Monday, August 31, 2020

Hacktronian: All In One Hacking Tools Installer For Linux And Android

Hacktronian Installation
   Termux users must install Python and Git first: pkg install git python
   Then enter these commands:
   You can watch the full installation tutorial here:


Hacktronian Menu:
  • Information Gathering
  • Password Attacks
  • Wireless Testing
  • Exploitation Tools
  • Sniffing & Spoofing
  • Web Hacking
  • Private Web Hacking
  • Post Exploitation
  • Install The HACKTRONIAN
Information Gathering menu:
Password Attacks menu:
Wireless Testing menu:
Exploitation Tools menu:
  • ATSCAN
  • SQLMap
  • Shellnoob
  • commix
  • FTP Auto Bypass
  • jboss-autopwn
Sniffing and Spoofing menu:
Web Hacking menu:
  • Drupal Hacking
  • Inurlbr
  • Wordpress & Joomla Scanner
  • Gravity Form Scanner
  • File Upload Checker
  • Wordpress Exploit Scanner
  • Wordpress Plugins Scanner
  • Shell and Directory Finder
  • Joomla! 1.5 - 3.4.5 remote code execution
  • Vbulletin 5.X remote code execution
  • BruteX - Automatically brute force all services running on a target
  • Arachni - Web Application Security Scanner Framework
Private Web Hacking:
  • Get all websites
  • Get joomla websites
  • Get wordpress websites
  • Control Panel Finder
  • Zip Files Finder
  • Upload File Finder
  • Get server users
  • SQli Scanner
  • Ports Scan (range of ports)
  • ports Scan (common ports)
  • Get server Info
  • Bypass Cloudflare
Post Exploitation:
  • Shell Checker
  • POET
  • Weeman
Hacktronian's License: MIT Licence



Sunday, August 30, 2020

Save Your Cloud: Gain Root Access To VMs In OpenNebula 4.6.1


In this post, we show a proof-of-concept attack that gives us root access to a victim's VM in the Cloud Management Platform OpenNebula, which means that we can read and write all its data, install software, etc. What makes the attack interesting is that it allows an attacker to bridge the gap between the cloud's high-level web interface and low-level shell access to a virtual machine.

Like the latest blog post of this series, this is a post about an old CSRF and XSS vulnerability that dates back to 2014. However, the interesting part is not the vulnerability itself but rather the exploit that we were able to develop for it.

An attacker needs the following information for a successful attack.
  • ID of the VM to attack
    OpenNebula's VM ID is a simple global integer that is increased whenever a VM is instantiated. The attacker may simply guess the ID. Once the attacker can execute JavaScript code in the scope of Sunstone, it is possible to use OpenNebula's API and data structures to retrieve this ID based on the name of the desired VM or its IP address.
  • Operating system & bootloader
    There are various ways to learn a VM's OS, apart from simply guessing. For example, if the VM runs a publicly accessible web server, the OS of the VM could be leaked in the HTTP Server header (see RFC 2616). Another option would be to check the images or the template the VM was created from. Usually, the name and description of an image contain information about the installed OS, especially if the image was imported from a marketplace.
    Since most operating systems are shipped with a default bootloader, making a correct guess about a VM's bootloader is feasible. Even if this is not possible, other approaches can be used (see below).
  • Keyboard layout of the VM's operating system
    As with the VM's bootloader, making an educated guess about a VM's keyboard layout is not difficult. For example, it is highly likely that VMs in a company's cloud will use the keyboard layout of the country the company is located in.

Overview of the Attack

The key idea of this attack is that neither Sunstone nor noVNC checks whether keyboard-related events were caused by human input or generated by a script. This can be exploited so that gaining root access to a VM in OpenNebula requires five steps:
  1. Using CSRF, a persistent XSS payload is deployed.
  2. The XSS payload controls Sunstone's API.
  3. The noVNC window of the VM to attack is loaded into an iFrame.
  4. The VM is restarted using Sunstone's API.
  5. Keystroke events are simulated in the iFrame to let the bootloader open a root shell.

Figure 1: OpenNebula's Sunstone Interface displaying the terminal of a VM in a noVNC window.

The following sections give detailed information about each step.

Executing Remote Code in Sunstone

In Sunstone, every account can choose a display language. This choice is stored as an account parameter (e.g. for English LANG=en_US). In Sunstone, the value of the LANG parameter is used to construct a <script> tag that loads the corresponding localization script. For English, this creates the following tag:
<script src="locale/en_US/en_US.js?v=4.6.1" type="text/javascript"></script>
Setting the LANG parameter to a different string directly manipulates the path in the script tag. This creates an XSS vulnerability. By setting the LANG parameter to LANG="onerror=alert(1)//, the resulting script tag looks as follows:
<script src="locale/"onerror=alert(1)///"onerror=alert(1)//.js?v=4.6.1" type="text/javascript"></script>
For the web browser, this is a command to fetch the script locale/ from the server. However, this URL points to a folder, not a script, so what the server returns is not JavaScript. The browser treats this as an error and executes the JavaScript in the onerror attribute: alert(1). The rest of the line (including the second alert(1)) is treated as a comment because of the forward slashes.
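The concatenation described above next to a hardened version, as an added example that is not OpenNebula's code. The function names and the list of supported locales are assumptions; the hardened form checks LANG against an allowlist and escapes the attribute value on output.

```javascript
// Added example, not OpenNebula's code. SUPPORTED_LOCALES is a constructed list.
const SUPPORTED_LOCALES = new Set(["en_US", "de_DE", "es_ES"]);
const DEFAULT_LOCALE = "en_US";

// "Before": the concatenation the post describes. LANG lands in the tag as-is.
function vulnerableLocaleTag(lang, version) {
  return '<script src="locale/' + lang + '/' + lang + '.js?v=' + version +
         '" type="text/javascript"></script>';
}

// HTML-escape a value for use inside a double-quoted attribute.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only known locale identifiers; anything else falls back to the default.
// The rejected flag lets the caller log attempts to store an unexpected value.
function resolveLocale(lang) {
  const ok = typeof lang === "string" &&
             /^[a-z]{2}_[A-Z]{2}$/.test(lang) &&
             SUPPORTED_LOCALES.has(lang);
  return { locale: ok ? lang : DEFAULT_LOCALE, rejected: !ok };
}

// "After": allowlist first, then escape on output as a second layer.
function safeLocaleTag(lang, version) {
  const { locale } = resolveLocale(lang);
  const src = "locale/" + locale + "/" + locale + ".js?v=" + encodeURIComponent(version);
  return '<script src="' + escapeAttr(src) + '" type="text/javascript"></script>';
}

// The value from the post, used here only to compare the two outputs.
const PAGE_PAYLOAD = '"onerror=alert(1)//';
```

The same allowlist belongs at the point where the account attribute is written, so that a bad LANG value is never stored in the first place.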

When a user updates the language setting, the browser sends an XMLHttpRequest of the form
{ "action" : { "perform" : "update", "params" : { "template_raw" : "LANG=\"en_US\"" } }}
to the server (the original request contains more parameters, which we omitted for readability because they are irrelevant to the technique). Forging a request to Sunstone from some other web page via the victim's browser requires a trick, since one cannot use an XMLHttpRequest due to restrictions enforced by the browser's Same-Origin Policy. Nevertheless, using a self-submitting HTML form, the attacker can let the victim's browser issue a POST request that is similar enough to an XMLHttpRequest that the server accepts it.

An HTML form field like
<input name='deliver' value='attacker' />
is translated to a request in the form of deliver=attacker. To create a request changing the user's language setting to en_US, the HTML form has to look like
<input name='{"action":{"perform":"update","params":{"template_raw":"LANG' value='\"en_US\""}}}' />
Notice that the equals sign in LANG=\"en_US\" is inserted by the browser because of the name=value format.
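A server-side gate that refuses the kind of form-originated POST described above before it reaches the JSON parser, as an added example that is not Sunstone's code. The X-CSRF-Token header name, the request and session shapes, and the sample origins are assumptions.

```javascript
// Added example, not Sunstone's code. The X-CSRF-Token header name and the
// request/session shapes are assumptions made for this sketch.
// The only content types an HTML form can submit:
const FORM_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function mediaType(headerValue) {
  return String(headerValue || "").split(";")[0].trim().toLowerCase();
}

// Compare without returning early on the first differing character.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a state-changing API request may reach the JSON parser.
function checkApiRequest(req, session, allowedOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(req.headers)) h[k.toLowerCase()] = v;
  const type = mediaType(h["content-type"]);
  if (FORM_TYPES.has(type)) return { ok: false, reason: "form-encoded body" };
  if (type !== "application/json") return { ok: false, reason: "unexpected content type" };
  // A missing Origin header is rejected too (strict policy, an assumption here).
  if (h["origin"] !== allowedOrigin) return { ok: false, reason: "origin mismatch" };
  if (!safeEqual(h["x-csrf-token"], session.csrfToken)) {
    return { ok: false, reason: "bad CSRF token" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample requests: one from the application's own script, one from a form.
const SESSION = { csrfToken: "constructed-token-123" };
const ORIGIN = "https://sunstone.example";
const LEGIT = { method: "POST", headers: {
  "Content-Type": "application/json; charset=UTF-8",
  "Origin": ORIGIN, "X-CSRF-Token": "constructed-token-123" } };
const FORGED = { method: "POST", headers: {
  "Content-Type": "application/x-www-form-urlencoded",
  "Origin": "https://other.example" } };
```

The gate looks only at headers because, as the form trick shows, the body of a forged request can be made to look like the legitimate one.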

Figure 2: OpenNebula's Sunstone Interface displaying a user's attributes with the malicious payload in the LANG attribute.

Using this trick, the attacker sets the LANG parameter for the victim's account to "onerror=[remote code]//, where [remote code] is the attacker's exploit code. The attacker can either insert the complete exploit code into this parameter (there is no length limitation) or include code from a server under the attacker's control. Once the user reloads Sunstone, the server delivers HTML code to the client that executes the attacker's exploit.

Prepare Attack on VM

Due to the overwritten language parameter, the victim's browser does not load the localization script that is required for Sunstone to work. The attacker has therefore achieved code execution, but Sunstone is broken and no longer works. For this reason, the attacker needs to set the language back to a working value (e.g. en_US) and reload the page in an iFrame. This way Sunstone works again inside the iFrame, but the attacker can control the iFrame from the outside. In addition, the attack code needs to disable a watchdog timer outside the iFrame that checks whether Sunstone is correctly initialized.

From this point on, the attacker can use the Sunstone API with the privileges of the victim. This way, the attacker can gather all required information, such as OpenNebula's internal VM ID and the keyboard layout of the VM's operating system, from Sunstone's data structures based on the name or the IP address of the desired VM.

Compromising a VM

Using the Sunstone API, the attacker can issue a command to open a VNC connection. However, this command calls window.open, which opens a new browser window that the attacker cannot control. To circumvent this restriction, the attacker can overwrite window.open with a function that creates an iFrame under the attacker's control.

Once the noVNC-iFrame has loaded, the attacker can send keystrokes to the VM using the dispatchEvent function. Keystrokes on character keys can be simulated using keypress events. Keystrokes on special keys (Enter, Tab, etc.) have to be simulated using pairs of keydown and keyup events since noVNC filters keypress events on special keys.
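A keyboard gate that forwards only events the browser marks as user-generated, addressing the missing check named in the overview; this is an added example, not noVNC's or Sunstone's code. The names makeKeyGate, forward and report are hypothetical, and the sample events are constructed objects standing in for browser KeyboardEvents.

```javascript
// Added example, not noVNC's code. makeKeyGate, forward and report are hypothetical names.
const KEY_EVENTS = ["keydown", "keyup", "keypress"];

function makeKeyGate(forward, report) {
  const stats = { forwarded: 0, dropped: 0 };

  function handler(event) {
    // isTrusted is true only for events generated by the user agent itself;
    // events created by script and sent with dispatchEvent carry false.
    if (event.isTrusted !== true) {
      stats.dropped += 1;
      if (typeof event.stopImmediatePropagation === "function") event.stopImmediatePropagation();
      if (typeof event.preventDefault === "function") event.preventDefault();
      // Report every drop so a burst of synthetic keystrokes can be alerted on.
      report({ type: event.type, key: event.key, dropped: stats.dropped });
      return false;
    }
    stats.forwarded += 1;
    forward(event);
    return true;
  }

  // Attach in the capture phase so the gate runs before later listeners.
  function attach(target) {
    for (const type of KEY_EVENTS) target.addEventListener(type, handler, true);
  }

  return { handler, attach, stats };
}

// Constructed event objects: one user keystroke, then a synthetic keydown/keyup pair.
function demo() {
  const sent = [];
  const alerts = [];
  const gate = makeKeyGate((e) => sent.push(e.key), (a) => alerts.push(a));
  gate.handler({ type: "keydown", key: "a", isTrusted: true });
  gate.handler({ type: "keydown", key: "Enter", isTrusted: false });
  gate.handler({ type: "keyup", key: "Enter", isTrusted: false });
  return { sent, alerts, stats: gate.stats };
}
```

Script running in the same origin can remove listeners or call the forwarding function directly, so this check is a second layer alongside fixing the injection and the request forgery.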

Getting Root Access to VM

To get root access to a VM, the attacker can reboot a victim's VM using the Sunstone API and then control the VM's bootloader by interrupting it with keystrokes. Once the attacker can inject commands into the bootloader, it is possible to use recovery options or the single-user mode of Linux-based operating systems to get a shell with root privileges. The hardest part of this attack is getting the timing right. Usually, one only has a few seconds to interrupt a bootloader. However, if the attacker uses the hard reboot feature, which instantly resets the VM without shutting it down gracefully, the time between the reboot command and the interrupting keystroke can be roughly estimated.

Even if the bootloader is unknown, it is possible to use a trial-and-error approach. Since the variety of bootloaders is small, one can try one particular bootloader and reset the machine if the attack was unsuccessful. Alternatively, one can capture a screenshot of the noVNC canvas of the VM a few seconds after resetting the VM and determine the bootloader.

A video of the attack can be seen here. The browser on the right-hand side shows the victim's actions. A second browser on the left-hand side shows what is happening in OpenNebula. The console window on the bottom right shows that there is no user-made keyboard input while the attack is happening.