pwnSpoof (from Punk Security) generates realistic spoofed log files for common web servers with customisable attack scenarios.

Every log bundle is unique and completely customisable, making it perfect for generating CTF scenarios and for training series.

Can you find the attacker session and build the incident picture?

 

About The Project

pwnSpoof was created on the back of a threat hunting training exercise Punk Security delivered for a customer. The training exercise was to use a log analytics tool such as Splunk (other log analysing tools are available) and IIS logs to find login brute-force attacks and command injections.

The idea behind the pwnSpoof application is to:

  • Provide a quick and easy CTF-style training environment
  • Create unique logs on every run
  • Test threat hunting in IIS, Apache and NGINX logs

Once you have created a set of logs, the idea is to load them into Splunk and use various techniques to answer the following questions:

  • What was the attacker's IP address and user_agent?
  • Did the attacker authenticate and, if so, with what account?
  • Where was the attacker geo-located?
  • When did the attack take place?
  • What kind of attack was it?
  • What happened during the attack?
  • What artifacts may remain on the server?
  • What steps can be taken to remediate?
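To show the kind of analysis these questions call for, here is an added example that is not part of the pwnSpoof project: a small Python script that parses NGINX combined-format (CLF-style) log lines with a regular expression, groups login attempts by source IP and user agent, and flags a source that fails the login a threshold number of times inside a short window. It then reports whether that source later authenticated, with which account, and what it requested afterwards, which covers the first, second, fourth and sixth questions above. The log lines, IP addresses, the /login?user= query parameter, the account names and the thresholds are all constructed for this example; pwnSpoof's real field layout may differ, and in a real hunt the account would come from whatever field the application actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# NGINX "combined" log line: Common Log Format plus referer and user-agent.
# Named groups give us the fields we pivot on when hunting.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

LOGIN_PATH = "/login"

# Constructed sample log (not real pwnSpoof output). Two legitimate users and one
# scripted client that fails five logins in five seconds, then succeeds and
# pulls a statement. The IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2021:09:14:02 +0000] "GET /index HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/90.0"
203.0.113.7 - - [27/Jul/2021:09:14:10 +0000] "POST /login?user=alice HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/90.0"
198.51.100.23 - - [27/Jul/2021:09:15:01 +0000] "POST /login?user=jsmith HTTP/1.1" 401 312 "-" "python-requests/2.25.1"
198.51.100.23 - - [27/Jul/2021:09:15:02 +0000] "POST /login?user=jsmith HTTP/1.1" 401 312 "-" "python-requests/2.25.1"
198.51.100.23 - - [27/Jul/2021:09:15:03 +0000] "POST /login?user=jsmith HTTP/1.1" 401 312 "-" "python-requests/2.25.1"
198.51.100.23 - - [27/Jul/2021:09:15:04 +0000] "POST /login?user=jsmith HTTP/1.1" 401 312 "-" "python-requests/2.25.1"
198.51.100.23 - - [27/Jul/2021:09:15:05 +0000] "POST /login?user=jsmith HTTP/1.1" 401 312 "-" "python-requests/2.25.1"
198.51.100.23 - - [27/Jul/2021:09:15:06 +0000] "POST /login?user=jsmith HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
198.51.100.23 - - [27/Jul/2021:09:15:09 +0000] "GET /account/statement HTTP/1.1" 200 8800 "-" "python-requests/2.25.1"
192.0.2.44 - - [27/Jul/2021:09:16:00 +0000] "POST /login?user=bob HTTP/1.1" 401 312 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
192.0.2.44 - - [27/Jul/2021:09:16:20 +0000] "POST /login?user=bob HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def account_of(rec):
    """Account name from the (constructed) user= query parameter, or '-' if absent."""
    return parse_qs(urlsplit(rec["path"]).query).get("user", ["-"])[0]


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag each (ip, user-agent) pair with `threshold` failed logins inside
    `window_seconds`, and report whether a success followed and what came next."""
    by_source = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_source[(rec["ip"], rec["ua"])].append(rec)

    findings = []
    for (ip, ua), recs in by_source.items():
        recs.sort(key=lambda r: r["ts"])
        logins = [r for r in recs
                  if r["method"] == "POST" and urlsplit(r["path"]).path == LOGIN_PATH]
        failures = [r for r in logins if r["status"] in (401, 403)]
        # Slide a window of `threshold` consecutive failures; the first one that
        # fits inside window_seconds is enough to raise a finding for this source.
        for i in range(len(failures) - threshold + 1):
            burst = failures[i:i + threshold]
            if (burst[-1]["ts"] - burst[0]["ts"]).total_seconds() > window_seconds:
                continue
            success = next((r for r in logins
                            if r["status"] in (200, 302) and r["ts"] > burst[-1]["ts"]), None)
            findings.append({
                "ip": ip,
                "user_agent": ua,
                "first_failure": burst[0]["ts"].isoformat(),
                "failed_attempts": len(failures),
                "authenticated": success is not None,
                "account": account_of(success) if success else None,
                "post_login_paths": [r["path"] for r in recs
                                     if success and r["ts"] > success["ts"]],
            })
            break
    return findings


if __name__ == "__main__":
    for finding in find_bruteforce(SAMPLE_LOG):
        print(finding)
```

Grouping on the (IP, user-agent) pair rather than IP alone is what separates a scripted client from legitimate users behind the same NAT address, and the one failed login from 192.0.2.44 shows why a threshold matters: a single typo is not an attack. When running this over a real pwnSpoof bundle, generate it with --iocs so the attacker IP the tool recorded can be checked against what the script reports.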

Getting Started

The following will explain how to get started with pwnSpoof.

Prerequisites

pwnSpoof is written in Python and is tested with Python 3. No additional modules are needed; we only use the standard library.

If you get the following error message, please specify python3 when running pwnSpoof. Python 2 isn't supported.

  File "pwnspoof.py", line 176
    print("{:6.2f}% ".format(y * x), end="\r", flush=True)
                                        ^
SyntaxError: invalid syntax

Install

  1. Git clone the pwnSpoof repo
     git clone https://github.com/punk-security/pwnspoof
  2. Change directory to pwnSpoof
  3. Run pwnSpoof
     python pwnspoof.py --help

Usage

Switches

positional arguments:
  {banking,wordpress,generic}
                        App to emulate

optional arguments:
  -h, --help            show this help message and exit
  --out OUT             Output file (default: pwnspoof.log)
  --iocs                Do you want to capture the attackers iocs for easier hunting? (default: False)

log generator settings:
  --log-start-date LOG_START_DATE
                        Initial start of logs, in the format YYYYMMDD i.e. "20210727"
  --log-end-date LOG_END_DATE
                        End date for logs, in the format YYYYMMDD i.e. "20210727"
  --session-count SESSION_COUNT
                        Number of legitimate sessions to spoof (default: 2000)
  --max-sessions-per-user MAX_SESSIONS_PER_USER
                        Max number of legitimate sessions per user (default: 3)
  --server-fqdn SERVER_FQDN
                        Override the emulated web apps default fqdn
  --server-ip SERVER_IP
                        Override the emulated web apps randomised IP
  --server-type {IIS,NGINX,CLF}
                        Server to spoof (default: IIS)
  --uri-file URI_FILE   File containing web uris to override defaults, do not include extensions
  --noise-file NOISE_FILE
                        File containing noise uris to override defaults, include extensions

attack settings:
  --spoofed-attacks SPOOFED_ATTACKS
                        Number of attacker sequences to spoof (default: 1)
  --attack-type {bruteforce,command_injection}
                        Number of attacker sequences to spoof (default: bruteforce)
  --attacker-geo ATTACKER_GEO
                        Set the attackers geo by 2 letter region. Use RD for random (default: RD)
  --attacker-user-agent ATTACKER_USER_AGENT
                        Set the attackers user-agent. Use RD for random (default: RD)

Examples

The following example will create a set of IIS logs for a bruteforce attack against pwnedbank.co.uk.

python pwnspoof.py banking --server-fqdn pwnedbank.co.uk --attack-type bruteforce --server-type IIS --out iis-output.log

The following example will create a set of NGINX logs for a command_injection attack against pwnedbank.co.uk.

python pwnspoof.py banking --server-fqdn pwnedbank.co.uk --attack-type command_injection --server-type NGINX

The following example will create a set of logs with 5000 routine sessions and 3 attack sessions.

python pwnspoof.py banking --session-count 5000 --spoofed-attacks 3

The following example will create a set of logs and output the attackers' IP addresses.

python pwnspoof.py banking --spoofed-attacks 3 --iocs

Demo

Road Map

pwnSpoof is built to generate realistic web attack logs and it does this really well. At the moment we're focused on refactoring the code, building out our test suite and getting the first push to PyPI, but we have big ambitions for pwnSpoof.

Coming soon

Adding additional webapps beyond banking to give more variety to the logs:

  • Social media
  • WordPress
  • E-Commerce

Adding more and more dynamic web attacks:

  • Full OWASP Top 10
  • Customisable payload encoding
  • Multi-session attacks
  • Obfuscation

Unscheduled aspirations

Training videos!

pwnSpoof was built to be a useful tool for training the blue team, so it only makes sense to provide some training materials to show it off.

  • Learn how to ingest logs into various log analysers (Splunk, Elastic, Open Distro, Sentinel)
  • Learn how to use the power of regex to pivot around the data

Not just web logs

We want to see pwnSpoof generating all sorts of threat hunting logs, such as Office 365 audit logs for SharePoint, OneDrive and Azure AD.

Blackhat Arsenal

We have submitted pwnSpoof to Blackhat Arsenal for consideration and it would be AWESOME to demo it at Blackhat London this year (2021).

Why not contact us with some more ideas, or contribute to the project.

Contact

Credits

  • ip2location:
    We use the IP2Location LITE Country database to generate geographically appropriate IP addresses.

This product includes IP2Location LITE data available from https://lite.ip2location.com



