    Active implants are the result of successful stager executions. When a stager connects back to the Fudge C2 server a new active implant is generated, and delivered to the target host. Each stager execution & check-in creates a new active implant entry.

    Example
    As part of a campaign a user creates an implant template called "Moozle Implant" which is delivered to an HR department via a Word macro. This then results in five successful executions of the macro stager; as a result the user will see five active implants. These will be listed on the campaign's main implant page, with a six character unique blob. The unique implants will be listed something similar to below:
      Moozle Implant_123459
      Moozle Implant_729151
      Moozle Implant_182943
      Moozle Implant_613516
      Moozle Implant_810021
    Each of these implants can be individually interacted with, or using the "ALL" keyword to register a command against all active implants.

    Implant communication
    Implants will communicate back to the C2 server using whatever protocols the implant template was configured to use. If an implant is set up to use both HTTP and HTTPS, 2 listeners will be required to ensure that full communication with the implant occurs. Listeners are configured globally within Fudge from the Listeners page. Setting up and modifying the state of listeners requires admin rights, as changes to stagers may impact other on-going campaigns using the same Fudge server. Currently the listeners page displays active listeners, but will allow admins to:
      • Create listeners for HTTP/S, DNS, or binary channels on customisable ports
      • Start created listeners
      • Stop active listeners
      • Assign common names to listeners

    Implant configuration further info.
      • URL: An implant will be configured to call back to a given URL, or IP address.
      • Beacon time: [Default: 15 minutes] This is the time in between the implant calling back to the C2 server. Once an implant has been deployed it is possible to dynamically set this.
      • Protocols: The implant will be able to use one of the following protocols: HTTP, DNS, Binary protocol. A user can enable and disable protocols depending on the environment they believe they are working in.

    More info & Download [Hidden Content]
  2. 0x1

    Pixload

    Pixload -- Image Payload Creating tools

    DESCRIPTION
    Set of tools for creating/injecting payload into images.
    Useful references for better understanding of `pixload` and its use-cases: [Hidden Content]
    If you want to encode a payload in such a way that the resulting binary blob is both valid x86 shellcode and a valid image file, I recommend you to look here [Hidden Content]

    SETUP
    The following Perl modules are required:
      • GD
      • Image::ExifTool
      • String::CRC32
    On `Debian-based` systems install these packages:
      sudo apt install libgd-perl libimage-exiftool-perl libstring-crc32-perl
    On OSX please refer to this workaround [Hidden Content]
  3. Not deobfuscated by me, but I have found some interesting classes to help with reversing.

    Used software for deobfuscation: Java Deobfuscator Gui

    Config:
      java -Xmx16G -jar deobfuscator.jar -input C:\Users\User01\Desktop\java_deobfuscator\input.jar -output C:\Users\User01\Desktop\java_deobfuscator\output\deobfuscated.jar -transformer normalizer.SourceFileClassNormalizer -transformer zelix.string.EnhancedStringEncryptionTransformer -path C:\Users\User01\Desktop\java_deobfuscator\input.jar -path "C:\Program Files (x86)\Java\jre1.8.0_221\lib\rt.jar" -path "C:\Program Files\Java\jre1.8.0_221\lib\rt.jar" -path C:\Users\User01\Desktop\java_deobfuscator\javax-crypto.jar
    [Hidden Content]

    My Analysis
    Interesting .class files:
      b7s.class:
        putstatic b7s b7s.HEADLESS_WIZARD
        getstatic b7s b7s.REST_API
        getstatic b7s b7s.WIZARD
      e57.class
      g8c.class
      u_.class
      net/portswigger/burp/bc.class

    Download: [Hidden Content]
  4. 0x1

    presentation

    Welcome to the Forum, don't forget to read the rules of the forum here. Yes, long life to LeVeL-23 HacKerS TeaM
  5. 0x1

    CyberChef V.9.7.1

    The Cyber Swiss Army Knife

    CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

    The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years.

    How it works
    There are four main areas in CyberChef:
      • The input box in the top right, where you can paste, type or drag the text or file you want to operate on.
      • The output box in the bottom right, where the outcome of your processing will be displayed.
      • The operations list on the far left, where you can find all the operations that CyberChef is capable of in categorised lists, or by searching.
      • The recipe area in the middle, where you can drag the operations that you want to use and specify arguments and options.
    You can use as many operations as you like in simple or complex ways. Some examples are as follows:
      • Decode a Base64-encoded string
      • Convert a date and time to a different time zone
      • Parse a Teredo IPv6 address
      • Convert data from a hexdump, then decompress
      • Decrypt and disassemble shellcode
      • Display multiple timestamps as full dates
      • Carry out different operations on data of different types
      • Use parts of the input as arguments to operations
      • Perform AES decryption, extracting the IV from the beginning of the cipher stream
      • Automagically detect several layers of nested encoding

    Features
    Drag and drop: Operations can be dragged in and out of the recipe list, or reorganised. Files up to 2GB can be dragged over the input box to load them directly into the browser.
    Auto Bake: Whenever you modify the input or the recipe, CyberChef will automatically "bake" for you and produce the output immediately. This can be turned off and operated manually if it is affecting performance (if the input is very large, for instance).
    Automated encoding detection: CyberChef uses a number of techniques to attempt to automatically detect which encodings your data is under. If it finds a suitable operation which can make sense of your data, it displays the 'magic' icon in the Output field which you can click to decode your data.
    Breakpoints: You can set breakpoints on any operation in your recipe to pause execution before running it. You can also step through the recipe one operation at a time to see what the data looks like at each stage.
    Save and load recipes: If you come up with an awesome recipe that you know you'll want to use again, just click "Save recipe" and add it to your local storage. It'll be waiting for you next time you visit CyberChef. You can also copy the URL, which includes your recipe and input, to easily share it with others.
    Search: If you know the name of the operation you want or a word associated with it, start typing it into the search field and any matching operations will immediately be shown.
    Highlighting: When you highlight text in the input or output, the offset and length values will be displayed and, if possible, the corresponding data will be highlighted in the output or input respectively.
    Save to file and load from file: You can save the output to a file at any time or load a file by dragging and dropping it into the input field. Files up to around 2GB are supported (depending on your browser), however some operations may take a very long time to run over this much data.
    CyberChef is entirely client-side: It should be noted that none of your recipe configuration or input (either text or files) is ever sent to the CyberChef web server - all processing is carried out within your browser, on your own computer. Due to this feature, CyberChef can be compiled into a single HTML file. You can download this file and drop it into a virtual machine, share it with other people, or use it independently on your local machine.

    Live demo
    CyberChef is still under active development. As a result, it shouldn't be considered a finished product. There is still testing and bug fixing to do, new features to be added and additional documentation to write. Please contribute!
    Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness.
    A live demo can be found here - have fun! [Hidden Content] or On my Blog [Hidden Content]

    Source & Download [Hidden Content]
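The "automagically detect several layers of nested encoding" feature in the post above is the part of CyberChef an analyst leans on most when triaging an opaque blob, so here is the idea in code. This Python is an added example written for this page, not CyberChef's own implementation: a small layer-peeler that tries gzip, zlib, hex and base64 in turn and accepts a step only when its output looks plausible (printable text or a recognisable compressed stream). The sample input (a constructed indicator wrapped gzip -> hex -> base64) and every function name in it are assumptions of the example.

```python
import base64
import binascii
import gzip
import re
import string
import zlib

# Constructed sample (an assumption for this example, not CyberChef data): a short
# indicator wrapped in three layers, gzip -> hex -> base64, the kind of nesting an
# analyst would hand to CyberChef's "magic" detection.
PLAINTEXT = b"suspicious-domain.example.test\n"


def build_sample() -> bytes:
    """Produce the three-layer blob used as the worked input."""
    layer1 = gzip.compress(PLAINTEXT, mtime=0)   # binary, starts with 1f 8b
    layer2 = binascii.hexlify(layer1)             # lowercase hex text
    return base64.b64encode(layer2)               # base64 text


_HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable.encode())


def looks_printable(data: bytes, threshold: float = 0.95) -> bool:
    """True when at least `threshold` of the bytes are printable ASCII."""
    if not data:
        return False
    return sum(b in _PRINTABLE for b in data) / len(data) >= threshold


def plausible(data: bytes) -> bool:
    """Accept a decode result if it is text or a recognisable compressed stream."""
    return looks_printable(data) or data[:2] == b"\x1f\x8b" or data[:1] == b"\x78"


def peel_once(data: bytes):
    """Try the decoders in a fixed order; return (operation, output) or None.

    Hex is tested before base64 because every hex string is also made of
    base64-alphabet characters; the order is a heuristic, so the caller still
    checks that the output is plausible before accepting the step.
    """
    s = data.strip()
    if s[:2] == b"\x1f\x8b":                       # gzip magic
        try:
            return "gunzip", gzip.decompress(s)
        except (OSError, EOFError):
            pass
    if s[:1] == b"\x78":                           # common zlib header byte
        try:
            return "zlib-inflate", zlib.decompress(s)
        except zlib.error:
            pass
    if s and len(s) % 2 == 0 and _HEX_RE.match(s):
        return "from-hex", binascii.unhexlify(s)
    if s and len(s) % 4 == 0 and _B64_RE.match(s):
        try:
            return "from-base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            pass
    return None


def auto_decode(data: bytes, max_layers: int = 10):
    """Peel nested encodings layer by layer.

    Returns (recipe, output): the operations applied, in order, and the
    innermost data reached. Stops when no decoder applies, when a candidate
    decode produces implausible bytes, or after max_layers steps.
    """
    recipe = []
    current = data
    for _ in range(max_layers):
        step = peel_once(current)
        if step is None:
            break
        operation, decoded = step
        if not plausible(decoded):
            break
        recipe.append(operation)
        current = decoded
    return recipe, current


if __name__ == "__main__":
    recipe, output = auto_decode(build_sample())
    print(" -> ".join(recipe))      # from-base64 -> from-hex -> gunzip
    print(output.decode("ascii", errors="replace"))
```

The recipe it reconstructs for the sample is from-base64, from-hex, gunzip, which is exactly the chain you would drag into the recipe area by hand. The plausibility check is what keeps the loop from decoding plain text into garbage, but it cannot resolve every ambiguity: an even-length string made only of hex characters is treated as hex whether or not that was the author's intent, which is the same limitation any automatic detector has, and the reason the stepping and breakpoint features described above remain useful.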
  6. ACT | Semi-Automated Cyber Threat Intelligence

    ACT enables advanced threat enrichment, threat analysis, visualisation, process automation, lossless information sharing and powerful graph analysis. Its modular design and APIs facilitate implementing new workers for enrichment, analysis, information sharing, and countermeasures. Included in the platform is Scio, a component that ingests human-readable reports, like threat advisories and blog posts, and uses natural language processing and pattern matching to extract structured threat information to import to the platform. Our Github repositories also include support for information import and data enrichment from MISP, MITRE ATT&CK, VirusTotal, PassiveDNS, ShadowServer and Splunk, with more on the way.

    So why build yet another threat intelligence platform?
    In 2014 we set out to find a platform on the market to meet the needs of our SOC and threat intelligence team. Our requirements were not particularly unique: we needed a platform that would help us to collect and organise our knowledge of threats, facilitate analysis and sharing, and make it easy to retrieve that knowledge when needed. We spent too much time on manual processes, copy-pasting information between different systems. Much of our knowledge was in an unstructured form, like threat reports, that made it difficult and time consuming to figure out if we had relevant knowledge that could help us decide how to handle security alerts and security incidents. Sound familiar? After evaluating the existing platforms, we concluded they could not easily be adapted to meet our requirements. In speaking with our partners, customers and the security community, we saw we were not alone and decided to research and develop a new platform: ACT. This session will focus on threat analysis using the GUI to demonstrate how ACT can help SOC analysts, incident responders and threat analysts/hunters/researchers.

    ACT Virtual Appliance
    This image is a virtual appliance that can be installed in VirtualBox or VMware. The image contains a "clean" installation, with only the ACT data model. When booting the image it will start to bootstrap the image with feeds, workers, enrichment and optionally a repository of reports. The import of data should start immediately after booting the image, but it could take several days to import and enrich everything.

    Image content
    The image contains:
      • Centos
      • Apache Cassandra
      • Elasticsearch
      • Apache NiFi
      • ACT Platform
      • ACT Workers
      • ACT SCIO
      • ACT SCIO API
      • ACT Datamodel
      • ACT Frontend

    Requirements
    The minimum requirements for this image are:
      • VirtualBox 6, with NAT network
      • 10GB RAM
      • 4 CPUs
      • 60 GB disk
    It should also work to install the virtual appliance on VMware, but the port forwarding is not automatically set up after installation, so you will need to configure that yourself after importing the image.

    Download [Hidden Content]
    More info [Hidden Content]
  7. 0x1

    Block Alert XSS

    Blocked Window Alert - Prompt - Confirm - Open XSS && block function Window.Console
    To unblock, set var DEBUG = true. If I have forgotten some function you can add it here in the comments. Thanks
    [Hidden Content]
    Tested on my Blog: [Hidden Content]
    Reference: [Hidden Content]
  8. 0x1

    Redress

    Redress - A tool for analyzing stripped Go binaries

    The redress software is a tool for analyzing stripped Go binaries compiled with the Go compiler. It extracts data from the binary and uses it to reconstruct symbols and performs analysis. It essentially tries to "re-dress" a "stripped" binary.

    It has two operation modes. The first is a standalone mode where the binary is executed on its own. The second mode is used when the binary is executed from within radare2 via r2pipe. The binary is aware of its environment and behaves accordingly.

    Running it standalone
    To run redress, just execute it on the command line. Below are some of the possible flags that can be given. It is possible to use multiple flags to extract different data. If no flags are given, no data is extracted. The idea is to print more information than what is asked by the user.

    Download [Hidden Content]
    More info [Hidden Content]
  9. 0x1

    XSRFProbe

    The Prime Cross Site Request Forgery Audit and Exploitation Toolkit

    XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a Powerful Crawling Engine and Numerous Systematic Checks, it is now able to detect most cases of CSRF vulnerabilities, their related bypasses and further generate (maliciously) exploitable proof of concepts with each found vulnerability.

    Some Features:
      • Performs several types of checks before declaring an endpoint as vulnerable.
      • Can detect several types of Anti-CSRF tokens in POST requests.
      • Features a powerful crawler which features continuous crawling and scanning.
      • Out of the box support for custom cookie values and generic headers.
      • Accurate Token-Strength Detection and Analysis using various algorithms.
      • Can generate both normal as well as maliciously exploitable CSRF PoCs.
      • Follows a redirect when there is a 30x response.
      • Well documented code and highly generalised automated workflow.
      • The user is in control of everything whatever the scanner does.
      • Has a user-friendly interaction environment with full verbose support.
      • Detailed logging system of errors, vulnerabilities, tokens and other stuff.

    Gallery:
    Let's see some real-world scenarios of XSRFProbe in action:

    Version and License:
    XSRFProbe v2.0 release is now a stable release and the work is licensed under the GPL v3 License.

    Source & Download [Hidden Content]
  10. 0x1

    TIDoS Framework

    The TIDoS Framework
    The Offensive Web Application Penetration Testing Framework.

    Highlights :-
    Here is some light on what the framework is all about:
    - [x] A complete versatile framework to cover up everything from Reconnaissance to Vulnerability Analysis.
    - [x] Has 5 main phases, subdivided into __14 sub-phases__ consisting of a total of __108 modules__.
    - [x] Reconnaissance Phase has 50 modules of its own (including active and passive recon, information disclosure modules).
    - [x] Scanning & Enumeration Phase has got 16 modules (including port scans, WAF analysis, etc.)
    - [x] Vulnerability Analysis Phase has 37 modules (including most common vulnerabilities in action).
    - [x] Exploits Castle has only 1 exploit. `(purely developmental)`
    - [x] And finally, Auxiliaries have got 4 modules. `more under development`
    - [x] All four phases each have an `Auto-Awesome` module which automates every module for you.
    - [x] You just need the domain, and leave everything to this tool.
    - [x] TIDoS has full verbose output support, so you'll know what's going on.
    - [x] Fully user friendly interaction environment. `(no shits)`

    TIDoS is built to be a comprehensive, flexible and versatile framework where you just have to select and use modules. So to get started, you need to set your own `API KEYS` for various OSINT & Scanning and Enumeration purposes. To do so, open up `API_KEYS.py` under the `files/` directory and set your own keys and access tokens for `SHODAN`, `CENSYS`, `FULL CONTACT`, `GOOGLE` and `WHATCMS`. Finally, as the framework opens up, enter the website name `eg. [Hidden Content]` and let TIDoS lead you. That's it! It's as easy as that. To update this tool, use the `tidos_updater.py` module under the `tools/` folder.

    Flawless Features :-
    TIDoS Framework presently supports the following:

    Other Tools:
      • net_info.py - Displays information about your network. Located under `tools/`.
      • tidos_updater.py - Updates the framework to the latest release via signature matching. Located under `tools/`.

    TIDoS In Action:
    Let's see some screenshots of TIDoS in real world pentesting action:

    Version:
    v1.7 [latest release] [#stable]

    Upcoming:
    These are some modules which I have thought of adding:
      • Some more Enumeration & Information Disclosure modules.
      • Lots more of OSINT & Stuff (let that be a suspense).
      • More Auxiliary Modules.
      • Some Exploits are also being worked on.

    More info & Download: [Hidden Content]
  11. 0x1

    VoiceMailAutomator

    VoiceMailAutomator is a tool that serves as a Proof of Concept for the research I presented at DEF CON 26, "Compromising online accounts by cracking voicemail systems".

    Demo
    Voicemailcracker demo: In this demo you will see how the tool works and how I am able to obtain the PIN of my test voicemail by trying the top 20 most common 4-digit PINs.
    Compromising WhatsApp: In this demo I will show how I compromise WhatsApp by abusing the verification process over phone call. On the left, you see the victim's WhatsApp running on an actual phone. On the right, you see that I am actually using an Android simulator to hijack the victim's WhatsApp account. I don't even need a real phone!
    Compromising Paypal: Paypal implemented the protection in an interesting way. Instead of requiring the user to press a key to hear the code, Paypal will display a 4 digit code in the UI when you initiate the password reset process and that is the code you need to enter when you receive the call. As soon as you do that, the UI will update and you will be prompted to enter a new password. This demo shows how you can use voicemailcracker to update the greeting message with DTMF tones corresponding to the code that Paypal displays and take over the account.

    Fast
    voicemailcracker uses [Twilio]([Hidden Content]), a VOIP service that allows you to programmatically manage phone calls. voicemailcracker launches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN.

    Cheap
    Bruteforcing the entire 4-digit keyspace costs less than $40. If you want to ensure a 50% chance of guessing the PIN correctly (according to Data Genetics research), it would cost you only $5. If we want to take a different approach, you can check a thousand different voicemails for the default PIN for only $13.

    Easy
    voicemailcracker comes with specific payloads for every major US carrier and automates everything. You only need to provide the victim's phone number, the carrier, and the callerID provided by Twilio, that's all.

    Efficient
    voicemailcracker uses Data Genetics research to optimize bruteforcing. It will favor common PINs, default PINs and patterns. It also tries multiple PINs at the same time to reduce the number of calls needed.

    Undetected
    Instead of call flooding, we can use [OSINT techniques]([Hidden Content]) to find out when the victim has the phone disconnected. It is very common for people to share their plans on Twitter like when they are flying, in the movie theater or going on a remote trip. The phone may also be set to Do Not Disturb overnight.

    DEF CON 26 talk

    Setup
    You will need a funded Twilio account, setup TwiML bins and configure localtunnel.me to accept Webhooks. Check the "Twilio setup" section in the script and add the missing information:
      account_sid = ""  # Obtain from Twilio
      auth_token = ""  # Obtain from Twilio
      twimlPayloadChangeGreeting = ""  # <?xml version="1.0" encoding="UTF-8"?><Response><Pause length="10"/><Hangup/></Response>
      twimlPayloadChangeGetNewestMessage = ""  # <?xml version="1.0" encoding="UTF-8"?><Response><Pause length="10"/><Hangup/></Response>
      status_callback_url = ""  # Obtain from localtunnel.me

    Usage
      python voicemailcracker.py message --victimnumber 5555555555 --carrier tmobile --callerid 4444444444 --backdoornumber 3333333333 --pin 0000
      python voicemailcracker.py greeting --victimnumber 5555555555 --carrier tmobile --callerid 4444444444 --backdoornumber 3333333333 --pin 0000 --payload 1234

    Authors
    Martin Vigo - @martin_vigo

    Source & Download [Hidden Content]
    More info [Hidden Content]
  12. 0x1

    Revshellgen

    Install
    The script has 2 dependencies:
      • pyperclip
      • colorama
    You can install these by typing:
      python3 setup.py install

    Disclaimer
    This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this tool and software.

    License
    This project is licensed under the GPLv3 License - see the LICENSE file for details

    Source & Download [Hidden Content]
  13. 0x1

    BTC

    You need a Bitcoin wallet?
    Online with Blockchain: [Hidden Content]
    Local with Electrum: [Hidden Content]
  14. 0x1

    Vuls - VULnerability Scanner

    Vulnerability scanner for Linux/FreeBSD, agentless, written in golang.
    Agent-less vulnerability scanner for Linux, FreeBSD, Container Image, Running Container, WordPress, Programming language libraries, Network devices

    For a system administrator, having to perform security vulnerability analysis and software update on a daily basis can be a burden. To avoid downtime in a production environment, it is common for a system administrator to choose not to use the automatic update option provided by the package manager and to perform updates manually. This leads to the following problems.
      • The system administrator will have to constantly watch out for any new vulnerabilities in NVD (National Vulnerability Database) or similar databases.
      • It might be impossible for the system administrator to monitor all the software if there are a large number of software packages installed in the server.
      • It is expensive to perform analysis to determine the servers affected by new vulnerabilities. The possibility of overlooking a server or two during analysis is there.

    Vuls is a tool created to solve the problems listed above. It has the following characteristics.
      • Informs users of the vulnerabilities that are related to the system.
      • Informs users of the servers that are affected.
      • Vulnerability detection is done automatically to prevent any oversight.
      • A report is generated on a regular basis using CRON or other methods to manage vulnerability.

    More info & Download [Hidden Content]
    Demo ascii [Hidden Content]
  15. 0x1

    LetsMapYourNetwork

    Lets Map Your Network enables you to visualise your physical network in form of graph with zero manual error

    Presentations

    WHAT IT IS
    It is utmost important for any security engineer to understand their network first before securing it and it becomes a daunting task to have a 'true' understanding of a widespread network. In a mid to large level organisation's network having a network architecture diagram doesn't provide the complete understanding and manual verification is a nightmare. Hence in order to secure the entire network it is important to have a complete picture of all the systems which are connected to your network, irrespective of their type, function, technology etc.

    BOTTOM LINE - YOU CAN'T SECURE WHAT YOU ARE NOT AWARE OF.

    Let's Map Your Network (LMYN) aims to provide an easy to use interface to security engineers and network administrators to have their network in graphical form with zero manual error, where a node represents a system and a relationship between nodes represents the connection. LMYN does it in two phases:
      • Learning: In this phase LMYN 'learns' the network by performing the network commands and querying the APIs and then builds a graph database leveraging the responses. The user can perform any of the learning activities at any point of time and LMYN will incorporate the results in the existing database.
      • Monitoring: This is a continuous process, where LMYN monitors the 'in-scope' network for any changes, compares it with existing information and updates the graph database accordingly.

    Below technologies have been used in the tool:
      • Django Python
      • Neo4j DB
      • Sigma JS
      • Celery and RabbitMQ

    WHY IT IS
    Visualizing an infrastructure network in the form of a graph makes it more 'visible' and it becomes significantly easy to perform the analysis and identify the key areas of concern for a security engineer and network administrator. Also, Let's Map Your Network formulates the graph entirely based on either network actions performed from a 'seed' system which will be part of the actual network or querying the APIs. Hence there is no chance of manual error in the mapping of the network.

    WHERE TO USE IT
      • Network Architecture 'Validation'
      • Troubleshooting for network administrators
      • Internal Network vulnerability assessment and penetration testing

    Source & Download [Hidden Content]
    BlackHatEurope2018 presentation slide [Hidden Content]