OWASP OWTF – Offensive Web Testing Framework

OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.

OWASP OWTF - Offensive Web Testing Framework

The purpose of this tool is to automate the manual and uncreative parts of pen testing. For example, Figuring out how to call “tool X” then parsing results of “tool X” manually to feed “tool Y” and so on is time consuming.

By reducing this burden we hope pen testers will have more time to:

  • See the big picture and think out of the box,
  • Find, verify and combine vulnerabilities efficiently,
  • Have time to Investigate complex vulnerabilities like business logic, architectural flaws, virtual hosting sessions, etc.
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short time-frames we are typically given to test.


This tool is however not a silver bullet and will only be as good as the person using it. Understanding and experience will be required to correctly interpret the tool output and decide what to investigate further in order to demonstrate the impact.


  • Web UI. Now configure and monitor OWTF via a responsive and powerful interface accessible via your browser.
  • Exposes RESTful APIs to all core OWTF capabilties.
  • Instead of implementing yet another spider (a hard job), OWTF will scrub the output of all tools/plugins run to gather as many URLs as possible.
  • Scan by various aggression levels: OWTF supports scans which are based on the aggressiveness of the plugins/tools invoked.
  • Extensible OWTF manages tools through ‘plugins’ making it trivial to add new tools.
  • OWTF has been developed keeping Kali Linux in mind, but it also supports other pentesting distros such as Samurai-WTF, etc.
  • Tool paths and configuration can be easily modified in the web interface.
  • Fastest Python MiTM proxy yet!
  • Crash reporting directly to Github issue tracker
  • Comprehensive interactive report at end of each scan
  • Easy plugin-based system; currently 100+ plugins!
  • CLI and web interface

You can download OWASP OWTF here:

Or read more here.

OWASP OWTF: https://www.owasp.org/index.php/OWASP_OWTF

Download Offensive Web Testing Framework: https://owtf.github.io/#download

Original Post: http://www.darknet.org.uk/2016/09/owasp-owtf-offensive-web-testing-framework/

Portable Penetration Testing Distribution for Windows: PentestBox

    PentestBox is not like other Penetration Testing Distributions which runs on virtual machines. It is created because more than 70% of penetration testing distributions users uses windows and provides an efficient platform for Penetration Testing on windows. It provides all security tools as a software package, eliminating requirement of Virtual machines or dualboot environments on Windows Operating System. It is created because more than 50% of penetration testing distribution users uses windows.




A Portable Penetration Testing Distribution for Windows: PentestBox


Easy to Use

It is a command line utility which is all what you want.


Awesome Design

It is the same green font on black terminal but in an modern way.


Best Performance

PentestBox directly runs on host machine instead of virtual machines, so performance gain is obvious.


No Dependencies Needed

All the dependencies required by tools are inside PentestBox, so you can even run PentestBox on freshly installed windows without any hassle.



PentestBox is entirely portable, so now you can carry your own Penetration Testing Environment on a USB stick. It will take care of dependencies required to run tools which are inside it.


Linux Environment

PentestBox contains nearly all Linux utilities like bash, cat, chmod, curl, git, gzip, ls, mv, ps, ssh, sh, uname and others. It even contains your favourite text editor “vim”.  Because of this, most penetration testing tools which were earlier compatible only with Linux are working smoothly in PentestBox on Windows.


No Driver Issue

Windows has already large support of drivers for Graphic Cards and wireless chip-sets. Now, you don’t have to worry about drivers compatibility issues.



Only the best tools went into PentestBox, but if you miss something you can easily install it using tools-manager from the inside of PentestBox environment.


Less memory Usage

PentestBox runs on host machine without any need for virtual machine. It only needs 20 MB – compared to at least 2GB of RAM need for running virtual machine distributions.


Less Disk Usage

PentestBox is very light. It requires less than third of space of other penetration testing Linux distributions.


Inbuilt Browser

PentestBox packs a Mozilla Firefox Browser with nearly all security addons.


Automatic Updates

Automatic update feature will keep your tool up to date.


Can Be Shared On A Network

You can use PentestBox on many computers by sharing it through network. You don’t have to install it on each and every computer that you want it to run on. Just install PentestBox on one computer and share it to all other computers on the same network.











No Metasploit ?

Metasploit contain exploits/payloads inside its folder structure, so when installed on windows machines nearly all anti-viruses and firewalls fire up. Metasploit officially instruct users to disable anti-viruses and firewalls while using it. It’s your call. If you willing to switch off your antiviruses program and want to use Metsaploit on Windows, you can download windows installer for Metsaploit from officially Metsaploit website.


PentestBox throwing up red flags ?

