Merge pull request #11 from gabemarshall/encoder
Encoder
gabemarshall authored Jul 30, 2016
2 parents e9dda63 + be2a0df commit aecc010
Showing 20 changed files with 578 additions and 202 deletions.
1 change: 0 additions & 1 deletion .gitignore
Expand Up @@ -26,4 +26,3 @@ build/Release
# https://www.npmjs.org/doc/misc/npm-faq.html#should-i-check-my-node_modules-folder-into-git
node_modules
bros.db
settings.js
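Review bot: dropping `settings.js` from the ignore list means a locally edited root-level `settings.js` left in an existing checkout now shows up as untracked and can be committed by accident with a broad `git add`. The same commit moves the require to `./modules/settings`, so either delete the old file as part of the update path or keep the ignore entry for one more release.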
24 changes: 21 additions & 3 deletions CHANGELOG.md
@@ -1,21 +1,39 @@
# ChangeLog

## 0.2b _(Feb 16, 2016)_
## Major Release 1.1.1 _(July 30, 2016)_

- Features
- <strong>Full Windows Support added</strong>
- Better documentation added to the new [wiki](https://github.com/gabemarshall/Brosec/wiki)
- Simplified install process. Once you have nodejs installed just run ```npm install -g Brosec```
- ```bros encode``` module added (realtime encoder/decoder)
- ```bros ftp``` now supports auth via ```--username``` and ```--password``` parameters.
- New SQLi Polyglots added to ```bros 43```
- New XSS payloads ```bros 42```
- (```bros 424``` Credit to [@0xsobky](https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot))
- Dependencies
- Removed kexec dependency that was used to run netcat listeners (replaced by ```modules/nc.js```) -- this greatly reduces the complexity of Brosec and makes it easier to install.


- Bug fixes
- Lots and lots of bug fixes...and probably new bugs introduced ;p

## 1.0.2b _(Feb 16, 2016)_

- Features
- `bros update`
- Convenience module that check for updates via git, pull if any updates are found, and installs any new dependencies.


## 0.2a _(Feb 15, 2016)_
## 1.0.2a _(Feb 15, 2016)_

- Features
- `bros clean`
- New feature added to allow quick deletion of the local Brosec database.

- Minor performance improvements throughout Brosec

## 0.2 _(Feb 5, 2016)_
## 1.0.2 _(Feb 5, 2016)_

- Features
- `bros ftp`
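Review bot: the `bros ftp` entry documents credentials passed as `--username` and `--password`, which leaves the password in shell history and visible in the process list to other local users; the entry should say so, and an interactive prompt or an environment variable would be a safer way to supply it. Separately, the older headings are renumbered in place (`0.2b` to `1.0.2b`, `0.2a` to `1.0.2a`, `0.2` to `1.0.2`), so anyone matching an entry against an already published version will no longer find it; a one-line note about the renumbering would help.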
85 changes: 30 additions & 55 deletions README.md
Expand Up @@ -6,95 +6,69 @@ Overview (tl;dr)

Brosec is a terminal based reference utility designed to help us infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.

Assuming the user has already set up the required variables (read on to learn how) a reverse shell using the awk command can be generated as easy as...
Assuming the user has already set up the required variables (see the [Getting Started](https://github.com/gabemarshall/Brosec/wiki/Getting-Started) section of the wiki) a reverse shell using the awk command can be generated as easy as...

[![asciicast](https://asciinema.org/a/2okrjipq4zt8669rb9n54xneg.png)](https://asciinema.org/a/2okrjipq4zt8669rb9n54xneg)

#### Payload Variables
Or maybe you need to remotely invoke a Powershell script? A download cradle can be generated like so.

Brosec allows you to store and retrieve values (in a local json db) for several variables in order to make command/payload generation easier. While some payloads will already include these variables, you can also include them in any payload that prompts for user input.
[![asciicast](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc.png)](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc)

For example, the following shows how a Powershell download cradle can be generated using the LHOST and LPORT variables (the values of which had already been set).

[![asciicast](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc.png)](https://asciinema.org/a/c2793p8lzzvla8pqji29snyvc)
##### Additional Features and Usage Examples

##### Available variables

- LHOST : Local IP or name
- LPORT : Local IP or name
- RHOST : Remote IP or name
- RPORT : Remote IP or name
- USER : Username (only used in a few payloads)
- PROMPT : User Prompt (This isn't a stored value. Instead, payloads with this variable will prompt for input.)
###### [Bros http(s)](https://github.com/gabemarshall/Brosec/wiki/bros-http)
Need a quick web server? Forget python SimpleHTTPServer, bros has your back with `bros http` when entered via the command line. An SSL server? `bros https` has you covered.

![](http://i.imgur.com/47BHim4.gif)

<br>
###### [Bros FTP](https://github.com/gabemarshall/Brosec/wiki/bros-ftp)
Need to exfiltrate some data via ftp? Bros comes with a handy `bros ftp` when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running).

![](http://i.imgur.com/FCateZJ.gif)
<br>Above are multiple examples of how to access and set the stored configuration variables.
- Configuration variables can be viewed via the `config` command at any time, or by entering the variable name
- Variables can be changed at any time by entering `set <variable> <value>`
- You can also navigate to frequently used payloads by entering the menu sequence from the command line: `bros <sequence>`
- Ex: `bros 413` - This would automate entering 4 for the Web Menu, 1 for the XXE sub menu, and 3 for the XXE local file read payload

<br>
###### [Bros Encode](https://github.com/gabemarshall/Brosec/wiki/bros-encode)

<br>
##### Additional Features and Usage Examples
###### XXE for Bros
![](http://i.imgur.com/hxrqlvk.gif)
<br>
In addition to payloads such as reverse shells, Brosec also has multiple XXE payloads that you can generate on the fly.
<br><br>
A realtime encoder/decoder utility designed with web pentesters in mind that often find the need to encode and decode various payloads.

![](http://i.imgur.com/wxFpA7o.png)


Learn about these features and more on the [Brosec wiki](https://github.com/gabemarshall/Brosec/wiki).

###### Simple HTTP(s) Server
Need a quick web server? Forget python SimpleHTTPServer, bros has your back with `bros http` when entered via the command line. An SSL server? `bros https` has you covered.

![](http://i.imgur.com/47BHim4.gif)

<br>
###### Anonymous FTP Server
Need to exfiltrate some data via ftp? Bros comes with a handy `bros ftp` when entered via the command line. The ftp server accepts anonymous downloads/uploads from the CWD (so be careful when running).

Installation
============

### [Releases](https://github.com/gabemarshall/Brosec/releases)

*Some features are unavailable in the compiled version, but is a good way to quickly try out Brosec*

### Manual installation
### Mac

#### Quick Installation

#### Mac
- `brew install node` - Install Nodejs (or download installer from https://nodejs.org/en/download/)
- `npm install -g Brosec` - Install Brosec (may need sudo to symlink to /usr/local/bin)

- `brew install node netcat` - Install Nodejs and netcat (nc or ncat will work too)
- `git clone https://github.com/gabemarshall/Brosec.git` - Clone Brosec repo
- `cd Brosec && npm install` - cd into the directory and install npm depdendencies

#### Kali Linux

- `apt-get install npm build-essential g++ xsel netcat` Install dependencies
- `npm config set registry http://registry.npmjs.org/` Npm registry seems to be broken by default when installed from Kali repos
- `apt-get install npm build-essential g++ xsel` Install dependencies
- `npm install -g n` Install n (nodejs version manager)
- `n latest` Install latest version of nodejs
- `git clone https://github.com/gabemarshall/Brosec.git` - Clone Brosec repo
- `cd Brosec && npm install` - cd into the directory and install npm depdendencies

### Windows (Unsupported)
- If the above fails, try - `npm config set registry http://registry.npmjs.org/`

- Install [nodejs](https://nodejs.org/download)
- Install [ncat](https://nmap.org/download.html)
- `git clone https://github.com/gabemarshall/Brosec.git` - Clone Brosec repo

Payloads that utilize netcat will not work due to the kexec library not being supported in Windows

- `n latest` Install latest version of nodejs
- `npm install -g Brosec` - Install Brosec (may need sudo to symlink to /usr/local/bin)

#### Optional
Add bros directory path to your PATH env variable, create a symlink for the bros file, etc
### Windows (Unsupported)

Configuration
=====================
- Install via official installer [nodejs](https://nodejs.org/download)
- `npm install -g Brosec` - Install Brosec

Brosec stores configuration values in a local json db file. The default storage location is /var/tmp, but can be changed by editing settings.dbPath variable in the settings.js file. Brosec also uses netcat for several payloads. If needed, the path to netcat can be altered via the settings.netcat variable (it can also be changed to ncat or nc).


Swag
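Review bot: the Kali fallback `npm config set registry http://registry.npmjs.org/` points npm at the registry over plain HTTP, and because it is a persistent config change every later `npm install -g` on that machine goes through it; use `https://registry.npmjs.org/` instead. Also in this hunk, the `### Windows (Unsupported)` heading contradicts the CHANGELOG line "Full Windows Support added" from the same commit, so one of the two needs updating.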
Expand All @@ -114,5 +88,6 @@ Brosec was heavily inspired by the Red Team Field Manual by Ben Clark. In additi
- [pentestmonkey reverse shells](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
- [g0tmi1k linux privesc](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
- [obsecuresecurity](http://obscuresecurity.blogspot.com/2014/05/dirty-powershell-webserver.html)
- [SecLists](https://github.com/danielmiessler/SecLists)

Special thanks to [@LuxCupitor](https://twitter.com/LuxCupitor)
32 changes: 23 additions & 9 deletions bros
Expand Up @@ -3,13 +3,14 @@
var argv = require('yargs').argv,
log = require('cli-color'),
db = require('./db/db'),
os = require('os'),
menu = require('./modules/menu'),
secondaryMenu = require("./modules/secondaryMenu"),
check = require('./modules/inputChecks'),
simpleWeb = require('./modules/webserver/simple.js'),
simpleFtp = require('./modules/webserver/simpleFtp.js'),
interfaces = require('./modules/interfaces'),
settings = require('./settings'),
settings = require('./modules/settings'),
child_process = require('child_process'),
utilities = require('./modules/utilities'),
log = require('./modules/log.js');
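Review bot: `log` is assigned twice in this `var` list, first to `require('cli-color')` and last to `require('./modules/log.js')`, so the first require is dead code that still has to load; drop it while the list is being edited. The newly added `os = require('os')` is only used in the `CLEAN` branch and would not be needed if that branch deleted the file through `fs` rather than an external command.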
Expand All @@ -18,11 +19,6 @@ var firstArgument = argv._[0];
var secondArgument = argv._[1];
var thirdArgument = argv._[2];






function getFirstArgValue(arg) {
switch (arg) {
case 1:
Expand All @@ -42,7 +38,7 @@ function getFirstArgValue(arg) {
}

function parseArgs() {

var oldSecondary;

if (firstArgument >= 1 && firstArgument <= 6) {
secondaryMenu = getFirstArgValue(firstArgument);
Expand Down Expand Up @@ -75,6 +71,7 @@ function parseArgs() {
} else if (typeof(firstArgument) === "string") {
firstArgument = firstArgument.toUpperCase();
try {
oldSecondary = secondArgument;
secondArgument = secondArgument.toUpperCase();
} catch(err){

Expand All @@ -92,6 +89,13 @@ function parseArgs() {
//simpleFtp.ftps(argv);
} else if (firstArgument === "UPDATE"){
utilities.update();
} else if (firstArgument === "ENCODE"){
if (secondArgument){
utilities.encoder(oldSecondary);
} else {
utilities.encoder();
}

} else if (firstArgument+" "+secondArgument === "SET LHOST" && !thirdArgument){
interfaces.setlhost();
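Review bot: the `if (secondArgument)` test in the `ENCODE` branch is a truthiness check on a value yargs may already have parsed as a number, so `bros encode 0` takes the `else` path and calls `utilities.encoder()` with no input even though `oldSecondary` holds `0`. Both branches can collapse to `utilities.encoder(oldSecondary);`, or the test can become `oldSecondary !== undefined`. The name `oldSecondary` would also read better as something like `rawSecondArgument`, since it is the original-case value and not an older one.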

Expand All @@ -101,10 +105,20 @@ function parseArgs() {
} else if (firstArgument === "HELP") {
check.allInputChecks(firstArgument, menu.mainMenu, menu.mainMenu);
} else if (firstArgument === "CLEAN") {
child_process.execFile('rm', [settings.dbPath], function(error, stdout, stderr){

var currentOS = os.type();
var cmd = "rm";
var dir = settings.dbPath;
if (currentOS.match("Windows")){
cmd = "del";
} else {

}

child_process.execFile(cmd, [dir], function(error, stdout, stderr){
});
console.log("The Brosec database located at %s has been wiped.", settings.dbPath)
}
}
else {
check.allInputChecks(firstArgument, console.log, console.log)
}
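Review bot: on Windows `cmd = "del"` cannot work with `child_process.execFile`, because `del` is a `cmd.exe` builtin and `execFile` does not spawn a shell, so the call fails with ENOENT. The callback ignores `error` and the "has been wiped" message is printed unconditionally outside it, so the user is told the database is gone when it is not. `fs.unlink(settings.dbPath, callback)` is cross-platform, removes the OS check and the empty `else`, and lets the message be printed only when `error` is null.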
13 changes: 6 additions & 7 deletions db/db.js
@@ -1,10 +1,10 @@
var dirty = require('dirty');
var settings = require('../settings.js')

var settings = require('../modules/settings.js');
var os = require('os');
// By default, brosec stores its data file in /var/tmp
// Change storage location by altering settings.js
try {
var db = dirty(settings.dbPath);
var db = dirty(settings.dbPath);
}
catch (err){
console.log("There was a problem initializing the bros. Check the settings.js file to specify a valid storage location.")
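Review bot: the comment "Change storage location by altering settings.js" and the error text "Check the settings.js file" still point at the old file, while the require now loads `../modules/settings.js`; after a global npm install a user following the message will not find the right file, so both strings should name the new path or print `settings.dbPath` itself. `var os = require('os');` is added here but nothing in the visible lines of this file uses it; remove it unless a later hunk needs it.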
Expand All @@ -19,7 +19,7 @@ exports.new = function(title, description){
}

exports.newConfig = function(key, val){
var keyExists = false
var keyExists = false
db.forEach(function(keyStore, valStore) {
if (key === keyStore){
keyExists = true
Expand All @@ -33,7 +33,7 @@ exports.newConfig = function(key, val){
}
else {
db.set(key, val)
}
}
db.on('drain', function() {
});
}
Expand All @@ -52,11 +52,10 @@ function getConfig(value){
}
// If none exist
else {

}
});
return test
}

exports.getConfig = getConfig;

8 changes: 0 additions & 8 deletions modules/checkModule.js

This file was deleted.

29 changes: 23 additions & 6 deletions modules/colorize.js
Expand Up @@ -2,22 +2,39 @@ var log = require('cli-color');

exports.samples = function(sample){

var doesSampleContainPrompt = sample.match(/((<(PROMPT)\s*?.*?>))/)
var doesSampleContainPrompt = sample.match(/((<(PROMPT)\s*?.*?>))/gi)
var doesSampleContainRemote = sample.match(/((<(RHOST)\s*?.*?>))/)
var doesSampleContainRemotePort = sample.match(/((<(RPORT)\s*?.*?>))/)
var doesSampleContainLocal = sample.match(/((<(LHOST)\s*?.*?>))/)
var doesSampleContainLocalPort = sample.match(/((<(LPORT)\s*?.*?>))/)
var doesSampleContainUser = sample.match(/((<(USER)\s*?.*?>))/)
var doesSampleContainPath = sample.match(/((<(PATH)\s*?.*?>))/)

function addSomeColor(val, color){
var temp = sample.split(val[0])
var final = temp[0]+color(val[0])+temp[1]
function replaceAll(str, find, replace) {
return str.replace(new RegExp(find, 'g'), replace);
}

function addSomeColor(val, color, debug){

if (val.length > 1){
for (b=0;b<val.length;b++){
sample = sample.replace(val[b], color(val[b]));
sample = replaceAll(sample, val[b], color(val[b]));
}
} else {
sample = sample.replace(val[0], color(val[0]));
}

// sample = replaceAll(sample, val[b], color(val[b]));
//var temp1 = sample.split(val[1])
//var final = temp1[0]+color(val[1])+temp1[1]
var final = sample;

return final;
}

if (doesSampleContainPrompt){
sample = addSomeColor(doesSampleContainPrompt, log.cyan)
sample = addSomeColor(doesSampleContainPrompt, log.cyan, true)
}
if (doesSampleContainRemote){
sample = addSomeColor(doesSampleContainRemote, log.red)
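Review bot: `replaceAll` passes the matched token straight into `new RegExp(find, 'g')` without escaping, and the tokens come from `/((<(PROMPT)\s*?.*?>))/gi`, which captures arbitrary text up to the closing `>`. A prompt description containing `(`, `?`, `.` or `$` will either fail to match itself literally or throw a SyntaxError on an unbalanced group. Escape `find` before building the regex, or use `sample.split(find).join(replace)`. In the same function the loop counter in `for (b=0;b<val.length;b++)` is an implicit global and needs `var`, the new `debug` parameter is never read, and the commented-out lines above `var final = sample;` can be deleted.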
Expand All @@ -41,4 +58,4 @@ exports.samples = function(sample){

return sample

}
}