Sunday, August 30, 2020

SharpHose - Asynchronous Password Spraying Tool In C# For Windows Environments


SharpHose is a C# password spraying tool designed to be fast, safe, and usable over Cobalt Strike's execute-assembly. It provides a flexible way to interact with Active Directory using domain-joined and non-joined contexts, while also being able to target specific domains and domain controllers. SharpHose takes into consideration the domain password policy, including fine grained password policies, in an attempt to avoid account lockouts. Fine grained password policies are enumerated for the users and groups that that the policy applies to. If the policy applied also to groups, the group users are captured. All enabled domain users are then classified according to their password policies, in order of precedence, and marked as safe or unsafe. The remaining users are filtered against an optional user-supplied exclude list.
Besides just spraying, red team operators can view all of the password policies for a domain, all the users affected by the policy, or just view the enabled domain users. Output can be sent directly to the console or to a user-supplied output folder.
Follow me on Twitter for some more tool releases soon! @ustayready

Nozzles
Nozzles are built-in methods of spraying. While currently only supporting one Nozzle (LDAP), it's written in a way that makes it easily extendable.

LDAP
Active Directory spraying nozzle using the LDAP protocol
  • Asynchronous spraying for faster, but not too fast, results
  • Domain joined and non-joined spraying
  • Tight integration w/ domain password policies and fine grained password policies
  • Smart lockout prevention (lockoutThreshold n-1 just to be safe)
  • Optionally spray to specific domains and domain controllers
  • View password policies and the affected users

Coming soon!
  • MSOL
  • OWA/EWS
  • Lync

Compilation
  • Built using Visual Studio 2019 Community Edition
  • .NET Framework 4.5

Usage Examples
Cobalt Strike Users
Be sure to use the --auto to avoid the interactive prompts in SharpHose. Also, prepare your arguments locally so you can read the description before running. If you don't pass any arguments over execute-assembly, then SharpHose throws a "Missing Argument Exception" and Cobalt Strike won't return any output. You will know this is happening when you see [-] Invoke_3 on EntryPoint failed. This will be fixed eventually.
Domain Joined Spray w/o Interaction SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --auto
Domain Joined Spray w/ Exclusions SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --exclude c:\temp\exclusion_list.txt
Non-Domain Joined Spray SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --domain lab.local --username demo --password DemoThePlanet --output c:\temp\
Domain Joined Show Policies Active Directory stores durations in negative large integer values which need to lapse after the last lockoutThreshold is exceeded. In future versions these will be formatted cleaner. SharpHose.exe --action GET_POLICIES --output c:\temp\
Domain Joined Show Policy Users SharpHose.exe --action GET_POLICY_USERS --policy lab --output c:\temp\
Domain Joined Show All Users SharpHose.exe --action GET_ENABLED_USERS --output c:\temp\
Domain Joined Spray Using Cobalt Strike execute-assembly /path/to/SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --auto