PentestBox is packed by UPX which is identified as malware by some antivirus softwares. You can scan PentestBox.exe with virtustotal.com and see the result. As an alternative there is a PentestBox.bat file in the same directory which upon running won’t show any warnings. There are some ruby gems also which can also flag as virus/malware, you can remove those of your antivirus are flagging it. Also THC-SSL-DOS will also be flagged because of it’s action against SSL servers.If you worried about those warnings then you can allow your Antivirus to remove those files, in that case you can start PentestBox through PentestBox.bat file and THC-SSL-DOS will not work. Rest other tools/products will work normally.


How to include your own Tool

If you want to include a tool which is not currently present in PentestBox then below are the ways to include it.

  • If it is Python based program
    • Place that folder in PentestBox_Directory/bin or in any folder inside bin.
    • As Python is configured inside PentestBox, you can directly go to that directory and then run that program by prepending python to the filename.
    • But if you want to set an alias for that program then please follow How to add an alias
  • If it is Ruby Based Program
    • Place that folder in PentestBox_Directory/bin or in any folder inside bin.
    • As Ruby is configured inside PentestBox, you can directly go to that directory and then run that program by prepending ruby to the filename.
    • But if you want to set an alias for that program then please follow How to add an alias
  • It it is Executable file
    • Place that folder in PentestBox_Directory/bin or in any folder inside bin.
    • You can directly access by moving to that folder and typing the filename.
    • But if you want to set an alias for that program then please follow How to add an alias


Source && Download



Original Post: https://n0where.net/portable-penetration-testing-distribution-for-windows/

MorphAES – IDPS & SandBox & AntiVirus STEALTH KILLER

MorphAES is the world’s first polymorphic shellcode/malware engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it’s cross-platform as well and library-independent.


  • Polymorphism (AES encryption)
  • Metamorphism (logic and constants changing)
  • Platform independent (Linux/BSD/Windows)
  • IDPS stealthing (the total number of possible signatures is more the number of atoms in the universe for one given code)
  • Sandbox evasion (special assembly instructions)
  • Realism (no null bytes)
  • Can produce executables (malwares)
  • Input code can have arbitrary length

Dependencies for the morpher:

  • Python 2.7 – main engine
  • Python Crypto 2.6 – for encryption

Dependencies for the code execution:

  • 64-bit Intel AES-NI – for decryption

Nonetheless, there are some limitations (aka white-hat aspects):

  • Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily)
  • Unicode null bytes might still work (but who cares?)
  • It will only work on 64-bit Intel processors with AES-NI support, but since all the user’s PCs (like Pentium, Celeron, i3, i5, i7) and the industry’s servers (like Xeon) have it, it’s more a specification, rather than a limitation, thus a 32-bit implementation is unpractical
  • Almost any shellcode is guarantee to work however, an arbitrary code (malware) doesn’t
  • Windows/BSD PoC and executables are in progress…

How it works

  1. Shellcode padding with NOPs (since AES is a block cipher)
  2. Shellcode encryption with a random key using AES-128-ECB (not the best, but the simplest) – polymorphism
  3. Constants randomization, logic changes, instructions modification and rewriting – metamorphism

For Linux:

sudo apt-get install python python-crypto

Execute the Pyhton script and enter your shellcode or nothing for a default Linux shell. You can specify your own execution address as well.
It is possible to build and execute on Windows/BSD/Mac as well, but I’m still testing it.
You can also use the Linux PoC in assembly:

as shellcode.s -o shellcode.o
ld shellcode.o -o shellcode

Every file is commented and explained

At this point, it should be pretty obvious that, the hashes would be different every time, but let’s compare SSDEEPes of 2 Linux executables of the same shellcode:

  • 96:GztTHyKGQh3lo6Olv4W4zS/2WnDf74i4a4B7UEoB46keWJl09:Gzty6VOlvqSTDflmNroh,
  • 96:GQtT23yKmFUh3lo6OlOnIrFS4rkoPPf74i4a4B7UEoB46keWJ5:GQtCGWVOlOWFSsPflmNroh,

Well, there’s something in common, but globally those are 2 different signatures, now what about the shellcode it-self:

  • 48:eip2bR2LRNtRPORDGRopRBXR3cRzER2vRU9BnH6ksr:Srn+,
  • 48:6RjNeR2IRN7RPWRDeRokRB5R3xRz3R28RUxFT2+75eFK9iKMAdXAJKo:O9Tdwoo,

Almost totally different signatures for the same morphed shellcode!
At the publication date, the executable was detected as a shellcode only by 2 out of 53 antiviruses (AVG and Ikarus) onvirustotal , but now, it just fails to analyze.
malwr’s with cuckoo2 doesn’t see anything suspicious.
On the reverser’s perspective, IDA won’t see anything either.
Radare2 would show the real instructions only if assembled by the assembler it-self however, it doesn’t detects any crypto or suspicious activity for the executable.
Althrough, I didn’t test it personally, I think that FortiSandbox, Sophos Sandstorm, Blue Coat, GateWatcher and their derivatives might fail badly…

