Category Archives: Information Security

Foremost

Foremost is a forensic data-recovery program for Linux that recovers files by their headers, footers and internal data structures, a process known as file carving. It does not need the filesystem metadata, so it still works on deleted files, damaged filesystems and raw disk images.

[1] Install Foremost

yum install foremost -y

(on CentOS the package comes from the EPEL repository), or download the source package from http://foremost.sourceforge.net/pkg/foremost-1.5.7.tar.gz and build it: the tarball ships a Makefile, so after unpacking run make and then make install as root.

tar -xvzf foremost-1.5.7.tar.gz
cd foremost-1.5.7

[2] Foremost command reference

man foremost

[3] The configuration lives in /etc/foremost.conf (# vi /etc/foremost.conf). Each line defines one file type as: extension, case-sensitivity (y/n), maximum size, header and optional footer, with binary bytes written as \xHH escapes.

[4] Example of running foremost

First find out where the data to be recovered lives:

# df -h

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos00-root 50G 4,4G 46G 9% /
devtmpfs 905M 0 905M 0% /dev
tmpfs 915M 0 915M 0% /dev/shm
tmpfs 915M 8,5M 907M 1% /run
tmpfs 915M 0 915M 0% /sys/fs/cgroup
/dev/mapper/centos00-home 469G 241G 229G 52% /home
/dev/sda1 497M 171M 327M 35% /boot
tmpfs 183M 0 183M 0% /run/user/0

The data I want to recover is under home: /dev/mapper/centos00-root

foremost -t pdf,jpg -T -v -Q -o /home/output /dev/mapper/centos00-root

Flags: -t selects the types to carve (comma-separated names from foremost.conf); -T adds a timestamp to the output directory name so repeated runs do not collide; -o sets the output directory; -v turns on verbose mode and -Q quiet mode (the two contradict each other, keep only the one you want); the last argument is the device or image to carve. Two checks before running it: make sure the device named is the one that held the deleted files (in the df -h output above /home is its own logical volume, /dev/mapper/centos00-home, while centos00-root holds /), and write the output to a different filesystem from the one being carved, otherwise the recovered files overwrite the unallocated blocks you are trying to recover. On a live system, image the device first (for example with dd) and carve the image rather than the mounted device.
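To make the header/footer mechanism concrete, here is an added example (not foremost's own code) of the carving loop: it reads two rules written in the /etc/foremost.conf format, carves every match out of a small in-memory "disk image", and names each piece after its byte offset the way foremost does. Everything in it is constructed for the example: the rule lines are simplified (no '?' wildcards), and the image is a few kilobytes of zeros with a tiny JPEG and a tiny PDF embedded.

```python
"""Minimal header/footer file carver modelled on how foremost applies
/etc/foremost.conf.  Added example; not foremost's own code."""
import os


def parse_rule(line: str):
    """Parse one foremost.conf-style rule:
       extension  case-sensitive(y/n)  max-size  header  [footer]
    Binary bytes are written as \\xHH escapes, as in the real file."""
    ext, cs, max_size, header, *rest = line.split()

    def unescape(s: str) -> bytes:
        return s.encode("latin-1").decode("unicode_escape").encode("latin-1")

    footer = unescape(rest[0]) if rest else None
    return ext, cs == "y", int(max_size), unescape(header), footer


# Constructed rules in foremost.conf syntax (simplified: no '?' wildcards).
RULES_TEXT = r"""
jpg y 20000000 \xff\xd8\xff \xff\xd9
pdf y 5000000  %PDF- %%EOF
"""
RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]


def carve(image: bytes, rules=RULES):
    """Scan the image once per rule.  Every header starts a candidate that
    ends at the first footer found within max_size bytes; with no footer
    in range the candidate is cut at max_size (foremost's fallback).
    Returns [(extension, offset, data)]."""
    carved = []
    for ext, case_sensitive, max_size, header, footer in rules:
        # Case-insensitive rules compare on a lowercased copy; offsets are unchanged.
        hay = image if case_sensitive else image.lower()
        hdr = header if case_sensitive else header.lower()
        ftr = footer if (footer is None or case_sensitive) else footer.lower()
        pos = 0
        while (start := hay.find(hdr, pos)) != -1:
            window = hay[start:start + max_size]
            end = len(window)
            if ftr is not None:
                f = window.find(ftr, len(hdr))
                if f != -1:
                    end = f + len(ftr)
            carved.append((ext, start, image[start:start + end]))
            pos = start + end
    return carved


def write_out(carved, outdir: str):
    """Write each carved object as <offset>.<ext>, like foremost's output tree."""
    os.makedirs(outdir, exist_ok=True)
    for ext, offset, data in carved:
        with open(os.path.join(outdir, f"{offset:08d}.{ext}"), "wb") as fh:
            fh.write(data)


# Constructed "disk image": slack, a tiny JPEG, slack, a tiny PDF, slack.
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
FAKE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
DISK_IMAGE = b"\x00" * 512 + FAKE_JPG + b"\x00" * 1024 + FAKE_PDF + b"\x00" * 512

if __name__ == "__main__":
    for ext, offset, data in carve(DISK_IMAGE):
        print(f"{ext} at offset {offset}, {len(data)} bytes")
```

The max_size fallback is why a carver with no footer for a type produces oversized files that still open: the real data is at the front and the tail is whatever followed it on disk, which is also why carved output must never be written onto the device being carved.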


dumpzilla

Dumpzilla is a browser-forensics tool: it extracts history, cookies, downloads, form data, bookmarks, saved passwords, session data and more from Firefox, Iceweasel and SeaMonkey profiles.

[1] Download dumpzilla from its official site, http://www.dumpzilla.org/

[2] Once the source has been downloaded, run the Python script (dumpzilla is written for Python 3). Work on a copy of the profile directory rather than the live one: the running browser keeps its SQLite databases open and locked, and a copy keeps the evidence unchanged.

python dumpzilla.py

Version: 15/03/2013

Usage: python dumpzilla.py browser_profile_directory [Options]

Options:

--All (Shows everything but the DOM data. Doesn't extract thumbnails or HTML 5 offline)
 --Cookies [-showdom -domain <string> -name <string> -hostcookie <string> -access <date> -create <date> -secure <0/1> -httponly <0/1> -range_last -range_create <start> <end>]
 --Permissions [-host <string>]
 --Downloads [-range <start> <end>]
 --Forms [-value <string> -range_forms <start> <end>]
 --History [-url <string> -title <string> -date <date> -range_history <start> <end> -frequency]
 --Bookmarks [-range_bookmarks <start> <end>]
 --Cacheoffline [-range_cacheoff <start> <end> -extract <directory>]
 --Thumbnails [-extract_thumb <directory>]
 --Range <start date> <end date>
 --Addons
 --Passwords (Decode only in Unix)
 --Certoverride
 --Session
 --Watch [-text <string>] (Shows in daemon mode the URLs and text form in real time. -text' Option allow filter, support all grep Wildcards. Exit: Ctrl + C. only Unix).

Wildcards: '%' Any string of any length (Including zero length)
 '_' Single character
 '\' Escape character

Date syntax: YYYY-MM-DD HH:MM:SS

Win profile: 'C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\xxxx.default'
Unix profile: '/home/xx/.mozilla/seamonkey/xxxx.default/'

[3] Example: listing the history of a profile

$ python dumpzilla.py /home/space/.mozilla/firefox/g8gha5kg.default/ --History

Last visit: 2017-08-25 16:32:51
Title: Add New Post ‹ — WordPress
URL: https://anditoyugowicaksono.wordpress.com/wp-admin/post-new.php
Frequency: 10

================================================================================================================
Total information
================================================================================================================

Total urls in History: 1861
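The history above comes from the profile's places.sqlite database, which dumpzilla reads directly. The following is an added example (not dumpzilla's code) of that query: it joins moz_historyvisits to moz_places, converts Firefox's microsecond timestamps, and supports the same LIKE-style URL filter and date range as dumpzilla's --History options. It seeds an in-memory copy of the two tables with constructed rows so it runs without a profile; to point it at a real one, copy places.sqlite (and places.sqlite-wal, if present) out of the profile and open that copy.

```python
"""Read Firefox browsing history from the places.sqlite tables, the way
dumpzilla --History does.  Added example, not dumpzilla's code."""
import sqlite3
from datetime import datetime, timezone

FMT = "%Y-%m-%d %H:%M:%S"           # dumpzilla's date syntax


def to_prtime(s: str) -> int:
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> microseconds since the Unix epoch,
    the unit Firefox uses for visit_date and last_visit_date."""
    dt = datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1_000_000


def from_prtime(us: int) -> str:
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc).strftime(FMT)


def history(conn, url_like="%", since=None, until=None):
    """Every recorded visit, newest first, as (visit time, title, url, visit_count).
    url_like takes SQLite LIKE wildcards (% and _), like dumpzilla's -url;
    since/until bound the visit time, like -range_history."""
    sql = """SELECT v.visit_date, p.title, p.url, p.visit_count
             FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
             WHERE p.url LIKE ?"""
    params = [url_like]
    if since:
        sql += " AND v.visit_date >= ?"
        params.append(to_prtime(since))
    if until:
        sql += " AND v.visit_date <= ?"
        params.append(to_prtime(until))
    sql += " ORDER BY v.visit_date DESC"
    return [(from_prtime(ts), title, url, n)
            for ts, title, url, n in conn.execute(sql, params)]


def seed_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for places.sqlite with the columns used above
    and constructed rows (not data from a real profile)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER,
                                       visit_date INTEGER, visit_type INTEGER);""")
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://example.com/wp-admin/post-new.php", "Add New Post", 2,
         to_prtime("2017-08-25 16:32:51")),
        (2, "https://example.org/", "Example Domain", 1,
         to_prtime("2017-08-24 09:00:00")),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", [
        (1, 1, to_prtime("2017-08-20 10:00:00"), 1),
        (2, 1, to_prtime("2017-08-25 16:32:51"), 1),
        (3, 2, to_prtime("2017-08-24 09:00:00"), 1),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Replace seed_demo_db() with sqlite3.connect("/path/to/copy/of/places.sqlite")
    for when, title, url, n in history(seed_demo_db(), "%example.com%"):
        print(f"Last visit: {when}\nTitle: {title}\nURL: {url}\nFrequency: {n}\n")
```

Querying moz_historyvisits rather than only moz_places gives one row per visit, so a date range actually narrows to the visits inside it instead of to pages whose last visit happened to fall there.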

Cheers – Andito Yugo Wicaksono

 

Operative Framework

Operative Framework is an open-source, Python-based reconnaissance framework. Among other investigative functions, it can find domains registered with the same e-mail address; it builds up information about a target by following the relations between the domains the target owns.

[1] Installing the Operative Framework

git clone https://github.com/graniet/operative-framework.git
cd operative-framework
pip install -r requirements.txt
python operative.py

If pip is not installed yet, install python-pip:

# sudo apt install python-pip

or get pip from its git repository:

git clone https://github.com/pypa/pip.git

[2] Run operative.py

$ python operative.py
__ _ 
 ____ ____ ___ _________ _/ /_(_) _____ 
 / __ \/ __ \/ _ \/ ___/ __ `/ __/ / | / / _ \
/ /_/ / /_/ / __/ / / /_/ / /_/ /| |/ / __/
\____/ .___/\___/_/ \__,_/\__/_/ |___/\___/ 
 /_/ Version: 2.0 BETA | Twitter: @graniet75
 If you don't know how run it use :help

$ operative > modules 
 * viadeo_search Viadeo employee search module
 * email_to_domain Get domain with email
 * reverse_ipdomain Reverse ip domain check (Yougetsignal)
 * vhost_IPchecker Reverse IP domain check (BING)
 * https_gathering SSL/TLS information gathering (sslyze)
 * subdomain_search Search subdomain with google dork
 * getform_data Get all form parameters (BETA)
 * defaultPassword Search default password from manufactor
 * domain_search Search enterprise domain name
 * header_retrieval No module description found
 * file_common Read/Search common file
 * waf_gathering WAF information gathering : need wafw00f
 * cms_gathering Check if CMS is used (wordpress,joomla,magento)
 * get_websiteurl Extract url on website domain
 * metatag_look get meta name,content
 * search_db Forensics module for SQL database
 * website_archive Search archive of website domain (archive.org)
 * linkedin_search Linkedin employee search module
 * sample_module Module sample
 * whois_domain Whois information for domain
 * tools_suggester Check website & show possible tools for CMS exploitation
 * generate_email Generate email with employee list
$ operative >

Example: using a module (whois lookup for a domain). The workflow is the same for every module: use it, show its options, set the required ones, run.

$ operative > use whois_domain
Loading : core/modules/whois_domain.py
$ operative (core/modules/whois_domain) > show options
- website(is_required):No value
$ operative (core/modules/whois_domain) > set website=zotma.com 
$ operative (core/modules/whois_domain) > run


quasiBot ( complex webshell manager )

QuasiBot is a complex webshell manager written in PHP that operates on web-based backdoors deployed by the user. Using prepared PHP backdoors, quasiBot acts as a C&C that tries to communicate with each backdoor. The tool goes beyond the average web-shell manager, since it delivers functions for scanning, exploiting and so on. It is a quasi HTTP botnet, hence the name. quasiBot also lets you perform bruteforce attacks on services such as FTP, SSH or databases.

All data about bots is stored in an SQL database; at the moment only MySQL is supported. A TOR proxy is also supported: the goal was a secure connection between C&C and backdoors, and using SOCKS5 it is able to torify all connections between you and the web server. All configuration is stored in the config file. QuasiBot is still under construction, so I am aware of potential bugs.

You need a web server; tested on Linux with Apache 2.2 and PHP 5.4.4. Fully written in PHP.

Download QuasiBot

#How it works

  • quasiBot operates on web-shells supplied by the user; each backdoor is verified by an MD5 hash that changes every hour
quasiBot (C&C) -[request/verification]-> Bots (Webshells) -[response/verification]-> quasiBot (C&C) -[request/command]-> Bots (Webshells) -[response/execution]-> quasiBot (C&C)

  • Backdoors come in two types, with and without a DDoS module; their source code is included and displayed on the home page
  • The connection between C&C and server goes through curl; a TOR proxy is supported and the User-Agent is randomised from an array
quasiBot (C&C) -[PROXY/TOR]-> Bots (Webshells) <-[PROXY/TOR]- quasiBot (C&C)
  • Webshells can be added and removed in the 'Settings' tab; they are stored in the database
  • The 'RSS' tab contains the latest exploit and vulnerability feeds
  • The 'RCE' tab performs Remote Code Execution on a specific server using the selected PHP function
  • The 'Scan' tab resolves an IP or URL and performs a basic scan using nmap, dig and whois, useful in the information-gathering phase
  • The 'Pwn' tab groups a few functions that collect information about the server and try to find exploits for the running OS version using the Exploit Suggestor module
  • 'MySQL Manager', as the name says, performs basic operations on a specific database; it helps when looking for config files that contain MySQL connection details on the remote server, and it shows some information about its environment
  • The 'Run' tab runs a specific command on every bot at once
  • The 'DDoS' tab performs UDP DoS attacks using all bots or a single one; the expanded backdoor is required
  • The 'Shell' tab spawns a reverse or bind shell; you can pick between a few languages used to create the reverse shell
  • An authorisation module can be enabled: the user is validated by session and the credentials are stored in the config file, not in the database; with Cookie Auth, quasiBot cannot be used until a specific cookie is presented
  • The 'Bruteforce' category consists of a few modules for single or mass attacks on FTP, SSH, MySQL, PostgreSQL, MSSQL and WordPress
  • Cracked credentials are stored in the database; bruteforce against websites can be done via TOR
  • The whole front-end is a pleasant, functional interface

#Screens

(The original post shows screenshots of the Home, Hack, Bruteforce, Tools and Bots tabs.)

#Running quasi for the first time

  • Move all files to the prepared directory and change the default settings in the config file (config.php)
  • Visiting quasiBot for the first time creates the database and its structure
  • In the 'Settings' tab you can add and delete shells; then you are ready to go
  • Using authorisation? To log out, append the logout GET parameter to the current URL, e.g. quasi/index.php?logout

#Misc

Todo:

  • Windows support in the 'PWN' module
  • Bruteforce WWW: Joomla
  • Optimization
  • ???

Changelog:

  • 0.3
    • Bruteforce: SSH, FTP, WWW, DBs
    • Details
  • 0.2
    • Added authorization (Sessions / Cookie Auth)
    • Added Shell Module (Reverse / Bind shell)
    • Added Linux Exploit Suggestor module

Reference: https://github.com/Smaash/quasibot


RIPS – PHP Security Analysis

RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.

Download the RIPS package --> https://sourceforge.net/projects/rips-scanner/

Unzip the package into /var/www/html/rips

Open it in a browser on the same host --> http://localhost/rips/index.php

To analyse PHP code, enter the file or directory path and click scan. Keep the RIPS web interface bound to localhost or on an isolated analysis machine: it has no authentication, and it will scan any path the web server user can read and display the code it finds there.
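What RIPS automates is source-to-sink taint tracking: user input ($_GET, $_POST and friends) is followed through the code into dangerous calls, and a finding is raised when no sanitizer appropriate for that sink was applied on the way. The script below is an added toy version of that check (not RIPS's code) so the idea is visible in one file: it handles straight-line assignments only, with regexes instead of a parser, and the source, sink and sanitizer tables plus the sample PHP are constructed for the example; a real analyser adds parsing, inter-procedural flow and far richer tables.

```python
"""Toy source-to-sink taint check for PHP, the idea behind RIPS.
Added example, not RIPS's code."""
import re

SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
SINKS = {                      # function/construct -> vulnerability class
    "mysql_query": "SQL injection", "mysqli_query": "SQL injection",
    "system": "command execution", "exec": "command execution",
    "shell_exec": "command execution", "passthru": "command execution",
    "eval": "code execution",
    "include": "file inclusion", "require": "file inclusion",
    "echo": "cross-site scripting", "print": "cross-site scripting",
}
SANITIZERS = {                 # vulnerability class -> functions that neutralise it
    "SQL injection": {"mysql_real_escape_string", "mysqli_real_escape_string", "intval"},
    "cross-site scripting": {"htmlspecialchars", "htmlentities", "intval"},
    "command execution": {"escapeshellarg", "escapeshellcmd"},
    "file inclusion": {"basename"},
    "code execution": set(),   # nothing makes eval() of user input safe
}
ALL_SANITIZERS = set().union(*SANITIZERS.values())
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.*);")


def _var_in(var: str, text: str) -> bool:
    # "$id" must not match inside "$identifier"
    return re.search(re.escape(var) + r"\b", text) is not None


def _sanitizers_in(text: str) -> set:
    return {s for s in ALL_SANITIZERS if s + "(" in text}


def scan_php(src: str):
    """Return [(line, vulnerability, sink, code)] for unsanitised source->sink flows."""
    taint = {}        # $var -> set of sanitizers applied between the source and it
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            inherited = [taint[v] for v in taint if _var_in(v, rhs)]
            if SOURCES.search(rhs):
                taint[var] = _sanitizers_in(rhs)
            elif inherited:   # taint flows on; only sanitizers common to all inputs count
                taint[var] = set.intersection(*inherited) | _sanitizers_in(rhs)
            else:
                taint.pop(var, None)          # overwritten with a clean value
        for sink, vuln in SINKS.items():
            hit = re.search(rf"\b{sink}\b", line)
            if not hit:
                continue
            arg = line[hit.end():]            # everything handed to the sink
            here = _sanitizers_in(arg)
            paths = [here] if SOURCES.search(arg) else []
            paths += [taint[v] | here for v in taint if _var_in(v, arg)]
            if any(not (p & SANITIZERS[vuln]) for p in paths):
                findings.append((lineno, vuln, sink, line.strip()))
    return findings


# Constructed sample: three unsafe flows (lines 5, 7, 10) next to their safe forms.
SAMPLE_PHP = """\
<?php
$id = $_GET['id'];
$name = htmlspecialchars($_POST['name']);
$safe_id = intval($_GET['id']);
mysql_query("SELECT * FROM users WHERE id = $id");
mysql_query("SELECT * FROM users WHERE id = $safe_id");
echo "Hello " . $_GET['name'];
echo "Hello " . $name;
system("ping " . escapeshellarg($_GET['host']));
include $_GET['page'] . ".php";
"""

if __name__ == "__main__":
    for lineno, vuln, sink, code in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {vuln} via {sink}: {code}")
```

The sanitizer table is keyed by sink class on purpose: htmlspecialchars() protects an echo but does nothing for a query, which is exactly the mismatch tools like RIPS are built to catch and the one a grep for "$_GET" cannot.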

Cheers – Andito Yugo Wicaksono

Source Code Analysis Tools

Open Source or Free Tools Of This Type

Bandit – a source vulnerability scanner for Python

Brakeman – an open source vulnerability scanner specifically designed for Ruby on Rails applications

Codesake Dawn – an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It also works on non-web applications written in Ruby

FindBugs – finds bugs (including a few security flaws) in Java programs (no longer maintained; its successor is SpotBugs)

FindSecBugs – a security-specific plugin for FindBugs that significantly improves its ability to find security vulnerabilities in Java programs

Flawfinder – scans C and C++

Google CodeSearchDiggity – used Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, GitHub, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. Google Code Search was shut down in 2012, so the tool no longer works as described

PMD – scans Java source code and looks for potential code problems (a code quality tool that does not focus on security issues)

PreFast (Microsoft) – PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006

Puma Scan – an open source static source code analyzer for .NET C# that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines

RIPS – a static source code analyzer for vulnerabilities in PHP web applications. Please see the notes on the sourceforge.net site

SonarQube – scans source code in more than 20 languages for bugs, vulnerabilities, and code smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ are provided by SonarLint

VisualCodeGrepper (VCG) – scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues

Xanitizer – scans Java for security vulnerabilities, mainly via taint analysis. The tool comes with a number of predefined vulnerability detectors which can additionally be extended by the user

Source : https://www.owasp.org/index.php/Source_Code_Analysis_Tools

FoxyProxy

What is FoxyProxy?

FoxyProxy sells reliable, fast, secure VPN and proxy servers in 68+ different countries with 5 ways to connect. Our free proxy and VPN management tools set industry standards as far back as 2006, with our award-winning Firefox addons used by millions.

[1] Install it as an add-on directly from the Mozilla Firefox browser

[2] After it is installed, open FoxyProxy and create a new proxy; as an example we will point it at localhost, which is where a local intercepting proxy would listen

– Select the mode to enable the proxy. If the proxy is a SOCKS proxy, also enable FoxyProxy's option to send DNS through the proxy, otherwise name lookups still leave the machine directly.

Cheers – Andito Yugo Wicaksono