Shout-Outs




via KitPloit

More information


  1. Github Hacking Tools
  2. What Is Hacking Tools
  3. Pentest Tools Alternative
  4. Hacking Tools Free Download
  5. Hacker Tools Free
  6. New Hack Tools
  7. Kik Hack Tools
  8. Pentest Box Tools Download
  9. Pentest Recon Tools
  10. Pentest Tools Subdomain
  11. Hacker Tools Software
  12. Hacker Techniques Tools And Incident Handling
  13. Hack Tools For Ubuntu
  14. Pentest Tools Website Vulnerability
  15. Hack Tools Mac
  16. Hacking Tools Free Download
  17. Hacker Tools For Pc
  18. Pentest Tools Review
  19. New Hacker Tools
  20. New Hack Tools
  21. Android Hack Tools Github
  22. Hacker Search Tools
  23. Game Hacking
  24. Top Pentest Tools
  25. Pentest Tools Online
  26. Pentest Tools For Windows
  27. Hacker Tools For Mac
  28. Hacking Tools Hardware
  29. Hacker Tools For Mac
  30. Pentest Box Tools Download
  31. Pentest Tools For Android
  32. Hacker Tools For Windows
  33. Computer Hacker
  34. Hacker Tools 2020
  35. New Hack Tools
  36. Tools 4 Hack
  37. Hacker Tools Online
  38. Bluetooth Hacking Tools Kali
  39. Hack Tools Online
  40. Pentest Tools Find Subdomains
  41. Pentest Tools Download
  42. Hacking Apps
  43. Hacking Tools Usb
  44. Usb Pentest Tools
  45. Underground Hacker Sites
  46. Hacking Tools Name
  47. Hack Tools
  48. Hacking Tools For Windows 7
  49. Best Hacking Tools 2019
  50. Android Hack Tools Github
  51. Hacker Techniques Tools And Incident Handling
  52. Pentest Tools Find Subdomains
  53. Hacking Tools Hardware
  54. Hacking Tools Software
  55. Hacker Tools Free Download
  56. Github Hacking Tools
  57. Pentest Tools Android

RapidScan: The Multi-Tool Website Vulnerabilities Scanner With Artificial Intelligence

RapidScan's Features:
  • One-step installation.
  • Executes a multitude of security scanning tools, does other custom coded checks and prints the results spontaneously.
  • Come of the tools include nmap, dnsrecon, wafw00f, uniscan, sslyze, fierce, lbd, theharvester, dnswalk, golismero etc executes under one entity.
  • Saves a lot of time, indeed a lot time!
  • Checks for same vulnerabilities with multiple tools to help you zero-in on false positives effectively.
  • Legends to help you understand which tests may take longer time, so you can Ctrl+C to skip if needed.
  • Association with OWASP Top 10 2017 on the list of vulnerabilities discovered. (under development)
  • Critical, high, large, low and informational classification of vulnerabilities.
  • Vulnerability definitions guides you what the vulnerability actually is and the threat it can pose
  • Remediations tells you how to plug/fix the found vulnerability.
  • Executive summary gives you an overall context of the scan performed with critical, high, low and informational issues discovered. (under development)
  • Artificial intelligence to deploy tools automatically depending upon the issues found. for eg; automates the launch of wpscan and plecost tools when a wordpress installation is found. (under development)
  • Detailed comprehensive report in a portable document format (*.pdf) with complete details of the scans and tools used. (under development)

For Your Infomation about RapidScan:
  • Program is still under development, works and currently supports 80 vulnerability tests.
  • Parallel processing is not yet implemented, may be coded as more tests gets introduced.

RapidScan supports checking for these vulnerabilities:
  • DNS/HTTP Load Balancers & Web Application Firewalls. 
  • Checks for Joomla, WordPress and Drupal
  • SSL related Vulnerabilities (HEARTBLEED, FREAK, POODLE, CCS Injection, LOGJAM, OCSP Stapling).
  • Commonly Opened Ports.
  • DNS Zone Transfers using multiple tools (Fierce, DNSWalk, DNSRecon, DNSEnum).
  • Sub-Domains Brute Forcing.
  • Open Directory/File Brute Forcing.
  • Shallow XSS, SQLi and BSQLi Banners.
  • Slow-Loris DoS Attack, LFI (Local File Inclusion), RFI (Remote File Inclusion) & RCE (Remote Code Execution).

RapidScan's Requirements:
  • Kali Linux, Parrot Security OS, BlackArch... Linux distros that based for pentesters and hackers.
  • Python 2.7.x

RapidScan Installation:


RapidScan's screenshots:
RapidScan helping menu
RapidScan Intro
RapidScan Outro

How to contribute?
If you want to contribute to the author. Read this.

Read more

Top10 Java Script Blogs To Improve Coding Skills

10 Top JavaScript Blogs to Improve Coding Skills
 

The Best JavaScript Blogs

With two decades of improvement, JavaScript has become one of the most popular programming languages of all time. The journey started in 1995 when Brendan Eich created JavaScript in just 10 days. From there, it has seen multiple revisions, drafts, and growth in the form of frameworks, API's, modules, etc. Today, we will go forward and list the top JavaScript blogs from the internet so that you can enjoy the lastest development in the field of JavaScript.

