Deep-pwning | Metasploit for machine learning

Deep-pwning

Deep-pwning is a lightweight framework for experimenting with machine learning models with the goal of evaluating their robustness against a motivated adversary.

Note that deep-pwning in its current state is nowhere close to maturity or completion. It is meant to be experimented with, expanded upon, and extended by you. Only then can it become the go-to penetration testing toolkit for statistical machine learning models.


Structure:

Researchers have found that it is surprisingly easy to trick a machine learning model (classifier, clusterer, regressor, etc.) into making an objectively wrong decision. This field of research is called adversarial machine learning. It is not hyperbole to claim that any motivated attacker can bypass any machine learning system, given enough information and time. However, this issue is often overlooked when architects and engineers design and build machine learning systems. The consequences are worrying when these systems are put to use in critical scenarios, such as in the medical, transportation, financial, or security-related fields.

Hence, when one is evaluating the efficacy of applications using machine learning, their malleability in an adversarial setting should be measured alongside the system’s precision and recall.


This framework is built on top of Tensorflow, and many of the included examples in this repository are modified Tensorflow examples obtained from the Tensorflow GitHub repository.

All of the included examples and code implement deep neural networks, but they can be used to generate adversarial images for similarly tasked classifiers that are not implemented with deep neural networks. This is because of the phenomenon of 'transferability' in machine learning, which Papernot et al. expounded upon in their paper on the subject: adversarial samples crafted against a DNN model A may also fool a differently structured DNN model B, as well as some other model C such as an SVM, even though the attacker never had access to B or C.
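As an added illustration (this is not code from the deep-pwning repository and does not use TensorFlow), the following pure-Python example crafts an adversarial input against a logistic-regression model A with the Fast Gradient Sign Method and then shows the same perturbed input fooling a nearest-centroid model B that was trained on the same data but never seen by the attack. The grid data set, the two model choices, the test point and the step size eps are all constructed for this example.

```python
import math

# Constructed toy task (not data from the deep-pwning repository): points on a
# grid in [0, 1]^2, labelled 1 when x1 + x2 > 1, so the task is linearly separable.
def make_dataset(steps=10):
    data = []
    for i in range(steps + 1):
        for j in range(steps + 1):
            x1, x2 = i / steps, j / steps
            data.append(((x1, x2), 1 if x1 + x2 > 1.0 + 1e-9 else 0))
    return data

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train_logistic(data, lr=1.0, epochs=3000):
    """Model A: logistic regression fitted by full-batch gradient descent."""
    w, b, n = [0.0, 0.0], 0.0, len(data)
    for _ in range(epochs):
        gw, gb = [0.0, 0.0], 0.0
        for (x1, x2), y in data:
            err = sigmoid(w[0] * x1 + w[1] * x2 + b) - y
            gw[0] += err * x1 / n
            gw[1] += err * x2 / n
            gb += err / n
        w = [w[0] - lr * gw[0], w[1] - lr * gw[1]]
        b -= lr * gb
    return w, b

def predict_logistic(model, x):
    w, b = model
    return 1 if sigmoid(w[0] * x[0] + w[1] * x[1] + b) > 0.5 else 0

def train_centroid(data):
    """Model B: nearest-centroid classifier, a different model family with no
    gradient at all, standing in for the 'other model' of transferability."""
    sums = {0: [0.0, 0.0, 0], 1: [0.0, 0.0, 0]}
    for (x1, x2), y in data:
        sums[y][0] += x1
        sums[y][1] += x2
        sums[y][2] += 1
    return {y: (s[0] / s[2], s[1] / s[2]) for y, s in sums.items()}

def predict_centroid(centroids, x):
    dist = {y: (x[0] - c[0]) ** 2 + (x[1] - c[1]) ** 2 for y, c in centroids.items()}
    return min(dist, key=dist.get)

def fgsm(model, x, y, eps):
    """Fast Gradient Sign Method against model A: move every input coordinate
    by eps in the direction that increases the cross-entropy loss."""
    w, b = model
    p = sigmoid(w[0] * x[0] + w[1] * x[1] + b)
    grad = [(p - y) * w[0], (p - y) * w[1]]  # dLoss/dx for the logistic loss
    sign = lambda v: (v > 0) - (v < 0)
    return (x[0] + eps * sign(grad[0]), x[1] + eps * sign(grad[1]))

def transfer_demo(x=(0.85, 0.85), y=1, eps=0.4):
    """Craft x_adv against A only, then ask both A and B to classify it."""
    data = make_dataset()
    model_a, model_b = train_logistic(data), train_centroid(data)
    x_adv = fgsm(model_a, x, y, eps)
    return {
        "clean": (predict_logistic(model_a, x), predict_centroid(model_b, x)),
        "adversarial": (predict_logistic(model_a, x_adv), predict_centroid(model_b, x_adv)),
        "linf": max(abs(x_adv[0] - x[0]), abs(x_adv[1] - x[1])),
    }

if __name__ == "__main__":
    print(transfer_demo())  # clean (1, 1) -> adversarial (0, 0), L-inf 0.4
```

The point is the last dictionary entry: the attacker only needed gradients from A, yet B's decision flips too. On real images eps is a small fraction of the pixel range and the gradient comes from backpropagation through the network; the linear case shown here is the mechanism Goodfellow et al. used to explain why such perturbations work at all.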


Components:

Deep-pwning is modularized into several components to minimize code repetition. Because of the vastly different nature of potential classification tasks, the current iteration of the code is optimized for classifying images and phrases (using word vectors).

These are the code modules that make up the current iteration of Deep-pwning:

  1. Drivers: The drivers are the main execution point of the code. This is where you tie the different modules and components together, and where you can inject more customizations into the adversarial generation process.
  2. Models: This is where the actual machine learning model implementations are located. For example, the provided lenet5 model definition is located in the model() function within lenet5.py.


Most Popular Training Courses at Indian Cyber Security Solutions:

 

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Tester Training

Ethical Hacking  training

Python Programming training

 RHCE  training

CEH V9  training

Diploma in Network Security Training

Secure Coding in Java

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advanced Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

Digital marketing

CCNA training

Android Training

 

Cybersecurity services that can protect your company:

 

Web Security | Web Penetration Testing

Network Penetration Testing – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery

 

 

 

Malware | Trojans & Keyloggers | ICSS Student |Gopal Roy


Malware means malicious software. It has been a problem for ages. It is basically a program designed to run on a computer without the owner's knowledge or consent.


Types of Malware

Malware exists in many forms. Some common types of malware that one needs to keep track of are:

  1. Trojan Horse - A Trojan horse is a common type of malware. It is mostly used to control the victimized computer rather than to infect or destroy files on it. Once installed on the victim's system, a Trojan can give the attacker complete access to the victim's computer. Trojans are among the most dangerous forms of malware.


2. Computer Virus - A computer virus is a malicious program developed to infect a computer. Once it infects a computer, it replicates itself. A virus needs a host file or program to attach itself to in order to spread.


3. Worms - Worms are similar to computer viruses. The key difference is that a worm does not require a host file to attach to; it spreads on its own, typically over the network. Once a worm infects a computer, it replicates itself. Computer worms are major threats to large networks.


4. Keyloggers - A keylogger is a hardware device or a piece of software that records every keystroke typed on a computer; software keyloggers often capture screenshots, chats, etc. as well. A software keylogger does not require physical access to the user's computer, and anyone with basic computer knowledge can use one.


5. Adware - Adware stands for advertisement-supported software. Adware is designed to display advertisements on a computer. However, some adware bundles viruses or spying programs, which can harm the system.


After understanding malware, its types and their functions, let us look at keyloggers in detail.

Keyloggers:

Keyloggers are of two types:

  • Hardware keyloggers
  • Software keyloggers

A hardware keylogger is a small device used to record keystrokes. It is plugged in between the keyboard's plug and the computer's USB or PS/2 socket, and it works with both PS/2 and USB keyboards. It looks similar to a normal USB drive or any other computer peripheral, so victims rarely notice that it is a keylogger. A hardware keylogger has built-in memory in which the typed keystrokes are stored, and because it captures them before the operating system sees them, no software on the host can detect it.

Figures: hardware keylogger; PS/2 keylogger; USB keylogger.

Keygrabber – Best Hardware Keylogger

Keygrabber is one of the best-known and most popular hardware keyloggers. This is primarily because of its large storage capacity. The Keygrabber keystroke recorder comes in a standard version with 4 MB of memory (2,000,000 keystrokes, over 1,000 pages of text) and a Venom version holding 2 billion keystrokes (over 1 million pages of text), organized in an advanced flash FAT file system. Because it sits between the keyboard and the computer, it works regardless of the operating system: Windows, Linux or Mac OS.


Features of hardware keyloggers (as advertised by the vendor):

*Observes WWW, e-mail and chat usage by children and employees

*Monitors employee productivity

*Protects children from online hazards and predators

*Saves a copy of the typed text

*Records all keystrokes, including passwords typed into sites such as Facebook

*Huge memory capacity, organized as an advanced flash FAT file system


Software Keyloggers:

A hardware keylogger is useful only if you have physical access to the victim's computer, and it is lost if the victim notices the device and understands its purpose. When physical access is not possible, software keyloggers come into the picture.


Software keyloggers can be classified into two types:

*Local keyloggers

*Remote keyloggers

Local keylogger: Local keyloggers are used to monitor a local computer (even your own PC). They are easy to install and, once installed, difficult to detect, because the keylogger hides itself from the Task Manager, the Windows Registry, etc. Whenever you want to see the logs, screenshots, etc., you press a configured hotkey (for example, Shift+Ctrl+F10).

Hundreds of keyloggers are available nowadays. However, only some of them are user-friendly and actually capable of hiding themselves once installed.


Some popular local keyloggers are:

  • Spy Agent
  • Refog Keylogger

Spy Agent:

Spy Agent is an award-winning monitoring product used to monitor both local and remote computers. It invisibly monitors all computer usage and internet activity. Its logging capabilities are extensive: it can log anything from what users type to the files they print and the programs they run, all time-stamped by date for easy viewing. All logs can be saved and exported for later use. Spy Agent can be configured to log all users on a computer. It monitors and logs both sides of chat conversations on supported chat clients (the supported clients include the latest versions of AOL, AOL Instant Messenger, MSN Messenger, ICQ Pro and ICQ Lite).


Spy Agent keylogger:

Features of the Spy Agent keylogger. It records:

*Keystrokes

*Internet connections

*Internet conversations

*Website activity

*E-mails sent and received

*Files/documents accessed and printed

*Window activity

*Application usage

*Screenshots

*Clipboard contents

*Events

*Activity logs

Refog Keylogger:

Refog is powerful and has a very low antivirus detection rate. It is one of the leading remote password-capturing tools, combining remote install and remote viewing features. Once it is installed on the remote PC(s), the user only needs to log in to his/her personal Refog account to view the activity logs of the remote PC. This means the user can view the logs from anywhere in the world, as long as he/she has Internet access.


Features of Refog Keylogger are as follows:

  1. Keystroke recording: Once installed and running, Refog registers all keys pressed by the user, thus acting as a keylogger. This captures all data entered via the keyboard, including chats, usernames, passwords, e-mail, search queries and other content. In addition to key logging, Refog can also log clipboard text.
  2. Web history logging: Even if users delete their browser history, the information is retained in Refog's log database and is always available via the reports function. All relevant information is collected, including URLs visited, page titles, etc.
  3. Application monitoring: Since Refog records all programs executed on a PC, it is possible to establish whether a child is playing a game instead of doing homework, whether an employee is wasting time, etc.



Remote Keylogger:

Remote keyloggers are used for monitoring a remote PC. Once a remote keylogger is installed on your computer, the attacker can receive your keystrokes, webcam shots, chat logs, etc. from anywhere in the world.

You can find tons of remote keyloggers on the web, but many of them are either not capable of properly recording keystrokes or have a high antivirus detection rate. One keylogger the author considers worth the price is WinSpy.


WinSpy Keylogger:

WinSpy is a stealth monitoring software that monitors both a local PC and a remote PC. It includes remote install and a real-time remote PC viewer. WinSpy will capture anything the user sees on the screen or types on the keyboard.


Features:

*Remote screen capture

*Remote monitoring

*Remote PC browser

*Notification when the user comes online

*Remote sound listening/recording

*Remote camera viewing/recording

*Remote file launch

*Dual-side chat recording

*Remote shutdown

*Remote FTP

*Webcam motion detection

*Web access to the remote PC

*SMS intruder alert

*Works behind firewalls


RAT (TROJANS):

A RAT, or Remote Administration Tool, is one of the most dangerous types of malware. It is essentially a Trojan with a remote-control component. Once a RAT is installed on a computer, the attacker can do almost anything on the remote computer, such as installing a keylogger, shutting down the computer, infecting files, uploading and downloading files, etc. If the user who ran the Trojan has administrative access to the operating system, the Trojan runs with those privileges and can do anything an administrator can, including installing further malicious code.

A compromise of any system on a network may have consequences for other systems on the network. Particularly vulnerable are systems that transmit authentication material, such as passwords, over shared networks in clear text or in a trivially encrypted form, which is still common. If a system on such a network is compromised via a Trojan (or another method), the intruder may be able to record usernames and passwords or other sensitive information as it traverses the network.

Some common types of RATs are:

*ProRat

*Lost Door

 


Function:

Trojans work on the client-server model. A Trojan comes in two parts, a client and a server. The server part runs on the remote (victim) machine once the user unknowingly executes it, and the attacker uses the client to connect to it. The typical protocol used by most Trojans is TCP/IP; however, some functions of a Trojan may make use of UDP as well.

When the server is activated on the remote computer, it will try to remain in stealth mode, i.e. stay hidden. This is configurable; for example, in the Back Orifice Trojan, the server can be configured to remain in stealth mode and hide its processes. Once activated, the server starts listening on default or configured ports for incoming connections from the attacker. (Many later RATs reverse this: the component on the victim connects out to the attacker, which passes through NAT and outbound-only firewalls.) It is also usual for Trojans to modify the registry and/or use some other auto-starting method.


Most Trojans use auto-starting methods so that the server restarts every time the remote machine reboots, which in turn also notifies the attacker. As these methods are countered, new auto-starting methods keep evolving. Startup methods range from associating the Trojan with commonly executed files such as explorer.exe to the well-known methods of modifying system files or the Windows Registry. Some of the system files and locations targeted by Trojans are the Startup folder, win.ini, system.ini, wininit.ini, winstart.bat, autoexec.bat and config.sys (the .ini and .bat entries are legacy locations from Windows 9x; on current Windows the Run keys, scheduled tasks and services are the usual targets).
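A defender's counterpart to the autostart list above, added here as an example (not part of the original article): a Python audit that takes autostart entries collected from a host, parses the legacy win.ini run=/load= lines, and flags the patterns the text describes, such as an exefile open-command hijack, a binary started from a user-writable directory, or a system-binary name living outside the Windows directory. The sample entries, the win.ini text and the rules are constructed for the example.

```python
import re

# Checks for the autostart locations named above, applied to entries collected
# from a host. Everything below is constructed for this example, not taken
# from a real machine.
EXEFILE_OPEN_CLEAN = '"%1" %*'  # unmodified HKCR\exefile\shell\open\command
SYSTEM_BINARY_NAMES = {"svchost", "explorer", "lsass", "csrss", "winlogon", "services"}
USER_WRITABLE = re.compile(r"\\(temp|tmp|appdata|programdata|downloads|public)\\", re.I)

SAMPLE_ENTRIES = [
    # (location, value name, command)
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Update",
     r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    (r"HKCR\exefile\shell\open\command", "(Default)",
     r'"C:\ProgramData\sys\server.exe" "%1" %*'),
    ("system.ini [boot]", "shell", "explorer.exe"),
]

SAMPLE_WIN_INI = r"""; constructed win.ini, not from a real host
[windows]
load=
run=C:\ProgramData\updater\srv.exe
[fonts]
"""

def parse_win_ini(text):
    """Return (location, key, value) for run= and load= in [windows]."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("run", "load"):
                entries.append(("win.ini [windows]", key.lower(), value))
    return entries

def exe_name(command):
    m = re.search(r'([^\\/"]+)\.exe', command, re.I)
    return m.group(1).lower() if m else ""

def audit_autostart(entries):
    """Return (location, name, reason) for every entry that trips a rule."""
    findings = []
    for location, name, command in entries:
        loc, cmd = location.lower(), command.lower()
        reasons = []
        if loc.endswith(r"exefile\shell\open\command") and command != EXEFILE_OPEN_CLEAN:
            reasons.append("exefile open command hijacked: runs before every .exe")
        if loc.startswith("win.ini") and command:
            reasons.append(f"legacy win.ini {name}= entry is populated")
        if loc.startswith("system.ini") and name == "shell" and cmd != "explorer.exe":
            reasons.append("system.ini shell= no longer explorer.exe")
        if USER_WRITABLE.search(command):
            reasons.append("autostart target lives in a user-writable directory")
        if exe_name(command) in SYSTEM_BINARY_NAMES and "\\" in cmd and "\\windows\\" not in cmd:
            reasons.append("system binary name outside the Windows directory")
        findings.extend((location, name, r) for r in reasons)
    return findings

if __name__ == "__main__":
    for finding in audit_autostart(SAMPLE_ENTRIES + parse_win_ini(SAMPLE_WIN_INI)):
        print(*finding, sep=" | ")
```

On a live host the entries would come from reg query / Get-ItemProperty on the Run keys and from the files themselves; the rules are deliberately simple string checks so they are easy to extend with whatever a particular environment considers normal.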

Now, after getting a clear idea of RATs (Trojans), let us see how a Trojan can be used to get into a system.


ProRat:

ProRat is a remote administration tool (RAT) based on a backdoor Trojan. It opens a port on the infected system, which allows the client to perform various operations on the infected computer. ProRat cannot connect to victims over WANs (wide area networks); it can connect only over LANs (local area networks). However, once ProRat is installed, it is almost impossible to remove without up-to-date antivirus software.

The following procedure is usually followed by an attacker to take control of the victim's computer using ProRat; it also covers some of the functions that can be performed with this Trojan. Here the author uses the term 'you' for the attacker.



 

Pentmenu: a bash script for recon and DoS attacks


Pentmenu is a bash script inspired by pentbox. It is designed to be a simple way to implement various network pentesting functions, including network attacks, using wherever possible readily available software commonly installed on most Linux distributions without having to resort to multiple specialist tools.


Requirements for Pentmenu:

  • bash
  • sudo
  • curl
  • netcat (must support ‘-k’ option, openbsd variant recommended)
  • hping3 (or nping can be used as a substitute for flood attacks)
  • openssl
  • stunnel
  • nmap
  • whois (not essential but preferred)
  • nslookup (or ‘host’)
  • ike-scan


Module detail:

Recon Modules:

Show IP – uses curl to look up your external IP. Runs ip a or ifconfig (as appropriate) to show local interface IPs.

DNS Recon – passive recon; performs a DNS lookup (forward or reverse, as appropriate for the target input) and a whois lookup of the target. If whois is not available it performs a lookup against ipinfo.io (only works for IPs, not hostnames).

 

DoS Modules:

  • ICMP Echo Flood – uses hping3 to launch a traditional ICMP Echo flood against the target. On a modern system you are unlikely to achieve much, but it is useful for testing firewalls and observing their behaviour. Use Ctrl-C to end the flood. The source address of the flood packets is configurable.
  • ICMP Blacknurse Flood – uses hping3 to launch an ICMP flood against the target. The ICMP packets are of type "Destination Unreachable, Port Unreachable" (type 3, code 3). This attack can cause high CPU usage on many systems, firewalls in particular. Use Ctrl-C to end the attack. See http://blacknurse.dk/ for more information. The source address of the flood packets is configurable.


Extraction Modules:

Send File – This module uses netcat to send data with TCP or UDP. It can be extremely useful for extracting data. An md5 and sha512 checksum is calculated and displayed prior to sending the file. The file can be sent to a server of your choice; the Listener is designed to receive these files.

Listener – uses netcat to open a listener on a configurable TCP or UDP port. This can be useful for testing syslog connectivity, receive files or checking for active scanning on the network.
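The Send File and Listener pair described above, reproduced in Python as an added example (pentmenu itself does this with netcat and the md5sum/sha512sum tools; this is not pentmenu's code). The sender computes the same two digests before transmitting, sends the length and SHA-512 ahead of the bytes, and the listener verifies what arrived. The host, the ephemeral port and the sample payload are constructed for the example, and only the TCP case is shown.

```python
import hashlib
import socket
import threading

# Constructed payload standing in for the file being extracted.
SAMPLE_PAYLOAD = b"constructed sample payload line\n" * 1000

def digests(data):
    """The two checksums pentmenu prints before sending: md5 and sha512."""
    return hashlib.md5(data).hexdigest(), hashlib.sha512(data).hexdigest()

def send_file(host, port, data):
    """Connect over TCP and send '<length> <sha512>\\n' followed by the bytes.
    Returns the sha512 so the sender can publish it out of band."""
    _, sha512 = digests(data)
    header = f"{len(data)} {sha512}\n".encode()
    with socket.create_connection((host, port)) as s:
        s.sendall(header + data)
    return sha512

def listen_once(server):
    """Accept one transfer on an already-bound listening socket and verify it.
    Returns (payload, announced_sha512, verified)."""
    conn, _ = server.accept()
    with conn, conn.makefile("rb") as f:
        length, announced = f.readline().decode().split()
        payload = f.read(int(length))
    _, actual = digests(payload)
    return payload, announced, len(payload) == int(length) and actual == announced

def tampered(data, announced_sha512):
    """The receiver's check, isolated: does the payload still match the digest?"""
    return digests(data)[1] != announced_sha512

def roundtrip(data, host="127.0.0.1"):
    """Start a listener on an ephemeral loopback port, send data to it in this
    thread, and return the listener's verdict plus the sender's digest."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(1)
    port = server.getsockname()[1]
    result = {}

    def serve():
        payload, announced, ok = listen_once(server)
        result.update(payload=payload, announced=announced, ok=ok)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    sent_sha512 = send_file(host, port, data)
    t.join(timeout=10)
    server.close()
    return result, sent_sha512

if __name__ == "__main__":
    verdict, sha512 = roundtrip(SAMPLE_PAYLOAD)
    print(verdict["ok"], sha512[:16], tampered(SAMPLE_PAYLOAD + b"!", sha512))
```

Nothing here is encrypted or authenticated: like a plain netcat transfer, anyone on the path can read or alter the data, and a digest sent in the same stream only tells the receiver that something changed, not who changed it. Publish the digest out of band (which is what pentmenu's printed checksum invites) or wrap the transfer in TLS if that matters.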



AWS S3 Security Scanning Tool | AWSBucketDump


AWS launched in 2006 from the internal infrastructure that Amazon.com built to handle its online retail operations. AWS was one of the first companies to introduce a pay-as-you-go cloud computing model that scales to provide users with compute, storage or throughput as needed.

Amazon Web Services provides services from dozens of data centers spread across availability zones (AZs) in regions across the world. An AZ represents a location that typically contains multiple physical data centers, while a region is a collection of AZs in geographic proximity connected by low-latency network links. An AWS customer can spin up virtual machines (VMs) and replicate data in different AZs to achieve a highly reliable infrastructure that is resistant to failures of individual servers or an entire data center.


AWSBucketDump

AWSBucketDump is an AWS S3 security tool which lets you quickly enumerate AWS S3 buckets and look for interesting or confidential files. It is similar to a subdomain brute-forcing tool but made specifically for S3 buckets, with extra features that let you grep object names for interesting keywords and download matching files, if you are not afraid of quickly filling up your hard drive.


S3 and bucket misconfiguration

AWS Simple Storage Service (S3) is used by companies that don't want to build and maintain their own storage repositories. With S3 they store objects and files in Amazon's object storage instead of on physical racks; in simple terms, the service is basically "a Dropbox for IT and tech teams". After creating a bucket, users start storing source code, certificates, passwords, content, databases and other data in it. While AWS promises safely stored data and secure uploads and downloads, the security community has long pointed out severe misconfigurations on the customer side: a bucket whose ACL or bucket policy grants List or Read to "Everyone" (or to "Any authenticated AWS user", which means any AWS account at all) can be enumerated and downloaded by anyone, and that is exactly what tools like AWSBucketDump test for.


AWSBucketDump S3 Security Tool Requirements:

Created with Python 3.6. Python libraries used (argparse is part of the standard library; the others must be installed):

  • xmltodict
  • requests
  • argparse


Usage:

usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]

optional arguments:

-h, --help    show this help message and exit

-D            Download files. This requires significant diskspace

-d            If set to 1 or True, create directories for each host w/ results

-t THREADS    number of threads

-l HOSTLIST

-g GREPWORDS  Provide a wordlist to grep for

-m MAXSIZE    Maximum file size to download.

python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1
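An added example of the parsing side of such a tool (Python written for this page rather than taken from AWSBucketDump, which uses xmltodict): it parses a ListBucket response, separates keyword hits that fit under the size limit from those that do not, and classifies the three answers an enumerator gets back: open, existing-but-private, and nonexistent. The XML bodies and keyword list are constructed.

```python
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"

# Constructed ListBucket response; not captured from a real bucket.
SAMPLE_LISTING = f"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="{S3_NS}">
  <Name>example-assets</Name>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>static/logo.png</Key><Size>18230</Size></Contents>
  <Contents><Key>backup/db_dump_2018.sql.gz</Key><Size>734003200</Size></Contents>
  <Contents><Key>config/.env</Key><Size>412</Size></Contents>
  <Contents><Key>keys/deploy_id_rsa</Key><Size>1675</Size></Contents>
</ListBucketResult>"""

# Constructed error bodies in the shape S3 returns them.
SAMPLE_DENIED = """<?xml version="1.0"?><Error><Code>AccessDenied</Code>
<Message>Access Denied</Message></Error>"""
SAMPLE_MISSING = """<?xml version="1.0"?><Error><Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message></Error>"""

def classify(status, body):
    """Distinguish an open bucket from one that exists but is private and from
    one that does not exist; the middle case is still worth recording."""
    if status == 200:
        return "open"
    code = ""
    try:
        code = ET.fromstring(body).findtext("Code") or ""
    except ET.ParseError:
        pass
    if status == 403 or code == "AccessDenied":
        return "exists-private"
    if status == 404 or code == "NoSuchBucket":
        return "missing"
    return f"other:{status}"

def parse_listing(body):
    """Return ([(key, size), ...], is_truncated) from a ListBucket body,
    tolerating responses with or without the S3 namespace."""
    root = ET.fromstring(body)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    tag = (lambda t: f"{{{ns}}}{t}") if ns else (lambda t: t)
    objects = [(c.findtext(tag("Key")), int(c.findtext(tag("Size")) or 0))
               for c in root.findall(tag("Contents"))]
    truncated = (root.findtext(tag("IsTruncated")) or "false").lower() == "true"
    return objects, truncated

def interesting(objects, keywords, max_size):
    """Split keyword hits into those small enough to download and the rest."""
    kws = [k.lower() for k in keywords]
    hits = [(k, s) for k, s in objects if any(w in k.lower() for w in kws)]
    return ([(k, s) for k, s in hits if s <= max_size],
            [(k, s) for k, s in hits if s > max_size])

if __name__ == "__main__":
    objs, truncated = parse_listing(SAMPLE_LISTING)
    print(interesting(objs, ["backup", "password", "id_rsa", ".env"], 500000), truncated)
    print(classify(403, SAMPLE_DENIED), classify(404, SAMPLE_MISSING))
```

The IsTruncated flag matters in practice: a listing of a large bucket comes back in pages of up to 1,000 keys, and a tool that reads only the first page will miss most of what is there.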



Sandiflux: Another botnet using Fast Flux technology has emerged


SandiFlux is a newly identified Fast Flux infrastructure. Attackers use Fast Flux infrastructure in the wild to hide malicious activity such as malware and phishing campaigns.

Fast Flux is a technique in which many IP addresses, usually those of compromised hosts acting as proxies, are assigned to the same domain name and rotated rapidly through DNS records with very short TTLs, so that the real back-end server stays hidden and the takedown of individual nodes does not disrupt the service.

Security researchers from Proofpoint identified a new Fast Flux infrastructure, dubbed SandiFlux, that is used to distribute malware and acts as a proxy for GandCrab ransomware.

Starting in December, the researchers observed new fast flux domain nodes and decided to track them separately from DarkCloud events. Some threat actors also moved from DarkCloud to SandiFlux.


Proofpoint said that their findings come from long-term observations of the DarkCloud botnet. DarkCloud has been using Fast Flux since 2014. Most of the infected computers that make up DarkCloud are concentrated in Ukraine and Russia (77.4% and 14.5%, respectively).

Unlike DarkCloud, SandiFlux nodes are concentrated in Romania and Bulgaria (46.4% and 21.3%, respectively), with smaller numbers elsewhere in Europe, Africa, the Middle East and South Asia.


Similar services to SandiFlux:

Similar services are offered by the operators of DarkCloud, also known as Fluxxy, a multi-purpose botnet whose activity Proofpoint has monitored since 2014. This infrastructure allows operators to quickly and automatically change IP addresses, domains and even DNS servers to extend the life of fraudulent sites, malicious sites and C&C servers.

DarkCloud is widely used by carders, exploit-kit operators, authors of malvertising campaigns, spammers, phishers, botnet herders and malware operators, for example the Furtim downloader and SFG.


Now, according to Proofpoint, some of these actors have begun to migrate to SandiFlux. In February the new infrastructure was tested by the distributor of Zloader, an actor behind malicious campaigns whom the researchers track as TA547. In November, according to their observations, this actor was still using the DarkCloud infrastructure.


Conclusion:

Fast Flux DNS has proved to be a powerful tool for threat actors looking to hide dark web sites, malicious infrastructure, and other web-based operations from researchers and law enforcement. While DarkCloud/Fluxxy is the best documented, a new Fast Flux botnet has emerged with nodes of compromised hosts distributed much more widely. It is likely that both DarkCloud and SandiFlux are operated by the same actor, who rents capabilities to other actors. GandCrab ransomware in particular now has its command and control proxied behind SandiFlux, although a number of other actors we track are making use of the infrastructure to mask their operations. While the direct effects on compromised hosts are performance and bandwidth degradation, the more significant global impact is increased capacity for providing Fast Flux DNS to threat actors.



 

Streamalert: Serverless, Realtime Data Analysis Framework


StreamAlert is a serverless, real-time data analysis framework which lets you ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define.

Airbnb needed a product that empowered both engineers and administrators to ingest, analyze, and alert on data in real-time from their respective environments.


Features of Streamalert:

  • Deployment is automated: simple, safe and repeatable for any AWS account
  • Easily scalable from megabytes to terabytes per day
  • Infrastructure maintenance is minimal, no devops expertise required
  • Infrastructure security is a default, no security expertise required
  • Supports data from different environments (ex: IT, PCI, Engineering)
  • Supports data from different environment types (ex: Cloud, Datacenter, Office)
  • Supports different types of data (ex: JSON, CSV, Key-Value, or Syslog)
  • Supports different use-cases like security, infrastructure, compliance and more


Benefits:

As partially outlined above, StreamAlert has some unique benefits:

  • Serverless — StreamAlert utilizes AWS Lambda, which means you don’t have to manage, patch or harden any new servers
  • Scalable — StreamAlert utilizes AWS Kinesis Streams, which will “scale from megabytes to terabytes per hour and from thousands to millions of PUT records per second”
  • Automated — StreamAlert utilizes Terraform, which means infrastructure and supporting services are represented as code and deployed via automation
  • Secure — StreamAlert uses secure transport (TLS), performs data analysis in a container/sandbox, segments data per your defined environments, and uses role-based access control (RBAC)
  • Open Source — Anyone can use or contribute to StreamAlert


StreamAlert utilizes the following services:

  • AWS Kinesis Streams — Datastream; AWS Lambda polls this stream (stream-based model)
  • AWS Kinesis Firehose — Loads streaming data into S3 long-term data storage
  • AWS Lambda (Python) — Data analysis and alerting
  • AWS SNS — Alert queue
  • AWS S3 — Optional datasources, long-term data storage, & long-term alert storage
  • AWS Cloudwatch — Infrastructure metrics
  • AWS KMS — Encryption and decryption of application secrets
  • AWS IAM — Role-based Access Control (RBAC)


The data sources do not have to be AWS services; StreamAlert can ingest data such as:

  • Host Logs (e.g. Syslog, osquery, auditd)
  • Network Logs (e.g. Palo Alto Networks, Cisco)
  • Web Application Logs (e.g. Apache, nginx)
  • SaaS providers (e.g. Box, OneLogin)

It should be noted that StreamAlert is not intended for analytics, metrics or time series use-cases. There are many great open source and commercial offerings in this space, including but not limited to Prometheus, DataDog and NewRelic.
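As an added example (not StreamAlert's own code or API), the following Python sketch shows the rule model the framework is built around: a rule is a function registered for one or more log types, it returns True for a record that should alert, and the processor routes the alert to the outputs named on the rule. The records, rule bodies and output names are constructed.

```python
from collections import defaultdict

RULES = defaultdict(list)  # log type -> [(rule function, outputs)]

def rule(logs, outputs):
    """Register a rule for the given log types (hypothetical registry that
    mimics the decorator style StreamAlert rules are written in)."""
    def wrap(fn):
        for log in logs:
            RULES[log].append((fn, outputs))
        return fn
    return wrap

# Constructed records in the shape of osquery results and CloudTrail events.
RECORDS = [
    {"log": "osquery", "hostname": "web-01", "name": "listening_ports",
     "columns": {"port": 443, "path": "/usr/sbin/nginx"}},
    {"log": "osquery", "hostname": "web-02", "name": "listening_ports",
     "columns": {"port": 4444, "path": "/tmp/.x/srv"}},
    {"log": "cloudtrail", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"log": "cloudtrail", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser"}, "additionalEventData": {"MFAUsed": "Yes"}},
]

ALLOWED_PORTS = {22, 80, 443}

@rule(logs=["osquery"], outputs=["slack:secops"])
def unexpected_listening_port(rec):
    return (rec.get("name") == "listening_ports"
            and rec.get("columns", {}).get("port") not in ALLOWED_PORTS)

@rule(logs=["osquery"], outputs=["pagerduty:secops"])
def binary_in_tmp(rec):
    return rec.get("columns", {}).get("path", "").startswith(("/tmp/", "/dev/shm/"))

@rule(logs=["cloudtrail"], outputs=["pagerduty:secops", "slack:secops"])
def root_login_without_mfa(rec):
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("userIdentity", {}).get("type") == "Root"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def process(records):
    """Evaluate every rule registered for each record's log type and collect
    the alerts with the outputs they should be delivered to."""
    alerts = []
    for rec in records:
        for fn, outputs in RULES.get(rec.get("log"), []):
            try:
                hit = bool(fn(rec))
            except Exception:  # one faulty rule must not take the processor down
                hit = False
            if hit:
                alerts.append({"rule": fn.__name__, "outputs": outputs,
                               "host": rec.get("hostname"), "record": rec})
    return alerts

if __name__ == "__main__":
    for alert in process(RECORDS):
        print(alert["rule"], alert["host"], alert["outputs"])
```

In the real framework the record shape is fixed by a schema in configuration and the rule function runs inside Lambda on each Kinesis batch; the part worth copying is that a rule is a pure predicate over one record, which keeps rules unit-testable against sample events exactly as above.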


Concluding Thoughts:

Open source has allowed us as a community, to both share, collaborate, and iterate on common needs and goals. Now with the ability to represent infrastructure as code, this goal can be further realized with reduced costs for both development and deployment.

We hope StreamAlert serves as an example of this, making deployment simple, repeatable and safe so that anyone can use it easily.



GScript: Scriptable dynamic runtime execution of malware

GScript (Genesis Scripting Engine)

Genesis Scripting (gscript for short) is a technology I've developed to enable more intelligent malware stagers. Typically, stagers are pretty dumb. Most stagers are unique to the malware they deploy and do not allow for "bundling" of multiple payloads. Sophisticated attackers do in fact bundle their payloads, which makes runtime behaviour even harder to predict.

GScript changes that. GScript allows for dynamic execution logic per payload. This is achieved by a modified JavaScript runtime that is statically embedded in the final stager binary. This runtime/virtual machine runs "hook" functions that you've defined in your script, checking after each hook whether the script wishes to proceed.


GScript has significant benefits over traditional tactics:

Scripts are far more “sandboxed” from each other. If you’re bundling 10 payloads and 1 of them has a syntax error in its script, with gscript only that script’s VM dies, not the entire program.

GScript’s VM, while sandboxed, has native hooks injected into it. This allows the VM to interact with things outside of the VM (filesystem, network, registry, etc.).

These functions are, by and large, completely cross-platform. This allows someone to learn only GScript to write scripts, without having to learn a different programming language per platform.

Execution is also parallelized using the very effective goroutine paradigm, resulting in much faster execution of stagers with multiple payloads.

This development process is incredibly efficient with our gscript CLI utility.

Compiler

The compiler translates your gscripts and their assets into a finalized binary. Some features of the compiler:

  • Supports native binary compilation for all major operating systems: Windows, Linux, OS X
  • Can pack large numbers of scripts and assets into a single executable.
  • Built-in lossless compression and obfuscation of both scripts and embedded assets.
  • VERY FAST. Compilation times generally less than 5 seconds.
  • Post compilation obfuscation to remove references to the library.
  • Defaults to a null logger for the final binary (no output ever!), but can be overridden to inject a development logger into the final binary for testing.


VM Engine

The final binary contains the gscript engine with all scripts and their imported assets. It initializes one VM per script and executes them, generally in parallel (there are priority overrides, but more on that below!).

The VMs cannot interact with one another and errors in one VM will be gracefully handled by the engine. This prohibits one VM from causing instability or fatal errors preventing other scripts from executing.

The Engine has been designed to be lean and free from bloated imports. It’s come a long way, but there will be more improvements here in the future as well.


Pagodo: Automate Google Hacking Database scraping

Pagodo (Passive Google Dork)

The goal of this project was to develop a passive Google dork script to collect potentially vulnerable web pages and applications on the Internet. There are two parts: ghdb_scraper.py, which retrieves the Google dorks, and pagodo.py, which leverages the information gathered by ghdb_scraper.py.


What are Google Dorks?

The awesome folks at Offensive Security maintain the Google Hacking Database (GHDB) found here: https://www.exploit-db.com/google-hacking-database. It is a collection of Google searches, called dorks, that can be used to find potentially vulnerable boxes or other juicy info that is picked up by Google’s search bots.


Usage:

To start off, pagodo.py needs a list of all the current Google dorks. Unfortunately, the entire database cannot be easily downloaded. A couple of older projects did this, but the code was slightly stale and it wasn’t multi-threaded, so collecting ~3800 Google dorks would take a long time. ghdb_scraper.py is the resulting Python script.

The flow of execution is pretty simple:

  • Fill a queue with Google dork numbers to retrieve, based on a range
  • Worker threads take a dork number from the queue, retrieve the page using urllib2, then process the page to extract the Google dork using the BeautifulSoup HTML parsing library
  • Print the results to the screen and optionally save them to a file (to be used by pagodo.py, for example)
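
The queue-and-workers flow above, as an added example that is not ghdb_scraper.py's own code: dork numbers are queued, worker threads pull them, fetch the page and parse the dork out of the HTML. Everything here is constructed so it runs offline: the fetcher is a dictionary standing in for urllib2, the page markup and the `class="dork"` element are made up, and the standard-library html.parser stands in for BeautifulSoup. No search engine is queried.

```python
import queue
import threading
from html.parser import HTMLParser

# Constructed stand-in for the remote pages, keyed by dork number.
# The real scraper fetches these over HTTP; here they are embedded.
FAKE_PAGES = {
    1: '<html><body><h1>GHDB</h1><div class="dork">intitle:"index of" "backup"</div></body></html>',
    2: '<html><body><div class="dork">inurl:admin filetype:php</div></body></html>',
    3: '<html><body><p>no dork on this page</p></body></html>',
}


def fetch(dork_id):
    """Stand-in for the HTTP fetch; returns None when the page does not exist."""
    return FAKE_PAGES.get(dork_id)


class DorkExtractor(HTMLParser):
    """Collect the text inside <div class="dork"> elements (a made-up markup)."""

    def __init__(self):
        super().__init__()
        self._in_dork = False
        self.dorks = []

    def handle_starttag(self, tag, attrs):
        if tag == "div" and dict(attrs).get("class") == "dork":
            self._in_dork = True

    def handle_endtag(self, tag):
        if tag == "div":
            self._in_dork = False

    def handle_data(self, data):
        if self._in_dork and data.strip():
            self.dorks.append(data.strip())


def extract_dork(html):
    """Return the first dork found in the page, or None."""
    parser = DorkExtractor()
    parser.feed(html)
    return parser.dorks[0] if parser.dorks else None


def scrape(start, end, workers=4):
    """Fill a queue with dork numbers, let worker threads fetch and parse each one,
    and return {dork_number: dork_string} for the pages that contained a dork."""
    work = queue.Queue()
    for n in range(start, end + 1):
        work.put(n)
    results = {}
    lock = threading.Lock()

    def worker():
        while True:
            try:
                n = work.get_nowait()
            except queue.Empty:
                return                      # queue drained, worker exits
            try:
                page = fetch(n)
                dork = extract_dork(page) if page else None
                if dork:
                    with lock:              # results dict is shared across threads
                        results[n] = dork
            finally:
                work.task_done()

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    for number, dork in sorted(scrape(1, 5).items()):
        print(number, dork)
```

Missing pages and pages without a dork are simply skipped, so a gap in the numbering does not stall the other workers.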


pagodo.py:

Now that a file with the most recent Google dorks exists, it can be fed into pagodo.py using the -g switch to start collecting potentially vulnerable public applications. pagodo.py leverages the google Python library to search Google for sites matching each Google dork.


Performing ~3800 search requests to Google as fast as possible will simply not work. Google will rightfully detect it as a bot and block your IP for a set period of time. In order to make the search queries appear more human, a couple of enhancements have been made. A pull request was made and accepted by the maintainer of the Python google module to allow for User-Agent randomization in the Google search queries. This feature is available in 1.9.3 (https://pypi.python.org/pypi/google) and allows you to randomize the different user agents used for each search. This emulates the different browsers used in a large corporate environment.


Future Work:

Future work includes grabbing the Google dork description to provide some context around the dork and why it is in the Google Hacking Database.


WifiGod: Python script to test network security

WifiGod

WifiGod is a tool coded and developed by Blackhole. It is written in the Python programming language and is used to test network security.

Need to know about WifiGod:

  • Monitor interface is created for you: when you enter your network interface in the options, always use one that is not already in monitor mode, i.e. your main wireless interface (e.g. wlan0). This is because WifiGod creates its own wireless interface named ‘wifigod’. Once the wifigod network interface has been added (after the first time you enter your main network interface), type ‘wifigod’ wherever the program requests a network interface. The wifigod network interface is a prerequisite for the program; it will not work without it.

  • Turn off the main network interface for Network Jam and DeAuthentication: it is recommended that you turn off your wireless interface (e.g. wlan0) when using these options (DO NOT turn off Wifi). To temporarily disable the interface, type ‘ifconfig wlan0 down’, replacing ‘wlan0’ with your network interface. The reason for doing this is that when the program sends the arbitrary packets to the network, it WILL preclude anyone on the network that YOU ARE CONNECTED TO from having an external wireless connection while the program runs. You are able to run these options fine without wifi. !HOWEVER! You must turn your wifi off AFTER you have executed the option, because the program needs a working external connection to resolve device types for the DeAuthentication and ‘Scan a Network for Devices’ options.

  • External connection must be present for ‘Scan a Network for Devices’: when scanning a remote network for devices, it is imperative that you are able to connect to the Internet. This is because the program looks up the found MAC addresses in a MAC address vendor database.

  • DNS traffic interception will only work when the target device is being impersonated with option 5.

FakeDns: Python MITM DNS server with support for DNS Rebinding attacks

FakeDns

FakeDns is a regular-expression-based Python MITM DNS server with correct DNS request passthrough and “Not Found” responses, now with round-robin and improved options.

How to use the hosts file to fake DNS:

The hosts file is stored on a computer or device to provide local entries for DNS lookup. Normally, when you try to resolve a hostname or domain, your computer consults your specified DNS server to discover the IP address that it points to. This requires that a DNS server with the record you need exists somewhere. With the hosts file, you can fake DNS entries that resolve only on the local machine.

It’s great for testing or troubleshooting, or if anyone wants to use a specific hostname that no DNS record exists for, though ideally you should create DNS records where possible, as they can be centrally managed. It can also help to get around DNS propagation issues: for example, if a DNS record has been updated but had a TTL of 24 hours, you may have to wait up to that long (assuming the cache cannot be cleared) before the record resolves to the new IP address. By adding a temporary hosts file entry you can resolve to the new IP address straight away, as the hosts file takes precedence over external DNS.
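
The hosts-file precedence described above, as an added example that is not part of the original post or of FakeDns: a parser for the hosts-file format (comments, blank lines, IPv4 and IPv6, several aliases per line), a resolver that consults the parsed table before falling back to DNS, and an audit helper that lists names the file silently redirects away from their DNS answer. The hosts content and the “upstream” answers are constructed for the example; in real use the upstream dictionary would be a query to a DNS server.

```python
import ipaddress

# Constructed hosts file exercising the parser: comments, blank lines, an
# IPv6 entry, multiple aliases on one line, and trailing inline comments.
SAMPLE_HOSTS = """
# local overrides for testing
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.0.5    app.example.test app   # new IP while the public record's TTL runs out
192.0.2.9   update.vendor.test     # vendor name pointed at a different address
"""

# Constructed stand-in for what external DNS would answer for these names.
UPSTREAM = {
    "app.example.test": "203.0.113.20",
    "update.vendor.test": "198.51.100.7",
}


def parse_hosts(text):
    """Return {hostname: [ip, ...]} in file order; hostnames are lower-cased
    because hosts-file matching is case-insensitive."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, surrounding space
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))   # validates IPv4 and IPv6
        except ValueError:
            continue                              # skip a malformed line, keep the rest
        for name in parts[1:]:
            table.setdefault(name.lower(), []).append(ip)
    return table


def resolve(name, hosts, upstream):
    """Hosts entries win; only names absent from the file reach 'DNS'.
    Returns (ip_or_None, source) so the caller can see which path answered."""
    name = name.lower()
    if name in hosts:
        return hosts[name][0], "hosts"
    if name in upstream:
        return upstream[name], "dns"
    return None, "nxdomain"


def overridden_names(hosts, upstream):
    """Names whose hosts-file address differs from the DNS answer. This is the
    audit a defender runs: a stale troubleshooting entry and a tampered hosts
    file both show up here."""
    return sorted(n for n in hosts if n in upstream and upstream[n] not in hosts[n])


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print(resolve("app.example.test", table, UPSTREAM))
    print(overridden_names(table, UPSTREAM))
```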


Round-Robin:

Round-robin rules are implemented. Every time a client requests a matching rule, FakeDNS serves out the next IP in the list of IPs provided in the rule. A list of IPs is comma-separated.

DNS Rebinding:

FakeDNS supports rebinding rules, which means the server answers a certain number of requests from a client for a domain with one IP address until a threshold is reached (default 1 request) and then switches to a different IP address.
