Ethical Hackers Vol. 2

Channel address: @ethicalhackerscommunity2
Categories: Technologies
Language: English
Subscribers: 6.95K
Description from channel

Acquire Content-Rich Courses and Tutorials here For Free.
Strictly for Educational purposes only💯

The latest Messages 4

2022-05-16 16:50:41 https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950

Download Chlonium (https://github.com/rxwx/chlonium)
215 views, EH Community Feed, 13:50
2022-05-16 16:50:41 etc.). Additionally, SharpDPAPI (https://github.com/GhostPack/SharpDPAPI#statekeys) will allow you to decrypt the Chromium state key file if you have DPAPI state keys, current password, or domain backup key - allowing you to dump cookies remotely over SMB!

When carrying out Red Teaming, I sometimes need to dump a user's cookies multiple times over a sustained period (e.g. daily/weekly). Using a .NET assembly, Reflective DLL or other in-memory execution technique to extract individual cookies from the cookie file directly on the target system is unnecessary and exposes the operator to increased risk of detection. Instead you can simply dump the state key once, and copy the Cookies database file off whenever you need fresh cookies, without requiring additional execution.

Demo

See here (https://vimeo.com/452632559?quality=1080p) for a video demo.

Password Import/Export

ChloniumUI also supports password import and export. To use this feature, simply supply the Login Data database path instead of the Cookies db, along with the state key, and select the browser you wish to import them into (for export this doesn't matter). This allows you to either export passwords in plaintext to a file, or import them into your browser. As with cookies, you can import Chrome passwords into Edge, Edge passwords into Vivaldi etc.

Offline Statekey Decryption

Chlonium supports offline state key decryption (https://www.kitploit.com/search/label/Decryption) whereby you can decrypt the user's statekey offline if you have all of the following files:

* The Local State file from: C:\Users\\AppData\Local\\User Data\Local State
* The DPAPI masterkey files from: C:\Users\\AppData\Roaming\Microsoft\Protect\\

and one of the following:

* Domain backup key .pvk file (e.g. from NTDS.dit)
* Domain backup key in base64 (e.g. from Mimikatz/SharpDPAPI LsaRetrievePrivateData API method)
* The user's password

Now simply provide these values under the "Offline statekey decryption" tab, and Chlonium will attempt to decrypt the encrypted statekey by first decrypting the DPAPI masterkeys (using the backup key or password), and then using these keys to decrypt the statekey. Once the statekey is decrypted, this can be used in the "Import or Export Database" tab to retrieve cookies/passwords.

Usage Note: When using the user's password to decrypt the DPAPI masterkey, Chlonium will first attempt to extract the user's SID from the BK- file from within the DPAPI masterkey folder. If this fails (or if the file does not exist), it will try to get the SID from the DPAPI masterkey folder name instead (which by default will be named after the user's SID). If you have renamed the folder, or do not have a copy of the BK file, you will not be able to decrypt the masterkey using a password.

This feature makes use of the excellent SharpChrome (https://github.com/GhostPack/SharpDPAPI/tree/master/SharpChrome) and SharpDPAPI (https://github.com/GhostPack/SharpDPAPI) projects by @harmj0y. Full credit goes to the original authors of SharpDPAPI.

Detection

Set a SACL on the Chrome Local State and Cookies files (as well as other sensitive files such as Login Data and History). Look for suspicious (e.g. non browser related) processes opening any of these files. Take a look at this great blog post (https://medium.com/@cryps1s/detecting-windows-endpoint-compromise-with-sacls-cd748e10950) from @cryps1s about setting up SACLs for detection.

For AV vendors that use a file system filter driver, consider blocking non browser-related processes from opening these files, e.g. PowerShell (https://www.kitploit.com/search/label/PowerShell) opening the Cookies file.

References

* https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi
* https://github.com/djhohnstein/SharpChromium
* https://github.com/GhostPack/SharpDPAPI
* https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
209 views, EH Community Feed, 13:50
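The Detection advice in the message above, as an added example that is not part of the original post or the Chlonium project: triage of the Security-log file-access events (Event ID 4663) that a SACL on these files produces, flagging any process that is not a known browser image. The events are constructed and reduced to the fields used here, and the browser install paths are assumptions.

```javascript
// Added illustration, not code from the post. Constructed, simplified 4663 records.
const SENSITIVE = new Set(["local state", "cookies", "login data", "history"]);
// Assumed default install locations; adjust to the fleet's real image paths.
const BROWSER_IMAGES = new Set([
  "c:\\program files\\google\\chrome\\application\\chrome.exe",
  "c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe",
]);

// True for Local State / Cookies / Login Data / History under a "User Data" tree.
function isSensitiveObject(objectName) {
  const p = objectName.toLowerCase();
  const base = p.slice(p.lastIndexOf("\\") + 1);
  return p.includes("\\user data\\") && SENSITIVE.has(base);
}

// Compare the full image path, case-insensitively: a file name alone does not
// say where the binary was started from.
function isBrowserImage(processName) {
  return BROWSER_IMAGES.has(processName.toLowerCase());
}

// Returns one finding per 4663 event where a non-browser image touched a watched file.
function findSuspiciousAccess(events) {
  return events
    .filter((e) => e.EventID === 4663 && isSensitiveObject(e.ObjectName))
    .filter((e) => !isBrowserImage(e.ProcessName))
    .map((e) => ({ user: e.SubjectUserName, process: e.ProcessName, file: e.ObjectName }));
}

const UD = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data";
const sampleEvents = [ // constructed sample data
  { EventID: 4663, SubjectUserName: "alice", ObjectName: UD + "\\Default\\Network\\Cookies",
    ProcessName: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" },
  { EventID: 4663, SubjectUserName: "alice", ObjectName: UD + "\\Default\\Network\\Cookies",
    ProcessName: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" },
  { EventID: 4663, SubjectUserName: "alice", ObjectName: UD + "\\Local State",
    ProcessName: "C:\\Users\\alice\\AppData\\Local\\Temp\\chrome.exe" },
  { EventID: 4663, SubjectUserName: "alice", ObjectName: UD + "\\Default\\Preferences",
    ProcessName: "C:\\Windows\\System32\\notepad.exe" },
];

for (const f of findSuspiciousAccess(sampleEvents)) {
  console.log(`${f.user}: ${f.process} opened ${f.file}`);
}
```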
2022-05-16 16:50:41 Chlonium is an application designed for cloning Chromium Cookies.

From Chromium 80 and upwards, cookies are encrypted using AES-256 GCM, with a state key which is stored in the Local State file. This state key is encrypted using DPAPI. This is a change from older versions, which used DPAPI to encrypt each cookie item in the cookie database. What this means is that if you have the state key, you will always be able to decrypt the cookie database offline, without needing continual access to DPAPI keys.

This essentially makes cookie databases "portable", meaning they can be moved from machine to machine, provided you have dumped the state key. The cookies themselves need to be re-encrypted when they are imported, because the state keys will differ on each user profile & machine. This can be done using the same process as decryption, by first decrypting the state key from the "target" browser, and then re-encrypting each item with the new key.

The project is written in C# and has two separate components to it. The first component, chlonium.exe, is the collector binary. It simply decrypts the state key and prints it. Keep a note of this key and you can decrypt cookies in the future by downloading the Cookies database file whenever you need updated cookies. By default it will attempt to decrypt the Chrome state key. If you want to dump the state key for another browser (e.g. Edge), you can specify a path to the key. For example:

>> Chlonium.exe "c:\users\user\AppData\Local\Microsoft\Edge\User Data\Local State"
[+] Statekey = 3Cms3YxFXVyJRUbulYCnxqY2dO/jubDkYBQBoYIvqfc=

The second component, ChloniumUI.exe, is the "importer" tool. This takes care of decrypting a given Cookies database file with a given state key, re-encrypting the values with the current user's state key, and importing the cookies into your chosen browser. You run this on the machine you want to import the cookies into. To use it, run the ChloniumUI.exe executable. Enter the previously extracted state key, choose the Cookies file you wish to import, and select the browser you wish to import the cookies into. Now click "Import Cookies" and the cookies will be imported.

ChloniumUI currently supports three Chromium based browsers: Edge, Chrome and Vivaldi. Additional browsers can be added in Browsers.cs. This adds the unintended benefit of being able to import an Edge cookie file into Chrome, or vice versa (for example), though it's probably not a good idea given that the user-agent will mismatch.

Important Note: When importing the cookie file into your browser, all old cookies are cleared! A backup is copied to the current directory (https://www.kitploit.com/search/label/Directory) (with relevant time stamp). If you need to restore the previous cookies, simply copy the backup file over the Cookies file.

Why

Tools such as Mimikatz (https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi) and SharpChromium (https://github.com/djhohnstein/SharpChromium) already have the capability to dump Chrome 80 cookies, why another tool?

This tool is specifically aimed at making it easier to import cookies into another browser. Whilst these tools do a great job of dumping Chromium cookies (and more!), I wanted to have something that let me easily import into another browser. Third-party cookie manager (https://www.kitploit.com/search/label/Cookie%20Manager) plugins exist, but I've always found these fiddly and prone to failure. ChloniumUI is designed to make this process easier by importing the cookies directly into your browser's sqlite database.

Whilst this project comes with the chlonium.exe collector, which aids in dumping the state key, this is really only an example. Other tools such as Mimikatz will also dump the state key for you, in a potentially stealthier way (depending on your operating environment, execution method
178 views, EH Community Feed, 13:50
2022-05-16 16:50:41 Chlonium - Chromium Cookie Import / Export Tool
http://www.kitploit.com/2022/05/chlonium-chromium-cookie-import-export.html
176 views, EH Community Feed, 13:50
2022-05-15 23:16:52 KitPloit - PenTest Tools!
Email-Prediction-Asterisks - Script That Allows You To Identify The Emails Hidden Behind Asterisks

Email prediction asterisks is a script that allows you to identify the emails hidden behind asterisks. It is a perfect application for OSINT analysts and security forces. It allows you to intelligently predict, using Intelx leaks, which emails are related to the person we are looking for. It also allows you to automatically obtain information from emails for manual analysis through a CSV dataset that is generated with the results.
Example of email with asterisks on Twitter

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBmB5GMJbTCNbXT-Z-8jVvPbukaFRZMJqyWX_Tki-ZJgoj8UeItC5iYjQKnQCyyZ204ycjDZtkgsJre2ekNx41TD6nTY2DbSPo3gFdNXhxd7ewvYExBXySuWtIEMtvbd95m1MqtH3fPUFSdE37-eKu-QHB_2pvKfXWKDETIcyoySdfEfhhunHw5CYJ/w640-h300/email-prediction-asterisks_1_email-asterisks.png
DEMO

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJPgxqI6BOolQ-x-0ptlYbA7CwM2H-Bh0Lha5icXO80DG-xqHHJbI5tJO-12JWSrUPQ3wnK7Ui90Gwd-OPFk0pn41nWed5AzxERxICl-mOF9yAjP0BHQwEOfpncMb0hzpO6Ea6kY3JLFBfYpjnUk2pzQFTeFzvrGJTNvCXk9g46A1LjmCHtw9WJ3Yc/w640-h342/email-prediction-asterisks_2_demo.gif
Installation

It's necessary to install the intelx library for python

git clone https://github.com/Quantika14/email-prediction-asterisks
pip3 install -r requiriments.txt

git clone https://github.com/IntelligenceX/SDK
pip3 install SDK/Python

You must put your api key here

# Directory: m/key.py
intelx = "HERE"
emailrep = "HERE"

Author

* Twitter: @JorgeWebsec
* web: www.quantika14.com
Download Email-Prediction-Asterisks
369 views, LESHII413, 20:16
2022-05-15 00:54:27 Features

* Attack Monitoring
  * Outbound Network Calls
* Attack Blocking
  * Outbound Network Calls

Roadmap

* Attack Monitoring
  * Command Execution
  * File Calls
* Attack Blocking
  * Command Execution
  * File Calls
* Vulnerability Scanner

Authors

* Lavakumar Kuppan: Github - @lavakumar (https://github.com/Lavakumar), Twitter - @lavakumark (https://twitter.com/lavakumark)
* Sukesh Pappu: Github - @thelogicalbeard (https://www.github.com/thelogicalbeard), Twitter - @thelogicalbeard (https://www.twitter.com/thelogicalbeard)

License

Apache License 2.0 (https://github.com/DomdogSec/NodeSecurityShield/blob/main/LICENSE)

Download NodeSecurityShield (https://github.com/DomdogSec/NodeSecurityShield)
411 views, EH Community Feed, 21:54
2022-05-15 00:54:27 A Developer and Security Engineer friendly package for Securing NodeJS (https://www.kitploit.com/search/label/NodeJS) Applications.

Inspired by the log4J vulnerability (https://www.kitploit.com/search/label/Vulnerability) (CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228)) which can be exploited because an application can make arbitrary network calls. We felt there is a need for an application to declare what privileges it can have so that exploitation (https://www.kitploit.com/search/label/Exploitation) of such vulnerabilities (https://www.kitploit.com/search/label/vulnerabilities) becomes harder. To achieve this, NSS (Node Security Shield) has Resource Access (https://www.kitploit.com/search/label/Access) Policy.

Resource Access Policy (RAP)

Resource Access Policy is similar to CSP (Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)). It lets the developer/security engineer declare what resources an application should access. And Node Security Shield will enforce it.

Installation

Install Node Security Shield using npm

npm install nodesecurityshield

Usage

// Require Node Security Shield
let nodeSecurityShield = require('nodesecurityshield');

// Enable Attack Monitoring and/or Blocking
nodeSecurityShield.enableAttackMonitoring(resourceAccessPolicy, callbackFunction);

Sample resourceAccessPolicy

const resourceAccessPolicy = {
    "outBoundRequest" : {
        "blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],
        "allowedDomains" : ["*.domdog.io"]
    }
};

Note: blockedDomains holds precedence over allowedDomains, i.e., requests are checked against blockedDomains first, then allowedDomains.

Sample callbackFunction for Attack Monitoring

var callbackFunction = function (violationEvent) {
    console.log(violationEvent);
}

Sample callbackFunction for Attack Blocking

var callbackFunction = function (violationEvent) {
    throw new Error("Request Blocked. It violates declared Resource Access Policy.")
}

Sample violationEvent

{
    "violationtType": "Outbound Request",
    "message": "Outbound request to 'www.malicious.com' violates declared 'Resource Access Policy (RAP)'.",
    "policy": {
        "outBoundRequest" : {
            "blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],
            "allowedDomains" : ["*.domdog.io"]
        }
    }
}

Integrating with Sentry

Sample callbackFunction to integrate with Sentry (https://sentry.io/)

var callbackFunction = function (violationEvent) {
    // Wrap the violation in an Error so Sentry records it as an exception
    var e = new Error();
    e.name = 'Resource Access Policy Violation';
    e.message = JSON.stringify(violationEvent);
    Sentry.captureException(e);
}

Screenshot from Sentry dashboard
375 views, EH Community Feed, 21:54
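How the precedence rule in the message above (blockedDomains first, then allowedDomains) plays out for wildcard entries, as an added example that is not NodeSecurityShield's own code. The wildcard semantics and the treatment of hosts that match neither list are assumptions, stated in the comments.

```javascript
// Added illustration: NOT NodeSecurityShield's implementation.
// Assumptions: "*.x.com" matches any subdomain of x.com but not x.com itself;
// when allowedDomains is non-empty, a host it does not list is a violation.
const policy = {
  outBoundRequest: {
    blockedDomains: ["*.123.com", "stats.abc.com", "xyz.com"],
    allowedDomains: ["*.domdog.io"],
  },
};

// Lower-case the hostname and strip one trailing dot (FQDN form).
function normalizeHost(host) {
  return String(host).trim().toLowerCase().replace(/\.$/, "");
}

// Label-aware match, so "evildomdog.io" never matches "*.domdog.io".
function matchesPattern(host, pattern) {
  const h = normalizeHost(host);
  const p = normalizeHost(pattern);
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // e.g. ".domdog.io"
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === p;
}

// Returns { verdict, rule }; blockedDomains is consulted before allowedDomains.
function evaluateOutbound(rap, host) {
  const { blockedDomains = [], allowedDomains = [] } = rap.outBoundRequest || {};
  const blocked = blockedDomains.find((p) => matchesPattern(host, p));
  if (blocked) return { verdict: "violation", rule: `blocked:${blocked}` };
  if (allowedDomains.length === 0) return { verdict: "ok", rule: "no-allowlist" };
  const allowed = allowedDomains.find((p) => matchesPattern(host, p));
  if (allowed) return { verdict: "ok", rule: `allowed:${allowed}` };
  return { verdict: "violation", rule: "not-in-allowlist" };
}

// Constructed sample hosts, including suffix look-alikes of the allowed domain.
const samples = ["api.domdog.io", "domdog.io", "evildomdog.io",
  "api.domdog.io.attacker.example", "STATS.ABC.COM.", "a.123.com", "www.malicious.com"];
for (const host of samples) {
  const r = evaluateOutbound(policy, host);
  console.log(host.padEnd(32), r.verdict, r.rule);
}
```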
2022-05-15 00:54:27 NodeSecurityShield - A Developer And Security Engineer Friendly Package For Securing NodeJS Applications
http://www.kitploit.com/2022/05/nodesecurityshield-developer-and.html
294 views, EH Community Feed, 21:54