According to RedMonk programming language rankings and GitHut.info, JavaScript is leading the pack in the terms of repositories and the most discussed programming language on StackOverFlow. The numbers itself speaks about the future of JavaScript as it has grown beyond the initial capabilities of simple DOM manipulations.

Learning JavaScript, on the other hand, can be a tricky proposition. New libraries, features, API's or Style Guide, pop up almost every day. The speed of iteration is beyond imagination, and that is why reading leading JavaScript blogs are the best approach to keep up with new changes.

Slack-clone-angularjs

JavaScript is blessed with experts that regularly contribute to the community using live streams, videos, blogs, podcasts, conferences and open source projects. An example of a cool experienced Javascript programmer is evilsoft who broadcasts awesome Javascript projects weekly on LiveEdu..

Some blogs are just gold even when they are not updated frequently. To help you reach the best content on JavaScript, let's list the best JavaScript blogs on the internet. The following blogs have a huge fan following and contain epic JavaScript content.

10 Top JavaScript Blogs to Improve Coding Skills

1. David Walsh Blog

David Walsh is a renowned name in the JavaScript world. He started his career with DZone, but his first real break came while working for SitePen as a Software Engineer. His blog composes of topics related to JavaScript, personal thoughts, guides and much more. The blog design is captivating and is going to hook you up on the first visit. Currently, he is working as a Senior Web Developer at Mozilla.

top javascript blogs

2. DailyJS

DailyJS is one of the best JavaScript blogs on the internet. The blog was started by Alex R. Young, an entrepreneur and Node.js expert in 2009. However, there are recent changes that don't sound great. Currently, the blog is no longer updated, but that does not make the content useless at all. The blog covers diverse content on JavaScript including frameworks, API's, libraries, etc.

2-daily-js

3. SitePoint

SitePoint is one of the leading web development portals since 2000. The main attraction of SitePoint is the collection of highly detailed articles. They are aimed at teaching something new to the readers. JavaScript, on the other hand, is one of the leading topics on the website where experts around the world contribute regularly. The rate of the new blog post is high, and you won't find a blog post that doesn't teach you something new. Truly, a great learning place for any JavaScript developer.

3-Sitepoint

4. JavaScript.com

Not technically a blog, but if you love JavaScript, then you need to follow the website's offerings. JavaScript.com news section is an aggregator for excellent JavaScript news, tutorials, guides, and much more. All you need to do is move to their news section and discover tons of new content surrounding JavaScript. The domain is owned by CodeSchool and is mainly utilized to contribute to the community and a landing page to their courses.

4-JavaScript

5. Brendan Eich

What's the best place to find JavaScript knowledge? The inventor? Well, you are right. Brendan Eich, the creator of JavaScript, keeps his blog with filled with his musings and other excellent thought processes about JavaScript. You can also find videos on the blog. Virtually, the blog is the mind of JavaScript where you understand it in an entirely different manner.

5-brendan-eich

6. JavaScript Playground

JavaScript Playground is yet another great place to get started with all the different JavaScript frameworks, API, and libraries. The focus is to work with the JavaScript ecosystem and provide high quality blog articles, screencast, and podcast for the audience. They also blog about different JavaScript guidelines, tips, and tricks.

6-JavaScript-Playground

7. Superhero.js

If you are looking for a superhero to fetch you the best resources on JavaScript, then you have finally found one. Superhero.js is a simple website that aims to collect everything related to JavaScript including videos, articles, presentations, etc. The content is divided into meaningful sections such as "Understanding JavaScript", "Organize Your Code", etc. Also, the page is regularly updated with new information.

