About Avet - AntiVirus Evasion Tool
AVET is an AntiVirus Evasion Tool, which was developed for making life easier for pentesters and for experimenting with antivirus evasion techniques. In version 1.3 new stuff was introduced, for a complete overview have a look at the CHANGELOG file.
For basics about antivirus evasion, AVET & more information have a look here:
* PAPER AVET BLACKHAT USA ARSENAL 2018
* AVET VIDEO
* AV Evasion
* Why_Antivirus_Fails_-_Daniel_Sauder.pdf
* Daniel Sauder | Twitter
What and why:
* When running an exe file made with msfpayload, the exe file will often be recognized by the antivirus software.
* Avet is an antivirus evasion tool targeting Windows machines with executable files.
* Assembly shellcodes can be used.
* make_avet can be used for configuring the sourcecode.
* With make_avet you can load ASCII encoded shellcodes from a text file or from a webserver; it also uses an AV evasion technique to avoid sandboxing and emulation.
* Call MSF ASCII encoded shellcode as a parameter from CMD.
* For ASCII encoding the shellcode, the tools format.sh and sh_format are included.
Install and run Avet:
Important Note about Avet: Not all techniques will evade every AV engine. If one technique or build script does not work please test another one.
How to use Avet?
The purpose of make_avet is to preconfigure a definition file (defs.h) so that the source code can be compiled in the next step. This way the payload will be encoded as an ASCII payload or with encoders from Metasploit. You can hardly beat shikata-ga-nai.
Let's have a look at the options from make_avet, examples will be given below:
Of course it is possible to run all commands step by step from the command line. In the "build" folder you will find preconfigured build scripts for relevant use cases. The build scripts themselves are written so that they have to be called from within the avet directory:
sudo ./build/build_win32_meterpreter_rev_https_20xshikata.sh
However, it is strongly recommended to use avet_fabric.py! It makes the tool easier to use.
The fabric provides a more convenient interface on the command line, where you can choose which build script you want to use. It also gives you the opportunity to alter build scripts on the fly (see below).
The latter is especially useful as you can define new LHOST and LPORT variables for msfvenom each time you run a build script via the fabric. You can define default LHOST and LPORT values in the /build/global_connect_config.sh file, which are used if you don't redefine them.
Here's a quick example: sudo python3 avet_fabric.py
Build scripts: Some comments on what each script provides
AVET & metasploit psexec
New in version 1.2 is the support for Metasploit's psexec module. The corresponding make file looks like:
And on the metasploit site:
Comparison of Antivirus Evasion tools: AntiVirus Software Evasion: An Evaluation Of The AV Evasion Tools
Monday, 28 January 2019
The Rogue Toolkit - Perform Targeted Evil Twin Attacks with Evil Access Points
Image: re-edited from PixelPrivacy
Getting Started with The Rogue Toolkit
* Introduction
* Usage
* Features list of current features and the toolkit's roadmap
* Installation toolkit's installation guide
* Selecting a 802.11 protocol and authentication mode toolkit's usage guide
* Performing Attacks a collection of Rogue attacks examples
Introduction about The Rogue Toolkit
The Rogue Toolkit is an extensible toolkit aimed at providing penetration testers an easy-to-use platform to deploy software-defined Access Points (AP) for the purpose of conducting penetration testing and red team engagements. By using Rogue, penetration testers can easily perform targeted evil twin attacks against a variety of wireless network types.
Rogue was originally forked from s0lst1c3's eaphammer project. The fundamental idea of the Rogue toolkit was to leverage the core concept of the eaphammer project in an alternative manner to allow for flexibility, integration and adaption to future changes to the 802.11 standards and supporting tools. Rogue is suited for the following cases:
* Compromising corporate accounts to be later used in impersonation attacks to gain access to corporate wireless networks.
* To subvert network protections, such as captive portals or client-to-client isolation, in order to target and compromise connected wireless devices and use compromised devices and credentials to pivot deeper into internal networks.
Install and run The Rogue Toolkit
git clone https://github.com/InfamousSYN/rogue
cd rogue
sudo python install.py
sudo python rogue.py
Usage of The Rogue Toolkit
Sunday, 27 January 2019
Parrot Security OS 4.5 Stable Release!
Dropped 32bit architecture images for Parrot Security OS
We are in 2019 now, and computers that are not capable of running a 64bit operating system and complex applications are mostly old, legacy computers. To add to that, many programs and frameworks are no longer available for 32bit x86 systems.
Parrot Team has released 32bit (i386 architecture) images since the beginning of the project, and we worked hard to provide fresh binary updates for the i386 architecture for a long time. However, 32bit-only computers are no longer capable of running a full pentest campaign or providing hardware-accelerated support to our security protection systems.
Parrot Security OS 4.5 no longer provides any live ISO files for the i386 architecture, even if it is still supported by our repository and our netinstall images. We are slowly planning to drop support for it in the future.
NOTE: 32bit deprecation does not affect our ARM support, and armhf architecture is still fully supported.
Virtual Appliances of Parrot Security OS
Parrot Team released official Docker templates for Parrot many months ago, and they proved to be a turnkey solution for bringing a full Parrot pentest stack on top of any operating system supported by Docker.
The next step that comes with Parrot Security OS 4.5 is the release of desktop virtual appliances in the OVA format that can be imported in VirtualBox, VMWare and other famous virtualization environments.
These virtual environments are still experimental, and even if they are the perfect solution to give Parrot Security OS 4.5 a try and experiment with it, we still recommend a full custom installation from the ISO files for the best chances of being supported and easier configuration and troubleshooting.
Linux kernel 4.19 on Parrot Security OS
Linux kernel 4.19 is the default kernel in Parrot Security OS 4.5, and this new kernel version was already packaged by following our new kernel distribution policy implemented for Parrot Security OS 5.0 LTS.
Parrot Team has a plan to support 2 Linux kernel branches, a stable kernel and a testing kernel, and provide updates for both. Linux kernel 4.19 is part of our testing branch, while the first release of the stable branch will be released with Parrot Security OS 5.0 itself.
Read the full PSC here: psc 2 - linux kernel versioning convention
Metasploit Framework 5.0
Metasploit 5.0 was released with many new important features that we immediately imported and tested for our users.
Parrot Team absolutely loved the new evasion modules, the opportunity to write shellcode in C, the new search engine, the integrated web services or the json-rpc daemon, and we wanted to offer quick access to this awesome framework through this new Parrot Security OS release.
Better Dev Tools on Parrot Security OS 4.5
We improved our metapackages for developers, and setting up an advanced development environment for several programming languages and frameworks is now easier than ever:
parrot-devel: It is pre-installed in Parrot 4.5 and provides the following tools:
* vscodium - an advanced and extensible text editor.
* zeal - an offline documentation downloader and browser.
* git-cola - a graphic client to GIT.
* meld - a graphic patch inspector.
* tora - a graphic database frontend compatible with several database backends.
These packages are included in the metapackage by using the “Recommends” apt directive, and they can be removed individually without triggering the removal of the whole parrot-devel metapackage. The metapackage also recommends the installation of parrot-devel-tools. Use the following commands to install parrot-devel:
sudo apt update
sudo apt install parrot-devel
parrot-devel-tools: It is recommended by parrot-devel and pre-installed in Parrot Security. It provides some useful compilers and interpreters for the most used languages and provides the following packages:
* GCC/G++ - a compiler collection for C, C++ and other languages.
* python3 - the CPython interpreter for Python 3.6 and 3.7.
* ruby - the official ruby lang interpreter and basic toolkit (includes irb and ri as well).
The package also recommends the following packages, that can be safely removed without triggering the removal of the entire parrot-devel-tools metapackage:
* default-jdk - the latest Java OpenJDK distribution for Java 11 (both JDK and JRE).
* cython3 - a compiler for the cython language, a strongly-typed dialect of python for efficient code.
* rust/cargo - the rust compiler and devel tools and its package management system.
* valac - the vala c compiler.
* mono-devel - the development tools for the MONO framework, an open source implementation of .NET.
* mono-runtime - the runtime of the MONO framework compatible and interoperable with the latest .net runtime.
* php-cli - the PHP 7.3 language plus its command line interface and some useful core libraries.
* perl6 - the PERL 6 interpreter and core libraries.
Use the following commands to install parrot-devel-tools:
sudo apt update
sudo apt install parrot-devel-tools
parrot-devel-extra: The parrot-devel-extra metapackage is a quick way to install many additional development utilities like advanced IDEs, additional languages, debuggers and extra tools:
* golang - go language compiler and runtime
* nodejs - node.js framework
* npm - node.js package manager
* atom - advanced and extensible editor by github
* qtcreator - powerful C, C++ and Qt/QML IDE and debugger.
* kdevelop - advanced general purpose IDE by KDE.
* edb-debugger - graphical debugger.
* jad - Java decompiler.
* nasm - powerful general purpose x86 assembler.
* radare2 - advanced command line hexadecimal editor.
* cmake - cross-platform, open-source make system.
* valgrind - instrumentation framework for building dynamic analysis tools.
* devscripts/build-essential - useful development utilities for debian developers/maintainers.
Use the following commands to install parrot-devel-extra:
sudo apt update
sudo apt install parrot-devel-extra
Other updates: Many more updates were imported since we are currently based on Debian testing, and we included all the latest updates, security patches and new features as usual.
From ParrotSec
Saturday, 26 January 2019
Metasploit Object Model, Mixins and Plugins | Metasploit Tutorials
About Metasploit Object Model: Understanding the Metasploit Object Model
In the Metasploit Framework, all modules are Ruby classes:
* Modules inherit from the type-specific class
* The type-specific class inherits from the Msf::Module class
* There is a shared common API between modules
Payloads are slightly different:
* Payloads are created at runtime from various components
* Glue together stagers with stages
Metasploit Mixins and Plugins
A Quick Diversion into Ruby:
* Every Class only has one parent
* A class may include many Modules
* Modules can add new methods
* Modules can overload old methods
* Metasploit modules inherit Msf::Module and include mixins to add features.
Metasploit Mixins
Mixins are, quite simply, the reason why Ruby rocks:
* Mixins include one class into another
* This is both different and similar to inheritance
* Mixins can override a class’ methods
Mixins can add new features and allow modules to have different ‘flavors’:
* Protocol-specific (HTTP, SMB)
* Behaviour-specific (brute force)
* connect() is implemented by the TCP mixin
* connect() is then overloaded by FTP, SMB, and others
Mixins can change behavior:
* The Scanner mixin overloads run()
* Scanner changes run() for run_host() and run_range()
* It calls these in parallel based on the THREADS setting
* The BruteForce mixin is similar
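The layering described in the Ruby diversion and the mixin bullets above (one parent class, many included modules, connect() supplied by TCP and overloaded by FTP, run() replaced by Scanner and fanned out over THREADS), as an added illustration that is not Metasploit's own code: the class and module names mirror the page's vocabulary but are simplified stand-ins, and the hosts, port and THREADS values are constructed.

```ruby
# Stand-in for Msf::Module: the single parent class every module inherits from.
class MsfModule
  attr_reader :datastore

  def initialize(datastore = {})
    # THREADS defaults to 1, like an option with a default value.
    @datastore = { 'THREADS' => 1 }.merge(datastore)
  end

  # Default entry point; a mixin further up the ancestor chain may replace it.
  def run
    'MsfModule#run (nothing overrode run)'
  end
end

# Protocol mixin: provides connect(), like the page's TCP mixin.
module Tcp
  def connect(host)
    "tcp://#{host}:#{datastore['RPORT']}"
  end
end

# FTP overloads connect(): super reaches the TCP version, then FTP adds its own step.
module Ftp
  include Tcp

  def connect(host)
    "ftp over #{super}"
  end
end

# Behaviour mixin: Scanner replaces run() with per-host run_host() calls,
# executed in batches of THREADS parallel threads.
module Scanner
  def run
    hosts = Array(datastore['RHOSTS'])
    threads = [datastore['THREADS'].to_i, 1].max
    results = {}
    mutex = Mutex.new
    hosts.each_slice(threads) do |batch|
      batch.map do |host|
        Thread.new { r = run_host(host); mutex.synchronize { results[host] = r } }
      end.each(&:join)
    end
    results
  end
end

# A module: inherits the common class and includes mixins; only run_host is its own.
# Ancestor order is [FtpVersionScanner, Scanner, Ftp, Tcp, MsfModule, ...],
# so Scanner#run wins over MsfModule#run and Ftp#connect wins over Tcp#connect.
class FtpVersionScanner < MsfModule
  include Ftp
  include Scanner

  def run_host(host)
    "checked #{connect(host)}"
  end
end

# A module that includes no behaviour mixin keeps the parent's run().
class PlainModule < MsfModule
  include Tcp
end

# Constructed hosts and port for the demonstration.
def scan_demo(threads = 2)
  FtpVersionScanner.new('RHOSTS' => %w[10.0.0.1 10.0.0.2 10.0.0.3],
                        'RPORT' => 21, 'THREADS' => threads).run
end
```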
Metasploit Plugins
Plugins work directly with the API:
* They manipulate the framework as a whole
* Plugins hook into the event subsystem
* They automate specific tasks that would be tedious to do manually
Plugins only work in the msfconsole:
* Plugins can add new console commands
* They extend the overall Framework functionality
Example
Figure: Metasploit Framework architecture
From Offensive Security
SSLScan - Fast SSL/TLS Open source Scanner
About SSLScan
SSLScan queries SSL/TLS services, such as HTTPS, in order to determine the ciphers that are supported. SSLScan is designed to be easy, lean and fast. The output includes the preferred ciphers of the SSL service and the certificate, and is available in text and XML formats.
Features:
* Highlight SSLv2 and SSLv3 ciphers in output.
* Highlight CBC ciphers on SSLv3 (POODLE).
* Highlight 3DES and RC4 ciphers in output.
* Highlight PFS+GCM ciphers as good in output.
* Highlight NULL (0 bit), weak (<40 bit) and medium (40 < n <= 56) ciphers in output.
* Highlight anonymous (ADH and AECDH) ciphers in output (purple).
* Hide certificate information by default (display with --get-certificate).
* Hide rejected ciphers by default (display with --failed).
* Added TLSv1.1 and TLSv1.2 support (merged from twwbond/sslscan).
* Compiles if OpenSSL does not support SSLv2 ciphers (merged from digineo/sslscan).
* Supports IPv6 hostnames (can be forced with --ipv6).
* Check for TLS compression (CRIME, disable with --no-compression).
* Disable cipher suite checking --no-ciphersuites.
* Disable coloured output --no-colour.
* Removed undocumented -p output option.
* Added check for OpenSSL HeartBleed (CVE-2014-0160, disable with --no-heartbleed).
* Flag certificates signed with MD5 or SHA-1, or with short (<2048 bit) RSA keys.
* Support scanning RDP servers with --rdp (credit skettler).
* Added option to specify socket timeout.
* Added option for static compilation (credit dmke).
* Added --sleep option to pause between requests.
* Disable output for anything than specified checks --no-preferred.
* Determine the list of CAs acceptable for client certificates --show-client-cas.
* Experimental build support on OSX (credit MikeSchroll).
* Flag some self-signed SSL certificates.
* Experimental Windows support (credit jtesta).
* Display EC curve names and DHE key lengths with OpenSSL >= 1.0.2 --no-cipher-details.
* Flag weak DHE keys with OpenSSL >= 1.0.2 --cipher-details.
* Flag expired certificates.
* Flag TLSv1.0 ciphers in output as weak.
* Experimental OSX support (static building only).
* Support for scanning PostgreSQL servers (credit nuxi).
* Check for TLS Fallback SCSV support.
* Added StartTLS support for LDAP --starttls-ldap.
* Added SNI support --sni-name (credit Ken).
* Support STARTTLS for MySQL (credit bk2017).
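As an added example (not sslscan's own code), the highlighting rules from the feature list above applied in Python to constructed cipher lines written in the shape of sslscan's text output; the sample lines, the flag names and the CBC-detection heuristic are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of sslscan's per-cipher text lines (not real scan output).
SAMPLE_OUTPUT = """\
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA
Accepted  SSLv3    128 bits  RC4-SHA
Accepted  SSLv3    128 bits  AES128-SHA
Accepted  SSLv2    40 bits   EXP-RC2-CBC-MD5
Accepted  TLSv1.2  256 bits  ADH-AES256-SHA
Accepted  TLSv1.2  0 bits    NULL-SHA256
"""

LINE_RE = re.compile(r"^(Accepted|Preferred)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")
# Tokens that mark an AEAD or stream cipher; anything else is assumed to be CBC (heuristic).
AEAD_OR_STREAM = ("GCM", "CCM", "CHACHA", "RC4")


def flags_for(protocol: str, bits: int, cipher: str) -> List[str]:
    """Apply the sslscan highlighting rules to one accepted cipher."""
    flags = []
    if protocol in ("SSLv2", "SSLv3"):
        flags.append("legacy-protocol")
    if protocol == "SSLv3" and not any(t in cipher for t in AEAD_OR_STREAM):
        flags.append("poodle-cbc")          # CBC cipher on SSLv3 (POODLE)
    if protocol == "TLSv1.0":
        flags.append("tls1.0-weak")         # TLSv1.0 ciphers flagged as weak
    if "DES-CBC3" in cipher or "3DES" in cipher:
        flags.append("3des")
    if "RC4" in cipher:
        flags.append("rc4")
    if cipher.startswith(("ADH-", "AECDH-")):
        flags.append("anonymous")           # no server authentication at all
    if bits == 0 or "NULL" in cipher:
        flags.append("null")                # 0-bit / NULL cipher
    elif bits <= 40:
        # The list says <40 bit is weak; this example groups 40-bit EXPORT ciphers with them.
        flags.append("weak-keylen")
    elif bits <= 56:
        flags.append("medium-keylen")       # 40 < n <= 56
    if cipher.startswith(("ECDHE-", "DHE-")) and "GCM" in cipher and not flags:
        flags.append("good-pfs-gcm")        # PFS + GCM highlighted as good
    return flags


def assess(output: str) -> Dict[str, List[str]]:
    """Map 'PROTOCOL CIPHER' -> flags for every accepted/preferred cipher line."""
    results: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _status, proto, bits, cipher = m.groups()
        results[f"{proto} {cipher}"] = flags_for(proto, int(bits), cipher)
    return results


def problem_ciphers(output: str) -> List[str]:
    """Ciphers carrying at least one flag other than the 'good' highlight."""
    return [k for k, f in assess(output).items() if f and f != ["good-pfs-gcm"]]


if __name__ == "__main__":
    for key, flags in assess(SAMPLE_OUTPUT).items():
        print(f"{key:45} {', '.join(flags) or '-'}")
```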
Building on Windows
Thanks to a patch by jtesta, SSLScan can now be compiled on Windows. This can either be done natively or by cross-compiling from Linux. See INSTALL for instructions.
Note that SSLScan was originally written for Linux, and has not been extensively tested on Windows. As such, the Windows version should be considered experimental.
Pre-build cross-compiled Windows binaries are available on the GitHub Releases Page.
OpenSSL issues: OpenSSL 1.1.0 Support
OpenSSL 1.1.0 introduced a number of significant changes, including the removal of old and insecure features such as SSLv2. While this is a very good thing for the SSL ecosystem as a whole, it is a problem for SSLScan, which relies on these legacy features being available in order to detect them on the scanned system.
In order to work around this, SSLScan builds against Peter Mosmans' fork of OpenSSL, which backports the Chacha20 and Poly1305 ciphers to OpenSSL 1.0.2, while keeping the dangerous legacy features (such as SSLv2 and EXPORT ciphers) enabled.
TLSv1.3 and the future of SSLScan
Since OpenSSL made the (very sensible) choice to remove support for legacy and insecure protocols and ciphers, SSLScan has relied on a fork of OpenSSL by Peter Mosmans which provided support for both these legacy ciphers and newly added ciphers (such as ChaCha). However, this fork of OpenSSL does not support TLSv1.3. To my knowledge there is no version of OpenSSL which supports both the legacy crypto (SSLv2, EXPORT ciphers, etc) and TLSv1.3, which means that it is not possible to build SSLScan with support for both.
The primary goal of SSLScan is to identify misconfigurations and security weaknesses in the SSL configuration of a target system, so support for the legacy ciphers and protocols is much more important than for the newer (secure) protocols like TLSv1.3 - however over time this will change as new vulnerabilities are found.
Supporting both SSLv2 and TLSv1.3 in SSLScan would either require a fork of OpenSSL with all the new code backported (which would be increasingly difficult to maintain over time), or a complete rewrite of SSLScan to not rely on the OpenSSL library. This is not a project that I have the time available for at present, and if I did, it would probably be a better investment of time to work on one of the other SSL scanning tools, rather than starting from scratch.
As such, SSLScan should be considered legacy. I will still maintain it as far as I have time, but it is unlikely to ever support TLSv1.3, unless an OpenSSL fork is created by someone else that supports this while maintaining the insecure crypto that SSLScan requires to be useful.
Statically linking a custom OpenSSL build
It is possible to ignore the OpenSSL system installation and ship your own version. Although this results in a more resource-heavy SSLScan binary (file size, memory consumption, etc.), it allows you to enable both SSLv2 and SSLv3 ciphers. In comparison to the method of repackaging the Debian build, this custom OpenSSL build won't affect other tools on the same system, as they would still use the version packaged by the distro's maintainers.
To compile your own OpenSSL version, you'll probably need to install the OpenSSL build dependencies:
sudo apt-get install build-essential git zlib1g-dev
sudo apt-get build-dep openssl
then run: make static
which will clone the OpenSSL repository, and configure/compile/test OpenSSL prior to compiling SSLScan.
Please note: out of the box, OpenSSL cannot be compiled with clang without further customization (which is not done by the provided Makefile). For more information on this, see Modifying Build Settings in the OpenSSL wiki.
You can verify that you have a statically linked OpenSSL version by checking whether the output of ./sslscan --version looks like:
1.x.y-...-static
OpenSSL 1.0.2-chacha xx XXX xxxx
(pay attention to the -static suffix and the 1.0.2-chacha OpenSSL version).
Building on Kali Linux
Kali now ships with a statically built version of sslscan which supports SSLv2.
The package can be found in the Kali Git Repository.
If for whatever reason you can't install this package, follow the instructions above for statically building against OpenSSL.
Building on Debian
It is recommended that you statically build sslscan using the instructions listed above. If this is not an option and you want to compile your system OpenSSL with support for legacy protocols such as SSLv2 and SSLv3 then follow the instructions below.
Note that many modern distros (including Debian) ship with a version of OpenSSL that disables support for SSLv2 ciphers. If sslscan is compiled on one of these distros, it will not be able to detect SSLv2.
This issue can be resolved by rebuilding OpenSSL from source after removing the patch that disables SSLv2 support.
The build_openssl_debian.sh script automates this process for Debian systems. It has been tested on Debian Squeeze/Wheezy; it may work on other Debian based distros, but has not been tested. The built version of OpenSSL will be installed using dpkg.
If it is not possible to rebuild OpenSSL, sslscan will still compile (thanks to a patch from digineo/sslscan, based on the debian patch). However, a warning will be displayed in the output to notify the user that SSLv2 ciphers will not be detected.