Showing results for tags 'discovery'.
Found 14 results

  1. Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. Checking the ACLs of the files and directories used by privileged processes finds more than looking for missing files alone does.

     Features
     • Parses ProcMon PML files natively. The log (PML) parser has been implemented by porting partial functionality to C# from [Hidden Content]. You can find the format specification here.
     • Crassus will create source code for proxy DLLs for all missing DLLs that were identified. For instance, if an application is vulnerable to DLL hijacking via version.dll, Crassus will create version.cpp and version.def files for you with all the exports included. By default, the proxy DLLs will launch calc.exe. Build scripts are included to build the DLLs with Visual Studio or MinGW.
     • For other events of interest, such as creating a process or loading a library, the ability of unprivileged users to modify the file, or any part of the path to the file, is investigated.
     • Able to process large PML files and store all events of interest in an output CSV file.
  2. What the heck is a ferox anyway? Ferox is short for Ferric Oxide. Ferric Oxide, simply put, is rust. The name rustbuster was taken, so I decided on a variation.

     What's it do tho? feroxbuster is a tool designed to perform Forced Browsing. Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the web application but are still accessible by an attacker. feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addresses, etc. This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

     Changelog v2.9.2
     • changed default value for --extract-links to true => added --dont-extract-links to turn off the new default behavior by @epi052 in #834
     • can load a wordlist from its url over http/https by @epi052 in #834
     • updated README with alternative installation methods for brew and chocolatey by @aancw in #824
     • fixed divide by zero error by @epi052 in #834
     • added check for forced recursion when directory listing detected by @epi052 in #834
  3. SubFinder is a subdomain discovery tool that uses various techniques to discover massive amounts of subdomains for any target. It is aimed at being a successor to the sublist3r project. SubFinder uses passive sources, search engines, Pastebin, Internet archives, etc. to find subdomains, and then it uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind, making it easy to add functionality and remove errors.

     Features
     • Simple and modular code base, making it easy to contribute
     • Fast and powerful resolution and wildcard elimination module
     • Curated passive sources to maximize results (26 sources as of now)
     • Multiple output formats supported (JSON, file, stdout)
     • Optimized for speed, very fast and lightweight on resources
     • Stdin and stdout support for integrating in workflows

     Changelog v2.5.7
     • Fixed Docker file to avoid version mismatch by @olearycrew in #771
     • Added self update option (-update) + version check by @RamanaReddy0M in #780
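The permutation-plus-resolution step the SubFinder post describes, as an added example that is not SubFinder's code: it builds altdns-style candidates from hosts already known, probes random labels to learn whether the zone has a wildcard record, and discards candidates whose only answer is the wildcard's address. The zone table, `fake_resolve`, the seed host list and the word list are constructed for the example; on a live target replace `fake_resolve` with dnspython's `dns.resolver.resolve(name, "A")`.

```python
"""Added example (not SubFinder code): altdns-style permutation of known
subdomains plus wildcard elimination before trusting a resolution."""
import random
import string

# Constructed zone standing in for a resolver. The "*.example.com" entry
# models a wildcard record: unknown labels directly under example.com answer.
FAKE_ZONE = {
    "www.example.com": {"203.0.113.10"},
    "dev.example.com": {"203.0.113.11"},
    "api.example.com": {"203.0.113.12"},
    "dev-api.example.com": {"203.0.113.12"},
    "staging.example.com": {"203.0.113.13"},
    "*.example.com": {"203.0.113.99"},
}


def fake_resolve(name):
    """Return the set of A records for `name` (empty set if NXDOMAIN).
    Swap in dns.resolver.resolve(name, "A") from dnspython for real use."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    _, _, parent = name.partition(".")
    return set(FAKE_ZONE.get("*." + parent, set()))


def permute(known, domain, words):
    """Generate altdns-style candidates: word-sub, sub-word, word.sub, sub.word."""
    out = set()
    suffix = "." + domain
    for host in known:
        if not host.endswith(suffix):
            continue
        sub = host[: -len(suffix)]
        for w in words:
            out.update({
                f"{w}-{sub}{suffix}", f"{sub}-{w}{suffix}",
                f"{w}.{sub}{suffix}", f"{sub}.{w}{suffix}",
            })
    return out - set(known)


def wildcard_ips(domain, resolve, probes=3, seed=1):
    """Resolve random labels that cannot legitimately exist; any answer is
    the wildcard's, and those addresses must be discounted later."""
    rng = random.Random(seed)
    ips = set()
    for _ in range(probes):
        label = "".join(rng.choices(string.ascii_lowercase + string.digits, k=16))
        ips |= resolve(f"{label}.{domain}")
    return ips


def resolve_candidates(candidates, domain, resolve):
    """Keep candidates that resolve to something other than the wildcard
    answer. Caveat: a real host sharing the wildcard's address is lost here;
    tools that care use the HTTP response as a second signal."""
    wc = wildcard_ips(domain, resolve)
    found = {}
    for name in sorted(candidates):
        ips = resolve(name) - wc
        if ips:
            found[name] = ips
    return found


def discover(known, domain, words, resolve=fake_resolve):
    return resolve_candidates(permute(known, domain, words), domain, resolve)


if __name__ == "__main__":
    print(discover(["www.example.com", "dev.example.com", "api.example.com"],
                   "example.com", ["dev", "api", "staging"]))
```

With the constructed zone, `api-staging.example.com` resolves but only to the wildcard address, so it is dropped; `dev-api.example.com` resolves to a distinct address and survives.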
  4. Slitheris Network Discovery – A Premium IP Scanner for Windows.

     Credential-free and agentless Windows OS detection and fingerprinting. The vast majority of network scanning software packages require some type of credentialed access to remote devices to detect operating systems. However, using TCP/IP stack fingerprinting and other technologies, Slitheris Network Discovery can identify a wide array of operating systems without credentials or authentication, including Windows (and its Edition), Linux, iOS, and Android. Slitheris can even scan for other details related to the operating system, such as Windows uptime, cold boot time, time of day and domain/workgroup names, and distinguishes between domain and workgroup types, all without needing authentication or credentialed access. This saves the time and frustration of trying various usernames and passwords or having to visit PCs and servers in person. Managed Service Providers and other IT providers will particularly appreciate this unique feature.
  5. Spartacus utilises the SysInternals Process Monitor and parses raw PML log files. You can leave ProcMon running for hours and discover 2nd and 3rd level (i.e. an app that loads another DLL that loads yet another DLL when you use a specific feature of the parent app) DLL hijacking vulnerabilities. It will also automatically generate proxy DLLs with all relevant exports for vulnerable DLLs.

     Features
     • Parses ProcMon PML files natively. The config (PMC) and log (PML) parsers have been implemented by porting partial functionality to C# from [Hidden Content]. You can find the format specification here.
     • Spartacus will create proxy DLLs for all missing DLLs that were identified. For instance, if an application is vulnerable to DLL hijacking via version.dll, Spartacus will create a version.dll.cpp file for you with all the exports included in it. Then you can insert your payload/execution technique and compile.
     • Able to process large PML files and store all DLLs of interest in an output CSV file. A local benchmark processed a 3GB file with 8 million events in 45 seconds.
     • [Defence] Monitoring mode, trying to identify running applications proxying calls, as in "DLL hijacking in progress". This is just to get any low-hanging fruit and should not be relied upon.
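The workflow that both DLL-hijacking posts (items 1 and 5) describe, as an added example that is neither Spartacus nor Crassus code: keep only ProcMon events where a privileged process looked for a DLL and got NAME NOT FOUND, check whether an unprivileged user can write anywhere along that path (the ACL angle Crassus adds), and emit a proxy-DLL stub whose exports forward to the legitimate library. The CSV rows, the set of user-writable directories, the version.dll export list and the `/export` linker-pragma stub are this example's assumptions; ProcMon's binary PML format is not parsed here, the rows are in the layout of a ProcMon CSV export with the Integrity column enabled.

```python
"""Added example (not Crassus or Spartacus code): triage ProcMon events for
DLL hijacking candidates and emit a proxy-DLL source stub."""
import csv
import io
import ntpath

# Constructed sample in the column layout of a ProcMon CSV export with the
# Integrity column enabled (File > Save > CSV). Paths and PIDs are made up.
SAMPLE_PROCMON_CSV = """\
"Process Name","PID","Integrity","Operation","Path","Result"
"svc.exe","1234","System","CreateFile","C:\\Program Files\\Vendor\\version.dll","NAME NOT FOUND"
"svc.exe","1234","System","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS"
"svc.exe","1234","System","CreateFile","C:\\ProgramData\\Vendor\\plugins\\helper.dll","NAME NOT FOUND"
"svc.exe","1234","System","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS"
"updater.exe","2222","High","CreateFile","C:\\Users\\Public\\tools\\config.dll","NAME NOT FOUND"
"notepad.exe","3333","Medium","CreateFile","C:\\Temp\\foo.dll","NAME NOT FOUND"
"""

# Constructed stand-in for a real ACL check: directories that an unprivileged
# user can write to. On a live host derive this from icacls output instead.
USER_WRITABLE_DIRS = {
    r"C:\ProgramData\Vendor\plugins",
    r"C:\Users\Public\tools",
    r"C:\Temp",
}
PRIVILEGED = {"System", "High"}  # integrity levels worth escalating to

# Constructed export list for the example; a real tool dumps these from the
# legitimate DLL's export table.
VERSION_DLL_EXPORTS = [
    "GetFileVersionInfoA", "GetFileVersionInfoSizeA", "GetFileVersionInfoSizeW",
    "GetFileVersionInfoW", "VerQueryValueA", "VerQueryValueW",
]


def user_can_write_somewhere_in(path, writable=USER_WRITABLE_DIRS):
    """True if any directory on the way to `path` is user-writable. A writable
    parent is enough: the attacker can plant the missing file or replace a
    whole directory component."""
    d = ntpath.dirname(path)
    while True:
        if d in writable:
            return True
        parent = ntpath.dirname(d)
        if parent == d:                   # reached the drive root
            return False
        d = parent


def find_candidates(csv_text, writable=USER_WRITABLE_DIRS):
    """Return (process, path) for DLLs a privileged process looked for but did
    not find, where an unprivileged user could plant them."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in ("CreateFile", "Load Image"):
            continue
        if row["Result"] != "NAME NOT FOUND":
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        if row["Integrity"] not in PRIVILEGED:
            continue                      # hijacking a medium-IL process gains nothing
        if user_can_write_somewhere_in(row["Path"], writable):
            hits.append((row["Process Name"], row["Path"]))
    return hits


def proxy_source(dll_name, exports, real_dir=r"C:\Windows\System32"):
    """Emit a C++ stub whose exports forward to the legitimate DLL through
    linker /export pragmas, so the host process keeps working after the hijack."""
    base = dll_name[:-4] if dll_name.lower().endswith(".dll") else dll_name
    real = (real_dir + "\\" + base).replace("\\", "\\\\")   # escape for a C string literal
    lines = ["#include <windows.h>"]
    for ordinal, name in enumerate(exports, 1):
        lines.append(f'#pragma comment(linker, "/export:{name}={real}.{name},@{ordinal}")')
    lines += [
        "BOOL WINAPI DllMain(HINSTANCE h, DWORD reason, LPVOID reserved) {",
        "    if (reason == DLL_PROCESS_ATTACH) { /* payload goes here */ }",
        "    return TRUE;",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for proc, path in find_candidates(SAMPLE_PROCMON_CSV):
        print(f"[hijackable] {proc} -> {path}")
    print(proxy_source("version.dll", VERSION_DLL_EXPORTS))
```

The version.dll lookup under Program Files is dropped because nothing on that path is user-writable, and notepad.exe's miss is dropped because it runs at medium integrity; only the two misses that a low-privileged user can satisfy survive.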
  6. Dismap is an asset discovery and identification tool; its characteristic function is to quickly identify web fingerprint information and locate asset types. It assists the red team in quickly locating target asset information, and assists the blue team in finding suspected vulnerabilities. Dismap has a comprehensive fingerprint rule library, so you can easily customize new recognition rules. With the help of golang's concurrency advantages, rapid asset detection and identification can be achieved.

     Changelog v0.4
     • Optimize concurrency strategy to improve speed (a2a779f)
     • Optimize json output (a2a779f) #19
     • Added giop protocol identification rules (edcf125)
     • Added web fingerprinting rules
  7. Dismap – Asset discovery and identification tool

     Dismap is an asset discovery and identification tool; its characteristic function is to quickly identify web fingerprint information and locate asset types. It assists the red team in quickly locating target asset information, and assists the blue team in finding suspected vulnerabilities. Dismap has a comprehensive fingerprint rule library, so you can easily customize new recognition rules. With the help of golang's concurrency advantages, rapid asset detection and identification can be achieved. The scan results can be directly submitted to vulmap (>=0.8) for vulnerability scanning. Introduction to the rule base in RuleLab.

     Changelog v0.3
     • tcp/udp/tls protocol identification
     • Port feature fingerprinting
     • Optimized batch identification of read files, which can be mixed with domain name/IP/URL
     • Added http/socks5 proxy
     • Optimized txt text file format, added json file output
     • Added option to disable terminal color display
     • Added debug/level information output, which can be used to manually judge hex
     • Optionally specify a specific protocol/port/type
     • Optimized the flag parameter options, supporting long and short option styles
     • Extended http rulebase rule entries
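What a fingerprint rule library does for the two Dismap posts above (web fingerprinting plus the port/banner rules added in v0.3), as an added example that is not Dismap's code and does not use its RuleLab rule format: each rule is a set of regexes over headers, body, `<title>` or a raw TCP banner, and a sample matches when every condition holds. The rule shapes, rule names and the five sample responses are constructed for the example; the product strings in the patterns are real but the rule set is this example's, not Dismap's.

```python
"""Added example (not Dismap's code or rule format): a small fingerprint rule
engine over HTTP responses and raw TCP banners, run on constructed samples."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    headers: Dict[str, str] = field(default_factory=dict)  # header -> regex (all must match)
    body: List[str] = field(default_factory=list)          # regexes over the body (all must match)
    title: Optional[str] = None                            # regex over <title>
    banner: Optional[str] = None                           # regex over a raw TCP banner


# Constructed rule set for the example; not Dismap's RuleLab entries.
RULES = [
    Rule("Jenkins", headers={"X-Jenkins": r"^\d+\."}),
    Rule("Apache Tomcat", body=[r"Apache Tomcat/\d"], title=r"HTTP Status \d{3}"),
    Rule("Grafana", body=[r'"subTitle":"Grafana'], title=r"Grafana"),
    Rule("OpenSSH", banner=r"^SSH-2\.0-OpenSSH"),
    Rule("Redis", banner=r"^-ERR|^\+PONG"),
]

# Constructed responses: each is either an HTTP triple or a raw TCP banner.
SAMPLES = [
    {"target": "10.0.0.5:8080", "status": 403,
     "headers": {"x-jenkins": "2.401.3", "server": "Jetty(10.0.13)"},
     "body": "<html><title>Jenkins</title>Authentication required</html>"},
    {"target": "10.0.0.6:8080", "status": 404, "headers": {"content-type": "text/html"},
     "body": "<title>HTTP Status 404 - Not Found</title><h3>Apache Tomcat/9.0.71</h3>"},
    {"target": "10.0.0.7:22", "banner": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n"},
    {"target": "10.0.0.8:6379", "banner": "-ERR unknown command 'GET /'\r\n"},
    {"target": "10.0.0.9:80", "status": 200, "headers": {}, "body": "<title>Welcome</title>"},
]


def _title(body):
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return m.group(1).strip() if m else ""


def matches(rule, sample):
    if "banner" in sample:                # non-HTTP service: only banner rules apply
        return bool(rule.banner) and re.search(rule.banner, sample["banner"], re.M) is not None
    if rule.banner or not (rule.headers or rule.body or rule.title):
        return False                      # banner-only or empty rules never match HTTP
    hdrs = {k.lower(): v for k, v in sample["headers"].items()}
    for name, pat in rule.headers.items():
        value = hdrs.get(name.lower())
        if value is None or not re.search(pat, value, re.I):
            return False
    if rule.title and not re.search(rule.title, _title(sample["body"]), re.I):
        return False
    return all(re.search(pat, sample["body"], re.I | re.S) for pat in rule.body)


def identify(sample, rules=RULES):
    """Names of every rule the sample matches; a host can legitimately match several."""
    return [r.name for r in rules if matches(r, sample)]


def run(samples=SAMPLES, rules=RULES):
    return {s["target"]: identify(s, rules) for s in samples}


if __name__ == "__main__":
    for target, names in run().items():
        print(target, names or ["unknown"])
```

The Tomcat rule deliberately keys on the 404 error page's title rather than on a product banner: the fingerprint survives even when the default welcome page has been removed, which is the usual case on hardened hosts.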
  8. A passive reconnaissance tool for known URL discovery – it gathers a list of URLs passively using various online sources.

     Features
     • Collect known URLs: fetches from AlienVault's OTX, Common Crawl, URLScan, GitHub, and the Wayback Machine. Fetches disallowed paths from the robots.txt found on your target domain and snapshotted by the Wayback Machine.
     • Reduce noise: regex-filter URLs. Removes duplicate pages in the sense of URL patterns that are probably repetitive and point to the same web template.
     • Output to stdout for piping, or save to a file.
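The two noise-reduction steps the post lists, plus the robots.txt Disallow extraction, as an added example that is not the tool's code: a URL is collapsed to a template key (numeric and long hex path segments become placeholders, query values are dropped and keys sorted) so that one representative per template is kept, then a regex include/exclude pass runs over what is left. The robots.txt text and the URL list are constructed for the example, in the shape a passive source would return.

```python
"""Added example (not the tool's code): robots.txt Disallow extraction,
URL-pattern deduplication and regex filtering on constructed input."""
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed robots.txt, as a Wayback Machine snapshot of it might read.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/        # legacy console
Disallow: /api/internal/
Allow: /api/public/
Disallow: /tmp/*.bak
Sitemap: https://example.com/sitemap.xml
"""

# Constructed list in the shape a passive source (OTX, Wayback, URLScan) returns.
SAMPLE_URLS = [
    "https://example.com/blog/123?utm_source=tw",
    "https://example.com/blog/456?utm_source=fb",
    "https://EXAMPLE.com/blog/789",
    "https://example.com/user/5/profile?tab=posts",
    "https://example.com/user/9/profile?tab=about",
    "https://example.com/static/app.3fa2b1c9d0.js",
    "https://example.com/static/app.9c0dd1e2ab.js",
    "https://example.com/config.php.bak",
    "https://example.com/api/v1/items?id=1",
]


def disallowed_paths(robots_txt):
    """Disallow entries mark what the owner did not want indexed, which is
    exactly where a tester wants to look first."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            p = line.split(":", 1)[1].strip()
            if p and p not in paths:
                paths.append(p)
    return paths


def url_pattern(url):
    """Collapse a URL to its template: numeric path segments become {n},
    long hex runs become {hex}, query values are dropped and keys sorted."""
    s = urlsplit(url)
    segs = []
    for seg in s.path.split("/"):
        seg = re.sub(r"^\d+$", "{n}", seg)
        seg = re.sub(r"[0-9a-f]{8,}", "{hex}", seg, flags=re.I)
        segs.append(seg)
    keys = sorted({k for k, _ in parse_qsl(s.query, keep_blank_values=True)})
    return urlunsplit((s.scheme.lower(), s.netloc.lower(), "/".join(segs),
                       "&".join(k + "=" for k in keys), ""))


def dedupe_by_pattern(urls):
    """Keep the first URL seen for each pattern; the rest hit the same template."""
    seen, kept = set(), []
    for u in urls:
        key = url_pattern(u)
        if key not in seen:
            seen.add(key)
            kept.append(u)
    return kept


def filter_urls(urls, include=None, exclude=None):
    """Regex filter: keep URLs matching `include` (if given) and not `exclude`."""
    out = []
    for u in urls:
        if include and not re.search(include, u):
            continue
        if exclude and re.search(exclude, u):
            continue
        out.append(u)
    return out


if __name__ == "__main__":
    print(disallowed_paths(SAMPLE_ROBOTS))
    for u in filter_urls(dedupe_by_pattern(SAMPLE_URLS), exclude=r"\.(js|css|png)$"):
        print(u)
```

Note that `/blog/789` survives alongside `/blog/123?utm_source=tw`: the key includes the set of query parameter names, so a path reached with and without a parameter counts as two templates, which is the safer default when a parameter may change server-side behaviour.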
  9. Yet another content discovery tool written in Python. What makes this tool different from others:
     • It is written to work asynchronously, which allows it to reach maximum limits, so it is very fast.
     • Calibration mode applies filters on its own
     • Has a bunch of flags that help you fuzz in detail
     • Recursive scan mode for given status codes and with depth
     • Report generation; you can later go and check your results
  10. Yet another content discovery tool written in Python. What makes this tool different from others:
     • It is written to work asynchronously, which allows it to reach maximum limits, so it is very fast.
     • Calibration mode applies filters on its own
     • Has a bunch of flags that help you fuzz in detail
     • Recursive scan mode for given status codes and with depth
     • Report generation; you can later go and check your results
     • Multiple URL scans
  11. Tachyon is a fast multi-threaded web discovery tool. Its main goal is to help webadmins find leftover files in their site installation, permission problems and web server configuration errors. It is not a vulnerability scanner or a web crawler.

     Features
     • Plugin support
     • SSL support
     • Robots.txt support
     • Common directory lookup
     • Fast multi-threaded execution
     • Automatic variable rate limiter
     • Recursive scanning

     Changelog v3.4.1
     • Merge pull request #58 from alacasse/limit-fp-for-c99shell
     • limit-fp-for-c99shell: add match_string
  12. What the heck is a ferox anyway? Ferox is short for Ferric Oxide. Ferric Oxide, simply put, is rust. The name rustbuster was taken, so I decided on a variation.

     What's it do tho? feroxbuster is a tool designed to perform Forced Browsing. Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the web application but are still accessible by an attacker. feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addresses, etc. This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration.

     Comparison w/ Similar Tools
     There are quite a few similar tools for forced browsing/content discovery: Burp Suite Pro, Dirb, Dirbuster, etc. However, in my opinion, there are two that set the standard: gobuster and ffuf. Both are mature, feature-rich, and all-around incredible tools to use. So, why would you ever want to use feroxbuster over ffuf/gobuster? In most cases, you probably won't. ffuf in particular can do the vast majority of things that feroxbuster can, while still offering boatloads more functionality. Here are a few of the use-cases in which feroxbuster may be a better fit:
     • You want a simple tool usage experience
     • You want to be able to run your content discovery as part of some crazy 12 command unix pipeline extravaganza
     • You want to scan through a SOCKS proxy
     • You want auto-filtering of Wildcard responses by default
     • You want recursion along with some other thing mentioned above (ffuf also does recursion)
     • You want a configuration file option for overriding built-in default values for your scans
  13. Trishul is an automated vulnerability finding Burp Extension. Built with Jython, it supports real-time vulnerability detection in multiple requests with user-friendly output. This tool was made to supplement testing where results have to be found in a limited amount of time. Currently, the tool supports finding Cross-Site Scripting, SQL Injection, and Server-Side Template Injection. More vulnerabilities would be added in later versions.

     Configurations
     There are a couple of configurations available for a user to use Trishul. To view these configurations, head over to Trishul and view the config tab in the bottom left of the pane. Here is the list of options available:
     • Intercept Button: With Intercept set to On, the tool will perform a test on all requests flowing to the website added in Scope. This button is restricted to scope as it is not feasible to test all the requests flowing to Burp from multiple domains; this would affect the performance.
     • Auto-Scroll: With Auto-Scroll checked, the tool will scroll automatically to the last tested request. This option is feasible when testing a huge domain with Intercept turned on, so that scrolling shouldn't be a tough job.
     • Detect XSS, SQLi, SSTI: These checkboxes are added if a user wants to only test for a specific vulnerability and omit the other test cases. Used to obtain much faster results for a specific request.
     • Blind XSS: This textbox is added for users who want to append their Blind XSS payload for every parameter in a request. To use this, enter your Blind XSS payload (singular) in the text box and click on the Blind XSS checkbox. Now, for every request passing through Trishul, the value of all parameters in the request would be replaced with the Blind XSS payload.

     Interpreting Results
     For every result, Trishul displays one of three options for each of the vulnerabilities tested:
     • Found: The vulnerability was successfully detected for the request parameters.
     • Not Found: The vulnerability was not present in the request parameters.
     • Possible! Check Manually: The vulnerability may be present. The tester has to reconfirm the finding.
     The test for these vulnerabilities depends on the parameters in the request. If the request has no parameters, Trishul would not process this request and would show Not Found for all of the vulnerabilities. If Found or Possible! Check Manually is seen under the vulnerability class for a specific request, the user has to click the result to see the vulnerable parameter displayed under the vulnerability class in the Issues tab in the bottom left. The user then has to select the parameter displayed under the vulnerability class, and the description for that parameter would be shown. The user can then view the Request and Response which was sent from Trishul to determine the vulnerability. On clicking the Highlighted Response tab, you will be shown the highlighted text for some of the vulnerability classes, for example payload reflection for Cross-Site Scripting or error-based SQLi text shown in the response. The Highlighted Response tab was added as there was no option in the Burp API to highlight the response text in Burp's MessageEditor tab.
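The three verdicts the Trishul post describes (Found, Not Found, Possible! Check Manually), computed per parameter from the responses to three probes, as an added example that is not Trishul's code and does not use the Burp API: XSS is Found when a canary is reflected with its angle brackets intact and Possible when it comes back encoded (the "payload reflection" the Highlighted Response tab shows), SQLi is Found on a database error string after an appended quote and Possible when the response changes shape without one, and SSTI is Found when `{{13*37}}` comes back evaluated. The error-string list, the canary, the thresholds and `fake_app` (a constructed target with one behaviour per parameter) are this example's assumptions; a request with no parameters is reported Not Found across the board, as the post says Trishul does.

```python
"""Added example (not Trishul's code): per-parameter XSS / SQLi / SSTI probes
classified into the three verdicts the post describes. The sender is a
constructed fake application, not Burp."""
import html
import re

SQL_ERROR_PATTERNS = [
    r"You have an error in your SQL syntax",
    r"Warning: mysql_",
    r"Unclosed quotation mark after the character string",
    r"ORA-\d{5}",
    r"pg_query\(\)|PG::SyntaxError",
    r"SQLite3::|sqlite3\.OperationalError",
]


def fake_app(params):
    """Constructed target with one behaviour per parameter: q reflects raw,
    name reflects HTML-encoded, id leaks a MySQL error on a quote, tpl
    evaluates a {{a*b}} template expression."""
    body = "<html><body>"
    if "q" in params:
        body += f"<p>Results for {params['q']}</p>"
    if "name" in params:
        body += f"<p>Hi {html.escape(params['name'])}</p>"
    if "id" in params:
        if "'" in params["id"]:
            body += "You have an error in your SQL syntax; check the manual"
        else:
            body += "<p>item loaded</p>"
    if "tpl" in params:
        m = re.fullmatch(r"\{\{(\d+)\*(\d+)\}\}", params["tpl"])
        body += f"<p>{int(m[1]) * int(m[2])}</p>" if m else f"<p>{html.escape(params['tpl'])}</p>"
    return body + "</body></html>"


def verdict_xss(body, canary):
    if f"<{canary}>" in body:
        return "Found"                      # reflected with angle brackets intact
    if canary in body:
        return "Possible! Check Manually"   # reflected, but encoded or altered
    return "Not Found"


def verdict_sqli(baseline, body):
    if any(re.search(p, body, re.I) for p in SQL_ERROR_PATTERNS):
        return "Found"                      # error-based: the database complained
    if abs(len(body) - len(baseline)) > 0.3 * max(len(baseline), 1):
        return "Possible! Check Manually"   # response changed shape, no error text
    return "Not Found"


def verdict_ssti(body, a, b):
    # Found only if the product appears and the raw expression does not.
    return "Found" if str(a * b) in body and f"{a}*{b}" not in body else "Not Found"


def check_request(params, send, canary="trsh1x"):
    """For every parameter, replace its value with each probe and classify.
    A request without parameters is reported Not Found across the board."""
    if not params:
        return {"(no parameters)": {"XSS": "Not Found", "SQLi": "Not Found", "SSTI": "Not Found"}}
    baseline = send(dict(params))
    results = {}
    for p in params:
        def probed(value):
            return send({**params, p: value})   # one parameter swapped, the rest untouched
        results[p] = {
            "XSS": verdict_xss(probed(f"<{canary}>"), canary),
            "SQLi": verdict_sqli(baseline, probed(params[p] + "'")),
            "SSTI": verdict_ssti(probed("{{13*37}}"), 13, 37),
        }
    return results


if __name__ == "__main__":
    sample = {"q": "hello", "name": "bob", "id": "5", "tpl": "hello"}
    for p, verdicts in check_request(sample, fake_app).items():
        print(p, verdicts)
```

The `name` parameter illustrates why a Possible verdict exists: the canary is reflected, so the parameter reaches the page, but HTML encoding neutralises it, and whether that encoding holds in every context is a judgement call for the tester rather than the tool.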
  14. Trend Micro Deep Discovery Inspector suffers from a percent encoding IDS bypass vulnerability.