7-superhero

8. JavaScript Jabber

Another "not a blog entry" into the list — JavaScript Jabber is a weekly podcast on JavaScript. Each podcast is around 1 hour of jabber and will sure have something for you to learn. They keep their tab on everything related to JavaScript, including core concepts to popular Framework discussions.

8-JavaScript-Jabber

9. Medium JavaScript Collection

Is medium a blog? Technically, not, but it contains high quality JavaScript articles. Medium is a way to connect to the audience so be ready to read many opinions on how JavaScript should have been, and what's wrong with JavaScript. Other than the ramblings, it hosts amazing JavaScript content such as Speed Up Web Apps.

9-JavaScript-collection-medium

10. Smashing Magazine

Smashing Magazine is one of the oldest websites covering web designing and development. They have a dedicated section for JavaScript, which is constantly updated with tutorials of high caliber. The tutorials surround other web development ideas such as UX, Productivity, etc.

10-smashing-magazine

Conclusion

Here are the ten best JavaScript blogs to improve your coding skills. The blogs and mix of other content types will help you to keep up with new changes in JavaScript field, and improve yourself accordingly.

If you are new to JavaScript and want to get started as soon as possible, check out the JavaScript learn section on LiveEdu.tv. And, yes, it is the most popular programming language on LiveEdu.tv which can benefit from your attention! Also, don't forget to leave a comment on how the JavaScript category page can be improved. We are listening!

Dr. Michael J. Garbade

About Author Dr. Michael Jurgen Garbade is the founder of LiveEdu.TV, Kyuda, Education Ecosystem. He is future Venture Capitalist, Future Politician and always on the lookout for the Next Big Challenge. Obtained Masters in business administration and physics, and a Ph.D. in finance with professional work experience in high-paced environments at Fortune 500 companies like Amazon and General Electric. Expertize: Python, PHP, Sencha Touch & C++, SEO, Finance, Strategy & E-commerce. He speaks English and German and has worked in the US, Europe, and Asia. At Education Ecosystem he is the CEO and runs business operations.

More information


Saturday, August 29, 2020

Vulcan DoS Vs Akamai

In the past I had to do several DoS security audits, with múltiples types of tests and intensities. Sometimes several DDoS protections were present like Akamai for static content, and Arbor for absorb part of the bandwith.

One consideration for the DoS/DDoS tools is that probably it will loss the control of the attacker host, and the tool at least has to be able to stop automatically with a timeout, but can also implement remote response checks.

In order to size the minimum mbps needed to flood a service or to retard the response in a significant amount of time, the attacker hosts need a bandwith limiter, that increments in a logarithmic way up to a limit agreed with the customer/isp/cpd.

There are DoS tools that doesn't have this timeouts, and bandwith limit based on mbps, for that reason I have to implement a LD_PRELOAD based solution: bwcontrol

Although there are several good tools for stressing web servers and web aplications like apache ab, or other common tools used for pen-testing, but I also wrote a fast web flooder in c++ named wflood.

As expected the most effective for taking down the web server are the slow-loris, slow-read and derivatives, few host were needed to DoS an online banking. 
Remote attacks to database and highly dynamic web content were discarded, that could be impacted for sure.

I did another tool in c++ for crafting massive tcp/udp/ip malformed packets, that impacted sometimes on load balancers and firewalls, it was vulcan, it freezed even the firewall client software.

The funny thing was that the common attacks against Akamai hosts, where ineffective, and so does the slow-loris family of attacks, because are common, and the Akamai nginx webservers are well tunned. But when tried vulcan, few intensity was enough to crash Akamai hosts.

Another attack vector for static sites was trying to locate the IP of the customer instead of Akamai, if the customer doesn't use the Akamai Shadow service, it's possible to perform a HTTP Host header scan, and direct the attack to that host bypassing Akamai.

And what about Arbor protection? is good for reducing the flood but there are other kind of attacks, and this protection use to be disabled by default and in local holidays can be a mess.