To put it in the nutshell
Basically, it can transform a script-kid’s code (or a known-one ) into a zero-day.
IDPS will fail because, it’s almost impossible to make a signature and difficult to make a regular expression or heuristic analysis.
Most of the sandboxes doesn’t use Intel’s AES-NI instructions directly, so they will not execute the code, so “everything is fine” for them, whereas it’s not.
The only way to defeat this type of shellcode/malware is to use an appropriate sandboxing or/and an AI.
Notice that, the whole execution is done by a pure assembly, no Python (or shitty OpenSSL) is needed for the shellcode’s/malware’s execution since, I use built-in assembly instructions only, thus it’s system-independent (surely, you will have to assemble it for each-one by adapting the instructions/opcodes, but they are still same).

This is still a work in progress, I will implement Windows and BSD/Mac engines and PoCs ASAP.
IDPSes and sanboxes suck.

“Tradition becomes our security, and when the mind is secure it is in decay.”

Jiddu Krishnamurti

Original Post: http://www.kitploit.com/2016/09/morphaes-idps-sandbox-antivirus-stealth.html

Digital Forensics According to the FORZA Model and Diamond Model for Intrusion Analysis

The Bridge on the River Forza

We can teach these barbarians a lesson in Western methods and efficiency that will put them to shame.” -Colonel Nicholson (The Bridge on the River Kwai, 1957)

Efficiency. Something we look to implement in everything we do, whether that be through the elimination of waste through Six Sigma, or other frameworks and methodologies, efficiency is what we strive for. When performing digital forensics, efficiency and rigor in our approach to ensure no stone left unturned is paramount to the success of the investigation.

One of the many frameworks that exists is FORZA, a group of tasks and processes in a digital forensics investigation that revolves around a triad of: Reconnaissance, Reliability, and Relevancy.

For Reconnaissance, the case examiner will collect, recover, decode, discover, extract, analyze, and convert data that is kept on different storage media to readable evidence.

Reliability speaks to the integrity of the evidence and the relationship between the people and the evidence such that it will hold up in court if prosecuted.

Relevancy speaks to the relevancy of the evidence, even if it is admissible in court.

The FORZA Framework defines eight separate roles in a digital forensics investigation, the case leader, system/business owner, legal advisor, security/system architect/auditor, digital forensics specialist, digital forensics investigator/system administrator/operator, digital forensics analyst, and a legal prosecutor.

Each of these roles are interconnected through six categories of questions that must be answered in the investigation: (1) What (data); (2) Why (motivation); (3) How (function); (4) Who (people); (5) Where (network); and (6) when (time). If you think about it, this is very similar to what a crime scene investigator must answer when investigating a murder scene, which is why I’m always saying that digital forensics is like CSI: Miami meets Bones.

Here’s a short video I made on the topic.

Below is a table detailing out the responsibilities for each role in answering each of the six questions.

Okay, so now that we’ve covered FORZA (don’t get confused here), let’s discuss a newer, more novel model gaining widespread popularity, which is the Diamond Model of Intrusion Analysis; a model of intrusion analysis built by analysts, asking the simple question, “What is the underlying method to our work?” The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim.

These features are edge-connected representing their underlying relationships and arranged in the shape of a diamond, giving the model its name.

In its simplest form, the model describes that an adversary deploys a capability over some infrastructure against a victim. These activities are called events and are the atomic features. Analysts populate the model’s vertices as events are discovered and detected. The vertices are linked with edges highlighting the natural relationship between the features. By pivoting across edges and within vertices, analysts expose more information about adversary operations and discover new capabilities, infrastructure, and victims.

The Diamond Model of intrusion analysis comprises the core features of an intrusion event:adversary, capability, infrastructure, and victim. The core features are linked via edges to represent the fundamental relationships between the features which can be exploited analytically to further discover and develop knowledge of malicious activity.

The above depiction models analytic pivoting using the Diamond Model. One of the most powerful features of the Diamond — pivoting, allows an analyst to exploit the fundamental relationship between features (highlighted by edges between the features) to discover new knowledge of malicious activity.

Subsequent to this analysis is an Activity-Attack Graph, diagrammed above. This chart illustrates the integration of knowledge of actual adversary attack paths with the multitude of hypothetical attack paths that could be taken. Using an activity-attack graph highlights the potential paths of an adversary in the future as well as the preferred paths based on current knowledge.

As forensic analysts, we should always look to be continuously improving our craft, especially around our methodology in how we conduct investigations. I leave it to you to decide on which methodology you adopt, or possibly even make better.

A sample report has been created by Brier & Thorn that has been designed around the Diamond Model and is available here for free download.

More information on the Diamond Model can be found here and here.

Original Post: https://www.alienvault.com/blogs/security-essentials/digital-forensics-according-to-the-forza-model-and-diamond-model-for-intrusion-analysis

Up ↑