Related word

  1. Hack Tools For Pc
  2. Hackers Toolbox
  3. Pentest Tools Apk
  4. Hacking Tools For Windows Free Download
  5. Pentest Tools For Windows
  6. Hacking Tools For Games
  7. Hacking Tools Software
  8. Hacking Tools Name
  9. Hack Apps
  10. Hacker Tools
  11. Hacking Tools Free Download
  12. Pentest Tools Online
  13. Hack Tools 2019
  14. Pentest Tools Find Subdomains
  15. Pentest Tools Open Source
  16. Hacking Tools For Windows
  17. Tools 4 Hack
  18. Hack Tools Github
  19. New Hacker Tools
  20. Pentest Tools Subdomain
  21. Hacker Tools Online
  22. Best Hacking Tools 2019
  23. Hacker Techniques Tools And Incident Handling
  24. Tools Used For Hacking
  25. Hak5 Tools
  26. Hacker Search Tools
  27. Kik Hack Tools
  28. Hacking Tools Pc
  29. Underground Hacker Sites
  30. Hacking Tools For Beginners
  31. Hack Tools
  32. Android Hack Tools Github
  33. Hacking Tools For Pc
  34. Hacking Tools 2019
  35. Pentest Tools Online
  36. Hacker Hardware Tools
  37. Hacker Tools For Mac
  38. Hacking Tools Software
  39. Hacking Tools Free Download
  40. Pentest Tools Windows
  41. New Hacker Tools
  42. Hacking Tools For Kali Linux
  43. Hack Tools For Games
  44. Hack Tools Online
  45. Hack Tool Apk
  46. Hacking Tools For Mac
  47. Beginner Hacker Tools
  48. Hacker Tools Github
  49. Pentest Tools Framework
  50. Hacking Tools Windows
  51. Pentest Tools Kali Linux
  52. Pentest Tools Open Source
  53. Pentest Tools For Android
  54. World No 1 Hacker Software
  55. How To Install Pentest Tools In Ubuntu
  56. Android Hack Tools Github
  57. Hacking Tools Hardware
  58. Hack Tools 2019
  59. Hacking Tools Windows
  60. Hack App
  61. Pentest Tools Find Subdomains
  62. Hacker Tools Linux
  63. Hacking Tools For Windows Free Download
  64. Black Hat Hacker Tools
  65. Pentest Automation Tools
  66. Pentest Tools Nmap
  67. Kik Hack Tools
  68. Nsa Hacker Tools
  69. Pentest Tools Kali Linux
  70. Black Hat Hacker Tools
  71. Hacking Tools Windows 10
  72. Hack Tools For Pc
  73. Hack Tool Apk No Root
  74. Pentest Tools For Ubuntu
  75. Hack Tools Github
  76. Black Hat Hacker Tools
  77. Best Pentesting Tools 2018
  78. Pentest Tools Download
  79. Hacker
  80. Hacking Tools For Windows 7
  81. Hackers Toolbox
  82. Hacker Tools Windows
  83. Hacker Tools For Pc
  84. Pentest Tools Nmap
  85. Hacking Tools Usb
  86. Easy Hack Tools
  87. Hacker Tools For Windows
  88. Hacking Tools And Software
  89. How To Install Pentest Tools In Ubuntu
  90. Hack Tool Apk No Root
  91. Hacker Hardware Tools
  92. Pentest Tools Free
  93. Pentest Tools Online
  94. Pentest Tools Open Source
  95. Nsa Hacker Tools
  96. Pentest Tools Android
  97. Hacker Tools For Ios
  98. Beginner Hacker Tools
  99. Hacker
  100. Hacking Tools For Windows Free Download
  101. Hacking Tools Usb
  102. Hacker Tools For Ios
  103. Pentest Tools Linux
  104. Pentest Tools Subdomain
  105. Github Hacking Tools
  106. Hacker Hardware Tools
  107. Pentest Tools Tcp Port Scanner
  108. Hacker Tools Online
  109. Hacking Tools For Mac
  110. Termux Hacking Tools 2019